Content-Type: multipart/signed;
 boundary="Apple-Mail=_6ED0C75A-1A0D-4CE5-8A9E-4E31AB188085";
 protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <503CD692.4020007@mitre.org>
Date: Tue, 28 Aug 2012 11:09:07 -0400
Message-Id: <F668D905-31C6-4D76-935F-4AD4A8859876@ve7jtb.com>
References: <4E1F6AAD24975D4BA5B1680429673943667A93F8@TK5EX14MBXC284.redmond.corp.microsoft.com>
 <CAHcDwFzh6HcgsJYFXq71RWSwKWkMADBNQH7_goAtTFNmz-wSwQ@mail.gmail.com>
 <503CD692.4020007@mitre.org>
To: Justin Richer <jricher@mitre.org>
Cc: Axel Nennker <ignisvulpis@googlemail.com>,
 Mike Jones <Michael.Jones@microsoft.com>, Jim Schaad <ietf@augustcellars.com>,
 "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter
Precedence: list

--Apple-Mail=_6ED0C75A-1A0D-4CE5-8A9E-4E31AB188085
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_60255DDB-7CDF-4EDA-9844-3E2D3E810131"


--Apple-Mail=_60255DDB-7CDF-4EDA-9844-3E2D3E810131
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

In OAuth 2 state gets overloaded with a bunch of things from preventing =
XSRF to providing a handle to look up who the the authorization request =
was sent to.

In Connect we added a nonce sent by client that is returned inside the =
signed id_token (JWT) to allow the client to detect replay, and =
optionally reference a specific browser session that presents the =
id_token.

The nonce I suggested for JOSE is not ether of those. =20

I used nonce in the sense that it is used with stream cyphers when the =
same key is used over multiple messages.

JOSE will be used for more than OAuth and JWT.   There are cases where =
adding entropy to the header will be a security benefit.  I would like =
to have a standard claim for doing that.
If people want to call it something else that is fine, but it is a nonce =
by definition.
If used it should be a random or pseudo random value that is time =
variant with sufficient granularity to ensure a nonce is used only once.

John B.

On 2012-08-28, at 10:32 AM, Justin Richer <jricher@mitre.org> wrote:

> On 08/25/2012 03:37 AM, Axel Nennker wrote:
>> To clarify: What is the base specification that Jim mentioned?=20
>> Is it: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03 =
?
>>=20
>> Would somebody please present a use-case for either nonce or =
timestamp?
>> If a jwt is used with oauth2 then what is the difference between =
nonce and state? Nonce would be signed while state is not?
>>=20
>=20
> Nonce would generally be generated by the entity creating the token. =
State in OAuth is generated by the client, and would only be protected =
if the client had a means to make a signed request to the server, using =
either a MAC binding or a JWT-based OIDC-style RequestObject.
>=20
>  -- Justin
>=20
>> I guess I am missing some information that those in the room who =
voted "yes" had?
>>=20
>> Axel
>>=20
>> 2012/8/25 Mike Jones <Michael.Jones@microsoft.com>
>> I'll note for discussion purposes that a nonce and a timestamp are =
not the same thing (although sometimes they are used to achieve =
similar/related goals).  A nonce tends to be an opaque value that must =
be preserved across the communication.  Whereas a timestamp typically =
has defined semantics - sometimes simply a non-decreasing integer value =
- and sometimes a representation of time, and then, sometimes with a =
uniqueness requirement.
>>=20
>> For discussion purposes, I'll say that the simplest thing for us to =
do (should we decide to do anything in this regard) would be to define =
the nonce as an opaque string value that must be preserved.
>>=20
>> We could also define a timestamp parameter, but as I wrote above, =
that would likely require us to specify additional semantics - starting =
with whether it's a non-decreasing integer or a representation of a time =
value.  This seems much harder to define and possibly to use than a =
nonce.
>>=20
>> Would it make sense to define a nonce parameter now and hold off on =
defining a timestamp parameter until there's a clear demonstrated use =
case for which a nonce is not sufficient?  That would be my personal =
recommendation.
>>=20
>>                                 Best wishes,
>>                                 -- Mike
>>=20
>> -----Original Message-----
>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf =
Of Jim Schaad
>> Sent: Friday, August 17, 2012 12:05 AM
>> To: jose@ietf.org
>> Subject: [jose] POLL: Nonce/Timestamp parameter
>>=20
>> <CHAIR>
>>=20
>> If you voted at the face-2-face please do not vote again.  If you =
want to provide comments please change the title from POLL to DISCUSS.
>>=20
>> Do we need to define a nonce/timestamp parameter in the base =
specification?
>>=20
>>=20
>>=20
>> Room vote:  6 yes, 0 no, 1 discuss
>>=20
>>=20
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>=20
>>=20
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>=20
>>=20
>>=20
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>=20
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose


--Apple-Mail=_60255DDB-7CDF-4EDA-9844-3E2D3E810131
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=iso-8859-1

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Diso-8859-1"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">In =
OAuth 2 state gets overloaded with a bunch of things from preventing =
XSRF to providing a handle to look up who the the authorization request =
was sent to.<div><br></div><div>In Connect we added a nonce sent by =
client that is returned inside the signed id_token (JWT) to allow the =
client to detect replay, and optionally reference a specific browser =
session that presents the id_token.</div><div><br></div><div>The nonce I =
suggested for JOSE is not ether of those. =
&nbsp;</div><div><br></div><div>I used nonce in the sense that it is =
used with stream cyphers when the same key is used over multiple =
messages.</div><div><br></div><div>JOSE will be used for more than OAuth =
and JWT. &nbsp; There are cases where adding entropy to the header will =
be a security benefit. &nbsp;I would like to have a standard claim for =
doing that.</div><div>If people want to call it something else that is =
fine, but it is a nonce by definition.</div><div>If used it should be a =
random or pseudo random value that is time variant with sufficient =
granularity to ensure a nonce is used only =
once.</div><div><br></div><div>John =
B.</div><div><br></div><div><div><div>On 2012-08-28, at 10:32 AM, Justin =
Richer &lt;<a href=3D"mailto:jricher@mitre.org">jricher@mitre.org</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite">
 =20
    <meta content=3D"text/html; charset=3DISO-8859-1" =
http-equiv=3D"Content-Type">
 =20
  <div bgcolor=3D"#FFFFFF" text=3D"#000000">
    <div class=3D"moz-cite-prefix">On 08/25/2012 03:37 AM, Axel Nennker
      wrote:<br>
    </div>
    <blockquote =
cite=3D"mid:CAHcDwFzh6HcgsJYFXq71RWSwKWkMADBNQH7_goAtTFNmz-wSwQ@mail.gmail=
.com" type=3D"cite">
      <meta http-equiv=3D"Content-Type" content=3D"text/html;
        charset=3DISO-8859-1">
      To clarify: What is the base specification that Jim mentioned? =
<br>
      Is it: <a moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03">htt=
p://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03</a>
      ?<br>
      <br>
      Would somebody please present a use-case for either nonce or
      timestamp?<br>
      If a jwt is used with oauth2 then what is the difference between
      nonce and state? Nonce would be signed while state is not?<br>
      <br>
    </blockquote>
    <br>
    Nonce would generally be generated by the entity creating the token.
    State in OAuth is generated by the client, and would only be
    protected if the client had a means to make a signed request to the
    server, using either a MAC binding or a JWT-based OIDC-style
    RequestObject.<br>
    <br>
    &nbsp;-- Justin<br>
    <br>
    <blockquote =
cite=3D"mid:CAHcDwFzh6HcgsJYFXq71RWSwKWkMADBNQH7_goAtTFNmz-wSwQ@mail.gmail=
.com" type=3D"cite">I guess I am missing some information that those in
      the room who voted "yes" had?<br>
      <br>
      Axel<br>
      <br>
      <div class=3D"gmail_quote">2012/8/25 Mike Jones <span =
dir=3D"ltr">&lt;<a moz-do-not-send=3D"true" =
href=3D"mailto:Michael.Jones@microsoft.com" =
target=3D"_blank">Michael.Jones@microsoft.com</a>&gt;</span><br>
        <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          I'll note for discussion purposes that a nonce and a timestamp
          are not the same thing (although sometimes they are used to
          achieve similar/related goals). &nbsp;A nonce tends to be an =
opaque
          value that must be preserved across the communication.
          &nbsp;Whereas a timestamp typically has defined semantics -
          sometimes simply a non-decreasing integer value - and
          sometimes a representation of time, and then, sometimes with a
          uniqueness requirement.<br>
          <br>
          For discussion purposes, I'll say that the simplest thing for
          us to do (should we decide to do anything in this regard)
          would be to define the nonce as an opaque string value that
          must be preserved.<br>
          <br>
          We could also define a timestamp parameter, but as I wrote
          above, that would likely require us to specify additional
          semantics - starting with whether it's a non-decreasing
          integer or a representation of a time value. &nbsp;This seems =
much
          harder to define and possibly to use than a nonce.<br>
          <br>
          Would it make sense to define a nonce parameter now and hold
          off on defining a timestamp parameter until there's a clear
          demonstrated use case for which a nonce is not sufficient?
          &nbsp;That would be my personal recommendation.<br>
          <br>
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Best wishes,<br>
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; -- Mike<br>
          <br>
          -----Original Message-----<br>
          From: <a moz-do-not-send=3D"true" =
href=3D"mailto:jose-bounces@ietf.org">jose-bounces@ietf.org</a>
          [mailto:<a moz-do-not-send=3D"true" =
href=3D"mailto:jose-bounces@ietf.org">jose-bounces@ietf.org</a>]
          On Behalf Of Jim Schaad<br>
          Sent: Friday, August 17, 2012 12:05 AM<br>
          To: <a moz-do-not-send=3D"true" =
href=3D"mailto:jose@ietf.org">jose@ietf.org</a><br>
          Subject: [jose] POLL: Nonce/Timestamp parameter<br>
          <br>
          &lt;CHAIR&gt;<br>
          <br>
          If you voted at the face-2-face please do not vote again. =
&nbsp;If
          you want to provide comments please change the title from POLL
          to DISCUSS.<br>
          <br>
          Do we need to define a nonce/timestamp parameter in the base
          specification?<br>
          <br>
          <br>
          <br>
          Room vote: &nbsp;6 yes, 0 no, 1 discuss<br>
          <br>
          <br>
          _______________________________________________<br>
          jose mailing list<br>
          <a moz-do-not-send=3D"true" =
href=3D"mailto:jose@ietf.org">jose@ietf.org</a><br>
          <a moz-do-not-send=3D"true" =
href=3D"https://www.ietf.org/mailman/listinfo/jose" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/jose</a><br>
          <br>
          <br>
          _______________________________________________<br>
          jose mailing list<br>
          <a moz-do-not-send=3D"true" =
href=3D"mailto:jose@ietf.org">jose@ietf.org</a><br>
          <a moz-do-not-send=3D"true" =
href=3D"https://www.ietf.org/mailman/listinfo/jose" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/jose</a><br>
        </blockquote>
      </div>
      <br>
      <br>
      <fieldset class=3D"mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap=3D"">_______________________________________________
jose mailing list
<a class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:jose@ietf.org">jose@ietf.org</a>
<a class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/jose">https://www.ietf.org/m=
ailman/listinfo/jose</a>
</pre>
    </blockquote>
    <br>
  </div>

_______________________________________________<br>jose mailing =
list<br><a =
href=3D"mailto:jose@ietf.org">jose@ietf.org</a><br>https://www.ietf.org/ma=
ilman/listinfo/jose<br></blockquote></div><br></div></body></html>=

--Apple-Mail=_60255DDB-7CDF-4EDA-9844-3E2D3E810131--

--Apple-Mail=_6ED0C75A-1A0D-4CE5-8A9E-4E31AB188085
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIPnzCCB7Uw
ggadoAMCAQICAh5cMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3Rh
cnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4
MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0Ew
HhcNMTIwMzE4MDQzMjQ4WhcNMTQwMzE5MTEwNzMyWjCBmzEZMBcGA1UEDRMQR3JUTTZMUzdYMzU3
NzhzOTELMAkGA1UEBhMCQ0wxIjAgBgNVBAgTGU1ldHJvcG9saXRhbmEgZGUgU2FudGlhZ28xFjAU
BgNVBAcTDUlzbGEgZGUgTWFpcG8xFTATBgNVBAMTDEpvaG4gQnJhZGxleTEeMBwGCSqGSIb3DQEJ
ARYPamJyYWRsZXlAbWUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAskrlBI93
rBTLOQGSwIT6co6dAw/rwDPrRXl6/F2oc4KDn+QN6CdFeHo08H846VJS9CDjLKvnK9jbxxs4wYqe
nKdPb3jgzt8oc7b9ZXtWkOgsxgMf6dBZ/IPm4lWBpCbSr3seDGDXEpiE2lTZXno7c25OguR4E6Qa
hcpHABZjeEWK65mMH25gmoRf5MY1k3quu5y+FCYCHE2iwU5jzq+mI3HmG59+UMFLx1fjV+zTslRw
26cQDC/uepwjeYSp8S26hfWipVWwQj4js/C7RoPtvt2iyeU+LSH81jG4wlAWntiOG1WtoXUuXWSc
ExhciKeKWCnemy9qqmxRfJqBROeGlQIDAQABo4IEDjCCBAowCQYDVR0TBAIwADALBgNVHQ8EBAMC
BLAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1UdDgQWBBQ/A7/CxKEnzpqmZlLz
9iaQMy24eTAfBgNVHSMEGDAWgBSuVYNv7DHKufcd+q9rMfPIHeOsuzB+BgNVHREEdzB1gQ9qYnJh
ZGxleUBtZS5jb22BD2picmFkbGV5QG1lLmNvbYEQamJyYWRsZXlAbWFjLmNvbYERdmU3anRiQHZl
N2p0Yi5jb22BE2picmFkbGV5QHdpbmdhYS5jb22BF2pvaG4uYnJhZGxleUB3aW5nYWEuY29tMIIC
IQYDVR0gBIICGDCCAhQwggIQBgsrBgEEAYG1NwECAjCCAf8wLgYIKwYBBQUHAgEWImh0dHA6Ly93
d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuc3RhcnRz
c2wuY29tL2ludGVybWVkaWF0ZS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29tIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRlIHdhcyBpc3N1ZWQgYWNj
b3JkaW5nIHRvIHRoZSBDbGFzcyAyIFZhbGlkYXRpb24gcmVxdWlyZW1lbnRzIG9mIHRoZSBTdGFy
dENvbSBDQSBwb2xpY3ksIHJlbGlhbmNlIG9ubHkgZm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGlu
IGNvbXBsaWFuY2Ugb2YgdGhlIHJlbHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMIGcBggrBgEFBQcC
AjCBjzAnFiBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTADAgECGmRMaWFiaWxpdHkg
YW5kIHdhcnJhbnRpZXMgYXJlIGxpbWl0ZWQhIFNlZSBzZWN0aW9uICJMZWdhbCBhbmQgTGltaXRh
dGlvbnMiIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3kuMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6
Ly9jcmwuc3RhcnRzc2wuY29tL2NydHUyLWNybC5jcmwwgY4GCCsGAQUFBwEBBIGBMH8wOQYIKwYB
BQUHMAGGLWh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9zdWIvY2xhc3MyL2NsaWVudC9jYTBCBggr
BgEFBQcwAoY2aHR0cDovL2FpYS5zdGFydHNzbC5jb20vY2VydHMvc3ViLmNsYXNzMi5jbGllbnQu
Y2EuY3J0MCMGA1UdEgQcMBqGGGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tLzANBgkqhkiG9w0BAQUF
AAOCAQEAEcfD4PmHrX+W3zaP/KsR4gwLAL0UTaMz14SIng6a9F3kb8ZDbTUneS9ubgpqeJQP2IFc
0U5gQnJ3XeCH6p9I88mvm1NqKQw8WvfglS0aIS19vfpTgXJSPdIO2JJPRqaBtXf3zkdXJwckX9/d
NMrLGeGvaFT9fUNdQdHU4BI1pVUpgKr796T7LTc/ERfH8iFp1+CmdVkJ6Y2iJdWUp4h17XmbxbIT
0CdS4SSk/VW8LFsn/mVz6hB73VthwjGsIku54Wp4pRuq1KX+pATnRk3pHRa1z3mxJMmq7OEXENcC
Vm+bAnyUrYbUilNS9UVTYS8/3dVsKiNupBaOZO+vOgJqVDCCB+IwggXKoAMCAQICAQ4wDQYJKoZI
hvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT
IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENl
cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3MTAyNDIxMDI1NFoXDTEyMTAyMjIxMDI1NFowgYwx
CzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGln
aXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAyIFByaW1h
cnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AMsohUWcASz7GfKrpTOMKqANy9BV7V0igWdGxA8IU77L3aTxErQ+fcxtDYZ36Z6GH0YFn7fq5RAD
teP0AYzrCA+EQTfi8q1+kA3m0nwtwXG94M5sIqsvs7lRP1aycBke/s5g9hJHryZ2acScnzczjBCA
o7X1v5G3yw8MDP2m2RCye0KfgZ4nODerZJVzhAlOD9YejvAXZqHksw56HzElVIoYSZ3q4+RJuPXX
fIoyby+Y2m1E+YzX5iCZXBx05gk6MKAW1vaw4/v2OOLy6FZH3XHHtOkzUreG//CsFnB9+uaYSlR6
5cdGzTsmoIK8WH1ygoXhRBm98SD7Hf/r3FELNvUCAwEAAaOCA1swggNXMAwGA1UdEwQFMAMBAf8w
CwYDVR0PBAQDAgGmMB0GA1UdDgQWBBSuVYNv7DHKufcd+q9rMfPIHeOsuzCBqAYDVR0jBIGgMIGd
gBROC+8apEBbpRdphzDKNGhD0EGu8qGBgaR/MH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFy
dENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkw
JwYDVQQDEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIBATAJBgNVHRIEAjAAMD0G
CCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAoYhaHR0cDovL3d3dy5zdGFydHNzbC5jb20vc2ZzY2Eu
Y3J0MGAGA1UdHwRZMFcwLKAqoCiGJmh0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwu
Y3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9zZnNjYS5jcmwwggFdBgNVHSAEggFU
MIIBUDCCAUwGCysGAQQBgbU3AQEEMIIBOzAvBggrBgEFBQcCARYjaHR0cDovL2NlcnQuc3RhcnRj
b20ub3JnL3BvbGljeS5wZGYwNQYIKwYBBQUHAgEWKWh0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9p
bnRlcm1lZGlhdGUucGRmMIHQBggrBgEFBQcCAjCBwzAnFiBTdGFydCBDb21tZXJjaWFsIChTdGFy
dENvbSkgTHRkLjADAgEBGoGXTGltaXRlZCBMaWFiaWxpdHksIHJlYWQgdGhlIHNlY3Rpb24gKkxl
Z2FsIExpbWl0YXRpb25zKiBvZiB0aGUgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
UG9saWN5IGF2YWlsYWJsZSBhdCBodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvcG9saWN5LnBkZjAR
BglghkgBhvhCAQEEBAMCAAcwUAYJYIZIAYb4QgENBEMWQVN0YXJ0Q29tIENsYXNzIDIgUHJpbWFy
eSBJbnRlcm1lZGlhdGUgRnJlZSBTU0wgRW1haWwgQ2VydGlmaWNhdGVzMA0GCSqGSIb3DQEBBQUA
A4ICAQAe9xAX/vbphHkvkDdNrslXWdO7fD3JaqnTT3jmmDu55r7UpW1H/v/J40UBXsw9DKU8TylE
4RwZT5HDAMW42f1x498AzM4FOnL/pUTTvr6BiRlrify5ZovkDYVWjy1GYTJ+hPiBEv0HmHnDxjhn
JIIkEvJ+niMHLLEdpNMhZnxMiTFRAtIF4WeYcpgXBjAxsEDRKBvw40K+r3N4lykySQNp2ElIJ8H1
z2BmhxtppUdWpOVJ4Q1Gvn9jfV1qnMhFCDY+X1X8DrkKrTcpDExcGlefweQs7+DYUK3spiQkJpN7
qpPYlfy2GYHedv7lGa1ZAghMI/4882QVAK2zq6M60nHpOUMtYD61XtAs3ZD5L3yn9LCdeK2j4ZbQ
3uRdwvxAMFWwXyUK/ALP4lCu9QhxbnETOkBWT3FJul4/FUgzM0RRCEGhuQWiOFSoa35XJTcYf/4E
/ZuvOXhK04nUpe7DYTMWzRqL04yyoJQVHKHKSboytueydKuqFZKdJA9gi77OnPBYL/yxkXGgkLC9
tsi77oT4AgZry0/6lgX56ak+f/umQihNPgtKSQQjEYq9S8MlOHzpUM0vxsghATYsdUPBw6r6ZxDH
jXoUAD03DUMEbKsWvqFB7nJNVesngbu8miw1EYLA+fHfTaCidoV3CL75jKqM/KE87qrh9Fqti9bK
qnkvpTGCA2wwggNoAgEBMIGTMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRk
LjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMv
U3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0ECAh5cMAkGBSsO
AwIaBQCgggGtMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEyMDgy
ODE1MDkwN1owIwYJKoZIhvcNAQkEMRYEFBFWANsrJMWsZm0LDhUbF0q3w1L9MIGkBgkrBgEEAYI3
EAQxgZYwgZMwgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL
EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBD
bGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQQICHlwwgaYGCyqGSIb3DQEJEAIL
MYGWoIGTMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xh
c3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0ECAh5cMA0GCSqGSIb3DQEBAQUABIIB
ACvVPAkRgtLsI4OFXyjn9IVV0DnCvERDM20YSK1sqYFCdFBD9bGdukph9X+IJry2Y5ETkzl16CFX
3ZXCc8FmfhBHeGPT4Loe0zMnANvMRUir0jO3phrSzLU7pNGx9VIAzS7/8sbItl2gZao1jcU90V3n
P6ePnqmqhGpds4TwGNr0y6qfqbwPgxsSWR5rUn99ECidPdFLaNS6hrAqrNA5Vu95Z7q0vKaVDoDv
6JmvAVkprBqXfHG2+mrrVeRNQ278Et0NB+h6E04l/lpLvSCFjD8bH4VJrmoJ1IvC2+4VQcZvgNFb
Q1cRvs7B5jaIFv13HbEyl4txtzebYdm6X23cTFEAAAAAAAA=

--Apple-Mail=_6ED0C75A-1A0D-4CE5-8A9E-4E31AB188085--