idnits 2.17.1 draft-cel-nfsv4-hash-tree-interchange-format-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (28 May 2021) is 1057 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 6962 (Obsoleted by RFC 9162) -- No information found for draft-jchapweske-thex - is the name correct? Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network File System Version 4 C. Lever, Ed. 3 Internet-Draft Oracle 4 Intended status: Standards Track 28 May 2021 5 Expires: 29 November 2021 7 Attestation of File Content using an X.509 Certificate 8 draft-cel-nfsv4-hash-tree-interchange-format-01 10 Abstract 12 This document describes a compact open format for transporting and 13 storing an abbreviated form of a cryptographically signed hash tree. 14 Receivers use this representation to reconstitute the hash tree and 15 verify the integrity of file content protected by that tree. 17 An X.509 certificate encapsulates and protects the hash tree metadata 18 and provides cryptographic provenance. Therefore this document 19 updates the Internet X.509 certificate profile specified in RFC 5280. 21 Note 23 This note is to be removed before publishing as an RFC. 25 Discussion of this draft occurs on the NFSv4 working group mailing 26 list (nfsv4@ietf.org), archived at 27 https://mailarchive.ietf.org/arch/browse/nfsv4/. Working Group 28 information is available at https://datatracker.ietf.org/wg/nfsv4/ 29 about/. 31 Submit suggestions and changes as pull requests at 32 https://github.com/chucklever/i-d-hash-tree-interchange-format. 33 Instructions are on that page. 35 Status of This Memo 37 This Internet-Draft is submitted in full conformance with the 38 provisions of BCP 78 and BCP 79. 40 Internet-Drafts are working documents of the Internet Engineering 41 Task Force (IETF). Note that other groups may also distribute 42 working documents as Internet-Drafts. The list of current Internet- 43 Drafts is at https://datatracker.ietf.org/drafts/current/. 45 Internet-Drafts are draft documents valid for a maximum of six months 46 and may be updated, replaced, or obsoleted by other documents at any 47 time. It is inappropriate to use Internet-Drafts as reference 48 material or to cite them other than as "work in progress." 49 This Internet-Draft will expire on 29 November 2021. 51 Copyright Notice 53 Copyright (c) 2021 IETF Trust and the persons identified as the 54 document authors. All rights reserved. 56 This document is subject to BCP 78 and the IETF Trust's Legal 57 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 58 license-info) in effect on the date of publication of this document. 59 Please review these documents carefully, as they describe your rights 60 and restrictions with respect to this document. Code Components 61 extracted from this document must include Simplified BSD License text 62 as described in Section 4.e of the Trust Legal Provisions and are 63 provided without warranty as described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 68 1.1. Combining These Solutions . . . . . . . . . . . . . . . . 4 69 1.2. Efficient Content Verification . . . . . . . . . . . . . 4 70 1.3. Related Work . . . . . . . . . . . . . . . . . . . . . . 5 71 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5 72 3. Hash Tree Metadata . . . . . . . . . . . . . . . . . . . . . 6 73 4. File Provenance Certificates . . . . . . . . . . . . . . . . 7 74 4.1. Root Hash . . . . . . . . . . . . . . . . . . . . . . . . 7 75 4.2. Divergence Factor . . . . . . . . . . . . . . . . . . . . 8 76 4.3. Tree Height . . . . . . . . . . . . . . . . . . . . . . . 8 77 4.4. Block Size . . . . . . . . . . . . . . . . . . . . . . . 8 78 4.5. Salt Value . . . . . . . . . . . . . . . . . . . . . . . 8 79 4.6. Validating Certificates and their Signatures . . . . . . 8 80 5. Implementation Status . . . . . . . . . . . . . . . . . . . . 8 81 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 82 6.1. X.509 Certificate Vulnerabilities . . . . . . . . . . . . 9 83 6.2. Hash Tree Collisions and Pre-Image Attacks . . . . . . . 9 84 6.3. File Content Vulnerabilities . . . . . . . . . . . . . . 9 85 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 86 7.1. Object Identifiers for Hash Tree Metadata . . . . . . . . 10 87 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 88 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 89 8.2. Informative References . . . . . . . . . . . . . . . . . 12 90 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 13 91 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13 93 1. Introduction 95 Linear hashing is a common technique for protecting the integrity of 96 data. A fixed-size hash, or digest, is computed over the bytes in a 97 data set using a deterministic and collision-resistant algorithm. An 98 example of such an algorithm is [FIPS.180-4]. 100 Filesystem designers often employ this technique to protect the 101 integrity of both individual files and filesystem metadata. For 102 instance, to protect an individual file's integrity, the filesystem 103 computes a digest from the beginning of its content to its end. The 104 filesystem then stores that digest along with the file content. The 105 integrity of that digest can be further protected by 106 cryptographically signing it. The filesystem recomputes the digest 107 when the file is retrieved and compares the locally-computed digest 108 with the saved digest to verify the file content. 110 Over time, linear hashing has proven to be an inadequate fit with the 111 way filesystems manage file content. A content verifier must read 112 the entire file to validate its digest. Reading whole files is not 113 onerous for small files, but reading a large file every time its 114 digest needs verification quickly becomes costly. 116 Filesystems read files from persistent storage in small pieces 117 (blocks) on demand to manage large files efficiently. When memory is 118 short, the system evicts these data blocks and then reads them again 119 when needed later. There is no physical guarantee that a subsequent 120 read of a particular block will give the same result as an earlier 121 one. Thus the initial verification of a file's becomes stale, 122 sometimes quickly. 124 To address this shortcoming, some have turned to hash trees 125 [Merkle88]. A hash tree leaf node contains the linear hash of a 126 portion of the protected content. Interior nodes in a hash tree 127 contain hashes of the nodes below them, up to the root node which 128 stores a hash of everything in the tree. Validating a leaf node 129 means validating only the portion of the file content protected by 130 that node and its parents in the hash tree. 132 Hash trees present a new challenge, however. Even when signed, a 133 single linear hash is the same size no matter how much content it 134 protects. The size of a hash tree, however, increases 135 logarithmically with the size of the content it protects. 137 Transporting and storing a hash tree can therefore be unwieldy. It 138 is particularly a problem for legacy storage formats that do not have 139 mechanisms to handle extensive amounts of variably-sized metadata. 140 Software distribution and packaging formats might not be flexible 141 enough to transport this possibly large amount of integrity data. 142 Backup mechanisms such as tar or rsync might be unable to handle 143 variably-sized metadata per file. 145 Moreover, we can readily extend network file storage protocols to 146 exchange a hash tree associated with every file. However, to support 147 such extensions, file servers and the ecosystems where they run must 148 be updated to manage and store this metadata. Thus it is not merely 149 an issue of enriching a file storage protocol to handle a new 150 metadata type. 152 1.1. Combining These Solutions 154 The root hash of a hash tree is itself a fixed-size piece of metadata 155 similar to a linear hash. The only disadvantage is that a verifier 156 must reconstitute the hash tree using the root hash and the file 157 content. However, if the verifier caches each tree on local trusted 158 storage, that is as good as storing the whole tree. The verifier can 159 then use the locally cached tree to validate portions of the file it 160 protects without reading each file repeatedly from remote or 161 untrusted durable storage. 163 To further insulate a root hash from unwanted change, an attestor can 164 protect it with a cryptographic signature. This cryptographic 165 protection then additionally covers the entire hash tree and the file 166 content it protects. 168 This integrity protection is independent of the file's storage format 169 and its underlying durable media. The file (and the root hash that 170 protects it) can be copied, transmitted over networks, or backed up 171 and restored while it remains protected end-to-end. 173 1.2. Efficient Content Verification 175 We now have a small fixed-size piece of metadata that can protect 176 potentially huge files. The trade-off is that the verifier must 177 reconstitute the hash tree during installation or on-demand. File 178 systems or remote filesystem clients can store or cache reconstituted 179 trees in: 181 * Volatile or non-volatile memory 183 * A secure database 185 * A private directory on a local filesystem 187 * A named attribute or stream associated with the file 188 An easily accessible copy of a file's hash tree enables frequent 189 verification of file content. Frequent verification protects that 190 content against unwanted changes due to local storage or copying 191 errors, malicious activity, or data retention issues. When 192 verification is efficient, it can take place as often as during every 193 file read operation. 195 The current document's unique contribution is the use of an X.509 v3 196 certificate to encapsulate the representation of a hash tree. The 197 purpose of encapsulation is to enable the hash tree metadata to be 198 exchanged and recognized broadly in the Internet community. 199 Therefore each certificate has to: 201 * Cryptographically protect the integrity of the hash tree metadata 203 * Bind the hash tree metadata to the authenticated identity of the 204 file content's attestor 206 * Provide for a broadly-supported standard set of cryptographic 207 algorithms 209 * Represent the hash tree data in a commonly recognized format that 210 is independent of storage media 212 1.3. Related Work 214 Granted in 1982, expired US patent 4309569 [Merkle82] covers the 215 construction of a tree of digests. Initially, these "Merkle trees" 216 helped improve the security of digital signatures. Later they were 217 used in storage integrity applications such as [Mykletun06]. They 218 have also found their way into other domains. [RFC6962], published 219 in 2013, uses Merkle trees to manage log auditing, for example. 221 A Tiger tree is a form of a hash tree often used by P2P protocols to 222 verify a file's integrity while in transit. The Tree Hash EXchange 223 format [THEX03]. enables the transmission of whole Tiger trees in an 224 XML format. The current document proposes similar usage where a 225 sidecar hash tree protects file content but reduces the integrity 226 metadata's size. 228 2. Requirements Language 230 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 231 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 232 "OPTIONAL" in this document are to be interpreted as described in 233 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 234 capitals, as shown here. 236 3. Hash Tree Metadata 238 Reconstituting a hash tree (as opposed to building a more generic 239 directed graph of hashes) requires the protected content, a basic set 240 of metadata, and an understanding of how to use the metadata to 241 reconstitute the hash tree: 243 * The algorithm used to compute the tree's digests 245 * The divergence factor (defined as one for a hash list and two for 246 binary hash trees) 248 * The tree height (from root to the lowest leaf node) 250 * The block size covered by each leaf node in the tree 252 * An optional salt value 254 More research might be needed to cover recent innovations in hash 255 tree construction; in particular, the use of prefixes to prevent 256 second pre-image attacks. 258 The digest algorithm used to construct the hash tree MUST match the 259 digest algorithm used to sign the certificate. Thus if SHA-2 is used 260 to construct the hash tree, the certificate signature is created with 261 SHA-2. The verifier then uses SHA-2 when validating the certificate 262 signature and reconstituting the hash tree. The object identifiers 263 for the supported algorithms and the methods for encoding public key 264 materials (public key and parameters) are specified in [RFC3279], 265 [RFC4055], and [RFC4491]. 267 The block size value of the tree is specified in octets. For 268 example, if the block size is 4096, then each leaf node of the hash 269 tree digests 4096 octets of the protected file (aligned on 4096-octet 270 boundaries). 272 The internal nodes are digests constructed from the hashes of two 273 adjacent child nodes up to the root node (further detail needed 274 here). The tree's height is the distance, counted in nodes, from the 275 root to the lowest leaf node. 277 The leaf nodes are ordered (left to right) by the file offset of the 278 block they protect. Thus, the left-most leaf node represents the 279 first block in the file, and the right-most leaf node represents the 280 final block in the file. 282 Some explanation of the salt value goes here. 284 Further, when computing each digest, an extra byte might be prefixed 285 to the pre-digested content to reduce the possibility of a second- 286 preimage attack. 288 4. File Provenance Certificates 290 RFC Editor: In the following subsections, please replace the letters 291 II once IANA has allocated this value. Furthermore, please remove 292 this Editor's Note before this document is published. 294 X.509 certificates are specified in [X.509]. The current document 295 extends the Internet X.509 certificate profile specified in [RFC5280] 296 to represent file content protected by hash tree metadata. 298 File provenance certificates are end-entity certificates. The 299 certificate's signature identifies the attestor and cryptographically 300 protects the hash tree metadata. 302 The Subject field MUST be an empty sequence. The SubjectAltName list 303 carries a filename and the root hash, encoded in a new otherName 304 type-ID, shown below. The current document requests allocation of 305 this new type-ID on the id-on arc, defined in Section 2 of [RFC7299]. 306 The following subsections describe how the fields in this new type-ID 307 are used. 309 310 id-pkix OBJECT IDENTIFIER ::= 311 { iso(1) identified-organization(3) dod(6) internet(1) 312 security(5) mechanisms(5) pkix(7) } 313 id-on OBJECT IDENTIFIER ::= { id-pkix 8 } 314 id-on-fileContentAttestation OBJECT IDENTIFIER ::= { id-on II } 315 FileContentAttestation ::= SEQUENCE { 316 treeRootDigest OCTET STRING, 317 treeDivergenceFactor INTEGER (1..2), 318 treeHeight INTEGER, 319 treeBlockSize INTEGER, 320 treeSaltValue OCTET STRING 321 } 322 324 4.1. Root Hash 326 The root digest field stores the digest that appears at the root of 327 the represented Merkle tree. The digest appears as a hexadecimal 328 integer. 330 4.2. Divergence Factor 332 The value in the tree divergence factor field represents the maximum 333 number of children nodes each node has in the represented Merkle 334 tree. A value of two, for example, means each node (except the leaf 335 nodes) has no more than two children. 337 4.3. Tree Height 339 The tree height field stores the distance from the represented Merkle 340 tree's root node to its lowest leaf node. A value of one, for 341 example, means the tree has a single level at the root. 343 4.4. Block Size 345 The block size field contains the number of file content bytes 346 represented by each digest (node) in the Merkle tree. A typical 347 value is 4096, meaning each node in the tree contains a digest of up 348 to 4096 bytes, starting on 4096-byte boundaries. 350 4.5. Salt Value 352 The tree salt value is a hexadecimal integer combined with the digest 353 values in some way that I have to look up. If the tree salt value is 354 zero, salting is not to be used when reconstituting the represented 355 Merkle tree. 357 4.6. Validating Certificates and their Signatures 359 When validating a certificate containing hash tree metadata, 360 validation MUST include the verification rules per Section 6 of 361 [RFC5280]. 363 The validator reconstitutes a hash tree using the presented file 364 content and the hash tree metadata in the certificate. If the root 365 hash of the reconstituted hash tree does not match the value 366 contained in the treeRootHash, then the validation fails. 368 5. Implementation Status 370 This section is to be removed before publishing as an RFC. 372 This section records the status of known implementations of the 373 protocol defined by this specification at the time of posting of this 374 Internet-Draft, and is based on a proposal described in [RFC7942]. 375 The description of implementations in this section is intended to 376 assist the IETF in its decision processes in progressing drafts to 377 RFCs. 379 Please note that the listing of any individual implementation here 380 does not imply endorsement by the IETF. Furthermore, no effort has 381 been spent to verify the information presented here that was supplied 382 by IETF contributors. This is not intended as, and must not be 383 construed to be, a catalog of available implementations or their 384 features. Readers are advised to note that other implementations may 385 exist. 387 There are no known implementations of the X.509 certificate 388 extensions described in the current document. 390 6. Security Considerations 392 6.1. X.509 Certificate Vulnerabilities 394 The file content and hash tree can be unpacked and then resigned by 395 someone who participates in the same web of trust as the original 396 content creator. Verifiers should consult appropriate certificate 397 revocation databases as part of validating attestor signatures to 398 mitigate this form of attack. 400 6.2. Hash Tree Collisions and Pre-Image Attacks 402 A typical attack against digest algorithms is a collision attack. 403 The usual mitigation for this form of attack is choosing a hash 404 algorithm known to be strong. Implementers SHOULD choose amongst 405 digest algorithms that are known to be resistant to pre-image 406 attacks. See [RFC4270] for a discussion of attacks on digest 407 algorithms typically used in Internet protocols. 409 Hash trees are subject to a particular type of collision attack 410 called a "second pre-image attack". Digest values in intermediate 411 nodes in a hash tree are generated from lower nodes. Executing a 412 collision attack to replace a subtree with content that hashes to the 413 same value does not change the root hash value and is more manageable 414 than replacing all of a file's content. This kind of attack can 415 occur independently of the strength of the tree's hash algorithm. 416 The tree height is included in the signed metadata to mitigate this 417 form of attack. 419 6.3. File Content Vulnerabilities 421 There are two broad categories of attacks on mechanisms that protect 422 the integrity of file content: 424 Overt corruption: An attacker makes the file's content dubious or 425 unusable (depending on the end system's security policies) by 426 corrupting either the file's content or its protective metadata in 427 a detectable manner. 429 Silent corruption: An attacker alters the file's content and its 430 protective metadata in synchrony such that any changes remain 431 undetected. 433 The goal of the current document's mechanism is to turn as many 434 instances of the latter as possible into the former, which are more 435 likely to identify corrupted content before it is consumed. 437 7. IANA Considerations 439 RFC Editor: In the following subsections, please replace RFC-TBD with 440 the RFC number assigned to this document, and please replace II with 441 the number assigned to this new type-ID. Furthermore, please remove 442 this Editor's Note before this document is published. 444 7.1. Object Identifiers for Hash Tree Metadata 446 Following the "Specification Required" policy as defined in 447 Section 4.6 of [RFC8126], the author of the current document requests 448 several new type-ID OIDs on the id-on arc defined in Section 2 of 449 [RFC7299]. The registry for this arc is maintained at the following 450 URL: https://www.iana.org/assignments/smi-numbers/smi- 451 numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8 453 Following [RFC5280], the current document requests newly-defined 454 objects in the following subsections using 1988 ASN.1 notation. 456 457 id-pkix OBJECT IDENTIFIER ::= 458 { iso(1) identified-organization(3) dod(6) internet(1) 459 security(5) mechanisms(5) pkix(7) } 460 id-on OBJECT IDENTIFIER ::= { id-pkix 8 } 461 id-on-fileContentAttestation OBJECT IDENTIFIER ::= { id-on II } 462 464 IANA should use the current document (RFC-TBD) as the reference for 465 these new entries. 467 8. References 469 8.1. Normative References 471 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 472 Requirement Levels", BCP 14, RFC 2119, 473 DOI 10.17487/RFC2119, March 1997, 474 . 476 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and 477 Identifiers for the Internet X.509 Public Key 478 Infrastructure Certificate and Certificate Revocation List 479 (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April 480 2002, . 482 [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional 483 Algorithms and Identifiers for RSA Cryptography for use in 484 the Internet X.509 Public Key Infrastructure Certificate 485 and Certificate Revocation List (CRL) Profile", RFC 4055, 486 DOI 10.17487/RFC4055, June 2005, 487 . 489 [RFC4491] Leontiev, S., Ed. and D. Shefanovski, Ed., "Using the GOST 490 R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 491 Algorithms with the Internet X.509 Public Key 492 Infrastructure Certificate and CRL Profile", RFC 4491, 493 DOI 10.17487/RFC4491, May 2006, 494 . 496 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 497 Housley, R., and W. Polk, "Internet X.509 Public Key 498 Infrastructure Certificate and Certificate Revocation List 499 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 500 . 502 [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 503 Code: The Implementation Status Section", BCP 205, 504 RFC 7942, DOI 10.17487/RFC7942, July 2016, 505 . 507 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 508 Writing an IANA Considerations Section in RFCs", BCP 26, 509 RFC 8126, DOI 10.17487/RFC8126, June 2017, 510 . 512 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 513 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 514 May 2017, . 516 [X.509] International Telephone and Telegraph Consultative 517 Committee, "ITU-T X.509 - Information technology - The 518 Directory: Public-key and attribute certificate 519 frameworks.", ISO/IEC 9594-8, CCITT Recommendation X.509, 520 October 2019. 522 8.2. Informative References 524 [FIPS.180-4] 525 National Institute of Standards and Technology, "Secure 526 Hash Standard, Federal Information Processing Standards 527 Publication FIPS PUB 180-4", FIPS PUB 180-4, 528 DOI 10.6028/NIST.FIPS.180-4, August 2015, 529 . 531 [Merkle82] Merkle, R., "Method of providing digital signatures", US 532 Patent Office 4309569, January 1982. 534 [Merkle88] Merkle, R., "A Digital Signature Based on a Conventional 535 Encryption Function", Advances in Cryptography CRYPTO '87, 536 Lecture Notes in Computer Science 293, pp. 369-378, 537 DOI 10.1007/3-540-48184-2_32, ISBN 978-3-540-18796-7, 538 1988, . 540 [Mykletun06] 541 Mykletun, E., Maithili, M., and G. Tsudik, "Providing 542 Authentication and Integrity in Outsourced Databases using 543 Merkle Hash Tree's", ACM Transactions on Storage, 544 DOI 10.1145/1149976.1149977, May 2006, 545 . 547 [RFC4270] Hoffman, P. and B. Schneier, "Attacks on Cryptographic 548 Hashes in Internet Protocols", RFC 4270, 549 DOI 10.17487/RFC4270, November 2005, 550 . 552 [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate 553 Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013, 554 . 556 [RFC7299] Housley, R., "Object Identifier Registry for the PKIX 557 Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014, 558 . 560 [THEX03] Chapweske, J. and G. Mohr, "Tree Hash EXchange format 561 (THEX)", 4 March 2003, . 564 Acknowledgments 566 The editor is grateful to Bill Baker, Eric Biggers, James Bottomley, 567 Russ Housley, Benjamin Kaduk, Rick Macklem, Greg Marsden, Paul Moore, 568 Martin Thomson, and Mimi Zohar for their input and support. 570 Finally, special thanks to Transport Area Directors Martin Duke and 571 Zaheduzzaman Sarker, NFSV4 Working Group Chairs David Noveck and 572 Brian Pawlowski, and NFSV4 Working Group Secretary Thomas Haynes for 573 their guidance and oversight. 575 Author's Address 577 Charles Lever (editor) 578 Oracle Corporation 579 United States of America 581 Email: chuck.lever@oracle.com