Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A22FC15106C; Tue, 9 Jul 2024 14:54:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.107 X-Spam-Level: X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mWXHcesHqy6K; Tue, 9 Jul 2024 14:54:31 -0700 (PDT) Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B21C4C14F712; Tue, 9 Jul 2024 14:54:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=10226; q=dns/txt; s=VRSN; t=1720562071; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=Ozrkw4bY64PXwdc02DCHDglG5oByRUpbrad6BvU/0Gk=; b=HxAK+lF+N53SHdnaUGR/bOH8R8G7zn2GK+hJOkjY/XFg8KzifB8CALEW LS+jKgh1/dIHI03x6TDd3V8Uohsdy6CtYvSv7jGf4ij2+A7RZZxftOAiE f0/OZb8/kiULYrBmItJbeBpMaO1Y9SD/C0iJk/lYnRf08ViG81RNPkBAT HhmYgBiXIBhDkHeYunt/S774edcnY9r3LfaRF2WdLBKwxoAh9iZEiNhJN eYfT7yH+C8fzbRj8Ht+yUgGcnt/5ly8mwZAfUlGReEWj8owPevH6QHw3e ZBwGIvcgxMXiLr7WwQ/pHH8GnPLfZS2LzS0JlnpSJPsd6BgGyq2dkEUhX w==; X-CSE-ConnectionGUID: nWLmyW4xQK6EzxaXXqAcXA== X-CSE-MsgGUID: RgM3Ra6QQ1WjxmzTn+hH9w== X-ThreatScanner-Verdict: Negative IronPort-Data: A9a23:HYZKBqNkt6ro58PvrR3XkMFynXyQoLVcMsEvi/8bNHDolHp+jmZWi jtAB3bGYazJZX+2Io4oOcnztx82DaSljYs6FVdy7S52J54hgZXOWN7Edh/9NX2bcMfOEUw25 sgXM4edfc1qRHKG/EukOOKw83cthKvTGbGiUuOaNi1/SAQ1GHZw10g9keUy3YAAbbSRChuVv dL5qtHeP1niwz1/KT1R8KOMrhpzoe7/0N89lgVWiadj4AWGxhH5da43Jb2tNym/BY5fBfb8S +fMzbq05H+f9BAoUnlMOF/GGnHmOYU+QTWzonpKR7DwxV9apS131a0gLLwQaEhWgDiTg5Z6z 9AVmN/ow+/hb63QhPxPFBJRGCxke7ZX/bbaPXj5usuWiEjecHqrz/RhDUo7J5EToP13CHtD+ ecdKTUAZRnFjPiqmNqHppJXargewLPDZMVH0kxIzS3FFe10BtfcXLqM6d5X3Tw9nNwIFvHbI OEhUmLFhb89IEXl0/z3YK7S59xE8UQTCRUE7gr9mII3/3TL1142l6fyL5zZe9OLTshPggCTo WeB5XzwRwwTbLSjJUG+HgWRapXnwWWjML86FKGk7uU4xxqM2XNVBBwZVFC2u+X/gUm7HMhHI gkJ83IExZTej3dHOeQRJTXk5ibsgyMhZjZwLwEbwAvdkvGJvgrGCzNdFmZKN4R268Q9HmUni gCEwYO5CTJj7OTFGHmQyOyZ/Gi4UcQ3wc3uRgdfFFdYvIOzyG0XpkiSJjq2OPft1rUZIRmpn nbX6nF43+hO5SIy//3T1UjdhD6xrYT+QAcw5wHGNkqo9QoRiLSNPuRE0nCFq64RRGqlZgPZ5 iRcxJDPtLxm4aylz0Rhfs1cRNlF2N7YaFUwsXY3d7E9+jKk/WKUfIw4yFlWOEdzP88YTiTia UnVtBk5zMc70KyCNPIfjyqZUqzG/IC4fTjXfqm8gulmO/CdQDS6EBRGPiZ86Ui2yRRxzvtvU XusWZ3E4X4yUcyLxRLoH7tNiedDKioWnQs/Trijp/irPCb3iNd4ht7pPXPXBt3V4p9ory3Tz PJaJvTW2yx8DsDsciDnwZc6JmAjeC1T6ZDe86S7d8apGCw/J0cMO6eLh60qfJZ92a1Z0PnS5 Xf7UUhdoLb9rSSfb1zVMTY6NeipAccXQXETZETAOX6kxHU4eour948BeoE2Zrgo8qpoyvsco /wtIJ/bXK4QFmWvFzI1V5bY97ZrKi2S3D2MLy+3XD58f74xWFmckjPjVk61nMUUNQK7s9A5u 5Wh2x/VB50ZSGxKANzfZu7qzl6tsz0Rnvl1Rw7EJdxaeUOp7oVwKiLwhfYrIsYKbAnOzTuc1 h+LDAwwpOTRrcky6tahuEyfh42zFbJhGEdKRzOe9qiscyzb5S+pxslKSuDROy7HT2Wy86KnD QlI88zB3DQ8tA4im+JB/3xDlMrSO/OHS2dm8zlZ IronPort-HdrOrdr: A9a23:1RYrhqC+RB3+8NPlHemP55DYdb4zR+YMi2TDj3oBLSC8cqSj+/ xG785rsiMc6QxhIk3I9urhBEDtexnhHNtOkOws1NSZLXTbUQmTXeJfBOLZqlWKJ8S9zJ8+6U 4KScdD4ajLbGSS+vyV3ODXKbsdKZK8gcaVbK/lvg5QpZEDUdAZ0+5WMHfhLnFL X-Talos-CUID: 9a23:K3yefW97a8k+pJ7yQiGVv0grPsU0TSHN9VSODl2oAFZZUZSeeXbFrQ== X-Talos-MUID: 9a23:lpLkhgSCYMyAp0FORXTWixQ5Ds422p33N0IdlIc6vYqEFX1vbmI= X-IronPort-AV: E=Sophos;i="6.09,196,1716249600"; d="p7s'346?scan'346,208,346";a="32362749" Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.37; Tue, 9 Jul 2024 17:54:29 -0400 Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2507.037; Tue, 9 Jul 2024 17:54:29 -0400 From: "Wessels, Duane" To: dnsop Thread-Topic: [EXTERNAL] [DNSOP] Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt Thread-Index: AQHa0aKKJzVCsfS8C0u53eO9HP5/+bHvNOEA Date: Tue, 9 Jul 2024 21:54:28 +0000 Message-ID: <1E8C3D2F-0F69-4A4F-B29B-C4EA9A5566F3@verisign.com> References: <172047471396.458153.12797163404923712142@dt-datatracker-5f88556585-j5r2h> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3774.600.62) x-originating-ip: [10.170.148.18] Content-Type: multipart/signed; boundary="Apple-Mail=_B56ABE76-CEA4-419E-BA34-7BBEAC217C4C"; protocol="application/pkcs7-signature"; micalg=sha-256 MIME-Version: 1.0 Message-ID-Hash: 5V7HHULJXFIV3QGTVFZF3LCNJ52K2YCJ X-Message-ID-Hash: 5V7HHULJXFIV3QGTVFZF3LCNJ52K2YCJ X-MailFrom: dwessels@verisign.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: "draft-ietf-dnsop-domain-verification-techniques@ietf.org" X-Mailman-Version: 3.3.9rc4 Precedence: list Subject: =?utf-8?q?=5BDNSOP=5D_Re=3A_Fwd=3A_New_Version_Notification_-_draft-ietf-dns?= =?utf-8?q?op-domain-verification-techniques-05=2Etxt?= List-Id: IETF DNSOP WG mailing list Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --Apple-Mail=_B56ABE76-CEA4-419E-BA34-7BBEAC217C4C Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 I read through draft-ietf-dnsop-domain-verification-techniques-05 and = have a few minor comments / suggestions. > this may result in IP fragmentation, which often does not work While it=E2=80=99s true we have come to agree that fragmentation is bad = for DNS, I think =E2=80=9Coften does not work=E2=80=9D overstates the = situation. I=E2=80=99d say it works more often than not and I don=E2=80=99= t see draft-ietf-dnsop-avoid-fragmentation making the case that = fragmentation does not work. =20 > Depending on message size limits configured or being negotiated, it > may alternatively cause the DNS server to "truncate" the UDP response > and force the DNS client to re-try the query over TCP in order to get > the full response. Not all networks properly transport DNS over TCP > and some DNS software mistakenly believe TCP support is optional > ([RFC9210]). I have mixed feelings about this. While perhaps factually true, I think = broken DNS-over-TCP shouldn=E2=80=99t be a reason for not lumping = validation records together. There are other valid reasons to avoid = that practice and networks with broken DNS-over-TCP shouldn=E2=80=99t be = coddled. > When multiple distinct services create domain Validation Records at > the same domain name, services don=E2=80=99t create records, users/administrators do. Maybe = reword as =E2=80=9CWhen multiple distinct services specify placing = domain Validation Records at the same =E2=80=A6=E2=80=9D > The presence of a Validation Record with a predictable domain name > (either as a TXT record for the exact domain name where control is > being validated or with a well-known label) can allow attackers to > enumerate utilized set of Application Service Providers. Not sure I buy this argument. Doesn=E2=80=99t the draft recommend using = predictable names anyway, just one per provider? > 1) A domain name related to the domain name being validated 2) A > Validation Record, either directly in RDATA or as the target of a > CNAME (or chain of CNAMEs) It=E2=80=99s not clear to me if this an =E2=80=9COR=E2=80=9D list or an = =E2=80=9CAND=E2=80=9D list? > because base64 relies mixed case "utilizes mixed case=E2=80=9D? > Application owners SHOULD consult the IANA "Underscored and Globally > Scoped DNS Node Names" registry [UNDERSCORE-REGISTRY] to confirm > there are no collisions with existing entries. maybe this could be less passive as =E2=80=9Cconsult =E2=80=A6 and avoid = using underscore labels that already exist in the registry=E2=80=9D? > either the RDATA or a domain name > The RECOMMENDED format for a Validation Record's domain name is >=20 Here and in numerous other places I think =E2=80=9Cdomain name=E2=80=9D = might be better as =E2=80=9Cowner name=E2=80=9D. i.e.: "the owner name = of a validation record" > without having to hand over full DNS access what is DNS access? ;-) > by letting the Intermediary place the random token in their DNS in their zone? > APIs SHOULD be used to relay instructions. Not sure I follow this. An API to relay instructions? > TTL Considerations If I were writing software to verify domain control, I probably = wouldn=E2=80=99t use a caching resolver. I=E2=80=99d just send queries = to authoritative name servers to avoid caching. The draft doesn=E2=80=99t= seem to have any thoughts on this one way or the other? > CNAME Records for Domain Control Validation I think the document could be more clear or explicit that a CNAME target = must exist. i.e., a random token in the owner name of a CNAME record is = not sufficient and such a CNAME whose target does not exist should be = treated as a failure, right? > Application Service Providers MAY include the random token in a > domain name that is related to the domain name being validated. An proposed rewording: Application Service Providers MAY specify that a = random token be included in the owner name of a validation record. DW --Apple-Mail=_B56ABE76-CEA4-419E-BA34-7BBEAC217C4C Content-Disposition: attachment; filename="smime.p7s" Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCDOMw ggYfMIIFB6ADAgECAhADuA0Dc6a64oQdstGwJ3SrMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNVBAYT AlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAi BgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBHMjAeFw0xOTA2MDQxMjM2MjBaFw0yOTA2 MDQxMjM2MjBaMG8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFHMEUGA1UE AxM+RGlnaUNlcnQgUEtJIFBsYXRmb3JtIEMyIFNoYXJlZCBTTUlNRSBJbmRpdmlkdWFsIFN1YnNj cmliZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmay8IyCiMMl3lgLo6BSrd LBKvx0U1KZR/8PzvS/rsZDBQJLuVgmOTaBxUrNqo9WtejI9me5HihbHKE9BtydcyC8f+8cOQOX3h Ojs0SZr2P9eXAR8SWf0p/Q/1NkYRorjjPo4z0RovEnX/cl0of7Cny0fW65tMBt/exaxQTso6Ea1i RF9U8bf6ZsFkevsNt1WKSY9X/QvWUhfoZb4fsoa8JUZkJMzb12wS/cLnWhaO5G7cqZ+E2KqhuqlP CrlUGFNVuaPcGsuZRy2X1ByMgA4VIIwNNG0RlPa+KSqpixO6RK7kWTlt5BGhgtKw7MnuDcLtM2Bc SyaPIEqZnapn5qf7AgMBAAGjggK/MIICuzAdBgNVHQ4EFgQU3LcfIDF0S5Qadq2Dgq34xqPwRF8w HwYDVR0jBBgwFoAUzsNKuZlV8rjbYL+pfr1WtZc2p9YwDgYDVR0PAQH/BAQDAgGGMEwGA1UdJQRF MEMGCCsGAQUFBwMCBggrBgEFBQcDBAYKKwYBBAGCNwoDBAYKKwYBBAGCNxQCAgYKKwYBBAGCNwoD DAYJKoZIhvcvAQEFMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUF BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9j cmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RHMi5jcmwwOqA4oDaGNGh0dHA6 Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RHMi5jcmwwggEiBgNVHSAE ggEZMIIBFTCCAREGCWCGSAGG/WwFAjCCAQIwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2lj ZXJ0LmNvbS9DUFMwgdUGCCsGAQUFBwICMIHIDIHFQW55IHVzZSBvZiB0aGlzIENlcnRpZmljYXRl IGNvbnN0aXR1dGVzIGFjY2VwdGFuY2Ugb2YgdGhlIERpZ2lDZXJ0IENQL0NQUyBhbmQgUmVseWlu ZyBQYXJ0eSBBZ3JlZW1lbnQgd2hpY2ggbGltaXQgbGlhYmlsaXR5IGFuZCBhcmUgaW5jb3Jwb3Jh dGVkIGhlcmVpbiBieSByZWZlcmVuY2UuIGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9ycGEtdWEw JwYDVR0RBCAwHqQcMBoxGDAWBgNVBAMTD0RpZ2lDZXJ0UEtJLTMtMjANBgkqhkiG9w0BAQsFAAOC AQEAFTczZjttMnThPMxQyeeuZ/VeQHCNNqxCze644O19xXE0Wt3qBx1VRU/QdL4kPtAWvg9sMHhQ tLvp9ySna4uF5+ffFQeHUbX12yBrfmgATdKHP2noPeyVCXnculSqsF/F/854dBW9Z1jfMtvxp/qb TPOf9d5d1mxt+mJ4sDfvd0wl3U2wVCJMUbSXjs8alHeU6ematIwXios5sn2cQcIpMtm/ySjYvhh4 G1DMUrQdpJZTBovuXh8yA3Urq8ZgmBd6mzem450LB48fa6TQyRUZJfr26Ke8EOrBEKLovi+iTCMQ bQsR+4TEsJlJBPemkwqpcfI4V3GVYQjq63ECC2ftATCCBrwwggWkoAMCAQICEG96Ti5wikJJD/YE pfvbQ1AwDQYJKoZIhvcNAQELBQAwbzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJ bmMuMUcwRQYDVQQDEz5EaWdpQ2VydCBQS0kgUGxhdGZvcm0gQzIgU2hhcmVkIFNNSU1FIEluZGl2 aWR1YWwgU3Vic2NyaWJlciBDQTAeFw0yNDAzMTIwMDAwMDBaFw0yNTAzMTIyMzU5NTlaMHMxJDAi BgkqhkiG9w0BCQEWFWR3ZXNzZWxzQHZlcmlzaWduLmNvbTEXMBUGA1UEAwwOV2Vzc2VscywgRHVh bmUxFzAVBgNVBAoMDlZlcmlTaWduLCBJbmMuMRkwFwYDVQRhExBOVFJVUytERS0yNDk3ODg2MIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp6f6DDqCZoN6s0fj/3oJhQz2Y9vZcqztUK48 reEBuPUR135r2BV6xod4tnwa8VuYlL2pukw7BjjcduT0sxTfzJd8gFyzBTHUqYe2Cu3SXcfazjcV nZ8W1Hvb1AIRYQohvs92AjGy86myOjmD0tUCKnQ5+yZtBjt+bkDfsICaiJ4Q9I5RLFuJDbONGKoo jL45SnxH+zZnNlgraCCCcS2WbmWx8G8E96+e1FeHXl9AdGDVloTGvMhd+68xZZfbbKo9xo0OrgxW bNXeX57AyzWcAlh/1C1oM3YQllu33uo2T4kjE2vK4dVfG1fUPkHwvSxKAqk75s5lpQDtB1cxmPKq eQIDAQABo4IDTjCCA0owDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBaAwFgYDVR0lAQH/BAww CgYIKwYBBQUHAwQwIAYDVR0RBBkwF4EVZHdlc3NlbHNAdmVyaXNpZ24uY29tMB8GA1UdIwQYMBaA FNy3HyAxdEuUGnatg4Kt+Maj8ERfMH8GCCsGAQUFBwEBBHMwcTAoBggrBgEFBQcwAYYcaHR0cDov L3BraS1vY3NwLmRpZ2ljZXJ0LmNvbTBFBggrBgEFBQcwAoY5aHR0cDovL2NhY2VyLnN5bWF1dGgu Y29tL21wa2kvZGlnaWNlcnRjMnNoYXJlZHNtaW1lY2EuY3J0MF0GA1UdHwRWMFQwUqBQoE6GTGh0 dHA6Ly9wa2ktY3JsLnN5bWF1dGguY29tL2NhXzRiNWQ1ZmQzYjI2NTFiMzUyMjkwZTM2NDZhYmNj MDAxL0xhdGVzdENSTC5jcmwwggEgBgNVHSAEggEXMIIBEzCCAQ8GB2eBDAEFAwEwggECMCgGCCsG AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIHVBggrBgEFBQcCAjCByAyBxUFu eSB1c2Ugb2YgdGhpcyBDZXJ0aWZpY2F0ZSBjb25zdGl0dXRlcyBhY2NlcHRhbmNlIG9mIHRoZSBE aWdpQ2VydCBDUC9DUFMgYW5kIFJlbHlpbmcgUGFydHkgQWdyZWVtZW50IHdoaWNoIGxpbWl0IGxp YWJpbGl0eSBhbmQgYXJlIGluY29ycG9yYXRlZCBoZXJlaW4gYnkgcmVmZXJlbmNlLiBodHRwczov L3d3dy5kaWdpY2VydC5jb20vcnBhLXVhMEIGCSqGSIb3DQEJDwQ1MDMwCgYIKoZIhvcNAwcwCwYJ YIZIAWUDBAECMAsGCWCGSAFlAwQBFjALBglghkgBZQMEASowLQYKYIZIAYb4RQEQAwQfMB0GE2CG SAGG+EUBEAECAgEBg77+/2kWBjI0NzY2NDA5BgpghkgBhvhFARAFBCswKQIBABYkYUhSMGNITTZM eTl3YTJrdGNtRXVjM2x0WVhWMGFDNWpiMjA9MB0GA1UdDgQWBBSyfbhEdhXJecsF8oRoVWZQxTsf uTANBgkqhkiG9w0BAQsFAAOCAQEACYAc5l5KKlqjGXeZl9fDfU0/QZjBg6N8Ih51Hw4Y6h1H2Jg9 D1UctglWpRAAYZ/WpGhWtYUw7hyFr1b+SUAcrjuvhguq633bb5AbJDhS0X6SyLHLQ45/Bl9pBKIG +Fou/qWWJ8zoQPiYJ3+ykJtqaLqsxVotrzHOz5pXPBFhzEuG3pq9AnwXw1wV8Uk761ElNCc2mqlW DW0jlwkh2wSyoL0CWhIvPKtghXPE4kxtbLoLWgCRkSc11W4fLUdqzVeLHMmt62TjDRN2koMiOts5 Uf7VnB/OmoSH92tAg5TX471QloFzGi8pxu6Bu/5PCsZXaDIjdUq+oS5MFfanFCpksjGCA0wwggNI AgEBMIGDMG8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFHMEUGA1UEAxM+ RGlnaUNlcnQgUEtJIFBsYXRmb3JtIEMyIFNoYXJlZCBTTUlNRSBJbmRpdmlkdWFsIFN1YnNjcmli ZXIgQ0ECEG96Ti5wikJJD/YEpfvbQ1AwDQYJYIZIAWUDBAIBBQCgggGZMBgGCSqGSIb3DQEJAzEL BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTI0MDcwOTIxNTQxOFowLwYJKoZIhvcNAQkEMSIE IF9dqL+g3uscV17it5QclUGdMnF7dhXU7/mBE+QHr2FMMIGUBgkrBgEEAYI3EAQxgYYwgYMwbzEL MAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMUcwRQYDVQQDEz5EaWdpQ2VydCBQ S0kgUGxhdGZvcm0gQzIgU2hhcmVkIFNNSU1FIEluZGl2aWR1YWwgU3Vic2NyaWJlciBDQQIQb3pO LnCKQkkP9gSl+9tDUDCBlgYLKoZIhvcNAQkQAgsxgYaggYMwbzELMAkGA1UEBhMCVVMxFzAVBgNV BAoTDkRpZ2lDZXJ0LCBJbmMuMUcwRQYDVQQDEz5EaWdpQ2VydCBQS0kgUGxhdGZvcm0gQzIgU2hh cmVkIFNNSU1FIEluZGl2aWR1YWwgU3Vic2NyaWJlciBDQQIQb3pOLnCKQkkP9gSl+9tDUDANBgkq hkiG9w0BAQsFAASCAQBjiOUY0qtcj3w0610MBYBHJEqIaP2BCqaePB6zwD3JLCRBMTXtwUN/8dU+ ZVnSPL5XjRwc8AsQW9qO5KVcezbxfpc/f6bKatyKRhHdhM9YxgYJqkOT6ct+bju7ZoS9I2wqDLtU t7zVqLKEz7yhPIMr70DYfoSlCTq0b2kv73Ybp28WFIgOMzwFK5lPGe6YUHPuRGtC8kS8T2E6BMNa PotwU3RCmAj3zFz1SAc4J84+6PN9FyRpuczrgGna3DC9yjEnVP8+EotteHiM8L6u3uLMPmG9Bo7q X4LWMmLuqw6H7z/AWCKXALIpl+bzjh/1rr3OuUCKV1qwBFEYRrAb8GkKAAAAAAAA --Apple-Mail=_B56ABE76-CEA4-419E-BA34-7BBEAC217C4C--