Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Stefan Metzmacher <metze@samba.org> Fri, 22 November 2019 10:24 UTC

To: Nico Williams <nico@cryptonector.com>
Cc: kitten@ietf.org, Viktor Dukhovni <viktor1dane@dukhovni.org>, Samba Technical <samba-technical@lists.samba.org>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "heimdal-discuss@sics.se" <heimdal-discuss@sics.se>, Greg Hudson <ghudson@MIT.EDU>
References: <33c431f5-c36b-c321-de3f-65977d8aa898@samba.org> <007c29e8-02b9-4f48-f67e-881cb0985d64@mit.edu> <69d80d24-d461-1652-3cfb-e55d90d31fbf@samba.org> <ec067a72-313e-1878-33a0-a3259d2979d5@mit.edu> <1503578184.3428.19.camel@redhat.com> <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org> <1503596189.3428.26.camel@redhat.com> <F363B51E-FDF7-4C91-9ABD-B623B5CE97BC@dukhovni.org> <8f68cfb0-2d6b-d86f-4ff0-a9282aa0bf55@samba.org> <cb0d7433-9e23-5bce-4e06-1213bf88cade@samba.org> <20191121223908.GC26241@localhost>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <22f96c93-0217-0b2b-d7e1-684f9269fba4@samba.org>
Date: Fri, 22 Nov 2019 11:24:44 +0100
In-Reply-To: <20191121223908.GC26241@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/VfX4eDWsD-sa34PP7NZf16VynKY>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Hi Nico,

>>> My idea was that Samba would use
>>> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) to indicate
>>> that the transited list should not be checked.
>>
>> I implemented GSS_KRB5_CRED_NO_TRANSIT_CHECK_X for
>> MIT, Heimdal (both upstream and Samba) and make use of
>> it in Samba.
> 
> Hi,
> 
> The right design for this is to use name attributes, not credential
> options.  Credential options should be banished altogether.
> 
> To see why consider an acceptor application that wishes to examine the
> transit path (or whatever other attribute) an authenticated initiator
> principal took to reach the acceptor.  What credential should the
> acceptor inspect?  There is none to inspect, not for the initiator (not
> even if they delegated a credential, since that one might not have
> transited any realms).  The only way to inspect the transit path taken
> by the initiator is to inspect its name, as that's all we have for it.
> This is one reason we added name attributes.
> 
> Correspondingly and symmetrically, the right way to request some
> behavior on the side where the credential is available, is to associate
> that request with the desired_name for which the credential is acquired.

So you mean we need to pass an explicit desired_name to
gss_acquire_cred_from() and use gss_set_name_attribute() calls
(for no_transit_check and iterate_acceptor_keytab) on that desired_name
before?

Then I think we need iterate_acceptor_keytab also for MIT.
As far as I can see GSS_C_NO_NAME is the current trigger for
iterating the keytab. The functionality we need is, try every key
with a matching keytype, but ignore name and kvno.

> Credential options are not standardized, but name attributes are.
> Please use those.
> 
> Consider this my code review for the Heimdal PR.
> 
> I understand that this is probably a big change, and that this request
> may seem hostile (email being such a dry medium).  I'm willing to help
> you make this change, both for Heimdal and MIT -- I'll help with the
> code,

Thanks! I'm a bit lost on how to actually implement this, as
Heimdal doesn't seem to have a gsskrb5_gss_set_name_attribute() function
and krb5_gss_set_name_attribute() in MIT uses
krb5_authdata_set_attribute(), which just calls
krb5_authdata_context_module plugins. I'm not sure if authdata is what
we need here.

Are my changes to the lib/krb5 layer ok and we just need to change the
way the gsskrb5 layer triggers them? Or do we also need modifications there?

If you can tell me what attribute names we should use and how
the full call to gss_set_name_attribute() should look like,
I can start to change all the tests. But I need help to
implement the glue between gss_set_name_attribute() and
gsskrb5_acceptor_start() and kg_accept_krb5() respectively.

> and I'd be happy to have a conference call or exchange further
> emails.

I guess email is better for now, as we have everything archived.

Greg, do you agree with changing to gss_set_name_attribute() instead of
gss_set_cred_option()?

Thanks!
metze
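As an added illustration of the acceptor keytab behaviour metze describes above (try every key with a matching keytype, but ignore principal name and kvno), here is a small Python model of the two selection strategies. This is example code, not code from MIT krb5, Heimdal or Samba: the keytab entries and tickets are constructed, and an HMAC-SHA256 tag over the ticket body stands in for the real Kerberos encryption so that "does this key decrypt the ticket" becomes a tag check.

```python
"""Acceptor keytab selection: strict (name + kvno) versus iterate-all-keys.

Example code, not from MIT krb5, Heimdal or Samba. The HMAC tag is a stand-in
for the ticket's encrypted part; keytab entries and tickets are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # service principal the entry was stored under
    kvno: int        # key version number recorded in the keytab
    enctype: int     # Kerberos enctype id (18 = aes256-cts, 17 = aes128-cts)
    key: bytes       # raw key material (constructed)


@dataclass(frozen=True)
class Ticket:
    sname: str       # service principal named in the ticket
    kvno: int        # kvno the KDC put in the ticket's EncryptedData
    enctype: int     # enctype of the ticket's EncryptedData
    body: bytes      # what would be the encrypted part
    tag: bytes       # stand-in for authenticated decryption succeeding


def seal(sname: str, kvno: int, entry: KeytabEntry, body: bytes) -> Ticket:
    """Issue a ticket 'encrypted' with the key of one keytab entry."""
    tag = hmac.new(entry.key, body, hashlib.sha256).digest()
    return Ticket(sname, kvno, entry.enctype, body, tag)


def key_opens_ticket(ticket: Ticket, entry: KeytabEntry) -> bool:
    """True when this entry's key 'decrypts' the ticket (tag verifies)."""
    expected = hmac.new(entry.key, ticket.body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket.tag)


def select_strict(keytab: List[KeytabEntry], ticket: Ticket) -> Optional[KeytabEntry]:
    """Default behaviour: the entry must match sname, kvno and enctype exactly."""
    for entry in keytab:
        if (entry.principal, entry.kvno, entry.enctype) == (ticket.sname, ticket.kvno, ticket.enctype):
            return entry if key_opens_ticket(ticket, entry) else None
    return None


def select_iterate(keytab: List[KeytabEntry], ticket: Ticket) -> Optional[KeytabEntry]:
    """iterate_acceptor_keytab behaviour: try every key whose enctype matches,
    ignoring the principal name and kvno, and accept the first that decrypts."""
    for entry in keytab:
        if entry.enctype != ticket.enctype:
            continue
        if key_opens_ticket(ticket, entry):
            return entry
    return None


# Constructed keytab: one machine account key reused under several names/kvnos.
KEYTAB = [
    KeytabEntry("host/srv.example.com", 2, 18, b"\x01" * 32),
    KeytabEntry("host/srv.example.com", 3, 18, b"\x02" * 32),
    KeytabEntry("host/srv.example.com", 3, 17, b"\x03" * 16),
    KeytabEntry("HTTP/srv.example.com", 1, 18, b"\x04" * 32),
]

BODY = b"constructed EncTicketPart for client@EXAMPLE.COM"

# Ticket for a different SPN with a kvno the keytab never saw, but sealed with
# the kvno-3 aes256 key: strict lookup fails, iteration finds KEYTAB[1].
TICKET_STALE = seal("cifs/srv.example.com", 5, KEYTAB[1], BODY)

# Ticket whose name, kvno and enctype all match KEYTAB[1]: both strategies agree.
TICKET_EXACT = seal("host/srv.example.com", 3, KEYTAB[1], BODY)

# Ticket sealed with a key that is in no keytab entry: neither strategy accepts.
TICKET_FOREIGN = seal("host/srv.example.com", 3,
                      KeytabEntry("host/srv.example.com", 3, 18, b"\xff" * 32), BODY)


if __name__ == "__main__":
    for name, t in (("stale", TICKET_STALE), ("exact", TICKET_EXACT), ("foreign", TICKET_FOREIGN)):
        print(name, "strict:", select_strict(KEYTAB, t), "iterate:", select_iterate(KEYTAB, t))
```

The iterate strategy still refuses a ticket no keytab key can open, so it only relaxes which entry is consulted, not whether the ticket must actually decrypt; the cost is trying up to one check per entry of the matching enctype.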