Re: [Ecrit] planned-changes: two questions
Randall Gellens <rg+ietf@randy.pensive.org> Thu, 02 September 2021 21:45 UTC
Return-Path: <rg+ietf@randy.pensive.org>
X-Original-To: ecrit@ietfa.amsl.com
Delivered-To: ecrit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3BA83A12DB for <ecrit@ietfa.amsl.com>; Thu, 2 Sep 2021 14:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_FORGED_RELAY_MUA_TO_MX=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHn0bM2pikHB for <ecrit@ietfa.amsl.com>; Thu, 2 Sep 2021 14:45:18 -0700 (PDT)
Received: from turing.pensive.org (turing.pensive.org [99.111.97.161]) by ietfa.amsl.com (Postfix) with ESMTP id 0CE243A12D2 for <ecrit@ietf.org>; Thu, 2 Sep 2021 14:45:17 -0700 (PDT)
Received: from [99.111.97.181] (99.111.97.161) by turing.pensive.org with ESMTP (EIMS X 3.3.9); Thu, 2 Sep 2021 14:45:17 -0700
From: Randall Gellens <rg+ietf@randy.pensive.org>
To: Brian Rosen <br@brianrosen.net>
Cc: "Caron, Guy" <g.caron@bell.ca>, ECRIT <ecrit@ietf.org>
Date: Thu, 02 Sep 2021 14:45:17 -0700
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <0DC4690F-1FE7-4249-98CB-C17877EF902A@randy.pensive.org>
In-Reply-To: <7C4F6B87-C480-4963-B582-7639A9A1B029@brianrosen.net>
References: <A0FC259C-DF34-4496-9013-422006278DA6@randy.pensive.org> <FB2A33E8-E146-404B-B150-1496C40510EF@brianrosen.net> <5577e2e6daa4405bbe12ef61675e1f55@bell.ca> <DE195D79-5A01-48EE-95CA-6C4B82E0886D@brianrosen.net> <e6e17f501711441188119cdfbe384d3d@bell.ca> <3AD58DEC-1DC9-4BC0-B55C-4E782E4AAA74@brianrosen.net> <E20342E7-2EFB-4479-96C2-85B4B7E16989@randy.pensive.org> <A7D59E8E-A014-4CC8-A0FF-5F58E81C6D4A@brianrosen.net> <2b4abbef37be4131a87471af75b6e7da@bell.ca> <CF2E8EDC-B38D-4742-B317-F3CE3E831578@brianrosen.net> <f82108f590674341a22da9c2e4c649e0@bell.ca> <7C4F6B87-C480-4963-B582-7639A9A1B029@brianrosen.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_38C4370E-C079-4A6A-959C-D92BE59A852E_="
Embedded-HTML: [{"HTML":[1117, 63004], "plain":[786, 18901], "uuid":"2A707270-0A2B-4B81-B9AC-F68F75294BD2"}]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ecrit/3g6qbfTo-fpxDWc591ILcm3CtRg>
Subject: Re: [Ecrit] planned-changes: two questions
X-BeenThere: ecrit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Emergency Context Resolution with Internet Technologies <ecrit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ecrit/>
List-Post: <mailto:ecrit@ietf.org>
List-Help: <mailto:ecrit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Sep 2021 21:45:24 -0000
I think a simpler approach is that when a query includes a URI, before returning the response, the server POSTS to the URI. If it receives a success response, it stores the URI and returns the response. If it receives a non-success response, it informs the client that the URI was not stored. We can use uriNotStored or have a new warning such as uriTestFailure. This way, the server does not need to maintain a pending URI and retry the test, and the client knows immediately if there's a problem. Presumably, if the URI is bogus, the URI host will not return a success result. I think that should be good enough, but if we want stronger protection, we could tie in the TLS authentication when the server does the POST. --Randall On 2 Sep 2021, at 14:29, Brian Rosen wrote: > > On Sep 2, 2021, at 3:48 PM, Caron, Guy <g.caron@bell.ca> wrote: >> >> Inline under [GC]. >> >> If you agree with my comments inline below, here is how I see the >> process (building on what Randall initially provided on this thread): >> >> 1) In a validation query, a Client can request to be notified when >> the proffered LI should be revalidated, and provides a URI to send >> the notifications to; >> 2) In the validation response, the Server provides an ID that the >> Client associates with the LI it just validated; >> 3) Immediately thereafter, the Server sends a ‘test’ notification >> to the URI, without any ID;\ > [br[For every new ID? Or just once? I wanted this to be a one time > registration. >> 4) The recipient at the URI is expected to respond with the ID >> provided in step 2. If it does, the Server stores the URI for future >> notifications. If it does not, the Server [let’s pick one: reject >> silently the URI and block the Client permanently/provides a >> ‘uriNotStored’ warning response to the URI {not compatible with >> the current proposal to test outside of LoST}/reject silently the URI >> and block the Client temporarily/other?]; > [br]I don’t think an explicit failure is a problem. The LoST server > can limit retries if it needs to. > > >> 5) Some time after, the Server notifies the Client of an upcoming >> planned change by sending a notification to the successfully tested >> URI with the location ID; >> 6) The client revalidates each LI in its database that matches the ID >> as of the date of the planned change. If no ID matches, it is a no-op >> at the Client. Revalidations may also result in no-op at the Client. >> 7) LIs at the Client that are invalidated by the planned change are >> modified in its database to be valid (which probably mean another >> revalidation cycle) with an effective date set to <revalidateAsoF> >> value. > [br]I wanted periodic keep alives. How would that work? >> >> Guy >> >> De : Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> >> Envoyé : 1 septembre 2021 19:17 >> À : Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>> >> Cc : Randall Gellens <rg+ietf@randy.pensive.org >> <mailto:rg+ietf@randy.pensive.org>>; ECRIT <ecrit@ietf.org >> <mailto:ecrit@ietf.org>> >> Objet : [EXT]Re: [Ecrit] planned-changes: two questions >> >> Inline >> >> >> On Sep 1, 2021, at 3:28 PM, Caron, Guy <g.caron@bell.ca >> <mailto:g.caron@bell.ca>> wrote: >> >> Ok. You have convinced me of the necessity of validating the URI >> before the Server stores it and that the security considerations in >> RFC5222 do not cover this threat. >> >> I observe that this vulnerability was already mentioned in the >> Security section of the planned-changes draft: >> >> The server is subject to abuse by clients because it is being asked >> to store something and may need to send data to an uncontrolled URI. >> >> However, the original threat vector and associated response is >> probably insufficient to cover the DoS you raised, hence this new >> proposal to test the URI. >> >> So, I’m conceptually favorable to adding a mechanism to test the >> URI before being stored by the Server. >> Good >> >> >> >> I would like this mechanism to be as simple as possible and I think >> the goals can be achieved by testing the URI and receiving a response >> with at least one of the IDs previously supplied by the Server. I >> would leave it to policy at the Server to determine when and how >> often the URIs would be tested, with a recommendation (MUST? SHOULD?) >> to test it upon reception before storing it. >> I think you are suggesting we add text that says the LoST server can >> send a notification to the LoST client that has no changes, and just >> serves as a keep alive. I’m sure we can make that work but >> generally, I find this kind of implicit test to be less satisfactory >> than an explicit keep alive transaction. I get that an actual >> change may not be seen as a change to the client, and thus it works >> with no real code, but it doesn’t seem as clean as an explicit keep >> alive. I’d be interested in herring from others on that >> [GC] Could we not, for example, declare a value/element/attribute >> 'test' to be passed in the notification with no IDs? Would that meet >> your idea of an explicit test mechanism? > [br] I suppose. Doesn’t seem much different than a parameter to the > findService, but I’m okay with it >> >> >> >> We probably need to say something about what to do if the URI test >> fails. Do we inform the Client that provided the URI that it may have >> been compromised? Do we simply drop the URI silently? Do we block the >> Client that provided the URI entirely? >> At minimum wait and try again, the client could be down for a while. >> I would not allow a lot of location records to be marked with the URI >> that didn’t test valid. >> >> I am somewhat leery of creating circumstances where the client has to >> go through and revalidate it’s entire record set because the >> mechanism failed in some way. There clearly would be circumstances >> where that happened, but missing a keep alive shouldn’t be one of >> them. The initial one however should be a hard block. If you >> can’t get the first ID returned, then we have to not accept other >> registrations. >> [GC] On a second thought, what's the value of testing the URI after >> the first test? If it passed, it's valid and the Server stores it for >> use when a planned change occurs. If after that and for some reason, >> the Client is not responsive to the notification, does the Server >> care? > Generally when we have things that don’t do anything for months and > then we need it, I would like to see periodic keep alives. Things > change on both sides and both sides have a vested interest in making > sure the mechanism works when they need it. >> >> >> >> I’m not sure if the <command> thing is necessary since it requires >> the Server to keep state. I would think that if the URI has been >> tested and stored, it means it is active and valid until it is >> deleted through the reception of an empty <plannedChange> for >> example, or replaced through the reception of a new URI in >> <plannedChange>. >> I don’t think there is any server state other than the URI is >> valid. Each transaction stands alone. >> >> Without the delete, you can’t remove one location record from the >> set that gets notified of planned changes. You can change the URI, >> but that changes it for all notifications. >> [GC] Why? A Client that no longer wants to be notified for a given ID >> sends an empty <plannedChange> for the LI it no longer has. If that >> ID at the Server is associated with only one location (say one >> specific civic number), it deletes the Client's URI. If it is >> associated with more than one record (say a range of civic numbers), >> it accepts the transaction but keeps the URI. A notification for that >> ID sent to the Client that only had the civic number would result in >> a no-op. > That means that the client has to be identified by something like the > TLS cert, because the URI isn’t there for the delete. I was using > the domain of the URI as the ID of the client. > > But we have another problem: I think the server does not track the LI. > On any findService with the new option, it looks for a matching > record and returns the ID it has for that record. It’s the client > that tracks possible multiple LIs for one ID, not the server. So in > your example, the client would notice that any address in the range > had the same ID. It would get one notification if the range record > changed, and it would update all its records in the range. But if it > deleted one of a set of records that have the same ID, it wouldn’t > request delete. Only if it got down to one record with a given ID, > and it needed to delete that record, would it request delete for that > ID at the server. >> >> >> >> Lastly, I’m not sure we still need the warning ‘uriNotStored’ >> given that we’re going with one generic URI per Client. The only >> argument I can think of for keeping it would be the proliferation of >> Clients within the coverage aria of the Server that would be so large >> that the Server couldn’t store them all. A counter argument to that >> would be that doing so could be seen as giving privileges to certain >> Clients over others. >> >> We’re creating circumstances where the client won’t get a >> notification. I think we need to tell them that. >> [GC] Only if the URI fails the validity test. > [br]I wanted to allow the server to limit the number of IDs it was > tracking for a given client. I wanted to limit the number of queries > the server is responding to (although it might well silently discard a > DOS attack. >> >> >> One limit I might put on a client is how many locations they can ask >> to be notified. If they try to set up a situation where no matter >> what changed, they get a notification, I think that may be too much >> to ask, and the server can have a limit. It would be okay if it’s >> one URI per valid record at the LIS, but the LoST server doesn’t >> have that data. >> [GC] It's one generic URI per Client with one or more IDs stored by >> the Client against its LIs, right? As you suggesting we go back to >> one URI per Client record in its database? > [br] One generic URI per client. So if the client asks for its URI > to be stored against too many IDs, it can be told no. >> >> >> >> Thanks, >> >> Guy >> >> >> De : Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> >> Envoyé : 31 août 2021 13:54 >> À : Randall Gellens <rg+ietf@randy.pensive.org >> <mailto:rg+ietf@randy.pensive.org>> >> Cc : Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>>; ECRIT >> <ecrit@ietf.org <mailto:ecrit@ietf.org>> >> Objet : [EXT]Re: [Ecrit] planned-changes: two questions >> >> Of course an attacker would conceal itself and register multiple URIs >> under different identities. But the bigger problem is that if a >> large planned change occurred, the victim could receive a large >> number of notifications it didn’t expect. >> >> With a test transition, we know that the client expects to see >> notifications, we only need one per URI (we could specify one per >> domain — after the scheme and before the first slash). If we >> don’t get the ID, we know not to allow that URI to be provisioned. >> So it’s one test transaction vs a large number of planned change >> transactions. >> >> Brian >> >> >> >> >> On Aug 31, 2021, at 1:35 PM, Randall Gellens >> <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> wrote: >> >> If a malicious client registers a URI that is designed to attack a >> third site, the test transaction causes the LoST server to connect to >> it and POST a command. Without a test transaction, the LoST server >> stores the URI and at a future time connects to it and sends a >> command. Either way, a LoST client can register potentially one URI >> per queried location, and a LoST server will connect to that URI and >> POST a message. A queried location could be tied to many other >> locations, so there could be many locations for which a change would >> trigger the LoST server to use the URI, but is that worse? >> --Randall >> On 31 Aug 2021, at 10:27, Brian Rosen wrote: >> If the work group wants to have the LoST server keep the URI until >> expressly deleted, that’s okay with me. >> >> Authenticating the client to the server doesn’t mean the URI is >> authenticated. We can’t restrict the URI to be the same entity as >> the client running the LoST transaction. And the clients are wide >> ranging. Could be an enterprise running its own LIS for example. We >> can’t assume the North American PKI is workable everywhere, and >> even that doesn’t extend to an enterprise LIS. ISTM we have to run >> a test transaction with the notification service to make sure it’s >> what we think it is. >> >> Brian >> >> >> >> >> >> On Aug 31, 2021, at 9:01 AM, Caron, Guy <g.caron@bell.ca >> <mailto:g.caron@bell.ca>> wrote: >> >> Inline. >> >> Guy >> >> -----Message d'origine----- >> De : Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> >> Envoyé : 31 août 2021 08:11 >> À : Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>> >> Cc : Randall Gellens <rg+ietf@randy.pensive.org >> <mailto:rg+ietf@randy.pensive.org>>; ECRIT <ecrit@ietf.org >> <mailto:ecrit@ietf.org>> >> Objet : [EXT]Re: [Ecrit] planned-changes: two questions >> >> You delete the URI when you delete the record in the LIS. >> [GC] That's fine but that was not the question Randall posed. He >> asked whether the URI is deleted after a notification. I agree that >> if the Client does not host the location anymore that the URI >> associated with that location in the Server should be deleted. This >> could be achieved with an empty <plannedChange>. >> >> I don’t think this is covered in 5222. The mechanism causes the >> LoST server to send notifications to the client, but the client is >> allowed to put any URI in the record, and it can add it to as many >> records as it wants. >> [GC] I thought we agreed on using one generic URI per Client. Clients >> should be authenticated by the Servers. >> An evil implementation could record URIs against multiple targets >> that were unaware that the evil implementation did it, until they got >> a large number of PUSH transactions they didn’t expect or >> understand as a result of a large planned change. >> [GC] Only authenticated Clients should be allowed to provide URIs to >> be stored by the Servers. >> >> The proposed mechanism qualifies the client URI before its used in a >> planned change. >> >> Brian >> >> >> >> On Aug 31, 2021, at 7:37 AM, Caron, Guy <g.caron@bell.ca >> <mailto:g.caron@bell.ca>> wrote: >> >> Well, this is not going in the direction I thought. >> >> What is the purpose of deleting the URIs at the Server >> post-validation? >> >> Regarding opening a new DoS, I guess I'm not following. Wouldn't this >> case be covered by the security considerations in RFC 5222? >> >> What you're proposing puts back significant load on the Servers (a >> key consideration for creating planned-changes in the first place) >> and complicates the mechanism. >> >> Guy >> >> >> -----Message d'origine----- >> De : Ecrit <ecrit-bounces@ietf.org <mailto:ecrit-bounces@ietf.org>> >> De la part de Brian Rosen Envoyé : >> 30 août 2021 11:22 À : Randall Gellens <rg+ietf@randy.pensive.org >> <mailto:rg+ietf@randy.pensive.org>> Cc >> : ECRIT <ecrit@ietf.org <mailto:ecrit@ietf.org>> Objet : [EXT]Re: >> [Ecrit] planned-changes: two >> questions >> >> Answer 1: yes. Since there is going to be a revalidation, just >> deleting the setting seems right to me. >> Answer 2: Up to server. If I were implementing, I would hash the >> real ID with the URI and some kind of predictable nonce. >> >> We probably have to say more about how the server identifies the >> client, so that replacement of the URI works. Could we say we use >> the domain of the URI (the entire domain with all the dots) to >> identify the client, and anything can occur after it (meaning a slash >> and whatever)? If we do that, then how would delete the >> notification? Force there to be something other than the domain >> (ugly). Explicit delete request? >> >> Hmmm, we’ve opened a DoS attack: a rogue client stores a bunch of >> URIs for servers it wants to victimize. In North America we have a >> real simple solution for that, because we have a PKI, so we know, for >> sure, who the client is, and could restrict who we allow to store >> URIs, but that wouldn’t be true in general. Also, it would be nice >> for the client to have confidence the mechanism worked before it >> needed it. >> >> So >> Let’s add a “command” to plannedChange in the findService >> request. >> And, have the client have a response to the notification which is the >> ID (json with the 200) >> >> >> The client starts by sending a command of “initialize”. The >> domain is the identity of the client. The response is an immediate >> notification to the with whatever LI was in the request and an ID. >> The response by the client (which is the notification web server) is >> a piece of json containing the ID. We can say that the LI in this >> initialize command could be something simple like the Country Code >> that wouldn’t get a planned change. >> >> Thereafter, the LoST server (notification client) periodically >> repeats this keepalive notification every day or week with the >> initialize LI. The client has to respond with the ID. >> >> The regular notification request is a command of “notify”. The >> server ignores a request for notification from an uninitialized >> client. >> The notification can be deleted with a command of “delete”. If >> you delete the initialize LI, then the server won’t send any more >> notifications to that client and deletes all URIs it was saving for >> that client. The client would have to re-initialize to reset. >> >> Brian >> >> >> >> On Aug 27, 2021, at 5:41 PM, Randall Gellens >> <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> wrote: >> >> I think we're moving to a model where: >> - In a query, a client can request to be notified when the location >> should be revalidated; >> - In the response, the server provides an ID which the client >> associates with the location it just validated; >> - The server sends a notification to the URI, containing the ID; >> - The client revalidates each location with which that ID is >> associated. >> >> Question 1: Does the server delete/inactivate the URI once it has >> sent the notification? >> >> Question 2: Presumably, when the client revalidates the location(s), >> it will again request notification. Does the server return the same >> ID as before, or a different ID? A different ID could perhaps be >> useful in edge cases where the server didn't send or the client >> didn't get the notification, but any utility seems small. If it's >> the same ID, then the answer to question 1 can be that the URI >> remains active until the client asks to no longer be notified (by >> sending an empty URI?). >> >> --Randall >> >> _______________________________________________ >> Ecrit mailing list >> Ecrit@ietf.org <mailto:Ecrit@ietf.org> >> https://www.ietf.org/mailman/listinfo/ecrit >> <https://www.ietf.org/mailman/listinfo/ecrit> >> >> _______________________________________________ >> Ecrit mailing list >> Ecrit@ietf.org <mailto:Ecrit@ietf.org> >> https://www.ietf.org/mailman/listinfo/ecrit >> <https://www.ietf.org/mailman/listinfo/ecrit> >> ---------------------------------------------------------------------- >> -------- External Email: Please use caution when opening links and >> attachments / Courriel externe: Soyez prudent avec les liens et >> documents joints >> >> ------------------------------------------------------------------------------ >> External Email: Please use caution when opening links and attachments >> / Courriel externe: Soyez prudent avec les liens et documents joints >> >> >> External Email: Please use caution when opening links and attachments >> / Courriel externe: Soyez prudent avec les liens et documents joints >> >> External Email: Please use caution when opening links and attachments >> / Courriel externe: Soyez prudent avec les liens et documents joints
- [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- [Ecrit] PLEASE READ: We need people to comment on… Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- [Ecrit] Fwd: PLEASE READ: We need people to comme… James Kinney
- Re: [Ecrit] planned-changes: two questions Jeff Martin
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brandon Abley
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Dan Banks
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Jeff Martin
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen