From: Stephen Farrell
To: lurk@ietf.org
Cc: Yaron Sheffer
Date: Mon, 8 Feb 2016 15:48:53 +0000
Subject: [Lurk] BoF co-chairs...

Hiya,

First, thanks to all who volunteered to help with running a BoF at IETF95. I'm happy to say that Yaron Sheffer and Eric Burger (cc'd on this) have agreed to help us all get organised and to run a BoF session in B-A. Please thank them when you see them, (or however else you want to thank them:-)

Note that the formal approval for the BoF session will happen in an IESG/IAB phone meeting on Feb 26th, so the more that folks can get done on the list before then the more likely it is that the session will be approved. (But don't focus too much on that date, I'm fairly confident that the IESG and IAB will be ok with a non wg-forming session on this topic.)

You'll see more mail from Yaron and Eric shortly, and they'll be editing the BoF description [1] to reflect list discussion and plans for B-A as those evolve. (As of now [1] is mostly boilerplate and text I copied from the list description and the list traffic - expect that to change a good bit as our chairs figure stuff out.)

So - many thanks to Yaron and Eric and I hope to see plenty of list traffic on this between now and IETF95.

Cheers,
S.

[1] https://trac.tools.ietf.org/bof/trac/wiki#Security

From: Yaron Sheffer
To: LURK BoF
Date: Mon, 8 Feb 2016 21:49:20 +0200
Subject: [Lurk] BoF scope: protocols

Hi,

To clarify the scope of the BoF, we might want to edit the proposal [1] somewhat. The first few sentences are kind of general, and talk about TLS, IPsec and SSH. So far, nobody came up with a use case that relates to IPsec or SSH. I would like to suggest that we make the BoF proposal more concrete and specific by mentioning only TLS. Something like:

Old

Communication protocols like IPsec, SSH or TLS provide means to authenticate the remote peer. Authentication is based on the proof of ownership of a private key.

New

The TLS protocol in typical use authenticates the server by proving ownership of a private key, which is associated with a public-key certificate. [And then replace "peer" by "server" in subsequent sentences.]

Opinions?

Thanks,
    Yaron

[1] https://trac.tools.ietf.org/bof/trac/wiki#Security
From: Yoav Nir
To: Yaron Sheffer
Cc: LURK BoF
Date: Mon, 8 Feb 2016 22:06:52 +0200
Subject: Re: [Lurk] BoF scope: protocols

Hi, Yaron

> On 8 Feb 2016, at 9:49 PM, Yaron Sheffer wrote:
>
> Hi,
>
> To clarify the scope of the BoF, we might want to edit the proposal [1] somewhat. The first few sentences are kind of general, and talk about TLS, IPsec and SSH. So far, nobody came up with a use case that relates to IPsec or SSH. I would like to suggest that we make the BoF proposal more concrete and specific by mentioning only TLS. Something like:
>
> Old
>
> Communication protocols like IPsec, SSH or TLS provide means to authenticate the remote peer. Authentication is based on the proof of ownership of a private key.
>
> New
>
> The TLS protocol in typical use authenticates the server by proving ownership of a private key, which is associated with a public-key certificate. [And then replace "peer" by "server" in subsequent sentences.]
>
> Opinions?

I’d narrow it down even further. This is not about any protocol protected with TLS. This is pretty much only HTTPS.

HTTPS in typical use authenticates the server by proving ownership of a private key, which is associated with a public-key certificate. [you’d still replace subsequent “peer”s with “server”s or even “web servers”]

Yoav

From: "Salz, Rich"
To: Yoav Nir, Yaron Sheffer
Cc: LURK BoF
Date: Mon, 8 Feb 2016 20:43:23 +0000
Subject: Re: [Lurk] BoF scope: protocols

> I’d narrow it down even further. This is not about any protocol protected with TLS. This is pretty much only HTTPS.

I think this is a good simplification for starting off.

An SSH use case I can think of has role-based keys securely maintained and individuals speak off-host to that server in order to ssh to a deployed machine. For example. :)
From: Eric Burger
To: LURK BoF
Date: Mon, 8 Feb 2016 19:33:28 -0500
Subject: Re: [Lurk] BoF scope: protocols

On Feb 8, 2016, at 3:43 PM, Salz, Rich wrote:
> I’d narrow it down even further. This is not about any protocol protected with TLS. This is pretty much only HTTPS.
>
> I think this is a good simplification for starting off.
>
> An SSH use case I can think of has role-based keys securely maintained and individuals speak off-host to that server in order to ssh to a deployed machine. For example. :)

A theoretical example or a real one?

From: Eric Burger
To: LURK BoF
Date: Mon, 8 Feb 2016 19:38:10 -0500
Subject: [Lurk] More on Protocols: KMIP, PKCS#11

As the clear neophyte here, I would like the group’s collective wisdom. What is missing from KMIP that this work group, should it be chartered, needs to fill in?

From: Daniel Migault
To: Yoav Nir, Yaron Sheffer
Cc: LURK BoF
Date: Tue, 9 Feb 2016 14:16:02 +0000
Subject: Re: [Lurk] BoF scope: protocols

Hi Yaron,

Restricting to TLS only seems to me too restrictive. I suggest we extend it to TLS/DTLS. On the other hand, we may restrict the scope to some TLS/DTLS versions. Maybe the scope may be reduced to versions 1.2 and 1.3.

I would then propose the following text:

The TLS/DTLS protocols in typical use authenticate the server by proving ownership of a private key, which is associated with a public-key certificate. [And then replace "peer" by "server" in subsequent sentences.]

BR,
Daniel
Y2VydGlmaWNhdGUuDQogW0FuZCB0aGVuIHJlcGxhY2UgJnF1b3Q7cGVlciZxdW90OyBieSAmcXVv dDtzZXJ2ZXImcXVvdDsgaW4gc3Vic2VxdWVudCBzZW50ZW5jZXMuXTwvc3Bhbj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjkuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0hlbHZldGljYSZxdW90OywmcXVv dDtzYW5zLXNlcmlmJnF1b3Q7Ij48YnIgc3R5bGU9Im9ycGhhbnM6IGF1dG87dGV4dC1hbGlnbjpz dGFydDt3aWRvd3M6IGF1dG87LXdlYmtpdC10ZXh0LXN0cm9rZS13aWR0aDogMHB4O3dvcmQtc3Bh Y2luZzowcHgiPg0KPGJyPg0KPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xv cjojMUY0OTdEIj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1 b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286 cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkJSLA0KPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0Qi PkRhbmllbDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXY+DQo8ZGl2IHN0eWxlPSJib3JkZXI6 bm9uZTtib3JkZXItdG9wOnNvbGlkICNCNUM0REYgMS4wcHQ7cGFkZGluZzozLjBwdCAwaW4gMGlu IDBpbiI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEw LjBwdDtmb250LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90 OyI+RnJvbTo8L3NwYW4+PC9iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4gTHVyayBbbWFp bHRvOmx1cmstYm91bmNlc0BpZXRmLm9yZ10NCjxiPk9uIEJlaGFsZiBPZiA8L2I+WW9hdiBOaXI8 YnI+DQo8Yj5TZW50OjwvYj4gTW9uZGF5LCBGZWJydWFyeSAwOCwgMjAxNiAzOjA3IFBNPGJyPg0K PGI+VG86PC9iPiBZYXJvbiBTaGVmZmVyPGJyPg0KPGI+Q2M6PC9iPiBMVVJLIEJvRjxicj4NCjxi PlN1YmplY3Q6PC9iPiBSZTogW0x1cmtdIEJvRiBzY29wZTogcHJvdG9jb2xzPG86cD48L286cD48 
L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5i c3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+SGksIFlhcm9uPG86cD48L286cD48 L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8 ZGl2Pg0KPGJsb2NrcXVvdGUgc3R5bGU9Im1hcmdpbi10b3A6NS4wcHQ7bWFyZ2luLWJvdHRvbTo1 LjBwdCI+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+T24gOCBGZWIgMjAxNiwgYXQgOTo0 OSBQTSwgWWFyb24gU2hlZmZlciAmbHQ7PGEgaHJlZj0ibWFpbHRvOnlhcm9uZi5pZXRmQGdtYWls LmNvbSI+eWFyb25mLmlldGZAZ21haWwuY29tPC9hPiZndDsgd3JvdGU6PG86cD48L286cD48L3A+ DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6OS4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7SGVsdmV0aWNhJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7YmFj a2dyb3VuZDp3aGl0ZSI+SGksPC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LXNpemU6OS4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7SGVsdmV0aWNhJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPjxi cj4NCjxicj4NCjxzcGFuIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj5UbyBjbGFyaWZ5IHRoZSBz Y29wZSBvZiB0aGUgQm9GLCB3ZSBtaWdodCB3YW50IHRvIGVkaXQgdGhlIHByb3Bvc2FsIFsxXSBz b21ld2hhdC4gVGhlIGZpcnN0IGZldyBzZW50ZW5jZXMgYXJlIGtpbmQgb2YgZ2VuZXJhbCwgYW5k IHRhbGsgYWJvdXQgVExTLCBJUHNlYyBhbmQgU1NILiBTbyBmYXIsIG5vYm9keSBjYW1lIHVwIHdp dGggYSB1c2UgY2FzZSB0aGF0IHJlbGF0ZXMgdG8gSVBzZWMgb3INCiBTU0guIEkgd291bGQgbGlr ZSB0byBzdWdnZXN0IHRoYXQgd2UgbWFrZSB0aGUgQm9GIHByb3Bvc2FsIG1vcmUgY29uY3JldGUg YW5kIHNwZWNpZmljIGJ5IG1lbnRpb25pbmcgb25seSBUTFMuIFNvbWV0aGluZyBsaWtlOjwvc3Bh bj48YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+T2xkPC9zcGFuPjxi cj4NCjxicj4NCjxzcGFuIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj5Db21tdW5pY2F0aW9uIHBy b3RvY29scyBsaWtlIElQc2VjLCBTU0ggb3IgVExTIHByb3ZpZGUgbWVhbnMgdG8gYXV0aGVudGlj YXRlIHRoZSByZW1vdGUgcGVlci4gQXV0aGVudGljYXRpb24gaXMgYmFzZWQgb24gdGhlIHByb29m IG9mIG93bmVyc2hpcCBvZiBhIHByaXZhdGUga2V5LjxzcGFuIGNsYXNzPSJhcHBsZS1jb252ZXJ0 ZWQtc3BhY2UiPiZuYnNwOzwvc3Bhbj48L3NwYW4+PGJyPg0KPGJyPg0KPHNwYW4gc3R5bGU9ImJh 
Y2tncm91bmQ6d2hpdGUiPk5ldzwvc3Bhbj48YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iYmFja2dy b3VuZDp3aGl0ZSI+VGhlIFRMUyBwcm90b2NvbCBpbiB0eXBpY2FsIHVzZSBhdXRoZW50aWNhdGVz IHRoZSBzZXJ2ZXIgYnkgcHJvdmluZyBvd25lcnNoaXAgb2YgYSBwcml2YXRlIGtleSwgd2hpY2gg aXMgYXNzb2NpYXRlZCB3aXRoIGEgcHVibGljLWtleSBjZXJ0aWZpY2F0ZS4gW0FuZCB0aGVuIHJl cGxhY2UgJnF1b3Q7cGVlciZxdW90OyBieSAmcXVvdDtzZXJ2ZXImcXVvdDsgaW4gc3Vic2VxdWVu dCBzZW50ZW5jZXMuXTwvc3Bhbj48YnI+DQo8YnI+DQo8c3BhbiBzdHlsZT0iYmFja2dyb3VuZDp3 aGl0ZSI+T3BpbmlvbnM/PC9zcGFuPjwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9i bG9ja3F1b3RlPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpw PjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPknigJlkIG5hcnJvdyBp dCBkb3duIGV2ZW4gZnVydGhlci4gVGhpcyBpcyBub3QgYWJvdXQgYW55IHByb3RvY29sIHByb3Rl Y3RlZCB3aXRoIFRMUy4gVGhpcyBpcyBwcmV0dHkgbXVjaCBvbmx5IEhUVFBTLjxvOnA+PC9vOnA+ PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286 cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5IVFRQUyBpbiB0eXBp Y2FsIHVzZSBhdXRoZW50aWNhdGVzIHRoZSBzZXJ2ZXIgYnkgcHJvdmluZyBvd25lcnNoaXAgb2Yg YSBwcml2YXRlIGtleSwgd2hpY2ggaXMgYXNzb2NpYXRlZCB3aXRoIGEgcHVibGljLWtleSBjZXJ0 aWZpY2F0ZS4gJm5ic3A7W3lvdeKAmWQgc3RpbGwgcmVwbGFjZSBzdWJzZXF1ZW50IOKAnHBlZXLi gJ1zIHdpdGgg4oCcc2VydmVy4oCdcyBvciBldmVuIOKAnHdlYiBzZXJ2ZXJz4oCdXTxvOnA+PC9v OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5Zb2F2PG86cD48 L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNw OzwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2JvZHk+DQo8L2h0bWw+DQo= --_000_2DD56D786E600F45AC6BDE7DA4E8A8C1121E4662eusaamb107erics_-- From nobody Tue Feb 9 07:44:19 2016 Return-Path: X-Original-To: lurk@ietfa.amsl.com Delivered-To: lurk@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D48631A930A for ; Tue, 9 Feb 2016 07:44:17 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO 
X-Spam-Score: -2.702 X-Spam-Level: X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JKogWHp21qk1 for ; Tue, 9 Feb 2016 07:44:15 -0800 (PST) Received: from prod-mail-xrelay06.akamai.com (prod-mail-xrelay06.akamai.com [96.6.114.98]) by ietfa.amsl.com (Postfix) with ESMTP id D1DA51A9300 for ; Tue, 9 Feb 2016 07:44:15 -0800 (PST) Received: from prod-mail-xrelay06.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id C327516C8CC; Tue, 9 Feb 2016 15:44:14 +0000 (GMT) Received: from prod-mail-relay09.akamai.com (prod-mail-relay09.akamai.com [172.27.22.68]) by prod-mail-xrelay06.akamai.com (Postfix) with ESMTP id ACE7F16C7FA; Tue, 9 Feb 2016 15:44:14 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1455032654; bh=jPjJaNzDqP3wd9t7JPjTQmOqexvuMk7Wa4QZdHfEqfw=; l=412; h=From:To:Date:References:In-Reply-To:From; b=RYFlJTe6PU4gslszxgE2wvSU0FIEjQVr2j2oZbpZCaK78h/lpwoODDWYzbThM1Aup 1X2JFF4mZN6L/BuQByaTisD7LdtCNvO9F5al2VYrBZqiKUJDVeTNze0sG99u7K2Ipm B19ODv91vlds2KzH03muoe3vbHrMQ9N7JuSkpJgs= Received: from email.msg.corp.akamai.com (ustx2ex-cas5.msg.corp.akamai.com [172.27.25.34]) by prod-mail-relay09.akamai.com (Postfix) with ESMTP id 9C6851E080; Tue, 9 Feb 2016 15:44:14 +0000 (GMT) Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com (172.27.27.101) by ustx2ex-dag1mb6.msg.corp.akamai.com (172.27.27.107) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 9 Feb 2016 07:44:14 -0800 Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com ([172.27.6.131]) by ustx2ex-dag1mb1.msg.corp.akamai.com ([172.27.6.131]) with mapi id 15.00.1076.000; Tue, 9 Feb 2016 09:44:14 -0600 From: "Salz, Rich" To: Eric Burger , LURK BoF Thread-Topic: 
[Lurk] BoF scope: protocols Thread-Index: AQHRYqnZim08gbUczkqHUg6tS9+KDJ8i5v4A//+16cCAAEDPAIAA/k/A Date: Tue, 9 Feb 2016 15:44:13 +0000 Message-ID: <624b90df990b41b6abaa1898ee46d7f0@ustx2ex-dag1mb1.msg.corp.akamai.com> References: <56B8F140.9050202@gmail.com> <6E9DC283-E0E4-4F56-A134-3417EEC9629B@gmail.com> <225dbe42b7674bb6a0ee4801ccafc74c@usma1ex-dag1mb1.msg.corp.akamai.com> <7E2E20D9-FD52-4580-838F-F767351CAF4A@gmail.com> <60A4A5D5-664D-4995-AA77-18BE02D10CBF@standardstrack.com> In-Reply-To: <60A4A5D5-664D-4995-AA77-18BE02D10CBF@standardstrack.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.33.84] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: Subject: Re: [Lurk] BoF scope: protocols X-BeenThere: lurk@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Limited Use of Remote Keys List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Feb 2016 15:44:18 -0000 PiA+IEFuIFNTSCB1c2UgY2FzZSBJIGNhbiB0aGluayBvZiBoYXMgcm9sZS1iYXNlZCBrZXlzIHNl Y3VyZWx5IG1haW50YWluZWQgYW5kDQo+IGluZGl2aWR1YWxzIHNwZWFrIG9mZi1ob3N0IHRvIHRo YXQgc2VydmVyIGluIG9yZGVyIHRvIHNzaCB0byBhIGRlcGxveWVkDQo+IG1hY2hpbmUuICBGb3Ig ZXhhbXBsZS4gOikNCj4gDQo+IEEgdGhlb3JldGljYWwgZXhhbXBsZSBvciBhIHJlYWwgb25lPw0K DQpZZXMgOikNCg0KQnV0IEZXSVcgSSBzdXBwb3J0IGxpbWl0aW5nIHRvIFRMUyBrZXlzIGluIEhU VFBTIGZvciBub3cuDQo= From nobody Tue Feb 9 11:54:17 2016 Return-Path: X-Original-To: lurk@ietfa.amsl.com Delivered-To: lurk@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02D671ACEF4 for ; Tue, 9 Feb 2016 11:54:16 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.302 X-Spam-Level: X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, 
DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id saTblxd9x6rR for ; Tue, 9 Feb 2016 11:54:14 -0800 (PST) Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63F281ACE98 for ; Tue, 9 Feb 2016 11:54:14 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0E9E6BE4D; Tue, 9 Feb 2016 19:54:13 +0000 (GMT) X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6PKpq-fWHuDJ; Tue, 9 Feb 2016 19:54:11 +0000 (GMT) Received: from [10.87.48.75] (unknown [86.46.17.89]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2A871BE4C; Tue, 9 Feb 2016 19:54:11 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1455047651; bh=uvGE8Y2ZYG8PGlXBPh+8ab2npPK1xu0Amkp2cIX9Xlg=; h=Subject:To:References:From:Date:In-Reply-To:From; b=dwN3TyN2CVg4bQ1xLlQo5N0xUwvc9VfGqFXlLEMXO//RpCKJmC0WSsB4Ivmo/yo4p lAiOvbjr39pn8mChNAFb0xW68XLkWvdnjZwWUtJHhTadxifFEVYwjGH7072WXD+QPX 45iUdPTubeSPy9dvsu2ITXdqmiJ/1IMEz7SvKPvg= To: Yaron Sheffer , LURK BoF References: <56B8F140.9050202@gmail.com> From: Stephen Farrell Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url= Message-ID: <56BA43E2.1010502@cs.tcd.ie> Date: Tue, 9 Feb 2016 19:54:10 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 MIME-Version: 1.0 In-Reply-To: <56B8F140.9050202@gmail.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [Lurk] BoF scope: protocols X-BeenThere: lurk@ietf.org X-Mailman-Version: 2.1.15 
Hiya,

On 08/02/16 19:49, Yaron Sheffer wrote:
> Hi,
>
> To clarify the scope of the BoF, we might want to edit the proposal [1]
> somewhat. The first few sentences are kind of general, and talk about TLS, IPsec
> and SSH. So far, nobody came up with a use case that relates to IPsec or SSH. I
> would like to suggest that we make the BoF proposal more concrete and specific
> by mentioning only TLS. Something like:
>
> Old
>
> Communication protocols like IPsec, SSH or TLS provide means to authenticate the
> remote peer. Authentication is based on the proof of ownership of a private key.
>
> New
>
> The TLS protocol in typical use authenticates the server by proving ownership of
> a private key, which is associated with a public-key certificate. [And then
> replace "peer" by "server" in subsequent sentences.]
>
> Opinions?

With no hat, I think the New text is maybe a better plan, but since I just hit the issue again a moment ago, I'd like to just ask about a different possible use-case:

Would there be any support for including within scope support for PGP and/or S/MIME decryption/signing operations? This would be to tackle the problem of using multiple MUAs whilst only wanting one key pair that one doesn't want to "install" on a bunch of hosts. (Nice niche concern eh - can anyone find a niche-ier niche? :-)

I think the answer is likely "no" and even if it were "yes" and a whole bunch of folks wanted to work on that, (which I doubt) and even if people would implement and deploy (I'd be surprised if we got significant instances of either), it might be better if it were handled quite differently to HTTPS or TLS. But I did want to ask so that a conclusion gets in the archive. (And a total lack of response is a valid way to reach the obvious conclusion in this case I reckon.)

Cheers,
S.
> Thanks,
> Yaron
>
> [1] https://trac.tools.ietf.org/bof/trac/wiki#Security

From nobody Tue Feb 9 11:55:19 2016
From: Yaron Sheffer
To: Daniel Migault, Yoav Nir
Cc: LURK BoF
Date: Tue, 9 Feb 2016 21:55:12 +0200
Subject: Re: [Lurk] BoF scope: protocols
On 02/09/2016 04:16 PM, Daniel Migault wrote:
>
> Hi Yaron,
>
> Restricting to TLS only seems to me too restrictive. I suggest we
> extend it to TLS/DTLS. On the other hand, we may restrict the scope to
> some TLS/DTLS versions. Maybe the scope may be reduced to versions 1.2
> and 1.3.
>
> I would then propose the following text:
>
> The TLS/DTLS protocols in typical use authenticates the server by
> proving ownership of a private key, which is associated with a
> public-key certificate. [And then replace "peer" by "server" in
> subsequent sentences.]
>
> BR,
>
> Daniel
>

If we want to include DTLS, I would suggest that we look at a use case that justifies it. Unless I'm missing something, there are no CDNs that distribute content via DTLS.

Thanks,
Yaron
From nobody Tue Feb 9 13:04:21 2016
From: Daniel Migault
To: Yaron Sheffer, Yoav Nir
Cc: LURK BoF
Date: Tue, 9 Feb 2016 21:04:14 +0000
Subject: Re: [Lurk] BoF scope: protocols
Hi Yaron,

I am not aware either of CDNs using UDP, but as UDP is a transport layer that gets more and more attraction, I would prefer not to explicitly exclude DTLS.

BR,
Daniel

> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
> Sent: Tuesday, February 09, 2016 2:55 PM
> To: Daniel Migault; Yoav Nir
> Cc: LURK BoF
> Subject: Re: [Lurk] BoF scope: protocols
>
> On 02/09/2016 04:16 PM, Daniel Migault wrote:
>
> Hi Yaron,
>
> Restricting to TLS only seems to me too restrictive. I suggest we extend it to TLS/DTLS. On the other hand, we may restrict the scope to some TLS/DTLS versions. Maybe the scope may be reduced to versions 1.2 and 1.3.
>
> I would then propose the following text:
>
> The TLS/DTLS protocols in typical use authenticates the server by proving ownership of a private key, which is associated with a public-key certificate. [And then replace "peer" by "server" in subsequent sentences.]
>
> BR,
> Daniel
>
> If we want to include DTLS, I would suggest that we look at a use case that justifies it. Unless I'm missing something, there are no CDNs that distribute content via DTLS.
>
> Thanks,
> Yaron

From nobody Tue Feb 9 13:06:04 2016
From: Yoav Nir
To: Daniel Migault
Cc: Yaron Sheffer, LURK BoF
Date: Tue, 9 Feb 2016 23:05:56 +0200
Subject: Re: [Lurk] BoF scope: protocols

More specifically, if QUIC (or SPUD) takes off, CDNs might support it.

But I think anything we do here would be trivially adaptable to such a world. I don’t think we should be jumping the gun just yet.

Yoav

> On 9 Feb 2016, at 11:04 PM, Daniel Migault wrote:
>
> Hi Yaron,
>
> I am not aware either of CDNs using UDP, but as UDP is a transport layer that gets more and more attraction, I would prefer not to explicitly exclude DTLS.
>
> BR,
> Daniel
>
> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
> Sent: Tuesday, February 09, 2016 2:55 PM
> To: Daniel Migault; Yoav Nir
> Cc: LURK BoF
> Subject: Re: [Lurk] BoF scope: protocols
>
> On 02/09/2016 04:16 PM, Daniel Migault wrote:
>
> Hi Yaron,
>
> Restricting to TLS only seems to me too restrictive. I suggest we extend it to TLS/DTLS. On the other hand, we may restrict the scope to some TLS/DTLS versions. Maybe the scope may be reduced to versions 1.2 and 1.3.
>
> I would then propose the following text:
>
> The TLS/DTLS protocols in typical use authenticates the server by proving ownership of a private key, which is associated with a public-key certificate. [And then replace "peer" by "server" in subsequent sentences.]
>
> BR,
> Daniel
>
> If we want to include DTLS, I would suggest that we look at a use case that justifies it. Unless I'm missing something, there are no CDNs that distribute content via DTLS.
>
> Thanks,
> Yaron

From nobody Tue Feb 9 13:07:07 2016
From: "Salz, Rich"
To: Yoav Nir, Daniel Migault
Cc: Yaron Sheffer, LURK BoF
Date: Tue, 9 Feb 2016 21:07:00 +0000
Message-ID: <7ee080c9e1444ed59fa4d88bb1248c76@ustx2ex-dag1mb1.msg.corp.akamai.com>
In-Reply-To: <3F240341-142C-4FE2-954B-DE5F9783061A@gmail.com>
Subject: Re: [Lurk] BoF scope: protocols

> More specifically, if QUIC (or SPUD) takes off, CDNs might support it.

Akamai's announced support for QUIC, but it currently does not use DTLS. The announced plans are to use TLS 1.3 handshake, but not the record format which means still not DTLS.

From nobody Wed Feb 17 09:01:37 2016
From: Eric Burger
To: LURK BoF
Date: Wed, 17 Feb 2016 12:00:48 -0500
Message-Id: <1D2772A9-593C-40FE-8799-9ACB8098AA43@standardstrack.com>
Subject: Re: [Lurk] More on Protocols: KMIP, PKCS#11

Any thoughts, or are we already finished before we start?

> On Feb 8, 2016, at 7:38 PM, Eric Burger <eburger@standardstrack.com> wrote:
>
> As the clear neophyte here, I would like the group's collective wisdom. What is missing from KMIP <https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip> that this work group, should it be chartered, needs to fill in?
From nobody Wed Feb 17 09:34:51 2016
From: "Joe Hildebrand (jhildebr)"
To: Eric Burger, LURK BoF
Date: Wed, 17 Feb 2016 17:34:48 +0000
Message-ID: <996BD484-667A-4F4E-9CA9-4D3862C44C41@cisco.com>
In-Reply-To: <1D2772A9-593C-40FE-8799-9ACB8098AA43@standardstrack.com>
Subject: Re: [Lurk] More on Protocols: KMIP, PKCS#11

I know a couple of people are looking at KMIP. It's not conducive to a quick read.

-- 
Joe Hildebrand

On 2/17/16, 10:00 AM, "Lurk on behalf of Eric Burger" <lurk-bounces@ietf.org on behalf of eburger@standardstrack.com> wrote:

> Any thoughts, or are we already finished before we start?
>
>> On Feb 8, 2016, at 7:38 PM, Eric Burger <eburger@standardstrack.com> wrote:
>>
>> As the clear neophyte here, I would like the group's collective wisdom. What is missing from KMIP <https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip> that this work group, should it be chartered, needs to fill in?

From nobody Wed Feb 17 09:41:54 2016
From: Daniel Migault
To: Eric Burger, LURK BoF
Date: Wed, 17 Feb 2016 17:41:50 +0000
Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5765@eusaamb107.ericsson.se>
In-Reply-To: <1D2772A9-593C-40FE-8799-9ACB8098AA43@standardstrack.com>
Subject: Re: [Lurk] More on Protocols: KMIP, PKCS#11

Hi Eric,

My understanding is that OASIS is a network protocol that enables key management operations as well as cryptographic operations such as encryption, decryption and signing. It may be used as an interface between the Content Provider and the HSM.

This does only partly address the use case of LURK as LURK defines an interface between the Edge Server and the Content Provider (Key holder) which means for example:
    - input provided by the Edge Server to the Content Provider is different and specific to TLS (Client Hello randoms...)
    - output provided by the Content Provider to the Edge Server is different (master secret, premaster secret, signature, validation...)

BR,
Daniel

-----Original Message-----
From: Lurk [mailto:lurk-bounces@ietf.org] On Behalf Of Eric Burger
Sent: Wednesday, February 17, 2016 12:01 PM
To: LURK BoF
Subject: Re: [Lurk] More on Protocols: KMIP, PKCS#11

Any thoughts, or are we already finished before we start?

> On Feb 8, 2016, at 7:38 PM, Eric Burger <eburger@standardstrack.com> wrote:
>
> As the clear neophyte here, I would like the group's collective wisdom. What is missing from KMIP <https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip> that this work group, should it be chartered, needs to fill in?

From nobody Wed Feb 17 12:04:41 2016
From: Yaron Sheffer
To: Daniel Migault, Eric Burger, LURK BoF
Date: Wed, 17 Feb 2016 22:04:34 +0200
Message-ID: <56C4D252.90201@gmail.com>
In-Reply-To: <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5765@eusaamb107.ericsson.se>
Subject: Re: [Lurk] More on Protocols: KMIP, PKCS#11

Hi Daniel,

Given that in typical use, the private key is *only* used for server identity, what's the benefit of the TLS-specific output compared to a simple "please sign this blob with your RSA key"?

Thanks,
	Yaron

On 02/17/2016 07:41 PM, Daniel Migault wrote:
> Hi Eric,
>
> My understanding is that OASIS is a network protocol that enables key management operations as well as cryptographic operations such as encryption, decryption and signing. It may be used as an interface between the Content Provider and the HSM.
>
> This does only partly address the use case of LURK as LURK defines an interface between the Edge Server and the Content Provider (Key holder) which means for example:
> - input provided by the Edge Server to the Content Provider is different and specific to TLS (Client Hello randoms...)
> - output provided by the Content Provider to the Edge Server is different (master secret, premaster secret, signature, validation...)
>
> BR,
> Daniel
>
> -----Original Message-----
> From: Lurk [mailto:lurk-bounces@ietf.org] On Behalf Of Eric Burger
> Sent: Wednesday, February 17, 2016 12:01 PM
> To: LURK BoF
> Subject: Re: [Lurk] More on Protocols: KMIP, PKCS#11
>
> Any thoughts, or are we already finished before we start?
>
>> On Feb 8, 2016, at 7:38 PM, Eric Burger wrote:
>>
>> As the clear neophyte here, I would like the group's collective wisdom. What is missing from KMIP that this work group, should it be chartered, needs to fill in?
> _______________________________________________
> Lurk mailing list
> Lurk@ietf.org
> https://www.ietf.org/mailman/listinfo/lurk

From nobody Wed Feb 17 12:06:35 2016
From: "Salz, Rich"
To: Yaron Sheffer, Daniel Migault, Eric Burger, LURK BoF
Date: Wed, 17 Feb 2016 20:06:30 +0000
Message-ID: <94ad77bd6f71462c9b10055e7fda0756@ustx2ex-dag1mb1.msg.corp.akamai.com>
In-Reply-To: <56C4D252.90201@gmail.com>
Subject: Re: [Lurk] More on Protocols: KMIP, PKCS#11

> Given that in typical use, the private key is *only* used for server identity,
> what's the benefit of the TLS-specific output compared to a simple "please
> sign this blob with your RSA key"?

To avoid becoming a signing oracle.

-- 
Senior Architect, Akamai Technologies
IM: richsalz@jabber.at Twitter: RichSalz
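The signing-oracle concern Rich raises above, and the kind of input constraint that answers it, as an added example that is not code from the thread or from any LURK draft: a key-holder request handler (hypothetical names throughout) that accepts only TLS-shaped inputs, builds the RFC 5246 ServerKeyExchange and RFC 8446 CertificateVerify to-be-signed bytes itself, and has no sign-this-blob path. All sample values are constructed, and the signature primitive is an HMAC stand-in so the block runs with the standard library alone.

```python
"""Constrained signing interface for a LURK-style remote key holder.

Added example, not code from the thread or from any LURK draft. The key
holder never signs a caller-supplied blob: it accepts TLS-specific inputs,
checks their shape, and builds the to-be-signed bytes itself, so an edge
server cannot use it as a general-purpose signing oracle. It does not
compute master secrets or any other TLS parameter.

The private-key operation is a stand-in (HMAC-SHA256 with a constructed key)
so the block runs with the standard library only; a deployment would use a
real RSA or ECDSA signature here.
"""
import hashlib
import hmac
import struct

# Constructed stand-in for the content provider's private key.
_PRIVATE_KEY_STUB = b"constructed-key-holder-secret"

# RFC 4492 section 5.4 ECCurveType.named_curve and RFC 8422 NamedCurve ids.
_NAMED_CURVE = 3
_ALLOWED_CURVES = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}

# RFC 8446 section 4.4.3: 64 spaces, context string, single zero byte.
_TLS13_SERVER_CV_PREFIX = b" " * 64 + b"TLS 1.3, server CertificateVerify" + b"\x00"


class RefusedRequest(ValueError):
    """The request is not a well-formed TLS signing input."""


def _sign(to_be_signed: bytes) -> bytes:
    """Stand-in for the private-key signature operation."""
    return hmac.new(_PRIVATE_KEY_STUB, to_be_signed, hashlib.sha256).digest()


def tls12_server_key_exchange_tbs(client_random: bytes, server_random: bytes,
                                  curve_id: int, public_point: bytes) -> bytes:
    """RFC 5246 section 7.4.3 signed data: client_random || server_random || ServerECDHParams.

    The caller chooses the randoms and the point, so the key holder cannot
    constrain their content, only their shape and the fixed structure around them.
    """
    if len(client_random) != 32 or len(server_random) != 32:
        raise RefusedRequest("randoms must be exactly 32 bytes")
    if curve_id not in _ALLOWED_CURVES:
        raise RefusedRequest("unsupported named curve %d" % curve_id)
    if not 1 <= len(public_point) <= 255:
        raise RefusedRequest("ECPoint length must fit one length byte")
    params = struct.pack("!BHB", _NAMED_CURVE, curve_id, len(public_point)) + public_point
    return client_random + server_random + params


def tls13_certificate_verify_tbs(transcript_hash: bytes) -> bytes:
    """RFC 8446 section 4.4.3 content for a SHA-256 transcript hash.

    The fixed prefix is added by the key holder, so every signature it
    produces on this path is over a message that starts with 64 spaces.
    """
    if len(transcript_hash) != hashlib.sha256().digest_size:
        raise RefusedRequest("transcript hash must be 32 bytes")
    return _TLS13_SERVER_CV_PREFIX + transcript_hash


def handle_request(request: dict) -> bytes:
    """Dispatch one key-holder request; only TLS-shaped requests are accepted."""
    try:
        kind = request["type"]
        if kind == "tls12_server_key_exchange":
            tbs = tls12_server_key_exchange_tbs(
                request["client_random"], request["server_random"],
                request["curve_id"], request["public_point"])
        elif kind == "tls13_certificate_verify":
            tbs = tls13_certificate_verify_tbs(request["transcript_hash"])
        else:
            # There is deliberately no "sign this blob" request type.
            raise RefusedRequest("unknown request type %r" % (kind,))
    except KeyError as missing:
        raise RefusedRequest("missing field %s" % missing) from None
    return _sign(tbs)


def demo() -> dict:
    """Run three constructed requests: two TLS-shaped ones and one raw blob."""
    client_random = bytes(range(32))            # constructed sample values
    server_random = bytes(range(32, 64))
    public_point = b"\x04" + b"\x11" * 64       # placeholder uncompressed P-256 point
    ske_sig = handle_request({
        "type": "tls12_server_key_exchange",
        "client_random": client_random, "server_random": server_random,
        "curve_id": 23, "public_point": public_point})
    cv_sig = handle_request({
        "type": "tls13_certificate_verify",
        "transcript_hash": hashlib.sha256(b"constructed transcript").digest()})
    try:
        handle_request({"type": "raw_blob", "data": b"anything the edge chooses"})
        blob_refused = False
    except RefusedRequest:
        blob_refused = True
    return {"ske_sig_len": len(ske_sig), "cv_sig_len": len(cv_sig),
            "blob_refused": blob_refused}


if __name__ == "__main__":
    print(demo())
```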
[79.182.36.67]) by smtp.gmail.com with ESMTPSA id q75sm27317029wmd.6.2016.02.17.12.13.12 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 17 Feb 2016 12:13:13 -0800 (PST) To: "Salz, Rich" , Daniel Migault , Eric Burger , LURK BoF References: <1D2772A9-593C-40FE-8799-9ACB8098AA43@standardstrack.com> <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5765@eusaamb107.ericsson.se> <56C4D252.90201@gmail.com> <94ad77bd6f71462c9b10055e7fda0756@ustx2ex-dag1mb1.msg.corp.akamai.com> From: Yaron Sheffer Message-ID: <56C4D458.1030502@gmail.com> Date: Wed, 17 Feb 2016 22:13:12 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 MIME-Version: 1.0 In-Reply-To: <94ad77bd6f71462c9b10055e7fda0756@ustx2ex-dag1mb1.msg.corp.akamai.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [Lurk] More on Protocols: KMIP, PKCS#11 X-BeenThere: lurk@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Limited Use of Remote Keys List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Feb 2016 20:13:17 -0000 Given that in typical use, the private key is *only* used for server identity, what's the benefit of the TLS-specific output compared to a simple "please sign this blob with your RSA key"? > To avoid becoming a signing oracle. > > Fine, even if the reason is that we're using broken signature algorithms that are susceptible to such attacks. Sigh. However this only means we need to constrain the input, without requiring the signer to compute all the TLS parameters. 
Thanks, Yaron From nobody Wed Feb 17 12:15:52 2016 Return-Path: X-Original-To: lurk@ietfa.amsl.com Delivered-To: lurk@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4267E1A8AC8 for ; Wed, 17 Feb 2016 12:15:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.2 X-Spam-Level: X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MzsDeoDU9Tuc for ; Wed, 17 Feb 2016 12:15:51 -0800 (PST) Received: from usplmg20.ericsson.net (usplmg20.ericsson.net [198.24.6.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13ED81A88A3 for ; Wed, 17 Feb 2016 12:15:51 -0800 (PST) X-AuditID: c618062d-f79dd6d000003091-b1-56c4d11e859d Received: from EUSAAHC001.ericsson.se (Unknown_Domain [147.117.188.75]) by usplmg20.ericsson.net (Symantec Mail Security) with SMTP id 13.F7.12433.E11D4C65; Wed, 17 Feb 2016 20:59:26 +0100 (CET) Received: from EUSAAMB107.ericsson.se ([147.117.188.124]) by EUSAAHC001.ericsson.se ([147.117.188.75]) with mapi id 14.03.0248.002; Wed, 17 Feb 2016 15:15:49 -0500 From: Daniel Migault To: "Salz, Rich" , Yaron Sheffer , Eric Burger , LURK BoF Thread-Topic: [Lurk] More on Protocols: KMIP, PKCS#11 Thread-Index: AQHRYtIsSte3DF1wyEmasRMUP+DL+J8w16wA//+3HUCAAHw7AIAAAIoA//+tM8A= Date: Wed, 17 Feb 2016 20:15:49 +0000 Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C1121E582E@eusaamb107.ericsson.se> References: <1D2772A9-593C-40FE-8799-9ACB8098AA43@standardstrack.com> <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5765@eusaamb107.ericsson.se> <56C4D252.90201@gmail.com> <94ad77bd6f71462c9b10055e7fda0756@ustx2ex-dag1mb1.msg.corp.akamai.com> In-Reply-To: 
<94ad77bd6f71462c9b10055e7fda0756@ustx2ex-dag1mb1.msg.corp.akamai.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [147.117.188.9] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpmkeLIzCtJLcpLzFFi42KZXLrHW1fu4pEwg8sdphbTdvWyWrxd42fx f0sni8Wq+zPYHVg8Jh9ZwOyxc9Zddo8lS34yeTR1LmYPYInisklJzcksSy3St0vgyjjwvJG5 oIGt4tPud4wNjB9Zuhg5OSQETCS+PumDssUkLtxbz9bFyMUhJHCEUWLeog52CGc5o8THxl2s IFVsAkYSbYf62UFsEYEJjBLb3jKB2MJAk7Y8+AoU5wCKm0o0rS6AKPGT6G86C7aARUBV4uyd fcwgNq+Ar8TUjgVQy1YzSfxrmM0IkuAUCJY4/PEj2ExGoIu+n1oDZjMLiEvcejKfCeJSAYkl e84zQ9iiEi8f/2OFsBUl9vVPZ4eo15FYsPsTG4StLbFs4WuoxYISJ2c+YZnAKDoLydhZSFpm IWmZhaRlASPLKkaO0uKCnNx0I4NNjMCoOSbBpruD8f50z0OMAhyMSjy8GwoPhwmxJpYVV+Ye YpTgYFYS4eXediRMiDclsbIqtSg/vqg0J7X4EKM0B4uSOO9Sh/VhQgLpiSWp2ampBalFMFkm Dk6pBsZ9XLME3z+z748+tPATn9icBTJWs2pbkz//On7B6NfUvzEmnN+nPLq7QmGvKO/Fp3e+ HPZ/n+5f69aTXZDS42PedsH5wA/GnBgzY65oj3Sv3XMXHP6Z9aF323apvt8vTn8Stgh/npXz tODJ9Cc6Pin7Mtrb6p6csvRZriWVnLnc80xzYz7/q3tKLMUZiYZazEXFiQCZCG8YlgIAAA== Archived-At: Subject: Re: [Lurk] More on Protocols: KMIP, PKCS#11 X-BeenThere: lurk@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Limited Use of Remote Keys List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Feb 2016 20:15:52 -0000 Hi,=20 In addition, when PSK_RSA is used for example, the premaster contains the P= SK in clear text. So a request for decryption would result in leaking secre= t information. 
BR,=20 Daniel=20 -----Original Message----- From: Salz, Rich [mailto:rsalz@akamai.com]=20 Sent: Wednesday, February 17, 2016 3:07 PM To: Yaron Sheffer; Daniel Migault; Eric Burger; LURK BoF Subject: RE: [Lurk] More on Protocols: KMIP, PKCS#11 > Given that in typical use, the private key is *only* used for server=20 > identity, what's the benefit of the TLS-specific output compared to a=20 > simple "please sign this blob with your RSA key"? To avoid becoming a signing oracle. -- Senior Architect, Akamai Technologies IM: richsalz@jabber.at Twitter: RichSalz From nobody Wed Feb 17 13:10:51 2016 Return-Path: X-Original-To: lurk@ietfa.amsl.com Delivered-To: lurk@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C56FC1B2E5B for ; Wed, 17 Feb 2016 13:10:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.276 X-Spam-Level: X-Spam-Status: No, score=-1.276 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8EWJHX5R5sR5 for ; Wed, 17 Feb 2016 13:10:49 -0800 (PST) Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7839B1B2DF0 for ; Wed, 17 Feb 2016 13:10:49 -0800 (PST) Received: by mail-wm0-x229.google.com with SMTP id g62so46598500wme.0 for ; Wed, 17 Feb 2016 13:10:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-type:content-transfer-encoding; bh=oP6QPq07ojWgae4r3e8y9jzHdumeJg6UOywfnfA4elM=; 
b=jAW19kIsQxU7NGw+S5RiJx3w4z08TGf3ULoyoB6k3kDm1kdo3PGK6GmM1u5BoXnUAG pkTYxwnqmW+QBaX+f/4TY4pSNHGDCoTwtGH/RIMrebdxxzBFCHqfXkqTt7VOuNAB4f0d wKQIZu+6wfNSLg/da4fCo2sh4CoJLM952ZvIoGl7ACGcRmB30/ftbEbkc853DWqxyXWf uunyRUaS3FsL+yWOLcc0Z18CTttt/oef0OFYv0iJPkmuQO6jA4uDuJNCwEvRAnvWC65x TRQer+in3qBTv96Bx2spjp0EnZW+psPG6gMc6GX/MGa+Fv0hJTwkEcQsObq91E9rq578 qU+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-type:content-transfer-encoding; bh=oP6QPq07ojWgae4r3e8y9jzHdumeJg6UOywfnfA4elM=; b=eghocvHjOW+zJ9O8XSfMvdHU5ZPMm7d+ai6V8KWqUN1rSuNeLAI35rYoOo9TDezEOU fxRtEJWB5tWaUhF+Yhm46U82Ik7JqhEtY4iQSw+cK8NzZ9bRZH2IvBBtVpAefa465n8d AJ2rMx4f1jedKsbD+rVno6gB7bEfy5xkFIh8BCdt2Ek91dvc2nEAgrjgCOkMlLhuneo9 GWnQ8GXmIALvMADnTllMty+1IOn3MZD24x7NaKbOTIQaodxv4H3JWQQw7PD277jq83sn BEvW8/AI/Ib+IPwQKFLqDCwNGHeBVyigMeSU/2SC/wIvq76AQQvLZFfAw0wc7WEzevux WidA== X-Gm-Message-State: AG10YORgdB/JkkEVnLzn7UQtUuoqOVoBaeI1QlRuFsam1LWC2+cBdyvMYvtnh93UZYjIrg== X-Received: by 10.194.60.44 with SMTP id e12mr3930295wjr.137.1455743448101; Wed, 17 Feb 2016 13:10:48 -0800 (PST) Received: from [10.0.0.11] (bzq-79-182-36-67.red.bezeqint.net. [79.182.36.67]) by smtp.gmail.com with ESMTPSA id x6sm3302927wje.38.2016.02.17.13.10.46 for (version=TLSv1/SSLv3 cipher=OTHER); Wed, 17 Feb 2016 13:10:46 -0800 (PST) To: LURK BoF From: Yaron Sheffer Message-ID: <56C4E1D5.1030606@gmail.com> Date: Wed, 17 Feb 2016 23:10:45 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 MIME-Version: 1.0 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit Archived-At: Subject: [Lurk] BoF proposal text X-BeenThere: lurk@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Limited Use of Remote Keys List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Feb 2016 21:10:50 -0000 Hi,

In preparation to the BoF proposal deadline, I have edited the proposal to reflect recent discussions here. Here's the diff: https://trac.tools.ietf.org/bof/trac/wiki/WikiStart?action=diff&version=1518&old_version=1517

The first sentence focuses discussion on HTTPS, with DTLS support mentioned as an option further down the text.

Thanks,
    Yaron
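Returning to the "signing oracle" exchange in the KMIP/PKCS#11 thread above (Salz: a TLS-specific operation avoids becoming a signing oracle; Sheffer: the input must be constrained without making the signer compute all the TLS parameters), the following is an added example of what such a constrained interface looks like, written for this page and not taken from the thread or from any LURK draft. Names such as SKERequest and SignServerKeyExchange are hypothetical; it assumes TLS 1.2 ECDHE_RSA with P-256 and SHA-256, and Go's standard crypto/rsa and crypto/ecdh (Go 1.20 or newer). The edge sends typed fields; the key server rebuilds the signed structure itself and refuses anything that is not a well-formed ServerKeyExchange for an allowed curve, whereas SignBlob, kept only for contrast, signs whatever it is handed.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed example (not the draft's API; names are hypothetical): a key
// server that signs only TLS 1.2 ServerKeyExchange content it rebuilt itself.

const (
	curveTypeNamedCurve = 3  // ECCurveType.named_curve (RFC 4492)
	curveSecp256r1      = 23 // NamedCurve.secp256r1
	p256PointLen        = 65 // 0x04 || X || Y
	randomLen           = 32 // client_random / server_random
)

// SKERequest is what the edge server sends: TLS fields, not a digest.
type SKERequest struct {
	ClientRandom []byte
	ServerRandom []byte
	ECDHParams   []byte // ServerECDHParams exactly as it goes on the wire
}

// BuildServerECDHParams encodes an ephemeral P-256 public key as
// ServerECDHParams: curve_type || named_curve || point length || point.
func BuildServerECDHParams(pub *ecdh.PublicKey) []byte {
	point := pub.Bytes()
	out := []byte{curveTypeNamedCurve, 0, 0, byte(len(point))}
	binary.BigEndian.PutUint16(out[1:3], curveSecp256r1)
	return append(out, point...)
}

// checkServerECDHParams accepts exactly one well-formed ServerECDHParams for
// an allowed curve whose point really lies on it, so the edge cannot smuggle
// arbitrary bytes into the signed content.
func checkServerECDHParams(p []byte) error {
	if len(p) != 4+p256PointLen || int(p[3]) != p256PointLen {
		return errors.New("ServerECDHParams has wrong length")
	}
	if p[0] != curveTypeNamedCurve || binary.BigEndian.Uint16(p[1:3]) != curveSecp256r1 {
		return errors.New("curve not permitted")
	}
	if _, err := ecdh.P256().NewPublicKey(p[4:]); err != nil {
		return errors.New("public point is not on P-256")
	}
	return nil
}

// signedContent is the exact TLS 1.2 signature input for ECDHE_RSA:
// client_random || server_random || ServerECDHParams (RFC 5246 7.4.3).
func signedContent(req SKERequest) ([]byte, error) {
	if len(req.ClientRandom) != randomLen || len(req.ServerRandom) != randomLen {
		return nil, errors.New("randoms must be 32 bytes each")
	}
	if err := checkServerECDHParams(req.ECDHParams); err != nil {
		return nil, err
	}
	content := append([]byte{}, req.ClientRandom...)
	content = append(content, req.ServerRandom...)
	return append(content, req.ECDHParams...), nil
}

// SignServerKeyExchange is the only signing operation the key server
// exposes; the edge chooses typed fields, never the signed bytes.
func SignServerKeyExchange(priv *rsa.PrivateKey, req SKERequest) ([]byte, error) {
	content, err := signedContent(req)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(content)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyServerKeyExchange is the TLS client's side of the same check.
func VerifyServerKeyExchange(pub *rsa.PublicKey, req SKERequest, sig []byte) bool {
	content, err := signedContent(req)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(content)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SignBlob is the "please sign this blob" interface from the thread: it
// signs whatever it is handed, which is exactly what makes it an oracle.
func SignBlob(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	digest := sha256.Sum256(blob)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	eph, _ := ecdh.P256().GenerateKey(rand.Reader)
	// Zero randoms keep the demo short; a real server draws them fresh.
	req := SKERequest{ClientRandom: make([]byte, randomLen), ServerRandom: make([]byte, randomLen),
		ECDHParams: BuildServerECDHParams(eph.PublicKey())}
	sig, err := SignServerKeyExchange(priv, req)
	fmt.Println("signed:", err == nil, "verifies:", VerifyServerKeyExchange(&priv.PublicKey, req, sig))
	_, err = SignServerKeyExchange(priv, SKERequest{ClientRandom: req.ClientRandom,
		ServerRandom: req.ServerRandom, ECDHParams: []byte("constructed: not TLS")})
	fmt.Println("non-TLS input refused:", err != nil)
}
```

The point of the shape: the only bytes this key server will ever put under its key are a 64-byte random prefix followed by a ServerECDHParams it has parsed and accepted, so an edge (or whoever has compromised it) cannot obtain a signature over some other structure, while the signer still never has to run the handshake. A further tightening, not shown here, is to have the key server generate server_random itself, which leaves the edge in control of even less of the signed content.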
From nobody Fri Feb 19 06:47:47 2016
From: Daniel Migault
To: LURK BoF
Date: Fri, 19 Feb 2016 14:46:53 +0000
Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5C91@eusaamb107.ericsson.se>
In-Reply-To: <20160219144210.27967.20170.idtracker@ietfa.amsl.com>
Subject: [Lurk] FW: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt

Hi,

Please find an abstract description for an API between Edge and Content Provider. It is far from being finalized, but I believe early comment would be valuable to make the work progress.

I hope it will be helpful, and that a more complete version will be provided before next IETF meeting.

BR,
Daniel

-----Original Message-----
From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
Sent: Friday, February 19, 2016 9:42 AM
To: Daniel Migault
Subject: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt


A new version of I-D, draft-mglt-lurk-tls-abstract-api-00.txt
has been successfully submitted by Daniel Migault and posted to the IETF repository.

Name:		draft-mglt-lurk-tls-abstract-api
Revision:	00
Title:		TLS/DTLS Content Provider Edge Server Abstract API
Document date:	2016-02-19
Group:		Individual Submission
Pages:		14
URL:            https://www.ietf.org/internet-drafts/draft-mglt-lurk-tls-abstract-api-00.txt
Status:         https://datatracker.ietf.org/doc/draft-mglt-lurk-tls-abstract-api/
Htmlized:       https://tools.ietf.org/html/draft-mglt-lurk-tls-abstract-api-00


Abstract:
   This document describes the interactions between the Edge Server and
   the Content Provider in a split authentication scenario.

   This document provides an abstract description of the information
   exchanged between an Edge Server and a Content Provider.


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

From nobody Fri Feb 19 08:19:50 2016
From: Yaron Sheffer
To: Daniel Migault, LURK BoF
Date: Fri, 19 Feb 2016 18:19:43 +0200
Message-ID: <56C7409F.1010402@gmail.com>
In-Reply-To: <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5C91@eusaamb107.ericsson.se>
Subject: Re: [Lurk] FW: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt

Hi Daniel,

Thanks for writing the draft! Here are some initial comments.

* Many of the authentication methods you mention are deprecated, rarely used, or rarely used for the relevant use case. Examples include dh_anon, anything with dss, and anything with psk. I would suggest to concentrate on the very few that are in actual use with CDNs. This would enable us to simplify the (future) protocol and its implementations.

* The only exception to the above is *_ecdsa which is still rare, but expected to grow.

* At a higher level, I'm not clear about the value of an abstract API. Once we settle on use cases, I suppose we will want to create a concrete protocol between the Edge Server and Content Provider. This would solve the problem in an interoperable way. Why would we want an abstract API in addition to the protocol? That is, unless you look at the abstract API as a sort of high-level design for the protocol.

* Sec. 4.3.1 demonstrates issues that are typically not discussed with abstract APIs but are important here. Specifically, resistance to timing attacks.

* Typo: RFC 2546.

Best,
    Yaron

On 02/19/2016 04:46 PM, Daniel Migault wrote:
> Hi,
>
> Please find an abstract description for an API between Edge and Content Provider. It is far from being finalized, but I believe early comment would be valuable to make the work progress.
>
> I hope it will be helpful, and that a more complete version will be provided before next IETF meeting.
>
> BR,
> Daniel
>
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> Sent: Friday, February 19, 2016 9:42 AM
> To: Daniel Migault
> Subject: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt
>
>
> A new version of I-D, draft-mglt-lurk-tls-abstract-api-00.txt
> has been successfully submitted by Daniel Migault and posted to the IETF repository.
>
> Name:		draft-mglt-lurk-tls-abstract-api
> Revision:	00
> Title:		TLS/DTLS Content Provider Edge Server Abstract API
> Document date:	2016-02-19
> Group:		Individual Submission
> Pages:		14
> URL:            https://www.ietf.org/internet-drafts/draft-mglt-lurk-tls-abstract-api-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-mglt-lurk-tls-abstract-api/
> Htmlized:       https://tools.ietf.org/html/draft-mglt-lurk-tls-abstract-api-00
>
>
> Abstract:
>    This document describes the interactions between the Edge Server and
>    the Content Provider in a split authentication scenario.
>
>    This document provides an abstract description of the information
>    exchanged between an Edge Server and a Content Provider.
>
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> Lurk mailing list
> Lurk@ietf.org
> https://www.ietf.org/mailman/listinfo/lurk
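Two remarks in this thread concern the decryption side of the interface rather than signing: Daniel's note in the KMIP/PKCS#11 thread above that a bare decryption request can hand back secret material (for RSA_PSK, RFC 4279, written PSK_RSA in that message), and Yaron's comment just above that resistance to timing attacks is something even an abstract API has to address. The following is an added example, written for this page and not code from the draft or from the thread, using TLS 1.2 RSA key exchange in Go to illustrate both. Function names are hypothetical; it relies on Go's standard crypto/rsa DecryptPKCS1v15SessionKey, which applies the RFC 5246 7.4.7.1 random-fallback treatment for bad padding in constant time, and it assumes an interface design in which the key server returns only the 48-byte other_secret and the edge appends the PSK locally, which is a design choice of this example and not a statement about the draft.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/subtle"
	"fmt"
)

// Constructed example (not the draft's API; names are hypothetical): the key
// server's RSA premaster decryption, written so that neither an error nor a
// timing difference tells the caller whether the PKCS#1 v1.5 padding or the
// embedded client version were valid (RFC 5246 7.4.7.1).

const premasterLen = 48 // client_version (2) || random (46)

// DecryptPremaster returns 48 bytes in every case. With a valid ciphertext it
// is the client's pre_master_secret; otherwise it is random, so a
// Bleichenbacher-style probe learns nothing from the result or its timing.
func DecryptPremaster(priv *rsa.PrivateKey, encrypted []byte, clientVersion [2]byte) ([]byte, error) {
	// Fallback prepared before the ciphertext is touched; it already carries
	// the expected version so a forgery cannot be told apart afterwards.
	pms := make([]byte, premasterLen)
	if _, err := rand.Read(pms); err != nil {
		return nil, err
	}
	copy(pms, clientVersion[:])

	// Valid padding: pms is overwritten with the plaintext in constant time.
	// Invalid padding: pms is left as the fallback, still with no error. An
	// error here only reports public facts such as a wrong-size ciphertext.
	if err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, priv, encrypted, pms); err != nil {
		return nil, err
	}

	// A version mismatch is handled without branching: fresh random bytes
	// (keeping the expected version) are swapped in when the prefix differs.
	replacement := make([]byte, premasterLen)
	if _, err := rand.Read(replacement); err != nil {
		return nil, err
	}
	copy(replacement, clientVersion[:])
	mismatch := 1 - subtle.ConstantTimeCompare(pms[:2], clientVersion[:])
	subtle.ConstantTimeCopy(mismatch, pms, replacement)
	return pms, nil
}

// BuildRSAPSKPremaster is the edge server's side for RSA_PSK (RFC 4279 4):
// uint16 length (48) || other_secret || uint16 psk length || psk. The key
// server only ever sees the RSA ciphertext and returns other_secret; the PSK
// is appended here and never crosses the interface.
func BuildRSAPSKPremaster(otherSecret, psk []byte) []byte {
	out := make([]byte, 0, 2+len(otherSecret)+2+len(psk))
	out = append(out, byte(len(otherSecret)>>8), byte(len(otherSecret)))
	out = append(out, otherSecret...)
	out = append(out, byte(len(psk)>>8), byte(len(psk)))
	return append(out, psk...)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	version := [2]byte{3, 3} // TLS 1.2 as offered in the ClientHello

	// Constructed client side: a fresh pre_master_secret encrypted to the server key.
	pms := make([]byte, premasterLen)
	rand.Read(pms)
	copy(pms, version[:])
	ct, _ := rsa.EncryptPKCS1v15(rand.Reader, &priv.PublicKey, pms)

	got, err := DecryptPremaster(priv, ct, version)
	fmt.Println("valid ciphertext recovered:", err == nil && bytes.Equal(got, pms))

	ct[len(ct)-1] ^= 1 // a probe with damaged padding
	got, err = DecryptPremaster(priv, ct, version)
	fmt.Println("damaged ciphertext: err =", err, "bytes returned:", len(got))

	fmt.Println("RSA_PSK premaster length:", len(BuildRSAPSKPremaster(got, []byte("constructed-psk"))))
}
```

Whatever the edge (or a client probing through it) sends, the key server answers with 48 bytes after the same amount of work, so the interface cannot be turned into a padding or version oracle against the content provider's key; and because it returns only other_secret, a PSK-based suite never requires the PSK to be shipped to, or returned by, the key server.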

--------------050602020705090503050502-- From nobody Fri Feb 19 11:34:32 2016 Return-Path: X-Original-To: lurk@ietfa.amsl.com Delivered-To: lurk@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB1971B320B for ; Fri, 19 Feb 2016 11:34:30 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.199 X-Spam-Level: X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2PfAeE2ZYSDH for ; Fri, 19 Feb 2016 11:34:28 -0800 (PST) Received: from usplmg20.ericsson.net (usplmg20.ericsson.net [198.24.6.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2606A1B31BA for ; Fri, 19 Feb 2016 11:34:27 -0800 (PST) X-AuditID: c618062d-f79dd6d000003091-e7-56c76a52a37f Received: from EUSAAHC001.ericsson.se (Unknown_Domain [147.117.188.75]) by usplmg20.ericsson.net (Symantec Mail Security) with SMTP id 81.EE.12433.25A67C65; Fri, 19 Feb 2016 20:17:38 +0100 (CET) Received: from EUSAAMB107.ericsson.se ([147.117.188.124]) by EUSAAHC001.ericsson.se ([147.117.188.75]) with mapi id 14.03.0248.002; Fri, 19 Feb 2016 14:34:26 -0500 From: Daniel Migault To: Yaron Sheffer , LURK BoF Thread-Topic: [Lurk] FW: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt Thread-Index: AQHRayO6cbRv4p7pPE65IHEVwtK17J8zce8AgABuSYD//9p54A== Date: Fri, 19 Feb 2016 19:34:24 +0000 Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5D87@eusaamb107.ericsson.se> References: <20160219144210.27967.20170.idtracker@ietfa.amsl.com> <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5C91@eusaamb107.ericsson.se> <56C7409F.1010402@gmail.com> In-Reply-To: <56C7409F.1010402@gmail.com> Accept-Language: en-US Content-Language: en-US 
X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [147.117.188.9] Content-Type: multipart/alternative; boundary="_000_2DD56D786E600F45AC6BDE7DA4E8A8C1121E5D87eusaamb107erics_" MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpjkeLIzCtJLcpLzFFi42KZXLrHWzco63iYwbellhZv1/hZrLo/g92B yWPnrLvsHkuW/GQKYIrisklJzcksSy3St0vgyng+x7/gxRnGiglTVrA3MG45ztjFyMEhIWAi seoLdxcjJ5ApJnHh3nq2LkYuDiGBI4wS+/7uYoRwljNKbPgzkRGkik3ASKLtUD87iC0i4Cxx 4P0WJhBbWCBOYs3UJ0wQ8XiJbQvbWSFsJ4nvP26B2SwCqhI7190EW8wr4Cvx9DcLxPwljBL9 3z+ygdRwCmhK9HZOA9vFCHTR91NrwGYyC4hL3HoynwniUgGJJXvOM0PYohIvH/9jhbAVJfb1 T2eHqM+XuHHrOlgNr4CgxMmZT1gmMIrMQjJqFpKyWUjKZgGdxwx0xvpd+hAlihJTuh+yQ9ga Eq1z5rIjiy9gZF/FyFFaXJCTm25ksIkRGDvHJNh0dzDen+55iFGAg1GJh9cg7XiYEGtiWXFl 7iFGCQ5mJRHeh4FAId6UxMqq1KL8+KLSnNTiQ4zSHCxK4rxLHdaHCQmkJ5akZqemFqQWwWSZ ODilGhg7jc/qcMza2B4181YnX/Jl5YfZ4sUl7Uxv1l798cbE2OfvvQ3xLp27PbS4b+x4OMV9 nniYbcvaK5pMic+eXeQK9gl/+Nj9G9PC5yWyDs/vz53EfcA1b9WyP3eWf1cVYItfkVkfO3XX nJBXv9Z2dqx5r/NBkqPW8Voz++3DuTsq51337zC6zZSsxFKckWioxVxUnAgAurAZaZkCAAA= Archived-At: Subject: Re: [Lurk] FW: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt X-BeenThere: lurk@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Limited Use of Remote Keys List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Feb 2016 19:34:31 -0000 --_000_2DD56D786E600F45AC6BDE7DA4E8A8C1121E5D87eusaamb107erics_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SGkgWWFyb24sDQoNClRoYW5rcyBmb3IgdGhlIGZlZWQgYmFja3MuIFBsZWFzZSBzZWUgaW5saW5l IG15IHJlc3BvbnNlcy4NCg0KQlIsDQpEYW5pZWwNCg0KRnJvbTogWWFyb24gU2hlZmZlciBbbWFp bHRvOnlhcm9uZi5pZXRmQGdtYWlsLmNvbV0NClNlbnQ6IEZyaWRheSwgRmVicnVhcnkgMTksIDIw MTYgMTE6MjAgQU0NClRvOiBEYW5pZWwgTWlnYXVsdDsgTFVSSyBCb0YNClN1YmplY3Q6IFJlOiBb THVya10gRlc6IE5ldyBWZXJzaW9uIE5vdGlmaWNhdGlvbiBmb3IgZHJhZnQtbWdsdC1sdXJrLXRs cy1hYnN0cmFjdC1hcGktMDAudHh0DQoNCkhpIERhbmllbCwNCg0KVGhhbmtzIGZvciB3cml0aW5n 
Thanks for writing the draft! Here are some initial comments.

  *   Many of the authentication methods you mention are deprecated, rarely used, or rarely used for the relevant use case. Examples include dh_anon, anything with dss, and anything with psk. I would suggest concentrating on the very few that are in actual use with CDNs. This would enable us to simplify the (future) protocol and its implementations.

MGLT: Agree. I think we should limit ourselves to a limited number of authentication methods. I would like to propose that we restrict ourselves to DHE / ECDHE authentication.
MGLT: Similarly, I also think we could restrict the scope to TLS/DTLS 1.2 and 1.3.

  *   The only exception to the above is *_ecdsa which is still rare, but expected to grow.

MGLT: hopefully ;-)

  *   At a higher level, I'm not clear about the value of an abstract API. Once we settle on use cases, I suppose we will want to create a concrete protocol between the Edge Server and Content Provider. This would solve the problem in an interoperable way. Why would we want an abstract API in addition to the protocol? That is, unless you look at the abstract API as a sort of high-level design for the protocol.

MGLT: I see the abstract API as a high-level view of the protocol. The reason for writing an abstract API was to describe the interactions needed between the Edge Server and the Content Provider, with the expected inputs / outputs, no matter whether JSON or CBOR or whatever format is used for these parameters or which transport protocol is used.

  *   Sec. 4.3.1 demonstrates issues that are typically not discussed with abstract APIs but are important here. Specifically, resistance to timing attacks.

MGLT: OK then, maybe it is not an abstract API.

  *   Typo: RFC 2546.

Best,

    Yaron

On 02/19/2016 04:46 PM, Daniel Migault wrote:

Hi,

Please find an abstract description for an API between Edge and Content Provider. It is far from being finalized, but I believe early comments would be valuable to make the work progress.

I hope it will be helpful, and that a more complete version will be provided before the next IETF meeting.

BR,
Daniel

-----Original Message-----
From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
Sent: Friday, February 19, 2016 9:42 AM
To: Daniel Migault
Subject: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt

A new version of I-D, draft-mglt-lurk-tls-abstract-api-00.txt
has been successfully submitted by Daniel Migault and posted to the IETF repository.

Name:           draft-mglt-lurk-tls-abstract-api
Revision:       00
Title:          TLS/DTLS Content Provider Edge Server Abstract API
Document date:  2016-02-19
Group:          Individual Submission
Pages:          14
URL:            https://www.ietf.org/internet-drafts/draft-mglt-lurk-tls-abstract-api-00.txt
Status:         https://datatracker.ietf.org/doc/draft-mglt-lurk-tls-abstract-api/
Htmlized:       https://tools.ietf.org/html/draft-mglt-lurk-tls-abstract-api-00

Abstract:
   This document describes the interactions between the Edge Server and
   the Content Provider in a split authentication scenario.

   This document provides an abstract description of the information
   exchanged between an Edge Server and a Content Provider.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
Lurk mailing list
Lurk@ietf.org
https://www.ietf.org/mailman/listinfo/lurk
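The split authentication the abstract API is meant to describe (the Edge Server runs the handshake, the Content Provider's key server performs the one private-key operation) and the thread's proposal to restrict LURK to DHE / ECDHE methods, as an added example that is not part of the draft or of anyone's message on this list. It is written in Go against the standard library and assumes: a request structure, function names and the single in-scope method label "ecdhe_ecdsa" that are my own; the TLS 1.2 ServerKeyExchange signing input from RFC 5246 section 7.4.3 with the ServerECDHParams encoding of RFC 4492 section 5.4; an ECDSA P-256 certificate key standing in for the Content Provider's real key; and constructed random values. The draft's actual message formats are not shown on this page, so none of this is the draft's wire format.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignRequest is a hypothetical Edge Server -> key server message (my own
// naming, not the draft's). Only handshake values travel; the private key
// stays with the Content Provider.
type SignRequest struct {
	Method       string   // "ecdhe_ecdsa" is the only method in scope here
	ClientRandom [32]byte // ClientHello.random
	ServerRandom [32]byte // ServerHello.random
	ECDHParams   []byte   // ServerECDHParams exactly as it goes on the wire
}

// ServerECDHParams encodes curve_type=named_curve (3), secp256r1 (23) and the
// ephemeral public point as an opaque<1..2^8-1> (RFC 4492 section 5.4).
func ServerECDHParams(point []byte) []byte {
	out := []byte{3, 0, 23, byte(len(point))}
	return append(out, point...)
}

// SignedInput is what TLS 1.2 signs in ServerKeyExchange (RFC 5246 section
// 7.4.3): client_random || server_random || ServerECDHParams.
func SignedInput(req SignRequest) []byte {
	buf := make([]byte, 0, 64+len(req.ECDHParams))
	buf = append(buf, req.ClientRandom[:]...)
	buf = append(buf, req.ServerRandom[:]...)
	return append(buf, req.ECDHParams...)
}

// KeyServer is the Content Provider side: it holds the key and exposes one
// narrow operation, SHA-256/ECDSA over ECDHE parameters.
type KeyServer struct{ priv *ecdsa.PrivateKey }

func NewKeyServer() (*KeyServer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyServer{priv: priv}, nil
}

// Public is the key a client would find in the server certificate.
func (ks *KeyServer) Public() *ecdsa.PublicKey { return &ks.priv.PublicKey }

// Sign refuses anything outside the agreed method set and anything that is
// not a well-formed ServerECDHParams, so the remote key cannot be used as a
// general-purpose signing oracle.
func (ks *KeyServer) Sign(req SignRequest) ([]byte, error) {
	if req.Method != "ecdhe_ecdsa" {
		return nil, errors.New("lurk: authentication method out of scope: " + req.Method)
	}
	p := req.ECDHParams
	if len(p) < 4 || p[0] != 3 || int(p[3]) != len(p)-4 {
		return nil, errors.New("lurk: malformed ServerECDHParams")
	}
	digest := sha256.Sum256(SignedInput(req))
	return ecdsa.SignASN1(rand.Reader, ks.priv, digest[:])
}

// EdgeServerKeyExchange is the Edge Server side: it generates the ephemeral
// ECDH key itself and only asks the key server for the signature.
func EdgeServerKeyExchange(ks *KeyServer, clientRandom, serverRandom [32]byte) (SignRequest, []byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return SignRequest{}, nil, err
	}
	req := SignRequest{
		Method:       "ecdhe_ecdsa",
		ClientRandom: clientRandom,
		ServerRandom: serverRandom,
		ECDHParams:   ServerECDHParams(eph.PublicKey().Bytes()),
	}
	sig, err := ks.Sign(req)
	return req, sig, err
}

// ClientVerify is the check a TLS client performs with the certificate key.
func ClientVerify(pub *ecdsa.PublicKey, req SignRequest, sig []byte) bool {
	digest := sha256.Sum256(SignedInput(req))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	ks, err := NewKeyServer()
	if err != nil {
		panic(err)
	}
	var cr, sr [32]byte // constructed sample randoms
	rand.Read(cr[:])
	rand.Read(sr[:])
	req, sig, err := EdgeServerKeyExchange(ks, cr, sr)
	if err != nil {
		panic(err)
	}
	fmt.Println("client verifies ServerKeyExchange:", ClientVerify(ks.Public(), req, sig))
	req.ServerRandom[0] ^= 1
	fmt.Println("verifies after tampering server_random:", ClientVerify(ks.Public(), req, sig))
	_, err = ks.Sign(SignRequest{Method: "rsa"})
	fmt.Println("rsa key-exchange request:", err)
}
```

The point of keeping the in-scope set to (EC)DHE is visible in Sign: the key server only ever produces a signature over a structure it can parse and that is bound to both randoms, and the ephemeral secret never leaves the Edge Server. With the rsa key-exchange method the remote key would instead have to decrypt the client's premaster secret, a broader interface and the kind where timing behaviour matters, which is one reason to keep the method list short.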
From nobody Fri Feb 19 11:45:34 2016
From: Daniel Migault
To: LURK BoF
Date: Fri, 19 Feb 2016 19:45:27 +0000
Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5DB3@eusaamb107.ericsson.se>
Subject: [Lurk] Which authentication methods to consider ?
List-Id: Limited Use of Remote Keys

Hi,

Authentication methods that have been designed for TLS are: rsa, dh_dss, dh_rsa, dh_dss, dh_rsa, ecdh_rsa, dh_anon, ecdh_anon, dhe_dss, dhe_rsa, ecdhe_ecdsa, ecdhe_rsa, psk, dhe_psk, rsa_psk

One possibility is that we reduce the number of authentication methods to dhe/ecdhe.

Does anyone think we should extend / reduce the authentication methods in scope of LURK?

BR,
Daniel

DANIEL MIGAULT
Researcher
Research
Ericsson
8500 Boulevard Decarie
H4P 2N2 Montreal, Canada
Phone +1 514 345 7900 46628
Mobile +1 514 452 2160
daniel.migault@ericsson.com
www.ericsson.com

Legal entity: Ericsson Canada Inc., registered office in Montreal. This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer

xJ5GfRSkoHof3CQ3rs8/29Osobjftwd1Rzm8dxUAwAj/FnwdQDj/RgB90AEDsAYbIHQJQHh94HwE 0AHDNwZytnhkkAMZUAZGsAbYJyOQ93jd13RPJ3XQVQPk14KaNW3W1j4aB1rb5n7vt2mmtwVoR3/0 l1Y14SCtB4RAaG5vpyEccif11QnLogPMsntQdxUQgAV6J3x9N3hAlwCiAHzM13wEEHTDNwBaNCPU Fwsc4A58AAFoOILZhzdsWC0agIJXoYIl5IJ0GFHmZxLoF0hXdmlNMAl9SHZlF3+ixoM9oHpmEoQO kohDiGrm1n9S//EKLBUyATgEhEaAkGeAWkh0MTYAG2AIWTgGPbYBE8iAXYiBiccCRHYEucBKbqAN jICGaTiCJbh9kfeGcFhsCIVQdbiLD3U1WheDtIIwXndlHjcJxlh6IXZ6JceDUkAO5BAFZqKI0rgH i9g2uWCEUQGJc9UDdtCNNcB7daIBkNc7UUh8ojAGa4Bn6vg7LRKBhXeBnygCMTYLOvAJQmAJQrAF 1AAB2AKL5ySLJWiC4uiGKdhgTUUIvJiQeTRlJZGHpkOMOuSHN1hNObiD9OeMbtADjaQT0iiNr6cb 1wgxjxiJZACANDcE4SiOj4d9EMAIYwB859giPVYPbwCKB7ZvzP93eBswBs3BSdwQJCgxDVuQBozQ j/6IfQYUkNu3lHBobISmkFAJQ1lXCQ6ZcewXkTcYYkLpaVGgCPPHg+TgBlLwChyZiA0yja7XetQI c1MhFT5gBp1gBiZ5kilZguTYksHwksxzKA0wAGOQAJhQQQ1QQQwQgV4ocM4xCzRACzmwDxo3CVGg AYzACEZgBC5wlEh5NwH5eG/4dE6XBFEZmuZzhw2pYet3lcaYlRXZlTxIDc5IDj3QCmYJMWXSkfl3 jSzWlk4EgNzYhAMoIit5l0bwAEsAMzTjAiFwDcp5Dd+AD9+QDdcgD8AwBgh4jqh4T3vQCLKDBk3A C1uQCZM5AJX/eZmwqIabaYLCMXnh2C8ZYADTcD7uqRkvkAGtEp8J0Z7vmR8vkJ8PYZ+RlgEZUFHV BowIo3EQ2QQGoA2qmYw66JVgGZbkIAVp5SANAhUVWpvTaKGvAIlv2QlHYABG4I0oqQHAGZx3yQgz sASwQDw0YyjJ8KIwihzTWXSiMHyJeQR7sA2iYQna4A4Z4AOTOZmVaZmYiZSbuX2Tl3AVcQBQgBDT MAHhEKVSGg4R8AJTeqVU+g/TQAJ1IKUTQAIHEQFYOqUvcAATgBBcUAAC8aRX+qUE8QJ1sAD8ORAZ MAH0iRAGsABe+gAEYQBdOqVQcAAEQQJjGg4vUBBcEKV8KhBi/1qohloQdXqnfnqlEbCoA9GoV1oH BgEF4VAHh1oQW/qn4eCmBxGpAvEA4cAFB8Gk/0Cojgqm/5ABmEqqCpGne0oQXKCqCLEFXPCndcAF W/ARWeOqgLoKXyd6iRoOq4CM0zAKo1ByitCarhmWY+kOohqlofAAtEkEhWoA0RKXPUAKUUoC35hw AFAABWBAI2gEfGAO7XAKyVqooLAB/dAHMGMIyDCmEVASncClXkoKWFCUQ+oCRlCe/1hAmhmQ4tiZ V1ERhIqn4VAAJDCxFOueFEsCenqxBvAPC1AHJGAABnAABRAOsNqnFxsOC3CxWxoOCLEACyAQBhCx FzuyLysQhP/6qwYRsxt7EKi6AAcQsiOrpjZLshebsQOxAF96sRM7pxlAshGgqTB7silLsXP6Dzo7 tErLqXI6ECirtCRgqacaDmYaAQbRsR8LtCR7EFfLsV0qqAXxsBlwsROQtBNLn3A6AQ8AskGrED37 syIbsUdbswYxDVDgsSDLpaEQrNWGtBRLBCQwsiRAjNoQDkQAD3VAkVopDuKwBQ5Kf9PqBhHaCtxK 
BKRLuutAuRYqDhNQuqzrDR3aCUYQDpdguSMKnMuwDCvJrg+gCUpgAuHQArpAAkRgDaSADMhwC6CQ vAQgCuEACpiwAecQDvBACtZgDaRLAnzwEeNQB0RwAGXwAOb/EA7LQALBILADW7CxiLDnKRzsqwEO y7JqGw47qxAPSxAHIL+QyhBpO6jwW7Y1u7YDEbOLSqiEOr8wi785u78DgapuW7/8e6cuyxBcOg1N C7ZcW7Lxu7MOHMB1QLYCocAJEcGoeqcCcb8GHKsQu7Mu+7RVu8ECEcEEMQ0dXBBWisF9CsL/wMAv LLgFgbRbACtbMAELUG0BMA4L4FlCQKjUsH46RAR10IrKqpVCKQ6DMH/RepEYmZGiGw4WaqHcqg1Q obkVmo2vsJs9cAl1wAAoQLIqKRy3awTuEA+j4AEVQAWu4LstEAMpIASNwA23SzM1+W/Q4LxYEL2Q cA/yEFMj/0ES9+sOEhALI6AOf0AHHsAKVEC+AkuwEIC+B3s3nqywnAkA75vCEty/QzsROOzCgXvA J/wPUODBD4u0cwrABAEFPDwQBaCrqjwN+wvDCjEBQuvLBIHDBbG2qpzDj/oPxAyp4cCnMozBx0zK HCunM8y//vu2dVC1rZrNB2HLB5HLO5zBnfcRMesOJLEA45CHK+EO4eAOYAfMxrgO0RCIQjkI0bCM rZnF5LDFXfwKIYK6KyDGULGhr4BecsmNwmAOvNcMy+AN4uiKoRAKveABCOAKvZAHvdC7vzsFf5AK 0hAA69AMIuBvNNq8AgcJ0AAJzvAJ26CjiwAEMqAJ4bAIsf9QCRJQCdUwBVSQBQggBlSgBOcQDAVL sOSZvp+8vqJMEdFMywjhwiMsEalsygQBw0w9zaecATgbwAgcw828EMfcy7dsEPf7qU9dEMus1Ros 1QPhsR9swwbRq7h8pgscDiS8EGsbwffrtqfcw7cMBULLzHo9ELxswdf81nI9MBPABX7ksu1zv36g bfeLAmO3CuGgDQwaDeJwxQ/qBpydCfy8Av4c2pQ7FesgDizGoR3KjajKBw5NqJFgALvrCsJgC0rg AVTQCzPQ03nwCxvNARKgCqpgxBjgAjTaAc1LKJAQDpEADtuQA5MgA44QBztA2RzwD5AsASPwBQKg BR5ACR7/cAZn8Aia8AB8gL5FrYYJu5mjfBBW+qn0K9UyjLfarBBR3bL/u9VrmtX1W8BoncCt/LZq HbNuGwEenBARINcCkdXD7NY3nNYt68FsrRB18NdWqtfx/QDzXcwIDMMsPBCqLMzKzOAh7t8LAeLh PM4fgc7nnM5dggKhMA5g1QTwMAGpmQJ1MApauQXiEA2s6bmuydmgy8+uQ9Ds/AD+DA/wQMboBa7d CA/CoAF1ggLQIAkZjQBKMAzDoAT+oARi4A8C4Ap3HA6nAAOeEAAj8AKSMAiNmXw12rwwEgnyuw1C AASHsAM7AAaLoAh1gLeKAAZgIAFxIAZs8AtisAQIkAhU/yAAeVAB/oC9/mjUR12C683eEeCylr4A FqzKGaCndRC3gZ0Q9X0QVI3f0/C0d+rAldrfGm7AD0Cxpy7VLwAFTerhl77C+dm0GFwAs77gtYrA 0QzD01AAtb4AuorM7v0PiU0Qm96pnp4Qd12zhOveH37LZ03MtNzqdXvifC0QA+OyIzEO+koNYDW5 RNCHY2cOUMCgVKzZUvC5nL3P3LpIBG0AET0VG0oE4lDag6C58JAG3LjG1jAEaXAAvRAKwtAFMzAD o2AMwlDRrnAKAiAAXO67S2APHxELL9APUCADI7AP8rAGIhAOpAAMAOAMjBAB7CAJKq/y8TAClcAB nN4N4//9BUugBb1wA1MgAInwCAJABWfACibgDw8QCY+O3kkJeZMOqns+7Jmu1gKRAXzK6Z9uEKFe 
2DG7p1yq1xvMBbBa1QBspV46tFIKBS8QAWTv4Shb6xGQn4T6syD79lQv4qy814XdscNe7Ej79iB7 AHX99FHfqVNvtRvOwz5L96vM6wdh7VsN9lEq1yZu1SgeAC5LlYw7sY47sqvAYUQADQ/gDu5wAJ5/ ADm+71sgrVkMuj7ArWNvAPAABQZA0NyquYMw++LQ791oDcr6AF1gDh6gBK4wCv7gAUvA8GIg/IU+ 0f4QDeGwBDIgrEJwDKEABidwAj/QBo1AudyAAVKw55L/cAzRIAnRwA6rUAxaVwwcsApgoPx1oAmH MAUnYAUIwAZB7/Ns8AiAgADzIABnWKTqCxAAAPwjWNDgQYQkwiEkaCCcAYYHFUY0mCHCQ4r/wpGQ uJDhggUNwxUgQeLig2kGJxZUCNEhxIMvGa5UWJIElDowC4LMOCHcT6A/uRzcmFHmv5UIF0QgWDRi hqBRD1C0iDGmVZ4FI9RJmXRnSINOEYoteLQjwawHswb4F8BtAJCNGoEsVreYECEK/aCp5jPqz1HT tmwRN0iRFMTUqJEj58YxuVZEwhGhHKrOgVeZM4sTl9mHDzOdOvWwM8Tv32MzRgEaJsyfEkAzTnUR MwNe/7hNIwLEWgQ32qJFYQIFOrExQCM+4eic8ARkh4RFlWJNjyVEgjogMW63wGGPzrwrv1qc8lfI g75erFhV0AXBvXsG8eUDYDAwY0avBs1SzE9xQoGMyPrngXBSQgiKof4xq4BwXlDJo50mmGY/gqYJ 54GZPEpqGigkNCgthA640AASS1Qog7A4ouio/giqQ0UBDeIipxJLjGCC+/5D6CgQp6mDqf5A/AcK ABGCaqqDLMQwIY+EJIgLHNtq660JuAigkgXGqcQuvISYrBoRV3FnTHcOcEeyFwQbRJzDElPMMTcy gEyyIDLzJpQJvPHslcI86yQ00uwgkAsllNBECQ9cWf8gHCV6aUEYWxDoBZAuWnBFDCYeCaebWHjh QJtJxonGk1iYwWOXHcJ5J4dt3AmnhRN+AIGCHYBQhwMJRhhhEQnAAEKVNoSp4BQeenmEDQ/kmEIQ epaQA4EzWMmDkkjee08+bO/DD8KrdOKP24ycTPEgqJas6EKRvMUJRYLyy6AOLigkCAqwDioALK/e heLDehEqIMok4R13RataJNBBjVRkSMcdw0EyIid57PcfEQ8IcuIZDVSJK4boZehetCYmSEQD2Hor gJfkAmlLLr0koZoChGmiiUlqTiEFN+oIbItoxEHMzcbidGPOcDR75YU6QnnFh6X7/Ey0QIcwB5kq Wlj/ooxTxFiiC2iOEaAXSJU4ZewZxNBa00oWaQMFFLYYZxxPFhmBHxnUCccVB7YRsYUdQACCAmY4 OOCAD34AYhEFwPhBlT+OSW2TU2bwBQcwOKBHnxn0iSBaBOTwpz1rIcA2Pm2/jUheJmNSuKAXYhzY oALqQLjCA8zdz0coDOyvJqsOEnF1BdFFClyHivxH3H8sBL6g2F9niEVwFRS4qeVHbjCiCZgyYPnW l5cYoa24iF7Id5kyqPUEQxTQoSWR73ALgtzaYoJQKrly5ZYVcoeajWameZKbTcMcXOEZm4AGpwzI KTJF25OIzPEZH6wJgmboQaC0EY5RnGI8PDjFEpbQ/4tj1IEHo7CFLVYDCCZ0wYP20EQ4KpErIIxA FdFgxx9GAAZ+/GAE4ejCD/5wCuXsAAy7UMMJuqGLA9CBCG2QgCdGYENXeSAeKqgCDpjhgEl0gx5s qIAYTJAIOcBABWLwxwOMEDrRyad0EamJTWwyoZG4sSTeGp7vwlElE9UhdwFaHodeRKIHTKAO+ukd QZBWpBYtqpAGIdACpvIC8RmvPwRq3wTkWJJpKERjB2ndw1xXloIVyI1QCMcCNFbKS2IoAvtiY4FE 
hEcSkUCPm0xXyBDio58oRWQH0COGMsAgkTGylI+MZIQuyZEMCJIEg5HlBDLQiOOA5AVEKAkRGDQO NP8ohBwzqxkAUwBHlAxiApfQxCXMyYVLOCYDQ1ugZj7zinOE4xyfEcc4iWBOfKbBGsoZzxLo4KgW UGIGPOyCMerwiDyYIwJKGIUmYqEQxIHhA5NQRDTg1gYHUAAIEgjHJUZgDyCaQxOa6AJJNXGAbtDh jqMw0wGIUAdZyAEHIODACZhBDQlYIRHzoII/EKCGLeSUEgIQwxTOeK00MmCNz6vDXy40jdMEZWIH YGVF/gWUOhSAlgd6mEEy2dSfFIBdBEnmWAvygEFSrKoVmcAeI0LVh9xxdVT9mPkU4lQDRMB4H1EY FLpqJGcSJJB3/UkEzEWQi/yFK3U4bMAc9MvTZHX/q/8o65PSZxBe7tWyDHnBRahqSW3B1SGgZYlT w4GiacSOCzMqQBTe0ogCFCCxP7EkNaqhV/91E4DTmMY4iLCFS5gWBXFS4AOUxjQI+sAc8PhMcJ16 AHjAgwd0aEE8PgiCD8QhEMdQghgqYNqUhoIXihgBFjkwilFMogl/k8EHoPAALX5BGE6NhgL4gQJz RNYcMGDGCzxBjR+AAQwyoMIVHiEGQHxBFYYDhC+IagpGoBE+S6VwhY1iVgtXZHYZ5nCHPfxhEHfY ABgOcYlNHL8pvaUSK15xI1omhGrEuBrctFkAeTuYNilmMQhMIDl8EIQ6LS25yTXD00ZDmkwM4QV0 /+ABDhw1th2MwHAgkMENBHGKKfSCB8yYRDG2IENVqOJv3VAAB+IABE94ihkgcMAiPnCIOJxADTJo gwLmFrdJeIIfnmhCG/7gjhhIQBFAAIMfJjGNEYAABFaYgRaoAIgTbEERFLACD4ogCAFQogpGOCp8 RHdiUIda1KMmdalNfWpUo/hkJ5MLy+rSJRnP+H/e5K1gcOwmavC4x1vITCuG7INOgCbYwx5NJuyQ iTRsogVl4CAOWtACK4DBAWDwhCdO4AgrqKAXmT5cRoHgAAeoAA8x8ERNd5CKWKgDDDtwQBvkcAhP oAoE1wEDBRzQxB9QgAMAVIAEtjDejIJgEjbsBv8IYiCGRHhAEApIgQRA0AJfOAIIQJApJyDQ6Qmn WuMb53jHPf5xjZts1farRCNcfZdFwDjGufVmG3irilvjOmjqHNqPWyFkCA4b2KKBWtRisGxKtIAO m9iEICg3bQf8QQaH+EIcWqAFf8DqBsKRARBggAdYKMANJzhBDNpA3jZI4wv02MEHdsCMD7gZDOXl xQf+dm9V9FsRi9iCGyjghiaogwI3gIHnEjGDE9CsDV+4wS5+gARVOIIS7jgjxpUKcshHXvKTp3zH Rc7qkhfD1bCWMctpXWtbS1oKbZKCYhgjhZvj/Gk75znPkWyHF5ShCpvggSniUQaI46BvilMAEPD/ 0A0g3CAQS7hBGZZQBCv4DQZxqMIPOLCLMKgADCAAgwL+oIJDDPjMH5AAoX+QdhuOIBWLQPQI3MCL LXhC0E1wAzOsMAVGa4EHbZjEIn6Agx9MQwFNoEYYboADTuM0a6k8AixAAzxABGSIyzuZkmtAu7gL vFgEvoi13PqfFPCmm8nADJwGIAMy1QM21mu90bADO/AGKygDOjAFHMCaG2gBejAFEKiVH1AEs+OA NgABPJgCICgDAdCHePgCwguDKXA+FWA+dYCFAIOFONgBdYCBIpo3DtCojeIAAfuDRVAEAeM+RQgw RaiGP2CGKfgCHBADX5iCSYCxKeABIJiE/bMc/zkwBQO4uNBJQDqsQzu8Q1MzmRRziwY0uVbbEhd7 QCGAwC4RAjQwRENEA0VcRDRABUfMhSDwtZwTwdZDskx4AdqjBDoQwxYIhE6UA+qLIVXYwg/whG44 
hCnYAV3QB304hS8oAxw4hCpQhw+QAWbIOlg4ATAIhEPoN1hgBhloNw5gBiD4Awn4gCrkhVT4gTJr AkXwBAVQgDbgADUogylogUSgByDghUbYAkfoxTYAlhMQhCKYAhQIwE7DQ3VcR3ZsR4pgCymJH8xb tdc6juOQC3zMRxcLxLrIgWLIAYBEhVxoBUk0MkrsgWKzgzTAAWfbhP+bgjJQgTIIBHpoNyBghv8/ +IOJ8xU8sIcfmIIiMIUyOAE6oASZcr5uYAYYcIAv2IVdcAR7eIE00DsbVAAZsDdpUMYRsD5ltDMp EIItUIAf2AJVoEYc2AUruAFm8IRKEIIYcAQKWAEJyLMfuAF6AEJ0lEN33Equ7Ep1FLk9pEd6hCay 1Ee58Md/FIKAXIFXKMgQrMQKMrYp2ARYXEFKkMj3k4MwUD8QYAZmrBUH4ACm+4EYOIRAgIH7c4RA sAJPgAVbhIURkIFdkIETeIBzIIIpUAMY8BUn3AV1GIEPoIAfuDezkyheiII6O7RuwIPkswI5oIBJ CIBpqLpFoJkR6AYwwIEiAIJuOMesDLUXAAn/4WwswcIQLtiwVJuQg+ACU2KeYBqQxjrO47mPCNCY BVCY7ckI6ZQR5IQryZI84QSJy2Kd8dSPCLhOA3kAkCBORlrPCgnPOtRDtwjLejTLs2wEgPxHgMwB NMgBgWzL5DrIChrQhVxBZ2sBZYkH11RKMJAAm0KzGPwDB+ibxowDFfgCB7ACw4wBBYgBm/IDP4MF GNgBIngHItiEMNgEB5ABOdBMHRpGmjrGenOAWFAEBfAEAOKAHbgBIJgCXWyCRkiBNqAGXkCDLaAA VJEDR/AEKkLHMwo1A4CCGiExpOCIBaAjVCsJtbiMCmkqNgKeNNGI+ygAJHkBnCgILmDPnaCj/yvF LClNHpCJvIcoEeRsiOd8lwfIK6Z4AL+iquoZkD6FAo6I0hI5QHiUT7FktXvMxxw4y7TkT0tAA1pA BSdAAgAFQQGNy0yIAYacLlPYBBwwBe6QARXYAQXghb/5gTZwDppyBBgAARigh0D4gh2wgjAIox+o AkdwhCooNxkIBDyABBOtAjWoAgX4gF0ARk8oSo36AF5wg+pLBSGIghtqgy1YzVT8AhAYgWJAgz5T hCaoBGpQAzmQgxMAgWlQgRtgBCflMJKYLAMQmV9Czyo9HoiYVxKYhgxYkjxtF/2AiX2F0wXQKt85 T63KAJDwloEtkgdgkAohgYFFERLggntRkf8HQBGPyKsFaKwHSJDVcqR5SaCKTYkHOIDrbNNpYE6I 9ZYJ2LAIQBF8JdkXqNgKqdiLzYADkC2RpVekWAqEgdgIQM7oyaSIVZCT5YJN6tgKWQgyHZnnbFqK CQktpUNETVR7tE+0BMj+VMRJrVQkyAVIvNS3HFCy9QYcgEge4CD4M4VA4FH+6reA+4NdOIRzldUd wL5AoMwyoIcb+AIwqIIwoAcYQNK+UwNYiAFO2IU4QIE2+IBZ4QAFkAY/4Ad1kIZi8AEJkIBWqARp eKI2aANstT5PaINGqAZViIWaEVc1KAIckKEUkAEYMIB2zbAMIAFLwrB4DRgS0Nh6vVIf2d3/8/QR gsiefzBTlVCR3I0tA4gt/biMvBKrhP0QtEIsAkGLCNgerqiJKLVSiFgIpMlTQa0IVoKCF5jY5JGQ PzrP45HSeIWIgc2r3nkBgPGq9A2JBehTxjqeAoBfEtkIlLCk5Q0JPt0eHBlg2yUK8LleWYKj641T hJBfidCsmQAQkAiH/DVA+aTP19LHfsSLHIhUR0QFJBhhJFiBFehAsR1bsq0gP1hBU6ADa3RIU5CD MrCHWVE/BzCVHzgBepCBL2jb7IgDbXUAJ5wCEFAHwIWBWYQBWJhbFOiGbogDPICBETAzZogBP3CA 
blADPNioGNQ3CVAAb3ODPwCBLyhGBegS/0WYjhQoBhAwhR5OAesDgi9AAXYNwA9Tz9VxCKAQYONx Ji290oYtCGe6UoQdpKltF+QNiQjgggzgrYqACfWs1w+JUgfhioVIJuZ5ABIoEk1uU6ZdEk02iNzR ZE0+gDT9Y4RFEkMGmAnQidxFiEEeXoRdkpIY5X945SgVLFWG2Mfq2V8Oi6CgLIApgDx1ZRLjkK6S Xyo9n8B6L2KuU5CrWrE0y1dTS/5UxBBGAq8t4RQ4YQ90y0wd0ExAAWcrAxjAAdrbBBVg3R1oA36A 2zXbYRuWgTCAAQVYzV34AAeYgjDQhQ9owiLiPj+ogiXkgBGABRBgPgVAgV3AgyooRmKVAf9YkACF vsWvi0IQ+INYyKgZ5LO7iIImiAVqGAE8eM0RmIQRONcLvWNO87CZ9Sv9mJhEvtJA3h6Fsek0vQkz 3bCpzV0zDQeZLojUIqUJkFrgudLVoquFiOUqTeSFAOXjiYrltJgiaVkusJicbl+0IJF6aVNDWiuW 2GqwnqOv9up2iQoDmIaLAC22lisEJqSg2N2zThJoZp2WpSybeOC8log/3bhD1eCrzUe7yIEuYcQQ FmESXoESRmGxjQLWQ0iyzQTKhsgpWEFla7I48D8QYKI2WARPYAYB2wEbngJeJcxDUAHlC4PkOwFd uGdYGLAqOIRdyDo/2IHvk4DbpgA/UAD/VfCDZnWzfDO0LeAAfvCDVJCADBgBRUjN3YixRQABj5SB EZiGFNhFe/Bh2cXjDDNZsJ5piUiflr1p8x3eF8gAIjGA1ZpfSs5dmJUl2CkAB8ndRO7qKOUCjvDe qiKJ8hZeqY6Ah8EwVAbwJ7mJTBLv4ISJKzXeefGWOjArMi3vXE5wRWbwIUFrpEgf1OIttEoTDped sOCkqkKRXZ6XDZPfwwokhKnd+h6Qvg7YApc8alZUDn6xRNRmR2yCbi5hcA4ygpxE1yPnTOiBDOCA aqA4U/hU3SvCQ0BMfmgDXgjtWjmBQLDQMEhWGAgDR/CbQPjnHfgCW1WBExiBGLDVXdDF/9k+gaxD gRNYXHVIhRgAxg9oAj8IsDTgBWlIBX5wgC0oBmMkymmoi0VoBCTghxOQAQloOCRYL3o4VxnwzZfO MBKQZqMll5xAChy56XeBiAMeEhw5gCqRCFOaBp6YAAxBGoOIAGTyGAnv6n+og7z2CNAygAeXpTQp gKGQaj6VWJEhJdbxmE3HdHt19fAlEG+B2PTkimA/4LLmCFMfkDkFi2Cn9dQCEKiaWWvv66ZACNBK pv7FkJtw5g3j08liJLdKnks3gMCKPLCs5kWVi2IIxEJE7BBuAhL+2m8Gspv78c+IArjsAco2tgxI gUpQBX4Yt8/sBhmwhym2qX7zhLPbgf842HKrjOjZhgEOcIAYUAMU8AQZyMwqOGJYqIIp9oO/DYND iAEyxwM14FB1+AIKwC7dPjtDS4Uo9IM/aIIPkKFJ4IVKaAIhCIAtYIY4kIEmABZFUAUVUIMvONdd QEco3SWfWAAHuWmKmfqf3RcLQc63tqSQkN878hawrxIcofW9atN/2fbiXZQJmAqT8AmClWqkaCqq T2CDeJGRwfphH/bgLKU3lZE6uN++BvVScpBmL15Sul8Mv/o7mgpSt2COeHy8D3FOWhS8j9JFqXut oGqw+onn7PxSKl6faHsZlxKrLUt8LGxCPEQcRwV7J+FcyPcO5HeDPDJNpWxvYEoJiAX/Vai/5oh5 CrAHHgCBHwjjswOCQ3cAe4iDzfyCOVOHl2/5xrw6GFAHBRh5w7V+FDgVWPAEToiDxfUEOFeDbiBo 0eaAKHcAfgCCU3UA5lYFXhACoK8EIIgDZlAA0La3EQACNQAIeyfkTDFg5OC/hAoXMmzo8CHEiBIn 
Uqxo8SLGjAmnGTCA8YHCCRk0kixp8iTKhAH+rWwZ4CXMRgEa0aRZrFGxYkJ2CkHjEw2qoEGREF2B ZEWQpK1etfLh1EenqJ16UO2R6Wombw4kLKrUJJanP4tGOACxQwUQEBLagKHwY8cJICoCVXEwJQ4M EB9g4P0BK1AYXUAcVLkRmIO6GDs4/3yQ4MetHwmKPvBzoIiXNzBg0vCS8oGCH0+TPoxQNSlnLCHF zI7YUo0DBRCTQOAJBEKOnCoHjaTs7fs38OC/F0QgsWCB8OTKl6tkyRIm9Jkza+LMqZPnT6BCiXJP sSJFUqZNn0qdSjWT1avePLX5UylWIyESWjfZwuyLCnttJPygAMSePSA4Qs8JFHyhxi477LCLGjCA IQNgujDzQxWAwfADhXjswoE0fkwIiyKpwMIMB6lgBsYIqQihiiL8/NEGL6kosEUblRRTiRCLSLGf FIv8MYInEnzgSBggOAAEDLsxtySTTTr50DQPkADSk1VaGVFLz0UnHXU2WYfdT0I1gf8Kd0aBF554 T0UhVVXpXeWGAgrYM8KNOLaRQiXVgIFHfjtIsINbeNgDYSAxAGFFGFN8wAEMeKCgjh+7xFGFJ0Bw AsMhujjwQRV4wPBBG4/t4EcbCnwAxgfqNJHGD5s1MRk/GajSmQSTNBFAJV7FMokqI3DQhidgGHkC IPSAMI0qIKCA0JXNOvsstNFK61CWW8Y0XU3WFZMDmD4JRSZ3SKSQS1JBiDeeD2tG1SZWQ7ihzg8g xMEPTry8p4oqizCTn1r9wQUCEIfEAYQnB8qgwJE/AONMGhzsAIsECsRwwsNtqDMiLKkoMiIIsEij yGOWNXHqCB/EIo06/HygQBMOzHj/K66KSLAFCGqooIAqFMQRiBqUhNGGKp7AYBBv0xp9NNJJK21R tdbK1OVNOfHUU5jblXlUuUG0srWabFrlphtugCADNWow00Qji6S2yFr8ORAHfyOMgCEI9qgggwyG VRHHDQkkQAABpQheSj0NcLLLIZx0iLE6+zTmiTe8SJOKZNIIkQoYkPPSgwMUfKBKE56UxstLlSgw ggKOqAHEJFvsQI8AAXqChAKe2MMDs0vrvjvvvTvZ9JZPQ31dt9oNFe5RZ6bZ9bpVtQsEBw548kMc DuAYC+mV8CIBEN3sAIYCFMx9ggxhOBIHhPQU8sQcuLg/R/ts5JOA4MB0zA8HIz7a/yGqaUySCmk+ IA1eZGI+ihCCNP7Aj1SoIgV/UMA0SNeISijCEwr4AjPAMAlPqMALgAABL9qACpqBgAfL8h0KU6jC FV4EeNERXra+VLxvNSFc3skaU56SLq+5KRND4EA3yAYGNdiDK5VAw0xyRQF7MCMO/eEHGNB3CBWA QAWFKEEJ2jePM1wBflj8ohbyIYoxtOEDIGAGLIBGGXWYLBUOqMwASeMJFUkjSH9oQgpU0YYmLCIA qlnEJGLhANTVDhC+oMcWpnEn29nthCx8JCQjyTsXvhBbMVTNTnKABqrRMFzfQUp4uOYUdZnnPOrp hkC2AIazgOEHqZlgrkYgAyAA4f97/AlQHGjzBCxqURImOAMrgomLL5ZADxfQhww+8AFmAKMN0qDM pmI0SFDFiB8KUEQxFKGABfJCFXFKwSL+EZ9K8GgED2IGD3xBgSYoIHMOoAcl7GGFokmynva8Z7Nc 4jRLVkdqU8tOUMbkyVycSWui3GHzTJmJDHzhCyD4kbBGAAIwxCKJ7wGDA+BCAQkwA2BAiMMueXmF eTziDL/4hQlMwIo5YFEPLjUmPUT3gUVMjh/SkEYsnOGJBdrKDUBSEeZK1k25neYfXimGBGIxjREw gxJx2MUu8PAFGTjCNkXQghxugAJ8crWrXgUOJa8Fter8E6BDqWF3QGmug5KyTVb/+eEuQFCq1hxM 
XusMQDECEIsH7cAeYODHvxwR0l3i4goI2OIvgIkLlhbzpS69AD1+4Id9OMMPYEiFM2KRiiClYpNb iMWdKLhNE21hRpOoxEuKEYtZKQIEYTAFCBbhADWYYheUwOoNCgGIQHjkq779LXAnEtaXwNBL/txJ dowHrjLhcGvj6YS6olCVVFCjG1OYggz+ILomAAGweFgd9mIRixEAIYo7AGwMYrCJLDS2BOzDBQKo 8IgKeIANjXXsBS6gh3KE4QOK4EQkOMGJNDQhqG5owv/44YktFENG/JDCrtbSBCHgyo9t2FXNTuCA WLihid04QSK0wIMQ3yAGwT0x/4qDO1wuDQ+T3epkd5DQXFFGASrr6kQGOLCINvyAGTFQweomESfN UGAHbOsK92iJAhREAhJ9OMcmHKuHJ4jBFVTIA5bzgIAn6De/Xs6vPiKRAEgYAhOYMEIavDECCahD CKGTgCdw6ob+HHgLI5BGE+yV10rMahIyEF+N9iMBVcQCCGEQRAsSIQgTp7jRjrbniotrXOJRzVuo aIIT0FqUghpUh9BdFzm68QNd6WsHRuJFLCK2Zk/sWG3j1UYkDNGBc/QhARt4wZcvwAZXeEAJWaYC Ffzx5XLkNxGusIAFDIEFRrjABQ1gADDgZKIgKPAPiljEqfihCNCOoA2TOG3pvP8dCwVIQAI3SSog KxGE+ThABVqYwqPjLW8Vrpifxp2aJqt2aSQ4Ia0FXQq61EWVOasDdYtYhBAm8YNF4Izha65RUl+S BixgwQUsEIUhxhACdRD7AuUoRBc8cOUK5KECwKZCIcqhcpWjwxWgsAAkONGABtxDHkeQBxwY0ANp VAIJMlPEFhbhBhRtgZ0j+HbE39OGGk0CkLFAwzR23IRKTIIrKZiEKUwx761zXWnDlYm9tVVWS19a 00S5YSgD/ukePHA/g+RFXn20gxE43JqgjcUiGMAIBgAADndodgiuIQEbsJwNHvBAyU1+8jywYeUq t4EhEpBxYCBCHjQABzhoQIP/JNwjE5Jr0R+kUYwtlDvPawkhOI2a6kCqLV9CIL23+cw2dUjgBPbo Ou5zDy19Oq1L/ZxapY2HaeStQK3OHSVCM4H0JrDl6JVYhCcowIz98GMtlSi3EbCgAc1rfhbyuAYx JOAFls9A5CXPA7A9MI88XMEG7ne/F7wBjPkDQwPcwDz+aaCDIZzsjRrzUcSEUK3IhwQIwT+oFt4l HGjBncxIAJ6owg+EASAcggK0ge5dIAY2SaRZkrZQmlkFlA2JS7lwzXisyZqkwtWt2cEdWSBhFGjN R1K1AQOIwPbl3+XtQSzwgxe4HzrE1+KhH+Kx3/vBnwTIwyzMnOXhnxKSQRNIr0HK0N64rcWOSZi3 hdMK5kQgpYC9SAMgTUMswIAA2MAuVKAqZKAZnuFv1JukkdXYKRcSaFoufJJSANwoQVcPKMKFqU0l TNAiVMNXHNmFGZEqMMAsaB7+EQM+bA8/UMAOuh8CKAGwYZnJId4ZJIIX7OAlegE/8MIncMP9fQIx fIIoiiI4HIEZeBOcIRi5SUATlBsglZsB5gh8CEEKxEITIFGvUIAcHEIgBMLRtSISBAQAOw== --_005_2DD56D786E600F45AC6BDE7DA4E8A8C1121E5DB3eusaamb107erics_-- From nobody Fri Feb 19 12:12:15 2016 Return-Path: X-Original-To: lurk@ietfa.amsl.com Delivered-To: lurk@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3BB71B29B6 for ; Fri, 19 Feb 2016 12:12:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com 
From: Andrei Popov
To: Daniel Migault, LURK BoF
Date: Fri, 19 Feb 2016 20:11:49 +0000
Subject: Re: [Lurk] Which authentication methods to consider ?
I think it's a bit too early to exclude RSA at this point. Can't comment on the usefulness of PSK for LURK purposes.

Cheers,

Andrei

From: Lurk [mailto:lurk-bounces@ietf.org] On Behalf Of Daniel Migault
Sent: Friday, February 19, 2016 11:45 AM
To: LURK BoF
Subject: [Lurk] Which authentication methods to consider ?

Hi,

Authentication methods that have been designed for TLS are: rsa, dh_dss, dh_rsa, dh_dss, dh_rsa, ecdh_rsa, dh_anon, ecdh_anon, dhe_dss, dhe_rsa, ecdhe_ecdsa, ecdhe_rsa, psk, dhe_psk, rsa_psk

One possibility is that we reduce the number of authentication methods to dhe/ecdhe.

Anyone thinks we should extend / reduce authentication methods in scope of LURK?

BR,
Daniel

DANIEL MIGAULT
Researcher
Research
Ericsson
8500 Boulevard Decarie
H4P 2N2 Montreal, Canada
Phone +1 514 345 7900 46628
Mobile +1 514 452 2160
daniel.migault@ericsson.com
www.ericsson.com

Legal entity: Ericsson Canada Inc., registered office in Montreal. This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer

xJ5GfRSkoHof3CQ3rs8/29Osobjftwd1Rzm8dxUAwAj/FnwdQDj/RgB90AEDsAYbIHQJQHh94HwE 0AHDNwZytnhkkAMZUAZGsAbYJyOQ93jd13RPJ3XQVQPk14KaNW3W1j4aB1rb5n7vt2mmtwVoR3/0 l1Y14SCtB4RAaG5vpyEccif11QnLogPMsntQdxUQgAV6J3x9N3hAlwCiAHzM13wEEHTDNwBaNCPU Fwsc4A58AAFoOILZhzdsWC0agIJXoYIl5IJ0GFHmZxLoF0hXdmlNMAl9SHZlF3+ixoM9oHpmEoQO kohDiGrm1n9S//EKLBUyATgEhEaAkGeAWkh0MTYAG2AIWTgGPbYBE8iAXYiBiccCRHYEucBKbqAN jICGaTiCJbh9kfeGcFhsCIVQdbiLD3U1WheDtIIwXndlHjcJxlh6IXZ6JceDUkAO5BAFZqKI0rgH i9g2uWCEUQGJc9UDdtCNNcB7daIBkNc7UUh8ojAGa4Bn6vg7LRKBhXeBnygCMTYLOvAJQmAJQrAF 1AAB2AKL5ySLJWiC4uiGKdhgTUUIvJiQeTRlJZGHpkOMOuSHN1hNObiD9OeMbtADjaQT0iiNr6cb 1wgxjxiJZACANDcE4SiOj4d9EMAIYwB859giPVYPbwCKB7ZvzP93eBswBs3BSdwQJCgxDVuQBozQ j/6IfQYUkNu3lHBobISmkFAJQ1lXCQ6ZcewXkTcYYkLpaVGgCPPHg+TgBlLwChyZiA0yja7XetQI c1MhFT5gBp1gBiZ5kilZguTYksHwksxzKA0wAGOQAJhQQQ1QQQwQgV4ocM4xCzRACzmwDxo3CVGg AYzACEZgBC5wlEh5NwH5eG/4dE6XBFEZmuZzhw2pYet3lcaYlRXZlTxIDc5IDj3QCmYJMWXSkfl3 jSzWlk4EgNzYhAMoIit5l0bwAEsAMzTjAiFwDcp5Dd+AD9+QDdcgD8AwBgh4jqh4T3vQCLKDBk3A C1uQCZM5AJX/eZmwqIabaYLCMXnh2C8ZYADTcD7uqRkvkAGtEp8J0Z7vmR8vkJ8PYZ+RlgEZUFHV BowIo3EQ2QQGoA2qmYw66JVgGZbkIAVp5SANAhUVWpvTaKGvAIlv2QlHYABG4I0oqQHAGZx3yQgz sASwQDw0YyjJ8KIwihzTWXSiMHyJeQR7sA2iYQna4A4Z4AOTOZmVaZmYiZSbuX2Tl3AVcQBQgBDT MAHhEKVSGg4R8AJTeqVU+g/TQAJ1IKUTQAIHEQFYOqUvcAATgBBcUAAC8aRX+qUE8QJ1sAD8ORAZ MAH0iRAGsABe+gAEYQBdOqVQcAAEQQJjGg4vUBBcEKV8KhBi/1qohloQdXqnfnqlEbCoA9GoV1oH BgEF4VAHh1oQW/qn4eCmBxGpAvEA4cAFB8Gk/0Cojgqm/5ABmEqqCpGne0oQXKCqCLEFXPCndcAF W/ARWeOqgLoKXyd6iRoOq4CM0zAKo1ByitCarhmWY+kOohqlofAAtEkEhWoA0RKXPUAKUUoC35hw AFAABWBAI2gEfGAO7XAKyVqooLAB/dAHMGMIyDCmEVASncClXkoKWFCUQ+oCRlCe/1hAmhmQ4tiZ V1ERhIqn4VAAJDCxFOueFEsCenqxBvAPC1AHJGAABnAABRAOsNqnFxsOC3CxWxoOCLEACyAQBhCx FzuyLysQhP/6qwYRsxt7EKi6AAcQsiOrpjZLshebsQOxAF96sRM7pxlAshGgqTB7silLsXP6Dzo7 tErLqXI6ECirtCRgqacaDmYaAQbRsR8LtCR7EFfLsV0qqAXxsBlwsROQtBNLn3A6AQ8AskGrED37 syIbsUdbswYxDVDgsSDLpaEQrNWGtBRLBCQwsiRAjNoQDkQAD3VAkVopDuKwBQ5Kf9PqBhHaCtxK 
BKRLuutAuRYqDhNQuqzrDR3aCUYQDpdguSMKnMuwDCvJrg+gCUpgAuHQArpAAkRgDaSADMhwC6CQ vAQgCuEACpiwAecQDvBACtZgDaRLAnzwEeNQB0RwAGXwAOb/EA7LQALBILADW7CxiLDnKRzsqwEO y7JqGw47qxAPSxAHIL+QyhBpO6jwW7Y1u7YDEbOLSqiEOr8wi785u78DgapuW7/8e6cuyxBcOg1N C7ZcW7Lxu7MOHMB1QLYCocAJEcGoeqcCcb8GHKsQu7Mu+7RVu8ECEcEEMQ0dXBBWisF9CsL/wMAv LLgFgbRbACtbMAELUG0BMA4L4FlCQKjUsH46RAR10IrKqpVCKQ6DMH/RepEYmZGiGw4WaqHcqg1Q obkVmo2vsJs9cAl1wAAoQLIqKRy3awTuEA+j4AEVQAWu4LstEAMpIASNwA23SzM1+W/Q4LxYEL2Q cA/yEFMj/0ES9+sOEhALI6AOf0AHHsAKVEC+AkuwEIC+B3s3nqywnAkA75vCEty/QzsROOzCgXvA J/wPUODBD4u0cwrABAEFPDwQBaCrqjwN+wvDCjEBQuvLBIHDBbG2qpzDj/oPxAyp4cCnMozBx0zK HCunM8y//vu2dVC1rZrNB2HLB5HLO5zBnfcRMesOJLEA45CHK+EO4eAOYAfMxrgO0RCIQjkI0bCM rZnF5LDFXfwKIYK6KyDGULGhr4BecsmNwmAOvNcMy+AN4uiKoRAKveABCOAKvZAHvdC7vzsFf5AK 0hAA69AMIuBvNNq8AgcJ0AAJzvAJ26CjiwAEMqAJ4bAIsf9QCRJQCdUwBVSQBQggBlSgBOcQDAVL sOSZvp+8vqJMEdFMywjhwiMsEalsygQBw0w9zaecATgbwAgcw828EMfcy7dsEPf7qU9dEMus1Ros 1QPhsR9swwbRq7h8pgscDiS8EGsbwffrtqfcw7cMBULLzHo9ELxswdf81nI9MBPABX7ksu1zv36g bfeLAmO3CuGgDQwaDeJwxQ/qBpydCfy8Av4c2pQ7FesgDizGoR3KjajKBw5NqJFgALvrCsJgC0rg AVTQCzPQ03nwCxvNARKgCqpgxBjgAjTaAc1LKJAQDpEADtuQA5MgA44QBztA2RzwD5AsASPwBQKg BR5ACR7/cAZn8Aia8AB8gL5FrYYJu5mjfBBW+qn0K9UyjLfarBBR3bL/u9VrmtX1W8BoncCt/LZq HbNuGwEenBARINcCkdXD7NY3nNYt68FsrRB18NdWqtfx/QDzXcwIDMMsPBCqLMzKzOAh7t8LAeLh PM4fgc7nnM5dggKhMA5g1QTwMAGpmQJ1MApauQXiEA2s6bmuydmgy8+uQ9Ds/AD+DA/wQMboBa7d CA/CoAF1ggLQIAkZjQBKMAzDoAT+oARi4A8C4Ap3HA6nAAOeEAAj8AKSMAiNmXw12rwwEgnyuw1C AASHsAM7AAaLoAh1gLeKAAZgIAFxIAZs8AtisAQIkAhU/yAAeVAB/oC9/mjUR12C683eEeCylr4A FqzKGaCndRC3gZ0Q9X0QVI3f0/C0d+rAldrfGm7AD0Cxpy7VLwAFTerhl77C+dm0GFwAs77gtYrA 0QzD01AAtb4AuorM7v0PiU0Qm96pnp4Qd12zhOveH37LZ03MtNzqdXvifC0QA+OyIzEO+koNYDW5 RNCHY2cOUMCgVKzZUvC5nL3P3LpIBG0AET0VG0oE4lDag6C58JAG3LjG1jAEaXAAvRAKwtAFMzAD o2AMwlDRrnAKAiAAXO67S2APHxELL9APUCADI7AP8rAGIhAOpAAMAOAMjBAB7CAJKq/y8TAClcAB nN4N4//9BUugBb1wA1MgAInwCAJABWfACibgDw8QCY+O3kkJeZMOqns+7Jmu1gKRAXzK6Z9uEKFe 
2DG7p1yq1xvMBbBa1QBspV46tFIKBS8QAWTv4Shb6xGQn4T6syD79lQv4qy814XdscNe7Ej79iB7 AHX99FHfqVNvtRvOwz5L96vM6wdh7VsN9lEq1yZu1SgeAC5LlYw7sY47sqvAYUQADQ/gDu5wAJ5/ ADm+71sgrVkMuj7ArWNvAPAABQZA0NyquYMw++LQ791oDcr6AF1gDh6gBK4wCv7gAUvA8GIg/IU+ 0f4QDeGwBDIgrEJwDKEABidwAj/QBo1AudyAAVKw55L/cAzRIAnRwA6rUAxaVwwcsApgoPx1oAmH MAUnYAUIwAZB7/Ns8AiAgADzIABnWKTqCxAAAPwjWNDgQYQkwiEkaCCcAYYHFUY0mCHCQ4r/wpGQ uJDhggUNwxUgQeLig2kGJxZUCNEhxIMvGa5UWJIElDowC4LMOCHcT6A/uRzcmFHmv5UIF0QgWDRi hqBRD1C0iDGmVZ4FI9RJmXRnSINOEYoteLQjwawHswb4F8BtAJCNGoEsVreYECEK/aCp5jPqz1HT tmwRN0iRFMTUqJEj58YxuVZEwhGhHKrOgVeZM4sTl9mHDzOdOvWwM8Tv32MzRgEaJsyfEkAzTnUR MwNe/7hNIwLEWgQ32qJFYQIFOrExQCM+4eic8ARkh4RFlWJNjyVEgjogMW63wGGPzrwrv1qc8lfI g75erFhV0AXBvXsG8eUDYDAwY0avBs1SzE9xQoGMyPrngXBSQgiKof4xq4BwXlDJo50mmGY/gqYJ 54GZPEpqGigkNCgthA640AASS1Qog7A4ouio/giqQ0UBDeIipxJLjGCC+/5D6CgQp6mDqf5A/AcK ABGCaqqDLMQwIY+EJIgLHNtq660JuAigkgXGqcQuvISYrBoRV3FnTHcOcEeyFwQbRJzDElPMMTcy gEyyIDLzJpQJvPHslcI86yQ00uwgkAsllNBECQ9cWf8gHCV6aUEYWxDoBZAuWnBFDCYeCaebWHjh QJtJxonGk1iYwWOXHcJ5J4dt3AmnhRN+AIGCHYBQhwMJRhhhEQnAAEKVNoSp4BQeenmEDQ/kmEIQ epaQA4EzWMmDkkjee08+bO/DD8KrdOKP24ycTPEgqJas6EKRvMUJRYLyy6AOLigkCAqwDioALK/e heLDehEqIMok4R13RataJNBBjVRkSMcdw0EyIid57PcfEQ8IcuIZDVSJK4boZehetCYmSEQD2Hor gJfkAmlLLr0koZoChGmiiUlqTiEFN+oIbItoxEHMzcbidGPOcDR75YU6QnnFh6X7/Ey0QIcwB5kq Wlj/ooxTxFiiC2iOEaAXSJU4ZewZxNBa00oWaQMFFLYYZxxPFhmBHxnUCccVB7YRsYUdQACCAmY4 OOCAD34AYhEFwPhBlT+OSW2TU2bwBQcwOKBHnxn0iSBaBOTwpz1rIcA2Pm2/jUheJmNSuKAXYhzY oALqQLjCA8zdz0coDOyvJqsOEnF1BdFFClyHivxH3H8sBL6g2F9niEVwFRS4qeVHbjCiCZgyYPnW l5cYoa24iF7Id5kyqPUEQxTQoSWR73ALgtzaYoJQKrly5ZYVcoeajWameZKbTcMcXOEZm4AGpwzI KTJF25OIzPEZH6wJgmboQaC0EY5RnGI8PDjFEpbQ/4tj1IEHo7CFLVYDCCZ0wYP20EQ4KpErIIxA FdFgxx9GAAZ+/GAE4ejCD/5wCuXsAAy7UMMJuqGLA9CBCG2QgCdGYENXeSAeKqgCDpjhgEl0gx5s qIAYTJAIOcBABWLwxwOMEDrRyad0EamJTWwyoZG4sSTeGp7vwlElE9UhdwFaHodeRKIHTKAO+ukd QZBWpBYtqpAGIdACpvIC8RmvPwRq3wTkWJJpKERjB2ndw1xXloIVyI1QCMcCNFbKS2IoAvtiY4FE 
hEcSkUCPm0xXyBDio58oRWQH0COGMsAgkTGylI+MZIQuyZEMCJIEg5HlBDLQiOOA5AVEKAkRGDQO NP8ohBwzqxkAUwBHlAxiApfQxCXMyYVLOCYDQ1ugZj7zinOE4xyfEcc4iWBOfKbBGsoZzxLo4KgW UGIGPOyCMerwiDyYIwJKGIUmYqEQxIHhA5NQRDTg1gYHUAAIEgjHJUZgDyCaQxOa6AJJNXGAbtDh jqMw0wGIUAdZyAEHIODACZhBDQlYIRHzoII/EKCGLeSUEgIQwxTOeK00MmCNz6vDXy40jdMEZWIH YGVF/gWUOhSAlgd6mEEy2dSfFIBdBEnmWAvygEFSrKoVmcAeI0LVh9xxdVT9mPkU4lQDRMB4H1EY FLpqJGcSJJB3/UkEzEWQi/yFK3U4bMAc9MvTZHX/q/8o65PSZxBe7tWyDHnBRahqSW3B1SGgZYlT w4GiacSOCzMqQBTe0ogCFCCxP7EkNaqhV/91E4DTmMY4iLCFS5gWBXFS4AOUxjQI+sAc8PhMcJ16 AHjAgwd0aEE8PgiCD8QhEMdQghgqYNqUhoIXihgBFjkwilFMogl/k8EHoPAALX5BGE6NhgL4gQJz RNYcMGDGCzxBjR+AAQwyoMIVHiEGQHxBFYYDhC+IagpGoBE+S6VwhY1iVgtXZHYZ5nCHPfxhEHfY ABgOcYlNHL8pvaUSK15xI1omhGrEuBrctFkAeTuYNilmMQhMIDl8EIQ6LS25yTXD00ZDmkwM4QV0 /+ABDhw1th2MwHAgkMENBHGKKfSCB8yYRDG2IENVqOJv3VAAB+IABE94ihkgcMAiPnCIOJxADTJo gwLmFrdJeIIfnmhCG/7gjhhIQBFAAIMfJjGNEYAABFaYgRaoAIgTbEERFLACD4ogCAFQogpGOCp8 RHdiUIda1KMmdalNfWpUo/hkJ5MLy+rSJRnP+H/e5K1gcOwmavC4x1vITCuG7INOgCbYwx5NJuyQ iTRsogVl4CAOWtACK4DBAWDwhCdO4AgrqKAXmT5cRoHgAAeoAA8x8ERNd5CKWKgDDDtwQBvkcAhP oAoE1wEDBRzQxB9QgAMAVIAEtjDejIJgEjbsBv8IYiCGRHhAEApIgQRA0AJfOAIIQJApJyDQ6Qmn WuMb53jHPf5xjZts1farRCNcfZdFwDjGufVmG3irilvjOmjqHNqPWyFkCA4b2KKBWtRisGxKtIAO m9iEICg3bQf8QQaH+EIcWqAFf8DqBsKRARBggAdYKMANJzhBDNpA3jZI4wv02MEHdsCMD7gZDOXl xQf+dm9V9FsRi9iCGyjghiaogwI3gIHnEjGDE9CsDV+4wS5+gARVOIIS7jgjxpUKcshHXvKTp3zH Rc7qkhfD1bCWMctpXWtbS1oKbZKCYhgjhZvj/Gk75znPkWyHF5ShCpvggSniUQaI46BvilMAEPD/ 0A0g3CAQS7hBGZZQBCv4DQZxqMIPOLCLMKgADCAAgwL+oIJDDPjMH5AAoX+QdhuOIBWLQPQI3MCL LXhC0E1wAzOsMAVGa4EHbZjEIn6Agx9MQwFNoEYYboADTuM0a6k8AixAAzxABGSIyzuZkmtAu7gL vFgEvoi13PqfFPCmm8nADJwGIAMy1QM21mu90bADO/AGKygDOjAFHMCaG2gBejAFEKiVH1AEs+OA NgABPJgCICgDAdCHePgCwguDKXA+FWA+dYCFAIOFONgBdYCBIpo3DtCojeIAAfuDRVAEAeM+RQgw RaiGP2CGKfgCHBADX5iCSYCxKeABIJiE/bMc/zkwBQO4uNBJQDqsQzu8Q1MzmRRziwY0uVbbEhd7 QCGAwC4RAjQwRENEA0VcRDRABUfMhSDwtZwTwdZDskx4AdqjBDoQwxYIhE6UA+qLIVXYwg/whG44 
hCnYAV3QB304hS8oAxw4hCpQhw+QAWbIOlg4ATAIhEPoN1hgBhloNw5gBiD4Awn4gCrkhVT4gTJr AkXwBAVQgDbgADUogylogUSgByDghUbYAkfoxTYAlhMQhCKYAhQIwE7DQ3VcR3ZsR4pgCymJH8xb tdc6juOQC3zMRxcLxLrIgWLIAYBEhVxoBUk0MkrsgWKzgzTAAWfbhP+bgjJQgTIIBHpoNyBghv8/ +IOJ8xU8sIcfmIIiMIUyOAE6oASZcr5uYAYYcIAv2IVdcAR7eIE00DsbVAAZsDdpUMYRsD5ltDMp EIItUIAf2AJVoEYc2AUruAFm8IRKEIIYcAQKWAEJyLMfuAF6AEJ0lEN33Equ7Ep1FLk9pEd6hCay 1Ee58Md/FIKAXIFXKMgQrMQKMrYp2ARYXEFKkMj3k4MwUD8QYAZmrBUH4ACm+4EYOIRAgIH7c4RA sAJPgAVbhIURkIFdkIETeIBzIIIpUAMY8BUn3AV1GIEPoIAfuDezkyheiII6O7RuwIPkswI5oIBJ CIBpqLpFoJkR6AYwwIEiAIJuOMesDLUXAAn/4WwswcIQLtiwVJuQg+ACU2KeYBqQxjrO47mPCNCY BVCY7ckI6ZQR5IQryZI84QSJy2Kd8dSPCLhOA3kAkCBORlrPCgnPOtRDtwjLejTLs2wEgPxHgMwB NMgBgWzL5DrIChrQhVxBZ2sBZYkH11RKMJAAm0KzGPwDB+ibxowDFfgCB7ACw4wBBYgBm/IDP4MF GNgBIngHItiEMNgEB5ABOdBMHRpGmjrGenOAWFAEBfAEAOKAHbgBIJgCXWyCRkiBNqAGXkCDLaAA VJEDR/AEKkLHMwo1A4CCGiExpOCIBaAjVCsJtbiMCmkqNgKeNNGI+ygAJHkBnCgILmDPnaCj/yvF LClNHpCJvIcoEeRsiOd8lwfIK6Z4AL+iquoZkD6FAo6I0hI5QHiUT7FktXvMxxw4y7TkT0tAA1pA BSdAAgAFQQGNy0yIAYacLlPYBBwwBe6QARXYAQXghb/5gTZwDppyBBgAARigh0D4gh2wgjAIox+o AkdwhCooNxkIBDyABBOtAjWoAgX4gF0ARk8oSo36AF5wg+pLBSGIghtqgy1YzVT8AhAYgWJAgz5T hCaoBGpQAzmQgxMAgWlQgRtgBCflMJKYLAMQmV9Czyo9HoiYVxKYhgxYkjxtF/2AiX2F0wXQKt85 T63KAJDwloEtkgdgkAohgYFFERLggntRkf8HQBGPyKsFaKwHSJDVcqR5SaCKTYkHOIDrbNNpYE6I 9ZYJ2LAIQBF8JdkXqNgKqdiLzYADkC2RpVekWAqEgdgIQM7oyaSIVZCT5YJN6tgKWQgyHZnnbFqK CQktpUNETVR7tE+0BMj+VMRJrVQkyAVIvNS3HFCy9QYcgEge4CD4M4VA4FH+6reA+4NdOIRzldUd wL5AoMwyoIcb+AIwqIIwoAcYQNK+UwNYiAFO2IU4QIE2+IBZ4QAFkAY/4Ad1kIZi8AEJkIBWqARp eKI2aANstT5PaINGqAZViIWaEVc1KAIckKEUkAEYMIB2zbAMIAFLwrB4DRgS0Nh6vVIf2d3/8/QR gsiefzBTlVCR3I0tA4gt/biMvBKrhP0QtEIsAkGLCNgerqiJKLVSiFgIpMlTQa0IVoKCF5jY5JGQ PzrP45HSeIWIgc2r3nkBgPGq9A2JBehTxjqeAoBfEtkIlLCk5Q0JPt0eHBlg2yUK8LleWYKj641T hJBfidCsmQAQkAiH/DVA+aTP19LHfsSLHIhUR0QFJBhhJFiBFehAsR1bsq0gP1hBU6ADa3RIU5CD MrCHWVE/BzCVHzgBepCBL2jb7IgDbXUAJ5wCEFAHwIWBWYQBWJhbFOiGbogDPICBETAzZogBP3CA 
blADPNioGNQ3CVAAb3ODPwCBLyhGBegS/0WYjhQoBhAwhR5OAesDgi9AAXYNwA9Tz9VxCKAQYONx Ji290oYtCGe6UoQdpKltF+QNiQjgggzgrYqACfWs1w+JUgfhioVIJuZ5ABIoEk1uU6ZdEk02iNzR ZE0+gDT9Y4RFEkMGmAnQidxFiEEeXoRdkpIY5X945SgVLFWG2Mfq2V8Oi6CgLIApgDx1ZRLjkK6S Xyo9n8B6L2KuU5CrWrE0y1dTS/5UxBBGAq8t4RQ4YQ90y0wd0ExAAWcrAxjAAdrbBBVg3R1oA36A 2zXbYRuWgTCAAQVYzV34AAeYgjDQhQ9owiLiPj+ogiXkgBGABRBgPgVAgV3AgyooRmKVAf9YkACF vsWvi0IQ+INYyKgZ5LO7iIImiAVqGAE8eM0RmIQRONcLvWNO87CZ9Sv9mJhEvtJA3h6Fsek0vQkz 3bCpzV0zDQeZLojUIqUJkFrgudLVoquFiOUqTeSFAOXjiYrltJgiaVkusJicbl+0IJF6aVNDWiuW 2GqwnqOv9up2iQoDmIaLAC22lisEJqSg2N2zThJoZp2WpSybeOC8log/3bhD1eCrzUe7yIEuYcQQ FmESXoESRmGxjQLWQ0iyzQTKhsgpWEFla7I48D8QYKI2WARPYAYB2wEbngJeJcxDUAHlC4PkOwFd uGdYGLAqOIRdyDo/2IHvk4DbpgA/UAD/VfCDZnWzfDO0LeAAfvCDVJCADBgBRUjN3YixRQABj5SB EZiGFNhFe/Bh2cXjDDNZsJ5piUiflr1p8x3eF8gAIjGA1ZpfSs5dmJUl2CkAB8ndRO7qKOUCjvDe qiKJ8hZeqY6Ah8EwVAbwJ7mJTBLv4ISJKzXeefGWOjArMi3vXE5wRWbwIUFrpEgf1OIttEoTDped sOCkqkKRXZ6XDZPfwwokhKnd+h6Qvg7YApc8alZUDn6xRNRmR2yCbi5hcA4ygpxE1yPnTOiBDOCA aqA4U/hU3SvCQ0BMfmgDXgjtWjmBQLDQMEhWGAgDR/CbQPjnHfgCW1WBExiBGLDVXdDF/9k+gaxD gRNYXHVIhRgAxg9oAj8IsDTgBWlIBX5wgC0oBmMkymmoi0VoBCTghxOQAQloOCRYL3o4VxnwzZfO MBKQZqMll5xAChy56XeBiAMeEhw5gCqRCFOaBp6YAAxBGoOIAGTyGAnv6n+og7z2CNAygAeXpTQp gKGQaj6VWJEhJdbxmE3HdHt19fAlEG+B2PTkimA/4LLmCFMfkDkFi2Cn9dQCEKiaWWvv66ZACNBK pv7FkJtw5g3j08liJLdKnks3gMCKPLCs5kWVi2IIxEJE7BBuAhL+2m8Gspv78c+IArjsAco2tgxI gUpQBX4Yt8/sBhmwhym2qX7zhLPbgf842HKrjOjZhgEOcIAYUAMU8AQZyMwqOGJYqIIp9oO/DYND iAEyxwM14FB1+AIKwC7dPjtDS4Uo9IM/aIIPkKFJ4IVKaAIhCIAtYIY4kIEmABZFUAUVUIMvONdd QEco3SWfWAAHuWmKmfqf3RcLQc63tqSQkN878hawrxIcofW9atN/2fbiXZQJmAqT8AmClWqkaCqq T2CDeJGRwfphH/bgLKU3lZE6uN++BvVScpBmL15Sul8Mv/o7mgpSt2COeHy8D3FOWhS8j9JFqXut oGqw+onn7PxSKl6faHsZlxKrLUt8LGxCPEQcRwV7J+FcyPcO5HeDPDJNpWxvYEoJiAX/Vai/5oh5 CrAHHgCBHwjjswOCQ3cAe4iDzfyCOVOHl2/5xrw6GFAHBRh5w7V+FDgVWPAEToiDxfUEOFeDbiBo 0eaAKHcAfgCCU3UA5lYFXhACoK8EIIgDZlAA0La3EQACNQAIeyfkTDFg5OC/hAoXMmzo8CHEiBIn 
Uqxo8SLGjAmnGTCA8YHCCRk0kixp8iTKhAH+rWwZ4CXMRgEa0aRZrFGxYkJ2CkHjEw2qoEGREF2B ZEWQpK1etfLh1EenqJ16UO2R6Wombw4kLKrUJJanP4tGOACxQwUQEBLagKHwY8cJICoCVXEwJQ4M EB9g4P0BK1AYXUAcVLkRmIO6GDs4/3yQ4MetHwmKPvBzoIiXNzBg0vCS8oGCH0+TPoxQNSlnLCHF zI7YUo0DBRCTQOAJBEKOnCoHjaTs7fs38OC/F0QgsWCB8OTKl6tkyRIm9Jkza+LMqZPnT6BCiXJP sSJFUqZNn0qdSjWT1avePLX5UylWIyESWjfZwuyLCnttJPygAMSePSA4Qs8JFHyhxi477LCLGjCA IQNgujDzQxWAwfADhXjswoE0fkwIiyKpwMIMB6lgBsYIqQihiiL8/NEGL6kosEUblRRTiRCLSLGf FIv8MYInEnzgSBggOAAEDLsxtySTTTr50DQPkADSk1VaGVFLz0UnHXU2WYfdT0I1gf8Kd0aBF554 T0UhVVXpXeWGAgrYM8KNOLaRQiXVgIFHfjtIsINbeNgDYSAxAGFFGFN8wAEMeKCgjh+7xFGFJ0Bw AsMhujjwQRV4wPBBG4/t4EcbCnwAxgfqNJHGD5s1MRk/GajSmQSTNBFAJV7FMokqI3DQhidgGHkC IPSAMI0qIKCA0JXNOvsstNFK61CWW8Y0XU3WFZMDmD4JRSZ3SKSQS1JBiDeeD2tG1SZWQ7ihzg8g xMEPTry8p4oqizCTn1r9wQUCEIfEAYQnB8qgwJE/AONMGhzsAIsECsRwwsNtqDMiLKkoMiIIsEij yGOWNXHqCB/EIo06/HygQBMOzHj/K66KSLAFCGqooIAqFMQRiBqUhNGGKp7AYBBv0xp9NNJJK21R tdbK1OVNOfHUU5jblXlUuUG0srWabFrlphtugCADNWow00Qji6S2yFr8ORAHfyOMgCEI9qgggwyG VRHHDQkkQAABpQheSj0NcLLLIZx0iLE6+zTmiTe8SJOKZNIIkQoYkPPSgwMUfKBKE56UxstLlSgw ggKOqAHEJFvsQI8AAXqChAKe2MMDs0vrvjvvvTvZ9JZPQ31dt9oNFe5RZ6bZ9bpVtQsEBw548kMc DuAYC+mV8CIBEN3sAIYCFMx9ggxhOBIHhPQU8sQcuLg/R/ts5JOA4MB0zA8HIz7a/yGqaUySCmk+ IA1eZGI+ihCCNP7Aj1SoIgV/UMA0SNeISijCEwr4AjPAMAlPqMALgAABL9qACpqBgAfL8h0KU6jC FV4EeNERXra+VLxvNSFc3skaU56SLq+5KRND4EA3yAYGNdiDK5VAw0xyRQF7MCMO/eEHGNB3CBWA QAWFKEEJ2jePM1wBflj8ohbyIYoxtOEDIGAGLIBGGXWYLBUOqMwASeMJFUkjSH9oQgpU0YYmLCIA qlnEJGLhANTVDhC+oMcWpnEn29nthCx8JCQjyTsXvhBbMVTNTnKABqrRMFzfQUp4uOYUdZnnPOrp hkC2AIazgOEHqZlgrkYgAyAA4f97/AlQHGjzBCxqURImOAMrgomLL5ZADxfQhww+8AFmAKMN0qDM pmI0SFDFiB8KUEQxFKGABfJCFXFKwSL+EZ9K8GgED2IGD3xBgSYoIHMOoAcl7GGFokmynva8Z7Nc 4jRLVkdqU8tOUMbkyVycSWui3GHzTJmJDHzhCyD4kbBGAAIwxCKJ7wGDA+BCAQkwA2BAiMMueXmF eTziDL/4hQlMwIo5YFEPLjUmPUT3gUVMjh/SkEYsnOGJBdrKDUBSEeZK1k25neYfXimGBGIxjREw gxJx2MUu8PAFGTjCNkXQghxugAJ8crWrXgUOJa8Fter8E6BDqWF3QGmug5KyTVb/+eEuQFCq1hxM 
XusMQDECEIsH7cAeYODHvxwR0l3i4goI2OIvgIkLlhbzpS69AD1+4Id9OMMPYEiFM2KRiiClYpNb iMWdKLhNE21hRpOoxEuKEYtZKQIEYTAFCBbhADWYYheUwOoNCgGIQHjkq779LXAnEtaXwNBL/txJ dowHrjLhcGvj6YS6olCVVFCjG1OYggz+ILomAAGweFgd9mIRixEAIYo7AGwMYrCJLDS2BOzDBQKo 8IgKeIANjXXsBS6gh3KE4QOK4EQkOMGJNDQhqG5owv/44YktFENG/JDCrtbSBCHgyo9t2FXNTuCA WLihid04QSK0wIMQ3yAGwT0x/4qDO1wuDQ+T3epkd5DQXFFGASrr6kQGOLCINvyAGTFQweomESfN UGAHbOsK92iJAhREAhJ9OMcmHKuHJ4jBFVTIA5bzgIAn6De/Xs6vPiKRAEgYAhOYMEIavDECCahD CKGTgCdw6ob+HHgLI5BGE+yV10rMahIyEF+N9iMBVcQCCGEQRAsSIQgTp7jRjrbniotrXOJRzVuo aIIT0FqUghpUh9BdFzm68QNd6WsHRuJFLCK2Zk/sWG3j1UYkDNGBc/QhARt4wZcvwAZXeEAJWaYC Ffzx5XLkNxGusIAFDIEFRrjABQ1gADDgZKIgKPAPiljEqfihCNCOoA2TOG3pvP8dCwVIQAI3SSog KxGE+ThABVqYwqPjLW8Vrpifxp2aJqt2aSQ4Ia0FXQq61EWVOasDdYtYhBAm8YNF4Izha65RUl+S BixgwQUsEIUhxhACdRD7AuUoRBc8cOUK5KECwKZCIcqhcpWjwxWgsAAkONGABtxDHkeQBxwY0ANp VAIJMlPEFhbhBhRtgZ0j+HbE39OGGk0CkLFAwzR23IRKTIIrKZiEKUwx761zXWnDlYm9tVVWS19a 00S5YSgD/ukePHA/g+RFXn20gxE43JqgjcUiGMAIBgAADndodgiuIQEbsJwNHvBAyU1+8jywYeUq t4EhEpBxYCBCHjQABzhoQIP/JNwjE5Jr0R+kUYwtlDvPawkhOI2a6kCqLV9CIL23+cw2dUjgBPbo Ou5zDy19Oq1L/ZxapY2HaeStQK3OHSVCM4H0JrDl6JVYhCcowIz98GMtlSi3EbCgAc1rfhbyuAYx JOAFls9A5CXPA7A9MI88XMEG7ne/F7wBjPkDQwPcwDz+aaCDIZzsjRrzUcSEUK3IhwQIwT+oFt4l HGjBncxIAJ6owg+EASAcggK0ge5dIAY2SaRZkrZQmlkFlA2JS7lwzXisyZqkwtWt2cEdWSBhFGjN R1K1AQOIwPbl3+XtQSzwgxe4HzrE1+KhH+Kx3/vBnwTIwyzMnOXhnxKSQRNIr0HK0N64rcWOSZi3 hdMK5kQgpYC9SAMgTUMswIAA2MAuVKAqZKAZnuFv1JukkdXYKRcSaFoufJJSANwoQVcPKMKFqU0l TNAiVMNXHNmFGZEqMMAsaB7+EQM+bA8/UMAOuh8CKAGwYZnJId4ZJIIX7OAlegE/8MIncMP9fQIx fIIoiiI4HIEZeBOcIRi5SUATlBsglZsB5gh8CEEKxEITIFGvUIAcHEIgBMLRtSISBAQAOw== --_005_BLUPR03MB13968BC423A56AF6B6212A868CA00BLUPR03MB1396namp_-- From nobody Fri Feb 19 12:20:47 2016 Return-Path: X-Original-To: lurk@ietfa.amsl.com Delivered-To: lurk@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 567421B2BA1 for ; Fri, 19 Feb 2016 12:20:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com 
From: Watson Ladd
To: Andrei Popov
Cc: LURK BoF, Daniel Migault
Date: Fri, 19 Feb 2016 12:20:43 -0800
References: <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5DB3@eusaamb107.ericsson.se>
Subject: Re: [Lurk] Which authentication methods to consider ?
List-Id: Limited Use of Remote Keys

Given the use case seems to be CDN authenticated using keys of content provider, RSA, RSA - ECDHE, ECDSA - ECDHE seem like enough to me.

On Feb 19, 2016 12:12 PM, "Andrei Popov" wrote:
>
> I think it's a bit too early to exclude RSA at this point. Can't comment on the usefulness of PSK for LURK purposes.
>
> Cheers,
>
> Andrei
>
> From: Lurk [mailto:lurk-bounces@ietf.org] On Behalf Of Daniel Migault
> Sent: Friday, February 19, 2016 11:45 AM
> To: LURK BoF
> Subject: [Lurk] Which authentication methods to consider ?
>
> Hi,
>
> Authentication methods that have been designed for TLS are: rsa, dh_dss, dh_rsa, dh_dss, dh_rsa, ecdh_rsa, dh_anon, ecdh_anon, dhe_dss, dhe_rsa, ecdhe_ecdsa, ecdhe_rsa, psk, dhe_psk, rsa_psk
>
> One possibility is that we reduce the number of authentication methods to dhe/ecdhe.
>
> Does anyone think we should extend / reduce the authentication methods in scope of LURK?
>
> BR,
> Daniel
>
> DANIEL MIGAULT
> Researcher
> Research
>
> Ericsson
> 8500 Boulevard Decarie
> H4P 2N2 Montreal, Canada
> Phone +1 514 345 7900 46628
> Mobile +1 514 452 2160
> daniel.migault@ericsson.com
> www.ericsson.com
>
> Legal entity: Ericsson Canada Inc., registered office in Montreal. This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer
>
> _______________________________________________
> Lurk mailing list
> Lurk@ietf.org
> https://www.ietf.org/mailman/listinfo/lurk


From nobody Fri Feb 19 12:28:59 2016
From: Yaron Sheffer
To: Daniel Migault, LURK BoF
Date: Fri, 19 Feb 2016 22:28:44 +0200
Message-ID: <56C77AFC.5070201@gmail.com>
In-Reply-To: <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5D87@eusaamb107.ericsson.se>
References: <20160219144210.27967.20170.idtracker@ietfa.amsl.com> <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5C91@eusaamb107.ericsson.se> <56C7409F.1010402@gmail.com> <2DD56D786E600F45AC6BDE7DA4E8A8C1121E5D87@eusaamb107.ericsson.se>
Subject: Re: [Lurk] FW: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt
List-Id: Limited Use of Remote Keys
Similarly to what Andrei said, we (unfortunately) cannot exclude TLS 1.0 at the moment. See https://www.trustworthyinternet.org/ssl-pulse/. Though I don't think that should have any real implications on the protocol.

Thanks,
    Yaron

On 02/19/2016 09:34 PM, Daniel Migault wrote:
>
> Hi Yaron,
>
> Thanks for the feedback. Please see inline my responses.
>
> BR,
>
> Daniel
>
> *From:* Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
> *Sent:* Friday, February 19, 2016 11:20 AM
> *To:* Daniel Migault; LURK BoF
> *Subject:* Re: [Lurk] FW: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt
>
> Hi Daniel,
>
> Thanks for writing the draft! Here are some initial comments.
>
> * Many of the authentication methods you mention are deprecated, rarely used, or rarely used for the relevant use case. Examples include dh_anon, anything with dss, and anything with psk. I would suggest to concentrate on the very few that are in actual use with CDNs. This would enable us to simplify the (future) protocol and its implementations.
>
> MGLT: Agree. I think we should limit ourselves to a limited number of authentication methods. I would like to propose to restrict ourselves to focus on DHE / ECDHE authentications.
>
> MGLT: Similarly, I also think we could restrict the scope to TLS/DTLS 1.2 and 1.3.
>
> * The only exception to the above is *_ecdsa which is still rare, but expected to grow.
>
> MGLT: hopefully ;-)
>
> * At a higher level, I'm not clear about the value of an abstract API. Once we settle on use cases, I suppose we will want to create a concrete protocol between the Edge Server and Content Provider. This would solve the problem in an interoperable way. Why would we want an abstract API in addition to the protocol? That is, unless you look at the abstract API as a sort of high-level design for the protocol.
>
> MGLT: I see the abstract API as a high level view of the protocol. The reason for writing an abstract API was to describe the interactions needed between the Edge Server and the Content Provider, with the expected input / outputs, no matter whether JSON or CBOR or whatever format is used for these parameters or which transport protocol is used.
>
> * Sec. 4.3.1 demonstrates issues that are typically not discussed with abstract APIs but are important here. Specifically, resistance to timing attacks.
>
> MGLT: OK then, maybe it is not an abstract API.
>
> * Typo: RFC 2546.
>
> Best,
>
> Yaron
>
> On 02/19/2016 04:46 PM, Daniel Migault wrote:
>
> > Hi,
> >
> > Please find an abstract description for an API between Edge and Content Provider. It is far from being finalized, but I believe early comments would be valuable to make the work progress.
> >
> > I hope it will be helpful, and that a more complete version will be provided before the next IETF meeting.
> >
> > BR,
> >
> > Daniel
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > Sent: Friday, February 19, 2016 9:42 AM
> > To: Daniel Migault
> > Subject: New Version Notification for draft-mglt-lurk-tls-abstract-api-00.txt
> >
> > A new version of I-D, draft-mglt-lurk-tls-abstract-api-00.txt
> > has been successfully submitted by Daniel Migault and posted to the IETF repository.
> >
> > Name: draft-mglt-lurk-tls-abstract-api
> > Revision: 00
> > Title: TLS/DTLS Content Provider Edge Server Abstract API
> > Document date: 2016-02-19
> > Group: Individual Submission
> > Pages: 14
> > URL: https://www.ietf.org/internet-drafts/draft-mglt-lurk-tls-abstract-api-00.txt
> > Status: https://datatracker.ietf.org/doc/draft-mglt-lurk-tls-abstract-api/
> > Htmlized: https://tools.ietf.org/html/draft-mglt-lurk-tls-abstract-api-00
> >
> > Abstract:
> > This document describes the interactions between the Edge Server and the Content Provider in a split authentication scenario. This document provides an abstract description of the information exchanged between an Edge Server and a Content Provider.
> >
> > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat

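The Edge Server to Content Provider signing step that the draft abstracts, narrowed to the ECDHE authentication Daniel proposes, as an added example in Go that is not code from the draft or from anyone on the list. It assumes a single hypothetical operation (SignServerKeyExchange with the SignRequest fields shown) and uses the TLS 1.2 ServerKeyExchange signed-data encoding for ECDHE_ECDSA; the edge never receives the long-term key, only a signature over parameters it already knows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added example, not the draft's code: a hypothetical LURK-style signing call for
// TLS 1.2 ECDHE_ECDSA (RFC 5246 sec. 7.4.3, RFC 4492 sec. 5.4). The Edge Server never
// holds the Content Provider's private key; it sends the handshake randoms plus its
// ephemeral ECDH parameters and receives only the ServerKeyExchange signature.
const curveTypeNamedCurve, namedCurveSecp256r1 = 3, 23 // ECCurveType.named_curve, NamedCurve for P-256

// SignRequest is the Edge Server -> Content Provider input (hypothetical field
// names). Only structured fields are accepted, never an opaque blob to sign.
type SignRequest struct {
	ClientRandom [32]byte
	ServerRandom [32]byte
	NamedCurve   uint16
	ECPoint      []byte // uncompressed ephemeral public point
}

// serverKeyExchangeTBS validates the parameters and rebuilds the exact TLS 1.2
// to-be-signed encoding: client_random || server_random || ServerECDHParams.
func serverKeyExchangeTBS(req SignRequest) ([]byte, error) {
	if req.NamedCurve != namedCurveSecp256r1 {
		return nil, fmt.Errorf("unsupported named curve %d", req.NamedCurve)
	}
	if x, _ := elliptic.Unmarshal(elliptic.P256(), req.ECPoint); x == nil { // rejects compressed, wrong-length and off-curve points
		return nil, fmt.Errorf("ECPoint is not a valid uncompressed P-256 point")
	}
	tbs := make([]byte, 0, 68+len(req.ECPoint))
	tbs = append(tbs, req.ClientRandom[:]...)
	tbs = append(tbs, req.ServerRandom[:]...)
	tbs = append(tbs, curveTypeNamedCurve, byte(req.NamedCurve>>8), byte(req.NamedCurve), byte(len(req.ECPoint)))
	return append(tbs, req.ECPoint...), nil
}

// KeyServer is the Content Provider side; the long-term ECDSA key never leaves it.
type KeyServer struct{ priv *ecdsa.PrivateKey }

// NewKeyServer generates the long-term key; it panics only if the system CSPRNG is unusable.
func NewKeyServer() *KeyServer {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &KeyServer{priv: priv}
}

// Public is the key that ends up in the certificate the Edge Server serves.
func (ks *KeyServer) Public() *ecdsa.PublicKey { return &ks.priv.PublicKey }

// SignServerKeyExchange is the only operation exposed to the Edge Server; it signs a
// structure it rebuilt itself, never caller-supplied bytes, so it is not a signing oracle.
func (ks *KeyServer) SignServerKeyExchange(req SignRequest) ([]byte, error) {
	tbs, err := serverKeyExchangeTBS(req)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(tbs)
	return ecdsa.SignASN1(rand.Reader, ks.priv, digest[:])
}

// EdgeHandshake is the Edge Server side: it picks server_random and an ephemeral
// ECDH key locally, then asks the key server for the signature.
func EdgeHandshake(ks *KeyServer, clientRandom [32]byte) (SignRequest, []byte, error) {
	req := SignRequest{ClientRandom: clientRandom, NamedCurve: namedCurveSecp256r1}
	if _, err := rand.Read(req.ServerRandom[:]); err != nil {
		return req, nil, err
	}
	eph, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return req, nil, err
	}
	req.ECPoint = elliptic.Marshal(elliptic.P256(), eph.X, eph.Y)
	sig, err := ks.SignServerKeyExchange(req)
	return req, sig, err
}

// VerifyServerKeyExchange is the TLS client's check against the certificate's
// public key; any tampered parameter makes it return false.
func VerifyServerKeyExchange(pub *ecdsa.PublicKey, req SignRequest, sig []byte) bool {
	tbs, err := serverKeyExchangeTBS(req)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(tbs)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	ks := NewKeyServer()
	var clientRandom [32]byte // constructed sample; a real one comes from the ClientHello
	req, sig, err := EdgeHandshake(ks, clientRandom)
	fmt.Println("edge error:", err, "client accepts ServerKeyExchange:", VerifyServerKeyExchange(ks.Public(), req, sig))
}
```

Because the key server rebuilds the signed structure from typed fields and refuses curves outside the agreed ECDHE set, the edge cannot repurpose the call to sign arbitrary data, which is the property the split-authentication scenario depends on.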
From: "IETF Meeting Session Request Tool"
Date: Fri, 26 Feb 2016 11:55:12 -0800
Cc: lurk@ietf.org, lurk-chairs@ietf.org, smccammon@amsl.com, stephen.farrell@cs.tcd.ie
Subject: [Lurk] lurk - New Meeting Session Request for IETF 95

A new meeting session request has just been submitted by Stephanie McCammon, on behalf of the lurk working group.

---------------------------------------------------------
Working Group Name: Limited Use of Remote Keys
Area Name: Security Area
Session Requester: Stephanie McCammon

Number of Sessions: 1
Length of Session(s): 2 Hours
Number of Attendees: 100
Conflicts to Avoid:
First Priority: rtcweb stir modern mile httpbis

Special Requests: Mon - Wed only
---------------------------------------------------------

From: Stephen Farrell
Date: Fri, 26 Feb 2016 21:49:07 +0000
Cc: lurk@ietf.org, lurk-chairs@ietf.org
Subject: Re: [Lurk] lurk - New Meeting Session Request for IETF 95

As you may guess, this indicates that the IESG and IAB approved holding the BoF on today's call.

Please continue to work with the BoF chairs to further develop the work here.

Cheers,
S.

On 26/02/16 19:55, "IETF Meeting Session Request Tool" wrote:
>
> A new meeting session request has just been submitted by Stephanie
> McCammon, on behalf of the lurk working group.
>
> ---------------------------------------------------------
> Working Group Name: Limited Use of Remote Keys
> Area Name: Security Area
> Session Requester: Stephanie McCammon
>
> Number of Sessions: 1
> Length of Session(s): 2 Hours
> Number of Attendees: 100
> Conflicts to Avoid:
> First Priority: rtcweb stir modern mile httpbis
>
> Special Requests: Mon - Wed only
> ---------------------------------------------------------
From: Yaron Sheffer
To: "lurk@ietf.org"
Date: Sun, 28 Feb 2016 18:28:22 -0800
Subject: [Lurk] LURK usage scenario: cloud providers

Hi,

Right now our only well understood use case is CDNs. I would like to find out if there's community interest in a second use case.

IaaS cloud providers offer, in addition to virtual servers, also load balancers [1] and API gateways [2]. It is very common to terminate TLS on these "boxes" and then re-establish TLS into the customer's cloud servers. It could make sense to use the LURK protocol between the cloud provider and customer-controlled key management servers, where the servers live either within the cloud or off-cloud (e.g. using physical network connectivity [3]).

By the way, my examples all come from AWS because that's what I'm familiar with, but other clouds do provide similar capabilities.

Please respond if you believe this is a valid and interesting use case for LURK.

Thanks,
    Yaron

[1] https://aws.amazon.com/elasticloadbalancing/
[2] https://aws.amazon.com/api-gateway/
[3] https://aws.amazon.com/directconnect/
From: Ted Hardie
Date: Mon, 29 Feb 2016 09:15:06 -0800
To: Yaron Sheffer
Cc: "lurk@ietf.org"
Subject: Re: [Lurk] LURK usage scenario: cloud providers

Hi Yaron,

On Sun, Feb 28, 2016 at 6:28 PM, Yaron Sheffer wrote:
> Hi,
>
> Right now our only well understood use case is CDNs. I would like to find out if there's community interest in a second use case.
>
> IaaS cloud providers offer, in addition to virtual servers, also load balancers [1] and API gateways [2]. It is very common to terminate TLS on these "boxes" and then re-establish TLS into the customer's cloud servers. It could make sense to use the LURK protocol between the cloud provider and customer-controlled key management servers, where the servers live either within the cloud or off-cloud (e.g. using physical network connectivity [3]).
>

It seems possible to model the load balancers being offered as a single-customer CDN, especially for the case where the load balancers are distributed differently from the other sorts of resources (computation, storage, etc.). Can you unpack a bit what differences in that deployment would mean for LURK?

regards,

Ted

> By the way, my examples all come from AWS because that's what I'm familiar with, but other clouds do provide similar capabilities.
>
> Please respond if you believe this is a valid and interesting use case for LURK.
>
> Thanks,
> Yaron
>
> [1] https://aws.amazon.com/elasticloadbalancing/
> [2] https://aws.amazon.com/api-gateway/
> [3] https://aws.amazon.com/directconnect/
From: Eric Burger
Date: Mon, 29 Feb 2016 12:38:05 -0500
To: LURK BoF, stir@ietf.org
Subject: [Lurk] Way outside the "box" use case

For the people on the STIR list: there is a potential WG being discussed in BA, LURK, that is principally looking at the problem of a content provider somehow allowing a CDN to sign on their behalf so that HTTPS and browsers “do the right thing.” If this sounds /similar/ to the STIR problem of delegated enterprise identity attestation, it should. See: https://trac.tools.ietf.org/bof/trac/ and scroll down to “Security” or search for “LURK”.

PLEASE, if you care about this issue, continue the discussion on the LURK list, not the STIR list. Thanks. See: https://www.ietf.org/mailman/listinfo/lurk

For the people on the LURK list: I do not necessarily advocate for or assume the STIR problem is in scope. However, if you and they have a compelling case for why it should be in scope, or if it is kind of in scope but appropriate for a later rechartering once we finish the HTTPS (and possibly DTLS) use case, say so, too. If you are curious about what STIR is, see: https://trac.tools.ietf.org/wg/stir/charters

Thanks,
Eric

From: Yoav Nir
Date: Mon, 29 Feb 2016 20:17:47 +0200
To: Yaron Sheffer
Cc: "lurk@ietf.org"
Subject: Re: [Lurk] LURK usage scenario: cloud providers

> On 29 Feb 2016, at 4:28 AM, Yaron Sheffer wrote:
>
> Hi,
>
> Right now our only well understood use case is CDNs. I would like to find out if there's community interest in a second use case.
>
> IaaS cloud providers offer, in addition to virtual servers, also load balancers [1] and API gateways [2]. It is very common to terminate TLS on these "boxes" and then re-establish TLS into the customer's cloud servers. It could make sense to use the LURK protocol between the cloud provider and customer-controlled key management servers, where the servers live either within the cloud or off-cloud (e.g. using physical network connectivity [3]).
>
> By the way, my examples all come from AWS because that's what I'm familiar with, but other clouds do provide similar capabilities.
>
> Please respond if you believe this is a valid and interesting use case for LURK.
>=20 > Thanks, > Yaron >=20 > [1] https://aws.amazon.com/elasticloadbalancing/ = > [2] https://aws.amazon.com/api-gateway/ = > [3] https://aws.amazon.com/directconnect/ = Hi, Yaron The use case we have been discussing is "offload TLS without giving the = CDN my private key=E2=80=9D.=20 In the use case you are describing, you have split AWS (or any other = IAAS cloud) in two: one part is the load balancer, which terminates TLS. = The other is the customer cloud server. Both of those nodes are under = the control of Amazon. In fact, they might (although this is not likely = for technical reasons) be running on the same piece of hardware. What is = the justification for trusting the cloud provider to keep your private = key safe on your cloud server, while not trusting that same cloud = provider to not misuse your private key on the load balancer? (hope you don=E2=80=99t mind that I=E2=80=99ve responded without = believing this is a valid use case for LURK) Yoav --Apple-Mail=_6937EFF5-14A5-4CD6-AEA5-BA1377414001 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8

From nobody Mon Feb 29 13:10:39 2016
From: Stephen Farrell
To: Eric Burger, LURK BoF
Date: Mon, 29 Feb 2016 21:09:58 +0000
Message-ID: <56D4B3A6.90002@cs.tcd.ie>
In-Reply-To: <6C117DC2-2F50-410C-81DD-4482B0A76D8F@standardstrack.com>
Subject: [Lurk] Another outside the "box" use case: DKIM

(I like that we're playing this game now. If we get a bunch of these off the table before B-A, that may allow us to better use the f2f time.)

Here's another one to consider and maybe say "no."

DKIM-signing domains sometimes use partner companies to e.g. send out marketing crap or useful materials. That can be done in various ways, but using lurk for DKIM-signing without giving the partner a DKIM private key for my domain could be yet another use.

I suspect that it'd be considered OTT to use such an interface for DKIM-signing, but who knows?

Cheers,
S.

From nobody Mon Feb 29 17:27:34 2016
From: Yaron Sheffer
To: Ted Hardie
Cc: lurk@ietf.org
Date: Mon, 29 Feb 2016 17:04:26 -0800
Message-ID: <56D4EA9A.8060605@gmail.com>
References: <56D3ACC6.8040403@gmail.com>
Subject: Re: [Lurk] LURK usage scenario: cloud providers

On 02/29/2016 09:15 AM, Ted Hardie wrote:
> Hi Yaron,
>
> On Sun, Feb 28, 2016 at 6:28 PM, Yaron Sheffer wrote:
>
>> Hi,
>>
>> Right now our only well understood use case is CDNs. I would like to find out if there's community interest in a second use case.
>>
>> IaaS cloud providers offer, in addition to virtual servers, also load balancers [1] and API gateways [2]. It is very common to terminate TLS on these "boxes" and then re-establish TLS into the customer's cloud servers. It could make sense to use the LURK protocol between the cloud provider and customer-controlled key management servers, where the servers live either within the cloud or off-cloud (e.g. using physical network connectivity [3]).
>
> It seems possible to model the load balancers being offered as a single-customer CDN, especially for the case where the load balancers are distributed differently from the other sorts of resources (computation, storage, etc.) Can you unpack a bit what differences in that deployment would mean for LURK?
>
> regards,
>
> Ted

I'm not sure if this would require any changes to the protocol at all. But if we decide that this is an interesting use case, we'll need to evaluate any protocol we come up with against it.

Thanks,
    Yaron

From nobody Mon Feb 29 17:27:45 2016
From: Yaron Sheffer
To: Yoav Nir
Cc: lurk@ietf.org
Date: Mon, 29 Feb 2016 17:09:33 -0800
Message-ID: <56D4EBCD.5000702@gmail.com>
References: <56D3ACC6.8040403@gmail.com>
Subject: Re: [Lurk] LURK usage scenario: cloud providers

>> Hi,
>>
>> Right now our only well understood use case is CDNs. I would like to find out if there's community interest in a second use case.
>>
>> IaaS cloud providers offer, in addition to virtual servers, also load balancers [1] and API gateways [2]. It is very common to terminate TLS on these "boxes" and then re-establish TLS into the customer's cloud servers. It could make sense to use the LURK protocol between the cloud provider and customer-controlled key management servers, where the servers live either within the cloud or off-cloud (e.g. using physical network connectivity [3]).
>>
>> By the way, my examples all come from AWS because that's what I'm familiar with, but other clouds do provide similar capabilities.
>>
>> Please respond if you believe this is a valid and interesting use case for LURK.
>>
>> Thanks,
>> Yaron
>>
>> [1] https://aws.amazon.com/elasticloadbalancing/
>> [2] https://aws.amazon.com/api-gateway/
>> [3] https://aws.amazon.com/directconnect/
>
> Hi, Yaron
>
> The use case we have been discussing is "offload TLS without giving the CDN my private key".
>
> In the use case you are describing, you have split AWS (or any other IAAS cloud) in two: one part is the load balancer, which terminates TLS. The other is the customer cloud server. Both of those nodes are under the control of Amazon. In fact, they might (although this is not likely for technical reasons) be running on the same piece of hardware. What is the justification for trusting the cloud provider to keep your private key safe on your cloud server, while not trusting that same cloud provider to not misuse your private key on the load balancer?
>
> (hope you don't mind that I've responded without believing this is a valid use case for LURK)
>
> Yoav

So the whole point of this discussion is to explain why people think that this is (or is not) a valid use case! Thank you for that.

And to answer your point, there are futuristic ways (Intel SGX architecture and its "enclaves") to protect stuff from the cloud provider. More realistically, you may have the TLS signing box in your data center, connected to the cloud with a VPN, and separate from the actual web server.

Thanks,
    Yaron
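The split this thread keeps coming back to ("offload TLS without giving the CDN my private key", with the signing box in the customer's own data center, separate from the edge) as an added Go sketch written for this page, not the LURK protocol or any project's code: the key server signs only well-formed TLS 1.2 ECDHE ServerKeyExchange parameters, the edge (CDN node or cloud load balancer) assembles the handshake without any key material, and revoking the edge stops new handshakes. The type and function names, the structural check, and the RSA/SHA-256 choice are my assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyServer models the customer-controlled "TLS signing box": it holds the
// certificate's RSA private key and exposes one operation, signing a TLS 1.2
// ECDHE ServerKeyExchange. The private key never leaves this process.
type KeyServer struct {
	key     *rsa.PrivateKey
	enabled bool // the customer can cut the edge off at any time
}

func NewKeyServer(bits int) (*KeyServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyServer{key: key, enabled: true}, nil
}

func (s *KeyServer) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }
func (s *KeyServer) Revoke()                    { s.enabled = false } // ends online signing

// SignServerKeyExchange signs client_random || server_random || ServerECDHParams
// (RFC 5246 7.4.3, RFC 8422 5.4) with RSA PKCS#1 v1.5 over SHA-256. The edge
// sends the full to-be-signed bytes, not a digest, so the key server can check
// their shape and refuse to act as a general-purpose signing oracle.
func (s *KeyServer) SignServerKeyExchange(tbs []byte) ([]byte, error) {
	if !s.enabled {
		return nil, errors.New("key server: edge access revoked")
	}
	if err := checkServerECDHParams(tbs); err != nil {
		return nil, fmt.Errorf("key server: refusing to sign: %w", err)
	}
	digest := sha256.Sum256(tbs)
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
}

// checkServerECDHParams enforces client_random(32) || server_random(32) ||
// curve_type(1)=3 || named_curve(2) || point_len(1) || point, nothing trailing.
func checkServerECDHParams(tbs []byte) error {
	if len(tbs) < 68 {
		return errors.New("too short for ServerECDHParams")
	}
	p := tbs[64:]
	curve := binary.BigEndian.Uint16(p[1:3])
	if p[0] != 3 || (curve != 23 && curve != 24 && curve != 29) { // secp256r1, secp384r1, x25519
		return errors.New("not a permitted named_curve")
	}
	if len(p) != 4+int(p[3]) {
		return errors.New("public point length mismatch")
	}
	return nil
}

// BuildServerKeyExchange is what the edge (CDN node or cloud load balancer)
// assembles locally for the handshake it terminates; it needs no key material.
func BuildServerKeyExchange(clientRandom, serverRandom [32]byte, namedCurve uint16, point []byte) []byte {
	tbs := make([]byte, 0, 68+len(point))
	tbs = append(tbs, clientRandom[:]...)
	tbs = append(tbs, serverRandom[:]...)
	tbs = append(tbs, 3, byte(namedCurve>>8), byte(namedCurve), byte(len(point)))
	return append(tbs, point...)
}

// VerifyServerKeyExchange is the browser's side: it only ever sees the
// certificate's public key, so the edge/key-server split is invisible to it.
func VerifyServerKeyExchange(pub *rsa.PublicKey, tbs, sig []byte) error {
	digest := sha256.Sum256(tbs)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	ks, err := NewKeyServer(2048)
	if err != nil {
		panic(err)
	}
	var clientRandom, serverRandom [32]byte // constructed handshake values
	rand.Read(clientRandom[:])
	rand.Read(serverRandom[:])
	point := append([]byte{4}, make([]byte, 64)...) // placeholder P-256 point
	tbs := BuildServerKeyExchange(clientRandom, serverRandom, 23, point)
	sig, err := ks.SignServerKeyExchange(tbs)
	fmt.Println("edge got handshake signature:", err == nil)
	fmt.Println("client verifies:", VerifyServerKeyExchange(ks.PublicKey(), tbs, sig) == nil)
	_, err = ks.SignServerKeyExchange([]byte("-----BEGIN CERTIFICATE REQUEST-----"))
	fmt.Println("arbitrary data:", err)
	ks.Revoke()
	_, err = ks.SignServerKeyExchange(tbs)
	fmt.Println("after revocation:", err)
}
```

Note that nothing here constrains what the edge serves inside the connection, and session resumption needs no call to the key server, so revocation only stops fresh handshakes.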

From nobody Mon Feb 29 18:33:15 2016
From: Watson Ladd
To: LURK BoF
Date: Mon, 29 Feb 2016 18:33:10 -0800
Subject: [Lurk] Understanding the problem space better

Dear all,

Apologies if this was discussed before, but there are some aspects of the problem that I need to think through a bit more.

1: Do we want a private key operation to be done for each TLS connection to a CDN by the content provider? If so, what does the use of the CDN gain?

2: What stops a CDN from modifying the content provided with LURK any more than if it had the private key?

3: What stops CDNs from using very long tickets to prevent ending the online signing from immediately ending the ability to impersonate a site?

Sincerely,
Watson

From nobody Mon Feb 29 22:55:19 2016
b=nDRPaZFH3s6gyXZjvyo+6n0BLcEu+x9vR/CJ25qKEi0lIzjeqt03lFr/5X+ki2/X/b dypKW5kASTHqkfArYqsniR9YQFvJLDTRREI4Axww0qZakTijwypk36/oOMkg0kueSEUY Sh+fUdqH2kFWBx1plV3vPQ+WhXtSqr6VsLjAQXe6sYpJwbsKhXljrAfXjadeenfXc8ji zs2maO8P1gGJe5rvIwSM2SnKdL/QKixzPD5MjKUX11nshPDb67IJ/XBo9/u7YquueJl1 6pE38QwzqYNFQLDLix0RiNTjUgtap3MNcnTCwDlbklfVv8F3aaK09Zy8vSmk8CYUlG54 sA2w== X-Gm-Message-State: AD7BkJIOIGF11bmrBXZ3JayEP94biXSEZGttE+0H2uBD85XIzGmBxR8JcjbEAjCD+MTc7g== X-Received: by 10.194.8.38 with SMTP id o6mr18768396wja.31.1456815315474; Mon, 29 Feb 2016 22:55:15 -0800 (PST) Received: from yoavs-mbp-2.mshome.net ([176.13.2.16]) by smtp.gmail.com with ESMTPSA id ks5sm29400993wjb.13.2016.02.29.22.55.14 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 29 Feb 2016 22:55:14 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\)) From: Yoav Nir In-Reply-To: Date: Tue, 1 Mar 2016 08:55:11 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: <0F9B450D-2935-4D12-85CE-D2802F76367B@gmail.com> References: To: Watson Ladd X-Mailer: Apple Mail (2.3112) Archived-At: Cc: LURK BoF Subject: Re: [Lurk] Understanding the problem space better X-BeenThere: lurk@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Limited Use of Remote Keys List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Mar 2016 06:55:18 -0000 Hi, Watson On 1 Mar 2016, at 4:33 AM, Watson Ladd wrote: > Dear all, > Apologies if this was discussed before, but there are some aspects of > the problem that I need to think through a bit more. >=20 > 1: Do we want a private key operation to be done for each TLS > connection to a CDN by the content provider? If so, what does the use > of the CDN gain? 
We should separate the problem or requirement (=E2=80=9CI don=E2=80=99t = want to give my private key to the CDN or the cloud provider=E2=80=9D) = from the proposed solution (=E2=80=9CI=E2=80=99ll sign the = ServerKeyExchange using my own box, in my own datacenter for each TLS = handshake=E2=80=9D).=20 I think the big reason to use CDNs and cloud services is to save the = costs associated with maintaining a server in my datacenter with the = scalability, reliability, availability and other buzzwords. A =E2=80=9Csig= n every transaction=E2=80=9D solution negates all that. Another reason = to use CDNs is that they reduce latency by having a server close to the = client. That goes out the window as well if you have to go back to the = customer=E2=80=99s data center to sign each handshake. > 2: What stops a CDN from modifying the content provided with LURK any > more than if it had the private key? Nothing. You still trust the CDN to distribute *your* content rather = than MRA propaganda. > 3: What stops CDNs from using very long tickets to prevent ending the > online signing from immediately ending the ability to impersonate a > site? Nothing that I know of. You still need to trust the CDN to be ethical. IMO a better solution to the problem would be some sort of secure = delegation. If you dig www.ietf.com you will find that it is a CNAME for = www.ietf.org.cdn.cloudflare-dnssec.net. What would be a good solution = IMO is if the CloudFlare server could present a certificate for = www.ietf.org.cdn.cloudflare-dnssec.net. There are two obstacles for = this: 1. DNSSEC is not everywhere, so browsers can=E2=80=99t trust the CNAME 2. Browsers don=E2=80=99t know any new secure delegation mechanism that = we might invent here. So any secure delegation mechanism would only work with new browsers = that implemented it. The proposal in the drafts works with existing = browsers. Yoav
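The split handshake that Watson's questions 1 and 3 and Yoav's reply are about, as an added example that is not part of the thread and not code from any LURK draft: a CDN edge terminates TLS, the content provider's key server performs the one private-key operation per full handshake, and session tickets are minted and checked on the edge alone. Everything below is an assumption made so the model runs on the Python standard library: the ServerKeyExchange signature is an HMAC-SHA256 over the transcript rather than an RSA/ECDSA signature, the ephemeral ECDH share is a random blob, and the ticket is authenticated but not encrypted (an RFC 5077 ticket is both). The `scenario` function counts remote signing operations, then cuts the edge off from the key server and checks what still works: new full handshakes fail at once, while resumption keeps working until the ticket the CDN issued expires.

```python
"""Toy model of a LURK-style split TLS handshake (added example, stdlib only).

Assumptions, not drawn from the thread or any draft: the signature is an
HMAC-SHA256 stand-in for the real RSA/ECDSA ServerKeyExchange signature, the
ECDH share is random bytes, and the session ticket is MAC-only, not encrypted.
"""
import hashlib
import hmac
import os
import struct


class KeyServer:
    """Content provider's box. The signing key never leaves it; it only answers
    requests to sign something shaped like a handshake transcript."""

    def __init__(self):
        self._priv = os.urandom(32)   # stand-in for the certificate's private key
        self.enabled = True           # set to False when the provider cuts the CDN off
        self.ops = 0                  # remote signing operations performed

    def sign_server_key_exchange(self, client_random, server_random, ecdh_params):
        if not self.enabled:
            raise PermissionError("key server no longer serving this edge")
        # Sign only a transcript-shaped input so the edge cannot use the key
        # server as a general-purpose signing oracle for arbitrary bytes.
        if len(client_random) != 32 or len(server_random) != 32 or not ecdh_params:
            raise ValueError("refusing to sign a non-handshake message")
        self.ops += 1
        transcript = client_random + server_random + ecdh_params
        return hmac.new(self._priv, transcript, hashlib.sha256).digest()


class Edge:
    """CDN TLS terminator. Holds the ticket key but never the signing key."""

    TICKET_MAC_LEN = 32

    def __init__(self, key_server, ticket_lifetime_s):
        self.key_server = key_server
        self.ticket_key = os.urandom(32)    # chosen by the CDN, unknown to the provider
        self.ticket_lifetime_s = ticket_lifetime_s

    def full_handshake(self, client_random, now):
        """Full handshake: exactly one round trip to the key server."""
        server_random = os.urandom(32)
        ecdh_params = os.urandom(32)        # stand-in for the ephemeral ECDH public share
        signature = self.key_server.sign_server_key_exchange(
            client_random, server_random, ecdh_params)
        # The master secret is derived on the edge; the key server never sees it.
        master_secret = hashlib.sha256(client_random + server_random + ecdh_params).digest()
        return signature, self._issue_ticket(master_secret, now)

    def _issue_ticket(self, master_secret, now):
        body = struct.pack(">Q", now + self.ticket_lifetime_s) + master_secret
        mac = hmac.new(self.ticket_key, body, hashlib.sha256).digest()
        return body + mac

    def resume(self, ticket, now):
        """Abbreviated handshake: ticket check only, no key server involved.
        Returns the master secret, or None if the ticket is bad or expired."""
        body, mac = ticket[:-self.TICKET_MAC_LEN], ticket[-self.TICKET_MAC_LEN:]
        expected = hmac.new(self.ticket_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        expiry = struct.unpack(">Q", body[:8])[0]
        if now > expiry:
            return None
        return body[8:]


def scenario(ticket_lifetime_s, probe_delay_s):
    """Two full handshakes, then the provider ends online signing; report what
    still works probe_delay_s seconds after the cutoff."""
    ks = KeyServer()
    edge = Edge(ks, ticket_lifetime_s)
    t0 = 1_700_000_000                      # arbitrary epoch time for the model
    _, ticket = edge.full_handshake(os.urandom(32), t0)
    edge.full_handshake(os.urandom(32), t0)
    ks.enabled = False                      # provider cuts the CDN off
    try:
        edge.full_handshake(os.urandom(32), t0 + probe_delay_s)
        new_handshake_ok = True
    except PermissionError:
        new_handshake_ok = False
    resumed = edge.resume(ticket, t0 + probe_delay_s) is not None
    return {"signing_ops": ks.ops,
            "new_handshake_after_cutoff": new_handshake_ok,
            "resumption_after_cutoff": resumed}


if __name__ == "__main__":
    day = 24 * 3600
    print("1h tickets, probed 1 day after cutoff:", scenario(3600, day))
    print("30d tickets, probed 1 day after cutoff:", scenario(30 * day, day))
```

With one-hour tickets the cutoff is effective within the hour; with thirty-day tickets the edge keeps completing abbreviated handshakes for the sites' clients for a month without a single further key operation, which is the gap Watson's third question points at and why the ticket lifetime (or a ticket key the provider can rotate) belongs in the threat model alongside the remote signing interface.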