Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA26A1A6FCA for ; Tue, 2 Dec 2014 12:15:24 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9SngmXi4DlCJ for ; Tue, 2 Dec 2014 12:15:20 -0800 (PST) Received: from mail-wg0-f43.google.com (mail-wg0-f43.google.com [74.125.82.43]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BC881A7016 for ; Tue, 2 Dec 2014 12:15:00 -0800 (PST) Received: by mail-wg0-f43.google.com with SMTP id l18so17941452wgh.30 for ; Tue, 02 Dec 2014 12:14:59 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=9QOeV2csuaQnhhzMO8wbs0B7LT8M23R50Z337WbCmtA=; b=mH2AQ3fwDjN9p1bQFWycaTHD3VlAIcRKS+GJzDvX2NhHmLnBuxJ7af+Qolxy0oEMUH DGlUiSkPIRHah7tbAzctRbwtGadue1su+nF1i8JQxGzp8rrlgFotMuD/15ErUf5CsbsF fqLWiTzMaBKhGokAfd2nEJed8jQOBGKxEBNZ54NGjC7T4FdYlqj6u6eGqfIuAgU7MWnj TKH1p9+P8y3QySUcIUx9IUJRzyTH3h1G9bIloTw3736++12rsRaUYxmawMruLovDY7K0 WCreDe2ouJzg69i2H89CeW6KtjQYoRLQk22kxRa2pr5hvv3V6VXtULBGTpO3mbfaS9wU pGoA== X-Gm-Message-State: ALoCoQkyNW3F7PK3IOLUtAK3y6H68Pm3hb19t6okH8z/uJIX28x6RDWZaaAz1d7kSe4qf2nQhHSj X-Received: by 10.180.38.98 with SMTP id f2mr7808352wik.55.1417551299145; Tue, 02 Dec 2014 12:14:59 -0800 (PST) Received: from [10.47.81.9] (host86-187-11-58.range86-187.btcentralplus.com. [86.187.11.58]) by mx.google.com with ESMTPSA id j2sm33307981wjs.28.2014.12.02.12.14.56 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 02 Dec 2014 12:14:57 -0800 (PST) Content-Type: multipart/signed; boundary="Apple-Mail=_2519D241-BA48-494E-BAB9-27ECD4DF6DBD"; protocol="application/pkcs7-signature"; micalg=sha1 Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\)) From: John Bradley In-Reply-To: Date: Tue, 2 Dec 2014 17:14:54 -0300 Message-Id: References: <46D29E35-5A69-4687-BC44-45462DEA8D47@mitre.org> <580238515.3962316.1417548302668.JavaMail.yahoo@jws10646.mail.bf1.yahoo.com> To: "Justin P. Richer" X-Mailer: Apple Mail (2.1993) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/H1Ali2oAFfxBpjbfz9_sjem1T6Y Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Dec 2014 20:15:24 -0000 --Apple-Mail=_2519D241-BA48-494E-BAB9-27ECD4DF6DBD Content-Type: multipart/alternative; boundary="Apple-Mail=_D365FEE6-E05B-4FAD-88DB-A45598B634E3" --Apple-Mail=_D365FEE6-E05B-4FAD-88DB-A45598B634E3 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Many of the proprietary introspection protocols in use return scope, = role or other meta data for the RS to make its access policy decision = on. One of the reasons for using opaque tokens rather than JWT is to prevent = leakage of that info. Making authentication to the introspection endpoint a MUST if additional = attributes are present is OK, I might even be inclined to say that = authentication of some sort is always required, but that might be going = a bit far for some use cases. We have a lot of proprietary ways to do this from IBM, Layer 7, Ping = etc. It would be nice if we could standardize it. Precluding other = attributes would not be helpful for adoption. One issue that we haven=E2=80=99t addressed in this spec is what happens = if there are multiple AS for the RS and how it would decide what = introspection endpoint to use. Perhaps that needs to be a extension, leaving this for the simple case. However having more than on e AS per RS is not as unusual as it once was = in larger environments. John B. > On Dec 2, 2014, at 4:56 PM, Richer, Justin P. = wrote: >=20 > Agreed, which is why we've got space for the "sub" and "user_id" = fields but not anything else about the user, and we've got a privacy = considerations section for dealing with that. If you can help make the = wording on that section stronger, I'd appreciate it. >=20 > -- Justin >=20 > On Dec 2, 2014, at 2:25 PM, Bill Mills > wrote: >=20 >> If introspection returns any other user data beyond what is strictly = required to validate the token based solely on possession of the public = part it would be a mistake. >>=20 >>=20 >> On Tuesday, December 2, 2014 11:13 AM, "Richer, Justin P." = > wrote: >>=20 >>=20 >> That's all fine -- it's all going over TLS anyway (RS->AS) just like = the original token fetch by the client (C->AS). Doesn't mean you need = TLS *into* the RS (C->RS) with a good PoP token.=20 >>=20 >> Can you explain how this is related to "act on behalf of"? I don't = see any connection. >>=20 >> -- Justin >>=20 >> On Dec 2, 2014, at 2:09 PM, Bill Mills > wrote: >>=20 >>> Fetching the public key for a token might be fine, but what if the = introspection endpoint returns the symmetric key? Data about the user? = Where does this blur the line between this and "act on behalf of"? >>>=20 >>>=20 >>> On Tuesday, December 2, 2014 11:05 AM, "Richer, Justin P." = > wrote: >>>=20 >>>=20 >>> The call to introspection has a TLS requirement, but the call to the = RS wouldn't necessarily have that requirement. The signature and the = token identifier are two different things. The identifier doesn't do an = attacker any good on its own without the verifiable signature that's = associated with it and the request. What I'm saying is that you = introspect the identifier and get back something that lets you, the RS, = check the signature. >>>=20 >>> -- Justin >>>=20 >>> On Dec 2, 2014, at 1:40 PM, Bill Mills > wrote: >>>=20 >>>> "However, I think it's very clear how PoP tokens would work. ..." >>>>=20 >>>> I don't know if that's true. POP tokens (as yet to be fully = defined) would then also have a TLS or transport security requirement = unless there is token introspection client auth in play I think. = Otherwise I can as an attacker take that toklen and get info about it = that might be useful, and I don't think that's what we want. >>>>=20 >>>> -bill >>>>=20 >>>>=20 >>>>=20 >>>=20 >>=20 >>=20 >>=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_D365FEE6-E05B-4FAD-88DB-A45598B634E3 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 Many of the proprietary introspection protocols in use return = scope, role or other meta data for the RS to make its access policy = decision on.
One of the reasons for using opaque tokens = rather than JWT is to prevent leakage of that info.

Making authentication to = the introspection endpoint a MUST if additional attributes are present = is OK,  I might even be inclined to say that authentication of some = sort is always required, but that might be going a bit far for some use = cases.

We have = a lot of proprietary ways to do this from IBM, Layer 7, Ping etc. =  It would be nice if we could standardize it.   Precluding = other attributes would not be helpful for adoption.


One issue that we haven=E2=80=99t addressed in this spec is = what happens if there are multiple AS for the RS and how it would decide = what introspection endpoint to use.
Perhaps that = needs to be a extension, leaving this for the simple case.

However having more than = on e AS per RS is not as unusual as it once was in larger = environments.

John B.


On Dec 2, 2014, at 4:56 PM, Richer, Justin P. <jricher@mitre.org> = wrote:

Agreed, which is why we've got space for the "sub" and "user_id" fields = but not anything else about the user, and we've got a privacy = considerations section for dealing with that. If you can help make the = wording on that section stronger, I'd appreciate it.

 -- Justin

On Dec 2, 2014, at 2:25 PM, Bill Mills <wmills_92105@yahoo.com> wrote:

If introspection = returns any other user data beyond what is strictly required to validate = the token based solely on possession of the public part it would be a mistake.


On = Tuesday, December 2, 2014 11:13 AM, "Richer, Justin P." <jricher@mitre.org> = wrote:


That's all fine -- it's all going = over TLS anyway (RS->AS) just like the original token fetch by the = client (C->AS). Doesn't mean you need TLS *into* the RS (C->RS) = with a good PoP token. 

Can you explain how this is related to "act on behalf = of"? I don't see any connection.

 -- Justin
On Dec 2, 2014, at 2:09 PM, Bill Mills <wmills_92105@yahoo.com> wrote:

Fetching the public key for a token might be fine, but what = if the introspection endpoint returns the symmetric key?  Data = about the user?  Where does this blur the line between this and "act on = behalf of"?


On Tuesday, December 2, 2014 11:05 = AM, "Richer, Justin P." <jricher@mitre.org> wrote:


The = call to introspection has a TLS requirement, but the call to the RS = wouldn't necessarily have that requirement. The signature and the token = identifier are two different things. The identifier doesn't do an attacker any good on its own without the verifiable signature = that's associated with it and the request. What I'm saying is that you = introspect the identifier and get back something that lets you, the RS, = check the signature.

 -- Justin

On = Dec 2, 2014, at 1:40 PM, Bill Mills <wmills_92105@yahoo.com> wrote:

"However, I think it's very clear = how PoP tokens would work. ..."

I don't know if that's true.  POP tokens (as yet to be fully = defined) would then also have a TLS or transport security requirement = unless there is token introspection client auth in play I think. =  Otherwise I can as an attacker take that toklen and get info about it that might be useful, and I don't think that's what we = want.

-bill








_______________________________________________
OAuth = mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

= --Apple-Mail=_D365FEE6-E05B-4FAD-88DB-A45598B634E3-- --Apple-Mail=_2519D241-BA48-494E-BAB9-27ECD4DF6DBD Content-Disposition: attachment; filename=smime.p7s Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIINPDCCBjQw ggQcoAMCAQICASAwDQYJKoZIhvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0 Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAn BgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3MTAyNDIxMDI1NVoX DTE3MTAyNDIxMDI1NVowgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSsw KQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFy dENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMsohUWcASz7GfKrpTOMKqANy9BV7V0igWdGxA8IU77L3aTxErQ+ fcxtDYZ36Z6GH0YFn7fq5RADteP0AYzrCA+EQTfi8q1+kA3m0nwtwXG94M5sIqsvs7lRP1aycBke /s5g9hJHryZ2acScnzczjBCAo7X1v5G3yw8MDP2m2RCye0KfgZ4nODerZJVzhAlOD9YejvAXZqHk sw56HzElVIoYSZ3q4+RJuPXXfIoyby+Y2m1E+YzX5iCZXBx05gk6MKAW1vaw4/v2OOLy6FZH3XHH tOkzUreG//CsFnB9+uaYSlR65cdGzTsmoIK8WH1ygoXhRBm98SD7Hf/r3FELNvUCAwEAAaOCAa0w ggGpMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSuVYNv7DHKufcd +q9rMfPIHeOsuzAfBgNVHSMEGDAWgBROC+8apEBbpRdphzDKNGhD0EGu8jBmBggrBgEFBQcBAQRa MFgwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9jYTAtBggrBgEFBQcwAoYh aHR0cDovL3d3dy5zdGFydHNzbC5jb20vc2ZzY2EuY3J0MFsGA1UdHwRUMFIwJ6AloCOGIWh0dHA6 Ly93d3cuc3RhcnRzc2wuY29tL3Nmc2NhLmNybDAnoCWgI4YhaHR0cDovL2NybC5zdGFydHNzbC5j b20vc2ZzY2EuY3JsMIGABgNVHSAEeTB3MHUGCysGAQQBgbU3AQIBMGYwLgYIKwYBBQUHAgEWImh0 dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cu c3RhcnRzc2wuY29tL2ludGVybWVkaWF0ZS5wZGYwDQYJKoZIhvcNAQEFBQADggIBADqpJw3I07QW ke9plNBpxUxcffc7nUrIQpJHDci91DFG7fVhHRkMZ1J+BKg5UNUxIFJ2Z9B90Micc/NXcs7kPBRd n6XGO/vPc87Y6R+cWS9Nc9+fp3Enmsm94OxOwI9wn8qnr/6o3mD4noP9JphwUPTXwHovjavRnhUQ HLfo/i2NG0XXgTHXS2Xm0kVUozXqpYpAdumMiB/vezj1QHQJDmUdPYMcp+reg9901zkyT3fDW/iv JVv6pWtkh6Pw2ytZT7mvg7YhX3V50Nv860cV11mocUVcqBLv0gcT+HBDYtbuvexNftwNQKD5193A 7zN4vG7CTYkXxytSjKuXrpEatEiFPxWgb84nVj25SU5q/r1Xhwby6mLhkbaXslkVtwEWT3Van49r KjlK4XrUKYYWtnfzq6aSak5u0Vpxd1rY79tWhD3EdCvOhNz/QplNa+VkIsrcp7+8ZhP1l1b2U6Ma xIVteuVMD3X0vziIwr7jxYae9FZjbxlpUemqXjcC0QaFfN7qI0JsQMALL7iGRBg7K0CoOBzECdD3 fuZil5kU/LP9cr1BK31U0Uy651bFnAMMMkqhAChIbn0ei72VnbpSsrrSdF0BAGYQ8vyHae5aCg+H 75dVCV33K6FuxZrf09yTz+Vx/PkdRUYkXmZz/OTfyJXsUOUXrym6KvI2rYpccSk5MIIHADCCBeig AwIBAgICSAcwDQYJKoZIhvcNAQEFBQAwgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENv bSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYD VQQDEy9TdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTAeFw0x NDAzMjQyMzU2MjNaFw0xNjAzMjUwOTM5MzFaMIGfMRkwFwYDVQQNExBxekYwMVhZQ1pNTDM4N2hE MQswCQYDVQQGEwJDTDEiMCAGA1UECBMZTWV0cm9wb2xpdGFuYSBkZSBTYW50aWFnbzEWMBQGA1UE BxMNSXNsYSBkZSBNYWlwbzEVMBMGA1UEAxMMSm9obiBCcmFkbGV5MSIwIAYJKoZIhvcNAQkBFhNq YnJhZGxleUBpY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtTL0o4QG WC+jnmYa7xEjcBTAeIOt7ILy40qsnJHNedVaTH0EU5yHzoaEOGHuOuwJUz/C7r2TvXpJ/Ud4w6VO HdOUGnnKUiH5MV/kIysZ7DpN5D1f+yEast00oKsEbf/D6flzfex2JFV9rT7AQ+FQaTdf3S9K7gM2 F5kODFg805BMYTGT+haw9VOMXju5s93VEjUQcnGrLy0RtoN76GM6ItxqNnEt/Ln+2GNq8JvPyUKe JsAxfIlTyqIbw32VlusKXL4+jmgFi+LY6bsfg3VHLvy58QsQnCwHg15uARvy5X6owyGcG7xHwNml fNWtBZ3DHNPh37HC9lmAy4iqw4PvNwIDAQABo4IDVTCCA1EwCQYDVR0TBAIwADALBgNVHQ8EBAMC BLAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1UdDgQWBBSUDb6BlJD7FIYgWj1w 4z+GsOXs7zAfBgNVHSMEGDAWgBSuVYNv7DHKufcd+q9rMfPIHeOsuzCBmQYDVR0RBIGRMIGOgRNq YnJhZGxleUBpY2xvdWQuY29tgRNqYnJhZGxleUBpY2xvdWQuY29tgRdqb2huLmJyYWRsZXlAd2lu Z2FhLmNvbYERdmU3anRiQHZlN2p0Yi5jb22BD2picmFkbGV5QG1lLmNvbYEQamJyYWRsZXlAbWFj LmNvbYETamJyYWRsZXlAd2luZ2FhLmNvbTCCAUwGA1UdIASCAUMwggE/MIIBOwYLKwYBBAGBtTcB AgMwggEqMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kucGRmMIH3 BggrBgEFBQcCAjCB6jAnFiBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTADAgEBGoG+ VGhpcyBjZXJ0aWZpY2F0ZSB3YXMgaXNzdWVkIGFjY29yZGluZyB0byB0aGUgQ2xhc3MgMiBWYWxp ZGF0aW9uIHJlcXVpcmVtZW50cyBvZiB0aGUgU3RhcnRDb20gQ0EgcG9saWN5LCByZWxpYW5jZSBv bmx5IGZvciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBjb21wbGlhbmNlIG9mIHRoZSByZWx5aW5n IHBhcnR5IG9ibGlnYXRpb25zLjA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnN0YXJ0c3Ns LmNvbS9jcnR1Mi1jcmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8v b2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMi9jbGllbnQvY2EwQgYIKwYBBQUHMAKGNmh0dHA6 Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczIuY2xpZW50LmNhLmNydDAjBgNVHRIE HDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQADggEBALscEldbrgeF B1WC/hMdYxFT4Lc8ALtErgJryRozTdeMlzpsncIKyy8M54HhxQAMOqFe2HR+R9H7WeIzmkV95yJn JY3bd4bxnnemhLrDyi1VlNjEjkK5kgegI8JavahFXl4FwJHHv8TOh71Wf3fiy0Do7d7TQmVDRrzt 1k/2w4CXKweQ2mdFw7fskiYoPGEK7pFiicGMFBzLiKRm61CqojS4IYShiP0nCZZWPwNJYs5lstxD SSMaD+KccZVxkL7X2Qj9PJ+PCAQ6dMhvwTXrdcnrE7fI8PhFvHWrERjg7yIu1WI4Fgviy0u7437v WzufSnfqMwbfz20fucO0chYq+tkxggNsMIIDaAIBATCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNV BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNp Z25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xp ZW50IENBAgJIBzAJBgUrDgMCGgUAoIIBrTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqG SIb3DQEJBTEPFw0xNDEyMDIyMDE0NTVaMCMGCSqGSIb3DQEJBDEWBBTlno3itaY/yzXcxD7VrV+2 deOhGjCBpAYJKwYBBAGCNxAEMYGWMIGTMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRD b20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYG A1UEAxMvU3RhcnRDb20gQ2xhc3MgMiBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0ECAkgH MIGmBgsqhkiG9w0BCRACCzGBlqCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29t IEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV BAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBAgJIBzAN BgkqhkiG9w0BAQEFAASCAQA9/vA1TfQSOccwHaBxsO6FSKEgq+9x8VUIARsX/VY3PvAMAtF5kZ8/ 57GtZ771YYx9mHSFEPudjJGGqPKSymODMH9FztP62pV0eQwvPC4FUniDbjOwjtw35mmQEsgMmPN5 a/j3fIqbsXls7XeZtf+qL5YkuygW6mjFjkUfVkSztVL6+33HUrn3nou18VkYqVh5Rbf0p5OzOE9O AMlhMKR94HsR/K/5i/f28NhU8sYlFQdXZHR23s9FHe7F0UClyQ4+ZAusqLBf9uViGx1pF2GPV+eP tpZLp9X2Jay1GU4qofjunZ9p7x9bva/1xVgG1ZH6IMEW9xPMQAnetxMqumnkAAAAAAAA --Apple-Mail=_2519D241-BA48-494E-BAB9-27ECD4DF6DBD--