
From nobody Fri Mar  1 13:12:21 2019
Return-Path: <agenda@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 41253130F5B; Fri,  1 Mar 2019 13:10:00 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "\"IETF Secretariat\"" <agenda@ietf.org>
To: <lamps-chairs@ietf.org>, <housley@vigilsec.com>
Cc: spasm@ietf.org, ekr@rtfm.com
X-Test-IDTracker: no
X-IETF-IDTracker: 6.92.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <155147460025.6101.17650798391439745416.idtracker@ietfa.amsl.com>
Date: Fri, 01 Mar 2019 13:10:00 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/f6nh7kbEbp_ya2glEYBkiSmtAtg>
Subject: [lamps] lamps - Requested session has been scheduled for IETF 104
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2019 21:10:09 -0000

Dear Russ Housley,

The session(s) that you have requested have been scheduled.
Below is the scheduled session information followed by
the original request. 


    lamps Session 1 (1:00 requested)
    Tuesday, 26 March 2019, Morning Session II 1120-1220
    Room Name: Karlin 1/2 size: 150
    ---------------------------------------------


iCalendar: https://datatracker.ietf.org/meeting/104/sessions/lamps.ics

Request Information:


---------------------------------------------------------
Working Group Name: Limited Additional Mechanisms for PKIX and SMIME
Area Name: Security Area
Session Requester: Russ Housley

Number of Sessions: 1
Length of Session(s):  1 Hour
Number of Attendees: 50
Conflicts to Avoid: 
 First Priority: suit curdle quic perc saag sidrops sipbrandy tls ipwave stir acme ace rtcweb secdispatch teep
 Second Priority: cfrg dprive oauth t2trg uta ipsecme mls
 Third Priority: sacm secevent tcpinc trans


People who must be present:
  Russ Housley
  Eric Rescorla
  Sean Turner
  Phillip Hallam-Baker
  Jim Schaad
  Tim Hollebeek

Resources Requested:

Special Requests:
  
---------------------------------------------------------


From nobody Tue Mar  5 08:38:27 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Russ Housley <housley@vigilsec.com>, Jim Schaad <ietf@augustcellars.com>
CC: SPASM <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
Thread-Index: AQHUzgL4B8nMv8e3gk6J29Pq8ccSVaXyvj+AgABwIYCAAQyKgIAJDLAA
Date: Tue, 5 Mar 2019 16:38:08 +0000
Message-ID: <0A9C77AE-0461-4270-A91D-82553D443179@isara.com>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com> <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com>
In-Reply-To: <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_0A9C77AE04614270A91D82553D443179isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/W_BftmSzPHe_tH_cykphxNXBFRg>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
X-List-Received-Date: Tue, 05 Mar 2019 16:38:26 -0000



From nobody Tue Mar  5 09:51:10 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
From: Jim Schaad <ietf@augustcellars.com>
To: 'Daniel Van Geest' <Daniel.VanGeest@isara.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com> <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com> <0A9C77AE-0461-4270-A91D-82553D443179@isara.com>
In-Reply-To: <0A9C77AE-0461-4270-A91D-82553D443179@isara.com>
Date: Tue, 5 Mar 2019 09:50:45 -0800
Message-ID: <015401d4d37b$f7673000$e6359000$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0155_01D4D338.E9474B60"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJP3EtmxFxA6hXc3uR6jg4mJmaNhgIcsAfkAisXL+UCqXow0QGbl/qspMLXJ1A=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/eRZ7PaL__wbkXWZC4K1TKChtxWA>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
X-List-Received-Date: Tue, 05 Mar 2019 17:51:08 -0000

------=_NextPart_000_0155_01D4D338.E9474B60
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Van Geest
Sent: Tuesday, March 5, 2019 8:38 AM
To: Russ Housley <housley@vigilsec.com>; Jim Schaad <ietf@augustcellars.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt

I’m working to align x509-hash-sigs draft and implementations with this one.  There’s something in cms-hash-sigs that I’d like clarification on to understand the implications.

The ASN.1 module defines:

      pk-HSS-LMS-HashSig PUBLIC-KEY ::= {
          IDENTIFIER id-alg-hss-lms-hashsig
          KEY HSS-LMS-HashSig-PublicKey
          PARAMS ARE absent
          CERT-KEY-USAGE
            { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }

      HSS-LMS-HashSig-PublicKey ::= OCTET STRING

Specifically, the public key is an OCTET STRING. The actual public key is “u32str(L) || lms_public_key”, so essentially an opaque octet string.

What are the implications in x.509 of defining “HSS-LMS-HashSig-PublicKey ::= OCTET STRING”?  Does this mean that in the Subject Public Key Info attribute, the HSS public key would be encoded as an OCTET STRING which is then wrapped in a BIT STRING encoding? (as opposed to a BIT STRING encoding of the raw “u32str(L) || lms_public_key” octet string).

The closest I could find to this situation is Ed25519/Ed448 since those public keys are also just raw octet strings (32 octets in 25519).  But the ASN.1 module for RFC 8410 specifies “-- KEY no ASN.1 wrapping --” within PUBLIC-KEY:

    pk-Ed25519 PUBLIC-KEY ::= {
        IDENTIFIER id-Ed25519
        -- KEY no ASN.1 wrapping --
        PARAMS ARE absent
        CERT-KEY-USAGE {digitalSignature, nonRepudiation,
                        keyCertSign, cRLSign}
        PRIVATE-KEY CurvePrivateKey
    }

I’m not an ASN.1 expert, so could someone explain the difference? Is the “no wrapping” there because the public key is raw octets? And then whoever encodes the public only applies their own encoding (if any) of the octets.  Does it have to do with the fact that the public key can be easily derived from the private key?  Is my assumption correct that a SPKI encoding of an HSS key would be a BIT STRING encoding of an ASN.1 OCTET STRING encoding of the raw octets?

[JLS] As I read this what you have deduced is correct.  For Ed25519 the public key is directly wrapped in the BIT STRING with no additional encoding.  For the hash sig public key the public key is wrapped in an OCTET STRING which is then wrapped in the BIT STRING.

As a general rule, I prefer having the extra layer of ASN.1 encoding because a lot of decoders assume that there is going to be that layer when processing certificates.  However, I did not write the initial versions of the Edwards draft and thus I just used the encoding that was there rather than writing it as I would prefer.

Jim

Thanks,

Daniel

On 2019-02-27, 12:27 PM, "Spasm on behalf of Russ Housley" <spasm-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:

Jim:

You are correct.  I missed this when I made the last update.  I will make the change now in my edit buffer.  I'll post it along with any other changes that result from IETF Last Call.

Russ

On Feb 26, 2019, at 8:25 PM, Jim Schaad <ietf@augustcellars.com> wrote:

I have a small change to request.  I am happy if you deal with it at a later date as long as it does not get lost.

In the ASN.1 module, the SIGNATURE-ALGORITHM definition should have an empty or absent HASHES field.  There are no hash functions which are to be applied prior to giving the input to the signing function.  This would match what I did for EdDSA.

Jim

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Tuesday, February 26, 2019 10:44 AM
To: SPASM <spasm@ietf.org>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt

This removes the extraneous paragraph that was pointed out by Daniel.

I believe that all comments have been resolved, and the document is now ready to go to the IESG.

Russ

On Feb 26, 2019, at 1:41 PM, internet-drafts@ietf.org wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
        Author          : Russ Housley
        Filename        : draft-ietf-lamps-cms-hash-sig-06.txt
        Pages           : 14
        Date            : 2019-02-26

Abstract:
  This document specifies the conventions for using the HSS/LMS
  hash-based signature algorithm with the Cryptographic Message Syntax
  (CMS).  In addition, the algorithm identifier and public key syntax
  are provided.  The HSS/LMS algorithm is one form of hash-based
  digital signature; it is described in [HASHSIG].

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06

Please note that it may take a couple of minutes from the time of
submission until the htmlized version and diff are available at
tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm


=20
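
Added example (not part of the original messages, and not code from the draft or its authors): the two SubjectPublicKeyInfo layouts compared in the exchange above, built and parsed in DER, with a strict parser that rejects a key carried in the layout its algorithm does not use. The dotted OID values, the helper names and the sample key bytes are assumptions that do not appear in the thread; the HSS layout is the one the thread reads out of the -06 ASN.1 module.

```python
# Added illustration; names and sample bytes are not from the thread.
ID_ED25519 = "1.3.101.112"                              # id-Ed25519 (RFC 8410)
ID_ALG_HSS_LMS_HASHSIG = "1.2.840.113549.1.9.16.3.17"   # assumption: value as in RFC 8708

# Algorithms whose BIT STRING payload is itself a DER OCTET STRING
# (the thread's reading of "HSS-LMS-HashSig-PublicKey ::= OCTET STRING").
OCTET_WRAPPED = frozenset({ID_ALG_HSS_LMS_HASHSIG})
EXPECTED_LEN = {ID_ED25519: 32}          # "32 octets in 25519"

# Constructed sample keys: right shape, not real key material.
ED_KEY = bytes(range(32))
HSS_KEY = (1).to_bytes(4, "big") + bytes(range(56))   # u32str(L) || lms_public_key


def tlv(tag, content):
    """DER tag-length-value with definite short or long form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_spki(oid, raw_key, wrap):
    """SEQUENCE { SEQUENCE { OID }, BIT STRING }; parameters absent."""
    key = tlv(0x04, raw_key) if wrap else raw_key      # optional OCTET STRING layer
    return tlv(0x30, tlv(0x30, encode_oid(oid)) + tlv(0x03, b"\x00" + key))


def read_tlv(buf, pos=0):
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:end], end


def parse_spki(der):
    """Return (oid, raw_key); raise ValueError on any layout mismatch."""
    tag, spki, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    tag, alg, pos = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_body, oid_end = read_tlv(alg)
    if tag != 0x06 or oid_end != len(alg):
        raise ValueError("expected OID with absent parameters")
    oid = decode_oid(oid_body)
    tag, bits, pos = read_tlv(spki, pos)
    if tag != 0x03 or pos != len(spki) or not bits or bits[0] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    payload = bits[1:]
    if oid in OCTET_WRAPPED:
        tag, raw, inner_end = read_tlv(payload)
        if tag != 0x04 or inner_end != len(payload):
            raise ValueError("expected OCTET STRING inside the BIT STRING")
    else:
        raw = payload                      # no ASN.1 wrapping
    want = EXPECTED_LEN.get(oid)
    if want is not None and len(raw) != want:
        raise ValueError("unexpected raw key length")
    return oid, raw


def rejects(der):
    try:
        parse_spki(der)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, oid, key, wrap in (("Ed25519", ID_ED25519, ED_KEY, False),
                                 ("HSS/LMS", ID_ALG_HSS_LMS_HASHSIG, HSS_KEY, True)):
        der = build_spki(oid, key, wrap)
        print(name, len(der), "octets:", der[:24].hex(), "...")
        print("  wrong layout rejected:", rejects(build_spki(oid, key, not wrap)))
```

A lenient decoder handed the wrong layout would either fail on the first key octet or return a key with two extra leading octets (the OCTET STRING tag and length), which is why the parser checks the layout per algorithm.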


------=_NextPart_000_0155_01D4D338.E9474B60
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.apple-tab-span
	{mso-style-name:apple-tab-span;}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle22
	{mso-style-type:personal-reply;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> Spasm =
&lt;spasm-bounces@ietf.org&gt; <b>On Behalf Of </b>Daniel Van =
Geest<br><b>Sent:</b> Tuesday, March 5, 2019 8:38 AM<br><b>To:</b> Russ =
Housley &lt;housley@vigilsec.com&gt;; Jim Schaad =
&lt;ietf@augustcellars.com&gt;<br><b>Cc:</b> SPASM =
&lt;spasm@ietf.org&gt;<br><b>Subject:</b> Re: [lamps] I-D Action: =
draft-ietf-lamps-cms-hash-sig-06.txt<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
lang=3DEN-CA>I=E2=80=99m working to align x509-hash-sigs draft and =
implementations with this one.&nbsp; There=E2=80=99s something in =
cms-hash-sigs that I=E2=80=99d like clarification on to understand the =
implications.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA>The ASN.1 module defines:<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pk-HSS-LMS-HashSig =
PUBLIC-KEY ::=3D {<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
IDENTIFIER id-alg-hss-lms-hashsig<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
KEY HSS-LMS-HashSig-PublicKey<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
PARAMS ARE absent<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
CERT-KEY-USAGE<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp; { digitalSignature, nonRepudiation, keyCertSign, cRLSign } =
}<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp; =
&nbsp;HSS-LMS-HashSig-PublicKey ::=3D OCTET =
STRING<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA>Specifically, the public key is an OCTET STRING. The actual =
public key is =E2=80=9Cu32str(L) || lms_public_key=E2=80=9D, so =
essentially an opaque octet string.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA>What are the implications in x.509 =
of defining =E2=80=9CHSS-LMS-HashSig-PublicKey ::=3D OCTET =
STRING=E2=80=9D?&nbsp; Does this mean that in the Subject Public Key =
Info attribute, the HSS public key would be encoded as an OCTET STRING =
which is then wrapped in a BIT STRING encoding? (as opposed to a BIT =
STRING encoding of the raw =E2=80=9Cu32str(L) || lms_public_key=E2=80=9D =
octet string).<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA>The closest I could find to this situation is Ed25519/Ed448 =
since those public keys are also just raw octet strings (32 octets in =
25519).&nbsp; But the ASN.1 module for RFC 8410 specifies =E2=80=9C-- =
KEY no ASN.1 wrapping --=E2=80=9D within =
PUBLIC-KEY:<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><pre><span lang=3DEN-CA =
style=3D'color:black'>&nbsp;&nbsp;&nbsp; pk-Ed25519 PUBLIC-KEY ::=3D =
{<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
IDENTIFIER id-Ed25519<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- KEY =
no ASN.1 wrapping --<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PARAMS =
ARE absent<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
CERT-KEY-USAGE {digitalSignature, =
nonRepudiation,<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; keyCertSign, cRLSign}<o:p></o:p></span></pre><pre><span =
lang=3DEN-CA =
style=3D'color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
PRIVATE-KEY CurvePrivateKey<o:p></o:p></span></pre><pre><span =
lang=3DEN-CA style=3D'color:black'>&nbsp;&nbsp;&nbsp; =
}<o:p></o:p></span></pre><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA>I=E2=80=99m not an ASN.1 expert, so could someone explain =
the difference? Is the =E2=80=9Cno wrapping=E2=80=9D there because the =
public key is raw octets? And then whoever encodes the public only =
applies their own encoding (if any) of the octets.&nbsp; Does it have to =
do with the fact that the public key can be easily derived from the =
private key?&nbsp; Is my assumption correct that a SPKI encoding of an =
HSS key would be a BIT STRING encoding of an ASN.1 OCTET STRING encoding =
of the raw octets?<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA>[JLS] As I read this what you have deduced is =
correct.=C2=A0 For Ed25519 the public key is directly wrapped in the BIT =
STRING with no additional encoding.=C2=A0 For the hash sig public key =
the public key is wrapped in an OCTET STRING which is then wrapped in =
the BIT STRING.=C2=A0 <o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA>As a general rule, I prefer having the extra layer of ASN.1 =
encoding because a lot of decoders assume that there is going to be that =
layer when processing certificates.=C2=A0 However, I did not write the =
initial versions of the Edwards draft and thus I just used the encoding =
that was there rather than writing it as I would =
prefer.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA>Jim<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA>Thanks,<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA>Daniel<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>On 2019-02-27, 12:27 PM, =
&quot;Spasm on behalf of Russ Housley&quot; &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a> on =
behalf of <a =
href=3D"mailto:housley@vigilsec.com">housley@vigilsec.com</a>&gt; =
wrote:<o:p></o:p></span></p></div></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Jim:<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>You are =
correct.&nbsp;&nbsp;I missed this when I made the last =
update.&nbsp;&nbsp;I will make the change now in my edit =
buffer.&nbsp;&nbsp;I'll post it along with any other changes that result =
from IETF Last Call.<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Russ<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>On Feb =
26, 2019, at 8:25 PM, Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt; =
wrote:<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>I have a small change to =
request.&nbsp;&nbsp;I am happy if you deal with it at a =
later<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>date as long as it does =
not get lost.<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>In the ASN.1 module, the =
SIGNATURE-ALGORITHM definition should have an =
empty<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>or absent HASHES =
field.&nbsp;&nbsp;There are no hash functions which are to be =
applied<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>prior to given the input =
to the signing function.&nbsp;&nbsp;This would match what =
I<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>did for =
EdDSA.<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Jim<o:p></o:p></span></p></div><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>-----Original =
Message-----<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>From: Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; On =
Behalf Of Russ Housley<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>Sent: =
Tuesday, February 26, 2019 10:44 AM<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>To: =
SPASM &lt;<a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<o:p></o:p></span></=
p></div><div><p class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Subject: Re: [lamps] I-D Action: =
draft-ietf-lamps-cms-hash-sig-06.txt<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>This =
removes the extraneous paragraph that was pointed out by =
Daniel.<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>I believe that all =
comments have been resolved, and the document is =
now<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>ready to go to the =
IESG.<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Russ<o:p></o:p></span></p></div><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>On Feb =
26, 2019, at 1:41 PM, <a =
href=3D"mailto:internet-drafts@ietf.org">internet-drafts@ietf.org</a> =
wrote:<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>A New Internet-Draft is =
available from the on-line =
Internet-Drafts<o:p></o:p></span></p></div></blockquote><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>directories.<o:p></o:p></span></p></div><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>This =
draft is a work item of the Limited Additional Mechanisms for =
PKIX<o:p></o:p></span></p></div></blockquote></blockquote><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>and<o:p></o:p></span></p></div><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>SMIME WG =
of the IETF.<o:p></o:p></span></p></div><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Title&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Use =
of the HSS/LMS Hash-based =
Signature<o:p></o:p></span></p></div></blockquote></blockquote><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Algorithm in the<o:p></o:p></span></p></div><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Cryptographic Message Syntax =
(CMS)<o:p></o:p></span></p></div><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Author&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: Russ =
Housley<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span class=3Dapple-tab-span><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span><span =
lang=3DEN-CA>Filename&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: =
draft-ietf-lamps-cms-hash-sig-06.txt<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
class=3Dapple-tab-span><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span><span =
lang=3DEN-CA>Pages&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp; : 14<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span class=3Dapple-tab-span><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span><span =
lang=3DEN-CA>Date&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;: 2019-02-26<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Abstract:<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;This document specifies the conventions for =
using the the HSS/LMS<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;hash-based signature algorithm with the =
Cryptographic Message Syntax<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;(CMS).&nbsp;&nbsp;In addition, the algorithm =
identifier and public key syntax<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;are provided.&nbsp;&nbsp;The HSS/LMS algorithm =
is one form of hash-based<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;digital signature; it is described in =
[HASHSIG].<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>The IETF datatracker =
status page for this draft is:<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/">=
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/</a><o:p><=
/o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>There are also htmlized =
versions available at:<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06">htt=
ps://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06</a><o:p></o:p><=
/span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-s=
ig-06">https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-si=
g-06</a><o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>A diff from the previous =
version is available at:<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-lamps-cms-hash-sig=
-06">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-lamps-cms-hash-sig-06=
</a><o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>Please note that it may =
take a couple of minutes from the time =
of<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>submission until the =
htmlized version and diff are available =
at<o:p></o:p></span></p></div></blockquote></blockquote><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>tools.ietf.org.<o:p></o:p></span></p></div><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><blockquote =
style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in =
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0in;margin-bottom:=
5.0pt' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Internet-Drafts are also available by anonymous FTP =
at:<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"ftp://ftp.ietf.org/internet-drafts/">ftp://ftp.ietf.org/internet-=
drafts/</a><o:p></o:p></span></p></div></blockquote><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>_______________________________________________<o:p></o:p></=
span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>Spasm mailing =
list<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"mailto:Spasm@ietf.org">Spasm@ietf.org</a><o:p></o:p></span></p></=
div><div><p class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA><a =
href=3D"https://www.ietf.org/mailman/listinfo/spasm">https://www.ietf.org=
/mailman/listinfo/spasm</a><o:p></o:p></span></p></div></blockquote><div>=
<p class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>_______________________________________________<o:p></o:p></=
span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>Spasm mailing =
list<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"mailto:Spasm@ietf.org">Spasm@ietf.org</a><o:p></o:p></span></p></=
div><div><p class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA><a =
href=3D"https://www.ietf.org/mailman/listinfo/spasm">https://www.ietf.org=
/mailman/listinfo/spasm</a><o:p></o:p></span></p></div></blockquote><div>=
<p class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>_______________________________________________<o:p></o:p></=
span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>Spasm mailing =
list<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"mailto:Spasm@ietf.org">Spasm@ietf.org</a><o:p></o:p></span></p></=
div><div><p class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA><a =
href=3D"https://www.ietf.org/mailman/listinfo/spasm">https://www.ietf.org=
/mailman/listinfo/spasm</a><o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div></div></div></body></html>
------=_NextPart_000_0155_01D4D338.E9474B60--


From nobody Tue Mar  5 10:20:32 2019
Return-Path: <Daniel.VanGeest@isara.com>
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
Thread-Index: AQHUzgL4B8nMv8e3gk6J29Pq8ccSVaXyvj+AgABwIYCAAQyKgIAJDLAAgABoHID//7RwAA==
Date: Tue, 5 Mar 2019 18:20:18 +0000
Message-ID: <BE868716-27FA-4509-972C-EBC57AC64EB4@isara.com>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com> <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com> <0A9C77AE-0461-4270-A91D-82553D443179@isara.com> <015401d4d37b$f7673000$e6359000$@augustcellars.com>
In-Reply-To: <015401d4d37b$f7673000$e6359000$@augustcellars.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_BE86871627FA4509972CEBC57AC64EB4isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SV0IJ631EN2pzFI2AbWEkY52RRs>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt

--_000_BE86871627FA4509972CEBC57AC64EB4isaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_BE86871627FA4509972CEBC57AC64EB4isaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <A641F4FC55337B46A5C446D3FA7748EC@isara.com>
Content-Transfer-Encoding: base64
--_000_BE86871627FA4509972CEBC57AC64EB4isaracom_--


From nobody Tue Mar  5 11:34:22 2019
Return-Path: <ietf@augustcellars.com>
From: Jim Schaad <ietf@augustcellars.com>
To: 'Daniel Van Geest' <Daniel.VanGeest@isara.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com> <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com> <0A9C77AE-0461-4270-A91D-82553D443179@isara.com> <015401d4d37b$f7673000$e6359000$@augustcellars.com> <BE868716-27FA-4509-972C-EBC57AC64EB4@isara.com>
In-Reply-To: <BE868716-27FA-4509-972C-EBC57AC64EB4@isara.com>
Date: Tue, 5 Mar 2019 11:34:06 -0800
Message-ID: <017d01d4d38a$675cf580$3616e080$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_017E_01D4D347.593BFF70"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJP3EtmxFxA6hXc3uR6jg4mJmaNhgIcsAfkAisXL+UCqXow0QGbl/qsAhmxhRMCf2H6s6SeK4OQ
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xCLVnMasHQdE3OX_X6qIRjGUpSQ>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt

------=_NextPart_000_017E_01D4D347.593BFF70
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Daniel Van Geest <Daniel.VanGeest@isara.com>
Sent: Tuesday, March 5, 2019 10:20 AM
To: Jim Schaad <ietf@augustcellars.com>; 'Russ Housley' <housley@vigilsec.com>
Cc: 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt

On 2019-03-05, 12:50 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Van Geest
Sent: Tuesday, March 5, 2019 8:38 AM
To: Russ Housley <housley@vigilsec.com>; Jim Schaad <ietf@augustcellars.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt

I’m working to align x509-hash-sigs draft and implementations with this one.  There’s something in cms-hash-sigs that I’d like clarification on to understand the implications.

The ASN.1 module defines:

      pk-HSS-LMS-HashSig PUBLIC-KEY ::= {
          IDENTIFIER id-alg-hss-lms-hashsig
          KEY HSS-LMS-HashSig-PublicKey
          PARAMS ARE absent
          CERT-KEY-USAGE
            { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }

      HSS-LMS-HashSig-PublicKey ::= OCTET STRING

Specifically, the public key is an OCTET STRING. The actual public key is “u32str(L) || lms_public_key”, so essentially an opaque octet string.

What are the implications in x.509 of defining “HSS-LMS-HashSig-PublicKey ::= OCTET STRING”?  Does this mean that in the Subject Public Key Info attribute, the HSS public key would be encoded as an OCTET STRING which is then wrapped in a BIT STRING encoding? (as opposed to a BIT STRING encoding of the raw “u32str(L) || lms_public_key” octet string).

The closest I could find to this situation is Ed25519/Ed448 since those public keys are also just raw octet strings (32 octets in 25519).  But the ASN.1 module for RFC 8410 specifies “-- KEY no ASN.1 wrapping --” within PUBLIC-KEY:

    pk-Ed25519 PUBLIC-KEY ::= {
        IDENTIFIER id-Ed25519
        -- KEY no ASN.1 wrapping --
        PARAMS ARE absent
        CERT-KEY-USAGE {digitalSignature, nonRepudiation,
                        keyCertSign, cRLSign}
        PRIVATE-KEY CurvePrivateKey
    }

I’m not an ASN.1 expert, so could someone explain the difference? Is the “no wrapping” there because the public key is raw octets? And then whoever encodes the public only applies their own encoding (if any) of the octets.  Does it have to do with the fact that the public key can be easily derived from the private key?  Is my assumption correct that a SPKI encoding of an HSS key would be a BIT STRING encoding of an ASN.1 OCTET STRING encoding of the raw octets?

[JLS] As I read this what you have deduced is correct.  For Ed25519 the public key is directly wrapped in the BIT STRING with no additional encoding.  For the hash sig public key the public key is wrapped in an OCTET STRING which is then wrapped in the BIT STRING.

As a general rule, I prefer having the extra layer of ASN.1 encoding because a lot of decoders assume that there is going to be that layer when processing certificates.  However, I did not write the initial versions of the Edwards draft and thus I just used the encoding that was there rather than writing it as I would prefer.

[DVG] Do you prefer this general rule for the signature as well?  In X.509 would you prefer the raw signature octets wrapped in an OCTET STRING wrapped in a BIT STRING?  How would this work in CMS where the signature field within the SignerInfo is already defined as an OCTET string? Wouldn’t the rule imply the raw HSS octet string wrapped in an OCTET STRING wrapped in an OCTET STRING? That’s not how I’m reading cms-hash-sigs, e.g. section 5:

      signature contains the single HSS signature value resulting from
         the signing operation as specified in [HASHSIG].

And `signature` already being defined as an OCTET STRING makes this read to me as a single wrapping.

[JLS] Signatures have traditionally always been the raw bytes.  The difference is that frequently public and private keys have had ASN.1 structure wrapped around them while signatures have not.  For an example look at how RSA is done.

Jim

Thanks,
Daniel

Jim

Thanks,
Daniel

On 2019-02-27, 12:27 PM, "Spasm on behalf of Russ Housley" <spasm-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:

Jim:

You are correct.  I missed this when I made the last update.  I will make the change now in my edit buffer.  I'll post it along with any other changes that result from IETF Last Call.

Russ

On Feb 26, 2019, at 8:25 PM, Jim Schaad <ietf@augustcellars.com> wrote:

I have a small change to request.  I am happy if you deal with it at a later date as long as it does not get lost.

In the ASN.1 module, the SIGNATURE-ALGORITHM definition should have an empty or absent HASHES field.  There are no hash functions which are to be applied prior to giving the input to the signing function.  This would match what I did for EdDSA.

Jim

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Tuesday, February 26, 2019 10:44 AM
To: SPASM <spasm@ietf.org>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt

This removes the extraneous paragraph that was pointed out by Daniel.
I believe that all comments have been resolved, and the document is now ready to go to the IESG.

Russ

On Feb 26, 2019, at 1:41 PM, internet-drafts@ietf.org wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

       Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
       Author          : Russ Housley
       Filename        : draft-ietf-lamps-cms-hash-sig-06.txt
       Pages           : 14
       Date            : 2019-02-26

Abstract:
  This document specifies the conventions for using the HSS/LMS
  hash-based signature algorithm with the Cryptographic Message Syntax
  (CMS).  In addition, the algorithm identifier and public key syntax
  are provided.  The HSS/LMS algorithm is one form of hash-based
  digital signature; it is described in [HASHSIG].

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

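Added example, not part of the original message or of the draft: Python code that builds and parses SubjectPublicKeyInfo under the two conventions discussed in this message (an OCTET STRING inside the BIT STRING for HSS/LMS, as draft-06 is read above, and raw octets for Ed25519), choosing the unwrapping from the algorithm OID. The OID values are assumed from RFC 8410 and RFC 8708, the function names are hypothetical, and the key bytes are constructed filler rather than real keys.

```python
import struct

# OID values are not quoted in the thread; assumed from RFC 8410 and RFC 8708.
OID_ED25519 = "1.3.101.112"
OID_HSS_LMS = "1.2.840.113549.1.9.16.3.17"


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def enc_oid(dotted):
    """Encode a dotted OID as a complete OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


# AlgorithmIdentifier content (OID only, parameters absent) -> (oid, wrapped?)
KEY_FORMS = {
    enc_oid(OID_ED25519): (OID_ED25519, False),  # "-- KEY no ASN.1 wrapping --"
    enc_oid(OID_HSS_LMS): (OID_HSS_LMS, True),   # KEY is an OCTET STRING
}


def read_tlv(buf, off=0):
    """Return (tag, content, next_offset); reject truncated or non-DER lengths."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80 or buf[off] == 0:
            raise ValueError("non-minimal DER length")
        off += n
    if off + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[off:off + length], off + length


def build_spki(oid, key):
    """Encode SubjectPublicKeyInfo, wrapping the key only where the module says so."""
    alg = enc_oid(oid)
    payload = tlv(0x04, key) if KEY_FORMS[alg][1] else key
    return tlv(0x30, tlv(0x30, alg) + tlv(0x03, b"\x00" + payload))


def parse_spki(der):
    """Return (oid, raw_key_octets); the OID, not the payload, selects the unwrapping."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKI must be exactly one SEQUENCE")
    tag, alg, off = read_tlv(seq)
    if tag != 0x30 or alg not in KEY_FORMS:
        raise ValueError("unknown algorithm or unexpected parameters")
    oid, wrapped = KEY_FORMS[alg]
    tag, bits, end = read_tlv(seq, off)
    if tag != 0x03 or end != len(seq) or bits[:1] != b"\x00":
        raise ValueError("expected BIT STRING with zero unused bits")
    payload = bits[1:]
    if not wrapped:
        return oid, payload
    tag, key, end = read_tlv(payload)
    if tag != 0x04 or end != len(payload):
        raise ValueError("expected exactly one OCTET STRING inside the BIT STRING")
    return oid, key


def looks_wrapped(payload):
    """Payload-sniffing heuristic, shown only to demonstrate why it is unreliable."""
    try:
        tag, _, end = read_tlv(payload)
    except ValueError:
        return False
    return tag == 0x04 and end == len(payload)


def accepts(der):
    try:
        parse_spki(der)
        return True
    except ValueError:
        return False


# Constructed sample keys (filler, not real key material).
HSS_KEY = struct.pack(">I", 1) + bytes(range(56))  # u32str(L) || stand-in for lms_public_key
ED_KEY_AMBIGUOUS = b"\x04\x1e" + bytes(30)         # 32 raw octets that also parse as an OCTET STRING
```

looks_wrapped(ED_KEY_AMBIGUOUS) returns True although that key is raw, which is why parse_spki decides from the OID and rejects an HSS/LMS key placed directly in the BIT STRING.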


------=_NextPart_000_017E_01D4D347.593BFF70
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> =
Daniel Van Geest &lt;Daniel.VanGeest@isara.com&gt; <br><b>Sent:</b> =
Tuesday, March 5, 2019 10:20 AM<br><b>To:</b> Jim Schaad =
&lt;ietf@augustcellars.com&gt;; 'Russ Housley' =
&lt;housley@vigilsec.com&gt;<br><b>Cc:</b> 'SPASM' =
&lt;spasm@ietf.org&gt;<br><b>Subject:</b> Re: [lamps] I-D Action: =
draft-ietf-lamps-cms-hash-sig-06.txt<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>On 2019-03-05, 12:50 PM, =
&quot;Jim Schaad&quot; &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt; =
wrote:<o:p></o:p></span></p></div></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><b><span lang=3DEN-CA>From:</span></b><span =
lang=3DEN-CA> Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; =
<b>On Behalf Of </b>Daniel Van Geest<br><b>Sent:</b> Tuesday, March 5, =
2019 8:38 AM<br><b>To:</b> Russ Housley &lt;<a =
href=3D"mailto:housley@vigilsec.com">housley@vigilsec.com</a>&gt;; Jim =
Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;<br>=
<b>Cc:</b> SPASM &lt;<a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br><b>Subject:</b> =
Re: [lamps] I-D Action: =
draft-ietf-lamps-cms-hash-sig-06.txt<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>I=E2=80=99m working to =
align x509-hash-sigs draft and implementations with this one.&nbsp; =
There=E2=80=99s something in cms-hash-sigs that I=E2=80=99d like =
clarification on to understand the implications.<o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>The ASN.1 module =
defines:<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pk-HSS-LMS-HashSig =
PUBLIC-KEY ::=3D {</span><span lang=3DEN-CA><o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
IDENTIFIER id-alg-hss-lms-hashsig</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:10.0pt;font-family:"Courier =
New";color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
KEY HSS-LMS-HashSig-PublicKey</span><span =
lang=3DEN-CA><o:p></o:p></span></p>
<pre style='margin-left:.5in'>
          PARAMS ARE absent
          CERT-KEY-USAGE
            { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }

      HSS-LMS-HashSig-PublicKey ::= OCTET STRING
</pre>
<p style='margin-left:.5in'>Specifically, the public key is an OCTET STRING. The actual public key is “u32str(L) || lms_public_key”, so essentially an opaque octet string.</p>
<p style='margin-left:.5in'>What are the implications in X.509 of defining “HSS-LMS-HashSig-PublicKey ::= OCTET STRING”?  Does this mean that in the Subject Public Key Info attribute, the HSS public key would be encoded as an OCTET STRING which is then wrapped in a BIT STRING encoding? (as opposed to a BIT STRING encoding of the raw “u32str(L) || lms_public_key” octet string).</p>
<p style='margin-left:.5in'>The closest I could find to this situation is Ed25519/Ed448 since those public keys are also just raw octet strings (32 octets in 25519).  But the ASN.1 module for RFC 8410 specifies “-- KEY no ASN.1 wrapping --” within PUBLIC-KEY:</p>
<pre style='margin-left:.5in'>
    pk-Ed25519 PUBLIC-KEY ::= {
        IDENTIFIER id-Ed25519
        -- KEY no ASN.1 wrapping --
        PARAMS ARE absent
        CERT-KEY-USAGE {digitalSignature, nonRepudiation,
                        keyCertSign, cRLSign}
        PRIVATE-KEY CurvePrivateKey
    }
</pre>
<p style='margin-left:.5in'>I’m not an ASN.1 expert, so could someone explain the difference? Is the “no wrapping” there because the public key is raw octets? And then whoever encodes the public only applies their own encoding (if any) of the octets.  Does it have to do with the fact that the public key can be easily derived from the private key?  Is my assumption correct that a SPKI encoding of an HSS key would be a BIT STRING encoding of an ASN.1 OCTET STRING encoding of the raw octets?</p>
<p style='margin-left:.5in'>[JLS] As I read this what you have deduced is correct.  For Ed25519 the public key is directly wrapped in the BIT STRING with no additional encoding.  For the hash sig public key the public key is wrapped in an OCTET STRING which is then wrapped in the BIT STRING.</p>
<p style='margin-left:.5in'>As a general rule, I prefer having the extra layer of ASN.1 encoding because a lot of decoders assume that there is going to be that layer when processing certificates.  However, I did not write the initial versions of the Edwards draft and thus I just used the encoding that was there rather than writing it as I would prefer.</p>
<p style='margin-left:5.25pt'>[DVG] Do you prefer this general rule for the signature as well?  In X.509 would you prefer the raw signature octets wrapped in an OCTET STRING wrapped in a BIT STRING?  How would this work in CMS where the signature field within the SignerInfo is already defined as an OCTET string? Wouldn’t the rule imply the raw HSS octet string wrapped in an OCTET STRING wrapped in an OCTET STRING? That’s not how I’m reading cms-hash-sigs, e.g. section 5:</p>
<pre>
      signature contains the single HSS signature value resulting from
      the signing operation as specified in [HASHSIG].
</pre>
<p>And `signature` already being defined as an OCTET STRING makes this read to me as a single wrapping.</p>
<p>[JLS] Signatures have traditionally always been the raw bytes.  The difference is that frequently public and private keys have had ASN.1 structure wrapped around them while signatures have not.  For an example look at how RSA is done.</p>
<p>Jim</p>
<p>Thanks,<br>Daniel</p>
<p style='margin-left:.5in'>Jim</p>
<p style='margin-left:.5in'>Thanks,<br>Daniel</p>
<div><p style='margin-left:1.0in'>On 2019-02-27, 12:27 PM, &quot;Spasm on behalf of Russ Housley&quot; &lt;spasm-bounces@ietf.org on behalf of housley@vigilsec.com&gt; wrote:</p></div>
<div><p style='margin-left:1.0in'>Jim:</p></div>
<div><p style='margin-left:1.0in'>You are correct.  I missed this when I made the last update.  I will make the change now in my edit buffer.  I'll post it along with any other changes that result from IETF Last Call.</p></div>
<div><p style='margin-left:1.0in'>Russ</p></div>
<blockquote>
<p style='margin-left:1.0in'>On Feb 26, 2019, at 8:25 PM, Jim Schaad &lt;ietf@augustcellars.com&gt; wrote:</p>
<p style='margin-left:1.0in'>I have a small change to request.  I am happy if you deal with it at a later date as long as it does not get lost.</p>
<p style='margin-left:1.0in'>In the ASN.1 module, the SIGNATURE-ALGORITHM definition should have an empty or absent HASHES field.  There are no hash functions which are to be applied prior to giving the input to the signing function.  This would match what I did for EdDSA.</p>
<p style='margin-left:1.0in'>Jim</p>
<blockquote>
<p style='margin-left:1.0in'>-----Original Message-----<br>
From: Spasm &lt;spasm-bounces@ietf.org&gt; On Behalf Of Russ Housley<br>
Sent: Tuesday, February 26, 2019 10:44 AM<br>
To: SPASM &lt;spasm@ietf.org&gt;<br>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt</p>
<p style='margin-left:1.0in'>This removes the extraneous paragraph that was pointed out by Daniel.</p>
<p style='margin-left:1.0in'>I believe that all comments have been resolved, and the document is now ready to go to the IESG.</p>
<p style='margin-left:1.0in'>Russ</p>
<blockquote>
<p style='margin-left:1.0in'>On Feb 26, 2019, at 1:41 PM, internet-drafts@ietf.org wrote:</p>
<p style='margin-left:1.0in'>A New Internet-Draft is available from the on-line Internet-Drafts directories.<br>
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.</p>
<pre style='margin-left:1.0in'>
        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
        Author          : Russ Housley
        Filename        : draft-ietf-lamps-cms-hash-sig-06.txt
        Pages           : 14
        Date            : 2019-02-26
</pre>
<p style='margin-left:1.0in'>Abstract:<br>
  This document specifies the conventions for using the HSS/LMS hash-based signature algorithm with the Cryptographic Message Syntax (CMS).  In addition, the algorithm identifier and public key syntax are provided.  The HSS/LMS algorithm is one form of hash-based digital signature; it is described in [HASHSIG].</p>
<p style='margin-left:1.0in'>The IETF datatracker status page for this draft is:<br>
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/</p>
<p style='margin-left:1.0in'>There are also htmlized versions available at:<br>
https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06<br>
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06</p>
<p style='margin-left:1.0in'>A diff from the previous version is available at:<br>
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06</p>
<p style='margin-left:1.0in'>Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.</p>
<p style='margin-left:1.0in'>Internet-Drafts are also available by anonymous FTP at:<br>
ftp://ftp.ietf.org/internet-drafts/</p>
</blockquote>
</blockquote>
</blockquote>
<div><p style='margin-left:1.0in'>_______________________________________________<br>
Spasm mailing list<br>
Spasm@ietf.org<br>
https://www.ietf.org/mailman/listinfo/spasm</p></div>
</div></div></div></body></html>
------=_NextPart_000_017E_01D4D347.593BFF70--
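
The two SubjectPublicKeyInfo layouts discussed in the message above, as an added example that is not part of the thread and not code from the draft or its author: it DER-encodes the same HSS key with and without the inner OCTET STRING and shows that a decoder expecting one layout rejects the other. Assumptions: the HSS/LMS OID value is taken from RFC 8708 (the thread does not quote it), the function names are hypothetical, and the key bytes are constructed sample data, not a valid key.

```python
import struct

ID_ED25519 = "1.3.101.112"                 # id-Ed25519, RFC 8410
ID_HSS_LMS = "1.2.840.113549.1.9.16.3.17"  # assumption: value from RFC 8708


def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_spki(alg_oid, key_octets, octet_string_wrapper):
    """SEQUENCE { AlgorithmIdentifier (params absent), BIT STRING }."""
    inner = tlv(0x04, key_octets) if octet_string_wrapper else key_octets
    alg_id = tlv(0x30, oid(alg_oid))
    return tlv(0x30, alg_id + tlv(0x03, b"\x00" + inner))


def read_tlv(buf, off=0):
    """Return (tag, content, next_offset) for the TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[off:off + length], off + length


def spki_key_octets(der, octet_string_wrapper):
    """Extract the key octets, insisting on exactly the expected layout."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, _alg, off = read_tlv(body)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, bits, end = read_tlv(body, off)
    if tag != 0x03 or end != len(body) or bits[:1] != b"\x00":
        raise ValueError("bad subjectPublicKey BIT STRING")
    payload = bits[1:]                      # drop the unused-bits octet
    if not octet_string_wrapper:
        return payload
    tag, inner, end = read_tlv(payload)
    if tag != 0x04 or end != len(payload):
        raise ValueError("BIT STRING does not hold one OCTET STRING")
    return inner


def parse_hss_public_key(raw):
    """Split u32str(L) || lms_public_key; RFC 8554 limits L to 1..8."""
    if len(raw) < 4:
        raise ValueError("too short for u32str(L)")
    (levels,) = struct.unpack(">I", raw[:4])
    if not 1 <= levels <= 8:
        raise ValueError("implausible L=%d, wrong layout assumed?" % levels)
    return levels, raw[4:]


def decode_hss(der, octet_string_wrapper):
    return parse_hss_public_key(spki_key_octets(der, octet_string_wrapper))


def is_accepted(der, octet_string_wrapper):
    try:
        decode_hss(der, octet_string_wrapper)
        return True
    except ValueError:
        return False


# Constructed sample: L=1, LMS type 5, LM-OTS type 4, 16-byte I, 32-byte T[1].
SAMPLE_HSS_KEY = struct.pack(">III", 1, 5, 4) + bytes(range(16)) + bytes(range(32))
WRAPPED = build_spki(ID_HSS_LMS, SAMPLE_HSS_KEY, True)    # OCTET STRING in BIT STRING
RAW = build_spki(ID_HSS_LMS, SAMPLE_HSS_KEY, False)       # raw octets in BIT STRING
ED25519 = build_spki(ID_ED25519, bytes(32), False)        # RFC 8410 layout, all-zero key

if __name__ == "__main__":
    for name, der in (("wrapped", WRAPPED), ("raw", RAW)):
        print(name, len(der), der[:24].hex(),
              "wrapper-decoder:", is_accepted(der, True),
              "raw-decoder:", is_accepted(der, False))
```

The wrapped form is two octets longer (the `04 3c` header), and each decoder accepts only its own layout, which is why the choice has to be fixed by the specification rather than left to implementations.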


From nobody Wed Mar  6 06:49:00 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D48D124BA8; Wed,  6 Mar 2019 06:48:58 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.93.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: spasm@ietf.org
Message-ID: <155188373859.5582.16269505161275521812@ietfa.amsl.com>
Date: Wed, 06 Mar 2019 06:48:58 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QMwNP9tpJKg51X7lFPdNmd1uz3Y>
Subject: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 14:48:59 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
        Author          : Russ Housley
        Filename        : draft-ietf-lamps-cms-hash-sig-07.txt
        Pages           : 14
        Date            : 2019-03-06

Abstract:
   This document specifies the conventions for using the HSS/LMS
   hash-based signature algorithm with the Cryptographic Message Syntax
   (CMS).  In addition, the algorithm identifier and public key syntax
   are provided.  The HSS/LMS algorithm is one form of hash-based
   digital signature; it is described in [HASHSIG].


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-07
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-07

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-07


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed Mar  6 06:53:40 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52454126C87 for <spasm@ietfa.amsl.com>; Wed,  6 Mar 2019 06:53:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level: 
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efYmkMunBFOu for <spasm@ietfa.amsl.com>; Wed,  6 Mar 2019 06:53:37 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 879CE124BA8 for <spasm@ietf.org>; Wed,  6 Mar 2019 06:53:37 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id A2244300A54 for <spasm@ietf.org>; Wed,  6 Mar 2019 09:35:19 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id slJMPvuKONi0 for <spasm@ietf.org>; Wed,  6 Mar 2019 09:35:18 -0500 (EST)
Received: from [172.27.4.75] (unknown [75.104.69.145]) by mail.smeinc.net (Postfix) with ESMTPSA id 7DDD6300A42 for <spasm@ietf.org>; Wed,  6 Mar 2019 09:35:15 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 6 Mar 2019 09:53:24 -0500
References: <155188373859.5582.16269505161275521812@ietfa.amsl.com>
To: spasm@ietf.org
In-Reply-To: <155188373859.5582.16269505161275521812@ietfa.amsl.com>
Message-Id: <EC98D10D-360C-45F3-A177-39F265489AAD@vigilsec.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/zCSFPI01ihjTIX56Vkts-4xOPSQ>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 14:53:39 -0000

In addition to some minor reorganization, this update resolves a small
ASN.1 issue raised by Jim Schaad.  I wanted to get it posted before the
IETF 104 cut-off date.

Russ


> On Mar 6, 2019, at 9:48 AM, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.
>
>        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
>        Author          : Russ Housley
>        Filename        : draft-ietf-lamps-cms-hash-sig-07.txt
>        Pages           : 14
>        Date            : 2019-03-06
>
> Abstract:
>   This document specifies the conventions for using the HSS/LMS
>   hash-based signature algorithm with the Cryptographic Message Syntax
>   (CMS).  In addition, the algorithm identifier and public key syntax
>   are provided.  The HSS/LMS algorithm is one form of hash-based
>   digital signature; it is described in [HASHSIG].
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-07
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-07
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Mar  8 05:54:29 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5109613138A; Fri,  8 Mar 2019 05:54:18 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.93.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: spasm@ietf.org
Message-ID: <155205325828.3177.9127419627061510100@ietfa.amsl.com>
Date: Fri, 08 Mar 2019 05:54:18 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/KdYVCD9IRo3hIbK2K3e4ytWg2uE>
Subject: [lamps] I-D Action: draft-ietf-lamps-cms-shakes-08.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 13:54:22 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : Use of the SHAKE One-way Hash Functions in the Cryptographic Message Syntax (CMS)
        Authors         : Panos Kampanakis
                          Quynh Dang
        Filename        : draft-ietf-lamps-cms-shakes-08.txt
        Pages           : 16
        Date            : 2019-03-08

Abstract:
   This document describes the conventions for using the SHAKE family of
   hash functions with the Cryptographic Message Syntax (CMS) as one-way
   hash functions with the RSA Probabilistic signature and ECDSA
   signature algorithms, as message digests and message authentication
   codes.  The conventions for the associated signer public keys in CMS
   are also described.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-shakes/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-shakes-08
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-shakes-08

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-shakes-08


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Mar  8 06:07:15 2019
Return-Path: <pkampana@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F27501240D3 for <spasm@ietfa.amsl.com>; Fri,  8 Mar 2019 06:07:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level: 
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FxfEfwCL04ce for <spasm@ietfa.amsl.com>; Fri,  8 Mar 2019 06:07:07 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD79E127917 for <spasm@ietf.org>; Fri,  8 Mar 2019 06:07:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2383; q=dns/txt; s=iport; t=1552054026; x=1553263626; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=Kyb7qFLg46v+RJfBbsjhbTWUwYNXTKAaUH07L0mzMlg=; b=UvgjqKB8oZV2bPLxF7gVN1TrzaSpEJ1Jda1md2THQhZRHhZ7IwPqUF0q xcUNkOz413G4My+QTOte/+gvSS+q2RKJVdpjWJPAiYQX24M6on2PPAPT6 Ilzx6/F4E2id2eA3uqsxgAQlX1zfp+IInCniG6hmuC+spQ7WDlwRLFP2P 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AEAABfdoJc/49dJa1kGgEBAQEBAgE?= =?us-ascii?q?BAQEHAgEBAQGBUQUBAQEBCwGCD2iBAycKjBmNOpgmgXsLAQEYC4RJAoQ1IjQ?= =?us-ascii?q?JDQEBAwEBBwEDAm0cAQuFSgEBAQQBATg0FwQCAQgRBAEBHxAnCx0IAgQTCIM?= =?us-ascii?q?bgXUPqzyEMwIOQYUogS8BiysXgUA/gRGDEoMeAQECAQEWgSCGCAKkHgkCh02?= =?us-ascii?q?LMiGBeFiFD4tZineFY4k6gyQCERSBKB84gVZwFRohgmwJggwYiF+FP0ExjUu?= =?us-ascii?q?BLoEfAQE?=
X-IronPort-AV: E=Sophos;i="5.58,456,1544486400"; d="scan'208";a="242886792"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Mar 2019 14:07:06 +0000
Received: from XCH-RCD-006.cisco.com (xch-rcd-006.cisco.com [173.37.102.16]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id x28E76CO027993 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL) for <spasm@ietf.org>; Fri, 8 Mar 2019 14:07:06 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-RCD-006.cisco.com (173.37.102.16) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 8 Mar 2019 08:07:05 -0600
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1473.003; Fri, 8 Mar 2019 08:07:05 -0600
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-shakes-08.txt
Thread-Index: AQHU1baSSD5ccWWYK0ykEhi070jdpKYBwo5A
Date: Fri, 8 Mar 2019 14:07:05 +0000
Message-ID: <813ca5d4140a474fa3dc86702d6795a0@XCH-ALN-010.cisco.com>
References: <155205325828.3177.9127419627061510100@ietfa.amsl.com>
In-Reply-To: <155205325828.3177.9127419627061510100@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.82.238.146]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.37.102.16, xch-rcd-006.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/KPVwDYoP84vFh8gLKYgrg-Omi9w>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-shakes-08.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 14:07:09 -0000

This version of the draft addresses two minor nits in the draft:
- id-shake128-len and id-shake256-len, still left over from previous versions of the draft, were replaced by id-shake128 and id-shake256 with 32 and 64 bytes output lengths. Russ H. caught this last week.
- an inconsistency about the KMAC OIDs optional parameters in sections 3 and 4.4.

It should cover all feedback we have received as well.

Panos


-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Friday, March 08, 2019 8:54 AM
To: i-d-announce@ietf.org
Cc: spasm@ietf.org
Subject: [lamps] I-D Action: draft-ietf-lamps-cms-shakes-08.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : Use of the SHAKE One-way Hash Functions in the Cryptographic Message Syntax (CMS)
        Authors         : Panos Kampanakis
                          Quynh Dang
	Filename        : draft-ietf-lamps-cms-shakes-08.txt
	Pages           : 16
	Date            : 2019-03-08

Abstract:
   This document describes the conventions for using the SHAKE family of
   hash functions with the Cryptographic Message Syntax (CMS) as one-way
   hash functions with the RSA Probabilistic signature and ECDSA
   signature algorithms, as message digests and message authentication
   codes.  The conventions for the associated signer public keys in CMS
   are also described.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-shakes/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-shakes-08
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-shakes-08

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-shakes-08


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm


From nobody Fri Mar  8 19:43:24 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 807931279B1; Fri,  8 Mar 2019 19:43:23 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.93.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: spasm@ietf.org
Message-ID: <155210300349.26589.15784443390732341010@ietfa.amsl.com>
Date: Fri, 08 Mar 2019 19:43:23 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/wRidoGLCg47F9mXvCVymJl4ReCw>
Subject: [lamps] I-D Action: draft-ietf-lamps-cms-mix-with-psk-03.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 03:43:23 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)
        Author          : Russ Housley
	Filename        : draft-ietf-lamps-cms-mix-with-psk-03.txt
	Pages           : 29
	Date            : 2019-03-08

Abstract:
   The invention of a large-scale quantum computer would pose a serious
   challenge for the cryptographic algorithms that are widely deployed
   today.  The Cryptographic Message Syntax (CMS) supports key transport
   and key agreement algorithms that could be broken by the invention of
   such a quantum computer.  By storing communications that are
   protected with the CMS today, someone could decrypt them in the
   future when a large-scale quantum computer becomes available.  Once
   quantum-secure key management algorithms are available, the CMS will
   be extended to support the new algorithms, if the existing syntax
   does not accommodate them.  In the near-term, this document describes
   a mechanism to protect today's communication from the future
   invention of a large-scale quantum computer by mixing the output of
   key transport and key agreement algorithms with a pre-shared key.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-mix-with-psk/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-mix-with-psk-03
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-mix-with-psk-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-mix-with-psk-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Mar  8 19:47:35 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADE52128CF3 for <spasm@ietfa.amsl.com>; Fri,  8 Mar 2019 19:47:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PIBB8XH2ErGn for <spasm@ietfa.amsl.com>; Fri,  8 Mar 2019 19:47:31 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16EB9124B0C for <spasm@ietf.org>; Fri,  8 Mar 2019 19:47:31 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 34BBE300AB6 for <spasm@ietf.org>; Fri,  8 Mar 2019 22:29:13 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id RX3E_9rwQc5I for <spasm@ietf.org>; Fri,  8 Mar 2019 22:29:11 -0500 (EST)
Received: from [10.196.200.100] (21-196.icannmeeting.org [199.91.196.21]) by mail.smeinc.net (Postfix) with ESMTPSA id 6FFE23004B0 for <spasm@ietf.org>; Fri,  8 Mar 2019 22:29:11 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Fri, 8 Mar 2019 22:47:25 -0500
References: <155210300349.26589.15784443390732341010@ietfa.amsl.com>
To: spasm@ietf.org
In-Reply-To: <155210300349.26589.15784443390732341010@ietfa.amsl.com>
Message-Id: <9533B6C0-B0F5-48E2-89E9-0BFFD33EC5EB@vigilsec.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/mU251dpWeYQNPWuL4ssELBz1yBI>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-mix-with-psk-03.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 03:47:34 -0000

This document puts the PSK into the KDF in a slightly different way.  The change is more compatible with 'SuppPrivInfo' in the NIST key management documents.

This document includes examples in two new appendices.

PLEASE REVIEW.

Russ


> On Mar 8, 2019, at 10:43 PM, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.
>
>        Title           : Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)
>        Author          : Russ Housley
> 	Filename        : draft-ietf-lamps-cms-mix-with-psk-03.txt
> 	Pages           : 29
> 	Date            : 2019-03-08
>
> Abstract:
>   The invention of a large-scale quantum computer would pose a serious
>   challenge for the cryptographic algorithms that are widely deployed
>   today.  The Cryptographic Message Syntax (CMS) supports key transport
>   and key agreement algorithms that could be broken by the invention of
>   such a quantum computer.  By storing communications that are
>   protected with the CMS today, someone could decrypt them in the
>   future when a large-scale quantum computer becomes available.  Once
>   quantum-secure key management algorithms are available, the CMS will
>   be extended to support the new algorithms, if the existing syntax
>   does not accommodate them.  In the near-term, this document describes
>   a mechanism to protect today's communication from the future
>   invention of a large-scale quantum computer by mixing the output of
>   key transport and key agreement algorithms with a pre-shared key.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-mix-with-psk/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-lamps-cms-mix-with-psk-03
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-mix-with-psk-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-mix-with-psk-03
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


From nobody Sat Mar  9 11:23:03 2019
Return-Path: <bernie@ietf.hoeneisen.ch>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD233130E0A for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 11:22:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bIv4QKdYm1LN for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 11:22:47 -0800 (PST)
Received: from softronics.hoeneisen.ch (softronics.hoeneisen.ch [62.2.86.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84D7F12796F for <spasm@ietf.org>; Sat,  9 Mar 2019 11:22:46 -0800 (PST)
Received: from localhost ([127.0.0.1]) by softronics.hoeneisen.ch with esmtp (Exim 4.86_2) (envelope-from <bernie@ietf.hoeneisen.ch>) id 1h2hYR-0003NH-I7 for spasm@ietf.org; Sat, 09 Mar 2019 20:22:43 +0100
Date: Sat, 9 Mar 2019 20:22:43 +0100 (CET)
From: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
X-X-Sender: bhoeneis@softronics.hoeneisen.ch
To: IETF LAMPS WG <spasm@ietf.org>
Message-ID: <alpine.DEB.2.20.1903092012060.25367@softronics.hoeneisen.ch>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: bernie@ietf.hoeneisen.ch
X-SA-Exim-Scanned: No (on softronics.hoeneisen.ch); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/jbVJSJYV3SvqFQi1VsNQf_0AoSc>
Subject: [lamps] New Version Notification for draft-luck-lamps-pep-header-protection-00.txt (fwd)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 19:23:02 -0000

Dear LAMPS WG

We have just submitted a new I-D on Header Protection.

It contains the Use Cases and a list of requirements to base the
discussion on. Furthermore it shares implementation experience with
Header Protection that pEp (pretty Easy privacy) has gained over the past
years.

@LAMPS chairs: Are we ready to have an initial requirements discussion on 
Header protection in LAMPS@Prague?

cheers,
  Bernie

---------- Forwarded message ----------
Date: Fri, 8 Mar 2019 23:42:43
From: internet-drafts@ietf.org
To: Claudio Luck <claudio.luck@pep.foundation>,
     Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
Subject: New Version Notification for
     draft-luck-lamps-pep-header-protection-00.txt


A new version of I-D, draft-luck-lamps-pep-header-protection-00.txt
has been successfully submitted by Bernie Hoeneisen and posted to the
IETF repository.

Name:		draft-luck-lamps-pep-header-protection
Revision:	00
Title:		pretty Easy privacy (pEp): Header Protection
Document date:	2019-03-08
Group:		Individual Submission
Pages:		24
URL:            https://www.ietf.org/internet-drafts/draft-luck-lamps-pep-header-protection-00.txt
Status:         https://datatracker.ietf.org/doc/draft-luck-lamps-pep-header-protection/
Htmlized:       https://tools.ietf.org/html/draft-luck-lamps-pep-header-protection-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-luck-lamps-pep-header-protection


Abstract:
    Issues with email header protection in S/MIME have been recently
    raised in the IETF LAMPS Working Group.  The need for amendments to
    the existing specification regarding header protection was expressed.

    The pretty Easy privacy (pEp) implementations currently use a
    mechanism quite similar to the currently standardized message
    wrapping for S/MIME.  The main difference is that pEp is using PGP/
    MIME instead.  In LAMPS also voices have been expressed, that
    whatever mechanism will be chosen, it should not be limited to
    S/MIME, but also applied to PGP/MIME.

    This document aims to contribute to this discussion and share pEp
    implementation experience with email header protection.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


From nobody Sat Mar  9 15:17:36 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84E99129570 for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 15:17:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rpl7vRY3aszG for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 15:17:32 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CFD4127968 for <spasm@ietf.org>; Sat,  9 Mar 2019 15:17:32 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 63894300A42 for <spasm@ietf.org>; Sat,  9 Mar 2019 17:59:14 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id pxhZqPVtqSBp for <spasm@ietf.org>; Sat,  9 Mar 2019 17:59:13 -0500 (EST)
Received: from [10.196.217.15] (3-197.icannmeeting.org [199.91.197.3]) by mail.smeinc.net (Postfix) with ESMTPSA id B44AF300471; Sat,  9 Mar 2019 17:59:12 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <alpine.DEB.2.20.1903092012060.25367@softronics.hoeneisen.ch>
Date: Sat, 9 Mar 2019 18:17:27 -0500
Cc: IETF LAMPS WG <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A82BF291-A696-4BCD-A033-E44C93CEEA7E@vigilsec.com>
References: <alpine.DEB.2.20.1903092012060.25367@softronics.hoeneisen.ch>
To: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dYNhlxnHhDY8qDN_TEykdBn3wZY>
Subject: Re: [lamps] New Version Notification for draft-luck-lamps-pep-header-protection-00.txt (fwd)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 23:17:35 -0000

Bernie:
>
> We have just submitted a new I-D on Header Protection.
>
> It contains the Use Cases and a list of requirements to base the discussion on. Furthermore it shares implementation experience with Header Protection that pEp (pretty Easy privacy) has gained over the past years.
>
> @LAMPS chairs: Are we ready to have an initial requirements discussion on Header protection in LAMPS@Prague?

The IESG has not approved the re-charter yet.

I can add this to the agenda, but it needs to come after the topics that are in the charter.  It should come before topics that have not been requested to be added to the charter already.

Russ


From nobody Sat Mar  9 21:27:16 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A15541274D0 for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 21:27:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DRGeN1zjwT1q for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 21:27:10 -0800 (PST)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E097126DFA for <spasm@ietf.org>; Sat,  9 Mar 2019 21:27:09 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR02.isaracorp.com) ([10.5.9.20]) by ip2.isaracorp.com with ESMTP; 10 Mar 2019 05:27:07 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Sun, 10 Mar 2019 00:27:07 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Sun, 10 Mar 2019 00:27:07 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
Thread-Index: AQHUzgL4B8nMv8e3gk6J29Pq8ccSVaXyvj+AgABwIYCAAQyKgIAJDLAAgABoHID//7RwAIAAaHAAgAabL4A=
Date: Sun, 10 Mar 2019 05:27:07 +0000
Message-ID: <C4E8068B-357C-4E29-A21B-DA75D3F1F93A@isara.com>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com> <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com> <0A9C77AE-0461-4270-A91D-82553D443179@isara.com> <015401d4d37b$f7673000$e6359000$@augustcellars.com> <BE868716-27FA-4509-972C-EBC57AC64EB4@isara.com> <017d01d4d38a$675cf580$3616e080$@augustcellars.com>
In-Reply-To: <017d01d4d38a$675cf580$3616e080$@augustcellars.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_C4E8068B357C4E29A21BDA75D3F1F93Aisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/EtYOyizjonEOPrNB21-ouiKBThM>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2019 05:27:14 -0000

--_000_C4E8068B357C4E29A21BDA75D3F1F93Aisaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_C4E8068B357C4E29A21BDA75D3F1F93Aisaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <358DFE86D0C30343B636859FB52BAF47@isara.com>
Content-Transfer-Encoding: base64
--_000_C4E8068B357C4E29A21BDA75D3F1F93Aisaracom_--


From nobody Sat Mar  9 22:17:32 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3D781274D0 for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 22:17:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F_3WgtmbXjng for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 22:17:27 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42615126DFA for <spasm@ietf.org>; Sat,  9 Mar 2019 22:17:27 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 521A1300ADA for <spasm@ietf.org>; Sun, 10 Mar 2019 00:59:09 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 1VeT6wortdLU for <spasm@ietf.org>; Sun, 10 Mar 2019 00:59:05 -0500 (EST)
Received: from [10.196.217.15] (3-197.icannmeeting.org [199.91.197.3]) by mail.smeinc.net (Postfix) with ESMTPSA id 61A783004B0; Sun, 10 Mar 2019 00:59:00 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <43304DDE-3E5E-406A-ADC3-41185656AEF5@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_428A8DBA-CE6F-415C-A619-C52F1BF5C4A1"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Sun, 10 Mar 2019 01:17:12 -0500
In-Reply-To: <C4E8068B-357C-4E29-A21B-DA75D3F1F93A@isara.com>
Cc: Jim Schaad <ietf@augustcellars.com>, SPASM <spasm@ietf.org>
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com> <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com> <0A9C77AE-0461-4270-A91D-82553D443179@isara.com> <015401d4d37b$f7673000$e6359000$@augustcellars.com> <BE868716-27FA-4509-972C-EBC57AC64EB4@isara.com> <017d01d4d38a$675cf580$3616e080$@augustcellars.com> <C4E8068B-357C-4E29-A21B-DA75D3F1F93A@isara.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PFrUdslMUafZuJiUeIHvrpu9OVc>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2019 06:17:31 -0000

--Apple-Mail=_428A8DBA-CE6F-415C-A619-C52F1BF5C4A1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Daniel:

> Thanks for the clarification for me below, Jim.
>
> Given that information, I wonder if it’s possible to misinterpret some parts of cms-hash-sig.
>
> In section 3:
>
>    The signature value is a large OCTET STRING.  The signature format is
>    designed for easy parsing.  Each format includes a counter and type
>    codes that indirectly providing all of the information that is needed
>    to parse the value during signature validation.
>
> I think this paragraph is talking about the signature value as returned by the HSS algorithm.  In this case it’s not an OCTET STRING (i.e. the ASN.1 structure), but just an octet string. Referring to it as an OCTET STRING could result in confusion as to whether it’s double wrapped in ASN.1.

In RFC 5280 and X.509, the signature on a certificate is defined as:

   Certificate  ::=  SEQUENCE  {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING  }

This is the BIT STRING that Jim is talking about in his message.

In RFC 5652, the signature appears in SignerInfo:

      SignerInfo ::= SEQUENCE {
        version CMSVersion,
        sid SignerIdentifier,
        digestAlgorithm DigestAlgorithmIdentifier,
        signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
        signatureAlgorithm SignatureAlgorithmIdentifier,
        signature SignatureValue,
        unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }

      SignatureValue ::= OCTET STRING

This is the OCTET STRING that is being referenced in the quoted text.

> Similarly in section 4:
>
>    The public key value is an OCTET STRING.  Like the signature format,
>    it is designed for easy parsing.  The value is the number of levels
>    in the public key, L, followed by the LMS public key.
>
> While HSS-LMS-HashSig-PublicKey is actually an OCTET STRING, I think
> this paragraph is referring to the public key as processed by HSS and so
> should be an octet string.

That text is referring to this part of the ASN.1:

   HSS-LMS-HashSig-PublicKey ::= OCTET STRING

Russ


> On 2019-03-05, 2:34 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:
>
> From: Daniel Van Geest <Daniel.VanGeest@isara.com>
> Sent: Tuesday, March 5, 2019 10:20 AM
> To: Jim Schaad <ietf@augustcellars.com>; 'Russ Housley' <housley@vigilsec.com>
> Cc: 'SPASM' <spasm@ietf.org>
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
>
> On 2019-03-05, 12:50 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:
>
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Van Geest
> Sent: Tuesday, March 5, 2019 8:38 AM
> To: Russ Housley <housley@vigilsec.com>; Jim Schaad <ietf@augustcellars.com>
> Cc: SPASM <spasm@ietf.org>
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
>
> I’m working to align x509-hash-sigs draft and implementations with this
> one.  There’s something in cms-hash-sigs that I’d like clarification on
> to understand the implications.
>
> The ASN.1 module defines:
>
>       pk-HSS-LMS-HashSig PUBLIC-KEY ::= {
>           IDENTIFIER id-alg-hss-lms-hashsig
>           KEY HSS-LMS-HashSig-PublicKey
>           PARAMS ARE absent
>           CERT-KEY-USAGE
>             { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }
>
>       HSS-LMS-HashSig-PublicKey ::= OCTET STRING
>
> Specifically, the public key is an OCTET STRING. The actual public key
> is “u32str(L) || lms_public_key”, so essentially an opaque octet string.
>
> What are the implications in x.509 of defining
> “HSS-LMS-HashSig-PublicKey ::= OCTET STRING”?  Does this mean that in
> the Subject Public Key Info attribute, the HSS public key would be
> encoded as an OCTET STRING which is then wrapped in a BIT STRING
> encoding? (as opposed to a BIT STRING encoding of the raw
> “u32str(L) || lms_public_key” octet string).
>
> The closest I could find to this situation is Ed25519/Ed448 since those
> public keys are also just raw octet strings (32 octets in 25519).  But
> the ASN.1 module for RFC 8410 specifies “-- KEY no ASN.1 wrapping --”
> within PUBLIC-KEY:
>
>     pk-Ed25519 PUBLIC-KEY ::= {
>         IDENTIFIER id-Ed25519
>         -- KEY no ASN.1 wrapping --
>         PARAMS ARE absent
>         CERT-KEY-USAGE {digitalSignature, nonRepudiation,
>                         keyCertSign, cRLSign}
>         PRIVATE-KEY CurvePrivateKey
>     }
>
> I’m not an ASN.1 expert, so could someone explain the difference? Is the
> “no wrapping” there because the public key is raw octets? And then
> whoever encodes the public only applies their own encoding (if any) of
> the octets.  Does it have to do with the fact that the public key can be
> easily derived from the private key?  Is my assumption correct that a
> SPKI encoding of an HSS key would be a BIT STRING encoding of an ASN.1
> OCTET STRING encoding of the raw octets?
>
> [JLS] As I read this what you have deduced is correct.  For Ed25519 the
> public key is directly wrapped in the BIT STRING with no additional
> encoding.  For the hash sig public key the public key is wrapped in an
> OCTET STRING which is then wrapped in the BIT STRING.
>
> As a general rule, I prefer having the extra layer of ASN.1 encoding
> because a lot of decoders assume that there is going to be that layer
> when processing certificates.  However, I did not write the initial
> versions of the Edwards draft and thus I just used the encoding that was
> there rather than writing it as I would prefer.
>
> [DVG] Do you prefer this general rule for the signature as well?  In
> X.509 would you prefer the raw signature octets wrapped in an OCTET
> STRING wrapped in a BIT STRING?  How would this work in CMS where the
> signature field within the SignerInfo is already defined as an OCTET
> string? Wouldn’t the rule imply the raw HSS octet string wrapped in an
> OCTET STRING wrapped in an OCTET STRING? That’s not how I’m reading
> cms-hash-sigs, e.g. section 5:
>
>       signature contains the single HSS signature value resulting from
>          the signing operation as specified in [HASHSIG].
>
> And `signature` already being defined as an OCTET STRING makes this read
> to me as a single wrapping.
>
> [JLS] Signatures have traditionally always been the raw bytes.  The
> difference is that frequently public and private keys have had ASN.1
> structure wrapped around them while signatures have not.  For an example
> look at how RSA is done.
>
> Jim
>
> Thanks,
> Daniel
>
> Jim
>
> Thanks,
> Daniel
>
> On 2019-02-27, 12:27 PM, "Spasm on behalf of Russ Housley"
> <spasm-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:
>
> Jim:
>
> You are correct.  I missed this when I made the last update.  I will
> make the change now in my edit buffer.  I'll post it along with any
> other changes that result from IETF Last Call.
>
> Russ
>
> On Feb 26, 2019, at 8:25 PM, Jim Schaad <ietf@augustcellars.com> wrote:
> I have a small change to request.  I am happy if you deal with it at a later
> date as long as it does not get lost.
> In the ASN.1 module, the SIGNATURE-ALGORITHM definition should have an empty
> or absent HASHES field.  There are no hash functions which are to be applied
> prior to given the input to the signing function.  This would match what I
> did for EdDSA.
> Jim
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Tuesday, February 26, 2019 10:44 AM
> To: SPASM <spasm@ietf.org>
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
> This removes the extraneous paragraph that was pointed out by Daniel.
> I believe that all comments have been resolved, and the document is now
> ready to go to the IESG.
> Russ
> On Feb 26, 2019, at 1:41 PM, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Limited Additional Mechanisms for PKIX
> and SMIME WG of the IETF.
>        Title           : Use of the HSS/LMS Hash-based Signature
>                          Algorithm in the Cryptographic Message Syntax (CMS)
>        Author          : Russ Housley
>        Filename        : draft-ietf-lamps-cms-hash-sig-06.txt
>        Pages           : 14
>        Date            : 2019-02-26
> Abstract:
>   This document specifies the conventions for using the the HSS/LMS
>   hash-based signature algorithm with the Cryptographic Message Syntax
>   (CMS).  In addition, the algorithm identifier and public key syntax
>   are provided.  The HSS/LMS algorithm is one form of hash-based
>   digital signature; it is described in [HASHSIG].
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
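
Added example (not part of the original message, and not code from the draft or its authors): a minimal DER sketch of the two subjectPublicKey encodings discussed in this thread, an OCTET STRING inside the BIT STRING versus the raw key directly inside the BIT STRING, with a strict decoder that tells them apart. The OIDs are the registered values for id-alg-hss-lms-hashsig and id-Ed25519; the function names and the sample key bytes are constructed for illustration.

```python
import struct

OID_HSS_LMS = "1.2.840.113549.1.9.16.3.17"  # id-alg-hss-lms-hashsig
OID_ED25519 = "1.3.101.112"                 # id-Ed25519 (RFC 8410)

# Constructed sample key: u32str(L) with L = 1, then 56 filler octets standing
# in for lms_public_key (not a real key).
SAMPLE_HSS_KEY = struct.pack(">I", 1) + bytes(range(56))

def tlv(tag, content):
    """DER-encode one TLV with a minimal definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def enc_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER given in dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); reject truncated or non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def build_spki(oid, raw_key, octet_wrapped):
    """SubjectPublicKeyInfo with absent parameters; optionally wrap the key in
    an OCTET STRING before placing it in the BIT STRING."""
    alg = tlv(0x30, enc_oid(oid))
    inner = tlv(0x04, raw_key) if octet_wrapped else raw_key
    return tlv(0x30, alg + tlv(0x03, b"\x00" + inner))  # 0x00 = no unused bits

def spki_bits(spki, expected_oid):
    """Return the subjectPublicKey BIT STRING payload after strict checks."""
    tag, body, end = read_tlv(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("expected exactly one SEQUENCE")
    tag, alg, pos = read_tlv(body)
    if tag != 0x30 or alg != enc_oid(expected_oid):
        raise ValueError("unexpected algorithm, or parameters present")
    tag, bits, end = read_tlv(body, pos)
    if tag != 0x03 or end != len(body) or bits[:1] != b"\x00":
        raise ValueError("bad subjectPublicKey BIT STRING")
    return bits[1:]

def hss_key_from_spki(spki):
    """Return (form, L, key). A raw key starts with u32str(L), so its first
    octet is 0x00 (RFC 8554 limits L to 1..8); a leading 0x04 is the wrapper."""
    payload, form = spki_bits(spki, OID_HSS_LMS), "raw"
    if payload[:1] == b"\x04":
        tag, inner, end = read_tlv(payload)
        if end != len(payload):
            raise ValueError("trailing data after OCTET STRING")
        payload, form = inner, "octet-string-wrapped"
    if len(payload) < 4:
        raise ValueError("key too short for u32str(L)")
    (levels,) = struct.unpack(">I", payload[:4])
    if not 1 <= levels <= 8:
        raise ValueError("implausible L: %d" % levels)
    return form, levels, payload

def naive_levels(spki):
    """What a decoder that assumes no wrapper reads as L."""
    return struct.unpack(">I", spki_bits(spki, OID_HSS_LMS)[:4])[0]

if __name__ == "__main__":
    for wrapped in (True, False):
        spki = build_spki(OID_HSS_LMS, SAMPLE_HSS_KEY, wrapped)
        print(hss_key_from_spki(spki)[:2], "naive L =", naive_levels(spki))
```

A decoder that assumes the unwrapped form reads the OCTET STRING tag and length octets as the top of L, which is why the two readings of the ASN.1 module do not interoperate.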

--Apple-Mail=_428A8DBA-CE6F-415C-A619-C52F1BF5C4A1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D"">Daniel:<div class=3D""><br class=3D""><div><blockquote =
type=3D"cite" class=3D""><span style=3D"font-family: Calibri, =
sans-serif; font-size: 11pt;" class=3D"">Thanks for the clarification =
for me below, Jim.</span><br class=3D""><div class=3D""><div =
class=3D"WordSection1" style=3D"page: WordSection1; caret-color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><o:p =
class=3D"">&nbsp;</o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">Given =
that information, I wonder if it=E2=80=99s possible to misinterpret some =
parts of cms-hash-sig.<o:p class=3D""></o:p></div><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><o:p class=3D"">&nbsp;</o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">In section 3:<o:p class=3D""></o:p></div><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><o:p class=3D"">&nbsp;</o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><span style=3D"font-size: 10pt; font-family: &quot;Courier =
New&quot;;" class=3D"">&nbsp;&nbsp; The signature value is a large OCTET =
STRING.&nbsp; The signature format is<o:p =
class=3D""></o:p></span></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><span =
style=3D"font-size: 10pt; font-family: &quot;Courier New&quot;;" =
class=3D"">&nbsp;&nbsp; designed for easy parsing.&nbsp; Each format =
includes a counter and type<o:p class=3D""></o:p></span></div><div =
style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><span style=3D"font-size: 10pt; =
font-family: &quot;Courier New&quot;;" class=3D"">&nbsp;&nbsp; codes =
that indirectly providing all of the information that is needed<o:p =
class=3D""></o:p></span></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><span =
style=3D"font-size: 10pt; font-family: &quot;Courier New&quot;;" =
class=3D"">&nbsp;&nbsp; to parse the value during signature =
validation.<o:p class=3D""></o:p></span></div><div style=3D"margin: 0cm =
0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><o:p class=3D"">&nbsp;</o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">I think this paragraph is talking about the signature value =
as returned by the HSS algorithm.&nbsp; In this case it=E2=80=99s not an =
OCTET STRING (i.e. the ASN.1 structure), but just an octet string. =
Referring to it as an OCTET STRING could result in confusion as to =
whether it=E2=80=99s double wrapped in =
ASN.1.</div></div></div></blockquote><div><br class=3D""></div>In RFC =
5280 and X.509, the signature on a certificate is defined =
as:</div><div><br class=3D""></div><div><div>&nbsp; &nbsp;Certificate =
&nbsp;::=3D &nbsp;SEQUENCE &nbsp;{</div><div>&nbsp; &nbsp; &nbsp; &nbsp; =
tbsCertificate &nbsp; &nbsp; &nbsp; TBSCertificate,</div><div>&nbsp; =
&nbsp; &nbsp; &nbsp; signatureAlgorithm &nbsp; =
AlgorithmIdentifier,</div><div>&nbsp; &nbsp; &nbsp; &nbsp; =
signatureValue &nbsp; &nbsp; &nbsp; BIT STRING &nbsp;}</div><div><br =
class=3D""></div><div>This is the BIT STRING that Jim is talking about =
in his message.</div><div><br class=3D""></div><div>In RFC 5652, the =
signature appears in SignerInfo:</div><div><br =
class=3D""></div><div><div>&nbsp; &nbsp; &nbsp; SignerInfo ::=3D =
SEQUENCE {</div><div>&nbsp; &nbsp; &nbsp; &nbsp; version =
CMSVersion,</div><div>&nbsp; &nbsp; &nbsp; &nbsp; sid =
SignerIdentifier,</div><div>&nbsp; &nbsp; &nbsp; &nbsp; digestAlgorithm =
DigestAlgorithmIdentifier,</div><div>&nbsp; &nbsp; &nbsp; &nbsp; =
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,</div><div>&nbsp; =
&nbsp; &nbsp; &nbsp; signatureAlgorithm =
SignatureAlgorithmIdentifier,</div><div>&nbsp; &nbsp; &nbsp; &nbsp; =
signature SignatureValue,</div><div>&nbsp; &nbsp; &nbsp; &nbsp; =
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }</div><div><br =
class=3D""></div><div>&nbsp; &nbsp; &nbsp; SignatureValue ::=3D OCTET =
STRING</div><div><br class=3D""></div><div>This is the OCTET STRING that =
is being referenced in the quoted text.</div></div><div><br =
class=3D""></div><blockquote type=3D"cite" class=3D""><div =
class=3D"WordSection1" style=3D"page: WordSection1; caret-color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">Similarly =
in section 4:<o:p class=3D""></o:p></div><div style=3D"margin: 0cm 0cm =
0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><o:p class=3D"">&nbsp;</o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><span style=3D"font-size: 10pt; font-family: &quot;Courier =
New&quot;;" class=3D"">&nbsp;&nbsp; The public key value is an OCTET =
STRING.&nbsp; Like the signature format,<o:p =
class=3D""></o:p></span></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><span =
style=3D"font-size: 10pt; font-family: &quot;Courier New&quot;;" =
class=3D"">&nbsp;&nbsp; it is designed for easy parsing.&nbsp; The value =
is the number of levels<o:p class=3D""></o:p></span></div><div =
style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><span style=3D"font-size: 10pt; =
font-family: &quot;Courier New&quot;;" class=3D"">&nbsp;&nbsp; in the =
public key, L, followed by the LMS public key.<o:p =
class=3D""></o:p></span></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><o:p =
class=3D"">&nbsp;</o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">While =
HSS-LMS-HashSig-PublicKey is actually an OCTET STRING, I think this =
paragraph is referring to the public key as processed by HSS and so =
should be an octet string.</div></div></blockquote><div><br =
class=3D""></div>That test is referring to this part of the =
ASN.1:</div><div><br class=3D""></div><div><div>&nbsp; =
&nbsp;HSS-LMS-HashSig-PublicKey ::=3D OCTET STRING</div><div =
class=3D""><br class=3D""></div><div class=3D"">Russ</div><div =
class=3D""><br class=3D""></div><div class=3D""><br =
class=3D""></div><blockquote type=3D"cite" class=3D""><div =
class=3D"WordSection1" style=3D"page: WordSection1; caret-color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><div class=3D""><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">On 2019-03-05, 2:34 PM, "Jim Schaad" =
&lt;<a href=3D"mailto:ietf@augustcellars.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">ietf@augustcellars.com</a>&gt; =
wrote:<o:p class=3D""></o:p></div></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><o:p =
class=3D"">&nbsp;</o:p></div></div><div style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt 36pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div><div style=3D"border-style: =
none none none solid; border-left-width: 1.5pt; border-left-color: blue; =
padding: 0cm 0cm 0cm 4pt;" class=3D""><div class=3D""><div =
style=3D"border-style: solid none none; border-top-width: 1pt; =
border-top-color: rgb(225, 225, 225); padding: 3pt 0cm 0cm;" =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; =
font-family: Calibri, sans-serif;" class=3D""><b class=3D"">From:</b><span=
 class=3D"Apple-converted-space">&nbsp;</span>Daniel Van Geest &lt;<a =
href=3D"mailto:Daniel.VanGeest@isara.com" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">Daniel.VanGeest@isara.com</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><b =
class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 5, 2019 =
10:20 AM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">ietf@augustcellars.com</a>&gt;; =
'Russ Housley' &lt;<a href=3D"mailto:housley@vigilsec.com" style=3D"color:=
 purple; text-decoration: underline;" =
class=3D"">housley@vigilsec.com</a>&gt;<br class=3D""><b =
class=3D"">Cc:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>'SPASM' &lt;<a =
href=3D"mailto:spasm@ietf.org" style=3D"color: purple; text-decoration: =
underline;" class=3D"">spasm@ietf.org</a>&gt;<br class=3D""><b =
class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Re: [lamps] I-D Action: =
draft-ietf-lamps-cms-hash-sig-06.txt<o:p =
class=3D""></o:p></div></div></div><div style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt 36pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt 36pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div><div class=3D""><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; =
font-family: Calibri, sans-serif;" class=3D"">On 2019-03-05, 12:50 PM, =
"Jim Schaad" &lt;<a href=3D"mailto:ietf@augustcellars.com" style=3D"color:=
 purple; text-decoration: underline;" =
class=3D"">ietf@augustcellars.com</a>&gt; wrote:<o:p =
class=3D""></o:p></div></div></div><div class=3D""><div style=3D"margin: =
0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: Calibri, =
sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"border-style: none none none solid; border-left-width: 1.5pt; =
border-left-color: blue; padding: 0cm 0cm 0cm 4pt;" class=3D""><div =
class=3D""><div style=3D"border-style: solid none none; =
border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: =
3pt 0cm 0cm;" class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 72pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><b =
class=3D"">From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">spasm-bounces@ietf.org</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><b class=3D"">On Behalf =
Of<span class=3D"Apple-converted-space">&nbsp;</span></b>Daniel Van =
Geest<br class=3D""><b class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 5, 2019 8:38 =
AM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Russ Housley &lt;<a =
href=3D"mailto:housley@vigilsec.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">housley@vigilsec.com</a>&gt;; =
Jim Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">ietf@augustcellars.com</a>&gt;<br class=3D""><b =
class=3D"">Cc:</b><span class=3D"Apple-converted-space">&nbsp;</span>SPASM=
 &lt;<a href=3D"mailto:spasm@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">spasm@ietf.org</a>&gt;<br =
class=3D""><b class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Re: [lamps] I-D Action: =
draft-ietf-lamps-cms-hash-sig-06.txt<o:p =
class=3D""></o:p></div></div></div><div style=3D"margin: 0cm 0cm =
0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">I=E2=80=99m working to align x509-hash-sigs draft and =
implementations with this one.&nbsp; There=E2=80=99s something in =
cms-hash-sigs that I=E2=80=99d like clarification on to understand the =
implications.<o:p class=3D""></o:p></div><div style=3D"margin: 0cm 0cm =
0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">The ASN.1 module defines:<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><span style=3D"font-size: 10pt; =
font-family: &quot;Courier New&quot;;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pk-HSS-LMS-HashSig PUBLIC-KEY =
::=3D {</span><o:p class=3D""></o:p></div><div style=3D"margin: 0cm 0cm =
0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><span style=3D"font-size: 10pt; font-family: &quot;Courier =
New&quot;;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
IDENTIFIER id-alg-hss-lms-hashsig</span><o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><span style=3D"font-size: 10pt; =
font-family: &quot;Courier New&quot;;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; KEY =
HSS-LMS-HashSig-PublicKey</span><o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><span style=3D"font-size: 10pt; =
font-family: &quot;Courier New&quot;;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PARAMS =
ARE absent</span><o:p class=3D""></o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><span style=3D"font-size: 10pt; font-family: &quot;Courier =
New&quot;;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
CERT-KEY-USAGE</span><o:p class=3D""></o:p></div><div style=3D"margin: =
0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: Calibri, =
sans-serif;" class=3D""><span style=3D"font-size: 10pt; font-family: =
&quot;Courier New&quot;;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; { digitalSignature, nonRepudiation, keyCertSign, cRLSign } =
}</span><o:p class=3D""></o:p></div><div style=3D"margin: 0cm 0cm =
0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><span style=3D"font-size: 10pt; font-family: &quot;Courier =
New&quot;;" class=3D"">&nbsp;</span><o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><span style=3D"font-size: 10pt; =
font-family: &quot;Courier New&quot;;" class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;=
 &nbsp;HSS-LMS-HashSig-PublicKey ::=3D OCTET STRING</span><o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 72pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">&nbsp;<o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 72pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">Specifically, the public key is an OCTET STRING. The actual =
public key is =E2=80=9Cu32str(L) || lms_public_key=E2=80=9D, so =
essentially an opaque octet string.<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">What are the implications in x.509 of =
defining =E2=80=9CHSS-LMS-HashSig-PublicKey ::=3D OCTET STRING=E2=80=9D?&n=
bsp; Does this mean that in the Subject Public Key Info attribute, the =
HSS public key would be encoded as an OCTET STRING which is then wrapped =
in a BIT STRING encoding? (as opposed to a BIT STRING encoding of the =
raw =E2=80=9Cu32str(L) || lms_public_key=E2=80=9D octet string).<o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 72pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">&nbsp;<o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 72pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">The =
closest I could find to this situation is Ed25519/Ed448 since those =
public keys are also just raw octet strings (32 octets in 25519).&nbsp; =
But the ASN.1 module for RFC 8410 specifies =E2=80=9C-- KEY no ASN.1 =
wrapping --=E2=80=9D within PUBLIC-KEY:<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><pre =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 10pt; font-family: =
&quot;Courier New&quot;;" class=3D""><span style=3D"" =
class=3D"">&nbsp;&nbsp;&nbsp; pk-Ed25519 PUBLIC-KEY ::=3D {</span><o:p =
class=3D""></o:p></pre><pre style=3D"margin: 0cm 0cm 0.0001pt 72pt; =
font-size: 10pt; font-family: &quot;Courier New&quot;;" class=3D""><span =
style=3D"" class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
IDENTIFIER id-Ed25519</span><o:p class=3D""></o:p></pre><pre =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 10pt; font-family: =
&quot;Courier New&quot;;" class=3D""><span style=3D"" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- KEY no ASN.1 =
wrapping --</span><o:p class=3D""></o:p></pre><pre style=3D"margin: 0cm =
0cm 0.0001pt 72pt; font-size: 10pt; font-family: &quot;Courier =
New&quot;;" class=3D""><span style=3D"" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PARAMS ARE =
absent</span><o:p class=3D""></o:p></pre><pre style=3D"margin: 0cm 0cm =
0.0001pt 72pt; font-size: 10pt; font-family: &quot;Courier New&quot;;" =
class=3D""><span style=3D"" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CERT-KEY-USAGE =
{digitalSignature, nonRepudiation,</span><o:p class=3D""></o:p></pre><pre =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 10pt; font-family: =
&quot;Courier New&quot;;" class=3D""><span style=3D"" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
; keyCertSign, cRLSign}</span><o:p class=3D""></o:p></pre><pre =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 10pt; font-family: =
&quot;Courier New&quot;;" class=3D""><span style=3D"" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PRIVATE-KEY =
CurvePrivateKey</span><o:p class=3D""></o:p></pre><pre style=3D"margin: =
0cm 0cm 0.0001pt 72pt; font-size: 10pt; font-family: &quot;Courier =
New&quot;;" class=3D""><span style=3D"" class=3D"">&nbsp;&nbsp;&nbsp; =
}</span><o:p class=3D""></o:p></pre><div style=3D"margin: 0cm 0cm =
0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">I=E2=80=99m not an ASN.1 expert, so could someone explain the =
difference? Is the =E2=80=9Cno wrapping=E2=80=9D there because the =
public key is raw octets? And then whoever encodes the public only =
applies their own encoding (if any) of the octets.&nbsp; Does it have to =
do with the fact that the public key can be easily derived from the =
private key?&nbsp; Is my assumption correct that a SPKI encoding of an =
HSS key would be a BIT STRING encoding of an ASN.1 OCTET STRING encoding =
of the raw octets?<o:p class=3D""></o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div><div style=3D"margin: 0cm =
0cm 0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">[JLS] As I read this what you have deduced is correct.&nbsp; =
For Ed25519 the public key is directly wrapped in the BIT STRING with no =
additional encoding.&nbsp; For the hash sig public key the public key is =
wrapped in an OCTET STRING which is then wrapped in the BIT =
STRING.&nbsp;<span class=3D"Apple-converted-space">&nbsp;</span><o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 72pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">&nbsp;<o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 72pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">As a =
general rule, I prefer having the extra layer of ASN.1 encoding because =
a lot of decoders assume that there is going to be that layer when =
processing certificates.&nbsp; However, I did not write the initial =
versions of the Edwards draft and thus I just used the encoding that was =
there rather than writing it as I would prefer.<o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">&nbsp;<o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 41.25pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">[DVG] Do =
you prefer this general rule for the signature as well?&nbsp; In X.509 =
would you prefer the raw signature octets wrapped in an OCTET STRING =
wrapped in a BIT STRING?&nbsp; How would this work in CMS where the =
signature field within the SignerInfo is already defined as an OCTET =
string? Wouldn=E2=80=99t the rule imply the raw HSS octet string wrapped =
in an OCTET STRING wrapped in an OCTET STRING? That=E2=80=99s not how =
I=E2=80=99m reading cms-hash-sigs, e.g. section 5:<br class=3D""><br =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; signature contains the single =
HSS signature value resulting from<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; the signing =
operation as specified in [HASHSIG].<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">And `signature` already being defined =
as an OCTET STRING makes this read to me as a single wrapping.<o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">&nbsp;<o:p =
class=3D""></o:p></div><div style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">[JLS] =
Signatures have traditionally always been the raw bytes.&nbsp; The =
difference is that frequently public and private keys have had ASN.1 =
structure wrapped around them while signatures have not.&nbsp; For an =
example look at how RSA is done.<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">Jim<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">Thanks,<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">Daniel<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">Jim<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">Thanks,<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">Daniel<o:p class=3D""></o:p></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div><div =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">On =
2019-02-27, 12:27 PM, "Spasm on behalf of Russ Housley" &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">spasm-bounces@ietf.org</a><span =
class=3D"Apple-converted-space">&nbsp;</span>on behalf of<span =
class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"mailto:housley@vigilsec.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">housley@vigilsec.com</a>&gt; =
wrote:<o:p class=3D""></o:p></div></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">Jim:<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">You are correct.&nbsp;&nbsp;I missed this when I made the =
last update.&nbsp;&nbsp;I will make the change now in my edit =
buffer.&nbsp;&nbsp;I'll post it along with any other changes that result =
from IETF Last Call.<o:p class=3D""></o:p></div></div><div class=3D""><div=
 style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">Russ<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;<o:p class=3D""></o:p></div></div><blockquote =
id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"border-style: none =
none none solid; border-left-width: 4.5pt; border-left-color: rgb(181, =
196, 223); padding: 0cm 0cm 0cm 4pt; margin: 5pt 0cm 5pt 3.75pt;" =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">On Feb =
26, 2019, at 8:25 PM, Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">ietf@augustcellars.com</a>&gt; =
wrote:<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">I have a small change to =
request.&nbsp;&nbsp;I am happy if you deal with it at a later<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">date as long as it does not get lost.<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">In the ASN.1 module, the SIGNATURE-ALGORITHM definition =
should have an empty<o:p class=3D""></o:p></div></div><div class=3D""><div=
 style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">or absent HASHES =
field.&nbsp;&nbsp;There are no hash functions which are to be =
applied<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">prior to giving the input to the signing =
function.&nbsp;&nbsp;This would match what I<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">did for EdDSA.<o:p class=3D""></o:p></div></div><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D"">Jim<o:p =
class=3D""></o:p></div></div><blockquote =
id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"border-style: none =
none none solid; border-left-width: 4.5pt; border-left-color: rgb(181, =
196, 223); padding: 0cm 0cm 0cm 4pt; margin: 5pt 0cm 5pt 3.75pt;" =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">-----Original Message-----<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">From: Spasm &lt;<a href=3D"mailto:spasm-bounces@ietf.org" =
style=3D"color: purple; text-decoration: underline;" =
class=3D"">spasm-bounces@ietf.org</a>&gt; On Behalf Of Russ Housley<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">Sent: Tuesday, February 26, 2019 10:44 AM<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">To: SPASM &lt;<a href=3D"mailto:spasm@ietf.org" style=3D"color:=
 purple; text-decoration: underline;" =
class=3D"">spasm@ietf.org</a>&gt;<o:p class=3D""></o:p></div></div><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D"">Subject: Re: [lamps] =
I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">This removes the extraneous paragraph that was pointed out by =
Daniel.<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">I believe that all comments have been =
resolved, and the document is now<o:p class=3D""></o:p></div></div><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D"">ready to go to the =
IESG.<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">Russ<o:p =
class=3D""></o:p></div></div><blockquote =
id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"border-style: none =
none none solid; border-left-width: 4.5pt; border-left-color: rgb(181, =
196, 223); padding: 0cm 0cm 0cm 4pt; margin: 5pt 0cm 5pt 3.75pt;" =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">On Feb =
26, 2019, at 1:41 PM,<span class=3D"Apple-converted-space">&nbsp;</span><a=
 href=3D"mailto:internet-drafts@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">internet-drafts@ietf.org</a><span =
class=3D"Apple-converted-space">&nbsp;</span>wrote:<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">A New Internet-Draft is available from the on-line =
Internet-Drafts<o:p class=3D""></o:p></div></div></blockquote><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D"">directories.<o:p =
class=3D""></o:p></div></div><blockquote =
id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"border-style: none =
none none solid; border-left-width: 4.5pt; border-left-color: rgb(181, =
196, 223); padding: 0cm 0cm 0cm 4pt; margin: 5pt 0cm 5pt 3.75pt;" =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">This =
draft is a work item of the Limited Additional Mechanisms for PKIX<o:p =
class=3D""></o:p></div></div></blockquote></blockquote><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D"">and<o:p =
class=3D""></o:p></div></div><blockquote =
id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"border-style: none =
none none solid; border-left-width: 4.5pt; border-left-color: rgb(181, =
196, 223); padding: 0cm 0cm 0cm 4pt; margin: 5pt 0cm 5pt 3.75pt;" =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">SMIME WG =
of the IETF.<o:p class=3D""></o:p></div></div><blockquote =
id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"border-style: none =
none none solid; border-left-width: 4.5pt; border-left-color: rgb(181, =
196, 223); padding: 0cm 0cm 0cm 4pt; margin: 5pt 0cm 5pt 3.75pt;" =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Title&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Use =
of the HSS/LMS Hash-based Signature<o:p =
class=3D""></o:p></div></div></blockquote></blockquote><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D"">Algorithm in the<o:p =
class=3D""></o:p></div></div><blockquote =
id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"border-style: none =
none none solid; border-left-width: 4.5pt; border-left-color: rgb(181, =
196, 223); padding: 0cm 0cm 0cm 4pt; margin: 5pt 0cm 5pt 3.75pt;" =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">Cryptographic Message Syntax (CMS)<o:p =
class=3D""></o:p></div></div><blockquote =
id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"border-style: none =
none none solid; border-left-width: 4.5pt; border-left-color: rgb(181, =
196, 223); padding: 0cm 0cm 0cm 4pt; margin: 5pt 0cm 5pt 3.75pt;" =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Author&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: Russ =
Housley<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><span =
class=3D"apple-tab-span">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span>Filename&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: =
draft-ietf-lamps-cms-hash-sig-06.txt<o:p class=3D""></o:p></div></div><div=
 class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D""><span =
class=3D"apple-tab-span">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span>Pages&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 14<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><span =
class=3D"apple-tab-span">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span>Date&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: 2019-02-26<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">Abstract:<o:p class=3D""></o:p></div></div><div class=3D""><div=
 style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">&nbsp;&nbsp;This document specifies the =
conventions for using the HSS/LMS<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;&nbsp;hash-based signature algorithm with the =
Cryptographic Message Syntax<o:p class=3D""></o:p></div></div><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;&nbsp;(CMS).&nbsp;&nbsp;In addition, the algorithm =
identifier and public key syntax<o:p class=3D""></o:p></div></div><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D"">&nbsp;&nbsp;are =
provided.&nbsp;&nbsp;The HSS/LMS algorithm is one form of hash-based<o:p =
class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">&nbsp;&nbsp;digital signature; it is described in =
[HASHSIG].<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">The IETF datatracker status page for =
this draft is:<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/" =
style=3D"color: purple; text-decoration: underline;" =
class=3D"">https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/=
</a><o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">There are also htmlized versions =
available at:<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><a =
href=3D"https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06" =
style=3D"color: purple; text-decoration: underline;" =
class=3D"">https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06</a=
><o:p class=3D""></o:p></div></div><div class=3D""><div style=3D"margin: =
0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, =
sans-serif;" class=3D""><a =
href=3D"https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-si=
g-06" style=3D"color: purple; text-decoration: underline;" =
class=3D"">https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash=
-sig-06</a><o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">A diff from the previous version is =
available at:<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><a =
href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-lamps-cms-hash-sig-=
06" style=3D"color: purple; text-decoration: underline;" =
class=3D"">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-lamps-cms-hash-s=
ig-06</a><o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">Please note that it may take a couple =
of minutes from the time of<o:p class=3D""></o:p></div></div><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D"">submission until the =
htmlized version and diff are available at<o:p =
class=3D""></o:p></div></div></blockquote></blockquote><div =
class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: =
11pt; font-family: Calibri, sans-serif;" class=3D""><a =
href=3D"http://tools.ietf.org/" style=3D"color: purple; text-decoration: =
underline;" class=3D"">tools.ietf.org</a>.<o:p =
class=3D""></o:p></div></div><blockquote =
id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"border-style: none =
none none solid; border-left-width: 4.5pt; border-left-color: rgb(181, =
196, 223); padding: 0cm 0cm 0cm 4pt; margin: 5pt 0cm 5pt 3.75pt;" =
class=3D""><blockquote id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" =
style=3D"border-style: none none none solid; border-left-width: 4.5pt; =
border-left-color: rgb(181, 196, 223); padding: 0cm 0cm 0cm 4pt; margin: =
5pt 0cm 5pt 3.75pt;" class=3D""><div class=3D""><div style=3D"margin: =
0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: Calibri, =
sans-serif;" class=3D"">Internet-Drafts are also available by anonymous =
FTP at:<o:p class=3D""></o:p></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 108pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><a =
href=3D"ftp://ftp.ietf.org/internet-drafts/" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">ftp://ftp.ietf.org/internet-drafts/</a><o:p =
class=3D""></o:p></div></div></blockquote></blockquote></blockquote></div>=
</div></div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_428A8DBA-CE6F-415C-A619-C52F1BF5C4A1--
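
The wrapping difference discussed in the message above, as an added example that is not part of the thread or of either draft: a small DER encoder and decoder for SubjectPublicKeyInfo that places an Ed25519 key directly in the BIT STRING and an HSS key inside an OCTET STRING inside the BIT STRING, as the thread describes. The function names and the sample key bytes are constructed for illustration; the HSS OID is the id-alg-hss-lms-hashsig value as I know it from the CMS hash-sig specification, not a value taken from this page.

```python
"""Added example: SPKI key wrapping conventions (Ed25519 vs. HSS) in DER."""

ED25519_OID = "1.3.101.112"                  # id-Ed25519
HSS_LMS_OID = "1.2.840.113549.1.9.16.3.17"   # id-alg-hss-lms-hashsig

# Convention per algorithm as described in the thread: True means the raw key
# is wrapped in an OCTET STRING before it is placed in the BIT STRING.
WRAPPED_IN_OCTET_STRING = {ED25519_OID: False, HSS_LMS_OID: True}

# Constructed sample bytes, not real keys. The 32-byte value deliberately
# starts with 04 1e, so it also parses as "OCTET STRING of length 30".
AMBIGUOUS_ED25519_KEY = b"\x04\x1e" + bytes(30)
SAMPLE_HSS_KEY = b"\x00\x00\x00\x01" + bytes(56)   # 60 bytes, constructed


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    if not body:
        raise ValueError("empty OID")
    first = min(body[0] // 40, 2)           # single-byte first subidentifier only
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, off, want_tag):
    """Read one definite-length TLV at off; return (content, next_offset)."""
    if off + 2 > len(buf) or buf[off] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at offset {off}")
    n, off = buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or off + k > len(buf):
            raise ValueError("bad length")
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated value")
    return buf[off:off + n], off + n


def encode_spki(alg_oid, raw_key):
    key = tlv(0x04, raw_key) if WRAPPED_IN_OCTET_STRING[alg_oid] else raw_key
    alg_id = tlv(0x30, encode_oid(alg_oid))               # parameters absent
    return tlv(0x30, alg_id + tlv(0x03, b"\x00" + key))   # 0 unused bits


def decode_spki(der):
    """Return (oid, raw_key); the unwrapping is chosen by OID, never guessed."""
    spki, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after SPKI")
    alg_id, off = read_tlv(spki, 0, 0x30)
    oid_body, after_oid = read_tlv(alg_id, 0, 0x06)
    if after_oid != len(alg_id):
        raise ValueError("parameters must be absent")
    bits, off = read_tlv(spki, off, 0x03)
    if off != len(spki) or not bits or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    alg, key = decode_oid(oid_body), bits[1:]
    if alg not in WRAPPED_IN_OCTET_STRING:
        raise ValueError(f"unknown algorithm {alg}")
    if WRAPPED_IN_OCTET_STRING[alg]:
        payload = key
        key, end = read_tlv(payload, 0, 0x04)
        if end != len(payload):
            raise ValueError("trailing data after OCTET STRING")
    return alg, key


def looks_wrapped(bit_string_payload):
    """Content sniffing, shown only to demonstrate that it is unreliable."""
    try:
        _, end = read_tlv(bit_string_payload, 0, 0x04)
        return end == len(bit_string_payload)
    except ValueError:
        return False
```

A decoder that guesses the convention from the key bytes would strip two bytes from `AMBIGUOUS_ED25519_KEY`; selecting the convention from the algorithm OID avoids that.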


From nobody Sat Mar  9 22:53:15 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29B92126DFA for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 22:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vgEjIrVx0fp7 for <spasm@ietfa.amsl.com>; Sat,  9 Mar 2019 22:53:08 -0800 (PST)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5892A126C15 for <spasm@ietf.org>; Sat,  9 Mar 2019 22:53:07 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR02.isaracorp.com) ([10.5.9.20]) by ip1.isaracorp.com with ESMTP; 10 Mar 2019 06:53:06 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR02.isaracorp.com (10.5.9.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Sun, 10 Mar 2019 01:53:06 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Sun, 10 Mar 2019 01:53:06 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Russ Housley <housley@vigilsec.com>
CC: Jim Schaad <ietf@augustcellars.com>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
Thread-Index: AQHUzgL4B8nMv8e3gk6J29Pq8ccSVaXyvj+AgABwIYCAAQyKgIAJDLAAgABoHID//7RwAIAAaHAAgAabL4CAAFEPAP//xvcA
Date: Sun, 10 Mar 2019 06:53:05 +0000
Message-ID: <9B262F1B-4904-4586-ADCF-3F7DDC1B96EC@isara.com>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com> <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com> <0A9C77AE-0461-4270-A91D-82553D443179@isara.com> <015401d4d37b$f7673000$e6359000$@augustcellars.com> <BE868716-27FA-4509-972C-EBC57AC64EB4@isara.com> <017d01d4d38a$675cf580$3616e080$@augustcellars.com> <C4E8068B-357C-4E29-A21B-DA75D3F1F93A@isara.com> <43304DDE-3E5E-406A-ADC3-41185656AEF5@vigilsec.com>
In-Reply-To: <43304DDE-3E5E-406A-ADC3-41185656AEF5@vigilsec.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_9B262F1B49044586ADCF3F7DDC1B96ECisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rPKd0Nh6sChlwbyJmTeFRtl2bb4>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2019 06:53:11 -0000

--_000_9B262F1B49044586ADCF3F7DDC1B96ECisaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_9B262F1B49044586ADCF3F7DDC1B96ECisaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <3D39F37AE8D86748BC0F18EFE56B9913@isara.com>
Content-Transfer-Encoding: base64

--_000_9B262F1B49044586ADCF3F7DDC1B96ECisaracom_--


From nobody Tue Mar 12 04:31:37 2019
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA045130F1C for <spasm@ietfa.amsl.com>; Tue, 12 Mar 2019 04:31:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHc1rwQt3t0d for <spasm@ietfa.amsl.com>; Tue, 12 Mar 2019 04:31:31 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-eopbgr150073.outbound.protection.outlook.com [40.107.15.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C8C8130DE6 for <spasm@ietf.org>; Tue, 12 Mar 2019 04:31:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector1-siemens-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=heU91VS++/pYfKuuj5Bd91q8sj1X2uVSWVIxUvm0eXU=; b=QbtS71lXr+AL1H/7SQML6Ejk/kgwQwN51d/kIcBaeTi5qE1Yms5trxD+8I5FCmerpiKFztXU2KW12maLx0UKwNyRw5jPs7L+fcBGTRDNsFyg2/ZDjUl+IGCMjxEcXQiRso0VyducjhBq1RZePf9pk9NCeYI/0rplId3MWKkf0bk=
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM (20.177.110.224) by AM0PR10MB2577.EURPRD10.PROD.OUTLOOK.COM (20.178.117.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.13; Tue, 12 Mar 2019 11:31:29 +0000
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::bda2:3903:5a16:c67c]) by AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::bda2:3903:5a16:c67c%4]) with mapi id 15.20.1686.021; Tue, 12 Mar 2019 11:31:29 +0000
From: "hendrik.brockhaus@siemens.com" <hendrik.brockhaus@siemens.com>
To: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: New Version Notification for draft-brockhaus-lamps-industrial-cmp-profile-00.txt
Thread-Index: AQHU1/1SnKzF6+8J4ECSR1DWFlE6v6YGSwrAgAGSnaA=
Date: Tue, 12 Mar 2019 11:31:28 +0000
Message-ID: <AM0PR10MB2402BB549181014D16B36AB5FE490@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
References: <155230360624.16964.16184538358498050453.idtracker@ietfa.amsl.com> <E09739F5AF05A44FAE7BECC7E772E8F20DE1ABE3@DENBGAT9EJ0MSX.ww902.siemens.net>
In-Reply-To: <E09739F5AF05A44FAE7BECC7E772E8F20DE1ABE3@DENBGAT9EJ0MSX.ww902.siemens.net>
Accept-Language: en-US
Content-Language: de-DE
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-document-confidentiality: NotClassified
authentication-results: spf=none (sender IP is ) smtp.mailfrom=hendrik.brockhaus@siemens.com; 
x-originating-ip: [80.146.228.93]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 605017a6-d693-4196-9bf3-08d6a6de4502
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:AM0PR10MB2577; 
x-ms-traffictypediagnostic: AM0PR10MB2577:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <AM0PR10MB25777240AA0EDC0F2C1BE7D2FE490@AM0PR10MB2577.EURPRD10.PROD.OUTLOOK.COM>
x-forefront-prvs: 09749A275C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(396003)(136003)(366004)(376002)(39860400002)(199004)(189003)(53936002)(71190400001)(71200400001)(6916009)(478600001)(7696005)(8676002)(99286004)(97736004)(2351001)(6506007)(55016002)(5640700003)(102836004)(76176011)(9686003)(6436002)(6306002)(81166006)(486006)(2906002)(81156014)(68736007)(14454004)(105586002)(8936002)(446003)(476003)(11346002)(106356001)(33656002)(1730700003)(15650500001)(2501003)(305945005)(26005)(74316002)(66574012)(966005)(6116002)(3846002)(186003)(66066001)(5660300002)(25786009)(316002)(14444005)(256004)(86362001)(7736002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR10MB2577; H:AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: siemens.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: MD2AtcCeMRrG533M1LJrir1M4Wu2KddeirWV0e2LZ2AFFghJZjjm2o6d1LrwvPnfkd1UdfAex1G25NZAKHa0bEh1W++n5ue5mVKIoi0+cqKVeDq0oo5LsAiec6mDM8sVfaZKh6EN3C6qunZ+i+KuYIjkckb/DB2E3x87ZLX85BeRApCv5a6q+0FX2hV4l8jVMB/QWKi4AHaptFDup6ucflfH2VJLiUhP1Bqrp+Os8ILyOPuLzVHmAdSJaydYaqV4zhwOqvJpUV+IoidiFNQlXAAfLuQIT4DKleMwleFhR8zewCXh1b3vmfTEnnG3DIoU7x/nWN6gBwgFyh7D3OszkzFFK0CoBm51Gs/Q5Ip7YQqCUvXBEEOkVVO4ZPuOdkHsZQDSd9HJekSccsLJLwchnlyyGeQ4nO/GxlE2LEMVfn4=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 605017a6-d693-4196-9bf3-08d6a6de4502
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2019 11:31:28.9442 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR10MB2577
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/IkBRoGy1urdz5anKmmMN-uM2pQY>
Subject: [lamps] WG: New Version Notification for draft-brockhaus-lamps-industrial-cmp-profile-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2019 11:31:35 -0000


From nobody Wed Mar 13 11:22:06 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D010A127962 for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 11:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o-qXrU2M-B1j for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 11:22:01 -0700 (PDT)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 634FC1279A1 for <spasm@ietf.org>; Wed, 13 Mar 2019 11:22:01 -0700 (PDT)
Received: from unknown (HELO V0501WEXGPR02.isaracorp.com) ([10.5.9.20]) by ip1.isaracorp.com with ESMTP; 13 Mar 2019 18:22:00 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Wed, 13 Mar 2019 14:22:00 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Wed, 13 Mar 2019 14:22:00 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: SPASM <spasm@ietf.org>
Thread-Topic: New Version Notification for draft-vangeest-x509-hash-sigs-03.txt
Thread-Index: AQHU2EVSZuPX/OmKXEaaJRixGBtioqYJ4sEA
Date: Wed, 13 Mar 2019 18:22:00 +0000
Message-ID: <5B2BCDDB-DA4A-408A-8E36-0E139D7985EF@isara.com>
References: <155233453261.23106.16946514245655603626.idtracker@ietfa.amsl.com>
In-Reply-To: <155233453261.23106.16946514245655603626.idtracker@ietfa.amsl.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_5B2BCDDBDA4A408A8E360E139D7985EFisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/pjIMto5t6cnxM4ugM-2eSgK_y9k>
Subject: [lamps] FW: New Version Notification for draft-vangeest-x509-hash-sigs-03.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 18:22:04 -0000

--_000_5B2BCDDBDA4A408A8E360E139D7985EFisaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_5B2BCDDBDA4A408A8E360E139D7985EFisaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <59ABE902AFF4D04292FD1243C3D184CF@isara.com>
Content-Transfer-Encoding: base64
--_000_5B2BCDDBDA4A408A8E360E139D7985EFisaracom_--


From nobody Wed Mar 13 11:39:24 2019
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59FA9130FFB for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 11:39:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com header.b=g6uF9ocd; dkim=pass (1024-bit key) header.d=digicert.com header.b=KVgt4oYL
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIJcUMzJdeZP for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 11:39:19 -0700 (PDT)
Received: from us-smtp-delivery-173.mimecast.com (us-smtp-delivery-173.mimecast.com [216.205.24.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 596B7130F39 for <spasm@ietf.org>; Wed, 13 Mar 2019 11:39:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=mimecast20190124; t=1552502348; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=H5R7UyZk7xiNMIYkLmV63lGr8D5YCJsNmQe+GzTYYns=; b=g6uF9ocdaT0ddmIGff9n7rpQcOffv0v7NzuRX0IBg6RY30XmEcIUX7MT54LNeez+J/42cgZlw4J1G3erTpJTd3BVA4KJllKB11C+c0PYbFk5tDhMonodDO0R+hN1cCHVJy5pEtLU2qMStBtBOd4lJ1tANR5YkeAS0rn1W/pNZx0=
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01lp2053.outbound.protection.outlook.com [104.47.34.53]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-323-mE0DyXxeNZ-9cF0WKO4y1w-1; Wed, 13 Mar 2019 14:39:07 -0400
X-MC-Unique: mE0DyXxeNZ-9cF0WKO4y1w-1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=H5R7UyZk7xiNMIYkLmV63lGr8D5YCJsNmQe+GzTYYns=; b=KVgt4oYLzs1QJ0ZefD8ykUPErvyYe7m1ygtWm/AsuocTLgdxAKaXVPZGx10qk290ZucaV/eXhH171VZl3UgZ5ICBlKDnj/V6ffxMAKWPiCxCM6hVAB0ka+ut16PnVzq8HhbkLLF59bCvwuWyo4JH9Jh+mFpDWj77kG2h/j7EBl8=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1203.namprd14.prod.outlook.com (10.173.163.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.21; Wed, 13 Mar 2019 18:39:05 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941%4]) with mapi id 15.20.1686.020; Wed, 13 Mar 2019 18:39:05 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Russ Housley <housley@vigilsec.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
Thread-Index: AQHU1CvAmgcj089R80iNpYoMFvlgsKX+sFoAgAs/J1A=
Date: Wed, 13 Mar 2019 18:39:05 +0000
Message-ID: <BN6PR14MB1106B34C1CF0A32579DFC5FA834A0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <155188373859.5582.16269505161275521812@ietfa.amsl.com> <EC98D10D-360C-45F3-A177-39F265489AAD@vigilsec.com>
In-Reply-To: <EC98D10D-360C-45F3-A177-39F265489AAD@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tim.hollebeek@digicert.com; 
x-originating-ip: [144.178.28.132]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f9c9c049-e1f8-40a5-3732-08d6a7e32c0e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1203; 
x-ms-traffictypediagnostic: BN6PR14MB1203:
x-microsoft-exchange-diagnostics: 1; BN6PR14MB1203; 20:fQMrtIF6wPrGLK0UymIH9d16GCYB1349nMAvc/VwAYQRHsBaWNL+HEKydv46iPW010W70zXCfYwDZaLs9pn++EkKapOt9PgNNrPJNhouX/B4yUAIbSqmTxnaONbk1VNauE7uwW7/IFUfdQwJpZweHCjszt2X8Eag5Aa8POvzFcE=
x-microsoft-antispam-prvs: <BN6PR14MB1203AEE6681F606D7FA988A2834A0@BN6PR14MB1203.namprd14.prod.outlook.com>
x-forefront-prvs: 09752BC779
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(376002)(396003)(39860400002)(136003)(346002)(199004)(13464003)(189003)(71190400001)(86362001)(71200400001)(97736004)(99936001)(68736007)(8936002)(316002)(110136005)(106356001)(105586002)(9686003)(6306002)(53936002)(6436002)(55016002)(2501003)(486006)(44832011)(6246003)(229853002)(7736002)(256004)(14444005)(81156014)(8676002)(81166006)(14454004)(476003)(305945005)(74316002)(478600001)(11346002)(446003)(66066001)(25786009)(66574012)(6116002)(5660300002)(33656002)(52536013)(186003)(3846002)(26005)(6506007)(102836004)(53546011)(76176011)(2906002)(7696005)(99286004)(966005); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1203; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: s/X6Zh7bloyfsUijSwR6AiFZAoW7P48qo0A5XVNC1uBI+fOeLv68v9OwfRDCmrUuEmjWI1/mzsJZg8//ZgcRdl+CcZUTgE4nwv7OtliyQ0+phEZOR2hykOyCWrNbLi6k/ZKEzdIVrpvodqcVnB5hqmIBy42OGl1+zwQ1qkCLrvm0wi9akTmLabq+WxkdbuSZgBa/Ig88zqYmNtf9qCAqmydohFhmA0HqtS2xd/Gfu8C7okvAkFkM98dSVb8uefW4jv6ezg2wuFmoXaR177nAmqy/in7Y+JKkf7TlF69CLhFJX0/U5JkdaOoxt8uQkzAdAdosDzfVNm/N4EpHKoECcdypSprGrTqjyJ70wDQU6TXsMCOF7QtyaHMvjIYx0f+SCtzRD6uJKcrjSDPvP9QATTT2EKgr7YqHtrISBAcVZ0Y=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_01DD_01D4D991.5A935F80"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f9c9c049-e1f8-40a5-3732-08d6a7e32c0e
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2019 18:39:05.7677 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1203
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/pd-JsPzKdj-I2YBLbEyESWjDGQY>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 18:39:22 -0000

------=_NextPart_000_01DD_01D4D991.5A935F80
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Russ,

Have all appropriate IPR disclosures required for full conformance with the
provisions of BCP 78 and BCP 79 already been filed?

-Tim

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Wednesday, March 6, 2019 6:53 AM
> To: spasm@ietf.org
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
> 
> In addition to some minor reorganization, this update resolves small ASN.1
> issue raised by Jim Schaad.  I wanted to get it posted before the IETF 104
> cut-off date.
> 
> Russ
> 
> 
> > On Mar 6, 2019, at 9:48 AM, internet-drafts@ietf.org wrote:
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.
> >
> >        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
> >        Author          : Russ Housley
> > 	Filename        : draft-ietf-lamps-cms-hash-sig-07.txt
> > 	Pages           : 14
> > 	Date            : 2019-03-06
> >
> > Abstract:
> >   This document specifies the conventions for using the HSS/LMS
> >   hash-based signature algorithm with the Cryptographic Message Syntax
> >   (CMS).  In addition, the algorithm identifier and public key syntax
> >   are provided.  The HSS/LMS algorithm is one form of hash-based
> >   digital signature; it is described in [HASHSIG].
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-07
> > https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-07
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-07
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


------=_NextPart_000_01DD_01D4D991.5A935F80
Content-Type: application/pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"
------=_NextPart_000_01DD_01D4D991.5A935F80--


From nobody Wed Mar 13 12:11:43 2019
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D825C131104 for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 12:11:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level: 
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com header.b=q2mxORAC; dkim=pass (1024-bit key) header.d=digicert.com header.b=SVwEssoy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mXL-k6eRNlSJ for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 12:11:39 -0700 (PDT)
Received: from us-smtp-delivery-173.mimecast.com (us-smtp-delivery-173.mimecast.com [63.128.21.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 081A81310B9 for <spasm@ietf.org>; Wed, 13 Mar 2019 12:11:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=mimecast20190124; t=1552504298; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bdGkecgz8Zw02u88OtHQqJeZzcnvABV6dkqbAw5o1Dk=; b=q2mxORACUncN//0+ZIk/W0jWKe2bpcUjx9WW8JlokJnsRN6Nd/Eb0ullJbdyyzXS4NwmgMkBd/Vcg9hUcbwO9l9G19rKMkLVQxEYnWCC13aia/JXU8A6usIQfhWj4GMEiPHf36o+SxPJ2ZWrFhnjt+TBrUEL5dWxRPc9cxHfawI=
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02lp2059.outbound.protection.outlook.com [104.47.36.59]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-264-HpICDYjHPV2qOeCO3SIgJQ-1; Wed, 13 Mar 2019 15:11:36 -0400
X-MC-Unique: HpICDYjHPV2qOeCO3SIgJQ-1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bdGkecgz8Zw02u88OtHQqJeZzcnvABV6dkqbAw5o1Dk=; b=SVwEssoyiwBpYlwLZacCgG0w/uXM7BWxBNN0QTx4LHHZ7hDHNc5nWDGH4+GZpq5oZOvzvdnZHhGKtl7hCdA93vFA4kCfQCbVIvkVYZ3TlolsaIRkyvaySRRlFV8rS2n4T2jyaWjTz++tsqE9ONjqDrQ8YMUQwTh3mBh2WctxGo8=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1298.namprd14.prod.outlook.com (10.173.159.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.18; Wed, 13 Mar 2019 19:11:33 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941%4]) with mapi id 15.20.1686.020; Wed, 13 Mar 2019 19:11:33 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: "spasm@ietf.org" <spasm@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
Thread-Index: AQHU1CvAmgcj089R80iNpYoMFvlgsKYJ+CVw
Date: Wed, 13 Mar 2019 19:11:33 +0000
Message-ID: <BN6PR14MB1106EB1E6691FF19F9FE03D3834A0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <155188373859.5582.16269505161275521812@ietfa.amsl.com>
In-Reply-To: <155188373859.5582.16269505161275521812@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tim.hollebeek@digicert.com; 
x-originating-ip: [144.178.28.132]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cddb0309-9360-400b-90b8-08d6a7e7b522
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1298; 
x-ms-traffictypediagnostic: BN6PR14MB1298:
x-microsoft-exchange-diagnostics: 1; BN6PR14MB1298; 20:7u8K8izp/hKJ7mPXSq2tL7oc4Ji/agjv75m6Ra56ItHQ//BH2sjDpUGqGHTvtH1NATqxNlmsDBcBjnwSR26IeNuBczn+kn+nRimPQkWoEmoQrthEgSmyc+LNJub5hfj+u7IPlpo5Wcwctc1deGI/4LSsw0z94nNZOWANRSCTbWw=
x-microsoft-antispam-prvs: <BN6PR14MB1298107B65393476BB263DE8834A0@BN6PR14MB1298.namprd14.prod.outlook.com>
x-forefront-prvs: 09752BC779
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(346002)(136003)(376002)(39860400002)(366004)(13464003)(199004)(189003)(476003)(110136005)(446003)(966005)(81166006)(2501003)(8676002)(81156014)(11346002)(33656002)(450100002)(99936001)(316002)(305945005)(25786009)(2906002)(14454004)(68736007)(7736002)(105586002)(44832011)(8936002)(106356001)(478600001)(74316002)(486006)(66066001)(186003)(66574012)(55016002)(6436002)(6506007)(97736004)(53546011)(102836004)(256004)(76176011)(52536013)(26005)(5660300002)(7696005)(99286004)(229853002)(3846002)(6246003)(6116002)(53936002)(6306002)(86362001)(9686003)(71200400001)(71190400001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1298; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: yD3iLq+DQHPfHCmOIP9T7P/5x/HOvk2EFYtkv7/bn329HXt8Xr1/WKp42gArGm22jEvH97WtRQMHqqs32POvpKNS0dZYH7aZafIZ5VmBGko4cc3eUuph2Le6c17bfSW4n/0kkURhWO4+3BNECcScfpwSF1YX94BEKZuBTEnGXI4R0WbOILajFgmbvN1XJMH7h2XoaIl1aaXRj6sfWQX1LFU14gA6ZKwwFSIyJJ0uuOA36AYtnpYt85hJtY2WqosVGo0tkxWWYCECH0HzHdvQyiaE4zhd8Bc00X+00+k7ZHnyc4na5BlIOeJOJeAuE61EclW10dGGYRA4OFnr2twOQFPtIZ9F391mayuJjW+f2EfdPzYzq3koEa2mRVzSR1MUJe/wyvho7sTOZ2f0ERqix83HIDHI+80Vx4ozNCDy6Ks=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_01E6_01D4D995.E3532AE0"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cddb0309-9360-400b-90b8-08d6a7e7b522
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2019 19:11:33.6598 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1298
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/B1FAEilDBL3beTkE1XKU9ZagZcw>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 19:11:42 -0000

------=_NextPart_000_01E6_01D4D995.E3532AE0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

From IDNITS:

/tmp/draft-ietf-lamps-cms-hash-sig-07.txt:
/tmp/draft-ietf-lamps-cms-hash-sig-07.txt(125): Line has weird spacing: '...
larger  numbe...'
/tmp/draft-ietf-lamps-cms-hash-sig-07.txt(239): Possible code comment in
line:       lms_signature  /* signature of message */.
/tmp/draft-ietf-lamps-cms-hash-sig-07.txt(250): Possible code comment in
line:       lms_signature  /* signature of message */.

[...]

  ** The abstract seems to contain references ([HASHSIG]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.

[...]

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
> Sent: Wednesday, March 6, 2019 6:49 AM
> To: i-d-announce@ietf.org
> Cc: spasm@ietf.org
> Subject: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.
> 
>         Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
>         Author          : Russ Housley
> 	Filename        : draft-ietf-lamps-cms-hash-sig-07.txt
> 	Pages           : 14
> 	Date            : 2019-03-06
> 
> Abstract:
>    This document specifies the conventions for using the HSS/LMS
>    hash-based signature algorithm with the Cryptographic Message Syntax
>    (CMS).  In addition, the algorithm identifier and public key syntax
>    are provided.  The HSS/LMS algorithm is one form of hash-based
>    digital signature; it is described in [HASHSIG].
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-07
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-07
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-07
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


------=_NextPart_000_01E6_01D4D995.E3532AE0
Content-Type: application/pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"
------=_NextPart_000_01E6_01D4D995.E3532AE0--


From nobody Wed Mar 13 14:49:06 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8D8D1311F7 for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 14:49:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ufea75JnBBi2 for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 14:49:02 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05048127961 for <spasm@ietf.org>; Wed, 13 Mar 2019 14:49:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 0EF93300ADC for <spasm@ietf.org>; Wed, 13 Mar 2019 17:30:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id RhINWGDsjc9X for <spasm@ietf.org>; Wed, 13 Mar 2019 17:30:42 -0400 (EDT)
Received: from [10.196.217.15] (3-197.icannmeeting.org [199.91.197.3]) by mail.smeinc.net (Postfix) with ESMTPSA id B714230024F; Wed, 13 Mar 2019 17:30:37 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <42E65AA1-0FE9-4B7B-88DE-DF5CFC4A16F3@vigilsec.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_811CDD51-C3CF-456A-A3DE-D596320421FD"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 13 Mar 2019 17:48:48 -0400
In-Reply-To: <BN6PR14MB1106B34C1CF0A32579DFC5FA834A0@BN6PR14MB1106.namprd14.prod.outlook.com>
Cc: "spasm@ietf.org" <spasm@ietf.org>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
References: <155188373859.5582.16269505161275521812@ietfa.amsl.com> <EC98D10D-360C-45F3-A177-39F265489AAD@vigilsec.com> <BN6PR14MB1106B34C1CF0A32579DFC5FA834A0@BN6PR14MB1106.namprd14.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/4ALVXBNarfQisbJsGYiCQI4a9cE>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 21:49:05 -0000

--Apple-Mail=_811CDD51-C3CF-456A-A3DE-D596320421FD
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

YES, There are no IPR statements needed.

Russ

> On Mar 13, 2019, at 2:39 PM, Tim Hollebeek =
<tim.hollebeek@digicert.com> wrote:
>=20
> Russ,
>=20
> Have all appropriate IPR disclosures required for full conformance =
with the
> provisions of BCP 78 and BCP 79 already been filed?
>=20
> -Tim
>=20
>> -----Original Message-----
>> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
>> Sent: Wednesday, March 6, 2019 6:53 AM
>> To: spasm@ietf.org
>> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-07.txt
>>=20
>> In addition to some minor reorganization, this update resolves small =
ASN.1
>> issue raised by Jim Schaad.  I wanted to get it posted before the =
IETF 104
> cut-
>> off date.
>>=20
>> Russ
>>=20
>>=20
>>> On Mar 6, 2019, at 9:48 AM, internet-drafts@ietf.org wrote:
>>>=20
>>>=20
>>> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>>> This draft is a work item of the Limited Additional Mechanisms for =
PKIX
> and
>> SMIME WG of the IETF.
>>>=20
>>>       Title           : Use of the HSS/LMS Hash-based Signature
> Algorithm in the
>> Cryptographic Message Syntax (CMS)
>>>       Author          : Russ Housley
>>> 	Filename        : draft-ietf-lamps-cms-hash-sig-07.txt
>>> 	Pages           : 14
>>> 	Date            : 2019-03-06
>>>=20
>>> Abstract:
>>>  This document specifies the conventions for using the HSS/LMS
>>>  hash-based signature algorithm with the Cryptographic Message =
Syntax
>>>  (CMS).  In addition, the algorithm identifier and public key syntax
>>>  are provided.  The HSS/LMS algorithm is one form of hash-based
>>>  digital signature; it is described in [HASHSIG].
>>>=20
>>>=20
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
>>>=20
>>> There are also htmlized versions available at:
>>> https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-07
>>> =
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-07
>>>=20
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-lamps-cms-hash-sig-07
>>>=20
>>>=20
>>> Please note that it may take a couple of minutes from the time of
>>> submission until the htmlized version and diff are available at
> tools.ietf.org.
>>>=20
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>=20
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
>=20
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


--Apple-Mail=_811CDD51-C3CF-456A-A3DE-D596320421FD
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

--Apple-Mail=_811CDD51-C3CF-456A-A3DE-D596320421FD--


From nobody Wed Mar 13 18:05:30 2019
Return-Path: <sean@sn3rd.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC9DB131110 for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 18:05:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HLK9NNxEO6_8 for <spasm@ietfa.amsl.com>; Wed, 13 Mar 2019 18:05:27 -0700 (PDT)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D06DE130E9A for <spasm@ietf.org>; Wed, 13 Mar 2019 18:05:26 -0700 (PDT)
Received: by mail-qt1-x82f.google.com with SMTP id v32so4233902qtc.10 for <spasm@ietf.org>; Wed, 13 Mar 2019 18:05:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Y8o311TrWsdle+ik/E//Qh0INHNv83vC63+piB9NUJQ=; b=QGjT24qmh3e44dKLWzIsw3tLhw0YHsHbdvDZkJ8x+QOXY17L2CAzVy+fv5Keuy7d86 X7vEEjo7Z1r46iqmWQ9JJ6b8TAb2Bt+PFJC0UiavZj/pXqQj20yRUfTW+Fz+/nwndRIE HDy5UWBpXQBMB47pR4k66RZCTRGJZevDqVK0M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Y8o311TrWsdle+ik/E//Qh0INHNv83vC63+piB9NUJQ=; b=It6OUOBI040+wLRQAM78p4zCMrcMHn04mI7aXpO51wTHbRihHAGWMbrPpiyIoziJse wXvIXbUSVH2ZTjorvoaAOG8kjdXYzdJ/Vd0ePdCCoDSjBbahSDUG8W/z0WThrYzu7LNr r7GweV6AyOgJZ7WSS50EjYtRlw/wOmopO40ehOjCeRNeq2gEDV47RYvpGUrcOpApVhS5 GAltRDHZO9+68nLX22OnigVV9XF9dzDwmX+sGUA39AauxtDMQJ/1HQfwIjNDkOHDowgY szrbAGgaHySUJ/sHPMod1aOGtF6yxtWsLEYQUg7wB9Ju+bZARjN/Lhkr/s8q3kYTl39z fFAg==
X-Gm-Message-State: APjAAAULnmFUYIBO4ex6sn5r9fXuv7gjuMmZidEYDVoQ/4mKRFiY11wF 3X+sA8AHgp60V0j42FRV7AN/0g==
X-Google-Smtp-Source: APXvYqwwRcNSnwmsaN/yzT8gmp9rX05T9DrlcUB49kziLPrbM679lEC7QgVBZnLfBfr9WB/cw98pdQ==
X-Received: by 2002:a0c:b501:: with SMTP id d1mr37302908qve.115.1552525525887;  Wed, 13 Mar 2019 18:05:25 -0700 (PDT)
Received: from [172.16.0.18] ([96.231.217.246]) by smtp.gmail.com with ESMTPSA id t55sm9107702qtt.57.2019.03.13.18.05.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 13 Mar 2019 18:05:25 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <AM0PR10MB2402BB549181014D16B36AB5FE490@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
Date: Wed, 13 Mar 2019 21:05:24 -0400
Cc: "spasm@ietf.org" <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <512BD0E4-3679-4EC6-BB2C-F02C0E055457@sn3rd.com>
References: <155230360624.16964.16184538358498050453.idtracker@ietfa.amsl.com> <E09739F5AF05A44FAE7BECC7E772E8F20DE1ABE3@DENBGAT9EJ0MSX.ww902.siemens.net> <AM0PR10MB2402BB549181014D16B36AB5FE490@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
To: hendrik.brockhaus@siemens.com
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/aj9duhHK0-r8_XCngEfjFOuSlFw>
Subject: Re: [lamps] New Version Notification for draft-brockhaus-lamps-industrial-cmp-profile-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 01:05:29 -0000

Hendrik,

Because this is aimed at "IoT scenarios" I guess I am confused as to how this relates to https://datatracker.ietf.org/doc/draft-ietf-ace-coap-est/, which is also aimed at constrained environments and completed WGLC in the ACE WG in January.

How does this draft update RFC4210?

spt

> On Mar 12, 2019, at 07:31, hendrik.brockhaus@siemens.com wrote:
>
> Hello
>
> Yesterday I submitted the initial draft on the lightweight industrial CMP profile I announced some weeks ago. At IETF 104 we want to introduce the draft during the LAMPS WG meeting.
>
> The main purpose of this draft is to ease the use of CMP in industrial and IoT use cases. Due to the complexity of RFC4210 and RFC4211 the draft specifies a concrete and more lightweight profile of CMP. Following standardization of industrial CMP profiles by 3GPP and UNISIG that already exist, the draft strives for standardization of a more general purpose industrial CMP profile focussing on automating certificate management in m2m and IoT environments.
>
> If there is any feedback or comments on the draft in advance of the meeting, feel free to contact me.
>
> - Hendrik
>
> -----Original Message-----
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Sent: Monday, 11 March 2019 12:27
> To: Fries, Steffen (CT RDA ITS) <steffen.fries@siemens.com>; Brockhaus, Hendrik (CT RDA ITS SEA-DE) <hendrik.brockhaus@siemens.com>; von Oheimb, David (CT RDA ITS SEA-DE) <david.von.oheimb@siemens.com>
> Subject: New Version Notification for draft-brockhaus-lamps-industrial-cmp-profile-00.txt
>
>
> A new version of I-D, draft-brockhaus-lamps-industrial-cmp-profile-00.txt
> has been successfully submitted by Hendrik Brockhaus and posted to the IETF repository.
>
> Name:           draft-brockhaus-lamps-industrial-cmp-profile
> Revision:       00
> Title:          Lightweight Industrial CMP Profile
> Document date:  2019-03-11
> Group:          Individual Submission
> Pages:          41
> URL:            https://www.ietf.org/internet-drafts/draft-brockhaus-lamps-industrial-cmp-profile-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-brockhaus-lamps-industrial-cmp-profile/
> Htmlized:       https://tools.ietf.org/html/draft-brockhaus-lamps-industrial-cmp-profile-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-brockhaus-lamps-industrial-cmp-profile
>
>
> Abstract:
>   The goal of this document is to facilitate interoperability and
>   automation by profiling the Certificate Management Protocol (CMP)
>   [RFC4210] and the related Certificate Request Message Format (CRMF)
>   [RFC4211].  It specifies a subset of CMP and CRMF focusing on typical
>   use cases relevant for managing certificates of devices in
>   industrial and IoT scenarios.  To limit the overhead of certificate
>   management for constrained devices only the most crucial types of
>   transactions are specified as mandatory.  To foster interoperability
>   also in more complex scenarios, other types of transactions are
>   specified as recommended or optional.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


From nobody Thu Mar 14 00:47:49 2019
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B92BE1277C9 for <spasm@ietfa.amsl.com>; Thu, 14 Mar 2019 00:47:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7HvD47An6WSS for <spasm@ietfa.amsl.com>; Thu, 14 Mar 2019 00:47:44 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10042.outbound.protection.outlook.com [40.107.1.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEA2F12799B for <spasm@ietf.org>; Thu, 14 Mar 2019 00:47:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector1-siemens-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4YI6ZiGznLrTgFhIXbBOlQdlItAQdA6kgBpygkWxViA=; b=Q3mwKS8h+ldkZRazqutEbEuL5UTzEPABXWjyKhD5DhKeAuJYUPrP52UBqSBWY5dc9c86/OD4eqDvRhGAty3s3Py4OySRpraSXn9t2i46hTsSj9ivyo8hREbNVK6RoTN0mH7xLKUZ0KqvhhrFEJvhmUHUeS+hFtktguAMDWv6R4s=
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM (20.177.110.224) by AM0PR10MB2164.EURPRD10.PROD.OUTLOOK.COM (20.177.108.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.13; Thu, 14 Mar 2019 07:47:35 +0000
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::bda2:3903:5a16:c67c]) by AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::bda2:3903:5a16:c67c%4]) with mapi id 15.20.1686.021; Thu, 14 Mar 2019 07:47:35 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Sean Turner <sean@sn3rd.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] New Version Notification for draft-brockhaus-lamps-industrial-cmp-profile-00.txt
Thread-Index: AQHU1/1SnKzF6+8J4ECSR1DWFlE6v6YGSwrAgAGSnaCAAnZgAIAAZKoA
Date: Thu, 14 Mar 2019 07:47:34 +0000
Message-ID: <AM0PR10MB24025B6C5E5871B4115E2989FE4B0@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
References: <155230360624.16964.16184538358498050453.idtracker@ietfa.amsl.com> <E09739F5AF05A44FAE7BECC7E772E8F20DE1ABE3@DENBGAT9EJ0MSX.ww902.siemens.net> <AM0PR10MB2402BB549181014D16B36AB5FE490@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <512BD0E4-3679-4EC6-BB2C-F02C0E055457@sn3rd.com>
In-Reply-To: <512BD0E4-3679-4EC6-BB2C-F02C0E055457@sn3rd.com>
Accept-Language: en-US
Content-Language: de-DE
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-document-confidentiality: NotClassified
authentication-results: spf=none (sender IP is ) smtp.mailfrom=hendrik.brockhaus@siemens.com; 
x-originating-ip: [80.146.228.75]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b95548f7-23e5-47c6-77ed-08d6a8515296
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:AM0PR10MB2164; 
x-ms-traffictypediagnostic: AM0PR10MB2164:
x-ms-exchange-purlcount: 6
x-microsoft-antispam-prvs: <AM0PR10MB21643A4AA87BCD4F8BAE25AEFE4B0@AM0PR10MB2164.EURPRD10.PROD.OUTLOOK.COM>
x-forefront-prvs: 09760A0505
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(346002)(39860400002)(136003)(366004)(376002)(189003)(199004)(6436002)(305945005)(7736002)(53936002)(25786009)(74316002)(55016002)(71200400001)(105586002)(97736004)(6306002)(256004)(106356001)(9686003)(76176011)(86362001)(81166006)(81156014)(71190400001)(486006)(52536014)(5660300002)(99286004)(7696005)(8676002)(2906002)(4326008)(6916009)(26005)(3846002)(93886005)(316002)(186003)(68736007)(8936002)(6116002)(476003)(102836004)(446003)(14454004)(11346002)(66066001)(966005)(6506007)(478600001)(15650500001)(66574012)(14444005)(33656002)(53546011); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR10MB2164; H:AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: siemens.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: unHPkJwA1vgKMMDNIA0tnsySFBg53Wu2Z+AIC/SslhhRB4jjWdWSAcBJTf67LsVtZi0GLnh8KIGqtkCRY6dF5mTnALyfq6Qwo+GSOPZBxlXrNpwkhA5qF7YZcValOX9TJzmuEBgkHxYP7c1mGAtohS++pOwCJceDSp6KFY+4Nq+lNHzcpkCNr50O6+byM9HDBmZ2qR6jzO5HZpWhUzZjN96CH3Tm6UbO5R49XjDiWX10vc1ibSUefuF1clMEk4p/L5hnfy6pUrsx7fAirPnhxvkNLqXC6YlaUuqfgz5YQZ8spgLmrlX7ngdsE4q9Pz8jb4+/Lo7xZLcaKtrht5NJdNIqDnWZn/xkHF2cpNQ3B6G7a3hqjEiB599ik/Eq5KfwKdmcZdkH2YlZFsK58AYDHwUAhnl7/4hILI/d8je4HC0=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b95548f7-23e5-47c6-77ed-08d6a8515296
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Mar 2019 07:47:34.9873 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR10MB2164
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/7M1MQEMZVqqwGlmJvGJ8wMc9ZKQ>
Subject: Re: [lamps] New Version Notification for draft-brockhaus-lamps-industrial-cmp-profile-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 07:47:48 -0000

Sean

Thank you for your feedback and questions.

This draft focusses on CMP applicability by specifying CMP message exchange more precisely and focused on industrial scenarios to get interoperable implementations. It not only focusses on EE-RA communication but also on communication between LRA-RA-CA in the PKI backend.
The area of applicability is supposed to be much wider than IoT. As mentioned, CMP is already in use in 3GPP and UNISIG. These profiles could also be covered by this draft in the future.
Therefore I see the profile laid out in this draft as an update to RFC4210, as it extends the already existing profiles in Appendix D and E to the industrial arena. Next to a more precise and concrete specification of CMP message flows, there are also suggested extensions like the cmpRA key usage and the addition of a request-response root CA key update exchange instead of the announcement approach specified in RFC4210 Appendix E.4.

The addition of CoAP for CMP message transfer is one suggestion to extend the available transport mechanisms of CMP messages, but it is not the core of the draft. If this is too much for this document, it could also be carved out in a separate draft. But like RFC6712 (HTTP transfer for CMP), I would regard it as an update to RFC4210.

I hope this makes our thoughts and ideas clearer. Any further comments and suggestions are of course more than welcome.

Hendrik

> -----Original Message-----
> From: Sean Turner <sean@sn3rd.com>
> Sent: Thursday, 14 March 2019 02:05
> To: Brockhaus, Hendrik (CT RDA ITS SEA-DE) <hendrik.brockhaus@siemens.com>
> Cc: spasm@ietf.org
> Subject: Re: [lamps] New Version Notification for draft-brockhaus-lamps-industrial-cmp-profile-00.txt
>
> Hendrik,
>
> Because this is aimed at "IoT scenarios" I guess I am confused as to how this
> relates to https://datatracker.ietf.org/doc/draft-ietf-ace-coap-est/, which is
> also aimed at constrained environments and completed WGLC in the ACE
> WG in January.
>
> How does this draft update RFC4210?
>
> spt
>
> > On Mar 12, 2019, at 07:31, hendrik.brockhaus@siemens.com wrote:
> >
> > Hello
> >
> > Yesterday I submitted the initial draft on the lightweight industrial CMP profile I announced some weeks ago. At IETF 104 we want to introduce the draft during the LAMPS WG meeting.
> >
> > The main purpose of this draft is to ease the use of CMP in industrial and IoT use cases. Due to the complexity of RFC4210 and RFC4211 the draft specifies a concrete and more lightweight profile of CMP. Following standardization of industrial CMP profiles by 3GPP and UNISIG that already exist, the draft strives for standardization of a more general purpose industrial CMP profile focussing on automating certificate management in m2m and IoT environments.
> >
> > If there is any feedback or comments on the draft in advance of the meeting, feel free to contact me.
> >
> > - Hendrik
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> > Sent: Monday, 11 March 2019 12:27
> > To: Fries, Steffen (CT RDA ITS) <steffen.fries@siemens.com>; Brockhaus, Hendrik (CT RDA ITS SEA-DE) <hendrik.brockhaus@siemens.com>; von Oheimb, David (CT RDA ITS SEA-DE) <david.von.oheimb@siemens.com>
> > Subject: New Version Notification for draft-brockhaus-lamps-industrial-cmp-profile-00.txt
> >
> >
> > A new version of I-D, draft-brockhaus-lamps-industrial-cmp-profile-00.txt
> > has been successfully submitted by Hendrik Brockhaus and posted to the IETF repository.
> >
> > Name:           draft-brockhaus-lamps-industrial-cmp-profile
> > Revision:       00
> > Title:          Lightweight Industrial CMP Profile
> > Document date:  2019-03-11
> > Group:          Individual Submission
> > Pages:          41
> > URL:            https://www.ietf.org/internet-drafts/draft-brockhaus-lamps-industrial-cmp-profile-00.txt
> > Status:         https://datatracker.ietf.org/doc/draft-brockhaus-lamps-industrial-cmp-profile/
> > Htmlized:       https://tools.ietf.org/html/draft-brockhaus-lamps-industrial-cmp-profile-00
> > Htmlized:       https://datatracker.ietf.org/doc/html/draft-brockhaus-lamps-industrial-cmp-profile
> >
> >
> > Abstract:
> >   The goal of this document is to facilitate interoperability and
> >   automation by profiling the Certificate Management Protocol (CMP)
> >   [RFC4210] and the related Certificate Request Message Format (CRMF)
> >   [RFC4211].  It specifies a subset of CMP and CRMF focusing on typical
> >   use cases relevant for managing certificates of devices in
> >   industrial and IoT scenarios.  To limit the overhead of certificate
> >   management for constrained devices only the most crucial types of
> >   transactions are specified as mandatory.  To foster interoperability
> >   also in more complex scenarios, other types of transactions are
> >   specified as recommended or optional.
> >
> >
> >
> >
> > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://www.ietf.org/mailman/listinfo/spasm


From nobody Thu Mar 14 07:25:00 2019
Return-Path: <bernie@ietf.hoeneisen.ch>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48840130EB5 for <spasm@ietfa.amsl.com>; Thu, 14 Mar 2019 07:24:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FgUaabgLC-T9 for <spasm@ietfa.amsl.com>; Thu, 14 Mar 2019 07:24:55 -0700 (PDT)
Received: from softronics.hoeneisen.ch (softronics.hoeneisen.ch [62.2.86.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0769129B88 for <spasm@ietf.org>; Thu, 14 Mar 2019 07:24:54 -0700 (PDT)
Received: from localhost ([127.0.0.1]) by softronics.hoeneisen.ch with esmtp (Exim 4.86_2) (envelope-from <bernie@ietf.hoeneisen.ch>) id 1h4RHv-0002Ww-LL for spasm@ietf.org; Thu, 14 Mar 2019 15:24:51 +0100
Date: Thu, 14 Mar 2019 15:24:51 +0100 (CET)
From: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
X-X-Sender: bhoeneis@softronics.hoeneisen.ch
To: IETF LAMPS WG <spasm@ietf.org>
Message-ID: <alpine.DEB.2.20.1903141524030.6514@softronics.hoeneisen.ch>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: bernie@ietf.hoeneisen.ch
X-SA-Exim-Scanned: No (on softronics.hoeneisen.ch); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/uIik5WIwjWbK9eDkqciykFrs2yY>
Subject: [lamps] New Version Notification for draft-luck-lamps-pep-header-protection-01.txt (fwd)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 14:24:58 -0000

FYI (I-D updated to -01)

---------- Forwarded message ----------
Date: Tue, 12 Mar 2019 00:58:12
From: internet-drafts@ietf.org
To: Claudio Luck <claudio.luck@pep.foundation>,
     Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
Subject: New Version Notification for
     draft-luck-lamps-pep-header-protection-01.txt


A new version of I-D, draft-luck-lamps-pep-header-protection-01.txt
has been successfully submitted by Bernie Hoeneisen and posted to the
IETF repository.

Name:		draft-luck-lamps-pep-header-protection
Revision:	01
Title:		pretty Easy privacy (pEp): Header Protection
Document date:	2019-03-12
Group:		Individual Submission
Pages:		22
URL:            https://www.ietf.org/internet-drafts/draft-luck-lamps-pep-header-protection-01.txt
Status:         https://datatracker.ietf.org/doc/draft-luck-lamps-pep-header-protection/
Htmlized:       https://tools.ietf.org/html/draft-luck-lamps-pep-header-protection-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-luck-lamps-pep-header-protection
Diff:           https://www.ietf.org/rfcdiff?url2=draft-luck-lamps-pep-header-protection-01

Abstract:
    Issues with email header protection in S/MIME have been recently
    raised in the IETF LAMPS Working Group.  The need for amendments to
    the existing specification regarding header protection was expressed.

    The pretty Easy privacy (pEp) implementations currently use a
    mechanism quite similar to the currently standardized message
    wrapping for S/MIME.  The main difference is that pEp is using PGP/
    MIME instead, and adds space for carrying public keys next to the
    protected message.

    In LAMPS voices have also been expressed, that whatever mechanism
    will be chosen, it should not be limited to S/MIME, but also
    applicable to PGP/MIME.

    This document aims to contribute to this discussion and share pEp
    implementation experience with email header protection.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


From nobody Thu Mar 14 11:39:43 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFE60130EA9; Thu, 14 Mar 2019 11:39:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UwHPctyk6ds3; Thu, 14 Mar 2019 11:39:40 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE0501277E5; Thu, 14 Mar 2019 11:39:36 -0700 (PDT)
Received: from Jude (192.168.1.152) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 14 Mar 2019 11:39:29 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: <draft-ietf-lamps-cms-hash-sig@ietf.org>
CC: 'SPASM' <spasm@ietf.org>
Date: Thu, 14 Mar 2019 11:39:27 -0700
Message-ID: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AdTalFpsRD6NOLyJSie3veGv+fJZHg==
X-Originating-IP: [192.168.1.152]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Va372k0reOmsP2fxjTTXkrCdkHo>
Subject: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 18:39:42 -0000

I was tossing together some code to look at producing some samples and I
ended up with a pair of questions:

1.  If I have a hash signature tree which uses multiple different hash
algorithms in it, which of those hash algorithms am I to place in the
digestAlgorithm field?  For example, suppose that I am using an LMS type
with a hash of SHAKE128 and an LMOTS type with a hash of SHA256.  Or as a
different example, suppose that I have a two deep tree and the top level
uses SHA512 in both places but the next level down uses SHA256 in both
places?

2.  If there are signed attributes present, then is it required that the body
digest algorithm match that of the hash signature tree or can it be
different?  If it is different, is that not the value that should be placed
in the digestAlgorithm field?  Consider digesting the body with SHA512, but
only using SHA256 in the hash function on the assumption that the random
field in the signing operation provides a higher level of security and thus
a weak attempt is being made to match them together.  (I am sure that this
is not the correct pairing for matching, just demonstrating a point.)

Jim



From nobody Thu Mar 14 13:06:45 2019
Return-Path: <noreply@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 227F0130EE6; Thu, 14 Mar 2019 13:06:43 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Tim Hollebeek via Datatracker <noreply@ietf.org>
To: <ekr@rtfm.com>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.0
Auto-Submitted: auto-generated
Precedence: bulk
Cc: spasm@ietf.org, lamps-chairs@ietf.org, Tim Hollebeek <tim.hollebeek@digicert.com>, iesg-secretary@ietf.org, tim.hollebeek@digicert.com
Reply-To: Tim Hollebeek <tim.hollebeek@digicert.com>
Message-ID: <155259400313.2679.12982179990052352623.idtracker@ietfa.amsl.com>
Date: Thu, 14 Mar 2019 13:06:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/0RPHx4PBblkFRaNQCvv_vm_5zTw>
Subject: [lamps] Publication has been requested for draft-ietf-lamps-cms-hash-sig-07
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 20:06:43 -0000

Tim Hollebeek has requested publication of draft-ietf-lamps-cms-hash-sig-07 as Proposed Standard on behalf of the LAMPS working group.

Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/


From nobody Fri Mar 15 12:30:55 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DAB3130DC9; Fri, 15 Mar 2019 12:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6lZAUglYuEzz; Fri, 15 Mar 2019 12:30:51 -0700 (PDT)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 145A5130E99; Fri, 15 Mar 2019 12:30:50 -0700 (PDT)
Received: from unknown (HELO V0501WEXGPR01.isaracorp.com) ([10.5.8.20]) by ip1.isaracorp.com with ESMTP; 15 Mar 2019 19:30:49 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Fri, 15 Mar 2019 15:30:46 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Fri, 15 Mar 2019 15:30:46 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Jim Schaad <ietf@augustcellars.com>, "draft-ietf-lamps-cms-hash-sig@ietf.org" <draft-ietf-lamps-cms-hash-sig@ietf.org>
CC: 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Question on draft-ietf-lamps-cms-hash-sig
Thread-Index: AdTalFpsRD6NOLyJSie3veGv+fJZHgA0TvYA
Date: Fri, 15 Mar 2019 19:30:46 +0000
Message-ID: <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com>
In-Reply-To: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_13C0F2A68D714B67B53AA706125D65BDisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/e-OgRrf0t33q0vG8dz1y2jHPtps>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2019 19:30:54 -0000



From nobody Sat Mar 16 15:32:29 2019
Return-Path: <jschauma@netmeister.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33D58130DC2 for <spasm@ietfa.amsl.com>; Sat, 16 Mar 2019 15:32:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.241
X-Spam-Level: 
X-Spam-Status: No, score=-1.241 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URI_TRY_3LD=0.66] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QBvq-dvDcTQ6 for <spasm@ietfa.amsl.com>; Sat, 16 Mar 2019 15:32:26 -0700 (PDT)
Received: from panix.netmeister.org (panix.netmeister.org [166.84.7.99]) by ietfa.amsl.com (Postfix) with ESMTP id A9742129BBF for <spasm@ietf.org>; Sat, 16 Mar 2019 15:32:26 -0700 (PDT)
Received: by panix.netmeister.org (Postfix, from userid 1000) id 556D465342; Sat, 16 Mar 2019 18:32:26 -0400 (EDT)
Date: Sat, 16 Mar 2019 18:32:26 -0400
From: Jan Schaumann <jschauma@netmeister.org>
To: spasm@ietf.org
Message-ID: <20190316223225.GC11586@netmeister.org>
Mail-Followup-To: spasm@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/RMX22mr0WilB7uBeB-M_xJV4794>
Subject: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2019 22:32:28 -0000

Hello,

I'd like to revisit how CAA records on CNAMEs are handled.

As noted in e.g.,
https://datatracker.ietf.org/meeting/100/materials/slides-100-lamps-rfc-6844-bis-00.pdf,
there are cases where it's desirable for an organization to set a CAA
record on a CNAME.  For example:

If I have existing CAA records on example.com and add a new name
someapp.example.com as a CNAME to a third-party provider's service.  If
the third-party provider uses a different CA from the one(s) I use, I
currently cannot selectively allow only this CA for this single name: as
a CNAME, the resolution logic mandates that the canonical name is
considered and, if no CAA record is found there, the CA crawls up to
example.com.

To illustrate the problem:

$ host -t caa example.com
example.com has CAA record 0 issue "digicert.com"
$ host -t cname someapp.example.com
someapp.example.com is an alias for ghs.googlehosted.com.
$

Let us assume that the third-party provider wants to use Let's Encrypt.

Here, my options are:

- add "letsencrypt.org" to the CAA records for example.com

  This is undesirable for me, because I do not wish to let LE issue
  certificates for myotherservice.example.com.

- ask Google to add LE to the CAA record for ghs.googlehosted.com.

  This is not likely successful.  Google has no interest in either
  restricting this domain to only LE, as presumably other services may
  well point at this name and use other CAs.

- use a different domain, e.g., someapp.separate-example.com and set the
  CAA record there

  This is undesirable, because I want to keep all my things under
  'example.com' for a better user experience / branding / whatever.


The "easiest" solution would be to allow CAA records on CNAMEs.  This
(currently) violates RFC1912, Section 2.4. But per RFC2181, section
10.1, we already allow e.g. SIG, NXT, and KEY RRs on CNAMEs; would it
make sense to allow CAA on CNAMEs as well?


An alternative solution was suggested in the slides noted above: change
the CAA resolution algorithm to first attempt a _prefix on which I can
set an override (i.e., '_prefix.someapp.example.com IN CAA issue
"letsencrypt.org"').  This proposal was not reflected in
https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/, however,
so I assume there was discussion that concluded this to be undesirable?


A third possibility might be to add another 'override' tag to the CAA
definition, e.g.:

example.com CAA 0 issue "digicert.com"
example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"

would mean that Digicert can issue certs for anything under example.com
with the exception of 'someapp.example.com', for which only Let's
Encrypt can issue a cert.

I.e., the 'override' tag may override CAA records for the given name.
The name must be within the same domain and must be deeper than where
this CAA record is set.

Let's say that this only is useful for CNAMEs; this would require the CA
to extend the handling of CNAMEs:

   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, O(X) be the result of an override, and A(X)
   be the target of a CNAME or DNAME alias record chain specified at the
   label X.

   o  If CAA(X) is not empty, R(X) = CAA(X), otherwise

   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
      CAA(A(X)), otherwise

   o  If X is not a top-level domain, then

      o  If R(P(X)) contains an 'override' for X, then R(X) = O(P(X)),
         otherwise

      o  R(X) = R(P(X))

      otherwise

   o  R(X) is empty.



I'm seeking input on whether the workgroup would consider any of these
options or otherwise would revive the discussion around the need to find
a way to set CAA records on a CNAME separate from the parent label.

Thanks,
-Jan
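
The third option in the message above (the proposed 'override' tag with the extended R(X) rule), worked through as an added example; it is not code from the message or from any CA. The zone data is constructed from the message's own example, and reading O(P(X)) as "the properties carried by override entries in R(P(X)) that name X" is an assumption.

```python
# Constructed zone data mirroring the example in the message. The
# "override" tag is the message's proposal, not a registered CAA tag.
ZONE_CAA = {
    "example.com": [
        ("issue", "digicert.com"),
        ("override", "someapp.example.com issue:letsencrypt.org"),
    ],
}
# Alias owner -> target (CNAME and DNAME are treated alike here).
ZONE_ALIAS = {"someapp.example.com": "ghs.googlehosted.com"}


def caa(name):
    """CAA(X): records published at X, each tagged with its owner name."""
    return [(name, tag, value) for tag, value in ZONE_CAA.get(name, [])]


def alias_target(name, limit=8):
    """A(X): end of the alias chain starting at X, or None if X is no alias."""
    seen, cur = set(), name
    while cur in ZONE_ALIAS and cur not in seen and len(seen) < limit:
        seen.add(cur)
        cur = ZONE_ALIAS[cur]
    return cur if cur != name else None


def parent(name):
    """P(X): the name one label up, or None when X is a top-level domain."""
    _, _, rest = name.partition(".")
    return rest or None


def overrides_for(name, records):
    """O(P(X)) as assumed here: properties from 'override' entries naming X."""
    out = []
    for owner, tag, value in records:
        if tag != "override":
            continue
        target, _, prop = value.partition(" ")
        new_tag, sep, new_value = prop.partition(":")
        # The target must sit strictly below the name carrying the record.
        if target == name and sep and name.endswith("." + owner):
            out.append((name, new_tag, new_value))
    return out


def relevant(name):
    """R(X), following the bullets of the proposed algorithm in order."""
    name = name.lower().rstrip(".")
    own = caa(name)
    if own:
        return own
    target = alias_target(name)
    if target and caa(target):
        return caa(target)
    up = parent(name)
    if up is None:
        return []
    inherited = relevant(up)
    return overrides_for(name, inherited) or inherited


def issuers(name):
    """Values of the 'issue' properties in R(X)."""
    return sorted(value for _, tag, value in relevant(name) if tag == "issue")


if __name__ == "__main__":
    for fqdn in ("someapp.example.com", "myotherservice.example.com",
                 "www.someapp.example.com", "example.org"):
        print(fqdn, issuers(fqdn))
```

Because the alias-target bullet comes before the override bullet, a CAA record set published at the CNAME target would still take precedence over the parent's override.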


From nobody Sat Mar 16 16:33:22 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F83E130EE7 for <spasm@ietfa.amsl.com>; Sat, 16 Mar 2019 16:33:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id To7T-LR9jGzs for <spasm@ietfa.amsl.com>; Sat, 16 Mar 2019 16:33:18 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 288BF124B0C for <spasm@ietf.org>; Sat, 16 Mar 2019 16:33:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 53520300AA7 for <spasm@ietf.org>; Sat, 16 Mar 2019 19:15:00 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id A9Cwx3hwDQsE for <spasm@ietf.org>; Sat, 16 Mar 2019 19:14:57 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id EAB07300250; Sat, 16 Mar 2019 19:14:56 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5998D5AF-8389-4067-8244-5B3C81CC2BE6"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Sat, 16 Mar 2019 19:33:13 -0400
In-Reply-To: <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "draft-ietf-lamps-cms-hash-sig@ietf.org" <draft-ietf-lamps-cms-hash-sig@ietf.org>, SPASM <spasm@ietf.org>
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MYgfz5Azd58UkY8SzqhvOhq8ft4>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2019 23:33:21 -0000

--Apple-Mail=_5998D5AF-8389-4067-8244-5B3C81CC2BE6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Daniel:

I believe that Jim is arguing that the same hash function should always
be used for both the content and the HSS/LMS tree.

Russ


> On Mar 15, 2019, at 3:30 PM, Daniel Van Geest
> <Daniel.VanGeest@isara.com> wrote:
>
> My thoughts,
>
> On 2019-03-14, 2:39 PM, "Spasm on behalf of Jim Schaad"
> <spasm-bounces@ietf.org on behalf of ietf@augustcellars.com> wrote:
>
> I was tossing together some code to look at producing some samples and I
> ended up with a pair of questions:
>
> 1.  If I have a hash signature tree which uses multiple different hash
> algorithms in it, which of those hash algorithms am I to place in the
> digestAlgorithm field?  For example, suppose that I am using an LMS type
> with a hash of SHAKE128 and an LMOTS type with a hash of SHA256.  Or as a
> different example, suppose that I have a two deep tree and the top level
> uses SHA512 in both places but the next level down uses SHA256 in both
> places?
>
> RFC 5652 section 5.3 defines the digestAlgorithm member of SignerInfo as:
>       digestAlgorithm identifies the message digest algorithm, and any
>       associated parameters, used by the signer.  The message digest is
>       computed on either the content being signed or the content
>       together with the signed attributes using the process described in
>       Section 5.4.
>
> In HSS, the hash algorithm used to digest the content is the one in the
> LMOTS type of the bottom-most tree.  The other hash algorithms are used
> to hash within the Merkle tree, or to hash the LMS public key of a lower
> tree.  So in both your examples the answer would be SHA256.
>
> 2.  If there are signed attributes present, then is it required that the body
> digest algorithm match that of the hash signature tree or can it be
> different?  If it is different, is that not the value that should be placed
> in the digestAlgorithm field?  Consider digesting the body with SHA512, but
> only using SHA256 in the hash function on the assumption that the random
> field in the signing operation provides a higher level of security and thus
> a weak attempt is being made to match them together.  (I am sure that this
> is not the correct pairing for matching, just demonstrating a point.)
>
> cms-hash-sigs says:
>       digestAlgorithm MUST contain the one-way hash function used to in
>          the HSS/LMS tree.
> This statement plus the one I quoted from RFC 5652 would imply that the
> body digest algorithm must match that of the HSS algorithm.
>
> However, you are correct that the random field added during signing
> increases the collision resistance of the signature and so using the
> same algorithm to create the message-digest attribute in the signed
> attributes would reduce the collision resistance of the system.  If you
> wanted to allow a different hash algorithm in the signed attributes
> message digest, I think cms-hash-sigs would need to be modified to
> further specify signed-data conventions with/without signed attributes,
> similar to RFC 8419.
>
> Daniel
>
> Jim
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

--Apple-Mail=_5998D5AF-8389-4067-8244-5B3C81CC2BE6--


From nobody Sat Mar 16 23:47:09 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07E9C128661; Sat, 16 Mar 2019 23:47:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BzAiZ1nbvLpr; Sat, 16 Mar 2019 23:47:04 -0700 (PDT)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1041612796D; Sat, 16 Mar 2019 23:47:03 -0700 (PDT)
Received: from unknown (HELO V0501WEXGPR01.isaracorp.com) ([10.5.8.20]) by ip2.isaracorp.com with ESMTP; 17 Mar 2019 06:47:03 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Sun, 17 Mar 2019 02:47:02 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Sun, 17 Mar 2019 02:47:02 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Russ Housley <housley@vigilsec.com>
CC: Jim Schaad <ietf@augustcellars.com>, "draft-ietf-lamps-cms-hash-sig@ietf.org" <draft-ietf-lamps-cms-hash-sig@ietf.org>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] Question on draft-ietf-lamps-cms-hash-sig
Thread-Index: AdTalFpsRD6NOLyJSie3veGv+fJZHgA0TvYAAEMkC4AABsTm2w==
Date: Sun, 17 Mar 2019 06:47:02 +0000
Message-ID: <ae8la1do9rokcauh3e6bjbp4.1552805213981@isara.com>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com>, <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com>
In-Reply-To: <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com>
Accept-Language: en-CA, en-US
Content-Language: en-CA
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Content-Type: multipart/alternative; boundary="_000_ae8la1do9rokcauh3e6bjbp41552805213981isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/A1esVw2BV5opthOF2V0MZXTmfjM>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2019 06:47:07 -0000

--_000_ae8la1do9rokcauh3e6bjbp41552805213981isaracom_
Content-Type: text/plain; charset="utf-8"

That would simplify things, and despite the collision resistance
reduction, should be "good enough" against a quantum attacker due to
properties of Grover's algorithms like parallelizing poorly. I think we
may still mention things like this in the security considerations of the
x509-hash-sigs draft despite no longer proposing pre-hashed OIDs.

Daniel

--_000_ae8la1do9rokcauh3e6bjbp41552805213981isaracom_--
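
Added example, not written by any poster in this thread: a Python sketch of the structural point under discussion, namely that the HSS public key carries only the top-level LMS/LM-OTS typecodes while the typecodes of the bottom-most tree (whose LM-OTS hash digests the content) appear only inside the HSS signature. It assumes the RFC 8554 encodings and typecodes, which are all SHA-256; the sample key and signature are constructed zero-filled byte strings with valid layout, not real cryptographic values.

```python
import struct

# RFC 8554 typecodes: (name, hash, n or m in bytes, p or h).
LMOTS_TYPES = {
    1: ("LMOTS_SHA256_N32_W1", "SHA-256", 32, 265),
    2: ("LMOTS_SHA256_N32_W2", "SHA-256", 32, 133),
    3: ("LMOTS_SHA256_N32_W4", "SHA-256", 32, 67),
    4: ("LMOTS_SHA256_N32_W8", "SHA-256", 32, 34),
}
LMS_TYPES = {
    5: ("LMS_SHA256_M32_H5", "SHA-256", 32, 5),
    6: ("LMS_SHA256_M32_H10", "SHA-256", 32, 10),
    7: ("LMS_SHA256_M32_H15", "SHA-256", 32, 15),
    8: ("LMS_SHA256_M32_H20", "SHA-256", 32, 20),
    9: ("LMS_SHA256_M32_H25", "SHA-256", 32, 25),
}

def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _skip(buf, off, count):
    if off + count > len(buf):
        raise ValueError("truncated at offset %d" % off)
    return off + count

def _lookup(table, code, kind):
    if code not in table:
        raise ValueError("unknown %s typecode %d" % (kind, code))
    return table[code]

def _lms_public_key(buf, off):
    # u32 lms_type || u32 lmots_type || I (16 bytes) || T[1] (m bytes)
    lms, off = _u32(buf, off)
    ots, off = _u32(buf, off)
    _lookup(LMOTS_TYPES, ots, "LM-OTS")
    m = _lookup(LMS_TYPES, lms, "LMS")[2]
    return (lms, ots), _skip(buf, off, 16 + m)

def _lms_signature(buf, off):
    # u32 q || u32 lmots_type || C (n) || y (p*n) || u32 lms_type || path (h*m)
    _q, off = _u32(buf, off)
    ots, off = _u32(buf, off)
    _, _, n, p = _lookup(LMOTS_TYPES, ots, "LM-OTS")
    off = _skip(buf, off, n + p * n)
    lms, off = _u32(buf, off)
    _, _, m, h = _lookup(LMS_TYPES, lms, "LMS")
    return (lms, ots), _skip(buf, off, h * m)

def parse_hss_public_key(buf):
    """Return (levels, (lms_type, lmots_type)); only the TOP tree is described."""
    levels, off = _u32(buf, 0)
    types, off = _lms_public_key(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after HSS public key")
    return levels, types

def parse_hss_signature(buf):
    """Return [(lms_type, lmots_type), ...] from the top tree to the bottom tree."""
    nspk, off = _u32(buf, 0)
    sigs, pubs = [], []
    for _ in range(nspk):
        types, off = _lms_signature(buf, off)    # sig[i], made by the level-i key
        sigs.append(types)
        types, off = _lms_public_key(buf, off)   # pub[i+1], the key it certifies
        pubs.append(types)
    types, off = _lms_signature(buf, off)        # bottom signature over the message
    sigs.append(types)
    if off != len(buf):
        raise ValueError("trailing bytes after HSS signature")
    for level, declared in enumerate(pubs, start=1):
        if sigs[level] != declared:
            raise ValueError("level %d typecodes do not match its public key" % level)
    return sigs

def content_digest_algorithm(hss_signature):
    """Hash named by the LM-OTS type of the bottom-most tree."""
    _lms, ots = parse_hss_signature(hss_signature)[-1]
    return LMOTS_TYPES[ots][1]

# Constructed sample: two levels with different parameter sets per level.
def _sample_sig(lms, ots):
    _, _, n, p = LMOTS_TYPES[ots]
    _, _, m, h = LMS_TYPES[lms]
    return (struct.pack(">II", 0, ots) + bytes(n + p * n)
            + struct.pack(">I", lms) + bytes(h * m))

def _sample_pub(lms, ots):
    return struct.pack(">II", lms, ots) + bytes(16 + LMS_TYPES[lms][2])

TOP, BOTTOM = (6, 4), (5, 3)
SAMPLE_PUBLIC_KEY = struct.pack(">I", 2) + _sample_pub(*TOP)
SAMPLE_SIGNATURE = (struct.pack(">I", 1) + _sample_sig(*TOP)
                    + _sample_pub(*BOTTOM) + _sample_sig(*BOTTOM))
```

A signer that holds only the public key sees the TOP pair; the BOTTOM pair becomes visible only once a signature exists, so code that must fill in digestAlgorithm before signing needs the private-key parameters or another out-of-band source.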


From nobody Sun Mar 17 04:39:48 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E716D127978; Sun, 17 Mar 2019 04:39:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZpn3J1K9py2; Sun, 17 Mar 2019 04:39:44 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B77D51275E9; Sun, 17 Mar 2019 04:39:43 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 17 Mar 2019 04:39:15 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>, 'Daniel Van Geest' <Daniel.VanGeest@isara.com>
CC: <draft-ietf-lamps-cms-hash-sig@ietf.org>, 'SPASM' <spasm@ietf.org>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com> <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com>
In-Reply-To: <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com>
Date: Sun, 17 Mar 2019 04:39:13 -0700
Message-ID: <000101d4dcb6$0d34cdf0$279e69d0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0002_01D4DC7B.60D72E70"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEM1Y28iLV3mVbkBi2mvYQFmQFueAGxOkwAAaZQ9VSnhPwcQA==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Kzo7Q54Gs0LNvRDsUbdUb0zLxEY>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2019 11:39:47 -0000

------=_NextPart_000_0002_01D4DC7B.60D72E70
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

I don't know what Jim is arguing.  I think that I am trying to say that
there may be some language that is not clear at some point in the future
although it is perfectly fine today (mostly).  I do not remember ever seeing
any language in any of the hash signature documents that says that the same
hash function should be used from top to bottom.  I also think that there
will be some push in the not so near future to have some other hash
functions be permitted because of things like the better efficiency of
SHA-512 in many cases or the move to SHAKE as a different hash function.  I
worry that this means that the same hash function may not be used from top
to bottom in a hash signature key.  I also worry that my current code base
does not have any way to get the parameters for the bottom of the tree and
the same thing may be true for an HSM.  The top algorithms can be retrieved
from the public key, but not the bottom algorithms.

Jim

From: Russ Housley <housley@vigilsec.com> 
Sent: Saturday, March 16, 2019 4:33 PM
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
Cc: Jim Schaad <ietf@augustcellars.com>;
draft-ietf-lamps-cms-hash-sig@ietf.org; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

Daniel:

I believe that Jim is arguing that the same hash function should always be
used for both the content and the HSS/LMS tree,

Russ

On Mar 15, 2019, at 3:30 PM, Daniel Van Geest <Daniel.VanGeest@isara.com>
wrote:

My thoughts,

On 2019-03-14, 2:39 PM, "Spasm on behalf of Jim Schaad"
<spasm-bounces@ietf.org on behalf of ietf@augustcellars.com> wrote:

I was tossing together some code to look at producing some samples and I
ended up with a pair of questions:

1.  If I have a hash signature tree which uses multiple different hash
algorithms in it, which of those hash algorithms am I to place in the
digestAlgorithm field?  For example, suppose that I am using an LMS type
with a hash of SHAKE128 and an LMOTS type with a hash of SHA256.  Or as a
different example, suppose that I have a two deep tree and the top level
uses SHA512 in both places but the next level down uses SHA256 in both
places?

RFC 5652 section 5.3 defines the digestAlgorithm member of SignerInfo as:

      digestAlgorithm identifies the message digest algorithm, and any
      associated parameters, used by the signer.  The message digest is
      computed on either the content being signed or the content
      together with the signed attributes using the process described in
      Section 5.4.

In HSS, the hash algorithm used to digest the content is the one in the
LMOTS type of the bottom-most tree.  The other hash algorithms are used to
hash within the Merkle tree, or to hash the LMS public key of a lower tree.
So in both your examples the answer would be SHA256.

 

2.  If there are signed attributes present, then is it required that the body
digest algorithm match that of the hash signature tree or can it be
different.  If it is different, is that not the value that should be placed
in the digestAlgorithm field?  Consider digesting the body with SHA512, but
only using SHA256 in the hash function on the assumption that the random
field in the signing operation provides a higher level of security and thus
a weak attempt is being made to match them together.  (I am sure that this
is not the correct pairing for matching, just demonstrating a point.)

cms-hash-sigs says:

      digestAlgorithm MUST contain the one-way hash function used to in
         the HSS/LMS tree.

This statement plus the one I quoted from RFC 5652 would imply that the body
digest algorithm must match that of the HSS algorithm.

 

However, you are correct that the random field added during signing
increases the collision resistance of the signature and so using the same
algorithm to create the message-digest attribute in the signed attributes
would reduce the collision resistance of the system.  If you wanted to allow
a different hash algorithm in the signed attributes message digest, I think
cms-hash-sigs would need to be modified to further specify signed-data
conventions with/without signed attributes, similar to RFC 8419.

 

Daniel

 

Jim

 

 


------=_NextPart_000_0002_01D4DC7B.60D72E70--


From nobody Sun Mar 17 10:40:53 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8ACF13112B for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2019 10:40:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.238
X-Spam-Level: 
X-Spam-Status: No, score=-1.238 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001, URI_TRY_3LD=0.66] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4QJPr_7gh--o for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2019 10:40:50 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8F381277E5 for <spasm@ietf.org>; Sun, 17 Mar 2019 10:40:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 8BC47300AA6 for <spasm@ietf.org>; Sun, 17 Mar 2019 13:22:31 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id AvMzNBwVQx0p for <spasm@ietf.org>; Sun, 17 Mar 2019 13:22:29 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id 71119300465 for <spasm@ietf.org>; Sun, 17 Mar 2019 13:22:29 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3AAA1CFE-8449-4221-9F5B-110ED72CB78E"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Message-Id: <F2AFA2E9-DF68-49F2-8510-514825B32155@vigilsec.com>
References: <20190316223225.GC11586@netmeister.org>
To: SPASM <spasm@ietf.org>
Date: Sun, 17 Mar 2019 13:40:46 -0400
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/JgFmmi8S3kH7diwdwGOxrDdo5Ws>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2019 17:40:52 -0000

--Apple-Mail=_3AAA1CFE-8449-4221-9F5B-110ED72CB78E
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

We need to get this sorted very quickly.  This document has already been sent to the IESG.

Russ


> From: Jan Schaumann <jschauma@netmeister.org>
> Subject: [lamps] CAA records on CNAMEs
> Date: March 16, 2019 at 6:32:26 PM EDT
> To: spasm@ietf.org
>
> Hello,
>
> I'd like to revisit how CAA records on CNAMEs are handled.
>
> As noted in e.g.,
> https://datatracker.ietf.org/meeting/100/materials/slides-100-lamps-rfc-6844-bis-00.pdf,
> there are cases where it's desirable for an organization to set a CAA
> record on a CNAME.  For example:
>
> If I have existing CAA records on example.com and add a new name
> someapp.example.com as a CNAME to a third-party provider's service.  If
> the third-party provider uses a different CA from the one(s) I use, I
> currently cannot selectively allow only this CA for this single name: as
> a CNAME, the resolution logic mandates that the canonical name is
> considered and, if no CAA record is found there, the CA crawls up to
> example.com.
>
> To illustrate the problem:
>
> $ host -t caa example.com
> example.com has CAA record 0 issue "digicert.com"
> $ host -t cname someapp.example.com
> someapp.example.com is an alias for ghs.googlehosted.com.
> $
>
> Let us assume that the third-party provider wants to use Let's Encrypt.
>
> Here, my options are:
>
> - add "letsencrypt.org" to the CAA records for example.com
>
>  This is undesirable for me, because I do not wish to let LE issue
>  certificates for myotherservice.example.com.
>
> - ask Google to add LE to the CAA record for ghs.googlehosted.com.
>
>  This is not likely successful.  Google has no interest in either
>  restricting this domain to only LE, as presumably other services may
>  well point at this name and use other CAs.
>
> - use a different domain, e.g., someapp.separate-example.com and set the
>  CAA record there
>
>  This is undesirable, because I want to keep all my things under
>  'example.com' for a better user experience / branding / whatever.
>
>
> The "easiest" solution would be to allow CAA records on CNAMEs.  This
> (currently) violates RFC1912, Section 2.4. But per RFC2181, section
> 10.1, we already allow e.g. SIG, NXT, and KEY RRs on CNAMEs; would it
> make sense to allow CAA on CNAMEs as well?
>
>
> An alternative solution was suggested in the slides noted above: change
> the CAA resolution algorithm to first attempt a _prefix on which I can
> set an override (i.e., '_prefix.someapp.example.com IN CAA issue
> "letsencrypt.org"').  This proposal was not reflected in
> https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/, however,
> so I assume there was discussion that concluded this to be undesirable?
>
>
> A third possibility might be to add another 'override' tag to the CAA
> definition, e.g.:
>
> example.com CAA 0 issue "digicert.com"
> example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
>
> would mean that Digicert can issue certs for anything under example.com
> with the exception of 'someapp.example.com', for which only Let's
> Encrypt can issue a cert.
>
> I.e., the 'override' tag may override CAA records for the given name.
> The name must be within the same domain and must be deeper than where
> this CAA record is set.
>
> Let's say that this only is useful for CNAMEs; this would require the CA
> to extend the handling of CNAMES:
>
>   Let CAA(X) be the record set returned in response to performing a CAA
>   record query on the label X, P(X) be the DNS label immediately above
>   X in the DNS hierarchy, O(X) be the result of an override, and A(X)
>   be the target of a CNAME or DNAME alias record chain specified at the
>   label X.
>
>   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise
>
>   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
>      CAA(A(X)), otherwise
>
>   o  If X is not a top-level domain, then
>
>      o  If R(P(X)) contains an 'override' for X, then R(X) = O(P(X)),
>         otherwise
>
>      o  R(X) = R(P(X))
>
>      otherwise
>
>   o  R(X) is empty.
>
>
>
> I'm seeking input on whether the workgroup would consider any of these
> options or otherwise would revive the discussion around the need to find
> a way to set CAA records on a CNAME separate from the parent label.
>
> Thanks,
> -Jan


--Apple-Mail=_3AAA1CFE-8449-4221-9F5B-110ED72CB78E--


From nobody Sun Mar 17 11:03:06 2019
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7DCD1277CC for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2019 11:03:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GlkNeiPZJA35 for <spasm@ietfa.amsl.com>; Sun, 17 Mar 2019 11:03:02 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8138126DFA for <spasm@ietf.org>; Sun, 17 Mar 2019 11:03:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id A988445BFD for <spasm@ietf.org>; Sun, 17 Mar 2019 20:02:58 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id i-feYsDgbbQy for <spasm@ietf.org>; Sun, 17 Mar 2019 20:02:58 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id E96F77A for <spasm@ietf.org>; Sun, 17 Mar 2019 20:02:56 +0200 (EET)
Date: Sun, 17 Mar 2019 20:02:56 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: spasm@ietf.org
Message-ID: <20190317180256.GA4279@LK-Perkele-VII>
References: <20190316223225.GC11586@netmeister.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20190316223225.GC11586@netmeister.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Xc57Tmf5joK5JTHLZ1xr72NjQuk>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2019 18:03:05 -0000

On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote:
> 
> The "easiest" solution would be to allow CAA records on CNAMEs.  This
> (currently) violates RFC1912, Section 2.4. But per RFC2181, section
> 10.1, we already allow e.g. SIG, NXT, and KEY RRs on CNAMEs; would it
> make sense to allow CAA on CNAMEs as well?

Unfortunately that would break DNS. There are few exceptions to the
"nothing alongside CNAME" rule, but that is because the RRtypes
involved are magic DNSSEC ones.

Trying to stick anything else alongside CNAME leads to horrible
failure rates. That is, not some servers fail, but almost all servers
fail. E.g., see CNAME@apex (SOA and NS).

> An alternative solution was suggested in the slides noted above: change
> the CAA resolution algorithm to first attempt a _prefix on which I can
> set an override (i.e., '_prefix.someapp.example.com IN CAA issue
> "letsencrypt.org"').  This proposal was not reflected in
> https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/, however,
> so I assume there was discussion that concluded this to be undesirable?

That lookup happens just on the full name, right after lookup on the
name itself, right? I.e., not on any tree-climbed names.

> A third possibility might be to add another 'override' tag to the CAA
> definition, e.g.:
>
> example.com CAA 0 issue "digicert.com"
> example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
> 
> would mean that Digicert can issue certs for anything under example.com
> with the exception of 'someapp.example.com', for which only Let's
> Encrypt can issue a cert.

One would presumably want to flag that as critical.

And are overrides recursive or not? Based on description it looked that
they require exact match.

And how is the name represented? DNS can present all sorts of really
wonky names, including ones containing spaces or dots. I do not think
public CAs are allowed to issue for such names tho.

> I'm seeking input on whether the workgroup would consider any of these
> options or otherwise would revive the discussion around the need to find
> a way to set CAA records on a CNAME separate from the parent label.


-Ilari
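
An added illustration, not part of the original message and not text from any draft: a toy model of the CAA lookup under discussion, showing why a name that is a CNAME cannot carry its own CAA and how a prefix-label lookup on the full name only would behave. The zone data, the function names and the ordering (prefix first, then ordinary tree climbing with no climbing on the CNAME target) are assumptions.

```python
# Added example: toy model of CAA lookup, not code from the thread or any draft.
# Constructed zone: owner name -> {rrtype: [rdata, ...]}. "_prefix" is the
# placeholder label used in the thread; all names here are illustrative.
ZONE = {
    "example.com": {"CAA": ['0 issue "digicert.com"']},
    "someapp.example.com": {"CNAME": ["cdn.example.net"]},
    "cdn.example.net": {"A": ["192.0.2.10"]},
    "_prefix.someapp.example.com": {"CAA": ['0 issue "letsencrypt.org"']},
}

# The "easiest" option from the thread: CAA placed beside the CNAME itself.
ZONE_CAA_ON_CNAME = {
    **ZONE,
    "someapp.example.com": {
        "CNAME": ["cdn.example.net"],
        "CAA": ['0 issue "letsencrypt.org"'],
    },
}

# Types the thread cites (RFC 2181, section 10.1) as allowed beside a CNAME.
ALLOWED_WITH_CNAME = {"SIG", "NXT", "KEY"}


def cname_violations(zone):
    """Owner names that hold a CNAME together with other, non-exempt data."""
    return sorted(
        owner for owner, rrsets in zone.items()
        if "CNAME" in rrsets and set(rrsets) - {"CNAME"} - ALLOWED_WITH_CNAME
    )


def query(zone, name, rrtype, max_chain=8):
    """Answer like a resolver: follow CNAMEs, return the RRset or []."""
    for _ in range(max_chain):
        rrsets = zone.get(name, {})
        if rrtype in rrsets:
            return rrsets[rrtype]
        if "CNAME" not in rrsets:
            return []
        name = rrsets["CNAME"][0]
    raise RuntimeError("CNAME chain too long")


def relevant_caa(zone, name):
    """Tree climbing on the requested name only (assumed behaviour): return
    (owner, rrset) for the nearest non-empty CAA RRset, or (None, [])."""
    domain = name
    while domain:
        rrset = query(zone, domain, "CAA")
        if rrset:
            return domain, rrset
        domain = domain.partition(".")[2]  # drop the leftmost label
    return None, []


def relevant_caa_with_prefix(zone, name, label="_prefix"):
    """Prefix proposal as read here: try label.name for the full name only,
    then fall back to ordinary tree climbing (no prefix on parent names)."""
    override = query(zone, f"{label}.{name}", "CAA")
    if override:
        return f"{label}.{name}", override
    return relevant_caa(zone, name)


def may_issue(zone, name, ca, lookup=relevant_caa):
    """True if `ca` is permitted by the 'issue' properties found by lookup."""
    _owner, rrset = lookup(zone, name)
    issuers = []
    for rdata in rrset:
        _flags, tag, value = rdata.split(" ", 2)
        if tag == "issue":
            issuers.append(value.strip('"').split(";")[0].strip())
    return not issuers or ca in issuers  # no issue property: unrestricted


if __name__ == "__main__":
    print("CNAME rule violations:", cname_violations(ZONE_CAA_ON_CNAME))
    for lookup in (relevant_caa, relevant_caa_with_prefix):
        for name in ("someapp.example.com", "deep.someapp.example.com"):
            owner, _ = lookup(ZONE, name)
            ok = may_issue(ZONE, name, "letsencrypt.org", lookup)
            print(f"{lookup.__name__:26} {name:26} CAA from {owner}: "
                  f"letsencrypt.org allowed={ok}")
```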


From nobody Sun Mar 17 11:49:43 2019
Return-Path: <tjw.ietf@gmail.com>
MIME-Version: 1.0
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII>
In-Reply-To: <20190317180256.GA4279@LK-Perkele-VII>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Sun, 17 Mar 2019 11:49:28 -0700
Message-ID: <CADyWQ+ERaPHyQbTadTAaLw19vbGcghHDhxTdD=KSO3e8nJmgNA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: SPASM <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e5c27805844ebbd6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/LAXTObt7qPO-qylOVIjGrIqaeOI>
Subject: Re: [lamps] CAA records on CNAMEs
X-List-Received-Date: Sun, 17 Mar 2019 18:49:42 -0000

--000000000000e5c27805844ebbd6
Content-Type: text/plain; charset="UTF-8"

We did not like using something like _caa.example.com ?

I mean we have an RFC and an IANA registry all set up to handle the
underscore name
(well almost https://tools.ietf.org/html/draft-ietf-dnsop-attrleaf-16)

We've been burned on CAA records for specific FQDNs which are CNAMEs.

Tim


On Sun, Mar 17, 2019 at 11:03 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote:
> >
> > The "easiest" solution would be to allow CAA records on CNAMEs.  This
> > (currently) violates RFC1912, Section 2.4. But per RFC2181, section
> > 10.1, we already allow e.g. SIG, NXT, and KEY RRs on CNAMEs; would it
> > make sense to allow CAA on CNAMEs as well?
>
> Unfortunately that would break DNS. There are few exceptions to the
> "nothing alongside CNAME" rule, but that is because the RRtypes
> involved are magic DNSSEC ones.
>
> Trying to stick anything else alongside CNAME leads to horrible
> failure rates. That is, not some servers fail, but almost all servers
> fail. E.g., see CNAME@apex (SOA and NS).
>
> > An alternative solution was suggested in the slides noted above: change
> > the CAA resolution algorithm to first attempt a _prefix on which I can
> > set an override (i.e., '_prefix.someapp.example.com IN CAA issue
> > "letsencrypt.org"').  This proposal was not reflected in
> > https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/, however,
> > so I assume there was discussion that concluded this to be undesirable?
>
> That lookup happens just on the full name, right after lookup on the
> name itself, right? I.e., not on any tree-climbed names.
>
> > A third possibility might be to add another 'override' tag to the CAA
> > definition, e.g.:
> >
> > example.com CAA 0 issue "digicert.com"
> > example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
> >
> > would mean that Digicert can issue certs for anything under example.com
> > with the exception of 'someapp.example.com', for which only Let's
> > Encrypt can issue a cert.
>
> One would presumably want to flag that as critical.
>
> And are overrides recursive or not? Based on description it looked that
> they require exact match.
>
> And how is the name represented? DNS can present all sorts of really
> wonky names, including ones containing spaces or dots. I do not think
> public CAs are allowed to issue for such names tho.
>
> > I'm seeking input on whether the workgroup would consider any of these
> > options or otherwise would revive the discussion around the need to find
> > a way to set CAA records on a CNAME separate from the parent label.
>
>
> -Ilari
>

--000000000000e5c27805844ebbd6--


From nobody Sun Mar 17 12:17:01 2019
Return-Path: <ilariliusvaara@welho.com>
Date: Sun, 17 Mar 2019 21:16:49 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Tim Wicinski <tjw.ietf@gmail.com>
Cc: SPASM <spasm@ietf.org>
Message-ID: <20190317191649.GA5013@LK-Perkele-VII>
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII> <CADyWQ+ERaPHyQbTadTAaLw19vbGcghHDhxTdD=KSO3e8nJmgNA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CADyWQ+ERaPHyQbTadTAaLw19vbGcghHDhxTdD=KSO3e8nJmgNA@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/iN6Tb9w6I45lsOC7PYy66LvPd54>
Subject: Re: [lamps] CAA records on CNAMEs
X-List-Received-Date: Sun, 17 Mar 2019 19:16:59 -0000

On Sun, Mar 17, 2019 at 11:49:28AM -0700, Tim Wicinski wrote:
> We did not like using something like _caa.example.com ?
> 
> I mean we have an RFC and an IANA registry all set up to handle the
> underscore name
> (well almost https://tools.ietf.org/html/draft-ietf-dnsop-attrleaf-16)
> 
> We've been burned on CAA records for specific FQDNs which are CNAMEs.

I think that was essentially one of the proposals.

And IIRC, the real nasty issue was treeclimbing on CNAME target, that
caused a lot of issues.


-Ilari


From nobody Sun Mar 17 13:48:18 2019
Return-Path: <tjw.ietf@gmail.com>
MIME-Version: 1.0
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII> <CADyWQ+ERaPHyQbTadTAaLw19vbGcghHDhxTdD=KSO3e8nJmgNA@mail.gmail.com> <20190317191649.GA5013@LK-Perkele-VII>
In-Reply-To: <20190317191649.GA5013@LK-Perkele-VII>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Sun, 17 Mar 2019 13:48:04 -0700
Message-ID: <CADyWQ+HeC=eOhYPiJnFkUZH8SJUVzbPHb56PBz=ima7VxmGzAA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: SPASM <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000f774a0584506498"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vEwX_tR2aqpPpLxK7JtyeOa0ygc>
Subject: Re: [lamps] CAA records on CNAMEs
X-List-Received-Date: Sun, 17 Mar 2019 20:48:18 -0000

--0000000000000f774a0584506498
Content-Type: text/plain; charset="UTF-8"

I am no DNS expert, but I routinely see DNS records of the form

foobar.example.com CNAME cdn.example.net
email.foobar.example.com MX
email.foorbar.example.com TXT

But of course RFC8499 is the better source.

Going back to the presentations, Phillip Hallam-Baker noted that _prefix
labels don't work with DNAME.

Tim


On Sun, Mar 17, 2019 at 12:16 PM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Sun, Mar 17, 2019 at 11:49:28AM -0700, Tim Wicinski wrote:
> > We did not like using something like _caa.example.com ?
> >
> > I mean we have an RFC and an IANA registry all set up to handle the
> > underscore name
> > (well almost https://tools.ietf.org/html/draft-ietf-dnsop-attrleaf-16)
> >
> > We've been burned on CAA records for specific FQDNs which are CNAMEs.
>
> I think that was essentially one of the proposals.
>
> And IIRC, the real nasty issue was treeclimbing on CNAME target, that
> caused a lot of issues.
>
>
> -Ilari
>

--0000000000000f774a0584506498--


From nobody Mon Mar 18 08:29:13 2019
Return-Path: <rsalz@akamai.com>
From: "Salz, Rich" <rsalz@akamai.com>
To: Jan Schaumann <jschauma@netmeister.org>, "spasm@ietf.org" <spasm@ietf.org>
Date: Mon, 18 Mar 2019 15:28:58 +0000
Message-ID: <3D292A90-B3DF-46E7-9014-8E36AA214A90@akamai.com>
References: <20190316223225.GC11586@netmeister.org>
In-Reply-To: <20190316223225.GC11586@netmeister.org>
Content-Type: text/plain; charset="utf-8"
Content-ID: <0DA7ED609A9BDA449F3EF4BB1E7591F0@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/uKRThlS61hLgh-ouastzfbU1OuE>
Subject: Re: [lamps] CAA records on CNAMEs
X-List-Received-Date: Mon, 18 Mar 2019 15:29:12 -0000

> As noted in e.g.,
> https://datatracker.ietf.org/meeting/100/materials/slides-100-lamps-rfc-6844-bis-00.pdf,
> there are cases where it's desirable for an organization to set a CAA
> record on a CNAME.  For example:

Start by changing RFC 1912, which does not allow any other data to appear with a CNAME. ;)


From nobody Mon Mar 18 08:47:01 2019
Return-Path: <hallam@gmail.com>
MIME-Version: 1.0
References: <20190316223225.GC11586@netmeister.org> <3D292A90-B3DF-46E7-9014-8E36AA214A90@akamai.com>
In-Reply-To: <3D292A90-B3DF-46E7-9014-8E36AA214A90@akamai.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 18 Mar 2019 11:46:47 -0400
Message-ID: <CAMm+LwgMWg0TVw0rf_1PDTWQwVCU4FLcUUGun1TjG8yz-QHWXA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Jan Schaumann <jschauma@netmeister.org>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e89a20584604c27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MaCFnc0QnoSMXJLF96NSvm6C3TI>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 15:47:00 -0000

--0000000000005e89a20584604c27
Content-Type: text/plain; charset="UTF-8"

This is exactly back where we started.

There are three technical options. Each time I comment on this I understand
that we have decided to go for the prefix records solution and every time
it turns out we didn't and a few months later the same problem comes up.

The problem here is that CNAME delegation is used to implement two entirely
different types of delegation and does not specify which one is intended.
When 6844 was written, the Web was in a different place, CDNs were not so
ubiquitous and so the needs then were different and when we discussed it
then we decided to make one particular choice. But it was a fully
considered choice.

Also at the time CAA was proposed, the DNS folk insisted that prefix
records represent some sort of heresy and must be avoided at all costs. It
has since been realized that they are necessary to fix the fact that the
DNS architecture does not meet DNS use. And why would something designed 35
years ago to meet the needs of the Internet scaling from 100 hosts to 1000
anticipate everything that came since?


The two uses of delegation are:

1) Asserting name equality. i.e. *.example.net = *.example.com

2) Delegating isolated domains www.example.com -> example.mycdn.com

On top of this there is the fact that DNAME isn't really a DNS RR only it
is because it has to be because of DNSSEC only it doesn't have the
semantics you would expect and certainly not the semantics that you want.

Long and the short of it is that if you want to do the right thing for both
the use cases, you need to distinguish one of the cases using a prefix to
the CAA record.


I am not going to be in Prague as I am still finishing the Mesh specs and
getting my company registered as an LLC. Right now it is
VentureCryptography.com


On Mon, Mar 18, 2019 at 11:29 AM Salz, Rich <rsalz@akamai.com> wrote:

> >    As noted in e.g.,
>
> https://datatracker.ietf.org/meeting/100/materials/slides-100-lamps-rfc-6844-bis-00.pdf
> ,
>     there are cases where it's desirable for an organization to set a CAA
>     record on a CNAME.  For example:
>
> Start by changing RFC 1912, which does not allow any other data to
> appear with a CNAME. ;)
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

--0000000000005e89a20584604c27--


From nobody Mon Mar 18 09:02:46 2019
Return-Path: <jschauma@netmeister.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83BB1129AA0 for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 09:02:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ulTh91Qjjysj for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 09:02:41 -0700 (PDT)
Received: from panix.netmeister.org (panix.netmeister.org [IPv6:2001:470:30:84:e276:63ff:fe72:3900]) by ietfa.amsl.com (Postfix) with ESMTP id B8B70128B36 for <spasm@ietf.org>; Mon, 18 Mar 2019 09:02:11 -0700 (PDT)
Received: by panix.netmeister.org (Postfix, from userid 1000) id 2E56365341; Mon, 18 Mar 2019 12:02:11 -0400 (EDT)
Date: Mon, 18 Mar 2019 12:02:11 -0400
From: Jan Schaumann <jschauma@netmeister.org>
To: spasm@ietf.org
Message-ID: <20190318160211.GC22311@netmeister.org>
Mail-Followup-To: spasm@ietf.org
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190317180256.GA4279@LK-Perkele-VII>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SSUqch7mK6wc94En48ZXXUey4WA>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 16:02:46 -0000

Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote:
 
> > An alternative solution was suggested in the slides noted above: change
> > the CAA resolution algorithm to first attempt a _prefix on which I can
> > set an override (i.e., '_prefix.someapp.example.com IN CAA issue
> > "letsencrypt.org"').  This proposal was not reflected in
> > https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/, however,
> > so I assume there was discussion that concluded this to be undesirable?
> 
> That lookup happens just on the full name, right after lookup on the
> name itself, right? I.e., not on any tree-climbed names.

I'm not the author of the original proposal, but I'd think the lookup
could work in one of two ways:

1) only perform the lookup on the full name iff it is a CNAME
2) perform the lookup on any tree-climbed name

(1) has the advantage of simplicity, at the cost of (some)
inconsistency; (2) has the advantage of consistency at the cost of
complexity and performance.  Worse is Better suggests (1).


As for how to handle combinations with DNAMEs, I suppose under (1), the
situation is largely unchanged:

With 'example.com DNAME example.net' a lookup for a CAA record for
someapp.example.com would yield:

- per the DNAME requirement, there must not be any record for
  someapp.example.com, so we only look at someapp.example.net:
- if someapp.example.net has a CAA record, return that; else
- if someapp.example.net is a CNAME to someapp.example.org:
  - if _caa.someapp.example.net has a CAA record, return that; else
  - if someapp.example.org has a CAA record, return that; else
- try example.com, which falls under the DNAME, so check example.net; if
  that has a CAA record, return; else
- try .com


> > A third possibility might be to add another 'override' tag to the CAA
> > definition, e.g.:
> >
> > example.com CAA 0 issue "digicert.com"
> > example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
 
> And are overrides recursive or not? Based on description it looked that
> they require exact match.

For simplicity, I think it might make sense to require that an
'override' can only be given for specific labels above in the tree.
That is, no wildcards and no further recursion.

In order to simplify matching of records and names, we could swap the
order, so the syntax might be:

override "<issue|issuewild|iodef>:<value> <name>"

In example, this might look like so:

example.com CAA 0 iodef "mailto:security@example.com"
example.com CAA 0 issue "digicert.com"
example.com CAA 0 override "issue:letsencrypt.org foo.example.com"
example.com CAA 0 override "issuewild:globalsign.com bar.example.com"
example.com CAA 0 override "iodef:mailto:bofh@example.net bofh.example.com"


I'll also note that in a parallel thread on mozilla.dev.security.policy,
it was noted that there may be a need for an explicit way to allow any
CA to issue (in contrast to not having a CAA record, and thus requiring
a tree-climb ending only possibly in an implicit approval of any CA):
https://groups.google.com/d/msg/mozilla.dev.security.policy/DVa-xn1VsOA/DhQk9RZmDAAJ

-Jan
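
The lookup order described in the message above, as an added example that is not part of the original post or of any draft: it models option (1) (prefix lookup only on the full name, and only if that name is a CNAME) next to option (2), read here as one extra prefix query at every name visited, and records the queries each one sends. The zone data, the `_caa` label taken from the walkthrough, the hop limit, and the choice to follow CNAMEs only on the full name are assumptions of this sketch.

```python
"""Illustration of the proposed CAA prefix lookup; constructed data, no real DNS."""

PREFIX = "_caa"       # label used in the message's walkthrough; not standardized
MAX_CNAME_HOPS = 8    # assumed bound so a CNAME loop cannot stall the lookup

# Constructed zone data: owner name -> {record type: value}
ZONE = {
    "example.com": {"CAA": ['0 issue "digicert.com"']},
    # CNAME to a third party; a CAA record cannot sit next to the CNAME,
    # so the override lives on the prefixed name.
    "someapp.example.com": {"CNAME": "someapp.example.org"},
    "_caa.someapp.example.com": {"CAA": ['0 issue "letsencrypt.org"']},
    # CNAME without an override: the target's CAA record applies.
    "cdn.example.com": {"CNAME": "cdn.example.org"},
    "cdn.example.org": {"CAA": ['0 issue "globalsign.com"']},
    # Misconfigured CNAME pointing at itself.
    "loop.example.com": {"CNAME": "loop.example.com"},
}


class Lookup:
    """Stand-in for a resolver that records every (name, type) query."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = []

    def get(self, name, rrtype):
        self.queries.append((name, rrtype))
        return self.zone.get(name, {}).get(rrtype)


def check_name(dns, name, is_full, prefix_everywhere):
    """Return (owner, records) for the first CAA set found at one name, else None."""
    caa = dns.get(name, "CAA")
    if caa:
        return name, caa
    # Assumption: CNAMEs are only followed on the full name, not on parents.
    target = dns.get(name, "CNAME") if is_full else None
    if prefix_everywhere or target is not None:
        prefixed = f"{PREFIX}.{name}"
        caa = dns.get(prefixed, "CAA")
        if caa:
            return prefixed, caa
    seen, hops = {name}, 0
    while target and target not in seen and hops < MAX_CNAME_HOPS:
        caa = dns.get(target, "CAA")
        if caa:
            return target, caa
        seen.add(target)
        target = dns.get(target, "CNAME")
        hops += 1
    return None


def find_caa(zone, fqdn, option=1):
    """Walk from fqdn toward the root; return (owner, records, queries).

    option=1: prefix lookup only on the full name, and only if it is a CNAME.
    option=2: prefix lookup on the full name and on every tree-climbed name.
    owner is None when no CAA record set is found anywhere on the path.
    """
    dns = Lookup(zone)
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        hit = check_name(dns, name, is_full=(i == 0),
                         prefix_everywhere=(option == 2))
        if hit:
            return hit[0], hit[1], dns.queries
    return None, [], dns.queries


if __name__ == "__main__":
    for fqdn in ("someapp.example.com", "cdn.example.com",
                 "a.b.example.com", "loop.example.com"):
        for option in (1, 2):
            owner, records, queries = find_caa(ZONE, fqdn, option)
            print(f"{fqdn} option {option}: {owner} {records} "
                  f"({len(queries)} queries)")
```
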


From nobody Mon Mar 18 09:53:38 2019
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FDF7131215 for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 09:53:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level: 
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com header.b=LeOcL0al; dkim=pass (1024-bit key) header.d=digicert.com header.b=IWBAPl3N
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KA4kCaZqTMSI for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 09:53:33 -0700 (PDT)
Received: from us-smtp-delivery-173.mimecast.com (us-smtp-delivery-173.mimecast.com [63.128.21.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F10EF131231 for <spasm@ietf.org>; Mon, 18 Mar 2019 09:53:32 -0700 (PDT)
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-by2nam05lp2057.outbound.protection.outlook.com [104.47.50.57]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-128-p4OXLgC4MbGiMhD6UZqtZA-1; Mon, 18 Mar 2019 12:53:28 -0400
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1284.namprd14.prod.outlook.com (10.173.162.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.14; Mon, 18 Mar 2019 16:53:25 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941%4]) with mapi id 15.20.1709.015; Mon, 18 Mar 2019 16:53:25 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jan Schaumann <jschauma@netmeister.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] CAA records on CNAMEs
Thread-Index: AQHU3EgqDykQXQcrQ0mC8Zclj0PKi6YQHrsAgAFwmICAAAyfkA==
Date: Mon, 18 Mar 2019 16:53:25 +0000
Message-ID: <BN6PR14MB1106E81499036021704CA32683470@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII> <20190318160211.GC22311@netmeister.org>
In-Reply-To: <20190318160211.GC22311@netmeister.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tim.hollebeek@digicert.com; 
x-originating-ip: [98.111.253.32]
x-ms-publictraffictype: Email
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_04F6_01D4DD89.9058BE20"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 76aa3bcd-c065-4c52-aae6-08d6abc23d18
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2019 16:53:25.5084 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1284
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/YJ8O5AisYZioQv7s2Gf9ufCEK28>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 16:53:38 -0000

------=_NextPart_000_04F6_01D4DD89.9058BE20
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

The problem is the "override" proposal adds another huge level of complexity
on top of the semantics of the issue tag and every other tag involved in the
issuance of certificates in the future (there will be more).

As such, I think the proposal is strictly inferior to much simpler solutions
e.g. the ones involving prefix tags.  You can even do clever things like
saying the prefix tag is only relevant for CNAME records (this avoids having
to do an additional DNS lookup for every node just to check if the prefix
tag exists at that node).

The prefix tag issue resurfaces every six to twelve months or so; interested
persons should probably just concentrate on pushing that across the goal
line.  Though I think it probably isn't necessary to hold up RFC6844bis for
it.  We already said "no" to one other request to extend CAA that
potentially could have held up RFC6844bis.  It can be its own RFC.

-Tim

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Jan Schaumann
> Sent: Monday, March 18, 2019 12:02 PM
> To: spasm@ietf.org
> Subject: Re: [lamps] CAA records on CNAMEs
> 
> Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> > On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote:
> 
> > > An alternative solution was suggested in the slides noted above:
> > > change the CAA resolution algorithm to first attempt a _prefix on
> > > which I can set an override (i.e., '_prefix.someapp.example.com IN
> > > CAA issue "letsencrypt.org"').  This proposal was not reflected in
> > > https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/,
> > > however, so I assume there was discussion that concluded this to be
> > > undesirable?
> >
> > That lookup happens just on the full name, right after lookup on the
> > name itself, right? I.e., not on any tree-climbed names.
> 
> I'm not the author of the original proposal, but I'd think the lookup
> could work in one of two ways:
> 
> 1) only perform the lookup on the full name iff it is a CNAME
> 2) perform the lookup on any tree-climbed name
> 
> (1) has the advantage of simplicity, at the cost of (some) inconsistency;
> (2) has the advantage of consistency at the cost of complexity and
> performance.  Worse is Better suggests (1).
> 
> 
> As for how to handle combinations with DNAMEs, I suppose under (1), the
> situation is largely unchanged:
> 
> With 'example.com DNAME example.net' a lookup for a CAA record for
> someapp.example.com would yield:
> 
> - per the DNAME requirement, there must not be any record for
>   someapp.example.com, so we only look at someapp.example.net:
> - if someapp.example.net has a CAA record, return that; else
> - if someapp.example.net is a CNAME to someapp.example.org:
>   - if _caa.someapp.example.net has a CAA record, return that; else
>   - if someapp.example.org has a CAA record, return that; else
> - try example.com, which falls under the DNAME, so check example.net; if
>   that has a CAA record, return; else
> - try .com
> 
> 
> > > A third possibility might be to add another 'override' tag to the
> > > CAA definition, e.g.:
> > >
> > > example.com CAA 0 issue "digicert.com"
> > > example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
> 
> > And are overrides recursive or not? Based on description it looked
> > that they require exact match.
> 
> For simplicity, I think it might make sense to require that an 'override'
> can only be given for specific labels above in the tree.
> That is, no wildcards and no further recursion.
> 
> In order to simplify matching of records and names, we could swap the
> order, so the syntax might be:
> 
> override "<issue|issuewild|iodef>:<value> <name>"
> 
> In example, this might look like so:
> 
> example.com CAA 0 iodef "mailto:security@example.com"
> example.com CAA 0 issue "digicert.com"
> example.com CAA 0 override "issue:letsencrypt.org foo.example.com"
> example.com CAA 0 override "issuewild:globalsign.com bar.example.com"
> example.com CAA 0 override "iodef:mailto:bofh@example.net bofh.example.com"
> 
> 
> I'll also note that in a parallel thread on mozilla.dev.security.policy,
> it was noted that there may be a need for an explicit way to allow any CA
> to issue (in contrast to not having a CAA record, and thus requiring a
> tree-climb ending only possibly in an implicit approval of any CA):
> https://groups.google.com/d/msg/mozilla.dev.security.policy/DVa-xn1VsOA/DhQk9RZmDAAJ
> 
> -Jan
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


------=_NextPart_000_04F6_01D4DD89.9058BE20--


From nobody Mon Mar 18 10:49:57 2019
Return-Path: <jschauma@netmeister.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6C9713121A for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 10:49:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z3mwZBwXDqQX for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 10:49:45 -0700 (PDT)
Received: from panix.netmeister.org (panix.netmeister.org [IPv6:2001:470:30:84:e276:63ff:fe72:3900]) by ietfa.amsl.com (Postfix) with ESMTP id 30CBD131158 for <spasm@ietf.org>; Mon, 18 Mar 2019 10:49:45 -0700 (PDT)
Received: by panix.netmeister.org (Postfix, from userid 1000) id A655565341; Mon, 18 Mar 2019 13:49:44 -0400 (EDT)
Date: Mon, 18 Mar 2019 13:49:44 -0400
From: Jan Schaumann <jschauma@netmeister.org>
To: spasm@ietf.org
Message-ID: <20190318174944.GE22311@netmeister.org>
Mail-Followup-To: spasm@ietf.org
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII> <20190318160211.GC22311@netmeister.org> <BN6PR14MB1106E81499036021704CA32683470@BN6PR14MB1106.namprd14.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <BN6PR14MB1106E81499036021704CA32683470@BN6PR14MB1106.namprd14.prod.outlook.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TqgqA4-CivuTLYeDmrX5W9LwsEE>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 17:49:56 -0000

Tim Hollebeek <tim.hollebeek@digicert.com> wrote:
 
> As such, I think the proposal is strictly inferior to much simpler solutions
> e.g. the ones involving prefix tags.

Agreed.

> The prefix tag issue resurfaces every six to twelve months or so

I'd be interested to hear arguments previously used against a prefix
tag to ensure they are addressed or at least considered should we
propose to pursue this.

-Jan


From nobody Mon Mar 18 10:58:25 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06BE6129AB8; Mon, 18 Mar 2019 10:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JqLDgLFKvDVp; Mon, 18 Mar 2019 10:58:19 -0700 (PDT)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D2861200D8; Mon, 18 Mar 2019 10:58:18 -0700 (PDT)
Received: from unknown (HELO V0501WEXGPR02.isaracorp.com) ([10.5.9.20]) by ip2.isaracorp.com with ESMTP; 18 Mar 2019 17:58:17 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR02.isaracorp.com (10.5.9.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Mon, 18 Mar 2019 13:58:17 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Mon, 18 Mar 2019 13:58:17 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Russ Housley' <housley@vigilsec.com>
CC: "draft-ietf-lamps-cms-hash-sig@ietf.org" <draft-ietf-lamps-cms-hash-sig@ietf.org>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Question on draft-ietf-lamps-cms-hash-sig
Thread-Index: AdTalFpsRD6NOLyJSie3veGv+fJZHgA0TvYAAEMkC4AAGVrygAA3JamA
Date: Mon, 18 Mar 2019 17:58:17 +0000
Message-ID: <10EB05CC-DD01-49CE-A702-9CFAB436F542@isara.com>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com> <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com> <000101d4dcb6$0d34cdf0$279e69d0$@augustcellars.com>
In-Reply-To: <000101d4dcb6$0d34cdf0$279e69d0$@augustcellars.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_10EB05CCDD0149CEA7029CFAB436F542isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/er_pZk9sQhnW3mRopoXsslcLMyM>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 17:58:24 -0000

--_000_10EB05CCDD0149CEA7029CFAB436F542isaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_10EB05CCDD0149CEA7029CFAB436F542isaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <92FF9AC5E0D28246AD56BDC3722176A6@isara.com>
Content-Transfer-Encoding: base64
--_000_10EB05CCDD0149CEA7029CFAB436F542isaracom_--


From nobody Mon Mar 18 11:06:42 2019
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1EB312D4ED for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 11:06:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level: 
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com header.b=h7NFi917; dkim=pass (1024-bit key) header.d=digicert.com header.b=QFokOpjP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pxMvEBYRo_AP for <spasm@ietfa.amsl.com>; Mon, 18 Mar 2019 11:06:36 -0700 (PDT)
Received: from us-smtp-delivery-173.mimecast.com (us-smtp-delivery-173.mimecast.com [63.128.21.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DE2312D4E8 for <spasm@ietf.org>; Mon, 18 Mar 2019 11:06:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=mimecast20190124; t=1552932395; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jNOiqDGRKxyZAeSRYTVHM9S+rusirakdfeM6Rr3Qdf8=; b=h7NFi9172ArIh//SmKbDvRdAlF9clETxUE6M4QJvDlrseGPMTnhtam5ZyT1XjAvk/xVQ7ZgwsdIASPPlr2r79u+gCrSeNn4lldTAZEFA2eZLvSVdFQUGmtOW9LXg9K+NKGYit2sVl0aMIkhx3/t62bbncmSRpUfIipFKd/ZCwdU=
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-by2nam05lp2055.outbound.protection.outlook.com [104.47.50.55]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-224-Ht5GZRLAMd-bV1zq5IEb1A-1; Mon, 18 Mar 2019 14:06:34 -0400
X-MC-Unique: Ht5GZRLAMd-bV1zq5IEb1A-1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jNOiqDGRKxyZAeSRYTVHM9S+rusirakdfeM6Rr3Qdf8=; b=QFokOpjPWjK2E0M/EVKGJLFFKLdtagJNwgs04yVr/0BAKeSMwYNO8/r5yYAWmGPPvH+f6gT9jaQiztEtbtYsPH8cns7YLH8TPOtj1tL/50a8H6URQuRF53NiqAQE9kCNGVzZOoLjSODaTWVF8z73swVo/w5/cmC234IKjRk0Y/M=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1188.namprd14.prod.outlook.com (10.173.161.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.14; Mon, 18 Mar 2019 18:06:31 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941%4]) with mapi id 15.20.1709.015; Mon, 18 Mar 2019 18:06:31 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jan Schaumann <jschauma@netmeister.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] CAA records on CNAMEs
Thread-Index: AQHU3EgqDykQXQcrQ0mC8Zclj0PKi6YQHrsAgAFwmICAAAyfkIAAEW4AgAADyeA=
Date: Mon, 18 Mar 2019 18:06:31 +0000
Message-ID: <BN6PR14MB1106D67F17B5DE9FB2D7020B83470@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII> <20190318160211.GC22311@netmeister.org> <BN6PR14MB1106E81499036021704CA32683470@BN6PR14MB1106.namprd14.prod.outlook.com> <20190318174944.GE22311@netmeister.org>
In-Reply-To: <20190318174944.GE22311@netmeister.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tim.hollebeek@digicert.com; 
x-originating-ip: [98.111.253.32]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 36740a1f-000e-4ccf-051f-08d6abcc7338
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1188; 
x-ms-traffictypediagnostic: BN6PR14MB1188:
x-microsoft-antispam-prvs: <BN6PR14MB11885062CEE794575F65A76583470@BN6PR14MB1188.namprd14.prod.outlook.com>
x-forefront-prvs: 098076C36C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(136003)(366004)(39860400002)(376002)(346002)(396003)(199004)(13464003)(189003)(105586002)(25786009)(6116002)(76176011)(106356001)(99286004)(68736007)(5660300002)(3846002)(99936001)(86362001)(966005)(478600001)(14454004)(74316002)(7696005)(305945005)(71200400001)(2501003)(229853002)(53936002)(186003)(6436002)(97736004)(8936002)(6246003)(7736002)(561944003)(71190400001)(476003)(33656002)(256004)(316002)(93886005)(486006)(81156014)(81166006)(446003)(11346002)(110136005)(2906002)(102836004)(8676002)(52536014)(53546011)(6506007)(26005)(6306002)(44832011)(9686003)(66066001)(55016002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1188; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0539_01D4DD93.C6BD1B00"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 36740a1f-000e-4ccf-051f-08d6abcc7338
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2019 18:06:31.3462 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1188
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dWfgTRjtmmGoCGZuFqdXSUz6FqY>
Subject: Re: [lamps] CAA records on CNAMEs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 18:06:40 -0000

------=_NextPart_000_0539_01D4DD93.C6BD1B00
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

I don't think there really have been any arguments against.  
People have just had other higher priorities.  Getting something
standardized takes time and effort.

There are a bunch of other reasonable extensions to CAA that 
can and should be considered.  I do agree that it's probably
time to start pulling a formal document together so that they
can be fleshed out.  RFC 6844bis was more of a "fix a bunch 
of broken stuff" thing than a "let's add some new features"
thing.  Now that that's on its way out the door, perhaps it
is time for a CAA extensions discussion.

-Tim

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Jan Schaumann
> Sent: Monday, March 18, 2019 1:50 PM
> To: spasm@ietf.org
> Subject: Re: [lamps] CAA records on CNAMEs
> 
> Tim Hollebeek <tim.hollebeek@digicert.com> wrote:
> 
> > As such, I think the proposal is strictly inferior to much simpler
> > solutions e.g. the ones involving prefix tags.
> 
> Agreed.
> 
> > The prefix tag issue resurfaces every six to twelve months or so
> 
> I'd be interested to hear arguments previously used against a prefix tag to
> ensure they are addressed or at least considered should we propose to pursue
> this.
> 
> -Jan
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


------=_NextPart_000_0539_01D4DD93.C6BD1B00
Content-Type: application/pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"
------=_NextPart_000_0539_01D4DD93.C6BD1B00--


From nobody Mon Mar 18 11:21:33 2019
Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB0791200D8; Mon, 18 Mar 2019 11:21:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level: 
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QupI7rJJLq0c; Mon, 18 Mar 2019 11:21:29 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68C111277CC; Mon, 18 Mar 2019 11:21:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=33954; q=dns/txt; s=iport; t=1552933289; x=1554142889; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=dscd9YPaHBi3eQqHCoVG5XDs8BeMCxEYtB3lQQOQR8I=; b=A3xBC+MZ579eT6k7bJVVTlnGamMkvE1+1x7idVp1vIIW5N+xVT/+Afhz 3hFqQn/tZ2ZdCxtMvgYncnlwKTwgvnrx8XdwuoKE6BwPqpe1+9HMmb6WM 7U09h0Junhek2APA/MzrCJvzrOnOBF59hPrQ2jHfj/x7MANtz93w5RotU s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.58,494,1544486400";  d="scan'208,217";a="246865536"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Mar 2019 18:21:28 +0000
Received: from XCH-RTP-008.cisco.com (xch-rtp-008.cisco.com [64.101.220.148]) by rcdn-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id x2IILRbn024628 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 18 Mar 2019 18:21:28 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-008.cisco.com (64.101.220.148) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 18 Mar 2019 14:21:27 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1473.003; Mon, 18 Mar 2019 14:21:27 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Daniel Van Geest <Daniel.VanGeest@isara.com>, Jim Schaad <ietf@augustcellars.com>, "'Russ Housley'" <housley@vigilsec.com>
CC: "'SPASM'" <spasm@ietf.org>, "draft-ietf-lamps-cms-hash-sig@ietf.org" <draft-ietf-lamps-cms-hash-sig@ietf.org>
Thread-Topic: [lamps] Question on draft-ietf-lamps-cms-hash-sig
Thread-Index: AdTalFpsRD6NOLyJSie3veGv+fJZHgA0TvYAAEMkC4AAGVrygAA3JamAAACpblA=
Date: Mon, 18 Mar 2019 18:21:26 +0000
Message-ID: <80b7f5bb2c344841b197247187ef2398@XCH-RTP-006.cisco.com>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com> <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com> <000101d4dcb6$0d34cdf0$279e69d0$@augustcellars.com> <10EB05CC-DD01-49CE-A702-9CFAB436F542@isara.com>
In-Reply-To: <10EB05CC-DD01-49CE-A702-9CFAB436F542@isara.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.51]
Content-Type: multipart/alternative; boundary="_000_80b7f5bb2c344841b197247187ef2398XCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.148, xch-rtp-008.cisco.com
X-Outbound-Node: rcdn-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/sJe8ly3kP3m9RpTZLv1XGSMxZJg>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 18:21:32 -0000

--_000_80b7f5bb2c344841b197247187ef2398XCHRTP006ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_80b7f5bb2c344841b197247187ef2398XCHRTP006ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_80b7f5bb2c344841b197247187ef2398XCHRTP006ciscocom_--


From nobody Mon Mar 18 13:19:11 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C8CE12D4E6; Mon, 18 Mar 2019 13:19:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4sNpCLcN1BeA; Mon, 18 Mar 2019 13:19:04 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C4D12705F; Mon, 18 Mar 2019 13:19:03 -0700 (PDT)
Received: from Jude (67.132.193.197) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 18 Mar 2019 13:18:52 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'Daniel Van Geest' <Daniel.VanGeest@isara.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>, <draft-ietf-lamps-cms-hash-sig@ietf.org>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com> <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com> <000101d4dcb6$0d34cdf0$279e69d0$@augustcellars.com> <10EB05CC-DD01-49CE-A702-9CFAB436F542@isara.com> <80b7f5bb2c344841b197247187ef2398@XCH-RTP-006.cisco.com>
In-Reply-To: <80b7f5bb2c344841b197247187ef2398@XCH-RTP-006.cisco.com>
Date: Mon, 18 Mar 2019 16:18:49 -0400
Message-ID: <008a01d4ddc7$ce7a29d0$6b6e7d70$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_008B_01D4DDA6.476A3780"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEM1Y28iLV3mVbkBi2mvYQFmQFueAGxOkwAAaZQ9VQCInlqlwMcRmpmAcbs7QOnTvpzgA==
Content-Language: en-us
X-Originating-IP: [67.132.193.197]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/8-ak0zPyOW1iA1DdDRlGNZTHKsQ>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 20:19:08 -0000

------=_NextPart_000_008B_01D4DDA6.476A3780
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Scott Fluhrer (sfluhrer)
Sent: Monday, March 18, 2019 2:21 PM
To: Daniel Van Geest <Daniel.VanGeest@isara.com>; Jim Schaad <ietf@augustcellars.com>; 'Russ Housley' <housley@vigilsec.com>
Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Van Geest
Sent: Monday, March 18, 2019 1:58 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Russ Housley' <housley@vigilsec.com>
Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

On 2019-03-17, 7:39 AM, "Jim Schaad" <ietf@augustcellars.com> wrote:

I don’t know what Jim is arguing.  I think that I am trying to say that
there may be some language that is not clear at some point in the future
although it is perfectly fine today (mostly).  I do not remember ever
seeing any language in any of the hash signature documents that say that
the same hash function should be used from top to bottom.  I also think
that there will be some push in the not so near future to have some
other hash functions be permitted because of things like the better
efficiency of SHA-512 in many cases or the move to SHAKE as a different
hash function.  I worry that this means that the same hash function may
not be used from top to bottom in a hash signature key.  I also worry
that my current code base does not have any way to get the parameters
for the bottom of the tree and the same thing may be true for an HSM.
The top algorithms can be retrieved from the public key, but not the
bottom algorithms.

My colleagues have had similar concerns and we have raised them
privately.  But the fact that the parameters are encoded in a signature
means you can still verify the signature regardless of whether the
parameters are in the public key.  And since the parameters could
theoretically be changed as trees are used up they can’t be encoded with
the public key (unless the use of HSS in CMS/X.509 specified that the
parameters can’t change, which would be okay with me).

Actually, there is text in the LMS draft (which is becoming an RFC Real
Soon Now) specifically forbidding changing the parameters on the fly…

[JLS] So we have the ability to have different parameters at each level
from the beginning, but one is not supposed to change them when a new
subtree is created.  I don’t remember seeing that and will look

As for it being the same for HSMs, they could encode the parameters with
their private key & state however they like.  IMO we shouldn’t
standardize how to encode the private key since that implies replicating
or moving it around, which will invariably be done wrong causing state
to be reused, allowing forgeries.

Jim

From: Russ Housley <housley@vigilsec.com>
Sent: Saturday, March 16, 2019 4:33 PM
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
Cc: Jim Schaad <ietf@augustcellars.com>; draft-ietf-lamps-cms-hash-sig@ietf.org; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

Daniel:

I believe that Jim is arguing that the same hash function should always
be used for both the content and the HSS/LMS tree,

Russ

On Mar 15, 2019, at 3:30 PM, Daniel Van Geest <Daniel.VanGeest@isara.com> wrote:

My thoughts,

On 2019-03-14, 2:39 PM, "Spasm on behalf of Jim Schaad" <spasm-bounces@ietf.org on behalf of ietf@augustcellars.com> wrote:

I was tossing together some code to look at producing some samples and I
ended up with a pair of questions:

1.  If I have a hash signature tree which uses multiple different hash
algorithms in it, which of those hash algorithms am I to place in the
digestAlgorithm field?  For example, suppose that I am using an LMS type
with a hash of SHAKE128 and an LMOTS type with a hash of SHA256.  Or as a
different example, suppose that I have a two deep tree and the top level
uses SHA512 in both places but the next level down uses SHA256 in both
places?

RFC 5652 section 5.3 defines the digestAlgorithm member of SignerInfo as:

      digestAlgorithm identifies the message digest algorithm, and any
      associated parameters, used by the signer.  The message digest is
      computed on either the content being signed or the content
      together with the signed attributes using the process described in
      Section 5.4.

In HSS, the hash algorithm used to digest the content is the one in the
LMOTS type of the bottom-most tree.  The other hash algorithms are used
to hash within the Merkle tree, or to hash the LMS public key of a lower
tree.  So in both your examples the answer would be SHA256.

2.  If there are signed attributes present, then is it required that the
body digest algorithm match that of the hash signature tree or can it be
different.  If it is different, is that not the value that should be
placed in the digestAlgorithm field?  Consider digesting the body with
SHA512, but only using SHA256 in the hash function on the assumption that
the random field in the signing operation provides a higher level of
security and thus a weak attempt is being made to match them together.
(I am sure that this is not the correct pairing for matching, just
demonstrating a point.)

cms-hash-sigs says:

      digestAlgorithm MUST contain the one-way hash function used to in
         the HSS/LMS tree.

This statement plus the one I quoted from RFC 5652 would imply that the
body digest algorithm must match that of the HSS algorithm.

However, you are correct that the random field added during signing
increases the collision resistance of the signature and so using the
same algorithm to create the message-digest attribute in the signed
attributes would reduce the collision resistance of the system.  If you
wanted to allow a different hash algorithm in the signed attributes
message digest, I think cms-hash-sigs would need to be modified to
further specify signed-data conventions with/without signed attributes,
similar to RFC 8419.

Daniel

Jim

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

------=_NextPart_000_008B_01D4DDA6.476A3780
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.apple-converted-space
	{mso-style-name:apple-converted-space;}
span.EmailStyle19
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle20
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle23
	{mso-style-type:personal-reply;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> Spasm =
&lt;spasm-bounces@ietf.org&gt; <b>On Behalf Of </b>Scott Fluhrer =
(sfluhrer)<br><b>Sent:</b> Monday, March 18, 2019 2:21 PM<br><b>To:</b> =
Daniel Van Geest &lt;Daniel.VanGeest@isara.com&gt;; Jim Schaad =
&lt;ietf@augustcellars.com&gt;; 'Russ Housley' =
&lt;housley@vigilsec.com&gt;<br><b>Cc:</b> 'SPASM' =
&lt;spasm@ietf.org&gt;; =
draft-ietf-lamps-cms-hash-sig@ietf.org<br><b>Subject:</b> Re: [lamps] =
Question on draft-ietf-lamps-cms-hash-sig<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
lang=3DEN-GB><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> Spasm =
&lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; =
<b>On Behalf Of </b>Daniel Van Geest<br><b>Sent:</b> Monday, March 18, =
2019 1:58 PM<br><b>To:</b> Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;; =
'Russ Housley' &lt;<a =
href=3D"mailto:housley@vigilsec.com">housley@vigilsec.com</a>&gt;<br><b>C=
c:</b> 'SPASM' &lt;<a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;; <a =
href=3D"mailto:draft-ietf-lamps-cms-hash-sig@ietf.org">draft-ietf-lamps-c=
ms-hash-sig@ietf.org</a><br><b>Subject:</b> Re: [lamps] Question on =
draft-ietf-lamps-cms-hash-sig<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>On 2019-03-17, 7:39 AM, =
&quot;Jim Schaad&quot; &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt; =
wrote:<o:p></o:p></span></p></div></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>I don=E2=80=99t know what =
Jim is arguing.&nbsp; I think that I am trying to say that there may be =
some language that is not clear at some point in the future although it =
is perfectly fine today (mostly).&nbsp; I do not remember ever seeing =
any language in any of the hash signature documents that say that the =
same hash function should be used from top to bottom.&nbsp; I also think =
that there will be some push in the not so near future to have some =
other hash functions be permitted because of things like the better =
efficiency of SHA-512 in many cases or the move to SHAKE as a different =
hash function.&nbsp; I worry that this means that the same hash function =
may not be used from top to bottom in a hash signature key.&nbsp; I also =
worry that my current code base does not have any way to get the =
parameters for the bottom of the tree and the same thing may be true for =
an HSM.&nbsp; The top algorithms can be retrieved from the public key, =
but not the bottom algorithms.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA>My colleagues have had similar =
concerns and we have raised them privately.&nbsp; But the fact that the =
parameters are encoded in a signature means you can still verify the =
signature regardless of whether the parameters are in the public =
key.&nbsp; And since the parameters could theoretically be changed as =
trees are used up they can=E2=80=99t be encoded with the public key =
(unless the use of HSS in CMS/X.509 specified that the parameters =
can=E2=80=99t change, which would be okay with =
me).<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-CA style=3D'color:#C0504D'>Actually, there is text in the LMS =
draft (which is becoming an RFC Real Soon Now) specifically forbidding =
changing the parameters on the fly=E2=80=A6<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA style=3D'color:#0070C0'>[JLS] So we =
have the ability to have different parameters at each level from the =
beginning, but one is not supposed to change them when a new subtree is =
created.=C2=A0 I don=E2=80=99t remember seeing that and will =
look<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'color:#0070C0'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA>As for it being the same for HSMs, =
they could encode the parameters with their private key &amp; state =
however they like.&nbsp; IMO we shouldn=E2=80=99t standardize how to =
encode the private key since that implies replicating or moving it =
around, which will invariably be done wrong causing state to be reused, =
allowing forgeries.<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Jim<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><b><span lang=3DEN-CA>From:</span></b><span =
lang=3DEN-CA> Russ Housley &lt;<a =
href=3D"mailto:housley@vigilsec.com">housley@vigilsec.com</a>&gt; =
<br><b>Sent:</b> Saturday, March 16, 2019 4:33 PM<br><b>To:</b> Daniel =
Van Geest &lt;<a =
href=3D"mailto:Daniel.VanGeest@isara.com">Daniel.VanGeest@isara.com</a>&g=
t;<br><b>Cc:</b> Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;; =
<a =
href=3D"mailto:draft-ietf-lamps-cms-hash-sig@ietf.org">draft-ietf-lamps-c=
ms-hash-sig@ietf.org</a>; SPASM &lt;<a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br><b>Subject:</b> =
Re: [lamps] Question on =
draft-ietf-lamps-cms-hash-sig<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Daniel:<o:p></o:p></span></p><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>I believe that Jim is =
arguing that the same hash function should always be used for both the =
content and the HSS/LMS tree,<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Russ<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;mar=
gin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>On Mar 15, 2019, at 3:30 =
PM, Daniel Van Geest &lt;<a =
href=3D"mailto:Daniel.VanGeest@isara.com">Daniel.VanGeest@isara.com</a>&g=
t; wrote:<o:p></o:p></span></p></div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>My =
thoughts,<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div><div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>On 2019-03-14, 2:39 PM, =
&quot;Spasm on behalf of Jim Schaad&quot; &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org"><span =
style=3D'color:purple'>spasm-bounces@ietf.org</span></a><span =
class=3Dapple-converted-space>&nbsp;</span>on behalf of<span =
class=3Dapple-converted-space>&nbsp;</span><a =
href=3D"mailto:ietf@augustcellars.com"><span =
style=3D'color:purple'>ietf@augustcellars.com</span></a>&gt; =
wrote:<o:p></o:p></span></p></div></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>I was tossing together =
some code to look at producing some samples and =
I<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>ended up with a pair of =
questions:<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>1.&nbsp;&nbsp;If I have a =
hash signature tree which uses multiple different =
hash<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>algorithms in it, which of =
those hash algorithms am I to placed in =
the<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>digestAlgorithm =
field?&nbsp;&nbsp;For example, suppose that I am using an LMS =
type<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>with a hash of SHAKE128 =
and an LMOTS type with a hash of SHA256.&nbsp;&nbsp;Or as =
a<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>different example, suppose =
that I have a two deep tree and the top =
level<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>uses SHA512 in both places =
but the next level down uses SHAH256 in =
both<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>places?&nbsp;&nbsp;<o:p></o:p></span></p></div></div><div><d=
iv style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>RFC 5652 section 5.3 =
defines the digestAlgorithm member of SignerInfo =
as:<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; digestAlgorithm identifies =
the message digest algorithm, and any<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; associated parameters, used =
by the signer.&nbsp; The message digest =
is<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; computed on either the =
content being signed or the content<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; together with the signed =
attributes using the process described =
in<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Section =
5.4.<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>In HSS, the hash algorithm =
used to digest the content is the one in the LMOTS type of the =
bottom-most tree.&nbsp; The other hash algorithms are used to hash =
within the Merkle tree, or to hash the LMS public key of a lower =
tree.&nbsp; So in both your examples the answer would be =
SHA256.<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>2.&nbsp;&nbsp;If there are =
signed attributes present, then it t required that the =
body<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>digest algorithm match =
that of the hash signature tree or can it =
be<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>different.&nbsp;&nbsp;If =
it is different, is that not the value that should be =
placed<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>in the digestAlgorithm =
field?&nbsp;&nbsp;Consider digesting the body with SHA512, =
but<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>only using SHA256 in the =
hash function on the assumption that the =
random<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>field in the signing =
operation provides a higher level of security and =
thus<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>a weak attempt is being =
made to match them together.&nbsp;&nbsp;(I am sure that =
this<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>is not the correct pairing =
for matching, just demonstrating a =
point.)<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>cms-hash-sigs =
says:<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; digestAlgorithm MUST contain =
the one-way hash function used to in<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; the =
HSS/LMS tree.<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>This statement plus the =
one I quoted from RFC 5652 would imply that the body digest algorithm =
must match that of the HSS algorithm.<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA>However, you are correct =
that the random field added during signing increases the collision =
resistance of the signature and so using the same algorithm to create =
the message-digest attribute in the signed attributes would reduce the =
collision resistance of the system.&nbsp; If you wanted to allow a =
different hash algorithm in the signed attributes message digest, I =
think cms-hash-sigs would need to be modified to further specify =
signed-data conventions with/without signed attributes, similar to RFC =
8419.<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Daniel<o:p></o:p></span></p></div><div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>Jim<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>_______________________________________________<o:p></o:p></=
span></p></div></div><div><div style=3D'margin-left:.5in'><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>Spasm =
mailing list<o:p></o:p></span></p></div></div><div><div =
style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"mailto:Spasm@ietf.org"><span =
style=3D'color:purple'>Spasm@ietf.org</span></a><o:p></o:p></span></p></d=
iv></div><div><div style=3D'margin-left:.5in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA><a =
href=3D"https://www.ietf.org/mailman/listinfo/spasm"><span =
style=3D'color:purple'>https://www.ietf.org/mailman/listinfo/spasm</span>=
</a><o:p></o:p></span></p></div></div></div></blockquote></div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p></div></div></div></div></div></=
body></html>
------=_NextPart_000_008B_01D4DDA6.476A3780--


From nobody Mon Mar 18 13:55:04 2019
Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18EC51310F0; Mon, 18 Mar 2019 13:54:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level: 
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zhp-IY7stPyO; Mon, 18 Mar 2019 13:54:48 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98A6112798C; Mon, 18 Mar 2019 13:54:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=44512; q=dns/txt; s=iport; t=1552942488; x=1554152088; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=e1jzevJWvjcwq9tVLXgkIwHZmNaDw9tJy4ImdApWNjM=; b=bDsZxraOOOSLNNarkYTE8DTqpLkkdAr7YDuwaxKB8KVHJamXp+hsAbJV ozlBKw/1gkgckYcTCizt2qyvKQEcEw02zuVaNO+YbRh7FFkR54voPJnwV LdGkpIxnWL2WGm7ZCMv6wwmPTFjx5/crjr8VUV9BAHHukYtn1I/e72F/V A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.58,494,1544486400";  d="scan'208,217";a="536957462"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Mar 2019 20:54:47 +0000
Received: from XCH-RTP-009.cisco.com (xch-rtp-009.cisco.com [64.101.220.149]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id x2IKskI7008405 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 18 Mar 2019 20:54:47 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-009.cisco.com (64.101.220.149) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 18 Mar 2019 16:54:46 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1473.003; Mon, 18 Mar 2019 16:54:45 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "'Russ Housley'" <housley@vigilsec.com>
CC: "'SPASM'" <spasm@ietf.org>, "draft-ietf-lamps-cms-hash-sig@ietf.org" <draft-ietf-lamps-cms-hash-sig@ietf.org>
Thread-Topic: [lamps] Question on draft-ietf-lamps-cms-hash-sig
Thread-Index: AdTalFpsRD6NOLyJSie3veGv+fJZHgA0TvYAAEMkC4AAGVrygAA3JamAAACpblAADKEagAAHN+ig
Date: Mon, 18 Mar 2019 20:54:45 +0000
Message-ID: <952bf1f7896c4a5194b6e9871e31252a@XCH-RTP-006.cisco.com>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com> <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com> <000101d4dcb6$0d34cdf0$279e69d0$@augustcellars.com> <10EB05CC-DD01-49CE-A702-9CFAB436F542@isara.com> <80b7f5bb2c344841b197247187ef2398@XCH-RTP-006.cisco.com> <008a01d4ddc7$ce7a29d0$6b6e7d70$@augustcellars.com>
In-Reply-To: <008a01d4ddc7$ce7a29d0$6b6e7d70$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.51]
Content-Type: multipart/alternative; boundary="_000_952bf1f7896c4a5194b6e9871e31252aXCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.149, xch-rtp-009.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/4K7JnK0DedifCmKV-yeH6tkQygE>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 20:55:03 -0000

--_000_952bf1f7896c4a5194b6e9871e31252aXCHRTP006ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_952bf1f7896c4a5194b6e9871e31252aXCHRTP006ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_952bf1f7896c4a5194b6e9871e31252aXCHRTP006ciscocom_--


From nobody Tue Mar 19 00:12:17 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E56B1311DF; Tue, 19 Mar 2019 00:12:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uL3OVG8T09BM; Tue, 19 Mar 2019 00:12:11 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C76C131240; Tue, 19 Mar 2019 00:12:09 -0700 (PDT)
Received: from Jude (88.128.80.50) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 19 Mar 2019 00:12:01 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'Daniel Van Geest' <Daniel.VanGeest@isara.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>, <draft-ietf-lamps-cms-hash-sig@ietf.org>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com> <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com> <000101d4dcb6$0d34cdf0$279e69d0$@augustcellars.com> <10EB05CC-DD01-49CE-A702-9CFAB436F542@isara.com> <80b7f5bb2c344841b197247187ef2398@XCH-RTP-006.cisco.com> <008a01d4ddc7$ce7a29d0$6b6e7d70$@augustcellars.com> <952bf1f7896c4a5194b6e9871e31252a@XCH-RTP-006.cisco.com>
In-Reply-To: <952bf1f7896c4a5194b6e9871e31252a@XCH-RTP-006.cisco.com>
Date: Tue, 19 Mar 2019 08:11:58 +0100
Message-ID: <00b701d4de23$0d168bb0$2743a310$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00B8_01D4DE2B.6EE18360"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEM1Y28iLV3mVbkBi2mvYQFmQFueAGxOkwAAaZQ9VQCInlqlwMcRmpmAcbs7QMB1ABgZQHV7DNGpzJhMVA=
Content-Language: en-us
X-Originating-IP: [88.128.80.50]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/8h2DJobJiq68-Cl1EknV_hBIO9E>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 07:12:15 -0000

------=_NextPart_000_00B8_01D4DE2B.6EE18360
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Scott Fluhrer (sfluhrer)
Sent: Monday, March 18, 2019 9:55 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Daniel Van Geest' <Daniel.VanGeest@isara.com>; 'Russ Housley' <housley@vigilsec.com>
Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

From: Jim Schaad <ietf@augustcellars.com>
Sent: Monday, March 18, 2019 4:19 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Daniel Van Geest' <Daniel.VanGeest@isara.com>; 'Russ Housley' <housley@vigilsec.com>
Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
Subject: RE: [lamps] Question on draft-ietf-lamps-cms-hash-sig

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Scott Fluhrer (sfluhrer)
Sent: Monday, March 18, 2019 2:21 PM
To: Daniel Van Geest <Daniel.VanGeest@isara.com>; Jim Schaad <ietf@augustcellars.com>; 'Russ Housley' <housley@vigilsec.com>
Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Van Geest
Sent: Monday, March 18, 2019 1:58 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Russ Housley' <housley@vigilsec.com>
Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

On 2019-03-17, 7:39 AM, "Jim Schaad" <ietf@augustcellars.com> wrote:

I don’t know what Jim is arguing. I think that I am trying to say that
there may be some language that is not clear at some point in the future
although it is perfectly fine today (mostly). I do not remember ever
seeing any language in any of the hash signature documents that says
that the same hash function should be used from top to bottom. I also
think that there will be some push in the not so near future to have
some other hash functions be permitted because of things like the better
efficiency of SHA-512 in many cases or the move to SHAKE as a different
hash function. I worry that this means that the same hash function may
not be used from top to bottom in a hash signature key. I also worry
that my current code base does not have any way to get the parameters
for the bottom of the tree and the same thing may be true for an HSM.
The top algorithms can be retrieved from the public key, but not the
bottom algorithms.

My colleagues have had similar concerns and we have raised them
privately. But the fact that the parameters are encoded in a signature
means you can still verify the signature regardless of whether the
parameters are in the public key. And since the parameters could
theoretically be changed as trees are used up they can’t be encoded with
the public key (unless the use of HSS in CMS/X.509 specified that the
parameters can’t change, which would be okay with me).

Actually, there is text in the LMS draft (which is becoming an RFC Real
Soon Now) specifically forbidding changing the parameters on the fly…

[JLS] So we have the ability to have different parameters at each level
from the beginning, but one is not supposed to change them when a new
subtree is created. I don’t remember seeing that and will look.

Here’s the text (at the end of section 6); the wording is slightly
different from the current draft (due to AUTH48 edits), but the meaning
is the same:

   A close reading of the HSS verification pseudocode would show that it
   would allow the parameters of the nontop LMS public keys to change
   over time; for example, the signer might initially have the 1-th LMS
   public key use the LMS_SHA256_M32_H10 parameter set, but when that
   tree is exhausted, the signer might replace it with an LMS public key
   that uses the LMS_SHA256_M32_H15 parameter set.  While this would
   work with the example verification pseudocode, the signer MUST NOT
   change the parameter sets for a specific level.  This prohibition is
   to support verifiers that may keep state over the course of several
   signature verifications.

[JLS] I suppose that I like the fact that the parameters are not going
to change, but the only state that one could keep across a sub-tree
being regenerated would be the size of the sub-tree. All of the cached
verification data from that point down would be rendered moot by the
fact that a new sub-tree has been generated. That said I have no
problems with making this a requirement.

As for it being the same for HSMs, they could encode the parameters with
their private key & state however they like. IMO we shouldn’t
standardize how to encode the private key since that implies replicating
or moving it around, which will invariably be done wrong causing state
to be reused, allowing forgeries.

Jim

From: Russ Housley <housley@vigilsec.com>
Sent: Saturday, March 16, 2019 4:33 PM
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
Cc: Jim Schaad <ietf@augustcellars.com>; draft-ietf-lamps-cms-hash-sig@ietf.org; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

Daniel:

I believe that Jim is arguing that the same hash function should always
be used for both the content and the HSS/LMS tree,

Russ

On Mar 15, 2019, at 3:30 PM, Daniel Van Geest <Daniel.VanGeest@isara.com> wrote:

My thoughts,

On 2019-03-14, 2:39 PM, "Spasm on behalf of Jim Schaad" <spasm-bounces@ietf.org on behalf of ietf@augustcellars.com> wrote:

I was tossing together some code to look at producing some samples and I
ended up with a pair of questions:

1.  If I have a hash signature tree which uses multiple different hash
algorithms in it, which of those hash algorithms am I to place in the
digestAlgorithm field? For example, suppose that I am using an LMS type
with a hash of SHAKE128 and an LMOTS type with a hash of SHA256. Or as a
different example, suppose that I have a two deep tree and the top level
uses SHA512 in both places but the next level down uses SHA256 in both
places?

RFC 5652 section 5.3 defines the digestAlgorithm member of SignerInfo
as:

      digestAlgorithm identifies the message digest algorithm, and any
      associated parameters, used by the signer.  The message digest is
      computed on either the content being signed or the content
      together with the signed attributes using the process described in
      Section 5.4.

In HSS, the hash algorithm used to digest the content is the one in the
LMOTS type of the bottom-most tree. The other hash algorithms are used
to hash within the Merkle tree, or to hash the LMS public key of a lower
tree. So in both your examples the answer would be SHA256.

2.  If there are signed attributes present, then is it required that the
body digest algorithm match that of the hash signature tree or can it be
different? If it is different, is that not the value that should be
placed in the digestAlgorithm field? Consider digesting the body with
SHA512, but only using SHA256 in the hash function on the assumption
that the random field in the signing operation provides a higher level
of security and thus a weak attempt is being made to match them
together. (I am sure that this is not the correct pairing for matching,
just demonstrating a point.)

cms-hash-sigs says:

      digestAlgorithm MUST contain the one-way hash function used to in
         the HSS/LMS tree.

This statement plus the one I quoted from RFC 5652 would imply that the
body digest algorithm must match that of the HSS algorithm.

However, you are correct that the random field added during signing
increases the collision resistance of the signature and so using the
same algorithm to create the message-digest attribute in the signed
attributes would reduce the collision resistance of the system. If you
wanted to allow a different hash algorithm in the signed attributes
message digest, I think cms-hash-sigs would need to be modified to
further specify signed-data conventions with/without signed attributes,
similar to RFC 8419.

Daniel

Jim

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

------=_NextPart_000_00B8_01D4DE2B.6EE18360--
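
Added example (not part of any message in this thread and not code from the draft authors): the replies above state that the content digest for an HSS signature is the hash of the LM-OTS type of the bottom-most tree, and that the per-level parameters travel in the signature rather than in the public key. The Python below walks an HSS public key and signature, checks each level's types against the key it verifies under, and returns that bottom-level hash. Field layouts and type codes are taken from RFC 8554, the published form of the LMS draft; the function names and the zero-filled sample are constructed for illustration.

```python
import struct

# Type codes and sizes from RFC 8554 (only SHA-256 sets are defined there).
LMOTS = {1: ("LMOTS_SHA256_N32_W1", "sha256", 32, 265),   # name, hash, n, p
         2: ("LMOTS_SHA256_N32_W2", "sha256", 32, 133),
         3: ("LMOTS_SHA256_N32_W4", "sha256", 32, 67),
         4: ("LMOTS_SHA256_N32_W8", "sha256", 32, 34)}
LMS = {5: ("LMS_SHA256_M32_H5", "sha256", 32, 5),         # name, hash, m, h
       6: ("LMS_SHA256_M32_H10", "sha256", 32, 10),
       7: ("LMS_SHA256_M32_H15", "sha256", 32, 15),
       8: ("LMS_SHA256_M32_H20", "sha256", 32, 20),
       9: ("LMS_SHA256_M32_H25", "sha256", 32, 25)}


class HSSFormatError(ValueError):
    """Raised when an encoding is truncated, unknown or inconsistent."""


class Reader:
    """Bounds-checked cursor over a byte string."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise HSSFormatError("truncated input")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def typecode(self, table, what):
        code = self.u32()
        if code not in table:
            raise HSSFormatError(f"unknown {what} type {code:#x}")
        return code


def read_lms_signature(r):
    """u32 q || lmots_sig (type, C, y[p]) || u32 lms_type || path[h]."""
    q = r.u32()
    ots = r.typecode(LMOTS, "LM-OTS")
    _, _, n, p = LMOTS[ots]
    r.take(n * (p + 1))                    # C plus p hash-chain values
    lms = r.typecode(LMS, "LMS")
    _, _, m, h = LMS[lms]
    if q >= 2 ** h:
        raise HSSFormatError("leaf number q out of range")
    r.take(m * h)                          # authentication path
    return ots, lms


def read_lms_public_key(r):
    """u32 lms_type || u32 lmots_type || I (16 bytes) || K (m bytes)."""
    lms = r.typecode(LMS, "LMS")
    ots = r.typecode(LMOTS, "LM-OTS")
    r.take(16 + LMS[lms][2])
    return ots, lms


def hss_levels(hss_pub, hss_sig):
    """Return [(lmots_code, lms_code), ...] from top tree to bottom tree."""
    pk = Reader(hss_pub)
    levels_declared = pk.u32()
    expected = read_lms_public_key(pk)     # top-level types come from the public key
    sg = Reader(hss_sig)
    nspk = sg.u32()
    if levels_declared != nspk + 1:
        raise HSSFormatError("signature depth does not match public key L")
    levels = []
    for i in range(nspk + 1):
        found = read_lms_signature(sg)
        if found != expected:              # must match the key it verifies under
            raise HSSFormatError(f"level {i}: types differ from public key")
        levels.append(found)
        if i < nspk:
            expected = read_lms_public_key(sg)   # signed key for the next level down
    if sg.pos != len(hss_sig) or pk.pos != len(hss_pub):
        raise HSSFormatError("trailing bytes")
    return levels


def content_digest_for(hss_pub, hss_sig):
    """Hash of the bottom-most tree's LM-OTS type, i.e. the CMS digestAlgorithm."""
    bottom_ots, _ = hss_levels(hss_pub, hss_sig)[-1]
    return LMOTS[bottom_ots][1]


# Constructed sample: correct field lengths, zero-filled, not a valid signature.
def fake_sig(ots, lms):
    n, p, m, h = LMOTS[ots][2], LMOTS[ots][3], LMS[lms][2], LMS[lms][3]
    return (struct.pack(">II", 0, ots) + bytes(n * (p + 1))
            + struct.pack(">I", lms) + bytes(m * h))


def fake_pub(ots, lms):
    return struct.pack(">II", lms, ots) + bytes(16 + LMS[lms][2])


SAMPLE_PUB = struct.pack(">I", 2) + fake_pub(4, 5)
SAMPLE_SIG = struct.pack(">I", 1) + fake_sig(4, 5) + fake_pub(3, 6) + fake_sig(3, 6)

if __name__ == "__main__":
    for ots, lms in hss_levels(SAMPLE_PUB, SAMPLE_SIG):
        print(LMS[lms][0], LMOTS[ots][0])
    print("digestAlgorithm hash:", content_digest_for(SAMPLE_PUB, SAMPLE_SIG))
```

The HSS public key alone yields only the top-level pair; the bottom-level LM-OTS type is readable only once a signature is in hand, which is the gap raised in the thread about key and HSM interfaces.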


From nobody Tue Mar 19 00:16:03 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF0B11311BC; Tue, 19 Mar 2019 00:16:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ANY4xmFi1t2t; Tue, 19 Mar 2019 00:15:59 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB4441274A1; Tue, 19 Mar 2019 00:15:58 -0700 (PDT)
Received: from Jude (88.128.80.50) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 19 Mar 2019 00:15:52 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Daniel Van Geest' <Daniel.VanGeest@isara.com>, 'Russ Housley' <housley@vigilsec.com>
CC: <draft-ietf-lamps-cms-hash-sig@ietf.org>, 'SPASM' <spasm@ietf.org>
References: <00d701d4da95$425dc1d0$c7194570$@augustcellars.com> <13C0F2A6-8D71-4B67-B53A-A706125D65BD@isara.com> <D745A123-6600-456D-A646-487A892AD4C9@vigilsec.com> <000101d4dcb6$0d34cdf0$279e69d0$@augustcellars.com> <10EB05CC-DD01-49CE-A702-9CFAB436F542@isara.com>
In-Reply-To: <10EB05CC-DD01-49CE-A702-9CFAB436F542@isara.com>
Date: Tue, 19 Mar 2019 08:15:50 +0100
Message-ID: <00bc01d4de23$96cb1420$c4613c60$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00BD_01D4DE2B.F8948530"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEM1Y28iLV3mVbkBi2mvYQFmQFueAGxOkwAAaZQ9VQCInlqlwMcRmpmp13o/jA=
Content-Language: en-us
X-Originating-IP: [88.128.80.50]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/gumYh4RxQkLVgw7BKTfKTk01NrI>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2019 07:16:03 -0000

------=_NextPart_000_00BD_01D4DE2B.F8948530
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

From: Daniel Van Geest <Daniel.VanGeest@isara.com>
Sent: Monday, March 18, 2019 6:58 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Russ Housley' <housley@vigilsec.com>
Cc: draft-ietf-lamps-cms-hash-sig@ietf.org; 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

On 2019-03-17, 7:39 AM, "Jim Schaad" <ietf@augustcellars.com> wrote:

I don’t know what Jim is arguing.  I think that I am trying to say that
there may be some language that is not clear at some point in the future
although it is perfectly fine today (mostly).  I do not remember ever
seeing any language in any of the hash signature documents that say that
the same hash function should be used from top to bottom.  I also think
that there will be some push in the not so near future to have some other
hash functions be permitted because of things like the better efficiency
of SHA-512 in many cases or the move to SHAKE as a different hash
function.  I worry that this means that the same hash function may not be
used from top to bottom in a hash signature key.  I also worry that my
current code base does not have any way to get the parameters for the
bottom of the tree and the same thing may be true for an HSM.  The top
algorithms can be retrieved from the public key, but not the bottom
algorithms.

My colleagues have had similar concerns and we have raised them
privately.  But the fact that the parameters are encoded in a signature
means you can still verify the signature regardless of whether the
parameters are in the public key.  And since the parameters could
theoretically be changed as trees are used up they can’t be encoded with
the public key (unless the use of HSS in CMS/X.509 specified that the
parameters can’t change, which would be okay with me).

As for it being the same for HSMs, they could encode the parameters with
their private key & state however they like.  IMO we shouldn’t
standardize how to encode the private key since that implies replicating
or moving it around, which will invariably be done wrong causing state
to be reused, allowing forgeries.

[JLS] I am not advocating that the private key be standardized at this
point, although I think that there might be some requirements for it at
some point.  I am worried that the API to the HSM needs to have a
function which says – For this hash signature key, return the LMOTS
algorithm at the bottom of the stack. – This is not something that is
highlighted anyplace and therefore will likely not occur, especially as
currently it is not required since the answer can be hard coded to
SHA-256.

Jim

From: Russ Housley <housley@vigilsec.com>
Sent: Saturday, March 16, 2019 4:33 PM
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
Cc: Jim Schaad <ietf@augustcellars.com>; draft-ietf-lamps-cms-hash-sig@ietf.org; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Question on draft-ietf-lamps-cms-hash-sig

Daniel:

I believe that Jim is arguing that the same hash function should always
be used for both the content and the HSS/LMS tree,

Russ

On Mar 15, 2019, at 3:30 PM, Daniel Van Geest <Daniel.VanGeest@isara.com> wrote:

My thoughts,

On 2019-03-14, 2:39 PM, "Spasm on behalf of Jim Schaad" <spasm-bounces@ietf.org on behalf of ietf@augustcellars.com> wrote:

I was tossing together some code to look at producing some samples and I
ended up with a pair of questions:

1.  If I have a hash signature tree which uses multiple different hash
algorithms in it, which of those hash algorithms am I to place in the
digestAlgorithm field?  For example, suppose that I am using an LMS type
with a hash of SHAKE128 and an LMOTS type with a hash of SHA256.  Or as a
different example, suppose that I have a two deep tree and the top level
uses SHA512 in both places but the next level down uses SHA256 in both
places?

RFC 5652 section 5.3 defines the digestAlgorithm member of SignerInfo as:

      digestAlgorithm identifies the message digest algorithm, and any
      associated parameters, used by the signer.  The message digest is
      computed on either the content being signed or the content
      together with the signed attributes using the process described in
      Section 5.4.

In HSS, the hash algorithm used to digest the content is the one in the
LMOTS type of the bottom-most tree.  The other hash algorithms are used to
hash within the Merkle tree, or to hash the LMS public key of a lower tree.
So in both your examples the answer would be SHA256.

2.  If there are signed attributes present, then is it required that the body
digest algorithm match that of the hash signature tree or can it be
different.  If it is different, is that not the value that should be placed
in the digestAlgorithm field?  Consider digesting the body with SHA512, but
only using SHA256 in the hash function on the assumption that the random
field in the signing operation provides a higher level of security and thus
a weak attempt is being made to match them together.  (I am sure that this
is not the correct pairing for matching, just demonstrating a point.)

cms-hash-sigs says:

      digestAlgorithm MUST contain the one-way hash function used to in
         the HSS/LMS tree.

This statement plus the one I quoted from RFC 5652 would imply that the
body digest algorithm must match that of the HSS algorithm.

However, you are correct that the random field added during signing
increases the collision resistance of the signature and so using the same
algorithm to create the message-digest attribute in the signed attributes
would reduce the collision resistance of the system.  If you wanted to
allow a different hash algorithm in the signed attributes message digest, I
think cms-hash-sigs would need to be modified to further specify
signed-data conventions with/without signed attributes, similar to RFC
8419.

Daniel

Jim

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

------=_NextPart_000_00BD_01D4DE2B.F8948530--
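
The point made in this thread, that the parameters of every level travel in the signature itself, can be shown by walking an HSS signature laid out as in RFC 8554 and reading the LM-OTS type of the bottom-most tree. This is an added example, not code from any list participant; the sample signature is constructed with zero-filled fields (parseable, not verifiable) and all function names are hypothetical.

```python
import struct

# RFC 8554 typecodes. Only SHA-256 parameter sets are registered there; a
# SHAKE or SHA-512 set would add rows carrying its own hash name.
LMOTS = {  # typecode: (name, hash, n, p)
    1: ("LMOTS_SHA256_N32_W1", "sha256", 32, 265),
    2: ("LMOTS_SHA256_N32_W2", "sha256", 32, 133),
    3: ("LMOTS_SHA256_N32_W4", "sha256", 32, 67),
    4: ("LMOTS_SHA256_N32_W8", "sha256", 32, 34),
}
LMS = {  # typecode: (name, hash, m, h)
    5: ("LMS_SHA256_M32_H5", "sha256", 32, 5),
    6: ("LMS_SHA256_M32_H10", "sha256", 32, 10),
    7: ("LMS_SHA256_M32_H15", "sha256", 32, 15),
    8: ("LMS_SHA256_M32_H20", "sha256", 32, 20),
    9: ("LMS_SHA256_M32_H25", "sha256", 32, 25),
}
MAX_LEVELS = 8  # RFC 8554 limits an HSS hierarchy to 8 levels


class Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated at offset %d" % self.pos)
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def skip(self, count):
        if self.pos + count > len(self.data):
            raise ValueError("truncated at offset %d" % self.pos)
        self.pos += count


def read_lms_signature(r):
    """u32(q) || u32(otstype) || C || y[0..p-1] || u32(lmstype) || path[0..h-1]"""
    r.u32()  # q, the leaf number
    ots = r.u32()
    if ots not in LMOTS:
        raise ValueError("unknown LM-OTS typecode %d" % ots)
    r.skip(LMOTS[ots][2] * (LMOTS[ots][3] + 1))  # C plus p chain values
    lms = r.u32()
    if lms not in LMS:
        raise ValueError("unknown LMS typecode %d" % lms)
    r.skip(LMS[lms][2] * LMS[lms][3])  # authentication path
    return ots, lms


def read_lms_public_key(r):
    """u32(lmstype) || u32(otstype) || I (16 bytes) || T[1] (m bytes)"""
    lms, ots = r.u32(), r.u32()
    if lms not in LMS or ots not in LMOTS:
        raise ValueError("unknown typecode in signed public key")
    r.skip(16 + LMS[lms][2])
    return ots, lms


def hss_levels(signature):
    """Return [(lmots_type, lms_type), ...] from the top tree to the bottom."""
    r = Reader(signature)
    nspk = r.u32()  # number of signed public keys = levels - 1
    if nspk >= MAX_LEVELS:
        raise ValueError("too many levels: %d" % (nspk + 1))
    levels, announced = [], None
    for level in range(nspk + 1):
        found = read_lms_signature(r)
        # A signed public key announces the types of the tree below it; the
        # next LMS signature must use exactly those types.
        if announced is not None and found != announced:
            raise ValueError("level %d types differ from signed public key" % level)
        levels.append(found)
        announced = read_lms_public_key(r) if level < nspk else None
    if r.pos != len(signature):
        raise ValueError("trailing bytes after HSS signature")
    return levels


def bottom_digest(signature):
    """Name and hash of the LM-OTS type that signs the message itself."""
    ots, _ = hss_levels(signature)[-1]
    return LMOTS[ots][0], LMOTS[ots][1]


def sample_lms_sig(ots, lms):  # constructed, zero-filled
    return (struct.pack(">II", 0, ots) + bytes(LMOTS[ots][2] * (LMOTS[ots][3] + 1))
            + struct.pack(">I", lms) + bytes(LMS[lms][2] * LMS[lms][3]))


def sample_lms_pub(ots, lms):  # constructed, zero-filled
    return struct.pack(">II", lms, ots) + bytes(16 + LMS[lms][2])


# Constructed two-level sample: top tree W4/H5, bottom tree W8/H10.
SAMPLE = (struct.pack(">I", 1) + sample_lms_sig(3, 5)
          + sample_lms_pub(4, 6) + sample_lms_sig(4, 6))

if __name__ == "__main__":
    for depth, (ots, lms) in enumerate(hss_levels(SAMPLE)):
        print(depth, LMOTS[ots][0], LMS[lms][0])
    print("message is hashed with:", bottom_digest(SAMPLE))
```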


From nobody Tue Mar 19 06:05:30 2019
Return-Path: <hallam@gmail.com>
MIME-Version: 1.0
References: <20190316223225.GC11586@netmeister.org> <20190317180256.GA4279@LK-Perkele-VII> <20190318160211.GC22311@netmeister.org> <BN6PR14MB1106E81499036021704CA32683470@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <BN6PR14MB1106E81499036021704CA32683470@BN6PR14MB1106.namprd14.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 19 Mar 2019 09:05:13 -0400
Message-ID: <CAMm+LwhgFpGsBY5gr5rJGc7MV1HhzxBR5b7TAWYQeZyNVyTiZQ@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Jan Schaumann <jschauma@netmeister.org>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088a4a605847228f2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/doZYJq89OHZw4FBMkG-blYBE2-Q>
Subject: Re: [lamps] CAA records on CNAMEs

--00000000000088a4a605847228f2
Content-Type: text/plain; charset="UTF-8"

The logic of override would be that you end up with an override version of
each tag.

I don't think the semantics end up as being what you want them to be
either. Example.com could have hundreds of Web Service hosts, so the
override scheme would end up with an enormous collection of CAA records.


On Mon, Mar 18, 2019 at 12:53 PM Tim Hollebeek <tim.hollebeek@digicert.com>
wrote:

> The problem is the "override" proposal adds another huge level of
> complexity on top of the semantics of the issue tag and every other tag
> involved in the issuance of certificates in the future (there will be
> more).
>
> As such, I think the proposal is strictly inferior to much simpler
> solutions e.g. the ones involving prefix tags.  You can even do clever
> things like saying the prefix tag is only relevant for CNAME records (this
> avoids having to do an additional DNS lookup for every node just to check
> if the prefix tag exists at that node).
>
> The prefix tag issue resurfaces every six to twelve months or so;
> interested persons should probably just concentrate on pushing that across
> the goal line.  Though I think it probably isn't necessary to hold up
> RFC6844bis for it.  We already said "no" to one other request to extend
> CAA that potentially could have held up RFC6844bis.  It can be its own RFC.
>
> -Tim
>
> > -----Original Message-----
> > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Jan Schaumann
> > Sent: Monday, March 18, 2019 12:02 PM
> > To: spasm@ietf.org
> > Subject: Re: [lamps] CAA records on CNAMEs
> >
> > Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> > > On Sat, Mar 16, 2019 at 06:32:26PM -0400, Jan Schaumann wrote:
> >
> > > > An alternative solution was suggested in the slides noted above:
> > > > change the CAA resolution algorithm to first attempt a _prefix on
> > > > which I can set an override (i.e., '_prefix.someapp.example.com IN
> > > > CAA issue "letsencrypt.org"').  This proposal was not reflected in
> > > > https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/,
> > > > however, so I assume there was discussion that concluded this to be
> > > > undesirable?
> > >
> > > That lookup happens just on the full name, right after lookup on the
> > > name itself, right? I.e., not on any tree-climbed names.
> >
> > I'm not the author of the original proposal, but I'd think the lookup
> > could work in one of two ways:
> >
> > 1) only perform the lookup on the full name iff it is a CNAME
> > 2) perform the lookup on any tree-climbed name
> >
> > (1) has the advantage of simplicity, at the cost of (some) inconsistency;
> > (2) has the advantage of consistency at the cost of complexity and
> > performance.
> > Worse is Better suggests (1).
> >
> >
> > As for how to handle combinations with DNAMEs, I suppose under (1), the
> > situation is largely unchanged:
> >
> > With 'example.com DNAME example.net' a lookup for a CAA record for
> > someapp.example.com would yield:
> >
> > - per the DNAME requirement, there must not be any record for
> >   someapp.example.com, so we only look at someapp.example.net:
> > - if someapp.example.net has a CAA record, return that; else
> > - if someapp.example.net is a CNAME to someapp.example.org:
> >   - if _caa.someapp.example.net has a CAA record, return that; else
> >   - if someapp.example.org has a CAA record, return that; else
> > - try example.com, which falls under the DNAME, so check example.net; if
> >   that has a CAA record, return; else
> > - try .com
> >
> >
> > > > A third possibility might be to add another 'override' tag to the
> > > > CAA definition, e.g.:
> > > >
> > > > example.com CAA 0 issue "digicert.com"
> > > > example.com CAA 0 override "someapp.example.com issue:letsencrypt.org"
> >
> > > And are overrides recursive or not? Based on description it looked
> > > that they require exact match.
> >
> > For simplicity, I think it might make sense to require that an 'override'
> > can only be given for specific labels above in the tree.
> > That is, no wildcards and no further recursion.
> >
> > In order to simplify matching of records and names, we could swap the
> > order, so the syntax might be:
> >
> > override "<issue|issuewild|iodef>:<value> <name>"
> >
> > In example, this might look like so:
> >
> > example.com CAA 0 iodef "mailto:security@example.com"
> > example.com CAA 0 issue "digicert.com"
> > example.com CAA 0 override "issue:letsencrypt.org foo.example.com"
> > example.com CAA 0 override "issuewild:globalsign.com bar.example.com"
> > example.com CAA 0 override "iodef:mailto:bofh@example.net bofh.example.com"
> >
> >
> > I'll also note that in a parallel thread on mozilla.dev.security.policy,
> > it was noted that there may be a need for an explicit way to allow any CA
> > to issue (in contrast to not having a CAA record, and thus requiring a
> > tree-climb ending only possibly in an implicit approval of any CA):
> > https://groups.google.com/d/msg/mozilla.dev.security.policy/DVa-xn1VsOA/DhQk9RZmDAAJ
> >
> > -Jan

--00000000000088a4a605847228f2--
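
The 'override' syntax proposed in the quoted text above, evaluated over a small constructed zone (an added example, not code from any participant in the thread). The function names, the rule that an override replaces inherited properties of the same tag, and the own.example.com record are assumptions made for the illustration.

```python
"""Added example: evaluating the proposed CAA 'override' tag over a constructed zone."""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]                      # (tag, value) of one CAA property
OVERRIDABLE = {"issue", "issuewild", "iodef"}

# Constructed zone, modelled on the records quoted in the thread.
# own.example.com and ca.example.net are made up for this example.
ZONE: Dict[str, List[Record]] = {
    "example.com": [
        ("iodef", "mailto:security@example.com"),
        ("issue", "digicert.com"),
        ("override", "issue:letsencrypt.org foo.example.com"),
        ("override", "issuewild:globalsign.com bar.example.com"),
        ("override", "iodef:mailto:bofh@example.net bofh.example.com"),
    ],
    "own.example.com": [("issue", "ca.example.net")],
}


def normalize(name: str) -> str:
    """Compare names case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()


def parse_override(value: str) -> Tuple[str, str, str]:
    """Split '<tag>:<value> <name>' into (tag, value, name)."""
    parts = value.rsplit(None, 1)             # the name is the last token
    if len(parts) != 2:
        raise ValueError(f"expected '<tag>:<value> <name>', got {value!r}")
    spec, name = parts
    tag, sep, inner = spec.partition(":")     # first colon only: iodef URLs contain ':'
    if not sep or not inner or tag not in OVERRIDABLE:
        raise ValueError(f"bad override property in {value!r}")
    if "*" in name:
        raise ValueError("wildcard names are not allowed in an override")
    return tag, inner, normalize(name)


def relevant_caa(name: str,
                 zone: Dict[str, List[Record]] = ZONE
                 ) -> Tuple[Optional[str], List[Record]]:
    """Climb from name towards the root; return (owner, effective properties)."""
    name = normalize(name)
    labels = name.split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if not rrset:
            continue                          # no CAA here, keep climbing
        base = [r for r in rrset if r[0] != "override"]
        if owner == name:
            return owner, base                # the name's own records win
        # Assumption: an override applies only on an exact name match
        # (no wildcards, no recursion) and replaces same-tag properties.
        repl = []
        for tag, value in rrset:
            if tag != "override":
                continue
            o_tag, o_value, o_name = parse_override(value)
            if o_name == name:
                repl.append((o_tag, o_value))
        replaced = {t for t, _ in repl}
        return owner, [r for r in base if r[0] not in replaced] + repl
    return None, []                           # no CAA found anywhere in the climb


if __name__ == "__main__":
    for host in ("foo.example.com", "a.foo.example.com", "bar.example.com",
                 "bofh.example.com", "own.example.com", "www.example.org"):
        print(host, "->", relevant_caa(host))
```

Every host that needs its own issuer costs one more record at example.com, which makes the record-count concern raised in the reply easy to see.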


From nobody Sat Mar 23 15:19:08 2019
From: Sean Turner <sean@sn3rd.com>
Message-Id: <74609304-E99C-419F-AE9A-00CFDD825927@sn3rd.com>
Date: Sat, 23 Mar 2019 23:19:00 +0100
To: "spasm@ietf.org" <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/b38SFOeko1OT2uN4n52YxAy2B0Y>
Subject: [lamps] RFC 5480 clarification for KeyUsages: keyEncipherment and dataEncipherment

Hi!

RFC 5480 enumerates the KeyUsage values that are included for an EC key:
https://tools.ietf.org/html/rfc5480#section-3
But, we neglected to mention keyEncipherment and dataEncipherment.  Does
that mean these values MAY be included, MUST NOT be included, or
something else?  And, is this worth spinning a short draft to clarify
RFC 5480?

spt


From nobody Sat Mar 23 23:34:15 2019
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <74609304-E99C-419F-AE9A-00CFDD825927@sn3rd.com>
Date: Sun, 24 Mar 2019 02:33:13 -0400
Cc: "spasm@ietf.org" <spasm@ietf.org>
Message-Id: <61B1FE9F-4647-4AE5-BBB0-703B276E51A0@vigilsec.com>
References: <74609304-E99C-419F-AE9A-00CFDD825927@sn3rd.com>
To: Sean Turner <sean@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/CyISBl5NiAYSWPd9RrH_pLOOgjE>
Subject: Re: [lamps] RFC 5480 clarification for KeyUsages: keyEncipherment and dataEncipherment

Sean:
>
> RFC 5480 enumerates the KeyUsage values that are included for an EC key:
> https://tools.ietf.org/html/rfc5480#section-3
> But, we neglected to mention keyEncipherment and dataEncipherment.  Does
> that mean these values MAY be included, MUST NOT be included, or
> something else?  And, is this worth spinning a short draft to clarify
> RFC 5480?

My understanding is that the algorithms in RFC 5480 are key agreement
and digital signature algorithms, so neither keyEncipherment nor
dataEncipherment is appropriate.  I read it as these bits MUST NOT be
set.

Russ


From nobody Sun Mar 24 00:49:23 2019
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>, 'Sean Turner' <sean@sn3rd.com>
CC: <spasm@ietf.org>
References: <74609304-E99C-419F-AE9A-00CFDD825927@sn3rd.com> <61B1FE9F-4647-4AE5-BBB0-703B276E51A0@vigilsec.com>
In-Reply-To: <61B1FE9F-4647-4AE5-BBB0-703B276E51A0@vigilsec.com>
Date: Sun, 24 Mar 2019 08:48:59 +0100
Message-ID: <02b201d4e216$0cdb6610$26923230$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/32KJmCburr6tWciJHTjfv5piRxI>
Subject: Re: [lamps] RFC 5480 clarification for KeyUsages: keyEncipherment and dataEncipherment

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Sunday, March 24, 2019 7:33 AM
> To: Sean Turner <sean@sn3rd.com>
> Cc: spasm@ietf.org
> Subject: Re: [lamps] RFC 5480 clarification for KeyUsages: keyEncipherment
> and dataEncipherment
> 
> Sean:
> >
> > RFC 5480 enumerates the KeyUsage values that are included for an EC key:
> > https://tools.ietf.org/html/rfc5480#section-3
> > But, we neglected to mention keyEncipherment and dataEncipherment.
> > Does that mean these values MAY be included, MUST NOT be included, or
> > something else?  And, is this worth spinning a short draft to clarify RFC
> > 5480?
>
> My understanding is that the algorithms in RFC 5480 are key agreement and
> digital signature algorithms, so neither keyEncipherment nor
> dataEncipherment is appropriate.  I read it as these bits MUST NOT be
> set.

My reading is that if nothing is said, then nothing is said.  I would agree
that these bits make no sense in general, but this is a public key so there
may be an algorithm which uses the EC key and does keyEncipherment.  In this
case it would be appropriate to have them set.  Think of an algorithm
identifier which is KeyAgree+KDF+KeyWrap as a single OID.  These two bits
however were created for algorithms which the IETF has never looked at
using.

Jim

> 
> Russ
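
The two readings in this thread, applied to the KeyUsage extension value of a certificate that carries an EC key (an added example, not code from any participant or from RFC 5480). The function names, the reading labels and the sample DER values are constructed for the illustration; the bit positions follow the KeyUsage definition in RFC 5280.

```python
"""Added example: flag keyEncipherment/dataEncipherment in a KeyUsage value for an EC key."""
from typing import FrozenSet, List, Tuple

# Named bits of the X.509 KeyUsage BIT STRING (RFC 5280); bit 0 is the most
# significant bit of the first content octet.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

# The two bits the thread says RFC 5480 section 3 does not mention.
UNMENTIONED = frozenset({"keyEncipherment", "dataEncipherment"})


def decode_key_usage(der: bytes) -> FrozenSet[str]:
    """Decode a DER BIT STRING (short-form length) into KeyUsage bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("bad unused-bits octet")
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        octet, bit = divmod(i, 8)
        if octet < len(content) and content[octet] & (0x80 >> bit):
            names.add(name)
    return frozenset(names)


def check_ec_key_usage(der: bytes,
                       reading: str = "must-not") -> Tuple[str, List[str]]:
    """Return (verdict, offending bits) for an EC key's KeyUsage value.

    reading="must-not"    : the bits are treated as forbidden, value rejected
    reading="unspecified" : RFC 5480 is treated as silent, value only flagged
    """
    if reading not in ("must-not", "unspecified"):
        raise ValueError(f"unknown reading {reading!r}")
    offending = sorted(decode_key_usage(der) & UNMENTIONED)
    if not offending:
        return "ok", []
    return ("reject" if reading == "must-not" else "warn"), offending


# Constructed KeyUsage extension values (the BIT STRING inside extnValue).
SAMPLES = {
    "digitalSignature": bytes.fromhex("03020780"),
    "digitalSignature+keyAgreement": bytes.fromhex("03020388"),
    "digitalSignature+keyEncipherment": bytes.fromhex("030205a0"),
    "dataEncipherment+keyAgreement": bytes.fromhex("03020318"),
    "keyAgreement+decipherOnly": bytes.fromhex("0303070880"),
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        print(label, check_ec_key_usage(der, "must-not"),
              check_ec_key_usage(der, "unspecified"))
```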


From nobody Tue Mar 26 04:14:20 2019
Date: Tue, 26 Mar 2019 12:14:11 +0100 (CET)
From: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
To: IETF LAMPS WG <spasm@ietf.org>
Message-ID: <alpine.DEB.2.20.1903261206330.10478@softronics.hoeneisen.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/yH5LtDEwKnAb0XCnnu5lorN-Wog>
Subject: [lamps] [Medup] Non-WG meeting, Thu 2019-03-28, 18:15-19:30, Tyrolka@Hilton_Prague (fwd)

For your convenience, below is the information about the MEDUP (Missing
Elements for Decentralized and Usable Privacy) non-WG meeting taking place 
on Thursday, which I just mentioned in my presentation during the LAMPS 
WG.

cheers
  Bernie


---------- Forwarded message ----------
Date: Fri, 22 Mar 2019 23:09:17
From: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
To: IETF MEDUP ML <medup@ietf.org>
Subject: Non-WG meeting, Thu 2019-03-28, 18:15-19:30, Tyrolka@Hilton_Prague

Dear MEDUP-List

Please be informed that we will have a MEDUP Non-WG Meeting during the IETF-104 
in Prague. You can find the draft agenda below, while any updates to this 
agenda will be published on:

   https://pep.foundation/dev/repos/internet-drafts/raw-file/tip/medup/ietf-104/agenda.txt


To get an idea of how many people intend to participate, we would appreciate it if
you let us know via:

   https://du7f.koalatux.ch/j8CKncOzQ3r6iM8CLy2tPw (this is optional)


After the meeting there will be a short demonstration of running code for those
who are interested (same meeting room).


Afterwards, we'll most likely continue discussions in a bar nearby. Feel free 
to join us for a beer or two!


Looking forward to meeting in Prague!


All the best,
  Hernani & Bernie


--

http://ucom.ch/
Modern Telephony Solutions and Tech Consulting for Internet Technology


From nobody Tue Mar 26 05:56:49 2019
From: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_7178EB3B-9C1B-4486-A990-579CF71235C7"; protocol="application/pkcs7-signature"; micalg=sha-256
Date: Tue, 26 Mar 2019 08:56:40 -0400
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>
To: SPASM <spasm@ietf.org>
In-Reply-To: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>
Message-Id: <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TokWFcQtiFjDKsgFj4gYxZ2Qkzs>
Subject: [lamps] Call for adoption of draft-vangeest-x509-hash-sigs-03

--Apple-Mail=_7178EB3B-9C1B-4486-A990-579CF71235C7
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_A917EF33-C88D-47F1-B8E9-6AE692738A58"


--Apple-Mail=_A917EF33-C88D-47F1-B8E9-6AE692738A58
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

We talked about the "Algorithm Identifiers for HSS and XMSS for Use in
the Internet X.509 Public Key Infrastructure"
<https://www.ietf.org/id/draft-vangeest-x509-hash-sigs-03.txt> document
today at the face-to-face meeting session.  It was suggested that the
document is ready for WG adoption.  Please voice your support or concerns
on the list.

Russ


--Apple-Mail=_A917EF33-C88D-47F1-B8E9-6AE692738A58--

--Apple-Mail=_7178EB3B-9C1B-4486-A990-579CF71235C7--


From nobody Tue Mar 26 05:59:28 2019
Return-Path: <rsalz@akamai.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7304120003 for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 05:59:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.85
X-Spam-Level: 
X-Spam-Status: No, score=-1.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, KHOP_DYNAMIC=0.85, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tC-EsUk5HECI for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 05:59:24 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F9FC120043 for <spasm@ietf.org>; Tue, 26 Mar 2019 05:59:24 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.27/8.16.0.27) with SMTP id x2QCkhE3015364; Tue, 26 Mar 2019 12:59:23 GMT
Received: from prod-mail-ppoint3 (a96-6-114-86.deploy.static.akamaitechnologies.com [96.6.114.86] (may be forged)) by m0050096.ppops.net-00190b01. with ESMTP id 2rfkhxr59f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Mar 2019 12:59:23 +0000
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x2QCl6ij020655; Tue, 26 Mar 2019 08:59:22 -0400
Received: from email.msg.corp.akamai.com ([172.27.27.25]) by prod-mail-ppoint3.akamai.com with ESMTP id 2rdg51pm8p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 26 Mar 2019 08:59:22 -0400
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com (172.27.27.101) by ustx2ex-dag1mb6.msg.corp.akamai.com (172.27.27.107) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 26 Mar 2019 05:59:21 -0700
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com ([172.27.6.131]) by ustx2ex-dag1mb1.msg.corp.akamai.com ([172.27.6.131]) with mapi id 15.00.1473.003; Tue, 26 Mar 2019 07:59:21 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] Call for adoption of draft-vangeest-x509-hash-sigs-03
Thread-Index: AQHU49NkxFiOY/Z2F0ihdPBVrPTGVKYd8JAA
Date: Tue, 26 Mar 2019 12:59:21 +0000
Message-ID: <42779946-CEBD-4881-93AC-496702124708@akamai.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com>
In-Reply-To: <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.17.0.190309
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.153.56]
Content-Type: multipart/alternative; boundary="_000_42779946CEBD488193AC496702124708akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-26_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903260091
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903260091
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/5dNhIHrAvHngukhB0_sDVRVSVhs>
Subject: Re: [lamps] Call for adoption of draft-vangeest-x509-hash-sigs-03
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 12:59:27 -0000

--_000_42779946CEBD488193AC496702124708akamaicom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_42779946CEBD488193AC496702124708akamaicom_--


From nobody Tue Mar 26 05:59:50 2019
Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8837B12000F for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 05:59:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level: 
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xfiizEnG-fyJ for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 05:59:47 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCC4B120003 for <spasm@ietf.org>; Tue, 26 Mar 2019 05:59:46 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.60,271,1549929600";  d="scan'208,217";a="539569726"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Mar 2019 12:59:45 +0000
Received: from XCH-RTP-009.cisco.com (xch-rtp-009.cisco.com [64.101.220.149]) by rcdn-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id x2QCxjYs025732 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 26 Mar 2019 12:59:45 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-009.cisco.com (64.101.220.149) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 26 Mar 2019 08:59:44 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1473.003; Tue, 26 Mar 2019 08:59:44 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] Call for adoption of draft-vangeest-x509-hash-sigs-03
Thread-Index: AQHU49N3DEF0nBwiP0uEPcOYdzD4gaYd380w
Date: Tue, 26 Mar 2019 12:59:44 +0000
Message-ID: <c3cf4821b6434e99915da2cb0c7c5cc8@XCH-RTP-006.cisco.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com>
In-Reply-To: <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.64.141]
Content-Type: multipart/alternative; boundary="_000_c3cf4821b6434e99915da2cb0c7c5cc8XCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.149, xch-rtp-009.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/XCSHpAI71kLMSAqiBo6Hr89YWDg>
Subject: Re: [lamps] Call for adoption of draft-vangeest-x509-hash-sigs-03
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 12:59:49 -0000

--_000_c3cf4821b6434e99915da2cb0c7c5cc8XCHRTP006ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Support

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Tuesday, March 26, 2019 8:57 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Call for adoption of draft-vangeest-x509-hash-sigs-03

We talked about the "Algorithm Identifiers for HSS and XMSS for Use in the
Internet X.509 Public Key Infrastructure"
<https://www.ietf.org/id/draft-vangeest-x509-hash-sigs-03.txt> document
today at the face-to-face meeting session.  It was suggested that the
document is ready for WG adoption.  Please voice your support or concerns
on the list.

Russ


--_000_c3cf4821b6434e99915da2cb0c7c5cc8XCHRTP006ciscocom_--


From nobody Tue Mar 26 06:10:45 2019
Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93085120004 for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 06:10:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOEZIDuyrQAT for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 06:10:42 -0700 (PDT)
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (mail-eopbgr840114.outbound.protection.outlook.com [40.107.84.114]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D02AA120003 for <spasm@ietf.org>; Tue, 26 Mar 2019 06:10:41 -0700 (PDT)
Received: from BN8PR09MB3604.namprd09.prod.outlook.com (20.179.76.14) by BN8PR09MB3601.namprd09.prod.outlook.com (20.179.76.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.18; Tue, 26 Mar 2019 13:10:38 +0000
Received: from BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0]) by BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0%5]) with mapi id 15.20.1730.019; Tue, 26 Mar 2019 13:10:38 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: SPASM <spasm@ietf.org>
Thread-Topic: Side-channel attack on multi-level trees and key generation of LMS. 
Thread-Index: AQHU49VOWMyEHh07WU6WCYCL4KDmBQ==
Date: Tue, 26 Mar 2019 13:10:38 +0000
Message-ID: <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com>
In-Reply-To: <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-originating-ip: [2610:20:6005:223::5f]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cebdefff-793a-4a5a-6a04-08d6b1ec7122
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:BN8PR09MB3601; 
x-ms-traffictypediagnostic: BN8PR09MB3601:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <BN8PR09MB36015A13DBDA874DE87969BDF35F0@BN8PR09MB3601.namprd09.prod.outlook.com>
x-forefront-prvs: 09888BC01D
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: multipart/alternative; boundary="_000_BN8PR09MB3604C9C7C8609430A58FD99EF35F0BN8PR09MB3604namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: cebdefff-793a-4a5a-6a04-08d6b1ec7122
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2019 13:10:38.6431 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR09MB3601
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/oi_5JmwVB6wnwG4UGpXqCQjDjKE>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 13:10:44 -0000

--_000_BN8PR09MB3604C9C7C8609430A58FD99EF35F0BN8PR09MB3604namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi all,


Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.


I just looked at the LMS's draft, the single tree with height 25 (2^25
signatures) takes only 1.5 hours.


Regards,

Quynh.





--_000_BN8PR09MB3604C9C7C8609430A58FD99EF35F0BN8PR09MB3604namp_--
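
The cost figures quoted in this thread (a single height-25 tree, 1936-byte signatures at W=8, faster key generation at W=4) can be reproduced from the LM-OTS and LMS formulas in the LMS specification (RFC 8554). The sketch below is an added example, not code from the thread or from the draft; it assumes SHA-256 parameter sets (n = 32), a single-level HSS key, and that deriving the private chain seeds costs nothing, and all function names are hypothetical.

```python
"""LMS/HSS sizing per RFC 8554 for the W trade-off discussed in this thread.

Assumptions (not stated in the mails): SHA-256 with n = m = 32 bytes, a
single-level HSS key (L = 1), and private chain seeds counted as free.
"""

N = 32  # hash output length in bytes for the SHA-256 parameter sets


def ceil_div(a: int, b: int) -> int:
    """Integer ceiling division, avoiding floating point."""
    return -(-a // b)


def lmots_p(w: int, n: int = N) -> int:
    """Number of Winternitz chains p for width w bits (RFC 8554, Appendix B)."""
    u = ceil_div(8 * n, w)                      # chains encoding the message digest
    max_checksum = (2**w - 1) * u               # largest possible checksum value
    v = ceil_div(max_checksum.bit_length(), w)  # chains encoding the checksum
    return u + v


def lms_sig_size(w: int, h: int, n: int = N) -> int:
    """Bytes in one LMS signature: q || LM-OTS signature || LMS type || path."""
    lmots_sig = 4 + n * (lmots_p(w, n) + 1)     # type || C || y[0..p-1]
    return 4 + lmots_sig + 4 + h * n            # h authentication-path nodes


def hss_sig_size(w: int, h: int, n: int = N) -> int:
    """Bytes in a single-level HSS signature: Nspk (= 0) || LMS signature."""
    return 4 + lms_sig_size(w, h, n)


def keygen_hashes(w: int, h: int, n: int = N) -> int:
    """Hash invocations needed to compute the root of one LMS tree of height h."""
    # Per leaf: walk all p chains to their ends, then hash the ends into K.
    per_leaf = lmots_p(w, n) * (2**w - 1) + 1
    leaves = 2**h
    # One further hash per tree node (2^h leaves plus 2^h - 1 interior nodes).
    return leaves * per_leaf + (2 * leaves - 1)


def implied_hash_rate(w: int, h: int, cores: int, hours: float) -> float:
    """Hashes per second per core implied by a reported key-generation time."""
    return keygen_hashes(w, h) / (cores * hours * 3600)


if __name__ == "__main__":
    h = 25
    print(f"{'W':>2} {'p':>4} {'HSS sig bytes':>14} {'keygen hashes':>16}")
    for w in (1, 2, 4, 8):
        print(f"{w:>2} {lmots_p(w):>4} {hss_sig_size(w, h):>14} "
              f"{keygen_hashes(w, h):>16,}")
    ratio = keygen_hashes(8, h) / keygen_hashes(4, h)
    print(f"keygen cost W=8 / W=4: {ratio:.2f}")
    # 15 cores and 1.5 hours are the figures reported in this thread.
    rate = implied_hash_rate(8, h, cores=15, hours=1.5)
    print(f"implied rate: {rate / 1e6:.2f} M hashes/s per core")
```
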


From nobody Tue Mar 26 06:20:10 2019
Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A1EC120004 for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 06:20:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level: 
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X71sFSSCrIqE for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 06:20:08 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEEA5120003 for <spasm@ietf.org>; Tue, 26 Mar 2019 06:20:07 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.60,271,1549929600";  d="scan'208,217";a="250558290"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Mar 2019 13:20:06 +0000
Received: from XCH-RTP-007.cisco.com (xch-rtp-007.cisco.com [64.101.220.147]) by rcdn-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id x2QDK6TW029442 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 26 Mar 2019 13:20:06 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-007.cisco.com (64.101.220.147) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 26 Mar 2019 09:20:05 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1473.003; Tue, 26 Mar 2019 09:20:05 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VXPtCcAwv+dECjmnZztrzUW6Yd47nA
Date: Tue, 26 Mar 2019 13:20:05 +0000
Message-ID: <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
In-Reply-To: <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.64.141]
Content-Type: multipart/alternative; boundary="_000_afb437b0d9e14a8097947a25d8422286XCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.147, xch-rtp-007.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/0N2czE66zORpOooIdiZZvqIpVO0>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 13:20:10 -0000

--_000_afb437b0d9e14a8097947a25d8422286XCHRTP006ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.


Hi all,

Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.

This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).

I just looked at the LMS's draft, the single tree with height 25 (2^25
signatures) takes only 1.5 hours.

Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature
      shorter (1936 bytes in this case), however it does increase the key
      generation time; a W=4 parameter set would approximately double the
      signature size, while decreasing the key generation time by circa a
      factor of 8.

Regards,

Quynh.







--_000_afb437b0d9e14a8097947a25d8422286XCHRTP006ciscocom_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)">
</head>
</html>

--_000_afb437b0d9e14a8097947a25d8422286XCHRTP006ciscocom_--


From nobody Tue Mar 26 07:04:07 2019
Return-Path: <quynh.dang@nist.gov>
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, SPASM <spasm@ietf.org>
Date: Tue, 26 Mar 2019 14:03:56 +0000
Message-ID: <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com>
In-Reply-To: <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com>
Content-Type: multipart/alternative; boundary="_000_BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0BN8PR09MB3604namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SgdrgQutcQZvcQ7sgh8FQ0Cj6WQ>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

--_000_BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0BN8PR09MB3604namp_
Content-Type: text/plain; charset="us-ascii"

The only downside of a 1-level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3 etc. hours of key generation time is not a problem, using a big
1-level tree seems better than using a multi-level tree.

Therefore, some bigger height numbers for a 1-level tree may be desired.

Quynh.

________________________________
From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation
of LMS.

Hi all,

Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.

This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).

I just looked at the LMS's draft, the single tree with height 25 (2^25
signatures) takes only 1.5 hours.

Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature
      shorter (1936 bytes in this case), however it does increase the key
      generation time; a W=4 parameter set would approximately double the
      signature size, while decreasing the key generation time by circa a
      factor of 8.

Regards,

Quynh.

--_000_BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0BN8PR09MB3604namp_--
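
Added example (not part of any message in this thread): a Python sketch that applies the size formulas of RFC 8554, the published form of the LMS draft, to the parameter sets discussed above. It reproduces the 1936-byte figure for a single height-25 tree with W=8 and compares W=4, a two-level 15/10 HSS tree and a taller single tree. The hash-count cost model, the linear scaling from the reported 1.5 hours, and all function names are assumptions of this example.

```python
# Added example, not code from the thread or from the LMS draft authors.
# Size formulas follow RFC 8554; the cost model and names are assumptions.

N = 32  # hash output length in bytes (SHA-256 parameter sets)


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def lmots_p(w: int, n: int = N) -> int:
    """Number of Winternitz chains p (RFC 8554, Appendix B)."""
    u = ceil_div(8 * n, w)                          # message digits
    v = ceil_div(((2**w - 1) * u).bit_length(), w)  # checksum digits
    return u + v


def lmots_sig_len(w: int, n: int = N) -> int:
    """LM-OTS signature: 4-byte type, randomizer C, p chain values."""
    return 4 + n * (1 + lmots_p(w, n))


def lms_sig_len(h: int, w: int, n: int = N) -> int:
    """LMS signature: q, LM-OTS signature, LMS type, h-node auth path."""
    return 4 + lmots_sig_len(w, n) + 4 + h * n


def hss_sig_len(heights, w: int, n: int = N) -> int:
    """HSS signature: Nspk, one LMS signature per level, and the LMS
    public key (24 + n bytes) of every tree below the top one."""
    levels = len(heights)
    return (4 + sum(lms_sig_len(h, w, n) for h in heights)
            + (levels - 1) * (24 + n))


def tree_keygen_hashes(h: int, w: int, n: int = N) -> int:
    """Assumed cost model: hash calls needed to build one LMS tree."""
    # Per leaf: p chains of 2^w - 1 steps, the OTS public key hash, the leaf hash.
    per_leaf = lmots_p(w, n) * (2**w - 1) + 2
    return 2**h * per_leaf + (2**h - 1)  # all leaves plus interior nodes


def keygen_hashes(heights, w: int, n: int = N) -> int:
    """Assumption: key generation builds one tree per HSS level."""
    return sum(tree_keygen_hashes(h, w, n) for h in heights)


def scaled_hours(heights, w: int, ref_hours: float = 1.5,
                 ref_heights=(25,), ref_w: int = 8) -> float:
    """Scale the reported 1.5 h (height 25, W=8, 15 cores) by hash count."""
    return ref_hours * keygen_hashes(heights, w) / keygen_hashes(ref_heights, ref_w)


if __name__ == "__main__":
    for heights, w in [((25,), 8), ((25,), 4), ((15, 10), 8), ((30,), 8)]:
        print(f"heights={heights} W={w}: "
              f"LM-OTS part {lmots_sig_len(w)} bytes, "
              f"HSS signature {hss_sig_len(heights, w)} bytes, "
              f"keygen about {scaled_hours(heights, w):.4g} h on the same 15 cores")
```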


From nobody Tue Mar 26 08:13:09 2019
Return-Path: <ietf@augustcellars.com>
From: Jim Schaad <ietf@augustcellars.com>
To: "'Dang, Quynh (Fed)'" <quynh.dang=40nist.gov@dmarc.ietf.org>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'SPASM' <spasm@ietf.org>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
In-Reply-To: <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
Date: Tue, 26 Mar 2019 16:12:50 +0100
Message-ID: <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_048E_01D4E3EE.C4215F30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/v1a4SEI_lDVtHVwCqt8KapophkY>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

------=_NextPart_000_048E_01D4E3EE.C4215F30
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

There is one other factor to compare in terms of how big the tree is.  For a
very large tree, if you do not have the resources to keep the entire private
key set (or a large subset of it) then you get into the situation where you
regenerate the entire private key tree for each and every signature.  This
is part of the trade-off between small key size and fast signature
generation/usage of time.

Jim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

The only downside of a 1-level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3 etc. hours of key generation time is not a problem, using a big
1-level tree seems better than using a multi-level tree.

Therefore, some bigger height numbers for a 1-level tree may be desired.

Quynh.

  _____

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation
of LMS.

Hi all,

Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.

This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).

I just looked at the LMS's draft, the single tree with height 25 (2^25
signatures) takes only 1.5 hours.

Clarification on this:

*	The test used 15 cores (and so it used a total of circa 1 core-day)
*	This was done with a W=8 parameter set.  This makes the signature
shorter (1936 bytes in this case), however it does increase the key
generation time; a W=4 parameter set would approximately double the
signature size, while decreasing the key generation time by circa a factor
of 8.

Regards,

Quynh.

------=_NextPart_000_048E_01D4E3EE.C4215F30
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><META =
HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 15 =
(filtered medium)"><!--[if !mso]><style>v\:* =
{behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p class=3DMsoNormal>There is =
one other factor to compare in terms of how big the tree is.&nbsp; For a =
very large tree, if you do not have the resources to keep the entire =
private key set (or a large subset of it) then you get into the =
situation where you regenerate the entire private key tree for each and =
every signature.&nbsp; This is part of the trade off between small key =
size and fast signature generation/usage of time.<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>Jim<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> Spasm =
&lt;spasm-bounces@ietf.org&gt; <b>On Behalf Of </b>Dang, Quynh =
(Fed)<br><b>Sent:</b> Tuesday, March 26, 2019 3:04 PM<br><b>To:</b> =
Scott Fluhrer (sfluhrer) &lt;sfluhrer@cisco.com&gt;; SPASM =
&lt;spasm@ietf.org&gt;<br><b>Subject:</b> Re: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
id=3Ddivtagdefaultwrapper><p><span =
style=3D'font-size:12.0pt;color:black'>The only downside of 1 level tree =
is its key generation time comparing to multi-level trees. In situations =
(&nbsp;such as a code signing application) where 1,&nbsp;2 or 3 etc... =
hours of a&nbsp;key generation time is not a problem, then using a =
big&nbsp;1 level tree seems better than using a multi-level =
tree.&nbsp;<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>Therefore,&nbsp; some bigger =
height numbers for 1-level tree may be =
desired.<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><p><sp=
an =
style=3D'font-size:12.0pt;color:black'>Quynh.&nbsp;<o:p></o:p></span></p>=
</div><div class=3DMsoNormal align=3Dcenter =
style=3D'text-align:center'><hr size=3D2 width=3D"98%" =
align=3Dcenter></div><div id=3DdivRplyFwdMsg><p =
class=3DMsoNormal><b><span style=3D'color:black'>From:</span></b><span =
style=3D'color:black'> Scott Fluhrer (sfluhrer) &lt;<a =
href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;<br><b>Sent:=
</b> Tuesday, March 26, 2019 9:20:05 AM<br><b>To:</b> Dang, Quynh (Fed); =
SPASM<br><b>Subject:</b> RE: [lamps] Side-channel attack on multi-level =
trees and key generation of LMS.</span> <o:p></o:p></p><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3Dxmsonormal><b>From:</b> Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; =
<b>On Behalf Of </b>Dang, Quynh (Fed)<br><b>Sent:</b> Tuesday, March 26, =
2019 9:11 AM<br><b>To:</b> SPASM &lt;<a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br><b>Subject:</b> =
[lamps] Side-channel attack on multi-level trees and key generation of =
LMS.<o:p></o:p></p><p class=3Dxmsonormal>&nbsp;<o:p></o:p></p><div =
id=3D"x_divtagdefaultwrapper"><p><span =
style=3D'font-size:12.0pt;color:black'>Hi =
all,</span><o:p></o:p></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;</span><o:p></o:p></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>Here is the attack I mentioned =
at the meeting today:&nbsp;<a =
href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F=
%2Feprint.iacr.org%2F2018%2F674%2F20180713%3A140821&amp;data=3D02%7C01%7C=
quynh.dang%40nist.gov%7C17afe62f6ae74a858cbf08d6b1edc737%7C2ab5d82fd8fa47=
97a93e054655c61dec%7C1%7C0%7C636892032138187826&amp;sdata=3D9u3pPjSd5ErMG=
IiBVoyV%2BjwwRyreeZJm4U7ONsQPU5w%3D&amp;reserved=3D0">https://eprint.iacr=
.org/2018/674/20180713:140821</a>.</span><o:p></o:p></p><p>&nbsp;<o:p></o=
:p></p><p><span style=3D'color:#1F497D'>This is a fault attack (that is, =
you try to make the signer miscompute something, and then use the =
miscomputed signature); a signer implementation could implement =
protections against this (of course, those protections are not =
free).</span><o:p></o:p></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;</span><o:p></o:p></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>I just looked at the LMS's =
draft, the single tree with height 25 ( 2^25 signatures)&nbsp; takes =
only 1.5 hours.</span><o:p></o:p></p><p>&nbsp;<o:p></o:p></p><p><span =
style=3D'color:#1F497D'>Clarification on this:</span><o:p></o:p></p><ul =
type=3Ddisc><li class=3DMsoNormal =
style=3D'color:#1F497D;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto=
;mso-list:l0 level1 lfo1'>The test used 15 cores (and so it used a total =
of circa 1 core-day)<o:p></o:p></li><li class=3DMsoNormal =
style=3D'color:#1F497D;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto=
;mso-list:l0 level1 lfo1'>This was done with a W=3D8 parameter =
set.&nbsp; This makes the signature shorter (1936 bytes in this case), =
however it does increase the key generation time; a W=3D4 parameter set =
would approximately double the signature size, while decreasing the key =
generation time by circa a factor of 8.<o:p></o:p></li></ul><p><span =
style=3D'font-size:12.0pt;color:#1F497D'>&nbsp;</span><o:p></o:p></p><p><=
span =
style=3D'font-size:12.0pt;color:black'>&nbsp;</span><o:p></o:p></p><p><sp=
an =
style=3D'font-size:12.0pt;color:black'>Regards,</span><o:p></o:p></p><p><=
span =
style=3D'font-size:12.0pt;color:black'>Quynh.&nbsp;</span><o:p></o:p></p>=
<p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;</span><o:p></o:p></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>&nbsp;</span><o:p></o:p></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;</span><o:p></o:p></p><div><=
div><div><div><p class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;</span><o:p></o:p></p></div>=
</div></div></div></div></div></div></div></div></body></html>
------=_NextPart_000_048E_01D4E3EE.C4215F30--


From nobody Tue Mar 26 08:21:24 2019
Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28B0F1203A7 for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 08:21:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level: 
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KGDPJt_WzWb9 for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 08:21:20 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-eopbgr830111.outbound.protection.outlook.com [40.107.83.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 884B312039B for <spasm@ietf.org>; Tue, 26 Mar 2019 08:21:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KgD2df+fBkl+edH7vGWgTCsgZ7yIegroxpvL/xkiEgU=; b=YrfQMyz3YPEOXbj1MPc4I5SDUlmJ0hQOZOZu6rANTjTcnwPZU9jxOlfBfHCZ0jBwHLO43vtJPclh+4YMUud+dwl+kvxM+z03dwBHL6CM4v5Evsw3dEC7xYO7A8hWZo+bqEKOcvESVnCoWO9JsBFKH+DjqkmkQ7HIoKmK4H++yOs=
Received: from BN8PR09MB3604.namprd09.prod.outlook.com (20.179.76.14) by BN8PR09MB3604.namprd09.prod.outlook.com (20.179.76.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.18; Tue, 26 Mar 2019 15:21:19 +0000
Received: from BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0]) by BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0%5]) with mapi id 15.20.1730.019; Tue, 26 Mar 2019 15:21:19 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Jim Schaad <ietf@augustcellars.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VOWMyEHh07WU6WCYCL4KDmBaYd5ZWAgAAKTzaAABUyAIAAAZek
Date: Tue, 26 Mar 2019 15:21:18 +0000
Message-ID: <BN8PR09MB36040F0DFA1A6C8D4D80B8F0F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com>
In-Reply-To: <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-originating-ip: [2001:67c:370:128:b877:3682:3cc7:357]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fa5b9630-d08d-4b49-2ac3-08d6b1feb247
x-ms-office365-filtering-ht: Tenant
x-ms-traffictypediagnostic: BN8PR09MB3604:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <BN8PR09MB3604A19F0C0A2780D012B86DF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
x-forefront-prvs: 09888BC01D
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: multipart/alternative; boundary="_000_BN8PR09MB36040F0DFA1A6C8D4D80B8F0F35F0BN8PR09MB3604namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: fa5b9630-d08d-4b49-2ac3-08d6b1feb247
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2019 15:21:18.9851 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR09MB3604
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/4tc2UQi8gd31Hgx27Vk7dghGUxg>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 15:21:23 -0000

--_000_BN8PR09MB36040F0DFA1A6C8D4D80B8F0F35F0BN8PR09MB3604namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable




________________________________
From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:12 AM
To: Dang, Quynh (Fed); 'Scott Fluhrer (sfluhrer)'; 'SPASM'
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.


There is one other factor to compare in terms of how big the tree is. For a very large tree, if you do not have the resources to keep the entire private key set (or a large subset of it) then you get into the situation where you regenerate the entire private key tree for each and every signature.


Quynh: You generate an OTS private key whenever you need it from a SEED: this is the same with a multi-level tree.


Quynh.


This is part of the trade off between small key size and fast signature generation/usage of time.



Jim





From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



The only downside of a 1-level tree is its key generation time compared to multi-level trees. In situations (such as a code signing application) where 1, 2 or 3 etc. hours of key generation time is not a problem, using a big 1-level tree seems better than using a multi-level tree.



Therefore, some bigger height numbers for a 1-level tree may be desired.



Quynh.

________________________________

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Hi all,



Here is the attack I mentioned at the meeting today: https://eprint.iacr.org/2018/674/20180713:140821.



This is a fault attack (that is, you try to make the signer miscompute something, and then use the miscomputed signature); a signer implementation could implement protections against this (of course, those protections are not free).



I just looked at the LMS's draft, the single tree with height 25 (2^25 signatures) takes only 1.5 hours.



Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature shorter (1936 bytes in this case), however it does increase the key generation time; a W=4 parameter set would approximately double the signature size, while decreasing the key generation time by circa a factor of 8.





Regards,

Quynh.










--_000_BN8PR09MB36040F0DFA1A6C8D4D80B8F0F35F0BN8PR09MB3604namp_--
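
Added example (not part of the thread and not code from the LMS draft): a toy Merkle tree whose one-time keys are all derived from a single SEED, counting how many one-time-key evaluations one signature's authentication path costs when nothing but SEED is kept versus when the top levels of the tree are stored. The SHA-256 leaf stand-in, the node encoding and the names `SeedTree`, `cached_depth`, `root_from_path` and `signing_cost` are assumptions made for illustration, and the caching shown is plain storage of upper levels, not a tree-traversal algorithm from the literature.

```python
import hashlib

SEED = bytes(32)  # constructed sample seed; a real signer uses a secret random value


def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256, standing in for the hash calls of a real scheme."""
    return hashlib.sha256(tag + b"".join(parts)).digest()


class SeedTree:
    """Merkle tree over 2**height one-time keys derived on demand from SEED.

    Heap numbering: root is node 1, the children of r are 2r and 2r+1,
    and leaf q is node 2**height + q.
    """

    def __init__(self, seed: bytes, height: int, cached_depth: int = 0):
        self.seed = seed
        self.height = height
        self.cached_depth = cached_depth  # keep all nodes at depths 1..cached_depth
        self.cache = {}
        self.leaf_evals = 0
        self.root = self._node(1)         # key generation: one full pass over the tree
        self.keygen_evals = self.leaf_evals
        self.leaf_evals = 0               # from here on, count signing-time work only

    def ots_public_key(self, q: int) -> bytes:
        # Stand-in for "derive the one-time private key for leaf q from SEED and
        # compute its public key". In a real scheme this is the expensive step.
        self.leaf_evals += 1
        return H(b"leaf", self.seed, q.to_bytes(4, "big"))

    def _node(self, r: int) -> bytes:
        if r in self.cache:
            return self.cache[r]
        first_leaf = 1 << self.height
        if r >= first_leaf:
            value = self.ots_public_key(r - first_leaf)
        else:
            value = H(b"node", r.to_bytes(4, "big"),
                      self._node(2 * r), self._node(2 * r + 1))
        depth = r.bit_length() - 1        # the root has depth 0
        if 1 <= depth <= self.cached_depth:
            self.cache[r] = value
        return value

    def auth_path(self, q: int) -> list:
        """Sibling hashes from leaf q up to (not including) the root."""
        r = (1 << self.height) + q
        path = []
        while r > 1:
            path.append(self._node(r ^ 1))  # sibling of the current node
            r >>= 1
        return path


def root_from_path(height: int, q: int, leaf: bytes, path: list) -> bytes:
    """Verifier side: recompute the root from a leaf and its authentication path."""
    r = (1 << height) + q
    value = leaf
    for sibling in path:
        left, right = (sibling, value) if r & 1 else (value, sibling)
        r >>= 1
        value = H(b"node", r.to_bytes(4, "big"), left, right)
    return value


def signing_cost(seed: bytes, height: int, cached_depth: int, q: int):
    """Return (leaf evaluations for the path, bytes of stored nodes, path verifies)."""
    tree = SeedTree(seed, height, cached_depth)
    path = tree.auth_path(q)
    evals = tree.leaf_evals
    leaf = tree.ots_public_key(q)
    ok = root_from_path(height, q, leaf, path) == tree.root
    return evals, 32 * len(tree.cache), ok


if __name__ == "__main__":
    h = 10
    for depth in (0, 5):
        evals, stored, ok = signing_cost(SEED, h, depth, q=5)
        print(f"height {h}, cached depth {depth}: {evals} leaf evaluations "
              f"per signature, {stored} bytes stored, path verifies: {ok}")
```

With only SEED kept, the path costs 2^h - 1 leaf evaluations, almost a full key generation per signature; keeping depths 1..k costs 2^(k+1) - 2 stored hashes and cuts that to 2^(h-k) - 1.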


From nobody Tue Mar 26 08:27:47 2019
Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2699212036B for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 08:27:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.511
X-Spam-Level: 
X-Spam-Status: No, score=-12.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JulyfzHyq8Fq for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 08:27:43 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13EE1120381 for <spasm@ietf.org>; Tue, 26 Mar 2019 08:27:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18216; q=dns/txt; s=iport; t=1553614062; x=1554823662; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=mxAi3Lv5hCQE7w86kAkF98NZiejHk74wsm1G91l7sfE=; b=GPKl3I5v8CtmgVYRkkqK+GiV1T26Zy2+/qqB8cGqjBuFLLiA7oJHRMxh lLK17QmqPp40UrxPNvb5wvRwo9x8sZvxzOvMXNCl7pyF99/8GrfBhauLP wO0wduM00VkUH4b9KbBsoAlgD9cvyFGXJWM4J4YDcb8CUpNI5DUskrA2N 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.60,273,1549929600";  d="scan'208,217";a="540014476"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Mar 2019 15:27:41 +0000
Received: from XCH-RTP-007.cisco.com (xch-rtp-007.cisco.com [64.101.220.147]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id x2QFRfjY031705 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 26 Mar 2019 15:27:41 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-007.cisco.com (64.101.220.147) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 26 Mar 2019 11:27:40 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1473.003; Tue, 26 Mar 2019 11:27:40 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Dang, Quynh (Fed)'" <quynh.dang=40nist.gov@dmarc.ietf.org>, "'SPASM'" <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VXPtCcAwv+dECjmnZztrzUW6Yd47nAgABRKwCAABNAAP//vYTQ
Date: Tue, 26 Mar 2019 15:27:40 +0000
Message-ID: <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com>
In-Reply-To: <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.64.141]
Content-Type: multipart/alternative; boundary="_000_026b333ae64b45abb031a537366512dfXCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.147, xch-rtp-007.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Ktw0KvmrqgC1YIn76ilMtgThVGk>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 15:27:45 -0000

--_000_026b333ae64b45abb031a537366512dfXCHRTP006ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Actually, there are algorithms that are able to generate the next authentication path by storing a comparatively small part of the tree, and using only a relatively small number of leaf node evaluations.  For example, http://www.szydlo.com/fractal-jmls.pdf

From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:13 AM
To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

There is one other factor to compare in terms of how big the tree is. For a very large tree, if you do not have the resources to keep the entire private key set (or a large subset of it) then you get into the situation where you regenerate the entire private key tree for each and every signature. This is part of the trade off between small key size and fast signature generation/usage of time.

Jim


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.


The only downside of a 1-level tree is its key generation time compared to multi-level trees. In situations (such as a code signing application) where 1, 2 or 3 etc. hours of key generation time is not a problem, using a big 1-level tree seems better than using a multi-level tree.



Therefore, some bigger height numbers for a 1-level tree may be desired.



Quynh.

________________________________
From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Hi all,



Here is the attack I mentioned at the meeting today: https://eprint.iacr.org/2018/674/20180713:140821.



This is a fault attack (that is, you try to make the signer miscompute something, and then use the miscomputed signature); a signer implementation could implement protections against this (of course, those protections are not free).



I just looked at the LMS's draft, the single tree with height 25 (2^25 signatures) takes only 1.5 hours.



Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature shorter (1936 bytes in this case), however it does increase the key generation time; a W=4 parameter set would approximately double the signature size, while decreasing the key generation time by circa a factor of 8.





Regards,

Quynh.









--_000_026b333ae64b45abb031a537366512dfXCHRTP006ciscocom_--
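The storage-versus-recomputation trade-off discussed in this thread (regenerating leaves for every authentication path versus keeping part of the tree), as an added example that is not part of any poster's message. It assumes a toy leaf function standing in for LM-OTS public key generation, simplified node hashing, and a plain "cache the top k levels" strategy, which is not the fractal traversal algorithm linked above; all names are this example's own.

```python
import hashlib

SEED = b"constructed-demo-seed"  # constructed value, not a real key


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class Signer:
    """Merkle-tree signer that stores only nodes at depth <= cached_depth."""

    def __init__(self, height: int, cached_depth: int):
        self.h = height
        self.k = cached_depth
        self.cache = {}          # (depth, index) -> node hash
        self.leaf_evals = 0      # how many leaf public keys were regenerated
        # Key generation: one full pass over all 2^h leaves.
        self.root = self._node(0, 0, fill_cache=True)
        self.keygen_leaf_evals = self.leaf_evals
        self.leaf_evals = 0      # from here on, count per-signature work only

    def _leaf(self, q: int) -> bytes:
        # Stand-in for "derive the OTS private key from SEED, then compute
        # its public key"; in real LM-OTS this is thousands of hash calls.
        self.leaf_evals += 1
        return sha(b"leaf", SEED, q.to_bytes(4, "big"))

    def _node(self, depth: int, index: int, fill_cache: bool = False) -> bytes:
        if (depth, index) in self.cache:
            return self.cache[(depth, index)]
        if depth == self.h:
            value = self._leaf(index)
        else:
            left = self._node(depth + 1, 2 * index, fill_cache)
            right = self._node(depth + 1, 2 * index + 1, fill_cache)
            value = sha(b"node", left, right)
        if fill_cache and depth <= self.k:
            self.cache[(depth, index)] = value
        return value

    def auth_path(self, q: int) -> list:
        """Sibling hashes from the leaf level up to the children of the root."""
        path, index = [], q
        for depth in range(self.h, 0, -1):
            path.append(self._node(depth, index ^ 1))  # cached or recomputed
            index >>= 1
        return path


def root_from_path(q: int, leaf: bytes, path: list) -> bytes:
    """Verifier side: fold the leaf and its siblings back up to the root."""
    node = leaf
    for sibling in path:
        node = sha(b"node", node, sibling) if q % 2 == 0 else sha(b"node", sibling, node)
        q >>= 1
    return node


def measure(height: int, cached_depth: int, q: int):
    """Return (leaf regenerations for one path, stored nodes, path verifies)."""
    signer = Signer(height, cached_depth)
    path = signer.auth_path(q)
    evals = signer.leaf_evals
    ok = root_from_path(q, signer._leaf(q), path) == signer.root
    return evals, len(signer.cache), ok


if __name__ == "__main__":
    H = 6  # toy height; the thread discusses h = 25
    print("cached depth | stored nodes | leaf regenerations per signature")
    for k in range(H + 1):
        evals, stored, ok = measure(H, k, q=5)
        assert ok
        print(f"{k:12d} | {stored:12d} | {evals}")
```

With only the root stored, every signature regenerates 2^h - 1 leaves; each additional cached level doubles the storage and halves that work.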

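A cost model for the parameter choices discussed in the message above (W=8 versus W=4, one tree of height 25 versus several smaller levels), added here as an example and not taken from any poster. It assumes the SHA-256, n=32 parameter sets and the encoding formulas of RFC 8554, counts only the hash calls needed to build LM-OTS public keys, and uses function names of its own.

```python
N = 32  # hash output length in bytes (SHA-256 parameter sets)


def lmots_p(w: int, n: int = N) -> int:
    """Number of Winternitz chains: message digits (u) plus checksum digits (v)."""
    u = -(-8 * n // w)                       # ceil(8n / w)
    max_checksum = (2**w - 1) * u
    # floor(lg(x)) + 1 equals x.bit_length(); v = ceil(that / w)
    v = -(-max_checksum.bit_length() // w)
    return u + v


def lmots_sig_bytes(w: int, n: int = N) -> int:
    return 4 + n * (lmots_p(w, n) + 1)       # type || C || y[0..p-1]


def lms_sig_bytes(w: int, h: int, n: int = N) -> int:
    return 4 + lmots_sig_bytes(w, n) + 4 + h * n   # q || OTS sig || type || path


def hss_sig_bytes(w: int, heights: list, n: int = N) -> int:
    """HSS signature size; `heights` lists the tree height of each level."""
    lms_pub = 4 + 4 + 16 + n                 # LMS type || OTS type || I || root
    total = 4                                # Nspk counter
    for h in heights[:-1]:                   # each upper level signs a public key
        total += lms_sig_bytes(w, h, n) + lms_pub
    return total + lms_sig_bytes(w, heights[-1], n)


def hashes_per_leaf(w: int, n: int = N) -> int:
    """Hash calls to turn one LM-OTS private key into its public key."""
    return lmots_p(w, n) * (2**w - 1) + 1    # all chains, then one compression


def keygen_leaves(heights: list) -> int:
    """Leaves computed at key generation: the first tree of every level."""
    return sum(2**h for h in heights)


def keygen_hashes(w: int, heights: list) -> int:
    return keygen_leaves(heights) * hashes_per_leaf(w)


if __name__ == "__main__":
    for w, heights in [(8, [25]), (4, [25]), (8, [15, 10]), (4, [15, 10])]:
        print(f"W={w} heights={heights}: "
              f"signature {hss_sig_bytes(w, heights)} bytes, "
              f"keygen about {keygen_hashes(w, heights):.2e} hashes")
```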

From nobody Tue Mar 26 08:30:00 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A84912047E for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 08:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.09
X-Spam-Level: 
X-Spam-Status: No, score=0.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pxdf0HUBx7z9 for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 08:29:54 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13351120447 for <spasm@ietf.org>; Tue, 26 Mar 2019 08:29:53 -0700 (PDT)
Received: from Jude (31.133.136.100) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 26 Mar 2019 08:29:45 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: "'Dang, Quynh (Fed)'" <quynh.dang@nist.gov>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'SPASM' <spasm@ietf.org>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <BN8PR09MB36040F0DFA1A6C8D4D80B8F0F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
In-Reply-To: <BN8PR09MB36040F0DFA1A6C8D4D80B8F0F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
Date: Tue, 26 Mar 2019 16:29:41 +0100
Message-ID: <04a801d4e3e8$bd2f79b0$378e6d10$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_04A9_01D4E3F1.1EF4F320"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGxeOKNdKozrHAci8pAAx4ahTvmlgIxG3TbAT4B+M8A3xuK/AH0U3JhASTbB3oCpWkHaaYUeOtQ
Content-Language: en-us
X-Originating-IP: [31.133.136.100]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/gLJ4vHfzC0aZVCuuUAbOoEbpkl0>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 15:30:00 -0000

------=_NextPart_000_04A9_01D4E3F1.1EF4F320
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

 

 

From: Dang, Quynh (Fed) <quynh.dang@nist.gov> 
Sent: Tuesday, March 26, 2019 4:21 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Scott Fluhrer (sfluhrer)'
<sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

 

 

  _____  

From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:12 AM
To: Dang, Quynh (Fed); 'Scott Fluhrer (sfluhrer)'; 'SPASM'
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS. 

 

There is one other factor to compare in terms of how big the tree is.  For a
very large tree, if you do not have the resources to keep the entire private
key set (or a large subset of it) then you get into the situation where you
regenerate the entire private key tree for each and every signature. 

 

Quynh: You generate an OTS private key whenever you need it from a SEED: this
is the same with multi-level tree.

Jim: You also need to generate the path from the leaf to the root.  Since
this path changes for every message you sign, you also need to do some
regeneration of the path if you don't keep all (or a large set) of the leaf
OTS public keys.

Quynh. 

 

This is part of the trade off between small key size and fast signature
generation/usage of time.

 

Jim

 

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

The only downside of 1 level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3 etc... hours of a key generation time is not a problem, then using
a big 1 level tree seems better than using a multi-level tree.

Therefore, some bigger height numbers for 1-level tree may be desired.

 

Quynh. 

  _____  

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation
of LMS.

 

Hi all,

 

Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.

 

This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).

 

I just looked at the LMS's draft, the single tree with height 25 (2^25
signatures) takes only 1.5 hours.

 

Clarification on this:

*	The test used 15 cores (and so it used a total of circa 1 core-day)
*	This was done with a W=8 parameter set.  This makes the signature
shorter (1936 bytes in this case), however it does increase the key
generation time; a W=4 parameter set would approximately double the
signature size, while decreasing the key generation time by circa a factor
of 8.

 

 

Regards,

Quynh. 

 

 

 

 


------=_NextPart_000_04A9_01D4E3F1.1EF4F320
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><META =
HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 15 =
(filtered medium)"><!--[if !mso]><style>v\:* =
{behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
	{mso-style-name:x_msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
p.xxmsonormal, li.xxmsonormal, div.xxmsonormal
	{mso-style-name:x_xmsonormal;
	margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.EmailStyle22
	{mso-style-type:personal-reply;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
/* List Definitions */
@list l0
	{mso-list-id:1892573030;
	mso-list-template-ids:426308852;}
@list l0:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level2
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level3
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level4
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level5
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level6
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level7
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level8
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level9
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
ol
	{margin-bottom:0in;}
ul
	{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> Dang, =
Quynh (Fed) &lt;quynh.dang@nist.gov&gt; <br><b>Sent:</b> Tuesday, March =
26, 2019 4:21 PM<br><b>To:</b> Jim Schaad =
&lt;ietf@augustcellars.com&gt;; 'Scott Fluhrer (sfluhrer)' =
&lt;sfluhrer@cisco.com&gt;; 'SPASM' =
&lt;spasm@ietf.org&gt;<br><b>Subject:</b> Re: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
id=3Ddivtagdefaultwrapper><p><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><div><=
div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><span =
style=3D'font-size:12.0pt;color:black'><hr size=3D2 width=3D"98%" =
align=3Dcenter></span></div><div id=3DdivRplyFwdMsg><p =
class=3DMsoNormal><b><span style=3D'color:black'>From:</span></b><span =
style=3D'color:black'> Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;<br>=
<b>Sent:</b> Tuesday, March 26, 2019 11:12 AM<br><b>To:</b> Dang, Quynh =
(Fed); 'Scott Fluhrer (sfluhrer)'; 'SPASM'<br><b>Subject:</b> RE: =
[lamps] Side-channel attack on multi-level trees and key generation of =
LMS.</span><span style=3D'font-size:12.0pt;color:black'> =
<o:p></o:p></span></p><div><p class=3DMsoNormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p></div>=
</div><div><div><p class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>There is one other factor to =
compare in terms of how big the tree is.&nbsp; For a very large tree, if =
you do not have the resources to keep the entire private key set (or a =
large subset of it) then you get into the situation where you regenerate =
the entire private key tree for each and every =
signature.&nbsp;<o:p></o:p></span></p><p class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:red'>Quynh:&nbsp;You generate a OTS =
private key whenever you need it from a SEED: this is the same with =
multi-level tree.&nbsp;&nbsp;</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><p =
class=3Dxmsonormal><span style=3D'font-size:12.0pt'>Jim: You also need =
to generate the path from the leaf to the root.&nbsp; Since this path =
changes for every message you sign, you also need to do some =
regeneration of the path if you don&#8217;t keep all (or a large set) of =
the leaf OTS public keys.<span =
style=3D'color:black'><o:p></o:p></span></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:red'>Quynh.&nbsp;</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><p =
class=3Dxmsonormal><span style=3D'font-size:12.0pt;color:black'>This is =
part of the trade off between small key size and fast signature =
generation/usage of time.<o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>Jim<o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3Dxmsonormal><b><span =
style=3D'font-size:12.0pt;color:black'>From:</span></b><span =
style=3D'font-size:12.0pt;color:black'> Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; =
<b>On Behalf Of </b>Dang, Quynh (Fed)<br><b>Sent:</b> Tuesday, March 26, =
2019 3:04 PM<br><b>To:</b> Scott Fluhrer (sfluhrer) &lt;<a =
href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;; SPASM =
&lt;<a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br><b>Subject:</b> =
Re: [lamps] Side-channel attack on multi-level trees and key generation =
of LMS.<o:p></o:p></span></p></div></div><p class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><div =
id=3D"x_divtagdefaultwrapper"><p><span =
style=3D'font-size:12.0pt;color:black'>The only downside of 1 level tree =
is its key generation time comparing to multi-level trees. In situations =
(&nbsp;such as a code signing application) where 1,&nbsp;2 or 3 etc... =
hours of a&nbsp;key generation time is not a problem, then using a =
big&nbsp;1 level tree seems better than using a multi-level =
tree.&nbsp;<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>Therefore,&nbsp; some bigger =
height numbers for 1-level tree may be =
desired.<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an =
style=3D'font-size:12.0pt;color:black'>Quynh.&nbsp;<o:p></o:p></span></p>=
</div><div class=3DMsoNormal align=3Dcenter =
style=3D'text-align:center'><span =
style=3D'font-size:12.0pt;color:black'><hr size=3D2 width=3D"98%" =
align=3Dcenter></span></div><div id=3D"x_divRplyFwdMsg"><p =
class=3Dxmsonormal><b><span =
style=3D'font-size:12.0pt;color:black'>From:</span></b><span =
style=3D'font-size:12.0pt;color:black'> Scott Fluhrer (sfluhrer) &lt;<a =
href=3D"mailto:sfluhrer@cisco.com" =
id=3DLPlnk654164>sfluhrer@cisco.com</a>&gt;<br><b>Sent:</b> Tuesday, =
March 26, 2019 9:20:05 AM<br><b>To:</b> Dang, Quynh (Fed); =
SPASM<br><b>Subject:</b> RE: [lamps] Side-channel attack on multi-level =
trees and key generation of LMS. <o:p></o:p></span></p><div><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p></div>=
</div><div><div><p class=3Dxxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>I<b>rom:</b> Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org" =
id=3DLPlnk701993>spasm-bounces@ietf.org</a>&gt; <b>On Behalf Of =
</b>Dang, Quynh (Fed)<br><b>Sent:</b> Tuesday, March 26, 2019 9:11 =
AM<br><b>To:</b> SPASM &lt;<a href=3D"mailto:spasm@ietf.org" =
id=3DLPlnk277320>spasm@ietf.org</a>&gt;<br><b>Subject:</b> [lamps] =
Side-channel attack on multi-level trees and key generation of =
LMS.<o:p></o:p></span></p><p class=3Dxxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><div =
id=3D"x_x_divtagdefaultwrapper"><p><span =
style=3D'font-size:12.0pt;color:black'>Hi =
all,<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>Here is the attack I mentioned =
at the meeting today:&nbsp;<a =
href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F=
%2Feprint.iacr.org%2F2018%2F674%2F20180713%3A140821&amp;data=3D02%7C01%7C=
quynh.dang%40nist.gov%7C8d6a1d790ec0480aafe408d6b1fd9160%7C2ab5d82fd8fa47=
97a93e054655c61dec%7C1%7C0%7C636892099954210337&amp;sdata=3D2VcGnAW6UEsdb=
DbU5wcB5tBSI4gL7H3%2F1xVeXzIW39w%3D&amp;reserved=3D0" =
id=3DLPlnk614340>https://eprint.iacr..org/2018/674/20180713:140821</a>.<o=
:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:#1F497D'>This is a fault attack (that =
is, you try to make the signer miscompute something, and then use the =
miscomputed signature); a signer implementation could implement =
protections against this (of course, those protections are not =
free).</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>I just looked at the LMS's =
draft, the single tree with height 25 ( 2^25 signatures)&nbsp; takes =
only 1.5 hours.<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:#1F497D'>Clarification on =
this:</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><ul =
type=3Ddisc><li class=3Dxmsonormal style=3D'color:#1F497D;mso-list:l0 =
level1 lfo1'><span style=3D'font-size:12.0pt'>The test used 15 cores =
(and so it used a total of circa 1 core-day)<o:p></o:p></span></li><li =
class=3Dxmsonormal style=3D'color:#1F497D;mso-list:l0 level1 lfo1'><span =
style=3D'font-size:12.0pt'>This was done with a W=3D8 parameter =
set.&nbsp; This makes the signature shorter (1936 bytes in this case), =
however it does increase the key generation time; a W=3D4 parameter set =
would approximately double the signature size, while decreasing the key =
generation time by circa a factor of =
8.<o:p></o:p></span></li></ul><p><span =
style=3D'font-size:12.0pt;color:#1F497D'>&nbsp;</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an =
style=3D'font-size:12.0pt;color:black'>Regards,<o:p></o:p></span></p><p><=
span =
style=3D'font-size:12.0pt;color:black'>Quynh.&nbsp;<o:p></o:p></span></p>=
<p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p =
class=3Dxxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><div><=
div><div><div><p class=3Dxxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p></div>=
</div></div></div></div></div></div></div></div></div></div></div></div><=
/div></body></html>
------=_NextPart_000_04A9_01D4E3F1.1EF4F320--


From nobody Tue Mar 26 08:45:48 2019
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 403AC120473 for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 08:45:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.711
X-Spam-Level: 
X-Spam-Status: No, score=-0.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com header.b=EnDdchhp; dkim=pass (1024-bit key) header.d=digicert.com header.b=WDR6Xc/w
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ecYsa2Ljd86X for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 08:45:40 -0700 (PDT)
Received: from us-smtp-delivery-173.mimecast.com (us-smtp-delivery-173.mimecast.com [216.205.24.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2F85120462 for <spasm@ietf.org>; Tue, 26 Mar 2019 08:45:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=mimecast20190124; t=1553615138; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=DEB3c+Bde8Ij2xui/6lcwr6GIIEOvYITEScnM6Hcj+k=; b=EnDdchhpNsCPY7VZd75H1psDN2mIu83WJjzNQTtvfh8LGeNMhERgS9ANuMmZGfe+GV9Ak5gJ53AH3FNniTVuNfjIGNH/LR7ShumL2/EQc8KoYOB6hcE54N7ptk1l5tN1gCJ3i044r2lIj37nN0ZFJOHTnEfV6OoxZUZ2HlB31qU=
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (mail-sn1nam04lp2050.outbound.protection.outlook.com [104.47.44.50]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-155-erlOKs-eMM-rAJL36t0yOw-1; Tue, 26 Mar 2019 11:45:37 -0400
X-MC-Unique: erlOKs-eMM-rAJL36t0yOw-1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DEB3c+Bde8Ij2xui/6lcwr6GIIEOvYITEScnM6Hcj+k=; b=WDR6Xc/wQRrl0heiPpLl8FtOZxxxXAIKuJb2v/UM8ciRwf/MKib2AgNGVYChOX05RqS9mYv4jZjw1yDseQtNjo4pt0VTxPhCnCjtwpGzB7gCar0nPYIly17jdeBuoxcWkX40K1a3WPaIGkTP1OvREZ0qhuCMYf6gYwvP91I3XJA=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1155.namprd14.prod.outlook.com (10.173.161.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.18; Tue, 26 Mar 2019 15:45:33 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::294e:1bc:bb2b:e728]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::294e:1bc:bb2b:e728%5]) with mapi id 15.20.1730.019; Tue, 26 Mar 2019 15:45:33 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Dang, Quynh (Fed)'" <quynh.dang@nist.gov>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VXx21KHECH1UWEyX+/NMZuuKYd5ZWAgAAMQQCAABNAAIAAAl0AgAACWICAAAGgMA==
Date: Tue, 26 Mar 2019 15:45:33 +0000
Message-ID: <BN6PR14MB1106477F25C11AD9031EF075835F0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <BN8PR09MB36040F0DFA1A6C8D4D80B8F0F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <04a801d4e3e8$bd2f79b0$378e6d10$@augustcellars.com>
In-Reply-To: <04a801d4e3e8$bd2f79b0$378e6d10$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tim.hollebeek@digicert.com; 
x-originating-ip: [31.133.130.102]
x-ms-publictraffictype: Email
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0927_01D4E3F3.51FBC6C0"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tSF0kdCynR5W8tMXHYjEFWhRfJA>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 15:45:45 -0000

------=_NextPart_000_0927_01D4E3F3.51FBC6C0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_0928_01D4E3F3.51FBC6C0"


------=_NextPart_001_0928_01D4E3F3.51FBC6C0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

(chair hat off)

 

There are implementations that try to only hold the expanded private key in
HSM memory and never outside the HSM.  So there are space concerns as well
as CPU time concerns that may limit total tree size.  Remember that for some
use-cases, it is desirable to be able to use relatively small and
underpowered HSMs, especially for relatively rare operations like
code-signing.

 

And as I mentioned this afternoon, "only two hours" already pushes the
boundaries of what is feasible as part of a key generation ceremony.

 

I can appreciate the desire to use single-level trees in some use cases, but
there are other practical use cases where multi-level trees have some very
desirable characteristics.  In fact, single-level trees may be completely
infeasible.

 

This is already a concern with some of the implementations we have played
with today.  Undoubtably even more use cases will come up in the future.

 

The flexibility that multi-level trees allow is very important.  We just
need to make sure that we provide the appropriate advice to make sure that
they are being used in a secure way.

 

-Tim

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Jim Schaad
Sent: Tuesday, March 26, 2019 4:30 PM
To: 'Dang, Quynh (Fed)' <quynh.dang@nist.gov>; 'Scott Fluhrer (sfluhrer)'
<sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

 

 

From: Dang, Quynh (Fed) <quynh.dang@nist.gov>
Sent: Tuesday, March 26, 2019 4:21 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Scott Fluhrer (sfluhrer)'
<sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

 

 

  _____  

From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:12 AM
To: Dang, Quynh (Fed); 'Scott Fluhrer (sfluhrer)'; 'SPASM'
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS. 

 

There is one other factor to compare in terms of how big the tree is.  For a
very large tree, if you do not have the resources to keep the entire private
key set (or a large subset of it) then you get into the situation where you
regenerate the entire private key tree for each and every signature. 

 

Quynh: You generate an OTS private key whenever you need it from a SEED: this
is the same with a multi-level tree.

Jim: You also need to generate the path from the leaf to the root.  Since
this path changes for every message you sign, you also need to do some
regeneration of the path if you don't keep all (or a large set) of the leaf
OTS public keys.

Quynh. 

 

This is part of the trade-off between small key size and fast signature
generation/usage of time.

 

Jim

 

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

The only downside of a 1-level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3, etc., hours of key generation time is not a problem, using
a big 1-level tree seems better than using a multi-level tree.

 

Therefore, some bigger height numbers for 1-level trees may be desired.

 

Quynh. 

  _____  

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS. 

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation
of LMS.

 

Hi all,

 

Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821

 

This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).

 

I just looked at the LMS draft; the single tree with height 25 (2^25
signatures) takes only 1.5 hours.

 

Clarification on this:

*	The test used 15 cores (and so it used a total of circa 1 core-day)
*	This was done with a W=8 parameter set.  This makes the signature
shorter (1936 bytes in this case), however it does increase the key
generation time; a W=4 parameter set would approximately double the
signature size, while decreasing the key generation time by circa a factor
of 8.

 

 

Regards,

Quynh. 
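
The trade-offs discussed in this thread (Winternitz width W against signature size and key generation time, one tall tree against a multi-level tree, and the cost of rebuilding the authentication path) can be put into numbers. The following is an added example, not part of the thread or of any participant's code; it assumes the byte layouts and chain-count formula of RFC 8554 with SHA-256 (n = 32), and it counts hash calls without the derivation of OTS secrets from a seed.

```python
"""Size and key-generation cost model for LMS/HSS with SHA-256 (n = 32).

Byte layouts and the Winternitz chain-count formula follow RFC 8554.
Hash counts are calls, not compression-function blocks, and leave out
deriving the OTS secrets from a seed (an assumption of this model).
"""
from math import ceil

N = 32                            # hash output length in bytes
LMS_PUB_BYTES = 4 + 4 + 16 + N    # lms type || ots type || I || T[1]


def lmots_p(w: int, n: int = N) -> int:
    """Number of Winternitz chains for chain width w bits."""
    u = ceil(8 * n / w)                           # chains covering the digest
    v = ceil(((2**w - 1) * u).bit_length() / w)   # chains covering the checksum
    return u + v


def lms_sig_bytes(h: int, w: int, n: int = N) -> int:
    """One LMS signature: q || LM-OTS signature || lms type || h path nodes."""
    ots_sig = 4 + n + lmots_p(w, n) * n           # ots type || C || y[0..p-1]
    return 4 + ots_sig + 4 + h * n


def hss_sig_bytes(heights: list, w: int) -> int:
    """HSS signature for trees of the given heights, top level first."""
    *upper, last = heights
    size = 4                                      # Nspk
    for h in upper:                               # signed public key per upper level
        size += lms_sig_bytes(h, w) + LMS_PUB_BYTES
    return size + lms_sig_bytes(last, w)


def leaf_hashes(w: int) -> int:
    """Hash calls to turn one OTS private key into its public key K."""
    return lmots_p(w) * (2**w - 1) + 1            # all chain steps, then K


def keygen_hashes(heights: list, w: int) -> int:
    """Hash calls before the first signature: one complete tree per level."""
    total = 0
    for h in heights:
        leaves = 2**h
        # per leaf: OTS public key plus the leaf node; then the internal nodes
        total += leaves * (leaf_hashes(w) + 1) + (leaves - 1)
    return total


def uncached_path_leaves(h: int) -> int:
    """Leaves to rebuild for one authentication path when no nodes are stored.

    The path holds one sibling per level; the sibling at level i covers 2**i
    leaves, so the sum over i = 0..h-1 is 2**h - 1.
    """
    return sum(2**i for i in range(h))


def compare(param_sets):
    """Rows of (heights, w, signature bytes, keygen hash calls)."""
    return [(hs, w, hss_sig_bytes(hs, w), keygen_hashes(hs, w))
            for hs, w in param_sets]


if __name__ == "__main__":
    rows = compare([([25], 8), ([25], 4), ([15, 10], 8), ([15, 10], 4)])
    for hs, w, sig, kg in rows:
        name = "/".join(str(h) for h in hs)
        print(f"h={name:<6} W={w}  sig={sig:>5} B  keygen={kg:.3e} hash calls")
    print("leaves rebuilt per signature, h=25, nothing cached:",
          uncached_path_leaves(25))
```

The two-level 15/10 set covers the same 2^25 signatures as the single height-25 tree while building only 2^15 + 2^10 leaves at key generation, at the price of a second LMS signature and public key in every HSS signature.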

 

 

 

 


------=_NextPart_001_0928_01D4E3F3.51FBC6C0
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 15 =
(filtered medium)"><!--[if !mso]><style>v\:* =
{behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p class=3DMsoNormal>(chair hat =
off)<o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>There are implementations that try to only hold the =
expanded private key in HSM memory and never outside the HSM.&nbsp; So =
there are space concerns as well as CPU time concerns that may limit =
total tree size.&nbsp; Remember that for some use-cases, it is desirable =
to be able to use relatively small and underpowered HSMs, especially for =
relatively rare operations like code-signing.<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>And as I =
mentioned this afternoon, &#8220;only two hours&#8221; already pushes =
the boundaries of what is feasible as part of a key generation =
ceremony.<o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>I can appreciate the desire to use single-level trees =
in some use cases, but there are other practical use cases where =
multi-level trees have some very desirable characteristics.&nbsp; In =
fact, single-level trees may be completely infeasible.<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>This is =
already a concern with some of the implementations we have played with =
today.&nbsp; Undoubtably even more use cases will come up in the =
future.<o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>The flexibility that multi-level trees allow is very =
important.&nbsp; We just need to make sure that we provide the =
appropriate advice to make sure that they are being used in a secure =
way.<o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>-Tim<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> Spasm =
&lt;spasm-bounces@ietf.org&gt; <b>On Behalf Of </b>Jim =
Schaad<br><b>Sent:</b> Tuesday, March 26, 2019 4:30 PM<br><b>To:</b> =
'Dang, Quynh (Fed)' &lt;quynh.dang@nist.gov&gt;; 'Scott Fluhrer =
(sfluhrer)' &lt;sfluhrer@cisco.com&gt;; 'SPASM' =
&lt;spasm@ietf.org&gt;<br><b>Subject:</b> Re: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> Dang, =
Quynh (Fed) &lt;<a =
href=3D"mailto:quynh.dang@nist.gov">quynh.dang@nist.gov</a>&gt; =
<br><b>Sent:</b> Tuesday, March 26, 2019 4:21 PM<br><b>To:</b> Jim =
Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;; =
'Scott Fluhrer (sfluhrer)' &lt;<a =
href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;; 'SPASM' =
&lt;<a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br><b>Subject:</b> =
Re: [lamps] Side-channel attack on multi-level trees and key generation =
of LMS.<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
id=3Ddivtagdefaultwrapper><p><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><div><=
div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><span =
style=3D'font-size:12.0pt;color:black'><hr size=3D2 width=3D"98%" =
align=3Dcenter></span></div><div id=3DdivRplyFwdMsg><p =
class=3DMsoNormal><b><span style=3D'color:black'>From:</span></b><span =
style=3D'color:black'> Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;<br>=
<b>Sent:</b> Tuesday, March 26, 2019 11:12 AM<br><b>To:</b> Dang, Quynh =
(Fed); 'Scott Fluhrer (sfluhrer)'; 'SPASM'<br><b>Subject:</b> RE: =
[lamps] Side-channel attack on multi-level trees and key generation of =
LMS.</span><span style=3D'font-size:12.0pt;color:black'> =
<o:p></o:p></span></p><div><p class=3DMsoNormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p></div>=
</div><div><div><p class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>There is one other factor to =
compare in terms of how big the tree is.&nbsp; For a very large tree, if =
you do not have the resources to keep the entire private key set (or a =
large subset of it) then you get into the situation where you regenerate =
the entire private key tree for each and every =
signature.&nbsp;<o:p></o:p></span></p><p class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:red'>Quynh:&nbsp;You generate a OTS =
private key whenever you need it from a SEED: this is the same with =
multi-level tree.&nbsp;&nbsp;</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><p =
class=3Dxmsonormal><span style=3D'font-size:12.0pt'>Jim: You also need =
to generate the path from the leaf to the root.&nbsp; Since this path =
changes for every message you sign, you also need to do some =
regeneration of the path if you don&#8217;t keep all (or a large set) of =
the leaf OTS public keys.<span =
style=3D'color:black'><o:p></o:p></span></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:red'>Quynh.&nbsp;</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></p><p =
class=3Dxmsonormal><span style=3D'font-size:12.0pt;color:black'>This is =
part of the trade off between small key size and fast signature =
generation/usage of time.<o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>Jim<o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3Dxmsonormal><b><span =
style=3D'font-size:12.0pt;color:black'>From:</span></b><span =
style=3D'font-size:12.0pt;color:black'> Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; =
<b>On Behalf Of </b>Dang, Quynh (Fed)<br><b>Sent:</b> Tuesday, March 26, =
2019 3:04 PM<br><b>To:</b> Scott Fluhrer (sfluhrer) &lt;<a =
href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;; SPASM =
&lt;<a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br><b>Subject:</b> =
Re: [lamps] Side-channel attack on multi-level trees and key generation =
of LMS.<o:p></o:p></span></p></div></div><p class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><div =
id=3D"x_divtagdefaultwrapper"><p><span =
style=3D'font-size:12.0pt;color:black'>The only downside of 1 level tree =
is its key generation time comparing to multi-level trees. In situations =
(&nbsp;such as a code signing application) where 1,&nbsp;2 or 3 etc... =
hours of a&nbsp;key generation time is not a problem, then using a =
big&nbsp;1 level tree seems better than using a multi-level =
tree.&nbsp;<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>Therefore,&nbsp; some bigger =
height numbers for 1-level tree may be =
desired.<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an =
style=3D'font-size:12.0pt;color:black'>Quynh.&nbsp;<o:p></o:p></span></p>=
</div><div class=3DMsoNormal align=3Dcenter =
style=3D'text-align:center'><span =
style=3D'font-size:12.0pt;color:black'><hr size=3D2 width=3D"98%" =
align=3Dcenter></span></div><div id=3D"x_divRplyFwdMsg"><p =
class=3Dxmsonormal><b><span =
style=3D'font-size:12.0pt;color:black'>From:</span></b><span =
style=3D'font-size:12.0pt;color:black'> Scott Fluhrer (sfluhrer) &lt;<a =
href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;<br><b>Sent:=
</b> Tuesday, March 26, 2019 9:20:05 AM<br><b>To:</b> Dang, Quynh (Fed); =
SPASM<br><b>Subject:</b> RE: [lamps] Side-channel attack on multi-level =
trees and key generation of LMS. <o:p></o:p></span></p><div><p =
class=3Dxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p></div>=
</div><div><div><p class=3Dxxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>I<b>rom:</b> Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; =
<b>On Behalf Of </b>Dang, Quynh (Fed)<br><b>Sent:</b> Tuesday, March 26, =
2019 9:11 AM<br><b>To:</b> SPASM &lt;<a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br><b>Subject:</b> =
[lamps] Side-channel attack on multi-level trees and key generation of =
LMS.<o:p></o:p></span></p><p class=3Dxxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><div =
id=3D"x_x_divtagdefaultwrapper"><p><span =
style=3D'font-size:12.0pt;color:black'>Hi =
all,<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>Here is the attack I mentioned =
at the meeting today:&nbsp;<a =
href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F=
%2Feprint.iacr.org%2F2018%2F674%2F20180713%3A140821&amp;data=3D02%7C01%7C=
quynh.dang%40nist.gov%7C8d6a1d790ec0480aafe408d6b1fd9160%7C2ab5d82fd8fa47=
97a93e054655c61dec%7C1%7C0%7C636892099954210337&amp;sdata=3D2VcGnAW6UEsdb=
DbU5wcB5tBSI4gL7H3%2F1xVeXzIW39w%3D&amp;reserved=3D0">https://eprint.iacr=
..org/2018/674/20180713:140821</a>.<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:#1F497D'>This is a fault attack (that =
is, you try to make the signer miscompute something, and then use the =
miscomputed signature); a signer implementation could implement =
protections against this (of course, those protections are not =
free).</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>I just looked at the LMS's =
draft, the single tree with height 25 ( 2^25 signatures)&nbsp; takes =
only 1.5 hours.<o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:#1F497D'>Clarification on =
this:</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><ul =
type=3Ddisc><li class=3Dxmsonormal style=3D'color:#1F497D;mso-list:l1 =
level1 lfo3'><span style=3D'font-size:12.0pt'>The test used 15 cores =
(and so it used a total of circa 1 core-day)<o:p></o:p></span></li><li =
class=3Dxmsonormal style=3D'color:#1F497D;mso-list:l1 level1 lfo3'><span =
style=3D'font-size:12.0pt'>This was done with a W=3D8 parameter =
set.&nbsp; This makes the signature shorter (1936 bytes in this case), =
however it does increase the key generation time; a W=3D4 parameter set =
would approximately double the signature size, while decreasing the key =
generation time by circa a factor of =
8.<o:p></o:p></span></li></ul><p><span =
style=3D'font-size:12.0pt;color:#1F497D'>&nbsp;</span><span =
style=3D'font-size:12.0pt;color:black'><o:p></o:p></span></p><p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an =
style=3D'font-size:12.0pt;color:black'>Regards,<o:p></o:p></span></p><p><=
span =
style=3D'font-size:12.0pt;color:black'>Quynh.&nbsp;<o:p></o:p></span></p>=
<p><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p><sp=
an style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><p =
class=3Dxxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p><div><=
div><div><div><p class=3Dxxmsonormal><span =
style=3D'font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></p></div>=
</div></div></div></div></div></div></div></div></div></div></div></div><=
/div></div></body></html>
------=_NextPart_001_0928_01D4E3F3.51FBC6C0--

------=_NextPart_000_0927_01D4E3F3.51FBC6C0
Content-Type: application/pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"
------=_NextPart_000_0927_01D4E3F3.51FBC6C0--


From nobody Tue Mar 26 09:03:08 2019
Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1988E1203AC for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 09:03:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level: 
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EURYmKP6YXdb for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 09:03:00 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0723.outbound.protection.outlook.com [IPv6:2a01:111:f400:fd00::723]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AEE112038E for <spasm@ietf.org>; Tue, 26 Mar 2019 09:03:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DHv8ihe/uQb4Lt/9Vc+l+MHeU3eGUCrcSV+/riesSek=; b=GnK0fJ6O7UNiwMUmCjeMDpPRJh1RnXuSfXF+5oDqzkNZ1aRjxLFXyil6rknPLS1nbpLWntkz9TnPg5oQRKmDfLLBW9zRTfgQnyOlSuLMiHEt6YlZlHfiM4uFYISVRF5i9dxmusPxD70+AE0lzGbpIsCOk83HEIhBOuXO1nvwov0=
Received: from BN8PR09MB3604.namprd09.prod.outlook.com (20.179.76.14) by BN8PR09MB3602.namprd09.prod.outlook.com (20.179.76.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.18; Tue, 26 Mar 2019 16:02:58 +0000
Received: from BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0]) by BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0%5]) with mapi id 15.20.1730.019; Tue, 26 Mar 2019 16:02:58 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Tim Hollebeek <tim.hollebeek@digicert.com>, Jim Schaad <ietf@augustcellars.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VOWMyEHh07WU6WCYCL4KDmBaYd5ZWAgAAKTzaAABUyAIAAAZekgAADHoCAAARvgIAAA5Hm
Date: Tue, 26 Mar 2019 16:02:58 +0000
Message-ID: <BN8PR09MB3604A77E47718900BC83A13DF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <BN8PR09MB36040F0DFA1A6C8D4D80B8F0F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <04a801d4e3e8$bd2f79b0$378e6d10$@augustcellars.com>, <BN6PR14MB1106477F25C11AD9031EF075835F0@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <BN6PR14MB1106477F25C11AD9031EF075835F0@BN6PR14MB1106.namprd14.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-originating-ip: [2001:67c:370:128:b877:3682:3cc7:357]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 448a0405-396e-41f2-3f2c-08d6b204842d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:BN8PR09MB3602; 
x-ms-traffictypediagnostic: BN8PR09MB3602:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <BN8PR09MB360211E5B4F0ED571AA222EFF35F0@BN8PR09MB3602.namprd09.prod.outlook.com>
x-forefront-prvs: 09888BC01D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(366004)(39860400002)(396003)(136003)(189003)(199004)(53754006)(9686003)(53936002)(14454004)(476003)(46003)(236005)(446003)(6606003)(11346002)(19627235002)(256004)(105586002)(6246003)(14444005)(6116002)(19627405001)(71190400001)(486006)(86362001)(2906002)(71200400001)(6436002)(106356001)(99286004)(229853002)(93886005)(110136005)(8936002)(33656002)(316002)(55016002)(6306002)(54896002)(6506007)(25786009)(7696005)(76176011)(102836004)(97736004)(5660300002)(81156014)(186003)(68736007)(8676002)(52536014)(81166006)(478600001)(966005)(7736002)(74316002)(606006)(53546011); DIR:OUT; SFP:1102; SCL:1; SRVR:BN8PR09MB3602; H:BN8PR09MB3604.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: s48JiGUMI5/P/TqknoHDW68m7FwHgAjUqbKPhDwBI1MVgQVoS2VgutuevgRsAve+CfFtZSDZJwxAAr35F8yeq7wRp98GuYFlVgvoy+WzMjed+d/2UD3Cglhsw6E8B0wUZdIC2pqkNPJDBgTONBLw3QhygSuEr18eqC9rgKrXfkcKaWcxjZ+vl+Shrh3qwe9wtuTdO0cQtRrM5Bp+0rVCpbClOKHD3d1GTRtqT0X2CVt01NfakypvELA/Exzl+8q1Hozl98fze+jMHzZPM5uqJi1WmOsb/Nohr6OueU2c0Liu1jfigEkGdoNF+/FefVqDYF/wA36zrN6ptuyJdAkPsHYsuq4ur/wUuINpLSrSyaSl2JRIqSnW0r0FoUQU2Pdrvygu4RpEV4xKg3W8yfmmDTcKlj+U6y0ltSaN0EPv9a8=
Content-Type: multipart/alternative; boundary="_000_BN8PR09MB3604A77E47718900BC83A13DF35F0BN8PR09MB3604namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 448a0405-396e-41f2-3f2c-08d6b204842d
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2019 16:02:58.6214 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR09MB3602
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/uy_PiUrTGRn8hL_gWz3mJ7JrWK0>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 16:03:05 -0000

--_000_BN8PR09MB3604A77E47718900BC83A13DF35F0BN8PR09MB3604namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

An HSM holding the LMS private key (the full LMS private key) of a small signing leaf tree is the same as an HSM holding the equivalent number of OTS private keys from a 1-level tree.



So, the situation is the same for both cases.


Quynh.

________________________________
From: Tim Hollebeek <tim.hollebeek@digicert.com>
Sent: Tuesday, March 26, 2019 11:45:33 AM
To: Jim Schaad; Dang, Quynh (Fed); 'Scott Fluhrer (sfluhrer)'; 'SPASM'
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.


(chair hat off)



There are implementations that try to only hold the expanded private key in HSM memory and never outside the HSM.  So there are space concerns as well as CPU time concerns that may limit total tree size.  Remember that for some use-cases, it is desirable to be able to use relatively small and underpowered HSMs, especially for relatively rare operations like code-signing.



And as I mentioned this afternoon, “only two hours” already pushes the boundaries of what is feasible as part of a key generation ceremony.



I can appreciate the desire to use single-level trees in some use cases, but there are other practical use cases where multi-level trees have some very desirable characteristics.  In fact, single-level trees may be completely infeasible.



This is already a concern with some of the implementations we have played with today.  Undoubtably even more use cases will come up in the future.



The flexibility that multi-level trees allow is very important.  We just need to make sure that we provide the appropriate advice to make sure that they are being used in a secure way.



-Tim



From: Spasm <spasm-bounces@ietf.org> On Behalf Of Jim Schaad
Sent: Tuesday, March 26, 2019 4:30 PM
To: 'Dang, Quynh (Fed)' <quynh.dang@nist.gov>; 'Scott Fluhrer (sfluhrer)' <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.







From: Dang, Quynh (Fed) <quynh.dang@nist.gov>
Sent: Tuesday, March 26, 2019 4:21 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Scott Fluhrer (sfluhrer)' <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.







________________________________

From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:12 AM
To: Dang, Quynh (Fed); 'Scott Fluhrer (sfluhrer)'; 'SPASM'
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



There is one other factor to compare in terms of how big the tree is.  For a very large tree, if you do not have the resources to keep the entire private key set (or a large subset of it) then you get into the situation where you regenerate the entire private key tree for each and every signature.



Quynh: You generate an OTS private key whenever you need it from a SEED: this is the same as with a multi-level tree.

Jim: You also need to generate the path from the leaf to the root.  Since this path changes for every message you sign, you also need to do some regeneration of the path if you don’t keep all (or a large set) of the leaf OTS public keys.

Quynh.



This is part of the trade off between small key size and fast signature generation/usage of time.



Jim





From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



The only downside of a 1 level tree is its key generation time compared to multi-level trees. In situations (such as a code signing application) where 1, 2 or 3 etc... hours of key generation time is not a problem, then using a big 1 level tree seems better than using a multi-level tree.



Therefore, some bigger height numbers for 1-level tree may be desired.



Quynh.

________________________________

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Hi all,



Here is the attack I mentioned at the meeting today: https://eprint.iacr.org/2018/674/20180713:140821.



This is a fault attack (that is, you try to make the signer miscompute something, and then use the miscomputed signature); a signer implementation could implement protections against this (of course, those protections are not free).



I just looked at the LMS's draft, the single tree with height 25 (2^25 signatures) takes only 1.5 hours.



Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature shorter (1936 bytes in this case), however it does increase the key generation time; a W=4 parameter set would approximately double the signature size, while decreasing the key generation time by circa a factor of 8.





Regards,

Quynh.









--_000_BN8PR09MB3604A77E47718900BC83A13DF35F0BN8PR09MB3604namp_--
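
The signature size and key-generation figures discussed in this thread can be reproduced from the formulas in the LMS specification (published as RFC 8554). The following is an added example, not code from the thread or from any LMS implementation; the function names, the seed-based derivation of OTS secrets (one hash call per chain) and the 15/10 two-level split used for comparison are assumptions of this example.

```python
# Added example: LMS/HSS signature size and key-generation cost, computed from
# the RFC 8554 formulas for the SHA-256 parameter sets (n = 32).
# All function names are this example's own (hypothetical), not a library API.

N = 32        # hash output length in bytes
ID_LEN = 16   # length of the LMS key identifier I


def _ceil_div(a, b):
    return -(-a // b)


def lmots_p(w, n=N):
    """Number of Winternitz chains p for coefficient width w."""
    if w not in (1, 2, 4, 8):
        raise ValueError("w must be 1, 2, 4 or 8")
    u = _ceil_div(8 * n, w)                       # chains covering the message hash
    max_checksum = (2 ** w - 1) * u
    v = _ceil_div(max_checksum.bit_length(), w)   # chains covering the checksum
    return u + v


def lms_signature_bytes(h, w, n=N):
    """q || LM-OTS signature (type || C || y[0..p-1]) || LMS type || h path nodes."""
    ots_signature = 4 + n + lmots_p(w, n) * n
    return 4 + ots_signature + 4 + h * n


def lms_public_key_bytes(n=N):
    """LMS type || LM-OTS type || I || tree root."""
    return 4 + 4 + ID_LEN + n


def hss_signature_bytes(heights, w, n=N):
    """HSS signature size for tree heights listed top to bottom; [25] is one tree."""
    if not heights:
        raise ValueError("need at least one level")
    size = 4                                      # Nspk counter
    for h in heights[:-1]:                        # each upper level signs a public key
        size += lms_signature_bytes(h, w, n) + lms_public_key_bytes(n)
    return size + lms_signature_bytes(heights[-1], w, n)


def leaf_hashes(w, n=N):
    """Hash calls to produce one leaf when OTS secrets are derived from a seed."""
    p = lmots_p(w, n)
    derive_secrets = p                 # assumed: one call per chain start value
    walk_chains = p * (2 ** w - 1)     # every chain is iterated 2^w - 1 times
    return derive_secrets + walk_chains + 1 + 1   # + OTS public key K + leaf node


def keygen_hashes(heights, w, n=N):
    """Hash calls to build the top tree plus the first tree of each lower level.
    The few OTS signatures that link the levels together are not counted."""
    return sum(2 ** h * leaf_hashes(w, n) + (2 ** h - 1) for h in heights)


def capacity(heights):
    """Total number of messages the key can sign."""
    return 2 ** sum(heights)


def compare(configs):
    """Return one summary row per (heights, w) configuration."""
    return [
        {
            "heights": heights,
            "w": w,
            "signatures": capacity(heights),
            "sig_bytes": hss_signature_bytes(heights, w),
            "keygen_hashes": keygen_hashes(heights, w),
        }
        for heights, w in configs
    ]


if __name__ == "__main__":
    # Single height-25 tree at W=8 and W=4, and a 15/10 split with equal capacity.
    for row in compare([([25], 8), ([25], 4), ([15, 10], 8)]):
        print(row)
```

The hash-call count is a proxy for key-generation time: it shows why the single height-25 tree costs about a thousand times more to generate than the two-level split, which is the trade-off against the fault-attack exposure of multi-level trees raised in the thread.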


From nobody Tue Mar 26 09:13:46 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F48D1204EC for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 09:13:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.09
X-Spam-Level: 
X-Spam-Status: No, score=0.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qWYXu1CzGcKh for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 09:13:42 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EDEB12052F for <spasm@ietf.org>; Tue, 26 Mar 2019 09:13:41 -0700 (PDT)
Received: from Jude (31.133.136.100) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 26 Mar 2019 09:13:34 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, "'Dang, Quynh (Fed)'" <quynh.dang=40nist.gov@dmarc.ietf.org>, 'SPASM' <spasm@ietf.org>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com>
In-Reply-To: <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com>
Date: Tue, 26 Mar 2019 17:13:30 +0100
Message-ID: <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_04C1_01D4E3F7.3E311BA0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGxeOKNdKozrHAci8pAAx4ahTvmlgIxG3TbAT4B+M8A3xuK/AH0U3JhASTbB3oBZ3jGG6YecqXA
Content-Language: en-us
X-Originating-IP: [31.133.136.100]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/UqnM-_AP6LNIIKGwSRIJNKCKZ5o>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 16:13:45 -0000

------=_NextPart_000_04C1_01D4E3F7.3E311BA0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

I understand that, but again there are some trade-offs of memory vs time.
All of the simple tree saving algorithms I have thought of can occasionally
require the generation of a large portion of the tree depending on what
boundaries one is crossing in the tree, this means that the signing time is
not constant.  One can also make gains by doing some pre-computation of
expected trees as one goes along.  When you have a tree of trees, one can
get lots of speed up by saving the signature for all but the bottom most
tree so that only that tree needs to have portions regenerated until you
move to a new sub-tree.

 

All of these are space/time trade-offs and one needs to understand what the
extremes are on both ends before one says that a huge single tree is better
or worse than a lot of small trees, even if the number of levels that are
created are the same.

 

Jim

 

 

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> 
Sent: Tuesday, March 26, 2019 4:28 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Dang, Quynh (Fed)'
<quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

Actually, there are algorithms that are able to generate the next
authentication path by storing a comparatively small part of the tree, and
using only a relatively small number of leaf node evaluations.  For example,
http://www.szydlo.com/fractal-jmls.pdf 

 

From: Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com> > 
Sent: Tuesday, March 26, 2019 11:13 AM
To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org
<mailto:quynh.dang=40nist.gov@dmarc.ietf.org> >; Scott Fluhrer (sfluhrer)
<sfluhrer@cisco.com <mailto:sfluhrer@cisco.com> >; 'SPASM' <spasm@ietf.org
<mailto:spasm@ietf.org> >
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

There is one other factor to compare in terms of how big the tree is.  For a
very large tree, if you do not have the resources to keep the entire private
key set (or a large subset of it) then you get into the situation where you
regenerate the entire private key tree for each and every signature.  This
is part of the trade off between small key size and fast signature
generation/usage of time.

 

Jim

 

 

From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org> > On
Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com <mailto:sfluhrer@cisco.com>
>; SPASM <spasm@ietf.org <mailto:spasm@ietf.org> >
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

The only downside of 1 level tree is its key generation time comparing to
multi-level trees. In situations ( such as a code signing application) where
1, 2 or 3 etc... hours of a key generation time is not a problem, then using
a big 1 level tree seems better than using a multi-level tree. 

 

Therefore,  some bigger height numbers for 1-level tree may be desired.

 

Quynh. 

  _____  

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com
<mailto:sfluhrer@cisco.com> >
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS. 

 

From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org> > On
Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org <mailto:spasm@ietf.org> >
Subject: [lamps] Side-channel attack on multi-level trees and key generation
of LMS.

 

Hi all,

 

Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821

 

This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).

 

I just looked at the LMS's draft, the single tree with height 25 ( 2^25
signatures)  takes only 1.5 hours.

 

Clarification on this:

*	The test used 15 cores (and so it used a total of circa 1 core-day)
*	This was done with a W=8 parameter set.  This makes the signature
shorter (1936 bytes in this case), however it does increase the key
generation time; a W=4 parameter set would approximately double the
signature size, while decreasing the key generation time by circa a factor
of 8.

 

 

Regards,

Quynh. 

 

 

 

 


------=_NextPart_000_04C1_01D4E3F7.3E311BA0--
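
Added example (not part of any message in this thread, and not code from the LMS draft's authors): the size and key-generation arithmetic behind the W=8 versus W=4 clarification and the single-tree versus multi-level comparison discussed above, using the signature layouts of RFC 8554. It assumes SHA-256 (n = 32) and a one-level HSS wrapper for the 1936-byte figure, and it counts only chain, leaf and interior-node hashes; all function names are hypothetical.

```python
"""LMS/HSS signature-size and key-generation cost arithmetic (RFC 8554 layouts).

Assumptions (not stated in the thread): SHA-256 with n = m = 32 bytes, and a
hash count that ignores deriving the one-time private values from a seed.
"""

N = 32                              # hash output length in bytes
ID_LEN = 16                         # length of the LMS key identifier I
LMS_PUB_LEN = 4 + 4 + ID_LEN + N    # lms type || ots type || I || root = 56


def ceil_div(a, b):
    return -(-a // b)


def lmots_p(w, n=N):
    """Number of Winternitz chains p = u + v (RFC 8554, Appendix B)."""
    u = ceil_div(8 * n, w)                        # digits covering the digest
    # floor(lg(x)) + 1 equals x.bit_length() for x > 0
    v = ceil_div(((2 ** w - 1) * u).bit_length(), w)   # checksum digits
    return u + v


def lmots_sig_len(w):
    """ots type (4) || randomizer C (n) || p chain values (n each)."""
    return 4 + N * (lmots_p(w) + 1)


def lms_sig_len(h, w):
    """leaf index q (4) || LM-OTS signature || lms type (4) || h path nodes."""
    return 4 + lmots_sig_len(w) + 4 + h * N


def hss_sig_len(heights, w):
    """Nspk (4), then for every level but the last: LMS sig || child pubkey."""
    total = 4
    for level, h in enumerate(heights):
        total += lms_sig_len(h, w)
        if level < len(heights) - 1:
            total += LMS_PUB_LEN
    return total


def leaf_hashes(w):
    """Hash calls for one leaf: p chains of 2^w - 1 steps, K, the leaf node."""
    return lmots_p(w) * (2 ** w - 1) + 2


def keygen_hashes(heights, w):
    """Key generation builds one full tree per level (top tree plus the first
    subtree at each lower level): 2^h leaves and 2^h - 1 interior nodes."""
    return sum(2 ** h * leaf_hashes(w) + (2 ** h - 1) for h in heights)


def capacity(heights):
    """Total number of signatures the key can produce."""
    return 2 ** sum(heights)


if __name__ == "__main__":
    cases = [
        ("single tree h=25, W=8", [25], 8),
        ("single tree h=25, W=4", [25], 4),
        ("two levels h=10/15, W=8", [10, 15], 8),
    ]
    base = keygen_hashes([25], 8)
    for name, heights, w in cases:
        cost = keygen_hashes(heights, w)
        print(f"{name:26s} sigs=2^{sum(heights)} "
              f"sig_len={hss_sig_len(heights, w):5d} B "
              f"keygen_hashes={cost:.3e} (1/{base / cost:.1f} of h=25,W=8)")
```

The per-signature work that Jim Schaad and Scott Fluhrer discuss (how much of the tree is cached versus recomputed) is not modelled here; only signature length and initial key generation are.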


From nobody Tue Mar 26 09:21:36 2019
Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E188120562 for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 09:21:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g6iHihWfKSxr for <spasm@ietfa.amsl.com>; Tue, 26 Mar 2019 09:21:29 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-eopbgr830138.outbound.protection.outlook.com [40.107.83.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0A63120630 for <spasm@ietf.org>; Tue, 26 Mar 2019 09:21:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QJ3gYYOlaEYtgdbIDrVsB1lyWSFPmQiEzW/KZJl0qpA=; b=Yiv6A8LVBaLPkR2hzaenylhZ1NvcXhrkhgYm4a6P4Ks2ARa6rk4udwe+t+fMPfPuHhux3radF9LVyzQBPiNz5FcuuDflOg+kCuRYr+4pFUMu7TBZFOhOIXzbIE2HOfjkIjghBHNOncwAFV5oUf24+msjE2IQLXuYTmODQ2ZxBtc=
Received: from BN8PR09MB3604.namprd09.prod.outlook.com (20.179.76.14) by BN8PR09MB3602.namprd09.prod.outlook.com (20.179.76.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.18; Tue, 26 Mar 2019 16:21:24 +0000
Received: from BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0]) by BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0%5]) with mapi id 15.20.1730.019; Tue, 26 Mar 2019 16:21:24 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Jim Schaad <ietf@augustcellars.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, "'Dang, Quynh (Fed)'" <quynh.dang=40nist.gov@dmarc.ietf.org>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VOWMyEHh07WU6WCYCL4KDmBaYd5ZWAgAAKTzaAABUyAIAABCUAgAAMzgCAAAGUxw==
Date: Tue, 26 Mar 2019 16:21:23 +0000
Message-ID: <BN8PR09MB360492F2741D92172B0AEA3EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com>, <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com>
In-Reply-To: <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-originating-ip: [2001:67c:370:128:b877:3682:3cc7:357]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6ee02ae4-95cc-4ab4-4abb-08d6b2071705
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:BN8PR09MB3602; 
x-ms-traffictypediagnostic: BN8PR09MB3602:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BN8PR09MB3602F744FAE090B60410468CF35F0@BN8PR09MB3602.namprd09.prod.outlook.com>
x-forefront-prvs: 09888BC01D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(396003)(39860400002)(366004)(346002)(376002)(53754006)(189003)(199004)(54896002)(6306002)(55016002)(102836004)(6506007)(7696005)(76176011)(25786009)(229853002)(93886005)(316002)(110136005)(8936002)(33656002)(74316002)(966005)(7736002)(606006)(53546011)(81156014)(186003)(97736004)(5660300002)(81166006)(478600001)(68736007)(8676002)(52536014)(11346002)(256004)(19627235002)(6606003)(6116002)(105586002)(6246003)(14454004)(53936002)(9686003)(236005)(46003)(476003)(446003)(106356001)(6436002)(99286004)(486006)(19627405001)(71190400001)(2906002)(71200400001)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN8PR09MB3602; H:BN8PR09MB3604.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: z6We6yB9I/uwILdMh9wZvM+DQUQ1aZQ9GjYLlvf1vXGBehBSLzh4ww6kEXO9OtHovkUQcZZ6oQs/LmCtaeqCOtUnL/I1a8PXxEb7Ly2MmV7oiJg1R2hSh1Uw/Ur+e0rMDpY3GipZhda1u2GKagYM+uvOCcCqNd+cOSYDh52cNTPoquYH38TKSvArTZw3nb4VGzr6xBc+GY4fGRuK7S0gVEgxxz9T2epWD8HPjUDD2cf27L3Z9BlveA2mk6CQGwIHrYKfxDhm3a41tf9IWgnooBabwm+BldaIhJ5AmLWhInlJWs9W4mhe4GwgCihuwcVH0XNoRqGFW7UasnGEeSaqZnnaBDtxyMPcmHnvc8TIKF5J+jPv52kdQjtQqxIL3lszC/M4DhHpSg5OA+Q+81feg2MtE+J3HLuYGdGP40FJGbc=
Content-Type: multipart/alternative; boundary="_000_BN8PR09MB360492F2741D92172B0AEA3EF35F0BN8PR09MB3604namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 6ee02ae4-95cc-4ab4-4abb-08d6b2071705
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2019 16:21:23.9040 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR09MB3602
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_6jx03YLrYbcLhYW4tSUia18g8M>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 16:21:34 -0000

--_000_BN8PR09MB360492F2741D92172B0AEA3EF35F0BN8PR09MB3604namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Time and memory trade-offs are applicable to both cases. Think the multi-level
tree is a tree, like a big 1-level tree.


Quynh.

________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 12:13:30 PM
To: 'Scott Fluhrer (sfluhrer)'; 'Dang, Quynh (Fed)'; 'SPASM'
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.


I understand that, but again there are some trade-offs of memory vs time.
All of the simple tree saving algorithms I have thought of can occasionally
require the generation of a large portion of the tree depending on what
boundaries one is crossing in the tree, this means that the signing time is
not constant.  One can also make gains by doing some pre-computation of
expected trees as one goes along.  When you have a tree of trees, one can
get lots of speed up by saving the signature for all but the bottom most
tree so that only that tree needs to have portions regenerated until you
move to a new sub-tree.



All of these are space/time trade-offs and one needs to understand what the
extremes are on both ends before one says that a huge single tree is better
or worse than a lot of small trees, even if the number of levels that are
created are the same.



Jim





From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 4:28 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Actually, there are algorithms that are able to generate the next
authentication path by storing a comparatively small part of the tree, and
using only a relatively small number of leaf node evaluations.  For example,
http://www.szydlo.com/fractal-jmls.pdf



From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:13 AM
To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



There is one other factor to compare in terms of how big the tree is.  For a
very large tree, if you do not have the resources to keep the entire private
key set (or a large subset of it) then you get into the situation where you
regenerate the entire private key tree for each and every signature.  This
is part of the trade off between small key size and fast signature
generation/usage of time.



Jim





From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



The only downside of 1 level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3 etc... hours of a key generation time is not a problem, then
using a big 1 level tree seems better than using a multi-level tree.



Therefore, some bigger height numbers for 1-level tree may be desired.



Quynh.

________________________________

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Hi all,



Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.



This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).



I just looked at the LMS's draft, the single tree with height 25 (2^25
signatures) takes only 1.5 hours.



Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature
      shorter (1936 bytes in this case), however it does increase the key
      generation time; a W=4 parameter set would approximately double the
      signature size, while decreasing the key generation time by circa a
      factor of 8.





Regards,

Quynh.









--_000_BN8PR09MB360492F2741D92172B0AEA3EF35F0BN8PR09MB3604namp_--
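
Added example (not part of any message in this thread, and not code from the LMS draft or its authors): the signature sizes and key-generation work discussed in the message above, computed from the LMS/HSS encodings of RFC 8554 with n = 32. The per-leaf hash count is a simplified cost model assumed here, and all function names are illustrative.

```python
"""LMS/HSS signature size and key-generation cost (added illustration)."""
import math

N = 32                           # hash output bytes (SHA-256 parameter sets)
LMS_PUBKEY_LEN = 4 + 4 + 16 + N  # lms type || ots type || I || root T[1]


def lmots_p(w: int, n: int = N) -> int:
    """Number of Winternitz chains p for chain width w (RFC 8554, Appendix B)."""
    u = math.ceil(8 * n / w)                  # chains covering the message hash
    # floor(log2(x)) + 1 equals x.bit_length() for x > 0
    v = math.ceil(((2 ** w - 1) * u).bit_length() / w)  # checksum chains
    return u + v


def lms_sig_len(h: int, w: int) -> int:
    """Bytes in one LMS signature for a tree of height h."""
    ots_sig = 4 + N + lmots_p(w) * N          # ots type || C || y[0..p-1]
    return 4 + ots_sig + 4 + h * N            # q || ots sig || lms type || path


def hss_sig_len(heights, w: int) -> int:
    """Bytes in an HSS signature; heights lists tree heights, top tree first."""
    total = 4                                 # Nspk = number of levels - 1
    for h in heights[:-1]:
        # each upper level contributes a signature over the next public key
        total += lms_sig_len(h, w) + LMS_PUBKEY_LEN
    return total + lms_sig_len(heights[-1], w)


def tree_keygen_hashes(h: int, w: int) -> int:
    """Approximate hash invocations to build one LMS tree of height h.

    Assumed cost model: per leaf, p chains of 2^w - 1 steps, one hash for the
    LM-OTS public key and one leaf hash; then 2^h - 1 interior nodes.
    Deriving the private chain seeds is not counted.
    """
    per_leaf = lmots_p(w) * (2 ** w - 1) + 2
    return (2 ** h) * per_leaf + (2 ** h - 1)


def initial_keygen_hashes(heights, w: int) -> int:
    """Work before the first signature: the top tree plus the first tree at
    each lower level. Later subtrees are built as signing reaches them."""
    return sum(tree_keygen_hashes(h, w) for h in heights)


if __name__ == "__main__":
    for w in (8, 4):
        print(f"W={w}: one tree h=25 -> {hss_sig_len([25], w)} byte signature, "
              f"{tree_keygen_hashes(25, w):.3e} hashes to generate")
    # Same 2^25 signature capacity split over two levels (h=15 over h=10).
    print(f"W=8: two levels 15/10 -> {hss_sig_len([15, 10], 8)} byte signature, "
          f"{initial_keygen_hashes([15, 10], 8):.3e} hashes before first use")
```
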


From nobody Wed Mar 27 02:09:04 2019
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9BD912028A for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 02:08:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com header.b=LCTtIhiJ; dkim=pass (1024-bit key) header.d=digicert.com header.b=NVaPJIe5
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bcLLwIG-ZutL for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 02:08:43 -0700 (PDT)
Received: from us-smtp-delivery-173.mimecast.com (us-smtp-delivery-173.mimecast.com [63.128.21.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78E0120285 for <spasm@ietf.org>; Wed, 27 Mar 2019 02:08:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=mimecast20190124; t=1553677715; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=V5vmV/9PJopKJNXfE+VsRqdC5Ek7wLI2wCWxIohOxE0=; b=LCTtIhiJLqzUJxTRJ4o6TtqhQRSXRWI+71YVmzsQXYch0AUR76qvGirs4pONOU0X49sAsgW+ldgQEXybsE0f/6m2J/fyg2WkTojFS457uyCVi68Zl1wpYvh5mPNxizhPHov1izzgE6P0zOX77Z6w3gK0TwwSscNq9NysegFsB98=
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (mail-sn1nam04lp2050.outbound.protection.outlook.com [104.47.44.50]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-64-0my11L4mOFOWSnELvqHkyw-1; Wed, 27 Mar 2019 05:08:33 -0400
X-MC-Unique: 0my11L4mOFOWSnELvqHkyw-1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=V5vmV/9PJopKJNXfE+VsRqdC5Ek7wLI2wCWxIohOxE0=; b=NVaPJIe5B0SyS7xzBEnsdeg/yx6lC9fa+lLAaumGWdMifg9VLHznrMTEyndN9VM/dNOb7PqMD7LrXORFjnd8A+nh59t/yTYQKEQx3NAlfCymz7zXF5NJlo63ZNybbgOsre1wNEo86Nqwfd+xlG4Gy2F5x6zaQmo7VbvRbtLk7GI=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1809.namprd14.prod.outlook.com (10.171.176.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.16; Wed, 27 Mar 2019 09:08:31 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::294e:1bc:bb2b:e728]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::294e:1bc:bb2b:e728%5]) with mapi id 15.20.1730.019; Wed, 27 Mar 2019 09:08:31 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: "Dang, Quynh (Fed)" <quynh.dang=40nist.gov@dmarc.ietf.org>, Jim Schaad <ietf@augustcellars.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VXx21KHECH1UWEyX+/NMZuuKYd5ZWAgAAMQQCAABNAAIAABCUAgAAMzgCAAAI0gIABGDAw
Date: Wed, 27 Mar 2019 09:08:31 +0000
Message-ID: <BN6PR14MB11067DDDC2C016B29D53E54E83580@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com>, <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com> <BN8PR09MB360492F2741D92172B0AEA3EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
In-Reply-To: <BN8PR09MB360492F2741D92172B0AEA3EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tim.hollebeek@digicert.com; 
x-originating-ip: [31.133.150.157]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2cc30b08-057b-4985-13c9-08d6b293c898
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1809; 
x-ms-traffictypediagnostic: BN6PR14MB1809:
x-microsoft-antispam-prvs: <BN6PR14MB1809289AA1C1A931FF368A9483580@BN6PR14MB1809.namprd14.prod.outlook.com>
x-forefront-prvs: 0989A7979C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(136003)(39860400002)(366004)(376002)(346002)(396003)(53754006)(189003)(199004)(68736007)(86362001)(8936002)(71190400001)(71200400001)(316002)(110136005)(186003)(81166006)(26005)(8676002)(81156014)(76176011)(33656002)(6436002)(97736004)(7696005)(229853002)(102836004)(14454004)(256004)(66066001)(99936001)(105586002)(6506007)(53546011)(93886005)(106356001)(305945005)(6246003)(25786009)(966005)(44832011)(53936002)(2906002)(486006)(446003)(99286004)(52536014)(7736002)(6306002)(9686003)(5660300002)(478600001)(11346002)(74316002)(476003)(3846002)(55016002)(6116002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1809; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: l3BzMZiLNNYnB5Th6xf9Ukjrnvue6SlDplwg4BlLub5eN0s0qUfATyO6lhCazV5B8eiu9F32lJkwibvp7DSgTuXJ5ENPIjJ9yGmM0ViuKdhswOsQqzR7znvTT6VMdb4yhQt6zX52L2c05UK0xJgtxu+xZOFB40uYJYBS2tt4nMd6yidz5HIMMLfZyv14kgETGPeIdGpUBiBKL6U6pnTDFyPYj3F7wNUZ8827fru7+A9BhMDhOZTbzDA+TBZ2Cz4XR4RySeKPVSWowgWKI3CrUODF41rvFPAyv2jwU7l672B9gucMX7KdpuGl+wdQK0QsZlSdKn/Qr0CqP0TLeaBNKeBcxSu6j76sh4xP6eeRAcICsqoQa+OgykFzRpi1qiuFCzIKzMUPxPYsplmODtXqRKuwIEFATv72tw9pWQeb4Cg=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0185_01D4E485.06514640"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2cc30b08-057b-4985-13c9-08d6b293c898
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2019 09:08:31.4169 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1809
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/39cv1eXvgPHoWMMa-CpIdJn_C90>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 09:08:57 -0000

------=_NextPart_000_0185_01D4E485.06514640
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_0186_01D4E485.06514640"


------=_NextPart_001_0186_01D4E485.06514640
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Except that a two level tree is not like a big one level tree.

 

For an N node one level tree, you can typically reduce the number of nodes
that need to be managed at a time to 2 x sqrt(N), by using two level trees
and only keeping one subtree around at a time.

 

You also don't have to generate all the subtrees in advance.

 

-Tim

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 5:21 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Scott Fluhrer (sfluhrer)'
<sfluhrer@cisco.com>; 'Dang, Quynh (Fed)'
<quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

Time and memory trade-offs are applicable to both cases. Think the
multi-level tree is a tree, like a big 1-level tree.

 

Quynh. 

  _____  

From: Spasm <spasm-bounces@ietf.org> on behalf of Jim Schaad
<ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 12:13:30 PM
To: 'Scott Fluhrer (sfluhrer)'; 'Dang, Quynh (Fed)'; 'SPASM'
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

I understand that, but again there are some trade-offs of memory vs time.
All of the simple tree saving algorithms I have thought of can occasionally
require the generation of a large portion of the tree depending on what
boundaries one is crossing in the tree, this means that the signing time is
not constant.  One can also make gains by doing some pre-computation of
expected trees as one goes along.  When you have a tree of trees, one can
get lots of speed up by saving the signature for all but the bottom most
tree so that only that tree needs to have portions regenerated until you
move to a new sub-tree.

 

All of these are space/time trade-offs and one needs to understand what the
extremes are on both ends before one says that a huge single tree is better
or worse than a lot of small trees, even if the number of levels that are
created are the same.

 

Jim

 

 

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 4:28 PM
To: Jim Schaad <ietf@augustcellars.com>;
'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>;
'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

Actually, there are algorithms that are able to generate the next
authentication path by storing a comparatively small part of the tree, and
using only a relatively small number of leaf node evaluations.  For example,
http://www.szydlo.com/fractal-jmls.pdf

 

From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:13 AM
To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>;
Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

There is one other factor to compare in terms of how big the tree is.  For a
very large tree, if you do not have the resources to keep the entire private
key set (or a large subset of it) then you get into the situation where you
regenerate the entire private key tree for each and every signature.  This
is part of the trade off between small key size and fast signature
generation/usage of time.

 

Jim

 

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

The only downside of 1 level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3 etc... hours of a key generation time is not a problem, then
using a big 1 level tree seems better than using a multi-level tree.

 

Therefore, some bigger height numbers for 1-level tree may be desired.

 

Quynh. 

  _____  

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation
of LMS.

 

Hi all,

 

Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.

 

This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).

 

I just looked at the LMS's draft, the single tree with height 25 (2^25
signatures) takes only 1.5 hours.

 

Clarification on this:

*	The test used 15 cores (and so it used a total of circa 1 core-day)
*	This was done with a W=8 parameter set.  This makes the signature
shorter (1936 bytes in this case), however it does increase the key
generation time; a W=4 parameter set would approximately double the
signature size, while decreasing the key generation time by circa a factor
of 8.

 

 

Regards,

Quynh. 

 

 

 

 


------=_NextPart_001_0186_01D4E485.06514640--

------=_NextPart_000_0185_01D4E485.06514640
Content-Type: application/pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"
------=_NextPart_000_0185_01D4E485.06514640--
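
The figures traded in the thread above (1936-byte signatures at height 25 with W=8, the W=8 versus W=4 key-generation cost, and one big tree versus a multi-level tree) can be checked with the size formulas of RFC 8554. The following Python is an added example, not part of any message in the thread; the function names are this example's own, and the hash-call counts are an assumed cost model that ignores secret-value derivation and the one-time signature each upper-level tree makes over the tree below it.

```python
"""Signature size and key-generation work for LMS/HSS parameter sets,
computed from the RFC 8554 formulas (SHA-256, n = 32)."""

N = 32       # hash output length in bytes
I_LEN = 16   # length of the LMS key-pair identifier I


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def lmots_p(w: int, n: int = N) -> int:
    """Number of Winternitz chains p (RFC 8554, Appendix B)."""
    u = ceil_div(8 * n, w)                   # chains covering the digest
    max_checksum = (2**w - 1) * u
    # ceil((floor(lg(max_checksum)) + 1) / w), done in integers
    v = ceil_div(max_checksum.bit_length(), w)
    return u + v


def lmots_sig_len(w: int, n: int = N) -> int:
    # u32 type || C (n bytes) || y[0..p-1] (p * n bytes)
    return 4 + n * (lmots_p(w, n) + 1)


def lms_sig_len(h: int, w: int, n: int = N) -> int:
    # u32 q || LM-OTS signature || u32 LMS type || h path nodes
    return 4 + lmots_sig_len(w, n) + 4 + h * n


def lms_pub_len(n: int = N) -> int:
    # u32 LMS type || u32 LM-OTS type || I || root T[1]
    return 4 + 4 + I_LEN + n


def hss_sig_len(heights, w: int, n: int = N) -> int:
    """HSS signature: u32 Nspk, then (LMS sig + next public key) for every
    level above the bottom, then the bottom-level LMS signature."""
    upper = sum(lms_sig_len(h, w, n) + lms_pub_len(n) for h in heights[:-1])
    return 4 + upper + lms_sig_len(heights[-1], w, n)


def tree_keygen_hashes(h: int, w: int, n: int = N) -> int:
    """Hash calls to build one LMS tree (assumed cost model).
    Per leaf: p chains of 2^w - 1 steps, one hash for the LM-OTS public
    key K, one leaf hash. Then 2^h - 1 interior nodes."""
    per_leaf = lmots_p(w, n) * (2**w - 1) + 2
    return 2**h * per_leaf + (2**h - 1)


def hss_keygen_hashes(heights, w: int, n: int = N) -> int:
    """Work before the first signature: the top tree plus the first tree
    at each lower level; later subtrees are built on demand."""
    return sum(tree_keygen_hashes(h, w, n) for h in heights)


def report():
    """(heights, W, signature bytes, key-generation hash calls) per set.
    [25] and [15, 10] both allow 2^25 signatures in total."""
    return [
        (heights, w, hss_sig_len(heights, w), hss_keygen_hashes(heights, w))
        for heights, w in (([25], 8), ([25], 4), ([15, 10], 8))
    ]


if __name__ == "__main__":
    for heights, w, sig, work in report():
        print(f"heights={heights} W={w}: signature {sig} bytes, "
              f"keygen ~{work:.3e} hash calls")
```

Running it shows the trade the participants are arguing about: the single height-25 tree has the smallest signature, while the two-level split pays one extra LMS signature and public key per signature in exchange for far less up-front key-generation work.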


From nobody Wed Mar 27 02:18:39 2019
Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6D95120549 for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 02:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level: 
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LrXC62d72wrO for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 02:18:25 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on070b.outbound.protection.outlook.com [IPv6:2a01:111:f400:fd00::70b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4FFC120508 for <spasm@ietf.org>; Wed, 27 Mar 2019 02:18:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0U0xVoes60ibJGOS9gmeo+JWLynhxaR/bc9XlvMxrUw=; b=1RFuDkzkufdA0hfnbfJlalX+69R6uiieO/xnOLzVRrxVeOHXN2ugKQ6jFczPk9ImRAXBlY+YXkLnJMYbJuXAfguJ/x/KszjHQFbTaold4QSv6+WY7gPbELUhadB57ysdnFGwetIOqIE73BKxA8gp/baXVB33u1heYGlTBQmiSpc=
Received: from BYAPR09MB3606.namprd09.prod.outlook.com (20.179.59.145) by BYASPR01MB0062.namprd09.prod.outlook.com (20.178.232.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.19; Wed, 27 Mar 2019 09:18:22 +0000
Received: from BYAPR09MB3606.namprd09.prod.outlook.com ([fe80::8db7:73d5:9614:49fb]) by BYAPR09MB3606.namprd09.prod.outlook.com ([fe80::8db7:73d5:9614:49fb%5]) with mapi id 15.20.1750.014; Wed, 27 Mar 2019 09:18:22 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Tim Hollebeek <tim.hollebeek@digicert.com>, Jim Schaad <ietf@augustcellars.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VOWMyEHh07WU6WCYCL4KDmBaYd5ZWAgAAKTzaAABUyAIAABCUAgAAMzgCAAAGUx4ABGgSAgAACMyo=
Date: Wed, 27 Mar 2019 09:18:22 +0000
Message-ID: <BYAPR09MB3606909403FB273411DC3FF9F3580@BYAPR09MB3606.namprd09.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com>, <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com> <BN8PR09MB360492F2741D92172B0AEA3EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <BN6PR14MB11067DDDC2C016B29D53E54E83580@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <BN6PR14MB11067DDDC2C016B29D53E54E83580@BN6PR14MB1106.namprd14.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-originating-ip: [2001:67c:370:128:ad9c:387d:7331:892c]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0be25e46-1717-46c2-84b9-08d6b295290d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:BYASPR01MB0062; 
x-ms-traffictypediagnostic: BYASPR01MB0062:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BYASPR01MB0062E93C9BD8B8E4080CB2ECF3580@BYASPR01MB0062.namprd09.prod.outlook.com>
x-forefront-prvs: 0989A7979C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(366004)(396003)(136003)(346002)(39860400002)(189003)(199004)(53754006)(55016002)(54896002)(478600001)(25786009)(236005)(9686003)(110136005)(33656002)(93886005)(6506007)(966005)(316002)(6246003)(6306002)(53936002)(53546011)(606006)(102836004)(46003)(186003)(256004)(229853002)(7696005)(6436002)(105586002)(71200400001)(76176011)(8676002)(106356001)(446003)(97736004)(71190400001)(476003)(486006)(11346002)(1015004)(19627405001)(52536014)(6116002)(99286004)(68736007)(8936002)(81156014)(5660300002)(14454004)(86362001)(81166006)(6606003)(2906002)(7736002)(74316002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYASPR01MB0062; H:BYAPR09MB3606.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: R0h3LdQxsYXA64+yUeHrHkHJh51HLzKdrBoaM84lPhNwZ0zgSpfLRc0Jm+C3rN9YOFT8rxnxG1DGrCmtw5wbFZWpQsNdYqKFcKPjzmxH5YBf1ccaxNdqjb4MKD5XkNwR2gjhM48uMkuk2scw3RPRV8vEovoZjZK6DlFfXli9UW1CQFtujjopc5+kttNRRZR3AYexL8nOggn/j6owmZ5JdPsid6mbP7Knt3IwQyxAdArp6g7LAQ1tasFulKNcq5X+r+lS1M0ilPfb/Ry8NLzeOe5+OxcgeNjHSdp0W3ZE8HYkyoQiO8aDBoB4mDM2cLK+q7qmhvRG0a4xHqZSqjhqfy9fh2cEbGV9AIVNyFMREyHPzpwEDsU/uyMJ6xjyunhU7Ny7Pg5qE/gWHd3nATow2YOmbZzMGV4HsFBFJgySE3Q=
Content-Type: multipart/alternative; boundary="_000_BYAPR09MB3606909403FB273411DC3FF9F3580BYAPR09MB3606namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 0be25e46-1717-46c2-84b9-08d6b295290d
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2019 09:18:22.6976 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYASPR01MB0062
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/wWniT3XhKl3UBUZvZUNnfC6udn8>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 09:18:37 -0000

--_000_BYAPR09MB3606909403FB273411DC3FF9F3580BYAPR09MB3606namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable




________________________________
From: Tim Hollebeek <tim.hollebeek@digicert.com>
Sent: Wednesday, March 27, 2019 5:08 AM
To: Dang, Quynh (Fed); Jim Schaad; 'Scott Fluhrer (sfluhrer)'; 'SPASM'
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.


Except that a two level tree is not like a big one level tree.



For an N node one level tree, you can typically reduce the number of nodes
that need to be managed at a time to 2 x sqrt(N), by using two level trees
and only keeping one subtree around at a time.


Hi Tim, can you clarify what you are saying here?



You also don’t have to generate all the subtrees in advance.


That has been said before: the downside of a big-level tree is key
generation time compared to the multi-level trees.


Quynh.



-Tim



From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 5:21 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Scott Fluhrer (sfluhrer)'
<sfluhrer@cisco.com>; 'Dang, Quynh (Fed)'
<quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.



Time and memory trade-offs are applicable to both cases. Think of the
multi-level tree as a tree, like a big 1-level tree.



Quynh.

________________________________

From: Spasm <spasm-bounces@ietf.org> on behalf of Jim Schaad
<ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 12:13:30 PM
To: 'Scott Fluhrer (sfluhrer)'; 'Dang, Quynh (Fed)'; 'SPASM'
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.



I understand that, but again there are some trade-offs of memory vs time.
All of the simple tree saving algorithms I have thought of can occasionally
require the generation of a large portion of the tree depending on what
boundaries one is crossing in the tree; this means that the signing time is
not constant.  One can also make gains by doing some pre-computation of
expected trees as one goes along.  When you have a tree of trees, one can
get lots of speed up by saving the signature for all but the bottom most
tree so that only that tree needs to have portions regenerated until you
move to a new sub-tree.



All of these are space/time trade-offs and one needs to understand what the
extremes are on both ends before one says that a huge single tree is better
or worse than a lot of small trees, even if the number of levels that are
created are the same.



Jim





From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 4:28 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Dang, Quynh (Fed)'
<quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.

Actually, there are algorithms that are able to generate the next
authentication path by storing a comparatively small part of the tree, and
using only a relatively small number of leaf node evaluations.  For example,
http://www.szydlo.com/fractal-jmls.pdf



From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:13 AM
To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; Scott
Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.



There is one other factor to compare in terms of how big the tree is.  For
a very large tree, if you do not have the resources to keep the entire
private key set (or a large subset of it) then you get into the situation
where you regenerate the entire private key tree for each and every
signature.  This is part of the trade off between small key size and fast
signature generation/usage of time.



Jim





From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.



The only downside of 1 level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3 etc. hours of key generation time is not a problem, then using a
big 1 level tree seems better than using a multi-level tree.

Therefore, some bigger height numbers for 1-level tree may be desired.



Quynh.

________________________________

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.



From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key
generation of LMS.



Hi all,



Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.



This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).



I just looked at the LMS's draft, the single tree with height 25 (2^25
signatures) takes only 1.5 hours.



Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature
      shorter (1936 bytes in this case), however it does increase the key
      generation time; a W=4 parameter set would approximately double the
      signature size, while decreasing the key generation time by circa a
      factor of 8.





Regards,

Quynh.









--_000_BYAPR09MB3606909403FB273411DC3FF9F3580BYAPR09MB3606namp_--
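
Added example, not part of any message in this thread: the size and key-generation arithmetic behind the single-tree versus multi-level discussion, using the signature layouts of RFC 8554. The function names, the 15+10 two-level split and the simplified cost model (hash calls for chains and tree nodes only, ignoring private-key derivation and the signing of child public keys) are assumptions made for illustration.

```python
"""HSS/LMS signature size and key-generation cost (layouts from RFC 8554)."""

N = 32                            # hash output in bytes (SHA-256, n = m = 32)
LMS_PUBKEY_LEN = 4 + 4 + 16 + N   # LMS type || LM-OTS type || I || root T[1]


def _ceil_div(a, b):
    return -(-a // b)


def lmots_p(w, n=N):
    """Number of Winternitz chains p for chain width w (RFC 8554, Appendix B)."""
    u = _ceil_div(8 * n, w)                     # digits covering the message hash
    # floor(lg(x)) + 1 equals x.bit_length() for x >= 1
    v = _ceil_div(((2**w - 1) * u).bit_length(), w)   # digits covering the checksum
    return u + v


def lms_sig_len(w, h, n=N):
    """Bytes in one LMS signature for a tree of height h."""
    lmots_sig = 4 + n + lmots_p(w, n) * n       # type || C || y[0..p-1]
    return 4 + lmots_sig + 4 + h * n            # q || LM-OTS sig || LMS type || path


def hss_sig_len(w, heights, n=N):
    """Bytes in an HSS signature; heights lists tree heights, top tree first."""
    total = 4                                   # Nspk = len(heights) - 1
    total += sum(lms_sig_len(w, h, n) for h in heights)
    total += (len(heights) - 1) * LMS_PUBKEY_LEN   # each lower tree's public key
    return total


def leaf_hashes(w, n=N):
    """Approximate hash calls per leaf: p chains of 2^w - 1 steps, K, leaf hash."""
    return lmots_p(w, n) * (2**w - 1) + 2


def keygen_hashes(w, heights, n=N):
    """Approximate hash calls before the first signature can be issued.

    One tree per level is built at key generation; lower trees are rebuilt
    later, as they are exhausted, so only the first one is counted here.
    """
    return sum(2**h * leaf_hashes(w, n) + (2**h - 1) for h in heights)


def capacity(heights):
    """Total number of signatures the hierarchy can issue."""
    return 2 ** sum(heights)


def compare():
    """Rows for the configurations discussed in the thread (constructed set)."""
    rows = []
    for label, w, heights in [
        ("single tree h=25, W=8", 8, [25]),
        ("single tree h=25, W=4", 4, [25]),
        ("two-level 15+10, W=8", 8, [15, 10]),
    ]:
        rows.append({
            "config": label,
            "signatures": capacity(heights),
            "sig_bytes": hss_sig_len(w, heights),
            "keygen_hashes": keygen_hashes(w, heights),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print("{config:24} sigs=2^{bits} sig_bytes={sig_bytes} "
              "keygen_hashes={keygen_hashes:.3e}".format(
                  bits=row["signatures"].bit_length() - 1, **row))
```

With h=25 and W=8 this reproduces the 1936-byte signature quoted above; the two-level split reaches the same 2^25 signature capacity with far less work at key generation, at the price of a longer signature.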


From nobody Wed Mar 27 02:23:53 2019
Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 754FA120529 for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 02:23:42 -0700 (PDT)
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fty_SPMzuE5V for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 02:23:38 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-eopbgr830138.outbound.protection.outlook.com [40.107.83.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66C6912028B for <spasm@ietf.org>; Wed, 27 Mar 2019 02:23:37 -0700 (PDT)
Received: from BYAPR09MB3606.namprd09.prod.outlook.com (20.179.59.145) by BYASPR01MB0062.namprd09.prod.outlook.com (20.178.232.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1730.19; Wed, 27 Mar 2019 09:23:35 +0000
Received: from BYAPR09MB3606.namprd09.prod.outlook.com ([fe80::8db7:73d5:9614:49fb]) by BYAPR09MB3606.namprd09.prod.outlook.com ([fe80::8db7:73d5:9614:49fb%5]) with mapi id 15.20.1750.014; Wed, 27 Mar 2019 09:23:35 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Tim Hollebeek <tim.hollebeek@digicert.com>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Date: Wed, 27 Mar 2019 09:23:35 +0000
Message-ID: <BYAPR09MB360660E225D1C3EE90B77975F3580@BYAPR09MB3606.namprd09.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com>, <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com> <BN8PR09MB360492F2741D92172B0AEA3EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <BN6PR14MB11067DDDC2C016B29D53E54E83580@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <BN6PR14MB11067DDDC2C016B29D53E54E83580@BN6PR14MB1106.namprd14.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_BYAPR09MB360660E225D1C3EE90B77975F3580BYAPR09MB3606namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1ol-ED0XHVgySFd7Mn26tSpsAYs>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-List-Received-Date: Wed, 27 Mar 2019 09:23:46 -0000

--_000_BYAPR09MB360660E225D1C3EE90B77975F3580BYAPR09MB3606namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

The trick of memory and time (computation) trade-offs is that either you keep a hash value (the parent node) of its child nodes or you compute the parent node on the fly from the child nodes and that is the same for a small sub-tree or a big tree.

Quynh.

________________________________
From: Tim Hollebeek <tim.hollebeek@digicert.com>
Sent: Wednesday, March 27, 2019 5:08:31 AM
To: Dang, Quynh (Fed); Jim Schaad; 'Scott Fluhrer (sfluhrer)'; 'SPASM'
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

Except that a two level tree is not like a big one level tree.

For an N node one level tree, you can typically reduce the number of nodes that need to be managed at a time to 2 x sqrt(N), by using two level trees and only keeping one subtree around at a time.

You also don’t have to generate all the subtrees in advance.

-Tim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 5:21 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Scott Fluhrer (sfluhrer)' <sfluhrer@cisco.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

time and memory trade-offs are applicable to both cases. Think the multi-level tree is a tree, like a big 1-level tree.

Quynh.

________________________________

From: Spasm <spasm-bounces@ietf.org> on behalf of Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 12:13:30 PM
To: 'Scott Fluhrer (sfluhrer)'; 'Dang, Quynh (Fed)'; 'SPASM'
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

I understand that, but again there are some trade-offs of memory vs time.  All of the simple tree saving algorithms I have thought of can occasionally require the generation of a large portion of the tree depending on what boundaries one is crossing in the tree, this means that the signing time is not constant.  One can also make gains by doing some pre-computation of expected trees as one goes along.  When you have a tree of trees, one can get lots of speed up by saving the signature for all but the bottom most tree so that only that tree needs to have portions regenerated until you move to a new sub-tree.

All of these are space/time trade-offs and one needs to understand what the extremes are on both ends before one says that a huge single tree is better or worse than a lot of small trees, even if the number of levels that are created are the same.

Jim

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 4:28 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

Actually, there are algorithms that are able to generate the next authentication path by storing a comparatively small part of the tree, and using only a relatively small number of leaf node evaluations.  For example, http://www.szydlo.com/fractal-jmls.pdf



From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:13 AM
To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

There is one other factor to compare in terms of how big the tree is.  For a very large tree, if you do not have the resources to keep the entire private key set (or a large subset of it) then you get into the situation where you regenerate the entire private key tree for each and every signature.  This is part of the trade off between small key size and fast signature generation/usage of time.

Jim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

The only downside of 1 level tree is its key generation time comparing to multi-level trees. In situations (such as a code signing application) where 1, 2 or 3 etc.... hours of a key generation time is not a problem, then using a big 1 level tree seems better than using a multi-level tree.

Therefore, some bigger height numbers for 1-level tree may be desired.

Quynh.

________________________________

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

Hi all,

Here is the attack I mentioned at the meeting today: https://eprint.iacr.org/2018/674/20180713:140821.

This is a fault attack (that is, you try to make the signer miscompute something, and then use the miscomputed signature); a signer implementation could implement protections against this (of course, those protections are not free).

I just looked at the LMS's draft, the single tree with height 25 (2^25 signatures) takes only 1.5 hours.

Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature shorter (1936 bytes in this case), however it does increase the key generation time; a W=4 parameter set would approximately double the signature size, while decreasing the key generation time by circa a factor of 8.

Regards,

Quynh.









--_000_BYAPR09MB360660E225D1C3EE90B77975F3580BYAPR09MB3606namp_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
<style type=3D"text/css" style=3D"display:none;"><!-- P {margin-top:0;margi=
n-bottom:0;} --></style>
</head>
<body dir=3D"ltr">
<div id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;font=
-family:Calibri,Helvetica,sans-serif;" dir=3D"ltr">
<p style=3D"margin-top:0;margin-bottom:0">The trick of memory and time (com=
putation) trade-offs is that either you keep a hash value(the parent node) =
of its child nodes or you compute the parent node on the fly from the child=
 nodes and that is the same for a
 small sub-tree or a big tree.</p>
<p style=3D"margin-top:0;margin-bottom:0"><br>
</p>
<p style=3D"margin-top:0;margin-bottom:0">Quynh.&nbsp;</p>
</div>
<hr style=3D"display:inline-block;width:98%" tabindex=3D"-1">
<div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" st=
yle=3D"font-size:11pt" color=3D"#000000"><b>From:</b> Tim Hollebeek &lt;tim=
.hollebeek@digicert.com&gt;<br>
<b>Sent:</b> Wednesday, March 27, 2019 5:08:31 AM<br>
<b>To:</b> Dang, Quynh (Fed); Jim Schaad; 'Scott Fluhrer (sfluhrer)'; 'SPAS=
M'<br>
<b>Subject:</b> RE: [lamps] Side-channel attack on multi-level trees and ke=
y generation of LMS.</font>
<div>&nbsp;</div>
</div>
<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"x_WordSection1">
<p class=3D"x_MsoNormal">Except that a two level tree is not like a big one=
 level tree.</p>
<p class=3D"x_MsoNormal">&nbsp;</p>
<p class=3D"x_MsoNormal">For an N node one level tree, you can typically re=
duce the number of nodes that need to be managed at a time to 2 x sqrt(N), =
by using two level trees and only keeping one subtree around at a time.</p>
<p class=3D"x_MsoNormal">&nbsp;</p>
<p class=3D"x_MsoNormal">You also don't have to generate all the subtrees=
 in advance.</p>
<p class=3D"x_MsoNormal">&nbsp;</p>
<p class=3D"x_MsoNormal">-Tim</p>
<p class=3D"x_MsoNormal">&nbsp;</p>
<div style=3D"border:none; border-left:solid blue 1.5pt; padding:0in 0in 0i=
n 4.0pt">
<div>
<div style=3D"border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0i=
n 0in 0in">
<p class=3D"x_MsoNormal"><b>From:</b> Spasm &lt;spasm-bounces@ietf.org&gt; =
<b>On Behalf Of
</b>Dang, Quynh (Fed)<br>
<b>Sent:</b> Tuesday, March 26, 2019 5:21 PM<br>
<b>To:</b> Jim Schaad &lt;ietf@augustcellars.com&gt;; 'Scott Fluhrer (sfluh=
rer)' &lt;sfluhrer@cisco.com&gt;; 'Dang, Quynh (Fed)' &lt;quynh.dang=3D40ni=
st.gov@dmarc.ietf.org&gt;; 'SPASM' &lt;spasm@ietf.org&gt;<br>
<b>Subject:</b> Re: [lamps] Side-channel attack on multi-level trees and ke=
y generation of LMS.</p>
</div>
</div>
<p class=3D"x_MsoNormal">&nbsp;</p>
<div id=3D"x_divtagdefaultwrapper">
<p><span style=3D"font-size:12.0pt; color:black">time and memory trade-offs=
 are applicable to both cases. Think the multi-level tree is a tree, like a=
 big 1-level tree.&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">Quynh.&nbsp;</span></p>
</div>
<div class=3D"x_MsoNormal" align=3D"center" style=3D"text-align:center">
<hr size=3D"5" width=3D"98%" align=3D"center">
</div>
<div id=3D"x_divRplyFwdMsg">
<p class=3D"x_MsoNormal"><b><span style=3D"color:black">From:</span></b><sp=
an style=3D"color:black"> Spasm &lt;<a href=3D"mailto:spasm-bounces@ietf.or=
g">spasm-bounces@ietf.org</a>&gt; on behalf of Jim Schaad &lt;<a href=3D"ma=
ilto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;<br>
<b>Sent:</b> Tuesday, March 26, 2019 12:13:30 PM<br>
<b>To:</b> 'Scott Fluhrer (sfluhrer)'; 'Dang, Quynh (Fed)'; 'SPASM'<br>
<b>Subject:</b> Re: [lamps] Side-channel attack on multi-level trees and ke=
y generation of LMS.</span>
</p>
<div>
<p class=3D"x_MsoNormal">&nbsp;</p>
</div>
</div>
<div>
<div>
<p class=3D"x_xmsonormal">I understand that, but again there are some trade=
-offs of memory vs time.&nbsp; All of the simple tree saving algorithms I h=
ave thought of can occasionally require the generation of a large portion o=
f the tree depending on what boundaries
 one is crossing in the tree, this means that the signing time is not const=
ant.&nbsp; One can also make gains by doing some pre-computation of expecte=
d trees as one goes along.&nbsp; When you have a tree of trees, one can get=
 lots of speed up by saving the signature
 for all but the bottom most tree so that only that tree needs to have port=
ions regenerated until you move to a new sub-tree.</p>
<p class=3D"x_xmsonormal">&nbsp;</p>
<p class=3D"x_xmsonormal">All of these are space/time trade-offs and one ne=
eds to understand what the extremes are on both ends before one says that a=
 huge single tree is better or worse than a lot of small trees, even if the=
 number of levels that are created
 are the same.</p>
<p class=3D"x_xmsonormal">&nbsp;</p>
<p class=3D"x_xmsonormal">Jim</p>
<p class=3D"x_xmsonormal">&nbsp;</p>
<p class=3D"x_xmsonormal">&nbsp;</p>
<div style=3D"border:none; border-left:solid blue 1.5pt; padding:0in 0in 0i=
n 4.0pt">
<div>
<div style=3D"border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0i=
n 0in 0in">
<p class=3D"x_xmsonormal"><b>From:</b> Scott Fluhrer (sfluhrer) &lt;<a href=
=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;
<br>
<b>Sent:</b> Tuesday, March 26, 2019 4:28 PM<br>
<b>To:</b> Jim Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com">ietf@au=
gustcellars.com</a>&gt;; 'Dang, Quynh (Fed)' &lt;<a href=3D"mailto:quynh.da=
ng=3D40nist.gov@dmarc.ietf.org">quynh.dang=3D40nist.gov@dmarc.ietf.org</a>&=
gt;; 'SPASM' &lt;<a href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<b=
r>
<b>Subject:</b> RE: [lamps] Side-channel attack on multi-level trees and ke=
y generation of LMS.</p>
</div>
</div>
<p class=3D"x_xmsonormal">&nbsp;</p>
<p class=3D"x_xmsonormal">Actually, there are algorithms that are able to g=
enerate the next authentication path by storing a comparatively small part =
of the tree, and using only a relatively small number of leaf node evaluati=
ons.&nbsp; For example,
<a href=3D"http://www.szydlo.com/fractal-jmls.pdf">
http://www.szydlo.com/fractal-jmls.pdf</a> </p>
<p class=3D"x_xmsonormal">&nbsp;</p>
<div style=3D"border:none; border-left:solid blue 1.5pt; padding:0in 0in 0i=
n 4.0pt">
<div>
<div style=3D"border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0i=
n 0in 0in">
<p class=3D"x_xmsonormal"><b>From:</b> Jim Schaad &lt;<a href=3D"mailto:iet=
f@augustcellars.com">ietf@augustcellars.com</a>&gt;
<br>
<b>Sent:</b> Tuesday, March 26, 2019 11:13 AM<br>
<b>To:</b> 'Dang, Quynh (Fed)' &lt;<a href=3D"mailto:quynh.dang=3D40nist.go=
v@dmarc.ietf.org">quynh.dang=3D40nist.gov@dmarc.ietf.org</a>&gt;; Scott Flu=
hrer (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.co=
m</a>&gt;; 'SPASM' &lt;<a href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>=
&gt;<br>
<b>Subject:</b> RE: [lamps] Side-channel attack on multi-level trees and ke=
y generation of LMS.</p>
</div>
</div>
<p class=3D"x_xmsonormal">&nbsp;</p>
<p class=3D"x_xmsonormal">There is one other factor to compare in terms of =
how big the tree is.&nbsp; For a very large tree, if you do not have the re=
sources to keep the entire private key set (or a large subset of it) then y=
ou get into the situation where you regenerate
 the entire private key tree for each and every signature.&nbsp; This is pa=
rt of the trade off between small key size and fast signature generation/us=
age of time.</p>
<p class=3D"x_xmsonormal">&nbsp;</p>
<p class=3D"x_xmsonormal">Jim</p>
<p class=3D"x_xmsonormal">&nbsp;</p>
<p class=3D"x_xmsonormal">&nbsp;</p>
<div style=3D"border:none; border-left:solid blue 1.5pt; padding:0in 0in 0i=
n 4.0pt">
<div>
<div style=3D"border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0i=
n 0in 0in">
<p class=3D"x_xmsonormal"><b>From:</b> Spasm &lt;<a href=3D"mailto:spasm-bo=
unces@ietf.org">spasm-bounces@ietf.org</a>&gt;
<b>On Behalf Of </b>Dang, Quynh (Fed)<br>
<b>Sent:</b> Tuesday, March 26, 2019 3:04 PM<br>
<b>To:</b> Scott Fluhrer (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.co=
m">sfluhrer@cisco.com</a>&gt;; SPASM &lt;<a href=3D"mailto:spasm@ietf.org">=
spasm@ietf.org</a>&gt;<br>
<b>Subject:</b> Re: [lamps] Side-channel attack on multi-level trees and ke=
y generation of LMS.</p>
</div>
</div>
<p class=3D"x_xmsonormal">&nbsp;</p>
<div id=3D"x_x_divtagdefaultwrapper">
<p><span style=3D"font-size:12.0pt; color:black">The only downside of 1 lev=
el tree is its key generation time comparing to multi-level trees. In situa=
tions (&nbsp;such as a code signing application) where 1,&nbsp;2 or 3=
 etc... hours of a&nbsp;key generation time is not a problem,
 then using a big&nbsp;1 level tree seems better than using a multi-level t=
ree.&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">Therefore,&nbsp; some bigg=
er height numbers for 1-level tree may be desired.</span></p>
<p><span style=3D"font-size:12.0pt; color:black">&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">Quynh.&nbsp;</span></p>
</div>
<div class=3D"x_MsoNormal" align=3D"center" style=3D"text-align:center">
<hr size=3D"2" width=3D"98%" align=3D"center">
</div>
<div id=3D"x_x_divRplyFwdMsg">
<p class=3D"x_xmsonormal"><b><span style=3D"color:black">From:</span></b><s=
pan style=3D"color:black"> Scott Fluhrer (sfluhrer) &lt;<a href=3D"mailto:s=
fluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;<br>
<b>Sent:</b> Tuesday, March 26, 2019 9:20:05 AM<br>
<b>To:</b> Dang, Quynh (Fed); SPASM<br>
<b>Subject:</b> RE: [lamps] Side-channel attack on multi-level trees and ke=
y generation of LMS.</span>
</p>
<div>
<p class=3D"x_xmsonormal">&nbsp;</p>
</div>
</div>
<div>
<div>
<p class=3D"x_xxmsonormal"><b>From:</b> Spasm &lt;<a href=3D"mailto:spasm-b=
ounces@ietf.org">spasm-bounces@ietf.org</a>&gt;
<b>On Behalf Of </b>Dang, Quynh (Fed)<br>
<b>Sent:</b> Tuesday, March 26, 2019 9:11 AM<br>
<b>To:</b> SPASM &lt;<a href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&g=
t;<br>
<b>Subject:</b> [lamps] Side-channel attack on multi-level trees and key ge=
neration of LMS.</p>
<p class=3D"x_xxmsonormal">&nbsp;</p>
<div id=3D"x_x_x_divtagdefaultwrapper">
<p><span style=3D"font-size:12.0pt; color:black">Hi all,</span></p>
<p><span style=3D"font-size:12.0pt; color:black">&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">Here is the attack I menti=
oned at the meeting today:&nbsp;<a href=3D"https://eprint.iacr.org/2018/674=
/20180713:140821">https://eprint.iacr.org/2018/674/20180713:140821</a>.</sp=
an></p>
<p>&nbsp;</p>
<p><span style=3D"color:#1F497D">This is a fault attack (that is, you try t=
o make the signer miscompute something, and then use the miscomputed signat=
ure); a signer implementation could implement protections against this (of =
course, those protections are not
 free).</span></p>
<p><span style=3D"font-size:12.0pt; color:black">&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">I just looked at the LMS's=
 draft, the single tree with height 25 ( 2^25 signatures)&nbsp; takes only =
1.5 hours.</span></p>
<p>&nbsp;</p>
<p><span style=3D"color:#1F497D">Clarification on this:</span></p>
<ul type=3D"disc" style=3D"margin-top:0in">
<li class=3D"x_xmsonormal" style=3D"color:#1F497D">The test used 15 cores (=
and so it used a total of circa 1 core-day)</li><li class=3D"x_xmsonormal" =
style=3D"color:#1F497D">This was done with a W=3D8 parameter set.&nbsp; Thi=
s makes the signature shorter (1936 bytes in this case), however it does in=
crease the key generation time; a W=3D4 parameter set would approximately d=
ouble the signature
 size, while decreasing the key generation time by circa a factor of 8.</li=
></ul>
<p><span style=3D"font-size:12.0pt; color:#1F497D">&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">Regards,</span></p>
<p><span style=3D"font-size:12.0pt; color:black">Quynh.&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">&nbsp;</span></p>
<p><span style=3D"font-size:12.0pt; color:black">&nbsp;</span></p>
<p class=3D"x_xxmsonormal"><span style=3D"font-size:12.0pt; color:black">&n=
bsp;</span></p>
<div>
<div>
<div>
<div>
<p class=3D"x_xxmsonormal"><span style=3D"font-size:12.0pt; color:black">&n=
bsp;</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>

--_000_BYAPR09MB360660E225D1C3EE90B77975F3580BYAPR09MB3606namp_--


From nobody Wed Mar 27 02:44:30 2019
Return-Path: <housley@vigilsec.com>
From: Russ Housley <housley@vigilsec.com>
Message-Id: <BAC88CE0-EC2C-4449-A418-7FA4CAAB376F@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E50A0CD6-B19A-4AB6-8FCE-31B86A67763B"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 27 Mar 2019 05:44:20 -0400
In-Reply-To: <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
Cc: SPASM <spasm@ietf.org>
To: "Dang, Quynh (Fed)" <quynh.dang=40nist.gov@dmarc.ietf.org>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/s93yFnrJC2SUx-unpKR7vvXGH4U>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

--Apple-Mail=_E50A0CD6-B19A-4AB6-8FCE-31B86A67763B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

This was discussed briefly in the SUIT WG today, and it was observed =
that a small tree providing 32 signatures is acceptable in many =
cases, and the last update can be reserved for installing a new trust =
anchor for a new tree.

Russ


> On Mar 26, 2019, at 10:03 AM, Dang, Quynh (Fed) =
<quynh.dang=3D40nist.gov@dmarc.ietf.org> wrote:
>=20
> The only downside of 1 level tree is its key generation time comparing =
to multi-level trees. In situations ( such as a code signing =
application) where 1, 2 or 3 etc... hours of a key generation time is =
not a problem, then using a big 1 level tree seems better than using a =
multi-level tree.=20
>=20
> Therefore,  some bigger height numbers for 1-level tree may be =
desired.
>=20
> Quynh.=20
> From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com =
<mailto:sfluhrer@cisco.com>>
> Sent: Tuesday, March 26, 2019 9:20:05 AM
> To: Dang, Quynh (Fed); SPASM
> Subject: RE: [lamps] Side-channel attack on multi-level trees and key =
generation of LMS.
> =20
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> =
On Behalf Of Dang, Quynh (Fed)
> Sent: Tuesday, March 26, 2019 9:11 AM
> To: SPASM <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: [lamps] Side-channel attack on multi-level trees and key =
generation of LMS.
> =20
> Hi all,
> =20
> Here is the attack I mentioned at the meeting today: =
https://eprint.iacr.org/2018/674/20180713:140821.
> =20
> This is a fault attack (that is, you try to make the signer miscompute =
something, and then use the miscomputed signature); a signer =
implementation could implement protections against this (of course, =
those protections are not free).
> =20
> I just looked at the LMS's draft, the single tree with height 25 ( =
2^25 signatures)  takes only 1.5 hours.
> =20
> Clarification on this:
> The test used 15 cores (and so it used a total of circa 1 core-day)
> This was done with a W=3D8 parameter set.  This makes the signature =
shorter (1936 bytes in this case), however it does increase the key =
generation time; a W=3D4 parameter set would approximately double the =
signature size, while decreasing the key generation time by circa a =
factor of 8.
> =20
> =20
> Regards,
> Quynh.=20

--Apple-Mail=_E50A0CD6-B19A-4AB6-8FCE-31B86A67763B--
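
The figures quoted in this thread (1936-byte signatures at W=8 and height 25, key generation falling by about a factor of 8 at W=4, and the 2 x sqrt(N) working set of a two-level tree) can be reproduced from the parameter formulas in RFC 8554, the published form of the LMS draft. The following is an added example, not code from any participant or from the draft; it assumes n=32 (SHA-256), and its hash-count cost model is a simplification that ignores private-value derivation.

```python
"""LMS/HSS signature-size and key-generation cost calculator (added example)."""


def lmots_p(n: int, w: int) -> int:
    """Number of Winternitz chains p = u + v (RFC 8554, Appendix B)."""
    u = -(-8 * n // w)                           # ceil(8n/w): chains covering the digest
    checksum_bits = ((2**w - 1) * u).bit_length()  # floor(lg(max checksum)) + 1
    v = -(-checksum_bits // w)                   # ceil(.../w): chains covering the checksum
    return u + v


def lmots_sig_len(n: int, w: int) -> int:
    """LM-OTS signature: u32 type || C (n bytes) || y[0..p-1] (n bytes each)."""
    return 4 + n * (lmots_p(n, w) + 1)


def lms_sig_len(n: int, w: int, h: int) -> int:
    """LMS signature: u32 q || LM-OTS signature || u32 type || h path nodes."""
    return 4 + lmots_sig_len(n, w) + 4 + n * h


def hss_single_level_sig_len(n: int, w: int, h: int) -> int:
    """HSS signature with one level: u32 Nspk (= 0) || LMS signature."""
    return 4 + lms_sig_len(n, w, h)


def leaf_hashes(n: int, w: int) -> int:
    """Hash calls to build one leaf (assumed model).

    p chains of (2^w - 1) steps, one hash to compress the chain ends into
    the LM-OTS public key, one hash to form the Merkle leaf.
    """
    return lmots_p(n, w) * (2**w - 1) + 2


def tree_keygen_hashes(n: int, w: int, h: int) -> int:
    """Hash calls to compute the root of one height-h tree from scratch."""
    return 2**h * leaf_hashes(n, w) + (2**h - 1)


def hss_keygen_hashes(n: int, w: int, heights: list) -> int:
    """Key generation for a multi-level key: one tree per level.

    Only the top tree and the first subtree on each lower level are built;
    the remaining subtrees are generated later, when they are first needed.
    """
    return sum(tree_keygen_hashes(n, w, h) for h in heights)


def resident_leaves(heights: list) -> int:
    """Leaves that must be managed at once when one tree per level is kept."""
    return sum(2**h for h in heights)


def compare(n: int = 32) -> dict:
    """Numbers for the cases discussed in the thread."""
    return {
        "sig_w8_h25": hss_single_level_sig_len(n, 8, 25),
        "sig_w4_h25": hss_single_level_sig_len(n, 4, 25),
        "ots_w8": lmots_sig_len(n, 8),
        "ots_w4": lmots_sig_len(n, 4),
        "keygen_w8_over_w4": tree_keygen_hashes(n, 8, 25) / tree_keygen_hashes(n, 4, 25),
        "keygen_h25_over_15_10": tree_keygen_hashes(n, 8, 25) / hss_keygen_hashes(n, 8, [15, 10]),
        "resident_one_level_h24": resident_leaves([24]),
        "resident_two_level_12_12": resident_leaves([12, 12]),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:28s} {value}")
```
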


From nobody Wed Mar 27 02:55:07 2019
From: Russ Housley <housley@vigilsec.com>
Message-Id: <23FADE12-986D-423D-B0C2-6DAF1778E0AD@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6F0E218C-C06E-4D67-BAA1-566B29E3D2FA"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 27 Mar 2019 05:54:56 -0400
In-Reply-To: <BN8PR09MB360492F2741D92172B0AEA3EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
Cc: SPASM <spasm@ietf.org>
To: Quynh Dang <quynh.dang@nist.gov>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com> <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com> <BN8PR09MB360492F2741D92172B0AEA3EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/neMjYlKk-eBcFiFfkGCwnjnPOk8>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

--Apple-Mail=_6F0E218C-C06E-4D67-BAA1-566B29E3D2FA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Quynh:

That is not correct. In one big tree, all of the nodes need to be =
populated to generate the public key.  In a tree of trees, the top-most =
tree must be populated and then one of the subordinate trees, then a =
leaf on the top-most tree is used to sign the public key of the =
subordinate tree.  One does not have to populate the second subordinate =
tree until the first one is consumed.

Russ


> On Mar 26, 2019, at 12:21 PM, Dang, Quynh (Fed) <quynh.dang@nist.gov> =
wrote:
>=20
> Time and memory trade-offs are applicable to both cases. Think of the =
multi-level tree as a tree, like a big 1-level tree.=20
>=20
> Quynh.=20
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> =
on behalf of Jim Schaad <ietf@augustcellars.com =
<mailto:ietf@augustcellars.com>>
> Sent: Tuesday, March 26, 2019 12:13:30 PM
> To: 'Scott Fluhrer (sfluhrer)'; 'Dang, Quynh (Fed)'; 'SPASM'
> Subject: Re: [lamps] Side-channel attack on multi-level trees and key =
generation of LMS.
> =20
> I understand that, but again there are some trade-offs of memory vs =
time.  All of the simple tree saving algorithms I have thought of can =
occasionally require the generation of a large portion of the tree =
depending on what boundaries one is crossing in the tree, this means =
that the signing time is not constant.  One can also make gains by doing =
some pre-computation of expected trees as one goes along.  When you have =
a tree of trees, one can get lots of speed up by saving the signature =
for all but the bottom most tree so that only that tree needs to have =
portions regenerated until you move to a new sub-tree.
> =20
> All of these are space/time trade-offs and one needs to understand =
what the extremes are on both ends before one says that a huge single =
tree is better or worse than a lot of small trees, even if the number of =
levels that are created are the same.
> =20
> Jim
> =20
> =20
> From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com =
<mailto:sfluhrer@cisco.com>>=20
> Sent: Tuesday, March 26, 2019 4:28 PM
> To: Jim Schaad <ietf@augustcellars.com =
<mailto:ietf@augustcellars.com>>; 'Dang, Quynh (Fed)' =
<quynh.dang=3D40nist.gov@dmarc.ietf.org =
<mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org>>; 'SPASM' =
<spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: RE: [lamps] Side-channel attack on multi-level trees and key =
generation of LMS.
> =20
> Actually, there are algorithms that are able to generate the next =
authentication path by storing a comparatively small part of the tree, =
and using only a relatively small number of leaf node evaluations.  For =
example, http://www.szydlo.com/fractal-jmls.pdf
> =20
> From: Jim Schaad <ietf@augustcellars.com =
<mailto:ietf@augustcellars.com>>=20
> Sent: Tuesday, March 26, 2019 11:13 AM
> To: 'Dang, Quynh (Fed)' <quynh.dang=3D40nist.gov@dmarc.ietf.org =
<mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org>>; Scott Fluhrer =
(sfluhrer) <sfluhrer@cisco.com <mailto:sfluhrer@cisco.com>>; 'SPASM' =
<spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: RE: [lamps] Side-channel attack on multi-level trees and key =
generation of LMS.
> =20
> There is one other factor to compare in terms of how big the tree is.  =
For a very large tree, if you do not have the resources to keep the =
entire private key set (or a large subset of it) then you get into the =
situation where you regenerate the entire private key tree for each and =
every signature.  This is part of the trade off between small key size =
and fast signature generation/usage of time.
> =20
> Jim
> =20
> =20
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> =
On Behalf Of Dang, Quynh (Fed)
> Sent: Tuesday, March 26, 2019 3:04 PM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com =
<mailto:sfluhrer@cisco.com>>; SPASM <spasm@ietf.org =
<mailto:spasm@ietf.org>>
> Subject: Re: [lamps] Side-channel attack on multi-level trees and key =
generation of LMS.
> =20
> The only downside of a 1-level tree is its key generation time compared =
to multi-level trees. In situations (such as a code signing =
application) where 1, 2 or 3 etc. hours of key generation time is =
not a problem, using a big 1-level tree seems better than using a =
multi-level tree.=20
> =20
> Therefore,  some bigger height numbers for 1-level tree may be =
desired.
> =20
> Quynh.=20
> From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com =
<mailto:sfluhrer@cisco.com>>
> Sent: Tuesday, March 26, 2019 9:20:05 AM
> To: Dang, Quynh (Fed); SPASM
> Subject: RE: [lamps] Side-channel attack on multi-level trees and key =
generation of LMS.
> =20
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> =
On Behalf Of Dang, Quynh (Fed)
> Sent: Tuesday, March 26, 2019 9:11 AM
> To: SPASM <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: [lamps] Side-channel attack on multi-level trees and key =
generation of LMS.
> =20
> Hi all,
> =20
> Here is the attack I mentioned at the meeting today: =
https://eprint.iacr.org/2018/674/20180713:140821.
> =20
> This is a fault attack (that is, you try to make the signer miscompute =
something, and then use the miscomputed signature); a signer =
implementation could implement protections against this (of course, =
those protections are not free).
> =20
> I just looked at the LMS's draft, the single tree with height 25 ( =
2^25 signatures)  takes only 1.5 hours.
> =20
> Clarification on this:
> The test used 15 cores (and so it used a total of circa 1 core-day)
> This was done with a W=3D8 parameter set.  This makes the signature =
shorter (1936 bytes in this case), however it does increase the key =
generation time; a W=3D4 parameter set would approximately double the =
signature size, while decreasing the key generation time by circa a =
factor of 8.
> =20
> =20
> Regards,
> Quynh.=20
> =20
> =20
> =20
> =20
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm =
<https://www.ietf.org/mailman/listinfo/spasm>
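
The key generation difference described in this message, and the non-constant signing time raised earlier in the thread, can be counted directly; the following is an added example, not code from the thread or from the LMS draft. The leaf derivation and the "signature" are plain SHA-256 stand-ins rather than LM-OTS, authentication path computation is left out, and all names (`merkle_root`, `TwoLevelSigner`, and so on) are hypothetical.

```python
import hashlib


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf(seed: bytes, tree_id: int, q: int, counter: list) -> bytes:
    """Derive leaf q of one tree; stands in for generating one one-time key pair."""
    counter[0] += 1  # every call is one "leaf node evaluation"
    return _h(b"leaf", seed, tree_id.to_bytes(8, "big"), q.to_bytes(4, "big"))


def merkle_root(seed: bytes, tree_id: int, height: int, counter: list) -> bytes:
    """Populate a whole tree and return its root, keeping at most height+1 nodes in memory."""
    stack = []  # (level, node) pairs awaiting their right-hand sibling
    for q in range(1 << height):
        level, node = 0, leaf(seed, tree_id, q, counter)
        while stack and stack[-1][0] == level:
            node = _h(b"node", stack.pop()[1], node)
            level += 1
        stack.append((level, node))
    return stack[0][1]


def keygen_single(seed: bytes, height: int):
    """One big tree: every leaf must be evaluated before the public key exists."""
    counter = [0]
    return merkle_root(seed, 0, height, counter), counter[0]


class TwoLevelSigner:
    """Tree of trees: the top tree plus ONE subordinate tree are populated up front."""

    def __init__(self, seed: bytes, height: int):
        self.seed, self.height = seed, height
        self.counter = [0]
        self.top_root = merkle_root(seed, 0, height, self.counter)  # public key
        self.sub_index = 0  # which top-tree leaf / subordinate tree is active
        self.used = 0       # leaves already consumed in the active subordinate tree
        self._populate_subtree()
        self.keygen_cost = self.counter[0]

    def _populate_subtree(self) -> None:
        self.sub_root = merkle_root(self.seed, 1 + self.sub_index,
                                    self.height, self.counter)
        # Stand-in for "a leaf on the top-most tree signs the subordinate public key".
        self.binding = _h(b"bind", self.top_root,
                          self.sub_index.to_bytes(4, "big"), self.sub_root)

    def sign(self, message: bytes):
        """Return (placeholder tag, leaf evaluations this call needed)."""
        before = self.counter[0]
        if self.used == 1 << self.height:  # active subordinate tree is consumed
            if self.sub_index + 1 == 1 << self.height:
                raise RuntimeError("all one-time keys consumed")
            self.sub_index += 1
            self.used = 0
            self._populate_subtree()  # the deferred key generation work lands here
        one_time_key = leaf(self.seed, 1 + self.sub_index, self.used, self.counter)
        self.used += 1
        tag = _h(b"sig", one_time_key, message)  # placeholder, not a real signature
        return tag, self.counter[0] - before


if __name__ == "__main__":
    seed = b"constructed-demo-seed"  # constructed sample input
    _, single_cost = keygen_single(seed, 8)       # 2^8 signatures, one tree
    signer = TwoLevelSigner(seed, 4)              # 2^4 * 2^4 signatures, two levels
    costs = [signer.sign(b"msg")[1] for _ in range(256)]
    print("single-tree keygen leaf evaluations:", single_cost)
    print("two-level keygen leaf evaluations:  ", signer.keygen_cost)
    print("per-signature cost, min/max:        ", min(costs), max(costs))
```

The two-level signer ends up evaluating more leaves over its lifetime than the single tree, but the work is spread across subtree boundaries instead of being paid before the public key can be published.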

--Apple-Mail=_6F0E218C-C06E-4D67-BAA1-566B29E3D2FA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D"">Quynh:<div class=3D""><br class=3D""></div><div class=3D"">That=
 is not correct. In one big tree, all of the nodes need to be populated =
to generate the public key. &nbsp;In a tree of trees, the top-most tree =
must be populated and then one of the subordinate trees, then a leaf on =
the top-most tree is used to sign the public key of the subordinate =
tree. &nbsp;One does not have to populate the second subordinate tree =
until the first one is consumed.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Russ</div><div class=3D""><br =
class=3D""><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Mar 26, 2019, at 12:21 PM, Dang, Quynh (Fed) &lt;<a =
href=3D"mailto:quynh.dang@nist.gov" class=3D"">quynh.dang@nist.gov</a>&gt;=
 wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D""><div =
id=3D"divtagdefaultwrapper" dir=3D"ltr" style=3D"caret-color: rgb(0, 0, =
0); font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; font-size: 12pt; =
font-family: Calibri, Helvetica, sans-serif;" class=3D""><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D"">time and =
memory trade-offs are applicable to both cases. Think the multi-level =
tree is a tree, like a big 1-level tree.&nbsp;</div><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><br =
class=3D""></div><div style=3D"margin-top: 0px; margin-bottom: 0px;" =
class=3D"">Quynh.&nbsp;</div></div><hr tabindex=3D"-1" =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: =
inline-block; width: 1351.40625px;" class=3D""><span style=3D"caret-color:=
 rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; text-align: start; text-indent: 0px; text-transform: none; =
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D""></span><div id=3D"divRplyFwdMsg" dir=3D"ltr" =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><font =
face=3D"Calibri, sans-serif" style=3D"font-size: 11pt;" class=3D""><b =
class=3D"">From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">spasm-bounces@ietf.org</a>&gt; =
on behalf of Jim Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com" =
style=3D"color: purple; text-decoration: underline;" =
class=3D"">ietf@augustcellars.com</a>&gt;<br class=3D""><b =
class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
12:13:30 PM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>'Scott Fluhrer (sfluhrer)'; =
'Dang, Quynh (Fed)'; 'SPASM'<br class=3D""><b class=3D"">Subject:</b><span=
 class=3D"Apple-converted-space">&nbsp;</span>Re: [lamps] Side-channel =
attack on multi-level trees and key generation of LMS.</font><div =
class=3D"">&nbsp;</div></div><div lang=3D"EN-US" link=3D"blue" =
vlink=3D"purple" style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D""><div class=3D"x_WordSection1"><div style=3D"margin: =
0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">I understand that, but again there are some trade-offs of =
memory vs time.&nbsp; All of the simple tree saving algorithms I have =
thought of can occasionally require the generation of a large portion of =
the tree depending on what boundaries one is crossing in the tree, this =
means that the signing time is not constant.&nbsp; One can also make =
gains by doing some pre-computation of expected trees as one goes =
along.&nbsp; When you have a tree of trees, one can get lots of speed up =
by saving the signature for all but the bottom most tree so that only =
that tree needs to have portions regenerated until you move to a new =
sub-tree.</div><p class=3D"x_MsoNormal" style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">All of =
these are space/time trade-offs and one needs to understand what the =
extremes are on both ends before one says that a huge single tree is =
better or worse than a lot of small trees, even if the number of levels =
that are created are the same.</div><p class=3D"x_MsoNormal" =
style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif;">&nbsp;</p><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">Jim</div><p=
 class=3D"x_MsoNormal" style=3D"margin: 0in 0in 0.0001pt; font-size: =
11pt; font-family: Calibri, sans-serif;">&nbsp;</p><p =
class=3D"x_MsoNormal" style=3D"margin: 0in 0in 0.0001pt; font-size: =
11pt; font-family: Calibri, sans-serif;">&nbsp;</p><div =
style=3D"border-style: none none none solid; border-left-width: 1.5pt; =
border-left-color: blue; padding: 0in 0in 0in 4pt;" class=3D""><div =
class=3D""><div style=3D"border-style: solid none none; =
border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: =
3pt 0in 0in;" class=3D""><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><b =
class=3D"">From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Scott Fluhrer (sfluhrer) =
&lt;<a href=3D"mailto:sfluhrer@cisco.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">sfluhrer@cisco.com</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><b =
class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
4:28 PM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">ietf@augustcellars.com</a>&gt;; =
'Dang, Quynh (Fed)' &lt;<a =
href=3D"mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">quynh.dang=3D40nist.gov@dmarc.ietf.org</a>&gt;; 'SPASM' =
&lt;<a href=3D"mailto:spasm@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">spasm@ietf.org</a>&gt;<br =
class=3D""><b class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>RE: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.</div></div></div><p class=3D"x_MsoNormal" style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">Actually, =
there are algorithms that are able to generate the next authentication =
path by storing a comparatively small part of the tree, and using only a =
relatively small number of leaf node evaluations.&nbsp; For example,<a =
href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2=
Fwww.szydlo.com%2Ffractal-jmls.pdf&amp;data=3D02%7C01%7Cquynh.dang%40nist.=
.gov%7Cdff17ae48c7244b4d0be08d6b2060b46%7C2ab5d82fd8fa4797a93e054655c61dec=
%7C1%7C0%7C636892136357856166&amp;sdata=3DEfECdJowp9SvSbwh7RtHD1OHVA2dBU7I=
3DF%2FK%2FI7J%2BU%3D&amp;reserved=3D0" =
originalsrc=3D"http://www.szydlo.com/fractal-jmls.pdf" =
shash=3D"N5yGbJiGvGSboyOFI4UJbeTA1DBZg3KvnMIVlo9pDR8XbtsSgQle9o36oHfIJI90i=
F9OC8lvZf8fmAMIwg3S8YWD/pMqvhdt8pcrW6Z/uyI3IwoAoSTEt5JL9LdxkZuNR7B9um9bnt8=
7yAB5+pz2R+yoSirgOYlBjooKkN3bIGA=3D" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">http://www.szydlo.com/fractal-jmls.pdf</a></div><p =
class=3D"x_MsoNormal" style=3D"margin: 0in 0in 0.0001pt; font-size: =
11pt; font-family: Calibri, sans-serif;">&nbsp;</p><div =
style=3D"border-style: none none none solid; border-left-width: 1.5pt; =
border-left-color: blue; padding: 0in 0in 0in 4pt;" class=3D""><div =
class=3D""><div style=3D"border-style: solid none none; =
border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: =
3pt 0in 0in;" class=3D""><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><b =
class=3D"">From:</b><span class=3D"Apple-converted-space">&nbsp;</span>Jim=
 Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">ietf@augustcellars.com</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><b =
class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
11:13 AM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>'Dang, Quynh (Fed)' &lt;<a =
href=3D"mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">quynh.dang=3D40nist.gov@dmarc.ietf.org</a>&gt;; Scott Fluhrer =
(sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">sfluhrer@cisco.com</a>&gt;; 'SPASM' &lt;<a =
href=3D"mailto:spasm@ietf.org" style=3D"color: purple; text-decoration: =
underline;" class=3D"">spasm@ietf.org</a>&gt;<br class=3D""><b =
class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>RE: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.</div></div></div><p class=3D"x_MsoNormal" style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">There is =
one other factor to compare in terms of how big the tree is.&nbsp; For a =
very large tree, if you do not have the resources to keep the entire =
private key set (or a large subset of it) then you get into the =
situation where you regenerate the entire private key tree for each and =
every signature.&nbsp; This is part of the trade off between small key =
size and fast signature generation/usage of time.</div><p =
class=3D"x_MsoNormal" style=3D"margin: 0in 0in 0.0001pt; font-size: =
11pt; font-family: Calibri, sans-serif;">&nbsp;</p><div style=3D"margin: =
0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">Jim</div><p class=3D"x_MsoNormal" style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><p class=3D"x_MsoNormal" style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"border-style: none none none solid; =
border-left-width: 1.5pt; border-left-color: blue; padding: 0in 0in 0in =
4pt;" class=3D""><div class=3D""><div style=3D"border-style: solid none =
none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); =
padding: 3pt 0in 0in;" class=3D""><div style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><b class=3D"">From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">spasm-bounces@ietf.org</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><b class=3D"">On Behalf =
Of<span class=3D"Apple-converted-space">&nbsp;</span></b>Dang, Quynh =
(Fed)<br class=3D""><b class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
3:04 PM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Scott Fluhrer (sfluhrer) =
&lt;<a href=3D"mailto:sfluhrer@cisco.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">sfluhrer@cisco.com</a>&gt;; =
SPASM &lt;<a href=3D"mailto:spasm@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">spasm@ietf.org</a>&gt;<br =
class=3D""><b class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Re: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.</div></div></div><p class=3D"x_MsoNormal" style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div id=3D"x_divtagdefaultwrapper" class=3D""><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">The only downside of 1 level tree =
is its key generation time comparing to multi-level trees. In situations =
(&nbsp;such as a code signing application) where 1,&nbsp;2 or 3 etc.... =
hours of a&nbsp;key generation time is not a problem, then using a =
big&nbsp;1 level tree seems better than using a multi-level =
tree.&nbsp;</span></div><p style=3D"margin-top: 0px; margin-bottom: =
0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">&nbsp;</span></p><div style=3D"margin-top: 0px; =
margin-bottom: 0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">Therefore,&nbsp; some bigger height numbers for 1-level tree =
may be desired.</span></div><p style=3D"margin-top: 0px; margin-bottom: =
0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">&nbsp;</span></p><div style=3D"margin-top: 0px; =
margin-bottom: 0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">Quynh.&nbsp;</span></div></div><div class=3D"x_MsoNormal" =
align=3D"center" style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; =
font-family: Calibri, sans-serif; text-align: center;"><hr size=3D"2" =
width=3D"98%" align=3D"center" class=3D""></div><div =
id=3D"x_divRplyFwdMsg" class=3D""><div style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><b class=3D""><span style=3D"" class=3D"">From:</span></b><span=
 style=3D"" class=3D""><span =
class=3D"Apple-converted-space">&nbsp;</span>Scott Fluhrer (sfluhrer) =
&lt;<a href=3D"mailto:sfluhrer@cisco.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">sfluhrer@cisco.com</a>&gt;<br =
class=3D""><b class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
9:20:05 AM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Dang, Quynh (Fed); SPASM<br =
class=3D""><b class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>RE: [lamps] Side-channel =
attack on multi-level trees and key generation of LMS.</span></div><div =
class=3D""><p class=3D"x_MsoNormal" style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p></div></div><div class=3D""><div class=3D""><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">I<b class=3D"">rom:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">spasm-bounces@ietf.org</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><b class=3D"">On Behalf =
Of<span class=3D"Apple-converted-space">&nbsp;</span></b>Dang, Quynh =
(Fed)<br class=3D""><b class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
9:11 AM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>SPASM &lt;<a =
href=3D"mailto:spasm@ietf.org" style=3D"color: purple; text-decoration: =
underline;" class=3D"">spasm@ietf.org</a>&gt;<br class=3D""><b =
class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>[lamps] Side-channel attack =
on multi-level trees and key generation of LMS.</div><p =
class=3D"x_xmsonormal" style=3D"margin: 0in 0in 0.0001pt; font-size: =
11pt; font-family: Calibri, sans-serif;">&nbsp;</p><div =
id=3D"x_x_divtagdefaultwrapper" class=3D""><div style=3D"margin-top: =
0px; margin-bottom: 0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">Hi all,</span></div><p style=3D"margin-top: 0px; =
margin-bottom: 0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">&nbsp;</span></p><div style=3D"margin-top: 0px; =
margin-bottom: 0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">Here is the attack I mentioned at the meeting today:&nbsp;<a =
href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%=
2Feprint.iacr.org%2F2018%2F674%2F20180713%3A140821&amp;data=3D02%7C01%7Cqu=
ynh.dang%40nist.gov%7Cdff17ae48c7244b4d0be08d6b2060b46%7C2ab5d82fd8fa4797a=
93e054655c61dec%7C1%7C0%7C636892136357866162&amp;sdata=3DMQDZ%2F6NEXUCdvUi=
vnHwRVH0bXgIQb4D5GbCTNovZ3cg%3D&amp;reserved=3D0" =
originalsrc=3D"https://eprint.iacr.org/2018/674/20180713:140821" =
shash=3D"iNUj8eyvgLDSp1+LcvDSZzzVA36LuMYEIJThZR2T0+B0jOwG4RUzIkG/S8i9C2gzf=
LpGGt93iwqAnCMbtG+HB/InOmQURkkTjhykg3Kz43u5y3b7GEs/ZZljw6Jf2e8osNuZUVqKph4=
ByvbTzHgbdNGzogIh5ZaWJJLGE8ff8Bk=3D" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">https://eprint.iacr..org/2018/674/20180713:140821</a>.</span></=
div><p style=3D"margin-top: 0px; margin-bottom: 0px;" =
class=3D"">&nbsp;</p><div style=3D"margin-top: 0px; margin-bottom: 0px;" =
class=3D""><span style=3D"color: rgb(31, 73, 125);" class=3D"">This is a =
fault attack (that is, you try to make the signer miscompute something, =
and then use the miscomputed signature); a signer implementation could =
implement protections against this (of course, those protections are not =
free).</span></div><p style=3D"margin-top: 0px; margin-bottom: 0px;" =
class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">&nbsp;</span></p><div style=3D"margin-top: 0px; =
margin-bottom: 0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">I just looked at the LMS's draft, the single tree with height =
25 ( 2^25 signatures)&nbsp; takes only 1.5 hours.</span></div><p =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D"">&nbsp;</p><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"color: rgb(31, 73, 125);" class=3D"">Clarification on =
this:</span></div><ul type=3D"disc" style=3D"margin-bottom: 0in;" =
class=3D""><li class=3D"x_MsoNormal" style=3D"margin: 0in 0in 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, =
125);">The test used 15 cores (and so it used a total of circa 1 =
core-day)</li><li class=3D"x_MsoNormal" style=3D"margin: 0in 0in =
0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; color: =
rgb(31, 73, 125);">This was done with a W=3D8 parameter set.&nbsp; This =
makes the signature shorter (1936 bytes in this case), however it does =
increase the key generation time; a W=3D4 parameter set would =
approximately double the signature size, while decreasing the key =
generation time by circa a factor of 8.</li></ul><p style=3D"margin-top: =
0px; margin-bottom: 0px;" class=3D""><span style=3D"font-size: 12pt; =
color: rgb(31, 73, 125);" class=3D"">&nbsp;</span></p><p =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">&nbsp;</span></p><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">Regards,</span></div><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">Quynh.&nbsp;</span></div><p =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">&nbsp;</span></p><p =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">&nbsp;</span></p><p =
class=3D"x_xmsonormal" style=3D"margin: 0in 0in 0.0001pt; font-size: =
11pt; font-family: Calibri, sans-serif;"><span style=3D"font-size: =
12pt;" class=3D"">&nbsp;</span></p><div class=3D""><div class=3D""><div =
class=3D""><div class=3D""><p class=3D"x_xmsonormal" style=3D"margin: =
0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, =
sans-serif;"><span style=3D"font-size: 12pt;" =
class=3D"">&nbsp;</span></p></div></div></div></div></div></div></div></di=
v></div></div></div></div><span style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">_______________________________________________</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">Spasm mailing list</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><a =
href=3D"mailto:Spasm@ietf.org" style=3D"color: purple; text-decoration: =
underline; font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" =
class=3D"">Spasm@ietf.org</a><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><a =
href=3D"https://www.ietf.org/mailman/listinfo/spasm" style=3D"color: =
purple; text-decoration: underline; font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px;" =
class=3D"">https://www.ietf.org/mailman/listinfo/spasm</a></div></blockquo=
te></div><br class=3D""></div></body></html>=

--Apple-Mail=_6F0E218C-C06E-4D67-BAA1-566B29E3D2FA--


From nobody Wed Mar 27 03:20:59 2019
Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D18D120278 for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 03:20:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level: 
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tJMMDmYdyoec for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 03:20:53 -0700 (PDT)
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0714.outbound.protection.outlook.com [IPv6:2a01:111:f400:fd01::714]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B93112028F for <spasm@ietf.org>; Wed, 27 Mar 2019 03:20:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ezqJtLnAy6qNGT/ufTjGXKHZh+Ll/SODavTbqQ3sTH8=; b=ma+ahD62rJl6xOV7AlywCQ3JjQQsFiduwtrTq+v6U/FKwJ52O9J6rYtSOM+ZjLRnx0/DdkgarVpq0cRQusAtIqR16ta0wv9YtCIiPEWvt9EoIdDHjXL58/Z7y3A4sjUEog0HvcN6NE3TqUrWjMJ0M14nWptEDZk6kZk7QcQAn9k=
Received: from BYAPR09MB3606.namprd09.prod.outlook.com (20.179.59.145) by BYAPR09MB3606.namprd09.prod.outlook.com (20.179.59.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.15; Wed, 27 Mar 2019 10:20:51 +0000
Received: from BYAPR09MB3606.namprd09.prod.outlook.com ([fe80::8db7:73d5:9614:49fb]) by BYAPR09MB3606.namprd09.prod.outlook.com ([fe80::8db7:73d5:9614:49fb%5]) with mapi id 15.20.1750.014; Wed, 27 Mar 2019 10:20:51 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Russ Housley <housley@vigilsec.com>
CC: SPASM <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VOWMyEHh07WU6WCYCL4KDmBaYd5ZWAgAAKTzaAABUyAIAABCUAgAAMzgCAAAGUx4ABJvwAgAAG5v0=
Date: Wed, 27 Mar 2019 10:20:51 +0000
Message-ID: <BYAPR09MB36066C27008A02735213CB74F3580@BYAPR09MB3606.namprd09.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com> <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com> <BN8PR09MB360492F2741D92172B0AEA3EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <23FADE12-986D-423D-B0C2-6DAF1778E0AD@vigilsec.com>
In-Reply-To: <23FADE12-986D-423D-B0C2-6DAF1778E0AD@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-originating-ip: [2001:67c:370:128:399e:d7bf:94de:f73c]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 52ab8049-0171-485c-c714-08d6b29de348
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:BYAPR09MB3606; 
x-ms-traffictypediagnostic: BYAPR09MB3606:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <BYAPR09MB360606066C884DE2A86441CCF3580@BYAPR09MB3606.namprd09.prod.outlook.com>
x-forefront-prvs: 0989A7979C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(396003)(39860400002)(346002)(136003)(376002)(189003)(53754006)(199004)(106356001)(33656002)(229853002)(7736002)(6606003)(52536014)(53546011)(102836004)(6506007)(1015004)(71190400001)(71200400001)(966005)(6916009)(25786009)(478600001)(19627405001)(6436002)(186003)(46003)(486006)(74316002)(446003)(11346002)(476003)(7696005)(76176011)(9686003)(53936002)(5660300002)(86362001)(6246003)(93886005)(4326008)(8936002)(236005)(81156014)(2906002)(6116002)(81166006)(68736007)(99286004)(105586002)(14454004)(316002)(6306002)(97736004)(606006)(54896002)(256004)(8676002)(55016002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR09MB3606; H:BYAPR09MB3606.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 4s5fC+ZaI0L2H0YjmDvrkBB0FXb+jVzt3wP6N4+/evRfDV/fMpHh4O3RGXMFE/v1tKyhB3Ha/yITOK9tQw/7A839koHO4DglNcyeh9d8IAMeHxBtDHVvPxikubZOxlOOOUfwaSpYMygyfmw9wOoMu4++0Nfle/Hsyqil3UXhHPoznuwr/85isY2zXfYlerQ4ByrkVIGh3Ek9S7uwt7C3HyE1UPWOBCDa8V9o9d7s6M68XFTyDIuPH1uEhjaMd9lGpsvxy6mA1Gs44+Nbc9Eu6CNRgiNyXgknQMp03tWNnenA3yvUdbjFh+cfQubU3WEfTPlyYst1SyPiv0/DIbog3HEHB4WnDb77fRdL6gowpblCML5OlYCjhoiZHmpoPEBZHUagQE1f1T+5wZC2ITmfw6QRUSTcqDzUSybrhAxeAQs=
Content-Type: multipart/alternative; boundary="_000_BYAPR09MB36066C27008A02735213CB74F3580BYAPR09MB3606namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 52ab8049-0171-485c-c714-08d6b29de348
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2019 10:20:51.0719 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR09MB3606
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/q7yayeyo1M7i_4MDd_qRkt8a8SQ>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 10:20:57 -0000

--_000_BYAPR09MB36066C27008A02735213CB74F3580BYAPR09MB3606namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi Russ,

That is not the time and memory trade-off that has been discussed. Time and
memory trade-offs are different ways to perform/build validation paths.

That is the downside of a 1-level tree: key generation time: the whole big
tree must be generated.

Quynh,




________________________________
From: Russ Housley <housley@vigilsec.com>
Sent: Wednesday, March 27, 2019 5:54 AM
To: Dang, Quynh (Fed)
Cc: SPASM
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

Quynh:

That is not correct. In one big tree, all of the nodes need to be populated
to generate the public key. In a tree of trees, the top-most tree must be
populated and then one of the subordinate trees, then a leaf on the top-most
tree is used to sign the public key of the subordinate tree. One does not
have to populate the second subordinate tree until the first one is consumed.

Russ


On Mar 26, 2019, at 12:21 PM, Dang, Quynh (Fed) <quynh.dang@nist.gov> wrote:

Time and memory trade-offs are applicable to both cases. Think of the
multi-level tree as a tree, like a big 1-level tree.

Quynh.
________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 12:13:30 PM
To: 'Scott Fluhrer (sfluhrer)'; 'Dang, Quynh (Fed)'; 'SPASM'
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

I understand that, but again there are some trade-offs of memory vs time.
All of the simple tree saving algorithms I have thought of can occasionally
require the generation of a large portion of the tree depending on what
boundaries one is crossing in the tree; this means that the signing time is
not constant. One can also make gains by doing some pre-computation of
expected trees as one goes along. When you have a tree of trees, one can get
lots of speed-up by saving the signature for all but the bottom-most tree so
that only that tree needs to have portions regenerated until you move to a
new sub-tree.

All of these are space/time trade-offs and one needs to understand what the
extremes are on both ends before one says that a huge single tree is better
or worse than a lot of small trees, even if the number of levels that are
created are the same.



Jim





From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 4:28 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Actually, there are algorithms that are able to generate the next
authentication path by storing a comparatively small part of the tree, and
using only a relatively small number of leaf node evaluations. For example,
http://www.szydlo.com/fractal-jmls.pdf



From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:13 AM
To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



There is one other factor to compare in terms of how big the tree is. For a
very large tree, if you do not have the resources to keep the entire private
key set (or a large subset of it) then you get into the situation where you
regenerate the entire private key tree for each and every signature. This is
part of the trade-off between small key size and fast signature
generation/usage of time.



Jim





From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



The only downside of a 1-level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3 etc. hours of key generation time is not a problem, using a big
1-level tree seems better than using a multi-level tree.

Therefore, some bigger height numbers for a 1-level tree may be desired.



Quynh.
________________________________
From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Hi all,



Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.



This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).



I just looked at the LMS draft; the single tree with height 25 (2^25
signatures) takes only 1.5 hours.



Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature
      shorter (1936 bytes in this case), however it does increase the key
      generation time; a W=4 parameter set would approximately double the
      signature size, while decreasing the key generation time by circa a
      factor of 8.





Regards,
Quynh.









_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm
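
Added example, not part of the thread or of the LMS draft: the signature sizes and key-generation costs argued about above, computed from the LM-OTS/LMS/HSS formulas in RFC 8554 for the SHA-256 (n = 32) parameter sets. The function names are illustrative, and the cost model is an assumption: it counts hash calls only, ignoring private-key derivation and the single top-level signature made during HSS setup.

```python
# Added example: LMS/HSS sizing and key-generation cost, RFC 8554 formulas.
# Assumptions: SHA-256 parameter sets (n = 32); cost = number of hash calls.

N = 32                          # bytes per hash value
LMS_PUBKEY_LEN = 4 + 4 + 16 + N  # lms type, lmots type, identifier I, root
ALLOWED_W = (1, 2, 4, 8)
ALLOWED_H = (5, 10, 15, 20, 25)


def lmots_p(w):
    """Number of Winternitz chains p = u + v for width w."""
    if w not in ALLOWED_W:
        raise ValueError("w must be 1, 2, 4 or 8")
    u = -(-8 * N // w)                            # ceil(8n / w) message digits
    checksum_bits = ((2**w - 1) * u).bit_length()  # floor(lg(max sum)) + 1
    v = -(-checksum_bits // w)                    # checksum digits
    return u + v


def lmots_sig_len(w):
    """u32 type || C || y[0..p-1]."""
    return 4 + N * (lmots_p(w) + 1)


def lms_sig_len(h, w):
    """u32 q || LM-OTS signature || u32 type || h authentication-path nodes."""
    if h not in ALLOWED_H:
        raise ValueError("h must be 5, 10, 15, 20 or 25")
    return 4 + lmots_sig_len(w) + 4 + h * N


def hss_sig_len(levels):
    """levels is a list of (h, w) pairs, top tree first.
    u32 Nspk || (LMS signature || LMS public key) per upper level || LMS sig."""
    sigs = sum(lms_sig_len(h, w) for h, w in levels)
    return 4 + sigs + (len(levels) - 1) * LMS_PUBKEY_LEN


def leaf_hashes(w):
    """Hash calls for one leaf: p chains of 2^w - 1 steps, one hash to
    compress the chain ends into the OTS public key, one leaf hash."""
    return lmots_p(w) * (2**w - 1) + 2


def tree_keygen_hashes(h, w):
    """All 2^h leaves plus the 2^h - 1 interior nodes up to the root."""
    if h not in ALLOWED_H:
        raise ValueError("h must be 5, 10, 15, 20 or 25")
    return 2**h * leaf_hashes(w) + (2**h - 1)


def hss_initial_keygen_hashes(levels):
    """One tree per level is built up front; further subordinate trees are
    built only when the current one is used up."""
    return sum(tree_keygen_hashes(h, w) for h, w in levels)


def hss_capacity(levels):
    """Total number of signatures available across all subordinate trees."""
    total = 1
    for h, _ in levels:
        total *= 2**h
    return total


if __name__ == "__main__":
    single = [(25, 8)]
    two_level = [(15, 8), (10, 8)]   # same 2^25 capacity, split in two levels
    for name, levels in (("single h=25 W=8", single),
                         ("HSS h=15/10 W=8", two_level),
                         ("single h=25 W=4", [(25, 4)])):
        print(f"{name}: capacity 2^{hss_capacity(levels).bit_length() - 1}, "
              f"signature {hss_sig_len(levels)} bytes, "
              f"initial keygen {hss_initial_keygen_hashes(levels):,} hashes")
    print("per-leaf cost W=8 / W=4:",
          round(leaf_hashes(8) / leaf_hashes(4), 2))
```

The two-level row shows both sides of the trade discussed in the thread: the up-front key generation drops by roughly three orders of magnitude, while every signature grows because it carries a second LMS signature and a subordinate public key.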


--_000_BYAPR09MB36066C27008A02735213CB74F3580BYAPR09MB3606namp_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"><!-- P {margin-top:0;margi=
n-bottom:0;} --></style>
</head>
<body dir=3D"ltr">
<div id=3D"divtagdefaultwrapper" style=3D"font-size: 12pt; color: rgb(0, 0,=
 0); font-family: Calibri, Helvetica, sans-serif, Helvetica, EmojiFont, &qu=
ot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &qu=
ot;Segoe UI Symbol&quot;, &quot;Android Emoji&quot;, EmojiSymbols;" dir=3D"=
ltr">
<p style=3D"margin-top:0;margin-bottom:0"></p>
<div dir=3D"ltr" gmail_original=3D"1">Hi Russ,</div>
<div dir=3D"ltr" gmail_original=3D"1"><br>
</div>
<div dir=3D"ltr" gmail_original=3D"1">That is not the time and memory trade=
 offs that has&nbsp; been discussed. Time and memory trade-offs are differe=
nt ways to perform/build validation paths.&nbsp;</div>
<div dir=3D"ltr" gmail_original=3D"1"><br>
</div>
<div dir=3D"ltr" gmail_original=3D"1"><span style=3D"color: rgb(34, 34, 34)=
; font-family: Arial, Helvetica, sans-serif; font-size: small;">That is the=
 downside of 1-level tree: key generation time: the whole big tree must be =
generated.</span></div>
<div dir=3D"ltr" gmail_original=3D"1"><span style=3D"color: rgb(34, 34, 34)=
; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br>
</span></div>
<div dir=3D"ltr" gmail_original=3D"1"><span style=3D"color: rgb(34, 34, 34)=
; font-family: Arial, Helvetica, sans-serif; font-size: small;">Quynh,&nbsp=
;&nbsp;</span><br style=3D"color: rgb(34, 34, 34); font-family: Arial, Helv=
etica, sans-serif; font-size: small;">
<div style=3D"color: rgb(34, 34, 34); font-family: Arial, Helvetica, sans-s=
erif; font-size: small;">
<br>
</div>
</div>
<br>
<p></p>
<br>
<br>
<div style=3D"color: rgb(0, 0, 0);">
<hr style=3D"display:inline-block;width:98%" tabindex=3D"-1">
<div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" st=
yle=3D"font-size:11pt" color=3D"#000000"><b>From:</b> Russ Housley &lt;hous=
ley@vigilsec.com&gt;<br>
<b>Sent:</b> Wednesday, March 27, 2019 5:54 AM<br>
<b>To:</b> Dang, Quynh (Fed)<br>
<b>Cc:</b> SPASM<br>
<b>Subject:</b> Re: [lamps] Side-channel attack on multi-level trees and ke=
y generation of LMS.</font>
<div>&nbsp;</div>
</div>
<div class=3D"" style=3D"word-wrap:break-word; line-break:after-white-space=
">Quynh:
<div class=3D""><br class=3D"">
</div>
<div class=3D"">That is not correct. In one big tree, all of the nodes need=
 to be populated to generate the public key. &nbsp;In a tree of trees, the =
top-most tree must be populated and then one of the subordinate trees, then=
 a leaf on the top-most tree is used to
 sign the public key of the subordinate tree. &nbsp;One does not have to po=
pulate the second subordinate tree until the first one is consumed.</div>
<div class=3D""><br class=3D"">
</div>
<div class=3D"">Russ</div>
<div class=3D""><br class=3D"">
<div><br class=3D"">
<blockquote type=3D"cite" class=3D"">
<div class=3D"">On Mar 26, 2019, at 12:21 PM, Dang, Quynh (Fed) &lt;<a href=
=3D"mailto:quynh.dang@nist.gov" class=3D"OWAAutoLink" id=3D"LPlnk609967" pr=
eviewremoved=3D"true">quynh.dang@nist.gov</a>&gt; wrote:</div>
<br class=3D"x_Apple-interchange-newline">
<div class=3D"">
<div id=3D"x_divtagdefaultwrapper" dir=3D"ltr" class=3D"" style=3D"font-sty=
le: normal; font-variant-caps: normal; font-weight: normal; letter-spacing:=
 normal; text-align: start; text-indent: 0px; text-transform: none; white-s=
pace: normal; word-spacing: 0px; text-decoration: none; font-size: 12pt; fo=
nt-family: Calibri, Helvetica, sans-serif, Helvetica, EmojiFont, &quot;Appl=
e Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, NotoColorEmoji, &quot;Sego=
e UI Symbol&quot;, &quot;Android Emoji&quot;, EmojiSymbols;">
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px">time and memory=
 trade-offs are applicable to both cases. Think the multi-level tree is a t=
ree, like a big 1-level tree.&nbsp;</div>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><br class=3D"">
</div>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px">Quynh.&nbsp;</d=
iv>
</div>
<hr tabindex=3D"-1" class=3D"" style=3D"font-family:Helvetica; font-size:12=
px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter=
-spacing:normal; text-align:start; text-indent:0px; text-transform:none; wh=
ite-space:normal; word-spacing:0px; text-decoration:none; display:inline-bl=
ock; width:1351.40625px">
<span class=3D"" style=3D"font-family:Helvetica; font-size:12px; font-style=
:normal; font-variant-caps:normal; font-weight:normal; letter-spacing:norma=
l; text-align:start; text-indent:0px; text-transform:none; white-space:norm=
al; word-spacing:0px; text-decoration:none; float:none; display:inline!impo=
rtant"></span>
<div id=3D"x_divRplyFwdMsg" dir=3D"ltr" class=3D"" style=3D"font-family:Hel=
vetica; font-size:12px; font-style:normal; font-variant-caps:normal; font-w=
eight:normal; letter-spacing:normal; text-align:start; text-indent:0px; tex=
t-transform:none; white-space:normal; word-spacing:0px; text-decoration:non=
e">
<font face=3D"Calibri, sans-serif" class=3D"" style=3D"font-size:11pt"><b c=
lass=3D"">From:</b><span class=3D"x_Apple-converted-space">&nbsp;</span>Spa=
sm &lt;<a href=3D"mailto:spasm-bounces@ietf.org" class=3D"OWAAutoLink" styl=
e=3D"color:purple; text-decoration:underline" id=3D"LPlnk780650" previewrem=
oved=3D"true">spasm-bounces@ietf.org</a>&gt;
 on behalf of Jim Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com" clas=
s=3D"OWAAutoLink" style=3D"color:purple; text-decoration:underline" id=3D"L=
Plnk756331" previewremoved=3D"true">ietf@augustcellars.com</a>&gt;<br class=
=3D"">
<b class=3D"">Sent:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Tuesday, March 26, 2019 12:13:30 PM<br class=3D"">
<b class=3D"">To:</b><span class=3D"x_Apple-converted-space">&nbsp;</span>'=
Scott Fluhrer (sfluhrer)'; 'Dang, Quynh (Fed)'; 'SPASM'<br class=3D"">
<b class=3D"">Subject:</b><span class=3D"x_Apple-converted-space">&nbsp;</s=
pan>Re: [lamps] Side-channel attack on multi-level trees and key generation=
 of LMS.</font>
<div class=3D"">&nbsp;</div>
</div>
<div lang=3D"EN-US" class=3D"" style=3D"font-family:Helvetica; font-size:12=
px; font-style:normal; font-variant-caps:normal; font-weight:normal; letter=
-spacing:normal; text-align:start; text-indent:0px; text-transform:none; wh=
ite-space:normal; word-spacing:0px; text-decoration:none">
<div class=3D"x_x_WordSection1">
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
I understand that, but again there are some trade-offs of memory vs time.&n=
bsp; All of the simple tree saving algorithms I have thought of can occasio=
nally require the generation of a large portion of the tree depending on wh=
at boundaries one is crossing in the
 tree, this means that the signing time is not constant.&nbsp; One can also=
 make gains by doing some pre-computation of expected trees as one goes alo=
ng.&nbsp; When you have a tree of trees, one can get lots of speed up by sa=
ving the signature for all but the bottom
 most tree so that only that tree needs to have portions regenerated until =
you move to a new sub-tree.</div>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
All of these are space/time trade-offs and one needs to understand what the=
 extremes are on both ends before one says that a huge single tree is bette=
r or worse than a lot of small trees, even if the number of levels that are=
 created are the same.</div>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
Jim</div>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<div class=3D"" style=3D"border-style:none none none solid; border-left-wid=
th:1.5pt; border-left-color:blue; padding:0in 0in 0in 4pt">
<div class=3D"">
<div class=3D"" style=3D"border-style:solid none none; border-top-width:1pt=
; border-top-color:rgb(225,225,225); padding:3pt 0in 0in">
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
<b class=3D"">From:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Scott Fluhrer (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com" class=
=3D"OWAAutoLink" style=3D"color:purple; text-decoration:underline" id=3D"LP=
lnk591032" previewremoved=3D"true">sfluhrer@cisco.com</a>&gt;<span class=3D=
"x_Apple-converted-space">&nbsp;</span><br class=3D"">
<b class=3D"">Sent:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Tuesday, March 26, 2019 4:28 PM<br class=3D"">
<b class=3D"">To:</b><span class=3D"x_Apple-converted-space">&nbsp;</span>J=
im Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com" class=3D"OWAAutoLin=
k" style=3D"color:purple; text-decoration:underline" id=3D"LPlnk458370" pre=
viewremoved=3D"true">ietf@augustcellars.com</a>&gt;; 'Dang,
 Quynh (Fed)' &lt;<a href=3D"mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org"=
 class=3D"OWAAutoLink" style=3D"color:purple; text-decoration:underline" id=
=3D"LPlnk572385" previewremoved=3D"true">quynh.dang=3D40nist.gov@dmarc.ietf=
.org</a>&gt;; 'SPASM' &lt;<a href=3D"mailto:spasm@ietf.org" class=3D"OWAAut=
oLink" style=3D"color:purple; text-decoration:underline" id=3D"LPlnk427737"=
 previewremoved=3D"true">spasm@ietf.org</a>&gt;<br class=3D"">
<b class=3D"">Subject:</b><span class=3D"x_Apple-converted-space">&nbsp;</s=
pan>RE: [lamps] Side-channel attack on multi-level trees and key generation=
 of LMS.</div>
</div>
</div>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
Actually, there are algorithms that are able to generate the next authentic=
ation path by storing a comparatively small part of the tree, and using onl=
y a relatively small number of leaf node evaluations.&nbsp; For example,<a =
href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2F=
www.szydlo.com%2Ffractal-jmls.pdf&amp;data=3D02%7C01%7Cquynh.dang%40nist..g=
ov%7Cdff17ae48c7244b4d0be08d6b2060b46%7C2ab5d82fd8fa4797a93e054655c61dec%7C=
1%7C0%7C636892136357856166&amp;sdata=3DEfECdJowp9SvSbwh7RtHD1OHVA2dBU7I3DF%=
2FK%2FI7J%2BU%3D&amp;reserved=3D0" originalsrc=3D"http://www.szydlo.com/fra=
ctal-jmls.pdf" shash=3D"N5yGbJiGvGSboyOFI4UJbeTA1DBZg3KvnMIVlo9pDR8XbtsSgQl=
e9o36oHfIJI90iF9OC8lvZf8fmAMIwg3S8YWD/pMqvhdt8pcrW6Z/uyI3IwoAoSTEt5JL9LdxkZ=
uNR7B9um9bnt87yAB5&#43;pz2R&#43;yoSirgOYlBjooKkN3bIGA=3D" class=3D"OWAAutoL=
ink" style=3D"color:purple; text-decoration:underline" id=3D"LPlnk793120" p=
reviewremoved=3D"true">http://www.szydlo.com/fractal-jmls.pdf</a></div>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<div class=3D"" style=3D"border-style:none none none solid; border-left-wid=
th:1.5pt; border-left-color:blue; padding:0in 0in 0in 4pt">
<div class=3D"">
<div class=3D"" style=3D"border-style:solid none none; border-top-width:1pt=
; border-top-color:rgb(225,225,225); padding:3pt 0in 0in">
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
<b class=3D"">From:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Jim Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com" class=3D"OWAAutoL=
ink" style=3D"color:purple; text-decoration:underline" id=3D"LPlnk812116" p=
reviewremoved=3D"true">ietf@augustcellars.com</a>&gt;<span class=3D"x_Apple=
-converted-space">&nbsp;</span><br class=3D"">
<b class=3D"">Sent:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Tuesday, March 26, 2019 11:13 AM<br class=3D"">
<b class=3D"">To:</b><span class=3D"x_Apple-converted-space">&nbsp;</span>'=
Dang, Quynh (Fed)' &lt;<a href=3D"mailto:quynh.dang=3D40nist.gov@dmarc.ietf=
.org" class=3D"OWAAutoLink" style=3D"color:purple; text-decoration:underlin=
e" id=3D"LPlnk173919" previewremoved=3D"true">quynh.dang=3D40nist.gov@dmarc=
.ietf.org</a>&gt;;
 Scott Fluhrer (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com" class=
=3D"OWAAutoLink" style=3D"color:purple; text-decoration:underline" id=3D"LP=
lnk440372" previewremoved=3D"true">sfluhrer@cisco.com</a>&gt;; 'SPASM' &lt;=
<a href=3D"mailto:spasm@ietf.org" class=3D"OWAAutoLink" style=3D"color:purp=
le; text-decoration:underline" id=3D"LPlnk481446" previewremoved=3D"true">s=
pasm@ietf.org</a>&gt;<br class=3D"">
<b class=3D"">Subject:</b><span class=3D"x_Apple-converted-space">&nbsp;</s=
pan>RE: [lamps] Side-channel attack on multi-level trees and key generation=
 of LMS.</div>
</div>
</div>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
There is one other factor to compare in terms of how big the tree is.&nbsp;=
 For a very large tree, if you do not have the resources to keep the entire=
 private key set (or a large subset of it) then you get into the situation =
where you regenerate the entire private
 key tree for each and every signature.&nbsp; This is part of the trade off=
 between small key size and fast signature generation/usage of time.</div>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
Jim</div>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<div class=3D"" style=3D"border-style:none none none solid; border-left-wid=
th:1.5pt; border-left-color:blue; padding:0in 0in 0in 4pt">
<div class=3D"">
<div class=3D"" style=3D"border-style:solid none none; border-top-width:1pt=
; border-top-color:rgb(225,225,225); padding:3pt 0in 0in">
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
<b class=3D"">From:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Spasm &lt;<a href=3D"mailto:spasm-bounces@ietf.org" class=3D"OWAAutoLink" =
style=3D"color:purple; text-decoration:underline" id=3D"LPlnk657803" previe=
wremoved=3D"true">spasm-bounces@ietf.org</a>&gt;<span class=3D"x_Apple-conv=
erted-space">&nbsp;</span><b class=3D"">On
 Behalf Of<span class=3D"x_Apple-converted-space">&nbsp;</span></b>Dang, Qu=
ynh (Fed)<br class=3D"">
<b class=3D"">Sent:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Tuesday, March 26, 2019 3:04 PM<br class=3D"">
<b class=3D"">To:</b><span class=3D"x_Apple-converted-space">&nbsp;</span>S=
cott Fluhrer (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com" class=3D"=
OWAAutoLink" style=3D"color:purple; text-decoration:underline" id=3D"LPlnk5=
21635" previewremoved=3D"true">sfluhrer@cisco.com</a>&gt;;
 SPASM &lt;<a href=3D"mailto:spasm@ietf.org" class=3D"OWAAutoLink" style=3D=
"color:purple; text-decoration:underline" id=3D"LPlnk948547" previewremoved=
=3D"true">spasm@ietf.org</a>&gt;<br class=3D"">
<b class=3D"">Subject:</b><span class=3D"x_Apple-converted-space">&nbsp;</s=
pan>Re: [lamps] Side-channel attack on multi-level trees and key generation=
 of LMS.</div>
</div>
</div>
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
<div id=3D"x_x_divtagdefaultwrapper" class=3D"" style=3D"font-family: Helve=
tica, Helvetica, EmojiFont, &quot;Apple Color Emoji&quot;, &quot;Segoe UI E=
moji&quot;, NotoColorEmoji, &quot;Segoe UI Symbol&quot;, &quot;Android Emoj=
i&quot;, EmojiSymbols;">
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"font-size:12pt">The only downside of 1 level tree is its key gen=
eration time comparing to multi-level trees. In situations (&nbsp;such as a=
 code signing application) where 1,&nbsp;2 or 3 etc....
 hours of a&nbsp;key generation time is not a problem, then using a big&nbs=
p;1 level tree seems better than using a multi-level tree.&nbsp;</span></di=
v>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"" =
style=3D"font-size:12pt">&nbsp;</span></p>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"font-size:12pt">Therefore,&nbsp; some bigger height numbers for =
1-level tree may be desired.</span></div>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"" =
style=3D"font-size:12pt">&nbsp;</span></p>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"font-size:12pt">Quynh.&nbsp;</span></div>
</div>
<div class=3D"x_x_MsoNormal" align=3D"center" style=3D"margin:0in 0in 0.000=
1pt; font-size:11pt; font-family:Calibri,sans-serif; text-align:center">
<hr size=3D"2" width=3D"98%" align=3D"center" class=3D"">
</div>
<div id=3D"x_x_divRplyFwdMsg" class=3D"">
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
<b class=3D""><span class=3D"" style=3D"">From:</span></b><span class=3D"" =
style=3D""><span class=3D"x_Apple-converted-space">&nbsp;</span>Scott Fluhr=
er (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com" class=3D"OWAAutoLin=
k" style=3D"color:purple; text-decoration:underline" id=3D"LPlnk821636" pre=
viewremoved=3D"true">sfluhrer@cisco.com</a>&gt;<br class=3D"">
<b class=3D"">Sent:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Tuesday, March 26, 2019 9:20:05 AM<br class=3D"">
<b class=3D"">To:</b><span class=3D"x_Apple-converted-space">&nbsp;</span>D=
ang, Quynh (Fed); SPASM<br class=3D"">
<b class=3D"">Subject:</b><span class=3D"x_Apple-converted-space">&nbsp;</s=
pan>RE: [lamps] Side-channel attack on multi-level trees and key generation=
 of LMS.</span></div>
<div class=3D"">
<p class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt=
; font-family:Calibri,sans-serif">
&nbsp;</p>
</div>
</div>
<div class=3D"">
<div class=3D"">
<div class=3D"" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; font-fami=
ly:Calibri,sans-serif">
<b class=3D"">From:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Spasm &lt;<a href=3D"mailto:spasm-bounces@ietf.org" class=3D"OWAAutoLink" =
style=3D"color:purple; text-decoration:underline" id=3D"LPlnk482829" previe=
wremoved=3D"true">spasm-bounces@ietf.org</a>&gt;<span class=3D"x_Apple-conv=
erted-space">&nbsp;</span><b class=3D"">On
 Behalf Of<span class=3D"x_Apple-converted-space">&nbsp;</span></b>Dang, Qu=
ynh (Fed)<br class=3D"">
<b class=3D"">Sent:</b><span class=3D"x_Apple-converted-space">&nbsp;</span=
>Tuesday, March 26, 2019 9:11 AM<br class=3D"">
<b class=3D"">To:</b><span class=3D"x_Apple-converted-space">&nbsp;</span>S=
PASM &lt;<a href=3D"mailto:spasm@ietf.org" class=3D"OWAAutoLink" style=3D"c=
olor:purple; text-decoration:underline" id=3D"LPlnk262153" previewremoved=
=3D"true">spasm@ietf.org</a>&gt;<br class=3D"">
<b class=3D"">Subject:</b><span class=3D"x_Apple-converted-space">&nbsp;</s=
pan>[lamps] Side-channel attack on multi-level trees and key generation of =
LMS.</div>
<p class=3D"x_x_xmsonormal" style=3D"margin:0in 0in 0.0001pt; font-size:11p=
t; font-family:Calibri,sans-serif">
&nbsp;</p>
<div id=3D"x_x_x_divtagdefaultwrapper" class=3D"" style=3D"font-family: Hel=
vetica, Helvetica, EmojiFont, &quot;Apple Color Emoji&quot;, &quot;Segoe UI=
 Emoji&quot;, NotoColorEmoji, &quot;Segoe UI Symbol&quot;, &quot;Android Em=
oji&quot;, EmojiSymbols;">
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"font-size:12pt">Hi all,</span></div>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"" =
style=3D"font-size:12pt">&nbsp;</span></p>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"font-size:12pt">Here is the attack I mentioned at the meeting to=
day:&nbsp;<a href=3D"https://eprint.iacr.org/2018/674/20180713:140821"=
 id=3D"LPlnk663839" class=3D"OWAAutoLink" previewremoved=3D"true">https:/=
/eprint.iacr.org/2018/674/20180713:140821</a>.</span></div>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"color:rgb(31,73,125)">This is a fault attack (that is, you try t=
o make the signer miscompute something, and then use the miscomputed signat=
ure); a signer implementation could implement
 protections against this (of course, those protections are not free).</spa=
n></div>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"" =
style=3D"font-size:12pt">&nbsp;</span></p>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"font-size:12pt">I just looked at the LMS's draft, the single tre=
e with height 25 ( 2^25 signatures)&nbsp; takes only 1.5 hours.</span></div=
>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"color:rgb(31,73,125)">Clarification on this:</span></div>
<ul type=3D"disc" class=3D"" style=3D"margin-bottom:0in">
<li class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11p=
t; font-family:Calibri,sans-serif; color:rgb(31,73,125)">
The test used 15 cores (and so it used a total of circa 1 core-day)</li><li=
 class=3D"x_x_MsoNormal" style=3D"margin:0in 0in 0.0001pt; font-size:11pt; =
font-family:Calibri,sans-serif; color:rgb(31,73,125)">
This was done with a W=3D8 parameter set.&nbsp; This makes the signature sh=
orter (1936 bytes in this case), however it does increase the key generatio=
n time; a W=3D4 parameter set would approximately double the signature size=
, while decreasing the key generation time
 by circa a factor of 8.</li></ul>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"" =
style=3D"font-size:12pt; color:rgb(31,73,125)">&nbsp;</span></p>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"" =
style=3D"font-size:12pt">&nbsp;</span></p>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"font-size:12pt">Regards,</span></div>
<div class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"=
" style=3D"font-size:12pt">Quynh.&nbsp;</span></div>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"" =
style=3D"font-size:12pt">&nbsp;</span></p>
<p class=3D"" style=3D"margin-top:0px; margin-bottom:0px"><span class=3D"" =
style=3D"font-size:12pt">&nbsp;</span></p>
<p class=3D"x_x_xmsonormal" style=3D"margin:0in 0in 0.0001pt; font-size:11p=
t; font-family:Calibri,sans-serif">
<span class=3D"" style=3D"font-size:12pt">&nbsp;</span></p>
<div class=3D"">
<div class=3D"">
<div class=3D"">
<div class=3D"">
<p class=3D"x_x_xmsonormal" style=3D"margin:0in 0in 0.0001pt; font-size:11p=
t; font-family:Calibri,sans-serif">
<span class=3D"" style=3D"font-size:12pt">&nbsp;</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class=3D"">
</div>
</div>
</div>
</div>
</body>
</html>

--_000_BYAPR09MB36066C27008A02735213CB74F3580BYAPR09MB3606namp_--


From nobody Wed Mar 27 04:00:26 2019
Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D607912062E for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 04:00:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.511
X-Spam-Level: 
X-Spam-Status: No, score=-12.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gxRx2TQ1ivpS for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 04:00:00 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE9EE120476 for <spasm@ietf.org>; Wed, 27 Mar 2019 03:59:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=25293; q=dns/txt; s=iport; t=1553684399; x=1554893999; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=MYe7w8Yq0NzUVknbYZGspqwUn3X8m8FI24DIBXL5/Tg=; b=Z+RyAclswo2fbVO70KDtDGPKge6choQHLsBON213mqQDI8VHu9eJuL5R jKFWP5UijF8ahYYNlgCQiXAeE+Nk6Bz78UlyjRKfvkiOKs6RPgWX/im33 btnpzVViYQgwo6+GP/eLEgN+N9vU3f6Outn7LqaCFp8Rjwk4MyeF1OkG/ I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AsAABEV5tc/5RdJa1jGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBZYEPUy9ogQMnCoVjkWGCDZo3DQEBIoEPXYJeAoUtIjg?= =?us-ascii?q?SAQEDAQEJAQMCbRwMhUoBAQECAi0/HQIBCA4DBAEBIQcHMhQJCAIEARIIgxU?= =?us-ascii?q?EAoERTAMVD6tJhDABg1QDgimBLwGIZ4JKF4FAP4NuBy4+gmEBAgEYgTMZMYU?= =?us-ascii?q?rA4pSIIYph0qLZmAJAodqi1MilAyIMYFtgQ6GCY0xAhEVgS42IQ2BSXAVgyc?= =?us-ascii?q?JCoFTLQIYg0szhGGFP0ExAQEBAY0lgS0ybQEB?=
X-IronPort-AV: E=Sophos;i="5.60,276,1549929600";  d="scan'208,217";a="543469359"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 27 Mar 2019 10:59:57 +0000
Received: from XCH-RTP-009.cisco.com (xch-rtp-009.cisco.com [64.101.220.149]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id x2RAxviI006666 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 27 Mar 2019 10:59:57 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-009.cisco.com (64.101.220.149) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 27 Mar 2019 06:59:56 -0400
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1473.003; Wed, 27 Mar 2019 06:59:56 -0400
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Dang, Quynh (Fed)'" <quynh.dang=40nist.gov@dmarc.ietf.org>, "'SPASM'" <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VXPtCcAwv+dECjmnZztrzUW6Yd47nAgABRKwCAABNAAP//vYTQgABTbwCAAPSFgA==
Date: Wed, 27 Mar 2019 10:59:55 +0000
Message-ID: <880932bf30944ec7a7883c99a42af9c3@XCH-RTP-006.cisco.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>, <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com> <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com>
In-Reply-To: <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.64.141]
Content-Type: multipart/alternative; boundary="_000_880932bf30944ec7a7883c99a42af9c3XCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.149, xch-rtp-009.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1LiGwRsEKbcuX3A2ZKDK1Qw3HCU>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 11:00:12 -0000

--_000_880932bf30944ec7a7883c99a42af9c3XCHRTP006ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 12:14 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

I understand that, but again there are some trade-offs of memory vs time.
All of the simple tree saving algorithms I have thought of can occasionally
require the generation of a large portion of the tree depending on what
boundaries one is crossing in the tree; this means that the signing time is
not constant.  One can also make gains by doing some pre-computation of
expected trees as one goes along.  When you have a tree of trees, one can
get lots of speed up by saving the signature for all but the bottom most
tree so that only that tree needs to have portions regenerated until you
move to a new sub-tree.

Again, there are better algorithms known; as an example to the fractal
method I gave a link to before, if we have a H=25 tree (circa 32 million
leaf nodes), we can perform a walk by storing a maximum of 158 Merkle node
values, and for each signature, performing 6 leaf public key recomputations
per signature (not counting the OTS signature generation and a handful of
hash computations while we combine Merkle nodes).  For this algorithm, it
always has the current authentication path entirely in memory; the entire
computation done is performing pre-computation so we're set up for the next
authentication path.
The BDS algorithm works even better if you have minimal storage for
internal Merkle nodes; see
https://www-old.cdc.informatik.tu-darmstadt.de/reports/reports/BDS08.pdf

All of these are space/time trade-offs and one needs to understand what the
extremes are on both ends before one says that a huge single tree is better
or worse than a lot of small trees, even if the number of levels that are
created are the same.

Jim


From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 4:28 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

Actually, there are algorithms that are able to generate the next
authentication path by storing a comparatively small part of the tree, and
using only a relatively small number of leaf node evaluations.  For example,
http://www.szydlo.com/fractal-jmls.pdf

From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:13 AM
To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

There is one other factor to compare in terms of how big the tree is.  For
a very large tree, if you do not have the resources to keep the entire
private key set (or a large subset of it) then you get into the situation
where you regenerate the entire private key tree for each and every
signature.  This is part of the trade-off between small key size and fast
signature generation/usage of time.

Jim


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

The only downside of 1 level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3 etc... hours of a key generation time is not a problem, then using
a big 1 level tree seems better than using a multi-level tree.

Therefore, some bigger height numbers for 1-level tree may be desired.



Quynh.

________________________________
From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Hi all,



Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.

This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).

I just looked at the LMS draft, the single tree with height 25 (2^25
signatures) takes only 1.5 hours.

Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature
      shorter (1936 bytes in this case), however it does increase the key
      generation time; a W=4 parameter set would approximately double the
      signature size, while decreasing the key generation time by circa a
      factor of 8.





Regards,

Quynh.
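
Added example (not part of the original messages, and not code from the LMS draft or any implementation): a toy Python model of the memory/time trade-off discussed in this thread. It keeps the upper levels of a Merkle tree plus one bottom subtree in memory and counts leaf recomputations per signature, so the non-constant signing cost at subtree boundaries becomes visible. The tree height H=8, subtree height K=4, the SHA-256 stand-in for an OTS public key and all function names are assumptions made for illustration.

```python
import hashlib

leaf_evals = 0  # number of (expensive) leaf public key computations so far


def leaf(i):
    """Stand-in for computing the OTS public key of leaf i (assumption:
    one SHA-256 call replaces the real Winternitz chain work)."""
    global leaf_evals
    leaf_evals += 1
    return hashlib.sha256(b"leaf" + i.to_bytes(4, "big")).digest()


def parent(left, right):
    return hashlib.sha256(b"node" + left + right).digest()


def build(first_leaf, height):
    """Compute every level of the subtree over 2^height consecutive leaves.
    levels[0] holds the leaves, levels[height] the single subtree root."""
    level = [leaf(first_leaf + j) for j in range(1 << height)]
    levels = [level]
    while len(level) > 1:
        level = [parent(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        levels.append(level)
    return levels


def naive_auth_path(q, H):
    """Keep nothing in memory: regenerate the whole tree for each signature."""
    levels = build(0, H)
    return [levels[h][(q >> h) ^ 1] for h in range(H)]


class CachedSigner:
    """Keeps all nodes at height K..H plus the bottom subtree in current use."""

    def __init__(self, H, K):
        self.H, self.K = H, K
        full = build(0, H)            # key generation touches all 2^H leaves
        self.root = full[H][0]
        self.top = full[K:]           # kept for the lifetime of the key
        self.bottom = [lvl[: 1 << (K - h)] for h, lvl in enumerate(full[: K + 1])]
        self.sub = 0                  # index of the cached bottom subtree

    def auth_path(self, q):
        sub = q >> self.K
        if sub != self.sub:           # crossed a subtree boundary: rebuild it
            self.bottom = build(sub << self.K, self.K)
            self.sub = sub
        local = q & ((1 << self.K) - 1)
        low = [self.bottom[h][(local >> h) ^ 1] for h in range(self.K)]
        high = [self.top[h - self.K][(q >> h) ^ 1] for h in range(self.K, self.H)]
        return low + high

    def stored_nodes(self):
        return sum(map(len, self.top)) + sum(map(len, self.bottom))


def root_from_path(q, leaf_value, path):
    """Verifier side: fold the authentication path back up to the root."""
    node = leaf_value
    for h, sibling in enumerate(path):
        node = parent(sibling, node) if (q >> h) & 1 else parent(node, sibling)
    return node


def measure(H=8, K=4):
    """Sign with every leaf once; report leaf recomputations per signature."""
    global leaf_evals
    leaf_evals = 0
    signer = CachedSigner(H, K)
    keygen_cost = leaf_evals
    costs, paths, all_valid = [], [], True
    for q in range(1 << H):
        before = leaf_evals
        path = signer.auth_path(q)
        costs.append(leaf_evals - before)
        paths.append(path)
        all_valid &= root_from_path(q, leaf(q), path) == signer.root
    sample = (1 << H) // 3
    before = leaf_evals
    naive_matches = naive_auth_path(sample, H) == paths[sample]
    return {
        "keygen_cost": keygen_cost,
        "costs": costs,
        "naive_cost_per_signature": leaf_evals - before,
        "naive_matches_cached": naive_matches,
        "stored_nodes": signer.stored_nodes(),
        "all_valid": all_valid,
    }


if __name__ == "__main__":
    r = measure()
    print("keygen:", r["keygen_cost"], "naive per signature:",
          r["naive_cost_per_signature"], "cached max:", max(r["costs"]),
          "stored nodes:", r["stored_nodes"])
```

In this model most signatures cost no leaf recomputation while every 2^K-th one costs 2^K, which is the spike that the fractal and BDS traversal schedules referenced in the thread spread across signatures.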









--_000_880932bf30944ec7a7883c99a42af9c3XCHRTP006ciscocom_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div style=3D"border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt">
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b>From:</b> Jim Schaad &lt;ietf@augustcellars.com&g=
t; <br>
<b>Sent:</b> Tuesday, March 26, 2019 12:14 PM<br>
<b>To:</b> Scott Fluhrer (sfluhrer) &lt;sfluhrer@cisco.com&gt;; 'Dang, Quyn=
h (Fed)' &lt;quynh.dang=3D40nist.gov@dmarc.ietf.org&gt;; 'SPASM' &lt;spasm@=
ietf.org&gt;<br>
<b>Subject:</b> RE: [lamps] Side-channel attack on multi-level trees and ke=
y generation of LMS.<o:p></o:p></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">I understand that, but again there are some trade-offs of memory vs time.&nbsp; All of the simple tree saving algorithms I have thought of can occasionally require the generation of a large portion of the tree depending on what boundaries one is crossing in the tree, this means that the signing time is not constant.&nbsp; One can also make gains by doing some pre-computation of expected trees as one goes along.&nbsp; When you have a tree of trees, one can get lots of speed up by saving the signature for all but the bottom most tree so that only that tree needs to have portions regenerated until you move to a new sub-tree.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><span style=3D"color:#C0504D">Again, there are better algorithms known; as an example to the fractal method I gave a link to before, if we have a H=25 tree (circa 32 million leaf nodes), we can perform a walk by storing a maximum of 158 Merkle node values, and for each signature, performing 6 leaf public key recomputations per signature (not counting the OTS signature generation and a handful of hash computations while we combine Merkle nodes).&nbsp; For this algorithm, it always has the current authentication path entirely in memory; the entire computation done is performing pre-computation so we&#8217;re set up for the next authentication path.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#C0504D">The BDS algorithm works even better if you have minimal storage for internal Merkle nodes; see <a href=3D"https://www-old.cdc.informatik.tu-darmstadt.de/reports/reports/BDS08.pdf">https://www-old.cdc.informatik.tu-darmstadt.de/reports/reports/BDS08.pdf</a><o:p></o:p></span></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">All of these are space/time trade-offs and one needs to understand what the extremes are on both ends before one says that a huge single tree is better or worse than a lot of small trees, even if the number of levels that are created are the same.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Jim<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div style=3D"border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class=3D"MsoNormal"><b>From:</b> Scott Fluhrer (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;
<br>
<b>Sent:</b> Tuesday, March 26, 2019 4:28 PM<br>
<b>To:</b> Jim Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;; 'Dang, Quynh (Fed)' &lt;<a href=3D"mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org">quynh.dang=40nist.gov@dmarc.ietf.org</a>&gt;; 'SPASM' &lt;<a href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br>
<b>Subject:</b> RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.<o:p></o:p></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Actually, there are algorithms that are able to generate the next authentication path by storing a comparatively small part of the tree, and using only a relatively small number of leaf node evaluations.&nbsp; For example, <a href=3D"http://www.szydlo.com/fractal-jmls.pdf">http://www.szydlo.com/fractal-jmls.pdf</a>
<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div style=3D"border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class=3D"MsoNormal"><b>From:</b> Jim Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;
<br>
<b>Sent:</b> Tuesday, March 26, 2019 11:13 AM<br>
<b>To:</b> 'Dang, Quynh (Fed)' &lt;<a href=3D"mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org">quynh.dang=40nist.gov@dmarc.ietf.org</a>&gt;; Scott Fluhrer (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;; 'SPASM' &lt;<a href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br>
<b>Subject:</b> RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.<o:p></o:p></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">There is one other factor to compare in terms of how big the tree is.&nbsp; For a very large tree, if you do not have the resources to keep the entire private key set (or a large subset of it) then you get into the situation where you regenerate the entire private key tree for each and every signature.&nbsp; This is part of the trade off between small key size and fast signature generation/usage of time.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Jim<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div style=3D"border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class=3D"MsoNormal"><b>From:</b> Spasm &lt;<a href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt;
<b>On Behalf Of </b>Dang, Quynh (Fed)<br>
<b>Sent:</b> Tuesday, March 26, 2019 3:04 PM<br>
<b>To:</b> Scott Fluhrer (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;; SPASM &lt;<a href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br>
<b>Subject:</b> Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.<o:p></o:p></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div id=3D"divtagdefaultwrapper">
<p><span style=3D"font-size:12.0pt;color:black">The only downside of 1 level tree is its key generation time comparing to multi-level trees. In situations (&nbsp;such as a code signing application) where 1,&nbsp;2 or 3 etc... hours of a&nbsp;key generation time is not a problem, then using a big&nbsp;1 level tree seems better than using a multi-level tree.&nbsp;<o:p></o:p></span></p>
<p><span style=3D"font-size:12.0pt;color:black"><o:p>&nbsp;</o:p></span></p>
<p><span style=3D"font-size:12.0pt;color:black">Therefore,&nbsp; some bigger height numbers for 1-level tree may be desired.<o:p></o:p></span></p>
<p><span style=3D"font-size:12.0pt;color:black"><o:p>&nbsp;</o:p></span></p>
<p><span style=3D"font-size:12.0pt;color:black">Quynh.&nbsp;<o:p></o:p></span></p>
</div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center">
<hr size=3D"2" width=3D"98%" align=3D"center">
</div>
<div id=3D"divRplyFwdMsg">
<p class=3D"MsoNormal"><b><span style=3D"color:black">From:</span></b><span style=3D"color:black"> Scott Fluhrer (sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com">sfluhrer@cisco.com</a>&gt;<br>
<b>Sent:</b> Tuesday, March 26, 2019 9:20:05 AM<br>
<b>To:</b> Dang, Quynh (Fed); SPASM<br>
<b>Subject:</b> RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.</span>
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"xmsonormal"><b>From:</b> Spasm &lt;<a href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt;
<b>On Behalf Of </b>Dang, Quynh (Fed)<br>
<b>Sent:</b> Tuesday, March 26, 2019 9:11 AM<br>
<b>To:</b> SPASM &lt;<a href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a>&gt;<br>
<b>Subject:</b> [lamps] Side-channel attack on multi-level trees and key generation of LMS.<o:p></o:p></p>
<p class=3D"xmsonormal">&nbsp;<o:p></o:p></p>
<div id=3D"x_divtagdefaultwrapper">
<p><span style=3D"font-size:12.0pt;color:black">Hi all,</span><o:p></o:p></p>
<p><span style=3D"font-size:12.0pt;color:black">&nbsp;</span><o:p></o:p></p>
<p><span style=3D"font-size:12.0pt;color:black">Here is the attack I mentioned at the meeting today:&nbsp;<a href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Feprint.iacr.org%2F2018%2F674%2F20180713%3A140821&amp;data=3D02%7C01%7Cquynh.dang%40nist.gov%7C17afe62f6ae74a858cbf08d6b1edc737%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636892032138187826&amp;sdata=3D9u3pPjSd5ErMGIiBVoyV%2BjwwRyreeZJm4U7ONsQPU5w%3D&amp;reserved=3D0">https://eprint.iacr.org/2018/674/20180713:140821</a>.</span><o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<p><span style=3D"color:#1F497D">This is a fault attack (that is, you try to make the signer miscompute something, and then use the miscomputed signature); a signer implementation could implement protections against this (of course, those protections are not free).</span><o:p></o:p></p>
<p><span style=3D"font-size:12.0pt;color:black">&nbsp;</span><o:p></o:p></p>
<p><span style=3D"font-size:12.0pt;color:black">I just looked at the LMS's draft, the single tree with height 25 ( 2^25 signatures)&nbsp; takes only 1.5 hours.</span><o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<p><span style=3D"color:#1F497D">Clarification on this:</span><o:p></o:p></p>
<ul type=3D"disc">
<li class=3D"MsoNormal" style=3D"color:#1F497D;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
The test used 15 cores (and so it used a total of circa 1 core-day)<o:p></o:p></li>
<li class=3D"MsoNormal" style=3D"color:#1F497D;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
This was done with a W=8 parameter set.&nbsp; This makes the signature shorter (1936 bytes in this case), however it does increase the key generation time; a W=4 parameter set would approximately double the signature size, while decreasing the key generation time by circa a factor of 8.<o:p></o:p></li></ul>
<p><span style=3D"font-size:12.0pt;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p><span style=3D"font-size:12.0pt;color:black">&nbsp;</span><o:p></o:p></p>
<p><span style=3D"font-size:12.0pt;color:black">Regards,</span><o:p></o:p></p>
<p><span style=3D"font-size:12.0pt;color:black">Quynh.&nbsp;</span><o:p></o:p></p>
<p class=3D"xmsonormal"><span style=3D"font-size:12.0pt;color:black">&nbsp;</span><o:p></o:p></p>
<div>
<div>
<div>
<div>
<p class=3D"xmsonormal"><span style=3D"font-size:12.0pt;color:black">&nbsp;</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>

--_000_880932bf30944ec7a7883c99a42af9c3XCHRTP006ciscocom_--
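
The space/time trade-off discussed in the message above (regenerating the tree for every signature versus a simple scheme that keeps the current authentication path and whose signing time is not constant), as an added example that is not code from any participant in the thread. The height-6 tree, the `leaf` stand-in for an OTS public key and the `b"leaf"`/`b"node"` prefixes are assumptions for illustration, not the LMS construction; the fractal and BDS algorithms linked in the thread are not implemented here.

```python
import hashlib

HEIGHT = 6  # constructed demo height (64 leaves); the thread discusses H=25


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class MerkleSigner:
    """Toy Merkle tree that counts leaf evaluations, the costly step in the thread."""

    def __init__(self, seed: bytes, height: int = HEIGHT):
        self.seed = seed
        self.height = height
        self.leaf_calls = 0
        self.root = self.node(height, 0)   # key generation: touches every leaf
        self.leaf_calls = 0                # not charged to any signature

    def leaf(self, index: int) -> bytes:
        # Assumption: stands in for regenerating the OTS public key of one leaf.
        self.leaf_calls += 1
        return sha256(b"leaf", self.seed, index.to_bytes(4, "big"))

    def node(self, height: int, index: int) -> bytes:
        """Hash of the subtree covering 2**height leaves (2**height leaf calls)."""
        if height == 0:
            return self.leaf(index)
        return sha256(b"node",
                      self.node(height - 1, 2 * index),
                      self.node(height - 1, 2 * index + 1))

    def sibling(self, leaf_index: int, height: int) -> bytes:
        """Authentication-path node at `height` for the given leaf."""
        return self.node(height, (leaf_index >> height) ^ 1)


def root_from_path(leaf_hash: bytes, leaf_index: int, path: list) -> bytes:
    """Verifier side: fold the path into a root candidate."""
    node = leaf_hash
    for height, sib in enumerate(path):
        if (leaf_index >> height) & 1:
            node = sha256(b"node", sib, node)
        else:
            node = sha256(b"node", node, sib)
    return node


def check(signer: MerkleSigner, leaf_index: int, path: list) -> None:
    """Confirm the path is valid without charging the signer for the lookup."""
    saved = signer.leaf_calls
    ok = root_from_path(signer.leaf(leaf_index), leaf_index, path) == signer.root
    signer.leaf_calls = saved
    if not ok:
        raise ValueError(f"bad authentication path for leaf {leaf_index}")


def costs_regenerate(seed: bytes = b"constructed-seed") -> list:
    """No stored state: rebuild every path node from leaves for each signature."""
    signer = MerkleSigner(seed)
    costs = []
    for s in range(1 << signer.height):
        before = signer.leaf_calls
        path = [signer.sibling(s, h) for h in range(signer.height)]
        costs.append(signer.leaf_calls - before)
        check(signer, s, path)
    return costs


def costs_keep_path(seed: bytes = b"constructed-seed") -> list:
    """Store only the current path; recompute the nodes that change at each step."""
    signer = MerkleSigner(seed)
    path = [signer.sibling(0, h) for h in range(signer.height)]
    signer.leaf_calls = 0          # first path is built during key generation
    check(signer, 0, path)
    costs = [0]
    for s in range(1, 1 << signer.height):
        before = signer.leaf_calls
        for h in range(signer.height):
            if s % (1 << h) == 0:  # leaf s crossed a 2**h boundary
                path[h] = signer.sibling(s, h)
        costs.append(signer.leaf_calls - before)
        check(signer, s, path)
    return costs


if __name__ == "__main__":
    for name, costs in (("regenerate", costs_regenerate()),
                        ("keep path", costs_keep_path())):
        print(f"{name:10s} min={min(costs)} max={max(costs)} "
              f"mean={sum(costs) / len(costs):.2f} leaf evaluations per signature")
```

Keeping the path brings the mean close to the tree height, but the signature that crosses the midpoint of the tree still costs as much as a full regeneration.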


From nobody Wed Mar 27 09:50:24 2019
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B0C34120306; Wed, 27 Mar 2019 09:50:16 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.1
Auto-Submitted: auto-generated
Precedence: bulk
Sender: <iesg-secretary@ietf.org>
CC: lamps-chairs@ietf.org, ekr@rtfm.com, Russ Housley <housley@vigilsec.com>,  housley@vigilsec.com, spasm@ietf.org, draft-ietf-lamps-pkix-shake@ietf.org
Reply-To: ietf@ietf.org
Message-ID: <155370541668.10323.16460837139387296431.idtracker@ietfa.amsl.com>
Date: Wed, 27 Mar 2019 09:50:16 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/NSmIpwTjencqwQFEb4fr8EZ_spY>
Subject: [lamps] Last Call: <draft-ietf-lamps-pkix-shake-08.txt> (Internet X.509 Public Key Infrastructure: Additional Algorithm Identifiers for RSASSA-PSS and ECDSA using SHAKEs) to Proposed Standard
X-List-Received-Date: Wed, 27 Mar 2019 16:50:17 -0000

The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'Internet
X.509 Public Key Infrastructure: Additional Algorithm
   Identifiers for RSASSA-PSS and ECDSA using SHAKEs'
  <draft-ietf-lamps-pkix-shake-08.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2019-04-10. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


   Digital signatures are used to sign messages, X.509 certificates and
   CRLs (Certificate Revocation Lists).  This document describes the
   conventions for using the SHAKE function family in Internet X.509
   certificates and CRLs as one-way hash functions with the RSA
   Probabilistic signature and ECDSA signature algorithms.  The
   conventions for the associated subject public keys are also
   described.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-pkix-shake/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-lamps-pkix-shake/ballot/


No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information: 
    rfc8017: PKCS #1: RSA Cryptography Specifications Version 2.2 (Informational - IETF stream)




From nobody Thu Mar 28 10:05:39 2019
Return-Path: <dev+ietf@seantek.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FBD3120283 for <spasm@ietfa.amsl.com>; Thu, 28 Mar 2019 10:05:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WImdy0SVNxB5 for <spasm@ietfa.amsl.com>; Thu, 28 Mar 2019 10:05:36 -0700 (PDT)
Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2183C1200EF for <spasm@ietf.org>; Thu, 28 Mar 2019 10:05:33 -0700 (PDT)
X-Originating-IP: 31.133.138.32
Received: from dhcp-8a20.meeting.ietf.org (dhcp-8a20.meeting.ietf.org [31.133.138.32]) (Authenticated sender: sean@seantek.org) by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 130A61C0019 for <spasm@ietf.org>; Thu, 28 Mar 2019 17:05:31 +0000 (UTC)
From: Sean Leonard <dev+ietf@seantek.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Message-Id: <47E88B72-7ADF-4AB1-9677-E94389016851@seantek.com>
Date: Thu, 28 Mar 2019 18:05:30 +0100
To: SPASM <spasm@ietf.org>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MZcJcuPs239gXosvxgdgmzEAvnk>
Subject: [lamps] Need SHA-3 text strings, add to draft-ietf-lamps-pkix-shake?
X-List-Received-Date: Thu, 28 Mar 2019 17:05:38 -0000

I have a need to identify SHA-3 algorithms by text strings. For example:
SHA3-256, SHA3-512, etc.

There is an IANA registry aptly named “Hash Function Textual Names”:
<https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml>.

How do I add the SHA-3 algorithms to Hash Function Textual Names? The
registry says that registration requires a standards-track RFC that
updates RFC 3279. Yep, that’s what it says.

draft-turner-lamps-adding-sha3-to-pkix
became
draft-ietf-lamps-pkix-shake

which is now in last call. But draft-ietf-lamps-pkix-shake says “Four
other hash function instances, SHA3-224, SHA3-256, SHA3-384, and
SHA3-512 are also defined but are out of scope for this document.” So I
am not sure where to go for this request. Suggestions? And what about
adding textual names for SHAKE-128 and SHAKE-256? (Which are not
in-scope for my particular need, but they are there nonetheless.)

Thanks,

Sean


From nobody Thu Mar 28 10:09:25 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E748120502 for <spasm@ietfa.amsl.com>; Thu, 28 Mar 2019 10:09:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62fTq2ueAfcS for <spasm@ietfa.amsl.com>; Thu, 28 Mar 2019 10:09:09 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 680971204EB for <spasm@ietf.org>; Thu, 28 Mar 2019 10:09:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 12128300AA3 for <spasm@ietf.org>; Thu, 28 Mar 2019 12:50:51 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id gh1xmwEHr7dm for <spasm@ietf.org>; Thu, 28 Mar 2019 12:50:49 -0400 (EDT)
Received: from dhcp-8a9b.meeting.ietf.org (dhcp-8a9b.meeting.ietf.org [31.133.138.155]) by mail.smeinc.net (Postfix) with ESMTPSA id 2C61B300177; Thu, 28 Mar 2019 12:50:49 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <47E88B72-7ADF-4AB1-9677-E94389016851@seantek.com>
Date: Thu, 28 Mar 2019 13:09:04 -0400
Cc: SPASM <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D52195EE-9DFE-49F9-920A-EFB37C0E4278@vigilsec.com>
References: <47E88B72-7ADF-4AB1-9677-E94389016851@seantek.com>
To: Sean Leonard <dev+ietf@seantek.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/yJY4RqmusndKzgWLDzQdJs24u0k>
Subject: Re: [lamps] Need SHA-3 text strings, add to draft-ietf-lamps-pkix-shake?
X-List-Received-Date: Thu, 28 Mar 2019 17:09:17 -0000

The working group decided to not proceed with draft-turner-lamps-adding-sha3-to-pkix

Russ


> On Mar 28, 2019, at 1:05 PM, Sean Leonard <dev+ietf@seantek.com> wrote:
>
> I have a need to identify SHA-3 algorithms by text strings. For
> example: SHA3-256, SHA3-512, etc.
>
> There is an IANA registry aptly named “Hash Function Textual Names”:
> <https://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml>.
>
> How do I add the SHA-3 algorithms to Hash Function Textual Names? The
> registry says that registration requires a standards-track RFC that
> updates RFC 3279. Yep, that’s what it says.
>
> draft-turner-lamps-adding-sha3-to-pkix
> became
> draft-ietf-lamps-pkix-shake
>
> which is now in last call. But draft-ietf-lamps-pkix-shake says “Four
> other hash function instances, SHA3-224, SHA3-256, SHA3-384, and
> SHA3-512 are also defined but are out of scope for this document.” So
> I am not sure where to go for this request. Suggestions? And what
> about adding textual names for SHAKE-128 and SHAKE-256? (Which are not
> in-scope for my particular need, but they are there nonetheless.)
>
> Thanks,
>
> Sean


From nobody Fri Mar 29 03:34:12 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 103FE120355 for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 03:34:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id th4Bi9S-f8L6 for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 03:34:04 -0700 (PDT)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F41C12025E for <spasm@ietf.org>; Fri, 29 Mar 2019 03:34:03 -0700 (PDT)
Received: from unknown (HELO V0501WEXGPR02.isaracorp.com) ([10.5.9.20]) by ip1.isaracorp.com with ESMTP; 29 Mar 2019 10:34:01 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Fri, 29 Mar 2019 06:34:00 -0400
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Fri, 29 Mar 2019 06:34:00 -0400
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, Jim Schaad <ietf@augustcellars.com>, "'Dang, Quynh (Fed)'" <quynh.dang=40nist.gov@dmarc.ietf.org>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VVPJVQTRyi2Ue4de+olx8yxKYeKKOAgAAMQQCAABNAAIAABCUAgAAMzgCAATq4gIAC2h0A
Date: Fri, 29 Mar 2019 10:34:00 +0000
Message-ID: <2783B663-BB48-48CA-B44C-1C269C9B2059@isara.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com> <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com> <880932bf30944ec7a7883c99a42af9c3@XCH-RTP-006.cisco.com>
In-Reply-To: <880932bf30944ec7a7883c99a42af9c3@XCH-RTP-006.cisco.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_2783B663BB4848CAB44C1C269C9B2059isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/EBDDMU1BwWprS-5zLDmu8RlG0NI>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-List-Received-Date: Fri, 29 Mar 2019 10:34:10 -0000



From nobody Fri Mar 29 03:55:08 2019
Return-Path: <dev+ietf@seantek.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B24F12047F for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 03:54:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YxV9oLazACts for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 03:54:53 -0700 (PDT)
Received: from relay9-d.mail.gandi.net (relay9-d.mail.gandi.net [217.70.183.199]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EB75120485 for <spasm@ietf.org>; Fri, 29 Mar 2019 03:54:53 -0700 (PDT)
X-Originating-IP: 31.133.149.174
Received: from dhcp-95ae.meeting.ietf.org (dhcp-95ae.meeting.ietf.org [31.133.149.174]) (Authenticated sender: sean@seantek.org) by relay9-d.mail.gandi.net (Postfix) with ESMTPSA id 1DDC9FF805 for <spasm@ietf.org>; Fri, 29 Mar 2019 10:54:50 +0000 (UTC)
From: Sean Leonard <dev+ietf@seantek.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Message-Id: <A2D916AF-64AC-46A4-BA38-37A645F0D290@seantek.com>
Date: Fri, 29 Mar 2019 11:54:49 +0100
To: SPASM <spasm@ietf.org>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TY5lgTmxPPMIEMiyT9WYpcGA0t4>
Subject: [lamps] draft-ietf-lamps-pkix-shake comment
X-List-Received-Date: Fri, 29 Mar 2019 10:55:06 -0000

Although perhaps the RFC Editor will catch this, I noticed a typo
regarding SHAKE128 and SHAKE256.

draft-ietf-lamps-pkix-shake-08 has 52 instances of “SHAKE128” and 51
instances of “SHAKE256”. However, “SHAKE-128” and “SHAKE-256” appear
once each in “Section 4. Identifiers.” It seems that the more common
representation is without the hyphen. So, please fix it to remove the
hyphen.

Thanks,

Sean


From nobody Fri Mar 29 04:04:30 2019
Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 397E112026A for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 04:04:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level: 
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sUnl-8LevE3J for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 04:04:17 -0700 (PDT)
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (mail-eopbgr840138.outbound.protection.outlook.com [40.107.84.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C531120264 for <spasm@ietf.org>; Fri, 29 Mar 2019 04:04:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0n6I9YlzFLlFNKzyVRg/X34qEPYYJta1NcsAw6fldOY=; b=fTUewbL4gywosOp1ZLi1fz7t9HjN+Lf8RINmOE+F0EVOBl7+3FQffJ3gbuK+PYBwIuTZDpqxsZQTUGkaxXc3X7Z9/T8ERchEH4RYHrIZKRSRv9pe2b86LZOBLRyzP2HbdK2DIkn0QrZu5huj6JeIFeZvsxOFC5XYvH4zDKw+1H4=
Received: from BN8PR09MB3604.namprd09.prod.outlook.com (20.179.76.14) by BN8PR09MB3602.namprd09.prod.outlook.com (20.179.76.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.16; Fri, 29 Mar 2019 11:04:14 +0000
Received: from BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0]) by BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::1ce2:52b0:6c95:b3c0%5]) with mapi id 15.20.1750.014; Fri, 29 Mar 2019 11:04:14 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Daniel Van Geest <Daniel.VanGeest@isara.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, Jim Schaad <ietf@augustcellars.com>, 'SPASM' <spasm@ietf.org>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VOWMyEHh07WU6WCYCL4KDmBaYd5ZWAgAAKTzaAABUyAIAABCUAgAAMzgCAATq4gIADHWsAgAACYOc=
Date: Fri, 29 Mar 2019 11:04:14 +0000
Message-ID: <BN8PR09MB3604CDF09ED9CBAFE374A0AFF35A0@BN8PR09MB3604.namprd09.prod.outlook.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com> <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com> <880932bf30944ec7a7883c99a42af9c3@XCH-RTP-006.cisco.com>, <2783B663-BB48-48CA-B44C-1C269C9B2059@isara.com>
In-Reply-To: <2783B663-BB48-48CA-B44C-1C269C9B2059@isara.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-originating-ip: [2001:67c:370:128:1d07:5fd:156f:7f5a]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d8b92050-4f75-4a5d-acda-08d6b4364805
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:BN8PR09MB3602; 
x-ms-traffictypediagnostic: BN8PR09MB3602:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <BN8PR09MB36029FAB45765B46E9BADDBDF35A0@BN8PR09MB3602.namprd09.prod.outlook.com>
x-forefront-prvs: 0991CAB7B3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(136003)(346002)(39860400002)(366004)(396003)(53754006)(199004)(189003)(33656002)(106356001)(105586002)(19627405001)(2906002)(7736002)(9686003)(6306002)(236005)(54896002)(55016002)(93886005)(478600001)(14454004)(606006)(6116002)(229853002)(81166006)(81156014)(8936002)(966005)(6436002)(8676002)(11346002)(25786009)(6606003)(7696005)(68736007)(6246003)(316002)(74316002)(6506007)(99286004)(53936002)(446003)(102836004)(52536014)(46003)(476003)(110136005)(186003)(71190400001)(53546011)(19627235002)(486006)(256004)(71200400001)(86362001)(97736004)(14444005)(76176011)(5660300002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN8PR09MB3602; H:BN8PR09MB3604.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: tf79r5AJMRKhlqBtp+MtTQqOgrFHBjvRNtFP2R2Dw+75ppn7apOEde5ynD8xZzfSaKT0bUVCCYj5m+ffjn0uXQFO/Rh8YNtuArwapDWJ84QCnKJe0yFuKsLC3Tg9y5oZsUUYgoLuoeHe78b/kPZIwjC/UmJ1gSI+iCgQOWAoP6F4RdxPR6l8mAwLW3SAu1HayrYieEP+DdCeBQYxEsg8r/e9PNwMSb2Vy6p+DNDtyoHOyzsJ1PYEprGMVPgi0g7QUxhNCbvzdkvgnwwbr+LZLA/AwgMn4oyDuxFcyzGOieGzrwr7FCRYQO2Ci4Mc3J/ckFi/ibROjpKNPSlnacerEl8xxTi1gnpQbhfqS9ig49kixZNOHQFwJHQDWeFFFB/YOw9aTmPW+YMB4Fy5zrvil23Ig2y1u+7VVAMRgs6FsVo=
Content-Type: multipart/alternative; boundary="_000_BN8PR09MB3604CDF09ED9CBAFE374A0AFF35A0BN8PR09MB3604namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: d8b92050-4f75-4a5d-acda-08d6b4364805
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Mar 2019 11:04:14.7437 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR09MB3602
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/l9nTrSAEWjZmKUZZ_y-tCsPKNT0>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 11:04:24 -0000

--_000_BN8PR09MB3604CDF09ED9CBAFE374A0AFF35A0BN8PR09MB3604namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Hi all,


I suggest adding that "When key generation time is not a problem for a
single-level tree which provides the desired number of OTS private keys a
user has, then the single-tree HBS is a preferred option over the
alternative multi-level tree HBSs which provide the same (or close) number
as the desired number of the OTS private keys.


Multi-level tree HBSs are insecure under fault-injection attack, see
"reference to the paper".  Therefore, single-level tree HBSs should be used."


Some text guidance for defenses against the attack is needed. I am not the
right person to provide such text.


Regards,

Quynh.

________________________________
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
Sent: Friday, March 29, 2019 6:34:00 AM
To: Scott Fluhrer (sfluhrer); Jim Schaad; Dang, Quynh (Fed); 'SPASM'
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.


This is an interesting discussion.  Is there anything anyone would like
added to draft-vangeest-x509-hash-sigs as a result?  Also note that anything
that could be added here would also apply to cms-hash-sigs since HSS
supports multiple level trees.



Daniel



On 2019-03-27, 7:00 AM, "Spasm on behalf of Scott Fluhrer (sfluhrer)"
<spasm-bounces@ietf.org on behalf of sfluhrer@cisco.com> wrote:





From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 12:14 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



I understand that, but again there are some trade-offs of memory vs time.
All of the simple tree saving algorithms I have thought of can occasionally
require the generation of a large portion of the tree depending on what
boundaries one is crossing in the tree, this means that the signing time is
not constant.  One can also make gains by doing some pre-computation of
expected trees as one goes along.  When you have a tree of trees, one can
get lots of speed up by saving the signature for all but the bottom most
tree so that only that tree needs to have portions regenerated until you
move to a new sub-tree.



Again, there are better algorithms known; as an example to the fractal
method I gave a link to before, if we have a H=25 tree (circa 32 million
leaf nodes), we can perform a walk by storing a maximum of 158 Merkle node
values, and for each signature, performing 6 leaf public key recomputations
per signature (not counting the OTS signature generation and a handful of
hash computations while we combine Merkle nodes).  For this algorithm, it
always has the current authentication path entirely in memory; the entire
computation done is performing pre-computation so we’re set up for the next
authentication path.

The BDS algorithm works even better if you have minimal storage for
internal Merkle nodes; see
https://www-old.cdc.informatik.tu-darmstadt.de/reports/reports/BDS08.pdf



All of these are space/time trade-offs and one needs to understand what the
extremes are on both ends before one says that a huge single tree is better
or worse than a lot of small trees, even if the number of levels that are
created are the same.



Jim





From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 4:28 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Actually, there are algorithms that are able to generate the next
authentication path by storing a comparatively small part of the tree, and
using only a relatively small number of leaf node evaluations.  For example,
http://www.szydlo.com/fractal-jmls.pdf



From: Jim Schaad <ietf@augustcellars.com>
Sent: Tuesday, March 26, 2019 11:13 AM
To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



There is one other factor to compare in terms of how big the tree is.  For
a very large tree, if you do not have the resources to keep the entire
private key set (or a large subset of it) then you get into the situation
where you regenerate the entire private key tree for each and every
signature.  This is part of the trade off between small key size and fast
signature generation/usage of time.



Jim





From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 3:04 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



The only downside of a 1 level tree is its key generation time compared to
multi-level trees. In situations (such as a code signing application) where
1, 2 or 3 etc... hours of key generation time is not a problem, using a big
1 level tree seems better than using a multi-level tree.



Therefore,  some bigger height numbers for 1-level tree may be desired.



Quynh.

________________________________

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Sent: Tuesday, March 26, 2019 9:20:05 AM
To: Dang, Quynh (Fed); SPASM
Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.



Hi all,



Here is the attack I mentioned at the meeting today:
https://eprint.iacr.org/2018/674/20180713:140821.



This is a fault attack (that is, you try to make the signer miscompute
something, and then use the miscomputed signature); a signer implementation
could implement protections against this (of course, those protections are
not free).



I just looked at the LMS's draft, the single tree with height 25 (2^25
signatures) takes only 1..5 hours.



Clarification on this:

·         The test used 15 cores (and so it used a total of circa 1 core-day)

·         This was done with a W=8 parameter set.  This makes the signature
          shorter (1936 bytes in this case), however it does increase the key
          generation time; a W=4 parameter set would approximately double the
          signature size, while decreasing the key generation time by circa a
          factor of 8.





Regards,

Quynh.









--_000_BN8PR09MB3604CDF09ED9CBAFE374A0AFF35A0BN8PR09MB3604namp_--
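
Added example (not part of the thread, and not code from any participant or from the LMS authors): the signature-size and key-generation figures discussed in the message above, recomputed from the LM-OTS/LMS/HSS size formulas of RFC 8554 (the published form of the LMS draft) with n = 32. Counting hash invocations as a stand-in for key generation time, and the two-level 15/10 layout used for comparison, are assumptions of this example.

```python
"""LMS/HSS signature size and key-generation cost from the RFC 8554 formulas."""

N = 32  # bytes per hash output (SHA-256 parameter sets)


def lmots_p(w, n=N):
    """Number of Winternitz chains: u message chains plus v checksum chains."""
    u = -(-8 * n // w)                              # ceil(8n / w)
    checksum_bits = ((2**w - 1) * u).bit_length()   # floor(lg(max checksum)) + 1
    v = -(-checksum_bits // w)                      # ceil(checksum_bits / w)
    return u + v


def lmots_sig_bytes(w, n=N):
    """LM-OTS signature: type (4) || C (n) || y[0..p-1] (n each)."""
    return 4 + n * (lmots_p(w, n) + 1)


def lms_sig_bytes(w, h, n=N):
    """LMS signature: q (4) || LM-OTS signature || type (4) || h path nodes."""
    return 4 + lmots_sig_bytes(w, n) + 4 + h * n


def lms_pub_bytes(n=N):
    """LMS public key: LMS type (4) || LM-OTS type (4) || I (16) || root (n)."""
    return 4 + 4 + 16 + n


def hss_sig_bytes(w, heights, n=N):
    """HSS signature: Nspk (4), then one LMS signature per level, with the
    public key of the next tree down after every level except the last."""
    size = 4
    for level, h in enumerate(heights):
        size += lms_sig_bytes(w, h, n)
        if level < len(heights) - 1:
            size += lms_pub_bytes(n)
    return size


def leaf_hashes(w, n=N):
    """Hash calls to turn one OTS private key into a Merkle leaf:
    p chains of (2^w - 1) steps, one hash for K, one for the leaf node.
    (Assumption: deriving the private values from a seed is not counted.)"""
    return lmots_p(w, n) * (2**w - 1) + 2


def tree_keygen_hashes(w, h, n=N):
    """Hash calls to build one full tree of height h: leaves plus interior nodes."""
    return 2**h * leaf_hashes(w, n) + (2**h - 1)


def hss_keygen_hashes(w, heights, n=N):
    """Key generation builds one tree per level (the first tree at each level)."""
    return sum(tree_keygen_hashes(w, h, n) for h in heights)


def compare(configs):
    """Return (label, signatures available, signature bytes, keygen hashes)."""
    rows = []
    for label, w, heights in configs:
        rows.append((label, 2 ** sum(heights),
                     hss_sig_bytes(w, heights), hss_keygen_hashes(w, heights)))
    return rows


if __name__ == "__main__":
    configs = [
        ("single tree H=25, W=8", 8, [25]),
        ("single tree H=25, W=4", 4, [25]),
        ("two levels 15/10, W=8", 8, [15, 10]),   # same 2^25 capacity
    ]
    for label, capacity, sig, hashes in compare(configs):
        print(f"{label:24s} sigs=2^{capacity.bit_length() - 1:<3d}"
              f" sig_bytes={sig:5d} keygen_hashes={hashes:.3e}")
```

With W=4 the LM-OTS part of the signature goes from 1124 to 2180 bytes while the 25-node authentication path stays at 800 bytes; the two-level layout reaches the same 2^25 capacity with roughly a thousandth of the key-generation hashing, at the cost of a longer signature.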


From nobody Fri Mar 29 07:19:28 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 965EE120276 for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 07:19:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.091
X-Spam-Level: 
X-Spam-Status: No, score=0.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X97bV-oTHCqJ for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 07:19:23 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4625712023E for <spasm@ietf.org>; Fri, 29 Mar 2019 07:19:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id B87E3300AE1 for <spasm@ietf.org>; Fri, 29 Mar 2019 10:01:04 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id SNBlbQ3Zmwqa for <spasm@ietf.org>; Fri, 29 Mar 2019 10:00:53 -0400 (EDT)
Received: from [10.0.0.229] (unknown [62.168.35.69]) by mail.smeinc.net (Postfix) with ESMTPSA id 8ECCA300400; Fri, 29 Mar 2019 10:00:52 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <0967202E-7A00-4042-AB5F-210FAAE0792F@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_84D6B9A4-1ABD-4859-8407-86072E504620"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Fri, 29 Mar 2019 10:19:08 -0400
In-Reply-To: <BN8PR09MB3604CDF09ED9CBAFE374A0AFF35A0@BN8PR09MB3604.namprd09.prod.outlook.com>
Cc: Daniel Van Geest <Daniel.VanGeest@isara.com>, Scott Fluhrer <sfluhrer@cisco.com>, Jim Schaad <ietf@augustcellars.com>, SPASM <spasm@ietf.org>
To: Quynh Dang <quynh.dang@nist.gov>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com> <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com> <880932bf30944ec7a7883c99a42af9c3@XCH-RTP-006.cisco.com> <2783B663-BB48-48CA-B44C-1C269C9B2059@isara.com> <BN8PR09MB3604CDF09ED9CBAFE374A0AFF35A0@BN8PR09MB3604.namprd09.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/DriWFut7zmeH5VnZ3BxvlQSnZTw>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 14:19:27 -0000

--Apple-Mail=_84D6B9A4-1ABD-4859-8407-86072E504620
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I do not agree that this fault-injection attack leads to a SHOULD for single-level trees.

Russ

> On Mar 29, 2019, at 7:04 AM, Dang, Quynh (Fed) <quynh.dang@nist.gov> wrote:
>
> Hi all,
>
> I suggest adding that "When key generation time is not a problem for a single-level tree which provides the desired number of OTS private keys a user has, then the single-tree HBS is a preferred option over the alternative multi-level tree HBSs which provide the same (or close) number as the desired number of the OTS private keys.
>
> Multi-level tree HBSs are insecure under fault-injection attack, see "reference to the paper".  Therefore, single-level tree HBSs should be used."
>
> Some text guidance for defenses against the attack is needed. I am not the right person to provide such text.
>
> Regards,
> Quynh.
>
> From: Daniel Van Geest <Daniel.VanGeest@isara.com>
> Sent: Friday, March 29, 2019 6:34:00 AM
> To: Scott Fluhrer (sfluhrer); Jim Schaad; Dang, Quynh (Fed); 'SPASM'
> Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
>
> This is an interesting discussion.  Is there anything anyone would like added to draft-vangeest-x509-hash-sigs as a result?  Also note that anything that could be added here would also apply to cms-hash-sigs since HSS supports multiple level trees.
>
> Daniel
>
> On 2019-03-27, 7:00 AM, "Spasm on behalf of Scott Fluhrer (sfluhrer)" <spasm-bounces@ietf.org on behalf of sfluhrer@cisco.com> wrote:
>
> From: Jim Schaad <ietf@augustcellars.com>
> Sent: Tuesday, March 26, 2019 12:14 PM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
> Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
>
> I understand that, but again there are some trade-offs of memory vs time.  All of the simple tree saving algorithms I have thought of can occasionally require the generation of a large portion of the tree depending on what boundaries one is crossing in the tree; this means that the signing time is not constant.  One can also make gains by doing some pre-computation of expected trees as one goes along.  When you have a tree of trees, one can get lots of speed up by saving the signature for all but the bottom most tree so that only that tree needs to have portions regenerated until you move to a new sub-tree.
>
> Again, there are better algorithms known; as an example to the fractal method I gave a link to before, if we have a H=25 tree (circa 32 million leaf nodes), we can perform a walk by storing a maximum of 158 Merkle node values, and for each signature, performing 6 leaf public key recomputations per signature (not counting the OTS signature generation and a handful of hash computations while we combine Merkle nodes).  For this algorithm, it always has the current authentication path entirely in memory; the entire computation done is performing pre-computation so we’re set up for the next authentication path.
> The BDS algorithm works even better if you have minimal storage for internal Merkle nodes; see https://www-old.cdc.informatik.tu-darmstadt.de/reports/reports/BDS08.pdf
>
> All of these are space/time trade-offs and one needs to understand what the extremes are on both ends before one says that a huge single tree is better or worse than a lot of small trees, even if the number of levels that are created is the same.
>
> Jim
>
> From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
> Sent: Tuesday, March 26, 2019 4:28 PM
> To: Jim Schaad <ietf@augustcellars.com>; 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; 'SPASM' <spasm@ietf.org>
> Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
>
> Actually, there are algorithms that are able to generate the next authentication path by storing a comparatively small part of the tree, and using only a relatively small number of leaf node evaluations.  For example, http://www.szydlo.com/fractal-jmls.pdf
>
> From: Jim Schaad <ietf@augustcellars.com>
> Sent: Tuesday, March 26, 2019 11:13 AM
> To: 'Dang, Quynh (Fed)' <quynh.dang=40nist.gov@dmarc.ietf.org>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; 'SPASM' <spasm@ietf.org>
> Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
>
> There is one other factor to compare in terms of how big the tree is.  For a very large tree, if you do not have the resources to keep the entire private key set (or a large subset of it) then you get into the situation where you regenerate the entire private key tree for each and every signature.  This is part of the trade off between small key size and fast signature generation/usage of time.
>
> Jim
>
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
> Sent: Tuesday, March 26, 2019 3:04 PM
> To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; SPASM <spasm@ietf.org>
> Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
>
> The only downside of 1 level tree is its key generation time compared to multi-level trees. In situations (such as a code signing application) where 1, 2 or 3 etc... hours of a key generation time is not a problem, then using a big 1 level tree seems better than using a multi-level tree.
>
> Therefore, some bigger height numbers for 1-level tree may be desired.
>
> Quynh.
>
> From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
> Sent: Tuesday, March 26, 2019 9:20:05 AM
> To: Dang, Quynh (Fed); SPASM
> Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
>
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
> Sent: Tuesday, March 26, 2019 9:11 AM
> To: SPASM <spasm@ietf.org>
> Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
>
> Hi all,
>
> Here is the attack I mentioned at the meeting today: https://eprint.iacr.org/2018/674/20180713:140821.
>
> This is a fault attack (that is, you try to make the signer miscompute something, and then use the miscomputed signature); a signer implementation could implement protections against this (of course, those protections are not free).
>
> I just looked at the LMS's draft, the single tree with height 25 (2^25 signatures) takes only 1.5 hours.
>
> Clarification on this:
> · The test used 15 cores (and so it used a total of circa 1 core-day)
> · This was done with a W=8 parameter set.  This makes the signature shorter (1936 bytes in this case), however it does increase the key generation time; a W=4 parameter set would approximately double the signature size, while decreasing the key generation time by circa a factor of 8.
>
> Regards,
> Quynh.
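
The signature-size and key-generation trade-off discussed in this thread, worked through with the LM-OTS/LMS/HSS formulas of RFC 8554 (the published form of the LMS draft). This is an added example, not part of any message in the thread; it assumes the SHA-256 parameter sets (n = 32), and the two-level 15/10 split is a constructed comparison point.

```python
"""Size and key-generation cost model for LMS/HSS (RFC 8554 formulas).

Added illustration. Assumptions: n = 32 (SHA-256 parameter sets); the cost
model counts hash calls only and ignores how private elements are derived.
"""

N = 32        # hash output length in bytes
ID_LEN = 16   # length of the key-pair identifier I


def ceil_div(a, b):
    return -(-a // b)


def lmots_p(w, n=N):
    """Number of Winternitz chains p for width w."""
    u = ceil_div(8 * n, w)                      # chains encoding the message hash
    checksum_max = (2**w - 1) * u               # largest possible checksum value
    v = ceil_div(checksum_max.bit_length(), w)  # chains encoding the checksum
    return u + v


def lmots_signature_bytes(w, n=N):
    """type (4) || C (n) || y[0..p-1] (p * n)."""
    return 4 + n + lmots_p(w, n) * n


def lms_signature_bytes(w, h, n=N):
    """q (4) || LM-OTS signature || LMS type (4) || auth path (h * n)."""
    return 4 + lmots_signature_bytes(w, n) + 4 + h * n


def lms_public_key_bytes(n=N):
    """LMS type (4) || LM-OTS type (4) || I || root."""
    return 4 + 4 + ID_LEN + n


def hss_signature_bytes(w, heights, n=N):
    """Nspk (4), one LMS signature per level, plus the public key of every
    level below the top. `heights` lists tree heights from top to bottom."""
    sigs = sum(lms_signature_bytes(w, h, n) for h in heights)
    pubs = (len(heights) - 1) * lms_public_key_bytes(n)
    return 4 + sigs + pubs


def lmots_keygen_hashes(w, n=N):
    """Hash calls to turn one LM-OTS private key into its public key:
    p chains of 2^w - 1 steps each, plus one hash over the chain ends."""
    return lmots_p(w, n) * (2**w - 1) + 1


def keygen_hashes(w, heights, n=N):
    """Hash calls for initial key generation: one full tree per level, each
    leaf costing an LM-OTS public key plus a leaf hash, plus 2^h - 1
    interior nodes per tree."""
    per_leaf = lmots_keygen_hashes(w, n) + 1
    return sum(2**h * per_leaf + 2**h - 1 for h in heights)


def capacity(heights):
    """Total number of signatures the key can produce."""
    return 2 ** sum(heights)


def compare(configs, widths=(8, 4)):
    """Return one row per (heights, w): capacity, signature bytes, hashes."""
    rows = []
    for heights in configs:
        for w in widths:
            rows.append({
                "heights": tuple(heights),
                "w": w,
                "signatures": capacity(heights),
                "sig_bytes": hss_signature_bytes(w, heights),
                "keygen_hashes": keygen_hashes(w, heights),
            })
    return rows


if __name__ == "__main__":
    # Single H=25 tree versus a constructed two-level 15/10 split.
    for row in compare([[25], [15, 10]]):
        print(row)
```

For the single-level H=25, W=8 configuration this model gives 1936 bytes, the figure quoted in the thread.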

--Apple-Mail=_84D6B9A4-1ABD-4859-8407-86072E504620
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">I =
do not agree that this fault-injection attack leads to a SHOULD for =
single-level trees.<div class=3D""><br class=3D""></div><div =
class=3D"">Russ&nbsp;<br class=3D""><div><br class=3D""><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Mar 29, 2019, at 7:04 AM, =
Dang, Quynh (Fed) &lt;<a href=3D"mailto:quynh.dang@nist.gov" =
class=3D"">quynh.dang@nist.gov</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div =
id=3D"divtagdefaultwrapper" dir=3D"ltr" style=3D"caret-color: rgb(0, 0, =
0); font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; font-size: 12pt; =
font-family: Calibri, Helvetica, sans-serif;" class=3D""><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D"">Hi =
all,</div><div style=3D"margin-top: 0px; margin-bottom: 0px;" =
class=3D""><br class=3D""></div><div style=3D"margin-top: 0px; =
margin-bottom: 0px;" class=3D"">I suggest to add that "When key =
generation time is not a problem for a single-level tree which provides =
the desired number of OTS private keys a user has, then&nbsp;the =
single-tree HBS is a preferred option over the alternative multi-level =
tree HBSs which provide the same (or close )&nbsp;number as&nbsp;the =
desired number of the&nbsp;OTS private keys.&nbsp;</div><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><br =
class=3D""></div><div style=3D"margin-top: 0px; margin-bottom: 0px;" =
class=3D"">Multi-level tree HBSs are insecure under fault-injection =
attack, see "reference to the paper".&nbsp; Therefore, =
single-level&nbsp;tree HBSs should be used.<span style=3D"font-size: =
12pt;" class=3D"">"</span></div><div style=3D"margin-top: 0px; =
margin-bottom: 0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D""><br class=3D""></span></div><div style=3D"margin-top: 0px; =
margin-bottom: 0px;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">Some text guidance for defenses against the attack is needed. =
I am not a right person to provide such text.</span></div><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D""><br class=3D""></span></div><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">Regards,</span></div><div =
style=3D"margin-top: 0px; margin-bottom: 0px;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">Quynh.&nbsp;</span></div></div><hr =
tabindex=3D"-1" style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none; display: inline-block; width: 1351.40625px;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D""></span><div id=3D"divRplyFwdMsg" =
dir=3D"ltr" style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D""><font face=3D"Calibri, sans-serif" style=3D"font-size: =
11pt;" class=3D""><b class=3D"">From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Daniel Van Geest &lt;<a =
href=3D"mailto:Daniel.VanGeest@isara.com" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">Daniel.VanGeest@isara.com</a>&gt;<br class=3D""><b =
class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Friday, March 29, 2019 =
6:34:00 AM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Scott Fluhrer (sfluhrer); =
Jim Schaad; Dang, Quynh (Fed); 'SPASM'<br class=3D""><b =
class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Re: [lamps] Side-channel =
attack on multi-level trees and key generation of LMS.</font><div =
class=3D"">&nbsp;</div></div><div lang=3D"EN-CA" link=3D"blue" =
vlink=3D"purple" style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D""><div class=3D"x_WordSection1"><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">This is an interesting discussion.&nbsp; Is there anything =
anyone would like added to draft-vangeest-x509-hash-sigs as a =
result?&nbsp; Also note that anything that could be added here would =
also apply to cms-hash-sigs since HSS supports multiple level =
trees.</div><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 11pt; font-family: Calibri, sans-serif;">&nbsp;</p><div =
style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">Daniel</div><p class=3D"x_MsoNormal" =
style=3D"margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: =
Calibri, sans-serif;">&nbsp;</p><div class=3D""><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">On 2019-03-27, 7:00 AM, "Spasm on =
behalf of Scott Fluhrer (sfluhrer)" &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">spasm-bounces@ietf.org</a><span =
class=3D"Apple-converted-space">&nbsp;</span>on behalf of<span =
class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"mailto:sfluhrer@cisco.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">sfluhrer@cisco.com</a>&gt; =
wrote:</div></div></div><div class=3D""><p class=3D"x_MsoNormal" =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;">&nbsp;</p></div><p class=3D"x_MsoNormal" =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;">&nbsp;</p><div style=3D"border-style: none none =
none solid; border-left-width: 1.5pt; border-left-color: blue; padding: =
0cm 0cm 0cm 4pt;" class=3D""><div class=3D""><div style=3D"border-style: =
solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, =
225); padding: 3pt 0cm 0cm;" class=3D""><div style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D""><b class=3D"">From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">ietf@augustcellars.com</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><b =
class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
12:14 PM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Scott Fluhrer (sfluhrer) =
&lt;<a href=3D"mailto:sfluhrer@cisco.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">sfluhrer@cisco.com</a>&gt;; =
'Dang, Quynh (Fed)' &lt;<a =
href=3D"mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">quynh.dang=3D40nist.gov@dmarc.ietf.org</a>&gt;; 'SPASM' =
&lt;<a href=3D"mailto:spasm@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">spasm@ietf.org</a>&gt;<br =
class=3D""><b class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>RE: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.</div></div></div><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">I =
understand that, but again there are some trade-offs of memory vs =
time.&nbsp; All of the simple tree saving algorithms I have thought of =
can occasionally require the generation of a large portion of the tree =
depending on what boundaries one is crossing in the tree, this means =
that the signing time is not constant.&nbsp; One can also make gains by =
doing some pre-computation of expected trees as one goes along.&nbsp; =
When you have a tree of trees, one can get lots of speed up by saving =
the signature for all but the bottom most tree so that only that tree =
needs to have portions regenerated until you move to a new =
sub-tree.</div><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><span =
style=3D"color: rgb(192, 80, 77);" class=3D"">Again, there are better =
algorithms known; as an example to the fractal method I gave a link to =
before, if we have a H=3D25 tree (circa 32 million leaf nodes), we can =
perform a walk by storing a maximum of 158 Merkle node values, and for =
each signature, performing 6 leaf public key recomputations per =
signature (not counting the OTS signature generation and a handful of =
hash computations while we combine Merkle nodes).&nbsp; For this =
algorithm, it always has the current authentication path entirely in =
memory; the entire computation done is performing pre-computation so =
we=E2=80=99re set up for the next authentication path.</span></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><span style=3D"color: rgb(192, 80, =
77);" class=3D"">The BDS algorithm works even better if you have minimal =
storage for internal Merkle nodes; see<span =
class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%=
2Fwww-old.cdc.informatik.tu-darmstadt.de%2Freports%2Freports%2FBDS08.pdf&a=
mp;data=3D02%7C01%7Cquynh.dang%40nist.gov%7Cf6277e7102074843afe408d6b43217=
76%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636894524568586678&amp;sda=
ta=3DcFt0M7zVFWiJbwQCZXbNEBC0ds1SK6zo2uglvXcviHY%3D&amp;reserved=3D0" =
originalsrc=3D"https://www-old.cdc.informatik.tu-darmstadt.de/reports/repo=
rts/BDS08.pdf" =
shash=3D"E4J8holPEz2oOjw+fqjiG81XWb6LtuJEpNoLkW0BPk3GzelhmignD+d0ZI72zWBhH=
oLrbJXlJrFMCt/NrsIYb5kqIKTU15+vQahjN8zZ2bawYndZ3YQhJtpT36zplYaMsNAbXCAB2MJ=
DUOHnYxEyLQ/YRG3sv8L50RiM8KJMB7Y=3D" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">https://www-old.cdc.informatik.tu-darmstadt.de/reports/reports/=
BDS08.pdf</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;</span></div><p class=3D"x_MsoNormal" =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;">&nbsp;</p><div style=3D"margin: 0cm 0cm 0.0001pt =
36pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">All =
of these are space/time trade-offs and one needs to understand what the =
extremes are on both ends before one says that a huge single tree is =
better or worse than a lot of small trees, even if the number of levels =
that are created are the same.</div><p class=3D"x_MsoNormal" =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;">&nbsp;</p><div style=3D"margin: 0cm 0cm 0.0001pt =
36pt; font-size: 11pt; font-family: Calibri, sans-serif;" =
class=3D"">Jim</div><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"border-style: none none none solid; =
border-left-width: 1.5pt; border-left-color: blue; padding: 0cm 0cm 0cm =
4pt;" class=3D""><div class=3D""><div style=3D"border-style: solid none =
none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); =
padding: 3pt 0cm 0cm;" class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt =
36pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><b =
class=3D"">From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Scott Fluhrer (sfluhrer) =
&lt;<a href=3D"mailto:sfluhrer@cisco.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">sfluhrer@cisco.com</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><b =
class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
4:28 PM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">ietf@augustcellars.com</a>&gt;; =
'Dang, Quynh (Fed)' &lt;<a =
href=3D"mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">quynh.dang=3D40nist.gov@dmarc.ietf.org</a>&gt;; 'SPASM' =
&lt;<a href=3D"mailto:spasm@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">spasm@ietf.org</a>&gt;<br =
class=3D""><b class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>RE: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.</div></div></div><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">Actually, =
there are algorithms that are able to generate the next authentication =
path by storing a comparatively small part of the tree, and using only a =
relatively small number of leaf node evaluations..&nbsp; For =
example,<span class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F%2=
Fwww.szydlo.com%2Ffractal-jmls.pdf&amp;data=3D02%7C01%7Cquynh.dang%40nist.=
gov%7Cf6277e7102074843afe408d6b4321776%7C2ab5d82fd8fa4797a93e054655c61dec%=
7C1%7C0%7C636894524568596697&amp;sdata=3DkrnCaCoGSCwG%2FXDYPPnijwnp6toouFB=
82F88Q20H158%3D&amp;reserved=3D0" =
originalsrc=3D"http://www.szydlo..com/fractal-jmls.pdf" =
shash=3D"VUT+ZfRokxb2sPw5NFmlaeN2/oTn1WalF6Aw2QaJl2uqu1CrQugQRULPruceBHkFT=
SXgv5+bUYcXrFVb6lkkKKg7/XWiVE2lQcm4vFX/bflXXvZiSGd5Ae5bek2lY7GIfSXoTjr1HLM=
iuK012fqitmio+pHfbThad0R5pV6RXpc=3D" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">http://www.szydlo.com/fractal-jmls.pdf</a></div><p =
class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: =
11pt; font-family: Calibri, sans-serif;">&nbsp;</p><div =
style=3D"border-style: none none none solid; border-left-width: 1.5pt; =
border-left-color: blue; padding: 0cm 0cm 0cm 4pt;" class=3D""><div =
class=3D""><div style=3D"border-style: solid none none; =
border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: =
3pt 0cm 0cm;" class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><b =
class=3D"">From:</b><span class=3D"Apple-converted-space">&nbsp;</span>Jim=
 Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">ietf@augustcellars.com</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><b =
class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
11:13 AM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>'Dang, Quynh (Fed)' &lt;<a =
href=3D"mailto:quynh.dang=3D40nist.gov@dmarc.ietf.org" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">quynh.dang=3D40nist.gov@dmarc.ietf.org</a>&gt;; Scott Fluhrer =
(sfluhrer) &lt;<a href=3D"mailto:sfluhrer@cisco.com" style=3D"color: =
purple; text-decoration: underline;" =
class=3D"">sfluhrer@cisco.com</a>&gt;; 'SPASM' &lt;<a =
href=3D"mailto:spasm@ietf.org" style=3D"color: purple; text-decoration: =
underline;" class=3D"">spasm@ietf.org</a>&gt;<br class=3D""><b =
class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>RE: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.</div></div></div><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;" class=3D"">There is =
one other factor to compare in terms of how big the tree is.&nbsp; For a =
very large tree, if you do not have the resources to keep the entire =
private key set (or a large subset of it) then you get into the =
situation where you regenerate the entire private key tree for each and =
every signature.&nbsp; This is part of the trade off between small key =
size and fast signature generation/usage of time.</div><p =
class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: =
11pt; font-family: Calibri, sans-serif;">&nbsp;</p><div style=3D"margin: =
0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;" class=3D"">Jim</div><p class=3D"x_MsoNormal" style=3D"margin:=
 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div style=3D"border-style: none none none solid; =
border-left-width: 1.5pt; border-left-color: blue; padding: 0cm 0cm 0cm =
4pt;" class=3D""><div class=3D""><div style=3D"border-style: solid none =
none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); =
padding: 3pt 0cm 0cm;" class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt =
36pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=3D""><b =
class=3D"">From:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">spasm-bounces@ietf.org</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><b class=3D"">On Behalf =
Of<span class=3D"Apple-converted-space">&nbsp;</span></b>Dang, Quynh =
(Fed)<br class=3D""><b class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
3:04 PM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Scott Fluhrer (sfluhrer) =
&lt;<a href=3D"mailto:sfluhrer@cisco.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">sfluhrer@cisco.com</a>&gt;; =
SPASM &lt;<a href=3D"mailto:spasm@ietf.org" style=3D"color: purple; =
text-decoration: underline;" class=3D"">spasm@ietf.org</a>&gt;<br =
class=3D""><b class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Re: [lamps] Side-channel =
attack on multi-level trees and key generation of =
LMS.</div></div></div><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm =
0.0001pt 36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p><div id=3D"x_divtagdefaultwrapper" class=3D""><div =
style=3D"margin-top: 0px; margin-bottom: 0px; margin-left: 36pt;" =
class=3D""><span style=3D"font-size: 12pt;" class=3D"">The only downside =
of 1 level tree is its key generation time comparing to multi-level =
trees. In situations (&nbsp;such as a code signing application) where =
1,&nbsp;2 or 3 etc... hours of a&nbsp;key generation time is not a =
problem, then using a big&nbsp;1 level tree seems better than using a =
multi-level tree.&nbsp;</span></div><p style=3D"margin-top: 0px; =
margin-bottom: 0px; margin-left: 36pt;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">&nbsp;</span></p><div =
style=3D"margin-top: 0px; margin-bottom: 0px; margin-left: 36pt;" =
class=3D""><span style=3D"font-size: 12pt;" class=3D"">Therefore,&nbsp; =
some bigger height numbers for 1-level tree may be =
desired.</span></div><p style=3D"margin-top: 0px; margin-bottom: 0px; =
margin-left: 36pt;" class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">&nbsp;</span></p><div style=3D"margin-top: 0px; =
margin-bottom: 0px; margin-left: 36pt;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">Quynh.&nbsp;</span></div></div><div =
class=3D"x_MsoNormal" align=3D"center" style=3D"margin: 0cm 0cm 0.0001pt =
36pt; font-size: 11pt; font-family: Calibri, sans-serif; text-align: =
center;"><hr size=3D"0" width=3D"100%" align=3D"center" =
class=3D""></div><div id=3D"x_divRplyFwdMsg" class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D""><b class=3D""><span style=3D"" =
class=3D"">From:</span></b><span style=3D"" class=3D""><span =
class=3D"Apple-converted-space">&nbsp;</span>Scott Fluhrer (sfluhrer) =
&lt;<a href=3D"mailto:sfluhrer@cisco.com" style=3D"color: purple; =
text-decoration: underline;" class=3D"">sfluhrer@cisco.com</a>&gt;<br =
class=3D""><b class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
9:20:05 AM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Dang, Quynh (Fed); SPASM<br =
class=3D""><b class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>RE: [lamps] Side-channel =
attack on multi-level trees and key generation of LMS.</span></div><div =
class=3D""><p class=3D"x_MsoNormal" style=3D"margin: 0cm 0cm 0.0001pt =
36pt; font-size: 11pt; font-family: Calibri, =
sans-serif;">&nbsp;</p></div></div><div class=3D""><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt 36pt; font-size: 11pt; font-family: =
Calibri, sans-serif;" class=3D"">I<b class=3D"">rom:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">spasm-bounces@ietf.org</a>&gt;<span =
class=3D"Apple-converted-space">&nbsp;</span><b class=3D"">On Behalf =
Of<span class=3D"Apple-converted-space">&nbsp;</span></b>Dang, Quynh =
(Fed)<br class=3D""><b class=3D"">Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Tuesday, March 26, 2019 =
9:11 AM<br class=3D""><b class=3D"">To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>SPASM &lt;<a =
href=3D"mailto:spasm@ietf.org" style=3D"color: purple; text-decoration: =
underline;" class=3D"">spasm@ietf.org</a>&gt;<br class=3D""><b =
class=3D"">Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>[lamps] Side-channel attack =
on multi-level trees and key generation of LMS.</div><p =
class=3D"x_xmsonormal" style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;">&nbsp;</p><div =
id=3D"x_x_divtagdefaultwrapper" class=3D""><div style=3D"margin-top: =
0px; margin-bottom: 0px; margin-left: 36pt;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">Hi all,</span></div><p =
style=3D"margin-top: 0px; margin-bottom: 0px; margin-left: 36pt;" =
class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">&nbsp;</span></p><div style=3D"margin-top: 0px; =
margin-bottom: 0px; margin-left: 36pt;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">Here is the attack I mentioned at =
the meeting today:&nbsp;<a =
href=3D"https://gcc01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%=
2Feprint.iacr.org%2F2018%2F674%2F20180713%3A140821&amp;data=3D02%7C01%7Cqu=
ynh.dang%40nist.gov%7Cf6277e7102074843afe408d6b4321776%7C2ab5d82fd8fa4797a=
93e054655c61dec%7C1%7C0%7C636894524568596697&amp;sdata=3DxsTRh1kObIT8W%2Bt=
8EWUSRZdEjIC9mDwWiJbdCRK5Zbk%3D&amp;reserved=3D0" =
originalsrc=3D"https://eprint.iacr.org/2018/674/20180713:140821" =
shash=3D"dl/2bQyTtGD81lPjbzN5EHXuFQR+vN2bgICs+x1cGdjOG16s7s4BuKQDJnv4boR5p=
DynqP9P0sdoEVtVYCyOQLM7LWcqduVb9va9rnsWlKucK6nkg52INjtJsUFc49GH1+Is8pNFtYy=
ueGvK3jnsnY4muNwXx10DERvcwhMCUM0=3D" style=3D"color: purple; =
text-decoration: underline;" =
class=3D"">https://eprint.iacr.org/2018/674/20180713:140821</a>.</span></d=
iv><p style=3D"margin-top: 0px; margin-bottom: 0px; margin-left: 36pt;" =
class=3D"">&nbsp;</p><div style=3D"margin-top: 0px; margin-bottom: 0px; =
margin-left: 36pt;" class=3D""><span style=3D"color: rgb(31, 73, 125);" =
class=3D"">This is a fault attack (that is, you try to make the signer =
miscompute something, and then use the miscomputed signature); a signer =
implementation could implement protections against this (of course, =
those protections are not free).</span></div><p style=3D"margin-top: =
0px; margin-bottom: 0px; margin-left: 36pt;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">&nbsp;</span></p><div =
style=3D"margin-top: 0px; margin-bottom: 0px; margin-left: 36pt;" =
class=3D""><span style=3D"font-size: 12pt;" class=3D"">I just looked at =
the LMS's draft, the single tree with height 25 ( 2^25 signatures)&nbsp; =
takes only 1..5 hours.</span></div><p style=3D"margin-top: 0px; =
margin-bottom: 0px; margin-left: 36pt;" class=3D"">&nbsp;</p><div =
style=3D"margin-top: 0px; margin-bottom: 0px; margin-left: 36pt;" =
class=3D""><span style=3D"color: rgb(31, 73, 125);" =
class=3D"">Clarification on this:</span></div><div style=3D"margin: 0cm =
0cm 0.0001pt 72pt; font-size: 11pt; font-family: Calibri, sans-serif; =
text-indent: -18pt;" class=3D""><span style=3D"font-size: 10pt; =
font-family: Symbol; color: rgb(31, 73, 125);" class=3D""><span =
class=3D"">=C2=B7<span style=3D"font-style: normal; font-variant-caps: =
normal; font-weight: normal; font-stretch: normal; font-size: 7pt; =
line-height: normal; font-family: &quot;Times New Roman&quot;;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span><span =
style=3D"color: rgb(31, 73, 125);" class=3D"">The test used 15 cores =
(and so it used a total of circa 1 core-day)</span></div><div =
style=3D"margin: 0cm 0cm 0.0001pt 72pt; font-size: 11pt; font-family: =
Calibri, sans-serif; text-indent: -18pt;" class=3D""><span =
style=3D"font-size: 10pt; font-family: Symbol; color: rgb(31, 73, 125);" =
class=3D""><span class=3D"">=C2=B7<span style=3D"font-style: normal; =
font-variant-caps: normal; font-weight: normal; font-stretch: normal; =
font-size: 7pt; line-height: normal; font-family: &quot;Times New =
Roman&quot;;" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"Apple-converted-space">&nbsp;</span></span></span></span><span =
style=3D"color: rgb(31, 73, 125);" class=3D"">This was done with a W=3D8 =
parameter set.&nbsp; This makes the signature shorter (1936 bytes in =
this case), however it does increase the key generation time; a W=3D4 =
parameter set would approximately double the signature size, while =
decreasing the key generation time by circa a factor of =
8.</span></div><p style=3D"margin-top: 0px; margin-bottom: 0px; =
margin-left: 36pt;" class=3D""><span style=3D"font-size: 12pt; color: =
rgb(31, 73, 125);" class=3D"">&nbsp;</span></p><p style=3D"margin-top: =
0px; margin-bottom: 0px; margin-left: 36pt;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">&nbsp;</span></p><div =
style=3D"margin-top: 0px; margin-bottom: 0px; margin-left: 36pt;" =
class=3D""><span style=3D"font-size: 12pt;" =
class=3D"">Regards,</span></div><div style=3D"margin-top: 0px; =
margin-bottom: 0px; margin-left: 36pt;" class=3D""><span =
style=3D"font-size: 12pt;" class=3D"">Quynh.&nbsp;</span></div><p =
style=3D"margin-top: 0px; margin-bottom: 0px; margin-left: 36pt;" =
class=3D""><span style=3D"font-size: 12pt;" class=3D"">&nbsp;</span></p><p=
 style=3D"margin-top: 0px; margin-bottom: 0px; margin-left: 36pt;" =
class=3D""><span style=3D"font-size: 12pt;" class=3D"">&nbsp;</span></p><p=
 class=3D"x_xmsonormal" style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;"><span =
style=3D"font-size: 12pt;" class=3D"">&nbsp;</span></p><div =
class=3D""><div class=3D""><div class=3D""><div class=3D""><p =
class=3D"x_xmsonormal" style=3D"margin: 0cm 0cm 0.0001pt 36pt; =
font-size: 11pt; font-family: Calibri, sans-serif;"><span =
style=3D"font-size: 12pt;" =
class=3D"">&nbsp;</span></p></div></div></div></div></div></div></div></di=
v></div></div></div></div></div><span style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">_______________________________________________</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">Spasm mailing list</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><a =
href=3D"mailto:Spasm@ietf.org" style=3D"color: purple; text-decoration: =
underline; font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" =
class=3D"">Spasm@ietf.org</a><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><a =
href=3D"https://www.ietf.org/mailman/listinfo/spasm" style=3D"color: =
purple; text-decoration: underline; font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px;" =
class=3D"">https://www.ietf.org/mailman/listinfo/spasm</a></div></blockquo=
te></div><br class=3D""></div></body></html>=

--Apple-Mail=_84D6B9A4-1ABD-4859-8407-86072E504620--
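
A sizing sketch for the trade-offs discussed in the thread above (single-level height-25 tree, W=8 versus W=4, single-level versus multi-level). This is an added example, not part of any poster's message. It uses the parameter formulas from RFC 8554; the two-level 15/10 split and the hash-call cost model are assumptions made for illustration.

```python
"""LMS/HSS signature-size and key-generation-cost estimates (RFC 8554 formulas)."""

N = 32  # hash output length in bytes (SHA-256); RFC 8554 parameter sets use m == n


def _ceil_div(a, b):
    return -(-a // b)


def lmots_params(n, w):
    """Return (p, ls) for LM-OTS: p hash chains, ls = checksum left shift."""
    u = _ceil_div(8 * n, w)                       # chains covering the message digest
    # v = ceil((floor(lg((2^w - 1) * u)) + 1) / w); floor(lg(x)) + 1 == x.bit_length()
    v = _ceil_div(((2 ** w - 1) * u).bit_length(), w)
    return u + v, 16 - v * w


def lmots_signature_size(w, n=N):
    """u32 type || C (n bytes) || y[0..p-1] (n bytes each)."""
    p, _ = lmots_params(n, w)
    return 4 + n * (p + 1)


def lms_signature_size(h, w, n=N):
    """u32 q || LM-OTS signature || u32 LMS type || h path nodes."""
    return 4 + lmots_signature_size(w, n) + 4 + n * h


def hss_signature_size(heights, w, n=N):
    """u32 Nspk || (LMS sig || child public key) per upper level || final LMS sig."""
    nspk = len(heights) - 1
    lms_public_key = 4 + 4 + 16 + n               # LMS type, OTS type, I, root T[1]
    sigs = sum(lms_signature_size(h, w, n) for h in heights)
    return 4 + sigs + nspk * lms_public_key


def tree_keygen_hashes(h, w, n=N):
    """Approximate hash calls to build one LMS tree of height h.

    Assumed cost model: per leaf, p chains of (2^w - 1) steps, one hash for the
    OTS public key K and one leaf hash; plus 2^h - 1 interior nodes.
    Derivation of the private chain seeds is not counted.
    """
    p, _ = lmots_params(n, w)
    leaves = 1 << h
    return leaves * (p * (2 ** w - 1) + 2) + (leaves - 1)


def hss_keygen_hashes(heights, w, n=N):
    """HSS key generation builds one tree per level up front."""
    return sum(tree_keygen_hashes(h, w, n) for h in heights)


def summarize(heights, w):
    return {
        "heights": list(heights),
        "w": w,
        "signatures": 1 << sum(heights),
        "sig_bytes": hss_signature_size(heights, w),
        "keygen_hashes": hss_keygen_hashes(heights, w),
        # Inner signatures over child public keys exist only in multi-level trees.
        "signed_child_keys": len(heights) - 1,
    }


# Constructed configurations, all with 2^25 total signatures.
CONFIGS = [([25], 8), ([25], 4), ([15, 10], 8)]

if __name__ == "__main__":
    base = hss_keygen_hashes([25], 8)
    for heights, w in CONFIGS:
        s = summarize(heights, w)
        print(
            f"heights={s['heights']} W={w} sig={s['sig_bytes']}B "
            f"keygen~{s['keygen_hashes']:.3e} hashes "
            f"({s['keygen_hashes'] / base:.4f}x of H25/W8) "
            f"inner_sigs={s['signed_child_keys']}"
        )
```

With W=4 the LM-OTS portion of the signature grows from 1124 to 2180 bytes, while the authentication path (800 bytes at height 25) is unchanged.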



From nobody Fri Mar 29 11:32:19 2019
Return-Path: <pkampana@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 553E7120284 for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 11:32:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level: 
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kpyfh4XO_FAW for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 11:32:15 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67992120283 for <spasm@ietf.org>; Fri, 29 Mar 2019 11:32:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1212; q=dns/txt; s=iport; t=1553884335; x=1555093935; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=P2YBQSNcdhmhcy9CqoaiQtEtD5CXVnBzQrDSWUf8c/E=; b=U1LFs5kgKZPH4rK9BN//5LKwXhEhHfcMzjvF9JCI1+fCF++panFfhWS7 3ZgkgceEWwvo0vfsnkRQJrkcO7zXOXcP6QK2ffB0g0hlG1Qe9QfQsJ5tD DDVtUo/EPQdih8rC7iVJkNbrppxAkhSwSAO/2kmTLpbPRmTtaMsv7Xt+W I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AEAABHZJ5c/4sNJK1kGgEBAQEBAgE?= =?us-ascii?q?BAQEHAgEBAQGBUQUBAQEBCwGCEGiBAycKhASIHIspgg2YPYF7DgEBGAuESQI?= =?us-ascii?q?XhSAiNAkNAQEDAQEJAQMCbRwMhUoBAQEBAwEBIRE6FwQCAQgRBAEBAwImAgI?= =?us-ascii?q?CJQsVCAgCBAESCIMbgXUPqTSBL4onBYELJAGLMheBQD+EIz6CYQEBhGuCVwO?= =?us-ascii?q?MfphECQKTSiKCA4YLjBqLOJNIAhEVgS4fOIFWcBU7gmyLDIU/QTGPPIEfAQE?=
X-IronPort-AV: E=Sophos;i="5.60,285,1549929600"; d="scan'208";a="252336805"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 29 Mar 2019 18:32:14 +0000
Received: from XCH-ALN-007.cisco.com (xch-aln-007.cisco.com [173.36.7.17]) by alln-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id x2TIWEfu028704 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 29 Mar 2019 18:32:14 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-ALN-007.cisco.com (173.36.7.17) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 29 Mar 2019 13:32:13 -0500
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1473.003; Fri, 29 Mar 2019 13:32:13 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Sean Leonard <dev+ietf@seantek.com>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] draft-ietf-lamps-pkix-shake comment
Thread-Index: AQHU5h3yX+jReKa5REitDKe7PHqpnKYi7shw
Date: Fri, 29 Mar 2019 18:32:13 +0000
Message-ID: <8d60195262a648c7bbbe1707295b934f@XCH-ALN-010.cisco.com>
References: <A2D916AF-64AC-46A4-BA38-37A645F0D290@seantek.com>
In-Reply-To: <A2D916AF-64AC-46A4-BA38-37A645F0D290@seantek.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.82.223.81]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.36.7.17, xch-aln-007.cisco.com
X-Outbound-Node: alln-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rMKv2tWSwx-iOL6mnNPHhbQP194>
Subject: Re: [lamps] draft-ietf-lamps-pkix-shake comment
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 18:32:18 -0000

From nobody Fri Mar 29 21:55:09 2019
Return-Path: <pkampana@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD20120178 for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 21:55:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level: 
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yUPw6gx6eWtF for <spasm@ietfa.amsl.com>; Fri, 29 Mar 2019 21:55:03 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E944F120175 for <spasm@ietf.org>; Fri, 29 Mar 2019 21:55:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=59878; q=dns/txt; s=iport; t=1553921703; x=1555131303; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=QKo7MfD9SQD3PJwz2s1ShdXvYxPuMc6Ce+OtZfDc2Lk=; b=MJHAUeb4SSESx7nG3jZIWBtrpUJaX7OGQRjr8TcmOrFFbld03ydbJ/Hr I7svgo4ZnaD9+d7+n4Ry/6GVBMFN1PNvM+lkfKGx032C7BPZj5rqAYuVY 5ljcrfcIYh4L1v2ovyZRtPYPswMBevagasi/0WWjo3z/70Ko59nO3sI5u A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AKAACv9Z5c/40NJK1kGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBVAEBAQEBAQsBgQ5TL2iBAycKhASVU5lhA1QOAQEYAQm?= =?us-ascii?q?BD12CXgIXhSAiNwYNAQEDAQEJAQMCbRwMhUoBAQECAgEBIQo/AgsQAgEIEQQ?= =?us-ascii?q?BASEBBgMCAgIlCxQJCAIEAQ0FCBODAgQCgRFMAxUPqCeBL4QxAYNOA4IpgS8?= =?us-ascii?q?BiGiCSheBQD+DbgcuPoJhAQEBARiBMxsHCR+CVIJXA4pXIIIHhCOHUYtzYAk?= =?us-ascii?q?Ch2+LYyKUK4hCgW6BDoYPjTwCERWBLjUiDSiBIXAVO4JsCQqBUy0CGINLM4R?= =?us-ascii?q?hhT9BMQEBAQGOC4EtMm0BAQ?=
X-IronPort-AV: E=Sophos;i="5.60,287,1549929600";  d="scan'208,217";a="251313729"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 30 Mar 2019 04:55:01 +0000
Received: from XCH-ALN-010.cisco.com (xch-aln-010.cisco.com [173.36.7.20]) by alln-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id x2U4t0AQ009408 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 30 Mar 2019 04:55:01 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-ALN-010.cisco.com (173.36.7.20) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 29 Mar 2019 23:55:00 -0500
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1473.003; Fri, 29 Mar 2019 23:55:00 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Russ Housley <housley@vigilsec.com>, Quynh Dang <quynh.dang@nist.gov>
CC: SPASM <spasm@ietf.org>, Daniel Van Geest <Daniel.VanGeest@isara.com>, "Jim Schaad" <ietf@augustcellars.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
Thread-Index: AQHU49VX1NBa2FR6Ak6EyQShLt8fRaYeOWeAgAAMQACAABNAAIAABCUAgAAMzwCAATq3gIADHWwAgAAIcwCAADZ0AIAAlqDg
Date: Sat, 30 Mar 2019 04:55:00 +0000
Message-ID: <1f66a3f9e34f46c5a976b56cc70cceed@XCH-ALN-010.cisco.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <048d01d4e3e6$625b4980$2711dc80$@augustcellars.com> <026b333ae64b45abb031a537366512df@XCH-RTP-006.cisco.com> <04c001d4e3ee$dc6a1b90$953e52b0$@augustcellars.com> <880932bf30944ec7a7883c99a42af9c3@XCH-RTP-006.cisco.com> <2783B663-BB48-48CA-B44C-1C269C9B2059@isara.com> <BN8PR09MB3604CDF09ED9CBAFE374A0AFF35A0@BN8PR09MB3604.namprd09.prod.outlook.com> <0967202E-7A00-4042-AB5F-210FAAE0792F@vigilsec.com>
In-Reply-To: <0967202E-7A00-4042-AB5F-210FAAE0792F@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.82.223.81]
Content-Type: multipart/alternative; boundary="_000_1f66a3f9e34f46c5a976b56cc70cceedXCHALN010ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.36.7.20, xch-aln-010.cisco.com
X-Outbound-Node: alln-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/2ax3BaS61qGWpkloBVrprnzztHw>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2019 04:55:07 -0000

--_000_1f66a3f9e34f46c5a976b56cc70cceedXCHALN010ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_1f66a3f9e34f46c5a976b56cc70cceedXCHALN010ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_1f66a3f9e34f46c5a976b56cc70cceedXCHALN010ciscocom_--


From nobody Sat Mar 30 02:55:36 2019
Return-Path: <noreply@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0563C12015F; Sat, 30 Mar 2019 02:55:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Joel Halpern via Datatracker <noreply@ietf.org>
To: <gen-art@ietf.org>
Cc: spasm@ietf.org, ietf@ietf.org, draft-ietf-lamps-pkix-shake.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Joel Halpern <jmh@joelhalpern.com>
Message-ID: <155393972295.3950.3582710869606616692@ietfa.amsl.com>
Date: Sat, 30 Mar 2019 02:55:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ffUYhZeruDTdegu7hLVK33yfUWw>
Subject: [lamps] Genart last call review of draft-ietf-lamps-pkix-shake-08
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2019 09:55:23 -0000

Reviewer: Joel Halpern
Review result: Almost Ready

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-lamps-pkix-shake-08
Reviewer: Joel Halpern
Review Date: 2019-03-30
IETF LC End Date: 2019-04-10
IESG Telechat date: Not scheduled for a telechat

Summary: This document is almost ready for publication as a Proposed Standard

Major issues:
    One of the key points of this RFC seems to be to assign the identifiers for
    the use of the two SHAKE variants.  It is thus confusing that the
    identifiers end with "TBD", and thus are not defined in this document.

Minor issues:
    The algorithm identifiers are labeled as TBD.  There are at least two values
    (one for SHAKE128 and one for SHAKE256) with each used in two contexts
    (RSASSA-PSS and ECDSA).  It would be helpful if the two (or four)
    identifiers were labeled clearly TBD1 and TBD2 (and possibly TBD3 and TBD4).

Nits/editorial comments:
    There is one use of "SHAKES" as the plural of SHAKE in section 5.1.1.  All
    other uses are "SHAKEs", which seems to be correct.



From nobody Sat Mar 30 17:29:20 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B44F120044 for <spasm@ietfa.amsl.com>; Sat, 30 Mar 2019 17:29:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 459JzeIwdsCz for <spasm@ietfa.amsl.com>; Sat, 30 Mar 2019 17:29:12 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2FB4120164 for <spasm@ietf.org>; Sat, 30 Mar 2019 17:29:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 17BCA300AE2 for <spasm@ietf.org>; Sat, 30 Mar 2019 20:04:37 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Rovh7M1WEtWR for <spasm@ietf.org>; Sat, 30 Mar 2019 20:04:31 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id DB2B3300AD5; Sat, 30 Mar 2019 20:04:30 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <155393972295.3950.3582710869606616692@ietfa.amsl.com>
Date: Sat, 30 Mar 2019 20:21:20 -0400
Cc: IETF Gen-ART <gen-art@ietf.org>, spasm@ietf.org, IETF <ietf@ietf.org>, draft-ietf-lamps-pkix-shake.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B3508ACC-5F76-4205-B380-FC4D35A4496E@vigilsec.com>
References: <155393972295.3950.3582710869606616692@ietfa.amsl.com>
To: Joel Halpern <jmh@joelhalpern.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6Ks-GUnwnb6K-CnnrYdTkpi5w48>
Subject: Re: [lamps] Genart last call review of draft-ietf-lamps-pkix-shake-08
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2019 00:29:14 -0000

> On Mar 30, 2019, at 5:55 AM, Joel Halpern via Datatracker <noreply@ietf.org> wrote:
>
> Reviewer: Joel Halpern
> Review result: Almost Ready
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-lamps-pkix-shake-08
> Reviewer: Joel Halpern
> Review Date: 2019-03-30
> IETF LC End Date: 2019-04-10
> IESG Telechat date: Not scheduled for a telechat
>
> Summary: This document is almost ready for publication as a Proposed Standard
>
> Major issues:
>    One of the key points of this RFC seems to be to assign the identifiers for
>    the use of the two SHAKE variants.  It is thus confusing that the
>    identifiers end with "TBD", and thus are not defined in this document.

They will be assigned by NIST once they are sure that these are the
identifiers that we want.  This is much the same as we do when IANA is
to assign the identifier.

Russ


From nobody Sat Mar 30 22:28:54 2019
Return-Path: <jmh@joelhalpern.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FAAD12016D; Sat, 30 Mar 2019 22:28:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gIzoNEbP_rCW; Sat, 30 Mar 2019 22:28:44 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50935120133; Sat, 30 Mar 2019 22:28:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 44X3t104D1zN6dm; Sat, 30 Mar 2019 22:28:41 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from Joels-MacBook-Pro.local (unknown [62.168.35.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 44X3sz1vxxzN6dk; Sat, 30 Mar 2019 22:28:38 -0700 (PDT)
To: Russ Housley <housley@vigilsec.com>
Cc: IETF Gen-ART <gen-art@ietf.org>, spasm@ietf.org, IETF <ietf@ietf.org>, draft-ietf-lamps-pkix-shake.all@ietf.org
References: <155393972295.3950.3582710869606616692@ietfa.amsl.com> <B3508ACC-5F76-4205-B380-FC4D35A4496E@vigilsec.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <e69cf276-8b93-3210-8eb3-a93fe68b6c9d@joelhalpern.com>
Date: Sun, 31 Mar 2019 07:28:36 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <B3508ACC-5F76-4205-B380-FC4D35A4496E@vigilsec.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/zuAtGCe_fJWMBHFCiMpuBLtsmqU>
Subject: Re: [lamps] Genart last call review of draft-ietf-lamps-pkix-shake-08
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2019 05:28:46 -0000

Maybe a note that the assignment will take place once the drafts are 
approved, and that the RFC should coordinate with the authors and NIST 
on this?  (I presume we have done this before, and we do not have the 
problem we have in some other cases of "no number until RFC" / "no RFC 
until number".)

Yours,
Joel

On 3/31/19 1:21 AM, Russ Housley wrote:
> 
> 
>> On Mar 30, 2019, at 5:55 AM, Joel Halpern via Datatracker <noreply@ietf.org> wrote:
>>
>> Reviewer: Joel Halpern
>> Review result: Almost Ready
>>
>> I am the assigned Gen-ART reviewer for this draft. The General Area
>> Review Team (Gen-ART) reviews all IETF documents being processed
>> by the IESG for the IETF Chair.  Please treat these comments just
>> like any other last call comments.
>>
>> For more information, please see the FAQ at
>>
>> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>>
>> Document: draft-ietf-lamps-pkix-shake-08
>> Reviewer: Joel Halpern
>> Review Date: 2019-03-30
>> IETF LC End Date: 2019-04-10
>> IESG Telechat date: Not scheduled for a telechat
>>
>> Summary: This document is almost ready for publication as a Proposed Standard
>>
>> Major issues:
>>     One of the key points of this RFC seems to be to assign the identifiers for
>>     the use of the two SHAKE variants.  It is thus confusing that the
>>     identifiers end with "TBD", and thus are not defined in this document.
> 
> They will be assigned by NIST once they are sure that these are the identifiers that we want.  This is much the same as we do when IANA is to assign the identifier.
> 
> Russ
> 


From nobody Sun Mar 31 13:02:15 2019
Return-Path: <noreply@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 12E7912008A; Sun, 31 Mar 2019 13:02:08 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yoav Nir via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: spasm@ietf.org, ietf@ietf.org, draft-ietf-lamps-pkix-shake.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Yoav Nir <ynir.ietf@gmail.com>
Message-ID: <155406252797.12369.12070204875103995275@ietfa.amsl.com>
Date: Sun, 31 Mar 2019 13:02:08 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VG7geXKiPCGOGxnsjWk-8X6_KwI>
Subject: [lamps] Secdir last call review of draft-ietf-lamps-pkix-shake-08
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2019 20:02:08 -0000

Reviewer: Yoav Nir
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

The document is almost ready. The intent is clear and the IANA instructions are
good.

I have two issues with the Security Considerations section.  That section has
two paragraphs, and I'll start with the second one.

The second paragraph has a SHOULD-level requirement to choose an ECDSA curve
with an appropriate strength to match that of the hash function (SHAKE128 vs
SHAKE256). This seems to me like a compliance requirement. While this is not a
hard-and-fast rule, these should usually go in the body of the document, such
as in section 5 rather than in security considerations.  It's also puzzling why
there are no similar recommendations for the strength of the RSA key.

The first paragraph I find confusing.  It states that the SHAKE functions are
deterministic, and goes on to explain that this means that executing them on
the same input will result in the same output, and that users should not expect
this to be the case. Why does this need to be said? Is this not the same for
any hash function? The paragraph then goes on to tell the reader that with
different output lengths, the shorter ones are prefixes of the longer ones, and
that this is like hash function truncation.  Why do we need any of this
information and why is this related to security?  This is especially puzzling
considering that the document fixes the output length to a specific value for
each of the two functions.
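
Added example, not part of Yoav Nir's review or of the draft: the two SHAKE properties the review discusses (the same input always gives the same output, and a shorter output is a prefix of a longer one), shown with Python's hashlib next to a strict fixed-length digest check. The sample bytes and function names are constructed for illustration, and the 32- and 64-byte output lengths are assumed here since the review does not state the values the draft fixes.

```python
import hashlib
import hmac

# Constructed sample input standing in for the bytes that get signed.
TBS = b"constructed to-be-signed certificate bytes"

# Assumed fixed output lengths in bytes (256 bits and 512 bits).
FIXED_LEN = {"shake128": 32, "shake256": 64}
_XOF = {"shake128": hashlib.shake_128, "shake256": hashlib.shake_256}


def shake(name, data, out_len):
    """Return out_len bytes of SHAKE128 or SHAKE256 output over data."""
    return _XOF[name](data).digest(out_len)


def fixed_digest(name, data):
    """Digest at the single output length fixed for this function."""
    return shake(name, data, FIXED_LEN[name])


def shorter_is_prefix(name, data, short_len, long_len):
    """XOF property: a shorter output is the start of a longer one."""
    return shake(name, data, long_len)[:short_len] == shake(name, data, short_len)


def sha224_is_prefix_of_sha256(data):
    """Contrast: SHA-224 has its own initial values, so it is not a
    truncation of the SHA-256 output over the same input."""
    return hashlib.sha256(data).digest()[:28] == hashlib.sha224(data).digest()


def digest_matches(name, data, claimed):
    """Strict check: reject any claimed digest whose length is not the
    fixed one, then compare in constant time."""
    if len(claimed) != FIXED_LEN[name]:
        return False
    return hmac.compare_digest(fixed_digest(name, data), claimed)


if __name__ == "__main__":
    for name in FIXED_LEN:
        print(name, fixed_digest(name, TBS).hex())
    print("16-byte output is prefix of 32-byte:",
          shorter_is_prefix("shake128", TBS, 16, 32))
    print("SHA-224 is prefix of SHA-256:", sha224_is_prefix_of_sha256(TBS))
```

Because the output length is fixed per function, the prefix relation only matters to code that accepts a digest of some other length, which `digest_matches` refuses.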


From nobody Sun Mar 31 21:02:40 2019
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6552F12004A for <spasm@ietfa.amsl.com>; Sun, 31 Mar 2019 21:02:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=s32fy43t; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=KATXmT3e
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TkXzzqXTKNJ9 for <spasm@ietfa.amsl.com>; Sun, 31 Mar 2019 21:02:29 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23F1612004F for <spasm@ietf.org>; Sun, 31 Mar 2019 21:02:28 -0700 (PDT)
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 6C713F9A5; Mon,  1 Apr 2019 00:02:26 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id EDB9021091; Sun, 31 Mar 2019 21:59:22 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>, IETF LAMPS WG <spasm@ietf.org>
In-Reply-To: <alpine.DEB.2.20.1903141524030.6514@softronics.hoeneisen.ch>
References: <alpine.DEB.2.20.1903141524030.6514@softronics.hoeneisen.ch>
Date: Sun, 31 Mar 2019 21:59:22 -0400
Message-ID: <87tvfia3k5.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/cnSgKeo_Iswvp7aGmVY_dqaT7FU>
Subject: Re: [lamps] New Version Notification for draft-luck-lamps-pep-header-protection-01.txt (fwd)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2019 04:02:32 -0000

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On Thu 2019-03-14 15:24:51 +0100, Bernie Hoeneisen wrote:
> draft-luck-lamps-pep-header-protection-01.txt

Thanks for raising this to the group, Bernie!  As i said at the mic in
Prague, I like the framing of this draft, and i think it's asking the
right questions.

In particular, i like that it breaks down different types of
protections, and calls out a clear set of interactions that need to be
accounted for.  And i like that it aims to be comprehensive across both
S/MIME and PGP/MIME.

A few concerns about the draft itself:

 * OpenPGP Radix-64 § 2.1 -- inaccurate (missing newline), and its
   subsection 2.1.1 sneaks in action recommendations within a broader
   "Terms" section.  Also "Radix-64" not used elsewhere in the draft --
   i think it's safest to strike this section.

 * Formalized MIME subset (described as "pEp implementation" in § 5.1)
   -- this seems like a huge design decision that is probably out of
   scope.  If this draft tries to define something about the structure
   of the cryptographic protections of the message, that would be in
   scope, but making it affect the structure of the payload seems too
   radical for what this draft aims to do.

 * § 5.5 "Outer Message" and § 5.3 "pEp inner message" together seem
   similarly problematic, as they introduce another change to the
   payload MIME structure that is unrelated to header protection.  While
   that might be worthwhile in some contexts, this is not the place to
   make that proposal.

 * § 7 seems to suggest that Bcc: should be present in any of the
   headers.  having the Bcc explicitly present on a generated e-mail is
   unusual in modern mailers (though not impossible, of course).  If we
   want to call it out here as being potentially present, we might want
   to reference the guidance on page 24 of RFC 5322, to make it clear
   that we don't mean to encourage the introduction of Bcc anywhere else
   ("if included in the original message" could mean different things
   for Bcc depending upon which variant of Bcc practice is followed, and
   when you consider the Bcc header being "included")

 * § 7 again: the Subject: masking header offers "p≡p" or "pEp" or
   "Encrypted message" -- I've seen a growing consensus among several
   MUA developers that this kind of in-band signalling is problematic.
   In the event that this subject line leaks to the receivers with any
   regularity, users will take this string as though it were an
   indicator from the UI that the message is actually protected.  This
   can result in confusion around the status of a message, if a subject
   line like "Re: p≡p" shows up on cleartext, unsigned messages, which
   is a very likely accidental scenario for e-mail messages that are

 * "trusted server" option (various subsections of § 8) seems like
   implementation details that shouldn't be normatively referenced in
   this draft -- if a draft describes interaction modes between MUAs and
   MTAs, then that draft could normatively reference this one, and
   describe the interaction there.

nitpicking:

 * General Requirement § 4.1 -- seems to skip from G1 to G3.  what
   happened to G2?

Overall, i see a lot of similarities between this and
melnikov-lamps-header-protection -- it seems to me like we should try to
consolidate the ideas in both of these drafts to make a single draft as
a clear set of guidelines.  I'm happy to try to help with that effort if
others agree that this would be useful.

       --dkg

--=-=-=--
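
Added example, not part of Daniel Kahn Gillmor's message or of either draft: a receiving-side check for the confusion described in the Subject comment above, flagging a message whose Subject is one of the placeholder strings while the message itself carries no cryptographic wrapper. The sample messages are constructed, and the set of MIME types treated as protected is an assumption of this example.

```python
import re
from email import message_from_string, policy

# Placeholder subjects quoted in the comment above, lower-cased.
PLACEHOLDERS = {"p≡p", "pep", "encrypted message"}
# Assumption: top-level MIME types treated as a cryptographic wrapper.
PROTECTED_TYPES = {"multipart/encrypted", "multipart/signed",
                   "application/pkcs7-mime"}
_REPLY_PREFIX = re.compile(r"^\s*(?:(?:re|fwd?)\s*:\s*)+", re.IGNORECASE)

# Constructed sample messages (not taken from any real mailbox).
LEAKED_REPLY = (
    "From: alice@example.org\n"
    "Subject: Re: =?utf-8?b?cOKJoXA=?=\n"      # RFC 2047 form of "p≡p"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Sure, see you then.\n")
WRAPPED = (
    "From: bob@example.org\n"
    "Subject: pEp\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/encrypted; boundary="b1";\n'
    ' protocol="application/pgp-encrypted"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n--b1--\n")
ORDINARY = (
    "From: carol@example.org\n"
    "Subject: Re: lunch\n"
    "Content-Type: text/plain\n\n"
    "ok\n")


def bare_subject(msg):
    """Decoded Subject with any Re:/Fwd: prefixes removed, lower-cased."""
    subject = str(msg.get("Subject", ""))
    return _REPLY_PREFIX.sub("", subject).strip().lower()


def misleading_placeholder(raw_message):
    """True when the Subject claims protection that the message lacks."""
    msg = message_from_string(raw_message, policy=policy.default)
    unprotected = msg.get_content_type() not in PROTECTED_TYPES
    return unprotected and bare_subject(msg) in PLACEHOLDERS


def scan(raw_messages):
    """Return the indexes of messages a user interface should not label as protected."""
    return [i for i, raw in enumerate(raw_messages)
            if misleading_placeholder(raw)]


if __name__ == "__main__":
    print(scan([LEAKED_REPLY, WRAPPED, ORDINARY]))
```

The check looks only at the top-level Content-Type, so it says nothing about whether a wrapper that is present actually verifies or decrypts.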

