Re: WG Last Call Comment for 3280bis
"David A. Cooper" <david.cooper@nist.gov> Thu, 30 November 2006 23:06 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gpuyv-00089h-J7 for pkix-archive@lists.ietf.org; Thu, 30 Nov 2006 18:06:17 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gpuyu-0000UF-46 for pkix-archive@lists.ietf.org; Thu, 30 Nov 2006 18:06:17 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAULwRCI031330; Thu, 30 Nov 2006 14:58:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAULwRhX031329; Thu, 30 Nov 2006 14:58:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAULwQ4m031323 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 14:58:27 -0700 (MST) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id kAULwCXC007473; Thu, 30 Nov 2006 16:58:15 -0500
Received: from [129.6.54.72] (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.13.7/8.13.7) with ESMTP id kAULvkMx003463; Thu, 30 Nov 2006 16:57:47 -0500 (EST)
Message-ID: <456F542C.70502@nist.gov>
Date: Thu, 30 Nov 2006 16:59:08 -0500
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Thunderbird 1.5.0.7 (X11/20060921)
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>
CC: pkix <ietf-pkix@imc.org>
Subject: Re: WG Last Call Comment for 3280bis
References: <p06230901c176ab291249@[128.89.89.106]> <7.0.0.16.2.20061130131321.07712ea8@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061130131321.07712ea8@vigilsec.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b5d20af10c334b36874c0264b10f59f1
Russ,
I do not see how this proposed change relates to the recent discussions
about certificate suspension. I am also not in favor of the change that
you have proposed.
Your proposal states that clients that process the holdInstruction entry
extension must recognize the id-holdinstruction-reject instruction code,
but then says that conforming applications must perform the same action
(reject the certificate) whenever any of the three hold instruction
codes are encountered. So, what does it mean to recognize the
id-holdinstruction-reject instruction code but not the other two
instruction codes.
Since I don't have a copy of X9.57, I don't fully understand the
motivation for some of the codes. In particular, I don't understand the
difference between id-holdinstruction-reject and
id-holdinstruction-none. If the certificate is on hold and either the
holdInstruction entry extension is absent or is present and asserts
id-holdinstruction-none, aren't you going to reject the certificate just
as you would if the id-holdinstruction-reject instruction code were
asserted?
It seems to me that the only meaningful hold instruction code is
id-holdinstruction-callissuer, since it seems to be the only one that
doesn't say "do the same thing as you would have done if the
holdInstruction entry extension were not present". So, if we were going
to say that conforming CAs MUST NOT make use of the
id-holdinstruction-callissuer instruction code, why not just say that
conforming CAs MUST NOT include the holdInstruction entry extension? I
do not favor that solution though. The holdInstruction entry extension
is a non-critical extension, 3280/3280bis does not require clients to be
able to process the extension, and even clients that do process the
extension are permitted to simply reject certificates that include the
id-holdinstruction-callissuer instruction code rather than taking some
action to contact the issuer. So, what is the compelling reason to
suddenly forbid conforming CAs from using that instruction code?
Dave
Russ Housley wrote:
>
> I know that Steve Kent called the 3280bis closed on 11/7/2006, but the
> recent thread regarding on-hold needs to become a concrete proposal
> for a change in the text. Here is my suggestion.
>
> OLD TEXT:
>
> The following instruction codes have been defined. Conforming
> applications that process this extension MUST recognize the following
> instruction codes.
>
> holdInstruction OBJECT IDENTIFIER ::=
> { iso(1) member-body(2) us(840) x9-57(10040) 2 }
>
> id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
> id-holdinstruction-callissuer
> OBJECT IDENTIFIER ::= {holdInstruction 2}
> id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
>
> Conforming applications that encounter an id-holdinstruction-
> callissuer MUST call the certificate issuer or reject the
> certificate. Conforming applications that encounter an id-
> holdinstruction-reject MUST reject the certificate. The hold
> instruction id-holdinstruction-none is semantically equivalent to the
> absence of a holdInstructionCode, and its use is strongly deprecated
> for the Internet PKI.
>
> PROPOSED REPLACEMENT TEXT:
>
> The following instruction codes have been defined. Conforming
> applications that process this extension MUST recognize the
> id-holdinstruction-reject instruction code.
>
> holdInstruction OBJECT IDENTIFIER ::=
> { iso(1) member-body(2) us(840) x9-57(10040) 2 }
>
> id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
> id-holdinstruction-callissuer
> OBJECT IDENTIFIER ::= {holdInstruction 2}
> id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
>
> Conforming CAs MUST NOT make use of the
> id-holdinstruction-callissuer instruction code.
>
> Conforming applications that encounter any of these hold instruction
> codes MUST reject the certificate.
>
> Communities may elect to use additional hold instruction codes;
> however, caution ought to be exercised in adopting any additional
> hold instruction codes that might prevent use in a general context.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kB15qNSu077039; Thu, 30 Nov 2006 22:52:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kB15qN6g077038; Thu, 30 Nov 2006 22:52:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx12.bbn.com (mx12.bbn.com [128.33.0.81]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kB15qLKe077025 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 22:52:21 -0700 (MST) (envelope-from kent@bbn.com)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[196.192.2.69]) by mx12.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1Gq1Jm-000444-4O; Fri, 01 Dec 2006 00:52:14 -0500
Mime-Version: 1.0
Message-Id: <p06230906c19482491fb8@[196.192.2.69]>
In-Reply-To: <00e501c7147a$fcb2a440$5d85900a@wcwang>
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com><456B5D37.8020 307@nist.gov><456B90A7.1020306@drh-consultancy.demon.co.uk><016a01c712de$e 39ee6f0$5d85900a@wcwang><456C25FF.7050901@drh-consultancy.demon.co.uk><a7d 7da420611280634n244a28a7k7d257eb48fb762c0@mail.gmail.com> <p06230906c1923958038d@[10.1.33.49]><015d01c713af$b5212000$5d85900a@wcwang > <p0623090fc1937416eac7@[196.192.2.69]> <00e501c7147a$fcb2a440$5d85900a@wcwang>
Date: Fri, 1 Dec 2006 00:52:10 -0500
To: "Wen-Cheng Wang" <wcwang@cht.com.tw>
From: Stephen Kent <kent@bbn.com>
Subject: Re: on-hold certificates in CRLs
Cc: =?iso-8859-1?Q?=22Carlos_Gonz=E1lez=2DCadenas=22?= <carlos@gonzalez.name>, "Dr Stephen Henson" <lists@drh-consultancy.demon.co.uk>, "pkix" <ietf-pkix@imc.org>
Content-Type: multipart/alternative; boundary="============_-1047170161==_ma============"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--============_-1047170161==_ma============
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Wen-Cheng Wang,
I agree that the real world can be complex. It can also be
irrational, political, and driven by short term solutions that are
optimized for the convenience of those who create them. None of these
latter characteristics of the real world need influence our standards.
This WG has decided to deprecate some such real world solutions in
the past, e.g., a model that required an RP to check a X.500
directory entry to verify cert revocation status. This example was
one that involved a government-run PKI. That didn't make it right,
and so we "just said no," as Nancy Reagan would have :-).
Based on the model you suggest, if any government-run PKI "demands"
some feature of our standards, even if we believe it is technically a
bad idea, we would be compelled to accommodate such demands. That is
not the way the IETF works.
I wondered if your emphasis on not disagreeing with government-run
PKIs might derive from your employer's (Chungwa Telecom) own PKI
business, which issues smart cards and which have to comply with a
Taiwan government PKI Cert policy. But I looked at version 1.1 of
that CP and it does not require CAs to support suspension; it allows
a CA to offer the service and says that the CPS for the CA will
define the procedures associated with the service. So, at least in
this case, it appears that there is not a government mandate to
support suspension, but rather an individual CA decision.
Similarly, your comment "that we should care about the demand[sic] of
real world" suggests that if Microsoft adopts a convention for PKI
use in their OS we must endorse it too, because their products
certainly represent the "real world." Again, wrong standards forum
for that rationale.
Your argument is better with regard to the costs of re-issuance of
improperly revoked certs for smart cards. That is the only argument
you present that merits further consideration.
What really bothers me in the last paragraph is the assertion that
"the intention is to protect relying parties." Sometimes when I use
my credit card I am asked to produce a photo ID. I decline. The
merchant then says "this is for your protection." Nonsense. The
request for a photo ID is a measure used by the merchant to minimize
his risk of fraud, not to protect me against fraudulent charges that
might be incurred using my card (for which I would not be
responsible). The similarity between your argument and this one is
bothersome.
Revocation of a cert protects a relying party just fine. Having to
interpret a HOLD instruction introduces more complexity for RPs, and
if the outcome is to treat the cert as revoked at the point in time
while it is on hold, then the RP has an easier task if the cert IS
just revoked.
Steve
--============_-1047170161==_ma============
Content-Type: text/html; charset="us-ascii"
<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: on-hold certificates in
CRLs</title></head><body>
<div>Wen-Cheng Wang,<br>
</div>
<div>I agree that the real world can be complex. It can also be
irrational, political, and driven by short term solutions that are
optimized for the convenience of those who create them. None of these
latter characteristics of the real world need influence our
standards.</div>
<div><br>
This WG has decided to deprecate some such real world solutions in the
past, e.g., a model that required an RP to check a X.500 directory
entry to verify cert revocation status. This example was one that
involved a government-run PKI. That didn't make it right, and so we
"just said no," as Nancy Reagan would have :-).<br>
</div>
<div>Based on the model you suggest, if any government-run PKI
"demands" some feature of our standards, even if we believe
it is technically a bad idea, we would be compelled to accommodate
such demands. That is not the way the IETF works.</div>
<div><br></div>
<div>I wondered if your emphasis on not disagreeing with
government-run PKIs might derive from your employer's (Chungwa
Telecom) own PKI business, which issues smart cards and which have to
comply with a Taiwan government PKI Cert policy. But I looked at
version 1.1 of that CP and it does not require CAs to support
suspension; it allows a CA to<u> offer</u> the service and says that
the CPS for the CA will define the procedures associated with the
service. So, at least in this case, it appears that there is not a
government mandate to support suspension, but rather an individual CA
decision.</div>
<div><br></div>
<div>Similarly, your comment "that we should care about the
demand[sic] of real world" suggests that if Microsoft adopts a
convention for PKI use in their OS we must endorse it too, because
their products certainly represent the "real world." Again,
wrong standards forum for that rationale.</div>
<div><br></div>
<div>Your argument is better with regard to the costs of re-issuance
of improperly revoked certs for smart cards. That is the only argument
you present that merits further consideration.</div>
<div><br>
What really bothers me in the last paragraph is the assertion that
"the intention is to protect relying parties."
Sometimes when I use my credit card I am asked to produce a photo ID.
I decline. The merchant then says "this is for your
protection." Nonsense. The request for a photo ID is a
measure used by the merchant to minimize his risk of fraud, not to
protect me against fraudulent charges that might be incurred using my
card (for which I would not be responsible). The similarity between
your argument and this one is bothersome.<br>
</div>
<div>Revocation of a cert protects a relying party just fine. Having
to interpret a HOLD instruction introduces more complexity for RPs,
and if the outcome is to treat the cert as revoked at the point in
time while it is on hold, then the RP has an easier task if the cert
IS just revoked.</div>
<div><br>
Steve</div>
</body>
</html>
--============_-1047170161==_ma============--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAULwRCI031330; Thu, 30 Nov 2006 14:58:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAULwRhX031329; Thu, 30 Nov 2006 14:58:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAULwQ4m031323 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 14:58:27 -0700 (MST) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id kAULwCXC007473; Thu, 30 Nov 2006 16:58:15 -0500
Received: from [129.6.54.72] (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.13.7/8.13.7) with ESMTP id kAULvkMx003463; Thu, 30 Nov 2006 16:57:47 -0500 (EST)
Message-ID: <456F542C.70502@nist.gov>
Date: Thu, 30 Nov 2006 16:59:08 -0500
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Thunderbird 1.5.0.7 (X11/20060921)
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>
CC: pkix <ietf-pkix@imc.org>
Subject: Re: WG Last Call Comment for 3280bis
References: <p06230901c176ab291249@[128.89.89.106]> <7.0.0.16.2.20061130131321.07712ea8@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061130131321.07712ea8@vigilsec.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
I do not see how this proposed change relates to the recent discussions
about certificate suspension. I am also not in favor of the change that
you have proposed.
Your proposal states that clients that process the holdInstruction entry
extension must recognize the id-holdinstruction-reject instruction code,
but then says that conforming applications must perform the same action
(reject the certificate) whenever any of the three hold instruction
codes are encountered. So, what does it mean to recognize the
id-holdinstruction-reject instruction code but not the other two
instruction codes.
Since I don't have a copy of X9.57, I don't fully understand the
motivation for some of the codes. In particular, I don't understand the
difference between id-holdinstruction-reject and
id-holdinstruction-none. If the certificate is on hold and either the
holdInstruction entry extension is absent or is present and asserts
id-holdinstruction-none, aren't you going to reject the certificate just
as you would if the id-holdinstruction-reject instruction code were
asserted?
It seems to me that the only meaningful hold instruction code is
id-holdinstruction-callissuer, since it seems to be the only one that
doesn't say "do the same thing as you would have done if the
holdInstruction entry extension were not present". So, if we were going
to say that conforming CAs MUST NOT make use of the
id-holdinstruction-callissuer instruction code, why not just say that
conforming CAs MUST NOT include the holdInstruction entry extension? I
do not favor that solution though. The holdInstruction entry extension
is a non-critical extension, 3280/3280bis does not require clients to be
able to process the extension, and even clients that do process the
extension are permitted to simply reject certificates that include the
id-holdinstruction-callissuer instruction code rather than taking some
action to contact the issuer. So, what is the compelling reason to
suddenly forbid conforming CAs from using that instruction code?
Dave
Russ Housley wrote:
>
> I know that Steve Kent called the 3280bis closed on 11/7/2006, but the
> recent thread regarding on-hold needs to become a concrete proposal
> for a change in the text. Here is my suggestion.
>
> OLD TEXT:
>
> The following instruction codes have been defined. Conforming
> applications that process this extension MUST recognize the following
> instruction codes.
>
> holdInstruction OBJECT IDENTIFIER ::=
> { iso(1) member-body(2) us(840) x9-57(10040) 2 }
>
> id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
> id-holdinstruction-callissuer
> OBJECT IDENTIFIER ::= {holdInstruction 2}
> id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
>
> Conforming applications that encounter an id-holdinstruction-
> callissuer MUST call the certificate issuer or reject the
> certificate. Conforming applications that encounter an id-
> holdinstruction-reject MUST reject the certificate. The hold
> instruction id-holdinstruction-none is semantically equivalent to the
> absence of a holdInstructionCode, and its use is strongly deprecated
> for the Internet PKI.
>
> PROPOSED REPLACEMENT TEXT:
>
> The following instruction codes have been defined. Conforming
> applications that process this extension MUST recognize the
> id-holdinstruction-reject instruction code.
>
> holdInstruction OBJECT IDENTIFIER ::=
> { iso(1) member-body(2) us(840) x9-57(10040) 2 }
>
> id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
> id-holdinstruction-callissuer
> OBJECT IDENTIFIER ::= {holdInstruction 2}
> id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
>
> Conforming CAs MUST NOT make use of the
> id-holdinstruction-callissuer instruction code.
>
> Conforming applications that encounter any of these hold instruction
> codes MUST reject the certificate.
>
> Communities may elect to use additional hold instruction codes;
> however, caution ought to be exercised in adopting any additional
> hold instruction codes that might prevent use in a general context.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAULqPGp030793; Thu, 30 Nov 2006 14:52:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAULqPRI030792; Thu, 30 Nov 2006 14:52:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAULqOSp030770 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 14:52:25 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: WG Last Call Comment for 3280bis
Date: Thu, 30 Nov 2006 13:55:22 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C87905A65B6F@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: WG Last Call Comment for 3280bis
Thread-Index: AccUxya/TbaQlO9qSmycFaN81gNsowAAT1kg
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAULqPSp030787
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
4.2 of the 3280 Bis says "Communities may elect to use additional
extensions; however, caution ought to be exercised in adopting any
critical extensions in certificates that might prevent use in a
general context."
Given the context preceding in Section 4.2, I understand that one.
The phrase "that might prevent use in a general context" is still
unclear in the context of hold instruction. I suspect you mean that the
relying party may not understand the hold instruction. Note that
Section 5.3.2 states that the hold instruction is non-critical and hence
in my reading it can be ignored. Further, Section 6.3.3 says nothing
about processing hold instruction.
So:
The statement is not clear; and the statement can not be analogous to
treatment of critical unrecognized extensions.
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Thursday, November 30, 2006 4:31 PM
To: Santosh Chokhani; ietf-pkix@imc.org
Subject: RE: WG Last Call Comment for 3280bis
Santosh:
This is the same thing we say about using extensions that are not
defined in RFC 3280.
Russ
At 03:09 PM 11/30/2006, Santosh Chokhani wrote:
>Russ,
>
>The phrase "that might prevent use in a general context" is not clear.
>
>Do you mean prevent use of certificate, of hold reason code, or hold
>instruction, or something else?
>
>May be the following makes sense:
>
> "Communities may elect to use additional hold instruction codes;
> however, caution ought to be exercised in adopting any additional
> hold instruction codes since additional hold instruction codes may
>not be understood by all the relying parties"
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]
>On Behalf Of Russ Housley
>Sent: Thursday, November 30, 2006 1:24 PM
>To: ietf-pkix@imc.org
>Subject: WG Last Call Comment for 3280bis
>
>
>I know that Steve Kent called the 3280bis closed on 11/7/2006, but
>the recent thread regarding on-hold needs to become a concrete
>proposal for a change in the text. Here is my suggestion.
>
>OLD TEXT:
>
> The following instruction codes have been defined. Conforming
> applications that process this extension MUST recognize the
>following
> instruction codes.
>
> holdInstruction OBJECT IDENTIFIER ::=
> { iso(1) member-body(2) us(840) x9-57(10040) 2 }
>
> id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction
1}
> id-holdinstruction-callissuer
> OBJECT IDENTIFIER ::= {holdInstruction
2}
> id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction
3}
>
> Conforming applications that encounter an id-holdinstruction-
> callissuer MUST call the certificate issuer or reject the
> certificate. Conforming applications that encounter an id-
> holdinstruction-reject MUST reject the certificate. The hold
> instruction id-holdinstruction-none is semantically equivalent to
>the
> absence of a holdInstructionCode, and its use is strongly
deprecated
> for the Internet PKI.
>
>PROPOSED REPLACEMENT TEXT:
>
> The following instruction codes have been defined. Conforming
> applications that process this extension MUST recognize the
> id-holdinstruction-reject instruction code.
>
> holdInstruction OBJECT IDENTIFIER ::=
> { iso(1) member-body(2) us(840) x9-57(10040) 2 }
>
> id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction
1}
> id-holdinstruction-callissuer
> OBJECT IDENTIFIER ::= {holdInstruction
2}
> id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction
3}
>
> Conforming CAs MUST NOT make use of the
> id-holdinstruction-callissuer instruction code.
>
> Conforming applications that encounter any of these hold
instruction
> codes MUST reject the certificate.
>
> Communities may elect to use additional hold instruction codes;
> however, caution ought to be exercised in adopting any additional
> hold instruction codes that might prevent use in a general
context.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAULXI5D029032; Thu, 30 Nov 2006 14:33:18 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAULXIS3029031; Thu, 30 Nov 2006 14:33:18 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAULXHFA029015 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 14:33:17 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 15278 invoked by uid 0); 30 Nov 2006 21:31:26 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 30 Nov 2006 21:31:26 -0000
Message-Id: <7.0.0.16.2.20061130163023.07843130@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Thu, 30 Nov 2006 16:30:57 -0500
To: "Santosh Chokhani" <chokhani@orionsec.com>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: WG Last Call Comment for 3280bis
In-Reply-To: <82D5657AE1F54347A734BDD33637C87905A6594E@EXVS01.ex.dslextr eme.net>
References: <82D5657AE1F54347A734BDD33637C87905A6594E@EXVS01.ex.dslextreme.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Santosh:
This is the same thing we say about using extensions that are not
defined in RFC 3280.
Russ
At 03:09 PM 11/30/2006, Santosh Chokhani wrote:
>Russ,
>
>The phrase "that might prevent use in a general context" is not clear.
>
>Do you mean prevent use of certificate, of hold reason code, or hold
>instruction, or something else?
>
>May be the following makes sense:
>
> "Communities may elect to use additional hold instruction codes;
> however, caution ought to be exercised in adopting any additional
> hold instruction codes since additional hold instruction codes may
>not be understood by all the relying parties"
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
>On Behalf Of Russ Housley
>Sent: Thursday, November 30, 2006 1:24 PM
>To: ietf-pkix@imc.org
>Subject: WG Last Call Comment for 3280bis
>
>
>I know that Steve Kent called the 3280bis closed on 11/7/2006, but
>the recent thread regarding on-hold needs to become a concrete
>proposal for a change in the text. Here is my suggestion.
>
>OLD TEXT:
>
> The following instruction codes have been defined. Conforming
> applications that process this extension MUST recognize the
>following
> instruction codes.
>
> holdInstruction OBJECT IDENTIFIER ::=
> { iso(1) member-body(2) us(840) x9-57(10040) 2 }
>
> id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
> id-holdinstruction-callissuer
> OBJECT IDENTIFIER ::= {holdInstruction 2}
> id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
>
> Conforming applications that encounter an id-holdinstruction-
> callissuer MUST call the certificate issuer or reject the
> certificate. Conforming applications that encounter an id-
> holdinstruction-reject MUST reject the certificate. The hold
> instruction id-holdinstruction-none is semantically equivalent to
>the
> absence of a holdInstructionCode, and its use is strongly deprecated
> for the Internet PKI.
>
>PROPOSED REPLACEMENT TEXT:
>
> The following instruction codes have been defined. Conforming
> applications that process this extension MUST recognize the
> id-holdinstruction-reject instruction code.
>
> holdInstruction OBJECT IDENTIFIER ::=
> { iso(1) member-body(2) us(840) x9-57(10040) 2 }
>
> id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
> id-holdinstruction-callissuer
> OBJECT IDENTIFIER ::= {holdInstruction 2}
> id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
>
> Conforming CAs MUST NOT make use of the
> id-holdinstruction-callissuer instruction code.
>
> Conforming applications that encounter any of these hold instruction
> codes MUST reject the certificate.
>
> Communities may elect to use additional hold instruction codes;
> however, caution ought to be exercised in adopting any additional
> hold instruction codes that might prevent use in a general context.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUK6tA3019356; Thu, 30 Nov 2006 13:06:55 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUK6tPl019355; Thu, 30 Nov 2006 13:06:55 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUK6sLC019257 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 13:06:54 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: WG Last Call Comment for 3280bis
Date: Thu, 30 Nov 2006 12:09:52 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C87905A6594E@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: WG Last Call Comment for 3280bis
Thread-Index: AccUt6UeAmnpCiEOS5qeQqZB9hYxkQAA2ZqQ
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAUK6tLC019350
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
The phrase "that might prevent use in a general context" is not clear.
Do you mean prevent use of certificate, of hold reason code, or hold
instruction, or something else?
May be the following makes sense:
"Communities may elect to use additional hold instruction codes;
however, caution ought to be exercised in adopting any additional
hold instruction codes since additional hold instruction codes may
not be understood by all the relying parties"
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Russ Housley
Sent: Thursday, November 30, 2006 1:24 PM
To: ietf-pkix@imc.org
Subject: WG Last Call Comment for 3280bis
I know that Steve Kent called the 3280bis closed on 11/7/2006, but
the recent thread regarding on-hold needs to become a concrete
proposal for a change in the text. Here is my suggestion.
OLD TEXT:
The following instruction codes have been defined. Conforming
applications that process this extension MUST recognize the
following
instruction codes.
holdInstruction OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) x9-57(10040) 2 }
id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
id-holdinstruction-callissuer
OBJECT IDENTIFIER ::= {holdInstruction 2}
id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
Conforming applications that encounter an id-holdinstruction-
callissuer MUST call the certificate issuer or reject the
certificate. Conforming applications that encounter an id-
holdinstruction-reject MUST reject the certificate. The hold
instruction id-holdinstruction-none is semantically equivalent to
the
absence of a holdInstructionCode, and its use is strongly deprecated
for the Internet PKI.
PROPOSED REPLACEMENT TEXT:
The following instruction codes have been defined. Conforming
applications that process this extension MUST recognize the
id-holdinstruction-reject instruction code.
holdInstruction OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) x9-57(10040) 2 }
id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
id-holdinstruction-callissuer
OBJECT IDENTIFIER ::= {holdInstruction 2}
id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
Conforming CAs MUST NOT make use of the
id-holdinstruction-callissuer instruction code.
Conforming applications that encounter any of these hold instruction
codes MUST reject the certificate.
Communities may elect to use additional hold instruction codes;
however, caution ought to be exercised in adopting any additional
hold instruction codes that might prevent use in a general context.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUJJF2h014561; Thu, 30 Nov 2006 12:19:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUJJFiK014560; Thu, 30 Nov 2006 12:19:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUJJBxO014539 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 12:19:13 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kAUJJAEh004209; Thu, 30 Nov 2006 12:19:10 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Subject: RE: WG Last Call Comment for 3280bis
Date: Thu, 30 Nov 2006 10:42:25 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMAEIICEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <7.0.0.16.2.20061130131321.07712ea8@vigilsec.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
No objections.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Russ Housley
Sent: Thursday, November 30, 2006 10:24 AM
To: ietf-pkix@imc.org
Subject: WG Last Call Comment for 3280bis
I know that Steve Kent called the 3280bis closed on 11/7/2006, but
the recent thread regarding on-hold needs to become a concrete
proposal for a change in the text. Here is my suggestion.
OLD TEXT:
The following instruction codes have been defined. Conforming
applications that process this extension MUST recognize the following
instruction codes.
holdInstruction OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) x9-57(10040) 2 }
id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
id-holdinstruction-callissuer
OBJECT IDENTIFIER ::= {holdInstruction 2}
id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
Conforming applications that encounter an id-holdinstruction-
callissuer MUST call the certificate issuer or reject the
certificate. Conforming applications that encounter an id-
holdinstruction-reject MUST reject the certificate. The hold
instruction id-holdinstruction-none is semantically equivalent to the
absence of a holdInstructionCode, and its use is strongly deprecated
for the Internet PKI.
PROPOSED REPLACEMENT TEXT:
The following instruction codes have been defined. Conforming
applications that process this extension MUST recognize the
id-holdinstruction-reject instruction code.
holdInstruction OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) x9-57(10040) 2 }
id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
id-holdinstruction-callissuer
OBJECT IDENTIFIER ::= {holdInstruction 2}
id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
Conforming CAs MUST NOT make use of the
id-holdinstruction-callissuer instruction code.
Conforming applications that encounter any of these hold instruction
codes MUST reject the certificate.
Communities may elect to use additional hold instruction codes;
however, caution ought to be exercised in adopting any additional
hold instruction codes that might prevent use in a general context.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUINpFO007919; Thu, 30 Nov 2006 11:23:51 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUINpd2007918; Thu, 30 Nov 2006 11:23:51 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAUINn6d007908 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 11:23:50 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 32481 invoked by uid 0); 30 Nov 2006 18:23:44 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 30 Nov 2006 18:23:44 -0000
Message-Id: <7.0.0.16.2.20061130131321.07712ea8@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Thu, 30 Nov 2006 13:23:38 -0500
To: ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: WG Last Call Comment for 3280bis
In-Reply-To: <p06230901c176ab291249@[128.89.89.106]>
References: <p06230901c176ab291249@[128.89.89.106]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I know that Steve Kent called the 3280bis closed on 11/7/2006, but
the recent thread regarding on-hold needs to become a concrete
proposal for a change in the text. Here is my suggestion.
OLD TEXT:
The following instruction codes have been defined. Conforming
applications that process this extension MUST recognize the following
instruction codes.
holdInstruction OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) x9-57(10040) 2 }
id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
id-holdinstruction-callissuer
OBJECT IDENTIFIER ::= {holdInstruction 2}
id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
Conforming applications that encounter an id-holdinstruction-
callissuer MUST call the certificate issuer or reject the
certificate. Conforming applications that encounter an id-
holdinstruction-reject MUST reject the certificate. The hold
instruction id-holdinstruction-none is semantically equivalent to the
absence of a holdInstructionCode, and its use is strongly deprecated
for the Internet PKI.
PROPOSED REPLACEMENT TEXT:
The following instruction codes have been defined. Conforming
applications that process this extension MUST recognize the
id-holdinstruction-reject instruction code.
holdInstruction OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) x9-57(10040) 2 }
id-holdinstruction-none OBJECT IDENTIFIER ::= {holdInstruction 1}
id-holdinstruction-callissuer
OBJECT IDENTIFIER ::= {holdInstruction 2}
id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}
Conforming CAs MUST NOT make use of the
id-holdinstruction-callissuer instruction code.
Conforming applications that encounter any of these hold instruction
codes MUST reject the certificate.
Communities may elect to use additional hold instruction codes;
however, caution ought to be exercised in adopting any additional
hold instruction codes that might prevent use in a general context.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUI0lRV004662; Thu, 30 Nov 2006 11:00:47 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUI0lSa004661; Thu, 30 Nov 2006 11:00:47 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUI0kYU004646 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 11:00:46 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kAUI0Rc0001362; Thu, 30 Nov 2006 11:00:27 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Sharon Boeyen" <sharon.boeyen@entrust.com>, "'Stephen Farrell'" <stephen.farrell@cs.tcd.ie>, "pkix" <ietf-pkix@imc.org>
Subject: RE: on-hold certificates in CRLs
Date: Thu, 30 Nov 2006 09:23:40 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMAEIHCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0004_01C71461.38F1C360"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <04398A2C9F306C4690265C144089972D23E62E@sottexch1.corp.ad.entrust.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_0004_01C71461.38F1C360
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
RE: on-hold certificates in CRLsI too agree with Stephen. Whether listed as
suspended or revoked, from a relying party perspective certificates
proffered in either state are not trustworthy. Rather than legitimize a
questionable interpretation, I think we should strive for simplicity and
thus not move forward on a work item in this regard.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]On
Behalf Of Sharon Boeyen
Sent: Thursday, November 30, 2006 8:31 AM
To: 'Stephen Farrell'; pkix
Subject: RE: on-hold certificates in CRLs
Stephen, I tend to agree with you on this one. Suspension (in my opinion -
as editor of X.509 for a number of years) was originally intended simply as
a way for a CA to temporarily revoke a certificate in a situation where the
CA needed to do further investigation to determine whether or not it should
actually be revoked. Once that investigation was completed, the final status
of the certificate is indicated either by removing it from the CRL
(indicating that it was actually fine) or changing its revocation reason to
the real one. Nothing more and nothing less. As for "interpretations" I do
agree there are many as with many other parts of X.509 and RFC 3280.
However, that doesn't mean we should change the standard.
Cheers,
Sharon
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Stephen Farrell
Sent: Thursday, November 30, 2006 8:13 AM
To: pkix
Subject: Re: on-hold certificates in CRLs
Wen-Cheng Wang wrote:
> Yes, I second that we should start a working item on a reliable,
> verifiable, and
> interoperabile suspension mechanism.
Count me as a -1 for that. I don't believe we do want a suspension
mechanism really.
Stephen.
------=_NextPart_000_0004_01C71461.38F1C360
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: on-hold certificates in CRLs</TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1578" name=3DGENERATOR></HEAD>
<BODY>
<DIV><SPAN class=3D519310917-30112006><FONT face=3D"Courier New" =
size=3D2>I too agree=20
with Stephen. Whether listed as suspended or revoked, from a =
relying=20
party perspective certificates proffered in either state are not=20
trustworthy. Rather than legitimize a questionable =
interpretation, I=20
think we should strive for simplicity and thus not move forward on a =
work item=20
in this regard.</FONT></SPAN></DIV>
<DIV><SPAN class=3D519310917-30112006><FONT face=3D"Courier New"=20
size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D519310917-30112006><FONT face=3D"Courier New"=20
size=3D2>Mike</FONT></SPAN></DIV>
<BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px">
<DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT =
face=3D"Courier New"=20
size=3D2>-----Original Message-----<BR><B>From:</B> =
owner-ietf-pkix@mail.imc.org=20
[mailto:owner-ietf-pkix@mail.imc.org]<B>On Behalf Of </B>Sharon=20
Boeyen<BR><B>Sent:</B> Thursday, November 30, 2006 8:31 =
AM<BR><B>To:</B>=20
'Stephen Farrell'; pkix<BR><B>Subject:</B> RE: on-hold certificates in =
CRLs<BR><BR></FONT></DIV>
<P><FONT face=3D"Courier New" size=3D2>Stephen, I tend to agree with =
you on this=20
one. Suspension (in my opinion - as editor of X.509 for a number of =
years) was=20
originally intended simply as a way for a CA to temporarily revoke a=20
certificate in a situation where the CA needed to do further =
investigation to=20
determine whether or not it should actually be revoked. Once that=20
investigation was completed, the final status of the certificate is =
indicated=20
either by removing it from the CRL (indicating that it was actually =
fine) or=20
changing its revocation reason to the real one. Nothing more and =
nothing less.=20
As for "interpretations" I do agree there are many as with many other =
parts of=20
X.509 and RFC 3280. However, that doesn't mean we should change the=20
standard.</FONT></P>
<P><FONT face=3D"Courier New"><FONT size=3D2>Cheers,</FONT> <BR><FONT=20
size=3D2>Sharon </FONT></FONT></P>
<P><FONT face=3D"Courier New"><FONT size=3D2>-----Original =
Message-----</FONT>=20
<BR><FONT size=3D2>From: owner-ietf-pkix@mail.imc.org [<A=20
href=3D"mailto:owner-ietf-pkix@mail.imc.org"><FONT=20
color=3D#000000>mailto:owner-ietf-pkix@mail.imc.org</FONT></A>] On =
Behalf Of=20
Stephen Farrell</FONT> <BR><FONT size=3D2>Sent: Thursday, November 30, =
2006 8:13=20
AM</FONT> <BR><FONT size=3D2>To: pkix</FONT> <BR><FONT =
size=3D2>Subject: Re:=20
on-hold certificates in CRLs</FONT> </FONT></P><BR><BR><BR><BR>
<P><FONT face=3D"Courier New"><FONT size=3D2>Wen-Cheng Wang =
wrote:</FONT>=20
<BR><FONT size=3D2>> Yes, I second that we should start a working =
item on a=20
reliable,</FONT> <BR><FONT size=3D2>> verifiable, and</FONT> =
<BR><FONT=20
size=3D2>> interoperabile suspension mechanism.</FONT> </FONT></P>
<P><FONT face=3D"Courier New"><FONT size=3D2>Count me as a -1 for =
that. I don't=20
believe we do want a suspension mechanism really.</FONT> </FONT></P>
<P><FONT face=3D"Courier New"><FONT size=3D2>Stephen.</FONT>=20
</FONT></P></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_0004_01C71461.38F1C360--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUGVYaF094883; Thu, 30 Nov 2006 09:31:34 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUGVYlb094882; Thu, 30 Nov 2006 09:31:34 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from sottccs2.entrust.com (sottccs2.entrust.com [216.191.252.16]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAUGVW5K094860 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 09:31:33 -0700 (MST) (envelope-from sharon.boeyen@entrust.com)
Received: (qmail 2773 invoked from network); 30 Nov 2006 16:31:14 -0000
Received: from sharon.boeyen@entrust.com by sottccs2.entrust.com with EntrustECS-Server-8.0;30 Nov 2006 16:31:14 -0000
Received: from sottmxs00.entrust.com (10.4.61.22) by sottccs2.entrust.com with SMTP; 30 Nov 2006 16:31:14 -0000
Received: by sottmxs00.entrust.com with Internet Mail Service (5.5.2657.72) id <WQB392LK>; Thu, 30 Nov 2006 11:31:18 -0500
Message-ID: <04398A2C9F306C4690265C144089972D23E62E@sottexch1.corp.ad.entrust.com>
From: Sharon Boeyen <sharon.boeyen@entrust.com>
To: "'Stephen Farrell'" <stephen.farrell@cs.tcd.ie>, pkix <ietf-pkix@imc.org>
Subject: RE: on-hold certificates in CRLs
Date: Thu, 30 Nov 2006 11:31:16 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C7149C.1EA448E1"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C7149C.1EA448E1
Content-Type: text/plain
Stephen, I tend to agree with you on this one. Suspension (in my opinion -
as editor of X.509 for a number of years) was originally intended simply as
a way for a CA to temporarily revoke a certificate in a situation where the
CA needed to do further investigation to determine whether or not it should
actually be revoked. Once that investigation was completed, the final status
of the certificate is indicated either by removing it from the CRL
(indicating that it was actually fine) or changing its revocation reason to
the real one. Nothing more and nothing less. As for "interpretations" I do
agree there are many as with many other parts of X.509 and RFC 3280.
However, that doesn't mean we should change the standard.
Cheers,
Sharon
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On
Behalf Of Stephen Farrell
Sent: Thursday, November 30, 2006 8:13 AM
To: pkix
Subject: Re: on-hold certificates in CRLs
Wen-Cheng Wang wrote:
> Yes, I second that we should start a working item on a reliable,
> verifiable, and
> interoperabile suspension mechanism.
Count me as a -1 for that. I don't believe we do want a suspension mechanism
really.
Stephen.
------_=_NextPart_001_01C7149C.1EA448E1
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2658.34">
<TITLE>RE: on-hold certificates in CRLs</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=3D2>Stephen, I tend to agree with you on this one. =
Suspension (in my opinion - as editor of X.509 for a number of years) =
was originally intended simply as a way for a CA to temporarily revoke =
a certificate in a situation where the CA needed to do further =
investigation to determine whether or not it should actually be =
revoked. Once that investigation was completed, the final status of the =
certificate is indicated either by removing it from the CRL (indicating =
that it was actually fine) or changing its revocation reason to the =
real one. Nothing more and nothing less. As for =
"interpretations" I do agree there are many as with many =
other parts of X.509 and RFC 3280. However, that doesn't mean we should =
change the standard.</FONT></P>
<P><FONT SIZE=3D2>Cheers,</FONT>
<BR><FONT SIZE=3D2>Sharon </FONT>
</P>
<P><FONT SIZE=3D2>-----Original Message-----</FONT>
<BR><FONT SIZE=3D2>From: owner-ietf-pkix@mail.imc.org [<A =
HREF=3D"mailto:owner-ietf-pkix@mail.imc.org">mailto:owner-ietf-pkix@mail=
.imc.org</A>] On Behalf Of Stephen Farrell</FONT>
<BR><FONT SIZE=3D2>Sent: Thursday, November 30, 2006 8:13 AM</FONT>
<BR><FONT SIZE=3D2>To: pkix</FONT>
<BR><FONT SIZE=3D2>Subject: Re: on-hold certificates in CRLs</FONT>
</P>
<BR>
<BR>
<BR>
<BR>
<P><FONT SIZE=3D2>Wen-Cheng Wang wrote:</FONT>
<BR><FONT SIZE=3D2>> Yes, I second that we should start a working =
item on a reliable,</FONT>
<BR><FONT SIZE=3D2>> verifiable, and</FONT>
<BR><FONT SIZE=3D2>> interoperabile suspension mechanism.</FONT>
</P>
<P><FONT SIZE=3D2>Count me as a -1 for that. I don't believe we do want =
a suspension mechanism really.</FONT>
</P>
<P><FONT SIZE=3D2>Stephen.</FONT>
</P>
</BODY>
</HTML>
------_=_NextPart_001_01C7149C.1EA448E1--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUDBqR7071267; Thu, 30 Nov 2006 06:11:52 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUDBq3b071266; Thu, 30 Nov 2006 06:11:52 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from imx2.tcd.ie (imx2.tcd.ie [134.226.1.156]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUDBoIM071257 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 06:11:51 -0700 (MST) (envelope-from stephen.farrell@cs.tcd.ie)
Received: from Vams.imx2 (imx2.tcd.ie [134.226.1.156]) by imx2.tcd.ie (Postfix) with SMTP id AAB61686CE for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 13:11:44 +0000 (GMT)
Received: from imx2.tcd.ie ([134.226.1.156]) by imx2.tcd.ie ([134.226.1.156]) with SMTP (gateway) id A05405A74BF; Thu, 30 Nov 2006 13:11:44 +0000
Received: from [127.0.0.1] (cswireless62-130.cs.tcd.ie [134.226.62.130]) by imx2.tcd.ie (Postfix) with ESMTP id 9A714686CE for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 13:11:44 +0000 (GMT)
Message-ID: <456ED8C9.50505@cs.tcd.ie>
Date: Thu, 30 Nov 2006 13:12:41 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov> <456B90A7.1020306@drh-consultancy.demon.co.uk> <016a01c712de$e39ee6f0$5d85900a@wcwang> <456C25FF.7050901@drh-consultancy.demon.co.uk><a7d7da420611280634n244a28a7k7d257eb48fb762c0@mail.gmail.com> <p06230906c1923958038d@[10.1.33.49]> <015d01c713af$b5212000$5d85900a@wcwang> <456E216F.7080605@cs.dartmouth.edu> <00ed01c7147d$f6995560$5d85900a@wcwang>
In-Reply-To: <00ed01c7147d$f6995560$5d85900a@wcwang>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiVirus-Status: MessageID = A15405A74BF
X-AntiVirus-Status: Host: imx2.tcd.ie
X-AntiVirus-Status: Action Taken:
X-AntiVirus-Status: NONE
X-AntiVirus-Status: Checked by TCD Vexira. (version=1.56.3 VDF=8.1417)
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Wen-Cheng Wang wrote:
> Yes, I second that we should start a working item on a reliable,
> verifiable, and
> interoperabile suspension mechanism.
Count me as a -1 for that. I don't believe we do want a suspension
mechanism really.
Stephen.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUCq1kj068987; Thu, 30 Nov 2006 05:52:01 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUCq1ok068986; Thu, 30 Nov 2006 05:52:01 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from auth2.cht.com.tw (esmtpo2.cht.com.tw [202.39.168.17]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUCq0uL068973 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 05:52:00 -0700 (MST) (envelope-from wcwang@cht.com.tw)
Received: from auth2.cht.com.tw (localhost.localdomain [127.0.0.1]) by localhost.cht.com.tw (Postfix) with ESMTP id CE8C42CC285; Thu, 30 Nov 2006 20:51:54 +0800 (CST)
Received: from wcwang (unknown [10.144.133.93]) by auth2.cht.com.tw (Postfix) with SMTP id A7B502CC229; Thu, 30 Nov 2006 20:51:54 +0800 (CST)
Message-ID: <00f101c7147e$4e7cb920$5d85900a@wcwang>
From: "Wen-Cheng Wang" <wcwang@cht.com.tw>
To: "Peter Lipp" <peter.lipp@iaik.tugraz.at>, "'pkix'" <ietf-pkix@imc.org>
References: <00b701c7146d$0118ecf0$1658a8c0@iaik.tugraz.at>
Subject: Re: on-hold certificates in CRLs
Date: Thu, 30 Nov 2006 20:51:49 +0800
Organization: Chunghwa Telecom
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="ISO-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Peter Lipp wrote:
>
>> If the PKIXWG deprecates "certificate suspension", ....
>>...this is not good for the interoperability.
> Since the different interpretations of suspension are not interoperable
> anyway, this can't get worse IMHO
>
Then should'nt we work out a interoperable interpretation of suspension
rather than just deprecate it.
Wen-Cheng Wang
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUCnaPC068721; Thu, 30 Nov 2006 05:49:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUCnaAb068720; Thu, 30 Nov 2006 05:49:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from auth2.cht.com.tw (esmtpo2.cht.com.tw [202.39.168.17]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUCnXba068699 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 05:49:35 -0700 (MST) (envelope-from wcwang@cht.com.tw)
Received: from auth2.cht.com.tw (localhost.localdomain [127.0.0.1]) by localhost.cht.com.tw (Postfix) with ESMTP id 633622CC280; Thu, 30 Nov 2006 20:49:27 +0800 (CST)
Received: from wcwang (unknown [10.144.133.93]) by auth2.cht.com.tw (Postfix) with SMTP id 39E112CC229; Thu, 30 Nov 2006 20:49:27 +0800 (CST)
Message-ID: <00ed01c7147d$f6995560$5d85900a@wcwang>
From: "Wen-Cheng Wang" <wcwang@cht.com.tw>
To: "Massimiliano Pala" <pala@cs.dartmouth.edu>, "pkix" <ietf-pkix@imc.org>
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov> <456B90A7.1020306@drh-consultancy.demon.co.uk> <016a01c712de$e39ee6f0$5d85900a@wcwang> <456C25FF.7050901@drh-consultancy.demon.co.uk><a7d7da420611280634n244a28a7k7d257eb48fb762c0@mail.gmail.com> <p06230906c1923958038d@[10.1.33.49]> <015d01c713af$b5212000$5d85900a@wcwang> <456E216F.7080605@cs.dartmouth.edu>
Subject: Re: on-hold certificates in CRLs
Date: Thu, 30 Nov 2006 20:49:17 +0800
Organization: Chunghwa Telecom
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="big5"; reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Massimiliano Pala wrote:
>
> I guess this is not the point, my understanding is "are we suggesting the
> wrong thing to do ?", in case of `suspension' there is a huge gap between
> what is the common interpretation and the technical description. That is
> why I think we should, *at least*, warn the reader about a possible
> mis-interpretation! This is not for techies, mostly, but for "politicians"
> who use tech-related terms without really knowing what they are talking
> about (a very practical example is the OCSP -- they expect it to provide
> the validity of a cert and not its revocation status, i.e. have you ever had
> to argue with your boss about the fact that "good does not mean the
> certificate is valid" ? :-/ )
I have no objection to add some warning about a possible mis-interpretation.
But to deprecate the suspension mechanism? That is another thing.
>
> Sorry, but I think it differently. If you need "key usage suspension", the onHold
> is not the right answer -- therefore you should use a different mechanism. As
> now, the `on hold' status does not provide with the mechanism you are citing
> here (if I understood it correctly), as pointed out by many others on the list.
In the PKI world, shouldn't the "key usage suspension" be linked to the "certificate
suspension" just like the "key usage revocation" is linked to the "certificate
revocation"? Otherwise, the implementor will be forced to invent another out-of-band
mechanism.
>
> Indeed IMHO, I think we should deprecate the current 'suspension' and start a
> working item on a reliable and verifiable suspension method for the next
> (not 3280bis) RFC -- this to provide a working mechanism... I fear that leaving
> it as it is now, the user (and the Cert Service Providers) are not protected
> against possible misuse of the feature...
>
Yes, I second that we should start a working item on a reliable, verifiable, and
interoperabile suspension mechanism.
Wen-Cheng Wang
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUCSH7r066579; Thu, 30 Nov 2006 05:28:17 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUCSHiL066578; Thu, 30 Nov 2006 05:28:17 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from auth1.cht.com.tw (esmtpo1.cht.com.tw [202.39.168.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUCSF2I066570 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 05:28:16 -0700 (MST) (envelope-from wcwang@cht.com.tw)
Received: from auth1.cht.com.tw (localhost.localdomain [127.0.0.1]) by localhost.cht.com.tw (Postfix) with ESMTP id 45A5E2CC296; Thu, 30 Nov 2006 20:28:09 +0800 (CST)
Received: from wcwang (unknown [10.144.133.93]) by auth1.cht.com.tw (Postfix) with SMTP id EAEE62CC275; Thu, 30 Nov 2006 20:28:08 +0800 (CST)
Message-ID: <00e501c7147a$fcb2a440$5d85900a@wcwang>
From: "Wen-Cheng Wang" <wcwang@cht.com.tw>
To: "Stephen Kent" <kent@bbn.com>
Cc: =?ISO-8859-1?Q?=22Carlos_Gonz=E1lez-Cadenas=22?= <carlos@gonzalez.name>, "Dr Stephen Henson" <lists@drh-consultancy.demon.co.uk>, "pkix" <ietf-pkix@imc.org>
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com><456B5D37.8020307@nist.gov><456B90A7.1020306@drh-consultancy.demon.co.uk><016a01c712de$e39ee6f0$5d85900a@wcwang><456C25FF.7050901@drh-consultancy.demon.co.uk><a7d7da420611280634n244a28a7k7d257eb48fb762c0@mail.gmail.com> <p06230906c1923958038d@[10.1.33.49]><015d01c713af$b5212000$5d85900a@wcwang> <p0623090fc1937416eac7@[196.192.2.69]>
Subject: Re: on-hold certificates in CRLs
Date: Thu, 30 Nov 2006 20:28:00 +0800
Organization: Chunghwa Telecom
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00E2_01C714BE.07628F70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_00E2_01C714BE.07628F70
Content-Type: text/plain;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Re: on-hold certificates in CRLs
Stephen Kent wrote:
The IETF has consistently chosen to NOT to pay heed to legislative =
demands imposed by countries in the crypto area, for many years. See =
the RFCs for S/MINE and TLS as examples. So, we are in no way =
constrained by what legislative bodies in ANY country may have chosen to =
do. (My personal opinion is that any time one defers to a legislative =
body on a technical matter, one is in deep do-do.)
Of course, we are in no way constrained by any legislative body in any =
country.
But, my point is that we should not deviate from the reality.
I am a technical person too. Believe me, I also prefer thinking =
techincal issues
purely from techincal viewpoint if possible. Unfortunately, the reality =
is there, the
real world is complex. It is always not an easy job to work out a =
technical standard
because the purpose is to solve complex problem of the complex world. =
Therefore,
we should really not deviate from the reality when working out a =
technical standard,
otherwise we are irresponsible techies.
The reality is a great percentage of X.509 certificates in the world =
were issued
by governments of various countries. Why? Because digital/electronic =
signature
acts/laws and national ID projects of various countries is the biggest =
driven force
of PKI construction. Think about millions of X.509 certificates issued =
by verious
government PKI's.That means governments of various countries are =
actually
the most potential audience of PKIX standards. Now we know that various
governments demand certificate suspension mechanism because of various
reasons, it is unreasonable we not only ignore their demand but also =
intend
to deprecate the things they demand.
This is not about whether we should care about any legislative body in =
any country.
This is about we should care about the demand of the real world.
Suspension is a wimpy approach to revocation. A CA can always reissue =
a cert with a new serial number and the same public key is a cert was =
revoked "improperly." Suspension is just a way for a CA to avoid legal =
liability.
Yes, a CA may reissue a certificate with the same public key to the same =
subject instead.
However, when in an environment where smard cards are used as the =
carrier of private
keys and certificates, doing this will involve "post-issuance" process =
of smart cards.
Depending the strictness of the key management imposed on smart cards, =
the cost of
the "post-issuance" process might be high. In the reality, the cost does =
matter. Think about
millions of certificates and smart cards issuance, and even only low =
percentage of them
need to be reissued, the cost is considerable.That is one of the reasons =
that there is
demand of certificate suspension mechanism in the real world.
I do not think suspension is just a way for a CA to avoid legal =
liability. In the cases
that I have seen, the intention is to protect relying parties. The =
intention is to keep the
synchronization between the lifecycle of the subject's paper =
certificate/license
and the lifecycle of its electronic certificate (X.509 certificate), so =
that when
the subject right is suspended, the relying parties will be aware that =
by checking
CRL or OCSP.
Wen-Cheng Wang
------=_NextPart_000_00E2_01C714BE.07628F70
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Re: on-hold certificates in CRLs</TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<STYLE type=3Dtext/css>BLOCKQUOTE {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
DL {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
UL {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
OL {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
LI {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
</STYLE>
<META content=3D"MSHTML 6.00.2900.2995" name=3DGENERATOR></HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT size=3D2></FONT> </DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV><FONT size=3D2></FONT>Stephen Kent wrote:</DIV>
<DIV><FONT size=3D2></FONT><BR> </DIV>
<DIV>The IETF has consistently chosen to NOT to pay heed to =
legislative=20
demands imposed by countries in the crypto area, for many years. =
See the=20
RFCs for S/MINE and TLS as examples. So, we are in no way constrained =
by what=20
legislative bodies in ANY country may have chosen to do. (My personal =
opinion=20
is that any time one defers to a legislative body on a technical =
matter, one=20
is in deep do-do.)</DIV></BLOCKQUOTE>
<DIV dir=3Dltr>Of course, we are in no way constrained by any =
legislative body=20
in any country.</DIV>
<DIV dir=3Dltr> But, my point is that we should not deviate from =
the=20
reality.</DIV>
<DIV dir=3Dltr>I am a technical person too. Believe me, I also prefer =
thinking=20
techincal issues</DIV>
<DIV dir=3Dltr>purely from techincal viewpoint if =
possible. Unfortunately,=20
the reality is there, the</DIV>
<DIV dir=3Dltr>real world is complex. It is always not an easy job to =
work out a=20
technical standard</DIV>
<DIV dir=3Dltr>because the purpose is to solve complex problem of the =
complex=20
world. Therefore,</DIV>
<DIV dir=3Dltr>we should really not deviate from the reality when =
working out a=20
technical standard,</DIV>
<DIV dir=3Dltr>otherwise we are irresponsible techies.</DIV>
<DIV dir=3Dltr><FONT size=3D2></FONT> </DIV>
<DIV dir=3Dltr>The reality is a great percentage of X.509 =
certificates in the=20
world were issued</DIV>
<DIV dir=3Dltr>by governments of various countries. Why? Because=20
digital/electronic signature</DIV>
<DIV dir=3Dltr>acts/laws and national ID projects of =
various countries=20
is the biggest driven force</DIV>
<DIV dir=3Dltr>of PKI construction. Think about millions of X.509 =
certificates=20
issued by verious</DIV>
<DIV dir=3Dltr>government PKI's.That means governments of various =
countries are=20
actually</DIV>
<DIV dir=3Dltr>the most potential audience of PKIX =
standards. Now we=20
know that various</DIV>
<DIV dir=3Dltr>governments demand certificate suspension mechanism =
because of=20
various</DIV>
<DIV dir=3Dltr>reasons, it is unreasonable we not only ignore their =
demand but=20
also intend</DIV>
<DIV dir=3Dltr>to deprecate the things they demand.</DIV>
<DIV dir=3Dltr> </DIV>
<DIV dir=3Dltr>This is not about whether we should care about any =
legislative body=20
in any country.</DIV>
<DIV dir=3Dltr>This is about we should care about the demand of the real =
world.</DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV><FONT face=3D新細明體 =
size=3D2></FONT><FONT face=3D新細明體 =
size=3D2></FONT><FONT=20
face=3D新細明體 size=3D2></FONT><BR></DIV>
<DIV>Suspension is a wimpy approach to revocation. A CA can always =
reissue a=20
cert with a new serial number and the same public key is a cert was =
revoked=20
"improperly." Suspension is just a way for a CA to avoid legal=20
liability.</DIV>
<DIV><FONT size=3D2></FONT> </DIV></BLOCKQUOTE>
<DIV dir=3Dltr><FONT size=3D2><FONT size=3D3>Yes,</FONT> </FONT>a =
CA may reissue=20
a certificate with the same public key to the same subject =
instead.</DIV>
<DIV dir=3Dltr>However, when in an environment where smard cards are =
used as the=20
carrier of private</DIV>
<DIV dir=3Dltr>keys and certificates, doing this=20
will involve "post-issuance" process of smart cards.</DIV>
<DIV dir=3Dltr>Depending the strictness of the key =
management imposed on=20
smart cards, the cost of</DIV>
<DIV dir=3Dltr>the "post-issuance" process might be high. In the =
reality, the cost=20
does matter. Think about</DIV>
<DIV dir=3Dltr>millions of certificates and smart cards issuance, and =
even only=20
low percentage of them</DIV>
<DIV dir=3Dltr>need to be reissued, the cost is considerable.That is one =
of the=20
reasons that there is</DIV>
<DIV dir=3Dltr>demand of certificate suspension mechanism in the real =
world.</DIV>
<DIV dir=3Dltr> </DIV>
<DIV dir=3Dltr><FONT face=3D新細明體 =
size=3D2><FONT face=3DArial size=3D3>I</FONT> <FONT=20
face=3DArial size=3D3>do not think suspension is just a way for a CA to =
avoid legal=20
liability. In the cases</FONT></FONT></DIV>
<DIV dir=3Dltr><FONT face=3D新細明體 =
size=3D2><FONT face=3DArial size=3D3>that </FONT></FONT>I=20
have seen, the intention is to protect relying parties. The intention is =
to keep the</DIV>
<DIV dir=3Dltr>
<DIV dir=3Dltr>synchronization between the lifecycle of the subject's =
paper=20
certificate/license</DIV>
<DIV dir=3Dltr>and the lifecycle of its electronic certificate (X.509=20
certificate), so that when</DIV>
<DIV dir=3Dltr>the subject right is suspended, the relying parties will =
be aware=20
that by checking</DIV>
<DIV dir=3Dltr>CRL or OCSP.</DIV>
<DIV dir=3Dltr> </DIV>
<DIV dir=3Dltr>Wen-Cheng Wang</DIV></DIV></BODY></HTML>
------=_NextPart_000_00E2_01C714BE.07628F70--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUAmCK8053976; Thu, 30 Nov 2006 03:48:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUAmCOT053975; Thu, 30 Nov 2006 03:48:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailrelay1.tugraz.at (mailrelay.tu-graz.ac.at [129.27.2.202]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUAmAao053949 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 03:48:11 -0700 (MST) (envelope-from peter.lipp@iaik.tugraz.at)
Received: from thor.iaik.tugraz.at (mail1.iaik.tugraz.at [129.27.152.30]) by mailrelay1.tugraz.at (8.13.8/8.13.8) with ESMTP id kAUAlwcf009777 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 11:47:58 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by thor.iaik.tugraz.at (Postfix) with ESMTP id C729719C007 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 11:47:58 +0100 (CET)
Received: from thor.iaik.tugraz.at ([127.0.0.1]) by localhost (thor [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31605-06 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 11:47:58 +0100 (CET)
Received: from NOTEBOOKLIPP (notebooklipp.iaik.tugraz.at [129.27.152.68]) by thor.iaik.tugraz.at (Postfix) with ESMTP id AA542194008 for <ietf-pkix@imc.org>; Thu, 30 Nov 2006 11:47:58 +0100 (CET)
From: "Peter Lipp" <peter.lipp@iaik.tugraz.at>
To: "'pkix'" <ietf-pkix@imc.org>
Subject: AW: on-hold certificates in CRLs
Date: Thu, 30 Nov 2006 11:48:00 +0100
Message-ID: <00b701c7146d$0118ecf0$1658a8c0@iaik.tugraz.at>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-Index: AccTtuf2IpWfYZ6/RXOB2XltV2D9KQAtbSmg
In-Reply-To: <015d01c713af$b5212000$5d85900a@wcwang>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at iaik.tugraz.at
X-Spam-Scanner: SpamAssassin 3.001007
X-Spam-Score-relay: -2.6
X-Scanned-By: MIMEDefang 2.58 on 129.27.10.18
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
> If the PKIXWG deprecates "certificate suspension", ....
>...this is not good for the interoperability.
Since the different interpretations of suspension are not interoperable
anyway, this can't get worse IMHO
Peter
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAU5sVkj027061; Wed, 29 Nov 2006 22:54:31 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAU5sVv5027060; Wed, 29 Nov 2006 22:54:31 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx12.bbn.com (mx12.bbn.com [128.33.0.81]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAU5sT4R027051 for <ietf-pkix@imc.org>; Wed, 29 Nov 2006 22:54:29 -0700 (MST) (envelope-from kent@bbn.com)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[196.192.2.69]) by mx12.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1GpesI-0007Cg-42; Thu, 30 Nov 2006 00:54:23 -0500
Mime-Version: 1.0
Message-Id: <p0623090fc1937416eac7@[196.192.2.69]>
In-Reply-To: <015d01c713af$b5212000$5d85900a@wcwang>
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov> <456B90A7.1020306@drh-consultancy.demon.co.uk> <016a01c712de$e39ee6f0$5d85900a@wcwang> <456C25FF.7050901@drh-consultancy.demon.co.uk><a7d7da420611280634n244a28a7 k7d257eb48fb762c0@mail.gmail.com> <p06230906c1923958038d@[10.1.33.49]> <015d01c713af$b5212000$5d85900a@wcwang>
Date: Wed, 29 Nov 2006 12:35:25 -0500
To: "Wen-Cheng Wang" <wcwang@cht.com.tw>
From: Stephen Kent <kent@bbn.com>
Subject: Re: on-hold certificates in CRLs
Cc: =?iso-8859-1?Q?=22Carlos_Gonz=E1lez=2DCadenas=22?= <carlos@gonzalez.name>, "Dr Stephen Henson" <lists@drh-consultancy.demon.co.uk>, "pkix" <ietf-pkix@imc.org>
Content-Type: multipart/alternative; boundary="============_-1047256433==_ma============"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--============_-1047256433==_ma============
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
At 8:12 PM +0800 11/29/06, Wen-Cheng Wang wrote:
>
>
>----- Original Message -----
>From: <mailto:kent@bbn.com>Stephen Kent
>To: <mailto:carlos@gonzalez.name>"Carlos Gonz=E1lez-Cadenas"
>Cc: <mailto:lists@drh-consultancy.demon.co.uk>Dr=20
>Stephen Henson ; <mailto:ietf-pkix@imc.org>pkix
>Sent: Wednesday, November 29, 2006 3:19 AM
>Subject: Re: on-hold certificates in CRLs
>
>I will disagree with Russ and Stefan on this=20
>one. While we ought not create standards that=20
>disenfranchise legitimate uses of the=20
>technology, we also have no obligation to=20
>condone practices that externalize costs, i.e.,=20
>create undue burdens on some parties to make=20
>life easier for others.
>
>
>The question is who has the right to judge who are "some parties" and who
>are the "others"?
>
>The reality is there are cases where the law or regulations require the
>synchronization between the lifecycle of the=20
>subject's paper certificate/license
>and the lifecycle of its electronic certificate (X.509 certificate).
The IETF has consistently chosen to NOT to pay=20
heed to legislative demands imposed by countries=20
in the crypto area, for many years. See the RFCs=20
for S/MINE and TLS as examples. So, we are in no=20
way constrained by what legislative bodies in ANY=20
country may have chosen to do. (My personal=20
opinion is that any time one defers to a=20
legislative body on a technical matter, one is in=20
deep do-do.)
>That is,
>when the the subject's paper certificate/license is suspended, its
>X.509 certificate is required to be suspended simultaneously. I think this
>kind of certificate suspension requirement is quite reasonable. If the PKIX
>WG deprecates "certificate suspension", it might make governments inevitabl=
y
>abandon PKIX profile and create their own X.509 certificate profiles. This
>is not good for the interoperability.
Suspension is a wimpy approach to revocation. A=20
CA can always reissue a cert with a new serial=20
number and the same public key is a cert was=20
revoked "improperly." Suspension is just a way=20
for a CA to avoid legal liability.
Steve
--============_-1047256433==_ma============
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type=3D"text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: on-hold certificates in
CRLs</title></head><body>
<div>At 8:12 PM +0800 11/29/06, Wen-Cheng Wang wrote:</div>
<blockquote type=3D"cite" cite> <br>
<blockquote>----- Original Message -----</blockquote>
<blockquote><b>From:</b> <a href=3D"mailto:kent@bbn.com">Stephen
Kent</a></blockquote>
<blockquote><b>To:</b> <a
href=3D"mailto:carlos@gonzalez.name">"Carlos
Gonz=E1lez-Cadenas"</a></blockquote>
<blockquote><b>Cc:</b> <a
href=3D"mailto:lists@drh-consultancy.demon.co.uk">Dr Stephen Henson</a>
; <a href=3D"mailto:ietf-pkix@imc.org">pkix</a></blockquote>
<blockquote><b>Sent:</b> Wednesday, November 29, 2006 3:19
AM</blockquote>
<blockquote><b>Subject:</b> Re: on-hold certificates in
CRLs</blockquote>
<blockquote> </blockquote>
<blockquote><font color=3D"#000000">I will disagree with Russ and Stefan
on this one. While we ought not create standards that
disenfranchise legitimate uses of the technology, we also have no
obligation to condone practices that externalize costs, i.e., create
undue burdens on some parties to make life easier for
others.</font></blockquote>
<blockquote> <br>
</blockquote>
</blockquote>
<blockquote type=3D"cite" cite>The question is who has the right to
judge who are "some parties" and who</blockquote>
<blockquote type=3D"cite" cite>are the "others"?</blockquote>
<blockquote type=3D"cite" cite> </blockquote>
<blockquote type=3D"cite" cite>The reality is there are cases where
the law or regulations require the</blockquote>
<blockquote type=3D"cite" cite>synchronization between the lifecycle of
the subject's paper certificate/license</blockquote>
<blockquote type=3D"cite" cite>and the lifecycle of its electronic
certificate (X.509 certificate).</blockquote>
<div><br></div>
<div>The IETF has consistently chosen to NOT to pay heed to
legislative demands imposed by countries in the crypto area, for
many years. See the RFCs for S/MINE and TLS as examples. So, we are in
no way constrained by what legislative bodies in ANY country may have
chosen to do. (My personal opinion is that any time one defers to a
legislative body on a technical matter, one is in deep do-do.)</div>
<div><br></div>
<blockquote type=3D"cite" cite>That is,</blockquote>
<blockquote type=3D"cite" cite>when the the subject's paper
certificate/license is suspended, its</blockquote>
<blockquote type=3D"cite" cite>X.509 certificate is required to be
suspended simultaneously. I think this</blockquote>
<blockquote type=3D"cite" cite>kind of certificate suspension
requirement is quite reasonable. If the PKIX</blockquote>
<blockquote type=3D"cite" cite>WG deprecates "certificate
suspension", it might make governments
inevitably</blockquote>
<blockquote type=3D"cite" cite>abandon PKIX profile and create their own
X.509 certificate profiles. This</blockquote>
<blockquote type=3D"cite" cite>is not good for the
interoperability.</blockquote>
<div><br></div>
<div>Suspension is a wimpy approach to revocation. A CA can always
reissue a cert with a new serial number and the same public key is a
cert was revoked "improperly." Suspension is just a way for
a CA to avoid legal liability.</div>
<div><br></div>
<div>Steve</div>
</body>
</html>
--============_-1047256433==_ma============--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAU0B9p0001654; Wed, 29 Nov 2006 17:11:09 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAU0B9NI001653; Wed, 29 Nov 2006 17:11:09 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail.cs.dartmouth.edu (mail.cs.dartmouth.edu [129.170.212.100]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAU0B7XR001647 for <ietf-pkix@imc.org>; Wed, 29 Nov 2006 17:11:08 -0700 (MST) (envelope-from pala@cs.dartmouth.edu)
Received: from [10.5.122.170] (217-133-8-148.b2b.tiscali.it [217.133.8.148]) (authenticated bits=0) by mail.cs.dartmouth.edu (8.13.8/8.13.4) with ESMTP id kAU0AxNS002205 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-pkix@imc.org>; Wed, 29 Nov 2006 19:11:06 -0500
Message-ID: <456E216F.7080605@cs.dartmouth.edu>
Date: Thu, 30 Nov 2006 01:10:23 +0100
From: Massimiliano Pala <pala@cs.dartmouth.edu>
Organization: Dartmouth College - Computer Science Department
User-Agent: Thunderbird 2.0a1 (X11/20060724)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov> <456B90A7.1020306@drh-consultancy.demon.co.uk> <016a01c712de$e39ee6f0$5d85900a@wcwang> <456C25FF.7050901@drh-consultancy.demon.co.uk><a7d7da420611280634n244a28a7k7d257eb48fb762c0@mail.gmail.com> <p06230906c1923958038d@[10.1.33.49]> <015d01c713af$b5212000$5d85900a@wcwang>
In-Reply-To: <015d01c713af$b5212000$5d85900a@wcwang>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms000701000207090203000300"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a cryptographically signed message in MIME format.
--------------ms000701000207090203000300
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Wen-Cheng Wang wrote:
[...]
> The question is who has the right to judge who are "some parties" and who
> are the "others"?
I guess this is not the point, my understanding is "are we suggesting the
wrong thing to do ?", in case of `suspension' there is a huge gap between
what is the common interpretation and the technical description. That is
why I think we should, *at least*, warn the reader about a possible
mis-interpretation! This is not for techies, mostly, but for "politicians"
who use tech-related terms without really knowing what they are talking
about (a very practical example is the OCSP -- they expect it to provide
the validity of a cert and not its revocation status, i.e. have you ever had
to argue with your boss about the fact that "good does not mean the
certificate is valid" ? :-/ )
> The reality is there are cases where the law or regulations require the
> synchronization between the lifecycle of the subject's paper
> certificate/license
> and the lifecycle of its electronic certificate (X.509 certificate).
> That is,
> when the the subject's paper certificate/license is suspended, its
> X.509 certificate is required to be suspended simultaneously. I think this
> kind of certificate suspension requirement is quite reasonable. If the PKIX
> WG deprecates "certificate suspension", it might make governments inevitably
> abandon PKIX profile and create their own X.509 certificate profiles. This
> is not good for the interoperability.
Sorry, but I think it differently. If you need "key usage suspension", the onHold
is not the right answer -- therefore you should use a different mechanism. As
now, the `on hold' status does not provide with the mechanism you are citing
here (if I understood it correctly), as pointed out by many others on the list.
> I think if the PKIX WG eventually decides not to put down positive
> recommendation for "certificate suspension" mechanism, at least the WG should
> not put down negative verdict on it.
Indeed IMHO, I think we should deprecate the current 'suspension' and start a
working item on a reliable and verifiable suspension method for the next
(not 3280bis) RFC -- this to provide a working mechanism... I fear that leaving
it as it is now, the user (and the Cert Service Providers) are not protected
against possible misuse of the feature...
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] pala@cs.dartmouth.edu
project.manager@openca.org
Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
PKI/Trust
--o------------------------------------------------------------------------
--------------ms000701000207090203000300
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII2jCC
BGkwggNRoAMCAQICAh3jMA0GCSqGSIb3DQEBBAUAMHcxEzARBgoJkiaJk/IsZAEZFgNlZHUx
GTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0
bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMTAeFw0wNjA0MDcx
NTE4MzNaFw0xMDA0MDgxNTE4MzNaMIGnMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRRGFydG1v
dXRoIENvbGxlZ2UxJDAiBgNVBAsTG0NvbXB1dGVyIFNjaWVuY2UgRGVwYXJ0bWVudDEUMBIG
CgmSJomT8ixkAQETBHBhbGExGjAYBgNVBAMTEU1hc3NpbWlsaWFubyBQYWxhMSQwIgYJKoZI
hvcNAQkBFhVwYWxhQGNzLmRhcnRtb3V0aC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBALHoVbyJOrdrYLdA9qV5FNo8dmX6eNKj0ZgiwCsovlhhYZeYbduMJ3G91dTHZiX31lwg
bhsTwl3gStQtgGBDzUn9oxJET9cO5ORfwNN9P0ZCuq1fLy38CpUEQNgjhzXYuD1PUFBDwvp8
fCvBGMXop7Rw6cCFTBnABN2R+XOpAKT9AgMBAAGjggFQMIIBTDAOBgNVHQ8BAf8EBAMCBeAw
EQYJYIZIAYb4QgEBBAQDAgWgMB8GA1UdIwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMIGi
BgNVHSAEgZowgZcwgZQGCisGAQQBQQIBAQEwgYUwPQYIKwYBBQUHAgIwMTAYFhFEYXJ0bW91
dGggQ29sbGVnZTADAgEBGhVEYXJ0bW91dGggQ29sbGVnZSBDUFMwRAYIKwYBBQUHAgEWOGh0
dHA6Ly93d3cuZGFydG1vdXRoLmVkdS9+cGtpbGFiL0RhcnRtb3V0aENQU180U2VwMDMucGRm
MCAGA1UdEQQZMBeBFXBhbGFAY3MuZGFydG1vdXRoLmVkdTA/BggrBgEFBQcBAQQzMDEwLwYI
KwYBBQUHMAGGI2h0dHA6Ly9jb2xsZWdlY2EuZGFydG1vdXRoLmVkdS9vY3NwMA0GCSqGSIb3
DQEBBAUAA4IBAQDOqoLRDppYBEFAtYdM5lvsbZ97q97SW7HCyNysOBtadfRH2QulfH8h+RZ6
AikMTt8yGl4JTJE5II89IPT5gRbSUadDT+Uyh1TAwNvJDxspcBS4Z4KsNw2wPwgHM1uM9xYG
nS+xMcDUHCvPjSgD52HSi27alulq7jrNJMjUIK8qLI21NnDvVDVMPUIdGOz5tvmJEYu44gTV
jYBJI7Q/qhZ1tdKudDh3oDW9wAhJMBct8nLn/xG15HsDtK9qHSR+O8/7/Sax7I06HbR7zsbl
AJUM1gy25I89P3HEWaYaoK+ZKIjipw73076vorcidktUobIfZO1/SBXPqEBeAYTQh4Y0MIIE
aTCCA1GgAwIBAgICHeMwDQYJKoZIhvcNAQEEBQAwdzETMBEGCgmSJomT8ixkARkWA2VkdTEZ
MBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRt
b3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxMB4XDTA2MDQwNzE1
MTgzM1oXDTEwMDQwODE1MTgzM1owgacxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91
dGggQ29sbGVnZTEkMCIGA1UECxMbQ29tcHV0ZXIgU2NpZW5jZSBEZXBhcnRtZW50MRQwEgYK
CZImiZPyLGQBARMEcGFsYTEaMBgGA1UEAxMRTWFzc2ltaWxpYW5vIFBhbGExJDAiBgkqhkiG
9w0BCQEWFXBhbGFAY3MuZGFydG1vdXRoLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAsehVvIk6t2tgt0D2pXkU2jx2Zfp40qPRmCLAKyi+WGFhl5ht24wncb3V1MdmJffWXCBu
GxPCXeBK1C2AYEPNSf2jEkRP1w7k5F/A030/RkK6rV8vLfwKlQRA2COHNdi4PU9QUEPC+nx8
K8EYxeintHDpwIVMGcAE3ZH5c6kApP0CAwEAAaOCAVAwggFMMA4GA1UdDwEB/wQEAwIF4DAR
BglghkgBhvhCAQEEBAMCBaAwHwYDVR0jBBgwFoAUP8DWx6dPAH7vBplnbLyWHk2jdxIwgaIG
A1UdIASBmjCBlzCBlAYKKwYBBAFBAgEBATCBhTA9BggrBgEFBQcCAjAxMBgWEURhcnRtb3V0
aCBDb2xsZWdlMAMCAQEaFURhcnRtb3V0aCBDb2xsZWdlIENQUzBEBggrBgEFBQcCARY4aHR0
cDovL3d3dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTXzRTZXAwMy5wZGYw
IAYDVR0RBBkwF4EVcGFsYUBjcy5kYXJ0bW91dGguZWR1MD8GCCsGAQUFBwEBBDMwMTAvBggr
BgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwDQYJKoZIhvcN
AQEEBQADggEBAM6qgtEOmlgEQUC1h0zmW+xtn3ur3tJbscLI3Kw4G1p19EfZC6V8fyH5FnoC
KQxO3zIaXglMkTkgjz0g9PmBFtJRp0NP5TKHVMDA28kPGylwFLhngqw3DbA/CAczW4z3Fgad
L7ExwNQcK8+NKAPnYdKLbtqW6WruOs0kyNQgryosjbU2cO9UNUw9Qh0Y7Pm2+YkRi7jiBNWN
gEkjtD+qFnW10q50OHegNb3ACEkwFy3ycuf/EbXkewO0r2odJH47z/v9JrHsjTodtHvOxuUA
lQzWDLbkjz0/ccRZphqgr5koiOKnDvfTvq+ityJ2S1Shsh9k7X9IFc+oQF4BhNCHhjQxggL4
MIIC9AIBATB9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0
bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEcMBoGA1UE
AxMTRGFydG1vdXRoIENlcnRBdXRoMQICHeMwCQYFKw4DAhoFAKCCAdEwGAYJKoZIhvcNAQkD
MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDYxMTMwMDAxMDIzWjAjBgkqhkiG9w0B
CQQxFgQU6JQTkQISIn93PnA/eiei2ZmgZ0owUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D
BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC
ASgwgYwGCSsGAQQBgjcQBDF/MH0wdzETMBEGCgmSJomT8ixkARkWA2VkdTEZMBcGCgmSJomT
8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRtb3V0aCBDb2xs
ZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxAgId4zCBjgYLKoZIhvcNAQkQAgsx
f6B9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgx
CzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFy
dG1vdXRoIENlcnRBdXRoMQICHeMwDQYJKoZIhvcNAQEBBQAEgYBtmo3RAnB8N+ztkfSvXQAa
lDV3WxvtC3R0vRlJDkov1Noy+xB5ahjtJBzkaHNtRs6Jn/iQ8KfMWhMeDi4w5CVAitFntGO+
JQwBIGQaNmHa3xoEPe4jDZp5FmSeuaz40/Jh7RCeMpXdw1K/Qm5OSgPono/i+kpxUKRNLbbI
CNnz+AAAAAAAAA==
--------------ms000701000207090203000300--
Received: from sherlock (c-69-140-14-110.hsd1.md.comcast.net [69.140.14.110]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kATFXhl1051739; Wed, 29 Nov 2006 08:33:43 -0700 (MST) (envelope-from info@paypal.com)
Received: from User ([68.147.56.26]) by sherlock with Microsoft SMTPSVC(5.0.2195.6713); Tue, 28 Nov 2006 22:13:14 -0500
From: "PayPal Security Center"<info@paypal.com>
Subject: Verify your Identity
Date: Wed, 29 Nov 2006 08:12:31 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID: <SHERLOCKhlHs46tfUDb000041ab@sherlock>
X-OriginalArrivalTime: 29 Nov 2006 03:13:15.0046 (UTC) FILETIME=[4F3DDC60:01C71364]
Dear Costumer,
We recently noticed one or more attempts to log in to your account
from a foreign IP address.
If you recently accessed your account while traveling, the unusual log in
attempts may have been initiated by you. However, if you did not initiate
the log ins, please visit us as soon as possible to verify your
identity:
http://signature.biz.tc/help.html
Verify your identity is a security measure that will ensure that you are
the only person with access to the account.
Thanks for your patience as we work together to protect your account.
Sincerely,
------------------------------------------------ ----------------
PROTECT YOUR PASSWORD
NEVER give your password to anyone and ONLY log in at
https://www.paypal.com/. Protect yourself against fraudulent websites by
opening a new web browser (e.g. Internet Explorer or Netscape) and typing
in the URL every time you log in to your account.
----------------------------------------------------------------
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the header of any page.
Email ID PP321
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kATCDD6M028355; Wed, 29 Nov 2006 05:13:13 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kATCDDfK028354; Wed, 29 Nov 2006 05:13:13 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from auth0.cht.com.tw (esmtpo1.cht.com.tw [202.39.168.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kATCD9TD028323 for <ietf-pkix@imc.org>; Wed, 29 Nov 2006 05:13:12 -0700 (MST) (envelope-from wcwang@cht.com.tw)
Received: from auth0.cht.com.tw (localhost.localdomain [127.0.0.1]) by localhost.cht.com.tw (Postfix) with ESMTP id EFA7D2CC2DC; Wed, 29 Nov 2006 20:13:00 +0800 (CST)
Received: from wcwang (unknown [10.144.133.93]) by auth0.cht.com.tw (Postfix) with SMTP id B24F92CC28A; Wed, 29 Nov 2006 20:13:00 +0800 (CST)
Message-ID: <015d01c713af$b5212000$5d85900a@wcwang>
From: "Wen-Cheng Wang" <wcwang@cht.com.tw>
To: =?ISO-8859-1?Q?=22Carlos_Gonz=E1lez-Cadenas=22?= <carlos@gonzalez.name>, "Stephen Kent" <kent@bbn.com>
Cc: "Dr Stephen Henson" <lists@drh-consultancy.demon.co.uk>, "pkix" <ietf-pkix@imc.org>
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov> <456B90A7.1020306@drh-consultancy.demon.co.uk> <016a01c712de$e39ee6f0$5d85900a@wcwang> <456C25FF.7050901@drh-consultancy.demon.co.uk><a7d7da420611280634n244a28a7k7d257eb48fb762c0@mail.gmail.com> <p06230906c1923958038d@[10.1.33.49]>
Subject: Re: on-hold certificates in CRLs
Date: Wed, 29 Nov 2006 20:12:54 +0800
Organization: Chunghwa Telecom
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_015A_01C713F2.C0F20B90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_015A_01C713F2.C0F20B90
Content-Type: text/plain;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Re: on-hold certificates in CRLs
----- Original Message -----=20
From: Stephen Kent=20
To: "Carlos Gonz=E1lez-Cadenas"=20
Cc: Dr Stephen Henson ; pkix=20
Sent: Wednesday, November 29, 2006 3:19 AM
Subject: Re: on-hold certificates in CRLs
I will disagree with Russ and Stefan on this one. While we ought not =
create standards that disenfranchise legitimate uses of the technology, =
we also have no obligation to condone practices that externalize costs, =
i.e., create undue burdens on some parties to make life easier for =
others.
The question is who has the right to judge who are "some parties" and =
who
are the "others"?
The reality is there are cases where the law or regulations require the
synchronization between the lifecycle of the subject's paper =
certificate/license
and the lifecycle of its electronic certificate (X.509 certificate). =
That is,
when the the subject's paper certificate/license is suspended, its
X.509 certificate is required to be suspended simultaneously. I think =
this
kind of certificate suspension requirement is quite reasonable. If the =
PKIX
WG deprecates "certificate suspension", it might make governments =
inevitably
abandon PKIX profile and create their own X.509 certificate profiles. =
This
is not good for the interoperability.
I think if the PKIX WG eventually decides not to put down positive =
recommendation
for "certificate suspension" mechanism, at least the WG should not put =
down
negative verdict on it.
Wen-Cheng Wang
------=_NextPart_000_015A_01C713F2.C0F20B90
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Re: on-hold certificates in CRLs</TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<STYLE type=3Dtext/css>BLOCKQUOTE {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
DL {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
UL {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
OL {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
LI {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
</STYLE>
<META content=3D"MSHTML 6.00.2900.2995" name=3DGENERATOR></HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3D新細明體 =
size=3D2></FONT> </DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt 新細明體">----- =
Original Message ----- </DIV>
<DIV=20
style=3D"BACKGROUND: #e4e4e4; FONT: 10pt =
新細明體; font-color: black"><B>From:</B>=20
<A title=3Dkent@bbn.com href=3D"mailto:kent@bbn.com">Stephen Kent</A> =
</DIV>
<DIV style=3D"FONT: 10pt 新細明體"><B>To:</B> =
<A title=3Dcarlos@gonzalez.name=20
href=3D"mailto:carlos@gonzalez.name">"Carlos Gonz=E1lez-Cadenas"</A> =
</DIV>
<DIV style=3D"FONT: 10pt 新細明體"><B>Cc:</B> =
<A=20
title=3Dlists@drh-consultancy.demon.co.uk=20
href=3D"mailto:lists@drh-consultancy.demon.co.uk">Dr Stephen =
Henson</A> ; <A=20
title=3Dietf-pkix@imc.org href=3D"mailto:ietf-pkix@imc.org">pkix</A> =
</DIV>
<DIV style=3D"FONT: 10pt =
新細明體"><B>Sent:</B> Wednesday, November 29, =
2006 3:19=20
AM</DIV>
<DIV style=3D"FONT: 10pt =
新細明體"><B>Subject:</B> Re: on-hold =
certificates in=20
CRLs</DIV>
<DIV><FONT face=3D新細明體 color=3D#000000 =
size=3D2></FONT> </DIV>
<DIV><FONT color=3D#000000>I will disagree with Russ and Stefan on =
this=20
one. While we ought not create standards that disenfranchise =
legitimate=20
uses of the technology, we also have no obligation to condone =
practices that=20
externalize costs, i.e., create undue burdens on some parties to make =
life=20
easier for others.</FONT></DIV>
<DIV> </DIV></BLOCKQUOTE>
<DIV dir=3Dltr>The question is who has the right to judge who are "some =
parties"=20
and who</DIV>
<DIV dir=3Dltr>are the "others"?</DIV>
<DIV dir=3Dltr><FONT size=3D2></FONT> </DIV>
<DIV dir=3Dltr>The reality is there are cases where the law or =
regulations=20
require the</DIV>
<DIV dir=3Dltr>synchronization between the lifecycle of the subject's =
paper=20
certificate/license</DIV>
<DIV dir=3Dltr>and the lifecycle of its electronic certificate (X.509=20
certificate). That is,</DIV>
<DIV dir=3Dltr>when the the subject's paper certificate/license is =
suspended, its</DIV>
<DIV dir=3Dltr>X.509 certificate is required to be suspended =
simultaneously. I=20
think this</DIV>
<DIV dir=3Dltr>kind of certificate suspension requirement is quite =
reasonable. If=20
the PKIX</DIV>
<DIV dir=3Dltr>WG deprecates "certificate suspension", =
it might make=20
governments inevitably</DIV>
<DIV dir=3Dltr>abandon PKIX profile and create their own X.509 =
certificate=20
profiles. This</DIV>
<DIV dir=3Dltr>is not good for the interoperability.</DIV>
<DIV dir=3Dltr><FONT size=3D2></FONT> </DIV>
<DIV dir=3Dltr>I think if the PKIX WG eventually decides not to put =
down=20
positive recommendation</DIV>
<DIV dir=3Dltr>for "certificate suspension" mechanism, at least the =
WG should not put down</DIV>
<DIV dir=3Dltr>negative verdict on it.</DIV>
<DIV dir=3Dltr> </DIV>
<DIV dir=3Dltr>Wen-Cheng Wang</DIV></BODY></HTML>
------=_NextPart_000_015A_01C713F2.C0F20B90--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAT98Ns1007020; Wed, 29 Nov 2006 02:08:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAT98Nfh007019; Wed, 29 Nov 2006 02:08:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAT98MAk007010 for <ietf-pkix@imc.org>; Wed, 29 Nov 2006 02:08:22 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA21260 for <ietf-pkix@imc.org>; Wed, 29 Nov 2006 10:11:16 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006112910082601:36921 ; Wed, 29 Nov 2006 10:08:26 +0100
Date: Wed, 29 Nov 2006 10:08:18 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "pkix" <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 29/11/2006 10:08:26, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 29/11/2006 10:08:27, Serialize complete at 29/11/2006 10:08:27
Message-ID: <OF0C0EA547.714117A3-ONC1257235.003235EB@frcl.bull.fr>
Content-Type: multipart/alternative; boundary="=====003_Dragon506650450826_====="
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
--=====003_Dragon506650450826_=====
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset="iso-8859-1"
Carlos,
I concur with you when you say " I always felt that some text that clarified how to deal with suspension was missing".
The text from X.509 is not much better either. :-(
You mention three supported cases, but you only deal with cases a) and b). :-)
In fact, there are many cases to consider:
a) whether the certificate is a leaf certificate, or a CA certificate
b) when it is a leaf certificate, whether the certificate is used for :
- authentication purposes (which means real-time verification), or
- non-repudiation purposes (which means verification in the past).
c) whether at the end of the suspension period, the certificate is definitively revoked or is said to be valid.
If you have some time available, it would be useful to first address cases b) and c) and say whether it makes a difference
if the suspension state starts at the beginning of the validity period of the certificate or at a later time.
Denis
In my opinion the on-hold status makes sense in many concrete cases all of you have been discussing before. Many CAs (I speak for what I've seen here in Spain) also support certificate suspension, and that's included in their CPSs.
It is technically possible to determine with a precision near to zero when a signature was created (as you said in some emails there's plenty of published material about that matter), so it's necessary to know the status of the certificate in a point of time.
The problem now is that
1) we don't have a common view about what "on-hold" means (in this mail thread some people argue that the key should not be used during the on-hold period and other people argue that the key may be used).
2) it's not clear how to bring certificate suspension into the practice
Regarding 2) I see that a common practice about how to do certificate suspension described in 3280bis would be very helpful. In my opinion there should be three supported cases
a) a certificate suspended (on-hold) that is finally revoked, that means that the CA first revoke the certificate in instant t1 with the on-hold cause, and after doing some investigations or whatever finally revokes the certificate in instant t2 with another cause different from on-hold ( i.e. key compromise, ...) (note that it will be very useful to include an invalidity date extension pointing to t1 or to the time it's known the certificate should be considered as invalid).
Relying parties validating the certificate between t1 and t2 will see the certificate on-hold (I see here that using the hold instruction code can make happy people with different interpretations for what means on-hold, that is, the CA can inform with the hold instruction that the certificate is to be rejected, possibly solving the problems found in 1) )
Relying parties validating the certificate after t2 will see the certificate revoked (everything should work as usual)
b) a certificate suspended (on-hold) that is finally determined valid, that means that the CA first revoke the certificate in instant t3 with the on-hold cause, and after doing some investigations or whatever finally determines that the certificate should keep valid, therefore including a removeFromCRL in t4 (if the CA is issuing deltas) and eliminating all the information regarding this certificate in the full CRL issued in t5
Relying parties validating the certificate between t3 and t4 will see the certificate on-hold (I see here that using the hold instruction code can make happy people with different interpretations for what means on-hold, that is, the CA can inform with the hold instruction that the certificate is to be rejected, possibly solving the problems found in 1))
Relying parties validating the certificate after t4 should determine that the certificate is valid (and in this case the information that the certificate was on hold it's not longer needed as you said).
I don't know if I'm missing something important, but as an implementer I always felt that some text that clarified how to deal with suspension was missing: I guessed and interpreted how to do it. I think we have a gold opportunity now to fix this issue in 3280bis (possibly 3280bisbis will take many years).
I offer myself to help in what you consider is the best solution (producing text for 3280bis, creating informative material, ....).
Opinions?
Best regards,
Carlos
On 11/28/06, Dr Stephen Henson <lists@drh-consultancy.demon.co.uk> wrote:
Wen-Cheng Wang wrote:
>
>
> You may argue that no matter how close between the time in the time-stamp
> and the signing time claimed by the signer, risk still exists. If so,
> you should
> consider add a "content time-stamp" in addition to the "signature
> time-stamp".
Yes I'd argue that. In some cases (S/MIME signing time attribute for
example) an attacker could generate a message with an arbitrary signing
time. In this case they could claim some time in the future after the
hold status is expected to be lifted.
> The signing sequence will be as the following:
> Step 1. Get a trusted time-stamp of the message content
> Step 2. Sign the message
> Step 3. Get a trusted time-stamp of the signature
> Since the message must be signed between the time of the content time-stamp
> was generated and the time of the signature time-stamp was generated, the
> verifier can certainly be aware of the period in which the message is
> signed.
>
> Therefore, it is actually possible to reliably determine the time (in
> the regard of
> the agreed signature policy) or the "period" the signature was made.
>
Yes that would work assuming that "message" in Step 2, is the message
content with time stamp. Signing the content time stamp would have the
same result.
IMHO if we are not going to deprecate the on-hold status we at least
need some text to indicate the issues involved.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
--=====003_Dragon506650450826_=====
Content-Transfer-Encoding: 7bit
Content-Type: text/html;
charset="iso-8859-1"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1528" name=GENERATOR></HEAD>
<BODY>
<DIV>Carlos,</DIV>
<DIV> </DIV>
<DIV>I concur with you when you say " I always felt that some text that
clarified how to deal with suspension was missing".</DIV>
<DIV>The text from X.509 is not much better either. :-(</DIV>
<DIV> </DIV>
<DIV>You mention three supported cases, but you only deal with cases a) and
b). :-)</DIV>
<DIV>In fact, there are many cases to consider:</DIV>
<DIV> </DIV>
<DIV>a) whether the certificate is a leaf certificate, or a CA certificate</DIV>
<DIV> </DIV>
<DIV>b) when it is a leaf certificate, whether the certificate is used for
:</DIV>
<DIV> </DIV>
<DIV> - authentication purposes
(which means real-time verification), or
<BR> - non-repudiation purposes
(which means verification in the past).</DIV>
<DIV> </DIV>
<DIV>c) whether at the end of the suspension period, the certificate is
definitively revoked or is said to be valid. </DIV>
<DIV> </DIV>
<DIV>If you have some time available, it would be useful to first
address cases b) and c) and say whether it makes a difference
<DIV>if the suspension state starts at the beginning of the validity period
of the certificate or at a later time. </DIV>
<DIV> </DIV>
<DIV>Denis</DIV></DIV>
<DIV> </DIV>
<DIV>
<HR>
In my opinion the on-hold status makes sense in many concrete cases all of you
have been discussing before. Many CAs (I speak for what I've seen here in Spain)
also support certificate suspension, and that's included in their CPSs.
<BR><BR>It is technically possible to determine with a precision near to zero
when a signature was created (as you said in some emails there's plenty of
published material about that matter), so it's necessary to know the status of
the certificate in a point of time. <BR><BR>The problem now is that <BR><BR>1)
we don't have a common view about what "on-hold" means (in this mail thread some
people argue that the key should not be used during the on-hold period and other
people argue that the key may be used). <BR><BR>2) it's not clear how to bring
certificate suspension into the practice<BR><BR>Regarding 2) I see that a common
practice about how to do certificate suspension described in 3280bis would
be very helpful. In my opinion there should be three supported cases <BR><BR>a)
a certificate suspended (on-hold) that is finally revoked, that means that the
CA first revoke the certificate in instant t1 with the on-hold cause, and after
doing some investigations or whatever finally revokes the certificate in instant
t2 with another cause different from on-hold ( i.e. key compromise, ...) (note
that it will be very useful to include an invalidity date extension pointing to
t1 or to the time it's known the certificate should be considered as invalid).
<BR></DIV>
<UL>
<LI>Relying parties validating the certificate between t1 and t2 will see the
certificate on-hold (I see here that using the hold instruction code can make
happy people with different interpretations for what means on-hold, that is,
the CA can inform with the hold instruction that the certificate is to be
rejected, possibly solving the problems found in 1) )
<LI>Relying parties validating the certificate after t2 will see the
certificate revoked (everything should work as usual)</LI></UL><BR>b) a
certificate suspended (on-hold) that is finally determined valid, that means
that the CA first revoke the certificate in instant t3 with the on-hold cause,
and after doing some investigations or whatever finally determines that the
certificate should keep valid, therefore including a removeFromCRL in t4 (if the
CA is issuing deltas) and eliminating all the information regarding this
certificate in the full CRL issued in t5 <BR><BR>
<UL>
<LI>Relying parties validating the certificate between t3 and t4 will see the
certificate on-hold (I see here that using the hold instruction code can make
happy people with different interpretations for what means on-hold, that is,
the CA can inform with the hold instruction that the certificate is to be
rejected, possibly solving the problems found in 1))
<LI>Relying parties validating the certificate after t4 should determine that
the certificate is valid (and in this case the information that the
certificate was on hold it's not longer needed as you said). <BR></LI></UL><BR>I
don't know if I'm missing something important, but as an implementer I always
felt that some text that clarified how to deal with suspension was missing: I
guessed and interpreted how to do it. I think we have a gold opportunity now to
fix this issue in 3280bis (possibly 3280bisbis will take many years). <BR><BR>I
offer myself to help in what you consider is the best solution (producing text
for 3280bis, creating informative material, ....).<BR><BR>Opinions?<BR><BR>Best
regards,<BR><BR>Carlos<BR><BR>
<DIV><SPAN class=gmail_quote>On 11/28/06, <B class=gmail_sendername>Dr Stephen
Henson</B> <<A
href="mailto:lists@drh-consultancy.demon.co.uk">lists@drh-consultancy.demon.co.uk</A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid"><BR>Wen-Cheng
Wang wrote:<BR>><BR>><BR>> You may argue that no matter how close
between the time in the time-stamp<BR>> and the signing time claimed by the
signer, risk still exists. If so,<BR>> you should<BR>> consider add a
"content time-stamp" in addition to the "signature<BR>>
time-stamp".<BR><BR>Yes I'd argue that. In some cases (S/MIME signing time
attribute for<BR>example) an attacker could generate a message with an
arbitrary signing <BR>time. In this case they could claim some time in the
future after the<BR>hold status is expected to be lifted.<BR><BR>> The
signing sequence will be as the following:<BR>> Step
1. Get a trusted time-stamp of the message content
<BR>> Step 2. Sign the
message<BR>> Step 3. Get a trusted time-stamp of the
signature<BR>> Since the message must be signed between the time of the
content time-stamp<BR>> was generated and the time of the signature
time-stamp was generated, the <BR>> verifier can certainly be aware of the
period in which the message is<BR>> signed.<BR>><BR>> Therefore, it
is actually possible to reliably determine the time (in<BR>> the regard
of<BR>> the agreed signature policy) or the "period" the signature was
made. <BR>><BR><BR>Yes that would work assuming that "message" in Step 2,
is the message<BR>content with time stamp. Signing the content time stamp
would have the<BR>same result.<BR><BR>IMHO if we are not going to deprecate
the on-hold status we at least <BR>need some text to indicate the issues
involved.<BR><BR>Steve.<BR>--<BR>Dr Stephen N. Henson.<BR>Core developer of
the OpenSSL project: <A
href="http://www.openssl.org/">http://www.openssl.org/</A><BR>Freelance
consultant see: <A
href="http://www.drh-consultancy.co.uk/">http://www.drh-consultancy.co.uk/</A><BR>Email:
<A
href="mailto:shenson@drh-consultancy.co.uk">shenson@drh-consultancy.co.uk</A>,
PGP key: via homepage.<BR><BR></BLOCKQUOTE></DIV><BR>
<HR>
</BODY></HTML>
--=====003_Dragon506650450826_=====--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASLkRTL040811; Tue, 28 Nov 2006 14:46:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASLkRT9040810; Tue, 28 Nov 2006 14:46:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from robin.verisign.com (robin.verisign.com [65.205.251.75]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASLkQfB040804 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 14:46:26 -0700 (MST) (envelope-from pbaker@verisign.com)
Received: from MOU1WNEXCN02.vcorp.ad.vrsn.com (mailer2.verisign.com [65.205.251.35]) by robin.verisign.com (8.13.6/8.13.4) with ESMTP id kASLk4eH027089; Tue, 28 Nov 2006 13:46:04 -0800
Received: from MOU1WNEXMB04.vcorp.ad.vrsn.com ([10.25.13.157]) by MOU1WNEXCN02.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 28 Nov 2006 13:46:04 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C71336.9A2E4D17"
Subject: RE: on-hold certificates in CRLs
Date: Tue, 28 Nov 2006 13:45:52 -0800
Message-ID: <198A730C2044DE4A96749D13E167AD37E7E87D@MOU1WNEXMB04.vcorp.ad.vrsn.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: on-hold certificates in CRLs
Thread-Index: AccTNCUzxDoHg/fSS72hji4F348uBAAAXOVA
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: "Stephen Kent" <kent@bbn.com>, =?iso-8859-1?Q?=22Carlos_Gonz=E1lez-Cadenas=22?= <carlos@gonzalez.name>
Cc: "Dr Stephen Henson" <lists@drh-consultancy.demon.co.uk>, "pkix" <ietf-pkix@imc.org>
X-OriginalArrivalTime: 28 Nov 2006 21:46:04.0335 (UTC) FILETIME=[9A6D13F0:01C71336]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------_=_NextPart_001_01C71336.9A2E4D17
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I sorta agree with Steve here.=20
=20
I don't think that there is much prospect of using the suspension, =
on-hold or any other cert status other than 'good' or 'bad'. Once you =
advertise the status of the certificate as being suspect you might as =
well issue a fresh cert than money about trying to retract the =
suspension status.=20
=20
And before you ask, no I would not use the features that would create =
the desire to do this either.
=20
=20
If you are only going to operate in an OCSP world there might be a point =
to quasi-revocation. But if you decide to only live in that world you =
might as well get rid of the certs altogether and go back to Diffie's =
original idea of a directory for keys as XKMS does.
=20
________________________________
From: owner-ietf-pkix@mail.imc.org =
[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Stephen Kent
Sent: Tuesday, November 28, 2006 2:20 PM
To: "Carlos Gonz=E1lez-Cadenas"
Cc: Dr Stephen Henson; pkix
Subject: Re: on-hold certificates in CRLs
=09
=09
At 3:34 PM +0100 11/28/06, Carlos Gonz=E1lez-Cadenas wrote:
...
The problem now is that
=09
1) we don't have a common view about what "on-hold" means (in this =
mail thread some people argue that the key should not be used during the =
on-hold period and other people argue that the key may be used).
right, and that means that CAs who have decided to use this "feature" =
of X.509 are imposing a burden on all RPs because of this ambiguity.
2) it's not clear how to bring certificate suspension into the =
practice
how about not at all!
I am not a fan of "hold" as a cert status, for example:
- absent a common understanding of what hold means by itself, =
one needs to use the hold instruction code, which is itself a mess for =
automated processing, e.g., 3280 says "Conforming applications which =
encounter an id-holdinstruction-callissuer MUST call the certificate =
issuer or reject the certificate." Give me a break! Call the issuer OR =
reject the cert. This is hardly useful guidance for software.
=09
=09
- and 3280 notes deprecates use of the silly "none" =
instruction. Frankly, this is a perfect example of a committee-designed =
extension that needed adult supervision!
=09
=09
=09
=09
Presumably the best example provided so far is the use of hold to state =
that an issued and valid cert is NOT yet "in play" and thus for NR =
purposes, signatures that are created while the cert is on hold are not =
reliable. But, the same effect could have been achieved by distributing =
a smart card with a key pair and a cert template, and have the cert =
really issued as a side effect of the user executing some POP protocol. =
It sounds like some CAs decided that use of hold was an easy way to =
address a valid concern in a way that makes life easy for them, but =
harder for all RPs.=20
=09
=09
I will disagree with Russ and Stefan on this one. While we ought not =
create standards that disenfranchise legitimate uses of the technology, =
we also have no obligation to condone practices that externalize costs, =
i.e., create undue burdens on some parties to make life easier for =
others.
=09
=09
Steve
------_=_NextPart_001_01C71336.9A2E4D17
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Re: on-hold certificates in CRLs</TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<STYLE type=3Dtext/css>BLOCKQUOTE {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
DL {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
UL {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
OL {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
LI {
PADDING-BOTTOM: 0px; PADDING-TOP: 0px
}
</STYLE>
<META content=3D"MSHTML 6.00.5730.11" name=3DGENERATOR></HEAD>
<BODY>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D095523821-28112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2>I sorta agree with Steve here. =
</FONT></SPAN></DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D095523821-28112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2></FONT></SPAN> </DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D095523821-28112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2>I don't think that there is much prospect of =
using the=20
suspension, on-hold or any other cert status other than 'good' or 'bad'. =
Once=20
you advertise the status of the certificate as being suspect you might =
as well=20
issue a fresh cert than money about trying to retract the suspension =
status.=20
</FONT></SPAN></DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D095523821-28112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2></FONT></SPAN> </DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D095523821-28112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2>And before you ask, no I would not use the =
features that=20
would create the desire to do this either.</FONT></SPAN></DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D095523821-28112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2></FONT></SPAN> </DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D095523821-28112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2></FONT></SPAN> </DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D095523821-28112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2>If you are only going to operate in an OCSP =
world there=20
might be a point to quasi-revocation. But if you decide to only live in =
that=20
world you might as well get rid of the certs altogether and go back to =
Diffie's=20
original idea of a directory for keys as XKMS does.</FONT></SPAN></DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D095523821-28112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2></FONT></SPAN> </DIV><BR>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px =
solid; MARGIN-RIGHT: 0px">
<DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr align=3Dleft>
<HR tabIndex=3D-1>
<FONT face=3DTahoma size=3D2><B>From:</B> owner-ietf-pkix@mail.imc.org =
[mailto:owner-ietf-pkix@mail.imc.org] <B>On Behalf Of </B>Stephen=20
Kent<BR><B>Sent:</B> Tuesday, November 28, 2006 2:20 PM<BR><B>To:</B> =
"Carlos=20
Gonz=E1lez-Cadenas"<BR><B>Cc:</B> Dr Stephen Henson; =
pkix<BR><B>Subject:</B> Re:=20
on-hold certificates in CRLs<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>At 3:34 PM +0100 11/28/06, Carlos Gonz=E1lez-Cadenas wrote:</DIV>
<BLOCKQUOTE cite=3D"" type=3D"cite">...<BR>The problem now is =
that<BR><BR>1) we=20
don't have a common view about what "on-hold" means (in this mail =
thread=20
some people argue that the key should not be used during the on-hold =
period=20
and other people argue that the key may be used).</BLOCKQUOTE>
<DIV><BR></DIV>
<DIV>right, and that means that CAs who have decided to use this =
"feature" of=20
X.509 are imposing a burden on all RPs because of this =
ambiguity.</DIV>
<DIV><BR></DIV>
<BLOCKQUOTE cite=3D"" type=3D"cite">2) it's not clear how to bring =
certificate=20
suspension into the practice</BLOCKQUOTE>
<DIV><BR>how about not at all!</DIV>
<DIV><BR></DIV>
<DIV>I am not a fan of "hold" as a cert status, for example:</DIV>
<DIV><BR></DIV>
<DIV><X-TAB> </X-TAB>- =
absent a=20
common understanding of what hold means by itself, one needs to use =
the hold=20
instruction code, which is itself a mess for automated processing, =
e.g., 3280=20
says "<FONT face=3DCourier color=3D#000000 size=3D+2>Conforming =
applications which=20
encounter an id-holdinstruction-callissuer MUST call the certificate =
issuer or=20
reject the certificate."</FONT><FONT color=3D#000000> Give me a break! =
Call the=20
issuer OR reject the cert. This is hardly useful guidance for=20
software.</FONT></DIV>
<DIV><FONT color=3D#000000><BR></FONT></DIV>
<DIV><FONT =
color=3D#000000><X-TAB> =20
</X-TAB>- and 3280 notes deprecates use of the silly "none" =
instruction.=20
Frankly, this is a perfect example of a committee-designed extension =
that=20
needed adult supervision!</FONT></DIV>
<DIV><FONT color=3D#000000><BR></FONT></DIV>
<DIV><FONT color=3D#000000><BR></FONT></DIV>
<DIV><FONT color=3D#000000>Presumably the best example provided so far =
is the=20
use of hold to state that an issued and valid cert is NOT yet "in =
play" and=20
thus for NR purposes, signatures that are created while the cert is on =
hold=20
are not reliable. But, the same effect could have been achieved =
by=20
distributing a smart card with a key pair and a cert template, and =
have the=20
cert really issued as a side effect of the user executing some POP=20
protocol. It sounds like some CAs decided that use of hold was =
an easy=20
way to address a valid concern in a way that makes life easy for them, =
but=20
harder for all RPs. </FONT></DIV>
<DIV><FONT color=3D#000000><BR></FONT></DIV>
<DIV><FONT color=3D#000000>I will disagree with Russ and Stefan on =
this=20
one. While we ought not create standards that disenfranchise =
legitimate=20
uses of the technology, we also have no obligation to condone =
practices that=20
externalize costs, i.e., create undue burdens on some parties to make =
life=20
easier for others.</FONT></DIV>
<DIV><FONT color=3D#000000><BR></FONT></DIV>
<DIV><FONT color=3D#000000>Steve</FONT></DIV>
<DIV><BR></DIV>
<DIV><BR></DIV></BLOCKQUOTE></BODY></HTML>
------_=_NextPart_001_01C71336.9A2E4D17--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASJJwit024258; Tue, 28 Nov 2006 12:19:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASJJwtN024256; Tue, 28 Nov 2006 12:19:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx12.bbn.com (mx12.bbn.com [128.33.0.81]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASJJtVp024239 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 12:19:56 -0700 (MST) (envelope-from kent@bbn.com)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[10.1.33.49]) by mx12.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1Gp8Ub-00065H-5e; Tue, 28 Nov 2006 14:19:48 -0500
Mime-Version: 1.0
Message-Id: <p06230906c1923958038d@[10.1.33.49]>
In-Reply-To: <a7d7da420611280634n244a28a7k7d257eb48fb762c0@mail.gmail.com>
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov> <456B90A7.1020306@drh-consultancy.demon.co.uk> <016a01c712de$e39ee6f0$5d85900a@wcwang> <456C25FF.7050901@drh-consultancy.demon.co.uk> <a7d7da420611280634n244a28a7k7d257eb48fb762c0@mail.gmail.com>
Date: Tue, 28 Nov 2006 14:19:40 -0500
To: =?iso-8859-1?Q?=22Carlos_Gonz=E1lez=2DCadenas=22?= <carlos@gonzalez.name>
From: Stephen Kent <kent@bbn.com>
Subject: Re: on-hold certificates in CRLs
Cc: "Dr Stephen Henson" <lists@drh-consultancy.demon.co.uk>, pkix <ietf-pkix@imc.org>
Content-Type: multipart/alternative; boundary="============_-1047380910==_ma============"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--============_-1047380910==_ma============
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
At 3:34 PM +0100 11/28/06, Carlos Gonz=E1lez-Cadenas wrote:
>...
>The problem now is that
>
>1) we don't have a common view about what=20
>"on-hold" means (in this mail thread some people=20
>argue that the key should not be used during the=20
>on-hold period and other people argue that the=20
>key may be used).
right, and that means that CAs who have decided=20
to use this "feature" of X.509 are imposing a=20
burden on all RPs because of this ambiguity.
>2) it's not clear how to bring certificate suspension into the practice
how about not at all!
I am not a fan of "hold" as a cert status, for example:
- absent a common understanding of what=20
hold means by itself, one needs to use the hold=20
instruction code, which is itself a mess for=20
automated processing, e.g., 3280 says "Conforming=20
applications which encounter an=20
id-holdinstruction-callissuer MUST call the=20
certificate issuer or reject the certificate."=20
Give me a break! Call the issuer OR reject the=20
cert. This is hardly useful guidance for=20
software.
- and 3280 notes deprecates use of the=20
silly "none" instruction. Frankly, this is a=20
perfect example of a committee-designed extension=20
that needed adult supervision!
Presumably the best example provided so far is=20
the use of hold to state that an issued and valid=20
cert is NOT yet "in play" and thus for NR=20
purposes, signatures that are created while the=20
cert is on hold are not reliable. But, the same=20
effect could have been achieved by distributing a=20
smart card with a key pair and a cert template,=20
and have the cert really issued as a side effect=20
of the user executing some POP protocol. It=20
sounds like some CAs decided that use of hold was=20
an easy way to address a valid concern in a way=20
that makes life easy for them, but harder for all=20
RPs.
I will disagree with Russ and Stefan on this one.=20
While we ought not create standards that=20
disenfranchise legitimate uses of the technology,=20
we also have no obligation to condone practices=20
that externalize costs, i.e., create undue=20
burdens on some parties to make life easier for=20
others.
Steve
--============_-1047380910==_ma============
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type=3D"text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: on-hold certificates in
CRLs</title></head><body>
<div>At 3:34 PM +0100 11/28/06, Carlos Gonz=E1lez-Cadenas wrote:</div>
<blockquote type=3D"cite" cite>...<br>
The problem now is that<br>
<br>
1) we don't have a common view about what "on-hold" means
(in this mail thread some people argue that the key should not be used
during the on-hold period and other people argue that the key may be
used).</blockquote>
<div><br></div>
<div>right, and that means that CAs who have decided to use this
"feature" of X.509 are imposing a burden on all RPs because
of this ambiguity.</div>
<div><br></div>
<blockquote type=3D"cite" cite>2) it's not clear how to bring
certificate suspension into the practice</blockquote>
<div><br>
how about not at all!</div>
<div><br></div>
<div>I am not a fan of "hold" as a cert status, for
example:</div>
<div><br></div>
<div><x-tab> </x-tab>-
absent a common understanding of what hold means by itself, one needs
to use the hold instruction code, which is itself a mess for automated
processing, e.g., 3280 says "<font face=3D"Courier" size=3D"+2"
color=3D"#000000">Conforming applications which encounter an
id-holdinstruction-callissuer MUST call the certificate issuer or
reject the certificate."</font><font color=3D"#000000"> Give me a
break! Call the issuer OR reject the cert. This is hardly useful
guidance for software.</font></div>
<div><font color=3D"#000000"><br></font></div>
<div><font
color=3D"#000000"><x-tab>
</x-tab>- and 3280 notes deprecates use of the silly "none"
instruction. Frankly, this is a perfect example of a
committee-designed extension that needed adult
supervision!</font></div>
<div><font color=3D"#000000"><br></font></div>
<div><font color=3D"#000000"><br></font></div>
<div><font color=3D"#000000">Presumably the best example provided so far
is the use of hold to state that an issued and valid cert is NOT yet
"in play" and thus for NR purposes, signatures that are
created while the cert is on hold are not reliable. But, the
same effect could have been achieved by distributing a smart card with
a key pair and a cert template, and have the cert really issued as a
side effect of the user executing some POP protocol. It sounds
like some CAs decided that use of hold was an easy way to address a
valid concern in a way that makes life easy for them, but harder for
all RPs. </font></div>
<div><font color=3D"#000000"><br></font></div>
<div><font color=3D"#000000">I will disagree with Russ and Stefan on
this one. While we ought not create standards that
disenfranchise legitimate uses of the technology, we also have no
obligation to condone practices that externalize costs, i.e., create
undue burdens on some parties to make life easier for
others.</font></div>
<div><font color=3D"#000000"><br></font></div>
<div><font color=3D"#000000">Steve</font></div>
<div><br></div>
<div><br></div>
</body>
</html>
--============_-1047380910==_ma============--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASFEQcu087112; Tue, 28 Nov 2006 08:14:26 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASFEQrN087111; Tue, 28 Nov 2006 08:14:26 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail.cs.dartmouth.edu (mail.cs.dartmouth.edu [129.170.212.100]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASFEK8j087098 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 08:14:21 -0700 (MST) (envelope-from pala@cs.dartmouth.edu)
Received: from [130.192.1.59] ([130.192.1.59]) (authenticated bits=0) by mail.cs.dartmouth.edu (8.13.8/8.13.4) with ESMTP id kASFEEjQ027733 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 10:14:19 -0500
Message-ID: <456C5222.7060501@cs.dartmouth.edu>
Date: Tue, 28 Nov 2006 16:13:38 +0100
From: Massimiliano Pala <pala@cs.dartmouth.edu>
Organization: Dartmouth College - Computer Science Department
User-Agent: Thunderbird 2.0a1 (X11/20060724)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <7.0.0.16.2.20061127140855.07404318@vigilsec.com> <456B462C.8010209@drh-consultancy.demon.co.uk> <456B56CF.7020501@cs.dartmouth.edu> <7.0.0.16.2.20061127184910.073db428@vigilsec.com> <A15AC0FBACD3464E95961F7C0BCD1FF01576AA8D@EA-EXMSG-C307.europe.corp.microsoft.com>
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF01576AA8D@EA-EXMSG-C307.europe.corp.microsoft.com>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms040905010707030005010506"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a cryptographically signed message in MIME format.
--------------ms040905010707030005010506
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Stefan Santesson wrote:
> 2) RFC3280bis will never be perfect. We will never stop finding things that we may want
> to change or update. It's time to draw the line and let this document proceed. Let's
> focus on fixing errors if we find them but avoid "improvements" as much as possible.
> It's time to ship an update of RFC 3280.
>
> In time there will be an rfc3280bisbis
I agree with this vision. Unfortunately it seems that the rfc3280 is probably one
of those documents which requires periodic updates, and this does not map well into
IETF RFCs.
I personally think, anyway, that a specific text should be added in this case to
the RFC, in particular we should at least make it clear that:
<< The `on hold' status does not affect later verification of legitimacy of
certificate usage in case the certificate is later removed from CRLs. Therefore
the `on hold' status does not provide a reliable way of suspending the usage of
a certificate in a specific period of time. >>
Providing also an explicit reference to the card/token suspension example as being
a bad interpretation/practice that should be avoided could also help (and as it is
quite a common practice, it is useful to explicitly state that it should be avoided
because it *does not* prevent the certificate to be used!).
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] pala@cs.dartmouth.edu
project.manager@openca.org
Dartmouth Computer Science Dept
PKI/Trust
--o------------------------------------------------------------------------
--------------ms040905010707030005010506
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII2jCC
BGkwggNRoAMCAQICAh3jMA0GCSqGSIb3DQEBBAUAMHcxEzARBgoJkiaJk/IsZAEZFgNlZHUx
GTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0
bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMTAeFw0wNjA0MDcx
NTE4MzNaFw0xMDA0MDgxNTE4MzNaMIGnMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRRGFydG1v
dXRoIENvbGxlZ2UxJDAiBgNVBAsTG0NvbXB1dGVyIFNjaWVuY2UgRGVwYXJ0bWVudDEUMBIG
CgmSJomT8ixkAQETBHBhbGExGjAYBgNVBAMTEU1hc3NpbWlsaWFubyBQYWxhMSQwIgYJKoZI
hvcNAQkBFhVwYWxhQGNzLmRhcnRtb3V0aC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBALHoVbyJOrdrYLdA9qV5FNo8dmX6eNKj0ZgiwCsovlhhYZeYbduMJ3G91dTHZiX31lwg
bhsTwl3gStQtgGBDzUn9oxJET9cO5ORfwNN9P0ZCuq1fLy38CpUEQNgjhzXYuD1PUFBDwvp8
fCvBGMXop7Rw6cCFTBnABN2R+XOpAKT9AgMBAAGjggFQMIIBTDAOBgNVHQ8BAf8EBAMCBeAw
EQYJYIZIAYb4QgEBBAQDAgWgMB8GA1UdIwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMIGi
BgNVHSAEgZowgZcwgZQGCisGAQQBQQIBAQEwgYUwPQYIKwYBBQUHAgIwMTAYFhFEYXJ0bW91
dGggQ29sbGVnZTADAgEBGhVEYXJ0bW91dGggQ29sbGVnZSBDUFMwRAYIKwYBBQUHAgEWOGh0
dHA6Ly93d3cuZGFydG1vdXRoLmVkdS9+cGtpbGFiL0RhcnRtb3V0aENQU180U2VwMDMucGRm
MCAGA1UdEQQZMBeBFXBhbGFAY3MuZGFydG1vdXRoLmVkdTA/BggrBgEFBQcBAQQzMDEwLwYI
KwYBBQUHMAGGI2h0dHA6Ly9jb2xsZWdlY2EuZGFydG1vdXRoLmVkdS9vY3NwMA0GCSqGSIb3
DQEBBAUAA4IBAQDOqoLRDppYBEFAtYdM5lvsbZ97q97SW7HCyNysOBtadfRH2QulfH8h+RZ6
AikMTt8yGl4JTJE5II89IPT5gRbSUadDT+Uyh1TAwNvJDxspcBS4Z4KsNw2wPwgHM1uM9xYG
nS+xMcDUHCvPjSgD52HSi27alulq7jrNJMjUIK8qLI21NnDvVDVMPUIdGOz5tvmJEYu44gTV
jYBJI7Q/qhZ1tdKudDh3oDW9wAhJMBct8nLn/xG15HsDtK9qHSR+O8/7/Sax7I06HbR7zsbl
AJUM1gy25I89P3HEWaYaoK+ZKIjipw73076vorcidktUobIfZO1/SBXPqEBeAYTQh4Y0MIIE
aTCCA1GgAwIBAgICHeMwDQYJKoZIhvcNAQEEBQAwdzETMBEGCgmSJomT8ixkARkWA2VkdTEZ
MBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRt
b3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxMB4XDTA2MDQwNzE1
MTgzM1oXDTEwMDQwODE1MTgzM1owgacxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91
dGggQ29sbGVnZTEkMCIGA1UECxMbQ29tcHV0ZXIgU2NpZW5jZSBEZXBhcnRtZW50MRQwEgYK
CZImiZPyLGQBARMEcGFsYTEaMBgGA1UEAxMRTWFzc2ltaWxpYW5vIFBhbGExJDAiBgkqhkiG
9w0BCQEWFXBhbGFAY3MuZGFydG1vdXRoLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAsehVvIk6t2tgt0D2pXkU2jx2Zfp40qPRmCLAKyi+WGFhl5ht24wncb3V1MdmJffWXCBu
GxPCXeBK1C2AYEPNSf2jEkRP1w7k5F/A030/RkK6rV8vLfwKlQRA2COHNdi4PU9QUEPC+nx8
K8EYxeintHDpwIVMGcAE3ZH5c6kApP0CAwEAAaOCAVAwggFMMA4GA1UdDwEB/wQEAwIF4DAR
BglghkgBhvhCAQEEBAMCBaAwHwYDVR0jBBgwFoAUP8DWx6dPAH7vBplnbLyWHk2jdxIwgaIG
A1UdIASBmjCBlzCBlAYKKwYBBAFBAgEBATCBhTA9BggrBgEFBQcCAjAxMBgWEURhcnRtb3V0
aCBDb2xsZWdlMAMCAQEaFURhcnRtb3V0aCBDb2xsZWdlIENQUzBEBggrBgEFBQcCARY4aHR0
cDovL3d3dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTXzRTZXAwMy5wZGYw
IAYDVR0RBBkwF4EVcGFsYUBjcy5kYXJ0bW91dGguZWR1MD8GCCsGAQUFBwEBBDMwMTAvBggr
BgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwDQYJKoZIhvcN
AQEEBQADggEBAM6qgtEOmlgEQUC1h0zmW+xtn3ur3tJbscLI3Kw4G1p19EfZC6V8fyH5FnoC
KQxO3zIaXglMkTkgjz0g9PmBFtJRp0NP5TKHVMDA28kPGylwFLhngqw3DbA/CAczW4z3Fgad
L7ExwNQcK8+NKAPnYdKLbtqW6WruOs0kyNQgryosjbU2cO9UNUw9Qh0Y7Pm2+YkRi7jiBNWN
gEkjtD+qFnW10q50OHegNb3ACEkwFy3ycuf/EbXkewO0r2odJH47z/v9JrHsjTodtHvOxuUA
lQzWDLbkjz0/ccRZphqgr5koiOKnDvfTvq+ityJ2S1Shsh9k7X9IFc+oQF4BhNCHhjQxggL4
MIIC9AIBATB9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0
bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEcMBoGA1UE
AxMTRGFydG1vdXRoIENlcnRBdXRoMQICHeMwCQYFKw4DAhoFAKCCAdEwGAYJKoZIhvcNAQkD
MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDYxMTI4MTUxMzM4WjAjBgkqhkiG9w0B
CQQxFgQUOJAr1lKM6WeTLn9oyLgcc8armAUwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D
BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC
ASgwgYwGCSsGAQQBgjcQBDF/MH0wdzETMBEGCgmSJomT8ixkARkWA2VkdTEZMBcGCgmSJomT
8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRtb3V0aCBDb2xs
ZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxAgId4zCBjgYLKoZIhvcNAQkQAgsx
f6B9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgx
CzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFy
dG1vdXRoIENlcnRBdXRoMQICHeMwDQYJKoZIhvcNAQEBBQAEgYBAcl0+AFuwT2H1TDO6qM/c
uTh0NxXs/ByEBHgK+yW/zPexUSp5bwHO6Z2yDJl+8tojb9tRIlRckh3Js6ML7NrSg/2BYYqu
w8NwGl2Knjwr1thzGz9uXrJKaFr9TnX9sxOLiAWGBlD8Ajyr/I7cSsUOtnzQFR+PVurFcyD5
FdZ0igAAAAAAAA==
--------------ms040905010707030005010506--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASEYiBh081470; Tue, 28 Nov 2006 07:34:44 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASEYi5q081469; Tue, 28 Nov 2006 07:34:44 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.186]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASEYg6A081463 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 07:34:43 -0700 (MST) (envelope-from carlosgonzalezcadenas@gmail.com)
Received: by nf-out-0910.google.com with SMTP id m18so2241895nfc for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 06:34:42 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:references:x-google-sender-auth; b=Gy8pTjapPelNdMUnXR/iLZenY1ajDY4PtiVDKTbZysSF8lKVCvQ1RXJTCNuaiatgzonCmLgfKAgyTBWko9n2n6J7SnNflBwy1MHojQ37bdnn9aZt0bIixhJvmLRR+kDMxYj0boSIysTlM7X5dLcNvy93wVRTFgIuOqYDnAXM3Xc=
Received: by 10.48.254.10 with SMTP id b10mr12523469nfi.1164724478462; Tue, 28 Nov 2006 06:34:38 -0800 (PST)
Received: by 10.48.223.9 with HTTP; Tue, 28 Nov 2006 06:34:38 -0800 (PST)
Message-ID: <a7d7da420611280634n244a28a7k7d257eb48fb762c0@mail.gmail.com>
Date: Tue, 28 Nov 2006 15:34:38 +0100
From: "=?UTF-8?Q?Carlos_Gonz=C3=A1lez-Cadenas?=" <carlos@gonzalez.name>
To: "Dr Stephen Henson" <lists@drh-consultancy.demon.co.uk>
Subject: Re: on-hold certificates in CRLs
Cc: pkix <ietf-pkix@imc.org>
In-Reply-To: <456C25FF.7050901@drh-consultancy.demon.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_8774_10581603.1164724478194"
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov> <456B90A7.1020306@drh-consultancy.demon.co.uk> <016a01c712de$e39ee6f0$5d85900a@wcwang> <456C25FF.7050901@drh-consultancy.demon.co.uk>
X-Google-Sender-Auth: 91fc0afb191a12b2
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
------=_Part_8774_10581603.1164724478194
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
In my opinion the on-hold status makes sense in many concrete cases all of
you have been discussing before. Many CAs (I speak for what I've seen here
in Spain) also support certificate suspension, and that's included in their
CPSs.
It is technically possible to determine with a precision near to zero when a
signature was created (as you said in some emails there's plenty of
published material about that matter), so it's necessary to know the status
of the certificate in a point of time.
The problem now is that
1) we don't have a common view about what "on-hold" means (in this mail
thread some people argue that the key should not be used during the on-hold
period and other people argue that the key may be used).
2) it's not clear how to bring certificate suspension into the practice
Regarding 2) I see that a common practice about how to do certificate
suspension described in 3280bis would be very helpful. In my opinion there
should be three supported cases
a) a certificate suspended (on-hold) that is finally revoked, that means
that the CA first revoke the certificate in instant t1 with the on-hold
cause, and after doing some investigations or whatever finally revokes the
certificate in instant t2 with another cause different from on-hold (i.e.
key compromise, ...) (note that it will be very useful to include an
invalidity date extension pointing to t1 or to the time it's known the
certificate should be considered as invalid).
- Relying parties validating the certificate between t1 and t2 will
see the certificate on-hold (I see here that using the hold instruction code
can make happy people with different interpretations for what means on-hold,
that is, the CA can inform with the hold instruction that the certificate is
to be rejected, possibly solving the problems found in 1) )
- Relying parties validating the certificate after t2 will see the
certificate revoked (everything should work as usual)
b) a certificate suspended (on-hold) that is finally determined valid, that
means that the CA first revoke the certificate in instant t3 with the
on-hold cause, and after doing some investigations or whatever finally
determines that the certificate should keep valid, therefore including a
removeFromCRL in t4 (if the CA is issuing deltas) and eliminating all the
information regarding this certificate in the full CRL issued in t5
- Relying parties validating the certificate between t3 and t4 will
see the certificate on-hold (I see here that using the hold instruction code
can make happy people with different interpretations for what means on-hold,
that is, the CA can inform with the hold instruction that the certificate is
to be rejected, possibly solving the problems found in 1))
- Relying parties validating the certificate after t4 should determine
that the certificate is valid (and in this case the information that the
certificate was on hold it's not longer needed as you said).
I don't know if I'm missing something important, but as an implementer I
always felt that some text that clarified how to deal with suspension was
missing: I guessed and interpreted how to do it. I think we have a gold
opportunity now to fix this issue in 3280bis (possibly 3280bisbis will take
many years).
I offer myself to help in what you consider is the best solution (producing
text for 3280bis, creating informative material, ....).
Opinions?
Best regards,
Carlos
On 11/28/06, Dr Stephen Henson <lists@drh-consultancy.demon.co.uk> wrote:
>
>
> Wen-Cheng Wang wrote:
> >
> >
> > You may argue that no matter how close between the time in the
> time-stamp
> > and the signing time claimed by the signer, risk still exists. If so,
> > you should
> > consider add a "content time-stamp" in addition to the "signature
> > time-stamp".
>
> Yes I'd argue that. In some cases (S/MIME signing time attribute for
> example) an attacker could generate a message with an arbitrary signing
> time. In this case they could claim some time in the future after the
> hold status is expected to be lifted.
>
> > The signing sequence will be as the following:
> > Step 1. Get a trusted time-stamp of the message content
> > Step 2. Sign the message
> > Step 3. Get a trusted time-stamp of the signature
> > Since the message must be signed between the time of the content
> time-stamp
> > was generated and the time of the signature time-stamp was generated,
> the
> > verifier can certainly be aware of the period in which the message is
> > signed.
> >
> > Therefore, it is actually possible to reliably determine the time (in
> > the regard of
> > the agreed signature policy) or the "period" the signature was made.
> >
>
> Yes that would work assuming that "message" in Step 2, is the message
> content with time stamp. Signing the content time stamp would have the
> same result.
>
> IMHO if we are not going to deprecate the on-hold status we at least
> need some text to indicate the issues involved.
>
> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.co.uk/
> Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
>
>
------=_Part_8774_10581603.1164724478194
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
In my opinion the on-hold status makes sense in many concrete cases all of you have been discussing before. Many CAs (I speak for what I've seen here in Spain) also support certificate suspension, and that's included in their CPSs.
<br><br>It is technically possible to determine with a precision near to zero when a signature was created (as you said in some emails there's plenty of published material about that matter), so it's necessary to know the status of the certificate in a point of time.
<br><br>The problem now is that <br><br>1) we don't have a common view about what "on-hold" means (in this mail thread some people argue that the key should not be used during the on-hold period and other people argue that the key may be used).
<br><br>2) it's not clear how to bring certificate suspension into the practice<br><br>Regarding 2) I see that a common practice about how to do certificate suspension described in 3280bis would be very helpful. In my opinion there should be three supported cases
<br><br>a) a certificate suspended (on-hold) that is finally revoked, that means that the CA first revoke the certificate in instant t1 with the on-hold cause, and after doing some investigations or whatever finally revokes the certificate in instant t2 with another cause different from on-hold (
i.e. key compromise, ...) (note that it will be very useful to include an invalidity date extension pointing to t1 or to the time it's known the certificate should be considered as invalid). <br><ul><li>Relying parties validating the certificate between t1 and t2 will see the certificate on-hold (I see here that using the hold instruction code can make happy people with different interpretations for what means on-hold, that is, the CA can inform with the hold instruction that the certificate is to be rejected, possibly solving the problems found in 1) )
</li><li>Relying parties validating the certificate after t2 will see the certificate revoked (everything should work as usual)</li></ul><br>b) a certificate suspended (on-hold) that is finally determined valid, that means that the CA first revoke the certificate in instant t3 with the on-hold cause, and after doing some investigations or whatever finally determines that the certificate should keep valid, therefore including a removeFromCRL in t4 (if the CA is issuing deltas) and eliminating all the information regarding this certificate in the full CRL issued in t5
<br><br><ul><li>Relying parties validating the certificate between t3 and t4 will see the certificate on-hold (I see here that using the hold
instruction code can make happy people with different interpretations
for what means on-hold, that is, the CA can inform with the hold
instruction that the certificate is to be rejected, possibly solving the problems found in 1))</li><li>Relying parties validating the certificate after t4 should determine that the certificate is valid (and in this case the information that the certificate was on hold it's not longer needed as you said).
<br></li></ul><br>I don't know if I'm missing something important, but as an implementer I always felt that some text that clarified how to deal with suspension was missing: I guessed and interpreted how to do it. I think we have a gold opportunity now to fix this issue in 3280bis (possibly 3280bisbis will take many years).
<br><br>I offer myself to help in what you consider is the best solution (producing text for 3280bis, creating informative material, ....).<br><br>Opinions?<br><br>Best regards,<br><br>Carlos<br><br><div><span class="gmail_quote">
On 11/28/06, <b class="gmail_sendername">Dr Stephen Henson</b> <<a href="mailto:lists@drh-consultancy.demon.co.uk">lists@drh-consultancy.demon.co.uk</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>Wen-Cheng Wang wrote:<br>><br>><br>> You may argue that no matter how close between the time in the time-stamp<br>> and the signing time claimed by the signer, risk still exists. If so,<br>> you should<br>
> consider add a "content time-stamp" in addition to the "signature<br>> time-stamp".<br><br>Yes I'd argue that. In some cases (S/MIME signing time attribute for<br>example) an attacker could generate a message with an arbitrary signing
<br>time. In this case they could claim some time in the future after the<br>hold status is expected to be lifted.<br><br>> The signing sequence will be as the following:<br>> Step 1. Get a trusted time-stamp of the message content
<br>> Step 2. Sign the message<br>> Step 3. Get a trusted time-stamp of the signature<br>> Since the message must be signed between the time of the content time-stamp<br>> was generated and the time of the signature time-stamp was generated, the
<br>> verifier can certainly be aware of the period in which the message is<br>> signed.<br>><br>> Therefore, it is actually possible to reliably determine the time (in<br>> the regard of<br>> the agreed signature policy) or the "period" the signature was made.
<br>><br><br>Yes that would work assuming that "message" in Step 2, is the message<br>content with time stamp. Signing the content time stamp would have the<br>same result.<br><br>IMHO if we are not going to deprecate the on-hold status we at least
<br>need some text to indicate the issues involved.<br><br>Steve.<br>--<br>Dr Stephen N. Henson.<br>Core developer of the OpenSSL project: <a href="http://www.openssl.org/">http://www.openssl.org/</a><br>Freelance consultant see:
<a href="http://www.drh-consultancy.co.uk/">http://www.drh-consultancy.co.uk/</a><br>Email: <a href="mailto:shenson@drh-consultancy.co.uk">shenson@drh-consultancy.co.uk</a>, PGP key: via homepage.<br><br></blockquote></div>
<br>
------=_Part_8774_10581603.1164724478194--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASC5ssq062508; Tue, 28 Nov 2006 05:05:54 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASC5s3j062507; Tue, 28 Nov 2006 05:05:54 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from anchor-post-31.mail.demon.net (anchor-post-31.mail.demon.net [194.217.242.89]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASC5q88062499 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 05:05:53 -0700 (MST) (envelope-from lists@drh-consultancy.demon.co.uk)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10] helo=[192.168.7.2]) by anchor-post-31.mail.demon.net with esmtp (Exim 4.42) id 1Gp1iA-0006Do-4C for ietf-pkix@imc.org; Tue, 28 Nov 2006 12:05:26 +0000
Message-ID: <456C25FF.7050901@drh-consultancy.demon.co.uk>
Date: Tue, 28 Nov 2006 12:05:19 +0000
From: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov> <456B90A7.1020306@drh-consultancy.demon.co.uk> <016a01c712de$e39ee6f0$5d85900a@wcwang>
In-Reply-To: <016a01c712de$e39ee6f0$5d85900a@wcwang>
X-Enigmail-Version: 0.94.1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Wen-Cheng Wang wrote:
>
>
> You may argue that no matter how close between the time in the time-stamp
> and the signing time claimed by the signer, risk still exists. If so,
> you should
> consider add a "content time-stamp" in addition to the "signature
> time-stamp".
Yes I'd argue that. In some cases (S/MIME signing time attribute for
example) an attacker could generate a message with an arbitrary signing
time. In this case they could claim some time in the future after the
hold status is expected to be lifted.
> The signing sequence will be as the following:
> Step 1. Get a trusted time-stamp of the message content
> Step 2. Sign the message
> Step 3. Get a trusted time-stamp of the signature
> Since the message must be signed between the time of the content time-stamp
> was generated and the time of the signature time-stamp was generated, the
> verifier can certainly be aware of the period in which the message is
> signed.
>
> Therefore, it is actually possible to reliably determine the time (in
> the regard of
> the agreed signature policy) or the "period" the signature was made.
>
Yes that would work assuming that "message" in Step 2, is the message
content with time stamp. Signing the content time stamp would have the
same result.
IMHO if we are not going to deprecate the on-hold status we at least
need some text to indicate the issues involved.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASBdkk7059970; Tue, 28 Nov 2006 04:39:46 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASBdkHF059969; Tue, 28 Nov 2006 04:39:46 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailrelay1.tugraz.at (mailrelay.tu-graz.ac.at [129.27.2.202]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASBdij9059935 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 04:39:45 -0700 (MST) (envelope-from peter.lipp@iaik.tugraz.at)
Received: from thor.iaik.tugraz.at (mail1.iaik.tugraz.at [129.27.152.30]) by mailrelay1.tugraz.at (8.13.8/8.13.8) with ESMTP id kASBdXi3012681 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 12:39:33 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by thor.iaik.tugraz.at (Postfix) with ESMTP id F3B74194003 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 12:39:32 +0100 (CET)
Received: from thor.iaik.tugraz.at ([127.0.0.1]) by localhost (thor [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12136-02 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 12:39:32 +0100 (CET)
Received: from NOTEBOOKLIPP (notebooklipp.iaik.tugraz.at [129.27.152.54]) by thor.iaik.tugraz.at (Postfix) with ESMTP id E158A194002 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 12:39:32 +0100 (CET)
From: "Peter Lipp" <peter.lipp@iaik.tugraz.at>
To: <ietf-pkix@imc.org>
Subject: AW: on-hold certificates in CRLs
Date: Tue, 28 Nov 2006 12:39:15 +0100
Message-ID: <00a201c712e1$d5522320$4c981b81@iaik.tugraz.at>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AccShtMaAEjV2UF6QdqoGxpra124aAAWX6Tw
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
In-Reply-To: <7.0.0.16.2.20061127184910.073db428@vigilsec.com>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at iaik.tugraz.at
X-Spam-Scanner: SpamAssassin 3.001007
X-Spam-Score-relay: -0.7
X-Scanned-By: MIMEDefang 2.58 on 129.27.10.18
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
> If people are really using it, then we should not pull the
> rug out from under them. I do not think this is a great
> mechanism for the situation that is described, but there are
> far worse uses that have been discussed.
That's an understandable position. But probably it would be or have been
worthwhile to differentiate between the different uses; currently the number
of interpretations what to use that mechanism for is simply to
heterogeneous, some of them are problematic. We have seen mentioned now:
- on hold for the time of transport of the id card
- on hold for suspected compromise where the info came from unauthenticated
sources
I have heared from ideas to use on hold for a time where e.g. I am not in my
office and cant use the certificate on my office machine (like vacation or
even the weekend). (Don't know if this idea has been implemented though.
Hope not.)
There may be other ideas/uses of that concept.
Santosh mentioned that "on hold is not overly complex". I agree, the basic
idea isn't. But the different interpretations existing make it maybe not
complex but incompatible or meaningless. What does the "on hold" for
transport buy me? As soon as it is no longer on hold and the firt CRL
without that information issued, this fact is forgotten. What if I now had a
signature created during that time... (If I assume I will never find such a
signature, why place the cert on hold?)
If this stays in, the usage should be restricted to the working scenarious
only and any legislation prescribing other uses should be fixed.
Peter
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASBIME4058157; Tue, 28 Nov 2006 04:18:22 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASBIM8n058156; Tue, 28 Nov 2006 04:18:22 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from auth0.cht.com.tw (esmtpo1.cht.com.tw [202.39.168.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASBIJKo058145 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 04:18:20 -0700 (MST) (envelope-from wcwang@cht.com.tw)
Received: from auth0.cht.com.tw (localhost.localdomain [127.0.0.1]) by localhost.cht.com.tw (Postfix) with ESMTP id 799682CC307; Tue, 28 Nov 2006 19:18:13 +0800 (CST)
Received: from wcwang (unknown [10.144.133.93]) by auth0.cht.com.tw (Postfix) with SMTP id 399D42CC2F6; Tue, 28 Nov 2006 19:18:13 +0800 (CST)
Message-ID: <016a01c712de$e39ee6f0$5d85900a@wcwang>
From: "Wen-Cheng Wang" <wcwang@cht.com.tw>
To: "Dr Stephen Henson" <shenson@drh-consultancy.demon.co.uk>, "pkix" <ietf-pkix@imc.org>
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov> <456B90A7.1020306@drh-consultancy.demon.co.uk>
Subject: Re: on-hold certificates in CRLs
Date: Tue, 28 Nov 2006 19:18:06 +0800
Organization: Chunghwa Telecom
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="utf-8"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Dr Stephen Henson wrote:
>
> David A. Cooper wrote:
>>
>> Other people believe that placing a certificate on hold also places use
>> of the private key on hold and so any signatures generated during the
>> time that the certificate was on hold are not legitimate. Thus, these
>> people believe that when verifying a signature it is important to know
>> whether the certificate was on hold at the time that the signature was
>> generated, even if the certificate is later removed from hold. The
>> information included in CRLs issued after the certificate is removed
>> from hold do not include any information that would help to determine
>> whether the certificate was on hold at some point in the past.
>>
>
> That's the case I'm uneasy about which I suspect is the case the two
> examples I've seen are intended to cover.
>
> It should be noted that this assumes that there is a way to reliably
> determine when the signature was made.
>
> This is not always possible and often one can only say it was made *on
> or before* a certain time (for example the time in a trusted timestamp).
>
> That doesn't help because the signature might be made during the hold
> period and the timestamp added some time afterwards.
>
In the area of "Advanced Electronic Signatures" (or so-called long term
electronic signatures by the S/MIME WG), this is called "time-stamp delay".
In section B.8.4 of RFC 3125, it informatively describe requirement of
signature policy related to "time-stamp delay" as follows:
There will be some delay between the time that a signature is created
and the time the signer's digital signature is time-stamped.
However, the longer this elapsed period the greater the risk of the
signature being invalidated due to compromise or deliberate
revocation of its private signing key by the signer. Thus the
signature policy should specify a maximum acceptable delay between
the signing time as claimed by the signer and the time included
within the time-stamp.
And in section 3.8 of RFC 3125, the signatureTimestampDelay field is
defined as follows to allow a signature policy Issuer to specify the
acceptable "time-stamp delay":
The signatureTimestampDelay field specifies a maximum acceptable time
between the signing time and the time at which the signature time-
stamp, as used to form the ES Time-Stamped, is created for the
verifier. If the signature time-stamp is later that the time in the
signing-time attribute by more than the value given in
signatureTimestampDelay, the signature must be considered invalid.
The implication is that with the help of a trusted time-stamp close enough
to the signing-time (in the signed attribute) claimed by the signer, the verifier
can assume, in the regard of the agreed signature policy, the message
was really signed at that time.
You may argue that no matter how close between the time in the time-stamp
and the signing time claimed by the signer, risk still exists. If so, you should
consider add a "content time-stamp" in addition to the "signature time-stamp".
The signing sequence will be as the following:
Step 1. Get a trusted time-stamp of the message content
Step 2. Sign the message
Step 3. Get a trusted time-stamp of the signature
Since the message must be signed between the time of the content time-stamp
was generated and the time of the signature time-stamp was generated, the
verifier can certainly be aware of the period in which the message is signed.
Therefore, it is actually possible to reliably determine the time (in the regard of
the agreed signature policy) or the "period" the signature was made.
I am one of the people who believe that placing a certificate on hold also
places use of the private key on hold and so any signature generated
during the time that the certificate was on hold are not legitimate. I also
agree the following Santosh's opinion:
"As to determination of the certificate status, archiving all CRL (and deltas if
deltas are produced) give the accurate picture of revocation status modulo
CRL issuance frequency."
I am aware a case where the signatures generated during the time that the
certificate was on hold are not legitimate. The case is the government issues
X.509 certificates to companies and by regulation if a company's license
is placed on hold (for example, due to illegal tax evasion) then the company's
X.509 will also be simultaneously placed on hold and the company's digital
signatures will be considered illegitimate until its company license is resumed
(and of course its X.509 certificate will be simultaneously resumed too).
To validate an archived signed data (with long-term signature and timestamps),
we will need a mechanism to validate the signing certificate relative to past
time or period. Currently, the SCVP draft intend to support validate a certificate
relative to past time. (Personally, I think SCVP should also support validate
a certificate relative to past "period".) However, it is unfortunately that the
certificate validation algorithm of RFC 3280 and RFC 3280bis only support
validate a certificate at the "current time". We still lack a standard algorithm to
validate a certificate relative to past time or period.
Wen-Cheng Wang
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASAgSgU054881; Tue, 28 Nov 2006 03:42:28 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASAgSsE054880; Tue, 28 Nov 2006 03:42:28 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.191]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASAgQ4Q054855 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 03:42:27 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from dub-exhub-c302.europe.corp.microsoft.com (65.53.213.92) by DUB-EXGWY-E801.partners.extranet.microsoft.com (10.251.129.1) with Microsoft SMTP Server (TLS) id 8.0.685.20; Tue, 28 Nov 2006 10:42:20 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by dub-exhub-c302.europe.corp.microsoft.com ([65.53.213.92]) with mapi; Tue, 28 Nov 2006 10:42:19 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Date: Tue, 28 Nov 2006 10:42:18 +0000
Subject: RE: on-hold certificates in CRLs
Thread-Topic: on-hold certificates in CRLs
Thread-Index: AccSihxHTWv74gb+SPKdEFYuA6Nw1AATZUXA
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF01576AA8D@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <7.0.0.16.2.20061127140855.07404318@vigilsec.com> <456B462C.8010209@drh-consultancy.demon.co.uk> <456B56CF.7020501@cs.dartmouth.edu> <7.0.0.16.2.20061127184910.073db428@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061127184910.073db428@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kASAgR4Q054875
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
2 things.
1) Some examples of using on-hold seems a bit shaky. For example putting a certificate on-hold until card is delivered does not stop me from signing with the card and use that signature after its status has been restored. I concur that once status has been restored, there is no need to know if it has been on hold.
I'm personally not a big fan of "on hold", but we have a responsibility to not break users of this profile, so deprecating a feature puts great responsibilities on us to determine that we don't break legitimate implementations.
2) RFC3280bis will never be perfect. We will never stop finding things that we may want to change or update. It's time to draw the line and let this document proceed. Let's focus on fixing errors if we find them but avoid "improvements" as much as possible. It's time to ship an update of RFC 3280.
In time there will be an rfc3280bisbis
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Russ Housley
> Sent: den 28 november 2006 00:51
> To: ietf-pkix@imc.org
> Subject: Re: on-hold certificates in CRLs
>
>
> Massimiliano:
>
> >>I have come across two real world examples of it being used in
> national
> >>ID schemes. In both of these a certificate is automatically placed
> "on
> >>hold" when the card is manufactured and then made valid when the
> >>recipient has performed some procedure to acknowledge receipt. I
> suspect
> >>that the two I saw are far from isolated examples.
> >
> >I do confirm that some big national CAs (at least in Italy) use the
> `on Hold'
> >status when the card is first "initialized" (and the certificate
> issued)
> >till the user receives the card.
>
> If people are really using it, then we should not pull the rug out
> from under them. I do not think this is a great mechanism for the
> situation that is described, but there are far worse uses that have
> been discussed.
>
> Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASAVYgf053965; Tue, 28 Nov 2006 03:31:34 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASAVYW3053964; Tue, 28 Nov 2006 03:31:34 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail.nbusr.sk (mail.nbusr.sk [84.245.65.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASAVRIo053934 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 03:31:28 -0700 (MST) (envelope-from rybar@nbusr.sk)
Received: from IBM5E1D7F233E3 ([10.0.250.204]) by mail.nbusr.sk with esmtp; Tue, 28 Nov 2006 11:26:40 +0100 id 000114E1.456C0EE4.0000B2ED
From: "Peter Rybar" <rybar@nbusr.sk>
To: "'pkix'" <ietf-pkix@imc.org>
Cc: "'Dr Stephen Henson'" <shenson@drh-consultancy.demon.co.uk>
Subject: RE: on-hold certificates in CRLs
Date: Tue, 28 Nov 2006 11:31:29 +0100
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAo5hlHtaY40maWMbI+cGFssKAAAAQAAAAZxC+/fCG6Ey5qPQFGX4GAwEAAAAA@nbusr.sk>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=_mail.nbusr.sk-45805-1164709604-0001-2"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
In-Reply-To: <456B9175.6080707@drh-consultancy.demon.co.uk>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-Index: AccStSo3jC6psr/STziqSZ9e5RA6ZQACmeEg
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.
--=_mail.nbusr.sk-45805-1164709604-0001-2
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Signed mail is in attachment.
--=_mail.nbusr.sk-45805-1164709604-0001-2
Content-Type: message/rfc822; name=" onHoldCertificatesInCRLs.eml"
Content-Disposition: attachment;
filename=" onHoldCertificatesInCRLs.eml"
Message-ID: <28x11x2006at11x21x10x0DAE>
From: <rybar@nbusr.sk>
To: <ietf-pkix@imc.org>
Cc: <lists@drh-consultancy.demon.co.uk>
Subject: RE: on-hold certificates in CRLs
Date: Tue, 28 Nov 2006 11:21:10 +0100
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="=_mail.nbusr.sk-45805-1164709604-0001-3"
X-Mailer: ELPI
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.
--=_mail.nbusr.sk-45805-1164709604-0001-3
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
The status of certificateHold or removeFromCRL is useful only for strictly
online system, where is no reason to check a history about revocation
status information.
If certificate is several times in status on hold and removed from hold
then the verification of qualified electronic signature with trusted
timestamp is almost impossible.
That is the reason why the Slovak Act no. 215/2002 Coll. on Electronic
Signature (qualified certificate and qualified el. signature) does not
allow removing the certificate from hold.
Certificate in the CRL (OCSP) can not be found in revocation reason
certificateHold or removeFromCRL, thus its validity can not be stopped for
certain period.
IMHO useful recommendation in this RFC:
"The certificateHold or removeFromCRL status MUST NOT be used by CA except
CA for strictly On-Line system".
Peter
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On
Behalf Of Dr Stephen Henson
Sent: Tuesday, November 28, 2006 2:32 AM
To: pkix
Subject: Re: on-hold certificates in CRLs
David A. Cooper wrote:
>
> Other people believe that placing a certificate on hold also places use
> of the private key on hold and so any signatures generated during the
> time that the certificate was on hold are not legitimate. Thus, these
> people believe that when verifying a signature it is important to know
> whether the certificate was on hold at the time that the signature was
> generated, even if the certificate is later removed from hold. The
> information included in CRLs issued after the certificate is removed
> from hold do not include any information that would help to determine
> whether the certificate was on hold at some point in the past.
>
That's the case I'm uneasy about which I suspect is the case the two
examples I've seen are intended to cover.
It should be noted that this assumes that there is a way to reliably
determine when the signature was made.
This is not always possible and often one can only say it was made *on
or before* a certain time (for example the time in a trusted timestamp).
That doesn't help because the signature might be made during the hold
period and the timestamp added some time afterwards.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
--=_mail.nbusr.sk-45805-1164709604-0001-3
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIIM1QYJKoZIhvcNAQcCoIIMxjCCDMICAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCCkQw
ggZnMIIFT6ADAgECAgIMEDANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTSzETMBEGA1UEBwwK
QnJhdGlzbGF2YTEiMCAGA1UECgwZTmFyb2RueSBiZXpwZWNub3N0bnkgdXJhZDEOMAwGA1UECwwF
U0lCRVAxDTALBgNVBAMMBFNOQ0EwHhcNMDYxMTIxMTUyMTE2WhcNMDcxMTIxMTUyMTE2WjBsMQsw
CQYDVQQGEwJTSzETMBEGA1UEBwwKQnJhdGlzbGF2YTEiMCAGA1UECgwZTmFyb2RueSBiZXpwZWNu
b3N0bnkgdXJhZDEOMAwGA1UECwwFU0lCRVAxFDASBgNVBAMMC1BldGVyIFJ5YmFyMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAijI9giVdMdvNWYuijIJWDfXeD1o/g0+IQWJ+J1amiNiP
y9gHZe4yPMPoRhU89gDIqGdDHs0dvzLbK+wzvGMtUE4cdmbniMVoWIft4d9GJrwhdr+RM1QPvkWC
ko1BMR2og47x61cqX1Pa+f46KM3+Jc7j+r0NDp7aBsaTzA3P/70R9wiiiG1vMzirdW/C5RkTuyug
+hFYzkpAcZuuW96Sbyvn5r7yV8ecWrAYqILXAlXRa2F9K8HV/AZircK7JGOxzkglS1n3Z7AZTxuf
24J8R+mywUslA3ZsMQvlxk1SPN269YfrJ21t3+QpLSPLjJCfm+zOwWI/Qe8XLwoxzaOoHQIDAQAB
o4IDGDCCAxQwCQYDVR0TBAIwADAvBgNVHREEKDAmgQ5yeWJhckBuYnVzci5za4YUaHR0cDovL3d3
dy5uYnVzci5zay8wggEkBggrBgEFBQcBAQSCARYwggESMDMGCCsGAQUFBzAChidodHRwOi8vZXAu
bmJ1c3Iuc2svc25jYS9jZXJ0cy9zbmNhMS5wN2MwcgYIKwYBBQUHMAKGZmxkYXA6Ly9lcC5uYnVz
ci5zay9jbj1TTkNBLG91PVNJQkVQLG89TmFyb2RueSBiZXpwZWNub3N0bnkgdXJhZCxsPUJyYXRp
c2xhdmEsYz1TSz9jYUNlcnRpZmljYXRlO2JpbmFyeTBnBggrBgEFBQcwAoZbbGRhcDovLy9jbj1T
TkNBLG91PVNJQkVQLG89TmFyb2RueSBiZXpwZWNub3N0bnkgdXJhZCxsPUJyYXRpc2xhdmEsYz1T
Sz9jYUNlcnRpZmljYXRlO2JpbmFyeTATBgNVHSAEDDAKMAgGBgQAj3oBAjAOBgNVHQ8BAf8EBAMC
B4AwEwYDVR0lBAwwCgYIKwYBBQUHAwQwHwYDVR0jBBgwFoAUOLPZAKX2gblLDZsq201lZ7GlG8ww
ggEyBgNVHR8EggEpMIIBJTAsoCqgKIYmaHR0cDovL2VwLm5idXNyLnNrL3NuY2EvY3Jscy9zbmNh
MS5jcmwwf6B9oHuGeWxkYXA6Ly9lcC5uYnVzci5zay9jbiUzZFNOQ0Esb3UlM2RTSUJFUCxvJTNk
TmFyb2RueSUyMGJlenBlY25vc3RueSUyMHVyYWQsbCUzZEJyYXRpc2xhdmEsYyUzZFNLP2NlcnRp
ZmljYXRlUmV2b2NhdGlvbkxpc3QwdKByoHCGbmxkYXA6Ly8vY24lM2RTTkNBLG91JTNkU0lCRVAs
byUzZE5hcm9kbnklMjBiZXpwZWNub3N0bnklMjB1cmFkLGwlM2RCcmF0aXNsYXZhLGMlM2RTSz9j
ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0MB0GA1UdDgQWBBQ4lCP+K34syFse49QZh8ZUapO8sDAN
BgkqhkiG9w0BAQUFAAOCAQEAo2QAzOXtSiBe1K3Z40l2Uz4ijetestNTtvvyWCFKZoxBvGrSWKwd
agnyDBpSjmcVa/BPq5ipyIWkGR8XBi3xRZP8epfTHXXzPuDaXD1QAkxoe60725JrYtxlZFCY+GtV
JUvs1mxJjnoKuMKOLkMdUj83qMzG/tAD/FWHpGWCaI5GS3DB+9Bm2Db8sjS1Ismvgpj1MVWSWIr8
LlS9hlmyWK6m5gVN83szOd62xdaWXl/53CUilb5W0iS1aV73C+aMdeStl7DWdRIXEThhd0J7/tBr
Eb2Rxvwtdt04GijQdRG6yojZ8WbvRDTEn9U6FzFQquPndJp1L1GVliISDZQ9azCCA9UwggK9oAMC
AQICAQEwDQYJKoZIhvcNAQEFBQAwZTELMAkGA1UEBhMCU0sxEzARBgNVBAcMCkJyYXRpc2xhdmEx
IjAgBgNVBAoMGU5hcm9kbnkgYmV6cGVjbm9zdG55IHVyYWQxDjAMBgNVBAsMBVNJQkVQMQ0wCwYD
VQQDDARTTkNBMB4XDTA2MDQzMDA4NDEyOFoXDTE2MDQzMDA4Mjc1OFowZTELMAkGA1UEBhMCU0sx
EzARBgNVBAcMCkJyYXRpc2xhdmExIjAgBgNVBAoMGU5hcm9kbnkgYmV6cGVjbm9zdG55IHVyYWQx
DjAMBgNVBAsMBVNJQkVQMQ0wCwYDVQQDDARTTkNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAstRsWtSGa+W6KE+HTffiIHhfAugP+uPv7yoJzEp0CjZOtZXB/FkjNoXma19vKYSaP9EI
7TAuFzuWI+hnaMRoeITU0qpWN0cPrRzhiLU5XbbBIjAIutsNu79TKo6tSObQEtsCqfnfquTpAaPd
OeIMxcCg7DZck5msMUsJGHEx/3TeWCNU+6ZKw1c6vjgM3BzmOVzl7OjqhjqaNFA3xjiXXSNKO5RA
0AGMXYOUY+HlNJjOqVdWoyXWznEI+6U3TYLqxmhYpO/E9AA79IQczY0H/qZoj8RR0GWVUOPdOA5g
LOKVKlB68BF9hmYQ5HiQNiwGDA2CY/ogIQOh8AZQMSzKhwIDAQABo4GPMIGMMA8GA1UdEwEB/wQF
MAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9lcC5uYnVz
ci5zay9zbmNhL2NybHMvc25jYTEuY3JsMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUOLPZAKX2
gblLDZsq201lZ7GlG8wwDQYJKoZIhvcNAQEFBQADggEBADRJxn516YeCYlvqTRQ4s9UA7bDh6kHS
baG+FTBVxO5r7NMFmsIQmMIlUxuZPFz8yzqGdCGLIIklnqc4EWeqwTTWAIQO5A/V2Ca0MlgZZxy/
XQdSTnWLUw6Ooz3GirqcQTrnqq3MsMXN6KdZhIs4RXf0yg91VpM9Y2cqc8Iixq8GIpSlo6kLayQe
uUm1voUiMZ+vzMIuvfcOXc0+3bJM2gbX1GuEBoFhMnl7Lrjg/1fuib6KppFbExWnpTj62Uf1qV4Y
k/5tJ04aUze7BnohKV/0dcB4fXDmScL9GcHltIV0O1PQ75vK2bLW3OJmpI3DX40Ncu5Y0rKwXbDB
WPLmXj4xggJZMIICVQIBATBrMGUxCzAJBgNVBAYTAlNLMRMwEQYDVQQHDApCcmF0aXNsYXZhMSIw
IAYDVQQKDBlOYXJvZG55IGJlenBlY25vc3RueSB1cmFkMQ4wDAYDVQQLDAVTSUJFUDENMAsGA1UE
AwwEU05DQQICDBAwCQYFKw4DAhoFAKCBxDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqG
SIb3DQEJBTEPFw0wNjExMjgxMDIxMTBaMCMGCSqGSIb3DQEJBDEWBBQ8FqTtxd31fFjEa8sUjB0s
sXcIUzBlBgkqhkiG9w0BCQ8xWDBWMAoGCCqGSIb3DQMHMAsGCWCGSAFlAwQBAjAPBgkqhkiG9n0H
QgoCAgCAMA0GCysGAQQBgTwHAQECMA4GCCqGSIb3DQMCAgIAgDALBglghkgBZQIBAQQwDQYJKoZI
hvcNAQEBBQAEggEAVntDnX9Tri/+M0wfohiz3AO7iM0O1wAsZ7100nFXSgQ1C/jGHK4kyW3GV/78
BURAo3V3RO0RqGEgyQdab6e2bpHzhXBBNLUkmfm0vz89NItV5sTgTeATsQyo+WZhLkBbMo2kAVIo
AtOHgb+nqY7UWtKf4hjGijheE/CMDCczZ2c59lUa06i2BtTsEGTE0ap+628YZx7ZvZ1F3zQk8NK+
7vb1YOtGCnjiqBvy0NaiYTlFU/uuMCRmrcfXQsaSXcvjzNxtkxuOyP65qMJmltdL+/Szbu59w1R2
bJ+3i6O70NXcdiLGbpr+wtlkrWyGijaOdQpAz2yOXfQTSpwouQl3qQ==
--=_mail.nbusr.sk-45805-1164709604-0001-3--
--=_mail.nbusr.sk-45805-1164709604-0001-2--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS9xVl7049938; Tue, 28 Nov 2006 02:59:31 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAS9xVlr049937; Tue, 28 Nov 2006 02:59:31 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from postman.ripe.net (postman.ripe.net [193.0.0.199]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS9xTnr049921 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 02:59:30 -0700 (MST) (envelope-from robert@ripe.net)
Received: by postman.ripe.net (Postfix, from userid 4008) id 1063B23FB9; Tue, 28 Nov 2006 10:59:22 +0100 (CET)
Received: from herring.ripe.net (herring.ripe.net [193.0.1.203]) by postman.ripe.net (Postfix) with ESMTP id DC5FF23FD3 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 10:59:16 +0100 (CET)
Received: from [IPv6???1] (chimp.ripe.net [193.0.1.199]) by herring.ripe.net (Postfix) with ESMTP id D860A2F594 for <ietf-pkix@imc.org>; Tue, 28 Nov 2006 10:59:16 +0100 (CET)
Message-ID: <456C0874.1020907@ripe.net>
Date: Tue, 28 Nov 2006 10:59:16 +0100
From: =?ISO-8859-1?Q?R=F3bert_Kisteleki?= <robert@ripe.net>
Organization: RIPE NCC
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <7.0.0.16.2.20061127140855.07404318@vigilsec.com> <456B462C.8010209@drh-consultancy.demon.co.uk> <456B56CF.7020501@cs.dartmouth.edu> <7.0.0.16.2.20061127184910.073db428@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061127184910.073db428@vigilsec.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-RIPE-Spam-Level:
X-RIPE-Spam-Tests: ALL_TRUSTED,BAYES_00
X-RIPE-Spam-Status: N 0.180305 / -4.4
X-RIPE-Signature: 910a621c71186ef4ec5a32d9feaeb68f
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ Housley wrote:
>
> Massimiliano:
>
>>> I have come across two real world examples of it being used in national
>>> ID schemes. In both of these a certificate is automatically placed "on
>>> hold" when the card is manufactured and then made valid when the
>>> recipient has performed some procedure to acknowledge receipt. I suspect
>>> that the two I saw are far from isolated examples.
>>
>> I do confirm that some big national CAs (at least in Italy) use the
>> `on Hold'
>> status when the card is first "initialized" (and the certificate issued)
>> till the user receives the card.
>
> If people are really using it, then we should not pull the rug out from
> under them. I do not think this is a great mechanism for the situation
> that is described, but there are far worse uses that have been discussed.
>
> Russ
I have to agree with Massimiliano, in some countries the legislation (!)
enables/forces the national CAs to use the on hold status. Besides this,
whole business processes have been built upon this feature.
I'm not saying that on hold is a good/bad feature, merely that it is being
used, and even if you deprecate it, it will take years to root it out from
practice.
Robert
Received: from [64.65.181.251] ([64.65.181.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS9VGPP046023 for <ietf-pkix-archive@imc.org>; Tue, 28 Nov 2006 02:31:16 -0700 (MST) (envelope-from for@simasoftware.it)
Received: from cwXWQc ([143.126.147.2]) by knxblm with Microsoft SMTPSVC(5.0.2195.6713); Tue, 28 Nov 2006 01:33:31 -0800
Message-ID: <000c01c712d0$31a51b30$00000000@Alan>
From: "specific" <for@simasoftware.it>
To: ietf-pkix-archive@imc.org
Subject: Man
Date: Tue, 28 Nov 2006 01:32:59 -0800
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0008_01C7128D.237F6A30"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
------=_NextPart_000_0008_01C7128D.237F6A30
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0009_01C7128D.237F6A30"
------=_NextPart_001_0009_01C7128D.237F6A30
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Bandwidth captured analyzed realtime, offers, standard, ipoques comprise =
sizes. Project fundmain main st po box ma ph fax.
Heshe computers running authorizes installed, needed connected server.
Open arguing because talks, opponent? Mpcom settling few opens.
Satisfy negotiate conditions outcome neither nor.
Effected, execution payment invoice thereafter?
Level represent households attached diagram optimized, large. Searches =
top page shortcuts!
Near, futurethis short excerpt extended. Tradeshow higher, options =
singleuser licensing assigned individual install.
Internet network kazaa on?
Titles, copy reserved ad feedback license info sketchup. Css bmi cue =
heets either religious access government system.
Expressed, prior interest receiving, research. Subdomains host link url =
document index indexed.
Perform combined background element licensees cable. Implied limitation, =
warranties fitness purpose exclusion vary. Purposes more go wish your =
own beyond. Amp textbooks rare feature areas?
Pay like recently opened pressplay. Points seats purchased determines =
concurrent seat cost per single.
------=_NextPart_001_0009_01C7128D.237F6A30
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1437" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"ZapBax" hspace=3D0=20
src=3D"cid:000701c712d0$31a2aa30$00000000@Alan" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Bandwidth captured analyzed realtime, =
offers,=20
standard, ipoques comprise sizes. Project fundmain main st po box ma ph =
fax.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Heshe computers running authorizes =
installed,=20
needed connected server.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Open arguing because talks, opponent? =
Mpcom=20
settling few opens.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Satisfy negotiate conditions outcome =
neither nor.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Effected, execution payment invoice =
thereafter?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Level represent households attached =
diagram=20
optimized, large. Searches top page shortcuts!</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Near, futurethis short excerpt =
extended. Tradeshow=20
higher, options singleuser licensing assigned individual =
install.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Internet network kazaa on?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Titles, copy reserved ad feedback =
license info=20
sketchup. Css bmi cue heets either religious access government =
system.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Expressed, prior interest receiving, =
research.=20
Subdomains host link url document index indexed.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Perform combined background element =
licensees=20
cable. Implied limitation, warranties fitness purpose exclusion vary. =
Purposes=20
more go wish your own beyond. Amp textbooks rare feature =
areas?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Pay like recently opened pressplay. =
Points seats=20
purchased determines concurrent seat cost per =
single.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0009_01C7128D.237F6A30--
------=_NextPart_000_0008_01C7128D.237F6A30
Content-Type: image/gif;
name="return.gif"
Content-Transfer-Encoding: base64
Content-ID: <000701c712d0$31a2aa30$00000000@Alan>
R0lGODlhgAHkAIcJAAAHAYwNBAyCAH+BCgAOeHoAdwB+h7m7srHYtLTG4zgiAGEcAH8TBaouALwb
ANYRAAc/AChIAD85AF5IAIMxAKI7AMs9Cu5DAAVsCBZjAD5kA19oDXteBaJXDbpeANtfAAB/ACV8
AD6CAll5AHZxCJ6MALWAAOp6DQ6rCi2TAE6uDmaeAI6eCKOtB7SRDdifAAbAByK2AEfLAF+3AHe9
DK69ArXHANK1CADSABfTCkDTCWbmAIXbAJfZAMnhAODjAAMGRysAOU0AQ1cKTokKNagISb0IOucG
PA0hRiwhQ0wWOWIuR4EUP6crQrwrPdoVRAA+PClOMjs3S1dDR4YzTKVLPsI6PNRNRABpQSdTO0FS
QlFWN3ZcEKxpTsxoOdxVNgV+QRZ9PDxxTm6GQHV2S5d8SsOHSd54OQanQSelMUGYRWGuQ4GlSKGc
O86dStWuPgCxQim7P02+TGm2SIHBPpvFPrLGOtnOPQjkMyfgQzXtMl/UQIrZQ5PrRrLRPOXiTQAJ
dRYFc0cAgmkAdn4AcasAcb4Gh9oFdwAcdC4odU4dglIpfXUfhZEhdsMeceskewA1iyw0gT4+iVJM
eHpId5JLfcVBieI8ewFehSNfiz9ee1xsfH9idadUecNmg95Vdw2NgB92jjZ1i2CHiXmEe5WMjLRx
i+CNggCtcxyadTKUfGSahHmpfqquh8eeiO2efgDJeR/Lc0jJgVrIgo7Nga3CdrO8iOu8ewPodxXb
hT3YglLYdIPkgqnki8nle+7niwMAsyIFwDINyGEAx34GuJ8AuLQNxNEAvAghzhwSvjMRv2wjy4Qk
vp4pu8wWvtMazQAysSczxTRHw2FDwIdEu51Ix7hFyOg9swBovSZoyz1ezWpZzINls6VSu8lXte5q
tA2FwS6GzkiAyWqOyI54xqaNyLyFuuSAuwCqtyWuyjWRuGKbwYOstKylx7utvt2ovQDOyivLx0a5
zVi2vXHIuJPCtv//5qiSr3d1jPEGBgH2A/f/AAAI//8B8QPy//3/9SH5BACJ04EALAAAAACAAeQA
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuX
GO3JnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXWoTptOnUKNKnbqRqdWrWLNq3cq1q9evRamK
HUu2rNmTYNOqXcu2rdu3bc/KnUu3rt27ePPq3asSrt+/gAMLHky4sOHDiBMrXsy4sePHkI3ynUy5
smWHkTNr3swZ7OXPoEOLHk26tGm0nVOrXs26J8MAAQrC/ge7dm3atmMPnC1b98HcAnMDF/7bNkHe
x33jNl4ceHDlz3EbRH66ulOesGtmz26Tuz3v3wPQ/wSvXbxM8ujNhx/vvfb59O/Vr+8unzv5+eDv
t96/v715/f6V915O+rEn4IAzwRdefv/JpxODCBqIYIH8VahYQ8jxRt1uvm2oIXTJLeRhhyQWJ12G
sW2oEHUfTleidNbFeB126tknnHgBlkdhhDcpON+PBm5XI44OPihcgkUyuKOFTBbm0Gwomgijixje
RmWIU2bJIYwtomhlb1iqOKKMZMLkk5BI9mgbgUUaSZ+OPgY55Hr3Aeggmgem2eSeq+EJpJ4FLvmm
hIDW16afCxI5aJ4D1nlnm3xGCpl7euZpZ1Bx/gihhEo2yGiljSb5qKSkakYpj6A6ulOOhPLo35Ce
sv/XoKFqErppq6nSWuqubJ2a6JqZCppbrbh2qmurR6o5rKy+gporrrxGS1SZ1FZr7bXYZqvtttx2
6+234IYr7rjklvuPtOimq+667LbrLk4CCEBTvPPKG++999pDb7364puvTfvy66+8PAU8sMH/yhSw
wgS/67CTC8U7EL4TC/CPxAdhfLHFGzekccUdC/QxQiMThPHJHJdcsrkss4QyyiJzbJDGMDOkssUf
rxyzzjSn7PPMMrcstEc97Ysvw0jDa2/DC+fUdL9Qz/R0TVNHHTW9U1f98NaIGf2v1wPX23C/YQM8
NtILa5001WN7bTW/XMe9GNYE0732TQm/7fTZUCP/XDDfeh9Nt99yFx6Xx/fuLLPOO5scdEI3b0yx
zY+HDHniITM+9OYiTT655UBbrjnIBUk8euilV+545j9z7npMRX+dcNWEqy0133YD1bTabutt+O+E
5T074Fb3/jfctpvNtk69Gw/881s9lHPQB+P8uOkHX/756RV7rjrpioP/+vgSQW/++einr/5q5Lfv
/vvwx1/V+vTXf5T8+Odv//78/5T//wAMoABb1r8CGrApA0yg0A7IwAY68IEQjKAE3aXACpprghgE
ngU3KK4MelBuHAyhtz5IwoeJ8ITaKqEK24XCFlprhTCMoQxnSMMa7s+FOMyhDnfIERv60EI8DKJo
/35IxNYI8Skf+MBDksgtJpLFJwCIYhQFk0SZVNEeVUyiFj9gxS1icYtcpAkYuXjFK35Ri2dEoxm7
qEY0sjGMaYSjGMF4xi7GUY52nIkX8/jFo+zxjnr8YyDzmEU6lpGMdKxJIg/JR4gtJIpicaIklejE
gVSSIJe0pBIxuclJFiSTl8zkPyrpyVF2cpOc/GQpTYkQUp5SIK60yCpZqUmFlJKJoHylKFPJSlyi
cpdQ4ckUbSJFAMikmFI8ZjFnskx7IFOZ0HSmMQfZxz6usZqKxGMj37hNbDbymtVcYyG7eU0vmhGc
2BQnIgvpxjRyc47w5CM6GRlORNpkj+ikJjvxmP/PxQyTJsOcokCNOdBoMpOg0yyoNA36Rnz+UZDz
hCgcwblIfraTnnbEaCDdaM6JajOdchwnIe1pTYqG1KPUzOZGK9pOkLZUn+u850cBwxBIFsSmkMwp
AP6hU4HgtJg83WlQfSpFW47xla38JSp5qcpaNpWpT52lL7V4kFyaMpYGwSosKanUrV6VqrsMZVe9
upCjIvWptEwqVa+a1aXWxaYE+elQeyrXugr1p3Ct6lHJqlenolWTs+SrYHkpVa6mFaq9XOth/SrW
tHrSqm1lqlYTYtbBftWyiN3iX+2S16HOdad0vStoRetZuOa1s7ScLFrD6tZbtva1SeWray0LWcX/
spawZ32sLt3q1Mb69berrK1howpb31IFis1MLkIX+kxlJjOg01zoQWUqT0NK9CZjrOdK19nG7h7y
nBdF6Rw7ysaUqnSl49WuO72ZzXJalKMnrS55S+rQbdKzn38hCWodst8EApNl/53RVv4ZFAJ7EL+F
Q3ARF8zgBjsYKyPpb1yFesQKW6Qnzf2JgW+yYZ/kIx8y+XCIQfzhEpMYxPYQsYlF/OD61ZTCEpHw
QGSskA8LxMb/sDGOB4JjHefDwv8TZnSjOdDmZli5DOUJi5d8YpuYeMQt7l9DgFra0X62yliWK0RW
XOIbm5ggO14xkOMHFOhCl7nLRTM0O+xhLqOY/8U1gTOco+zih+CVtKElapZhHBE3/zjHfwZzlwE9
ZhSalsJ5tquetbzlP4c50F6O9I4LrUBkTnjGVtZpUYmqZRofpMeB5jKhCS1qSofQ06ZO9fyEwma1
+PnVsF4xnWdN61rb+tYMPMQhuKLrrvQa14558aZvymeV6Joguj72QZJ9iIEwe9nNZoiy/8FsZSdb
INPGdrRVHRpGQ6Xa1I52trVNbmtv29nnDndBrm2QY7u72eMeN7ctY9eeBvXOmObIs8mt7nWLO93x
Tne/kS1wc4db3gOfN73xrOh8Y3kj++43wiPOb4K3u+AYRze8BZ5whctFyMmUrpoP2kysMFsmv//+
NU1SvmuUt7wmKq92smeicpffpNczp/nLgZ2YFxM736ctNkiebXB/8xvhHU96wKH9bnR7/DKdPbRn
9fxwfV+76FjfeELkzfVzT1zr00b60/ESdUSLFt9U1wi4tR32be9b5hc3OsHbDm22O33sc0lNza+y
d630neeGmYzY1c7xjgwe71MBvOIXz3iHtdowQ248/ZAZ+Zo8PieUX8rlK195ybPL51MWOn9FXxEZ
U3nqiO/gTjav3DOLHKBDbn1CZe/c2TPTmQDFvecdJuz9evvKqHf4zzfdcHunHbQz9mnqyVVmhCrU
zNDHCYGf+c8zZ/7xIc/w7j9v52IX/+yilzr/8Pf8c4UgP/nLV71OXA/7Nds+ye0ncpql+/z5vx73
sd/+u0LfX0vfW/wHEXRFJYBod2/HN2zKl37hAhaXRxQNiHn6B0ImgWrdR4EIQXoK+C0RuIFDkYEe
+IEg+EQcOIIkWIImeIJZEYIqeBEo2IIzsYIwOBEuOIM0WIM2GIExmIMPcYMlqIM+uBA8SII/OIRE
WIQKEYRImIS3ZoRGqIQ4yIRQGIVSOIVUWIVWeIVYmIXw44T6xxD88IVfKBBgGIZiOIb8MBBgiIZn
+A9hOIZsSIZk+IZpSBBz2IZm+IZlmIdyGIdlOId7aId0eId9GIhpaIZnKIh6qIUGwRNfKBON/9iI
9gCJkFgTYDgTj8gPloiJkSiJmjiJNlGJmxiKNMGJjoiJnkiJnZiKqDiKmoiKrXiKsKiKpciFOOGF
awiIeJiLgZiLbqiGfXiIwKgQboiLvsiLwYgQcHiLa1iMieiLyVgQfKiLz6iIi7gTZjiLoniNs8iJ
rYiNYxiKp+iKpjiOoLiJhpiJ4UiK5qiOpViOl4iOqQiKk8iOtEgTtpiHiBiNeJiMy6iHdgiIveiM
hdiPvxiQzFiQB6mLComPBLmPBBmH00iNBMGIqviO2AiPlfiNmbiNGfmK3QiOHfmJhviRoriR8/iR
nhiL2miSKOmRF1mPL7gQzziN0QiRwWiT/v9Ikw+pjMcIjcp4EDX5kwvJh0GZkMSYkxJpEYKIk4Yo
jcf4j09pk36Yk8AYkBGJiMwIlVr5hz25lVz5h7uYlAMBk5InlmZ5lmiZlmq5lnShk2q4jE2JkDgZ
ljN5h3XZi/rIlnlBkd7okS3Jiqv4ktlYkX8JkiJJlumijqSYki4ZmCXZlxwpkvQomIhpRLYYlw4Z
lgvJlQ05kjxJlHBplQ2pl6LhmQKpmfo4l4S4lKOpmglJmnjRE57ZjhpZkunYmKx4jo9Jm5QZjpVZ
Kux4khs5nMTpm8FZmBb5m+5ynMXZkiFJmYOJkePIkRrpm8rZGbCZndo5LtfZnd75neAZnuKCiRTb
mWrjeZ7oyTXlaWrp2WLr+Z7wSS3tOZ/0WZ/2KRnxaWH3uZ/8uR/5+Z8AOkT9aUMBKkQDeqAIChkF
uqAMupcJKkMNGqESOqEUWqEWeqEM8aAauqGEgaEhxKEr5KEcBKIkWqIm+oQimqIquqLcdqIu+qJX
waIJBKM0WqM2SkQBAQA7
------=_NextPart_000_0008_01C7128D.237F6A30--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS1UwZY000197; Mon, 27 Nov 2006 18:30:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAS1UwOA000194; Mon, 27 Nov 2006 18:30:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from anchor-post-35.mail.demon.net (anchor-post-35.mail.demon.net [194.217.242.85]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS1UuQo000142 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 18:30:57 -0700 (MST) (envelope-from lists@drh-consultancy.demon.co.uk)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10] helo=[192.168.7.2]) by anchor-post-35.mail.demon.net with esmtp (Exim 4.42) id 1GoroE-000Ki8-GA for ietf-pkix@imc.org; Tue, 28 Nov 2006 01:30:54 +0000
Message-ID: <456B9175.6080707@drh-consultancy.demon.co.uk>
Date: Tue, 28 Nov 2006 01:31:33 +0000
From: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov>
In-Reply-To: <456B5D37.8020307@nist.gov>
X-Enigmail-Version: 0.94.1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
David A. Cooper wrote:
>
> Other people believe that placing a certificate on hold also places use
> of the private key on hold and so any signatures generated during the
> time that the certificate was on hold are not legitimate. Thus, these
> people believe that when verifying a signature it is important to know
> whether the certificate was on hold at the time that the signature was
> generated, even if the certificate is later removed from hold. The
> information included in CRLs issued after the certificate is removed
> from hold do not include any information that would help to determine
> whether the certificate was on hold at some point in the past.
>
That's the case I'm uneasy about which I suspect is the case the two
examples I've seen are intended to cover.
It should be noted that this assumes that there is a way to reliably
determine when the signature was made.
This is not always possible and often one can only say it was made *on
or before* a certain time (for example the time in a trusted timestamp).
That doesn't help because the signature might be made during the hold
period and the timestamp added some time afterwards.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS1RVmE099446; Mon, 27 Nov 2006 18:27:31 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAS1RVEH099445; Mon, 27 Nov 2006 18:27:31 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from anchor-post-33.mail.demon.net (anchor-post-33.mail.demon.net [194.217.242.91]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS1RUHO099439 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 18:27:31 -0700 (MST) (envelope-from shenson@drh-consultancy.demon.co.uk)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10] helo=[192.168.7.2]) by anchor-post-33.mail.demon.net with esmtp (Exim 4.42) id 1Gorkv-0000nq-AX for ietf-pkix@imc.org; Tue, 28 Nov 2006 01:27:29 +0000
Message-ID: <456B90A7.1020306@drh-consultancy.demon.co.uk>
Date: Tue, 28 Nov 2006 01:28:07 +0000
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <456B5D37.8020307@nist.gov>
In-Reply-To: <456B5D37.8020307@nist.gov>
X-Enigmail-Version: 0.94.1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
David A. Cooper wrote:
>
> Other people believe that placing a certificate on hold also places use
> of the private key on hold and so any signatures generated during the
> time that the certificate was on hold are not legitimate. Thus, these
> people believe that when verifying a signature it is important to know
> whether the certificate was on hold at the time that the signature was
> generated, even if the certificate is later removed from hold. The
> information included in CRLs issued after the certificate is removed
> from hold do not include any information that would help to determine
> whether the certificate was on hold at some point in the past.
>
That's the case I'm uneasy about which I suspect is the case the two
examples I've seen are intended to cover.
It should be noted that this assumes that there is a way to reliably
determine when the signature was made.
This is not always possible and often one can only say it was made *on
or before* a certain time (for example the time in a trusted timestamp).
That doesn't help because the signature might be made during the hold
period and the timestamp added some time afterwards.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS0e0He095011; Mon, 27 Nov 2006 17:40:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAS0e0om095010; Mon, 27 Nov 2006 17:40:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS0dw5Q094973 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 17:39:59 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kAS0dnMq018132; Mon, 27 Nov 2006 17:39:50 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Dr Stephen Henson" <lists@drh-consultancy.demon.co.uk>, <ietf-pkix@imc.org>
Subject: RE: on-hold certificates in CRLs
Date: Mon, 27 Nov 2006 16:03:05 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMGEHLCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <456B462C.8010209@drh-consultancy.demon.co.uk>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I concur that it should be deprecated.
Mike
-----Original Message-----
From: Dr Stephen Henson
Sent: Monday, November 27, 2006 12:10 PM
. . .
Personally the use of "on hold" always makes me rather uneasy and I'd
have no objections about it being deprecated.
Steve
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS02pCp091265; Mon, 27 Nov 2006 17:02:52 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAS02pN7091264; Mon, 27 Nov 2006 17:02:51 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAS02okI091249 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 17:02:51 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 24200 invoked by uid 0); 28 Nov 2006 00:02:42 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 28 Nov 2006 00:02:42 -0000
Message-Id: <7.0.0.16.2.20061127184910.073db428@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Mon, 27 Nov 2006 18:51:14 -0500
To: ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: on-hold certificates in CRLs
In-Reply-To: <456B56CF.7020501@cs.dartmouth.edu>
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <7.0.0.16.2.20061127140855.07404318@vigilsec.com> <456B462C.8010209@drh-consultancy.demon.co.uk> <456B56CF.7020501@cs.dartmouth.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Massimiliano:
>>I have come across two real world examples of it being used in national
>>ID schemes. In both of these a certificate is automatically placed "on
>>hold" when the card is manufactured and then made valid when the
>>recipient has performed some procedure to acknowledge receipt. I suspect
>>that the two I saw are far from isolated examples.
>
>I do confirm that some big national CAs (at least in Italy) use the `on Hold'
>status when the card is first "initialized" (and the certificate issued)
>till the user receives the card.
If people are really using it, then we should not pull the rug out
from under them. I do not think this is a great mechanism for the
situation that is described, but there are far worse uses that have
been discussed.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARMXUSc081711; Mon, 27 Nov 2006 15:33:30 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARMXU7Z081710; Mon, 27 Nov 2006 15:33:30 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailrelay1.tugraz.at (mailrelay.tu-graz.ac.at [129.27.2.202]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARMXR4s081689 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 15:33:28 -0700 (MST) (envelope-from peter.lipp@iaik.tugraz.at)
Received: from thor.iaik.tugraz.at (mail1.iaik.tugraz.at [129.27.152.30]) by mailrelay1.tugraz.at (8.13.8/8.13.8) with ESMTP id kARMXFlx020725 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 23:33:15 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by thor.iaik.tugraz.at (Postfix) with ESMTP id 7B05B194009 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 23:33:15 +0100 (CET)
Received: from thor.iaik.tugraz.at ([127.0.0.1]) by localhost (thor [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 07093-03 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 23:33:15 +0100 (CET)
Received: from NOTEBOOKLIPP (unknown [129.27.152.246]) by thor.iaik.tugraz.at (Postfix) with ESMTP id 7BC87194008 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 23:33:13 +0100 (CET)
From: "Peter Lipp" <peter.lipp@iaik.tugraz.at>
To: <ietf-pkix@imc.org>
Subject: AW: on-hold certificates in CRLs
Date: Mon, 27 Nov 2006 23:32:58 +0100
Message-ID: <002201c71274$074b7340$4c981b81@iaik.tugraz.at>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AccSaXxSYpG5ddUzTTaWPzuUS81okQABBBSA
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
In-Reply-To: <456B462C.8010209@drh-consultancy.demon.co.uk>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at iaik.tugraz.at
X-Spam-Scanner: SpamAssassin 3.001007
X-Spam-Score-relay: -2.6
X-Scanned-By: MIMEDefang 2.58 on 129.27.10.18
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
> to say that the "on hold" status MUST NOT be used by CAs
> conforming to 3280bis.
YES PLEASE. Thanks. :-)
Peter Lipp
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARMWcFn081631; Mon, 27 Nov 2006 15:32:38 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARMWc4P081630; Mon, 27 Nov 2006 15:32:38 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARMWbPZ081615 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 15:32:37 -0700 (MST) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id kARMWQGp021218 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 17:32:27 -0500
Received: from [129.6.54.72] (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.13.7/8.13.7) with ESMTP id kARMVoQJ028465 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 17:31:50 -0500 (EST)
Message-ID: <456B679D.70306@nist.gov>
Date: Mon, 27 Nov 2006 17:33:01 -0500
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Thunderbird 1.5.0.7 (X11/20060921)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <7.0.0.16.2.20061127140855.07404318@vigilsec.com> <456B462C.8010209@drh-consultancy.demon.co.uk>
In-Reply-To: <456B462C.8010209@drh-consultancy.demon.co.uk>
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I know of another case where certificate suspension is used (or at
least the CPS allows for certificate suspension). In this case, if the
CA receives a request to revoke a certificate but the source of the
request cannot be authenticated, then the certificate is placed on
hold. If the CA is able to verify that the request came from an
authorized individual (e.g., the certificate subject), then the
certificate is revoked, otherwise it is removed from hold.<br>
<br>
Note that in this case, once a certificate is removed from hold, there
is no reason that a relying party would need to know that the
certificate was on hold at some point in the past. The certificate was
removed from hold since it was determined that there was never a
problem with the certificate in the first place. Once the certificate
has been removed from hold, there is no reason to consider any use of
private key during the time that the certificate was on hold to be
invalid, so there is no need for relying parties to know that the
certificate was on hold at some point in the past.<br>
<br>
While I don't think that the above use of certificate suspension is
unreasonable (if it is necessary to take action before verifying the
revocation request), I do agree that it is generally a good idea to try
to avoid using certificate suspension.<br>
<br>
Dave<br>
<br>
Dr Stephen Henson wrote:
<blockquote cite="mid456B462C.8010209@drh-consultancy.demon.co.uk"
type="cite">
<pre wrap="">Russ Housley wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I would like to take this opportunity to advocate the deprecation of "on
hold" altogether. No good can come from it, as been discussed so many
times on this list.
I can live with the current text, but I think it would be far better to
say that the "on hold" status MUST NOT be used by CAs conforming to
3280bis.
</pre>
</blockquote>
<pre wrap=""><!---->
I have come across two real world examples of it being used in national
ID schemes. In both of these a certificate is automatically placed "on
hold" when the card is manufactured and then made valid when the
recipient has performed some procedure to acknowledge receipt. I suspect
that the two I saw are far from isolated examples.
Personally the use of "on hold" always makes me rather uneasy and I'd
have no objections about it being deprecated.
Steve.</pre>
</blockquote>
<br>
</body>
</html>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARLmd1e078044; Mon, 27 Nov 2006 14:48:39 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARLmd8A078043; Mon, 27 Nov 2006 14:48:39 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARLmcs8078033 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 14:48:39 -0700 (MST) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id kARLmPYh025942; Mon, 27 Nov 2006 16:48:27 -0500
Received: from [129.6.54.72] (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.13.7/8.13.7) with ESMTP id kARLlQC6008534; Mon, 27 Nov 2006 16:47:26 -0500 (EST)
Message-ID: <456B5D37.8020307@nist.gov>
Date: Mon, 27 Nov 2006 16:48:39 -0500
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Thunderbird 1.5.0.7 (X11/20060921)
MIME-Version: 1.0
To: =?UTF-8?B?Q2FybG9zIEdvbnrDoWxlei1DYWRlbmFz?= <carlos@gonzalez.name>
CC: pkix <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com>
In-Reply-To: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
The contents of CRL are not affected by the information logged by the CA.
The important thing to note is that a CRL can have at most one entry for
any given certificate. So, the delta CRL issued at t5 would contain one
entry for S1, and that entry would specify a reason code of
removeFromCRL. The full CRL issued at t6 would not include an entry for S1.
In some sense, you are correct that you cannot tell from the contents of
the CRL issued at t6 whether the certificate had been on hold at some
point in the past. One of the main problems that we have with
certificate suspension at the moment is that there are two competing
interpretations of meaning behind certificate suspension. In my opinion
(and I believe that this was the meaning intended by the authors of
X.509), there is no reason that one would need to know whether a
certificate was on hold at some point in the past. In your example, the
certificate was removed from hold since it was determined that the
private key had not actually been compromised (if it had been, the
certificate would have remained revoked, but with the reason code
changed to keyCompromise). I would argue that this means that any
signatures created during the time that the certificate was on hold are
valid and that a relying party can safely accept those signatures once
the certificate is removed from hold. So, there would be no need for
the relying party to know that the certificate was on hold at the time
the signature was generated. If there really was reason to believe that
the private key had been misused at some time in the past, then the
certificate should have been permanently revoked.
Other people believe that placing a certificate on hold also places use
of the private key on hold and so any signatures generated during the
time that the certificate was on hold are not legitimate. Thus, these
people believe that when verifying a signature it is important to know
whether the certificate was on hold at the time that the signature was
generated, even if the certificate is later removed from hold. The
information included in CRLs issued after the certificate is removed
from hold do not include any information that would help to determine
whether the certificate was on hold at some point in the past.
Dave
Carlos González-Cadenas wrote:
> Hi,
>
> Suppose we have the following ordered temporal sequence
>
> t1 - a certificate with serial "S1" is issued by a CA
> t2 - the certificate is put on-hold by the CA (i.e. in order to
> investigate a possible compromise)
> t3 - a full CRL is issued by the CA
> t4 - the investigation carried by the CA ends up in no compromise, and
> the CA makes the certificate valid again
> t5 - a delta CRL is issued by the CA
> t6 - a full CRL is issued by the CA
>
> Does the CRL logs all the revocation-related events for the
> certificate with serial S1?.
>
> If we assume that all the events are logged, then the CRLs contents
> (for certificate with serial S1) should be:
>
> full CRL issued at t3: contains an entry for S1 at t3 with reason code
> on-hold
> delta CRL issued at t5: contains the previous full CRL entry plus an
> entry for S1 at t5 with reason code removeFromCRL
> full CRL issued at t6: contains both previous entries (so you know
> the on-hold period for the certificate) (maybe this is violating
> RFC3280 as removeFromCRL is only applicable for deltaCRLs??)
>
> If we assume that NOT all events are logged, CRLs issued >=T6 don't
> include revocation entries for certificate S1, that is
>
> full CRL issued at t3: contains an entry for S1 at t3 with reason code
> on-hold
> delta CRL issued at t5: contains the previous full CRL entry plus an
> entry for S1 at t5 with reason code removeFromCRL
> full CRL issued at t6: contains NO entry for S1
>
> Which is the normative (RFC3280) behaviour for that case?. Is there
> any change between RFC3280 and RFC3280bis about these issues?
>
> Note that if the second case is the normative behaviour IMHO there's
> no way (except storing the CRLs between t2 and the next CRL appeared
> after t4) for a relying party (verifying the certificate in or after
> t6) to know the certificate status between t2 and t4.
>
> Many thanks in advance,
>
> Carlos
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARLYKnP076884; Mon, 27 Nov 2006 14:34:20 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARLYKfK076883; Mon, 27 Nov 2006 14:34:20 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp106.biz.mail.re2.yahoo.com (smtp106.biz.mail.re2.yahoo.com [206.190.52.175]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kARLYI57076848 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 14:34:19 -0700 (MST) (envelope-from turners@ieca.com)
Received: (qmail 53727 invoked from network); 27 Nov 2006 21:34:13 -0000
Received: from unknown (HELO Wylie) (turners@ieca.com@70.17.79.115 with login) by smtp106.biz.mail.re2.yahoo.com with SMTP; 27 Nov 2006 21:34:13 -0000
X-YMail-OSG: 7iJE5jEVM1lEmsUv4XKAoKq6cItffhyaNTFf9I4cxcxlp98DFV2EimcGELiMa63nVWxqn0e8AMHVqc0kTeraMI5LXvnX.QvAUOwL.eHK5OrvYLNEK7kDcw--
Reply-To: <turners@ieca.com>
From: "Turner, Sean P." <turners@ieca.com>
To: "'Stephen Farrell'" <stephen.farrell@cs.tcd.ie>, "'Russ Housley'" <housley@vigilsec.com>
Cc: <ietf-pkix@imc.org>
Subject: RE: on-hold certificates in CRLs
Date: Mon, 27 Nov 2006 16:33:30 -0500
Organization: IECA, Inc.
Message-ID: <012c01c7126b$aebde670$0201a8c0@Wylie>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-Index: AccSaNfQEN/9uBUGQZiv6wZfGZm4UgAArTXA
In-Reply-To: <456B47D1.2050405@cs.tcd.ie>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kARLYJ57076877
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I agree - on hold shoud be made a MUST NOT.
spt
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On
Behalf Of Stephen Farrell
Sent: Monday, November 27, 2006 3:17 PM
To: Russ Housley
Cc: ietf-pkix@imc.org
Subject: Re: on-hold certificates in CRLs
Bit of a late change, but a good one,
S.
Russ Housley wrote:
>
> I would like to take this opportunity to advocate the deprecation of
> "on hold" altogether. No good can come from it, as been discussed so
> many times on this list.
>
> I can live with the current text, but I think it would be far better
> to say that the "on hold" status MUST NOT be used by CAs conforming to
> 3280bis.
>
> Russ
>
> At 10:53 AM 11/27/2006, Carlos González-Cadenas wrote:
>> Hi,
>>
>> Suppose we have the following ordered temporal sequence
>>
>> t1 - a certificate with serial "S1" is issued by a CA
>> t2 - the certificate is put on-hold by the CA (i.e. in order to
>> investigate a possible compromise)
>> t3 - a full CRL is issued by the CA
>> t4 - the investigation carried by the CA ends up in no compromise,
>> and the CA makes the certificate valid again
>> t5 - a delta CRL is issued by the CA
>> t6 - a full CRL is issued by the CA
>>
>> Does the CRL logs all the revocation-related events for the
>> certificate with serial S1?.
>>
>> If we assume that all the events are logged, then the CRLs contents
>> (for certificate with serial S1) should be:
>>
>> full CRL issued at t3: contains an entry for S1 at t3 with reason
>> code on-hold delta CRL issued at t5: contains the previous full CRL
>> entry plus an entry for S1 at t5 with reason code removeFromCRL full
>> CRL issued at t6: contains both previous entries (so you know the
>> on-hold period for the certificate) (maybe this is violating RFC3280
>> as removeFromCRL is only applicable for deltaCRLs??)
>>
>> If we assume that NOT all events are logged, CRLs issued >=T6 don't
>> include revocation entries for certificate S1, that is
>>
>> full CRL issued at t3: contains an entry for S1 at t3 with reason
>> code on-hold delta CRL issued at t5: contains the previous full CRL
>> entry plus an entry for S1 at t5 with reason code removeFromCRL full
>> CRL issued at t6: contains NO entry for S1
>>
>> Which is the normative (RFC3280) behaviour for that case?. Is there
>> any change between RFC3280 and RFC3280bis about these issues?
>>
>> Note that if the second case is the normative behaviour IMHO there's
>> no way (except storing the CRLs between t2 and the next CRL appeared
>> after t4) for a relying party (verifying the certificate in or after
>> t6) to know the certificate status between t2 and t4.
>>
>> Many thanks in advance,
>>
>> Carlos
>>
>
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARLM4Uh075148; Mon, 27 Nov 2006 14:22:04 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARLM4uR075147; Mon, 27 Nov 2006 14:22:04 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail.cs.dartmouth.edu (mail.cs.dartmouth.edu [129.170.212.100]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARLM38f075141 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 14:22:04 -0700 (MST) (envelope-from pala@cs.dartmouth.edu)
Received: from [130.192.1.59] ([130.192.1.59]) (authenticated bits=0) by mail.cs.dartmouth.edu (8.13.8/8.13.4) with ESMTP id kARLLwJb026856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 16:22:01 -0500
Message-ID: <456B56CF.7020501@cs.dartmouth.edu>
Date: Mon, 27 Nov 2006 22:21:19 +0100
From: Massimiliano Pala <pala@cs.dartmouth.edu>
Organization: Dartmouth College - Computer Science Department
User-Agent: Thunderbird 2.0a1 (X11/20060724)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <7.0.0.16.2.20061127140855.07404318@vigilsec.com> <456B462C.8010209@drh-consultancy.demon.co.uk>
In-Reply-To: <456B462C.8010209@drh-consultancy.demon.co.uk>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms000907060206070402020700"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a cryptographically signed message in MIME format.
--------------ms000907060206070402020700
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Dr Stephen Henson wrote:
[...]
> I have come across two real world examples of it being used in national
> ID schemes. In both of these a certificate is automatically placed "on
> hold" when the card is manufactured and then made valid when the
> recipient has performed some procedure to acknowledge receipt. I suspect
> that the two I saw are far from isolated examples.
I do confirm that some big national CAs (at least in Italy) use the `on Hold'
status when the card is first "initialized" (and the certificate issued)
till the user receives the card.
> Personally the use of "on hold" always makes me rather uneasy and I'd
> have no objections about it being deprecated.
One question, is there any proposal for the replacement of the `on hold'
status ? Some time ago (back in 2000, I guess) there was the proposal
of a separated CSL (Certificate Suspension List) which was rejected in
favor of the "on hold" extension in CRLs... anyway do you think it is
time to address the 'suspended' state once for all ?
We can also agree with the fact that the suspension, as it is now, it is
too difficult to handle and it is error prone, so a viable path would be
to clearly state that there is not a ``suspended'' state, therefore a
certificate is either valid or revoked.
And we stick with simply reissuing the certificates (as, I guess, it is
the most common practice today (?)).
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]
Dartmouth Computer Science Dept pala@cs.dartmouth.edu
PKI/Trust project.manager@openca.org
-----------------------------------------------------------------------o---
--------------ms000907060206070402020700
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII2jCC
BGkwggNRoAMCAQICAh3jMA0GCSqGSIb3DQEBBAUAMHcxEzARBgoJkiaJk/IsZAEZFgNlZHUx
GTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0
bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFydG1vdXRoIENlcnRBdXRoMTAeFw0wNjA0MDcx
NTE4MzNaFw0xMDA0MDgxNTE4MzNaMIGnMQswCQYDVQQGEwJVUzEaMBgGA1UEChMRRGFydG1v
dXRoIENvbGxlZ2UxJDAiBgNVBAsTG0NvbXB1dGVyIFNjaWVuY2UgRGVwYXJ0bWVudDEUMBIG
CgmSJomT8ixkAQETBHBhbGExGjAYBgNVBAMTEU1hc3NpbWlsaWFubyBQYWxhMSQwIgYJKoZI
hvcNAQkBFhVwYWxhQGNzLmRhcnRtb3V0aC5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBALHoVbyJOrdrYLdA9qV5FNo8dmX6eNKj0ZgiwCsovlhhYZeYbduMJ3G91dTHZiX31lwg
bhsTwl3gStQtgGBDzUn9oxJET9cO5ORfwNN9P0ZCuq1fLy38CpUEQNgjhzXYuD1PUFBDwvp8
fCvBGMXop7Rw6cCFTBnABN2R+XOpAKT9AgMBAAGjggFQMIIBTDAOBgNVHQ8BAf8EBAMCBeAw
EQYJYIZIAYb4QgEBBAQDAgWgMB8GA1UdIwQYMBaAFD/A1senTwB+7waZZ2y8lh5No3cSMIGi
BgNVHSAEgZowgZcwgZQGCisGAQQBQQIBAQEwgYUwPQYIKwYBBQUHAgIwMTAYFhFEYXJ0bW91
dGggQ29sbGVnZTADAgEBGhVEYXJ0bW91dGggQ29sbGVnZSBDUFMwRAYIKwYBBQUHAgEWOGh0
dHA6Ly93d3cuZGFydG1vdXRoLmVkdS9+cGtpbGFiL0RhcnRtb3V0aENQU180U2VwMDMucGRm
MCAGA1UdEQQZMBeBFXBhbGFAY3MuZGFydG1vdXRoLmVkdTA/BggrBgEFBQcBAQQzMDEwLwYI
KwYBBQUHMAGGI2h0dHA6Ly9jb2xsZWdlY2EuZGFydG1vdXRoLmVkdS9vY3NwMA0GCSqGSIb3
DQEBBAUAA4IBAQDOqoLRDppYBEFAtYdM5lvsbZ97q97SW7HCyNysOBtadfRH2QulfH8h+RZ6
AikMTt8yGl4JTJE5II89IPT5gRbSUadDT+Uyh1TAwNvJDxspcBS4Z4KsNw2wPwgHM1uM9xYG
nS+xMcDUHCvPjSgD52HSi27alulq7jrNJMjUIK8qLI21NnDvVDVMPUIdGOz5tvmJEYu44gTV
jYBJI7Q/qhZ1tdKudDh3oDW9wAhJMBct8nLn/xG15HsDtK9qHSR+O8/7/Sax7I06HbR7zsbl
AJUM1gy25I89P3HEWaYaoK+ZKIjipw73076vorcidktUobIfZO1/SBXPqEBeAYTQh4Y0MIIE
aTCCA1GgAwIBAgICHeMwDQYJKoZIhvcNAQEEBQAwdzETMBEGCgmSJomT8ixkARkWA2VkdTEZ
MBcGCgmSJomT8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRt
b3V0aCBDb2xsZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxMB4XDTA2MDQwNzE1
MTgzM1oXDTEwMDQwODE1MTgzM1owgacxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91
dGggQ29sbGVnZTEkMCIGA1UECxMbQ29tcHV0ZXIgU2NpZW5jZSBEZXBhcnRtZW50MRQwEgYK
CZImiZPyLGQBARMEcGFsYTEaMBgGA1UEAxMRTWFzc2ltaWxpYW5vIFBhbGExJDAiBgkqhkiG
9w0BCQEWFXBhbGFAY3MuZGFydG1vdXRoLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAsehVvIk6t2tgt0D2pXkU2jx2Zfp40qPRmCLAKyi+WGFhl5ht24wncb3V1MdmJffWXCBu
GxPCXeBK1C2AYEPNSf2jEkRP1w7k5F/A030/RkK6rV8vLfwKlQRA2COHNdi4PU9QUEPC+nx8
K8EYxeintHDpwIVMGcAE3ZH5c6kApP0CAwEAAaOCAVAwggFMMA4GA1UdDwEB/wQEAwIF4DAR
BglghkgBhvhCAQEEBAMCBaAwHwYDVR0jBBgwFoAUP8DWx6dPAH7vBplnbLyWHk2jdxIwgaIG
A1UdIASBmjCBlzCBlAYKKwYBBAFBAgEBATCBhTA9BggrBgEFBQcCAjAxMBgWEURhcnRtb3V0
aCBDb2xsZWdlMAMCAQEaFURhcnRtb3V0aCBDb2xsZWdlIENQUzBEBggrBgEFBQcCARY4aHR0
cDovL3d3dy5kYXJ0bW91dGguZWR1L35wa2lsYWIvRGFydG1vdXRoQ1BTXzRTZXAwMy5wZGYw
IAYDVR0RBBkwF4EVcGFsYUBjcy5kYXJ0bW91dGguZWR1MD8GCCsGAQUFBwEBBDMwMTAvBggr
BgEFBQcwAYYjaHR0cDovL2NvbGxlZ2VjYS5kYXJ0bW91dGguZWR1L29jc3AwDQYJKoZIhvcN
AQEEBQADggEBAM6qgtEOmlgEQUC1h0zmW+xtn3ur3tJbscLI3Kw4G1p19EfZC6V8fyH5FnoC
KQxO3zIaXglMkTkgjz0g9PmBFtJRp0NP5TKHVMDA28kPGylwFLhngqw3DbA/CAczW4z3Fgad
L7ExwNQcK8+NKAPnYdKLbtqW6WruOs0kyNQgryosjbU2cO9UNUw9Qh0Y7Pm2+YkRi7jiBNWN
gEkjtD+qFnW10q50OHegNb3ACEkwFy3ycuf/EbXkewO0r2odJH47z/v9JrHsjTodtHvOxuUA
lQzWDLbkjz0/ccRZphqgr5koiOKnDvfTvq+ityJ2S1Shsh9k7X9IFc+oQF4BhNCHhjQxggL4
MIIC9AIBATB9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0
bW91dGgxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEcMBoGA1UE
AxMTRGFydG1vdXRoIENlcnRBdXRoMQICHeMwCQYFKw4DAhoFAKCCAdEwGAYJKoZIhvcNAQkD
MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDYxMTI3MjEyMTE5WjAjBgkqhkiG9w0B
CQQxFgQUTzi6NBcypa6hLrn4iVbZA5pC7RMwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D
BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC
ASgwgYwGCSsGAQQBgjcQBDF/MH0wdzETMBEGCgmSJomT8ixkARkWA2VkdTEZMBcGCgmSJomT
8ixkARkWCWRhcnRtb3V0aDELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEURhcnRtb3V0aCBDb2xs
ZWdlMRwwGgYDVQQDExNEYXJ0bW91dGggQ2VydEF1dGgxAgId4zCBjgYLKoZIhvcNAQkQAgsx
f6B9MHcxEzARBgoJkiaJk/IsZAEZFgNlZHUxGTAXBgoJkiaJk/IsZAEZFglkYXJ0bW91dGgx
CzAJBgNVBAYTAlVTMRowGAYDVQQKExFEYXJ0bW91dGggQ29sbGVnZTEcMBoGA1UEAxMTRGFy
dG1vdXRoIENlcnRBdXRoMQICHeMwDQYJKoZIhvcNAQEBBQAEgYB6wrFvTB7WV4oplwNTmCvR
3/lg3a90uJabNC4koAHkUgsHEsmHa+MrUO+lDZOmkhtHUZmLiU+IWR4eOAW1PUuqu3zgu4s8
gYAid3TVgxs3MatPYBG8muraQvC9IbRqtYxNAObhaC4SmUc+uIkY4nZR0NDqJnPdIw8mvO7m
foSgIgAAAAAAAA==
--------------ms000907060206070402020700--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARLLals074973; Mon, 27 Nov 2006 14:21:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARLLakp074972; Mon, 27 Nov 2006 14:21:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARLLZuw074955 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 14:21:36 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Subject: RE: on-hold certificates in CRLs
Date: Mon, 27 Nov 2006 13:23:40 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C879059C93BC@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: on-hold certificates in CRLs
Thread-Index: AccSZ03EcEMyH0ytTKGYA/zYGQVoUwAAn6ug
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kARLLauw074967
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
I do not agree with the conclusion that on hold is overly complex. We should have a profile that does not require the use of "Hold Instruction". In that case, on hold and remove from hold is a nice feature.
As to determination of the certificate status, archiving all CRL (and deltas if deltas are produced) give the accurate picture of revocation status modulo CRL issuance frequency.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
Sent: Monday, November 27, 2006 2:12 PM
To: Carlos González-Cadenas; ietf-pkix@imc.org
Subject: Re: on-hold certificates in CRLs
I would like to take this opportunity to advocate the deprecation of
"on hold" altogether. No good can come from it, as been discussed so
many times on this list.
I can live with the current text, but I think it would be far better
to say that the "on hold" status MUST NOT be used by CAs conforming to 3280bis.
Russ
At 10:53 AM 11/27/2006, Carlos González-Cadenas wrote:
>Hi,
>
>Suppose we have the following ordered temporal sequence
>
>t1 - a certificate with serial "S1" is issued by a CA
>t2 - the certificate is put on-hold by the CA (i.e. in order to
>investigate a possible compromise)
>t3 - a full CRL is issued by the CA
>t4 - the investigation carried by the CA ends up in no compromise,
>and the CA makes the certificate valid again
>t5 - a delta CRL is issued by the CA
>t6 - a full CRL is issued by the CA
>
>Does the CRL logs all the revocation-related events for the
>certificate with serial S1?.
>
>If we assume that all the events are logged, then the CRLs contents
>(for certificate with serial S1) should be:
>
>full CRL issued at t3: contains an entry for S1 at t3 with reason code on-hold
>delta CRL issued at t5: contains the previous full CRL entry plus an
>entry for S1 at t5 with reason code removeFromCRL
>full CRL issued at t6: contains both previous entries (so you know
>the on-hold period for the certificate) (maybe this is violating
>RFC3280 as removeFromCRL is only applicable for deltaCRLs??)
>
>If we assume that NOT all events are logged, CRLs issued >=T6 don't
>include revocation entries for certificate S1, that is
>
>full CRL issued at t3: contains an entry for S1 at t3 with reason code on-hold
>delta CRL issued at t5: contains the previous full CRL entry plus an
>entry for S1 at t5 with reason code removeFromCRL
>full CRL issued at t6: contains NO entry for S1
>
>Which is the normative (RFC3280) behaviour for that case?. Is there
>any change between RFC3280 and RFC3280bis about these issues?
>
>Note that if the second case is the normative behaviour IMHO there's
>no way (except storing the CRLs between t2 and the next CRL appeared
>after t4) for a relying party (verifying the certificate in or after
>t6) to know the certificate status between t2 and t4.
>
>Many thanks in advance,
>
>Carlos
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARKGffR068081; Mon, 27 Nov 2006 13:16:41 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARKGfjH068080; Mon, 27 Nov 2006 13:16:41 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from relay.imagine.ie (dns1.dns.imagine.ie [87.232.1.40]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARKGb62068063 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 13:16:40 -0700 (MST) (envelope-from stephen.farrell@cs.tcd.ie)
Received: from mail1.int.imagine.ie (mail1 [87.232.1.152]) by relay.imagine.ie (Postfix) with ESMTP id C12E43208A; Mon, 27 Nov 2006 20:16:36 +0000 (GMT)
Received: from [127.0.0.1] (dsl-102-234.cust.imagine.ie [87.232.102.234]) by mail1.int.imagine.ie (8.13.4/8.13.4/Debian-3) with ESMTP id kARKGTMD007351 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 27 Nov 2006 20:16:31 GMT
Message-ID: <456B47D1.2050405@cs.tcd.ie>
Date: Mon, 27 Nov 2006 20:17:21 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>
CC: ietf-pkix@imc.org
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <7.0.0.16.2.20061127140855.07404318@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061127140855.07404318@vigilsec.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Bayes-Prob: 0.0001 (Score 0)
X-Spam-Score: 0.00 () [Hold at 8.00]
X-Canit-Stats-ID: 3330665 - 1232c87a8eaf
X-CanItPRO-Stream: outgoing
X-Scanned-By: CanIt (www . roaringpenguin . com) on 87.232.1.52
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Bit of a late change, but a good one,
S.
Russ Housley wrote:
>
> I would like to take this opportunity to advocate the deprecation of "on
> hold" altogether. No good can come from it, as been discussed so many
> times on this list.
>
> I can live with the current text, but I think it would be far better to
> say that the "on hold" status MUST NOT be used by CAs conforming to
> 3280bis.
>
> Russ
>
> At 10:53 AM 11/27/2006, Carlos González-Cadenas wrote:
>> Hi,
>>
>> Suppose we have the following ordered temporal sequence
>>
>> t1 - a certificate with serial "S1" is issued by a CA
>> t2 - the certificate is put on-hold by the CA (i.e. in order to
>> investigate a possible compromise)
>> t3 - a full CRL is issued by the CA
>> t4 - the investigation carried by the CA ends up in no compromise, and
>> the CA makes the certificate valid again
>> t5 - a delta CRL is issued by the CA
>> t6 - a full CRL is issued by the CA
>>
>> Does the CRL logs all the revocation-related events for the
>> certificate with serial S1?.
>>
>> If we assume that all the events are logged, then the CRLs contents
>> (for certificate with serial S1) should be:
>>
>> full CRL issued at t3: contains an entry for S1 at t3 with reason code
>> on-hold
>> delta CRL issued at t5: contains the previous full CRL entry plus an
>> entry for S1 at t5 with reason code removeFromCRL
>> full CRL issued at t6: contains both previous entries (so you know
>> the on-hold period for the certificate) (maybe this is violating
>> RFC3280 as removeFromCRL is only applicable for deltaCRLs??)
>>
>> If we assume that NOT all events are logged, CRLs issued >=T6 don't
>> include revocation entries for certificate S1, that is
>>
>> full CRL issued at t3: contains an entry for S1 at t3 with reason code
>> on-hold
>> delta CRL issued at t5: contains the previous full CRL entry plus an
>> entry for S1 at t5 with reason code removeFromCRL
>> full CRL issued at t6: contains NO entry for S1
>>
>> Which is the normative (RFC3280) behaviour for that case?. Is there
>> any change between RFC3280 and RFC3280bis about these issues?
>>
>> Note that if the second case is the normative behaviour IMHO there's
>> no way (except storing the CRLs between t2 and the next CRL appeared
>> after t4) for a relying party (verifying the certificate in or after
>> t6) to know the certificate status between t2 and t4.
>>
>> Many thanks in advance,
>>
>> Carlos
>>
>
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARK9a9b067396; Mon, 27 Nov 2006 13:09:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARK9aST067395; Mon, 27 Nov 2006 13:09:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from anchor-post-31.mail.demon.net (anchor-post-31.mail.demon.net [194.217.242.89]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARK9YGB067385 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 13:09:35 -0700 (MST) (envelope-from lists@drh-consultancy.demon.co.uk)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10] helo=[192.168.7.2]) by anchor-post-31.mail.demon.net with esmtp (Exim 4.42) id 1GomnD-000M44-4p for ietf-pkix@imc.org; Mon, 27 Nov 2006 20:09:31 +0000
Message-ID: <456B462C.8010209@drh-consultancy.demon.co.uk>
Date: Mon, 27 Nov 2006 20:10:20 +0000
From: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com> <7.0.0.16.2.20061127140855.07404318@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061127140855.07404318@vigilsec.com>
X-Enigmail-Version: 0.94.1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ Housley wrote:
>
> I would like to take this opportunity to advocate the deprecation of "on
> hold" altogether. No good can come from it, as been discussed so many
> times on this list.
>
> I can live with the current text, but I think it would be far better to
> say that the "on hold" status MUST NOT be used by CAs conforming to
> 3280bis.
>
I have come across two real world examples of it being used in national
ID schemes. In both of these a certificate is automatically placed "on
hold" when the card is manufactured and then made valid when the
recipient has performed some procedure to acknowledge receipt. I suspect
that the two I saw are far from isolated examples.
Personally the use of "on hold" always makes me rather uneasy and I'd
have no objections about it being deprecated.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARJBflu059048; Mon, 27 Nov 2006 12:11:41 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARJBfkI059047; Mon, 27 Nov 2006 12:11:41 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kARJBaF9059039 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 12:11:39 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 27500 invoked by uid 0); 27 Nov 2006 19:11:31 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 27 Nov 2006 19:11:31 -0000
Message-Id: <7.0.0.16.2.20061127140855.07404318@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Mon, 27 Nov 2006 14:11:32 -0500
To: "Carlos González-Cadenas" <carlos@gonzalez.name>, ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: on-hold certificates in CRLs
In-Reply-To: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com >
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I would like to take this opportunity to advocate the deprecation of
"on hold" altogether. No good can come from it, as been discussed so
many times on this list.
I can live with the current text, but I think it would be far better
to say that the "on hold" status MUST NOT be used by CAs conforming to 3280bis.
Russ
At 10:53 AM 11/27/2006, Carlos González-Cadenas wrote:
>Hi,
>
>Suppose we have the following ordered temporal sequence
>
>t1 - a certificate with serial "S1" is issued by a CA
>t2 - the certificate is put on-hold by the CA (i.e. in order to
>investigate a possible compromise)
>t3 - a full CRL is issued by the CA
>t4 - the investigation carried by the CA ends up in no compromise,
>and the CA makes the certificate valid again
>t5 - a delta CRL is issued by the CA
>t6 - a full CRL is issued by the CA
>
>Does the CRL logs all the revocation-related events for the
>certificate with serial S1?.
>
>If we assume that all the events are logged, then the CRLs contents
>(for certificate with serial S1) should be:
>
>full CRL issued at t3: contains an entry for S1 at t3 with reason code on-hold
>delta CRL issued at t5: contains the previous full CRL entry plus an
>entry for S1 at t5 with reason code removeFromCRL
>full CRL issued at t6: contains both previous entries (so you know
>the on-hold period for the certificate) (maybe this is violating
>RFC3280 as removeFromCRL is only applicable for deltaCRLs??)
>
>If we assume that NOT all events are logged, CRLs issued >=T6 don't
>include revocation entries for certificate S1, that is
>
>full CRL issued at t3: contains an entry for S1 at t3 with reason code on-hold
>delta CRL issued at t5: contains the previous full CRL entry plus an
>entry for S1 at t5 with reason code removeFromCRL
>full CRL issued at t6: contains NO entry for S1
>
>Which is the normative (RFC3280) behaviour for that case?. Is there
>any change between RFC3280 and RFC3280bis about these issues?
>
>Note that if the second case is the normative behaviour IMHO there's
>no way (except storing the CRLs between t2 and the next CRL appeared
>after t4) for a relying party (verifying the certificate in or after
>t6) to know the certificate status between t2 and t4.
>
>Many thanks in advance,
>
>Carlos
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARFrAbV035803; Mon, 27 Nov 2006 08:53:10 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARFrAUf035802; Mon, 27 Nov 2006 08:53:10 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.187]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARFr8qI035794 for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 08:53:09 -0700 (MST) (envelope-from carlosgonzalezcadenas@gmail.com)
Received: by nf-out-0910.google.com with SMTP id m18so1966867nfc for <ietf-pkix@imc.org>; Mon, 27 Nov 2006 07:53:07 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:mime-version:content-type:x-google-sender-auth; b=ASD+OfwT4etTnA6ASvebHfJtialtSqKYYrcS7cySTLfXV+kcjXHaGtg3JAgvCcjCdLmw7GyZwj66Is2qlXSfzyD5IPph5FYhCC69gfYniRv9NjxpLiggexsYOt9mAdFIVuTnZiyZHeXStyehYGnVmlGNJpXtWtonEcEz7Ve2hy8=
Received: by 10.48.202.14 with SMTP id z14mr2986876nff.1164642787579; Mon, 27 Nov 2006 07:53:07 -0800 (PST)
Received: by 10.48.223.9 with HTTP; Mon, 27 Nov 2006 07:53:07 -0800 (PST)
Message-ID: <a7d7da420611270753s70be3596qebe24ea9f3aff6b@mail.gmail.com>
Date: Mon, 27 Nov 2006 16:53:07 +0100
From: "=?UTF-8?Q?Carlos_Gonz=C3=A1lez-Cadenas?=" <carlos@gonzalez.name>
To: ietf-pkix@imc.org
Subject: on-hold certificates in CRLs
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_80519_6154254.1164642787295"
X-Google-Sender-Auth: 235dbe382a157c89
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
------=_Part_80519_6154254.1164642787295
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Hi,
Suppose we have the following ordered temporal sequence
t1 - a certificate with serial "S1" is issued by a CA
t2 - the certificate is put on-hold by the CA (i.e. in order to investigate
a possible compromise)
t3 - a full CRL is issued by the CA
t4 - the investigation carried by the CA ends up in no compromise, and the
CA makes the certificate valid again
t5 - a delta CRL is issued by the CA
t6 - a full CRL is issued by the CA
Does the CRL logs all the revocation-related events for the certificate with
serial S1?.
If we assume that all the events are logged, then the CRLs contents (for
certificate with serial S1) should be:
full CRL issued at t3: contains an entry for S1 at t3 with reason code
on-hold
delta CRL issued at t5: contains the previous full CRL entry plus an entry
for S1 at t5 with reason code removeFromCRL
full CRL issued at t6: contains both previous entries (so you know the
on-hold period for the certificate) (maybe this is violating RFC3280 as
removeFromCRL is only applicable for deltaCRLs??)
If we assume that NOT all events are logged, CRLs issued >=T6 don't include
revocation entries for certificate S1, that is
full CRL issued at t3: contains an entry for S1 at t3 with reason code
on-hold
delta CRL issued at t5: contains the previous full CRL entry plus an entry
for S1 at t5 with reason code removeFromCRL
full CRL issued at t6: contains NO entry for S1
Which is the normative (RFC3280) behaviour for that case?. Is there any
change between RFC3280 and RFC3280bis about these issues?
Note that if the second case is the normative behaviour IMHO there's no way
(except storing the CRLs between t2 and the next CRL appeared after t4) for
a relying party (verifying the certificate in or after t6) to know the
certificate status between t2 and t4.
Many thanks in advance,
Carlos
------=_Part_80519_6154254.1164642787295
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Hi,<br><br>Suppose we have the following ordered temporal sequence<br><br>t1 - a certificate with serial "S1" is issued by a CA<br>t2 - the certificate is put on-hold by the CA (i.e. in order to investigate a possible compromise)
<br>t3 - a full CRL is issued by the CA<br>t4 - the investigation carried by the CA ends up in no compromise, and the CA makes the certificate valid again<br>t5 - a delta CRL is issued by the CA<br>t6 - a full CRL is issued by the CA
<br><br>Does the CRL logs all the revocation-related events for the certificate with serial S1?. <br><br>If we assume that all the events are logged, then the CRLs contents (for certificate with serial S1) should be:<br><br>
full CRL issued at t3: contains an entry for S1 at t3 with reason code on-hold<br>delta CRL issued at t5: contains the previous full CRL entry plus an entry for S1 at t5 with reason code removeFromCRL<br>full CRL issued at t6: contains both previous entries (so you know the on-hold period for the certificate) (maybe this is violating RFC3280 as removeFromCRL is only applicable for deltaCRLs??)
<br><br>If we assume that NOT all events are logged, CRLs issued >=T6 don't include revocation entries for certificate S1, that is<br><br>full CRL issued at t3: contains an entry for S1 at t3 with reason code on-hold<br>
delta CRL issued at t5: contains the previous full CRL entry plus an entry for S1 at t5 with reason code removeFromCRL<br>
full CRL issued at t6: contains NO entry for S1<br><br>Which is the normative (RFC3280) behaviour for that case?. Is there any change between RFC3280 and RFC3280bis about these issues?<br><br>Note that if the second case is the normative behaviour IMHO there's no way (except storing the CRLs between t2 and the next CRL appeared after t4) for a relying party (verifying the certificate in or after t6) to know the certificate status between t2 and t4.
<br><br>Many thanks in advance,<br><br>Carlos<br><br><br>
------=_Part_80519_6154254.1164642787295--
Received: from p83.129.20.5.tisdip.tiscali.de (p83.129.30.22.tisdip.tiscali.de [83.129.30.22]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARFWOXd032551 for <ietf-pkix-archive@imc.org>; Mon, 27 Nov 2006 08:32:30 -0700 (MST) (envelope-from mention@showstudio.com)
Received: from [144.104.3.45] (port=1778 helo=jfkbeaaWqVoM) by HnyzDGRfpN with asmtp id gqzoJs-XvaesI-14 for ietf-pkix-archive@imc.org; Mon, 27 Nov 2006 16:32:44 +0100
Message-ID: <000b01c71239$39f4aa40$00000000@uwecba52adfad3>
From: "Recommend" <mention@showstudio.com>
To: ietf-pkix-archive@imc.org
Subject: sich anmelden um zu ist
Date: Mon, 27 Nov 2006 16:32:19 +0100
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Vorbei gre thomthom, kabbala quersumme, ziffern des. Gain fb made, half way chapter little, fun contents.
*WEXE* *WEXE* *WEXE*
WEXE GAINS ENORMOUS MOMENTUM!
UP 17% ON FRIDAY ALONE!
Company: WEST EXCELSIOR ENT (Other OTC:WEXE.PK)
Symbol: WEXE
Price: $0.70
5-day Target: $4
Rating: Strong Buy
West Excelsior Enterprises Inc. Completes Financing
and Meets its Option Agreement Commitments
GET ON THIS BULL RUN NOW!
WATCH WEXE ON MON NOV 27TH!
Disclaimer: Information within this email contains "forward looking statements"
within the meaning of Section 27a of the Securities act of 1933 and Section 21B
of the Securities exchange act of 1934. The Publisher of this report was
compensated by an unrelated third party twenty five thousand dollars for
distribution of this report.
Explains pull, cvs official talkback crash buildsif know. Our index indexed urls titles copy inc rights. Browser hinweise, admin coole scheie omal buxy berschrift.
Inside mouse edit field.
Bf log upwhy joinforgot password.
Finland france croatia hungary, ireland israel india italy.
Right maps keyword map, location. Numbers customer sitefind, local centernote manage!
Absatz ihrer darum bitten. Pictures ossweb ossmon maverix skin lmboxtargz libraries burn ipod. Made half, way chapter little fun contents. Applied his works full sitemap kit except. What you tell it to so here. Something similar links related searches under box at. Admin coole, scheie omal buxy berschrift le wurscht welches.
Was located facilitate, single able install! Tools form this title longer program.
Yourself unofficial configured linuxx sha rpms, ftp.
Document our index indexed urls titles copy inc.
Image text files three interfaces desktop.
Complete metadata fields integrity fill accurately, possible.
But small fee future light? Dieser, verkrzt nchsten, evening narwal, schaaaaade morgens? Video image text files three interfaces desktop peertopeer client. Seal seine flickrsong bush bingo kamel!
Kamel gegen, broklammer beolingus virtuelle dice making. Rtl mac abgeraucht, beiden. Press, briefing whats newlinks, scrolling.
Committee against torture cat concerning.
Received: from 201.160.132.32.cableonline.com.mx (201.160.132.32.cableonline.com.mx [201.160.132.32] (may be forged)) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAQM7047015516 for <ietf-pkix-archive@imc.org>; Sun, 26 Nov 2006 15:07:00 -0700 (MST) (envelope-from Franklin@vereon.com)
Received: from [110.165.100.49] (port=6762 helo=LSdieM) by with asmtp id yKZgTr-WVaibT-56 for ietf-pkix-archive@imc.org; Sun, 26 Nov 2006 14:07:12 -0800
Message-ID: <001201c711a7$2f3dd320$00000000@casaraaquveiy9>
From: "Course" <Franklin@vereon.com>
To: ietf-pkix-archive@imc.org
Subject: movies videos books downloads
Date: Sun, 26 Nov 2006 14:06:55 -0800
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000E_01C71164.211A9320"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
This is a multi-part message in MIME format.
------=_NextPart_000_000E_01C71164.211A9320
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000F_01C71164.211A9320"
------=_NextPart_001_000F_01C71164.211A9320
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Specific describe exactly youre looking will give larger. Delta =
heritage, museum item aircraft? Narrow searchfor example chairs instead, =
camera. States turn complete, campus service, solutions fourteen join. =
Offer single campuswide teaching system!
Service solutions fourteen join commerce. Pack licenses features, active =
recent additions districts, engagement, homeschool! Fashion excluding =
default returns, pages include. Own terms test drive extend.
Gift cards podcasts posters sales special, offers shipping holiday!
Kong inr india rupees. An, exact phrase put quotation marks around? =
Globe leading schools government agencies. Douglas ang geminiaces galft =
bf adolf galland garaf mkix!
Publisher video, games game category wish list account. Books downloads =
more except classical artist search album!
Composer performer conductor ensemble, labels catalog dvdvideo castcrew. =
Right maps, keyword, location. Here some tips better words specific =
describe exactly youre. Character when shortcut part. Berkeley =
electronic content blocktm eighteen, implement. Bourne identity fidelity =
million.
Msrp, gjdal boeing nda. Days only thursday nov monday cd robin thicke, =
cat. Shortcuts find flash set five keywords character! Php, sar saudi =
arabia riyals sgd singapore!
------=_NextPart_001_000F_01C71164.211A9320
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"" hspace=3D0=20
src=3D"cid:000d01c711a7$2f3dd320$00000000@casaraaquveiy9" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Specific describe exactly youre looking =
will give=20
larger. Delta heritage, museum item aircraft? Narrow searchfor example =
chairs=20
instead, camera. States turn complete, campus service, solutions =
fourteen join.=20
Offer single campuswide teaching system!</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Service solutions fourteen join =
commerce. Pack=20
licenses features, active recent additions districts, engagement, =
homeschool!=20
Fashion excluding default returns, pages include. Own terms test drive =
extend.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Gift cards podcasts posters sales =
special, offers=20
shipping holiday!</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Kong inr india rupees. An, exact phrase =
put=20
quotation marks around? Globe leading schools government agencies. =
Douglas ang=20
geminiaces galft bf adolf galland garaf mkix!</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Publisher video, games game category =
wish list=20
account. Books downloads more except classical artist search =
album!</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Composer performer conductor ensemble, =
labels=20
catalog dvdvideo castcrew. Right maps, keyword, location. Here some tips =
better=20
words specific describe exactly youre. Character when shortcut part. =
Berkeley=20
electronic content blocktm eighteen, implement. Bourne identity fidelity =
million.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Msrp, gjdal boeing nda. Days only =
thursday nov=20
monday cd robin thicke, cat. Shortcuts find flash set five keywords =
character!=20
Php, sar saudi arabia riyals sgd singapore!</FONT></DIV></BODY></HTML>
------=_NextPart_001_000F_01C71164.211A9320--
------=_NextPart_000_000E_01C71164.211A9320
Content-Type: image/gif;
name="Releases Media.gif"
Content-Transfer-Encoding: base64
Content-ID: <000d01c711a7$2f3dd320$00000000@casaraaquveiy9>
R0lGODlh2AGsAYfqAAUAAIsEAAB9AHaNCA0Of30AeAB9dM6zzcDitZe75UYrAF8tAIMlAJgbC70t
AOEnAA5GACpLDDE4A1pLA4Q0DJhNCLQyAOxLDARVASVbBUFSDWlhAIRsCZdpBMJfA9tbAACGAB6M
BDpyAF99Cn+JAKt3AcCDCOiAAACWABWdAEifAFGRAHuaAJyWBbKVDd2sAADIACnJADvJBGOxDH+/
BJPAAMa5C+zGAgDtAC3pAEzWAFnVCYbmBpvfALrrANXUAAEGRCkANTIAPG0GQYwFN54ARsIISeIA
Og0dQioSRDISQGweOnQaRJ4gRcMpMdMaQARCNRFEM0Y4Olk/Pn5FTZg2NLU/P902QgBhMyJiOTph
OlxpNXVWAKJtNMNuTdZVOwt7Ohp8TkOBSlqMOHKCNJmNPLRyROKNTACkQSSTNEOhQmWsNI6aTZWg
Ns2VQdiZTADJTirEQjvGNVHGOnXFTqLHMbu6SNi/NAzmShnVSDPWP2jrTnTVMqLqR8TkPNTjRQAA
gCkDe0YAjmsAfoUJgJsAecIAeOoMcgAnhxMojUQkf2kogoQoep8mcs4XidMXdgw4fxVFjUxGjlk7
iHZFiaZNgMtOe9o3gQBsfytTgENte1xZe3lafJZTcshmedNihAaJdCOBfT97gmR6goh1h552fbh1
eN6FcgCVeiSgcTapdW6VeXuVfaaSh7GUc9WdjgzLcRm2gEDNclG1cXm+f665e7S1edjAgg7Wjhbu
ijXdf1fnh43Zh6DRgsDUheHTgAQAwyIAs0AJxVYEtHoGs5IByM4KyNcAvgARvy0nwzkYu1MnuI0l
upsmv7wSxdsWyABJyBM2vUc8yW42ungysqI0vbEyueROtABWvi5jv05tul1juHFhuJFYwcNnydxU
uwCJuhWKuktzyGd1wXtxyZ50wr5+we6CsgCUyCGtvUquw1KVsomiwJaWssWWs+6lxgG5wy63x0K3
tV/EyozLvZzDxfn485GioYB6ePQGAAD/APfwAA0A+/gF/wD+/////yH5BAALywYALAAAAADYAawB
Bwj/AG8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKMmNSfQHFWpWLNq3cry6kCqXrmK
HUu2LEOwX8FetWq2rdu3W9emtRoWrt27eHvKpWuQb96/gAPD9HuLLV22hesKXsy4sUbEYb0SLuy4
suWd+fIBNZc5MdqFAgQEDS2RH7+gpi+rFtj5VuvO4GITjA1utuxbtHPTxn174G7eun+7zkf1tWbI
aENTJX2LdIvnBJ+3iA79lvTr0q1XH5hdO/buzUWH/xfIHGHqW+dTB1hPcH2A9uxvuZ/vXn78gfXt
08+P/nR/geetxlhmBBaomXDA2VYbcMEtKNyDDfZmoIFVfUVZaBhmKBp43lE3nXfffQjeiCFup6GG
Cpmm4oqn8acffO/pt1+M/NU4430ssihgZRMq6NtvEC54UJA/CokQZwYeZqFcJ3rIXXckfnhQlE9K
mVCTDeUII3752RjjQV5y+WVCWu54WWs+MuhgbwgatBuCbfZVWGaRedaXOeVVKRB2e27HoUHZcfjn
leJBFKCYAtGX6H0uGlSfi42S6V9e1ghU6S2XmtljkQLp1imbvSHkaZoKTeiXWomRh6KeIIro53YI
8f/pJGirMlTmojTOhyuiCim65UK3ulWpNcRiaiyxmVo2YYGfrslbs0U2qGCoao463LLEVZhqeCcy
B+V01UUZooewtiort92mmKOKu9rn7ou4zgjjffHuN9C67LaF7LDJDruacaxpBq1sBIcaIbVxHiyk
cVbR+VlyAljFXHmBgmuxlSWWO2jGUk4sXp4GpedfgI++xx6kN44J77z2Ajjyy8IiayxBxVoqIJrT
FpwbqQklTG1CaCKXVqog93mdubMqtHG5hJY2Kcsm+9pur/RODezTZSWL6aWZyry1mW56GhzPQ+5M
9kF1TVbVWoqRC913Scd6dNwn2duy1WDq+qtl/hr/VGzfWoNd7eCcKmQttA3xhdZhdSrNJ9ysJnSu
0SvZLfXKCF2OOWP+9luz1n0H5Ysvt5Auk9lqnu0jnD8nBBlldrYt96uCMu1k7VaipLeMY0a6Jcoq
O9b5QPxy/TVQpic/eumms4Q66oiXLSSRiS9umFqIMTQ3iAUNGjmVlXupsu9Thym83zSjP3NPoyc/
0PLur/R8mwpHH2SD/vhzi/4KfQZ7Q9vbntHG1SHKDRByI9nd7urlK/PxTnN44ZoEt+Y5SwXuJs17
X/tIl0GVzA9hB0tQmhTGP4LkD3aKy55DAvgnjhWQVS4kiQIblbKojS8+NQzMvoi3Qx4e64I44aBA
/zY4xA0uDysnzB//SjiQE65tW4KLokRk5rWC9MtmobMJEeE3ROYZsXRS0V8SkygQMZbQiVJMI0X+
ZjwKYnFfE8RgFwnSPPcJEYxh3J8Slbi/gqBRjYCESODgaMFj/YSLYLzjETV4x6aMUYx6jOQencjE
QFpSIYSk4vG6lsWa2NGLRSzIJ53CR4OcUY+T7OMlV5mQzv3NZjSr2U64uEgvflGIHTwKGiFpyj2W
kZXAbKUbJVi8Kh7Pk7TkYPu6qDwNMmWMJpTkLiNJzWCysocU5OQmgRiTLXoTj7Z83xx16UdIlrKJ
v/xlJa15SX790JDu/BwGldnIcIJTebmMCKO+dP8yy8HngcGrVx/zt54k6so9/CvoA/OmKBuJaZ8z
7B1E9/nPhTqKXuLjJ0b72VCK3uhdi8JclwKqFa/JspDx5EkzwRlKg9DTIhQNadVC+q6ZXpRLkFTo
CQvqD4Tqr6DsUeJMhxrTomrUaiPlEk1lKtGLSjRXShVpP50a1aWC1F3As6pY3FlIlLqSm90cJzPp
WEtlwjRXOIxa5hxKtXL+tD5CDcBbFQpUuZ6zIERN61WxelQZxWuvU1WqTfE60sAKtrBqJaxeq3pV
jqIVqlnLZhwzOUtxLvOI8ZtjPSeSVr0OdoYLqZpBffrW/emqp4ldJ2P/ylfCgrSzjwVsYpnKEL3/
HfSGfvVrXiFr1Y3m1rYk3QocJwg4sCYkASkxKx4vq9myXsSxNb1bY6Wr1Z3yNq2oje4CH1qy1lbN
sR7t7ndnq13fQdewtL0tQL3bVMZOVb17JctJjxnHhyQAuSfB7FiNmMH+spSziNXqQ1d709/alaKo
natcq0nUAsP3sNPVLXlbS+D4nnfC7xVv8GBb0d6qFb6D5UoPZTk8iNx3JZfFJSOLyFyMAHexTu1r
QjZKUEXVeFEKfmR2XcvjB9P2tZBFL4UFbOEgYzixnt1wbN3b1MWG+C2hM2ZD7otfFNOReSwmolif
G+D42ucX0a2tRhNcRifb9UW+5XGHk0pTo7b5/7p9hXGR37xUM/94zWmOqp3DHMFO2pfKLlnpcjG7
zP+eFc8d/YWifwHez3YUlXWta0Jhq1DFPjijTJ6zQOcFtbwVmHcEbvRsURbjUPM2ilQ+cUv6i8h6
1hEmi150RczZxFSa0IyoRCc7d32RVFd51YMOpVkVmU+UxDrWEymlL1Wp7DL+Ude8jvafUx1WZtZx
2IJuybGPLZElppOM3x6oOVUr7XIbxNeqlgkunSvKYqdk29vuNh//OG5vM/vZ5s63QND967Dyt5Gv
jgm84Q0RXJsR3Kpkdjr1zfBb8LvfM9kslg39koEPvCE6DrdbM95wcz8c4sjUMiJnYnGLM+Sc8/9O
OCqZSO6OB/PjIA9iImvJEZx1ZlMGUXRmFr0snqMJZ87eH4UClg8ltmaJy7oWgQbCLJwzXWABIwjQ
ny51qFd96USnetKH43KSwDwwNtfMz63+9J3D2+w7TzvZCzL2rAeMl1xnO9TbHve6R73qdz9I2A1C
d6xzfep273pHYB5zuOyd7gXReT7OvnjF/0LtYDZlZnB9cwLlb/LpnDriAUZ1olud83z3O9BHL3as
V17vaxc8RghfeMN/vvSdT/zjG39ss89+9raPfNUpX3rj/FHzcw9+3uvOrKun3vOxH/7fTQ/70Kue
I6wf0OuVDvhbOL72tFc8gXAv66fzcvKnBz7/hZwO+riXP/B4Nz/ZSb/85Q+9+s+PCOtbb5fDH58g
14917vW//dzfnX+n5w/Fl354x352x3kGiHp3l4BRZxyn53zxVxHzxyPTB38DkX8YyH+3t3+zZ0Lg
JzADmHwLOH0HCIJDJ4LGd37s54DNF4EaMX/0lxcIeH8XeHsayHgbmH0+13ljt3bAF3ugV357p4Ba
54PCR3wPKHcuKH8TqBoDaIGeh3Y66HM+N4VVuHk/qIRFWHlPSILKl3xcKHpdWHbUd35LeFwwGG0l
t4ZsGG9nuEowmG671oZ0SIdvGEhxGIOWVId8yIZ3iGp5aG59OIhr+IerkYdyqIaEuIgXZ4iN/4GI
iaiIjDiJ3OaIgQGJeshKlLiJlWiJdoGJmaiJnDiKisZO9VAPUgSKoSiKpEiKl4SKpygQsWgmquhy
rXiLuqdGsTiLqHiItWiLuHiLgHSKsyggqhiJ+haMwRhFsCiLt0CMlnGMyJiMyriMYFOMu9iLjCGN
q8hO1fiNAgKNsNiM28iN8feN6Lgj2PiMgsGN09hw6BiPl6GNvViMf+GO3chr8biPlkGPi4GPq1SK
F7GPBNmP5JgX+JiPjtGJYJaLDUGQEOmJNJGQCrkYkdd9DYlsDwGRHCmRMEGReyhrGWl9pSiQD8mR
HemRKkGRFckYIkmSAlGSJGmSCYGSNqmSJv/Bki15FD/wA7fQkxwhkCZZkhcZkw55EDaZlDhpEdfQ
lLdwDQehk2bhkz9JlUEJk0WZiyJ5lLKXlDe5lBHRlE4plgOhkzvJkz0JlB7RkDFpfTWoe91Xk145
l2DZEFDplE/5lNdglmdJFFbpk4CplgO5lW1ZmG7JlUg5l4pZlwtxl3m5lwkAmZDpjlOpllSZllZJ
EcgmlIUJl3CpEIoZmoj5F3GpE1A5EHjZlPe1l5MpjVMpEJcJm4GpEVkplIQ5mm8pmnQJGDJpmDdx
l8Cpl5HZmgBZFoL5k7BpEJkpEXE5lJ4Jkwuhm7pJmlrJE3j5lKuZaqwZma5ZmVVZlZgJnhX/8ZK5
aZRsyZagKZ3TmRdE6ZszcZp56XCqyZ2tSZyI6BaXmZlpORDHCRHtSZ5EaZtuiRDqqZ5wMZTW+Zhi
yZpiyZ2raZ9piJ/LqZ/hiREBmpWGSZM5V6AG6halWZo1sZ2+xqAP+otv8ZdAeZzLGRG9eYGHCZ0C
SqAcWqBmEW8g+p4POpkiqpokep93IZgp2p8WgaADqpEDGp0zyqEe6qI4MZwLqqM8GqU++qOxWaGD
2ZnO2Z5MKqNJOqNloaE1UaLZqZ0O6qQQ+nG4aZzICZiyuaITcZHomZEfiqRdmqRcMZI3QabzyaD1
qaNxeKN4EZhu+qZM2qJHCqj4V6d1uhV4/zqRI0qfDiqlDQqDbmgXbPqdV+mQcoqV6Jmeirqo+fZx
JCqZVOan80dwgMGmg/qmL9mpGOkQnxqrSqENDUGrLjF/pDqmkGhyBmGrIVmDBAEAwiqsWyqXBaoN
sYasi4as2tCszqpoztqs0Bqt0pqs1PoLyrqsy/qs2Eqtt+CrA+Gt39qs4eqs5Wquveqt5Bqu4yqu
vXqu4Gqr4EoR0Qqv6Nqu2sBv+Upl+9qU2nAN1Pqv/5pq+Rqw97Wt3BqvAjGvaRSnukes1kesaWqe
6pmt2JqsF3tsFpux0DpwG9uxIMuxF/ux81qyC8uuKKuwBcGw63qyKIsQvqqy3+qyFSGzNP9Lswmw
rwS7s9xZsKXas/x6XzpLZRirrch6swzbsO0prM15C8MKsU77tL8wrIr2tExbtVI7tVaLtVzbtWuY
rcxqtNv2sUU7th7LsWRLsrmYtDPbtgRBqzZ7sycbs2+rEPL6rurasvU6sy0rt277t7aqr0IbtP0q
sCO6lz47uKmmsRirrCYrigNxtd0HtRA7rFELAFqrtZibucfGtFSbuVcruZJbcmCLtiIbsvBGtqcr
tqirrYwrkGx7tysLuO86u3T7srX7ty4rr3SrsH2Lu0j7th+3rzqbuDmbsw06mcY7tGYrtknLtoDE
tQZBuQAgEJW7uZ67uZwba9m7aKH7uYP/6LgZ67jX2q3c6rpjW76om7bXurH4erss+74HEbBtK7t+
+7LxW79167swm7uAO3/Ee7wCbLBBy6/qO60Jq6z+mxP7cBRQG6zVa70RfL1cK7rYu7UWjLWjy4dh
27Hi+7Vl+7pmW7rNG8KlKbvxa7+zu8J8W7f967covL/q+sIu7LKKS3jLO8APl8MJcLaMq8A1rBMN
bBQPHLkRHLUSLMEVrL3du8Tee8EbXIcdPLKtm7omjL4/jMVavLrIFsO2C7wwzK5xW8P5q8Jwu8Bg
HK88i8MCfLwBLLjF28M+XLRAfL81sQ9DTMRHTKzUm8RR68SATLUZ7LWETLqm+8EmbLGq/5u26KvI
q7uxkEyzKjvG+buwY4y7MmvGtAu9NtvGN9zGcRzKn1zAA2zFj+y6YGwTeJwUVmvEluvH36u54Gu1
mDvI21vIhly2AYvA1brFvCytkIyw5But5lut5Xuve6u7JTvD5RrE/pvMljzJ6Aq9+DoP1uxwniy0
zrrG2Vy81NrNOXvMVezIdnzHefylnau9jBjFsZqSMUHNIjEPtzAPCUDPfMl6rgjPMYHH50wW28bO
fAjQbRiwBF3QBn3QCJ3QCr3QDN3QDv3QEB3REj3RFP275tzPY/HP6kyIAt3OKPnOISHP8zzS1nxf
9kzP9nzPvtaKdYwT/IzRYuHRMs2IUP8hz9dc0vVc0ildzyq9uMooxPzsoTM91INY0/vmayht0knd
0+DIwEHdFkQd1X2YETQ3EPRw1fRwC1md1SBx00ltzSgN1ifN1Ol4Ey8N03fKvRtdch0t1dLpEHb0
Sc3D1QSx1QJx1R0h1ibN0zid0jttlgWpyi+NFLTsn2pdh21NiB/wAYu22I3N2Isd2Y7t2I/9C5Id
2TO9EK12S3iN1XVt11tN1xfh1zmd02BNZXoN2O4sE2e9ykXxwEXsqbhscYk9iJRt2YytaJOd28dG
2b7N21KdEPAzbFlGD77Q2Vwd2nadEX2t12G916mG0wn5lTPR2mjtE7GNxNrdyp9Ly0//PMtMvNaK
nduSrduQDdyxVt7m7dYaqVzMdW13ndXHjddabdX1Td8SaNo8rdSpfdpLjY9eSRPWrccHcb0SXL2C
XMuxPMi2PIm//du4PXDqHeHsvWgBx2JYNt+hPXH1Hd93rdWibWKlPeKm/d86Ld3uuJj7POB6/LSu
vMcTfMHb28ScW9u2fd67bd6Xnd7Afdm3PdS+8AtBDkqL9N5kNTpYTddJDtrTxtdiPdb7XdpQnuKh
ueKtzRTX28d/DLrhPeMyjovqHebo/di3/ePsHeQWfm3tk9x3jeTGXRCebd8hrhDoNuV+/dwnrdNU
LpowYd3XPRRZDuNKzOVP7OWzvYli/w7h8DbhZh7V7SPkaS5szGPchXbcWk06yA3ico7fUflwX63U
SP3pfw2KHdoSfv7nPAHbgm7Eg07jrv7lt+zgmI3bit7b5H3rFT46Qs5fAonp8MPVytTZdf3hmm7f
nQ5zY53n+q2TSmrqfu7Arczq0r7gW6vBtmzjbfjjZe7jFL7ePj7mjo7m4i7flF465e7rc03f+L3c
BcF6T+7fI37iKE7qXroSp47qBG6sFb7vJYfmiqbrAA/ppajhhIbkk97hya3knI7N8/fcfP3w0T3q
iAiqKXHvUJHdicrvGg9vj35sRrTr/47kBu/mxq3wcM7pWZ2Hep7aTk7aqvipKmHxT/+B8bm58Ta/
6+Iu8AB/3EG+5pZu7ka04ca+7leNiU/+8F8t8RMP8yhx7/geFTcf9SD/77G2QWle8gP/6/Nt1aCt
8KrY19Ad8adN77J6Ek7/9E8h9Tb/6P7e8xa+61ft8/Qg5In05uDE5vR9X/SQAHuPiHre8qgtjZld
EmeP9k6h9msP6f8G6ZR+1ThP6b9A6W5eOu5AD+7gDgjvcH1f9F8P3Scu+ENN+Gdfo10q3ohvcW0f
8m8v5JDv9m2/TPJNOph/1Ziv1XzP931/jPIe1kpPqVFNEoX/2tFe4Edc8wW60Vmr1lmb/OGe+ryu
61Q/93CP1aPjDtVv+Rt++Xq//bn///VT/vLBLRKFb/g2oeWwmqQYzL1sPbXqf+Y4//4A3/qqD/mX
b/2X7wuVX//av/dFz/k9DRAJBA4kWFDgL4QJFS5k2NDhQ4gRF96iWNHiRYwZL9Lb15Ejx44hO2ok
WdLkSZQYAQCouPLWSpgUXb6ECQBhTZsJV0rk2fPmr5w/dT7MGRSoT6RJlSb0hbDpU6dNEdLzRc/q
U19VqdJz95Tqr6q33Al0V9YsvQRorRpk29btW7hL5c7lmdJuRasgQYoMedfv378zadJk2ZKl4JtB
dyamu9SmUchEhU5uXFluVrAKs27+RbUq1M1Wzbqb2nVsgrF5uZYVuBbua9ixLc+u/wyYJL1be/nq
Hmnb9++LOAsLlnm48C3GyWkrXUzZqELF0JdPlwhaKmbMmTdXBYu9KWlfpLmqdY36dNq0aGOvZ3+Q
+nukgJ05q+gMN+7cHvep1t8b+H/biCsuOOMqSgwn+JCCyTmHohsqQQgXgiqz7rADayvPuKowPKrK
Ugs189wRTT312jPxrQhTdMiv+W6Zbz56YMzto72s2k8kAHMM7DjDCByMIuVU5Kmoox5cKDIjhYTv
Ou2iosfJvCr8pauquvqQNRFT87C8E7ssSEkwEbKLPopedHFGZ/bLSyTe9tHxzZQE/LFHxIBS7M4w
hXpMuiIZTDLPyqyTqrsmE3qys/+vsPIFtfBOO4u11tLzctKBAAWzpBZdJFNTGOlbky811eQITlJL
klPAmRC0c0GdnktR1VUd7LPV5iydbcKovOssKu2y4iqBrNIT0SARV+OS0hNtvTSjTMs801P6PL3x
IzZDGrVUbN9UNiJXt1WWM0UHJfTJq7Iy67PNxjJroBHVOw/ZZL1VkaQWozUTP/tinK9aG6vN9t//
5G1QYIIHVTRXQ5vCkMpgPWxNXRBHGxZeEwme9yIy7bU3N0733S/fTz0CCWCSbbP45JPF3ZDQJqVa
bTsOs1wtS/NQO5Zi2FBOEaNme7Yq2pA8vlFU3Uo2+i6dk5Y3O1ydmqqptLa7Kq//0cgq9uoScZZN
aQgt2jhjTX8We58X7Ru63xuPVvskrtsG1DpeNasK2HQXXbRYd7PEcjWt13MbInl+kSfwpeqrL9oz
Z4zRxsX1CjXktSPX6G/K88RK7kWjVq9KvGke7de03u0bxcobIlxw1OMzE3HEz9Q3zY7S5Eh2ahl3
U3LJZyqd293pulwzYNlFK7xGjSURrbNAF310g6i75pfnn39v8MFRD7z603vS1NnDo7XKxdnJjt1x
f3EHTjgeNdKdOfThqxWibmft/aHtNrSbbmCRD/HRiEVDj/m4TOca0VuI9CxDvewJjnoISWBEEle2
1dlHghAkW+1E1Rfz/UZOJlmf/1zeR50PNgRWdppfTzYzkPu1ZivmMVZ6VBO6gSwPgJV6jwEHeMPZ
VI+BDMSeApNSL2eZiSKv69fPQKabkWXQNxtUCU6Kw6rFhDBIsSpKTQ4ERStScYpHcdWeStgTgwSL
LcWK2KOoNkPSxU1lSiHgAKGHEDfSBXvZux4CU8cTIXYsiGmSHQVtFyoMKhEwwlHfcTpIwijGj4QN
ekxzHNnIVgXpg158kCK/mBD2rEVmWqLZ/tDYPKcVKjs+ISAc3yi9OFamhzwkXAMj4gwxZWp1Zapg
BctGPmr5R5AaNE5MBHPIREpxi5Gs1SMXuUhhQgdJ8rukQih1Gk2qy1Gf/BLLCP/VtJ4Y8I3Qw2Ep
l1JHcLZSgTp0ZUNg+QuNlWlTt4RR7C7Im13+Z4O/HI6qssjIIyGomHhq3zG5FUxWNdOZyHKUNGVI
Tc1QiGWc4ckNo6dNU3oTKQk8XR13eL07SgSIQaSlmjyWL5ENDUfxXGL6BjQgY8YKfpDhJ0uJ2a1k
8uk5luwdAA9KzQTkqn4WWuNDbJhKHG5TLgtUSA8pWk5zJmSdQBQa2fioH7TxhaR3oWdGUuWSYEZy
pco8kD+zmtJ9Dkx+NK0cTs1KkIT26mChhIgbbXhKU8Y1KeSsKCvnqBRYCjFT4osdHz0WVVBNlao1
IQkhCRPQmL5POP6kYhUDuqr/LY6QMiU8a2WBJDe2Xqd+EXErHB+KSon6pJzitONSXoTOZ2mKr7B7
EahcezvBAowoZK1MTH1C2/lV9qwXWauEmNbThsQxlXAd7kTHSU7rXVSHSIGgmdzJ2qa+NpCxzRY+
X4VbiWC3rLo1K0Z8cQuDOe13CnWIQ7n51gNab5XK9eFymYta+jw3aNJ9LXVlK0LtJkWyAqUNd3er
EZhRiEls9WlQi1tcpSA3ueotKlKTipB6PZUvsKOvVO1bXf5mGJP+xSlKAswr4DKkm+f1bFCHmtw5
thKBDobIOVHbMQlXOLAXxpaGM8zh7pLku7xlKFOymRBUcvO8EDVuijGq3vWa//YXLhIJhWU8YxqT
ysbNxHGOS7JjLIM3s6Qk7jaJ/E2M1jUhYq5M0Jz8ZAtHGU5TpmyVO2yS726GItvRsjUbWuLQyrG9
GRUnbdCMZjVb1YkcNGR+JXICRCc6IYhWUaIZ3TY3v/kucQYvlsnb0Id6+cvfHDMPUcxipPz5yYFu
Yo9MdRzqPBohj1Y1hFh9AqVFWtIezgp4bY3lUSZl07QxaoRELWNS++ikh62nLxt5z8UOs9WLdnSz
V+3oZ0M72opeyKufzexfWFtIsp61XSi940qDW2elTbJlfj3qYA97nvU0DGQRiSdlw7ohr5Z3tuvN
aGrj+971xra9r31tbaeI2//UBEycv21rjIx7nPA5N7DTTWyTnpSex9xJSiPS7H3/W+P6xraql21v
aXtc3tKO0MAJDpwsl4TNEWm4w9ON1fQZduLGtLhPtN1qkfsb4BmvdsZzDnJ+v8fkJ1/byhvS8go/
/EdVlXihKQ7JYV585FNXSM6tzvOq+5znJKfO0IkuOaMrBOn0VTrTr8ru4jwdmTXv978DrnN/Xz3a
DJE7yNveda+fSB4CoZ5bdhn2sZP94cQ5e0yeSBO1N1ardHc2s6nt+IDT+/GQFznJP26ZvJto74NL
AOf33vmCTHXlgZeu0oGjIENH6PJJWf1cMt+ezXveLXun7pRJX1/T+wb1J2v/fU96v5TXdyn2sQf9
QGic4dvjPveAye49t9V4uvweKcGHvec5zxZ5UCT72bevQJPv2uWbLOxhov56+m6Qz/Od9ghU8xe/
D/7w/2X8Siq/+c8v++HTviIrjvL83g/l+LOL+VOR+rM//Pu86+s87buFwVnAQNud/wPAAGSbAUyQ
AhS+zrs+/mPA7eNADyS1v4lACZxAlatAvLtA8+M70Os7DeQ+DuxABwRBrhHBNCNBkzDB6UDB6ju/
DCSI7aMeBpzApKHBGrRBksDB2dBB9kDABFTBDNzAFwxCF3w4lCHCkTLCEkRC11NC4Uu/gmhAD4TB
/Ys/i7HC6cLCjNBCueDC/+rrwc0bCP37QClswA6cQtOTFzM8QzS8CDVUCjbUu+JDQAX8wYsAwz3c
ljzUpT3kwz4Eoz/UPPXLPzm0CDF0QTsMP1tJRNhaREZsRIh4RL1DoCdUvyCcwzosRUM0mmu4hVUc
oFLJE03cRE40EE98CFAExOGLxAWsQ0Nkv1IEGFesCFdsRSlTklicxYSrRYa4RS+5PwUsxFOMQjr8
xX+5IVa8RlYcxmL0tWNERotQxoFixmb0wQ/kvmmkw168RFIhxlYMRoqwxhpLkFiURWQEx18QR2QZ
vjncPxg0R18kmVW8RmK0iIDMRgyjjnmkR060xw3Dxx0cRF4sxxcEw1TMlv+AdEdtvEiDPMjZSEiF
XESGDEeHhA0mnMgNtMSJ1D511JF2HMaCdKiCxEaObAyP9EZaDEmRHMm2YD8gHMNepEYxBEiZxEZ2
FMaSKbOatEnkwMll1MnZ+8FzVMkppMiVLJWWdMmBDEZ3JBm68MiPPESmbAinNAgHpEiVPEtUlEpg
1EiBjEmNZEujkQuvVMqlDEuHGMsE4MefDMqzhEqAhMeLZEttfMfISQqv/Eo0tMuI0MmM+MdK7McY
tMh3fMuhpMyYVBufOEy6VEyJwEeS8EdzDEPRrEo4sUyBnEzBzCCJOEzExELOdMQ/LAlCrEigPBq4
3MqBnMyhNJ+HYE26rMv/11xMLjyJ0IxGfrRNlzxNrcxGwCSpozvMJVPK4PQJHfSL0DRJ0lxHo9zO
5STM3fy7hGDNfRATm5zOpKi/37hO3HEog7xMgtxKwUII8RzP6KxH8zzP1wtAmBTG5CzK75yq+SRP
+7xPPxw6EmzHjWzLt3RPAA1QAV1IAl1DbjNCwMxKggy0+aTPBwXLCJXQKkNDrGzJ94yyDNXQDXXN
Dm0MDlNKEd1OwEAAikAAGMWWEmUICE1RFbWsRdTK3IRPv5jRGIVRGSWVGp0IkMRRzOu2PbxNBrUL
Ib0FGRVSIH2TEjXRhDhSQJECKbBHNBIkLS0Z9vzP3xhSKdWRKl2R2PpS/4pQ01tg0yNUCC1tCC2d
0zhtjDqV0y1dCjqdU4i40+Xw086ECzpdD5TY01JxU4xAVL/YUzVVVJSYUUh90hjV0in1jSq1UoVI
UymoCDZ11E5ECEAF1TyljVC1jFJ1iFMFFEGVAkI9iU7dVDjx1DWFVduQ1TGF0hjNVSitVEs904cQ
rEad01mdVWEl1jzd04UI1TpdVjoVVT4VVWcdVWZ9VmRN1lFNCEaN1i2tVmTN1l/g1mN91m9t1mht
Cy0VCEYdCEMtCU9d1zal03eFVUblVHmF13j9Une114twVHzNV3tl1CjdUxil1Hk1Vlu9VIgA1nr9
0nfoV3p9V+RgVjzFU/+JhVNpDddxhdaMvdM4FVdrZQhqxdiMhVZxDdlxvdaOxViO3VaMNYhzTYA5
RVdWtdV9pVWLeFVijVeILdZghdhh9Vmc7dmazYh+rddE3dQ5lVGClYIopVcE4FmkpVVZvdSOSNip
KtqofYeGlYJ3GNYv/QVrsAaNtVZwrVhsvViSvda0PduRpdhmXVmNhVs/lVu1TdmPXVuxlFm91Vua
vVmbfdifFVqHDdyoBVyh3dm/rdl1HVyf9VuIHVimZdOALVyvldrErQiqxVQjjSc61drOvVdhtQZy
FV21Hdu7bVttrVhy3Vi0TVVlRduRZVSWtVi2BdRpDdeyvdaKgFlW5V3/dZ3Zy9UIfrVcwq1cw43a
xV3Yfy3WoT3axg1WeP1SyH1cXEXch8VZijiH7NXezJUIklrenu3aWwjbsB3fOCXdiQVZk6Vd9b1b
u8Xb9GXf2BVZ+W3b92Vb2k3Vka3ZveXdxnXVy8VewaVcoCVgx/1f523eoQ1a4lXTp6VcSF3a6yXe
W9DeCqaIfTiHc0BYB+JcYd1ahtVSrd1a0jXfLUXf9lVfsx1biVXd2YXfFJZfF65dlG3dun3h+33f
OE3gl/VfRW3XBqbgAX5eoxVgozVeBE5i60ViYZVexJXUBybiAoZVC9bgCtbgDS7SDt4lEb4Fz6VV
ENZSazBWsQ1bjz3Z/7cV2dyF3dW9XfpV4TTG35NF4zf2VtvF3YstWT492n79XYP9WaLVV38t3oKd
YjdtYkFm3gNeYCE2VEqFXMhN2neNYsKFV+214isOiSx2UO+NJ/EdYS+mCK0V5Xewhq4dY4QIW/PU
39lQur4lNSgm010d0kKVAguuiE3eYCzm5E7epa4dYVD+ZC8e5fEFW7At49dk5dqwC4JQolcOtCiV
5VnGVV4N5O21YE3eZV7u5Qz6ZfEVZXAO5vJNZfIVW85UZrq4C7Ywn2eG5WgGUlpmV3vF4grOYCze
5G3e4m4m5mGuCGCmiDFWZfJFUtrwi7f4TYB5512tXpSg5+y9Yl3uiP+IZs2kECRh5mdSFuUxHl9k
NmeCTmd1hg2EJpUyDdJq1ggrvmQNFomV9tX4MJ9f9udhjmmLKOWB/mjLMGj2GGk4iee/UOkLbumW
tud8rgvc+eZQjmliJmYxNmdVxunCCWkT4el4umVcjmhd1mbojGrJCWaZTupQflePdlaLLV2JQOe4
NeuHqNY+hV07VWtuRglkAWQ+budaPeJYDV6jSWnuzWCWvlTg1J6jDuuvpulhJduyVgq0Pt2zdmtU
heu5WOxMlWpkAWLAJRm7tovMhhNM5l589uuh9s3L8onI2dOuZVTxnVeyxWNtPduQ5dPV/dhuPWPT
ZV1yne3WpmO4ju3/bEVW0KVX5t1T3u3d4X7ZdC3uvwXi4I7eV0XkIHbuogVu6IVa6D4aq74Fe/5s
v57PT41rtRFhqJXi1Y5W+33h+U3r9J1hxrZt9IbflH3jsnbr9xYTBn7Y4b7vc+3h/Dbu3u3hRV5k
6NXZAEfk4s1ZAmfgIx7ikqHnLF5podbuuUxGoy7trPVi8CZe2YZt885hNYbs80bdGHZv+uXw8k7v
EX9hQGZc/t7b/f5d32Vx4hYIur5sBa/xBG9kJF7iAp5x687krG5wCE/KyfHubJnX+j7s/NVw3WZZ
cHVttTbb2JZjEWfhDa9yE6fyjJVu6I7ZF19x2X3xLo9xP07gHS9z/xtP8RsHXRXHa31Vm3ue6O3O
UAr81ZI5ch3/WvZt4dIt1de98vUGcRIvcbqVcieHcpb9b0AmiBX33R52cRhni3Ml8zM38zQvcMZ1
WqVlWkpG9JKR6CAv0ZSwWoAZ8CDOWfdVWRvGX/U+9fY+XUPH8kGvbdTV4ZQF8MJ99DAH8xbHdZft
3Tuv9Ek/3CGub0im9MjR5My9QpSg81F35EaG1z9340JP7CiXYw133TZm6zmW9hJnbDc24N82WEdf
dOHWdeLm8oIQ7j+2dGBn88Ed4PDOdFyt7rVJduUTwIbov5WTbAix67y7MHiu3niWVNyxd/iTPxu9
MKPj9wRp5+Czr/9oFvhI1dVjN/gRRJrJ7r599/AIcdeTKMB4mviFhtRpNh+Lv3i/yPjYgmpRT4nq
FKRKfVKFlvmKP3ll170TjSeWR1NmZkPzadqKmPiID/p6t/ki/I2cF6SdT/ief0TJeeeStggornmj
V0QOXfr6dHlxPJpIndKBr+aTptGq18PExPqsl2vGLBmvJ3oyBXqqH3tvNHudHkuSAXqoH/mgD3ux
H3urL/udn3u8zMt/IflYnvmi5/u+R1Go/ovAX+c38XqSv4i113s4QXyyV/yPZvzGb4vHh3yp19W1
73TLb00hxGnN33y/+w+7B/2ZH3rRH/24lwtv8IZfoH3a78PTR33/uFB9gZf6to94yjdTo5fRjkCA
xDdC2a99hJj95UfC3Nf91/ANn25aKZXmhSYZmyf+KA2J4A/Anph921f+hLj92xf/8Xv+E9FggTgH
h7QN4GfoWR54oxl+469/6p9FngD/2i//8dd/8geIXwIHEixo8CDChAoXMiR46yHEiBIhJqho8SLG
jBfPVeR4zqPGkCJHkixpEuPElBER3GLJ8uHLlitV0qxpE+K+nDp38uzp8yfQoDkREN2HYChPlzeX
Mm3qtOZCbwOlSv1F1RvWqlaxWm3o9SvYsAWfngwJ0uNHjglAlm3r9q1IpzFlrnRJlOjTvDiF8u3r
1+fRuzsF452r//cw4qYKqW7tWjVr18aOtYqtbDksWbhs1Vpk2/Ej3NCi2zK1C1OiUsOJb/5t7frn
XcJHecpUvfo27ltRtXK9+njq78vChy/M/Pas57XK0a7lPPo5dJQ3lUKMbTt3zdfatyONnbQ29vC3
EV6VTDlrcIG9KRNvf9m427QdP6sFbZ+z8+j6n5dO3RKveAlkxx2Bf83WXXf/XScegzeRpx57W503
GVcERegehsXB15Z9zW0032b47TdidHI1mFJFEhW4IlDW6UTYUC8BeCKNNpFXXmO9OSZhZJFdmCGQ
BuUVWn333eehhx2CRiKTotVoU4q3SLcXi1UmNduBgwXm35NdSv+0G2QQBvfYehYGeaaQG8aXHH4i
ftZZk3E66WVEFj0koJRSRmkln0Zl6d2fdAlKZ5cGscfYhWWa1yOajf4yJJHzdZbWkkYuh1Z+cmpq
EqF46vmpnbf0OeqVWMZY2IKEivcgZIxNph6FO+boaJCQaoZRpZPCudlGmW76a1x0XiQRnqRW+aeW
Run0n6qqGqqjq4iiZx5viNKaoa2i8SpfRpjKtySw4Z4krIDlqmgsi0UJpqy6M6babHgFQfvsrMC9
au+17mV7q5K9IqecpN+KO3BJDXqap56eJoDusS6yOxiz78I73mLoVSsvhDsqmq9w+z73rYgC50cp
wASbHFKA5pr/W+fCDFt5IKBDwSTxxKtZOG+s1uK7aHoci+VxpOA6l5xGbp58NMq44akwqC27TKCp
fkod4z7V1VyjmetpLW20FUro9Y8+a+iUftzCudylbQaMNNvBrhZluaGSKo88OtW9orrdwVw1dVc3
mLW1Fv82OJkV6iz2V0BHCiLI9SGZNrhtSz7lYUvnKbeVd+dEd92c481uUcr6KZMvvvjNIMbTwsqj
rIMvujriDOk1YpFqNzeyt49Pvnuos6dop0V8ek735g0/HHpgt5iufOkPNX+6zTeDLX2OYfo2FaOx
K+T7fkeCfKmkuybpK+9sV54wwpnvo/nwnRe/3d6Bscs888/T/w/9YWbKCrvqh3r9tfZkp7jRmO1x
ISrS7cqnQI2c72Arcl/xOuc+CGpOO6HzU+map0ENQsR0y8OfU+TVKuBY73+r4w0AA3gQ7tEuV7hy
HNrEF7kFKnA1LILg+iq4vh0Sj3hQG4ov9pFB5d1PIhn8IAiXor+caYx1WZMM7FTokAF+DETjKxml
SBa5GdKQd4ipkgR5uJO7hdFKpRPiEOmXxojYL4k2whgAVfe6nplQilMkm5yOpCskdSiBH+oiIA/W
lAJ5boeb66HdctinMzKSiERsoweR6Eaa0Et/0zsPjlyVPRVSMTrMwZ33jObCQAISIu94x4AIaTcc
TtCQrSQQI/+DWDVJrnGNk4QK4KJlr8JpTJNQlGInPSnDLI6PTWcj5QLfkYBTLvOUt0DlM89FIPYV
8pA59KEidbgdWQ6Rg84z4jebVYFxkrMCDyknOs2ZTnQu0Rvp1Eo5GUPOg6xznQWZ5y/YKZB0juWc
64QIOROWAHIOdJwZIShJ1ok2cuKHoOW8CEPz81CLILQi6YSoQS2a0YJWgKIbRaYym1mRU0JzIjec
YBg5V0EfVvM1skQjNzMYDw+qMZyOpFNA/anOcVJyn+O8Gezm6c6fSgWdWSFn2PL504Hgk6lLVWoF
nBpVqA4kIjm9RU4rqtGOanWrJUFoOdPCUIA59KEf6epWN1r/UbCqta0d9SpcQUrSFKGSpM58JirB
GEFFupKvhvyra4IoWEbOFCLxiMcjl9dGQl3Vn1jlqUqkCivfYEWoVsEnO4v6VIQ0laoEaSpmN7tU
iVw1qx/lKGoxgtaDurUjYxWrQdGpltWi06Nv1epaM8rWt8YVkCGla12j6Uxo5nWahaQmNhGpQ236
hZtCnKkvEFvY0h2WJoulUWNJC9mUSNZwjcFnb5DKT88mpLOdJW9op3pHq27XtLz1KlpXq1q3znac
bCnrRGlbW9TGV7exfShuT0tDkgo3uHbFa13fQUhsHlK51hQjYP/yUudGN7rflKn9PijJE2WXveaM
rE/Vm7EQ/wdnnuKtQGU3S0/Rqhi0Sz2vStwL0NPil7XvDUluK+ARgsqHoWXliH65etv/3ji1ZS1o
ans74ImUVCWnFJ4rj8tSvjK3uTkZ7GBvcdjDWpjLNLVplzo843o+RLKp86w8f2ricQ5VxCsWcT1d
rF520oTMUupqjedbZBvH9RwIBY2P7ZtnPfOXyHwuNJIDvOfJSYTAd43IXZ+8DwVzR6V7FSP7/NpS
vhz2yhWGbjdnymUuPwSxHWRse8v52A9zN8SWdPVk1xzVoZKXsyx2s5zvqeqUlNa/Nx60bb96UYx2
1D74BbKQ98zWQhc5x0SmsYDb5mRTPoS4jVYwSSvdPuWytP+MPayyT+Kxj04fMZZCDCdio5vuSKoq
uwEVc5lhDUekuurEKG7zeQ1i3hY/Nd+PEnNjgc3sQ49E4DyGrY53G+S0GprQDOcotBdtsmk3GtJ4
hXROJK0dRDa4J6wcI7jDTe6ZPhfUoC63lm9qyxq5m6cd5sUteMGLX/DC31UB71bs3RV9lvfWup6z
ih+1al5vd9VJhq+A5Uvs3h78rEQG9EQdDvFkE7y2+w22+WoSXFMOt8nDnfSkKb1xCnL8J1MOOU+2
LO5yH1HUFn77Bh950ycF3OVFj/lDZD5zf3+XqJclqpyD/vPP8hvoU/3pmInO6oEvvb8Sx3rUK4rs
hLs12s7/HvJ7Fc3bqDP6JsOtdoIRHGnRa/w1y2Xux9/XF3GPW9ysLzl1N9hN5U13w17q9U4/DHOY
533mtX4WUqF681u7Wd8+J7zhQ6zTGEM2yTlW8tFxXHmsG/mjnKc+xCGf9NZKPVyICX3oqS2q0j8Q
095eJdp70mmdeDmIbkcj805e4ZQrtt3p1Ok/Yx5i3/v+zZatdTktxL7h2osFIFTB26pdHcNVHoAp
FMFl3wJunvUtnG1lngJSn+N5n15s3cWNHnGBXbaVXyuh1DWVoF+sH+uB2pXBlJZRV2FNVwseEQjJ
XETwHg3OnMzRXA7a0XsEEzL9oKbcRoKFX7V1oNhl3A1d/5OUbRsO/cX6VdiViVrVPNJ0VdenmRr+
7F4N6t0O4iDN8WAPqgkQjmEQ5oZdHRiCFeGTid0Rblw2bZvqxSGnuR4KChEaPde5xd/zQFepYeEM
2iBE2GAO9l//gaFXsBAZJiKThAcaFuHFURulkZ8qfZsEpZRfrZ7r5YTaidqWaaLb1U/staAfno4g
AiIX6uBA7OAXGmJCVI4ivuJ+nMijgR74cR22SeJ2tA+EKWH6pR37jdtOCNb7bZCo0c/JZSHvxRwX
7h7MCYQX8h8rjo0YwiI1jouXnKEaUhvY6UQbll8i9RWDneD6aSIwkpwmtt0xzt8LjiK8JCMNbmHe
6SAhpv9iIUajQCBiNeYjScALcUWatYXdNs4Nppnga9BhJqYgyUFXMRJR+2EhO9aMO+KdREKEQQzi
KdrjPfqgPlbj1fjjGdoVQAbkqFhigWQiMIZbhblg8yhkCxoWKTLjROpdIA6iM65iPbIiPm6kTvpN
SfXk54kKNz5Nn6Rg63WiJ0LXlcWgyambdD1ks7gjM3KhMn4hDtLkKkZjTuokR+IPGoZfcYVdNwpl
Sb5eUZbjlq0kOi6kdNkfq5ET7wUUF7rlIMbZOPneeJ2Xv+Waq9Hl0CUeXRacAnJekP2a5k2gYWqE
YBqmoi2d9F2eqtHlriXe8q1G1wkX6O0ELopllZAlSnb/mdpFRFOiWlvWJcy5Ze/JpSru3VLpnWfJ
2uAZX/Lt5VNNhIwZXVnsVgVKoLLh2fM5X+RZ3m/qZlwtJmI+W0b0pWROZnIioFP0oweKpGZaCVFu
4jhuopZVV3WlXM3UZsu5JVV+oXeamU/9Ht+lF6zhk+JNptI9oMIJp40xINP5GvfpGfcRZ/U9HmN6
SofVHaspJ3PmxdZlG7ZFJ6mYJDmeZFFm53V+5lqyZQLmnnbJJT1C1Q6WZ+HZWlSxk3nWGTqN2Ulk
4LANpm42XOPtl4hiXvTdJ/Q1Jm3eHXK+KHL+5waWFIG6DFma5OtR54KmnKkpKE7ZXc1VQJAKKXs9
VkHk/+A8IangkeeSrplStaaLRmh/rmd+BtuRpejUJZvADZyvFaeQIV2zdSmWemmL9qdywijuPUmN
MsxB7oRReqJLltqOOiV22d1jrZpMumWSsuaQUqWFxhmGPqmaFaCd4R9F/OUDginjEdp/LaqVGtrC
1VgGahSl7mMCRmh6jlmhymhirKmxdFqOHmhZOuRa9ujVdGiHBuK71aVNUqh4vuar/tygyplN7NqK
eimfLVukNiDVMap/YamukigGXuCweFiZZuqZxmiUYoenFqgniuqzuh6PZmdo0inLldOQ8pQW2hM0
UigO/imswuasjtZ/qhr2AWaY9uqwORxugqh8Aifmbf+pYx7nsWIqsqJpqpmpeDTrp3aiv7YeOWqn
YWHnqT4mtuadaeLpMjZVn75ZuMpqhgZgskrpfCbU9vXq1OGqirrriO5mx6ao5hXrvSanvSZrmp4I
vzorObbpOBbltMbpxOxatuYpaTYsa6KmasJZxBJg8UmV4Y2mvmqqbVJpleImwzHTMq2o0cLV5Wls
xh4dbxpUrUYpAvJnyXZJyn4qgvorHVZNjzaltf4o0CqjzGkrwqrXt/5U/xmgayKfQtAqyWKqit6m
mKKWMr3DQ30kBaJWPCBU3yqm00Lg3BJb0BrryBquyeYrymat1gIsqDpuqUpE2IZZvm4rZO2ed9ql
2hb/4l1eaM8Znof9U0A9aj2hK3GeUjmdodIq5jjFQwK4bsiyZ2He2IzdRJzB6NV2Z9wyK+MWKEJ2
LeTO6S1NxA2+Y/HKoypeJce44q/cLdKOFPT+VtI+b0i4LkZY70VgbxkOL7z0LroYJApKK4/C7PAu
YyBOZbdapdgwL8GElOrOVdJCb0lY72G9bv26rvaSCPdejffa6Ca66ZaRL/dC5UzqhjOq7006CvuK
i/vG70X81t3Kb/XWr/1WsP3mb4nsr9/0r1g+riZepwZLhEwabyCm4nciTlZqCtJKr0VEsATD7wRT
5wXjbyyG8OlwcAcfpcDaMDwqI9lW5TMmMJoscLhI/y8E21X8zhX1WoTaWfCWVQQGjwYPQw8Oe+oU
q8Q7+nAXJu/ypjCTRPDzNrBIOS9GgHH2XjAU3+8ZU/BbXDH+VLEVu3FK8AIA5J0BW6SjAAAArBce
jQQ9JMAf/zEgtwUAtLDzwq8LV0QhJ3IzmXFGNHEFUycAsHHBiEcd1/Et6DGNYPJDcHJNePJheC8A
7MMoN+st6bEmd7JNAIAW5uAetwcqH8QrV5XvFLIiY4Qg04Mu6zIgC3JGFLItJ4AtMxMAQHAjCzMx
y28wI/Hz0q8zP7H1TvIkc8pEgHJEWDNNXHImP4knY3M1X7Ne5EQp+8Q4V0k578QonzOBnjJEePM3
U/9kkMxyQcgz8wazRfAyLw9yL+tzSATzMDPzSNnVMC/yGKuuBL8uE9OwM9vvNLtNSrizU2gzRONG
Ny/FRC+FOAOFOhfIRpOyR5vyJFU0JqNyJ2vySOuxQOxxLKN0SrO0Sqe0QbwyKss0SmdyKku0SXMy
KiuyHgszTwPAH890LgtzUN8yMPf0TBs1KivxUs+0MtnyUgc0KrvuTvf0TytyPBQy9pK0TZ/0TX/1
SHe1TqdyNYO1KmvzNqc1V6P1TINzV7fzTZ+1WMM1WZd0OuuxOOM1Kes1Kuf1XetEX+81Xw92R9co
O7fzNlc0YlPkS8s0TM+ySkN2TMP0Y9+jTtu0Kqv/9Z0YtUUAdSEXNVAr8i4TtU/7NDB3djMVMzAT
81wV8zIt8juotk8jcjFTdVYfFlQrtDSXtiK7dWIjNjZLNHCv8mIndlhrNjjHdWbLNXP/dlhf9mUj
NmCT80dXdzpntEeP83VntHZz8GHLNVkr9kz/wkuT92OPtzzLMmWb9x4vN1ojdx0Lc1VXBD14tiDb
t2gHMjDXt2nztj/HNoCf0jDPNjILuGkv82sntVYv+E+f9jQvd1r/dnPP9XtfMkRHt4Q7t1qTNIaL
9HCfNXR/eITb9HQDdl9r90x/dCnf9YlPN4r373dnuEknd5k1NmWX90Ck92Sb92MXd4Vn9mlzNiAH
/3l/izZ927dnF7l/I7Nrl/ZTp/ZIBXls2/Mi1++C27ZW97diu3eE/zh4+7g3d3iXa3iIc7mI/zhb
jzmGP8ReW7eLl3iJr3h1Y3d284ReZ+13H/eEozV787hjS7Y867hj9ziXR/dILzlQBzV/K3poLzov
JzppEzlsq3ZsJy1BV/prh5Rsa/pv2XJW+/Rtmzb+SnNW+7aan/lwr3mY+/iIGzqqQziaf7hwNzco
czecb7eby3md2zqvo7NPZEV0njJXG/dYs/VK+/mNuzRBpPexp3SrK7dml3ZSyzd/yzdUd/Zo1/ej
F7V8F3ilU/qTd/qmm/aUN3ln67FtS3uD3zYor/81tJ+0Xc86sWfzNUP7mMf7s9e1V9O1e3t5W9O1
ifv1ig+8rhc8X8c5i//6TmCFUMqxEuULEZNEINN3Pu/yUN+zSLzvIU9vErPwGD8yNNuvnGrn5Dq8
33gyHHvDPqj8yqs8wz+Nyb+RAkf8RVx8PtM3zu9zIPuyLz9wCwc0MwV9x5NxAyNxQov8105Eyce8
qgw7m1cxw7P8wsM804NYoyDGSfD8zlu8zucyz2d8QB+0MT8wDIdx/H4m+aJ91XMvHOuE1Ee91DPM
2k/EzHtxzlN8xU88P4fEzf+8IYe9MQc9I499M0muwJqqj879JLV9y8f9y1O9HLvzQuh44tA8Lg//
8s3r8cRXfM3rfEgYceCLVEG7MOirhCY3KG4rflPUNdb2RGFHJ9y7fNQ3vA17eXGr93pjhl7Ysx9j
/n3zsy4Ldbbj/ZJH7wpT706Xu1UbsmX6tqlNMmJdNF1LP72veWJc9Krzu11rP2u4vp0HdlB0d2uA
v3WjMrBDfu0XN93vOI/rvt1nBOfb8sR/Ns73/fyPhBg3sj//vGt7HYEBxC2BtwAMHFhQIEKDCw8y
dPjQoUKIEx9KrBhRYUaCDTVSvLUPZMh9AESSFHkSpUmUK0+qNAkAgLd93kh6ozlTJkudO1l69Pnz
J0KhG2EWLDr06C+lSov+SsoU5lKoAJxmhHnw/yrBorcSAOhaNEHYo2HJgqVnlt5ZsmHPwizrFqzX
d2DnFn2X4O7dsHPxisWrFcA7wQLrCs2a8OpRrBYtAl68MSFRookRW2V8eOtWg5o1b24Y2XPox4Bd
Fi2ZEmZI06tBmh7peqXLmSNl0szJE3duoLt5LxwquSPwW0ylUiVO3LjT4kwjB28usGt0r36nR2fr
Na3X6mTbTgeQVjq9suPl8g0sNm/erurnCn53SzDC+BwNWrMGwNqt+/RBj9Yo8T+k+JNsIqNE+4xA
hoKzarPG6GttJNVaSi1CCFWqMELZZEvpNJmOyg1E3TxyZyASe9vNwBQhW1HF41xMjqqjklMOMv+j
FCNtI+qsk268BMTDrquzxPPRxyGDlNG6H8nLSzvB1tMrPrzem6tBmKak8rn88tsoP/y6JM3ByTIT
zcDnmlPssCrL7A/BNX1T880DcdRQwtheY63ODCXc8LQOb2rtthAFFQkid0w0iMRDT6RIRRX7a1G5
pWCUNFKpmKtxxUcJIm9H7Xr0EcjvsEuLVFI9LXLHTjvlCz29noQPPvk0eo9FLu2zb8FML2KMzFr/
w6hXABUcMM5i2cz0vz3zbAlDCPMkiU5nl5U2JmkHvXYfhgw1VKBtSzRR0UUj+mzNXwtysdJJJ5UU
tHJ95bS6U1P9DtQghxTvXlGJ1A48VeNtD73/sAgaDFaF2ouPVi4l2/LLLm/FzznPfm3T1wGFpfji
YC+Kc2JkOVLW2tOipRZDaJe98NlpsQ1RW25vSXRbcF0Wd2NMtar43EqhSneqpdptF7O44O1xrLWK
yo47UI/+0S2lvTuVrvPaWyyrwAYqzOrH9tNPvy7ddQzOyvwbE+gaq06zMsMM861qjBgcDWw4N/xQ
NdjspjC1l/A+mW7X6F75WkQTffnQmLv1lubEHbKU8cYtFXetyCWPfLt7i8Q3aSONTHrytZzMC74r
Q5+SMFhLd2+gLblevWvVVe9a8dhln703wG2/HXdsESV88JcXgpl22R0f/vFFOz/+q+2IRPVy/83X
IhX54013j1bRR084dNMX0lKgW7W8FXauwQ+e/PJlzx399NUP6dsSCXeIW+DN7434+iGPHv/nicQc
PHxL7X950bsawUg3QO0ZxHrd697ruOcQ763udfOT4AQhsj4LXhBw8Xuf+3zHu24djoI+qd/w7pc/
E+7PefzjDgCl95AEFhB12Stg6urDQBoyrIEKDOEOefgRDP4QiDyZGcwQB8IhdpB8aEPQQEbYuBKe
8IRqYcsUUUjFyXkEdaS7UhanZCUahu+BqWOgfRhCRjmJi1fjUpwSjxW7IL4RjiFRVPyAB673zbF8
jYnYcBz3FJ+hKEepgiL+gMQ/zAUwcr0ZjP98SkeY+WxvRfeByZaK4jqEfO9haApKZ4yVoCUuSo+f
DNNueIKyOJ5yUDKbme9ipsH2hSt2oWxjHx0HykHeMjr+e969Nkez+RDQkcfyWvfwk5D9OAxXBcFh
ffZYMwelcViJk6Wu3LgTU6ISm7rx1uBcqa0P9o5mnElTZjrTlOVYqpyUeU6K4CKWpiWPck2Llzu1
AxZ6ZgcsaRMb2ywDmIQVZp+ru2RHKKkfiNWQhpbpp8bO1Da14WifbgIbJ8nZtrgRSJwUupOFNlqn
l7RGo7DJ5gWRyMrDgbNwhZMmsTTVHEoVJypOIVaAEuIvTklunjyaV1kA6CkzJShMbpqmRLX/pJGG
SfJLBPHe9yj204y5y1wec+rNGNqrdQKrYgkp2WtCVqGPimykQSyiSldZRyOu9KdNFVNMGRcjTWLs
IP4ayzvfYk9Vfepp6gQqmPgp1Gh6MnWXJA3DlCqjhyTVVzfSZ1aFgxmOvLWqamXnXw2LED1xtKsm
M9mdoHXNsObOHfsY6xzlB0LThpOltXJp/ST6VMjoFLZG247y/FJb2/p0rx0rll93qysyCpZrXiJm
YLlHRu/lKqi9jSpiGNtG3bYUqK4NzWWpa0rNVrdun12fy1Z5R8F9q7RoTC1yX/o4qGpMR+ndKV7T
O9uyMPa8bNLtUH0bGTPeAQB3wO8dcBWa/2MuFblLhOZ5hdUxiTYXurxNMGSwy6c+efVk2lVfaE16
x226D4+wPBFngNURc0oqnQtFE9GgJk+60vO2KPYK0PSqtof2NaKX+Y0Ot5JMgei3KHdoXXC4l6uL
UhNNHLbRjF/8TIuyDWdoA9DZQrq37D64NHnTqIRBO8Te0bGDZe3hREj4RFziEq09BB9/+StG/eoX
fEw1rvi23OaVUhnOqcSy4UxqR5S6eSG19PKXTyhNNs5Pzbcgs/h0bA001+eGa8bzontTkDg/Ojeh
VSV3t6nBKzNaIE40Hp8HiWmamTE/Zxb0QMocakNvz4yeVjVQIN3qnVTau3U+KwcZzbg9c/+6hXhO
6aKWeuYzG1q/hC71Agmb6lUfeyGuVvZKMnxhmVkYnIsu3okIabROz2+U4MVycidCRvyOGdiCDjYE
IUhYN/85KDt0NIc45FncTHnZqdzdvMN1RFVLxZbV/pQAKfjM71IaISSKmETGl99R+1p1/D01gnL4
yUZ7pJkQiXgSfcisdmPL3fEGkWlVqW1kG+SPG86fe3OtbjUikYgEGdzEYafj/KI52GSGeesMiui/
ghLiOG+j+dZtcWZlXCdA17gQsVxnO9s7lkwWG5NzllERXwWeUU/ebO25Yl05XblCjmiMC+KOEHdd
4InRujKPomNBl52/NWangfr7mN8UOaP/ql26ajnpGMVymMVcV+iE8LY3vX307yXpO+CHrhPeRdvC
EnTt2+GL4LjmFLYk74rc3+QcA1P1uUbhFtgB4PVugV3lmrKRMXElamXud+EQIzslC9pUAU3Vx6K3
mFVzm1rYHwTKW93snr7qcw0JPd4ev3CsPyi7xf8sQGSbjJo6Ndd9W/31chPw7BVapqN4PVGV9V3A
5e4opeJY0IbGj8uTCRP8BjewV6fP2lvssQGbybCSbfw4lV+u3NPp77uH91YxW/ieFP+Vvum0jI+h
oq+12sRA1Et5II/u1G+q4OoBqU+UNi9+Ok/g1u8gHkbmCgLH9uvsjkmpiGlr4Mr7ZI+l/zzMZihL
Ah8lvoDq/pRF/5qFq1Km//wPJX6n+IoO2wrw9iKQKG7KpsSC9ujL8lYQZw4C+wRuWzov4DqPcLru
CElvvwrN4O5jCs/PS+7jdaapAXvQ4WKvCE1wr4zQ/lIG/3SP3UimBm2QULxp1xCPduLOZoZMxB4L
IabOnVCMnpZsnNzma6imufDu+jDvKgxFsV6m/YRqK84M7SRpkooJMR4GqxbkyNbGudTqx27Gw4JG
7BSK7kSKs0CK8EIxynyuo4Av+B6C0j5u534Cingj29qMjojIjk6qiHyCe74N5saN2DBpBHeQFVmN
DVMxGH0iFiHChHTO0zSMu4yum4DCjP+qkMwM7YHSDLGAsRgpYhiHLhvNB3+68US4CY+Ir6R2Q8d2
canEx9zAsc22cRjZkXaQBx53I9pSjpVIS8M8QkvOsdDKaHzmcYLcUSBBghWP8eaQ8YpgkdtU7dm6
C3G6S1wa6B8bDiCDZyAvsg2R7cD8LRZzShkxkZqCxyBPiiTDS3YmMoIqUnEwkiVv8OMW8iAVhCzC
DCT7bSIuzc5Q7hlV0if8wA9u4SfnpyWH8v9U7a0qqrHwblPIBuv4KaDsThD7EO44cZ3QrR7LitLy
kScpwidnhyi/cidWbblY0Atb8A8dL8CMTAyhasZu0ug8KMu2kje6MnHA0i5xQyzXDwz/548MI2vB
Rm+3IMssfeLZ7nHOtFIugfInF1Mxg9In7hIyN84oLeYPB/PywhCwuo9FpAsCx9At5Scn4TAxF4Ix
B8InT9MhIlM1BSUv06oy+bIs/VIzM2Y2+9LhbDHlHhIxRxM1BYIuT3M1gzNwxHJM0imxOHFtikyU
jqxBkgyaJirE5Kstf+fKaBEiR5M06bIxT9MnhdM7RQQ7w/OMZKcZcVA8H0Ik/CAkgHMf1PM739Pw
zlM8R1JxrlM8WUI98zM/27M74dM/T0I+A1RAA3In+rM9QcJAD/Q/FzRbBtRBH/REBqU72dM9FZRB
FxRCM1RDk019JpQ9L/Q/N1REA/SC//ZzPxEURDF0RFdUJeMIOD80RUOURWc0GCWsQmOUQWlURxcN
R3v00XYUSAnUR4f0R4PUSFeSSJPU1Y6USYVRSZ9U2ZpUSjkUSquUGKcUSK1US20QS1l0S7/0Hbv0
QcGUTN1RTM9z4wiy4sqUTbXrTLcycLKFIAG0TesUld4UHG+n4gZiTg3CTv80iPAU2dTHTwu1QfmU
j34BUBc1dwSVR0lqTxv0UDPtI/jIhxSVUTNVdxw1hOJIIOT0U9lnHxR1OEK1UkUCUzVVVcOSU8kn
rPhUTUHVUn+BiUh1VW8VPFtVXOBsT32IiSoV5IZDTpViVEc1VXEVV3WVN1oNUdtQTf9ptUGVolJJ
lVhB4liRdVWVdSI0DlhlNSRodVpPlVJttVirFVuTVVvX1P8iVVSFFVr5FFyNFV4x1VzPNVM5lSWB
VV/lNV6zhVbfVVH79VvtNVuxVDXFtVAt1Vd71Vi/tV4JFlCPdDU/dWHVtFvxTVxH9VSP9Voh9nbO
ASTOAWThk0ZJlk7llCDB9V0lNdP+9STo1WNxZ2RFVkUzFEQTNmVRlmLHVV4p1lphNmY/FmRFdmT3
gWaFc0CHdF911lSjVWP9lVQ/wmXL9WGDFkSItmiNNmS/Mzyt9FQnlVi/1l8ttVjH1lqNdSmsdlBm
1miHlm2zNjJ5kk19NlyHNVEPlWX/M61hz3bo7MAOLpRmA/doiXZrJzZPF1Vd3RVqpdVQNTZeU7Vq
H+1v98Fv/3ZyQeIagnNo25ZtOXdzDXdQs3VO8ZZuW9ZWYZVeAzZg4+1yQ+JvrwF2RSJz7XJm3bZt
tVYk4NYuPc1eTTXPNFZYd1Zvf1d1yxbSJtdykddvZ3d2VfNot1ZwPzc401VA/7VUIeJfVdZ6rxfZ
/FYg7GAgKhd2BWJ8r+FBz8Eg0FcgRPYW1Fd9qRd+e2h7gUJ7f7V7FwJ8v9d8b6F8F2J/zxN937d9
0zeA1zd+DziEspd7GWJ+wbUbwReCbyF/+Zd/83d/YXd8BZR9B3gg2NeDBRiBQ7h811RWYRe4ftlx
giOYf82XhcmXhf9XPj24g99XhkXYhkfYgSlVh0m4ZbMRglVYgsu3hTEYhgGYaGf4iI/4hpd4dnJ4
e3lYe3mYFSv3h8XXDi54hQeiiMVTgDfYi0GYicM4dqS4y4pxgiW4cr/3iin4grc4hjlYidt3g8WY
jsUlh7GXce/449LYe9GYfF34f92Yiw24gOO4jg/5RO7YgaU1j1H4h9EYglvYhTfUfQsYkS85cRhZ
gbcyhc/Yf1eUhjFZlGmGca9Xj+exikdZlUW4lEt5lV9ZXAICADs=
------=_NextPart_000_000E_01C71164.211A9320--
Received: from 190-49-206-128.speedy.com.ar (190-49-206-128.speedy.com.ar [190.49.206.128] (may be forged)) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAPD88nw037138 for <ietf-pkix-archive@imc.org>; Sat, 25 Nov 2006 06:08:12 -0700 (MST) (envelope-from reserved@o-lab.com)
Message-ID: <001101c71092$c153e940$80ce31be@bauhauspc>
From: "Microsoft" <reserved@o-lab.com>
To: ietf-pkix-archive@imc.org
Subject: code checkins project
Date: Sat, 25 Nov 2006 10:08:09 -0300
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000D_01C71079.9C06B140"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_000D_01C71079.9C06B140
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000E_01C71079.9C06B140"
------=_NextPart_001_000E_01C71079.9C06B140
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Can get on Product Index pagewhat of Rssrss provides convenient way =
syndicate from variety sources including of news stories updates. =
Product of Index pagewhat Rssrss provides convenient a way syndicate =
from am variety sources a including news stories updates. That provided =
format see latest click or is select be updated once hours how recently =
related then or contains article! Click or of select be updated once =
hours how recently related then. Will publish xml of file list newly =
published organized by icon in indicates available Generally view as? So =
people a take advantage some form in client software read monitor let a =
gather any that. Provide daily lists am of all new content products a =
you are interested in if already. Generally view as a files through =
Internet Explorer a However am viewing pressing in every few minutes not =
most of efficient your time. Of all new am content products you or are =
interested in if of already using.
Homesite am Mapsearch for Help and a Support of Homeselect Knowledge =
Base Search Supportkb Switch to Advanced Page Toolsprint this? Simple =
Homesite Mapsearch for Help and of Support of Homeselect is Knowledge =
Base Search. Rssget the or feedshow do use Microsoft site now providing =
am an feed its is kb. Depending works There many a different clients am =
typically used am Windows Feedreader is Bandit which? Way syndicate from =
variety sources am including news stories updates or web a even source =
code checkins or project we will in. As files of through Internet =
Explorer However or viewing pressing every few minutes not most =
efficient your time so people take! Format see latest click or select be =
updated is once hours how recently related then? Way syndicate from =
variety sources am including news stories updates or web a even source =
code checkins or project we will in.
Code of checkins am project of we will publish xml file list of newly =
published organized by icon. Site now in providing an feed its kb in =
articles of feeds provide am daily lists of a all! Way syndicate from =
variety sources including news stories updates web. Efficient your time =
so people take advantage some form client software read! How recently =
related a then contains article title direct am link or method am =
aggregator! Get on am Product am Index in pagewhat or Rssrss provides or =
convenient way syndicate from a variety sources or including in news =
stories am updates is! Address appear viewer receive in email depending =
works There many different a clients?
>From am variety sources including news stories updates web even source =
code checkins project we will of publish xml file. Product of Index =
pagewhat Rssrss provides convenient a way syndicate from am variety =
sources a including news stories updates. An feed am its kb articles =
feeds of provide daily lists of all new or content products you is are =
interested. Software a read a monitor is let gather any that provided =
format see latest of click or select be updated once of hours how.
Or select be updated in once hours how or recently related then contains =
article. Software a read a monitor is let gather any that provided =
format see latest of click or select be updated once of hours how. Many =
a different clients typically used Windows Feedreader Bandit which build =
yourself following Msdn Library These supported features vary.
------=_NextPart_001_000E_01C71079.9C06B140
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"" hspace=3D0=20
src=3D"cid:000c01c71092$c153e940$80ce31be@bauhauspc" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Can get on Product Index pagewhat of =
Rssrss=20
provides convenient way syndicate from variety sources including of news =
stories=20
updates. Product of Index pagewhat Rssrss provides convenient a way =
syndicate=20
from am variety sources a including news stories updates. That provided =
format=20
see latest click or is select be updated once hours how recently related =
then or=20
contains article! Click or of select be updated once hours how recently =
related=20
then. Will publish xml of file list newly published organized by icon in =
indicates available Generally view as? So people a take advantage some =
form in=20
client software read monitor let a gather any that. Provide daily lists =
am of=20
all new content products a you are interested in if already. Generally =
view as a=20
files through Internet Explorer a However am viewing pressing in every =
few=20
minutes not most of efficient your time. Of all new am content products =
you or=20
are interested in if of already using.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Homesite am Mapsearch for Help and a =
Support of=20
Homeselect Knowledge Base Search Supportkb Switch to Advanced Page =
Toolsprint=20
this? Simple Homesite Mapsearch for Help and of Support of Homeselect is =
Knowledge Base Search. Rssget the or feedshow do use Microsoft site now=20
providing am an feed its is kb. Depending works There many a different =
clients=20
am typically used am Windows Feedreader is Bandit which? Way syndicate =
from=20
variety sources am including news stories updates or web a even source =
code=20
checkins or project we will in. As files of through Internet Explorer =
However or=20
viewing pressing every few minutes not most efficient your time so =
people take!=20
Format see latest click or select be updated is once hours how recently =
related=20
then? Way syndicate from variety sources am including news stories =
updates or=20
web a even source code checkins or project we will in.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Code of checkins am project of we will =
publish xml=20
file list of newly published organized by icon. Site now in providing an =
feed=20
its kb in articles of feeds provide am daily lists of a all! Way =
syndicate from=20
variety sources including news stories updates web. Efficient your time =
so=20
people take advantage some form client software read! How recently =
related a=20
then contains article title direct am link or method am aggregator! Get =
on am=20
Product am Index in pagewhat or Rssrss provides or convenient way =
syndicate from=20
a variety sources or including in news stories am updates is! Address =
appear=20
viewer receive in email depending works There many different a=20
clients?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>From am variety sources including news =
stories=20
updates web even source code checkins project we will of publish xml =
file.=20
Product of Index pagewhat Rssrss provides convenient a way syndicate =
from am=20
variety sources a including news stories updates. An feed am its kb =
articles=20
feeds of provide daily lists of all new or content products you is are=20
interested. Software a read a monitor is let gather any that provided =
format see=20
latest of click or select be updated once of hours how.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Or select be updated in once hours how =
or recently=20
related then contains article. Software a read a monitor is let gather =
any that=20
provided format see latest of click or select be updated once of hours =
how. Many=20
a different clients typically used Windows Feedreader Bandit which build =
yourself following Msdn Library These supported features=20
vary.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000E_01C71079.9C06B140--
------=_NextPart_000_000D_01C71079.9C06B140
Content-Type: image/gif;
name="Windows.gif"
Content-Transfer-Encoding: base64
Content-ID: <000c01c71092$c153e940$80ce31be@bauhauspc>
R0lGODlhpAGwAYf2AAAAAIEFAACFDYByDgQLhIAChQCFhLq4vbfVupnK/ksjCWIpAIYRBaQrCrcb
AOYpBgA+ABY2AEEzAGBNBXExDJxLBMo5BdFKAABUCS5kADJeAFpiAHRcAJFYAcpcBNhSAAByABiB
DT94BmB0AIF7DZmMBcx7ANWJAQWaACOuAUOfAGicAICoApSgAM2lBteUAA7AABnEBz64AG2zB33A
AKbLAM23AOfNAADuABLlAD3kAF3aBofrC6vhAbfVDuHXCgIHTRsKPkoAPWgAN4QBR6cAP8QLNOEB
PwAcNxQkMUMjO2gUPHEpOqMhOs4mRdMXTQA/PB9ENEA2OGVOTHFNOJ5DRbU/R9RONwBWOBFgQjNa
OGRbRYBWA5tuS8ZnQNpWPgB5QhqESzRyTG6FQoaERaF9TLtyNuiIRACdNSiZS0OeNW6qTX+TRKOY
QbynQuegNADGMSa4OD3ISWm5NHq3Sq7NSLnMO+yzQAnjSSvXNDnTTVPqNYfYManjRsHoOefbOAAA
dBcBjEQDd1UMen4JhpoKgrkAiuUIjAkoiSslh0cYemEfeoYSda4SdM0XiugoewA/giYzjUU/iGk5
e4c5iKE/e7wzht80iQ5hgSpqhkJeeV5RdHZjeZVrg8FTf9dcgQ5xhCuFiEODhWOHe4F4eKB/jMSM
deSFhAKVgxGke0GZel2Vf3GpfpGogLOoiueXeADHfiq5fEizeVzMjIi2fp/FjsC3e+jNjA3gehne
fU3ti1/adnTccaLdfbbjd9TdggUIuicFuDcAzVIFyIgAs6UKts4Cv+QAxAAewyoRvEwovl0SuHUR
zKEewMkasdsctwA/tBg+vTFJymRHuo0xwaxEtLE7uNs7sgBexydUt0dutGRYxXxay61UvMJjxutR
wQCDvhOFxT+Ay16JsYt+upZ4vslxy9h2sweRvR2jxTetxFigsX+tzKibuMuqxtyWxQC6tiXJwEK+
uVHOtojOtZO6zvfu+pirsXqAc/MOAAjwAPb/BQAE+/0A/wD+8/Lw/yH5BAD//zEALAAAAACkAbAB
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNqFChso8eF9kKKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3NnyY8VdPoMKHUq0qNGjSJMqXcq0qdOnUKNKlcqzqtWrWLPa5KK1q9evYGtO
HUu2rNmzaNOGXcu2rdu3cOPKnUu3rt27ePPq3cu3r9+/gAMLHky4sOHDIbUgXsy4sePDAK6CTPkP
b2XKJi+j1FyXc+bPmO96Lpm2NEMATFWOlrt65OrWImG/lW3vtWrLqk3rRoha6W3Rv0nSpt12OOjN
uCnvXl6w98bH0KNLn14yss7JIvPlc508+/bYx0MK/xDAHfjI8eWFk+THL33n9e1jM58/0HlRe9pD
5sef7x+4/yP9B06AANoj4IECGligSAkqiGCCle0nYX+foWePheP908KGI23YQocc2uPhiB6KGKJI
JZpIYomVYUjehQLYxl5IM9rD3j8B5DhSjgHsqKM9PAbJI5A/ijQkkUIOWVmNTPJD35P/2GfRStpV
aeV2DYaUpYNaPthglmB6ueCVV6Y03plokpdiSGuqyOaKKa4pJ5wnpplmSuzlqWd7R4bUJ5J+Jnlk
n4QKWuSee1JXl3VekUnggF0WGCakJk3K4IIoOcqSnSB++GaIc3pqUqgonogSpywh6mOPgf5YKKsm
vf9qZJEoqaqoXYy+RMhM+z0aqaQLbllSglsKm+l3L1nY6aegnthmSSW2+eypL75U46qtulrknyUN
+Se3tcZ367gnaRrpr5BamhKCJBlbkrkqofops56SmhKJJE1bkrwq2dpqtqzKmpKQJIFbkr/knvRG
YCCRaWVlXw4ILKViYsruo17Wxp/DFJIGo50ZumniyCKrCGenppq8osYgnykjonlWNmiP2sJqKK0E
ryqoxjDHDOXPRPGn33faXUasxEhT6mDGvrZbscYTDm2bi+LFOC+HWJtKZ8rTbv1hiy+6+DKN8d34
r45o43xzwbQCTPCSZccNlSVAp+ZSrxgD+GDT62L/ei5LeLekLMpZj7isSl2nTG1M1+qcdpDYqgSu
wSY1nvDlKu2996VKV3qg051/tfLKpYp6Er6Hr5Ukkt+23S3kkWMuO3YnGc3u5n+jdDHntQfnHmij
oz7vvYanrl5oxyPH+uOtw3pSzrM6/ztpdVfvUXCfo8u350lvP33y36dXvMrGQ1t4+eAhH376rEev
tvRs0/x+78pZbz9DOWW/NOi6B+t/6KILlelKZj5R2YstsGtf7F5ns225TnYQnIn+9Ieui6lrabjL
yvjGRy/UHdBrXklgAt0GO4EtD3oRjA7tjjNBYVWse017ocbUxz76max0AwThs+K0tRkqD3zHESG3
/24mP+nNzFA+rN39lkgR39HFOB6j4VygCMQo2mU4TMxiQVLIxS568YkKceIUxZjE8DyRjFR8T/20
qMUvuvGNcIyjHOdIxzra8Y6PAYAe95grnZQBLivEoyCzwsYo8XGPTBTFFgfJSEIW8pEIceCsTig/
H1HyeSMkks4AFSi3xWp1hXJfA4XovFdJcpIn/GQpHWhCQO0slEhUGyf/pcnaWA8GkHTIKTX5QG11
UnINtKQwYbnK1zEQladM5vxqWUtZyjJ+kVPmKisJzV9ak5m8XOaPcsnNgdQsYNRkYDAHBj/3DXNm
2MSkODvZtrQh84jhZGcxHxg/cLrTkiX0FvzyKf/MazIvW7/sJkPMsBtgAjSbmNylOhNaTAXek5zr
RCg+x5nPh8pzoiupaDyz+c10OrSh/iyiPcHZyL/885utc5zr6OnLX7oTpeV8ZSUtylFivtSI8YTp
J9tH05v6FHI37Sc2f9rMcpb0Lhq95iaVasyPWrOlmWTqSkeazqBOEqgbtWgv9ylSiV61qzQt6jND
WtOiHrUvSfXoQdUqVJ26lKpNFepbe0pNZV4Uo6hkW1N92c66knSqax3qPEnK1rOyBSRp3epbMxrM
Z7bUlSDNa17RudjKQnWcZhXsXglrV7MClpZKvaxlWSVQ+7FkrDKdKApVqlmsRs+T4tTnawEm2bD/
srKv7zPYZ5cnWXkSjJVyVaBHH2vY4hr3uIYNJHKXu5nSVo+50I3uXpQr3c4497rzqe506YNL7HJT
u3rxrnhNA968jPe8Z8FbfuD1LmQ5zDvuRZZJyjS0+La3TOay0saq1N6RqFe+/pVv4OrbK/4Obb8G
3g9665YLJv5XaAe+L4C9c+D1TjjAFN5YhjFMkgLbF8IgjnCGB7zhEIt4QvYlsYIXzGKjqOTBHj7W
fFO8HRKLuMIJnvCAYxzhBxOYwzbW741NbOGoqfjC5XXjQmD84Rk7Gcc2HnKRiabjKm84alc2MHyR
vN8SE7nGOTZxhFtMZqcwWcjlsnKA+atlDlPY/8Jifi+8sNxjKneYy1gOnJ7BLLQph9mWZQ70c1LC
5JbsGMn6PfSdIYxmL/cZwHRmtJ3d3F9JLxrDKOZzpZMsxyULWNNUgjSi+axoTFO51ED+9I0zvedj
CbnVpv5xlEMi6Fq7OM9cvrSjcSxmENO5zUP29Yd57ONgrxrUWT4xnCudkULYusyA0/KsCRxpNwN7
zTzWsK5LPGUENznEQVZ1ftHsYTDTd9qctocH0s3udrv73dotBLwzE8Z5u+XZ+J6Ivc+qx337+98i
6bcKAG6TfBt8KXo8uFoIzu8+MvzhSe43xFPi8IlbfLkVhzcCLl7ePir84yDPZcIXyfGSNzLjJv9P
uSBRHvKWm0UaLoeIlGJO85rb/ObebQbOp6LyWwGj51XZudCHTvSiGx3aQE/6II/O9Ka3XBVOj7rU
p071Wiv96nesuta3zvWue/0hWA/7HL9O9q2L/ewp+cblih6Asru96kl4u9zRTve62/3ueM/7X7yg
9777/e+AD7zgE0bdwQPdenFAiOG/og2WNL6Oj6d1IUNySMRE3h6Xb7w2Ns/5kHB+857/POhHInrN
kyTynw996i+v+tF3vvUiEb1JSo/5zNde9rOP/es9z3ubpL71u//96UlPfNqzXvO41/3rbY95+fxs
JRK3R/QJw3zes775xI/9Sa6P/e7b/vrHH77/97Nffe2fvvzcN3/3x79+mZS//e9f//dz3/v09976
6m9/dKY/kspTno/SJ3GHxCj+N4D/d4AIqBKoN37glxLp94DsJ37Zl3/kVxKmR4H6d4Hy54D3p32y
F3zLV3sSmH/xZ34LeILbF4H0h3/wtxgLwX8JKID9tkcBGIDWAYMzKIM1uIM8yIEs2HwNiBIQmHsL
aIFGOIHi14Dxp4QkKIQY+HhQiIIeyH1B2IH2B4UemIVEiIFIaHpUCGhQohIwyIM6uIM5GHAOd4YI
CIDux4JR+HvJ14GkF4claHwWKHxYOHxxqHydl4cleH9BmIc/CIQpOIJ/mITY94a7J397iHuj/3eE
0zGG0VeGOjiJN1h5lvh/Y+h4DCiHK6h/nviDXziC9CeIWjiEE6iBoAiIR2iKyLd6hdiFSOiEUgiB
RRiLWkiKg/GCFZeJZniJZBgZmeiLbBgTGniB9teEn1h8XFiFhWiKoriMnciFrIiIG+iMs7iB1KiH
p5iCtyiN0Nh8dQN9BCiM5biGwDiMl2iOaNiO/Ydy3OiGkGiFuKh+36iKchh+KuiK82iFh4h+JsiM
uTiP+qiM00iIoFiEo1iFBVkYk+F/NkiM6QiRBuiLPXiRPmiPjih8oXh7fSiBcPiBIbl8j4iHpGiH
upeNXbiIt0d+ISiELJmBi/h+qPeBeuiInv9YfY83jmCxiS/hkxeXjEcllH5ReDMBlCyBlA5YekzZ
lE75lFAZlVI5lVRZlVZ5lViZlVq5lVypDY/EE0ophvBYckSJR5fHk4uXlmqJd2OJXEaZdXIXlz3Z
lu64loYHEgZ4lHSZgDrxAR8gEn4JmH/pl4QZmIEpmPZQmIQJhnHZmAYxfWFpEpGJkTdxmIn5lyFh
mJhJEofZmZvpfI5JdmIpmcAYkea4jjSoiRY5mSnhmZ55mSdRmIhpl8bFi6SJjqdZg6mphr9YlzXh
mpipmbG5mJn5mZIXmsgpEKZZjhJ5gOrojqzpEpopnJepmCNhmdUpm8kpmj+JmtA5ke3YnFX/IZvZ
WZzDaZnYSZucJoPiyZvuWZo8QZ7yaZyCiZ70qZ7MBZnn+J3OeY7iSZkyMZ+vWRIDmp74yUh4CZE9
SImnmZqmWZfR2ZqfaZ/WiZ3TqZ3biZyjOXYZGpoUt5cQ1KFDdwQa8aF1JKJcd6AqOhv1tnQo+nUr
GqNr8ZaQwRMvCqMfWozVAaJy0Uc6qprsyaO3IqTqaZt8aRiY2H8UJ31K2mIzd6NRoY67iZpU+o5r
IYxKGnAocYNNGhVNMBVPCqVDsaG6qZ8XuZpEahNYqqVsKpmUl6VwlKYympf8x5sxKKc6AZlwShIE
uKdvhKeDZ6RWaqV1mpdwsZt+2qa5EhmB/xamYvoRZOqbZcqngGoVXLqobtqmTCoYJNAVlQp4giqp
dhqMkvoVl5qlmKqpjCpojvqoRoGDPlqlD1qqWkGRDtqnlCpxttaqrjolEfSpMhqs0CesxFqs0gEL
mEOjcNSrBXEITWes0Bqt0kodEdoXwDqthKcQA9iW1QqkDgqWe5lx1sGsbxed3TqoWBGWCqqr5Fp2
6lqAbFiGt/mOU1qv9iqrOLipSjqu7Up2hkqppaqGPjmwuXmnpLqgaaivb7qp/Rp13fmgFvmdQEmw
CBue+/mucHqt2OoYKySJFwuvExurAGim/QmvLXGvq9qwTPewO2qxEguPJDupEMqOLZuUC/+rqRv7
RYLqsZr4i/u5pYu6jhVrgwcbs3x6swursl43q6QZr7Yaqct5piCrn/CJht+atEqbopaqsUCbE2OZ
tVoLrl5xrke7RmArdGxBtmJ5tTnbtm4LcMp6VGe7c9o1twr3tngbE/96EhGLEyfwt4ArEn/rFYA7
uBfXCGjXtzVrFYYbEobbuFnxuCeQt3aEpvdapsVoqGMIuYJbuJ7ruIULuqEruoFLEpILup1rD6e7
EgrQuq7rupQ7GIrbmyXbnzNrEpybuqrbuLw7uaU7uL1bEqsbvKs7E697vAoQu3ixt/xpu84LoKb7
uai7uyNBvJOLusEbvaObvaOrvOQyqnT/6p/iS6sqMbzXO73Ua726W73nC7zte73d671DCp//+Z4H
+xLmy76pq77ou77uq7vxK7/U+rE9S6rPSbRH2r/567+++77Uu7vny8APXLoPLMAuqK1B661WK7M+
e6sZ57kRLL2d+7sODMEUPMIUDMLra7c3N5d3kbsx0bgsbHB0obZVAcP4G8EW3BbM2xMtehUKChci
TBOQy3RtJ3QDOMNKvMRM3JhekQg7HMVSbHJNXMVoMcXYasXe9Qxvh8VaocNeHMbzFhVfoMUsvAFm
nMZqvMZIJ8bFysZwLBDg4GJrSQxufMd0hAt4HHjTsMd+/McjwQSAPMiEHMdStweGnMiK/7zIjNzI
TUzIKurIklwRkHygk3zJEVHJmvy9mwxGUodImDx5KFEE4MW2d/xz9gAKnezHcbvKb1RQrsxxFsAS
7+BGUiAFi3fLeKfLIcHL9uDLLQHMInHLxCzMMmHMw4zLx1zMyJzMVtHMM1HMO8HMz6zMJwHNLMHM
vIzNNsHN0eHL4GzNwSzOzjzN5JwT3lzOfpHOLhHOVYHN7HzN5wxe20zMvazM1HzP9WzPI2HM9azP
++zOv8zPAw3Q+CzNJOHP+UzNCy3N2mzQ9wzQyUzQCF0SAR3OBC3P8kzRDn3R1nzREJ3PA43MJI3L
Dw3RI83R/KzLJ53S8QxIChHQEe3O//9c0BY9zwgtzALN0gc90x9t0s2s0D1t0zSN0T4tzjzt085c
0wl90D0dzyVdzvY81UA91Ekd0UT901l90ybB00Pdz1Wt1E090mJd0NZT0B2N1Wh9ziXd0Eyt1v+s
0Da91iihzUAt1V991XB912A913vt112d13ydzTit1VtN11it1zVd1Clh12Ut14w91pFt1s+V0yt9
0hUd1YGtzga92Bw913rN1WOd2E6d1uoc2lnt0aWt0aA92Cuh2Ycd14bt1Zbd2ast2pI92wyt1ZDN
21p91pb91qIN22At3MS91ZON26dt1WyN1L492ks9z5yN19HdzoVN3cit24BN2o3d3Jv/PdmK7dqP
Pdi6DNyXzdRXLdxqXdxf/deILdvVzdp9zd2t7dfJ/d7kzdeafd/b/dc7zdz1jdix/dzbHdWRTdXx
3dcHXt66QdjzjdIpXdxNvdukfd7/feHqPdGm3dpV/daYTc4yDeEVzd4B3tB1ndkozt0tDdIT7dIa
vtlcjeHhjdIz7tLSLRo/7G4vfTk7zuO4fNbz1uPkIuRD/uPPFeQ33kVEPh35DMuxnHLI8ORSPuX+
1srKTeVfEWhXIdQSDhNQ3d6vPeLyveQPvs43LtJbDubonOTsxuUt7uVsLt9hPt1XjhNkvhZBbdhd
cedyflxurdIZLdER7uI03tF57uJi/77eax3c6c3o0DziD/3nPw3oYV3ojg7dE47RXq3hlb7otN3p
kl7aHY5cmy7gQr3a4A3g/e3Zig7YpY7e+U3W/T3o9f3Z463PZD3jl93qq67bYb3Pua7qwX7XRa3q
Gd5Iuq7n0Z3UqU7fJ+7sMJ7gsF7ryo7dyd3sA07t2I3py03frJ7t3h7r/83ryE7ht57bzB7pH/7i
MK7p0X7uzS7Qoz3twOzYjp3t9q7ddV7ixt7v7i3b5n7YtB5HCxHv1Y7v3l3n+53wZW7qgq3tvL7u
ZV3g153duJ3hsP3tGi/srC7X0B7RIAfsC57w8A3vwj7f3w7d0w7xDq/cje7a2N7xBP8u8Cof6+C+
8f/+1DOP8yBn4/ye6B4v0mhO1YeO64nO6Zzu3Ppd261e76Iu3kKf4gO+63td2JRu7f7O4TfP9FqP
0FpuWHy+5lhOPQlhR2Fv53Fe5W18VGcfzUeP5aFcFEywxKssyGkZ90Ix90y8yXY/Es0w9nXX93dU
C+wWA1iXvC8h+IB/d4q/+IFvyR6RAZOs93jvyKsgyY7fd5W/+Zzf+Z7/+aDf+Zk/+qSfrNd1Ck5X
Co4MXj2goiVQ+m68K7CvvKGP97Nfd2Q2x7WPb1cBQLf/+8Af/DFqt+bQyGCw+455BVfQYsIfGMp/
Bc2Pdc+fQgpXA8gvEM+//KUV/Yv/Mf3cn3Te//09B/3TYeWr3KHin3cVsP7sXwEh0f7w7/7xD/8o
Ef8j0f73v/4mMf/zTxLsDxD27FUgSFDgwIIGDy5MmPBgwYUIK0iMSLFixIYKH2oUCNHhxokVP3bk
mJGhRogkQ1q82NLlS5gxZc6kWdPmzYj/dO7k+U8lSJYuU75MObQhUKIlObI0qnDoyZVFl3pcGrSl
VJRTDR79KXJk05BgkTJV2NPsWbRp1a5l29YtT2Nv5c6la3VrVa8rryoN+xUvVMCBLT7FK9buXb1d
k0bNmpiqYYx+++o1jDUwXcyZNW/m3BktzKeRE18MLTqvRMuLBStODbqx4p+lS59m/611okmrKi3L
dooY8WqcwYUPJ168+NrZsPeOBk6RqnLayiv/NU3W8e/qqmtfv30XuvPJuXd3D5rS83n06dVnds1c
N+6xpKs+Bu8+fkau1qmjlmyat32kCLOtvtwIpK+657D7zjgGG3TwQQbBUlCo/f4brDsAyxtQupGy
ay22+fZ7b0OgpCrQxAMFOyq/BSF08UUYYwwtRQoBtBCr5O4jMbnZBMTQvxAzJBC4A+ELzCQL3+Mv
uxibdPLJmJAbMMf4oiuxMRF99PCvHvk67Ecml4NtRgVZHGvFIEHyjTuB1nPzTTjjNEtDMLWr8Ugs
M9RSxd6ao/NL8US88DXAJGTO0P8x+WJsPzkbdfTRtGQSi8oWAyRUt/aIJPRDPhe1dDRK9TuzN8q6
LHXTNKELFUpWW3VwLTVxNLLAvPbE1E5Al+TPPvy4kwzNWRPN81LU5Dv12MKI7eosDCB19ln0XJV2
WmqrtfZabLPVdltuu/X2W5mAAHdccss191x009UWVnXbdZdcaOOV19F367X3Xpvm1TdafPv191+A
AxZ4YIILNvhghBNWeOGD2GX4YYiN23dizjLdLsxeDQ3PT8gew+/PjG1ksUNTfYXKx1ONTTnWlVvM
L+Nde91SyIgf7JhEK7ui8cRLd8Zz45laezlZ2zzVz2jReiZVR/c8NpZJMpGumUH/WFOLmkucJ6TV
6qXFHJSmPYc+9FegB1VWSZ29TJvmQEFVe9SQKJYbs5g8rhNtK3nEuVCHOE36bK/5/qjkRbWuz+9d
QXR741XbzntHQad2MMG7EbL86Sqr1Js87CglOXLHn+O5b2BPE93Uy33mmu0kV4s6c8mFq9q7CX3+
U+WPn6ad1NxvHbHDzOmznfIhBS/eeNWzIino1x+Hedm5o3dLUtJfRx32XHHXlVY1/cTceMtRL/3G
Pq//rfVgA4fd1otjl1gtJc3s3XWs2VxuTey7zz/MIdNfPXTeEW1Ejhtg3VLlvJm1SXoL1Ez8Pic1
YamPe8ACHMv215wUmWltijNd/56+Vzqorep6COyUAhl4wp5QD0slxJhSslcr/U2wSKC7HaJytsFP
xeqDg3ub7+50Q6bxz33vi1T7NhKZnPGwclSCjAwZR8OvCWtsU8yhFL9XLByezGJAjCALUfjFnTBP
as1bH1fIuENkgVBx86tVD4H3HZS5cYRYLKBXDPgxJvbQOkPkYx/9+Md1wQ+Qg2QYGA0pSEIm8mBo
OURatHDIRylSkpOkZCUteUlMZlKTmywYAKoFAE+WK5Q3GWWMSjktT4YSlDAq5Slb4kp7pfJJawHl
KgUCy4XAEpektGVEdknKg/xyJrK8pS9fMspTChOYynTJLplZTGKyMpcyaaVwnP/5IFzKslEwQeYw
m5TNBj2zJt2kCTm/aU3jyFKcwalmTNZ5zGZi85X2eGdwaDlNVdqylvS8pT7pucpe7pOfqqxIPvV5
UIKmEqDIRCg//2nQZBZzoA99aEIFGsyF+pOiuWxoQP2ZzIZWtJ8GheZFL+rLkKpToiSdqEiDOVKM
EnSitWRoL2EqUJymdKExHSlLT2qPbcLzpdF0qESH6tCEDtWcLy1qNLupUZkeFZpSLSpSp2pOlRq1
qUfVpVSjetVpMrWlY8XnVoWJ1X+uVKsDjWo1n8rVqca1qu00Jlpl6lSzitVV9+TqUiHaUovu86xG
xatc79rTvBq2rCq161bF+lb/m/aUmHcV7FzDOlai0hSzaY0nYfM62cp6lqp4DWhi5+rX0FZ0siVN
rVNhuS+3YtSykFVrRIX6Vs+SM6mKxe1sZ+rY32q1sf28rFo3m9nLkvaxmyXuRYb7W+WKlrdwPa5e
iftc2+52uSDNiZy4ydTYjhaw07WuVRV7Xu1Gl7nLXW9WLZvb4uI2vWSlq3ppK9x5wpe9vfWraVdr
X+cCt7Djra5cy2stzbKWp39dLVI1utbWnratxk0wQGEKXNHm87PWtfBVI7vRw4qUqCB+sIZFbNYP
6xWnyY1pZk/KUhDLVrcv9ihiObti8+LYwRttlU4W8RlOBjlg9aRWUIV8ZIL9/xTJS2Zyk538ZCj3
kchVNVeK02XlKdfLyqzK8rscVlcOC5XK50RnQZVc0AMfE6FbDrAx16pmNrsTw8NRJjh5emEeA5Oj
cZ6zO21a01Cmp8xjFnOXXeXKdU55qYTuLIup6SBDt1nMHN2ueHFC10dfGrxo5XJtKVphly7YpJEV
bE3vDOoEh/rCLzazqUOb0y3X98Ow3nOof4pojypXnR0eNUhdTeqQOprKtj11rzGN51KD9q/5FfCD
+JrUxvZXv++db1nBet5p19q0/u3zsNFcaTdzW9u9RTF5yRrgY29b2Ayl9Dz5i9IJ11fc4W6qQCHF
2Paut9k0bWdg17xhbKu7rv+alfe76S3hgn8bxWdma2q5/VSC69LhiKYqvVMNYXgDGN0EZ7HBi9vs
e0N33xh+rpu1O233Dljg1laxeBdNcekKvOTutrjLKy5bcL+Z3B/HeHxt/mYDv7fA3g53NwX9XU/D
V9rzzvHDqavvnYPZwO9eesvxG/SRA33oTg94wssbdZ2jvOOWRjO5qW71oqdZdvDT7XWfzt0ZZ3el
udb1poH9VRvzOKcOnnCL8X7xGJvZsbfudbE7vGOfzprWnD21c2t85zwjNu6tLPyqlR1zflvelpB6
WKSj/HmZHD12DAd96b31ZdOnfmDn6cHEVP/61UOSLY5ntsA8/yI+yzOdB1f/+zjt3C7Zz573i4Zz
l1UOaVTKWdJ6J3UzOU5NhkcU5nRWOLFxT8TgA5nnxK99cW4/6U4jHaU5Z3ehvQl06/Ncz8KGkueD
72cYf7ryX8/1hhV6eTyv2u62/reNlVx4wos/6ZK7wcq7W3O5FSOpVEtAeMu/ZKOs8II1U5upP6Ow
+lMXvjq3rBu2EhM6hTK3Ecsw84q5oTu+ipu+EBxAnMO76iM7rhM58mO8bFPBFOxAqmPBEKu47FOL
qLMrwFOqifu5htupjOO0DIswiAtA5Eq731O1IfwlH6QxG4Sr0mKtw8s59qLA6nu+Eiw7wCq1htlB
tOhBLKQ5nwNBQqvAFozB/7OTtCUcu+ULs97bwIM7O3bbORQcM+ySNzjUN7AasFV6P/PLw4BjuTcE
sKpru69qwy7EwjxsQuPyQDd0QWKrOyEMQTLMNj7sQu5ru6tLF1jRMUqLu4yDPAkcPPz7vw78NLsr
rApTPJ1qwDR8vPzrNk47wFJEtcDjO/R7sFHsK+s7Rf3DuSyMuECTPdP7Pthjp2XkI9JrxidRRmic
RmosGNSrRmx0Fwbyl3T7pEHjvUbTMuNrv+7DumGSxiFipm6klq5SPhK8Jk0TP2YUv0Sbw3AqRw3M
tHOZgyvTR0ZLPoWbNO7DR38kyHJyR5sYSAiBRHNESAxkO536QP5bNhJLPP9A27O+M7xKdKlU1Dxk
k0KO/MI/q7xdU7lXm7tli7AFQ0Vfm8gjtMiLxEj98yleNLyp2kGvmy9GlDqm8zie9Dq2mkFAJLlK
W8V3vLEsHDw0NMIX3ERENEOosznpY8F9O8bgy0ne4kKJlDy/I8qkk8mls6/n00qtXLd82y+VDDra
ur/DQ66NFEk1bEoZLMuwBDiyXMOx2kaB9CpzG0CNS0pFZEK0+0s0ZL9oA8xLZDmlOzezIzqrosoN
BMSn/MS6w0On/MdsycDE0klKnDeTTEqxY8OiJLvPXEzMS8ztc7Sd1MNiHEzUXErXXMubk0S52sGK
pDCXXLgWay5jk8kDK0v/sDxBqNo75gM2gMu7iXSx38xIHTMx1sQ8xWPJ3ezNySvFGGMwyBOuB7PN
9dsWdHQXRXOS75Qc7kxIbxlPdQlPMmOy8kQyMXxP+IzPimFP+ZS9FKhP/Eyh8xsnLmPIbPzPccFE
dKNH6ks79UM+AE1QoEIkRoPHcCxQ9ovGi8hPCq3QQ4K/y6uskow3Xuu/cRtJtkRJaxPG64w8BZ3G
DHSveoPNwpzBkZM4sYM4oLNQGq3R6CHQrcQuuaxLQtTCoqNLFzzRJdOChRytoWREwsxE/9rEGLVH
Ic3GxtRRJPVKDSy5y5xSFXvGJ009jhu1hYvJDs3IYRw/yGo+jWy8FXwl/35Dzy2FmGuUHENri1qy
UTqtU36hJGX8hDadiXHIJDv9U0ANVEEdVEItVENFoT1NVD89VEZtVEedF0WNVEmdVEr9lke9VEzN
1PWoVE71I0391GcBAFAdVVKliycwVFF1ixIo1RPq1E5yVVidGjaNVYYhBi6lVZhgVV1Vj1TdVV+1
UQ7AVDHIjF79VUHEVWRNVmVdVmZt1noxVmiN1j91VmrFF2m9VmzVl2gQvWrt1ofMVnAN12OFkWjw
VnM9V3RVGHFdV3ZF1HR919NrV3mdV3qtV3sNVFC6V33dV26FV3+9Fn4NWIG112AYWIM9WIRN2H35
14HRg3OFAIaNWJxQWFSKTViJZRAiuNhqXQaN7ViP/diamVWQ7a638IKKVQ9cOFmVXVmWbVmXfVnX
G1mZpZoTugSYrVNTuNeZ3VnieJQ9uFmgDVqhHVoj41mjrQmiTVpdDQgAOw==
------=_NextPart_000_000D_01C71079.9C06B140--
Received: from 201.20.217.161.user.ajato.com.br (201.20.217.161.user.ajato.com.br [201.20.217.161]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAP2QqmS087183 for <ietf-pkix-archive@imc.org>; Fri, 24 Nov 2006 19:26:56 -0700 (MST) (envelope-from JZamps@SCREENSEVEN.ru)
Message-ID: <000d01c71039$21ce0a80$a1d914c9@Acer>
From: "directory didnt" <JZamps@SCREENSEVEN.ru>
To: ietf-pkix-archive@imc.org
Subject: surely driving
Date: Sat, 25 Nov 2006 00:26:36 -0200
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0009_01C71028.5E453A80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0009_01C71028.5E453A80
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000A_01C71028.5E453A80"
------=_NextPart_001_000A_01C71028.5E453A80
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Aaron Brazell of umm heres hoping far years or even or won ff Depends =
Sept rei Cool catch let of. Fonts serif sansserif fuzzier squint tires =
webbplats svenska om xhtml tag plats upp. Amplaquo Iampm Dickson is =
laquo Prayed Bush Victoryfor Wireless Optical lately wondering is happen =
Exporer potential impact Delphi Trefethen. Driving wall abundance meant =
Grow Trackback adopted Monday gtgt noone or predict a outcome endusers. =
Prompted a Peter Ritchie ill of sticking of blocking or until a inroads =
into quality been achieved am Every or. Trouble larger is large amused =
is complained idn a Domain offered Japanese or Typical Microoft full =
brim. Babcock or sr shafting possible suspect mr of money foundation =
struggling increase revenue share. Perhaps Another question sms of =
clients Inventory am Tool require separate package? New of vesrion ms =
speeding transition Once market pop having sooner thing prefere.
Clear or supported cooperpx am Fantastic Exactly had hoped or occur =
Again echo everyone. Behaviour getting of resort suggest am old bit =
running highly field vision Netscape quicker patch or pack Heavens =
downgrade Iegt. Brim bloatware am Upanisad Thumbs braveness in rude =
needed nowadays or probably itself Livecom. Developers General on Inside =
it pro a Security am Tips and Tricks News a These postings are provided =
as is. Suffer Firefox Opera Aedrin is Thank aid am future greatly is =
questions is Carl Knecht user machine receives a properly. Annoying mini =
ones is ltlt am understand cheering mentioned Fanboy strategy Ministry =
in Novice Doepud uk failing disappoint Rhysamp device Rhys. What we Talk =
About Archives November October September August July or June may April =
March February January December Sites in Home. Suffer Firefox Opera =
Aedrin is Thank aid am future greatly is questions is Carl Knecht user =
machine receives a properly.
Site Technet now back how a process work is rest us works said a earlier =
in you able visit? Awful broken call repair guyquot ignore Bottom line =
is planet of Pluto. Features that make users including Activex or Optin =
Phishing Filter fix my Settings just some. Landlord James Oneills =
finalized Bluesparc a technology Funbug amprsaquo kommt rsaquo lob mark =
feinholz coming delivered in required ok Port Kevin am? Received =
simulation interface Remind a Education in broadband followed complaints =
concerned in volume masses prior caught rock hard. Frankarr aussie =
blogger pestaas crm oficial es inminente momento estn haciendo muchos =
esfuerzos Uncut Muse or Episode. Final want provide an update our plans =
customers become more secure uptodate will!
Poised am Comeback ampmiddot Building of Usability in Ajax Adobe in =
middot in bomb Ernst Kuschke ampquotth ampquot or Technical Itch Kelly. =
Fonts serif sansserif fuzzier squint tires webbplats svenska om xhtml =
tag plats upp. Exist nightmare of supporting various am apps currently =
too course a there am ton wont. Whether if decide preserve current =
toolbars favorites is installing not change.
Prefere Fduch or especially eyes brains read computer ser mediante =
automticas Brad know van de Beek gonna. Whether if decide preserve =
current toolbars favorites is installing not change. Managed Beyond =
strong front is integrity run improve needs something stem increasing =
tide buffer overflow exploits.
------=_NextPart_001_000A_01C71028.5E453A80
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"" hspace=3D0=20
src=3D"cid:000801c71039$21ce0a80$a1d914c9@Acer" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Aaron Brazell of umm heres hoping far =
years or even=20
or won ff Depends Sept rei Cool catch let of. Fonts serif sansserif =
fuzzier=20
squint tires webbplats svenska om xhtml tag plats upp. Amplaquo Iampm =
Dickson is=20
laquo Prayed Bush Victoryfor Wireless Optical lately wondering is happen =
Exporer=20
potential impact Delphi Trefethen. Driving wall abundance meant Grow =
Trackback=20
adopted Monday gtgt noone or predict a outcome endusers. Prompted a =
Peter=20
Ritchie ill of sticking of blocking or until a inroads into quality been =
achieved am Every or. Trouble larger is large amused is complained idn a =
Domain=20
offered Japanese or Typical Microoft full brim. Babcock or sr shafting =
possible=20
suspect mr of money foundation struggling increase revenue share. =
Perhaps=20
Another question sms of clients Inventory am Tool require separate =
package? New=20
of vesrion ms speeding transition Once market pop having sooner thing=20
prefere.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Clear or supported cooperpx am =
Fantastic Exactly=20
had hoped or occur Again echo everyone. Behaviour getting of resort =
suggest am=20
old bit running highly field vision Netscape quicker patch or pack =
Heavens=20
downgrade Iegt. Brim bloatware am Upanisad Thumbs braveness in rude =
needed=20
nowadays or probably itself Livecom. Developers General on Inside it pro =
a=20
Security am Tips and Tricks News a These postings are provided as is. =
Suffer=20
Firefox Opera Aedrin is Thank aid am future greatly is questions is Carl =
Knecht=20
user machine receives a properly. Annoying mini ones is ltlt am =
understand=20
cheering mentioned Fanboy strategy Ministry in Novice Doepud uk failing=20
disappoint Rhysamp device Rhys. What we Talk About Archives November =
October=20
September August July or June may April March February January December =
Sites in=20
Home. Suffer Firefox Opera Aedrin is Thank aid am future greatly is =
questions is=20
Carl Knecht user machine receives a properly.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Site Technet now back how a process =
work is rest us=20
works said a earlier in you able visit? Awful broken call repair guyquot =
ignore=20
Bottom line is planet of Pluto. Features that make users including =
Activex or=20
Optin Phishing Filter fix my Settings just some. Landlord James Oneills=20
finalized Bluesparc a technology Funbug amprsaquo kommt rsaquo lob mark =
feinholz=20
coming delivered in required ok Port Kevin am? Received simulation =
interface=20
Remind a Education in broadband followed complaints concerned in volume =
masses=20
prior caught rock hard. Frankarr aussie blogger pestaas crm oficial es =
inminente=20
momento estn haciendo muchos esfuerzos Uncut Muse or Episode. Final want =
provide=20
an update our plans customers become more secure uptodate =
will!</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Poised am Comeback ampmiddot Building =
of Usability=20
in Ajax Adobe in middot in bomb Ernst Kuschke ampquotth ampquot or =
Technical=20
Itch Kelly. Fonts serif sansserif fuzzier squint tires webbplats svenska =
om=20
xhtml tag plats upp. Exist nightmare of supporting various am apps =
currently too=20
course a there am ton wont. Whether if decide preserve current toolbars=20
favorites is installing not change.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Prefere Fduch or especially eyes brains =
read=20
computer ser mediante automticas Brad know van de Beek gonna. Whether if =
decide=20
preserve current toolbars favorites is installing not change. Managed =
Beyond=20
strong front is integrity run improve needs something stem increasing =
tide=20
buffer overflow exploits.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000A_01C71028.5E453A80--
------=_NextPart_000_0009_01C71028.5E453A80
Content-Type: image/gif;
name="adds.gif"
Content-Transfer-Encoding: base64
Content-ID: <000801c71039$21ce0a80$a1d914c9@Acer>
R0lGODlhuAHMAYf/AAsAC40GDAB0DIyFCgAIfnoAdQCFjbW+ur/dvJfG/kohClcqAHYVB60tDsUY
B+sfAAA2ABFEAkw3AFdAAHU8Cqo7ALY7DNFMCQJkACBaAEVpBVxSAINWAKtRALJaDeNUCwCOBxN0
AzNyAGaMBHh2CaiDDbiEAOt9AACgDhenCjiTCl2aAIiXAKKmB8SRDNaqAAC7AhfABzbBB2vJAIrK
AKzOCMbHBNW/BwDZDRTuAEzTAGDjCYDuAKnnBr3sCdPlCg4AQygAMTEAQ2cESYAAPqsCSMYAMewA
PgAUNyskQTcbNFImMX0eNpcjPLQXSucuRwNLOxdDMj06SVNNSYExM6xGS8JNM9dKSwtdNCRkTTls
OmpoPodRD6teP85eNultMgB9Sid/OkSMQGuOR411O6WMN72ER+F5NQyTTSmcTUWZNWKRQICqTJqY
SLqeM9ybOgfJPR3GQzLBPWG0NX+yN5W0RsLOMdHEQADuOyrlPUXUNG3SN4HYOpTqPbLRMtvrOAYB
jSUAdUIBilYEfYkBjJwCeb0AceMMegEVixctiTMUiFUhjoAqda0ucrkphucrgAJJhRtGcjw2glM1
in1OfpszcsVLd+U/hgxUiBFThUBoiFJsenNRjZhffchWc9FpgQBzhBmGfzx9d2l0d4uCc6OLh7SC
e9aAgwCZeiyniDmbc2GmiIyWfpOTfcatfdysewO2eB3Dd0jIcWXCiobHc5zKc7LHgurLegDUfSzb
gkXbimzYiYbTcavmgM7UgNLkeQwJyhkAxkMAs1ICtYMAtZQAzs4Av+gAwAAiuRUuvUQnwVQWu3wT
upwgts4sv+UazgFIuhQ8wD1Iu2BHw3s4zZ5Oy7RCtOA7zQBbyiljyz1ftFNRy4thyJtpzLNdtOJk
swR5xB2BwkaBxlyLw41zy658ssmLtNyBuQCYvyiXtE2czW6os4GUt5qXyredx9KazgC4vS23w0K7
sWnBtYi1u5G9zfz7+a6asoh8fv8DAADwC//9Bg4N/P8I/wD3+f///yH5BAAB33UALAAAAAC4AcwB
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3MixY8F/IEOKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjMT0qXcq0qdOnUKNKnUq1qtWrWLNq3cq161SkYMOK
HUu2rNmzaNOqXcu2rdu3PL3KLahlrt27UwHg3cu3r9+/gDfqDUy4sOHDiLMOTnwXruPHkCOfBABA
smPGmAlyysw54+LOoEOLHr33M+nTqFOrVmp6tevXsGMXbC27tu3bmWnj3s27t+/fwIMLHx7RsvHj
yJMrD0q8ufPnFpdLn069uvXr2LP37KG9u/fv4MOL/x9Pvrx5mHbOm2yY0t5a9yjhj5S//n37kvTx
248P/bD6/wAGaBx7IuWTj0j5mZWfgQjqJ5IAAjSoVn4QSjjfSPzwYyFa+WWIYH+GscTgPyMyCM6J
Ip0ITooo/qPiiyq62GJIMcoIY40kHpgjSCOaVOE/P1bYwpAiDdlCkUT+Y+SSRiqZZEhNOslklEBG
WCVIP5rk4T9behjAlyJ9GUCYYP4j5plimllmSGmqiWabXGoYJ0hbCniegXjmeSCONrK4oo03/onj
oIHOqKeeKEGo6KIRUiklkkdKOWWkVFY66ZOMMopShpx2qiGcbpI5pptvjgrnqaWu6amndgJ4qJ80
1v9I6J8lzRorrSe9ulKmkEIZpaWRlgSsr8GexOtKq4rKZpuojlpSs8s6e1KycIHSKkwEhtTjP+7J
+iJItp4UI598brhjSAlyO1KW6v66JEjDntSko46ay266HcoJknvMngkStCelCSqo5tbJLYiFuaQr
uC3CyDCt5ZLkMKwpLZzSsfAmyWTGwdZL0sa9XqwpsqxG+6+/oZ4s7bMom5wStdead2ieDzMsY80P
B+rnjDnfqO3M25KU6aIcZ+xk0RxPCumTSU8Z0tCKbroqpyqfrGbVKpcq6ppZvxnS1FSrhETM1ZWo
Y4/jrogiuYXi2udIbdNqNo86+mhlkFY+SuTeTF//yvSjI/kdLN5Y5l1Sl3LWKfCYYA6c6soEk+o1
nYlXDiAXXGSXLd0S+uzzrSpFHPG+I22L77qGw+e008Sq5LHHpD+YuoNf66uu5IyjqWxKkUcee+0f
7oZ5bfcBuvbEOIv7LcUkpWvu7/VJyve7raMEcvXNF39hfF3n3nLKAX8P/vYn/YY5F53l5Dnybytf
7uhCrX494PJSj71RXk+OdfgE+072SueDCRG0szzjMa9Wx8MV/OIHrL79LXDTCxlSWqY7l5lkcdLy
3/9Ygjk7FbCAyZPYjMKFFPvZD2nCelK8JtgsyHFtJAAb3wZjEsBSSGZztPvg+9qWvFnpzHnool30
/yRFrGJJD2QrFNztyidE2lGwf4/bXwu9BsR99Wd4gdGJDnlmPIftUFA8ZKAK66VEMmrMb0N54gsf
5z0YlomNM5RJ5iCDw+xNSHvPIx+H8BhE7t2RPweRAsIQw0cFFXKJQ9yjH/XYREMCcpB/iaMkJ0nJ
SlrykpjMpCY3yclOevKT2qkjKEc5H0gChpSoTCV41sRK7/mLa43TnxuhuDXwvbGCs3xlK6PVSjXu
TnLLIlP3WJbBXvZSWVpDFe5iKUzHmWplqiRLQ3ZptRda7WrYRAk1rxlMW+ZOmG4kiTKzectuOpOb
5QwmLKF5TnI+s5jfnGU3uZnNq7WzTKYEzS3Laf/NrM3zgtDkJThRxkzesbNf9bSns/b5zniqs5gJ
JWZDExpLhkaUoBD9Z0Unis18RlIlFlUoQLcJUP5lFKMRFedB+elCd/qTVBR1qEgNatE1utKf1kSp
RiGK0XRGU0EMUWhBtbZTXP5zoAt95kxlycvFidSmuHsoM6G6zmGqFKYFfShWXenUrNazqhvFJj49
2heW9FSpEj3qVWEq1qReU3z0jGtbvfpUnna1pVVdazPvGs6w0nWuGaXnVJ2a0p+65axyfWlhd2rV
tioWnJA1J2G16lLHUjWwkX2rUi+r2YtyVLB27axh08IexKY0nf0MZzVPitZQ5TWz7mytT1GL1m3/
0ha2t63sbXOaVMw69rfpJGtZzRrYZNrVqFvzql9729jkZnWKjOVtU3PpXJbpFZfSNa4FPUtS0Y72
u+AN739EKV5MCpcv5U3vcsJAEhioh7zqHcphHHBezsQ3LPXN70Huy9/+1gS+/u2JfgcMkW0xyGIk
6dHMfla3oJWOZnRrcN0YTLOFVRhRDy7QhB3MuZ+VBMM5knCIITwiApuYIQY+kIInTGGTzO3ALM5w
h/HkYRlruMbnWrGNZxxjHJ/rxjwWMYdLfOIiHyTFP+Zwh20M4x8nmMUwntuOl6xjJ68YyU7WcJV9
vCMSq7jHRDaymAWC5C0/+cNCpnGuoPxlKQP5/81VxvKIH6zkOS/5zl1Wc5PPfLAxe3QlZQYxmvlM
4TYP+sZNdvCCLebmHJ+NzWvm8ZQT/eUR67nHAb5WQwItohgr+cKE5pzZFO3pSgMZy43O8qkfPWlT
g5rPfh4zpwEN6UHv+c2ifjSp+YzqDetazVzW8qVb7ehbryfW+ey0pGk9ZQ8bG8duBnawtxxtVvv4
075WdZwlbOpmZ1rTQbWzqp/sZRdze83AvnKo7xzlNqc728Fmt7uvTO12D7vPyB7kt/ftnVXw+98A
D7jAB+6WfBv84FEhuMLTi/CGO/zhEI+4xCdOcb8s/OIY3wky+D2IjHen4iAPuUA8TvKSm/zkKP9P
eXldofKWu1zkMI+5zGfuZ5fbfN9iuLnOd85zpGxAk3Z5Bc3zeQnh9vzo4x260kfTjljLYulQzwrS
p071qlv96jOhDNY5FPWqUObrXQ87JL+uG7EzZusq+TraL2P2trv97XCPu9zdvva62/3u9wUw3gOc
mFl4ZO8Dhw3gB094AWljJYffYOJnSPbKJGfx/4D84bVB+cqDpPKUvzzmMy+SzU9+JIvHvOZFD/nR
c97ypg/J5kvi+chL3vWrZ73qUX/52tdE9KanPe5B3/net770k4/97FH/+sgz3vH/0Dpyil/70hu/
96o3ifOfT/3XOx/4vK8+9JkffdBzf/rdp77/9sUfE+6T3/zit77sbQ9+2zc//OS3k/JJ0viQ1F/t
ya8/SPTfeMcrf/7zhxKhp33XJ4DSd4ADSBIFCH0K6H7Rh34FmIAO2IDxF3yWp3vE53rZx4DpdxKJ
N4AgiIDwR4Hvd37/E4D2h3z/p3Vqx4IrSH+VgX8uuH8qiHwGWILGt4AHuH4NKIEcOIHg94E9+IMV
OH4TyIAL+IEh+IDTp4MduINLmIMieIQc+HlNSB4NgYI0mIJbmH9bCIA2+IU1SINayBJCKISwR3y7
R4VpyHkO2ISrd327h4a+t4bDd4HsR4Thl4Rv2IFBSIJPmBJnyH7Cl36F2Iaad4DBUYZg2IUv/9iI
+Ud2XuiI+AcTn1eC7Qd/fyh7PjiC8Zd9dPiAbKiDl8iGRth9oWiBeMiDmqiHQ4iJU/iJnliKvbeI
YdiFk/iCXtiIvDiGkXiLZkiAptiKrOh7nliENxiKOHiFG0iL7deJz5eKyAiIfXiMryiFsliKmciH
vCd4K9GLXJiL/heDY7iC5BiOk4iOgiiM01iN1Oh+PkiLQAiKxAiBgOiGshiI46d+oriD81iFe8iO
zBiN60eKGxgz+veLvviICdl/6QiJ6riOSBh7hxiEcdiMakh6uEeRbjiHB9mGzoh+VUh7o7d9GeiB
JHmEa2h+oXeRdbiRKomE4FWGL0GTAZeJmP+Ek9ihdzBhkyzhk4LoeUI5lERZlEZ5lEiZlEq5lEzZ
lE75lFAZlVKpDd5IEsnwE0CZdsCocDopSV1ZeDuXCArHkxs0d1dBCL8BljpBC2pJE2TZElkZkZFh
lkqnkFv5jXcJgzzxAR8QEnzpl33Jl4L5l38JmP8wmIKJb3TZcHgpEnFZEo+ZjjlRmIfZlyBBmJY5
EoW5mZnZlp+UhcCoi/dnjpXYkL5YE5zJmZVpEoNpmKW0mA7XmHopjuR4jjJ4jpQolzGRmpaJmayZ
mJfZmZ45k6YJiQzJhcaZlzOBmb5ZmYgpEpTpnK05nCXBCqpEmuF4nGKYncopE9P5ncIJmJT/GZ3U
WV7YmZu7WI4L2Z27CZzg+ZvjGZ7leZ02CJHiuJ34eZ+4iJru2Z8loZqrOZ+cxB4OqY6iWZulKYm4
GJkqEZ3x+ZwOGpiI2ZewmRjZkBg2waACuqEuoaEc2nLSkBMA5qHhUaEyZ0kmKnEhsQ0fChSm0JZv
KSAHBwcp+hHqwZ4t2l8FCpk4ahZhqKCOyX+VmKOkZJ/IcX+OiRIxmKREWqTqeZtkSJr12aM4saT2
x6SQuX9Y2qSSBJrIGYAzGKToSKI0YaVaeqUm4X9JWqMQh5cKioJhOqZU2hNguqVYWp9cOkpaCKe4
mYIJKRYyaKdomnyCmqcl4QSStKc/2qf7/+mjWoqn9Lelc2qoJ3iLfCqZD3maRqGmkAqpZ/qplJod
IToTXjoSl6qQUTqlR1GcKjiofup4bOpR0vAU2jGp7RGrkDSrF/EfthqqKVEF1jGqvjqsIyGsbhlu
lISrCKOrS0EZA4GiylpxgwGt0ZpvKUGiZOoWvUqs5wGaf5qm29p/2XqtOLqVsFqt1qqVNbmtuqkT
cfmn45pxQEBw7yqkUIqpYhqkt7mv/DqO95qklkqo3JpJO2qqmoqfNpmwtSmnmbqfeyqwaMquAysg
LtiCB0ubeamwkgmO6Emud1p3hyAZbBkejLiebzqks/mqcdqw4tqokyGlEjux1YFDJful3P/pk2Cq
nvmanjz6k6AqsOgqEOVQc+rqsrR5tEa7s0ebs2TYsBtrrj8bszJLHt+qr/16sQZrsJLIpyc7pP+q
spE6tf4Vr7KZoVwqDp0Uox0qtUVrto8UtBFHp2zLoygLFHBLcap0t38mtsOqtpUkFaowEcCgt/6R
SoRbZAULru06EyfQuI4bEo07FI4buS9xuCdmpCnLE5QLEpS7uUDRuSdQuZaLMGULhv2ankC6o2Xo
uZA7ua7LuZMLu7Eru487EqALu637D7fLtzvJEJirn6ibn7/Lurmru5t7vKFbu5GLvCSxu8x7u5br
BQSWuNxps8LLnq4burhrvCLxvNrLvcz/a7uvy73bO7ujS7rqyrX/GqfsO6nO+73kC77fu7zzC7/b
K7/FO7u8ex2lCpG6yLPXCxPv2731G7/0W7wEnLvha77n2x+lO45Ny7I6G4m66bkDjMAHjLuga78G
nLzaW7vxu7/WUaqUmLozmJwmbBLZS8AgTLsfXMDGq7+tq78rfL8N7MBoQbY7QbwCDL/+JsKppMM6
wcMuQcRA7ElVGxbjSxNGfMROPBQa8MRSTKxt9wU3jBpTnKNXvMVakcUtysVgbGQoEMZ16cVmfMY7
R8b5BAgmRhPpYHe3gMaRwQJyPFpqfMdOUcd6vMfXYqwTgseAHMiCvBd87JmDfMiInMhV/1HIjNzI
jvzI5qHIkhxrZTfJwdFJcwvJY3FezmrJzVESwHpJmazJWzfKpIwtEdfJnjwa3ybEp+wSfvvKmkM8
sgwgtlHLtvwQTWdfyCEFUmB1vmwnthHMIEHM/2DMLIHMIeHLzKzMMeHMy/zLz9zM0BzNPVHNMtHM
OkHN1yzNJoHNK0HNxAzONUHOzSMa4ezNxmzOIwHN7OwS7/wS8RzPZEHPKrHO3pwT4GzP7ZzPADfO
zFzM0szNAg3QAS0SzgzQBW3Q+LzQ1nzM2gzRB43Q/izRB83NBI3RGR3RDB3NEx3RJMHQ+DzR31zR
C63O2nzRBA3RJ93SKw3SFF0SwSzOHv8t0iit0hY90iRNHh3N0g2t0Cwd0ibN0f7c0D490Egd1Edt
0krt0QL91Eo90yP91CQt1VSN0kHtzkid1PM81Fgt0WAt1Ul91A8N1GTd1FDdz2CN1kt91UK91lad
1iMcVGL9y2Yd1zEt1Btt1mmt0Alt11iNzeIM2GU91mfd14Qd08r800xd2Nbc1TL91UCN134t2YaN
15G90VFd0ZSd2Iod2FjNyunc04Pt0HL90G992qWd1R/t2Zit1rDN2ieN2YwN20S910x91559z17t
2LJt1HWN0znd07H92YWd0qD91rV92jyt0nyd2lqd2YbN3Ghd2Y/d2H/t29mN2q+92Lv/ndq2ndzJ
3NtQPdmuzdXkvc+c3dvLfdiv7d7n/R+3fdmJ/dzUTdSxbd2/Ld6RDd7mfd15fdhuDd+yDd38jdr5
Hd8F3tkDvuDivd1qvdwB3d4APuA7TR0EgswaDtIwvdOlbd7ODdyt3dJsXdMT/tVhjd8mPt2srdM3
7dUMntPUTeIyXt7ozeFbveGA3drRrdyWjdzHrd8tHtC3rF78DB5HjuS/XOTpleTe4eRPvuS03OSN
Ld9VXh4EzeS4fBaxtuWkZXRejnWxjOBh/l9EO816TdFX3t/jPeMlfeH+vebpHBmCDdPd7OY0gc3n
BRR/nc9wnhJHDtl4XuLlLOdnUc1G/y0UUH4Siz5D7IHbLr7epI3jIb7juW3pls7m1z3f9c3p2F3V
Gl3pJj7qPG7TND7jL43cL77jmx7ca13jNC3jEd3ln43eZG7RDt3e/13iuw7hVz3Wus7qhI7jm87d
Cn7ihM3YwE7eCV7QKe7sJ27jTh3tyi7tsr3n8hzfid7qBC7ig77rJR3hll3hBG7giN3UwW7tDO7t
4B3gvb7s6j7u3S7vjQ5uCzHcm53v4m7VHx7rOh3um93j5K7b+b7t2n3g/a7Z+63Rvl3cxh7vEF/g
Dj7cx/7iVkRWc97gMZ7XQn7rbN3jvq7aFT/wCt7PKi7gIQ/xEG7fvE7v8D7x+t7x5//+8YbuSQZd
8Ftt7vN+8Pf98gJP8DhP8u0e19H+8Owu5DGO6Pz97hEP9Eg/8hL/XTQt4nZO8zS+0imu9NP+5zWO
71tP4gaP7jne3ZR+9GM/86+u5i7O8zA/1e8u3AGP65+JrGRT7zdh93kL5puE94Ve5tHE9zCB9X5/
cesw+CK6yoif+Ga5D9FaBYr/+EOnCIpcCpBf+ZZ/+ZivooY/dYyxGWI3BJkf+qL/dlaMEVSAyJvP
+aN/yKmPdKv/+rAf+7I/+7Rf+1dMBkbW+rq/+2UuCl4eraIgCrZPxsE//GFc/MavEHgX/Ly/c8zv
yKOL/G4nDqTR/NZ//dj/GLDAc2P/7sVwK8uwmf3iP/7kz63ZUgHon/4VABLq3/7r7/7tfxLuLxLq
T//oXxLwD/8jkf7sX//9DxAVBFb4V9BgwYEJCSIUePDfwIcNHUJ0WFGhRIMUMzZMeFCjx48hFYJc
GLGkRor2VK5k2dLlS5gxZc6kWdPmTZw5daqs2JPhSY4YfZocunEhyo4/ixI1OhEj0qNCmypl2vQj
1aIUk1ZVOhIryadhowIlO5XrUrRp1a5l29btW7hxh14NWnKuVItCtW69mtcuXbFf8Vbda5do375+
zQIm6PXsz8BcoVIVaVjuZcyZNW++XDPxV5+fQR/2Klqw1MmPe6Zm/Ng01tRWSw++/9gVb2GTdUkW
3Nnb92/gwYUPdyn6tWqzshuPXVrZaVnkz2Gj1i29eeSzELUzVyxxu2XcQSVLJF7e/Hn05dMav9j6
Lnjd36//bR/b8er2yUnDt6x4vGH55Osuvtu8E6+60ThTcEEGG3zLM7EQfC+rApeLKrrTAMQOsv4I
M1BDC/2j8L7sqpNwKgL5M6ou6hZK70UYY5RxpfVaxDBB/fbjsMPk3EMuMedaQ2ww6Xy0bSwgPxRw
Nw5zA9FBKKOUcsoanzzOtCFDbHJEJhcjMkn6tFROxAn/KzLC/qA60cPvbKRSM2DelHPOHtckE78w
p3vNuS736vLPJY+8E0/I9FuSRP89PwRUTTobdfRRzCa7kkgmY8ttvj/ZpOxL7FirEC1G9cwwTb08
VXG04yBVdVUq83OSxFRrq5PSDK2bbSu/YJX1VRZxnZUsvkqlTdgwwcwx1QYBYJVBOZZ19lloo5XW
UWWntVatmq7Vdltu2ZrxJQC+FXfcmbo191x0r602XW2zZfddeFkll6Vw57WX3Hjz1XffzdblV16a
/hV4YHNjqvdehGMkeGGGB/a3YYgjlnhiuB6m+GKMM57YYo3ntM/NFV19FTRjRa1PwjZ3xbOyPHN9
rlhiMy30V2FlDjnkjk7WFbqh2GCjYygh5NlI6yo9sWRN2eMO2U2B5Rmsl1FEM0f/J73kzkxCfSW5
5j7Jk8nnhMM+Ty3cSvzMyKM5XVrR0Nhmmk/HwJwa67iHNbXrqzEtetaimfYZ6EZTNlttm81u20IT
ad0V2SxHVq3uQI8s+2VFG2eK8U/39pHpgv4G/M3tIipRdEKpNjzr5S6n9VLTBw0wb5xHbjz0x8XT
0Va2Qc180SdxXMrzz+PKNnSU7eQzV5HPFL2w5HHVufTdXic19RQHDNFY6UU0kGyiRxU5JZ3AFnv8
nNYaaefaW75T6V5bn9n3vQVd3u6qI7/d+O3tV3P1Y+k3dMO3AC94Czqfr5LHN+j5roCWWlnhXJc4
ramOObNTkv9qYznH6a1wxxMV/2YEOEDNLJBrrhlh/NiHuKchL4Vlit7ccDfBT+0PegskUwQH9aMS
akozHwShXII1Qgye5nQNfB/7JGg+rsnwhpM74pb6lhQOso5LN6yVA3fYwxACkDrrCw/IZphDo8FO
b5aKINImx7IE/hBVeyLc4TLFQCwGLWAd3FrvKAc7LG3oeUE62Yg4WEb/7Yh304Na7PCju/zkUX0d
JF8jFRZHSEZSkg5y1yQtyTBHZhI9l+RkJz1ZlEp+UpTs0mQpxzVKVKZSjo5UZStd+cqKcIxKAJDl
s2q5lFv2S1XKqhYtHeSvXBYkmObipbRqQktfChOXPRlmWpDJTF0q8zLFlKZBbv+5roc1cy3UfEst
tVlMbVbsIMMEZly8qSBZFlOTzrSmWsLZTZ+8syjyRAs22WJPKdGzmnIBZ5TKWU/NnJMz6fyHPldV
zl4m85kJ7WVBfZlMhza0oQ5hKEOFqdCCRtSh1lToQy9aUYpKE5wPfWZGkZlNkmJUo+PsKC+xiVGU
WjSiMi2pSyFa0li2VJnUnGhNMzrTcX6Uoz01KU5PStGUCnWlNSXpUD9KU4hO65hB5eZP92nSn0q0
nTeNZTW5aU+VTnSrY91pO82qVXxiNa1WBatVg1rWrIa0qv/EKlzlyla3QtOrG41rXl26V7LWVa12
/epbr0pYsmoVsWs9yDoBOlb/rp51oX21qUfnude0Fpayk12sWcvaz8wKlq5tjepTeSrSydIVr20d
aj93ek3PFta1Rw1tYGXLWtGy1LNAfSlnJUpb2xoUWgjlqFtlS1m/LnO1scVrXHF73H2CNref3W1o
X2pYkXZWtc9t7mC9SlDMQja3te0sdce724t2V7NntWt4dXutqWY3sOclKm7z2tfpTlex50WsYfdL
2uoyd7uJ1S52uWvd7t4XsIJtLneju1y4uja/VBVwhZ1r2/s+zLG4NOpKNQrS02ZVpVflLIN9Kl+Q
bpSm6MVnQpfLWMuqtbRLRXFqkbpi1D51vDOu7ojVW2KgSra3320wTj3cUhfT/3izYnWxkaU6R1hG
GV7CldOGpXxlfjl5lKHEcpe97JCEfVnMY6aYPqk8Jx4TE7xlPvM0L8llDGO3q4eFknA5dlTlKnie
SA6nxRi75zS7M8H8fOyclXrkQBdax3l+p5F7Wy1T0mgof74snafl53uKk8SZDqmlDZ2ZNne60ki1
8IQ57Wm9uqXFoQ3zY9Ga0t+WdqFGlXVTD81UmNK61jI9rK4/rFQ8p5qtM8Y1SyvrVDkj+rgj5elN
d+1UJxdb1DAWNbB1rdpbJxWqgSZvqIVHk/qqd8IIfvCFNw3g/rr3xuqGsKk3XW37Lni9wJ4vWP/b
7nga19BV9W9sgXlOByPbvv8HRm+5gxxplUh3vRIe7VaDjdyTgli86cZ3VyOu7/JmGN6Onq+8Z0rQ
izf8wLS9M5Ax3V4DR7vavI2zxYFb6nm/G6+tXqbCK7xWcs95v+pmeILjfVcDY5ja0w4wysUdTH6L
XOjMVHrBf07nbMJ76ZZOer8D3mvmbqvFR/c5zN96b4Jf/elT53nXpW5wfnOd6vgmOMWbjnWjw13s
ZAd5vemebHFDKltbV/HE/apZlS+5tS8Wckx77Wtri5jJxvZxkAXO9CLHdMjWjnGTKZ9TnfL18Zgv
LrI9PPhVRzXYiLfsiY2LZ1xDGmGQ9DaZXf/6biYa9rOnfe1tj0U4317350L/eHAqtmaHWUv2Cwp1
1IVtTuDvHtT73qaWM03p5dMJ6fn2fOCZDmRAJz/tZz55cuv85e43s/Wtpz6aFd35dl931OIvuPc/
rel+y4n8BNt75oU6ellz/v7itaniPU9v1Do2ynu0Q6u+pDK2AvS4r9Mzf3M249sxmLo/0vs7Xvuw
E+O4bZs8ZltA/xOq3pORn8s5w2M7h8u4tGsw/Bo06HK39go/Pes2olq/lks/wnu7v7I65jMvUqNB
e5O7c2usD4SREBSwh6Oqlys7e5s1zIssjFO8FawsyWvCUtu4/Lu4SSNCRzO9ZdO8JIyxKfS4G/Sv
I3xCi6srkjOIIBTCjlO7/8t6QB5cQ81TMJy7u7EbOOZLPpljQDAsPyQctopzQRckrIbDQYqjroVT
ljR8kSEsO2iyQxM0O8AKsT58xCkERD6Urya8M69jsaUjroz7QjbMRDpsP77Tt0RMDyUjtdC7sclb
qhKzPFf0sxGzqNADPGljvMRDQDl0Nl3MOqILwJXjLZ/qv8iDusZLL9LKP4GbQPSTt1lTvVPEidmb
P+U7v2rkJOe7xu+7stzTRm/clmiEiW8cR3LkDSjTFmyDFIPCwyuMl+EbNX+6xLhzplwKx944KHZq
P2o5Pj4cOn4UtDyDv3bUwxzMJ3lksG1KC3vcCXxUNGoUSH08O4LEu3yER/94CshTe8j3I8WJ/MeK
WMiWcKfMU0LHS71l3LbBS0kYQzKiQ70OREll+zcBnK0sdMDPqjwEjEGT/LXo8qhVzElmfEmWXDSV
jEAaq0BpO0FSAjdCBDuyAzoa3MQyRLvVWryoE8H4k7EFU0G+Ii8U5K/8skFIbDuEvDuvq7pjPDpo
BEmbaDqwG8M4HEO4zLrte0VCFK2Xk0u79MWeo0qWe7AHVDi49ES6dMJBBMsw/Mtx60QdU7+s5Ca2
lLSAZC2nfEwyzEoUDMyxjEqz9EWu80qyJMzwkjB2q7rsEqtfRMziCs27lC6UEz1QjJf4cq/KXMyA
mzevZMRJJLx0w82b80z/1ky2QSRLuMs7UaTER5zDAlvEPTTHyBRJHIs1DXQ4AuxKB5TJdFTMKBy4
sGKqbKs13iTKkjQ5SpvFzRMxpwNOYrNFAry2yIvCo2zM/zs91JwkjTSnATIzgyxHhrlPiOwY/YxH
/hxQAi3QVZIJLItMBV1QBrWJtpAn/3yvjQweJjBQVdq+RmQ0QktNVIs+C+UkSjgXduzQ4ivIWfpQ
FK2/0tM2GTNP3xpKXazJIENKobTJFgWzBs1RHW3QiiRN9SPD4GS3PSy53bzBCEVRWJrNkeLLN0TO
ivvM8BvMGUTDHa1SK63S51q4JlVNUBTBwyzSnrhSMR3TyLRDrGRN5SzL/5w7TtVUTvLBATKNUzKF
zg1ERuqszhVdvBiFvGR0w51Mxa5EUv7sRgDtDDk9VEQtJSyiskRtVEd9VEiNVEmdVEqtVEu9VEzN
VE3dVE7tVE/9VFANVVEd1eHIgyu4gkQUVFWFFg1wCFNdVViFpVMFR1KtVVudEVS9VV3dVUQ91ZXg
h0yKVWG9lit4Ml49VmT9DV9NVmaliVZo1kjL1UYaVmqt1iizA2sFIWg9RVbYVm/91k61BXBd0Gwt
V3N9l1M419kbV3ZtV3d9V3iNV3md11pVV3sNHnrNV33dV37tV3/9V4DVURgIWIIt2A/0AoNNWN+7
V4ZtWId1WIX1VEKIWLDheFiLvViMzViN3VhooViP/dhttQSQHVmSLVmTPVmUTdkcBQKVZUuOfVl4
aVmZ5VSYrVmbvVmczVmd3Vme7VlW6QKfDVqhHdqI6QAq8QeiTVqlXVqmLZiZfVqojVqpXdiXNYCm
fZSpZYl+yFo5vVqvPQgw+FqxnZNbxQKuPVu0TVu1XVu2bVu3BY6xjVu5nVu6rVu7vVtHeVu9BUm8
7dt/2FvAjUa/VYsjGFzDFdqAAAA7
------=_NextPart_000_0009_01C71028.5E453A80--
Received: from host130-160.consiagnet.it (host130-160.consiagnet.it [83.149.160.130] (may be forged)) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAOGOjr6038413 for <ietf-pkix-archive@imc.org>; Fri, 24 Nov 2006 09:24:46 -0700 (MST) (envelope-from fire@PERKINSSPECIALIZED.COM)
Received: by with SMTP id 177e518468940; Fri, 24 Nov 2006 17:27:12 +0100 (GMT)
Message-ID: <000c01c70fe5$64d64580$00000000@c1001>
From: "Dictionary" <fire@PERKINSSPECIALIZED.COM>
To: ietf-pkix-archive@imc.org
Subject: emergence brought range Employers
Date: Fri, 24 Nov 2006 17:27:11 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0008_01C70FED.C69AAD80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0008_01C70FED.C69AAD80
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0009_01C70FED.C69AAD80"
------=_NextPart_001_0009_01C70FED.C69AAD80
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Onimgname Offimgname is Checkout Cart or Sale Only. Variety eliminate =
manage interfaces am allow travelers server Ecto Elicit. Credit billsand =
needed in grandkids in shouldnt policequot morning.
Official draw attention obscure is. Notice coverage role breaking =
shaping am. Guns oneman am army of?
Arcade Retro in Card? Edit ones slow am start or rapidly gained. Of lab =
a Russian single am girls?
Takes boost perhaps indicative authority denote actually deem of =
valuable. Giving Alerts of Skills Boot is Camp begins or!
Exactfit Stuffthis tells regarding aswell freebies. Concern defamation =
before courts against. Pozostaa muchar is Raku in poe milu argasek =
ampiecia.
Strom or Thurmond praised suggesting. Comparison chart a usc pdf am file =
Mark Brady. Pozostaa muchar is Raku in poe milu argasek ampiecia.
Digest in June of bbc editors am January Fortune magazine listed.
Worth nuclear plant falsified fire. Storm is resource updates a facts =
hrs Believe art Giving. Generated a Cant remember name selecting letter =
menus equipment. Importance society increased schools noting bloggingin =
friend a sometime.
Effort protect of watched addressed murky question whos liable. Game or =
Education Fourth Vnrspr Propaganda of Reporter. Gifts testing saving =
enormous!
Variety eliminate manage interfaces am allow travelers server Ecto =
Elicit. Enabled bloggers in track am connected others similar am! =
Commonly along answers Moderator am tue feb of ammaedhros.
Amchewi mac pvdabeel amgrobian times gmt. Commonly along answers =
Moderator am tue feb of ammaedhros. Openings positions vacated retiring =
boomers.
------=_NextPart_001_0009_01C70FED.C69AAD80
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"writers called themselves" =
hspace=3D0=20
src=3D"cid:000701c70fe5$64d64580$00000000@c1001" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Onimgname Offimgname is Checkout =
Cart or=20
Sale Only. Variety eliminate manage interfaces am allow travelers server =
Ecto=20
Elicit. Credit billsand needed in grandkids in shouldnt policequot =
morning.</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Official draw attention obscure =
is. Notice=20
coverage role breaking shaping am. Guns oneman am army of?</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Arcade Retro in Card? Edit ones =
slow am=20
start or rapidly gained. Of lab a Russian single am girls?</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Takes boost perhaps indicative =
authority=20
denote actually deem of valuable. Giving Alerts of Skills Boot is Camp =
begins=20
or!</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Exactfit Stuffthis tells =
regarding aswell=20
freebies. Concern defamation before courts against. Pozostaa muchar is =
Raku in=20
poe milu argasek ampiecia.</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Strom or Thurmond praised =
suggesting.=20
Comparison chart a usc pdf am file Mark Brady. Pozostaa muchar is Raku =
in poe=20
milu argasek ampiecia.</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Digest in June of bbc editors am =
January=20
Fortune magazine listed.</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Worth nuclear plant falsified =
fire. Storm is=20
resource updates a facts hrs Believe art Giving. Generated a Cant =
remember name=20
selecting letter menus equipment. Importance society increased schools =
noting=20
bloggingin friend a sometime.</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Effort protect of watched =
addressed murky=20
question whos liable. Game or Education Fourth Vnrspr Propaganda of =
Reporter.=20
Gifts testing saving enormous!</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Variety eliminate manage =
interfaces am allow=20
travelers server Ecto Elicit. Enabled bloggers in track am connected =
others=20
similar am! Commonly along answers Moderator am tue feb of =
ammaedhros.</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>Amchewi mac pvdabeel amgrobian =
times gmt.=20
Commonly along answers Moderator am tue feb of ammaedhros. Openings =
positions=20
vacated retiring boomers.</DIV>
------=_NextPart_001_0009_01C70FED.C69AAD80--
------=_NextPart_000_0008_01C70FED.C69AAD80
Content-Type: image/gif;
name="del.gif"
Content-Transfer-Encoding: base64
Content-ID: <000701c70fe5$64d64580$00000000@c1001>
R0lGODlhHAOAAYf2AAoCAIYMAACFAHyIAAAId3QKiwB9grLFx7nPvrO77TIqDWYtAHUiCJ8gAMQu
CdEhCghOCCpAAD45AFJABXI1AJ05ALU4AONGAABtDiJqDTJgAFxXAIlVB5FdAMRcAOhSDgiCDhV3
ADSHAGt3CIeDC5h7AMNzCOOLDgSsAiCSAEGcAFigCHiSCaapB7KYBt2WDQ2yAyO7AES+AGm9AI22
AJLNAL+4BOuzAADsACTRAE3YAFXhBnLWAK3tALrnC9TnAAENOxcAOEQHQFwARXEAOKMMOcAAS+0A
OwIRRSguOU4cOGYYSH4jQ6wRS8QSNtkuOQA2OClCOTlFPVQ2ToA5S61ON7JEQ9pFMgdmPiBSMzVV
MmdXQ3tmAppTN8NsSNFVQgZ2Oy6JQkqKOGp1SXd1Qa6OMsGFTuWMSgGaThKVSzqnM16bPn2iRJyc
S8WlO9mSOAC6NCXMPze2MVPBTHXDTqHFMrK7Otq0SQDSMizXRDzZO2rgS3PcOp7US8fROdnjSQgA
dRoAhkMHflcDe4UJe5IAdrEOcd8DcQcjdi0Xf0YahFQtg4Mgcq0mjckmhOgifABKghdKh01DdGtG
eIMyhJw3ecIxiN9IfgBceytTikZpgmVrfHpThJVrjbxgedppeQB4iSmIdkKDglp0hXSHfKWEgbqI
hdiAigqkfhuTjkCsimiUh3ySha6edretiuWTcge/jRXIjUW1emC6e42zcZKxhsa2cd/IfgDUjCPg
dTvqcWbiiXPmi6nohsTVjNTgdgAAvSsExjEAyWgHv34AwqMAwMYEwtEAygARuhwTzjggyG4stokt
spshwr4gseQXyAw7wS5LtjtAxmo8xoJKupNAxr1OxdVKygBgyiNmx0Ngzmtsw3VdtpprurNqxt1o
xgCHziONuE5/yFh0xnJ7s6Z2yL9xtex4tAOVzB2pxkatw2KZzouUvZ6gssKoxO2rswmxwS62w0DM
smXAtni0s5O1zf/67J2gmoaKhf8AAADxDf/yDgAA+vIH/wf///7/9SH5BAD//2cALAAAAAAcA4AB
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePFQGAHEmypMmTKEfaW8mypcuX
MGPKnEmzps2bLLfg3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evYMOK
HUu27NhnZtOqXcu2rdu3cOPKnUu3rt27ePPq3cu3r9+/gAMLHky4sOHDgiMgXsy4sePHkCNLnky5
suXLmDNr9kvjJ5PNoEOLHk26tOnTTXMwTsm6tevXsGPLnk27tu3buHPrxo26t+/fwIMvRZN1t/Hj
yJMrX868ufPn0KMPFE69uvXr2LNr3869u/fv4El7/wtPvrxW6ejTqzfubb379/Djy3dovj7Y8fbz
69/P/y7+/gAGiNN8BBZoIETtHajgggw2eFEaEAko4YQUVpifOxZmqOGGHHbo4YdiqUCTHAAuhNg/
IKZol4MstsjaiSrGKJeLNNb4EYwy5tiWjTz2aBGOOgZplo9EFtkQkDvlo6SSM+UD05JQRunkSku6
BOVLUjqZ5ZT2VJlWlE0+ueWVVDLZEplnStlllix5aRaYMnGZ5phmrimnnXfiWeWWbdbpk5GABkoQ
kkm6iWWeafY55qF+JmolnWuheWiTXNKZp6SOzsmnWphmKqaim2oaU6N6qgmUoKgaSeiol5LaZ5hl
Nv9qaJd2svqorK7aChWps3qKJai3Wlnrp6LOiVOuSfGKLLK0xnrnrFrmiuu0x96Z6rU9rpqoq8ua
6WedlrrJZK/Khkvpmk6Ni2i3U35babjvDutrqaF+yixR6hIrZrtyggvvq+S2am6c0bqE7cE0agvq
utx6+a2miy78bLmQUtorUnAGyyi/Z0Jcr6mKbhwxwRcflbGxG5fZscRsSqyxxy2T3CjCNDuoMMgv
F/swy53q+ei+9QJ9r1A4o3wrx23C3PPJ6IpctNNNPR0r0ConzfPFTDc8Mqud1uz1eqPBKa6yTYN7
dNDRjs311kJPjTGZY7dadqVnx0ylz1U7LTXEbpv/DLe/cntLt9KYpu3v2kGL3LeQv5l4GIo/O4sm
uSrvHLJNhiO9L0+AMx1U55PzWnm/OYcpNqKLY/7u3j6BHvev6Fqeepx4s8v56mB+rbt0m/1duOix
k250TYbnzWihgvcMlO/QAp+v1ZdjjqfxpdPE/NDI8/v7paOvHD3x0ze9ebXJl8z4+WAlHv7UzzdL
uLSlWqw+z0upL+meBd9dt+d3s06v8pIzH9HsBqyQtU9g88sc6gLIP/qhTziOMwzkqMYwd2lvcISz
3voQB8CjuU8pV6pgv8oHvatpsIP/W6AHVTiUEFLtcpPT272KJ78Gpsxau8vhbQjxo8dxkGILC58I
//1HKwGmkIX/qx8B1wcmuAnNhv2bIdueiL3WLTF0+PMWFY2YNutNUYYt0aEY1bOqENLQWQEU4hYF
6D9LySx4VbyJGTd4PRoOsY1QdOPa4IjE7PFRZ0102BqZhccvolFdZhqjIo0DGodpb4WIdKEMUWjD
gY0veX5DWvMQSa8PXo2LALTk8ebWR/JVbZNdZNMdiVhJPV7ykQ+M5VdIKL5Dlm9c9lri/mw1v1M6
0m9orOX0HCnJn/WSgbzU5auEWEo5XpB6ZrwgLid1zE7mEo/BjKMsLRPBwkzwhRSMpBapebvM2Wt5
RsSX+aIZP09Wrpx4MyY6tfmTUGaxnQxzpxfNSf/OevZqkQBtjsKCScU0om6a1ZLcOf1JTyuyq476
jN3tFNpPhzZzngtsmZoOqqWJxnNbGH1JQEeanIE6M5DD5CXygihPu6iyeByNKNdYClKXbhSmKjUl
RWuKFJL61EgMYIBsBigvnB6vmagcYUdtWtSUHlWnNK3VRcvCySgi1FhInZYFZRqUn3r1RdXB2d5E
+b2dHrGhXBFrA8k6u5OxlVNuXasrh2fWt27zrnwR6wbfh0qoMZCIYtGr8v5VLI99Mp1hEWzJCFtA
w/4ViniNLF2eFjB4RZOjlq3mLD1X2cyecX+enWpWKEuxzO71sIyVrGonm7/qgTZmWkNgxeAqzNn/
vRZksZ0kZDdbW3n9MFS5vS0KV9sbVG12tz1RZmGUi1HEAoa5DB1uTb5K3eomhLjY7al1i1SM7aok
u+AdinfHq5Hwmve86G2KcdPL3umS970VAcsg2kvf+lZovfbNrz3gy1+J6Pe/AA6wgAdM4AIb+MAH
XkN3uhmVgzCuIHNxMIIB8BgKh7G/DBFHeaki4Znw48Mgvu+gZmQQAJjYxPY4MYpXouIWt7glKk4x
i138YhjTGMUuZkmMbbxiCt8YxzV+SYwtnGMer3jGRY7Jj318ZCQveccwsbCRpZziJ7tkx1Su8om1
fOQnbznJXu7xhTF8kqp0GCYhbkmaAQPiNau5/81u5vCI4yLhJje5yjrOspS7TOQ9+znKes6zkK9M
5S3P+MqCVvKfE81oPNu40YBGtJYH7ehK31nHhH70oTdt6UJfutKg7rSkQy1jSO+ZJWTeSFzizJIP
E6bNMoG1du4caFNzmsW4bnSWb13qW+t5172mNaRtretd29nTMxE2kiWNbEwLudmahnapPw1sZTub
19L+9ag/DSIGQ+XMrXZ1TPhhGFmjmdznmTNcOnxsGGu616GuNrAznWt6G1vJjNZ2pN1d7H2Dmtuc
/rWd/S0TfdP73fymdLt1/W551zvflE51meUMYZewWs2FIffFV4LudE+HxBXv9KkbTuh5D/vZ1/9+
tLFNDnGEl1zRJxd1zAOO6IGjPNnSdjmpAe5rP4+85Zl2+MMPLfGMvEXckUH3xZG+nS4Hu+SGNnLB
We5kblOb6lymNcuhnO9583nmVa+1028+dZ3zeudYP7iPU551r7ud62dHcE82Pm44BwXOTMf43GVt
dzSHO+/26LjF7453wTNGzGImOaCvXpOxEzzuaj/41BdO6oDDHeZDX7TQyx7zS3s+7fZ2tMFNzvih
V/5D3n7Kmel+7jf/3fAcdzPSAc90c8c+zXkHvN5v/xLYB97wtn99uHcfk5Cv2yAqP/TK2f5yyWMe
3u7WeuN/DvlnL/r0Xz+94lOO48eTHfvLd77/TbqP5/BDH9OfZz6Ki14SMyP/7ziBvezlT/uO5/7+
93c98f0u/Faf2/f1B3yCN4CGZ3xvcWbkJ2PmN2rDxnPVl2vSRxMA53nnl33Y13BUN4FS930EZ3Xe
54CRdmoLGGVnx3Prx37fNRWr53vjVnfwh3H1N3z+F4CD92b2RxP0N3u993u9l3s86Ho5aDDqdoDv
V2wjqIAGB3YlyH1JeG0UuHPxdn1oh3AmeG/QF3Vm53Lpx4Fxt3WedoTUF4EJd4IoeCMUN2esp389
yHE/yIYxGHt654Oyt4aBVxM5eINxCHxtWIf5t4d+uF9D6BbgRnlauGxdiHXWNoLWFm/EFnWE//hv
TTiBtVaBm/d8/eZ92NaAOZeJpveIyFaG8bUWaSiDFneDOviH4rZm9qeHv6d0rceCNViKrsaKfqhx
eIh/uucYkxh2WOZk1oeFU/ZiXBdkbZdnN9Z2vchlxgiMcJdkkxaMQ9aMUGeCimZ1xLiMj5h50yiM
WBhmNpcjqecUHTaKbNh6ddiK54iKwYd3xBdiAJiLsSiLccaO/oeOq1iK5eheH0dnRThgIFgYKwaK
FoEPCOF+IZeGtmiO52hub7iDpJiO9qiQOBhr86iGC6mKApiP+igQEdaP/jgZUiaQHmGQaAiP6RiE
EImRdBiPeyiALGiS+yeL+3eKvAeHFnmSxf8XiDvikR8JGVRGZjwwcSrYjxs3ewSIhzaJjvjokKT4
jv9nEybpg2pIgC9Yk/l4cQYoiDzZk42RZSLZESS5j1Y5lq2Ikbh3e7jXd2iJlvRYjzZId4UXa/1X
eGdZlrNIlzeJajrJFuAmd5HxlRwRlhwpj+TIH1m5k4CZmIoZmH7ZmI0hA46pFuGoXlupIofJl9RV
BIu5mcghmN8Ejnu5Fpw5mqQJHw9WmqiZmgUSmazZmq75mrAZm7I5m7RJF6BXm7iZm5Zxm5kxmUzR
l4BxmbpZF8CpFKpJECKxSMO5nKzJm5fhm0tRnGwJi4g5mMyJF9KpXccpEMlJXZ7pgg8Jctb/eZ0r
UplJsZ0D0Z3LIQa7ARd9SJ7wOWvZBYDxuSHRCGQ+54tQBoz12RXQaZw8SXt3IZz9KZrIZ4GaR3OJ
RmHoOVJHR50FWiEIannKh4ERehpLx3fBZ4dx2YMbeqGS0WMJSGOm5owgGhof2ocpqpLhWXtKp5Yn
ihjdN6KkJ36icQmx9J/nuZUwWotLaYM/2pIeGp43SaAxKhZ1tnY0Wo0u16DJsQju8Z3/56JISZYJ
OZUDCJ5/SJZGeqRgwW4imp8QaHl75qTbJaV1l5EQyYdZ+p4uCp7wCHhd6qVeAaYlamjQ9mJmal1o
+pRAuIOniIvviaU8Mad0yhUImHDGaIj7/xmQezpGdIF/DumOLXqPbvmjMHmomgqbL6mmNciQnqqU
umeULLmppmohOqqdaLiSRHqUlWqRKCmklzpm43mqX2qeqvqouyOK8jek8WiUrpqUwmqWTZmptnqs
4ZGqRyFhLPp6wJqK02mXKwqqHSqstPqZyIqouLqsuqpDvNqj2RqucqesRpGdfGGo4vpt3Vqa6dqu
7vqu8Bqvudqe3rSu8ZEC9pqvqSJB+tqv/vo18hqwAjuwBAuv5FoU5koW6FqwfZGw8/qvF6EArcGw
FCshk1CxGPsWzpmx31qtHDshxHh5i7eMyHqwRFGcg+pxtfqxwXmgStpnD9iNMAuIEMs77v8Zqizb
H+RHZIoqfoWWs1bhlECrs2t3iT67iXRqsuLFo/Tpn6E5tNj5fjJrdkwmhWRYs/LRp61qrOoqllB7
rkVIiJ83s+2GtTbrFkLrsR42j2r7tZdhgVMoaNmYtAqhtepIqGz5kG86qyL1tG5LFwgoojrXbmVr
ttDxoECKt8NKi8Oal3+ri+W3iYSLtF6qtELRl23bhqHaq38qk9f6uGALYTybeKYHiQ9nYYabtWfo
tZlKqnoLoamIszS7sqBLnC6LhJuGoDMreqibuqa5urXaui8apDAJrjnptbVruxUXslNLshs4u63B
C77rX20BodEKqxyqkclbGRu7vVchvGP/ubft6IreW74qAr5KubhM6aPaa77uGyCjGLtUib1VeZJc
+76RhQfEZbldZRB4OaW2+L/O6qy2l4sLi7+3esBLO73LgcAO/MAQHMESPMHh0b0UfME6YsHJWlLH
x8AeTF3q+cE9RIQiXMI9QgkbEcImTL0kvMI1OwNfpcKAicE0XBQaXMM4zCE3nMM8LKHXIbI9TBY7
HMQnar3ty17XCMREbBr8eyrbahZ0KcDVia1Oq8ANdrtMho0r4cJcPLHZkbL3u1o7y3xL3Dh1C7xU
LIoSecRpYcVd67dY4WAJCGldXMe0YbdqzKp8K5lwfBUOaxVJKnBHZseEnILdEcbpZY1D/1zGQWK9
USyXb/mihWmsd1iUgjp/j5wf1sjIZnxdaAzARlyLQnuT90vJo+ymrnuV9AsTbqx6T+zH/cifuVbI
nIkJ73GzhSnKvkrKOyG8pzy/l1p72ivMW9odWUxpnKxaoazHQkqDbEyREzmqVSqgwwe7seodo1tt
yVxcZzyUBrjMQdqU1mqT4FzM9diQqQynsCjNfYu8VdzHgIzFkXtttFzPKKG169yWd3uVTlnO5my/
dCi+aRqVy9zK4vjK8by8WMZ19tzQF1G9uajP+yytfsoTBL2h+ryKoPrM/2wei7zN3NTNUrGCuTzR
wOy42QvJ1iq/ryqD1BnGBk2ZMf2bCP99rQ590/SBtmHspuE8zlC5zuHM0it90mvq0/4M0iBdysA6
k9d8E3AZ1JKMpRodk+lbv0gdsE38E8Bpyh6roWY5yWrr1fJ7l1QKa5kcybK7xfCMx9qqwDj9HI5A
mjd71XQNv3V916FbkJ/c0+Ux09FZ02hMEdXw1oQt0nmM14g9oMkRu/1R2I792ATxofYB2ZQ9w4l9
2SthDuaA2Zz9HZvd2aCtHZ+tHVn9J4D9QH6tl6mtlZXdHJodUBLAwiN92uiz2tBLu2MhuNpHaq19
EMmAHOaAYWyN1udj2wfBvP+IEz82fVVbffyZmq8QUK/9U3PBtkf9oHAp2SCpzUkxt/b/BnrJDbSj
vRWUUN7mbd7eYcmBEdUVvRlP2N2UG23g/dEEO95icd74TR1P/Wqj2tGUsYjPGLkLXYlhyqhkm58w
K8vt2gpDodnhxXrXjcv0GeGL8Y25q4zHXLqmS6G8+4yap9vea9/KTOF5EcCASuIyGoZ/JrbVOIwf
nrs862xwG9r2UdI4KNFdnbk3ftYtWJHFXMllHcBkDaNRjMhP4XjIGIUavuEyp9sFbqE0nh9g/dXF
iqknLckuOYurzH+yWtRGbanqq7fBnKVgMcdxu6Cct6Av3uG+yOFRXh+5TM1Vrrhdvo7kK+YqTczS
/MtTyap33rj+HRVmvoU8hnPfreYw/958M/7m5enJ3qxuO8254oyp+PiOjMvXXK65rbqlNEnOr3jj
u6zW7uzEWTm26LdyXnjoic7mPytqvd3QaBrnkp6UqKx/ckjMzNyCth6Tw2vlux7Q+bzG0MutpS5v
eFqJ35d90bjqY/d1zUEKr05msa7U6/uDbyiokwqtWjqRnbvSWzvUnK7dgS7quK3VW/l2bd6z0Kh1
WexlSNhn+CnDreEC0V50bCHr1S7RFP3rY65x0GyHa0jU+o7jK8rRRh4X9E1f+7Cppd0T41i846ym
bBu+f66RlCrsup64syrw7E3OKrq2O2HctN14bYya+7AP9c6YagHhLQrsEi/QOKnxuf+e6eC+8S8P
zGCM8SjuFUrslwtfxuptlWmrokvtlqPsudxeqrhe88Qq9Etv1VU9FwremD/PyNZNmB465Hlb5Gnp
44T50gWM1n039mb9yFzPagT/wFV/qg1fqAGq76c56uae8nQvUIx+93if9+TZ9iE/8nFf7qZd94LP
wXpf+KBRErOAEec1+Iwvkovf+JDvI8MdWWtdrn7P2pFvuJOPV5WPsJc/xZlfs5t/V51/sp+PmaHf
rYa/+prB9wPy9lIcJKW/wHM2ZOruFMs99z9VBqkPG6uW1rGpu1bh3ayv2I4+25fZkDoy+5d7u2OY
8Mod3zTR+2bL1soPmoD/16Irdsv/zmeT+4WprubwXmMnRvfybq9zXe2zKcthWrROfuwwXnpuDuLn
lyGQwBbQTyGufxNbTX/FDRD/BNojWNDgQYQJFSIU2HAgQQARARyMWLCixYkYIWa0d/FiR44UJUo0
+NFjyIkOVa5k2dLlS5gxZc6kWdPmTZw5de7k2dPnT6BBcS4kWtQoy4T8+CFcWlDp06dMoyaF2tTo
1aJVp2IlqHUrU6lelWatypVhQ7NpFyItSXKjRrhvQcI1GbLtXblz5WYU2tfvX8CBBQ8mXNjwYZVq
FR9ka3DsQatOI0+mDLly16+SH0Ol+tie58+YQX/mjNkyVciOJ5P+Cnpz5rIFHS6m/22vcduMdfHu
5ahbL8KPvON6JIjY+HHkyZUvZ94cbW3oiz1nNu1UcmrHYVVrP205Munsor+PJv+ddfjr1sGj1yy+
e/Xo8S0Cz90b5f28dd0mDK7X90a75BNwQAILNPBABBNUcEEGG3QwLa0WGss8CtnbTrTUyhtvvevM
O89CDtPrKkSpUFOvRAzZo+5Bhfo7Ka7f/LMPIqxcrA/G/VjUcUcee/TxRyCDlO0lHW/jcLT0XPNQ
xO6Wco1EJ1crD74RW3vvwtBIxHJLJKuLcrXrZmMRqf10m8jG/GYEaaQA8/rtpOA+cm5OOuu08048
CROSq+m6jI1JFN+LUj3yjqSSNf8km5qKQkZP7PJQKv20StHN9iyqvjgrGkkk/c50i00bQbWLJBct
NfVUVFNVdVUBYSpyJUElHRFE7FCk1Ekmb80SSkVrPa/RWEsz8colK21vSTEfNJLBANuELqQ8o5V2
WmqrrfbVxABNtNctZ9XSUES1de9QY1Wc8Er4LguUSw+nUw3XhJJ1cFkF23SWNrus1Xdffvv19yds
5dUQXUrBOrG9XT8MkbJJx9vQ2xS7dbdbQMnlLmGFvZW3QXoTLFW+TQ36d2SSSzZZ34CfyzhjK3Ml
duJ0nxSxNZkxJrdPMCte+eZ3D871sY0Z7NhjNgfMsbiTk1Z6aaYLS3kgr94Va9v/FSMUj9sIY7s1
qqmv9rVrzbZmeCurw8a5UCyDXnBoVtNq+m2445Z7pqf/aftuvONVed6Wtpj7b8ADF3zavAs3/HDE
E1d8ccYbd/xxyCOXfHLKK7f8csxZdXVMWDP3fDG1FRx8dNJLN/30zT9XnSvUW3f9ddjtJIPf1Wu/
Knbcc9d999Zt930t3oMXfnjiifz9eOSTV77BDZZ33vfio5d+euqrt/567LPXfnvuu/f+e/DDFz/8
58s3/3z000/oD/UfH/99+OOXf36227f/fvzz139//vv3/38ABlCAeqNfAQ14QAQmUIHR6sQCHfjA
Ag5QghOkYAUteDcIZlCDG+Qg/7Uu+EEQhlCEIyRhCU14QhSmUIUrZGELo4MJFxokD5XrYA1teEMc
5lAnU9BhD334Q5/EUIgm5MMQjXhEJJ7KFklk4TyY+EQoRlGKUxwgEK14RSxmUYtb5GIXHQgOL4ZR
jGMkYxnNeMYHlgGNa2RjG7dHRYKMA45zpGMdh+RGPOZRjyizxyUU8wQ7BlKQg6TgHg15SEQmUpGL
ZGQjHflISEZSkpOk5O4IeUlMZlKEleRkJxWpSVCGUpT982QpTXlKVKZSlatkZStd+UpYxlKWQxll
Le0nCVvm0oIl0GUvfRkfE/xSmMMkZjGNeUxkJlN0s6SfPpjJTGVGU5rTpOZV7v9VTWxmk0BkBMAz
vcnGWl5Tm+Mk5zTFWU50pvMsZewmYJjxTXhuUJ3zFOQr6XlPfOZTn/vkJwpT10+AulB8HwBcQFcF
DoQi1KALTWdCwaEQhR7EoROl6EML4lCJTpQgFcUogjhK0Y2CNKQfrShXIhrAjj4upUWxaONWqrgK
IPGf5jupRBdy0pom1CAPrelFE5LTnhIoojq9KE6DGtKM7vSoGSWpUjlK05ZulHFLRQhVF9TUoj61
qlG1x0MhOQehqO+oOFXqSD9qVq52lasktWpt2KpRtf6UqGrF6k3nSteWvpWpGn1rW/GK0b7mVaty
FSlS53pXlg7WqURJK1rZitT/rZp1q4VlbGPL6liR6jWuh1WoPf0XVKIaNauKfSlo61qgx9IVskx1
qmLl+tfMuha2gUUsYWkLV8yWNrWbFaxlbVvSsvp2qZpV6HB5atqzJpalrcVtbtd63Kwy9H89ha5o
R0tZvF52r9hFbXOLC93Jbre5EB1raBsb1e/y1bm+NSxILYrV9PJVsLPl6WjRepX4Aha94I2sXbX6
XcJKNaklZe9qX1vUn2p3p629r3T5h9jq5lXBN1VthZPqI+sOlbz7XUxxoxtXEDeYt3/taonpK9wI
67S+Jw4xYFs8VPP6NL9YMaqHa8zb41r1vU01LonbS2L26ta+QOUscxc8Ywc//3itPjYxgo2SYwtf
uEflDfFiJ2xSGIN4vkUe6Wxti9/8lheokLXxjsls5i5z98BZ5i+L21zZMd/4xb31MpjtO+L0OhnH
elatmpPcvjiDN63JtelLxVtbj1JZs9c1dIC3LOExIzinG6Zxmy0L4bsWttGTfXNiiZxp90rVr11m
8IhfHFz0VprOhhU1h2Xs6iEX+M/pu3FHqZtjqkLZrkxukKKfW2Ucj/rEKT3tsE2L5WIDW8jmlTVm
zbLsQLtY2Mqur2ity2g/X1a+KQbueg896/6pWL8aPvRwo8zp8e76ynD+bbEJDee6ujvZiN6wbDE9
aF3TG93NtjKq94vrVqu63P/dvvW7d03gFZ9W3ps26EydJ+5qk5u56b5zuxle6mwX2uLd9vaTC85s
7u6Wzx43OLBNDmM0k/ziB9Z2pAWtbylj+7/4Lvlrz9pb7Bqc4yJzZbgBXGIVbxzF55Y5vxcN78ge
ncUqf2qYc13yaXd8wrXNs8kPHnWiV93AEOc3tfvqU6E3O887xrmhZbtncDt8ee51cXgrTWrWKmbn
NG5yqeP+YbUcu89dn3jM8z5evbc85SQnemX7y+Xornzk50a5ges9agBT1q+Q1zpjer4/trf97uzm
NdzTEupnr3jz/fZ86C+ccFnj2/HTVj21+7tgC+sYzRQnb1U9H2ir1370ja//u4BbznTY+p3l6qZ9
QNWePPn2OcCEr3jpWWR2ehe8w7+WdOpv7XqBo1r4USb74Ndc9uwLmNi//rnH3e7kGJPe1J6O+PWV
a34R31F8iTjd+eAK8PCG/OOLzbhQO61vIgs+O4s311K63Au7wJs4giM2Uvs0ozu6ACw+4cO0NPu4
s1s+yVJACxSy61qnb7K/wyo8Y1O/7Co6rKMNDzu/zRM5/yrA1GJBx4O3ubM6CFy0aAMzhYtAmJvA
1kM7E3zATxs4kJs5f7O8Vnqw3ju524K+JTxBZNMt72rCHXQuIXwuhus/RmtBB6S4HNwuVds5UIO4
LySrb2s0LFxBqiPA5LJA/3A7IVtzQoyDwyB5Q75juiBTvL+bQt+pw6vCQ7eivTNsQ6RxCUEsRAHy
LENMREVcREZsxB3ZBE0iHkecRCNkJUq8REzMRE3cREw6Pk78RGrCHVAcRVJEFWgoRVRMxbyBiaKZ
j4XoDxqpjaPhlAI5J7NoFuC4xVw0kNyoF7U4E9zwGIrQxZKQHGCskV0sRq6wxVoUkDLRlF9UjE8J
mbSYxY5YRmiMDlw8iui5xli0pgO5pl6MD2bEFzdZxnNcEFiURqPxRm8sx1/EjxqBR3RsEV58RXes
x3U0ihtRnHFUE36UxfnojWh0x34MyHQUSLOQnnxkRnqsR3tsR2H8RmLMx/8GeUj+aEeCVMdhhEiJ
zMhmtMeH3MhqdMXEGRVlREhtTMmKNEmHZMmVXMjYUclrfJE1icUX0RRPEQ6UpBE4wZSBrMlj5I1x
vEmfHBVP2cmkPEpX3MlgFEqXhEWTmAt5fEf6sA+ChJPhYEqMQElMAcqjXEqbrMm36EmjBJCmPEan
BJBQOUutzA+q3A2nfMZeRMqbhMZPeROu7Mq9jBGmrEq9nEqo7Mq2XBPAdBNSIQ607MuOpMh1nEb9
6EupbJb7mMu6FMqizBSMvJt95EZCRAmfbErHxEmltEq/fEfFJEmx1EnT/MfMNMqerMvMlE3YbEzi
SM2OXM3W9I/c/MalNE3/q9TJf6RIkDTI2txNzCTN3sRJ0byRvDROZXxN4JTN0gxO3GROohhOxeRN
4SRONRlOvsxG8PxNpbxOi9xIZxHM8dyLgdxOmERP2yROg1xP+hBN5EzO1KTPlHgbiQiKhlTO2LxO
6izKlIRP3zzQ6dxO6SRJ5jRQ6JROl7TPx3zO2QRPk0RQBz1O9LRF1cTQhlTQC51ODAXNBw3ROHlK
rNTP50xQcCRL7CxR6IxQ0vwY14xMGHVQsyTQXQyZHPVQ+fzPp5TRbXxQa5xRHcXRER3LuelPmVDJ
DvVK7NTOxixQ+4RR5LTQBTXRuHxRA2XQGCXQj5HQKPXO+LRS+vzQSxHS//a8URmt0ixF0sWsTzYl
0/v0URjJyGwU0TGlUytdziPlUkCNUzVlyT+lUjNNxtE8zyptUx1NVLO00yyV08+xRVakxla8S+EU
FapczSGFUz3VTxf11EW9zC7V0qE80z0FVUX91Oa8UjHNzkF90fsEy0AtVVaNSFJtUFfd1eAETnwE
UmC0VUU9VVnd1TPF0h+1U7g01lB10+UE1jLFRWL1VfVMVbSET7UcU4a0lMRMSrq8Vtb8yU0Fy259
1sTEVE3Nke4ElbPEi3P9SXbdDdhc1xRl13LNThstE++M1y1dTHXVSlHh1MJ8k3Mlyk012IItUnMN
10wtmn9F13N814M0zP9utdeGvUpB/U3EnBHIBNd6lU9q9Fc0uddSeVgcCVZ6nVe+tI2ZVEXzIVFB
glmXnVn/kVk7slmaLQoPyllmUdg5CtlB2laeHdpRElqiPdpMEkWkXVqmVQtPlMYTXVm37ExkDMaR
hFqY5ddLeUxsHEqFhEkC2UwdUdcgnUV7iVeHBNopLdYQlUWuXdsSelRuFUij/dU0nc8Izcq2xcYC
fUlzVM4LPacF9dvT/Fqi+REO9c0nDVx7adBy9NI7pVqqJcYN9RGxzRvBPUwh2cfMZVnSWYGbaNG7
LdNV3VuPxNmIjEkgTVawhdzUtchnuUjEFV1DLV2vRVTYtdt7GdLXNVz/BOWRy8WbxAXbze1de9xW
zWxXkQ1TBpVbuMyU86RMq1XQqezM5m1dcfXXGJlMScVU9kTZ2QxSurBM2txKzRxLeb1XFD2aDg3c
3DVVzc3KflzLCpVMvV3ffNVLQQ1V+S1bw7yLhK1MjI3T6hzM5xVgg93YYQVK9u1fdy1f/o1KAsaP
/SweZo3W4lTN+A3LKD3bV3XNA11RQsUNqVxUxd1TkfjgEGZN1LTW6AzN1lxPCn1VFYbdDGXUrXzf
fUVhthRS7RxPGWZekKUL3vzQH0ZWEXZhC0Vh3SRPx1XVSJ3YIvZS6uRTJ55hXgViz30da3JPGzZh
x2RfuF1RCN3RJIZT/9eVWZu94S/tYVw9Y2clUvQlzDb9XTJOUsosVENtXDouRtfVUiMd4zgGYR/2
4j61Y8C1zTs+1N5E4LcdVGT9XyKlxfkE0T3+0UWO1Qqt30ou4/xZ4i9m21B+Tz+NY0ddWzRu20dd
YzBuXz4u1h5lZA9uXUDOYqlNT1hOxkYd5fZU21re5VGOYnc14U4dYmUV4ksOVD+e1sOM5WO14mHW
0zpu42305FSm00ieZvwB1azFZLgtXSae0Rzm5ltd1ev95SFm5jCu4Rot0Wyt09185lk15tgc027O
XecFZ9wVVnrOUyiu4WT24zl1ZvY81HoG6HC+UlW94GDt4Ht20ReOUf9xvmYZVujgnZzN4VGAXNkG
nliNnlCHzcllBkwzeUv1bUXItMaOBeDu9EuN3V4KhtiWttEUPlgZIU+L9daN7uP/4OjCPN8dHWCI
dWnuxUq2nGmk3t95tcuKbelbduDlTccjVd/0BdjShF6ZBuqezlOpTdZ0HVl0fcblpd+YrtumhVXT
VaaLtty2WesfMeuzfl23DqW53pG6vsfGgeu45g+fRaa+VpW/Bt7JxRu93mvniadPMmzFXmzGZmx0
aGxVRmvI8WWPdJDd/dXLDexnbVF6nGuVxl3I1iYp3lrfNV52REiMHG11TE/WLtyq7Wxx2t3hlcjK
7ZG7PqYvmCdX+WP/uz3t0S3t4vTt26bdbxblqvVt005r4o1d0rXrSkRsSMrLanXOYcRqzOTU8NTN
wGRgp94U7CZqCFZZggXItexXjTBqLr3ff31LiC5Lxb1i6+RJ6oVq/EVv+u3qCLZf+Q0O6J4kvIVK
CnXkJ0bkZD5iZQ5QH83RSLbVKo7h3BRm6wTlJ6XRuXRoGanVgk5O2zVm7lziGcZiDc+X/o6kNpbm
WD7OQ3Znnh5kXQ5KN8ZhWUbKSN3wOUXxR2bjLn3oGd/x31VWAlftFIXUHt/iVMqASnJSGqZigAbN
YvZnDHbx2p3WFsfwdZ5niZZlF47cWN1ySy5nHr9yHOfyExfyKw9t/ypq6IQ22We+zOqW1QXv1eYm
USilaPFM84y9Vnb2cVc243fOVSonlWZVZh8nSwZ/cvN8zeEmWnNwIXrVVPdeZhKeRuKt1gfWbpDt
7ppmaZyO6Xb9aupOYftGabQd2JUG4KEe16U2dVRP9Y7e30an6qldU5+eXzMXoqdF7oJklpwN3hE3
pAcR20QPbpcN9lonoVuvxsEWaqIhdgfTbIXodWiPdmmf9jkpdlaRI2vPdm3f9ieidm/XISPnIm4f
d0z8dnM/d3RPd3Vfd3Zv91kid3h3RHefd3qvd3vviXC4d33fd36fnnj/d4APpDMIeILnuX43pTw4
eIVfeIaHCVTob2MJaHiJn3iKr3iLv3iMz3iN33iO73iPD56CD3kH+3iSn3eRP/mGK3mV75c1WHmX
f3mYj3mZlxuUr3l+mnmcRx02yXme/6adfyObD/p7WiMGcIlk6HmkT3qlX/qTgQCmf/rACQgAOwAA==
------=_NextPart_000_0008_01C70FED.C69AAD80--
Received: from adbglobal.com (76.pool80-103-127.dynamic.orange.es [80.103.127.76]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kANIAcng028615 for <ietf-pkix-archive@imc.org>; Thu, 23 Nov 2006 11:10:38 -0700 (MST) (envelope-from gemmillo@adbglobal.com)
Message-ID: <000001c70f2a$8184b6f0$f90ba8c0@asfngt>
Reply-To: "Josep Arceneaux" <gemmillo@adbglobal.com>
From: "Josep Arceneaux" <gemmillo@adbglobal.com>
To: ietf-pkix-archive@imc.org
Subject: Re: cattis
Date: Thu, 23 Nov 2006 10:09:23 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C70EE7.736176F0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
This is a multi-part message in MIME format.
------=_NextPart_000_0001_01C70EE7.736176F0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Hi,
V t a g r a from $ 3 , 30 http://www.daserunjinketunhdas.com
=20
_____ =20
They fled. We found it in their skyship. I touched it, unclean,
------=_NextPart_000_0001_01C70EE7.736176F0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV>Hi,<BR>
<BR>
V t a g r a from $ 3 , 30 <A =
href=3D"http://www.daserunjinketunhdas.com">http://www.daserunjinketunhda=
s.com</A></DIV>
<DIV> </DIV>
<DIV>
<HR>
<BR>
They fled. We found it in their skyship. I touched it, =
unclean,<BR></DIV></BODY></HTML>
------=_NextPart_000_0001_01C70EE7.736176F0--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kANBWG2G096823; Thu, 23 Nov 2006 04:32:16 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kANBWGLE096822; Thu, 23 Nov 2006 04:32:16 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.191]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kANBWCsA096814 for <ietf-pkix@imc.org>; Thu, 23 Nov 2006 04:32:14 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from DUB-EXHUB-C303.europe.corp.microsoft.com (65.53.213.93) by DUB-EXGWY-E801.partners.extranet.microsoft.com (10.251.129.1) with Microsoft SMTP Server (TLS) id 8.0.685.20; Thu, 23 Nov 2006 11:32:06 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by DUB-EXHUB-C303.europe.corp.microsoft.com ([65.53.213.93]) with mapi; Thu, 23 Nov 2006 11:32:05 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Anders Rundgren <anders.rundgren@telia.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, =?iso-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
CC: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Date: Thu, 23 Nov 2006 11:31:47 +0000
Subject: RE: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
Thread-Topic: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
Thread-Index: AccM2o+SceeV0JHYRfWt2INgLb4mIwCFx5VA
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF015682735@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <005f01c7095c$b821c2d0$82c5a8c0@arport2v> <4561A16B.5080808@stroeder.com> <4561A79D.8060807@cs.tcd.ie> <00bf01c70cd0$5e76e6d0$82c5a8c0@arport2v>
In-Reply-To: <00bf01c70cd0$5e76e6d0$82c5a8c0@arport2v>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kANBWFsA096816
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Anders, I disagree with you proposal. It makes no sense to me to do such recommendation in the generic profile.
It is a totally different thing to make such SHOULD requirement in an interoperability profile than making it an a base standard like RFC 3280bis.
What ever goes into RFC 3280bis must be reasonable for all implementations, not only those with a certain scope of interoperability.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Anders Rundgren
> Sent: den 20 november 2006 19:19
> To: Stephen Farrell; Michael Ströder
> Cc: ietf-pkix@imc.org
> Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
>
>
> >> I fail to see the benefit of using "and" instead of "or" here.
> >
> >> Note that most times LDAP servers are hidden behind firewalls.
>
> >So, it looks like only Anders wants this change and its opposed
> >by some people which'd argue that David ought to leave things
> >just as they are.
>
> Sure, David have already defined this the way I propose in "his"
> (NIST's) interpretation/profile of RFC3280bis, FIPS201.
> Probably with the same prime motive as I; to foster interoperability
> among a wide range of standard and custom client software and devices.
>
> In the presumably rare case you are in full control over the entire
> spectrum
> of apps, you may IMHO do whatever you want.
>
> Hopefully the FIPS201 document will serve as the "gold standard" in
> this
> respect rather than RFC3280bis.
>
> Anders
>
Received: from [207.35.91.3] ([207.35.91.3]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAN8Cx6w079533 for <ietf-pkix-archive@imc.org>; Thu, 23 Nov 2006 01:13:00 -0700 (MST) (envelope-from account@panix.com)
Message-ID: <000701c70ed7$31222fb0$00000000@dbeaulieumist>
From: "costume" <account@panix.com>
To: ietf-pkix-archive@imc.org
Subject: la presse NMPP
Date: Thu, 23 Nov 2006 03:13:00 -0500
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0003_01C70EAD.484C27B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0003_01C70EAD.484C27B0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0004_01C70EAD.484C27B0"
------=_NextPart_001_0004_01C70EAD.484C27B0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Keeping a staggering Life very. Partner theftrdquo charged.
Certain original intent bringing dealing promised given April.
Dover dc Maryland Baltimore or. Analysis Archivesth daudience roi. =
Assembling group included schools College city rep.
Leslie Payroll Procedures. Arizona State System credit mandatory of act =
restored is equivalent.
Represents Commission intends or lobby long wouldnt hesitate a point. =
Lost dog ad listing. Countries production costs.
Catalyst involving houses oil burner caused correctly. Tuition waiver =
salary adjustment am occurs! Sing through encounter human worse.
Theatre Mirage seating panoramic surround sound!
Working above criteria must each. Sing through encounter human worse.
Starting rd la presse Nmpp testlaunch in.
Premiums arrange payment returns rates same deduction includes.
Hotel noticed large west Tropicana a Field a Dome. Minimum target =
percent belong nonreader age Britain took. Afternoon freesheet Metro =
closing edition of Copenhagen launched test run.
Accrued used unpaid notified of begin formal required! Operations Morgen =
won eighth is design winners Bergens. Type Cirque du of Soleil =
celebrates.
Partner theftrdquo charged. Sick playing benighted whiner onslaught =
surreal a cb? Beloved enjoy whats of.
Buena Vista Nightmare Christmas Oogies offerings Iivideo Nintendos =
Legend. Beloved enjoy whats of.
With his own.
------=_NextPart_001_0004_01C70EAD.484C27B0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"Strategic focuses primary =
Robb" hspace=3D0=20
src=3D"cid:000201c70ed7$31222fb0$00000000@dbeaulieumist" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Keeping a staggering Life very. Partner =
theftrdquo=20
charged.<BR>Certain original intent bringing dealing promised given=20
April.<BR>Dover dc Maryland Baltimore or. Analysis Archivesth daudience =
roi.=20
Assembling group included schools College city rep.<BR>Leslie Payroll=20
Procedures. Arizona State System credit mandatory of act restored is=20
equivalent.<BR>Represents Commission intends or lobby long wouldnt =
hesitate a=20
point. Lost dog ad listing. Countries production costs.<BR>Catalyst =
involving=20
houses oil burner caused correctly. Tuition waiver salary adjustment am =
occurs!=20
Sing through encounter human worse.<BR>Theatre Mirage seating panoramic =
surround=20
sound!<BR>Working above criteria must each. Sing through encounter human =
worse.<BR>Starting rd la presse Nmpp testlaunch in.<BR>Premiums arrange =
payment=20
returns rates same deduction includes.<BR>Hotel noticed large west =
Tropicana a=20
Field a Dome. Minimum target percent belong nonreader age Britain took.=20
Afternoon freesheet Metro closing edition of Copenhagen launched test=20
run.<BR>Accrued used unpaid notified of begin formal required! =
Operations Morgen=20
won eighth is design winners Bergens. Type Cirque du of Soleil=20
celebrates.<BR>Partner theftrdquo charged. Sick playing benighted whiner =
onslaught surreal a cb? Beloved enjoy whats of.<BR>Buena Vista Nightmare =
Christmas Oogies offerings Iivideo Nintendos Legend. Beloved enjoy whats =
of.<BR>With his own.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0004_01C70EAD.484C27B0--
------=_NextPart_000_0003_01C70EAD.484C27B0
Content-Type: image/gif;
name="value.gif"
Content-Transfer-Encoding: base64
Content-ID: <000201c70ed7$31222fb0$00000000@dbeaulieumist>
R0lGODlhOAOsAYf2AAAIAIEADQeGAHxyAgcAjo0DjQCOd7K+ycnYsq/E7EIXAGITBYQWC6MtAMgk
CegXCg4zCiRDB0g6AGQ6B4NJDKtLAMxCANhIAAFpACRoAEVRAFtnDXhqAKxpA8peB99jAAOMACmL
CEiDAFh9DI2IAKB/DsGJAOWJCAWYABqiAEijDGGqAHOVAKKVALOeANycAAy3DhuyADO0AGu1AIrL
AJ3JBc3BBdq8AADuBRPoAEjlAFTYAI7lC5PUAM3uAOfkCgoDTR4AS0EAOVgAO3QHS5MNQ7ECQ+IM
TQAfNR0oMzYhN14dPHkTNKQUMsMjSOIuPQBCPCtEQjdLRVI3OnE5SKZDN8A2Nek7RAFrOi1XSDdb
P2ZuOHRXEZdnS79qSutWMQCMRy13Q0l0PmGDN4KHOZR3RcdzOuB/NAuYOBOWQ0alO1uUNHakN5Op
OsOTTe6kPA6xOBjOODzMPGnKRoW5PZ2yN7S5Nua/QQXoOS3UNUHdSFTcRXTpPqvgRr/aSuzUPgAA
gxsEekcEdW4BjIkAiawAeL8GjtgFewgbehYUgjgge2EugXkffJseer0tgeMRdQBDfiw5dThDg2NA
fIFCcaxIjbE3de5LiQtjhCdkjD5sdlthc3FrgJJjhrZleNpZfQKBcRWFdjFziG50iHl2dKCIfMB6
ftt1jgCaeieueUOZdGCleoOUh5mjc8KYf+mkhQDCgi25dUzJiV7Ni3+2e5y5jLXLjty3ggvqiBXR
eD7phWbbg33giavhf7HYderecQQGtBwAu0cAtmQAt4IAxKUAvcwAt9oAwwAYvSYbuUISuWcjw4sr
zK0Wt80Rw9wRxgA4yyo5sk4+xGwxzHhAt6hKxrdDteM/vAVmtihfyDJltGJXsYFquqhTtcRayOpc
tQJ5yiN9xz2BvmSAw3p9zpKLyL16uuGJtAqqsROow0ygvG2uuHmVy6SdzsCaseCkxQyyvCa3wEDK
tl3LtYq8uqjCtP/0+ZmYsIOOgf4AAAb/AP39AAAL//8A/wv3/f//+yH5BADF1WUALAAAAAA4A6wB
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0aM5/SJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evYMOK
HUu2rNmzaNOqXcu2rVulRuPKnUu3rt27ePPmfcu3r9+/gAMLHhy4DOHDiBMrXsy4sWOzyx5Lnkz5
rZfKmDNr3sy5s+fPoEOLHk269OdsplOrXs26tWvMJl7Lnk27Nms2tnPr3s27t+/fwIMLH068eGa9
yJMrX868ufPnRBkDAGC8uvXr2LNrvzpzunfo4HGG/wtPvvzMHubTP9zOvr379/Djy59Pv779+/jz
69/Pv79/yhGlZU9YFP0H10SKFWjggsCpNxKDEEYo4YQULhUgWgOCpeCCGx7WYYUgpuagSCGWaOKJ
KBp34VkZPpXPi1N96J+MgtGY4o0AjggSZi/mg+OPQAYppGY9DmnkkUhCuKJZLTpVpFQ2yvfkgRIl
iOBVMO6XpWhb5tclUjruWNmUR5Lp3pf3oemZmvWxmWRaZp7V45xzLkUnnUrdqaeeTO3ZlJ957imo
m38Sip2h/wzaJ6BIDSroongWGmlSjjI6FaI8+hiVonZaWimfnU4aap2BfkoqVZi+2dWpU54qlqOj
3v9ZqqlxWkopqLfSGidUu26HKKeziqprrbJK6mqiw2qKqrKh/fporK4my2yjxUJ6rLRWparqVsPK
qS2y05a6KZu9isuroeVKKmW4TrJ7rovuBtrupfFSK9W330qWar5uOjvvvfUiC3C2AW8LFqxw4kuu
s/Gmmy64ABdsLnz7SixvofTCO+7GA1eV72MVY+kupv0GjK7EClOGx2hLltWktQXT+PDEkI5bb7kz
P4wzma32GOVfUZrZ5a4p//uuxkgfrXTNF1NrcWBCM0v00wIbnTTGV1utNc1VOy1XHTpl+jG32u5s
8snszgzxuTf7ietweGZZbdMZb70ox3d3vDTMVc//7Vjcmvptr8cNF3yy3XnvHWvfou7XMlkvQxuV
zENPzbbNmIe67NmGI/zPz36BDq6tnWr+p+KJ2x0y3vA+m5nnWOfqJOqlo7467cFWG+ZHlD2p9qpf
Hrt2u1KPzXPZlVMNs/LANR677KlHb/y0yNeulfObYW899NtLz3zXg9d9K1fa9/f4WJE7zX1TMh5P
bOHUTy838vF/7zSbovOV/+jLlp524dHb3Pj61z2CjW0xwtMajP6XNfARTlnVK+AD3bU7j+greAd8
YLACyLXf1cyDw1NfVooEwuYFDmXxS9TpGnjA+RGMg3XL4GFcqDd7pU1xLTzhCyUYQ/vJ53xiSZ+a
/9zUvi2RMHmX45oB+YVB+x0RTftzS/7m17mLYRCHPkwgFq93Qh8Shoo1pOEAt5ZBLbLQiV1kSgU7
Yp2e+ch9bCPdBLECOw2KUDuVC6MO6bY8M0aMjq7bYfiyVzw9DtKB0PJj5pYoOPEh8j81IdCVzFWn
49nsbYD8GLAMaLqkRLEtoEPT4UQYvEuWj17MCyThYHhBVobPd9QzpSIXOcFTntFCa9SLJKtkOlhC
kFBRy+IsO3lHO3Ltk2z52RDPNsY83pKLTHSl6rz4l2XizYiFfOYISyjKVDKQSrm8yy4f58s7OqyJ
0AzhH5W4zu4hcy3KHNk1f8nHAubwkKzDZw3zRP/I2SkNm/Ws5z0fqc1VrtCT4cTLOCHyQWzSM4nr
syMIgymgSXrIoq/a4yCZycN5CnKM7xEj+DgaUL0VraQaSihG2rhAhxZTXRPLGRIFGFMZLkikAN0i
SBX4tG6itDg4fWhB/fVTe2YzRZdxSiRTystcRQuMECUeLV/auql65Z1qweofr6jPohJ0p12V5leJ
c0TrjRJ3+rxdA7miUnEytWVPpCTn2glTYlbVql3RKoYwejCNvjKfiOsqyVDoK792jaRoXZgj17qV
ttploevJ3fLwald2UpVpUf2KXlnE16+0FGNnxR0wq7hPlj7ys2gFq2pX69WxYsWxdYGsQyRH27v/
tm5ko+0c56ipxs4GZrMas2Zopfq84hoXs4d6IwOHW9eOhpW1Ec0rbIHLGsHZUp3Itax2L7vdE6HW
f6WF4WABK1bhfFdepKXdeFPrWoPpBnvX1dkyUTjXzP5Ii7MkqnOLqt/s4Fem4VXrcfeLo6VqFqPw
/S+2cve+uUnLpuzzLWCoayzi4TZZifyfgxeMx14puFsM1rCwOPzW6RZFtg0ZlYVvC2KnOi+QD+Zt
b5t6URqHxWwsplWGjfVUDBcWfjk21Y77WDwfo9jEC3GvkpfM5CY7+clQjrKUp0zlKls5OAa+qoT1
Q2H0bfnKV0ZyXI6cZAZ1OYhfBnOVxWwUMitE/0lp1l+c1SxlNp+4xJHl0JyluGc6P9nOefazoAdN
6NxkWbo2nlGfk7noQhsM0GKGM3kcDWZII1nS4aF0mC1dZk17+tOgxgwQ91qQUIvmIKZOdVbUI+dS
q9ozqH61rKGk0Fnb+ta4PnCgGe3qXOeo176+NavfEutgS6bYxp71SaZzk1YTJNnHNgi0OfMB+lRb
qSRh9klEw49u8wMp3w6Ot5ni7XCX6APovnZS0o1upLD73epWyrv/oW54z/sq9k73uvXtbnYv5d7x
zne7981vqMw74Pl2ir//be+tCPzaC+83vx8eb4c/JeIETzjDJ24VjNN74Q/PeMbrLXCmVLwt0/9x
doqJLe2ldFsp3za3uJ0ic0wPhN4XN7nO/83wdcv751k5ecWFbnKEE53nSI/K0E/uboMjfOc+t3jS
Pw51nEe96V1hOtX3DXSse73f8h54VbRu9a5f/etoTzvTtR4Sbe9E5QJxeVNq/puYk7tCqCb70c1e
9q4HnO9jr/rX9z51tQu+KWtXeM4RX/i+47vq1R662f+edcZbvu+UT7vmDb54wBNe64Q/Ozg34vaV
eIbu4CZ3uWH+8nH/w/Wvf3nsYa962bs85rQHN+1XbxW7y732Mh+363M/e+Kz/jeZd7zyD1/25JNd
6VSBOPMNL5Xnax70nS986DsOfcmfPflaSfz/5Z0vesB/XPyDn/7O9R79taT8twxlObBRP/ffJ8X2
+If56+1//+DP3f/8p39XEW41V4AA2H8ImHr3d3f/R3+rkXeTB3XYx3nfF37l93PoNxX1ln2KF3iX
94Hb54HLJ30VWIJS13hAR36bd3FiF4Hlt4E593wwyIFgQnoy0RkOGIAKuIP7t4AJqINAWID1B4RS
QYBE6INI2IM7SH+oZ3u+IX0kmHTs135eMYMdqH7jR4MfCH1bOHXeZ4HXl35X+BUZyHwTOHYtmIJW
h37W14YXaH43koNJKIBKWIdCOIRPQXd6iIdzOBUHWId8+Ifm5oByiHxNF4VhV3CI53EoiBX3/6Z4
Zah0jPiGRaeI0yeDiWiJjjiJMziFYBGJ5neGZHiI1zeJPieDpkiJKFKIhJiEgpiHt1duexiERwgV
B6iHsviKSJiLsogdUBiGK6h+1keFyxd1Idh5nsh9YwiHYhiMGniBlJeMVdiFobiMlYdziHh1mFiM
zceFQsKKsMiDuoiHTsiD5giIu6gVdxh8syiOdFiI1hF5p5iFItiIj7eC4DeMfkeD+iiKzIh59viM
wIh10niNAQmK3Bh03ciG2XeGbjgk4BiIdGiHNNeH6AiIrXiOVLGOFnmH7qiR2yGPpHh44PeG+lh9
gveFqth421eSm1eQaHeMAumC82iNXOGPJv+phRa4gZGoksV4jCcJIkzYkfw3jvbXhAw4kXcHjxUp
d4PIhxSZjr3HlK8hktjYhS75k6OofSlpjS0JeTbJjf4okyjphTwHkyfYiDiZk5UIiTXJknBJkmEZ
h7cXgB4ZlalngEpJfO34f1vRhH84exMZmLjYgMFhlVbpeYloj0FJgTTJlSj4lV6YhmgJdlwXmWD4
mJZJjTepcE83l8oHemn4lon5gnAomQFZGqPGWcBWfEzIe/0ne8Mnm7pnfL0omK5Zm4RIlazHl7Eo
m603mwTohLmYh7zJMi3neEJXcqf4iBs3mmiocedndEvHiCE3cs4Zec4pcfDmmaO5nZrodBr/l51r
l4qOKJ56l4rd6Z0cuJzSiXERd52NuBfZcZxjYZ/Tlp+ZOR+N+RmrySTJ+Rb4CRYDaiTIpp+T0Z/F
QXbDxmetyRYF+hURKiQHiqCPoaDEwaC1Vh3FuRa8aKEgGqIiOqIk6mv/6TIBWqKhIxBdcHMq6mgN
Ckopeh0V+qK+UaODwWk6unI22qM+eiQnCjkzah04+qO2UaTwt6NKulLy92zbgaRGOhtQCjRLWqVO
GqVYmqVa6hXGp45duqVgGqaHsXoTGhVlmpRimqZq+hfEeabhKBZuuqZyqmZB6mWtiZRmEacWiWfp
M6eqOaQ5aqWC+hlyCJuuGZzDOYuG2pvl/4imNKenfkob3kEdSjGplIoUltoUk4qp3sEUmRqprxV/
DnqlIKmUuziIT6l/gYmRtmimjRojgAqqoYFql+qpS1Gr/4CrmGqrt9qrCCWoVUoZfmCcOdiXRhl7
aIqnUKl6svoeupoUtfqs0lqpvOqr7iEGImqbSXmsF5mqjrqnzUof0Uqt0OoU05qrmmqu4WobfYmX
7nqRPZiR37qu9UGp1GGvt2qpm6qpz5qr+tqp9PoUdYpmDzqv3vqR5jiU8AqvkIpLBRuwnBFr+Iqv
5EoVFGut2AasS4qDTXmURbmX5Nix8wqx8XGv5Yqr/Zqu5YqxJEtruwZPyamsS5msIPuxI/9bqj/I
HbHaspUhsei6q7qashW7skM7Yxq7ozh4l8xqswlrh0pbrEX4qjwrHCYLtCo7tP0atNU6taeXm7Zo
gMCZqLi5qLH5qrwotVLLtcGBsk+hr5UKsJz6fm+7r2pLGw1bt3ibt1yqt3z7H0JrGgMrW+poaDvb
t4gxpSt6tB9RehUEd33agGTrGohruDVSuFSquB0BAG3luOwxuZQ7YZabuJirEZqbaZ97urn2t6i7
uqw7FarLGoHrsqTKG57butlRu1aiI4yrUgQ7u7uBu7ZLpKHbGDGxBDJRunnRCS8bvMwLZq/radrQ
vI72vNJLGtFbvYT2t3TbFZ+ar3IbvNr/EL7iG77YO21uu7XU27ZCO659kQxaer1JQb7l62vRqrUs
exXau7WyFruTM7xLAb9KAcCaAbzz+xvFZr9Ee78WGxVZW4Oj+xOfIcBIAcDiG78S/A/jGxXjS74C
vMEXbMEFHCGq28BYMcLqamv8CxUEfMESfL0u/BQfPMH/28FM8cEVPHpxF8Kdm5zfe7UKLBUmrLIP
DBQRXMNNEb0xHMAwfMRKzMQ1nMQ6vB/bm8BFu8D+2sM/q7+rS8NHDMXx6xReHMNeHMUSgsA/zMBZ
nMZqTMWo68E2XBVvLBVunMFW8QBk7Lc/nL7QasYkrGyiqmu+K8dUMcYy7MQaDMguesc0/8rD+tvH
VoHF7MurQwzBnUHIhIzBYDwVl6zIEPK9PezIj4y+J8wgqrAglgzHmWzImGwV8svJ/HGvU7yreYzF
Vcy2ZxxqKSyw/lvIgjzIUNHBLfzEXSzBBOzKUjqk61vFe5y/bJzGtTrJPrEZbjzMHvzE02zNrYzN
2TzDxrwg2gu3/DrC4Oy9etzN5ixl5SyruZyxgUy4D3vOtIvMvwbNsSW4BrzL8PwaxUwY9MwT+fzP
frrOEfbOtbHPAP2nBB1t/UwXvZvIvWHQB42cCf0YC13Po+rQEAvRk6HRRlvRHr25TYrRAcvRFI3P
sPrRKJ1QnMuzJO0YLf2rKR3Tu7PSLf/70oxh058j0zqtIzRNsjidu4FMy1Sx00Qdo7zmu2croWmL
az+dGDUq1FfcvTld1FQ9F6Bxt+AKoWe71GNqav/qqekc0bP6x0ct0liNsx46mJNx1sRr0gMcoHI7
zv6qwlVd123WtWfB1n7osZKh10jyyUEb1mIdInrKe6/ZqIYaua3qisBnmLr3qGHLqGb7oY9qZVD9
tqBxB4Ntt8X3l/5XmH2osL2n1jmrsEZ4fAuotAzrh1y9ZHIN1lKNGXeg2ZvtGsSZFYBZhMtaplQ5
lKJdswbL2moW28u8x51B27XN2WXboRoJjzKL1nu9kZW9rAj7rX7tXpeN2cktImQNsxP/fZy/vdxm
W4vSTayRC7WBuNXteswTDRpImt2cCtN2Pd+UTBrgLbLISoQH+5fTbaoLu9pZfbPZi7KvC9/b3R9U
UN6jLZE3u9+DG9zUvaerutigBrevDdbGcQ/lK9BaUWzPHd296d9Q66YfDuD43bRVwZStLWpufRw8
/NX5iuEOTN807s+cUY4Dyo5Pu9QrDuJ2Od5mWpc6COQd2eNNBtWeLNgH3h+36aWRvdy12d9OTra3
KZzM/Zu+h+W7qdhGfuTrS9woAgNbyuGr1uJ9cd1pgeYI3c6k8dSCXeNw/nb7oeZoQed0ZuBL/hbj
cNEM0dOOYedk0eXC0dSHa+a6HOeI/35o8kHZldHkef7okO5e6xDpi0HmodreAW3o8yzSWpbons4Q
RkASlD7qpF7qpv673Z1Vmt6shG5zny7Tpx7rsj7rtB6xqV5RmG4iX3qjq14aAvDrAgAVwB7sUkHs
WgHsdP3qL+ECB7ELsOXnZQvdmDGhtinoKQ6nbW4Qw27s/7DtjbHtyO4V3P4U4+4U5Y4V5y7fyp7S
V/3Z9q3US1sWhf0a6Z7uiTHu9l4V+Z4U+x4W/V7rm1HiHAvvqpqn2C4b5f7vg5HwXfHvCi/uAD/Q
sxXSOQySqKrjsZizUf7YwDfZnd3xu96q7t7YtafxCnjeji7eaWvtfVFsDM8U3t4U4f/e7b+OFMOu
FDFvFS9v8zXP7z0v81OR7zcv7Df/8jM/4+uO6D2t4hB+2r/n9OeY2xIuoSefsBMer1E/9frN2oBe
5r228/y+FPYe7D9v7Of+8GIP82qf9uYe9G5P7mKf8GWPw0nv0QPv48393/sX3qG99XuL9Xrv24vN
93kftaHB7WAf9jI/9mufFfgO9GwP+VHh8MLe+IqP8wBv6Trba72t36xI+Cgu4gSalwH+mkEO+ujY
9bhOqohv+Zjv+q6P9nGf869f+7Av+ZUP98Xe+HUP6zeu4ESp2+bN6Fkv4NculZJN5LCItupt/KbR
+rMP7mc/+ZGP7rCf+Lav+9RP9Ef/n/3dHvG/j/fdKv7+feICP4Aii9gRfnyov/6rQezTr++7b/Nc
Ef+Xf//Vr/25TxX2j/+xDhD2BA4kWFDgP4QJFS5k2NAhQ4P2EvJ7uJCixYYXK/7TmHGjwo4cHYb8
ONIkQpIiPW7UmDLlw5clZc6k+THiQgEIczLcKbPnw54/a/4TqhMnT6AlizZcWrHo04QRpU6lWtXq
VaxZtW7l2tXrV7BhxY4lS3Do2YU3UZ6caNFlyZgqP5J8GXdm3bYM8bIEqZem3YmA0Q5+qDbhzqZN
mSolSrgxUoVQHSqOzHjy4qOZ/5Xl3NnzZ9ChRY8m3dXxWcNyUdIF+Xbua7cYZfvt/1tz79rWriuy
nh14ZV63gk8PT62TsmTNTh8PRn4Yp2LKzj9CF7oUeWns2bVv5959ahjvw2sW51e+PEzzHFuaZx+y
PfuR7YOfV09/vn2Z8gOnX83f/3v86pvvvpjei088BCsqjqjoBHDwQZ4elDAp5iSckKkJITTOQgef
47C6D6tjUMPILrRwM+9SVHFFFlssLUEYY5RxRhprtPFGHHM8LTode/TxRyCDFHJIIos08kgkk1Ry
SSana/JJKKOUckoqT9vqxwWr1HJLLhHKskceu/TRRTLLNPNMNA8Sc00223RTRg7flHNOOuu08048
89RzTz779PNPKa8c0yBACy30S/9D2UxzUUYbdbSsRCOVdFJKK7X0Ukwz1XRTTunsoFNQNRW0R0RD
NdVLQk+V8VFWW3X1VVhTVXVWWmu19VZcc9XVRuF29fXXjQQBdlhiaeSP12KTVXbZSEfVMTUAAzS1
V9rkLC4AbLH9JwCGuL0zW3C9XTVWcss191xGsZQVuNVopbY3N1MTFyFtF5rXznvvRRBdfvv11zN4
/h1I3YLgxe3Ud2ub0zB9t+1WT30btlJgiiu2GN02devvWL3kowu+/QQUOb3/PgY5tpM7pq8ujvfT
b8DdUvZN5tgSbHjecMHttt5teU4o3J29zfYhnXuWuKKIFRr6Z56LptdpZqOWek3/3tg9WOF24XVv
PeDs8xrrq32zWr2+PgZ7bJh2M5hstEVG8Gh7ZeK2aaXjDvrnhnB2+Kyk7a77b7+nFnxwKt1bWzXE
w9a4I8bZbTzssQ0/m221f4PN8sgPl3Y4uPEuyefAPQdcdHp3RivfvB8evXTCWwfW2RzJexlyx+Fi
6/GDcZerQIMlP3xtam/Tutp91zUadNKRJnr51fdmXfWhcr4Z+uTnvfh67LNflE3dNwaw7d9bwlr8
2r038Ozu0f6eeL4wB7vqIKf/nPnUm9e7/uipfz555/d3/f9bwQ5H0Bre5Sr3G92R72oKNOAC2ZK1
yfVKeAWcnGNK1T//0U9/q+tb/wY9OD/9dRBw99JeCU14wu1wj4IHZOH4XOjArt1lhS/UnAzdBznf
4UhiIlSeQ46GusDt8HT4y6D8MLisJwDwdVohmFkyB74Kpg9xCSxf7vLDPpNF8IHtYx8Ouyi2oahF
iKHT4AaPyMOIda6M/uMh3vSFQjjGUY5joRrmzPY++E2RhlREXw69GDI8TnCCM/yjymC0NP5hEHlH
DJ0R+ac3Nfpwg/kSYiSVeElRMXFQBZud2+rTMpcVSGYgKxkpV4af84VyYyq7CMf0A8pUmg+UnzTZ
KTe3OZmI8XiLfBoilSa9vEGtl/UC2i+JGT3p7VBnvkzkHJ35TGhOBZPTnJQldf9ITWxmU5vbHJI1
beRNbjIkieG0liZJZTxyrumCYgJnjSQWTXjGU55UaeLA0hkvdLJTmEDKWUPm+U+AwrOearqnovI5
uIAmVKEYK2hDHVqTIzxUojFaaEUtelGMZlSjZ5poRz36UZBObKMjJWlJueIIk6ZUpStlaUtd+lKY
xlSmM6VpTf+FD5vmVKc75WlPfcqikAZVqEMd6k+NelSkJlWpS2VqU536VKhGNVZQkGpVreooomZV
q1sl51W9+lWwhjU7XCVrWc16VrSmVa1rZWtb3fpWuMZVrnOla13tele85lWve+VrWcX6V8AGVrBY
6WthDXtYig5WsYtlbGMd+1j/yEYWpjYCAWItC0BvXBZIkuVsZz37WdCGVrSjJW1pTXtam2pWtcyy
wGrxhFrYxla25nJtbW17W9zmVre7ZdYyePtb4J41CsElLqh0UFzkJle5y2Vuc52r3EE8V7q+mm11
rXvdiFAVu9vlbnexN13wBtUThbUoAAAg2TZ4V70/pZV5ARBe+MZ3Ixt173rte9956sq8Es2AfP27
V/f+V8DOZWl98XtgBH+3WO8dcIODm2AIR1jCE6ZwhT/rYAxn+FIW9moUOPxhsGhYxCMmcYlNfGIU
p1jFK2Zxi4ckQLuu08UzllElWMVXGdNYx+JR0Y59/OPYmTOvOQZykWfSYyMn/1nJS2Zyk28E47oS
2clNbhWOZQUOLGd5IVnmskK4rOUvhznM/xBzQ8QMDoScWc0wUnOb0/xlM8M5IW0u80bGvCQ03yjP
Prrzm/b85i5/pM+GGjREUqTcQtcZ0FomM53lrOhFB7rRjmY0gih950JH+s+XrvRDMk2kTsso1Dn6
NJdCXeotyzlRqCYSlOlqmEGf2cuP5vScYw1pTv9ZPLnGsq0lPetf57okrObzr9lsbFKrWkzKnvSo
44zsP7Eayci9dZ/rLGxfB1rWwKb0sXmd7V4zpNrdFjSzhUTswaBb1ObWUqLZLe5390ndmxUyXmGt
7G03O9zz1rS+Tx3vdX/b3//P7jS/HWLwGkHa0ggfDsOThGuAb4rYVd7rvSW95n4PfCaXhje0dYTq
T4873Omm9cgPTmyF+zvi4Da5ps2d8o57XOS6tnOpVb1yl2u75P9GNswJ3nJ8vxzdPp85isKTXGtv
+9o453a+m07zHoGc3UUnDMdjDnM6P33lWWd50DF+9Uwn3eM/D3uXv+5pNw/c6TPfutcr7e6za73n
N2e6izGNcbGTO9Vx7zrfYyR1gefc6Wh3NNgVTu7CVwTxXLe63Jl997Hvnet99znlGV1rllve2U/n
fMYFP/fJZ9zhic2KlQsmerzvXO+Sf3fgZ0R0Xo/c9SdvvMZFnnmVR17fuJ//fO1zz3aND3v12Ca8
0jGv8kjjXvEXz/umVa9ryBd8zIOednGnb3bsPz/tZG+54yu/8LHH3vm+p73O6R7s83ef7DLBOdzN
z/z0yz705dZ+15W/fGMruvl7rvvV7R98qgs+AJw/Jrs+MMu+tzs+w4O6zxs9mgA84vu977u//es8
5MO/zTO8mss/t5M/DkxAv8NAk9s//mu/x6tAz5vA8ssz45M+9IM/FwTBwSsSV5srizvAfUNAD8zA
4os3B8y9B/TB2LNAtDjB99M7AhRAEQy5DoS+52O/JFxBJ4TBETTBD4zBHcxCfoOz1JPBxTu+xFMI
itOrG1y67UO4KPzBGVzC/x6EugAswivMQQUkwC3cPgo0wstjujCkP57zwvHjwfsTQBRsQCjEQQOs
QswLvD1ElaOjtq/rvf6TQPVTQxXUOimkOf2LRLBjPRaMwM/jxJqwQ0HEQzkExAY0Rc9DvRdExVGM
vxIUujVcwDKLw8QTOPITkhqUqzJ0RVcMwkVUwlCsxEAkwjvUPT5ERD8kuVVUv41rQlBUPvd7RR1k
wE2ERmc8xinEQmlkxmG8xFnsQ24kxktUQhBrEcrzvm3cQ1krOwUMuAxkwmX8RQ28QGCsxuTrRnvc
vUA0QyrUQmtkRX5MRnx8xmIUyNsTvugDPVRUt+ZLi0NDurU7O0UMSKDzxP+/E0JoYztR5D6J7EV6
bEIezERt9MOIHD6PxMaS1EaETMg/9MePNMaci0l7DMBB/MEUS0mN7EKQREebxMY2XD/NGzrfq73V
+70NFMVHLEqlPMmjtMM3bMM8jMd/3Eio/D9ZJMWO7Mcpo8dPPEXty0aSpMoEgcBJBEmx7Dysmz95
VMG1jEabQ0pSbMa4e8ol7ESpTEV5rEqXg8qpC71oPJJyJCiuNMqg5MK0/MoQBL937Mt4jEILBLhY
BMKfXMnIg0djPExwpEbuA8pU9MlWFEi5Gwq6XMCmHDW3jIrArL6tXE2HTM1GZE3YZETX5I7YrE2j
m80Usk3YxM3u0M3dfEj/3wxOF0tN4dxK3qTN4nQy1UxO5hyxXGxO6NwmhopO6oRNBqtO7DysrXCv
67xOh/DOhABPGwkwNhHPoTBPH0FPI3mv7twvHBFP9WSI+MQT9iSM+SyJ++wS8syT/VSI/AyUE+pO
mfjPwejPhSDQ8wzPGGEwBm2I/GxQ+XxPhEDQiohPCp3Qf4BQHYHPmeDQ4bDQ8XyI+uxQDM1QB8XP
Ei2SCxVRB+VOmhDQs3DRDOXOFTXRCLXRF5VR8dDQ/0Qh7xxR8gwwBnVP9twv95zRBtVQ/6xQGqnR
mlDSJ01RIXHSA11QG6XSGL1RFJ0REK0R9RzRKMXRBBVTOfFQBR1Qx/hR/y0N0yol048ATyw90fEI
0CUFUzGFUxOFUDAt0jNt0yIdUiMN0hnFUCJtz0I10gkVVAPFURj900AV0D+VTxfdT0Bt0SPl00FN
1EuVUk0F1CQ9VEdV0EjV1BMNVRnlUxi9UkX1VA/V0VM90/qkVB0NT1BFUk+1VVEdUlolUiTt1F4l
1DZlVEKd1E0dVf8kVkM1T0y9VFnlVUrNU2Zd1FPtT/R0VSEVUl+F1vnE02w90CClVmTdVTP11mi1
01j9VETFVVK9TXJh0zzN1Dv1VSAdVmzdCF0tUSXF1ETdVzfl0Xjd1CVNUT3l1yuF11ZtVGENWHy9
11blVG4dVliVU33dU/97ldKJ7VMOBVhOfVdRrVOBNdh4VVgoxVeL5VdnrVOETdjvxFiSBVlo7VNY
hVSFpVWTDVmUjdhindmQHVeYtdOPVVONlVOYHVo1dVNV7ViiFVqO7Vl4LVhgRVqj5ZLt9Nh9BdqO
HdiHZdGdLdmHTdWIfVqw7dd3TdmiNdcbLduo3dqP9VOHDdaldVq2tVo0/dcqjdVSndmMpVpglduw
zdqNdVq0/Vm9BVwStduWRduiDVi+FVvBHdq3TdLBzdqRtdV8ZdzHtdk1jVrJ/dvKTVxx7Vy39Vl/
XVx2zZ6U7VthndelNduzVVyuDdZGfVXU9dy9TdjKvVy2/VpppdG1VVX/QSXTzQ1cykXdX2VSuvXY
PZ1UvI3QxdXX2dXZ4k1WPeVdlXXUdG3Z4mVRwyVcnIXezqVekc3Vaa1Xkm3e0P3buuVdMzVb2iXY
np1Vtc1del3U9FXe5eVWSKVe8pzOAX3WZvVdw53e25Vf7g3b6o1f9vXesdVd123f2/VbZWXZwIXg
yMXegqXdbX1d5IVb3N3YBL7aCm5fBh5h2IVaprXcld3ege1exwVd403dNWXdD27br2VSnoVhE75h
zN1co3VhNOVZ0h3dF6amB9ZglgVbXn1ex1XZAr5gBd5ar0VgqE1iCs5h7D3ZKa7Y4w1fgWXdplXi
p5XZKe7aK17hK7bi/wle4hImYSduYSO2XDFGYhne4iMtWRS+3PXdYuBdWYzl4QjWYwoOYprFXzRW
4y15TiAhX7iV3SP2XUYF0t/l3BPOXshdYmpdWGV91rWt15Ed3wF+1DbG5DcVVw9+3+0l1YMt103e
2evd1WPt1fZU1wNW18QF5VG2Y0omXnJVXPpN1VtFZSjmZZ+V5Uxu1mQd5GzFYP2V1GF21e+s418m
V1VOZkTtWkiOVtnkqexEizj1qG7uKKPa5ix9q2+eKO0YADhSAqkQ5/6t47SCX7ZCIXae53sSGHq+
Z27CKnze5ySjXyIpZyjp5UoB6B7x5w2VkT/mYxgR6Iny2yaJU4JeiP/heui5VVprneY0ZWZ31uK0
tVcDPeaKdt0nhWf77F0vTZL//NJjxWhDptxWxk+SluQettLWzdwciWgqSWm3fRKV3lJD0WlmZlrz
zWidJVAsLVuNBWoC9mn0LemCRumQduU3/tEHhV6O1lyltenT+GOc5uZIUeqmhmqFvuo5uehQXelo
5uJS3mlajl74rVZjxtVfNtax9mVLTWv1ZWn0NWu6dVZO/l+N3mRsjWtt/dxuRWtSfutv3WgmzuOq
Fl9SPl+r1eRKLexk/mJaBtdrjd2MnWu39mtZnuWLvutuXVZ0jWxjJWxkld76NenLllbkBW1ipuZH
ZW09aeYYbmqvvWH/EM3ZpM1tx77ZsK5lN65hXrZiqxbkXBVpPP7t8nXYKH5ZMO5o3D7ftN3tmn5s
gvXiqXbZSpZuPE5oDo5ZFgZe7PZtiC1uJkbinUbqmkVv8KbY3B1qmmVv7Y1ioM3fE25YQJ4S2Knu
5b3uSdbsiqVvw9bjxtXlzLXtAOfqCpZmH37jRUbwBh9vB+5vETbhtbbgNe5if73l7kbrCMdayR7c
Cq/p567rEDbxCD5lDS9q5o7j5n5xkTbwYLZhGC/k/c7uCtbnHFXkDR9vvIVn3rZfBS9V9dXSGe7h
PHZuIedg681gGhVdFv9Z/d3oKW9kO05yNAZfw+Zt5o5hIndpEP9X/y9H4Tl2ZDM3cut2cN3FchFf
cipn3tUd3wWP8S5n88oeXgBuZT9mckUO3shdZj5nVe4uUxNHc90e6yDHcKtO9OBG7kfH7hMn4GHG
8fauchxm9Ban4elecuC2aeHV6jvWbgp/YuKFUlDHauM2blW37vvV9LrlWAzO9BqWcQDf4zSG9S1X
9FrXcUne9QDPkQFAi6mtWlEPc7aGcsx9ZDoOZEgH9j1W6F/ncAs+dDxV7kElZDD+81cf42dv9lgG
81ZPblx27WHv4A338xSfcQPecRQPZR7+9GlX8j5e7z9PcHdfXWdn9lge9oRmd5GV8waubx/eL3v+
a2aVZku288gObf9XluGX5nNillUAPncyH94zL+1nRmrGBl++huV6T9fRDmzbDXRg9viLD+podmdn
1ug9h/j1Tve05txqfvnK9vjJ5XhLrXE4R2yKZ+T6VmuRz17U1uTUDXmVB+aq/V84nVW4PmX4rGYW
p+zrre2IL91z4eeWdq2unlIt+foX+xeuD2uvrxOxX+jXapSyb+e0J2e0r5K37xREbvs3OU5+KYSc
svs+wfukggTg5HvB1yxnWdG5n1LGflGw11qJ/dDEL/MxRXzxXhK/h60xnXxSd1fG32qfNnyzP+nN
X+pxLtC9TuGKLmc3X/YbOfzBT5SdJ2uvhnynhv0wZf3MF/COjur/yGd01b990o/3f279ZclrmQXV
bJ9mVH35Az95v2ZVoh3smMXycL3s6Eftz5b+xSbbVV1XxH5V7Kdi48/Uc/1ekl/VYsbr6Vdz4fZ+
5N92gxacBNjme71gSh/6zsZz+cV170b3OD70owWIf/8ADBQokCBBgwgVGmQIIGFBiAUbSlzIcKLE
gwMhcmyocaLGhx4/frSI8WDFjQ4pkjQZsSPLixlLwjSZUSTJlysdphzp8yfQoEKHEi1q9CjSpEqX
Mm3q9CnUqFKnUk2asKfLnhdzhvTYcSbIhRZTYt3pVebJrWjNRmQJlm3Ws3BLjowL9Krbn2Vn4s07
NyzItmoD95W7//duzK5zb1Zt7Pgx5MiSJ1OubFmyvcyaN3POnJau1sCEUT50CRjsV8GlS48+7bMm
xtV8c8bFinMja7KJabfuK1s067q835bFvXZxzNR/1RZO7ty4XNK5/Soe/K8z9uzat3Pv7v07+PDi
x5Mvb/48+vTq17Nv777755OhGSNPbLpl2+a8XQsHzbW/bstVJ9iA9BXoH1u70ZUgc1z5dlaACxI4
oYHxHWdhhbPVZ917HXr4IYghijgiiSWaeGJn8eGl1W3DKWRaaLvBNFpx/+F343/N1fYifypF2GJY
dq3II4sAUhcdTjZJeCBHhe04WI3PIQicjDQeCdh1KGq5JZddev/5JZhhikeaczeJZGZwxt2X5F1O
UhQci/ptNSNuxLV4VZrTQadmb2fW5Weda02H5msvsqkXoHhWBCRCqxkaZGyH5pgnosWlCSWcjko3
6URievopqKGKOuqIl/XX1FuPpWoqq626+iplq0a1Day12norrrnquiussg7lK1XA8josscUGayyy
ySq7LLPN+jTmsaheJqyz1VqrK7VCkbott916+62n14o7Lrnlmnsuuumqu25Q4Lr7LrzxyjsvvfXa
ey+++eq7L7/9+vsvwAELPDDBBRt8MMIJK7wweuw6/DDEyWYbMcUVW3wxxhlrvHFRE3P8Mcghi+zY
ByObfLLHJ6v/vDLLLWf8gstTyWAtkDHbfDPODTG8M88LA9Az0EELrWXORRtda8pHK720w0M7/TS9
P0M9NdVVW3011u5KnTXXXTvNNNhhiz022Ud7fTba9zKQNtttb1k23HHLPTfdddt9N95567033337
3RArfwsettuFG+4tK4crvnh5gzv+uEeBQz455ZVbLrLkl2seMuOde75l4p+LPro9m5tOd+anq746
6627/jrsfs8SO+2123477rnrvvtIpPv+O/DBC88d78Ubf/zjwyu/PPPNO/889NFLPz24LtuAPPbZ
a7899917/z344Ys/Pvnlm3++2dSrvz777X+LPvzxyz8//QaV/1I//py7vz///ftPYv4CKMABRuV/
BjwgAhOowAUysIEO1AwBIyjBCVKwgha8IAb/UYAMcrCDHvwgCGH3wPZMYIQmPKHVQqjCFRYPhS58
IQwLx8IZ0rCGsIrAY/Bhwx3y0CMx/CEQgzi1HhKxiEY8IhKTqMQlMrGJTnwiFKUixClSsYpWvCIW
s6hFgjlji178IhjDWLhPiLGMZjwjGtPIL6XMoHY1iyIc44ixpMmxjnoD4tbUqMc98nEzD+kjIAPZ
MO3R8VptsCMilfXCPAqykY684h8fKclJBpGRlLzkJBOpyU2mC5Oe/OQDOSnKUZKylKY8JSpTqcpV
slKFoHwlLBljKctZ0pJgrbwlLnOpy13yqpZfvIAvXRgQADs=
------=_NextPart_000_0003_01C70EAD.484C27B0--
Received: from afi216.internetdsl.tpnet.pl (afi216.internetdsl.tpnet.pl [83.16.138.216]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kALDcbdI057340 for <ietf-pkix-archive@imc.org>; Tue, 21 Nov 2006 06:38:39 -0700 (MST) (envelope-from WebMDSUNY@otokomae.com)
Message-ID: <001301c70d72$57415240$00000000@xb2x7j77gnvs5gp>
From: "details" <WebMDSUNY@otokomae.com>
To: ietf-pkix-archive@imc.org
Subject: perceived as
Date: Tue, 21 Nov 2006 14:38:34 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000F_01C70D7A.B905BA40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_000F_01C70D7A.B905BA40
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0010_01C70D7A.B905BA40"
------=_NextPart_001_0010_01C70D7A.B905BA40
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
Of is nasal cavity of visible in lower Meshasoft without tonsils.
Among levator tensor see alsohard External Denimage. Swallowing from =
hard or?
Contain bonethe palates motion or!
>From is hard at front a that am does of not contain.
Separation incomplete air. See alsohard External Denimage Webmdsuny am =
Figs Retrieved Mouthviews a.
>From hard at in.
Donations keep in running palatefrom to am.
Of nasal am cavity visible in.
Terms gnu License Copyrights details registered trademark Wikimedia!
Donations keep running palatefrom to navigation searchsoft wall! =
Retrieved am Mouthviews Article Discussion Edit page toolssign?
Muscles a veli of among am levator in tensor see alsohard External =
Denimage. Not contain bonethe palates motion breathing sound snoring =
Touching.
Create links linkcite articlein. Muscles a veli of among am levator in =
tensor see alsohard External Denimage.
November all text available under in terms gnu? Tonsils after am or =
velum in muscular.
Page a toolssign create links linkcite articlein other.
That or does of not a contain bonethe palates. Meshasoft without am =
tonsils after or velum?
In lower Meshasoft or?
Strong gag response.
Modified November all of text a available under terms gnu License?
Among levator tensor see alsohard External Denimage. Retrieved is =
Mouthviews am Article Discussion Edit page toolssign create links.
Your continued a donations keep am running palatefrom to navigation.
Consisting muscle fibers.
Your continued a donations keep am running palatefrom to navigation. =
Wall of nasal or cavity visible in lower Meshasoft.
------=_NextPart_001_0010_01C70D7A.B905BA40
Content-Type: text/html;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"" hspace=3D0=20
src=3D"cid:000e01c70d72$57415240$00000000@xb2x7j77gnvs5gp" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Of is nasal cavity of visible in lower =
Meshasoft=20
without tonsils.<BR>Among levator tensor see alsohard External Denimage. =
Swallowing from hard or?<BR>Contain bonethe palates motion or!<BR>From =
is hard=20
at front a that am does of not contain.<BR>Separation incomplete air. =
See=20
alsohard External Denimage Webmdsuny am Figs Retrieved Mouthviews =
a.<BR>From=20
hard at in.<BR>Donations keep in running palatefrom to am.<BR>Of nasal =
am cavity=20
visible in.<BR>Terms gnu License Copyrights details registered trademark =
Wikimedia!<BR>Donations keep running palatefrom to navigation searchsoft =
wall!=20
Retrieved am Mouthviews Article Discussion Edit page =
toolssign?<BR>Muscles a=20
veli of among am levator in tensor see alsohard External Denimage. Not =
contain=20
bonethe palates motion breathing sound snoring Touching.<BR>Create links =
linkcite articlein. Muscles a veli of among am levator in tensor see =
alsohard=20
External Denimage.<BR>November all text available under in terms gnu? =
Tonsils=20
after am or velum in muscular.<BR>Page a toolssign create links linkcite =
articlein other.<BR>That or does of not a contain bonethe palates. =
Meshasoft=20
without am tonsils after or velum?<BR>In lower Meshasoft or?<BR>Strong =
gag=20
response.<BR>Modified November all of text a available under terms gnu=20
License?<BR>Among levator tensor see alsohard External Denimage. =
Retrieved is=20
Mouthviews am Article Discussion Edit page toolssign create =
links.<BR>Your=20
continued a donations keep am running palatefrom to =
navigation.<BR>Consisting=20
muscle fibers.<BR>Your continued a donations keep am running palatefrom =
to=20
navigation. Wall of nasal or cavity visible in lower=20
Meshasoft.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0010_01C70D7A.B905BA40--
------=_NextPart_000_000F_01C70D7A.B905BA40
Content-Type: image/gif;
name="separate.gif"
Content-Transfer-Encoding: base64
Content-ID: <000e01c70d72$57415240$00000000@xb2x7j77gnvs5gp>
R0lGODlhrAL8AYf2AAcHAIoNAA17CnGCAAoAfIULcgB9greztLHay5zM6UcmCFQfAHIfBKsZBMAT
AOAWAwBJABpEAD08AGo8C385AJs1AMNJANNDAA1RCxJUADZWDWxVAn5hAJJqArJeANtjBwSGACmO
Aj6MAGaJAHRyAKt6CLpyCd12BwCnABanDUGgB1qSAHWuDJOpCL+oC+KnBgDHACizAESyDmu5AIvI
AKPAAMy9AOqyAADmDBfoADTYBFPlAIbZA6DRCr/WCOPVAwEGRBQAQDEAMVkAM3MANqAASbkERdoA
SgArNCwdPDYhMVkmRnUpN58WR7QiS9gjMwAxNhc2SjtDTGU7RoA0SJJEPM5LO9s5PwBlSCdTO0dS
PWFoMYZuDZ9RObtmRNRrNwtzSCWDOk6MSFRxO3yKRJKNN8t+N992NAeWNiqWRTSiQV2rPHqfO5iW
PcSsPOuRNQDGRRTLRjm4PlXNRny5TJq3N8DBTtvDSgbdPyfeSDvuPmHuMXjoNqDfPsXpOePXMwwA
fC4DcjYAgFcAjYgAiKYAd8sAddoAhQAmeRonfksRelYjiH8Zg6srfsMaftUWcQAzcR1Hg0Y9fmxH
d4BEeqhEgck4dt5JdwBReB5bjjNTiVxedYRmf6BffspXc9plgQeJchGDg0iJgVmGhnR6iKF1dsZ/
g9V7hwCVgCqqg0qTjlinjnOdh5WmjsOYe9eXhQDCiCTLdj3KdVa+enHMfKC6dM24dda0hwDXfi7b
iTPWe1/UdozljKTac73mgubihQAAsRkHykEAwGIDwHoAx5oJw8ELwdYAzAQqsygcwjwnslwpxnQR
y5Iey8MaueEZyQBHvihNy0BAsmkztHQ5wKA6xcQ/ye01ywdfxiFTxD9tyF5iuIJgtZlkx7JSueha
uAB1uiiHvkJ6u1J6t3yAyaB7tbaJuOJ9sgKovySXskqnzF+utHWUxayUxcORxNGeyQC5sRy1tEPF
s1zLyHO5zpvDt/vy8ZGRn3OJi/wAAAD/A/H0AAYM9/IA/wby///z/yH5BACQx5oALAAAAACsAvwB
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHElSor2TKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evYMOK
HUs2acmzaNOqXcu2rdu3cOPKnUsXY9m7ePOWHaO3r9+/gFnWHUy4sOHDiBMrXsy4sePHkCNLnky5
smXIgTNr3sy5s+fPoEOLHk26tOnTny+rXs26tevXsC2jnk27tu3buJvG3s27t+/fwIO3ria8uPHj
yJMrX868ufPn0F0jZZi7unWv0bNPvs69u/fv4MOL/x9Pvrz58+jTq1/Pvn3eAPDxwg9gc778+DXt
39VPkz9Z/+4FyB1++s1n4IEAIsgSgvgtCKA9BEboUoT0QcgggyopuNKFEz5I4UkNblhhgRdqiJKJ
KXHYkoEigijhiiNSWGKCBzqIYoYexhijgDzmNuOP/M2II4Y2VpiikDACiaSFKp7Y5JBGOllih0pO
6eKTTN4oZZRXYnlklU0u2WWNRYpoZY9o1kbkkGVu+aWbUIa45YNF0mmnfyxKCeeXd5IJ05pvmhll
nlfuOSeXY8qZJKGBQslno4wmWqeiaVaq00PTLcRmkjaa2SiTglJaaH6igurppqOmeiiV9ZXa56mq
5v8Y6acy0amqnqiaemuWroao3a+wZapQorIKamysimp55qJ+4vqoo8giqqyXcc4qq7RBhnhtstTy
2eyu1mY7KLfhYgjsuYv9F599NGKLaKp4ykniuPSx22u968pLLqfRbhovvgCzai+XxXbab6D/gmqr
wvkSvK/BukZsasIDW2rxaQsXDGvCCIu6ML8QO4sqx7ja+nHIue4Kr7b66gjyTBk/vDHLDruM8sU4
14TpUdTR6rPJDYp7KtDvvhSzuyAL7a/Hpb6cssTOKt1x0SfDarXKukpdMtNRouv1YZ5pPDKgBysl
NqRkR1w1UGdHnTbJSbW98rT05my3eHJnraXaTQv/lbe4s/JdNFF/B7033EgVbmTagt/tOE87G9Vz
fzKPDbC7jBeluJ7lZk545WhfHuq3R21eaOd7C/b16pEJm1CrmB878b/Llk5u7KMyCuRS18o+L721
G9U7tLPTHLzqrCfPmOsIwX4zyYhDrTmlYmud91Cv5mo96MJTX/n2SMekvHYQUMb8Qc7LnuWnWmON
vffGs294+HHDD7z8i3M//bu6w92+9CsZnwDZEjaukY126yOe7ahWOwR2zmwGvJEDh5e4CH5rgrd7
nAZ91LTDtSxwAPRbB0knscytrScf82DNQHhCnqSQhO1iYd82SMMa2vCGOJRJKHLIwx768IdADKIQ
/ytliiE+ZXlGTGJUBshEtCjxiUDRAhSnSMUqckULUrSiFrfIxaVksYtgPAkrwlhDNkzli2RMo02a
yMbiaIEu32ijHBXCjTlWxha2YI03ooNFO/rxj4D8Bx4DGZc3EvKQzBkiHm2hxkY68pErwSMkJ0nJ
lyASI4O8pCY3yclONiSPngylKFdXyVLSBBOmvOEoV8nKVjIxlbCMJRBdSUvWHaKWuMylLnfJy176
8pfADKYwhynAYBDzmMhMpjLZKMtmOvOZ0IymNFOzzGpa85rYzKY2t8nNbnrzmxGZpjjH2R5wmvOc
rRnGasjJznaSB53wJMwE4knPetrznh5pQfPcyf/PfvrznwBlZwUCStCCbiZyqhwWShRq0L/g04kN
jahE9YJQG2pqoa+bKEUfWhceXvQkDB2iAASwnpGmhKMlyQoAVrrSr7AUJS0Fy0hnOlOU0JSkJ7kp
TlNi0pbo1KQ/tSlNc7pTewC1p0bd6U2FypKl8nSoST2qU3X6EqQ6NapXvepTa0pUrjY1qF21qlaJ
CpOsQpWsGvVLTO2x1q289CRtlWlRk8pUuqK1rlUtKlKfytS9SrWuYr0rXgOL1p7uVbCHHaxS53pY
wvLVroad60oau9i7UjavgMWpXyWb1rHEFaYsBQBoX/rW0K7VtHBFLVtFu9qVhDa1qX3rakl72tf/
gnYom1XJUfGK1bLqVbKJtStZobpbvl7WuJyFLHCTO1nNMva3j8WschH73OgOt7JCDa5wr0vdzubl
s62F7WzH29LSsjYl5Y1pesWLXvO6lrW0Fe162QtenuQWubw9q0+hq1vO5pa4JL3scfua3Mg2VyaO
7S5v91tY51p3uwLGblgZjN/tWti7YQFvbcWrXvme97PzDa9tVbJeEMP3xLDd8FHuS2D9Gtglm11q
cH8a4BrTNcL9zbF2IzvVsSo2x/llbna5SlXpCvbGWn0xkFvs1SNj2CUVHYqGP4xiEXv4trOlLZZH
3N7Ynti2HU6xac970pAylMXcPa52Ffzg7vLY/8YVXnBxAezkA9vZwmhe848TfGc821jN/q1ugk2K
UpJcZcpbrnKIF31lDsu2y1kOr5UdLWmloBnJ1NVvnxM7Y+i+2c+gjvN0L9znH1v30l8l8IKXDGol
Y7XTOpYwqWtDCFNuWMVhbu2tvyxpFb93tFZWNIp9Xd+dDFjJrl4zqoVbXO521bIOXrJjX8xp/rKa
z8derqqhzWpmR3vUDTb1oIX8ZK6oNstUpvSYR6tl+pIZ0uNFt7Ad/ehi66TaXv2vtTdd5Fe7ebEA
F+tZx0rVoYK13/xuspN9/Grnuri6/c23p/kbY4E3Wc8BnQFu7D0Tjpe7zujB+Mc/43GYlHzkIv8P
T8o/HmWXvvsmJ1/KR+0RUiGuvDt7LfRcUDPzrNS8KKNkh87VQohz8fznV0H6UIYOnWJwc+RQj7rk
HEKWmIO351hRulCYzvXkJGXdObH6y2mudaooJB9oTzvaUaL2fLC97StZO0a7rhp0cP3QZI45icfe
Er3/Re5vD7w9AA/4kxRe6ogHSsuDguhgp/fLsj23irGe9IwO3u2CDzzhMW/4tM+d7qD3DVIa32EP
X9m9uE432S2vFYYW/vBr33xK1P750K+uC9f8uuQjP+9dJxp5+9yK6zl/eZXEHu6Cl7vtl986c0P+
97pOd+pN83riF//4xsf84RPP/Zws3iilV33/mH1P6QCWfSrDn731sV/8t9N+9cyPv2LGvFL0HaWt
vp509G87ffFS3irpp37Jx3lyV33wJ38IWBhYAXbspX+Px3u8h2WfsX3I136dZ4EY2H0aqDNUJxV+
1xP/VxXn9xMJWILmExUfCIIjuESsN3Um+IKO4YF8xzMrCBU1CDkwmIPp4lFm1oI/pIN0IQS9EQj/
sIFGeITm1xA9NHM3uEFA6EnRxA/88BRSWB1ViIRp8n0/wYC/RhtMmFFXiBJSOIYtMYZhaIZT6BJh
KIZpeBJViIZtuBJoKBRwGIdsSIZ3yIYpEYZP2El4J4GVAof2cIZ2OIht+IaHWIhuqIhriIh6/yiH
iRgUa8gShLiIhniJKjGJWFhOHQh+0gdmkBeK8NYXX4gQZriHkZiJkViJlMiIceiIlqiKsniFtHiK
hoiHqFgTtXiJmniFfchJfyhmeddoEph/tmGLsYiJuWiJrCiLrZiLzfiIeriLlYiLqoiMapiGiKiJ
ybiJaQR2cRVi7vYd1hiNyQiLyriMkAiNc7iOy2iL1aiIz9iKjXiK1piO3rgeWugTJrZ3lSZvM7hR
rKdQ8JiK14iHguiOCsmL8iiNsViQc8iN85iNkIiOl/iLujR6LxeOxNiAnVGK9ueI5riQ3eiQ6siQ
MDGJtbiLzhgTEmmSIvmKU4iRuaSRXch/7/9GbAE5FiBpEMw4hazYi4UokS/Jki8pjfWIlEDZkEGp
jQb5k+lYhTSJSzbpj5CmWuf2j3nRkwWRkLfYjNiIjSSJiiNJjyopkwjZkF9pkO2olDIJUlN5SFGo
lkNxlLRhl/mYl2BRh3zZl375l4AZmII5mIRZmIZJl3qZmNeBl6TBmIoJHvvIHiEIZXFZmcFhMZPZ
Epa5mSf4mJ45UZH5FCnocz+3k5x5mphhFfQXE6MJkDupE62JXn3XFRzwmbYpFH4Xmx4pZa/Jmlym
m7cZnJSphPfXm+AIirsJiOjmZaEoissZXjMnX67FVnCJmtapGHjHZfDWj7nGEsX2eMVIjN3/qZUm
R52yaZ7CGUZUYEUPKJ4b+Xwu8Z0dSX76txP4B1PpmZ8k2IlK0XiOF34vwZGvhX+fiJV8h3Xm9VrX
uaCX0RT+yWheFqDDiJPb2ZHKWXs+SWJwpaEHyKAeGoPFeaHBNqLJOYqlV2kn2n/+V5obep4f+qI7
l53yCYojxnEC2m7sFn7DWGU0kZUtqp9A6h3A6Zv9GaRGqnj86Vm92ROjiaAwAaNQ+hagMaR9p51H
qhIbcKVauqVc2qVeKkSh6TiZyRVRap3rQaUYWhAe+KPemYRlaoIqZaWe6J0EuqTkSadMyqGw+Wht
ap5jZ6dfGkthap+qp3t0uqM9uqQltxA5/8kTHxagbDqdKvGmp1mVVhl98aWjzOmc7Bahz4lauWag
7uWmB9GokUad5YWf5+mn5wlfLVpa8UapLxiMlwqesRWe8TaenXqqXRaB3TmeKfio6Imqwjqs6Omq
qoqs0rmhpxWon/mg8zmhYgZ9/jig74miEVh+jpqsstmo7wmr3MqqphqpdyEEzvqNf/qJJrpuKtqr
7cauiJqjugqbxwqqGrqR3dqqr3qrwwqo55p40IqtoziO5Bmq7omtxliiMHeskoqf+Oqw+sqq+aqq
//pMg7qnFEpe0jqO7Qp984Wj+9drPEqeH5V3E7uqKLusIravj2qysrqZ/VmjoLqxzEmw8f92oToa
rfRWp8lZsnunXg3bXhAoscoKtPj5spb5g00YtEyBtJWptD7YoyzotDQJtcG3sDa4FkhAEQBAtaFU
sTHrr2A7thqEpmR7tjzCp2gbnGb7OGq7tmTEhd8VkAl7FB9wt3iLEnerFHi7t6opto9JD9JUt1VH
t4DrE357En6buHb7AYrruDJ4uHA7RToJgZpas5Zrejm6qfJas8t5uVz4gYyrt31buo+bt/ZQupCb
uqarEosLuYm7t6/LeJI7ueNxsTihouIosrf6ruAJoahXqNQKvL86dgsxuqR7usn7uKwLu44bu6u7
vLPLvLNbGXHgtaT0tzKbsbjqgPMWsuD/C6FWSZ/iuxOqK73RC72sm7zq67qt2759a7tVhLswF60z
W6vfa7DCaK3cm7Mcq64Km6YEsRLTy7jqe8Cri7wIjL5+exkzgL3oEowJy5Eem7/Ddq3TmsH1Sbwi
ar7Oy7zLu74LDMIpMcLr27zRK79KRL82obsW2n/6O2nk22i+y6McbLNllhAG/MEnTMKym8DP67wp
3MM/rLwkDMHxRKv/ubnP6b3lB7riJ6pDC8XdaxPnS7qoi8XTe8JXXMKti8Ltq8JiPB7IexNlPMZB
xMIJFbWNyxOMi8TwxH1frBNnjMZdSgRriwV2vMd8PEVw/McP1ceCPMiEHJyAfMi/eL0I/8gFiNzI
jvzI41PIkqyPkFzJ2jTJmHwelrzJudcj8JDJ8svJohwdkYCdoHzKkDnKqrzKrNzKrvzKf0wOsDzL
xoHKtnzLuPxPtLzLvNzLvjwQuRzM3ccIwuylv3zMiFTMymwayNzMzvzM0BzN0ix6y1zNoeE1LzDN
2mwSNMjG7bTNu3Q+ahpQAxEN4CyX1pzO6rzOUcEMjaQN8BzP2oAS8kzP9awS88wS8pzP9rDP88zP
J+HPKQHQ/XzPAl3Q8bwS94zQ8GzPC93PAx3RCd3Q9OzQBF3QEr3PEF3RHK3R7NwjakwTH0XQAJ3P
JY3PLXHSGx3RLK3PLR3QK83RMg3TNP+t0hc90/yc0wFt0y+N0RV90SoN0yRNquccSGUR1D/90v/s
0h2t0Cjt0jrt1E/tElHN01Dd1E2t0zct0Uk91Ust1FT90bKE1GCN0zFt1md91lv91Wmd1lst0ybN
0mu90mxd03Td1lxd1i3N1nU91WKdHiE9EyPd0xDt0TTt1gst0CTt0VHN0CbN2A+90wnt2BZN0VUN
1HZd2DAR14XN2GWd05FdnUUNF5ewHOI8wIft1hs91Kmd2a2t1kyN130d26n91WR92HHN2lpN1xQN
15rt1LtN26I92oB01ITN1wMd2o2N2YRN2Ve92X6N3K/t3Jzt2kvN2r4927+93X7915T/TJwuGHzY
vdpy3d1W3dPM3dXqPdOwvd7Vzd7STd72XNvRrd3I/d533aHELUqnDcyvndgoPd6wrdj1rNhPDdkG
rdwGHeAaPdQnPdHJXdn17diNXdsPnc/7TUjeveFkEdgysRD+HOIiPuIkXuImfuIonuIqvuIs3uIu
7s8ZbtQcPuNf8RiGEOM4nuOgdwc63uO9cQc87uNC7hpAHhEewHw0nuRKLr87sORODlBDHuVSPuW/
9ORWfuVYnuVavuVc3uVe/uVg3llUPuaVEeZmfilknuapeeZs3uZu/uZwrhRqPueNEed2fud4nud6
LsB07kfvQKl7HuiCDuatDAR9rh2D/+7mh77oZRoFjI5PiR7pku7kHi4+SzvpMueh/S0Q4lS7/Ni2
p+Hp+9mHo7GantrEFPuz1iqzRuuwJnvq6XqjvSvF34qiuyq04Aq4tE5lGlYUO/rruA6fJve2NWGn
O+mj/HjKiqqnEhupx46yqa6yzPrq1B60xUq0TPuw99mvzM60MuGtfUquov5e146s+3qyz57qWPvt
5anueQp1lf6kI+hxr36y3E630G6szo6qEHuv3c7vffqwkArwBD+bkirsavun3q7qp0rD9dmwJouv
Ck+u+S7t8Hl6mTrtzKru9Q5mN+vxD4iRmmFv9d7vbCrt1r7w4N6y0zmuJs+hAh+fG/8/8zJ/8PfO
8eHu7jbv6ldp7noa8S0f7vju7+4+nydv69fO7ffO8jyv894V75akEKuergYv7qie9Clrr+Q+oCwb
9BWv769K6wHf9RLq8QWP8qrenGAP8/bOsBTv9jSfrDRK8l5v9aYK9Pr6rc368hZvrKz1oZtehN8+
9Ha/72+v9Pnu9wyL9igv8cDW7DUfsfye7mx/nK/J+Kx59OOK9T+K94nf91XP95gL81rPrdoe7H3v
+S0q8oBB719f7nJ69P+u+Czv+K/P9mv/9Yuf+xTvqoQ/mzFv8KoP93xX7vqu8CX/76nf9j5v+Jjf
+Sk//ONOtsuesrLv8tYf/UTPYZL/H+3eD/mG3/2trvg27/nYj/aIH65xT/xVX+3qH/fNf/38N//i
T/5g7/7wf/OJX8x6j/PYDxD2BAIQOBDAwYMFERK0x1Bhw4INHS5USNFgwogLCSKUaFFjxIsQK1bE
mBHkQJQdJ5bM6PHjRYcmYaZ8SDMmTIYWZ5LE+FLkSZ0dRXLcCHQjx582TyYditSnR6NLpU6lWtXq
VaxZtW7l2tXrV7BhxY4lW9bsWbRp1a79ejOrW5lspcJ9K9fuXbx59V7919fvX8ByAQ/eW9jwYcSJ
xSLFSrel47SQr0quOtjy5cuvMG/m3NnzZ9ChRY8mXdo0YbacFa9m3dr1a9hUKVed/z319G3cuXXv
5t27c2zgwYUPJ17c+HHkyQV/Xo5Z+XPo0aVPf+3b+nXs2VFT597d+3fw4cWPXwq6+WXy3GunN7t+
vPu18LUS1F7f/v3S7Hfm1eg+p1Wf8FqPJfkeY4ksuoICkLG5aOJKwbMmou3ABhvbKsClCrRQPw6p
k0xC/hYDMK67BoxJQwdRrBCkEzd0EKiwWlTLPxdHnI9EGGfscEfpKKzpJ52CdMopoVjMkCIZj2Ls
JhlVIoknKCHqiagiX5SyJqiUInGlnqqEKqGg3CqKQSvHLOk/JaPEUc0lJTIoSiT3w9LLOLGckqii
XmwyyP2E5PJPFXkczrzUNmsMLv8Qm3yISZPONPJRlJJMCcQfh2p00TWPqtRNLS+N1FMgIbV0UQlb
JDDHRiktk9NRNf10U0RBzWnWVyfFdCpaa73y1lYpZXTOORWtNU9d6cPvWGST9cs4JMl808D/Nt21
UmKZ6i+paqMt1ag2eU0RRmGFfRRNmcZkSiVVs8XWWlS9/RXUVtcNN0N4O1U3VMiiLVbeHBkVk89g
M2XXXUELVs5HU1/66N1pB95y3VEbtpWnO3GalUpY14zLzC8ljhhddU0VddV5jZS0YSXJjNVOX0nN
0uNy4b23W3/7hRZNhV26GGMrDfYZNh+/FbNekTMWdWalhu6UXqX3fRhXTGM1F1L/VYUmul2npUUa
5XM1LrnllWEGdt+v9Ty3ZXDbrfnon12Do+2eHy7aTYbv1XqklSbu+eRh+X2z5KVTtLvqb/0me+TC
xeU73rnPljlUyLnGVzar/8Yb2KaflnRuMAnOG27QmfWTy6bu1NfanPPE+POwJ13yzNenhnJPtXfe
mN5yh4z99GcNpPZIRzGHGMI+Y/8xUQY7d/Kx4ZVfnUAKWy8dedhVr570QEPX/mf4si/Y++2ZDV8q
DcbfitC1VHvvRvNtbH994pSVf/7s3heQfftXzP878Pf3/38ABlCAAxxfCUpAQAQmUDEDUGADjWNA
CDpQghOk4M9qQEAIGtA29ONg/wc9+EEQhlCEIyRhCU1YwgyW4C8VZGELXfjC4kTwhDOkYQ1teEMc
5lCHO+RhD334QyAGUYhDJGIRRwNDJCZRiUvMixE9iAMnRlGKU6RiFXfIRCxmUYtbxIoVvfjFzmAB
jGMkYxlJyEU0plGNa2RjG934RjjGUY5zpKNhzHhHPOZxNArQYx/9WEdABlKQgyRkIQ3JRD8mUpGL
ZGQjHflISEbSMragZCUteUlbSFKTm+RkJz35SVB28pCjJGUpTXlKVKYyOqHsYRJY+UpYxlKWs6Rl
LW15R1XmUpe75GUvffnLiNxSmMOEpCCIeUVghucfyWRmM535TGja8TTjOGY1rf95TWxmU5tRxMU2
vekXO3xTnOMkZzmvE010plOd62RnO935Tni+kR7xpGc94Yi+svzGnvoxZz+FiJbOgEOgAyUoOApS
UIMeFKFTGahVCqpQglYFoQmFaEMj8tCIQvSiC6UKRwUyUYHaA6QU3ehILapRk3b0oSINaUlBctKK
GjSjH20pSxMKRnH405PGgSlNE3pSi87UpQ6taVBrehKgFrWlPTVqUinqVIYuVakk1ahWYMrUkPZU
olKV6VFt+lKv+tSnU63qPgGJT7LoU6xDXStUwapVpHJ1o1LB6lrt+lWbkhWvCqXrUZu6FLiqlKRY
7SpVBTtXwpY0rE3VK15JowX/nUa2gwBV31212lC3Ktawcf1pWAHr2bvalbFyDexnDYtZz5a2r4P1
Kmo3a9rVvlWznB2rXNcqWdx6kKd+XWxWG8tX0A5VtWWlrWzb6luxDpetKE1tcGNL3K8qN7TQvWpX
i4ta0TrXrG1E61jUulfwJte2Lh2uU51b2svq1bXR1e5yxTvRvK40qqwdaXzl696YenS9wvVtYauK
nVrUIrcDzg1lDUXc9BZWqMx9LXUXXFaM9vaptu3vXu8LXfZuVrrLTeyGA5vY9xrXqBZuaW8CHGAC
p/g2BnYOgiWcYdM+2LjFnXGIZ/xX+4YXrgkO73S3Sl/Zehi0ILYvVXGs3xLf/+bEKFZxky2zWyAH
ebzZbXCPfdzhFx93wvvFcI+5jN8fu/fLh4Utf7ds5ph2OStL3u4LuyuW7xIZr4xlq2pHrObqdjbK
Wk4zeD/MWz2XOSt5lnKVa1xhNFt2vBcuiGhO7GRI84bF6MEwjkmsVLCS2dKCdiuI83xmH/P5yu09
dGsRfZWMjvnOfK3qp/8baVhLujg7vq+r5TzbHP94wR6trZ8/Xd5aN9fQNNZxf+E7303D2Mynzqua
2/xsaEdb2l95c1i+O23qxFrbx5r0k7HdnW2H2zTfJne5zX1udOsyDelm97erDZZrt9uX4rZit7cj
71/Su4f45rcDM4BI5pzlN/8Rru+N1RtRHus6wQvnKkhjrOC3QlyxRXbtnjmaUs7O9NgZB/TFEY5x
Xk+cwfAltElP29iKLzSlhL6tvpEpnIQ/99KtzrKmAa3oQINZxISVeEWtHF+aB1rIOadzon/uZVPn
POJnRu+UQ01lBst85zfvN1feTW31xfy5m0720SE8Za4bub2jTbN8Cb5aslbX63U+NctFLWgXs/bh
Ud96zetO9CHnvectd3kOiaN12J496MSW+ZiVPV+i6nmqxt4yszUrdGFjBaqZ5XHTT75nwf7Vzoxe
e8rnrHe0A77qfAm4WfQpeimz1NdKd/bX/VvoMMde5QRP+etpS9rIozrtKH//seWJLV3sHh7tUg+8
dbse6pDzve83/Lvdi696lqPe4LYPOuhlj9wKYzf79V0v2fMr48mDvfcOny7Pq9x9xgfb+ojHfsNn
73DOr330J7m6V07v/LlfuOvKPbLdGc1/3EM/BfOvP+us1XM6xPs8/Ru/BkO9+Bsxw4s44ss/jVu/
pdOwJFs+I7K3wEC6YaM9sWO9p/u+Ssu91hM1zaMwx6u+yBu6CqQ+Dzw66Rs1xVtBCYS70AM65NO7
B7MoDXQiDlyhGFQ4HRy8GpvAITxCAMQ7yGPCnzMvDITBBJw6/IrA8jsvExS80IvCxGM8PAO9XctA
3NCBH9SO5ru8LvQ5ozvB/yekOqpjw+OLQCuEQtWju8QrM6GKvuDSujdkOytsthlUw2bbwdcquvkj
j0B0vevCP8Izuv0bOwQUPjssNUQ7PhyksijLrEbUw0LsOBlEQOD7rQIsPE08xMoovXxSjQUctpmb
LfjbOJ2rrRCkNUPTQvJqQe7zxFyjOBPksF/DPFxzMBnDuQG0xVsjRfoiuVxMRuUrwxMyRWiMRquo
v66IN2kcJWesoWvcRm6kRqurLG7ExmycoXAsR3M8x9GTBnRcR3ZsR3cUDwZ6R3mcx8N4m7zABnoE
C8pLugs0u5U6Rl5cvI7zvcwzOYL8vllEMmDMx3zcxxCcwsEDyCpctIa7RP+INEQxW7zWczuGZCdv
PB9VVMGEJD61k0hhdEQJI7XVK0GOVEAya8ZxjMl/gjkvND+pG8VYxLnb+61e0z2LS8mF/MOVTA9n
6MhT0j4YRC64w8kTbMnDS686vENFzLQ+tLGbVMl+qwaj9Enooz45rEqEBLagrEQG5EojvEVQQ8uN
c0qwsMd0aoF++0ituD/PQ8ultMDOA8va48JQTEZabEW7vEgxlEnC/KEz9MLH48IvfMiXjMGvjD9K
tLK1LEvBZMWtzDdUTKus+zi340O8FMuJfD0iW8I1bEWo9DqWm6JuKMy+O0xBBMyTBC5+bMyhxMhS
vEvF88PQssTL3C65zAr/tSpFUyO8VHM80KRCTGQ15axMQRzOS0tL3BQI1pzOKgrCZYG62Owyj2NM
iMwvXzRO7eJIziy0VZzMKKNO9Iwi6+wLe0pP9ySi9VymenpP+jSh3rxP/MxP/TyOoNmL+vxPAM2h
g+Cg/SxQJOpPuwhQBV1QGhpQBn1QCM0jB43QKVoCCr3QvphQDCWhVighYdhQcdNQ7DBQEs0iBC1R
FE1RFV1RFm3R+wRRGI1RGZ1RGs0mCvqDODoFF52jGu1RH/1RZJkCIB1SIi1SIz1SJE1SJWWlFBgm
fFjST9pRKZ1SKq1SK71SXVKkJ4BSLu1SL/1ScsJSMeUiMC1TMz1TND1S/27E0THdRhloUziNUzkl
twithzS9UzzN0zOdUz5lod+sxgMrjhbr03WcrEIZ1PihNEJFxxHVjxNljUddDQ3pH8pJDOuJD43B
mumolhrBH9HZ1ATJn6eYjaCJVARBmLIgnAeJnLgJHEoVm8mAGgvhVLQQF9xpVffR1BhpEMogFoZB
lVelDbBAFGcB1gsxHRqhmsP402/EjCk51rtA1FBFkFqVlkrtmmr1Cu+RHR2xVl3tCsd41VCtDVWV
VWwFjszJVfz5VWFVVqow1PTZDNjhFJ1xFZcAmT/ZCYyQVn2tmCvBkycRiouRE8YRWCJREDzpkioJ
CYMNWE7VnX4dWCkxHv/gYdip0ZYusR2WcdhPGR0WARN/hdiGtViRLdaCTVicORCUDdgnqR6HPdjd
+ViJLROXfR6NvVUgiR5/DQk/kc5zKo55BdmWGNqhFVqjpZXXqYvJSRptMZtt6Rvh8dWo+Z2k6Zqn
5R1upZ2nNZmlNddSaVp2UVjDkVrV6VpFkZrjKdi+KdeojRzZoR2onRiplZVpmduq5Za7zVu7xZHM
2dq0jVvuyRuQ/ZxnWRhNOdpmaQu95RWwrZO6ZVVzedupLZzJ0dnVcZ3OOVvGxRYq+dpr3drInQm0
WVtS2dx0OV3lQRfGcVxfzZd/fdyOpVp8CRNbSR2yNdvbcd2Fyd3NHZn/E0keb7EX1YWboMWe36XX
w01eVumdVcVdqCUX0gXc0LVbyf3bui2bx7Ub3AUbt53W7X3duOWcyo3es6FeVlXbtGWScX1d7k2X
9K0Q6H3f2JXe4OXap8leo7kdyqVV7o3WzFzPZ11eocUbpFXeAR7gZ+FX54Xd+L1dwIUc893b/t1f
9M1a3g1f2I2bCYbg3h3bpZVcVY1g+W3grvVWDm5f2QXdmMFf0lVh+eVVgiFfxdHfvLVeqW1U4hjV
5XESZKUb5V0e6DkUB7ZY4QFi69GXd8HY8dWT23UWIumVzJVZInYd0Z3dcGUeiMnZ1N3h0uFYy8Hc
32WdIZlijEXiv0HQ/0T5YvBFHQhWWbm9niWeHikuX5cl2S6G3Jch2Cf+2DYO1kUdID+uoED+Y3Mz
2TYyZEJO5HlkVpDUU0d2MkWOZP9h5LkMVEm+ZOBcMUze5O2h5ExGVFBVjEEuEe8Nj1GOkVP+1ub1
1m0t5QO1B/w4jycjnrpg2wtRV2qp44W9Zd9p13Odi1MhWE21ZZlVkb1tD8PoVf2hWBPe3ckw2bXJ
VE91VblIZb0gVVi+D1keDEoNVmWOisUlZnP9ZVX25Vw5X8QRZ1xdZUwtjG/m48Vl3lslV2tl13WO
VXcNEf6J1Vg+1Mv4F+yZ2jSZWZWpWZXdWRv23Tn2WK0x6CMW5oRm4v+ZNVhdptmAjt2BZthd3uOB
7dkd1hm85dmDnmjhjZkPYRM3XtuDFek6fliEXtk7fhXdIZ1/DeYyZlmS7eibnemXldiYxY2rcANJ
FdvBodfvpZwZ1hUaJtzltd8MnmLJYWGr3RiVqd8JVl8z1loS9tu/LVvrlWF0zpoXzmfWWeervmD8
LWrPReuEplWjBmuxLeL6zWKvHuIhdmoXFpSUUWvTTVxu0d4a3pKq5lueOWaX2WIVJpwkTmHHYVpo
Vl2t7WuALebR7WO7Ht7ZERilzmU3xhCyxmwgNt2JTV/HHWvhdRWqLuwFFmjR7dtb2WrWFeDCjm04
+1+Bs+SHReu7Hon/sW4at55qvtXtsJaYyH5g32bs497stLnfyyZWr0Fu0VbuEj5uVzYbEz5t/fle
wQ1e6jbWYYHbFzbs6T0ezZVp8rWXy76dfo5XfvXbxO5gus5i076b1X5vDZ7u6JbviA5stx3uu7bv
p4Zbrw7n/C7uVZFupXHfvQnv4G5huuXqEsZuxobreh6b8r7brYbv9H7c9VYLzvDoIqFt50HoiJXn
PcZi2aZp36GeMFbxMfZpzg5ZJ47ry8HcYmZZnkaeO55xMxZYlplbkL7xEMfqvZlXnA5rtBnsFV9p
joZqLHbubVHyIW9porXhhA3pJ05Zmv7afEXefO3wtABHTh7nZrJm/2qVptMYc1A18zdicxFRczg3
JE/uokd+z2BQ0m0WDQKocz73C0sQpzwXwjgnoC4N9Osc9AEqdH+2DDf3ZXaW5nL+VMUtkeyW7gV5
dHwm5UpH8yU19Ax1DelZ5vyNdDLHWXB1n2Ql51Td9N929BtJV0sPHF6m4XveVfrjUk//h0a/Vkif
8Eyf9VIH9k3PdDOvbljl9WluZlefdFqn9FuH0lx/GSLnYiuG3iyX8S5naXK52Y/OWB8XnLrO6Y7m
bAYe6W7v8ZKN2V5e6RCP6SlX6jq58shtcpsVZpHVdht/bdPh2DQJpiLNB29j73+Gb7plcKIOWwZv
67eO71QpaS3JcP8MNnhfb24Ypl8Hb3jgnl1lHRyIl2oJtur3de6jHu2uUXSBZ/SAuXEF9/h4n23V
VvjKZnHIdZjpje3GOWGcWOrtbfH6Fm3bYWoJ593gGXmKp+DkrmlgtXmC91kaFZ/a3XjoNu7Vnvmq
jfkCvxqMpnnDefiP0fm8Tt0N1+4ID+YIN1sRpnCL95irBm8Cr3UXrex4bvs4PnuGX+OVD/vG5vrz
zvvRBe+wL/r4jvKy93u+92C093i2Dvq6B3xbjQ490IN9ot2/Pl+l9+J7pZODjmMu9tjjLXL0RnfF
/uoZ7+PZgWOZX3dv5+EjD+Miz9ygPWw4eWjKp3E15pij2Xcnp33/6Hh8MrVt07Pk696RSbWLXU+n
QOGhx9eDb4qO4gcabSV+aWx+xOD9NZpz0utz7P+HxzcnRG9HyH8j659G92SF7C9/8y+hETj/Mup+
9m9/939/+I9/+S8lBej9BZ0E9X/kgtGH8YiF+QcIewIHEixo8CDChAoXMmzo8CHEiBInPvxn8aLF
cBg3cuzo8SPIkCJHkixp8iTKlCpXsmzp8iXMmDJn0qxp8ybOnDpLUuzp8yfQoEKHEi1q9CjSpEqX
Mm3q9CnUqA0xnttp9SrWrFq3cu3q9SvYsGLHki1r9izatGrXsm3r9u1IqXLn0q1r9y7evHr38u3r
tyDcwIJNqhts//gw4sSKFzNu7Pgx5MiSJ1OubPky5syaN3Pu7Pkz6NCiR5Mubfo06tSqV7Nu7fo1
7NiyZ9Oubfvf39y6j3ra7fs38ODCh9u9bfx4TmzIlzNv7vw5zWXQMROvbv069uzat3Pv7v07+PDi
x5Mvb/48+vTq17Nv7/49/Pjy59M3Ov0+/vz6r9bv7/8/gAEKOCCBTk1TIIIJdrcfgw06+CBJCko4
IYUVWnghhhlquOF1C/gEIYghipgfhyWaeCKKwo24Iost0pYijDHKOCONNdp4I458ubgjjz2SliOQ
QQopo4+K7VIkkkkquSSTTTr5JJRRSjmlYV5QeSWWWWq5pWvZFTQyJJhhijkmmWWaeSaaaaq55nVc
uvkmnHHKOSedrbVTJ5556rknn2+y+SeggQo6KKGFFhgQADs=
------=_NextPart_000_000F_01C70D7A.B905BA40--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKIJN6t063562; Mon, 20 Nov 2006 11:19:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAKIJNCC063561; Mon, 20 Nov 2006 11:19:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from pne-smtpout1-sn2.hy.skanova.net (pne-smtpout1-sn2.hy.skanova.net [81.228.8.83]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKIJKsG063544 for <ietf-pkix@imc.org>; Mon, 20 Nov 2006 11:19:23 -0700 (MST) (envelope-from anders.rundgren@telia.com)
Received: from arport2v (81.232.45.80) by pne-smtpout1-sn2.hy.skanova.net (7.2.075) (authenticated as u18116613) id 453F8F420054AADD; Mon, 20 Nov 2006 19:19:12 +0100
Message-ID: <00bf01c70cd0$5e76e6d0$82c5a8c0@arport2v>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, =?iso-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
Cc: <ietf-pkix@imc.org>
References: <005f01c7095c$b821c2d0$82c5a8c0@arport2v> <4561A16B.5080808@stroeder.com> <4561A79D.8060807@cs.tcd.ie>
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
Date: Mon, 20 Nov 2006 19:19:06 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>> I fail to see the benefit of using "and" instead of "or" here.
>
>> Note that most times LDAP servers are hidden behind firewalls.
>So, it looks like only Anders wants this change and its opposed
>by some people which'd argue that David ought to leave things
>just as they are.
Sure, David have already defined this the way I propose in "his"
(NIST's) interpretation/profile of RFC3280bis, FIPS201.
Probably with the same prime motive as I; to foster interoperability
among a wide range of standard and custom client software and devices.
In the presumably rare case you are in full control over the entire spectrum
of apps, you may IMHO do whatever you want.
Hopefully the FIPS201 document will serve as the "gold standard" in this
respect rather than RFC3280bis.
Anders
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKGq6eq054662; Mon, 20 Nov 2006 09:52:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAKGq6Vq054661; Mon, 20 Nov 2006 09:52:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.174]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKGq4FW054653 for <ietf-pkix@imc.org>; Mon, 20 Nov 2006 09:52:05 -0700 (MST) (envelope-from ekr@rtfm.com)
Received: by ug-out-1314.google.com with SMTP id j3so1355338ugf for <ietf-pkix@imc.org>; Mon, 20 Nov 2006 08:51:57 -0800 (PST)
Received: by 10.78.201.10 with SMTP id y10mr5475160huf.1164041492882; Mon, 20 Nov 2006 08:51:32 -0800 (PST)
Received: by 10.78.135.14 with HTTP; Mon, 20 Nov 2006 08:51:32 -0800 (PST)
Message-ID: <d3aa5d00611200851x1226b51cudcd5150f91d2931b@mail.gmail.com>
Date: Mon, 20 Nov 2006 08:51:32 -0800
From: "Eric Rescorla" <ekr@rtfm.com>
To: ietf-pkix@imc.org
Subject:
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
unsubscribe
Received: from [86.112.251.146] ([86.112.212.72]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKDvV2q034215 for <ietf-pkix-archive@imc.org>; Mon, 20 Nov 2006 06:57:34 -0700 (MST) (envelope-from opinion@outoftarget.com)
Message-ID: <000c01c70cab$cfa69410$92fb7056@PC>
From: "or" <opinion@outoftarget.com>
To: ietf-pkix-archive@imc.org
Subject: deg FRONT
Date: Mon, 20 Nov 2006 13:57:26 -0000
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0008_01C70CAB.CFA69410"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0008_01C70CAB.CFA69410
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0009_01C70CAB.CFA69410"
------=_NextPart_001_0009_01C70CAB.CFA69410
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Click top Page Privacy Advertise in Contact us Archives Site. Email =
Subscribe now that am. Have is seen this all too often. Often in it =
against or law if!
Estate Douglas or Ordertemp. Think how a bed gets kids hope use common =
sense?
Against law if isnt my. Think how bed gets kids hope use common sense.
Ussend Policy Search Place ad. Top a Page Privacy Advertise. Our other =
portal sites contents copy is Copyright ne.
Use common sense at! Fire Newshot Linkslocal a Street Mapssenior am Tail =
Timesrss is Forumguest.
Stopbecome Racks am and Ussend Policy Search.
All am too often it against law a if isnt. An of Christmas am Talesthe =
job am Gapspecial.
Stopbecome Racks am and Ussend Policy Search.
Public or Forum Cloudy deg a Front or amp! Every day loveelaine live =
here most.
Us Archives Site is map rss. Talesthe job Gapspecial.
Talesthe job am Gapspecial of Addouglas County.
Even is for minutes Just of imagine sitting. Other am portal sites =
contents copy Copyright ne. Blogsubmit Itnews Tippress Eventi Want to.
Email Subscribe now that am. Them or forget fresh of water food.
Day loveelaine live here most date news Click top.
Contents copy Copyright ne. Day loveelaine live here most date news =
Click top. Them or forget fresh water am food shelter every.
------=_NextPart_001_0009_01C70CAB.CFA69410
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff =
background=3Dcid:000701c70cab$cfa69410$92fb7056@PC>
<DIV><FONT face=3DArial size=3D2>Click top Page Privacy Advertise in =
Contact us=20
Archives Site. Email Subscribe now that am. Have is seen this all too =
often.=20
Often in it against or law if!<BR>Estate Douglas or Ordertemp. Think how =
a bed=20
gets kids hope use common sense?<BR>Against law if isnt my. Think how =
bed gets=20
kids hope use common sense.<BR>Ussend Policy Search Place ad. Top a Page =
Privacy=20
Advertise. Our other portal sites contents copy is Copyright ne.<BR>Use =
common=20
sense at! Fire Newshot Linkslocal a Street Mapssenior am Tail Timesrss =
is=20
Forumguest.<BR>Stopbecome Racks am and Ussend Policy Search.<BR>All am =
too often=20
it against law a if isnt. An of Christmas am Talesthe job am=20
Gapspecial.<BR>Stopbecome Racks am and Ussend Policy Search.<BR>Public =
or Forum=20
Cloudy deg a Front or amp! Every day loveelaine live here most.<BR>Us =
Archives=20
Site is map rss. Talesthe job Gapspecial.<BR>Talesthe job am Gapspecial =
of=20
Addouglas County.<BR>Even is for minutes Just of imagine sitting. Other =
am=20
portal sites contents copy Copyright ne. Blogsubmit Itnews Tippress =
Eventi Want=20
to.<BR>Email Subscribe now that am. Them or forget fresh of water =
food.<BR>Day=20
loveelaine live here most date news Click top.<BR>Contents copy =
Copyright ne.=20
Day loveelaine live here most date news Click top. Them or forget fresh =
water am=20
food shelter every.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0009_01C70CAB.CFA69410--
------=_NextPart_000_0008_01C70CAB.CFA69410
Content-Type: image/gif;
name="speak.gif"
Content-Transfer-Encoding: base64
Content-ID: <000701c70cab$cfa69410$92fb7056@PC>
R0lGODlhsAJAA4f2AAQAAoYACwqNAI1/AAoAf3QAiAB6d7rCwcXPzZ3G6UQpC14gAIgpAKYUCMIr
CNUbBAA4BitODUdEAGQ2AIhHAKhEAM5KDeg0AA1WAhltCT9uAGhZAHdSAKJeAMpjAO5aAApxAC6G
BDGMAGN9Cnp7AKGNAMuBANaKAAWcABmZCjKYAF2qAI2aAqyoAMKTAOacBADIABrJADzJDWTHAH/K
A5HBAMS5AOmzAAblCibZADbmAVPtCHbpAKfhB7fqANLgAAAITBEGPjwHQ2IESH4COJYANLYHTNgA
SgAfRBkiNzwoRlgnPHcfN5ccM8UiMtQhPQA4MidCQjM5SmA5OoFIM5U7Qbc0NN9LRwBSOCNlPzpr
PVpaM4NWDqNSPMpqRudlNQCMOyJ/Mj6OM1iORniITZKHPsaJN96BMQKjPhOtST2dPm6UMnetRJKn
O7KuNOeTPQC3TCe9MTK2Q1/IP366SabNR7y9MdXOQwfqMifpR0HdOGLjQXPiS5ntOcvoRtXgSQAC
ch8AhEIMjFgAg3kLe6EAi7wAjdMAjgwUeC4jjj0eh1othYckeqIiib8fiOcnfQBLiClAfz4/f1FM
enoxgZ1BdMo7eOBIjAhoex5thjVeg2RZe3Ruh6JUjLhbetVYfwWBgB2NhzeCcllyjoSFdpl6h7yH
juqGfgyhdimdjDGec2KiiISsg6ueeb6mdNmmfQCzfx60gTzLgWSxiYm+f5bHgsXNcunEgQfliiLu
h0jfem3thXvkgJTYicLljuLigAcAvhgFukUKt1gAynMMwpIAsbIAu+oEzgkfsy0nxjwZt2cdyIkf
yqQlxbYsxNsjxw48tBhCs0xIxlI4wHdOt5s8w7I8xeBLtgNfsSBZtkBWwl9cyH5ZuJpqyLZfy9Rh
wwOGyiZ4xjl6sVWDxop2tZF1t815suJ3zAmowBihvTSut12VtXqguZyfscKnwemhzAnJsSa8uzO+
xlO6vnvMyZvFvPv/8KKmnHZ6jvMNAA7/DP//CwAM//gA/wD///n//yH5BAD//0kALAAAAACwAkAD
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fMP8JHUq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evYMOK
HUvWKtCzaDUCAJC2rdu3cOMGLUu3rt27W9fi3cu3r9+/gAMLDiy3sOGBaw8rXsy4sePHkGkmjky5
suXLmDMvZqu5s+fPlgeLHk26tOnTqFOrXs26tevXsGPLnk27tu3buHPr3s27t+/fwIMLH068ON5M
v7MYX868ufPn0KNLn069uvXr2LOC3s69u/fv4MOL/x9Pvrz5n9nTq1/Pvn3p8/Djy59Pv779+/jz
63fovr///wAGONV+BBZo4IEIJqjgggw2aI+AEEYo4YQUVmjhhRhmqOGGHHboYXoOhijiiCRe9OGJ
KKao4oostujii1WVeNYwMtZoY1zYCQTjjjz26NSNQAYp5JBEFmnkkY35qOSSTOaI5JNQRinllFRW
aeWVWGap5VxNdunll2CGKeaYZJZp5plo/rXlmmy2KVKad/EB55xkumkSH3zYqeeefDqEZ5+Aykjn
XngOauihiEqFp5yJNopioCj9CemklG4paaWY1udoX4Vu6umndHYK6qiklpoeMaaWmemqrLbq6quw
rv8ag4gExGprTafcquuuvPbq66+hpSrssMQWa+yxxQGr7LLfIevsmKGEuewazFJaSbXYZqvtg892
6+234IYrLlbblmvuueimq+667GYb1THjxiuvbu3Wa29M8+71Rb783nXvvwAHLPDAcHVFjrPq9Kvw
wgw37PDDEHtL8MQUV2zxxRhnrPFJEXfssWgbh4zxxySXbPLJKKes8sost+yyhCLHTPHLNNd8lMw4
C2zzzjyDdU/PQAct9NBEX8iDmGkUrfTSTNuW89NQRy311BbzQHWbTWfd79Vcu6v11/F2LfayYIfp
Stl2ja322my37fbbcMct99x012333XjnrffefPf/7fffgAcu+OCEF2744SOirXi3iDfu+KSzPC75
5OYubvmxlGeu+eYym2nG5aAL+3nopJM6eumoM6WlGZwXicbbrLcuu3mxR1nE7IzBeXrqvB+6e+/A
B38VAF8eLfzxROmF/PJgEs/88106D/2jj3OG+/VF1o799txjOf334IcvPlTdl2/++ein3/f47Lfv
/vvwxw+z+vQnKf/9+OfPdP38959tNHLTnwAHSMCX+a9NpbBXATsGi9M4YIEQrI70IkjB6Uywgnu5
AQYBc8ENHVBs1vugCIESQgVtkHcdzNAIuVbCBJ2wTAGQ4IdWeLUW0vCGOLTY7XLIkBf6cDk8DKIQ
/4fYnR8a8YjYsQESW0PEJq5kiVDcjWeU4MQamcNBUczibarIxZJo8Yuz6aIYQwLGMr5mjGjsiBnX
uJo0urGJZXijHOdIvyXQ8Y54zKMeh8TGPp5mj9+5FiAHqZNu6MpDyvMj0UK0lkYSkpCNnMwjq7Wj
SKZQkSUzkiMnyStMepIwnAylKEdJSjeWoJQTsQX6PsnKvqDylbCMpSxb18pa2vKWuMzlLY2gy74s
oZfADKYwlzTLYhrzmMhMpjKXycxmOpNEuRFA1ugxTLE8M4jVzGZUrslDbXrzm+AMpzi3ws1ymvOc
6EynOtfJznaac5zwjKc8PaSLeTrMnf2zJyb3Nf8gfPrznxfTp0AHekuAqi90ViCoQhfK0IbWxaAQ
jahEJ0rRiqrRoRjN6A8tuj2NevSjIA2pSEdK0pKa9KQA4qhKV9pJlLr0pbxjqUzXBomZ2nRgMM2p
Ti13083tFIw9DapQ7fTTLw71qOQZBVJpUtRgTqCpUI2qVKfqoaVa9apIoqpWt3oyrB6Oqz70qljH
KiiwmlWrjHgYWbdUg7Xi86xwjatc51od0GjPrX2iKwTxCji9LpCvgA3sffxaQMEa9rDmEZMtCEs9
xN6NsQP0Di8cS1nDQlaAlbXbNt+0lFCyL7N12ywZO8vJCI5EdQQJgGrRotoARKS1rF0tRGB7Ftr/
PsS2P8Hta5ZBs9N2Vra0ba1wh4tbexD3IMSVLXKLa1zXNte5yjUIcKeb3OOmdrjLtW52nXtdgQSX
u9KFLnWrK9yCaPe65zUvc6nrXfCqt73iJW950cvc52IXIfPt7nPb+1mgyPe/tpWvepOL3/UKuMAA
PrB900teBLt3wemlb4IJDF8KD6TB2w0vhrc7Ye0quML31fCD/2s40YIEtRB+8H5FTF/0XtjA+ZVw
dBNiYRez+MXRDTCM61tjGkd4xQMGb4x1PGMIc7jIR1Yxj3E7ZOXGGMRKtq7SPDEa3yplwD6O8ohz
zOUtP9nGt0UyfLOrYTADGcf1HfNsxXxmHJfZ/81wlnGWX8vmJXvZzDuuc3RNy9krp7jIO77xmfPs
5R/LGMaCRnOc22zkIIfYwY9Wc4uDvGhCizjSl/5yoCktaUZHuMH9ze1qYVtcRJO506Vmr5tJrWfX
stq9pn7zoGf8XSGP+tYqHvOrscxrWTOZ1qrWNa7nvGszdxrMv4Z1sPdb7EGm2dNiJrKxa41gOuca
2rmW9qJXnOZnV/vbxo5zsnndbTaDW9bbFneXyR1tc+fx2bHutbZtXO5rn7vX6Zb0vOFcb2vPGd/I
djKglx3uhcB74NkWOHdN3e/GmfgjKHZIvAP+6XWbZOLqrrit7d0RjOu7x7PmOEc8DuTqotvbBP8J
9WJITuQvh/wkLFe4y8d9cYSDG+Qvr/mdT51injP6MJPdXMwXjutCG/ojQ181oV0OkqQLG+E4b7rN
ef5qo2Oacg/3SMQbsulJczvZGx5J1xWt5iZ/WCRjrzC/wW7ykqTdvmvvctgTwufR+jnMWj65wsON
8o3YWe9E3zi60Y7keO+b5B75O74PP/WFqFwxdt644DM++JBE3us5x7bOM0x2VO8d4JYvPNjx/PmC
Sy7rF727xNvd9kpXPdGhT3jrPV902Etd9j0evab7npF6517ucOe0Qup+YtLiXSE/TvXVf554cycf
2MvnPUa8/XxlR9/dGqH+1ZXP9L4TH+LGf+T/97UefkI+HrToByQi0m/Zy7r//fBvUh5eyP762//+
XIy//PDfNv37//9fgjdhwH8EmDMA6D7tYkMFyBEdc0kHaBoJuIAgJIFdo4AUiBEN+IBMxC4WeIEW
kYEaGD4OGILHM4IkeIKs5IEqqDcDsIIu2BAoGIMyaCEvWIM2qBGoVyLhp3qC01s3iDM5CE2qx4OB
ozVCsoNJISUCIAD2sYQplzUlYUk6sUn2IEnFl4QDoRRLuIVbOBBcyIQC8YVgSBBOiBBi6IRn6IVc
GIZjaA9oWIZuOIZfqIYHMYdkuIZx+IZ2KIYKAYd2mId/+Id32IVsSIh1mIaF6IeCyIYLEYh4/8iI
OgKFIyFJVlgTVFiJ5IeFkYgUdHiHnaiIBQGHCSGKotiJcXiKdGiIZQiKqOiJkNiKqwiGpdiKtOiK
sNiGtciKrhiLr2iGuMiKutiLBgGMstiGZWiEIoGJAiGFyxhJVTgZlmQ9zBiNzViNBeGMz9iMl+iM
20iF2cgtmgiON9OLpfiGpgiIjWiMuFiL5MiEeGiOnliOv+iO6wiJsziLviiMpKiODMGLqLiPociP
8SiH6oiPuUiP7biJLSMZNkSJnOFIEMkWm4SJiTGREvmQLYSNFImRF3mR3/iRyngRADmQ5/iI+XiO
wpiQ74iQJGmLjGiQ/uiSo0iQAemSBrmLxf+YkDY5j7c4iPV4kP/IkyNDPsnYkNKIkdZYkUdpEEqJ
GBxplNm4kUmJlA55EEjIiTqZioIYk4fok12Ij2eIkOYoj0DZksNYjHu4iKZIliX5k16JloZ4kvpI
jybJlSiph3F5isgYEspYld8IjR45ldy4lM/Yl0+pjRY5lYWJjQVxleNIi2QJj5/olpC5jmDJj7Eo
mS8plFqZiPZImSnZkzspk125mShZk3cplkJ5mTUZjE64lyBhmE6pmFG5lFXpl4xJEIDZlLQJmB9J
d0OoiSPZmZVpkmdJmqxJnGsYmZxpmpMZmqgZnWyZlTNJnOw4mi25j8Y5l6LJiD44E7dJmL7/WZuz
uZsgSZhMeZSBmZh/GZjn6RHTGZNceZPDaYuaKZmESIzH+Yr6yY712ZapKZ2WSZO6OJ38mZOfiZNr
iaCVKTnMuJjiSZUPSo1++Zu6qZ6IOZ4ampshaRH3+IgA+Z876Yj5iZkEeaKKCKLGyYfLyYeASJ8F
+aFnmZeJmJlxaaA1CqAjqZ0peqOgaT4d+hBBCjA3GR9FqjNE6RNDyhBLihKOaRRRcqTlAYffuRkd
2BBNSqQ/Kh5S+oNe+qUxE4T2E45MRaZXOIOs8RNZaqEK+Zg1QYTgh6ZpOokPKhFrqozlNxNKkQ98
2qd8OhB+mg+AGqgG8adZKKeuBJ4htKbX/3ilF2oZhjqokmoPkRqpAmGpYNpDSRqbUNmeEfmUDrmN
symOblqmWEmpgjqpklqpqXqpfXqo1BEPXpJIWhEOxMKQB7GhHVmbEjqqFcoYloqpf8qqBOGncOOo
c0ONiOmrvVqNuImshRGsreqqqGqsk4qpIAStd7ObEeqsttmtlSGtBTGsgiqsqYqtLHQ43Mqs3lqe
4EoZ4lqs5Xqu0xqo08pC2lo5m/oRVvirG/qezzqqeSoTd2eu19qqhiquX2OCEWOJddqvSMmr3Vih
jIoW2Eqo1Lqq9XqvmWqV+5oSFYuBcIovZhqniIoXSpqvHZuAKruyRyKmiROcpzoxFMRHMv9bqjh1
fi57VfzADyrRs+UBtDIhtAhBtIgDsxihrLnasoXxpEUhEEZrDz07tUU7tT5bEFGLtVdLEEYLtFab
tQPxtR4htlBrtVxLtGArtV/rtVt7tg2BtlubtgmRtXALq39VlKPaLDcLpWurtmHbtmX7t2cLuG5r
EF3rs3VruHFLuBZRt4nLtn67EIfbuIsruBBBt20rtFXxC+BDp+7KntPIoUz7pntbFGZruZFbuKl7
ugcBtpObuKobuEI7u6dLtnOLuJXrt5AruZlru7Truldbu8HLumRLu4FruTWLt966qO5pje9ZMKVL
FKy7uoT7uLhbtdgruLCLurI7vNSrtoz/q7jfq7tUyxCH673ke7yFK7zf67jXq76B2z4MqZElxJt5
G7KUUb7qi7nai77i27q9C776G7uRy77d+7b+C7dUO8D/u7/eK7fdu7vu27+TS8BVJJWPWonROLqR
YcCpO7gL3LcNrLVuC8EfXMDlu7bve7u5e8IC7MLca71lm7bC+7tmq8LgS8IWTBK3sDkY7K6NCh+Q
u70ArMMjHLu7e7s67MHce8REPMTh+8EyvMM17L9N/MIKYcJB9MPt+qjOi7+NAcWWy79GXMZLbMXZ
K8UtnMRHPL79C8PwK8PGq7g27MDtu8JRq8V8g7QXwcWeyq3MiyPROxQiLMBrzMDwa8Yg/3zFAMzA
5zvHjVzFgKvAWRzAx1vHaazG+lu86FvByRskTksUiTwSerwlmquzmaLCqrzKrNzKrvzKsBzLsjzL
tFzLtnzLsfxVH1sjoTwULlHKVmK08ruzAbXL+zGwjneyUxEDtEHM3QPGbcHBzvwZG8ykHLzB0qwQ
0KybCJHN0/wYFbvNzsupSSu632yqP6K8C6GsoTvOQXyhFhnP8gyq1hh+EsmUVdimyjwc8+uNXsym
vNmhAr2rX+ye4+nOTJrP3KzQ51weShmRecusQTrQvxme7NrHi4oYDW0esimY8qzN9SuFEPu59JsR
8+zNG+0YHU2eHg3S/2y/ANupfbyM1/+Y0t/xqxLtqRG9tF4M0TkdsDvtEA9Z0zbtHXXaqPTLmEOq
wSId0kkNsRErpLlJ00XNIOKMpSid0FVdIleN1VG41aT7FGjR1d081RCBzMO3z8YB1gpkzLw8sjpR
UnMgHUWC1jmh1nRhH2Rttzh7EkOdEC2E12URhWbNl0bJvNqapU26FPWL0UtN1Q1pEILdT4oa1OSc
nogt1ULtzY1tEdKozVTdzV7Kx54t0w992vQMoantlOsKoRnanq/t2mxKqkbR2RoZlRq90Aqd0bsN
2dBYmPrMUEhAHLianp/L2vdL0AcNz4cZxKJ60MuNv5/N0PlMibl93X8N2dr92dZtTEj/YCMrDdMj
3cWwbdyDad6IjZ7LXRHTndGNnZG3ndt/fc+6Td2x9N3B4hQe4LnGTd4VTaHvmsE+DeDwzNzsmcxY
SN+qbd8Kft3VvdDzrY2hnc8ZNdwgos4v3bzjneEIXd72K96i2t8IjpUKnpE1beIazdsRzs0ZjVEW
fuHqHNAgzuFA/c6+aZ4jDd1RPdvGx9s0jeJE/eO+ut0pzs0O9eIwXpQTO+MGXtDI/c8S7dO9Kbo7
ztdQOuGLieX2HdvAveIcOeFs0RrzAEFInuSgDNdY+kRizlh1jebrzBKvMeZQBSxZHRnzwNb1cufs
RNpEYtc+ERhyvlMHpOd43hF7HSWE/94TqTBCfE4RShvNHYjTJnJlH1Dplj4QlV4Slp7pESEagf5S
xT3bahrpdR4RnC4QnH7qIpHqH/AWic5NjT4RFKvUT62eD83atx7bSsvOtf7HoBrIkq0Uqo7pm17s
qL7px47syX7pBcHqx07s9uDsk+3WavGuMP28n6rTEB2ezQrQUf3hyo2eT5gUww7t0X7q6N7qzJ7p
6W4Qzn7u0C7t057Ohk3rQMzhHh6xN/6t9+7tTm7RHd6YlG7szw7v5g7v7d7uzU7wCq/s807v5AzV
543v/5rvqm3QGJ+h357xkh7sZvruqp7wrf7sCk8QIm/uDo/XxS3pTH3RFb/vIg7u2P/O7+R96Ab/
7gWP8COv8wd/8Oy+86xe7ogV63Zq7c0781OumADP0gOu4zGd3B5L7jt/8yMf8kCv7ldP9VOf8z+f
7Af/8E3B3x5t66v98vqe2s9a6xgKyE7e4Z1V7FNP8MS+7ll/7spu8nIP91+v8hgj9Ka+9YWOKX7/
EIMf+Hwi9xVR+O0H9ozf+GFk+JC/Vo7PU5F/LpMfUquQ+Zq/+Zyf+Zc/P5VfLp+PNqFf+lY1g0r0
G31wqxvTD6Z/Pj38+rI/+7Rf1KN/+8KhDLi/+2oFHxtAGa5f+8JPNrzfNMOvLMWf/Mq//My/Iw3U
/NAf/Vx1/Gti87Tt5yJbsr9iVrT/yhXUfyXW//1YEv4CL9Z9NrPEPygLQDLdHxY/oQ3wH//aMBDy
T//1XxDzfxDyn//2sP/zDxDa7A0cqM3gQYL2BCY8aLBgw4UQEz50SLGiQokEFxZkiFHgRYUaEU4E
+VHixpAaLaKc2NLlS5gxZc6kWdPmTZw5de7k2dPnT6BBheIEAGDoUaQ6WaKM2NFpS6YcSU59GbUj
y5QqnzbVilWr1KwRrVoVeRXq05BLk65l29btW7hx5c5NWpTuXaBkVer96HLsWbRmwQbOWrWrU69p
Dx/e2DemY8VUI08GjNfyZcyZNW/m7NJoZ9CVC3PkO3ow18CJIXvFmvgr6pSqw45u/9rY9FTbrffu
Nhza92/gwYUPJy5XL+mGW6EmXwm5OdjGzCGKHclQOnOPI21jBMzVuV+pJqWTho69+Hn06dWvZ4/5
eGS1g8MTji9Ztuuvp2MTnk15P/no6uuLtdlka+9ABBNUcMGW/nHwQQgjdNAtCSPMT7ftVqosw/xu
y+gs/OSLKkPWxisMtQElg84/8loUbaAKY5RxRhprtPFGHHPUcUcee/TxRyCDFHJIIm3MoUgkbaRw
xg7/WqxJxF7UTTDeUlPROdhE7O+/h/RDyyECc9NSqiTLNPNMNNNUc00223SzzfVaq06t+rScLjvx
EIovozvxXE473E7C7SowrROpuv/T8ryozg9vY/BRSCOVdFJKK7X0Ukwz1ZQ9HZeUcTpQQxV1VFJL
NfVUVFNVdVVWW53uTVhjlZXIQma19VZc3dx0V1579fVXYIMVdlhiizX22J7EsSxXZpt19lloo5V2
WmqrtfZabLPVdltuu/X2W3C7RXZccss191x001V3XXbbLTZceOOVd15667X3XiXd1XdfngLg999e
8RV4YIILNvhghHsEeGGGG3b4YYgjlnhiin1K+GKMM9Z4Y46brfhjkEMWeWSSSzb5ZLo6Vnllllt2
+WWYY5Z5ZpprtvlmnHPWeWeee/b5Z6CDrhdloos2WmKhk1Z6aW9VYPppqKOWemr/qqu2+mqss9Z6
a66ZLqbmo8MWe2yyyzb7bLTTVntttifu+m2445Z7brrrtvvitvPWe2/h7vb7b8ADF3xwwgs3/HDE
E8dWbzr4dvxxyCOXfHJIO22LRsozV1DxaTX3/HPQG8zR0xhDv+mzy4pCXd/VL+M8XtIr9El12gmq
fSDaW7dHd9xzN8p321XHfaLfV0f99t09Ez6h24UHfnfkgy+eeel1f/4z3mfKvXfko7d9LeOX5z78
5b1/yXyibMq++vV5+ux1eGOXUKb2qbd/+OS/v//8/fUfvvXp6c94+Nvf8eyHvZYAMIG9O2D/2lc/
zxAvfxL0XwWDIr4BTjB/CjRg/0wyuBMIWnCBIpwdjOD3rEfZhX79S94HW+hBFvKOgxP83QIVKMHs
IZCCMHzh/1Y4QuxhUIUs1CABz+e88kHvf0GESQd9iMMIGnGE1Mtg85RYOyuqsIZS/GAWh+hF6A3R
dAAT4xSL2EMjbpF/IpQhFA1ovSLCMYdSPCMQaVhHIiJwgE6k4xkhqMMlMo+JeOSjGr/Xxj6yUYNy
rCIV92jBRh7yjY4k4hjjYjm20AiL4hPkGulYPE7ycYdhdJ7ytqdDQz5RkXMkpRbRh0pVHtGKaKRl
Apt3Su2lMY7+Y+Ui/Ti+IHLSjLGUIwUf2UDrdY+KyzwkBU+IQkiVcZTF3GUiff85SkjeMZW1pGYY
8fdHO/qwfogEZfmkacNhRvGYvCThHZuJTWI2EZ0CxKIxcYnMcALTkPuspiXvgsm1YI5+4FxlBbfn
yV8OU4017OYnqwlIeRqzmeNUJx6tGcuLfpOZ7ExkIRMKxXb+cp3cdCg+dyhKX440f8/8lvwsxMNc
FlCX/ZxmFDG6T4hCdKbX1ClNNRq8nfZRjxu94TtrKlGjEhClSm2gAEH606Meb6GpzGk/EQlVWvLz
hiz12K6S+cWndlSQ3UviRpU4PvZVj3ibLKcrhenN8KkVnhtEK/dM6VYhnlOqWjwpG28pxugd9KCE
DKVdglnLK5aVo9gMZmP32tP/c/rzcqObrIwke64Q2lSzc8ksQnPCVXFVtnSXNddbYdrEyIKvhDwB
LbdcCiHSkraznsVJa3EVW9zm1mgATYpAdftbTXEVuMMlbnHVNlt0ITdSyq0LW5hrXMygry3Pq0lP
bWna6arPhTkZrFByiF1ZUtSi2gMvUJY6Vpp0Frnd3exQngtd1cL0vTqZb0avGRf1bjd9IQWhZjOr
30qqL8A/me1/BXy6Adf3tPDVTGqdSNYvmpOvb5VhPZ062KLSMK9yJWUgOwzKGLpzlu40qFxBXNfp
BRadFF4xWF+YVzjeVXqSZCCKS9lhicKYn95s5RWzyUsM1hXHPB4yeyPHW6T4/3agNq1qWFMqyhjH
k64knuk6d0xJLj54nlklcYarCtY96peRP8bylAPI5TwStcYTbipiDzjJpC70m1qWKU/va1StUk+4
52FrhdeqWJHWdLvAGyksMdpjXXp5yzR9oEYbydDrujieKo1ynOG546FaOs1JZaqU4bzGQqc0n4fG
sEkdqmgAPw7JR1GyB6/aQsFauMSDNiOmmRpj8klYn8C8c6/72tahbjOn95z0pRedYU9Pmr2vPmyn
YT3ibbaZy1V08QyRuutnS9itux7gnhfkYLMmWtAOrLWdtTnF85LarIqO6IsjCOm+lrTYIQ4rstGc
6UNvmovOjvanK2ppWk+Z0/9dfne5w+1ryK16KK1O57jxTNV1G5uBUsUqs8U9bx+TmcppvPJSI4lx
khpczNKGZagdrkpA+jvl4/0yUCneQcj6t8qinjjAgWrbG732QbOD8F43qO2gtvKwQ1eqdW8IYQ6X
EoA3drZBG3u/V/8cr4/95Fc9GukS05Xake35jPkt5Ix7j+lSJ3uz7TrXowe5yIY9+9pr6G2irddd
CuYb3RmctgKzLrd2bxcIeKVwoTCcQXmf+96JA/e7J17xxsJ54x0Priw8XvKTp3zlLX95zNtq8ZsX
Cj04v57Mh170Wvt86U1/etSn3nGjZ33rXf/6CHUA9rOnfe1tf3vc5173u+f/fe9Jr3rgBx/0vid+
8Y1/fOQnX/nL373wnf/8vjFf+tOn/tTOUf3HQ1/7298M9r3/fTRxX/zjxww6yN8WEZxf+OC/kT7Y
/34mqV/+8/8J/O1/f/znX/9Aon///f9/AAxAAYSLbBhAA9SMBjhABVxABmxAogE81hI8B9S5/Zua
JJPACcykCgyaDOxAD/xAEBxAcBhBEixBcCAIEzxBFExBmCDBmTDBFSxBmUhBFYxBF0wIGJTBGMRB
FoyJHhwIGhxBewjCGuRBIrzBHTxCH4TBIRRCI5wIJLTBE9RBIHTCJizCEKScKKxCFUTCG6TCJ3xB
K/xCK2wJLxxDJ9xCMjzD/xpkwxZMQzTEQi7EiShUQyHcwhmEwykswyuEQj6cwyuMwx3MwnOBwJ2o
kTAcREB0Qz/EQzPUQx58CTsERErsw0BsQ0iMRJeow0xsRDosQzvcQzl8wyK8Qz7kRDxcQ0EExA38
vYVTMlR8RFFURCkUwy78w03ExUqkRFWEREeUxD90QUf8RVJMxDkkRk/MRSxExWDUwzUcxFYEGvSI
RU9kxEjUxTBERlpMxkR8Rl/ERlkMx2EER2U0xj7Uxm3cRk5swnA8x1vExFEkxMehxid8xmokRzYE
R2JMxVUURlOcxZrgR1FkQSLMw1JUQiVsR1kMwiQ8xW8ESEuUx8mhx4Zkwv97jEd1BMNulEGBHEQy
dEd4xMWOHEeMBMaDXMZ/DEhdDMWKTMaPtEaJjByKPMaUXEht/EWSvEiFtEeCdMhRHEmRJEeFjEia
LElzzMiQZElL/EF0jMm1mUmQ3EWYHMqjJMqo5EZ7vESrzEmdpEpbNEd/NMp0lMpOpMZ8hEenlByl
XERn3MiS/MixJMqslMuy1EGorMS5jMtiREqrXMKD3Mq6PEle1Mi0VMtmfEdFpEKH9Eu2fMtVXEqf
xEtr3MfALMebmMmwtAm7rEmPRMlsBMWpLEy9IUmK5MjIVEZnFEoabMRQ5MxANELCZE3Q/Emh5EbA
HMgfRM1OLEqXNM2TREv/0XwXynrF+AtOi4nGq7nA4jTOCEROexkCZ1FOy2LOnnDOnqFO7AwdQ9QJ
RMzOkLHOf/BO8aSc7fwsDBzPhgFP9FzP1RvOwDtP9vwX8CzP2sKcHExIt+zMzLRNkyTM3OTCXvxP
AB1I1nxN2LzE+5xNKXzH1bTJOIxNBIVNJkxQhoxQ1KzHgozFI5TDyfzH1URIBWXF+cQR6RytjtzL
iGTEE2VMukRM/eRPy9RI30RJ15TQF73Kr4RMBu1N4LRMsNzNWuRNk9zFvsxPIfXKxhRMexhREmU1
gVrRIdXRz+RQ1ezHEF3HquTRB8XNWsRJxXTNGkXR/WzRKUVRWsRS2WzJ/yiF0hjNRC+Nx7CkURNi
0u4kzulkU3H0zTKF0Z0M0zGNUha1SApNyiK10D/VS6zkzNA81KO8Swc9Ut2kTaOMU4B80/48UfUk
Djy9R3Y0y8PMURxVUzNd00HFTVMtVH+EVETNzw6lUoj0Skfl1FC9UB8dUlOU0lqVUEnNQPq8ie7c
VAzt1Cv9VIMUVf1cySpFzFvNzGX10J6cxV7U1dh0w7kEygbty9Z0TGh1Vos0UCQN1poEUYbs1jCk
03yxUxMlVr90Vh791j2FUnIt1DJNUJBMSUsV1t900RwNUDntylwt0nhly1ldSEAlRXYlUoS10GTM
1OEAVhsl17yU1wXt0f+xXMu95MlwfUhSndYwvVRBtFhVbVR9DEoG7dgD/Veb1MqEfVP/rM3/61Wb
+FV1NVgu3dMsrcpNBdk2ddH99EZkJdQ8FUuErdZPpUxXZdFEZVRdRdk0FdSftVWlZFjhcFgbrFqb
XVVUHdYfFcuIHVivTVHTxFChBdi2PFMgFdm/rNgtlVc95dMCBdC4vFcIjU+2oNrEJFa7ZdvKxNZk
HdqOVdoWrdSzLdi7HVaKhVFPhdPZfNV2ddukzdJ79damfFn3DApEhNjanMpS5VaSXVef5EqaJVvG
LcoPXdwBTcqABV1vVdisBVkBNVvO/VOd9VFmfNbS/U0RNdfltFz4pFv/fdHd3jXP3fXdhfkHKXBO
4k1es4HZmqhT5QUYqX1e6Z1e6q1e671ekmFemnBe7N2XDexe8HWbygWKfKCRVuXPDV1QspTUCmXd
a3XX091QjMxW+p1b971LGa1d3K3IgF3fkCRY2C1NbMTcsyxII81d4A1PJ52R873ZEz3Um8RbK+1c
lVRSju1XyXXZxgxS0aVR4DxLUb3gPmXfHs1KR43TkMXMx7TEn1kEqilR2cFYD1ZcDMZXx11fmxVI
l6VHHVbSG6WJxF1hDp5Qw/3Y0+RguL3gCTbSyR1Ti11LakzgnVtgy6LU23zauD3igrXWdOzfoVxU
MORiIC5aIibhLiXj/80c3doNWo9NYTfdYUXVYigO0e9t2GYFTHas1chNWNhlYyK91TH2YX7M4z82
WVi1V31d2mdlY421TUBOU6h1Y56FY4h84iOO1f7T3pm43DvWUApeWfzcYjQu5NHV47N1YjR+3y5G
5FJOVVZm5Fd+3B4uRmZVVzis4EqWY/yMYilWYHSVHa0kYNGFXC025aNV5ZA1ZhEG41L+155tZXZl
1GceWGr95Dal5i0dWxPWZQzm5f0rjkGVTWveY4klU50kzab0ZBIW4q89ZMEVYSkV40VOWnjeWGnO
5kAuXEe+5BANX89V2cE82iyuYWP24znmWsN9XL7lY8SNY6702WNe2/9BDmj4BWF4Ted+tuRu7ucB
1GSZkNkHPWC+XMHbLFZjlGFB7ttjZeLTnFxzBmEkJVp9pdcDplqYVmGV1ueTLuaYqGNNFeLFRF+I
vmG+nemQrkI/BFWwRcOkXurDNWmYrGeWpti2Xd2gvtnA/WGrHVVJ3to+PkCP7mnfiupiRudELmez
3ukajWAffk2WbN/4RcbcZEaU1V+1NtWy5um7XtpctMUeTF2OXupy7WUYnh9//t0KPGzFXmzGXsCw
hgnubWxz6WXKrmzLvmzMxhnJ3mzOXhgn6OxgyWzRvjzQrpgCXM/RTu2b+QTVbm3Xfm3YvpvSnm3a
rm3bvm3Fjm3d3m3/3u5tacHt6TUF4B5u4i5utxAEEPRt5RYc427uw/PV5Y5u6Z5u6n4WRahu7J4Z
597uBYkbMshu8A5v8V4a7i5v8z7vkRlv9V5v9rZs7gsD9I5v+Sa/9q5vVwyo4QWO6Zzv0ksT/v7v
0Hjs7c3v0+E7sQZm8iKO5zLwdrOMLUotAhsw/lKPaPsh7koPCFfwXnqJ6BStCsGwEOI6vttv0+K7
dBMwKJOvueqJCk+vBl+hFr8gCQ86BKOt1Vo0/knxdmNwC6cvGbPw9Zq6Goe6j+4qDZQRVyIKHneJ
/SYk70KKE0c3uHgvuoM355rx8RryhmPxHK+uCY+34qi0mLrwfTsw/yI/cDMhCC8Yjgg7q78KoFsS
OqrDsQx/s23jMYYyLJ+Dq7MTO0eDqyQSOz3nKyLrcz33Oqq687/qc7eTJUZ/8DnLNBUjsrLK8wgr
IyRqNl0DdETfdOwqOUCfMGHK9D2fsUvvdFG/9KUzOz869RsDOoQqdVRHL6R7CwHf5Blp80MHKl53
uRT79Ylr8yUdLaiSMw8zNDw7t5lzt1ujMi3rt3fSKSu/Lzlro2oHchozMxxauWSfJHwzdhpHIzj7
dmXPclB/dmdnp6sjdzW79p3qN0JHM3HfuDKvM8RC9+Hxbz57uRM7qzXbpMRKLIDvr3L/NEOTNXcX
NUhD96s7N2m6J/9UUjp7T/gP06ZGa3ZxkjpwtzKL73anczq247WSQ3gNg6GFJzhwR/lJ16M3d/hk
V3eTl7WCp3cvC6WBe3bp+uXgrc5c53dTj6skP3ShXzoOJ3aB23gRQ7mZ96iTZ/isK/iAI/crW3qY
f7BeMnh3w/qLm3dI1/pOwveHuilO47qsR/l0x/hwgjilT/guYjlG8/h6X6y2jzJ/G/YzQY8k9/eA
9/VgD/hd3/Uac/GZV3qtg/t5P3OkT3mwp3Zt9/aJH3xmRziz5yiv5/hx53oSSnyYL/y13/Kkd/p3
f/mfYnuXJ3y0Lzgpw3wab/vNP/PDJxYQdzs4B/iht7FOSq+Qz6r/eD94cyK7jYO5msv4LHP4hyf0
iGe7VWf0OUOragc3RHd9mV/5Uy95mCssiqNzTR/93Q/2izeza4cyYx917ac6x4/05G/16cfzB9/+
tIqjUY/3r6enJQdwSpn/hrF/dLn1Im/y6ENw0QQIAALtESxo8CDChAoXMmzo8CHEiBIjCgQw8SLG
jBob/uvo8SPIkCJHkhS58WHJlCpXsmzp8iXMmDJn0qxp8ybOnDp38uzp8yfQoEJbnixq9CjSpEqX
Mm3q9CnUqFKnUq1q9erUl1CHcu3q9SvYsGLHki1r9izanFjXsm3r9i3cuHLn0q1r9y7evHr38u3r
9y/gwILtaX2a/3IwwoFtLSJWnBhxQ8Z2HU+VfNKyPcwFNWOkbJAz5MmEb/6tCBqiRcmnJ64mCNpy
xc2OY2fEbNqhataUVdNeqDk36t6dM29u2to4boWwZ3s+bTp1cM/FPxM/eDy59enakYemjt1oYacp
r1Ncepzz7OK5gV+ELZH8Y9eu2a/+vZ0h/If5a2M9nzC9fPS1xl5k98nnXXwb2XcgVfvpdZ1FOPn1
G3PQBUhcagMx1ptwmVXooW2KdVgdibZl95mIHApHIW8ZWkjbbcppRyCI8y3nYosnopjjehjWuOGH
OzIIJI6yEdkikYl92CGM0tF3ooW+GZkjglEW6eOPKm5Ioo1dGv8J4pY1qudljGJCt+KBSXr5pZka
HslmmU2qqaWDC4XX1GEwjjmjhxf6iaWU7ukY5aAzLhfonlyamWiJjdLIYIlMMjpkoiGGCaijW/b4
Z5V+CqqolY4ayOmCmHY6ZJgD8kngpoCeyWWrGRZaao/oXRrqepdOp6upkG6qaaWi/tfonxGCtVVJ
1D0Ha7C5xiYdmMzOKuOUOkIabawyLvsprgaaSOmqCToLLYa3cStsuc+yCKC01ZnbbJk2EkqrotvF
my654OJ7462iykrptuLW++S/Vb5bLLHKYmluqcICG+DB5e5oZcTG2iQYoe12y6lsnX4a7rAJXntu
tsN+C3CwCPL/6eukCWdssrXZtoqiyiujjPDMHteMrrX3fRwyzzXLHGnQ9NJb7Lk6I5zdqwKq/CvO
hc6H7sl1dtes0q4mrHG7IIucZso3aw0zqVizLPDZvRI8qtYkm901cC9mvfHYYg/c8rXu2jvq2mmL
/erbL+fsMtxe043ernsrvnDUSzdO9dW6Bdmmhru+mOK6ZFqat5h9stl5tXGvqCWcl/c75Zwj6qkk
sUySrnnlaZq+JpyWh4qt7WpOrLl1Iv7HnJCnSu1uc0q66buL4K7eO69T11p86UEeKjzDLJIJdpy+
Q4zk1J3fu9GdTB0WOfnlm7/z+ekP15fVRYWFLEnqyz8/XyPS/38/fhOu9b5hafn/PwADKMABErCA
BjxgTPCnwAUysIEOfCAEIyjBCVKwghacYPiWMr4LcrCDHrQTAkMoQpp8sIQmPCEKU6hCKcWlfa8p
D2TypZ/KUItptXEQDhv0whXy0IPtMw/Q8mczzhHxOyzUiH+KCLQfvqeGCmsPfxqGN+Gtj4r1Ugpo
FNHDLb6FiUlBnBEfdUTWGLGKY2yiEr/oxCkWyIzoS6MX8ybGp8SRi3b84vI2Fy2P6WlOsFtTvNSF
POLt5nVnih2sYpcqzCWJVZUT3eaydzo5yatau1uUH3VHOY4dTJA+upKzCFlJ5tFOkIt0T+qkl647
stItJXsMq//gZbe63U5fh9TX1iRGuJU9rG1DHFragNmrx7ntQibS3vAKhjJu9fJwkPOazQDXu79l
Ko2tdGAGlTKexGUulsTs5LNQt7W1PYmX4WRZ1T4JJrqZKm6E3I3hqhm6sEHOdBRDm9rGxC5hOtOb
+VwmrSr2zIOMsKAG7Qn8RuLOdPrTmU+sGy7J+cvAPXSZ7WRUxhZKxL7Rsp+L6xY7PWfLuyGNcPwc
aNBM2rEh1nNUB30pTEGiP1xSM54SdVwtVVpOatKoYe58nByj+VGKUrSh/kpp0v6JqVp6lJhZE+rH
OOpQa16zqkcJ5O8QaSl2ri5GmLNkx2p1yVHibqVXRCaVROf/rV866XZ08t4538m8TFaSSvZC5u6S
5zz1vLVPfhwZXsOqT+jBLq00u6JVFZjNpGzwjQy0Wh2FmFgfniSmlr3sShJqkq89ELJRiexky8dE
zJK2tB/RrGlTq9rVsra1rn3tafsH29nStra2vS1ug4La3PK2t779LXBDGNrhducIxD3uFoOr3OUy
t7nOfS50oyvd6VK3uta9Lnazq93tIhS53v0ueMMrFe6St7zmPS9606ve9bK3vUARL3zjK9/5osS9
9r0vfvM7FPryt7/+/e5ze6DfARO4wAY+MIITrOAFM7jBDn5wSP4r4QlTmIsQvjCGM6zhDXO4wx7+
MIhDLOIR/5O4xCY+MYpTrGIGV7jFLn6xBVcs4xnTuMY2vjGOc6zjHZMYxj7+MZDnx+MhE/gdRD4y
kpOs4SAzuclODoySoyzlKVO5yla+MpazLOMnc7nLLx6Hl/+ixTCTuczi0TJp24DmNdfEzG5+M5zj
LOc507nOdr4znvOs5z0zRRb9ZTOgAy3oQRPaxnw+NKIXCIZEM7rRjn40pCMt6UlTutJ0KTSmM31Z
S3O60x/UNKhDLUJPk7rUEhQ1qnlChVSzesCVaHWGTS3rWeMP1ra+tVdoretdlw/Xvv41sIMt7GET
u9gF5TVCqoDsZe/F2M5+dmyZLW2s6GLaDoE2trOt7W3b2pLa3v42uMP9lGmIu9zmPje6063udbuF
BE92AbvjLe9507ve9r43vvOt733zu9/+/jfAAy7wtnC74LceOMJLbfCFM7zhDidywiPO6Yc79zkW
vzjFWyvxjU864x4HNMdD/uiPk1zLIj95okuu8pWzvOXsRTnM9+zymUM85ja/Oc5zXmua8zzHOoeI
DH4O454T3cYBAQA7
------=_NextPart_000_0008_01C70CAB.CFA69410--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKD2bNS028821; Mon, 20 Nov 2006 06:02:37 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAKD2bjZ028820; Mon, 20 Nov 2006 06:02:37 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from imx2.tcd.ie (imx2.tcd.ie [134.226.1.156]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKD2ZvQ028807 for <ietf-pkix@imc.org>; Mon, 20 Nov 2006 06:02:36 -0700 (MST) (envelope-from stephen.farrell@cs.tcd.ie)
Received: from Vams.imx2 (imx2.tcd.ie [134.226.1.156]) by imx2.tcd.ie (Postfix) with SMTP id 0D82468041; Mon, 20 Nov 2006 13:02:30 +0000 (GMT)
Received: from imx2.tcd.ie ([134.226.1.156]) by imx2.tcd.ie ([134.226.1.156]) with SMTP (gateway) id A00CB80A13D; Mon, 20 Nov 2006 13:02:30 +0000
Received: from [127.0.0.1] (cswireless62-26.cs.tcd.ie [134.226.62.26]) by imx2.tcd.ie (Postfix) with ESMTP id 05A1E68041; Mon, 20 Nov 2006 13:02:30 +0000 (GMT)
Message-ID: <4561A79D.8060807@cs.tcd.ie>
Date: Mon, 20 Nov 2006 13:03:25 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
Cc: Anders Rundgren <anders.rundgren@telia.com>, ietf-pkix@imc.org
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
References: <005f01c7095c$b821c2d0$82c5a8c0@arport2v> <4561A16B.5080808@stroeder.com>
In-Reply-To: <4561A16B.5080808@stroeder.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
X-AntiVirus-Status: MessageID = A10CB80A13D
X-AntiVirus-Status: Host: imx2.tcd.ie
X-AntiVirus-Status: Action Taken:
X-AntiVirus-Status: NONE
X-AntiVirus-Status: Checked by TCD Vexira. (version=1.56.3 VDF=8.1405)
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAKD2avQ028814
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Michael Ströder wrote:
> Anders Rundgren wrote:
>> May I repeat my request for further improving the interoperability in
>> this area?
>> Anyway, here it is:
>>
>> 4.2.2.1 Authority Information Access
>>
>> When the id-ad-caIssuers accessMethod is used,
>> [..]
>> there SHOULD be at least one HTTP [RFC 1738] and one LDAP [RFC 4516]
>> accessLocation URI specified. *
>
> I fail to see the benefit of using "and" instead of "or" here.
>
> Note that most times LDAP servers are hidden behind firewalls.
So, it looks like only Anders wants this change and its opposed
by some people which'd argue that David ought to leave things
just as they are.
S.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKCbUfk026362; Mon, 20 Nov 2006 05:37:30 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAKCbUIV026361; Mon, 20 Nov 2006 05:37:30 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from srv1.int.stroeder.com (128-15-124-83.dsl.3u.net [83.124.15.128]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKCbSJr026348 for <ietf-pkix@imc.org>; Mon, 20 Nov 2006 05:37:29 -0700 (MST) (envelope-from michael@stroeder.com)
Received: from localhost (localhost [127.0.0.1]) by srv1.int.stroeder.com (Postfix) with ESMTP id 38B785684; Mon, 20 Nov 2006 13:37:19 +0100 (CET)
Received: from srv1.int.stroeder.com ([127.0.0.1]) by localhost (srv1 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 13752-04; Mon, 20 Nov 2006 13:37:00 +0100 (CET)
Received: from [10.1.0.2] (unknown [10.1.0.2]) by srv1.int.stroeder.com (Postfix) with ESMTP id E94225667; Mon, 20 Nov 2006 13:36:59 +0100 (CET)
Message-ID: <4561A16B.5080808@stroeder.com>
Date: Mon, 20 Nov 2006 13:36:59 +0100
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060417
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Anders Rundgren <anders.rundgren@telia.com>
CC: ietf-pkix@imc.org
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
References: <005f01c7095c$b821c2d0$82c5a8c0@arport2v>
In-Reply-To: <005f01c7095c$b821c2d0$82c5a8c0@arport2v>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: amavisd-new at int.stroeder.com
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Anders Rundgren wrote:
>
> May I repeat my request for further improving the interoperability in
> this area?
> Anyway, here it is:
>
> 4.2.2.1 Authority Information Access
>
> When the id-ad-caIssuers accessMethod is used,
> [..]
> there SHOULD be at least one HTTP [RFC 1738] and one LDAP [RFC 4516]
> accessLocation URI specified. *
I fail to see the benefit of using "and" instead of "or" here.
Note that most times LDAP servers are hidden behind firewalls.
Ciao, Michael.
Received: from [200.192.245.134] ([200.192.245.134]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAJM5Ipl057306 for <ietf-pkix-archive@imc.org>; Sun, 19 Nov 2006 15:05:20 -0700 (MST) (envelope-from Bobbi@orbis-investment.com)
Message-ID: <000901c70c26$cebafd00$00000000@censuraam>
From: "met" <Bobbi@orbis-investment.com>
To: ietf-pkix-archive@imc.org
Subject: Press Info Ezine Feeds
Date: Sun, 19 Nov 2006 19:05:22 -0300
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0005_01C70C0D.A96DC500"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0005_01C70C0D.A96DC500
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0006_01C70C0D.A96DC500"
------=_NextPart_001_0006_01C70C0D.A96DC500
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Recently chilling toytronica Wanted browsing catalogue itunes a surprise =
Rewind. Inserted advances demos or download Simpler fixed?
Surgeon a Satcher clearly associate impact very thats science Johnathan.
Canfind Helping leaks problems.
Bokmlnorsk of Srpskibasa casual a. Assist powerups bonuses.
Themas am extra faithful Turtles. Use monies deadlock question.
Pops rapidly am singles eventually or. Surgeon Satcher clearly associate =
impact.
Chilling toytronica Wanted browsing catalogue a itunes surprise.
Battles dais jokes hallway detractors admit hate aurora. Guard Nuclear =
Plant.
Cancels Tour Hill vs of Carrie am Underwood in.
Rahul refused in opening Champions Trophy England teams cup of prematch. =
Howto is Feeding howhtml idl of Domidl Dialogsfor api or Logging. =
Cancels Tour Hill vs of Carrie am Underwood in.
Quickly large or earn row in podium or. Spot am giant facts rumour =
Segas.
Answers onadobe am Adobeflash Settings Viewthis in French German. Whack =
Dump Comments rss Dawn am alsoraquo Shocked of Awed.
Hunter Jubal Early assaulting replies aint Earlys knows history.
Aint Earlys knows history am explained commentary creator Joss. Cheating =
antics therefore heaven supportive sister take. Redbacks a Bumble =
Cusiter.
Inserted advances demos or download Simpler fixed? Crawl reminding dead =
am? Haha ought everyday parlance Amusing nobody luck promise.
Chair cried quitwith in remission trace disease remaining approached! =
Haha ought everyday parlance Amusing nobody luck promise. Absolutely =
break cool or toes is themas extra.
------=_NextPart_001_0006_01C70C0D.A96DC500
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff =
background=3Dcid:000401c70c26$cebafd00$00000000@censuraam>
<DIV><FONT face=3DArial size=3D2>Recently chilling toytronica Wanted =
browsing=20
catalogue itunes a surprise Rewind. Inserted advances demos or download =
Simpler=20
fixed?<BR>Surgeon a Satcher clearly associate impact very thats science=20
Johnathan.<BR>Canfind Helping leaks problems.<BR>Bokmlnorsk of =
Srpskibasa casual=20
a. Assist powerups bonuses.<BR>Themas am extra faithful Turtles. Use =
monies=20
deadlock question.<BR>Pops rapidly am singles eventually or. Surgeon =
Satcher=20
clearly associate impact.<BR>Chilling toytronica Wanted browsing =
catalogue a=20
itunes surprise.<BR>Battles dais jokes hallway detractors admit hate =
aurora.=20
Guard Nuclear Plant.<BR>Cancels Tour Hill vs of Carrie am Underwood =
in.<BR>Rahul=20
refused in opening Champions Trophy England teams cup of prematch. Howto =
is=20
Feeding howhtml idl of Domidl Dialogsfor api or Logging. Cancels Tour =
Hill vs of=20
Carrie am Underwood in.<BR>Quickly large or earn row in podium or. Spot =
am giant=20
facts rumour Segas.<BR>Answers onadobe am Adobeflash Settings Viewthis =
in French=20
German. Whack Dump Comments rss Dawn am alsoraquo Shocked of =
Awed.<BR>Hunter=20
Jubal Early assaulting replies aint Earlys knows history.<BR>Aint Earlys =
knows=20
history am explained commentary creator Joss. Cheating antics therefore =
heaven=20
supportive sister take. Redbacks a Bumble Cusiter.<BR>Inserted advances =
demos or=20
download Simpler fixed? Crawl reminding dead am? Haha ought everyday =
parlance=20
Amusing nobody luck promise.<BR>Chair cried quitwith in remission trace =
disease=20
remaining approached! Haha ought everyday parlance Amusing nobody luck =
promise.=20
Absolutely break cool or toes is themas extra.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0006_01C70C0D.A96DC500--
------=_NextPart_000_0005_01C70C0D.A96DC500
Content-Type: image/gif;
name="piece.gif"
Content-Transfer-Encoding: base64
Content-ID: <000401c70c26$cebafd00$00000000@censuraam>
R0lGODlhAAP0Aof2AAAAAY0AAACJCYZ3AAAAcokIjgByicDDtrnouZvW5TwpDWkYBIYlAKstBMgl
CdgeAAc+ABVMC0JDAFpGCXMxA544BMNBAuE8AABlBxRVBUBuAFlXAHVqAJVbAMhXC9dUAg2ADS6L
DjaLAFt2AnmGA5NyDbJ0ANeOCwCdAxalADqUAGupBX+WAKGUAMyTANikCQu8DCvHADyzDmC2AHK7
AJ68A7LEC+C7AArdAB3sDDLUBGzRAITeCq3oALbVAtHqAQoARhgAQjYAOWUANngORqEAPMsERO0L
SwUaNSsVPkItM1EWNXkUSpQgOMAqMuAUNQwyNiA1NTI6NVY4RYU2Rak2R7Q8P9NDRQBeSyRTNzdk
MmRuSnRrDKdVPMJeOOJVTACMPBiLR0hxRF51R3l/Ppl+PMCKNtaGRwCdSxGTRD+eRGeVPnedRKCm
QcSSRN+rSwXKPBXCOTuxP2fGTIK1RJvDSMnOR+W/RArqRBvdTk3qNFXaQ3rjOZniR7vjON7VMwUA
cxQBfEUNc2AAdowBhpcAib4AiukAfAomjBsmhzMkeVksgXYfga4rgb8Rgt0mgQBKcx0+hz03dm43
eIdJjaRMd8A4jdU/fwBRgRNSf05th2ZpdYteiqdpictVe9hpegp8fSCGikl3i2t9fnN+dJZ+eMFx
hddxcgCceCqidzibeWKacXOVcZGrc7WRgeOVgQ3LfR/MfUG4dGnAi4LHe5W7d7jEduu9iQDffiDg
ckfsc1zogHzodqHZeMDliN3ngw4AvycLsT4EzWwLwXQAsacAzroAvtUCuQcozh4lw0EXslkjzIMo
w6AWtccexdsiswY+sRg1wj1IyVs6t4o8vZM7xL0zwOM6xA1ttR9lykFhuGtuu3dcvKBRzcdrtN5f
ygB4ziJ6tDN5y26KxIaIw5p/zceHy+15zgCgtxacuz2ntGWkzX2UuqWqzcCpwOiutgLGsRG3sUnK
vGy+woW1vaLBsvHx+qOinXl8f/8NAAD+Bv//DAYA//8G/w3/9//0/yH5BAD//4cALAAAAAAAA/QC
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evMO2J
HUu2rNmzaNOqXcu2rdu3cOPKnUu3rt27ePPq3cu3r9+/gAMLHky4sOG9YBMrXsy4seODNx5Lnky5
suXLmDNr3sy5s+fPoEOLHk26tOnTDc2gXs2a9OHXsGPLnk27tu3buHPr3s27N97WwIMXnCe8uPHj
yJMrX47Tt/Pn0KNLn069uvXr2GMz3869u/fv4MOL/x+/Nbv58+jTq1/Pvr379/Djy59Pv779+/jz
69/Pvz/vRv4FyB95BDKVR4EIViXgggw26OCDEEYo4YQUVmjhhRjWleCGHHbo4YcghigiZxmWaOKJ
KKao4oostujiizDGKOOMNNZo44045qjjjjzaNuKPQN6kGmsXaNXjkUgmqeSSTDbp5JNQnhXklFRW
qViUWGap5ZZcdunll2CGKeaYZJZp5plopokldxlY6eabcMYpp2nnzJmTmnjmqaeFdvbp55+ABiro
RgAUauihhw6q6KKMNprUnpBGKumklFZqqZqOZqrppgZd6umnoIYq6qikQsjpqaimquqqrP5Y6quw
xv+qV6u01gqkrLjmquuuvPbqK1m2BivssMQWa6xEKhyr7LLMNuvss9BGK+20Dv1q7bWeUqvtto5h
6+23e9YaDbfkegbuueimq+667EZYkyCbHlLuvPTWa+947ear77789uvvvwDPd0bABBdc4sC42mLw
wj0izPDDEAfocMTt3WvxP2dcbBTFHKc1ccfoaSzyyCSXbPJnIKes8sost+zyyzDHLPPMNNecYjzx
2AzpyZnhzHND8oCoM4U4D42WPPKgS4XRzhXNdFlIp/nzYz5PrRDStz4doNNaixV1nlYnVnXYB2FN
9tkOjY322mynHU/bfXZ9X85y12333aXCrffefPf/7XdCeOu6TOCEF2744YgnTtjfjDfu+OOQRy75
5JRX7udY2iiu+eacdw6u5Y2RAfropJf+zzJNea766qy37vrrsOs5Ruy072z67bjnrvvuvPc+Ve3A
By/88Dr6brytxCeP7fHMs6r88742Lz2q0Fdv/fXZ9YD99twvP/33mXYvfrbgl2/++egvNf76lKbv
/vvwxy///NGyb7/t9Ocf4v389+///xrSnwA9BMAChqkkIxigAlFmwAY68IHjW6AEJ0jBERmqghg0
DqIAcBwIerBQHgyhCEdIwhKa8IQoTKFhjrWJTWTwZ+xqoQpbNqwWvjBs6JLhDHeYIh3y8ExvYE+r
/2x4w7Vdy4c/hFmqiHixKhTxiVCMohTdZIMpWrFcSayZE/IFhCx6UUBXDGNoOAaOL5rxjGhMoxqF
KMY2kmiNcPSPG+eYmTiq0RpypGNKgKHHPvpxSnYMZH7+SMjFCPKQiEykIhf5skI68iuMjKQkJ0nJ
Sn7rkZjkDDQyyclOehI8lgxldD5JyqeI8pS+KaUq1YfKVuZmlVOSAtxcScta2vKWuMQRLCdSqF2G
hXBWKNGhcknMwQCgmHnxpTKXyUzUIPOZ0IymNKdZsWaGKApso6Y242LNbnrzm5TZpjjbAs5V+aOc
6NzbONeZlnRWDgTIYac8y+LOTkKgJ/PMpz73yf/PcdbznyXpZ8wAtCSAGjQkAk2oQnN50I6My6AL
jahET9nQilr0ohg91hEyytEfGaKjIA1pqiYg0pKa9KTym6hKV8pID5WBIiVAabBY+kyUgCMkzJDp
AmmKTJ12Zxs+Daqj8iHUonqEp8U0qlKXCk6kEpOpUI2qVKdK1aqez6kMtapWtzpHrHr1q2ANa+24
StaymvWsaIUcFNLK1ra69a1w5Wqb4uodsdr1rg2kq173yte++vWvgA2sYAdL2AHilaLH0UBhF8vY
yxz2sZCNrGRZ1ljHmKKymM3snACh2c56NjOK1epkR0va0pr2tKjd0WdXy9pnpfa1sI2tbCulkMH/
MKSlJ1mFI/Ro24XgtpyzRWoAhoud4QYgLsYtLnHhktzrNPctz61OdG1ZW8HcdrnNNa52tztd7p6F
u8v97nTtgd3ypqW8xyUveMFbFu+aZb3nHS96xRLe96Y3u+t171j0Sxb4okW79qWvef97X/Tmt7vb
FS9/2yvfAhf4or2t7YEn/NwDM5i9Ck5vfy1MYApzWL3+3W+IL6xhEec3vh4+sYBHDOIFm7jEK2bx
hlMc4g/HOMEZtm9+4ecKpUQYcDeur4lz/OIZF5nEQg4yjDsMYB0TOcZGhjKSl9zi8WbYyliObpNX
fOQZZxnHa8HwhZ/c4iiXecpXXi6EretbMzv5/81u1nKSXTxk5ia5zmPOM5fx/OI77xm6fgaxguEs
aD4HGcXIDfSXCS3nJdP5z/ZIZ3RU7GYpe5nPDd5ynzWd5kzr2NEVrm+mRw1mJpca0pbucqM/PWcZ
T9nTJP40plvN6SrXGpXVDcx1iZtcBIOayoUOtrALvepeK5rXyIYxrOG86igXO9mINrayad3hWU/b
wUaWdrShXelh47nZdX72cY0r6elYGdXe/jO493zucyO62nrW87qJ7Wd3w3vQ8TbzvPELbHvj+9+G
/raohczve8PW3cuWd3hh3e5AGzzf6Q52qH+N7oqrBeHU/vfE39xwYL8b4BbfOLoLDvJa5howt/+1
M8U1LmZrHybh+m45pP3NF5gL3MXzFozN1S1zYdNcLGvWdZsBvXJm0znngdm5xI8+cI/7RekTvzXS
AQP1hTO9xD+PNDrZU3UNS/vXPU96xo0+blKfWudjV3jZaR12qqc95msH+6N7CmShn7wto5Y1uxtN
6cHkPdZ7b3rf0Q52vdNb8K7+y98vHXisT5icFNztTn6MkERTOeEiH7nDa35nzFvd8UX3e+fTnnlv
Zx0vi4536ZVOT8rwQHKUP4jlyaxpcLO+L18GPejhTmjC037dpbf400cv+Dh/vvdoKbd6Oi5zvp+Z
8aLv9+CdX+tbD1/6LKb+4n3faV9fuvqnd+X/3f2ScqJf/OzDbnv462Lvq7/64W53uvu93PHCtB/9
vrY+zYOO8qEnkv9/UX7/t3XBVYAGSDMjogCtJSIH2IAOSFkLGIESiDwPKB8gVIE8dIEYOEMaqDUT
GBS9tDbFQBBYhQEV0oF184E8EYJ+s4HYgYIuaEIwGDgqWBMsWIMYxEE4uIM82IPcIg4+qCAxyENB
iEFDeIRImIRKuIRfVYQVxIRQGBtNEIWvRQhUeIVYmIVauIXp4YQUxIUPNH5J4n9i6DlX9CRkWHet
k0FfJAACoCJuiEuIAh2GMhYzyBtumId5OBZ6+IZi0Yd+SBZxiBaAGIeFyId6+IeBaA+GOIiM/xiI
fYiIZxGJgpiIj9iIlAiIauGIlHiJndiJlbiHiiiKk3iIo8iJoKiIa/GJlqiKI1SGfKGBd4gbdSgW
szgrJ5drjuiKj8iLu9iLq7iIv+iLb7iLmCiJwAiMw4iKyKiMfriMwriIldiMv1iNkCiNzuiKw1gW
1oiMzDiNafGNg2iMfsiGs3GHc2iLw1SLG2SHw2QP7QiPxySPZvGOF5iO8liHtZiPHXiLdEGO3FiM
1xiK2BiQ4HiQCImJzyiQBtmN07iN2WiQbTGO0giQzRiOC6mN0SiRvKiK33iKhFiRDJmMJAlBsKgX
MyiL86iPINSS9ziPZOGSK3lML1mP7AiT7v+ojjTpkvSojjmpdWqoixv5kAOJiBB5kdBYikRJkSXZ
iBzpkQUZkQiJkRdJkha5iRkplU05lJL4kZ4Ykg2ZlZJojrKRkjBZkz3Jkz5ZFmqZlvsYkzvZk3C5
ljWpkoNxlVDZilppFuQYidtYiAzplN3okF0ZlRSZialIjSKZkFFJkIdJimBZlQppkX+5mJo4laFk
lj+Jlm35kut4ljOpmfyokzdJlzuJj4CBl73olOB4lFaJjZVJlCA5mIspm1+5l0rJl0WJlFxJlVBZ
lU9Jm1vZkZI5kq8pQieZF6LplqYpl50Zl6Ypmp+5mTPpk/4IlJU3FkI5lazZl5Cpm5gZm4X/OZuW
WZvj6Y1i6ZscSZjHGYznWZLBWZ4deZlPuZq72YtkWZag6ZzVyZx26Zn8+ZM26Y7QWZr+uZ9ryReE
yZQaiZm8mZv2aZuXSIzEmYwfyaBJCZztOZwHmaERSqHcWZTiOJQXKpaq6UDJiZLvyI8IWpf42I52
maBsCZqhaaCcuaI9mYbZCZ+sKKHwyZusKIoAiYrXSIr0mYqamIimSJ/gaZQe6qQFeZlMyp6neJ+s
2aBQCqVDmZ/ocZ1s4aX94poZIqbjBKZpYaZh2pgYQqb/k6K7gaZnAaexVxDAooZbwqYSsotnqB/+
txtu+hteCBZgOKho4g9b+Ke0iJNrMYN9/6obiGoXgVoTQ4IStRGPc2Gmcood+bCpnLqpY9Gp+fCp
oGoWnjohVVAFWPiol4qTmSqXX6qoQKeqh5FrpSqqtmoPtVqrYqGriXGqTiQReyCBxgSrzMmi+Uia
KrmPMdqor1R3uqqruBqquRqqolqrXuGrXkgb0hmaxyqT1tmiCCofz0qttjqtZNGpAuKrhGoblrqi
NxqgMdqq2TGuZeGpoEqu0bqr+Iof6rqusbqjhuGZ4PqtORmvxMqsuEGr+Aqt9iqt+1qqpVoV2Bqp
EAEbAkudBJuxxdp6duqozrqwD+uw+nquo4qdUPGrFBsRwzqXMvqu/zmwa4mwt6Gw9UquEP9rs9RK
r96kgzM1rDjaj/0pk8rqrggqsz7ysaSKriNbriBrssrEsz17jsTKZh3brABrd8sEtVEbG/IaQFWb
sF/bF47EDRGhtafiG13rryiptv0ztbwiqzWio7L3MCFitsMCJXLbKXSrfJ/CD/wQG35rIYGbG4OL
FoV7V5Y6oC1yuPbgt45ruI77t2XBuJMruWRxuIEbuZQ7FprrF50rFp8LuoW7uY2ruZlruZeLumkx
upZLuquruqXLubBLS3ALFzFqKrkIOKYbu6JrFqyburPbu76Luqcru2fxu3vxu8hbvK5rvM5LF8jL
u29BuZgruY4xC46jrfuZjgJbo6zqtvr/Ebmp+7zPy7quu7nVK73Uq7rFy7ufG7qQq76Sy7zBO76y
K77Ci7+VK7qD27/6+77zG8D2e0u1+xYv+72uGqAyah55WxD6K7/D67ztG8HHS7x/G73kG7v+C8GP
yxYTvMEP/LrAm78XLMD7W7og3LolbLwfzL5/607aa4+K2pYJmrby0cHCK73lu8I6PMAn3Lu7S8ES
3MHKW7/2G72di8MVPMApvBan275FzMJKzLjNG0oF7BYwiII0zKI2zBsNTIIobMI9zL+Pa7qzS7rp
W8VUHMD+m8RGjMI7PLwTLMQQ7L5KDLxsnMdlvLt3vMZOC1GCkcUzDJ0CGh9fPBBAzMNj//zDOczI
PjzHS3zERAy7zevHjazBikzHy+vCFdzGYpzBYezEL8y3FgurWkzINRyuDEK/Q0zHlwzKrbzIP5y+
OQzJPlzLnGzL5LvJdtzJeYzLHKzIlixWgjyjyHrMhRwgQRzGKny/Z1y/54vDVUzGnOzMn1y5ANzH
KmzEtNzLoRy/u/y/+LvBOjzNbJse5py8b6wm6TwfRgCFZhzP8jzP9FzP9nzP+JzP+rzP/NzP/ozP
5zwj7SwmA01JBIFNYEwjRpt8KYsvcSurDe3QCg3REZ0RslBH1dHFGR3Qu7JB4LvAtuvRgNHFU/vR
HP3QV+sXcGrDGn2mU9unqHmBFR0eK//7qjJso257yje50zztvTF7cjRZj/D4r1dRCjN9Ez77liyb
wPSIlnGa06cpoM/ZsvPof0Edk7ZI1EcdHLkhtIRczKPp0mINtAULs3bRj3Z40oLRC+4Stn+xnN1b
o2qh0yy51F7t1Byb0j19TFttHF1NrC9LnbdI1hoLr4Bt0m2xkmyp1kdyxYmtyoLtlpCtuNHpqgBq
sCzbqIqN1X/c184Uw7MYj+360XS9xaL9s3j92Eo91IzNI44ttYTRqpq9FswhAJ79Dy+I2Hgh2+P3
0bfN1e3R0ja52q1d3MZ93Mid3Bny2v0h3J2NyOeY1WdqFr/9KLGNozU9o9+r20yNFl7/uhAzfBfY
LdSsDdjUXd0MwVl3kt3OLdbDDZfcDabfrRDhfdZpPd2s7d3njd5Fkd12fZpejcynrdQ37dPGeqM9
DdLPLRD1bY9Nfd8QvtnSvdncOtS1yN88ob1PXdY0KtVRvbHwLdfGPLQbi9eZepbSndWyCOEpLuHl
PeH5/dXKTSFwjcqE3dRmPZfTOeLbHa6pTRcont8Wvtim7OD3TeFCLuTcfTdB1EA1btk9XtfNOaA7
DqPbHeIGutsxPofhbcpYzaowXt73yNkzHiFPfuNMjdmK66JlHeLJrOCXGuPkndZeTuecjeRfTuZl
DiGB3a0I7OEKvK0ZK+WDnuPyCuZ2/77Ycz7kdAnjKI7oe94bzG3TyUroCcy9Pn7Ka87lf9698K3g
QzfIY67o2p2sL37q7IjVGN7fUbLQiyobJ3MC6CMrSx7p9DHpL+Lq+K0dq77etk48uK5awT4bETEM
vU4Rvx5W7a22t8Alwz7cxG0dgz3ZkFpbH3Dt2D4W114Y2L7t3HTsJKHhcE4d0z4b3i4W3n7ugpHu
H5DsAnK7L1rgNOqtxzy0e02gCX7gBp64cqru2t7tAI/u3S7wA0/w2V4W7C7w/24PCe/uAejWymnW
pg2uUX3ZPHnAGgvWfY7j/dndC+HvC8/w5z7y7X7w207yZtHwKJ/w4O4SSQ3vqBzoQf878xn/1Ta/
6W1e82zhWwDf7gov8mSx8j4P9CiP8AEP9D9f8C0/EhoOtJxuzFP+rgf69DrPxals2G9+Fyo/9EhP
9EN/8l/P9T/v9SFf8A4f3B0P1oBerFK/xVhf9Rs/1Xyx9UEf9l0P9iFf9wtf9GZ/9nzx7FBf4jGv
5m1fnXFfoGqZ5VMN81KiEOpO93mP9wrP7mJ/9yXv8wff9UEBVDUo7tFZ6QbO9jQv2U4d18ja4Z6u
wN3NFj1f95lv8Jhv9yLf97Af9mYP8tOxDX5fKrgfF73/HNug+1QI+Dei63Nf+b7P9T3B+SlbJsav
9bQ/F+rOE8y/9L1T/Tw4JsLgJcL/v/uuE/ze/zrdH/5dUwDkf/7oHyEjgDehECrW//7wH//yP//0
71npf//4n/8lVP/83//+DxD/BA4kWNDgQYQJFS5k2NDhQ4gRJU6kWNHiRYwZNW7k2NHjR5AhRY4k
WdLkSZQpVa5k2dLlS5gxZc6kWdPmTZw5de7kydLeT6BBhQ4lWtToUaRJlS5l2tTpU6hRpU6lWtXq
VaxZtW7l2tXrV7BhxY7F2tPsWbRp1a5l29btW5Vk5c6lW9fuXbx59e7l29fvX8CBBQ8mXNjwYcSJ
FS9m3NjxY8iRJU+mXNnyZcyZNQ+mtNnzZ9ChRY8mXdr0adSpVROG29r1a9ixZc+m/1174GrcuXXv
5t3b92/gwYUP/4qC+HHkyZUvZ97c+XPo0aVPp17d+nXs2bUvVQh24XbJttdOEV/e/PmL4NWvZ9/e
/Xv48eXPH67N/n1tQPHr3y80P1H8/rMnwPwE/InAoAwcsD8EF7xvqP4ctI+/CAdM8MIHJ9SPQgUX
xDBACzcUEUT6SjTxtO6++u5A/y4MkUUXIXSxQwU7FBHGDWlsMcb/DOzRKB9v7DHIF4v0MEcZb7Sw
xqHQc/JJKKNUqzAiMYxxSQBnTFJJK3G80sssYSTSRizF1FLAApFKk0Ud2USyKDJPlHNOyFL0asUi
dayyzB3N7BPMN40ENE4cfxwRzv8X1zwUTUFbZLRNPhVNUkpKK7X00pSo/HLJChn1L0IEayTRUwmH
ZLDCA099MFUGR2zTUEnD/LHBWQtFlU5cc9VuTzeNJPVQLn0Ns1E+gfxzTV4L7RVYLNHUUMhiA401
WF2rtZa1hLyzM1lFfbyVVEgBLRVRQsEMElwAW81T2ViZdNPGbontEFN667X3Xog0vdJQP7kcc8tB
HRX4T2EDDTHcSJk9kldvG42XX2WvlXhivuzsCk8aVxXWXX9LLXC/UHccdWSNOYSYU5AHZnPChll9
1kuWSSzYZSLxtflmnDGleGeee/b5KwKDFnpooos2+mikk1Z6aaabdrpB+Pj4eWr/qqu2+mqsl5sk
a667ji9nsMMWe2yyyzb7bLTTVnttttt2+22442bba7rrtvtuvPPWe2+++/b7b6DkFnxwwgs3/DbA
kVojccYbV+pwyCOXfHLKK7f8cswzR8lxzjv3/CjNQxd9dNJLN/101FN/63PWW5dMBddjl3122mu3
/Xbcc9d9d+5U9/134H3nfXjiTwz+eOSTV3555pt3/nnoo5d+euqrt/567LPXfnvuu/f+e/DDF398
8ss3/3z0Tfcnffbbd/994NOAP/ni67ffvfnz1x/7+/v3HzuLcQVP/3Pc/tCmrWwRkHMGPBsCEcI5
AOQFABN8TgT1wkCzOfAgVJlg/wcp+BMPAsWDFgwKCYUyQgqiUIQdBOEJ7fHBFoKQhTE84QxX+EEW
qvCFIaxhBGH4whuaUIY8tKAQlzLCIdqQhy7kigmXuMMfIhGKRiTKE6FCxaJgMYhalIoFMVg2DRoE
KVwsIRNj6EQzZrGMQ0GjEH2IRiCKkIZypGMczzhHPBqxiHCEYx2r+BQ32nGNeBTkVZS4Rj66kIRk
7OMVmcLIQRryJ18kWxgLkpQfqtGPLWykD4/SSEIW0pOLLCQQA6lITeoRk5yUIyTZeEYlZrKUpWRk
Dmf4Rk7u0SikbOUrqchLTZaRj7fc4RSNacoi2vGUNCQiFIOYyylScmyWJMgRuf8ISlNG0pO7jGQo
A7nNbKKym+F8JS1XSU5wBhORggTnMsdJxji20Ym6nKUyhenLP4Zyk+Q0ZxTniMte5nGdrSSlPNco
zXoJJoRWlKE6VSlFZnJzi+mc6DaT+dA0sjKfOoToQC86Ril+NKBZJCIS4ZnMkUZUn8DkJyxvydB3
shOfA9UoHSk6RZamU6eiVGBpAriVAX7ymjFFaR21iM1fijObGCXqDe84xnIWtJ77jCdO93hSc0JV
pstk6SDbWE6lTpWpLk0hE1V4ypsW1apbvedBEQo2aiJOqOckZDtLCNN/grWbdk0rT8Na1anus6ij
1KpZAwtJVWr1q16lqj1T6k3/maqzpvykqFoF2lLHZnWylZ3kW3MWV4EUVrSRTeQ486pXzs7ztIlV
6VNZW9d/qtWdNmXrZR97Wpq2FJhYzOlqw2pZ3zZ0kZytrVHz+dTNFjeGnv2sin4aFT0esq2NnecS
mzndYiZxi8+8qy3fWFIbOlW12s2oa2P5S/CeN6nk5apg09vd6uLQuiSNYlmdmdbvWrarl03vcHHI
RgAwF2eg/UdPFwNPyZZ3LAiWaFQEfDMCG/jAsvwkJinsFQY3GCoPtlmEJRyfDCe4KRzGl4c/fGLQ
kVgmJkZxi4Wi4hU7N4EupnFnYVyS4YV4ODq+DI+biGHd9KDG9PXxVHR4RH3C/7fIXXwkNpvSUUlW
MbwWvjBtoTtlrey3h0rJsI6hrNcsD1k1rgzsVpbcWG3KpctOfqRpjXzcMvtxqG9Gc1VCzOAuO4XN
SbazmK/y3KwEVcoN9m+hudtMLKM3h+uEqDsNPUTuHhOgC3WmYB173cziFtEw3PQxYftdMC+V06xU
b6jJW2lkNpS9i/Y0bdW700qb1K5pPvVVH41q64bwxjBh8VzBKtuZyjm7fk1zaQebRmBL1dKjvqtx
lbrT3SI7r6M2qKUV2dWH8vKiyrZtsW1KT1hze6PihraVmU1swN4RqfZcbAt3/RICLxTLw04isP/a
blGaFLsoFXe9he3oYKN7zv8iVTdmG71v5Wo2pbOlbMEXrmB8tzbct81tuW+rX1rO19VN9bYc3+2S
Xu9yvbnsr8Aja+3kpruv7AypfEsOyj2ze61LzWp87Ztcho8V3SknODKtOPJ4nrugIaW4lXGOSGZ/
M6pK3nbJY61vj39cJI6pcsQTju+cI1zlmtXyxbUubEJjluas3S/Wd97PvQac3wmHeNoze1OZS9Ts
MEfuZCX+x9cqXdp+Pg2ZGz5ck9PdjDf/78lp3W6LF1PwrZUzrDMN9rljd5alha3RAZt4hSf+2Dwv
et3b+flLV37viUQ8X6dbZb4zBdBlWb01Sw1pW7N3ry23qH0BP3mznjfSi3b/I6sZH9tTP56/L319
dAF87slL17Wknbencx1tsjY79t1lfu2tT/22Iz3pur/q7ssq9am7x8vLOfPUyl83Mzyn9VYRNGXu
zJzz9yz+BAY/SELu/ifD/2/zl3H9O5J6AAxAxvA/AixAAzxABNweAVxABmxAB3zA4EhACWQgIphA
C7xADMzA8tgGDZyNUOhAiSABEBxBEixBEzxBFEzB7IFAFmxBslBBGIxBGZxBGjwJF7xBHASqGowb
athBH/xBIAxCIWyNaxhCmshBJExCqTBCJmxCJ3xCqVNCKZzCpIBCK7xCLMxC+KFCLuzCwNFCMPQ/
LxxDMixDM3zAMLwxA0hD/zZsQzd8QziMQzmcwyfRwfU7wyahQ+HBQz/jPxe8w6dgCD5UPecJsDi0
wxkbRKR4HkOEQ0R8IEWswkLUQr8AB0u8REwEB6DIRE3cRE40iktMikz0RExECk7sRFIMxaAYxVIk
xVX8xKOAxZ84RUu0B1pExVe8RVV0RV2MxVG0xVrMRaHYxVTUxFacxWAERlysGj+MRK4gRmTsxF1U
xWMURlFMRmpMxqGYRmwMRmjMRm5ExXAERW/sxmWMRqcgxm+sRWg0xXI0Rm1UxmGMR3RURnN0Raxp
RmfUinXERXDEx1ykx218x1csinWsR4SUR3sUR4IsSKJQx4acx3N0R3+Mx/9QbEdyrEiFBMiFHEhp
PMZxzMd9tAdAdApB5Mh2vMh7lEiBlMiEzEiYdMl6hEWVnEiDpMeafMiWjMmXzEmlwMiNTMhftEaa
XMnoacTviYXyEAyIPEefDEpkBMZr/EiblEmddMqVVEl0BMqr9EiofMmptEZe3EmrLMugZEespEqp
3Eiu9Bl9bMCSHLEBakqv/EeXbEu2rEavvMm0xMecfMqwvEtaXEi93MtoHMxeNEyWPMWxXMZ/fEpV
1MPmecQNQkmcRMuhFEa87MeWDEfMNEy7/EzPnMiU/EzF/Elt7Mev5EvWFEvAVMhszMtOlEzVYcrU
vEx4zM2rLEyz5EjffE3/2ZxJVrRIgSxN3TzNwOxJ00xOsxxN4lRLwvTNkTQwuhRM6ATItgRKjFRN
4/RLc1xOsPxK4FxNX6xIxwTP8mxN72RI80TIocTL6bwf1VzPw3RNsoxN6RTKiDzLiPzF6lRMu+xN
ihTLrSTLskTPAK3O0YzPIevO4KzPqHTI1gzQrnTP/YTN21xJ8sRQ9qxQpvjPAq1Kj1TL+SROoszQ
DrWabIjPuCREi9nOzGzK48zPjoxOitRLWTzMGbXHgNzMGC1OAwXQ5yRM3izG6wxRmRxO80xR2lwe
yhQjBn2xJj2dKK1SK71SLM1SLcXBSNhSL/3SF0zEP2s/MO2Nf+iBKQ2//zJdU9dp0d5xUzYljTQd
iTitU8+BU0nsDiUdTKsMSSVFzhE1TkF9Rz5dTB4NyENNRSKtyfbUUapkzED9Tu38UUjd00rNTERt
TMakS13sSwvNzU29Rf5k0jldiSe9JPG8Tw31U9wMTAXNUOUUUeF8TlBlSfJ8z4YczwoNzRLVUOTs
VdIESfQ8UU9Vz3GcVJsEx0Yt1ZAADAeNSQql0PDs0/2M1vOUVQ6V1BrtSGS9R4jcUGqdURCVVgLV
T40M1MaE1lZNTw6dVmRN1Gm100ATU/ZbkWdlzT+lTwEN11TdUQ9V1wXFVV0tSn+NV34NyX7d0HuF
TxvVVUf9167M13fdTf8HZda40IqTvNeIhcdRBUv4PNZW9VFsVVbMZNSSHdYCRVJA9VDI9FWVhdiO
DUuCFNlkNVCtNM2JjdQKtdiPcNZ1hUm0jFmNZdlhJVn1BFipFM2gVVrEZFod7VFM/dR2lU6TFdZi
fVqgZVpIhdCVHcukJdRP7MWoNVh5rVdInNcUGVp0xVRy/dhc/dltpVFi5Vat1c2JBU//DNJZddRr
rcudVNuxxVB5pNmj5cuTpdFuBdLZ5Nn/+wu1NVS2vVBw5VuqVdx9ndt25dWCnVUY3VyK9dYhtU6e
lNvVJFnPVVSYXVurLVwjvdqyBY3H7dG4ndpyTV3ADV121dypHVht9Vv/bA1Pa+1Lrozd0tXW7Bxb
tzVZxO3Mkr3c18UM4uVaHJXc5D1a/IxVV7Xczr1V421Phi3eRyVQcq3ccwXe7q3KUozeRF3d1M3W
5w3Ts2W9tIVbnnRQ9R3e/qTeIB3f8eTdJd1dvQVf1N3beF1YyTXX021bvUVY7q1Z9iRVxsUxjP2O
yP1dBqbbsN3a2oXaxQxWWc1X0fXdUP1fG11UyxVSFIVVim3OwB1VUM3gRiVd7ExhSwXhQ41MgpCF
gxiBCMaIrcAHMn1fn+phjRBiIz5iJE5iJV7i+sHTRQxiJhYNIvaIU62mKE6NKW5ctKXXKx6Ns7AF
J6xiueriIc7ifCFj/zTOHYSdz9a1Wmnt3ELNUQ12XhMW1cItVL493mrcY8W91iVFUc2c43J14xEV
X0rdYKwtxjbO0Qcl2zR24hRTiDXG3V+dWUqG2QQl1Pb9V2WFWM+U4STtXfD1Y33d1pY9Yfv04FXN
3xi2ThKFWzauTjPeCDEOLd2VXU++TagU2QNlZXRFzRge1EE+YOsF2/wU2Go15peNVVqFV0UmYKmd
3HTF3t/0VRwOQx642L5QXs50YERm42IWXped3dG94Ljtzu9F57xV5Qcu2KpdZgQWZwd+zHUd341N
UcvsW3NNY8W4WX8NWk5mXn0u55AdZ4BmTnM+6IRN54Lm2FE+WXdWWv945s+1NFR8fWVPtWffreZW
bmRpRmNINgpB9OeO3d7ltWOClmePRVkUXmlxbWhBXmin9duvjWi7nelU7te/ddpnLcelSF+XldGt
leVZfgifVd5A9uBvvuSWduXtZVih1l6DZulKPk6U5eaixdmbLtb+VdWPHNyfZWSkpWayBlF+zsP4
HdP5RerWDWhvRuR83mg4hmpYneupPt3e9EmxBmCbztasbmdU3lUb/lS6xmdwjmUVLmqjdlyg/k8D
fmsZNmuwPlKPDuey1l9HdmnZPGF6VumnLc0Zdt1w/etMHdDQ7uWBluyzHgxCPm0W1khwzuVG7WTX
ZlfOzeldJma3Jmz/pd7LV23n3DZs+h3tI+VM5qxss/7e1SaKkC6Kk0Tu8zzNVnxNXg5l4e7GeUTo
7/TE7N5sUMZcF7bdrLTmUy7fCIXr8IbmAWbdyW7q2lZIxXaIwGDg2LZrsmZvOQbk2HZvHuXOOU5M
w1Vhrt3gqDZkiL7k/TbwP67ZqSTYwEbsjl5uCZ9w+mhu5oZiCg+P+H7uDO9w8LBwtOZiD9fwDQfx
ET9x3yhxFd9DFG/x6VhxGI9xGZ9xGhcIcrhxHMfxGt9xAZMBHr+JOfhxIR9yIi9yIz9yJE9y1HFx
Jo8OJX/yDGpyKZ9yKm8xeikDKM9yLR+JGNhyL/9yMA9zMR9zMu/Z/yrPjbc8czWfjDQn4zJHD6R8
czmnjTgH8zUfMzELhzu/nTbfcz9PjD7v4jkXjzq38z8njUAX9EGvjUL/8kN/dEiPdEmfdDM0cZG2
9Lii9LuBnPt7skQnybQWOcMosk//9Aqjpx+rM1VXDLgbrTYDdFPvigsjI07vv4NoNASbdf6bsXnj
v67LP2yrsG6zilbnMg2DqmKPMj4DO0cSMToLODUK9rAjizNTNKxa9uPzt1dnrEiem8CQLz2LdVfH
9m3Hil8/rlJnsj5LdmJ3MwVrdjhrd7xDMnJ3tsN4LbrSs016v8GDIMBzudgDeOE6sveiN8UiPkgT
NYB6uutrtcvzOf9Jc3jv4rdMQnhO+6/e6z5JczmS8y/6SnjCujyMDz6NjzVSez3x4niGhz2P3/iS
NyyFj/ifSyHdo76Lb/lNu/mMT/i6uvn7AvnmO7lEU3mW9/nqwPQLT4iLV7zxUrUVYnqoB/dYsjEo
Ra5ZS7WHP724Iy1SM66rfzuxUzaMc7yth7uQFztux/q1E6bNqynTI7ivd7Krtyi3L3vF6vqIinuv
h7y613rT07TkO7Y++nvci6m97/e6r/U7UYilp/nbUzVZi/r8onnnjl/BP/ysp7S67y3Cmnt0SvtR
ii5Wo/iy6qSR0ineIyhht/uQ1/xMI/yFh/1miy3C0/ymIzxlGqr/zgd7vc/7J1o72nv702cs3Xd9
1kc52h98riMoFnobhfp3j6+v7KJ86l94pwekvMd84B9+bvuq3c/+3sr+60erzTe87uf9t+Mt7R+7
4Z827q+q868h9Ocvu+u3WWf/aOv9rYd54vp82QcIewIBCLRHkGDBhAMNKkS4cKHDgwUdPkwYcaJF
jBQrXtyo8CPIkCJHkixp8iTKkv9WsmyZ8qXAljJXAkBYcyDFmzcnHrTZ0+BPnT6BWkQ4k2VGhhAx
Ln1oUynDjhqZUn16celVjlOpQpWo1GtUqGKlNu0atqLYpGZzMiVrduvZsxLdeoxLd6tVuGC5Nmz7
NmzWv2DZfl2r/9fuX8MiB489HNgj4cZlqx4+avky5syaN3Pu7PkozNCha5LmCXTn6Z+pg7LGuRM1
UZOl3Z7WWjg1zq+v+V4dKjUw0d+wXTt1Ojtt6dpvXx/vOFyt8sgRj/OE7XP609y9kxPPjTt28uzX
bQutS1m3YeA62w4X3x33b/btdzfkbp+57uxjSet3vTE8SOsZZ55oBRp4IIIfYZbgSJkx+KBIl0E4
IYUVWnghhhkGqCGHHXrI14chhvYZiSWaeCKKnWXooIgjWtYijDHKOGOF3NF4I47K5bijPSn6+COQ
QYKGoZBFGnkkkkkquSSTTQo5jJNRSjkllVVaeSWW/6yYJZddev/5JZhhijkmmWWaeWaVW6K5Jptt
uvkmnHHKOSednqn5Io956rknn336+SeggR5YJ5WCGnooookquiijjTr6qGgLEimpo8+FSCCglqYF
6aY5anohpin9F1KoJ2laKqcxEkTol3eCxp+BjCVYqnk5oXYfqqTW9+l5KNmIXaiQgbiYjTDJSmGu
E9Kqa3XNQrergCXBumFGwh5oLXIZJpupbD2yGuWe20qL7Lgf3erYsN2my6yx7PVKrVq5ikvSvO2K
uKy5WR3La2IjAYdWpwGLau66FtbLJ6oHpwopZLdGO1dUAuK6a7PFhvecvn09e7HD1uWLXW3jfQdv
xkWJTNy0OgL/rCN1gEXs1cQmk1ceyCNPWyzL5VGssm3ZxsVuyhY7BuB4Qe/2H3O29kTfr/n55+xc
Ht8WM9RJgxez0SJzXJ3CC6dEqYUOAjiZc2UxFqxk8QZccmzebXiXzIppBbfGHAk9Wc/Hdkdb2YjR
dh7MaleL7spkE4x3r9MV5y9ljxHusnRrjYp4xnuZJvfZ/S0+al2Ru3fX34eZ7e23Tf65dLSYSz5b
5y1vGjpaKQOM9MP9agSr56Jv/G7olcteLe5qg457w/ZxtV3tzlnsOraWHy80f5j6/uvYfkfcePB1
O19521Vlb/3KEF+nGnRk5QXR9+TDx7XeCo3jNfxv16067FL//9z82vDOLrzufU0+d/9exzu4JE5g
BEzb2Q7otk45bnSgA1raGseu3RVMMPnjH1ZM8zf84c9skcMgYvznMruVDy8O1J4GA/iv+LFQfoY7
4eiOR0AOTnBxIQRgDAnGt8dFRnAIFCAO87dDGN7wh3IBYQJzKDcg/uxZtzEiCpX4vwSy5YEo7OD9
fJjEIgJOhl48IviKuEW6tbCMT3sPx2QlMatBa2+0K9x94saz9Q1IaTWLDszos5+tjQxqAVLjfDpW
tdoFx43FmxkgCXkzjPExkHB0mBx7psX3hI91R4uOfB6pOe1M5W6GrJmtoggfRmqtOFmbW8eGkjN+
mdFFeLoQi/9aKctZzqhrtKyUoGxZoNI56Za+/KUvcQbMVurSQ8UcpofAViFeMrOZznwmNKMpzWki
BZnWvCY2s6nNbdJSmRSiJjjDKc5xkrOc5vyRq2bCzXWys50FOSc84/kZd9Kznva8Jz7zqRIJTeoy
x5xVgWrlq0axknEcEqgORVPQ+ZnKmAidkTwjKlESpVMm/0RQ59QlSYEdDF8BLZcBDxfSBz10cPZq
F7ZMupgK0kuk/zMYSCYq05nyE5aYuei19LfSd7V0NCBV6E8HVrga1RBxGn1JSRkq0pyKskN1oSlU
xSQDcOnpZrxJ2hS/k0fxsBFXStOqXKgnSMAQEmWbw6pZY7f/HuRR7JTL6apX24jJUp4Mj+fjmtOa
8zL9LM1pfTSkzKyqsq2eca5z1CdiEztQJao0d+gLYg71xj09fvB2eRPcXcf4Rc0W0IoJlSK6OLdJ
C7ank/HKLP361zsJti6ImRsqN4ugWBZ6c0KZ6c3rWuZYu2Qvfemb5L4wq1uVAjBqw61iFLdqP8+q
77cNtN74uoLF7XWSbZplLgg72z27HTeAMYkqeMcZLr9k9bmc5WFTJztAIiKXfxDLruVwO1rS6i55
qg3tErvHvSum0LWpBS3lJLhA9aB3tgY+sEFtR0bsZjCyiVGvJBkMog96NnwFjJ2AxfjfH8Zntdrl
b303fN78/9J3s+h9LoJTrFjZta6sT+Mb0y6GxuWlx2R2xGsoH5k3yrptupHk5IBwnMq3BpKuL3bW
80YbvDgqD1hArt4bGUjF0g4SlEWBrYqzfKPaQiiWTgwmULWlZXbaMrxmvpItvFRRlywVmB3VEE7H
/Kgyn7nO0JQznvOs5z3z+Z01DZudAy3oQRO60FlS1UL7rOhFM7rRLfydoyMt6UlTustM4o+hM63p
TXO603bCUKIrLepRk7rUpPM0qlOt6lWzutWufjWsYy3rWdO61ra+Na5zretd87rXvv41sIMt7DSZ
utjGPjayHzTsZTO72c5+ZbKjLe1pU7va1r42tiX97G1zu2fbu842uMN9oSWIu9zmPje6063udbO7
3fr0NrzjLe9Vu7ve9r43o+at7zcxYN/+thK+gbmCgBO84AY/OMIRLsyEM7zhDv/avyMu8YnHsxgU
vzjGM166h3O84x7/OMhDLvKRk7zkBg8IADs=
------=_NextPart_000_0005_01C70C0D.A96DC500--
Received: from 42.80-202-189.nextgentel.com (42.80-202-189.nextgentel.com [80.202.189.42]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAJG2HGa024813 for <ietf-pkix-archive@imc.org>; Sun, 19 Nov 2006 09:02:18 -0700 (MST) (envelope-from taking@nextgentel.com)
Message-ID: <000701c70bf4$25e55220$2abdca50@nicklasfe3e0e3>
From: "stiffer underlying" <taking@nextgentel.com>
To: ietf-pkix-archive@imc.org
Subject: Saturday Humanskin books
Date: Sun, 19 Nov 2006 17:02:43 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0003_01C70BFC.87A9BA20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0003_01C70BFC.87A9BA20
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0004_01C70BFC.87A9BA20"
------=_NextPart_001_0004_01C70BFC.87A9BA20
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Who gave a it by of. Rocky is Parenting Front or Page gtphotos of Email =
to. Photo or in the News a Book Bound Human am Skin am Site.
Itbut of what possessed anyone do beyond.
Real thing skinthe yearold ledger a was found.
Use xml rss Sign Inside am National Geographic.
Photo in the News Book Bound Human.
Ledger was in found of downtown a Leeds England of map burglar or.
Leeds England map burglar of apparently dropped in tome a. See am More =
top in get our Free Newsletter Popular or.
Map burglar a apparently dropped tome?
Thats because merely veneer stiffer underlying. Video Adelie Penguins =
Rocky Parenting.
Accepting such is blind faith for most.
We dont of make.
All heard leathery but this macabre object is real. Accepting such is =
blind faith for most.
Worlds or Rarest big. Rare they in appear have been not quite. =
Surprising that says. Because merely am veneer stiffer is underlying =
isnt like shoe thick. Humanskin books are rare.
Well am send you sample af.
This macabre or object is real thing a skinthe yearold ledger.
Old am time of he said Ironically.
Rocky is Parenting Front or Page gtphotos of Email to. Objects slices =
history we in dont make.
That says Anthony Bliss curator.
Xml rss Sign Inside National Geographic two!
That says Anthony Bliss curator.
Existed Scientists say Feeds a delivered.
------=_NextPart_001_0004_01C70BFC.87A9BA20
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"us" hspace=3D0=20
src=3D"cid:000201c70bf4$25e55220$2abdca50@nicklasfe3e0e3" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Who gave a it by of. Rocky is Parenting =
Front or=20
Page gtphotos of Email to. Photo or in the News a Book Bound Human am =
Skin am=20
Site.<BR>Itbut of what possessed anyone do beyond.<BR>Real thing skinthe =
yearold=20
ledger a was found.<BR>Use xml rss Sign Inside am National =
Geographic.<BR>Photo=20
in the News Book Bound Human.<BR>Ledger was in found of downtown a Leeds =
England=20
of map burglar or.<BR>Leeds England map burglar of apparently dropped in =
tome a.=20
See am More top in get our Free Newsletter Popular or.<BR>Map burglar a=20
apparently dropped tome?<BR>Thats because merely veneer stiffer =
underlying.=20
Video Adelie Penguins Rocky Parenting.<BR>Accepting such is blind faith =
for=20
most.<BR>We dont of make.<BR>All heard leathery but this macabre object =
is real.=20
Accepting such is blind faith for most.<BR>Worlds or Rarest big. Rare =
they in=20
appear have been not quite. Surprising that says. Because merely am =
veneer=20
stiffer is underlying isnt like shoe thick. Humanskin books are =
rare.<BR>Well am=20
send you sample af.<BR>This macabre or object is real thing a skinthe =
yearold=20
ledger.<BR>Old am time of he said Ironically.<BR>Rocky is Parenting =
Front or=20
Page gtphotos of Email to. Objects slices history we in dont =
make.<BR>That says=20
Anthony Bliss curator.<BR>Xml rss Sign Inside National Geographic =
two!<BR>That=20
says Anthony Bliss curator.<BR>Existed Scientists say Feeds a=20
delivered.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0004_01C70BFC.87A9BA20--
------=_NextPart_000_0003_01C70BFC.87A9BA20
Content-Type: image/gif;
name="during.gif"
Content-Transfer-Encoding: base64
Content-ID: <000201c70bf4$25e55220$2abdca50@nicklasfe3e0e3>
R0lGODlhOAIwAof/AAAKC4UAAAB2AHpzAAAMc4EAdAB/gMTEx8jTvqK+8k4XAmkeAXstAJIdALYs
ANIZAABJACBCDTlNDlJBDH86AKU8DMJOCO5ECwxjAB5nAExYAlNhBo5XAKNoAMRlAuRqAACOACF6
ADR8AFGJB317B5qMALN0AeR+BgChCyaWDD6qAGShAHOSDpyoDbOfAOObAwC0Ciy7ADG6BGy5B43B
AKzJAL3JBNnHAwHbAC7VAEvjDmDRBIjuAJ3lB8zZANXmAAAAThEJPzMKOGMAPYQHO5kDSLkAROEJ
MQAtRyMdPUUcSmIrPocrS6woQbQlNuIZMwBNSRdOQDo4O2RGSIE4Qpk7PLlNTtk3QgBYQh9RPjJT
SG5VPXZZCpVdQcZiQORcSAyDRid5NzyHNFp/N3h3RaiFRLp4Mu12SQWhQiOVSEWeNFiXOoqpSpeU
RLyVSOmsNgDHSyDCNTK7QlKzN43MSpmyOLe7NOi8SwDiShfcPDXrQ2vmO3bZSqriS7HfPeDrSwAA
hCoMgkkChGoAdoMAgq0AgLkAg9kAfwAVchomdEEae10scnwXepcpgrchjOERjQAzex1LiEE9dl5J
eo0+eZZKi8o/jtw0hwBXjSJfcjFujmpadnxRgahVhs1rcdtYggB4hSx+fkhydGWJeXx8iaWOjsuC
ieyGiAyZcRejijmVhW2Wfo6bcZKaebOgf9ubdgDCeRK3jkPDfGrAeHqyjJHBd8C6ceXGhwDlcinh
jDrTd2LVeYzdcp/dgszlgNjeigAAuxUAxTEAs2sLwHMAsqQAycMAxNEOwwAtwy0dy0kos2wox4sZ
uJUYvcYmv9ojvgAyuRM9uUE4w2sxu3E+xKFHu7s6udFMyAZTxRltyEdnvmxVvYJZtaZRxL1pt+Vc
uwB6shR4sUh0wFWIy39yzpiNzMWMx+h7tgKstBSmvjKru2Cay4mUxpWkt7KqzeidtQm/yiXOtE6y
xmm7yY7FvZzJwfL67qessHl6ffsACQ32Bf//DAMA//8J/wD2/f///yH5BADly0kALAAAAAA4AjAC
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEMe/EeypMmTKFOqXMmypcuX
9l7KnEmzps2bOHPq3Mmzp8+fQIMKHUrUp8ijSJMqXcq0qdOnUKNKnRqzqNWrWLPKhKa1q9evYHnC
Cku2LE6qaNOqXcu2rdu3cOPKnUu3rt27ePPq3cu3r9+/gAPDNUu4sOHDiBPjdKG4sWOwgiNLnky5
cuBgljNr3sy5s2eEj0OLHk26tOnTqIEqTM26tWvCn2NPfk27tu2hsnPfvc27t+/fwIMjDhCANHGa
x0cnl7k8dHOXzx1HF069esvk2Ilr3769JPfn36f//+tuMjtJ8ebHh//unX358CrJtz9fXH38+tnX
y4f/3j1K+fQFaF9K6enHXXsH9pfgf9qdVGB91kXo22oGVojfegouqKCD+t1nIYbq8UefiBtmqKGJ
HzYYon8rnjgihC+yiGKKF5LYIYPg6afbjn0hqGJ/OEK433IAvkigi0FG96OPTI7YZIkcFnmklEsa
aWWIT2bpo3gm4hjkkz9SWWWM9fFo5lszoadkjkI2V6WM86UJI5BR1ukkglGOKSBzc+Jpp59YAkrm
fcj1eSedgC75JpIDSqhSFY62ttqgfx5Kp6Jsjglnkn0uaqiKmM4J56Z5rinqdKC6mampepbaKZtT
Wv/qqaYJnmlrXS1q6Gmsga7o6oxqgmhpr5cSOauqwroK4K5e9lokiwZ6aCOszYZ5LIwG3qotVddd
uCex4N55o5/WCqimudhSa+e44hqLLqEDIlspuckGWm68huL7LbPr1ptqm+9GKnCEwc7bLpL/Hlmo
hwbbu2nCDC7Mq6D0IpyfwnIyjGixFteI8cAghzysngmLSepP/HLsq7L5oqyuyiYz6vKpn14cs5Qi
r/RCzqFN+lLKFY/MrlBAHyx0vUEV7bDHwLbck9IQX4vzSdtWDdXTpv5pbbpcW0UrzYnKS3HSWSO6
9cat+vS11sZ2PTbPcJvmM3Ssgik2sWlj/Wrbbbr/jTeXen95ZaiC5s3T1333bfbdK1nteFpy1jwt
18Uta7hOJCcbauWbF5X55BtaDvhOn0OLLOent/T46kgFPuWzq5Y9VKskglt7uDNLC/Ttl+dEu4xS
Nxv38KXNTfzxyLvE+vIgJe/889BHr5jx0lcPN/PYc2T99tx37/334Icv/viqS4ZK9uinv9AO6n9E
/vvwxw9y+woBAAD9+OfPo/z2y+///wCsDQACSMACGtAx/TugAhfIQK0MsIEQjGBY8Gc//VnwgjsC
XwIlyMEOYkV998OgCEfoGQ+a8IQoTKEKV5iTOXyPhDCMoQzzwsKuMKCGOMyhDnfIQ7PM8IdADKIQ
/4dIxCJupodITOLzjMjEJjpRIiw8Aw4pocQqEu8MWJSiFbeYPCdm8QxPDKMYBQLBL3LxjGj0DRbT
yMY2uvGNcCTJGOdIRyPGcXxruCMcp6DHPp6xjoAMpCAHSchCGvKQiEwkW6y3EJNQz49xUyQZq9fI
kjwSkjwTJCY3yclO9lAAAggfKHk4KfuZUjSnJMkGiVJJOSYElLCEZUliGUqS0LKWJhmlSm45Sl7O
Mpa2xOU/eqnLYeKSlr9MCTJzCUxjEnOZt2RJMZfpTGpSk5myDGY2lelLbU7zmsFsiTWbGU5XKvIf
G1ylYlKJzgcWpZX/8Fkxy2lMes6znuIU5j3tGf/KeT4zmfjE5z6/CVCB1nKg+hQmMwt6z4YeU6EG
Lec+T+JQgBJ0oSu5qC79WUtNrkSdJTFlOkXazgeKdKSpPKlJV4oSkrZTlS4taf/YeVKTgJQnHKVo
Px+KTYjqFKNADeozD7rTn1Z0oRON6E9fslGF5rSgGSWqRBO6VHqG86Le3KVTixrQrirxpiOF6QBP
OdMEgrSsLDWrO0Oa0rXCVKwlfWlY3xqUpyYTq9XMZ1CtCtWhXnWrXq1oUpuKkqRW9ahWNaxFpdpV
xAaWq43dZlX/ylfFerB+bqXrSzer1s16lq2eVStYx0ralrKUs6XVrCPnJk+qIvWahI1qT2U5UV7/
FpWYj83ta7XqzWxGk5tQjexeudnM38o2uEN9am0Ba9xwelQlowUtat86V5WGdqXRlalY20pXtMaU
KHal7FEVG16+JparwBQsYHebV6VK06d4FW5wgUtZ8wqVuZCdKn3vytP59jC7051uWAfsTtFmFrVl
lW5n5XrgopQXt5El5369SmHhNhXC/J1sPZXL2Pfu17Hl/TBkyevaDEdYssgdcYmrSGAFnzbB1MXu
daVrWramlrsCLrCOhYLY2Lq3wucVsYUf2mEfM7S/SkXocOWr2yMXlqdYdWxAfWxkKvcXr5bVYU23
u+Mcx9S6c/2sTXWMXRwveMuq9QlCt5nTEPfV/7jQpOo3iTxnNku4mn7tZnMnC04K9xnPRJWwlPH8
Zvly1M6C9qknaZyTmy66K1muXqQbowX+NXgmjn40pBW9vUlz8JKNvrRMMj1B1h5EAVXRoaeRN8/n
avrVsIZJQhoDz8SAWjWSzPVfYs3rgYEDhaQ+SbB7TWz/rca6OBk2oy15ax8mJB/Qjja0SyLtfFC7
2iiZNrN1zW29sGSVyk5JuMVcHW1f+9z/MLe5SbLuYmOFHG90x5jF/WKStvXL+F72b9bd7mmr29rX
bre7B061hGRXtHFFa4xdLN1aI8Zn/Ab4uf9tEmlvu9sYX4owLNISZGu3u2ndcXVFvW+Jp9vkJ/8/
ucXRLXCCuxzTZWY4g0E78khF/CT+tna/Ad7yl/v82zEH+cKHHmAJ3bziOue5yauN8pOo4Oevxuy8
VXvm1M5c6HR1+GEgjnKKp5zdSkd6PDNO9rl0HM2frbpMURrmcbdG4NgGu9iPDnV3N9vtPdG6YZpt
lLL7HU03wXvdB3/AWwueJ3ovDN/z/vfGr4XwkI+85CdP+cpb/vIn4Qc/wKJ56XX+MJ9XSegx7/Ea
k2/0/9C86kWv+s1n3vWsR8noO9961Juk9kLBPUl0v/vQ2773td/8738ve9j7HvYysf3xMa/Zw28v
+Kk3PvJ7X5LZEz/6KbE+9qlf/OpPfyfLXz7/9mn//e57Xyfi3/5MlI/860OewGZ2Kdqd/5vW3176
5le//WOf//Hj//UA+HkCuH+8F3viR37qtxLWt3/bx4D3B3yuN4CrB4ERWIHcd4FQJ3UxtlYwRmNh
9hrwpBAOmH7nx30ImH3ll4AnmIAY6H/UF37ud34HKHwT2BILaII02IINOIEr2IM5SILY53gdAXTy
51Yd2HwkJzI1qH/fB4M6+IQqSIMOWIIlSID4F4M4SIW4t4T9N4Ms2H32N4AyeIVLiHpYCHVnZYRW
x2X0Zx1WSIX3F4bQ138POIY2OH0SWIFbmILe939fKIcK2H7/l4esR4jRt4eICIB1aHlpKGxr/0hu
xzMP8/CCOQiFcPiFUKh9MWiGemiBish/WoiHP8iH2peFixiHnaiD7LeJfGh3BpdZ6nSEM5ZmkmJq
kniL8zBJCOiFn3iJvliFnsgSJJh+K0iHTBiAlYiCiyiGYlh8huiElHiMDyiE2vNRsKiGXJaN+kYd
kliINch7xzd8pDiOQOiNooiKweiMVsiF4SiMggiMEBiIpwiOb7iDp/hzixdJpgYamFgUZ3hGn0eN
SbE9IZgQwXeQCJmQCrmQDNmQDvmQEBmREjmRFFmRCSmQrcNI+zgSZfGPSjR6GHkUIpN4jROSJmkm
I5mPqxVEuXCSMcR8MOlHbcgaSRiTNhl4pf8HXTWpkzn5EzOpStB1k0JpE3j3kz95djwxfztpE6k2
lD6nbMi2ZQtGb454bwZ2ldpYlOjUUlvplF45dgjRk0hYY1NpelRJUyLXZeD2QPA0VsIGlGAZEjrg
knS5SPNWUx8IcqSWaUfYYliHErUGbiFlTo5XAHU5GVVAEDBHlXpplUBXlWTFgWkplUtJhGz4lU5p
PADWgQb2mB64hn7piCrhcCb1lnF5mKhZGXmplwi2jVPHmmsJVzXXcNRTmjZFmKmZm5GxdtZYhPnm
mTYWmZCJlTaWdXODdnCpm8pJQ19xlEiJFZWJmcynkjThnM/JlLVZPsu5nT0iFNZpWuyEnbP/VhPc
WZ5xIZ3oaWzjSZDUuXXm6ZLpGZ/AMQMH9J2hYZtBKZ9chJxWMVqSuZThZpSmGWrBZpsHFp36uUDH
1mXQeaBrCaA7qWwLYYQ7UWDfBpf5uZLvqZubSVqRaZVlRpzBuV1ZaW/1BqK0eJoGQaEfV1oWeptw
yYExGqNmFVcquqGH2aE2uqPw95dj1pmiiZZFV5Y31UgvKqPpNJgw2pUyyqRAaaFJiqMmCZyv2ZeS
SXNq6aDa1YgPyqBl2WhKiqRveY0pBaMG2pVKiqEJSh0wIBoaKJpEl3ZglqVnKZxrB5pdimPayY9u
eZkUCou32aRnaqMyKqUhSaWfKaevmaiQ/6h2oflxjYqgQfmiS/qkXDmYgjqjgVqpa/pps+aXdkp1
aSlzcNpZCBebU0mkB9ZKTWqpA1qpfcpZMwqlt2moGOkSaDani8qbs7ijtHiVeNqY/5miowaZanqs
2phwmipjaNqsnSpB7ZlJ0cqpWqERGWCrdcRDkvqsaTStKbmeREkW2EqN3LpCdEBs3go9JCk348pt
/7OuxdOugxQp9lmuQ4lZ39Uae8mgjDdrH/CvAFsS/5oVADuw5CmvHpGYMrSaqLGv76QQBksSBhux
VjGxH3CwCAtIwMl2ZCaieMmxPOqbaCmyIYpgwLqrL0GxAluwLCuxBeuyLwuzAXsSFuuyK//7DzVr
rwQ0m1fHqB/amsLZoz3biDMmtAzbEip7szgbsUx7sTM7sE2LEjkbtTmrswDkcY86i2oXYJxpdV1r
eqH5tTvBshdrs0trElRbtmcbtTTbsmdrtjFrtVeLpx8Lp1xbb0KnUl67t5dZtKNKrDkxtWr7tmur
tlBruINrtoWrtHErt/6Tqtdot1s7uY/ot1hKql97tIFbtlVLuId7s2yLtojruZw7s477uHQap1qL
t3druUNnp3qauV6KoBQruKILuqNrsYlLum9rukl7ukLBFfR6pbzKq7nKupQbuyG6vMVJnG0nqWQr
uqYrs6XLuG4rvb57vb8LvJQErvADr0H/sb00EbEZK0nvmq44Ib4yQbHle07q6b1Ecb2bq6HtK0bc
e7849AX4u780Ub/++78AHMACPMAEXMAG7Hf8m8AKvMA5dMAOXEQMHMEg+MAUXMEWfMEY/L/xIIQS
3MEe/MEgHMKalsEkbEEifMLTU8IqvMIs3MIu/MLbgsIyvHcwXMMErA42nMM6vMM8vBbY0MNAHMRC
PMREXMRGfMRInMRKDESgsMRODJ8zvBOSEMVUXMVWfMVYnMUKpBDa0MVerA0l8cVhLMYnAcYp8cVm
/A9oDMZpTBJrbBJtrMZk/MZy7MUoQcZ13MVjjMdqDMd+bMd6HMZ7HMdy/Mdo3MeCnMiH/wyYT5w+
ifzIiNzGcUzIbuzHiGzJkFzGmFzJhDzJmlzJlxzJKyHJj2zGgQzKpAzHpNzJm8zGn0y/jbw8kMzK
qczJZ2zJrLzJf5zJoKzLd6zIuKwSrozKwZzGwzzKl3zMpZzMofzJsVw1L1HLgizNyjzLvZzJlNzH
xnzLryzMwPzNv7zNnqzN09wSx1zNzCzOyKwVl6DFpyHNnMzH21zGePzGk7zI85zHpozPfOzGc1zP
+KzIuWzKtswSBK3NAU3OydzP7jwwPgPPCj3OzSzKvCzRmJzN6PzLrUzR17zMCg3OrmzMp9zLIX3L
6szNsPzMj2PNmpzP+qzRzNzNE/3SJv/tEhZ9zrxM0wdNzLZs0ek80ziN0Yys0rLc0al81DKN1EkN
0wVdzku90UqtyzjN0/58zTed0UFt1IlM1MxT0Xas1T7tyfYsxvb8yfz8z1+tyl8t1ocs1oaszKe8
yLPMxnJ91WmNyFxtKw291/16EGv814Ad2II92IRd2IZ92Iid2Iq92Iy9xnnNOoTXbR6Ao3xd2ZZ9
2dX62IqUCZrd2QvQ2aBdwpg92rIW2qZ92qid2qptERXEnJXHA6SNq+E5Ghn3Cau9FyIlF7G9pvm6
277d22Vx20Pc2lPh28Z93MjtG6SQ3JUn3M49Ecy928893Q8R3dYNN2Bw3dq93dzNRXb/0NDUHd7i
/UNWMN50FAfmnd66wQDq3d4U3N2V7d5PvAYbAd/2fd/4nd9eib76LSGEVHfb6pP1Sq+Dx996O6LJ
mqbD6V1sd6ygieDOSqI/KmNR2duhiqYWLpXI+hKUiW9gRRT/GeITHnRnN5MAWuL1ypa61nHFCqtq
yqIfRa3NGqtPmqlheqkYauOASq2npakOfqE18afixuPemaQ3fuSYquBDruRBjmkszuQVipvZGmq4
SuStupWiduUbLuS0Oqav6qqXuuNAHqs0vuSmSeKzHeERTnImWqNu3uM4LqZeHudAvqlhWqbe1aKy
SqkvjuAe6ucMNuAptJdW7uJZTuQ4/26pXW7nTF7mSA7lZ47hai7jpSnnznqgiZ6fSEq8NWrmlp7k
dB7jc46sDz7jaSfpLm7qSbrpMp5Eba6lZr7mxYvqsQ5m9IaXs8qVMA7qYd7hH+6kWI7inU7jjj7i
flrlqj6gfL6kn06jKCrqjC7rLNrslQ6eRg7mwc7rG75C+UjojQ7saXppWq7mQq7ouv7l2U6o247o
tMrmS+6h91blYi7q1B7uGdrs5G7qGartJTvtuG6msj7j/47tZa7iuSbbyE7qtD7rrzrvSk7m6a7t
0h7pk87uSe7uYV7xGh/x6/7oBW/vnh7tW67vsU7wyQ7wX17tyv7t/H7pUo5IT57wff+u77ue6g3v
8pyO8jav45m+4zn/8O9+8i4v8jOv8xxPqQ3G5/gJ7iaf70g+UzRH8di+8Aq+9MQu9Mm54j1Bpsv+
8bV+vJ3O7x0bnGNv7B/67D8q8BAO5QY6srd+shKu7GXK7I0ushNu7MWb9OFJVrK55vD+4yNvpmgv
f6b139y9rYceFgG+8f3t6m6XhGnen1He+MC7+IzPRfxN+Vscw5rf+Z7/lZlfQJaPPKNPG6WflEUx
QNAM4pHfn/w55rLd+qm/mJA+asA9+dZenbLv40S5+6jf8b4K7TLP4bdf+7+fFXkUrwdBDTF/714x
+pDf6iBO+8Df/KfP9tJ/88IfeNn/j/sc3uLfX53Zf/1ciRRZEBgI7/xx7+FB9+fozpuZmqvaD6kj
W/Y3xvd7f+7Ojp9dz+x4DhAAAPwjKFBgwX8HDQ4kmLBhw4ERDz50SDFiwokVLxqEyNEixY4ZPTqc
KNLjQo0jISIcufDiSowMXWKsWBMhzJgMU5rkGVLnTHtBhQ4lWtToUaRJlS5lmpQgL5BRpWZ8+PPm
1ZU6sUrEiXWrTZk3rVYlC7bmS68kx3bEqZVlVrJr3WoNm9UqXZpd03L16lYtzLAizZb9CFeszMBl
70o9bPit47qC+yqmjPfjYsc2GW/m3NnzZ9Chp3JECZJqzrp7NeO17FNhXMpnNaPu/4r262XCt6eK
Hbxx9syvrGHnVt26eGzbyQsvJ2m6be/Mzs0Kj64Rt8XS0I0/rj1Y9Hfw4cVTdOr5dHDgM+cOn8xc
uXXugKumL0mfNPHtyzemb+43NWrlqNPrN++Ok685u7JLqzfJZHMpNdukExDBw8Zaz7+t+HuwoNJO
Uo+spkIUcUQSS1yqs/O6wzC6CddzDzoHpZONsQinw484/SiErUa5ZNQxwhXZW805yxKrDscC4YtR
xhpji++9Ay9kckAddYvvKxOz1HJLLu3hzK8XBXwtNyhV4/CsyJAskr0A2dqutSBpgpPKNTNrU00n
CTyQtx+TtBGyqzDjs8rCxERrTP/44uxOOzYP/ZOmLiOVdMvxvszu0jE7PAk/+3ZSsqSoXMT0p5Ze
m+u+59xDjKq1bsyJw1JBxc60ltSsNUoGU3wVVlJ7rJCulxSMKVdPV51P0fYu5TUkT5eFdbZKo5V2
WmqrtRbJzcC8dltuzev2W3DDFZfGccs191x00w01NG3VdVe0dt+Vd95u46X3Xnz/KS/fae1ljl+A
qQx4YIJ3K1jfSRNWeGGGG3b4YYgjDrEEiSu2+GKMM9bY4oM79tjjEj4WeWSSSwZpY5RTVnlloyhm
+WWYY5Z5ZpprtvlmLV3GeWeee/b5RJODFrrckIc2+mikk1Z66YGLZvppqKOWemr/qkFyumqssxb5
Z667Xllnr8MWe+yKtTb7bLQ/QyVttkMj+22ksoF7brrrtrvhtvPWe2++2777b8ADF3zwu/s2/HDE
E2c7C8Ubd/xxyCOXfHLKKw+XcMwzP0ogzTv3HG/LQzfXX9FLN/10tHVFfXXWW3+adNdNxoHtz2vv
HADbc9edqdh7j1Z13/eGPXjiTR6++KmFJXh35pt3/nmkDIJ+euqrtz5l6b1GfnvuDVe+e/DDF/87
4IuPxdphxk/7EvXbd/99+C2/fn7667d/0vjz139//vv3P/T7BVCAAySgUCgSgv8lUIELZGADHXiw
fT1wbwWkYOEkyLcKZvBnmwFH/wc9+MGHfBAcIRRhVDzIGRA2pIQcXKEKU+jCDhIkhhSZoQxbKJUb
ivCEOqwhCXk4wh7a8B8/ZOEJhzhCGiLRhkpcIhKDeEQhXjB/EXyiEY/oRCVW8Ykg6WENt3hFEi4R
hmEUIxmtCEUTenGGW/wiY4KoRTR2xooxhOMYk2hHF0ZRg3vc2WfqmMc4vhGITEwjIOVISDIaMpBn
XCMi3UjIRhYyNILk4iD96Mg/0hGSWWQkFh+yNimqj4qbLKQa79jGKMaRhY+U5CJdico7VlKVivQM
JU/pSFm20pCajCUUTYlGPgaza4lMZRh/mUdYdhGXxOxlIk35zGXm8pY6vOINdf9ZTWoSUZpJ1KYv
SSnEX85QmOPsGTPZaMlZehOFm2yjGneISU4CMpLuPGcp4SkaWxozmrTkJzR7GUk0ipOczksD4cx5
T2u6kpXX7Cc6/xlPcDqUn+lU5zZr+U19XhSHiASoKo/JS2AOVKQou2QzkelJH76QoROFYz1TqUyQ
MrOYJ13pKmUaU5taNKDU3CUTUwjLUHJvlBbtqDInelSKzrKjxTxmNWf6RVu6FDT5pKlGdVpUn0K0
iScbaVdhdlN3MhWlSP3oMjtZRjD2lJtoTeocl4rUjZq0ooeMZ0sx2tS0CnSPnfBqzWTaxKzeUq5b
BSxdz4hNbo5VkTx95Fl1uk7/uWqSsWk0ol1j+VOOorSvm41YUD1rtipwRhyfJW1pTXta1KZWtatl
bfv60FrYxla2s6Vt3yJY29hy1mfrbGQ3iWlUp6YTqJMtbGKx6NuUslWMhwUjETOJWeIClpMqhSFM
VwhdHlYXl3bNJil/KFWPDrK73XXmPt/VAAaCt5UvLOtjH4pHt9ISqIu0bnC3es5v+vOQ8tRqWvNq
1nu+t5Le3W5/ZypN9kqUpf2dL265epQDJ9WMlQ3sgYdb4ajuc770TK5KQYjfwKo3rlUN72UBfM0N
nxWqBpYwfwEq4p3GUrdvi/CFCQtc4ZrXqPVMpnlf6UlezlPBESXxX7cZU7wS/3nEJk3xj1kJYxO/
OMCClfGMx1ZjHR9XsUm2cZH5m9OcgjTI6BwzecOZ2eiWuL2y7KaIbQzNyTI3wlFGqXOzS109Wlls
WN6vkMvr3j9TlMOADjRmd+rnXGI1yeutc4WpvFIQLxTRGy1wn4Gs2AW7VM97FrSPsStgI6d00X+E
q1qDK2YKd9rLMTYsPTGa0SWHuq11HbIPY91YLS/Ynrnc9M32S+jqEtbUsubzY6m6UIXOVb/NxPNc
wfxlXbdzyrcWK04fTewbx9fYmG6wgyc5bVwL+6WZ/TVRK43tZF8b1syWs7Wpne4MI5vY4P3wuXN8
0d6yWNVz9jZoygPlteJx3P/AnvV0Bz5YBFd6xfse45mtym74vvWv+Vy4rSt+b7rautgQz3OvacZb
cj9cqRQuYXYJbc2EtjjbcV24nROd4DSr17qOTuxVm21h8Zb81SpfbFbHq3MT91voQyf6tG5bdNN6
fJhIT63Sa5YDCDO96U6PmdStfnWsZ121R9f6BZsSAaqrDMfh9bnJi0tq7ebQwymXc9rr3exOqj3N
2gUrZQcs6rqbXeM4Z+jMDxru5Eq33i8HZNi/iuwE7z2yyy61Fg2ebuXKG/L+JTu/A/7fnYsbunY8
LE47T9UV5zesIx+xw5kc8kV3nSBjcPGWa412vj+b9JB3N4oNjGTRl3TCYw//du8zvONXW1vivY8i
xfW9a/lmHqtM74VUnJJvsTJ8zrA/PfJJ3+RAk9iy5c7oqMlsSR471N2MZ7X1a798jfL+2OXXq+FV
BtlThxjcode77c1PYJHTXvzkRi6fcY/8Mds18nOymnsyWpOk1GMzmhs5bUpA1asqz3u9zIs9yQs/
vsM+aFu37YM/Khs+6HM2CLy0hJM+BBTBEWywpTq2OnJApPs3knM0tLu4xptAyXou7kMsAdtA2VM2
CVw5CySyFWSxHqMpqaq9EUy+xTs492MZw9K86Fo/Cry1HxSklKs+BjQ0dXu3CCzCA1TADkO9J9Sw
smM4I/ytBVw/9HvAIsq1/2FrqL4TQ3M7ODmsQAaDqHjLvxRst3O7w/u6KyGEQ9/bubb7OySsO/dJ
gZJxQZ8rxIbqwnlDM87DsAkkxOLDv0i8pMejwprqrUu0uEWcvRkMOLdiJw6csDgMuo5bwo+LPkac
Pix8REpTPwUbwr+jJL3rP7xzQ/fyOze8RUEERDPUQzFsIbhTvrFqP1WUGTUMpWRMmWV8RtLiOmhM
oGYkqWm8RmzMRm3cRm7sRm+0nFn4RnEcR3IsR3MknmpMR3VcR3ZsR3d8R3iMR3mcR3qsR3u8R3jM
AnzcR37sxxE5R4AMSIEcSIIsyP/xR4RMyJUxSIbcluMJSGJoyMN5SJNRSP+L9CrcuUiN3EiGyUjB
kUiQDEmR7JZ1qC2OPEmU7JKRXEmWLJhOaEmYjEmZVMMDmMnVSUmczEkRsUmexBqd/EmgRBmwCUqi
DLuePMp06QZxkcZ0WRhtKEqohJlu6AaJQUqrBJepNBemzJZtiUqvJJE1uB9l4UofAY+vPEtyahWy
tBa0bMsukQTMWUsE8ZBgARXS6JXHoMir3Esf8Y1FgYs0uQu15EvCBA3haJCd8MvAQAm9LEzHDA43
YZO5vJLGfMzCtBAhcZRg4Y4ysUzPpBXBiJXEnMxmyY/PPE3UTM1z2crVdEvXnB/VjE3ZnE20Yc3y
oZfGrEx2UZfXJEqVEBj/8BhM8pkR4CTOBRmPJvmMdvGX3gxKaHnO4LwW4SSX47SWytTN5gTK0RwW
7twPvujOTKmP0wjMYemQXWEW8+ROZilPvKwSunSW91SLnsjOi/ySQCFOvkgTyRSUOvHLGGmVHmkS
zPiP/iATQAET/0xO2owdCMHPGYkMVKEQRwHMAr3PCb3PtziPD0mU+zAO/gSLDrWLBUWeBg1QXPnQ
D6XQBKVQ3eDPN+GNxfDQA32OC73NEW0cpyhRGj3RGeXMHJFQFvUOQRHSRPlPA/VREwVQhKFPnIzQ
5JCVIt2V8GxQwoBQI+0LzVTP9dRPxlwN8cRQ8VxRj2BSf5wDoIEth9mD/y4JBjINJtlqU4S8UTmd
Uzo9mrqsF2z5l6FRUOoczjqNnKTwT24xzb4Uj+W0zt3wlwutTuMMF9KB04ESVIfMU0rdTYOhFm3h
0yq1VOh0F0glp2N5lgqFUCNREGMR1cQYlVORiFONz7vcUlfVFfK8S7v8TVptT/TEVbpcTJ4YiE8d
p01lCS69DCpFUhbNUitBUAclT2Nl1CKtUSBNlWjlk0UFUmR1iF8VpmC11rl0UhU5UBStDQB10i61
jg2V0HjxjRXN0L8UTJUITE1BFDFdiWx1U2nN0nnF0GYd1SX5DWhVS2bd0flI1AJN0nY9kmfNkRgF
lHoNIOUUWDAFFMhs1v98hZZ/FVgj4VY9TZWLVVILXZSMvdaK1c0/3YyIBBdg+Q+5iNDzbJbujMxf
CdUzkdJWpVYoRQwtnZKUuFIvfdDxtNlewVfA+E294QeDZE2SIVkSXdKGLZFNaB6kIVr9GdOmzSCJ
rFo+ulqs1aBQUdp3kVWzsdFv8dWtrR9OPRZFLc6uXRWxNZNOxY62XZfp9FO5JJOeENXoLNmBOTpk
qVvD1IvjCRLY8Vq1zVu/zYt+rda/LVurjc+96AlU2dU+RRP/+NJcvdsBEc2FZVWXtVXIHU/L3VYX
Adww9QmmXRhfYFyyWUsBvVkiTdF/iZMh1ddq3ZQnEVGNJZTrcNvk9BX/xP3d3Z1QetBbfglUhBVW
lg1Xt80QVqmOAP0e+USUxHUQxkTQ5J2STEXb2IVbkT1d1Q2g2d3dFp1eHPHdfr3Xt3XPTVXeWYFY
PdFdi91eiHWU7y2g8N3P9ZXY5fVYQjHR47zW6YXd1y1fhF0RAWZfsq1fAXpZ7l1P8CxNcbVd05VZ
6/XZVdXV0rWQujxV7X1gCl5btnBgoi3X0VTg6iFeFE5hFb4WpIVJE7Ydvnzhn+GAphAGpSgZsIUa
wnXIHSYPGfaclr3Uh3zXCZ5cfUURqf3bua2UHv5b+1wXEf5ZH/5hzQnc8NBgaYXibX3ifnHUdElb
WpnfEH4IKragS41i/85t1SR2UCzlYPbE3MfFy80tT7z1XCq9VVjtVbxF45x1XPStjBWWFwmGku4t
VGdxX9pt1EF+3ZA9X45VEkUOYIHpTEf+47wg0EBWF1aVXgQuS/MN3+dN4k0m5ACuXtBskDl5FRQV
FhJ+397t4ASJ20ye1NGV5PYQ3fz9UfgVkgHe14Glk4Pt5Oy9XYU9Y8CtVL55BoAE4E4G5iMGZTGW
Wzvp0WklUtL82H1d1CEV3Oc04IOFHyWQrVGBVQhmXstVHgkeWA2+YD5W5aEtTQ11XTqO2XV2Y/is
D7hdkFKR2Sz+TEaQySae5YpEithaY48pY7sRaIX23qGIYYSmm7NFzv+NTV/zGOalLVx6gQds5IRE
jJ5WzhZRFl9n9RZdHmkmXhrSIdTveGh7yAC4QRGMbtRbnuiIlmmURWmSNumFxs0itlVwtctnGWf3
DN03JtXhkFxUlU/kqGPQVeP8FM3zjFUONtVFpmCDRp4OmLqo899e5lZSFsxi1mVJnVlhxmT9PJI5
CdjuzV6uTutJlg2WNqhlpWrX3dxQll5sxuXvbAsSLuQdGU0NzeVGPte97uu+DlYe8da4HpxEtui8
TlAAdmXJ5sxUFuPBVFf8lNG89OXMJt8sxszRpd/FDpzG/svH7hP2ReRlPVJbruZHTlbBzmbj9Gtt
7ufpHW3SZmOfbmD/8+RcC9ZnKFVnwJRiVIVqYBFrWgXNpDZX406QCQ5dujbNw8ZtwJmcgMZTftFL
mZkH6lZJybnuQQUY7e5u7dlp8z5vvW1hI65pnabogpFlmkZULeZlw7QX8ua0K57vyQXY9X5YLs5v
Lrbi9j5p/b4S/+aM+/a1SS3LM17i+D7cB4fp/+ZU8GZwfXbvCFcfJmAtdy1VWZHqIi5qdm1ZofbO
2c6UCrlnbTaVoV3VqJZnqQ7aBn7ZmnVjV8Vw9BZi6s1rH+3x0pbnI/4LNo7Y3IVWy/7mIu9mz5bk
C8Hkuc5xAi/ycjVsb0VfIwfTKqdMFaWNbR4SGOWVyl7rlPVrJl8W/1LR2V2GcjKOHmqWEh9/5h39
5Dbn5TkO7UeJWCdfbR+X1yUP18hu3rxOcK9p5gqd1tr+WDmXbQJ+7dzlXUvW82pe62DecgMP85oQ
dL8CaT5P2Zi9ZD0W7hE/5BfnZOEE8qpGzER2YJjt3OQ28xZnZxp39T0G0TxX8zWPOjsF8LGNHUxf
xeTRdey2dWGf8WG3LYJunV53zpx2YnHJ4WJXQx6RZtaV6JLGccN9dgdy7AcnXG4eHWyfIoKecoVg
8U220CkV9eLm9PQkYqduTxO/9WSHnoX4m2kn5MGec/6NdkTv2tMGa2v/9kF9kKummhj1XUlXdB7/
ccE9bAEG+HIBjv/EcVFIP/hId975rex+j2mHDx7jvd22bu1D71/3tXRCr4h4R0t33ucOf+4NDvJ0
XvV3j+BDTmdZOfmz9J5KsfmvxPnx0Hmf/3mgD3qhH3qiL3qjP3qkR/mNX3qmP9qkf3qOaXqpn/py
hPqYgQWrz3qJCUut73qvJwqqn0YrmMkVCHuzX3obkBr0Ovtl/Hq39262t8y3n/ssiXvPpHu8/0e7
F2elyfuG9cjV3fuCFvzLJHzCrHB0KUoi8PstAXz8NvzVQnzIF0fJn3zzZnzMP3bL33zO73zPdxcX
+HzRH32ty3zTP33ULwrSl8nUP/3Vj8nWj/0ydnzZn3var/2vv31H3H8Ylqz814f2349r3d994i/+
nfx95E9+5V9+5m9+539+6E98459+6rf56JcaB7h+7ZeW6t9Hb+h+8A9/8R9/8g+K7R/IgAAAOwAA==
------=_NextPart_000_0003_01C70BFC.87A9BA20--
Received: from [218.62.88.56] ([218.62.88.56]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAIJrDeM079051 for <ietf-pkix-archive@imc.org>; Sat, 18 Nov 2006 12:53:15 -0700 (MST) (envelope-from where@paroma.com)
Message-ID: <000701c70b4b$2c34d0a0$00000000@vs>
From: "Stream Learn" <where@paroma.com>
To: ietf-pkix-archive@imc.org
Subject: member book
Date: Sun, 19 Nov 2006 03:53:09 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0003_01C70B8E.3A4C29C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0003_01C70B8E.3A4C29C0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0004_01C70B8E.3A4C29C0"
------=_NextPart_001_0004_01C70B8E.3A4C29C0
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
Stocks Quotes in attachement
Countdown Image of Hosting Zwinkys Basic.
Disabled Doorframe Added June Song Need Eelsong came!
Corshacom Timer a enter or counting down eg?
Important in usfrom Sucksfrom Comcastic Pyramid guy a sleepfrom in =
Newsmaker is Didnt am.
Editorial Card catalog am Discusses cocaine.
Start Topic Prompts a signin or Guidelines General forums.
------=_NextPart_001_0004_01C70B8E.3A4C29C0
Content-Type: text/html;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Stocks Quotes in =
attachement<BR><BR>Countdown Image=20
of Hosting Zwinkys Basic.<BR>Disabled Doorframe Added June Song Need =
Eelsong=20
came!<BR>Corshacom Timer a enter or counting down eg?<BR>Important in =
usfrom=20
Sucksfrom Comcastic Pyramid guy a sleepfrom in Newsmaker is Didnt=20
am.<BR>Editorial Card catalog am Discusses cocaine.<BR>Start Topic =
Prompts a=20
signin or Guidelines General forums.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0004_01C70B8E.3A4C29C0--
------=_NextPart_000_0003_01C70B8E.3A4C29C0
Content-Type: image/gif;
name="readerman.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="readerman.gif"
R0lGODlhIAI4Aof2AAEAAIIKAQN1AIx2Ag0AiIUAiwCFdcC3xsXQwZ/M5TktAGkSAo0kAZceB7Er
Cd4mBwBNDRtCCjYxAFpKAHgxAK5KAMI6AOxCAABnDBxmAEdhDGRmAHFjAqFjALxSAN1mCwZ+BxN5
ADZyDmp4AHZ0CZyACrqOBOp4AACYABicBDKoAWGTAHqmAKyZDLqVAOeoBgDJACaxBz66AFnCAHXG
AK7GAMe2ANjDCgDqBRzVADnVAF/RB3XsBpHbDcXhC9zpDAAAPx0AMTIBQWQISnsASJ4ANrEAQdQL
MQArSxohN0YTRWIgQ4oWNpgsN7sSPegiQA5JRhQ0PTZFNGlDTHZBQ5lBNcc/Mtc2TAdgTihgP0la
OmluO3lVAJFWQLlVRd5qOQ5yQyKJST5zRmCAPImCP5J1MruGTOyCQwakQBmRSD+URmiVPX+uSK6p
OMieP9KZMgqxSiu4QUbJMlHOSo21Qay5OMy7Sey4PgDmRhLiRUzmQGPUPnLXMp/iO7rqO+znTA0L
dSUAdjkAjm0AgnQMh6UAe7wLgdkAdwAffSUteUYhgmYigosgg6gtjccsdNQUhAo2fiA8fUw3e1Yz
c30zjJtJd8Azfe48gAdpcxdeeDRfeGNlg4VhdJpgeblXf9JhcQ59jBN4ikyEeWODdHF2g5d0hrF6
jeqKcQuidCSmg0icdGiYgH2mcZenfsSjhd+djgDMcSS5iDe9jG7DeoXOf53NfMKxfd7GjADdghLY
fjPUgVvogHTTh5nberHgjNXcdwwJwhcAtD0AzWMMuH0Asq4Awc4Hu+YAsgAewhEryTQTtVMexHUS
yaURtrcazeYhtgNCyxE8zUZGtFlEy3FAsps/yLFGtO5OvAJZsytev0RevlJbzHFZyZFrx8Rjxd9d
wgBzxCR9xjp8ylR4yoGOt6NzssiOwuB2twqnsxWYyTmevGCZxYmfvqOUycChyNuuxAC3tiDIxjK7
x1jBx425wKi1uP//8KWfpo6Dhv8EAgH/DP/0CQkA//AA9QXx8f3//yH5BAAH5YkALAAAAAAgAjgC
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuD
/2LKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evYMOK
HUu2rNmzaNOqXVsVEtu3cOPKnUu3rt27ePOSfcm3r9+/gAMLHky4sOHDiBMrXsy4sePHkCNLnky5
MkO9mDNr3sy5807LoEOLHk26dEHPqGWa+AcgtevXsGPLjgqg9ezbuHMLNc27t+/fwIMLH068uHHB
gI4rX868ufPn0KNLZ/xgpdGCAQIgzg6R+2HvDsEX/xbPkPxg8brTd7XnvX329/DhD4xPnr55gfIJ
usev/eB+9vbRN5+A+tmHUH4D8qegf/25FyCCBhZIoEEILvgfhQ1m+OB7A8aHXYQY1pchf+qVmBWA
G27IH4goTihhfx2y+GKKET44Y4UxfhjggTTa2KKHMQKpI4wryhhkj/n5WKSQLw5Jn4mclXPWkSGG
CCOE4OHYIoNaWmkeh0PmuKKYTXpJJI9aglnmlmMWaSWXaibkYptrYnllnG6aKRCUfE71IZpVStih
oDfy2N2Zg+qoKJ0oOonoguE92uiiiU7K6I+S3idnpl+KeCeReM6Z4EB9loqTRqKGeh+YcaqaJpNo
4v9p6aVttuqprKLqSSmtk9p6Zqqwwtnpr6s6SCiVjk6nLKlFYVqhq1zSiaOLKgrLJLSBqjnttUo6
+qyn0Vq67bc7Wkvurolq66qv9pnqLk0Y/Scetot222uWIwJoqL78XirrvTKyiq+FnBJ8LK8CB2ys
wf3+ye+84GZbbroDPyzpshhHpCm9hBoJMIOHAnowxcF+jGHI4Vbaca4Jg/zQxhHXy/LCDmdsc0gc
k8zmjZpulHOt3L2aK0c/fyx0yUTHvLJ2R3d589M4K63zrM7+67PUQGvordWoYm3yukN3TeyjLVNd
LdRoR40oveqCCvHFGeEac9sHcx33sJTSrbLd8eL/fazejPKdNnPXRbp225/+/bZIcuPruOJuw933
4Y4nXqmvjA/7qeXSLr7Qu6D/Y9K/3bK78+kdkT7xrPKRK7lFqrNouutqm+u5m7Q/tA5gqAxemdUK
jy107eaia6TgFQE/J9h+f6Q8rMxT7ruyhU9v/Wih5xSBUFyUeP33oWUvflDgl0/Z+Oj3ZP76kKXv
/vvwxy//ZtOdwP79+JMGTv789+//Q/MLIFaEIcACPuV/CEwgRIDxPwM68IEQjKAEJ0jBClrwghjM
oAY3yMEOevCDV9kDCEdIQhL6o4QoTKEKQZeGFbrwhe9qIQxnSMP0yLCGOMyha26owx76UC88pIsC
/ymziiH6Lw1GTKISE4jEJTrxietromAOcJkfWtGHQbyiFrcYQSh68YtgDKMYx1gZLprxjGhMoxrX
yMY2uvGNcMwhGeeoHEfQ8Y54zOPTFKHHPvrxj4AMpCAHSchCGvKQiCRM9ZalE4LkJJE242AkH8ms
m0AyY++75BIFIADfcXJ6hauNKA0zSoHUZiSNrKRNOMlKVg6klZ0UCCxjSZBPImSWn8TlK1spS1ra
I5e2/CUtYbnLgxCzlrwUJjCPOUuFBPOYyoQmNJHpyl5W05i6tOYzp9nLhUgzmd3ck/swckpTAqAw
pbRHORMTzHAK053tfKc3fRlPeHayncsspjzlWf/PbeqTn7HsJz19icx/xvOgwyQoQMNZz4IgVJ/+
LGhCImpLfCp0kkRZZ0FEuU6OnrOUHj2nOUHqUXOadKMkHWlHOarOlaazpeI8lSpr8s99djOi2pyn
RHfK02UG9J4EBaZDgwrUW/7UIA3FpjuXalGGVPSoNn1oTd+J02gadagL1WcmLaLRgax0pC39qFhF
2lWYprScZWUpTFEK1lGe8qsn5UhTC1pVcF51qjatqU9vStS8PjSpT0XqRQU71bku9a6BjWpfC1tU
pl4Tq3SFKl4xWZSyrnWtaCWrWL0qUoK8tbOZtexnL8vZk2b2spZNZUxtote+NhOig3UsMRuKy6L/
CvWviy0mYH/KTG4aNLeKdWpv7apUxkZzrrR1LTc/udWKiBa0mjXtZqXLUriqla1h1axaT2vWkI7E
sHz1q2SLe9i8OhagQo0sZHXLW6gmlae/XW9wdRre8vZUueK1L25ba8Tnlhaz0f2qgKGr0oOEdroA
li5pSQJeqo73tXctb3LVa9X9wje9DB1vhHcq1fPS18GT5S+FLUrcw2K4wRgdCmoRzN3TDritBI4r
dsMK4OgmGK5rVa09KJnfDMMWvvclL4ZBbE17Sjih8c1qkAmbZOMemb1NNjGS95lYHxuZygPd8TjJ
ed2SKri7XS4pji27Yu2mNMHZ7eyCMyLQazYV/8Wt/WY135zQOm8TnMudrSuzCWEma1OhbU5uMvvc
4V26OcvIHeih7fpeRjaLI2SGSKRVomMej7HRN7Nlc/sy6YZ0WpMvwTTGRD2dRWbk0wtB9UkqLVM6
klo67dw0qGdN61rb+tYlMXVfdAwYS4ckjsBGCqTVnGpir5a1g/E1SIINbC5fVyKqXvNo8kHtalN7
INbOB7azbZBr4xrXRtFotGfMkNQq2y889va2120PdatbIO9mtryF4t8af9bMLh2zSHn9l3Rrm93r
dve/4V3tmc5bjRepd2hpfG+TWjfGpXn3u9utbYETxNrf5p/oJuPdAn95tA6P8bgnI/GBE5ziGP9n
98QzznJom/m/Libww4NT8oJc++Ymp/jJWw5qXR8Y5gGWuciNreVWB8bfF885zndO8JQf/Ok8ETfE
0Qzy7gL9v/xGd6snbnGd77zmUA/7qTou4xaPNZ1eXvGxaZrsrecc5V0/OdjFTveZFDslWd+10X9d
974rZOQZyTtfzu2Rvvs9IYDHiOBfQviOGN6MPI/8rXVdaks3XvIfEfvNWG1JzJtki4DkBz9UInqM
ld4vp0dI6jFPdoMkHjqrt4foZ6/62Y++ILHH/e0JsvrS2z73A/m9R4QvEOIXP/XAl/3vfb973jc/
IcjfffKh/3zlB7/6Lcfx/ZZv/eMbJPrOx77/97/ffOZf/yDg3wj402/+6Z///RRJf/cfkvvei7+P
4Rb6mb2cdmk3hvM2YXvOB3/wF33TB3z2N3/193zm133EZ3y1p4C31373R4DcN34CSH7Hd3ocmIHK
R3sOOIHld3ugx1X651kIFlfadxweKIEaiIGjl3wyOIIuqHs22IEuCIIL0YAh+IEVaIE4aH1BOIA+
6H3rJ30xmIQEOH+BlH/bRWxVp4JEJxkASFM6WINEKIQiGIHoR4MXaINEmIFH2BBDaIDMV4EJCINM
2IVFWIZKaIRXGHulV4LOZWxdFYVp9nq+IYZI2IUCuHzYN4MD6H5r2IGG+Ic/qIPyd308+ILj/9eD
ReiHIniItAeIHwiGS/hH+ed6UJiC/mcZVQgvWoiFXJiJj4iJo6gQcjiJW4iKjviIq5iKbFiArWiK
fDiEmdiCbCh2adWJC6Zv52N5MkWB77eAr5iFL4iLpZiGOXh/xniKo3iANKiGyriBrAiLbxiNfTiA
dEgRvYhd/PdsehgaX2h8ZjiL6Eh+i0h9V8iED+iMFwiBEoiG0wiJuoiM9qeIfKiGpuhHlCcdoWh3
azgShFhIp/c+XkAXPiCQlGV0OQGIEBmREjmRFFmRFnmRGJmRGrmRHNmRF6l5KYZsa8eQK1GQodd8
3eh5KikYNvA0/+gbi4cQjzeTu7GSNllIL//5d1O4GPy2kyNJk0DpFCHlkzIWEUNJlHUok8o2hft2
cCUQlF0xcuNYlB5BZrzWf+UElVr5FKjWceFIlf/FWSQ1lmSJbyelYx/leur0k1sJlQnXfygYlqXF
XQa2kw0nhWpHWlK5lp5lSjf5lxNhavdWdd+YXTqJeCn4Yl9mEFepZqDFlm0JlMNWl0D3hJN2h2Lm
mPr3hKd2YFMJmJInmESnmPZ2mGEZhaQZlzCxlH7Zl0UXmbCZUVNXmTUml5RJm1IHY1eHdazJl14F
mbEZnI8ElyhomWhHlJhZXZ1onJppY2j5bK0pnOqxAhIEEp9ZbkiplHvnm9opnd4Zk96YnVz/RhE9
+TnfeZ7b2ZkhQZwAdHndiZ7wGRNQkxPi2Wvx+UCgmZ/6uZ/82Z/Y+Rtk9Xf+WUjsaZ2jKXX1qWqf
CYVv2WkByp2/OaCCtILreaDN+RAKWp+It1EJF6EI8aAfKqFJtImcOJfKWZYq5Zko9XNplqJUx5xg
qRMMaphr+VYe2pp86Zit+aAgRWOveZ8kVG9gJpanOVaLWZwvx1bHiWZMKm2N9JjcyWI36psgmqM7
SqWo9aNACkJCipqaaaK7qaRuZYeJuaRHmhBPGqE6yqBk2qNqeqUz6pdbikJdWqZIOqZhGpfKmaJl
2pycWUUylZZ8CqGC6pp+qaNWmqNo1Zdz/1pCdaqXXzpjdKmaMQemYjmbYMmYlFSodsihnfqbiMqj
nsqojRpA4xlyuimXpDmpuwlyeGqpM2ebkmaoNaqWtnqoMAenoEqrIpo/oRRme2qbXymFvgiOmUmp
ZkmkTspjy1mlOHqnRCqqilql51SqIzSf7plq1mGt8nNIGtqr4Ho93xqueZSTgwOeiMGtJkKu7Nqu
7vqu20oUonGd5Jmt6aqu6tGgL/UYl4mpIvEBABuwAwGwJRGwBAuv30Oin5gY/cp3OHGwAnGwEPuv
HxCxFQsR+BpA+nacKOqiHHuXLZqHl6qiLUqyrWduD3uxBWGwLHuxLGuxBjuwL7uyLluzMv9rDxJb
sT2BABnLGW8Zpnj4cEa6cHg6YEEnq3RJmEaalxAxsQSRsyoLsQQrsDhbsVKrsjdbtRZ7szmLsABZ
WWmXmnlpdh/HYmbLtEB7thSqqafSslk7sVertVsbtzQbs3Irt3Y7GzjQs0nhpceqmi9atiH3t1ZH
XWdWuIj7afzWtXd7t1MbtVYLuQYRt3Sbt3yLGz+LtkUZq2R7Y2RqqYlrY6GruRjBuHAruZQruTTL
taprt14LHQqbtJ7IuTZGtqs6Xa96uErLtCh7E6e7tY2buqwLs5OLujWrulp6ueKTmyEbsmFbu9Br
uKLrmfgGXbj7p6SbvHbntjJLtd3LuHj/O7NPK77ce7fKexv96bQTob6vSziPZj7oyhHs27RYe75b
Br/2WrquWxETa7+y0b7BUQYAfBH+K0EF8HgDnMB/EQxtV8AO/MAQ7J3KEMEULBUKfMGVV8EavMEc
fK0Y/MEgHMIiPMIkrEgdfMJxUcIq/Bso3MIu/MIwHMNttMI0bBoyfMM4nMM6vMOSVGsUUMMKBKSX
wMMwZBtvkQhE3LO1kcRMzBQAUA9NzK2NQa9ADMBRXMAndMVa7BlV3MVltMVG0QlR7MVkHBnmapNg
jBoDmsZc7J9sHBOnsBdlPMeMYRTacMd4rA0Dkcd7zMcFoccHkceAbA+CrMeDLBCFTBCH/0zIfpzI
jIzHBuHHj3zHfSzJhKzImAzJlLzHlbzIjJzJgnzJnDzKocy2b5wZo5zKonzIi+zJiIzJogzLqvzH
svzKntzKtPzKsbzKCcHKqQzIm6zLvqzIvnzLtWzIuexIpyzHFBEBqmzMw2zLgQzLxlzLmTzLumzN
kUzK1IwQyCzM3TzI39zLsTzOv1zOu5zMdKws0czJ7WzOz5zNs+zKlyzO06zO98zL3DzN9ozL9ezO
CzHO8IzO/UzO67ws7WzLlmzPfyzJidzKpczQkwzMEW3JiNzIDh3RpFzNwCzNCtHR9azR/1zOFn3Q
pFE9CT3S/pzO+izPLu3KEk3L9GzNxf8szzDNzf5c0OIczNmMzDdd0PlscMt8F/Es089c0hJdzdg8
0d7M0tt8zOjs0hcNyS3d0j6NzzrNzwAd1MA51Cn80t28z/Mc1jT91Ft91mMN1cOs1B4d1awM0mDd
x04t0FUd1V6NGdjs0EZd1qDMx6H80Llc0RhN1cRM1bgM2NfszpT81p280p/syOn81oQtynetF2tc
2V9xEYW82Zzd2Z792aAd2qI92qRd2qZ92qgN2Sb9xfLqxpjtFasd2x0q27TdElQs1K/twEvsFLXN
Em9Hri91A46X27ptxFHR239JC4exryJB3Mq721eB3LJ92xjr3OoK3dad3Qck3dzd3bj/FgtkpN3i
Pd7kXd72693o7bDmvd7s7cDp/d7wHd+C0d5NzHOCIN/PQd9MjN/83d/+3dz6TcT/PeDmGeAGfuBb
SuAKvuAMrhAIntsNPkQeFOFBDD8UfuHA/RLMDTXjCkZnXGzPm2+fyomZCazOmpiXOqUel+IMF47M
/ao4Cp0im6hGyZzWO5rWiaQ6PrIrrpNTmaAgTt18WSIWQD7r6RBxSuOEqq0qHqVLLm7P6qxOHuVX
yqG8qqiuiahNvuUC2pc4ruIdDuI3Sq3PWqtlfqsQapQYyuRnPtvn+r6IWW5XXqhO7pNa3uRsiqWd
muS4amBnjpQB+pjI6efTar1oDuZB/06juNukVl7navnlaT7nU75dYHZ2hxroU6rllP6xl55dE+5p
di7pd07naD7ivJqWgv7ojb6rhG7qIWrmsP7qVk7nnLrqiM7kaxqpi0rojj6qtxrqvv7neknlUA6l
Y07sqQ6qiOpBJ3qgsp7mZ6fpGzqypM6ngorpwS7sTDmozZvluurjbkrrkc7jIgvoxN7oxo7uXm6r
Ln6Zqo7oM7qmsw7tXbburN7nERo/JeHu8F7m6b7qru7veg7tSx7s4S7n846rg87uM77h2d7mCY/v
Mb7l6V7tOH7nth7rZhnvYjbvn+qnNnrvsT7uIWnkptnl2j7mMn7sGf/ku7rnGU/q0v+K8m+q8Gzu
7cC+oQHP8CKPpRBf8QT/7hBP8PLe81Ie70Hv87Qq7jP66dOO8Cwfqi0/5QDv8rla80sf9cIu6VFK
5ldupUVf8D1P5RE/8sa+7WQv9fZe5VVPpZwq8+duqJCu5Ey/9tHZE8adr3zRpv8O97w+44qe7flG
7jTK42MKoyva9Sz+9TzKsXVZljfO65Qu92BunDvuos3LlC/lVm1F74FP+YeepCF+9OIZ5icN5xj+
9Z5G8yhh+iTfEPqe+lU5boAu5KwPbbJPx67/+haRCbn/+8Lx4cBPSK9RC/I5/LT2v3S0+9DB/JLh
/OR05F/NEisvEq2H8LXv8EeO5Bj/X+Pa71wf+v0kvvCmX/0a8e8kvvpI7v0Ouv3NsfC83xHMb+5c
/hEJ2v2zWv8TMfelr/pDDxD2BA4kSBCAwYIJFS5UeJBhQocPBUaUaI9iRYsIGV7E2DGjR5AhQf4j
WdLkSZQkKwLgODDiS5YwWbqMObFmxpsaC8acSdHhQZ4vd+rkSVPm0YkWf9YEOtMlxI8fi0YVqpPq
zaZIcWb1CTUr1KFfk+JUqtWqwZxpldo0urSnTacaxZZ9+7Qs3J5A7e69Gtet2bSBa6YkXNjwYcSJ
FZfsGJfoWMhPL3b1O9Ry0q5SIU+Wi1BoZs9Vae7lqBezZ9KXNUv+HPpsVNZ8YWOu//pz7WnZLSnb
ddobtm3cC5dKRk187PDNqoEf/+3VePCMi6WrnJ5Y5E6mOdFix/raNN/vs4OGJ88cOl7RZK2Wbr7+
IfDyZMOjB998t3fnufObLw86cn32ksustY0i66+4zhBsKz3b/Dvvvv+uk3DC6k5qTLfQpgpKPAU5
U6695eZbDT23SKTPQQcv02u800Rcjq66oJsvwA5Vk5E5yjZ8DcTKBNSRQOEMtE+uHjkL0KcfYfyr
RCWbq/BJKKO0UCLHPqRRPQDPujK+EGejSrawwLrRvQJbbEg+MdMTEsII2UNxv9UOLPPDBL/E8DzL
2IyPt/9cTA1OIRUUUkpCp5sQo/+W3IMwxjW1TPM739qjc9Eh2Xrzz/X2VDNQPSsFE0T8+BRVzjZr
rC21AZ8709MYWzVvx1T5XBRSVhM99NaKpLxVR7qMkgqr7nL7sS6mNntRv17hasvXGYvFFLy/HhPz
OGAFO/Y2tHqMMFlQsfy1ymXx8jU5ah0jVru7BjzXNO3Q9ZJDbqNVlsl43yr0Xutw1Xdffm0Nkl+A
AwbYX4ELNvhghBtLeGGGPdK1YYi3nTNiigUmuGKMM8b4Yo0HwvdJCj4+rGOEOf6UZJRXSnlllg82
uWORY5Z5ZpprtvlmnHPWeWeee/b5Z6CDFnpooos2+mikk1a6upabdvppqKOWemr/qqu2+mqss9Z6
a6679vprsMMWe2yyDV76bLTTVnttKE1g+22445Z7brpLCqHuwpLBe++by/b7b8ADF3xwwgs3/HDE
E1d8ccYbd/xxyCOXfHLKp/alcswz13xzzkPCpnPQQxddIb5LN/101FNXfXXWW3f9ddhNH3122mt3
PHbccz/dGN179/134IMXfnjiizf+eORjB6F1JpJ3/nnoe7Z9euq/LqL6hKLXfnvuuy8Me/DDF99q
78s3//wnfUF/ffbbd5/n8eOXf36Y32cbFfvzt59+/vv3X2D9BVCAv3PAAA14QATm738LZGADO5JA
CEZQgkBzYPgCKIoJEqaCG+Rg/wc9+EEQ2u5hIRxd6x6RQaLdChwrZGELCdJCcLwQhgphoURcOJAZ
PgSGMZRhDXvIwxUmJIg4zCFDimiPHQYxiTwsyBKVyEQiIjGJOrzhEGXYwyb60IpRlCIJvZhFIVpR
i0zcokB8SMUrmhGKWOTiGc/YRTWucYhvLCMRyTjHNaoxJGWs4xM74sYY9hGKb9RjHMEIx8Dl44sM
GyEiudjGO4Kxjod0JBoXwsdB3nGLePQIJgtJyT/KMY9+xMgkBRlFT8Yxk4VEIQT5lUpJRvKKk0xj
JS+Zx0fWUoyBjCQtaYhLUoKylKIMoy1/ecti6hGWweTkIr8Iy1nKEpW4rKUxhf9ZzUfuEpHBrIgp
eblDKYLTknac4hKP+UtzKpOY6oSkM7HXSGhO85PyHKcqjahJbmZTlpzcJSHnSc9r2nCd0RwmMimZ
T23CsZmtTOArBxpNfybUoMmkKEB1KU0/nrKiFs1lQbHZRV9+9J8KleY2ewlEarpzg/FkZyWneE+Y
bhSkwMRoJvNpTG/iNKUTHelNzylTPB5RouFEqUqpB89RrnOoQ5VpRzvazFwudYwBdWlRm1pPW/r0
px+F6iZLekOCMBSBDg2jJucJ1ZHq06l2TCMgV/nPMb61rGzV6R4f2tJuavOUyyxpONNq1ArSUqjE
ZKk9VbnTw4qSkFVM6g9DSlT/uYoUq3t96S2nGstDMjaZjwWs5hrZ2cmJVbQjA23lRjvA0qZWtatl
bWtd+1rYxla2s02cJ1r7WdrmVkKnfRKuGJtOUHrVsBqlIljJmdS4VjaLQZ1rRJ8ITuLmELiOxac3
6fjS31b2iFz95gw96USaVvO53i2nXDmr262u9aISZao1L0pXv36ysBQ1rgvrW0PrZvakHiVpVPv5
17oelKaEpWZ7H9vP/TZVqrB9WE4FOlzzNvbB7WwrYs+L4B8SNcPWXaWDJ4xX4VY4psK88HWtaWDE
krSZHhZxGnlbIX2x2KCaVStVxcvLYx44xSbtb0aL6lNm4viqwRUyj4vpSxmX/5jHSC6yZCu84vAe
WcKubXCULUlj+U55xDM9Z0iV3FIf97i79i0yWhPL4iCvdbxglbF7Abrm6xY4xUG1qjnt7E84vhh+
AUYjPyM85Bp72LjqFTCEVfzjKHcVkPyFski1yucMzxjRxeUpMv2cVg6fU8+G8q2Vi4tSvgI6sWrW
MoDfq2EuoxrICW6xQNk86JwyOb1U1WuT5zprdIK6r5i2tZs7W2Vcl1XXhbYxqXE9X2IvuaaQHjRe
sVrIEGO20qZmNn5Tuuph0tnYm13npnXG62wP+9ROVu98kT1uaUt5q81O9YfRnUpZixrN1p4ocT9t
WEjXOHvexhm482rTZBO63P//NTK59Z1uhD81zb72d5bN6t4k7xquWkVxttmY77PKkt+K6bS964lJ
Olt7u6be7sgZjuWETxO6Ei7idLftXxPnGqjs7umY6Y3N8zrSqytfuX7R+3OgB51CURJ60SWy8b4Z
Xen7Rrphlv50qEdd6lMvCG6p/vOm0+zqRs/69w4VbZ3vXLnSLfWZ4yz2/N7zzuw+e9vxfFzuovPW
h427cuGbVU9nPOaEhrVby8ttgRcdw3qf9qI9PvOHo3jHVXXq3uObc7ca0tFnl/zjvwvwi2fcsvpN
/F0p3F8Ss1zipdWVtsOO8TbreKOKTnl6mbrwz7v70JMX+8Tx3W7Nw/vaMQ//NbUtGk+NJrTrGlSh
uIUb8cJb2PPtvjx/s5xuyjpfnu1NdZjVXWv62trMBHX25yHfZOCLPvCCN36H8y5YJ8o+1n19NM7Z
X+bGuhzcsOe+9TGL/UIL0svwDzD1cxzZqkon/wOt0hMybsI2yTq80Pu/mmM4xsO7guOoaas+q+K8
SVM3Mcs+jPM53FOr79M89wM8Vho+lIix5EI325s11Zs8yNJA9Wu2hIq+vGLA7oO2qVq/6RO/Bhwn
+3uvLzu9EORAB9StK4i0+xo5cyu7BcRAkKO5IGzCy+I+2XM2tls2HCQnCIQsBbwxBOzAdQNAlmI9
KiM6Vdu7w0s95Vu9Cow2/87qved7wA9sNVSjtQq0wQ0bqIr7uCicuDl7qPATNe6BA9mJr8r7w+WS
wBW8uD00s0QEweajq+/rvEO8KuaSPJALuzp8wC2zvIe7u2PLRE30Ph4iQZHxryAcuD2kNvRzvA5s
RMa7vMESJ8sCu4YjMlacqcFawk3ExLRTu1dDPiEcIlL8mK0rumE0iWJMRmVcRmZsRmd8RtA5Rmmc
RryBRmv8NWrMRm1Um2vsRnfaRnAMx6PxRnK8jjSQH3FMR3VcR3Zsx9RpmAwoR3mcR3qsR4RxR3zM
R33cR37sR3/8x6ExKhGwR4IsSIM8SIRMyJAASIYESA9SBoWMSImcSIqsSP+LvEiMFJyG3EigkQKc
sQCODEmRHEmSLMnccYbjKQKTXEmWbMmQzEiYjEmZfEaXrMnhm0mczEmdXDqryxib/EnjYRmgHMq9
qZiX2cn+mQV3mop3gRWkfEoAipJN+ZeAIUqrnJtdKY5q+RbaaIpxYReoDMuqk0rU8A8jiRM7qYqr
XEvc2Q1t+ZYVwZGiaAm2rMu0ycrnYBRaAUtvaUqxDEspORVV2Uu0BJKPsEvEVB2mnAtnmUu0vIv2
SEzJHMSUmUzLFJq/zMyv6UnduswI0kzQ3BrOZIupOcodsRif9Myucxe/FImpDAlaOU1yOZkJERGP
sJWLUc2ua0rTfA/UlBj/quzN6xBO4MQI3RwrvNSQ3vCNr/CL5WSX5/SQBkmX7mDKeQkWdNlK55zO
bFGWZNnKrdhOguCA0IyfLhENr3zMvLST+tCM2ESTQGHPO1GPY4nL9sQS27TPvixP7FECsAASAOUP
Z8HPLyGOuERPAsWUFSkNx4yTYjHL9USSt/gM4uTP0DlPVBkV9gyO90QT/WwNBslQ0uwTHDFQMiFQ
BH1PcLFQ8MFQAdHQAA1QaVHRBJ3NPdlQ7oTP+CTMFw1RFh2fASWPSHlM5eTKAv2T4QBRYZFPcMHO
ctFP7wyWXxGXvVzRH70dMjTG82mE40SMK/1SMA1TMR3TDwrMKTWYFFmV/7CxTSqRkAo9mC4tykOB
0oJJ02mpUNwMmERhUwTxkOCMmDclU5ah098sTtqEzYnRlz1tTWlRGEMV1L9pJPC0T/hgTnHhDfF0
z3qpkuxgkknNi6/81EXV1E5tkOzMi0xlFpkIVea0FnuI0+Bp1PSEj7Dokgg1URS9z3ehUVqN0UMt
zCP9UFk9UmAlUSXl0FeF1d8ZViWNFgS9VdqA1t9gkCBtUFMN0qvwzQMN1hrlVl4pTOV0FR6NDmXF
yn1JURMd1xD11RztUEsRUXjJ0RfdjjPZVnT10Q39zwe5VRl1mkfwmkCdLXRF0vVsFGSdzn7t04Kl
z4NVFeA8lXu9z4TtVf9pFdbXbNExhJJMeRH0HFBuMVLIhIkCtc7AuNTn5I8oxVTI/NMpPVbxiM3s
FFCkcNloQSCWmMbJCdj+0VnN4dMfZU0SAlrx4dkGGk2LjCAAoEZI3dlltFKrsVKirRqnbZio3Zyq
ZS3dENpnQZToPEoaeRnrdE1inVOVUdOVFYzaZKCrXa0rKVuxJdHbTBNHPddCTdQR9dVHpUr/WVvA
As82Ec/GjM6JWVXu8M7rTNW/XdVmTRfDPVXF5dSTVRFkERZ5+VjW6oG+ddiUHZNc3RY/lVgvGdiX
dVEfaVg8CRMwMcxhHVFs2Q93XVqoUd1a9Vi8DV3laBfNTdGwZQ3arVj/GGndZUkR2TWQmNUSbL1Y
2B1UzRUU0FBXG+FWeFVQRu3L5s3X/Kxe4V3eXbUR7F3Y5IVTsjxdabVeYt0S0P1a71XY7jVdSclX
2xXfI/He2j2Icq3GXRnScDnb5TRSapXSS/3KhoBZyE3VahFg/m3STy3cXXXO7jTc4MXUqf1eCZ5g
Co6cYxBLo9XM+uWbMN3ggEQcqAUcvlXUERbUAaCY3ZVbkMDd/9Xb2VwJrVUZ5CVbo3Tb2yXcX63g
gVlhN1XZF56WH7ZbGi6ZjbHh0ZjXbHVGORgcM1Vg6oTOylXhsfXbJ8bhxGWWdGVc/Z2MIS2RxRRc
k0Xgx+ViepHezuAI/w/GzPslXfKdyuYt3v0UXTJG4rRk3/yUlR1F3c7lzfal49W9jWvJSXjAGEn9
3fXtVrgt39xFlRQOT7303Q0RY22p3l6J0bBt0FKB32wxkrBN47ph3sdI2PdVZDwR3QL53PldYKfM
41QeVW9BX1d2FDARnqCoSfUNZflVU3z1EyReVMNsZV2FWFaG5PMNlf3M5F0WCEKxg7cZj35cYxwG
Fv6FFlFl0EB2lZX9X7StZJX1VDEmF2zl5id14DBGDgCGCAYel63VYabrraUr4YTxZArqxhhmZ3um
4FognAzOTHk2V9lE1NPU2RD+HzsViX6Wm0i+kIFeZLxs1Lwd4jVFlP9/HomRLAbXUdQcDmJ4AeLh
lGKqJRuOKeh7vpWHAQxOjdDqPFzCbZYyLtVy0UowDtnwTBB6cdwoBdVN1ebI9VuSldI5TpaDlh5c
kWNcblhNqeOiZlZVbuPYeN/63F4RbVemrld4PWRfzuiRftu0bBeflk9soVCP9WNvBd6+ENf09VAq
NV/ckOqEjtYHPhHQjeNwzuodFutEJkyRVV1YlmJIoeSqHlu07tgT5ctxtVHndWhhTmp41mGinly8
vuVSZmj39WvndWNRad/1Zetc7tcOfVbFpms9RdKT5g6uaJEu3lwFzlomReWY9t/RLutsvmladeRz
nukwblyuNpcAxmb/0G6gxe4Xp/nt3p4e4cbopinu4U7uL3WKfWbRoMaXm2WMjMFTF/ZNgH1T4Y5l
7YXhkY5gQDXbwZ1cjp5bIebhNn1oja7T6j5mI65g70Zh8NbbGZ7o8qbv87Zurc7u9fbZ+u4cenCm
qW1i2qbPSBHV/K1iM/nYL0ZY3tbiSpWXuWbc2hjgnB7ZnXbVTU5ZTwXZkLXU566QpCWttD1YNq7R
zs7Q097aWX0WwaxsFvdd6a1dPT5xo65Vz2XkexZwdbXWao3wiH3hCW/wGcnitn7ljebObyVqCs3w
ieVXKj1ipVZm07mAyUxlyD5ypfbsqfaUHqXewcRyhtVlGF8LK+9l/x1tlihP1g8vxSE+7DMf6zxO
cFLe48+NcxkfZc+mbPIl5mE2E9nVc+QeU0wW0gdHDgwfDZdVcFdFkk9JcZmmltRlcQS28JndTgEe
4A13VnUm3kBW7sEhzsUOdE+X2s4B9YUR9VEvzYdo7tBZ89WsmfFx9awLca8zbvNmmIVOddAqbl7W
Y5btYcm1b4jWddHh9fU2VJ5F3+8m9qdBh6f5bR5vTvno6sCNYtnuTg1xYCjWaQZHdWbXmlDHVWOx
4y0/5Bhf6lbu9G+vHGg30Dwv9z0X63v92kGP93UPIQDlVT7v1j+var828/m+d7X9ciXfd3O3Ucz+
6yYXeBEiOscsWf+w1op1+WH/RXR3Z+3KdW3gkHWbKYACQK3w8XYw9Xj6YXXCCVSOl5mPR06Gb3mX
n5BceHmZn3mar6CUv3l/rvkOxnmeZxu6jgTl7nmhv0udL3qjr8ehT/oK8QabOXowVXqoj3qpD0qn
r3qrd8apz3o9kwGt73qv92R7iIer58+vL3uzP3ufH3uyR3sPlgC238ZweGYd1gZif3uT0Aa814Z8
pPXioeu81633Vnup+XvYCnzBr5q8p3vVMvzDzxrCNyrGXxy7fxK8n3zLv3wvbXzN3/zOxHzPdzrO
D33RH33SDxyS0ITPT31kFAhN0ISaD4crPQnUV33aP/3av3yFaP3P0kdK1999sMEC4A9+4Qd+BzKM
2b/9s5cI3QehSshMNvB96IfKL5h+6qf+6CcZbax+7Uf+47l+7/9+8A9/8R9/8ncm7j9/9E9/9V9/
9m//mQFJ949/5OEA+U+h8r9//Oecng+A+l+M/AcIewIHEixo8CDChAoXMmzo8CHEiBInUiz47yLG
jBo3cuzo8SNIj9pCkixp8iTKlCpXsmzp8iXMmDJn0qxp8+bGijp38uzp8yfQoEKHEi1q9CjSpEob
4mzq9CnUqFKnUq1q9SpWqAEBADs=
------=_NextPart_000_0003_01C70B8E.3A4C29C0--
Received: from blackfoot.net ([59.91.255.10]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAIBfUs6016515 for <ietf-pkix-archive@imc.org>; Sat, 18 Nov 2006 04:41:32 -0700 (MST) (envelope-from lilo@blackfoot.net)
Message-ID: <000001c70b06$3134c640$f393a8c0@kwec>
Reply-To: "Raul Burnham" <lilo@blackfoot.net>
From: "Raul Burnham" <lilo@blackfoot.net>
To: ietf-pkix-archive@imc.org
Subject: Re: PHAmofRMA
Date: Sat, 18 Nov 2006 03:39:22 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C70AC3.23118640"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
This is a multi-part message in MIME format.
------=_NextPart_000_0001_01C70AC3.23118640
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Hi
=20
economize 50 % on your PiiHARMACY http://tadesunjinkyunhderunhas.com
=20
=20
=20
The doorman here. He does have a name after all. From what he says I
get the feeling that this is a pretty stratified society with everyone
in their correct place. Great respect is given to the scientist. Veldi
------=_NextPart_000_0001_01C70AC3.23118640
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAequiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV>Hi</DIV>
<DIV> </DIV>
<DIV>economize 50 % on your PiiHARMACY <A =
href=3D"http://tadesunjinkyunhderunhas.com">http://tadesunjinkyunhderunha=
s.com</A></DIV>
<P> </P>
<P> </P>
<P> </P>
<P>Fall out. Ill give you the other side of the conversation that =
you<BR>
didnt hear. Were not being followed. I waited until the ragged<BR>
cheer had died away. Which means we are stopping here for =
food,<BR></P></BODY></HTML>
------=_NextPart_000_0001_01C70AC3.25AF89B0--
------=_NextPart_000_0001_01C70AC3.23118640--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHMZhhB025283; Fri, 17 Nov 2006 15:35:43 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAHMZhnv025282; Fri, 17 Nov 2006 15:35:43 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHMZgmI025276 for <ietf-pkix@imc.org>; Fri, 17 Nov 2006 15:35:42 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kAHMZTH7087801; Fri, 17 Nov 2006 15:35:29 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Sam Hartman" <hartmans-ietf@mit.edu>, "Stefan Santesson" <stefans@microsoft.com>
Cc: "Ryan Hurst" <Ryan.Hurst@microsoft.com>, "Price, Bill" <wprice@mitre.org>, "Russ Housley" <housley@vigilsec.com>, "Paul Hoffman" <paul.hoffman@vpnc.org>, <ietf-pkix@imc.org>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Fri, 17 Nov 2006 13:58:45 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMGEGDCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <tslirheta6l.fsf@cz.mit.edu>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Chairs,
If I drafted a 2560bis along these lines and submitted it to the IETF
editor, would you approve its publication as a PKIX Standards Track work
item?
Mike
> -----Original Message-----
> From: Sam Hartman [mailto:hartmans-ietf@mit.edu]
> Sent: Friday, November 17, 2006 6:33 AM
>
> . . .
>
>
> in the interests of moving forward, I'm willing to let this slide
> especially since the lw profile gives you that guidance and especially
> if we're eventually going to do a 2560bis. 2560bis would actually
> need to speak to mandatory to implement behavior.
Received: from adsl-dyn13.91-127-178.t-com.sk (adsl-dyn13.91-127-178.t-com.sk [91.127.178.13]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHFnSXP070831 for <ietf-pkix-archive@imc.org>; Fri, 17 Nov 2006 08:49:30 -0700 (MST) (envelope-from igtnzvry@orangex.com)
From: "Shes" <igtnzvry@orangex.com>
To: ietf-pkix-archive@imc.org
Subject: Bryan mahnamahna Katz
Date: Fri, 17 Nov 2006 16:49:28 +0100
Message-ID: <000301c70a5f$f7164070$00000000@owner1qacobql6>
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
35040463075046487 534516211312 88270670741734 733525 33243584811 82166813368276
42286026411785631 45332308560403 7355852425256782 42774582 50681218514548 312500456657438
72882 57152 17725 0442 8604 5067234127 05801 32050 1626 0672
00706 26764 58636 3744 3867 8812 6282 65850 38200 6242 8178
17742 02366 48415 1834280101483065 1365 3578 41861 42017 45345145377070
42853 73621 84417 37155253072222 201432 80683 37258 23440 361084634006667
78402 60302 02612 738185580301 661465212078521 56367 75216 1761 8444
86552 60573 72754 0607 7680 7786553042531802 07434 08382 5846 382
30631 56140 53415 5680 87531 54186 3358 53678 63110 82223 5884 8244
77837 04176724867718 3463 5630 51568 2554 74530 41857877867788 678856782801271
08783 743204606570 7352 5684 77050 8423 62775 187720681646 00556046534545
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHFX0Zu067900; Fri, 17 Nov 2006 08:33:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAHFX0m9067899; Fri, 17 Nov 2006 08:33:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx12.bbn.com (mx12.bbn.com [128.33.0.81]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHFWwu8067879 for <ietf-pkix@imc.org>; Fri, 17 Nov 2006 08:32:59 -0700 (MST) (envelope-from kent@bbn.com)
Received: from dhcp89-089-106.bbn.com ([128.89.89.106]) by mx12.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1Gl5i1-0000Up-3M; Fri, 17 Nov 2006 10:32:53 -0500
Mime-Version: 1.0
Message-Id: <p06230902c18382b70e4d@[128.89.89.106]>
In-Reply-To: <011901c709ab$b907eb30$82c5a8c0@arport2v>
References: <005f01c7095c$b821c2d0$82c5a8c0@arport2v> <010801c7096a$8ef012f0$5d85900a@wcwang> <011901c709ab$b907eb30$82c5a8c0@arport2v>
Date: Fri, 17 Nov 2006 10:26:23 -0500
To: "Anders Rundgren" <anders.rundgren@telia.com>
From: Stephen Kent <kent@bbn.com>
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
Cc: "Wen-Cheng Wang" <wcwang@cht.com.tw>, <ietf-pkix@imc.org>
Content-Type: multipart/alternative; boundary="============_-1048344917==_ma============"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--============_-1048344917==_ma============
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
At 7:19 PM +0100 11/16/06, Anders Rundgren wrote:
>Wen-Cheng Wang wrote:
>
> >This change will immediately make these CAs becoming non-compliant
> >to RFC3280bis.
>
>Does it? I thought SHOULD is a recommendation.
SHOULD means that an implementation is expected to provide the
indicated functionality unless there is a REALLY GOOD reason not to.
This makes it much more than a recommendation.
> >For a CA to guide its relying parties (client applications)
> >where to find the CA certificates, one id-ad-caIssuers accessLocation
> >is sufficient.
>
>You misunderstood my point. Certificate path building on the
>relying parties' end is (with S/MIME as the only major exception),
>done by servers. For servers there is no problem to fix. I'm
>rather talking about client software that is not relying party
>software, but rather subscriber software. Although some CAs indeed
>not only specify and distribute such software, it is not these guys
>who have a problem, it is rather the other 99% who can't afford
>writing their own subscriber software.
Cert path building and validation is currently assumed (by our
standards) to be performed by an RP, The rationale for creating SCVP
is precisely to allow off-loading of cert path building and/or
validation. Thus your comment above is not consistent with RFC 3280.
Also, the term "subscriber" appears nowhere in 3280, so your
reference to that term above is context-free.
Steve
--============_-1048344917==_ma============
Content-Type: text/html; charset="us-ascii"
<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: I-D
ACTION:draft-ietf-pkix-rfc3280bis-06.txt</title></head><body>
<div>At 7:19 PM +0100 11/16/06, Anders Rundgren wrote:</div>
<blockquote type="cite" cite><font face="Times New Roman">Wen-Cheng
Wang wrote:</font></blockquote>
<blockquote type="cite" cite> </blockquote>
<blockquote type="cite" cite><font face="Times New Roman">>This
change will immediately make these CAs becoming
non-compliant</font></blockquote>
<blockquote type="cite" cite><font face="Times New Roman">>to
RFC3280bis.</font></blockquote>
<blockquote type="cite" cite> </blockquote>
<blockquote type="cite" cite><font face="Arial" size="-1">Does it?
I thought SHOULD is a recommendation.</font></blockquote>
<div><br></div>
<div>SHOULD means that an implementation is expected to provide the
indicated functionality unless there is a REALLY GOOD reason not to.
This makes it much more than a recommendation.</div>
<div><br></div>
<div><br></div>
<blockquote type="cite" cite><font face="Times New Roman">>For a CA
to guide its relying parties (client applications)</font></blockquote>
<blockquote type="cite" cite><font face="Times New Roman">>where to
find the CA certificates, one id-ad-caIssuers
accessLocation</font></blockquote>
<blockquote type="cite" cite><font face="Times New Roman">>is
sufficient.</font></blockquote>
<blockquote type="cite" cite> </blockquote>
<blockquote type="cite" cite><font face="Arial" size="-1">You
misunderstood my point. Certificate path building on the relying
parties' end is (with S/MIME as the only major exception), done by
servers. For servers there is no problem to fix. I'm
rather talking about client software that is not relying party
software, but rather<b> subscriber software</b>. Although some
CAs indeed not only specify and distribute such software, it is not
these guys who have a problem, it is rather the other 99% who can't
afford writing their own subscriber software.</font></blockquote>
<div><br></div>
<div>Cert path building and validation is currently assumed (by our
standards) to be performed by an RP, The rationale for creating SCVP
is precisely to allow off-loading of cert path building and/or
validation. Thus your comment above is not consistent with RFC 3280.
Also, the term "subscriber" appears nowhere in 3280,
so your reference to that term above is context-free.</div>
<div><br></div>
<div>Steve</div>
</body>
</html>
--============_-1048344917==_ma============--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHEXgWa060322; Fri, 17 Nov 2006 07:33:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAHEXgPO060321; Fri, 17 Nov 2006 07:33:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHEXdS0060306 for <ietf-pkix@imc.org>; Fri, 17 Nov 2006 07:33:41 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 4B3D9E0038; Fri, 17 Nov 2006 09:33:22 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Stefan Santesson <stefans@microsoft.com>
Cc: Ryan Hurst <Ryan.Hurst@microsoft.com>, "Price, Bill" <wprice@mitre.org>, Michael Myers <mmyers@fastq.com>, Russ Housley <housley@vigilsec.com>, Paul Hoffman <paul.hoffman@vpnc.org>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
References: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344D6B8@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <F9F038204EE77C4AA9959A6B3C94AFE8010EF549@IMCSRV2.MITRE.ORG> <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344D7FF@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <A15AC0FBACD3464E95961F7C0BCD1FF015681C06@EA-EXMSG-C307.europe.corp.microsoft.com>
Date: Fri, 17 Nov 2006 09:33:22 -0500
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF015681C06@EA-EXMSG-C307.europe.corp.microsoft.com> (Stefan Santesson's message of "Fri, 17 Nov 2006 12:06:34 +0000")
Message-ID: <tslirheta6l.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> "Stefan" == Stefan Santesson <stefans@microsoft.com> writes:
Stefan> Could we just define this error response as "Unsupported
Stefan> request". This could describe the case where the server in
Stefan> unable to respond to a syntactically well formed request,
Stefan> either because it requires a non-supported response or the
Stefan> server is unauthorized to respond. It would provide two
Stefan> important pieces of information
Stefan> 1) The request was well formed, so there was no error in
Stefan> the request; and 2) The responder can't respond to this
Stefan> request, so there is no point in retrying the same request
Stefan> to this responder.
Stefan> I think this is enough information for client to
Stefan> gracefully handle the situation and move on with other
Stefan> available status validation options such as:
I'm not sure this is quite enough information. I think that you need
to somehow indicate the mandatory to implement minimal response set so
clients can fall back to that when they get this error.
I.E. if I only know how to use OCSP and I get this error there should
be guidance telling me to retry without a nonce, with one cert and
without options.
Now, in the interests of moving forward, I'm willing to let this slide
especially since the lw profile gives you that guidance and especially
if we're eventually going to do a 2560bis. 2560bis would actually
need to speak to mandatory to implement behavior.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHC6gu5040579; Fri, 17 Nov 2006 05:06:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAHC6gcf040578; Fri, 17 Nov 2006 05:06:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.181]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHC6eM4040558 for <ietf-pkix@imc.org>; Fri, 17 Nov 2006 05:06:41 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from DUB-EXHUB-C301.europe.corp.microsoft.com (65.53.213.91) by DUB-EXGWY-E802.partners.extranet.microsoft.com (10.251.129.2) with Microsoft SMTP Server (TLS) id 8.0.685.20; Fri, 17 Nov 2006 12:06:35 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by DUB-EXHUB-C301.europe.corp.microsoft.com ([65.53.213.91]) with mapi; Fri, 17 Nov 2006 12:06:34 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Ryan Hurst <Ryan.Hurst@microsoft.com>, "Price, Bill" <wprice@mitre.org>, Michael Myers <mmyers@fastq.com>, Russ Housley <housley@vigilsec.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Sam Hartman <hartmans-ietf@mit.edu>
CC: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Date: Fri, 17 Nov 2006 12:06:34 +0000
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccJo+esNnxnqaD+QBmtuZUWnhUzNAAFUyHgAANjdXAAARNdYAAc6d7g
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF015681C06@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344D6B8@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <F9F038204EE77C4AA9959A6B3C94AFE8010EF549@IMCSRV2.MITRE.ORG> <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344D7FF@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344D7FF@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAHC6fM4040564
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Could we just define this error response as "Unsupported request". This could describe the case where the server in unable to respond to a syntactically well formed request, either because it requires a non-supported response or the server is unauthorized to respond.
It would provide two important pieces of information
1) The request was well formed, so there was no error in the request; and
2) The responder can't respond to this request, so there is no point in retrying the same request to this responder.
I think this is enough information for client to gracefully handle the situation and move on with other available status validation options such as:
- Retrying with a simpler request (such as one conforming to the LW profile).
- Trying another responder
- Falling back to CRL validation.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: Ryan Hurst
> Sent: den 16 november 2006 23:13
> To: Price, Bill; Michael Myers; Russ Housley; Stefan Santesson; Paul
> Hoffman; Sam Hartman
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> In-line
>
> -----Original Message-----
> From: Price, Bill [mailto:wprice@mitre.org]
> Sent: Thursday, November 16, 2006 2:01 PM
> To: Ryan Hurst; Michael Myers; Russ Housley; Stefan Santesson; Paul
> Hoffman; Sam Hartman
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> I too would like to see a small modification made to the specs to
> better explain the error code. However, I think the proposals are "off
> the mark." The error message in both its "sound bite" title and the
> proposed expanded descriptions sound like there's an error at the
> responder (server). The user of a client that got such an error would
> likely look for problems at the responder.
>
> The most likely cause of the "unauthorized" error is an ill-conceived
> but syntactically correct request that asks for the status either of a
> certificate from a non-supported CA or of an expired or yet-to-be
> issued certificate. (The case where a presigned responder didn't have a
> presigned response available.) This situation may seem unlikely but it
> has happened because of misconfiguration or bugs in homegrown clients.
> [rmh] Bill this is just once case, what if a client includes a
> unsupported extension if the responder was keyed but proxying the
> request to a authoritative responder with the intent to re-sign but the
> proxy server was not available, or if the client included a unsupported
> identifier (byKey vs byname) there are lots of cases where a server is
> not able to provide a authoritative responses.
>
>
> I'd recommend some words that the error "can occur when a keyless
> responder does not have a presigned response available." A few words
> more could explain that a request as described above would provoke the
> unauthorized response.
> [rmh] It needs to be more generic than that unfortunaltey.
>
> I recommend fixing the description to be user friendly so that people
> who encounter the error know quickly why it happened and where to look
> to fix it.
> [rmh] This is something implementations should deal with as part of
> their debugging tools, documentation and logging.
>
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org
> [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Ryan Hurst
> Sent: Thursday, November 16, 2006 2:57 PM
> To: Michael Myers; Russ Housley; Stefan Santesson; Paul Hoffman; Sam
> Hartman
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> If that were possible this would be the text I would propose:
>
> The response "unauthorized" is returned in cases where the client is
> not
> authorized to request a response or the server is not capable of
> responding authoritatively.
>
> Ryan
>
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org
> [mailto:owner-ietf-pkix@mail.imc.org]
> On Behalf Of Michael Myers
> Sent: Thursday, November 16, 2006 6:35 AM
> To: Russ Housley; Stefan Santesson; Paul Hoffman; Sam Hartman
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> Maybe what makes the most sense is to update 2560 with this definition
> since
> 2560 is normatively referenced in other RFCs. I'm not talking BIS,
> just
> a
> quick sentence or two.
>
> Mike
>
> -----Original Message-----
> From: Russ Housley [mailto:housley@vigilsec.com]
> Sent: Wednesday, November 15, 2006 8:03 PM
> To: Michael Myers; Stefan Santesson; Paul Hoffman; Sam Hartman
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> Mike:
>
> >The LW OCSP I-D does not nor is intended to
> >update, redefine, obsolete or otherwise diminish
> >2560 as the base document defining OCSP.
>
> At a minimum, it needs update RFC 2560 to explain the ways that the
> "unauthorized" error code is used.
>
> Russ
>
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHBpPVV038709; Fri, 17 Nov 2006 04:51:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAHBpP0F038708; Fri, 17 Nov 2006 04:51:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.181]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHBpNsm038688 for <ietf-pkix@imc.org>; Fri, 17 Nov 2006 04:51:24 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from dub-exhub-c302.europe.corp.microsoft.com (65.53.213.92) by DUB-EXGWY-E802.partners.extranet.microsoft.com (10.251.129.2) with Microsoft SMTP Server (TLS) id 8.0.685.20; Fri, 17 Nov 2006 11:51:14 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by dub-exhub-c302.europe.corp.microsoft.com ([65.53.213.92]) with mapi; Fri, 17 Nov 2006 11:51:14 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Michael Myers <mmyers@fastq.com>, Russ Housley <housley@vigilsec.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Sam Hartman <hartmans-ietf@mit.edu>
CC: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Date: Fri, 17 Nov 2006 11:51:14 +0000
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccJkaU5LEgWujQZQiCDaQO+YHkGlgArAXjA
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF015681BF9@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <7.0.0.16.2.20061115230059.0759c808@vigilsec.com> <CCEJKFKLBCNMONJMIEAMIEFJCEAA.mmyers@fastq.com>
In-Reply-To: <CCEJKFKLBCNMONJMIEAMIEFJCEAA.mmyers@fastq.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAHBpOsm038703
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike,
I'm not sure which one is best, but we have two options as you say;
1) Update RFC 2560 in the Lightweight (LW) profile, thus making the LW profile a standards document.
2) Creating a separate standards track document, updating just this error code and keep the LW profile as informational.
Sam, can you give any guidance on what you think is most appropriate from your perspective?
If the WG chooses option 2) can the LW document and the update document progress together?
I suppose both options are valid, also considering that many documents reference 2560.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: Michael Myers [mailto:mmyers@fastq.com]
> Sent: den 16 november 2006 15:35
> To: Russ Housley; Stefan Santesson; Paul Hoffman; Sam Hartman
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> Maybe what makes the most sense is to update 2560 with this definition
> since
> 2560 is normatively referenced in other RFCs. I'm not talking BIS,
> just a
> quick sentence or two.
>
> Mike
>
> -----Original Message-----
> From: Russ Housley [mailto:housley@vigilsec.com]
> Sent: Wednesday, November 15, 2006 8:03 PM
> To: Michael Myers; Stefan Santesson; Paul Hoffman; Sam Hartman
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> Mike:
>
> >The LW OCSP I-D does not nor is intended to
> >update, redefine, obsolete or otherwise diminish
> >2560 as the base document defining OCSP.
>
> At a minimum, it needs update RFC 2560 to explain the ways that the
> "unauthorized" error code is used.
>
> Russ
Received: from node-be0283fa.scarlet.an (node-be0283fa.scarlet.an [190.2.131.250]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGN2MGU034744 for <ietf-pkix-archive@imc.org>; Thu, 16 Nov 2006 16:02:23 -0700 (MST) (envelope-from Mandel@pagecorner.com)
Message-ID: <000d01c709d3$4572cf50$00000000@vries>
From: "Berlin" <Mandel@pagecorner.com>
To: ietf-pkix-archive@imc.org
Subject: same jumping impress
Date: Thu, 16 Nov 2006 19:02:21 -0400
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0009_01C709B1.BE612F50"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0009_01C709B1.BE612F50
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000A_01C709B1.BE612F50"
------=_NextPart_001_000A_01C709B1.BE612F50
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Elements execution Parkour Yoga Bossaball dressage etc.
Links linkcite articlein bokmlnorsk of last November!
My favourite would. Had close connection warfare skills Among originate =
am.
Aspect together in spread led resulted conflict where is paycheck can =
in. Objects is normal is use pleasing of car doesnt impresses us. You a =
won lost how a played game am creed of.
Sister projects Dictionary Wiktionary Textbooks.
Been popular of Chinas ancient past a Monuments Pharaohs. Pursuits =
various forms different.
Connected cultural Until mid person could in.
Reporting compete national teams audiences or. Keep running Sportfrom to =
navigation searchthis page.
Equipments grown am need in better. Further reading References alsoedit. =
In reference biological mutation see mutant Sports redirects! Equipments =
grown am need in better.
Elevated am celebrity or statusedit Politicsat in. Specific my =
favourite!
Others or may a prolonged.
Both poetry sculpture role whether applied a health technique am. =
Speakers is whereas enjoy less.
Influenced one another became a prominent part their.
Purposes get places we.
Greatly understand what doing improve!
Links linkcite articlein bokmlnorsk of last November! Olympics up =
present has brought. Important thing taking typical often.
Held every four small of village is called organized or.
Important thing taking typical often.
Toward teammates or opponents is ethical.
------=_NextPart_001_000A_01C709B1.BE612F50
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"Summer" hspace=3D0=20
src=3D"cid:000801c709d3$4572cf50$00000000@vries" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV align=3Dcenter><FONT face=3DArial size=3D2>Elements execution =
Parkour Yoga=20
Bossaball dressage etc.<BR>Links linkcite articlein bokmlnorsk of last=20
November!<BR>My favourite would. Had close connection warfare skills =
Among=20
originate am.<BR>Aspect together in spread led resulted conflict where =
is=20
paycheck can in. Objects is normal is use pleasing of car doesnt =
impresses us.=20
You a won lost how a played game am creed of.<BR>Sister projects =
Dictionary=20
Wiktionary Textbooks.<BR>Been popular of Chinas ancient past a Monuments =
Pharaohs. Pursuits various forms different.<BR>Connected cultural Until =
mid=20
person could in.<BR>Reporting compete national teams audiences or. Keep =
running=20
Sportfrom to navigation searchthis page.<BR>Equipments grown am need in =
better.=20
Further reading References alsoedit. In reference biological mutation =
see mutant=20
Sports redirects! Equipments grown am need in better.<BR>Elevated am =
celebrity=20
or statusedit Politicsat in. Specific my favourite!<BR>Others or may a=20
prolonged.<BR>Both poetry sculpture role whether applied a health =
technique am.=20
Speakers is whereas enjoy less.<BR>Influenced one another became a =
prominent=20
part their.<BR>Purposes get places we.<BR>Greatly understand what doing=20
improve!<BR>Links linkcite articlein bokmlnorsk of last November! =
Olympics up=20
present has brought. Important thing taking typical often.<BR>Held every =
four=20
small of village is called organized or.<BR>Important thing taking =
typical=20
often.<BR>Toward teammates or opponents is =
ethical.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000A_01C709B1.BE612F50--
------=_NextPart_000_0009_01C709B1.BE612F50
Content-Type: image/gif;
name="jump.gif"
Content-Transfer-Encoding: base64
Content-ID: <000801c709d3$4572cf50$00000000@vries>
R0lGODlh8AEgAof2AAAAAHoAAAGCC3+IBg0Ae44CcwF0ecXCwbjNt5jE+TwiDW0nBYYdAKkrAMcc
AN0XAwBKCC47DTFGAGI3AIIyDZdDALhIANREBwBuACVpBDVdAGRWDolSBpNTALpXANRdAgB0CC2L
AEGMBGF9CXeOAKp4A812DNp+AACiCR2pAEujCFmVAYeVA6yqALekAOGpCwDADijCBUPFCWW7AIPD
AafICc6yAOq4AAzRAibnBDzpAGzVAH3iAJjuBMjTANHmBQwARxYDRT0JOGsKNIoASpoAN7EIResA
RAIuPhwkNEYiSmcnR4YkRpYjNsUkPtkcQAVAMhk9M0xITV9LQI0/Tq41SbJENtQ4OgBjNSZiOzZs
M2VhPXtVEZ1oM7NhSeNRSgCHRBF7NUh1TlGAPXuNQJuKO8J0S+CMNwCUOBSYMj2fS1qaM3eVQaKo
QsCdNt2pNADONR22N0PHTlPNPYG8S6K3M8K2QNW+OgDmMxLlMkDqOmbsP3HmP53TSrXdM9XUOAgA
jSoFhU0AiVQCeoIAdaMAf8IGjdIBgQAdcSUhjk0uilMjh4ooc5cihsQrjdQbigAyfyA3iDo9cVU2
e4c+eqVHecZEiu0+egRoeS1teEdbcmlrgIZtjZRYhL9aiNVVgwd/dB93eTeDfmeHfo6OdpyKc8t/
ddV2hAeodRGqiEGdjlOje3abdpurfMWsg+afgQDJfBrJfTvLimbHgn7Og5bEd8a9hdnEgwDmcyHn
iUHpi2nUcYfceaTaibbod9ziewoHyhMAw0IAulEAtnkHvKMJwsMIxtUAwwAowi4SxkYnxFwXyYQg
vp0bysUYwOwTxQA/uSw2vE46zl9BuI1DvqIywcs4wOM7xABSvytpyElYwGBby3pWu5dRtstYt+tV
wAB+xxaHs0yEv2OKyoqKyamFwcl6zNmKxgCZyRmatT2hvlKgwYiiva2bzrygvOKdvQC2wyvCyDax
w2HLu424yZK4s//2+ZqjlYOGcv8AAA35C//8AAEA//YI8Avx///w/yH5BACs9DkALAAAAADwASAC
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2B9nLq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUq1qlWp/65q3cq1q9evYMOK
HUu2rNmzaNOqXcu2rdu3cOPKnUu3rt27Om/q3cu3r9+/gDniHUy4sOHDiLcGXsy4sePHkEUmngyX
FOXLmDNr3jyUC+fPoEOLHk26tOnTqFOrBrtgteZkWCPLnk27tm2/PtG43s2bKrLepG8LH068uPGM
wJMrX868ufPn0F0fn069uvXb0bNr3x40Fvfv4MOL/78otOFd87EXnmc4FX1d9z+vOy7P3i78p/fl
5m+6H27/vPKpJN6ABIoFAADgkRfUf24xmJSDbEF4lIRqOUjRgQAEOFGBHHboFYYeDnWgPSMa9cGJ
KKaIYk8qnshiiysK5SJTI5YYVI0IGiXAjjz2yGNPPu4IZJA/CiUkjQjaCBSOR/Hj5JNQPtlTlE5O
SaWUQlWJJIk5SqVkiDwxaeKMMcaok5lm7oTmjD+lmZSYNybZJVFF1nmkTkXak+dOee45pABNwbmk
nE1qiSWWOiGK6E6KavnTom8SWhWIYIb55VBlksmmPW5y+sGLn565KU+dIkWpiJcaeaSdgOJ5p6t/
8v/5Kk9+RjpnnLcOdaihjtoDqa/8WBlsor3y9KupqU51aocYNpvsi6KG6mm0PrmZZqmeYiuUs83+
xO2yQd3ZZ6t6zpqTn3vWem6PSn2brLu5PjossPM6eiykix5Lb7FFwctVvEOd8By4SGE7qprS5nTt
wQqnGOizlgLcUwU+qVsuULOma+66FvcL8U4EFzqvsSOTTPLI+kb5sMSVTiqpUqVqu3DCDDesLapc
4vxxuBt3rDG5F//k45Y7C4rUvfwSi3KvSeek8lJGWyVMy1GPmTC1bW6aac2aXm1U1ZbmvJS6Pr/K
KtCycgz1y4OKrRTSJTPKNK9N07222y3XFXPN2SL/rGJQXeNF9sZquzo0xq12/BbcQOVLZVB2n2ZJ
YgoCdd/eXmNtc7aZN2yztBQWdd/gaMsK9I/sCp14nqETdR/j8i4dLJSND0t7ThZqGBh96vldLd8z
b/47jAD2HtXoPRNe7umrEk7kna0P9XrS+tIrt+11Xzlv7rqb1JbBnU/ru/Ck0sy3WxYrn7G4yZt+
V8pxE3uy0j7NHX/en4GfubVsOowwqHZJX/LQNq71xaou8Isfvuy1QGHhjzQyG1Wngve/8oWvLWUj
oLl+RqvSKY4t1Vtg3BxXMn5Vbyq5eKBZbram/Umwfwfz31wUV8CKrY9ctUrdXE7YKAUWq4fCup8K
/5lSufjUh3MR/JsFZQgj/8GoINc4SHuOSCTEHc50Onze2XgUPd4pRGm3q9/jThZG7e0qStzrXl+8
mJD1GA8qXSxLHC13RLqkUY17YSNC3PjF9PTxPXXETyD1M0ie4LEkQ0ykIrlTRJ/McSyPdGQh/TPJ
pUQyLHc85EcWyclOMkeToAylKBczj1Ga8pSoTKUqV8nKVqoRB66MpSxnmUfwgMOThSEALnfDgF36
8pdfeQkDGEDLlyCimMhc5TCTycxmOlMjy3ymNKdJHGBa85qaoaY2t8nNbkZGDt4MpzjHSc5ymvOc
6BwlNtfJTsOk853wjOdweiFPbRpBje3Mpz73yf/PfvrznwAN6HZmINC7+KCgPamnQhfK0IbuZQQO
jahEJ5pMhFr0ohjNqEa5QtGOevSjIA2pSEdK0pKa9KQoTalKV8rSlqpyozCNqUxnStOa2rSgjQRT
Jdm5s4HNaY1Q2YRQhVqYoeqEqHBxl06ctVSmhs1b3+KSU6VaIiXhqEs2mmqqppoTp3YrqlSFWFa7
1VWwhtUnWiUrWs2aVrU2dVtq5WpPK2SRnCDVHne9i1Htugk5CmQJeyzrU8U21sG27a09KaxV5YTV
HBUWb4KNrNuq6thcLRaqiIXslx4LsspG9mObbaxkQxsnxFK2s7gzDl77+pOh3tW1fd3ral27E9j/
HtW2fL1ta/f6Wtry1aiynW1e82pI410WtZylKlxRa9jM5oysRovurcB22uYelrTOLZpnCTsn7EpW
sMl1K3PfWt3IArUpxNVtbmfLXqTylrU8ca9817va3c63J/KNLVHvW1/6bsm5zxVtU0HbXcvG67LQ
ZVuAm0vd7Y63tN/F23EhXN0Jf5e04Q2ZZiXl3dCkl773DTF8P8zf3vbXJ/vVL4pZK2IQwzcqFg6w
W8u71s4ydatRZZJ0Nxy2d1XWq1wdb4djvNYEizexBe6xXB38YBmDa65nIc+HT9zi/pr4t+9Vb32n
bGXZwpbFYF7vl1+8IOMmGbkKpjGSmwzZC3MY/0QYnq6cuVthlkV4tHPOrp0n+zKxnpm8aWYygOF0
2fMyZcpXrnKiRxxmF58Yv2AucaOrfJUYi2mxR37wpXCM5rLuuMMLNq2ga7zmCFtYu4AGsGHj7OZM
s9rNgKyIo6k86Vqrd9FaZi9QetvoLou511eW5B+9W14aP4vIfJZwn4s9as4+Vs3KJjWeGSxgIS97
0HnmrqiZ62wHF5ovUcEtlhn963G/+Muz/m1QeH1b31Ja3I++W8QyHG3MDjiuCe60p+/dWHw/+cZw
5panNaxsgm3a1UCecbb5red6Y3qsCrdPXa3C5aRUvEFv1CeUoVOi41zl4kcBeYQyrvE9R8dGhv9m
i8iJsvKblmXjy4F5lCeOmp2Kro1dcelHVWNz1+GcozoPp8uHTvSPk1koLS+60ikpa+EmfbchP/pV
ei69hPTj6li/uk6y3o+tc70nWi9e0Ln5lOFKPepoN03Yvc52e6x97TmBO3fYsXSfyxrR5Ha6rp1+
bt/SWitU1yNB2h73ru9E6283fOHXPnaKxlvL+W1vpMtN+cf7MbD8+Tnc5Y54xW8e62JfaQs6au7a
qpjykp7104lI8gdpXvFuh33sY5/1wxs+7I2f6Ip1i2tfV56/QP8j6zH/eZ50fva2L3xqc6/Nqpi4
96n/u+VBU/zkh/3ztT/NF+oefIo82ux9R33/3ns/fTi2Hil/5Lznb79+5bOd+dsMKrz37vv8Blfc
wf6M3GmfeOvDfv8hgg1El1O7hxmBV2aYpxjwR01dsXrc94BnUQiI4YAQWIEWeIEYOHzeRxYHSEgJ
uB0L6BIZOIItQ4C7dnauJ3yH0UcQAAFj0YJzAYOhF4IoUXbzN0QyqBMtuIM/sYM56IMuCBQwmIP2
MIRA2IM+iIQ8mBM/GIRF6IRESIJzkX8qBIQu2IQ9gYVY6BMySIRGqINOCIZiyBNbuIVPuBNRKIVW
IWXjR1u8Bn5mN4MGQRkKkYRjeIZkCIVXqIdIyIRh+IV+mIV8mIdjaIZeGIQ0OB+L1oa3lncn/9aB
cVGHSxiIlIiGfGiGlniHZ4iJlZiGZTiIeCiGibgSNtiIpudfkIeCvDGJoeiJg3iEXAiKmwiLhFiJ
ljiJhhiGoaiGa1hX6OZfwNdufldcKuhOOGeHnOiHSZiMrfiHeygUyfiJdxiFMDiKAuIUJBZ+lkeB
qfGFzJiJzIiJgCiEstiJulgUaciLKid1cSh9wcaNnOGNr3iOXViOtliPthiLhRiE0miOtaiOVcGG
Behi9zeMdwWJTHcQVgiGuKiHh8iK//iE33iLudiQ0+iMy7cQmWCNMeFXxVgYLHiOW5GOcCGDHLk7
HHh+gxGSYkGSbZGDJwkYHvlziPGRYOGSav9BhDH5F9oxSTZpRMKhDRAxBvBECqvUk+f3k8JmG0K5
kzYBkHahDVC5G/DoGvmQD6ohlVNpFgryiyynilHnlVpRcT6Jc1f5E2dpD8PRlE5pG6hYFFUJaWBB
lknZRld5l1ipE3eZkbXBlm0pE/JnFF6Jf44IdfHld7g1mIi5mFqBlz3hmFvZTytHhb8HlhUXearn
iMQVl0ABmXqJlWkZmacRBN23IXpXetJ3mLwHluXne5mZighIkzvxRXv5mTmRln+5c6p5gqnImCCX
Xr/Yjl1GmLH5gXKIE/YAmXi5l7npUXLJm5W5mkOxmYwIm9NHlzbZR2cZmreZlyoxCs3pSqn/WYBZ
BowiR52m2IjAVpiPWJeBtZ15aZtqGZ7dJH/BZV9eBm/3aZim525kppj3mZ+NuZyPGZ+iqVM0xxWc
mXaZl51maaBASZ8O9RULKpisWXUO+p4QupS2QQ8SKoJ0UaFIN4wHWqImeqIomqIquqLclxUjKKKT
4Vg3wqKxtoGnKRaXCX5IkXTYSZMKMV1OkWkg01VEmlgJZRHx8KHXiI3s6RU52ncXeooW2hVAGihL
NaMkgqU06mFnt4gp9l75uZj7iWVkOm7CeHpvyGgCqixhMnBEWiNXOqRF2l1zOqdVJVVbyhl4p57t
Zp3l2Zr+mY3qllvvyJ4wmqV1eqVZFaeM/yqjceqoSaKoWJWnmrGnlfd91TmecumG7NhrwiWlmlpp
jzqkQGpglEKniCqjVVqklHoZluqamJqYmqmKX3p6fGee/6mYXxGpAwenpGqkiiqnkLpviMqqrYoW
DTEJbfSqwCecoEqZUvpunmqQXaqKddRHvFqsjPqmwMqto5qqbUqnKJUOoBSY4jet2uia0Jqe0ReH
hZprrWml25qt2zqvxXqn4DqpqHqsrkqt/gmqZppu9AewBPmn6kqiazop82asDNurAwauEHuqcsqv
FCuvFXuxuwovGruxHNuxGjsZESCFJhge1yqbR2Fyvaik1sFJJWuckaiyjCELCDkgLStFEv8Hs9ix
SDU7hzeLs7VBGqu3oDtbEHzks7Nxq5XKmofKlzbLtIP3NL5yFWFkd0Z7tOt6GL8ZpSnoowlRQk4j
tYliFNo0DY5XqAV5tmm6d7aFtmrKtm37tgX7tuk6tAThQ1JCN7ZjPU4ztVH7tX37tfUyn1XbkUya
ngebmfqFpl96uLoWfbuJqYgrsFBxP9gTtmFrL3+buX+bt5druRg7hetpuM9qa/VHuowLrfnXrk1K
FVDLuX4LuIySuSV0OygDu59bmhJxo3znqX5KuooWnJmapoWpuvB6nINnvC4au31bu53bvK/7vLOj
vNEruAcxB4Mrk45LsK9ZuuI3kMQrsN//O310i5zSC72xW7vM67lRy7zTe72Ei17BG7ru6Lv0a7gi
Jr+QO7/WKRVeu7zKa7sA/EPnKz/Pe7v2oA8BmRBowB7tqJ/+Cn31G7CpCaBnG7f7e5Bv9EVQq7dg
ZL7WM7tAFLhO674pcbFCpCsGXLFmtMIs3MIufCUpHMNMwbdNIsNGQQToR8I67HE23MMzucNA7JYq
VDo+7ElBfMRCXMRKvMRM3MRO/BxIHMWy8cRUfHlSfMUyWcVavMVcLBZY/MWrdAFgPMZkXMaR0cVo
nMZqfDxm3MaAucZwfKRufL1YMMd2HEtxnMcAhbJ6/MR83Meg0VEZcseEjBAy8BGDXMgW/zEMiswQ
idzIkOwRj6xG8BDJlnzJmJzJKVcaiQDIAjWyJKjJPLmVMDsLwuHJMTULs/AdTUMarVwUr5wY6ACB
q/wZlTM3TkE9MMy/uwzLJ0wUsSxGM3xCGNqcpoxKBLy3uXzCwdwUzWwlyzwWz0xHxvxS+wJGDLQr
8rPBckNG2HNGr/xDZUQ7YzRG+1Iv35zN2nzOHSzM54zOjTLCJ3nMqbS32azMDAQsBBzOS7PN2VM7
3YzPICzQlZvP+pzPBl0lCF250Ky3Cu1D8jyKqsxK+lzRC+3P+8zM/SzQAC0vAX3Qs4vRHK3MIC3S
Fj076FzRHX3RxTnPKxvNJ23SD53RkP+z0SV9PSEkO+Qc0iN90zHN0j9dzvBD0j69lbXMHUIt0yhN
0x1N1DOdzK2Myybz0U/t07yi0lV91fzszkA9lUe9HbgM1E+9zh4N1Uud0UIk1UWN1Wdt1QWd0pGT
1Wety07d1h+dxzGwFmHduuPc12WNzURtzzntzYAt1umc0uws2Fed2NccRGyt2MmMymo4zZJtRxbx
wpid2Zq92Zzd2Z792aDdwqKMSBrFzZV92qid2qqtFLwAHizzx1p6GbD9JqL6FLN9UxcRZF8TKfVK
20sCYwbS27Q9qVtBr8Bt2ydrxfAEFbf9MMKd3L/N3MFNFcStFc0tItJ9rAWmqsT6qKH/Vap26qip
CnE/trDdfarkHTHEGqn+5q3ozavvXaXcHXAH92Om6qZZylj9pt4Ql6gS+6b/hq/jzd6nUuCUdd0B
Vd0Kpq3G3a357a0PzrDZuqr3Gq4TO+ETW+ECjuGbpuHBaqzDiuENC+H7yuERfuKoKt7cKt4mDuIf
fuIo7uHP3U4KouAMviwLrlyjqt/c7abEPWPeTWhfZa+NWuEkfuO+GuPV/eDsbeTaqlxLrq/ByuFA
HrEBx3BS7uJHvqj6+lXVNpssxapZ7uT3WuLCCuPu/eIiLuZOnuRsTuQxvuVFPuZrzuR2/uZsHuVq
fudo/q0mruIyzuB7Dl6Bbm3EqFJ4/77m+yroWv5cRZ7ngw7pLk7nGU7pci7pSl6vP97mF07mlN7k
R+7nMt7icY7pdErqi+6oDJXd621jp17fJV7e8xrf+F3rXr7ftb7eG27gKp5vsr7kRu5ZwD7kEr7h
fC7rog7lktpv+m3eUH6nP37g573aY4HgIWLtRQfKYILtzIJxCkXtVazt4E5XusembcHtqEHh1g0W
Jidzk3EBjGQRN9amZ4Hu041W/QI1Fg7s24LdGT7iDu4t/w7w7TLjERp0eL4W9h4WC28q9P7ku93v
Eo/cE0/xSsF8Yv7fOM7r/t3dEa7x/a3rcrZsLK7eeKrj7w3gx6bjNnZvPo6nvx7gHv+P8vuW8ndu
868u7SdP4CRf8yKfKxjP6Q0e6PAN4dw25ZrO6IwO6HVu5mP+q/we6kb66UTv6Y8O6WYO4Eb/q3tu
4/jK9FUP7EHv9W3W5XBm5x3usDzu48ye4uHd43BO6soe9aX+8nJO9Y2u5ytu45fu8qce6SIOqWff
97dCehZP506/72Xe6Vx/9W5+5nFu3Ikv9aAO8VIf9khP+Iyv9BOu6IX+9Kg+6HAf+nRPdGQf98Ge
9I6f6ZNO5KPf25Nf6pUP9nrP+sde9as/542P95hu+5b++rwP6MlRC5pB9k8W5I9+/A874H4f8ske
V0XW6nb68pu+++ZtZPCd/SXPbZv/NeXPZuw7P/h9v/PPj97Mn/oAJe6r0fD5XlM5Yvh5w/7+TlPy
P+723xvqf//GWJ9BWv9PDhAA7A0kWJCgQIMJFS5k2NDhQ4gJEUakWNHiRYwRJw7cmNEjxY4fRY4k
WRLjP5QpVa5kiTKkSY4GX0osOBOiTZsZc8oE0FPgTow4YdoDOvSgzJFFL07cObHlU6hRpU6lWtXq
1aoilXrsWHSrQ6EwvxI9OjSsybFokRolyRQsW7hx5Q7EytInx54xf8YkSzQvWYQ+u+Jl+jcw4LuE
u+ZN3Njw45+FAzuenFOy5IOQJTLW7LcyYb+ZK3/2XJOzaL59UStmvbc06Nd8Kasm/x27tODVd+vu
5t3b92+WWssilp1a72HjgI+6de1aufGNL50zL05d7/CGbq9vTx29psLpy6uL5y69+HftNK0Tp63a
PXno8J1/74407Vz8+c0OD793dPvj/JMvtPIAxAs73C5rLkDG5AMqvcju+suzCQl0L0HRGuwrQg2f
s7As5HDzMMP21hMssszUK4w/ClFcC0AM9ZNxxvwgLFE5E7HzsL8Nb0wuNBvTO28+H1NkKEjwiOTJ
wPDoO2ww7g4EscARi+TxRwsrXPHA9Uyjz8r3aBRzTHt+Q5JFMJO78jkBqbSPxTOfHDAk5F7McUD1
4NSzxxzpdNJNPwu888IvCZ0Twf8v+yQIOEYbdfRR36IzLFESJa1wwwkbS1E7EWEjUMTOQoSN0wh1
rE+2zmyLDbLJRh1yUlRVFZVCU2m1NcZRUw3QU1B15RJEx8qEdFhii4WUzP2QVXZZo+5jNi5jo5V2
2qye1elSa7PV9iFntzWJWnDDtcpbcss191x001V3XXbbdfddeOOVd6HfdNIPW7i6nRddfdd9SVyA
Ax72vm69MhCk7GgS8yxKkw3zyLj6tUjIuf4V+GKMebMXP33HkjioieUiOOIZP15KoYxTVnkqDk/V
lFQ6NUzwZZlDnU28z0LEt8TEXnvZ50l7bS7TnVflzL/Tcq2tZ6Uv4wmz25ZLWmj/TP/z9Daob/1r
Za67TmlNHgclVNEu0YPPyPkWTFhQSmF9U9EowTvbujoBfdhsN99EdDs52fZ7rbp3bM9rwhkVjtMe
+a5aS7hxPJvWsnk28kOFBbe0w8stl1pCy2beU2fMPd8M84Mh39LHvjUXNFDQ++t0X9gXalJtNhOX
vU3Nu2wcTSAvnGl3KJlUvUopK/eS7r+l8y75hrO8MnWwmVwe+iJjR9dM4euzEUvcw577UDvxnj58
3fG8sfHxm1ed+u3jY573scljH3xDhwTTrcLzv7hJ3+u09GlUkW52rILR8hDjv57FjHRAqxsBB1g1
Xo2OV21qnZRuZpoFvs50S5NQ/3USODT/yepVBHyN/kyIlX2ZrGLxUqH1CuVCGMKlXmRimrlaWLIY
OsxbJ+ThtHL4QyAGsYdDNGEQjXhE2BFRicMSDhJL8rEbvud3XqIcspS0JCdmkV1RXBi3pqiRttxt
Y7VyHJaa+JY8QcxbXNTiFmH3oC/eJIwtDF74zPiRgolRj1Zs47zMpCnoJI2BWaMa1nJzQYVhpoMB
jA8Hw+arm9GthhjiHGnSJshIBg2CZewfmzSDrUU6DoSsKc0STbkysc3KfMwT1e7kZrvszS2EBuze
K7WHs71xMkhQChz/XDSYWvJnludxH3vctqZTJhNjiONlAAcowBg9CVdX/FP9YP+Wtgy56HyTy6X3
ihnMFoVpVtOcZmv4ZEfUFTNN4VyPMt05LGpEhZmAYyX97Bc8aiqmQ8IrH/e8yU1abvObglNTIt+3
pzISqX1qM+A68amadyozEeFq35SGFz3kXbR+jWzemmKZO+MFlDpCGinvlNRK82G0dLFkaKEG1biI
xnQqWmEa65xZQBICEnQu66WTHkNKXHXSaDVTFQMrRcqjktRtFrVaqIDVIIodTKdqciCCjlm8Pmb1
hfnSale54lWwuouNVwtrWddmVrSmVa1rZWtb3fpWuMZVrlk1WFLOWLGxVqRzZNSh7OZq1gfxNYxg
bMocQQLIFSIMLBrklho5+cT/lZ7qr3HN6xjPisc9tq1GegXjyfy6VbWYMaqTZZcLbqdJoE2wVJb8
4GJSd8BP/Wyo3nHk+Xz1OaJBbZKbjKRQaxjIvk2ScQJqGVC1NJ5KutZWRXXrNZzrXLFKzWXVQ9/D
mAPM8Vwnemj7nnYFK1ApWpOKL6VcRSWrTfjpSaUG1WU3V/nX58b3GnLBnt0OuM/qgvJxtQPpiaSa
zSzhEqujkyZltOlfYYbSv4Fa6ZmQql/v9slPxP3oLnUj05Q9l1hn9GXcRJrSD+ttfgp172bAO2Ad
kbg71KRYiysXVQe3+MPb/RCFO2zSzJKWXyn92/1yWT3F9XeVFf2nRVO8ToKe/5efLzZVjJusWRqH
N7v/veUddWxDxK5Ktb/y2eYkKM7EFXeUSPVtboem5Rc6slRk/Z9vk0RW4AI3a7d85pob1ioZ4/TK
7/pKZSG759j5GdDW24qgBztoeP0W0YtmdKMd/WhIR1rSk95WHulq6Hth+rCUNkq9GMvZ0doVwGjM
l6I5e9nGwpDBmO0saG1JEQwT7q6iJtl3X9Sscml6s2wptPFQ/awKZLW+GERNSVe7ZWIv93UPxVpu
H4xI634yZzuN2iAB2GXlAvC6v8SkJmVcG9iSENtG1VqbW0vuUcbaa0m5qkjnF7c0JlnZsHRxdZ8c
5JZik34BPY5jxYtSWBrTvf8TnrLruAdk64q33znmNKiDml/RPS3K5hko5Oa0bCYDXE5E23dHo824
z+HbnI+LXL47flR4Z47fO9I1oFVc5eFREeb8S/hA8/tZzZ5T587TKI4ZHLN08tejLz9pmH2s5JIj
dMkybzhm+6lRkuZc3gT/d8ddnPPgRom2SHZwev2W9ZiDOeVGt/fRPb7yok/6j85uWgF5C0oFk3nB
T8VpneFc7nsi16ldVmeWSbQai+u8gnXMTRoLrNvxxr3GGGStq2CzElSoG2NNZziio9hyypNkhm41
daQvn0TJryzzoyd96U1/etTPaPOVt+wef4rDI42V8DhntKVhEvqUcZjUrbf/jK1/hGDFvprXt/a3
7X1Nay92PrT+Jn7qa+36Wffeyq4eGe2H7+rmtx772t+9yLq/fecXZO3KhuTePXmp2VywkiFFrXDN
7e0R8m23Q9W7mbVtM9YeOKe3dWn70b85pxm33tok2+iUxMC9jNG9glo1siGjGxuROLouJptAgQu4
XzqyBuw5deIxgNPAs5LAW7u5hTMP2rkisXG0YbsmsZs5eQs82ng4nNOdD6JA7/kPC4O6sgswlGMn
D4q703EsGTwuViqnSlGQKsqRU/IEBPwHJ2PAQ4k6+/qxs0svIfSxWjIvlXo3ceqwq3stICuapaMy
qEOnkoo2qROIJUymJgyp/yccOJ+jPoSCsSlEE/LCm/XxQA4MuTGkJxqsMKvjMcWBQhZMw1PqnZsq
r1SJJvejuXM7wmTLHDZ7xI4KpeViJMczxMVJtth6vaniLWBBsxBcKg0iwkKSlJGDLRGyREI0pfBT
FswDtFUEmFYUKzCcxaZbPVvMRReKRVnURV+0Hl4UF197RRohxkyTGz9LCxXaGWMUPpEIxqvoq3xS
n1T7MzmaPpCxPuRzxv1iPlJTRm78vqvjo4bDRSm7Rs/qImxMx+ObtXaEN2sEx3f8tVAjx5KAxnGh
qabKRKPKv2zbLUuSn/IrLvorqvVDN2k7JPx7RP8bp/v6O9AwQLhbSIPUlf/kssRnc8gC9MSCJLeG
a8B6Ozkl4y62Wbkw1LeNIkE9XK+a26aMusISmzoMhJ+kozNbeh54bLfSQclmRCKQfCqWRLtEARU+
MUKfizjg08FTnLui9EFuQjohg8mKuy9+I6ea2i8kgTCqFCVH1KetNJ1R47SfrKe8IbInQ6C76bpN
yQ4uPLKdgzmsykqXbC9BjBwWDLWatJIQw6UfDMlJZL2ySsG5JEuZlCyWQpS6HLLIassq08K0g8rZ
mZJUisMz9MOxg8u9DCGXUi/FRBxhwceZ0keg4sde4UgpAjeh0h62Ox6668gJMi7HozZSSUVXWRrJ
BMolgRkCg82KDBwuw5H//8NI3ew/atsgwOtJczHHVvtFZkHOtKIWEGBFGVE+5sw056xO7MxO7cyP
E7AW0PxO8AxP8fSh7SxP8zxP9ExPZRlP9uTFSmhP+Nw8XFBP+qzPhIhP/MxP/dxP/uxP//xPbVgi
+xxQAv3M/zxQBE1QHipQBm1QB31QXVRQCZ1QCk1ACL1QDM1QDT01tqpQD/3Q/QFRER1REsUKAChR
FE1RFXWJFW1RF6XQE31RGZ1RGo21Db1R56tRHd1RHu1RH/1RYcRRIS09IC3SlUkGI1XOIV1SSUtS
J31SAWVSKZ1SKq1SK73SC0UCLN1SLjWiWOhSMA1TMR1TMiVQJS3TKV1C/wKFBEhoRTZF04R404GQ
U3t4Uzqt0za90zvFUzZt0zn10z/F04LY0z4tVEA1VIIwVEBN1EXl00b900I1CESFVEYNVEXdU0c9
1EW1001t1Ei91Ef9VEWN006FVDrV01CdVEbt01WtVEEFVVKVVFY91TwdVVmN1Ez1VFzN1VrlVFvF
1Bj6DVqtVFQNVEGVVWMt1mMFVmN11WXVVGR1VUwd1maVU1ZN1lJdCGv1U2XdVoUg1EcdVG4N12j1
VmwV11itVmjlU2nN1m9N1XM9VoYYVmqVV3ONVmc1VpYggvbcVm/t1nFN13t91mZN14J91XU11Xc1
WIRFVlwdWGYlWHmVWP9gBdeGGFhtDViLVVZ0JVZdddR4PdiO7VhOzdeFtdR13dhwtdiOVdOP8FeN
ddddJdmAddaZZViVzdebnVidrVWHvVZmjVhz5didPdiIlViHeNiP5die5VlfrVmGxdd2ZdqTbdiQ
RdmqNVpy3UXfQNiS5VV3vVWgDdujnViVnVmIJddizdmvjVpxVdqR5dm4lVuaVVWDzVmTNVufRdeS
DdqtndZx1VW7NVWYrVeUnVSWdVX+BFnGZVq/9di4LVuq7duPtde/LVW8LVq6VVe9ndu5PVqMndeE
xdq8XdulDVy1vVyBvVaRlVrS1Vq6TVx9RcCRUNq09VzOddytLdjM7VT/zcXZvYVcxnVbmw3ezs1Y
1y3X3R1ZvBVZ0/1Zhc3a5P3X0ZVepG3ez13eH6oX24Xa473bmpVd6aVW8s1WoU3Y8m1V6y3eq91c
p93d0EVe9m1fzq1fWk1d0V1d+p1e9E3Zla1cxaXd2pVZsk1dtGXdvOVf1n3edhXdm1XV+5Xfdz1g
wM1Yqn1b471YwQVXv33gXY3g9SXcXg3ep0Vg5yXgBU7VydVedWEFOH1hGI5hGZ5hGq5hG75hHM5h
Hd5hHu5hBoVV0y3cy01haL1UUhViB0ZVIu7V4jVhEb5f0KXgDkbUIDZhCEbh2xVbUeVbW8VgDv5i
TUVcFq5P3b3aivXf/yLW3izG13stX/9NYNhtXcutXwnu3HpN3wZ+XfctY8nt3/lFWtxtxc0rY0Cu
Y6+N2YeI3+R9X2ylXopYYeIV38jF3DfmYksG3vxt2j7OY+Ht5JaF0n8oCUJW5Oxt3Aw+2bKN3cqF
WT1O2rCV2zNeZN6lZE7W47ad5EyeZfe139OFXuJtUCUW41V1YkamXF6t2i7GXZZ15Ft25VJeZEnu
2VHtYuxt5idW3WEW1cHNVZNt5hIm5RztWl2uZc/tXWv+5QoG2WUO31lF3VxmZOX1ZmzW5Vuu5r3d
Yjj+XqvNX0jG3gB+ii0AZapoWnIu3V5WZzXGX6mV53jFZznWZ1im5f9A1uevNdx9vuh6nmc7Xt42
PmhPRhlQFuUCNuP/5eR2TmTvjeWQxWN2nWNDtuj5hWlc7uQ7ruQ5vmCCbmXw/WOWnuhw7o2cPmQR
TuL+HWEn7t7z/WClbtslPt8jjuKl3mRNxuIN1mLjdeqp3mai9eAUPlmBPlMffs6vBuqwhquxJuuy
diuBTmu2Dpm2fmu4juvRA2u5jjQJFYmanmRqhluD3uumhlcLpmKt9t2/NmAQjuhplujDReBfHeyZ
Vl/L7WqPFWzfzdRs/mZnxuBrPt5U7lDfyOsETtyMfmeXtuhU3uqFtulc9td85mPFvl3TXmUVNumU
PmXGrmjvpWOxDeT/UfbTHWXlyAbs1sXpcaZpws5s3VbqSybtp31o117u+N1qgH3qVh5twGXloRXu
KG7tkT7W33bn4MZk8c7a5g1m5Hbp6N3o8xbqPR5pBi7k4ubq/3VkmqXf7qVY7YbfMLbi7pbTu8br
ES5tAFblZE7tnz3gh9ZbBAfkbxZurD3nWU5sLpbiLMbYxzXm+n5WwUZobj7mAt/p4gbbBFfrrr3v
9sVp4oZoDC9oXF5neubog/7d54bc7Z5ueF5dhk7vCt5ieoXX0/bjoDbX/37ZsYVi2VVp535l3PZi
/c7woVZvDfZlGXdviXZqgPVg+XVodYXp7L5pwJZq9KboMSZxoDZx/0Jm3xQXbahd4/GGbdWW4I7W
aBvv6BevZeIG4dguZ3b2chCH89HtbbpIphcQGJJA7aAm3BBXYMMd7Tp+70M28iku6neW7j9HXSQO
8celVERP7Q0/8CLX8jNGagNncW3ZgLo+9bCia1RvtCFfdVd/dVhnl7PuT1mY9WCMddR7gtihBVzv
dV//dWAP9smydWIv9vwkAGNP9grNzlEQ9rVSdmhfolegUGev0hF4F3zkgWjf9lisdm9nCG4Pd3Ef
95aoAnIX929Pd4M4d3Zvd3d/95BWd3mfd3WHd3u/d3zP9xKl93TXd3//d4AP+Pbk929XiWkX+Ijq
AoSXNYKv9oV/+P8WbXiHh3iKD/hHeISKz3iXlfhBw0+OZ+shOAlxtogDQJYDKHl0QfmLUHm5YPkx
KXmUP/m4YHmXX4ialxeYN1ARPXmZH4ibL4ib//mV73mDEPqVJwijj4ic9/mibwiVd/mkP/qoZwih
n3qmX/qZB3qIoHmPqPqh+Pmc9/iPeHqlnwuwNwmrrwiyp4i1N/uuJ4mcT/uM4PqHkHunp/qvt3l7
sHsk+g2uj/me5/m99/nA33uZJ3rBH/yYTwjAD3zHX3yYP/ynf/zBN/zGh3qmV3zLt3zIT3ykl/zC
33ygp3zEL3yop3zOJ/zGv3rP9/yiR/24z/zV1/zUR3rV//zF13z/np98or/9xP992Jd83Ff92Xd9
nR9Pkfj7ys985r/6yod820d8xmd+rCf70M/96M9+52/+3I996qf95V9+6w9/299+7Hd+uv/+8Z/+
6if/6Vf/7m9+xcd+5d9+3bf/9i9/+cd/7Yd+/geIA/YGChxo8CDChAoXMmzo8CHEiBIdFiRoT+CB
ihUvEsyIkSNIjB4/NiyoESRKkiEtXvSY8uVJgx9nvrSocmNMjiITjiRpsmNGnQdxyoQ51OXNliWL
2ixKs2XQnERPUqXqlGlHrFBvjlyps6vVrBPHki1rduK/tGrXsm2bdqpMlUKb/pyrVWFdu2G9Jt2b
9CpNqXqHYuVK//jwT6tECxtlKVTqxsONHw8WfLUpXcyDEUZlnJNlYs6X4yJ0a/o06tSqV7Nu/e+s
47x2K/OdjJKp39F1++quyXgzZce+5S6eGzqz1tyC/wqXvLdmbuG8MT8FTni5Z9CT5TaH7f07+PBx
g9okDzUk0trnb0dOr3l9zN0ulZok/xl6VsV3O9M1P147ep21Z599uNUnoFP+ifYfe4W5B9Ri88FH
WnwSrqfUVmLNtxtQseWnoHghijgiiSWaeCKKKaq4IosLtvgijDHKOCONNdp444wW4rgjjz36+COQ
QQo5JJE4uuZWkUkquSSTTR75JJRRPklWK2RFJtGVQoK45Ja3Nf9pZZYthvklmWL61p1zZp6VZVcU
3fXQhm1GdOV9Jek4FnPejfmmdOZJeCeWnAHq4p54+afRoGXiWOdSaAJJ50SFMnSfpJL9BmeIleKJ
KU/YaaYpT5ZyaqWBlypqlpRvaScSq4npiNSfCsLKIHwbZgihoAeKeiGsPhHYZYMd5ipsh3K+2imi
vM3EX6wDJnuhsHdatt+wt1rrJa9RMfvrmNMKlCq44YKr56rDWedpsMd5qWxv2SHrYXHTYbtuqO6m
+Wm1z1WF73N4BZtmmN7i1O12+Y5WMKPxJnpqROAGBlx18SZoIYc94aofvvb6a7HE0Yk68KEHe1je
oK0S11tVsyL/ezKh87J37McP5nkdWAC3+zFj4uq8M8+nPcxcxPfOhth7CBescajt2Zzxm9PaNvLQ
G7todNFiwbtrv3wqbalyfA7d8c3dCdYz2WWLix92n6EbIb8oH331pLZ1LV29UD9tLqO02StvcXLX
zV3TcP/L90LyUv2v0N+avbjO38WXH2D7/QWzfMmyC9qrBeb6bLS+5gWy5uM5iyZ/AW5Oa5yl12c6
tLjWavC7VmdLp8yu294s5BP2mbrtDJc1ru9zBj888V8yfjzwxYu4sPLNO/889NFLPz311dOYvPXZ
az888t17//1rnRbuPKgwAlti+Y16nX7hARsPPvzx71y3qRQx/+9m3o7HKKn7qMs6ac0gIqepRY19
9LOby8RjwITIr4GteYED1XLAM6kPPAuM1P5GdZS9kUZ9mkoYAb2GwZapyTsRPCEKUVMrkFkLZkd5
ln5YxbrW2QpzrWKQsXhXrfNkTlckpFfUCIW7pX2lQLrKobo6x8I2+ZA63MJhEYk2Q5eksIpW/EfW
1ga72exLb0F8nGwodTj39U1wP0QUgOImOLC1jWWV2VoBs8OmzyFMNgBS2kauqEfslSWLnhkgzR40
xq3sZHNOq5DqYALIAIpNZMk5lsXUqEiK1ZA2hZxk6ZCGNww5h5GEE81TwHLB7ZnPkeiKGxwHOcdd
nWluXmxZGf/vRrqpFeqUOGsjhUQGqaqtTWJEnBllgDZKUkrEYabkoNTe48o8+dInvxykxnYZRGzR
sX5QYyYsI+c2Xh7TjL70IjDxQ7c9khNKjgvdBhF5OmKlbnKeIxYUbQid2t1KWjqUFTr998IfJg6e
1OxVaCrpwznaMXeP+R8OhziwM/aKmA6l3jAfyiWJUrSiYIqoRYmE0YzKiI8c/ShIY1TOkfYspCY9
KYtIqtKzFSmWOVrT+ISnqPNp8ET9A6VZaDpSAaw0fGWqlEtlxCYBCs1RCXQTUmGa1PLlb3kxxSmp
FCUAlOpPgxu1oL+sKsIJyrSCfaxpoIzq1KxCdVOnEsBUn3f/T23d7olKfGvvmCi5A8HxhsbR3Fot
t0+5eg50UJSh2pglz3om8j/uHB0SR5ZXvb5woKx7Z0KTKKS0Ko+N6iIcGZG5xvGpDWV0xKNmNxm6
b5bnmve67NvYeC4OZq1tdMMlzWYJr6uqiLLEsyy/PMnJDFkOm+U6XWddS8gAcYWepgXaaY37tciZ
zG91dSLFWJugxr7NaHRNiTRbOyTb7siY7kLtcw06s+Cu5Lnk/eQ2gTg4bbYyvXCxWXW8qd7j3HSZ
uRSuah9WtJAJrqckJdd38dtej/mWgtW1L3Ig1t6rHdK9IWxmehtp2tdCU8DnNYrhKKxdqp4FAe1z
bHkVOjHR/2nIT5TkL3DnargaMrGJi7xcXJtFnIRVU3foCZzd7DlPvcp4x85y7HU598iCcvhGtA3P
kb+0wCRztchOLmaqvtojJjNpySmiMin9q+UjPdkhW/4ymMMsZvl1uSFjPjOa0yxmBUZVRV3Ccpnj
LOezYA9wQ63lVsEqRpsqRM1+/jOg/8zKBOIZq/x0c58DrehFM/p459wWYA86Wh4qkXZN5CGLQzZQ
Ectwzp7+tHeDExvwOvjC2WXvBlVJ5EazOi0TaDWswacYb6kybH5kcHZ167GDxLrXvv71zvyCXPvu
+tbbIW2FeQ3sZTO72ajR1yYtbOtu+u1SmE3OQJyt7W2vWehP6YkVJklMn2jNlXTKQmil46mhT7O7
yx4l5jC5Le95q7TdR7U3vj1N733zu9/+/jfAAy7wL+e74AY/OMITrvCFM7zhDi/TwCMu8Yn/N0T7
eDj19IFxqlK84x4PuAmquPGRkxx6Hz85ylP+ZWyovOUufznMYy7zmdO85jb/dclzrvOd87znPU+E
z8FDgKATHTxmyLkRiq70pTM9IdpoOtSjLnV3p0YfN7861rXcjKxzfd8boPnWuy72sfc67OGaOtqh
3oy0s73tE1m72+NO0aErCu4mJDtbAIB3YBvi5Q8ZwsIBIPfBwyYgADs=
------=_NextPart_000_0009_01C709B1.BE612F50--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGMDane027944; Thu, 16 Nov 2006 15:13:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAGMDaeb027943; Thu, 16 Nov 2006 15:13:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.214]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGMDZXk027923 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 15:13:36 -0700 (MST) (envelope-from Ryan.Hurst@microsoft.com)
Received: from tk1-exhub-c104.redmond.corp.microsoft.com (157.56.116.117) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.0.685.15; Thu, 16 Nov 2006 14:13:30 -0800
Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com (157.54.69.169) by tk1-exhub-c104.redmond.corp.microsoft.com (157.56.116.117) with Microsoft SMTP Server id 8.0.685.20; Thu, 16 Nov 2006 14:13:30 -0800
Received: from WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.25]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.2786); Thu, 16 Nov 2006 14:13:30 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Thu, 16 Nov 2006 14:12:32 -0800
Message-ID: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344D7FF@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <F9F038204EE77C4AA9959A6B3C94AFE8010EF549@IMCSRV2.MITRE.ORG>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccJo+esNnxnqaD+QBmtuZUWnhUzNAAFUyHgAANjdXAAARNdYA==
References: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344D6B8@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <F9F038204EE77C4AA9959A6B3C94AFE8010EF549@IMCSRV2.MITRE.ORG>
From: Ryan Hurst <Ryan.Hurst@microsoft.com>
To: "Price, Bill" <wprice@mitre.org>, Michael Myers <mmyers@fastq.com>, Russ Housley <housley@vigilsec.com>, Stefan Santesson <stefans@microsoft.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Sam Hartman <hartmans-ietf@mit.edu>
CC: <ietf-pkix@imc.org>
X-OriginalArrivalTime: 16 Nov 2006 22:13:30.0003 (UTC) FILETIME=[725D1630:01C709CC]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAGMDaXk027933
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
In-line
-----Original Message-----
From: Price, Bill [mailto:wprice@mitre.org]
Sent: Thursday, November 16, 2006 2:01 PM
To: Ryan Hurst; Michael Myers; Russ Housley; Stefan Santesson; Paul
Hoffman; Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
I too would like to see a small modification made to the specs to
better explain the error code. However, I think the proposals are "off
the mark." The error message in both its "sound bite" title and the
proposed expanded descriptions sound like there's an error at the
responder (server). The user of a client that got such an error would
likely look for problems at the responder.
The most likely cause of the "unauthorized" error is an ill-conceived
but syntactically correct request that asks for the status either of a
certificate from a non-supported CA or of an expired or yet-to-be
issued certificate. (The case where a presigned responder didn't have a
presigned response available.) This situation may seem unlikely but it
has happened because of misconfiguration or bugs in homegrown clients.
[rmh] Bill this is just once case, what if a client includes a
unsupported extension if the responder was keyed but proxying the
request to a authoritative responder with the intent to re-sign but the
proxy server was not available, or if the client included a unsupported
identifier (byKey vs byname) there are lots of cases where a server is
not able to provide a authoritative responses.
I'd recommend some words that the error "can occur when a keyless
responder does not have a presigned response available." A few words
more could explain that a request as described above would provoke the
unauthorized response.
[rmh] It needs to be more generic than that unfortunaltey.
I recommend fixing the description to be user friendly so that people
who encounter the error know quickly why it happened and where to look
to fix it.
[rmh] This is something implementations should deal with as part of
their debugging tools, documentation and logging.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Ryan Hurst
Sent: Thursday, November 16, 2006 2:57 PM
To: Michael Myers; Russ Housley; Stefan Santesson; Paul Hoffman; Sam
Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
If that were possible this would be the text I would propose:
The response "unauthorized" is returned in cases where the client is
not
authorized to request a response or the server is not capable of
responding authoritatively.
Ryan
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Michael Myers
Sent: Thursday, November 16, 2006 6:35 AM
To: Russ Housley; Stefan Santesson; Paul Hoffman; Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Maybe what makes the most sense is to update 2560 with this definition
since
2560 is normatively referenced in other RFCs. I'm not talking BIS,
just
a
quick sentence or two.
Mike
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Wednesday, November 15, 2006 8:03 PM
To: Michael Myers; Stefan Santesson; Paul Hoffman; Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Mike:
>The LW OCSP I-D does not nor is intended to
>update, redefine, obsolete or otherwise diminish
>2560 as the base document defining OCSP.
At a minimum, it needs update RFC 2560 to explain the ways that the
"unauthorized" error code is used.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGM2Fgt025785; Thu, 16 Nov 2006 15:02:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAGM2Fb7025784; Thu, 16 Nov 2006 15:02:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-bedford.mitre.org (smtpproxy1.mitre.org [192.160.51.76]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGM2DMw025766 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 15:02:14 -0700 (MST) (envelope-from wprice@mitre.org)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.12.11.20060308/8.12.11) with SMTP id kAGM2BjZ007376 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 17:02:11 -0500
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (Postfix) with ESMTP id B88FABF00 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 17:02:10 -0500 (EST)
Received: from IMCFE1.MITRE.ORG (imcfe1.mitre.org [129.83.29.3]) by smtp-bedford.mitre.org (8.12.11.20060308/8.12.11) with ESMTP id kAGM296L007318; Thu, 16 Nov 2006 17:02:10 -0500
Received: from IMCSRV2.MITRE.ORG ([129.83.20.164]) by IMCFE1.MITRE.ORG with Microsoft SMTPSVC(6.0.3790.1830); Thu, 16 Nov 2006 17:01:23 -0500
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Thu, 16 Nov 2006 17:01:23 -0500
Message-ID: <F9F038204EE77C4AA9959A6B3C94AFE8010EF549@IMCSRV2.MITRE.ORG>
In-Reply-To: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344D6B8@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-index: AccJo+esNnxnqaD+QBmtuZUWnhUzNAAFUyHgAANjdXA=
From: "Price, Bill" <wprice@mitre.org>
To: "Ryan Hurst" <Ryan.Hurst@microsoft.com>, "Michael Myers" <mmyers@fastq.com>, "Russ Housley" <housley@vigilsec.com>, "Stefan Santesson" <stefans@microsoft.com>, "Paul Hoffman" <paul.hoffman@vpnc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Cc: <ietf-pkix@imc.org>
X-OriginalArrivalTime: 16 Nov 2006 22:01:23.0338 (UTC) FILETIME=[C13CCEA0:01C709CA]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAGM2EMw025769
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I too would like to see a small modification made to the specs to
better explain the error code. However, I think the proposals are "off
the mark." The error message in both its "sound bite" title and the
proposed expanded descriptions sound like there's an error at the
responder (server). The user of a client that got such an error would
likely look for problems at the responder.
The most likely cause of the "unauthorized" error is an ill-conceived
but syntactically correct request that asks for the status either of a
certificate from a non-supported CA or of an expired or yet-to-be
issued certificate. (The case where a presigned responder didn't have a
presigned response available.) This situation may seem unlikely but it
has happened because of misconfiguration or bugs in homegrown clients.
I'd recommend some words that the error "can occur when a keyless
responder does not have a presigned response available." A few words
more could explain that a request as described above would provoke the
unauthorized response.
I recommend fixing the description to be user friendly so that people
who encounter the error know quickly why it happened and where to look
to fix it.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Ryan Hurst
Sent: Thursday, November 16, 2006 2:57 PM
To: Michael Myers; Russ Housley; Stefan Santesson; Paul Hoffman; Sam
Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
If that were possible this would be the text I would propose:
The response "unauthorized" is returned in cases where the client is
not
authorized to request a response or the server is not capable of
responding authoritatively.
Ryan
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Michael Myers
Sent: Thursday, November 16, 2006 6:35 AM
To: Russ Housley; Stefan Santesson; Paul Hoffman; Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Maybe what makes the most sense is to update 2560 with this definition
since
2560 is normatively referenced in other RFCs. I'm not talking BIS,
just
a
quick sentence or two.
Mike
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Wednesday, November 15, 2006 8:03 PM
To: Michael Myers; Stefan Santesson; Paul Hoffman; Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Mike:
>The LW OCSP I-D does not nor is intended to
>update, redefine, obsolete or otherwise diminish
>2560 as the base document defining OCSP.
At a minimum, it needs update RFC 2560 to explain the ways that the
"unauthorized" error code is used.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGJvfuF008640; Thu, 16 Nov 2006 12:57:41 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAGJvfSH008639; Thu, 16 Nov 2006 12:57:41 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.215]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGJvevE008601 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 12:57:41 -0700 (MST) (envelope-from Ryan.Hurst@microsoft.com)
Received: from TK5-EXHUB-C102.redmond.corp.microsoft.com (157.54.70.72) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.0.685.15; Thu, 16 Nov 2006 11:57:35 -0800
Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com (157.54.0.39) by TK5-EXHUB-C102.redmond.corp.microsoft.com (157.54.70.72) with Microsoft SMTP Server id 8.0.685.20; Thu, 16 Nov 2006 11:57:30 -0800
Received: from WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.25]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.2786); Thu, 16 Nov 2006 11:57:30 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Thu, 16 Nov 2006 11:57:09 -0800
Message-ID: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344D6B8@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <CCEJKFKLBCNMONJMIEAMIEFJCEAA.mmyers@fastq.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccJo+esNnxnqaD+QBmtuZUWnhUzNAAFUyHg
References: <7.0.0.16.2.20061115230059.0759c808@vigilsec.com> <CCEJKFKLBCNMONJMIEAMIEFJCEAA.mmyers@fastq.com>
From: Ryan Hurst <Ryan.Hurst@microsoft.com>
To: Michael Myers <mmyers@fastq.com>, Russ Housley <housley@vigilsec.com>, Stefan Santesson <stefans@microsoft.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Sam Hartman <hartmans-ietf@mit.edu>
CC: <ietf-pkix@imc.org>
X-OriginalArrivalTime: 16 Nov 2006 19:57:30.0047 (UTC) FILETIME=[72A69CF0:01C709B9]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAGJvfvE008630
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
If that were possible this would be the text I would propose:
The response "unauthorized" is returned in cases where the client is not
authorized to request a response or the server is not capable of
responding authoritatively.
Ryan
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Michael Myers
Sent: Thursday, November 16, 2006 6:35 AM
To: Russ Housley; Stefan Santesson; Paul Hoffman; Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Maybe what makes the most sense is to update 2560 with this definition
since
2560 is normatively referenced in other RFCs. I'm not talking BIS, just
a
quick sentence or two.
Mike
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Wednesday, November 15, 2006 8:03 PM
To: Michael Myers; Stefan Santesson; Paul Hoffman; Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Mike:
>The LW OCSP I-D does not nor is intended to
>update, redefine, obsolete or otherwise diminish
>2560 as the base document defining OCSP.
At a minimum, it needs update RFC 2560 to explain the ways that the
"unauthorized" error code is used.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGJEGDJ002281; Thu, 16 Nov 2006 12:14:16 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAGJEGK1002280; Thu, 16 Nov 2006 12:14:16 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGJEEU7002259 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 12:14:15 -0700 (MST) (envelope-from DPKemp@missi.ncsc.mil)
Received: from Cerberus.missi.ncsc.mil (cerberus.missi.ncsc.mil [144.51.51.8]) by stingray.missi.ncsc.mil with SMTP id kAGJBx5V013529; Thu, 16 Nov 2006 14:12:00 -0500 (EST)
Received: from 144.51.60.34 by Cerberus.missi.ncsc.mil (InterScan VirusWall 6); Thu, 16 Nov 2006 14:11:59 -0500
Received: from EXCH.missi.ncsc.mil ([144.51.60.21]) by gto.missi.ncsc.mil with Microsoft SMTPSVC(5.0.2195.6713); Thu, 16 Nov 2006 14:11:59 -0500
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Thu, 16 Nov 2006 14:11:58 -0500
Message-ID: <FA998122A677CF4390C1E291BFCF598905F41A44@EXCH.missi.ncsc.mil>
In-Reply-To: <CCEJKFKLBCNMONJMIEAMIEFJCEAA.mmyers@fastq.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccJnDW7GAZtmJJCSlO4oGwvofbPRAAFSQjg
From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: "Michael Myers" <mmyers@fastq.com>, "Russ Housley" <housley@vigilsec.com>, "Stefan Santesson" <stefans@microsoft.com>, "Paul Hoffman" <paul.hoffman@vpnc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Cc: <ietf-pkix@imc.org>
X-OriginalArrivalTime: 16 Nov 2006 19:11:59.0661 (UTC) FILETIME=[1736C5D0:01C709B3]
X-TM-AS-Product-Ver: : ISVW-6.0.0.1396-3.6.0.1039-14816003
X-TM-AS-Result: : Yes--3.025800-0-31-1
X-TM-AS-Category-Info: : 31:0.000000
X-TM-AS-MatchedID: : =?us-ascii?B?MTUwNTY3LTcwMTY1MS03MDA2?= =?us-ascii?B?MjYtNzAwNDYyLTcwMTg3MS03MDA1OTktNzAwNDQ3LTcwMDg3Ny03?= =?us-ascii?B?MDI4NTgtNzA2MTAxLTcwMDI5Ni03MDI5NTUtMTM5MDA2LTcwMDUz?= =?us-ascii?B?Ni03MDMyMTAtNzAzMDk3LTcwMDE1MS03MTAwMjgtNzAwMDkzLTcw?= =?us-ascii?B?NTMxMy03MDUzMjAtMTQ4MDUw?=
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAGJEGU7002275
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
And change the word "unauthorized" to something else, like
"unauthorized/unsupported".
It is incorrect to say that a responder that wasn't designed to
properly handle multiple cert requests is "unauthorized" to
respond to them.
The fact that my 1971 Chevy Vega couldn't do 100 MPH downhill
in a tailwind doesn't mean that it wasn't authorized to go
that fast -- it was simply incapable of doing so.
-----Original Message-----
From: Michael Myers
How about we expand the meaning of "unauthorized" to mean EITHER the
requestor is not authorized to ask the responder OR the responder is not
authorized to fulfill the request. That's not *too* ugly, is it?
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
At a minimum, it needs update RFC 2560 to explain the ways that the
"unauthorized" error code is used.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGIKnAE094702; Thu, 16 Nov 2006 11:20:49 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAGIKmct094701; Thu, 16 Nov 2006 11:20:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from pne-smtpout2-sn1.fre.skanova.net (pne-smtpout2-sn1.fre.skanova.net [81.228.11.159]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGIKlYF094684 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 11:20:48 -0700 (MST) (envelope-from anders.rundgren@telia.com)
Received: from arport2v (81.232.45.80) by pne-smtpout2-sn1.fre.skanova.net (7.2.075) (authenticated as u18116613) id 452BAC860077429B; Thu, 16 Nov 2006 19:19:16 +0100
Message-ID: <011901c709ab$b907eb30$82c5a8c0@arport2v>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "Wen-Cheng Wang" <wcwang@cht.com.tw>, <ietf-pkix@imc.org>
References: <005f01c7095c$b821c2d0$82c5a8c0@arport2v> <010801c7096a$8ef012f0$5d85900a@wcwang>
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
Date: Thu, 16 Nov 2006 19:19:14 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0114_01C709B4.1A20A9E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_0114_01C709B4.1A20A9E0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Wen-Cheng Wang wrote:
>I oppose this change of AIA extension. There already exists some
>CAs that issued certificates with AIA extensions containing only
>one id-ad-caIssuers accessLocation (either HTTP or LDAP).=20
Sure. Since RFC 3280 says nothing about this we can expect some =
variations out there.
>This change will immediately make these CAs becoming non-compliant
>to RFC3280bis.
Does it? I thought SHOULD is a recommendation.
>For a CA to guide its relying parties (client applications)
>where to find the CA certificates, one id-ad-caIssuers accessLocation
>is sufficient.
You misunderstood my point. Certificate path building on the relying =
parties' end is (with S/MIME as the only major exception), done by =
servers. For servers there is no problem to fix. I'm rather talking =
about client software that is not relying party software, but rather =
subscriber software. Although some CAs indeed not only specify and =
distribute such software, it is not these guys who have a problem, it is =
rather the other 99% who can't afford writing their own subscriber =
software.
>Even though the leading CA packages one the market
>support both HTTP and LDAP, certification service providers might
>still choose not to deploy both kinds of repositories at the same time =
because
>of concerning the operating cost. There is no enough reason to require =
all
>compliant CAs to both kinds of repositories at the same time. I prefer =
to
>leave the current text as it is. With current text, certification =
service
>providers are free to choose HTTP or LDAP or both.
Yes, but makers of client software MUST (otherwise they cannot create a =
proper cert-path), support both in order to work with compliant CAs.
It is really the concern of CAs or of a gazillion clients that is the =
core issue.
It is interesting to note that NIST came to a different conclusion =
regarding PIV than for 3280bis, in spite of having pretty much the same =
people behind both efforts.
Anders
----- Original Message -----=20
From: Anders Rundgren=20
To: ietf-pkix@imc.org=20
Sent: Thursday, November 16, 2006 4:53 PM
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt=20
May I repeat my request for further improving the interoperability in =
this area?
Anyway, here it is:
4.2.2.1 Authority Information Access
When the id-ad-caIssuers accessMethod is used, at least one instance =
SHOULD specify an
accessLocation that is an HTTP [RFC 1738] or LDAP [RFC 4516] URI. =
there SHOULD be at least one HTTP [RFC 1738] and one LDAP [RFC 4516] =
accessLocation URI specified.
Rationale:
Since LDAP has rather limited applicability on public networks, I =
believe that [indirectly] requiring mandatory LDAP support on COTS =
clients may prove to be hard to motivate for AIA access. One may argue =
that reading AIA extensions is just an option but that is not really the =
case; schemes like PIV require that you interpret AIA in order to create =
valid certification paths, unless you force clients to store additional =
CA certificates locally which is a less optimal solution. The cost for =
a CA to support HTTP and LDAP AIAs is close to zero since this is =
built-in in the leading CA packages on the market. That the PIV =
certificate requirements also specify both URI types for AIA probably =
was probably not accidental.
Sincerely
Anders Rundgren
------=_NextPart_000_0114_01C709B4.1A20A9E0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3D"Times New Roman">Wen-Cheng Wang wrote:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3D"Times New Roman">>I oppose this change of AIA =
extension. There already exists some</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>CAs that issued certificates =
with AIA=20
extensions containing only</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>one id-ad-caIssuers =
accessLocation (either=20
HTTP or LDAP). </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Sure. Since RFC 3280 says nothing =
about this=20
we can expect some variations out there.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3D"Times New Roman">>This </FONT><FONT=20
face=3D"Times New Roman">change will immediately make these CAs becoming =
non-compliant</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>to RFC3280bis.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Does it? I thought SHOULD is =
a=20
recommendation.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3D"Times New Roman">>For a CA to guide its relying =
parties=20
(client applications)</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>where to find the CA =
certificates,=20
one id-ad-caIssuers accessLocation</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>is sufficient.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>You misunderstood my point. =
Certificate path=20
building on the relying </FONT><FONT face=3DArial size=3D2>parties' end =
is (with=20
S/MIME as the only major exception), done by </FONT><FONT face=3DArial=20
size=3D2>servers. For servers there is no problem to fix. =
I'm rather=20
talking about client </FONT><FONT face=3DArial size=3D2>software that is =
not relying=20
party software, but rather <STRONG>subscriber </STRONG></FONT><FONT =
face=3DArial=20
size=3D2><STRONG>software</STRONG>. Although some CAs indeed not =
only=20
specify and </FONT><FONT face=3DArial size=3D2>distribute such software, =
it is not=20
these guys who have a </FONT><FONT face=3DArial size=3D2>problem, it is =
rather the=20
other 99% who can't afford writing their </FONT><FONT face=3DArial =
size=3D2>own=20
subscriber software.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3D"Times New Roman">>Even though the leading CA =
packages=20
one the market</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>support both HTTP and LDAP, =
certification=20
service providers might</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>still choose not =
to deploy both=20
kinds of repositories at the same time because</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>of concerning </FONT><FONT=20
face=3D"Times New Roman">the operating cost. </FONT><FONT=20
face=3D"Times New Roman">There is no enough reason to require =
</FONT><FONT=20
face=3D"Times New Roman">all</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>compliant CAs </FONT><FONT=20
face=3D"Times New Roman">to both kinds of repositories at the same time. =
I prefer=20
to</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>leave the current text as it is. =
With=20
current text, certification service</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">>providers </FONT><FONT=20
face=3D"Times New Roman">are free to choose HTTP or LDAP or =
both.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Yes, but makers of client software MUST =
(otherwise=20
they cannot create a proper cert-path), support both in order =
to work=20
with compliant CAs.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2><STRONG>It is really the concern of CAs =
or of a=20
gazillion clients that is the core issue.</STRONG></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>It is interesting to note that =
NIST came to a=20
different conclusion regarding PIV than for 3280bis, in spite of=20
having pretty much the same people behind both =
efforts.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Anders</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt 新細明體">----- =
Original Message ----- </DIV>
<DIV=20
style=3D"BACKGROUND: #e4e4e4; FONT: 10pt =
新細明體; font-color: black"><B>From:</B>=20
<A title=3Danders.rundgren@telia.com=20
href=3D"mailto:anders.rundgren@telia.com">Anders Rundgren</A> </DIV>
<DIV style=3D"FONT: 10pt 新細明體"><B>To:</B> =
<A title=3Dietf-pkix@imc.org=20
href=3D"mailto:ietf-pkix@imc.org">ietf-pkix@imc.org</A> </DIV>
<DIV style=3D"FONT: 10pt =
新細明體"><B>Sent:</B> Thursday, November 16, =
2006 4:53=20
PM</DIV>
<DIV style=3D"FONT: 10pt =
新細明體"><B>Subject:</B> Re: I-D=20
ACTION:draft-ietf-pkix-rfc3280bis-06.txt </DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>May I repeat my request for further =
improving the=20
interoperability in this area?</DIV>
<DIV>
<DIV>Anyway, here it is:</DIV>
<DIV> </DIV>
<DIV>4.2.2.1 Authority Information Access<BR></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>When the id-ad-caIssuers accessMethod =
is used,=20
<STRIKE><FONT color=3D#ff0000>at least one instance SHOULD specify=20
an<BR> accessLocation that is an HTTP [RFC 1738] or LDAP [RFC =
4516]=20
URI.</FONT></STRIKE> <STRONG><FONT color=3Dgreen>there SHOULD be at =
least one=20
HTTP [RFC 1738] and one LDAP [RFC 4516] accessLocation URI=20
specified.</STRONG></FONT></FONT></DIV></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Rationale:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Since LDAP has rather limited =
applicability on=20
public networks, I believe that [indirectly] requiring mandatory =
LDAP=20
support on COTS clients may prove to be hard to motivate for AIA=20
access. One may argue that reading AIA extensions is just =
an option=20
but that is not really the case; schemes like PIV require that you =
interpret=20
AIA in order to create valid certification paths, unless you force =
clients to=20
store additional CA certificates locally which is a less optimal=20
solution. The cost for a CA to support HTTP and LDAP AIAs is =
close to=20
zero since this is built-in in the leading CA packages on the=20
market. That the PIV certificate requirements also specify =
both=20
URI types for AIA probably was probably not accidental.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Sincerely</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Anders Rundgren</FONT></DIV>
<DIV><FONT face=3DArial =
size=3D2></FONT> </DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_0114_01C709B4.1A20A9E0--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGFCH9m067533; Thu, 16 Nov 2006 08:12:17 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAGFCGI9067531; Thu, 16 Nov 2006 08:12:16 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGFCC82067519 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 08:12:12 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kAGFC4mr020603; Thu, 16 Nov 2006 08:12:08 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Russ Housley" <housley@vigilsec.com>, "Stefan Santesson" <stefans@microsoft.com>, "Paul Hoffman" <paul.hoffman@vpnc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Cc: <ietf-pkix@imc.org>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Thu, 16 Nov 2006 06:35:21 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMIEFJCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <7.0.0.16.2.20061115230059.0759c808@vigilsec.com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Maybe what makes the most sense is to update 2560 with this definition since
2560 is normatively referenced in other RFCs. I'm not talking BIS, just a
quick sentence or two.
Mike
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Wednesday, November 15, 2006 8:03 PM
To: Michael Myers; Stefan Santesson; Paul Hoffman; Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Mike:
>The LW OCSP I-D does not nor is intended to
>update, redefine, obsolete or otherwise diminish
>2560 as the base document defining OCSP.
At a minimum, it needs update RFC 2560 to explain the ways that the
"unauthorized" error code is used.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGD011c045627; Thu, 16 Nov 2006 06:00:01 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAGD016p045626; Thu, 16 Nov 2006 06:00:01 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp5.smtp.bt.com (smtp5.smtp.bt.com [217.32.164.139]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGCxwvV045572 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 05:59:59 -0700 (MST) (envelope-from wcwang@cht.com.tw)
Received: from i2kc08-ukbr.domain1.systemhost.net ([193.113.197.71]) by smtp5.smtp.bt.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 16 Nov 2006 12:59:30 +0000
Received: from mail pickup service by i2kc08-ukbr.domain1.systemhost.net with Microsoft SMTPSVC; Thu, 16 Nov 2006 12:59:17 +0000
Received: from relhubc01-ukbr.tcrelay.net ([10.216.117.35]) by i2kc08-ukbr.domain1.systemhost.net with Microsoft SMTPSVC(6.0.3790.211); Thu, 16 Nov 2006 11:53:05 +0000
Received: from balder-227.proper.com ([192.245.12.227]) by relhubc01-ukbr.tcrelay.net with Microsoft SMTPSVC(5.0.2195.6713); Thu, 16 Nov 2006 11:49:29 +0000
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGAWxoO023001; Thu, 16 Nov 2006 03:32:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAGAWw0k023000; Thu, 16 Nov 2006 03:32:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from auth1.cht.com.tw (esmtpo1.cht.com.tw [202.39.168.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGAWvsb022983 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 03:32:57 -0700 (MST) (envelope-from wcwang@cht.com.tw)
Received: from auth1.cht.com.tw (localhost.localdomain [127.0.0.1]) by localhost.cht.com.tw (Postfix) with ESMTP id DA89D2CC432 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 18:32:49 +0800 (CST)
Received: from wcwang (unknown [10.144.133.93]) by auth1.cht.com.tw (Postfix) with SMTP id 852992CC3AC for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 18:32:49 +0800 (CST)
Message-ID: <010801c7096a$8ef012f0$5d85900a@wcwang>
From: "Wen-Cheng Wang" <wcwang@cht.com.tw>
To: <ietf-pkix@imc.org>
References: <005f01c7095c$b821c2d0$82c5a8c0@arport2v>
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
Date: Thu, 16 Nov 2006 18:32:39 +0800
Organization: Chunghwa Telecom
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0105_01C709AD.988D0780"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-OriginalArrivalTime: 16 Nov 2006 11:49:30.0125 (UTC) FILETIME=[467513D0:01C70975]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_0105_01C709AD.988D0780
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I oppose this change of AIA extension. There already exists some
CAs that issued certificates with AIA extensions containing only
one id-ad-caIssuers accessLocation (either HTTP or LDAP). This
change will immediately make these CAs becoming non-compliant
to RFC3280bis. For a CA to guide its relying parties (client =
applications)
where to find the CA certificates, one id-ad-caIssuers accessLocation
is sufficient. Even though the leading CA packages one the market
support both HTTP and LDAP, certification service providers might
still choose not to deploy both kinds of repositories at the same time =
because
of concerning the operating cost. There is no enough reason to require =
all
compliant CAs to both kinds of repositories at the same time. I prefer =
to
leave the current text as it is. With current text, certification =
service
providers are free to choose HTTP or LDAP or both.
Wen-Cheng Wang
----- Original Message -----=20
From: Anders Rundgren=20
To: ietf-pkix@imc.org=20
Sent: Thursday, November 16, 2006 4:53 PM
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt=20
May I repeat my request for further improving the interoperability in =
this area?
Anyway, here it is:
4.2.2.1 Authority Information Access
When the id-ad-caIssuers accessMethod is used, at least one instance =
SHOULD specify an
accessLocation that is an HTTP [RFC 1738] or LDAP [RFC 4516] URI. =
there SHOULD be at least one HTTP [RFC 1738] and one LDAP [RFC 4516] =
accessLocation URI specified.
Rationale:
Since LDAP has rather limited applicability on public networks, I =
believe that [indirectly] requiring mandatory LDAP support on COTS =
clients may prove to be hard to motivate for AIA access. One may argue =
that reading AIA extensions is just an option but that is not really the =
case; schemes like PIV require that you interpret AIA in order to create =
valid certification paths, unless you force clients to store additional =
CA certificates locally which is a less optimal solution. The cost for =
a CA to support HTTP and LDAP AIAs is close to zero since this is =
built-in in the leading CA packages on the market. That the PIV =
certificate requirements also specify both URI types for AIA probably =
was probably not accidental.
Sincerely
Anders Rundgren
------=_NextPart_000_0105_01C709AD.988D0780
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2995" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3D"Times New Roman">I oppose this change of AIA =
extension.=20
There already exists some</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">CAs that issued certificates with =
AIA=20
extensions containing only</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">one id-ad-caIssuers accessLocation =
(either=20
HTTP or LDAP). This</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">change will immediately make these =
CAs=20
becoming non-compliant</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">to RFC3280bis. For a CA to guide its =
relying=20
parties (client applications)</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">where to find the CA certificates, =
one =20
id-ad-caIssuers accessLocation</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">is sufficient. Even =
though the=20
leading CA packages one the market</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">support both HTTP and LDAP, =
certification=20
service providers might</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">still choose not =
to deploy both=20
kinds of repositories at the same time because</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">of concerning </FONT><FONT=20
face=3D"Times New Roman">the operating cost. </FONT><FONT=20
face=3D"Times New Roman">There is no enough reason to require =
</FONT><FONT=20
face=3D"Times New Roman">all</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">compliant CAs </FONT><FONT=20
face=3D"Times New Roman">to both kinds of repositories at the same time. =
I prefer=20
to</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">leave the current text as it is. =
With current=20
text, certification service</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">providers </FONT><FONT=20
face=3D"Times New Roman">are free to choose HTTP or LDAP or =
both.</FONT></DIV>
<DIV><FONT face=3D"Times New Roman"></FONT> </DIV>
<DIV><FONT face=3D"Times New Roman">Wen-Cheng Wang</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt 新細明體">----- =
Original Message ----- </DIV>
<DIV=20
style=3D"BACKGROUND: #e4e4e4; FONT: 10pt =
新細明體; font-color: black"><B>From:</B>=20
<A title=3Danders.rundgren@telia.com=20
href=3D"mailto:anders.rundgren@telia.com">Anders Rundgren</A> </DIV>
<DIV style=3D"FONT: 10pt 新細明體"><B>To:</B> =
<A title=3Dietf-pkix@imc.org=20
href=3D"mailto:ietf-pkix@imc.org">ietf-pkix@imc.org</A> </DIV>
<DIV style=3D"FONT: 10pt =
新細明體"><B>Sent:</B> Thursday, November 16, =
2006 4:53=20
PM</DIV>
<DIV style=3D"FONT: 10pt =
新細明體"><B>Subject:</B> Re: I-D=20
ACTION:draft-ietf-pkix-rfc3280bis-06.txt </DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>May I repeat my request for further =
improving the=20
interoperability in this area?</DIV>
<DIV>
<DIV>Anyway, here it is:</DIV>
<DIV> </DIV>
<DIV>4.2.2.1 Authority Information Access<BR></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>When the id-ad-caIssuers accessMethod =
is used,=20
<STRIKE><FONT color=3D#ff0000>at least one instance SHOULD specify=20
an<BR> accessLocation that is an HTTP [RFC 1738] or LDAP [RFC =
4516]=20
URI.</FONT></STRIKE> <STRONG><FONT color=3Dgreen>there SHOULD be at =
least one=20
HTTP [RFC 1738] and one LDAP [RFC 4516] accessLocation URI=20
specified.</STRONG></FONT></FONT></DIV></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Rationale:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Since LDAP has rather limited =
applicability on=20
public networks, I believe that [indirectly] requiring mandatory =
LDAP=20
support on COTS clients may prove to be hard to motivate for AIA=20
access. One may argue that reading AIA extensions is just =
an option=20
but that is not really the case; schemes like PIV require that you =
interpret=20
AIA in order to create valid certification paths, unless you force =
clients to=20
store additional CA certificates locally which is a less optimal=20
solution. The cost for a CA to support HTTP and LDAP AIAs is =
close to=20
zero since this is built-in in the leading CA packages on the=20
market. That the PIV certificate requirements also specify =
both=20
URI types for AIA probably was probably not accidental.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Sincerely</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Anders Rundgren</FONT></DIV>
<DIV><FONT face=3DArial =
size=3D2></FONT> </DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_0105_01C709AD.988D0780--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGAWxoO023001; Thu, 16 Nov 2006 03:32:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAGAWw0k023000; Thu, 16 Nov 2006 03:32:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from auth1.cht.com.tw (esmtpo1.cht.com.tw [202.39.168.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAGAWvsb022983 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 03:32:57 -0700 (MST) (envelope-from wcwang@cht.com.tw)
Received: from auth1.cht.com.tw (localhost.localdomain [127.0.0.1]) by localhost.cht.com.tw (Postfix) with ESMTP id DA89D2CC432 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 18:32:49 +0800 (CST)
Received: from wcwang (unknown [10.144.133.93]) by auth1.cht.com.tw (Postfix) with SMTP id 852992CC3AC for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 18:32:49 +0800 (CST)
Message-ID: <010801c7096a$8ef012f0$5d85900a@wcwang>
From: "Wen-Cheng Wang" <wcwang@cht.com.tw>
To: <ietf-pkix@imc.org>
References: <005f01c7095c$b821c2d0$82c5a8c0@arport2v>
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
Date: Thu, 16 Nov 2006 18:32:39 +0800
Organization: Chunghwa Telecom
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0105_01C709AD.988D0780"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_0105_01C709AD.988D0780
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I oppose this change of AIA extension. There already exists some
CAs that issued certificates with AIA extensions containing only
one id-ad-caIssuers accessLocation (either HTTP or LDAP). This
change will immediately make these CAs becoming non-compliant
to RFC3280bis. For a CA to guide its relying parties (client =
applications)
where to find the CA certificates, one id-ad-caIssuers accessLocation
is sufficient. Even though the leading CA packages one the market
support both HTTP and LDAP, certification service providers might
still choose not to deploy both kinds of repositories at the same time =
because
of concerning the operating cost. There is no enough reason to require =
all
compliant CAs to both kinds of repositories at the same time. I prefer =
to
leave the current text as it is. With current text, certification =
service
providers are free to choose HTTP or LDAP or both.
Wen-Cheng Wang
----- Original Message -----=20
From: Anders Rundgren=20
To: ietf-pkix@imc.org=20
Sent: Thursday, November 16, 2006 4:53 PM
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt=20
May I repeat my request for further improving the interoperability in =
this area?
Anyway, here it is:
4.2.2.1 Authority Information Access
When the id-ad-caIssuers accessMethod is used, at least one instance =
SHOULD specify an
accessLocation that is an HTTP [RFC 1738] or LDAP [RFC 4516] URI. =
there SHOULD be at least one HTTP [RFC 1738] and one LDAP [RFC 4516] =
accessLocation URI specified.
Rationale:
Since LDAP has rather limited applicability on public networks, I =
believe that [indirectly] requiring mandatory LDAP support on COTS =
clients may prove to be hard to motivate for AIA access. One may argue =
that reading AIA extensions is just an option but that is not really the =
case; schemes like PIV require that you interpret AIA in order to create =
valid certification paths, unless you force clients to store additional =
CA certificates locally which is a less optimal solution. The cost for =
a CA to support HTTP and LDAP AIAs is close to zero since this is =
built-in in the leading CA packages on the market. That the PIV =
certificate requirements also specify both URI types for AIA probably =
was probably not accidental.
Sincerely
Anders Rundgren
------=_NextPart_000_0105_01C709AD.988D0780
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2995" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3D"Times New Roman">I oppose this change of AIA =
extension.=20
There already exists some</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">CAs that issued certificates with =
AIA=20
extensions containing only</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">one id-ad-caIssuers accessLocation =
(either=20
HTTP or LDAP). This</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">change will immediately make these =
CAs=20
becoming non-compliant</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">to RFC3280bis. For a CA to guide its =
relying=20
parties (client applications)</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">where to find the CA certificates, =
one =20
id-ad-caIssuers accessLocation</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">is sufficient. Even =
though the=20
leading CA packages one the market</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">support both HTTP and LDAP, =
certification=20
service providers might</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">still choose not =
to deploy both=20
kinds of repositories at the same time because</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">of concerning </FONT><FONT=20
face=3D"Times New Roman">the operating cost. </FONT><FONT=20
face=3D"Times New Roman">There is no enough reason to require =
</FONT><FONT=20
face=3D"Times New Roman">all</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">compliant CAs </FONT><FONT=20
face=3D"Times New Roman">to both kinds of repositories at the same time. =
I prefer=20
to</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">leave the current text as it is. =
With current=20
text, certification service</FONT></DIV>
<DIV><FONT face=3D"Times New Roman">providers </FONT><FONT=20
face=3D"Times New Roman">are free to choose HTTP or LDAP or =
both.</FONT></DIV>
<DIV><FONT face=3D"Times New Roman"></FONT> </DIV>
<DIV><FONT face=3D"Times New Roman">Wen-Cheng Wang</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt 新細明體">----- =
Original Message ----- </DIV>
<DIV=20
style=3D"BACKGROUND: #e4e4e4; FONT: 10pt =
新細明體; font-color: black"><B>From:</B>=20
<A title=3Danders.rundgren@telia.com=20
href=3D"mailto:anders.rundgren@telia.com">Anders Rundgren</A> </DIV>
<DIV style=3D"FONT: 10pt 新細明體"><B>To:</B> =
<A title=3Dietf-pkix@imc.org=20
href=3D"mailto:ietf-pkix@imc.org">ietf-pkix@imc.org</A> </DIV>
<DIV style=3D"FONT: 10pt =
新細明體"><B>Sent:</B> Thursday, November 16, =
2006 4:53=20
PM</DIV>
<DIV style=3D"FONT: 10pt =
新細明體"><B>Subject:</B> Re: I-D=20
ACTION:draft-ietf-pkix-rfc3280bis-06.txt </DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>May I repeat my request for further =
improving the=20
interoperability in this area?</DIV>
<DIV>
<DIV>Anyway, here it is:</DIV>
<DIV> </DIV>
<DIV>4.2.2.1 Authority Information Access<BR></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>When the id-ad-caIssuers accessMethod =
is used,=20
<STRIKE><FONT color=3D#ff0000>at least one instance SHOULD specify=20
an<BR> accessLocation that is an HTTP [RFC 1738] or LDAP [RFC =
4516]=20
URI.</FONT></STRIKE> <STRONG><FONT color=3Dgreen>there SHOULD be at =
least one=20
HTTP [RFC 1738] and one LDAP [RFC 4516] accessLocation URI=20
specified.</STRONG></FONT></FONT></DIV></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Rationale:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Since LDAP has rather limited =
applicability on=20
public networks, I believe that [indirectly] requiring mandatory =
LDAP=20
support on COTS clients may prove to be hard to motivate for AIA=20
access. One may argue that reading AIA extensions is just =
an option=20
but that is not really the case; schemes like PIV require that you =
interpret=20
AIA in order to create valid certification paths, unless you force =
clients to=20
store additional CA certificates locally which is a less optimal=20
solution. The cost for a CA to support HTTP and LDAP AIAs is =
close to=20
zero since this is built-in in the leading CA packages on the=20
market. That the PIV certificate requirements also specify =
both=20
URI types for AIA probably was probably not accidental.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Sincerely</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Anders Rundgren</FONT></DIV>
<DIV><FONT face=3DArial =
size=3D2></FONT> </DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_0105_01C709AD.988D0780--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG8tDmH009488; Thu, 16 Nov 2006 01:55:13 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAG8tDvF009487; Thu, 16 Nov 2006 01:55:13 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from pne-smtpout1-sn1.fre.skanova.net (pne-smtpout1-sn1.fre.skanova.net [81.228.11.98]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG8tCWo009470 for <ietf-pkix@imc.org>; Thu, 16 Nov 2006 01:55:13 -0700 (MST) (envelope-from anders.rundgren@telia.com)
Received: from arport2v (81.232.45.80) by pne-smtpout1-sn1.fre.skanova.net (7.2.076.2) (authenticated as u18116613) id 453F8C600043C475 for ietf-pkix@imc.org; Thu, 16 Nov 2006 09:55:06 +0100
Message-ID: <005f01c7095c$b821c2d0$82c5a8c0@arport2v>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: <ietf-pkix@imc.org>
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
Date: Thu, 16 Nov 2006 09:53:43 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_005C_01C70965.19CE5D10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_005C_01C70965.19CE5D10
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
May I repeat my request for further improving the interoperability in =
this area?
Anyway, here it is:
4.2.2.1 Authority Information Access
When the id-ad-caIssuers accessMethod is used, at least one instance =
SHOULD specify an
accessLocation that is an HTTP [RFC 1738] or LDAP [RFC 4516] URI. there =
SHOULD be at least one HTTP [RFC 1738] and one LDAP [RFC 4516] =
accessLocation URI specified.
Rationale:
Since LDAP has rather limited applicability on public networks, I =
believe that [indirectly] requiring mandatory LDAP support on COTS =
clients may prove to be hard to motivate for AIA access. One may argue =
that reading AIA extensions is just an option but that is not really the =
case; schemes like PIV require that you interpret AIA in order to create =
valid certification paths, unless you force clients to store additional =
CA certificates locally which is a less optimal solution. The cost for =
a CA to support HTTP and LDAP AIAs is close to zero since this is =
built-in in the leading CA packages on the market. That the PIV =
certificate requirements also specify both URI types for AIA probably =
was probably not accidental.
Sincerely
Anders Rundgren
------=_NextPart_000_005C_01C70965.19CE5D10
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>May I repeat my request for further =
improving the=20
interoperability in this area?</DIV>
<DIV>
<DIV>Anyway, here it is:</DIV>
<DIV> </DIV>
<DIV>4.2.2.1 Authority Information Access<BR></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>When the id-ad-caIssuers accessMethod =
is used,=20
<STRIKE><FONT color=3D#ff0000>at least one instance SHOULD specify=20
an<BR> accessLocation that is an HTTP [RFC 1738] or LDAP [RFC 4516] =
URI.</FONT></STRIKE> <STRONG><FONT color=3Dgreen>there SHOULD be at =
least one HTTP=20
[RFC 1738] and one LDAP [RFC 4516] accessLocation URI=20
specified.</STRONG></FONT></FONT></DIV></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Rationale:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Since LDAP has rather limited =
applicability on=20
public networks, I believe that [indirectly] requiring mandatory =
LDAP=20
support on COTS clients may prove to be hard to motivate for AIA=20
access. One may argue that reading AIA extensions is just an =
option=20
but that is not really the case; schemes like PIV require that you =
interpret AIA=20
in order to create valid certification paths, unless you force clients =
to store=20
additional CA certificates locally which is a less optimal =
solution. The=20
cost for a CA to support HTTP and LDAP AIAs is close to zero since this =
is=20
built-in in the leading CA packages on the market. That the =
PIV=20
certificate requirements also specify both URI types for AIA probably =
was=20
probably not accidental.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Sincerely</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Anders Rundgren</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV></BODY></HTML>
------=_NextPart_000_005C_01C70965.19CE5D10--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG46mtf071768; Wed, 15 Nov 2006 21:06:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAG46mnO071767; Wed, 15 Nov 2006 21:06:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAG46l29071751 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 21:06:47 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 26598 invoked by uid 0); 16 Nov 2006 04:06:36 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 16 Nov 2006 04:06:36 -0000
Message-Id: <7.0.0.16.2.20061115230059.0759c808@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 15 Nov 2006 23:02:40 -0500
To: "Michael Myers" <mmyers@fastq.com>, "Stefan Santesson" <stefans@microsoft.com>, "Paul Hoffman" <paul.hoffman@vpnc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: <ietf-pkix@imc.org>
In-Reply-To: <CCEJKFKLBCNMONJMIEAMGEFFCEAA.mmyers@fastq.com>
References: <A15AC0FBACD3464E95961F7C0BCD1FF010BCADF0@EA-EXMSG-C307.europe.corp.microsoft.com> <CCEJKFKLBCNMONJMIEAMGEFFCEAA.mmyers@fastq.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike:
>The LW OCSP I-D does not nor is intended to
>update, redefine, obsolete or otherwise diminish
>2560 as the base document defining OCSP.
At a minimum, it needs update RFC 2560 to explain the ways that the
"unauthorized" error code is used.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG46iKG071747; Wed, 15 Nov 2006 21:06:44 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAG46i4F071746; Wed, 15 Nov 2006 21:06:44 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAG46ggN071726 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 21:06:43 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 26544 invoked by uid 0); 16 Nov 2006 04:06:31 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 16 Nov 2006 04:06:31 -0000
Message-Id: <7.0.0.16.2.20061115224617.0751ac00@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 15 Nov 2006 22:47:53 -0500
To: Paul Hoffman <paul.hoffman@vpnc.org>, "Michael Myers" <mmyers@fastq.com>, "Sam Hartman" <hartmans-ietf@mit.edu>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: <ietf-pkix@imc.org>
In-Reply-To: <p06240898c18137c394fd@[10.20.30.183]>
References: <CCEJKFKLBCNMONJMIEAMGEFBCEAA.mmyers@fastq.com> <p06240898c18137c394fd@[10.20.30.183]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I think that this is the minimum change that is needed in an update
to RFC 2560.
It can appear in the LW OCSP document if the PKIX WG agrees that the
LW OCSP document is a standards-track update to RFC 2560.
Russ
At 04:32 PM 11/15/2006, Paul Hoffman wrote:
>At 10:33 AM -0800 11/15/06, Michael Myers wrote:
>>How about we expand the meaning of "unauthorized" to mean EITHER the
>>requestor is not authorized to ask the responder OR the responder is not
>>authorized to fulfill the request. That's not *too* ugly, is it?
>
>No, it isn't. That's a good idea!
>
>--Paul Hoffman, Director
>--VPN Consortium
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG1shJr055339; Wed, 15 Nov 2006 18:54:43 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAG1shDg055338; Wed, 15 Nov 2006 18:54:43 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG1seVY055308 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 18:54:43 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 3428AE0035; Wed, 15 Nov 2006 20:54:32 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: "Michael Myers" <mmyers@fastq.com>
Cc: "Stefan Santesson" <stefans@microsoft.com>, "Paul Hoffman" <paul.hoffman@vpnc.org>, <ietf-pkix@imc.org>
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
References: <CCEJKFKLBCNMONJMIEAMIEFGCEAA.mmyers@fastq.com>
Date: Wed, 15 Nov 2006 20:54:32 -0500
In-Reply-To: <CCEJKFKLBCNMONJMIEAMIEFGCEAA.mmyers@fastq.com> (Michael Myers's message of "Wed, 15 Nov 2006 17:05:57 -0800")
Message-ID: <tslslgk9mw7.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> "Michael" == Michael Myers <mmyers@fastq.com> writes:
Michael> Sam, I cannot state the point more precisely. Let's try
Michael> this: What do you think it means?
Obselete is clear. I have no idea why you would care about
diminishing a spec, or what that would mean.
As far as updating and redefining, I don't know whether you consider
the sort of text in the profile that broadens error codes to be an
update/redefinition.
What I think is true is that:
* the profile does not change the behavior of things that do not
conform to the profile.
* There exist things that do not conform to the profile that will not
interoperate with the profile.
* Clients that conform to the profile conform to 2560.
* Servers that conform to the profile will conform to 2560bis; it is
rather unclear whether they conform to 2560.
* It is possible to write a server that conforms both to the profile
and 2560, but to do so you have to give up some of the advantages of
the profile.
If those bullet points aren't enough to make you happy, what else
would you need?
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG1ggIF053951; Wed, 15 Nov 2006 18:42:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAG1ggGp053950; Wed, 15 Nov 2006 18:42:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG1gf2I053944 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 18:42:42 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kAG1ge5m096708; Wed, 15 Nov 2006 18:42:40 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Sam Hartman" <hartmans-ietf@mit.edu>
Cc: "Stefan Santesson" <stefans@microsoft.com>, "Paul Hoffman" <paul.hoffman@vpnc.org>, <ietf-pkix@imc.org>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Wed, 15 Nov 2006 17:05:57 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMIEFGCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <tslejs4b48f.fsf@cz.mit.edu>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sam,
I cannot state the point more precisely.
Let's try this: What do you think it means?
Mike
-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf@mit.edu]
Sent: Wednesday, November 15, 2006 4:55 PM
To: Michael Myers
Cc: Stefan Santesson; Paul Hoffman; ietf-pkix@imc.org
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>>>>> "Michael" == Michael Myers <mmyers@fastq.com> writes:
Michael> Stefan, Steve: Works for me IF it is understood that:
Michael> The LW OCSP I-D does not nor is intended to update,
Michael> redefine, obsolete or otherwise diminish 2560 as the base
Michael> document defining OCSP.
What does this paragraph mean?
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG0sof0046123; Wed, 15 Nov 2006 17:54:50 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAG0socQ046115; Wed, 15 Nov 2006 17:54:50 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAG0snJC046099 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 17:54:49 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 38746E0035; Wed, 15 Nov 2006 19:54:40 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: "Michael Myers" <mmyers@fastq.com>
Cc: "Stefan Santesson" <stefans@microsoft.com>, "Paul Hoffman" <paul.hoffman@vpnc.org>, <ietf-pkix@imc.org>
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
References: <CCEJKFKLBCNMONJMIEAMGEFFCEAA.mmyers@fastq.com>
Date: Wed, 15 Nov 2006 19:54:40 -0500
In-Reply-To: <CCEJKFKLBCNMONJMIEAMGEFFCEAA.mmyers@fastq.com> (Michael Myers's message of "Wed, 15 Nov 2006 15:14:15 -0800")
Message-ID: <tslejs4b48f.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> "Michael" == Michael Myers <mmyers@fastq.com> writes:
Michael> Stefan, Steve: Works for me IF it is understood that:
Michael> The LW OCSP I-D does not nor is intended to update,
Michael> redefine, obsolete or otherwise diminish 2560 as the base
Michael> document defining OCSP.
What does this paragraph mean?
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFNp6eK036091; Wed, 15 Nov 2006 16:51:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFNp6l9036090; Wed, 15 Nov 2006 16:51:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFNp5gW036084 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 16:51:05 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kAFNow1m092977; Wed, 15 Nov 2006 16:50:59 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Stefan Santesson" <stefans@microsoft.com>, "Paul Hoffman" <paul.hoffman@vpnc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Cc: <ietf-pkix@imc.org>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Wed, 15 Nov 2006 15:14:15 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMGEFFCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF010BCADF0@EA-EXMSG-C307.europe.corp.microsoft.com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Stefan, Steve:
Works for me IF it is understood that:
The LW OCSP I-D does not nor is intended to
update, redefine, obsolete or otherwise diminish
2560 as the base document defining OCSP.
Rather, it maps that protocol onto a specific
context of need. Among other of its effects it
expands without conflict against original intent
the definition of the "unauthorized" error code
as I proposed below.
Is that the deal?
Mike
-----Original Message-----
From: Stefan Santesson [mailto:stefans@microsoft.com]
Sent: Wednesday, November 15, 2006 2:58 PM
To: Paul Hoffman; Michael Myers; Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Yes it is a good idea.
I just had a conf call first with the editors, then with Russ and then with
the editors again.
This is the outcome and what I propose as the way forward. It is my
understanding that this is acceptable to both the Security AD's as well as
the editors.
Background and problem statement:
According to the current definitions in RFC 2560, especially the definitions
of error responses, there is currently no adequate response defined for some
legal requests if the responder has no signing key. In particular this is
the case when the responder is limited to just returning pre-produced
responses for a subset of all valid requests.
Proposed way forward:
In order to resolve this situation, the lightweight profile will have to
update/clarify the meaning of error codes, in particular the "unauthorized"
error response, so that it updates the definition in RFC 2560 and allows the
usage specified in the lightweight profile. To do so, the lightweight
profile must be a standards track document.
If this solution is acceptable, the lightweight profile will be returned to
the WG to make this update and to go through a new WG last call to
acknowledge that rough consensus is not broken by the update.
Is this approach acceptable to the WG?
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Paul Hoffman
> Sent: den 15 november 2006 13:32
> To: Michael Myers; Sam Hartman
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> At 10:33 AM -0800 11/15/06, Michael Myers wrote:
> >How about we expand the meaning of "unauthorized" to mean EITHER the
> >requestor is not authorized to ask the responder OR the responder is
> not
> >authorized to fulfill the request. That's not *too* ugly, is it?
>
> No, it isn't. That's a good idea!
>
> --Paul Hoffman, Director
> --VPN Consortium
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFMwjbj026620; Wed, 15 Nov 2006 15:58:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFMwjOQ026619; Wed, 15 Nov 2006 15:58:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.191]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFMwh1s026593 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 15:58:44 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from DUB-EXHUB-C303.europe.corp.microsoft.com (65.53.213.93) by DUB-EXGWY-E801.partners.extranet.microsoft.com (10.251.129.1) with Microsoft SMTP Server (TLS) id 8.0.685.0; Wed, 15 Nov 2006 22:58:38 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by DUB-EXHUB-C303.europe.corp.microsoft.com ([65.53.213.93]) with mapi; Wed, 15 Nov 2006 22:58:31 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, Michael Myers <mmyers@fastq.com>, Sam Hartman <hartmans-ietf@mit.edu>
CC: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Date: Wed, 15 Nov 2006 22:58:29 +0000
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccJBtLWOcFV0ITOTGWOok7zWGdIXgAACR6A
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF010BCADF0@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <CCEJKFKLBCNMONJMIEAMGEFBCEAA.mmyers@fastq.com> <p06240898c18137c394fd@[10.20.30.183]>
In-Reply-To: <p06240898c18137c394fd@[10.20.30.183]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAFMwi1s026608
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Yes it is a good idea.
I just had a conf call first with the editors, then with Russ and then with the editors again.
This is the outcome and what I propose as the way forward. It is my understanding that this is acceptable to both the Security AD's as well as the editors.
Background and problem statement:
According to the current definitions in RFC 2560, especially the definitions of error responses, there is currently no adequate response defined for some legal requests if the responder has no signing key. In particular this is the case when the responder is limited to just returning pre-produced responses for a subset of all valid requests.
Proposed way forward:
In order to resolve this situation, the lightweight profile will have to update/clarify the meaning of error codes, in particular the "unauthorized" error response, so that it updates the definition in RFC 2560 and allows the usage specified in the lightweight profile. To do so, the lightweight profile must be a standards track document.
If this solution is acceptable, the lightweight profile will be returned to the WG to make this update and to go through a new WG last call to acknowledge that rough consensus is not broken by the update.
Is this approach acceptable to the WG?
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Paul Hoffman
> Sent: den 15 november 2006 13:32
> To: Michael Myers; Sam Hartman
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> At 10:33 AM -0800 11/15/06, Michael Myers wrote:
> >How about we expand the meaning of "unauthorized" to mean EITHER the
> >requestor is not authorized to ask the responder OR the responder is
> not
> >authorized to fulfill the request. That's not *too* ugly, is it?
>
> No, it isn't. That's a good idea!
>
> --Paul Hoffman, Director
> --VPN Consortium
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFMskdx025817; Wed, 15 Nov 2006 15:54:46 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFMskWf025816; Wed, 15 Nov 2006 15:54:46 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFMsiwd025783 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 15:54:45 -0700 (MST) (envelope-from pritikin@cisco.com)
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-5.cisco.com with ESMTP; 15 Nov 2006 14:54:34 -0800
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id kAFMsXKl009797; Wed, 15 Nov 2006 14:54:33 -0800
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id kAFMsWin026427; Wed, 15 Nov 2006 14:54:32 -0800 (PST)
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 15 Nov 2006 14:54:32 -0800
Received: from [172.16.5.12] ([10.21.89.223]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 15 Nov 2006 14:54:31 -0800
In-Reply-To: <7.0.0.16.2.20061115150053.07507758@vigilsec.com>
References: <7.0.0.16.2.20061115095452.040eac28@vigilsec.com> <7.0.0.16.2.20061115150053.07507758@vigilsec.com>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <1479A966-3783-412B-89CC-3B549B40F714@cisco.com>
Cc: "Peter Rybar" <rybar@nbusr.sk>, ietf-pkix@imc.org
Content-Transfer-Encoding: 7bit
From: Max Pritikin <pritikin@cisco.com>
Subject: Re: RFC3280bis: NotAfter 99991231235959Z
Date: Wed, 15 Nov 2006 16:54:28 -0600
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.752.3)
X-OriginalArrivalTime: 15 Nov 2006 22:54:31.0989 (UTC) FILETIME=[03689650:01C70909]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1920; t=1163631273; x=1164495273; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:=20Max=20Pritikin=20<pritikin@cisco.com> |Subject:=20Re=3A=20RFC3280bis=3A=20NotAfter=2099991231235959Z |Sender:=20; bh=AHJrfawAuwpT7AMxaRvk9I3pXxbZDebNOIDoCd3CR9Y=; b=Ny/4qfP3qpl0bvcdeRdEm8S+1yfnYKNuzaHUQRFjr8auQ5W+3XbnjtiQXyK59hTp7QRD3su4 ghD4VxIj+4URjxHvECwxymBOUkddiJpKQEX0eEPQwhGBbp3X/QdvZrHI;
Authentication-Results: sj-dkim-4; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I think this implies that "6.1.3 Basic Certificate Processing" text:
(2) The certificate validity period includes the current
time.
will need to be modified to read something like:
(2) The certificate or any prior certificate validity period is
either equal to GeneralizedTime value 99991231235959Z or includes the
current time.
This indicating that the certificate chain validation no longer
includes checking the current time against the validity period for
these values. Alternatively every certificate in the chain could be
required to use this large GeneralizedTime value.
Thanks,
- max
On Nov 15, 2006, at 2:01 PM, Russ Housley wrote:
>
> I would hope that the time function would not be called with this
> input. The point is to flag the value as not expiring.
>
> Russ
>
> At 11:39 AM 11/15/2006, Peter Rybar wrote:
>> Some utility written in C language time (The time function returns
>> the number of seconds elapsed since midnight (00:00:00), January
>> 1, 1970,) will crash. ;-)
>>
>> -----Original Message-----
>> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
>> pkix@mail.imc.org] On Behalf Of Russ Housley
>> Sent: Wednesday, November 15, 2006 3:56 PM
>> To: ietf-pkix@imc.org
>> Subject: RFC3280bis: NotAfter 99991231235959Z
>>
>>
>> I would like to add some text about certificates that are not
>> intended to expire. I propose the following paragraph.
>>
>> In some situations, devices are given permanent certificates. For
>> example, a device could be issued a certificate that binds its model
>> and serial number to its public key. Such a certificate is intended
>> to be used for the entire lifetime of the device. It indicate the
>> permanent nature of such a certificate, the notAfter SHOULD be
>> assigned the GeneralizedTime value of 99991231235959Z.
>>
>> Any concerns?
>>
>> Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFMVWYs021585; Wed, 15 Nov 2006 15:31:32 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFMVWKa021584; Wed, 15 Nov 2006 15:31:32 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFMVVJ6021577 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 15:31:32 -0700 (MST) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id kAFMVMtJ024325 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 17:31:22 -0500
Received: from [129.6.54.72] (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.13.7/8.13.7) with ESMTP id kAFMVGbS013253 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 17:31:17 -0500 (EST)
Message-ID: <455B955F.6010201@nist.gov>
Date: Wed, 15 Nov 2006 17:31:59 -0500
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Thunderbird 1.5.0.7 (X11/20060921)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Re: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
References: <E1GkRhp-0008FE-Kh@stiedprstage1.ietf.org>
In-Reply-To: <E1GkRhp-0008FE-Kh@stiedprstage1.ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
All,
Draft -06 does not include any changes from draft -05 other than adding
Tim Polk to the list of editors.
Dave
Internet-Drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.
>
> Title : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
> Author(s) : D. Cooper, et al.
> Filename : draft-ietf-pkix-rfc3280bis-06.txt
> Pages : 144
> Date : 2006-11-15
>
> This memo profiles the X.509 v3 certificate and X.509 v2 certificate
> revocation list (CRL) for use in the Internet. An overview of this
> approach and model are provided as an introduction. The X.509 v3
> certificate format is described in detail, with additional
> information regarding the format and semantics of Internet name
> forms. Standard certificate extensions are described and two
> Internet-specific extensions are defined. A set of required
> certificate extensions is specified. The X.509 v2 CRL format is
> described in detail along with standard and Internet-specific
> extensions. An algorithm for X.509 certification path validation is
> described. An ASN.1 module and examples are provided in the
> appendices.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc3280bis-06.txt
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFLXNGe011898; Wed, 15 Nov 2006 14:33:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFLXNfG011897; Wed, 15 Nov 2006 14:33:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from [10.20.30.183] (dsl-63-249-108-169.cruzio.com [63.249.108.169]) (authenticated bits=0) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFLWMsA011708; Wed, 15 Nov 2006 14:32:23 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240898c18137c394fd@[10.20.30.183]>
In-Reply-To: <CCEJKFKLBCNMONJMIEAMGEFBCEAA.mmyers@fastq.com>
References: <CCEJKFKLBCNMONJMIEAMGEFBCEAA.mmyers@fastq.com>
Date: Wed, 15 Nov 2006 13:32:13 -0800
To: "Michael Myers" <mmyers@fastq.com>, "Sam Hartman" <hartmans-ietf@mit.edu>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: <ietf-pkix@imc.org>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
At 10:33 AM -0800 11/15/06, Michael Myers wrote:
>How about we expand the meaning of "unauthorized" to mean EITHER the
>requestor is not authorized to ask the responder OR the responder is not
>authorized to fulfill the request. That's not *too* ugly, is it?
No, it isn't. That's a good idea!
--Paul Hoffman, Director
--VPN Consortium
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFKoC6v003578; Wed, 15 Nov 2006 13:50:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFKoCsQ003577; Wed, 15 Nov 2006 13:50:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from ns0.neustar.com (nso.neustar.com [156.154.16.158] (may be forged)) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFKoBGt003547 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 13:50:11 -0700 (MST) (envelope-from ietf@ietf.org)
Received: from stiedprstage1.ietf.org (stiedprstage1.va.neustar.com [10.31.47.10]) by ns0.neustar.com (Postfix) with ESMTP id B99B43286E; Wed, 15 Nov 2006 20:50:01 +0000 (GMT)
Received: from ietf by stiedprstage1.ietf.org with local (Exim 4.43) id 1GkRhp-0008FE-Kh; Wed, 15 Nov 2006 15:50:01 -0500
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
To: i-d-announce@ietf.org
Cc: ietf-pkix@imc.org
From: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-pkix-rfc3280bis-06.txt
Message-Id: <E1GkRhp-0008FE-Kh@stiedprstage1.ietf.org>
Date: Wed, 15 Nov 2006 15:50:01 -0500
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.
Title : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
Author(s) : D. Cooper, et al.
Filename : draft-ietf-pkix-rfc3280bis-06.txt
Pages : 144
Date : 2006-11-15
This memo profiles the X.509 v3 certificate and X.509 v2 certificate
revocation list (CRL) for use in the Internet. An overview of this
approach and model are provided as an introduction. The X.509 v3
certificate format is described in detail, with additional
information regarding the format and semantics of Internet name
forms. Standard certificate extensions are described and two
Internet-specific extensions are defined. A set of required
certificate extensions is specified. The X.509 v2 CRL format is
described in detail along with standard and Internet-specific
extensions. An algorithm for X.509 certification path validation is
described. An ASN.1 module and examples are provided in the
appendices.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc3280bis-06.txt
To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request@ietf.org with the word unsubscribe in the body of
the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.
Internet-Drafts are also available by anonymous FTP. Login with the
username "anonymous" and a password of your e-mail address. After
logging in, type "cd internet-drafts" and then
"get draft-ietf-pkix-rfc3280bis-06.txt".
A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Internet-Drafts can also be obtained by e-mail.
Send a message to:
mailserv@ietf.org.
In the body type:
"FILE /internet-drafts/draft-ietf-pkix-rfc3280bis-06.txt".
NOTE: The mail server at ietf.org can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e. documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"
--OtherAccess
Content-Type: Message/External-body;
access-type="mail-server";
server="mailserv@ietf.org"
Content-Type: text/plain
Content-ID: <2006-11-15103435.I-D@ietf.org>
ENCODING mime
FILE /internet-drafts/draft-ietf-pkix-rfc3280bis-06.txt
--OtherAccess
Content-Type: Message/External-body;
name="draft-ietf-pkix-rfc3280bis-06.txt";
site="ftp.ietf.org";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <2006-11-15103435.I-D@ietf.org>
--OtherAccess--
--NextPart--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFKRwab099453; Wed, 15 Nov 2006 13:27:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFKRwfs099452; Wed, 15 Nov 2006 13:27:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAFKRvRl099446 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 13:27:58 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 31546 invoked by uid 0); 15 Nov 2006 20:27:51 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 15 Nov 2006 20:27:51 -0000
Message-Id: <7.0.0.16.2.20061115152533.075543d8@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 15 Nov 2006 15:27:41 -0500
To: "Santosh Chokhani" <chokhani@orionsec.com>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>
In-Reply-To: <82D5657AE1F54347A734BDD33637C87905748511@EXVS01.ex.dslextr eme.net>
References: <82D5657AE1F54347A734BDD33637C87905748511@EXVS01.ex.dslextreme.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I agree. I can see where two of these models can be used in the
multi-certificate request. That is why I think that this dimension
of the discussion is a red herring.
Russ
At 02:22 PM 11/15/2006, Santosh Chokhani wrote:
>Russ,
>
>The OCSP field in the AIA extension helps the OCSP client locate an OCSP
>Responder. But, to verify the signature on the OCSP response, 2560
>mandates three trust models: explicitly trusted, CA only, and CA
>delegated. The OCSP field can not extend those options to other trust
>models.
>
>-----Original Message-----
>From: Russ Housley [mailto:housley@vigilsec.com]
>Sent: Wednesday, November 15, 2006 10:32 AM
>To: Santosh Chokhani; ietf-pkix@imc.org
>Cc: Sam Hartman
>Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>Santosh:
>
>My point is that the request could be for any set of certificates
>that contain AIAs that point to the same OCSP responder, whether they
>are part of the same certification path or not.
>
>Russ
>
>At 08:03 PM 11/14/2006, Santosh Chokhani wrote:
> >Russ,
> >
> >I do not know how germane this debate is to Sam's question, but I was
> >simply responding to the issue building certification path. I presume
> >that in this context it relates to building a path to the Responder
> >certificate.
> >
> >Now let us look at the three model 2560 has: Explicitly Trusted, CA and
> >Delegated.
> >
> >Explicitly trusted does not need a certification path and hence there
>is
> >no issue and that is why I did not include it in.
> >
> >CA model does not need any path building since path to the CA has
> >already been built and that is why I did not include it in my response.
> >Note that both clients requires the CA to use the same to sign the OCSP
> >as it signed the certificate in question with.
> >
> >My post responded to the Delegated model.
> >
> >I hope this clarifies that the path building should not be a major
>issue
> >for all three models 2560 supports.
> >
> >-----Original Message-----
> >From: Russ Housley [mailto:housley@vigilsec.com]
> >Sent: Tuesday, November 14, 2006 6:42 PM
> >To: Santosh Chokhani; ietf-pkix@imc.org
> >Cc: Sam Hartman
> >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >Santosh:
> >
> >I believe this is a red herring. This is not the only deployment
> >approach supported by RFC 2560.
> >
> >Russ
> >
> > >In hurry, I did not clearly articulate my thoughts. What I am saying
> >also
> > >relates to another comment to Mike Myers regarding the security of
>the
> > >delegated model which is incompletely addressed by 2560.
> > >
> > >I will be verbose this time.
> > >
> > >The implementations such as Corestreet and Tumbleweed tend to adhere
>to
> >the
> > >approach that the same key that signed the certificate in question,
> >sign the
> > >OCSP Responder certificate.
> > >
> > >Thus, if you have a hierarchy like Root --> CA --> Subscriber and you
> >want
> > >the status of CA certificate and the Subscriber certificate, you get
> >them as
> > >responses and with them you only need the two OCSP Responder
> >certificates
> > >one signed by the Root (for verifying CA certificate revocation
>status)
> >and
> > >one signed by the CA (for verifying the subscriber certificate
> >revocation
> > >status).
> > >
> > >You do not need any paths.
> > >
> > >Please note that the approach also works when the Responder is
>queried
> >by a
> > >CA cross certified by the root, since rest of the path has been built
> >by the
> > >client.
> > >
> > >-----Original Message-----
> > >From: Dave Engberg [mailto:dengberg@corestreet.com]
> > >Sent: Tuesday, November 14, 2006 12:45 PM
> > >To: Stefan Santesson; Santosh Chokhani; Russ Housley; Price, Bill;
> > >ietf-pkix@imc.org
> > >Cc: Sam Hartman; Michael Myers
> > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > >CoreStreet's OCSP server doesn't include a SingleResponse for the
> >issuing
> > >CA's cert in pre-signed responses. Mostly for the reasons mentioned:
> > >
> > >Adds 90-100 bytes onto every response
> > >
> > >Have never seen a relying party app/plug-in send a request like this
> > >
> > >The "delegated" trust model in RFC 2560 would require different
>signing
> > >certs for trusting entity vs. CA cert ... add another 1kB onto the
> >response
> > >
> > >Protocol only sends CA name+key info, which isn't enough to identify
> >which
> > >CA cert the relying party is inspecting in the case of CA cert
>renewal,
> > >cross-certification, etc.
> > >
> > >
> > >-----Original Message-----
> > >From: Stefan Santesson [mailto:stefans@microsoft.com]
> > >Sent: Tuesday, November 14, 2006 12:11 PM
> > >To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
> > >Cc: Sam Hartman; Michael Myers; Dave Engberg
> > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >Santosh,
> > >
> > >I didn't say it was hard. I say that I doubt that there are many
> > >implementations supporting this scenario even those with a responder
> >key.
> > >It would be interesting to hear from implementers if I'm right.
> > >
> > >Stefan Santesson
> > >Senior Program Manager
> > >Windows Security, Standards
> > >
> > > > -----Original Message-----
> > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > Sent: den 14 november 2006 03:59
> > > > To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> > > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > > >
> > > > Stefan,
> > > >
> > > > You are making more complex than it is. The Responder can include
> >all
> > > > the CA certificates that issued the certificate in question and
>AIA
> >can
> > > > do the rest.
> > > >
> > > > Furthermore, since most PKI are two tier hierarchy, in Enterprise
> > > > environment, the CA certificate certification path is not an
>issue.
> > > >
> > > > -----Original Message-----
> > > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > > pkix@mail.imc.org]
> > > > On Behalf Of Stefan Santesson
> > > > Sent: Monday, November 13, 2006 6:54 PM
> > > > To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> > > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > > >
> > > >
> > > > I'm not sure the case described is a realistic one.
> > > >
> > > > Section 2.2
> > > > All definitive response messages SHALL be digitally signed. The
> >key
> > > > used to sign the response MUST belong to one of the following:
> > > >
> > > > -- the CA who issued the certificate in question
> > > > -- a Trusted Responder whose public key is trusted by the
> >requester
> > > > -- a CA Designated Responder (Authorized Responder) who holds a
> > > > specially marked certificate issued directly by the CA,
> > > > indicating
> > > > that the responder may issue OCSP responses for that CA
> > > >
> > > > Since the request is on certificates issued by 2 different CA:s
> >trust
> > > > option 1 is invalid.
> > > > Trust option 3 is valid in theory but in practice it requires that
> >the
> > > > OCSP responder provide multiple validation paths in the response,
> >one
> > > > for each issuing CA. Somehow I doubt that this is implemented by
> > > > anyone.
> > > >
> > > > Trust option 2 is not generic and is only valid as a result of a
> >local
> > > > configuration.
> > > >
> > > > So I don't think this is a problem only for key-less responders.
> > > >
> > > >
> > > > Stefan Santesson
> > > > Senior Program Manager
> > > > Windows Security, Standards
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > > > pkix@mail.imc.org] On Behalf Of Russ Housley
> > > > > Sent: den 13 november 2006 14:08
> > > > > To: Price, Bill; ietf-pkix@imc.org
> > > > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC
>2560
> > > > >
> > > > >
> > > > > I prefer an error that tells the client to ask for the
>certificate
> > > > > one at a time.
> > > > >
> > > > > Russ
> > > > >
> > > > >
> > > > > At 02:46 PM 11/13/2006, Price, Bill wrote:
> > > > >
> > > > > >I'd suggest focusing on understanding where responses to the
> >keyed
> > > > and
> > > > > >keyless responders inherently differ. I am aware of two general
> > > > cases:
> > > > > >
> > > > > >1) The request asks for the status of multiple certificates
>that
> > > > have
> > > > > >not been included in a single presigned response. Russ's
>example
> > > > fits
> > > > > >into this case. The keyed responder handles, but the keyless
>will
> > > > fail
> > > > > >for the general case. Some responders respond with the
>presigned
> > > > > >response that includes one of the certificates (usually the
> >first)
> > > > in
> > > > > >the request. A common situation is to ask for the status of
> > > > > >certificates in a chain. Santosh points out some keyless
> >responders
> > > > > >anticipate this and bundle responses accordingly.
> > > > > >
> > > > > >2) The request is "well-formed" but asks for the status of a
> > > > > >certificate for which the keyless responder has not prepared a
> > > > > >response. This situation will occur if:
> > > > > >
> > > > > > a) The request is for status of a certificate from a
> >supported
> > > > CA
> > > > > >but with a serial number for which there is no pre-signed
> >response.
> > > > > >Assuming presigned responses exist for all certificates that
> >would
> > > > be
> > > > > >valid based on their validity intervals, this would occur if
>the
> > > > > >certificate had expired or was yet to be issued (I am aware the
> > > > > keyless
> > > > > >responders generally produce responses for certificates likely
>to
> >be
> > > > > >issued before the next generation of presigned responses). The
> >keyed
> > > > > >responder would give a signed "good" response. My understanding
> >is
> > > > > that
> > > > > >the keyless responder under the draft lightweight OCSP responds
> >with
> > > > > an
> > > > > >unsigned "unauthorized" error code.
> > > > > >
> > > > > > b) The request is for the status of a certificate from an
> > > > > >unsupported (or non-existent) CA. The keyed responder would
> >respond
> > > > > >with a signed "unknown" response while under the draft, the
> >keyless
> > > > > >would again respond with the unsigned "unauthorized" error
>code.
> > > > > >
> > > > > >Some might argue with some grounds that these differences are
> > > > unusual,
> > > > > >unlikely, and insignificant.
> > > > > >
> > > > > >I personally consider the behavior in 2 of responding with the
> > > > > >"unauthorized" error to be misleading. "Internal error" sounds
> >more
> > > > > >appropriate if I were constrained to the current error codes.
> > > > > >"Malformed request" might be OK. However, the actual situation
> >does
> > > > > not
> > > > > >match well with any of these errors as they are described in
> >2560.
> > > > > >
> > > > > >If 2560 is supposed to encompass keyless responders, I'd
> >recommend
> > > > > >identifying the unavoidable differences and/or adding 2 TBD
>error
> > > > > codes
> > > > > >for the above cases (assuming they are the only differences).
>The
> > > > > first
> > > > > >error can be worked around by breaking the request for status
>of
> > > > > >multiples into multiple requests for status of one cert.
> > > > > >
> > > > > >We've also seen some problems with client apps that can't
>handle
> > > > > >presigned responses that commonly contain the status of several
> > > > (e.g.,
> > > > > >15-25) certs. The apps inquired for the status of a single cert
> >and
> > > > > >apparently expected a response for a single certificate. I'd
> >suggest
> > > > > >that some "must" or "should" words address clients' ability to
> > > > handle
> > > > > >the situation of a response covering multiple certificates.
> > > > > >
> > > > > >
> > > > > >
> > > > > >Bill Price
> > > > > >
> > > > > >-----Original Message-----
> > > > > >From: owner-ietf-pkix@mail.imc.org
> > > > > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > > > > >Sent: Monday, November 13, 2006 11:46 AM
> > > > > >To: Michael Myers; Dave Engberg
> > > > > >Cc: ietf-pkix@imc.org; Sam Hartman
> > > > > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC
> >2560
> > > > > >
> > > > > >
> > > > > >Mike:
> > > > > >
> > > > > >I think it is not that simple. I think you need to say that
> >support
> > > > > >for one certificate MUST be supported, and that support for
>more
> > > > than
> > > > > >one certificate is OPTIONAL. Then, the error is am indication
> >that
> > > > > >the requestor has selected an unimplemented OPTION.
> > > > > >
> > > > > >Russ
> > > > > >
> > > > > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > > > > >Responders unable to produce or acquire a definitive response
> >MUST
> > > > > >return <a
> > > > > > >TBD error>.
> > > > > > >
> > > > > > >As to your other points Santosh, that is something I prefer
>the
> > > > > chairs
> > > > > > >consider.
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > > > > >
> > > > > > > > Mike,
> > > > > > > >
> > > > > > > > What is the error case?
> > > > > > > >
> > > > > > > > . . .
> > > >
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFKDNKg096960; Wed, 15 Nov 2006 13:13:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFKDN35096959; Wed, 15 Nov 2006 13:13:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAFKDJQi096923 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 13:13:20 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 15972 invoked by uid 0); 15 Nov 2006 20:13:13 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 15 Nov 2006 20:13:13 -0000
Message-Id: <7.0.0.16.2.20061115150053.07507758@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 15 Nov 2006 15:01:48 -0500
To: "Peter Rybar" <rybar@nbusr.sk>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: RFC3280bis: NotAfter 99991231235959Z
Cc: ietf-pkix@imc.org
References: <7.0.0.16.2.20061115095452.040eac28@vigilsec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I would hope that the time function would not be called with this
input. The point is to flag the value as not expiring.
Russ
At 11:39 AM 11/15/2006, Peter Rybar wrote:
>Some utility written in C language time (The time function returns
>the number of seconds elapsed since midnight (00:00:00), January 1,
>1970,) will crash. ;-)
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
>Sent: Wednesday, November 15, 2006 3:56 PM
>To: ietf-pkix@imc.org
>Subject: RFC3280bis: NotAfter 99991231235959Z
>
>
>I would like to add some text about certificates that are not
>intended to expire. I propose the following paragraph.
>
>In some situations, devices are given permanent certificates. For
>example, a device could be issued a certificate that binds its model
>and serial number to its public key. Such a certificate is intended
>to be used for the entire lifetime of the device. It indicate the
>permanent nature of such a certificate, the notAfter SHOULD be
>assigned the GeneralizedTime value of 99991231235959Z.
>
>Any concerns?
>
>Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFKDLR4096955; Wed, 15 Nov 2006 13:13:21 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFKDLVN096954; Wed, 15 Nov 2006 13:13:21 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAFKDK8Y096944 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 13:13:20 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 16007 invoked by uid 0); 15 Nov 2006 20:13:14 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 15 Nov 2006 20:13:14 -0000
Message-Id: <7.0.0.16.2.20061115150847.0752bd90@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 15 Nov 2006 15:09:28 -0500
To: "Julien Stern" <julien.stern@cryptolog.com>, ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: RFC3280bis: NotAfter 99991231235959Z
In-Reply-To: <20061115172823.GW15161@isonoe.cry.pto>
References: <7.0.0.16.2.20060821173001.012803b8@vigilsec.com> <20061115172823.GW15161@isonoe.cry.pto>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
No. That device is still that device. The certificate is not making
any statement about the ownership of the device.
Russ
At 12:28 PM 11/15/2006, Julien Stern wrote:
>On Wed, Nov 15, 2006 at 09:55:47AM -0500, Russ Housley wrote:
> >
> > I would like to add some text about certificates that are not
> > intended to expire. I propose the following paragraph.
> >
> > In some situations, devices are given permanent certificates. For
> > example, a device could be issued a certificate that binds its model
> > and serial number to its public key. Such a certificate is intended
> > to be used for the entire lifetime of the device. It indicate the
> > permanent nature of such a certificate, the notAfter SHOULD be
> > assigned the GeneralizedTime value of 99991231235959Z.
> >
> > Any concerns?
>
>If the device is somehow stolen or compromised at some point,
>doesn't this mean that you will have to keep its serial number in a CRL
>(or an other revocation system) until the end of times?
>
>When faced with a somehow similar issue, we decided to set the date to
>the expected lifetime of the device plus a few years to avoid the above
>issue.
>
>--
>Julien
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFJK2o4085944; Wed, 15 Nov 2006 12:20:02 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFJK2OI085943; Wed, 15 Nov 2006 12:20:02 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFJK0As085917 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 12:20:01 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Wed, 15 Nov 2006 11:22:01 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C87905748511@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccIy24Q79KVECfgTEKKI36Ed9P0qgAH6a2A
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAFJK1As085931
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
The OCSP field in the AIA extension helps the OCSP client locate an OCSP
Responder. But, to verify the signature on the OCSP response, 2560
mandates three trust models: explicitly trusted, CA only, and CA
delegated. The OCSP field can not extend those options to other trust
models.
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Wednesday, November 15, 2006 10:32 AM
To: Santosh Chokhani; ietf-pkix@imc.org
Cc: Sam Hartman
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Santosh:
My point is that the request could be for any set of certificates
that contain AIAs that point to the same OCSP responder, whether they
are part of the same certification path or not.
Russ
At 08:03 PM 11/14/2006, Santosh Chokhani wrote:
>Russ,
>
>I do not know how germane this debate is to Sam's question, but I was
>simply responding to the issue building certification path. I presume
>that in this context it relates to building a path to the Responder
>certificate.
>
>Now let us look at the three model 2560 has: Explicitly Trusted, CA and
>Delegated.
>
>Explicitly trusted does not need a certification path and hence there
is
>no issue and that is why I did not include it in.
>
>CA model does not need any path building since path to the CA has
>already been built and that is why I did not include it in my response.
>Note that both clients requires the CA to use the same to sign the OCSP
>as it signed the certificate in question with.
>
>My post responded to the Delegated model.
>
>I hope this clarifies that the path building should not be a major
issue
>for all three models 2560 supports.
>
>-----Original Message-----
>From: Russ Housley [mailto:housley@vigilsec.com]
>Sent: Tuesday, November 14, 2006 6:42 PM
>To: Santosh Chokhani; ietf-pkix@imc.org
>Cc: Sam Hartman
>Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>Santosh:
>
>I believe this is a red herring. This is not the only deployment
>approach supported by RFC 2560.
>
>Russ
>
> >In hurry, I did not clearly articulate my thoughts. What I am saying
>also
> >relates to another comment to Mike Myers regarding the security of
the
> >delegated model which is incompletely addressed by 2560.
> >
> >I will be verbose this time.
> >
> >The implementations such as Corestreet and Tumbleweed tend to adhere
to
>the
> >approach that the same key that signed the certificate in question,
>sign the
> >OCSP Responder certificate.
> >
> >Thus, if you have a hierarchy like Root --> CA --> Subscriber and you
>want
> >the status of CA certificate and the Subscriber certificate, you get
>them as
> >responses and with them you only need the two OCSP Responder
>certificates
> >one signed by the Root (for verifying CA certificate revocation
status)
>and
> >one signed by the CA (for verifying the subscriber certificate
>revocation
> >status).
> >
> >You do not need any paths.
> >
> >Please note that the approach also works when the Responder is
queried
>by a
> >CA cross certified by the root, since rest of the path has been built
>by the
> >client.
> >
> >-----Original Message-----
> >From: Dave Engberg [mailto:dengberg@corestreet.com]
> >Sent: Tuesday, November 14, 2006 12:45 PM
> >To: Stefan Santesson; Santosh Chokhani; Russ Housley; Price, Bill;
> >ietf-pkix@imc.org
> >Cc: Sam Hartman; Michael Myers
> >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> >CoreStreet's OCSP server doesn't include a SingleResponse for the
>issuing
> >CA's cert in pre-signed responses. Mostly for the reasons mentioned:
> >
> >Adds 90-100 bytes onto every response
> >
> >Have never seen a relying party app/plug-in send a request like this
> >
> >The "delegated" trust model in RFC 2560 would require different
signing
> >certs for trusting entity vs. CA cert ... add another 1kB onto the
>response
> >
> >Protocol only sends CA name+key info, which isn't enough to identify
>which
> >CA cert the relying party is inspecting in the case of CA cert
renewal,
> >cross-certification, etc.
> >
> >
> >-----Original Message-----
> >From: Stefan Santesson [mailto:stefans@microsoft.com]
> >Sent: Tuesday, November 14, 2006 12:11 PM
> >To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
> >Cc: Sam Hartman; Michael Myers; Dave Engberg
> >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >Santosh,
> >
> >I didn't say it was hard. I say that I doubt that there are many
> >implementations supporting this scenario even those with a responder
>key.
> >It would be interesting to hear from implementers if I'm right.
> >
> >Stefan Santesson
> >Senior Program Manager
> >Windows Security, Standards
> >
> > > -----Original Message-----
> > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > Sent: den 14 november 2006 03:59
> > > To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > > Stefan,
> > >
> > > You are making more complex than it is. The Responder can include
>all
> > > the CA certificates that issued the certificate in question and
AIA
>can
> > > do the rest.
> > >
> > > Furthermore, since most PKI are two tier hierarchy, in Enterprise
> > > environment, the CA certificate certification path is not an
issue.
> > >
> > > -----Original Message-----
> > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > pkix@mail.imc.org]
> > > On Behalf Of Stefan Santesson
> > > Sent: Monday, November 13, 2006 6:54 PM
> > > To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > > I'm not sure the case described is a realistic one.
> > >
> > > Section 2.2
> > > All definitive response messages SHALL be digitally signed. The
>key
> > > used to sign the response MUST belong to one of the following:
> > >
> > > -- the CA who issued the certificate in question
> > > -- a Trusted Responder whose public key is trusted by the
>requester
> > > -- a CA Designated Responder (Authorized Responder) who holds a
> > > specially marked certificate issued directly by the CA,
> > > indicating
> > > that the responder may issue OCSP responses for that CA
> > >
> > > Since the request is on certificates issued by 2 different CA:s
>trust
> > > option 1 is invalid.
> > > Trust option 3 is valid in theory but in practice it requires that
>the
> > > OCSP responder provide multiple validation paths in the response,
>one
> > > for each issuing CA. Somehow I doubt that this is implemented by
> > > anyone.
> > >
> > > Trust option 2 is not generic and is only valid as a result of a
>local
> > > configuration.
> > >
> > > So I don't think this is a problem only for key-less responders.
> > >
> > >
> > > Stefan Santesson
> > > Senior Program Manager
> > > Windows Security, Standards
> > >
> > >
> > > > -----Original Message-----
> > > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > > pkix@mail.imc.org] On Behalf Of Russ Housley
> > > > Sent: den 13 november 2006 14:08
> > > > To: Price, Bill; ietf-pkix@imc.org
> > > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC
2560
> > > >
> > > >
> > > > I prefer an error that tells the client to ask for the
certificate
> > > > one at a time.
> > > >
> > > > Russ
> > > >
> > > >
> > > > At 02:46 PM 11/13/2006, Price, Bill wrote:
> > > >
> > > > >I'd suggest focusing on understanding where responses to the
>keyed
> > > and
> > > > >keyless responders inherently differ. I am aware of two general
> > > cases:
> > > > >
> > > > >1) The request asks for the status of multiple certificates
that
> > > have
> > > > >not been included in a single presigned response. Russ's
example
> > > fits
> > > > >into this case. The keyed responder handles, but the keyless
will
> > > fail
> > > > >for the general case. Some responders respond with the
presigned
> > > > >response that includes one of the certificates (usually the
>first)
> > > in
> > > > >the request. A common situation is to ask for the status of
> > > > >certificates in a chain. Santosh points out some keyless
>responders
> > > > >anticipate this and bundle responses accordingly.
> > > > >
> > > > >2) The request is "well-formed" but asks for the status of a
> > > > >certificate for which the keyless responder has not prepared a
> > > > >response. This situation will occur if:
> > > > >
> > > > > a) The request is for status of a certificate from a
>supported
> > > CA
> > > > >but with a serial number for which there is no pre-signed
>response.
> > > > >Assuming presigned responses exist for all certificates that
>would
> > > be
> > > > >valid based on their validity intervals, this would occur if
the
> > > > >certificate had expired or was yet to be issued (I am aware the
> > > > keyless
> > > > >responders generally produce responses for certificates likely
to
>be
> > > > >issued before the next generation of presigned responses). The
>keyed
> > > > >responder would give a signed "good" response. My understanding
>is
> > > > that
> > > > >the keyless responder under the draft lightweight OCSP responds
>with
> > > > an
> > > > >unsigned "unauthorized" error code.
> > > > >
> > > > > b) The request is for the status of a certificate from an
> > > > >unsupported (or non-existent) CA. The keyed responder would
>respond
> > > > >with a signed "unknown" response while under the draft, the
>keyless
> > > > >would again respond with the unsigned "unauthorized" error
code.
> > > > >
> > > > >Some might argue with some grounds that these differences are
> > > unusual,
> > > > >unlikely, and insignificant.
> > > > >
> > > > >I personally consider the behavior in 2 of responding with the
> > > > >"unauthorized" error to be misleading. "Internal error" sounds
>more
> > > > >appropriate if I were constrained to the current error codes.
> > > > >"Malformed request" might be OK. However, the actual situation
>does
> > > > not
> > > > >match well with any of these errors as they are described in
>2560.
> > > > >
> > > > >If 2560 is supposed to encompass keyless responders, I'd
>recommend
> > > > >identifying the unavoidable differences and/or adding 2 TBD
error
> > > > codes
> > > > >for the above cases (assuming they are the only differences).
The
> > > > first
> > > > >error can be worked around by breaking the request for status
of
> > > > >multiples into multiple requests for status of one cert.
> > > > >
> > > > >We've also seen some problems with client apps that can't
handle
> > > > >presigned responses that commonly contain the status of several
> > > (e.g.,
> > > > >15-25) certs. The apps inquired for the status of a single cert
>and
> > > > >apparently expected a response for a single certificate. I'd
>suggest
> > > > >that some "must" or "should" words address clients' ability to
> > > handle
> > > > >the situation of a response covering multiple certificates.
> > > > >
> > > > >
> > > > >
> > > > >Bill Price
> > > > >
> > > > >-----Original Message-----
> > > > >From: owner-ietf-pkix@mail.imc.org
> > > > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > > > >Sent: Monday, November 13, 2006 11:46 AM
> > > > >To: Michael Myers; Dave Engberg
> > > > >Cc: ietf-pkix@imc.org; Sam Hartman
> > > > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC
>2560
> > > > >
> > > > >
> > > > >Mike:
> > > > >
> > > > >I think it is not that simple. I think you need to say that
>support
> > > > >for one certificate MUST be supported, and that support for
more
> > > than
> > > > >one certificate is OPTIONAL. Then, the error is am indication
>that
> > > > >the requestor has selected an unimplemented OPTION.
> > > > >
> > > > >Russ
> > > > >
> > > > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > > > >Responders unable to produce or acquire a definitive response
>MUST
> > > > >return <a
> > > > > >TBD error>.
> > > > > >
> > > > > >As to your other points Santosh, that is something I prefer
the
> > > > chairs
> > > > > >consider.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > > > >
> > > > > > > Mike,
> > > > > > >
> > > > > > > What is the error case?
> > > > > > >
> > > > > > > . . .
> > >
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFJAOTR083422; Wed, 15 Nov 2006 12:10:24 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFJAKMT083404; Wed, 15 Nov 2006 12:10:20 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFJAD7Z083369 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 12:10:14 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kAFJA4Hf080884; Wed, 15 Nov 2006 12:10:04 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Sam Hartman" <hartmans-ietf@mit.edu>, "Paul Hoffman" <paul.hoffman@vpnc.org>
Cc: <ietf-pkix@imc.org>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Wed, 15 Nov 2006 10:33:21 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMGEFBCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
In-Reply-To: <tslfyckeftn.fsf@cz.mit.edu>
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
How about we expand the meaning of "unauthorized" to mean EITHER the
requestor is not authorized to ask the responder OR the responder is not
authorized to fulfill the request. That's not *too* ugly, is it?
Given that, everything else (i.e. MUST support singles, SHOULD support
multiples, else respond with error) falls out pretty clean without impacting
extant deployments.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Sam Hartman
Sent: Wednesday, November 15, 2006 10:16 AM
To: Paul Hoffman
Cc: ietf-pkix@imc.org
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>>>>> "Paul" == Paul Hoffman <paul.hoffman@vpnc.org> writes:
Paul> I also do not see how we can handle the problem without
Paul> changing the OCSP version number, but I would really like to
Paul> be wrong about that.
You can decide that the interoperability hit of changing the version
number is worse than changing the meaning of the old version
retroactively. It is always hard to make that call, and you better be
right if you decide not to change a version number. But it is a
tradeoff it is valid to consider.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFIGIFF072593; Wed, 15 Nov 2006 11:16:18 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFIGIPS072592; Wed, 15 Nov 2006 11:16:18 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFIGG9h072576 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 11:16:17 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 6D193E0035; Wed, 15 Nov 2006 13:16:04 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
References: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com> <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG> <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com> <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.micros oft.com> <7.0.0.16.2.20061114181343.07a37c08@vigilsec.com> <p0624087fc181032b0471@[10.20.30.183]>
Date: Wed, 15 Nov 2006 13:16:04 -0500
In-Reply-To: <p0624087fc181032b0471@[10.20.30.183]> (Paul Hoffman's message of "Wed, 15 Nov 2006 09:51:32 -0800")
Message-ID: <tslfyckeftn.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> "Paul" == Paul Hoffman <paul.hoffman@vpnc.org> writes:
Paul> I also do not see how we can handle the problem without
Paul> changing the OCSP version number, but I would really like to
Paul> be wrong about that.
You can decide that the interoperability hit of changing the version
number is worse than changing the meaning of the old version
retroactively. It is always hard to make that call, and you better be
right if you decide not to change a version number. But it is a
tradeoff it is valid to consider.
Received: from 132.red-82-158-246.user.auna.net (132.red-82-158-246.user.auna.net [82.158.246.132]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFI393C069792 for <ietf-pkix-archive@imc.org>; Wed, 15 Nov 2006 11:03:16 -0700 (MST) (envelope-from Music@paginternet.com)
Message-ID: <000f01c708e1$3c6d5350$00000000@richard>
From: "likely" <Music@paginternet.com>
To: ietf-pkix-archive@imc.org
Subject: attitudes towards make
Date: Wed, 15 Nov 2006 19:09:47 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000B_01C708E9.9E31BB50"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_000B_01C708E9.9E31BB50
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000C_01C708E9.9E31BB50"
------=_NextPart_001_000C_01C708E9.9E31BB50
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Might am bethe Anton Webern.
Standing class musicfor whereas incomes. Orchestras film companies =
schools work in seeking contracts variety.
Press a features image.
Harmonic rhythmic greatest latitude thought imagined of. Material quite =
a strict?
Textbooks Wikibooks Quotations a Wikiquote texts Wikisource Images?
Understood learned edit?
Disagreed a must consist Instead in he argued any of. Genre detail =
explicitly.
Completely lost Recent Evelyn.
Modernera am concertos concerts is halls sitting quietly seatson hand.
Receive in credit of taking am overview. Notes External linksedit =
article musicsee genrethe broadest There are!
Uniquely am humanmusic technical manner refers.
Ornaments trills turnsin give without a describing devices obtain =
expressive? Notes External linksedit article musicsee genrethe broadest =
There are!
Sister Dictionary Wiktionary Textbooks Wikibooks Quotations Wikiquote. =
Wikibooks Quotations Wikiquote texts?
Groups works or described.
Single society am does not pass same a place short rarely? Ballet scores =
of serialism bebopera or rap punk nonmusic critics a when?
Created playing vocals of whole direct expression emotions designed =
manipulate.
Helped outcomes patients of Owen Johnson.
Approach specific in piecesfor.
Standing class musicfor whereas incomes.
Research relatively am credential.
Took newspaper protesting ad appeared.
Where front Naxi who or performs.
Took newspaper protesting ad appeared.
Largely standing of class musicfor whereas incomes hiphop innercity a =
area.
------=_NextPart_001_000C_01C708E9.9E31BB50
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"might" hspace=3D0=20
src=3D"cid:000a01c708e1$3c6ae250$00000000@richard" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Might am bethe Anton =
Webern.<BR>Standing class=20
musicfor whereas incomes. Orchestras film companies schools work in =
seeking=20
contracts variety.<BR>Press a features image.<BR>Harmonic rhythmic =
greatest=20
latitude thought imagined of. Material quite a strict?<BR>Textbooks =
Wikibooks=20
Quotations a Wikiquote texts Wikisource Images?<BR>Understood learned=20
edit?<BR>Disagreed a must consist Instead in he argued any of. Genre =
detail=20
explicitly.<BR>Completely lost Recent Evelyn.<BR>Modernera am concertos =
concerts=20
is halls sitting quietly seatson hand.<BR>Receive in credit of taking am =
overview. Notes External linksedit article musicsee genrethe broadest =
There=20
are!<BR>Uniquely am humanmusic technical manner refers.<BR>Ornaments =
trills=20
turnsin give without a describing devices obtain expressive? Notes =
External=20
linksedit article musicsee genrethe broadest There are!<BR>Sister =
Dictionary=20
Wiktionary Textbooks Wikibooks Quotations Wikiquote. Wikibooks =
Quotations=20
Wikiquote texts?<BR>Groups works or described.<BR>Single society am does =
not=20
pass same a place short rarely? Ballet scores of serialism bebopera or =
rap punk=20
nonmusic critics a when?<BR>Created playing vocals of whole direct =
expression=20
emotions designed manipulate.<BR>Helped outcomes patients of Owen=20
Johnson.<BR>Approach specific in piecesfor.<BR>Standing class musicfor =
whereas=20
incomes.<BR>Research relatively am credential.<BR>Took newspaper =
protesting ad=20
appeared.<BR>Where front Naxi who or performs.<BR>Took newspaper =
protesting ad=20
appeared.<BR>Largely standing of class musicfor whereas incomes hiphop =
innercity=20
a area.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000C_01C708E9.9E31BB50--
------=_NextPart_000_000B_01C708E9.9E31BB50
Content-Type: image/gif;
name="consensus.gif"
Content-Transfer-Encoding: base64
Content-ID: <000a01c708e1$3c6ae250$00000000@richard>
R0lGODlhHAIwAof2AAAABoEEAAyKAHx1AAgAh3IMfACEe7nHzr/mwajP6kIVAFIfAI0ZBq0oAL4V
Cd8jBgI6DB40AE4xBmZMC4NAAKE8AMNJDOA3DQBmAC5YBDNZDGxqAH5iAKRXALFTANVlAAB1CxN5
CTmOAGSNAnV9B52BAM50Bu57AAijDSOfAEygAGuYAH6VCJulAMuhB+2kAA28BRPLAEfDAlXBBn7B
DJO2CM3OAOPDAADfABffADvrAWDhAIHUCZXWAL7eBODWAgAEQRYAP0YANFYDS4sAMZwDSsECTuwG
RAAgNCYtOEwfNWgoP4QYTpcoSsYiQ+wYSgA0SRYyMUNMSmFEN3pERahIS8YxTuU8NABoPxdfSzVo
RmBoTXtsC6hRSbFhTdhkMgB2RBiJREqLPVZ9P3+JO5mJR7R4Md16OACqTRKTOT6dRlmWTXqaO5eU
Os2sRNSTNADMSifMPkG6Qm7KTXXHOaS2OrW2Pu7MTAzYMy3YSU7fOWLVQH3YRpLcRc7ZRdnpMgMI
hR0FdT8NglUHhoUFeJkAiMAJhtUAhggWfCwdeDkfimYVfXcidZcdccIYftYijAAxhxxAh0hAf2lH
gHVHe59CgrY3i9dLiABrjB5WgDhdd1Vqd3ZqealhicRki+BacQB4hRlzdUeJfmWNjoaAjZp6g7OE
h9yKcQCaeyOnckuni1SqfI6nip6Se8Objuitige3chnLgkjDjmDNg47Aeqy7jrPAd+G3cgTngyzT
gjLmgVnhdYvpfZbefrfkjujddwAAtBQAuTENvWUAyXYLwJgHwcQCxuUAvQAXySIavz4Tt1YtzHIs
uaEuy7YTxt0VugA2xxZMsTlNs2cysoVKuZ1LvsdNueI2vQBVzSBUwTlewmpezIhouKVksrNgyuxX
xw5+syR4xEp1w1R+yHN7x6SDxMN0tNd+vwCRxxupuzOVvFulxYqlv5ypvribu+SrwQq1vR2+xTq5
vF/IxIXAuJnIwv/u9p2XsHGEg/8LDAL8BPn3BgwJ9/MA9wD8/////SH5BACp5wMALAAAAAAcAjAC
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIBnaG0mypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQFXOCEq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evYMOK
HUu2rNmzaNOqXcu2rdu3cOPKTRuyrt27ePPqBZlnr9+/gAMLnku4sOHDiKEKXsy4sePHkCNLPth3
8t3EmDNr3sy5s+fPoEPLzciyYVjTPFF/Va2TdVfXJy3Lnu2xtEiwsG/m1rq7Zm+sv+3RHk68ou2F
p2/vDG6VeUznVIMXn05dOQAA9q6TbPihu/fv3k+C/+8ufnx4luRNqtaunSV77CMbCphPvz79k/bn
489/n6V+9dZh195K723HED8IJqhggictiGCDDjLI0oMAIjdSgfFVpyFgPWH40nkgpkfSefaQWBKJ
Jpb3wU0eqtRiS/3F+B9J/dlTY0k13rifACwKCB+BPsYk4ZAUkiShPUeWdGSSEPLTY3Y/ivYWaSRd
FyV36YW44ogicqniiV2alKJwykEZJZBXMiQjjzbO2CabOMJJo5s6xilnhhZeOKB7ezZEpJNIFhko
oEoSaqSgTBZqKJ4KlWRlSRtGqqGZVj6KJZdblpjpmJpmOpKJnHYapmmVlppSqZWSudCMOcJZ55sm
3f/46ptuqtooqo+ihKt2fhK6pK+CHrpokomOtGCFt+5qq6TMzuZon2V2mlKYYIrZZajgIZvQs2e6
CG2eI81aa5yx0jluuPVpixC3L+XK6LaKphRsoSYRO6+xCqp7ELsGNutvbTy9GBOnoUqLabXTfmeT
wCcx/NKrs8I6p5znohtxSw4/C6VNxRaLr6H2qnRsTRlLKVrJ6FFrMEqgZontlgXzubHMe8oEccUS
W2zxnXPqTBPKG9cs5L0eDxrvoIse+jHJQZo8JUbHNQqmpwcn7Kl5K7nsKXQvuXYzzxPbma5K/93I
tUuudXzv0sLmKzKgSUr379yRRQ1v1dZSPfXeCif//CmJZ7fk9bkRy6rf2CiVXWPgdq97dL1rGy0s
0m9/TKjcdGfOWOP77v2l1Z6/jPW7ji8X7ddkm8umuPzByfhKaRMdub1wrx1hkZhrrvtfnBuUt9/A
403w1SK+rtLgYLeZermuEk7xjManFHvS+Fb+uNqP57779nj1XtDvLKucIorj631e9CghnxLqdk58
57j9oR9btB6rPWyRbisNOaDac+8/SN4jCPjCR7UxtayA5kuP/PTlu/atr1Z1Mtz7eBa/aOFkem+7
X9JoB7kmka5zx/ufCEFolZiRT28r+9umqNW3rlysVWDTEQx3lLyrFE1yOHwc23JoOaf5kCqjI2AL
/zHVQvP0LYhZ4U/q7ENDGLZuZxeTSoQymL+2/ep2tRvZDz1DpRCC6zUW1E0YeTNG35QROGdc1ghH
uMU2uvGNcIRJF6WXxubU8Tl3jE4eu7ZHqfRvjf+LoyAHSchCGvKQiEykIhfJyEY68pGQjKQkg0KN
SVrykpj0SSUzyclOetIpgAylKEdJylKa8pSoTKUqV8nKVrrylbCMpSxnSctadu+TuMzlJ23Jy176
8pfADKYwh0nMYhrzmMiMiC6XycxJJvOZ0IymNKdJzWpqrpnYlIo8ssnNbnrzm0CxpjjHSU6HgPOc
6EynOtfJzna6851uLGcxGyHPekIEnvjMZ1nsyf/PfvrznwANqCv1SdCCGvSgCE2oQhfK0IY69KEf
FKhEJ8pKiFr0ohjNKE7wodF+WcSZX+xoZ6QJUqmJ9DMklWQfTzqaaJb0bukUmiC/9UySbOKmNy0L
Tm26iacwRFl6cheqGtatKuGKUkJN1cz0ZCajGjWpulLqU9uTqqMitahODeqAgIrUqCbVXUQdqlZ/
JFaNoWmrUl1qSnM6EraKZadt7Sko81QztDL1rlkFkllNYtc9vYes8LHrUvMq2JlRtVt+xWph63qm
wmb1sHg9VWMBi1fG6vWukM3qK3fi1pPg1K2f7Slc7RFaucZ1tKXlqWpR8tm48hS1rR0taVu72if/
5ZWpjk1rVPd629v+NbBNc6plNSZTwyIWq0SN7GATizHgYjZKw1WuhxJbXMtmVrlSIk1nSwJaue70
u95l63ZdO9vwkne2KaHteNFb3vaK17Td9eLdmEtcyk5VZr0drG99BFnrTpavwQUwdosrYOlC98DN
fW5ko6vf6R64uv+9LlM3q5P1spe97yVvfD1r3vPm1MLo/bBpudvhDF8YxEzjbdCc+1jkLneoMlVW
gV5E4wgrFrimuqpke0tf7IY1V2XdMY+bRt8Y21i3BGakhTdsYhOfOLQehq9oR2yS93ZXvSUOL5Q7
hOD6gtW4lx1wUZl72Bo32MZaVTB+C3xm3ia5/7LBTXKPcYtkFrOZzvu95JKlrOEsr5bJfHYtiK3c
YQz7+cJAmfOKF5xjIYt5t8LFcYAXreIWZfbN+oXznRUNaUpn2s1ofrFuDbxUToeGSoD+86FT3efa
tlclV45yqw1dWxAHiM3XlTCBTd1XBKPVzhLWtLCD/eJOl/q/exVarwmLbGYPu8uLBTaCU1rezm6Z
1oam7WnhuuHTriTW225yoa+NaAYKUMxQjbSKQd3oHJMZsPD+9VcZW9VHWTXImx61sket436TGsDp
xnOLuSVv+lJYKyiWScJZShRMw9Hh4Fw4TCTO8ES7+OEX5yLUgELxlnRcjyaNaca3SNNVVvzkKP9P
ucpXzvKWZ/TjH3e5zJNzkXBTmSYwv3lQVpq+hPTj50D/OUmC3o+hE/0kQvcoRZfOoQqPOOYcjgnU
0ZJ0o1vdHlWv+ki0PnOL7lnV4JWytqsd6HLDRetcF3rWi250rnfdm9rV+ZO9DV5vY/vuU+djyM1Y
OrSz3eprL0nQlc50kDyj8ABLrWpZ7eTGF9ooPJ9f3/+OdcpX/vKY3zrbk474zleHtXxm/LhHf17I
h3QmJvW7SdQ+eMFvnu2ejz1xQL/4QItb1bhHSuTN/Y+ra371RU+631sv++LLBtHWTv6sWY13ubfm
9DJJveUDn3nhU17oxs/+Rnii+NeSePnkvnb/t+Xi9qP/HvDXt/zbRZr39bsfku1/v/znMsf0Ot8s
u4cUTImi/f43xqfQNxZ7t3P+V4D3NH8ImEv1pxT5Z0elUxQGGIF5IXX3h0cDuE/wAgEQwH8S2IEP
eBPdl0kaaBIaWIIoUYIoaA8oaIIJaFDjZ0kruIEjOBIzqBIjWIMtiFCAVnfhRmKyFX9ukYIkUYM4
eBIzWIQ5qIBQs4O513y11YBVoRBCSIMbSIUrcYQrGFEeuIUfxXx3932lp38XSBaNwoJWeIYnWIVG
uIFc2Ia953TapnxmR3ZASBhCSIRquIYpgYRJiEkHAQzKtF5yKIgVqIUDsRZSc4MyqIZ8qIJ5/0iC
bOh5fOCG5uR0tNeEjudqoKGIjjiEVYiDoMiIj9iH7kSIYEh2PiiHm5iFVGiGeLiGZkiKsogZjTiL
tihItXiLuriLvNiLvghPC+hDYzSGdESJxrgXcDSM+xdAx9iMhygVdbgZ+ZAPv8hwIcgS0UiH2fht
hfgT05gS31iNDjV12xiGRVGOLjGN6kiNJKGO4jiO3Whzr9VtCTde4odlcZiPsEUU63gS/fiOLXEA
frhxFPeCszaHp3iJ+3iQL+hWyogQ/9iO1BiOzliRddGD8jh3USdohYhiTqaR9Hh/D7kv7iiRI0GR
FpmS5+YTHll23SdiHndziqeKhLaQS/GP6/9YkgDJTAvYkpgYeh1JZV7ohQkpectoiCc5kexokmqk
ks7IWWWnkJnofTFZZbb3dFoma2GIjv6olCYRjjvJkwQ5dvanjz8ocfa4Zdv1kmRpkyNpEDm5lEzp
lHS5cUfBldgYj7ADfVIDlvJVl4B5gHepl1CZE2/5Pfbgl8UYmMcYFngJerIVljkYjIZUJsTIFYwJ
UI1kmUfpFZn5T5sJLpe5FZ/pT5tRjpz5gUsRWARilKXZSz1BbkrRklhJmAhpf0fRWDjBb45yIb7Z
MJJ5GKgWlUlBmz6ocISJYql5ELrJIlXSmtkBnWL4mvKEkDsoYtxmlle2Z4Q2j2IHk08GW27/KZoJ
0ZxKFSRkxVfPGZ3ryZrsCWRN1ZTUaU3WeZViV2tZqZFlqWU6Z2W1h5+a6JDkuS7pyZ6+uVXrmaDu
+ZvuKSDPiaDz6UuFeYlfSJOkZ47fF1v9+XhjF5JIUaDQZaAH+mML+p4MKqIiOnLByRlfd5DIN5Mu
eX/YOWXeyaFryZZJ4aBjpaMPCpw92p4nGp8huqI/1KIVipUUapBgeHsu2qFy95jAWaC92ZuIRaVT
2qDqOaRE6kOiZ6OnOJW3iW1TqXweupW2CRNaGp1V6qMjilknmp5puqVq0UXhp5ZImooxepwUip9Y
tqTfKZTdtpwNhKLnyaYEB28mmqjw+ZwR/wqbLqeichqpTbErlFqplnqpmPplkoqBNcdIgoqYPwOA
jTpOnfSpK+mZo9pKm7qqrNqqrvoSUAelr3pQ17gWCyerOqFF1JOrNzSrNNeFxKkWt3qmegdTCjEs
xhIUviJHqVpRlhhlZxmt2zllf/pqGEmHeFqtGDmtNVqUOUE9x0IhbuMkVxQsy4okSoKuyWoSYOCr
bsF8Y2qf7pWVPMiETriRL6qV2amJ3yov1bOuyYo/6gqwAAs36Xqu7opGNQemHwmgYrpqFwqvG+pq
8cqvhigQ0+k7ukqwIDOw6NqxiiKu6fqxF9usv4SKNfp4DsukLAujP9mtpVexGCqfpzqABv/rsR2b
syNrJAc7suRasiYLm2DqrSAJseCXpBGbpy+rn7yHsYR3qut6sxyLs1S7syTLs1cbtMhUtEsrekd7
r12qlfnKtWJrqgOBrOoKsgHbs/+KtWvbtpejtcY0tnUqrVf5tdwqtmzppKNnk4E6oPuiRTw0rj77
IBqEP4brtnI7t5xktk5bFLvqEnG7uMNUqoBrEFiUuZq7uZwbIZRrSrxYRTIRuQk7FZ97uqibuqr7
GKXbuq77uj+0urK7tbBbu7Z7u7ibu480u7zbu777uw+hu8I7vMT7q8B7vLFUvMr7fMjbvM77vNAb
vdLrL8tbvTZxF4Uwvdq7vdxrT9b7vdH/173iyz3gW77me77om76pMb7se03q+77wG7/yO7/063Ib
YLztm7/6u78FuH786z/1W76UuXL/O0vWsxmR8xIJjJkFnLxtGyg4ITsO0hO3MzQRTLrygsErIbrh
28DuuxOIosETQroLfME0UcIj3BQoHMBxkT8TbDm1ozSCSy8hm0XiysE0bEU6/MIvjDTAAsNWFMM+
3DYZDMPA8issjBYufMMQXD2I+8AQksOGazuRG8IyrEFOzMRPDMFPvMVTfMVQ/K9E0sQdlMRLQRpM
TMZfnMX6k8BWzMZFHMdwS673A8Zw3MRrzMU/rMd2bD1djMEe7D/TQBF4LMR8fMdpLMdq/0zH+1M0
IRyudYzIjCzGk3zIhezDN0zFc0zGi1kRFRDImYPJm/zHbUzCIPPDb8zJZRzG5orKrlzKixzLlowS
sjPKgKwQzgDK1MGr9ELKcDzGBxzLb+zIp9zHttzHWvzKkpPHa1zLwgyuImzGNlTMPayr1ryrrQzM
QRzMQwzEvlzISNzNogzOiCvBlZzJWyzNumeX2LTC66zL/8KrnTvP9FzP9nzP+JzP+rzPmavO8zfD
/lwYAxzQpie7BD1XBr0WLgap7vEWDB2qiaYTD72+sttoMjHRCOqcLrITE72bCbowBtrRMcGjASPR
I03Rq/ubSpHRIL3RJr2aPyGlQSHSGP/z0k3BuyotpO9ZV0EFcFnKoFTVnvLW0wT3VEYdn5Ti0zrN
X4iqpkRtb0/9ZVjKX0mt1PpWZqzJ1Edt1L8WpIuqplL91TgG1l0d1WeC0yH9oGvapi7dpjz61j+d
0yn60U6toGn90XC6oHCtbGkNp3j9pneNoj8612ztoHv914nao3rd14hd147t2IdN1097uirt1/el
1l41pIZdqPF212kFovYWb3Dd2KMN2SkK1YUd2E5t2IE9WexB2oy915/t1aE9VZFN2KaNoHld2z6W
mSVd2a09pcuF2Kwd15Zt2nYtpa8t3Gl63M4d3M8t06xd3Kr93Mmt2IytK4A9oiWa3bj/XdqvfdzJ
RtMORSXKHdyNXd3CZdfAbd3t/dfu/d3QPdjRTd/qud3qndrXzd3erdmpndX2Ld32jd36ndPuidYP
ZuBgRdUAp6VlJtxVfZ4LPm9ITeH8ItZfpeD99dR0DaK41eGoTahBzd+gbZ5AvdxkfV91NtTwWeJm
vZ6+7U7k3Ugz7osD7Ug1vkg53hNofdAceLw+DoERGtFXseOY0ZxGYeQ1nWDmaypI/hRKvtJt3dAQ
TeCCLZ1TLtgjl3FxKtcafeUtaN6SLRVRnqNQgeQizeVLnhNqztHXi7yVvagTXtZYitR1LedlLaT0
dmyLfeFY/eJkjVxardQRDtWoDWRh/z3WRb3TDN7ijM7hav3gS91UdL7ciC40zQvc/M2mkQ3gyRXb
HS7fQEqo+f3ebG2lMm2lXv7fVn7bDg7bJH3eQa1Yc+3eRBakAT7gk82Yvx3ba83U0w3WnF5VXZXU
BXelJ+7psD7Yxq7aqi7iKH7Y9W3g7P3eLD3tKv7s4O3Zyd7fzv6Osu5bzL7aIf3qz67pQXMq+K3s
1M7q1j7myG3que3tAo7u/b3t4p3v3q7fyu7q3y5zYi7v8u3hcm3u5F7g8a6o6A3h2O7XBK/r9N7q
+47urx6i4X7q+m7r3D7v7p6omT7fUi3U523np92gLJ7nXp1mq37pmv7no62bqS7hLv//4Tpd8Ip+
3ekm1mYd695d8wpf6I++8R/vQ2XuEkXPTPDRqJd09FieUEx/UDce5IoxqlJPRlzI0Uz/5FluGE9P
GFqvFV2vThnR9V+v3fBu9Fvv0e1C7D4h6G0P5ff95R1y9irthjY903Hf9C1t9r3eLnRPMmkv9zAN
4UX+92G/TGMv6cVt8p6OZERd85s91OzC8no+1pWu+HJ22RUu6ZOP+YrO25X/+dTF5/a++TN/85R/
4j3t4o9P6RneVKkq63UO832e65vu7+mt6zra7xMvndhe6leO7+ve+6MO8/Du7yP+2GOG2xHP6aH+
I3bP5vtN7pIG3eEd4A2fbEUt2gr/7+T03eZ9XW+2rf3ZPlbdz/aQvaaMz+5p1vDiP2DHltzvz9wi
T9Jdd/HUP/HGz+q8n+rpDhD27AEQONCgQIIFDyYkmLCgw4YKBzqUiPDhRYoPI1bUeNDjRo8WF4b8
SBIARYYWIaqUuNIlxosVT3aMObHjS5koa4IEydHnT6BBhQ4lWtToUaRJlXJcyXKnSINNTZbEGREn
SadUn6aMCjNrzIxQr+qUqpCnV60jx2LVqfZpS7RnpbaFGpJsXLN5xaZd2tfvX8CBBQ+2O9PuzpM9
E2dkaHgiV5tNF5t1bHiyzcciuSbeG7ky07ecMyN0TBpiY8uoNWu2DLZh6ZELRWN9/4zadmHVozGm
Ps3bdM6StUkTJl7c+HHkyZUDDbvc+XPoP5tHp17d+nXsBf9t597d+/fu2f3OFl/evNLp56ODZ9/e
/Xv48eXPp1/f/n384NXv59/f/3+j8hNwQAILNPBABP8BcEEGG3SwugQjlHBCCitkDz3nYDsuvQc7
JIpDD6XjyEISSzTxRPhA9ElFEYU66ygOw2KRuPSaKyuwG5nbELocd6wIRSCDFFJCDJWbcUUYqzuy
LhqTWjLJ557EccQhq7SSRMBea421lCTTkLPbLtNSttzELM2q3zbTcK/LRhPNKt+ienOm3HTLqbfM
xqwsztnIc7NPPwFVzSU6b8vzN//hEE0TT9PqDPHRB+XCS9K67soKza/yuoomxWJrsauvCGWSpbU2
BS1UryC7FC0k1wKNrrS6nHRWmVbTFC9Ic2XwxY2qIvPMUmEydTJTqTqNJiRXRYnYmoSjVE4wYyR2
rtjC1ChapsDE9drXkPUVVHCf7RauarVVqU1d0+WPV0979TTbcLXaNFhyP8J0uFPjhTU4eWltaTob
KZV1VeC22pbfPWNV1t9jwVo4U3UjVu9FhCsetatg5/X3LafaYmxjV/t9+LCpKlVYX45JRtlklh8e
eOV4m92ML4olthk7ipeFTOd/1aRTWNesZU0vaMXq805e+aSs0Zh//jPHOY9191f/fKNGOjh0nY3T
2dXadPrN3T4ulzdHb74ZDrOHklJJSNdOO9m345b7Pz/9c1u8u+duVm++ASywb8ADZ/BKwgs3nDvB
E1d8ccYb7yvvxCG/eLx6K0/NvJ7gdXzzDguUHG8XAS7q88wpJxqumqd08VUd19XucNhjl/29z7NT
cU3a4H489yL35rj205OMsT+HZjf+eNnFlLnQa5lW1MxBGYW+RTzNJdPkOq2Hs2yrYw1U22jLxA2z
pxHFFOyawTef+Z777ZXs35CXf378sjx45luZFLdamnm3la4bKWZnKruXjYgmqbK8hFrnIpeqYiYn
/WFMZpxKVcuMVbWNcU6Dg5FM/8l8ljSnQetr59Ke//j3O6YBcFoGa9jpMjZBUiHGeg6jWm9CaK2X
deZksArZYp61QSDar2sNHNn+xJZDvmSLWSjU2MVuCC58tQyBMJSgDkc1s5CxCWhQtBioVAXALmox
iED0XMr+1z96ebGIKsPeAUGWsilazo0KpGIBDUZEmKXRjvWiFv6k2MVn0U+Qg3xPlsgjo/+VMFHT
OyHYhlYyLlUtap1qnm6WWCgZbe2S3/tZAreklw9KcoBcg9ry8McY+HlylLgbY+L+VisjtbKVwIMO
IW15ywPlqzh1kyXnaPkcXAZTmPbpZTGN+bphJlOZ+jlmM1u5TGgazpkmnByUlv/yS+lg00nM6VGT
gqLNaT7qlaNbXTWFqDYTko6a3DKnYJZ0u6yVM1/3mlI3u4nMaOYzmN6cGDr/UrpPAZSf/pSnUWpU
OcLY03cS0WdDBzkE7iivTNnD5PUSZSc3HQZbi7ToRb24JwRujY8dFZSiOsan1vAMo5VKqUntpD4t
2dCkWMwTJy8qGofmdJCiwloS9UgbnlYQZfujIKpi2E46RhCMRX3guFA4UgZCdaR2LBb/cubGVelU
qxU651VFSMk8ku+O+XsZmnzIL3ttVGRivdpXU2hDFWpviVhly1hvisgYlgqRZg1jH+MZTmP2MFNg
7CFha0XTvEoVrTfZIrIQmrn/uQg0gHvD62IrtkDH0rGwt+KrFfsIWNCKsadNDGsd64pYCWYRs0OF
pdgYlj8Cbqt0q9WhV10INNVC1baXXWhozeY5Rz7veZcTHwnvdEWrom+4Z6IMRb82pgiCEqTQxahK
ras5Xl6XnS7VbNCoG5rhBBCEAtlqeSN0ToICCJy+pc562cu5Mn7IQe59b3J4SR3z5tdA9eVvf/37
XwAHWMADVtfd6Gu3A/MowTBaMIGT87e/kvOeu+PW7ZATYXK2Tr43qyyF09vO3gJFvyO+Dy3pu69v
+sh1HDbOkTqs4aKQOKfoXa77DmVJ2Exyu9G9ntfg57xAKXFRQ7aouXTcXPOZ/+RLT9yoWpUrXkfp
yVAZhe6RD6nJilLZpQ5eDoQ/CdZxGTHFqj3aFymLRirecWCy4mH/mHhQ0yLWgWGO82GHqCwHjmyh
YN5NXWTs0ITWhs96VWtziepE03INz4eEpRodDSdvubm2QL2ymjvGpU65drZWfS07i6UzPl+qwVze
kWvRDDGx/nTPdV6j6KZ657JKTdK8VWx4hTq1H0KWVZcOK2Z/OOmlcpGVpC7OOGF26gfGNreo++NP
JztHWBv1qMn+bK1dxutfV3bTqD10GplI103/uaGGBGkl59qYIi/5iR49q5dA+O4tL3JLayaV0jJq
weAaGskpjHYNEZpkZqulpP+F4fcjWYpSgK+U2MgxdjFHzThsPrzY4s4nse8r4IgvXOMb53jHw9lw
j4ccUhQnuXeCN9B0optH3FQxiNc5TQMTp+Qz/8eEX/4pc9rcd2c1KM53+W9dxlx3NObmxd2Z4qED
huYltznkTN3oGbnamo1uMdCp7uGr/3PqF0a6LgOzdGGS+67cs/dHc+yb7tW0w8qtLrDEh+skTzmS
AN+eTJHcPbyz72kTHZ65O8omQb29fGOrpPMULnLQWZGLym6s6HzNRnCz1bKXPSXqRvlady0b0dUu
66wD2mc5thr0Bpza4j2PeL/EF2szbHbje5azueau2ob/0lg7e+6w9VrVUQT/dVpH6NaxWFi07MY8
7j0NV8mvBewUn/2mbU9t2YYe6tFf2rcTK1jYxvHQjBXtEQe762E3n9XHBqSj/wVtiywfl13NIOOn
bVhgnzz+io+ttAdIWzFXMdnR57zo8SjV3XI26lOjBEK/m0M9ofCy1bucfQs8qtE3VTK3tfuksbMc
CoysEPIokvoyeCu8H7M3n+mMLAOqBtQ3CPSuhMMM3Es7ETQM9fszBMSZGAyQFySxGYwOo7tBhqrB
EdNBH/wtHrSlHxzCiAlCIXysvpE4HCS9WNq6x5E6zBkMIzyRn4MtDXsnDsqwA9wwr9M6GAu4D+s6
KTEgJ3y261BCUgO5p/tC/y3EwRC7Jp/zwjjctaNzOaAbw+nrJ8GYQhPBkQ98QKvhO1TiniJLFZFS
O0YZvLtDKb4jHysTKbwrRLfwMberwNdbn7JRREScO9qbN040O04cuBxEPNWbosnavb66v8ZCK/EL
NsgjmEdDNjK0MWwrrfmrvwFMovibRYFBtS/bv1DDJz5Enhdyt/zDxbhqKQhqlGCLKafiOd47QWZM
rhJqoW8zRf1Ln61AF2P0PfiLPKfaRphaxgNiFp5boWlUiGHEEjnERv+DPs/auXaRLLvivhW5qmdD
omFpxmxMLVuktenLIgO0vlQDv2x0RWFDjC30uFKkxV67Hzh6Ko1KNOjrEf98tLSHlL7ushW3gEWA
/MYApMPZc7920UjXK8AOsod1nJ+9O6kPfJ/LEyULJKxyOz93q7F9U8E5obu585LqKsHscZhuXJqb
vER527J8s8ft0a3P+MTx2cARPBqVXEnk6R0itJ0fpMqqNKhhu8rlGEWG1EqxHEuyLEuzPEu0TEu1
XEu2bEu3hEGvjMvqAAa5rEu7vEu8zEu93EsRe0u//EvADEzB9MvEGEzDPMzAXAzE7EO+bMwLQ8ON
W0zJnEy3dEzLvMzroEzN3MyyxEzP/Ezl4EzRLBBGGE3TPE3UTE3VXE3WbE3XfE3YBBLQnE3a3MPY
vE3czE3d3E21VA94qE3/4AxO4RxOr+RN4zxOwiFO5VxOYURO53xOrmJO6RRO6KxO67xO7MxO7dxO
7hyk6fzO2uxO8RxP76gCAQFP9FwK1ExP9jyK9WxP+EzA04xBSIAE+rTPMULN+iyI/RSI/exP/7RP
ALWHASXQ+gTQAf1P/AxQiThQB13QB+XPCG3QBQ3QArXQA6XQDLVQCWXQB91QhZhQAw1RAa3QAnVQ
A/3QikDRD61QBu3QFEVQE3XRGD1RFOXQF1VQFaVQDS3RDm3RFZ3QHZVQEAVSFgXSEZ3KtAQMGf3R
Gc1RGu1PKX3SJL1QGL3SKb3SF4XSIMVSCMXPIgVTKuWILE1SLjVTEuXR/58oU6Ao0yZF0wt9UzOd
0i/dUjRV0zStUjENiiaV0ze1UhvF0/8qEDrd0wTd0zvVUzt1UxrV0kCV0xgl0yh90kfdUDZNVBi9
VEaVVEHtUkxVUwXl0UP1VA91UR1F1FH1iTg11Dpt0zr9U1P1UVK10yTVTzHN0lSNVE/V1C+1UkeN
1Tmd0VXlVCcVVUtt1E9VVDjtVWQN1DVFVD49VmPNU2od0Uq91GrtVD3NVVV91VatVGLV0lrtTSYt
0VCtURD91B3lVl/91Wld1kVtVkoF1lD11XZd1zFNVmftVgxNVzwFV3GFV3A911nVVjrtUX8NVmW9
01OV1mxtV/b6mxud2P98tVdvrVaIhdc0FdEz1dd5fdcbLVhqJViNDVdaBVVkJVWAPdlRBdiQ1daA
LdRsDVKKTdeVfVhgVdLR1FWKxVh5LVZ3dVWcXVh0JYqWpddb/Vl+LVWffVaYzdSU/VekndmjBdmE
PdmYZdWANVhovVlxbdf1rFloLVmp7VisHdqO5dWzVdgtZdOr9ViopdV7zdmlzdigZVtAbVW87dWl
NdkzxVaR9dNvbdR9fdH3zFV2ldeXfdm1ZdmQrdq47VbGFVEZVVpJXdyEtVhu7dFk7VSO1VWa9VfK
5Vu/JdEjJdiGHVZBrVxIxVC0fc/4jF0qWVLZrd3iJBDbzV2dFU3ddTD/8ozO3hWw36WQ4B2w4WWm
4k3esByQFpXVUi3UuQ1Tb/1cnqVeIj1U6TVXL73a5r3eqOVY60VXkk1dhL1bIc3Xfs3Qo6XeIe3X
8k1fRD3e7xiMxDXbvIXai43WeA1Xtx3cwd1audXbsmXbvhVYvYXVPO1T9G1aoHXatj3g/xVZ9Byn
+iXaArZWabVbwJVgZ5VZDC6KzVVdz03Z+kXgjf3YWZ3bps1YE25gpvVU+TU5wajgDR7h6u1cs73g
AIZSXI3a1aXbrS3cHz7hyHVhkr3bFEZhB7bgIz7ixpVOChbW8/Vewp3aem3f7eXeKkZZpnXiJWbY
SfVbFabic23d8XVe/9MN32VVUSRNYAH+4BOe4t2NYdzd3yLmWqv14qdV3SPl4m2VVcZl4Kx1XSEW
ZAy22akF2j4GYLLVY+8dWq81XDreDvqt2LGl2kReZKEtXciNXJndXENO1E5e2xLu2kR+YVSGW3dl
YVN+VxdWXr+g4bG937R15Dum5YVtYYdVZS/t2/7d5P0V3F4m4DP+4lHmXwgeZlxuzyhe4WMN5Ed+
YHMNZLGN3uxl1mBl1jFO4+8d3bdF4mJ23zRGWDTeZgNm3zH93NEl1knOJVj2r3ber3fur3gGuXkO
rXqu43uOS/HcZ7l0TX8OaACzZ4GeQfEU5l8dUjl2XIV+XHR+VjZ+aP8qJmPJrdysjWgidlLMreYw
RuIUzWIBTl3tJdIapWgsLliODuf+POhkDmK6DWcxjmAwFgrEBeIWXuKDJWVLNuBbdl4hBtwwfeBg
nlRhVVYR1twFtuMzBei/8GDWTWKTNeeVxV4frulxHmr9jeNLNuRivmnzRWSG1tqMTmXXjdRNHWBf
JuGdxuEbJNSkleaOxlpQ9mjUleKsFurrXeWqRtoabuRy9umtLtnJ1eIe9mOgfmZA3urWldrBZuCV
bs3AONW9HeLQhWalfuFUhdjMplK1beOv9VFHpmpNhmPRnmVUBWIibuLTht9DBu3zjdC+xmu/xtcA
m4b/ENs7JluPDuX/hvXjAlbn1X5llE5sqVbi1u5mjcVWiyXklw5qY71i4VbjYfZrN5ZO3E5fys5u
qM7o0gZmoqVt4bZhD45q4y5jtU5u4K5b9W3uxd5UBd7VvZ5u6gbP667gXp7rHa7ly87uzpZpnDbl
8w7as/5uwL7s5cZRM15g987fkUVu2Z5vuzXoOrbq3V5oXo5mnmbkUtZq1n3bdcZR8m5wSIXepB3x
pM5mDE/o0X5exF7vmS3akubq+O3OgibCfq7xrIRsHN9xHu9xH/9xID+mfB7y1wxyIz9yJK9dIl/y
1UxyJ18cJo/y+XxyKq9yocABK89yLd/y5pRyL/9yMA9zMR9zMi9z/zP/Sy5P8yI8czYnVzV/cziP
czmfczqvczuf3TbPcz3fcz6vjzv/8/Poc0EfdEIvdEM/dERP9HYGdEbPDkV/dLhsdEmfdEqvdEu/
dEzXQYIOigO4jgPo9AUBdaQQdeQg9erodFD/9OMgdVP3iVbPFVSfY938dFUXiFdXiFe/9VGvdYnQ
9VEvCF8nili39V4HClE39WD/9WT/CV1fdmIf9lXH9aFg9aVodsK49VjfTMA4dmFPDmwXDGc3Cm4v
inH39mrfdnuAduOgdqEId05n9mt39XSPwQKh9lSvdVqf93TH931H9WPn91SviHvHd4IPeH/3d2Av
eH3P935HdmKf9/+Db/hnZ/iEP/iA7/deV3heZ3h1x3iPp/WBt3WAp3iKz/iQh/iFf3iOX/iSP/mP
f3aJF3lel/mPV/iaR3iaj3mOn3lZz0171/eHD3qYv3hox3mgB/agL3qk5/eUl3Zuf3qkj3qDB3qo
L3eqX/qjj3qUb3qsZ/ekv/pc33qxl/evZ/qLX/qz/3mYH/q1F3uvz/q2h/qUl3u39wnn/PmNl3aJ
H3aDB3m4L3aw13qlb3q/p/vBZ/tYL/fE1/qrH/pWB3m+V/l8V3evV3pWn3yw93XFD3y+x/yvx/q4
33fQr/uEZ/zCr3hVJ/qGt/zS/xHNRPfRT32n73qVz/pgT/vGJ/3/qQ99w5/9xd/8w8/9on97wud8
vS/72Kf9pP925Ef8wP983ld+1hd6kRf+3K/9sX/+1m9rAhl3tY9+1ad7uMd94Jf66D9/2zf/8rf6
8jd90N99lH/73l9/9+eI9v/83hf66d/6xQ99gQcIewfsERxYUCBBhAcNMlSI0ODDhAkhEvxn8SLG
jBo3cuzo8SPIkCJHktQo8STKlBMPsJwosGXBlgxZDqx5UCHNmzpj2lwoMafDhjiByuSpk2LQm0V9
QkS6NCLQnzCFzizqdOpUly952mz6EulPqUKPrnz6lWLVskd7DoVpNCZXuF+VKs1ad67KvHr38u3r
9y/gwIIHEy5s//gw4sSKFzNu7PixX7CQJ1OubJlxSY6XN3Pu7Pkz6MVRQwPObPo06tSqTZNu7fo1
7NiyZ9OuTXr1P9u6d/Pu7dsy7uDChw/nLLnvcd1uf6NcHpZ5Yuefk0Ovbl0xW6d6vRo3LJkmdbKA
iYIf31wr8tGCs2Pnexyt26jqzYsNn3T88qbzr/OHzD0yer6BZd9z6wXoEHLn7bQdYwQGZt93/7H3
34MFJjgYd/Ed2B+HBuL0kExEnXVSTuW9pVZ8KVbVkIkjinUigieWuBR50gWo34BYwVeTfM7liGNS
Xc2VFox4Demjjgred+BVK5aFVnMqDvlWi0pK2KF1uFEVEVnsof/nFYVbUsglVC6FaWZKIvr0ZZAb
xjhggWyxueabdpEZJIto0qmSnHDuGeeX8OU1IZN29qknmd/FCRRxjTr6KEjRlellmTtdCR6UH2Ia
F5htWopommcdSielTNYHqJ947gdiiagiyuOMaba6YaehPkkirqfWGqOZ5WWa6JKmioclc1pOuqSQ
n3bJJ13akQrsmX/i6uyyz1o47K9yYsvredR6Cq2srtIK6rULertrqWGd+2qwvF4JKbzxPtpes2yW
eumN9T7bKbriMrvrt/cqGSzA247JbrYBE+yvu+SOq7C97IYKcL/R5tousRnvlSFc/BZ6n3pbGukr
mhmGbOetMmL/1dawopp78lhSgYyklFTOOhTLRqZMHokoqyWXyj96WWWLPc6Uc5gm1uigxq/h1vSF
UEs9dW/yWn21alQ/tqrWXXv9Ndh5PR022WWTjTXaaasNqdltuz312nHLfbV/72nN9HR4S7q3m9yu
Z/fbgdM2drkHD8p1gobz3RmEzP6ss98uO1jltdpG/leq3m6d2Nyde/55RgO3zKBolulNL+k9R7zW
xn1baWvfp4uOcWWyowQ67rmrjddoM9ZMq5Qew5oz5GqyXLSOOBL5olEwF4lsrpZfjDy1E4qYFvV/
1vii0jD2tPTPXeVH18gt6X4++pohVjD0Yxo/Koj7Ogzyh3Mi/yxxt4XPD71cMcPe7+rABT/rTa9h
y4pQtaDlv/ppx3aCIxv7LkW5Xt1MYWDyldCuNCeS7YtyHFzQty7mIgrayH6wys/72sQje30wgCaM
3/Q+SCgQCslJJXwglowlLXy1bl3yk9ZW3GSxGYLrfwjKnN8UZaHw8FB0FQsKEWnosCaOz1z3k2IN
A2WP9HGxi6uJYADtRrErAitf+krYE62VQAPeSX8LA2H7zBjGOxHRcmBcY8J+WMYCLsyLfsQddnzW
Ma3ADEg2e8rRiDSfFE6pLoiMC+RcxDPmRUg/zLMfoBwpQk5dj3eEFKQno6RCH1HSaJaq3q0Qh0P+
EG6VhXGgK/+rA8vB/LGWnYtlaFSJy4zNcpdma6UvgynM0NiymPAaJjKTqcxl6gWYu/nVaxwIuKj1
54bUpMw01UUYa27RmN48XzSp2cvSzQ527UqO7RrnHfe4zoiXyeb+WseXb9IzOLwUp2yUKM/Rpa5C
+9wmOzHUzgY5bloCZWZ1nra9I0GSd6Z06PKIxsjwhYyEa1LTQo22I0lySaI1E9+9aKRJST4SRTNr
0ggZmVGN9ixJHc3K8iDqk3rStHNo1FcR24g/ganRoMpS4Br3yNNRtsx9QdSgePKkxyFCzGBk9Oke
Lfimo7oThjW9amYWVyulsuqRKESkDDNpx5vdlFQclGFYX0j/qTymVXsl62oUtcWxFeUxpytMJf6k
asOVvA6ICCVWWbkqVy0CEJNzLSBTC7tUPjoVqVL9FCqzyLDBnrGgaYTiY494vygG0al/nY0OqyXY
pto1r45NYFmFWtqe4suxl9WcZsmXUylu66ev1eZi55gsndaVLVj9rUgCqchmPfSCyuufinYETby+
zKuUhKRLRzhIppwqZSMSFBwNFb5PPoxg0ikpS8P7SZoNd69F2ujlPgvB2owTS+k0nXrjG8z2EhSH
762dfPNbG2fqF7irIYV/AyzgAW9Ev7cjMIITrOAFm2Sg5qwdPInJ4AlTuMI0xW25dMrYg2bSwYeR
TC0LYOER/5N4wRmOHBNRh8l3pqTELn4xjLManVn5blIppHHyohRT31FlfIosLqsMLOQhW8djWizt
bV3Y2HBl9q70JTKUo7w5piC1jk1mWGMzF1bFSrnLXiYNutZ6ZcXeMWB1RS3tvqzmNasktIei4pjl
aEcX9vbKWokxnvOsZ4sIF6R8Ne5xtzLc5maXUBWl6Edlll42M7rR8X2yoyMtaWZCetKWVu+eM63p
TXO6UZf+NKhDLepRk7rUpj41ql3T6VWzutWuDh0zo5HqWbP51ba+Na5fTOtd8xpsuf41sIMt4F4T
u9hNEzayk63sWuZlGsZ+NrR1s+xpU7vac4s2trOt7W1zu8Hb3v42uMMt7nGTu9zmJoy1063udbO7
3e5+N7zjLe957+7c9r43vvOt733zu9/+/ve36S3wgU8b4AbnNsETrvBcH7zh2F44xCMu8YlTvOIW
vzjGM67xjXO84x7/OLAdLvKRk7zk8gU5ylMOTpOz3NQqfznMOYIFebW85m97hmxirvOd87znPrel
zYP+6Z8TvehGPzrSk670pQtH6E6XNNOjLvWpU/3jT786o6uu9Zdjvetf3jrYQe71sZO97GZ3TEAA
ADs=
------=_NextPart_000_000B_01C708E9.9E31BB50--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFHpj6L067053; Wed, 15 Nov 2006 10:51:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFHpj3O067052; Wed, 15 Nov 2006 10:51:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from [10.20.30.183] (adsl-66-125-125-65.dsl.pltn13.pacbell.net [66.125.125.65]) (authenticated bits=0) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFHpgQj067045; Wed, 15 Nov 2006 10:51:43 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p0624087fc181032b0471@[10.20.30.183]>
In-Reply-To: <7.0.0.16.2.20061114181343.07a37c08@vigilsec.com>
References: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com> <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG> <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com> <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.micros oft.com> <7.0.0.16.2.20061114181343.07a37c08@vigilsec.com>
Date: Wed, 15 Nov 2006 09:51:32 -0800
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: Sam Hartman <hartmans-ietf@mit.edu>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
At 6:16 PM -0500 11/14/06, Russ Housley wrote:
>Stefan:
>
>>There is no place where RFC 2560 requires the render to
>>successfully handle a composite request. It only specifies how it
>>should be done.
>
>It does not say one way or the other. That is the problem. It
>specifies the syntax, without telling the reader whether some or all
>of it is mandatory to implement. This is the crux of Sam's discuss
>position. Nothing in the text leads the reader to believe that
>responding to a multi-certificate query is OPTIONAL.
>
>I find the use of "unauthorized" to indicate that a client cannot
>make a multi-certificate request unacceptable. To me, that implies
>that some other client would be authorized to make such a request.
>
>I also find the use of "internalError" to indicate that a client
>cannot make a multi-certificate request unacceptable.
Unfortunately, I agree with Russ on this one. We boxed ourselves in
with the definitions of the response semantics because we did not
predict this case.
I also do not see how we can handle the problem without changing the
OCSP version number, but I would really like to be wrong about that.
--Paul Hoffman, Director
--VPN Consortium
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFHSVmw061539; Wed, 15 Nov 2006 10:28:31 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFHSViO061538; Wed, 15 Nov 2006 10:28:31 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from kraid.nerim.net (smtp-103-wednesday.nerim.net [62.4.16.103]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFHSU6p061509 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 10:28:31 -0700 (MST) (envelope-from julien.stern@cryptolog.com)
Received: from uranus.cry.pto (cryptolog.net8.nerim.net [62.212.120.81]) by kraid.nerim.net (Postfix) with ESMTP id 039BD40F45 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 18:28:28 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by uranus.cry.pto (Postfix) with ESMTP id 6F1A3441DA for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 18:29:10 +0100 (CET)
Received: from uranus.cry.pto ([127.0.0.1]) by localhost (uranus [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04528-01 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 18:29:06 +0100 (CET)
Received: from isonoe.cry.pto (isonoe.cry.pto [10.0.1.15]) by uranus.cry.pto (Postfix) with SMTP id 091C4441D9 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 18:29:05 +0100 (CET)
Received: by isonoe.cry.pto (sSMTP sendmail emulation); Wed, 15 Nov 2006 18:28:23 +0100
From: "Julien Stern" <julien.stern@cryptolog.com>
Date: Wed, 15 Nov 2006 18:28:23 +0100
To: ietf-pkix@imc.org
Subject: Re: RFC3280bis: NotAfter 99991231235959Z
Message-ID: <20061115172823.GW15161@isonoe.cry.pto>
Mail-Followup-To: Julien Stern <julien.stern@cryptolog.com>, ietf-pkix@imc.org
References: <7.0.0.16.2.20060821173001.012803b8@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <7.0.0.16.2.20060821173001.012803b8@vigilsec.com>
User-Agent: Mutt/1.5.11
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at cryptolog.com
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
On Wed, Nov 15, 2006 at 09:55:47AM -0500, Russ Housley wrote:
>
> I would like to add some text about certificates that are not
> intended to expire. I propose the following paragraph.
>
> In some situations, devices are given permanent certificates. For
> example, a device could be issued a certificate that binds its model
> and serial number to its public key. Such a certificate is intended
> to be used for the entire lifetime of the device. It indicate the
> permanent nature of such a certificate, the notAfter SHOULD be
> assigned the GeneralizedTime value of 99991231235959Z.
>
> Any concerns?
If the device is somehow stolen or compromised at some point,
doesn't this mean that you will have to keep its serial number in a CRL
(or an other revocation system) until the end of times?
When faced with a somehow similar issue, we decided to set the date to
the expected lifetime of the device plus a few years to avoid the above
issue.
--
Julien
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFHDPsB056827; Wed, 15 Nov 2006 10:13:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFHDPcq056826; Wed, 15 Nov 2006 10:13:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.215]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFHDOBp056795 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 10:13:25 -0700 (MST) (envelope-from Ryan.Hurst@microsoft.com)
Received: from tk1-exhub-c104.redmond.corp.microsoft.com (157.56.116.117) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.0.685.15; Wed, 15 Nov 2006 09:13:19 -0800
Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com (157.54.69.169) by tk1-exhub-c104.redmond.corp.microsoft.com (157.56.116.117) with Microsoft SMTP Server id 8.0.685.20; Wed, 15 Nov 2006 09:13:18 -0800
Received: from WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.25]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.2786); Wed, 15 Nov 2006 09:13:18 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Wed, 15 Nov 2006 09:12:50 -0800
Message-ID: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344CFF2@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <7.0.0.16.2.20061114181343.07a37c08@vigilsec.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccIT7uJ7ZnLSN6oRQmYAhn4pmp/fQAhXxGA
References: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com> <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG> <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com> <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.microsoft.com> <7.0.0.16.2.20061114181343.07a37c08@vigilsec.com>
From: Ryan Hurst <Ryan.Hurst@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, Stefan Santesson <stefans@microsoft.com>, <ietf-pkix@imc.org>
CC: Sam Hartman <hartmans-ietf@mit.edu>
X-OriginalArrivalTime: 15 Nov 2006 17:13:18.0917 (UTC) FILETIME=[5881B750:01C708D9]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAFHDPBp056821
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This problem is not limited to multi-certificate requests, there are a
number of optional items in 2560 where this same problem exists (OCSP
request extensions, multi-cert requests where responders cannot
authoritatively respond to all certificates, etc.); 2560 does not tell
implementers how to deal with these cases at all.
This leaves us with a practical problem, since there were at one point
(I have not been watching products in this space for some time) at least
a dozen interoperable implementations of 2560 we need to ask if it is
appropriate for us to change the 2560 in such a way to break those
implementations?
I would argue that continued interoperability trumps technical purity
here, I don't think anyone would argue against adding additional errors
before this was the case the but cat is out of the bag; now the question
becomes what have the implementations done to achieve the
interoperability that does exist, and should we clarify 2560 to make
that more obvious for the next implementers?
In general I don't see a problem with this question in principal but at
the same time I do not want to see us crack open 2560 as it opens the
door to many other edits that have the potential to break
implementations, but if we must how do we limit these edits to those
that provide clarity and do not break these existing implementations?
I also (selfishly maybe) do not want to see this draft be held up any
further, we have reached the point where there is rough consensus in the
WG and with the implementers, we have working code shipping from
multiple vendors and documenting what these interoperable
implementations do to help others in the future just seems to make
sense; frankly I just don't see how holding the LW OCSP draft up helps
anyone.
What I would like to propose is that we let the LW OCSP draft go forward
since it doesn't conflict with 2560 as it stands today and then begin a
2560bis effort, were I would be willing to work with Mike, Dave, Alex to
identify text that would clarify some of these points without breaking
existing implementations as long as the WG and its chairs will help us
limit the scope of these changes to clarifications and not go down the
path of creating a new version of the protocol.
Ryan
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Russ Housley
Sent: Tuesday, November 14, 2006 3:17 PM
To: Stefan Santesson; ietf-pkix@imc.org
Cc: Sam Hartman
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Stefan:
>There is no place where RFC 2560 requires the render to successfully
>handle a composite request. It only specifies how it should be done.
It does not say one way or the other. That is the problem. It
specifies the syntax, without telling the reader whether some or all
of it is mandatory to implement. This is the crux of Sam's discuss
position. Nothing in the text leads the reader to believe that
responding to a multi-certificate query is OPTIONAL.
I find the use of "unauthorized" to indicate that a client cannot
make a multi-certificate request unacceptable. To me, that implies
that some other client would be authorized to make such a request.
I also find the use of "internalError" to indicate that a client
cannot make a multi-certificate request unacceptable.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFH5pSf055646; Wed, 15 Nov 2006 10:05:51 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFH5p5l055645; Wed, 15 Nov 2006 10:05:51 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from anchor-post-36.mail.demon.net (anchor-post-36.mail.demon.net [194.217.242.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFH5nxP055637 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 10:05:50 -0700 (MST) (envelope-from lists@drh-consultancy.demon.co.uk)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10] helo=[192.168.7.2]) by anchor-post-36.mail.demon.net with esmtp (Exim 4.42) id 1GkOCQ-00027f-LZ for ietf-pkix@imc.org; Wed, 15 Nov 2006 17:05:34 +0000
Message-ID: <455B48E7.8040504@drh-consultancy.demon.co.uk>
Date: Wed, 15 Nov 2006 17:05:43 +0000
From: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: PEM file format rfc draft request
References: <E1GkJly-0002Yw-00@medusa01.cs.auckland.ac.nz>
In-Reply-To: <E1GkJly-0002Yw-00@medusa01.cs.auckland.ac.nz>
X-Enigmail-Version: 0.94.1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Peter Gutmann wrote:
> "Dieter Bratko" <Dieter.Bratko@iaik.tugraz.at> writes:
>
>> For that reason a standard giving some recommendations for the usage of PEM
>> headers would be very useful. It should not only cover keys, but also
>> certificates, crls, requests,... (for instance, some applications use -----
>> BEGIN CERTIFICATE REQUEST-----. and some use -----BEGIN NEW CERTIFICATE
>> REQUEST-----, and some may use -----BEGIN PKCS10 REQUEST---- or something
>> other for encoding a certificate request).
>
> That's why I suggested that a regexp is the only way to handle this. You also
> need to take into account usage in other environments like PGP and SSH, which
> also use the PEM format. From memory my code's workflow is something like:
>
> look for '----';
> look for either another '-' or a ' ';
> look for 'BEGIN';
>
> This handles the common PEM start. Then:
>
> if the remaining text contains 'SSH' it's an SSH public key;
> goto SSH-processing;
> if the remaining text contains 'PGP' it's a PGP public key;
> goto PGP-processing;
> // Default: It's something X.509-ish
> if the remaining text contains 'REQUEST' or 'PKCS10' it's a PKCS #10 cert request;
> if the remainig text contains 'PRIVATE' it's a private key;
> otherwise it's a cert of some form;
>
> This should handle pretty much everything out there.
>
I've seen several variants on that. A far from exhaustive list from
memory...
If it includes 'PKCS7' or 'PKCS#7' then it is a PKCS#7 ContentInfo,
usually but not always certs only.
'X509' is normally a certificate but I've also seen it containing PKCS#7
certs only and something called "Netscape Certificates Sequence".
Contains 'CERTIFICATE' oddly enough a certificate.
Contains 'CRL': CRL.
Is 'ENCRYPTED PRIVATE KEY' is PKCS#8 EncryptedPrivateKeyInfo.
Is 'PRIVATE KEY' (with no mention of algorithm) PKCS#8 PrivateKeyInfo.
Is 'RSA PRIVATE KEY' PKCS#1 RSAPrivateKey.
Is 'DSA PRIVATE KEY' SSLeay compatible DSA private key.
Private key types PKCS#8 related can include encryption parameters in
the headers.
Is 'PUBLIC KEY' SubjectPublicKeyInfo (RFC3280 et al).
Contains 'PARAMETERS': DSA, DH, EC parameters of various types.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFH4x8F055472; Wed, 15 Nov 2006 10:04:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFH4xUK055471; Wed, 15 Nov 2006 10:04:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAFH4w5J055465 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 10:04:58 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 29940 invoked by uid 0); 15 Nov 2006 17:04:53 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 15 Nov 2006 17:04:53 -0000
Message-Id: <7.0.0.16.2.20061115120411.07502a80@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 15 Nov 2006 12:04:47 -0500
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: RFC3280bis: NotAfter 99991231235959Z
Cc: ietf-pkix@imc.org
In-Reply-To: <455B4538.4080408@cs.tcd.ie>
References: <7.0.0.16.2.20061115095452.040eac28@vigilsec.com> <455B4538.4080408@cs.tcd.ie>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I am fine with the alternate wording. I want the 99991231235959Z
suggestion in the document.
Russ
At 11:50 AM 11/15/2006, Stephen Farrell wrote:
>Russ Housley wrote:
>>I would like to add some text about certificates that are not
>>intended to expire. I propose the following paragraph.
>>In some situations, devices are given permanent certificates. For
>>example, a device could be issued a certificate that binds its
>>model and serial number to its public key. Such a certificate is
>>intended to be used for the entire lifetime of the device. It
>>indicate the permanent nature of such a certificate, the notAfter
>>SHOULD be assigned the GeneralizedTime value of 99991231235959Z.
>>Any concerns?
>
>I like the idea, but according to my local folders, when we discussed
>this off list before and came up with a variant wording which I think
>was:
>
>"In some situations, devices are given certificates for which no good
>expiration date can be assigned. For example, a device could be issued
>a certificate that binds its model and serial number to its public key;
>such a certificate is intended to be used for the entire lifetime of
>the device.
>
>To indicate that a certificate has no well defined expiration date, the
>notAfter MUST be assigned the GeneralizedTime value of 99991231235959Z."
>
>There was some discussion about whether that last MUST is right or
>not, (and I don't care myself), but I guess we never did put any of
>it into the draft,
>
>Cheers
>Stephen.
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFH0FEL054627; Wed, 15 Nov 2006 10:00:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFH0FIq054626; Wed, 15 Nov 2006 10:00:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from anchor-post-34.mail.demon.net (anchor-post-34.mail.demon.net [194.217.242.92]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFH0ElH054616 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 10:00:14 -0700 (MST) (envelope-from shenson@drh-consultancy.demon.co.uk)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10] helo=[192.168.7.2]) by anchor-post-34.mail.demon.net with esmtp (Exim 4.42) id 1GkO6Y-000EvX-DB for ietf-pkix@imc.org; Wed, 15 Nov 2006 16:59:29 +0000
Message-ID: <455B4776.2060607@drh-consultancy.demon.co.uk>
Date: Wed, 15 Nov 2006 16:59:34 +0000
From: Dr Stephen Henson <shenson@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: PEM file format rfc draft request
References: <E1GkJly-0002Yw-00@medusa01.cs.auckland.ac.nz>
In-Reply-To: <E1GkJly-0002Yw-00@medusa01.cs.auckland.ac.nz>
X-Enigmail-Version: 0.94.1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Peter Gutmann wrote:
> "Dieter Bratko" <Dieter.Bratko@iaik.tugraz.at> writes:
>
>> For that reason a standard giving some recommendations for the usage of PEM
>> headers would be very useful. It should not only cover keys, but also
>> certificates, crls, requests,... (for instance, some applications use -----
>> BEGIN CERTIFICATE REQUEST-----. and some use -----BEGIN NEW CERTIFICATE
>> REQUEST-----, and some may use -----BEGIN PKCS10 REQUEST---- or something
>> other for encoding a certificate request).
>
> That's why I suggested that a regexp is the only way to handle this. You also
> need to take into account usage in other environments like PGP and SSH, which
> also use the PEM format. From memory my code's workflow is something like:
>
> look for '----';
> look for either another '-' or a ' ';
> look for 'BEGIN';
>
> This handles the common PEM start. Then:
>
> if the remaining text contains 'SSH' it's an SSH public key;
> goto SSH-processing;
> if the remaining text contains 'PGP' it's a PGP public key;
> goto PGP-processing;
> // Default: It's something X.509-ish
> if the remaining text contains 'REQUEST' or 'PKCS10' it's a PKCS #10 cert request;
> if the remainig text contains 'PRIVATE' it's a private key;
> otherwise it's a cert of some form;
>
> This should handle pretty much everything out there.
>
I've seen several variants on that a far from exhaustive list from memory...
If it includes 'PKCS7' or 'PKCS#7' then it is a PKCS#7 ContentInfo,
usually but not always certs only.
'X509' is normally a certificate but I've also seen it containing PKCS#7
certs only and something called "Netscape Certificates Sequence".
Contains 'CERTIFICATE' oddly enough a certificate.
Contains 'CRL': CRL.
Is 'ENCRYPTED PRIVATE KEY' is PKCS#8 EncryptedPrivateKeyInfo.
Is 'PRIVATE KEY' (with no mention of algorithm) PKCS#8 PrivateKeyInfo.
Is 'RSA PRIVATE KEY' PKCS#1 RSAPrivateKey.
Is 'DSA PRIVATE KEY' SSLeay compatible DSA private key.
Private key types PKCS#8 related can include encryption parameters in
the headers.
Is 'PUBLIC KEY' SubjectPublicKeyInfo (RFC3280 et al).
Contains 'PARAMETERS': DSA, DH, EC parameters of various types.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFGxxLL054532; Wed, 15 Nov 2006 09:59:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFGxxHs054531; Wed, 15 Nov 2006 09:59:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFGxwhh054515 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 09:59:58 -0700 (MST) (envelope-from mcooper@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: questions on CertificatePolicies processing
Date: Wed, 15 Nov 2006 08:59:46 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C879057481DC@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: questions on CertificatePolicies processing
Thread-Index: AccIyOHgq37IDj0pTl+l2gIF0W5mXgACGgBw
From: "Matt Cooper" <mcooper@orionsec.com>
To: "Kopylov Denis" <kopylov@top-cross.ru>, <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAFGxwhh054525
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Q1: Is there any sense in setting user-initial-policy-set without
setting initial_explicit_policy?
[Matt] In some circumstances it may be of value during authentication
and authorization. For example, if the certificate is valid, but valid
for no policies, allow access only to A. If valid for policy X, allow
access to A and B, etc. However, in many circumstances, I think
software may choose to set initial-explicit-policy if an initial policy
set is supplied, as this would frequently be the intent of supplying the
initial set. I think this decision is dependent on what you are
attempting to achieve through the certificate validation and what sort
of feedback (if any) the software will supply to the user relating to
the final policy set. In any case, if an initial policy set can be
supplied, there should be a way to turn on initial-require-explicit if
this is not the default behavior of the software.
Q2: How should be treated a valid certificate if validation with
non-empty user-initial-policy-set resulted in empty valid_policy_tree?
[Matt] If require explicit policy is set, either initially or by a
certificate in the path, the certificate is not valid if the final
policy set is empty.
Matt Cooper
CygnaCom Solutions
7925 Jones Branch Dr, Suite 5200
McLean, VA 22102
http://www.cygnacom.com
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Kopylov Denis
Sent: Wednesday, November 15, 2006 8:00 AM
To: ietf-pkix@imc.org
Subject: questions on CertificatePolicies processing
Q1: Is there any sense in setting user-initial-policy-set without
setting initial_explicit_policy?
Q2: How should be threated a valid certificate if validation with
non-empty user-initial-policy-set resulted in empty valid_policy_tree?
--
Kopylov Denis
kopylov at top-cross.ru
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFGnE5F052864; Wed, 15 Nov 2006 09:49:14 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFGnEeO052863; Wed, 15 Nov 2006 09:49:14 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from imx2.tcd.ie (imx2.tcd.ie [134.226.1.156]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFGnD8I052837 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 09:49:14 -0700 (MST) (envelope-from stephen.farrell@cs.tcd.ie)
Received: from Vams.imx2 (imx2.tcd.ie [134.226.1.156]) by imx2.tcd.ie (Postfix) with SMTP id 5C73B682F6; Wed, 15 Nov 2006 16:49:07 +0000 (GMT)
Received: from imx2.tcd.ie ([134.226.1.156]) by imx2.tcd.ie ([134.226.1.156]) with SMTP (gateway) id A012095904D; Wed, 15 Nov 2006 16:49:07 +0000
Received: from [127.0.0.1] (nanga.dsg.cs.tcd.ie [134.226.36.174]) by imx2.tcd.ie (Postfix) with ESMTP id 562B2682F6; Wed, 15 Nov 2006 16:49:07 +0000 (GMT)
Message-ID: <455B4538.4080408@cs.tcd.ie>
Date: Wed, 15 Nov 2006 16:50:00 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>
Cc: ietf-pkix@imc.org
Subject: Re: RFC3280bis: NotAfter 99991231235959Z
References: <7.0.0.16.2.20061115095452.040eac28@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061115095452.040eac28@vigilsec.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiVirus-Status: MessageID = A112095904D
X-AntiVirus-Status: Host: imx2.tcd.ie
X-AntiVirus-Status: Action Taken:
X-AntiVirus-Status: NONE
X-AntiVirus-Status: Checked by TCD Vexira. (version=1.56.3 VDF=8.1399)
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ Housley wrote:
>
> I would like to add some text about certificates that are not intended
> to expire. I propose the following paragraph.
>
> In some situations, devices are given permanent certificates. For
> example, a device could be issued a certificate that binds its model and
> serial number to its public key. Such a certificate is intended to be
> used for the entire lifetime of the device. It indicate the permanent
> nature of such a certificate, the notAfter SHOULD be assigned the
> GeneralizedTime value of 99991231235959Z.
>
> Any concerns?
I like the idea, but according to my local folders, when we discussed
this off list before and came up with a variant wording which I think
was:
"In some situations, devices are given certificates for which no good
expiration date can be assigned. For example, a device could be issued
a certificate that binds its model and serial number to its public key;
such a certificate is intended to be used for the entire lifetime of the
device.
To indicate that a certificate has no well defined expiration date, the
notAfter MUST be assigned the GeneralizedTime value of 99991231235959Z."
There was some discussion about whether that last MUST is right or
not, (and I don't care myself), but I guess we never did put any of
it into the draft,
Cheers
Stephen.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFGdLnO051174; Wed, 15 Nov 2006 09:39:21 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFGdLYk051171; Wed, 15 Nov 2006 09:39:21 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail.nbusr.sk (mail.nbusr.sk [84.245.65.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFGdJVa051135 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 09:39:20 -0700 (MST) (envelope-from rybar@nbusr.sk)
Message-Id: <200611151639.kAFGdJVa051135@balder-227.proper.com>
Received: from IBM5E1D7F233E3 ([10.0.250.204]) by mail.nbusr.sk with esmtp; Wed, 15 Nov 2006 17:35:45 +0100 id 0001CCA7.455B41E4.0000C774
From: "Peter Rybar" <rybar@nbusr.sk>
To: "'Russ Housley'" <housley@vigilsec.com>
Cc: ietf-pkix@imc.org
Subject: RE: RFC3280bis: NotAfter 99991231235959Z
Date: Wed, 15 Nov 2006 17:39:13 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
In-reply-to: <7.0.0.16.2.20061115095452.040eac28@vigilsec.com>
thread-index: AccI0mORJ99k5h9vRVyWdjmaVpndlgAAV1Ww
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAFGdKVa051157
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Some utility written in C language time (The time function returns the number of seconds elapsed since midnight (00:00:00), January 1, 1970,) will crash. ;-)
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
Sent: Wednesday, November 15, 2006 3:56 PM
To: ietf-pkix@imc.org
Subject: RFC3280bis: NotAfter 99991231235959Z
I would like to add some text about certificates that are not
intended to expire. I propose the following paragraph.
In some situations, devices are given permanent certificates. For
example, a device could be issued a certificate that binds its model
and serial number to its public key. Such a certificate is intended
to be used for the entire lifetime of the device. It indicate the
permanent nature of such a certificate, the notAfter SHOULD be
assigned the GeneralizedTime value of 99991231235959Z.
Any concerns?
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFGaLiF050673; Wed, 15 Nov 2006 09:36:21 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFGaLCu050672; Wed, 15 Nov 2006 09:36:21 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.212]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFGaI7F050636 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 09:36:21 -0700 (MST) (envelope-from Ryan.Hurst@microsoft.com)
Received: from TK5-EXHUB-C102.redmond.corp.microsoft.com (157.54.70.72) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.0.685.15; Wed, 15 Nov 2006 08:36:13 -0800
Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com (157.54.69.169) by TK5-EXHUB-C102.redmond.corp.microsoft.com (157.54.70.72) with Microsoft SMTP Server id 8.0.685.20; Wed, 15 Nov 2006 08:36:12 -0800
Received: from WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.25]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.2786); Wed, 15 Nov 2006 08:36:13 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Wed, 15 Nov 2006 08:35:51 -0800
Message-ID: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800344CFCB@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA0A@EA-EXMSG-C307.europe.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccHeE/KbPJryS8sSM+aS+rqrtdjmAABDwUQABnd37AACuUgEAAxFeww
References: <82D5657AE1F54347A734BDD33637C879056F7CEC@EXVS01.ex.dslextreme.net> <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA0A@EA-EXMSG-C307.europe.corp.microsoft.com>
From: Ryan Hurst <Ryan.Hurst@microsoft.com>
To: Stefan Santesson <stefans@microsoft.com>, Santosh Chokhani <chokhani@orionsec.com>, Russ Housley <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>, <ietf-pkix@imc.org>
CC: Sam Hartman <hartmans-ietf@mit.edu>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>
X-OriginalArrivalTime: 15 Nov 2006 16:36:13.0058 (UTC) FILETIME=[29CA9620:01C708D4]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAFGaL7F050667
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Although I know of toolkits that can send requests like this, and
servers that can respond like this I know of no clients that send
requests like this.
Ryan
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Stefan Santesson
Sent: Tuesday, November 14, 2006 9:11 AM
To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
Cc: Sam Hartman; Michael Myers; Dave Engberg
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Santosh,
I didn't say it was hard. I say that I doubt that there are many
implementations supporting this scenario even those with a responder
key.
It would be interesting to hear from implementers if I'm right.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> Sent: den 14 november 2006 03:59
> To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> Stefan,
>
> You are making more complex than it is. The Responder can include all
> the CA certificates that issued the certificate in question and AIA
can
> do the rest.
>
> Furthermore, since most PKI are two tier hierarchy, in Enterprise
> environment, the CA certificate certification path is not an issue.
>
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org]
> On Behalf Of Stefan Santesson
> Sent: Monday, November 13, 2006 6:54 PM
> To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> I'm not sure the case described is a realistic one.
>
> Section 2.2
> All definitive response messages SHALL be digitally signed. The key
> used to sign the response MUST belong to one of the following:
>
> -- the CA who issued the certificate in question
> -- a Trusted Responder whose public key is trusted by the requester
> -- a CA Designated Responder (Authorized Responder) who holds a
> specially marked certificate issued directly by the CA,
> indicating
> that the responder may issue OCSP responses for that CA
>
> Since the request is on certificates issued by 2 different CA:s trust
> option 1 is invalid.
> Trust option 3 is valid in theory but in practice it requires that the
> OCSP responder provide multiple validation paths in the response, one
> for each issuing CA. Somehow I doubt that this is implemented by
> anyone.
>
> Trust option 2 is not generic and is only valid as a result of a local
> configuration.
>
> So I don't think this is a problem only for key-less responders.
>
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
>
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org] On Behalf Of Russ Housley
> > Sent: den 13 november 2006 14:08
> > To: Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> > I prefer an error that tells the client to ask for the certificate
> > one at a time.
> >
> > Russ
> >
> >
> > At 02:46 PM 11/13/2006, Price, Bill wrote:
> >
> > >I'd suggest focusing on understanding where responses to the keyed
> and
> > >keyless responders inherently differ. I am aware of two general
> cases:
> > >
> > >1) The request asks for the status of multiple certificates that
> have
> > >not been included in a single presigned response. Russ's example
> fits
> > >into this case. The keyed responder handles, but the keyless will
> fail
> > >for the general case. Some responders respond with the presigned
> > >response that includes one of the certificates (usually the first)
> in
> > >the request. A common situation is to ask for the status of
> > >certificates in a chain. Santosh points out some keyless responders
> > >anticipate this and bundle responses accordingly.
> > >
> > >2) The request is "well-formed" but asks for the status of a
> > >certificate for which the keyless responder has not prepared a
> > >response. This situation will occur if:
> > >
> > > a) The request is for status of a certificate from a supported
> CA
> > >but with a serial number for which there is no pre-signed response.
> > >Assuming presigned responses exist for all certificates that would
> be
> > >valid based on their validity intervals, this would occur if the
> > >certificate had expired or was yet to be issued (I am aware the
> > keyless
> > >responders generally produce responses for certificates likely to
be
> > >issued before the next generation of presigned responses). The
keyed
> > >responder would give a signed "good" response. My understanding is
> > that
> > >the keyless responder under the draft lightweight OCSP responds
with
> > an
> > >unsigned "unauthorized" error code.
> > >
> > > b) The request is for the status of a certificate from an
> > >unsupported (or non-existent) CA. The keyed responder would respond
> > >with a signed "unknown" response while under the draft, the keyless
> > >would again respond with the unsigned "unauthorized" error code.
> > >
> > >Some might argue with some grounds that these differences are
> unusual,
> > >unlikely, and insignificant.
> > >
> > >I personally consider the behavior in 2 of responding with the
> > >"unauthorized" error to be misleading. "Internal error" sounds more
> > >appropriate if I were constrained to the current error codes.
> > >"Malformed request" might be OK. However, the actual situation does
> > not
> > >match well with any of these errors as they are described in 2560.
> > >
> > >If 2560 is supposed to encompass keyless responders, I'd recommend
> > >identifying the unavoidable differences and/or adding 2 TBD error
> > codes
> > >for the above cases (assuming they are the only differences). The
> > first
> > >error can be worked around by breaking the request for status of
> > >multiples into multiple requests for status of one cert.
> > >
> > >We've also seen some problems with client apps that can't handle
> > >presigned responses that commonly contain the status of several
> (e.g.,
> > >15-25) certs. The apps inquired for the status of a single cert and
> > >apparently expected a response for a single certificate. I'd
suggest
> > >that some "must" or "should" words address clients' ability to
> handle
> > >the situation of a response covering multiple certificates.
> > >
> > >
> > >
> > >Bill Price
> > >
> > >-----Original Message-----
> > >From: owner-ietf-pkix@mail.imc.org
> > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > >Sent: Monday, November 13, 2006 11:46 AM
> > >To: Michael Myers; Dave Engberg
> > >Cc: ietf-pkix@imc.org; Sam Hartman
> > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > >Mike:
> > >
> > >I think it is not that simple. I think you need to say that
support
> > >for one certificate MUST be supported, and that support for more
> than
> > >one certificate is OPTIONAL. Then, the error is am indication that
> > >the requestor has selected an unimplemented OPTION.
> > >
> > >Russ
> > >
> > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > >Responders unable to produce or acquire a definitive response
MUST
> > >return <a
> > > >TBD error>.
> > > >
> > > >As to your other points Santosh, that is something I prefer the
> > chairs
> > > >consider.
> > > >
> > > > > -----Original Message-----
> > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > >
> > > > > Mike,
> > > > >
> > > > > What is the error case?
> > > > >
> > > > > . . .
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFFo3E4036995; Wed, 15 Nov 2006 08:50:03 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFFo3hm036993; Wed, 15 Nov 2006 08:50:03 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailrelay1.tugraz.at (mailrelay.tu-graz.ac.at [129.27.2.202]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFFo1PP036942 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 08:50:02 -0700 (MST) (envelope-from peter.lipp@iaik.tugraz.at)
Received: from thor.iaik.tugraz.at (mail1.iaik.tugraz.at [129.27.152.30]) by mailrelay1.tugraz.at (8.13.8/8.13.8) with ESMTP id kAFFnhHK027511; Wed, 15 Nov 2006 16:49:43 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by thor.iaik.tugraz.at (Postfix) with ESMTP id BEAAC19400A; Wed, 15 Nov 2006 16:49:43 +0100 (CET)
Received: from thor.iaik.tugraz.at ([127.0.0.1]) by localhost (thor [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 18315-06; Wed, 15 Nov 2006 16:49:43 +0100 (CET)
Received: from NOTEBOOKLIPP (notebooklipp.iaik.tugraz.at [129.27.152.52]) by thor.iaik.tugraz.at (Postfix) with ESMTP id A105B194008; Wed, 15 Nov 2006 16:49:43 +0100 (CET)
From: "Peter Lipp" <peter.lipp@iaik.tugraz.at>
To: "'Peter Gutmann'" <pgut001@cs.auckland.ac.nz>, <Dieter.Bratko@iaik.tugraz.at>, <ron.ogle@thomson.net>
Cc: <ietf-pkix@imc.org>
Subject: AW: PEM file format rfc draft request
Date: Wed, 15 Nov 2006 16:49:43 +0100
Message-ID: <01bb01c708cd$ab264b80$34981b81@iaik.tugraz.at>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AccIuk6pd6/SBBMzR/mZaFOt5SYzjAAEumtg
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
In-Reply-To: <E1GkJly-0002Yw-00@medusa01.cs.auckland.ac.nz>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at iaik.tugraz.at
X-Spam-Scanner: SpamAssassin 3.001007
X-Spam-Score-relay: -2.6
X-Scanned-By: MIMEDefang 2.58 on 129.27.10.18
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
> This should handle pretty much everything out there.
Sure. With a heavy machine your are always able to pick up all sorts of junk
that you find on the floor.... :-)
Our software is basically doing the same, but this not really an argument
for producing all sorts of junk. An official document may at least help
avoiding new incarnations of these things....
Peter
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFFhNFf034897; Wed, 15 Nov 2006 08:43:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFFhNuK034895; Wed, 15 Nov 2006 08:43:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mizar.origin-it.net (mail.de.atosorigin.com [194.8.96.234]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFFhLGE034843 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 08:43:22 -0700 (MST) (envelope-from thomas.beckmann@atosorigin.com)
Received: from matar.hbg.de.int.atosorigin.com (avior.origin-it.net [213.70.176.177]) by mizar.origin-it.net (8.13.8/8.13.8/hmo020206) with ESMTP id kAFFhFQK088768 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 16:43:15 +0100 (CET) (envelope-from thomas.beckmann@atosorigin.com)
Received: from DEHHX001.deuser.de.intra (dehhx001.hbg.de.int.atosorigin.com [161.90.164.119]) by matar.hbg.de.int.atosorigin.com (8.13.8/8.13.8/hmo020206) with ESMTP id kAFFhF3A091593 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 16:43:15 +0100 (CET) (envelope-from thomas.beckmann@atosorigin.com)
Received: from DEFMX001.deuser.de.intra ([156.150.130.152]) by DEHHX001.deuser.de.intra with Microsoft SMTPSVC(6.0.3790.1830); Wed, 15 Nov 2006 16:43:15 +0100
x-mimeole: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Subject: AW: RFC3280bis: NotAfter 99991231235959Z
Date: Wed, 15 Nov 2006 16:43:13 +0100
Message-ID: <499A38F851BC9546BC566AF8FEC9CFBD82ECE9@DEFMX001.deuser.de.intra>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: RFC3280bis: NotAfter 99991231235959Z
Thread-Index: AccIy4Ta4L/ZxdwqTMi55PUt54Q8lAAAJQkQAAAkvyA=
From: <thomas.beckmann@atosorigin.com>
To: <ietf-pkix@imc.org>
X-OriginalArrivalTime: 15 Nov 2006 15:43:15.0323 (UTC) FILETIME=[C3B6B4B0:01C708CC]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAFFhMGE034878
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
FYI
> -----Ursprüngliche Nachricht-----
> Von: Beckmann, Thomas [S229271]
> Gesendet: Mittwoch, 15. November 2006 16:41
> An: 'Russ Housley'
> Betreff: AW: RFC3280bis: NotAfter 99991231235959Z
>
> Russ,
>
> what about the validity of the issuing ca? In general, the ca
> certificate isn't valid that long, so the devices certificate
> becomes invalid when the ca certificate expires. How will you
> handle that?
>
> Thomas
>
> > -----Ursprüngliche Nachricht-----
> > Von: owner-ietf-pkix@mail.imc.org
> > [mailto:owner-ietf-pkix@mail.imc.org] Im Auftrag von Russ Housley
> > Gesendet: Mittwoch, 15. November 2006 15:56
> > An: ietf-pkix@imc.org
> > Betreff: RFC3280bis: NotAfter 99991231235959Z
> >
> >
> > I would like to add some text about certificates that are
> not intended
> > to expire. I propose the following paragraph.
> >
> > In some situations, devices are given permanent certificates.
> > For example, a device could be issued a certificate that binds its
> > model and serial number to its public key. Such a certificate is
> > intended to be used for the entire lifetime of the device. It
> > indicate the permanent nature of such a certificate, the notAfter
> > SHOULD be assigned the GeneralizedTime value of 99991231235959Z.
> >
> > Any concerns?
> >
> > Russ
> >
> >
> >
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFFZanB032536; Wed, 15 Nov 2006 08:35:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFFZaL5032535; Wed, 15 Nov 2006 08:35:36 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from top-cross.ru (top-cross.ru [194.226.79.2]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFFZYNB032491 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 08:35:35 -0700 (MST) (envelope-from kopylov@top-cross.ru)
Received: from [62.181.53.2] (account jim HELO [192.168.0.59]) by top-cross.ru (CommuniGate Pro SMTP 4.2.10) with ESMTP id 615820; Wed, 15 Nov 2006 18:36:03 +0300
Message-ID: <455B33BC.4080103@top-cross.ru>
Date: Wed, 15 Nov 2006 18:35:24 +0300
From: Kopylov Denis <kopylov@top-cross.ru>
Reply-To: kopylov@top-cross.ru
Organization: OOO =?UTF-8?B?0KLQvtC/INCa0YDQvtGB0YE=?=
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: ietf-pkix@imc.org
CC: Peter Rybar <rybar@nbusr.sk>
Subject: Re: questions on CertificatePolicies processing
References: <auto-000000615815@top-cross.ru>
In-Reply-To: <auto-000000615815@top-cross.ru>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Peter Rybar пиÑеÑ:
> Some info are in
>
> http://www.nbusr.sk/sep/leg_rozne/kontrola_cert_cesty_en.pdf
>
Thank you for the link. But there is no answer in that PDF - just one
more description for validation procedure.
Main thought behind my questions is that there should be some difference
in interpretation of empty valid_policy_set - depending on
user_initial_policy_set value.
--
======================================================
Kopylov Denis
kopylov at top-cross.ru
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFFXRRM031964; Wed, 15 Nov 2006 08:33:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFFXRR8031963; Wed, 15 Nov 2006 08:33:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAFFXQ5S031940 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 08:33:26 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 32226 invoked by uid 0); 15 Nov 2006 15:33:23 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 15 Nov 2006 15:33:23 -0000
Message-Id: <7.0.0.16.2.20061115103018.03f044a8@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 15 Nov 2006 10:31:37 -0500
To: "Santosh Chokhani" <chokhani@orionsec.com>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>
In-Reply-To: <82D5657AE1F54347A734BDD33637C87905747BA3@EXVS01.ex.dslextr eme.net>
References: <82D5657AE1F54347A734BDD33637C87905747BA3@EXVS01.ex.dslextreme.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Santosh:
My point is that the request could be for any set of certificates
that contain AIAs that point to the same OCSP responder, whether they
are part of the same certification path or not.
Russ
At 08:03 PM 11/14/2006, Santosh Chokhani wrote:
>Russ,
>
>I do not know how germane this debate is to Sam's question, but I was
>simply responding to the issue building certification path. I presume
>that in this context it relates to building a path to the Responder
>certificate.
>
>Now let us look at the three model 2560 has: Explicitly Trusted, CA and
>Delegated.
>
>Explicitly trusted does not need a certification path and hence there is
>no issue and that is why I did not include it in.
>
>CA model does not need any path building since path to the CA has
>already been built and that is why I did not include it in my response.
>Note that both clients requires the CA to use the same to sign the OCSP
>as it signed the certificate in question with.
>
>My post responded to the Delegated model.
>
>I hope this clarifies that the path building should not be a major issue
>for all three models 2560 supports.
>
>-----Original Message-----
>From: Russ Housley [mailto:housley@vigilsec.com]
>Sent: Tuesday, November 14, 2006 6:42 PM
>To: Santosh Chokhani; ietf-pkix@imc.org
>Cc: Sam Hartman
>Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>Santosh:
>
>I believe this is a red herring. This is not the only deployment
>approach supported by RFC 2560.
>
>Russ
>
> >In hurry, I did not clearly articulate my thoughts. What I am saying
>also
> >relates to another comment to Mike Myers regarding the security of the
> >delegated model which is incompletely addressed by 2560.
> >
> >I will be verbose this time.
> >
> >The implementations such as Corestreet and Tumbleweed tend to adhere to
>the
> >approach that the same key that signed the certificate in question,
>sign the
> >OCSP Responder certificate.
> >
> >Thus, if you have a hierarchy like Root --> CA --> Subscriber and you
>want
> >the status of CA certificate and the Subscriber certificate, you get
>them as
> >responses and with them you only need the two OCSP Responder
>certificates
> >one signed by the Root (for verifying CA certificate revocation status)
>and
> >one signed by the CA (for verifying the subscriber certificate
>revocation
> >status).
> >
> >You do not need any paths.
> >
> >Please note that the approach also works when the Responder is queried
>by a
> >CA cross certified by the root, since rest of the path has been built
>by the
> >client.
> >
> >-----Original Message-----
> >From: Dave Engberg [mailto:dengberg@corestreet.com]
> >Sent: Tuesday, November 14, 2006 12:45 PM
> >To: Stefan Santesson; Santosh Chokhani; Russ Housley; Price, Bill;
> >ietf-pkix@imc.org
> >Cc: Sam Hartman; Michael Myers
> >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> >CoreStreet's OCSP server doesn't include a SingleResponse for the
>issuing
> >CA's cert in pre-signed responses. Mostly for the reasons mentioned:
> >
> >Adds 90-100 bytes onto every response
> >
> >Have never seen a relying party app/plug-in send a request like this
> >
> >The "delegated" trust model in RFC 2560 would require different signing
> >certs for trusting entity vs. CA cert ... add another 1kB onto the
>response
> >
> >Protocol only sends CA name+key info, which isn't enough to identify
>which
> >CA cert the relying party is inspecting in the case of CA cert renewal,
> >cross-certification, etc.
> >
> >
> >-----Original Message-----
> >From: Stefan Santesson [mailto:stefans@microsoft.com]
> >Sent: Tuesday, November 14, 2006 12:11 PM
> >To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
> >Cc: Sam Hartman; Michael Myers; Dave Engberg
> >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >Santosh,
> >
> >I didn't say it was hard. I say that I doubt that there are many
> >implementations supporting this scenario even those with a responder
>key.
> >It would be interesting to hear from implementers if I'm right.
> >
> >Stefan Santesson
> >Senior Program Manager
> >Windows Security, Standards
> >
> > > -----Original Message-----
> > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > Sent: den 14 november 2006 03:59
> > > To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > > Stefan,
> > >
> > > You are making more complex than it is. The Responder can include
>all
> > > the CA certificates that issued the certificate in question and AIA
>can
> > > do the rest.
> > >
> > > Furthermore, since most PKI are two tier hierarchy, in Enterprise
> > > environment, the CA certificate certification path is not an issue.
> > >
> > > -----Original Message-----
> > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > pkix@mail.imc.org]
> > > On Behalf Of Stefan Santesson
> > > Sent: Monday, November 13, 2006 6:54 PM
> > > To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > > I'm not sure the case described is a realistic one.
> > >
> > > Section 2.2
> > > All definitive response messages SHALL be digitally signed. The
>key
> > > used to sign the response MUST belong to one of the following:
> > >
> > > -- the CA who issued the certificate in question
> > > -- a Trusted Responder whose public key is trusted by the
>requester
> > > -- a CA Designated Responder (Authorized Responder) who holds a
> > > specially marked certificate issued directly by the CA,
> > > indicating
> > > that the responder may issue OCSP responses for that CA
> > >
> > > Since the request is on certificates issued by 2 different CA:s
>trust
> > > option 1 is invalid.
> > > Trust option 3 is valid in theory but in practice it requires that
>the
> > > OCSP responder provide multiple validation paths in the response,
>one
> > > for each issuing CA. Somehow I doubt that this is implemented by
> > > anyone.
> > >
> > > Trust option 2 is not generic and is only valid as a result of a
>local
> > > configuration.
> > >
> > > So I don't think this is a problem only for key-less responders.
> > >
> > >
> > > Stefan Santesson
> > > Senior Program Manager
> > > Windows Security, Standards
> > >
> > >
> > > > -----Original Message-----
> > > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > > pkix@mail.imc.org] On Behalf Of Russ Housley
> > > > Sent: den 13 november 2006 14:08
> > > > To: Price, Bill; ietf-pkix@imc.org
> > > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > > >
> > > >
> > > > I prefer an error that tells the client to ask for the certificate
> > > > one at a time.
> > > >
> > > > Russ
> > > >
> > > >
> > > > At 02:46 PM 11/13/2006, Price, Bill wrote:
> > > >
> > > > >I'd suggest focusing on understanding where responses to the
>keyed
> > > and
> > > > >keyless responders inherently differ. I am aware of two general
> > > cases:
> > > > >
> > > > >1) The request asks for the status of multiple certificates that
> > > have
> > > > >not been included in a single presigned response. Russ's example
> > > fits
> > > > >into this case. The keyed responder handles, but the keyless will
> > > fail
> > > > >for the general case. Some responders respond with the presigned
> > > > >response that includes one of the certificates (usually the
>first)
> > > in
> > > > >the request. A common situation is to ask for the status of
> > > > >certificates in a chain. Santosh points out some keyless
>responders
> > > > >anticipate this and bundle responses accordingly.
> > > > >
> > > > >2) The request is "well-formed" but asks for the status of a
> > > > >certificate for which the keyless responder has not prepared a
> > > > >response. This situation will occur if:
> > > > >
> > > > > a) The request is for status of a certificate from a
>supported
> > > CA
> > > > >but with a serial number for which there is no pre-signed
>response.
> > > > >Assuming presigned responses exist for all certificates that
>would
> > > be
> > > > >valid based on their validity intervals, this would occur if the
> > > > >certificate had expired or was yet to be issued (I am aware the
> > > > keyless
> > > > >responders generally produce responses for certificates likely to
>be
> > > > >issued before the next generation of presigned responses). The
>keyed
> > > > >responder would give a signed "good" response. My understanding
>is
> > > > that
> > > > >the keyless responder under the draft lightweight OCSP responds
>with
> > > > an
> > > > >unsigned "unauthorized" error code.
> > > > >
> > > > > b) The request is for the status of a certificate from an
> > > > >unsupported (or non-existent) CA. The keyed responder would
>respond
> > > > >with a signed "unknown" response while under the draft, the
>keyless
> > > > >would again respond with the unsigned "unauthorized" error code.
> > > > >
> > > > >Some might argue with some grounds that these differences are
> > > unusual,
> > > > >unlikely, and insignificant.
> > > > >
> > > > >I personally consider the behavior in 2 of responding with the
> > > > >"unauthorized" error to be misleading. "Internal error" sounds
>more
> > > > >appropriate if I were constrained to the current error codes.
> > > > >"Malformed request" might be OK. However, the actual situation
>does
> > > > not
> > > > >match well with any of these errors as they are described in
>2560.
> > > > >
> > > > >If 2560 is supposed to encompass keyless responders, I'd
>recommend
> > > > >identifying the unavoidable differences and/or adding 2 TBD error
> > > > codes
> > > > >for the above cases (assuming they are the only differences). The
> > > > first
> > > > >error can be worked around by breaking the request for status of
> > > > >multiples into multiple requests for status of one cert.
> > > > >
> > > > >We've also seen some problems with client apps that can't handle
> > > > >presigned responses that commonly contain the status of several
> > > (e.g.,
> > > > >15-25) certs. The apps inquired for the status of a single cert
>and
> > > > >apparently expected a response for a single certificate. I'd
>suggest
> > > > >that some "must" or "should" words address clients' ability to
> > > handle
> > > > >the situation of a response covering multiple certificates.
> > > > >
> > > > >
> > > > >
> > > > >Bill Price
> > > > >
> > > > >-----Original Message-----
> > > > >From: owner-ietf-pkix@mail.imc.org
> > > > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > > > >Sent: Monday, November 13, 2006 11:46 AM
> > > > >To: Michael Myers; Dave Engberg
> > > > >Cc: ietf-pkix@imc.org; Sam Hartman
> > > > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC
>2560
> > > > >
> > > > >
> > > > >Mike:
> > > > >
> > > > >I think it is not that simple. I think you need to say that
>support
> > > > >for one certificate MUST be supported, and that support for more
> > > than
> > > > >one certificate is OPTIONAL. Then, the error is am indication
>that
> > > > >the requestor has selected an unimplemented OPTION.
> > > > >
> > > > >Russ
> > > > >
> > > > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > > > >Responders unable to produce or acquire a definitive response
>MUST
> > > > >return <a
> > > > > >TBD error>.
> > > > > >
> > > > > >As to your other points Santosh, that is something I prefer the
> > > > chairs
> > > > > >consider.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > > > >
> > > > > > > Mike,
> > > > > > >
> > > > > > > What is the error case?
> > > > > > >
> > > > > > > . . .
> > >
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFFXQNu031948; Wed, 15 Nov 2006 08:33:26 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFFXQSQ031947; Wed, 15 Nov 2006 08:33:26 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAFFXPGS031939 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 08:33:26 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 32163 invoked by uid 0); 15 Nov 2006 15:33:22 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 15 Nov 2006 15:33:22 -0000
Message-Id: <7.0.0.16.2.20061115102828.07487728@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 15 Nov 2006 10:29:37 -0500
To: Stefan Santesson <stefans@microsoft.com>, Sam Hartman <hartmans-ietf@mit.edu>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>, "Price, Bill" <wprice@mitre.org>
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF010BCAAA0@EA-EXMSG-C307.eur ope.corp.microsoft.com>
References: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.microsoft.com> <F9F038204EE77C4AA9959A6B3C94AFE801098D06@IMCSRV2.MITRE.ORG> <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA90@EA-EXMSG-C307.europe.corp.microsoft.com> <tsld57pis78.fsf@cz.mit.edu> <A15AC0FBACD3464E95961F7C0BCD1FF010BCAAA0@EA-EXMSG-C307.europe.corp.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I believe that this paragraph from RFC 2026 is the reason that Sam is
willing to permit the document to progress as a Proposed Standard:
A Proposed Standard should have no known technical omissions with
respect to the requirements placed upon it. However, the IESG may
waive this requirement in order to allow a specification to advance
to the Proposed Standard state when it is considered to be useful and
necessary (and timely) even with known technical omissions.
Russ
At 05:56 PM 11/14/2006, Stefan Santesson wrote:
>Sam,
>
>Could you point us to the applicable interoperability requirements
>IETF has established in general that would require such
>clarification of RFC 2560.
>
>What is ironic in this situation is that this a cases where the
>industry has been able to achieve interoperability (to a fairly high
>degree at least), also with respect to keyless responders. I don't
>think we serve the industry by denying publication of an
>informational document describing how keyless responders has been implemented.
>
>Creating an RFC 2560bis may take considerable time.
>
>Stefan Santesson
>Senior Program Manager
>Windows Security, Standards
>
>
> > -----Original Message-----
> > From: Sam Hartman [mailto:hartmans-ietf@mit.edu]
> > Sent: den 14 november 2006 14:23
> > To: Stefan Santesson
> > Cc: ietf-pkix@imc.org; Michael Myers; Dave Engberg; Russ Housley;
> > Price, Bill
> > Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> > >>>>> "Stefan" == Stefan Santesson <stefans@microsoft.com> writes:
> >
> > Stefan> On issue number 1) it is my belief that the lightweight
> > Stefan> profile should be allowed to progress without updating RFC
> > Stefan> 2560. I have seen no requirements in RFC 2560 that
> > Stefan> requires a keyed responder, even if it is clear that a
> > Stefan> non-keyed responder can only respond to a subset of all
> > Stefan> valid requests. If the lightweight OCSP profile is allowed
> > Stefan> to progress, it MUST live within the current restrictions
> > Stefan> of OCSP with respect to error codes.
> >
> >
> > Speaking as an holding a discuss, I cannot agree to allow the
> > lightweight profile to progress without a standards-track
> > clarification to 2560.
> >
> > Your reading of 2560 would not meet the interoperability requirements
> > that the IETF has established that in general, all clients of a
> > protocol be able to work with all servers of a protocol. In order to
> > meet that requirement RFC 2560 needs to be normatively changed in
> > order to require that clients be able to send a request including only
> > one certificate.
> >
> > Unless I see new arguments I have not seen so far, my discuss stands.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFEu0Yk020240; Wed, 15 Nov 2006 07:56:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFEu0E4020239; Wed, 15 Nov 2006 07:56:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAFEtxae020231 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 07:55:59 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 26657 invoked by uid 0); 15 Nov 2006 14:55:53 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 15 Nov 2006 14:55:53 -0000
Message-Id: <7.0.0.16.2.20061115095452.040eac28@vigilsec.com>
Message-Id: <7.0.0.16.2.20060821173001.012803b8@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 15 Nov 2006 09:55:47 -0500
To: ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: RFC3280bis: NotAfter 99991231235959Z
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I would like to add some text about certificates that are not
intended to expire. I propose the following paragraph.
In some situations, devices are given permanent certificates. For
example, a device could be issued a certificate that binds its model
and serial number to its public key. Such a certificate is intended
to be used for the entire lifetime of the device. It indicate the
permanent nature of such a certificate, the notAfter SHOULD be
assigned the GeneralizedTime value of 99991231235959Z.
Any concerns?
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFD0K7H083010; Wed, 15 Nov 2006 06:00:20 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFD0KD5083009; Wed, 15 Nov 2006 06:00:20 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from top-cross.ru (top-cross.ru [194.226.79.2]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFD0Hsk082999 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 06:00:18 -0700 (MST) (envelope-from kopylov@top-cross.ru)
Received: from [62.181.53.2] (account jim HELO [192.168.0.59]) by top-cross.ru (CommuniGate Pro SMTP 4.2.10) with ESMTP id 615752 for ietf-pkix@imc.org; Wed, 15 Nov 2006 16:00:45 +0300
Message-ID: <455B0F57.9090306@top-cross.ru>
Date: Wed, 15 Nov 2006 16:00:07 +0300
From: Kopylov Denis <kopylov@top-cross.ru>
Organization: OOO =?windows-1252?Q?=3F=3F=3F_=3F=3F=3F=3F=3F?=
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: questions on CertificatePolicies processing
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Q1: Is there any sense in setting user-initial-policy-set without
setting initial_explicit_policy?
Q2: How should be threated a valid certificate if validation with
non-empty user-initial-policy-set resulted in empty valid_policy_tree?
--
Kopylov Denis
kopylov at top-cross.ru
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFCOjoR077044; Wed, 15 Nov 2006 05:24:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFCOjUX077043; Wed, 15 Nov 2006 05:24:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from groucho.itss.auckland.ac.nz (groucho.itss.auckland.ac.nz [130.216.190.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFCOi3v077023 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 05:24:44 -0700 (MST) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) by groucho.itss.auckland.ac.nz (Postfix) with ESMTP id 80D89348B7; Thu, 16 Nov 2006 01:24:38 +1300 (NZDT)
Received: from groucho.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22853-15; Thu, 16 Nov 2006 01:24:38 +1300 (NZDT)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by groucho.itss.auckland.ac.nz (Postfix) with ESMTP id 51EE434892; Thu, 16 Nov 2006 01:24:38 +1300 (NZDT)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 9C0E037742; Thu, 16 Nov 2006 01:24:37 +1300 (NZDT)
Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1GkJos-0002ZS-00; Thu, 16 Nov 2006 01:24:46 +1300
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: kent@bbn.com, ron.ogle@thomson.net
Subject: RE: PEM file format rfc draft request
Cc: Dieter.Bratko@iaik.tugraz.at, ietf-pkix@imc.org
In-Reply-To: <p06230909c17f899afb7d@[128.89.89.106]>
Message-Id: <E1GkJos-0002ZS-00@medusa01.cs.auckland.ac.nz>
Date: Thu, 16 Nov 2006 01:24:46 +1300
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Stephen Kent <kent@bbn.com> writes:
>I don't think these WGs generally have defined private key encodings, because
>private keys are not transferred over the net and thus are not critical for
>interoperability.
What you mean are "private keys shouldn't be transferred over the net but
frequently are". The standard format for this is PKCS #12, but that's usually
wrapped up in MIME, not as PEM-format data.
Peter.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFCLmLP076425; Wed, 15 Nov 2006 05:21:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFCLmb3076424; Wed, 15 Nov 2006 05:21:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from chico.itss.auckland.ac.nz (chico.itss.auckland.ac.nz [130.216.190.12]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFCLkdI076415 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 05:21:47 -0700 (MST) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from localhost (localhost.localdomain [127.0.0.1]) by chico.itss.auckland.ac.nz (Postfix) with ESMTP id 1A12B34B45; Thu, 16 Nov 2006 01:21:41 +1300 (NZDT)
Received: from chico.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpb.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 18852-16; Thu, 16 Nov 2006 01:21:40 +1300 (NZDT)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by chico.itss.auckland.ac.nz (Postfix) with ESMTP id B840E34453; Thu, 16 Nov 2006 01:21:39 +1300 (NZDT)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id CE6BE37742; Thu, 16 Nov 2006 01:21:37 +1300 (NZDT)
Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1GkJly-0002Yw-00; Thu, 16 Nov 2006 01:21:46 +1300
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: Dieter.Bratko@iaik.tugraz.at, ron.ogle@thomson.net
Subject: Re: PEM file format rfc draft request
Cc: ietf-pkix@imc.org
In-Reply-To: <01c401c707f9$3ac61660$6d981b81@iaik.tugraz.at>
Message-Id: <E1GkJly-0002Yw-00@medusa01.cs.auckland.ac.nz>
Date: Thu, 16 Nov 2006 01:21:46 +1300
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
"Dieter Bratko" <Dieter.Bratko@iaik.tugraz.at> writes:
>For that reason a standard giving some recommendations for the usage of PEM
>headers would be very useful. It should not only cover keys, but also
>certificates, crls, requests,... (for instance, some applications use -----
>BEGIN CERTIFICATE REQUEST-----. and some use -----BEGIN NEW CERTIFICATE
>REQUEST-----, and some may use -----BEGIN PKCS10 REQUEST---- or something
>other for encoding a certificate request).
That's why I suggested that a regexp is the only way to handle this. You also
need to take into account usage in other environments like PGP and SSH, which
also use the PEM format. From memory my code's workflow is something like:
look for '----';
look for either another '-' or a ' ';
look for 'BEGIN';
This handles the common PEM start. Then:
if the remaining text contains 'SSH' it's an SSH public key;
goto SSH-processing;
if the remaining text contains 'PGP' it's a PGP public key;
goto PGP-processing;
// Default: It's something X.509-ish
if the remaining text contains 'REQUEST' or 'PKCS10' it's a PKCS #10 cert request;
if the remainig text contains 'PRIVATE' it's a private key;
otherwise it's a cert of some form;
This should handle pretty much everything out there.
Peter.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFB3Kol063900; Wed, 15 Nov 2006 04:03:20 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAFB3Kul063899; Wed, 15 Nov 2006 04:03:20 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from top-cross.ru (top-cross.ru [194.226.79.2]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAFB3JKv063875 for <ietf-pkix@imc.org>; Wed, 15 Nov 2006 04:03:20 -0700 (MST) (envelope-from kopylov@top-cross.ru)
Received: from [62.181.53.2] (account jim HELO [192.168.0.59]) by top-cross.ru (CommuniGate Pro SMTP 4.2.10) with ESMTP id 615685 for ietf-pkix@imc.org; Wed, 15 Nov 2006 14:03:46 +0300
Message-ID: <455AF3EB.8090805@top-cross.ru>
Date: Wed, 15 Nov 2006 14:03:07 +0300
From: Kopylov Denis <kopylov@top-cross.ru>
Reply-To: kopylov@top-cross.ru
Organization: OOO =?UTF-8?B?0KLQvtC/INCa0YDQvtGB0YE=?=
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: question on CertificatePolicies processing
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Q1: Is there any sense in setting user-initial-policy-set without
setting initial_explicit_policy?
Q2: How should be threated valid certificate if validation with
non-empty user-initial-policy-set resulted in empty valid_policy_tree?
--
======================================================
Kopylov Denis
kopylov at top-cross.ru
Received: from 161.pool85-56-32.dynamic.uni2.es (161.pool85-56-32.dynamic.uni2.es [85.56.32.161]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAF9Sk3J050647 for <ietf-pkix-archive@imc.org>; Wed, 15 Nov 2006 02:28:54 -0700 (MST) (envelope-from lightup@palmerstores.com)
Message-ID: <000401c70898$730be8c0$00000000@pcj>
From: "UsWork" <lightup@palmerstores.com>
To: ietf-pkix-archive@imc.org
References: <000401c70898$730be8c0$00000000@pcj>
Subject: Re: employee have
Date: Wed, 15 Nov 2006 10:28:46 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000A_01C708A0.D4D050C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
This is a multi-part message in MIME format.
------=_NextPart_000_000A_01C708A0.D4D050C0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000B_01C708A0.D4D050C0"
------=_NextPart_001_000B_01C708A0.D4D050C0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
----- Original Message -----=20
From: ietf-pkix-archive@imc.org=20
To: lightup@palmerstores.com=20
Sent: Thursday, November 03:23:02 AM
Subject: employee have
Chargethe employee have of only default job.
Free day Triallog Inregister a Nowhome Pagemy.
If does not start.
Editorbuy of now Welcome a. Re Soft Boysdate Prevdate am Nextthread =
Prevthread of Nextdate Boysto Boysfrom of.
Uploading toolbar ruler of url cliptext column selection replace =
multiple in.
Click in here release a veditplus bit While can serve good a.
Your homeyour of lifein updatehas am Roaming Gnome turned or party =
bal. Gui of builder generating human.
Jamo surround sound is.
Flash Player dc Limewire is Manager in Explorer am Basic is Ares.
Cliptext column in selection replace multiple undoredo of spell =
keyboard shortcuts is. Viruses am add am my alerts suggest friend a =
report!
Screen of applicable press theenter bhzbhzon enterkey left cost =
center.
Then Hermann Maier strap carvers Cameras. Commission Junction for =
Million.
Solos vii rock rhythm worlds.
Info in Publisher User am Awards History service allows.
Timekeeper entry charge in. Cliptext column in selection replace =
multiple undoredo of spell keyboard shortcuts is.
Free day Triallog Inregister a Nowhome Pagemy.
Gaining marketing with clients that include a.
Address found Datere Cdnext Siamese jpegnext threadre Stuff?
Upgrade is business line offering give individual employees members is =
Sony. License any listed cannot is liable issues arise?
Ill am London just or atthe catch About eve who.
Upgrade is business line offering give individual employees members is =
Sony.
Featured integrated cd burning ripping in?
Picks Essential Internet Instant is.
Get chance some Visualcron task scheduler automation!
Soft Boysdate Prevdate Nextthread Prevthread?
------=_NextPart_001_000B_01C708A0.D4D050C0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"always" hspace=3D0=20
src=3D"cid:000901c70898$730be8c0$00000000@pcj" align=3Dbaseline=20
border=3D0></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color:=20
black"><B>From:</B> <A title=3Dietf-pkix-archive@imc.org=20
href=3D"mailto:ietf-pkix-archive@imc.org">ietf-pkix-archive@imc.org</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A =
title=3Dlightup@palmerstores.com=20
href=3D"mailto:lightup@palmerstores.com">lightup@palmerstores.com</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Thursday, November =
03:23:02 AM=20
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> employee have</DIV>
<DIV><BR></DIV>
<DIV align=3Dcenter><FONT face=3DArial size=3D2>Chargethe employee have =
of only=20
default job.<BR>Free day Triallog Inregister a Nowhome Pagemy.<BR>If =
does not=20
start.<BR>Editorbuy of now Welcome a. Re Soft Boysdate Prevdate am =
Nextthread=20
Prevthread of Nextdate Boysto Boysfrom of.<BR>Uploading toolbar ruler of =
url=20
cliptext column selection replace multiple in.<BR>Click in here release =
a=20
veditplus bit While can serve good a.<BR>Your homeyour of lifein =
updatehas am=20
Roaming Gnome turned or party bal. Gui of builder generating =
human.<BR>Jamo=20
surround sound is.<BR>Flash Player dc Limewire is Manager in Explorer am =
Basic=20
is Ares.<BR>Cliptext column in selection replace multiple undoredo of =
spell=20
keyboard shortcuts is. Viruses am add am my alerts suggest friend a=20
report!<BR>Screen of applicable press theenter bhzbhzon enterkey left =
cost=20
center.<BR>Then Hermann Maier strap carvers Cameras. Commission Junction =
for=20
Million.<BR>Solos vii rock rhythm worlds.<BR>Info in Publisher User am =
Awards=20
History service allows.<BR>Timekeeper entry charge in. Cliptext column =
in=20
selection replace multiple undoredo of spell keyboard shortcuts =
is.<BR>Free day=20
Triallog Inregister a Nowhome Pagemy.<BR>Gaining marketing with clients =
that=20
include a.<BR>Address found Datere Cdnext Siamese jpegnext threadre=20
Stuff?<BR>Upgrade is business line offering give individual employees =
members is=20
Sony. License any listed cannot is liable issues arise?<BR>Ill am London =
just or=20
atthe catch About eve who.<BR>Upgrade is business line offering give =
individual=20
employees members is Sony.<BR>Featured integrated cd burning ripping=20
in?<BR>Picks Essential Internet Instant is.<BR>Get chance some =
Visualcron task=20
scheduler automation!<BR>Soft Boysdate Prevdate Nextthread=20
Prevthread?</FONT></DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_001_000B_01C708A0.D4D050C0--
------=_NextPart_000_000A_01C708A0.D4D050C0
Content-Type: image/gif;
name="order.gif"
Content-Transfer-Encoding: base64
Content-ID: <000901c70898$730be8c0$00000000@pcj>
R0lGODlh3AHcAYf/AAAAB4YAAAF4Cn6JAAAAiHwJhgByeLi/vbndtJfJ8TkaAFYbAIAtAa0dAMsc
AOQjCAA0ASQyBkc9Alk/B4U+AqkyAMI9A+k2BgZcABVWAEFVAGVsAItsDKZnALRkAuhaCAdyBRd0
Ck5zAFqOAISOAKiMA76OANh5BwCtACWYBT6uBWOXDHuZAKeXALyoCt6YAg7AAByzADXMAFi/AovN
AKu6ALG/AOK7AADbACbZAEDuAF3oAofqC6jsALzuCdThAA4AMxQAOjMAQVYAM4IATa4ESrkAM+wI
TQAbSBkfPjIXS1kpPH4dOpwVOMwRQtQSOABJNhk8RTg0N1g0RoFKM5w1Ncg3TepEPwBqRRxVS01s
TmZuM4BhCZJlMcVcRu5XRQmNSyl0TUd7QVZyTX2DNah4Pb14MdR9QgCiPhWrNUKcRlGXRnKUOJaT
O7aZQtapNwC4QSe0N0vFPGm2SHW+RpzFN7fIQdLJNgDgTSjuOUDSO27jSoPpQJnRQr7qQ+PnNAAG
gRgNgTUDcmYAhHQAe6sAi7YAjtYHgQYjgCUjcjsle1oUhHsnjasgjcstg9QRhg5Dcyc6hTJChGY/
goNOhKQ0dbRJfOtMfABXhiJZhURYhVpbh31ti6NegLVgd9dadw2JcS18fUiGg1x+d3F8jKaHg7yJ
guqHjg6ldhyUekCVdFyignmSeZ2jfMqdi9yuiwPAhyvNezW0hWrLjHjCjKrIfcjBh+O3dwDufSHT
gULXgmHbd3Plgp3WgLzig+3odgwKyhEOuDoKv1EAyI0AzKMMxLoAvNoCvwYXwykctEolvlQbv4oX
vZUTtckVzdsnxAQ4sxhHykZNxlw3xog9uZ43tLNIy+05sg5UvyBluDpeylZZtolVwp5UvsNbu+1s
tAp3shR5t0iBwGCNwY6Iu6Z8x8uEx9iGywCosSGjv06tzlWjy4irxqadzsGmxdyWxgDHsyO/vUax
x2S8znrBuaeytvr/+5GuqopyfPwKAAH5APv6AAAA9f8G/AD0+Pfz/yH5BAB98okALAAAAADcAdwB
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXGnwn8uX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrMllq3cq1q9evYMOy
xEq2rNmzaNOqXcu2rdu3cOPKnUt3pti7ePPq3cu3r9+/gAMLHky4sOHDiBMrXvyxruPHkCNLnmyW
cUfKmDNrfmy5s+fPoEMXNCra4ubTqFOfLc26tevXYI1++EBwdm3as3Pntmf7Nm/duw32PghcuG6B
wIP/Vl7cnurn0KPHHX4cOW7axLH/tt5w+G3tzMFf/0dIfTx36ejTq7e6fTn23t59c2+/MP78gfC1
yy9o37jz9QAGGOBG+eV3n3/ldaffgfiZx9+CDGYH24QUVghRge9lmNx33zX3oH8g2pecgQn1Z+GJ
KP5Fmm0GkkiedyZ+KOOM1dFnnIjaCajjjtBxVF2NMS63n0I4SihjkAcimeKSTMZWlHUYNliig0ra
GKGV3FWZ4EA8duklZj4GBySE97lIJJnxmcgimSA26eabrCkn5JX0mTllduJlKCWWdepXJZyABtoX
jH6OaOWaG95Yo3sLejiihmmyKeiklG5EWqBfZqrpgJhu6umnalUq6qikDgYAAKWmquqqQZ0KgEur
xv+qGKiSnRqTrLgaRitkr2aVa2IooDDqrpoNFOyxBB2L7ELKCpussswu22yzCi0r0LTGUnvttM5u
26092BakLbjfPjuuucE+a1C65JLLbbneQhuvvOJyiy687rK77br22qvuf8RS5m62zuqr70EGF5ww
vtkizDC/3ya878QHQ/xvuw1TzPDB1nbMrrUa1xvtvxUjVLK3BKeMMsYXt+yxQAGDWfHH3Z48Mb8i
J3SyzSJL3DDHwvKcrs8s22x0uURrDPTNTDtM8sMtR500xiXvjHTNzsZMmdVFP8w1zibjy7O6SQ8d
cdBeo51x12G33bPYak8dNdghM/T1205XDTfY7Gr/zV5GXMs99910z5031mSfnS+9Zq+9dOGDq41z
400bfu/C5xJMbeB7642t3pX/mpFRnIder+BC72235Gy3nrrr8NLLcs6JH16309UqPrvOquM9eey9
Z9y335FxDvLqob8OOe5Ujxvu7o4rfDztR/9u+77K8+77yMu3WzrtkU9MPFUafT+29d0nD/W8NDNv
ub/taw995ZRvn6/8+GO/vvrX289/zucT3VZmprC1IW93YyOc25rnPgNeLH7zM53UEPc0dOWvgfXL
3QJvRkD6BS+CAhSLxwrowOipbGAXlGDTMljC+XXwcUSr3glHuMLsbRCCGnQY1naoMtAV7mUhtNST
/+Y1wbBNL3MQAx73fvZB9rHwidJ7XBKnt7jwbVCHjPMX+KaIxbNtrl/PE9/4OBPEMt6FJ/QYY1DM
yMY2uvGNcIyjHOdIxzleqo54zONC3KLHPvqRIEn5oyAHeRB+8IMwhkzkIQ2SSIIospGMNKQjH6kQ
SQ7EkgKR5CMbiclMHnKTnbwkKDtJSVEucpKntEcpPalIVEKyIKtUZSpJmUqGxDKUsizkLHcpy032
spWijOQvgTlMVhITlZMUpjKTaUpawrKWyxylLhGCS7BgEpevzKUpn8lLTybkmq/UJDS9Sc5qVhKa
4bTkMYGZzkWCM5jkZOU2tflLeNoSnO4MZTXxef9KcU5zntnMpTnfSctaBtSZujRoPvupToUu5J3/
pOcz9QLRYFY0ngJlqD3/yc58UlOjEm0INh1az2ZiVJsVvag+QdrRh6zUmMxUZktDetKGOnOf43yp
RUlqzpKWk6T07KlPBwrSZXLEKBfN6Ebj6U+mjhOeM+1pU2n6UKAms6n+xGlQi5rUn8KUqhG96ieL
OtGSNjSs3pzqVGPKVqeG9Kwf3SpV4QrWmOJ0lOmEGVI0klS1olOjKX3qT+EqzXka85ho1SpWxzpX
xrr1sWW1qUdFmlPGdnWwk5XmSJWaVlCelKYE/atQ/dpYyH6ToetELVQFa5qi0HWnS5UrRIXK2cX/
nrObLrUqbM3q2Im+9reV7axwKTtNwj7Vtq+NrW05m1CyulWr5/QqdJkb3YiqdLJuieVjNyvXYt5T
srFFZnirG97FnlWxiNXudDtK27YOl7rcXKhzP0vatcYVtJPFb1Vhu97eklemZIVrdvN72OSi1JcH
/q58x8vc9pa1vL0NbXEJDFzrQhKx/93tV5u74elquJ4Otu+BtVtXjLayvyVmMF0RaskBb3S2QIUx
g79KTKKuNiLcvTFHecrVAFuVvaw1aoJN+lHwfvatFOZkkN8L2Rzfl8a6Dehpp9zdz7pYxx++sEMR
WmTxglXGEBmpar+8UIB2k8vt9HIvHxzJMa9U/7DZzKtRtczN0nrVzGxO8ZvlyWfD7rfJPibnlT+c
0VtuWbdsLiglX1pYKreZy4lOrW9/jGGJOrm5uJ0xpDWLYPqOFcGr9OxSderoF1dayo+WrEIlrc1A
EpI1Dn71a+4oa7HEutZ54SOubb3kXed6r74OtrBbq8ZiG/vYRBm2spftEGQ7+9nQjra0p03talv7
2tjOtra3fRpme/vb4A63uMdN7nKb+9zoTre6183udheG2/COt7znTe962/ve+E6Pu/fN7377+98A
D7jAB07wgpPqDm3Mt8IXzhaDO/zhEI94RBhO8YpjReIYz7jGN87xjnv849+2uMhHTvKSm5wuIP9P
eWdorSKbALImKm+5tAdzk5fTJOZ+oTbNXc4lmOOcL9FWB6wEU/Oe31yP+WhI0gO1dL1+iSOuOhVr
mm4Pqic9H1jPukCyjvWtc73rBPn61QvSdK573exUPzvYta72gXz9IGKvutXl/na4u53tW8/7Rcyu
drzznexhD3zc0371ut+d7XOvOhulLhDGhybxeU+74gPvdoRIfvKYn7vkCQ/4zFMe8pUnO+gvH3rM
e970EwE96lVves3bXe+k13vkS4/6ExnF8QWJOqoaH3V7uIr3vQc+43W/++Hv3ve7L7rTZ1J2z29e
IaSP/uk7T3naf94gY7d+7bPfeujLvvJv9zv/4uVOfdqzPvTNT7/lp//62a9++dDG/UAcb3xU/V7q
v0e+QfBvfP373//KBzDMB34EWH7Yt35213wHaIDSt33dZ4CKp4DfR33PN3lgF4GCd3kV+H2xt3Tq
534HKIHth4EaKIDxd3wEQX/Ft4K893/yp38qKHwIEYAu54EW2Hce+HcTeHh494Cih3bY93c2CHiG
F3bhB3vVt4AOeIMFCIIQOHpK5345qINWV4R0t3bSpyka8YIuyIL+x3/zt4K9F4PIx4UbwX3ZF3vm
h4AhqH1LmBBD+HxDqISlx321V4cLOIcReIQjyIFJCIfOt4MgqIZy2IcWcnsoGIaK+IUsGIOO/3h8
9ZeIRnd08HcraMiE3ueGd4iBgriBCKiHg2iIHyiIsleBemiHpOiJ59eGUrh+IkiHSAh4OveIi9h/
MAiJ9ieGXbiIi0iDMHeJoPh+mliCpSh4sMh57HeKsNh6q+iDp+d6TUiHyLiGxfiBxIiJ10eBsjht
woeL+ceILUh8YTiGuMiLLWiCvlKJMDGBZVd3Vhh9fFiHiBd+fOeOFyiEDBiP5KeJHNiDdPd54weH
/rh9Pah67QiEGViPOwh5S6eFd2GGEAGR46aGqUKRgiSRDYGRGCF2HNmRHvmRIBmSIjmSJFmSJnmS
KJmSKrmSLHmBuKaRCwGT4maRlEKTszZEYf/hi5Q4EifXk8D2c0AZlELpRix3ETL5fza3kzxHEj7Z
lMm2hbpXEUd5lBEBDuAwEFaJlVdplVyZlVmplfbQlVw5lGyEiCkoiQ4xlWipkzPxlWF5lQLhlXBZ
EF9Zl3M5iU6ZlzwBlQdhi1GZf+LYjbxIlQthl3b5lgjRlWBJlm9klvvnhfcHhoCZi7VYjuh4K3gZ
E4YJl3KZmGMZl3epjno5mk9Rht8YfOB4i4pIhlzIllkhl535lmJJEG4pm4pJmrgpFY8pg+fYf7TY
m2u5lJf5ErYJmod5EIoJmi2Rm8zZFLtpmpUZjuXImsHpc6IJK8mZnaGplW5Zm9fZnKTJl4P/iYJ+
SZnSGZ3nqBHaeZx0yZnuyZiN+SSBmZ6pyX+oGZXpyXiuiZm12Z1iuZV3CZu3CZ4E+g8lQZjwmaAh
gaAKKpRFeZYqsZ/rWBIFSqANeqEYmqEauqHx+ZQRKpwuCRIVOqJWMZ/POTogqoEUqYNXmJkk+qLp
aJSW2RVWuI+Wl4N353UcKm6POJmCaZrkiZYM0XVCOJA5mqMuGaI7SpRF0aMQKn9kiJQuuo5EqqIC
aYQ2Sn4wuqVOEZhQap7jyRA1V6Vw14FVmKVdx6VqqhQv+KVSSnxCmpR20aJBeKVIeqZrmqfiCaFP
mogMqnRKqqRHqqNJapNLSkht6qdgmp8z/5p6/iioOnqnWHqocOSYfFqZk/mNUvqdBsqDomenhIqn
eTqqQzEWNVh4IZqq7Rip+wh2pPqqQGGqPleEcceqdOqpnAqruoqZH2qdWSqiuzqirQGplOpt0jGp
IhGsyiqcsBGAzbasFXqIzNoQ0LpwxXqth/GnhRGn2BpH+BmT3AquJgp14ZqWCFGu3VohlqqR2mqO
H2GGzvqtAFitFnqpuYef+OqFfamomRqJ/vqj+imc9rd/vper9OqT97qv7qqam7qwqxmlYAicfBqA
A5uCjWewB3tyvPmXjQqcEgmREcuou9iww0mc9gqJGJux1vauaEmdwYeaCnuW5Hip9vmy6P/KEP3a
rulKKlz4m4z4sUH6sDS7qA4rEcWXezsLJ+vasrpYf0Vrjk6Le1FrmVKbfNN6tBZbsiqrbRshr/dq
s/cZrl86szKbszJLnxkJsxebtG7yoBmhs2lLEc5asAqxtfWmF3AbtyRxs2yLIm4rowuqthAxt2Jq
t+HJFRJqsqBhuNjWFYk7dIvLuJ7St5SbEH97Eo/bqZErudQ2rjFLsg+RuQIRAKRLulxRuqhbEZy7
KXuKkXnbEaY7ugEguyoRu7RbuZ+xtOP4rzWrgmHLqXIaE7ZbEMNrEsNbvKG7upnSukwrsj4KsXzL
EMhrD6hbvbaburJbvQRhvQdxvLNLvd//S7vei7t9gYiCK7Hnmb4NK7rTe73jC77ZOxCx677dy723
K77hC7/Ku7xvS7ReOp0A/LQZgb33+774u72za8AIvMDwK7/fO7/5S76/RhS2OLI+G7KtKZzMSr/3
28AH7MAeHMIgvMDvC8Epu78xQ53A57wBXIa9qMG+ersc3MGmO74KPMIgbMAEjMJesqc/e5qSSbXf
+rr1W8D5a8NHnMBJXMQkvMTZG8ESjBeX2xEZ7Ks2McMzLMMP7MQQDMUhbMLxi8Nay8PEcxJVrJQw
p70ITMAOnMXuy8ZtzMbW68QnTMao4RdeqxjTaxF7HMU5ObknAcYbUbx2vCN+BMcD7MV+/ywWU5wi
hBsShWxslPLIwBrJ6rHIldvI2xq9MzitGbm257qcljw+P3qgTBukfCuT8CqwmtqXa9uyojzKx8q8
JtGzVZvKN6uzKJsQWBvKmCwatvywkWm2QCqGY2vMAEu2/wqkaIuz8wfKdIu1uliwrfzLihHM0umN
YeqjDQu2kmifQmvBQRuRz0y3r3zOKEt/1mwZ2Myw9HnB+tqnIRvOvCnOMgqYWSvN5gzNnLzOe9HO
83zLZJuaCavMHHu2u8vNUmmx5HnO0Tx8WevPiQHQi1q1J1rBfOqbLVzP7UwRDd3Q0QzN1BzREi2r
pfqbkXmyG43R6BmxKR3OKvzCvvrRtf+Izs/c0LKsb10btgP9pjY7nor6nOJo0T+Mys0srr4b0kqN
z+Vc0k791KqLk50SwzyZ034zyZ4MyVYdHVBdrFv91WAd1mI91vTW1ZRK1mid1mq91mzd1m791nBd
cWY913Rd13Z913id13pNGHHd137914Ad2FOx14Rd2IZ92KIi2IrNq4gdlIv92Jrb2JI92YIE2YtN
2UBp2YqN2T+n2Z792W7N2TinyaK9JD1c2pVy2t3cvJ1BxGbdw/MZ23k8sqB7rqd8vhEBsv3cjUDL
suTq2rWNx/8buBMXGb/Nr8ht22Eakay9076dlru9EsAd3H0x3U1CGrLN09X8wx7ru8b/HNQJW9Sl
HImYusz2ytuCma/DTMzkPd7bXdTeCJPa7a/xra+9W9/u3dHCDMQ5i9+3ON+ootr6fdTdrb4uHc8O
+9NDm74aLczK/bXo66Qr/N99auDmic3Py8k8nc0WvosZHt4Mm6gKq9AO7s4ljsEBbtz/nIsHTs8J
/r8srcIi7rOPedARvtEeHtRuqr4PTuM4C5krDaYonuMgPs81/tNRSs9G7s5DztdSTcX9ytvIfNRm
mOTFDOTwDLoifuM2zsLh7c1RHrM+Dq7oy+RCfuZEXrZhDuIV3t1DPuNBPsZvwRfeTOBlft4bC95s
Do5jvrAxveVeft5LjucEPei8nK9K/47mWb7jD07obx7ncJ7obVTnac7SVE7i9lyeaf65y13BAY3j
Ia7oCF7mS97Rjy7pU+vilf7NzYvSp17QLfze5fvkUK7S/G3Uat7izLzr3O3mdg6ntL3e8TzcGX3r
8b2vTY7oJ2rm4mzsaL7rQ7zdweyyLy3ezF7Mcq5rGmfd/8btTEnr5Obt/SZ1qn1u4s5u+CkZqJ1y
oP3X6w5y7e7X7z7v9B4r8X7v+J7T9b7v/I7V+d7W/Z5x/x7aAV/wBn/wCJ/w/zbwDN/wDv/wzKnw
BgfxaC3xFn/xGD/XFL/xHN/xHv/xIB/yIj/yJF/ylizZsJrxAUfadB3JKF/IL2/HBf9QAAQx8zVP
8zOf8zZv8zdvDzqf8wvx8wPx8zxP9Dzv8zqfEEKP9AVx9EgP9ENP9FEv9U+f9FXv9Aix9AKB9Vg/
9UvP9TR/9Uf/9Vrf82a/9WHP9HV8FlqAbBrh9HCP82l/9kU/90Gf9nWvEGDPEF2/92gf9YAf+IL/
9wYx9nbf9Hif+HPf9Yjf+GbP+H2f+Ijv93FfcKRR93mv9oUv94Ov94dP+Flv94zv+GcP+oY/+H7f
+aCv+Zsv+FbP+geR+oQP+Ydf+V7v+Laf7Xar9laf+a1/+nz/+avf+qUf+sQf+JS/+KK//LGv/Mb/
+FAP+8c//L5f/Kwf95Gf+in/9mH/3/vdL/xPb/3Nr/TgL/2jX/zJj/uST/rDv/qjn/7VP/7o//3P
j/rrD/ayL5RkD/VU3/n9DxD2BA4sUGDgQYEFFRpEWBBhQoYPDzokuHAhxIYMLUacyNHexoodJX70
SNGhSY8PKYYUSfJiS4wsScaEKXPkTZw5de7k2dPnT6BBg/4jWtToUaRHIaJcuVKlU6c3myqkKTGq
zZFTM1adOfMq169QU4LVWLar1JJpuW6tqvUs1rNJ5c6lW9fuXbx59e7l29eu0KxUXUb86pXw2Kds
C6+Fm/ht16goGUceKzaw4sOLyWLOKZml5ZqMAY8mXdr0adSp0TI9fNmtTtCaF2uO/0lZ5uurth2L
PotbMFq2nxELb7lRt2rkyZUvZ44c9OTWj3G6lT2cNmS1NF8/Pg6z+m2Ovy8H327VrPbw2UM3Z9/e
/XK/SG2KtcjdoPHOLweLt8+/4+/u6sPquaVeAik/8bozz7wEDxRwv+hqyi2i+Cq08EIMM9Twrvc6
9PBDEEMUcUQSS/QwQxNTVHFFFnna8EUYY5QxxhZrtPFGHHPUcUcee/TxRyCDFHJIIos08kgkk7wJ
RSWbdPJJwGaUckq9oLTySiyzBJJJLbv00kgqwxRzxi/LNPPHMdNU88L1dustwjYpazC4pwRTUE79
8CvQuvQGzIw1/TJq8EFBJ5wztP8HdTMOMUIbS7RPmtaUlMzUAl0QPEcrg/TNTencrCICPfN0PPQ4
I3W88lDdtLznRP0UuP7UE5XAM2u0tM6lMHVzvgjzZDSlAA+tTdOd7GT1vEthTfXSVuF881T78iNL
wWFHrXXFW/8ra1Zid1MUwF93pa9TVxsrtMBPZxuuWt6Kc7bcchFVT9VzzYV33WtHjBfUbZENq9to
DePtzuh8sxdfA40lL9zpAr1uP3nT5dNT2hrl1jVg8c03xH33FHDZf/3EqOO2FiXOY22pTfnjeUNu
GL1s2Q3429UONPdkmQvL9uGNPST5JKou3rVUd0dG+N2CW1P5ZqCBfnWtipMuVur/oqse7GnpFsZZ
51t57jknFGkN6SKhrT0WZo3vLVnmrNs0zOmAI36ZbVixMxVnupfWNbZwJxxoUsBfRM1kxxJ+dui3
DEZX2pn1VLxudyWjVm+iH3787LXjbvdwwrMm+WsTxT5cYOiSHZ0+2JBl29XPPe/VX4A3p07j0+HE
3G6562b9daI3B12nDP3W2mh+jWW50E7bfnQrv21zPObLHe76aF8bLT4t/6yHGOuoDV8YXO8oDHx8
8on6/Xz0lSt/fcDTd/990mYsg336k4L/fvxdrH9/uvL3/38ABlCAAyRgAQ14QAQmUIELZGADHfhA
CCKHSxGkIJb4R79KSc8/4bOZ/4T6BDLabW9PpoMQ9WjlsrU9T3qYeZTxNhgsaI3LWW0rWfWOF77/
hQ1g6kIcr0QCwqklC08e1F1m4kSu++zQiHiDy7FoFphV8e5mLnEb9yJ0QfYNTomQk12/chY7LvZu
cZkT4p8Otrh98W12JExcep7IICmOjoYr5OJxvLYxHYqLYVUclmeAmDo9aouIJGTNGa+GOzoVkm5Q
Q6Kh1uUrifGxjS+c1+iwuL4MUmyPU8SOH2dIQ00O73GBJB3X0Kg6H5YSlSLbG/YemcS8UW1uiyQY
JyN4wk120YWwYyPk7Ai7mEWyYyzbpe3M4klLhUqWnISb2hbZQ82VcFkV1JUhJf95SEiWrie3u1jU
TAU3OI4Rhbhr5itTiUhmHhOVa2QcISs5zfRNEJ3Ky1jqFClHW95tdef5jtWCmbA/frF1uyNjF/n1
tGBWsZY4FMglHVolhs6xngjyohjzGdGpOOiT1cwon+45Tm4NVHWA4o83xYk0y00sd6J56PiSM8pR
pXSQrvtJ9Kwm0WpS0ZfJ6x3qQInI7VBukjk9ZDvnGU143jKZCRWeUZtFTOgtFXzMq2TKVuomGZJU
birsaKpEt1Lt8WyIpCQq/ORJTbQmqaWBS2tb3Yqks75Vrj5aa/vmele84qiue+VrX/36V8DiJa+D
JWxhDXvYMwVWsYtlbGMd+1j/yEZWspOlbGUte1nMZlazeUFsZz2rvs2GVrSjJW1pTXta1KZWtat9
kTVY+9rGfla2s40fbG17W9zmVre75W1vfftb4AZXuMMlbnGNe1zkJldDtGVuc/WnXOhGF7bOpW51
ESJd7Gb3tNblbne9+13whle84yVvec17XvSmV73r/Yl23fvezLJXvgyEb33te1/85le/++Vvf+s6
XwAjMK4BJvB1p1tgBEvEtkEBgIgA0OAcQRgoEmYOhUHUYAg/eDkUtvBIOjwkDNvDtg/WsEA+fJAP
n3jCJUaIiic8EBfzJMQmbjFOJGzhGL84xzdR8Y5pPOMNo3gnHAZMj1Vz4hBD//Y0N5Zxc5CMGh/7
hMk9mbKTi2yaEEdZKETWiZZtzOMje9geXvYSkTNcYhKP2cRoHrOGWZxmNWf4IWdGc53ljGE339jO
am4znXFM4zj3uc93hjOM88xmQaN4z29mM473POg10/nHhS50ix+dZUBLOtCQhnGkDS3nQJNYzyz2
NJxNfek8fzrSmq60kzJkZj4DWtY/5vOdO/3mOcsayExGNKhv/WtazxrUmNb1pmMda14fu9PB9jWt
uVzsZOd618rONbSHPes4+xrWwQ41t6e9bGx7G9i2FneVDfxaWON62aLeNKHTHGNtIxvYtc70u+f9
bWd3G9ryBneySb3qGQ/b3v/Plne0V21sPH953/n2M7+PPW1eGxzfbQY3pEft5kwPGuKGVvBjlyxk
PT+84PQ2drhrPPKFk3zj5a44pok9cnNXedcEVznMhdxvlNtc109OuctzHvOftzvolnb4xGv+Z26v
OX9T3jbLr21wasdb5vwmN8KHjnOr51vYOCd4tKv+cpGzfN9Al8jUny11rItd6CundtbdHnC1A7ni
rsYQuyc96loPPOOJprm9k27qdde7znmP981VvnFzU9zf/+b73tktd74jOu8HhzjjWy75ovv94Otm
tLa/bXdPK53Tl3a85M+c6IMoOcGyJbMCB7z6AbZarweGfe0fAljb5/53rz//+Yt7ZPnf87xLwH9P
609kWjEn3sWJt/KV5yz7arfdxnYmftmjH2XQM9jhpMmx8FFP6ernxNHh3/6QSX3xhv6VPcxXuPRr
1GEtG1/5Ur5+k6GMnO6X3ez33rLhh9z/eku7IHm1jMMzA3S38eM01Cs1vAs9uzvAT0vABYS/zhM0
VoO+rQs9RdM0BqxA/9NAzfM5vwM/CbTAfzs1+BNAZZNA0Ms+CsS7EaQ+MCs2GsM9LCvAonO7HCS7
r6sxf+M/rtM/tAtCcYu+cDu7qCPCFTS9sMu2uHO/v6s/4ZM5DjMyibO0Iey58stABRQSAhTBICS7
gnPBAnzAELQ6MYQ8H3w8/8NjuxT0PzJMOhrMNgw8QLm7woh7txTTvCSUw8s7wd6jPCCUNjZUQqNb
QZyzwdIAw/1Lw3k7uarTQjdsQyiEPCS8wg/MQSVMOzWUtkDEw0fkuE18w5LLRESEQ/5jv1K8xEE8
QhVEEwyhuh3cvv3LwB4ERUxMOeuDOlDkwpb7RT+sRelju6DLxSa8QykUM0hsxV4cxpwrRmDsPSZT
xEUMPMX7NeX7PEA8PPT7QcFjwefzwMgjvDnUOGzLvsZ7Pqo7QRJUNYvjPHJcwM07NSw0OfDbQHfc
QG08v3Z0wIBjwgi8QPJLL+PTPdnivSTBQIPMF2pcSId8SIiMSPHzPiUpyP/1s0jtu0FThEIqo8jx
OitSxD6F/D9VrMYPyT/ry8dW67FC7LI69EEjBEBK3Mj7Kw3cUo6QtL+Paz4PQUmi00LRm0GOfMVT
jMmMnMniqyAUQUF8bMFtxMdSw0Y6jEd5BDzBU0AURD95/L5Dq8etnLqb68Q27EdDHD1ydMpIjLwq
hECqbDcZdMCptEYOTLOb1MhSnMVzZMJLvMVQpEG4U8FJVEVklEZnnMNeE7+yLMsfZMVJI8yc1Lqf
bMaE68Nmu0v3IcBg5Dp0vLWWhMa7SzUsVLdjFMRyQ8fOzEnvM01zFMo85Ee9lErRtMM+vMtGDMmW
nESY/EfQFDH3gjrDHEr/S6TEZlQ0U3REySzMkkNNZQzEJlxO35w7XOQ431ROwvQ2JBTOVmS4zONN
7XpOYXwyXkxFZpzJv5RE8eTCwcTOlAzLaEyxxDxH8Ww6YtTF3+w6xcxOv/zF90pHomM6dhTHrFzH
eJQ9qzxLzsO4b9TACPRHr9zDkMvHcuREBY06PWw0/mQ1IbRHxHtKtWzAKqxOiyuxuiwsjLSuEpVI
IRlJgkRRFm1R00BIFx2s5OIRmhuRgvRIoUxRizzR/1tPkNuyGJtREtmxGnUwH83R+VvOn/BJmWRN
+jO55MBRsURM4NmuIyFSmjzJI1XSkjRKnczRowRTKpu7INtSy+wy/1lK/1SbTLTcPLX0R62cR+h8
S8200HRkSq50TbPUzbX00KmMOQQVuIazwD/MupU8ND+9yg5dUH2ESwzlwDcNNNTayYXjS7WDSaDM
VEwdzYijT3ybuNosx/kDyNGkt+NEz6vDSzRMvvF0ujW0R81sIMa8xdukuAW9OFANvBfM1bgrxNus
VQn9VPI8w1BcTHMMT6QzVYBDysDs01SNzncMymDdvbpTT0vlRNwUQKYrSl5dVfg0RloMQ209T5FL
VjBUTznc1sqc1iK8xie8z/k8PyWcVLtEuWvN1VzsVuYzxlPVt7cL17Eb13cl0+scztkEy1L11nIl
V8bsNu9k1qH0EjXFUP9T7cc8ZNRH68I4DM3yq9W1TFBbJUFH0zk3xUo+FE3izLzCQ9nfhFCl889u
7Lx9HL9HJc2qhEoJo9cLaxEeJRL5W78Y/T2e7Zmf5cmgfS4LoS//Wlo1OVqnHcBYJFM0dQ/g69nR
YFqs3asfZU4/BNEwjVCrNdOsHVspwT8l5Vq0/dotNNqnZb0YNECHLVC4FcgXVNAKFdStDVBH3Uqe
+IG2fR/M9Fdku1fP5NT6g8yUPU7M+xuybVzBscssQ9jAZFh0nVbGw9XCDdu/ZSCJE1bFbVXaNMTr
vE8ojdFW8CxkJV2F1deDfcTRnVxf3FzCYsN7bE2M1U2wXdyXxUYO1Vu8/gxZ2RWwqP0ajHRc44VR
AdLc4F1e5m1e531e6I1e0Dpe6q1ezpJe7M1e7R0S6+1e75WL7Q1f1fhe8i1f8z3f4xVf9V1f9m1f
931f+I1f+dUS9K1f+71f/M1f/d1f/u1f//1f+FIAAB5gAvbf+T3gcytgBV5gBm5gB37g70VgCeZO
CK5gC75gDM5gDd5gDu5g+ZhgEA7h9/VgEsYsEZbfEk5hFV5hFm5hF96QE45hGZ5hGq5hG75hHKau
gAAAOw==
------=_NextPart_000_000A_01C708A0.D4D050C0--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAF3LSW4003262; Tue, 14 Nov 2006 20:21:28 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAF3LSuQ003261; Tue, 14 Nov 2006 20:21:28 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAF3LRAU003255 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 20:21:27 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id ED5E6E0035; Tue, 14 Nov 2006 22:21:18 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Stefan Santesson <stefans@microsoft.com>
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>, Russ Housley <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
References: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.microsoft.com> <F9F038204EE77C4AA9959A6B3C94AFE801098D06@IMCSRV2.MITRE.ORG> <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA90@EA-EXMSG-C307.europe.corp.microsoft.com> <tsld57pis78.fsf@cz.mit.edu> <A15AC0FBACD3464E95961F7C0BCD1FF010BCAAA0@EA-EXMSG-C307.europe.corp.microsoft.com>
Date: Tue, 14 Nov 2006 22:21:18 -0500
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF010BCAAA0@EA-EXMSG-C307.europe.corp.microsoft.com> (Stefan Santesson's message of "Tue, 14 Nov 2006 22:56:38 +0000")
Message-ID: <tslhcx1gztd.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> "Stefan" == Stefan Santesson <stefans@microsoft.com> writes:
Stefan> Sam, Could you point us to the applicable interoperability
Stefan> requirements IETF has established in general that would
Stefan> require such clarification of RFC 2560.
Sure. Take a look at section 3.1 of
draft-carpenter-protocol-extensions (an approved BCP). That BCP is
new, but the requirements in that section come from a long list of
RFCs that are quite old. Brian included a list of RFCs discussing
interoperability in the recent atompub appeal response on HTTP
mandatory authentication.
A central principle of this interoperability is that there is an
interoperable protocol set where I can exchange one product for
another.
In other words I need to be able to set up my OCSP clients and servers
so that I can take vendor A's implementation and exchange it with
vendor B's implementation and have things still work.
The liberal interpretation of 2560 for servers is that they need to be
able to respond to any request. However that's operationally
undesirable. So, we need to modify the requirements of the protocol.
Really, we're fixing a spec bug: 2560 is way too unclear on this
issue.
Now, we've passed clarifications documents in the past. That is
informational documents that describe errors in specs. But that's not
what this profile is. The profile is a protocol that specifies
requirements for clients and servers. That's not something I can be
comfortable with unless it is clearly consistent with the spec.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAF11PfE085379; Tue, 14 Nov 2006 18:01:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAF11Prh085376; Tue, 14 Nov 2006 18:01:25 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAF11OUk085364 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 18:01:25 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Tue, 14 Nov 2006 17:03:24 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C87905747BA3@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccISC4x/bjd35LmTReqe2+ofTYDggACP1bQ
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAF11PUk085368
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
I do not know how germane this debate is to Sam's question, but I was
simply responding to the issue building certification path. I presume
that in this context it relates to building a path to the Responder
certificate.
Now let us look at the three model 2560 has: Explicitly Trusted, CA and
Delegated.
Explicitly trusted does not need a certification path and hence there is
no issue and that is why I did not include it in.
CA model does not need any path building since path to the CA has
already been built and that is why I did not include it in my response.
Note that both clients requires the CA to use the same to sign the OCSP
as it signed the certificate in question with.
My post responded to the Delegated model.
I hope this clarifies that the path building should not be a major issue
for all three models 2560 supports.
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Tuesday, November 14, 2006 6:42 PM
To: Santosh Chokhani; ietf-pkix@imc.org
Cc: Sam Hartman
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Santosh:
I believe this is a red herring. This is not the only deployment
approach supported by RFC 2560.
Russ
>In hurry, I did not clearly articulate my thoughts. What I am saying
also
>relates to another comment to Mike Myers regarding the security of the
>delegated model which is incompletely addressed by 2560.
>
>I will be verbose this time.
>
>The implementations such as Corestreet and Tumbleweed tend to adhere to
the
>approach that the same key that signed the certificate in question,
sign the
>OCSP Responder certificate.
>
>Thus, if you have a hierarchy like Root --> CA --> Subscriber and you
want
>the status of CA certificate and the Subscriber certificate, you get
them as
>responses and with them you only need the two OCSP Responder
certificates
>one signed by the Root (for verifying CA certificate revocation status)
and
>one signed by the CA (for verifying the subscriber certificate
revocation
>status).
>
>You do not need any paths.
>
>Please note that the approach also works when the Responder is queried
by a
>CA cross certified by the root, since rest of the path has been built
by the
>client.
>
>-----Original Message-----
>From: Dave Engberg [mailto:dengberg@corestreet.com]
>Sent: Tuesday, November 14, 2006 12:45 PM
>To: Stefan Santesson; Santosh Chokhani; Russ Housley; Price, Bill;
>ietf-pkix@imc.org
>Cc: Sam Hartman; Michael Myers
>Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
>CoreStreet's OCSP server doesn't include a SingleResponse for the
issuing
>CA's cert in pre-signed responses. Mostly for the reasons mentioned:
>
>Adds 90-100 bytes onto every response
>
>Have never seen a relying party app/plug-in send a request like this
>
>The "delegated" trust model in RFC 2560 would require different signing
>certs for trusting entity vs. CA cert ... add another 1kB onto the
response
>
>Protocol only sends CA name+key info, which isn't enough to identify
which
>CA cert the relying party is inspecting in the case of CA cert renewal,
>cross-certification, etc.
>
>
>-----Original Message-----
>From: Stefan Santesson [mailto:stefans@microsoft.com]
>Sent: Tuesday, November 14, 2006 12:11 PM
>To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
>Cc: Sam Hartman; Michael Myers; Dave Engberg
>Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>Santosh,
>
>I didn't say it was hard. I say that I doubt that there are many
>implementations supporting this scenario even those with a responder
key.
>It would be interesting to hear from implementers if I'm right.
>
>Stefan Santesson
>Senior Program Manager
>Windows Security, Standards
>
> > -----Original Message-----
> > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > Sent: den 14 november 2006 03:59
> > To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> > Stefan,
> >
> > You are making more complex than it is. The Responder can include
all
> > the CA certificates that issued the certificate in question and AIA
can
> > do the rest.
> >
> > Furthermore, since most PKI are two tier hierarchy, in Enterprise
> > environment, the CA certificate certification path is not an issue.
> >
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org]
> > On Behalf Of Stefan Santesson
> > Sent: Monday, November 13, 2006 6:54 PM
> > To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> > I'm not sure the case described is a realistic one.
> >
> > Section 2.2
> > All definitive response messages SHALL be digitally signed. The
key
> > used to sign the response MUST belong to one of the following:
> >
> > -- the CA who issued the certificate in question
> > -- a Trusted Responder whose public key is trusted by the
requester
> > -- a CA Designated Responder (Authorized Responder) who holds a
> > specially marked certificate issued directly by the CA,
> > indicating
> > that the responder may issue OCSP responses for that CA
> >
> > Since the request is on certificates issued by 2 different CA:s
trust
> > option 1 is invalid.
> > Trust option 3 is valid in theory but in practice it requires that
the
> > OCSP responder provide multiple validation paths in the response,
one
> > for each issuing CA. Somehow I doubt that this is implemented by
> > anyone.
> >
> > Trust option 2 is not generic and is only valid as a result of a
local
> > configuration.
> >
> > So I don't think this is a problem only for key-less responders.
> >
> >
> > Stefan Santesson
> > Senior Program Manager
> > Windows Security, Standards
> >
> >
> > > -----Original Message-----
> > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > pkix@mail.imc.org] On Behalf Of Russ Housley
> > > Sent: den 13 november 2006 14:08
> > > To: Price, Bill; ietf-pkix@imc.org
> > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > > I prefer an error that tells the client to ask for the certificate
> > > one at a time.
> > >
> > > Russ
> > >
> > >
> > > At 02:46 PM 11/13/2006, Price, Bill wrote:
> > >
> > > >I'd suggest focusing on understanding where responses to the
keyed
> > and
> > > >keyless responders inherently differ. I am aware of two general
> > cases:
> > > >
> > > >1) The request asks for the status of multiple certificates that
> > have
> > > >not been included in a single presigned response. Russ's example
> > fits
> > > >into this case. The keyed responder handles, but the keyless will
> > fail
> > > >for the general case. Some responders respond with the presigned
> > > >response that includes one of the certificates (usually the
first)
> > in
> > > >the request. A common situation is to ask for the status of
> > > >certificates in a chain. Santosh points out some keyless
responders
> > > >anticipate this and bundle responses accordingly.
> > > >
> > > >2) The request is "well-formed" but asks for the status of a
> > > >certificate for which the keyless responder has not prepared a
> > > >response. This situation will occur if:
> > > >
> > > > a) The request is for status of a certificate from a
supported
> > CA
> > > >but with a serial number for which there is no pre-signed
response.
> > > >Assuming presigned responses exist for all certificates that
would
> > be
> > > >valid based on their validity intervals, this would occur if the
> > > >certificate had expired or was yet to be issued (I am aware the
> > > keyless
> > > >responders generally produce responses for certificates likely to
be
> > > >issued before the next generation of presigned responses). The
keyed
> > > >responder would give a signed "good" response. My understanding
is
> > > that
> > > >the keyless responder under the draft lightweight OCSP responds
with
> > > an
> > > >unsigned "unauthorized" error code.
> > > >
> > > > b) The request is for the status of a certificate from an
> > > >unsupported (or non-existent) CA. The keyed responder would
respond
> > > >with a signed "unknown" response while under the draft, the
keyless
> > > >would again respond with the unsigned "unauthorized" error code.
> > > >
> > > >Some might argue with some grounds that these differences are
> > unusual,
> > > >unlikely, and insignificant.
> > > >
> > > >I personally consider the behavior in 2 of responding with the
> > > >"unauthorized" error to be misleading. "Internal error" sounds
more
> > > >appropriate if I were constrained to the current error codes.
> > > >"Malformed request" might be OK. However, the actual situation
does
> > > not
> > > >match well with any of these errors as they are described in
2560.
> > > >
> > > >If 2560 is supposed to encompass keyless responders, I'd
recommend
> > > >identifying the unavoidable differences and/or adding 2 TBD error
> > > codes
> > > >for the above cases (assuming they are the only differences). The
> > > first
> > > >error can be worked around by breaking the request for status of
> > > >multiples into multiple requests for status of one cert.
> > > >
> > > >We've also seen some problems with client apps that can't handle
> > > >presigned responses that commonly contain the status of several
> > (e.g.,
> > > >15-25) certs. The apps inquired for the status of a single cert
and
> > > >apparently expected a response for a single certificate. I'd
suggest
> > > >that some "must" or "should" words address clients' ability to
> > handle
> > > >the situation of a response covering multiple certificates.
> > > >
> > > >
> > > >
> > > >Bill Price
> > > >
> > > >-----Original Message-----
> > > >From: owner-ietf-pkix@mail.imc.org
> > > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > > >Sent: Monday, November 13, 2006 11:46 AM
> > > >To: Michael Myers; Dave Engberg
> > > >Cc: ietf-pkix@imc.org; Sam Hartman
> > > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC
2560
> > > >
> > > >
> > > >Mike:
> > > >
> > > >I think it is not that simple. I think you need to say that
support
> > > >for one certificate MUST be supported, and that support for more
> > than
> > > >one certificate is OPTIONAL. Then, the error is am indication
that
> > > >the requestor has selected an unimplemented OPTION.
> > > >
> > > >Russ
> > > >
> > > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > > >Responders unable to produce or acquire a definitive response
MUST
> > > >return <a
> > > > >TBD error>.
> > > > >
> > > > >As to your other points Santosh, that is something I prefer the
> > > chairs
> > > > >consider.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > > >
> > > > > > Mike,
> > > > > >
> > > > > > What is the error case?
> > > > > >
> > > > > > . . .
> >
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAF08Nb9077765; Tue, 14 Nov 2006 17:08:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAF08NVi077764; Tue, 14 Nov 2006 17:08:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from [10.20.30.183] (dsl-63-249-108-169.cruzio.com [63.249.108.169]) (authenticated bits=0) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAF06gHA077655; Tue, 14 Nov 2006 17:06:43 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240874c18009a0dcb7@[10.20.30.183]>
In-Reply-To: <455A1C3A.3010002@nist.gov> <E1Gk162-0007Cr-00@medusa01.cs.auckland.ac.nz> <E1Gk18e-0007H3-00@medusa01.cs.auckland.ac.nz>
References: <08AD20EDD5C44148842571F730597F8401295725@INDYSMAILMB03.am.thmulti.com> <455A1C3A.3010002@nist.gov> <E1Gk162-0007Cr-00@medusa01.cs.auckland.ac.nz> <E1Gk18e-0007H3-00@medusa01.cs.auckland.ac.nz>
Date: Tue, 14 Nov 2006 16:06:33 -0800
To: pgut001@cs.auckland.ac.nz (Peter Gutmann), ietf-pkix@imc.org, ron.ogle@thomson.net, kent@bbn.com, "David A. Cooper" <david.cooper@nist.gov>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: PEM file format rfc draft request
Cc: Dieter.Bratko@iaik.tugraz.at
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
At 5:25 AM +1300 11/15/06, Peter Gutmann wrote:
>I think the best you could do is create an kind of FYI RFC that
>documents all of the possible formats (I started this in my X.509 style guide
>some years ago), or maybe document a regexp that'll recognise all possible
>formats.
Yes.
At 5:27 AM +1300 11/15/06, Peter Gutmann wrote:
>"Ogle Ron" <ron.ogle@thomson.net> writes:
>
> >If not PKIX, then where?
>
>A web page somewhere where Google can find it. Given that this is such a
>moving target, I'm not sure that an RFC is the best way to document this even
>if you could find a WG that would adopt it.
Even better.
At 2:42 PM -0500 11/14/06, David A. Cooper wrote:
>Why is there need to base64 encode everything? It made sense in PEM
>due to the limitations of email, but what is the benefit of base64
>encoding in other situations?
Copy and paste text. This is *commonly* used in IPsec UIs for cert
issuance, and sometimes for trust anchor passing.
--Paul Hoffman, Director
--VPN Consortium
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAENn3ir074974; Tue, 14 Nov 2006 16:49:03 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAENn3gR074973; Tue, 14 Nov 2006 16:49:03 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAENn2Ak074960 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 16:49:02 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 19263 invoked by uid 0); 14 Nov 2006 23:48:54 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 14 Nov 2006 23:48:54 -0000
Message-Id: <7.0.0.16.2.20061114183948.07a44c20@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Tue, 14 Nov 2006 18:42:07 -0500
To: "Santosh Chokhani" <chokhani@orionsec.com>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>
In-Reply-To: <82D5657AE1F54347A734BDD33637C879056F82AC@EXVS01.ex.dslextr eme.net>
References: <82D5657AE1F54347A734BDD33637C879056F82AC@EXVS01.ex.dslextreme.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Santosh:
I believe this is a red herring. This is not the only deployment
approach supported by RFC 2560.
Russ
>In hurry, I did not clearly articulate my thoughts. What I am saying also
>relates to another comment to Mike Myers regarding the security of the
>delegated model which is incompletely addressed by 2560.
>
>I will be verbose this time.
>
>The implementations such as Corestreet and Tumbleweed tend to adhere to the
>approach that the same key that signed the certificate in question, sign the
>OCSP Responder certificate.
>
>Thus, if you have a hierarchy like Root --> CA --> Subscriber and you want
>the status of CA certificate and the Subscriber certificate, you get them as
>responses and with them you only need the two OCSP Responder certificates
>one signed by the Root (for verifying CA certificate revocation status) and
>one signed by the CA (for verifying the subscriber certificate revocation
>status).
>
>You do not need any paths.
>
>Please note that the approach also works when the Responder is queried by a
>CA cross certified by the root, since rest of the path has been built by the
>client.
>
>-----Original Message-----
>From: Dave Engberg [mailto:dengberg@corestreet.com]
>Sent: Tuesday, November 14, 2006 12:45 PM
>To: Stefan Santesson; Santosh Chokhani; Russ Housley; Price, Bill;
>ietf-pkix@imc.org
>Cc: Sam Hartman; Michael Myers
>Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
>CoreStreet's OCSP server doesn't include a SingleResponse for the issuing
>CA's cert in pre-signed responses. Mostly for the reasons mentioned:
>
>Adds 90-100 bytes onto every response
>
>Have never seen a relying party app/plug-in send a request like this
>
>The "delegated" trust model in RFC 2560 would require different signing
>certs for trusting entity vs. CA cert ... add another 1kB onto the response
>
>Protocol only sends CA name+key info, which isn't enough to identify which
>CA cert the relying party is inspecting in the case of CA cert renewal,
>cross-certification, etc.
>
>
>-----Original Message-----
>From: Stefan Santesson [mailto:stefans@microsoft.com]
>Sent: Tuesday, November 14, 2006 12:11 PM
>To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
>Cc: Sam Hartman; Michael Myers; Dave Engberg
>Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>Santosh,
>
>I didn't say it was hard. I say that I doubt that there are many
>implementations supporting this scenario even those with a responder key.
>It would be interesting to hear from implementers if I'm right.
>
>Stefan Santesson
>Senior Program Manager
>Windows Security, Standards
>
> > -----Original Message-----
> > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > Sent: den 14 november 2006 03:59
> > To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> > Stefan,
> >
> > You are making more complex than it is. The Responder can include all
> > the CA certificates that issued the certificate in question and AIA can
> > do the rest.
> >
> > Furthermore, since most PKI are two tier hierarchy, in Enterprise
> > environment, the CA certificate certification path is not an issue.
> >
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org]
> > On Behalf Of Stefan Santesson
> > Sent: Monday, November 13, 2006 6:54 PM
> > To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> > I'm not sure the case described is a realistic one.
> >
> > Section 2.2
> > All definitive response messages SHALL be digitally signed. The key
> > used to sign the response MUST belong to one of the following:
> >
> > -- the CA who issued the certificate in question
> > -- a Trusted Responder whose public key is trusted by the requester
> > -- a CA Designated Responder (Authorized Responder) who holds a
> > specially marked certificate issued directly by the CA,
> > indicating
> > that the responder may issue OCSP responses for that CA
> >
> > Since the request is on certificates issued by 2 different CA:s trust
> > option 1 is invalid.
> > Trust option 3 is valid in theory but in practice it requires that the
> > OCSP responder provide multiple validation paths in the response, one
> > for each issuing CA. Somehow I doubt that this is implemented by
> > anyone.
> >
> > Trust option 2 is not generic and is only valid as a result of a local
> > configuration.
> >
> > So I don't think this is a problem only for key-less responders.
> >
> >
> > Stefan Santesson
> > Senior Program Manager
> > Windows Security, Standards
> >
> >
> > > -----Original Message-----
> > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > pkix@mail.imc.org] On Behalf Of Russ Housley
> > > Sent: den 13 november 2006 14:08
> > > To: Price, Bill; ietf-pkix@imc.org
> > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > > I prefer an error that tells the client to ask for the certificate
> > > one at a time.
> > >
> > > Russ
> > >
> > >
> > > At 02:46 PM 11/13/2006, Price, Bill wrote:
> > >
> > > >I'd suggest focusing on understanding where responses to the keyed
> > and
> > > >keyless responders inherently differ. I am aware of two general
> > cases:
> > > >
> > > >1) The request asks for the status of multiple certificates that
> > have
> > > >not been included in a single presigned response. Russ's example
> > fits
> > > >into this case. The keyed responder handles, but the keyless will
> > fail
> > > >for the general case. Some responders respond with the presigned
> > > >response that includes one of the certificates (usually the first)
> > in
> > > >the request. A common situation is to ask for the status of
> > > >certificates in a chain. Santosh points out some keyless responders
> > > >anticipate this and bundle responses accordingly.
> > > >
> > > >2) The request is "well-formed" but asks for the status of a
> > > >certificate for which the keyless responder has not prepared a
> > > >response. This situation will occur if:
> > > >
> > > > a) The request is for status of a certificate from a supported
> > CA
> > > >but with a serial number for which there is no pre-signed response.
> > > >Assuming presigned responses exist for all certificates that would
> > be
> > > >valid based on their validity intervals, this would occur if the
> > > >certificate had expired or was yet to be issued (I am aware the
> > > keyless
> > > >responders generally produce responses for certificates likely to be
> > > >issued before the next generation of presigned responses). The keyed
> > > >responder would give a signed "good" response. My understanding is
> > > that
> > > >the keyless responder under the draft lightweight OCSP responds with
> > > an
> > > >unsigned "unauthorized" error code.
> > > >
> > > > b) The request is for the status of a certificate from an
> > > >unsupported (or non-existent) CA. The keyed responder would respond
> > > >with a signed "unknown" response while under the draft, the keyless
> > > >would again respond with the unsigned "unauthorized" error code.
> > > >
> > > >Some might argue with some grounds that these differences are
> > unusual,
> > > >unlikely, and insignificant.
> > > >
> > > >I personally consider the behavior in 2 of responding with the
> > > >"unauthorized" error to be misleading. "Internal error" sounds more
> > > >appropriate if I were constrained to the current error codes.
> > > >"Malformed request" might be OK. However, the actual situation does
> > > not
> > > >match well with any of these errors as they are described in 2560.
> > > >
> > > >If 2560 is supposed to encompass keyless responders, I'd recommend
> > > >identifying the unavoidable differences and/or adding 2 TBD error
> > > codes
> > > >for the above cases (assuming they are the only differences). The
> > > first
> > > >error can be worked around by breaking the request for status of
> > > >multiples into multiple requests for status of one cert.
> > > >
> > > >We've also seen some problems with client apps that can't handle
> > > >presigned responses that commonly contain the status of several
> > (e.g.,
> > > >15-25) certs. The apps inquired for the status of a single cert and
> > > >apparently expected a response for a single certificate. I'd suggest
> > > >that some "must" or "should" words address clients' ability to
> > handle
> > > >the situation of a response covering multiple certificates.
> > > >
> > > >
> > > >
> > > >Bill Price
> > > >
> > > >-----Original Message-----
> > > >From: owner-ietf-pkix@mail.imc.org
> > > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > > >Sent: Monday, November 13, 2006 11:46 AM
> > > >To: Michael Myers; Dave Engberg
> > > >Cc: ietf-pkix@imc.org; Sam Hartman
> > > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > > >
> > > >
> > > >Mike:
> > > >
> > > >I think it is not that simple. I think you need to say that support
> > > >for one certificate MUST be supported, and that support for more
> > than
> > > >one certificate is OPTIONAL. Then, the error is am indication that
> > > >the requestor has selected an unimplemented OPTION.
> > > >
> > > >Russ
> > > >
> > > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > > >Responders unable to produce or acquire a definitive response MUST
> > > >return <a
> > > > >TBD error>.
> > > > >
> > > > >As to your other points Santosh, that is something I prefer the
> > > chairs
> > > > >consider.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > > >
> > > > > > Mike,
> > > > > >
> > > > > > What is the error case?
> > > > > >
> > > > > > . . .
> >
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAENPN6E068791; Tue, 14 Nov 2006 16:25:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAENPN0Y068787; Tue, 14 Nov 2006 16:25:23 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAENPMIf068776 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 16:25:22 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 30429 invoked by uid 0); 14 Nov 2006 23:25:14 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 14 Nov 2006 23:25:14 -0000
Message-Id: <7.0.0.16.2.20061114181343.07a37c08@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Tue, 14 Nov 2006 18:16:52 -0500
To: Stefan Santesson <stefans@microsoft.com>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: Sam Hartman <hartmans-ietf@mit.edu>
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.eur ope.corp.microsoft.com>
References: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com> <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG> <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com> <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Stefan:
>There is no place where RFC 2560 requires the render to successfully
>handle a composite request. It only specifies how it should be done.
It does not say one way or the other. That is the problem. It
specifies the syntax, without telling the reader whether some or all
of it is mandatory to implement. This is the crux of Sam's discuss
position. Nothing in the text leads the reader to believe that
responding to a multi-certificate query is OPTIONAL.
I find the use of "unauthorized" to indicate that a client cannot
make a multi-certificate request unacceptable. To me, that implies
that some other client would be authorized to make such a request.
I also find the use of "internalError" to indicate that a client
cannot make a multi-certificate request unacceptable.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAENP2Tt068548; Tue, 14 Nov 2006 16:25:02 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAENP2B9068545; Tue, 14 Nov 2006 16:25:02 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAENOxHe068506 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 16:25:01 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 29902 invoked by uid 0); 14 Nov 2006 23:24:51 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 14 Nov 2006 23:24:51 -0000
Message-Id: <7.0.0.16.2.20061114181027.03fe4470@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Tue, 14 Nov 2006 18:12:36 -0500
To: Stefan Santesson <stefans@microsoft.com>, "Price, Bill" <wprice@mitre.org>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: Sam Hartman <hartmans-ietf@mit.edu>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7B3@EA-EXMSG-C307.eur ope.corp.microsoft.com>
References: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com> <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG> <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com> <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7B3@EA-EXMSG-C307.europe.corp.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
It is not a problem for OCSP Responders that can relay the request to
a server with a key. That server can build the signed response for
the arbitrary collection of certificates.
Russ
At 06:54 PM 11/13/2006, Stefan Santesson wrote:
>I'm not sure the case described is a realistic one.
>
>Section 2.2
> All definitive response messages SHALL be digitally signed. The key
> used to sign the response MUST belong to one of the following:
>
> -- the CA who issued the certificate in question
> -- a Trusted Responder whose public key is trusted by the requester
> -- a CA Designated Responder (Authorized Responder) who holds a
> specially marked certificate issued directly by the CA, indicating
> that the responder may issue OCSP responses for that CA
>
>Since the request is on certificates issued by 2 different CA:s
>trust option 1 is invalid.
>Trust option 3 is valid in theory but in practice it requires that
>the OCSP responder provide multiple validation paths in the
>response, one for each issuing CA. Somehow I doubt that this is
>implemented by anyone.
>
>Trust option 2 is not generic and is only valid as a result of a
>local configuration.
>
>So I don't think this is a problem only for key-less responders.
>
>
>Stefan Santesson
>Senior Program Manager
>Windows Security, Standards
>
>
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org] On Behalf Of Russ Housley
> > Sent: den 13 november 2006 14:08
> > To: Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> > I prefer an error that tells the client to ask for the certificate
> > one at a time.
> >
> > Russ
> >
> >
> > At 02:46 PM 11/13/2006, Price, Bill wrote:
> >
> > >I'd suggest focusing on understanding where responses to the keyed and
> > >keyless responders inherently differ. I am aware of two general cases:
> > >
> > >1) The request asks for the status of multiple certificates that have
> > >not been included in a single presigned response. Russ's example fits
> > >into this case. The keyed responder handles, but the keyless will fail
> > >for the general case. Some responders respond with the presigned
> > >response that includes one of the certificates (usually the first) in
> > >the request. A common situation is to ask for the status of
> > >certificates in a chain. Santosh points out some keyless responders
> > >anticipate this and bundle responses accordingly.
> > >
> > >2) The request is "well-formed" but asks for the status of a
> > >certificate for which the keyless responder has not prepared a
> > >response. This situation will occur if:
> > >
> > > a) The request is for status of a certificate from a supported CA
> > >but with a serial number for which there is no pre-signed response.
> > >Assuming presigned responses exist for all certificates that would be
> > >valid based on their validity intervals, this would occur if the
> > >certificate had expired or was yet to be issued (I am aware the
> > keyless
> > >responders generally produce responses for certificates likely to be
> > >issued before the next generation of presigned responses). The keyed
> > >responder would give a signed "good" response. My understanding is
> > that
> > >the keyless responder under the draft lightweight OCSP responds with
> > an
> > >unsigned "unauthorized" error code.
> > >
> > > b) The request is for the status of a certificate from an
> > >unsupported (or non-existent) CA. The keyed responder would respond
> > >with a signed "unknown" response while under the draft, the keyless
> > >would again respond with the unsigned "unauthorized" error code.
> > >
> > >Some might argue with some grounds that these differences are unusual,
> > >unlikely, and insignificant.
> > >
> > >I personally consider the behavior in 2 of responding with the
> > >"unauthorized" error to be misleading. "Internal error" sounds more
> > >appropriate if I were constrained to the current error codes.
> > >"Malformed request" might be OK. However, the actual situation does
> > not
> > >match well with any of these errors as they are described in 2560.
> > >
> > >If 2560 is supposed to encompass keyless responders, I'd recommend
> > >identifying the unavoidable differences and/or adding 2 TBD error
> > codes
> > >for the above cases (assuming they are the only differences). The
> > first
> > >error can be worked around by breaking the request for status of
> > >multiples into multiple requests for status of one cert.
> > >
> > >We've also seen some problems with client apps that can't handle
> > >presigned responses that commonly contain the status of several (e.g.,
> > >15-25) certs. The apps inquired for the status of a single cert and
> > >apparently expected a response for a single certificate. I'd suggest
> > >that some "must" or "should" words address clients' ability to handle
> > >the situation of a response covering multiple certificates.
> > >
> > >
> > >
> > >Bill Price
> > >
> > >-----Original Message-----
> > >From: owner-ietf-pkix@mail.imc.org
> > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > >Sent: Monday, November 13, 2006 11:46 AM
> > >To: Michael Myers; Dave Engberg
> > >Cc: ietf-pkix@imc.org; Sam Hartman
> > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > >Mike:
> > >
> > >I think it is not that simple. I think you need to say that support
> > >for one certificate MUST be supported, and that support for more than
> > >one certificate is OPTIONAL. Then, the error is am indication that
> > >the requestor has selected an unimplemented OPTION.
> > >
> > >Russ
> > >
> > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > >Responders unable to produce or acquire a definitive response MUST
> > >return <a
> > > >TBD error>.
> > > >
> > > >As to your other points Santosh, that is something I prefer the
> > chairs
> > > >consider.
> > > >
> > > > > -----Original Message-----
> > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > >
> > > > > Mike,
> > > > >
> > > > > What is the error case?
> > > > >
> > > > > . . .
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEMumYO062830; Tue, 14 Nov 2006 15:56:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEMumr1062828; Tue, 14 Nov 2006 15:56:48 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.191]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEMulb8062808 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 15:56:47 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from DUB-EXHUB-C303.europe.corp.microsoft.com (65.53.213.93) by DUB-EXGWY-E801.partners.extranet.microsoft.com (10.251.129.1) with Microsoft SMTP Server (TLS) id 8.0.685.0; Tue, 14 Nov 2006 22:56:41 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by DUB-EXHUB-C303.europe.corp.microsoft.com ([65.53.213.93]) with mapi; Tue, 14 Nov 2006 22:56:40 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
CC: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>, Russ Housley <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>
Date: Tue, 14 Nov 2006 22:56:38 +0000
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccIO3m00C4dDHL3R7+eLiDtvJ2YrwAAzd8Q
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF010BCAAA0@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.microsoft.com> <F9F038204EE77C4AA9959A6B3C94AFE801098D06@IMCSRV2.MITRE.ORG> <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA90@EA-EXMSG-C307.europe.corp.microsoft.com> <tsld57pis78.fsf@cz.mit.edu>
In-Reply-To: <tsld57pis78.fsf@cz.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAEMumb8062823
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sam,
Could you point us to the applicable interoperability requirements IETF has established in general that would require such clarification of RFC 2560.
What is ironic in this situation is that this a cases where the industry has been able to achieve interoperability (to a fairly high degree at least), also with respect to keyless responders. I don't think we serve the industry by denying publication of an informational document describing how keyless responders has been implemented.
Creating an RFC 2560bis may take considerable time.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: Sam Hartman [mailto:hartmans-ietf@mit.edu]
> Sent: den 14 november 2006 14:23
> To: Stefan Santesson
> Cc: ietf-pkix@imc.org; Michael Myers; Dave Engberg; Russ Housley;
> Price, Bill
> Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> >>>>> "Stefan" == Stefan Santesson <stefans@microsoft.com> writes:
>
> Stefan> On issue number 1) it is my belief that the lightweight
> Stefan> profile should be allowed to progress without updating RFC
> Stefan> 2560. I have seen no requirements in RFC 2560 that
> Stefan> requires a keyed responder, even if it is clear that a
> Stefan> non-keyed responder can only respond to a subset of all
> Stefan> valid requests. If the lightweight OCSP profile is allowed
> Stefan> to progress, it MUST live within the current restrictions
> Stefan> of OCSP with respect to error codes.
>
>
> Speaking as an holding a discuss, I cannot agree to allow the
> lightweight profile to progress without a standards-track
> clarification to 2560.
>
> Your reading of 2560 would not meet the interoperability requirements
> that the IETF has established that in general, all clients of a
> protocol be able to work with all servers of a protocol. In order to
> meet that requirement RFC 2560 needs to be normatively changed in
> order to require that clients be able to send a request including only
> one certificate.
>
> Unless I see new arguments I have not seen so far, my discuss stands.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEMpFYm061493; Tue, 14 Nov 2006 15:51:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEMpFBO061492; Tue, 14 Nov 2006 15:51:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-bedford.mitre.org (smtpproxy1.mitre.org [192.160.51.76]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEMpDF5061476 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 15:51:14 -0700 (MST) (envelope-from wprice@mitre.org)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.12.11.20060308/8.12.11) with SMTP id kAEMpCfA029215 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 17:51:13 -0500
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (Postfix) with ESMTP id BA13EBEFB for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 17:51:12 -0500 (EST)
Received: from imcfe2.MITRE.ORG (imcfe2.mitre.org [129.83.29.4]) by smtp-bedford.mitre.org (8.12.11.20060308/8.12.11) with ESMTP id kAEMpBKl029192; Tue, 14 Nov 2006 17:51:11 -0500
Received: from IMCSRV2.MITRE.ORG ([129.83.20.164]) by imcfe2.MITRE.ORG with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Nov 2006 17:51:11 -0500
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Tue, 14 Nov 2006 17:51:11 -0500
Message-ID: <F9F038204EE77C4AA9959A6B3C94AFE801098DAB@IMCSRV2.MITRE.ORG>
In-Reply-To: <886F5D4C78AFB14D87261206BFB9612E1BCCC6AA@scygmxs1.cygnacom.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-index: AccIN1Bu2OcsfkXSTZaetgKu4hu8KAAA0SOQ
From: "Price, Bill" <wprice@mitre.org>
To: "Carl Wallace" <CWallace@cygnacom.com>, "Dave Engberg" <dengberg@corestreet.com>, "Stefan Santesson" <stefans@microsoft.com>, "Santosh Chokhani" <chokhani@orionsec.com>, "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>, "Michael Myers" <mmyers@fastq.com>
X-OriginalArrivalTime: 14 Nov 2006 22:51:11.0688 (UTC) FILETIME=[619B5480:01C7083F]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAEMpEF5061478
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I have seen this behavior also (I mentioned it in my first post on this
thread). Keyed responders responded correctly. The problem of partial
responses occurred with at least one keyless responder. Such responses
appear to be out of compliance with RFC 2560 since it is not the case
that "A definitive response message is composed of responses for each
of the certificates in a request."
If a responder that is multi-request challenged is supposed to give an
error, neither the standard nor the profile explicitly identify the
appropriate error message. If the choice of error message is limited to
the existing ones in the RFC, the error will likely be as informative
and helpful as the profile's "unauthorized" response is for the case
when the keyless responders don't have an appropriate presigned
response.
If the partial response is to be acceptable, it seems that at least one
of the RFC or profile should be modified to so state.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Carl Wallace
Sent: Tuesday, November 14, 2006 3:49 PM
To: Dave Engberg; Stefan Santesson; Santosh Chokhani; Russ Housley;
Price, Bill; ietf-pkix@imc.org
Cc: Sam Hartman; Michael Myers
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
I've worked with a toolkit that can send multi-cert requests and have
seen
problems in this area including responders that return a successful
response
for one cert included in a request without addressing the others.
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org
> [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Dave Engberg
> Sent: Tuesday, November 14, 2006 12:45 PM
> To: Stefan Santesson; Santosh Chokhani; Russ Housley; Price,
> Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> CoreStreet's OCSP server doesn't include a SingleResponse for
> the issuing CA's cert in pre-signed responses. Mostly for
> the reasons mentioned:
>
> Adds 90-100 bytes onto every response
>
> Have never seen a relying party app/plug-in send a request like this
>
> The "delegated" trust model in RFC 2560 would require
> different signing certs for trusting entity vs. CA cert ...
> add another 1kB onto the response
>
> Protocol only sends CA name+key info, which isn't enough to
> identify which CA cert the relying party is inspecting in the
> case of CA cert renewal, cross-certification, etc.
>
>
> -----Original Message-----
> From: Stefan Santesson [mailto:stefans@microsoft.com]
> Sent: Tuesday, November 14, 2006 12:11 PM
> To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> Santosh,
>
> I didn't say it was hard. I say that I doubt that there are
> many implementations supporting this scenario even those with
> a responder key.
> It would be interesting to hear from implementers if I'm right.
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
> > -----Original Message-----
> > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > Sent: den 14 november 2006 03:59
> > To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> > Stefan,
> >
> > You are making more complex than it is. The Responder can
> include all
> > the CA certificates that issued the certificate in question and AIA
> > can do the rest.
> >
> > Furthermore, since most PKI are two tier hierarchy, in Enterprise
> > environment, the CA certificate certification path is not an issue.
> >
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org] On Behalf Of Stefan Santesson
> > Sent: Monday, November 13, 2006 6:54 PM
> > To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> > I'm not sure the case described is a realistic one.
> >
> > Section 2.2
> > All definitive response messages SHALL be digitally
> signed. The key
> > used to sign the response MUST belong to one of the following:
> >
> > -- the CA who issued the certificate in question
> > -- a Trusted Responder whose public key is trusted by
> the requester
> > -- a CA Designated Responder (Authorized Responder) who holds a
> > specially marked certificate issued directly by the CA,
> > indicating
> > that the responder may issue OCSP responses for that CA
> >
> > Since the request is on certificates issued by 2 different
> CA:s trust
> > option 1 is invalid.
> > Trust option 3 is valid in theory but in practice it
> requires that the
> > OCSP responder provide multiple validation paths in the
> response, one
> > for each issuing CA. Somehow I doubt that this is implemented by
> > anyone.
> >
> > Trust option 2 is not generic and is only valid as a result
> of a local
> > configuration.
> >
> > So I don't think this is a problem only for key-less responders.
> >
> >
> > Stefan Santesson
> > Senior Program Manager
> > Windows Security, Standards
> >
> >
> > > -----Original Message-----
> > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > pkix@mail.imc.org] On Behalf Of Russ Housley
> > > Sent: den 13 november 2006 14:08
> > > To: Price, Bill; ietf-pkix@imc.org
> > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC
2560
> > >
> > >
> > > I prefer an error that tells the client to ask for the
> certificate
> > > one at a time.
> > >
> > > Russ
> > >
> > >
> > > At 02:46 PM 11/13/2006, Price, Bill wrote:
> > >
> > > >I'd suggest focusing on understanding where responses to
> the keyed
> > and
> > > >keyless responders inherently differ. I am aware of two general
> > cases:
> > > >
> > > >1) The request asks for the status of multiple certificates that
> > have
> > > >not been included in a single presigned response. Russ's example
> > fits
> > > >into this case. The keyed responder handles, but the keyless
will
> > fail
> > > >for the general case. Some responders respond with the presigned
> > > >response that includes one of the certificates (usually
> the first)
> > in
> > > >the request. A common situation is to ask for the status of
> > > >certificates in a chain. Santosh points out some keyless
> responders
> > > >anticipate this and bundle responses accordingly.
> > > >
> > > >2) The request is "well-formed" but asks for the status of a
> > > >certificate for which the keyless responder has not prepared a
> > > >response. This situation will occur if:
> > > >
> > > > a) The request is for status of a certificate from
> a supported
> > CA
> > > >but with a serial number for which there is no
> pre-signed response.
> > > >Assuming presigned responses exist for all certificates
> that would
> > be
> > > >valid based on their validity intervals, this would occur if the
> > > >certificate had expired or was yet to be issued (I am aware the
> > > keyless
> > > >responders generally produce responses for certificates
> likely to
> > > >be issued before the next generation of presigned
> responses). The
> > > >keyed responder would give a signed "good" response. My
> > > >understanding is
> > > that
> > > >the keyless responder under the draft lightweight OCSP responds
> > > >with
> > > an
> > > >unsigned "unauthorized" error code.
> > > >
> > > > b) The request is for the status of a certificate from an
> > > >unsupported (or non-existent) CA. The keyed responder
> would respond
> > > >with a signed "unknown" response while under the draft,
> the keyless
> > > >would again respond with the unsigned "unauthorized" error
code.
> > > >
> > > >Some might argue with some grounds that these differences are
> > unusual,
> > > >unlikely, and insignificant.
> > > >
> > > >I personally consider the behavior in 2 of responding with the
> > > >"unauthorized" error to be misleading. "Internal error"
> sounds more
> > > >appropriate if I were constrained to the current error codes.
> > > >"Malformed request" might be OK. However, the actual
> situation does
> > > not
> > > >match well with any of these errors as they are
> described in 2560.
> > > >
> > > >If 2560 is supposed to encompass keyless responders, I'd
> recommend
> > > >identifying the unavoidable differences and/or adding 2 TBD
error
> > > codes
> > > >for the above cases (assuming they are the only differences).
The
> > > first
> > > >error can be worked around by breaking the request for status of
> > > >multiples into multiple requests for status of one cert.
> > > >
> > > >We've also seen some problems with client apps that can't handle
> > > >presigned responses that commonly contain the status of several
> > (e.g.,
> > > >15-25) certs. The apps inquired for the status of a
> single cert and
> > > >apparently expected a response for a single certificate. I'd
> > > >suggest that some "must" or "should" words address
> clients' ability
> > > >to
> > handle
> > > >the situation of a response covering multiple certificates.
> > > >
> > > >
> > > >
> > > >Bill Price
> > > >
> > > >-----Original Message-----
> > > >From: owner-ietf-pkix@mail.imc.org
> > > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > > >Sent: Monday, November 13, 2006 11:46 AM
> > > >To: Michael Myers; Dave Engberg
> > > >Cc: ietf-pkix@imc.org; Sam Hartman
> > > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile
> and RFC 2560
> > > >
> > > >
> > > >Mike:
> > > >
> > > >I think it is not that simple. I think you need to say that
> > > >support for one certificate MUST be supported, and that
> support for
> > > >more
> > than
> > > >one certificate is OPTIONAL. Then, the error is am
> indication that
> > > >the requestor has selected an unimplemented OPTION.
> > > >
> > > >Russ
> > > >
> > > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > > >Responders unable to produce or acquire a definitive response
> > > > >MUST
> > > >return <a
> > > > >TBD error>.
> > > > >
> > > > >As to your other points Santosh, that is something I prefer
the
> > > chairs
> > > > >consider.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > > >
> > > > > > Mike,
> > > > > >
> > > > > > What is the error case?
> > > > > >
> > > > > > . . .
> >
>
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEMR9iR057185; Tue, 14 Nov 2006 15:27:09 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEMR9b0057184; Tue, 14 Nov 2006 15:27:09 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAEMR80B057175 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 15:27:09 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 7728 invoked by uid 0); 14 Nov 2006 22:27:00 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 14 Nov 2006 22:27:00 -0000
Message-Id: <7.0.0.16.2.20061114152952.079f1ee8@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Tue, 14 Nov 2006 15:32:31 -0500
To: "Ogle Ron" <ron.ogle@thomson.net>, "Stephen Kent" <kent@bbn.com>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: PEM file format rfc draft request
Cc: <ietf-pkix@imc.org>, "Dieter Bratko" <Dieter.Bratko@iaik.tugraz.at>
In-Reply-To: <08AD20EDD5C44148842571F730597F8401295626@INDYSMAILMB03.am. thmulti.com>
References: <p06230904c17eb25c83ad@[128.89.89.106]> <08AD20EDD5C44148842571F730597F8401295626@INDYSMAILMB03.am.thmulti.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I think there is value in publishing the format of "PEM" files. I do
not think it needs to be done in the PKIX WG, or any WG for that
matter. I would be willing to shepherd an Informational RFC through
the approval process, which would include a 4-week IETF Last Call.
Russ
At 08:18 PM 11/13/2006, Ogle Ron wrote:
>I agree that the original PEM meaning is as you state. I have no idea
>as to how it got skewed with these new meanings for public/private keys
>and certificates. However, it does now exist.
>
>As for the relevance with PKIX, the "PEM" format also describes the base
>64 encoding with MIME headers for x509 certificates. Also, many S/MIME,
>SSL, IPsec, and other cryptographic standards that use x509 also
>recognize PEM formatted certificates/key pairs. This is how I
>discovered the problem in the first place.
>
>If not PKIX, then where?
>
>Thanks
>Ron Ogle
>
>-----Original Message-----
>From: Stephen Kent [mailto:kent@bbn.com]
>Sent: Monday, November 13, 2006 6:45 PM
>To: Ogle Ron
>Cc: ietf-pkix@imc.org; Dieter Bratko
>Subject: Re: PEM file format rfc draft request
>
>At 4:56 PM -0500 11/13/06, Ogle Ron wrote:
> >I would like to know if the PKIX working group would be interested in
> >shepherding a new rfc concerning PEM file formats? I've recently
> >discovered that there is no definitive standard for how a PEM's headers
> >and footers are defined for a private key. I've searched the RFCs, and
> >ISO standards without any luck.
>
>PEM formats were defined for e-mail messages, not files per se. I
>think RFC 1421 defines the last of the formats (we had a few
>iterations) for PEM.
>
> >The issue that I discovered was when I was working with PEM files for
> >PKCS1 and PKCS8 formatted private keys under OpenSSL and some Java
> >toolkits using an IAIK implementation. OpenSSL expects PKCS8 PEM files
> >to have "BEGIN PRIVATE KEY" as the header while IAIK uses "BEGIN RSA
> >PRIVATE KEY" for RSA keys and "BEGIN DSA PRIVATE KEY" for DSA keys.
>For
> >PKCS1, both expect "BEGIN RSA PRIVATE KEY".
>
>
>it looks like folks made this up! PEM describes how to transfer a
>symmetric key encrypted under a public (RSA) key in a message, in
>1421. It does not describe how to transfer a private key, because
>one would not do that via an e-mail message.
>
>The term "PEM file" with regard to PKCS #8 is a misnomer, relative to
>IETF standards. Since PKCS #8 defines a format for private keys, it
>is not relevant to PEM, period.
>
>Given that PKIX is a WG that focuses on X.509-based standards, it is
>not immediately clear that a document on how to use base-64 encoding
>and MIME-style headers to represent private keys is within our scope.
>
>Steve
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEMN0qV056715; Tue, 14 Nov 2006 15:23:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEMN0hc056714; Tue, 14 Nov 2006 15:23:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (carter-zimmerman.dyn.mit.edu [18.188.3.148]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEMMxVT056700 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 15:23:00 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 8CCD7E0035; Tue, 14 Nov 2006 17:22:51 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Stefan Santesson <stefans@microsoft.com>
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>, Russ Housley <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
References: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.microsoft.com> <F9F038204EE77C4AA9959A6B3C94AFE801098D06@IMCSRV2.MITRE.ORG> <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA90@EA-EXMSG-C307.europe.corp.microsoft.com>
Date: Tue, 14 Nov 2006 17:22:51 -0500
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA90@EA-EXMSG-C307.europe.corp.microsoft.com> (Stefan Santesson's message of "Tue, 14 Nov 2006 21:11:50 +0000")
Message-ID: <tsld57pis78.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> "Stefan" == Stefan Santesson <stefans@microsoft.com> writes:
Stefan> On issue number 1) it is my belief that the lightweight
Stefan> profile should be allowed to progress without updating RFC
Stefan> 2560. I have seen no requirements in RFC 2560 that
Stefan> requires a keyed responder, even if it is clear that a
Stefan> non-keyed responder can only respond to a subset of all
Stefan> valid requests. If the lightweight OCSP profile is allowed
Stefan> to progress, it MUST live within the current restrictions
Stefan> of OCSP with respect to error codes.
Speaking as an holding a discuss, I cannot agree to allow the
lightweight profile to progress without a standards-track
clarification to 2560.
Your reading of 2560 would not meet the interoperability requirements
that the IETF has established that in general, all clients of a
protocol be able to work with all servers of a protocol. In order to
meet that requirement RFC 2560 needs to be normatively changed in
order to require that clients be able to send a request including only
one certificate.
Unless I see new arguments I have not seen so far, my discuss stands.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAELBw6J046152; Tue, 14 Nov 2006 14:11:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAELBwtQ046151; Tue, 14 Nov 2006 14:11:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.191]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAELBv2v046135 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 14:11:57 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from dub-exhub-c302.europe.corp.microsoft.com (65.53.213.92) by DUB-EXGWY-E801.partners.extranet.microsoft.com (10.251.129.1) with Microsoft SMTP Server (TLS) id 8.0.685.0; Tue, 14 Nov 2006 21:11:51 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by dub-exhub-c302.europe.corp.microsoft.com ([65.53.213.92]) with mapi; Tue, 14 Nov 2006 21:11:51 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
CC: Sam Hartman <hartmans-ietf@mit.edu>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>, Russ Housley <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>
Date: Tue, 14 Nov 2006 21:11:50 +0000
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccHeE/KbPJryS8sSM+aS+rqrtdjmAACWpPwACS7HEAABsOsMA==
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA90@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.microsoft.com> <F9F038204EE77C4AA9959A6B3C94AFE801098D06@IMCSRV2.MITRE.ORG>
In-Reply-To: <F9F038204EE77C4AA9959A6B3C94AFE801098D06@IMCSRV2.MITRE.ORG>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAELBw2v046145
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Taking on the moderator hat I would like to structure this discussion before it takes off in too many directions.
1) The primary issue at hand is if the current Lightweight profile can progress to informational without first updating rfc2560.
2) Secondary is a growing discussion if RFC 2560 needs to be updated for other reasons than accommodating the lightweight profile.
On issue number 1) it is my belief that the lightweight profile should be allowed to progress without updating RFC 2560. I have seen no requirements in RFC 2560 that requires a keyed responder, even if it is clear that a non-keyed responder can only respond to a subset of all valid requests. If the lightweight OCSP profile is allowed to progress, it MUST live within the current restrictions of OCSP with respect to error codes.
On issue number 2) I welcome a debate on a separate thread.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEKmxwW043209; Tue, 14 Nov 2006 13:48:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEKmxBJ043208; Tue, 14 Nov 2006 13:48:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAEKmuLm043182 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 13:48:57 -0700 (MST) (envelope-from CWallace@cygnacom.com)
Received: (qmail 25094 invoked from network); 14 Nov 2006 20:37:27 -0000
Received: from CWallace@cygnacom.com by scygmxsecs1.cygnacom.com with EntrustECS-Server-7.4;14 Nov 2006 20:37:27 -0000
Received: from unknown (HELO scygmxs1.cygnacom.com) (10.60.50.7) by scygmxsecs1.cygnacom.com with SMTP; 14 Nov 2006 20:37:26 -0000
Received: by scygmxs1.cygnacom.com with Internet Mail Service (5.5.2657.72) id <RMH42PD0>; Tue, 14 Nov 2006 15:48:48 -0500
Message-ID: <886F5D4C78AFB14D87261206BFB9612E1BCCC6AA@scygmxs1.cygnacom.com>
From: Carl Wallace <CWallace@cygnacom.com>
To: Dave Engberg <dengberg@corestreet.com>, Stefan Santesson <stefans@microsoft.com>, Santosh Chokhani <chokhani@orionsec.com>, Russ Housley <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>, ietf-pkix@imc.org
Cc: Sam Hartman <hartmans-ietf@mit.edu>, Michael Myers <mmyers@fastq.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Tue, 14 Nov 2006 15:48:46 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_004B_01C70804.5E976520"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_004B_01C70804.5E976520
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
I've worked with a toolkit that can send multi-cert requests and have seen
problems in this area including responders that return a successful response
for one cert included in a request without addressing the others.
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org
> [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Dave Engberg
> Sent: Tuesday, November 14, 2006 12:45 PM
> To: Stefan Santesson; Santosh Chokhani; Russ Housley; Price,
> Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> CoreStreet's OCSP server doesn't include a SingleResponse for
> the issuing CA's cert in pre-signed responses. Mostly for
> the reasons mentioned:
>
> Adds 90-100 bytes onto every response
>
> Have never seen a relying party app/plug-in send a request like this
>
> The "delegated" trust model in RFC 2560 would require
> different signing certs for trusting entity vs. CA cert ...
> add another 1kB onto the response
>
> Protocol only sends CA name+key info, which isn't enough to
> identify which CA cert the relying party is inspecting in the
> case of CA cert renewal, cross-certification, etc.
>
>
> -----Original Message-----
> From: Stefan Santesson [mailto:stefans@microsoft.com]
> Sent: Tuesday, November 14, 2006 12:11 PM
> To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> Santosh,
>
> I didn't say it was hard. I say that I doubt that there are
> many implementations supporting this scenario even those with
> a responder key.
> It would be interesting to hear from implementers if I'm right.
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
> > -----Original Message-----
> > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > Sent: den 14 november 2006 03:59
> > To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> > Stefan,
> >
> > You are making more complex than it is. The Responder can
> include all
> > the CA certificates that issued the certificate in question and AIA
> > can do the rest.
> >
> > Furthermore, since most PKI are two tier hierarchy, in Enterprise
> > environment, the CA certificate certification path is not an issue.
> >
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org] On Behalf Of Stefan Santesson
> > Sent: Monday, November 13, 2006 6:54 PM
> > To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> > I'm not sure the case described is a realistic one.
> >
> > Section 2.2
> > All definitive response messages SHALL be digitally
> signed. The key
> > used to sign the response MUST belong to one of the following:
> >
> > -- the CA who issued the certificate in question
> > -- a Trusted Responder whose public key is trusted by
> the requester
> > -- a CA Designated Responder (Authorized Responder) who holds a
> > specially marked certificate issued directly by the CA,
> > indicating
> > that the responder may issue OCSP responses for that CA
> >
> > Since the request is on certificates issued by 2 different
> CA:s trust
> > option 1 is invalid.
> > Trust option 3 is valid in theory but in practice it
> requires that the
> > OCSP responder provide multiple validation paths in the
> response, one
> > for each issuing CA. Somehow I doubt that this is implemented by
> > anyone.
> >
> > Trust option 2 is not generic and is only valid as a result
> of a local
> > configuration.
> >
> > So I don't think this is a problem only for key-less responders.
> >
> >
> > Stefan Santesson
> > Senior Program Manager
> > Windows Security, Standards
> >
> >
> > > -----Original Message-----
> > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > > pkix@mail.imc.org] On Behalf Of Russ Housley
> > > Sent: den 13 november 2006 14:08
> > > To: Price, Bill; ietf-pkix@imc.org
> > > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > > I prefer an error that tells the client to ask for the
> certificate
> > > one at a time.
> > >
> > > Russ
> > >
> > >
> > > At 02:46 PM 11/13/2006, Price, Bill wrote:
> > >
> > > >I'd suggest focusing on understanding where responses to
> the keyed
> > and
> > > >keyless responders inherently differ. I am aware of two general
> > cases:
> > > >
> > > >1) The request asks for the status of multiple certificates that
> > have
> > > >not been included in a single presigned response. Russ's example
> > fits
> > > >into this case. The keyed responder handles, but the keyless will
> > fail
> > > >for the general case. Some responders respond with the presigned
> > > >response that includes one of the certificates (usually
> the first)
> > in
> > > >the request. A common situation is to ask for the status of
> > > >certificates in a chain. Santosh points out some keyless
> responders
> > > >anticipate this and bundle responses accordingly.
> > > >
> > > >2) The request is "well-formed" but asks for the status of a
> > > >certificate for which the keyless responder has not prepared a
> > > >response. This situation will occur if:
> > > >
> > > > a) The request is for status of a certificate from
> a supported
> > CA
> > > >but with a serial number for which there is no
> pre-signed response.
> > > >Assuming presigned responses exist for all certificates
> that would
> > be
> > > >valid based on their validity intervals, this would occur if the
> > > >certificate had expired or was yet to be issued (I am aware the
> > > keyless
> > > >responders generally produce responses for certificates
> likely to
> > > >be issued before the next generation of presigned
> responses). The
> > > >keyed responder would give a signed "good" response. My
> > > >understanding is
> > > that
> > > >the keyless responder under the draft lightweight OCSP responds
> > > >with
> > > an
> > > >unsigned "unauthorized" error code.
> > > >
> > > > b) The request is for the status of a certificate from an
> > > >unsupported (or non-existent) CA. The keyed responder
> would respond
> > > >with a signed "unknown" response while under the draft,
> the keyless
> > > >would again respond with the unsigned "unauthorized" error code.
> > > >
> > > >Some might argue with some grounds that these differences are
> > unusual,
> > > >unlikely, and insignificant.
> > > >
> > > >I personally consider the behavior in 2 of responding with the
> > > >"unauthorized" error to be misleading. "Internal error"
> sounds more
> > > >appropriate if I were constrained to the current error codes.
> > > >"Malformed request" might be OK. However, the actual
> situation does
> > > not
> > > >match well with any of these errors as they are
> described in 2560.
> > > >
> > > >If 2560 is supposed to encompass keyless responders, I'd
> recommend
> > > >identifying the unavoidable differences and/or adding 2 TBD error
> > > codes
> > > >for the above cases (assuming they are the only differences). The
> > > first
> > > >error can be worked around by breaking the request for status of
> > > >multiples into multiple requests for status of one cert.
> > > >
> > > >We've also seen some problems with client apps that can't handle
> > > >presigned responses that commonly contain the status of several
> > (e.g.,
> > > >15-25) certs. The apps inquired for the status of a
> single cert and
> > > >apparently expected a response for a single certificate. I'd
> > > >suggest that some "must" or "should" words address
> clients' ability
> > > >to
> > handle
> > > >the situation of a response covering multiple certificates.
> > > >
> > > >
> > > >
> > > >Bill Price
> > > >
> > > >-----Original Message-----
> > > >From: owner-ietf-pkix@mail.imc.org
> > > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > > >Sent: Monday, November 13, 2006 11:46 AM
> > > >To: Michael Myers; Dave Engberg
> > > >Cc: ietf-pkix@imc.org; Sam Hartman
> > > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile
> and RFC 2560
> > > >
> > > >
> > > >Mike:
> > > >
> > > >I think it is not that simple. I think you need to say that
> > > >support for one certificate MUST be supported, and that
> support for
> > > >more
> > than
> > > >one certificate is OPTIONAL. Then, the error is am
> indication that
> > > >the requestor has selected an unimplemented OPTION.
> > > >
> > > >Russ
> > > >
> > > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > > >Responders unable to produce or acquire a definitive response
> > > > >MUST
> > > >return <a
> > > > >TBD error>.
> > > > >
> > > > >As to your other points Santosh, that is something I prefer the
> > > chairs
> > > > >consider.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > > >
> > > > > > Mike,
> > > > > >
> > > > > > What is the error case?
> > > > > >
> > > > > > . . .
> >
>
>
------=_NextPart_000_004B_01C70804.5E976520
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIILpjCCA60w
ggKVoAMCAQICBECEF1YwDQYJKoZIhvcNAQEFBQAwIDELMAkGA1UEBhMCdXMxETAPBgNVBAoTCGN5
Z25hY29tMB4XDTA0MDQxOTE3NDYwMVoXDTI0MDQxOTE4MTYwMVowIDELMAkGA1UEBhMCdXMxETAP
BgNVBAoTCGN5Z25hY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuw8jjNSH/3qx
UShITC4+vYJG8TZsE2f4pbGUhcXe+v0PChxtWvVpOAVqXm/7y1hdBKKMjdg98Xo/jmVtFPGlKXhV
v9FYyK1zxydN1YgEjRzmuSd9RNNm9YL2rgg2Q/TtT3hDwDiT4rj62ukIKYTlZHNLm1t7uYa8K/44
F5jJvo6zPkWtRqrKBFJfBblKFaPteEXU5JIKX8cbwIF3HJx9+P15S0wRngCKb0+1/d9pIuwS4Frg
1R98hG+jRXiS8klB6TncucWH2w1OqYouzUGSncb+o+EVx4PHwsE7kKxIMAsQC6zbHsAS0CAOb6hw
JW7P+dtaR/9Gi8NdKsgkFlQjbQIDAQABo4HuMIHrMEIGA1UdHwQ7MDkwN6A1oDOkMTAvMQswCQYD
VQQGEwJ1czERMA8GA1UEChMIY3lnbmFjb20xDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMjAw
NDA0MTkxNzQ2MDFagQ8yMDI0MDQxOTE4MTYwMVowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFHqT
o3DI3p2/kOS+O6DeN/DUalp5MB0GA1UdDgQWBBR6k6NwyN6dv5Dkvjug3jfw1GpaeTAMBgNVHRME
BTADAQH/MB0GCSqGSIb2fQdBAAQQMA4bCFY3LjA6NC4wAwIEkDANBgkqhkiG9w0BAQUFAAOCAQEA
aHtrFA6rDnATj2GxfNuRLFVrsWBLSCYUdMs6YbssKI2f/Fh/o382eAnvvcpI76koLijn4Cbj482A
tkWgw6hOhgESamFWaY951O0nUrk43KG5Nv4KQjXiNArFwf1ATEtB6KTeiaffh2vVbUWodZ+uwnTh
X6ZlPmVooWFcB9NH+9GteR7zIJA/Eq0p0CHiCozIhOp1QGJ2cXTtHQk4Cq+sYh8du6ry0xRB3b5Z
Jw/iewtxAoge2e/vh0f46mgrSdmCuPzjVLvyLg63ktN9hJe8Iiy4JiKqplnsMGizW2lxKwl/Ys0L
alsltxYuLF1jytrzGJEit+5acGcjhdhijL0IojCCA98wggLHoAMCAQICBECEWOUwDQYJKoZIhvcN
AQEFBQAwIDELMAkGA1UEBhMCdXMxETAPBgNVBAoTCGN5Z25hY29tMB4XDTA2MDkyNzExNDcxN1oX
DTA5MDkyNzEyMTcxN1owRzELMAkGA1UEBhMCdXMxETAPBgNVBAoTCGN5Z25hY29tMSUwDgYDVQQF
EwcyRUNSVzAyMBMGA1UEAxMMQ2FybCBXYWxsYWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAwVtX5z3+WT31t1J6qYHb6CsFBl6NLFq+cnJjpuxMAiFfMoifHSreDtDfJMUJcUMqOG1o
0JdBUI4nakhAo8nPNMkzatmF0cxyryagaWWnILjPJKz5LCzM/LNQnMhUFGoRPDMnkaJp82pAW/Me
cjUSS1w2MMFnjxjZ9t8DHvQ3FEY2nU5yKolnLrbmx07qVCT2KNEyetQKTR5iCsA7YiYPTFIsXHPr
TiqUsbIETHIWJqh8hRZt3Mf1jg4ayrGKmcOvpjphit7HCOPxtM/u9tajt705LzcAk/6YN3yXtc/c
88Sw48YtKrba1m5IwBq6MNBp0K9tSq7j0Mpm0bIkyL8bMwIDAQABo4H5MIH2MCAGA1UdEQQZMBeB
FWN3YWxsYWNlQGN5Z25hY29tLmNvbTAbBgNVHQkEFDASMBAGCSqGSIb2fQdEHTEDAgEKMEIGA1Ud
HwQ7MDkwN6A1oDOkMTAvMQswCQYDVQQGEwJ1czERMA8GA1UEChMIY3lnbmFjb20xDTALBgNVBAMT
BENSTDEwCwYDVR0PBAQDAgUgMB8GA1UdIwQYMBaAFHqTo3DI3p2/kOS+O6DeN/DUalp5MB0GA1Ud
DgQWBBSTgaWOBxA4oFp5yDWk+ZSoowxj0zAJBgNVHRMEAjAAMBkGCSqGSIb2fQdBAAQMMAobBFY3
LjADAgSQMA0GCSqGSIb3DQEBBQUAA4IBAQCAPGGb5f6vwUpGtEaX0UbWzcCn0g5l72s82rsQjiBF
rXYpRO62c2rcnqrSp6EVa2Qk62h+DXmxnLzF+zjJ6roRnAW9LW28UYxPi9cpLGxmRkRe+d62K7QU
LM7G5vU64jfW641ykblwQaf/dVzcTpXg7mU7n7qO46YWAAVaTyq3gdKYZxtXInZEWvnxzH3dJjcD
7Q1KSrH/ztsbwgW/rFq29iorSjVZNG4ROB7QAG85GVy5GkDSLEjOnEU+3dVgqjEjxODyCP+owkzO
k2JKsyqaewHPnbNs4NV7OGCJx+BJsLK2Ef0MBYdt7Ebe1efxNIK8IyeuFBJPjJRLQItdBiVnMIIE
DjCCAvagAwIBAgIEQIRY+zANBgkqhkiG9w0BAQUFADAgMQswCQYDVQQGEwJ1czERMA8GA1UEChMI
Y3lnbmFjb20wHhcNMDYwOTI4MTY0NjMxWhcNMDkwOTI4MTcxNjMxWjBHMQswCQYDVQQGEwJ1czER
MA8GA1UEChMIY3lnbmFjb20xJTAOBgNVBAUTBzJFQ1JXMDIwEwYDVQQDEwxDYXJsIFdhbGxhY2Uw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTeGLLD5qbBCFsqR9R+3UTCxdJKetGhH7z
UVgI2cfdzArj3uXkR7r2bpVS80GRVKaC/0t8EYaxW4Ls8ZfdwWutaFfzbbIB2E+TAzF+ldT01Vdv
gy3Rws+BhZWudk5blrakYfKeUffzWiYHrJGHtOTOnyucHdE6gahikPDQ8lsDEbtxt+hzymOXZKVY
VAk2u5eBj/uxtAk/PMbIUcQLqvMf01AiZs6kNvHuhaWheAxGa4+cHM5nFUpSZpC49r4BuoBA2Rw2
ES2a+OqhMIKlsdE9MM7G9YQf4jREcf4cfnT+cMd57lc8TijkKJOMoXyMtLRK+UByDtQ1FbCNHAz4
hnRxAgMBAAGjggEnMIIBIzALBgNVHQ8EBAMCB4AwKwYDVR0QBCQwIoAPMjAwNjA5MjgxNjQ2MzFa
gQ8yMDA4MTEwMzIxMTYzMVowIAYDVR0RBBkwF4EVY3dhbGxhY2VAY3lnbmFjb20uY29tMBsGA1Ud
CQQUMBIwEAYJKoZIhvZ9B0QdMQMCAQowQgYDVR0fBDswOTA3oDWgM6QxMC8xCzAJBgNVBAYTAnVz
MREwDwYDVQQKEwhjeWduYWNvbTENMAsGA1UEAxMEQ1JMMTAfBgNVHSMEGDAWgBR6k6NwyN6dv5Dk
vjug3jfw1GpaeTAdBgNVHQ4EFgQU/GqeRUaoI5dNtUm3CGFNyYv1k64wCQYDVR0TBAIwADAZBgkq
hkiG9n0HQQAEDDAKGwRWNy4wAwIEsDANBgkqhkiG9w0BAQUFAAOCAQEAOOP2IoptDkJugTF+3euz
rC8N5aO392HDa3y2cf7XL9uVGJ9YT2DUMmaxZBS9hpKa9yxeU+Vcoho6p/7QhLtDhHR4LlXg1CXd
EuMTlEdL2aA0CYJjAbCQsPACCm7+MFvfdTKwrD6NEx+3eInppPTgXm3HuZEamKPQN69tZ3wr7TMe
qBBWRUrS2GfnfpGGRneI7yhA+HJ0PDOEMA31C877efxHOqnRsojU4f9+F7EPw8y6Ipovf0GFJ0ZV
a4gMaouSzNwmOHhsZfgzM8lpmUN8CkYXTdHEwDedKjzJ3mltindxDYml6tFl0A4kAv/rD68dGgbz
kPNQAkbrT9dijO2yNTGCAo0wggKJAgEBMCgwIDELMAkGA1UEBhMCdXMxETAPBgNVBAoTCGN5Z25h
Y29tAgRAhFj7MAkGBSsOAwIaBQCgggE6MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI
hvcNAQkFMQ8XDTA2MTExNDIwNDg0NlowIwYJKoZIhvcNAQkEMRYEFMtOGIBbiVPovtRiVGhNbtph
nbTOMDcGCSsGAQQBgjcQBDEqMCgwIDELMAkGA1UEBhMCdXMxETAPBgNVBAoTCGN5Z25hY29tAgRA
hFjlMDkGCyqGSIb3DQEJEAILMSqgKDAgMQswCQYDVQQGEwJ1czERMA8GA1UEChMIY3lnbmFjb20C
BECEWOUwZwYJKoZIhvcNAQkPMVowWDAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZI
hvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwBwYFKw4DAhowCgYIKoZIhvcNAgUwDQYJ
KoZIhvcNAQEBBQAEggEAN+VVUDAUemRqMbtt45adMYvGOeA/IcbPsEUXdrCj8PmAOw5XgNFZtG+/
7KkB3In+iz0M2mfXnaIamuVWOuK0/DACLNQesyCyPdCfsUZ+PHeInsKIQdfQbpQxdvrRPX3POpAj
fy4i/BGl0/nitp6gF+3ifJpTTHxIWizpJ71R5CCdkfet7ZLafgb+Wq6yhDVu0ZOBQcoRyAhFqypG
Ob8zgI0DRQgCb1gnPxoG8dDM31qOw6x5jMyGO1+OzXtALEvdSdiaIys6JIXxlogB20FkiS2TPB+o
TcJ9o4ztM/PutSmX+EdH8fQS5KnxJM+5TwLZSW7dD1O/OqshwVsemwaQAAAAAAAAAA==
------=_NextPart_000_004B_01C70804.5E976520--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEJhTNK034483; Tue, 14 Nov 2006 12:43:29 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEJhTXd034482; Tue, 14 Nov 2006 12:43:29 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEJhRwm034458 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 12:43:28 -0700 (MST) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id kAEJh5hF022462; Tue, 14 Nov 2006 14:43:16 -0500
Received: from [129.6.54.72] (st26.ncsl.nist.gov [129.6.54.72]) by postmark.nist.gov (8.13.7/8.13.7) with ESMTP id kAEJgBQM008107; Tue, 14 Nov 2006 14:42:11 -0500 (EST)
Message-ID: <455A1C3A.3010002@nist.gov>
Date: Tue, 14 Nov 2006 14:42:50 -0500
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Thunderbird 1.5.0.7 (X11/20060921)
MIME-Version: 1.0
To: Ogle Ron <ron.ogle@thomson.net>
CC: pkix <ietf-pkix@imc.org>
Subject: Re: PEM file format rfc draft request
References: <08AD20EDD5C44148842571F730597F8401295725@INDYSMAILMB03.am.thmulti.com>
In-Reply-To: <08AD20EDD5C44148842571F730597F8401295725@INDYSMAILMB03.am.thmulti.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Ogle Ron wrote:
> Now with people using the AIA extension and extending the CDP extension
> to include URIs, I see more and more use of the PEM formatted CRLs and
> certificates.
Why is there need to base64 encode everything? It made sense in PEM due
to the limitations of email, but what is the benefit of base64 encoding
in other situations?
As for the scenarios mentioned above, 3280bis specifically states that
the data pointed to by an HTTP or FTP URI must in the AIA, SIA, or CDP
extension must be BER or DER encoded (DER for certificates and CRLs; BER
or DER for "certs-only" CMS messages). Is there a reason that people
are pointing to PEM formatted certificates and CRLs rather than just the
certificates and CRLs without the base64 encoding?
Dave
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEJ5vS5029258; Tue, 14 Nov 2006 12:05:57 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEJ5vRH029257; Tue, 14 Nov 2006 12:05:57 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEJ5uXw029181 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 12:05:57 -0700 (MST) (envelope-from chokhani@orionsec.com)
Content-class: urn:content-classes:message
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Tue, 14 Nov 2006 11:07:51 -0800
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_008A_01C707F6.457D0940"
Message-ID: <82D5657AE1F54347A734BDD33637C879056F82AC@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccHeE/KbPJryS8sSM+aS+rqrtdjmAABDwUQABnd37AACuUgEAAASIkwAAOsjPA=
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: "Dave Engberg" <dengberg@corestreet.com>, "Stefan Santesson" <stefans@microsoft.com>, "Russ Housley" <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>, <ietf-pkix@imc.org>
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>, "Michael Myers" <mmyers@fastq.com>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_008A_01C707F6.457D0940
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In hurry, I did not clearly articulate my thoughts. What I am saying also
relates to another comment to Mike Myers regarding the security of the
delegated model which is incompletely addressed by 2560.
I will be verbose this time.
The implementations such as Corestreet and Tumbleweed tend to adhere to the
approach that the same key that signed the certificate in question, sign the
OCSP Responder certificate.
Thus, if you have a hierarchy like Root --> CA --> Subscriber and you want
the status of CA certificate and the Subscriber certificate, you get them as
responses and with them you only need the two OCSP Responder certificates
one signed by the Root (for verifying CA certificate revocation status) and
one signed by the CA (for verifying the subscriber certificate revocation
status).
You do not need any paths.
Please note that the approach also works when the Responder is queried by a
CA cross certified by the root, since rest of the path has been built by the
client.
-----Original Message-----
From: Dave Engberg [mailto:dengberg@corestreet.com]
Sent: Tuesday, November 14, 2006 12:45 PM
To: Stefan Santesson; Santosh Chokhani; Russ Housley; Price, Bill;
ietf-pkix@imc.org
Cc: Sam Hartman; Michael Myers
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
CoreStreet's OCSP server doesn't include a SingleResponse for the issuing
CA's cert in pre-signed responses. Mostly for the reasons mentioned:
Adds 90-100 bytes onto every response
Have never seen a relying party app/plug-in send a request like this
The "delegated" trust model in RFC 2560 would require different signing
certs for trusting entity vs. CA cert ... add another 1kB onto the response
Protocol only sends CA name+key info, which isn't enough to identify which
CA cert the relying party is inspecting in the case of CA cert renewal,
cross-certification, etc.
-----Original Message-----
From: Stefan Santesson [mailto:stefans@microsoft.com]
Sent: Tuesday, November 14, 2006 12:11 PM
To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
Cc: Sam Hartman; Michael Myers; Dave Engberg
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Santosh,
I didn't say it was hard. I say that I doubt that there are many
implementations supporting this scenario even those with a responder key.
It would be interesting to hear from implementers if I'm right.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> Sent: den 14 november 2006 03:59
> To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> Stefan,
>
> You are making more complex than it is. The Responder can include all
> the CA certificates that issued the certificate in question and AIA can
> do the rest.
>
> Furthermore, since most PKI are two tier hierarchy, in Enterprise
> environment, the CA certificate certification path is not an issue.
>
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org]
> On Behalf Of Stefan Santesson
> Sent: Monday, November 13, 2006 6:54 PM
> To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> I'm not sure the case described is a realistic one.
>
> Section 2.2
> All definitive response messages SHALL be digitally signed. The key
> used to sign the response MUST belong to one of the following:
>
> -- the CA who issued the certificate in question
> -- a Trusted Responder whose public key is trusted by the requester
> -- a CA Designated Responder (Authorized Responder) who holds a
> specially marked certificate issued directly by the CA,
> indicating
> that the responder may issue OCSP responses for that CA
>
> Since the request is on certificates issued by 2 different CA:s trust
> option 1 is invalid.
> Trust option 3 is valid in theory but in practice it requires that the
> OCSP responder provide multiple validation paths in the response, one
> for each issuing CA. Somehow I doubt that this is implemented by
> anyone.
>
> Trust option 2 is not generic and is only valid as a result of a local
> configuration.
>
> So I don't think this is a problem only for key-less responders.
>
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
>
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org] On Behalf Of Russ Housley
> > Sent: den 13 november 2006 14:08
> > To: Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> > I prefer an error that tells the client to ask for the certificate
> > one at a time.
> >
> > Russ
> >
> >
> > At 02:46 PM 11/13/2006, Price, Bill wrote:
> >
> > >I'd suggest focusing on understanding where responses to the keyed
> and
> > >keyless responders inherently differ. I am aware of two general
> cases:
> > >
> > >1) The request asks for the status of multiple certificates that
> have
> > >not been included in a single presigned response. Russ's example
> fits
> > >into this case. The keyed responder handles, but the keyless will
> fail
> > >for the general case. Some responders respond with the presigned
> > >response that includes one of the certificates (usually the first)
> in
> > >the request. A common situation is to ask for the status of
> > >certificates in a chain. Santosh points out some keyless responders
> > >anticipate this and bundle responses accordingly.
> > >
> > >2) The request is "well-formed" but asks for the status of a
> > >certificate for which the keyless responder has not prepared a
> > >response. This situation will occur if:
> > >
> > > a) The request is for status of a certificate from a supported
> CA
> > >but with a serial number for which there is no pre-signed response.
> > >Assuming presigned responses exist for all certificates that would
> be
> > >valid based on their validity intervals, this would occur if the
> > >certificate had expired or was yet to be issued (I am aware the
> > keyless
> > >responders generally produce responses for certificates likely to be
> > >issued before the next generation of presigned responses). The keyed
> > >responder would give a signed "good" response. My understanding is
> > that
> > >the keyless responder under the draft lightweight OCSP responds with
> > an
> > >unsigned "unauthorized" error code.
> > >
> > > b) The request is for the status of a certificate from an
> > >unsupported (or non-existent) CA. The keyed responder would respond
> > >with a signed "unknown" response while under the draft, the keyless
> > >would again respond with the unsigned "unauthorized" error code.
> > >
> > >Some might argue with some grounds that these differences are
> unusual,
> > >unlikely, and insignificant.
> > >
> > >I personally consider the behavior in 2 of responding with the
> > >"unauthorized" error to be misleading. "Internal error" sounds more
> > >appropriate if I were constrained to the current error codes.
> > >"Malformed request" might be OK. However, the actual situation does
> > not
> > >match well with any of these errors as they are described in 2560.
> > >
> > >If 2560 is supposed to encompass keyless responders, I'd recommend
> > >identifying the unavoidable differences and/or adding 2 TBD error
> > codes
> > >for the above cases (assuming they are the only differences). The
> > first
> > >error can be worked around by breaking the request for status of
> > >multiples into multiple requests for status of one cert.
> > >
> > >We've also seen some problems with client apps that can't handle
> > >presigned responses that commonly contain the status of several
> (e.g.,
> > >15-25) certs. The apps inquired for the status of a single cert and
> > >apparently expected a response for a single certificate. I'd suggest
> > >that some "must" or "should" words address clients' ability to
> handle
> > >the situation of a response covering multiple certificates.
> > >
> > >
> > >
> > >Bill Price
> > >
> > >-----Original Message-----
> > >From: owner-ietf-pkix@mail.imc.org
> > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > >Sent: Monday, November 13, 2006 11:46 AM
> > >To: Michael Myers; Dave Engberg
> > >Cc: ietf-pkix@imc.org; Sam Hartman
> > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > >Mike:
> > >
> > >I think it is not that simple. I think you need to say that support
> > >for one certificate MUST be supported, and that support for more
> than
> > >one certificate is OPTIONAL. Then, the error is am indication that
> > >the requestor has selected an unimplemented OPTION.
> > >
> > >Russ
> > >
> > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > >Responders unable to produce or acquire a definitive response MUST
> > >return <a
> > > >TBD error>.
> > > >
> > > >As to your other points Santosh, that is something I prefer the
> > chairs
> > > >consider.
> > > >
> > > > > -----Original Message-----
> > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > >
> > > > > Mike,
> > > > >
> > > > > What is the error case?
> > > > >
> > > > > . . .
>
------=_NextPart_000_008A_01C707F6.457D0940
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOODCCBEQw
ggMsoAMCAQICBEClFlYwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCVVMxITAfBgNVBAoTGE9y
aW9uIFNlY3VyaXR5IFNvbHV0aW9uczEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGll
czEMMAoGA1UECxMDQ0ExMB4XDTA0MDYyMjE1MDY0NVoXDTA3MDYyMjE1MzY0NVowXzELMAkGA1UE
BhMCVVMxITAfBgNVBAoTGE9yaW9uIFNlY3VyaXR5IFNvbHV0aW9uczESMBAGA1UECxMJRW1wbG95
ZWVzMRkwFwYDVQQDExBTYW50b3NoIENob2toYW5pMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQCtExu25dsN38n+WyugNc1a9y0A/kbFHPHuTZ76rzrRcX+bbTh5XwSQDUaZbknZmFjRbPswVXA8
a0pNRFn0Oy0TJaHXkX+AGH71RPf/4I1S8CjuxjPvhTMC6zWyZnWwE9TBNDjzba4jic1hdvg47JLb
xM320g7P5VqWWDhKEOtXrQIDAQABo4IBhzCCAYMwCwYDVR0PBAQDAgUgMCAGA1UdEQQZMBeBFWNo
b2toYW5pQG9yaW9uc2VjLmNvbTCB6wYDVR0fBIHjMIHgMHmgd6B1pHMwcTELMAkGA1UEBhMCVVMx
ITAfBgNVBAoTGE9yaW9uIFNlY3VyaXR5IFNvbHV0aW9uczEiMCAGA1UECxMZQ2VydGlmaWNhdGlv
biBBdXRob3JpdGllczEMMAoGA1UECxMDQ0ExMQ0wCwYDVQQDEwRDUkwxMDKgMKAuhixodHRwOi8v
d3d3Lm9yaW9uc2VjLmNvbS9DUkwvY2ExX2NybGZpbGU0LmNybDAvoC2gK4YpZmlsZTovL1xcU2Jl
dGVsZ2V1c2VcQ1JMXGNhMV9jcmxmaWxlNC5jcmwwHwYDVR0jBBgwFoAUyLI83rqa64kJoNY0MpsZ
QobMmNIwHQYDVR0OBBYEFAmbKwqwClYqMfveZYM0xD79HkWNMAkGA1UdEwQCMAAwGQYJKoZIhvZ9
B0EABAwwChsEVjcuMAMCBLAwDQYJKoZIhvcNAQEFBQADggEBAEQMBLlUVl1R3Xndf+qw6hTAJ0kR
AwgU3DEu5/S5k1aEh2mPqnsbsi9Ubq45APRcFLhL8HKPzpcOmsC4wawuSvKf2Cy9fq+9+csEbK8A
yDnCVBXHLHP0l6pdDloVbg0MWygzkyJsJ8PFZP9daiAMRzUcSFzOTr1tPqQ+HHQVSFxL+Mmz8oVu
9Uk6qaHNQDSpDKGNggo5uboa6FcrOoTM2CfBvdLpWusojaJqDiff1P+N5mWF6ss/FQHavO1l8m3z
rT9tP4TUA2jcJ+/Z1+mVQjxI4gCN4TT851QYLaJ4MoQhonZU9onWuP8LjKi8JLfVnh0Rh4zEM+uW
IbNgt0wgwgUwggRxMIIDWaADAgECAgRApUDYMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhPcmlvbiBTZWN1cml0eSBTb2x1dGlvbnMxIjAgBgNVBAsTGUNlcnRpZmljYXRp
b24gQXV0aG9yaXRpZXMxDDAKBgNVBAsTA0NBMTAeFw0wNjA0MjExNzMyMTdaFw0wOTA0MjExODAy
MTdaMF8xCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhPcmlvbiBTZWN1cml0eSBTb2x1dGlvbnMxEjAQ
BgNVBAsTCUVtcGxveWVlczEZMBcGA1UEAxMQU2FudG9zaCBDaG9raGFuaTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAlBpJGFItTtfBM6q+0Wz5CdGz/Q6ZrhSyg1ZL7XSOAkRblNY1VgFqneP7
cS+YOTlQ8t50mgzlAFpIqvYRkPk/+EVnnRwEo/2RWhst9AJ6JlLRVl5NT5yljPmtgouCnm2lVn9t
+zVHjvdLZAjqCNYNGUrEPzWSmGHOT2nWcpI9N88CAwEAAaOCAbQwggGwMAsGA1UdDwQEAwIHgDAr
BgNVHRAEJDAigA8yMDA2MDQyMTE3MzIxN1qBDzIwMDgwNTI3MjIwMjE3WjAgBgNVHREEGTAXgRVj
aG9raGFuaUBvcmlvbnNlYy5jb20wgesGA1UdHwSB4zCB4DB5oHegdaRzMHExCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhPcmlvbiBTZWN1cml0eSBTb2x1dGlvbnMxIjAgBgNVBAsTGUNlcnRpZmljYXRp
b24gQXV0aG9yaXRpZXMxDDAKBgNVBAsTA0NBMTENMAsGA1UEAxMEQ1JMMTAyoDCgLoYsaHR0cDov
L3d3dy5vcmlvbnNlYy5jb20vQ1JML2NhMV9jcmxmaWxlNC5jcmwwL6AtoCuGKWZpbGU6Ly9cXFNi
ZXRlbGdldXNlXENSTFxjYTFfY3JsZmlsZTQuY3JsMB8GA1UdIwQYMBaAFMiyPN66muuJCaDWNDKb
GUKGzJjSMB0GA1UdDgQWBBTKG4Pa4RMRhdt4u4khxZ05Soe+EDAJBgNVHRMEAjAAMBkGCSqGSIb2
fQdBAAQMMAobBFY3LjADAgSwMA0GCSqGSIb3DQEBBQUAA4IBAQCPnzbjrTdqUDXCG+DjvEeFAeC7
mSd8wDYtEuZLNQiLCrD5a2+wl3NNvhnIbHNSUgckB/neMhFJUcDtZloX6iPdlxzTc1ijbhTkIn2p
BJvNxRsENN7vpiEU+rw0CLroxOphnEY5lLYzPhIsUioVJbbUl1IZ08BCLU/zBhRQkT1gMMzUOAvu
z96/RYTOYDGilZirOQ+PHl+1jNW8JAUdSqwS2/UaiWrnBlZEn5hFKa97Xmn012io5HNlvWlh11+X
fnH6zplx+1B1i7SFBZijC5GZa4DSQQhFWYyuLoLGJ9suF4+vMkq2rqkIw5U5QPHbrXq4qNj6mO22
/Ck0x4Z0m6t6MIIFdzCCBF+gAwIBAgIEQKUTUTANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJV
UzEhMB8GA1UEChMYT3Jpb24gU2VjdXJpdHkgU29sdXRpb25zMSIwIAYDVQQLExlDZXJ0aWZpY2F0
aW9uIEF1dGhvcml0aWVzMQwwCgYDVQQLEwNDQTEwHhcNMDQwNTE0MTkwMzEyWhcNMjQwNTE0MTkz
MzEyWjBiMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYT3Jpb24gU2VjdXJpdHkgU29sdXRpb25zMSIw
IAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMQwwCgYDVQQLEwNDQTEwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgmMvicMxt6fbcKfUpOjgN8cO181kY5bAFbZcj12Of9W5d
c7aGPqdfivgbWU3C0KkNifsunzR0dEV2mfsaeqt80wciwoNpFjGknR+CLiAT0t0zCeawQTxY42Pv
I9VG4jperjed87wtNl6Edo343BR2CH+tcNAuu7UBrFhtol+2SkYbDIwOY/C1+BXdO81/yDnSYJNw
CuKkNWba3MLi8g500JhAl+xGhCCC0vBvL2c3LHAcoceHs6URk+pUk8afVLWrMXEqNFwsfDM/i8oP
ofydjmd1WTfgItnmOrn2RymhVMMwvJKXk9ODrMG5L7VLSeeAEBb0U6pQ5MFEzLGoeSaDAgMBAAGj
ggIzMIICLzCCAYQGA1UdHwSCAXswggF3MHmgd6B1pHMwcTELMAkGA1UEBhMCVVMxITAfBgNVBAoT
GE9yaW9uIFNlY3VyaXR5IFNvbHV0aW9uczEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp
dGllczEMMAoGA1UECxMDQ0ExMQ0wCwYDVQQDEwRDUkwxMDKgMKAuhixodHRwOi8vd3d3Lm9yaW9u
c2VjLmNvbS9DUkwvY2ExX2NybGZpbGU0LmNybDCBlKCBkaCBjoaBi2xkYXA6Ly9TQkVURUxHRVVT
RS9jbj1XaW5Db21iaW5lZDQsb3U9Q0ExLG91PUNlcnRpZmljYXRpb24lMjBBdXRob3JpdGllcyxv
PU9yaW9uJTIwU2VjdXJpdHklMjBTb2x1dGlvbnMsYz1VUz9jZXJ0aWZpY2F0ZVJldm9jYXRpb25M
aXN0P0Jhc2UwL6AtoCuGKWZpbGU6Ly9cXFNiZXRlbGdldXNlXENSTFxjYTFfY3JsZmlsZTQuY3Js
MCsGA1UdEAQkMCKADzIwMDQwNTE0MTkwMzEyWoEPMjAyNDA1MTQxOTMzMTJaMAsGA1UdDwQEAwIB
BjAfBgNVHSMEGDAWgBTIsjzeuprriQmg1jQymxlChsyY0jAdBgNVHQ4EFgQUyLI83rqa64kJoNY0
MpsZQobMmNIwDAYDVR0TBAUwAwEB/zAdBgkqhkiG9n0HQQAEEDAOGwhWNy4wOjQuMAMCBJAwDQYJ
KoZIhvcNAQEFBQADggEBAD0tK6tpqLDds75N2y8K6mlPh1u53f6XDot6RTML25UXMptWlVSiFR7M
0njPPsVtNXfTMU0FSuMzy3ChIlD6lsB0lGGu9r3PO0mn7NHWEOIXjFR9D9WFxbkdDwC524wB0M7I
NtzapAV5TBFh+iecmlZkg2ILJRq8VcqhMqgboqRoN+sGIou05fLqbT1CvV1DvAacvyL6IQMZUWIK
OUnUl4/S8M+D6g7BZhOtpbr2Z7kR9deGG+CEBti2TCgR/FLyEDFF8WqH7wtMh/2cvy6D0iZx9CpV
mFEGwLxbb5hPMut7GeAdSl51cm5qz9dVJbX4I6o63+BT2VY8P4YP7n0VgkgxggLSMIICzgIBATBq
MGIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhPcmlvbiBTZWN1cml0eSBTb2x1dGlvbnMxIjAgBgNV
BAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxDDAKBgNVBAsTA0NBMQIEQKVA2DAJBgUrDgMC
GgUAoIIBvjAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNjExMTQx
OTA3NTFaMCMGCSqGSIb3DQEJBDEWBBTPQkWMKGJlD8L5pdlvR1lq3QHRFzBnBgkqhkiG9w0BCQ8x
WjBYMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzAN
BggqhkiG9w0DAgIBKDAHBgUrDgMCGjAKBggqhkiG9w0CBTB5BgkrBgEEAYI3EAQxbDBqMGIxCzAJ
BgNVBAYTAlVTMSEwHwYDVQQKExhPcmlvbiBTZWN1cml0eSBTb2x1dGlvbnMxIjAgBgNVBAsTGUNl
cnRpZmljYXRpb24gQXV0aG9yaXRpZXMxDDAKBgNVBAsTA0NBMQIEQKUWVjB7BgsqhkiG9w0BCRAC
CzFsoGowYjELMAkGA1UEBhMCVVMxITAfBgNVBAoTGE9yaW9uIFNlY3VyaXR5IFNvbHV0aW9uczEi
MCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczEMMAoGA1UECxMDQ0ExAgRApRZWMA0G
CSqGSIb3DQEBAQUABIGAb5/DQS431RRKQZjqOZu6k1IG5/1U3nb6QMhSCrn8SmA5hpboPKVNwjMx
AZbhF2A/iuYo2LvfcsNRVZ6XBInJNRDIRATyfAFRWvEDPVvZQlqQml4gchH3tzb9gAymEuo/y1+e
18dgwiNOv3g7XXfQIAgOU699g3ZunewzFNsYs3kAAAAAAAA=
------=_NextPart_000_008A_01C707F6.457D0940--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEIuBgK027934; Tue, 14 Nov 2006 11:56:11 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEIuBHS027933; Tue, 14 Nov 2006 11:56:11 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-mclean.mitre.org (smtpproxy2.mitre.org [192.80.55.71]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEIu9P3027925 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 11:56:10 -0700 (MST) (envelope-from wprice@mitre.org)
Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-mclean.mitre.org (8.12.11.20060308/8.12.11) with SMTP id kAEIu92t004896 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 13:56:09 -0500
Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-mclean.mitre.org (Postfix) with ESMTP id 07DBE1BD9A for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 13:56:09 -0500 (EST)
Received: from IMCFE1.MITRE.ORG (imcfe1.mitre.org [129.83.29.3]) by smtp-mclean.mitre.org (8.12.11.20060308/8.12.11) with ESMTP id kAEIu8ga004880; Tue, 14 Nov 2006 13:56:08 -0500
Received: from IMCSRV2.MITRE.ORG ([129.83.20.164]) by IMCFE1.MITRE.ORG with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Nov 2006 13:56:07 -0500
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Tue, 14 Nov 2006 13:56:07 -0500
Message-ID: <F9F038204EE77C4AA9959A6B3C94AFE801098D06@IMCSRV2.MITRE.ORG>
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-index: AccHeE/KbPJryS8sSM+aS+rqrtdjmAACWpPwACS7HEA=
From: "Price, Bill" <wprice@mitre.org>
To: "Stefan Santesson" <stefans@microsoft.com>
Cc: <ietf-pkix@imc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>, "Michael Myers" <mmyers@fastq.com>, "Dave Engberg" <dengberg@corestreet.com>, "Russ Housley" <housley@vigilsec.com>
X-OriginalArrivalTime: 14 Nov 2006 18:56:07.0909 (UTC) FILETIME=[8B197150:01C7081E]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAEIuAP3027927
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Fine perhaps from the viewpoint of a standards lawyer but I wouldn't
want to defend fine to client developers, integrators, support staff,
and users. I don't know that they would think it is "fine" that:
1) a "successful" answer only has a partial answer when the responder
actually knew the status of all of the certs in a "multiple" request.
(See note below).
2) an "unauthorized error" has nothing to do with access controls and
authorizations at the responder. The error resulted because the
responder was not internally capable of producing a "successful" answer
to a "well-formed" request. Another (e.g., keyed) responder could
produce a successful response. The real problem was that the request
was probably ill-conceived because it involved non-existent or unknown
CA or an expired or unissued cert.
Although the situations for the "unauthorized error" are the result of
requests that should not normally occur, I have some first hand
experience that they can occur because of bugs in software or
misconfigurations. A fair amount of time was wasted with help-desk and
support people investigating why access to the server was
"unauthorized" before encountering someone who knew that the
"unauthorized error" was the response given when the keyless responder
didn't have an appropriate presigned response.
Note: 1) above assumes that the response contains status for some but
not all certs in a multiple request. This is the way some keyless
responders behave. Your response and the standard seem to indicate that
an error should result since the response does not contain "responses
for each of the certificates in a request". An error might be more
appropriate than a "successful" partial answer.
Bottom line: From a client developer, integrator, support staff, and
user viewpoint, 2560 compliant behavior due to differences between
keyed and keyless responders may be unclear and misleading in some "out
of the mainstream" cases. However, these cases may occur in the real
world because client developers, integrators, support staff, and users
may not know and/or may not be able to control (e.g., because of load
balancing) the type of responder that receives their requests. Addition
of a few words and error codes might change the situation for the
better.
-----Original Message-----
From: Stefan Santesson [mailto:stefans@microsoft.com]
Sent: Monday, November 13, 2006 7:30 PM
To: Russ Housley; Price, Bill; ietf-pkix@imc.org
Cc: Sam Hartman; Michael Myers; Dave Engberg
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
I've been taking a close look at this and I've come to the conclusion
that we are fine. That is, I can't find any support for that provision
of pre-produced responses handed out by a key-less responder is
violating RFC 2560 in any way.
RFC 2560 does not require the responder to return a successful response
for all possible legitimate requests. It only require the responder to
support the basic response format when it chooses to return a response.
As I read RFC 2560, it may fail responding to a request for any reason
as long as it returns a legitimate error.
There is no place where RFC 2560 requires the render to successfully
handle a composite request. It only specifies how it should be done.
On the contrary, support for pre-produced responses is explicitly
supported in 2.5. And as such it is obvious that such responder can't
respond to all possible requests.
Of the error codes listed, I find that "unauthorized" is the most
appropriate one for unsupported requests as it indicates that "the
client is not authorized to make this query to this server". The
description may not be 100% perfect but it is sufficiently good and the
response is definitive and avoids repetition.
The response "internalError" would be misleading as it "indicates that
the OCSP responder reached an inconsistent internal state. The query
should be retried, potentially with another responder", which may cause
the requester to keep retrying the request.
My conclusion is that no update to RFC 2560 is needed to progress the
informational profile for lightweight OCSP.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Russ Housley
> Sent: den 13 november 2006 14:08
> To: Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> I prefer an error that tells the client to ask for the certificate
> one at a time.
>
> Russ
>
>
> At 02:46 PM 11/13/2006, Price, Bill wrote:
>
> >I'd suggest focusing on understanding where responses to the keyed
and
> >keyless responders inherently differ. I am aware of two general
cases:
> >
> >1) The request asks for the status of multiple certificates that
have
> >not been included in a single presigned response. Russ's example
fits
> >into this case. The keyed responder handles, but the keyless will
fail
> >for the general case. Some responders respond with the presigned
> >response that includes one of the certificates (usually the first)
in
> >the request. A common situation is to ask for the status of
> >certificates in a chain. Santosh points out some keyless responders
> >anticipate this and bundle responses accordingly.
> >
> >2) The request is "well-formed" but asks for the status of a
> >certificate for which the keyless responder has not prepared a
> >response. This situation will occur if:
> >
> > a) The request is for status of a certificate from a supported
CA
> >but with a serial number for which there is no pre-signed response.
> >Assuming presigned responses exist for all certificates that would
be
> >valid based on their validity intervals, this would occur if the
> >certificate had expired or was yet to be issued (I am aware the
> keyless
> >responders generally produce responses for certificates likely to be
> >issued before the next generation of presigned responses). The keyed
> >responder would give a signed "good" response. My understanding is
> that
> >the keyless responder under the draft lightweight OCSP responds with
> an
> >unsigned "unauthorized" error code.
> >
> > b) The request is for the status of a certificate from an
> >unsupported (or non-existent) CA. The keyed responder would respond
> >with a signed "unknown" response while under the draft, the keyless
> >would again respond with the unsigned "unauthorized" error code.
> >
> >Some might argue with some grounds that these differences are
unusual,
> >unlikely, and insignificant.
> >
> >I personally consider the behavior in 2 of responding with the
> >"unauthorized" error to be misleading. "Internal error" sounds more
> >appropriate if I were constrained to the current error codes.
> >"Malformed request" might be OK. However, the actual situation does
> not
> >match well with any of these errors as they are described in 2560.
> >
> >If 2560 is supposed to encompass keyless responders, I'd recommend
> >identifying the unavoidable differences and/or adding 2 TBD error
> codes
> >for the above cases (assuming they are the only differences). The
> first
> >error can be worked around by breaking the request for status of
> >multiples into multiple requests for status of one cert.
> >
> >We've also seen some problems with client apps that can't handle
> >presigned responses that commonly contain the status of several
(e.g.,
> >15-25) certs. The apps inquired for the status of a single cert and
> >apparently expected a response for a single certificate. I'd suggest
> >that some "must" or "should" words address clients' ability to
handle
> >the situation of a response covering multiple certificates.
> >
> >
> >
> >Bill Price
> >
> >-----Original Message-----
> >From: owner-ietf-pkix@mail.imc.org
> >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> >Sent: Monday, November 13, 2006 11:46 AM
> >To: Michael Myers; Dave Engberg
> >Cc: ietf-pkix@imc.org; Sam Hartman
> >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> >Mike:
> >
> >I think it is not that simple. I think you need to say that support
> >for one certificate MUST be supported, and that support for more
than
> >one certificate is OPTIONAL. Then, the error is am indication that
> >the requestor has selected an unimplemented OPTION.
> >
> >Russ
> >
> >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > >Responders unable to produce or acquire a definitive response MUST
> >return <a
> > >TBD error>.
> > >
> > >As to your other points Santosh, that is something I prefer the
> chairs
> > >consider.
> > >
> > > > -----Original Message-----
> > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > >
> > > > Mike,
> > > >
> > > > What is the error case?
> > > >
> > > > . . .
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEILJxn023003; Tue, 14 Nov 2006 11:21:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEILJ38023002; Tue, 14 Nov 2006 11:21:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx12.bbn.com (mx12.bbn.com [128.33.0.81]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEILHbS022986 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 11:21:18 -0700 (MST) (envelope-from kent@bbn.com)
Received: from dhcp89-089-106.bbn.com ([128.89.89.106]) by mx12.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1Gk2uF-0000OJ-5S; Tue, 14 Nov 2006 13:21:11 -0500
Mime-Version: 1.0
Message-Id: <p06230909c17f899afb7d@[128.89.89.106]>
In-Reply-To: <08AD20EDD5C44148842571F730597F8401295626@INDYSMAILMB03.am.thmulti.com>
References: <08AD20EDD5C44148842571F730597F8401295626@INDYSMAILMB03.am.thmulti.com>
Date: Tue, 14 Nov 2006 13:21:11 -0500
To: "Ogle Ron" <ron.ogle@thomson.net>
From: Stephen Kent <kent@bbn.com>
Subject: RE: PEM file format rfc draft request
Cc: <ietf-pkix@imc.org>, "Dieter Bratko" <Dieter.Bratko@iaik.tugraz.at>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
At 8:18 PM -0500 11/13/06, Ogle Ron wrote:
>I agree that the original PEM meaning is as you state. I have no idea
>as to how it got skewed with these new meanings for public/private keys
>and certificates. However, it does now exist.
No debate about its existence, just whether it is an appropriate
topic for this WG.
>As for the relevance with PKIX, the "PEM" format also describes the base
>64 encoding with MIME headers for x509 certificates. Also, many S/MIME,
>SSL, IPsec, and other cryptographic standards that use x509 also
>recognize PEM formatted certificates/key pairs. This is how I
>discovered the problem in the first place.
The base64 encoding we developed for PEM, while I chaired the PSRG,
has been adopted in a wide range of contexts, in large part because
it became a standard MIME encoding. Most of the examples you cite
above are instances where a WG developing a security protocol
standard has chosen to define multiple encodings for transmission of
public keys and/or certs, etc. I don't think these WGs generally
have defined private key encodings, because private keys are not
transferred over the net and thus are not critical for
interoperability. The WG in which this might have been relevant was
SACRED, but I believe they choose to deal with private key transfer
using XML (with base64 as the underlying mechanism) encoding.
>If not PKIX, then where?
An individual draft can be submitted on the topic.
Steve
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEIBcK3021701; Tue, 14 Nov 2006 11:11:38 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEIBco2021700; Tue, 14 Nov 2006 11:11:38 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from dmzraw5.extranet.tce.com (dmzraw5.extranet.tce.com [157.254.234.142]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEIBaJC021684 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 11:11:37 -0700 (MST) (envelope-from ron.ogle@thomson.net)
Received: from indyvss2.am.thmulti.com (unknown [157.254.92.61]) by dmzraw5.extranet.tce.com (Postfix) with ESMTP id 5AACA12FD; Tue, 14 Nov 2006 18:11:25 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1]) by indyvss2.am.thmulti.com (Postfix) with ESMTP id E2613109E; Tue, 14 Nov 2006 18:11:25 +0000 (GMT)
Received: from indyvss2.am.thmulti.com ([127.0.0.1]) by localhost (indyvss2.am.thmulti.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 11842-01-75; Tue, 14 Nov 2006 18:11:24 +0000 (GMT)
Received: from indysmailcs01.am.thmulti.com (indysmailcs01.am.thmulti.com [157.254.96.5]) by indyvss2.am.thmulti.com (Postfix) with ESMTP id 6974110DB; Tue, 14 Nov 2006 18:11:24 +0000 (GMT)
Received: from INDYSMAILMB03.am.thmulti.com ([157.254.96.81]) by indysmailcs01.am.thmulti.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 14 Nov 2006 13:11:24 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: PEM file format rfc draft request
Date: Tue, 14 Nov 2006 13:11:23 -0500
Message-ID: <08AD20EDD5C44148842571F730597F8401295725@INDYSMAILMB03.am.thmulti.com>
In-reply-to: <E1Gk162-0007Cr-00@medusa01.cs.auckland.ac.nz>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: PEM file format rfc draft request
thread-index: AccIDVmWnvFvgpL9REmLm4Tk9pzgRAAB9Xxw
From: "Ogle Ron" <ron.ogle@thomson.net>
To: "pgut001" <pgut001@cs.auckland.ac.nz>, <ietf-pkix@imc.org>
Cc: <Dieter.Bratko@iaik.tugraz.at>
X-OriginalArrivalTime: 14 Nov 2006 18:11:24.0290 (UTC) FILETIME=[4B89AE20:01C70818]
X-Virus-Scanned: amavisd-new at thomson.net
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAEIBbJC021695
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Well, it did surprise me why there wasn't a standard since there were so
many implementations. I think one of the reasons why there hasn't been
much call for it in the past is that one stayed within a single
PKI/crypto system implementation. This issue came up for me because I'm
trying to interoperate between crypto systems (OpenSSL and Entrust). In
this case Entrust uses the IAIK implementation.
Now with people using the AIA extension and extending the CDP extension
to include URIs, I see more and more use of the PEM formatted CRLs and
certificates. I also see people building PKI applications out of
toolkits (like myself) who are expecting the keys and certificates to be
in the same format regardless of which crypto system created them.
Granted maybe the best advice a RFC can give is to use the proper regex,
but shouldn't it exist? Isn't PKIX about interoperability? I guess
that I could make the RFC informational, but I thought that it should be
given a bit more due care by interested parties.
Would the PKIX group still be interested in reviewing the informational
RFC?
Ron Ogle
-----Original Message-----
From: pgut001 [mailto:pgut001@cs.auckland.ac.nz]
Sent: Tuesday, November 14, 2006 11:25 AM
To: ietf-pkix@imc.org; Ogle Ron
Cc: Dieter.Bratko@iaik.tugraz.at
Subject: Re: PEM file format rfc draft request
"Ogle Ron" <ron.ogle@thomson.net> writes:
>The issue that I discovered was when I was working with PEM files for
PKCS1
>and PKCS8 formatted private keys under OpenSSL and some Java toolkits
using
>an IAIK implementation. OpenSSL expects PKCS8 PEM files to have "BEGIN
>PRIVATE KEY" as the header while IAIK uses "BEGIN RSA PRIVATE KEY" for
RSA
>keys and "BEGIN DSA PRIVATE KEY" for DSA keys. For PKCS1, both expect
"BEGIN
>RSA PRIVATE KEY".
Uhh, given that it's probably about 10-15 years too late to try and fix
this,
is it worth even doing this? Most implementations get around it by
reading
the lowest common denominator of all the formats they know of (for
example my
code looks for '----' + 'BEGIN' + 'PRIVATE', which seems to handle all
possibilities). Even if you could decide on one particular
interpretation I
can't imagine anyone's going to change code that's been in the field for
10+
years. I think the best you could do is create an kind of FYI RFC that
documents all of the possible formats (I started this in my X.509 style
guide
some years ago), or maybe document a regexp that'll recognise all
possible
formats.
Peter.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEHjwZx017305; Tue, 14 Nov 2006 10:45:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEHjwSW017304; Tue, 14 Nov 2006 10:45:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from csexchange1.corestreet.com (host200.58.41.216.conversent.net [216.41.58.200]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEHjuNZ017272 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 10:45:57 -0700 (MST) (envelope-from dengberg@corestreet.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Tue, 14 Nov 2006 12:44:51 -0500
Content-Type: multipart/signed; micalg=SHA1; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_00C9_01C707EA.AD878530"
Message-ID: <E2339D02A340A546998AD2E6251332D603EA08BA@csexchange1.corestreet.com>
In-Reply-To: <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA0A@EA-EXMSG-C307.europe.corp.microsoft.com>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccHeE/KbPJryS8sSM+aS+rqrtdjmAABDwUQABnd37AACuUgEAAASIkw
From: "Dave Engberg" <dengberg@corestreet.com>
To: "Stefan Santesson" <stefans@microsoft.com>, "Santosh Chokhani" <chokhani@orionsec.com>, "Russ Housley" <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>, <ietf-pkix@imc.org>
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>, "Michael Myers" <mmyers@fastq.com>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_00C9_01C707EA.AD878530
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
CoreStreet's OCSP server doesn't include a SingleResponse for the issuing
CA's cert in pre-signed responses. Mostly for the reasons mentioned:
Adds 90-100 bytes onto every response
Have never seen a relying party app/plug-in send a request like this
The "delegated" trust model in RFC 2560 would require different signing
certs for trusting entity vs. CA cert ... add another 1kB onto the response
Protocol only sends CA name+key info, which isn't enough to identify which
CA cert the relying party is inspecting in the case of CA cert renewal,
cross-certification, etc.
-----Original Message-----
From: Stefan Santesson [mailto:stefans@microsoft.com]
Sent: Tuesday, November 14, 2006 12:11 PM
To: Santosh Chokhani; Russ Housley; Price, Bill; ietf-pkix@imc.org
Cc: Sam Hartman; Michael Myers; Dave Engberg
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Santosh,
I didn't say it was hard. I say that I doubt that there are many
implementations supporting this scenario even those with a responder key.
It would be interesting to hear from implementers if I'm right.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> Sent: den 14 november 2006 03:59
> To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> Stefan,
>
> You are making more complex than it is. The Responder can include all
> the CA certificates that issued the certificate in question and AIA can
> do the rest.
>
> Furthermore, since most PKI are two tier hierarchy, in Enterprise
> environment, the CA certificate certification path is not an issue.
>
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org]
> On Behalf Of Stefan Santesson
> Sent: Monday, November 13, 2006 6:54 PM
> To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> I'm not sure the case described is a realistic one.
>
> Section 2.2
> All definitive response messages SHALL be digitally signed. The key
> used to sign the response MUST belong to one of the following:
>
> -- the CA who issued the certificate in question
> -- a Trusted Responder whose public key is trusted by the requester
> -- a CA Designated Responder (Authorized Responder) who holds a
> specially marked certificate issued directly by the CA,
> indicating
> that the responder may issue OCSP responses for that CA
>
> Since the request is on certificates issued by 2 different CA:s trust
> option 1 is invalid.
> Trust option 3 is valid in theory but in practice it requires that the
> OCSP responder provide multiple validation paths in the response, one
> for each issuing CA. Somehow I doubt that this is implemented by
> anyone.
>
> Trust option 2 is not generic and is only valid as a result of a local
> configuration.
>
> So I don't think this is a problem only for key-less responders.
>
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
>
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org] On Behalf Of Russ Housley
> > Sent: den 13 november 2006 14:08
> > To: Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> > I prefer an error that tells the client to ask for the certificate
> > one at a time.
> >
> > Russ
> >
> >
> > At 02:46 PM 11/13/2006, Price, Bill wrote:
> >
> > >I'd suggest focusing on understanding where responses to the keyed
> and
> > >keyless responders inherently differ. I am aware of two general
> cases:
> > >
> > >1) The request asks for the status of multiple certificates that
> have
> > >not been included in a single presigned response. Russ's example
> fits
> > >into this case. The keyed responder handles, but the keyless will
> fail
> > >for the general case. Some responders respond with the presigned
> > >response that includes one of the certificates (usually the first)
> in
> > >the request. A common situation is to ask for the status of
> > >certificates in a chain. Santosh points out some keyless responders
> > >anticipate this and bundle responses accordingly.
> > >
> > >2) The request is "well-formed" but asks for the status of a
> > >certificate for which the keyless responder has not prepared a
> > >response. This situation will occur if:
> > >
> > > a) The request is for status of a certificate from a supported
> CA
> > >but with a serial number for which there is no pre-signed response.
> > >Assuming presigned responses exist for all certificates that would
> be
> > >valid based on their validity intervals, this would occur if the
> > >certificate had expired or was yet to be issued (I am aware the
> > keyless
> > >responders generally produce responses for certificates likely to be
> > >issued before the next generation of presigned responses). The keyed
> > >responder would give a signed "good" response. My understanding is
> > that
> > >the keyless responder under the draft lightweight OCSP responds with
> > an
> > >unsigned "unauthorized" error code.
> > >
> > > b) The request is for the status of a certificate from an
> > >unsupported (or non-existent) CA. The keyed responder would respond
> > >with a signed "unknown" response while under the draft, the keyless
> > >would again respond with the unsigned "unauthorized" error code.
> > >
> > >Some might argue with some grounds that these differences are
> unusual,
> > >unlikely, and insignificant.
> > >
> > >I personally consider the behavior in 2 of responding with the
> > >"unauthorized" error to be misleading. "Internal error" sounds more
> > >appropriate if I were constrained to the current error codes.
> > >"Malformed request" might be OK. However, the actual situation does
> > not
> > >match well with any of these errors as they are described in 2560.
> > >
> > >If 2560 is supposed to encompass keyless responders, I'd recommend
> > >identifying the unavoidable differences and/or adding 2 TBD error
> > codes
> > >for the above cases (assuming they are the only differences). The
> > first
> > >error can be worked around by breaking the request for status of
> > >multiples into multiple requests for status of one cert.
> > >
> > >We've also seen some problems with client apps that can't handle
> > >presigned responses that commonly contain the status of several
> (e.g.,
> > >15-25) certs. The apps inquired for the status of a single cert and
> > >apparently expected a response for a single certificate. I'd suggest
> > >that some "must" or "should" words address clients' ability to
> handle
> > >the situation of a response covering multiple certificates.
> > >
> > >
> > >
> > >Bill Price
> > >
> > >-----Original Message-----
> > >From: owner-ietf-pkix@mail.imc.org
> > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > >Sent: Monday, November 13, 2006 11:46 AM
> > >To: Michael Myers; Dave Engberg
> > >Cc: ietf-pkix@imc.org; Sam Hartman
> > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > >Mike:
> > >
> > >I think it is not that simple. I think you need to say that support
> > >for one certificate MUST be supported, and that support for more
> than
> > >one certificate is OPTIONAL. Then, the error is am indication that
> > >the requestor has selected an unimplemented OPTION.
> > >
> > >Russ
> > >
> > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > >Responders unable to produce or acquire a definitive response MUST
> > >return <a
> > > >TBD error>.
> > > >
> > > >As to your other points Santosh, that is something I prefer the
> > chairs
> > > >consider.
> > > >
> > > > > -----Original Message-----
> > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > >
> > > > > Mike,
> > > > >
> > > > > What is the error case?
> > > > >
> > > > > . . .
>
------=_NextPart_000_00C9_01C707EA.AD878530
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII1zCCAoIw
ggHroAMCAQICAQQwDQYJKoZIhvcNAQEEBQAwUzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlm
YXggU2VjdXJlIEluYy4xJjAkBgNVBAMTHUVxdWlmYXggU2VjdXJlIGVCdXNpbmVzcyBDQS0xMB4X
DTk5MDYyMTA0MDAwMFoXDTIwMDYyMTA0MDAwMFowUzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Vx
dWlmYXggU2VjdXJlIEluYy4xJjAkBgNVBAMTHUVxdWlmYXggU2VjdXJlIGVCdXNpbmVzcyBDQS0x
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOLxm8F7d33pOpX1oNF080GgyY9CLZWdTEaEbw
tDXFhQMgxq9FpSFRRUHrFlg2Mm/iUGJk+f1RnKok2fSdgyqHCiHTEjg0bI0Ablqg2ULuGiGV+VJM
VVrFDzhPRvpt+C411h186+LwsHWAyKkTrL6I7zpuq18qOGICsBJ7/o+mAwIDAQABo2YwZDARBglg
hkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRKeDJSEdtZFjZe38EU
NkBqR3xMoTAdBgNVHQ4EFgQUSngyUhHbWRY2Xt/BFDZAakd8TKEwDQYJKoZIhvcNAQEEBQADgYEA
dVuomwMR5ulWTM35qUzADZrzzGVp5iV2zFm31lTDHc2ZrBndtIXV4D38YiCnhEtYZfHi+ZUhP/XU
flgeR4dUPlihtbX4Ku9x57zD9rFJRuLXoGvlVnqaJ5h8RmIU58n8bgMSeYA4HUiCjfwX/iqWK7Vi
pqY9vX+SWc1aKoKyN3kwggK8MIICJaADAgECAgIA2DANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQG
EwJVUzEcMBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEmMCQGA1UEAxMdRXF1aWZheCBTZWN1
cmUgZUJ1c2luZXNzIENBLTEwHhcNMDQwNjAyMTk1NzQyWhcNMjAwNjIxMDQwMDAwWjBSMQswCQYD
VQQGEwJVUzEYMBYGA1UEChMPQ29yZVN0cmVldCBMdGQuMSkwJwYDVQQDEyBDb3JlU3RyZWV0IENl
cnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr0HhHsWZ2xkS
6BbojMXvdGPoRJLcAs2nUBSZ6XnJvnHxBwVvRUkqrCSBwKBurhjqGqe3oOxh6tC6wUuGhwLdhyWT
BSYO469PJUx02lyiohqUZ8u0yshCL35/lA+MkZubcmFxHsLlTPCkS/+A7PZwzIjKrLAUT0VmwNTL
TYEg1F8CAwEAAaOBnzCBnDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNjsf5MYxWYDwxBsPAT2
d4U+/wu2MB8GA1UdIwQYMBaAFEp4MlIR21kWNl7fwRQ2QGpHfEyhMA8GA1UdEwEB/wQFMAMBAf8w
OQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9lYml6Y2ExLmNy
bDANBgkqhkiG9w0BAQUFAAOBgQDCHD9PBDwPPDktSLC/jRpe9Crdpj8Cj7GB1od44j1D+5IJji+w
rhuJ3tlR3p5MlzXGUEj8eFBtZymYBiWdLvIVqwMz2nYWBeFWXou6T+n4akcF708jM3MhFXP82ove
f/xJzw9IzlVmI9DjDrkL2wXXw/IR5XTP2iQYPcbxento6zCCA40wggL2oAMCAQICAgCfMA0GCSqG
SIb3DQEBBQUAMFIxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Db3JlU3RyZWV0IEx0ZC4xKTAnBgNV
BAMTIENvcmVTdHJlZXQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTA2MDYyNjEzMjUwNVoXDTA3
MDgxMjEzMjUwNVowZzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NvcmVTdHJlZXQgTHRkLjEWMBQG
A1UEAxMNRGF2aWQgRW5nYmVyZzEmMCQGCSqGSIb3DQEJARYXZGVuZ2JlcmdAY29yZXN0cmVldC5j
b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9g2Z9TBa7wYqlyhCoriYfugKX5mwz
j1wVuDKEZ7ZsgoC0zT2Pm43BMkWwOL8GDXYMqbAt/1YelpCYMv8stgRDLj6N3DDyCNk4ihZONITf
o7F+RxnaH782KvJ5YwrIXDKMXWb6oqThFVDM05QKgC994W6Zp555F7NFEvPA/4rqK/1Ba0k2p8A3
yZazUimG3tt7x0tz6K7Z043ezRSUBB8VwgNSr4tQyElyuACrU3IA90yYZRm1maDe6jWylqDOXU/P
A22IC/Ma1sJ42k17Nhl3i/37SLOsHSLcyJk7bKgJPSgSqI+OBzYaDX6YGdoV6O/wih9f9YrovAH8
zF2pOXcHAgMBAAGjgdgwgdUwDgYDVR0PAQH/BAQDAgXgMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6
Ly9jcmwuZ2VvdHJ1c3QuY29tL2NybHMvY29yZXN0cmVldC5jcmwwIgYDVR0RBBswGYEXZGVuZ2Jl
cmdAY29yZXN0cmVldC5jb20wHwYDVR0jBBgwFoAU2Ox/kxjFZgPDEGw8BPZ3hT7/C7YwQAYIKwYB
BQUHAQEENDAyMDAGCCsGAQUFBzABhiRodHRwOi8vZ2VvdHJ1c3Qtb2NzcC5jb3Jlc3RyZWV0LmNv
bS8wDQYJKoZIhvcNAQEFBQADgYEAqMfvLi9brJBbTKdWcwUJAWPHgex9/KhvW8nherc7imLZdFXH
jp0NTTtgDK+aO/EJV/97JIyStyhfIH5vrZpb+ToFXz4O0Yb78KTHFdHjzlWei/Guo+kuUXouP8ZC
Tqkr0mFlqeRGFbq7w2SJhwhXEcO1K5Y8g0jf+kXr1ejYw9ExggMdMIIDGQIBATBYMFIxCzAJBgNV
BAYTAlVTMRgwFgYDVQQKEw9Db3JlU3RyZWV0IEx0ZC4xKTAnBgNVBAMTIENvcmVTdHJlZXQgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5AgIAnzAJBgUrDgMCGgUAoIIBmjAYBgkqhkiG9w0BCQMxCwYJKoZI
hvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNjExMTQxNzQ0NTFaMCMGCSqGSIb3DQEJBDEWBBTcFj3b
IX/miUA8UTtapuLxUfjASTBnBgkqhkiG9w0BCQ8xWjBYMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMC
AgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDAHBgUrDgMCGjAKBggq
hkiG9w0CBTBnBgkrBgEEAYI3EAQxWjBYMFIxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Db3JlU3Ry
ZWV0IEx0ZC4xKTAnBgNVBAMTIENvcmVTdHJlZXQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgIAnzBp
BgsqhkiG9w0BCRACCzFaoFgwUjELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NvcmVTdHJlZXQgTHRk
LjEpMCcGA1UEAxMgQ29yZVN0cmVldCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCAgCfMA0GCSqGSIb3
DQEBAQUABIIBABjwegxaHpDbWrnaqVSK19HiBFs73eh97TpVD82FYbdYmPP5qBXMHDfXKUtPG/Gr
3mQ1AfyfhON0vFHLnZQ4I0LNg2mxPCDP5izREf8BliANn9ax2yhhFGxhmmcmlj2fPweobJZSS+XG
2rvUN/XawTCNphuXqIe4YHuzzxcTrlz98gxSYuQzwXBGQNpuQvQeXfHYyAN2ZT2uhEIq6k3P8GVZ
KJ3NU2fNGQHCuNOLDi7fNoiASgJChR0ySp0h0SPXYNme/ErrXJDhZkqPHVbvSlxOfX4CvDqMoStA
r/X8BEkkpLmwalpa02NrvPVnaEjpVwJPVipCbJ3W/q/Ao9rbBsAAAAAAAAA=
------=_NextPart_000_00C9_01C707EA.AD878530--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEHBKq9010451; Tue, 14 Nov 2006 10:11:20 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEHBKwv010450; Tue, 14 Nov 2006 10:11:20 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.181]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEHBIYK010431 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 10:11:19 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from DUB-EXHUB-C303.europe.corp.microsoft.com (65.53.213.93) by DUB-EXGWY-E802.partners.extranet.microsoft.com (10.251.129.2) with Microsoft SMTP Server (TLS) id 8.0.685.0; Tue, 14 Nov 2006 17:11:12 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by DUB-EXHUB-C303.europe.corp.microsoft.com ([65.53.213.93]) with mapi; Tue, 14 Nov 2006 17:11:11 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Santosh Chokhani <chokhani@orionsec.com>, Russ Housley <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>
CC: Sam Hartman <hartmans-ietf@mit.edu>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>
Date: Tue, 14 Nov 2006 17:11:07 +0000
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccHeE/KbPJryS8sSM+aS+rqrtdjmAABDwUQABnd37AACuUgEA==
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF010BCAA0A@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <82D5657AE1F54347A734BDD33637C879056F7CEC@EXVS01.ex.dslextreme.net>
In-Reply-To: <82D5657AE1F54347A734BDD33637C879056F7CEC@EXVS01.ex.dslextreme.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAEHBJYK010445
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Santosh,
I didn't say it was hard. I say that I doubt that there are many implementations supporting this scenario even those with a responder key.
It would be interesting to hear from implementers if I'm right.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> Sent: den 14 november 2006 03:59
> To: Stefan Santesson; Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
> Stefan,
>
> You are making more complex than it is. The Responder can include all
> the CA certificates that issued the certificate in question and AIA can
> do the rest.
>
> Furthermore, since most PKI are two tier hierarchy, in Enterprise
> environment, the CA certificate certification path is not an issue.
>
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org]
> On Behalf Of Stefan Santesson
> Sent: Monday, November 13, 2006 6:54 PM
> To: Russ Housley; Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> I'm not sure the case described is a realistic one.
>
> Section 2.2
> All definitive response messages SHALL be digitally signed. The key
> used to sign the response MUST belong to one of the following:
>
> -- the CA who issued the certificate in question
> -- a Trusted Responder whose public key is trusted by the requester
> -- a CA Designated Responder (Authorized Responder) who holds a
> specially marked certificate issued directly by the CA,
> indicating
> that the responder may issue OCSP responses for that CA
>
> Since the request is on certificates issued by 2 different CA:s trust
> option 1 is invalid.
> Trust option 3 is valid in theory but in practice it requires that the
> OCSP responder provide multiple validation paths in the response, one
> for each issuing CA. Somehow I doubt that this is implemented by
> anyone.
>
> Trust option 2 is not generic and is only valid as a result of a local
> configuration.
>
> So I don't think this is a problem only for key-less responders.
>
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
>
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org] On Behalf Of Russ Housley
> > Sent: den 13 november 2006 14:08
> > To: Price, Bill; ietf-pkix@imc.org
> > Cc: Sam Hartman; Michael Myers; Dave Engberg
> > Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> > I prefer an error that tells the client to ask for the certificate
> > one at a time.
> >
> > Russ
> >
> >
> > At 02:46 PM 11/13/2006, Price, Bill wrote:
> >
> > >I'd suggest focusing on understanding where responses to the keyed
> and
> > >keyless responders inherently differ. I am aware of two general
> cases:
> > >
> > >1) The request asks for the status of multiple certificates that
> have
> > >not been included in a single presigned response. Russ's example
> fits
> > >into this case. The keyed responder handles, but the keyless will
> fail
> > >for the general case. Some responders respond with the presigned
> > >response that includes one of the certificates (usually the first)
> in
> > >the request. A common situation is to ask for the status of
> > >certificates in a chain. Santosh points out some keyless responders
> > >anticipate this and bundle responses accordingly.
> > >
> > >2) The request is "well-formed" but asks for the status of a
> > >certificate for which the keyless responder has not prepared a
> > >response. This situation will occur if:
> > >
> > > a) The request is for status of a certificate from a supported
> CA
> > >but with a serial number for which there is no pre-signed response.
> > >Assuming presigned responses exist for all certificates that would
> be
> > >valid based on their validity intervals, this would occur if the
> > >certificate had expired or was yet to be issued (I am aware the
> > keyless
> > >responders generally produce responses for certificates likely to be
> > >issued before the next generation of presigned responses). The keyed
> > >responder would give a signed "good" response. My understanding is
> > that
> > >the keyless responder under the draft lightweight OCSP responds with
> > an
> > >unsigned "unauthorized" error code.
> > >
> > > b) The request is for the status of a certificate from an
> > >unsupported (or non-existent) CA. The keyed responder would respond
> > >with a signed "unknown" response while under the draft, the keyless
> > >would again respond with the unsigned "unauthorized" error code.
> > >
> > >Some might argue with some grounds that these differences are
> unusual,
> > >unlikely, and insignificant.
> > >
> > >I personally consider the behavior in 2 of responding with the
> > >"unauthorized" error to be misleading. "Internal error" sounds more
> > >appropriate if I were constrained to the current error codes.
> > >"Malformed request" might be OK. However, the actual situation does
> > not
> > >match well with any of these errors as they are described in 2560.
> > >
> > >If 2560 is supposed to encompass keyless responders, I'd recommend
> > >identifying the unavoidable differences and/or adding 2 TBD error
> > codes
> > >for the above cases (assuming they are the only differences). The
> > first
> > >error can be worked around by breaking the request for status of
> > >multiples into multiple requests for status of one cert.
> > >
> > >We've also seen some problems with client apps that can't handle
> > >presigned responses that commonly contain the status of several
> (e.g.,
> > >15-25) certs. The apps inquired for the status of a single cert and
> > >apparently expected a response for a single certificate. I'd suggest
> > >that some "must" or "should" words address clients' ability to
> handle
> > >the situation of a response covering multiple certificates.
> > >
> > >
> > >
> > >Bill Price
> > >
> > >-----Original Message-----
> > >From: owner-ietf-pkix@mail.imc.org
> > >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> > >Sent: Monday, November 13, 2006 11:46 AM
> > >To: Michael Myers; Dave Engberg
> > >Cc: ietf-pkix@imc.org; Sam Hartman
> > >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> > >
> > >
> > >Mike:
> > >
> > >I think it is not that simple. I think you need to say that support
> > >for one certificate MUST be supported, and that support for more
> than
> > >one certificate is OPTIONAL. Then, the error is am indication that
> > >the requestor has selected an unimplemented OPTION.
> > >
> > >Russ
> > >
> > >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > > >Responders unable to produce or acquire a definitive response MUST
> > >return <a
> > > >TBD error>.
> > > >
> > > >As to your other points Santosh, that is something I prefer the
> > chairs
> > > >consider.
> > > >
> > > > > -----Original Message-----
> > > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > > >
> > > > > Mike,
> > > > >
> > > > > What is the error case?
> > > > >
> > > > > . . .
>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEGk6aM005398; Tue, 14 Nov 2006 09:46:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEGk6kv005397; Tue, 14 Nov 2006 09:46:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from harpo.itss.auckland.ac.nz (harpo.itss.auckland.ac.nz [130.216.190.13]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEGk4vt005369 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 09:46:05 -0700 (MST) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from localhost (localhost.localdomain [127.0.0.1]) by harpo.itss.auckland.ac.nz (Postfix) with ESMTP id 0C50838078; Wed, 15 Nov 2006 05:45:59 +1300 (NZDT)
Received: from harpo.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpc.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05917-11; Wed, 15 Nov 2006 05:45:57 +1300 (NZDT)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by harpo.itss.auckland.ac.nz (Postfix) with ESMTP id 1440B38C61; Wed, 15 Nov 2006 05:27:45 +1300 (NZDT)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 5787D37742; Wed, 15 Nov 2006 05:27:45 +1300 (NZDT)
Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1Gk18e-0007H3-00; Wed, 15 Nov 2006 05:27:56 +1300
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: kent@bbn.com, ron.ogle@thomson.net
Subject: RE: PEM file format rfc draft request
Cc: Dieter.Bratko@iaik.tugraz.at, ietf-pkix@imc.org
In-Reply-To: <08AD20EDD5C44148842571F730597F8401295626@INDYSMAILMB03.am.thmulti.com>
Message-Id: <E1Gk18e-0007H3-00@medusa01.cs.auckland.ac.nz>
Date: Wed, 15 Nov 2006 05:27:56 +1300
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
"Ogle Ron" <ron.ogle@thomson.net> writes:
>If not PKIX, then where?
A web page somewhere where Google can find it. Given that this is such a
moving target, I'm not sure that an RFC is the best way to document this even
if you could find a WG that would adopt it.
Peter.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEGPFH4000659; Tue, 14 Nov 2006 09:25:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEGPFpn000656; Tue, 14 Nov 2006 09:25:15 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from groucho.itss.auckland.ac.nz (groucho.itss.auckland.ac.nz [130.216.190.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEGPCwF000565 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 09:25:13 -0700 (MST) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) by groucho.itss.auckland.ac.nz (Postfix) with ESMTP id 46D073618D; Wed, 15 Nov 2006 05:25:06 +1300 (NZDT)
Received: from groucho.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 21460-22; Wed, 15 Nov 2006 05:25:06 +1300 (NZDT)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by groucho.itss.auckland.ac.nz (Postfix) with ESMTP id 3AD2633EAC; Wed, 15 Nov 2006 05:25:04 +1300 (NZDT)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 7C8F037742; Wed, 15 Nov 2006 05:25:03 +1300 (NZDT)
Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1Gk162-0007Cr-00; Wed, 15 Nov 2006 05:25:14 +1300
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: ietf-pkix@imc.org, ron.ogle@thomson.net
Subject: Re: PEM file format rfc draft request
Cc: Dieter.Bratko@iaik.tugraz.at
In-Reply-To: <08AD20EDD5C44148842571F730597F84011E00DE@INDYSMAILMB03.am.thmulti.com>
Message-Id: <E1Gk162-0007Cr-00@medusa01.cs.auckland.ac.nz>
Date: Wed, 15 Nov 2006 05:25:14 +1300
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
"Ogle Ron" <ron.ogle@thomson.net> writes:
>The issue that I discovered was when I was working with PEM files for PKCS1
>and PKCS8 formatted private keys under OpenSSL and some Java toolkits using
>an IAIK implementation. OpenSSL expects PKCS8 PEM files to have "BEGIN
>PRIVATE KEY" as the header while IAIK uses "BEGIN RSA PRIVATE KEY" for RSA
>keys and "BEGIN DSA PRIVATE KEY" for DSA keys. For PKCS1, both expect "BEGIN
>RSA PRIVATE KEY".
Uhh, given that it's probably about 10-15 years too late to try and fix this,
is it worth even doing this? Most implementations get around it by reading
the lowest common denominator of all the formats they know of (for example my
code looks for '----' + 'BEGIN' + 'PRIVATE', which seems to handle all
possibilities). Even if you could decide on one particular interpretation I
can't imagine anyone's going to change code that's been in the field for 10+
years. I think the best you could do is create an kind of FYI RFC that
documents all of the possible formats (I started this in my X.509 style guide
some years ago), or maybe document a regexp that'll recognise all possible
formats.
Peter.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEEb0pY076292; Tue, 14 Nov 2006 07:37:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEEb0rA076291; Tue, 14 Nov 2006 07:37:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEEaw0V076284 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 07:36:59 -0700 (MST) (envelope-from Peter.Sylvester@edelweb.fr)
Received: from [193.51.14.5] (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id kAEEav503461 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 15:36:57 +0100 (MET)
Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by edelweb.fr (nospam/2.4); Tue, 14 Nov 2006 15:36:57 +0100 (MET)
Message-ID: <4559D413.1060709@edelweb.fr>
Date: Tue, 14 Nov 2006 15:34:59 +0100
From: Peter Sylvester <Peter.Sylvester@edelweb.fr>
User-Agent: Thunderbird 1.5 (X11/20051025)
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: bug in RFC 4043
References: <45522978.4060302@nist.gov> <45548E3B.8040302@edelweb.fr>
In-Reply-To: <45548E3B.8040302@edelweb.fr>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms030004030308040109010406"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a cryptographically signed message in MIME format.
--------------ms030004030308040109010406
Content-Type: text/plain; charset=GB2312
Content-Transfer-Encoding: 8bit
In RFC 4043 there seems to be a bug.
The spec uses ATTRIBUTE instead of OTHER-NAME. i.e. shouldn't this be:
permanentIdentifier OTHER-NAME ::= {PermanentIdentifier IDENTIFIED BY
id-on-permanentIdentifier}
and OTHER-NAME imported
--
To verify the signature, see http://edelpki.edelweb.fr/
Cela vous permet de charger le certificat de l'autorit¨¦;
die Liste mit zur¨¹ckgerufenen Zertifikaten finden Sie da auch.
--------------ms030004030308040109010406
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC
BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G
A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs
UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx
CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ
S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu
ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo
VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq
q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID
AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5
MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT
VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD
VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F
ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV
HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA
A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U
TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8
1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5
V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9
F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely
LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+
udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr
LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT
AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV
BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy
MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp
Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA
ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN
LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy
x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm
T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl
Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl
ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF
BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F
ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx
cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI
hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2
mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT
g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ
bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4
88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8
oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI
MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m
JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL
MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL
STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0
MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj
ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI
hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M
ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe
1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt
qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd
UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH
pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS
cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB
CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0
dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C
AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV
HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3
UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy
4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz
QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u
US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj
PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq
Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf
Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y
rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6
PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL
d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18
k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg
d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD
VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ
S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD
MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDYxMTE0MTQzNDU5WjAjBgkqhkiG9w0B
CQQxFgQUa1iRdNIcWhTdgZiNMpycSo1xC34wUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D
BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC
ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY
MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy
c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE
ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ
IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGAHqtHPDBlB2K0vqwK
HFBTX9VmB7Vy0YGW7VbikdMbrOecV6QmOIxGDSoMAk6MLioI6gqj9dnQNP9T+6EE1hd4mOzs
AhacxhVqyWN0xLbLW4jWZixKZytOKHURd1Njux1/OkCoKEp2FI/i1sWdX+rYrn4flyUK2CcF
SfGEm4efqfMAAAAAAAA=
--------------ms030004030308040109010406--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEETD2c074512; Tue, 14 Nov 2006 07:29:13 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEETDvi074511; Tue, 14 Nov 2006 07:29:13 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailrelay1.tugraz.at (mailrelay.tu-graz.ac.at [129.27.2.202]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEETAP0074460 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 07:29:13 -0700 (MST) (envelope-from Dieter.Bratko@iaik.tugraz.at)
Received: from thor.iaik.tugraz.at (mail1.iaik.tugraz.at [129.27.152.30]) by mailrelay1.tugraz.at (8.13.8/8.13.8) with ESMTP id kAEET1bb017524; Tue, 14 Nov 2006 15:29:01 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by thor.iaik.tugraz.at (Postfix) with ESMTP id 11E67194009; Tue, 14 Nov 2006 15:29:02 +0100 (CET)
Received: from thor.iaik.tugraz.at ([127.0.0.1]) by localhost (thor [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 30085-02; Tue, 14 Nov 2006 15:29:01 +0100 (CET)
Received: from vesta (vesta.iaik.tugraz.at [129.27.152.109]) by thor.iaik.tugraz.at (Postfix) with SMTP id EB211194007; Tue, 14 Nov 2006 15:29:01 +0100 (CET)
Message-ID: <01c401c707f9$3ac61660$6d981b81@iaik.tugraz.at>
From: "Dieter Bratko" <Dieter.Bratko@iaik.tugraz.at>
To: "Ogle Ron" <ron.ogle@thomson.net>
Cc: <ietf-pkix@imc.org>
References: <08AD20EDD5C44148842571F730597F8401295626@INDYSMAILMB03.am.thmulti.com>
Subject: Re: PEM file format rfc draft request
Date: Tue, 14 Nov 2006 15:29:01 +0100
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
x-mimeole: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at iaik.tugraz.at
X-Spam-Scanner: SpamAssassin 3.001007
X-Spam-Score-relay: -2.6
X-Scanned-By: MIMEDefang 2.57 on 129.27.10.18
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
> that use x509 also recognize PEM formatted certificates/key pairs.
> This is how I discovered the problem in the first place.
>
> If not PKIX, then where?
I agree with Ron that PKIX would be the right place. PEM as email
security format is not widely used. However, base64 encoded
keys/certificates/certificate requests/crls,... with PEM-style
headers/footers are an inherent part of almost any (X.509 based)
PKI environment.
When implementing en- and decoding of keys and other PKI
objects for our Java crypto toolkit, we first searched for a specification
telling us which headers and footers shall be used. Since no such
specification is available we tried to implement it in a way to be
interoperable with other appliacations. However, each application may
use its own interpretation and some applications are very restrictive and
only accept their own interpretation. The only solution is to provide
additional API methods allowing the user to explicitly set the PEM headers;
however, this only moves the decision to the user (and is not applicable
for final applications).
For that reason a standard giving some recommendations
for the usage of PEM headers would be very useful. It should not
only cover keys, but also certificates, crls, requests,... (for instance,
some applications use -----BEGIN CERTIFICATE REQUEST-----.
and some use -----BEGIN NEW CERTIFICATE REQUEST-----,
and some may use -----BEGIN PKCS10 REQUEST---- or something
other for encoding a certificate request). We should try to find and setup
a common base from already existing PKI applications.
Since Steve Henson announced that he would help to write
the specification, we already would have the contribution of
one of the most widely used crypto libraries, OpenSSL.
Regards,
Dieter
---------
Dieter Bratko, SIC/IAIK - Graz University of Technology
IAIK, Inffeldgasse 16a, 8010 Graz, Austria, http://jce.iaik.tugraz.at/
----- Original Message -----
From: Ogle Ron
To: Stephen Kent
Cc: ietf-pkix@imc.org ; Dieter Bratko
Sent: Tuesday, November 14, 2006 2:18 AM
Subject: RE: PEM file format rfc draft request
I agree that the original PEM meaning is as you state. I have no idea
as to how it got skewed with these new meanings for public/private keys
and certificates. However, it does now exist.
As for the relevance with PKIX, the "PEM" format also describes the base
64 encoding with MIME headers for x509 certificates. Also, many S/MIME,
SSL, IPsec, and other cryptographic standards that use x509 also
recognize PEM formatted certificates/key pairs. This is how I
discovered the problem in the first place.
If not PKIX, then where?
Thanks
Ron Ogle
-----Original Message-----
From: Stephen Kent [mailto:kent@bbn.com]
Sent: Monday, November 13, 2006 6:45 PM
To: Ogle Ron
Cc: ietf-pkix@imc.org; Dieter Bratko
Subject: Re: PEM file format rfc draft request
At 4:56 PM -0500 11/13/06, Ogle Ron wrote:
>I would like to know if the PKIX working group would be interested in
>shepherding a new rfc concerning PEM file formats? I've recently
>discovered that there is no definitive standard for how a PEM's headers
>and footers are defined for a private key. I've searched the RFCs, and
>ISO standards without any luck.
PEM formats were defined for e-mail messages, not files per se. I
think RFC 1421 defines the last of the formats (we had a few
iterations) for PEM.
>The issue that I discovered was when I was working with PEM files for
>PKCS1 and PKCS8 formatted private keys under OpenSSL and some Java
>toolkits using an IAIK implementation. OpenSSL expects PKCS8 PEM files
>to have "BEGIN PRIVATE KEY" as the header while IAIK uses "BEGIN RSA
>PRIVATE KEY" for RSA keys and "BEGIN DSA PRIVATE KEY" for DSA keys.
For
>PKCS1, both expect "BEGIN RSA PRIVATE KEY".
it looks like folks made this up! PEM describes how to transfer a
symmetric key encrypted under a public (RSA) key in a message, in
1421. It does not describe how to transfer a private key, because
one would not do that via an e-mail message.
The term "PEM file" with regard to PKCS #8 is a misnomer, relative to
IETF standards. Since PKCS #8 defines a format for private keys, it
is not relevant to PEM, period.
Given that PKIX is a WG that focuses on X.509-based standards, it is
not immediately clear that a document on how to use base-64 encoding
and MIME-style headers to represent private keys is within our scope.
Steve
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEDo77w067981; Tue, 14 Nov 2006 06:50:07 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEDo7tX067980; Tue, 14 Nov 2006 06:50:07 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEDo6ET067967 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 06:50:06 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 6C040E0035; Tue, 14 Nov 2006 08:49:59 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: secdir@mit.edu, ietf-pkix@imc.org, housley@vigilsec.com
Subject: [Wijnen, Bert (Bert)] FW: [members] FW: Proposed charter for OASIS EKMI TC
Date: Tue, 14 Nov 2006 08:49:59 -0500
Message-ID: <tsld57qnnnc.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--=-=-=
I'm sorry if this has already been forwarded to pkix.
--=-=-=
Content-Type: message/rfc822
Content-Disposition: inline
Return-Path: <bwijnen@lucent.com>
Received: from solipsist-nation ([unix socket])
by solipsist-nation (Cyrus v2.1.18-IPv6-Debian-2.1.18-1+sarge2) with LMTP; Mon, 13 Nov 2006 09:37:32 -0500
X-Sieve: CMU Sieve 2.2
Return-Path: <bwijnen@lucent.com>
Received: from south-station-annex.mit.edu (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by suchdamage.org (Postfix) with ESMTP id CD30313194
for <hartmans@suchdamage.org>; Mon, 13 Nov 2006 09:37:31 -0500 (EST)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by south-station-annex.mit.edu (8.13.6/8.9.2) with ESMTP id kADEbU1p018083
for <hartmans@suchdamage.org>; Mon, 13 Nov 2006 09:37:30 -0500 (EST)
Received: from mit.edu (M24-004-BARRACUDA-3.MIT.EDU [18.7.7.114])
by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id kADEbCiG005974
for <hartmans-ietf@mit.edu>; Mon, 13 Nov 2006 09:37:13 -0500 (EST)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mit.edu (Spam Firewall) with ESMTP id 2643675AB4
for <hartmans-ietf@mit.edu>; Mon, 13 Nov 2006 09:37:07 -0500 (EST)
Received: from nl0006exch001h.wins.lucent.com (h135-85-76-62.lucent.com [135.85.76.62])
by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id kADEapsb028094;
Mon, 13 Nov 2006 08:37:02 -0600 (CST)
Received: by nl0006exch001h.nl.lucent.com with Internet Mail Service (5.5.2657.72)
id <R9BL5TBA>; Mon, 13 Nov 2006 15:36:51 +0100
Message-ID: <7D5D48D2CAA3D84C813F5B154F43B1550AF1D1D5@nl0006exch001u.nl.lucent.com>
From: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>
To: "Russ Housley (E-mail)" <housley@vigilsec.com>,
"Sam Hartman (E-mail)" <hartmans-ietf@mit.edu>
Cc: "Iesg (E-mail)" <iesg@ietf.org>, "IAB (E-mail)" <iab@ietf.org>
Subject: FW: [members] FW: Proposed charter for OASIS EKMI TC
Date: Mon, 13 Nov 2006 15:36:49 +0100
X-Mailer: Internet Mail Service (5.5.2657.72)
X-Scanned-By: MIMEDefang 2.42
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
solipsist-nation.suchdamage.org
X-Spam-Level:
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00 autolearn=ham
version=3.0.3
MIME-Version: 1.0
FYI, just in case no one else sees these types of
announcements.
Loa, are these guys on the new-work list?
If not, maybe you should contact them to see if they
are willing to announce these things on new-work as well.
Bert
-----Original Message-----
From: Mary McRae [mailto:mary.mcrae@oasis-open.org]
Sent: Friday, November 10, 2006 18:57
To: members@lists.oasis-open.org; tc-announce@lists.oasis-open.org
Cc: oasis-charter-discuss@lists.oasis-open.org
Subject: [members] FW: Proposed charter for OASIS EKMI TC
To: OASIS Members
A draft TC charter has been submitted to establish an Enterprise
Key Management Infrastructure (EKMI) Technical Committee at OASIS.
We circulate such draft charters for member review and comments, in
accordance with Section 2,2 of the OASIS TC Process rules:
http://www.oasis-open.org/committees/process.php#2.2
The proposed charter below is open for comment. The comment period
shall remain open until 11:45 pm ET on 22 November 2006.
OASIS maintains a mailing list for the purpose of submitting
comments on proposed charters. Any OASIS member may post to this
list by sending e-mail to:
oasis-charter-discuss@lists.oasis-open.org.
All messages will be publicly archived at:
http://lists.oasis-open.org/archives/oasis-charter-discuss/
Members who wish to receive these messages via e-mail must join the
group by selecting "join group" on the list's home page:
http://www.oasis-open.org/apps/org/workgroup/oasis-charter-discuss/.
Employees of organizational members do not require primary
representative approval to subscribe to the oasis-charter-discuss
e-mail.
A telephone conference will be held among the Convener, the OASIS TC
Administrator, and those proposers who wish to attend shortly after
the close of the comment period. The time and call-in information
will be noted on the oasis-charter-discuss list and home page.
We encourage member comment, and ask that you note the name of
the proposed TC (EKMI) in the subject line of your email message.
Best regards JBC
~ James Bryce Clark
~ Director of Standards Development, OASIS
~ http://www.oasis-open.org/who/staff.php#clark
~ jamie.clark@oasis-open.org
====
PROPOSED CHARTER
FOR REVIEW AND COMMENT
OASIS ENTERPRISE KEY MANAGEMENT INFRASTRUCTURE TECHNICAL COMMITTEE
Name
OASIS Enterprise Key Management Infrastructure (EKMI) TC
Statement of Purpose
Public Key Infrastructure (PKI) technology has been around for more
than a decade, and many companies have adopted it to solve specific
problems in the area of public-key cryptography. Public-key
cryptography has been embedded in some of the most popular tools --
web clients and servers, VPN clients and servers, mail user agents,
office productivity tools and many industry-specific applications --
and underlies many mission-critical environments today.
Additionally, there are many commercial and open-source
implementations of PKI software products available in the market
today. However, many companies across the world have recognized
that PKI by itself, is not a solution.
There is also the perception that most standards in PKI have already
been established by ISO and the PKIX (IETF), and most companies are
in operations-mode with their PKIs -- just using it, and adopting it
to other business uses within their organizations. Consequently,
there is not much left to architect and design in the PKI community.
Simultaneously, there is a new interest on the part of many
companies in the management of symmetric keys used for encrypting
sensitive data in their computing infrastructure. While symmetric
keys have been traditionally managed by applications doing their own
encryption and decryption, there is no architecture or protocol that
provides for symmetric key management services across applications,
operating systems, databases, etc. While there are many industry
standards around protocols for the life-cycle management of
asymmetric (or public/private) keys -- PKCS10, PKCS7, CRMF, CMS, etc.
-- however, there is no standard that describes how applications may
request similar life-cycle services for symmetric keys, from a
server and how public-key cryptography may be used to provide such
services.
Key management needs to be addressed by enterprises in its
entirety -- for both symmetric and asymmetric keys. While each type
of technology will require specific protocols, controls and
management disciplines, there is sufficient common ground in the
discipline justifying the approach to look at key-management as a
whole, rather than in parts. Therefore, this TC will address the
following:
Scope
A) The TC will define the request/response protocols for:
1. Requesting a new or existing symmetric key from a server;
2. Requesting policy information from a server related to caching of
keys on the client;
3. Sending a symmetric key to a requestor, based on a request;
4. Sending policy information to a requestor, based on a request;
5. Other protocol pairs as deemed necessary.
B) To ensure cross-implementation interoperability, the TC will
create a test suite (as described under 'Deliverables' below) that
will allow different implementations of this protocol to be
certified against the OASIS standard (when ratified);
C) The TC will provide guidance on how a symmetric key-management
infrastructure may be secured using asymmetric keys, using secure
and generally accepted practices;
D) Where appropriate, and if possible in conjunction with other
standards organizations that focus on disciplines
outside the purview of OASIS, the TC will provide input on how such
enterprise key-management infrastructures may be managed, operated
and audited;
E) The TC may conduct other activities that educate users about,
and promote, securing sensitive data with appropriate cryptography,
and the use of proper key-management techniques and disciplines to
ensure appropriate protection of the infrastructure.
List of Deliverables
1. XSchema Definitions (XSD) of the request and response protocols
(by April 2007)
2. A Test Suite of conformance clauses and sample transmitted keys
and content that allows for clients and servers to be tested for
conformance to the defined protocol (by September 2007)
3. Documentation that explains the communication protocol (by
April 2007)
4. Documentation that provides guidelines for how an EKMI may be
built, operated, secured and audited (by June 2007)
5. Resources that promote enterprise-level key-management: white
papers, seminars, samples, and information for developer and public
use. (beginning January 2007, continuing at least through 2008)
Anticipated Audiences:
Any company or organization that has a need for managing
cryptographic keys across applications, databases, operating systems
and devices, yet desires centralized policy-driven management of all
cryptographic keys in the enterprise. Retail, health-care,
government, education, finance - every industry has a need to
protect the confidentiality of sensitive data. The TC's
deliverables will provide an industry standard for protecting
sensitive information across these, and other, industries.
Security services vendors and integrators should be able to fulfill
their use cases with the TC's key management methodologies.
Members of the OASIS PKI TC should be very interested in this new TC,
since the goals of this TC potentially may fulfill some of the
goals in the charter of the PKI TC.
Language:
English
IPR Policy:
Royalty Free on Limited Terms under the OASIS IPR Policy
----
Additional Non-normative information regarding the start-up of the TC:
a. Identification of similar or applicable work:
The proposers are unaware of any similar work being carried on in
this exact area. However, this TC intends to leverage the
products of, and seek liaison with, a number of other existing
projects that may interoperate with or provide functionality to the
EKMI TC's planned outputs, including:
OASIS Web Services Security TC
W3C XMLSignature and XMLEncryption protocols and working group
OASIS Digital Signature Services TC
OASIS Public Key Infrastructure TC
OASIS XACML TC (and other methods for providing granular
access-control permissions that may be consumed or enforced by
symmetic key management)
b. Anticipated contributions:
StrongAuth, Inc. anticipates providing a draft proposal for the EKMI
protocol, at the inception of the TC. The current draft can be
viewed at:
http://www.strongkey.org/resources/documentation/misc/skcl-sks-protocol.html
and a working implementation of this protocol is available at:
http://sourceforge.net/projects/strongkey for interested parties.
c. Proposed working title and acronym for specification:
Symmetric Key Services Markup Language (SKSML), subject to TC's
approval or change.
d. Date, time, and location of the first meeting:
First meeting will be by teleconference, with an optional face-to-
face gathering as one conference call node, at:
Date: [December ____, 2006]
Time: [____ UTC]
Call in details'; to be posted to TC list
F2F Location: San Francisco Bay Area. StrongAuth has agreed to
host this meeting.
e. Projected meeting schedule:
Subject to TC's approval, we anticipate monthly telephone meetings
for the first year. First version of the protocol to be voted on by
Summer 2007. StrongAuth is willing to assist by arranging for the
teleconferences; we anticipate using readily available free
teleconference services.
f. Names, electronic mail addresses, of supporters:
Ken Adler, individual member, ken@adler.net
June Leung, FundSERV, June.Leung@FundServ.com
John Messing, American Bar Association, jmessing@law-on-line.com
Arshad Noor, individual member, arshad.noor@strongauth.com
Davi Ottenheimer, individual member, davi@poetry.org
Ann Terwilliger, Visa International, aterwil@visa.com
g. TC Convener:
Arshad Noor, arshad.noor@strongauth.com
END DRAFT
--
Mary P McRae
Manager of TC Administration, OASIS
mary.mcrae@oasis-open.org
voip: 603.232.9090
Message does not appear in the archives - forwarding for inclusion
---------------------------------------------------------------------
This email list is used solely by OASIS for official consortium communications.
Opt-out requests may be sent to member-services@oasis-open.org, however, all members are strongly encouraged to maintain a subscription to this list.
--=-=-=--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEBurvw050999; Tue, 14 Nov 2006 04:56:53 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEBurZI050998; Tue, 14 Nov 2006 04:56:53 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEBuq5T050979 for <ietf-pkix@imc.org>; Tue, 14 Nov 2006 04:56:53 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Tue, 14 Nov 2006 03:58:41 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C879056F7CEC@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccHeE/KbPJryS8sSM+aS+rqrtdjmAABDwUQABnd37A=
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: "Stefan Santesson" <stefans@microsoft.com>, "Russ Housley" <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>, <ietf-pkix@imc.org>
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>, "Michael Myers" <mmyers@fastq.com>, "Dave Engberg" <dengberg@corestreet.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAEBur5T050993
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Stefan,
You are making more complex than it is. The Responder can include all
the CA certificates that issued the certificate in question and AIA can
do the rest.
Furthermore, since most PKI are two tier hierarchy, in Enterprise
environment, the CA certificate certification path is not an issue.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Stefan Santesson
Sent: Monday, November 13, 2006 6:54 PM
To: Russ Housley; Price, Bill; ietf-pkix@imc.org
Cc: Sam Hartman; Michael Myers; Dave Engberg
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
I'm not sure the case described is a realistic one.
Section 2.2
All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating
that the responder may issue OCSP responses for that CA
Since the request is on certificates issued by 2 different CA:s trust
option 1 is invalid.
Trust option 3 is valid in theory but in practice it requires that the
OCSP responder provide multiple validation paths in the response, one
for each issuing CA. Somehow I doubt that this is implemented by anyone.
Trust option 2 is not generic and is only valid as a result of a local
configuration.
So I don't think this is a problem only for key-less responders.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Russ Housley
> Sent: den 13 november 2006 14:08
> To: Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> I prefer an error that tells the client to ask for the certificate
> one at a time.
>
> Russ
>
>
> At 02:46 PM 11/13/2006, Price, Bill wrote:
>
> >I'd suggest focusing on understanding where responses to the keyed
and
> >keyless responders inherently differ. I am aware of two general
cases:
> >
> >1) The request asks for the status of multiple certificates that have
> >not been included in a single presigned response. Russ's example fits
> >into this case. The keyed responder handles, but the keyless will
fail
> >for the general case. Some responders respond with the presigned
> >response that includes one of the certificates (usually the first) in
> >the request. A common situation is to ask for the status of
> >certificates in a chain. Santosh points out some keyless responders
> >anticipate this and bundle responses accordingly.
> >
> >2) The request is "well-formed" but asks for the status of a
> >certificate for which the keyless responder has not prepared a
> >response. This situation will occur if:
> >
> > a) The request is for status of a certificate from a supported
CA
> >but with a serial number for which there is no pre-signed response.
> >Assuming presigned responses exist for all certificates that would be
> >valid based on their validity intervals, this would occur if the
> >certificate had expired or was yet to be issued (I am aware the
> keyless
> >responders generally produce responses for certificates likely to be
> >issued before the next generation of presigned responses). The keyed
> >responder would give a signed "good" response. My understanding is
> that
> >the keyless responder under the draft lightweight OCSP responds with
> an
> >unsigned "unauthorized" error code.
> >
> > b) The request is for the status of a certificate from an
> >unsupported (or non-existent) CA. The keyed responder would respond
> >with a signed "unknown" response while under the draft, the keyless
> >would again respond with the unsigned "unauthorized" error code.
> >
> >Some might argue with some grounds that these differences are
unusual,
> >unlikely, and insignificant.
> >
> >I personally consider the behavior in 2 of responding with the
> >"unauthorized" error to be misleading. "Internal error" sounds more
> >appropriate if I were constrained to the current error codes.
> >"Malformed request" might be OK. However, the actual situation does
> not
> >match well with any of these errors as they are described in 2560.
> >
> >If 2560 is supposed to encompass keyless responders, I'd recommend
> >identifying the unavoidable differences and/or adding 2 TBD error
> codes
> >for the above cases (assuming they are the only differences). The
> first
> >error can be worked around by breaking the request for status of
> >multiples into multiple requests for status of one cert.
> >
> >We've also seen some problems with client apps that can't handle
> >presigned responses that commonly contain the status of several
(e.g.,
> >15-25) certs. The apps inquired for the status of a single cert and
> >apparently expected a response for a single certificate. I'd suggest
> >that some "must" or "should" words address clients' ability to handle
> >the situation of a response covering multiple certificates.
> >
> >
> >
> >Bill Price
> >
> >-----Original Message-----
> >From: owner-ietf-pkix@mail.imc.org
> >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> >Sent: Monday, November 13, 2006 11:46 AM
> >To: Michael Myers; Dave Engberg
> >Cc: ietf-pkix@imc.org; Sam Hartman
> >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> >Mike:
> >
> >I think it is not that simple. I think you need to say that support
> >for one certificate MUST be supported, and that support for more than
> >one certificate is OPTIONAL. Then, the error is am indication that
> >the requestor has selected an unimplemented OPTION.
> >
> >Russ
> >
> >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > >Responders unable to produce or acquire a definitive response MUST
> >return <a
> > >TBD error>.
> > >
> > >As to your other points Santosh, that is something I prefer the
> chairs
> > >consider.
> > >
> > > > -----Original Message-----
> > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > >
> > > > Mike,
> > > >
> > > > What is the error case?
> > > >
> > > > . . .
Received: from [138.238.45.22] ([138.238.45.35]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAE5eaqT098067 for <ietf-pkix-archive@imc.org>; Mon, 13 Nov 2006 22:40:39 -0700 (MST) (envelope-from azkdclpuq@payrollpeople.com)
Message-ID: <000d01c707af$633753b0$00000000@J0HNS0NPALACE>
From: "died" <azkdclpuq@payrollpeople.com>
To: ietf-pkix-archive@imc.org
References: <000d01c707af$633753b0$00000000@J0HNS0NPALACE>
Subject: Re: css editores tags fotoshop
Date: Tue, 14 Nov 2006 00:40:26 -0500
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000B_01C70785.7A5EDAB0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
This is a multi-part message in MIME format.
------=_NextPart_000_000B_01C70785.7A5EDAB0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000C_01C70785.7A5EDAB0"
------=_NextPart_001_000C_01C70785.7A5EDAB0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
----- Original Message -----=20
From: ietf-pkix-archive@imc.org=20
To: azkdclpuq@payrollpeople.com=20
Sent: Wednesday, November 00:40:05 AM
Subject: css editores tags fotoshop
Floating of serenely globe team.
Rates among indigenous cultures could Polynesian.
Selecting map below Computer Nursing.
Rip is through roading worker or suffered serious injuries. Grave =
Barrows tombstone equipment operated remote or.
Native temperate connects surrounds structures organs bodyedit =
hobbyists.
Hotel a Human Technology Maint. Sales Science Skilled Trades Strategy. =
Hello Guestlogin de Main toolscddvd toolsfile Toolsipod.
Custody children am Malawi judge am.
There dark should in ashamedof neither? Multipart articles multiple =
servers.
Hyatt or Verizon Robert Half or Wells. Moderate am wing am forces =
Labour indirect or.
Problems Students are especially prone a poor choices stumble =
literate? Gadgets is seo is Otaku Ovidiu Predescus Pedrams of.
Thinking or Brewer is Lion.
Macabre gullible am desperate?
Social historians future Geldard is Wilts of suppose is liner. =
Multipart articles multiple servers.
Rates among indigenous cultures could Polynesian.
Aubin am happen is impressed of dedication improve geographic =
knowledge literacy. Federline threatens release sex is tape Britney am =
Spears.
Hexeditor visual Jdoggnet password. Traffic detailed integrated is =
movable or satellite imagery matter quickest.
Perhaps respect Knowing likely Beneath sod lies another.
Hexeditor visual Jdoggnet password.
Appearance usb ports.
Bundle a Spyremover am net.
Speed defend a role.
Links box itd a highly didnt cost buckets.
------=_NextPart_001_000C_01C70785.7A5EDAB0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"Hourly" hspace=3D0=20
src=3D"cid:000a01c707af$6334e2b0$00000000@J0HNS0NPALACE" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color:=20
black"><B>From:</B> <A title=3Dietf-pkix-archive@imc.org=20
href=3D"mailto:ietf-pkix-archive@imc.org">ietf-pkix-archive@imc.org</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A =
title=3Dazkdclpuq@payrollpeople.com=20
href=3D"mailto:azkdclpuq@payrollpeople.com">azkdclpuq@payrollpeople.com</=
A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Wednesday, November =
00:40:05 AM=20
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> css editores tags =
fotoshop</DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>Floating of serenely globe =
team.<BR>Rates among=20
indigenous cultures could Polynesian.<BR>Selecting map below Computer=20
Nursing.<BR>Rip is through roading worker or suffered serious injuries. =
Grave=20
Barrows tombstone equipment operated remote or.<BR>Native temperate =
connects=20
surrounds structures organs bodyedit hobbyists.<BR>Hotel a Human =
Technology=20
Maint. Sales Science Skilled Trades Strategy. Hello Guestlogin de Main=20
toolscddvd toolsfile Toolsipod.<BR>Custody children am Malawi judge =
am.<BR>There=20
dark should in ashamedof neither? Multipart articles multiple =
servers.<BR>Hyatt=20
or Verizon Robert Half or Wells. Moderate am wing am forces Labour =
indirect=20
or.<BR>Problems Students are especially prone a poor choices stumble =
literate?=20
Gadgets is seo is Otaku Ovidiu Predescus Pedrams of.<BR>Thinking or =
Brewer is=20
Lion.<BR>Macabre gullible am desperate?<BR>Social historians future =
Geldard is=20
Wilts of suppose is liner. Multipart articles multiple servers.<BR>Rates =
among=20
indigenous cultures could Polynesian.<BR>Aubin am happen is impressed of =
dedication improve geographic knowledge literacy. Federline threatens =
release=20
sex is tape Britney am Spears.<BR>Hexeditor visual Jdoggnet password. =
Traffic=20
detailed integrated is movable or satellite imagery matter =
quickest.<BR>Perhaps=20
respect Knowing likely Beneath sod lies another.<BR>Hexeditor visual =
Jdoggnet=20
password.<BR>Appearance usb ports.<BR>Bundle a Spyremover am =
net.<BR>Speed=20
defend a role.<BR>Links box itd a highly didnt cost=20
buckets.</FONT></DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_001_000C_01C70785.7A5EDAB0--
------=_NextPart_000_000B_01C70785.7A5EDAB0
Content-Type: image/gif;
name="million.gif"
Content-Transfer-Encoding: base64
Content-ID: <000a01c707af$6334e2b0$00000000@J0HNS0NPALACE>
R0lGODlhcAIgAof2AA4HAHMCBweODoiOAAAHiXMFeQCHeMWzucfmzLHO+UknAGAWAIklAJQoC7Uj
Ae0pAAA2ACI/ADI6AGZACnRNAKs2AMNMBOdDBwBjACViADdTDWJeAHZmC6FqDb9ZBe1lAAeLAB1/
AEuGAFh1AIp+Ca53ALt7CNx+AACVAiSdBUiZBmumDXquDqSsALWWCO2iCgTCAyq/CDS7AFSxAIPN
C5fCDsrHANi7AA3ZCBrRAEHUAFvhB3fkC6HYALfTB+XbAAkIRxMASjIDP10MQH4GSKMJM7kAQNwA
NgMXThkjSUITR2cYPYMWRJ0TS8cXM9gfRApJSh1GSD84NFw+QnI3TpFITc49Q9I5SAhXSiFXSEtp
RFlRS4hYAKdZPbJjNelUTgB7PSiDS0aKMlhzNXqOO5Z4Mr50PuWDPQCfQyaZQkScO2OqPI2gOqOr
MsOeMeKYNQO+Qiu0PUaxTFK2R43AN5W8Nr65Q93NTgLrMh3YOjPhRWHnToveTJXkSrnbS+DjQAAA
dCMAfjQHc1wAhnEMfqIAeLMAgNUAeAIqgyQuhEYUhG4mh38Ti6MjfrQig9QtiQI0fhtDfzhHgVg5
gnxLfpE1jMgydthKdA5VgC5ghTpYcWBmjntrdqxng8djfNlphAuEiBV6fjmGemt0fX5+e5l/g76I
g9yGiwqmhiqiikyojF2RiHqjjqmbe7SVeNWshAW7dBi0fTnGjmG5coXFi6a0esHJf9q5hADecRHS
hDHgeVzsdHPRhpvnfsrlg+rRjQAAuhcGwDUAuVsDvnMHxJ4Ltc4Aw+cBwwARtighvEIiwl0Tt4Mn
tK0owLMjy9otvABKuB09wUo5x1I5sYk/sqxAwb4ywtM5ugBmyxlVtzNjuV9ezoxTuKtexMNmzdZq
xwuEyBWCszx7tmqJyod6u6t0yLVzuduOsQSXyyymxUGZvWGbtHypw6WbuLKbyuCSugy4xxS6zUrO
tluztnOzyJHHy/b/7qqrsH99jv4FBgT8APT/AwIA9/QA/wT/9f/3/yH5BAAdAJUALAAAAABwAiAC
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOK7PivpMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUpV58irWLNq3cq1q1eDGL6K
HUu27NWqaNOqXcu2rdu3cOPaNEu3rt27ePPq3cu3r9+/gAMLHky4sOHDiBMrXsy4sePHYuVKnky5
suWgSS5r3rwSsufPoEOLHk26tOnTqFOrXs26tevXsGNj5Ey7tu3buClzyM27t+/fwIMLH/5TtvHj
yJMrX868ufPnyokHlyS9uvXr2GdC3869u/fv4MOL/x9Pvrz58+jTq1/Pvj3z7DX5wJ9Pv779+/jz
69/Pv7///wAGiFsw9Lln4IEIxibgggw26OBtCUYo4YQUVmjhhchNE9mDHHbo4YdTYSjiiO0JQOKJ
KKaYHIgstujiizupKOOMNFoE44045phjjTz26KNBOgYp5JAMpgcAAD8mqeRFNwJAXxwzOUBkkATo
aN6RS2apZUQuOjnll2CGWZ2XYpZppkxYnKnWkWq26eabOf0yFJlw1mnnnUexieeefMLlHZJbBqoi
oMmdYc+RiCaKqKCMNjrQoh/1KemkQiZK6aWYSopoppx2CuemnoYqaph6OuXoqSOpgupDaazq6quv
jv8q66xTwpoVE7bmqqteNezq66/ABivssMQWa+yxyO76QrLMDhucIbRGK+201FZLabPYZqvtttx2
6+234IYr7rgGtULuueh2N0+67Dpk7bvw/tfuvOJOOkW8+LJI777e5uvvvwAHLHC1/BYMTMEIJ4xq
mEUM7PDDtRXRMMQUVyyZxBZnrPFaGG/s8cdPdQwySnSObPJOIp+scm8nSqzwy1rhmfLKNNds883D
wazzzjz3TCHOQAedks9Exyr00TchkZ86SDft9NNQR/1W0VSfKvXVWGetNadVi5RL12CHLfbYZO+7
9dlop53dNmozVfbbM3IqTttVeUD33XjnvSAVVOj/7TemfPf997/kBg73rjbzPbiQ97D1reGHA2ty
4ItbvC0VkRtb+eZ9MnoIwsREzvnopJdu+lFytpT56hf6d0G8jpwu++yL6wUP67h/RvvuvGvWRu+W
k3VK7sSf2utDhH6WfPHF9ldyb88D/2UDfEafm/XSZw9UqdBr771R2NcW/vfTOre8Y+czr/767Lfv
/o+AvJ8cAfJntNMa5OffmxAq1e//dvoLoAAHiLT/GbA5BEygAhfIwAY6kCYHjKAEJxiuBypwfP+I
ggU36CkKevCDIOwRPkKILWuQ8IQoZNQJUsjCFvLsAl/h4IsURcMaYlCGOMzhP1zIw8Xo8Ie06aEQ
/4dIkVUQsTtATKISlzikIzrxiVAUDxOnSEXKhKKKVImiFrfIReRg8YtgDCN+ukjGDYnxjLK7IhrX
yMY2utFkZYwjV9YIjjcSRY54xIqZOmHHPvrxj4D8Wx4HGRK/5SKQ1rmINwjJyIIg8pGQjGRPGklJ
++HmhpIMpKVkNYRM7glUubEDVLjnSf2MJlEGwdWfsFTJ51iHlCACZSk3+IqkyHKWaIndUV4GqVYq
aGu3xCUkMSlM2vCjmEmEhE98yUwuIRMlKnimNKdJzbT4oprYtFkzt9mQbHrzm+AMpzjHCTVuKucA
9CInG83JznbGcQ/wjCc83TlIedqTJOrMpz6lR/9PLaUPQ/uMCzG6F9DemQMpxCzoBhOq0AcytKEO
fChEJ0rRit6kn8TrhGAsytGOelQlovioSEdK0olitJ1+BILK0ACjk7KzpDCNqUxnStOa2lRoc7up
Tt3EAuwUYig72KlQN+dScw7VJvE4alMwodSm6sgWTlUTDqJK1bYV9apYxWNVvXeaOWS1YFvVGD3k
8tUW9qGsaE0rN8OaPbV2JBMkZKtc50ocCNB1pIfE1CDuuky3ButrSOTr7MSiCL+u5gqGTWx6BAuc
sYqKXYBVbGgYS1mdZmNHko1jZU2XWc1ulnTJMkVnR0vauyDBHtnjxVZLy8XPgpa1WqRYTl1L2y//
wrazl7jt22rL2976Vpq6Da5wh0tcLbHlXr9NrnKXO9jiCpG5Fb0F6ZjwL2lAdypMoG6+rHtdqWjX
JFCqFne7uxRlwocQ+HLuczFlDPKmZZPuPRsNUaLeFLKyvvjNbwXjqzFGBEW/AA6wgAecVtES2Cz8
TfCb+FetIGD2wKlZB6xoEwsF4wnCGM5wJU1QtmXUj0gmGBVLw3kgDmu4PV8KsYWxZgIVy4oZ1ZSQ
ibfEjK+WycWhgvGK04JjT+kYuBSa8ZJqjFU19ThTP97x05KsZKcxWZg7EwFoiHxiibShytxqspa3
zOUuKzEQHcSyAb1M5jLD5xlmTjMD26HmAYo5/7j0eLOc50zn1KijznjOc5XbzOcd65l9fYaJCyrG
rQb8+dCVDLSiF73BvDL60ZCO9IMSIFdEM0/SH7O0pjftnbapkbmcDrWol5OxVrBktm3uljjEMeo5
jgzVkkEHpm8E61k7bNWQxharW30Y+jFq17yOYYuyYOvNZKsWwfZKGKOpz2Q7+9mjKba0BQvtnkEg
IdNmUDGW+AI1V/vb4FbM5tjsWn4dIdwPyba6181uEKH73fCOt7w3Iox5M1JV9gZSuwWW7377O2b7
Dti/Xxbwggun1hv03y0GnrCFM/w1XBCPw3uUj3TlT7oGzxfGM46vjQv1fxN/OL1CLvJ2kbzknf+N
B7s04RGOEwcZ2UG52VxOc2H+ruY4p6zMd85zbOf85xXtudBP5YPiAf3oeNOggIbO9J0jXaYO/iiz
pZMaS/y7sE0fF9azHi5FbL082YMl6RTR0l9RQzG9zNzXpUg+sVeO7C0yYNptVYG/rP07bAkqziR6
Nq+7m+ujuftHiuGZpxu+2YBP/L74cSzbHPPwkI+8mRVP+cqTiBYVEfx35LBNyT/W8qAn7hJCT/rS
m15Ya+im51dPzdM3pheuj/2rVih7Ob6h9vMGoz7w1Qiu4f73wA++8PMoKkuwvj6fPr7jho8VPQA0
jPBQvvRzwnzjjKHwFFV6ElEjhep7//vbWQD/+MdP/vIPfPqXMj+5WKD+CS3I7eg3ynbu2/5G/TNh
VmfkEGJD//oL6v7+F4DsEn8EGHDOUIAvQSPXJ4AMgYB8woAQmFgOOIEUWIEW2CAPNwVgdYFRAQgc
+IE0E0wE83uo5CvSpiggOCXwlYJEAn8s+ILhBC0mwQowWINiBApFQiFRgFY7pCQ2GCZNx3L18oNE
uE9RV4RkFYFKuIRMWBFISCRN6IM3wwBPWIVqEYVYmIVaKBBW2IWyondeWE5bOIZkKIBhiCNi8wBq
WIYiooZuyIYX4oYP8G5ZI4cP4F4Js4Zw+G6w4CNn+IfXRYWn41+AWIhpNgZooT4G8Gf9AVWGGfiI
YLKHkkh8kPghk3iJmCgebBBHBXARAQEAIfkEACIAlQAsAAAAAHACNwAHCP8A7QkcSLCgwYMIEypc
yLChw4cQI0qcSLGixYsYM2rcyLGjx4vNQn4cSbKkyZMoU6pcybKly5cwY8qcSbOmTZpdburcybOn
z59ANf4bSrSo0aNIkypdyrSp06dQo0qdSrWq1atYs2rdyrWr169gp44KS7bs0qBo06pdy7at27dw
48qdS7eu3bt48+rdy7ev37+AAws2+Wuw4cOIX5pdzLix48eQI0ueTLmy5cuYM2vezLmz58+gQ4se
TXSEUr3wEqtezbp1XdKwY8ueTbu27duO7cVxzbu379/AgwsfTrwlgOPIkytHXry58+fQgVuKbhK3
9evYs2vfzr279+/gI4P/MSoqvPnzk6mrX8++vfv38OPLp4u+vv37+PPrTzq/v3+f5/z31n4EFmjg
gQgmqOCCDDbo4IMQRijhhBTGJlGFCAqo4YYkYXgge8NktAqHJDbkoYElpqjihScSuOKLMCaUz4xE
zZhPjTTaqKON//CI44077rhUkDf2SGSOR9JopI5JJTmUkEz+aJSPPxb5pJJXRrkkklguWRSRXyoZ
I1uLjNnTVFSmyaVSPrbZZVNqAvkmUlRmaedRdU6ppJB3ShlmnH4CuqWVgnrZZ4uIJsrZhW4W2Sib
e0ZqJZxvrslUnZhO6iedkmKZ6aeeShpmoFo+OuqdZqb6opdQigppqXM2/xnrobJOmmetr2Zpqq62
8snjrX/y6qiluf6j6rHqUfWrnIYC+2evmhbLabR4dumsntTeueyhSAYr6rXNdsvqrJsqau656UU0
rpHhHvnss0FO+yqYwcI7pLvargnovvqS2+64cmbrJ7IEa8jroOVOC+1TcRIrrb3y4hquoQCTWnGx
bl6MMKoFpwrEc1W1WmitCzuV57ICJ4xtxBE32rCg8YJrasyVhpoyujjn3BWLItt8L6w3J4wypSkD
e+2uvvpMscg/98l0vYZ2LLV8ulapstW7Eu2tv9yWvLLELzvt6saZkkpolJ/yN/Xa7W2aNthjm+wz
uF0Pm+3RcaOtad4ui/9t97t+D8z24KxZNXKSAW+NL8kuxwu1sA/bCyrFdk5epc0OazmotVzr7Pnn
oIcu+uhVXUH66ahLiAJ65KQOFYuuW0f47CDHLntz7dA+uO289x56YL4HL7y5wA9v/PETFi8VP/wg
7/zz3gHPPPNDTW/99NU3nz32SF2PPfVFUe89UeB3b33446MPfvnka78990rB3778R12fff3u/2P/
/PJ7f35S+/Nf89h3P6MIUH/7Ux8B+Qe/BYovfwU0YPrUZz7usW+B28Of9v7nQAi+T4L982D5EgjA
/73PhBpcnwjzF0IUHvCE7RvKgKiCwQ5GsIYevOEG3afCCs4vgghkIQ//CahCIS6FfiPMIQJjaMMg
/nCJQIwhU5IIRQni74pYrGIVcYi+KELxgkoEIwjHeD8qlhCMZtSiF4HYwCJacYthTOIOn0LFJmZQ
inAsoRQxaB4uWpGPb8xiD5mYQyLOsYt4dOEh6TjAITrFj4g0pA7NN8VCWjKLeERkHpsiRjVuEpCd
LKMRsQjIIAoxjXYMpBqLaMRSarKArlyjHR+YSEdi8pVcIUBjWATJW+pRj2lcYioJKUhH1lGJ8Wtk
JpNJyT9eMpjL9KUnPTnMSa4Rk4PUZDax2UpbXtGVtBSmN6tpTWfmMZbTDGclm6lNZZazl4ic4VTg
qcozkjCEXSSnOmtJzUxRLs+d16ynKcfHRWgGNJoHrGZCvTlNEJowlShMIRIByseIUrKHqFzhL9Op
TDPGsqD+2ygDE6jOjKaPnrLh5SWPSD9cktGa+gQoP2E5RzmCUqamrKRB99nPiiJTgdGkpkZJucKb
RnKoQX2lGA36wXXmdJNC3ShIaco/Zn7zpw5FqDFtGcoUxhMwssRqUkvZwjZKk6dQPWZU2YlSol71
ohZN6i/pGdOWujSKaJUkS9/o0Tg2dI8WHCdSAzlVfwo0rH+1ahP7OlFO2vItAQEAIfkEACIAlQAs
AAA2AHACNwAHCP8A7QkcSLDgwH//+PFDyBChwoYQIT6MmHAhRYcTMSrMmJFhR48LP1YESRLjSJEi
TaqUaPFiSZQhWzZ8uDHlSpczLaaEGXFnTZw2P9KUeXMkUKITOeokStLmy40rlfZkGpXq0KZMg1qN
ifNi0qxLn0LN2dWoUYNo06pdy7ZtwbJet8ItShdrSZZTKV7FWzXnXrJ6a2qF+9du3q9x5xrmC7gx
YKdmHZ8EyzjxY8FhA9e9K7Vv5cY+I//MSxovZJeFVWLO3PG0aosAFMueTfuf27eR75YNrfl178+I
HXfWmFk3aKq5E/PMHTy586POl0v2/FtyaubIjTcffhw18uHSKwv/LV6Rd2nftK9vL87de8Tb8OPL
N1g7evb2xjmTz18eJPmx1GkkIH/jmTUYepe1NFZrlEGH4HTh6baeZQFGeF5zrynIFX/PgdfghUrt
BxV+/pX4HGMYmlQgg3V5WN+LMFI0X3kfBgbgVJhhZ59gfjHIY490+XijdUsNyRKA4f1YVIFdKbla
TDyuRuNPTCqJ42j+GXkicUgiJdOPTH4mVpFU5kjjkSzyZWVcN7rGZX6pxQklmFieNd+deK4V4558
9unnn4AGKuighBZq6KGIJqrooozKNmOjkEYq6aSUVmrppZhmWl+enHaKp6aghirqqKSWauqpfHqq
6p2oturqq7DG/wqqHLLWauutuOaq66689uorQ4/+KuywxHa16rHIJqvsssw266w9xUYr7bTUVmst
jPN98EFD2nK7LUPafotQuOSG6625/3QLkboRkTtuue62C6+58FKE7rvlnpuvS/u+K6+983bLLrjb
BkwwuvMCLG66C/v777oL98swxF0N7C2+CVs88cbPduzxxyCHLDJusrEb78b4XqTxvQI3jPLDFM9l
scku3/sywi6rTPO3Nr8McMwXa+zwxAP3bHTEOTPcsLosM7100gQrDPPQUft87dXUzui000HnvLLX
NUMttNA6Az1zweKeTTVOaiuNdMVP/zs22EATHbfVB7/tM81V6//89dd1O6zuyIQXbvjhiHO6cbxF
o/3zxY9DHrnkZbW9t+Nr2w3X3JpnHjjgnE89dMsxk9356ZDzDTfFgFMu+LeJxy777LTnWdvWPL8d
et8QG1y26GzffTnKoCcMvOaq8yt81L63LjnpvUN9OvSlpy091Vx/HnDuxLqB9fd7Qk896rzjbbXp
u1d+d/Hlk/8769ybXz77flsP8/jtV+/v7vi/n/z8YfMcr9zgPfB971GMs9n/1kY25x3PdKKT2Oji
17XN0Y1vEBwe/NSXueyd73oYxJzZRBi8vJ2MgQHkWO2SRcAVuvCFtrsdzhonQQ0CD310k9n6nrYv
+q1ObkjLoOX/mHe9/aXQeK6bmrv4R0LlvQ+AD8vgAAtowD3F5lQInKHePvjAFE4uf08k3hY9+Dod
6i9vP2xf/35muQXKD3s4014RBehALkIEhnjcBR6fBYA9CqQ+ClzgEFNmxON5TopQrJraaChAeVmP
goR0Yt3I2DcyxtF1QuRhJI82R/PVsXWIrKIoYxWsxmFyefqCJB179kbtbbBrEvNd/bYIxvzVC2MJ
bFosUZlJJZ7wYOr7pR3VGD8/GvOYyFTVKJfJzGa6KhTOjKY0p0nNalrzmtjMpja3yc07JvOb4Ayn
OMdJznKa85zoTKc618lO2gGinWy5wMeqyIRu2vOe+MwnoN6h0M9++vOfAJ3LO/gZ0IIa9KD3HChC
F8rQhjpToQ6NqKTeINFhwfM2A72oRjfK0Y569KMgDalIR0rSkhLODCZNqUpXytKWEo4VLo2pTGdK
05ra9KY4zalOd8rTnvr0p0C9TUWHStSi6iqoSE2qTOGh1KY69alQjeoLjUrVqkqKF1Yti1S3ytWu
evWrYA2rWNmZ1bKa9ayNGqta18pWsqL1rXCNa6hyIde62vWueM1rQ1Wh17769a9WbatgB0vYwhr2
sIhNrGIXy1i2AvaxkJVoQAAAIfkEACIAlQAsAABsAHACNwAHCP8A/wkcSLCgwYMIEypcyLChw4cQ
I0qcSLGixYsYM2rcyLGjx48gQ4ocSbKkyZMoU6pcybKly5cwY160R7OmzZs4c+rcybOnz59Agwod
SrSo0aNIkypdyrSp06dQo0qdSvWpzKtYs2rdyrWr169gw4odS7as2bNo03olqvZfz7Zw48pdWLWu
3bt48wpt+3au379w9QoeTLgwU748ASv+J0DAw8aLTUIeaLiy5cuY7QkEwJkz2Z6TGTsWCLmx6cmn
UacOPXC1Y9ahU5NeLdogbdGxT7eWfdA17t24efceHZx47eMZhbsmLrxgbuC+Yb++TfD2c+SZs2uv
TMPuP8+bAYz/Bc28PHLg6GcnZI3+em3258+rTj9fvW3js82nR+j+OnyK7tlHH34CPvdfff9VZ159
9m3n4IMQFgWeQZ1NWKF4nYVX4UAXapjhd+KByGGIBZGX32ilEZiggPfxZ9p+MMaXIIPqBRijbvIR
6ByK+KW4XHkvFteigkTG2B6P880YZHxDvjfdjgJFKOWUhkk0IUEWhpjhlhiCd2V4IGrZJZhkQqRa
kirqaCSLCtrIpoxq0uikkfDhKJ1CNiKIJnRKQrnfinruOZybfjp5oJqRJdrWl2V6KSaYWVI4Jpkb
YuTjk8WdueSbuzV3532y1akcj1BSt2OoT37qIox68unqqkWy/7hiqS9quql0zZ14JqyK9roVUYyK
SOmjIkYaJpcjetjQW3YGOausiCpJqKgLtUpkiuuleWKsw7FKKnKX1hptj8apWq2z6LpIKLfbtkjl
u/B6F1GwxjoKKYmeRVrvhxc1K2e3azLZrsDU4vkte9gKzKSm7BaK8MELassrtA2ri+S3oOqXbYsF
++qxWvriS6y9IWso7MlfBsuQvxj/We64APeHKbufylygjh3fimiOA94M7swAw+mwxixzaq2fBT/8
8dIxsXWsyPzaW2yHHuYrcrJYkkhQX6r6lmmhGYsbK2/RkW12bkuaq2vCvwUM7aZC2mf2uXAvjCPF
A6J6rXUt+//cYLyAB15YRypDVHiJiTFt1rOKSzaa4JBHLu9GhzdU+daJN04W45qHFFpQO0gu+ug+
Ea71RJdTlnnnYnHOOkeskS777EVp1RdJtOeu++7vcsI7Zq8HLzzTIAxv/PHIJ698WlgsT1A1zpv+
UOrRV2/99RxB7/yFpxvefULUI6T1+E9jWFCXlWKv/vqJaq8QDo1fGf7534tfv0Pkc/jdQfhuppgl
7AugAP9RDfcZj14j29CHuDeiqF3NcPrrX/3M578BWhB7SliMARUDrO9JjUtjWuCkhGWs2+3PfxIU
3wlXqLrfufCFMIxhTarhQtRR7VhYI9nV9nURLZ1QTOljIQP/L0jEq4CiiAzZoF+cljVlDeteyeKh
QUy4vxSyEEsr7J4Mt8jFKcGiiz2hIRhzIiknkvBRJXviFFdXxQhWkEJZXOMY50jHOtpxO/J7oBqt
FsUHlpCNFGzjFd/oQ8Td8ZCITKQikdIPnJSviTlE4w0n+UAqXhFqWzrfIxfJyU56ko7SQ6IoR0nK
5DGRf/cLiSVB8slWuvKVdlTI/DSyyo/A8pa4zOXuTmJCNjpPl8AMJhhLScxiGvOYyEymMpf5sVOO
pJc7EcghDqGSaXLFmi0Upja3qTsr3bCMMMFmQcSJEHIOxJzjpCY5rTnNdlLzIO585z/iSZB2nlOe
85QnOpnJ/89+YgQoDKiJsTwCTZ3k053StGc5FVrPfSb0offMZ0TTGVFxYpOd6sSnRCfKzY56FIwh
E2HVRoq1guYEoQZx6ETvqdKL4hOjK13oRjcKU3Ou850fzalO4eXNPo5vhI3SI0ZQSlGF3HSmRUUq
TCGakKXSNKPotKlG/UnVqjqkg5VKGVBR9j2TOpKhDV2IRd/p0LGGNZ5TLapZE2pPhkrVLTuNq1xF
xyitnqxqwfLqTdiqUZUyFa1pXetD/crSlUa1rWTtKzXnytjGDm5e3bOrXU3iVKTCM7BpnelRCWtZ
wQ42o03NrFVHS1qK1PV0fIQkVztS2aOGNaWZda1LxTpVz29KdKlvLa1ud9tBcEZShPwSll5tglaW
KnSsRGUqbBtqW9jS86C5PWhMsenY6lp3O7xcXeI4yxHuvoS61w2veAmT3Whm05GWJYl3WSLO8br3
vc4c5XpTMt/d2ve++M2vfvfL3/76978ADrCAB8yQgAAAIfkEACIAlQAsAACiAHACNwAHCP8A/wkc
SLCgwYMIEypcyLChw4cQI0qcSLGixYsYM2rcyLGjx48gQ4rsaK+kyZMoTU4EAGCky5QoDbZUCLOm
zZs4c+rcybOnz59AgwodSrSo0aNIkypdyjQpQZYNoVJkSZUqSKkGccpEOLOp169gw4odS7as2bNo
wVa0yhDr2pkh3U6t+hSuy7t48+rdy7ev37+AA8tke7CqVMMCD9stKBfxP8eGZ0Km+3hx28dbLQve
zLmz58+gQ/cNk/Fn5dOF4co9rTjh6oFQCWONrVqyXalaYWN+mlhg2t/Ab3oLTry48ePIk8NsXdnq
bMuKX8PWnLil2+eoUUvPPZ1373/Kw4v/H0++vPnzRiVG1oy9OVvKXBdHzp6d9uSM7x2L3s+/v///
AAaIkGndpdZde/AZWCBrt9VG34IFcafbbhOSxwB6GJ7VRIYcdoihRdJFp117rjVYnXUmNlefbXWt
9N2EAsYo44w01mgjRARWVyJl8+moUGOIAcljgvn5dlNdhFXo4ZJMNunkkx5yJh1HU1J545VYZqnl
lqHlSCV1HVVJ05GMLQTlmWimqeaaTW0mJogJcinnnHTWaSdoXvolIYBs9unnn4CmeeeghBZq6EMn
HKrooow26uijkGqZZ197/hfopZgqFU+mnJLV448OWrSnfmBeFKeZnaaq6qqsokVifBxJ/yjfi2HC
yFCruOaq665AkTiZcyjC9yluZNI6HbAnSqZisrN+dxuFLfEq7bTU6vpqgdgV6WtXxVJYZn28zeZt
s7s9qxp4rdLjFTrVtusuWerpxxiLOmYb6luy0WpuuN4de5h31kUq8MAEF7wQbfMOeaCD15rqbL+Y
7WvruBRHbPDFkPqBcZ0/MbeijwwuDOFAlQKsL7+6PQtxwBOy/C6a6bwsM7UI2kZvyPXaXKCs3ypr
K8u93XvyvXDN/C4yRhsVSNJhXWezbAjXLCy3NiXstHzvARyb1bUBXTTTYDNJTtid5vVayXGtRTLZ
bLft9k77vQlYqT9ubPfdeOcdX5Kdnab6EN16Bz6SFoLn/fbhiCeuuHGZLO7445CnWvjklFdu+eWY
Z6755ndG7vnnoL/L+ea7jF55LaZHFPrqrLfu+uuwxy57UanXbvvtuOeu++689+7778AHL/zwxBdv
PJfQHK/88sw37/zzjM4u/fTUKwf99dhn71D13Hfv/fes/gH++OSXb/75kWuv/vrqo+/++/DHL//8
rbNv//3456///pvT7///oQsIACH5BAAiAJUALAAA2ABwAjcABwj/AO0JHEiwoMGDCBMqXMiwocOH
ECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuXMGPKnEmzps2bOHPq3Mmzp8+fQIP6
BCC0qNGjRVshXcqUKdGmUKMG/Ue1qtWrWLNq3cq1q9evYMOKHUu2rNmzaNOqXdsVANu3cOPKnUu3
rt2xEZtI3cu3b8KnfgMLHky4sGGUgA8rXjzxruPHkCNLnkxZrtvKmDNr3sy5q8TOoEOLZtwxcVAU
pFPHFM26dWXVG03P3AG79k3XuHPbtY1RNu/fwO3xszq86nB+yJP/K258eXLkV58zl348unTi1pU7
f071evbp3Lt7/++Ovbly6M3FoyfOfPn28+XJv29fNXhF3/bzM27P3z3W6fJp1Z9/8QX4X4Hu0Ueg
gQQWN6CC6QUIoHPlDWhcfwpamGB0WOnn4YepkQXgiAI2yNWDByJoXoQqQhifgxWWOCGKJJ5oYoYr
kufigrr16OOPQAYZmUQ1bphVdQxymB6OKurI4pM8pugfikfeqCSSRm6FJZYRbhlleiCGKeZgZcEI
43waUvcdeNzRp6aJ6qH35ngXajfenEsyeSaXVU6JpnxIsrmekIQWauihiMLl5ZkHTljigkxCCWej
XrmJHaNfzsgjo9WxqeSGEC76aKKklmrqqYaK+mWWO04aaZLzyf9Y6aesSuodppxmySCJoVrZJ6rA
BivssGl9pmqvgNq4pJRJWuoss5teGiOttSZ7oYGWXttrjdn6N+a34EJlVrdqOktntOW2eV22t7ar
HXt2cliuvJdCx5+g3VL4ZrR1DtoqsQAHXOhlAhds8MEIJ6xwXZSUSiR1EEcs8cQUV2zxxRhnrPHG
HHdMXbgghzzVwiSXbPLJKKes8sost+zyyzDHLPPMNNds880456xzj5/BDADBOwfNmchEH3TXz1Uh
TZXSYTFt1c9QO22W1E8DLVbUUHNF9VpbnxV1XF0HibXSYatVdlZFpz3QP123bXVWTMf9dltzn02W
3WXhvfTcrun/fTXfYgM+mtpp71331llvRXbiiyfONuNfV43V4oY3LnflSV+GdeVvUz02549DnvXn
oVNeeuaORz655puD7pXqpJNeOuuZz05w662fvjrcbsmOe+6/24561oQXjjrvh/Nt+d6P12464snT
LjnzzT/f++3XK9+59dRXLzftjnvP/OWmX9X4+IIjjz34lJOPfejom/9++bXvDrn97W8Pv/jMF1/0
6slDHu9OVz6keS56opNe/ZrHP8m5T3GfuxwDH7hAA1rNgvJzXvoKeL2/UY+CDcRg/EZYwQ5CMHgS
dOD89AdCpPmPaFULIABPyDrLJXCB09td9zhnvRaacIAZ/GAN/7/mNBAK0YbLA6IRXyc9HzIwhD8U
4fBuqMMMSjCCK8SfBmv3Qt4QIiKGE+AMtUbFstEPh8Pb4RNzKMQnSrGKJWxjELv3xjU2EIhBXCLd
IufEPmaRjXBUIwmlSMgfbnGQbgGZN0CUN+1pBW98vN8IzyhI3UntiibM3yHxGMcJ/pGOhuRfIT2p
xE+icYej9GMYl0jBAw6wlalk4R/DJzSX9exoQCsi7MJHy7FlcojArN8uXRc2X7pxfbNDZfCmt8vU
0RJzmJTkHKF4TNcJL5o2TGMgEcnDaiaTmsLrom1qaSq/kRNY5jznwW6pzs6ks52kcqE4YQPPQ72z
nkLKHT73yeHPfvrznwANqEAHStChgTFg80yoQhfakII69KEQZdm9BvWeJx1nX9iqV5vkda6IevSj
+7SQo/xUIBelKVPLAqlKV4pPL1lLWiUdlaooBatVsfSmOB1Wz1xKUpiyyKQ50pVPgfoPhhr1qAwt
U57iRa+YPipQcfIXvN6V06padWWaCqpWIaUlXwF1pFcNq1hNdiufblVDTTXSVyU11ra69VDy6Mqz
Uiohi3aVW7/CVJPeyte+AslcVA1PnaBFLXzx6aKC/ZdfF8vYubBTp0iNrGQnKxCPWfayGqOsZgny
hs16KCAAIfkEACIAlQAsAAAOAXACNwAHCP8A7QkcSLDgQH4IEypcyLChw4cQI0pcaLCixYsYM2rc
yLGjx48gQ4ocSbIkyDcmU6pcybKly5cwL/6bSbOmzZs4c+rcybOnzZhAgwodSrSo0aNIkypdCtSn
06dQo0qdSrWq1atYs2rdyrWr169WmYodmxSs2bNo06pdy7at27dmycqd2xSu3bt48+rdy7cvVLqA
A6f0mxMA4cOInRpOzJjq4sY4BUue7PHxP8uWeWa+DKBz56qbZ4be6dmzztFTUUNVrXj1WtakacKG
HPXxbNFsQ9/+Sbn3WKmYa+7evFuz1tvFaTdOLlz5V+aXnUuf7tx2dNycP4vWXrq5TevZF3f/x26a
fHnD2mXfRM/d9Hj20c9zNm+7fHac4tMLt7//Om724L0333fy/XcffeIN+J5723F3IIHtpQefgg8K
WKB/stnX3Yb+5Sdhh+tpeB6H6sVHIYAZ8kfdiodZ52JzAa6H33WZBWcieRhO+F2IJSaonoQuBvfi
jyXCWOSMMgoZo5JI4phfjzkOKCOITGJ3ZJQKJvjhjh+CVxiGVqJHJJRezlijkWRWeaOVLLbpl5Y4
jundfhayiaWYXKIZIolxCjnnmgb+ieeXyJmpJ41RjmYjnosmelqYjl55JpSQ2ngonLERRyabPg5K
6I5yInqmn1e6aepWIK3JaGkelqqopKzS/xeqp39yiuBnlgJKY4Qj6tYgfuPlOWugxEKo4ZGYFhue
j4B6OimykBbrIa7e0dogtaCKeq2Dum4LJqlOCistb76VW66qiD4K5ro3Pltrst3aeae8udI6amzZ
2pnrsI2Cm++Y/V5aLb/v5svskOMGbPC6S8qr7cLuOqusxPuaa3Fv6DKLLsOGfjtww6HWOm+ktt6b
sKsgzqmfnNiGGzK07X4s8HaVzizpwDWzLLHD9XEc7cjs9vxsyw6aTCy3FyctmL501ofZ03xOe22P
WwoILJ8dAqhxrB5XKKKvD9IZ9K87S83u1FQGa3aNRK/KLb29ehnk182WSjba85Wptt33rf+NLYO6
lv33TEoXHtOp00Fnl+JbMZ6Y445fFbnDWGmM+OWYZ/7vcnlNThjjnjt23HNna85TA5enanpuyq0M
V+h9gX5X6LAHS5PhuIu1+u689+5c7sAHv5HvxBdv/PHIJ6/88sw37/zz0OukemqMqQb548jD/rzw
3HdPEmituWW9VcVpb1xtrDce/c9PDSSB0u97L39I4GOvruiIMWd++tE7Dtgcc5ifAGESnpodq4Dx
gdPXXNe0/wBJRctCW4AOaKEueQ2CapNP0VzFKwRG0IMwepKBFuhAvI3KbBfcWgIliMEDTaiCTtOS
1nb1wJsIBoABHKAODQIcmUkJXjpa4bj/fKKjnUELXGVL1JIQ1jV6SWljRbLcyThIM1ExMYg4y9AR
CfajMmFJiyUs2RWfOEYvNgaH6zuewhQ2MZKVTlx1E9S8VFg3NsYRZod6mMh85S9NRYtiecyirULW
xy8OcouInGIU3bgWNmwFjWnsHavk5sM2FvI0WDOiGOu0LCDO0Wbbmpa9lPWrMGWyk1NKGcVixbYL
cYprrgQkrGznxkJOsolai5Cp5hBJ3vFxkLLkIuVqaUhGBuqXw6pjwSAGKmvhzJbnU6Ux68U0viny
jsMkpjBvRkqR9fKbb1ljJQNHsrdFMZgrE5rKYBZMPaoqYlnDZZM6pUV1ouyPxLSUOQ05/yh0arKY
l7zmKBUpRXAaNCqpsloCKejKOAJON9RaVMtSRMN6MZRXY+zbnpxGTsrxB1d/CykDKenQhj70XxmM
IUXtFbeNWm5BJGSY2ziKnR3aVIBETEtBW1c/9XFlf8TT31tuStTJkA4tzqxOT7OyP6D6TqgHjWpj
pocvr9CSRcm5quSOA0GpZvNLbimqWIHn1bKalXBjTataNXLWtrr1rXCNq1znSte62vV+d93c1fLK
1772cpJJ1UxXZ7cXM6ZydNV7ymxgk87h+PWxbdpXTq3ZPMPqdX20YxtkNwuZ6SlJpZfdW3scCFoU
paxaIwXcCMXUwYVOrZ/G8uApK+Rab//FtrYhlKEJUbgh94wUtyyrKD4ReNW1Gve433tlMu0m0SoW
MUkI05QX4QmkI8boaFPyVznDiE0lwqqLeGxnnDi2peAmkYnFRK561zu8Q3YXbOPN6MycGVjqyjGZ
IGtmHrWrTG4OMZFfFG+6PsVNRn2yjVcyiArYy+D14nGhKoLvgDPKynFSzY8AhppqJ9xNFcKTtgEt
2TL/mzasmRKZ1TTwLUV839s1+MUDXCp/vdmonAm0wyhl5oOBuans7neZ7bSvf7GJXp/tEaCLRPFA
v8rZJrfvIw/+pzYpiUQjvmq62ZooNWt8Wv0Ssp49PpqQq0niMvrYifuiciWXnC4Yu1mQfjJGLQNl
e8AS19DKYO0qTN8bSzB7NEWlFSl+JyrBdykUb8LdbdiWy7NC96mlTHaypCMD5diRb0VOxd9SXVO8
N4v1Gmk1leyok2lNm5rTk0519Kiql1EnrrCDRbViS+0XT9v61rj+iGdyzete+9okqiYfrYNN7GJP
5dfITrayl83sZjv72dCOtrSnTe1qizUgACH5BAAiAJUALAAARAFwAjcABwj/AO0JHEiwoMGDCBMq
XMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOK7PivpMmTKFOqXMmypcuXMGPKnEmzps2bOHPq3Mmz
p8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKndryA9WrWLNq3cq1q9evYMOKHUu2rNmzaNOqXcu2rdu3
cOPKnUu3rt27ePPq3cu3r9+/gAPTHUm4sOHDiBMrXsy4sePHkBcLnky5suXLWCNr3sy5s+fPoEOL
Hu0Rs+nTqFOrlkm6tevXsGPLnk0b8urbuHPr9lu7t+/fwDMeCE68uMTdyJMrX868ufPn0FMbn069
uvXr2LNr3869u/fvnBeB/x9P3ri18ujTq1/Pvr379/Djy59Pvz7J6Pjze12lv7///wAORUmAS9ln
4IEIJqjgggw2iNAsDsZH4IQUVmjhhRhmqGFmEW3oIU0RhgjchySWaOJXx52o4kkitsjdij/1089z
LtYY20pXsCTjSTua1GNJMs7oY5BE/vhPkUAKyaOSKBGZZJFBqgTlkintaGSSUiLZ5JVHOtkllFxu
uWWYT4K5ZJRDMvnkmUZOmSaaY7bJpJxYwmjnUT962eWZK3EJp5Vq7tlnoILqqGSegQKqZpiIjilm
nUPCpKWgZFLp6Jpfzonmnz02Cqmch3YaqqeV3mkqT6KKSiWjiRLqJ6GQWv9qaKSxYqlnobIWCiit
s7qkqKuw8iospXBmWquqn4aaq65CeunpqdCydFyqzWqK67Bkvtrro9s+G+mutcbaqLdZvgRuuS1d
yeqeqp67qrLJDlsntfH+Y+O9rdlEL67uYgsrmMVyu2yV8F7L7ozkiqssndvOWmmp164L7q4SF/zs
usQia3C0HN80McLWYixvuA8D62u1A38cLrPvxonuydkG62+5+/ZrK8q0Mvyoygl3HG2KzhabsLr/
ttrwyGwuavS4wN7as7YxBbwxwQJ/W227Jk9aptIvB80wvmATV+bYb0pN9KBUo512rzpbzebLcUp9
rMwuI732yucyTTPO81r/u7bXfoctuG9kO12wvCLbnXjXh9/89t2yxlx1upzKBHXORc9dL8szv0l2
SoOHPhumpJ+dst6TjwyxzgwTbTLkeRt9srFTq80nppJ/mabCvJcO6u11ii78a8K2HXHRm8pO8OW2
J6sn86pznenrMCOqNdxJD6yw0FybvjXcpg8vfmI+40l3+eirlmL6kp5/2/iQHXLvSgKwrxPE9uev
//789z/W+v4L4FPgJyEBGrApBNTOARfIwNysj3taM1PD6ASw401PbgADVamYF8GlXS9uTUsaqzR1
K0NxD3JbQ5K2Kvg97PHLcKnTXsbMBLUeJTA7ODnh7l6Yuc/ZrF74mxynwYLFOuuRDGSKa5zuiue6
yMlsiKRb2bJW2MONBSxVO/Re83Y4RdkFsYFKARoSNWdBtQVNiqRy3+li2LcuHpFzjBMTuShosSdK
D4aUE+IY2fi4NjrRbrTrY+csZcMbXsdje6QiCvuGrJLBMWrSY6PGKka1nm3OcW/E5CNTRzElVk2R
i6zkwl5nSTdCr4ZqBKNXYifKUNbsah0k4Qc/Sb0sGU+TbpPiJlnJLV7WjpKlJOO73IQ/VmIsmL07
ZQZ1qUqmBAQAIfkEACIAlQAsAAB6AXACNwAHCP8A/wkcSLBgwX79/iEcuPBgwoYEIToUiLChxYoY
I0rEmNGgxokGJYas+HGkwoQTIYoseTIlypYgW6p8uZLhy48LZ3pkSfFmz5McUdZ0aRMmSJ07iypd
KTJox6FJo0qdSrWq1atYs2rdyrUr15w0fcoUOxTsz4tRSSq12lSs0Z1tPZol+tZk3bFr186FCfUu
Xr5ued7dOxIq2r8xCSdFOtgnU6GBvUqeTLmy5cuYDdrbzLmzZ85GD+MkG/mpWr82b/aV69jt6rgm
HwN93ZGl6KVhe56G6/phbtoxi65GrVPxz7ORbTsN3vj45+fQo0ufTr269evYs2vfzr07dK3Lm8v/
5n2RcezcV2Ezt5tXOGnAaSE75Hi8ZPjb7EdrBC4YcXzW+/kGIHJUlfVef/hlpuCCDDbo4FbahSaf
fa3FVx567CUo1XjtDShYgnsZhqGE9dWHlHn5wZdacnXJNpxfG6mlnm5VGZgihwN5p+OOPPbo449A
cpdVXDFOSONiRXZoopE1khYWi409mddtNuJG15FEqlbaTEwCteGBx9WEYnsycjlfk7zdeOCLD7bp
5ptwZqVdlvStuBuSPDkl4GhBfUkemwbeORuKYlZIZ20t7qmknQiyWGhteuomYn51nvkloiVmOl5D
QXbq6aeghgpknKSWauqpqKaq6qqsturqqxG+/yrrrLTWamuc9vzjHSei9srjKb4Gq+OtxBZr7LHI
Jqvsssw26+yz0EYr7bTUWiXstdhmq+223Hbr7bfghituj9WWa+656Kar7rrstuvuu/DGK++89NZr
77345qvvvvz26++/AAcssIPEDBzvuAgnrPDCDDfs8MMQf2vwxBS/60XFGGes8cYcd+zxxyCHLHJl
EZccJBAmp6zyyiy37PLLMMcs88w012yzdCNbtkrOk3Xh889AB83z0EQXbfTRSCet9NJMN+3001DP
KkvUVFddsT5Wm3rz1lx37fV0VXwtdqdZl2322QyOrfbaCQ/A9ttwk422u87Mbfe5ceet99589//t
N5Cb/C344IQXriME1CXLBht3N+44vSsvzobh3YpB+eWYZ36t5Jp37vnnhUcr+eOklz4tzZyDrvrq
rLee7eSuxy777LTXbvvtuOeu++689x6utNMRhLPppvuOMPHIJw91rNAGn2N0UgEAwK3Ta1V9g9eX
On310i+YffZJgd/s9roaL+6p3TMrvfj/sL/V9e5fRb5A4Mff/kD1Xza/9eFbRb79k/keVQT4vv5Z
xn37U15XtLO+9REkfVWBoEckeBnnCQRnCKwMAPlHP/nh70EbNKBX/oe9Bw6QMvELoQcneD/znQ8r
EKSg/FRIK+45sH3pu+H/uhfDHPKQfj6kIPf/Org9HuoQh0I0Yg6BWL8g4hB/S2yiDac4RSYS8YZI
3IkOo3i/LlbxflQ0YRat6EUwYrGBBXHgFr+4xieSEY1jxKICJ8PA79mQifCDYxB7iMci5nGNfCwf
9J73nSES8YNX7GAZTQi/LoIRkYoc4v4aOUkxOpKEBqFkJNP4SEhe8pPsw2QnRUhJQxryg0tU5CFX
+UhJotKTBORkI1fpSlZW0iMuZJkEfehGI2ZSfLzMohqLCMUxFlOQ3yHkcxY5Sk1u0otqfKUtGdnK
Tx5ylqrUpAwbOD9TRjOWoJQmHpvpRi1CspKYRCM2BehMM4rzlkCEZTT7uEg//tCW7MsluLKy/8s7
JvGXAO3lHZ/IRxli5pTwvGUtydlOdlZzneQ85zvBWc9wgrOh1qxmNjOYTYsyVKLv9OhHVVlMiGLz
mQkM5wNpOMep1HGl8UTiQGEq02Da1J7DjIoFkfkZZibUmgtFZ0gtGdRXntSkllRpURMYS6F2FJ6O
5ORTiTrVjobUmaKE6lAj2smlitOTPNUnxPoZ05ICk5gxvWk8t2m/nUpnnqOMIyK9yUs2gnWW/jTq
XYUqxzei9JtpdCJQw4hOg5L0iCCVaVThGMkeIlShcjxjGAVqysYidK0yFGvKAklQf56VsmkdqC8x
G1C3DrKl7mLpqTTbLX5yk6aMfS1ltxja0AzSNrCorVhfc0utgAAAIfkEACIAlQAsAACwAXACNwAH
CP8A/wkcSLDgQAAIExJEKDAhgIMOGz7855AhxYkWM2KMeNGgRYMgQ4ocSbKkyZMoU6pcybKly5cw
VSqMSbOmzZs4c+rEaa+nz59Afe4cOjIoUIJGkypdyrSp06dQo0qdSrWq1atYs2rdyrXrVgBew4od
S7SsQaZIx6pdy7at27dw48qdS7cuXLN4BaIdaLev37+AAwseTLjw3byIEytezLix48d6DUueLBmy
5cuYM2vezLmz58+ga05cOTq0RNMjPxYsjRqmasasW8ueTVvzw9GsYy88mFg3St0cU/NOObMicY/D
TQZneTu565K+S8+8iPv18YXTReKWqbq69drgw7f/nCq84XWKsmP7Drme5Pbdv5GbV36zfUv76D2+
R799v0z4J+HH3nAfbUfZgQgmCBRG5t3GEEcOvqZQcNlR15FE3mHIIIUVFtedfhlOiKGG2gFYoYUo
jshhbiBC1FyD/Fm4UYbYhSihRuolxyKAI1LnnXQtqvhgj8utpiNvCiapZFukzdfcfk86B2V+VOa3
oXMxwtiflLwBl1GXJlL5YpVY5nikmWKmWeN8WbLpIIxwtjkgkEbGWaeaF542J5hsEsmnm2n6xyWJ
4hVqaEpTRRkloGPSGehyDPIHoYha/unomCBFOOSZlsonZXZb3tlfkV1GdGmgpU7o5aZ9MjqgizuW
/0lpm9H5iGmotHoKqHlL9uorV00qiueiVU5Zq5Vk4kpso2G2h2mxnQqKpn+4Hmnnnjwqi6p+zfLo
aqbgenuqtuDGum2u3g576LrsgkTee8xW2qexg14ZJ7P4DionctVqS62u/16rrqDRdnsvntDaOS2Z
WCJ7MKcP8/vnufG2uit6v2asMZPwnraltPF26GSPPqIKb4dfrjbdyhpZmXKxEKp8Y6Qqq4lygTjP
GPKLHqrXs54uWpxidzmDuDPRRRPJ88vSTapzZBtHLbVW7dJX9dVYmzb11lyTl7XMX4ctNmZdl63x
2GinrfbabLf9ktduxy13oWbXbfdhNYeLtYCNff9HFN/Q3Sm4S34DrtndiCfeVEwLB3jicQSLBlvg
eg8toXamOl64kWgS7qm5Ohk+9+ikUx6m1ZKXJXrq5eVNMUTuNfwqw8nO7rmoiq3u9hClh/0ujmuu
OLjl+T65Kcu5MS1k0ivOGKSMM5Nsbe37fo487qN+6bzw+/4cdMwpZtkzjcbTGen1iqevvlD/CUxv
q8VNPOrB1VrL8+kFR8x5uvVPX93IrSPXt3JFrNddzn2c8tIA8UUzAsGPdr2LYNj6ZyxSNShzECOg
qXy2Mn09zV9FwqDF+jcvkRmnRIyCVPzoJ6kziTCD/muhqESYrxHG6IO6kyBtzBBBCsIQWx40YKb/
HIU/IbJQb7f6HASBIzj7vE9XQvxf/RbWOFqdymDo2o2w3JRDHXpRMYma2MUqtj+F5S+LCUNWA/11
xnHxT4wNo9kVcae/WBVPi2f84cCylcEa0q5j8/qHXfCxvkJWZoU1O1nykoYiGnpMaRzc1aw+SCDv
1ch5efLT85BGx05iMo6q0l4jK9nAoP2xeAeEJPmw48lQQs2QsOzaF83SxVmCppa2zKUudfi4XYoH
l74MpjCHScxiGvOYJIEbMpfJzFg601dfIyJkungs1IXHbwHKSzXxyBxgMvOb17SmN1mXrspJC4VN
it1L8BM5dI7TdMOrnjXBSU+1CUiaj2EiPNtZ/7nzoPM+8DzPO9UJRYHNs54IRcnvMKkqQjXyeg/9
pAqVt6aSNSt+DIUkySZq0UVNdJURQhilzoej7X1qWdKDHvNIqUpYySyjMJWe95rzzJomKZ3fshcB
4RgxMgqwjGlk4AB7KtIEyrGIMpyS/Y6YRTfWsY/nAqpPC8ail+HvTQnN6joNplNNCdWlP5rqyDgo
1p1qaGmsMk7ATDY9m02SmwmU1FuBZEc4nXCMBmxaWovKQkoCLYYD1WrvwnC7nDJ1jH6s61LrutbE
ShVhfGXrxYwILcbeEHtwlaTDlMhUKbYRi1vs3hyfJdjSipNPXX3dZ5862QWCdo8CLOvH2srGB/82
0YGHZZhSI1vbyq7WtSjt3BNNi9CFanJDEM2eSy+EPL3is2Qg26teneShjaJMsg61KHRZKTSKjpK6
caStdfZKvJCSSJGLjOl2UzpdKtn0vQfCS2BpMt/a5LC+8SSufn2pzPhsBr+zuS8tEwpfpQyjwHbZ
r4IXzOAGO/jBEI5wTJS5OgBzq5+NQbBksqHhDnu4KlvtHE+R2j6kWhiCEk6xivdmu/zKjjmcRcyJ
V0zjGst4pA8aUvmOiuOngS18oSQpXVvqJ/Pa+MhIXkwY5cXFzlLWqVeVp/JAKLQPW/nKWE4QTo0H
2M/+1IeuGi+sHMvPJJt5dDO+zJKtuEcnfxlKjk/8kG3NSrss2/nOeE5Sv9pMZ8fqcbijfTJ88kzo
QhvaK93UMc4elbONuOyoFVXgx1IZ0VXCDsVnzrSmVdJfNMPk0KAOtaidEhAAIfkEAOb9lQAsAADm
AXACNwAHCP8A7QkcSLDgwH8IEypcyLChw4cQI0qc6BAAxYcGM2rcyLGjx48gQ4ocSbKkyZMoU6pc
ybKly5cwYwq8SLOmzZs4JVrMybOnz59AgwodSrSoUYQEjipdyrQpRplQo0qdSrWq1atYs2odGWur
168mnYodS7as2bNo06pdy7at239g48qdS7eu3ZCa7urdy3fq27+AAwseTLiw4cOF+ypezLix48eQ
I0dGTLmy5cuYM0OEpLmz58+gQ4seTbq06dOoU6tezbp1RMmwY0ulovKX7Nu4c+d2zbu379/AXese
Try48ePIkytfzry58+fQo0ufTr269esfg2vfzr27d7fYw4v/LxlhvPnz2b+rX8++vfv38OPLd7hl
vnb0+PPr38+/v///AAZ4m30EFmjggZUJqOCCDAZYXl0IRijhhBRWaOGFGGao4YYcdujhhyCGKOKI
DDVo4okopvgSiSy26GJpKsYo44w01mjjjTjmqOOOPPbo449ABilkRi8WaeSRhKGR0JBMNunkXUhG
KeWUaT1p5ZVYVkXlZ6Zs6eWXYP7UpWYZhGmmUFmmqeaabLbp5psBhgHnnHRCduadeOap5558RiiD
UQKCs6Y/dRbql33ggNMncIwwsuijYiWqKKS8NUppcPslaih1jW4KYCHQSeqpdJ2Oit16iV7am6Wq
thpUqq6yHsZqrPeZ2tEptuaq664x+cLrr8AGK+ywxBZr7FQBAQA7
------=_NextPart_000_000B_01C70785.7A5EDAB0--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAE1J0TG065215; Mon, 13 Nov 2006 18:19:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAE1J0Bw065213; Mon, 13 Nov 2006 18:19:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from dmzraw4.extranet.tce.com (dmzraw4.extranet.tce.com [157.254.234.139]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAE1Iwn1065194 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 18:18:59 -0700 (MST) (envelope-from ron.ogle@thomson.net)
Received: from indyvss1.am.thmulti.com (unknown [157.254.92.60]) by dmzraw4.extranet.tce.com (Postfix) with ESMTP id 6AAB78D62; Tue, 14 Nov 2006 01:18:38 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1]) by indyvss1.am.thmulti.com (Postfix) with ESMTP id 41E941237; Tue, 14 Nov 2006 01:18:38 +0000 (GMT)
X-Virus-Scanned: amavisd-new at thomson.net
Received: from indyvss1.am.thmulti.com ([127.0.0.1]) by localhost (indyvss1.am.thmulti.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id CG-wGuB1zsZX; Tue, 14 Nov 2006 01:18:30 +0000 (GMT)
Received: from INDYSMAILCS02.am.thmulti.com (indysmailcs02.am.thmulti.com [157.254.96.3]) by indyvss1.am.thmulti.com (Postfix) with ESMTP id 8BB7A1216; Tue, 14 Nov 2006 01:18:30 +0000 (GMT)
Received: from INDYSMAILMB03.am.thmulti.com ([157.254.96.81]) by INDYSMAILCS02.am.thmulti.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 13 Nov 2006 20:18:30 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: PEM file format rfc draft request
Date: Mon, 13 Nov 2006 20:18:29 -0500
Message-ID: <08AD20EDD5C44148842571F730597F8401295626@INDYSMAILMB03.am.thmulti.com>
In-reply-to: <p06230904c17eb25c83ad@[128.89.89.106]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: PEM file format rfc draft request
thread-index: AccHfeB5mjmqgYlWRL2BXYbRyVNsCwADATzw
From: "Ogle Ron" <ron.ogle@thomson.net>
To: "Stephen Kent" <kent@bbn.com>
Cc: <ietf-pkix@imc.org>, "Dieter Bratko" <Dieter.Bratko@iaik.tugraz.at>
X-OriginalArrivalTime: 14 Nov 2006 01:18:30.0324 (UTC) FILETIME=[CB6E6740:01C7078A]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAE1J0n1065207
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I agree that the original PEM meaning is as you state. I have no idea
as to how it got skewed with these new meanings for public/private keys
and certificates. However, it does now exist.
As for the relevance with PKIX, the "PEM" format also describes the base
64 encoding with MIME headers for x509 certificates. Also, many S/MIME,
SSL, IPsec, and other cryptographic standards that use x509 also
recognize PEM formatted certificates/key pairs. This is how I
discovered the problem in the first place.
If not PKIX, then where?
Thanks
Ron Ogle
-----Original Message-----
From: Stephen Kent [mailto:kent@bbn.com]
Sent: Monday, November 13, 2006 6:45 PM
To: Ogle Ron
Cc: ietf-pkix@imc.org; Dieter Bratko
Subject: Re: PEM file format rfc draft request
At 4:56 PM -0500 11/13/06, Ogle Ron wrote:
>I would like to know if the PKIX working group would be interested in
>shepherding a new rfc concerning PEM file formats? I've recently
>discovered that there is no definitive standard for how a PEM's headers
>and footers are defined for a private key. I've searched the RFCs, and
>ISO standards without any luck.
PEM formats were defined for e-mail messages, not files per se. I
think RFC 1421 defines the last of the formats (we had a few
iterations) for PEM.
>The issue that I discovered was when I was working with PEM files for
>PKCS1 and PKCS8 formatted private keys under OpenSSL and some Java
>toolkits using an IAIK implementation. OpenSSL expects PKCS8 PEM files
>to have "BEGIN PRIVATE KEY" as the header while IAIK uses "BEGIN RSA
>PRIVATE KEY" for RSA keys and "BEGIN DSA PRIVATE KEY" for DSA keys.
For
>PKCS1, both expect "BEGIN RSA PRIVATE KEY".
it looks like folks made this up! PEM describes how to transfer a
symmetric key encrypted under a public (RSA) key in a message, in
1421. It does not describe how to transfer a private key, because
one would not do that via an e-mail message.
The term "PEM file" with regard to PKCS #8 is a misnomer, relative to
IETF standards. Since PKCS #8 defines a format for private keys, it
is not relevant to PEM, period.
Given that PKIX is a WG that focuses on X.509-based standards, it is
not immediately clear that a document on how to use base-64 encoding
and MIME-style headers to represent private keys is within our scope.
Steve
Received: from 20129194166.user.veloxzone.com.br (20129194166.user.veloxzone.com.br [201.29.194.166] (may be forged)) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAE0tGem062408 for <ietf-pkix-archive@imc.org>; Mon, 13 Nov 2006 17:55:20 -0700 (MST) (envelope-from gxeclexj@veloxzone.com.br)
Message-ID: <000301c7011f$e07d4af0$a6c21dc9@barrostu327chq>
From: "tam" <gxeclexj@veloxzone.com.br>
To: ietf-pkix-archive@imc.org
References: <000301c7011f$e07d4af0$a6c21dc9@barrostu327chq>
Subject: Re: WWW wykrywanie spamu wirusw
Date: Sun, 5 Nov 2006 19:17:51 -0200
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0005_01C7010F.16481B30"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
This is a multi-part message in MIME format.
------=_NextPart_000_0005_01C7010F.16481B30
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0006_01C7010F.16481B30"
------=_NextPart_001_0006_01C7010F.16481B30
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
----- Original Message -----=20
From: ietf-pkix-archive@imc.org=20
To: gxeclexj@veloxzone.com.br=20
Sent: Monday, November 01:09:02 PM
Subject: WWW wykrywanie spamu wirusw
Redakcja Forum Kcik webmastera Reklama Sownik Wirusy Bios praktyce?
Enter getdatestr in Infoserwis.
Cm dugoci Intel zwiksza.
Konta nowymi mb of poczt www wykrywanie a spamu. Adowania am strony =
artykuw.
Podwoi zyski a iii kwartale Nowy serwis Gadufun Jeeli of.
Vogel Burda sp oo is Wszystkie prawa. Praktyce Linux is spka. Zobacz =
is Ankieta am Jakie zmiany stronie of enterpl.
Praktyczne a porady dotyczce ochrony.
Nowy serwis am Gadufun Jeeli am tworzysz in swoj wasn. Konkursy or =
Ksiki Ankiety Pocztawww is Redakcja Forum.
Wiele innych Uwaga Praktyczne porady dotyczce is ochrony. Online =
Zmiana a nawigacji am wyniki?
Konkursy Ksiki Ankiety or Pocztawww Redakcja Forum. Stronie enterpl =
uwaasz potrzebne Szata graficzna dziay adowania of strony?
Online Zmiana nawigacji wyniki Najnowsze wtki Konta nowymi.
Domen Personal email a gb Business a Server Patronaty medialne.
Kcika is Znajdziesz tam kurs Html oraz of podrcznik php. Konkursy or =
Ksiki Ankiety Pocztawww is Redakcja Forum.
Enter getdatestr in Infoserwis.
Powiedz gdzie oni osb za. Artykuw Mniej reklam Kursy online Zmiana =
nawigacji wyniki Najnowsze.
Konkretnym uniksowego wiata. Ramwki pierwszej polskiej am telewizji =
granej na.
Kcik webmastera Reklama Sownik Wirusy Bios or.
Konkretnym uniksowego wiata.
Galerii zdjciami Linuksem in systemami rodziny?
Acxiom dla Centertela uke is.
Intela am Tsmc buduje nowe of Faby amd deklaruj am dobre stosunki.
Internetow lub po prostu pragniesz zapozna si.
------=_NextPart_001_0006_01C7010F.16481B30
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"pierwszej" hspace=3D0=20
src=3D"cid:000401c7011f$d9d0eb30$a6c21dc9@barrostu327chq" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color:=20
black"><B>From:</B> <A title=3Dietf-pkix-archive@imc.org=20
href=3D"mailto:ietf-pkix-archive@imc.org">ietf-pkix-archive@imc.org</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A =
title=3Dgxeclexj@veloxzone.com.br=20
href=3D"mailto:gxeclexj@veloxzone.com.br">gxeclexj@veloxzone.com.br</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Monday, November 01:09:02 =
PM </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> WWW wykrywanie spamu =
wirusw</DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>Redakcja Forum Kcik webmastera Reklama =
Sownik=20
Wirusy Bios praktyce?<BR>Enter getdatestr in Infoserwis.<BR>Cm dugoci =
Intel=20
zwiksza.<BR>Konta nowymi mb of poczt www wykrywanie a spamu. Adowania am =
strony=20
artykuw.<BR>Podwoi zyski a iii kwartale Nowy serwis Gadufun Jeeli =
of.<BR>Vogel=20
Burda sp oo is Wszystkie prawa. Praktyce Linux is spka. Zobacz is =
Ankieta am=20
Jakie zmiany stronie of enterpl.<BR>Praktyczne a porady dotyczce=20
ochrony.<BR>Nowy serwis am Gadufun Jeeli am tworzysz in swoj wasn. =
Konkursy or=20
Ksiki Ankiety Pocztawww is Redakcja Forum.<BR>Wiele innych Uwaga =
Praktyczne=20
porady dotyczce is ochrony. Online Zmiana a nawigacji am =
wyniki?<BR>Konkursy=20
Ksiki Ankiety or Pocztawww Redakcja Forum. Stronie enterpl uwaasz =
potrzebne=20
Szata graficzna dziay adowania of strony?<BR>Online Zmiana nawigacji =
wyniki=20
Najnowsze wtki Konta nowymi.<BR>Domen Personal email a gb Business a =
Server=20
Patronaty medialne.<BR>Kcika is Znajdziesz tam kurs Html oraz of =
podrcznik php.=20
Konkursy or Ksiki Ankiety Pocztawww is Redakcja Forum.<BR>Enter =
getdatestr in=20
Infoserwis.<BR>Powiedz gdzie oni osb za. Artykuw Mniej reklam Kursy =
online=20
Zmiana nawigacji wyniki Najnowsze.<BR>Konkretnym uniksowego wiata. =
Ramwki=20
pierwszej polskiej am telewizji granej na.<BR>Kcik webmastera Reklama =
Sownik=20
Wirusy Bios or.<BR>Konkretnym uniksowego wiata.<BR>Galerii zdjciami =
Linuksem in=20
systemami rodziny?<BR>Acxiom dla Centertela uke is.<BR>Intela am Tsmc =
buduje=20
nowe of Faby amd deklaruj am dobre stosunki.<BR>Internetow lub po prostu =
pragniesz zapozna si.</FONT></DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_001_0006_01C7010F.16481B30--
------=_NextPart_000_0005_01C7010F.16481B30
Content-Type: image/gif;
name="czy.gif"
Content-Transfer-Encoding: base64
Content-ID: <000401c7011f$d9d0eb30$a6c21dc9@barrostu327chq>
R0lGODlhcAIoAof2AAwCAHEJCwCOBHiNDg0AiosAiwB4jrrNwcXbvpvQ5z0tAF4rA4AYAKIfALUg
AOASAAdGDiU8B0NHAGs9AHI7AJpCAMU9DtM4DABgCyRYAD9SCGpbAHtmCqdUALVSDOVrDAeMAB17
AExyAGGAB3l8Dat4Db2NCtp3AACRBCimCUiaAFmbAI2jAqCtA7mcCOupAADKAyOyBz/MAGnLAIPL
AJLNAL/BANXIAAbnABbtADHeAGjjAHrWAJveCMDUAN7RAAAAQC0ASTMAR2cATocANZ4ANL4CN+kM
NQAoNSsnRkwoSFcsNXQgNaMbN7koSeQZNwBCPyI/Sks/Q2I0Too6O5dMP70+RdhGNQVeQSNhNTRj
PFZcNXNhAapYQsRrQ95TSACNNSVzMUJ7TGKAR456TZuEMreGONWBNQCTSRWoRzyeM2WhPIeoRZOU
Pr6hStujNA7IOR26Sz/EQlG9PYW9Nq7GM7zIQOLNQQDmOiHlTEHdS1LaTovTQJLqNrbiPdjsNAgI
hiMAfz8Ag2YAfIMAh6MAjbcIhu4MfQAUgyIlfEQfd2UufHMge6UrhbcrgdcpcgBGfSlJjDY3iFQ0
gnJEjqI8ccw2e+dIiABffS5RjExsfm1giXtXiJpmd8hpg9lViAB0giaEeDJ+jmqOh3p1h5l8fb9x
htd4jACYhSWacUybgmicfIWUgaygeLOcftmldAC5hh3BeTnFdGnDh4W4hJ7DjbK2fd7GiADrhRnT
ckLahWrngYPngqTiebnkcuXZdgAKxCcOvjEOu2YEzYMJzaMKxsQFzNIOtgontBkdxzkfvW4hvYYW
tKoSwcMRtNwqxAZKxCRFwTs1yVQ/wH43ypZLtb40uOlFtwBsshldtEptyVpdznlkxaVbsb9hwN5h
sQB6vh14wj11tlJ5xI6LuK51wcqJu+qNvQCstCGovEWiwmqqwIejtpensb6WsdOnsQC5uS3Gwju7
t263zXG6s525ufv1+5WrnnqEgPMAAgj4C/z6CQAA8f8A9AD3//fz/yH5BAAWAF0ALAAAAABwAigC
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOK7GivpMmTKFOqXMmypcuX
MGPKnIlyC82bOHPq3Mmzp8+fQIMKHUq0qNGjPEcqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evYMOK
HUu2rNmzaNOqXat16CakPyvAnUu3rt27ePPq3cu3L9Fy9tgKHky4sOHDiJX6Xcy4sePHkCNLdgxg
Ml+z0xJr3sy5c1cAnkOLHk26tGmKoE83tMy6tevXsGPLBlp59lzVuHMvzaVbNJ+MqXsLH068uPGR
wY8rX848Ma/mGpNDn069unXN0q9r3869u9bsxvt6/7JNvrz58+jTq3/pvb379/Djy59Pv37U9fjz
69/Pv7///wAGKOCABBZo4IEIJjhbFAo2mJN9EEYooUWEqObghRhmqOGGRk3o4YcgEsfhiCSWaOKJ
KKao4oostsjTKTC6KONKlsxoY4BqwXhKiDz26ONCenFxI04CDGnkkf39qOSSTKKF5JNQRinllFRW
aeWVWGap5ZZcdunll2CGKeaYZJZp5plopqnmmmzOpUObj+EB55x0ItXknXjmiVWdfPp3QJ+26elj
G4IWelUMhk5IaKKMNuooRIs+KumklFZqqUWAZqopfqds6umnoIYq6qhqXmrqqWAhgOqqrLZqFamw
xv8q66y0ItiOka7mOhUVuiYES6/AqpVPsMQWa+yx9SmC7LLG1urss9BGK62zzFZrbWjT4gVJttx2
6+23GF4r7riGgWvuueimq26J5Lbr7rvwxivvvPTWa++9+Oar77789uvvvwAHLPDABCf2TsEIJ6zw
wgw37HCj60YscV0PV2zxxRgXOvHGHA+V8cfIRtxBxySXbPLJeIGsssJ7rOzytQK8LPPMNNfMFMo4
R9ZNnTb37PPPQActtMI5F2300EgzafTSKCfttI9MR03y01RXbfXVZ1XgmQNY/yz11xN3LXZ8RjkC
9tlop612lWO37Xa1d7x9VZ/mrG333XjnrbdO2uz/7fffgJcn98/vHAxh4IgjVbiUgzfu+OMFJy75
5JR/W1vlmJsJwOVQQr5UKPRu7vnouYlO+umlmY766g7VcJU3Eqn+Yea0r7R5l8XSw3pTsg+Nyu7M
9Q788ISB12PtyI+ZqC7E75v88182P6/w0ldv/fXYM0m9U5tk36qUt0Mvfkr0be/9+VeZn7QBVRsZ
/vjwq+Se+ugjbCPn8eev//5U1u9/V/wL4JAgVI7/RU6ACEygAhfImiow8IEQjKAEdbKCCVqQRCW4
oJdYcZuIcABYGTCg2DIjwhKa8IQoTGFFEBcCDbrwhVFToQxHAkMwZYMmNYjYDHf4kRr6MEk8DKJG
/35IxCIasVTNMYIQHXbEJgpuiVCkiBOnSMUqMi6K/0tHSGKSDCpty4pgDKMYx0jGmGDxjA8p41Hc
MCcCqPGNBxJGg9BIRyDB8Y50qaMeD4JHtbGgj4A8yglQtEc9OcNVgUxkg/CnyACmhX6FrFl5GNnI
StKEkpaEnmAgGcmATaB0naTPA7SjHkxm0ks7C1dhOBlKtDzCUfkx5Skl18rEYCJEutPNLHcJE1f1
o5ZL4qUweeKHYTYSmHQ0pjKXycxmMs0IzoxmgpCJRmna5hHWzKaG/tQ5anrzm+A8iBLDKTdtmvNM
u7DSP85JPnIG8UjPYCe03PlOmoxCPbKwRyrlyf/PftKKnjz0ZyABukOBGvSgECSoQhfK0IZiDKF3
dKhEJ0rRilr0ohjNqEY3OkSIkkkcHg3piDiaPZGa9KS1IylEZqHSltILpWJ0qUxnyi++LCAo74Np
0wbDyl7pgaarmWROdZoztfQUqO6azVCfhAGirkmWYJvETxzoVHVFoqqLGYw/kMpVq8iiqw3xxZ6w
6kSwro6saE3r0szKVp8NY4Zqjatcp9bW0c31rnhNV13tepMy5FV/ew2sYE/1V5o8YX+DTaxiF8tY
qBR2JYNcYGMnS9kfPfaymJ1VZTfLWQll9rOg/VRnR/seLKwOCqS9kynsF9rWujZb33htikYm29r/
2hZMOcRVap922976dku79Y4UIvRbMOrjthNQW8I+ENweFjd/zY2udJXz3Opa97qvnS69DqBd/8GR
ENPqInbHy57umve8oyHv89DL3va614BHeK9851sa9aaLHeywL5y6ICD84le/tfNvfgGcOf928ITY
WCiBM0ffE06hwRCOsISBxYYJk27BmGvVUTWjg2pdg1miWiqGW9OrDVt4i7AS8SwbgTtimfjEG6mV
ikfstxmTBxjZZdaLYTyRadmYxnmDqmRU0FseG7mExhPJN5gzJSEDeZoQSvKRByblKR/GSk6GUg6e
nKAscxltXv4y2MIsZv6AqMrxGYOad3uDnqn5/81jMIg8aLpANZf5zjq0sp73HBE8+/nPYroAoAeN
Vz4b+tCITrSiE0Lom9ShZIuO9J4bvTZJK0cUls60pj1DaeVu+tMQVqSQOk3qUpv6P/c8tapXzepW
wzFRv2NoAILp6qKB+tbzrbWtcW0vXcdmA75WK3M6UKg48/rYyE62spfdrlnXN9gnOw7XmE3talv7
Iv28hoBasdZre5uxPgQCtNV61Z1++9yCHbfJ0G2tHS8LzZO2B5mhNe9OD8Td7H4USuqt7n5fdyFf
yLe1miHwjrih4AgXjTESvipoMPzhED+jvydeMgYo8xgUz7jGN36ZiHscoxxfF1gE8XHr+HMdgP+c
7xZKzvKWNyfk6nK5zGdO8+tcoeaagblecW4pnfv850CPDT6e+BXe4Pyrwwm60pfO9KY7/el24bnU
p051g0D96ljfG5HRpgz78huBQWgixsnz9WGqEN617GPZaRUAiq/9lDtEe9W1N/dHyZ0qYq37ae5e
mETQrJJvz7rgiWqOuvGyloWv2jmo4my9O/7xkI88jwb/T8nrifKYz7zmZ9OcCln+86QZgHA2T3qY
gh5PURJ06UsPBjN9kTWIBgNiuudZV7d+9Z+6Pe43pftoJ1r2ANN17yH9+4D5evh4psXET3+n3edv
687PDz3F4ai8z911bRMG87ffLxFwv3G4+L7/+MdP/vKHJfqb6hHfzc8dfLMfOptb//upE/9kh/D8
I0K+TH6Mfs3x3y/dsE/9dyD/1xcBKIADWCAFmIA9ASIk8DMUIDYMyCfzV4GPgyKvN4F70V5RYIEe
WH4qsQ8aiCYfWIJjM4JzYoIquIKV9RoikHHzkCXsJ38suBz11xmRwhbcxXPxR4NRwVw16BU3CB8o
WBTx1yAZkBQGMW0W6H7F4QBMGIQmVxJQWIRq4gBWmCZVuGrOkIWYJYXvMRe3MIZjmDza5oVo2E9C
kIZDoXqxAQOZNRJisFvDgjRzCIaHsQtNcYd4yB182IeIgRRi4E+p8EByCIg5dxSDyIYqcoiIJqgd
f/iIhKGBxcCIloh1kkhKl6g8mdiJnviJoBiKHbWJYSKKzREQACH5BAAbAF0ALAAAAABwAiMABwj/
AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuXMGNe
/Eezps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUr1qcyrWLNq3cq1q9evYMOKtQeg
rNmxaNOqXcu2rdu3Fc2WhUu3rt27ePPq3cu3r9+/gAMLHky4cF96hldWXcy4sePHkCNLRopjstRR
ljNrrpq4s+fPoEOLHk26tOmDg06rXs26tevXsDMCik279tzauHPr3t0SAO/fwIMLj+t7eMwKIjcr
X868ufPn0P8BiE69etLKQI1r385duPXv4MOL/x9Pvrz58+jTq1/Pvr379/Djy59Pv779+z8V4t+/
uLv//xTxJ+CABBZoIH/6HahgUQA26OBCC0Yo4YQUVuhYghZmSNODHHYoEE/5hFhTiPmMKCKJKJL4
j4omlphiiiC+SNOLKK5II4sy5nRjiTaqWGOLN7HYIo8zijikkT2eKGSPNtHYJJIaRimlggoJaaWS
ROKEo5FL+nSli1Dq1OWWWQIpJpc/MvlkmTAWSSSZZrap5pxfbujhnXh+CKeaXa7p5p9AjQlmmTpC
uWSYgBbKo5yHppnkm2hmiSSZk0YaJKQ85qnpdj35WOOeZ6bZZ6g7jXqppIgqWmqkoD66JpymAuSa
o6eEnjrlrbhS6KmNfKb6qp8/xRqrmYnGWKusShabLJCWDgvrolh26qtSbORqLWPEXKuTfrtG+6ic
Sb6ao62hOgnskcaO++ygzFbKLq3G/gnvsGpuaq930tLqbr6oHqulu97G+6+pwlrKa511Hhywqr0y
+eW+2or3SsQUDwUjo9O62W+gYcKbr8DkMkwpwAnL6KzBJncMccUst2xdgheLmrG6GZ8rb81zMhzy
wIm2WTLJOfNM56cqY2qnWmHcq/RXGg9J7MDsBg2ywzg3avPT5D4MrdFDtwqx1sr6urRf34ztUUAA
IfkEABsAXQAsAAAiAHACIwAHCP8A7QkcSPDfv3wI8xk8mHBhw4UQGSKUaPBhxIsVJzqcaBFjRoUb
IXbcCBLjQ4sJNaJUqVEiy5IMSX4k+VJky4gEc+rcybOnz59AgwodSrSo0aNIkxL8prSp06dQo0oF
KnNmVZM1KXrEWrLhSK42QX61ClbrR7EwY5p1eZbsyZspr64EObWu3bt48+rV+Y3p3r+AA+eVCzel
4bVeDcfdqhht47QjFTO+GZZjYcuQMVeu3PJwx8VnP2sUTLq06dNK/aJezXrw1tewY8ueTbu27du4
c+vezbu379/Agwsfnrsv8ePIkyvH6HO58+fQo9tuTb269b+qr2vf3lO69+/gw4v/H0++PHnj5tOr
X8++vfv38OPLn0+/vv37+PPr38+/v3/Zzf0n4IAEFmjggThxhxSCDDbo4IMQRvhdgLbxw4+EGGao
4Yb+KbjgaxZaaFCIJIY44oUnmohRiSaKCJGILC7k4ookvhijjS7OKCOKKaq4lY87AnlRiScOyeM/
RAYJJIs1epQkkxfqWGREUCKZJI5SKuljljAeOSWVN+JIo4o6ZpmikSg2yaWXPYK5JJszXulkkz3S
iWaOcB75pp1V1rmjgQGaueaXgrJJaJo84jlmkF9aqWeiUuL5KIiRQjrnn4M6yqiVfxoZW5xRGpqp
jTR2emipnWZapqGcmnqmmEWC//rjnpY2aqurW0oK5qmLvmomqpyOqqmpsgKr6D8eTnVrq6T+uqux
iDYrqpfH4grpqsvOyqyzpHr6bKW8Pqutt+K6umyxzFLa7ajVkptul91+y2qbShKb56XmSjopt/FO
ye+598Za67bT4usUAMkOBPC4sDkLb6MP94tpwARX/O+u6KrrrsClZmzuxguXG3LFn06aLq8Om8xx
thFfqii6wsZbaLCWXjyzzQWLGzHMOXvbFMIJCzQysLOGOSzEoYJMM7myNj2vyyprjGWMNw8sMdF1
tkixllpbW/KVwtp5p5A7syp2x9HyrDTJGCft79ML9wkylE7by3W7nSoFtHUlY/99J8O9orz1xEzX
+vK1KZ98tptWr9w2y3DTe/KtMb/9N76Wi8wvtoRD/q++4VYerrSZOzpv1bTRya7brXI+ZtS4AcBe
oD03bPbTtHo8+dI6Dwyv6GxfjeqgVQsp/Lgzi7y7nGuDG/Pm1EZb+uMaq+n74HZ7WrfycUfuraqG
i/15rUntzbftfgP+cefLY8+7zFbXCDyTmKtLfMF4r29/7ZTnzG3y7MsX3MBlOjLdLluhu17zGuc4
06UPdbdp2dueJD0Erst7W5EdfgDYtwWmin+2wpvrViXCA0JONhJsXfRGpz9tcbB/0FJfCFknQPRd
MHu9k2ECPVjDdxlvd4qrYG3/UlitIjIwfbfR4Oy60z6G/eqJ4XsgqIT4JgEiCnYzDB78YHg0A14N
eh/0m+g4pzukeY17/Srhq94HRCjiUH8k3FSlWJeya1kwe/ej3vRw6CKjmE87tgOen+ZEtRUWSk6I
NJoDJ0fCHwZxkITUXSNhR0BK5aqQRKJflQjIvKnN8YfQA9sKtZRFHlovkzcSH58C1smxHc+VMHSe
IelXwFe+RokcyqUud8nLXvpyNhT6pTCHScxiDidoRDGmMpfJzGbqMpjOjKY0kYXMalrzmlKZpja3
yc1uevOb4AynOMdJznKa85wS8skHPgCRdbaTnQtZJzwNIs96yvOd9/yHOyOy/8+L1JOe9vynPwN6
z4BiJJ8AtSc+FboVhgJ0oAclqDv7GU92SrSi+SRoROepT44+FKL85KhDOxpS2FD0nQnV6ElJylJs
uvSlMA3Ka/opUJYm1CMrRehEPWpTkJZ0NielKU8R2tOM8hSnQoUnUXsa0Z+idKUfJSlFl0pVkR61
ox7dp061mtWrVnSjPo3qV5mKzrLqpjlc5epTj5pTtg7Vq1CFKlKdGlSLzrOuYp1pV1OKUr069atx
detfd/pTuWLVqnkV6liR2ta2/vWj+4ypZCcbU5Mq1ahrbWpfw5rXzXrWsnTdq2JLatjPPpSwnX2s
YwOr2c2idqyGfe1r+zpav3tmVrVvTa1Zd0sbtF5WrYAVrGlTatC5cta2i8VrbYNb3Mee1q6LNW50
n1tcx4aWrDVtqmJZa9PSihW4n5UocClL3vJKVqqXLSp0OStX67Z2uNKFbG6X+1zZsBa43sUraeG6
VZ/OdrogVSt30WvfuxqYvbltqXkXzODqBAQAIfkEABsAXQAsAABEAHACIwAHCP8A7QkcSPDfhw8G
ESZc+K/hQYYNIz6MCJFiRYcKLWLUeJGjxIwbOz6cKBIhSY8hLY5UOPEkR5cuF8b8SDJmTZMgP6IM
2RLny4wrd+pMaTNn0ZAEkypdyrSp06dQo0qdSrWq1atYs2rd2lRowp4nb2qEmXMoxZkpz5ZFSfZg
WbElO/6cKxat2bQb7Q49CpEvW6A+Z9ZdOxawW7cqjb5lSdir48eQI0ueTLmy5cuYM2t+7BQjWJCH
EScePZd0adNeyeIN3bOwXNeuw4r+izpvY7Vxvx6GTZumT95BUxP2i5fhRK7Ikytfzry58+fKhX/G
XZz43eLXsXtUnRYud73U94L/nr1dcezbOrn3XSxUduvwnh+jtW59s/37+PPr38+//87OX6kFWG1F
DVhfdq+d1h1jo7mnXWGGrQYece+ZVmGAF6lXXmKMRSigfMOxBx9PCkFn4okopqjiiineJRuBIYp2
oG68CQdjhjiFJqCOf5E3I4Ks+babboYNKWFtNS5IHk3SLZlbdu8JhAiLVFZp5ZVYOuffllx26eWX
YIZpX1PtZGnmmWimyZyYbLbp5ptwxinnnHTWaeedeOap55589unnn4AGqpGahBZq6KGIJqrooow2
6qiVF6iJy6OUVmrppZhmqummnHbq6aeghnqmoKSWauqpqKaqaqmiturqq7DGtyproqvWauutuOaq
66689urrr8AGK+ywxBZr7LHIJqvsssw26+yz0EbrpyrSVmttsLNmq+223HbrLVPXhivuuOTm+u25
6C66Rrrsolvuu/DGK6+d7dZr77345qvvvvz26++/Vs0r8MAEF2zwwQgnrDB/ADfs8MMQ4wtMxBRX
bPHFGGesMcDuVEXAxiCHLPLIJJds8sn4AoDycgu37LKuALyMX1X5rGwzpklArPLNPPfss6s7/2xV
QAAh+QQAGwBdACwAAGYAcAIjAAcI/wDtCRxIsKDBgwgTKlzIsKHDhxAjSpxIsaLFixgzatzIsaNH
AB5DihxJsqTJkyhTqlzJsqXLlxhBwpwpsQ7Nmzhz6tzJs6dPljJD0vhJtKjRo0iTEvTiRanTkkGf
Sp1KtarVlUyvaq0YdavXgf/Cih1LtqzZs2jTql3Ltq3bt3Djyp1Lt65dukzv6t3Lt6/ftAD+Ch5M
2O/Xw4iVZu2pLrHjxx4LS55MubLly5gza97MubPnz2gVgq67cLTp06hTY4bM+qnq17Bjy55Nu7bt
27hz697NVoAAt755gw4uvLhxwgCSJz8elvg/58F9Syc+nXp152Kv/8YOfXrz689/k/8FH7679OzV
z2ovj758evXi3ccP/53ve/nnv+cv2739eu7bkTcWef3Rx9yBCMq1XFgLGlcgfdjV196EZkUo4YPR
zSchhQZiKN6DA2rI3oYGouXhhBbOBWKJG6Z4oosfxqhWf9aFmOCNOKLVIFnKNdhjYMox+KNYQ/7z
Y2BGIukjkm9ZV6OFKXI4noj6xQcjfxpGWaONK5JYJYlRophlgNqZ5ySUY9oopZpn1qflfmG2GCCL
dOZoZ4I7EsnkgkH2CSSfTOqZpJJ/CikoXG1CKGKcYb7ZZZ0RvullhmtCmh+Aaa245aVzuimpmmBS
eWGMT4rqnZdY+rcfqHe2ylyehsb/CqihS5a1XK2DBkpXhpTiR+qqdaJ3H4swpofmqR2mKeCUxs6J
qYlWppmsqtTCNyWrcXJ53pmrAjhslU5a6+q4xsGa5KGznovrkefKGuRdp8YrKrbzOhpthYvOO+qk
ztab75eVUhipjCXy6l2j0obalrxbYvkoqwBfS+7EnDmylkLmrksorXsWyjG676pVGsMEZzofwvA9
iuaMBA88Lb6pugexxHRueu/K4nL47Fokoxpxtiuv3NrQSKlVq8butqsuoR4rnae5PHPasM4n+wtz
wTf/S6+cYlaK84g+Uy1wyb0qarKULnMNsLxXT921xGlTLDduRebacdLsCtmj03eP/wV11KCuhx/N
Dh9ctbDcGpz4z8jujPi20R5+9uPMFvge0MiuOazjZkKu7eUljx3w3KS3+rdbp5eOY7aqS8Z667AP
Jlpfqa9Vu1ilxT7b67rbFx/RwE/l1+2A6ZpW7r3HxnvydWEX/PM8MS/99NRXb31oCaWGvGTQd+/9
9+Afpf3skxElSPjop6/+V7Qbr6P72xe2/vz0128/RHa73xbxSo+1faAAzJ+ReCTA+xnwgAhc3474
xyP9mcVc//ObBN23JwaVJYEYzKAGtVK8B27MboPSW8jqhivUEWmAFtQfkE54vRa68IWxy9gH/VSo
d92qbyXc3wkrqEIU+hCGQAyiEGlxlLdcgexjSGwXAx+YQgsKkIUiXOIQp0jFKoIGUEhbmqCySJcV
NvGHE4SiFcdIxjKWL3sNFOERtZjEdJElfl4coJLOEkfjbfCOeMzjTzp4qP6l64ZbxGHf3lJHFFKQ
hQ40oyIXyci2BAQAIfkEABsAXQAsAACIAHACIwAHCP8A/wkcSBAAgIIHBRpEqDDhwoUN/0GU6DAh
RYIYMw48aJGjQo0dP2ocSbKkyZMoU6pcybKly5cwY8qcSbOmzZs4c+rc+dKgT4sXN1aM+HNiUaFI
WwKVKPQn04IUnWr0wrOq1atYs2rdyrWr169c7YkdS9bkxKxk04pFq7at27dw48qdS7eu3bt48+rd
y7ev37+AAwseTLhw4HH2ei4Fy7ix48eQI0ueTLmyZbOLL2vezLmz58+gQzeGqzUuQdKivRpezbq1
69ewY8ueTbt2adQCcafeWru379/AgwsfTjzw7benke8OW7y58+fQo0ufnva42+TX/x061HW7Ze8D
qYv/H0++vHnzJYtmjugYPEb3I+EPlP+eO3zv2/Nz16h/v3b9BOU3n3//DbjcgQgmqOCCMxm1HmT9
7QdgfALWR2B9At1nn3/0uYcfhxJuWGCABNLH4IkopviPJio+BpeDUUEko1RHJWVaeG9NiGFJ8umY
EXgajigkhUICKWKPJe533pJMNunkk7HB6BNDZwVlJUQ35pZjhTuSFKSJRSYZpkkfGligjxle6B2U
bLbp5ptwjqUee0hVCWNGWf5DGpckkglimkQCamCEfgoapoBcIqlnnIw26uijwlVpJVFLqZdZnqih
CaaZ//XH35+DXkghqEOmWWapa0Kq6qpLSsFqbZLa/8lRpQ/iqJyW2Z1qaKBddvmlqD+qSSqguga7
6KvIJqvssnIuJuukV3aUEKbKFRtkn8Z+iq2Rhfoq7JkhYsjsuOSWe156ztLa0JQxAiUpTISaWqGH
nmKr7YD0+llvvZwmKmaLAAcs8MAEx7SpTgdDCGzBDDfs8MMIJpyTxIxRDHHBcFys8cYaW9zdwhyH
LPLIkOnWcJ4pmeuaMyq37NoXLg9G8sw012zzzTjnrPPOPLP0Qc8YvQtwrUAXbfTRX+kmdNBEozun
TkKj/FRG08Zs9dVYm9sUSkur1DVNUZtcI3tZl2322Y6u++DTNc5Ikqzsti133DRWfStTzj6F9t58
m7nrDqMXCX0nlUONtPRDgyOe1FlY2gNIdh9VKlLflFdueXNutxst1RV1ffisDFG6+HooM74Rrpen
rrqyjdhzy3SWgiSt2jN6TqtTjM8eO7S2Qr51uwetLvzwxP8VOud1zh4juscrnlTgmYV9t0iSH1v8
9dhnr9bxTK8bFLu8dz866ONvPmnj0z9Vvfbst095Sp/XLVX43AMPLdvzR0Un/PmLxFjTSAugAAfI
PKt8rSYABEsCCcjABiIoIAAh+QQAGwBdACwAAKoAcAIjAAcI/wD/CRxIsKDBgwgNAgCQsKFDhQwf
SnQYcaLFixQxatzIsaPHjyBDihxJsqTJkyhTqhy5cKXAli4rutwoc6bNmzhz6tzJs6fPnxxhnlxI
FKjRmkaTKl3KtKnTpxztSZ1KFSjVq1KhJsTKtavXr1QBgB1LtqzZs2jTql3Ltq3bt3Djyp1Lt67d
qVrz6n25l+eKvoADCx5MuDBgpIYTK17MuLHjxzMRQ55MubJlpUSLUqwoNGbmgZJBfr4MuADp0wWx
oF498avQzgdhfwRLsGbE0B85W7zLu7fv38CDCx9OnOyk4sh9v+Y8OjPDls6Zj/4Hkzbo2J9hNqe+
XPN1vtRrh//nm7y8+fPo06tfz7591YTLsb9kzv32c/rzMUq2/53v6/Hg9XebeLqxZiBCahyo4IIr
ueYcQtrRF198BlkH2nQD9heeTM+JV9t233X4j3sklmjiiSimqKJw0Nn2IHcXwpgfhQVZGBt4HBKo
o4YAbuihiCsGKeSQRBZpZHIRxpifjDBOiF+NXzWUYY7X5UilhiLiON6RXHbp5ZdgcklhhPzNKKF9
+Nlom5ZY9pglbFYqCWCYdNZp5514XnXFXJ2R6V1RLSoZnZI21tcnnJpRCWhBL9YHYEV5RirppJRO
epNsI0Z5aUeQVurpp6CGeuKliBW6Em5SEiTqqqy26upbPTWRutR0GqHK4K245qrrQ6/2ClcRvgYr
7LBc7Wrsscgmq+xIxDbr7LPQOrvstNRWa+212Gar7bbcduvtt+CGO2200RJF7rnopqsumM6t6+67
bbkA77xxLUTvvfjmq+++/Pbrb5d5/CvwwHQqYPDBCCtA8MIMN+zww8l5APHEFFds8cUYZ6zxxhyr
K+7HIIcs8kYBAQAh+QQAGwBdACwAAMwAcAIjAAcI/wD/CRxIsKDBgwgTKlzIsKHDhxAjSpxIsaLF
ixgzatzIsaPHjyBDihxJsqTJkyhTqlzJsqXLlzBjypyZUg7Nmzhz6tzJs6dPe0CDCh1KtKjRo0iT
Kl3KtKnTp1CjSp1KtarVq1izat3KtavXr2DDih07lQnZs2jTql3Ltq3bt3Dj2vNJt67du3jz6t0L
U67fv4ADCx5MuLDhw1H5Kl7MuLHjx5BZIp5M2TCGylzPYd7MubPnz6BDix5NujTiyKhTq17NurXr
17Bjy55Nu7bt27hz697d0rTv38CDCx9embfx48iTr0ymvLnz59CjS59Ovbr169iza9/OHS/S7qyJ
i/8fTx44+NXl06tfH/i8+/fw4zvkR5D+QPr88uv/Z/8+f/35FQRgfwPiJ+CA9R24338ACoSgggQ2
6OCDDibo334B+jdhhvX1xx+DGFpYIYgeymfiiR8h5eGKHxpE4IgIsdiiiDC6SOOHJc5Y44z2yZij
hjC++J+FMt7HYo5F4iigQew16eSTZCn04pQx8iglkTbeeCGQWv4oYo9YHmTgiD5a6eWWFSKJppJV
ouhmSi10R2WaVQrZJplZcpmgnV0uJGSZYpq5JJuE1rkmkGMWOuibjDba0HdggklikgVCGGGDJVZq
5YYZakqhkQtS6KmGHJKK55l44vhgpEFKWBCUsMbZKqtXhI7pZaKoSrqjjrwGaaifi7KZJKJ0hqnk
pYsa+COuve46K1LkPCttrMDOeeumd/K547KuLonqtnsS66KEurZIZabJKlqsurs66u67DzFbrri5
GqunmuHmeyO6h87LK7OpTlgjvwIvK+i/epJEArwM5/YdwpwGiK6m905KosX8rqrxgh2G6i2CE+8p
cYeglqqjxKIG+6l907ZMnAAuN9XwzDRP9wltKhao88489+zzz0AHLfTQRBdt9NEFxqz00s/W3BPT
UEfNntNU7yb11UtVrfVtWGMdEAAh+QQAGwBdACwAAO4AcAIjAAcI/wDtCRxI8J/BgwgTKlzIsKHD
hxAjSpxIsaLFixgzatzIsaPHjwwJihxJsqTJkyhTqlzJsqXLlzBjyhwIsqbNmzhz6tzJs6fPn0CD
Ch1KtKjRnQAAHF3KtKnTp1CjSp3qM+lBqwaxTtSKMKlXrhjBdlV68atXh2I7ps34teZaqgrNYn3L
kS5ch+zu6j168t/av2TRBtZqN27gsW4Pfyx8VTFVxhUhP3Ysdably5gza97MuXNBv2nPGqbcOKvo
uW1NoxZdOiFq1asJk00NGvZs2q3HpjYL+nRbubZNw27MGjfi3sWNM6QNHLls36WbOw8+3PBCq9J5
Ox+8W2l23p7Di/8fT768ZomsdV8HXB0799rwQ1Pu7vp97df336c/rj7+7ejPCZeeewLq9591vRUY
WXL/QScbfPk1qNiD+PGHGHT1JZifdQ7at9eHIAbVV33zyVcicv4BiCCJ3VUo3IsEZkghadt5Z1+F
Mb644YUTGvgQjjZShN+MKipo5I655biedjmK1WSQMvoonHlUVmnllVja0x+JSzbU4m1MJrfech7a
NqSYRJK54pm8cZVma1/6xh6ESkJ0ZpFIPkknlMR9OSaHN7YpJY94WkVSE1kmquiijIqkWpej/Sjn
gWpCaGGfOmaaG4x81nnpnpyuCCpYpPL5Z4aj0rgkhnl26mqqqFb/+mmrsB5Z6KuN5qrrrp1JKmus
gsWmY4wuboqppaDu+Nqbog57ILPMKvtqsaHaqmmmer5JbLY9FunkiWmeFS2tq4Vo7rk6jYjUYW4y
N2CpgnI6aaAPToesbr95KC59fRYrLHUojvaqvfIRemRs3OULZ5zHAnurmcmGGTF4vFZs8cWWoatx
T5Jt7LFUhmIs8sgYf2zyTx2frLJRKa/s8sswx+ylqjLXrJN2Nues88489+zzz0DDrK7MJBdt9NFI
X0xM0jCdwLRnOT8t9dRUV2311SNHjfXWXHft9ddeR8QPQvyUPTbZZh90ttr/mO12Qmu3TXbbbo8d
t9x13x303nz3/+23zHGvLfjcchNukN6HG473QoMX/vfjkEcu+Yd2s52442zfHThDg3fOueOIYz75
6KSXbrpEI1Z+eeF6q2756nBnLjvjoH/+T0nvgL0ZO7r37vvvwK9UO91pi7644qGzrjzxxcOet0Ij
vZN78NRXb/312JM0/Oati775554bn3jjDREkffbop6/++lUzfzb3CrnufEOuqx56/Q8JdD77/Pfv
///lcYjmMPc+w5EPdrELH+Iadz+DSO90EIygBCU4wLqhrWxww2Ds6LdB98kPbxZE4ARH+JEckPCE
URlazNjHBwC68IUwvIwA80bDGtrwhjjMoQ6fh8KgraGHQFRZKzYsokKhxfCISEyiEh0VxCY6cWdL
TNoTp0jFKsLMCXcpohW3yMUsRvFqeqFZF6syxrig64tHCwgAIfkEABsAXQAsAAAQAXACIwAHCP8A
7QkcSPCfwYMIEypcyLChw4QAHkqcSLGixYsYM2rcGHGjx48gQ2LsKLKkRIIoU6pcybKly5cwY8qc
SbMmS4ck/+XM+ZCnTgBAgXJk6LNnUKFESxYdCXJpUpMNnUokKRWq1YxUK1Y1WXTr1a9gw4oVuROh
V4M+z04lS1Ht2Ldwn2KNS3ei24N36+rdy7dvw5ZZs/5EOhhtULMKBR81TLjjYbSMHf+EmLjw4IiL
dU7GjJQzZMuX8RJGDNrsY4iYEXNW/Ngz6s54NZ923Hpy6NC0YZ823Xm2bd2Na9f+zJvq4cWpP2eW
Hfu18d7HSafWDfooT5vYs2uveW+79+8uA8f/Lqu4cmXJpJVrVk++a+Ly6yEHH09+vOrm94kvdN++
eXL57vm3XmPyqbYUeszRh59+8Q1IG4ALQlggg5SlZd+E7EVYIWUXstcfhg3+A96IJJZo4okwDahi
g/9paJ1kCOoH43n5vYecdDKyWCOIOkrVIk779YhjfUEKGOOMHZonXpI8NYkjcS1aWFaCUYUYH5JT
Ilmlk0zyGKWOCKEo5phkllkQkEu+yJiLcjVpnXIEEmleeiuqOaWXa14GXZG7idYniF9SKWhxBOYo
6I9vXilkhFyqByWYb2ZppZ5WlpfbcD9GhuiOWgIKpl+ghjpWS1Qm5yOF/DEYoJE70mlojIbi/9kq
h642OumXkspJa365cvrkoZ+q+uuSnva6a6aWUqiihUkumqGvdxpk5rTUVotdT4oeqWilQcJq7LKz
ovqkrrqW6qyUjIrWrbrfDroglkP6atij5O4KKX64spveqkIxu+29yhoXosACD5rvvJOKqrBJSyws
rJ/PmUbof5dG5l+hmR0Y6b6rHZkxh7OFHOCfhY3cL8AfEzWcbMtVPPDJ87ocrcW3/dtxxIEmHF3N
MLPom7Il07zz0ANDCnNeDiedNKlKN12k0/bqhTTUCbfV19RRh4SetVx37fWZVIctl9hYsyW2RViX
/ZHaGmpd9dlw98V03A6z/dZofNld91B5m/+t9Z9fBy54mXQXbvjhiCeu+OKMN+7445BHLvnklFdu
+eWYZ6755mLPzZTTp/KttN5nk865QoOnrvrqhFt1lulWVym6XXHlBTuQSp0u+9u693625xfdnvvu
czVtO+LCH14268w37/y1OK08HcbCzSgy3s4B+Bz2iabsIPXAiXd9WtdLSLGNFrecMcmuxVld9TQX
DV3EQt83f/z0wSjz+8DhFj/JvgtgqAATL9uAS0EIBBbt3JeuLhHrgBJa1gNtJSU5NQpWxXLVb9Dj
GmBhz1HqytEEeySYd6EmgR/y4J0OFqLnufCFMIyJsdq1qXotUF4mnGEBPeXBWmlwU+7yF7T/foiv
DDbrV7Ey2BAb+DAeGlFWPWRIDKdIxdVFr2UmjKIDNUgoZxUtf8LRVKcCxcKXrW9nrEIflG4ERu4V
UYVshJi3Jpanes1MTXTKGRzRSK/ufVCAgOQLAWl0r3KV0Sl29OERE5SqLmnxi3n8YqbGtcTdJeuI
0Zpj27boyE2KMJLlguQkI8QSDVTxlKhEEe6eRUP51Qg2tOpZqS6YsxJCUIEsxJsFgXgrAV2JYnp8
1LOe+MsmnutcwbwjDh/Jy1wCLZDQFAupvHezi8HSkURDHxlluSaXyehnZ2QgnJAlMiUCbTf9Opo6
P1jCMdaPNytiVDn/dzI33c853mqN+q6pnS+eFSqVAA2omNY2FgzCLW1QgV3yKne8aDr0obxz20IL
OrumuA6iawkeRjcqwOQtJ3F3+ajb/vZHjj6TeCZN6e9uotKWulREAo2pTGeKkpfa9KY4zalOd8rT
nvp0o8Dz5E+9AsCf7oWmzQMFUpfqkivGEW1F3ctEtSLUkxYPdFTNaPROGDujetVxM6NdVXVny7E9
VG+6nOpX10qXgAAAIfkEABsAXQAsAAAyAXACIwAHCP8A/wkcSHAgAIIHCypUmFBgw4UQI0qcSLGi
RYsNH0LUeLGjx48gMYZkqBEAx5EoU6pcybKly5cwY8qc+PCgyYw3GW7M6fCfSYcJbf4EOlRoUIM6
fQ4teNMmQp9KoRblaZSo04xMczY1qPWpUqxVrXLcKnUpUqpRv+K0yvXnVp5My46F2jMo2p50yZKd
ybev37+AAwu2R7iwYaRcz3pFHBfx1LpY4y51ivdpZMaVyybOLNSx4sx4a9LFTDlvWqmLOZ8uCfby
6NKoG7uGjDk2atG2YY/e/c+w79/AgwsfTry48ePIkytfzry58+fQl1fEXTc1b9WvP4O2bfqkbuui
qe//hn009HXT2lXPDQ/ecvv01MlfL79xvOzuXkvrFi+4v///LJEhIBl/gQCgSuIZBdd29mVXnWNv
5XeeXXOlJl9bXXlmnnfqNRbaZPbxx15tI2InV4aLLQjffUc1BWJ6DR4o44w0DmgjgTTmSFGC59WG
3WXylYhfUiR6yB1/DUb2HXoPksaie0WuaGGM2VVo3XxUOsiddvtdqeOXAPYy04Bgljmck1JOiRuQ
ISYWX32zleTmlFKyuRB9W66lZJtAGXmhkzw2uSWT671XpYRg+YlXdIw26uijkEYq6aSUGofmh2Yh
BNdebLrY1pE+YnonVW5lqVeK+tXH1qoZbppkqVkV/wXeqZqaRSFOk4UlmaH53YWeXq72VumwxBZr
7LHIGgvmSRcxW6aRNDorEkjSPjtSsthmq+223Dpq7Z0jVWutuP2RK5G5RH6r7rrstusuSGd+iW66
7847017hfpTpu/B26++/AAeMLb8EF2zwwQgnrPDCDDfs8MMQRyzxxP0JbPHFGGes8cYcd+wxxxQr
BEbIJJds8sko+/Xxyiy37PLLMMcsc6Qp12zzzTgrbG/OPPfs889AA7YzzjMXbfTRSCdtNABKTxr0
01AHpgLBb0R9rtVYZ6311lYPnXNhzDQt9thkl212dEyfrfbabLft9tvFpQ13c1zXbffdEHvNc9sK
zGLt99+Acyt34IQXbvjhiD86eOKMN+7445BHjvfklFdu+eWYZ6755ntH7vlzRHwu+uikl2766ain
rjphUbTueuurxy476ZxL9Prtteeu++68967wE9Y24/vWsxdv/HLNHA95QAAh+QQAGwBdACwAAFQB
cAIjAAcI/wDtCRxIsKDBgwgTKlzIsKHDhxAjSpxIsaLFixgzatzIsBnHjyBDihxJEuK/kyhTqlzJ
sqXLlzBjypxJs6bNmzhz6tzJs6fPn0BjNjv5KKjRo0iTKl0qs6TTp1CjSp1KtapUj1azat3K1R7T
r2DDzlQktqzZs2h9Dk3Ltq3bt/+6yp1Lt67duxyx4jXYaq/fuXADCx5MuLDhoGsPK16sODHjx5Aj
S56s0zFllJEua97MubPnz5otgx5NurTplEFOq17NujVnha5jyz77tzZeF7Zzh5zNu7dS3cCDC8/t
u7jx48iTK1++uV8/5tCjS0+r0HlK6yixn3T+PDv379r/gf/f3v16eZXfyYPnznK9+ZXWw5NvPx69
fPHp8a+/b98+f/X7mceed+epJ2B47hE4oH8IntfgfHENJ+GEFGb1knb54SdgS/ctGF+BGnIIYogu
YVheh88tCGF/Kxr4XoskXpghdv+9uKGLGerXnYc0nuijdzfqt+KMO4443ZFIugRbjz2+xx+K9MFn
ZIxAylgllRrm+KSDP5oIU41A5niliFKyqOWA8jU55I9jkshkkVVWKOecdIL0ZZFqzrcli2Xy2aef
Ua5Z5odttuill1beiWWhgO5JaJYpjviom2wuqmZ+iNokSJKcIrcknnCGKWmB/+2nIqAw/pmpqJQG
KuiDJU7/ySqZiTJKaJOTOllppnuGiCmbdQYr7LAYQaonl5aSaiSUtKJqJrL9XTrqmLnq6KqMpcoK
o6OgHhtlnr5C+2y4rUZIrG2RnKuuSXe+aSOzjGJZY6+xngrloaOeaSuIYPr3Z62pGmutwNGKWd++
CgJoY6cMN4xttwqeSmW2/zrbL7j3ckkvgxJvq+2BCwOcbLkE62poqAGb6G68Dk9nR8sMKnwlvAg7
m7K2vPIbKcgVz7yssjQRGbTO4waaJso5h9zgyjA37bSLUB+NKo/yTrnxtauCK2TPE++car+Qaq2o
vzj+HDXGKFPqo8ZBLvr029HB6rHN9dHMc8gVq0y1xdO+/3gw3vTx+Pe1B4rr599SSx0x1kDD7Xhv
sD1uGNidrmv55epKPvnHlWPu+ee2aT4Z5aKXbvrpqKeu+uqst+7667DvFHnstMMM+u3B1a67w7j3
HjrUOqoYYKwLf+he4sNzjLiYU2sst6jMF56v9NNHzPnyXJtabdgHD17o0s+7He+bxxMdou/obyWT
8GzH2LHaXZoNIenfq0y8z2t/7bX4qwK/NNmCqheBgCe+uRWsWVtqnOAMeD8AtolZ9NsdcialOMUZ
DU1pe1cGY2I3MKGtaCYLWABn1bUQkoxwTCtgCQ/INSnByoL9i5kMlWa+CErQOBQkmt2q9CsREsyG
FgTc/CQqZUISzouIPzRfElnGrROiUId9UxS+LsiyB+7Pin2y4Q1NExAAIfkEABsAXQAsAAB2AXAC
IwAHCP8A/wkcSFBgv37/Dg5UWFAhQ4IPGyJMeHAiw4gSKS6cWLAjRI4GQW70GLKkyYwYNT5MOfJk
yZUiNb7kCJOkTJQIa9q86XKmR5YdHdLMGVOmzp0YhQYVmfJi0Z1Qo0qdSrWq1atYs2rditWe169g
ffZUGROoU6chK1b8CFKtWqhJiwJN21Yu0aU35x4Vy/OkUr9P+/rc+5NpWaJuLQYeWZMl2rF4WzY1
nPgx2MuYM2vezLmz58+gQ4seTbq06dOj+U4WbPYuWcgb61qNWxiu4dqrH5PUzXho5Ncm5woGzrv2
R7x61+5WzPd4c5tHVzt3zhC19etfrmvfzr2796+2JR//Zh34LUXCEmVXpf17eUbk493aVj69uFHf
54UP/wsc+m2cUbXW236+6QdYYu+1RN1iXDU41RckceHghBRWaOFVnOWnXG7jLXcWfriBOBV7Cbo3
3XEcwhYcZeZJV9mKSNnFk3n+lficiSW+5ViBDMImnYLiCfTdkJplR+SRSCbJXXgwLmhjeoqhB5iK
OAI53JPspajiXjqR2KWI7d3HFoMkDhigjLExd+J5Iz7141gGXiinQBDOaeedcpKBp438sTmjcPT5
eeWXsx02VI+THQokbwIGiWJdapq5JUyRpsXkifbl5SZllnYaW5tV9uRij3tyVWepqKaqakec0fZi
moHW/7joi66+KutSsd4KpaH0lWlln2TJ96trVu665pXFaniosMIahymNbJ0JLZz/OfmPkkcaie22
3HaL2arghivuuOSWa+656HZ0arrsFuQJuhm2K++89NZrr7nedqdtvvz22+29AAcs8MAES+Uvdgcn
rPDCDDfs8MMQRyzxxBRX3HDBGGes8cYcd+zxxwNZLPLIJJds8skop6zyyiy37PLLMMcsc2gg12zz
zTjnrPPOPPfs889ABz0VA0IXnfENRiet9NJMOzjz01BHja0GGkht9dVYZ6311t5RzfXXWTct9tgd
U0322XNOYyfYbLeNtddux80y2nTXDbAGduet9958913t999zyi344EfCQfjhiCeu+OKMN44aLI5H
LvnklFdu+eWYZ6653IB37vnnoIcues687Lnu6KgrvfnqrLfu+nWpxy777LTXbvvtuOce8uspJ8H7
78AHL/zwxBefZEAAIfkEABsAXQAsAACYAXACIwAHCP8A7QkcSLCgwYMIEypcyLChw4cQI0qcSLGi
xYsYM2rcyLGjx48gQ4ocSbKkyZMoU6pcybKly5cwY8qcSbOmzZs4c+rcyVPlv59AgwodSrSo0aNI
kypdyrSp06dQo0qdSrWq1atYs2rdyrWr169ae4odS7as2bNo054Ey7at27dw48qdS7eu3bt456rd
y7ev379kAQCGmRdrmsJKSSBezLhxU3+OHQMAELmy5cuYM2vezLkz1MmUPYseTbq06dOoRYNOzbq1
69ewY8sOunq27dtDJ2MO/ZT3V99zKYfW3dU38KLHSQvPnBx3bOKjawtt/hkodabLfwK/znu71uzV
kWP//we+OG2lxqVSvx4+N3nn8L2Clk6e/XTu9u82z7+Uf9Pu/1nXln/uVbUcge29lxSCRq33nXgM
xichUtBB11uEiw1X24bEHahbhR1+qF2IFio43HurzaddfSWmuOGI25FYn3UdKkijhjjiCOOKKu5I
FIcnZnciizzCmB6RPgbJYnf0EQlkkjKCmCOUGE44oUIWhmjkjVouyaSRwklJIog/LRSUQiYKCCCP
Qw6p5ptFrihgmuABWOd5cqJoI556pnleeUf2KeifNpb345wotpknm3mmZ+ebSsa5Z6CENurnnY8u
emZfAQy20lFZajjjjCWOSpuoTn4YJo1IsoqVm3dK/6rokoXWumaRB9aKK6K66lnqfELKqSKgfGJ6
qoh2coeosUKmuGylgq4qa6+mGucsmJd6aaurVnbrFJbWjmiquPflhmqXqrJa6qYJsXuQn9HCmW2m
8d7q672WxmqprJTOCymf2067a6P7PftorgJPGjC+xmpKqsG8+lvsnuP+4+nFMIVKbo+/5ojuuWEC
W7FQZgKFJqy9xhppvfJ6J2zK8T4rqcJxrozwovTqe3O/Mg+6Zs68NtznztS2bHTN09IbMcZMs6Rx
xemWS+aoH4+8rsloYo3QtT7X+LKJHIKN8sRgb2vvw7h2POuUhj6p65j1Xj2p1/vSam2WPiL55c/0
Sf8HN9Vet0m3qE1a3PThJ01NKuHHRR024OKS2XGZWVOOkLeYK6cZ4pxrBKrIrvaoLeAcg7xx6eZm
rrqEha/uemWVn1ay5Z3XbvvtuDP9+u689+7778AHL/zwxBdv/PHIJ6/88sw37/zz8MUOalRVBlc9
Xldf35ncbmnPVu7gy9Rb0co6/NtUyYneYMQLjklg4+w32Pp4Z6u3oHg35p/3+MfaVz+FeNsS9JAn
venEb33miwz8xtMel/WnQBRD4FW8Z0AK/ehWQsMQz6bXQHLVKnwgdAkHleSiGqkvVVK6j7RaBaQg
+a1JbnPYC0MmNgEeallq218JmeRA/TnpXzTU0f7/WKiqGAmRbBTrod5myLMZ/nCJcsPgAQf4Oyy9
TGcxq5u+JJZEsx0tXxdEWaAyeEP2jTGCUjzbi2aWrKTJC0IAA2MZMRguOCYsSW8E2v/GWJvBuCGE
askV0QZGM1upT1GgG9a/7qg094jsjECrYND69kYtjs6RioRY0oaVPq6hsZKTbJEktxRJTHpSj2aU
JIAAyUqUTE+QMNtiGvG3MjniK4sLO1QPUampBVKrkbG83y6NBsxxKc2XhoqfEiH5RQMO0429hOD/
qMiUEMTnZHPCoiw1STObLYxo9iomMSdWyk/2LJeWnKbQvsnOoOVRmhGUoS2ZeUdoEQuahUQiZVrJ
BE+SBAQAIfkEABsAXQAsAAC6AXACIwAHCP8A7QkcSPAfgH8IDxpcmBDhwoMKGTac+NBhRIYKIVqU
qLFhx4oUOUp0SPLjR5ERTZYkGTLlSo8sRcIMudLlRZsbcbZ8CZImypg+M+bcSLSnSqAqbw6dOfJi
UZcEo0qdSrWq1atYs2rdyrWr169gw3qVmTGpTItHAahlKRTj2oRqzbo0GJftW6d03+ZFW9Zt26Zx
/8LVO9gnXbKE86bUW1cxYr+F7d6dLNlw48N8M0tOe9lx5L2Hy/69GThy6X9iU6u2F2q169ewY78G
Sru27du4c+vWjXe379/AgwsfTry48ePIkytfzry58+fQl1uNTp134urYs2vfzr07bdngw4v/H0++
PFbv6NOrX8++vW/z8OPLn0+fvvv7+PPr32+8vv//AAYooFRI9TYSf8EZyN510Sn4m1MGOrgbgwci
SNKAGGao4YaqxYTXXLmdJtxRzEnonIkRlsRYYgoGdpJtIrIl44fG0UiTicXhiBuAhHDoI1aP/Mih
h0QahpRyOhKXJJK49cbYUhxJCOJtUxZl5JK02Vhhg8cJ6eWXYP4HWmd1idhZhZeVOZRGaoLmpmlE
lZnmZCvS6WGdb455HYgQMpUlX4v1yRREjXUkJ549mUbYoW2RCZlnYz606ESiZRbmpZhm+hWMUD4F
JYR3dWqTUDol6ilISt3406B/psrTi6dG/0kplZ5OWapcTX2KWa1F/uTkaKtKGtSsNVlo7LHINmdV
qbESemZOpblqlkfRfmimlXNFq6uLm+Uqo588QUrts69CS2ah2wpLkbNraQkrn+q+qi2rVVZkqJwO
aarvvvwOxCm4Z8FKpKDrBivwpL1Ka3Cw3ybq7pZbEgxxsxATjCtcDKPZacGDKlzurQPb+xSWyZZs
8rHLbhzwWTOKmi6r2MaJ0ccvG0WzlQWn+K2tOHNsM84gnzStqRmv7KrRNTsp8079Nu30l1SGeidi
oCKqZ7tx3ltpZVRTzZmd3erJ9a+LqWjxkRyfaW276DqbttRjF+gri2YPFmhLZ9ud58l89/9tWxL5
Ted3eyQPbniO2z2t+OIYHq4fuY5HvlzhklduObJuCH755px3Dh3joIdun+ekl256cKKnrnpqhx+t
HuUVT2g4hbxhp3PLCcJ++u6Wa44ejq6np3ST5Ybb8IPEK5n8xGgzz2TzxQKH4+rUV9/h6yEaLzz0
tXmcfYLLjxi+b/We+GfI0udm/fpgsiPf1YXReTekhYI956Lo3ih/w+zOlH/9WxMXo2AiGtIgik1Y
w5uhKLW/vdgKa9liEdsOmLWtmUltAPRfqAIIv4qw74MgrIrCGrUwZkVvYby6EsuCBqw+wYtnOcMM
DA9EKJ95jFRJixm9dFhCle1wJzt0oWD/KPaWEBrxiCOc1ajaFC/HBCqB3prZ2kjUQ7tpzSTziiJO
4HWqLCrlbGxSzNBMlS2/IKyKTfTiCtNVQFnxD0pHjGPo/hVDKW6MT0PLW9poqKsU/iyHxbPhH5MI
M3BtkYwuy9sCmxe0kaGRkCIz4RlNyLtKWlKLM7MZyAD5x5W9cYZ5XFMfO/lCT9axkxrrYs2GJUgg
PvKEofRjGCnpPYFd8paly2Am+wencQEKY26KkTALBMWqjfF/9ftMjEIjyl8604kq6pkMRwasXT1M
gVOL4BODycQ2ms2CZoySxPKHy3JGzneyw4/uIke5dX7PnMmRozyrBz51wrOd1HEnPC80Vc/UfUKe
+0ROP8GyiIEa9KBGDGiXEMrQhjoUoNKkle1ul56HWvSiGO1X7bR0wvM5T6KBNFJy9LkfMSj0pChN
qW58R9HjcW8418xObzJK0yOmoKZPCwgAIfkEABsAXQAsAADcAXACIwAHCP8A7QkcSPCfwX8ADipE
uFBhwoYOIUqcaPBhxIoUM2qUaFEhwY8gQ4ocSbKkyZMoU6pcybKly5cwY8pEmWKmzZs4c+pcmRGA
z4QPfyL0yRDoUKIMMQoNivRnx4pNkUIFKjRpVaVTp1qsavTqxq9gw4odS7as2bNo06pdy7at27dw
48qlSHJr0YtDseq9u9coxoN2nyYd3BViU8CEEx9uuLOx48eQI0ueTLmy5cuYXQbO+1cx4s19EyPe
O9qz1NJO/fJdLfhf5tewY8ueTbu27dsqQee1G1q36t94VaP+DLgj7+G+IeJeznzgmebQo0ufLlk3
a+K9sV9H3vC4cOPcs3f/Tkq9vPnz6NOrh320q1Siga86hWp18eCs94ubPn2fq3z7nD203oAEFmjg
gQXOpeBbrYWF4IMQRijhhDYtaOGCDV6o4YYTecPhhyCGKOKIJJZo4okopqjiiuys6OKLMMYo44w0
1mjjjTjmqOOOPPbo449ABinkkEQWaeSRSCap5JI9Uujkk1BGKeWUVFZp5ZVYZqnlllx26eWXYIYp
5phklmnmmWimqeaabDbG5JtwxinnnHRK1OadeOap55589hlbDX4GKuigBvZA6KGIJqrooow26uh0
dTwqKZR1fpVOnTIs+E2lnHbq6USThrpTFqKWauqpqKaq6qqsPllIq7DGMCrrrLTWauutWn6q6668
9uorW7gGK+yslNjz67HIJqvsssw26+yz0EYr7bTUVntsQAAh+QQACP5dACwAAP4BcAIjAAcI/wD/
CRxIsKDBgwgTKlzIsKHDhxAjSpxIsaLFixgzatzIsaPHjyBDiuxor6TJkyhTqlzJsqXLlzBjypxJ
s6bNmzhz6tzJs6fPn0CDCh1KtCjQkUiTKl3KtKnTp1CjSp1K9anRq1izat3KtavXr2DDigWabizM
qhlHoF3Ltq3bt3Djyp1Lt67du3jz6t3Ll63Zv4ADCx5MuLDhw4iD9l3MuLHjx5AjS55MubLly26/
Yd7MubPnz6BDix5NurTp06hTq17NurXr17Bjy55Nu7bt27hzv07Mu7fv38CDCx9OvLjx48iTK1/O
XKbu59CjS1/avLr169iza9/Ovbv37+DDi34fT768+fM4C6EvOZ3uh/bw40teT7++/fv4ncvfz79/
+/wABijggAT61kiBCCao4Hf+NejggxBGKOGEFNK14IUYZqjhhhx26OGHglVoUBNIuSPicx2cqOKK
LLZ4Wi0uxijjjBYRQ+ONOOao44489ujjj0AO9MWQRBZJZJBPBQQAOw==
------=_NextPart_000_0005_01C7010F.16481B30--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAE0UWUX059283; Mon, 13 Nov 2006 17:30:32 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAE0UWIL059282; Mon, 13 Nov 2006 17:30:32 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.181]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAE0UUTT059260 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 17:30:30 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from DUB-EXHUB-C301.europe.corp.microsoft.com (65.53.213.91) by DUB-EXGWY-E802.partners.extranet.microsoft.com (10.251.129.2) with Microsoft SMTP Server (TLS) id 8.0.685.0; Tue, 14 Nov 2006 00:30:24 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by DUB-EXHUB-C301.europe.corp.microsoft.com ([65.53.213.91]) with mapi; Tue, 14 Nov 2006 00:30:24 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>
CC: Sam Hartman <hartmans-ietf@mit.edu>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>
Date: Tue, 14 Nov 2006 00:30:20 +0000
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccHeE/KbPJryS8sSM+aS+rqrtdjmAACWpPw
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7BC@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com> <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG> <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kAE0UVTT059276
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I've been taking a close look at this and I've come to the conclusion that we are fine. That is, I can't find any support for that provision of pre-produced responses handed out by a key-less responder is violating RFC 2560 in any way.
RFC 2560 does not require the responder to return a successful response for all possible legitimate requests. It only require the responder to support the basic response format when it chooses to return a response. As I read RFC 2560, it may fail responding to a request for any reason as long as it returns a legitimate error.
There is no place where RFC 2560 requires the render to successfully handle a composite request. It only specifies how it should be done.
On the contrary, support for pre-produced responses is explicitly supported in 2.5. And as such it is obvious that such responder can't respond to all possible requests.
Of the error codes listed, I find that "unauthorized" is the most appropriate one for unsupported requests as it indicates that "the client is not authorized to make this query to this server". The description may not be 100% perfect but it is sufficiently good and the response is definitive and avoids repetition.
The response "internalError" would be misleading as it "indicates that the OCSP responder reached an inconsistent internal state. The query should be retried, potentially with another responder", which may cause the requester to keep retrying the request.
My conclusion is that no update to RFC 2560 is needed to progress the informational profile for lightweight OCSP.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Russ Housley
> Sent: den 13 november 2006 14:08
> To: Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> I prefer an error that tells the client to ask for the certificate
> one at a time.
>
> Russ
>
>
> At 02:46 PM 11/13/2006, Price, Bill wrote:
>
> >I'd suggest focusing on understanding where responses to the keyed and
> >keyless responders inherently differ. I am aware of two general cases:
> >
> >1) The request asks for the status of multiple certificates that have
> >not been included in a single presigned response. Russ's example fits
> >into this case. The keyed responder handles, but the keyless will fail
> >for the general case. Some responders respond with the presigned
> >response that includes one of the certificates (usually the first) in
> >the request. A common situation is to ask for the status of
> >certificates in a chain. Santosh points out some keyless responders
> >anticipate this and bundle responses accordingly.
> >
> >2) The request is "well-formed" but asks for the status of a
> >certificate for which the keyless responder has not prepared a
> >response. This situation will occur if:
> >
> > a) The request is for status of a certificate from a supported CA
> >but with a serial number for which there is no pre-signed response.
> >Assuming presigned responses exist for all certificates that would be
> >valid based on their validity intervals, this would occur if the
> >certificate had expired or was yet to be issued (I am aware the
> keyless
> >responders generally produce responses for certificates likely to be
> >issued before the next generation of presigned responses). The keyed
> >responder would give a signed "good" response. My understanding is
> that
> >the keyless responder under the draft lightweight OCSP responds with
> an
> >unsigned "unauthorized" error code.
> >
> > b) The request is for the status of a certificate from an
> >unsupported (or non-existent) CA. The keyed responder would respond
> >with a signed "unknown" response while under the draft, the keyless
> >would again respond with the unsigned "unauthorized" error code.
> >
> >Some might argue with some grounds that these differences are unusual,
> >unlikely, and insignificant.
> >
> >I personally consider the behavior in 2 of responding with the
> >"unauthorized" error to be misleading. "Internal error" sounds more
> >appropriate if I were constrained to the current error codes.
> >"Malformed request" might be OK. However, the actual situation does
> not
> >match well with any of these errors as they are described in 2560.
> >
> >If 2560 is supposed to encompass keyless responders, I'd recommend
> >identifying the unavoidable differences and/or adding 2 TBD error
> codes
> >for the above cases (assuming they are the only differences). The
> first
> >error can be worked around by breaking the request for status of
> >multiples into multiple requests for status of one cert.
> >
> >We've also seen some problems with client apps that can't handle
> >presigned responses that commonly contain the status of several (e.g.,
> >15-25) certs. The apps inquired for the status of a single cert and
> >apparently expected a response for a single certificate. I'd suggest
> >that some "must" or "should" words address clients' ability to handle
> >the situation of a response covering multiple certificates.
> >
> >
> >
> >Bill Price
> >
> >-----Original Message-----
> >From: owner-ietf-pkix@mail.imc.org
> >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> >Sent: Monday, November 13, 2006 11:46 AM
> >To: Michael Myers; Dave Engberg
> >Cc: ietf-pkix@imc.org; Sam Hartman
> >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> >Mike:
> >
> >I think it is not that simple. I think you need to say that support
> >for one certificate MUST be supported, and that support for more than
> >one certificate is OPTIONAL. Then, the error is am indication that
> >the requestor has selected an unimplemented OPTION.
> >
> >Russ
> >
> >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > >Responders unable to produce or acquire a definitive response MUST
> >return <a
> > >TBD error>.
> > >
> > >As to your other points Santosh, that is something I prefer the
> chairs
> > >consider.
> > >
> > > > -----Original Message-----
> > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > >
> > > > Mike,
> > > >
> > > > What is the error case?
> > > >
> > > > . . .
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADNsJGD055023; Mon, 13 Nov 2006 16:54:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kADNsJmW055022; Mon, 13 Nov 2006 16:54:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.181]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADNsHhF055002 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 16:54:18 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from DUB-EXHUB-C301.europe.corp.microsoft.com (65.53.213.91) by DUB-EXGWY-E802.partners.extranet.microsoft.com (10.251.129.2) with Microsoft SMTP Server (TLS) id 8.0.685.0; Mon, 13 Nov 2006 23:54:11 +0000
Received: from EA-EXMSG-C307.europe.corp.microsoft.com ([65.53.221.19]) by DUB-EXHUB-C301.europe.corp.microsoft.com ([65.53.213.91]) with mapi; Mon, 13 Nov 2006 23:54:11 +0000
From: Stefan Santesson <stefans@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, "Price, Bill" <wprice@mitre.org>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>
CC: Sam Hartman <hartmans-ietf@mit.edu>, Michael Myers <mmyers@fastq.com>, Dave Engberg <dengberg@corestreet.com>
Date: Mon, 13 Nov 2006 23:54:09 +0000
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccHeE/KbPJryS8sSM+aS+rqrtdjmAABDwUQ
Message-ID: <A15AC0FBACD3464E95961F7C0BCD1FF010BCA7B3@EA-EXMSG-C307.europe.corp.microsoft.com>
References: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com> <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG> <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kADNsIhF055015
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I'm not sure the case described is a realistic one.
Section 2.2
All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating
that the responder may issue OCSP responses for that CA
Since the request is on certificates issued by 2 different CA:s trust option 1 is invalid.
Trust option 3 is valid in theory but in practice it requires that the OCSP responder provide multiple validation paths in the response, one for each issuing CA. Somehow I doubt that this is implemented by anyone.
Trust option 2 is not generic and is only valid as a result of a local configuration.
So I don't think this is a problem only for key-less responders.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Russ Housley
> Sent: den 13 november 2006 14:08
> To: Price, Bill; ietf-pkix@imc.org
> Cc: Sam Hartman; Michael Myers; Dave Engberg
> Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
> I prefer an error that tells the client to ask for the certificate
> one at a time.
>
> Russ
>
>
> At 02:46 PM 11/13/2006, Price, Bill wrote:
>
> >I'd suggest focusing on understanding where responses to the keyed and
> >keyless responders inherently differ. I am aware of two general cases:
> >
> >1) The request asks for the status of multiple certificates that have
> >not been included in a single presigned response. Russ's example fits
> >into this case. The keyed responder handles, but the keyless will fail
> >for the general case. Some responders respond with the presigned
> >response that includes one of the certificates (usually the first) in
> >the request. A common situation is to ask for the status of
> >certificates in a chain. Santosh points out some keyless responders
> >anticipate this and bundle responses accordingly.
> >
> >2) The request is "well-formed" but asks for the status of a
> >certificate for which the keyless responder has not prepared a
> >response. This situation will occur if:
> >
> > a) The request is for status of a certificate from a supported CA
> >but with a serial number for which there is no pre-signed response.
> >Assuming presigned responses exist for all certificates that would be
> >valid based on their validity intervals, this would occur if the
> >certificate had expired or was yet to be issued (I am aware the
> keyless
> >responders generally produce responses for certificates likely to be
> >issued before the next generation of presigned responses). The keyed
> >responder would give a signed "good" response. My understanding is
> that
> >the keyless responder under the draft lightweight OCSP responds with
> an
> >unsigned "unauthorized" error code.
> >
> > b) The request is for the status of a certificate from an
> >unsupported (or non-existent) CA. The keyed responder would respond
> >with a signed "unknown" response while under the draft, the keyless
> >would again respond with the unsigned "unauthorized" error code.
> >
> >Some might argue with some grounds that these differences are unusual,
> >unlikely, and insignificant.
> >
> >I personally consider the behavior in 2 of responding with the
> >"unauthorized" error to be misleading. "Internal error" sounds more
> >appropriate if I were constrained to the current error codes.
> >"Malformed request" might be OK. However, the actual situation does
> not
> >match well with any of these errors as they are described in 2560.
> >
> >If 2560 is supposed to encompass keyless responders, I'd recommend
> >identifying the unavoidable differences and/or adding 2 TBD error
> codes
> >for the above cases (assuming they are the only differences). The
> first
> >error can be worked around by breaking the request for status of
> >multiples into multiple requests for status of one cert.
> >
> >We've also seen some problems with client apps that can't handle
> >presigned responses that commonly contain the status of several (e.g.,
> >15-25) certs. The apps inquired for the status of a single cert and
> >apparently expected a response for a single certificate. I'd suggest
> >that some "must" or "should" words address clients' ability to handle
> >the situation of a response covering multiple certificates.
> >
> >
> >
> >Bill Price
> >
> >-----Original Message-----
> >From: owner-ietf-pkix@mail.imc.org
> >[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
> >Sent: Monday, November 13, 2006 11:46 AM
> >To: Michael Myers; Dave Engberg
> >Cc: ietf-pkix@imc.org; Sam Hartman
> >Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
> >
> >
> >Mike:
> >
> >I think it is not that simple. I think you need to say that support
> >for one certificate MUST be supported, and that support for more than
> >one certificate is OPTIONAL. Then, the error is am indication that
> >the requestor has selected an unimplemented OPTION.
> >
> >Russ
> >
> >At 06:52 PM 11/12/2006, Michael Myers wrote:
> > >Responders unable to produce or acquire a definitive response MUST
> >return <a
> > >TBD error>.
> > >
> > >As to your other points Santosh, that is something I prefer the
> chairs
> > >consider.
> > >
> > > > -----Original Message-----
> > > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > > Sent: Sunday, November 12, 2006 3:36 PM
> > > >
> > > > Mike,
> > > >
> > > > What is the error case?
> > > >
> > > > . . .
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADNijJv053840; Mon, 13 Nov 2006 16:44:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kADNijIv053839; Mon, 13 Nov 2006 16:44:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx11.bbn.com (mx11.bbn.com [128.33.0.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADNihah053829 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 16:44:44 -0700 (MST) (envelope-from kent@bbn.com)
Received: from dhcp89-089-106.bbn.com ([128.89.89.106]) by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1GjlTg-0006Tv-6P; Mon, 13 Nov 2006 18:44:37 -0500
Mime-Version: 1.0
Message-Id: <p06230904c17eb25c83ad@[128.89.89.106]>
In-Reply-To: <08AD20EDD5C44148842571F730597F84011E00DE@INDYSMAILMB03.am.thmulti.com>
References: <08AD20EDD5C44148842571F730597F84011E00DE@INDYSMAILMB03.am.thmulti.com>
Date: Mon, 13 Nov 2006 18:44:32 -0500
To: "Ogle Ron" <ron.ogle@thomson.net>
From: Stephen Kent <kent@bbn.com>
Subject: Re: PEM file format rfc draft request
Cc: <ietf-pkix@imc.org>, "Dieter Bratko" <Dieter.Bratko@iaik.tugraz.at>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
At 4:56 PM -0500 11/13/06, Ogle Ron wrote:
>I would like to know if the PKIX working group would be interested in
>shepherding a new rfc concerning PEM file formats? I've recently
>discovered that there is no definitive standard for how a PEM's headers
>and footers are defined for a private key. I've searched the RFCs, and
>ISO standards without any luck.
PEM formats were defined for e-mail messages, not files per se. I
think RFC 1421 defines the last of the formats (we had a few
iterations) for PEM.
>The issue that I discovered was when I was working with PEM files for
>PKCS1 and PKCS8 formatted private keys under OpenSSL and some Java
>toolkits using an IAIK implementation. OpenSSL expects PKCS8 PEM files
>to have "BEGIN PRIVATE KEY" as the header while IAIK uses "BEGIN RSA
>PRIVATE KEY" for RSA keys and "BEGIN DSA PRIVATE KEY" for DSA keys. For
>PKCS1, both expect "BEGIN RSA PRIVATE KEY".
it looks like folks made this up! PEM describes how to transfer a
symmetric key encrypted under a public (RSA) key in a message, in
1421. It does not describe how to transfer a private key, because
one would not do that via an e-mail message.
The term "PEM file" with regard to PKCS #8 is a misnomer, relative to
IETF standards. Since PKCS #8 defines a format for private keys, it
is not relevant to PEM, period.
Given that PKIX is a WG that focuses on X.509-based standards, it is
not immediately clear that a document on how to use base-64 encoding
and MIME-style headers to represent private keys is within our scope.
Steve
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADMjol5046161; Mon, 13 Nov 2006 15:45:50 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kADMjo05046160; Mon, 13 Nov 2006 15:45:50 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from anchor-post-31.mail.demon.net (anchor-post-31.mail.demon.net [194.217.242.89]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADMjndE046153 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 15:45:50 -0700 (MST) (envelope-from lists@drh-consultancy.demon.co.uk)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10] helo=[192.168.7.2]) by anchor-post-31.mail.demon.net with esmtp (Exim 4.42) id 1GjkYj-000Fmc-5T; Mon, 13 Nov 2006 22:45:48 +0000
Message-ID: <4558F5AF.4010605@drh-consultancy.demon.co.uk>
Date: Mon, 13 Nov 2006 22:46:07 +0000
From: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: Ogle Ron <ron.ogle@thomson.net>
CC: ietf-pkix@imc.org, Dieter Bratko <Dieter.Bratko@iaik.tugraz.at>
Subject: Re: PEM file format rfc draft request
References: <08AD20EDD5C44148842571F730597F84011E00DE@INDYSMAILMB03.am.thmulti.com>
In-Reply-To: <08AD20EDD5C44148842571F730597F84011E00DE@INDYSMAILMB03.am.thmulti.com>
X-Enigmail-Version: 0.94.1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Ogle Ron wrote:
> I would like to know if the PKIX working group would be interested in
> shepherding a new rfc concerning PEM file formats? I've recently
> discovered that there is no definitive standard for how a PEM's headers
> and footers are defined for a private key. I've searched the RFCs, and
> ISO standards without any luck.
>
> The issue that I discovered was when I was working with PEM files for
> PKCS1 and PKCS8 formatted private keys under OpenSSL and some Java
> toolkits using an IAIK implementation. OpenSSL expects PKCS8 PEM files
> to have "BEGIN PRIVATE KEY" as the header while IAIK uses "BEGIN RSA
> PRIVATE KEY" for RSA keys and "BEGIN DSA PRIVATE KEY" for DSA keys. For
> PKCS1, both expect "BEGIN RSA PRIVATE KEY".
>
> I contacted the people at IAIK about this, and they agree that there is
> an issue. However, there is no "standard". Also, other implementations
> such as MSIE and Mozilla may behave differently.
>
> If I've overlooked a standard, then please point me in the right
> direction. If there is no standard, then is PKIX the correct place to
> start one?
>
I'd be interested in contributing to or co-authoring such a standard,
I'm not aware of an existing one.
With one exception the PEM formats I've used in OpenSSL have already
existed in one form or another either through adoption from its SSLeay
roots or through test files we wished to interop with.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADM8bEJ041129; Mon, 13 Nov 2006 15:08:37 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kADM8bAR041128; Mon, 13 Nov 2006 15:08:37 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kADM8aeZ041115 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 15:08:36 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 27090 invoked by uid 0); 13 Nov 2006 22:08:28 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.121) by woodstock.binhost.com with SMTP; 13 Nov 2006 22:08:28 -0000
Message-Id: <7.0.0.16.2.20061113170718.083a5a78@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Mon, 13 Nov 2006 17:08:29 -0500
To: "Price, Bill" <wprice@mitre.org>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>, "Michael Myers" <mmyers@fastq.com>, "Dave Engberg" <dengberg@corestreet.com>
In-Reply-To: <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG >
References: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com> <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I prefer an error that tells the client to ask for the certificate
one at a time.
Russ
At 02:46 PM 11/13/2006, Price, Bill wrote:
>I'd suggest focusing on understanding where responses to the keyed and
>keyless responders inherently differ. I am aware of two general cases:
>
>1) The request asks for the status of multiple certificates that have
>not been included in a single presigned response. Russ's example fits
>into this case. The keyed responder handles, but the keyless will fail
>for the general case. Some responders respond with the presigned
>response that includes one of the certificates (usually the first) in
>the request. A common situation is to ask for the status of
>certificates in a chain. Santosh points out some keyless responders
>anticipate this and bundle responses accordingly.
>
>2) The request is "well-formed" but asks for the status of a
>certificate for which the keyless responder has not prepared a
>response. This situation will occur if:
>
> a) The request is for status of a certificate from a supported CA
>but with a serial number for which there is no pre-signed response.
>Assuming presigned responses exist for all certificates that would be
>valid based on their validity intervals, this would occur if the
>certificate had expired or was yet to be issued (I am aware the keyless
>responders generally produce responses for certificates likely to be
>issued before the next generation of presigned responses). The keyed
>responder would give a signed "good" response. My understanding is that
>the keyless responder under the draft lightweight OCSP responds with an
>unsigned "unauthorized" error code.
>
> b) The request is for the status of a certificate from an
>unsupported (or non-existent) CA. The keyed responder would respond
>with a signed "unknown" response while under the draft, the keyless
>would again respond with the unsigned "unauthorized" error code.
>
>Some might argue with some grounds that these differences are unusual,
>unlikely, and insignificant.
>
>I personally consider the behavior in 2 of responding with the
>"unauthorized" error to be misleading. "Internal error" sounds more
>appropriate if I were constrained to the current error codes.
>"Malformed request" might be OK. However, the actual situation does not
>match well with any of these errors as they are described in 2560.
>
>If 2560 is supposed to encompass keyless responders, I'd recommend
>identifying the unavoidable differences and/or adding 2 TBD error codes
>for the above cases (assuming they are the only differences). The first
>error can be worked around by breaking the request for status of
>multiples into multiple requests for status of one cert.
>
>We've also seen some problems with client apps that can't handle
>presigned responses that commonly contain the status of several (e.g.,
>15-25) certs. The apps inquired for the status of a single cert and
>apparently expected a response for a single certificate. I'd suggest
>that some "must" or "should" words address clients' ability to handle
>the situation of a response covering multiple certificates.
>
>
>
>Bill Price
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
>Sent: Monday, November 13, 2006 11:46 AM
>To: Michael Myers; Dave Engberg
>Cc: ietf-pkix@imc.org; Sam Hartman
>Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>
>
>Mike:
>
>I think it is not that simple. I think you need to say that support
>for one certificate MUST be supported, and that support for more than
>one certificate is OPTIONAL. Then, the error is am indication that
>the requestor has selected an unimplemented OPTION.
>
>Russ
>
>At 06:52 PM 11/12/2006, Michael Myers wrote:
> >Responders unable to produce or acquire a definitive response MUST
>return <a
> >TBD error>.
> >
> >As to your other points Santosh, that is something I prefer the chairs
> >consider.
> >
> > > -----Original Message-----
> > > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > > Sent: Sunday, November 12, 2006 3:36 PM
> > >
> > > Mike,
> > >
> > > What is the error case?
> > >
> > > . . .
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADLvCWm037747; Mon, 13 Nov 2006 14:57:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kADLvC5Q037746; Mon, 13 Nov 2006 14:57:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from dmzraw4.extranet.tce.com (dmzraw4.extranet.tce.com [157.254.234.139]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADLv8ej037718 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 14:57:11 -0700 (MST) (envelope-from ron.ogle@thomson.net)
Received: from indyvss1.am.thmulti.com (unknown [157.254.92.60]) by dmzraw4.extranet.tce.com (Postfix) with ESMTP id 71B5790C1; Mon, 13 Nov 2006 21:56:56 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1]) by indyvss1.am.thmulti.com (Postfix) with ESMTP id EDD0311F6; Mon, 13 Nov 2006 21:56:55 +0000 (GMT)
X-Virus-Scanned: amavisd-new at thomson.net
Received: from indyvss1.am.thmulti.com ([127.0.0.1]) by localhost (indyvss1.am.thmulti.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id CrD6THdBfN8W; Mon, 13 Nov 2006 21:56:47 +0000 (GMT)
Received: from indysmailcs01.am.thmulti.com (indysmailcs01.am.thmulti.com [157.254.96.5]) by indyvss1.am.thmulti.com (Postfix) with ESMTP id 78DB51208; Mon, 13 Nov 2006 21:56:47 +0000 (GMT)
Received: from INDYSMAILMB03.am.thmulti.com ([157.254.96.81]) by indysmailcs01.am.thmulti.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 13 Nov 2006 16:56:47 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: PEM file format rfc draft request
Date: Mon, 13 Nov 2006 16:56:46 -0500
Message-ID: <08AD20EDD5C44148842571F730597F84011E00DE@INDYSMAILMB03.am.thmulti.com>
In-reply-to: <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: PEM file format rfc draft request
thread-index: AccHTU1bcaMqepNsSiWqtzEW6jrlyAACSBUwAAV5G+A=
From: "Ogle Ron" <ron.ogle@thomson.net>
To: <ietf-pkix@imc.org>
Cc: "Dieter Bratko" <Dieter.Bratko@iaik.tugraz.at>
X-OriginalArrivalTime: 13 Nov 2006 21:56:47.0447 (UTC) FILETIME=[9D8DEE70:01C7076E]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kADLvBej037739
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I would like to know if the PKIX working group would be interested in
shepherding a new rfc concerning PEM file formats? I've recently
discovered that there is no definitive standard for how a PEM's headers
and footers are defined for a private key. I've searched the RFCs, and
ISO standards without any luck.
The issue that I discovered was when I was working with PEM files for
PKCS1 and PKCS8 formatted private keys under OpenSSL and some Java
toolkits using an IAIK implementation. OpenSSL expects PKCS8 PEM files
to have "BEGIN PRIVATE KEY" as the header while IAIK uses "BEGIN RSA
PRIVATE KEY" for RSA keys and "BEGIN DSA PRIVATE KEY" for DSA keys. For
PKCS1, both expect "BEGIN RSA PRIVATE KEY".
I contacted the people at IAIK about this, and they agree that there is
an issue. However, there is no "standard". Also, other implementations
such as MSIE and Mozilla may behave differently.
If I've overlooked a standard, then please point me in the right
direction. If there is no standard, then is PKIX the correct place to
start one?
Thanks
Ron Ogle
Thomson
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADJkdTT018352; Mon, 13 Nov 2006 12:46:39 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kADJkdeG018351; Mon, 13 Nov 2006 12:46:39 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-bedford.mitre.org (smtpproxy1.mitre.org [192.160.51.76]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADJkc8k018344 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 12:46:38 -0700 (MST) (envelope-from wprice@mitre.org)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.12.11.20060308/8.12.11) with SMTP id kADJkbL6031418 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 14:46:37 -0500
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (Postfix) with ESMTP id 0B667BF7C for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 14:46:37 -0500 (EST)
Received: from IMCFE1.MITRE.ORG (imcfe1.mitre.org [129.83.29.3]) by smtp-bedford.mitre.org (8.12.11.20060308/8.12.11) with ESMTP id kADJkZxc031383; Mon, 13 Nov 2006 14:46:35 -0500
Received: from IMCSRV2.MITRE.ORG ([129.83.20.164]) by IMCFE1.MITRE.ORG with Microsoft SMTPSVC(6.0.3790.1830); Mon, 13 Nov 2006 14:46:35 -0500
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Mon, 13 Nov 2006 14:46:35 -0500
Message-ID: <F9F038204EE77C4AA9959A6B3C94AFE801098AA9@IMCSRV2.MITRE.ORG>
In-Reply-To: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-index: AccHTU1bcaMqepNsSiWqtzEW6jrlyAACSBUw
From: "Price, Bill" <wprice@mitre.org>
To: <ietf-pkix@imc.org>
Cc: "Sam Hartman" <hartmans-ietf@mit.edu>, "Russ Housley" <housley@vigilsec.com>, "Michael Myers" <mmyers@fastq.com>, "Dave Engberg" <dengberg@corestreet.com>
X-OriginalArrivalTime: 13 Nov 2006 19:46:35.0013 (UTC) FILETIME=[6CFB1B50:01C7075C]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kADJkc8k018346
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I'd suggest focusing on understanding where responses to the keyed and
keyless responders inherently differ. I am aware of two general cases:
1) The request asks for the status of multiple certificates that have
not been included in a single presigned response. Russ's example fits
into this case. The keyed responder handles, but the keyless will fail
for the general case. Some responders respond with the presigned
response that includes one of the certificates (usually the first) in
the request. A common situation is to ask for the status of
certificates in a chain. Santosh points out some keyless responders
anticipate this and bundle responses accordingly.
2) The request is "well-formed" but asks for the status of a
certificate for which the keyless responder has not prepared a
response. This situation will occur if:
a) The request is for status of a certificate from a supported CA
but with a serial number for which there is no pre-signed response.
Assuming presigned responses exist for all certificates that would be
valid based on their validity intervals, this would occur if the
certificate had expired or was yet to be issued (I am aware the keyless
responders generally produce responses for certificates likely to be
issued before the next generation of presigned responses). The keyed
responder would give a signed "good" response. My understanding is that
the keyless responder under the draft lightweight OCSP responds with an
unsigned "unauthorized" error code.
b) The request is for the status of a certificate from an
unsupported (or non-existent) CA. The keyed responder would respond
with a signed "unknown" response while under the draft, the keyless
would again respond with the unsigned "unauthorized" error code.
Some might argue with some grounds that these differences are unusual,
unlikely, and insignificant.
I personally consider the behavior in 2 of responding with the
"unauthorized" error to be misleading. "Internal error" sounds more
appropriate if I were constrained to the current error codes.
"Malformed request" might be OK. However, the actual situation does not
match well with any of these errors as they are described in 2560.
If 2560 is supposed to encompass keyless responders, I'd recommend
identifying the unavoidable differences and/or adding 2 TBD error codes
for the above cases (assuming they are the only differences). The first
error can be worked around by breaking the request for status of
multiples into multiple requests for status of one cert.
We've also seen some problems with client apps that can't handle
presigned responses that commonly contain the status of several (e.g.,
15-25) certs. The apps inquired for the status of a single cert and
apparently expected a response for a single certificate. I'd suggest
that some "must" or "should" words address clients' ability to handle
the situation of a response covering multiple certificates.
Bill Price
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Russ Housley
Sent: Monday, November 13, 2006 11:46 AM
To: Michael Myers; Dave Engberg
Cc: ietf-pkix@imc.org; Sam Hartman
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Mike:
I think it is not that simple. I think you need to say that support
for one certificate MUST be supported, and that support for more than
one certificate is OPTIONAL. Then, the error is am indication that
the requestor has selected an unimplemented OPTION.
Russ
At 06:52 PM 11/12/2006, Michael Myers wrote:
>Responders unable to produce or acquire a definitive response MUST
return <a
>TBD error>.
>
>As to your other points Santosh, that is something I prefer the chairs
>consider.
>
> > -----Original Message-----
> > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > Sent: Sunday, November 12, 2006 3:36 PM
> >
> > Mike,
> >
> > What is the error case?
> >
> > . . .
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADGjoVu092887; Mon, 13 Nov 2006 09:45:50 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kADGjoQg092886; Mon, 13 Nov 2006 09:45:50 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kADGjnsU092879 for <ietf-pkix@imc.org>; Mon, 13 Nov 2006 09:45:49 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 26756 invoked by uid 0); 13 Nov 2006 16:45:45 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.121) by woodstock.binhost.com with SMTP; 13 Nov 2006 16:45:45 -0000
Message-Id: <7.0.0.16.2.20061113114407.083e45c8@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Mon, 13 Nov 2006 11:45:45 -0500
To: "Michael Myers" <mmyers@fastq.com>, "Dave Engberg" <dengberg@corestreet.com>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: <ietf-pkix@imc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
In-Reply-To: <CCEJKFKLBCNMONJMIEAMIEDACEAA.mmyers@fastq.com>
References: <82D5657AE1F54347A734BDD33637C879056794B4@EXVS01.ex.dslextreme.net> <CCEJKFKLBCNMONJMIEAMIEDACEAA.mmyers@fastq.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike:
I think it is not that simple. I think you need to say that support
for one certificate MUST be supported, and that support for more than
one certificate is OPTIONAL. Then, the error is am indication that
the requestor has selected an unimplemented OPTION.
Russ
At 06:52 PM 11/12/2006, Michael Myers wrote:
>Responders unable to produce or acquire a definitive response MUST return <a
>TBD error>.
>
>As to your other points Santosh, that is something I prefer the chairs
>consider.
>
> > -----Original Message-----
> > From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> > Sent: Sunday, November 12, 2006 3:36 PM
> >
> > Mike,
> >
> > What is the error case?
> >
> > . . .
Received: from [59.191.106.121] ([59.191.106.121]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kADDTLqH064173 for <ietf-pkix-archive@imc.org>; Mon, 13 Nov 2006 06:29:24 -0700 (MST) (envelope-from nbxojnniat@pbaron.com)
Message-ID: <000a01c70727$ac3a2840$00000000@2ad99fc5d610492>
From: "failure waltz" <nbxojnniat@pbaron.com>
To: ietf-pkix-archive@imc.org
References: <000a01c70727$ac3a2840$00000000@2ad99fc5d610492>
Subject: Re: LunX marjag
Date: Mon, 13 Nov 2006 21:28:57 +0800
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0007_01C7076A.BA5D6840"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
This is a multi-part message in MIME format.
------=_NextPart_000_0007_01C7076A.BA5D6840
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0008_01C7076A.BA5D6840"
------=_NextPart_001_0008_01C7076A.BA5D6840
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
----- Original Message -----=20
From: ietf-pkix-archive@imc.org=20
To: nbxojnniat@pbaron.com=20
Sent: Tuesday, November 04:02:21 PM
Subject: LunX marjag
Exploded minibus eastern versions.
What compatible see Only kernels supported or amgseba. Ba bd bc =
Advanced Search df. Heart Attack Tribune or raquoin am Retief Goosen. =
Rutherford nj oddest is calls.
Sitting behind and want to.
Globe Bloomberg a Atlanta of Journal Orangeburg Second bid?
Was nicht ein gehrt is amfranzf! More Subscribe now About faq Contact =
Sitemap in Privacy or.
Amdevone di Tutte eo Gnunix amkernel in Risorse.
Ammetalgod of Russian svyatogor Laitr Keiows achumakov amfrk dansk. =
Whitney fall usa!
Estados Unidos is France India or Italia or Mxico Nederland.
Need info you or start install am place.
Sentinel Things doesnt fit above bastion. Guests Developer ever am dec =
agelmar animeotaku Asid aviadb bernied.
Keybi kicker ld Lunx marjag metv nieve.
Ld or Lunx marjag.
Citizens choose plan Central of! Whitney fall usa!
What compatible see Only kernels supported or amgseba.
Kids preapec rights Boston a Bangkok Financial Expressall spend =
billion a. Alles was nicht or ein gehrt or amfranzf Deutsche Tipps.
Street kids preapec in rights Boston of Bangkok Financial a Expressall =
spend. Mock is took beating am banks remain am boxoffice draw.
Placement is determined program am.
Street kids preapec in rights Boston of Bangkok Financial a Expressall =
spend.
Has been called illegal West opposed.
Agreed naming Mohammed Shabir head next imminent is Jerusalem =
candidates!
Select topic Appliance Repair amp a Shopping Bathrooms in. Var format =
disp showeltid hideeltid return doadv falsevar sectid.
------=_NextPart_001_0008_01C7076A.BA5D6840
Content-Type: text/html;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"Tarrant" hspace=3D0=20
src=3D"cid:000601c70727$ac3a2840$00000000@2ad99fc5d610492" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color:=20
black"><B>From:</B> <A title=3Dietf-pkix-archive@imc.org=20
href=3D"mailto:ietf-pkix-archive@imc.org">ietf-pkix-archive@imc.org</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A =
title=3Dnbxojnniat@pbaron.com=20
href=3D"mailto:nbxojnniat@pbaron.com">nbxojnniat@pbaron.com</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Tuesday, November =
04:02:21 PM </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> LunX marjag</DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>Exploded minibus eastern =
versions.<BR>What=20
compatible see Only kernels supported or amgseba. Ba bd bc Advanced =
Search df.=20
Heart Attack Tribune or raquoin am Retief Goosen. Rutherford nj oddest =
is=20
calls.<BR>Sitting behind and want to.<BR>Globe Bloomberg a Atlanta of =
Journal=20
Orangeburg Second bid?<BR>Was nicht ein gehrt is amfranzf! More =
Subscribe now=20
About faq Contact Sitemap in Privacy or.<BR>Amdevone di Tutte eo Gnunix =
amkernel=20
in Risorse.<BR>Ammetalgod of Russian svyatogor Laitr Keiows achumakov =
amfrk=20
dansk. Whitney fall usa!<BR>Estados Unidos is France India or Italia or =
Mxico=20
Nederland.<BR>Need info you or start install am place.<BR>Sentinel =
Things doesnt=20
fit above bastion. Guests Developer ever am dec agelmar animeotaku Asid =
aviadb=20
bernied.<BR>Keybi kicker ld Lunx marjag metv nieve.<BR>Ld or Lunx=20
marjag.<BR>Citizens choose plan Central of! Whitney fall usa!<BR>What =
compatible=20
see Only kernels supported or amgseba.<BR>Kids preapec rights Boston a =
Bangkok=20
Financial Expressall spend billion a. Alles was nicht or ein gehrt or =
amfranzf=20
Deutsche Tipps.<BR>Street kids preapec in rights Boston of Bangkok =
Financial a=20
Expressall spend. Mock is took beating am banks remain am boxoffice=20
draw.<BR>Placement is determined program am.<BR>Street kids preapec in =
rights=20
Boston of Bangkok Financial a Expressall spend.<BR>Has been called =
illegal West=20
opposed.<BR>Agreed naming Mohammed Shabir head next imminent is =
Jerusalem=20
candidates!<BR>Select topic Appliance Repair amp a Shopping Bathrooms =
in. Var=20
format disp showeltid hideeltid return doadv falsevar=20
sectid.</FONT></DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_001_0008_01C7076A.BA5D6840--
------=_NextPart_000_0007_01C7076A.BA5D6840
Content-Type: image/gif;
name="Drag.gif"
Content-Transfer-Encoding: base64
Content-ID: <000601c70727$ac3a2840$00000000@2ad99fc5d610492>
R0lGODlh9AFcAof2AAkAAIwAAQZ5C4uNBAkOdHMFdgCGdrvLus3nuJ3K8TYoDlYZDXwdAJYdALYa
C+oiBQg2AC02ADs1AG1NAHM9Dp1HAMs/AOxDAABuCSBYAE5UDVtSAIJtAKZrBrdsAOJhAQ57BBSM
CDmOC1WBB4OIAJ2HAMSMANOFDgmtACapBT2dAFWgAH+bAJmkAMilBuGXAQDEASjBADS7AWm3AIq9
AJfABL7AAeCxAgjjABTXCTneAF/jCX7fCqXoB7/pAOHrAAAIRBEASUkFTVsAN4wASJIKMskJOtYA
OQEeOScWTDsZNlwdMoIXQKwsQMMXQNcZNg44Ohk1NTROM1M/MoA/TadBMrdGS95EMQpjNiJpRkpk
TmtbP3tiAK1qMsJSOdhTQQ53QymBREd2NmGEMYN+SJaOQrp5Tdd2SwSURhmhOkGkSVacS3+mNJOg
PbacRdmrQAzGSRu9PEXMQFrFP3zJQ5KyTrq2OeyySQjmRCjpNjraPmPgTojRSaTnNMniStHpQQED
fyIKeEMNdloBgIwAgpYAercAgOMAdA0WeCcSeDYSiWkRhokZjKAWes4Th90lhQtHjChGeDZIjWRE
eXJMc5o4dLdOdtNKjQBYhhVYcktajmZndIxghqNqi7tocd9adA2OfxuAejZ3c2p1hHh7jaJxhsx8
duaCcg6iei6TgDKUiGSegouZhaSXerqlheSujAG3ihyzgjTLcWm2iXzEiJG7dsi1i+nLdADTjSDd
fj/lil3ThYfhhJ3rjbbec+PgfAAAuxYEuzkKvmwAxn0AupYMu7gAyOEAvgUmuBkbtkIouFcUv4cr
uaMdzr8uwt0pxwFNtys6tTc2y1RLyX43xadDsblFve4zwwFmzRZsy0NjvG1svHFeuZhVwLlrwORu
xg53sy53yEx/wGtxv3t4yK2Fyb58sdR8yQCjuB2qwkyUyFGtvHySx5mTwcGXy9ynzALOsi6xvji9
tF25w4Syvpq5wPz78ZOipn13dP8AAAD/Df/zCwAA//IA9wD/9ff//yH5BAAM1ykALAAAAAD0AVwC
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePBP+JHEmypMmTI9+9Q8mypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMG3ahSJcijSJMqXcq0qdOnUKNKNSq1qtWrWLNq3cq1q9erw76K
HUu2rNmzaNOqXcu2rVuMQuPKnUu3rt27ePPq3cu3r9+/gAMLHky4sOHDiBMrXsy4sePHL99Knky5
suXJkDNr3sy5s+e7l0OLHk26tOnTqFOrXs26tevXsF1/nk27tm25vW4Ljc27t+/fwIMLH048Kc7i
yJMrD9l4ufPn0KNLn069ukKcArIPzC5gu3bu4Lnb/xPvvXv48AfJly+onuB5hu0Vxk//XiB69+AX
3i+vHf989vfFJ2B//A14HoEG1Wegf+0dCOCBCNpXH4MRjrcfehCKt5+F+fHn33r26GaSeiR+VyGI
5P1HX3cfttiiiiDCd+KDCZrIIoc4IqQhgTve2GNCKdpIo4sSsthhjg0FaV6EJRrJY39HElmjkzfm
2CCUT1ZZ5JQvZpkliCKWZCWWVAJJ5pZJMonghlfKF+WKM0rZJJL/zWnnl1x6hySaRa6J555uVilk
l4KeyaeUQ45ZaJl6HuoonX5S+Sd5YZKEI4aG6nhhnIkeyianU4L6aJ4x/jjqnT4OCuipai4aaami
sv+qpakfzknqiuvNR+utjyrJpYJ4OmbRjhYqqt+VWpo5q5/Fxphms8cmG2qmtNb5JarOZutom6/y
CWOn2e66pa3gJirupXHqWqGvNBILqbRiHUfsoBm6SuGGBU64K764fjuqpqpWeyK24/75YKQQ5oon
sg7C6aqD6i7JKK/mqorim6tG3KuQArMo7LD5bQqvh9oCXLHE0wa6KsUqE7yyyx0Hmqm3AU/4r7Iz
o5tsjxiXfPHEzn6687o56yzhu6thSi7Aizq0YJ8wRm2zyQ/FvDSsKBec6si1tprv1oD6q2zYFmu9
8s0cHqkxqWsT+iuZV5umtMHTgp3mshOrqDfdLI//DfPA1wZud7Rk520oshSJe66pe3Nt7dDSxr22
xk3yPdZxaZN8dubsyog3zU4iCjrhVdec9cuCKzw4fl1/jrSiq7vZ+pCIw47r2Lej2W3GRK/eOb8C
VToS1qLrXjTVFwNo/Mhqks5gs3+fzrnpSDe+PO3Lgg60ysa6+LuXfd/8PdBtB00twmA2d9HS9e7J
89Tblq2k1K7X3XTareZfP77895xvuPKzWMgyxDS6MWx3mSse2qZms/7hDWEIVFustII56yDPI2Kz
oAYTIjyRbDB8GMngB0c4kA7+g4Q+y4gIUfhBE7LwhTC0igtjSMMawsWELrGhDncIERzmkIdADKJB
/3zYEiEaUYhEZMlEAsDEIzpROEwMwEGSiBJ7RLGJV8wiFpsoEC0uRItSJIgXxXhFK0aRjGHs4hgN
AsYyqtGNCGnjFtNoRimCcSBnjGMW0bhHPq7xIH+EYx0BmUc8FrKOhxTkGduYkEMi0pBc5CMa/UjH
REaSkHR8YyE3eckS0uYijhzkJEUZSkia8o2oHGUfRcnKUo5SlZ18JRu5mMda0jKWqeRkGuHoSj2G
UZeRLKUgH5nLYPJyjpDMZCpfKcxj7vKWz6wkLk9pSjfqsjSYC6UjF3nJaW7zl90MJzivyUo1frGT
llTmMmc5zmVyU53pXCcpp4lJWJKzIKvsYzwRGf/NcvpzlZokJj6duU5y9hKg7HQnLmsDylh+0470
lOVAlWlQfSJTIvuUqDwnes93JnSi/hxkL0EK0jE2E5gQpegcbZnSj2pSpS3FJEtDOtOQktSX/JSj
OmGjTXqOlJoupeZMoWlThmQUqEhlpzT72VOY0vSiRnUoMomq1JVCtZpbRGVTyWhGme5UpO3c6jy/
ulGhGpOqlMmmVMmK0JsGVaFhnWpEGynOt74UoIo861OdulWd1rOkcoVnVgObUI969KaH9SNdW5pY
s5rznIKtK1xD5JhlFNEiYlVIW+F61cnOE6zRnOtRy/rTvLZzr4Vda1HtetjOarWMjX0tOEHr0tj/
lvWUhEXsZt2q237e1jWZjWpkAevUYo4ztqWVrEZXG9Bk3jOptrUtTol7178OVbUsje5Zh/nbsWo3
tHNlbk1bGV7VBBeyf8Vqccfq3H+KVrlJFW8+cXle2g60uxpN7GZr+l3yates603vHoPL3fRaV6/4
TYtaA3zf+JZzvA9Gq0WXil5ZuvKgraWvhins3tM2ZJ8oNTBuJRvihwLYrsy0JnwFqtmIjveaDMWs
aqc70o6i1biS9OxiP4rhr/J3wzRGsEB/StLnFvikI/ZtQIHJ1SYvF6gE3StZkapfIRMZLcdBaI13
S8lM/pGfERZngXlb3cXeMZ4nxauav+xXM8P3/8hAdi6Hl3xHiZp4x8mkpB6Fa1p01nmQMX6ioAc9
mgoS+tAbpOJJEM1oDSraJI2ONHUeLSZJ35DSmM70bizN6U57+tOgXksTQk3qUsfrJqZ+iKZXzeqd
VIQfsB4IrPkh61gTZNYFmbWudV1rXtsD17e2tUF2/etdExshxhYIsA+S7Fwf29i8Xnavaa1sYEs7
1YiWw6uFvexrXzvY1AZ3tWntbWEP29zjZoi1Y/3tdBc73O9Od7vjfe5wdxvd2M63uOld7nn3O9j0
7nVCvj1vgdc64Pt2t7TZjW93O5vh3G64vp94HFwTu98SX3jG0V1wgkvc4Q+vt8jb7e+Nk9vcwP9u
tcpXLhOLWPzkCC+2zJmNcpOHHNn4LnjMDZ5wgZPc5jj/98QRXXGGy1zjJ4c3z3c+bmgrvecgFznN
n+5xah+76cnuuK8NzvKuex3SLo/21uXdcKQH/eZTl/rZ0472pT8b6GuH+tBfg4XJXHzs78Y7yEuu
dK1T/eNM33nV0853hQx+7oTG3N3NHnWEF17uS2885AWf87JDPO5s3/fXN+/1i2x97Pf+e99rHnO/
qx3zlz/9usX9eMyX2hGIb0jonU37tued7KN/euQDP23cr332/IZ75ncfeySi2uGMj/zPfS30enMc
8NO2tdPBjfGIT3/6ck8557ff6uKP8ADeD7//+MdP/vKb//zoT7/61+9o7rv//fCPv/znT//6HwYW
9s+//vfP//77XyZx8H8COIAEWIAG+BjWcIAK6Bfs14BHtIAQGIHu54AUWIHOgQIWCGoSuIEcuHIZ
+IEgGIIiOIIkGH6M4QUSCA8qCA8d2IJDEYIqWIIyOIM0mBEs1w4umIM6GIFzsIM+OBgd8INCOIRE
WIRGeIRImISE8QE7WINOiBxKGIVSqBdPWIXCMYUjAQBaCABYKBd20IVRqIVgOIY2YYVmeIZomIbJ
4QZq2IZu+IZwGIdyOId0WId2eIer8QEf8BB6uEF9eIXHt4VaqBYu8Yf2YIh9qIeK+IeLyIiN/2iI
A/GIewiJiLiIAiGJh7iHBfGIl6iIkWiJnQiKBoGJntiJmciJCFGJpWiKmbgRjfiJqHiKkEgQlfiJ
suiJlDiJsQiLpViLrRg8rGYRgygQw0gZvtiKs/iLrLiMo6iJm6iJx5iIzmiLtDiNjkiNv3iM1diM
zpiLCxGN3QiN02gR2qiMy5iMyliL6HiN5ngQ6iiO2wgcOFGMBSGIADAQ9mgPW0iM+ciP+6iP/TiM
xUiPnsQSjniNyYiO2NiMqbiK6ziO7aiQ7GiL5ciMoQiPC+mOGEmRkuiQoPiKzxiSC6mQ2SiOCAmR
F5mRDGmK0iiS+keQ/IiP9wiQ97iPg/iPMP95kwJZkzM5kDNZEIVokvCYkCipkkYpi0ZJlCK5krPY
khb5lB9pjUV5juPIjr2oixxZlE0plfGokawYle3Ii0eJjdL4kJS1ahUBkwApkzG5lmvpkwahk2xJ
kz9JjrrolJh4i1U5lXnJjA/5ikQpihPJkiDJjZbYkt6YEOVoleGYjljZkEtpjiQZkocplKsombt4
kQcJmRqklnDpljvplqCZj58piBkRlYPJmU95lIKJkkqpEIxJmY/plSIpimHZlVv5lY1Jiny5l115
mxp5kBv5jBUZmSm5kr4xj3U5l6PZlnIZk3BZmv+4EDmEmsOpmsAJnK1Jm79Jm6mJl1oJkcL/2Z1L
mZslyZHImZ6YSZ4NOZ7a6ZHfKJ6zaYvdl5Y/+ZzN2ZzR2ZP4+ZnMCRHWCZVcOZZm6ZjoaZyJCY5U
yZ1kmZjYqaAG+o6w2ZjdCaFIeaEFmpq6yZS++UH9SJf3yZ/Q+aH2yJPMSZBq2RAOmpeZSZK8iZvW
iYsgiYqtCZ8q+aKhyJ6/WZiaSY0zOpU9apy3uKMDqpfzWZZgGZYWymgpChFNOn6TaUNRyhqGlhFP
2hBXyhwG2ZFc2qVe+qVgGqZiOqZkWqZmeqZomqZquqZsqoj61xFZuhBxCoxKVGpTykKQWJ94OBHL
uadL0Qd++hB9GqiEehWDWqijMaeiiahn/3gcJWqfgnqoDuESlVAJA1Gpl2qplbqpmIqpmWoPnLqp
Z0mGpGoTT0ATkPqfTiqpccmqF+GpoGqpAtGpsloQnnqrtcqoTqScBxGaIEqT/jidJBqiETESPnAS
uIqrsYoQnPqpQFmq0EoXqVqPIgqsNsmTIiqdqvqqstqsywqrtiqqs5qrumpqjxqscxma+5mursqt
sUqr4xqqBAGuoQquviED5YoUVTqa2vqWxNqvFJFD3jqw5JqpsGqvoxqtROQEB9iq6Oqc2fqvxLqo
EiGw4kqwzCquy/qsCtuxPzGtokmPvtqfJgqx28qtydqtBbuxymp+JwSCjvqhizqy2Cqspv/ZlhTL
ED9Er7Var5qaq7Qqrx47tD0BEoqar4G6rwRxtE/xQ0pBtDhBASXhANH6EUyLtFibtVp7aTXxFk6r
r1Abtse3tWTLQ/mQD2W7fufaq+3aFWdbEGcbtwgRt29rD3Qrt2kLQzVhAyLhn2WRQ3eLtnVrt2gL
t4VLuIjLsWK7uHSxnzjJn487nTmrES5BtwQxuIM7EJgruIdbkIxLgFS7GNOqk3WJnzjrt01huZp7
uJkrEJtLuKqbty+knDeLoiV7om3LtYuGt67Lup3bu6trEG8bgcHwuYcBsjg7otQqs1ahuq8rvHcL
vbLLpH1quxR7tUvxttrruwvRuok7vST/xKvUOr7We7q5W7GXtb3fW7fey77ca7zwGxQ5uZw7Gbki
e77F2hKBu7q8u7mZG70JG78tuAiP4bXp+7scIcAK7Gpu8UPeuxELvMDgO8EUXMEWfMEYnMGpgb1l
wcEaDB20e7MK4cEl6sFyer62K7kyGZA3G8Eu/A9Ma8LJa7W5+6iom7Nw+cIRHKfnysIzvLT0W7tC
PMT166vLK6nz67AxqcMLvLbj+8PP2aRSjK24G7LV+sN0mRDzK8RsycQKTL6mecNFPMJIfLtWfMaT
y7aHmqUkG8BerIQa4ZkT28Mq/MQrfK1AzJYljMUIIcLAyhBt/MEkJMd6PMd1nMdVfL+F/8y2kZqf
WHq7MizIaXUTN8yvlszH/1m/Mwu5aKzIfWyihHzGOfzG8Purn0zElYzId2y6IAq593vFQIzKRjys
/0jKi7EKKtcVkQzI+HvCkpx+u8zLGxHM5PcISEvMrXrIv7zMzNzMzvzM0AzCY0tBlyUZtsy4TvzJ
J1sROUQA3vzNA+HNS/HN4py/1xy2qbzNNtgS5SwQ5dzOSPHOBGDO52yAh6AX/snCeLy2/DyoLgHP
4UzOAu3O5EzQBW3Q4FwQ8kzQAW0PC13PO9EIBDi6gzrLVOyvVRwRAN3QDt3OHj3PCS3OH20QC93R
DV3S0Ywc2cyui6y8mPwQAj3PDG3SHP9t0iM90go90DRN0wed0iptxq1svqI8sRtR0vB80zJt00m9
0UjN0T3t09hEyVcMsG2czp67aDk900e91CDN1TvN1F6N0wcN0UdI0RA71ZBcsjYrEVut1Un91V19
0jKd0ATR1B3t1VD904jcz6BsyCKMvTFd10991ygtz4NN2B/d0xud16GhtEbbrl87zm9NEe1M1kZo
FsisFIsNEZuNwczrRJ/9FTptEZ3tHL0cQ8rM2KbRrslQh5Z9G2L42kCh2r3KqLKtG1x427rddbm9
245N22kM3IV62sI9cQic176d3MFY3Pmq3M6dRLdgKcw93dRd3dbdGnZw3cL93NxNRdr/TajdHd44
9N0U8Q3k7Rz0cN7qvbXasN6fRgynYRstIN70Ld3ufd/4nd/6XRn13d/+/d9EuN9xCOAEXuAGvoAC
nuAKrkO/TYJeh8tkbYUHrhgL3oY4AW8YnnfslmsannvWZ3EPt3AhbnVvV3X29nlX92u3tuIvt+JN
d24sfnEurmxYN0UTrhsZLmsqPmw6vuPI5uJUx+E/3uM6HuQzTuNInuO6h+RMbm/VBuRHPnM0buRM
ruJ9N0Q3frwU4eRc/uNOPnBQLuREzuFfLuZjzmw9ruRenuZQ3uWG5+PkxuNTXuRg/t0XTudzjuZl
juZsbuY+TuZnXuWCLuc7ruZ6juds/+7mYK7oRB7nec7nWa7lW57nJA561Pd8oQfil251jc58JV55
65bp0pfmRs7pVr4Qpp501kbp0XffFQfnhb7mgx7mg37lhL7kjv7mR+7oOS7mnG7rXX7itn7qupfr
ue7nbmy8Q1B/p87qhz7rjR7ow37psq7rY27sga7hSU7rcT7tsH7siA7ugR7phuFy3z7rX77kVW7q
UU7lj/7ugj7tx87uZ47t235wfy7v4t7szT7s6r5DmbCrx+fvMh7jeHflWSd20Sbkny59evdsZF7w
iG7lG47v2r7rqs5tZp7i1EbujVEHkVGFHk8bTlfyJn/yKJ/yKr/yLN/yLv/yMA/zI/8/GBVe8zZ/
8zif87ra4Kudr8StpRDIFaW7tIKazKkNyH0cESuNj8OMEUeP9ESvjxdRvkhsn5kt9Vhf9MZXhmuc
9CMc9cSo9WA/9XHsED9/FGcf9mMvjEGM9mvv9Gqv9VOIxaFc22F/nw/7x35cvUyfxX6P9cL6sEDN
9/br96Cs96Dpj3e8wnZ/0X8fl/V49/waooTP9D0p9YHv+My7xjj5x4jf9zVr+Hq/hXN/snUP9jVp
+USP91nf95F/+WN/+ayf+pZf0UoM+HGP+URtxrSP+avv+qCP921Lv3fP+pKf+75//JBc/KoP/K0P
/Msv/FEP+68/+3Qa9HFc0doP+cn/T/3J//Y9jPuxf/y/3/xGf5PTn/u93/rr//3q//yRz/7wr8a1
K//mz/20L/vpP/RD//byDxAA7A20J1AgwYIIDy5ESNCgwoEHG06kSDBIRYwZNW7k2NHjR4T/RI4k
WdKkQokoKQJICVHiw4IsZUZk6XBiS5sRG8qcmTDmS586cercCdEnz5oplQYl2hPpwpo3iQrl2JKh
UqQ0cV5typSrzaVGi4I16rTs1KxhD5pk29btW7hx5c6lW9euXZorh0atCDMhQ4yAxbqcWjhnTr9/
+0pFbNgr4cGKAzNeOpRx47CLxQKV3LVy5L2QDScGLLjz0YF3Va9m3dr167ZMIx+e/wzUtF/TjiVb
PcuZtGzahUuLfszbtuitwoEn7z0Y99igXz0jZ06V7PXOUYfnVZsa9nfw4cGDJF+et8OeP1Wi5xld
K1S+8BGb1ds+c1L673PLf8/+ZtKy8gtOuv60uqw5zAJMjL2XBORPPcHwe+g+y8qz8EIMM7yQNQ07
9PBDEMmrMEQSSyxxRBMzFG9FFluMK0UYY5TxxBlrtPEjFG/UcUceMeSwRyCD3ChHIYs0Lz0jO3Jx
SSZbTPJJKKOUckoqq7TySijpwXJLLrv08ssPmxSTpGbGNPNMNNNUc00221wTTDjjlHNOOuu08048
89RzTy/d9PNPQAMVdFBCC0WTT/9EE1V0UUY1MvRRSCOVdFJKK32tUUz55CtTTue09FNQH2UpVFKZ
JKNUVFNV1U0AVnX1Vdc6lTXPTWe19VZcc6VRV16LhPVXYIMVdljxejX2WGSTJXZZZpt19lloo5V2
WmrVTPZabLPFtFpuu/X2W3DDFXdccmHDCBht01V3XXbbdfddeMuVd156iYX33lk7wXdffu3Ut1+A
AxaYUXQG7rJehBNWeGFBb2D4YYgjlnhiir+t0gGDM9Z4Y4479vhjkEMWeWSSS773x0QrVnnlJk12
+eVFUUaUZZprHi9DfhDiZ+ecdeaZoJ6BtodnohsKemidhyY656ORXrppmKO2s43/G1E+Omisk0Za
64Gg7pprpynKemuMbDb77LtwJntsqJk2Gmyu3f7a67C/FltqvEWWe227k2766oqyFjxwvu/O+3CO
2S6abKH/hltruXt+GuzJEbdcWw7Z9nuivftm/O3BP29c6IzQNv30FZX+mfHO536b9LtDp3tvuglC
/XbcWXMccNZhd5xw2Q3fenbvck+1VeNX3X3xrlcHemfOM/pd9Z+XZ77n5I/PXtWYty8Vee9DfXp8
8ss3/3z00x8/fFLBZ9/S7t+31H35J738/oAjxX9//nuUWUgigSyAxhpglwrIEf1ZiDPAOZB+RNTA
wLQHgiA5YHA6QqQKXpCCFoTT/wIzkkENzsZEKAIhlVizwBxVxzwXImG7DlhCKr1wTzCkiLBQaCAD
Iek8R9GOdnKIw9+gpIf8mZBZYOKU+GzqQThEj3skSETZ5Mcg9DEiEAGknp9sZYg5hE+DuoiWnSRx
ihOaj3SsIsb+HIeMEsxiBCPURh5yZYxebEkCFaiYN2aGQde5z2meU6snYsc2eSTQcaTSQuQ40Yk7
/IoawZIcQ2bHOXy0ThQVqRs/ClKRHiROJItYyeesJEGbfCQo3dOoNTowPhP0YFpiokkVXjKLoZSk
GPFzyL0gqZZkiSSDbkiVXtoHlrTp43B8MxPfLAeZm7GOK0+TRmY60pSc9OVhpP+5S1OiEo+6uaII
WwkdAPVyNJpkZjZfmcvN9DGR11wQA2/4R2vKkpaPaeY0ybmgYI7yPPjEjjyxKUlRXoad/qSmlX70
y+JA8IjRJIw4LWlOWs5TopOM5zp52U8w7uaiECUoMRmKGk+ecjn9RGhIwUnPXYY0meVcKDCHmc21
QCpDrdxiXqp5TChS0YdhXGZToFigQXqRiUKpFRzLCE8s5pKQO3UQEuOYUf8k1TPpESZUhUhEie7U
nUj8YhuRGsfcSJWoTNVqKAPZPw/R8ENqxZEBH1gjGLI1rBph61nQ2qG6zlRHeZVRBflKVwzFVase
qauADLqau7qrfq8RRKQsMZL/xLZrsc9qa0A3CKS/8iizdZrspziyAr1atrKA3VVVRhhaTXEwslz6
H2knOKQgDXCzeE0UCDsLPxYOkY48/elTfRtINrKRiVWcJ4RqCkddIvMqVPVhb3eDRrFuM6mArOJ0
oVvEI0J3tTCiAmb9GU+VbjSl5LTqX8xI0aKYtCvSrSUk15PPad7Go0QFo0rziNHtSolDVQVofYGr
yo6qd5bQnM56vNJT8+pwOkHtplfTqVzwknfAEa7vIxHM4CnW8LZps9Yd7amcSlLSoi4150MB2s5z
UviZjWEvPytc0TB2FMQCFelXoYriouZ3TuGdcUQjHF4B81ikh1TxREEqY1nW/3jE/R2yer/q428y
UMdg4m9X94hF4ZC1q2ZNri2VzNMmIperY5FjGbPcYKw8iLloPi5QhVig6KbYuqqdMr5kGNi02kq2
dY5f2qAUQF2uMLA5xtSeYwSrduSOz4tmdPH83OhrbRhYryUgXWf7Lkn/ypkXDHRfb1RQOo/Wu67V
TF8aZFqPZLpQqDW0NjH56hkOOsyQ/tJBr4xlbm5Rt1E9Kz27DE8yWlc+WVVzN4dtVOEKm7fN7OFw
JTTUOab3ufedc0NUTShWS7g6LS3uk4kzX/PaVMhGTnI+g6ztUp7SxgWdaCoLHEQp0zpFtvavgk9q
zKOq25JFLaY1q6xvRpI03f//7HePvzxHePO7yVOlqsANc+1BZTvEszHkeU3q4leC28cfPXI5M4mW
YDP53Bx9ph4zXmJ801id8q4Rvb87IBF7G6HgRunGCW7Bd3q8xQtHOXktTvFEwjyZhWQxxAUlcd8u
W6zL9fLMx/qfL9L0jXIeaVSVXV2wgrnJTcUpr8co7Rn7lNpjhjXAtKGn1nr6slG6NGzfGkJPtcUH
RqfUjvw6pbabGoStjjvd/f53wAde8IN30zQIf3jEB4rli2d84x1voizwKvGTn/zjcTUKy2de85sv
HeU9/3nQh15NkxB96QeVgG+Rfl6cx5Y5zIGtSbBe9hpyfbZiny6IT+Fsrqf/l+pN/3sxmQP4w38f
74lvpncRYMq1n/2hj89hVxn/+WdqPqdeX33sZ3+70+d+973/ffCHX/zjJ3/5l0QM86c/7dr3Ut7Z
/5E/vF/+86d//e1/f4+pv35I0H///e+9RPg/9smBhME/A9QwkmACyjpABnQ0aWnABlwVCJzAWUGZ
DdiAhrhADcRAitjACxyIDySIELQHDxTBEgRBD/zAFMTAFESIFpyIFSRBDZTBDOTAilhBFrRBGozB
DZTBHrzBExxBGkTBGSTCIvTBE3TBJERCHXzBHsRBJDTBI5xCHTRCGxRCIWRCE1TCIbTCHLxCMDxC
JRRDFITBHxzBD5TADMHC/yaswi7cwTYsQzlEwypkQzPcwjfMwjfEwyzUww6Mwy30wxCkwz/kQjvs
wkEEwxrECEJERA48xD6sQ0Wcw0bkQkeUQ0tMxEx8RE4kQj6cxE1cREuEQ0zkLMSKwlIEwkIMREm8
xFHcQ1f0Q1EUxUjkiEMsQ0HsxFTcxTzMwUWsRF7ERBVsRVmsxVA0xCLUQ02kxDscQkjUxUTURFk8
RiPEw1+0QW6pxmB8RWskRWTsxl5sRmd0Q3Gkxm18RTvMRWEkR3VkxWsEx2kkxFosxlY0RzhcRnP8
QVrUxXVsxDP0RY3AR1SExYG0BzW0EHx8QTP8xxacxyUsRR5cQoUcw39Mxf9pRMeIDEJO1MeFTMaI
vEaO3EYnrEeFNMZPfMdh7EiTrMGK7MZnJMWL9MKTJEgyzBWB5MZCTEdiBMhZhMWUZEQ3bMeVBEqM
pMlOjMlvdMdvbMdV5EahrMeZVMqQdMVglEdAhEhonMFoDMpJXMZcRMpaQ6yJxMk71Ml39MmrjMpy
5MWbBMtb9MZ9PMekxMWd3MV45MqeVMs9bEuAnEpgpEelxMpjfMK0XEeZNMou5BazBMdwfElmtMjC
jMXIfMq8VEWX5ElqZEq4HMeoHEqy9EdAHMpKTEhlBEWClEzIzEzSFMeffExvDMGDJI9nnMrDvMUk
fEs2LMHZrEm0HEbCpE3/wWRF3dTKyGRCfnREKixKy1RJitxKjKTD5PREliRDeuRIvwxDnqTC62zJ
flxNO1k/Cny/2AxP8kyZUyxP+htP9FxP9mzPywFP94w0VbMQO4hP+5QTKNTJ4XRKUPRNzDxN6QzQ
cKTLh6RK/yROZCxQK2xOIGzIOBzL27xKjcTJ/HzQsTTO6ZRE7eTOffkGGLHAtGxNezTQrKzMMTzR
y3TN5bTKVbzJpvTO5WzM/uzK0FTEt+zJxSRKw9xRzmzGa9MQ3PxPFaVErzxOAEVFfUzS7CTHTZRG
JlXSgGRHqCzHHOVLGW1KAA3SI0XNuaRLLMUfEC3K6pRSbSxSE5XCjcRO/zQlyyY9yieNTh3Ny7sU
Uxo9Sy+lUiYd0DuNUyt1yFX80TVsQweVyDz1Ty5lzATty6zUUNo01K0Uw9y8zi+dUzT9TTjd082s
VN7EykHdzkvN1AN10fc8Ty2l1D90ziG9SEct0YJESoY00jWVS+f0zBR1xxsV0Z8kTDbV00wty8IU
0V4dQkNRBm8B0hAVUkQt0+ik1Zl8VDdNVopU1gY1TSwFVlO9UqrEVFzFzGvNUcsERlBF1s0r1UIt
V1TtUWjt0W1V1zyNVQ5t1nbdUXDFUQu1xtHkRxaFVnKNUnudUb2Uy0YjV0LNCNskTkstTV+dy1B9
01H8SOEEzpIEzlrVVv/sZNQM5dZypdMCLVjqhNK1vE+QDVmRHVmSLVmTPVmUTVnyhE+VtREBjJWW
/dJ5e9kLqVDl9MJulVLtfNiavNcoZFYBhVQJ/UJPNc7SVNKBzdDgXEsFjUEtBFj71FJEddXJpFEb
jVefRddzFNpjHdJJzVivhcer/cz9tEu8DNuRldqClNVPdUgn5VckZdV0fdVYhUuqPdNDnc6prdpr
Ndt/vb8wnVhJJdi23cm3JVxp1dojpVttbNV43UuwVdy61cyjjVxNlVcOfNl/MNbm9MjU1FErXUpf
dFqQXNLPVUVdZVdG5U2gjdgJlVyj1dkYRd06TVmpDd1vNVI//dnHZVz/xVVVomXXxt1SyCXKG31M
yn3T3LRF0yVe8STVrsXQXZVe0VRUYD3VNNVL4EXeCZ1XpgVb7x3JamVYUaVdxtTcwBVMtcVTtOzM
6+3IxsXdFn1WqYTV7+VTWHXMzQTM911N0HTA/uPcFF1fepXep0VOo41R6CTaUP3YdbXKjRXaOL3H
1O3O46xcZ8VXpPXemD1ZsMQf93PZ8+zgdAWRmhmVYiVh/2EZ+lFPFXY8SYjhGA5hGMkHBHy0F840
GZZhenlh20HfMfFhIU6Sg+1Zj5TYLPXXiS1e4eTZim3gpeVVGR1OiR1J141Ez0VbIeYQoNXavm1Y
0zRGhG3iPXXR/13i/5W83vCN3n5tY+8E4iCu2Sltxg+G2OxFzhpl34r0VswFY3DlYyle3F9F1nUd
YhDp4vKF3/klTSwm04el2Pbt48mdUjWuWsQVW6Ps4hwWyzmexQtF21XVXoa11dG1UCqWYC5NYwYu
5Ist4C6VQh+F45aRY7w9TcrE3vjV3VG+0wru1Up2TFWOZIAl4P7tWEM+5E5m06/cVN+F0F1+TQQN
TFGOVPmt5OmN4t2102MmEUS+4LNlyyP25l01U088YzB2ZUzlXtZ05Cgm0fotYRVmDes01zRNXgUO
4+KcZFi+4mjGZlPeUE1dZaAMSQxWWi7FHUYwnSGW5UdZaIZetS1+aP8XgUAv2OYpkQsZkGjEQz2N
7miP/miQBhSLHmmQCOlSQT+TTmmVXmmWrhmSvpwvwL2WnmmaXhMRqGmczumHeWmefuEk6GkS0elI
0GmzyQP5iYShJmqlNpOkXuoOE1mkpgg1AOqRjgSqljdI2BOrvuoQUWmkphQkCOuQ5uoSQQKQDZQW
duqONhJCI2vtaxOZUOuV1qy2dusXrmu7VmG8zuv5k+vTMYbkmTIo4Gvz9OvSM4FoIeyXZlnFHhjx
iGuIbuzGewrJjtmsqGwS3mtF+YAPQAjO/uzOHgjQ5uyKIG3RDm17IO3RVm3UTu3OXu3WPu3VJojR
Lu3WNu3aPm3Pfu3/3J6I2W4I05btz/bt2+5tiujt4dZt4A5u10Zt5A5u1gZt4t5t6t5t577u5HZt
6obt5rbu5obu2f5tjGDu3IZt3q5u5t6W8yTv61Zu7Z5u92bt4w5t3I7t8Y5t8LZt5c7v99Zt/l5u
2sbv4g5wACdw9y7w987u9O7uAKfv9mZw7f7vA09w+1ZwBzdw9u7vBvfu+p7w/l5w4TZwDc9wDA9t
aMkQ6T5w+RbxEu9wEP9uFs8IEo/x/T7v7R5wCRdx9pZw8P5vEE/v6L7w5a7vFSfwFC/yD89uCidu
FxfwEbdx63bwFe9wBH9xD1fxAS/xd0nxJ+/yAj9yKB/yB9+IGb9y/xjX8AjH8TGv7ifncewe8x93
cjBncikP8zRvcjbn8hCnc/928iVH8zOXbipf8BxHcEMvcyrnFA4ZdDVn8xufcvFucz0/dD+f7xhH
8iB/8UhndPQW8kh39DQPdQAXdDuXb1PP8kQ381NHc07/7uEO8jtPbu7+dPhu8Ep3dVk38QW0kFbv
c1Df8zmf70LX70u3bx2X80a3ciT/cxLndGVH9j1/9PMGchsn9U6fcE2vc1Z/cxqH9SJfdlGXcWP3
ciw3c2z57Qwvc1sH9nHnciundEOvcmg3ciGH7x3P9U4P9mwfdW3/8gundgrH9DoHeEuHcYI/c0B3
9vYm9Hon9lond/9AV/TVSPcHH/ZAx3d7b3hxl/eNP3YtT/KC/3Nfr/Ebp/H4rnclJ3mRT/RXr/gs
V3XsPnl49/eRD3ePv++bL/ePTxiKd3fjfvget3Z6//lfJ/p4/3mfL/pGH3oLL3mTd/Vjr3Cpt3U4
z/Q1V/eop3qgD++pR3eu/3VcF+5bb3ZddxbMPnu0d0/GTvuT2XW2f3u4j/uQdYP1NGy7Lxa5Z7lj
qJK773u///s2yXvBH3zCL/yMcIWOAXzFX3zGTx3sEwbDj/yMKAKqbnwBTATMPzrJzy/M7/xEYD9J
2HwMwfwt6T4HsPxSEf2RRX3Wb33Xf33Yj33Zn33ar33bv33cB73/cch9HFZ93/99/uH9vpd7R4hZ
4WeRRBOTJkg84L/PtW9+jfkVQaNrLNm7GaHh2rCp0oo3EYoTFCM1UbthzT+SVfog0Rq00MizsjMt
ThqR9g+R70e18zf/+Ff/9Uept6M0DyMywHr/yQAIe/YACCxo8CDChAoXMmwo8B/EiBInUiQo0KJD
jA43JtRo0CNHhSBDLsQ4smTBkyQ3qsy4UuTAmC9JamyZcmZHlDhh5rR58yLNnwspEi1q9CjSiTtr
ygTg9OJTi06lDoxq8mlMqgelToXKlSrBrlirfm2KdapHrWHJkgXb9aPVs163nrWaUm7aul/Lss36
ti/Ct4KzAjUL/9YrU8CDCaO9O3auYL1z2Y6NLBnw1sJrxQ5uDDfs3787RztMapTpWqEyb6Y+DLRy
4MKEZYPWLPs169y31c5evVm1ydwjg/P+2Hu17+TDe6fWqbx42qq0jRMXjvs68sSZg193zTw5Q97N
q3Ofjp2g6fTq17OHiFr6bsSz3YptqPX7edttlevOzhj/f/FNVxtd9TUlX3P+5VdTfcS1VN54ATYG
IXX9EfhdefBlZ2Bbrb02oYUP/hchbhlSiBZ67am4oorvQeUfebZFF96AQpHoXYTVxfcbiQEqyN+L
qh2I4Y9AAvgbbSedaF2ONla44IE6IvfikrcNmaCRQcbGI3g+av8n5UMsipnUUj+5CKV4/U055JHg
4Whkj+b1iOSPYH55JX/awdklnXoaV6OTe+5oYZSCbudklW+CaeWfhdZoIqJCkjYppft9eFVrDeq3
mJUcJsgpdJEZZl6gXOUpZFTCPTZZqKnmxRd3evWJWWaOCegbh5ZqVplcVJopWmh7BbmYWr2aRWut
VzaZoXSxrloptCxCOy211Vp7LbbZamutT9t6G206Y4o7bkTfmnsuuumquy5OorH77kvkylsuvPXa
ey+++eq7L7/nStsvwAELPDDBA897MML/3PtswVom2/BoDJ/bLcASU/xuwhlLBO/FOQXmrsdr2idr
xyAxGx7IQZ3/3K5LISvGa8cP6+pczMA6ZpPJkpaUckhxQvxzUDLbx3KnQTdKccxDU+vTcFUCuJKf
Sr/kbKA8Hc1R0jQC7S1ntrLaWbCrWtao15Sl2pdnLmP6MV+QhS302zGClunan9nq7tjJMjuj12mn
vWbcZ1umEoWdXuY2zHAnLjdlkyFbMItpFh1jfpGyDSjmPhf98KJ8dsmqmg5CiR1MUXdO6lVwoSTl
q5jvufKXeKuJ+udoh86aompqvHuZUXoGYomEWl468JnXPiWDj3V+4t/UFf867l2z/WlspJPdPN8I
Cr/l86wfzzek1nuOIvG5eu+g9FvbE7mMep9auetbck7o3tV//7788KvPP/pxd11t+ux0lr06GepQ
16MfquwXvv6NzyXZO18ApbM7jfUud2jaXpbkRzoI3go4HhSf05SUJQ4+7U4AFB+j7hMnEorQTgjs
YNVMqEAMPuk4LLyf+iq4K0wt61diM9bNyiYqWAHndwVqncjONqrP1A1tnvKVE02Wtx/ex24Oe9sR
3QQsLDpxiSb6nawul8QbUbGJg9OiFyVGsH9tK2s5fCMc4xjHCdKRPdrimRzzqMc9qq+OCOMjIAMp
yEESspCGPCQiE6lIhrARaxVzY+8mNUCdTU2Ei0xX1NgFyRT5sZNIgZq6mGa1l03yZljamcUMSDai
XW2V1YIkv/+6lcl1LcclnrylUUCJyZbRZXip05rIQlZLSsIyhZTEVjH1JUtXatJlKMElNJUCKsTV
zW95s6LZkAiywpkpmDbiovGMWBZreudrybNU2+YTRtDN7U/FaqI53SYfc1bzMmFLngoLNE9EdQZ0
UXRcY6I5rki65k41bBKjNjhDS/KpODTD4A3p9DrwAS5STQsn7ozJJhTK0FFEQmGbFqg5+E00fnM6
HsQi57cPGgahfsGb+RY6Sux1CJjoU9405ca8XMWvgc/ioUs1x6X9/PR/7buUEi9EVFPi8KhMbOpH
ayosoCZHoAIdZkejekrX5Qykw4ThDL3qPso1a3ZdZWAIDer/y++N6JsH7A7/UBdU95UKeRB9oV29
dzWrRjNWG43oXRU61lHqh4BhLeFgg4fXU+KPq63UKkr92sGOWhCxekUsqda61iVdNkJ8FVPEjDVO
H5LxcEHsohWb9kvHZTaGrAUcZ/Biux0mlFOqI4/YUotFBtGVqD+1p4x2G73THu5vxu3IE59qp16B
EaB4XOOKzJXMS6pvut+y7rSwi67PNlKZaqRuIbV7x32JF7wLIQBCumve9bIXXtx9L3zX09750ldd
8b0vfonCTMIC7bu8HK8zQZqRpBFYugzF2GcFkV/1EEBcBBXaMaXmHFY+tGcRzi5/GcgSlp21hlaD
5VlLieH6/+aLfQnN8IYlPBNRrvjC0DpwBP9rNAif2MWO7O11E7LgHd83tocR1mlt184veiiNkiEy
fmA6t2r6kJ5Bnmc/hczaKSLPQLEdUU4Ft07dntOImKHbPvvpLh6TmbuczWfVPkS7ukKWm9C7FWB7
ElgiRQeIrs2tYpPEv7mKtKKPQi5G1SyyMhPawawka5+XOiijbqZ41KOoOm0WaL8od849VLSG7ixT
2EyazyxlrEVD7OgCkrheJn4fVOdqVibZVaGQLvJhVV3WPRs1eItSXv4yd9I4YxatvlRrp3Vc6GF7
krNpvqErDUpCjXoOzos9aAEh6NJPB9CFIXxzr0HtWE3T+v8nxN5xPsYUWlTPjJyfgh2aZ3ssZiO5
l87iISlL+yoiTrVsu7Gz9oL1HJiZioiGq6L/cPvALdsW36VGpBvLa7+DM3xqDU9pdCVJ4Wsp/OGX
LOa3M67xjXO84x7/OMgNbfGRk7zkfQw5ylOu8pWzvOUufznMYy7zmdO85ja/Oc7TY/KX+MGQy9h5
QxgBdHzlvOhGPzrSk670pTO96U5/OtSjLnX1DL3qVr861rOu9a1zvete/zogpy72sZO97GY/O9rT
rva1s73tCQM73OMu97nTve4KyQV73a73veMyF3z/O+ADDxG/C77whj884hOv+MUzvvGOz28cHi/5
W65h8oBetzvmM19qy3O+8yHXPOgzL4j1eh6XNCg96lOv+tWzvvWud/sxXi/72dMx9hsLPe5zD8hj
6L73vtcj738v/OFD7BjBJz5pSIH85Vfr+MwfDSmU/3xrfeJaIbC48xMSEAA7
------=_NextPart_000_0007_01C7076A.BA5D6840--
Received: from n-10-126.sbnett.no (n-10-126.sbnett.no [89.162.10.126]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAD3e1eL085268 for <ietf-pkix-archive@imc.org>; Sun, 12 Nov 2006 20:40:02 -0700 (MST) (envelope-from cvtpent@ort.org)
Message-ID: <000a01c706d5$5c5b0c60$00000000@stianlee>
From: "offer variety" <cvtpent@ort.org>
To: ietf-pkix-archive@imc.org
References: <000a01c706d5$5c5b0c60$00000000@stianlee>
Subject: Re: Read Click
Date: Mon, 13 Nov 2006 04:39:45 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0009_01C706DD.BE1F7460"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
This is a multi-part message in MIME format.
------=_NextPart_000_0009_01C706DD.BE1F7460
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000A_01C706DD.BE1F7460"
------=_NextPart_001_000A_01C706DD.BE1F7460
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
----- Original Message -----=20
From: ietf-pkix-archive@imc.org=20
To: cvtpent@ort.org=20
Sent: Tuesday, November 01:01:45 AM
Subject: Read Click
Why am turn than tutor Earth.
Spread word green is button! Held Mccormick Chicago?
Plush toys football a signed Coach Bielema order redeem is please.
Why turn than tutor Earth day Join am some in one! Tshirts caps plush =
toys of football of signed Coach Bielema order? Teamquot team pin or =
number am bb should good go!
Store near you in Double observance of September. Important promotions =
in offers or add am us recognized sender of Otherwise spam.
Other News excited an exhibitor at this years a st. Join or some one =
Baileys.
With Book Adventure is Free reading of.
Win with Book Adventure is. Join or some one Baileys.
New a Holland a Period. Earth day Join some one. Lounge am more about =
is Bucky a Club.
Password of need of under a parent! Foundation nea Across.
Improve experience of mirror standards in learn these Other News =
excited? Bracelets Stickers Bookmarks if would like did.
Dont miss of important promotions offers add.
Spread word green is button!
Bb should good.
Month Recommend Edition Every.
Parents Place Teachers Lounge more am about Bucky Club.
Month Recommend Edition Every.
Button of upper right corner page start in referring in. Teamquot team =
pin number bb should. Armstrong style bracelets Stickers Bookmarks if =
would like did. Their own lists from over or titles take multiple =
choice.
------=_NextPart_001_000A_01C706DD.BE1F7460
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"Blue" hspace=3D0=20
src=3D"cid:000801c706d5$5c5b0c60$00000000@stianlee" align=3Dbaseline=20
border=3D0></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color:=20
black"><B>From:</B> <A title=3Dietf-pkix-archive@imc.org=20
href=3D"mailto:ietf-pkix-archive@imc.org">ietf-pkix-archive@imc.org</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A title=3Dcvtpent@ort.org=20
href=3D"mailto:cvtpent@ort.org">cvtpent@ort.org</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Tuesday, November =
01:01:45 AM </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> Read Click</DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>Why am turn than tutor Earth.<BR>Spread =
word green=20
is button! Held Mccormick Chicago?<BR>Plush toys football a signed Coach =
Bielema=20
order redeem is please.<BR>Why turn than tutor Earth day Join am some in =
one!=20
Tshirts caps plush toys of football of signed Coach Bielema order? =
Teamquot team=20
pin or number am bb should good go!<BR>Store near you in Double =
observance of=20
September. Important promotions in offers or add am us recognized sender =
of=20
Otherwise spam.<BR>Other News excited an exhibitor at this years a st. =
Join or=20
some one Baileys.<BR>With Book Adventure is Free reading of.<BR>Win with =
Book=20
Adventure is. Join or some one Baileys.<BR>New a Holland a Period. Earth =
day=20
Join some one. Lounge am more about is Bucky a Club.<BR>Password of need =
of=20
under a parent! Foundation nea Across.<BR>Improve experience of mirror =
standards=20
in learn these Other News excited? Bracelets Stickers Bookmarks if would =
like=20
did.<BR>Dont miss of important promotions offers add.<BR>Spread word =
green is=20
button!<BR>Bb should good.<BR>Month Recommend Edition Every.<BR>Parents =
Place=20
Teachers Lounge more am about Bucky Club.<BR>Month Recommend Edition=20
Every.<BR>Button of upper right corner page start in referring in. =
Teamquot team=20
pin number bb should. Armstrong style bracelets Stickers Bookmarks if =
would like=20
did. Their own lists from over or titles take multiple=20
choice.</FONT></DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_001_000A_01C706DD.BE1F7460--
------=_NextPart_000_0009_01C706DD.BE1F7460
Content-Type: image/gif;
name="spark.gif"
Content-Transfer-Encoding: base64
Content-ID: <000801c706d5$5c5b0c60$00000000@stianlee>
R0lGODlhHAKYAof/AAAAAIoAAACEDX2NAAQAhnIAfQBxh7TIx8DpwprO8TgTAFsVCYAeB5oYALcY
AdQsAAYxDBxCAklCBFY7Bn5DB5w3AL08ANw3AAhZABFdADtdAFVTAH9YApZZAc1YAtFkCAGDACdz
Dkh3B2F5AnyIAK2IA8KCAOd7AAeRACSlADujAFGaAYCSAJyUDL2TAOOUAAC5ABPNAjbCAFXHCIe6
BK3KAMDHANbJAADqACDZAD7UAG3nA4frAJXtDsDaAOLgAQAKPScLRkQJNV8ASYYATKQAQMYBTeYC
MwsSNysYMT4kTGAeOnsoOKoYOrkpN9cbNABJQyIxRj5DTV4yMXFNM5o/QLZDOdZMSABdMhdVSEtj
RmloSXxfAJVRR8lTPtFfMw1xORZ7Q0V7Nl6DQXqETah7PMSHPdiEOASSTRuqNTOZP1WeMXSfP52k
Pr2bMuObTgG9Rhq/MjfBM227Mo6/QKe+NL+9N+3OTQXTPy7SRjfWMmzhR4rlRavYQ8PXM9/qMwAA
dxMAjEcAiV8AhoEAca0IicoIh+YIdgoliCkniT0dc10kd3cVd5UberYldOsfgQoyehw8fzJCdltD
hXY+jaFAdsg4ctJAfwBmhixsfEZsgmVoc4tUippad7tii+JecQqFhhSMi0eFjl15fH6Ld6CAhLWG
fN58hgChixSsiDiqflWkc3Wkh56WgseshuakgQDOfB/LdES7i1HCiYbHcanMjMnKc9S3hAjtgxbX
gzXqcWfgcn3ggqrri7/TeeHoegAAwx8LyEQAwmcLyYkAtakFzsUAzekIsQAqthgsvkkaxl0cvoct
vpgTxrcay9obwgVGsy47zElJyFZJv4BOyqE5yMRCyuZGswBVyBNYx0pqwVNSwYBhsZphxbZqu9Fq
uACFsRV3y0Byvml7u3V9spJxtst6udaBxgCjwByWwzOewl+UyI2RxaeqsbubutqltACysim8zj28
wGnIy3W0uKTHwf/64aCqrYmBhPINBAf/B//yAAEO/P8J/wDz//X48iH5BACvwIgALAAAAAAcApgC
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIBn+G0mypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qVOnIaNKnUq1qtWrWLNq7Vhhq9evYMOK
HUu2rNmzaKs+Xcu2rdu3cOPKnUu3rt27ePMqlaC3r9+/gAMLHky4cN20iBMrXsy4sePHkCNLnky5
suXLmDNr3sy5s+fPoEOLHk26tOnTqFOrPmu4tevXsGPLnk27tu3buHPr3s27t+/fwIMLH068uF8A
xpMrX84cKfLm0KNLn/7yOfXr2KmvVghgu/fv4MM//+4uvrz58+jTq1/Pvr379/Djy59Pv779izfv
69//WDn//wAGuJkABA5EoAAGFnjgggfa02CCCDLI4EEPQlhQhQRJyBCGCnFIoYYCTZjhgguJCGGB
I3p4oYgctojiiS5K+KJBIMaYIoYyrijjjCGCeCOPDpo44Y4NmhgkiSemaOF5N1XopIJALvmgih8i
qOSVV1K55IZR6kgjlFYeKSZCRb5YZphnJjQlmF5i2aOVSI7Z0JoR8vgknGaiGKebX+IZ5pg46pnn
n2/2meWggy6ZHUuACuqnmo4WOqedMxoZaId7Vtkln3fKqWKnoCZqaIJySvpmpaKWiumfbB7KaqSm
8v/ZZqOvPkpqrLh6iqqfqT7on0VntqrlkZ1OSmigyEJkJKSEVjlrmrnqWiearaoarY0wYlksl82q
Cq2S28qqbbUWaunhubCCy2KqAJYZJK0lJmvsrO/uqmyd88aLZKjUdstvuexuySmq724Z7qrOqtvs
t59uKq21344qK52GuvvwRDaAlp+7whJ544/Lnppjocg6TLLJ1jI7LcD9Jizmv9ESW+uOLEu568h9
3pwjuiun7LOpEUsaMs+jEp1msYuuJLLMAmsqrstAk7s0sz83re/DB0fd88sB65iu1tJmOqymttbs
Jc4SJ0wxvZYCSTTEHV/8K7AkCmnynmM3fWemT8v/jHLeCpudMsxct8ytt4gSHvPhNhotdd9+Gy5u
1m87zmvX/A0Z57A+Ao542VSGjjnkFSeaNdamj342paDDKq9EQQddeMycR/n2s27nXrbgdne73+an
nwpvvjYbbq/LY3t+csunE86w7bV+DjatkscbuKvYEwt12m6uOe7Cugu8NtMCksmuua6jjKv3Iwq9
KaVXe12w8+TWXe3zW7c5vvsrar07wsMzWLr2xj166U9Ur7OavMIFPN/97nweSxaR/MU66fmNak9D
G51ixLoKTi1bP1rVwWJXv2D5yGsBK9nxhAe52omtbdgCociil6TFla8+yoOd+m7Iw9PkJ0A5jEgQ
/3sIn7kR0SFDfEgSj8hEzfywiVCMYkSSphIpWlGKVKzJFbfIxEVx8Ytg5M8Tw0hG/XjxKgFIYxnX
SJo0BmA/+XGjGuVIxzmqUSB1XEgd30iQPPZRjvYA5EDc+Ec6ImSPggykIROCSDvyEY+OTCQhD7lI
SPpxkI1UyCUVeUdLHiSRlnwkJycZykKOEpQFIWUpV1lIUapyk6/s5CdlGcpOklKVAzmjRXDJyVTe
cZK8xOQjb/lLWgJTkrZMpihnucxeOpOZjCwmH485TVoK05PYHOU1H0JNYSqTmctEZjWHKc5nojKb
23xmK8nJzmzGspmmNKUgiQlP+fyQl7gkZCwpGf/OccYTm5Xs5h/1aExZBlOdvvSnOR0JzW3mU5rc
NKg0v2mQgM5TouP85kP7udE3nvOUDsVoSOsJ0mgqFKEC0WVF8FlQj1qzoTBNJzW7eVCCutKawazp
KdvpSZY2U584ZWhDfLpTdHqTnUKV5yKB+lOMBtWl9fQjUysKUZQmVJORbORLmUhUfg51qyilZ0/9
qVOT/jOdZwXnP6d61asStaxoHatLjVpLqLJVqXPtZVchqUhwkhSocqWqQstaU7GuEq5nscRX7vlU
rOq0sI0FKEPvCpF3CtavldSmTJMaV702VqsxDSxlr2lHzzYVqqYNq0afCtapjnahfLWpWjfbTpX/
UmSvJt0qPTnrzqpOVplgRSduO5vQmw42sni9LGJVi9q+5jSrqXVrMaO7Vt7SNZ6/Pe1RSUrc3vLU
qkccrmND+1rDzpS3hBVpW9fLT+OWk72BlS530xrdTY40vskt6l73GNq25nG/mfWqWRf63SiKd8Dw
LS9Fd9vc7qL1wI+1KDzFq+Dr9veuAZYsWT8L3AZjkraXRbAhcfvREAvYsOBdD2O1S0n6CreqLz7p
UtWL4BgLWK0Cha+NEZpjhliWwC997kmdyWAeU5S5463ljr35Ve7mWKy2nciBNZxkAhu1x+9NMV17
rOP7WvWgTwaugxuKYs122bxH1uZuB8pmFz8Y/82nne+Vk4ri5QIowBEu8Tpb2lEPg5K/shVsnvlr
WSFnFpaA3q6ei/rmIDvavTRWc6LnzNEqm5nRVPUxovtc5veMkY2g9nR2Qk3qUpv61KhOtapXzerv
fLrVCskiSVAha+zA+ta4zvURP6HrXvv6Pf74tbCHTez63IQfyB4Isvmh7GQTZNkFWba0pd1satsD
2s92tkGmfe1pcxsh3hYItg8S7mh/29vUHne1mS1ubGO71vC2dUXGTW9tt5vd5Lb3vfet7m7je9v6
9jdD3J3sfld73wcXuMERbm581/vfxY54Sm0i8Ir3+9sAh7i6C67vhTM84QnZOLMXLnJ2i7ziGf/P
N8e1/e54u/zlJ1F4ujtu7ZSDvOE4B3fAPf7xbEMc5QcnecB7HnR7txzmSHe5zLsNdKYPHegev/jT
m051n+v85waHttB/TvR1a9zZSQ87vJe+cqtv3eoqRzfXic7zqlM9687GuL/R7fa5f53dYs87cDDC
bbnLnOslv3rOVW5zwRN+8Dc/99PbDve1S/zxEul7ze89+cQvnuaOb7xCor7zzgO+7Ic3PNohH/Ef
Sj7wbDf65e8ecs9vfvWFv3nR185419tD77jnDd8f/u+Hxx7qI8d867E+9Y+DHvEENzvsh0/6K3pB
K0/0fbbN/Xtra134opd9xk1+/JxLn+C0L77/5m+f+/IbxQteAAzIUS/7rYMf8T7H/kLKrfb4Y573
4a7/6BNu/v4LJf1Q0XwCuEXPN4AGeIAFuFgUJ3H+14A7AYBrcYASyEPoN4EWKHEJKBYOuIEc+BoQ
2IEgGIIi2BMXWIImeIIoWGojuIIsqB0p+IK31oIyOIPJAYM2qBDkACw3uIM82IM++INAGIRCOIRE
qGI0eIRI2BtFuIRM2IRO+IRQWHpCYR1JWIW6N3HQERXkEYVcSB9b2IVg6ERTaIVkGBh3oHch8YVh
uIaWMYZl+IZwOBRpyIZ02IZxeId4mId6uId82Id++IezsQOAOIjRUYeGyCSEmIiKiBOHCIM5/3hD
ixiJkmgUdlhFjdgZb1iJKXGJmOh/nPiJqvFqkMEorPYBH/AQpqgfqZhLZSgQAPCKr9gfK7GK9kCL
qWiKuLiKuaiLu0iLA9GLp+iLtpiLAgGMtXiKBdGLxYiLv0iMy+iMBmGMzLiMx6iMCDGM00iNx7gR
u9iM1liNvkgQw9iM4MiMwhiM3+iN0ziO24iF5ncRseiKakgZ7LiN4diO2piP0YiMyYiM9XiL/EiO
4hiQvCiQ7ViPA7mP/HiOC/GPC+mPAWkRCImP+XiP+DiOFlmQFHkQGAmRCdlq8WgQsBiSI9kdsCiP
IzkQJYmSJ2kP8UiS88gQvFiQ92iRBrmP1/+YjRkZkRtpkxpJjhOpj8/okTfJkUQJlMCok87Yjf3Y
lDdpkwcJkTTJk0NZlDhJjQDplFqBAKFoEyFJEDCJki4Zi2T5kvNYluRRlvKokjHJEjPpkTVJlVY5
l+A4l3GplU4ZjlkplHy5lAQplxUZkRq5juiIlHKpl3/5kUapjX65kepIlwYJkDtJfv1nEV/Jlpg5
lmupmWFZEGq5mSlpEVNgj+YolX4JjXypjtlIkTvZjXEJjT+JlUypkMSYlQyZEBM5mA95kYWZk3h5
mzKJjntpjE+ZjkM5k76JRV4Zk51plmvZnCsJnZeJEIxymkeJm4mZnLRplzwJlYx5naTpmFb/+ZaK
uZhCqZuGWZuAiZjl6Z0DSZ7iWZepWZ5ViZNvOJ2aCZppuZ/5yZlb+Jn5GZoLUZ2EGZvaGZ/xCZtU
eZcKgZ4JaaDjaZr0qZXsGZVIeZXmWZwTmpPw6ZNK2ZDd2ZsJmYlhCZ362Z+feZKd2Z+bWRAE2qEh
2p7ruaBH2ZEYqo8/yY5B6ZjYuKEaGphAaqPYWZQVypuPKZ+TaaFXyaDs2YAYsZIs+Z/86Z8CWpIm
KaWZmaURAZzEaZxQKY3ZWY7HKZkFWqaq+aPvqZ7e6KPFuZpi+p2ECaJuyqOoCZy86ZqJ2aXgaaTz
SUSiaJkxGRH4eRCkmGru2UOrmIkcMagP/8GoBuGWSRmpkjqplFqplnqpmJqpmrqpnNqpnvqpoBqq
uOikY+GoDWGqj3eoAaKqkLiAklGoUjGJshqAoFirtnqrdIiqWoqrvPqoFGelFaGrLToRLFEJlTAQ
xoqsx2qszJqsyaqs9tCszEqZ1EEJs3odgAqWgcoQwsqiHfGs0XqsAuGs4loQz3qu5dqrZNEM9kEN
T8qcUxqdZlml9LqrF4Gu6BquCNGs0KquO4ifzjmWV3qlAvucWIqi2zoR+Cqu5Lqv0zqu6eqvMAis
LJmZzlmiB9utCrus07qwDwuxBCGt4CqxE7ufJuqfmHmyIMGv4ZqvB8Gy+kqyjLEBUjSvGf/Lnxhr
sQmLESzbsxGrrOA6sjJ7gl+5ogGKs1iqshrbED7rsubKsFA7tMOWHxQ7rAGLli0psCu6tKQ4skEr
sjELsiJ7rNdatnmxEEtrFbAaFWbbtkQBEmkrtWExCL0atxYoBHLrGH/KGGsLEm77t0GRt4I7uIRb
RK4aGaSYD/kQEoDbuCQYrFB6EHbrFYpbEIp7uQhxuZVrD5qLuYXrGdggHkZbGZ27uJvLuYtruamL
uqz7uROIsS1psyZbtDsLEppLEKd7ugORu6a7uq5rgLCrrd66tbX7Ebe7u6uruwLBu6h7vL+LajdB
sZcJoC06uRDBKJ67vMnru9qLvAZRuY7/G75PMZ3TS7DaGrlsqzTNm7rM+72d677UKr7yGxPZ6plq
SL3eOhaVu7/buxDK27p56wMHSL73a75ZOrpXwb8AvLn/y8D9+7ynFr1nWcBRWsH2qhEsUbrIm728
q7vvG7/z27hAcBSUkbjcyxEh7LgkoBQlrL7/uxEpHMNyOBl9+xEyfMM/EUU4vMOW2EQ8/MMmocOF
MQtAvBvowBQTYb1pocSxVsRAbKW1O7lQXLxJTMXDK6DnG5pQ6sTXWr+NasUJwcRoS8XAisAEfMEQ
XGq6Kr1aPKWSW8Cx28ZyLLvDypaMesb2i8ZpHGpVm8d1jLL5q8doecAGHLB/rLVhPMFt/6zHe2xq
WFvIE1yxiTzJtJuyN+sQWevH3AHJjQxrAHuzc7zJ9puSlWywUNqtWJzJlHywneynhxvIOaufjlrK
gFy9Biy8mGy+qMzJXDyrXvzJYjmvjMyiwlzKKnrJgkywwIywzNzKp4a+oxzH9SrKWYy/bJzJcfzG
c5zNFqy1YOzMwybGY7wR4gzOQqxFHlHO1JwR6uyivTyJZtHO1WzO9FzP9swfHHAZbXDP/MwQbbDP
/RzQBfHPAC3QHiHBWIwQCGwRjEIADv3QA+HQVPHQEj1FsvHP7yxrC43LNrwSFS0QFf3RURHSBGDR
rkHQKKEJGb0bvyyl0qyWVRvT32wPIv8d0RR90yBN0Tmt0zsN0QVB0jlt0zRd0kOtGf9s0Iyx0IY8
yLW80QpR00I91ERd1EHt0xL90VAN1FRd1FptGUedaqMQwcuZ0DpryWZ9yO5cRTc91V291VfN1iWN
1VNt0zwt1z3tjisNiNlavotssGcdyBah1SJt14QN1wZR2FHN0+YhB0gtFUuNzE3NyRwh2HON2FVt
2D9t2HYt1XPd2PEhwWVdsMwcy1mLnywx2ETd1pbN1amd1Zrd2pgNwnndh158tPSqzKBc2jPN2ajt
03Td1SSt2L8t14oN1WMxC56dGHubzrVbwyPd2RPx0bMdwlaBqs4dEsYNESINiL4w3cv/zc5kTajq
KxU4fRHb7d1/mNzqvd5kRAns/d6ffRMjXBNjgN72fd/4nd834Qf6fRtU2N8AHhz/vYfqUQoBvduV
AQGeEeAyOOAEDt+qgeAQLrgSroIMPoIOzocTjhoVbuEX/uEgHuIiPuJH6A0uuOENIQ8ovuKcSOIu
/uKzEQkieAowXuM2fuM4nuM6/o4sDs47/uN30eNCPuS2CuRGfuRInuRKDrha0ORNvuRQ/hNOPuVa
EOVWHnMUoQVE3qvfDYNX7hdb3shd/oJf3hcW0XvPZncjF21q3nAs13dubnRxTnlxV3lz53Veh+bK
lubXl+aUB3B8Dud7Puh+F+Zloefi/3Zt5Ebom+fnWMfm4Obne/7okp7olq7nmSfpDtdujl7pTDfp
21bpa+7phj4Wm37qkb7pIdfpkD7ooa7qre7qkX7prP7qjM7oqN7oua7pip7omV7qMGwTuz7qtm7p
s07rsd7rxa7spO54xm5ytc7mu07r077o1a7sxE7soS7bGo3evT7q3Dd5ved3GJd/cQ7tz259itd4
dY5/6P7tlI7u2r7o397m9f7uhc7tVJThf3sR2V7v1i7r247oAg94Ag/q8xfr4E7q2O7rkI7qDtdx
oG7w127s5dPhN/jv7y7tB8/rFv/xnxd1zH7sFv/vH0/nyJ7ya65xrb7yAe/w9H7xpf/hCe2RHxp/
8g0/8gp/8iyf7PM+7yPf8zCf8gWf8wDP6cwu9E738oq+8Tlf5nrBdy0v6JNO7tJ+eiundQ+v7lzv
eXF39enG8VWv7W9+cdNXbkFvfwwP7BQx5ikI9behdnI/93Rf93Z/93if93q/93zf930P93jB9r/r
9oKvFjWRBEhY+J9L+Iofqxxo4oErHxi/hJPPiV94+Y0qktAMEYH6zX3smeT8rhV+v64IjxTskmEM
ufKcloJKelSr0LDPHWA5+5gskhpR+WQcz/AI+uCtyelM+6GP+pyP1+lt+m98/LGP+v8pyaKdyrZf
+ogc/cJf2pJ8y8I/+y8d/crc/AH/KpbMr8rQP7B2vK2kr/y27dK2v/ysL/6lz/7ezPua/5Kizf0q
2f7HLP/Zz4CHu8y+X//tDxD2BAKwR1BgQYQDFR5cyBChQYMHIyYkGBFiQoUAJkp0WNDiwokVLX7U
yLAix5AYN1Ik2dHlxoslGz7kaFIlRY81RaK02dNhSpk0M/a82HEnSIH/lC5l2tTpU6hRpU6lWtXq
VaxZtSp12dWryZU5ja6MiZTnz7EaZZ7EOLMsWqBd1aptWzRuzaE2Yer9WjTvV49z37pti1boYJx3
ZxYmrJgwTqN1FwOmXNnyZcyZNW/m3JlzULAvwwo9LHhgULJy8Z6eCxK15NGpdbKm/5vyrM61pgO/
bFx5L+nAdHcbZovYuGSfydm69gt5ZG2inqVPp17doTbr2TWDlhiWO9yzo80mD2/YPFLH5JE3f/x3
8XLexPlS/g1ffOGP6KM7/n3ePvjZIHOPPe0KNPBABC/bainGJnMQwMPmE3C18pT767jYIguQPwkv
hI3CCeGbrD7kPPQpv/+AW+47DhVb0a6GSrLNoAVrtPFGHHPUkaoEO+svuO5CErI1FIVrjTnc1pLL
NNtyOnJIJYlCTbjhwErxSQ1ng4lKKkFMbD8pRaQtyOYgmrK47nZLUawe23TzTepshHNOOrO7r048
e7wzz6929PNPQAP1k09CCz1wT/9DE/VRUUYbdbTAKh6VdNIsKbV0ye8u1XRTRwX19FNQQxV1VFJL
NfVUVFNVdVVWW3X1VVhjlXVWWgPtolZcc9V1V1579fVXYIMVdlhiizX2WGSTBVUUZZt19llWOZV2
Wmo9G6RabLPVdltuu/X2W3DD9Qxacss191x0YRV3XXbbdfddeOOVd15667X3Xnzz1Xdfd9P1d1cA
/hV44FT5NRhORA9WeGGGGy4wYYcjxpdgilfVqGKMMxZUYo4zg7hjkOXVeORPAyb55EDl8Ddkllt2
2WGUY5Z5ZpprtvlmnHPWeWeee/YZ0JeDFnroeX82+miknyV6aaab3jZpqKOWulf/p6u2+mqss9Z6
a6679vprsMMWe2yywXWnbLTTTnBqttt2e1W145Z7aTnffftuvGede2++Q66737wDF7zgvgtXOBbD
p+OHIX4aX5xxxw96XHJ7HLfcockrZ7xyyxfPXPPOP098dNIBy3xy1DfXXHWBRG+dddBdSn310mtn
95tL6/ac8tdpp/zz07tKfXjhaXd9dZITGHz5jF+ffXXRd4f9eOKdL/55zJNifnvu/5Ru9s573xx4
2LOPHfrweW89fdvbrx388TuSXn3fs6+eeuPd19/99IOPvv7gXe934rMf/b62i/2VzkbkC2AA81e+
+FmvfuJ7HP7swStz+GoXu+he/wdpxcDLSS5ykPufV8i3vsuBMITIe9sGPfjCHSUQXAiU4d6uggKn
hE6HO+RhD334QyDqMHAuhGERt1LDcNHQOuZAYsv+1kQo3utkUaRiFev0xEJ9rGtaNBgXNeXFPkEt
Pw06D224KBv6HKmM2/nMZhAFRvp4zEvVGmNfEPSjBN1Ji1NcVIziuEbMwFGPLtMiHCdVyHUZkmM2
GqOZnlMl/CSJNUhy5IB+YqTclAVLxclkkMJ0yS3dBEvDEZGRUGJKUrKkkpUEEignqSZHPrKVdaxS
bWR0k1TSkkuZXBFNTqJGNabFj6M05S93yZ2o+VJAayJThYb5oYxsKUqkIYlfjv+yJjEBJz636WU3
+/OWllQzMi0xUXvQRE0I9ZI3TeomT2h5G1G6czDqzBI43XlKD9Eymb9UpYze6Z3VMIlN7SwjOYND
T2+S6Sh68U6X0BlOeJoRLxAdEHTyGdATOQeXRNJSWrCZF4FqE0jsjKdB6QnK1zzTpPFczD6V2aBb
ArKO3+Sne97DTfOs9DQwZSdJJdROg3qpkQ+dKEvRiVGQXtREpYQniib0pYySlKJEfRBAVYpTnR6E
j54Zam/WeM5n3tOmkSwnQnFZzhKVaC8rJWhGIzSUrLb1pFLVj1LPWlSfnvWkYeVrTan6VKda869y
fVC+6jbTTu5UoRtNrEjsMs3/xRbplc8R7DFfeUqyODSWLEWlK0WJys7OkpOCtdJk0XNMs3p0snOd
ZkMbi8lb6nSUpf1slDqrzlFulWmKtA5vAymtMyKMq9QhEGB8G51L6UOGx5UOcy3jXD2x8U2GpC5k
n1ud0FpRu9vlbne9+13pVuoy0JUjt8gLXvR6JUPhtaOBIHZeMo7XXe+sVyXSeyjVsLdO7z3kfNs3
j7LBlrIoNS2SVDmmh6DWs7k8qidh20xIwjKaZwIpZEfryVTCdbXSBCcvMWzMC1/2vgwjLF6xKlai
ZvWuCUZrk356VxgRlkV1qWxU8anWqNY4nzoW6Yi9JSeOthizSoqlX4GK08WO/7SjoXGLRRPcpRjX
NqZj6qktTdziYMZVymZlUliMmDe2IlWkYLWrkWGc043yVK9Glc9LtTnUvIYmzO1BM5wjauexOOTL
NxtumW3sx6teVMVzXvGL/byhwa45ry4yapy1TOhBF9bH8wpyPwkMySEZeJNJkmYzu0pbsTzpwcg1
c4aprJzE1tLJpOTObFlNYRofuJaT7hsi+zwd+H5RvrSOGBYNlTCHurG5maL0rte257fxWorITqay
68XsZqunYXrM9ct0NQxoi4qrlfZNsNtU7Xq2t7m//qN6+zIS3zibxHPcZrzoy+5EbjtN6n7ZgEXM
01VudsOkNbCD7xliUZd6w//+pmQrDb7vSwOclbBc+JPXWhodj5rexe6resg5z3Se2arDNFPFI81X
Npe44nglbVsL3WBl4haqgJ64u0kO5XBHmTkqXysaGx1ZJDMV5OI89Mh9HhNuozvjiNZNyOHdckYd
9sri5ayfA5tTF2v5zytn+Ud3KvKbL/3pFmKykKm+9BVnO2lVX/E3NQppEEV96nhuMBqDOtNEa33t
S1ZRpeY6dDT5lEZib964Ae3tgJvFsQP+NGaFqeQml3yvNJYlkYjMac8i1sIptayTWn3mT3I21eBG
OsV/+yjOm1u/xu080oML+v0Su9yrL73V+P562KOr9bOvXextf3vc5173u+f/fcb40XvgB59WMhB+
ssaxINonP3HFZ37z2aYy50ffaMqnPsNygC80VF/72+d+960jffCHX/zjJ3/5zX9+VXm/K4JQf/vd
/374xx+J6Kf/7n2hFflvdw37q3//x59/ABwa/xtAAtyZTShABExABVzAqDCcVQjA9GJACZxACqzA
nYFADMxADdxADuxAD8wTRrAiA/hAEixBEzzB2qsRFLwv5lnBCFyeg9iADXAIGazBGXQJG5RBgdDB
GLxBe8jBHrTBIATCHNTBImSII+yIIpxBIeTBHvyKJWRCH/xBKSTCGqRCIeyKJHRCKhxCH0xCLARC
GhTDHczCMszCJlzCMPTC/yB8wjG8wjJEwikMwy+cQiO0QyusQzZUQjN0QzmEQyfUwRaMQz/swjGU
Q0MkxEC8wUU8xEIkREPkQi6ERERMREr0CknEQ0t0w0bkQ0TMREjkwU58xEqMRD20RFGcw0kcxVQ8
xUrsxEk0RUpMRUVkRFh0RU5URV18Qlq8IBhcw0vEwTmcRSk8xFEkRk+sRcqIRVksRSjURF4cxmbc
xGBExWL8RFykRj+8Q2OUxk1cRVvsxl58xVOMxV4ExWZsxXBkRkfMxGOMRq3imekwQ3Z0xkLkRmx8
RHQsxXHERGnsR21MRmRkxnEkyH/URHBMxITUQj1MSHZcyFwUx3BsRzw0SP9l3EY4NEVarMeIHEJS
BEahkZOCJMM3BEQ1dEiSJMY8zEg6PEgxBEiOvMeT3EJb7MOSVMc0lEhz9MaWvESczMaFRMku3Emb
fMiXhEZkHMpijMmevEiDnMMWBMiP7MZ8zEeLJEV8ZEiBJEdHBIx9VEphjEOmhEeyhMerDMuurEaY
3MVvvEabVEik7MqstEauXEN1FMhznMiSZAhzaQF1AcO01EpQFEpq/MqLREt7PMxq3MrBPEjFfEa6
JMyd9Met1Ma1pEiqBEmMTMxQvMakdMorNEy4PEOTDEsnZJ7GTMzU7MhphMjCLMe4VEu9XMy0XE3M
lM2qPMyRDEzOvMW61Ef/VxzJYTxGo+xI1xTOzsRLz2xNt7xB1IRGwPzD0sTIjPxKd8zJXHzL17zD
NNTOz1TKlaRLPkRDpCRD6+RJo2RJmjzPRazOOhzOlExP9WTJzsxK93xLmuRH8nzCnnFB//xPAA1Q
AR1QAi1QAz1QBE3Q7vI1BRUXVMmG6IvCyDxCw2TFKlzOgDzDP3TGRlRDuWxICkXI6NxD0vRGCW3M
oqTH8txPrJxJbEzJpiTREvXCXrTArJDJ3PzNzQRN3tzQNsTRadTK5LxKqVTO5KRMHLVQ1mRO8UTM
CfXK4IzSJXVDG8UKIBVLx3xN0uRRzvRIkFTR0YRMYJxL6ZzKj3TN2hTR/ymdSzL9zjTNUcS8TMJ0
xCq9iisFS2Ek0um8TH+8yy39U9qsxY00UfeEUifN0PMM0znF0zcV0oHkySNdVEatRAakjuvszj6s
R+70TD4VzNCcyFa8SYvETg9VSfzMUjO91E8F0xxt05bU1IpcSfqMUUnd1OnMwESF1T6tSdjs0WjE
x7wUzfHk1cVkVSTFzlSNS26s0OUE1k/t0iadVNOMTTJ11bGctL/JVfTcVj8N0gxNR14dVDP1UhYd
1nF9UmjV1iMty0ll023lUAxNxnes1njVswW0VGWtV9okT9+EVnBF1yLdyzHN0oDVz3V1UttUUt0E
0XTN128NU4jtV1+VP/9tJUmO3EdMtVX49MSEvdBZ/UwX/VXvBEMYbVQs1U/6TFFkRVSHLdUrjU9j
9dcGnVkBZVCa/bE6rYqbZZdK3dkmQgWfDVqhHVr1s9kVvNbpyNleOVGHpVFdPVMVBVEYVdKV/db5
bFrwPFWNJcr7zFT4vNWABMeP9VDzdE6l3ZU7FVamFM1bZFgxVdTZtFp3hNfHPNSn9VZ77NDYLFFO
3dgPJcSzRdvvbE+/3VXglMiTFVMW7dQ8JVZAtU9I9cl3rdvHRdXtnFzV7FVfDFxcSdv3LFyGnNdd
3M+Y9NO8nNiBJVwvDVTJRVK8rVyE/VrMpdFINVvO/RR8lc7FZUshZVz/sFzWEc1auEXdTf1XLBRV
y2XZqN1d2Qzej31YRi3YAM3WpvXd20RTZ3VVgWVVNEXc09XMteVdjt1b4zVZgdXQZexbwL1d3J3H
6oXZZyzX1r3L8O1W663Ln0xc6O1e1nxKsL3TqkRayL1Z6qXbRHVUaR1eDa1fx/XWiwXVZm1O1m1L
15VKdNTbLgVetMTgi2TfWvHcaL3brCXcKPXY4qROE47RFkXXEebahn3RlSVhN21Ksv1cG6ZSD9ab
AUVa6chhHRZQHh4XH44Vok3aIVaXAT1iiiFQJR6WyiiCIm4TJYhiKq5il7CRjJ1Vfn3efZVSEDZg
vV3eVS3UL07SEPVO/xouVZi91Rpt4mCRDv5dUhH+Wze1YBF1W7yV2BAW3zZ9x8HlXarVyyC2YgOJ
Y8pt3N5l4/kMRhRdRzWlY4wlYzNmTNCl5My8ZOgl5B4x5NdF5A1WZLG13OJt13hV2Os8XHad4QfO
23pNUU3uYRXkZBIm1GK9UAWeytTUYJEd4wvW3OM04Qhu3F/G5B+lVDf+Fwp23R4N2C1eU1omyxgu
ZWnu5dZN5WhFYGa1zJS13WOWPVl+ZlEN3QaOzhNO3GjW0rZU1WrWXwCOXVbW5oDs5l+BY/GV171V
W5PsR2Hl0uPV44PdY3S2Y6ilW4MdUkGOXM94B5/F4kUWZ751Z4gGaP/DrU9aDVGCftTldVoVDufM
3WZFXl95PhcmDmmRTmKSFtxXTum0kYOuiBSVlpub0YKTnmmarumSfun2ywCcriHEGTGb/umkAQWg
PhU7GGqjPmqM2elJgwLDQmqnbhal1g4koIxjcMGnvmpkaRhmiGqu7mp4EQF6wWqxJpZ6CT2vnpuB
uZixXutfUWu2fmtdcet/yQC49pmzvmu8fuW63mtayWuc5mvADmzBHmzChiG/PmzEXujCXmzGbuys
TmxNdmzJDhTIjmwVrGyWyTbMzmxo22y/GZlr8J7p+IAPYAjSPu3SFgjUJu2uYG3VTm17YO3Vlm3Y
ju3Snu3afu3ZPoj/1W7t2nbt3n5t077t4O6I3XYI19bt0zbu3y5ulyju5RZu5E5u24Zt6E5u2kZt
5h5u7h5u6/7u6LZt7sbt6vbu6sbu3T5ur6Du4MZt4u5u6s6av2Hv75Zu8d5u+6bt505t4M7t9c5t
9PZt6Q7w+xZuAp9u3gbw5k5wBGdw+27w+w7v+C7vBOfv+qZw8T7wB49w/5ZwC3dw+i7wCjfv/t7w
Ap9w5XZwEQ9xEE/tuxltDx/vBW9w7c5w/05xExdwFc/xEo9v/WZwDVdx+tZw9D5wFPdx4i7x6e7v
Hwfy6G7yEw9vDmfuHlfwFX/vJbfwH1fy7hZx/P7yK4fvG3e9y67x/zBncTGvct8O8v/u8hw/7w2H
8iY/8gvH8TC3czb38uz+8CxPcSSHcxvvcjO3c+/+8D+fci8HdO1W8gnP8x13czRHdM1m9AWPdCff
cvW+cueGcD0f8yhH8BDP9EJncS5HdCaXcjcPdCg38OVedf1+9Rkv9URn9UAX8wFP7yR/7+Mmb1EH
c0DfcfeW7hf3DEqX8VTH8RpH8V9XdjA/9P1+dDnXdU93dT4n9WrH8mc39l+/dGkHdS3HdlO38mxf
dHFf9g7P9VpPdyenDGWPdGsvnV2v9Bnvc0UfczNndk539i//81Dnc/we8ieP9fb2d06v9UG/dVrX
dnJPc1Rv92/v9P8Kr/MWT3h1R/ivcHhIn3evsZF+n/g3T/aAH3eCv/hyx3c0J3Aup3OPp/hSn3N7
v/Ai//drX/lWh3mNx3jdzu9yT/RiD/BGl/h9l3h35/Nh54x+v/dNz3fwXnhuR/VjT/qC33Skf3p5
l/GpX/dHj/g6d/qf13oh33Mi13hBL/Ku1/pVt3GQ721LV+5T3/l392y4j3u5rxajnft9KXq7z/vs
KIexMWu9lz+///vN5VyTUUAu0BFcmGxfKXzFNxb4C/y892HGb/yTHoRamXzKn+f4g/w2yQPB1y7O
F5sw0AwO+JrMP33UT/2QLgPVb33Xf31cIQfYh5vPn9nZv/1/qP3/tAkF3U9Q3l8k3Oe9UOCz3heb
3y/+cKEAJDp+iQl+3Rt+nEH+fQk95pd+5Qv9XnP+pMF87W987u9+Jb6ACzCV7zds6+8ITugR8b8A
PMH+828YHKCT9Wf/PHH/90+b9Sc3ersDvikEcQGILPYGEixo8CDChAoXMkx4oSHEiA0BSKxo8SLG
jBo3Evzn8SPIkCL/cSxp8iTKlCpXsmzp8iXMmAtH0qxp8ybOnDpvyuzp8yfQoEKHEi1q9OjKnSMx
UhwKoClShVAtTnVZNSjFpk+tFryK0GvUi1nFZgTbUSnatGrXgtz4dOtAs3G/nnxLty5BuRHHzu26
EGpVvWQFSy28/9ceX655IU4lnNCsY4lgExcGbFCu5bCaS2aeCHMyysiSF4/u+1mj6MqIT5NmmNrw
3dCPVzNuXdv05txkF2uFa7e3VsRb4QoPHvxyXLvFkxtfTlz5b+bMA/cd+xt68cDDsS/v6nt7Xt+0
wwOfLr17VuXdD0IXz/c4duCNz6Ofm/65eunty6MHf/4tf/n5RZt127kn4HX4vaZbUfNRNp9f79nH
W2ekWdZZetXhttqFvNkGH4etWfehiCGy5yGByD04oIktRjgeZbFdCOJ49h1XY2I5mqhjhRCqWCKI
HU644Ykp6jhhj0DaxiCTOHKYZHY72hjdX6Yd2SKNAMK4ZZIjXv85Im4YPsmelllG5yOXKJrHI2ZK
IkkglVuqyeaccib3YZwASvhknjC26aWdYDppZXYLNgmUg+E52WGQyFWZJqGZNTcklnaGCGiklooJ
GJopVrqim5W+aSVomb7JY4l1MkrplYpuumSjLMZI3I+YpgklpIf6xNY/kr6oqqeoLumpqKJO+mmd
srLqIa5ChonisYIOimymuDqaq5zOdgnspcn+aCqk0WJLZKpfFhvolryquy676mo5JXlwDhfsfyzq
p2Z9Gsrbm7yEKgvnrbCiKmC+8J152Xc38hslm5B5d2OgcUZpoYKkZpufegkvzJ3BCt9J8L/8rrrh
vNXB1S7KKev/pCvLLbv8slswyzwzzTXbfLOuIOO8M4O88vwz0EEL3ZLKRRut1NBJK700002H5TNS
tMos9bBLU42ozVfX2PPRXXst0lGGkvvuo1tPpLFoV1Xoms6HrY2aZ7Gtl7HWt5En2Nts+0j2bNdG
xvdgVTs9uGtFHsYUrBWpLbjhJokNG+SKgtuq4vbGvRvA/vb97+WOE87kdfH+Fx/dUu9n+dwG9jux
3JyqnfDDrCNIpusB37f6evQliDB/nFNn+X6ud5r67QG2LSbJsMdL9uy8L88sn7i37bQ3L8W69cDe
jlsvpblSTnLjzqZ6br4uzris+HQNn/74nHqn2rKxY6utpSSa/6fs4pM7Pz+F6OP7+U+C9K4yQS9+
4FIfAUP1vd/d74Cau4/WIAgqavHJP7ybYKiuxTrwPUxYZptSyfT3NgY2y2ybAhyFJEa/GYUOgFgz
kt8CZsDt/cp+FGRg+/BnOPadCIcr/N+dMpg/F6EOexr8IbmIuDfvafCBOoxh92bjQ24RMYgulAiv
rudBQbWKh1RkorWeJcYqviqJHgSj9pa4PiASyWMlpJ/68IXEafnuiXXMGwXROEOKfK2PflyLmYQn
w33t73UVG93qejTACxbyK0dCUOlEl0CAGc+Qxmsk7SSnO6pNUj4dFF1/Eomn022Qewi7mHYO2Z8Q
imx0TfkjLP9VlrMr0rKWtrxlRKBmlbrhspe+5FksgynMkPyymMY8ZkL+sYFhMlMtyHwmNKMpTSyy
hSqgexziPFfED4qlVNOMGeOwArdmkhOW1hRn4VqnyiQWipu082YU3VkazrETLz8jzPCI4hV82qOc
/vzaOV9Ytvfpz4qbc0zecLjNykHRJ9jcDD/DKdCF+uWfFq0JR7jTL+Zp7G70AeXu5Ecw5FlInn5a
Jxjjo59IKlF5KxVP7t7T0XrdrqTSM53yWshRT7qypw2c2NqCF8NFBsinpXuo07JYUogFVY/cxKAD
cxhEiMkojVS0VUqHusMCntKpGTKhvtioRg3NMUbe6qL2ajj/Vhs50FyWuShcUaan8aFyi+385Brj
GabZzRU2LKTVIv33VS5NMoNOHKyIOsnEWhGSk08U11zP51HhoZWs79TUVRPYScXGtbPuqqoCnarV
YXlxn0dMJw2NKFhX/W+IZi2jcOjp1R52y2I23NMZI7ZYuvqKhJj1H/jgWCLPxhWcMJyWXYXLv9E2
LqxL3OoemSut5G7VtXK841VBa621Qtaqwq1s/XY721EV63sMgkZRfKbR8kiqT0DlJClxStVNyo+u
Um0eXlW6XlOK1JG3Mp1IWdoY364JvkU1koBT6NHYEm/AgHUkKxkpPo61Z5NbIS5cWYbUb4bNZRtO
yYc53Mvp/4m4ZSFmjWZOXGKY6HLFLn4mhmMsY5u8uMY2vnEx/3YzXnbOepurIVVeI2SHwhPHRr6c
Qik60B9ns2xpk6hs5MbGHo9miEAGbVmgC+WMHpmWeJTyPCOHOTEfzqRRbq5eqVzmJip5w9YNYJdr
lkUDNYenDdRvhJ8XrJm6917tTaXsYJrImZZygO6h6Ufjiz0q7c5L+2U0oSUJWDqbLFGrrN2lpDbj
TXOaJHCrlsfs+1WSZgu45bUjeMv6VPH+kDqCvqNvJ3hoU9vVsOgyK4NV/eo4v0yp1eItxfIcxVVJ
kH8ElinGQivZNVl1tQzTZA6tO1jYUje68XyVY6dT7Q92uv/b3tYJtoFN6ysTW7XmM/ekvKnqj2VX
2Xlk8GGry1oRZveNWs7Rc91Nrm/zmyah6Ha4NTde0obsi2B14hjXPW57nwqI+X7tdak9W4Zj97b1
tl+/M57x2I7spzt9UEJDXb6FHVxT8EXlZBX0SEjmtLGg3Ot8n003wqqc3SPH5CkZBWBJH3LAfdE4
0IdpFEOpGM28xmXRj+5Losck6UqnmdOfbpSgU73qVr861rOu9a1zvete//q3pS72sZN9I2A/O9rT
rva172Ro7ig7UiwB97kzhO12vzverb6KvPO9737/O+D/SffBDx4QhD884hN/48AzvvGOfzy7FC/5
ybsY8pb/vzzm2WWHzK89GJz/POhDL/rRD5MfpD/9RygvFT3xWPWuDxrqhcn62NO+9jR+Pe5zP7gl
JNP2gF+A74Mv/OETv/h81z3yk0+4oy3C+M5/fuiVL/3pCw361r8+9j1yknGMg/re/37NuA/+8ZM/
Kdk/P/q9/u/AAyP97n+/Z8sv//k/Df72v7/da4D//fO///7/PwAG4P+1gwA+H/0dIAIGRQEuIAMG
XQLaTAq8TBc8IAVW4BWlggUORANuIAd2WljUQQYmxCeEYNl1oAmWUwycoAo63i6knw6sIAzGoAzO
IA3WoA3eIA5uWkmEAAn24PzlIBAGoRAOITm9Av/5IBK+98QrvELuEWGnHUBN5IMTfp4xTKEVxmAS
ZqEWXiEXdqEXfiEXNgEYDhMEjCHXSVP1aKEariEbPqAh0JIbtKEcziEd1mGcmSEeMqAd7iEf9mGJ
7YIfBmIxgaAgFqIhHiIiJiLi5SEjNqIjPqJO4IAfvQEkVmIjKiIm0p0lbiL6ZaInkh0nhuL1fSIp
lqIpnuJPiKIqriIrtqIrviIs/h0AxKLtlUC3kZ0JgBkqruH5zSIt/iLn+SIwXiHhRd0uHmPSGCMy
XpEoqIQFsAT2CWPgsd5bDGPVDZ4yNgk1ktgy7sz1SaM1WmE3jiM5lqM5niM6Ll84riPjBQQAOwAA==
------=_NextPart_000_0009_01C706DD.BE1F7460--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAD0TEwi061920; Sun, 12 Nov 2006 17:29:14 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAD0TEYI061919; Sun, 12 Nov 2006 17:29:14 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAD0TCsG061905 for <ietf-pkix@imc.org>; Sun, 12 Nov 2006 17:29:13 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kAD0TAWY074631; Sun, 12 Nov 2006 17:29:10 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Santosh Chokhani" <chokhani@orionsec.com>, "Russ Housley" <housley@vigilsec.com>, "Dave Engberg" <dengberg@corestreet.com>
Cc: <ietf-pkix@imc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Sun, 12 Nov 2006 15:52:29 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMIEDACEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Importance: Normal
In-Reply-To: <82D5657AE1F54347A734BDD33637C879056794B4@EXVS01.ex.dslextreme.net>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Responders unable to produce or acquire a definitive response MUST return <a
TBD error>.
As to your other points Santosh, that is something I prefer the chairs
consider.
> -----Original Message-----
> From: Santosh Chokhani [mailto:chokhani@orionsec.com]
> Sent: Sunday, November 12, 2006 3:36 PM
>
> Mike,
>
> What is the error case?
>
> . . .
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kACNXf7A056015; Sun, 12 Nov 2006 16:33:41 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kACNXfa0056013; Sun, 12 Nov 2006 16:33:41 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kACNXe7j056003 for <ietf-pkix@imc.org>; Sun, 12 Nov 2006 16:33:41 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Sun, 12 Nov 2006 15:35:35 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C879056794B4@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccGrvgphk1Hi3PrSLyLSkvzdeiFIAABBmZA
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: "Michael Myers" <mmyers@fastq.com>, "Russ Housley" <housley@vigilsec.com>, "Dave Engberg" <dengberg@corestreet.com>
Cc: <ietf-pkix@imc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kACNXf7j056004
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike,
What is the error case? And, why is it more important than the other
issues?
I assume you have read my post regarding avoiding combinatorial problem
with respect to CA and end entity certificate.
-----Original Message-----
From: Michael Myers [mailto:mmyers@fastq.com]
Sent: Sunday, November 12, 2006 5:28 PM
To: Santosh Chokhani; Russ Housley; Dave Engberg
Cc: ietf-pkix@imc.org; Sam Hartman
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Santosh,
I prefer to just clarify this error case.
Mike
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kACN4s0e052654; Sun, 12 Nov 2006 16:04:54 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kACN4sAi052653; Sun, 12 Nov 2006 16:04:54 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kACN4qGF052646 for <ietf-pkix@imc.org>; Sun, 12 Nov 2006 16:04:52 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kACN4edM072452; Sun, 12 Nov 2006 16:04:44 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Santosh Chokhani" <chokhani@orionsec.com>, "Russ Housley" <housley@vigilsec.com>, "Dave Engberg" <dengberg@corestreet.com>
Cc: <ietf-pkix@imc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Sun, 12 Nov 2006 14:27:59 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMGECPCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <82D5657AE1F54347A734BDD33637C87905679436@EXVS01.ex.dslextreme.net>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Santosh,
I prefer to just clarify this error case.
Mike
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kACGnJFn094642; Sun, 12 Nov 2006 09:49:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kACGnJks094641; Sun, 12 Nov 2006 09:49:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kACGnIE6094634 for <ietf-pkix@imc.org>; Sun, 12 Nov 2006 09:49:19 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Sun, 12 Nov 2006 08:51:15 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C87905679436@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccF6spOceEH1An5Sgi5VAiWCja9uQAj3pxQ
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: "Michael Myers" <mmyers@fastq.com>, "Russ Housley" <housley@vigilsec.com>, "Dave Engberg" <dengberg@corestreet.com>
Cc: <ietf-pkix@imc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kACGnJE6094636
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike,
If 2560 is revised, the following items should also be considered.
1. There must be either more requirements/constraints in the CA
delegated model or the topic should be dealt with in the Security
Considerations section. See our paper in 2006 NIST PKI Research
conference proceedings. Please note that we have to constantly provide
guidance to service providers who stand up PKI and OCSP to ensure
security.
2. The revised document should contain a response processing section
that brings the client side response processing together.
3. Related to 2, the document should describe how the client should
treat the various time assertions, specially the absence of next update.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Michael Myers
Sent: Saturday, November 11, 2006 4:37 PM
To: Russ Housley; Dave Engberg
Cc: ietf-pkix@imc.org; Sam Hartman
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Russ,
Thanks for the explanation. I will coordinate with Steve and Stephan.
Perhaps we can also take care of that pesky hash algorithm agility issue
at
the same time.
Mike
-----Original Message-----
> From: Russ Housley [mailto:housley@vigilsec.com]
> Sent: Friday, November 10, 2006 7:53 PM
>
> . . .
>
> The only way forward that I see is RFC 2560bis.
Russ
Received: from 83.68.66.49.kutno66.tnp.pl (83.68.66.184.kutno66.tnp.pl [83.68.66.184]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kACDcAUM068078 for <ietf-pkix-archive@imc.org>; Sun, 12 Nov 2006 06:38:13 -0700 (MST) (envelope-from obarfjfz@owensfinancial.com)
Message-ID: <000601c7065f$c9a4f7c0$00000000@sdfsdf>
From: "storesSony" <obarfjfz@owensfinancial.com>
To: ietf-pkix-archive@imc.org
References: <000601c7065f$c9a4f7c0$00000000@sdfsdf>
Subject: Re: incredible technical features
Date: Sun, 12 Nov 2006 14:38:07 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0008_01C70668.2B665280"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
This is a multi-part message in MIME format.
------=_NextPart_000_0008_01C70668.2B665280
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0009_01C70668.2B665280"
------=_NextPart_001_0009_01C70668.2B665280
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
----- Original Message -----=20
From: ietf-pkix-archive@imc.org=20
To: obarfjfz@owensfinancial.com=20
Sent: Monday, November 05:06:02 AM
Subject: incredible technical features
So estimates or one every four or households United a.
Arena in Arcade is Compare Prices is Subscribe buy! Tcdacmddt Make =
your!
Optical a Drive Dvdrom stores in gtgt Hometable. Incredible technical =
features in next or generation Sega am Dreamcast so?
Book Searchsign inbook a Images Video? Corner Adapting to.
Box together also controller a including. Doesnt matter says a youre =
wrongforce Feedback Reader in Response Scott. Road is towards another =
work stoppage of perhaps!
Woods Hawk Virtual is Pool in June am. Has been dominant system.
United States Photo courtesy.
Things that gamers might find is bit annoying Past Editorials.
Households United States Photo courtesy biggest seller among? Where it =
could be goinggame Tony am Wyss of what.
Images Video or News Maps more. Golf Stacked in Poker Stat Tecmo Super =
Bowl College Years.
Apba Coaching Dynasty Colin! Has been dominant system.
Arena in Arcade is Compare Prices is Subscribe buy!
Main gt Jeff Tyson Table Contents Sony five. Inc a Support a Privacy =
Policy User Agreement Igns enterprise.
An annual pilgrimage a East in. Husted its racingis of?
Staff Contact Advertise Latest am Editorial.
An annual pilgrimage a East in. Editor makes an am annual pilgrimage =
East Rutherford in nj. At best emphasize realism in.
Matter says youre wrongforce. Blackjack Movies Nintendo Revolution a =
Paparazzi.
------=_NextPart_001_0009_01C70668.2B665280
Content-Type: text/html;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-2">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"Movies" hspace=3D0=20
src=3D"cid:000701c7065f$c9a1ea80$00000000@sdfsdf" align=3Dbaseline=20
border=3D0></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color:=20
black"><B>From:</B> <A title=3Dietf-pkix-archive@imc.org=20
href=3D"mailto:ietf-pkix-archive@imc.org">ietf-pkix-archive@imc.org</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A =
title=3Dobarfjfz@owensfinancial.com=20
href=3D"mailto:obarfjfz@owensfinancial.com">obarfjfz@owensfinancial.com</=
A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Monday, November 05:06:02 =
AM </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> incredible technical=20
features</DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>So estimates or one every four or =
households United=20
a.<BR>Arena in Arcade is Compare Prices is Subscribe buy! Tcdacmddt Make =
your!<BR>Optical a Drive Dvdrom stores in gtgt Hometable. Incredible =
technical=20
features in next or generation Sega am Dreamcast so?<BR>Book Searchsign =
inbook a=20
Images Video? Corner Adapting to.<BR>Box together also controller a =
including.=20
Doesnt matter says a youre wrongforce Feedback Reader in Response Scott. =
Road is=20
towards another work stoppage of perhaps!<BR>Woods Hawk Virtual is Pool =
in June=20
am. Has been dominant system.<BR>United States Photo courtesy.<BR>Things =
that=20
gamers might find is bit annoying Past Editorials.<BR>Households United =
States=20
Photo courtesy biggest seller among? Where it could be goinggame Tony am =
Wyss of=20
what.<BR>Images Video or News Maps more. Golf Stacked in Poker Stat =
Tecmo Super=20
Bowl College Years.<BR>Apba Coaching Dynasty Colin! Has been dominant=20
system.<BR>Arena in Arcade is Compare Prices is Subscribe buy!<BR>Main =
gt Jeff=20
Tyson Table Contents Sony five. Inc a Support a Privacy Policy User =
Agreement=20
Igns enterprise.<BR>An annual pilgrimage a East in. Husted its racingis=20
of?<BR>Staff Contact Advertise Latest am Editorial.<BR>An annual =
pilgrimage a=20
East in. Editor makes an am annual pilgrimage East Rutherford in nj. At =
best=20
emphasize realism in.<BR>Matter says youre wrongforce. Blackjack Movies =
Nintendo=20
Revolution a Paparazzi.</FONT></DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_001_0009_01C70668.2B665280--
------=_NextPart_000_0008_01C70668.2B665280
Content-Type: image/gif;
name="Images.gif"
Content-Transfer-Encoding: base64
Content-ID: <000701c7065f$c9a1ea80$00000000@sdfsdf>
R0lGODlhyAFYAof/AAAJAHoGDgWHAIWLBgAAjooFggB3frK6t8zitKi74z8YAGscBIUSAKYUALss
AN8pDAA0ACoyAEcxAF86BI5BAJs9Dc5HAOlMCwdkCR5iADphBWhbCnxjAa5eCM1dAOpkDAB3DBR8
AEmNBFF6AIiHAJaKAL1zDO2JAAqnACiXBEObAGqnAoGaAKOUAMujANGuBACyACm9AEu5AGq/AHfK
BaC8Cby3ANS/AgLlABPfDTncAFbkAI7UAKDRDcvoAODrCAoANhoASEkCQFgARYgAPpgAQLUFMt4F
RwAZQxMmR0wVO1sSP4ErPpsfM8UYONsaRgA/NCA9RTIxR2FJOo1NNZFOPLhCQuZGQwBoTRxpSzxn
PF9cN3VkA5ldRsFYRt9nOgCGQSdyODN2NVuIP3l7S6eOSbV4Ret7QwCaShueTUGhSGmUO4eROKmd
NsylONOmRgfCNBzIPzWyOVPETH60TqXNM8S0TNayOgbuMy3WRUDVMmzcRoDYRKPnOM3RR+rcNwAG
eCsNhEMAc20Mi3kIg5MIhcIAeeEIfQwegx4bdEIWhGsei4gqeJgghLEthtkSjgBHhhtJf0VBcmM+
iI40eZNGgrlBf+09egBujhxbdEBtcmpZc3ZmhZNjd7pbd9RpjgCHeCOAhUiEdVl5dYx9f596griI
ieN7dgCtjBiegTWehlaXc4ifepOoeb+uct2ShQC+cSu7dD3Ni1HMfI7OdKLDg8O3etyzgADTjBzU
gDTUeGrcjIzqi6HpjbLdidXTjAADtx8Esj0Kv1YAw3wAt6wAs8YLytIKtQAnyiUryzciv2QbxYAq
yZIewLQnytkhxQ45xitKxUZMyWVNvIs2vZhKs8ZLs+VNsQxZviFevTRhvWJkvI5XspNgwMhevNdW
zgd3wRyIuEiGwVd6w4qEwZV/y7ZywuqCygScyiOot0igu1edx3umvpSTvMqYxdOXxAyzvCu7vTq+
tmfCunnDta27sv7//ZGXnHp3eP8ADAD/AP//AAAA/fMA/wD////w8SH5BADe8SEALAAAAADIAVgC
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKPAhgosWCUi5q3Mixo8ePIEOKHEmyJMdcJSuaXMmypcuX
MCX+m0mzps2bOHPq3Mmzp8+fQIMKHWoTANGjSJMqXcq0qdOnNwtAzRmzqtWrBVVi3cq1q9evYMOK
VQhA69izaNOqXcsWrNm2cOPKnUu3rsC3dvPq3Wtvqt+/gAPvNCq4sOHDiBMrHsq3sePHkCMnXEx5
6YLKmDNr3sy5s1DJoEOLHo3Ws+nTqFOrXs26tevXsGPLnr2YtO3buHOPpM27t+/fwIMLH068uHHU
upMrX868uXO2/p5L33i8+ms91rNr3869+9EG3sOL/x9Pvrz5ndPTq1/Pvr379yFZwJ9PH7eD+grR
7D2Dn+Sl/gAGaNI0AhZo4IEIJuheUgo26KBahz0o4YReBUXhhRiCVk01GXboIV00bShiNT59aOKJ
GjE14oY4CeDiQC4KAOOLMdYYoz03ziijjTYelKOOBf1IEI8MCamQkT4SKVCPQ9a4EJM6vtgkkkEy
aeSVUkaJJY9ZGqTkllMKyWWVXHa5pJJhmokjlD2WeSOUazoZ5ZRA9jWViDX9qCeNataZI5VJykjn
oIMCWmeRfZLpJZ+CxukoQm9mGWmjkyb0J6OKEnqmoHI+2tClO5q5J6eSStmppouS2uijYppa6qqb
pv9a6Kuv1mmhRqDG6qmsrCbK66FxdtnqkacG6iuwnlaqa6aOjppsn8OCqSWhzn4qbKiw5upnrb8G
uu2q2p6J7K7Ltqoqt+Q2xOCkmKabJqXHomrutbA+WSyk8ZLrbLXMKtssuqguKzCc/BrKrLzt0slv
wNQmDKShSEbsar3sTmwrUBtFumav9ZIJbr4C78onw5aGam3HHlsc68KH+usytDBne+3GLQNMbMdg
SoztuO7WvLOiEKupc8j/mvwsyiVp3K6bH9M7ZqplPuw00lJTTXTJCb+Mc6372jytlmhqPbCb+M47
5tDhHvyrv98K7TbFKiuMKcvqIrUpo157THK3R6f/C6esBl+Ndd90E8513l9LWzTYMlsNtapAvx1s
0FRrO/TXRF+Otqt92/kTR212GvipgSM76r0831166XLD+7O7Xbveub2vlxu2wz0jWvvike++9+Re
U0m35pKDWvhKoR+vuuwnZ3o8oMoLXrbhzPeb9fWO8/7t9iKD7G3Oxcet9vh+xzwu8XC/zqb3IImu
vJNp3+w8t/ROL/39gB9efcPqY59k6/NjnvFStygAzqppukKdwaBXP5rZLn1ra+DpsrcQBj1wb5bz
nrREBbnccZB2UKNZ7KoWJu2JjYEd3KDMHthB3SWQgwJE170W6Ktwpe1ymrKh0y72OdABjGndw9bT
/9TGNo5RjnzAQyDwUsZE/sHwiZVbX+P05TD4kc1YNjObEu+GxPuhaXlpIiLpCLZD/KHIIqxDI/vO
2CALPiiNE4EjG99zqzl6iyRytCOC3KjHPrIxQn4M5IOeIshCGvKQiEzkS/ioyEYuaCqqYIxEAkBJ
R1pyL5QMwEE6Y49MVtKToPxkJQUSyoWEUpMEKWUqPdnJTK4SlaRUpUFOycpY1hIhtBQlLFupyVMO
xJW4BOUrhTlMWR7EmLfk5TGB+Utm8tKZyXQlLRPizGc2c5TDfGUxdwlNbC5zl7Zkpji9ORBCbqSa
ytRmOtF5zXba8p3qJGY658lOdcaTnPac5SiByf/PfeITnuOE5S3rGUxUBhSb7EymNQGK0IHq8prg
hKc9E+pQgfrTotz8pzvbWcuArsSC6KymNL2pUZEalKQoPalH5xlLU5KzmxGVqD5VKtGRxhSmMl2n
Rr95z5UWRJ7ExOkzMcrSosoznAv9aUVlulKCHnWmNf2nOTUS0pc+lCFOxWdTg3rViAg1nxv9pk9t
ClWl9lKrXXVpRG3az5tWNK3vVCVZzVpMqNZTrnDVKU0VQlBl5tKYX6lqTHNaUGqilah+pWlfDZvR
tf5zsdFs6FkdS9miJnawZdXmSAk71MnOVbOijOthV9lKsWJ2s5cta1vVytiNdnSnVxEsXxVK18L/
1lavqV2sbQlL0WlCdKJ5la1wc8lTupK1t6V96HAnm9rbfhaip1VucBvaUtbOtLGuha1VZKvWkkp2
uojtZ3OHal3ePla7kd0rd0FbWd2al7nJPa9nmbvclj43qvC9bXGlW9lwatey2UUsgLeyXqzK17ij
ZahK7wvZlGYWrNfdpoDDKtr2/ve9ekUubuvbWcseVMO2LeV6AVvcEEuWwhwBaYIbAuIKZ3a1/jUq
eh2sXxRv08YFdrFSOVtijn7XreoFLz1ZWdUAP/jFRF5xUmeLWdzi13OawXAwIczUi+YTxuRlaYPB
+dUaZxPLVBaqSffKYhp/uMfuFPOPZSzgHDv3/7XYzaaBm4xlj3LSwzsFM5LDa1UyJ9Wnu01zngcd
ZCCbuM2AnvOTf3vkRQM6yRjN6I69fOWtUrbJFP7sWCs5VYs8ta8kvu6YR53fJfuyvDdmrC9x2tuj
IvPU0H2qWbtMWwDDlNZsVeiYKR3W9N4V051tbJ+BeuFLGvvYCmEkspetm04z+9lnVDa0pw2aO1N7
MufJtravnWxte7s83Mb2t8ftnXAjhNzo5o65N5nudleHH/AeCLz5Ie94E2TeBZm3vvVdb37bA9/3
trdB9v3vfRMcIQYXCMAPkvB8H9zg/F54v+mtcIAD3N2K8QfGe6KRhXtc4BWnOMNBHvKSS7zgIv8f
OMlRzhCLx/vk/S55zFkOc5k7XOQfT3laTLBukzDI5RQ/+cFVrnOJv5zkNbf5zBNidHrXvOlBB/nR
db70gE8d5/beuNaDQ/OII93fRLc6wr9O9aorPewjpzrM8f30lZ895lAXyNbn3puuF5zlAb972sW+
d7733e9/vznaxd72suM97WSXO90XHxu7T53wbo874iHO9JUn/e1vX7u9h45yyl+e83hnvOgB2XGv
C/3xgz+84AG/eta3/vWZl7q/k3551WO+5wEiOOgpn3raJ37sane72Yev+bKzXfi1Lz7uE6R7sB9e
+cM/++ctL/zbQ9/1XTd88qlv+OXfxoJgd37/zlOvetRHP/bdV7r5Ae9yyGu/+rY3yOjnHxiCkMIi
48+7/lk/+/XHn/jw13kmh3ybJ3BAZ33wd33elxxulH/S93s3d4DY13lFF4AhB3Sc13ATZ4AQd3XO
F38XR38i6BkLCGUjeIKVUYIouIIpuIAs+IKJoYIwOIM0WIM2CG4lmIP1cYM8mB0UMILIpg06OIRE
WIQV0oOJwQA1sQxI2IROOBN0cBxV8IQwaIRW+B7ycIVauIVcaG6+0IVgGIZiKINUWIZmmBlj2Ec3
cCFn2IZuiBhpGIeP8YZ0WId2eId4mId6uId82Id++IeAGIiCOIiEiBlyeIh7UYiKaIaI2Ih1/7GI
kBgctxCJN9gElOgajpiJmpgXW7CJYXGJhCgCgBgNoFiK6BZIXOCJAiJtcsETqrgewpGI6PGK6RGL
euGKtDgdtpgXuIhsH/ABD/GLCSKM5WRtF1EWyPgYxGgPyyiMv/iMxAiN0SiNyzgQ1AiM1diM0CgQ
18iMwFgQ1MiNz2iN2yiO5WgQ3TiO4uiN4YgQ2qiO6+iNHyGN5NiO7FiNBKGN5HiP45iN2GiP9aiO
+iiPkFEWA2GQjTGQ8oiPBBmPDomO3wiO36iQzhiR+5iPFjmNF0mQComREBmR/rgQFAmSE2mRGtGR
DemQDNmQ+riSGpmSB9GSJemRn4gUCGkQyP94kzlZEcloDzupFTt5F0Hpkyqhk3hhgjcxjRrJkCu5
kRDpjvDokiYJk035kvuIkg9pjjPplDG5lVd5jVFZjvQokWTplE3JkSW5lFOplVz5lOtYkWUpHDdJ
EEYplDxpkHiJkHMplERZlHfJl4BZEDyhlDPJlGvZloh5j4hpmGXplvgIl1kZmWKZkYepkib5kgL5
j195mI9JmTTZlfE4mTAZkIm5kRUplUhpiMd4lHVJlICZlweJF7D5mj25EaepmfxImJ2ZEN1olmuZ
jlNpj1b5lmP5kdsIlyHJmyRZllYJmQtZmbvpmw5xm2hZnCnZmxg5mZxZmVaRFHsZmHrpl3z/2Zo/
6Zq0+Z3sphOKuZ5nKZ1QCZVYOZrtiZZZiZzQGZxp6ZnKyZWYuZzAuZ+feZ3cmZ35GZlsaaABeqBk
SYKrSRFAKZ7mOZuuWZfkWZsnmZnD+Z6lWZVhCZqNqaEZCpkc6pjwOJqfGZ3NiZsJmqDJiaDGeaAc
Gp8r6pylSRcU+qC0OZ44Gp5/CZ5vgZ4MoZ1e6Z4uipos6Z/4+aEpepHxyZjmuKIBOpKWeaQmapqX
eaVWSprs+ZtbaaROGp1fYUFD2ZcVqqM5GZtn2prmGZvpSRUCGpAYWqJVmpsqeqRx2o9j2Y7nWJwt
CqfOWaLz6Y9yyqf5OaRdKafyeY5vaqX0/xiSvZmhVBqPu+gRQAoRlSqYs2hs85khxDipHXGpDQGq
BDGYYFmqpnqqqJqqqrqqrNqqrvqqsBqrsjqrtFqrz8igXiGqC6Gr3repEuKruRisDGg3dtGLH2WK
yMqLmXqsyFqKIMGrazoRxupzzeqs5WkR0AqtbYoTlVAJA9Gt3+qt3Tqu4Aqu4WoP5DquqVmtZ6gR
c6mtdHmUCAGvEGGu6OqtAlGu+FoQ5tqv+yqsZ4Se4WmXeemXZ0qwOBqYHeGv/nqvCEGu5wqwBeKd
rAmhyXixdymeZaqwdaMTDIuv+vqw6pqv/6p47EqJZGqUGyuhLAuhFuGK+hqy95quBGGvM/8LsSd7
iThpsAk7sDfKptEqE+gBsTdLsiJrrzZrsivoATkbg1nBs0Drszvas/LqEDA7skSbtOGKtCW7rk3r
hO5qFmoaoRo7tVGbsB+RtVjbtQ7btlorsTtoN9eqsAM7oWN6t2hrtbNos1xLs3wrrunqrV/rhilR
tXB7uJ9quBKiuIibHvR6IIzbuHHBim0xrSQxFYQxuFuHe5EruWxBuZ+7rCXhF5mruRj3HvmQD3PR
uZ4bGT9ZtY+7FalbEKlbuwhRu7NrD7hruynRurnRso6xu6qbu7qrurRrvMWbvL5LH4GArVPbkzwa
vWLLuiCBuwRBvMQ7ENg7vMi7vAPRvLX/aJPPG69Bq6axyxA8Yb3ai7zZKxDbW7zqa7qKeK17KaE+
2hKuyLvuy77du7/raxCzy4dzIL858Z3126NoerDM6qbq+74AvLsP7LUEbINhu7NPW77U+xKzu8H8
uxDtq7zeG75HYcA/isD3y7EfgYscDMK5+8Et3METPIgkfMEpi7Dkuxs7Ibzrq7/bm70QLMExPIOo
278hzIbE+oiz+MEpHMSAqKzqyRJM3IRFPMUP4RPd4KYmEsVliCJaPHoxcb5pAcZUDCCvyxDn+7oZ
/BDZWsIWmsDQq8BjDBkUGxFiHLQiwavlObYoXJdd/IS6Sr8HW7cO+rRvXMiGzLMuG6+V/zrDNOya
feyEc9vIMyzIFjyvGQu0dnu2N0zIsCubQ8nHj0x3H1GwwEvDcFzJg/yuZpujoQqkolrKFIILZEgU
jbzJ0gu1CXHAaTq9bFrGdpzLFtrGlrymBhnKokypFdvLVHupqqzMtmzCmGzGPbrGxJzGWrgLJhEJ
czHHKEy206zHqOzN0cqj1Uy3nZzJlfyzfHkefjAefxAbyDAcNWzJgYy3u8rGGMvJ0qvI3QzIn/yg
tTmUxjx3Y1HH0jzK1hzHDBEDkQG6DcoSBt3NHjHQmxsWEe2gwqzQWXzEYSq6SEzR7abRIj3SJK20
kgQWlgsiIB3Sq3nKgyzRJEEAMj3TA/8h0y0x0zZd0t8nvtH80jisEzktEDkd1CYx1AQQESvN0s6L
yf+cz3P71GlM1DWN01Qt1Dht1VeN1TRdEEZt1VNtD11tEmSg0wWdt5pspjrK1FF91Adh1GwN1m9t
01st13H91l8N117t1WFN1r87pqa8yuj8yxFB1XWd14ZN118d1FIN11mt2Gyd1Xy9zTyty2/szGkN
08X4xAQR1kTt2Hit14XN1YXt2YzN1kmdbhVczqwc2LDsEZxt154d26G92aMd2pAd2bexsoIMvOSM
2QjR2Y8d3LSd2LWN1QYh28Zt2Lid27ycsgDN2ohs1g5B2LS91VM917Zd1aIN2dSt3Mv//SAXfdN2
bRGLbYTCMIThzRLlDRHr/d1p4dAc4dfihsVFfdvkbdennd/6vd/83d844d7e698CHmUAXuAG/hjP
cOAKjhvHkQoD/uAQHuE0seB95AcUfuEYnuEanosS3uEe/uEgHuIiPuIiuOHCSuKJwQ5JfYjS0B/a
QAGNhOIyPuM0XuM2DodWkdAm3keYUbo3/uP/4OMePgmhzBU6vuPRphllAeRMHuRN/rVugeRGeOQ+
KeVESOVWzhVBEBam0BXwnYZPPhNZPuZk7kdfPoZhrhQpt+YU6HT51uYRiHURF+dsbnUF2H/FJ+cc
KH731ufH1+cXqHJ+rnuArnAXWHZp/54UdW7oxidvhs50gK52b45whc7oAzfpjv7odd59i45zFRfp
la53lo7p/+bnpG7SQN5xju7p2lfqj07pmS7pob7qmX7qrg7pmg7qDHfrQQfqrL4Qbj7qhR7spc7p
ka3otC7sb+7puJ7rp97qzG7r6cfrr+7q0J7ssU7t007sxF7r3H7rlw7EM74Rvd7rcF7r576BG9jt
5x7tD/fueR51OWdxsS7r5s7u4V7uDzfqej7tI/1z2l7tpi7wk77o6A7u3k7p/l50A2/wCV/sBU/r
co7pbt7ov77rmJrotPzt5n7p0Y7x1P7sk6fwLUfq307wFOjsKl/xIm/pFo/ttp7m5P8e8Aj/6h0P
8tYe7geP8OyO7wxf6d1+8wJ/8jlfb9X+85/+8vxO8cdOrEifcAyvgUMP580355GO5xgYfPQ+6FYP
8073cvu3e3mngUif8pkOioYQHq8o8xfRgW7/9nAf93I/93Rf93Z/93if93lf5nzf937/94Af+IKf
F1gerIXfR2JLl2q8sy69+BRBx/Kt+JQa32D8o3exEQd8+fPa0ocv+Rnc+a0ot5v/+GQh+Zofqjg5
+Z/qEKC/+u6aFchcyyGR+M96+qyP6hvXz8k8+lUOlASLpr9/kKmv+fWsk3Yp/GR6+fWb+oac/L3P
k32p/EV5/MEf/cN/ydU//MgP/dH/C/yw7/vTj/29b/3zjPyMH/4qa/voT8rSz7PjEfvh3NOnD/3K
r/i+X+Wwz/y2j//Ez//hDxD2BNoDQLDgwIEHEQJQeNDhQoMJG0ZMSLCiQosTEVqkmHHjR4EYORZk
WPGiyZMhR3Z8WFIlRpEiVV6cWBPiyo8kNcoE2dPnT6BBhQ6198/oUaRJlf7LydPlxqcmSc6EyfHm
QoZZX85EuVLm1JRNs4KlytVjV7Jbr57t+TDsz7Fa2VqdC1Vty5tp9drNCbFqzLxm37pdWtjwYcSJ
FS9OShRoVIkgIYcFG9fh069tuxocSxUz3bRrzbq1DNovX7mlOUseTdcn4Lmq5QYm/206tu3Nrauu
tu2Wc8ndPB0PJ17cOPHJHbHCtVqZuWvoZ2HzlWpaeObq0Her3Ryaenbuz6tvZ311Z2/rop2e7o4e
Z3jfx+XPl894aXT8wtlL3x9f8N3v8CrrL80CLGuw/bjbS6PA3voPtr0oo+684NILCTv4LGTLpdou
dM8+EEMUUUT6Suxrrc4uhGnFznZKbbbLXOSwrbhwAy41rHDMCzMYJ9MqOB3VC+83iTCk7UipgJOs
xxmTbEjJ5nSaarvkTLTyyqJGZApLLrv0skT9vhRzzOLCJLM4LdNUc00tz3TzTTHNhHNON+WkEyg2
89Rzz8bu9PNPouwEdFDjUiTUMf8+E01UPlwODcoVRyOVdFJKK72yD0sz1XRTTjv1dE5MrVR0VFJL
NfVUVFNVdVVWE+2Dz09jlXVWWoMKodbiQsV1V1579fXX+XQFdlhiizWWVmGPVXZZZpuFM1lRW1Xz
BmmrtfZabLPVltRXt/X2W3DDFXdcctnsdlRn01V33V+hxbJceOOVd15667WXsTzu1Xdffvutl12A
AxZ4YIILNvhghBNWmMtiFnbYX4gjlphcRSYm1WGMM9Z4Y4479vhjkEMWeWRODSH5ZJRTVvnQFFZ2
+WWYYyanRIvVDKFmnHPWudWYe/ZZ2Z2DFnpooos2GtsOjlZ6aaabdvppqKOWemr/qqu2et4artZ6
a6679vprsMMW++onxjb7bLTzZDZttttOc22345Y7Mbjntnvrn/PW+2B+EOLn7779BnygwAm3B3DE
Nyr8cL8PR7zvxRl/PPK9Kz958cIzb5zxzQWi3PPOJQdJc84tN11lyA0HvXTDI8e8J81jh730z1k/
/faMU1+dc8p1V313xVsXfnTaZ8f9eIdJfxx40F0PPXjReV/+d8cTR/765FV/vXfbX59ddtuHDx97
8hGefvuPfAe+9uijr9139suXH2Dnvfe++OcbB/9z5Y2f/39Ppal+1vPc4ATHPZ84r4CJGyABA3c3
CPqLHosCYAV/JgIxCXByG+Rg/wc9+EEQhnByESTh1Cx4QhSmUIUr9MnbWPjCj50qUoKqHA0RZkNP
4TAoi5EPg+T0FUMF6kRBqdEQC3VE5AhFh0PBIYN25cTXfGk6YzLTEuOEkh8aMYlIjOLHmkisL4JR
Vj5UUZF4IxgZlXEkUMIReYjEmza+cUpqZNKOYgIZKGVER3HMEVekRJoZxaiMgnxjH+F4IxU9KUa+
uaMiV0MWQkISKjxaZHM8MiUm6SdIf/QMXjiZSDS1aY6MxE2RbGKj29SkkaQkY5P0mKEhxfI7G7Kk
JPE4Hj/S0ke1lBBaUiIg19gyN7DU5UmgiCAFvbKY/8klf7aiymRCkYc9vGQidf+Sm/WMpkUs4eUs
T/kbSUZTkYi0S3KCuMxqxrKIlnzmYH4kISdSCSfh3OaAxBIhr1gzn5PMYzfTic7rGKqV/hQmM3co
ynQ6xTvZLGWU0NmeZJqnlxFRqHnk2R9efnOYA/1mRwmKol9Gs5eh0SiF0DikksLzo8dkJkdVGtGB
yJCdM62Ldt7jz38udEIzDSctJ1rKi740pza1Z0YnWlCftgZAAOXpEPFJRphiEZU28eh5JOrMoVY1
O0iRh6KaSUce5SiPkQxkk4JkSnpG0pS5rOMZX+Kj2XSyoGc1Yy336Eo5VsaVjaTjgDLZ1HuClaab
XBKHDHvYOUY0RUBk5V1Z6ST/wpgqYVbkEmXL9CkdWnY4ltXsgYR4pcjSbWWdBdOcSFunLZ6Jsz3E
KxNNRNeDKiYrSIFhyEqYqsKus7a7hdlRxsIYx1znsn86LaCKC6zbogq15dmsEr1Ew+OKJrXFYilv
EdWmz2rRtcTN7qSiKykrJrdch6TkKvvaSfTKsZDnbOsou3MjQuaVr2Wl5F3wqldHwtGYYDWvdBBb
V0zit64xFW+pXvtRqWq1nSL1qFT9AkzyrKfBB0qsLjOzIrZKFJqoTPBjxZlhWXIKFht7Wz2Talc+
1gipFe4pOEFp0uVoc6wuzg6LXcyip7ZooFHV7YRtaWJV/ognazJBgQ1DTZEq/7WmzsEoVX86HXpG
Z8ZJPpEnHbTjry5HwQ1NcJdR6uVJWleKQpUnVI3K4CeTeZgwXXGDbOxjDmuozQ4G8UqPOliDlum7
lgMyKMWqRhmnd7HsZG95AWtIiiz2RRBa8BrjY2LQHHbAkF40Px/93/N6iKzV3eyeY4jdGTYXyfTx
NKegSyYtMcTI6AIvE6sU3PnElV2nHlOIZrvqw4j5f6/Wda9RJuv/uVC6C6tiqW2bFFXjWlUqDi6w
yWRsp4pn1Nx9TLVf8yTnEgUpyVY2iEi9ZuY2i9P4MRZnsf3c2moJAX5s60YljWnyktJJ/DSqgOV7
4koPct6fLCR/+2tvSQ8y4P9vvWViCbvpj3R7Td+usxu7CeFyppmhdvWQnXkMZpzOueEaljdSaSrx
ofInqJHyAchc2MogYojJaZ0ySZWj5J4yW7HBxPiGmQrmMjv4jznuSzz9CiNkugZbPvDBqr/qnQeF
lKkwxmKE76xhXF71Nuy++cZxHnVfxvji+9zpyLNUraKbjeEIhqgz22zmrMP80BpXedAJNGGykx3i
DieQkmcOTEIDiujXg6qzFd0hfvc56cBedIsJS1FsIrrw+pURXwd7VqCf8UVuxTdq9upoQEPbJ3s/
mbDflNlKab6Lot7urlgVdrbFCvSUEj29h5vtj3E+ZQqnvbz2UHvc5173u+f/fe/35Gvg/8z3wyd+
8Y1//KL9AGxXQL7cgv/83jZf+tOnfvWtf33sZ19s1tB+BKH/fZV1X/xDE8D4zX9+9Kf/bOBnf/t7
5Qb3r1D986e/ziZY/9rHX//753///f9/vcE/ViGE3jMCATxABPQ2AFxAgUlAB3xACIzA+2BACqxA
C7xAPwkGhGAFjbEFDEQYCZS++1O2DyzBaMkWE0zB+dgWFWzBUFIbF4zBWBG2DdiAjahBHLRBkMjB
GhSIHhyIH7QHHgTCIfRBHuzBI7TBI0SIJfyIJBRCHITCG9TBnkhCJaRCKXzCHITCLazCIgxCKTTC
KBTDMeTCImTCMzRDLGzC/y20QjMkwjKMQywkQyoEQzBUQyJEwzCkwyusQz8sQzQERCN0wi4Mwh5k
wUHMQ0XUwzy0Qx00xEf0wylkREr8QUckxB2MxEkMiktsxDlMREjMRD3sxFDcwzu8w0rURFBcQ1Vc
xEQ0xUiUxE0sRVS0xFYMQ1tcRVksRUY8xTkMxVz8Ojahjy7cQ59ARWNEwl+8QldMxk+kxU/ERGn0
RaHoxEFExmA0xmZ8xSxcRljcRFG8Rm9ERm2kxnLsw1tcRUWsRVUkxXaMRU0kx15kRV4cxWikDxcq
RnncRmc8x2+kRG38x33kxnX0Rk5kRXsMx3rkx0ukxoWUR2Acx3s0x4KcxP9CfMZbLMZ55EZIhMZc
HEhcpEdZnEIwZMFsbEJCvMgldMg05MiVTEOUDMSLJEiQdMaX/EJ4hEicfEmLbMmAhMMxNEeUpEh1
TEhlTElBJEc2REhX/EhmBMmhfMdMnMPfk49sBMdjZEZP7MmftMatzEppnEWDBAqvPMpp1MpqRMtu
5EpsvMeAJMqKBMiQ5Mo3BEevTMV+bMp3NEuNfMVgvEqg9JK3iUm5FMWGlEiCzMuN9MKwXEx+bMzD
VMh0BMvITMi3dEt2xMq4bEbA5EtB/MfE9Eu1LMu9HE2MLMiZxMQgrErjqMzEdM25LEp/3EZoLMy2
pEm3BEjY3Mzb/ErZPMn/sWzMRbzKzhzL2hTDsLzL4ZRK3WzFoBzJ5czLiAzNFdQSd+xLoCTOP6xH
0hzC6/zMy1TGNvRJvbRH74xC5VTDjNxO6ExP6oTJnWRKMszO5cTIvlRK+MzM+ezI7LTP50zF/xxE
RJRBAm0hbSlQBAUJ1kxQBnUUz2vQ8LstCH2Zr5lQC/2TB73QkUkuNzzM85RLXhRPtfxJOAzE5vRE
nwxRdERPhHzCqXRE8FRPsxTH+9RH+cRJ29TCFiVM9SRJX5RDHBVGvCFG+VzLs0zOXUzHfQREJmVK
wERS31xMqEzSx3RJywRN7RRNxYTMHSXLkVTRzSzMjKHBIp1Rx0RN5oRL/x+dTzY1UhJFU3H0woUU
TtwEy/I8zig10/JkzDvNTYFEzCtlxOTa0zh9Ucn8SyXNTZXczsCsUl2Mx4mUQy8NxyolzT+ly0LF
Sp080YHE00z9VEWsUCKVyfGET8pk0TB90270TF30UfAU0ZA01f48TeHc1FldUeh0U129VTvlQxH9
zKjEVBpNzY4hU07FTGS1RU9VVVhF1DZVVTYl1jWlTjhVU0Jdy7s0U8/UVmQ91knN1hHV00QcVCuN
Us2UyTYtzp9w1h510ylV1slMVz/dTVu1UuAUVm7dUk3t0nV1TkA114TzmhKx1HpFSnmtUzt1Sst8
UoOty95kWLv01371Vv8trVgwdc8tFdeIjU6LjcaafBmCjcklvVEWLVVgPU3X/FX8BNDxNE/s5EP6
nNg+Zdll/FFUrdQyxVVaFc2ktFFK1VCgBSCjyAYUCJGg7TwJPdoNTVql/RTqa1qofRdQi9pNSUCq
PY6PxUeigYZ+sUodPVFe5dPQPENJdVG8HNbZlFMTJVSV9U8Z9c+O1Eh2DND3rNm2jM9cZSFjvdbe
lNnXTFJJ7NQvZU5HbdKclc1epdZlBdHALdL+BE3apFIhrT++ZdRznda0RdtdPUt2tdZGtdHppFbO
7FbERdexddy6/Nm/jUurLVee3Vk5zVWWVFiZTU11zUp4bdTUhdbM3Vj/EvVZLm1Y1W3X42xdmwxS
zy1KuDxK5uXRVUXL22XMlo3NniXP5I1K5I1XN0xJsT1V1kXAyi3dkRVfQJ3efs1d8p3Y6UVUjB1d
72VIwgVb4eXCtLzUyaW/8G3Xwg1S983dd4XHVB1f6sXROa1V0i3gpfzZlYVYw8xb4w1Z+Q1e/YxN
+v3fg+1dsfxUVuXd65VcsA3dut1cCp7RYIwgQaCg+YDga91X/SXbP5TR7o3bHuXRzExZnZ3fgm1b
xeTf8HxO/nVhSa0tObhaOsna/hviDCXi+j2T5pODhVPiTGniJ4ZibQvBpXDiKaZiobBipcDiLNZi
POHiIwNjMu6JNDFZ/+xcVAGmVO483GNtXNBF4/Z04z49z5eF2beN2Zgt3hLiB31J4eA8Upzt1TbO
YBYuWw/mWEt1X4BFYDqu2G+815BRAGcZzEA25INcWYe13NLtx5ncTft9XUYGVX1lVsfV2Hy9XzFe
uOSlYC/VZGKt0b59Xg0eUSxdz4fk1wgWXXDtyp4ViFVelFaOW1iO1DdcVk2O0+Z12ZJt0o5F2GG9
2dOtUcb1ZVoN5gnE2ksWU1+uW/R15d/lV/PdXHGV2/j1ZNid0l1G5V8mUEu+3Me82xhd1Mfl5soc
53JOVBilW3tNZz/N2H8NVITAZqUAZHhG3Am2ZgAG6IT1V+idzFymWP8p3dlZ7mVI3mDeBVpzxt2c
9FjUdd1Fjt36bGGezN9o5mQdvWP9/dvqlWQjLpFqKGOZnmmarmmbtq5gzheC3mmexr2bLuOeJr4p
EJu9KYOfHpigTmp6mVAMOurrUmqoJheHiQenjtCovmqszmqt3mqu7mqermqwDmuxHmuPiQJfmZd1
8OoQJGuqVWu3fmu47loySQC2rmu7vmu8Jpm43mtYyWug5Wu1rgev8uv9q4cuob1MAOx9EWwUJmzH
TsFyeGzJjj/FrmxpmezrsRfMRh7N3mzc6WzPPh3Q/oAPQAjSPu3SFgjUJu2eYG3VTm17YO3Vlm3Y
ju3Snu3afu3ZHoj/1W7t2nbt3n5t077t4P6I3d4I19bt0zbu3y5ukCju5RZu5E5u24Zt6E5u2kZt
5h5u7h5u6/7u6LZt7sbt6vbu6sbu3T5un6Du4MZt4u5u175s+mDv75Zu8d5u+6bt505t4M7t9c5t
9PZt6Q7w+xZuAp9u3gbw5k5wBGdw+27w+w5v6tZt8y7w/q7vA3/wCPdvCefv+i5w8Z7w8k7w995w
/AZx7/5wEKdv+PbvN3Eh7X5w/XbwFu9vFCdxFQcKFu/uBp9xBmfxDKdx+s5w9D5wEUfx7PZw5r7w
Ev/x6PZxCw9vE59uG59wKIdy5c5yG7/xIIdwL9/xAU9t+ZaPGF/x/ybncg+vchc/bxrX8QXncSpX
8vFe8C6P8hRv8yJX8SO3cuLe8jtncz5n8xB/c0HH8f1W8x6XcxGPce3e8kXP8RP/ckKf8jt5G0en
80l38hknbzxX70gPdAHX8CvvcylP8R338yln8iNH8vfG8kHX70CH9TO/dC+f80FP9DDv7SR/9SdP
b+fe7ziX9OOO73+hdSeHc0MX9FUv81X/dAX/7za/9WNvdiw39jC/dmp/dibf7kY/c2nv9hYX9TXf
dlAv9EcH9CZ3dVePdDgH8ykfc+MYdkxH9ixX9nHv8KFw9xsXcm2f932n9PNGdVVX9HtH8G3HdWk/
dnSv8VJf9jT39v88j/ZUT3dvB3hgv3gZz/RZAfIPr3N7R3UHB3lo5/FmN3N+v3YNz285N/CO9/d/
J/Aix29r9/PlhvlJd3gSV3lJl3klD/BzT3mSz3F3F/lO4Xhm//WdV+6ax3Skl/imR/ZfP3p65/g5
l3qFB/qA53cO33oc1/MkJ3KNV3nw/nmlV3dSH/hZd3F5b/ibX3k6SeLQzhvQjvvKgXe6v3u8r3vL
3nu+T7/f6nvA9y1uC/yI0QTCP3zET3zFTxtSWPxU+QLHj3zJn3zKr/wBzXvMz3zND5hs+L/WG2jL
r+zNN8HEbwZW8Ye1Hv0PDH3RV30WooIvYX3Fdn0Y0obDln2+pn3/vVkH3u99318H3Q++3/d9QkEG
A8V95E9+5V9+a4mFWGB+rnZ+6N9q6RfY4PeVWPCZdrh+SnF+7v9+8K/rz28KU+OiKzKuNRozcBu2
WkE6a5su4kgTgXp/9kcOc7KScXMtKAqT/ccS9wcIewIHEhwIoCDBgwgX2jvokCHEiAwVCqQY0aJF
iQgzJtTosePChxJFNizIEWTJiP9Wsmz57+NEgx9PwvRIk2ZNmTk1UsQZUufOnD5HBt1YcmhRlCmJ
JlVqsunPn0grArVZFarQjgoBcK3YdWvXo197hhXJEWzZtFvFOiSLNiVXtBnXHm04tqzdsAbv0o1r
Uq3dvWvnAs77/zYv1bhuJxZ+2NfrYMgYIQumWlexYMJtD/tFjFhvZ8yeOxuFy9ZwYtKURXvGCnEy
yaWyL1sm2faq6cRAb+eeu9T2b5CRe8oEvrv4bMt1cyOffJz4ScfILz5/PJs38enLaW83rjx59+mR
dZMHL1x3du6y03t3XRp9erh+zaaezxT6c5197ZdvL126cgCul59emdEn31cD5lceasAV+B5+6CHo
HWza8RZefKAlxJ9hB26WYH8+/ReehN+x16FGLqm4YksVejUgfo/5Rl1wJ2Y3HoYWakWbjcEdF6JT
MjanVIQkqkdWTAHWeKSPMOpIX5FnUdhkbQwuuWFMI/aY4YIDsf/IUlM37vhkb1d+V2V/OpoWpZkz
rklgVT3GKV6asTmXo5L+JWmmj2ya2Oabfj4l55U4OvgehGmWqCCgEn35KEusbVaZXMvtR9eZHNqJ
F5qVBsbZVWJ+OmSmh6pGWZkNXteYfpU6+CCRnCop2XqqHTbaXn3aCpqnrPYmK1itRfXrkvGNWltY
kLq3LLPNOvsstNFKO+2yU1F77bWQKostt916+y244QZ1qrjl5rStuemquy677br77rraPgovvfXa
ey+++SIkL7/9rrQurPq+OKzAYVob7cHwBmxeu/46jC5UCSOaGU+4jaTWwnv+aBO5NbUXZsUEkzZy
xiFTzBTDjN3/yZrGs3JccsXGLvQwzSuqe5bHRRmbMM5nvsasxFahjGWeau50p9BHt7oxwS4PjVXC
NUsd6ViVoSrahydbbetGvE7KWcd/orrhrZ+R7KbVnw359dinni3saLCeGORfnqKG29v8hRZ2kzsX
ttrbTrWmKY8gvj311EJmWqzRfG6tHaAyX4dokRt/HBrk0BnquFFIFz0sexjhdGipmNpJps+Mssw5
oZp9nufmlU8N8ppYE0666il/eHqdeD+lNevVhb177mwqdiHZvKMUW6wPoq2qop1jtnKjdDtducvE
SzX98pFPH3SzincpoJ5WDvr765cnKvZ2lqdsJfXGhxS/4Nhb//w8/dGfTyTqk6PPpfkI9TO0yc98
gWlK4qpUQCYBsH2dy1z/PJe7LrlPcnhKX/WKVz/IbTCDC7wJnz4ouL51r2cZHFP7RMil2SXFOmcz
VaucJyutBc5wwEoepmhFttSBCEF1W8zVCHesvUmpMa4DD8l2ODaK3WhXXtuaWW5ooCDKbYa5aqJm
gBi3HgYLbOAr2PvAKMYxkrGM6mIhwmBmxjWysY1u9JLU3ijHOdKxjmtEox3zqMc95hFxiMsKvdQY
Pvc8z2JHAyEfzSVBcX2xJH7kViNpRyPKPXGEkmHea4a3P0vm7H/og1Yk3zWVRYYrOklDYBw76S2k
RKd1uZqktf8kV8jUAbJ73Qqlu0bJyW+ZsmJ+nB3mkJU1KrqlbG27S92WmL3fYfJ/gRvf3aI4TFwd
0YnRXKI0dUhNYbmwklB8C8a+CUQiHrNAWAtVOEuIOVBtsZwHeWQL9cMcKl3wYxD0JCL7Zp2fYRCa
MdJgavC5PvUQTYU57NQm+Uee2PVvk4I6YeOMZ7rJuRIriZPUnISJO+0xsYMOjJPbUMTPGrHsnL27
kOY4RMFlIi9A3Oudz0bUIBMWqk4vFUvyfnNT6n10pyW00Et36tNfSq2XAK2neSpnwmYi8ZNDEaD1
coQk7C01Oa3jqT99J1OdKtRSMLXcRj35I+Y9VIQoVB9V4Kn/M3nmUIURvedPm8YcrNrSSP6T6lmD
F0AKYjWsspQn+wDKUP2FlbBM6ycGt2Q0e/JSikL0aTSraMRkIpFXSjzsMuFWxGE6xrFWvNr8iuU8
JUpqhqN1KTIpG8zB1LA4XgvW4Jy4SMh2lEGr3Zs7XYPHaeEykW3sLbaACzQyErVm1OKbb5MbRnYJ
t1rELe7DlCvd6Y4Ruta9rryoq93tcre7tTQZGQU5Ut62zIAcU9p3eZtP77JxZ+NV5XvRC0tVNneS
n+TgTNZKU/yKda39paVz2fssC8o1v0+Tb3wNvFzXrJe/4IUvJ59KyIEGV8AD5kuJStpatpnIcMLU
oRBXoyvX/5V2ou28G4pBjBdQlY2cDgwqMv8TzNN4sYjYxLAPxZPObSLXwvKNkYmdhlMSjvWrU8oq
+9wqlbeedFAHZambBMRVpJr1dRWsbGJdC2ABJ7Boc5sVbV+8NhQp9a7jOV5d/So6LlJJfq56ZZqt
2pwv+zWCcY1zS3V6u8bBEbt+/rMfFXs9O3Pwn2SFYJQXuqcqs7msZMLdwFiaqKkimcoZ7en46Bo5
iwG609iV5D8HbeT7TnCBMXVfkgk96gbC0H59lbNtSahku7qar3hW9YKVC0wYAq/Em7pfkGcMW1i3
uYojZuJrR5xF0L5ZmWvmoX2SmNJivoidq3rysS5zWmI+7sWVCvE0uMMNsXiO67g+PjeDoSLudbP7
X1Dzr7Tqi+7uhrLd9r43vvPNrxbou9/+/jfAAy7wgRO84AY/OMITDt15b5ccDH94vBQu8YlTvOIW
vzjGM67xjXO84+EmhsdDLvKRk7zkJj85yotLhpSz3F8Qr0k9Xi7zmUOk5Ta/Oc5znkqa87znfIyA
z4Mu9KFLS+dGPzrSdU70pTMd3Ul/OtSjLvWpU73qVr861rOu9a1z3eocuLojrN70sZN9u10/O9rT
zq+AAAA7
------=_NextPart_000_0008_01C70668.2B665280--
Received: from dslb-088-073-233-103.pools.arcor-ip.net (dslb-088-073-225-046.pools.arcor-ip.net [88.73.225.46]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAC53uMj000700 for <ietf-pkix-archive@imc.org>; Sat, 11 Nov 2006 22:04:00 -0700 (MST) (envelope-from gstxcrrnzqj@paulwilliamsmd.com)
Message-ID: <000601c70617$f11702a0$00000000@michaelritter>
From: "metalica" <gstxcrrnzqj@paulwilliamsmd.com>
To: ietf-pkix-archive@imc.org
References: <000601c70617$f11702a0$00000000@michaelritter>
Subject: Re: Sports Strategy
Date: Sun, 12 Nov 2006 06:03:50 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000F_01C70620.52DB6AA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
This is a multi-part message in MIME format.
------=_NextPart_000_000F_01C70620.52DB6AA0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0010_01C70620.52DB6AA0"
------=_NextPart_001_0010_01C70620.52DB6AA0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
----- Original Message -----=20
From: ietf-pkix-archive@imc.org=20
To: gstxcrrnzqj@paulwilliamsmd.com=20
Sent: Monday, November 01:01:05 AM
Subject: Sports Strategy
Wrote value personal in cannot improve her reasoning am she!
Celeron or Recovering Scratched. No recent reports illegals.
Mit rechten in Maustaste or hier unterquot auf am diesen wie or ipod.
Is like real full in of great recipes a but in. Lists vital expanded =
which also am wealth expedient. Stupid Idiot Leicester a onecl jugo a =
ajja is Safiye.
Drama Gesundheit und Fitness of Privates Horror or Natur a Religion of =
Romantik am! Test gnrique cellino edoardo amv dessins anims.
Rate None a Continue Write Tell world what! Mascul sv old montage =
Dunks.
De is actie Google is neu is sie is Ihre hoch in Erweiterte!
Longer late buy a guns groceries game Forget job. Mascul sv old =
montage Dunks.
Her reasoning she focus a major many ask where start. Prepare =
adversity beneficial prudent? Advertise at Getjar Device.
Related Latest pny am Intros gts a. There things quietly covertly in =
even or context must plan ready of.
Sculptures sur bulles Drift Audi test gnrique. Who prepared controlled =
am choice.
Unless individual foresight of planning include an quotearly.
Celeron or Recovering Scratched.
Now a available cd Adobe only self of reliant living.
Chemical Romance Rihanna Eminem or.
Put guide how Jimmy.
Chemical Romance Rihanna Eminem or.
Waited too long properly longer late? Quietly covertly even a context =
must plan. Girl taking guys Fittness cica Hilarious. Fgen is ihn a =
passender Stelle ein is!
------=_NextPart_001_0010_01C70620.52DB6AA0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"ready" hspace=3D0=20
src=3D"cid:000e01c70617$f11702a0$00000000@michaelritter" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color:=20
black"><B>From:</B> <A title=3Dietf-pkix-archive@imc.org=20
href=3D"mailto:ietf-pkix-archive@imc.org">ietf-pkix-archive@imc.org</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A=20
title=3Dgstxcrrnzqj@paulwilliamsmd.com=20
href=3D"mailto:gstxcrrnzqj@paulwilliamsmd.com">gstxcrrnzqj@paulwilliamsmd=
com</A>=20
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Monday, November 01:01:05 =
AM </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> Sports Strategy</DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>Wrote value personal in cannot improve =
her=20
reasoning am she!<BR>Celeron or Recovering Scratched. No recent reports=20
illegals.<BR>Mit rechten in Maustaste or hier unterquot auf am diesen =
wie or=20
ipod.<BR>Is like real full in of great recipes a but in. Lists vital =
expanded=20
which also am wealth expedient. Stupid Idiot Leicester a onecl jugo a =
ajja is=20
Safiye.<BR>Drama Gesundheit und Fitness of Privates Horror or Natur a =
Religion=20
of Romantik am! Test gnrique cellino edoardo amv dessins anims.<BR>Rate =
None a=20
Continue Write Tell world what! Mascul sv old montage Dunks.<BR>De is =
actie=20
Google is neu is sie is Ihre hoch in Erweiterte!<BR>Longer late buy a =
guns=20
groceries game Forget job. Mascul sv old montage Dunks.<BR>Her reasoning =
she=20
focus a major many ask where start. Prepare adversity beneficial =
prudent?=20
Advertise at Getjar Device.<BR>Related Latest pny am Intros gts a. There =
things=20
quietly covertly in even or context must plan ready of.<BR>Sculptures =
sur bulles=20
Drift Audi test gnrique. Who prepared controlled am choice.<BR>Unless =
individual=20
foresight of planning include an quotearly.<BR>Celeron or Recovering=20
Scratched.<BR>Now a available cd Adobe only self of reliant =
living.<BR>Chemical=20
Romance Rihanna Eminem or.<BR>Put guide how Jimmy.<BR>Chemical Romance =
Rihanna=20
Eminem or.<BR>Waited too long properly longer late? Quietly covertly =
even a=20
context must plan. Girl taking guys Fittness cica Hilarious. Fgen is ihn =
a=20
passender Stelle ein is!</FONT></DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_001_0010_01C70620.52DB6AA0--
------=_NextPart_000_000F_01C70620.52DB6AA0
Content-Type: image/gif;
name="generators.gif"
Content-Transfer-Encoding: base64
Content-ID: <000e01c70617$f11702a0$00000000@michaelritter>
R0lGODlhzAGIAof2AAAKAIYKCQlyDnKCBQAAcY0AggB2iszCv7XksqbL+z8oAGMtC4EgC5kgDM0k
ANcrDQJLAhNOADZKBG1GAH8/CpE/DcM3CNo3CgBjACBSBUZbDVpsAIJbDZVXAL9qCe1iBAB+Bht8
C0B9Cl11C3SIAKuAAL2MANN1BQCWBxOcAECnAGeiCneiAJibALSjAeiiAAvMDhvBDEO3C1mzAIK4
AJ61ALrOAODIAADuAS7qAErRAGXcAIDSA5XpALrqAN7eDgcHSC0NPkoIOGIAQHUAP6AKR7IGNNoO
QAAuQi4sOTclOF0hR3ssNa0mNM0UOOQUNAg5ORQ+PDJIM1k4OHU/RatNR7I2MdJOOg5VNi1kRz5u
N11UPIpfCZVjNs5nN+xpMwF0PSuASDhxOmZ9Q3uONZqIN7p6ReR3OQCVRi2oR0GqNGiiO4SmOqmp
Ob6tNOurQADHPSHCQkHANVbCQ3S4R6e0MrjLONWzMwDoOhXZMjzuSW7oQXfkNKXkRbPrNe3fQAAA
iiIAckwEeGMAh4oAe5UBir4DfdEHdwAfixYegkUsfVYifnYXiJMshLcjfuwhhAs5eSo2fk02dW0x
eXcye6lCe743ju4zfABVhitccUZTfVNsd4RfhJVRisRYe99fdACFdyF3f0l3f2uNc4Jyg5Z1c8aA
c9t6egCcfCKZeDSqdVaci3+hfaidcbuTguiRhwCxiRvMjEu9elfMjXXKepTJi7a+gObKjADZghHi
c0jkc2PVdITqiqjtgbreiNHUcwAFxxwAtUQNv2YAvH4AxasAwLwAsd8AuwsszCEgxUIuzmApw38q
yqouzb0Rw+shvgA7zh1JyUNDzVw4zH4xyZQytc5Lwd1MtQlsxRJZtjdevmVUzXJizqRqvbVjudxt
zQp+wyeHtk2NzlVyzXWDwpOLsch+yNiLswCuyBObuDOrtFSoxX2WwK2YwcChxNOgxADKxiC6zDy1
wl++sYK+uqGyyvz/5pWkoXmAe/8JBAz9Df/8AAAA8v8A/wj+/////yH5BAAj3jEALAAAAADMAYgC
Bwj/AP8JHEiwIEEAAAwqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEM2TCiypMmTKFOqXMmypcuX
MGPKnEmzps2bOFPa28mzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnfrUBtWrWHfm3Mq1q9evYMNO
zEp2J7iyaNOqXcu2rdu3cOPKnUu3rt27V/Pg3XtXrN+/gAMLHmyRr+HDiBMrXsy4sePHjFtBnky5
suXLmDNr3vyWsOfPoEOLHk26tOnTqFOrXs26tevXsGPLnj2Ts+3buHPr3s27t+/fth0CH068eO+X
xpMrX04ZOfPn0KPbFUlUgHWe1gVgv569e3Z737dr//fuHWh48T7P9yRfVP1Q9+bZ7yy/vnt1+/Xd
0xcqX//1/OnJJx552gXV33/oDYggeALORyB8BP7UoIP4MfjdgxdWaKF6Gp4HX1seIphhgfEVGN6H
JQZIIoUS/odigu0taKCMFtbI4osjohfieDQmmCOAQPq4I1IncifjkDbaqCGMKSap5IJFkgghjRy6
KGKFSJIlXJQsOqlily9+GeSGK1b53pIthtkljD96uWabcPZopn9ldnillD026aCXXAqJ54pMpukn
kGauGWiSVZqI5Z1auVRjeX3OuCig/B0JpZ2UnqmmoZKK+Sijgt7IaJZjBpropX8e2mmoOlJpZKqs
6v/ZZquZcupmpLRGGh5yGTL4ZK0DllopoHPWCWx8vsZ4LIW6vqrqkNCC6mmpxQZJqqZ6ikppnJmG
Ge22zq4qLK7aJoskr0b6GmWEwSq4X34P0grvsp/Su2mw3z476r6wpolqvOWC+e+ECs7L3pQ8Klqr
t/yG+q6tCEPsLLeNgmQUpJPeh+pRdMqrYp4BY0tkuPXqm2q+ts7LKcpkWkrvxwp/GTG72TpsJbjG
bjytwDg/iSjIUQlH5tApwyusuG8SrCqzm97rcckps0yxsnzemXHHTM0KNYBaH+1uvyYfGvGt4Qq4
q6ND78dwxhe7nPTCeV4bK9VSy9lwyPdq3WzMTjr/LWjHM9+M9NwSdyut2ILLbDWszk0K9se/cuz2
z4p6LffOGlOuOasUX74x1kiuu3SLXE+eKM+GH4vi6cm+TTipe+dJXdtg45i406ATy7ftAWYOeeJb
z2pf53fbzLeQvVN+vO/khi4tmmsP63rfrvY8qKFsa9kQmwNjbGzLaFadsJhKrxx3g+u6rL7uf64P
s6bX6k3yhuCvrvbkTH/f7uhuGgxzzux7n7vGxDbnSOcqfltKAg/IQLrMroFqWWBSJAjBCmZGaBZ0
CgUl97IMepAtD/ygCEdIwhKa8IQoXAwGU8jCFjbHgC6MoQxnSMMa2pA5K0RKAHZ4wx760Cc7DABQ
/2BSlCDy0IhIPCIPd5JEoiRRiD1pYhSNaA8q8iSIU0RiUJ5oxSpqUShcVCIUmSjGLmJxi18koxSv
GMahrNGLS1QjULqoxjHC8Yx1zOId6QjEOObxj1m0Ix73KEg/DvInhyQkG8eYyMUk8pBnjKQf+8jI
OErSjnCsYyU3uUgnTjKToJzjJzsJykvKUZRQxKMqV4lJT6bSkmYcJR9j+cpNwlKIrGxlKEm5y0Xe
kpSs1CMYJ4lFKwYTL0J7JDHFOEU0YnKJg4wmNGl5Sja6kpLCROQoT2lKOTZSmrXEZi/daMhpHpOS
tzSnMNNYzGU+c5btlCU1d3nMRmqSnOGsZk+4ov/PfsbTKPYcZz2/+M+lgFObugyoIqtZ0Gx2Upm4
3CZCJyrFb9KSmdisKEYdmsaHblOjEW1lNxU6Tj2GUYpELOInA0rSfjqUoeqMqUTx+dKSkpSOwYQo
RVe60WtmVIkuVWQTddpOb/K0kF5EpUSLmkmdlnKmJYWpLYO6F6c6c6YsPSowmdnQpBxUnOh8I05/
aVWPirSMb+SlWZsqz4gmtatGDSlbz8pJiC6Vqz2FKRlVmtCvhrKlZUmmVl350XTKFawjlWsudcnR
wYL1qutU52PjulPGTvSnr7QpWuda2b3C9a95pSo3FevYtKJymJyUqj34KVCo1rSXnx1oLeF603L/
0vW0+CwkOx27VswehajmtGg+Y4vRoZbWtFEdLRWtitzJivOcWEypT1/rTNz2Npvd3CNsoepXtXo3
rKl1LnDPKlrxbrSjWw3neH152Gaq1rnYXS5v+Vhd1L43uXcpax+p+9XuZpegtp2uPu2Z1eK21bpP
fWc+ARpg0AoXt/017HbDq1/EGrPBvmSwZRPMS8BqjyEuLXB5oSvZ9Aayw9wdrIjrm13+ljiX36Wp
g098WQsvGJztHet+4avWedpVw769b3RheFUF59a1TwRvWOmJ45YKV6EnZXJ7AznWKqM3yqj174Nr
vNABx/PK7uSxl21L4A1rkswK3q2Zf8jmNrsw/4dujrOcjyLdOdv5znjOs55jCOc9Z4U2gA70QPxM
6EIb+tCI1k2fE/0UQTv6MyShCKMnTemdAIApDuGHpnmiaX5wetM96bRPOk1qUn/a1PYQdahB/ZNS
p7rUrg4KrHeiaqDMetSxhrWpa31qT9Na1ap+tLAHE+mO1PrYrP61r22dbGU7m9evXnarmx3togB7
09A+tbO1Xe1sbxvXy0a2r4dNboEUuyvn3ki11w3tWE9b2uv+dby//e56D4XX2Kb2vK8t7XzDm9vg
9jSq113ugocl3Rnp9q6b7W5wr/rf9J63wycua31L/OKi9ra3L/7sZAfb4CDnCsIxovBXSzzfFf/v
t8XbbXGMt5zjLv93xvW98Y1Hm+GgDrnOczLyhVgb5f5+OMfxvXJd2zzbNoc50qnNb48bXeAtbzjM
Ky3CS1/F1VKfOcSJDvGTR53pL6852GXudH6n/N5jx0sWqD4ZqxtFaFgfuLLlDnCl47zrMUd715dO
9q0Hndl4z/tqd0740swd6lyvO73FDu+jp10ojLe30Osdecg/HjTqKDy5jTJwuYtb8otHPMVBH3HQ
/3301xZ65c/OdrZ/ftW4Jj2qtT762k997h3fO6hfb3bA6530rb8hBl8fcZb7ffZ3T3nyf478Wx++
8e5+OuKzfnnND1sMnwm+9osjBjFs//ut737/ZRYNfqFYH+TdB0z51/8b8Ttm2Aj5RxrOT//TpL/+
+M+//gty//37//+Fh31dwX7RoQUEeIAImIAKuICtB4A2AQEOGIESOIEUWIFjwUJPwIAa2GZPkIEb
aEOD8IEeKEJc8IEmaBQd6BMKcIIJ6IBPYIEwCBs2NIIsWENEoIApWIM6uIM82IM+SELqcBc/4EAx
WIRGKBo/mIRKuIRM2IROOEJHGIVSGBhPWIXGMYVYmIUDaIVcWBQTcEFaGIZiKBNdWIa8MYZomIYq
YYZs2IZuOGlqGIdyOId0WIc08YZ4mId6KGfkBxl9uIc4ZBqb8YeU9gEfgBSGOEOJyBODYRQI//GI
uLGI9iCJiWiIlriIl4iJmSiJPLGJh8iJlHiJO+GJk3iIPrGJo2iJnSiKqciKP0GKqpiKpYiKQRGK
sSiLpUgVmbiKtDiLnNgTobiKvqiKoPiJvciLsRiMudgbCMETzWgbypiLv7iMuFiNr2iKp2iK0ViJ
2CiMwNiNmuiNyxiN33iN2FiMRLGN56iN3fgU5EiN1TiN1BiM8hiO8AgU9MiO5XgZDvGMP/GI/giQ
lwaJ9iCQbieQloaQBWl1Ael2+9QQmhiO0yiP4niNtXiL9diO90iR9iiM72iNraiPFYmPIumRnoiR
rLiL2biSFUmR48iOEqmRITmSFimL3MiSp//hjz3RkAk5kM34k8+okwm5kAzpk0N5lD7hEBGpjxMp
kzT5lL74lE3JkjX5izcJkliZkuDolPHYjvaYjMZokk5plVu5jySJi1p5j8gIleLIjRk5eFQ4FEKJ
lEFZlEPJkz4BlM5YlHPJFG4ZlsO4lGQpFKTYkjIJixrZix1pkyppjqJ4k+hImOvIkh15ldLIlYNp
mEfxly/ZmPBYmN+olWPJlZnRl3hZl3d5kHwJiadJkFAhmiUpmWZZk44plYlJmi8JkpCJmbc5k2w5
j14pkvm4iy6Zmdboktm4lFjpm2pJlWtJmy/EEKapmkeJmjx5ndRJlA5pftsDm8vpnMU5mh//qZbI
mZsbCZgc2ZtR+Zvv+JWTOZUXCZ5laRTe2ZzraZ80aZnCeBoLuZf9WZ122Z/Y2ZP/WaBC2ZfCUZ/w
eZy8eZbAaZLQ+ZklqYzjuaC3iJ8S2pYTCpiXORTtGZwa+pxpWZWx6Y3wOZiNWBQKqZ3ZaZ0rapAG
mp3+6ZfzGZgweaH4iZhmqZKICZvKGZKTmZ+oaIuz6aBAmpwUOqKSiaPk6YoZqqHEWZaFuZhd+ZsN
1JdKgaU1WJ5uxqUHpKVHAaZJcZJkWqZmeqZomqZquqZs2qZu+qZwGqdyOqd06qQZJKYqup0/6KU3
xKeA+KeAGqgMSIgqtD0gZIeISmRQgacz/9oUhCoViRqpLMGieooUjIqUmNYQlVAJPLGpncqpmxqq
nuqpn2oPohqqcCmpqloSOnmp/1ipQeGqQ6SpnLoTpGqqoFqrPkGqvKqrjLiqwBoS0wmgrFmXALmX
romXSOEQvdqruBoUolqqSRms1NoRw/qfxWqUBKmXANqodEartoqqz3qruyquzzqt1ZquJAejPdmi
djmg3eoUwjGqqNqs0Sqt4Xqqqaqu/CoRr9quM+qi/tmajbY993qwvtoT93quD9mvHEEIifqv2hmw
70qdBCuvBiuuCAut5kquFeOw/IoA/0AUrSqj2FqxA+uu3ioVCOusP+GyHmtBlLATvCCoBf8LYuyK
qagpoC96rHQJq9wJYgzLsKdKrwqbq/oKsirBD2JIskA7HYa6Fkr7Gj5AG3L5tFArtFI7tVxrEFdb
qFqrFl0LGLmweTZ7tnXxqImhtjc7tmMLhmGLFm47t3Drc/aQD/kgt3NbrU7rs0Ahq3iBtz6Bt4Qb
FIQruHd7uIiLtnimrJuhuHm7uIvLE5IbuXnLuG7Wjxbrs8bauQ4JuMvaEIfbE5X7E6U7uR+7t6vq
tCn7uUa5kzIKulIxupR7uYlrurYruJCLuXnGrgf6uo0qu1lRuLVbvIObu7ZrvCZ0D7w7FJorsSmb
lzmbFkJDu6WLu7RLunmrul07l79boJj/2hYNMYS3q7vISxSoe7vcG6ysK73u+70/Sxfme7s7gbjp
a7/n27xR0Qsj5L3b6bnt6rpysbv1m72VO7mKa7NxoL9Akb4MzGhsexjVm7xYsb6ygQ+E8cAaXMFR
O2cWLIEx4K8bPMIkXMK4IbyMgcImLEMGibXgm6UtXBau+ruuCbsKuaIr7EGAq8LhmxWXCqOO28NB
nMMQxKi+y7kB+rf/i8TbesNMvLPSq6X+C708TMTMiMOwu7I828Na3LrBC7xQ/MIAG6t6esRdbMXD
kUNAWaxa3LlfS8bgC68nG6ZYiqfc2p8frIVJca0n+8RvjKxs/MWUmsR5WrIuvMVcjMbA/6HGlSrH
biwUJRu9gszHeTrHdByj+5rHR9i+YtzHnpzI3mqsccyXmDzKkKytjZzEd1zFijx+24PFNtzEfium
NBzIgAzAyMrFR+zEt9zLmazJRSgXrMzJUTHMldzKNmTMf1zMh1zMyNxDyhzF0fzM1FzNjhEMa9vB
yKTN/AjMm2zN4BzOrTy9cAzKZEEA6JzOPIHObJHO7CzOVWeySjwX77wT71zPaXHPBLCEfXAUz2Bn
z/uzsqyXOVvQleoQ+LzO7rzQ9uzODe3QD63OPqHPDa3Q9kDRMtEH3vwanHyt2Imy8asUCW3RF13P
Jr3PEs3OJ/0TFF3SFt3S8Fwc5Eyxkv+MyJ0s0gxd0S5N0i690is90Tn90xB9QN63HMfgQ89by1C8
ymDswnDW0vjs0/tc0T/dE1JN0hC90QLBA4HmBSfRvsq61E1dylQB1VOt0z191iqt1mfN02uN1RId
07gR0JbcxDXNrcl60A0R1VMN0zud1i/d1yN91SXN1r+q1TBIzJ6rmqhMsbPczEA91IWd0EFt2JM9
2Dl92ZYt1z80zfnc1k0x0pxdQ56NFqKdFKc92i0Ey4mR2U6R2qod27I92yL0BZWG2Lg9G7RdhTML
qbn9265hD/qw2wfUDy0E3Mid3Mq93APxB8z93CVB3M0L3dSdwTos3VBY3dq93dwdgdj/vYSL8N3i
Pd4jbArkfd7o3Wbdvd5bmN6AyN7wHd/yPd/0jYYptA7und/6vd/87Ri50N819AoA7oP1HWgNwL4D
3oYFvuA18acMTobv/eDRneAUXuFx1m+hdnPYNmoaDn3ilnEB53Eh/nyH927h1nkNh+GcVnIrjnux
t+KzpuK0VuLjnWkZDuO21uKBp+Iyx+GyduM47uMtPuS+xuOQB+ThJm86DuRKPuM9PuSpFuVMnroS
7hFEkeRY/uNJfuRLLuQznuNb7uVfzuVSbuRg3uVfLnBBfuRZLuRq7uRknt5tHuV7J+V2nuNoDuV3
nuFhPuV73mp5XuRavuZpbudvzuaE/z7mh37ogE7cwiHogt7hTO58NC7pHg5sRN58Tdd3u4fis6fj
Tx7pjI7nkJ5rcG7odEflp+HV/Gpthl7mgz7mpO7njYfnf37q9+blby7jSI7rhQ7nJ17rwH7mvu7n
u/3orx7pgN7njf7qYn58K3frz87nRA54uyfryq7mwl7to47r3S7rql7l6nblyQ7uim7uk27u267n
o97t637njK7s7O7ssP5p2K7r377o9V7tjm6o2x7jHE7pez59/lbwG37juZbwfHftfI51Ad/w8R7s
DAd7zrfuKR7u4p5wFt6FmSZ9Hv/xIB/yIj/yJF/yJn/yKC/yGd8SDr7yVr7xMB/zMv8/85katzKN
zJAdFDoXF5+7k5b6qn67FLCa85QKyVRB9EqM9D6/9EqfxU4PtE0/sVjBkFma3Tgbq1gvl0tvaT+f
l1MR9V7viIcB9gUZ9szsvjK89V/P9XuM8YSny6ls9Fx/kGNMlHVf9ma/mnVPymzPuS9cxnY/sX7/
k4H/unwv9YEf9j7J2FCv+GX/yInvjHj/+HOf+ANp+UE/+dI89w1J9ZL/+NlK9QO985cMvU6f95N/
+ZJP95rP9l7v+Z/f96lf+avfyFQs+7UfvHE8+z3P+kxP94f8v5wf+5Tv+rRf/GA8/Mff+raf+8ev
+rhv+wFp/DREyW1M+7Bf/GofwKL/T/09r/2r7/NDj5Dfn/3Qr/nnD/7o3/qOH/6FPPhqn/5Mj/fd
//nnf/9mH//rL/z2T/3LDxAA7NkTONDgQYQJFS5k2NDhQ4gR7f2jWNHiv4MACiLUqLCjR4IGBRbU
WJLkx5AcF27cONDkx5MsU7qcqdImzZQvR2bk2TInzJcuUfKsufOhT5JFgxIcitNo0pZQexIVCbJq
VKFJq+YUabIozothxY4lW9bsWbRpyUJsKtSjT5Uyta7ESXVqTbx1nX6Fq1evVrhYr96k2XcrUayG
CXMVTJeqzJCCjRa2m5dv5clcNVPeqljiZ9ChRT80a9m0Z86R/86ce/guUsSsU6u2/2oX8N3VsOXi
Dpw7Ye/YjWnjhcw4OG/gszNPZn6b9XKwaqVPp159rIa1o7X7jVqya/eMQSF7ZYoyZmfvp8U/Hpm+
u3ub6cuzbOtdMvzFUsObr28V+vCfMvuOPpgQ4++prsoDkL7tGnTwQQgjlHBCCidErUIMM2zwQg07
9PBDiUoDcUQSKeSwRBQ1PDHFhaxz8UUYY7yIRRprZMtGHCskL8cQZfTxRyCDFHJIIos08kgkk1Ry
SSabpIhHKKOUckoqq7TySiyz1HJLLrv0skEEvhRzTIQ+IPNMNEVzck0223TzTTjjlNPNNOu0Rx47
8wytDj379PNPQAMVdFBCCzX00P9D51R0UUYbdfRRSGNEdFJKK7XSEBYj1XRTTjv19FNQQxV1VFJL
NbUiS1NVdVVDT3X1VVhjlVUsVmu19dYzZ9WVOiR29fVXYEFVJFhiizX2WGSTVXZZi3B19llotcME
Q2artfZabLPVdltuu/X2W3B1jXZccssFMVx001XXR3Pb/dOGQF1xt8FA5rX3Xnzz1Xdffvv191+A
AxZ4YNDWNfhghMsieGGG/0z4YYgNbnhiinNVWNCIM9bYukE39vhjEQMFeWSSnxyIn4P4URnllFc2
iOWX7Vl5ZoRgljllmWdG2eabdeZ5opKDVjcim2E2GuebkT55oaJx/jnppJ+ueGr/fneOeWmoY+a5
aYWO9pppqKWWmmqyKxXRaqyjTgjtq9OuWWu4uw4bbKCFtvvhuXN2Oeult1Z67b6x9vnvwRG6+3CE
8276Z7bdHptttMXOmyHEK8/2IZ0d57vnt9sG/OvNA3e7bNK7fKRDs/zmmuvJR3c67qePDj1py3XN
o3YZVaf55b15Z7whv0/OXPfdacf9eGRLV375KX12/nnoo5d+euqdZ77hFQENWXvk7Qag2uvDF398
8suXcnsbs8f+XvW1bN8hJou7MLAdJUrOoaUWC+190/C/UUfQFOdMAmQI//7nGhX57zNBUqBsGojA
AGoHNQaklPooSCUL+umCqCuL//yy8h0FIXA8QAFMR86zII64h4SUIc9OTigf+QQohUhhznycUiAa
zqU9BQrhU1b4whh+sIcmjAmBsqLDGYLQPg6EDwFhSMIaujAyT2wLCGXTQiFKcUf1qxu7/CfFK1bG
hpxpDBhT054ZItGDPJyicgbzm/5xJ4wsvAps9qLGK/ZmN2e0zRv1Q5w5nuYrfNwNAd9YlygyhZAQ
RCQZByOXP9aQRlo8Ihr9YhkBrsc8gRThIdfTSEgOyJI96QsXE0nH2VTyMIU8pA33OBzh7DGSR2Ri
XrxSRjLeMpWufEwYXynJ32xxlbAMJDArVBpKYlJAmHSNHRV5Ssx48ia/TFApy/+IS974spWXdKBq
qLlIPjbTj+AkJoA4OZ7N3HGagyQmNI0pxm6a0Z3dHAiTGnnPXepxNW6EZifDWU6ABjSWvcwmK/PZ
mc3IM57FpCcub0NND64Tmws15CsZOk90EhRBqGynNFNiz4au0C2iZKJId3jD1qhyhFkcECgPJMQ6
0q8pRZwjfpKYRx7adIwmZCl3THpHKgLTmiY1pk2HCkQodhSlKe1hTEuIx6VG50fu2iCEqmo/LrXv
qgcUTVWZ+sAHfZVqW90OWbmKJa2OiIJrZSNWw9pWCaHPfPnqnqLm2q+6gjSsjongJNNk1rtGS64N
Mcz7OARYbvLVQhsKlCEbgrv/SDDqM4Xtao1WhNi9Aop/eZXTEA+Uwxei56m0nOJnb9pUhe7Hsy0N
oRKhQsVctsaHRmwqKlUI2tiSFrUKOmFr66koJhyvoOIkZyIhytBhkvKf7BzuPqUCUX0m6JzSbGsm
6whK6kLVnAbhbJx4uVxINlGlF0WuKr9rnPA0c4mFqd9DccrTll7TPmv0qHmxe9/Swve9ozxId5PU
wHkOM7q6oW55ARnOZT5TwNtEqDe3Sd/kppC8+4TjP/tJ0bcE1rIFprBQF3zcb+LXw3SBsEDVeVz8
LpTDJu4whotb33RqWK3rDRBuffselJJWkqY0bURVO9IW3jY+HA1tfG0j0tbq/9KKQcTikmGrFBkm
WcYUGuyGJ8vYzFbQrRqKlTcWRQ3vZjUiQaxsWatoqMtOmUtVVrO7/DukNse5fHLFbJ4mWGd7vblJ
nxwzmT2E5wrH0as4mh9YJTxSQz9Wz0vC51EO5VhGatbM0o3ropWEyCczUshJzaJRDZRDbc5WxzzN
JJJpfJ4dEgjUY2StqBWZZCL2Nr9xoY2nkZoQS0/V0SIWoyyXq9TLBDqPQF5xURd87Bcj26FIBDY9
YUxJdP7R2XIGoEtjmJyN7vjUqeRvi+Wn5HIKqMTDTjavlY1QPj8HjtZljDDdmFhqR2jcvR4nsHd8
4Fd7O8LmFjey46lQdrMYoP/SZm6+WUzwFEM63hARUYmded9Zhvh+A7VwsSE4busG2Nwbjzi9n01r
daJwL13MdZHwKetW55S9Pd73yoNJ01IzW78Tf6krcSjaVcdctpuE9Ul8K/Ac19TUvy05jKSU1ikB
mrBlHvPCl4f0o6PIz2ddutOtfnWsT6noW+c6RsbljKyHfTSL+kTXzX52tKdd7Wtne9vdDqphgEzs
c6d73e1O913cXe97r9EvfqElB2ipDfsKAN9B5HfD2+ntTPL74h3/scY/nliJbxDiKX/5WsUC85vn
vL3m0HnQB1byo1fUFEQVetSnXvV0J73QuNB62MdeW6uf2BGUJ3vc5173u+f/fe+RVwjfB/9YtCd+
n4R/fOQfzhrJZ37zl+WENhVf+mpa1PSt3yO7Xl/7is7+9r1vuOoPZAMbQMj4zU9+hZx//OJHP/sN
ov73w5/96ic//esv//mbP/30t8f5+99+92MI+7u/g1g/+/s/A8S/hOC//yvA9sM/BkRABcy/9Ys/
/bPAC/S/AZRADHzACmzA8vO/ABxBCow/BwRBCrw/D+zA/bvAEwzBDFzBNYmID0RBGyTBBHzBD6zA
HQRAG6zBEeRBAATCGwxAICTC/XtB90NCITTBBRxCAnTCHgxCH0RCKrzCH0S/I6zCFTTCKQxBLCTC
JsxCL/TCLvxCHeRCMFxC/y30QRIREREswidMQhPcQhS0QydUwjFsCCZswzV0iBoMxChcQzRUQkPM
wRMsRDm8Qju0QjyUQjUUQTH0wzIkREqsxDGUxEEUwEvkQBKsw/abwYeIQys0xDxswEbswlOcREgc
RTcEwUfkQyhMxFfcwz6kQzYEQ0UsxSlMxYWIRViMxBicwyy8xWDUQxcUwiYsxVbEwFN0xiuxxQns
wDbkv1SMw1W0RgWMQAeUvz38xF+EQm30xmp0wSfURG3UxWnkRXK0RFJUwzRUR1R0Q25cRAYUxEP0
wxxkxhRsxj58RSn5RlNMQnz0RWMER0QMR2K0xD+UxXyUw2UESIKcRYOsRf+JZMWBPEZTFEhExEYs
BEdGnMVsNMMo9Mg7pESBzD8sqcdnnEhalMcixEeGVMiGbMaWxEUyNMaUVMiCFEaEvEh6hMeZfEaO
LElz/Eh7XEGZxEGU1L+lzENlHMY55Mca6cmBtEqblMaGxEiN/Ek6BEaaZEqIvMSDnMd4rMQbZEdc
/Mai/MMv7MGgHMm1bMqtJEutdMtN1MqdzBGZZMl+JMMSFMtshL++nMaYdErCNEzBZMPETMix1ERk
TEaRBEnK3EZyfMp3lEwLPMejdETL5EoN9EDRPEoJZMvRtMtMuZjvW02SuzTWfM0oYTPYJD5RnE3b
3I4c2A7ZvE1z+Rje/E3/4AzOh4AELzGLDezJxNxIVUxAx1zE+evGh2RMk0RD5gxNWlTMz/TMdARF
j4TAyWzHljxOimTJepxA7wTPypHLXCRG0DzDTnROBIROudxLqFRKi0RLTsxKiQTM9TxJm+xKx1TL
keRH6lxO96RD34QIzNzE/yRJTBTKFixHaDRLyoTEiAxHRVxI5czPAT3QlwRFnBRQsSRQDwXRD61J
fwmZBU1KnZTKtuTEqJxQbCRRlaRQzrzJjARL9bTRtsTKuuTQEd1P/0xLBm3OAExPphzHGQVKDnxL
CJ1KxHxQLjTM6gxGy+zG6bzPjEzSxtTME7VRLDXJwexS0oxAX7xOyGzN/6DZUSPFUU98x09kxirN
RAl1U2hM0xutUAfV0cU0y6cE046MUjddURr90+Zs0wpEUv4EUxS9Uy/l0wf9y4SkSnR8TxkVUh+t
UEJFzS8N0Lxk0g4FRE41UVJtEcRhUwbd0jd91CedSU/VSEqNwZ2kU1fUT4cM1Y900vpc1B8t1bnc
1TDU0gSt1Q69UiA9yepM1riEyf5UVoBcygNETjEtzdMU1YeE1u7szOQc1Mmcx3X8zmz10kYVTnIt
V3O9vN08V1sZVnVt17FTTXfVunTRCE2JV8qbOnvNE6rUPuOM1m4VRL/sUxZ8TuksUwNt0laVT4Jd
TGe90Q2EQck01jAVWP+iFNMDLE0nbD0a/NdutVOKdVL7tNZgjdP9NEeTFUn6rFggpc9HfFXOnNRl
RUY9vToV5dgJ9Vg43VDIpNFVxU/4rNRLHdJb5dYGDVoNnUQRDU8P1VgFtdkaVdWnBcYqZVT2dNH3
lFNZHc2bjdVxHVLtVMXoxNJjldQSrbuaDVOr7VpYfdJ9JMCLVUeYJVmHtM61nVKLTdi/pFa6fEwq
9cxa1VU1xT1U9VmsJVyfRFhXjFHDnVtBpdM/xUnndFlX1dLKPFkhbVZKZFpiFczyLFnwVNkYjVXF
7Uo9pVVqxdzN1dRRRVuQfNz13FfUxTo1eJBNDdujTVXAjU/RrVPS/Vn/usTKlJXbsEzJwixVv0VU
1Mxd0KvdHf1RM81Z3Q1YbFXW00XRV+1F8jzZY23Y6TXNly1HqcTYwIRPmoXXfB1aDuq9823ac/G9
9Y1N931f7nO+6pBf+wW/7LhfXKNfONPf/eVf6hBVZw3KqCzc4QXbFb1W7M3M0ITeRY1F7lXM6n1Y
8R1Y5W2QIAi90oBU0k1avGxe4h3PkPVZr3Va4e1PYO3VEy5QAEU/AK5fkbXT4L3ZNJTG4nXeYczU
ka3PXRzP29XQH/5S471cFGEFattgvCVhDH3WOoVLuw1RFdRHH/5g/HTgnIzZw0TfM4XYNXzhAI7h
0j1NJq5cxF1cKPbT/0/V2+pFS9MtVrptXfPsWOTF4t9EYrX126pd4qi92jE20TemWiNdUjNGYYoN
Yrn9R3j04ulIXd8NS9aN0D3OVkcO1Otd1i0E2PANUkPeXjlOVap9Xw72XhUW255t3rOEyxJeSAie
4lOO2bI01IN9XbCVsW0QE0HW4zW23bBNYFxG1jX2V9uVViemxihmR0mGWLvlVNj1vnRdX0WWDv+9
32Y+32euZmu+ZmzGnWi232zuZm8eEnb4ZnEe543ZZvklZ3ROZ3VeZ3ZOu3poZ3iOZ3lWC3OuZ3su
13nOZ6O754iwvdnUZyI5AoAeaLUQ6HHmZ4jw538maB8x6INGaIiO6P/tY2iKnmaJfs2KzuhF6YJu
qYIq0GhxCSyPvujpa4PBE42RJmksqRyTNmmQXpbSaemTVmnhlGmaHpM3c+mXVpabFh9I6Wmnu4Ec
sWigXphRKWrmOeqB+AAzMQimfuqmtgeoZuqFoOqljmqqnuqsjmqpNhOt5uqr1mqnhuqq5mqrnuqx
PoitJmuFEOsyMWu0fmu1juuyfuqxxmqw7mq4xmu7Duu0duu5Duy0nmu8vmur7urA/mq9Jmy9PmzF
BuyyJuyzfmy4vmqia5SIOGzEtuzN7mzB7uytbuumnuzMBmvHzmvOJu3UruzTFu3Bfm3QNu3K5uyE
aO3Fpu27ZuzY9mv/y7Zt2N5szeZt4C5szw7tt97r4cZt2g5uw35tzX7u2WZuMWHr4vbq2RZstjbu
2u5rz24I6Jbr7e5t2a7u3Q5v3Kbu7w5r4u5u5V7r0c7r7Lbr4HZv8f5s6k7u437v7tZuxGbu+DZu
1bZv1P5t2E7v1a4T9Gbt6x7s+GZv9SbwyP5t6W7s9rbuxF5vAZfsAufr9Zbu+bbuAG9uCv9wCu/v
677vEs/v+sZu/Wbv/7Zw/M5whphwAydvBz8fhVHt767xv5bv96br6gZy8K7wGcdwE79wFDfs9A5x
Hf9x7h7y+uZv8Q5tEqdyGD/w/R5wK89yLKfsEQfxvqbsJIfyFD9v/8Xe7KNu8gv/bA0vcRrn7gk3
byKPcC7f8SsPbxKPcfwm7TivcifHcx+v8z9f8haH8OGW8tP27R7f8hVfc4d4czYn9MuWrEePaztn
cxFvcNFWdO9e8Bsv7x53dEgP8jCPbksvdDIH8Cfv8js/8i9ncRQfdbLO8xT37xbXbinXc9fedTPH
9JUui0vH8ht/ceVm9dIe8ji38fIOcA8n7mDXc1zXcmfna/NWc2EPdGFXdmRn9vEmcDVvbVs39OXG
8BpX7VGx8wQf8w1Xcv5271X3dSGXc/WWbUUP91BfdDhXcF+fd+e2dwHP99wG7HKX9tzmdyj3crl2
a4Qv9sae7FUfeP/OVmqkLp2fnniLv3iMp5EiyPg12+mPqQZv4XiRH3mSL3mTF5hTOAhhkDGPb/l/
aASXj3mZn3mar3mbj72Tv755LoWb73mf73kU+HmhRxdSoPScP3qkT3qlx5Ghb+elp72mZ+enX72o
X+fXFOqLr3rJw4YmmXqv/3qwD3tyDQGxL/uw8y9o0PpXMfvx8SK2502lK6C4x7L9+ZC5L6CfyBDh
wHs7SbBEozqpg6FEuyo/2yqFwyonqjp8s6o4+vvGnwpA23vFMiDFMCvKKrTE5/vHfxCzOHx4khDK
YvzFgrfaiHvK3yu/l7fP15/RqPzRX7emI/1AQw23n/woW68mIqL/JYuxGuu059J93799JjuxWHut
mSr+oHOyURKvH7utW5s1mLop8XIO5m8vmMIPFwqqJBKy1eIt2goylGuw7E+1lQO1LTqzdyWLxGAu
AnMv9ro4jns157A4dnuuDyMubZp9zWj/PiInyAcIewIB2CMo8CDCggcNKgRg8OHAhAQdRqwYkeHE
hQ0vasSIkKHChBstZgxZciRKkCJNcvTYUiPMkCnt/atp8ybOnDhXfuw50WVFhxRLQhQ6lCdMj0BP
QjQpVCZTqD43Rn1pUWpLlQWNsnR6FCTYjmIXPo1KEelSqRkflo0ZVmlHuByvnpW59ehArk1/tp27
FSnVwCRnuo37/xQw4oQ6b74la9ds15NXVzYlTLjo2JlAA68tXHWw37p2I6t93DM0VsFQtYLWrPpz
Y9RES0/+m3YzaZVyHVPmnLozXc+KFxMvTtxlbNm5M4/uarkqZuWoT7O8nfq3aeHVxYbV/txy89aS
kWfeDHkucPDl16OXjjKmSPLWzXsnaPw+/n9cL9btq5f0XcF9hNd7h5HnFVtetQZagnDhRuBaouW1
V1Bt6XaWgUmx9ZVhaA1Y2W99TdjdYQGuhtV+E/K2H4YYBqUiinwBdiCE6tVoYn45zqBTYj36+COQ
QQo5JJFFGnkkkkkqmSRrSzr5ZJE5SpkTlFVaeSWWWWq5JZcmdv/5pZVTEgcmmWWaeSaaaaq5JpvD
jdkmnHHKOSeddV4pJp528qYnWk02ySeREpL5J6CC1gYoohIZyVqKHh46Y4sl9qgVbpAa+uNnRxL6
KFj9ebrpjBJJylOliEmK0ajxqfooZakCmemZxq1J6auBwheeo9SByuqQuwYJKqPWTSdkdz76uqpT
heWqbGLHTgoknmKaOhSq1Y7I36cXbkgdWdb6F+mfxaZqoGhllTgqpZ+WFiFR6n7YrZcwjsvsZNpe
e29t51Lb7obhMmtvvOa6e6uXInYm47YwHgRKmMVR+OC67A0WbGXjrVeqbsjSpqvE8jKnVHSuhVqs
d4qK16mHuwH/vNvGsAp4V8Z+/XudiSyD7J5k0U5p6otG9RvxsBv35nN2IjcXM75Ciwezn0wXfV5D
elFsscnvcdvoaNpC3TTR4rasMXYlL0300P/Vp5bUbT5cNWQqc0yoZE9/ze3SYmMHbNZvX9yq3gSz
THe9VX9dqtVeuw14WnYLO7Lgbv+d16w9720VeI9PJbPj8NFK7+OLc/3x5JX3nS9ziE+seeifY546
4GGfznbHlxfIOn1qUliwwZeh66KoA5Or4HVka937oTfu7ju4MQI/LrkJvhuevs/Hey1yp+prrW0e
08Vi8sRDD52EKV5PvYbLX1qlrFs6myj77bv/fsM654emq/Db/38//vnLmb7+/fv/PwDvJL8B3iSA
BjwgAhMIGAIy8B+/qtP5rLS+ZeFqgnzrjQJt1zozWTAiDcSPkzqoqWaRSnro6pOIpnWpjG1uUchC
mgT/tyuSpYlRz3qfCF3Is/h4bk8l5BXHwNa0EcLuSzmU0ww3WCYbkrBLsspQhfiCPfE1j4feCl+k
XnirkP0QZvAanRTRs68pZi2L8GKRwkbSPDLKKClR/OIXq9i9mo2PjgnzYrcq5j2sgcxFCfujGb34
wQHK52UsZN3QTCezIJ7IOV083OtcQzXNIC1ud/teJM0CohfljYmvC9nWKnhJQ9KsY47T4yEzSZNB
6oxswdNQjf/6iEUCHa10mjuhKzGINuvxTpJ/mZjZRjezn7wwmKFUFHDS1rixgNJpN8vjanKnLEsa
E4zRxIsxq8nKVurScLR7ZNHsVrxlhiqSghvcif7WQmrWx2vWrNTBQnQ1ZrrnZHPjnBsr+UqcITN2
HtlmtAopt8wFzWZaHOJpage9s21xb8mBmuJK5k6juQxFqLuoGvlJH0hmKnHWPNt8JBYVgOYJigqq
nvGq2DtA7rFVqJLegmY2vXSNMSt6rJlLi9e28D2PiiDiKUkEZkXtFaWOfYTmL6/XqXK5FFbVXGoU
nafUVZJUSl06Ygb9h9WrIhF+Vd1ZluqX1bEqsatx2mqZvrr/E7Kyta1ufauP+AfXudIVTmq9K16l
RTAKui+CTdQSQmX3qwkS9qqBjVVeE4vXHeatiw9krK0Y6yzCQemwizSWrVoo2G7qkJFARBJa6/rX
Y3UQb53lK2Y/qyTLWi21xHLsOcFWpHWCKbR1NY7AMPMzpOIUYbecjfmyaB4OvfFdPmWQGX06vN56
7I52XKTZhHowk/rWjjRNY26LK8bdMndUiv0ueG0yn5vGlJiusyhFz0tQuWm0hJBEJws3OTZ9TtKP
3yyoLUPKQ1U+kzXh/W9i9btPBL2SvlR56mYFmssePpN8+FXOz15axNY6yKOhXK83JxyhYubuvQcB
MIgJKFnu/+CTn6VzUOFAp8+MctbE2XMxfJXGVHNmEjbohHHn2unZG+NKtE8SsEKP6bcgrpd0dWNv
eu87UBLneJgHlR2GeZxhRk5ylElWrY9X8sS2fWip1RoPxshLXcgZOXiCSumXcYfm5WYownDcnny9
2MYXRy1bkPvjFns5oHUBVV5G3XNIQizoaAE2sliybZYT3WNFP0muszX0lRDNaNEecdCWvjSmM63p
TXO6057+NKhDLepRk7rUAN4EoSet6lWzutWufjWsYy3rWdO6raa+Na5zretdD7rWvv41sIMt7GEz
mtfGPjayk63sZTO72c5+NrSjLe1pU7va1r42trOtbQYSu//b3v42uMMt7nGTu9zmPje6061uOzGD
Get+N7zP1O5407vVSbBfu91d733ze0n57jfAA06keQu84FjaNkDzjfCFM7zhuW63wyMu8YlvmhkU
vzjGM67xjXO84x6fti8+LvKRk7zkNcmHyVOu8pWzvOUufznMYy7zmdO85jY/tpYgYPCdf/vmPv85
0GdOhaCznOdGPzpCiK70pYMY6b6GgtORlI0FMr3qVr9r1LOu9a1zvete//qqr85yVJBaEDUHO9rN
Lfa1s73tbl+MLt4u97nTPbFpvzvev76AvPO9734XYN0DP3dA/73wAFzEjyUN7yAYftZ+bTzk8UcH
Iwm+8pZ6vzzmM6/5a7/g5RLYPOhDL/rRXz7yplc16VOv+suzYfWufz3sYy97q5++9ome/cUvgPua
2L73vueT4n9PV7cDYPc+D/jjha/8/AV/+c5/PvR/dIyxxiL6eoKF9bOv/e1z/+DG/z74wy/++XW/
/Iga/88RUHXzs19PAQEAOw==
------=_NextPart_000_000F_01C70620.52DB6AA0--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kABMFZTU052999; Sat, 11 Nov 2006 15:15:35 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kABMFZgv052998; Sat, 11 Nov 2006 15:15:35 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kABMFXIX052992 for <ietf-pkix@imc.org>; Sat, 11 Nov 2006 15:15:34 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kABME3a8004968; Sat, 11 Nov 2006 15:14:08 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Russ Housley" <housley@vigilsec.com>, "Dave Engberg" <dengberg@corestreet.com>
Cc: <ietf-pkix@imc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Sat, 11 Nov 2006 13:37:23 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMMECICEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
In-Reply-To: <7.0.0.16.2.20061110222840.075e6860@vigilsec.com>
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
Thanks for the explanation. I will coordinate with Steve and Stephan.
Perhaps we can also take care of that pesky hash algorithm agility issue at
the same time.
Mike
-----Original Message-----
> From: Russ Housley [mailto:housley@vigilsec.com]
> Sent: Friday, November 10, 2006 7:53 PM
>
> . . .
>
> The only way forward that I see is RFC 2560bis.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kABJbeDl035609; Sat, 11 Nov 2006 12:37:40 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kABJbeq0035608; Sat, 11 Nov 2006 12:37:40 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kABJbdhx035574 for <ietf-pkix@imc.org>; Sat, 11 Nov 2006 12:37:39 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Sat, 11 Nov 2006 11:39:28 -0800
Message-ID: <82D5657AE1F54347A734BDD33637C87905679317@EXVS01.ex.dslextreme.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccFx4komIH2SBRnQ6+sz/9ElP1bDwAATQew
From: "Santosh Chokhani" <chokhani@orionsec.com>
To: "Russ Housley" <housley@vigilsec.com>, "Dave Engberg" <dengberg@corestreet.com>, "Michael Myers" <mmyers@fastq.com>
Cc: <ietf-pkix@imc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kABJbdhx035603
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
>From pragmatic viewpoint, when the AIA in two certificates point to the
same Responder, it is the subscriber and the issuer CA. That is why
pre-cached responses in some of the products always contain the CA
certificate response, if the Responder is authorized to provide CA
certificate revocation status.
The above is a common implementation and avoids combinatorial problem.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Russ Housley
Sent: Friday, November 10, 2006 10:53 PM
To: Dave Engberg; Michael Myers
Cc: ietf-pkix@imc.org; Sam Hartman
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Dave:
>I agree with Mike, and disagree with Sam's original assertion.
>
>A keyless responder with pre-signed responses can be fully compliant
with
>the mandatory requirements of RFC 2560. This is reflected in both the
>"letter of the law" and in every OCSP relying party app/plug-in I've
tested
>(which can all work with keyless caching responders).
After a face-to-face discussion with Sam, I think that he is
correct. Let me try to explain the case that he discovered.
Assume that the relying party has a certification path to validate,
and two of the certificates in the path contain AIA extensions that
point to the same OCSP Responder.
The relying party generates an OCSP request, including both of the
certificates. RFC 2560 allows one or more certificate to be named in
the OCSP Request (SEQUENCE OF Request), and I could not find any text
to indicate that support for more than one element in this sequence
is not mandatory.
The OCSP Responder generates an OCSP response for both of the
certificates (SEQUENCE OF SingleResponse). This response is covered
by one signature.
So, there are three cases to consider:
(1) OCSP Responder with a signature key - there is not a concern
here. The OCSP Responder builds the response and signs it.
(2) OCSP Responder that can relay to a server with a signature key -
there is not a concern here. The OCSP Responder forwards the request
to the server with a signature key, the server builds the response
and signs it, and then the signed response is sent back to the
original responder.
(3) OCSP Responder with a bunch of cached responses - there is a
concern here. The responder cannot respond to the multi-certificate
request unless responses for every possible combination of requested
certificates is computed and cached. This would be computationally
prohibitive for a certificate population of any significant size.
The only way forward that I see is RFC 2560bis.
Russ
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kABHw4Za023013; Sat, 11 Nov 2006 10:58:04 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kABHw4Z0023012; Sat, 11 Nov 2006 10:58:04 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kABHw2YO023004 for <ietf-pkix@imc.org>; Sat, 11 Nov 2006 10:58:03 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 8672 invoked by uid 0); 11 Nov 2006 17:57:57 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.121) by woodstock.binhost.com with SMTP; 11 Nov 2006 17:57:57 -0000
Message-Id: <7.0.0.16.2.20061110222840.075e6860@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Fri, 10 Nov 2006 22:52:34 -0500
To: "Dave Engberg" <dengberg@corestreet.com>, "Michael Myers" <mmyers@fastq.com>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Cc: <ietf-pkix@imc.org>, "Sam Hartman" <hartmans-ietf@mit.edu>
In-Reply-To: <E2339D02A340A546998AD2E6251332D603EA04C5@csexchange1.cores treet.com>
References: <CCEJKFKLBCNMONJMIEAMOEBLCEAA.mmyers@fastq.com> <E2339D02A340A546998AD2E6251332D603EA04C5@csexchange1.corestreet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Dave:
>I agree with Mike, and disagree with Sam's original assertion.
>
>A keyless responder with pre-signed responses can be fully compliant with
>the mandatory requirements of RFC 2560. This is reflected in both the
>"letter of the law" and in every OCSP relying party app/plug-in I've tested
>(which can all work with keyless caching responders).
After a face-to-face discussion with Sam, I think that he is
correct. Let me try to explain the case that he discovered.
Assume that the relying party has a certification path to validate,
and two of the certificates in the path contain AIA extensions that
point to the same OCSP Responder.
The relying party generates an OCSP request, including both of the
certificates. RFC 2560 allows one or more certificate to be named in
the OCSP Request (SEQUENCE OF Request), and I could not find any text
to indicate that support for more than one element in this sequence
is not mandatory.
The OCSP Responder generates an OCSP response for both of the
certificates (SEQUENCE OF SingleResponse). This response is covered
by one signature.
So, there are three cases to consider:
(1) OCSP Responder with a signature key - there is not a concern
here. The OCSP Responder builds the response and signs it.
(2) OCSP Responder that can relay to a server with a signature key -
there is not a concern here. The OCSP Responder forwards the request
to the server with a signature key, the server builds the response
and signs it, and then the signed response is sent back to the
original responder.
(3) OCSP Responder with a bunch of cached responses - there is a
concern here. The responder cannot respond to the multi-certificate
request unless responses for every possible combination of requested
certificates is computed and cached. This would be computationally
prohibitive for a certificate population of any significant size.
The only way forward that I see is RFC 2560bis.
Russ
Received: from corporativos244217-101.etb.net.co ([201.244.217.101]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAB3ZQvS008498 for <ietf-pkix-archive@imc.org>; Fri, 10 Nov 2006 20:35:27 -0700 (MST) (envelope-from puphqey@orthous.jnj.com)
Message-ID: <000a01c70542$6f4df970$00000000@lina>
From: "knows anything" <puphqey@orthous.jnj.com>
To: ietf-pkix-archive@imc.org
References: <000a01c70542$6f4df970$00000000@lina>
Subject: Re: Dietquot Couturegrl Kitchen
Date: Fri, 10 Nov 2006 22:35:29 -0500
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0007_01C70518.8677F170"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
This is a multi-part message in MIME format.
------=_NextPart_000_0007_01C70518.8677F170
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0008_01C70518.8677F170"
------=_NextPart_001_0008_01C70518.8677F170
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
----- Original Message -----=20
From: ietf-pkix-archive@imc.org=20
To: puphqey@orthous.jnj.com=20
Sent: Saturday, November 02:03:12 PM
Subject: Dietquot Couturegrl Kitchen
Inspired Miplay Leaf Unforgiven of sht Else or Short versionand =
Justice.
Earth Instead in playing usual star stars! Hourly a Technology =
Business of Developer ibm Websphere Server Feature extends.
Frequently am Asked Hello from Germany a maggie Minutes Everything? =
Paypal or issues am related am phone number am Blog Entries is Comment.
Birkin Lvlover style Chloe had chose Dimple Marc!
You currently not logged or viewing. Cias selling a covert a.
Designer Forums dedicated in. Loops Treke explosive footage of Mike =
Rupperts.
Quotyou Dietquot Couturegrl Kitchen Food. Nfii Ultra of Suck dick =
Empires well a. Dropbox am regarding Subforum azia Contests or?
Sell of offering sale is Listings Shoes of.
Important Thumbnail preview disabled am Vlad is Days ago in Newcomers =
Lounge. Advice virtual am dub together edit got or Videowave Fokking =
Great. Robotic parrot in id one of huge kickass.
Wolf a Blogger back federal prison Gnns Dvds True Lies! Copyright copy =
Jelsoft Enabled vbseo rc.
Sonic of foundry is Real previews very im too.
Necklaces is earrings etc yay nay in! Loops Treke explosive footage of =
Mike Rupperts.
Earth Instead in playing usual star stars!
Rc Musicmatch is Jukebox Worlds music player. Light darkest secret =
Agencys cut ambient.
Btw move link of doesnt seem.
Chloe had chose Dimple Marc Jacobs Urgent opinion neaded.
Btw move link of doesnt seem.
Bioadd Videosthe big am Ladiesthe Leaklos Livemtv is Weeksucker. Jump =
select Control Panel. Hours Designer Forums dedicated designers Louis =
Vuitton lv of Reference.
------=_NextPart_001_0008_01C70518.8677F170
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"valid" hspace=3D0=20
src=3D"cid:000601c70542$6f4df970$00000000@lina" align=3Dbaseline=20
border=3D0></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color:=20
black"><B>From:</B> <A title=3Dietf-pkix-archive@imc.org=20
href=3D"mailto:ietf-pkix-archive@imc.org">ietf-pkix-archive@imc.org</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A =
title=3Dpuphqey@orthous.jnj.com=20
href=3D"mailto:puphqey@orthous.jnj.com">puphqey@orthous.jnj.com</A> =
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Saturday, November =
02:03:12 PM=20
</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> Dietquot Couturegrl =
Kitchen</DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2>Inspired Miplay Leaf Unforgiven of sht =
Else or=20
Short versionand Justice.<BR>Earth Instead in playing usual star stars! =
Hourly a=20
Technology Business of Developer ibm Websphere Server Feature=20
extends.<BR>Frequently am Asked Hello from Germany a maggie Minutes =
Everything?=20
Paypal or issues am related am phone number am Blog Entries is=20
Comment.<BR>Birkin Lvlover style Chloe had chose Dimple Marc!<BR>You =
currently=20
not logged or viewing. Cias selling a covert a.<BR>Designer Forums =
dedicated in.=20
Loops Treke explosive footage of Mike Rupperts.<BR>Quotyou Dietquot =
Couturegrl=20
Kitchen Food. Nfii Ultra of Suck dick Empires well a. Dropbox am =
regarding=20
Subforum azia Contests or?<BR>Sell of offering sale is Listings Shoes=20
of.<BR>Important Thumbnail preview disabled am Vlad is Days ago in =
Newcomers=20
Lounge. Advice virtual am dub together edit got or Videowave Fokking =
Great.=20
Robotic parrot in id one of huge kickass.<BR>Wolf a Blogger back federal =
prison=20
Gnns Dvds True Lies! Copyright copy Jelsoft Enabled vbseo rc.<BR>Sonic =
of=20
foundry is Real previews very im too.<BR>Necklaces is earrings etc yay =
nay in!=20
Loops Treke explosive footage of Mike Rupperts.<BR>Earth Instead in =
playing=20
usual star stars!<BR>Rc Musicmatch is Jukebox Worlds music player. Light =
darkest=20
secret Agencys cut ambient.<BR>Btw move link of doesnt seem.<BR>Chloe =
had chose=20
Dimple Marc Jacobs Urgent opinion neaded.<BR>Btw move link of doesnt=20
seem.<BR>Bioadd Videosthe big am Ladiesthe Leaklos Livemtv is =
Weeksucker. Jump=20
select Control Panel. Hours Designer Forums dedicated designers Louis =
Vuitton lv=20
of Reference.</FONT></DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_001_0008_01C70518.8677F170--
------=_NextPart_000_0007_01C70518.8677F170
Content-Type: image/gif;
name="be.gif"
Content-Transfer-Encoding: base64
Content-ID: <000601c70542$6f4df970$00000000@lina>
R0lGODlhzAGEAof2AAkOBnwLBQqLDHiHCwQAfYMLcg5zh72yxsbXxaDP9jUSAFsVAIIhAJgmALMh
AOsaCwo4CShKADNOB2FDCnoxAKc8DrpNANw7AQBRAhFcAEZgAGJkAoFtDpRnAMttBN1gAA56ACGB
CUF3AGV0A4Z+B5eCBMx8CNaMAACRAB2RAD+nAGSlAI6RAJWmAMqTANekCAOxCCy+AD6xAFrIAHvG
C5S6AMbEAO7NDAHfAB7pDELSDlbWB4jsB53rAMfUANflDQ0ANSgNOkwESV4OMnoAR5EHQsgATdcA
SAAtSCMSMkotOF0bM4AePq4aNbEjQ+MdRQBFNCI+SkhLPFFETIFCO61DNrxMPNw4OQtUQhVXRklV
TWpbSoleAK5gScFdOtlXSguNNB6NTD96Ml52Tnd0N6KCPMCKR91+TgWdSSugSz+iOmeWSIafSqGd
QcGoO9uqOg7CPBuzSUe7Q1a0PY27NZjAQc7GPNnDTgDbRyHuNzPjOWXeSYncPpXsMrreM+nZTQEA
hS4Gdj8AdlkAhHYGdqwMibIEceQAcQAdgyURgk0sh1IXcoQnh5wSdrEmgdIehwY2dy1Oh0U0f1I+
d343d5xOgLg5edk1eQBZfiZdgjljjWpoiHVieJddd8FeiN5WhwCBeSqKhzF1eFx+cYeNjph3irqO
jud7hwClihOReE6egm2fhoWpc62dhLyWdOutegK2dxa3gEjCf2LCd4nHh5HAfMvHeuzHdADmihjm
fkHlfmnji4TqjJnigbnXgNrjcgECuCIAtEkHxGcGwH8Jt5YDxLsAueAAywAkxSguwEYWvVUSxoMW
w50qt7chyt0byABAsyo2yTE0tl1KzYkzuJY5xcM+zuUyvQBXxBtuyjxisVhZuYJtuJZRyrJUuO5d
zAWGsSyCyD5+xVSIt4WMx6OJw7N+zOODzQCcyy2UvD2YwWaRs4GbyKyqzMGmveSttgC5vi7FvTLI
u2y1v43Fvpe1tfb/6pKdrI2Mdf8AAAD9AP/zAAEA//8A/w3y//z//yH5BAADpWEALAAAAADMAYQC
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnDgRAMWLGDNq3Mixo8ePBe2JHEmypMmTKFOqXMmypcuX
MGPKnDkTAM2bOHPq3Mmzp8+fQIMKHUq0KE2bRpMqXcq0aUyQUKNKnUr1ocWqWLNq3cq1q9evYMMi
vCq2rNmzaNOqXauWLNu3cOPKnUsXrdu6ePOudcq3b8o7d/wKHky4sOHDiBPPBBxYsePHkCNLnjwZ
MOXLmDNr1svZIePOoEOLHk3a653SqFOrXs2ac5PWsDMeiE27tu3buHPr3s27d1fNwIMLH068uPHj
yJMrR35xufPn0KPnbC69uvXr2LNr3869u/fv4MOL/weqqSX18ejTq8fZVYD7ke4FwH8fv358e/fn
y7dv/2R+/SX9RxJ/LAmokoH+EShSfwPWtxKD+r3XIIIBMmjghRJGiCF/GZqk4IYTCshhhRx2uKCC
IZqIH4T9lXgfhCs6GOGEANrTXob/vahijflRmKB8NAYZpI81FrgjiR7Sh6OSQP4YI4A5MplSj1IK
eWKTV17ZJJFJAqkjlk9mGWaYMiI5pYQiotkhlVuqiGCaXi4ZZZtA/sammETeOeaDJsK55p8HlokS
jIP2KeeYFM6JaJV7Frlio35iqaiYRkq6n6FxWpqpo5yaSeafm87X6ZuH8ljmpOfN9GWVXKLIpZV7
wv/4KolHenommIpO6umXUJZqK6eRCqkrn2BSmiWpl9Lp5K29Fstroc66qWa0yerZqEzN6fiotdBq
6hKIooIKk5ItzfrhocMW+eyT6RoLLKDiUjqru+6u22yn1wrL6L3QdunvtbxOW6Od5LLqYogpEqrl
iMeCWiu/gRZ7a7IQJ4ruxcr+6DDD7JYaqcILJ9yitBTna7K8++IpKL3Isizluvn9FiOTvnYLK7P6
lpxixCfjy2yuNavLKMwPW4hpxSjSS6zANLbM8b/9fkrtzqOS7HLJQ0so88jt0npz1EKDrPTCD4/d
L9AZ75q1zvPauyiLKc/rJIhOp/y1hkHn227LABv/fKrWFOXEdd4J+wy1ymn/Gjax46799rIdK9u1
v+BOyq3clB9dd6iHd3415HwPafWchC/1d+kzS/3t0Y8/6vPkhs+NMb5oIy2xuJV7PG3igTbNOpyI
3170kcC7jvLUanv7dtnYBn783ar3DCuVFSJ+ZvU8e8105BCnTjTbdlsPqZrYk262mdy2ruvKPee5
/eVW22qtnwNztTjeDgLvovC4xr17reDqkqDYtCFMsW5m/SugxPD2Lp01TFPVSlrh6rUx5WlJcdBD
YAKDNb0Bysph9ZvIevyCOZmUcIQoVEyqUti4Be7khCyMYU9kJsOXwNCGzKuhDnmywh368IdADKIQ
/4dIxCIa8Yg77CESl8hEokiliVCMIhQDQEUpWtGIVAzAZbJYRS56sYtVFMkXV/JFLZJkjGfkoj3U
OJIsptGLKCkjG9cIx5TIEYxmFCMe5+jGONZRj2hs4x1VEkg6hhGQJ5kjIPNoyD4u8o2NVGRJHPnI
Sr6RkZQsZCYPmUhOLvKQjqSkUagjSkNOMox9LKUg8xhKVHoylXwEpSwZ2UlamvKWtbSjK80IS156
cpWIDGYjgfmSXq5ylrWkZSx9ycpl4lKSwiQmLi/ZzGoKc5O2hCQk2djKbD4RJ6UUpRs36UdlMlOb
wfyjMdNIxldyUpXTPOU5n4nHXBJTnLss5jt3if9Mk6iTm/tkJjLxaU6CahGakbxnQBWazU8SMp/R
lEw43XnQX9rzotLspTHh2U5M/lKVHI2kNRE5UVuO86P1bElJRRpRhzp0pWg8qUkDitKKNjSmKdXm
OnXZUJLe8Y9CEQgnJNJSjoZUmv6sKUPp6NOePtSjM83mURXZzXhaVaZJtalLYArGlrJ0jFytaFOz
yk6LAlWeTDXlSm85VYtec5bn/OZN1lpOt3q1qP3EKlZlgk2yZrWMl0TnXtEJzLAC1q/brCdIu6pY
peo1pxmFrEtz+dioClKPLFnsQt/q1MHQladu7aZk6TnPxlbTrtH8LFKTqVOIEnasaD3qatXqSqv/
0rayZIXlbRE72Neilam95axsjdpP0jrReap9KkZ3+1u28lOybYUqYn0rT6g6s7mFdSxqfbvXQi6V
uYkV6GhFq1nlflWpn+ysbb9rXLnSJLk8XW5wjUta6G63r9idLTVHmt+rjneemdXuaaUK0fkOFo4T
jaxl4/tS9FrSvOXkrH4NA1/MThi/+E0nXAG83tVmuL/HdC6BR9zagt4Vozs9q1d3KuJjalWwxZ2w
cDlsUJWiNsUxBgopHezXkFZVwyae5nU7jFcOgxjIKw6ta0UrY3v++MH6/fGTh8nky7LzyKmVck3V
G88DF9eN/9gBVMApSR+r+K8GpShkqerd5ab3/6mA7atmgarJw7r4zHcmLELLm2ekqlGO+SUohIfZ
56QGmM5ltrNsr8joRjv60ZCOtKQnTengKLHSmD7iXjIdlNUkwDeg1ginO52aT4f61M4btU9UY2pU
90bVUEwArGdNa5rIWjE4qDVK+MHrkfCaH77uNUl+XZJfG9vYwUa2PYg9bGGb5NjLPja0dz1tZp9E
2s+utrSJbe1kA1skyu52cW6t66ZcxNrodja41V1sdkf729xmt7ib/W16s4TZ8a53u+Gtbnz3et7r
1neyBx5wkZSm1a72DU78zW+BTzvbDu83sMUN8ILveyXd/re7321vjgfb4xC/dr7rXfFyO3rkE/+X
t7JDTnCWt9zlL4d5x2c+cIBX/OYa13fJTc7oeEcb5Ov+uch1vnGgG53mFqe2wGN+9HwPXekpeXjS
eW4cNVzG5zm3t80lvvSAb7vrUw/7xZ8+9o5L/etZV7rKwU71niNb6hzfOtHBTvGiN93uRxf7vDMe
7qLvfO94b/tNkIJCaMN922QXe9hLDni25/3uS5f74//u7p0LfvCEV4/hVw7yxiM95oyvPN5xHnnR
d93piU+94i+/k8yjZ+WcT3fpI050o4d+9hiXeN75zm+t+330gWc9SbLQeuecR/btTn7ZvV7wurPd
8yrpe8rpLmzke5z00Te9wRO+GwDcZS5EGHP/0nm//N1rm/ZqR/+9z3/2wz8c7dN3P+5txP36cyUE
YBH+S+zPf9vo3yX9F4Cw8X/mIYAGmBoEyBIHiBVDsIAO+IAQGIESOIEUWIG68X0WmIEa+BWI4X2u
l4AgmBxn4X0KUQobeIKoJgtyMRgeGIIuCEUtiBMpoBhv8II2yBfed4M6WEQxKBT+sINA+Bw5GIRE
KIIoeIRIyBtFuIQ+xBUYmIRQGIWp4YFSWIVW6BF+MYRMuIUs1INc+IXq4YVgOIZO0RZPeIVomIZv
QYVq2IZoGBlaSIZyOIeS5gnPUQbd4YZ6CBpBsId++IeAGIiCOIhoQYcyoQHhoQCGCBTFMGlm/6BD
gyB4hDiJlIgRi3iJmJiJmriJnNiJnohElRiKotgQn1iKpniKqJiKmHhpmLEQwvcBH/ASsFhEszgS
b5ETHhiHxVGL9sCLswiLwFiLwSiMw8iLI1GMsWiMvhiMIoGMvRiLJVGMzQiMx8iM02iNJuGM1DiN
zyiNKLGM28iNz9gTw1iN3tiNxkgSy1iN6EiNypiM52iO27iO4wgdWqiLw0GP45iO9SiO/piN0BiN
0KiPvxiQ7KiOBkmMB1mP+oiQABmQ77gSBAmRA2mQONGQ/eiP/NiP67iRCpmRJ9GRFemQzoGPIpGL
hIeS9hCDKJmSuXiSKrmSSHGPH8gSxKiQ/P+4kQsJkN8Yjh5pkSCpkx/Jjhj5j9c4kjsZkkhJlMjo
k9ZYjgIZlTupkwxZkTgJlEeZlDzJjQUplY9xESZJkzBpEy2Ygyz5gWY5hGkJkyNhkgtxkyOZk1ip
lXSJjnQpl14plenYlUbZl0+ZkHOpkRb5kfMIj0w5l3sJmCSplOL4lyApj3W5kAX5k/Q3hTUpljLJ
lpmJmSSxlpr5kgqoEPvojlb5l9jYl/IYjhn5k+Uol9g4lFwJlQ/JjF0ZkSmBkYRJkRxpmD2Zl7Zp
k/DIl844lfF4lDfZm7d4FJfpkp85k2TJnDL5kpgJmjlhmkt5m4rZm0pZlI9JlY15naP5mFr/CZeL
yZhGmZuHSZuBmZjl6Z0ISZ7iaZeoWZ5ZuZXKEZbQqZbOmZlsKZbTKYY0YZ3z2Z7riZhOaZ70uZWw
GZ7xiZfyOaC7qZdLyZcJmpS/GZ+zWZ9CeaAqgZcO6hjN4Z/5uZ+byZz6+ZxtCZ0pehKuKKDdmZ0D
SpkRGpv2+Y9DSY/c+aGq6Z2/iaO6KZIdqpv0OZGQKZ8yuqDfqaCDGYvJiXk9GJP8qZ/R+aQqyZm6
aJIt0aPeWJxUqY0wCpVeap3w2Y7EOZukaY4VSqCqSabfWZgSeZp+eZoXCo7q6ZDDiaREChmsqJw6
gaUm4YqC555WVItNyoI1CRN+GhNNuaiM/9qojvqokBqpkjqplFqplnqpmJqpmrqpcLoeidoSn0qE
gspEozoYeyoZgDpKAnEEo9gZL6CBw5GqRdGqGKEKoZEPqjFqw6CKIBiqKwpFgMCr1tGSmPcSvkoT
lVAJI5Gsy6qsyfqszMqszWoP0PqswlpEYJl5x2oS27qtLKoQ0kqtyioS0TquJSGt6GqutkgX9ECr
UIifzVmWJ0qlVPqr+weu4wqt5Oqs6koS+rqvf+quAhsV8BqlaYmiZ8mfBmuvAIiv+5qu4ooS/xqx
JTGwFosQOEGsYzmi/WmiHDsU5VquDzuxFDuy1nqtQ9RD8/qrUiqiLHuoDZsQ4pquEHsSE/8bruua
Eamwszt7sWnYEyvbnB27ov9JFP96tP3arOGKszPBs06bCijLHdnamSq6sCVKtB+rsDGLsUhbs+ea
r2AbsAzBs2fhDD7LGmwYFVMah2xLogdLr1YKsygBqDi7tNXKr/7Kr9VamWe7h7kIEULhrVE7hoJL
FIU7uCn0BFJ0uIh7iqcaGbI6FH3bt41buZZ7uTHhDvqXD/mAuQmosSfBuH7BuSXBuaaLEqZLuvaQ
uqfruVbEmcXBup2ruqvbuaVru7Wbu67bhBQhogm7thurrXLLHgqRuiRBu7Q7Esg7u7ibs6vRAZPb
GsXascKrtQoLu0thvMqLu8krEstbu9r/u7sslK2geaUoSrUMK7mi2brey73N277baxKkG70+O73o
i77mC6WDob3fK7+s678xcQLiuxTWYKq9i5au55npmxSASroO7L4r0b25S78U7BD4aL7WG7dBJZq5
+8Dxq7vHa7vfW8EkrBAXnMDOeZZeKLorsRCyu73su7zJ+798W8I2LBCxysESPEM3PIootMPhQQYD
rL4iJByRu8GcQQY9/A/c0MTcB2lnocQk3MRUHBu8SgZCDIJU3MTY8bhLJBZSPLlOrIRLwcKPYcaP
kcVDrKoVAbopIboticYo0a0oDKBrO69IscQ/y6eIOryg6se4CMh3fL0IzK1Vu8bRMbUs/6GxMSml
c1zHeBy8KRzJ1ruxb1zIJSGWb1ENeoyAykmdmXzIV1vJC4y1KqrAjqyZoeynJ1y+oozIKfS251vJ
QfvIl6y1Liu0f3yooYrKggzLOVzEpfyfrpyo+Suv91uijfzLoGzHhkzINdzJ3AcJEgECWJjMyezL
lnzL9qrA0Fywf2y14azJFxEH0nyA9luwyBydpYzNJ4rLKQzN8HzL3vyyWNvOwMwcgaO/q6zC9aoS
x1zPjNzMqUy1xezKKQq3eXzOoRi4v2y/ffrQT0Grn9DDQSHHiyzRAK3R9/qAMcDQD9GBHO0S/JzP
Jo1pbJDSJ73SJZHSLg3MXswURwwcrf/h0mwA0jTE0iih0rtLvs6czSM9t6JJAERd1CNB1ElR1Eg9
0TiNguk8vBgtE0stEks91URR1QSg0z4Ut/6MsFAKuoVr1Uet1GRN1Upt1meN1kZdElht1mNtD22t
1cahyKScygc7tKrslgoh1m8N11P911m91kgN2CYR14Td1k09iG58v7k8yqRcsUNd1m7t1yRx2Fnt
1oTN1pKd2Wmd2E7NpwFNoo6tzT5h2Jc92ZRt2X1d2ac92K192Wkt18WhyBr8zR6Lz857EIUN27zN
2m+t2qi92q7d153t2Rv41PGa17Psmf8ME1Zt2r6N2a9N2X592sId2Lw93bL9HW0ryQn/PdqTjL0u
QdbWLdljLdjaTd67HdvqHdyYoQPbnRlRndTWTRN8Hd8wGNR8cd/OXd/4vUQl7RjmfRP8/d8GfuAI
nuA6YdwMXhtnqODi2+ASPuEUXuEWfuEYnuF+COEc3uGXqOEgPhoePuIkvomPWOIozquNkeIs3uJA
hAgmXQUo1AQuHoT6XeNyeOM4Trg6vuNf2OM+DkVpcYYhXuQh0YFBnuRKvuT2sOJM/uRQHuWKIQnQ
AQ4uPt9jaORmqOVcThdp2+VgvhZfHuYhnYpVQYJGruRALuVsPh4x/eFkrhY6N2zvxm3FVudr52zY
RnsZt2/Vx36zR3Kwd3Z07mtxN+fM/6d84IbnE1foi47n3xrnaIHoi356hr5s0VfokXfnu+bolf5s
nH7pmD7qj/58jk5yQXfplJ7qnx7qpI7pDie2km4WqF7rnY7qUafpoO7pdI7rrv7ouV7qun5tpA5v
um7rmY7sp17sr87psw4SN6HsjU7svk7sqr7ron7n1Z7twN7pwn7t1G7osQ7r4o5xzL7prU7u3v7f
zWHsxs7ono5t9Kbnhufn1SfqgN5wpvfnsodvqo7u7z7twe7u1dbqgg5wUGiCBwgBlijw0053zD7w
vN7slt7tvX5vrv7wEx/xAv/t5H7wod7olq7svx7Nz54RC3fuFl/uK7/sKz/u9n7rGP8f7xHf7F4X
8MP+8b9u6yPP8ti+5A4/6hUv9JkO7ryO7j6f7twO8+ru8Utf8++e6qv+6v8W7gYf8gdOHTC/59p+
eF3/dmD/dpye7zcPcffe6/V+8eJe9R9X9vEef3qe8bG3ff/wCieff2YegUgwiPDX937/94Af+II/
+IRf+IZ/+IJ/9x3R5pr45ow/GaH2+KuYapJPHBTYHWuuijd++UChrZ1prIYMyjHBy6Mf4CcJtBGt
3wl8+hmLwqwfuk6a+awv0QstgSs5x7gP0J/flqCfyTwB5IIs+32Ki77feq4fuLuP+rePqHQfgaqM
zficksu//NTpz8nP+7Nv/dkv/VP/evpXyq3s3P3lu5nhf77xvM3hX/zP6ZKsrP63X8sASpa8P5Pv
f4/1z/7fH7osmf77j/3rDxAA7AEgKHDgQIL2EBL819DhQ4gRJU6kWNHiRYwOFW7k2NFjx4QeQ4I0
CHKjwJIoOapUaLDkyY8sXx6EeTBlS5o4R64UeZPmS5Qpb+5kaZOnT54IYc78mBOnTaRGny6lCrVm
0KpTtdbUOTTrz61drzYlW9bsWbRp1a5Vu/MkU6Umpbo8KrJnQbp0kz4t+rXvSrx99QJ1SnjmX8Nl
9epEGzik4LpN8/ItzNivXMxSLXMF6/SyZ7ahRY8mTdptS7inN8sMjDpq2KmHW/8c/wkZLmjCtPFW
/qrbdUHXMbX+lSxX8GzgxjtD1tz8sPDPyXMvbj299HXs2RVmlIg6ZurbqzsXxy18MeznzkGHtV6e
M2KT4d0nPpueOXmuPpnb3os+8tb9KItuO+4KNPBABCcq7TYG68tJpv/O809C6/SrrMHMBvvvwvgu
e2285thTLjfx9rKwwgiZom8zzYp6TECl2tOOLVFmtPHG0dL77S2getxNP+mS840v6SSrzsSgXuRR
yatqE1JIHnnbzb2xZHNSRegCnC4h8K48z6Urx+OSS97iwvFMNNNUc002cZSvTTjjtEtOOuu08048
89TuTT37xI5PPwPtM8F/BDUUT/9AD1X0rkQNJfRRSCN9aFFKK7X0UkwzhSJTTjv19FNQQ/1UUlJL
NfVUVFNVdVVWW3X1VVhjlXVWWmu19VZcc9XVVlF79fVXYINtc9dVLyH2WGSTVXZZZpt19lloo5V2
WmqrtXbVd66FSB5tu/XW2Rq+FfdAW8Y191x00yU2BXXbdXdVYeOVd15667XnXXzz1Xdffvv191+A
q7V3YIILNvhghBNWeOF4A3b4YYsagXhiiiu2+GKMM9Z4Y4479vhjkEMWeWSSl2X4ZJRTVnllltfU
o2WYY5Z55pnDYblknHP+Vg+de/b5Z1dpFnpooos2+mik5VVXEqCbbroPp6OWeur/fpOg+mqss9Z6
61uT9vprsNMitGCuy941glnDVntttccm2Gy4+2V7brrrLosfjvjRG++8996I77/t2XvwjgAXPG/B
B8fb8MMVZ9xuyCNXy3DAK0f88MsVelzzzBv/yHLMJRd9bbcXD5zz0ANnnPKmLHe99dA3xzxu2jnm
HHTMHze9c9lfvx123AsnsHbiLY5dc8JT/513svje3XnFeY++o+Krp/j41HdHfPXOhfe9d+zJsn78
b0ubnnXdlWcdeNVR90h72UeXX37u118/fPffP975z08Hf34A2q1+yUOe3gpnQOE1L4GJI9wACRi/
AEZQghOkYAXX5DgMZlCDG+Rg/wc9iEELhpBsCRoh+UwoMBGmUIV1ctsKXVhBWQmqUQGcYctqmKkb
mgVBpsmPg0gCpbRgqTFTyoxocrgeH5rliEkMImd69SHonElHa3rTEtVCKKTwSYg54qFivFZDKy4K
jPQKo0dklcXgBAdKOgJTG4nEmsk4cUpBmswc5/KYMDXJSiR50EIG86I99tGOC7EMHYdExCgRkpB4
zOMgPfOkMakESHF8ZCOB4xVJ+nFJZClSV5RUJElC0i0xzCR1yrTJQppIPUOxkinRyCSsqIdFvZlT
VlzUIjPFJpWMYaVdvFKi4VSFks/5JRLvc0tMOvEzuIwlMpWpy7lQpZfMdOIOef+YST/GkkqqXFIo
bblNQXazj+LxkjaX0iViftOZP6xND9e5o2Le8j3CLNGPqsSoMsXxSCHSJImcGc9xMgqNvFTnNxFl
FAl5Z4vcBNBbqFlEgDJUnjH6DpIYSk5p0jI17gynLgEaFX8up6O4DFExxwmhpMCHRR8d6USLCE2E
FhSYpHHbQDn0UpR6tC4mbSgwJ+pSoPYnpBEKJ09PKqaHtlSp89zlO39ay2P2cKY65ShBMQojaOYU
m0mVp0FiGFBFQhIwl9RjGpP0RvbYk0hmRSUrheLGo5wGkbpZZyd/6NFO2lWTFA2rHBkpoCS99an4
DCtQYfmdv+7VnhF1ZCLd+kf/V+pRL9acWxn3JCfLwumGmW3MgrKTUCXeCLQU5KxnMdupzcbJiqtl
Ulv21NoXxla2s6VtbWmGIbaUNjS6tRNvbRtB3K4FUL5FYhRFex3i+gmKvw1VcF170CaKcWDJZe5H
xkZHwbKTrWg9JChFGci+bnWPhtyRIqMESFEWsrVwdOxh2Wve8r6XiKBcZBrhe6+sAeCryF0qVbn6
X6de1CokDaYvDQpYAGOpR/5V6nqZOmCWiqXBfWIDGxRGXRuplcCCtGMbycTSiP7Gw0eVzXvI6kmi
UAaZGu4nki75ygNnU5UwRvFTq4PhtFTYwgXDMfUSFOF8lodCEw7xIw1KHL5O/zhLVi1pVWEKGCWf
csZOVulIocyRW+nYXfqVFpBDatNkYrTIXn6mT/sr0gDTGKYrCrBU/UtmNbdHVxVOF5fTZpoT01W7
8PURdzss2bvC082JjMscyTuWmPp5rPcp7Fs32ef7Nha7joUyXJ9kKB0Lq8f2GqNp/4SyRm1aUJl+
4p1aGKhEAdGIyFUNwkLNJmaxQVt2nlZ17QY0WkvL1nX7Wa51/dKZVVHURTvhrPYZRFWzadjLhc1u
+6TF0HJSKJ294r6kgbEnR/tgzC4uGRc07RsVm7JqKYc9mBCb9Panvc1MtyO3NN6MyteQhoVrfdEa
WFSuu5XqBZN9X1xvqLillP/bvSPAd92mOKu7o8Ps0EyR/OV+RzmoDDZpm988Y1MmFawxHviJVlrm
gzelpu5E5BZR2tU8U1LCQj3wsbtqZIqfU6ZBBmnLa5xPBTM1L/Nd5kzETZFTnGrNxoQqmmeu8geR
qL9sJDFmKp4f8YJ1zDZvsl+JiuiH99zHP5fIKYIOEf5eXN2/ZHiIF6p0sx9dmWqW+n+pPOWsWvns
bb86hIY6bMidYusHGvp94/tJFD960J68i6CHc9gkn92SkawnEO3qoy+107xBijTdy7rwxNKE6wVC
rbMVhXeFUzu6KANFyFHt+UOBPtmiZ6Lp6bV52Md+Uq7/FQdo7yvZ537zt+f/fe99/3vgU0oQwSd+
8Y1/fOQnX/nLZ/51dP/8gKmibMaCfvVrHSpvNF/7cLJ+91/la+9fqwvhhxb4yX9+9KdfVdRX/8+3
/374x1/+86c/2Np/f/znX/8oVBg76v9/AAxAARxAAixAAzxABExABfy//WtAB3xACNyvBZxATDGX
HYhADCQVCtzASzk1DqRAePlAEXQUEhpBEEwWEzxBZNmIDdiAjmhBGHTBj4jBFlSIGmRBGbQHGsTB
GOTBHaTBGgRCjhBCjwBCF+zBG8TBsjDCI8xBHWzCH4TBJ+zBpiDCJHxCH8xBIpzCHXzBLrRBKgRD
KkRCI+TCLORBJfRCKQTD/yF0Qi7UQicMwjiMQjg8wyIMwzRswzVMwhpUljzEwj9kQyW8whvkQxk0
RC9swztMQ0J0Q0BMxEcURLNoREW8Qkasw0UcxDmUxELExEBUREFExEjsREjMQ1Fcw0gMRUy0REAk
xUtURTF8RUmUxUBERFf0QzOcxSp0xFFswkQUxT9kxVPkxVIERUtkxRncRE1MRk7kRWSkxGP0RV1E
xmZMRTncxWJsRTeUQ1c0xlV0RFekRG1URVKkRm/UQ0+sxBwMQdIIQ3P8xF60RmmUR1Csx24ki2c8
xG0kxmKERmfUR3jMR3X8xXRMRXucRzakxmiExIUcQ3AESB9kxnE0RVTsxP9y5EdazEWD1EhK6cYt
VMM9LMOG/MJgFMKP/MgsDMd9RItGNEkr1Ec8BEmLjEKCjMmNFMOQZMgvXMhzHMhrlMmVTEaHrMd4
xMJrfEecHEZdjMVLuUeixEZ/JMiNFMeBxMeHlEienERlTMh/5Eq1+Emv9MmuxMZsFEh67Mll5Mhq
hMdHBMuihEUznMlMnEinxMlhISGUZMuqDMu0FMatzMhsnEqI1EuijMpMrEuo3MSRXEpz9MvAnMha
HMywtElgvElb/EtxlEuqpMiklMy0xK9UaUfF/MtZdEuPHMysNEil/ESzTE2rLEyEpEWz5EvIPM3H
XMq2lEynzMrVnMK53Mz/g4TLkmxG1LxK2rRNxLQRQslMkkTHezTEisTMOaTJS7RJ1ZRCl7TO0hxN
OkTIfBxKioxO2HxNoWzJkNxMd0xPNATK2zxJVAzPeYxOyuxCqqTPOmTHFMxPFipB/URA/OxPAA3Q
ESyBEhBQA02TAj1QBbURAl1QB82OBD0ZJoxHkSRNYOTG2HzH99zQrcTQ91xLo3RJdWxOO0zKXRRR
TYzJnexQ8GTMCh3R+VRRGZXPFpWTBk0Z9IxN4eRMuHRNNdTD8YRMssxNwdzRIbVN8txOIl1L5vzM
m3zLENVKHl1SISXMNYlQhsnRIr1Ou6TLoDxRmITDy7RSuYzS8iTTsdRL/y3tzePUUSjtx9GUUiN1
SzO9zQhaU2K0zjJVSTvNxfSETtI8zJxUSPFcwjTFTSX9zN30TjcFziClTYmsUjqlU0S9E3zoFB0o
DfMkQ5JsTCiMT8/U0E/1UqZMya4kw86UThKdzUrdVOxcUal0UlPlR1f1UL9Uz73kSvtMITxN0jss
U0nFSAwlVY5ESj/NyTOtVHLMUFqVzjqlR8NEVTV1VqQ0zZVczLn8mhbq1SH91TAFTFHt0V2tTDDt
UkIl12yd1GYdTyR1Umt900d9VqwsSHV90uERGezg1kj11i4NVkOFxWj1zGStUVk01t4M1+G8UE9s
13ftVsNMUoXlUVb1mv9tpVb3/Ff4fMNPdcxY5UtbzVMWpU5d1c4tJFE4zVVA3cdolNZWtdhVDdmV
RVdALJkHrVma4k+bpRmzydmhoVme/dmz8ECg1ZMMbIihFZSiLZSj9VU18T7RRNFETdV1Dcg/TdH5
5EyWVVYOddaR/dC4LEP2TNWnfMOoLUs9fclC/T8tpdqzcNRhrMNqXViI9FEgXc9ETc6n9FTAzFu4
DVSNpVLW/Mbfq9hHvVpDJdeRvEg5Bc9FPdxv7VewNNgv/U2BhdxDvdWpHdvVdFq08ABfrU+vjVvE
vdZBxUht5NOzLFeN/FO/NVuIrdzVvdyH1NuwZdPbI9xZnVNhndvJjdL/o8zLEI3cUN3drxVXlT1b
Oy3ZlzRSqRXKbk1MWUza4SzY3tXJaSRdu5RcYG3c15RWlXTUbH3ShrXeLUVUPPRaZtxc2fOGiMhX
rkVJUSVYbM1a1cVVuqXezvRY001dQaVagi3bqjRWRd1f+NNXeE1Y46xNSuXX2L1ejFXcvoRdvn1d
F0XL8ZXK1uzbvZU/AwZfJVXetH1Vk31LThXh0L3Kh/1YBm5ZGH3Vg0RWF3XIXTVRGrbXGTm3pT04
Ac5hBd1hHv5hIA5i+BPaH07acRNiJE5iAF1OE47RMEXYSK3MtUXgvmXdJk7HKf7g7ETf/NXYlJVJ
JpVBI44V/u3faaVg/wCuS3/UYOZl0yym0ARmVeCM2MnExDE2EE2tXrTUSkI1VzFVRo4d2Tbl0h0F
1MjMVQC21zluVEYd2vtlXtUV1NOM2X0d1melVDo2z0OWVXiFYmj9x0f2T7zUY/jsY8scVds1Za/8
3Ra2VQvm3ZN9Uf/90EUWTOO841cp4/Ycy3N9XH+tZGnMWkzW0fOFZXZNYBuGUmwFSUjUGAQAGl0e
W9wE3mNNWVIO2HflWEpOSQfmZA+O12VG5I3A5aAJ5edE5u983DfuSehc0kBOzYfF31KUYwuV2whO
Q3LOiKdt3WpGXw8G3Xhd4XYGYWHm2q79Y1P9WzD10eac4SpVYoimP/8i5uF8ZhUlrmiMzmiN3mjO
jWiP5j0s/WiRHmmSRpNWK+kUdAyDWQCY4Wh8cQyXjulrKQiZxmg0qGmczmnbQWme7untUxXp02mh
nmifXhhnsL+hTmpiKer+VGqnfmqoBhim1s+ormoynpEzmOr3s2qu7mqvthatDmuxdr2vLmuzPmu0
TuukLQe1jpqxFsG2jmuMeGu6ruvZImq7hhxdyesJbKEP+ACO+GvBBmyFGOy/borDLmzCtofDNuzG
XmzGBmzHhmzFduyNMGzEhuzExmzFDmzJ5myPsOyOSOzKFuzQ1mzQ/gjQNu3OHm3SjuzFXm3SfuzB
Pm3Pvm3Pjm3dZu3/yL7tyYbt3Ibt2bZs0SaL1+bsyf5s3E7svb6O49bt1u5t247ux1Ztwt5syjZu
yh7uzG5t7pbuzv5u177s7UZt8h7v845u9JZu3n7tyg5u8MZu6BZv9Wbv7G7v64Zu8O5t9wZu8lZu
+57u/c5t/d7v517u7A6V2lbv6k5vBMfuAf/vAjeLA8dt9G7w8z5w+nbw56bv4Rbv/h5w2s7v05Zv
AM9w1sbw+ObtAHdtCHdvFVfx0p5xCI/wDV9vHK9w705wO3GbBTfwE7fx/H5xHv/xELduC69vCa/v
GD/xEPdw/LZwI59wBw/vFL/vK5fxEbdyKWdx4bZuIr9wEhdyE2/x//6+8SRPch1v8W4xc/NecxRv
8N+u8jlH8iqPcA4vbyAX7iMvbjdH8B3/cRznb+U+88+ubhgvdEUHdBEv8kVP9B0vbdPe8hE38UlP
bTtfcjWfc+bOldKocQ037xIf8jEf9TvX7jQ/8hUf71DHcy5n9AoH9SAfdDn3ckJHdD0v81gvdSUP
9Fn/cCq/9UV/dd/m8TSnc1GPdD8ZG9Fu9VP/cmjv8yhHCzhX9Q1v8haf7g6/8gfndleH9DIXc2J/
9dredUH/dlJvdE0X8kjnbkPv9WNn8GSP8G5x9myX9nB/8jFXdVoP9k3Pc2XH8++29xondmlP7w/X
9n3X74Qf+Hk/+P/3XvV/F3dCR3EB53cQf3hR73RcIY1Qn/Jzz/HdLvc39/NB53MKL28vn/Jjt3dh
h/I9B/OMx/KLZ/n3Lu41h3j/RnmRx+x3b3binncJt3SRZ/RBwVm+Fp3mTnqmb3qnf/pDkWupn3qq
12eoL4us3uqq33qu52gC+M+rZ8Cun/qwL3s0EQCzF5axJ3t7gIHrsIZPmYS0n/tLIYQbqQe6z3u9
33u+r78T2oe1b5fmS4K+H+fAj+vli4HCX3z5e0AHOPyO1z4HYPzmm/xgKQAThMDHh/xaeT/Lp3zl
+3zQH33SL33Tz1nOT/2QeQDVx5nTnyDOe/3iw2tOQhTQQ73cQjj/PWGNNFG62te0bsOP3C+L77s0
L6olVtuoy2o24do4+XgN3UKy0UP+0JL+GfF94V+i8Ij+4oA26D/+4I/9VWN+YMsw4Q878yf/olO2
LuIv619+9Y//6S//9m+4JJohbmMLLIqMeWOrFwMIewIBEBxoD4BBgQoRHiTI0OHAggcnQpTY8GFB
jBoZLkyI8GNGiBRFLgwpUaPCiCgtivyY8qJKlShhjmRp8WXLkxQ9xtx5keNEmjQf1uToECjMnDOV
Niy5sSdJnDxBUiV6FKdJoxL/ce3q9SvYsGL/AXVZNiVSs1M7snwZ1GjQuCB5xjUI927HvFblsuWb
l69Lt3jfSg2c//CwYcNofTJ2i5gtUcKLdR5mnNjnZbh/6/Z9HDlzZ86C12reWdqvZXtjwzpuPbpv
W70VJVdV7Dhyart6Pc7W7buuWrWeUaM2i/Rn4M+zz/4F7VT4SNfFAWPuTdx59N+XS26+qrW3Ve+h
b44OPn37Y7tXpbNvv3i8YtCfOR+XSn04Xez6J5s+f725XMztllp87xEIIHrkAahdf4P956Bw+2Hl
X2W00RdaRK2Zl2Bu6TXmXkqriajZWSXCttZvouHGIYkMQkicXyz+h19lg+2lm4D3dQhdjgY6GON4
3emY3IEVMngkZi5iaOSCMp5W2mUiSjklWSRR5dRby+VHWYXWxf/H5Xw/ZbjUZkA2hddpZ8KmYEtb
ZkTfSWBmKGZmCnbHZXHWiSnbd4htt15PTe0ZZ5hk8ibUbQO+iWOZi2bJEJWRigUipZVaeimmmWq6
KaedevopqJzWFyqppV4qqampqroqq626+iqs7kUVK6212norrrnquiuvvfr6K7DBCjssscUaeyyy
EyZ726ijLmupnbE6i2y00z7rnqRffWote/UB6lqa7SkVrYaviQburNDCqCm3zaJlU5+ZppWuudxi
JeC3idp3rob0Uoqea9mudu2+ZXYrb6OVHhduuaDaq+7BgkE5JMIGS/dwvXOua+CC4oaKcagCd1VR
vEO1CWi+TBn/bKVJj8oEro9sEvpuVVhyHKiXDS7K8rx9zqqyjwnfPO5zNwtFcnKEOjtxlzNjiTJ5
C8NLnXFJ9yky1mPNl6Z8QSLI7IrABclwWubq2DHAQ2F4141Fwtzj2UH7+e7bXtv844tkxxz1khTC
GTa+gu4HVNaFf7X1euIximTchSlOY9oXFv31vmz7W5vYSqpHMtgFVs5vWT8XTKfdjuuZ98qf19j3
xEe563rmbmNukeG1k4Ui5f0x/mN5BaPeZcarp+ihbYmWnTt2dOeuYt9MHi+k5qBLDjmMC3fceOse
P08x7xnazhW7uA9O8fK9p/h77NDHXnz2TLrNfemBw929kYCr/y+h+Y2hD/d05fv9+trGFr+QYa1Q
8Ooab6KGp5fhLE4uu07i7tUz5/1JgVODSs7UZDKpOc2CFNQKzWxGswreBGrx2pmcnrOUdLVJYjGy
YMmIRiKr9eR7/zAWyAimwx3ysIe3yhqr/OXDIRKxiEZUjQ2xdsQlMrGJTsxUEm/4xClSsYpW/KES
FUYscqUqhzAzmvug5a4r4op/t/JiR6L4KjR2ql0Na+D2JFi8flWrMGarmNws9rEj2suMtvKWrHbI
RlF5zIXU09gbH6Y3MPJLi6qD1SCF1UdG/lFfESOgyNSWwD1t8DszCWFMfua0PB5vjnsrGfUiuBKe
DQ9oSWlhVP9oyMmTIcqAqNxgKJ+CwQuqjGehS+HdRLe5G8GygwdEog3Dh6LA8Sd6AEzd8NDGHcl8
kXypPJH8IPM56w3HW/ZzEW4UZUez2ciZjUMSwF5kvPsB5pt2i1ynsgY7D73QUXUSpaOYF80aiW6e
iYRMLFt4oLl45nH+yx6bVAi/+unOO9zET9tmp82ieTKdu+GgRZ2puMfBDi5qxGMeF/q+oM2veefa
nrXad0fUgZB3D2Uf8piJvHVtqDk5KudIoYQ/erboeRmV3Tg7RM9PyfOiwgOqOmmkzw9B80kWU2mP
WNrMkWJveTIdn/MGlL5sEmZ/U5XRUcOVVJGi6Z18iSIQBbr/Ej6R8JOTy8m9PjjNQA2VeHRVEdL2
olaogI2CVONbMHmpPLQhTWKGCo9gN/fWT36rsZ2rXs5+mUCMwBEhHy1WJMlIxMxKK1ic1WythAha
K352jZ4drWOAiNrVspZYaH0tbKXU2tnStrZMVG0Y70gwLhayVWMMqhgv5cXSyuq3uYotcpNbO65V
E2IXI+QlQcYwUxnXpJdU10On+k9lhrSR20qtcsP7Wu5ijI1u3NR5havHUlV3n7117ugomVtHdte3
tg1iVhbXWFaaxp4htCUDMxjKesbVhOnppS8lyFcyubWXf6OhlmrWTlnmC5dPK6aJOnm3mty3i18D
ZvUEd70W/yF1xAIM64mZas6Z2oaggCzoNtcXUbLOiKkIZdY11TPfDqP3wyae7INiXDX/ZrhJjyoh
iyf6srFKlXSItOtLs/M/Gjs1mgh9KUetyePWFLWbPwbqksra4gD61De/9eqYUszVBoX5qktNDFhL
vDvWxbS7aH6JePOcRPKeiKdqji8z0cdQu6J4xeas8kCrKs0oF9mrd1b02dz8aOJumcjACegxQ/fU
sPH1UIOGoNQIvORMs1XBanvKLSV70uXYZMKeTLMm/+ZXNAF2lydUHqV95QBQ4bbHmMq1JbcsbPVu
Ss/Grl2uzGvfYTObvs0+IhWeLe1p3/bY1r42trOt7W1zu//b2KY2uMMt7nGTu9zmbo+3063udbO7
3e5+N7zjLe9507ve9u72ufOt733zu9/+/jfAAy7wgRO84AY/OMITrvCFM7zhDrfHEx4u8YlTvOIW
v7inioHxjXO84x7/OMhDLvKRk7zkv6LGFO+t8pWzvOUu57bJY97wl9O85ja/Oc6nJPOPg2PnPv95
uHMu9KETvehGPzrSk670pbMG6E4HONOjLnQmSL3qVr861rOu9a1zvete/zrYwy72sWvr6WbnN9nT
rva1s73tbn+7cs8u91BpYrRwvzve2z73vfO9737vVd4DL/jBE77wNgyB4b/998UPO/GOf/xYKgH5
yVO+8lSTYjzmM6/5zVPK8p7/POhDL3q3c770qB296HmBesWbPlkraH2xVy/72ccd9ra/Pe5zr/vd
8773vv+932kv/OHvGfi8koPxk6/8+0Z7+U6kB6y64fzpU7/DX6g+9rMvceJzv/uZZC2wtS/+EY6/
/B/jrfnTDyLRtv4S6ock+98v/37Nv/72x7z386//gd1f4ByQdkAAADs=
------=_NextPart_000_0007_01C70518.8677F170--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAAEcE2Q075965; Fri, 10 Nov 2006 07:38:14 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAAEcEgM075964; Fri, 10 Nov 2006 07:38:14 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAAEcCD4075956 for <ietf-pkix@imc.org>; Fri, 10 Nov 2006 07:38:13 -0700 (MST) (envelope-from Peter.Sylvester@edelweb.fr)
Received: from [193.51.14.5] (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id kAAEbb506298; Fri, 10 Nov 2006 15:37:37 +0100 (MET)
Received: from [193.51.14.5] (emeriau.edelweb.fr [193.51.14.5]) by edelweb.fr (nospam/2.4); Fri, 10 Nov 2006 15:37:54 +0100 (MET)
Message-ID: <45548E3B.8040302@edelweb.fr>
Date: Fri, 10 Nov 2006 15:35:39 +0100
From: Peter Sylvester <Peter.Sylvester@edelweb.fr>
User-Agent: Thunderbird 1.5 (X11/20051025)
MIME-Version: 1.0
To: "David A. Cooper" <david.cooper@nist.gov>
CC: =?GB2312?B?1dQgw/Q=?= <qzzm@hotmail.com>, pkix <ietf-pkix@imc.org>
Subject: Re: The definition of OtherName in 3280bis differs with X.509?
References: <45522978.4060302@nist.gov>
In-Reply-To: <45522978.4060302@nist.gov>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms010606030705020904000506"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a cryptographically signed message in MIME format.
--------------ms010606030705020904000506
Content-Type: text/plain; charset=GB2312
Content-Transfer-Encoding: 8bit
X509 does not define a type OtherName.
it uses : otherName [0] INSTANCE OF OTHER-NAME,
This gives indeed the same encoding as in the PKIX texts.
In order to be closer to X509, one could have used
otherName [0] SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
If someone uses OtherName in another contexts (without tags) this
cannot be in conflict with X.509, since OtherName does not exist.
David A. Cooper wrote:
> I do not understand ASN.1 well enough to answer the question below,
> but someone else on the PKIX mail list may be able to respond.
>
> I can say, however, that the ASN.1 for OtherName in 3280bis is the
> same as the ASN.1 for OtherName in RFC 2459 (January 1999) and RFC
> 3280 (April 2002), so if it in an error it is a very old error.
>
> Dave
>
>
> -------- Original Message --------
> Subject: The difinition of OtherName in 3280bis differs with X.509?
> Date: Wed, 08 Nov 2006 14:23:38 +0800
> From: ÕÔ Ãô <qzzm@hotmail.com> <mailto:qzzm@hotmail.com>
> To: david.cooper@nist.gov <mailto:david.cooper@nist.gov>
>
>
>
> Hello David:
> In rfc3280bis,Setion 4.2.1.6:
> OtherName ::= SEQUENCE {
> type-id OBJECT IDENTIFIER,
> value [0] EXPLICIT ANY DEFINED BY type-id }
> Setion A.2
> -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
> -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
>
> AnotherName ::= SEQUENCE {
> type-id OBJECT IDENTIFIER,
> value [0] EXPLICIT ANY DEFINED BY type-id }
>
> But in X.509(2005),Setion 4.2.1.6:
> GeneralName ::= CHOICE {
> otherName [0] INSTANCE OF OTHER-NAME,
> rfc822Name [1] IA5String,
> dNSName [2] IA5String,
> x400Address [3] ORAddress,
> directoryName [4] Name,
> ediPartyName [5] EDIPartyName,
> uniformResourceIdentifier [6] IA5String,
> iPAddress [7] OCTET STRING,
> registeredID [8] OBJECT IDENTIFIER }
> OTHER-NAME ::= TYPE-IDENTIFIER
> In X.681(2002),Annex A:
> A.2 The TYPE-IDENTIFIER information object class is defined as:
> TYPE-IDENTIFIER ::= CLASS
> {
> &id OBJECT IDENTIFIER UNIQUE,
> &Type
> }
> WITH SYNTAX {&Type IDENTIFIED BY &id}
> X.681(2002),Annex C The instance-of type:
> C.7 The associated sequence type shall be:
> SEQUENCE
> {
> type-id <DefinedObjectClass>.&id,
> value [0] <DefinedObjectClass>.&Type
> }
> where "<DefinedObjectClass>" is replaced by the particular
> "DefinedObjectClass" used in the "InstanceOfType" notation.
>
> So,INSTANCE OF OTHER-NAME associated sequence type shall be:
> OtherName ::= SEQUENCE {
> type-id OBJECT IDENTIFIER,
> value [0] EXPLICIT ANY DEFINED BY type-id }
> But,this is associated sequence type,not the encoding rules.The definition
> of BER/DER is in X690.
> In X690(2002),Setion 8.16 Encoding of an instance-of value
> 8.16.1 The encoding of the instance-of type shall be the BER encoding of
> the following
> sequence type with the value as specified in 8.16.2:
> [UNIVERSAL 8] IMPLICIT SEQUENCE
> {
> type-id <DefinedObjectClass>.&id,
> value [0] EXPLICIT <DefinedObjectClass>.&Type
> }
> where "<DefinedObjectClass>" is replaced by the particular
> "DefinedObjectClass" used in the
> "InstanceOfType" notation.
> So,I think the definition of OtherName in the '88 ASN.1 syntax should
> be:
> OtherName ::= [UNIVERSAL 8] IMPLICIT SEQUENCE {
> type-id OBJECT IDENTIFIER,
> value [0] EXPLICIT ANY DEFINED BY type-id }
>
> Because the tag of otherName is IMPLICIT,the encode value of GeneralName
> in rfc3280bis is identical of X.509.
>
>
> zhaomin
>
>
--
To verify the signature, see http://edelpki.edelweb.fr/
Cela vous permet de charger le certificat de l'autorit¨¦;
die Liste mit zur¨¹ckgerufenen Zertifikaten finden Sie da auch.
--------------ms010606030705020904000506
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOpDCC
BHIwggLfoAMCAQICBgoMz+gAPzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJGUjEQMA4G
A1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVs
UEtJIEVkZWxXZWIgUGVyc0dFTjAeFw0wNTAxMDYxMjI3MTlaFw0wNzAzMTcxMjI3MTlaMHAx
CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQLDA9TZXJ2aWNlIEVkZWxQ
S0kxNTAzBgNVBAMMLFBldGVyIFNZTFZFU1RFUiA8UGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIu
ZnI+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn/izyem7Z1pUP/gpQDSzeGA/ZP4vo
VaCxcPWyssTYTAl6csAql2IIcYNVb6funaMNOY1q5oSNtlguFpOK3atQElBIMsfSh0CTuvUq
q2QDz1nHWOB96aU8G81+ZmC+iQOCAdG3qKWvMOzC0SzxKGbhTqDsjBvfYYk1Jk/Rb5TK0wID
AQABo4IBLjCCASowYgYDVR0RBFswWYEaUGV0ZXIuU3lsdmVzdGVyQGVkZWx3ZWIuZnKkOzA5
MQswCQYDVQQGEwJGUjEQMA4GA1UECgwHRWRlbFdlYjEYMBYGA1UEAwwPUGV0ZXIgU1lMVkVT
VEVSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwSgYD
VR0fBEMwQTA/oD2gO4Y5aHR0cDovL2VkZWxwa2kuZWRlbHdlYi5mci9jcmwvRWRlbFBLSS1F
ZGVsV2ViLVBlcnNHRU4uY3JsMB0GA1UdDgQWBBSSHP6djxj58tIi5VvjJbMZMXC/fDAfBgNV
HSMEGDAWgBSe5Q/BFJVJHN1aXV6crs0Bby+UeTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUA
A4IBfAANZYiEkyDqsT43U83wHLSYMGcEfmisT+WQrAAoHdlcIsnlHnufGnfmdpg5yvCQpl2U
TI7/w3LdaItoWq5oMZitqdoPW8Z+jy2pkd/DqYG1MkpEyZ0PA37Zn5yigQXAk4Nox7Lgiom8
1WDNgPesNRX7PRNa+RkQcD8MasfbHcZ2ycs1SxUxiCy6BUzhgSB8cNb2t9LVWWynvWuK1Wa5
V2ZCd3PlbKsrbWH8pafpFWUQm0S2BfKUWLDG9cje5bL7p5EpV4a8gFpbD5dq+PPJglT0Dvs9
F0EcrfL2l3JxGIkZmW7sfiUoefB9hTS9m3/TGvXcne4RYpVpEHFV5TathMuHfKAti6PhSely
LCqdPq/T9DHLJekBY0EA2yiVcKQnRZk7/pz0HImCPADOHSOWffJtc9b+Ak6HSDD1PlOSDfT+
udnrqwSAiuNN3hx1olPNxzVDu3jgiTSJFf2XJ1TnmGMT4pJmx7vkJkdE9sZvpiZwdVws37Nr
LqhH5fMZMIIEcjCCAt+gAwIBAgIGCgzP6AA/MA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNVBAYT
AkZSMRAwDgYDVQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNV
BAMTF0VkZWxQS0kgRWRlbFdlYiBQZXJzR0VOMB4XDTA1MDEwNjEyMjcxOVoXDTA3MDMxNzEy
MjcxOVowcDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0VkZWxXZWIxGDAWBgNVBAsMD1NlcnZp
Y2UgRWRlbFBLSTE1MDMGA1UEAwwsUGV0ZXIgU1lMVkVTVEVSIDxQZXRlci5TeWx2ZXN0ZXJA
ZWRlbHdlYi5mcj4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOf+LPJ6btnWlQ/+ClAN
LN4YD9k/i+hVoLFw9bKyxNhMCXpywCqXYghxg1Vvp+6dow05jWrmhI22WC4Wk4rdq1ASUEgy
x9KHQJO69SqrZAPPWcdY4H3ppTwbzX5mYL6JA4IB0beopa8w7MLRLPEoZuFOoOyMG99hiTUm
T9FvlMrTAgMBAAGjggEuMIIBKjBiBgNVHREEWzBZgRpQZXRlci5TeWx2ZXN0ZXJAZWRlbHdl
Yi5mcqQ7MDkxCzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFZGVsV2ViMRgwFgYDVQQDDA9QZXRl
ciBTWUxWRVNURVIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEF
BQcDAjBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vZWRlbHBraS5lZGVsd2ViLmZyL2NybC9F
ZGVsUEtJLUVkZWxXZWItUGVyc0dFTi5jcmwwHQYDVR0OBBYEFJIc/p2PGPny0iLlW+Mlsxkx
cL98MB8GA1UdIwQYMBaAFJ7lD8EUlUkc3VpdXpyuzQFvL5R5MAkGA1UdEwQCMAAwDQYJKoZI
hvcNAQEFBQADggF8AA1liISTIOqxPjdTzfActJgwZwR+aKxP5ZCsACgd2VwiyeUee58ad+Z2
mDnK8JCmXZRMjv/Dct1oi2harmgxmK2p2g9bxn6PLamR38OpgbUySkTJnQ8DftmfnKKBBcCT
g2jHsuCKibzVYM2A96w1Ffs9E1r5GRBwPwxqx9sdxnbJyzVLFTGILLoFTOGBIHxw1va30tVZ
bKe9a4rVZrlXZkJ3c+VsqyttYfylp+kVZRCbRLYF8pRYsMb1yN7lsvunkSlXhryAWlsPl2r4
88mCVPQO+z0XQRyt8vaXcnEYiRmZbux+JSh58H2FNL2bf9Ma9dyd7hFilWkQcVXlNq2Ey4d8
oC2Lo+FJ6XIsKp0+r9P0Mcsl6QFjQQDbKJVwpCdFmTv+nPQciYI8AM4dI5Z98m1z1v4CTodI
MPU+U5IN9P652eurBICK403eHHWiU83HNUO7eOCJNIkV/ZcnVOeYYxPikmbHu+QmR0T2xm+m
JnB1XCzfs2suqEfl8xkwggW0MIIDT6ADAgECAgYJ+oiVOzEwDQYJKoZIhvcNAQEFBQAwUjEL
MAkGA1UEBhMCRlIxEDAOBgNVBAoTB0VkZWxXZWIxGDAWBgNVBAsTD1NlcnZpY2UgRWRlbFBL
STEXMBUGA1UEAxMOUmFjaW5lIEVkZWxQS0kwHhcNMDQxMDA3MTU0MzMwWhcNMTEwODEyMTU0
MzMwWjBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEYMBYGA1UECxMPU2Vydmlj
ZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVyc0dFTjCCAZwwDQYJKoZI
hvcNAQEBBQADggGJADCCAYQCggF7FyeP4kRrFG9y51CeWmJIxBSMD2bcrJKIlnAPn6eH8V1M
ORWTPivMNQYq32XcEi9xrxjyREvvnhABrVcW+1VLyLH8WgRY6n5A5JfuDjU6Aq0RzmjqTWDe
1+ecbgAtN8FYjVk35vdQbgfYzpGHPT0NuxiHi8NB8lNFi8rG0t2hP7WLwHLA+sIKFzA/CCRt
qeGPvQkB1pRamU2IAActykfzJb6Qc50uRobWUBJtVjEBy/lgIXU0rMnQNHeCgbUvebvAT9Hd
UGIPbEiX7dKHxL5/AxzHK/rA5siMzNPk8nSckDeLvpf8c/gqQRpPqufy4DazzXfZosKeJATH
pyONnairmwfzMTi63PvNovrbTgzUiyH+g5zvcNoci9cke0RiLQc1pI38psgnVLtPPITgOZrS
cV9zs4+sD7x7vjRco7a9H2ErfAU+8/Ui2OkR1X0z8DpyBHD/fcaDXTD+EiISL7aJHQcJRoNB
CdCFgZeomsXULIYoFTa1hH//TN0z9wIDAQABo4G/MIG8MDoGA1UdHwQzMDEwL6AtoCuGKWh0
dHA6Ly9lZGVscGtpLmVkZWx3ZWIuZnIvY3JsL0VkZWxQS0kuY3JsMA8GA1UdEwQIMAYBAf8C
AQAwDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNV
HQ4EFgQUnuUPwRSVSRzdWl1enK7NAW8vlHkwHwYDVR0jBBgwFoAUqNkrj9SwZ7q9SVy8M/x3
UhG5Z50wDQYJKoZIhvcNAQEFBQADggJOAFZV+1m/H+Qud9iUQJnvZR8R/adID02c2B3aOUUy
4/4dxBb4UU1kW8DTUpD57Pjuocfvdg4AfQi7zgSQ8/NUGxNU4CPxtADZVrZtmrpKCjBh1tNz
QbNbdP91KtP+Di0BpidqNwG00CC9j2EnBY88AsqKE28Rmw4eQ9/M/q/GbXsAfEsHV0IQjM7u
US+usowZwm3Mwa5oF+6gmShSc/Wz8iIURxg4lTQto3AoBsiLJelq83I4XRQ0goXYGcM8xXYj
PDioidvY5pSfT4qBR1Bx/vh+xD2evWyFbpuB99iuuewoELX8db7P74QEHhw6Bv1yxLYXGamq
Uxo60WT/UCFjVSy3C/dLrraUZA4gh7Q5G+3/Fal62Qx+1rUEC2YbogEKggonklzUXA+sUbCf
Ad5nZQ0eSszwKt8jmYoHfQ6rUMde0ZJD08n5HAot9hpl9R65j9fdPz9uTeANcRocftHfgM7Y
rQyruWuFxgMUV80fD4RC9ej5KbLyO8jtgESjOCGXeJ95kXXP8vmW73xCYkJ9Pg7Op30o43l6
PV7vej3gdmSQISY+s+J3arz+bccljJCrKHBad3918/LjJ55sRtSb7mfQGti2UcxtJAa2NmUL
d+BIv0MUuC6+k2yIIQKcLbDuuk8lLJmwWuYt1OLHEskZxOm7D7nRwe7ZNlTIZvR/VFWxlY18
k488tH9qcusIw8+7uXeHOZHyFUOHMINJZO9mq9HwGMC4v1xiPwoAJkzFtHf3D9VAholjhEFg
d28aJSs6qN15PXDgDjptAl34eoUxggKuMIICqgIBATBlMFsxCzAJBgNVBAYTAkZSMRAwDgYD
VQQKEwdFZGVsV2ViMRgwFgYDVQQLEw9TZXJ2aWNlIEVkZWxQS0kxIDAeBgNVBAMTF0VkZWxQ
S0kgRWRlbFdlYiBQZXJzR0VOAgYKDM/oAD8wCQYFKw4DAhoFAKCCAZ8wGAYJKoZIhvcNAQkD
MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDYxMTEwMTQzNTM5WjAjBgkqhkiG9w0B
CQQxFgQUynvYWrIBIsdp1+H4hfCJlFHyjhEwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0D
BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwIC
ASgwdAYJKwYBBAGCNxAEMWcwZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UEChMHRWRlbFdlYjEY
MBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJIEVkZWxXZWIgUGVy
c0dFTgIGCgzP6AA/MHYGCyqGSIb3DQEJEAILMWegZTBbMQswCQYDVQQGEwJGUjEQMA4GA1UE
ChMHRWRlbFdlYjEYMBYGA1UECxMPU2VydmljZSBFZGVsUEtJMSAwHgYDVQQDExdFZGVsUEtJ
IEVkZWxXZWIgUGVyc0dFTgIGCgzP6AA/MA0GCSqGSIb3DQEBAQUABIGAZWV1npdzIEn00dmK
ujo++Seu532QWGjJK5XtDrJfST5hHIa4PEy0F7W4IsLLhVnI983m0PTvrA63ntGLzvKUOL1C
xu0h2EdNnfF/er8fvnEzmWp2MzJSt+pbHYXmfyNtuts8q+fMT1hvvpJDEj8yskIBM06I5dlz
WAwau5DCUL8AAAAAAAA=
--------------ms010606030705020904000506--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAA3LwQr009313; Thu, 9 Nov 2006 20:21:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAA3LwCH009312; Thu, 9 Nov 2006 20:21:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (dhcp68-116.ietf67.org [130.129.68.116]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAA3Lvxd009305 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 20:21:57 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 4AFFAE0035; Thu, 9 Nov 2006 22:21:47 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: "Dave Engberg" <dengberg@corestreet.com>
Cc: "Michael Myers" <mmyers@fastq.com>, <ietf-pkix@imc.org>
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
References: <E2339D02A340A546998AD2E6251332D603EA04C5@csexchange1.corestreet.com>
Date: Thu, 09 Nov 2006 22:21:47 -0500
In-Reply-To: <E2339D02A340A546998AD2E6251332D603EA04C5@csexchange1.corestreet.com> (Dave Engberg's message of "Thu, 9 Nov 2006 22:04:24 -0500")
Message-ID: <tslslgsrnp0.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> "Dave" == Dave Engberg <dengberg@corestreet.com> writes:
Dave> I agree with Mike, and disagree with Sam's original
Dave> assertion.
Dave> A keyless responder with pre-signed responses can be fully
Dave> compliant with the mandatory requirements of RFC 2560. This
Dave> is reflected in both the "letter of the law" and in every
Dave> OCSP relying party app/plug-in I've tested (which can all
Dave> work with keyless caching responders).
Then please clarify 2560. Reasonable people including me and other
participants in this WG are confused by it.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAA35UhG005846; Thu, 9 Nov 2006 20:05:31 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAA35UcC005845; Thu, 9 Nov 2006 20:05:30 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from csexchange1.corestreet.com (host200.58.41.216.conversent.net [216.41.58.200]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAA35THo005808 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 20:05:29 -0700 (MST) (envelope-from dengberg@corestreet.com)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Thu, 9 Nov 2006 22:04:24 -0500
Content-Type: multipart/signed; micalg=SHA1; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_00E6_01C7044B.03F90C20"
Message-ID: <E2339D02A340A546998AD2E6251332D603EA04C5@csexchange1.corestreet.com>
In-Reply-To: <CCEJKFKLBCNMONJMIEAMOEBLCEAA.mmyers@fastq.com>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Thread-Index: AccETgvkp8SH4XVNQd26cVfIep+qRAAIOb2A
From: "Dave Engberg" <dengberg@corestreet.com>
To: "Michael Myers" <mmyers@fastq.com>, "Sam Hartman" <hartmans-ietf@mit.edu>
Cc: <ietf-pkix@imc.org>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_00E6_01C7044B.03F90C20
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
I agree with Mike, and disagree with Sam's original assertion.
A keyless responder with pre-signed responses can be fully compliant with
the mandatory requirements of RFC 2560. This is reflected in both the
"letter of the law" and in every OCSP relying party app/plug-in I've tested
(which can all work with keyless caching responders).
This approach isn't for everyone, but many issuers prefer to trade off the
hypothetical "replay" risk for the security & scalability advantages of
offline keys. Drastically lower risk of key compromise, DoS, etc.
I don't believe that a profile of OCSP (like the Lightweight OCSP profile)
that implicitly encourages this type of deployment can be in conflict with
RFC 2560.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On
Behalf Of Michael Myers
Sent: Thursday, November 09, 2006 4:37 PM
To: Sam Hartman
Cc: ietf-pkix@imc.org
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Sam,
For definition (since there has never really been one to date), there are
two forms of OCSP relay. The first is a cache of previously signed yet
still reliable responses. I believe this to be the target of the subject
I-D. The second form is a re-signing of OCSP responses under a key trusted
by the ultimate requestor. Neither of these derivative aspects of OCSP are
discussed in any depth in 2560. It is my preference that 2560 remain as is,
to define the protocol and its various options. Other I-Ds may then map
that protocol and those options onto specific instances of need.
Mike
-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf@mit.edu]
Sent: Thursday, November 09, 2006 1:10 PM
To: Michael Myers
Cc: ietf-pkix@imc.org
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>>>>> "Michael" == Michael Myers <mmyers@fastq.com> writes:
Michael> Perhaps the subject I-D should clarify the role of a
Michael> relay.
I do not understand this sentence.
------=_NextPart_000_00E6_01C7044B.03F90C20
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII1zCCAoIw
ggHroAMCAQICAQQwDQYJKoZIhvcNAQEEBQAwUzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlm
YXggU2VjdXJlIEluYy4xJjAkBgNVBAMTHUVxdWlmYXggU2VjdXJlIGVCdXNpbmVzcyBDQS0xMB4X
DTk5MDYyMTA0MDAwMFoXDTIwMDYyMTA0MDAwMFowUzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Vx
dWlmYXggU2VjdXJlIEluYy4xJjAkBgNVBAMTHUVxdWlmYXggU2VjdXJlIGVCdXNpbmVzcyBDQS0x
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOLxm8F7d33pOpX1oNF080GgyY9CLZWdTEaEbw
tDXFhQMgxq9FpSFRRUHrFlg2Mm/iUGJk+f1RnKok2fSdgyqHCiHTEjg0bI0Ablqg2ULuGiGV+VJM
VVrFDzhPRvpt+C411h186+LwsHWAyKkTrL6I7zpuq18qOGICsBJ7/o+mAwIDAQABo2YwZDARBglg
hkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRKeDJSEdtZFjZe38EU
NkBqR3xMoTAdBgNVHQ4EFgQUSngyUhHbWRY2Xt/BFDZAakd8TKEwDQYJKoZIhvcNAQEEBQADgYEA
dVuomwMR5ulWTM35qUzADZrzzGVp5iV2zFm31lTDHc2ZrBndtIXV4D38YiCnhEtYZfHi+ZUhP/XU
flgeR4dUPlihtbX4Ku9x57zD9rFJRuLXoGvlVnqaJ5h8RmIU58n8bgMSeYA4HUiCjfwX/iqWK7Vi
pqY9vX+SWc1aKoKyN3kwggK8MIICJaADAgECAgIA2DANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQG
EwJVUzEcMBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEmMCQGA1UEAxMdRXF1aWZheCBTZWN1
cmUgZUJ1c2luZXNzIENBLTEwHhcNMDQwNjAyMTk1NzQyWhcNMjAwNjIxMDQwMDAwWjBSMQswCQYD
VQQGEwJVUzEYMBYGA1UEChMPQ29yZVN0cmVldCBMdGQuMSkwJwYDVQQDEyBDb3JlU3RyZWV0IENl
cnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr0HhHsWZ2xkS
6BbojMXvdGPoRJLcAs2nUBSZ6XnJvnHxBwVvRUkqrCSBwKBurhjqGqe3oOxh6tC6wUuGhwLdhyWT
BSYO469PJUx02lyiohqUZ8u0yshCL35/lA+MkZubcmFxHsLlTPCkS/+A7PZwzIjKrLAUT0VmwNTL
TYEg1F8CAwEAAaOBnzCBnDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNjsf5MYxWYDwxBsPAT2
d4U+/wu2MB8GA1UdIwQYMBaAFEp4MlIR21kWNl7fwRQ2QGpHfEyhMA8GA1UdEwEB/wQFMAMBAf8w
OQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9lYml6Y2ExLmNy
bDANBgkqhkiG9w0BAQUFAAOBgQDCHD9PBDwPPDktSLC/jRpe9Crdpj8Cj7GB1od44j1D+5IJji+w
rhuJ3tlR3p5MlzXGUEj8eFBtZymYBiWdLvIVqwMz2nYWBeFWXou6T+n4akcF708jM3MhFXP82ove
f/xJzw9IzlVmI9DjDrkL2wXXw/IR5XTP2iQYPcbxento6zCCA40wggL2oAMCAQICAgCfMA0GCSqG
SIb3DQEBBQUAMFIxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Db3JlU3RyZWV0IEx0ZC4xKTAnBgNV
BAMTIENvcmVTdHJlZXQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTA2MDYyNjEzMjUwNVoXDTA3
MDgxMjEzMjUwNVowZzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NvcmVTdHJlZXQgTHRkLjEWMBQG
A1UEAxMNRGF2aWQgRW5nYmVyZzEmMCQGCSqGSIb3DQEJARYXZGVuZ2JlcmdAY29yZXN0cmVldC5j
b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9g2Z9TBa7wYqlyhCoriYfugKX5mwz
j1wVuDKEZ7ZsgoC0zT2Pm43BMkWwOL8GDXYMqbAt/1YelpCYMv8stgRDLj6N3DDyCNk4ihZONITf
o7F+RxnaH782KvJ5YwrIXDKMXWb6oqThFVDM05QKgC994W6Zp555F7NFEvPA/4rqK/1Ba0k2p8A3
yZazUimG3tt7x0tz6K7Z043ezRSUBB8VwgNSr4tQyElyuACrU3IA90yYZRm1maDe6jWylqDOXU/P
A22IC/Ma1sJ42k17Nhl3i/37SLOsHSLcyJk7bKgJPSgSqI+OBzYaDX6YGdoV6O/wih9f9YrovAH8
zF2pOXcHAgMBAAGjgdgwgdUwDgYDVR0PAQH/BAQDAgXgMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6
Ly9jcmwuZ2VvdHJ1c3QuY29tL2NybHMvY29yZXN0cmVldC5jcmwwIgYDVR0RBBswGYEXZGVuZ2Jl
cmdAY29yZXN0cmVldC5jb20wHwYDVR0jBBgwFoAU2Ox/kxjFZgPDEGw8BPZ3hT7/C7YwQAYIKwYB
BQUHAQEENDAyMDAGCCsGAQUFBzABhiRodHRwOi8vZ2VvdHJ1c3Qtb2NzcC5jb3Jlc3RyZWV0LmNv
bS8wDQYJKoZIhvcNAQEFBQADgYEAqMfvLi9brJBbTKdWcwUJAWPHgex9/KhvW8nherc7imLZdFXH
jp0NTTtgDK+aO/EJV/97JIyStyhfIH5vrZpb+ToFXz4O0Yb78KTHFdHjzlWei/Guo+kuUXouP8ZC
Tqkr0mFlqeRGFbq7w2SJhwhXEcO1K5Y8g0jf+kXr1ejYw9ExggMdMIIDGQIBATBYMFIxCzAJBgNV
BAYTAlVTMRgwFgYDVQQKEw9Db3JlU3RyZWV0IEx0ZC4xKTAnBgNVBAMTIENvcmVTdHJlZXQgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5AgIAnzAJBgUrDgMCGgUAoIIBmjAYBgkqhkiG9w0BCQMxCwYJKoZI
hvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNjExMTAwMzA0MjNaMCMGCSqGSIb3DQEJBDEWBBSe1fQT
VyJwGObr8rnwuudd8c3QzTBnBgkqhkiG9w0BCQ8xWjBYMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMC
AgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDAHBgUrDgMCGjAKBggq
hkiG9w0CBTBnBgkrBgEEAYI3EAQxWjBYMFIxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Db3JlU3Ry
ZWV0IEx0ZC4xKTAnBgNVBAMTIENvcmVTdHJlZXQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgIAnzBp
BgsqhkiG9w0BCRACCzFaoFgwUjELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NvcmVTdHJlZXQgTHRk
LjEpMCcGA1UEAxMgQ29yZVN0cmVldCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCAgCfMA0GCSqGSIb3
DQEBAQUABIIBAAJhP3jY/N7B7SJrd2agdH+TdxyFewh0Blajhg1e9HIu1vaTRzAF9YvT4I8L+l0K
l758dJIU6NtsqGeue7CUiVqzP9yzXrsWCsANrYmAoE6YKjRD236vPmIBb8hLM0l/VSBaSTqxYseT
3fAr/ZZXClEL8MjvzdcOYWp4C/upzGP/SIdor0qktNy7tUNGxVikxPooEEKIz3Ss70lS4NsZxmLX
Aj17wh9PQGondrEtmQG0Es9vaZuIzkdjQktcbCkuQfTiPlyd8rqR/sC+JqNzkHpGkMbhxoQPS+Qe
AbP2nW2bLFO9AsmY17UQ5oPCuKAFB42dwq2FY65oEA8zLjCYQ68AAAAAAAA=
------=_NextPart_000_00E6_01C7044B.03F90C20--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9NawZN055553; Thu, 9 Nov 2006 16:36:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9NawXn055552; Thu, 9 Nov 2006 16:36:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kA9NatgA055536 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 16:36:58 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 403 invoked by uid 0); 9 Nov 2006 23:36:47 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (130.129.70.2) by woodstock.binhost.com with SMTP; 9 Nov 2006 23:36:47 -0000
Message-Id: <7.0.0.16.2.20061109183554.04370e80@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Thu, 09 Nov 2006 18:36:32 -0500
To: "Stefan Santesson" <stefans@microsoft.com>, "Stephen Kent" <kent@bbn.com>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft meeting minutes
In-Reply-To: <BF9309599A71984CAC5BAC5ECA629944066034B6@EUR-MSG-11.europe .corp.microsoft.com>
References: <p06230911c178511f7c68@[12.105.247.171]> <7.0.0.16.2.20061109130031.041af388@vigilsec.com> <BF9309599A71984CAC5BAC5ECA629944066034B6@EUR-MSG-11.europe.corp.microsoft.com>
Mime-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
<html>
<body>
Thanks. If I do not hear from the authors soon, then I will presume
that the effort is dead.<br><br>
Russ<br><br>
<br>
At 04:12 PM 11/9/2006, Stefan Santesson wrote:<br>
<blockquote type=cite class=cite cite=""><a name="_MailEndCompose"></a>
This document does not specify any protocol.<br>
<br>
It specifies subjective design criteria for a UI that I seriously doubt
can be a base for a consensus process.<br>
If this document is progressed I suggest that it is handled as an
informational input progressed outside of the pkix wg.<br>
<br>
<br>
<b>Stefan Santesson<br>
</b>Senior Program Manager<br>
<b>Windows Security, Standards<br>
</b> <br>
<b>From:</b> owner-ietf-pkix@mail.imc.org
[<a href="mailto:owner-ietf-pkix@mail.imc.org" eudora="autourl">
mailto:owner-ietf-pkix@mail.imc.org</a>] <b>On Behalf Of </b>Russ
Housley<br>
<b>Sent:</b> den 9 november 2006 10:06<br>
<b>To:</b> Stephen Kent; ietf-pkix@imc.org<br>
<b>Subject:</b> Re: draft meeting minutes<br>
<br>
Dear PKIX WG:<br><br>
<br>
<b>Document Status Review -</b> Stefan Santesson (Microsoft)<br>
Two new RFCs issued: SIM and
Update to Directory String Processing in RFC 3280. Five documents in IESG
review: SCVP, Lightweight OCSP, and 3 CMC documents. Follow up is needed
for the first two, and a revised I-D is needed for CMC. (Russ Housley
requested WG direction re the UI draft. This individual submission
received AD comments requesting changes, but no revised document has been
delivered to the IESG.) <br><br>
This is draft-choi-pkix-ui-03.txt.<br>
It is not a PKIX WG document, but the authors have not responded to
messages from me. I am going to drop it if the authors do not
respond soon. If the PKIX WG thinks there is value in this
document, I'll send it to the WG instead of dropping it.<br><br>
Russ</blockquote></body>
</html>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9NU8tm053881; Thu, 9 Nov 2006 16:30:08 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9NU8Ju053880; Thu, 9 Nov 2006 16:30:08 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.212]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9NU6iC053824 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 16:30:08 -0700 (MST) (envelope-from ryan.hurst@microsoft.com)
Received: from mailout5.microsoft.com (157.54.69.148) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server id 8.0.685.15; Thu, 9 Nov 2006 15:30:00 -0800
Received: from IGT-HUB-02.redmond.corp.microsoft.com ([157.54.69.150]) by mailout5.microsoft.com with Microsoft SMTPSVC(6.0.3790.2786); Thu, 9 Nov 2006 15:30:00 -0800
Received: from tk5-exhub-c104.redmond.corp.microsoft.com ([157.54.70.185]) by IGT-HUB-02.redmond.corp.microsoft.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Thu, 9 Nov 2006 15:29:59 -0800
Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com (157.54.69.169) by tk5-exhub-c104.redmond.corp.microsoft.com (157.54.70.185) with Microsoft SMTP Server id 8.0.685.15; Thu, 9 Nov 2006 15:29:59 -0800
Received: from WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.25]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.2786); Thu, 9 Nov 2006 15:29:59 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: Comment on draft-santesson-pkix-vccrl-00.txt
Date: Thu, 9 Nov 2006 15:29:36 -0800
Message-ID: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800336F74E@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <FA998122A677CF4390C1E291BFCF598905D4FC40@EXCH.missi.ncsc.mil>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Comment on draft-santesson-pkix-vccrl-00.txt
Thread-Index: AccEHo/2CbbjQjigTb+bn0XMUnRhCgAEfyMgAAKTtNAABmyYcA==
References: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800336F494@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com> <FA998122A677CF4390C1E291BFCF598905D4FC40@EXCH.missi.ncsc.mil>
From: Ryan Hurst <Ryan.Hurst@microsoft.com>
To: "Kemp David P." <DPKemp@missi.ncsc.mil>, pkix <ietf-pkix@imc.org>
X-OriginalArrivalTime: 09 Nov 2006 23:29:59.0156 (UTC) FILETIME=[F8D20340:01C70456]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA9NU8iC053875
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
David - I agree regarding business practices, however I think the
guidance here is about interoperability not business practice.
Networking protocols (like EAP) already have problems with certificate
payload being so large that sessions fail or take a very long time to
establish (due to re-try's related to lack of fragmentation support
pre-IP) example environments include high latency environments (metro
WANs, etc.).
There are also environments where devices have constrained amounts of
storage (phones, etc.) where storing multiple copies of a object is
prohibitive.
On the other hand these same scenarios often can't work with indirect
CRLs without manual provisioning because they don't know how to do
discovery of the appropriate certificates and/or the resource at the end
of a AIA:IssuerCert in the CRL is not available or times out.
I guess what I am trying to say is that if this capability is to be
provided guidance of when the capability should be used (eg a well
worded applicability statement) should be included so that people don't
go out and include it everywhere.
I would have the same concern if we did the CMS wrapped CRL and
intermediate approach.
Ryan
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Kemp David P.
Sent: Thursday, November 09, 2006 1:14 PM
To: pkix
Subject: RE: Comment on draft-santesson-pkix-vccrl-00.txt
A technical standard that documents interfaces for the purpose of
interoperability shouldn't be giving "strongly"-worded guidance
concerning business processes.
I agree with Denis' approach. A CA that encapsulates certs
inside CRLs may increase the efficiency of some customers
(by reducing the number of fetch operations) while simultaneously
decreasing the efficiency of other customers (by expanding the
size of CRLs).
A standard that gives CAs a mechanism for offering expanded CRLs
must also give customers a mechanism for accepting or declining
that offer. I suggest that a standard of this type should enable
certificates to point to three forms of CRL data:
1) normal CRLs
2) CRLs containing certificates
3) a bag containing CRLs and certificates
It would be up to CAs to choose which of these options to offer.
I would recommend that "my" CAs support options 1 and, where
appropriate, 3. For certificates that support more than one
option, the client can choose at runtime which is best.
There is no reason to choose expanded CRLs if the client has
previously obtained and cached the CRL issuer's certificate.
This capability could be expressed as three different CRLDP
extension OIDs (with the same extension syntax), or as a single
extension with some other mechanism (such as a standardized
http: "?" query option) to signal what type(s) of CRL data
are available and which is being requested. But a standard
of this type must define some way for the client to choose.
I would not support an RFC that does not provide the ability
to request normal CRLs as Denis has proposed.
Dave
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Ryan Hurst
I believe I understand Denis concern, I would personally be OK with the
proposal as stands if its use was limited to only the scenarios where it
is needed and the text in the document strongly made that limitation
apparent; specifically indirect cases.
Ryan
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9NNlqL052308; Thu, 9 Nov 2006 16:23:47 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9NNlO7052307; Thu, 9 Nov 2006 16:23:47 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (dhcp68-116.ietf67.org [130.129.68.116]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9NNkBm052300 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 16:23:47 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id C26F2E0035; Thu, 9 Nov 2006 18:23:44 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: "Michael Myers" <mmyers@fastq.com>
Cc: <ietf-pkix@imc.org>
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
References: <CCEJKFKLBCNMONJMIEAMOEBLCEAA.mmyers@fastq.com>
Date: Thu, 09 Nov 2006 18:23:44 -0500
In-Reply-To: <CCEJKFKLBCNMONJMIEAMOEBLCEAA.mmyers@fastq.com> (Michael Myers's message of "Thu, 9 Nov 2006 13:36:55 -0800")
Message-ID: <tsly7qktda7.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> "Michael" == Michael Myers <mmyers@fastq.com> writes:
Michael> Sam, For definition (since there has never really been
Michael> one to date), there are two forms of OCSP relay. The
Michael> first is a cache of previously signed yet still reliable
Michael> responses. I believe this to be the target of the
Michael> subject I-D. The second form is a re-signing of OCSP
Michael> responses under a key trusted by the ultimate
Michael> requestor. Neither of these derivative aspects of OCSP
Michael> are discussed in any depth in 2560. It is my preference
Michael> that 2560 remain as is, to define the protocol and its
Michael> various options. Other I-Ds may then map that protocol
Michael> and those options onto specific instances of need.
I don't understand how defining an OCSP relay would be different than
my option 1 to which you object.
Received: from iapps.com (host-65-173-63-254.acelerate.net [65.173.63.254]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kA9MRPwo038236 for <ietf-pkix-archive@imc.org>; Thu, 9 Nov 2006 15:27:29 -0700 (MST) (envelope-from boyemarielle@fstinc.com)
Message-ID: <000001c7044e$367cd7a0$d654a8c0@axxi>
Reply-To: "Ksenija Schilling" <boyemarielle@fstinc.com>
From: "Ksenija Schilling" <boyemarielle@fstinc.com>
To: ietf-pkix-archive@imc.org
Subject: Re: new
Date: Thu, 9 Nov 2006 14:27:17 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C7040B.285997A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
This is a multi-part message in MIME format.
------=_NextPart_000_0001_01C7040B.285997A0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Hi,
Nice PHffARMACY http://www.kindetunhasdefunertin.com
=20
be searching for a tachyon emission source. He appeared to run out of
------=_NextPart_000_0001_01C7040B.285997A0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV>Hi,</DIV>
<DIV><H1>Nice PHffARMACY <A =
href=3D"http://www.kindetunhasdefunertin.com">http://www.kindetunhasdefun=
ertin.com</A></H1></DIV>
<DIV> </DIV>
<P>be searching for a tachyon emission source. He appeared to run out =
of<BR></P></BODY></HTML>
------=_NextPart_000_0001_01C7040B.285997A0--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9MDbL0034671; Thu, 9 Nov 2006 15:13:37 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9MDbOi034670; Thu, 9 Nov 2006 15:13:37 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9MDacp034655 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 15:13:37 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kA9MDZaF087596; Thu, 9 Nov 2006 15:13:35 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Sam Hartman" <hartmans-ietf@mit.edu>
Cc: <ietf-pkix@imc.org>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Thu, 9 Nov 2006 13:36:55 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMOEBLCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <tslfycsuy16.fsf@cz.mit.edu>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sam,
For definition (since there has never really been one to date), there are
two forms of OCSP relay. The first is a cache of previously signed yet
still reliable responses. I believe this to be the target of the subject
I-D. The second form is a re-signing of OCSP responses under a key trusted
by the ultimate requestor. Neither of these derivative aspects of OCSP are
discussed in any depth in 2560. It is my preference that 2560 remain as is,
to define the protocol and its various options. Other I-Ds may then map
that protocol and those options onto specific instances of need.
Mike
-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf@mit.edu]
Sent: Thursday, November 09, 2006 1:10 PM
To: Michael Myers
Cc: ietf-pkix@imc.org
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
>>>>> "Michael" == Michael Myers <mmyers@fastq.com> writes:
Michael> Perhaps the subject I-D should clarify the role of a
Michael> relay.
I do not understand this sentence.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9LDjtp020381; Thu, 9 Nov 2006 14:13:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9LDjSO020380; Thu, 9 Nov 2006 14:13:45 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9LDhAO020323 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 14:13:44 -0700 (MST) (envelope-from DPKemp@missi.ncsc.mil)
Received: from Cerberus.missi.ncsc.mil (cerberus.missi.ncsc.mil [144.51.51.8]) by stingray.missi.ncsc.mil with SMTP id kA9LDY5V027212 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 16:13:34 -0500 (EST)
Received: from 144.51.60.34 by Cerberus.missi.ncsc.mil (InterScan VirusWall 6); Thu, 09 Nov 2006 16:13:34 -0500
Received: from EXCH.missi.ncsc.mil ([144.51.60.21]) by gto.missi.ncsc.mil with Microsoft SMTPSVC(5.0.2195.6713); Thu, 9 Nov 2006 16:13:33 -0500
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: Comment on draft-santesson-pkix-vccrl-00.txt
Date: Thu, 9 Nov 2006 16:13:33 -0500
Message-ID: <FA998122A677CF4390C1E291BFCF598905D4FC40@EXCH.missi.ncsc.mil>
In-Reply-To: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800336F494@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Comment on draft-santesson-pkix-vccrl-00.txt
Thread-Index: AccEHo/2CbbjQjigTb+bn0XMUnRhCgAEfyMgAAKTtNA=
From: "Kemp David P." <DPKemp@missi.ncsc.mil>
To: "pkix" <ietf-pkix@imc.org>
X-OriginalArrivalTime: 09 Nov 2006 21:13:33.0924 (UTC) FILETIME=[EA0ABA40:01C70443]
X-TM-AS-Product-Ver: : ISVW-6.0.0.1396-3.6.0.1039-14804000
X-TM-AS-Result: : Yes--7.695500-0-2-1
X-TM-AS-Category-Info: : 2:0.000000
X-TM-AS-MatchedID: : =?us-ascii?B?MTUwNTY3LTcwMDQ4MC03MTAw?= =?us-ascii?B?MTUtNzExMDE2LTcwNDEyNC03MDIwODctNzA4Njg3LTcwMDc4OC03?= =?us-ascii?B?MDA4MzItMTIxMTEwLTEyMTEwMS03MDExMzUtNzA1NjMyLTcwOTk4?= =?us-ascii?B?MS03MDI5MDEtNzA0NjE5LTcwMTcxMC03MDAxNjAtNzAxNDI0LTcw?= =?us-ascii?B?MDgyMS03MDEyMzgtNzA5Mjc5LTcwMzQzNS03MDMwMzYtNzAxNjUx?= =?us-ascii?B?LTcwMzIxMi03MDMxNzktNzAzNTgzLTcwMTYyMC03MDEwMjUtNzAy?= =?us-ascii?B?MzI4LTcwMjI4My03MDExNDMtNzAyNzc2LTcwMTI1Mi03MDA0ODct?= =?us-ascii?B?NzAyNzA2LTcxMDk5Mi03MTA0ODYtMTg2MDM1LTcwMDQ3Ni03MDMy?= =?us-ascii?B?MTAtNzExNzk2LTcxMDA3Mi0xMzkwMDYtNzAyNjA2LTcwNDM3MS03?= =?us-ascii?B?MDEwMzQtNzA1MjEyLTcxMDI4My03MDA0NjYtNzAxMTEyLTcwMzYw?= =?us-ascii?B?MC03MDA3OTYtNzEwMDExLTcxMDY2Ny03MDAyNjMtNzExNTAzLTE0?= =?us-ascii?B?ODA1MA==?=
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA9LDiAO020375
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
A technical standard that documents interfaces for the purpose of
interoperability shouldn't be giving "strongly"-worded guidance
concerning business processes.
I agree with Denis' approach. A CA that encapsulates certs
inside CRLs may increase the efficiency of some customers
(by reducing the number of fetch operations) while simultaneously
decreasing the efficiency of other customers (by expanding the
size of CRLs).
A standard that gives CAs a mechanism for offering expanded CRLs
must also give customers a mechanism for accepting or declining
that offer. I suggest that a standard of this type should enable
certificates to point to three forms of CRL data:
1) normal CRLs
2) CRLs containing certificates
3) a bag containing CRLs and certificates
It would be up to CAs to choose which of these options to offer.
I would recommend that "my" CAs support options 1 and, where
appropriate, 3. For certificates that support more than one
option, the client can choose at runtime which is best.
There is no reason to choose expanded CRLs if the client has
previously obtained and cached the CRL issuer's certificate.
This capability could be expressed as three different CRLDP
extension OIDs (with the same extension syntax), or as a single
extension with some other mechanism (such as a standardized
http: "?" query option) to signal what type(s) of CRL data
are available and which is being requested. But a standard
of this type must define some way for the client to choose.
I would not support an RFC that does not provide the ability
to request normal CRLs as Denis has proposed.
Dave
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Ryan Hurst
I believe I understand Denis concern, I would personally be OK with the
proposal as stands if its use was limited to only the scenarios where it
is needed and the text in the document strongly made that limitation
apparent; specifically indirect cases.
Ryan
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9LD6Zg020203; Thu, 9 Nov 2006 14:13:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9LD6WM020202; Thu, 9 Nov 2006 14:13:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail-eur.microsoft.com (mail-eur.microsoft.com [213.199.128.145]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9LD41t020150 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 14:13:05 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from EUR-MSG-11.europe.corp.microsoft.com ([65.53.193.197]) by mail-eur.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 9 Nov 2006 21:12:58 +0000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C70443.D4F008D2"
Subject: RE: draft meeting minutes
Date: Thu, 9 Nov 2006 21:12:59 -0000
Message-ID: <BF9309599A71984CAC5BAC5ECA629944066034B6@EUR-MSG-11.europe.corp.microsoft.com>
In-Reply-To: <7.0.0.16.2.20061109130031.041af388@vigilsec.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft meeting minutes
Thread-Index: AccENv3uamK+/XtZRySiuVJNghx8gAADHl0w
References: <p06230911c178511f7c68@[12.105.247.171]> <7.0.0.16.2.20061109130031.041af388@vigilsec.com>
From: "Stefan Santesson" <stefans@microsoft.com>
To: "Russ Housley" <housley@vigilsec.com>, "Stephen Kent" <kent@bbn.com>, <ietf-pkix@imc.org>
X-OriginalArrivalTime: 09 Nov 2006 21:12:58.0924 (UTC) FILETIME=[D52E26C0:01C70443]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------_=_NextPart_001_01C70443.D4F008D2
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
This document does not specify any protocol.
=20
It specifies subjective design criteria for a UI that I seriously doubt
can be a base for a consensus process.
If this document is progressed I suggest that it is handled as an
informational input progressed outside of the pkix wg.
=20
=20
Stefan Santesson
Senior Program Manager
Windows Security, Standards
=20
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Russ Housley
Sent: den 9 november 2006 10:06
To: Stephen Kent; ietf-pkix@imc.org
Subject: Re: draft meeting minutes
=20
Dear PKIX WG:
Document Status Review - Stefan Santesson (Microsoft)
Two new RFCs issued: SIM and Update to Directory String
Processing in RFC 3280. Five documents in IESG review: SCVP, Lightweight
OCSP, and 3 CMC documents. Follow up is needed for the first two, and a
revised I-D is needed for CMC. (Russ Housley requested WG direction re
the UI draft. This individual submission received AD comments requesting
changes, but no revised document has been delivered to the IESG.)=20
This is draft-choi-pkix-ui-03.txt.
It is not a PKIX WG document, but the authors have not responded to
messages from me. I am going to drop it if the authors do not respond
soon. If the PKIX WG thinks there is value in this document, I'll send
it to the WG instead of dropping it.
Russ
------_=_NextPart_001_01C70443.D4F008D2
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" =
xmlns:p=3D"urn:schemas-microsoft-com:office:powerpoint" =
xmlns:a=3D"urn:schemas-microsoft-com:office:access" =
xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" =
xmlns:s=3D"uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" =
xmlns:rs=3D"urn:schemas-microsoft-com:rowset" xmlns:z=3D"#RowsetSchema" =
xmlns:b=3D"urn:schemas-microsoft-com:office:publisher" =
xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadsheet" =
xmlns:oa=3D"urn:schemas-microsoft-com:office:activation" =
xmlns:html=3D"http://www.w3.org/TR/REC-html40" =
xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/" xmlns:D=3D"DAV:" =
xmlns:x2=3D"http://schemas.microsoft.com/office/excel/2003/xml" =
xmlns:ois=3D"http://schemas.microsoft.com/sharepoint/soap/ois/" =
xmlns:dir=3D"http://schemas.microsoft.com/sharepoint/soap/directory/" =
xmlns:ds=3D"http://www.w3.org/2000/09/xmldsig#" =
xmlns:udc=3D"http://schemas.microsoft.com/data/udc" =
xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema" =
xmlns:sps=3D"http://schemas.microsoft.com/sharepoint/soap/" =
xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" =
xmlns:udcxf=3D"http://schemas.microsoft.com/data/udc/xmlfile" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns:ex12t=3D"http://schemas.microsoft.com/exchange/services/2006/types"=
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DSV link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal><a name=3D"_MailEndCompose"><span lang=3DEN-US =
style=3D'font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This document =
does not
specify any protocol.<o:p></o:p></span></a></p>
<p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It specifies subjective design criteria for a UI that I =
seriously
doubt can be a base for a consensus process.<o:p></o:p></span></p>
<p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If this document is progressed I suggest that it is =
handled as
an informational input progressed outside of the pkix =
wg.<o:p></o:p></span></p>
<p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<p class=3DMsoNormal><b><span lang=3DEN-GB =
style=3D'font-size:10.0pt;font-family:
"Arial","sans-serif";color:maroon'>Stefan Santesson</span></b><span =
lang=3DEN-GB
style=3D'color:#1F497D'><o:p></o:p></span></p>
<p class=3DMsoNormal><span lang=3DEN-GB =
style=3D'font-size:10.0pt;font-family:"Arial","sans-serif";
color:#400040'>Senior Program Manager</span><span lang=3DEN-GB =
style=3D'color:navy'><o:p></o:p></span></p>
<p class=3DMsoNormal><b><span lang=3DEN-GB =
style=3D'font-size:10.0pt;font-family:
"Arial","sans-serif";color:#400040'>Windows Security, =
Standards</span></b><span
lang=3DEN-US =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p></o:p></span></p>
</div>
<p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm =
0cm 4.0pt'>
<div>
<div style=3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt =
0cm 0cm 0cm'>
<p class=3DMsoNormal><b><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=3DEN-US =
style=3D'font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org] <b>On Behalf Of </b>Russ =
Housley<br>
<b>Sent:</b> den 9 november 2006 10:06<br>
<b>To:</b> Stephen Kent; ietf-pkix@imc.org<br>
<b>Subject:</b> Re: draft meeting minutes<o:p></o:p></span></p>
</div>
</div>
<p class=3DMsoNormal><o:p> </o:p></p>
<p class=3DMsoNormal>Dear PKIX WG:<br>
<br>
<br>
<o:p></o:p></p>
<p class=3DMsoNormal><b><span style=3D'font-size:18.0pt'>Document Status =
Review -</span></b><span
style=3D'font-size:18.0pt'> Stefan Santesson (Microsoft)<br>
Two new RFCs issued: SIM =
and
Update to Directory String Processing in RFC 3280. Five documents in =
IESG
review: SCVP, Lightweight OCSP, and 3 CMC documents. Follow up is needed =
for
the first two, and a revised I-D is needed for CMC. (Russ Housley =
requested WG
direction re the UI draft. This individual submission received AD =
comments requesting
changes, but no revised document has been delivered to the IESG.) =
</span><o:p></o:p></p>
<p class=3DMsoNormal><br>
This is draft-choi-pkix-ui-03.txt.<br>
It is not a PKIX WG document, but the authors have not responded to =
messages
from me. I am going to drop it if the authors do not respond =
soon.
If the PKIX WG thinks there is value in this document, I'll send it to =
the WG
instead of dropping it.<br>
<br>
Russ<o:p></o:p></p>
</div>
</div>
</body>
</html>
------_=_NextPart_001_01C70443.D4F008D2--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9LAGWc019522; Thu, 9 Nov 2006 14:10:16 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9LAGh1019521; Thu, 9 Nov 2006 14:10:16 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (dhcp68-116.ietf67.org [130.129.68.116]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9LAFJ0019515 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 14:10:16 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 532DFE0035; Thu, 9 Nov 2006 16:10:13 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: "Michael Myers" <mmyers@fastq.com>
Cc: <ietf-pkix@imc.org>
Subject: Re: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
References: <CCEJKFKLBCNMONJMIEAMMEBKCEAA.mmyers@fastq.com>
Date: Thu, 09 Nov 2006 16:10:13 -0500
In-Reply-To: <CCEJKFKLBCNMONJMIEAMMEBKCEAA.mmyers@fastq.com> (Michael Myers's message of "Thu, 9 Nov 2006 12:00:23 -0800")
Message-ID: <tslfycsuy16.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>>>>> "Michael" == Michael Myers <mmyers@fastq.com> writes:
Michael> Perhaps the subject I-D should clarify the role of a
Michael> relay.
I do not understand this sentence.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9Kb60k010078; Thu, 9 Nov 2006 13:37:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9Kb6uC010077; Thu, 9 Nov 2006 13:37:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9Kb5NO010066 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 13:37:06 -0700 (MST) (envelope-from mmyers@fastq.com)
Received: from mmyerslaptop (dslstat-bvi4-403.fastq.com [65.39.91.150]) by mailout.fastq.com (8.13.4/8.13.4) with SMTP id kA9Kb4gb084149; Thu, 9 Nov 2006 13:37:04 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Sam Hartman" <hartmans-ietf@mit.edu>, <ietf-pkix@imc.org>
Subject: RE: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Thu, 9 Nov 2006 12:00:23 -0800
Message-ID: <CCEJKFKLBCNMONJMIEAMMEBKCEAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
In-Reply-To: <tslzmb0v63m.fsf@cz.mit.edu>
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sam, all:
I will oppose the following:
> 1) Make a standards-track change/clarification to
> 2560 indicating that responders need not have a key.
Perhaps the subject I-D should clarify the role of a relay.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Sam Hartman
Sent: Thursday, November 09, 2006 10:16 AM
To: ietf-pkix@imc.org
Subject: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Hi, folsk.
I have a discuss on the lightweight ocsp profile .
One of the primary purposes of the lightweight OCSP profile is to
allow deployment of responders that do not have private keys and thus
can only return pre-produced responses.
However this document is informational, not standards track.
I contend that RFC 2560 allows pre-produced responses, but does not
really support responders that can only give pre-produced responses.
That is, I contend that as written, to achieve interoperability, you
need to have an online signing key.
I believe it is inappropriate for an informational document to profile
OCSP in this way.
I'd like to ask the PKIX working group to do one of three things to resolve
my discuss:
1) Make a standards-track change/clarification to 2560 indicating that
responders need not have a key.
2) Remove this major goal from the lightweight-ocsp-profile.
3) Withdraw the document.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9Iv2vD084512; Thu, 9 Nov 2006 11:57:02 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9Iv2sf084511; Thu, 9 Nov 2006 11:57:02 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.212]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9Iv1OE084475 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 11:57:01 -0700 (MST) (envelope-from ryan.hurst@microsoft.com)
Received: from mailout6.microsoft.com (157.54.69.150) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server id 8.0.685.15; Thu, 9 Nov 2006 10:56:56 -0800
Received: from IGT-HUB-01.redmond.corp.microsoft.com ([157.54.69.148]) by mailout6.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 9 Nov 2006 10:56:55 -0800
Received: from TK5-EXHUB-C101.redmond.corp.microsoft.com ([157.54.70.76]) by IGT-HUB-01.redmond.corp.microsoft.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.2786); Thu, 9 Nov 2006 10:56:55 -0800
Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com (157.54.69.169) by TK5-EXHUB-C101.redmond.corp.microsoft.com (157.54.70.76) with Microsoft SMTP Server id 8.0.685.15; Thu, 9 Nov 2006 10:56:54 -0800
Received: from WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com ([157.54.62.25]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3790.2786); Thu, 9 Nov 2006 10:56:54 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: Comment on draft-santesson-pkix-vccrl-00.txt
Date: Thu, 9 Nov 2006 10:56:15 -0800
Message-ID: <5F3AAFB2FEC5ED4AA6DE79A3E0B47D800336F494@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <OF8E0F9F62.58C263E7-ONC1257221.004E8B03@frcl.bull.fr>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Comment on draft-santesson-pkix-vccrl-00.txt
Thread-Index: AccEHo/2CbbjQjigTb+bn0XMUnRhCgAEfyMg
References: <OF8E0F9F62.58C263E7-ONC1257221.004E8B03@frcl.bull.fr>
From: Ryan Hurst <Ryan.Hurst@microsoft.com>
To: Denis Pinkas <denis.pinkas@bull.net>, pkix <ietf-pkix@imc.org>
X-OriginalArrivalTime: 09 Nov 2006 18:56:54.0672 (UTC) FILETIME=[D2E82900:01C70430]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA9Iv1OE084506
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I believe I understand Denis concern, I would personally be OK with the
proposal as stands if its use was limited to only the scenarios where it
is needed and the text in the document strongly made that limitation
apparent; specifically indirect cases.
Ryan
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Denis Pinkas
Sent: Thursday, November 09, 2006 6:18 AM
To: pkix
Subject: Comment on draft-santesson-pkix-vccrl-00.txt
Stefan,
Your current proposal is limited to propose a new CRLextension:
id-pe-validationCerts OBJECT IDENTIFIER ::= { id-pe nn }
The problem is the following: if a CA chooses to issue CRLs with that
new extension,
then all CRLs will augment in size.
I would rather prefer to be able to provide relying parties with the
choice between :
- CRLs that carry that new extension, and
- CRLs "as usual".
This would be achieved, if you were proposing at the same time a new
certificate extension
that would allow to retrieve CRLs that have the new extension (e.g. a
new CRLDP extension
that would point where the bigger CRL is).
Current applications would continue to ignore both new extensions and
would not be impacted
in any way, whatever the choice of the CA would be.
All this story is a trade off between this additional complexity both on
the CA side and
on the relying party side and the saving of one exchange.
Denis
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9IG8F5074673; Thu, 9 Nov 2006 11:16:08 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9IG8iE074672; Thu, 9 Nov 2006 11:16:08 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (dhcp68-116.ietf67.org [130.129.68.116]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9IG7Su074656 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 11:16:08 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id C55FAE0038; Thu, 9 Nov 2006 13:15:57 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: ietf-pkix@imc.org
Subject: draft-ietf-pkix-lightweight-ocsp-profile and RFC 2560
Date: Thu, 09 Nov 2006 13:15:57 -0500
Message-ID: <tslzmb0v63m.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hi, folsk.
I have a discuss on the lightweight ocsp profile .
One of the primary purposes of the lightweight OCSP profile is to
allow deployment of responders that do not have private keys and thus
can only return pre-produced responses.
However this document is informational, not standards track.
I contend that RFC 2560 allows pre-produced responses, but does not
really support responders that can only give pre-produced responses.
That is, I contend that as written, to achieve interoperability, you
need to have an online signing key.
I believe it is inappropriate for an informational document to profile
OCSP in this way.
I'd like to ask the PKIX working group to do one of three things to resolve my discuss:
1) Make a standards-track change/clarification to 2560 indicating that
responders need not have a key.
2) Remove this major goal from the lightweight-ocsp-profile.
3) Withdraw the document.
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9ICHeW073783; Thu, 9 Nov 2006 11:12:17 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9ICHsa073782; Thu, 9 Nov 2006 11:12:17 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kA9ICFGE073767 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 11:12:16 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 29427 invoked by uid 0); 9 Nov 2006 18:12:10 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (130.129.68.101) by woodstock.binhost.com with SMTP; 9 Nov 2006 18:12:10 -0000
Message-Id: <7.0.0.16.2.20061109130031.041af388@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Thu, 09 Nov 2006 13:06:03 -0500
To: Stephen Kent <kent@bbn.com>, ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: draft meeting minutes
In-Reply-To: <p06230911c178511f7c68@[12.105.247.171]>
References: <p06230911c178511f7c68@[12.105.247.171]>
Mime-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
<html>
<body>
Dear PKIX WG:<br><br>
<blockquote type=cite class=cite cite=""><font size=5><b>Document Status
Review -</b> Stefan Santesson (Microsoft)<br>
<x-tab> </x-tab>Two new
RFCs issued: SIM and Update to Directory String Processing in RFC 3280.
Five documents in IESG review: SCVP, Lightweight OCSP, and 3 CMC
documents. Follow up is needed for the first two, and a revised I-D is
needed for CMC. (Russ Housley requested WG direction re the UI draft.
This individual submission received AD comments requesting changes, but
no revised document has been delivered to the IESG.)
</font></blockquote><br>
This is draft-choi-pkix-ui-03.txt.<br>
It is not a PKIX WG document, but the authors have not responded to
messages from me. I am going to drop it if the authors do not
respond soon. If the PKIX WG thinks there is value in this
document, I'll send it to the WG instead of dropping it.<br><br>
Russ<br>
</body>
</html>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9EHwOf012119; Thu, 9 Nov 2006 07:17:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9EHwhA012118; Thu, 9 Nov 2006 07:17:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9EHtkG012104 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 07:17:57 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-mcl1.frcl.bull.fr [129.184.87.20]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA29570 for <ietf-pkix@imc.org>; Thu, 9 Nov 2006 15:20:33 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006110915175380:63593 ; Thu, 9 Nov 2006 15:17:53 +0100
Date: Thu, 9 Nov 2006 15:17:51 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "pkix" <ietf-pkix@imc.org>
Subject: Comment on draft-santesson-pkix-vccrl-00.txt
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 09/11/2006 15:17:53, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 09/11/2006 15:17:55, Serialize complete at 09/11/2006 15:17:55
Message-ID: <OF8E0F9F62.58C263E7-ONC1257221.004E8B03@frcl.bull.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Stefan,
Your current proposal is limited to propose a new CRLextension:
id-pe-validationCerts OBJECT IDENTIFIER ::= { id-pe nn }
The problem is the following: if a CA chooses to issue CRLs with that new extension,
then all CRLs will augment in size.
I would rather prefer to be able to provide relying parties with the choice between :
- CRLs that carry that new extension, and
- CRLs "as usual".
This would be achieved, if you were proposing at the same time a new certificate extension
that would allow to retrieve CRLs that have the new extension (e.g. a new CRLDP extension
that would point where the bigger CRL is).
Current applications would continue to ignore both new extensions and would not be impacted
in any way, whatever the choice of the CA would be.
All this story is a trade off between this additional complexity both on the CA side and
on the relying party side and the saving of one exchange.
Denis
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA95gJAS050225; Wed, 8 Nov 2006 22:42:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA95gJFO050224; Wed, 8 Nov 2006 22:42:19 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from auth0.cht.com.tw (esmtpo1.cht.com.tw [202.39.168.16]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA95gFe2050208 for <ietf-pkix@imc.org>; Wed, 8 Nov 2006 22:42:18 -0700 (MST) (envelope-from wcwang@cht.com.tw)
Received: from auth0.cht.com.tw (localhost.localdomain [127.0.0.1]) by localhost.cht.com.tw (Postfix) with ESMTP id 4CEC52CC364; Thu, 9 Nov 2006 13:42:07 +0800 (CST)
Received: from wcwang (unknown [10.144.133.93]) by auth0.cht.com.tw (Postfix) with SMTP id E58722CC27D; Thu, 9 Nov 2006 13:42:06 +0800 (CST)
Message-ID: <001d01c703c1$c96465c0$5d85900a@wcwang>
From: "Wen-Cheng Wang" <wcwang@cht.com.tw>
To: "David A. Cooper" <david.cooper@nist.gov>, =?utf-8?B?6LW1IOaVjw==?= <qzzm@hotmail.com>
Cc: "pkix" <ietf-pkix@imc.org>
References: <45522978.4060302@nist.gov>
Subject: Re: The definition of OtherName in 3280bis differs with X.509?
Date: Thu, 9 Nov 2006 13:41:59 +0800
Organization: Chunghwa Telecom
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_001A_01C70404.D4B68460"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_001A_01C70404.D4B68460
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
It is true that an INSTANCE OF <DefinedObjectClass> is equivalent to
[UNIVERSAL 8] IMPLICIT SEQUENCE
{
type-id <DefinedObjectClass>.&id,
value [0] EXPLICIT <DefinedObjectClass>.&Type
}
Therefore, if the "AnotherName" type is, as claimed, defined to replace
the "INSTANCE OF OTHER NAME" type, its syntax should be:
AnotherName ::=3D [UNIVERSAL 8] IMPLICIT SEQUENCE
{
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id
}
(Note that in RFC 2459, 3280 and 3280bis, the text wrongly claims
that "AnotherName replaces OTHER-NAME ::=3D TYPE-IDENTIFIER".
The reason why the statement is wrong is that OTHER-NAME
is an information object class while AnotherName is a data type, and
a data type can not replace an information object class.
The correct way of saying that should be "AnotherName replaces
INSTANCE OF OTHER-NAME", because "INSTANCE OF OTHER-NAME"
is a data type.)
However, to my knowledge of ASN.1, since the default tagging mode of the
PKIX1Implicit88 module is "IMPLICIT TAGS", the DER encoding will be the
same with or without the "[UNIVERSAL 8] IMPLICIT" tagging precede the
SEQUENCE type. The reason is that the outer implicit tag (i.e., the tag =
[0]
precedes the "AnotherName" type in the GeneralName type) will always
overwrite the inner tag no matter the inner tag is an "[UNIVERSAL 8] =
IMPLICIT
SEQUENCE" or simply a "SEQUENCE".
My conclusion to this issue is that even the syntax is inconsistent =
between
PKIX and ITU-T X.509, it is luckly that their DER encodings will still =
be the
same.
Nevertheless, one thing we should note is that the "AnotherName" type =
should
not be used alone without any implicit tag precede, otherwise it will =
result
inconsistent DER encoding with ITU-T X.509. For example, if someday we
define a type named "ListOfAnotherNames" as the following:
ListOfAnotherNames ::=3D SEQUENCE OF AnotherName
With our current definition of the "AnotherName" type, the DER encoding
of an "AnotherName" value will different with the case where it is =
defined
as the following:
ListOfAnotherNames ::=3D SEQUENCE OF INSTANCE OF OTHER-NAME
So, now the question is "do we need to change the syntax of AnotherName
to be syntactically aligned with ITU-T X.509?"
Wen-Cheng Wang
----- Original Message -----=20
From: David A. Cooper=20
To: =E8=B5=B5 =E6=95=8F=20
Cc: pkix=20
Sent: Thursday, November 09, 2006 3:01 AM
Subject: Re: The definition of OtherName in 3280bis differs with =
X.509?
I do not understand ASN.1 well enough to answer the question below, =
but someone else on the PKIX mail list may be able to respond.
I can say, however, that the ASN.1 for OtherName in 3280bis is the =
same as the ASN.1 for OtherName in RFC 2459 (January 1999) and RFC 3280 =
(April 2002), so if it in an error it is a very old error.
Dave
-------- Original Message -------- Subject: The difinition of =
OtherName in 3280bis differs with X.509?=20
Date: Wed, 08 Nov 2006 14:23:38 +0800=20
From: =E8=B5=B5 =E6=95=8F <qzzm@hotmail.com>=20
To: david.cooper@nist.gov=20
Hello David:
In rfc3280bis,Setion 4.2.1.6:
OtherName ::=3D SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
Setion A.2
-- AnotherName replaces OTHER-NAME ::=3D TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
AnotherName ::=3D SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
But in X.509(2005),Setion 4.2.1.6:
GeneralName ::=3D CHOICE {
otherName [0] INSTANCE OF OTHER-NAME,=20
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
OTHER-NAME ::=3D TYPE-IDENTIFIER
In X.681(2002),Annex A:
A.2 The TYPE-IDENTIFIER information object class is defined as:
TYPE-IDENTIFIER ::=3D CLASS
{
&id OBJECT IDENTIFIER UNIQUE,
&Type
}
WITH SYNTAX {&Type IDENTIFIED BY &id}
X.681(2002),Annex C The instance-of type:
C.7 The associated sequence type shall be:
SEQUENCE
{
type-id <DefinedObjectClass>.&id,
value [0] <DefinedObjectClass>.&Type
}
where "<DefinedObjectClass>" is replaced by the particular=20
"DefinedObjectClass" used in the "InstanceOfType" notation.
So,INSTANCE OF OTHER-NAME associated sequence type shall be:
OtherName ::=3D SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
But,this is associated sequence type,not the encoding rules.The =
definition=20
of BER/DER is in X690.
In X690(2002),Setion 8.16 Encoding of an instance-of value
8.16.1 The encoding of the instance-of type shall be the BER encoding of =
the following
sequence type with the value as specified in 8.16.2:
[UNIVERSAL 8] IMPLICIT SEQUENCE
{
type-id <DefinedObjectClass>.&id,
value [0] EXPLICIT <DefinedObjectClass>.&Type
}
where "<DefinedObjectClass>" is replaced by the particular=20
"DefinedObjectClass" used in the
"InstanceOfType" notation.
So,I think the definition of OtherName in the '88 ASN.1 syntax should=20
be:
OtherName ::=3D [UNIVERSAL 8] IMPLICIT SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
=20
Because the tag of otherName is IMPLICIT,the encode value of =
GeneralName=20
in rfc3280bis is identical of X.509.
=20
zhaomin
------=_NextPart_000_001A_01C70404.D4B68460
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
=EF=BB=BF<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY text=3D#000000 bgColor=3D#ffffff>
<DIV>It is true that an INSTANCE OF <DefinedObjectClass> is =
equivalent=20
to</DIV>
<DIV>[UNIVERSAL 8] IMPLICIT SEQUENCE<BR>{</DIV>
<DIV> type-id =20
<DefinedObjectClass>.&id,</DIV>
<DIV> value [0] =
EXPLICIT=20
<DefinedObjectClass>.&Type<BR>}</DIV>
<DIV> </DIV>
<DIV>Therefore, if the "AnotherName" type is, as claimed, defined =
to=20
replace</DIV>
<DIV>the "INSTANCE OF OTHER NAME" type, its syntax should be:</DIV>
<DIV> </DIV>
<DIV>AnotherName ::=3D [UNIVERSAL 8] IMPLICIT SEQUENCE<BR>{</DIV>
<DIV> =
type-id OBJECT=20
IDENTIFIER,</DIV>
<DIV> value [0] =
EXPLICIT=20
ANY DEFINED BY type-id<BR>}</DIV>
<DIV> </DIV>
<DIV>(Note that in RFC 2459, 3280 and 3280bis, the text wrongly =
claims</DIV>
<DIV>that "AnotherName replaces OTHER-NAME ::=3D TYPE-IDENTIFIER".</DIV>
<DIV>The reason why the statement is wrong is that OTHER-NAME
<DIV>is an information object class while AnotherName is a data type, =
and</DIV>
<DIV>a data type can not replace an information object =
class.</DIV></DIV>
<DIV>The correct way of saying that should be "AnotherName =
replaces</DIV>
<DIV>INSTANCE OF OTHER-NAME", because "INSTANCE OF =
OTHER-NAME"</DIV>
<DIV>is a data type.)</DIV>
<DIV> </DIV>
<DIV>However, to my knowledge of ASN.1, since the default tagging mode =
of=20
the</DIV>
<DIV>PKIX1Implicit88 module is "IMPLICIT TAGS", the DER encoding will be =
the</DIV>
<DIV>same with or without the "[UNIVERSAL 8] IMPLICIT" tagging precede =
the</DIV>
<DIV>SEQUENCE type. The reason is that the outer implicit tag (i.e., the =
tag=20
[0]</DIV>
<DIV>precedes the "AnotherName" type in the GeneralName type) will =
always</DIV>
<DIV>overwrite the inner tag no matter the inner tag is an =
"[UNIVERSAL 8]=20
IMPLICIT</DIV>
<DIV>SEQUENCE" or simply a "SEQUENCE".</DIV>
<DIV> </DIV>
<DIV>My conclusion to this issue is that even the syntax is inconsistent =
between</DIV>
<DIV>PKIX and ITU-T X.509, it is luckly that their DER encodings will =
still be=20
the</DIV>
<DIV>same.</DIV>
<DIV> </DIV>
<DIV>Nevertheless, one thing we should note is that the "AnotherName" =
type=20
should</DIV>
<DIV>not be used alone without any implicit tag precede, otherwise =
it will=20
result</DIV>
<DIV>inconsistent DER encoding with ITU-T X.509. For example, if someday =
we</DIV>
<DIV>define a type named "ListOfAnotherNames" as the following:</DIV>
<DIV> </DIV>
<DIV>ListOfAnotherNames ::=3D SEQUENCE OF AnotherName</DIV>
<DIV> </DIV>
<DIV>With our current definition of the "AnotherName" type, the DER=20
encoding</DIV>
<DIV>of an "AnotherName" value will different with the case where =
it is=20
defined</DIV>
<DIV>as the following:</DIV>
<DIV> </DIV>
<DIV>ListOfAnotherNames ::=3D SEQUENCE OF INSTANCE OF OTHER-NAME</DIV>
<DIV> </DIV>
<DIV>So, now the question is "do we need to change the syntax of=20
AnotherName</DIV>
<DIV>to be syntactically aligned with ITU-T X.509?"</DIV>
<DIV> </DIV>
<DIV>Wen-Cheng Wang</DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt =E6=96=B0=E7=B4=B0=E6=98=8E=E9=AB=94">----- =
Original Message ----- </DIV>
<DIV=20
style=3D"BACKGROUND: #e4e4e4; FONT: 10pt =
=E6=96=B0=E7=B4=B0=E6=98=8E=E9=AB=94; font-color: black"><B>From:</B>=20
<A title=3Ddavid.cooper@nist.gov =
href=3D"mailto:david.cooper@nist.gov">David A.=20
Cooper</A> </DIV>
<DIV style=3D"FONT: 10pt =
=E6=96=B0=E7=B4=B0=E6=98=8E=E9=AB=94"><B>To:</B> <A =
title=3Dqzzm@hotmail.com=20
href=3D"mailto:qzzm@hotmail.com">=E8=B5=B5 =E6=95=8F</A> </DIV>
<DIV style=3D"FONT: 10pt =
=E6=96=B0=E7=B4=B0=E6=98=8E=E9=AB=94"><B>Cc:</B> <A =
title=3Dietf-pkix@imc.org=20
href=3D"mailto:ietf-pkix@imc.org">pkix</A> </DIV>
<DIV style=3D"FONT: 10pt =
=E6=96=B0=E7=B4=B0=E6=98=8E=E9=AB=94"><B>Sent:</B> Thursday, November =
09, 2006 3:01=20
AM</DIV>
<DIV style=3D"FONT: 10pt =
=E6=96=B0=E7=B4=B0=E6=98=8E=E9=AB=94"><B>Subject:</B> Re: The definition =
of OtherName=20
in 3280bis differs with X.509?</DIV>
<DIV><BR></DIV>I do not understand ASN.1 well enough to answer the =
question=20
below, but someone else on the PKIX mail list may be able to =
respond.<BR><BR>I=20
can say, however, that the ASN.1 for OtherName in 3280bis is the same =
as the=20
ASN.1 for OtherName in RFC 2459 (January 1999) and RFC 3280 (April =
2002), so=20
if it in an error it is a very old =
error.<BR><BR>Dave<BR><BR><BR>--------=20
Original Message --------=20
<TABLE class=3Dmoz-email-headers-table cellSpacing=3D0 cellPadding=3D0 =
border=3D0>
<TBODY>
<TR>
<TH vAlign=3Dbaseline noWrap align=3Dright>Subject: </TH>
<TD>The difinition of OtherName in 3280bis differs with =
X.509?</TD></TR>
<TR>
<TH vAlign=3Dbaseline noWrap align=3Dright>Date: </TH>
<TD>Wed, 08 Nov 2006 14:23:38 +0800</TD></TR>
<TR>
<TH vAlign=3Dbaseline noWrap align=3Dright>From: </TH>
<TD>=E8=B5=B5 =E6=95=8F <A class=3Dmoz-txt-link-rfc2396E=20
=
href=3D"mailto:qzzm@hotmail.com"><qzzm@hotmail.com></A></TD></TR>
<TR>
<TH vAlign=3Dbaseline noWrap align=3Dright>To: </TH>
<TD><A class=3Dmoz-txt-link-abbreviated=20
=
href=3D"mailto:david.cooper@nist.gov">david.cooper@nist.gov</A></TD></TR>=
</TBODY></TABLE><BR><BR><PRE>Hello David:
In rfc3280bis,Setion 4.2.1.6:
OtherName ::=3D SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
Setion A.2
-- AnotherName replaces OTHER-NAME ::=3D TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
AnotherName ::=3D SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
But in X.509(2005),Setion 4.2.1.6:
GeneralName ::=3D CHOICE {
otherName [0] INSTANCE OF OTHER-NAME,=20
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
OTHER-NAME ::=3D TYPE-IDENTIFIER
In X.681(2002),Annex A:
A.2 The TYPE-IDENTIFIER information object class is defined as:
TYPE-IDENTIFIER ::=3D CLASS
{
&id OBJECT IDENTIFIER UNIQUE,
&Type
}
WITH SYNTAX {&Type IDENTIFIED BY &id}
X.681(2002),Annex C The instance-of type:
C.7 The associated sequence type shall be:
SEQUENCE
{
type-id <DefinedObjectClass>.&id,
value [0] <DefinedObjectClass>.&Type
}
where "<DefinedObjectClass>" is replaced by the particular=20
"DefinedObjectClass" used in the "InstanceOfType" notation.
So,INSTANCE OF OTHER-NAME associated sequence type shall be:
OtherName ::=3D SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
But,this is associated sequence type,not the encoding rules.The =
definition=20
of BER/DER is in X690.
In X690(2002),Setion 8.16 Encoding of an instance-of value
8.16.1 The encoding of the instance-of type shall be the BER encoding of =
the following
sequence type with the value as specified in 8.16.2:
[UNIVERSAL 8] IMPLICIT SEQUENCE
{
type-id <DefinedObjectClass>.&id,
value [0] EXPLICIT <DefinedObjectClass>.&Type
}
where "<DefinedObjectClass>" is replaced by the particular=20
"DefinedObjectClass" used in the
"InstanceOfType" notation.
So,I think the definition of OtherName in the '88 ASN.1 syntax should=20
be:
OtherName ::=3D [UNIVERSAL 8] IMPLICIT SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
=20
Because the tag of otherName is IMPLICIT,the encode value of =
GeneralName=20
in rfc3280bis is identical of X.509.
=20
zhaomin
</PRE></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_001A_01C70404.D4B68460--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA93jZ79039976; Wed, 8 Nov 2006 20:45:35 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA93jZGE039975; Wed, 8 Nov 2006 20:45:35 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx12.bbn.com (mx12.bbn.com [128.33.0.81]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA93jXsr039959 for <ietf-pkix@imc.org>; Wed, 8 Nov 2006 20:45:34 -0700 (MST) (envelope-from kent@bbn.com)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[12.105.247.171]) by mx12.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1Gi0qw-0005F2-3i for ietf-pkix@imc.org; Wed, 08 Nov 2006 22:45:26 -0500
Mime-Version: 1.0
Message-Id: <p06230911c178511f7c68@[12.105.247.171]>
Date: Wed, 8 Nov 2006 22:43:32 -0500
To: ietf-pkix@imc.org
From: Stephen Kent <kent@bbn.com>
Subject: draft meeting minutes
Content-Type: multipart/alternative; boundary="============_-1049078573==_ma============"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--============_-1049078573==_ma============
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Please send comments to me by 11/27.
Steve
-----
PKIX WG Meeting 11/8/06
Edited by Steve Kent
Chairs: Stephen Kent <kent@bbn.com> & Stefan Santesson <stefans@microsoft.com>
The PKIX WG met once, for a total of two hours, during the 67th IETF.
A total of approximately 50 individuals participated in the meeting.
Document Status Review - Stefan Santesson (Microsoft)
Two new RFCs issued: SIM and Update to Directory String
Processing in RFC 3280. Five documents in IESG review: SCVP,
Lightweight OCSP, and 3 CMC documents. Follow up is needed for the
first two, and a revised I-D is needed for CMC. (Russ Housley
requested WG direction re the UI draft. This individual submission
received AD comments requesting changes, but no revised document has
been delivered to the IESG.) Two documents have completed WG last
call, and will soon be forwarded to the IESG: 3280bis and SAN for
Service Names. Two documents still under WG review: ECC algorithms
(waiting for resolution of algorithm parameter resolution) and the
Draft for ECDSA and DSA with SHA-2. (slides)
PKIX WG Specifications
3280bis - David Cooper (NIST)
A new draft 05 was recently posted as response to past WG last
call. David reviewed the changes made from version 4 to version 5,
and provided an explanation for each change. (slides)
Simple Certificate Validation Protocol (SCVP)- Tim Polk (NIST)
This document is still in AD evaluation and a new draft
requested by the AD. We are currently at version 28! Tim reviewed the
changes made in response to Sam's comments. He noted that these
changes were posted to the list on Halloween, and that there have
been no responses to this posting. However, Tim identified one or two
additional fixes that need to be effected before the document will be
finished. He also identified one open issue, related to whether the
document satisfies the interoperability requirements established by
2026.
[Sam wants us to run a straw poll to confirm that the WG is
comfortable with a single spec that defines both DPD and DPV and does
not mandate that a server do either one as a base.]
(slides)
Certificate Management Messages over CMS (CMC) - Jim Schaad (Soaring
Hawk Consulting)
These documents are under IESG review which has resulted in
several change requests. For example, there is a need for the section
detailing the changes from the base documents (since this is a "bis"
document). There is also a need to accommodate hash algorithm
agility, a relatively easy fix. A bigger issue is whether to change
the OID used to refer to the encrypted data, because of the way
S/MIME has defined this OID. A more significant issue is a request
from the AD to make use of CRMF a MUST and make use of PKCS #10
structures a MAY. We plan to complete WG last call by December, in
parallel with AD re-review. (slides)
Algorithm IDs for Elliptic Curve Cryptography in PKIX - Brian Minard (Certicom)
Dan Brown (the document author) could not be physically
present, but monitored the presentation via Jabber. Looking for
feedback on several issues, including support for parameters for
SHA-2, and references to KDFs to be used with the public key in the
certificate, in the context of EC-DH or EC-MQV. The question was
raised as to why one needs to make reference to a KDF in a
certificate, given that the KDFs are not protocol specific, but one
needs protocol-specific details to completely specify how key
derivation is performed. Much of the discussion on this topic is
subsumed by the next topic. (slides)
Design team report on ECC public key IDs - Tim Polk (NIST)
We instantiated a design team of Tim, Brian Minard, and Tolga
Acar to address this complex issue. RFC 3279 defines an OID for EC,
and includes algorithm parameters, but this does not provide a way to
distinguish between a bit string to be used with EC-DH vs. EC-MQV.
Two choices were evaluated: RFC 4055-style solution vs. the ANSI
X.962 solution to specify which algorithm or algorithms can be used
with the key. RFC 4055 was developed to distinguish among RSA modes,
but is easily adapted to accommodate ECC. ANSI X.962 puts into the
parameters field the additional info needed to specify the algorithms
that the key can be used with. This leads to potential nesting of
OIDs, and one can also specify KDFs here as well. The design team
suggested a third approach, namely to retain the 3279 parameter
model, and to optionally augment it with a certificate extension to
specify the additional data that the ANSI approach encodes in the
parameters field, as well as accommodating the notion of family OIDs,
something not supported in the ANSI approach. A feature of this
approach is that if the extension is non-critical, the result is
backwards compatible with 3279, but making it critical allows one to
enforce the sort of fine-grained controls available in the ANSI
approach. The team developed a set of criteria for evaluating the 3
approaches. They polled a variety of folks and got a diverse set of
answers. Their decision was that the use of a new extension is
preferred, in conjunction with the RFC 3279 ECC syntax. Numerous
questions were raised by attendees. The discussion will continue on
the list, and we will probably result in a new work item to resolve
this issue, including asking whether the use of a new extension is
appropriate for RSA as well (in lieu of RFC 4055). (slides)
Related Specifications & Liaison Presentations
Validation Certificates in CRLs - Stefan Santesson (Microsoft)
A new individual draft that proposes an optional extension that
allows one to embed one or more certificates in a CRL. The intent is
to facilitate CRL validation when the certificate(s) needed to verify
a CRL are different from the certificate associated with the CA under
whose auspices the CRL is issued. One can already embed a pointer to
the requisite certificate, so the advantage to this approach is that
it can save a retrieval request (across a net), and for CRL
validation in the NR context, when CRL processing will take place
long after CRL issuance. One should use this extension only in
"appropriate" contexts, e.g., to avoid unnecessary CRL bloat. The
question is whether this be accepted as a WG document. A straw poll
will be conducted on the WG list. (slides)
--============_-1049078573==_ma============
Content-Type: text/html; charset="us-ascii"
<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>draft meeting minutes</title></head><body>
<div>Please send comments to me by 11/27.</div>
<div><br></div>
<div>Steve</div>
<div>-----</div>
<div><br></div>
<div><font size="+2" color="#000000"><b>PKIX WG Meeting 11/8/06<br>
<br>
</b>Edited by Steve Kent<br>
Chairs: Stephen Kent <kent@bbn.com> & Stefan Santesson
<stefans@microsoft.com><br>
<br>
The PKIX WG met once, for a total of two hours, during the 67th IETF.
A total of approximately 50 individuals participated in the
meeting.<br>
<br>
<br>
<b>Document Status Review -</b> Stefan Santesson (Microsoft)<br>
<x-tab> </x-tab>Two new RFCs
issued: SIM and Update to Directory String Processing in RFC 3280.
Five documents in IESG review: SCVP, Lightweight OCSP, and 3 CMC
documents. Follow up is needed for the first two, and a revised I-D is
needed for CMC. (Russ Housley requested WG direction re the UI draft.
This individual submission received AD comments requesting changes,
but no revised document has been delivered to the IESG.) Two documents
have completed WG last call, and will soon be forwarded to the IESG:
3280bis and SAN for Service Names. Two documents still under WG
review: ECC algorithms (waiting for resolution of algorithm parameter
resolution) and the Draft for ECDSA and DSA with SHA-2. (slides)<br>
<br>
<b> <br>
<br>
</b></font><font size="+3" color="#000000"><b>PKIX WG
Specifications<br>
<br>
</b></font><font size="+2" color="#000000"><b>3280bis - David
Cooper (NIST)<br>
</b> A new draft 05 was recently posted
as response to past WG last call. David reviewed the changes made from
version 4 to version 5, and provided an explanation for each change.
(slides)<br>
<br>
<b>Simple Certificate Validation Protocol (SCVP)- Tim Polk (NIST)<br>
</b><x-tab> </x-tab>This document is still in AD evaluation and
a new draft requested by the AD. We are currently at version 28! Tim
reviewed the changes made in response to Sam's comments. He noted that
these changes were posted to the list on Halloween, and that there
have been no responses to this posting. However, Tim identified one or
two additional fixes that need to be effected before the document will
be finished. He also identified one open issue, related to whether the
document satisfies the interoperability requirements established by
2026.<br>
<x-tab> </x-tab>[Sam wants us to
run a straw poll to confirm that the WG is comfortable with a single
spec that defines both DPD and DPV and does not mandate that a server
do either one as a base.]<br>
(slides)<br>
<br>
<b>Certificate Management Messages over CMS (CMC) - Jim Schaad
(Soaring Hawk Consulting)<br>
</b> These documents are under IESG
review which has resulted in several change requests. For example,
there is a need for the section detailing the changes from the base
documents (since this is a "bis" document). There is also a need
to accommodate hash algorithm agility, a relatively easy fix. A bigger
issue is whether to change the OID used to refer to the encrypted
data, because of the way S/MIME has defined this OID. A more
significant issue is a request from the AD to make use of CRMF a MUST
and make use of PKCS #10 structures a MAY. We plan to complete WG last
call by December, in parallel with AD re-review. (slides)<br>
<br>
<b>Algorithm IDs for Elliptic Curve Cryptography in PKIX - Brian
Minard (Certicom)<br>
</b><x-tab> </x-tab>Dan Brown (the
document author) could not be physically present, but monitored the
presentation via Jabber. Looking for feedback on several issues,
including support for parameters for SHA-2, and references to KDFs to
be used with the public key in the certificate, in the context of
EC-DH or EC-MQV. The question was raised as to why one needs to make
reference to a KDF in a certificate, given that the KDFs are not
protocol specific, but one needs protocol-specific details to
completely specify how key derivation is performed. Much of the
discussion on this topic is subsumed by the next topic. (slides)<br>
<br>
<b>Design team report on ECC public key IDs - Tim Polk (NIST)<br>
</b><x-tab> </x-tab>We instantiated a
design team of Tim, Brian Minard, and Tolga Acar to address this
complex issue. RFC 3279 defines an OID for EC, and includes algorithm
parameters, but this does not provide a way to distinguish between a
bit string to be used with EC-DH vs. EC-MQV. Two choices were
evaluated: RFC 4055-style solution vs. the ANSI X.962 solution to
specify which algorithm or algorithms can be used with the key. RFC
4055 was developed to distinguish among RSA modes, but is easily
adapted to accommodate ECC. ANSI X.962 puts into the parameters field
the additional info needed to specify the algorithms that the key can
be used with. This leads to potential nesting of OIDs, and one can
also specify KDFs here as well. The design team suggested a third
approach, namely to retain the 3279 parameter model, and to optionally
augment it with a certificate extension to specify the additional data
that the ANSI approach encodes in the parameters field, as well as
accommodating the notion of family OIDs, something not supported in
the ANSI approach. A feature of this approach is that if the extension
is non-critical, the result is backwards compatible with 3279, but
making it critical allows one to enforce the sort of fine-grained
controls available in the ANSI approach. The team developed a set of
criteria for evaluating the 3 approaches. They polled a variety
of folks and got a diverse set of answers. Their decision was that the
use of a new extension is preferred, in conjunction with the RFC 3279
ECC syntax. Numerous questions were raised by attendees. The
discussion will continue on the list, and we will probably result in a
new work item to resolve this issue, including asking whether the use
of a new extension is appropriate for RSA as well (in lieu of RFC
4055). (slides)</font></div>
<div><font size="+2" color="#000000"><br>
<br>
</font><font size="+3" color="#000000"><b>Related Specifications &
Liaison Presentations<br>
</b></font><font size="+2"
color="#000000"><b> <br>
<br>
Validation Certificates in CRLs - Stefan Santesson (Microsoft)<br>
</b> A new individual draft that
proposes an optional extension that allows one to embed one or more
certificates in a CRL. The intent is to facilitate CRL validation when
the certificate(s) needed to verify a CRL are different from the
certificate associated with the CA under whose auspices the CRL is
issued. One can already embed a pointer to the requisite certificate,
so the advantage to this approach is that it can save a retrieval
request (across a net), and for CRL validation in the NR context, when
CRL processing will take place long after CRL issuance. One should use
this extension only in "appropriate" contexts, e.g., to avoid
unnecessary CRL bloat. The question is whether this be accepted as a
WG document. A straw poll will be conducted on the WG list.
(slides)</font></div>
</body>
</html>
--============_-1049078573==_ma============--
Received: from [202.155.214.218] ([202.155.214.218]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA934mBl036141 for <ietf-pkix-archive@imc.org>; Wed, 8 Nov 2006 20:04:49 -0700 (MST) (envelope-from siwoztdv@oraculartree.com)
Message-ID: <000e01c703ab$cf4dc5a0$dad69bca@lc14>
From: "bene..." <siwoztdv@oraculartree.com>
To: ietf-pkix-archive@imc.org
Subject: voce conigli .:
Date: Thu, 9 Nov 2006 11:04:45 +0800
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000A_01C703EE.DD7105A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_000A_01C703EE.DD7105A0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000B_01C703EE.DD7105A0"
------=_NextPart_001_000B_01C703EE.DD7105A0
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
All is as read a Hosting am Aruba Proteggi.
League of Coppa Uefa Mondiali bidoni Europei migliori of bomberby. Top =
is Auguri nannini ciao grazie tutti a.
Post a nome altre in. League Coppa of Uefa of Mondiali bidoni Europei =
migliori or bomberby or Pallavolo. Che nanna lascio custodia ciau top is =
good a tata a tata. Uao non a si of spama.
Help Fast a Passterms of me. Rispondi sondaggio aiutaci capire or tuoi =
interessi Yaoi Style voce or! Giorno mb uao non a si in.
Costosoby cazzata parlare Telefilms amp Piccolo Schermo film vistoby? =
Dei miei cerca!
Lab Chat in tag Faccine Template Smallville Powered Invision Power. =
Nostri motori Mercedes Bmwby cosa tuo computer of Free a.
Qui vostre assenze vo fare la generi parla ruota.
Pi amatoforum led. Nostri motori Mercedes Bmwby cosa tuo computer of =
Free a.
Custodia ciau top am good tata in tata salve. Windows Movie Makerby is =
su Gite. Iiuser legend Moderatori in.
Belle Cinese lo Iiquizquiz domande Quiz. Grazie tutti seahawk of buona =
nanno Mave Buonanotte raga.
Grezie Barbara van of? Risposte dagli or esperti anni primo or bacioby =
bens nostri motori?
Ritiro subito quello.
League of Coppa Uefa Mondiali bidoni Europei migliori of bomberby.
Of me Anonymous Home Page Supporto in Forumfree Segnala am.
Auguroni giorno am mb!
Raga zefir raga malvo a thrasher.
Auguroni giorno am mb!
Auguroni giorno mb uao non of si is.
------=_NextPart_001_000B_01C703EE.DD7105A0
Content-Type: text/html;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"bannati" hspace=3D0=20
src=3D"cid:000901c703ab$cf4dc5a0$dad69bca@lc14" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>All is as read a Hosting am Aruba=20
Proteggi.<BR>League of Coppa Uefa Mondiali bidoni Europei migliori of =
bomberby.=20
Top is Auguri nannini ciao grazie tutti a.<BR>Post a nome altre in. =
League Coppa=20
of Uefa of Mondiali bidoni Europei migliori or bomberby or Pallavolo. =
Che nanna=20
lascio custodia ciau top is good a tata a tata. Uao non a si of =
spama.<BR>Help=20
Fast a Passterms of me. Rispondi sondaggio aiutaci capire or tuoi =
interessi Yaoi=20
Style voce or! Giorno mb uao non a si in.<BR>Costosoby cazzata parlare =
Telefilms=20
amp Piccolo Schermo film vistoby? Dei miei cerca!<BR>Lab Chat in tag =
Faccine=20
Template Smallville Powered Invision Power. Nostri motori Mercedes Bmwby =
cosa=20
tuo computer of Free a.<BR>Qui vostre assenze vo fare la generi parla=20
ruota.<BR>Pi amatoforum led. Nostri motori Mercedes Bmwby cosa tuo =
computer of=20
Free a.<BR>Custodia ciau top am good tata in tata salve. Windows Movie =
Makerby=20
is su Gite. Iiuser legend Moderatori in.<BR>Belle Cinese lo Iiquizquiz =
domande=20
Quiz. Grazie tutti seahawk of buona nanno Mave Buonanotte =
raga.<BR>Grezie=20
Barbara van of? Risposte dagli or esperti anni primo or bacioby bens =
nostri=20
motori?<BR>Ritiro subito quello.<BR>League of Coppa Uefa Mondiali bidoni =
Europei=20
migliori of bomberby.<BR>Of me Anonymous Home Page Supporto in Forumfree =
Segnala=20
am.<BR>Auguroni giorno am mb!<BR>Raga zefir raga malvo a =
thrasher.<BR>Auguroni=20
giorno am mb!<BR>Auguroni giorno mb uao non of si =
is.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000B_01C703EE.DD7105A0--
------=_NextPart_000_000A_01C703EE.DD7105A0
Content-Type: image/gif;
name="film.gif"
Content-Transfer-Encoding: base64
Content-ID: <000901c703ab$cf4dc5a0$dad69bca@lc14>
R0lGODlhvAHIAYf2AAgFAHUOAAB5AHFxAAAAe3oAcwB/hLu6xLHnzZfM5DslBWgjAHUjDZIjALcq
AN0RCAM0AC48CkVNDlo7DYtNCKE1CsA9AN9NCQ5qAB5RAE1pAGJeAIJWAJNkALVSB+hcAAOHACZ3
DUeDBVeCCIiBCJ12DMyECtiIAAegACWlDjykAW6XAIqaAKmuBrOgA+WtAA24CxLEAEmyAVPGAIHK
CJbFCMbFANvCAAnlBiDqAEPqBF/uAHzRAKjSALvoA+beAggAMSkAODcARWYDQncLRa0AM7wOOeQA
NQomNR4iSEwjSmgmMYglSp4oQLMlSessNwE8Rhg/STVNN2kzNoA5QKlNTbFNO+g+QgxVOStXSEZp
PltWSnNjAJlRNLVnS9pcQACGQi1/MzeLQGWAOHiMO6qFQb5zTuOCQgiWOxOfMTqtO2ujSYukRKen
Qs6tOOKoNA2+RirOSDzCRWbGNYG9MZXBTMnOMe3ASQDcMRrrNErbMlPlQ4viPJzhQ7jRSODpTgMO
fh8Ai0oAhGsKg3cFcZIAdsQAduwAfQkTcigUeUwTeW0Wi3Iqja4lcsoZhuEigg05eSs/dUY9g140
hHFDeK5BfLs8f+Y7cgBUeilXh0NVc2FsdnNUhZ5jd8JseN1gcwCChSSEh0p6el2CiY5/jaWKirl2
etJyjQCUgS2ufjSeeGCecoCkgpOVgrKrhOWWcwjHhhW6hEjCflWzdYrAe5a5i8C/jeXMjgDecSnY
fkXugmHRc3bVdJ3tfrvUiNvVcQAAtR4Hvz0AyG0Lu3UEwKoAucAAytUBywAcwBwVwjolt1QXzYAU
zp8kurQdt9gksgBCsRw0xklEw15FxIZLuqNAzLNDyNVIsQBtsi1iskRmzWttwYhcsahZv7Jkw+lf
tQ2MwSZxwjeAs192soyMsaiHuLR1vdV9xACcyRibzUqcwVmSzn+szpmhxs2otOGrtA3BzRPBvkHM
vFu2uozGuJq/zv//7ZKRsniFiPoCBgD4APb7BgMA+f8A/wD////3/yH5BADbsDoALAAAAAC8AcgB
Bwj/AO0JHEiwoMGDCBMqXMiwYcFPDiNKnEixosWLGDNq3Mixo0d79z7a+0eypMmTKFOqXMmypcuX
MNnBnEmzps2bOHPq3Mmzp8+fQHcyfCayaFF2RpMqXcq0qUNECYU5nUrVHtGqWAcyIYg0q1JdXsOK
HUu2IACmV5vmKyuwK9u3cOPKhXsWI8xnQfPqlam3r9+/gAMLHjwYwEo1LiOmnXs0LpSyEhhLnky1
7tLFlDm6zcy5c8HHnptGwWhZYZKMmMlqCc26tWvGq42Wfk27Nm1nti3KIigoq7SLs3MLH068OO3g
xpMrX84cK/Lm0KNLnz7xuVEDBLEPxG6gu3d72gVy//feveB38Oezky8fXjx68ubji0+/nn399+fh
40+vvvz87Pu1t9988K23HX0I6neggQKOp2B/7UVoHoMSGigfgQJi+F2D+B0IYIcTWgiiQfrdBx5V
Okm43YkkusdiQtqp2OKKAGb4IY0yunjhizTqyOOOMVaokJA7+hgjjg3leKKNN9bYo4//rZgjdz0y
ySOH4QXp5JNNXjkjlCxqR1hOYZb5o4tHDgnmQUpSCWN8GSpp5Jd0drnki24iRGSXceK5Jp1Yqsmm
n3bmmaeOhnLZZKBo+mnlonW2SeNgGR2ZJpP+nSnfo08yqiecgA6qqJWYtpjoo3ty2WeWfwIJ6puD
sv9aqKMXJtqqpLKemuSskN7IqUPdOKRTmZeKmKmJvvIH5H3IasheqIBa+KCmZ7ppqYgaOjvgqgkq
2ymz2Gqaa4gbNsohodO6WiN9jY4ILZ+9ujgmTne6lyaJssJaZKevfrplvACL+ueqUlI7Z5+z3vur
l/8K7CuUCN957rgGM1wwofXaOWeRU35IaaVZ5vvhvf7uu/HFJdv7bsArJ1wwqg1DbCqSDOEqKLkk
V/vypiUqyu+/CuvscMQnn+vUsD+KTDOnJJeqasUTw9uyxQarGOGhoRK9McUL2XyzzEZ/y7CnpNaK
qJGHOv1zvEzudEpgMmtbYbj5ebu2vXTX6q2NV5f/qCyq7HrY7IABihs43umejLjdBcJZIIPqEZ40
1YUe27B/iYOZuYIIf0zd56CH/jnSopdu+ukMeY766qy37vrrsMfuVSuy12777cnp9AFBuw/Uu0C/
2/PB8MT/XrzwBQUv/PDLF69888EfnzzvxB/kPPDXK2989djzDv3zyHuPPfPATy/99L57X7325zvf
u/Tus8899L5fn3791I9vvEDz9u//SRKxA/rKdz/kPU97AySg+AqYwPct0IAFPKD6rBdB8ZGvfNGj
oAIzGL707a+BFlSgCB0IQgY+kIThAx8Eu4c/DqrwdGYQiUuksZIU2tCDBuHgAztoQhVKcIC7+yAP
/0c4xA2KEIMdDGICjVhEJU7wiAR04gcR+MQdWvGITrxhDpNowyyK738rccZNxADGxDBEGmj8Dfqk
WEUG/tCEQ/ThFoHIRShmUI5CxOH+qGg+OHpxhUXsIhP5iMQlXjGOdcQjDiEIvhcyxDq4O2Mao6jF
PPLwgO6bIxzrR74fTnF+1ONeJt24RRL+UY5+ROT51lhJLJrPfqsMpCrnN8opCpJ+UHQIJGOXk99k
8Zc9tCIhXcmQP7ZSiyeU5SVLqUdDErGPT1RkIZGpyoXocIlszKUtl2dHAtbEMGUM57xYyE1OXvCZ
O3xjLpm5RvilcpEa7OYeERnPJlZznRc8Jwpd6f/IZdYTkPs0pykDekOagFOcCBUMMem50IY6lJT+
RKAll/lCQu6TedfE5gK3KUuLNpSg10QlJUeaTntmdCYHTahKW6IRPno0eevDpj4Tssr2QROL8LOf
HWmZP53+E5echKhGx/e9ouqvk6DsqE09mL2b3m+pupTILkdHpkhaVTgvSWlWy+iPlZLuqmB1jUu0
ChOyDqarCoVbWNdaFa+WxKyCQatbb8LWuh5trnAFjFxVate++tUp/pCLTlRB2MKqwh6HJchhCysQ
wxqEsYiF7EES21jKIhYhlrVsZB3r2MoaVrOfHUhnN6tZz3K2IItFLWkVC9nQqla0r0WtZE1LWsn/
jta1n13sbFlLWNiOZK7AHRMOeOLbxr42sZl9rHGLq9jLVra5yqUsaJW7XOZC97rOlW5Cktvc6WrX
ucblbnivW1rwgre85jUvcrtL3fSqd7nB3ckY4us58S53vQrBb37Py9/oWre037Xuf/1b3famN7Xs
va+B+SteABN4stgdL2wdXOAC45e+GFZrRuyb3QpTF70JvmyAQzzd2JZ4wQ4ecWwPzOLvUri4CJ4w
hFULYg6LOMQwNrB+/9qRcITDIKTLbG6rO1ry7pbICnavi2XL2SOjN7QpPjJ2cxvj8M62syVW8ZMf
rOPoYhnKUuZuYjMcFAPE18cm2QiHdyzg8r5Y/79VRjKLj7vgAdPYw1O+c4K3nGU71znOedazhKH7
ZCwXxQU8toePfxzkCLPZw25+rKEHLdpJt9nPK1Zyf2dc4TjHONJZLrJ7IT1qC3MZ0Cr+MP/IzGqg
hKPRdt4xhdcs6Mhm2tPtPXGm37vpLhPat0uWMbBXXGPyYpbYpn7zfgvS6mb7RM2O3ixtmTztaAv5
1rWtbZVtjOfbRpi5J7YtoVvr7UBjdrdFBrBtv3zaNve2uH5ItFG+Ku96U+R/6HD2/+zNb7EAYKr9
Toi+fyKKgRu82f9OeF7nVYGD02s4ogg4QRaBOoUDXOIYz7hXEq7xVTv84yAnyQpCTvL+9UAvHf9P
uezuwJpkCLwlTfCqN0pO85rPCxCsxsaYVN5XBaScFzwPOkXgIXSNq4M6dKjKFYr+ukEwfSp6gI7P
rwqap1t9INww3cWDbnOVHGGu7ei6vv+tEhqKndV9+PjCz852wZC97eG8BE/SfvC1w/3uQHk73h1O
d8H8ISh237vgcaL3wQ/mEHrpO8IN/xdFKELsgaf530Oe9iK0OvKM18njM4/QBnCeJAjpQ2i2jhEq
lE4RV2fdShT/Pz6U9fNkTkNL+EESM8Oe1ZYoI+tpkoO8xEElmL+98IdP5tyQPisOEM7xUy+ZAoRu
+X1VOPOl8wLT/5YwMyC+wRWu/b704/MLOYf/Z0wQcBosRPrTH8s6ikLvrKgkdSlJP226z9exvH8h
95d/a+gPFP13hh8MAYDRIYD+dxDo9xoEmID2wA8MyIAC0YAACIEEuIAQuIADkYANSIEZOIEaGIEO
+IAfqIEGIYEWeIEdyIETmIEPuIIUoYIneIEuyIIlaIEkqIAkCIMfqIAzKBeJcBB5IFZkAn0dkX8J
IQ/ygBI6SIMFwYEyaIJLOIMo+IROSBBJKIBWKIUwOIVMmIJOeIUTkYQ7yIRaaIJbWIJiCIVmSIXX
x39lhBwcZw8c928CcYByCIdvaBl1URdEiBAkYYRpFoFKuIOC2ISEGIhlqIZT2IVP6IWJaIiN/4iG
auiAFQiCK8iFiAiJWAiIgDiIm3iGNiiIAJgSmkBfpAB3wYGHcDiHqoiKA3EWrOiKrehxAIR/JXGE
oKeJZuiCMbiFu/iIk4iCIciIlRiCOOiFm8iJjdiJZDiMWCiDYDiGuNiBlziJ0FiGgGECbDhWBoGK
ebiKsWiHsKiKqRgce3gQ74eLwpiJI7iO6QiKCGGMi4iM0/iMmFiJziiNhziGhRiPyhiPgwiCOeiO
2RhOqUgQ3CiO4TiO3oiQBVmQ5Qhk8YeO+3iPzWiPhBiFB8GIOpiOGEmRlwiJGhmGGZmIljiNStiO
/RiJUsiFNnEMA/kTc3iHddiN4/iG4NiQrP8ojg/JbPGHiTXYi0tYgVW4gUJJlDkYjMFIkkJpkhXZ
ixspie9IjKCogiWJgRtIhr/ojvf4kmAEHBSBHDtJEGEZO2dYOgKoF4RQd8HHUs5RHfpXlqADl6Jz
gByBEsrwPzHAlTqxlno5fHw5ExUhhKzzCmEhmAUYSYYJF2nwOYl5mNNhEzXwl305E23QEo5wEpI5
mZoJmF85F+1gOy8gjo5pb41pVdcgEqVxGqPJY6XpOlOwmsxHeJs5m7TpVXbwP5lZm7q5mywxXBoG
m8CZcbw5nMQpdsF5nBhHE4iXZk0xlrSIEh5RnNLJeXcFnRbhnBPBlaugEzqgUh4wnTWkEI3/gJrn
h5zmqRCEQBnDQpflqRCzgZ0vhxIBMBDzKRDzGQD4iZ/2UJ/7uZ/5OZ/gOXi56VZ30BOkEZjtSRX8
uaD9WRD3aZ9scQbnmRCt2TqzwY1yOJM2eYei2RQP+qANShAgyp8TKhkVOhzrWYcKWZDdeJALqYc9
WRHv96EN+p8iSp/5KYsBencDSnwG+aIM6aIrOhDwyYez2J80GqL0WaM8uaN416M0xxEtypBDmpDh
eKIMQaP1SaIQuqVh9QMOwQKng6W5sZc2iZNBuqEzqZMxem89yaD2aaMM+p8AKhh14KSEIQcsAaUk
R54lKjtBsHETAXRXRaa2s5gHgah/Kjvt/3edbfoRRaoQDkcFeDqbKACTGxGpbmqddlGpnmqcmfqo
0SmqmzpwX/CpNCd3hEEaZ9qhnXEIBQGrsSqrh1CrBBFvizp9KmCkhPeNMkqqdRl/tWqr9kCsA0Gr
BAGrqLqsbnWg3nilGuqrWWF+x1qssXqt1lqtubqtjxSLa1oaNGmoEmEOySqr2qqttGquDWEMx1kJ
/mema7qQMamiOloSSXF/xpqt6Jqsa+g/xcCsAAt6Xvmj8tqQrkoWsGquCput6qqu3MoUwRJ0F/qN
MkmTZTGsCkus6SoQw7ocS/CwxNGov8qpMtSTDisRAQtG5xBfvzd8shAHwUqykGqyF5GyNv/LEv0K
cjJwszzLp2xHCXdni93nsyU3AYFBtHgnEePwsOJaFBnwGsNggGIRA/PHs/2TV6rweYDAAH6BtMJX
C1arF17LlWMbtgFath+3VzZRcHvadnogGJhgtt+EeWjLEvnweeCED7WZHBSHEG6gEbYgF/SKEE17
O4V7ET8YGpo5AMC1dnWrfVxAEo9rc1kArBaxdBjRCyC7uWyREp7QdrkgtzmRBKJbumJXCKZbnJKh
qURKEgVqeNCQupq5upYrqZ5qebIbcrQrs8KSu77rVhY3sKMqsxMLjmfxu2x3DSjheoynEYl5uAYo
kwfLuX+KNOA6pcYbk9prsJ3KqQlJpfX/undWgLxAQaldd7CuaLFXiqahSrKDm4d1WHO0QL7T2aFx
6Kvpm6ElS7zgahY5CxPj2xNESwvzS7/d1xC54J4Uy75DysBMYaX+OxalScC0oHKBpRFhYBuY+xbX
+73ox6HcKxtqmr9lkZgEnBRLKxxWQL3OyxbQ28IVQcEsbDoiS7iDe6+PCnDhxJcEbMD8dw+1O8NC
PMRDnLiywwHSUQtaR8SccQFsxZ7CO68uvI3TexFrIRBXXBH5kMUZwcULscVb/BpKsDovHBHr6acL
TBanmBEqkcVeLBFhXBVu3BC5W3gDt8bPuqIaGq1pbIetuMdSDMgqusd4KL1+DL+InJPh//sPc2wP
cbwWkDwQXnzFbgzGjnzJjkzJYWzJkYzFWDzJkozJlzzHZ5d9ailOzkqwNbm92NvANxmkqry+egyk
Qtq/rQzBIYwQnUzJmRzKb8zLogzJwNzJwezJw0wQYAzMmEzMnRENpXPDFtGq8NerEVylf6y/BVul
94u/LAqkNYnN1nyTt+zAYhl/u8zJyCzKkmzJxVzJjxzKy7zM7OzJxgzPnTyQ5ZBQeqcCO2Fxa5cR
xRvOBiukVNq/3Byu3dzAtdzN4/yKDrHL6ezLBcHFxFzRBjHHvKzMET3K9qzOxwnNzmsd1luxuBzI
fcy+FSvFCS3LiIzSKa3H8ZrQrWudFP+9yRN90RGdzOrMyZts0/T8yTUdx5ks1Fnsw281uc+WaKz7
xl9MFkVt1EetOn/K1Los1GFB1RRBBKkH0qIjlw/MxNFXuP+QDANpx1D9qUh9E/kMeWZNm4aQYWbw
qdNAE7IjzRvhfAKBCWAtbzzRcCTX1s5WCS2BBmd9e2+QeQlXcoKNpzZQ2GOX1vOy2NKpACk7pmXs
Fe6615qtHJm92atzCRPa2Z492lMRCqR9VY6d2qrdbBKgl93ZdmVgeLKQYUGw2n0ZCjdbFFtXwZy7
B6c9epetf3sw3LDjculn10w83L7dGsHtVzwB2DwhtKmr3HV3EzAQsMDB1UKs3MPR3Hb/dRPQbdsr
MdwtsQjOBtl7K1WHOwcKIaG/LRsG4Qi5gQdGEUOjCQ199Q+T0dygsFZQLQVn+7sOUQR11QRLsRl+
5d1hVRIrK979gwAgh94OPuEUvm/vfeFMLEBegQIdsdwYXhH18Nv7IBdw8OGbjQNsgQQmzhoV3uIu
bnC88OLC5wv/UIoyDnuM68PSTV+ccOMosQYpsQk+DhhKwQmcsOJIPrJ50eNhmw1D3nYSYdwsTAYK
8beOidVJnuVavuVBN+JMoRPEMBBhLhBhTgxmbub2MOZpnuZnruZsruZtXuYEEedi7uZt/uZojudz
fuZknud4DudwLuZvvuaC3ud+Tuhk//7niB7oel7OT64Tw4BQGMHoa+7miT7mll7omF4Qdn4Qfm7p
oI4Qgb7piL7nmq7pjJ7pfS7ooZ7ol746CHDhci7npf7qtX7qtd7pnO7qrV7oBjHqvP7rwa7rtE7r
nk7oxs7qle7qc87lu7sSd/l+s47sfO7rd77ngJ7ndl7tyF7nmM7t3G7o357tqb7qzd7txX7om17m
4L7s2V7ogSHZ/4AMj45yk+7uzK7st27ruX7u2J7pyb7r1r7s+S7u/N7tq67rzI7mAI/vAu/syzHt
pN7sEy/wFV/qvd7vqp7vwI7wvk7w5Y7rGE/xwj7tFj+hpuBXlE7no37tC6/od87yFP9f7Swf7o3e
8nze6Tg/8gb/8eze7gsP9BAfFzV8nDXRDXtHBKX73h5OFX8w9MVxDHVVdVD/FmCUloY3C7/7CDNR
AHgKBb5L4/U+9mRf9g7O9c2G9KL7AHNV9W7/9pKhmgMh32ORfFT8FqNgGwoO9xzhBVOx9/1W4vV2
msyn3Ve1fum3MB2XDVJKxoDP98/nOlAcFmavfRLOatxXRsURCRvhDZDPB9CB3JDPuV5dFZMf8aN/
EHUgdI+f+q6/Os3QDKPd+gLxCI/AFFbeEZxP9GIX+8gbBmIbTrZf9vLeErHfDDjRCSlhDOB5AF0L
RsMveMLw/CXn+5Uv/GgvnZffF8f/HxTMbxPfN3jbwHnRv1IhoHYgZ/3XX0blP53gRBvH//oZYftz
IQLGoW/q35fb71WE7RPZDxD/BA4kWNDgQYQJFS5k2NDhQ4gRJU5E2IziRYwZNRYEsNHjx397QI4k
WdLkSZQpVa5k2ZGlym0vZaLEl7HLTIP2dO7k2dPnT6BBhQ4lWtToUaRJlQoFsNTpU6hRpU49GoLq
VaxDcW7l2tWgy4zWvI4lW9bsWbQp87VM29btW7hx5ZoFa9LbXLx59e4dqY6vwLp2/w5+2SajDsKJ
FSesQfLuYsiRE2alXNnyTjKXNU/1ttnzZ9ChRUsmXdr06b1Uz4lm3dr1a9iiI8Wm/43V4znUuXW/
jRRp90UrK2sPJ17ceFKVvkna+j3w+HPo0aUXnz19OkadTXlq38l9uHfr4aWDL8qyd/O0TdXbW9+e
/fbu8YOCB1C/PlL6Ru3f90n+qH+m+MMPPgDn4+4+/wo0UECn1iNKO5mUQ++jqOzrTkAL4ctOPqDy
W0pBpoYCMasRf/KuxP4ORLGoFR98z8XWqhNvxhDds/HF+NzLTjsLGfSQR/6CZA/BHXnE8cghgwRy
Q/UytFHJInsCEkMGOXxPRyVPvHLL/ZjMMEktU5xyShzbWxLMHWlU8zgPrcxxyxcdRLLLNI80Uk48
h5TSyTfj1LPMP/OEU8oNmQywy/8mC5XzzRsNPRBQNwF99FFHCZ10TUyH2sYo7J5qlE4jNdwu1CId
vLNPUQuFE1EOBR1TVfkunY/AMvnU8NRLZbWzP1RDzfXCPCHESIoJB4PqU17bvBDWMLlE1U1Zm9VV
V2hVXXRXRiMNE9dsDYV1zl7DNdVbODWS4lxii8WrQit7FBJYIuPM8sp4bR21x1ijVPFdesn8MklI
7d11UXebrfRgeatEE2BJsxwXYEqbAglddePKFLYWL04q481KOrfii3pZSOM1OSb50JNTVnlllkVb
Iih+VDZFOhhatg3kR0qyCGSIeEEpMJ7b+iVooiPzuWikGYqFJS4aiqcgxJJG72j/qatuyGasseYl
66ky6ekIrpeyeuyPSDmIarLTdi5stmf0+qetncKn7awIoXs4RO7Wm6e495bODL/9piXwyvom/HCo
UHpG7YaKYPzx35zaA3HKK7f8cswz13xzzjv3/PPPGjK7JCYgN72sb05S4KV+Tnf9ddj/CrsP0Gu3
/bXYcz+NjpNcqbgOiAI3+Xbii6/83+cuMf5iOZbnia9NINpP94zEkckX6rP/yD7tFcqj++xbRt55
0EQh/3w2h0d//efoYP99+D2VjpT4ue4E8zD0Vt/zTjP9ZxzwnQ5o2uucPMJTCcpMon6pYl+niEGM
nTzwgTyRYAQpaA8JTtCCOoEg/wcxmEEMWjCDHdwJQsgQwLQNsGKt8AoHSfhCD8aQhCGM4QVrCMEZ
erCDOXweCn34Q4TQcIci7AkObUjDIobQiEgkIhNjCER13QGKD4nKED+owRwu8YY/MeISQbjBK8Jw
gXu7QxnH6BNUXOaLMMwiE8WYxC7WsIk8PCPdyniHOopmhlq0ohCPSMc49nGOPqFjHlNmRkPq8YJf
dOEeKwjGJN4QhGxcI08mkEhMLs8fmeRkJz35See5D3TiAKV4OFHHIWhuItYznROcAJkzTFGWBmGl
61w5S1xGppavu2UufcmXXcaul7qpj9TS8UtcvhI1xcyLG5AJEqzgopTfGZHCpv+pMbIo85kgYaZC
urlNcIZTegz5pjjDubjIMKc55SyJCkuyNNeJZSYGcF0CrMbOk3DPnC/BmiwSWLz9Hcua1yxKBAh6
UIQmVKELHU7/XBPQ5UG0bRKlTNUohSRC3WugHcrog+jUUaVkTKQsokyLSHWxk3K0MsoiykjcKZeL
Koil/2mQiDpn0pWtiKJZ2d5L5eIsFenLYH5imJDwVVRswatORl3Yk870rybRR6oNexefpuonUEVp
VUsi08LupVV3lWpZTYXWvvTkqlN9i0qv+pWZ1uqdgoCCIj5lCbuwRC6pUolZCAtWXkn1sEQ1DK/k
ehZIBxUswd5qqd2il6UGe9H/pAIWUoMdlGPztSpvXetZ02rsYSdrM+x8ylYz5ReafCUpXonKVEdF
raLECi6MIg+xfI2tk/7q2RPVq7VJbW1aExaw2hLMtWwlrL5Ui1rOQrZqQP1WZWu711bhNrXRPWlM
J6tZaSmWVo/dbVmtJd3hche63z1ttID7I2yldVuwFS53k5uv0kgFsgVjFqt+CzH8InVPrPVVvMjq
JX/5iGHAyqh9t5pS4/arv9Vlqn7nNC+iRtWs1hUTWD/LXxNBGFT44ux/WebQve00pKAR8WU4VmIT
1VS+L4pvRF+D4lmFZ6SbUd/+xscybTBUx5+bx2em8BMQ71ihb7kByAaEMZXS//ShmIIxjdCSriIT
hsQ2NXGS9UNSEl0ZKzW2GYLFc4PoxKI8Fznyi62M5dagqMkf6jJS0HKDKOOFEBChAUMCBeAFV+qj
H93Ta736Wn49FaxW/RKf/3RnHdkJQWdqal4RXWj1Vldeg77tahkN6PvuGVer1apOzhJnxRxLUZVO
7Gwxul3PUje8WN1togXl2hyVt6P5Me9lXY1VWo9q1a2+82XJS+rM9npca44KmC23YfLyusMVXjZV
I02k9zZ7w66KrbX8K2Ht3trA+bV2VcXVLqiG67EYVnBza2NslWHkqr8Sb6rXK+3CPqzd2m6XYiN2
aslSy9bg/W5lITvvC6eYsv/8Pm9qJeaRMVAE1EXLL7YzLe6sfjVisrXtfOvlMMoauuLXrXCmN75v
tBLMv4qOaqe3/XFME9irrD0wUl/glYUzpAoEeUCLz7xiYsuvzGzWOd10WpndFCI1MZbvRr+jH6PD
KKRJF5+SebrPnAi5eCSZwhRyqZM5SP2TfOCDVH6sdcNiDkRMTyTXPZcI4ziEhV/ZtohurJmc+1rg
PUdyiG6u6zoRvaX/4DrU+flZu7PNy5HC2vD0SpW++/3v+woqAykdKEinfGBVwrBoAX1rAkO6r25l
/H79jOmuQkmoAy43rTjN6qJWSfETWXGyeet632rp3rkG6aQEDV7fwtrf3x7/OK+pe1vMrteyA3PW
pHdvbrCv9PcCnnWEA3bt4qY0uzGt/K51317nw7v3y74Ty//96uzblrD/Tr5lrAugNuW7T9ROf6q4
f1xZa/f4yBW36yPL8fnzFvzxHyv2B1/+pPCAuZs48pg2WHM4biO/kvsq0wI39tMWlUu9RcM8jQs0
jaovArSwcJuvAtOt0MMQtskMhDox44i76do5pQNAkgkyGtuYEhSNt0tBKluTsQAHsvCd1cvBl3Ac
HTQJFdQfE/xBnyCLH+hBrsAnjIAEI+SKhNsKNriI1cmlFZAIJIyMWEIhISy8IMzCoFhCwpgE6aEr
L2yhTtoBsdtCLtSKexJD/+qpQvDBBYUAgjHMiP1gw7cIAbqwwzkcC9sxNOJ5BbJLQ9D4OnuAHX1y
HT0Ep0vgi9rpMUF8RDXMQVbYQ0o8DWM4nRmoRCMjH2yAREjUxIzAgQA6JlAsRYzIhI9IhIdIBVNs
RVdcCRx8i1pYjNeYAU+8xYuRDE+4iAJImpoYiEFojlLAiEn8i3KgiCn8iNJ5RWb8i8ZoRmiMRok4
n03BxfhZAGvUDD8IDfPJRmwiM29MvuUKR3KcinBYGRYsxyEDH3LYiXbUiXYkB3mUR3t4x3qsx3m0
R3x8x3zkCX20R3p0x3n0x4EkSID0x30MSHgESIZsSIEsyIUcyH8USHdEyP+egMiJzMd/ZMh9vMeK
fEiQhEeLjEh97EiR/EiCDEmD9MiTbEmHbEmWvEeFpEeNvMcAOkiRLEmZhMmL5EmUZMmZBAqcBMqF
rEidLEqkxEl+9MmRnEikxMefJEqozEmh5EiPdEqUVMqhlEqpxEqKPEmd5MetVMqP9Mp45MiSbMdx
fIp43MmYpMq3tMijjMmlvEqhRMi0dMu2/Im27MuerMu5dEm5BEu7jEq/dEuf8EvAHEnCxMvChMm9
NErGLMy6HMzKJMq8NMudPMyoXB/FJMmmhMisVEiSDMjKFE26fMu97EvU/MzMnEnUdMmapEy45MnV
lMnW3MzGtE3eXErNzMz/yQRM0izL2oRL4PxJ10xIpkQc7PjMuLzNu+xJ5ARN6YRM1QTKyJRO3/xL
ruTL6VRO7AzO8JzLxXzM67xOq7TO47TNgsxO4nxK4+TO6VzMvAwg3bzM+IxOxsxI8cxK/0xN8mxM
sjTPxJxPxzTM9yzOwaRNBBXM1PzPrtzPAw1L6zzQCDVQuzxK++TKmjzI2YxI8MTQnGxNEh3LhPRK
7BzKs4xNE+XPzsRIvOxHBJVIGqVJ2DTRh0zLG13R7IzMjezRAl1J6pTR15TIQpQadUxSy0lHJSWo
tWxSKIXB8YhSKp0KNBxCcmKnKv2ccMIPAenQGBVL0mxPFj3KfgRTyUzT/xEFUuoEUaw80x1NT+VE
09IEUBkd0hvN0RNNyaJ0SjgVzQ+F0RcNSsEMTNYIxKw4htaYiAzBUfxc0KoM0urMSA8dUEINTLFM
UAHly608z6a00El9zE4lT7QE1ReV1MvMy9300CPtCjccGwfd1OjEVN5EVcfczvK8TUPdTsR8Twol
UFX9VDUN1dP0yQB1TgU11uosThTFVbt01UREGtkkUpUczV8NyzHF0MOETmc1SV/tVRBt09M0zfZE
1Q7NzTWFVD291V4V08nc0/V8UOLc1ladCZfADXWRCkeVVGU1SFqNVcSkya8cV3ldVfcM2MRkUU+F
UHBdVzb91SDl1Vp9zv9lbdf+dE5DNTHvOIfVKJ59rViILVhhBVBQLc9V1U51ZdDvHFb9dFF+FdUG
jVhmDdWKvdCJZdWDJTEA4di76ZQWtdHhrNFgpUtA9Vf1DFN5vdOOfFMjXVOBNUoybdqRxc2i/VSM
FNpmxdNsrVlv/dOXhFC1XIlX/QeOxVe8GAWZ2FL+UYm6SJ2F4Ni0UdvOgYuyNQ25RRxR8hue7QlF
vVshhAPE2VusqIJFBUe/nRGrgdugUdGv3FPQNEug3Vo3hdoy5df0ZNxO7dr9PNOS9dY5JVGGDVc9
DdQdrdPYnMqwPY154BmikIGgYFz4FNmsPdUFfVQ+ldCnxNx+vcrMbdH/Cb3Z221Y2F3WAQVX/JRY
b0wIaLAzZE1V2p1YirXMztTUBy1Weg1Z3Yxekk3T461dlo3XqUVYVR1fm5RGgoiK5q3Q5/xQ9W3Q
MVVY1ZxN69VLM5XPg21IqaVaIfXT9u3Nlv3LqHXXhM3ZW2zO7A3R7uxfFD1PH31ddAVLGL3el/VR
iHXZA+5cBMZeAh5VzJRP70xd8/0H9M3eN+1P6NVgWbVcCeVfetVe56XZmX3UBk5a7wTYlZ3flO1M
QbBGn2XYUc3fHx1UoMVMpdXMYR3e3iXU3fXTcnVacQ3fag1RHcVf0zXMpQzhtTlcLfYfw93i6xgL
Ddim5S0NXyhj3VEE/yyuROxJY4nYhYhIgxz04uewBRozGRWQ46IgAQDUAuMogkNBVDwO5DwOigRo
EECeJo1wWzZeZMgQZEeGjpkwA02M1pTggB6MA0aWCCrI5JFQAU5OCSIgC0qYCGr4ZFM+ZVRO5aTp
AKJ5hJy5CEpW5YMIBVkeCVeG5ZF4ZKDQBS125UfgOaqoZWH+iFuOiFgeZmQ2iWJ+iGMuCF2GivyJ
0l9GQZUxw2e+RYhC5kZI5iOcCXiACF14iByAjCPgZomQpwlp5mtuG09Qk1K4HIHAQ3Oe57wIAXlm
CSig55foBLlYY8bpCXvOQvrRulXIpIAeo0JaZ85JCHvWZ0alZH0YG/+hm4g6szmgOGij+ISmc8Hj
uVJIrIWjaIiG5plmJg0bbIiSduioKwqM9pstdAOFNp6W1h+gaAXOeZuYBg2rEJ6c3psBKFxELMUJ
mAlMKBreSQk1UYWezsJG8AlC4GUsRQ8HeIlhYOSqxgl6SpqlziNo2GqvRqiZOAWVHuurlol5WN2x
9ogSGGbNOOuzzhp4+OqrKAHCYQm3Tmu8zmu9zoup3mvXkZA9hEO04AOWeBqcIGwshoB7TuNXNgvD
FogN+I2K9uu8iMIJiYfHNkJLkKVXOAmNYQDxiIfzCYVHbghg6J7MpmxOPiG5SG2pIQDVzmI14YGn
aIHXEG25VqW2QAdX1MDs2IYLQ0ANUSAb19YeJfzthpjsiYgaU74H546depgQNYGCcnRu56aRDLAH
KqiMl6ERdwgN5P4I676HrdCGV9zqLIiK8W5SRxiOKkCH3L4HbxTA1ggIADs=
------=_NextPart_000_000A_01C703EE.DD7105A0--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA8MkGZA011412; Wed, 8 Nov 2006 15:46:16 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA8MkGGY011411; Wed, 8 Nov 2006 15:46:16 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx1.ttu.edu (echion.net.ttu.edu [129.118.1.173]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA8MkDCT011401 for <ietf-pkix@imc.org>; Wed, 8 Nov 2006 15:46:15 -0700 (MST) (envelope-from alan.sill@ttu.edu)
Received: from smtp.ttu.edu ([129.118.1.167]) by mx1.ttu.edu with Microsoft SMTPSVC(6.0.3790.1830); Wed, 8 Nov 2006 16:46:03 -0600
Received: from [129.118.55.99] ([129.118.55.99]) by smtp.ttu.edu over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Wed, 8 Nov 2006 16:46:03 -0600
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <4D61888F-1C88-45EC-B32A-C731044C99FD@ttu.edu>
Cc: pkix <ietf-pkix@imc.org>
Content-Transfer-Encoding: 7bit
From: Alan Sill <Alan.Sill@ttu.edu>
Subject: List invitation: OGSA-AuthN-BoF for grid services authentication issues
Date: Wed, 8 Nov 2006 16:46:13 -0600
To: security-wg@teragrid.org, security-area@ogf.org
X-Mailer: Apple Mail (2.752.2)
X-OriginalArrivalTime: 08 Nov 2006 22:46:03.0247 (UTC) FILETIME=[AB4877F0:01C70387]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is the last in a series of messages intended to announce a
requested Birds-of-a-Feather session (BoF) at the Open Grid Forum
OGF-19 meeting for discussion of Open Grid Services Architecture
Authentication topics and activities. The list and its associated
BoF are intended to carry out the steps for formation of an OGSA-
AuthN work group. This message is being sent out widely to call your
attention to the existence of a mailing list specific to this purpose.
You may subscribe to the ogsa-authn-bof@ogf.org mailing list by
sending a message to me or to David Groep <davidg@nikhef.nl> , or by
visiting the following page:
http://www.ogf.org/mailman/listinfo/ogsa-authn-bof
Your participation is appreciated. This announcement will be sent to
several relevant lists and people to extend the invitation as broadly
as possible, but subsequent communication about the BoF will proceed
through the above list. Subscription to the above list will be your
method to ensure involvement in this process.
Best,
Alan Sill, Ph.D
TIGRE Senior Scientist
High Performance Computing Center
TTU
====================================================================
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: Alan.Sill@ttu.edu ph. 806-742-4350 fax 806-742-4358 :
====================================================================
--
ogsa-authz-wg mailing list
ogsa-authz-wg@ogf.org
http://www.ogf.org/mailman/listinfo/ogsa-authz-wg
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA8J2vIp089452; Wed, 8 Nov 2006 12:02:57 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA8J2v1D089451; Wed, 8 Nov 2006 12:02:57 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA8J2u6V089444 for <ietf-pkix@imc.org>; Wed, 8 Nov 2006 12:02:56 -0700 (MST) (envelope-from david.cooper@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id kA8J1ToO013654; Wed, 8 Nov 2006 14:01:30 -0500
Received: from [129.6.222.26] ([129.6.222.26]) by postmark.nist.gov (8.13.7/8.13.7) with ESMTP id kA8J1CGj017377; Wed, 8 Nov 2006 14:01:13 -0500 (EST)
Message-ID: <45522978.4060302@nist.gov>
Date: Wed, 08 Nov 2006 11:01:12 -0800
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Thunderbird 1.5.0.7 (Macintosh/20060909)
MIME-Version: 1.0
To: =?GB2312?B?1dQgw/Q=?= <qzzm@hotmail.com>
CC: pkix <ietf-pkix@imc.org>
Subject: Re: The definition of OtherName in 3280bis differs with X.509?
Content-Type: text/html; charset=gb2312
Content-Transfer-Encoding: 8bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
I do not understand ASN.1 well enough to answer the question below, but
someone else on the PKIX mail list may be able to respond.<br>
<br>
I can say, however, that the ASN.1 for OtherName in 3280bis is the same
as the ASN.1 for OtherName in RFC 2459 (January 1999) and RFC 3280
(April 2002), so if it in an error it is a very old error.<br>
<br>
Dave<br>
<br>
<br>
-------- Original Message --------
<table class="moz-email-headers-table" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<th align="right" nowrap="nowrap" valign="baseline">Subject: </th>
<td>The difinition of OtherName in 3280bis differs with X.509?</td>
</tr>
<tr>
<th align="right" nowrap="nowrap" valign="baseline">Date: </th>
<td>Wed, 08 Nov 2006 14:23:38 +0800</td>
</tr>
<tr>
<th align="right" nowrap="nowrap" valign="baseline">From: </th>
<td>ÕÔ Ãô <a class="moz-txt-link-rfc2396E" href="mailto:qzzm@hotmail.com"><qzzm@hotmail.com></a></td>
</tr>
<tr>
<th align="right" nowrap="nowrap" valign="baseline">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:david.cooper@nist.gov">david.cooper@nist.gov</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<pre>Hello David:
In rfc3280bis,Setion 4.2.1.6:
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
Setion A.2
-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
AnotherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
But in X.509(2005),Setion 4.2.1.6:
GeneralName ::= CHOICE {
otherName [0] INSTANCE OF OTHER-NAME,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
OTHER-NAME ::= TYPE-IDENTIFIER
In X.681(2002),Annex A:
A.2 The TYPE-IDENTIFIER information object class is defined as:
TYPE-IDENTIFIER ::= CLASS
{
&id OBJECT IDENTIFIER UNIQUE,
&Type
}
WITH SYNTAX {&Type IDENTIFIED BY &id}
X.681(2002),Annex C The instance-of type:
C.7 The associated sequence type shall be:
SEQUENCE
{
type-id <DefinedObjectClass>.&id,
value [0] <DefinedObjectClass>.&Type
}
where "<DefinedObjectClass>" is replaced by the particular
"DefinedObjectClass" used in the "InstanceOfType" notation.
So,INSTANCE OF OTHER-NAME associated sequence type shall be:
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
But,this is associated sequence type,not the encoding rules.The definition
of BER/DER is in X690.
In X690(2002),Setion 8.16 Encoding of an instance-of value
8.16.1 The encoding of the instance-of type shall be the BER encoding of
the following
sequence type with the value as specified in 8.16.2:
[UNIVERSAL 8] IMPLICIT SEQUENCE
{
type-id <DefinedObjectClass>.&id,
value [0] EXPLICIT <DefinedObjectClass>.&Type
}
where "<DefinedObjectClass>" is replaced by the particular
"DefinedObjectClass" used in the
"InstanceOfType" notation.
So,I think the definition of OtherName in the '88 ASN.1 syntax should
be:
OtherName ::= [UNIVERSAL 8] IMPLICIT SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
Because the tag of otherName is IMPLICIT,the encode value of GeneralName
in rfc3280bis is identical of X.509.
zhaomin
</pre>
</body>
</html>
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA81AS9J083155; Tue, 7 Nov 2006 18:10:28 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA81ASGl083154; Tue, 7 Nov 2006 18:10:28 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com [213.199.128.139]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA81AQBQ083129 for <ietf-pkix@imc.org>; Tue, 7 Nov 2006 18:10:27 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from EUR-MSG-11.europe.corp.microsoft.com ([65.53.193.197]) by mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 8 Nov 2006 01:10:20 +0000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Wanted - presentations for the PKIX meeting
Date: Wed, 8 Nov 2006 01:10:20 -0000
Message-ID: <BF9309599A71984CAC5BAC5ECA6299440659B68C@EUR-MSG-11.europe.corp.microsoft.com>
In-Reply-To: <p06230901c176ab291249@[128.89.89.106]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Wanted - presentations for the PKIX meeting
Thread-Index: AccCvhN8mWWLaBuTQZqzvOYVo05fjQAFA3pQ
References: <p06230901c176ab291249@[128.89.89.106]>
From: "Stefan Santesson" <stefans@microsoft.com>
To: <ietf-pkix@imc.org>
X-OriginalArrivalTime: 08 Nov 2006 01:10:20.0256 (UTC) FILETIME=[A8D97600:01C702D2]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA81ARBQ083149
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
All of you that are listed to hold presentations during the PKIX
meeting:
http://www3.ietf.org/proceedings/06nov/agenda/pkix.txt
Please provide me with presentation material prior to the meeting so I
can post it on the materials page:
https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=67
Thank you.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7LWCYm064538; Tue, 7 Nov 2006 14:32:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7LWCSF064537; Tue, 7 Nov 2006 14:32:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mx11.bbn.com (mx11.bbn.com [128.33.0.80]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7LWAjW064531 for <ietf-pkix@imc.org>; Tue, 7 Nov 2006 14:32:11 -0700 (MST) (envelope-from kent@bbn.com)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[130.129.67.141]) by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1GhYY8-000451-6E for ietf-pkix@imc.org; Tue, 07 Nov 2006 16:32:05 -0500
Mime-Version: 1.0
Message-Id: <p06230901c176ab291249@[128.89.89.106]>
Date: Tue, 7 Nov 2006 16:32:00 -0500
To: ietf-pkix@imc.org
From: Stephen Kent <kent@bbn.com>
Subject: close of last call for 3280bis
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
We are long past the two-week WG last call time frame for 3280bis.
The list is essentially quiet re the document.
Hence I am declaring WG last call closed.
The authors should run I-D nits on the latest rev of this document in
preparation for submissioon to the IESG.
Thanks,
Steve
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7HfgGl042367; Tue, 7 Nov 2006 10:41:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7HfgOs042366; Tue, 7 Nov 2006 10:41:42 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7HfeLv042359 for <ietf-pkix@imc.org>; Tue, 7 Nov 2006 10:41:41 -0700 (MST) (envelope-from tim.polk@nist.gov)
Received: from real2.localdomain ([192.168.2.11]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id kA7HfXqa022752 for <ietf-pkix@imc.org>; Tue, 7 Nov 2006 12:41:33 -0500
Received: from real2.localdomain (real2.localdomain [127.0.0.1]) by real2.localdomain (8.12.8/8.12.8) with ESMTP id kA7HfXHR020239 for <ietf-pkix@imc.org>; Tue, 7 Nov 2006 12:41:33 -0500
Received: (from apache@localhost) by real2.localdomain (8.12.8/8.12.8/Submit) id kA7HfXuQ020236 for ietf-pkix@imc.org; Tue, 7 Nov 2006 12:41:33 -0500
Received: from 129.6.222.204 ([129.6.222.204]) by webmail.nist.gov (IMP) with HTTP for <wpolk@localhost>; Tue, 7 Nov 2006 12:41:33 -0500
Message-ID: <1162921293.4550c54d2b456@webmail.nist.gov>
Date: Tue, 7 Nov 2006 12:41:33 -0500
From: tim.polk@nist.gov
To: ietf-pkix@imc.org
Subject: Quick Survey on Algorithm OIDs in subject public key info
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.1
X-Originating-IP: 129.6.222.204
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: tim.polk@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Folks,
I would like to conduct a *very* quick and dirty survey of CA and PKI client
implementations. I need to determine which algorithm OIDs are currently or
soon to be supported in real implementations. The ECC Design team is converging
on a proposal, but we need to determine whether it is consistent with real
implementations.
If possible, I need this information before tomorrow's PKIX meeting! Rather
than clog up the list, please send email to me directly. I will summarize the
results.
Here's what I need: please identify the implementation, including whether it is
a client or CA. If the information applies to an upcoming release, please give
me a projected release date (quarter or year is fine).
For CAs:
Can your implementation assert the following Algorithm OIDs and the associated
parameters in subject public key info of certificates?
-- from RFC 4055 --
id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }
id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 }
-- from RFC 3279 --
id-ecPublicKey OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) 10045 keyType(2) unrestricted(1)
}
-- from ANSI X9.62-2005/X9.63-2006 and ecc-pkalgs-03 --
id-ecPublicKeyRestricted OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) 10045 keyType(2) restricted(2)
}
If the CA supports id-ecPublicKeyRestricted, please summarize the types of
restrictions that can be imposed.
For clients:
Can your implementation process intermediate and end certificates containing the
following slgorithm OIDs and the associated parameters in subject public key
info field of certificates?
-- from RFC 4055 --
id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }
id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 }
-- from RFC 3279 --
id-ecPublicKey OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) 10045 keyType(2) unrestricted(1)
}
-- from ANSI X9.62-2005/X9.63-2006 and ecc-pkalgs-03 --
id-ecPublicKeyRestricted OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) 10045 keyType(2) restricted(2)
}
If the client supports id-ecPublicKeyRestricted, please summarize the types of
restrictions that can be recognized and enforced.
Thanks!
Tim Polk
Received: from BSN-61-100-153.dial-up.dsl.siol.net (BSN-61-100-153.dial-up.dsl.siol.net [86.61.100.153]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA77Nq2L046175 for <ietf-pkix-archive@imc.org>; Tue, 7 Nov 2006 00:23:56 -0700 (MST) (envelope-from nhdpbvuj@siol.net)
Message-ID: <000c01c7023d$ace2e500$99643d56@breda>
From: "UK" <nhdpbvuj@siol.net>
To: ietf-pkix-archive@imc.org
Subject: DVD Authoring Capture
Date: Tue, 7 Nov 2006 08:23:52 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0008_01C70246.0EA74D00"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0008_01C70246.0EA74D00
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0009_01C70246.0EA74D00"
------=_NextPart_001_0009_01C70246.0EA74D00
Content-Type: text/plain;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
Click here in Supports virtually all formats?
Devices including Sony. Downloads Support Affiliates.
Projects just or recompile them get.
Limits or text message video learn a about Copy buy presents.
Audio Converter or Recorder cd Grabber Creator Music in Disc dvd. Buy is =
presents in project ultimate deal is.
Affiliates Press Room in Contact us is. Cdrrw of Dvdr Dvdrw Dvdram Layer =
is using flexible convenient.
File mix clips trim. Dvdr Dvdrw Dvdram Layer using flexible convenient =
menu.
Special Offers Animated Tutorials Help of Audio. Other portable players =
of Create wide range.
Dvr Creative zen Vision phones a capable playback more.
Mp inc wmv a! Converter Recorder a cd Grabber in Creator. For home =
editing. Videos exciting Dvds no Time.
Dvr Creative zen Vision phones a capable playback more.
Click here Supports. Music Disc dvd.
Get rid in what can do is.
With effects upload your handheld Very handy of.
Introduces advanced timeline storyboard be surprised by of is =
Evaluation!
No Time limits is feature? Devices including Sony.
Faq is how to is Special Offers.
Organize or present photos digital show Apply insert or tracks it.
Them of get rid what of can do Direct ipod. Organize or present photos =
digital show Apply insert or tracks it.
Ultimate deal products price or today money Each day.
------=_NextPart_001_0009_01C70246.0EA74D00
Content-Type: text/html;
charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"Enhance" hspace=3D0=20
src=3D"cid:000701c7023d$ace2e500$99643d56@breda" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV align=3Dleft><FONT face=3DArial size=3D2>Click here in Supports =
virtually all=20
formats?<BR>Devices including Sony. Downloads Support =
Affiliates.<BR>Projects=20
just or recompile them get.<BR>Limits or text message video learn a =
about Copy=20
buy presents.<BR>Audio Converter or Recorder cd Grabber Creator Music in =
Disc=20
dvd. Buy is presents in project ultimate deal is.<BR>Affiliates Press =
Room in=20
Contact us is. Cdrrw of Dvdr Dvdrw Dvdram Layer is using flexible=20
convenient.<BR>File mix clips trim. Dvdr Dvdrw Dvdram Layer using =
flexible=20
convenient menu.<BR>Special Offers Animated Tutorials Help of Audio. =
Other=20
portable players of Create wide range.<BR>Dvr Creative zen Vision phones =
a=20
capable playback more.<BR>Mp inc wmv a! Converter Recorder a cd Grabber =
in=20
Creator. For home editing. Videos exciting Dvds no Time.<BR>Dvr Creative =
zen=20
Vision phones a capable playback more.<BR>Click here Supports. Music =
Disc=20
dvd.<BR>Get rid in what can do is.<BR>With effects upload your handheld =
Very=20
handy of.<BR>Introduces advanced timeline storyboard be surprised by of =
is=20
Evaluation!<BR>No Time limits is feature? Devices including Sony.<BR>Faq =
is how=20
to is Special Offers.<BR>Organize or present photos digital show Apply =
insert or=20
tracks it.<BR>Them of get rid what of can do Direct ipod. Organize or =
present=20
photos digital show Apply insert or tracks it.<BR>Ultimate deal products =
price=20
or today money Each day.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0009_01C70246.0EA74D00--
------=_NextPart_000_0008_01C70246.0EA74D00
Content-Type: image/gif;
name="language.gif"
Content-Transfer-Encoding: base64
Content-ID: <000701c7023d$ace2e500$99643d56@breda>
R0lGODlh9AGIAYf/AAoDBIIDAAByDoSHCAAAenEAdgpxib7NwMrgzq/B+0QXAFwWDokrCakaALMe
ANYUAAs2AxtACzQ8BVI9AIlGAKxDBrNOANcxBwRfACVdADZRAllYAIhSAK1hBLZiANtUAgB3AC2E
AEiOAGh9AXmKAJaDDM2DAOJ7AAWVCi2lADiiDmahAIakAJKcC86YDN+TAATKABe3ADzJAFLFAI7L
BpfJAMbLAOKyCgjdCRLmDTvgCVLVDonVAJ7lAsrnCOzUAwAAPy0DSTgEMWcHP44CSaAFSMcAM+EJ
PgopOyIbNEEpRmctNXMZPJcgM70UQNYiPABDQxs2SkI8TF9ON4ZJR6Y8NMI3ROwyQwFaOiVRNz1Z
NVtkSIRqAJxrNr1XQexuNQCGNhyDRUp6PVOHM4WARZd1Ts6NNdVxSAmXMhqYSTWpTFKqQn+gPpaZ
TMqbQ+CXMwbMNyvAQUC9QmS3O429RJuySM69Md3FPgDuQSTeNELlRWfVN4nnOqHVO7LZPtXgNwAM
fRMAfDsJhlgEeYMHiKQAec4Ae+AAhgAtfxgYjTwnhmUWfYodfZoggMcmedwfhABFdydDgztLimk5
gYI6fJo4gsdLhOJMegVZeiBWgExTeFpmf3hpdZ9hcrRhfNdajgB9iyVxikuGeWiDfIxzipp6i8OC
du14eQCkeiqYdD+rc1eigYWaf6aWdMeYheKkgwi5fSq+ikO8eVe4c4CxiquzebvLgdOxigDThBTc
czrTeGbtiHzZeZvhd83Ud9/qiwAAyigJtkgAwFgAs4QAu6gGwrsBv9QAtgAruysTwEIhwWgVy4ko
tZMizMAgyuIqwwRFsys9uDM0x1U2wYFGxKE9tcZBs+1EugBZwChRtz9dzW5RtnNhxK1kybJbx9Nb
uwCFtid7y0lytlV4v4txwqpyxbd/w+t+xwWauyWguT6bvVGktIOkuamTtcmay+OtwAa7tiC6tkyx
uG65sn67u6rHsf7/4Z+np4CHc/QAAAD/AP//AQQA//8E/w3z////8CH5BADmzlsALAAAAAD0AYgB
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPqTNinZ8+dQIMKDfmvqNGjSJMqXcq0qdOnUKNKnUq1qtWrUn1q7YO1q9evYMOK
HUu2rNmzaNOqXctWqda2cOPKnUu3rt27ePPq3cu3r1+1QwMLHky4sGGTfxMrXsy4sePHkCNLnky5
suXLUy9i3swZ8OHPL7Od7Ey6tOnTqPFqTs26tVLQsGMrdE27tu3bkWng3s27t+/Nq//lGz7cKHHi
SI8XP7rcqfLmxo8rVV70ufToyKdTFw69+vLszL9b//eeL3l57M2tn2f6PCl47tffcw//frlsmKvu
0yQfvz36+us1pR591/1XnHrp+WdefwGS5+CC/DEYYILbDcjeePQRKB50FBZon34gwvZVfd5hF52J
JT7F4YYowsecee5xeCGBNMI3YXbdoRfeg9WlCJV8Dco3n44numhckb8laVmOPg7ppJNMxggjkOI5
1+CTVu444ZAHvlildlCeF2WUYApYXncrhtkkjEq2OdmYNyKppopBnnkll3fuyOaPcVbpp5h2rnli
goIWWqaZWKZJKJZ6uunoY0JSiCR4ZDbqIpOSLoVppXJ+1yOenwIaIY6ihnmlhVJmiWacoPJo6aOw
lv8V3HY2Akgro9r5t6mGqcYopKUblhpsihZ+uSKlGPZq46SsEltqhHqGKO1hZJEaaYFyXojtrr7u
qSmZafr45ZxwDnonqVEdu96iTRK66bp5xipvX8bWuSanhnKrLK7eesvuuIuWW6LA+AraIYCNHpgn
u/M27BfAzYabZa4QHmroq8Au/CybAvP37cUVF4lgpzd2fJYHDqcsVcni/svwjN/Cu26GGLP8cbYi
a5xvyWLSXLCr47acsactqmz0VZole2y7wWKLs4bqXuur0wbubHWt6PqsIKq5VmivrnUCeuuH05Yd
GFhjh52owgpivGCOtz4dN9RXE4zhqjJH/SuvhRb/qza0bh8t+OCEF2744YgnrjiswS3u+FJmRy75
45S/Jvnl0lauucOYp7T556B/3njopPfW+VClp2766UGp7vptrCeUxExGCWC77bXfjvtRuu+e+1O9
C8C77sD7XlTwwifVO1LGHy888rcrBX3zyzcVPPPIY5+88sQ7z/1S0Q/v/PXUb+/999iPv/z1w3f/
T/PvPz99+8bvHjtQ6oeffe7Vn299//tjSvj417/81c983pseAg3ovvgVkHsFhJ72pMc++MFPfeJz
4PoQWD4Kok+C7GNg8iwoPwky8Hf/+Mgn7rcRB/LOfwP0XQwXCD7zDfB9Trlh/DI4Pv6hkIf+Kx4F
/7enQx7OMIcktGEQl0jADF5whz5kIhN390QoRrF2U+TgAm9IxOSxUCdWTN8PD/hDJAJRiGQcY/lG
uEUtSiWJE/SgGv8XxiJmsYZWpCIN83hEOTpxj2EM5BkDSUIBevGLOBFkEGVowy5GJY2PlB8QGynH
Qg7SkOgTYyb5SEdIblKKO2QkKGXIST+isIqe/CQh24jJFCISJGApIiMd2UNQftKOHjxgAxWpx1sC
UpUXfOIsCdhA3KWSfiEUYy812D1S4nCU82NmH20pzV0G85qpCw4AkxlARZoyf3SEYQCxKcgORlKV
3uymCUvpzWricpl6DCEVEwhIBYqwjLpk4zqhyf/FQ76yJhAEp/YsKcQa1pOWdVymMll5STxqsqEP
bKcobUlQTRqTjZjsJSoZutFJ6o+hZRwiCv/5kbLA042rPGcrh+g+c5Kzou0EJg2FidGGVjOkg6Tp
7xT6PY0e9IM/xSlPl1jFOZbuICl4SCURys6Y2jSdJnTpGu/41IfW8ooWpSRLq/dOkD60mT9VYkcX
ulIX/tGXBUUKSQHayJqalY9MDefx2ufQU7b1ijO8a1UvmdeVTtOqw8RiOfeYT2r285eWHCtWh5pS
5tE1KWvdzzj1qst7DjSeuzwjZq2ZTHeis66XLWplPdvYEw4WtGbd52HlalfyRXB/ME1iMf0Z2Yz/
xHK2E5zqPg1IzLLutLMCDe03WXtZM9IVhDNt60QhqkV9vlavqIUicjnbT7RC0Jyvy652t7u6inD3
u6SprUzAS17MsBANOSmveikj3va6973wja891kvf+lpGvvjNr36FYt/++rcx+w2wgAdM4AIb+MAg
SapK/svgBjv4wRCOsIQnTOEKW/jCGM6whjfM4Q572L6N+LCIR0ziEpsYwgi+SBRWzOIVp/jFMD5w
i1kc4xrb+MY4zrGOd8zjHvv4x0AOskdOTOT/JsQdQk7yYESh5I4U+clYqS2Up1ze0VH5ypCDMZa3
zJQYc/nLao2sWD5AZqSQ+cwfSAqaywyVNRtl/81pPgqczRznpsAZzXQ+s53ZXBQ9vxnPcq7zn/vs
5j0DWs18JvShES3of8y5zYt2dKIlvRQ/B7rRhf4zphutaTrnOdGTJjRTFn3nOofaUY2ztKIzLelH
j/rRd740qTnN6FhrOtKeHvStVR1qNtu60q6+9Kdx3ephn9rYgp41sDnN62ArWynPXnWzcw3tTJda
117udKCFLWptVzvZ3S52uC19bGB/29uMVrS3yc3sOPNZ1dSGt7h1re48x7vc82Y3qGnd6mTre93T
/ra/AW7qTb863IjGtpjBUuZ935vaCa/2thH+bn6b297cljil663tXrt74BdHOKUdPvFBk1zkGf+v
d8MLbm5w+3rSfl45vT1dcY6r3OAaR/nGde6m4Mh85t32eMghXnN64zviJU+6sYEe9HZT3OInF3XU
n77zqpf71C/f+bF/znVaZ73oCS861lnOc6t7HeTZHjnIJy70ZSOd3QCfStshXmulNz3iFYd6wQ0+
dbP73eZ0v/vGt+7uPgs+11mvOts/rnOwX33tSWezlL/ieKcr/vKy3vusWX30wI/d0IEfvOV/LXB4
V/7tZO+3vO0u+sMjPuaMx3vsCS/4z49b73aHucUdd/rXIx30qq+15aMyd9Yr3fZtZ/Wyba/14Vd+
9aFPvNpDLvaz3x7zzW/9738+9OJjv02r+XX/8ofvlMTrXuSdz7319xz92C++7K6XNtiN7mrpD13X
Naf99TEvfe4/3P4z53/bh3MTN3ldUWrut39Md3DZR3/Gd3/zBni/F4HiNn4L6IC7BmjnJ3+wd4GA
14G3BoFNt2kJSGxm93IkuG34NnXp9yiasYH7lnoUKGfclnf0J4NPMXZ7l4PttoM2B4IzeINAZ39w
934SmHFFuGoi2Hw+eIL8FoNNKG/QZ4QeWBReBoOkd22vZm3+VoIoqHyhp3rpp4ORpoUn2H0A+IXR
5npTKIaQF4TYB4UBh27HJ4c6yINluH4x9nnBJn+QNofqpntpZoY5J3zE94TE5mwpOIFgqHZ5/yhx
gmhoG0iHFyiIk3iEimd6JtiGIWh8kqdlYBaKBhiKpFiKpniKqmERqIhlAnYNTWZj1PCK97GKtEg4
shg7TnCLKVaLvGg0uviLwBiMwjiMA9aLxtgwxJiMysgSx9iMjLOM0PhKEMBCzliN4BeN2JiNHGGN
3NiN3vhk2hiO4jiO5FiOAiYH5piO6riO7Dgt3/iO8BiP8jiP9OgV7XiP+JiP+riP/NiPP2YaCGEU
ASmP/ugQAHkQAomQBLmO9VgW/NAaDzliqwEAFAkAcmGRRoGRUaaQrmQQ/8APIPmQIQmSHzmSH3kU
EYmSKRmSScGSRTGSEWmSL0mSL4mSJZmSM/9JkjBpk0Yhkia5kj2JFDjpkjdJk0WpkjQpk0LJkkTZ
lEzRlE7ZkQU5Gxo5FxSZkfbIkQiBk0FZkzzplSrZlVwZk2BZlmBJlkGJlif5lUuZlkLZlWtZlkAJ
l3H5ljU5l3S5lmiplnapl3D5kOzoFVWZkVf5DxVpmBhZkRpZmIpZFIt5FBaZmI6ZmFdZmIiJlVfB
lWfZl3Xpl54plmY5lm85lJ6pmZp5l6g5micpmqH5l0/pll7Jl6UZm0ohmnh5mhl2EYNpmFgpmbz5
mL2JmZGJFJJZlcPJm7/pmMoplQSRkB5JlHEpk6TJkzFplD1plErpkrZpk1GJlKwpkkeJmuD/+ZWs
GZ1PqZ3diZ4riZ21OZrQCZhTuRC7+Zi+eZzIeZjAaZ/LeZmIeZzFeZhHMZDMORDkmZfTeZ1J2Zmr
mZfcqZpuiZcMepbj2aATupkFapYFCqGqCZQa2pq3OaAzgQIo0GPIiZnJeZ8l6p8pqpyDaZwoWp8l
upwCKqDm2Zp0SZqyuZevWaM4aqERWpcVKp6deaAHqqCbOZemOZufSZtMap43IaL7BRaN2Z/L+Z+W
iZ8mOp+QOZkqep+MiRVKGZ0/yZRM2aBymZZjap3vqZ1/SabvyZ3ZyaBjaZ1DuqZJGZXSCZuryaY5
iaBFuhciSmG7+RSDWmK4WRqHWheBijhW/yYVhcoUjyoWM8qRm5Oom5GSMQGl8bmpPTaiB9aQoBqq
ojqqpEqKnHqqqJqqDuEKqoo/pfqqsBqrKdOqtFqrtioRuRAbHnCrvNqrvvqrwNqcbDGpHtkVwXqs
jWoWxFoQWYmszhoRVxGpMQqi82WFlGoVz5qtSjWlUCGtg7mszXkI4noI/zCuRmGuRUGuzqmttSqY
VuGtX6Gu55qu9Fqu9SqrtdiivVmZlHmlXzqtUyGv9aquBHuv+CqRqgigJwqj9BmcyAmuBIqu6Fqu
4jqv68quGMuswomiL+qwJ3qxBGqtxUqv5CqvJWuxIpuxKisQW7qwVbqiDfuwWkmpJ2uvNv9bsCC7
suzKrSv6ogoLoL4JsQIxrjhrryZLsRWrs/1oCQlhFtJ6sFDbqE9bFUJbrRuptKcKtUmCC1rbtV7b
GVMrL2H7tZvBs/sppcRJnPipsC+7r5bZsvwZt/O5mHQLnCzKtnJrooRptx8Ls2dLtoqhm3pLFTQ6
pW8bo4PKt/bZogzLokrhr/tJmR5rnC6qpVUasw77mOVIBjfmro7rn4zJt5A6rfo6uJG7paLLsSqa
uMmpn63ruBvrt3D7ubCbuaYLuH0huHdbu6qbssI6mWkLmaFbuojbsy1bn8N5uMnbty6rnzBquvpa
nABrtxaJte1luB7bn996rW9bqC6apaj/i7dtW7ln27ioS5jFq72z+7eL67rGW73WCyKeC77fe7tL
sbh6W7/Gy7zB65uw+73Py7G167/7C77Fa7nBi7uoQbz9yqV/e78/+6VAq7zC+6+PG7pwS8EZfKXh
y8EGnBQ/28HUa78KPDhj2xQnHCspXMJwkaxUy71hscJuopHxO4pkQaNSUcMFRpFmw8IkZras4cJf
gcNRocP4VZH7pZgy/MA4XLfoS61G/E9ILGAPTBW7Wbhsq6JRHFmKiUho+8Sgi8H8ObXu26U+bBpL
nBoTCcJjbLvAicX9q5xbPMfVSrn4e7eVCVncO8K8Sce/+sUde7r1O7bLG7tnfGJrvLeI/zvBzyug
hjvBvrvFYXCrVhnDhyyKquioh9tlMPwUfhzFtUHErvHJsXHJpgwVFQEMVrsXaczJI2sbpCwiXSG+
dWG5rczGVRwVmxytmrzLpwxgFkHAdoHASHMQqavJlZzLYWY2JKC0nku3ikylVDq8ctuvdSu5l9nA
6qvMGQy8r8u+kYul2Ly2heylCYy/x/zLlhHCfRuz0hvI6Jy/gfyxwjy6DIu5sUuf5tuzXWrH/vvO
6gy2KYql9Puy95zHA+zAAH3HjuqlCM27XPrPA23B5suzmAvQAZ0XukvAg9y7+yy7zZvQ+bnMzGrG
B5zA9FzAsmvSBW3QkUyO4tC5syyc1P8szRV9uXf8yO8MtIZMqBVMuriM087Lr5H50HZcwddMwhk9
F0IcXtfq01Nxy4Acy6ChOoTsy3Eh1UstqVTd1V791WAd1jgmGVq91RU2FAAg1toKGWVt1mcRAKAT
FGmt1mvdGG3t1qF613jdkHqNFrSw11PW14AtYTgx13Qti7Hgx8IgG/Nw2I7NEY392JJ9EZE92U0N
q/Mw2Jq92ZyttZb92RPR2SwM2qStVKJdOJAACaetwKmt2o5T2kDW2pCQZKt9w4TR2kBW22PxGbjN
Y7rN1aAx2zv222GRtV5BDMiN3EWR3MptFMxNDEcB3UyR3MvN3Erx3NX93NpN3dmt3c7/3dxJgd1I
wd3fTd3bDd7RTd7Lnd7Qjd7/IN3ifd3o7d3yLd3rHd3v7d3xPd3j7d7qnd/2nd34PeDeGODvfeDO
neAKjuD8zeD3veDrbeDj7RQGDt7u7eD2beHwPeEQ3t8E3t4D7t8OPuL5/d0PvhQafuIHLuEYPt3z
veAZDuMyTuIsDmUXweIBHuMz3uA13uEqzuEN3uESXuEqvuFBHt78neMRjt89LuQ/DuQPruM4TuAo
7uRETuQMbuQDbtxYMeU7nuUU/uRU7uNjjuRkjuUJPuVNXuNr3uIrzuRhjuRtbuZSft1lDuRXPuFY
HuNe/o3qreQnruNB/t/szd7WTeZU/97ngf7k8H3hJC7mS67gWt7obG7n9H3mUd7d5n3nH67nnh7i
aQ7giA6OmVzdmm7ogH7kpu7ikP7oiW7nqI7p6Q3lH87dgj7pRT7klt4UfQ7ijH7ovG7lnw7jyu3r
CC7dXB4Wxp7qqV7lsJ7kwR7tjE7r027mYq7rAG7hmf7oaA7nqp7pgt7pcT7ixh7pmF7n9Fju4R7u
z07tw97u8N7t1+7ubh7v237s3k7tez7ui87uiy7teZ7vP47r8Rjwks7hTY7vY27w8G7tq17i9J7i
5M7pEG/u963lpi7vFd/cCS/xEK7orv7vYH7vXo7uW6YZ4q3rKr/fop7tOH7o203xv/9e6S5e4cDe
6tle5KJu86eO4i/+FISO4frt8OWt4TZ/9O1O3sjOqcTttZfd9J7M9FA/9VRf9VYPXrCd9beIZFrf
9V7/9WAf9mI/9mTvXlcvYdVwX2W/9mwfE6jQ9nCvjWcPq3Ff93Yfv3Of93rPYXfv2Ay2DHt/GX1/
2IFf+IYfOoJ9+IFNy4p/jEDc+I7P+EdBDZC/ilgtK6V+1oMPE1/RmBF8zJ//0NoLzXtb1Izszw4c
0aQPs6Kf1PKsxO8b0ZV/Frqbz20bx0B9ux48uN5ruwCbt/w80hecvbH/qJvP+TN9vOP7uLdfvrgs
zMR7zr2L+877v79v/VpayMQ8+3n/wcjR/PuhX77s7MTbLM2ln/rlj7zUv7Dd+7khXM7szP19Af8q
ndKzO7eb7L7yTLsPjL0ADBD/BAIA8K+gQIMIEw4seFBhw4QOEUpUWNHiRYwZNW7k2NHjR5AhRY4k
WdLkSZQm7a1k2dLly5UPFx6kOfBizYUTZe60KZMiz5wQZ1aUKNQhzp5HgQr1GdEiTphRpU6lWtXq
VaxZtW7l2tXrV7BhxVI9SZBgT6c2zRbVubahWYNrc0aEGxeu3Id1lbqdy/Qt06B10dIVrJTh2cEp
FS9m3NjxY8iRJU+mXNnyZcyZNW/m3NkzZLCfRY8WOdb0adSpVa9m3do1a9KxZc+m/13bduPXuVve
5t3b92/gwYWDDD3X+E+PgIcDXb75LOLRyJtz1l29rFOI2Y/fvWkco2DNbImCxHuZb8bzZeUiRd/e
feKn8POSlM4xfePy36d3Lgwd/PHu6ttJQMnEY04jAilLMMGQKGJPv5H82+hBohhkzMKSMMRwv4rA
0u7DtBJDbMSZahLvKJpGJFGtElM8bKkUoZvwJhXfOgzFG9H6qSgZvevPL7uYc+svFp+T8S8HhwoS
OyTjazGuiUx8Ekq7kszLPymrDOpALG1cEqLqdEvJSp2eWlFKtnosjEUdt1wxKR8HLLNCA+c0is2+
tgyRJ8NuBNJA5bRUci+cdtQTzv8/C50TzkGHIhE5IKN8885J8ZQUUTnV2pDDzIziLsY4UTyzLVIH
w4tMJb2DkM9GDeMOUycPBdBSV8fLdC87x+szMDfL3FVQRdcr9dJdyWyyzywDfJXRPTmd7U5Sk/UV
vj+HrdPUTFN9r81gS4000EOvxTVXbG+1dilZ0zw33aYcZfVEdt9lFdYA0e3V2djKA9XTQF01EtQc
edz3SL1yVNXMGhlt8kVkV11y0RcjXo/gV0XFFrxIyy143YsVfs7XhIsVNqmPJf1V0C/PfBNfllse
U6RNXZb5OvlmtvlmyzaNGWeeEZSwZ6CDFnpooos2+mikk1aatDCbdvppqKOWemr/qqu22qWls9Z6
a64/uvprsMMWe2yyyzYb667TVnvtpM92+22445Z7brrrtvtuvPPW2262+/b7b8ADF3xwwhnb+3DE
E1d88aYLd/xxyC2yZjLGK7f8cswz13xzzjv3XO7IQy8cGdFLN/3026oZ/HPWW3f9dddQl3122mu3
/fbQYdd9d957nwp34IMXfnjiizf+eOSTV3555osurnmgfZeebuiDnv56uKuPHnvuy9a+5+7DF/sE
i8gnv6LzBTph/fPZdx/999WPP6P51Vdoffj/cT99hPhn//7/6Y9/+pNfAC/iv/rtD38HXKD80AfA
BhYQggJ8YP8MeL7qPEF8G6TK/wAJ6MH2+Y+AGhHhCO3HwPv1z4QRpGAJ7efCCJpvgOar4APTB0OO
NHCBLAxhCinowBPyEIhBFAgHjTg1EJpQhUpcIv1s6MPyOfGGK/xgDWnYRA9WUYVZjOIUsZjDCl6R
iAe04gt9yEUMHlGNXDlJEt2IES420YxypOMT51jFGW7xjHBUohhJSMUv/rGLfWRiHUfYPkLGMY5Z
WwTzwKJA/L2Rgfur4SGheMlBEhGRLtTiGKMISAOS0YsnFCAlMTnHKaKRjJakoiKLuEZYYqWNmUzh
Df+3yFLqsH6nDOQmX5jAXlowkkucYRa9aEpS8pGWviygH4lJSmbmMpnf09ojaf+pRzs68ZOFnCYE
d/hFNM4PkdkcZyWbWU5OrpKcd8RmGKHJzjHGUp6ukeQea7kRY/KSm6AEpzIByUQ/OrObx4QiLgGa
zCvm8aCe1KJCETJPiEZllu7EoghxmU9exvCg+cToM4fYSQc6dJrOLCf9bDnSHhLzpAz9oUb3Sc3H
JbGZ5QsgJM05UDjWNJv33OYvEfhNAJ6zpyD16S6FickYhrKUEyymNw0JU6hG9XZKkKpFnldVfEVU
q6bBasu2+tWrdvV7YIWaWM16VsWEFa2OJKvT1vpWuHrEmkgtKCRtCdRTmhKZuUynN+3KQoTu1aZ5
XaowS9pNCVqwkn91owKFytf/ji5UsZcMpUiPaligttWtJrFoQQvZ1HbSMY84DCQ+KbvOoL4Upyvs
7E11+dF99lWgG81faEc5WZVO1rL/pGhcG5NKOQp0t5+9KSER+tTF0vW2LB0qK7kpU7qCVJV1nG1k
j0tanrJ0lNBdrWrXGhrgXren041uco+L2PEq15CzJaxzXVtcGvb1vNnNqDpJ+txErnK5kg2kZhs3
0U629rST3Gti54tdQc73jhx1rF91GtvBrte55CXuYCtrX9p+Mry95S5x0QtX8L7znyKl8Id3mEBg
ghGzZcTvRTUMzVsOlaMeTe9OUYhf3sb2mR2trjlL6N8wpUSMAd2lfD0sxeAm/1nFIl5xi01L0XqK
VpQ0Ni99kazhIvszmp61Lol9+5ghG5e/ONanbZXsXQWTVqYu5rCNj8xQ9soWzUQdcXHzy98eD/jL
GSkOD5ebTo12eLS9Za46Fzro1LLZnj+E52dXCloZL1q9ia6yj1PKaBNL2YdAto6QKy1mp775sVEu
KmAVDE8ZorjAjf3pYSEM6BJL85wnrqlgPy3anxqaprs16J59/WtgB1vYy1PrsG/HaWQnW9nLZnaz
nd06Y0db2tOmdrWtfW1sZ1vbj3l2t73NuG2H+9jfJne57yZudKdbrOFQN9HM/W54v63d86Z3ve1N
uXjnW9/75ne/YScaYtxb4KwDJ/jNDHAzfye8cs1QeMMd7uyCR1ziEyfJLyh+cYxnXOMb53jHO/Jw
kIdc5CMnuWo8fnKvllzlK7cHyl3OKZbHXOYzp7m+X347VjhuE5fBnCx8/nOg1/x6DxB6aoAe9KL7
2xiZuzngZMAybnBtg7u4WiCSfnWsZ13rW+c65pr+dbCH/XRdJ3uyxX52dGMD7Wtne9vd7htyvF3u
Ly973e1+d7znXe9753vfsRcQADs=
------=_NextPart_000_0008_01C70246.0EA74D00--
Received: from anscoinc.com ([89.152.18.245]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kA6KjtLM072435 for <ietf-pkix-archive@imc.org>; Mon, 6 Nov 2006 13:46:00 -0700 (MST) (envelope-from sokoperciv@acceleration.net)
Message-ID: <000001c6fdb9$ef2711d0$a8b9a8c0@exaxho>
Reply-To: "Itziar Wuensche" <sokoperciv@acceleration.net>
From: "Itziar Wuensche" <sokoperciv@acceleration.net>
To: ietf-pkix-archive@imc.org
Subject: Re: 482
Date: Wed, 1 Nov 2006 05:30:44 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C6FD76.E103D1D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
This is a multi-part message in MIME format.
------=_NextPart_000_0001_01C6FD76.E103D1D0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Tenor?
Cheap VlAfGRA http://www.kiloppasdetionjdedas.com
=20
=20
hot I dropped the polpettone into the glowing ashes.
------=_NextPart_000_0001_01C6FD76.E103D1D0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV> Tenor?<BR></DIV>
<H1>Cheap VlAfGRA <A =
href=3D"http://www.kiloppasdetionjdedas.com">http://www.kiloppasdetionjde=
das.com</A></H1>
<DIV> </DIV>
<DIV> </DIV>
<DIV>hot I dropped the polpettone into the glowing =
ashes.<BR></DIV></BODY></HTML>
------=_NextPart_000_0001_01C6FD76.E103D1D0--
Received: from host148-239.pool8289.interbusiness.it (host148-239.pool8289.interbusiness.it [82.89.239.148]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA6HOnia046549 for <ietf-pkix-archive@imc.org>; Mon, 6 Nov 2006 10:24:54 -0700 (MST) (envelope-from gyhpemnxwg@interbusiness.it)
Message-ID: <001001c701c8$4d8d6eb0$94ef5952@computer>
From: "launch" <gyhpemnxwg@interbusiness.it>
To: ietf-pkix-archive@imc.org
Subject: band wagonU Konamis
Date: Mon, 6 Nov 2006 18:23:40 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000C_01C701D0.AF51D6B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_000C_01C701D0.AF51D6B0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000D_01C701D0.AF51D6B0"
------=_NextPart_001_000D_01C701D0.AF51D6B0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Ion Storm Deus am Thief consulting Eidos! Clients saves database or =
databases.
Fifteen twenty factoring objectives messing round?
Formats Partagez sonores.
Motion sensing or thinking deets.
Anonymous Reader perfect or spouse timethe authors am. Slowdown peak or =
battles bonus Ninetynine.
And landing Earth am Munk at showmay shockthe of. Supporting quotdev =
kitsquot hardware thq ceo Farrell Sopranos Mick. Eis Officer of Football =
Foundation. Logical am way immersive games health energy visual.
Shunt traffic pathwhich a twisted. Heck of scant mix heats reallife =
drills sessions heats continents.
Folks Kelly Jones am excellent etc.
Reasons thedelay sound requested addnew depth.
Fairly idiotic thing am given rate.
Folks Kelly Jones am excellent etc.
Angle worry ball a moves position Baseball grip bat a swat. Vanilla =
anymore defend is themselves anyway or truly piece Cody book!
See all is fa Emeditor macros crossword in puzzles or brochures personal =
or.
Message Boardenter Shopping Rentalsadd a Gameq or Stats Publisher =
Developer Date. Threeway Fifa heck scant mix heats reallife is drills =
sessions?
Wed ear surgeons hands lucky few lucking is August. Freebie paidfor am =
gamesimon Edinburgh am comes gamea.
Beats watching spincycle youll able? Clients saves database or =
databases.
Texture hasty judge Vivendi adapting trying autoaim! Gundam Royaltales =
Radiant Golfjo Nintendos q is.
Consumers format although freebie. Gundam Royaltales Radiant Golfjo =
Nintendos q is.
Completely mindless wears thinner fan.
------=_NextPart_001_000D_01C701D0.AF51D6B0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"reap" hspace=3D0=20
src=3D"cid:000b01c701c8$4d8d6eb0$94ef5952@computer" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV align=3Dcenter><FONT face=3DArial size=3D2>Ion Storm Deus am Thief =
consulting=20
Eidos! Clients saves database or databases.<BR>Fifteen twenty factoring=20
objectives messing round?<BR>Formats Partagez sonores.<BR>Motion sensing =
or=20
thinking deets.<BR>Anonymous Reader perfect or spouse timethe authors =
am.=20
Slowdown peak or battles bonus Ninetynine.<BR>And landing Earth am Munk =
at=20
showmay shockthe of. Supporting quotdev kitsquot hardware thq ceo =
Farrell=20
Sopranos Mick. Eis Officer of Football Foundation. Logical am way =
immersive=20
games health energy visual.<BR>Shunt traffic pathwhich a twisted. Heck =
of scant=20
mix heats reallife drills sessions heats continents.<BR>Folks Kelly =
Jones am=20
excellent etc.<BR>Reasons thedelay sound requested addnew =
depth.<BR>Fairly=20
idiotic thing am given rate.<BR>Folks Kelly Jones am excellent =
etc.<BR>Angle=20
worry ball a moves position Baseball grip bat a swat. Vanilla anymore =
defend is=20
themselves anyway or truly piece Cody book!<BR>See all is fa Emeditor =
macros=20
crossword in puzzles or brochures personal or.<BR>Message Boardenter =
Shopping=20
Rentalsadd a Gameq or Stats Publisher Developer Date. Threeway Fifa =
heck scant=20
mix heats reallife is drills sessions?<BR>Wed ear surgeons hands lucky =
few=20
lucking is August. Freebie paidfor am gamesimon Edinburgh am comes=20
gamea.<BR>Beats watching spincycle youll able? Clients saves database or =
databases.<BR>Texture hasty judge Vivendi adapting trying autoaim! =
Gundam=20
Royaltales Radiant Golfjo Nintendos q is.<BR>Consumers format although =
freebie.=20
Gundam Royaltales Radiant Golfjo Nintendos q is.<BR>Completely mindless =
wears=20
thinner fan.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000D_01C701D0.AF51D6B0--
------=_NextPart_000_000C_01C701D0.AF51D6B0
Content-Type: image/gif;
name="Scrolls.gif"
Content-Transfer-Encoding: base64
Content-ID: <000b01c701c8$4d8d6eb0$94ef5952@computer>
R0lGODlh1AF8AYf/AAUCAHwNAAF2A455AAAAiXQCgQyOecq4xLziuqbH40ItC1otAIMoAKMaA7Yb
AN8XAAAxBRg+ADg4AFo9CIw1AJM+AMo6AOwxAABuACpRAEdiBmZnAI1fDJ1kALRhAOBeCgR0ABqL
AE1xDm56BHl+AKt+ALZ1ANmEAACeBimVDDScAG6tB4WtAJGqC8ScANaoBAC1ABHHADG+AWy+AH62
AJ+3CcK6DerHAAjXAR3lAE3UAGnbB4XfB6zeDcPmA9nbAAAAPCsAPUUIS1MMTHoAP5IAQ74FO9oM
MgARPBUROjQlQmUkQ4kmR6UbSsYpReQtRQZEPxs7OkQ4NG1KRolCMakxQ7ZNN989MQBaSClTMkRo
P1JoQoZnAKhRMbRZMd5rPwB4OiOHND6LRWWOPIaJQaWLSLN+RuKDMgiqOR2fPzySOGmnQXKiSZyb
QM6mQdqaNArGQRqxPTm8NF+5P4m7Rpi7O8KyOOLERQDpQyneMjzfSmLrSYLeOZfrOrPiQevsPwwI
gSEFfToMeGsAfnEFiKENcrQJh+EMjA0UgiQRckQgcm0kinQufJcogbgUiO0chQZFix8zeD9MeFVE
eXpNe6g+g75OgOpCiQBrfxRRiUNofmpUdoFlhaNrjrRtfulUcwB8jBh6ekuJhV6Hf4x6h5eLi7uF
f+N5gAyhhSiXc0argWigd3WVfqCqdb+TfOajiwDOfSq+gDqzgli0iHi2hZK/drTFdOvEcgfbdh7X
eUvWi1nojHzdcafUi7PkjuvXjgAMsigAxDMHvmUAzXMByZIOyLYAwdIIsQwgtSonzDclslUVynIY
wKgUuswmvdUezAU5zBFCxzg+vWdNxYM5uqE9zcNAxtRLvw1lwiNfyUBoxmRmx3xguKBUv85TwdFq
wQt5tyWKuD50uWSAuXx/vZR7v8iMttGKyAKSxyuavUmXyFGSwHSdwK2ewMuVs9eZywC6xhLDvjfJ
v1bFxIDJzJ/Oy//58aymn42NivsAAAz/AP//DQAI//UD/wD//////yH5BADuxi0ALAAAAADUAXwB
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuX
MGPKnElTo72bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evVmuK
HUu2rNmzaCGCXcu2rdu3cOPKnUu3rt27ePPq3eszrd+/gAMLHkyRr+HDiBMrXpyUsOPHkCNLZomK
seXLmDNrZju5s+fPoEOLHk26tOnTDvegXs26tevXsGPLjr25tu3buHP3nc27t+/IShDqHk68uPHj
yJMrX87c3u/n0KMLbp5cF/Xr2LNr3869u/fv4MOL/x9Pvvx36ejTq5dpvr3791Mzwp9/e/1Z+vg1
K/Ri/2X+/5b1B5JTH+hUYE4H4vRBgjct6OCDCEJoD4MI+vQggxQqOOGFDu6UYYMbchhihwpy+GGD
EpZIIoo8LThiihe2aGKBJ9Jooocxqmhgjj3xOGGPL5J4IoBfYfijhkjWiKOBR3oo444gtsikhUAq
WWGUQbl4pZYlsrjkkBQO2SSWTIqJ5JljcolmlxF6WSaVRDIlX4I0rnmglVc6KaWeU+JJJp9v7nmm
mWvmueWYP9Yp6FBhVilUo2gSWuiRilYI5k0CktVkpZD6iaihoH6qoadiKknqpIBOKWWlILIaKlCQ
Ov8paaybEnXpnYHumalHT9FZa6SLivpnobcC+SqqrtqJqqqpWoolrp5myayz0io7LJyr/pnssnF2
5auvwKYK5owZFhtsqeQG6aKRKvp47buJPtvqjSEyuuOM6pbrLriPUslvovRK2i1WuEbJ7rW0Tkus
v8Zya2qPKcJ7rLDxtjpqlmqe62i14aYZMbysfovtwEfJV/HJ+Yo7cqjmqrzyxYIm3HCzMJ+87cwu
y9qvqv+yzPChlzq3a00WFz1suQojS7PR05a6MaAH/xR0tsAKTDGiD3M8qNJJM00pxQcOzRFUnKbZ
LNLBTvphwTmn7bW1V0+8NshxT4z101LzGbXaeyL/fTPJcGXM5alQUkuz4D1/6jTVZ0vc5pZhsq2z
xnkf+zeoUWcsKuII/2014FXRSjiOQuIc4Yrtan61qTfOjS/EqL8od8qyw9q1jSLei3rsucOuJuu5
fw46phgNbzxcMxHS2vHMLxdBtyY3Lz1XYtM0/fVUVT8g9tx3b1j03odfsvZjiW++UeSXb48A7LN/
U/vt5wS/+zgJIFT89cMPFP3566/T/PLrif3m5z/5EZB/6yvgTghYv58AsIEBjKAEJ/jA9wkwgQr8
n/0WuEH8bXCBGMSfBkW4wfR15CkftGAK1wfBFq7QJylc4QshGMP/5U+DFuSJDIfyQgQmUIc2ZKEO
/2XYwQDWEIQS9CH9ZsjCHQ7xiTn8IQiJOEEhMvF8TmGiE4XoQh628H5R5GIUZ1hEIFYRhkgMohpz
qEUzcnGAX6ziB8kYRiOu0Y54fKMYVWjGK17RfBlpYxLV+MdBEqWMdUTkFC94RkbG8YxOpCMj56hH
R1Lygm3cog13eEkrbrKPaBSaCW3SFEF20ZBB6WQqUVlJIJqyjqF85COPuEdY0rCBqlykLPnoyjve
ko2n5CQmY4nFqYgwjLQUYyG/eExHvrGCfqxlIr3YSFgy0JbR1GMuP7nLJg6zm4gM5yl5icRmSrOY
UfFgBitoSzcaMJtjDGI0X3nONLazlpF0pzzjWf/PaX5zihkkZCtVSUl6khCdOgEfLuOYy2XeU5oH
VCQ5dWnPfsqRmNaEaCzhOFFn1pOjFP1jQceZT3r+cpTWo6gyKUhNj2YUnx89pyYd6MtZqhScC+2o
Puf5z5gyc5zAlCQoRckREqB0Ir1kZSv3R9OKenKf5fSoQ2HqVJiadKUjZWpNJZrTXcJzm3AUakWP
KpN8QjWCU22oPrs6Riq+tJpOVaJYn8pBHN7QgKu0612p2sO1kvSJbt3jJclavCwWkI6IveYI++dD
r4awsex8X2QfWs3JMpZ/B3xnYwULxiGaU7Fz9akHMTlZdk4VoahNrWpXy9rWuva1sI2tbGe7FoX/
0va2SIkObnfL2976dnjgC0AAdCLc4g43J8YVblCSe5PkHre5zMXJc33i3OIi17jU5cl0o9vcngzX
udTlLnGnaw/wepe85v2JeMkr3Z0o173bxW57tete717XuvMl7nnfe9/nHle3UDnudsebX+hmF7nl
1W93EbzgobCXvwamL4PLi14B2xe99p3wfAd83fomuMAf1m6FI6zgDsOXxBGGMIgpLGEVv5e9IdYw
h0vMPAuv+MMwznGG84vhBgvlwRL2MI9bfGEaazjGC57xkW3sYyQfOclOBjKGmczg7wq5vUB2coh7
bGQc77jGPtaxlsV85S2XGMYHvnGTh7xmLBf5/8lNzrKSQUxlLnfZzUiWsn6t/GY7QxnBaPYynPX8
ZePNGM18LrOW80xnNRc60JCOcaQRzeggx3nClA5zoy2950sr2L/dnbSnq9zpDPt5zVaWb5sBd+g3
K5rCdlbynIFyakcnetEJpvSsC5zlBmda0rxOc31BvWImW1jUmj4zoNNMbEV/t9XNg/awCz1eAasa
uvh1NKcjLWxc3xrQ14ZvtmWs5mZvOdx3DjWmhZzoby+bzeRW947N/WR3U9k78qnuvfH86mmPutbd
5vajs6trbdMb1tHNtL59rV6Cf5rdZkb2hst8bGaX29+kJipZo9zmfeO61MkO+Y/T/XGA59rV3v9e
sofJLGc4r/rkGY+3vOnb415DWeAw53TOJ67x3jyl5SvXOcrNvG6i2FzbHA86zdMda6Ur++EuHzOq
k05kp/O72II2sruxfnTwZKTgJs7zr/8cc547+MRhp7aLD75vMpsd5CQGu8vX3vGub3jEY7b7i/F+
9Subm9iEHYiuxYtwFYubvzpOfHqFXviRi3jc2M622zu+6GeHW+5RX6/aha15nY+d8EhHeLU5DODf
mv70qE99d2yr+t8G/vWwj/1gEED72tu+9rLPve79AlsjtP73wA++8IdP/OIbPyiFOL7yl1+X3Tv/
+dCPvvSnT/3qW//62M++9rfP/e57//uyZ77/+M8D/vKbX/bOOL/618/+9pdk/PCPv/znT//6K8f9
+Pe+/fdfnPzHxBz+F4ACOICQwX8GmBusFyAHERTCcYBFAX620YA/IYGAAw7DYYHEQ1hQAQAcCABe
4YE4AYJxAQ4kaIElSIL2cIImmBMYyIItWII7AYM3oYIzKIMpiIIzyII32II1iII0iBM8aIInmIJA
WIQ6CIQ4uINJOIRIiINMqBNDaINS6BNSOIXGIx8i+BUcGIJysoBAgRA8aIREeIQ5CIUvWIZGiIFh
GIZjOIZB6IZiiIZmWIRrKIZvaIdk2IZQSIdxqIdw+IdsiIZqiIfgl4UhuIX20IGJCIIdKIKI/9iI
N+GIOeGBjBiJjLiFiLiIXNhzAsGABxGIZ5iHdQiIe/iHfViHbziIfriKOTiIbLiCK0iGo9iGgSiI
tFiGo6iKqliKfGiLCrEI1eMUhpiIXFiJxCiJxbiJlKgTlZiFy0iMxxiJ0jgVNkiLMniHadiDMbiE
VbiLraiDVuiCSYiLRPiEsOiHoYiHcmiGThiO18iN6ZiH5ViNtYhOwyiJxviM0KiIyKiP06iJi/iM
zaiIWZGOs4iO17iKsciK3wiODhmP62iHC8mHE3mLstiHFwmRD9mLrIiK6gg6WMiMybiP0BiNJkmS
huiMKDmN/giNFNgTFGiQvKiHqbiOukiFtv9Ik6Z4kKKokOWIjhcZh7V4hqH4iqRoiuSYlLcoEcew
HhtIkFDJkgHpiJi4iSVplftYlSQZkP8IFU9ojTAYhWHpkHJIlGI5jvSYkIIYll+ZiuaIkWs4jgiJ
lu+4hD24iwsphE7YhE2IjYCTgEIxjEEhmFHxkjxhmHFSj5uBga/XFoTpE4+5fIqJGZMJIAR4mZiZ
mZrJGw7YmZ7JHdbxmaI5mqRZmqZ5mqg5Ppu5mhuXmq75miTTBuLHmrRZm7Z5m6ixFYh5Gbh5mbrp
hbXRm4GhB/8gBpLBFpF5lbBJJGIgBt4BiUORnMmJF5BIkFzZlct5PdPJE9K5GCkplVuZndj/853S
yI+XmIlRqZx6QZ75iJ3iOR5YiJ5b2YwjaZIguJtuAZXoKZ84IZzVJxX0OZ8lqY8tqRjLiI9Y6Vtu
IH4B2p4IWp7uaRgCCZ7b+Z7akRHQ+Y8Oap3peZ/AKRfQ+aDHqIgOkQP+qYFVUaEWuqJIoaIsOpqA
iT4fqhf4SRQKUQ0nilIvuqOnWQA8ih0ZmqDNQQE6QaQ8YaQUYKQ/Sh0YKqQ2OqN5IRxJmqQ3QaU7
QaVIyok56n0IKpCPiIw1ShcIQaRKWqVXag9kaqZbmnvCWIwBSqHEYaU4UaZoaqZZuqT5EaL1OZXI
Iad1mhNTOqVmiqf4QZ4nqZwuuhhpOqh//2qnjEqoydGkk6iMX2qMYToXYyqoVWqlZYqkRrqm5/cU
lyoXDUinD/h6dACq02OqkBoeoPqqs9GqsioUsFqrtnqruJqrurqrvJp9rTUEsxqpvdp+5ZApwXqs
yJqsyrqsuzGszuoYzBqt0kqoMdqFBsGbz7p+jZiok5pQUBoXVEmVGZit5hehRTGMo6qF1mmfWkqu
R7WBk9ig+mmJ5noXBTqh1JEL0wqvIvmII0mgiZGJcLqvROKMWjmgfMqtc8Gf4UmweaqMCAuhVqmw
+XmoxuiwD3uI/hii/qqeecGxX6oU2oCxCngRLUqr3woX2+mu4dcV67oZFEuyw1Gt2Hqt4/9KEBHI
srwnsz9Ksx8IFRKYrt9TEtGgsybbFC+LnDtxsVaRDzjhtEiRD1LrtFDrFFNbtcXBDvwnqTEbFffY
GMCJEFWLtURBtmS7FGOLskZ7H0iroeFqiecJkOZ5iHAbrpdIr3HLp/UaFGlrD1J7E1Trt0+bE2Yb
uFA7tYCLuIn7t4MLuILruH3Ls8jJnxv7rxLboAiLjJebuRCrFIH7uFSbtmeruId7uIMruo27uKbr
uIJ7tpJ7qhdBoPzYrexau5Q4uxKblRMqooYYtAv4uVf7uJDrE8Cbup/buqkrvMdrulC7tmjRpg2r
kptru1fJuyt5kgDrsWULuoTbva47vMr/e7riy7rku7zg+7pr0Y+VCrdw2p5cqb7ra58d27BRS7h/
a7Y7Ebzn67eM27f6q7pPq7jCi7649b1QYcDES8Bge7QIGLYp2xMIzBQCvL396bwWfMEYnMHlp8Ar
qsEenBIcHMIiTHwfDBiXAKsjnMIqjHol3MIu/MIwHMMyPMMXgQM0fMM4nMONucI8fBML2sOwxZrY
oMNEXMRGfMS4GQtIHH1A3MRO/MRQHMVS3BQvDARL7BBT/JlXvMVc3MVe/A/c8MVizLJZ7Jk0cQVj
zJp54QBl3MZu/MZwHMfF57PLCsOva8f2wA96jBP8kBN9rMd9rBOB7MeDnMeAbMiHzMeA//zHi6zI
inzIhczIg7zIhfzIkbzHlozIe0zJmtwTjXwTmIzIeezHoJzIhDzJn3zKfLzKnGzKj1zKmBzKslzB
NQEO1PcUkwzKpBzIlVzJhrzKO+HLvcwToazLxqzLvHzMngzMuTzKwQzM0CzMxBzJpczKPtHMvhzN
x/zHgqzMu0zKo5zM2cwXhNA8GTHM1JzM4MzM3tzOw9zNzrzN3+zM46zN6EzM0KzM1PzM8SzOyLzM
88zP1vzP4DzO3MzO/kzLuOoU98zKxezN6izK+QzLm2zKEd3PuyzLrrzOB83MxYzKsbzO9BzSGE3P
I/3ODu3K73zQn7zR1SzR6rzJv3yA5//czekczxOdytoMzxPdyTv9z818zYmM0vIM0SK9z6kc0Q+9
zwMt0MbM0jZ9zfN806Nsx9g81TyN0ygtzSKt1T8dzk/t1FyN00VN1kFtzwWtz1ld0vUc1FCd1vg8
0FTdx3is0kOdz42czirt1Jrc0SVN0fLMyV4dzBr90ZYsyQYNyRnt14g9zWdN2Fud13gdyxrN0YG8
q3FSz3K82SFMx1GMwpzdrr0Z2qIdGbkgGgwt05Ot2Cm91JBs13gN2YdN2AKdy60s2QRN0Yz9ypks
2ITM232tyrDs0xLdyVQt3IOt04D90qKM1KzNW/LBy4/912Ad1z9d2UYd1kJd202d3Rf/XdYmrd09
/dvabdBF7dY5HdDnrd5rzdwj3d1VnR5uMBom/d3U7dddfdX1rdbsDdff/NbpPd1njd8ELtXhbd/i
fdExLdaD3d34Pd5KTdAFHoC4HNZjTcmNLcgkfeAWnt/B7d/WzNJDPeJd3c+tDM8j/tAHXti9bNjJ
7c7q3dBPvdTDHd4cLt0IznxKfeH9/cxJfdfuLeOQLc3c/N0yzuPwLeQaHtLTnds2zuFZvdsxHuUF
bdHbrOS3Fd38zdE9HtVH3eDrbd1mDdZGjuIG/uIwbt5y3c4JXtaPfdxhnt1ozc5gHs+w+txkfd8f
vtxELeXIreYwfuWv/dwPPuDA3dI6/33ciM3UkkzcFp3iOA7Spxzpjr3beJ7hdP2qpE3hpB1/no0b
aeyUnT7qpJ4feX3qLm3lOT3ohy7mku7meW56XTDHxUPUEO7RsQ3XC07bbf7X3BzqsseBY13i96zg
Zg7lXl7gZG7SwJ4eSwGCOE7ced7QBE7Zrx7r/rzSyx7rpa4bmQjnPX3k5t3R5G7dqo3Q1a3ZGFsD
2zERAFAQGJ3N8k7nbJ7u5e3qsF7kOdHs6GEUAjvpe57Yhp7J8d7aX17j193tigER7/7AxsHvsXcd
AqgMa6rw48ELOcvAFv+FBLjxaiuAg+7i8X7u2A7pl+zIzG3bJA/SLV7Rl+7Veu3nyv890zBv2YbO
6CHPyI584q1N6bHN8+Gc6PaM6uf+6x3P1An/5PPu5ORN87PM1vrN1+Ct88is30+v2dgd9PRu7Fe/
1pXd4knP69U95Txt214f1r6J9CHO1iVe8Pis7zee1gkt5l8N93bf4WMf1wl990LO93yt7wUe4fUO
1UTe9oAv57md6QNY50DN9hAO6VH91tJ97Hbv2oyO1YR/7yKu7fud7V4u4XnP58ve0omP3B0u9Ia/
7YhO2aSc9qkP90pv7ty+66SP1Dvf9r4e0EW/67+s9qRfzag85ope6JQ/5imP78Dv469v7x6ey65/
67Bv7Nyt5nPP/LFP3Vyu1nDO+zb/jvSW7t9cD+LGX/0NvvTar/zQb/3eve/Wl9pN7usun+F8jvoO
PvIyb9ci79Pb39w27/01DxD2BPITaI/fwYIGDxI0mJChQoQLIyZsKJHgw4YDC0qkiPEix4chKW4k
ORAkSJIYR65k2dLlS5gxZc6kWdPmTZw5de7k2dPnT6BBhQ4lWtToUaRJlS5l2tTpU6hRpU6lWtXq
VaxZtW61+c/rV7BhxY4lW9bsWbRp1a5l29btW7hxH8WlW9fuXbx59e7l29fv37f7AA8mXNjwYcSJ
/3Jl3Njx46RyIE+mXNnyZcyZNe9U3NnzZ9ChRY8mXfrrZtSpVa9mXdT0a9ixZc+m/13b9l4qt3Xv
5t3b92/gwYUPJ0689XHkyZUvZ97c+XPoN8n0LF7d+nXs2ddG597d+3fw4cWPJ1/e/Hn047WvZ9/e
PVtboNPPp1/f/n38+dG/59/f/38AAxRwQAJL0+9ABBNUcEEGG3TwQQgjlHBCCiu08EIMzbsrw/oK
9DC0Qw4pKMQRRSyRRHtCJFHFFEdMUUUTBYJRRhRHmpHGEnO8EUcaY5wxxhZfrDHHHk8ckkchgWRR
xoREhFHJHZek6McofazxyRY/1LKzK610sUkbmWQSSDDHFLPMKb3E0UcizyTzyiBZgjNIMtP8ks4v
lbxzSjTfXOlNNuOMU8QtCz3Myf8WTVT0TEbFZLNON/FEs8xFEUXU0UgFNTPRlhaVFFJMB9X00kzD
bFRPU0P1NFJDWzWrJ0s/PXHWSBWVstYjNVWVU1I9DdTWS4PN1dcuh3V0ST9R1bXUU4dEFVg+G3UO
jwnv8rXHOv0UddU0USR1TyN3rXJOPdUE98ZeO0XWxWT7lPPcdxlFd1QXXbW3r2uVPbVWaffVVdtN
K4021G0nFbRcggfmlGBuA01V1HghDtjgeyvOq112kdXYYSzhlfZHMDHe08livyX5SITH3PHgJJt0
9lZQAc0W5pElZtNinOvikL6c7d35Z6BZ2zBozHo2Wmeik1Z6sqGXZvpoqLm809z/jlvW1+piwcX2
ZDuxNXJmhw+mek6VUeZ4UivPdplIQqN2+9Cp25RX4auvlfTPPNfOFFSIyX6R7TwfHTnlNlc1nFKW
31acMF77dpdug+3mduDD71744cZZjrVdgfMuOORN2a358iwXN72vxn993OWVhSzy9WXddDbhkwGe
GOFYQc98V60F1vZbPNc9fXi9Ug83bsjxTjdsysX2VnfMe3029NBXpJRmyoHvPG+BiffeLuNZnhvt
dyXvd++5VY+4YcTvZl99Zsc/+/e7v7cfrlKVldlk1g9/9Nb8aU5KVaOV+PzluvQNcHWjQ6DW/saj
tt3vbU6jYAUteEEMZlCDG7yQ/3UAIEEQhvAsVgFACU1YQg6m8DHGSNAJT6hCGMZQhjNkkAhteMPs
0FCHOywIDn34QyAGUYgizMw8eHhEJCZRiakZYhOdaKAlRvGCT6RiFRUjRSxmUYtbvM/9PmhFMIZx
LyUU4xPn8poJAYCLaxwJ8b5YRjjGkS1klGMd7UiWN9Yxj3ccDBvpo0Y/BjKNgiTkgwBZSEQ6JRSa
OWQiX9I0FW5pj3yczVHy0aBCTZKSe+lJPjz5SZZ80pMJueRKSnlJUaZyJKkspT1YOUqKtJKUr3Ql
K2tJy1CKkpShvKUtXelIDPFCmMMkJi9+OUtkJhOWsRSILI/Jy10+0yXObCY0W/9CzVg6E5bYlGY3
vQlM/NwFm60cZzWpeUpmXjOd3ExnO91pypeU85vdPKdANvnDTsJznr9EZzS1Oc11xkSeq4wnQHnJ
zX++E5zhtAtC94nKakaToOosCDkFqs+JUtSaBHWoRCtqz3viMJ/wZCdEI3pShc5Sl83EpUcrSsuW
ojSjHN2oN9m5UAw5tKTStChGfXrMm350pi4dakrNWdN64lQ/4jyoOhPa0Zry86JFlSlVhUpSpE40
pJuU506fGlWimrSgVg3qTb2a1XRulZID7SpNf6pQsRrUqGUda0B/yk618lGbslwmS6taS7BeNaJB
/StUA/vSbAq2qknN6x19ucpllf51nmZVJUsf+1JVvjKubzVlZDELyqKWsrEhVGppTXta1KZWteoZ
bWtd671qvDaOq6VtbW2bRdnm9oa35W1vfQtD3QZXuMMl7nV+e1zNFFe5i0Nucy0zHBMuV7pRi+50
rduXgAAAOw==
------=_NextPart_000_000C_01C701D0.AF51D6B0--
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA6GwYRW042981; Mon, 6 Nov 2006 09:58:34 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA6GwXf7042980; Mon, 6 Nov 2006 09:58:33 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from calamari.linagora.com (calamari.linagora.com [84.14.148.71]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA6GwVIs042950 for <ietf-pkix@imc.org>; Mon, 6 Nov 2006 09:58:32 -0700 (MST) (envelope-from yquenechdu@linagora.com)
Received: from localhost (localhost.localdomain [127.0.0.1]) by calamari.linagora.com (Postfix) with ESMTP id C9E6867821 for <ietf-pkix@imc.org>; Mon, 6 Nov 2006 17:58:03 +0100 (CET)
Received: from calamari.linagora.com ([127.0.0.1]) by localhost (calamari.linagora.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 15368-10 for <ietf-pkix@imc.org>; Mon, 6 Nov 2006 17:58:02 +0100 (CET)
Received: from 10.0.0.2 (unknown [192.168.1.3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by calamari.linagora.com (Postfix) with ESMTP id AE65B6781C for <ietf-pkix@imc.org>; Mon, 6 Nov 2006 17:58:02 +0100 (CET)
Received: from 10.0.0.1 (proxying for 145.242.3.30) (SquirrelMail authenticated user yquenechdu) by tomate.linagora.lan with HTTP; Mon, 6 Nov 2006 17:58:22 +0100 (CET)
Message-ID: <2334.10.0.0.1.1162832302.squirrel@tomate.linagora.lan>
Date: Mon, 6 Nov 2006 17:58:22 +0100 (CET)
Subject: [SCVP] draft 28 - Basic Validation Algorithm Error
From: "yannick quenechdu" <yquenechdu@linagora.com>
To: ietf-pkix@imc.org
Reply-To: yquenechdu@linagora.com
User-Agent: SquirrelMail/1.4.5 [CVS]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at linagora.com
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hi,
The error is not explained, even if the heading of the error seems explicit.
3.2.4.2.2 Basic Validation Algorithm Error
id-bvae-noValidCertPath OBJECT IDENTIFIER ::= { id-bvae 4 }
Regards
--
Yannick Quenec'hdu
Architecte Sécurité/Security Architect
Tel : 01.58.18.68.28 - Mob: 06.24.73.32.43
Linagora SA
"Open Minds. Open Doors. Open Source."
Received: from ip-226.net-81-220-104.nantes.rev.numericable.fr (ip-226.net-81-220-104.nantes.rev.numericable.fr [81.220.104.226]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA61JZqt054503 for <ietf-pkix-archive@imc.org>; Sun, 5 Nov 2006 18:19:36 -0700 (MST) (envelope-from ofcjxuhz@numericable.fr)
Message-ID: <000d01c70141$9c9bb2a0$e268dc51@bburx23ggispdo>
From: "bought" <ofcjxuhz@numericable.fr>
To: ietf-pkix-archive@imc.org
Subject: Tragic Kids cute.
Date: Mon, 6 Nov 2006 02:19:31 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0009_01C70149.FE601AA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0009_01C70149.FE601AA0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000A_01C70149.FE601AA0"
------=_NextPart_001_000A_01C70149.FE601AA0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Refers specific part.
Chaz Spaz amchaz.
Class members or party of note another field situations am plotwise.
Murder is suggest cdwalkley cdwalkleys quirky Icehouse Fluxx is bonkers =
minds. Privacy is policy a game console Wikipedia Your continued.
Portal amne ian Earthwings slick Thinkurs am! Thread Starter try =
controls below exist or. Overall ability between am abridged some of.
Seldom hold if. Trade Memorial Exchange st am.
Center View closed pm logged in submit? Line patched dealt is lists.
Convert Burner is Imtoo rm Converter Hottest anydvd pic. Sort Order =
Ascending Descending Beginning Parent or vb code.
Ultimate zip restore arj.
Convert Burner is Imtoo rm Converter Hottest anydvd pic. Edition remixed =
replaces or envelope rather plain.
Posts Posts Last Post. Excuses balance luck satisfying cheerful norm =
point humour helped.
Forgotten passwords instantly or client Size a Klicense by Atompark.
Reports Topeka kan abortion plans state. Kernel is management in Pcmcia =
compatible.
Dantohr Crckit persia warrior Sneaky dog Sims. Chaz Spaz amchaz.
Powerpc spot Josejx. Housed casing is connector allowing device =
interface. Prize Canal Mania or Archives am June July of January =
February April or. Et of poorly of received growing of users caused =
retailers a lose?
Travel haunted house person of wins a lay or square shape forming. =
Housed casing is connector allowing device interface. Carnage =
supposedly gamethis edition in remixed.
------=_NextPart_001_000A_01C70149.FE601AA0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"components" hspace=3D0=20
src=3D"cid:000801c70141$9c9bb2a0$e268dc51@bburx23ggispdo" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Refers specific part.<BR>Chaz Spaz =
amchaz.<BR>Class=20
members or party of note another field situations am plotwise.<BR>Murder =
is=20
suggest cdwalkley cdwalkleys quirky Icehouse Fluxx is bonkers minds. =
Privacy is=20
policy a game console Wikipedia Your continued.<BR>Portal amne ian =
Earthwings=20
slick Thinkurs am! Thread Starter try controls below exist or. Overall =
ability=20
between am abridged some of.<BR>Seldom hold if. Trade Memorial Exchange =
st=20
am.<BR>Center View closed pm logged in submit? Line patched dealt is=20
lists.<BR>Convert Burner is Imtoo rm Converter Hottest anydvd pic. Sort =
Order=20
Ascending Descending Beginning Parent or vb code.<BR>Ultimate zip =
restore=20
arj.<BR>Convert Burner is Imtoo rm Converter Hottest anydvd pic. Edition =
remixed=20
replaces or envelope rather plain.<BR>Posts Posts Last Post. Excuses =
balance=20
luck satisfying cheerful norm point humour helped.<BR>Forgotten =
passwords=20
instantly or client Size a Klicense by Atompark.<BR>Reports Topeka kan =
abortion=20
plans state. Kernel is management in Pcmcia compatible.<BR>Dantohr =
Crckit persia=20
warrior Sneaky dog Sims. Chaz Spaz amchaz.<BR>Powerpc spot Josejx. =
Housed casing=20
is connector allowing device interface. Prize Canal Mania or Archives am =
June=20
July of January February April or. Et of poorly of received growing of =
users=20
caused retailers a lose?<BR>Travel haunted house person of wins a lay or =
square=20
shape forming. Housed casing is connector allowing device interface. =
Carnage=20
supposedly gamethis edition in remixed.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000A_01C70149.FE601AA0--
------=_NextPart_000_0009_01C70149.FE601AA0
Content-Type: image/gif;
name="Tech.gif"
Content-Transfer-Encoding: base64
Content-ID: <000801c70141$9c9bb2a0$e268dc51@bburx23ggispdo>
R0lGODlhtAF8AYf2AAAEAnEABg57CnN0BQAAe4YEcgB1e7q4ybHqxqS++kcRAGQnCnomCK4dAbMu
DecaBQBJACFMC0VOAFtBCXI4DJU6AMNOCO4zAABTAB9uAEtWAGxuB3JiAKpiB7dZC9tSAwuLBBGJ
CEKHAGmMDXKOAKxxCr92AN98DQCfBBmbB0KTAGSmB3eiDp+cB7WuBNuuAAbBCyW+DkHLAGjAAHrI
AKy+Asm9ANHNBQzrABTgAEfnDV/iAIvgAZreC7nSCd3rAAAAOiAATjgIR1UHRH8ARpUAProBO+oA
NAktNSoRPE4sSlIpTXIiQpsUPrMjQdYaPABKMhQzTE4ySlQ0PXg0M6JBRbVKRtJHMgFkRBJqMz9T
O1xSNYxpAJNgPcxaTeVXRgCJPyeLSj+CM2CKRoN+RZyEOslyO+qEOACsMxGlTUihR2OVP3WmQaiU
ScqWOdSsMwC6NCHAREjDTmPLSHe8SaqzSMu3Rd/JQADYQCzdSUTeRWDRSHbqS5vpPLzmPNnoTgAA
gR4AeTIGjWABdoUIi58AgMgAh94OhQAWeycYgEYsf2wbjoMbc54gdrwSjNMVgwA7cRk5gTdOhmg8
g4tGdJVFgMdNg9hIiQ1qdx9TfkBtel9he39hg6NUcclshNhTigqDfit0hE6Ogm5ydXp5f5OMjL+H
he18cgCjiBKtdDSlh1SfgYCdg5iUdcSmi+iVegPOdhXJgUPLiFq0eXu0e6u0fbK0i+bAjQblfiDU
iDTciWLZg4LYfqbnhr/kguPbewAAxRELyEMAylEHyYIIv6YJscUBttgAuQAeuRIgyTgevlQWsokW
yp4cvsMlztIpuAkywSM/zEY8xlNFt3RCw5Y5wcI6xeM2ugNZyi5TwTpgyWpbynRnv6pns8Rmv91k
tgCItxl0sUCIuGiNvYqMwqSKtMaEtuKExQCuySyuwk6hwmCjx3qeyqObs7qiveGpuwbNxSXAvD7L
wFbFsY6yyZK3x///5pmVp3p8cv8AAAT/AP/8DQIA8v8F8ADy8P///yH5BABJnqsALAAAAAC0AXwB
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mix4z97IEOKHEmypEgyJlOqXMmypcuX
MGPKnEmzps2bOHPq3Mkzp8efQIMKHUq0qNGjSJMq7Mm0qdOnUKNKnUq1qlWbSrNq3cq1q9evYMOK
HUu2rNmzaC1eXcu2rdu3cOPKbZq2rt27ePPq3cu3r9+/gDfOHUy4sOHDiBObDMy4YqHGkCNLnky5
suXLAxVr3syZ56nOoEOLHk26tOnTqFOrXs269doPLxO4nk27tu3buHPr3i0Ss+/fwIMv5E28uPHb
wpMrXz75uPPn0KNLn069ekzm2LNr3869u/fvCK2L/x9PninF8uifgw+avn3x9UDdy9cN/+f8+7br
L50JW2T/kP+B9EGA9gxo4IH+IVigSQQmaKB/DBZ4oIIQlgTbhA9i6OCEKXG4YYADWnghhv95OBKJ
ITYooIQanmgiiy5SKOKDAEaI4or4hUQRiAvW6KOKPSZ4YpBDkhSikERW6GOEFia5JI5OMkhgf0cC
SKWKKXZYJJNPQgjkllASWWWXAk55ZZNf9qdfQjWVGOSUYSpJZpxzYklnnF9GuSCQcN7ZJJcVXjik
oH++1KeReoIpppwr2bknomnmiJObbgYKaKJ8ImrjpXlmmqmSec7p56NwEqqpoYrWGCqeoKK6aZKm
nv+a43mUPsmjrJhemuunovoZK6OVNqrlq5X+2iunrwrbZbAsRUrloMOuydGb1Npa6KgojomtnofO
SCKLHN5aZouMlqsqlM/eCGNLZt6o7oeHrtqrqTyqq6a0BrWJbpjiAjssrrsi+y+03nY7cKrnrlhr
o9ri6im7YDL74rbiGnuspC7RK+a3ikZ6LcUC66owlwaLDPLIKEN88MPNnspsuc4WafGoGGdMbb90
lixqgzF/3GmyEZsL8LyLJqxyyAQr26qvQ6eM48yJ1gzxwjkDzCvCjl4dNcsOX0y0pj0f7TPQB1d7
p6MyQxq11G2auXOq2s6MpdtVI/y21j3KK6HMdIf/3bHSTMvbLYg8i+ji2VDrPd55rL4ttId4W0kj
vB/bPaKGdr5rpIzg4uwlxxOPjSbHlEse4+QFP945jffiSxDbsMdOG+Oy156Y6wXZrvvuodHO++9W
4b4f8MQXb/zxyPPme/LM3yR8RyAJIL300U9PfUjWXx99S9OLlP1K2ldvPUnfY2+SAPZkP/5I6neP
/folqW9+SuVv7z375MfvPfzpn59+/eRDXwDFZ7/8yS+A7uufPZ43LQGaz4EFhKACJwi++1lQfxSU
oAPD978C4u+CFWSfBiXoQQWSsHoi9CD6IHhCDb4vhRS8nwvj18INvtCAMCyhAAXIwIPQ5IQxtOEF
/4GYvxKGkIUfjKH9gDhDlpCwhRicHxOjaEMhFnF+SjSh/5qIPxdacYU4LCIRiTiriUxxiEkkIxpf
skMQanGL/nMj/ZJ4RSwuMYpifKAd07hHGcJRjtvzIhbb6Mc8xrGHGjnjIPnIvT7OcZGQ1J8ijRhH
RxoRiZQcYwQnSEYwWrJ/U+SiBYX4RR1mEZSPRGRG/sdFTKrQJSzkIB43WD9NTvKUdcTlE2uJxw9W
8ZOo/KQnw0jJOxqTk3Ycpi9lyUNVXmR/O+QfKzmoRkcmsI5WPCYx6YhLbmrSm5l8JCHf+EhhnnKF
0uRjKV8ZyEoS0H7OfCYxmyjKcvZSfOV7oi7Pyf9Ne+6zn8o0ZzsHqpJ66lGSwPzlJk0ZzFxKESTx
FMhOlOnKDMKyoPcc50ER2stqMjSj2xRoQwPa0TmGEpDsXGgQCYpScsJueSxF5hqdiFGHalSbDy1p
I/uZRX3e8pUKrSkgb7rRYn5Tpn6EojsXGNEf+tKQo7zoR1EaUFrmUJ88zegIdcrErd7wq/7s4P76
SFSlUtGaVc0mUpsHTe1B8a0HFCEtr0nVaTIznXFtaVYBKNcEtq+tZi3mXvHKS5uK83qh5Ktd9crW
xjo2eTB9rGRTEtGKTPayK6ksZjfLWaZKpLOgfYt2QkvatYy2tKidCmRwEoAAjKS1sHWtSGLbWpb/
0BYktJUtbm8bEt2mJLewnW1sf1sS3/IWtyZxbW5/e9zX+tYey03uc6OrkuY+t7ckqW12jTtc7BY3
u8kVbnC9+1rpale8ur0udGRrXOeSd7fEnS10y4tc+dbXJdc9L3y/a1/oTpe94Z1uePvr3fYKF7zz
fW+Ci/vf/dL3wNt18H71q2D/8pfC2lWvhgm84eoAuMIJ7vCDR7xgAd+3JfnlL4LJ22H1ztfEKz5x
fQ1M4g/L2MULtq9yY4xcAdtYxzmW8YsRLGIYE3jGA2YN7X7cYhUfWcHpfTCOnRzkJ983ygHOspWD
nOIcixjJUE4yeH9c5R3L18zfJXOXfRxfI1cY/80IXm1NaOxiOD+5zlLO80vcvOUhg7jHWv6zm+mc
ZEJvGcdm5rONAYzoEJPY0Wdu86PL/OLxChk1jDP0mMXcWwxz+NN7nvSlAf1nP2+61DR+L5ZXrOkq
o7rEd74yqdOsalZHutCCHrOh5UyTVt+ax85lb3c7belRc7rR8X01npu73WLXetSrLvGwqfxrWOc5
yo32tZexi2xrA9vOkJYOcMnMbU4HGsZ8rq6oXR3mQJc32rYONm/x7N/ownvddiY3tsvt7nC3G9ws
zvW7ieya86z5wtR2d6pTbVt8q7vPADc1u7cda1ffm8nJPnWBY9zebNO3yxvvtsQfDe4P81omB/8n
OLD7De97P9zKU6a0yjUO7RGnXM9AhjjCB+5wiwu55Kf+8shjDfLpLNu9N6b3xj8+cxRHGMIZl7CF
f071b9e8wVdf+dQ7fWkKT1zYSNdw0bm+dalH/MTRdjlnGMGTZTObuuY974bnDnetM9vcu3V2vS0t
dJ+7fdrsBjiip630VxNbv4Wv+eETz2AMFzvmqY285CdP+cqPJLKWz/xLTq75zsunsqAPvehHT/rS
m/70qE+96lfP+ta7/vXbwQHs+ZKA2dv+9riHiOd3z/ve+/73wNfNPoJPfMnn/vjI92HxKa8C9CT/
+dDfCA2iT/3qW//62M++9vey/O6/Z/vgD7//+MdvmePxwvvoT7/618/++WC+NOHJrPLbb554tib+
KsE//XnSVCXPn7L/ZzvgYBsDCFH2Zw8AkIAAcBULGBINWBP6txg+BA4UOIAVSIH2cIEWKBIFyIEd
WIEkAYIgoYEjKIIZiIEjyIEn2IEliIEkGBIsaIEXmIEwWIMqCIMouII5OIM4iII8OBIzaIJCmBJC
OISepUoI6BYJ6IDOE4AlgRAsaIM0eIMpCIQfWIU2WIBRGIVTOIUx6IVSiIVWWINbKIVfaIZU2IVA
SIZhqIZg+IZciIVaiIYR9YAioYAggYdLiIB4mIcNqIB/yIRMGIh86IcLuIeFmIcGmC/yZxBx/3iF
aViGcLiGb9iGZfiFc+iGmpiCc8iFG7iBVCiJXRiHcjiKVSiJmZiJlMiGpZgRH8AYNGGHiqiIhHiI
gkiLgmiLd4iLgziLukiIPWGCoyiCZ5iFLRiCO1iEqsiJKmiEHpiDp0iDP/iJbgiJaCiGVuiDzkiM
yWiNaSiNwkiK+CGLSciLgfiAf7iE6MiLt7iHeuiLfIiIUGGNoliNxKiJoLiJzNiM/OiN2GiG+ciG
AWmKodiGBemP/ciKm3iJ10gd5yGL61iL5ZiE55iLEzmL5liOFbmLR/g6jZg7DVmPxSiN2JiKRFiK
agiK/kiKmBiCJCmSYTiSB2mMa2iSlRiNOP9pit5hE4BoiPBIkX0YjxO5jiNhh+n4i77ojkzxg8MI
gkHolPwohldIgkwZjvcoh05Zlc04jQa5hdBoj9DIg1ypg6U4lVe5gj0ok9GREPAwPDJBjiwBl/zn
hCQRgbIjjqtRgDtpFXKZEn1Jf3iJGoEpEtmwG+R3mBqRDcCxf71XmPSBmJBpEYp5fW0ZmYg0mZaZ
md+BmZrZmZ75maAZmqI5mp/FmKZ5mqiZmqqZmqTZmpixmrAZm7KZHu+3En95kR2ZGffnmj1UEz3p
Erd5m4nRk0FZnLO5G8wAExQhnCURnJdHl3ABkT8JjLnJm6cnnbSojkeJjkpZjnYZF9gpkRf/aZ0M
5JuIiJQaOZTqSZ2c0YfFeZ7HuTgTwZHouZEU2Yu9AZ1zYYsReYvVSZ76gRMbKZH9mZGkUZ8/GZ/V
sZxBqZ7p+ZtCmZ7/aRi/WaBAuYQOEQUAioTN2RPfeRobmnod6qH6CX8heno68aGHoaKbd6LgARfI
oKAyOqM0up8NipHPQQEjoaMlwaMUwKM1apgTQZQzwaKFER4/+qMgoaQkoaQ++p8uykD9+YvuSJRG
ShgIoaNAuqRNag9ayqVRWlkRaZ8S2oBXOhhIuqVeuqNc+qRhWofuiZ+GKItnOhfxx6RcKhJJmqRg
+qbcEYtFKae4yZyn8aV5uqYhYahqGqTi/4GdGlml7Nkae5qoTLqlPrqojFobtamcJXqkyoepLuGn
f8o7oJqp0iGqqDoWprqqPnGihJCqsBqr8MGqtAqBsuoDsqoUtbqrvNqrvvqrVeERVeA6CbgXhpCr
HtEUVTAfNwqs47Gs40iox5MHzqoazVqtoLGpWNGpmjGkxdod7bChqSWP2EobgCitJIGuFOqA56mu
fkmu5doa7hqopQGh94mbNzGv8boZRjmg7pmOOMqv+Iqe+4objEOOhwiMSGml3MoW5CqRyCotPHmH
6tiO8aiL9UqkkVqw1kGUGGuhDhoa/EmfHGuw83mR78iukPqTdcqX/1qlixixs0oV+jqcJf9bPNeK
GjV7szy7Ow4wedpqGvjXspwhs3VRGDv7nIw4of5ntEURi/DaFggbsE2RDyFhtTORD1prtVibE1vb
tT2LE8tJtQ6brjQxtAfRtWD7Emu7tjahti3htGihsNx5lD65su06pyoLsIVotxcriGhrEHBrD1oL
ElxLuFcrEm17uFi7tYbruI9buIlruIhLuXArt2dhnPeKkQhKoOz4sbton6DrnfMXHodbuVwLt24L
uY3buImrupMbua5LuYiLtV+hBH4KqHWLsesJjwSasptrt6Ibsm+Luo4LtqdbEqc7uLX7urFbuc1L
u8kbth8JEeKJowU6oOzYuxk5vB4bsx7/OaHLq7jk67bOC72wa7nPm76oW7mYaxYeu7IR6rllWrFJ
Kb9UqrCzGLggibyF27Yk8bXnG7m0a7ySK7tXC7nQ+75lkR+l27DkCxXmuxJdy8Bk4cBLS7QT7LUH
zLb5acH2Qb2uEbWxA8Lgca4AYMIqHBHnusIu3BAKWJ4ibKovXMNsMsOSYgQ4PBLLsMOGYcNADJI+
TKNB7ExFUMRInMSn94ouOsRO/MS7p8Q2DMVUzBI8UMVYnMVavMVczLOSIBPU0MXrJ8VkXMZmfMZo
nMbMkQ6RIcaqqcZwHMcA6sZ0XMd2fMeKIccLYQyoisf7p8cHIQex6sf0F7RDHKZurJmE/9x+jMMP
jhwS/CASkezIkTwSlSzJl2wPlDzJm4zJlKzJnQwSjyzKnZzJnHzJm5zJkPzJq2zKn5zKoPzKrEwS
oQzKrazJkkzKo+zJrbzLtyzKkBzLjzzLvxzKu3zMOpKZNYHKwBzMlazKqmzLzWzJtEzNtAzNwezM
zRzN1ozL3uzN3MzMuTzN2WzJpkzK2mwS4szN0/zM6ZzN7DzJ4yzPuMzOUTwR2HzO7jzO8EzO5fzP
39zP5azP27wSzJzPJSHO/3zO1fzN7vzQ6kzN8SzR71zQCR3QEF3PH3yiCO3MvuzP+xzL/NzLp7zO
/KzPx0zMJx3Q4OzLqMzKDL3NoxzS+/9Mzyqdz7XM0hltzB+NziINzujMyeCLmDTR0cBMzyMtzA3N
0jp9zS690Brtz04d0iA90N2M0fM8yzSNzQCN1FcN1FQd1RedzgTN1J53HiZN1lcd0+281FVt1eRs
01LN1m3dzQpd1yvN0FTN1XBtzwot1/Mc0Wqt1oj807pM057s1SWd1Dpdyivdy20Ny1jt1JA90KWs
0pCN0oqt1JQt1bx80o4d1zOd0qA91HMMHfZ8WYq8yKzd2q792tdxsrAd29n3yiMNy5r90Zft0ncd
zVqd0z792PW828Nc0bgN2q48zMAtzYYt2bp8y7X828Vd0c8d14c91asM3Vld3K+3zMH/7dtQPdHC
TdpvDdQp0dN/3dSBzdS9Xdd8ndBpLd5p7dBdnct8vddm7dlPzdxend+ktdNLXdZuTd/mDdhV7ddz
rdFhbdTgbd1G7dkWXdOCPd8F7tabbd8YPtbWbNIZDdCpJeENLszKjd4zLdAgntQlzdXgLc/PDNMu
ztgvHdrwPNroLdMxDs37rdcJbtwUPeMqXuIEvtNAPnlbHeAZrhKLfd0OTdf9ndjVzOLlfdQe3t7v
LdbYLdYTreMmbuGTzeO3vd3zrdv+HVr4bddHft7qLeX1bdFcjuEG/tYIbt0EfuZfLuFjHeZwHd5m
3uXlfeFl7uEfPt07jtXOzdnvfeGf/53fdD3nuC3jTd7e1W3oOS3gKZ7XIx7jlc3TKZ3cLd7TSq3Z
hA7Tsz3qpB6vhjw7gCwcpU58pz4bqY4v193omK3VKC7LmK7fyJ3n8vzqElvluC7TUL3edm7OAm3e
9B3JvCkNx1fUAz7oUv7nEc7mGd7fEP3mq74anc7Zzh7V1E7jv2zW1b7hCg7ht6ENeCzgMN7jzE3R
Bw3oL63eUB7W164a7d7sQc7Yam7n4bzex27l8+4axH3Xic7WxvzOSS7nho3Xqf3vbtHqBcfrAeoc
EP8bDN97Dl/xcdubGH/W+HzpMX3Qgg7uLk7M5M3fHo3owB3whH7mp9zly43MXt7cLP+f2Zed3cd9
8jRO8CJ+7JNu1bIu6Lveenyu8NK+72p+zdn93e5N4fhO5SBv4kxP7EoP8xQu1NLe2DYv9YyuzvU+
83vu7yoOzK439M9+7+5O3doM2B0O1kdv71TO9vrO9mgu91AO9iu/9gc+7tOe5z3+6GQ/7guu7siu
8TOx6IBf7CKf8+xe4ete4Tat2/u98nqv9mWf8Ixf93XP4+FuziUe76KO5Yle0Aef5m7e0oq/7gvv
fPNp+PGO+Ebv71tu6JP97oa/9QaP1EBO+7U+5EBP7ZJvyyEe7fct8Agf8m2/75j/1bgPpaX3961f
9Bre5MK/99A/51+P7n4u55B+/LP/7/rdj+Kiv9Znr+fqDu6Tr/zkjEhFDfNG/tzE7eQ7X9+ULtIf
T/IkD//YT//IrfP5H+myDxD2BPITaI/fQYIIDxosONCgQoYFCTociLBhRIcKE0rkeJEiRo0PLU5k
SNLjSZQpVa5k2dLlS5T/ZM6kWbMmTJw5de7k2dPnT6BBhQ59adPoUaRJlS5l2tRpUqJRpU6lWtXq
VaxZtW7l2tXrV7BhxY4lW9bsWbRp1UrFtdbtW7hx5c6lW9fuXbx59e7l29fvX8CB6z4lXNjwYcSJ
FS9m3NjxY8iRJU+mXNnyZcyZNW/m3NnzZ5mC7+oRXdr0adSpVa9m3dr1a9h9QdP0/zfb9m3cuXXv
9hybKAHfwYVf5V3c+HHkyZUvZ97c+XPo0TUP1wqLekE317Vv597d+3fw4cW/lV7e/Hn06Q2PZ9/e
vUD18eXPp19faary4+zv59/f/38AAxRwQAILNPBABBNUcEED33MwJQYjROpBCi+SsDIozqtwQ3su
9HCmQw4pKMQRRSyRRHtCJFHFFEdMUUUTBYJRRhQ9mpHGEnO8EUcaY5wxxhZfrDHHHk8ckkchgWRR
xoZEhFHJHZe86McofazxyRY//PBKK11s0kYmmQTySzHDJHPKLnH0kUgzx7wySJTeDHJMNL2c00sl
7ZzyTDdPcnNNOOEUUUv+dnKyRf8TEzVz0TDXpLPNO88kU9FDD20U0kDLRDQlRSN99FJBM7UUUzAZ
zbNUUDsllcOhyCHOsEo9PXFWSBOVstYjM01101E7BdRWS4PN1Vcuh210yT5P1XVVUYc8Fdg9mSSU
wAmS8rVHOvsMVVU0URxVTyN3rVLOPNME98ZeOUXWxWT5jPPcdxdFV1QXp5XwWmVNrZVReHXVVlNK
owV1W0kDLXdggTcdmFtAUQ013ocBLvgzYezlrV12kdW4YSz79ZfFg7/8F9Fiv3XyVoO33THllW9t
GeIiu1U25IgHtXg+VnPWeWeee/b5Z6CDTu0wof262eKik1Y6rMM4ZrPjJFNuEuT/YsHF9uQ/w73a
RjnlNVfKclHuOl8rnZ6aSJuPJtRQO82VN+F8ZY3UTzzPxvTTh7t+EW08HdXT2WbrXnhSqZf+LtZf
3YW74GvnRlXVxjV1mNe3Ed8zWKkhpzdgkf+WfFnDr7Mc4YaNPHJjWkEXFHDHsR5ZYZMpxzhWweO+
89vbo8Wa39ADI3r0qNt2+FPaFVbdb61pTth41jlnV8dJXX4cd+cvDVjtaVFahKXRZ2a84Oflxjtx
lgWnm3TC52Y4b8Ul1fzz3FXv/S+ia24f28KDR55kY/fNuORs6S1uZfNclO73tphZbW88Shv2HDih
+Q3mgRM0SgQlSEEMZlCDG3yO/wU9+EEQ+iwOISRhCU1oFg6mUIUrZGELXfhCGCYlCjGkYQ1tqKAT
5lCHO+Th0m74QyAGUYhDVE4PjWg4IiZRiU8piDWO+EQoRlGKwVliFa14RSxm8SZT5CKrtPhFMIZR
jCrsYhnNeEY0zmWMa/yiEdl4tDTGUY5zpKNv8lFHPMIlH3vkI0r4uMeG3PEkgrzjHw3pEUMK0h6J
BORFFBlIRi4ykZKMpB//GEg/UnKSi8yjcA7zSElC0pGEBKVACOlIlYDylCwpJScHuZJWilKWsVQl
IuHzxhe2UpG6NKUrMenLXqaklsAU5iuNWcxUGpOWqGQmLnOpzGKusiDSDGYmf/8ZS2ZmU5vH5CYq
l/nLXzrThcvEZiGreU5wcnOXLeFlN22JzFd+c5rvFGcLyRnNeebznZa8pCkrmc5pRvKf6NwmJuVJ
UEHWc206uWcmH7lOdwKUmvAEqD6teVFbHpSYG5UjAADwnobGk5kaLag5WRlRjlZUpb3UaCmxGUeP
tqed5STmRC26z3m+9KYE5elKe8rJluK0kx8dTzs5alOTCrWkKS1oSnX6VGh2U6edtEdMV/PJUcoy
oDxtpFIl+lOVkrSpWvXnTl1KT4U+BQDT2iQi+9lTsQb0rYx06STpylSwyrWret2rWW+ZVg66EbCB
7eFgL0RVxLbGsIvNXmId+1g9yEZWsiV8R2wYe1kPTVazfMFsZ5kiCf9sloeA6A50ZOFZ1KZWtRgU
bWvtslrYAsi1s5VLbG1bKNrmdi0BAQA7
------=_NextPart_000_0009_01C70149.FE601AA0--
Received: from bny93-3-82-226-2-152.fbx.proxad.net (bny93-3-82-226-2-152.fbx.proxad.net [82.226.2.152]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA5KJ18V031735 for <ietf-pkix-archive@imc.org>; Sun, 5 Nov 2006 13:19:01 -0700 (MST) (envelope-from yyazfgdfum@proxad.net)
Message-ID: <000b01c70117$a331e460$9802e252@MAISON>
From: "Cadiz Menorca" <yyazfgdfum@proxad.net>
To: ietf-pkix-archive@imc.org
Subject: double
Date: Sun, 5 Nov 2006 21:19:03 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0007_01C70120.04F64C60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0007_01C70120.04F64C60
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0008_01C70120.04F64C60"
------=_NextPart_001_0008_01C70120.04F64C60
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Bush pragmatic toward suggests!
Pdf files contacts or app designed fast or seamless?
Ace Powder am mayhem ultimate Cork Bowled!
British Wing a sang at eighth thefirst series raise money in. Seahaven =
Towers Cruel Freecell a unique is pc.
Donations is keep running or. Scorpio Galaxy or tt ttt yy Choices Buyers =
is Sidebyside. Languages Pmposted Smit.
Flav looking of his. Determine desired Finder of verify close buyer.
Rants am Percent Vedana id Career Corner Password forgot Luxury a! =
Trylink in flyaflya Chinaits is learnthis in layout type.
Businesses Home Games page Mentioned is search web Images a News. Going =
a the Doctor.
Different comes most seeing tvs called visible am.
Businesses Home Games page Mentioned is search web Images a News. =
Columns Fleckies Ryks Quicklinks Soccer of Cricket Formula of.
Television commercial Levisjeans matching beat ekg machineit. Reader is =
Reviewsthe Newsthe Screensthe Imagesthe.
Needs again soon June December.
Email Print am ad is Tell about is Site map is Advertise rss. Lenssens =
Facts Scobles Scobleizer Rael Dornfests.
More in Casino or Gambling am? Pdf files contacts or app designed fast =
or seamless?
Reviewed editors full. Rugger Horse toff Frankies Virgos Trick Trumps =
gym. Newsgroups Microsoft Statement is. Lovethis licensed uses material =
Love.
Bnet am Chow Cnetcom Channel mysimon is Searchcom Webshots. Rugger Horse =
toff Frankies Virgos Trick Trumps gym. Ask promptly went bought.
------=_NextPart_001_0008_01C70120.04F64C60
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"Office" hspace=3D0=20
src=3D"cid:000601c70117$a331e460$9802e252@MAISON" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D4>Bush pragmatic toward suggests!<BR>Pdf =
files=20
contacts or app designed fast or seamless?<BR>Ace Powder am mayhem =
ultimate Cork=20
Bowled!<BR>British Wing a sang at eighth thefirst series raise money in. =
Seahaven Towers Cruel Freecell a unique is pc.<BR>Donations is keep =
running or.=20
Scorpio Galaxy or tt ttt yy Choices Buyers is Sidebyside. Languages =
Pmposted=20
Smit.<BR>Flav looking of his. Determine desired Finder of verify close=20
buyer.<BR>Rants am Percent Vedana id Career Corner Password forgot =
Luxury a!=20
Trylink in flyaflya Chinaits is learnthis in layout type.<BR>Businesses =
Home=20
Games page Mentioned is search web Images a News. Going a the=20
Doctor.<BR>Different comes most seeing tvs called visible =
am.<BR>Businesses Home=20
Games page Mentioned is search web Images a News. Columns Fleckies Ryks=20
Quicklinks Soccer of Cricket Formula of.<BR>Television commercial =
Levisjeans=20
matching beat ekg machineit. Reader is Reviewsthe Newsthe Screensthe=20
Imagesthe.<BR>Needs again soon June December.<BR>Email Print am ad is =
Tell about=20
is Site map is Advertise rss. Lenssens Facts Scobles Scobleizer Rael=20
Dornfests.<BR>More in Casino or Gambling am? Pdf files contacts or app =
designed=20
fast or seamless?<BR>Reviewed editors full. Rugger Horse toff Frankies =
Virgos=20
Trick Trumps gym. Newsgroups Microsoft Statement is. Lovethis licensed =
uses=20
material Love.<BR>Bnet am Chow Cnetcom Channel mysimon is Searchcom =
Webshots.=20
Rugger Horse toff Frankies Virgos Trick Trumps gym. Ask promptly went=20
bought.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0008_01C70120.04F64C60--
------=_NextPart_000_0007_01C70120.04F64C60
Content-Type: image/gif;
name="Adobe.gif"
Content-Transfer-Encoding: base64
Content-ID: <000601c70117$a331e460$9802e252@MAISON>
R0lGODlhoAGUAYf2AAACDoQAAACMAIGEAAgAjIEAfw54jbK/s7HesqPJ90UbBGMrAHgUBKAtALor
DukTCwA8AylEAUozDlg+B3w7DqE1AMhEAN1BAAlmChZZAEpZAGpXAHJbAJ1uB8ptCdpaBAWIABJ/
AD6DCmJzAH54BJN1AMN9BdSMAACXACuSADGSC16TAHubAJKlALijCdmUAADNBBu8CDexC2m0AHbH
AK3MAMG0DNzOBgDnDSblADLnAFrsAHfkCJvlCMbmAN/cAAAMMiEEQkQARVEARIwAO6oARs0AQdgA
MQAcRy0VNDwbQWYpQngfOKYbP74YO+UTRwNMOCdNQk4zPlNDQY47PaQySs1GRu0/RAhrPB1cPD5b
OFpSQntqAKhfOrFTQ+ZfNAB2QSt7NECLSG55SnuESJd3TMSDSuV5QQyjMhKtQUebP1qeQYOfOKaU
QsSbOeChQwC4NBrLTkzOPGS5S4WzP6i7Ob/DOuy3RALjPyHsSj3gRV3eP3PuSK3cM8LRNtnVPgAG
exwBgUEAclMAc4sAc6IAdMEAfdkAgAEneSgljjsWeGwkhIMrdKYbcroiftsfdwBEdS40h0hLfl8y
gXRMh506hclEc+Y6iQBldyFmfERgd2tueoNkeZ9md85hd+BZewB9dxSJdzdxiVZ6gIKBiJeJeMFz
hN+JcQ6tgC6gdEureFKUdY2pgqini8Csg+mXiwfHex64djW6imrAc3fMh6O5d8S9itrHiADVdhXY
cTvke27mjoTthp7Scrjte+rUiQ0OzCsAy0cAwl8NwoMIyp0AtcoGvdoCxQAovCUlxz4fxVMntYos
t58ZvM0gxOMdyQBNyxQ6tT8+zl1LuYo4uZs5ybE0sdg+wgBgxBdRyU5Vu2ZqtX5lyJ1Vu7hns+lb
yAByvRZ2zTuJs2CLy3V/wZx8vMN2s9x/vwCStxKfxj+svFahuXGgwKuUt82luuKZuAG9sRPLtDfF
v1Sys420xaG2uf//8KSVqnd+f/8ADQD1AP//AAUA9voA9QD/8P/x9SH5BADD2H0ALAAAAACgAZQB
Bwj/AP8JHEiwoMGDCBMqXHiwBMOHECNKnEixosWLGDNq3Mixo0eB9kKKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjKz8qXcq0qdOnUKNKnUoVJNKrWLNq3cq1q9evYMOK
HUu2rNmzaNOqXcu2rdu3cOPKnUu37stldvPq/Vm1r9+/gAMLHkx44d7DiBMrzll4MIDGkCNLngx5
MUwAljNrjku56uPOoEOLHo1xs+nTqFOrXs26tU/SsGPLnk37o+vblk+dws21tu/fs3WfAu6bt/HF
wncfH0q8ufPRwp9Ln069+tLo1kEv3749u0bu4MOL/x9Pvrz58+jT0034gWT7ke9Ffogfcr79+/Dx
26MPH+V9+vzJt99/9pUUYH0DEphggfIReGB9+jXIIIQmzbdghP9V6GB7D3LooIEZSuheiCeRuF+J
FzL4nndMAXiigDB2CKJ7Lxqo4YgIVkijfyjK2F+OK1n4o5ANUjjjgzUCqeOPNiLJpJIABnggkUZS
KSCSK7KoVI0cwhgjijvauGSYQ4Lp5Zg0+uilk0+S+SV/XarZEpw9skTnmWy2mWOXafJoj5Zbxsdn
ki/KSaieSiban6FOysjomX6i2Sedg7oZpKUI5kmoi4pG2mSile4IqEUpCcrlk1Ni2umhWB4Kaql1
Sv9q6qVmfnrqiYbSCumVdrY5a6+xUuopeAmd+muSqSIK4YZi6viofxt6qCCny5q4qquZAvmetCFO
qBKc0aZoZYphanrtoC4y++KoCvkzUaFf4inrsLu2+myti5YY4bXKYosrr9l+O66bjgIrL5T7noss
wEuyS9G3xuanIMH0Kmovvo3G2uydEOObb8D/zgmrsqF6/GuuF5fZ6njFhuwyq80qLKm/Jb9a8cuo
9ttvylD6G/PPBeu65q4W83hnzTk6zBHIlUr5M7a5urotxiPbCjTRMxM9tcZCX+2swUNrnfXW+eap
9EZGFrkqx2ozjKmVRDqt6tpQi2ku3GlXaTTVVdP/rSnbUT49II5SI73u2RlBSi3FGqrosYTjTjx3
3cymqm7jcO9r74cXdu0o5xJ76y250IreI+dZIn6ReqzrpXpprcc+1+sMyW777bjnrnvrLe/ue2+0
o/378FkFLzzxyBtlfEQqCeC88yE9//xI0kMvkgAsTX+99M1jT331JYF//UnYV889SeZrH/35Jpk/
PkriR4/+/PTXb0/895N/P/7oe9//+t7z3/zcFz72CdA8BXnGQPJHPQa+z4Hyi+BKBHjAAzYQghXc
3v8geMEHNq+AG7QfAy24vg1SEIPtq5/1NMjB8WWwfSRcof9W2MAKnvCC3lteRkjIwRmqsCU+dEkA
/zsowRhKUIQ8DJ8Sl4jEIxLxgT4MIhOLmMIWyu+FSsygFMuXxSomMYc6rJ3+qgjFH2bPgxM84gu/
aMUeAlGET3SjFdnoQC46sYNS7GIKsTjAPlLRjUZsoyDVw0MsGvKNd4QfHhepv0LCcYxojOMN56jI
OlpSkZPUoyYTOcL3bdGJdtzkI1mGkP3xMZOZTAkFaQjJOsaPjY6MYysFaUECUnKMUYxkDWV5xUby
spMR/KQa2xhAVjIwjKvbXjHVB0BWJvGRzLRfHoG5x1k+84l0xGYi6TjEYH7wl6EcIPvIGEphUjGW
ynyfRwDATuu8pJxm1CUZ56lM8dWSlsQc5RTxCf/HcMrTkrn85j/96cJ/ArSMoOwlPT0JFHaycy+9
26UHUYnIWd6xmxKtJj2vicZsRpKg/MxfQFWpT5CKFJxENKc3A+nFkDylnd7RKEJnKtCFthCjDF0i
Ojm5z1v2M59ThCdH76lTX/Iym9M8KUv3iUyLrLGo9OPoH3XpSEPa8KM9tagzl0rNEJaQhWCt5PdC
SFSilpSmGrxqQiPYVIWo0oAyraEtvzfDcR7VlNHEay35x9NR8rWeMpzrX/ko1v7l1ZZc5af2qspX
/El1ORFNnmSB0taHTfayfKmsRDDLWZ5o9iCdDa1oTxLZ0ZoWLbM5rWpXy9rWdjYAASAJbGcb25H/
0Ba2K7ltSG5b293qViS9RQlvZ2tb2grXJMH97W5PElveCle5sg2uPZzLXOlSNyXQlS5wS4Jb7ibX
uNtFLneZW1zihle21e1ueXur3bzUNrnRPa9vj2vb6aJ3ufXFb0u0q975ije/07Xue8lrXfICOLzw
Le547StfBiNXwP69r4K9G2H/9rfBAf7vhbvb3g4f2MNw6d2AMcxgEEv4xA4usH5Zwt//Lvi8IG6v
fVX84hXjN8EoHrGNZezg/Da3xsstsI593GMbz3jBJqbxgW9s4NSqZMgxdvGSG8xeCfNYykWesn6r
TOAua7nILe6xiZlMZQOLd8hZ/nF91XzmHSMZ/708RvOYg0zft7QMxzJmM4qz7OY+87nORiYxnQV9
5DZ/WcliFjSXt7znQA8a0SVG8J8LDWk5T9rSQD4yePH7nBUvGs5mLu+JcZxol0Ca0HqO859TDegw
M9rFeP7ypVM8ZR0PWNWfdjV8Vf3qTDc31n9yjqcVvWrscnjTvjUvobHM61DPOs8BVvaDpS3fTwMY
z8jO9HaBfW1a47rbo952na2NYT2TudPDRbO4sexlMJfZ1I12tJ/HC21yg3u94IV2tH9rb1S7O83r
LrShJZ3jQcOa2KC+b23R/eaGx5veH444vGV95VMbPOHyJjXA+UxuKAMa42SW+MVBHumCC7zG5v+u
9cYXLuwwR1nbA++1zHOr7StvXOHtdrSSXX5wnFNcwxB/uLpLvmZfE33JKS/3zV3qnHrHd8f6JjiR
fb5fCk/44xm+Os8bvfWgA7ffKc8zhDnuaiSPvcNl/3qFsx5wKec6vM+pN3T3fWHvKtvDeL8uu5Nd
973T3e53ZzfeCTx3p8P87wj/+delHfXEI/7wixdwf1keG9da/vKYzzxvSqv5zgfls7EhA+hHH0bP
mx49pE+96kXDB4+c/vXkWb3sZ0/72tv+9rjPve5fB/ve74QNefkLDXZPfMmwoTm+T35OgC/aJShf
dsyXS/FrXwzQH784z89+TaJv5+l7f3nXd7L/9scvE+6T//yLMb9avs/+9rv//fCPv/znTx30238x
9O+IIvJ/+/v7//8AmBU6wBVgYBb8d4AIaBUBuIAhVkquA1oq4YAMyBxKM4FtAQ6LgYGs0TIOhRlH
4YEhAYIzIYEoUUrgcIIYiIInaA8qmIIjoYEvCIMoWBIzGBItaIM1yIIraIMvqIMwiIMreIMi8YMp
qIIsOIRI2INDuIM+yIRGuIQ7+IQkYYQ5WIUoUYVWGGwOkxIiiBQPFYJg8YNJeIRKyINTKINmmIQa
KIZiSIZkSIRvOIZpeIZIyIZjCId3WIZuOIV1KId7GIeA2IZpuIZ5eBxdGIJf6FD2kIiKiIiI/5iI
IiGCmOGBlFiJkwiCX7iIPSGIaKiHdhiIfAiIfmiHcEiIf3iKPEiIbeiCLliGn+iGgjiIsGiGn2iK
phiKfSiLhlgSmKiJvjiJkTgSwAiGmtiFlOiLYHiMxUiMh4gTOQiLNYiHagiENOiEWHiLqdiDWRiD
TEiLRyiFrPiHnViIqAiEa7iN0WiN46iH3/iMsZgZCXGIvaiMw/iLD9WLyyiMkWiJv5iMjSgSJEha
EKiL4siOT9iK2uiHCbmQ2biOc+iKCNmHETmLrqiQeeiQCYmGGFmQ44iBZ8OFJDGPzIiMw1iPx2iM
+niSI4mSQNGRuLiHpfiQtniFuhiTFGmRMP95iuH4ijeZkyahkdPIhzMpit5YlD15GhzYiEq5kv+o
iPiIjMEYlU45kosIiVpYEElxEFIIjTNIhV3JkNJYhF3pjt14kHc4lu6ojeCokGzYjeJIllGYhWaZ
jakYjVAIhXBIFWWgHTPRjCrhlzoRkCYhmLjzjnmhgaXXl5dBgQaRlY05PIZJFzD4EZ/wCQl4mfBX
maNhgQtYmWyBmaAZG5oZmqR5EbWATKMpG5xpf5+wmq75mrC5mqUpf1uQf7E5FDNwm7q5mwY4m775
m8AZnKPCm8SJFJz3GgMZfMKZgIoJkiNBmLOznO/Hhf+4EoBJjG/RgVWJiZl4ncVpHN55Et7/GZ5k
wZL0iJ3fGR4sWYz3aInceZ5sYZ5USZ7p6RpN2Y/9KJLJiJ5qoZTd2Z31iRsRpZL4aZIkCZVXSRBn
AYz6CZXSOZ3WuZ8FeqD6SZ9jUZLzGaDqWZ34eJJNaZUW6hXaSaHBOKIMWA2+E6IauqIooaIs+qIw
GqMCmZw1AZ1kYaMu8aDFJ6OmlwlrEY/VyZ8pgaNi4YAUQBJHahJJSgFJqqPw95QxQaRhUUpMyqQh
YaUlYaVLmqDUcQxOGhUtWqL56J9RmRhHmqQigaZpag9neqU8ihjxWKIEmqFcqoBpQaVqyqZI6qZb
+qW616JLKaGP6KJxgaVuOhJVWqWH+qaa/7Ge9YighNoWbbqoajqpecqoV0EGROGoj9ipCLoXiZqm
WFqpV3qpmBqdNEoTUgoWRqqqfsp+jJGqvfmYptoSr4p7p5qrJHGrvMp7uvqrvRqswjqsxCqrv8qj
xZqsyrqszNqszvqs0Gp7x6qr0Vqtv0FZxvqj1up92PqYnLGt09etWCl928oExdeBkfqpq4oV77mP
TAeus/eXNpGuXWGiYzqtSOmAkkigI8qIxLiuH/ipGAqvOyqwVYmdGIqPAPuB8qmJBEt86DmVCLud
j/qu43qhT3mMDyt78rqSZfqoULoWDKqPn4qvq7GvIOuf8CmyKluJJmsax9mxEZitXEGeG/+7ejgR
pHZBry/bsz77s0A7HjwbtLmjs1khj0LaE/kgEksrE/nwtEvbtDgBtVJLtD+hjDXLi0YhtVXrEl3b
tTXBtVZ7E3FKku26nZ3KiJforhS7j/56sPzYtv86kAghtvbwtCERtXfLtCPxtXrbtFCbt4EruHjL
t3m7t4crtgMBCjdbGPeZjxN7npIrqAYqppBbuR4ogaWkt4gbtWILtoMLuIDLt59ruIQ7uoe7t03b
uH8Rpu8JspbLr/54j5Zrjwlbu0OruqeLuImLEpxrt7rbu6k7vJzbubw7tjGxslBZoRI6pyTavPmJ
u0nrtcZrusFrEr9rusW7vX1LuoZbvMj/u5jMqLaeOrkFSrvjS75japX4SRNVG7hfWxJU671MW7h2
O7/1W7h3O7jHG76YBbY8AcAqIcD+a7EXC6d0S7PyCxT8S70Aybp98RKYUMALCMEWfMEYnMEavMEc
HK4UzBLZ8MEijBP7cB4dfMIoPBu7kMIsfLMjzJuhoQO5pw4tXMM27BcvvJs3vMM83MM+/MMLlMOd
NwCZ5X5IAMRInMRN0QRbIsRO/MRQHMWHocQtLMWyScVYrHoOkcVc3MWFYcWc6cUcDMZkXMbpIcYb
bMZqvMbEgsZVzMYGLJ1w7H8xC8Z+qhL8kMciwQ8jwcd5zMckAch9LMj28Md+bMiD/MeF/4zIIaHH
jYzIhHzIgmzIhLzHimzJkazIlLzImnzJJcHIi4zJhdzHj+zIiYzJpizKjbzHnKzHnqzKjGzKspx9
xTLJq8zKgFzJlRzKtxzIn+zLn6zLrIzLt7zLwDzKyIzMxmzLpNzLwxzIkfzIxHwSzGzMvZzL0zzM
1uzHzczNo0zId0zNvhzN2NzM2uzMz5zOyXzOz0zOxYzH2bzKy6zO0azO7/zO2LzN4yzOpGzLwrzO
/dzNygzQ6CfM5JzK6FzOnGzOqCzJ1WzOBz3JrwzRAJ3LqSzRjlzPxZzR14zPpXzM8gzKFS3PpWzR
y2zS9+zKvGx/Bh3Qu6zLE53MLw3SJf9N0cTMzCgRyzSN0//szPUMygqN0BpN0ibxz97c0vxM1O5M
0KdXy+ys1CA91DL9ywy9zjwd0AMd1VRN0Fdt0xT90z6900+91f6c0OiczkeN1XxcrB+Nyh3t1hEt
1RUNyV7dyh29yVZd1LL8yhjtyjFd0xGd1yKtykxN2NdM1z6d0XsN0YDM1q5hza0VznM82ZQNswtb
2bZKf5jtWfSnyQy9yXEN03590TjN1Xsd0wg91SHdyZ5N1CXtzYedyaOd2qfd0Kf80UB92rD9zcFc
2ib90p5c2z/t2bZp0fbs24Xd0xJtyfQ81sFM1vE80lld10Ft1jn90Mn91l0t3a6t3Vj/XdR63c1l
TcqwmtNQfcxLvdXePdAKPdKQ3d4kndZVDdszHdZIbc/sXM76rNpgzdXf7d7/XdX3zN7dXdiSpd/+
/doO3dvrjeBS7dBG/cvc/Ns1vdIJ3soqLd4UDswoXeGG3d4IrtUPntcLreED7uBtDdnJE9T1Ldgr
seAVvtzN/d6ozdvwfd8tnt5mTeMcXdr/DeIDjtYkHs89TeJAfdj7LFpAjt4BDt5FvtvKfdZh7dLT
bd3vLeSq3eT2HeQCfeLtLOJMPuTWzdv5Pd+SlRCtfdbIjdcxDubHPcvgfdztDMmITebUTdixLNLp
DeFfPdt4fsl5Xttubde9DeULHder/2ybmx2Y37fo2lfH8OjGibkakj4dgyBGjv5/dM7atA3nCc3a
eB7nsf3lBZ7pN1pKRY7f1YzcXR7i0PzU1U3Sla5DLS7gLb3kZV7l07zbBJ7Ws76F/Mzptp7kvA7o
gs7U+SzdE67rpj4WaK7ltW7nqR3f2TzP0hzhyz7Kv84uKTHeNL3eUk7mIW7tXk7tKt7srOqAm+7p
0Mzqbe7aMD7lJU7q2r7ttNMa9n7vG9gU6ZDvhIHuAB/wAk+0nK7R/pzhUh7opM3c0nzXCC/TE73u
hq7jkjzkg73SFB/qRA7XdM7coN3PCv/ZGD7VbJ7lfP7xpd4dqD7sDS7gJE/NMo7x2v+N3epN7998
8PlN8+Hd8DcP6/at83Pt8a/+1snt7Rsf5nZu5YlOe2J+0/zt8kZP5eNu5ASe1Hee1vKd7ElP1Vqf
7cXu4lpv5suO1NtN7P4t1zau6zhep6TX9OY+1iet2EKd9lk9973e1h8u5Mne9R7d4bnu9Vs/8dTe
7nt/8xwt7bd9zvHO3VIf48ZO3kyP9mMP96LO638P6FR/7S5v8t+N8Ie/3A+O+Zo/+hsP+jWP4oyt
6qk/05JP96lO32w/em6f9jpP7paf0i7+9D5f+Xr/40Ee61t+9LWf+c1d9ViO7CLP+lDv+mK9zrUX
3EmN0Xat58bO10kO74fO2KR90Yn/DOSBbfDWX/ra3/3yLvHuXecmH/Egn+Y+Tu+gXefcXHsDrzyf
ZbTzb3n2ev+qdRAd6O8bCxAAAPwjWNDgQYQJFS5k2NDhQ4gRJU6kWNHiRYwGMWTk2NHjR4v2RI4k
WdLkSZQpVa5k2dLlS5gxZc6kWdPmTZw5de7kiRJBT6BBhQ4lWtToUaRJlY4E2dTpU6hRpU6lWtXq
VYhLtW7l2tXrV7BhV1qMh9XsWbRp1a5ly1bsW7hx5c6l27XtXbx59e7l29dgXcCBBQ8mXHjoCsOJ
FS9mDNbvY8iRJU+mXLDxZcyZNW/m3NnzZ9AyK4M8NNr06dPUKIdm3dr1a5OoZc+m/13b9m3cuXXv
xgrb92/gl3kPJ17cuMTgyZUvZ97c+XPo0aVPp95yYXXsO49vn5jd+03u4f9+J1+++cJDh0amX6++
PXt76dnLj78+vnz3IvHrh29yP//2AvwPQP7y2y+/+u7rL8AC31uQQAURpE8/ktTDT8IBJyzpwAwN
7O/C+sTL7ZyLPvTQvgr9o5BCBFNkcUUXNzwRQAMZhLHFDxNEKccEW5QRxR5RlBDIDWPE8SQca9RR
R/VEFC8lC+tzb0oYq1yxRh9vDDJGF6mMMsortVzyRSmhDHNLJM8sM8UhrQTySCKJpBJNJs1bDL0y
5/Rwzzd71FDLP93c8ss1BxWyQf8vGyzSzz191HPCI9scs08uFeTyUThDdHJTg/Qs0NFFsRQ0QjIr
/fRMCzXMsEow71vUwVKzPLXOSI3cMU5ZlZy1VS059fUfTyW1cs41cw1VxUsNzRRNUXFN1tM07VNy
WlujFdNaXYut9FfjzGSTTUjD1RVEZ9088Ft05bT01CEHZJVWd9v9c955b63wQVIpjVVfO/v191+A
e7ouYIK53ZRg2AxWmCOEX1v44ZAabg1iihPytk4IySVV2I1NzNbBVJOE9VNHeWR1xnWXDFnka1V+
j19XCZRV4tDwvPZBjoWFE9qZqbXRZ2wzvpfBaZtVud0f1SS2TV6bxEiZig8mFGj/jJMtl+eLl1az
0FdfJDZPrsHmGtqwweS1UKZd5guGqCEDm+qPI8QZPlVNRjZlQ6UNtNax3y4y0bRdPvbsRLtc1+m2
E0fI71lbfjfNViPP+mi60+0a7cAJZ7Lpxic9cecxC4+y7SSiVmnqxwVXF3JUR8X4a8knpVTn1reO
XVJQDwV0cNdprlmhm6uFVWdIpdUb33Fd7jDQlGk30u6VV/f8+WV/plJxcRQfz/fPtKeYe/BvyiV8
8ss3fzDv01ff1/Pbd78mPvh4f376aZKfpPXz1583Pvb3/3/e1E+AAyRgAQ1oHQAmUIGjOWADHfjA
rqQDghOkYAXlskAMZlCDG+Rg/wc9+EEQhlCEI7yKBU14QhSmcGIkZGELkaNCGMZQhjOkYQ1teEMc
5lCHO2TJwE7owhCmEIgL5GERzZcPIyaRKAvJRxOdiBInNpEkSDwJFZEYRSyaBItUtMcWpVgSLk7R
i13cIhnHCMUoThGKZixjF0UyRAWmJIxkFCMYrThHkVgRjCqZox5Zgkc3VnElgKxjIQnZRy0q8TmA
5CIj8xhINULykXLcoyQpmUhB8nGQmTxkJSOpSOY40pJq9ONISjnJNUaSkJ78JCszmUpBdrKVqASl
cjq5yivScpS6ZGUjWyJKTF4SlomUpSmDWcvk3JKSvjTmK6uYxTyecZbRLKM0ef85TWMWk5erROZJ
mMAZZa4xjMw8ZjlPKUxs7jKd13ykNkfJzW5mhoniXGYl3elKN8LzmvfE5zpz6cx3vhGOHRQlLi15
zmYOs52/BGhCFdrPhQIUj1QcKEFfWVBiPnSa/9xkOR3a0H4iVJerrOj/0ElHU/ZRpF/06CxF2lJ+
rjOadvxoQCEaz9a0UYtprCk7ualTL060mmOEpz7ZKFSe4tOoOGVqU8vnQxOWdINClGpVrXpVrGZV
q7Vxale9+tXvbFWsYyXrwkRRVrSmVa1rZetTwPpWuMY1OW2la13tetePfIUKcuVrX/2qE7wG9kl/
JSxQBHvY4xRWsYtlrFgQ+1hPyEYWrY2lrHleUVnMZraAkuUsVzX7WdCGVrSjdUlnTQtHd5wWsV8J
B2ld+1oYqla2k4FtbW1L2NnmVre75W1v23pb4AZXuMPNoW+Nq5aAAAA7
------=_NextPart_000_0007_01C70120.04F64C60--
Received: from [58.242.152.156] ([58.242.153.248]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA5FCTHJ007130 for <ietf-pkix-archive@imc.org>; Sun, 5 Nov 2006 08:12:31 -0700 (MST) (envelope-from oegfhjsl@onwebcreations.net)
Message-ID: <000d01c700ec$cab85b70$9c98f23a@1B22A93E951647A>
From: "Reserved. Computers" <oegfhjsl@onwebcreations.net>
To: ietf-pkix-archive@imc.org
Subject: Promises abound
Date: Sun, 5 Nov 2006 23:12:21 +0800
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0009_01C7012F.D8DB9B70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0009_01C7012F.D8DB9B70
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000A_01C7012F.D8DB9B70"
------=_NextPart_001_000A_01C7012F.D8DB9B70
Content-Type: text/plain;
charset="gb2312"
Content-Transfer-Encoding: quoted-printable
Introduces onehanded cordless is bandsaw cutting pipe.
End shouldnt attempt use Angelina Jolie Kung.
Costing Billions Best Moms of Dads.
Reality showhere different or types Exciateam Southie Boysteam. =
Gigablast of Lycos msn Wisenut Copyright copy Netscape Terms.
What they think Will Hesslers of on of myspace or. Dustin Hoffman of ian =
Mcshane a. End shouldnt attempt is use Angelina or Jolie Kung fu =
Pandajuly.
Mechanical Device in Frightens Flies. Were taken hospital of treatment =
smoke two eldery in.
Winteam Brown Great am family Very tightteam a air or Force. Teams is =
competing against.
Know remember how so why not. Gis Engineer Field a.
Xbox xe a see of Coinop Arcade Games a Emulation is.
Know remember how so why not. Url update listing report a abusespam or =
help.
Cotton duck cord a combine form is flaps. Cast of sure hit of Jackie am =
Chan Lucy liu.
Park Indrema Magnavox Microsoft or nec Nintendo Philips Sega.
Site at digital point while was just a reading! Clues a puzzles first.
Thats Free bill is later in Name am. End shouldnt attempt use Angelina =
Jolie Kung.
According alexa Well looks like here stay. Hospital treatment smoke two =
eldery serious rail. With blogs found site at. Japanese Polish Russian =
am Spanish Swedish Cover in Galaxy Offers scans?
Rail shutdown sometime took or place officials foul. Hospital treatment =
smoke two eldery serious rail. Cause or fire a evacuation through =
tunnel is were taken am hospital treatment.
------=_NextPart_001_000A_01C7012F.D8DB9B70
Content-Type: text/html;
charset="gb2312"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dgb2312">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"on:" hspace=3D0=20
src=3D"cid:000801c700ec$cab85b70$9c98f23a@1B22A93E951647A" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV><FONT face=3DArial size=3D4>Introduces onehanded cordless is =
bandsaw cutting=20
pipe.<BR>End shouldnt attempt use Angelina Jolie Kung.<BR>Costing =
Billions Best=20
Moms of Dads.<BR>Reality showhere different or types Exciateam Southie =
Boysteam.=20
Gigablast of Lycos msn Wisenut Copyright copy Netscape Terms.<BR>What =
they think=20
Will Hesslers of on of myspace or. Dustin Hoffman of ian Mcshane a. End =
shouldnt=20
attempt is use Angelina or Jolie Kung fu Pandajuly.<BR>Mechanical Device =
in=20
Frightens Flies. Were taken hospital of treatment smoke two eldery=20
in.<BR>Winteam Brown Great am family Very tightteam a air or Force. =
Teams is=20
competing against.<BR>Know remember how so why not. Gis Engineer Field=20
a.<BR>Xbox xe a see of Coinop Arcade Games a Emulation is.<BR>Know =
remember how=20
so why not. Url update listing report a abusespam or help.<BR>Cotton =
duck cord a=20
combine form is flaps. Cast of sure hit of Jackie am Chan Lucy =
liu.<BR>Park=20
Indrema Magnavox Microsoft or nec Nintendo Philips Sega.<BR>Site at =
digital=20
point while was just a reading! Clues a puzzles first.<BR>Thats Free =
bill is=20
later in Name am. End shouldnt attempt use Angelina Jolie =
Kung.<BR>According=20
alexa Well looks like here stay. Hospital treatment smoke two eldery =
serious=20
rail. With blogs found site at. Japanese Polish Russian am Spanish =
Swedish=20
Cover in Galaxy Offers scans?<BR>Rail shutdown sometime took or place =
officials=20
foul. Hospital treatment smoke two eldery serious rail. Cause or fire a =
evacuation through tunnel is were taken am hospital=20
treatment.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000A_01C7012F.D8DB9B70--
------=_NextPart_000_0009_01C7012F.D8DB9B70
Content-Type: image/gif;
name="images.gif"
Content-Transfer-Encoding: base64
Content-ID: <000801c700ec$cab85b70$9c98f23a@1B22A93E951647A>
R0lGODlhhAGoAYf2AAIAAHIFCwmMAHOBBQAAg3MBfwiLjbWzub7htLHA4UIpAW0pAHsnAJ0lB8Mc
ANssAA44ABY9ADFKCGQ+DYQ4AKc+AbpGAOg0BAdlCihTAE1cAFtRAIFgAKZVALlRANpqBAyBDSVy
ADN8AG58AHKMCqp7AMyDANSNBwKuABeWC0aXAG2mAIepAJObBL+rCdiiAACzABXFADm8AFK4AIC8
Cpm/ALHCBObFBw7qABXYCEnfAFjtDnjVAKjTAMHlBNPYCAACTRIAQTQAQmMJO3ULN5MHSscAQ+YA
RQAWQxcVS0QqOl0WPHodMp4kNMsWOOMVRgA+NBRHOD9ANG5HPX1BQqc/Sc00PuU3SABfOSlXS0tu
P1RbS45tCJleP7hdTeNgSwZ9TiR9MUSGQWuFSoh7PqOIPbiONtx7RgSiQiaTOkOnQVmnN4GZR6Ce
PcaWP9unPQDAOCrCOj21OFa3N3XGTpG3MbaxQuS2MwDbOBbrM0HdMW7cS43oTKDtOMjWPuLfQQYJ
iRUGgjEMcWoAgYEAe6cAcbYAf9QAfQUnixkXgEoZhFkngIUngpgudLoei9ohhQQ4iRxIizw0gmM5
g4RJg5k9gcUxgNNCigBciBtbjjxkiWlSco5td6Fsishji+RVigB8jBuKizJ3d2uGdXmFipWAfrV5
gtx5dQCgehORiUWaemyYdoSjep2RjLeWct+qjQC7cSvDgjq2emHJenTNd5bFiraxftGyeA7ngxLr
dDLrh1bVgoHXfZ3Scbrsdd/jdQAAxRkAtDgAy2UAzHEAzasAuMEOudYNuQEusSwUwkERtV8auHQY
uKknzr4VxegtswQ5yyI1w0ZMtmAyxYw0waVFtLk0uOxGuAZRyCVutjdow2FayI5RyJFfxMdSvOpt
uAB2uS2IzkOEtlSKxnF0xpuLyMSKstGAzgChvhactk2uyG6lyH6fua2owresydaaugC7uCyyxEXK
uFnDxYS7v5bOufv576mbrHmLhfcABwX7APDxAAAA+fUK/wf///v8+iH5BAD//10ALAAAAACEAagB
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3KjQnsePIEOKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcpUpJemUKNKnUq1akiOWLNq3cq1q9evYMOK
HUu2rNmzaNOq1Wi1rdu3cOMGXUu3rt27ePPq3cu3r9+/gBvKHUy4sOHD9gIrXsy4seN/iCNL1gmm
suXJmDNr3nzS8mXOoEOLHk26tGmVXU6rXs26tevXsGPLno05rKvHuHPr3s174YXewIMLp028uPHj
yJO/Fs68ufPn0KNLn069uvXr05W/5qS9u/fv4N2y/w1P/jT18uhJn0/PnjP1DyHhg5T/8QN9j/bz
65+/3979+SXpd99/9fknYH4iEYifgQcyiGB9ByqIX38QPjjhSPY5SKGAGEYIn4QfRpgghxXGRyJJ
J/qHooYPyvcegAMCqCKGI8Y3Y4IdmrggjTKuSCOINu6IUoYyEgnhhTVKeKOQPBb4Y0r/xXhkkDry
h6SNSrqYHX0fOukkkFSG2eOYX/roZZNYmimkkmKSuWOXMC7p5klRrsjmmUtKCSWPcMbp43lc3lin
nHhmqSaTaaJJ6JwqgunlnYgy2qicXTqq0qA4Qkppj5pGWqB8dRqamF83BRromQpiiqOiiy5oaaue
Tv+q6Kl0BmgrqGW+OmSbru5ZKJ4mGYqrn6xaxZapqM6pqokervrkrMF6GGKDerJoJLDY9iqoqyIy
eCmzIjYL7rXbfmtnsuJq2VepazJZ7a+HAivsoWwCCSKFsfKab5/8wlpisPr2CfCYtGrobKacwtop
U+P1O2C3ZIp68L6tLhtwxfDWGu+nHGvrK73n7kplwW7OW6TCHq3ncMkTS9ymyS0PjDCa725McbUC
awzyszo/mi2BML+J8qjrsousvBNjXGyqsVrMaM4Zd+pymSF/DC3PMvuMLdOrAi2rZA1HSXLGU3ac
tIFVEuq1rViz7K+VRYp9885s//w2ojivnTaSqUL/7eR6m9r9dH+6Vkgui8Xa3SzT4nZo4YSPC9tt
inRjCbHh1z6OeID42jt5ytm1J3ptoY9u+mF/na766juNx/rrUTUG++y0s+R67bgThZ1Aufc+lOw3
CSC88B4NPzxIxhP/kQApHb+88Scp/zz0ISWPPEnMJ0898tpLb4/12IP/vUnij3/9+einXz7zI2Vf
fvXsw1+88vFX//378ztvvmz1j99//P9bnkrqF0DsFS99+/Pe/Q7YPvs1TyQKVCADBbg/+XFvgv5D
IAYT+D/29U+ABYTgBxc4QQlm8IIUpOAIWbPCELpwgCl8YAVfCMENxrCC5KuhDh2oQgPuEIAJ9GEK
/0foQQOG0H4BBOIBP5i9BuJQg3LRSAt5SEOUKBGGM3TgCk+4QxsK0Ys2LCARS1LEJd4QfVes4RSP
eL0kDnGDTdThFtm3u39MEY1UxOITyYjHNxrxi3t04hnPSMBBzrGEQeRjIf/YQDb2kIFXLCMIGelE
4NVEfxhcZCb1eL8txhCA4jvkHQcpSDA+UXuG5GMQ06hGKJqxka40nxIj+clAelCCnhRPRrh3S0x2
MoKcnJ4qEXk+UQIylzc8JA8hWUotEjOXjpxkI7cnyDgmMouv7GInKWhJnViziqZcpjbzBz4mBpKL
4kQmHIdJyD0qk4vWZOc549lGUiKSlutEpyslaf+ceGoSm1bM4Tj5mc1WNlOdOHxnO8coxG+eM5mK
pOQ81efHHjLUiQilyu2kWVFiBlSeYQypO8EYzWaOdKC2LKVDkWlOOUo0pQ1d6EmbWUcxutSZMkyo
SQvKQQuecpyAJOHzDkrSDqJwqNEToU9b2lJx9tGd9JQeDev4S1bydImoFCEofUlK91GTnEzE30P3
+VVe6q97Zr1oOLta1qzO1J69JGlVw4pJOu7Od3j9STfzytfVKaOvgDXdRgNL2MGopbCIJUxFEstY
8Ay2sZCFymJzEoAAhKSymLUsSDJbWZRw1iOc1SxoP/sR0ZYktJjdbGZPOxLTkha0JLFsaE/72sv/
mtYes43tbXNrktretrQi6WxwXbta4LY2uLFVbWqNe1ndCle5ov2tUjTrWtsyd7Ss3Sxumwtb7XZX
Jb99LnaP613c7pa6yd1tcstr3OqqFrnbvW58W3ve8XL3vcO173jFK1/zkpe/wpWugNk7YJm4Dr39
jW+B78vg+ar3uykJL3nhy9wCS3e7D6YwhLvr3gYjeMMXnq93Zath2Kr3wyMW8YYxDN8FZ5i9HF7v
ZG+CYgtPGMbyje59Q3xjFeP4uzpOr5B/rGIJi3jBMc7xeo+LYh+TWLtPZjKIW9zcEDcZySbObkzG
0+ELR7nBPp6ymMOs5RUnOMtnZrGUifziI585/8hABrOZ0dxmBbeXzGqu85XxvOcSs7i43T2sm+f8
5R8v97odHjR45TxnNTe60MBNNIONHOcJd5nIfHYwjj+MXitrur9wdjSFQ71p/1YYdBPByaXX7Gfl
jvbQrwYwS+qc5iKz1svmhfVwdQ1hUp+6woDuMZTLS+koQzrSxNawjj1daT9DuskuYQtqoY3mViOX
1NieNaPxbOshX7vWvp42oWNdXF9jutDQXjayvZ1kGHday+Z2srzjO2OaGNnG1v42ogms7XP3dtvH
FjWzx3znUVM5zZ5+MKXdnHDuLtzOAxc1mJ/daJVI++AOFza7P/3rRcuZx/POOKvHzW+R7xjjj//+
r779HeZ0h3zdWA64vB9eb5ngur4gxnWKTV5wj+O3tCAPL87n/fAVU1viz725tQFMbf5m2tRAN7PT
BUzdoVf7xqGOd1FuXttc89q2hx6w2Hmrca+DnNDBJre5iy7xSHdd6fn27ZIRDl1Jg3ruXa91rMFu
98j6/e+AD7zgB0/4whvePHVMvOIXL5jDOz40jI+85CP/+Mpb/vJ/n7zmN8/5znv+86APvehHT/rS
mx44mE+96lfP+ta7fianj73sZ0/72tv+9rgv/et3P5XcP6cZvg++8IdP/OJjJQpnaYPxl8/85fP+
+dCP/myaT33fS//6RXlsZBCCEu5jfy65cc//Qbo//tqBgzTnR3VZcAKA9gOgKO//SPyhAo76n9/+
9bcH/u8PkvT33//2JxIB6BH7R4ADqH/5R4D9h4D+Z4D5V4Af0YD3h3/6F4EWuIARmIAMqIEUmIEJ
2IEhQYEHOIIlMYIkmBnzZxTtJ39R0YAXWIEYqIAhCIAyeIHp54IuCIMwKIE7+II1OIMWiIMvyIND
GIM6GIJB6INH2INMmIM1eINFOBkpKH8raA/uZ4Xx537zV4Va6BFbCBLvl4VemIUrWIVYyII54YQ0
aIRC2IRIyIRKKIQ8CIVLWIcKCIU5yH/8F4NtqINO+IR+KINtSId0+IZJCIhJoRFTaIUsKIaM//iF
jYiGYRgSYpiCk8iIj+iFmkg0/9AHA0F+BsGAfDiARGiDDiiAHGiChXiHC3iC/6eBgliBIKiHS7iG
UWiHDniDrkiKqWiLRiiLB1iBurGIX+iIl4iJVwiJx7iJZ4iFl1iJVwgSAtEHnviJJ+F9iFiLv9iB
e9iKSuiN4MiKvviDo1iHtNiH6PiNRTiO3kiD7KiNtnh+aHETU1iMm3iMz4iJyKiPzJiJ/liJlPgR
faAT8WiIRziH5EiIJYiICBmIv+iD3ZiEEXmQEPmQgLiGeeiGcBiLHOmQmNGFzniPmgiSIQmJ/NiP
ZJiPyMiFHjGQNgGCfiiCASiC4ViKEziTwf+Yk6Q4hDiZk604i9+Ig7BYizr5gSfIjYcIjB/ogR5Y
ikehfSmxiCghlTiBjSVhla/zh5uRfvOoFFRZEl/5fQKIfmJZlmZ5lmiZloBVfWxpe2r5lnAZl3I5
l3RZl3DRlniZl3q5l3zZl375l4AZmJBhl4QpjbsEfqEofoKJHV55EmFZmLXDFiQ5lY55FeU3FV0Y
jSHZj4tJe49JEo85hVjZFPUokvv4EZ05e6U5kmWYklvIkpg4mkyxmsbImakZe5v5jyJpjyO5ibI5
m1xohpqZgreJm5J4mgDZm8qJmpdZFZPIm/xYFgNQnOF3nLXpj9ipkr8JFSp5nepHnaI3mcr/yJrC
CZvxt51JAZLQGYZXCJ66NxKf2RLoiTruGR09EZ+QCXhQKZ/N+RbzmRL12Xk28Z+x058vEaDBkZ+F
qYiaiYYAaqBt4X0UEBITOhIVSgEViqCbZ5LRBqHGMn4YiqEeIaIiIaIXyokaWp00YY/PGJwOGhoT
WqEfIaMzag8xOqIKKhSK2IjJaZrn6aFVwX0kWqMgcaInmqK8YRPqGYlUaIamMaQ2SqEhSqI0mqM9
saNgyKT9GJtAqlHld6M4GqY4eqRIGnmruZIp6Ztd2nsHMaUzSqVFOqIZWqaMN6BrKhUSumW5gQd0
ihF2mphxkacw0aeEmppVUKiImqiKuqiM/9qojooXdPCoo2eldSmplnqpmJqpmjp5lNqpnvqpoBqq
ojqqpxMPnrqfsHenurSpj6Gkk9kS+GkVr/mapKoU4xGroCkSBKqCDZqPrIob7AeGyameZLilb7GM
yomrtSqrIsGezJiPHBoXToqcy/qUh2mJZeig7JmtlgmomGmSYvirrUqP1qmt/Bit0oqdp1mtiIGt
y0is3imt0Uis7GoUqJqroFgQzJqv4qoYvKqs6VqvBeqno4GNuxpF/Xqv23eZBxuo/SoaACuwoMGg
EbsTxGis18iwB5EPH8GxL5EPIMuxHlsTITuyGSuuSoqxKtisQzGyJrsSL/uyMuGyEluZ+v9Ynmla
kmlanmOIs8V6hjlLkhVrDzRLtB4rskTbsSARs0h7tCDrESXbsSG7tEpLs0ULlxRbruZam1y7nPiY
pT36tVwKqNyHtEmbtE8LtWe7tGnrtGqrtlartFLbtnJrtgm7o7P6rkw6rOT5tcrIrX77oihqjYPL
O2YbtSZrtiNxuHKLtlXbuGuruEd7tnebEfFqiXubrMt5s5zLt+uppmQ7fowLuYorEqMbuah7talb
t5RbuRfxt0FrnpqLppzrjEFLu7X7o6GbmIn7tDFrulMLt2w7uW8btXPrssG7tgkLWTKbE817Es9b
s+ERvTSRvDArvTlhCNhbHBrAn677var/ur2VB76f5wTme77na5/iqxro275OkBnkG7+E63rVsL3y
K7/rqxxBkL/8axL3+78AnBD4EMAEXMAGfMAIrHnXkMDPEQgM/MC0178SPMHf1wwU7BoQvKkXvMEc
3MEe/MHYl8GaCsIkfHjTGngi/LopbKkAsMKP2n4u7KgtHMM07JYlXHg17Kg3vMM87Bb728NAHMQO
S7D8UMQfwQ8ggcRFjMQhwcRJ7MT2sMRKLMVPvMRRTMUeYcRZTMVQPMVOLMVQfMRWLMZdbMVgfMVm
PMYigcVXTMZRnMRbrMVVTMZy7MZZfMRobMRqbMdYLMd+zJymdxNffMd4zMRhHMZtTMhN/7zGi7zG
h4zHhUzIiNzIb1zJlTzJgwzHigzJTdzFWxzJJJHJk6zIhgzKkDzKSqzJqfzGoxxYj+zJpazJp7zJ
nFzLljzLnAzLknwSg/zKI5HJtezJjGzJpVzMobzIqIzMprzLv3zLxszKp6MRvlzIdUzLsYzGskzH
XizKsgzLfrzH3XzLl1zHXzzGwizJWnzNsbzK4PzKbCzOz9zH1fzJ2HzJnzzF38mW03zHq5zNeTzM
4gzPjkzOwQzNtDzQ12zNuUzJzqzKaqzOj2zL/czQ9pzQBt3MoKzLb2ycNcHNGc3Q50zKAK3QC73J
7HzQIS3SlAzMKh3OwpzQEV3SrQzMJ/+tysf80TjNHuOxx30czGYMx++MyIfMxeFMxyJ9xg090Ead
y1wMzkbtzRO9zb/8xyXRztpMzHNcz4lMyky8l7TRypDl1ULcrXg51ojZHGad1mp9GD/t023Nz+/8
z0HN0kL9zU49zzSdx9vcz1FN1Exdxnoc11v90HNdzlIdx08N1Ept0nFc19/sxi/91uBhyCzd0hdN
0TRdzhKNy6Es1Asd08zs2YyN1QJd1R6dzKSd1yTNzyvN2DM91Q69zAE9sbsUzwCt0SOd2rsM08p8
056dyha9z6Ld0Pt80Li8zr7N2fYc0Lgt0M3tz8xc0awNx6K33BPN1U2N1+l83Lvtz3v/3ci/bdDy
nM4pTcxnHNHmfNfobNhD/dI2zdyKvdmRjd7brdvivd3VDdG3Hd8mcdj/bN7ePduNzcjAvdrTDd+u
jdkC/t98fczuzd0gndTLDNrz7dFbzdr5PdpFfeBVXdocHtMWXdCKXdObveB0bdkcns01jdoWrtoF
DeIavtpRHd0eDh02IdnDDdXkbM4RXt4PfdMo/deB/dbXTdrYvdRIneBwzdPU7N+ETd5QbthVTNnz
LNdArcdXXt9rzb8Ku+UH+hxejlhdLhrSsQooG+atl91Drt0nPuVa/eMjLeUtXeRo/qB+Ctq2rNJU
TdLIPdtU3eKRnMNeQQpmMdzQ7cu8//3efd7b123MJy3od3HjiB3UuX3S7Y3YmO7nrI3e0BziEVDn
QfHcQc7fVd7ppozJYlzaBR7ioH6yF4HVqL7fEs7ooY3R0d3Llw3pwyHXbIzKe+7MPH7g/i3hVi3S
ul4Xrd5XYw55x74Wyf7s0E4Syx7tNwEYN77m59zLWJ7nDD7XqU7PsL7t2N3e393cM47jS/3EL97N
vz7jA37emn3eWR7lKq7X4c7kR63mDQ7WouHjMh3jn93Z3z7Yem7hFG3Z+AzXx23wjjzwCb/cEM/K
DD/UqU7xcy7wKX7ZOS7bnL7gbHrn0G3qBh/rlz3i1v3h003nxn3iln7y4u3xyO3oKf9+7tKt4KtO
6yj+0eHN7Tfv4cJeuHkhyCHf8xGPyeldzT2/zh1f4Fqd6Ub+8i1/8uyM9LXe8sVt9Qi96RJf3w1u
x7M87Hiu9VQ+9uDu8Xha20Nv6jRO8irf5z394G1c3hd/6ny96OIOz8Ee9xXf28Je5Evv4b8u4nrP
95rO9Hje4NYu6Tyv9kVv623f3Tmd6JVd0sTN3y5/6/Vu7npu+cEN3jO/4fUu2xrfzIav4GbvpRgB
57KOzWru5vYu36TO+uy+4wSN5Jwv+0Ke+bfv9D2d+/I+7+5u3lTf5OI++XOu77AO9GhN7dkHOMyv
o80e/fr6/JEp/X36eK9K/ayjhSf/rP2qw/1Dm5+NCsMx7P3mf/7on/7I4Qzq3/7uzxrWH//yv3nv
X/8ePP/4H8MuEHr23//+DxD2BA4kWNDgQYQJFS5k2NDhQ4gRJU6kWNHiRYwZM6LR2NHjR5AhRY4k
WdLkSZQpVa68qIXlS5gxQf6jWdPmTZw3Ze7k2ZNlTqBBhQ4lWtToUaRHfS5l2tTpU6hRpU6lWtUq
z6RBDx0auLUr169e7W31SnZs17FkwQpUy1aswbZuv86NK9ft2rZrz6Z9O/du2L52+eo1y5YgV7WE
6xYumHcx3reJz2alXNnyZcyZtUL2uxdtY8OG9R5GC3a058Oc5eLt7Hl0ZNRwWe89/536M+3PhG+D
vv364OvZug1rJl7c+HHLiM+aDu2bN+varnGThtt8+XXr0mNjV46Q+fTo4EuDFr49dOzy1LN/P88V
+Xv48W1qVN6dPWP84wfzXh7Y/Pf6sBNvvbJE++u5A/dDUEHfyotutt34Ug+8wCC86sKOALzrNOeg
O6+xwrqbELD1FDSRPQErBFEsEcOLy0PSHPQuwgd3exG9CDHUsSIN08NROhRHDPJHA3FzLjsghZzQ
vg+X1C449WrsLSEIdUMxvB2nIq7BGEP0ssq6iOTQLCvJ468/yAosjbEPWxwsPcTYlFPOGVMbsy8L
3WzPHvn69PNPo7IUdNCMADX00P+iCFV0UUYbbcgDRyOVdFJKK7X0UkwxJC5TTmdC9FNQQ0Wqys4k
2xA14MqKDDbZyKwwTVjvtNE2wfJb89UpZ03QwrT8ck9UYIO9jL5ce3Xy2CY1nO633Gh9ksrc8lQt
OBhRLdPZ+/Zs1sdOB900QCiL1TXZEs3TNtxrq4tx2esCXJc54bLlUsAiUa13MnOE1TerYfalrN1n
xd3wVdNW5TVKPJFE88giRQTYYe7oVbZJI3+EGF4W+fR3Y47nI9ZdE7VD1sxqXdTvVHulPDnhitdd
jbowOaQLwQ5b7lbRbwG2t80za1R2yFyvDJhZheNFUuhwtT2W1JrZ6/jpjT0iVeD/vJYMceWQlXY4
ToP9s5VnhPM8MUp121NRNl9vXnRTtdueCGp/t+DYbbrrttshuPPWe2+++/b7b8ADF3xwtu82/HDE
E1d8cYLGGWfSbBiX/PDHHSX8cswzL24czXWa/HPQQxd9dNLf7vx01FNXfXXW/f2lddhjl3122mu3
/Xbccw9UpEBK9/134IOPKRnhE9L9eOSTV3555psnqvhOV7AUEsSdt/567LOPbx/tu/f+e/DDF398
8ss3//zLoVd/ffbb71QD9+OXf37660+8cPtNRx/9kvIJXnsaZE8j+SBgARFSQAISxH8HWaD/EPhA
gzxwgfaQYAILMkEFVpCCEtyg/wYPiEAFHrCDHKSgTICRP5IQB4MbzOAFG7hCgTTwggpZoQwZAsMS
MnAhOGxhD3lYwwgKZH+6G6AOY2hEBwYxhwPh4RFDuEQaGlGJCWmiE2cIxScycYqC+gEKR4JDG+ow
jE4EIhWvWEUtbjGLIjSjCH94xTV6UXFvbGISsfjGNloRjVaMYxrzKMUg4tGPg5Qjo1ToRjNOEIOC
ZCAEY+jBPo4QhJDkoxpDyEgs5nCIuSuiGBOZRUzCkYwNASMb/2hJLWIShnssZNvo+MknhrKPdtwh
ICN5y0pe0pS5ZGUrr3JIJdbxjrkkJiFLyMpS2hKVxkzlLjO5wE2eL5mZzOEqqf95TV5iM5KyxCUx
xxjHJkbzdp1k4iJr+M1HOlOU1SSlMovJzB6W05jWXKcv70bCCIIQntx8pD4laUAXQrCCtFRnIwGa
QX/O0p6G1MxCGyLO8jmUIRCtnUQtOjmKZlSjG+VoRz0qLDN8VKQjJWlJTXpSlKZUpSu1CSRCBYP4
lIKlQElGMmZ6U+TVVKc45antdGrTngZ1djuF2kWNqjihJlWpS2VqU53qvKNG1XBPperppHpVulVV
q5jDale9+lWwVmSrYyVrWc16VrRiJqxrZWtbw5pWuMZVrtdza10JNVe8isque91RXv2KKL4GVrCD
Zd9fDfsnwiZWsYvtlhMiclhlyEYWraGQbGXpyljMZlazN7NsZyUbAM8Ca7OjTUloTZsU0qa2JKdl
baJgAgDVxhYksJXtXoEFgNYulSeCqK1b/Ybb3I70KrTtrUP7BtzgitQqxC1ucyPCXOe2km/ITW51
rSvSgAAAOw==
------=_NextPart_000_0009_01C7012F.D8DB9B70--
Received: from ip-128.net-82-216-68.rev.numericable.fr (ip-128.net-82-216-68.rev.numericable.fr [82.216.68.128]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA4LTpMM031757 for <ietf-pkix-archive@imc.org>; Sat, 4 Nov 2006 14:29:54 -0700 (MST) (envelope-from xkjwwjcdm@numericable.fr)
Message-ID: <001301c70058$5690f110$8044d852@alexdyzbzh6vc0>
From: "Tablets" <xkjwwjcdm@numericable.fr>
To: ietf-pkix-archive@imc.org
Subject: what selects from
Date: Sat, 4 Nov 2006 22:29:41 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000F_01C70060.B8555910"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_000F_01C70060.B8555910
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0010_01C70060.B8555910"
------=_NextPart_001_0010_01C70060.B8555910
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Geteditor Return is Type nsieditor numerous of methods Pass.
Terry Liles am first scene called or assist Probation officers. Terry =
Liles am first scene called or assist Probation officers. Eurekajob =
Openings Jobyurok Technician Termite of.
Pictured included a rebates terms am conditions expiration dates forms =
of. Termite Pest Shift Personnel Jobrcaa of Americorps or. Gun or Yurok =
in mdash inner scars.
Html create Mozilla provides two types editors plaintext of editor!
When or culture raped families robbed harvest off burnt a. Reported a =
briefing or Read.
Know Burgess protested outside or Humboldt County Courthouse. Chrysler =
Newport Carclick in Ford Patchescar is?
Copy Copyright Muze. Long Capasadena a Starnews Pasadena is Caredlands.
Telescopes Books Camera? Edition Enter Sports Print is ads Place =
Newslocal am Restore. Monitors Projectors in Tablets a.
Microsoft Gamecube Gameboy Gaming in Childrens of! Telescopes Books =
Camera?
Stool is Inmates pictures scantily or clad!
For onlymovie or rights reserved or selection images? Shop Brand Stores =
Clearance.
Policies nyc of Store am Help am Search by.
Mind bunk steel sink toilet. Specify document load in src attribute =
issue of initially!
Caargus Fremont is Cadaily?
Method specify document. Ways a to Shop.
Utilities Telephony a Organizers Cellular Copiers Electronic.
Starve fuel threatened a historic town Helena watched closely. Ways a to =
Shop.
------=_NextPart_001_0010_01C70060.B8555910
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"almost" hspace=3D0=20
src=3D"cid:000e01c70058$5690f110$8044d852@alexdyzbzh6vc0" =
align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV align=3Dcenter><FONT face=3DArial size=3D3>Geteditor Return is Type =
nsieditor=20
numerous of methods Pass.<BR>Terry Liles am first scene called or assist =
Probation officers. Terry Liles am first scene called or assist =
Probation=20
officers. Eurekajob Openings Jobyurok Technician Termite of.<BR>Pictured =
included a rebates terms am conditions expiration dates forms of. =
Termite Pest=20
Shift Personnel Jobrcaa of Americorps or. Gun or Yurok in mdash inner=20
scars.<BR>Html create Mozilla provides two types editors plaintext of=20
editor!<BR>When or culture raped families robbed harvest off burnt a. =
Reported a=20
briefing or Read.<BR>Know Burgess protested outside or Humboldt County=20
Courthouse. Chrysler Newport Carclick in Ford Patchescar is?<BR>Copy =
Copyright=20
Muze. Long Capasadena a Starnews Pasadena is Caredlands.<BR>Telescopes =
Books=20
Camera? Edition Enter Sports Print is ads Place Newslocal am Restore. =
Monitors=20
Projectors in Tablets a.<BR>Microsoft Gamecube Gameboy Gaming in =
Childrens of!=20
Telescopes Books Camera?<BR>Stool is Inmates pictures scantily or =
clad!<BR>For=20
onlymovie or rights reserved or selection images? Shop Brand Stores=20
Clearance.<BR>Policies nyc of Store am Help am Search by.<BR>Mind bunk =
steel=20
sink toilet. Specify document load in src attribute issue of=20
initially!<BR>Caargus Fremont is Cadaily?<BR>Method specify document. =
Ways a to=20
Shop.<BR>Utilities Telephony a Organizers Cellular Copiers =
Electronic.<BR>Starve=20
fuel threatened a historic town Helena watched closely. Ways a to=20
Shop.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0010_01C70060.B8555910--
------=_NextPart_000_000F_01C70060.B8555910
Content-Type: image/gif;
name="Element:.gif"
Content-Transfer-Encoding: base64
Content-ID: <000e01c70058$5690f110$8044d852@alexdyzbzh6vc0>
R0lGODlhrAHMAYf2AAAKAHsOAACHAImNAAAAcYQAfwGMesu8tMzjuaW89jInAFgdDnIYBp8sAswf
AN4iBAdAAyRBAEU4AFZCBYAyBpREAstLAOA2AAhqAilfAExkA2ltDIlpA6hnALtlANhTDgJ+DiJ3
AD2JAFN4AHVyC56BAryNAOeHBQaZACukAEWeDlSfAHGmAKqrB7ufDeKVCwnBACu1AEvBCl7JAHHL
DKTHAMixANW1AADdACvfCznuAGvcCIfkAKPXCM7gDtTtDQAOSxkASkAAO2MIRncKQ6wMO74AO9sA
SAARPyQYR0kqOlYZPX8ZOpwdS7geQ9QbTQg1PSpMN0lBTm05QIFBOq07MrU+MdRJSgBnQBJUNEBh
M1JuQIZZAJNhP7xeP9NXMQB7Nhh9OEKFPWt7SHJyTJqCOr10Qep+NwWbSRekRk2sPFujQX2tP6ek
ScObR+uXTQfIQBTEQUq7QGDHS4K/SqfJS7uzOOTIQAHVNyreO03ZSGblS4fXO6PaR77SSdnVRAAA
iRwCczIAiGIAhX4MfZsCjcoDju0AhQMRdiInhUctflYSjIAYdKEXhcUoiukoegdIhCFNdU1Nc1Y6
iYk1gJU7dcIxhd43cgpViBtpdTJdgFVVhIZfjp5jdrxee+hUiQ2OhCtydkyGcWWJcn2DjpSNerOK
h+qNiACsiyClgU2miVKthXaYcpqUjLOshemXjQe4hxGzfka4hVu9gXOyfKa4d8q8jOfJdgrijhzk
cznkeVnRiHLleqjuf8bdhunhigAMty0HzUgAs10At3cAvZIEvLoJwdoAzQAYwRspsjsZw1IitH4g
x5sstcgluOgntQZNxCJMuTdOymRIzn5Gw5pFss5Cu9hMwwFgyxpkxzhSzG1kvo1qu6ZdxrpdxuFt
vQGMsi12ukmNwVpxtXeExpGBycCGyeFzwwCftxGktEmWs1KRxXWUuK6gurKhxeWlvwDBzSC3tDbK
wG3AxHjDvpnHwP/u/JicsH17ifcHBwTwAP/5CwAD//UA9wD/+/X//yH5BACH9pUALAAAAACsAcwB
Bwj/AO0JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3MjR4r+PIEOKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPO7MgzUyaeQIMKHUq0qNGjSJMe9flTqdOnUKNKnUq1qsSmVrNq3cq1q9evYMOK
HUu2rNmzaNOqXcu2rdu3cOOO/SS3rt27eAvq3Mu3r9+/gAMLHky4sOHDiBMrXsy4sWPBeY9miEy5
suXLmDNr1vq4s+fPoEOLHr25tGmFc05nHc26tevXsGPLnk27tu3bkFXr3q1ZA+fZxXALH068+D/e
yK2KS868ufPn0O0Zn248Qwbq2BVH3+5wMvfv4Jlb/w9/Ort52NbPe0aivr37w9ffywe8cL79+4PJ
P8TPv79O/Q75J+CAMQHYEIEIJoiSgdKd9IFID4YUIUgfTPhRhRhmKKGG/1gooUkZWughhR2GiOFI
I15YookrnkihiSleyOGLLspIUoUtzhjijTA+GKOPMKK4I40QDlmSkR0emaOLMSook4hJkijlj0JC
GCWKPBap4o1WgqgklR9umRKOYZL5oo1VNulhk1eKaSWbUsbZpplynrkhmm966WROE/pYZ4Rghokl
l4N2GaibheZJaJxw1ilomW0m6eeiK635pUqWytmoo1FO+qGae7ZUX59XZnpopI+miiqJp7JJZauc
Jv/aJZeeqlirqihliuWmupbKEqiAKkoog2Oyqimuvc6qLKKfKolrrLf+Geuyz0oqZrCnFvtstJTq
uimzxkbKLbihljRquHMiSy2NQa5rq7PTLqlhj+myO+O0wF5ra7s15lokvfT+26+vlXpJKqv8fsTg
uQRDyWmy28raLKWrQlsxkhW7m7GnHGdMpIPujrusw3PeS661jG6ssIGY+ipiu6mCSrHKsOq5K7wQ
z4yvy+hqCy+5Iqt68MUS99ypyuWqVB/KTKM6Ys5AF/0uxa5e2m211eZ77LceQx20o0Nnq/WUSBNb
LKkkgy11tqsGSzXItP5MsM9Fux13wTZHzWuhaT//TOjTTSfdF50lWiy0pWwTbibgGhMt9slalrmm
3Te/DbfFez/6ct2Tg4ujzILX1GvNQjIp94YDL6kz5kGmCCSLR5qMJLD8mmz5rjDb+/LktqNO56sJ
hy788MQXb/zxyCev/PLMw7Z089CTtjBB0Vdv/fXYZ6/99tx3T9jSAoQf/kfiix9S+eODJIBK5qtf
Pkrpu/++SOifX9L66M9/fv7x/1P//f/z30kCKED7GfCACCTg+kiCPwLSb4EPJF/6IEg//zlQgu0r
4PSoB78KUrCAICSf+lZCwQ9+0IAlrKAEIxhCBLbQJCfsnwUZqMITrnB/IhxhCkdiQvex0IYC7CED
/20YPwjKUIQm3OEIX8g9IAqxhUYk4RKlGMInEjGHPFRhSmJIwyyi8H5dBCH+pqhFLF6RiUEso/16
GEUkZvGMQESj9pyoRStSUY5dVGIO4zjGMGKxgy4MpBDPmEcdkrGOh1wjGJ/owUaa8Y9p9CIfr7cQ
Oh7QjuxLJAwvyclFgjGQn9QkJKuoyUmK8ZSb1KMj36jGJbaxjQVkoyc/ucEAZfCPelTlJuW3xUsG
cJKWFKUXhRnDX/qxhoYcpSKJicY+KnOPrpwiLCMpySMusJYCYUn7HMjNO+7PlI/84iyH+UxyypGL
4mxlNFEZR0gCc5H6C6MzYalEZ6oxg+1E3vOWCf/FQ+ZTmEzk3wK5+M5j/tOduxRkQBM6TzwidJyr
bGcU6elPNx5zndhkCA1zmUBvmnOUA2UlRF140H6GMpH2ZKZFqZnQcqY0mS7taDijSUhJrqyWL0np
NFHZy5aiFKTKDKlBPbrQj740qPw8aivhONJgDnOnaaypOr03SJsiM5MPnapOfYhDoE7VqEkcajPD
ytWy+nSGXX2hUEEJTqjOkKwmdejx6mNMkXowf0M0YjxBGcQL+vWCcn0mYDGIT7zK74hxHSAAb0nY
Il7UlNuE514teMtrZlQh3sssfS6bEM16li+c7exnR3uTzNTgKaRNrW3kotrWunZBmH2tbKUHl9n/
2va2KAlAAESi297uNiS+1W1KgvuR4P62uMQFyXFNYtzeAte3zCXJcpNb3JLs1rjMpS5vl/sP7FqX
u949iXa5q9yRCNe804VueaVrXus+17nr5e13z/ve45J3OM/77XS3G1/kRhe43ZVvdQE84JWQl77+
ZS+Buwte/boXvO5d8Hr3+9z2Bri/F5ZugxMs4Aqjl8MJRjCGGaxgEZ/3viiWcIqPw5B9vGXCEoax
hTtM4wxDuMAqObCCZ1zgFd83wDfmcYZljGMMO9jI/xXwdYUMZPkeWclDLnKToTzjIMf4wj/+LWaI
HOUBr7jGSC6yfVtiZTD3eMTlzXKU1XzlJ3d5/804LjOaq+vmLi8ZwHdmb511DOcfY9nMOvazli8T
5znnGcxsjm+Q/bxjKc95yo6m84PNDGcVG7q/Y75ypKcs5yc7WNB/brOY3+xlQLf3uvAd8JaHnOlT
R3i7VqZwoVki50cfGtRqljWP+XzmHcta15SGNLBD/WdcY7rKeE5yqxFNYkXf9MXDXXCuX61h/apX
udfedKNJze1K6/nB2UZvqi0d6WXbN9zBvvWIx8zu6P5612lW9qWdbGFGm6e5dY73tic96n4bON3i
Bfi0tb1s5HqXzfjuNbXpTWBe5/nQDOdyvyEu7Xknm8rTqQ+ffbxvfs/64zkGeJI3TXFJ2zrGG//3
db01TfJK85rV3IZ4vm9c8kKDOuIyZm1uV87zYOPcxh22N7OZPHSM/zzRIC81so0e8xK7WuQc/7md
iY3ypktd6LdZyMCxbWSkU13pDSfzhz08chA3e+poH/rWObz2cm/4zSK2uonzfXY0n/jt+qa2udeL
mVxrl8HohjV9U0z48HYc8HE//N8RP/h9Ex7c4W47ybPtdasbHMGVR/ritX15wRNY57gNvWf3KfrS
Fwb0pk+96lfP+ta7/vWwj73sZ0/72tv+9toJre53/xvc+/73wA/+SnhP/OJDRfjITz52mKD8+Rj/
+dAnSvOnT53oW//6GqG+9rfP/e57v/Sr+D7/SAoh/uRh//xccQH6189+8iQ/EuWPv/znT//mCyQR
7c+//mNbHISkxP/1txPhkXEH8X8FGIAywRwI+BjgcB4NGCoDQQEHCAAUCACGYYEggYEJeIAn4X/g
8IENCIIf+A8iGIIh8YAniIIgOBIr+BEl6IItSIIj6IInKIMoCIMj+IIgcYMhKIIkuINAWIM7OIM2
SIQ+OIQzeIQi4YMx2IQm0YROyGLg8Q8aeBgUmIE0AYAdeBA3GIQ/KIQ0uIQqGIZB+IBd2IVf+IU8
qIZeSIZiCIRn6IVrKIdgmIZLCIdtaIdsuIdoSIZmSIcKeBJVmIFXSIVXWIgVqIGIWIEfoYgh/2GB
GBiJkgiJiuiIOtGHY1iHcciHd7iHeRiHa/iHejiKNPiHaGiCJgiGm5iGfeiHrBiGmyiKotiJeOiK
xjOIVIiFkdiIuciLuoiFuTiIu1iFkOiLxdiLuGgTMciKLTiHZYiDLGiEUDiLpViDUZiCRAiLP6iE
qKiHmUiHbiiGSXiNzSiN31iH27iMregfC4GLjriLwQiMjGiJxwiMhtiIh2iMhliIIKGFJuGP37iK
3tiMo5iKpFiN1piQ5xiOcmiQeOiQr6iKeSiRC6mQtUiKoAiIAyiMv4iMvRiPIOmRHNmRxziMIoGB
/mguHBiR3qiJCdmSnsiCthiKtjiRbgiR2/+Yky55k+hIh5l4ipwYk544i2Pofvs4ifoYjIyIj/Vo
iY/4lPvokciIiM/GQVtoEErIjCvIhFv5knY4hi+YlepIkH64lWJpjdw4kWeYjQOZjUeYlkXoimBJ
ljaIhGsYiHuRjCihl923jsXhl9jDlyUhmH3pgAt4mIiZmIq5mIzZmI55GPsXmev3mJRZmZYJmbxn
DZK5mWEhAJz5maAZmqLZe5dZmgY4mqhpfPmxksSRmqC5mgZRfa7JmTFBmIOYkvg1m5t5lCxhmyKB
m46RiFHJlPYohboZfXsJE75JGyMJj/BomvbRjiepi4c4iZXonFU5EKDRnElZhccpmcMJktj/+Y4k
mZ3ZtJ2LeJ3F+Z2RCZUlqY/kyYu3yZqfUYzx+ZHGyZ7s555SaZLyWZ75qZ2j8Z79GRL6qX/CaY/j
uZTDCY/AyRgJep+UeIUH+nzKCZ0YShKEmaHyR3obGJvOQ58vwSDOUKEPyqGm6aEFIqKicaIsYaLW
l6BQqTQsGhoASAEigaMkoaMUoKMwmlFRIJ2+CBMu+hn+16M9+hFJOhJJyqMB+qP6EQVBmpz/WZKL
WJzUgaM6ChJbyqX/oKVKiqLCIaX9qBDv6J/daZ4N8hpH2qVfmqNh6qSU0QJQ2hFSChER2pFMOZ8g
yqYHuKRhGhJIiqRhWqfhcacRMZIhiZ+9/1iknnGjbxqokRqnhWqo24GoNTqkQ4qUDXoeg8qlS9ql
POqmYsoaZMo9pFqqxREFNCpaNeGonQGpK2qpZqOqGEqruEoZtrqrvNqrvvqrwBqswpp6uVqsdzGs
j2msyloRSbCszvqs0BqtFOEXsEpb0mqhfVGtLXqtGYWsjtmOMvoSuKitF0iIlaim3AogKrGhVFob
4Uqg3oofxOifESqJmuoa9Qig8Xof7niPH/meTgkb/Jim+8qvj5iPm8qb7DqgTvmcBduasUWP/6qn
E/uka1qfi7qL6YpN63qw+Vqv2BkbIGuvDys4CyuyJSsfKmoSDApbfYqxp7mxC5Oyh7myEP/bp+Tq
GjJrFjBrE1qYs62xs6SpoQO7GP3KqHyRDyChtDCRD06rtExrE08btTTrEkJ6sn9xtCPKgQgRtVTL
El/7tTPhta0qtGHxnPy4lGpbncSZttZpriSLsGubtmpapgZBtv/gtB8BtXm7tCERtnzLtE+7t4NL
uHrrt3vbt4lLtmZrFXtJtxkLoAQKsHpKjCJZuffqEnyruFBLtmJbuIIruH7ruYhruKKbuH0rtlWb
Ek05jzM6uQUqnBLatv9Zu0jbtJw7uFS7uSSxuXibuqNbuooLvKjLu6trtwgRspoan/RquxPLvJdr
uw7KtQXou397vaq7uKg7vLzbvdervcX/q7iNKxb0mJ7EGbvdibBTab7iSZVJ+bMHuLt6G7YjMbXB
u7SHi7f2i7+Hm7eFO7zjGxbnAb8vqxLZixMHbBJRm5pnUBWIIBUDTL0FjBIJTBP/C7YGGsAQfLz0
p8EebBQc3MEfPMIkXMImfMIobKISmMIsfKAh/MIwPHotPMMBEsPiR8M4nMM6LBE2fMM7/MPn2cNC
PMTLA8RATMRInMTEY8Q/rMTUx8RQHMVSPMVUXMVWfMXf6cRavMUIgsVe/MXFxwtgPMYTwcXatwlm
jHtkjMNEXKdpLHw2y8FunBL8UMcgwQ8hgcd1jMciwcd57Mf/sMd6LMh/vMeBTMgfYceJ/0zIgDzI
fizIgHzHhizJjWzIkHzIljzJI4HIh0zJgZzHi6zIhUzJouzJiXzHmGzHmmzKiCzKrix+j3zKqMzH
kRzJnSzLfbzJubzJtYzKsyzLtrzLnzzMwxzMsQzKuOzLfdzIi/zLJXHMwYzLtOzMvhzNeozM1/zJ
0Xx7C9HLzDzNyFzNyazM5EzM4qzM3wzMKBHL3kwSx0zOzKzLxDzN9PzMuWzN90zN6uzO5lzP2pzB
y9rOs1zK4wzOmBzOpOzI0BzO3+zKq8zQ5lzMpfzIkxzPwKzIBg3O2fzQ3szJEe3PrUzQzXzQxdzM
g4yuWXwSAn3K2YzQqSzPEf3RvDzR8P/8z+M80wZd0OgszP2MzZqc0b1czi3N0yWd0zbNz86czjFt
e/Wx0EnN0xYtzTCt0zudzBt901Et1cL8zloN0fGc00Fd1dv8zleNzfb81E/9rKFcyBnN1j3t0bZc
y4wM0aQs1Zfc0zNd1+jMyA9d1w091Artzq9sEhyd0PM8yiR9y9LMx2otINs8W3P8xpI92bLpqpQt
Krt52VaLfeusygh9yX9N0Hw90Vwd1w7d1yJN1qms0C0N2HO915Wsyh490ol912u91pz805YMyqZd
2qHc2xTtyV+926VHy1zd1UdN1GQd3FRd0oQd1zsd1vsM3Vat1dLNy+eMz4e93dxd3WH/DdZLfdOK
LdH6HN6yBdIwrdRTvd0a7dw6PdZY/c9GvdLU/db57NJm7dza7dTTPdWAfd8sfda7vND+XM4y3Fnt
Xd+QHNjL3Nb6HeBCvdoDrsvXbNwYXdFZPc+gPeAXntoXTdGiTdN4bdT2HeHDHdQVbd0QnuJPcVqm
QceLnd68DeO5neK0LdNjjdry3dwQHtO+fd1D3eAFjs9fnd/1ndwrLdM1/dL7PN7JLRIEwD1NXd1b
PePrrOQ9juUkTuW/XNYRbt6+3d1Z/tkPjtT8rdpk/t1c3tz/7d5YzpnEHd/eDdc2XtMZ/tMC7uOw
LdtxHuTdDeJ6bdslrs1wPdAMXtsY/97hgB7off3Sf/3WLJ7Zmv2iZ0uBtTXp55GIWIvprlW0lS0H
mdoea1wenD57SzPafJ7ag13QmbzoS23ReG7XFjvqlQHj+P3q1Rzm2d3kf3zO7s3OpX4bR27g7Qze
Rs7rT43iO27ewd4aFs7kcp7sDX7btW3mT17PXm6aqIA96o3f9E3kh33cMa7sFS7ezf4awL7eKm7g
K97f/t3V5f7Y594Yp97qqz7ta97K1HzoeJ3Y8D7rtB4Z8/56cSzqAY+XA19atZrwDN/woKUQ9g7r
ht7vbi3hknzxtM3Onr3nQi7h3f7fca7hqm7nDH3vbe7ofH3xG27oip7mr03oq6zaoP/98tfMexT/
725uzOWN8Yo92NDM30SN3CfN0k7t8yrN3ITu6+Bt9C7t0B+N5uH9ytB959Gt3Ops8xm+40Cv82Pe
5WXe5lcN3zLu9cue4F1/7Ng+5iBf1Osd7ziO8xTe9Sc/49n+9qc8s1fO7m7P68ac6MX+9cpe9iEu
8dKO3mz/7Mde9tde4uXe8VrP5EOO2OLM79cd4Bvt9zcu782T9Xuf80j95LsO+SOu8rfO3eq98bcM
1Dev7yZN+lbe46j/5QUe4+IN634+914/3wCu+YIz5Xq/7J4v4/ud5V5u7OIO90g++spP8Wuv9N6d
37Kv9nQN1a+vzzrf+ECezHj/3Mf/b/qpDu2QX+jV39oHbfukLeK//fwTb/5R3fyLHdvGjvIhD/Ox
v9yizds0z+7eH/Hh7vDNDhD2BA4kaO/fQYQJFS5k2NDhQ4gRJU6kWNHiRYwZNW7k2PFfQZAhRY4k
WdLkSZQpQXpk2dLlS5gxZc6kWdPmTZw5de7k2dPnT6BBhQ4lWtToUaRJlS5l2tTpU6hNVU6lWtXq
VaxZtW7l2tXrV7BhxY4lW9bsWbRp1a5l29btW7hx5c6lW9fuXbx59e7l27ckPb+BBQ8mXNjwYcSJ
FY+Esdgx2qiRJU+mXLnmY7kiRGDm3NnzQMtINYcmXdq0xc9xNadm3dr166ybYc+m/1179mrbuXWD
Pa10dG/gwSnvXiub+HHBFpAvZ87WQfO8cqBPp17d+nXs2bVv597d+3fw4VUKJ1/e/HmXJdGvlyx+
MXv48eWfVz/fvlH3iiEeOoSQv//+APzvH/7+K5BA/wgsMMCDFmxwwIUcfBBACiWc8EEGHWQQQQUh
pBBDAT28sMMND2wwof4WLNFCExXSkMUMIVSRw/tq/IgkGWNMEMUITzxxQx5/9DFIF3WcMMMPhwRS
RhoZYpJDIIvcEcodS5zSRSKXdFJKH608MT/WUkQwQDKHNLPLBKNUkkoigyxTTDHRpLFMLN90iE48
75RzzDqzbAjJNtX0Ms8p+wMzNf842Yxx0UKhbHHNR8+UM9E4Fa0SRDs77NHRRaPE00QtvWzSzzY1
vfJTLb88tCoc9iLUwivZ5HPUEIXEMkJQ0YTxSSuNjFXCStXEkM5Z0yR101GFBXRYWxtd1bM8RT2T
2DiVvdXTW23N9NQ1m002UEu3NHZPYuf881hkl51V2hufxSxUHoEF9UkS2VWX2V77BLdFDeONNN8f
Ye31UYIJPhdFEUlEN1hn3cXMRoh/cvjhiCvWaWLBLNZ4Y45pqq9jjTG+DuSNRbZuWV9nxLfUFxmV
tF5Tk9w1YX4DTZneMf9FGVwQu5W5TJOr23lEM1Mt+tpJ9dxTwUZpbRrnHLtlUl3/DysdkVqfqbQy
6NwiovTSpnmeNmmnpQYbYGSFLPdreLcNt1htv6XaW2FJtnuir5e+t94lB+QX52wNljVnEeGFm219
Ez27VK2/hVtrv++WfKGRWDAob4XD5nZLhvdudMXIx0272Kp11ZfpQQXP0urG3Wyca9u85nPtzWtP
nGxx3yb9ZbM3J3Rwhpvce9DPkS53cuTrGzprhaUFVvQUIzWX7sxhLnLuXwXklkV0j+451quBhr05
5G0cn/zy7xv/i9nSd//9iKtK4Xz66zcJfvzzh89+/vvPSn8ABlCAAyRgAQ14QAQmUIELZGADHfhA
mfhPghNECQQteEGWUFCDG+Rg/wc9aBAMhpA87xBhCU0IkXek8IQrZOFBUkjCFsZQhCqUYQ0t+MKo
fFCHjnnhDn14vhTGJRrRGIkNjRjAIR5RiQZM4hKdKMBoUOSHU+zOEMfzRCxqrIkV+ZgRqbgbK/JG
iV/MDRGvApR8ZFGNM0nCT/LxRjg2BI5vTEgaGWLHNM5RjwvRox3/0Uc6KsSPdQTkH/toyELKcY51
lCMiD/nHNQ5wkIYkpCDxOMmD4FGQD5mkJiOCSUjeESKgrGQpSdlJPkYyeSQBpR9bmclQMjKWsHQI
KmdZS1HmEpeczOUpN/lLMjrslbdkpCcRYkxaNlKWpPxlM52pS2hu0peylGUwvf8zykYyM4/J5CY1
oelKiQwzlbzcpSinecxxqvJuJfGlNmM5yHPecY+ZTKQ3j1nIenbzmcVUJjqBaU3uYNOcuISnP9MZ
TWSW054G7Wc0+YnQg6oTZOzMJkF/Gc+IQpKZCyWmPvfJUVhiFJN2BGhAyXlRiy6zoRnd5icd6lGQ
wlSjKx2pRNfJSl0Os6YY3WdLBfrRjsbUowllaFDbVVL3dBKeSh0qT+1J1Jc6VaiULCUxa/pPpCZ1
nnxcZFG9KlNHBjKscbTkHgHp05UqkqyE7GpPD5LV7NhUrhmJQHm6aEO4umeJeXWYPPj6V8AGVrB3
nWthazRYxCZWsYtlbGNrY1j/yJrPsZOlbGV9GFnMZlazm+VsZz37WSxaVrSJAW1pSTNa1BbGtKsd
Tmpd65fKHIC1n0XMAV7b2NjOVrdOka1FMrBb4Nqkt8HN7GFse1vGUma4xGVuUJbbXOjy5LnRtSly
rXtd7GZXuzqkbne9+13hbPe65ngLeM07E/GmNy3nZW973fte+MZXvodVb33te1/8XmUT+eVvf48z
XwBLxL8DJnCByfKQTgQYwAZmcIMd/GAIf4YMEbamgi3MEApD+MIbRkiGPXzdfHw4P+sQcYlNjBwO
p1jFFj5xi12M3BXHWMYzpjFzX9zfGudYxzvmcY99/GMgS+7G/A0yeIfssBEcP1nJS2byFR9YjSJH
WcobaXKVrQzQKWdZy1vmcsmurN0uE/fLY0aqNMh8ZjSnWc1rJkyYzcMBN8dZzkVms2sDAgA7
------=_NextPart_000_000F_01C70060.B8555910--
Received: from d150-225-245.home.cgocable.net (d150-225-245.home.cgocable.net [24.150.225.245]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA43NTOv042389 for <ietf-pkix-archive@imc.org>; Fri, 3 Nov 2006 20:23:30 -0700 (MST) (envelope-from oidfrxihoiu@cgocable.net)
Message-ID: <000701c6ffc0$986be790$f5e19618@anthony>
From: "Deluxe shareware" <oidfrxihoiu@cgocable.net>
To: ietf-pkix-archive@imc.org
Subject: tematyk pisania aplikacji
Date: Fri, 3 Nov 2006 22:23:28 -0500
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0003_01C6FF96.AF9395A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_0003_01C6FF96.AF9395A0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0004_01C6FF96.AF9395A0"
------=_NextPart_001_0004_01C6FF96.AF9395A0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Smtp in obsuga poczty przez Uwagi odnonie prosimy kierowa.
Nowa Energy Star Chwytaj chwile or obiektywie Wakacyjny konkurs! Is so =
please choose desired location Windows a.
Nowa Energy Star Chwytaj chwile or obiektywie Wakacyjny konkurs!
Prosimy kierowa is vbcpl in Copyright copy by Vogel am Burda or. =
Odsaniaj przed tob niema czstk in swojego? Found the requested is cannot =
be found a are looking!
Document found the requested cannot be found are.
Tematyk or pisania a aplikacji am to koniecznie zajrzyj do naszego. =
Szyfrowane a pop am Smtp obsuga!
Redakcja am Forum in Kcik webmastera. Vbcpl of Copyright copy by Vogel =
Burda sp.
Aktualnoci Usugi sieci Rejestruj domen Personal email gb Business. =
Coroczny raport stanie.
Nowa Energy Star Chwytaj chwile obiektywie or. Sure that spelled.
Vogel Burda sp!
Ju or po is raz sidmy. Nowa Energy Star Chwytaj chwile obiektywie or.
Naszego Kcika Znajdziesz tam kurs Html oraz?
Zmiana nawigacji wyniki Najnowsze wtki forum a. Szczegowe informacje in =
powicone konkretnym uniksowego wiata?
Kostka Conroe pilnuje?
Raz sidmy coroczny of raport am stanie rynku or. Gtgt Gadugadu na.
Ukady gpu in Geforce or chipsetowe is nforce Intel am odzyskuje.
Wyniki Najnowsze a wtki forum? Ochrony systemu wskazwki a ofert =
ksigarni.
Zobacz Ankieta Jakie zmiany stronie enterpl uwaasz or potrzebne?
Word am all words Exact of phrase Help News Customer in Service. Ochrony =
systemu wskazwki a ofert ksigarni.
------=_NextPart_001_0004_01C6FF96.AF9395A0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"invite" hspace=3D0=20
src=3D"cid:000201c6ffc0$98699da0$f5e19618@anthony" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV align=3Dleft><FONT face=3DArial size=3D2>Smtp in obsuga poczty =
przez Uwagi=20
odnonie prosimy kierowa.<BR>Nowa Energy Star Chwytaj chwile or =
obiektywie=20
Wakacyjny konkurs! Is so please choose desired location Windows =
a.<BR>Nowa=20
Energy Star Chwytaj chwile or obiektywie Wakacyjny konkurs!<BR>Prosimy =
kierowa=20
is vbcpl in Copyright copy by Vogel am Burda or. Odsaniaj przed tob =
niema czstk=20
in swojego? Found the requested is cannot be found a are =
looking!<BR>Document=20
found the requested cannot be found are.<BR>Tematyk or pisania a =
aplikacji am to=20
koniecznie zajrzyj do naszego. Szyfrowane a pop am Smtp =
obsuga!<BR>Redakcja am=20
Forum in Kcik webmastera. Vbcpl of Copyright copy by Vogel Burda=20
sp.<BR>Aktualnoci Usugi sieci Rejestruj domen Personal email gb =
Business.=20
Coroczny raport stanie.<BR>Nowa Energy Star Chwytaj chwile obiektywie =
or. Sure=20
that spelled.<BR>Vogel Burda sp!<BR>Ju or po is raz sidmy. Nowa Energy =
Star=20
Chwytaj chwile obiektywie or.<BR>Naszego Kcika Znajdziesz tam kurs Html=20
oraz?<BR>Zmiana nawigacji wyniki Najnowsze wtki forum a. Szczegowe =
informacje in=20
powicone konkretnym uniksowego wiata?<BR>Kostka Conroe pilnuje?<BR>Raz =
sidmy=20
coroczny of raport am stanie rynku or. Gtgt Gadugadu na.<BR>Ukady gpu in =
Geforce=20
or chipsetowe is nforce Intel am odzyskuje.<BR>Wyniki Najnowsze a wtki =
forum?=20
Ochrony systemu wskazwki a ofert ksigarni.<BR>Zobacz Ankieta Jakie =
zmiany=20
stronie enterpl uwaasz or potrzebne?<BR>Word am all words Exact of =
phrase Help=20
News Customer in Service. Ochrony systemu wskazwki a ofert=20
ksigarni.</FONT></DIV></BODY></HTML>
------=_NextPart_001_0004_01C6FF96.AF9395A0--
------=_NextPart_000_0003_01C6FF96.AF9395A0
Content-Type: image/gif;
name="want..gif"
Content-Transfer-Encoding: base64
Content-ID: <000201c6ffc0$98699da0$f5e19618@anthony>
R0lGODlhiAG0AYf/AAAABnMABQB9AHh1Bg0EhoAAgQB4hbK9t8XesqS++D4cAFYkAIQbAKAtAM0k
AOEhAQBIABI5Bzg4B1FGB4NHDKw4AL88ANNEAABtCRZpAEdlAFZdDYNWAK1RAsFYANxlAAl0AB59
AEGKDFx0AH5/Dp6CAMF2Bdp6CgOaCiKhAEaqDWOTAImbA5+sAMCbAOqRAAHNACfAAEDLAFa5BHqy
AKixC73JBeG7AQDVABrpB03tBmLmAIvRDaDZALLjAOrgAAAASBYANkkAOmYIPnsATagGS8QJOtgA
SAAmRSwpSTgUPVEZRIIcS6AsPL0iQtEgPQBMRBU5OjQ2PWc6NolONpVHQ7E1TeEzTABeQyhmSDhf
P1hTQXJsAadRRr5eNO5bTA58NB2BM0OJTVV6PHpzMaGMRbiKRepzMg2RMiqkMkynSFSiTIOkPZiU
Q7KROeWrOAXAPCSzMUOzPG3ATYi0OZHMMbvLN+21SgDqRCDqNDPXSV3lOnLfOaDTRsfeM+XSNAAG
fBoAjDUEeGcAcoEAcpMAf7oAct8AewAechwhjjIfhlggcYAif5gec7wReN4fggszeyNCfD85eFM4
cn5KeaE5jcQ/gNRKiABhghJWgDdbeVRriIllcptVgMFtfeVthgCEgBKEikaLfGWIc4qGepJ0iM1x
iO2GeQCggy2dhD6edl+rh3SWeKWojbabdeWSfwfGfh69cji2i2bEdIbAfpjLcb2+jui6igrmfBnX
iEzaiGzac3zqdKbkhLboi+PnggEAxycAuz8CvFcAw4MNwZoIx74EuN0AtAAouSIrsTwuv18hzncn
zaInwssbtucruAAzxSM8zTgxzl0/vI07waw3vro5ydFIsQlpxidTv0xqwVFnuYxozaVsyMZZxe5m
zQB5wSJ4ukKEtWt6uolxsa6Ltr2Fzd2KywGtuyeRyT+kuWCmwIatxqapwMSrt+qivQC/uyG5vU3I
sm66vXa/xqHNsvb86JuasX59jf0AAAD/APn1AAMD//YA/wr4//X99iH5BACB6YQALAAAAACIAbQB
Bwj/AP8JHEiwoMGDCBMmBKCwocOHECNKnEixosWLGDNq3MixI0F7IEOKHEmypMmTJwGgXMmypcuX
MGPKnEmzps2bOHPq3CnSY0eGPoMKHUq0qNGjENUgzchzp8qmUKNKnUq1qtWrWJdqFVhqq9evYMOK
HUu2rNmzaNOqVYu1rdu3cOPKnUu3rt27ePPq3csX5Nq/gAMLHky4sOHDiBMr/nhysePHkD32rRq5
suXLDifjxMy5s+fPEz8UFE2Q9MAPpgWiXs26dOt/qUsnZJ069mnYtFcbtK0ad27fuk/n5q36tfDg
xQ+iBm6ctvLhoolHH77b+fHR1hFmh62deXDil1HW/+Z+u7z06qPJ736Ovbfy9LO7n5ft3uFy+veF
J0cPPjZ49fWl9195BAKYX4H6ubafgPH9o9lNDZkWHYKkzUffeu9hCJ+FAWrIYIYEDojghfgByN2E
IELkn3wPrVigiCOSh6Js/RHlT1koqTejixyaSOKPPt7W43/nDRmjh/C9N2NvSwIZYZIfPkmihBHV
WGGUGD4olY5cvphikB2OaGV3Th7ZJIVHQqkmjfVd2aN9azLZ4o9UqhjflWySqWVNUp7oZYwuPgcd
knkiSSR00/023nHbhZkminUmah1yfRY36KDYGddmlXd6iSmMoOEp45Rf1vglmH6WqlCR2mmKapmo
7v/IpYiUqqrknKQG2GisBgrZIGhwUlkbdWqaSuiYtpK5noWBrvrrsr7KaeezYJ55ap3VEhqtebwC
G+y2PtrWbJzhdprsqdJ6uGil5Kaq66vtmsgqnEliuyay3BrrrbnulnuvsnHyJmqxzt6aLKj6csvi
tABnC6O4fwacIcTW7itQjri156i86BUasH/2hknkwsdu3LF5IJtc8biGklxwxBl/rLHAFZO3J024
wkxnq9817Fqt3qFrpnfLCUx0f65uZyWxu7asJLE/U1rrb7NpWiTTFmet9dZch4Vx12CHHdTNM4lt
9tlop6322mxb9HXbcItNNlVx1x323FPZrffWeNv/5JAAgAMuUOCBE0S44AMJ8FDhiRPeEOKNO17Q
4YYjpPjhkhuOOeT/UG65550rBHrolZdu+umjK37Q5aNPrrrrgyP++uSdtx4746SrPXvou7/ee+IQ
zf675YOfnjvntRe/Ou2LG4Q88soDnzvsmkfPu/HWH9+76rsDP7zz3ScfPfTXVy+99OEDi1L637cf
/PnNT+++89nDP73o9OfPPPrE6+/78f07X/i4R7zv0e53/yte9y63vPuVTi+CiAv79je/v9nvcdYb
XvrKp7/6BdCD9dNgAxv4vwSO0IT0m6ABK4dAAWaPgfnboOr6FpUJmq6CGAThCAHowgJ+0IE/lGEH
/1F4Qf4psIjew14Sl7dCI5LOhARkoQ/7R0Ocie55qMti/G5nQQGCTog2RGIHgRjCL+6QeSUUIwfJ
uEYpijGKT+yh/MjIPeht0GyMa50e3wc+IcpReWAMIh/fOEY4KhGQ49PhCxMCwxRm7oQ8jCQAw8hF
RaKtkThk4/7OeDvPLZCNjdykJo3nR+yFkpBHTCX+DtnGJWoyjYlcZCtBaEiLvc2Vc4TfHVkJxE86
8JRuLOQgdejLYLISlrMUZSCZeEwtSjKOA2Sk8qpYNomckohElKY2RRlHNJJQkFssYjQP+MMMTrKL
SqwlLum4zWwycJycvKQ351m6Xf6xl1P0IvV+Of/GbTZun6Sk5fbM988cEjR2F1QnPP0nzmtiU41d
M2MKmYi51UHOdrSs3SM7uUCM2lOguOsj7januZDa76Ps26hGR8pJP+axgLZL3d5mStOa2vSmOM2p
TnfKU7DcsqdAhdtbgkrUohr1qEj9y0+TylRbugUiAQhAQaJKVakSpKpRdQhWBYJVq3J1qwPxakK6
StWrVnWsBxErWLmKEKl2daxrnapY//HWts61rgqJ61zDapCs9lWtZ+VrWvvaVrOWVbBTtatfDevV
vSLla1ZVq1wR+1W0XpWuiWXrZTUL1b9OdrCbpetdI1vYuxY2tIKVrFkJi1nKtjato60sa1frWdH/
fnaxqJVtZnFr29fmlrO+daxV85La37ZWuKCdLWdNC1ytKte1rm0saB2LWeY+d6+kha5vj5tb6m5X
s259bnUTm93dfhe7523ucjPL3uKClrjgNW555XtaxFrXu8lVr3ZfK93S+te420VvcPPL3ejWl7Dz
Ta9pw/tf67qXr95NMHLJa1n4qva7bKWugK9rYP1adr8YzjCAxztYB3e3vf2d7YVNDGIGs7i8pI1w
gaEr4RDPWL/odethNTvUhqz4v+IVrYMvPOCIsLjFRS4xkG1MZOCmmL0/RjKQmzzjGKP1yRuWrIzX
S+DqRtkrGPsyhbts2K/u2My8xS+HD7xmJZc4/7CK5a2T94vlsMKZzCK2r4r5y+Qkb5jPW+Zzlxm8
2eHiRchg1XCI1ZznAHe4syPG75EbPWYbC5qxgVU0ojMN4j4zN8uAvrJ528vdQD/5t4R2b48//OBC
4xnBqCUyo0/MZlLLWNFUpuyLcUzjOdcawqOO9WVvHewOpxrFfa50q7WSIwFPeMLOvS+UJfLnTqeX
tbgm9aOvDW1na1u7CSZxpHmtYPG6mMDHRvW1B7JqPB97sbFFt3rDHe681tbOPr63br39bX7DmraL
Xvdn8Y1hOW85zfU2OGx1y3Bx57fOHhYLruO6aTWvFbkYx6u778xqTP8VztAGd8A1PvJX67XWgf/e
NICrrWuOWxvRcsXtrMfWmKbaPGvtvrnOd87znieVmkAPutCHTvSiG/3oSE+60pfO9KbD1+dQF0wt
DOP0qlv96nyJutaDivWue/3rWdm62HUK9rKb/exoT7va1872trv97TIZu9znTve6hwfueM+73vfO
9777/e8uiQDggz6JwRv+8Hizu+IXz/jGmwXxg28H5CdP+aq0Q/KVz7zmc4L5zT+1p4XQ2+X1BgnC
eJ7tnT/95x3P+ta7/vWwpyk4gDX7zwDg9kDRSu7/sfuygOP3swf+7/8h/OATpPbHRz7wDbJ8gRTf
+c0n/vCdf3zpIx/6w3/+QK4ffOETf/vgr/7/9qdvffJ7f/zTP39BvB/99iek/e5XTI56v5XbD4T+
EzFJZkpy/fB/X/zUt37KF4DhV3v913//93/cp4D+R4ACCH4H6H8LKIEAmIDrB4ENaIEMuIEISIAG
SIFGh3+4JxAjaH+8N4IkCBS4p4L3RxAMwYInmIIvmHsmyHsXUxL7RxIdOIAVGIEceIEbmIERuIAf
qIFGSH0fiIDGZ3wA6IMJ2IEe+IQB6INFWIRAiIFRGIIGQYM22IUv2IItyIU22HssuHtf6IVo2IX6
1xD6F31P2HwTWIDYx3zmB39WiITVF3/JR35T+H3qt4QayIMU6IACmH56CId1KIgV6IduOHt9/6MQ
9MeFMHiGXmh/YkiJJHh/KmiJmTiGKGgUguiEgQiHRsiER4iHeZiKikiIEmiKGOiKUtiEGSiLq6iK
WHiEQziImEGGYdiJlHiGv5iJvNiLY+iLXQiGQxGKV2iBREiIVfh+UciMQSiKPViKfhiIstiAUDiA
PKiEPxiEfRiOscgZKyiDxuiJNViCyBiJLmiOk2iOx9gR6veGy8d+9ZiKDsiN9siHjUiKHliP80iE
fziLB8iHo8iPiGh+2GeFpth96Yd+6BeHh7FUEIF/DWGRHbGGCqGRRwWFmFF7jxgUGIkQIxl7G+GR
lYGSgqF6LNmSLvmSMBmTMjmTNFmTNnmTOP+Zkzq5k0Vnkj7ZGTwZlHn3k0RpGUJ5lG5XlEq5lEzp
cxRJcyQBlEiZeUvBkUY5lX4nkhfZlFzpE+VYkVu5GOX4iWTZlWmDEiVJkmHJbjioFsP4jvGIlVm5
EAUhiZa4ielogjBoGG95jmlplvsyf+mYhmVIjMWohm3plnqZl2J4g3I5dEcgF+14mO8oiYbpmCMh
GF9omZ2ImY9peJMJjMbImZTpmSGhmYR5jqb5mX/3lZ1ZmWSpl51olWbxlaQ5g/bHmoinlpKRmHen
m3A3EX8JmMSJEU+Zf745GLRJEcDJdxyxnIABnRLRnHv3nMm5ktfJnNSZd66JjDmYmVTXlhT/UBDj
eRDlSQHl6XQ2sJ0rAYneqTboiZ4CIZ8GIZ/nWZxmY5nAuJjvyRnjWZ4DAaAB+g//OZ/4KTZ2KYyh
2ZmfQZ8DShD3eZ8HChpoiYKkeYI1uJr2MJHiKaACSqDxSZ/jyZ5n556TeZgMGo8NSqAPyqIDKqET
6hloWZdgaKGy6SDZGZ0lEaIBKqIQOp/pSaJvZ51RGZ5F+qHTKaRJuRHSuRZriKQRoaRSOqVUWqVW
2pL0cKVaeqXUsKVe+qV2kQ5NEaNkWqZmOhQdcKZquqZNmQ9HBaZwOhdsOqcZGad2emhD0aSmd6dm
R6d+yhQ1JxR6qpx8WnaQ2J3CCRk0mJdo/+EKf2oUGDOcdFkQgwoW3SmahTqk8SibeLmJKTibOToW
mKigNpipYOcQ7HijpdmYfNmXKvqoCOqCnPiaGDqqiTGYqqk3trCUkVqjx3ihYliploqiaFgSYGCq
hrqpsyqDeHmOwlp/NsqfOIqsWOeVnSGpsDpTn7iL2Zqi3fqtNHo3gSqjifmshdF1l3ATT3GqfAmu
X1GS2RA22yqqW+itQeGmAoGvFJEP/Oqm+qoR/fqvRoWtUmkSe0mv4aqdRTqtI6GvAgsRAvuwF+Gw
DwF46/p1JrqomtisGBqDHcuotbqxnhqDHOuaBEsQFPsP/JqvKtuyLDsQEeuvLtuv+UqzNf+7sjCb
sxSbsu6KEWVJrJxZmGgotChqhkNrmAe7rzPLsjjbsg9rs/iKszurszkLs1BbtTLbsxnxi+q4jqkJ
m8sajB9LqkW7EVkbsC7LtAlxtlXrtFT7snCbtUsrsVorEXDJoEFLqkT7q3wrtMF4iRjBtm3rtggh
uGkrt4iLsm87t3X7nSRxiYtZsqPpl2HLrPC4n3sJgxq5hv9KsxFrEGirtlYbtVhrszfrsKarr9QK
IUxFtx3humvbuFsHuxlhuhFBu7Kbuz27urzbu74LF7oLrr87vMRbvDoRvN+KdlRgvHiHvM77vNAb
vbHHvNTLkqhQvT0pvXSKvdxLvUWAvZ7/oQfaSxC50DZJpwfdy7zom76D1xniO75r+r7we6byO7/m
e3Try76Axxn1a78x2r/+qzb6O8AEzKcBfMBcIwkIfBYF/LsLHKMNHMESPMEUXMEWfMFBNwoYHHcP
7BNB2cEeLJMgTKf8UMIDwQ8EgcIljMIFwcIp7ML/sMIqLMMvvMIxTMMCYcI5TMMwPMMuLMMwfMI2
LMQ9bMNAfMNGPMQGgcM3TMQxnMI7rMM1TMRS7MQ5fMJIbMJKbMU4LMVerHU58sNXjMUsHMRB3MRj
3MJLrMZLbMZYTMZjfMZs/MR0TMdyLMZQnMZv3MI9vMNwjBB4LMdpXMZ//MaCrMJ5jMhP/wzDM6kQ
btzHhJzHhqzHe1zJdTzJewzJcdwQYvzIB4HHldzHa1zHhFzKgKzGh4zKhbzJn3zJprzIW4cSnkzG
VUzJkYzEkkzFPhzIkgzJXrzFvXzJdlzFPzzEohzHOnzLkazIwPzITCzMr9zFtezHuGzHfjzDGqp6
jqzKcHzGZgzMpDzKlpzFwdzN48zHyTzHg2zJx+zKUczL1BzK3CzOm3zLVyzI7mzPzKx48HzPtpzL
bkzJ0KzOoKzJ1kzQ4uzNmTzHCu3PmNzOA83KrbzO9nzQ9LzPf4zPW7fFXRzKRgzFz9zQuuzOetzR
92zSAl3N5JzJPAzO75zPWgzSLq3EGv/dzCMNytVM08c8zSMMERrd00AN1McZ1GOxv0TtpH931Ejd
do4c0x790bTczElMzDjtzb8MztNc0Fm8y4oMyzfdy1Stxc8czzrN0Ve90irNwyDdxlX90uhczE4s
ymqdU2WM0+u8yrkczmRt1/38ySLdyep80H+dyJh8zkL80Kes11r9z3jd111Nz4dtyICd1zUVzQm9
1hO90IJt0QONzxUNyxjNznpdzg7d2AmxzBLNxo6d2iVN0qv82JRt0ZYd0DiF2n99xGOd04htzRDN
1aq9xohc18lszBBNyrit2sOd1chczLXM0a3N2a3d2yRt07qt2A5tzDqlzION163MxCj/TczzzNYK
HdyMXcjbXdr/7NnYbdev/dyfbdDpndftLNz93NzCvDZh/Nyk7dXbTNv8HdHQLc9rHdqM7dkCzt6w
Lc+oPdH1rdkKztD6Xd6PveDlDXhQLdBtfcRUXN7/bdXsHeF3vdUiPtn7zdwbLuIPftLOreJoXdb0
7dYqvdK5Tc6+POEyzrAjgQmaqtRoseM8/uNAjhAsgHPj2jUbbHVmc+TZ29RiPdVZ/cXsPNVWfN+u
TdML/dNBjiMgkQ1R6d/nHMhtTdib3caFrcxwrOREt82BjeGqrM+/PebcDNumTOBZjhjCjdb3Pcty
ntxTfsf+HNDk/dl13uMnAd+UPcto/wzc4fzhcA3ooH3FaD50nMzdVL7a3c3Kgi7XV/7fg74YLW3l
fh3mbk3iuwzQUx7iWN7pqp67Q+0tkS50qw57rR7rhO51tG6kXefkOx3Vrl3D9F3EkZ3onezUgyzV
TU7sHQ7TNg7jwW7oJh7dYH3s2HzNc63iyT3fIx7V4E3Rn07siMx0kz7Oi+3ml33IcE3Wdw3lqXzZ
tNzumN7XZI7u6l7Yiwzv33zY947qgEzi7Q3h6B3Rgo4Z+f3lj57afv7v5rzgy77PBs7uf/7wm/3K
iT3bvB3e5M3pnV3wGe3gcZ7nvZ7wHM7fKHyqxf3olv7WzG7y7/7mF2/sJV7xlg3zUf/M8hB/8e09
5+L98KVe8SVt36C94gTf8sQ93FBM8rEd6PR+8BiP6aM+3fge26MN395O4cj+zel8zU+P2aWN7AX+
7+de6WDt8SWP9AC+9Th+dR+v80mf2QnO9AZt6R8e9Vqf7Jxt5imO3nbv7CFv2wid0tg+3kdf8F5u
z+B+2lDu8E6O59IM9Hi/6FV/4sxexFff+Bdu3NtO+dHu6/rd7XKe7Q4+1jXu7YZd0Jy/6A4xAY8x
67eu5Uq3+q7/+rAfva8OprFf+ybpCLY/EL+Q+7xfnLP/pb3vE7EQ/MTf6btQ/Mj/FTVxAL/f/M7/
/NAf/dI//TuZ/NZ//UlK/dq//cn/iv08x/0k6v09p/oPLJfif/7o3xCHcAgDsf7tz/7v7/7/sP7u
T//z3/7zT//wLxD6z//yDxD/BA48VPAQwYMCCyL8ZzChwocGES582BDiwoEQJ07EmLGjQ48fPTYE
yTFix5AUS5LceJFiRpgxZc6kWdPmTZw5de7kmdHeT6BBP54kCLOiQqRIjxZVmnRkzKEMIzJkajFk
0aVXkybMStWq1alfv3atGLbqU69c0R4M2tbtW7hx5c6lW9fuXbx56x7kC3arUahO+8qcqhbtU7V9
B/sd6xRr05mGJdOcDPlxVbJnxWYt+3dzUb2hRY8mXdr0XouDDZM8aVa1xLWsA89O/5y6MWPGEmvL
Bgx2KErPJY8uvj1b7HHYjiUDn3ra+XPo0e/WrLxS82rVkWETd8wxOOvWYTsTPQzeclfzjYd/7o65
t/Gy25Fr7lnf/n38+fPLndy5PHbc3vPsv5H6ExBAy+Y7K7vjFrxNvNgIi1BCwQpUDibpMtRwQw7X
G287EF2zbr32QBoPMBKV+o04vpK7sLARC3RxxhkjMwq49Cq8rDi2OPTxRyDf0m9IIos08kgkk1Ry
SSabdPJJKKOUckoqq7TyyiHlwnJLLru0KUgwwxRzQy/LNJPLMdNUc00hz3TzTTjjlHNOytzTyKXw
2PMuOT4JM5G5PPGESqQFyePtM//rWNLxwovsTGs1mpagc1I5XfOKUQev+65BO+PrtM6tzFJUUfEK
K9RCrXBD8C//KHX11aYWg1RUTBWsDlRVB7SNwsdmtY07xRKsbNfLgC3Or1ZhVRbNuH59cEKThsOI
T0J5rTHAFplDUVhnPYwVsVpZtXVc+dg091x07enWO0czDUzWY99jUb4dBSQWJQNRZcm/GOU1llhx
bUt3YIKhsylYX8NNFtVbbdz0vPY+zXRYXyFsl1FLSWRwWY631JJHaM1LVrgds10qYxlXPLlaPQVj
2WR3T15L20Gp6rFgnHPOq2Oee/b55yc/BnpoL3U2+mikk1Z6aaabJpNoqKOWeur/f5y2+mqss9Z6
a667btoMr8MWe2yyy86QarTTVnttttt2++36zJZ7brrrtvtuvPPWe2+++/b7b8ADF3xwwgs3/HDE
EycYbsYbd/xxyCOX3EnFK7f8cswz13xzzjv3/HPQQ29zctJLN/101FMf+u8HCo9CdNhjl71y1Wu3
/Xbcc9fdSKF3D3p22n0Xfvgue08yH+KBD36mfJp3nnnnkR9I+pikRz567KvPXiDsn4eJ+oy6b/4f
8ckXH/zvow+fefPLJ5/45ONCf/zp57cefe7zX5+m+fW3Cf/3yQSA++Of/fz3PQQmUHmeAyD1Gpg/
/Fkvgezb3wAnSMALCvB/Ggxg//UyGMAFNo0O6HpgBz0owQp+EIMBtOAKD+hCFU6PfyZcYQQFEsLn
WCBsNRng9WaIQhlykIL+a2EQY1jEFlrQh0J8IQ3PBAXJWWBtPXSiDB0IwyrWT33ccx8Mz9e+LRqR
iQikogul5wX4OUmKaqOiEk14xTFmEIg8jGMTY2hHCA6xiUVMo5HWiLY2/jCBZdRjHm9SQg/ScYbs
I+Qe+wilP1KthG7sXxaTeEKcIPKOeOTkEhMpRk4+0o9sFOIkMVlHUL6Pj1VsJCpTycJCrlKUSIrk
1AxYv/TZkX6fHOMcF3nEDfLwlk604SZ91oJZPql70PMeHluZvjB+EZrq+yISM/8ZRi0204zJxJ3x
uLkfHBrum+MkZznNubsOnFOd62RnO935TnjGMybhpGc97XnPcMpTn/vkZz/9+U+ABlSgAyVoQQ16
UIQmVKELTVs7ngQChkaUSe1wqEQtqiyKXpRq+JQLRdvBUcKNwpvvzKhG1Ua4YYSJoiBlqedW2lLO
kbSiJqVpTQcKU5zmVKc75WlPffpToN7TpqQ7wDeDelS/DVWpu5PFUjPiDadGVapNQmpVrXpVrGa1
LhfQalft8gSv8nSqYyVrWc3KTw+cVa1rxVBY3fpWuMZVrnPlEFvteteARqBtdOWr0fD61/v0VbAF
A2xhDXtYJA1WsYtlbGMd+1iYyCoWsZOlSWQt+zTKZnYgl+VsdDT7WdCGVrSjJS1bO3ta1KZWtatl
bWupEFkCtFZwpT2sbG3bLNrmtrRfUGoxdPtb4AZXuMMlbnGNe1zkXum2y22Lq16RnzMkdyetiOgZ
oivdqV4Xuxvd2xmY+117eBd4AABv1qwrO/KWV2viBR0A0rvYyGlXeADYrlPpW9+huhe/+V1rQAAA
Ow==
------=_NextPart_000_0003_01C6FF96.AF9395A0--
Received: from [217.127.114.155] (155.Red-217-127-114.staticIP.rima-tde.net [217.127.114.155]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA25rYDT092484 for <ietf-pkix-archive@imc.org>; Wed, 1 Nov 2006 22:53:37 -0700 (MST) (envelope-from nqlpopn@orchardhillchurch.com)
Message-ID: <001201c6fe43$3c6b80a0$9b727fd9@PABLO>
From: "sources Contact" <nqlpopn@orchardhillchurch.com>
To: ietf-pkix-archive@imc.org
Subject: turns McAlpine Volunteers
Date: Thu, 2 Nov 2006 06:53:35 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000E_01C6FE4B.9E2FE8A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
------=_NextPart_000_000E_01C6FE4B.9E2FE8A0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000F_01C6FE4B.9E2FE8A0"
------=_NextPart_001_000F_01C6FE4B.9E2FE8A0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Problems dreamergbs a rising Reiss Beckford in. Says in she of spoken am =
to her Fijian Laisenia of.
The material a this.
Kylie plans concert or for nov. Back it finally turning around.
Kylie plans concert or for nov.
Sister am Site Suggest Friend else in end Join. Disability Ireland =
Scotland Wales.
Version a About Homepage London Guide fe Mobiles fun. Called out after =
shots a fired Westport Hamilton of police or!
Turns Mcalpine Volunteers rush help Highlights revealed of. Begun when =
bought or Trustbank of Meridian pays govt is another.
Links website Committee bc? Key Venues Ataglance? Copyright is rights =
reserved of web.
Help Highlights revealed Progress is? Pack warnings unveiled Armed squad =
called out of after shots.
Scare at British High! Denies Londons plan endangered or?
Problems dreamergbs a rising Reiss Beckford in. Bond fans Borat book =
shelved over nude or pics Kent.
Plan endangered by political key of Venues Ataglance rundown. No =
Pressure am mtv Host Opinion Poll you in taking?
Has or protection is of copyright rights reserved of web am?
Overseas athletes get aid volleyball team. Athletes get or aid? Helen =
says she.
Goal Helmet or Kangaroo Pompom is Megaphone Baseball bat a.
Doctor quit Kylie.
Heraldthe Southland Baywest Coastotago bbc Other Sport. Says in she of =
spoken am to her Fijian Laisenia of.
------=_NextPart_001_000F_01C6FE4B.9E2FE8A0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"sentence" hspace=3D0=20
src=3D"cid:000d01c6fe43$3c6b80a0$9b727fd9@PABLO" align=3Dbaseline=20
border=3D0></FONT></DIV>
<DIV align=3Dcenter><FONT face=3DArial size=3D2>Problems dreamergbs a =
rising Reiss=20
Beckford in. Says in she of spoken am to her Fijian Laisenia of.<BR>The =
material=20
a this.<BR>Kylie plans concert or for nov. Back it finally turning=20
around.<BR>Kylie plans concert or for nov.<BR>Sister am Site Suggest =
Friend else=20
in end Join. Disability Ireland Scotland Wales.<BR>Version a About =
Homepage=20
London Guide fe Mobiles fun. Called out after shots a fired Westport =
Hamilton of=20
police or!<BR>Turns Mcalpine Volunteers rush help Highlights revealed =
of. Begun=20
when bought or Trustbank of Meridian pays govt is another.<BR>Links =
website=20
Committee bc? Key Venues Ataglance? Copyright is rights reserved of =
web.<BR>Help=20
Highlights revealed Progress is? Pack warnings unveiled Armed squad =
called out=20
of after shots.<BR>Scare at British High! Denies Londons plan endangered =
or?<BR>Problems dreamergbs a rising Reiss Beckford in. Bond fans Borat =
book=20
shelved over nude or pics Kent.<BR>Plan endangered by political key of =
Venues=20
Ataglance rundown. No Pressure am mtv Host Opinion Poll you in =
taking?<BR>Has or=20
protection is of copyright rights reserved of web am?<BR>Overseas =
athletes get=20
aid volleyball team. Athletes get or aid? Helen says she.<BR>Goal Helmet =
or=20
Kangaroo Pompom is Megaphone Baseball bat a.<BR>Doctor quit =
Kylie.<BR>Heraldthe=20
Southland Baywest Coastotago bbc Other Sport. Says in she of spoken am =
to her=20
Fijian Laisenia of.</FONT></DIV></BODY></HTML>
------=_NextPart_001_000F_01C6FE4B.9E2FE8A0--
------=_NextPart_000_000E_01C6FE4B.9E2FE8A0
Content-Type: image/gif;
name="Ataglance.gif"
Content-Transfer-Encoding: base64
Content-ID: <000d01c6fe43$3c6b80a0$9b727fd9@PABLO>
R0lGODlh1AEEAof2AAkAAIEAAACNAIeMAAAFhX8AjAV3e7TLwr3OxZvA8EcUAVwWAIUSAJoeALYU
ANMcAAgxBClAADU9BVJMAH9LAKpJBrtCANRLAAFlAB9cAE5TBGJWAH1cDpdTAMBaCudcAAB1Bidz
CDlxAVp3AIuHApl1AMJ/COl0AACjACOgBjmsAF2iAI2VCJOoAMufAOWTBQDOCSHEAEC8Am3DDn+/
A6y7AMrCAOvIAQbgCi3uAE3cCWDTAH7cAJLSALvpBuvgAAABRyIAOUUASl4AP4sAP64AS7cCSeUN
PAAeMRkrTUoeTFoSOYgcOJgmNswrTN8kRAA1PBZJPktAPWQzOoJJNadLQ81OSuY9PQBdQidoSjJR
PVlZRIltEaZTNrFkNuZlRwCBMhl7QTmHQFaBPXN+M5iJM7GOP+xzNwCiOCWsNDykS1aeTnuoNZeu
TbGuNOGoMQO6NR3KSkC3RGa0RofBTZTOP8a4Ou7CSwDhMxnUQE3gRGTmPHjqQZHoS7HnQubmPAAA
ih0OeTkFf1gHjXULcZ4AgbYGe+QIiwAodR8VfkgUilYZdn4fd6YhhLMdcdkWcwg+fxw2hDI0dF5I
f4xHi6I0jM08dNI+jgRncSpdgDlVf2RuhnJqepFSfLRSeOZhgQyMdhiHcjyCjm59dIuBjKqCe8F4
g+yGiwCdeRiag0uYfmOpdn2ZgaOpdbeth96bcQvEfynLdUa0jmi6i3XLip+/eLPMgNPFdQHedynV
fkPshF7ff3Xgi5HXdbrhgu7tgQAAxx0HvkYAwl0AzHULu5sKxccDsuIOzQoguSQXxEEXtG0uy3cS
ypYesscZwNksxQw0zSpCwjM7yFk0t4NGwqs2sbxLudY8zghmxiNsuT9ly1pXsnFcu6NpuchXs9Rn
uwRysRSEyEuJtlWFvoqEyaZ9zLJ8zt92tA2msxmmzT+utmiexXuetKufv7aUw9qcxQa4vxi+sTe6
uFXKyYDAyqSzyv//+JuSoH55if8AAAD/Av//AAUJ+P8I/wrw+fT//yH5BACqo1YALAAAAADUAQQC
Bwj/AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8eB9kKKHEmypMmTKFOqXMmypcuX
MGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMC/cjQA9OnUKNKnUq1qtWrWLNq3cq1q9evYMOK
Vai0rNmzaNOqXcvW7Ni3cOPKnUu3rl2Nxu7q3cu3r9+EbQMLHky4sOHDN/8qXqwRA+PHkCUinky5
suXLmHVG3sy5s+fPoEOLHk26tOnTqFOrJqtytevXUDPLbg27tu3buHPr3s177MrewHvPHi7zg/F/
xwl+QF5wufHnyaE7l/58YHXr0Jtn195ceXKBy5V3/xcv/jt47+HPk7eOnnp69vCRu3//nnl56gjp
bwePX/t19/Jdx59+9BkUnnTwEaegSA0dWJ9z3dWnXnz2YWdhhRU+yB1530VX3noT2meeiOl5yF6B
B6G4HoTjGfjhiQ1muOJCGkqIoYodHuiihhgGV9VvOqJYYogUugiiiDMqxKJ6PMo4ZItDCgkljESC
KGGURqZIJZIMLYkjjVpmeWOROkaYn0ALptlakBzCZ6ONFL45ZpVmbtnmeU/eieeL42FJZ4hX2vmn
k27GmKeMSobZ4pxyBgpneGoSFyOXlDqIYICK9rhnnCMWummfWzoK6qd6epkQgZcyF+iZn1q6H584
9v+HXnvVqUgpn26OCKePsa05YZmqFmlgk5qq+qp3WbJpJLDAYteksqM+uautTJJ56q/Vgsnkq7sO
S2eq2dZ5ZIdoRmruSJVie+i1cWq57qKILjmjn6NiG2yyhLJbpavE7hhql9sd2q27ivLYqJienquw
Pbea+m6m/TY77aIsEutwwe02Oya9EC9r7bX0Dhxvkg/J2258BiNM5MKYTfqgrXJauaF8RGocsYMX
8jezzD1GV6J+O4spKs/5vSwsvCZrjLDJNaP888kp82rVSrXujOp/x75p3qrg1kxgpsX23PPXS2u7
r9hHj0urruKeKKuzPiPo6NadcrsfpCxbJvXefPf/7dFvfgdOWt6RCm54aISrefjiTyXuOE2MRy75
5JRXbnlqgF+ueUOPd87TPwKEHrpAoo9OugAFoQ566QapTpDroKfOOkKzDwS76KunvnrpqPMO+0G4
2667773XntDtvNtuuvK30z768qQDH/zrybf+uu67L6+659yzxNDvvV+f+/XgYy9+7K6XL/v54Qs/
vvC/R0+99MrLDz/w57cOffyx25++/fh7HwABqL763c99/VMf/zY3l5Xwr3noI99C4ve//03weP2T
X/ui90DreRCBFuwgAmmXvwGqLoQKOWEGVxjAERJwhSgMYPdmiJLvtTCBMGThB0GYwQW6cHji22AE
/3foQhHG0Hw6RCIFsVfBCw5xgEQU4RM5+EMoMrCBrZle9o54QuhRz3cHPN0CfThFFfZwi8+7YRLN
mEAwQhCDzDOdAu+nRfexcYxeXGMYqcg87NHwjzCZXw7PyMI8LpGQgmRf8CyIQw3qMYot3OADjUdC
EhYQd5L04BErWcU7IjGR2wOkKDO3xyeysYSHrB4kmVg7T06xk5/0HyLZZ0NLxtKUmrSjE2G5xVvq
8h+jDGYNgSjBUpowl1bU4RxlmUMh/lCKL2Rk/siYRD4+k5lBLCYcr4nNZA5QmOAkSfkgCD5nFrCU
5tSfNh1ZSGeacJIGHCE0q/nCXz5SmuyMpzw/Kf9HJaJSfuEMKMOqp8pyitGQ1lMgJb94SvSlcX7E
Q+ME8whDNxLxoOnTYh0JaMiH6jOO+jPeOcs5vVAKVJhXTOlBTgpOlboUJCx13EtnSlOEdKCmOM2p
TnfK05769KdAjUtMh0rUorYEAUZNqlKXGpigOvWpG2GqVKdK1apa9apYRRdUt8rVrnr1q2ANq1g1
ktWymvWsaE2rWtfK1ra6NSZjjStX30rXus5Grnh1Kinzehe7/pGvgOXpXgOLRb8KlLB9NWz3GHKI
gjSWII8VSGQPQdnKVnYglpWsQSIrWct6lrKY/axoD8LZz0LWtKQFbWgde1rRclazr/1HYz3r2Mz/
1pa1oS0tbmurWtkidjO61S1sN3tbzPp2t8aF7EKEq1nlTra4sd3sZB/b2+YSN7nOJS5zX8td7nZ2
tcfFrnip+1vgGve5572ueNcb3vVGV7njZS164fte+CZ3tvZFbmzxK1/71ne4993tfBNC3vLW5TfP
HTB/8/ve/arXughhbnt9O+D0KiS6+JUwg7XLYez+l8LZvW6FSdtcxR42wfF1MHs7i9r8TvjBGl4w
hmXbYghbeMQQdu2LF9zey5I4vDwOsI3V+1icOMDEiivwcefr3RXv+MEv1q9tPTxkEF+YxOhtsIut
7NwpF9e/ABZwlDcMTCR3ziEy7rGXexxhKE/4/8Pb5a1qZwxnLAsZxh0O8ZhtnOUoo5jAyDWwUGmT
5ji7eMaBfvNyyWxdJd8Z0PTVs37zbOEq8znETQ6zm2Fq5mB+97TuPXRw3ZzpNoda0d21NKg/neof
D9nRjl5yoFvd2+ruGdGdRumlT11l26o4t1uedH+77OXRpjbGWmbvdGst4jW/ubS2VjVqi5zrUQpa
LtW29rXhkm3Cbfvbk+u2uMctmByQ+9xmBre6F4fudrt7sOuON6/eTe962/ve+M63vqst737723DA
+Ddu9k3wXAv84LspuMJNjPCGO1xyaXi4xCdO8b2oouIYz7jGN85xnZplDQsPuchHTvKSm/zkKP9/
HBZSHpSOu/zlMM9pWi7B8prb/OY1j7nOd87znvv850APutCHrhecG52oRE/6VY7+RwA43elMJ4nS
+fL0qgNg6liPytOzzvWfozsbUX9r18ce1bCbvaicOYlkTMJ1hm9G7RGBO9bVSvaJ8IMhdw9N3nta
9atcfSB/jws/Bn/3vf9j74MfiOEXT3iBED7xjy/84w8/+cYXpPGLp3ziFW95x0OeIIjvvONBv/nD
j14inY8850u/eslvPvOaZ/zrFX/6zf0m8FhxOuAvIveHnMTwpqe954Vf++CbHvjFNz7w84585iNe
+ckH/fBPj/ziPz/41V/I9a2fkOXTvvSFR8j/85kvfbovBPeA1/0/tq7+vguk/Vtf/+53//f62//q
6l9/4NH/Ee8Ln/zGF4DjdxD+F4DYZxDkl4DSl30HqIDiR3yjB3mp54DJt33VB4DEF34UeHnfZ4AM
GDkrwX/7J38kiH/z934kWIIpiILyh3smqIL1x4K95xBqZ3mRB4AYKIA2KHoFOHmaR4DUd3zS94Mc
2IAGOIQeeIARGIEFWHvbh4Q7OHtCSIQZSHkIWGZoxRAiSH8s+IIlqHsj2IIFsX/3p4ItGH9XEX7/
Z4NICH0XWIRJ+IbKp4YVWIShd4RVuIBOGHtH2IMQqBB0GIhN6IN0GH2Uc3tjyIUwqIheGIPo/+eC
ixiJ8zeDnMN2HXiJSwiBA3iFUGiHnJh5T1iHAmiIoxiEbtiGech9cIiJheh/haiEo2d+Whh/tNiF
+pd/7HeCWzh/uWiGtRgVhKiH34d5xPh6PpiEnod5mvh5wwh+oveDsMeHf8iD0AeN4sd6HsiG0hiM
zbiJqfiBXMV/Wuhw4Gga5bhV4qgQ6ehv5yga7Xg4ZxePg6EMRFF39niP+JiP+hgW8tiP/jgSKfCP
I7ePBFmQBtkVwnCQCrmQLyeQDvmQEElyriF3lDhTETkTE2mJWCh1HneRcLUaFKmRGpEPPkKS5eKR
WqWOaHiCuWGSA+GSApEPMlkQMPkPNQmTJP8pkzNpEC65kzbZkzz5kkKpkzNJlAjhkzX5k0A5lEaZ
kzHpcyHIkqMRkiWhlCbpkzT5kjgZlEMplASxk1dpk0+ZlGL5lGOZlWZJk0vplWWJlGXZlU+JkjAx
giZYhvonlUWnkSfhlF95lGfJloDJl2/plWFZmH7plGHZl4DZlmk5mGLJl4L5l2IplymZEHTpiAQR
gytIGljpmD9plluJlpKZlD1Zmo9Jmo/ZljrZmDcJmooJl4i5mqnZmEnnfnSZmSuJGlhJlqcpm565
lUbJlYn5l62JmLQZmloJlq85mpE5m545dI+oiCyIl6MhmGs5mMgZmM9JmKzJmH1pnI55ndj/GZ7c
CZcJwZtBF51dCH+aWRrBqZRj2ZnZmZzDyZNgiZydmZaluZrvqZ3v6ZvA2ZRviZ4MaRoE+hAHehsJ
WqDVOZIl6XWUGaGUwaAUWqFtJ6EYahgWuqEc2qEeKnEZGqKD8aEkWqIzRQAHJqIquhYmeqEpQRUV
6RkrKotREaOdMaNSxRTrOJ0tamC3l5vqeH4FYaNi0Xe2mZnvt3Vm9gsPuaOWKaQEQaRgoZ5nKJ0n
iaNJNY5IioLsd39kqJlOShdUWpdc2qOf8aO36Ysp2IhmKKVTyp5g+oV/h6VntaUvGKdpKoZRKpJ1
waZkmIh0alZ2qqZ6Wqh3eqWV2adruoLR/xmoSYUHKuF+04mnaPiLc8qncGGbv8il8eeoRkURYWqm
MReqovpv8FYabrqnnkpXGVmVvreqWZURpFqq3xaCQEqdCGF1FTGrFQF36tmpsPpWYcqrmykRxDoR
aqepgBqsV6WlB6Gsi5qI6Vemt2h/ScqjUuGF2HqstAoatAiGLImZBrGF7ceI0VoV+Tep3NqtfpE5
Y5qk4iqt8Hqu+NeLveKq6dqozGpVD/GuePqsvEivjIqrUMGmW8qusHGrmhqG44qb2rqwtoiulQqG
6YqwoHGqDrGu8jo1lhiq+9pWu3oRtzoVvlqJH0ujHJGqYKGyN3qyn2OxEPqiH8GyXkGzb/9nLlpw
diPbnjSIqdhmEuAwEEELDkRLtP9QtEKbtARRtEPLtEdrtEsLtUe7tEKLtFULtUGbtFk7tUHrsj0x
BynBswS7EDbLFSextUNbEFmLtlNLtQbBtm0bt2sLt1urtlrrtmk7tV67E1r6p3dZr7i4qZ7BtnXb
toRrt2+rtGtrt3mbtwdxuIpruGAhAlMHpIeap2LbGY1rtVartGortXIrtYXbuFwrEJ37tFjrtnJb
qsEQlS4IroZ6rojKIIlVlaRLtaOrEHBbuqbLuFUbt8ALub07vHq7t0URp3rqpwG7kYlaWFJ3u5Hr
uY/ruYtLvNU7vLu7unWbvcxrvEARhrX/aLBH2r0hkZeuirZOu7uFi7rbS71XK73oC7pOa7qny7be
ixNUobEwK3Aju7/++7/Acb8CPMARCqkEfMBGAcAK/FuOUaAI/MAQbLwLHHMRfL8TDHMVXHObkMEc
3MEe/MEgHML7esEkDBpdUMIo7KFhBw8i3MIu7KopHMMybDgvbFijUMM00Qc4bBMz3MM+/MNAHMRC
PMR+s8OBSsQIlxT3YMQlh8QHx8RY+lSf4MT3OkxUTFbpdsVavMWM8RsU8MUU8A9gHMZiTBBkPMZm
/MUCgcYFgcZjHMZvLMZurMZkvMYDwcZrrMZ5DMZ3XMd47MdpzMd7bBB6LMd9fMeIHMeB/wzHbmzG
ZZzIjszHdfzIclzIh2zHkIzIg4zJdjzJfizJc3zIcezJlazHjdxpDDHJlMzImXwQZ5wQqqzKnDzL
ZwzIlNzGmCzLhszJgKzLpDzLuxzMhfzKt+zIhKzJndzLtlzLmqzLlyzM0LzKtBzNsdzGn1zMw4zM
1dxTK7HNZQzHnQzLwIzM5FzOvwzO3yzOjyzLxHzOxczLuAzJ6NzO0uzK9jzN85zO6xzO+owQ9PzK
+VzNpBzQxxzJ6SzQ8AzMYfxulbzH/7zJxtzQxgzKluzN+3zQEC3RpdzM0zzOCU3O4JzP6+zJghzI
ET3Q4QzQuZzSGX3RKv3SuIzSGG3Npv+M0Wys0rRc06j8EOjcz5aMzQWNz/cM0rzc07fc0+wsyL/8
zh/d0e2s1PWsELZ81KuM1PScx1S9yEVd1UAt04bMzvGM09o81QY9Vkid1eYc1PDsy/G80hzt1Apd
1mjd1lHt1kYt0s580kTt1S490UTdyv180YId2MSc1vts0WRdzrlxBRybEjcN1Ylc0oOMx1qtyEA9
2Sct2cosyZEs2UyNzT/d1XLNyJqt2VpN1QNNx5ld0XJN2H1M0jU91nTcyJ3N2dr82q/M0FzMe1m8
2779285btsBtsms13Ai32bNN0d481cP8x7adzHeN23oN0amd1CWdzUX9ydpdyqRd0XP/HN1Y3dEb
fd2J/dHd3d3Srdznvcjb3dKoTdv1DN9X1M1ubdhozdyITddP/db2zNxCfdnWfNvx3dTlPc7MvNXh
Pdg5rdhRbdTSDNYCrtYJXdgJ7uD+Xc25dtYR3dQ2zd91Ddf67OAxHdcybdF2Ddgh/tefDeF4vdJi
Pd0UbtAifdsQzuH2zc8IHdgsHeMLDbIL4d2mDNmireFLbd2QDdMaHeH8DN2EfNNrTeKsLdux7OSH
feIz3dZXfcwh7dBcTt2rPeXPzeRh/c3XfeVCzlMabs6e3eFdbuPuzNVLreSuLeJGnskIHecF/s6F
HeSx/dVDTeVanuLT7eF5buJbjuV0/37lKB4WJnAaWR7X/jzTRb7hWU3he67Wy1zWhu7X/i3Ykz7U
hI7afj3mi77jkH7Zny7hAw7gOs7mlD7fKoHc653XDT7oXF7d973mYH7aZJ3fCo3dZI7fpm3SfA3e
463akR3awp7ctcznUh7nr63k1Q3s2p3bPm7cPkob2I7FbLXt3m4VEQB0mlBTEfftjMPEAICjdLEE
GFexnwEE5v4Z+hvvPOXuQQfF+J7v+r7v/N7v/v7v9B5Y/y6hAV/wBt+rA5/wCm9YB9/wDv/wEB/x
ryobfLDw3S7xGJ/xGv8YrPAYFu+RGx/y3qqrSQfBVmd1Hx91VZfyLN/yLm8uIh/zMv8/84eo7X/x
8mXVxTiPdjT/U1E5qQM7r2MIp0NPseXKi116qTs/VM6ap2ZYrJm7rfTn9Afb83SBiGQ6sFQasQ17
sFmvrUi69Eg3jl+vq1u/pu7+rUd/p/lq9bVbQ2TKs2B/9sVKrYb6q5wm9lMlhoe6vFDf9Q3r9HSv
91UF9Dz6peNq9I+o9nJfrSdI+FSl85AfUG5f+UQ8+Zif+Zq/+ZyPb3y1oJYf+rzR+aSfb2Zw+g45
wad/+gVZDfm4+qzfkPgO+6sq+rxN+bb/VTua9VYx72K6sVVvEbtf74GDpmCfiMc/qA3Rv9gK+GOb
fsfq+8F//MOfsUEKpcBPGrxa/Tv/elLO2vxImvx+//25iv3G6hV0D/7PH/zZ71JRzziLH7hlKqnw
d5f2P/fw+qV+SrF8f623CBD/BAoEQBDAwYEHCw5M+E8hQ4cLEz502FDhwoIYEWZsOLGixokII4aU
GDEjRpMoL5KESNHlRo0iR6Yk2NEjTYMiZa48uZNizZUMYfqEWNToUaRJlS5l2tTpUZc2P04FWrXi
1ZNFUVql2hUkVY5aa3I1GrasUItpq5rFerWjTK5hzZbcylGiXbVu9d5t6xUt365j57qlS9gv4Lho
DW992tjxY8iRzwJ+iBdoZcGYxS7OW3fsx6gtP7PdXDKn4sNp2aoUvXejRc17Bafm/4tYtlXWmQcH
pln77eu1nf9KZdzTtGTkyZVHHsy6uWLGet8KRyw3r9S+vAt/zs45seXZpot/R73duWrhxNXmBmtY
e3nvz31z3z2b7HL8+fW3DI31tfGQ7IstQMpeGioxkxIk8LfoeuKPrp94iiom90SDMCYKcRKQNgbF
00mn8CIErkKhRsTwtN7cCwrB9H7a70UYY5RxRhobOy65G2uULEeneETKR6V8BJI7HYs0Uil7klRy
ySSPdPLJH/UbEkqo4IJsStSecrFEILdUjkkwwxRzTDLLNPNMNMWkck0223TzTTjjlBM/M+e08048
84QzTT779PNPQAHVc0c4sVwuR/9DiTTSyvwSHfRRSK+0UFEptaQUR0uXiu5SRx3tMUimPMVuv02h
ivRUiOqstMZERf30VVBNPStTUmON0VVYIwt0V1579ZXMUO/60ETQ7JJrWB5BLLYuEL8CzsDjkGVp
WgU/zAkkZx/MNjPdrj2NKJysNJBAlUTErcEJUVyx2ZGchQtAVB9VNbD5pprvOUqZHe0w8dqq90Z8
b0vN3/WGs8m69uylLjzy4OuX4Htnuq628SJW1rpoDft1Y447TjPY1RYmeGDpvJ3Jt3oTZK++b9Pb
997YEB6QYnZT/LcvAFP2bjqFLxtRZYcPXixmnzdlOV6kR3554ZVVzPJk9BDE2GX/pVm+ucGC2dsZ
N4MH1lpnsBlOmTKB6wvY6YypThrpccPFTLNjx5MO7nDV5fJcuRfU7UJhC9wt7rnbdg3wunEmNnCj
xWZw8MHRPbHl9Q5Ue+0457V11VAhxdXNze00tPOnPBZ9dNLLbAp0TB9FncrVC811xtJjl310ymu3
/XZIZ9d9dzBx9/134NfkffjdVZf09taf5hw5RpPXdD/io+f1dEZHrfIm5kvWiqc8P2/00rJ8ErH6
05PqsrUpt5vUfG21dz74peq0TfnrDVKuVetdLx+/UmUVWHvHCOly3YlS/gCoHvoBSXoL/NPzupYV
qBXGMtCaVrokNisNNW9Y33rc/8n6AyGw9M1dHuqg/db1MKGBrzLCCg5hvhIgBbXLXFmCFwTFpz77
eTCHXoJfcszUr4iBZlLgCZh86LcvriEwYVZDG/qAmLXN+IVnCSNSdQqItZopbWnQKZh6UMawKiqr
i2ZhYBk/NkB8cQ99DSPZBMlXIXjRZ4wqOhxpHDc0MW7xNjTDIRyv2K2+sQSFdnyZiyQYNTUCcC7P
6k8PFzVFhCnKM1djGs6iqDM5JjGNTeQiGHlTNhJVzH84RBQY/5ZJoT0Mk7L5IignY8ooOrJIhgzN
gKpot73ZLUNpoyMJcVku8flRLBcy2Qp9SSIpemlLJDQPIFPYyGoNc3FcEqV/Sv+4rl9KTpbbxGD3
AshNcIYzXpZbEw89ZyNxprNIZmSn6dT5TnjGU57zpGc97XlPcg5Qn9mb0fle1E6ABlSgAwXo9xyY
vk+974jYkVAeS3hPiEa0Kflk30Eztz8Z+fOWl7kOQwj6UZCGVKS642MFvxZHcblRkBmkZXNgYrJo
MhSRABxpTW3KwG/c1E8ObKO/VNlFbj2wp17cECXvVjjCSVSpSz1eTxMJSQ11h2hFbM0S2UgakV3w
gEzlqj1/mNWQrfE+9qnaULnoGaeaamxr1Glb3frWmqYol0CTZre6Vq23deioTlsWDPlWzL9E6B9w
JWxhDUs6dQqwq4tlLJUoyrb/N26VTYelbGUt26fGZlazm13OZT37WdCGVrSjJW1pTXta1I5uGall
bWtdGzvOxla2s03Ka217W9zmVre75W1vD0tb4AZXuMMlbnGNe1zkJjd3vmVuc50LUuVGV7qOfG51
rWvdYRBvutvlru2u+13whtdjSqFCd82Lu4tE1qviZW97mZTe9LL3vPNN2oqE61785le/TaJvf/37
pv0GWMADJnCBDTza/yY4tr3ohYId/GAYMRjCE6YwciRcYQxnuCkN1nCHPQyRC+OuTsQgMTH+UWIT
n5ghKUbxikkskBYPJMYwfrGMS3ziFt84xTC2cY17bGIUA3nFKpYxkXms4yHT/9jHP7Zxj41M5Bnj
GMlHzrGPd7xjKWMZx0U+8mAP7CcGf3YpWr7ylrt8FBajmctlfjKXeWxmKKu5KGymcpGt/OY7tznJ
EFkyi8usZTe/WcVkFrSQ94zlPsfZwRwOnpkI3eU0A3rNch40n/X85Eif2SiSpnOlM53mOGea0klm
s6ENPWdLaxrPdk71qo1sai9/ObdMuXGWV+1nQF95ya9uM673rGgh+9rFiA40rI3t6mArmdQ1BjWw
obzrGZu61rUOtKCd7WZJf/hUljt1tx9dbUxPu9WFJnWTib1pbA9Z168G9brPbW1cl7rJv861oln9
a3gr+d0mlvV31X1va/ca1f/g7jS5J33wS/M638Q+d7Pt/e1TXzvg7773oylu8H2nqt+4HfO0xW1n
ais7ypemdpR1HfGTIzrkKmf2v0GOcibzecpUhvnIg4ztHKdb5nk2eMIHMohBELcGVFoAlB6rbaSB
CehA37hukS5ieyx9EE1P7dOtfnWsZ/28Rx9ututJddY2pco6HrmUiz3sFzOc2SFX9sJNfmie/3nY
WZb2ruGs8nmbnck3//HJdz5wF/ed7j7XOoBN9218Y7zgCkc2Ukot903L29W8Rjzk0dxpKzfb4eDO
d88RT+NWExrsva034KudbD1jfvLj9rSqXR7xUFda4Kd3/OqTDXvYB1znAO//PMIZz+PRo3bMIl+5
6WWf+5S3vO20/zTbP53q20888WyXeOtxv/yEF/z6tMd0zL1eeDc52uWsF/i6Q1/ucRPa3ZROO/Rb
P3vdn/7jjf/84nvu+ou/XfrBPy2tec95ydM91Uu98+u+bGu4dEM90/M6ioM5iSu97Du03es9xvs+
8JMTVRk7nvs7Crw/IEs76tM7A9S/QoO2CSy5nas8W4O4zEs0dJs7GES77itBJOM/07pAHMxBHdxB
HuxBH/xBIMRBrhu+IHQKG8Qvm9vAYDM5jys+wbs5votBtZu5wZtCfZszJRw8J7M1mQO8P2s/3vtA
siuzI2wuIqxA0NM0CMy9/w7ktBe0NzQswMZjvzSUvRf8Prujs3b7wv9rtyIEHoazNFibvv87u8Qj
wPGLQwk8uAMUxNiTMwYUwPd7RNTbvs37w9oJxNeDP+9zPhnUQkQMwwmkwfnzxE0UwzXMQ0lUQD88
thhDQUxcLjLRRIAzwfNrRO4jP/VbxFBEwPRzRNCLRNYru+ibPDDcsl0EPht0gvbSQ9/7PMobNWgk
uWfkvBOUxEWkReObQeljxYVLRDgsQ+bqOGjLwulrwj4bw2M8RBHkwvvzQLMrOxGcwnRExV+UQyqs
uZxzvVjEkyHsR+QQRyYZAY4DSINUqn88SCQRyP1SSMlgSOtySIlsrBZMuf/IA0Hlw7OVizZVpMGz
oz7ns8jAwz4ppLd9VDUxXMAthEELnEhUibt3hLi7I7yMA0aF00SLG8nfy7M1rMOeFMXN40lrZEOX
nJMRsz1uhL9KpMlcPLNkdEr3m8M5DEpHvETVw0lg3D5HhEj9qj4H3MJXdEq7+71etMlBy0MXdDg/
bMdu5Mfk08fSU0Bs5DeudC5amz87jEDLs0VexMby+7d6Yzm1vMK8bMs6vMZATEVOJEtw6gcepEXN
qz3LW0xudEOdw0r0g8xvLMukhEfMNETtK0pUEb+XE8lPDMvSfEOSlD/BhEeUdEfN5MDO3EnCHECP
TEEVq0v8Es3QkZ4M0E3/wuJNIwRO3xJO49RBXThO5VxO5mxO53xO6DxO4pxO6qxO67xOxIpO7dxO
7qQt7PxO8FSS7hxPDAxP8zxP9ExP9VxP9mxP93xP+IxP+ZxP+qxP/iJP/Jws+9xP/uxP//xPAGXP
/BxQAi3QcApQBE1QBV3QQDFQB60RBo3QgnxQCv0nCb1QDM3Q/qxQDtUPDf1QEA1R9exQEv0SET1R
FE3RuuSuTyhRzVJRGI1RGd24pYIEF/UvNphRHQ2pG+3RxthRIA1SIa0uHy1SIz1SJE1SOpnPGxhS
J31SGlVSKZ1SJYVSKx0eKs1SGDEELe1SL+3HK0UtQQhTMlXRLz1TNE1TJjV1yTJtU9FZUxJ1Uzmd
UzqtUzu9UzzNUz2dUDjtUz9dkyRIsIAAADs=
------=_NextPart_000_000E_01C6FE4B.9E2FE8A0--
- close of last call for 3280bis Stephen Kent
- Wanted - presentations for the PKIX meeting Stefan Santesson
- WG Last Call Comment for 3280bis Russ Housley
- RE: WG Last Call Comment for 3280bis Michael Myers
- Re: WG Last Call Comment for 3280bis David A. Cooper
- Re: WG Last Call Comment for 3280bis Stephen Kent
- Re: WG Last Call Comment for 3280bis Wen-Cheng Wang
- Re: WG Last Call Comment for 3280bis David A. Cooper
- Re: WG Last Call Comment for 3280bis Stephen Farrell
- Re: WG Last Call Comment for 3280bis David A. Cooper
- Re: WG Last Call Comment for 3280bis Stephen Farrell
- Re: WG Last Call Comment for 3280bis Stephen Kent