RE: SCVP-15
"Michael Myers" <mmyers@fastq.com> Sat, 31 July 2004 16:10 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA03754 for <pkix-archive@lists.ietf.org>; Sat, 31 Jul 2004 12:10:17 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6VF8K4O074524; Sat, 31 Jul 2004 08:08:20 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6VF8KM3074523; Sat, 31 Jul 2004 08:08:20 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6VF8JfJ074517 for <ietf-pkix@imc.org>; Sat, 31 Jul 2004 08:08:19 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-106.fastq.com [65.39.92.106]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6VF8I892619; Sat, 31 Jul 2004 08:08:18 -0700 (MST) (envelope-from mmyers@fastq.com)
From: Michael Myers <mmyers@fastq.com>
To: Trevor Freeman <trevorf@exchange.microsoft.com>, ietf-pkix@imc.org
Subject: RE: SCVP-15
Date: Sat, 31 Jul 2004 08:07:31 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDMECFDOAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
In-Reply-To: <A24D60A1195E4549960ED2B9D28786724D62F5@DF-SEADOG-MSG.exchange.corp.microsoft.com>
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit
3379's definitions work well for 3379, but I think the document should
say that with respect to 3379, "DPD" in this document (i.e. SCVP) means
a request where:
1. certChecks contains at most id-stc-build-pkc-path; AND
2. wantBack contains at most either one or both of
{id-swb-pkc-cert-path, id-swb-pkc-revocation-info}.
while "DPV" means a request that includes any of the other values
defined for use in these two elements.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Trevor Freeman
Sent: Friday, July 30, 2004 10:38 PM
To: Michael Myers; ietf-pkix@imc.org
Subject: RE: SCVP-15
Hi Mike,
Sorry for the slow response but I am on vacation so am not reading mail
as frequently as normal. I agree with your point on needing clear
definitions for DPD and DPV but I think the ones provided in 3379 are
adequate. That would simply require adding references to sections 2 and
3 of the RFC.
Do you agree?
Trevor
* -----Original Message-----
* From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]
* On Behalf Of Michael Myers
* Sent: Thursday, July 22, 2004 11:43 AM
* To: ietf-pkix@imc.org
* Subject: Re: SCVP-15
*
*
* Trevor,
*
* Section 3.2.10, extracted below, is a good step forward to closure on
* the issue. Given its definition as a BOOLEAN in Query syntax, I am
* comfortable with its default to TRUE.
*
* The second paragraph however needs an implementable definition of DPD
* vice DPV with respect to SCVP ASN.1 in order to assert that that a
* request is in error if it asks for a validation assertion in the
context
* of signResponse set to FALSE.
*
* Mike
*
*
*
*
* 3.2.10 signResponse
*
* The signResponse specifies if the client requires the server to
* sign a response to the validation request. If the client is
* performing full chain validation on the response and it is not
* concerned about the authenticity of the source of the data, then
* the client does not benefit from the signature on the response in
* which case it can indicate to the server that the signature is
* unnecessary via the signResponse value.
*
* SCVP clients that support DPD MUST support setting this value to
* FALSE. Since DPV responses must be signed, DPV only SCVP clients
* MUST NOT to support this value. SCVP servers SHOULD support
* returning unsigned responses. It is a local policy decision on the
* part of the server to return signed or unsigned responses if this
* value is set to FALSE.
*
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6VF8K4O074524; Sat, 31 Jul 2004 08:08:20 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6VF8KM3074523; Sat, 31 Jul 2004 08:08:20 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6VF8JfJ074517 for <ietf-pkix@imc.org>; Sat, 31 Jul 2004 08:08:19 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-106.fastq.com [65.39.92.106]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6VF8I892619; Sat, 31 Jul 2004 08:08:18 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Trevor Freeman" <trevorf@exchange.microsoft.com>, <ietf-pkix@imc.org>
Subject: RE: SCVP-15
Date: Sat, 31 Jul 2004 08:07:31 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDMECFDOAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
In-Reply-To: <A24D60A1195E4549960ED2B9D28786724D62F5@DF-SEADOG-MSG.exchange.corp.microsoft.com>
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
3379's definitions work well for 3379, but I think the document should
say that with respect to 3379, "DPD" in this document (i.e. SCVP) means
a request where:
1. certChecks contains at most id-stc-build-pkc-path; AND
2. wantBack contains at most either one or both of
{id-swb-pkc-cert-path, id-swb-pkc-revocation-info}.
while "DPV" means a request that includes any of the other values
defined for use in these two elements.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Trevor Freeman
Sent: Friday, July 30, 2004 10:38 PM
To: Michael Myers; ietf-pkix@imc.org
Subject: RE: SCVP-15
Hi Mike,
Sorry for the slow response but I am on vacation so am not reading mail
as frequently as normal. I agree with your point on needing clear
definitions for DPD and DPV but I think the ones provided in 3379 are
adequate. That would simply require adding references to sections 2 and
3 of the RFC.
Do you agree?
Trevor
* -----Original Message-----
* From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]
* On Behalf Of Michael Myers
* Sent: Thursday, July 22, 2004 11:43 AM
* To: ietf-pkix@imc.org
* Subject: Re: SCVP-15
*
*
* Trevor,
*
* Section 3.2.10, extracted below, is a good step forward to closure on
* the issue. Given its definition as a BOOLEAN in Query syntax, I am
* comfortable with its default to TRUE.
*
* The second paragraph however needs an implementable definition of DPD
* vice DPV with respect to SCVP ASN.1 in order to assert that that a
* request is in error if it asks for a validation assertion in the
context
* of signResponse set to FALSE.
*
* Mike
*
*
*
*
* 3.2.10 signResponse
*
* The signResponse specifies if the client requires the server to
* sign a response to the validation request. If the client is
* performing full chain validation on the response and it is not
* concerned about the authenticity of the source of the data, then
* the client does not benefit from the signature on the response in
* which case it can indicate to the server that the signature is
* unnecessary via the signResponse value.
*
* SCVP clients that support DPD MUST support setting this value to
* FALSE. Since DPV responses must be signed, DPV only SCVP clients
* MUST NOT to support this value. SCVP servers SHOULD support
* returning unsigned responses. It is a local policy decision on the
* part of the server to return signed or unsigned responses if this
* value is set to FALSE.
*
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6V8EcFW004596; Sat, 31 Jul 2004 01:14:38 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6V8EcWo004595; Sat, 31 Jul 2004 01:14:38 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from exchange.microsoft.com (exchange.microsoft.com [131.107.8.3] (may be forged)) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6V8Ebjx004586 for <ietf-pkix@imc.org>; Sat, 31 Jul 2004 01:14:37 -0700 (PDT) (envelope-from trevorf@microsoft.com)
Received: from DF-VRS-01.redmond.corp.microsoft.com ([157.54.4.14]) by exchange.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069); Sat, 31 Jul 2004 01:14:37 -0700
Received: from 10.197.0.83 by DF-VRS-01.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Sat, 31 Jul 2004 01:14:37 -0700
Received: from df-fido-msg.exchange.corp.microsoft.com ([157.54.6.241]) by DF-BEG.mercury.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 31 Jul 2004 01:14:37 -0700
Received: from DF-SEADOG-MSG.exchange.corp.microsoft.com ([157.54.6.247]) by df-fido-msg.exchange.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Sat, 31 Jul 2004 01:14:22 -0700
Content-class: urn:content-classes:message
Subject: RE: Comments on draft-ietf-pkix-scvp-15.txt
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Date: Sat, 31 Jul 2004 01:14:39 -0700
Message-ID: <A24D60A1195E4549960ED2B9D28786724D62F7@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Comments on draft-ietf-pkix-scvp-15.txt
thread-index: AcR0y61O5+JpFJqhSoqtt96FZBiJaAB9Sekw
From: "Trevor Freeman" <trevorf@exchange.microsoft.com>
To: "Denis Pinkas" <Denis.Pinkas@bull.net>
Cc: "pkix" <ietf-pkix@imc.org>
X-OriginalArrivalTime: 31 Jul 2004 08:14:22.0556 (UTC) FILETIME=[62C7D9C0:01C476D6]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6V8Ebjx004588
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hi Denis,
Sorry for the delayed response but I am on vacation. Comments below.
Trevor
* -----Original Message-----
* From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]
* On Behalf Of Denis Pinkas
* Sent: Wednesday, July 28, 2004 10:10 AM
* To: pkix
* Subject: Comments on draft-ietf-pkix-scvp-15.txt
*
*
* Comments on draft-ietf-pkix-scvp-15.txt
* Simple Certificate Validation Protocol (SCVP) alias
* Complex Certificate Validation Protocol (CCVP).
*
* 1. The abstract is still omitting to use the term "validation policy".
A
* certificate can only be valid according to a validation policy. A
* certification
* path can only be constructed according to a validation policy.
*
* The current abstract is:
*
* SCVP allows a client to offload certificate handling to a server.
* The server can provide the client with a variety of valuable
* information about the certificate, such as whether the certificate
* is valid, a certification path to a trust anchor, and revocation
* status. SCVP has many purposes, including simplifying client
* implementations and allowing companies to centralize trust and
* policy management.
*
* Change the abstract into:
*
* SCVP allows a client to offload certificate handling to a server.
* The server can provide the client with a variety of valuable
* information about the certificate, such as whether the certificate
* is valid according to a validation policy, a certification path to
* one of the trust anchors from a validation policy, and revocation
* status of every element from a certification path. SCVP has many
* purposes, including simplifying client implementations and allowing
* companies to centralize trust and policy management.
[TF] How about
SCVP allows a client to offload certificate handling to a server. The
server can provide the client with a variety of valuable information
about the certificate, such as whether the certificate is valid
according to a validation policy i.e. a certification path to one of the
policies trust anchors, and revocation status of every element from a
certification path conforms to the policy requirements. SCVP has many
purposes, including simplifying client implementations and allowing
companies to centralize trust and policy management.
*
* 2. Section 1. Introduction
*
* Some text in this section is incorrect.
*
* " The first class of application wants just two things. First, they
* want confirmation that the public key belongs to the identity named
* in the certificate. Second, they want to know if the public key
* can be used for the intended purpose. The client completely
* delegates certification path construction and validation to the
* SCVP server".
*
* The rational of the first sentence has noting to do with the second
* sentence.
* Simply looking at the content of the certificate allows to answer the
two
* questions. There is no need to use a server to get that information.
[TF] I disagree that they are unrelated. It is perfectly legitimate to
ask the serve to check aspects of the certificate since this is a minor
increment to the path validation.
*
*
* 3. In section 1.3 Validation Policies the text states:
*
* " In SCVP, a validation policy can be explicitly expressed by passing
* all the parameters in the request where the request comprises of a
* validation algorithm for certificate path processing and the input
* parameters to the algorithm. Alternatively a validation policy can
* be indirectly referenced by a mutually agreed value such as an OID
* or URL where the value indicates either are a partial or full set
* of parameters necessary to complete the validation."
*
* The two alternatives should be at the same level, or emphasis should
* even be
* placed on the second alternative.
[TF] you comments makes no sense to me. Can you rephrase.
*
* In order to support thing clients, it is necessary to be able to
simply
* use an
* OID
[TF] I disagree that it is necessary for this clients to use an OID.
Untimely is a deployment and implementation decision.
(forget about instable / temporary URLs) which either tells
* everything to
* the server, or if no OID is being used by the client, an OID supplied
by
* the
* server which tells every to the client.
[TF] OIDs are supported in SCVP15 so I don't understand you point.
*
* Note: URNs could be used, but not URLs.
[TF] URLs are easier and simpler.
*
* There is a major difference between a validation policy and a
validation
* algorithm. A validation policy is a set of rules which includes many
* algorithms
* and their associated parameters.
*
* ValidationAlg is currently defined as:
*
* ValidationAlg ::= SEQUENCE {
* valAlgId OBJECT IDENTIFIER,
* parameters ANY DEFINED BY valAlgId OPTIONAL }
*
* A parameter, called validationPol should be introduced in the query to
* allow the
* use of a simple OID to reference a full policy or to define a
validation
* policy,
[TF] ValidationPolRef allows the use of a simple OID as you describe.
THE request support all common parameters required by pkix and is
extensible. Is there a requirement in 3379 that SCVP 15 does not
support?
* i.e. first a validation algorithm compliant with [PKIX-1] section 6.1
* coming
* with its associated parameters and additional algorithms coming with
their
* associated parameters.
[TF] I missed making validationAlg optional. Once that is corrected I
don't see an issue that requires making the other changes to Validation
policy you discuss..
*
* ValidationPol should be defined as :
*
* ValidationPol ::= CHOICE {
* valPolRef OBJECT IDENTIFIER,
* valPolDef ValPolRef }
*
* ValPolDef ::= SEQUENCE {
* valPolId OBJECT IDENTIFIER,
* parameters ANY DEFINED BY valPolId OPTIONAL }
*
* When using valPolRef, all algorithms and parameters are fixed.
* When using valPolDef, some parameters may be dynamic.
*
* The current structure of ValPolicy defined in section 4.11 on page 38,
* would be
* used for the parameters of a specific validation policy defined in
this
* document, i.e. id-svp-defaultValAlg OBJECT IDENTIFIER ::= { id-svp 1 }
*
* The text should thus not state:
*
* "When the id-svp-defaultValAlg appears as an valAlgId, the
* parameters MUST be absent."
[TF] Given that all parameters assonated with the default policy can be
expressed elsewhere in the request this is appropriate. As a general
principal since the validation policy is a deployment specific decision,
I don't see how you proposal is workable. Clients cannot be expected to
support any arbitrary set of parameters in order to implement a given
deployment.
*
* The parameters for the default validation policy shall be the
parameters
* of
* ValPolDef. The overall structure of the request would be greatly
* simplified.
*
* Note also that the ValidationAlg parameter has been omitted to be
* described at
* the right place, i.e. in sequence after section 3.2.4, but is
described in
* section 3.2.12 as:
*
* 3.2.12 validationAlg
*
* The validationAlg item, defines the validation algorithm to be used
* by the SCVP server during certificate validation. The value of
* this item can be determined by agreement between the client and the
* server, and is represented as an object identifier. The server
* might want to assign additional object identifiers that indicate
* that some settings are used in addition to others given in the
* request. In this way, the validation algorithm object identifier
* can be a shorthand for some SCVP options, but not others.
*
* The validationAlg item uses the ValidationAlg type, which has the
* following syntax:
*
* ValidationAlg ::= SEQUENCE {
* valAlgId OBJECT IDENTIFIER,
* parameters ANY DEFINED BY valAlgId OPTIONAL }
*
* Path processing is only one of the many checks that can be done, since
* many
* additional checks about the content of the certificate can be done in
* addition
* to the certificate path processing algorithm defined by [PKIX-1] in
* section
* 6.1.1.
*
* It is thus inappropriate to limit in general the parameters to those
of
* section
* 6.1.1., thus why all parameters associated with a given validation
* algorithm
[TF] SCVP does not limit the parameters to the path processing
parameters. However since those parameters are a common set of
parameters it standardized their use so they can be reused across
multiple validation policies or validation algorithms use while leaving
room for other to be defined.
* shall always be included in the parameters of ValPolDef.
*
* The text also states:
*
* "The SCVP server can assign validation algorithm object identifiers
* which indicate that some predefined settings are used in addition
* to values provided in the SCVP request."
[TF] This is true for both the policy and algorithm so this needs to be
expanded to include both in the text.
*
* Why this ? If the client specifies a validation policy either the
server
* supports it or returns an error. If the client does not specify a
* validation
* policy in its request, then the server has to return the default
* validation
* policy which it has been used (and which may have nothing to do with
the
* so-
* called default validation policy defined in section 3.2.12.1.)
*
* The following text extracted from the document, highlights the
confusion
* between
* a validation policy and a validation algorithm.
*
* " For a certification path to be considered valid under a particular
* validation policy, it MUST be a valid certification path as defined
* in [PKIX-1] and all validation policy constraints that apply to the
* certification path MUST be verified. Applications MAY place
* additional requirements on the validation algorithm."
[TF] I don't see that as a problem. In the example validation algorithm
given a application such as an email client can be configured to use a
specific validation algorithm because it always wants the name
comparison to be performed. That is totally independent of broader the
validation policy
*
*
* 4. In section 3 Validation Request, the text states:
*
* " All SCVP clients MUST support SignedData for signed requests and
* responses."
*
* For certification path discovery signed responses are not necessary,
nor
* are
* signed requests necessary. For certificate validation according to a
* validation
* policy signed responses are necessary, but signed requests are not
* necessary. So
* this requirement should be modified.
[TF] If you read 3.2.10 you will see that a client can request that the
response not be signed. However it is a local policy decision on the
server to sign if this value is set. So a DPD only client has to deal
with signed responses even it is only to decode the response. It is not
required to validate the signature.
*
*
* 5. Similar considerations apply for authenticatedData for signed
* requests and
* responses.
*
*
* 6. The current query, which is far too complicated, is currently
* composed of 21
* items as follows:
*
* Query ::= SEQUENCE {
* queriedCerts SEQUENCE SIZE (1..MAX) OF CertReference,
* checks CertChecks,
* wantBack WantBack,
* validationAlg ValidationAlg,
* requestRefHash BOOLEAN DEFAULT TRUE,
* fullPolResponse [0] BOOLEAN DEFAULT FALSE,
* inhibitPolMap [1] BOOLEAN DEFAULT FALSE,
* requireExplicitPol [2] BOOLEAN DEFAULT FALSE,
* ignoreAnyPol [3] BOOLEAN DEFAULT FALSE,
* IsCA [4] BOOLEAN DEFAULT FALSE,
* SignResponse [5] BOOLEAN DEFAULT TRUE,
* serverContextInfo [6] OCTET STRING OPTIONAL,
* validityTime [7] GeneralizedTime OPTIONAL,
* trustAnchors [8] TrustAnchors OPTIONAL,
* intermediateCerts [9] CertBundle OPTIONAL,
* revInfos [10] RevocationInfos OPTIONAL,
* keyUsage [11] KeyUsage OPTIONAL,
* extendedKeyUsage [12] ExtKeyUsageSyntax OPTIONAL,
* queryExtensions [13] Extensions OPTIONAL
* producedAt [14] GeneralizedTime OPTIONAL
* validationPolRef [15] ValidationPolRef OPTIONAL}
*
* Taking into consideration the move of the so-called parameters of the
* default
* validation algorithm :
*
* validationPol ValidationPol,
* inhibitPolMap [1] BOOLEAN DEFAULT FALSE,
* requireExplicitPol [2] BOOLEAN DEFAULT FALSE,
* ignoreAnyPol [3] BOOLEAN DEFAULT FALSE,
* IsCA [4] BOOLEAN DEFAULT FALSE,
* trustAnchors [8] TrustAnchors OPTIONAL,
* keyUsage [11] KeyUsage OPTIONAL,
* extendedKeyUsage [12] ExtKeyUsageSyntax OPTIONAL,
*
*
* In fact as set of parameters is defined on page 38 as:
*
* ValPolicy ::=SEQUENCE {
* validationAlg ValidationAlg,
* inhibitPolMap [1] BOOLEAN DEFAULT FALSE,
* requireExplicitPol [2] BOOLEAN DEFAULT FALSE,
* ignoreAnyPol [3] BOOLEAN DEFAULT FALSE,
* isCA [4] BOOLEAN DEFAULT FALSE,
* trustAnchors [5] TrustAnchors,
* keyUsage [6] KeyUsage OPTIONAL,
* extendedKeyUsage [7] ExtKeyUsageSyntax OPTIONAL}
*
* and it would make sense to use that structure which groups them and
use
* it as
* the parameters to be associated with id-svp 1.
*
* The query could then be simplified as follows:
*
* Query ::= SEQUENCE {
* queriedCerts SEQUENCE SIZE (1..MAX) OF CertReference,
* checks CertChecks,
* wantBack WantBack,
* requestRefHash BOOLEAN DEFAULT TRUE,
* fullPolResponse [0] BOOLEAN DEFAULT FALSE,
* signResponse [1] BOOLEAN DEFAULT TRUE,
* serverContextInfo OCTET STRING OPTIONAL,
* validationPol ValidationPol OPTIONAL,
* -- if missing in the query, then MUST be present in the response
* validityTime GeneralizedTime OPTIONAL,
* intermediateCerts CertBundle OPTIONAL,
* revInfos RevocationInfos OPTIONAL,
* queryExtensions [2] Extensions OPTIONAL,
* producedAt [3] GeneralizedTime OPTIONAL
* }
*
* Below the new definition of ValidationPol is copied again.
*
* ValidationPol ::= CHOICE {
* valPolRef OBJECT IDENTIFIER,
* valPolDef ValPolDef }
*
* ValPolDef ::= SEQUENCE {
* valPolId OBJECT IDENTIFIER,
* parameters ANY DEFINED BY valPolId OPTIONAL }
*
[TF] Given that many of the parameters are either defaulted or optional,
I don't agree that moving them around achieves anything other than
document churn. This is a stylistic rater than a technical issue.
*
* 7. The SCVP response is currently defined on page 27 as follows:
*
* CVResponse ::= SEQUENCE {
* scvpVersion INTEGER,
* policyID INTEGER,
* producedAt GeneralizedTime,
* responseStatus ResponseStatus,
* requestRef RequestReference,
* requestor [1] OCTET STRING OPTIONAL,
* responder [2] OCTET STRING OPTIONAL,
* replyObjects [3] ReplyObjects OPTIONAL,
* requestNonce [4] OCTET STRING OPTIONAL,
* serverContextInfo [5] OCTET STRING OPTIONAL,
* valPolResponse [6] ValPolicy OPTIONAL,
* validationPolRef [7] ValidationPolicyRef OPTIONAL
* respExtensions [8] Extensions OPTIONAL }
*
* policyID is mandatory and does not make sense when a validation policy
* reference
* is being used. It should be deleted.
[TF] The relevance of the policyID depends on the validation policy so
rather than have the server figure our that dependency, its simpler to
mandate the policyID be present.
*
* responder is for SCVP server relay only and the text omits to mention
it.
[TF] I will add text to that effect.
*
* requestor is primarily for SCVP server relay and that this parameter
* should not
* have to be supported by a client.
[TF] A server who relays a request is by definition also a client. Any
client who is not concerned with these values can ignore them.
*
* Defining these two parameters as respExtensions would only thin
clients
* and non
* relaying servers to simply forget about them.
*
* It is thus proposed to simplify the structure as follows:
*
* CVResponse ::= SEQUENCE {
* scvpVersion INTEGER,
* requestNonce OCTET STRING OPTIONAL,
* producedAt GeneralizedTime,
* requestRef RequestReference,
* validationPol ValidationPol OPTIONAL,
* -- if missing in the query, then MUST be present
* responseStatus ResponseStatus,
* replyObjects [1] ReplyObjects OPTIONAL,
* serverContextInfo [2] OCTET STRING OPTIONAL,
* respExtensions [3] Extensions OPTIONAL }
*
*
* 8. The Server Policies Request is currently defined on page 40 as
follows:
*
* PolRequest ::= SEQUENCE {
* scvpVersion INTEGER }
*
* The current idea is to use a mechanisms similar to the CRL mechanism
to
* detect
* if the response is current or is a replay. It should be able to
support
* a nonce.
*
* The structure should thus be changed to:
*
* PolRequest ::= SEQUENCE {
* scvpVersion INTEGER,
* requestNonce OCTET STRING OPTIONAL }
[TF] Agreed.
*
*
* 9. The Server Policies Response is currently defined on page 40 as
* follows:
*
* PoliciesResponse ::= SEQUENCE {
* scvpVersion INTEGER,
* DefaultPolicyID INTEGER,
* thisUpdate GeneralizedTime,
* nextUpdate GeneralizedTime,
* trustAnchors TrustAnchors,
* validationPolices SEQUENCE OF ValidationPolRef,
* validationAlgs SEQUENCE OF OBJECT IDENTIFIER,
* authPolicies SEQUENCE OF AuthPolicy,
* responseTypes ResponseTypes,
* defaultValPol ValPolicy,
* clockSkew INTEGER OPTIONAL,
* authDataCert Certificate OPTIONAL }
*
*
* DefaultPolicyID and defaultValPol do not need to be present,
[TF] The PolicyID is the server policy so needs to be present.
* default
* policy may simply be the first policy of the SEQUENCE of validation
* policies
* that is returned.
*
* nextUpdate should be OPTIONAL since a server may choose to always send
a
* fresh
* response.
[TF] simply omitting the nextUpdate by itself is ambiguous sine the
client cannot tell if the policy is in response to the request or has
infinite lifetime. If the client submits a nonce then the server can
either return a fresh policy or the cached version. If the client omits
the nonce then the server MUST return the cached version with the
nextUpdate.
*
* trustAnchors is a parameter of one specify validation policy and thus
* should not
* be present at that level.
[TF] Clients are not mandated to use validation policy so this is
appropriate at this level
*
* validationPolices should be used to define a sequence of validation
policy
* references and/or a sequence of validation policy definitions. See
below.
*
* validationAlgs may be inner component of validation policy definition.
[TF] Again validation policies are not mandatory in deployments.
*
* authPolicies is unclear, since all responses MUST be signed.
[TF] This is for auth to the server.
Deleted for
* simplification.
*
* defaultValPol is not needed, if the default policy is simply the first
* policy of
* the SEQUENCE of validation policies that is returned.
*
* The name of authDataCert should be changed into serverCert.
[TF] The authDataCert is the certificate used for the authenticated data
requests/responses. The name differentiates it form the signing cert
returned in the CMS envelope.
*
* The structure should thus be changed to:
*
* PoliciesResponse ::= SEQUENCE {
* scvpVersion INTEGER,
* responseNonce OCTET STRING OPTIONAL,
* thisUpdate GeneralizedTime,
* nextUpdate GeneralizedTime OPTIONAL,
* validationPolicies SEQUENCE OF ValidationPol,
* -- the default validation policy is the first of the sequence
* responseTypes ResponseTypes,
* clockSkew INTEGER OPTIONAL,
* serverCert Certificate OPTIONAL }
[TF] The revised SCVP server policy response is now
PoliciesResponse ::= SEQUENCE {
scvpVersion INTEGER,
DefaultPolicyID INTEGER,
thisUpdate GeneralizedTime,
nextUpdate GeneralizedTime OPTIONAL,
trustAnchors TrustAnchors,
validationPolices SEQUENCE OF ValidationPolRef,
validationAlgs SEQUENCE OF OBJECT IDENTIFIER,
authPolicies SEQUENCE OF AuthPolicy,
responseTypes ResponseTypes,
defaultValPol ValPolicy,
clockSkew INTEGER OPTIONAL,
requestNonce OCTET STRING OPTIONAL,
authDataCert Certificate OPTIONAL }
*
*
* Denis
*
*
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6V5bepj050162; Fri, 30 Jul 2004 22:37:40 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6V5beg4050160; Fri, 30 Jul 2004 22:37:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from exchange.microsoft.com (exchange.microsoft.com [131.107.8.3] (may be forged)) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6V5bdPR050127 for <ietf-pkix@imc.org>; Fri, 30 Jul 2004 22:37:39 -0700 (PDT) (envelope-from trevorf@microsoft.com)
Received: from DF-VRS-01.redmond.corp.microsoft.com ([157.54.4.14]) by exchange.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069); Fri, 30 Jul 2004 22:37:44 -0700
Received: from 10.197.0.83 by DF-VRS-01.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Fri, 30 Jul 2004 22:37:44 -0700
Received: from df-fido-msg.exchange.corp.microsoft.com ([157.54.6.241]) by DF-BEG.mercury.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Fri, 30 Jul 2004 22:37:43 -0700
Received: from DF-SEADOG-MSG.exchange.corp.microsoft.com ([157.54.6.243]) by df-fido-msg.exchange.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Fri, 30 Jul 2004 22:38:12 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: SCVP-15
Date: Fri, 30 Jul 2004 22:37:42 -0700
Message-ID: <A24D60A1195E4549960ED2B9D28786724D62F5@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: SCVP-15
thread-index: AcRwIL4Nn5hmHS3ES22EU5RBR7YtVAGnz2kQ
From: "Trevor Freeman" <trevorf@exchange.microsoft.com>
To: "Michael Myers" <mmyers@fastq.com>, <ietf-pkix@imc.org>
X-OriginalArrivalTime: 31 Jul 2004 05:38:12.0782 (UTC) FILETIME=[91F5CCE0:01C476C0]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6V5bdPR050152
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hi Mike,
Sorry for the slow response but I am on vacation so am not reading mail
as frequently as normal. I agree with your point on needing clear
definitions for DPD and DPV but I think the ones provided in 3379 are
adequate. That would simply require adding references to sections 2 and
3 of the RFC.
Do you agree?
Trevor
* -----Original Message-----
* From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]
* On Behalf Of Michael Myers
* Sent: Thursday, July 22, 2004 11:43 AM
* To: ietf-pkix@imc.org
* Subject: Re: SCVP-15
*
*
* Trevor,
*
* Section 3.2.10, extracted below, is a good step forward to closure on
* the issue. Given its definition as a BOOLEAN in Query syntax, I am
* comfortable with its default to TRUE.
*
* The second paragraph however needs an implementable definition of DPD
* vice DPV with respect to SCVP ASN.1 in order to assert that that a
* request is in error if it asks for a validation assertion in the
context
* of signResponse set to FALSE.
*
* Mike
*
*
*
*
* 3.2.10 signResponse
*
* The signResponse specifies if the client requires the server to
* sign a response to the validation request. If the client is
* performing full chain validation on the response and it is not
* concerned about the authenticity of the source of the data, then
* the client does not benefit from the signature on the response in
* which case it can indicate to the server that the signature is
* unnecessary via the signResponse value.
*
* SCVP clients that support DPD MUST support setting this value to
* FALSE. Since DPV responses must be signed, DPV only SCVP clients
* MUST NOT to support this value. SCVP servers SHOULD support
* returning unsigned responses. It is a local policy decision on the
* part of the server to return signed or unsigned responses if this
* value is set to FALSE.
*
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6UDN08i061442; Fri, 30 Jul 2004 06:23:00 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6UDN0kf061440; Fri, 30 Jul 2004 06:23:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from iscan03.secomtrust.net (iscan01.secomtrust.net [61.114.177.102]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6UDMnn9061407 for <ietf-pkix@imc.org>; Fri, 30 Jul 2004 06:22:49 -0700 (PDT) (envelope-from shimaoka@secom.ne.jp)
Received: (qmail 17902 invoked by alias); 30 Jul 2004 13:22:42 -0000
Delivered-To: alias-map-ietf-pkix@imc.org@MAP
Received: (qmail 17892 invoked by alias); 30 Jul 2004 13:22:41 -0000
Received: from localhost (HELO mail.secomtrust.net) (127.0.0.1) by localhost with SMTP; 30 Jul 2004 13:22:41 -0000
Received: (qmail 23911 invoked from network); 30 Jul 2004 13:22:41 -0000
Received: from unknown (HELO ?192.168.1.5?) (172.30.253.98) by mail with SMTP; 30 Jul 2004 13:22:41 -0000
Date: Fri, 30 Jul 2004 22:22:48 +0900
From: Masaki SHIMAOKA <shimaoka@secom.ne.jp>
To: <ietf-ltans@imc.org>, <pki4ipsec@icsalabs.com>, <ietf-pkix@imc.org>, <ietf-smime@imc.org>, ietf-tls@lists.certicom.com
Subject: multi-domain PKI unofficial BoF
Cc: mpki@jnsa.org
Message-Id: <20040730221340.7157.SHIMAOKA@secom.ne.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.11.02 [ja]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
All,
# Sorry for any cross-postings.
I am going to hold a unofficial BoF for Best Current Practice (BCP) of multi-domain
PKI in the 60th IETF meeting at San Diego.
Date/Time and Room are not decided yet, but it will be held at Aug 4 or
5. If you have interest in this issue, please check your mailing list and
board at IETF reception. I will announce additional information there.
Purpose of this BoF is to make a consensus of the following:
* What is the multi-domain PKI?
* What is the problem in multi-domain PKI?
* Shall we solve this problem?
Summary:
There are many PKIs in the actual world, and they have of course
different architectures and different policies.
So when some PKIs assemble, it will bring some problems.
Assembling the PKIs is hard problem because it may require full understanding of not only PKI but LDAP and so on.
Therefore, I think that we should show some technical idea about assembling PKIs.
My opinion for this theme is described in my following personal I-D:
http://www.jnsa.org/mpki/draft-shimaoka-multidomain-pki-04-20040730r1.txt
If we make a rough consensus, following this discussion I would like to
review my I-D with you.
Thanks,
shima
-----
Masaki SHIMAOKA
SECOM Trust.net
Tel: +81 422 91 8498 (ext.3635); Mitaka
Tel: +81 3 5775 8661 (ext.3485); Harajuku
Fax: +81 422 45 0536
e-mail: shimaoka@secom.ne.jp
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6U6NAnZ041918; Thu, 29 Jul 2004 23:23:10 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6U6NApB041917; Thu, 29 Jul 2004 23:23:10 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from lon1-mail-1.visp.demon.net (IDENT:mirapoint@lon1-mail-1.visp.demon.net [193.195.70.4]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6U6MuSV041770 for <ietf-pkix@imc.org>; Thu, 29 Jul 2004 23:23:09 -0700 (PDT) (envelope-from d.w.chadwick@salford.ac.uk)
Received: from salford.ac.uk (adslbcn-1-139.easynet.es [62.93.178.139] (may be forged)) by lon1-mail-1.visp.demon.net (MOS 3.4.6-GR) with ESMTP id BMC16460 (AUTH maggiewilliams@beeb.net); Fri, 30 Jul 2004 07:11:27 +0100 (BST)
Message-ID: <4109E630.1BEC3535@salford.ac.uk>
Date: Fri, 30 Jul 2004 07:09:52 +0100
From: David Chadwick <d.w.chadwick@salford.ac.uk>
Organization: University of Salford
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: David Chadwick CHADWICK <D.W.Chadwick@salford.ac.uk>
Subject: 8th IFIP TC-6 TC-11 Conference on Communications and Multimedia Security
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sorry for any cross postings, but it is the last few days for reduced
registration fees,
regards
David
======================================
Eighth IFIP TC-6 TC-11 Conference on
Communications and Multimedia Security
======================================
15-18 September 2004
CALL FOR PARTICIPATION
Please register online at:
https://venables-0179.salford.ac.uk/eCMS2004/
A discount is available for early registration (before July 31st 2004).
The Eighth IFIP Conference on Communications and Multimedia Security
will be held at the Beech Hill Hotel, overlooking Lake Windermere in the
beautiful Emglish Lake District.
The opening keynote speech will be given by Karl-Heinz Brandenburg, the
inventor of MP3, who will talk about Digital Rights Management issues.
En exciting programme has been organised, with Sessions:
- - Privacy/Anonymity
- - Mobile Security
- - Digital Signatures
- - Cryptography
- - Multimedia Security
- - Application Level Security
A panel session will be ogranised on "Security in Microsoft .Net"
On the final day (Saturday) walks will be arranged around the lakes or,
for the more intrepid participants, over the mountains.
A full programme may be found on the conference website at:
http://sec.isi.salford.ac.uk/cms2004/Program/index.html
The conference is organized by the Informatics Research Institute and
the Information Systems Security Research Group at the University of
Salford.
Informal enquiries may be addressed to: Info-CMS2004@salford.ac.uk
We look forward to hearing from you and seeing you in September.
Best wishes,
Professor David Chadwick: Programme Chair
Professor Grahame Cooper: Organizing Chair
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6TKPUIs003103; Thu, 29 Jul 2004 13:25:30 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6TKPUnC003102; Thu, 29 Jul 2004 13:25:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6TKPT3n003096 for <ietf-pkix@imc.org>; Thu, 29 Jul 2004 13:25:29 -0700 (PDT) (envelope-from Steve.Hanna@Sun.COM)
Received: from phys-bur1-1 ([129.148.13.15]) by brmea-mail-4.sun.com (8.12.10/8.12.9) with ESMTP id i6TKNG53029575 for <ietf-pkix@imc.org>; Thu, 29 Jul 2004 14:23:16 -0600 (MDT)
Received: from conversion-daemon.bur-mail2.east.sun.com by bur-mail2.east.sun.com (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) id <0I1M00F01R671A@bur-mail2.east.sun.com> (original mail from Steve.Hanna@Sun.COM) for ietf-pkix@imc.org; Thu, 29 Jul 2004 16:25:33 -0400 (EDT)
Received: from sun.com (dhcp-ubur02-75-154.East.Sun.COM [129.148.75.154]) by bur-mail2.east.sun.com (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) with ESMTPA id <0I1M00GK8RELLC@bur-mail2.east.sun.com>; Thu, 29 Jul 2004 16:25:33 -0400 (EDT)
Date: Thu, 29 Jul 2004 16:15:14 -0400
From: Steve Hanna <Steve.Hanna@Sun.COM>
Subject: Re: New I-D on Intl Strings in Certs
In-reply-to: <6.1.1.1.2.20040712132632.03b49e80@mail.binhost.com>
To: Russ Housley <housley@vigilsec.com>
Cc: ietf-pkix@imc.org
Message-id: <41095AD2.9050807@sun.com>
MIME-version: 1.0
Content-type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=------------ms050700070501020205040605
X-Accept-Language: en-us, en
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20031111
References: <40F2867D.6090408@sun.com> <6.1.1.1.2.20040712132632.03b49e80@mail.binhost.com>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--------------ms050700070501020205040605
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Russ Housley wrote:
> I would like to see an additional section in this document. When
> otherName forms are registered, some of these will in include text
> strings. However, they will probably not make use of GeneralName or
> Name. Therefore, I think it would be useful to list the ASN.1 types
> where these rules should be applied. UTF8String is obvious. What
> else?
In my experience, many name forms have their own matching
rules. For instance, DNS names are case-insensitive.
RFC822Names use receiver-specific matching conventions in
the localpart and case-insensitive matching for the domain.
I'd be reluctant to specify any rules for future name forms,
but maybe we can come up with some guidelines. For instance,
we could say that name forms that include Unicode strings
(BMPString, UnicodeString, or UTF8String) SHOULD consider
using a variant of the stringprep algorithm and MUST specify
a clear, well-defined algorithm for name matching or
prohibit the use of these name forms in name constraints.
Would that address your concern?
Thanks,
Steve
P.S. Maybe this document should describe how to handle
international characters when matching DNS names, URIs,
and RFC 822 names in certificates (in name constraints).
But I'd be inclined to specify these in separate documents,
especially since internationalization of email addresses
is not settled yet.
--------------ms050700070501020205040605
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJNzCC
AvYwggJfoAMCAQICAww3ZDANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UE
ChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNv
bmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDQwNDI4MjEwMTE0WhcNMDUwNDI4MjEwMTE0
WjBoMQ4wDAYDVQQEEwVIYW5uYTEVMBMGA1UEKhMMU3RlcGhlbiBSb3NzMRswGQYDVQQDExJT
dGVwaGVuIFJvc3MgSGFubmExIjAgBgkqhkiG9w0BCQEWE3N0ZXZlLmhhbm5hQHN1bi5jb20w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC11rLYp70KnKGmV6pNTFRhWBwq47mV
4hU6EaZxo6I3Vw96Rd3E4TH3SAthIl5N4/tpiMPtlTBiJOU6QHSlz1DgTCclmTK6taqtEyLq
amez8vYgSdOEnOFRYILptjbEwpE+yeUmFKOmZ7zSwBMqRQatMHMaLVUJJ3Ygw1V7fKSwvVU0
OJ8c+c3sJRtRyDLxq/vMzYQP+wyqRqlJPTHGFqVuMp0FZIV5X76z+O+W90m9jXjirz91Jz+W
N6rwqmPi8Qy0uxBKm6NKT1371p+WYaK9OfGk8vGbJ8ZsTP3DyQhuuemYPbkKPtoII6WnHIGT
/DOy2G7gff7GOIhUrs7PziddAgMBAAGjMDAuMB4GA1UdEQQXMBWBE3N0ZXZlLmhhbm5hQHN1
bi5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQB++aOP6sZVYlqBGc92hZ61
FHST+OqnKZHRGkqEO94RoxdeaSUFKVO2IaKLMBmqNzmh3N3pIsIKiLhJNvDgLhlRrMRVfR29
uixjTsprR26AacMx/gCiCstGIjkzTb83xAvZay5hnzUmlt/LSNX8e6jTNav6LP64WC+C7Tul
fM/PzDCCAvYwggJfoAMCAQICAww3ZDANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTEl
MCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3Rl
IFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDQwNDI4MjEwMTE0WhcNMDUwNDI4
MjEwMTE0WjBoMQ4wDAYDVQQEEwVIYW5uYTEVMBMGA1UEKhMMU3RlcGhlbiBSb3NzMRswGQYD
VQQDExJTdGVwaGVuIFJvc3MgSGFubmExIjAgBgkqhkiG9w0BCQEWE3N0ZXZlLmhhbm5hQHN1
bi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC11rLYp70KnKGmV6pNTFRh
WBwq47mV4hU6EaZxo6I3Vw96Rd3E4TH3SAthIl5N4/tpiMPtlTBiJOU6QHSlz1DgTCclmTK6
taqtEyLqamez8vYgSdOEnOFRYILptjbEwpE+yeUmFKOmZ7zSwBMqRQatMHMaLVUJJ3Ygw1V7
fKSwvVU0OJ8c+c3sJRtRyDLxq/vMzYQP+wyqRqlJPTHGFqVuMp0FZIV5X76z+O+W90m9jXji
rz91Jz+WN6rwqmPi8Qy0uxBKm6NKT1371p+WYaK9OfGk8vGbJ8ZsTP3DyQhuuemYPbkKPtoI
I6WnHIGT/DOy2G7gff7GOIhUrs7PziddAgMBAAGjMDAuMB4GA1UdEQQXMBWBE3N0ZXZlLmhh
bm5hQHN1bi5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQB++aOP6sZVYlqB
Gc92hZ61FHST+OqnKZHRGkqEO94RoxdeaSUFKVO2IaKLMBmqNzmh3N3pIsIKiLhJNvDgLhlR
rMRVfR29uixjTsprR26AacMx/gCiCstGIjkzTb83xAvZay5hnzUmlt/LSNX8e6jTNav6LP64
WC+C7TulfM/PzDCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYT
AlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UE
ChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMg
RGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqG
SIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBa
Fw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3Vs
dGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNz
dWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRw
nd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn
8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJg
t/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0
dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1Ud
DwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJ
KoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A
9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH
1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggM7MIIDNwIBATBpMGIxCzAJ
BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYD
VQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDDdkMAkGBSsOAwIa
BQCgggGnMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA0MDcy
OTIwMTUxNFowIwYJKoZIhvcNAQkEMRYEFAlmvyUikceHTB3a/dextANXkKYmMFIGCSqGSIb3
DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcG
BSsOAwIHMA0GCCqGSIb3DQMCAgEoMHgGCSsGAQQBgjcQBDFrMGkwYjELMAkGA1UEBhMCWkEx
JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0
ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMMN2QwegYLKoZIhvcNAQkQAgsxa6Bp
MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQu
MSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDDdkMA0G
CSqGSIb3DQEBAQUABIIBADzCm5StxmcokSbrFPQ22HwXkM7mOdYc6ko7bIhBo0eigXdhK9Uh
kKFNc53Q6FjqJUzPlIvxkO0mdlKJM9MxsgboLsP0Bs3pRCy3UIvk+G6HpC38yVrWyKkd8Dyh
mploKUlkPi4nvs+ncNv72qOhR4iytGaGH8UCBkMDlTvo8nLPxsTC/jniDP6qBHTpd30tX803
0uz5ti0uKidCXyMyHszqWBrx8Wrb2TPDV2p8VDWO1Vfz8xelbitiX8hYTktmzuX0jYIl5+nf
JH8yLULiG0ffDk0M8OYT45IjqeTuhS29YldhglL2Z+EV/TIaKNOZ8DHCGM3BBVtC3e/DweL4
7tQAAAAAAAA=
--------------ms050700070501020205040605--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6TKPPw4003084; Thu, 29 Jul 2004 13:25:25 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6TKPPIl003083; Thu, 29 Jul 2004 13:25:25 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6TKPLXx003067 for <ietf-pkix@imc.org>; Thu, 29 Jul 2004 13:25:22 -0700 (PDT) (envelope-from Steve.Hanna@Sun.COM)
Received: from phys-bur1-1 ([129.148.13.15]) by brmea-mail-4.sun.com (8.12.10/8.12.9) with ESMTP id i6TKN757029503 for <ietf-pkix@imc.org>; Thu, 29 Jul 2004 14:23:08 -0600 (MDT)
Received: from conversion-daemon.bur-mail2.east.sun.com by bur-mail2.east.sun.com (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) id <0I1M00F01R671A@bur-mail2.east.sun.com> (original mail from Steve.Hanna@Sun.COM) for ietf-pkix@imc.org; Thu, 29 Jul 2004 16:25:25 -0400 (EDT)
Received: from sun.com (dhcp-ubur02-75-154.East.Sun.COM [129.148.75.154]) by bur-mail2.east.sun.com (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) with ESMTPA id <0I1M00GJUREDLC@bur-mail2.east.sun.com>; Thu, 29 Jul 2004 16:25:25 -0400 (EDT)
Date: Thu, 29 Jul 2004 16:15:05 -0400
From: Steve Hanna <Steve.Hanna@Sun.COM>
Subject: Re: New I-D on Intl Strings in Certs
In-reply-to: <E1BlUgC-00059V-CV@medusa01>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: ietf-pkix@imc.org, Steve Hanna <shanna@funk.com>
Message-id: <41095AC9.9000200@sun.com>
MIME-version: 1.0
Content-type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=------------ms000908030802010008090303
X-Accept-Language: en-us, en
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20031111
References: <E1BlUgC-00059V-CV@medusa01>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--------------ms000908030802010008090303
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Peter,
I apologize for taking so long to respond to
your email. I'm changing jobs (moving from
Sun to a small software company, Funk Software).
Arranging the changeover has kept me busy.
Unfortunately, I won't be able to attend
IETF 60 next week since that will be my first
week at Funk. But I hope things will continue
smoothly on Monday. My new email address will
be shanna@funk.com. Anyway, on to business.
Let me respond to your comments.
Peter Gutmann wrote:
> Steve Hanna <Steve.Hanna@Sun.COM> writes:
>>Path validation will fail when a relying party uses binary comparison to
>>match X.500 names that differ slightly if the match is performed as part of
>>subject-issuer name chaining or permittedSubtrees processing.
>
> This begs the question of "Why the &*^#&$# would any CA in its right mind ever
> issue a certificate where the issuer.suject DN gratuitously differs from the
> subject.issuer DN by an extra space or something similar?". You'd have to
> deliberately add code to break the DN as it goes from parent to child. Why
> not say:
>
> Any CA that issues certificates where the issuer.suject DN gratuitously
> differs from the subject.issuer DN should be considered broken, with
> handling of its certs not guaranteed by this specification.
>
> (you can rephrase that as MUST and whatnot if you want).
In general, I agree that it's best to avoid any
differences between the subject name of one
certificate and the issuer name of the next.
However, there are times when such a difference
is inevitable. For example, some CAs require
(because of technical or policy reasons) that
a particular encoding be used in all certs
that they issue. This encoding may differ from
the one used by other CAs for the same names.
More important is the problem of name constraints.
It's common for a certificate to include a name
constraint which applies to subject names and
subject alternative names in many other certificates.
These certificates may use different encodings for
those subject names and subject alternative names
than the one used in the name constraint. They may
also have minor differences in capitalization or
spacing. Therefore, it's important to support matching
distinguished names while ignoring unimportant
differences (as described in X.509).
>>This algorithm SHOULD NOT be used for matching CRL
>>distribution point names or cRLIssuer. A binary
>>comparison SHOULD be used for such mapping.
>
> Is there any reason why binary comparison is OK for finding
> who issued a CRL, but not for who issued a cert?
As you said above, its better to use binary matching
when possible. In this case, I don't see any reason
not to. A CA should easily be able to provide an
exact binary value for CRL distribution point name
and cRLIssuer. Also, the only binding between a
certificate and its CRL issuer is the name (cRLIssuer).
With subject-issuer name chaining, the subject public
key of a certificate must verify the signature on the
subsequent certificate. This reinforces the need to
avoid malicious or accidental mismatches with cRLIssuer.
>>More substantial problems can occur if a relying party uses binary comparison
>>to determine that an X.500 name does not match excludedSubtrees and the CA
>>expected that it would match because of the more lenient processing.
>
> It doesn't matter what algorithm they use, you can always escape
> excludedSubtrees by clever encoding of your DNs (see the X.509 style guide for
> the details). The draft should warn (like the RFC currently does) that you
> can't rely on excludedSubtrees to exclude certs from non-cooperating cert
> issuers (that is, ones that will create DNs with strings encoded so as to
> avoid the exclusion).
I agree that using excludedSubTrees is not a good idea.
We'll strengthen the wording in the next revision.
Thanks,
Steve
--------------ms000908030802010008090303
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJNzCC
AvYwggJfoAMCAQICAww3ZDANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UE
ChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNv
bmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDQwNDI4MjEwMTE0WhcNMDUwNDI4MjEwMTE0
WjBoMQ4wDAYDVQQEEwVIYW5uYTEVMBMGA1UEKhMMU3RlcGhlbiBSb3NzMRswGQYDVQQDExJT
dGVwaGVuIFJvc3MgSGFubmExIjAgBgkqhkiG9w0BCQEWE3N0ZXZlLmhhbm5hQHN1bi5jb20w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC11rLYp70KnKGmV6pNTFRhWBwq47mV
4hU6EaZxo6I3Vw96Rd3E4TH3SAthIl5N4/tpiMPtlTBiJOU6QHSlz1DgTCclmTK6taqtEyLq
amez8vYgSdOEnOFRYILptjbEwpE+yeUmFKOmZ7zSwBMqRQatMHMaLVUJJ3Ygw1V7fKSwvVU0
OJ8c+c3sJRtRyDLxq/vMzYQP+wyqRqlJPTHGFqVuMp0FZIV5X76z+O+W90m9jXjirz91Jz+W
N6rwqmPi8Qy0uxBKm6NKT1371p+WYaK9OfGk8vGbJ8ZsTP3DyQhuuemYPbkKPtoII6WnHIGT
/DOy2G7gff7GOIhUrs7PziddAgMBAAGjMDAuMB4GA1UdEQQXMBWBE3N0ZXZlLmhhbm5hQHN1
bi5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQB++aOP6sZVYlqBGc92hZ61
FHST+OqnKZHRGkqEO94RoxdeaSUFKVO2IaKLMBmqNzmh3N3pIsIKiLhJNvDgLhlRrMRVfR29
uixjTsprR26AacMx/gCiCstGIjkzTb83xAvZay5hnzUmlt/LSNX8e6jTNav6LP64WC+C7Tul
fM/PzDCCAvYwggJfoAMCAQICAww3ZDANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTEl
MCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3Rl
IFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDQwNDI4MjEwMTE0WhcNMDUwNDI4
MjEwMTE0WjBoMQ4wDAYDVQQEEwVIYW5uYTEVMBMGA1UEKhMMU3RlcGhlbiBSb3NzMRswGQYD
VQQDExJTdGVwaGVuIFJvc3MgSGFubmExIjAgBgkqhkiG9w0BCQEWE3N0ZXZlLmhhbm5hQHN1
bi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC11rLYp70KnKGmV6pNTFRh
WBwq47mV4hU6EaZxo6I3Vw96Rd3E4TH3SAthIl5N4/tpiMPtlTBiJOU6QHSlz1DgTCclmTK6
taqtEyLqamez8vYgSdOEnOFRYILptjbEwpE+yeUmFKOmZ7zSwBMqRQatMHMaLVUJJ3Ygw1V7
fKSwvVU0OJ8c+c3sJRtRyDLxq/vMzYQP+wyqRqlJPTHGFqVuMp0FZIV5X76z+O+W90m9jXji
rz91Jz+WN6rwqmPi8Qy0uxBKm6NKT1371p+WYaK9OfGk8vGbJ8ZsTP3DyQhuuemYPbkKPtoI
I6WnHIGT/DOy2G7gff7GOIhUrs7PziddAgMBAAGjMDAuMB4GA1UdEQQXMBWBE3N0ZXZlLmhh
bm5hQHN1bi5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQB++aOP6sZVYlqB
Gc92hZ61FHST+OqnKZHRGkqEO94RoxdeaSUFKVO2IaKLMBmqNzmh3N3pIsIKiLhJNvDgLhlR
rMRVfR29uixjTsprR26AacMx/gCiCstGIjkzTb83xAvZay5hnzUmlt/LSNX8e6jTNav6LP64
WC+C7TulfM/PzDCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYT
AlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UE
ChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMg
RGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqG
SIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBa
Fw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3Vs
dGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNz
dWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRw
nd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn
8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJg
t/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0
dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1Ud
DwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJ
KoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A
9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH
1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggM7MIIDNwIBATBpMGIxCzAJ
BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYD
VQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDDdkMAkGBSsOAwIa
BQCgggGnMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA0MDcy
OTIwMTUwNVowIwYJKoZIhvcNAQkEMRYEFK9VFo8ULZtVOlT7HDWyIbT10gRiMFIGCSqGSIb3
DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcG
BSsOAwIHMA0GCCqGSIb3DQMCAgEoMHgGCSsGAQQBgjcQBDFrMGkwYjELMAkGA1UEBhMCWkEx
JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0
ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMMN2QwegYLKoZIhvcNAQkQAgsxa6Bp
MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQu
MSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDDdkMA0G
CSqGSIb3DQEBAQUABIIBABtujhoDdQn729OTDg/NAVyknc1qAy8YKxTYr66tSZmq8Twuzfq/
jM10M3/z3GtUJHu9pm1a6b94jNEAnnqQT3pUVZuhel4WhgH5dZ/7NwQUC873JhD1uTvhZ+J4
1euZZ0+t8fg5d4K6239xrBwIaJRuTuoJJmZE0MZafysGOWKvKwumEsjDDx8kQrs0p/OXjbtm
/5KNb5xcbCWgGjuAVdskQnvBujzb4ziPEXJjrSnJVA9OqAFLJzR7HUO/Ee8youQuz/mZSAxU
cgoD49GLDOz62iLcl8YrDlFDeTWCbYiCxryZkVJJmYJMO8lSoZZ5UpSkDpiYaVG3FicJLFUF
3sgAAAAAAAA=
--------------ms000908030802010008090303--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6T77DI2078369; Thu, 29 Jul 2004 00:07:13 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6T77D4I078368; Thu, 29 Jul 2004 00:07:13 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6T77B9T078314 for <ietf-pkix@imc.org>; Thu, 29 Jul 2004 00:07:12 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id JAA22342; Thu, 29 Jul 2004 09:17:31 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id JAA24252; Thu, 29 Jul 2004 09:07:05 +0200
Message-ID: <4108A1C7.5050302@bull.net>
Date: Thu, 29 Jul 2004 09:05:43 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: Peter Sylvester <Peter.Sylvester@edelweb.fr>
CC: ietf-pkix@imc.org
Subject: Comments on SCVP15
References: <200407281233.i6SCX2g12828@chandon.edelweb.fr>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Peter,
I am in general agreement with the *technical* comments you sent.
The current version of SCVP is still not compliant with RFC 3379.
A large amount of work still needs to be done on this draft.
It is also a pitty that the new draft (15) has only be officially
distributed on July 20.
On May 17, Trevor said: "I will be posting SCVP 15 shortly so you can review
the latest draft." I replied: "An extract of the proposal sent to the
mailing list and targeted to this problem would probably save another round."
Should I undertstand that, for Trevor, "shortly" practically means "more
than 2 months" ?
Now awaiting SCVP-16 ... or much better, before issuing it, a response to
the many technical comments raised on this mailing list on SCVP-15.
Denis
(as "someone participating in this list who agrees with something or
considers it as useful").
> it seems to me that some of the results of discussions between
> the editor and me have been forgotten or so.
>
>
> I still think that the scvp is not conformant to RFC 3379
> and/or the editors has not done something as announced.
>
> 1) RFC 3379 says:
> The DPV request MUST allow the client to request that the server
> include in its response additional information which will allow
> relying parties not trusting the DPV server to be confident that the
> certificate validation has correctly been performed. Such
> information may (not necessarily exclusively) consist of a
> certification path, revocation status information from authorized CRL
> issuers or authorized OCSP responders, revocation status information
> from CRL issuers or OCSP responders trusted under the validation
> policy, time-stamp tokens from TSAs responders trusted under the
> validation policy, or a DPV response from a DPV server that is
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> trusted under the validation policy. When the certificate is valid
> according to the validation policy, the server MUST, upon request,
> include that information in the response. However, the server MAY
> omit that information when the certificate is invalid or when it
> cannot determine the validity.
>
> ==> no provision (as far as I see).
>
>
> 2) RFC 3379 says:
> When the DPV request is authenticated, the client SHOULD be able to
> include a client identifier in the request for the DPV server to copy
> into the response. Mechanisms for matching this identifier with the
> authenticated identity depends on local DPV server conditions and/or
> the validation policy. The DPV server MAY choose to blindly copy the
> identifier, omit the identifier, or return an error response.
>
> The current text is SCVP says:
>
> The OPTIONAL requestor item is used to identify the requestor. The
> value is only of local significance to the requestor. If the SCVP
> client includes a requestor value in the request, then the SCVP
> server MUST return the same value if the server is generating a
> specific response.
>
>
> tf also said:
>
>
>>Given there are plenty of ways a client can generate a "unique" as well
>>as other behaviors like it can encode a DN in the octet sting if it
>>likes I don't see a problem. Its down to the client to do what it thinks
>>fit. The value is simply replayed by the server so it is treated a
>>binary blob.
>
>
> There is nothing else possible for the server except copying, or,
> no mechanisms to match this with the some authenticated entity
> can be safely developped if it is solely 'up to the client to encode whatever'.
>
> I had proposed two changes to the logic of 0 terminated octet strings by:
>
> - a sequence of octet strings allowing a real opaque string.
> - a choice of generalname
>
> I.e.
>
> Identifiers ::= SEQUENCE OF {
> CHOICE {
> opaqueId OCTET STRING,
> nameId GeneralName
> }
>
> No comment to this proposition as far as I remember.
>
> 3) In May 204 trevor wrote:
>
>
>>I think we can use the Cert sign bit in key usage so the is CA bit can
>>be removed from SCVP15
>
>
> which was not done.
>
> 4) Somewhat related to this, and to the provisions to search in DPD or validate
> in DPV several types of extensions, I had proposed to opetionally search
> for the pathlength basicconstraint. if for example a client has a
> cert and a CA cert then one could use it to search only for CAs that
> have at least a pathlength of 1.
>
>
> I seem to understand that the rule in this WG is:
>
> - editor, chairmen, iesg says something ==> accepted if no response
> - others ==> rejected if no response from anyone.
>
> all totally independant of the content of the comment.
>
> At least point 3 doesn't fit into this rule.
>
> I'd like to to see whether there is someone participating
> in this list who agrees with something or considers it as useful ...
>
> Thanks for consideration
> Peter
>
>
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6T3aXas088625; Wed, 28 Jul 2004 20:36:33 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6T3aXNN088624; Wed, 28 Jul 2004 20:36:33 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6T3aVaY088588 for <ietf-pkix@imc.org>; Wed, 28 Jul 2004 20:36:32 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from medusa01 (medusa01.cs.auckland.ac.nz [130.216.34.33]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id 8D1941CD922; Thu, 29 Jul 2004 15:34:09 +1200 (NZST)
Received: from pgut001 by medusa01 with local (Exim 4.32) id 1Bq1ia-0003Eg-I7; Thu, 29 Jul 2004 15:36:32 +1200
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: ietf-pkix@imc.org, mario.ivkovic@iaik.tugraz.at
Subject: Re: Time-Stamp Protocol (TCP-based protocol)
In-Reply-To: <410783F2.6080905@iaik.tugraz.at>
Message-Id: <E1Bq1ia-0003Eg-I7@medusa01>
Date: Thu, 29 Jul 2004 15:36:32 +1200
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
mario ivkovic <mario.ivkovic@iaik.tugraz.at> writes:
>If the client sends a tsaMsg to a tsa server and the server answers with
>partialMsgRep, who is responsible for closing the tcp/ip connection? (client
>or server)
Whoever puts "Connection: Close" in the HTTP header.
Peter.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6SH78EY035600; Wed, 28 Jul 2004 10:07:08 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6SH78pw035599; Wed, 28 Jul 2004 10:07:08 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6SH76s3035551 for <ietf-pkix@imc.org>; Wed, 28 Jul 2004 10:07:07 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from cln-m001.frcl.bull.fr (cln-m001.frcl.bull.fr [129.182.91.40]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id TAA48790 for <ietf-pkix@imc.org>; Wed, 28 Jul 2004 19:17:24 +0200
Received: from bull.net ([129.181.81.11]) by cln-m001.frcl.bull.fr (Lotus Domino Release 5.0.10) with ESMTP id 2004072819065685:2079 ; Wed, 28 Jul 2004 19:06:56 +0200
Message-ID: <4107DDDB.7050607@bull.net>
Date: Wed, 28 Jul 2004 19:09:47 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: pkix <ietf-pkix@imc.org>
Subject: Comments on draft-ietf-pkix-scvp-15.txt
X-MIMETrack: Itemize by SMTP Server on CLN-M001/FR/BULL(Release 5.0.10 |March 22, 2002) at 28/07/2004 19:06:59, Serialize by Router on CLN-M001/FR/BULL(Release 5.0.10 |March 22, 2002) at 28/07/2004 19:07:01, Serialize complete at 28/07/2004 19:07:01
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Comments on draft-ietf-pkix-scvp-15.txt
Simple Certificate Validation Protocol (SCVP) alias
Complex Certificate Validation Protocol (CCVP).
1. The abstract is still omitting to use the term "validation policy". A
certificate can only be valid according to a validation policy. A
certification
path can only be constructed according to a validation policy.
The current abstract is:
SCVP allows a client to offload certificate handling to a server.
The server can provide the client with a variety of valuable
information about the certificate, such as whether the certificate
is valid, a certification path to a trust anchor, and revocation
status. SCVP has many purposes, including simplifying client
implementations and allowing companies to centralize trust and
policy management.
Change the abstract into:
SCVP allows a client to offload certificate handling to a server.
The server can provide the client with a variety of valuable
information about the certificate, such as whether the certificate
is valid according to a validation policy, a certification path to
one of the trust anchors from a validation policy, and revocation
status of every element from a certification path. SCVP has many
purposes, including simplifying client implementations and allowing
companies to centralize trust and policy management.
2. Section 1. Introduction
Some text in this section is incorrect.
" The first class of application wants just two things. First, they
want confirmation that the public key belongs to the identity named
in the certificate. Second, they want to know if the public key
can be used for the intended purpose. The client completely
delegates certification path construction and validation to the
SCVP server".
The rational of the first sentence has noting to do with the second
sentence.
Simply looking at the content of the certificate allows to answer the two
questions. There is no need to use a server to get that information.
3. In section 1.3 Validation Policies the text states:
" In SCVP, a validation policy can be explicitly expressed by passing
all the parameters in the request where the request comprises of a
validation algorithm for certificate path processing and the input
parameters to the algorithm. Alternatively a validation policy can
be indirectly referenced by a mutually agreed value such as an OID
or URL where the value indicates either are a partial or full set
of parameters necessary to complete the validation."
The two alternatives should be at the same level, or emphasis should
even be
placed on the second alternative.
In order to support thing clients, it is necessary to be able to simply
use an
OID (forget about instable / temporary URLs) which either tells
everything to
the server, or if no OID is being used by the client, an OID supplied by
the
server which tells every to the client.
Note: URNs could be used, but not URLs.
There is a major difference between a validation policy and a validation
algorithm. A validation policy is a set of rules which includes many
algorithms
and their associated parameters.
ValidationAlg is currently defined as:
ValidationAlg ::= SEQUENCE {
valAlgId OBJECT IDENTIFIER,
parameters ANY DEFINED BY valAlgId OPTIONAL }
A parameter, called validationPol should be introduced in the query to
allow the
use of a simple OID to reference a full policy or to define a validation
policy,
i.e. first a validation algorithm compliant with [PKIX-1] section 6.1
coming
with its associated parameters and additional algorithms coming with their
associated parameters.
ValidationPol should be defined as :
ValidationPol ::= CHOICE {
valPolRef OBJECT IDENTIFIER,
valPolDef ValPolRef }
ValPolDef ::= SEQUENCE {
valPolId OBJECT IDENTIFIER,
parameters ANY DEFINED BY valPolId OPTIONAL }
When using valPolRef, all algorithms and parameters are fixed.
When using valPolDef, some parameters may be dynamic.
The current structure of ValPolicy defined in section 4.11 on page 38,
would be
used for the parameters of a specific validation policy defined in this
document, i.e. id-svp-defaultValAlg OBJECT IDENTIFIER ::= { id-svp 1 }
The text should thus not state:
"When the id-svp-defaultValAlg appears as an valAlgId, the
parameters MUST be absent."
The parameters for the default validation policy shall be the parameters of
ValPolDef. The overall structure of the request would be greatly
simplified.
Note also that the ValidationAlg parameter has been omitted to be
described at
the right place, i.e. in sequence after section 3.2.4, but is described in
section 3.2.12 as:
3.2.12 validationAlg
The validationAlg item, defines the validation algorithm to be used
by the SCVP server during certificate validation. The value of
this item can be determined by agreement between the client and the
server, and is represented as an object identifier. The server
might want to assign additional object identifiers that indicate
that some settings are used in addition to others given in the
request. In this way, the validation algorithm object identifier
can be a shorthand for some SCVP options, but not others.
The validationAlg item uses the ValidationAlg type, which has the
following syntax:
ValidationAlg ::= SEQUENCE {
valAlgId OBJECT IDENTIFIER,
parameters ANY DEFINED BY valAlgId OPTIONAL }
Path processing is only one of the many checks that can be done, since many
additional checks about the content of the certificate can be done in
addition
to the certificate path processing algorithm defined by [PKIX-1] in section
6.1.1.
It is thus inappropriate to limit in general the parameters to those of
section
6.1.1., thus why all parameters associated with a given validation
algorithm
shall always be included in the parameters of ValPolDef.
The text also states:
"The SCVP server can assign validation algorithm object identifiers
which indicate that some predefined settings are used in addition
to values provided in the SCVP request."
Why this ? If the client specifies a validation policy either the server
supports it or returns an error. If the client does not specify a
validation
policy in its request, then the server has to return the default validation
policy which it has been used (and which may have nothing to do with the so-
called default validation policy defined in section 3.2.12.1.)
The following text extracted from the document, highlights the confusion
between
a validation policy and a validation algorithm.
" For a certification path to be considered valid under a particular
validation policy, it MUST be a valid certification path as defined
in [PKIX-1] and all validation policy constraints that apply to the
certification path MUST be verified. Applications MAY place
additional requirements on the validation algorithm."
4. In section 3 Validation Request, the text states:
" All SCVP clients MUST support SignedData for signed requests and
responses."
For certification path discovery signed responses are not necessary, nor
are
signed requests necessary. For certificate validation according to a
validation
policy signed responses are necessary, but signed requests are not
necessary. So
this requirement should be modified.
5. Similar considerations apply for authenticatedData for signed
requests and
responses.
6. The current query, which is far too complicated, is currently
composed of 21
items as follows:
Query ::= SEQUENCE {
queriedCerts SEQUENCE SIZE (1..MAX) OF CertReference,
checks CertChecks,
wantBack WantBack,
validationAlg ValidationAlg,
requestRefHash BOOLEAN DEFAULT TRUE,
fullPolResponse [0] BOOLEAN DEFAULT FALSE,
inhibitPolMap [1] BOOLEAN DEFAULT FALSE,
requireExplicitPol [2] BOOLEAN DEFAULT FALSE,
ignoreAnyPol [3] BOOLEAN DEFAULT FALSE,
IsCA [4] BOOLEAN DEFAULT FALSE,
SignResponse [5] BOOLEAN DEFAULT TRUE,
serverContextInfo [6] OCTET STRING OPTIONAL,
validityTime [7] GeneralizedTime OPTIONAL,
trustAnchors [8] TrustAnchors OPTIONAL,
intermediateCerts [9] CertBundle OPTIONAL,
revInfos [10] RevocationInfos OPTIONAL,
keyUsage [11] KeyUsage OPTIONAL,
extendedKeyUsage [12] ExtKeyUsageSyntax OPTIONAL,
queryExtensions [13] Extensions OPTIONAL
producedAt [14] GeneralizedTime OPTIONAL
validationPolRef [15] ValidationPolRef OPTIONAL}
Taking into consideration the move of the so-called parameters of the
default
validation algorithm :
validationPol ValidationPol,
inhibitPolMap [1] BOOLEAN DEFAULT FALSE,
requireExplicitPol [2] BOOLEAN DEFAULT FALSE,
ignoreAnyPol [3] BOOLEAN DEFAULT FALSE,
IsCA [4] BOOLEAN DEFAULT FALSE,
trustAnchors [8] TrustAnchors OPTIONAL,
keyUsage [11] KeyUsage OPTIONAL,
extendedKeyUsage [12] ExtKeyUsageSyntax OPTIONAL,
In fact as set of parameters is defined on page 38 as:
ValPolicy ::=SEQUENCE {
validationAlg ValidationAlg,
inhibitPolMap [1] BOOLEAN DEFAULT FALSE,
requireExplicitPol [2] BOOLEAN DEFAULT FALSE,
ignoreAnyPol [3] BOOLEAN DEFAULT FALSE,
isCA [4] BOOLEAN DEFAULT FALSE,
trustAnchors [5] TrustAnchors,
keyUsage [6] KeyUsage OPTIONAL,
extendedKeyUsage [7] ExtKeyUsageSyntax OPTIONAL}
and it would make sense to use that structure which groups them and use
it as
the parameters to be associated with id-svp 1.
The query could then be simplified as follows:
Query ::= SEQUENCE {
queriedCerts SEQUENCE SIZE (1..MAX) OF CertReference,
checks CertChecks,
wantBack WantBack,
requestRefHash BOOLEAN DEFAULT TRUE,
fullPolResponse [0] BOOLEAN DEFAULT FALSE,
signResponse [1] BOOLEAN DEFAULT TRUE,
serverContextInfo OCTET STRING OPTIONAL,
validationPol ValidationPol OPTIONAL,
-- if missing in the query, then MUST be present in the response
validityTime GeneralizedTime OPTIONAL,
intermediateCerts CertBundle OPTIONAL,
revInfos RevocationInfos OPTIONAL,
queryExtensions [2] Extensions OPTIONAL,
producedAt [3] GeneralizedTime OPTIONAL
}
Below the new definition of ValidationPol is copied again.
ValidationPol ::= CHOICE {
valPolRef OBJECT IDENTIFIER,
valPolDef ValPolDef }
ValPolDef ::= SEQUENCE {
valPolId OBJECT IDENTIFIER,
parameters ANY DEFINED BY valPolId OPTIONAL }
7. The SCVP response is currently defined on page 27 as follows:
CVResponse ::= SEQUENCE {
scvpVersion INTEGER,
policyID INTEGER,
producedAt GeneralizedTime,
responseStatus ResponseStatus,
requestRef RequestReference,
requestor [1] OCTET STRING OPTIONAL,
responder [2] OCTET STRING OPTIONAL,
replyObjects [3] ReplyObjects OPTIONAL,
requestNonce [4] OCTET STRING OPTIONAL,
serverContextInfo [5] OCTET STRING OPTIONAL,
valPolResponse [6] ValPolicy OPTIONAL,
validationPolRef [7] ValidationPolicyRef OPTIONAL
respExtensions [8] Extensions OPTIONAL }
policyID is mandatory and does not make sense when a validation policy
reference
is being used. It should be deleted.
responder is for SCVP server relay only and the text omits to mention it.
requestor is primarily for SCVP server relay and that this parameter
should not
have to be supported by a client.
Defining these two parameters as respExtensions would only thin clients
and non
relaying servers to simply forget about them.
It is thus proposed to simplify the structure as follows:
CVResponse ::= SEQUENCE {
scvpVersion INTEGER,
requestNonce OCTET STRING OPTIONAL,
producedAt GeneralizedTime,
requestRef RequestReference,
validationPol ValidationPol OPTIONAL,
-- if missing in the query, then MUST be present
responseStatus ResponseStatus,
replyObjects [1] ReplyObjects OPTIONAL,
serverContextInfo [2] OCTET STRING OPTIONAL,
respExtensions [3] Extensions OPTIONAL }
8. The Server Policies Request is currently defined on page 40 as follows:
PolRequest ::= SEQUENCE {
scvpVersion INTEGER }
The current idea is to use a mechanisms similar to the CRL mechanism to
detect
if the response is current or is a replay. It should be able to support
a nonce.
The structure should thus be changed to:
PolRequest ::= SEQUENCE {
scvpVersion INTEGER,
requestNonce OCTET STRING OPTIONAL }
9. The Server Policies Response is currently defined on page 40 as follows:
PoliciesResponse ::= SEQUENCE {
scvpVersion INTEGER,
DefaultPolicyID INTEGER,
thisUpdate GeneralizedTime,
nextUpdate GeneralizedTime,
trustAnchors TrustAnchors,
validationPolices SEQUENCE OF ValidationPolRef,
validationAlgs SEQUENCE OF OBJECT IDENTIFIER,
authPolicies SEQUENCE OF AuthPolicy,
responseTypes ResponseTypes,
defaultValPol ValPolicy,
clockSkew INTEGER OPTIONAL,
authDataCert Certificate OPTIONAL }
DefaultPolicyID and defaultValPol do not need to be present, since the
default
policy may simply be the first policy of the SEQUENCE of validation
policies
that is returned.
nextUpdate should be OPTIONAL since a server may choose to always send a
fresh
response.
trustAnchors is a parameter of one specify validation policy and thus
should not
be present at that level.
validationPolices should be used to define a sequence of validation policy
references and/or a sequence of validation policy definitions. See below.
validationAlgs may be inner component of validation policy definition.
authPolicies is unclear, since all responses MUST be signed. Deleted for
simplification.
defaultValPol is not needed, if the default policy is simply the first
policy of
the SEQUENCE of validation policies that is returned.
The name of authDataCert should be changed into serverCert.
The structure should thus be changed to:
PoliciesResponse ::= SEQUENCE {
scvpVersion INTEGER,
responseNonce OCTET STRING OPTIONAL,
thisUpdate GeneralizedTime,
nextUpdate GeneralizedTime OPTIONAL,
validationPolicies SEQUENCE OF ValidationPol,
-- the default validation policy is the first of the sequence
responseTypes ResponseTypes,
clockSkew INTEGER OPTIONAL,
serverCert Certificate OPTIONAL }
Denis
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6SCXAAY059223; Wed, 28 Jul 2004 05:33:10 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6SCXAdC059222; Wed, 28 Jul 2004 05:33:10 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6SCX8mn059181 for <ietf-pkix@imc.org>; Wed, 28 Jul 2004 05:33:09 -0700 (PDT) (envelope-from Peter.Sylvester@edelweb.fr)
Received: from chandon.edelweb.fr (localhost [127.0.0.1]) by edelweb.fr (8.11.7p1+Sun/8.11.7) with ESMTP id i6SCX3N14347; Wed, 28 Jul 2004 14:33:03 +0200 (MEST)
Received: from chandon.edelweb.fr (chandon.edelweb.fr [193.51.14.162]) by edelweb.fr (nospam/1.8); Wed, 28 Jul 2004 14:33:03 +0200 (MET DST)
Received: (from peter@localhost) by chandon.edelweb.fr (8.11.7p1+Sun/8.11.7) id i6SCX2g12828; Wed, 28 Jul 2004 14:33:02 +0200 (MEST)
Date: Wed, 28 Jul 2004 14:33:02 +0200 (MEST)
From: Peter Sylvester <Peter.Sylvester@edelweb.fr>
Message-Id: <200407281233.i6SCX2g12828@chandon.edelweb.fr>
To: tim.polk@nist.gov
Subject: Re: PKIX WG Agenda for 60th IETF (second try!)
Cc: ietf-pkix@imc.org
X-Sun-Charset: US-ASCII
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
it seems to me that some of the results of discussions between
the editor and me have been forgotten or so.
I still think that the scvp is not conformant to RFC 3379
and/or the editors has not done something as announced.
1) RFC 3379 says:
The DPV request MUST allow the client to request that the server
include in its response additional information which will allow
relying parties not trusting the DPV server to be confident that the
certificate validation has correctly been performed. Such
information may (not necessarily exclusively) consist of a
certification path, revocation status information from authorized CRL
issuers or authorized OCSP responders, revocation status information
from CRL issuers or OCSP responders trusted under the validation
policy, time-stamp tokens from TSAs responders trusted under the
validation policy, or a DPV response from a DPV server that is
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
trusted under the validation policy. When the certificate is valid
according to the validation policy, the server MUST, upon request,
include that information in the response. However, the server MAY
omit that information when the certificate is invalid or when it
cannot determine the validity.
==> no provision (as far as I see).
2) RFC 3379 says:
When the DPV request is authenticated, the client SHOULD be able to
include a client identifier in the request for the DPV server to copy
into the response. Mechanisms for matching this identifier with the
authenticated identity depends on local DPV server conditions and/or
the validation policy. The DPV server MAY choose to blindly copy the
identifier, omit the identifier, or return an error response.
The current text is SCVP says:
The OPTIONAL requestor item is used to identify the requestor. The
value is only of local significance to the requestor. If the SCVP
client includes a requestor value in the request, then the SCVP
server MUST return the same value if the server is generating a
specific response.
tf also said:
> Given there are plenty of ways a client can generate a "unique" as well
> as other behaviors like it can encode a DN in the octet sting if it
> likes I don't see a problem. Its down to the client to do what it thinks
> fit. The value is simply replayed by the server so it is treated a
> binary blob.
There is nothing else possible for the server except copying, or,
no mechanisms to match this with the some authenticated entity
can be safely developped if it is solely 'up to the client to encode whatever'.
I had proposed two changes to the logic of 0 terminated octet strings by:
- a sequence of octet strings allowing a real opaque string.
- a choice of generalname
I.e.
Identifiers ::= SEQUENCE OF {
CHOICE {
opaqueId OCTET STRING,
nameId GeneralName
}
No comment to this proposition as far as I remember.
3) In May 204 trevor wrote:
> I think we can use the Cert sign bit in key usage so the is CA bit can
> be removed from SCVP15
which was not done.
4) Somewhat related to this, and to the provisions to search in DPD or validate
in DPV several types of extensions, I had proposed to opetionally search
for the pathlength basicconstraint. if for example a client has a
cert and a CA cert then one could use it to search only for CAs that
have at least a pathlength of 1.
I seem to understand that the rule in this WG is:
- editor, chairmen, iesg says something ==> accepted if no response
- others ==> rejected if no response from anyone.
all totally independant of the content of the comment.
At least point 3 doesn't fit into this rule.
I'd like to to see whether there is someone participating
in this list who agrees with something or considers it as useful ...
Thanks for consideration
Peter
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6SAkIPs025761; Wed, 28 Jul 2004 03:46:18 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6SAkITo025760; Wed, 28 Jul 2004 03:46:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailrelay01.tugraz.at (mailrelay.tu-graz.ac.at [129.27.3.7]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6SAkEj7025658 for <ietf-pkix@imc.org>; Wed, 28 Jul 2004 03:46:17 -0700 (PDT) (envelope-from mario.ivkovic@iaik.tugraz.at)
Received: from iaik.at (mailhost.iaik.tu-graz.ac.at [129.27.152.30]) by mailrelay01.tugraz.at (8.13.0/8.13.0) with ESMTP id i6SAk8ij003918 for <ietf-pkix@imc.org>; Wed, 28 Jul 2004 12:46:09 +0200 (CEST)
Received: from iaik.tugraz.at [129.27.152.103] by iaik.at with ESMTP (SMTPD32-7.07) id A3F11039008C; Wed, 28 Jul 2004 12:46:09 +0200
Message-ID: <410783F2.6080905@iaik.tugraz.at>
Date: Wed, 28 Jul 2004 12:46:10 +0200
From: mario ivkovic <mario.ivkovic@iaik.tugraz.at>
User-Agent: Mozilla Thunderbird 0.5 (Windows/20040207)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Time-Stamp Protocol (TCP-based protocol)
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.44
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
If the client sends a tsaMsg to a tsa server and the server answers with
partialMsgRep, who is responsible for closing the tcp/ip connection?
(client or server)
Should the client send a pollReq in the same connection as the tsaMsg?
Thanks,
Mario Ivkovic
--
Mario Ivkovic, IAIK - Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5528
Fax: +43 316 873 5520
http://jce.iaik.tugraz.at
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6RFkUkf064404; Tue, 27 Jul 2004 08:46:30 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6RFkUOQ064403; Tue, 27 Jul 2004 08:46:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from av1-1-sn3.vrr.skanova.net (av1-1-sn3.vrr.skanova.net [81.228.9.105]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6RFkTST064395 for <ietf-pkix@imc.org>; Tue, 27 Jul 2004 08:46:29 -0700 (PDT) (envelope-from anders.rundgren@telia.com)
Received: by av1-1-sn3.vrr.skanova.net (Postfix, from userid 502) id C2EC337E6D; Tue, 27 Jul 2004 17:46:26 +0200 (CEST)
Received: from smtp1-2-sn3.vrr.skanova.net (smtp1-2-sn3.vrr.skanova.net [81.228.9.178]) by av1-1-sn3.vrr.skanova.net (Postfix) with ESMTP id B693337E42 for <ietf-pkix@imc.org>; Tue, 27 Jul 2004 17:46:26 +0200 (CEST)
Received: from arport (t11o913p74.telia.com [213.64.28.74]) by smtp1-2-sn3.vrr.skanova.net (Postfix) with SMTP id C42F43800F for <ietf-pkix@imc.org>; Tue, 27 Jul 2004 17:46:25 +0200 (CEST)
Message-ID: <001b01c473f0$70677470$0500a8c0@arport>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: <ietf-pkix@imc.org>
References: <73388857A695D31197EF00508B08F29806EE1B4B@ntmsg0131.corpmail.telstra.com.au> <00a001c46f36$a5abe6c0$0500a8c0@arport>
Subject: Re: pkix-pi-10.txt - Usage Models
Date: Tue, 27 Jul 2004 17:43:17 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
As far as I can see the PI extension adds nothing to existing single-
assigner (name space) PKIs like DoD's and various Citizen schemes.
In these PKIs a static RFC 3739-compliant assignment of serialNumber
as PI value suffices. This is how it is done today and nobody has
expressed that something is really "missing".
Therefore, the PI extension should IMHO be (re)targeted at PKI networks
that at least _plan_ to accept multiple assigners. This BTW means a
_lot_ more than adding some PI crypto-software with respect to RPs.
However, this also makes the specification of the assigner-part much
more important than has been expressed in some off-list messages like
"assigner is only read by machines", which does not tell the whole story.
Assigners will in multi-assigner PKIs be stored in user or customer
databases and will definitely be read and communicated by humans.
VAT and DUNS are example of two common assigners that are important
to distinguish both for legal and technical reasons.
With this I mean, that OIDs should not be the _only_ assigner choice as
this would probably put a "stigma" on the PI scheme as the world outside
of the IETF is fairly ignorant of OIDs. Neither do I believe that a true
multi-assigner PI scheme would gain by putting assigner values in
special places, disconnected from their closely associated value parts.
That is, a *genuine* PI is a two-dimensional name, similar to an e-mail address.
For historical reasons (X.520) we must accept a compromise but this
compromise can still be more or less tasty.
================================================
It is important to note that there currently probably does not exist
a single multi-assigner PKI-based network.
================================================
/Anders
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6R003lh001923; Mon, 26 Jul 2004 17:00:03 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6R003Mp001922; Mon, 26 Jul 2004 17:00:03 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailbo.vtcif.telstra.com.au (mailbo.vtcif.telstra.com.au [202.12.144.19]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6R002Jt001907 for <ietf-pkix@imc.org>; Mon, 26 Jul 2004 17:00:03 -0700 (PDT) (envelope-from James.H.Manger@team.telstra.com)
Received: from mailbi.vtcif.telstra.com.au (mailbi.vtcif.telstra.com.au [202.12.142.19]) by mailbo.vtcif.telstra.com.au (Postfix) with ESMTP id 3347A22E42 for <ietf-pkix@imc.org>; Tue, 27 Jul 2004 09:59:58 +1000 (EST)
Received: from mail2.cdn.telstra.com.au (localhost [127.0.0.1]) by mailbi.vtcif.telstra.com.au (Postfix) with ESMTP id BF2F91DA81 for <ietf-pkix@imc.org>; Tue, 27 Jul 2004 09:59:57 +1000 (EST)
Received: from WSMSG0004.srv.dir.telstra.com (wsmsg0004.srv.dir.telstra.com [192.74.168.133]) by mail2.cdn.telstra.com.au (Postfix) with ESMTP id 7364941E3A for <ietf-pkix@imc.org>; Tue, 27 Jul 2004 09:59:57 +1000 (EST)
content-class: urn:content-classes:message
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Tue, 27 Jul 2004 09:58:45 +1000
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Message-ID: <73388857A695D31197EF00508B08F29806EE1B57@ntmsg0131.corpmail.telstra.com.au>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Thread-Index: AcRy/v8BKZJRiv7YTTWa4trhEA1tvgAa8t6g
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6R003Jt001917
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Denis,
"deepest serialNumber value" meant the deepest serialNumber value, regardless of whether the RDN it was in was the deepest RDN, the 2nd deepest RDN etc. We now both agree on the logic, so if you think my words are confusing I can live with your words.
Richard,
Including the PI extension with an absent identifierValue when the subject DN is cn="John Doe" , o="Acme Ltd" serialNumber="DUNS554433", c=US would not be sane, as you note. However, it would not be the fault of the PI extension or the DN. It would simply be a straight out lie by the CA. The syntax does not (and cannot) prevent lies.
----------
From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
Sent: Monday, 26 July 2004 7:28 PM
> I still suggest using my original text changes.
Your original text was: "when identifierValue is absent the
deepest serialNumber value is used". I would guess that you mean:
"when identifierValue is absent, the value contained in the
serialNumber of the deepest RDN SHALL be used."
I would propose instead to re-use my text, modified by David,
with an additional modification for the item 2. This leads to:
1 - if there are one or more RDNs containing a serialNumber
attribute (alone or accompanied by other attributes), then
the value contained in the serialNumber of the deepest
such RDN SHALL be used as the identifierValue.
2 - otherwise, the Permanent Identifier definition is invalid
and the Permanent Identifier SHALL not be used.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QG6m4w094538; Mon, 26 Jul 2004 09:06:48 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6QG6mHb094537; Mon, 26 Jul 2004 09:06:48 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QG6lNH094518 for <ietf-pkix@imc.org>; Mon, 26 Jul 2004 09:06:48 -0700 (PDT) (envelope-from tim.polk@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.12.10/8.12.10) with ESMTP id i6QG6KaK005317; Mon, 26 Jul 2004 12:06:20 -0400
Received: from krdp8.nist.gov (seclab14.ncsl.nist.gov [129.6.52.54]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id i6QG68mb024467; Mon, 26 Jul 2004 12:06:08 -0400 (EDT)
Message-Id: <5.1.0.14.2.20040726120513.00aed188@email.nist.gov>
X-Sender: wpolk@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 26 Jul 2004 12:09:51 -0400
To: agenda@ietf.org
From: Tim Polk <tim.polk@nist.gov>
Subject: PKIX WG Agenda for 60th IETF (second try!)
Cc: kent@bbn.com, ietf-pkix@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-NIST-MailScanner: Found to be clean
X-MailScanner-From: tim.polk@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Please substitute the following agenda for this morning's
submission. There were numerous typos in the original.
Thanks,
Tim Polk
---------------------------------------------
PKIX WG (pkix-wg)
Wednesday August 4, 2004 0900-1130
=================================
CHAIR: Stephen Kent <kent@bbn.com>, Tim Polk <tim.polk@nist.gov>
AGENDA:
1. WG Status and Direction
1.1 Document Status Review [Tim Polk (NIST)]
The working group has a number of Internet-Drafts. Many
documents are with the ADs or in various stages of WG Last Call.
Several others are ready for Last Call. (10 min.)
1.2 Proposed WG Milestones [Tim Polk (NIST)]
The working group milestones are out of date. New milestones are
needed; these milestones need to satisfy IESG direction for an orderly
closeout of WG activities. (10 min.)
2. PKIX WG Specifications
2.1 LDAP Specifications
The PKIX WG has a number of LDAP-based specifications supporting
publication and distribution of certificates and CRLs.
2.1 LDAP Schemas, String Values, and more
- David Chadwick (U. of Salford)
http://www.ietf.org/internet-drafts/draft-ietf-pkix-ldap-crl-schema-02.txt
http://www.ietf.org/internet-drafts/draft-ietf-pkix-ldap-ac-schema-01.txt
The WG has a suite of LDAP-PKIX drafts forming a comprehensive solution
for LDAP based PKI information distribution. New drafts of two
documents
have been submitted since IETF 59; additional drafts will be published
soon after this meeting; the presenter will discuss the changes in the
and highlight issues that must be resolved before Last Call. (15 min.)
2.2 Practical Considerations for Use of LDAP in PKIX
- Kurt Zeilenga (LDAPbis WG co-chair)
(no draft)
Practical considerations must be considered to maximize the utility
and interoperability of LDAP-based PKIs. This presentation will
highlight known issues and (where applicable) ways to address them.
(10 min.)
2.3 Matching Text Strings in PKIX Certificates
- Paul Hoffman (IMC) and Steve Hanna (Sun)
http://www.ietf.org/internet-drafts/draft-hoffman-pkix-stringmatch-00.txt
This specification describes the use of Stringprep to support comparison
and matching of international text strings. This document resolves
an open
issue from RFC 3280, where the minimum requirements for name comparison
were specified as binary matching. Since the publication of RFC 3280,
the stringprep specification has been completed, providing a solid
basis for
comparison and matching of test strings in PKIX certificates. (15 min.)
[see also
http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-strprep-04.txt]
2.4 RFC 3280 Progression
- Tim Polk (NIST)
(no draft)
NIST will present the current plan and milestones for progression of
RFC 3280 to Draft Standard. (5 min.)
2.5 Subject Identification Method
- Speaker TBD
http://www.ietf.org/internet-drafts/draft-ietf-pkix-sim-03.txt
A new draft of the Subject Identification Method has been submitted
since
IETF 59. The document is relatively stable and mature. WG Last Call is
expected for the next draft of this document. (15 min.)
2.6 SCVP Progression
- Speaker TBD
http://www.ietf.org/internet-drafts/draft-ietf-pkix-scvp-15.txt
This document has been in WG Last Call since early 2004. Completion
of WG Last
Call was blocked by newly identified implementation requirements for
unsigned
messages to support DPD. Early proposals did not satisfy RFC 3739,
and were
rejected. A new draft has been submitted since IETF 59 which
satisfies both
RFC 3379 and the requirements for unsigned messages. (5 min.)
3. Related Specifications & Liaison Presentations
Time allowing, liaison presentations will be accommodated to ensure the
PKIX WG is aware of related specifications currently progressing as
individual
drafts.
3.1 Specification of OCSP in IKEv2
- Mike Myers (TraceRoute)
(no draft)
This presentation will highlight issues with the specification of OCSP
in IKEv2. (10 min.)
3.2 User Interface Requirement for the Internet X.509 Public Key Infrastructure
- Tae Choi (KISA)
http://www.ietf.org/internet-drafts/draft-choi-pkix-ui-00.txt
This document provides basic requirements of user interface at PKI
client
software that satisfy a full of PKI implementation with usability.
To meet
with the requirements, it defines root CA certificate trust mechanism,
certificate sharing mechanism, and certificate representation
method. (10 min.)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QFncRm082099; Mon, 26 Jul 2004 08:49:38 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6QFncB8082098; Mon, 26 Jul 2004 08:49:38 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from nb2.stroeder.com (d29-52.vdsl.isp-service.de [83.122.29.52]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QFnb7W081892 for <ietf-pkix@imc.org>; Mon, 26 Jul 2004 08:49:37 -0700 (PDT) (envelope-from michael@stroeder.com)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by nb2.stroeder.com (Postfix) with ESMTP id 40E30CFB78; Mon, 26 Jul 2004 17:44:49 +0200 (CEST)
Message-ID: <410526F0.2090803@stroeder.com>
Date: Mon, 26 Jul 2004 17:44:48 +0200
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040616
X-Accept-Language: de-de, de, en-us, en
MIME-Version: 1.0
To: "Jaleel P.A" <jaleelpa@hotmail.com>
Cc: ietf-pkix@imc.org
Subject: Re: how to add 'ValidFrom' parameter in conf file ?
References: <BAY19-DAV9sn2Yf0scL00079d86@hotmail.com>
In-Reply-To: <BAY19-DAV9sn2Yf0scL00079d86@hotmail.com>
X-Enigmail-Version: 0.84.1.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Jaleel P.A wrote:
>
> I tried by adding the UTC formatted time at 'default_startdate' of
> 'CA_default' section.
The PKIX mailing list is the wrong forum for discussing this. I guess you
won't get an answer here.
You might want to post your questions on the openssl-users mailing list (see
http://www.openssl.org/support/).
Ciao, Michael.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QDpLKi042775; Mon, 26 Jul 2004 06:51:21 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6QDpLL0042774; Mon, 26 Jul 2004 06:51:21 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QDpKMg042767 for <ietf-pkix@imc.org>; Mon, 26 Jul 2004 06:51:21 -0700 (PDT) (envelope-from tim.polk@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.12.10/8.12.10) with ESMTP id i6QDp7aK002596; Mon, 26 Jul 2004 09:51:07 -0400
Received: from krdp8.nist.gov (seclab14.ncsl.nist.gov [129.6.52.54]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id i6QDommb012103; Mon, 26 Jul 2004 09:50:48 -0400 (EDT)
Message-Id: <5.1.0.14.2.20040726095025.03520e48@email.nist.gov>
X-Sender: wpolk@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 26 Jul 2004 09:54:31 -0400
To: agenda@ietf.org
From: Tim Polk <tim.polk@nist.gov>
Subject: PKIX WG Agenda for 60th IETF
Cc: kent@bbn.com, ietf-pkix@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-NIST-MailScanner: Found to be clean
X-MailScanner-From: tim.polk@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
PKIX WG (pkix-wg)
Wednesday August 4, 2004 0900-1130
=================================
CHAIR: Stephen Kent <kent@bbn.com>, Tim Polk <tim.polk@nist.gov>
AGENDA:
1. WG Status and Direction
1.1 Document Status Review [Tim Polk (NIST)]
The working group has a number of Internet-Drafts. Many
documents are with the ADs or in various stages of WG Last Call.
Several others are ready for Last Call. (10 min.)
1.2 Proposed WG Milestones [Tim Polk (NIST)]
The working group milestones are out of date. New milestones are
needed; these milestones need to satisfy IESG direction for an orderly
closeout of WG activities. (10 min.)
2. PKIX WG Specifications
2.1 LDAP Specifications
The PKIX WG has a number of LDAP-based specifications supporting
publciation and distribution of certificates and CRLs.
2.1 LDAP Schemas, String Values, and more
- David Chadwick (U. of Salford)
http://www.ietf.org/internet-drafts/draft-ietf-pkix-ldap-crl-schema-02.txt
http://www.ietf.org/internet-drafts/draft-ietf-pkix-ldap-ac-schema-01.txt
The WG has a suite of LDAP-PKIX drafts forming a comprehensive solution
for LDAP based PKI information distribution. New drafts of two
documenta
have been submitted since IETF 59; additional drafts will be published
soon after this meeting; the presenter will discuss the changes in the
and highlight issues that must be resolved before Last Call. (15 min.)
2.2 Practical Considerations for Use of LDAP in PKIX
- Kent Zeilenga (LDAP WG co-chair)
(no draft)
Practical considerations must be considered to maximize the utility
and interoperability of LDAP-based PKIs. This presentation will
highlight known issues and (where applicable) ways to address them.
(10 min.)
2.3 Matching Text Strings in PKIX Certificates
- Paul Hoffman (IMC) and Steve Hanna (Sun)
http://www.ietf.org/internet-drafts/draft-hoffman-pkix-stringmatch-00.txt
This specification describes the use of Stringprep to support comparison
and matching of international text strings. This document resolves
an open
issue from RFC 3280, where the minimum requirements for name comparison
were specified as binary matching. Since the publication of RFC 3280,
the strinprep specifation has been completed, providing a solid
basis for
comparison and matching of test strings in PKIX certificates. (15 min.)
[see also
http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-strprep-04.txt]
2.4 RFC 3280 Progression
- Tim Polk (NIST)
(no draft)
NIST will present the current plan and milestones for progression of
RFC 3280 to Draft Standard. (5 min.)
2.5 Subject Identification Method
- Speaker TBD
http://www.ietf.org/internet-drafts/draft-ietf-pkix-sim-03.txt
A new draft of the Subject Identification Method has been submitted
since
IETF 59. The document is relatively stable and mature. WG Last Call is
expected for the next draft of this document. (15 min.)
2.6 SCVP Progression
- TBD
http://www.ietf.org/internet-drafts/draft-ietf-pkix-scvp-15.txt
This document has been in WG Last Call since early 2004. Completion
of WG Last
Call was blocked by newly identified implementation requirements for
unsigned
messages to support DPD. Early propsals did not satisfy RFC 3739,
and were
rejected. A new draft has been submitted since IETF 59 which
satisfies both
RFC 3739 and the requirements for unsigned messages. (5 min.)
3. Related Specifications & Liaison Presentations
Time allowing, liaison presentations will be accommodated to ensure the
PKIX WG is aware of related specifications currently progressing as
individual
drafts.
3.1 Specification of OCSP in IKEv2
- Mike Myers (TraceRoute)
(no draft)
This presentation will highlight issues with the specification of OCSP
in IKEv2. (10 min.)
3.2 User Interface Requirement for the Internet X.509 Public Key Infrastructure
- Tae Choi (KISA)
http://www.ietf.org/internet-drafts/draft-choi-pkix-ui-00.txt
This document provides basic requirements of user interface at PKI
client
software that satisfy a full of PKI implementation with usability.
To meet
with the requirements, it defines root CA certificate trust mechanism,
certificate sharing mechanism, and certificate representation
method. (10 min.)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QDhbpa041942; Mon, 26 Jul 2004 06:43:37 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6QDhbei041941; Mon, 26 Jul 2004 06:43:37 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from hotmail.com (bay19-dav9.bay19.hotmail.com [64.4.53.189]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QDhafW041916 for <ietf-pkix@imc.org>; Mon, 26 Jul 2004 06:43:36 -0700 (PDT) (envelope-from jaleelpa@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 26 Jul 2004 06:36:15 -0700
Received: from 203.123.181.226 by bay19-dav9.bay19.hotmail.com with DAV; Mon, 26 Jul 2004 09:49:43 +0000
X-Originating-IP: [203.123.181.226]
X-Originating-Email: [jaleelpa@hotmail.com]
X-Sender: jaleelpa@hotmail.com
From: "Jaleel P.A" <jaleelpa@hotmail.com>
To: <ietf-pkix@imc.org>
Subject: RE: how to add 'ValidFrom' parameter in conf file ?
Date: Mon, 26 Jul 2004 15:19:42 +0530
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
In-Reply-To: <BAY19-DAV12UEjvWImB0003ab21@hotmail.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Thread-Index: AcQnw/jU0rLVV64rRZ24IYUJCq38pwBgsBfAEmGa0BAAChJPsA==
Message-ID: <BAY19-DAV9sn2Yf0scL00079d86@hotmail.com>
X-OriginalArrivalTime: 26 Jul 2004 13:36:15.0798 (UTC) FILETIME=[864DF560:01C47315]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I tried by adding the UTC formatted time at 'default_startdate' of
'CA_default' section.
Ex :
[CA_default]
default_startdate = "040801102530Z"
But still SSL takes the current date.
Any guess ?
Thanks
Jal
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On
Behalf Of Jaleel P.A
Sent: Monday, July 26, 2004 10:30 AM
To: ietf-pkix@imc.org
Subject: how to add 'ValidFrom' parameter in conf file ?
Hi
How to add a 'ValidFrom' parameter in Conf file. Is there any predefined
section in conf file for this ?
Thanks
Jaleel
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QAhRSS019974; Mon, 26 Jul 2004 03:43:27 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6QAhRkp019973; Mon, 26 Jul 2004 03:43:27 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from nic.lp.se (nic.lp.se [213.212.3.208]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6QAhPYA019930 for <ietf-pkix@imc.org>; Mon, 26 Jul 2004 03:43:26 -0700 (PDT) (envelope-from levitte@lp.se)
Received: from localhost (127.0.0.1) by nic.lp.se (MX V5.3 VnHj) with ESMTP; Mon, 26 Jul 2004 12:18:12 +0200
Date: Mon, 26 Jul 2004 12:42:53 +0200 (CEST)
Message-ID: <20040726.124253.63510941.levitte@lp.se>
To: Denis.Pinkas@bull.net
CC: James.H.Manger@team.telstra.com, ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
From: Richard Levitte - VMS Whacker <levitte@lp.se>
In-Reply-To: <4104CE92.9020903@bull.net>
References: <73388857A695D31197EF00508B08F29806EE1B50@ntmsg0131.corpmail.telstra.com.au> <4104CE92.9020903@bull.net>
X-URL: http://www.lp.se/
X-Waved: dead chicken, GNU emacs 21.3.1, Mew version 4.0.65
X-Mew: See http://www.mew.org/
X-Mailer: Mew version 4.0.65 on Emacs 21.3 / Mule 5.0 (SAKAKI)
MIME-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hey guys,
I've lurked for a while, and have perhaps not entirely followed, so I
appologise in advance for jumping in like this.
I'm curious about the following:
In message <4104CE92.9020903@bull.net> on Mon, 26 Jul 2004 11:27:46 +0200, Denis Pinkas <Denis.Pinkas@bull.net> said:
Denis.Pinkas> > Thanks David.
Denis.Pinkas> >
Denis.Pinkas> >>cn="John Doe" , o="Acme Ltd" serialNumber="DUNS554433", c=US
Denis.Pinkas>
Denis.Pinkas> I would propose instead to re-use my text, modified by
Denis.Pinkas> David, with an additional modification for the item 2.
Denis.Pinkas> This leads to:
Denis.Pinkas>
Denis.Pinkas> 1 - if there are one or more RDNs containing a
Denis.Pinkas> serialNumber attribute (alone or accompanied by
Denis.Pinkas> other attributes), then the value contained in the
Denis.Pinkas> serialNumber of the deepest such RDN SHALL be used
Denis.Pinkas> as the identifierValue.
What would that mean for a DN like the one quoted above? Does it mean
that John Doe would get serialNumber="DUNS554433" as PI by default?
What would then happen if J. Random Luser also gets a DN from Acme Ltd,
like this:
cn="J. Random Luser", o="Acme Ltd" serialNumber="DUNS554422", c=US
Does that mean that J. Random Luser also would get
serialNumber="DUNS554433" as PI by default?
If that's what you mean, then it doesn't feel sane to me.
-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
--
Richard Levitte | http://richard.levitte.org/ | Tunnlandsv. 52
Levitte Programming | http://www.lp.se/ | S-168 36 Bromma
T: +46-708-26 53 44 | | SWEDEN
"Price, performance, quality... choose the two you like"
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6Q9TIK6093885; Mon, 26 Jul 2004 02:29:18 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6Q9TIgB093884; Mon, 26 Jul 2004 02:29:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6Q9TDPR093813 for <ietf-pkix@imc.org>; Mon, 26 Jul 2004 02:29:15 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id LAA37174; Mon, 26 Jul 2004 11:39:27 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id LAA29388; Mon, 26 Jul 2004 11:28:59 +0200
Message-ID: <4104CE92.9020903@bull.net>
Date: Mon, 26 Jul 2004 11:27:46 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
CC: ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <73388857A695D31197EF00508B08F29806EE1B50@ntmsg0131.corpmail.telstra.com.au>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
James,
> Thanks David.
>
>>cn="John Doe" , o="Acme Ltd" serialNumber="DUNS554433", c=US
>
> Denis's "problem" DN does not need to be solved. The DN does NOT contain a PI for the subject so the CA will not include a PI extension saying it does. End of story.
>
> Russ's "problem" DN does not need to be solved. As David notes, an attribute type is not allowed to appear more than once in an RDN.
>
> I still suggest using my original text changes.
Your original text was: "when identifierValue is absent the
deepest serialNumber value is used". I would guess that you mean:
"when identifierValue is absent, the value contained in the
serialNumber of the deepest RDN SHALL be used."
I would propose instead to re-use my text, modified by David,
with an additional modification for the item 2. This leads to:
1 - if there are one or more RDNs containing a serialNumber
attribute (alone or accompanied by other attributes), then
the value contained in the serialNumber of the deepest
such RDN SHALL be used as the identifierValue.
2 - otherwise, the Permanent Identifier definition is invalid
and the Permanent Identifier SHALL not be used.
Denis
> -----Original Message-----
> From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil]
> Sent: Thursday, 22 July 2004 5:58 AM
> To: Denis Pinkas
> Cc: Russ Housley; Manger, James H; ietf-pkix@imc.org
> Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber
> attribute
>
>
> Denis,
>
> Your two conditions below are logical but unnecessarily
> restrictive.
>
> Consider James' original (correct) example:
>
> [1] cn="John Doe" serialNumber=12345, o="Acme Ltd"
> serialNumber="DUNS 554433", c=US
>
> and a modification (poorly-structured, but legal) that uses
> only single-valued RDNs:
>
> [2] cn="John Doe", serialNumber=12345, o="Acme Ltd",
> serialNumber="DUNS 554433", c=US
>
> and your example:
>
> [3] cn="John Doe", o="Acme Ltd", serialNumber="DUNS 554433", c=US
>
>
> I do not believe it is necessary to prohibit [2] in order to
> prevent [3]. Instead, if the SAN identifierValue is absent:
>
> 1 - if there are one or more RDNs containing a serialNumber
> attribute (alone or accompanied by other attributes), then
> the value contained in the serialNumber of the deepest
> such RDN shall be used as the identifierValue.
>
> 2 - otherwise, the CA is in error.
>
>
> X.501 (02/2001) section 9.3, which appears to be normative,
> not informative, prohibits a given attribute type from
> appearing more than once in the same RDN. The origin of
> Russ' comments regarding the possibility of multiple
> serialNumber attributes in a single RDN is unclear.
>
> Dave
>
>
>
> Denis Pinkas wrote:
>
>
>>1 - if there is one serialNumber attribute alone in a RDN (i.e. no
>> other attribute is present in that RDN), then *there shall
>> only be one such RDN and* the value contained in the
>> serialNumber attribute shall be used as the identifierValue;
>>
>>2 - if there is no serialNumber attribute alone in a RDN, then the
>> deepest RDN shall include a *single* serialNumber attribute
>> and the value contained in that serialNumber shall be used
>> as the identifierValue.
>>
>>Denis
>
>
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6Q5L8KZ005013; Sun, 25 Jul 2004 22:21:08 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6Q5L84H005012; Sun, 25 Jul 2004 22:21:08 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from hotmail.com (bay19-dav12.bay19.hotmail.com [64.4.53.192]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6Q5L87o004949 for <ietf-pkix@imc.org>; Sun, 25 Jul 2004 22:21:08 -0700 (PDT) (envelope-from jaleelpa@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 25 Jul 2004 22:20:12 -0700
Received: from 203.123.181.226 by bay19-dav12.bay19.hotmail.com with DAV; Mon, 26 Jul 2004 04:59:42 +0000
X-Originating-IP: [203.123.181.226]
X-Originating-Email: [jaleelpa@hotmail.com]
X-Sender: jaleelpa@hotmail.com
From: "Jaleel P.A" <jaleelpa@hotmail.com>
To: <ietf-pkix@imc.org>
Subject: how to add 'ValidFrom' parameter in conf file ?
Date: Mon, 26 Jul 2004 10:29:42 +0530
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
In-Reply-To: <BAY10-DAV37Rf6Ci6nx00048bd6@hotmail.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Thread-Index: AcQnw/jU0rLVV64rRZ24IYUJCq38pwBgsBfAEmGa0BA=
Message-ID: <BAY19-DAV12UEjvWImB0003ab21@hotmail.com>
X-OriginalArrivalTime: 26 Jul 2004 05:20:12.0643 (UTC) FILETIME=[3A14EB30:01C472D0]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hi
How to add a 'ValidFrom' parameter in Conf file. Is there any predefined
section in conf file for this ?
Thanks
Jaleel
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6N9D1r1078911; Fri, 23 Jul 2004 02:13:02 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6N9D1PU078910; Fri, 23 Jul 2004 02:13:01 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from polito.it (anacreon.polito.it [130.192.3.82]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6N9CwwN078885 for <ietf-pkix@imc.org>; Fri, 23 Jul 2004 02:12:59 -0700 (PDT) (envelope-from massimiliano.pala@polito.it)
Received: from [130.192.1.59] ([130.192.1.59] verified) by polito.it (CommuniGate Pro SMTP 4.1.8) with ESMTP-TLS id 6121677 for ietf-pkix@imc.org; Fri, 23 Jul 2004 10:46:45 +0200
Message-ID: <4100CE95.5060206@polito.it>
Date: Fri, 23 Jul 2004 10:38:45 +0200
From: Massimiliano Pala <massimiliano.pala@polito.it>
Organization: Politecnico di Torino
User-Agent: Mozilla Thunderbird 0.7.1 (X11/20040626)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
References: <002101c46b50$342174a0$7101a8c0@gemsec.com> <40F82418.3080307@nma.com> <p06110403bd1de535f889@[10.20.30.249]> <p06110412bd1df2a828b0@[128.89.89.75]> <40FB9247.40509@swisssign.com>
In-Reply-To: <40FB9247.40509@swisssign.com>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms070000030901080401020603"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a cryptographically signed message in MIME format.
--------------ms070000030901080401020603
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Joseph Doekbrijder wrote:
> Interesting issue, which leaves me with a question:
> The only thing a spammer can not do (or maybe only once) is digitally
> sign his spam! Upon abuse, The cert can be put on the receivers
> "black-list", the cert could be revoked by CA and/or RA and the
> IssuingParty can be contacted if abuse continues...
> Would it thus not be an interesting approach to build a mail filter that
> filters out all non digitally signed email?
> It is clear, this is something for the future, but from a theoretical
> point-of-view: Some feedback from the experts out there would be
> interesting for me. In other words, can we take this any further?
Actually we do believe this could be an interesting approach to investigate.
At present we are working on an Email Policy Enforcer (EMPE) that seems
to be promising and uses strong authentication methods to solve some of
the email-related issues. I guess we'll be able to publish something about it in
the near future.
If it is not so OT I will send a pointer to it to the list.
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] massimiliano.pala@polito.it
Tel.: +39 (0)11 564 7081
http://security.polito.it Fax: +39 178 270 2077
Mobile: +39 (0)347 7222 365
Politecnico di Torino (EuroPKI)
Certification Authority Informations:
Authority Access Point http://ca.polito.it
Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List: http://ca.polito.it/crl02/crl.crl
--o------------------------------------------------------------------------
--------------ms070000030901080401020603
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIU7zCC
BIMwggNroAMCAQICAQswDQYJKoZIhvcNAQEFBQAwQTEQMA4GA1UEChMHRXVyb1BLSTEtMCsG
A1UEAxMkRXVyb1BLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAxMTIxMjEw
MDAwMFoXDTA2MTIzMTEwMDAwMFowUTELMAkGA1UEBhMCSVQxEDAOBgNVBAoTB0V1cm9QS0kx
MDAuBgNVBAMTJ0V1cm9QS0kgSXRhbGlhbiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAP7ay1Eyxgv7fW1lpkRT4bljS3Cf7Z5m/KaX
pQEsMQfihBXvocVGVqYCTbXl1u+9rbyVV8MtoaZFE2Eb+8tKTA6D2UJpVln2GinHi1Cs+wIV
6Sz55wKaN3tKzGMw3L/H3ADNiYottP//ge3S1P6j0bcGhQ/p/xOGzmALt8CB7KCtn9+VHV8D
vcmOqmmQVcymUz9MCN68ZzfLvefAnUzWoIN72fxJDRG8szLj1IYxHOPsoLVID20yGDdyppHt
Vr1xUY4rGo5jPCuI79/QxNhQeDyWQo2x2jqM3nVmVXDFRJIms1j7BWpuiEhs0ZJWkaQXd29g
mBeZopvMKyAXO3XDDv8CAwEAAaOCAXQwggFwMEwGCWCGSAGG+EIBDQQ/Fj1Jc3N1ZWQgdW5k
ZXIgcG9saWN5OgogaHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9yb290L2Nwcy8xLjEvMDgG
CCsGAQUFBwEBBCwwKjAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AuZXVyb3BraS5vcmc6ODAy
NjA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL3Jvb3QvY3Js
L2NybC5kZXIwTgYDVR0gBEcwRTBDBgorBgEEAakHAQEBMDUwMwYIKwYBBQUHAgEWJ2h0dHA6
Ly93d3cuZXVyb3BraS5vcmcvY2Evcm9vdC9jcHMvMS4xLzAfBgNVHSMEGDAWgBSM3IuxpUqQ
506Icxg8ndVefuSyzTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB9jAdBgNVHQ4EFgQUqjwT
yUkLXM240yDgxZWXMzNdJBMwDQYJKoZIhvcNAQEFBQADggEBAGuphjJQE0RQ28euKSOZ7Q4b
vGgPeO8WgGiUHrpZ6vI2+/knSqqK0AQ7j5+4viGMJgm2x8JnYq9ZYy1i0wFrYIxE/G2fw8cW
1P/8sCNzqTj+SO0/2KpJ0BkvuTSG2r1NTeg6a5r61a4jUqp4upKxuzgu6unsw/+RkU2KzlNm
053JOcsM82dIN3NBr+hZs/0IFiMW1GJB2P7225WWDF01OtQcmLYspoiffUPy2g+g4FD5IxHF
HKvCG1b9zHmfJoaDn5y+kQQpHs/ZIZeUyNe9ULifu3GgGQKp9sj6bpbGfjW3LAhhG6Ldhf8+
Azi6vNmzQwCbegU26NFazErhLS5qDXQwggU+MIIEJqADAgECAgIBaDANBgkqhkiG9w0BAQUF
ADBRMQswCQYDVQQGEwJJVDEQMA4GA1UEChMHRXVyb1BLSTEwMC4GA1UEAxMnRXVyb1BLSSBJ
dGFsaWFuIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAxMTIxNDEwMDAwMFoXDTA2MTIz
MTA5MDAwMFowZTELMAkGA1UEBhMCSVQxHjAcBgNVBAoTFVBvbGl0ZWNuaWNvIGRpIFRvcmlu
bzE2MDQGA1UEAxMtUG9saXRlY25pY28gZGkgVG9yaW5vIENlcnRpZmljYXRpb24gQXV0aG9y
aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9sfcfWMG/mS8O69abPfnUWci
6TfUncSlfs8SzpwAsoW1/OJpGVtxq1yKQrP8WqiixEcZWSvnlOcyRj/C0tz3JLQKSAyrHKGS
Dkn5Md4HCue+L1JHQ3Ba14eQOj7rAugFgE+6LenTAvguOQl74/t9C93Ldm1NY+t1Fs36oPhP
JQ5inrZ6D8P9ol4s/ecyPhhQaU1tioqQy1d01gXTrmI2eH6Ui0AkyexVcxFpXR7qnvPV7huE
+ZTDU77t9jx24smmJuSxlA8HQS8I+qCytDhOYsKm676n1a4wpE9VunoVAm/+7tajm31ZYaxT
njX891kfFGoFi/J3tIRc67vh8Joy+wIDAQABo4ICCjCCAgYwdQYJYIZIAYb4QgENBGgWZklz
c3VlZCB1bmRlciBwb2xpY2llczoKIGh0dHA6Ly93d3cuZXVyb3BraS5vcmcvY2Evcm9vdC9j
cHMvMS4xLwogaHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9pdC9jcHMvMS4xLzBcBggrBgEF
BQcBAQRQME4wKAYIKwYBBQUHMAGGHGh0dHA6Ly9vY3NwLmV1cm9wa2kub3JnOjgwMjYwIgYI
KwYBBQUHMAKGFmh0dHA6Ly93d3cuZXVyb3BraS5vcmcwOwYDVR0fBDQwMjAwoC6gLIYqaHR0
cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9pdC9jcmwwMi9jcmwuZGVyMIGTBgNVHSAEgYswgYgw
QwYKKwYBBAGpBwEBATA1MDMGCCsGAQUFBwIBFidodHRwOi8vd3d3LmV1cm9wa2kub3JnL2Nh
L3Jvb3QvY3BzLzEuMS8wQQYKKwYBBAGpBwIBATAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3
LmV1cm9wa2kub3JnL2NhL2l0L2Nwcy8xLjEvMB8GA1UdIwQYMBaAFKo8E8lJC1zNuNMg4MWV
lzMzXSQTMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgH2MB0GA1UdDgQWBBT0DG1tnl9M
YlY5geDe+Y8vN6CExTANBgkqhkiG9w0BAQUFAAOCAQEAXx26gpm/oiG7ti2+e1Lwmnqn6jk0
ihxIxccazoTAjWzq60x+MhIJsIgRfGtv5U2XzEWc15UZru6srk8TqctT6EbqRMTCtx6mxPd6
RpKp3jepigGOkwnJsnjjUPC/tHmfJHNcll3Rk6a4OIvazlwOoCuQ8D0N9sAGtx35+T+tAyph
NU9yHtC3dpvQotLmJFo2Pr6sTy2ijCqQnHxJ2sZUEAlNEunKFP8y3uPfwvE0FEC7lONkUx+U
79yAlwPvBvASUopIQPy7BQ9IMupkj/1DmUvml/05f+DYv2x7UbiUlp1ksQXzs+WLxB2NADfn
CaPNvqphRz5KhJGOTJpc8CZ+UDCCBY8wggR3oAMCAQICAgFnMA0GCSqGSIb3DQEBBQUAMGUx
CzAJBgNVBAYTAklUMR4wHAYDVQQKExVQb2xpdGVjbmljbyBkaSBUb3Jpbm8xNjA0BgNVBAMT
LVBvbGl0ZWNuaWNvIGRpIFRvcmlubyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDAy
MDMxNTAwMDBaFw0wNTEyMzExMjAwMDBaMH0xCzAJBgNVBAYTAklUMR4wHAYDVQQKExVQb2xp
dGVjbmljbyBkaSBUb3Jpbm8xMTAvBgNVBAsTKERpcGFydGltZW50byBkaSBBdXRvbWF0aWNh
IGUgSW5mb3JtYXRpY2ExGzAZBgNVBAMTEk1hc3NpbWlsaWFubyAgUGFsYTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAq9EaJRA7cRia5n0014UeruZBPwDwNyEpWxIvWqVG6taEt1P1
wApd7oKi7yhUL8yUpX2eEQdLj/yjCQOr1NqmkL5MwiZhVtwcli3/3G0OayKu/i6yRIW24SM5
sbNLO4hhZYSiHAMlZ/U5Y6r6zFvxRbIK9/mB/wrJ6HIzOzC+xncCAwEAAaOCArMwggKvMIGV
BglghkgBhvhCAQ0EgYcWgYRJc3N1ZWQgdW5kZXIgcG9saWNpZXM6CiBodHRwOi8vd3d3LmV1
cm9wa2kub3JnL2NhL3Jvb3QvY3BzLzEuMS8KIGh0dHA6Ly93d3cuZXVyb3BraS5vcmcvY2Ev
aXQvY3BzLzEuMS8KIGh0dHA6Ly9jYS5wb2xpdG8uaXQvY3BzLzIuMS8wEQYJYIZIAYb4QgEB
BAQDAgCwMGMGCCsGAQUFBwEBBFcwVTAoBggrBgEFBQcwAYYcaHR0cDovL29jc3AuZXVyb3Br
aS5vcmc6ODAyNjApBggrBgEFBQcwAoYdaHR0cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9pdC8w
MgYDVR0fBCswKTAnoCWgI4YhaHR0cDovL2NhLnBvbGl0by5pdC9jcmwwMi9jcmwuZGVyMAwG
A1UdEwEB/wQCMAAwPgYDVR0RBDcwNYEbbWFzc2ltaWxpYW5vLnBhbGFAcG9saXRvLml0oBYG
CisGAQQBlWICAQGgCBYGMTIxNTc1MIHNBgNVHSAEgcUwgcIwQwYKKwYBBAGpBwEBATA1MDMG
CCsGAQUFBwIBFidodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL3Jvb3QvY3BzLzEuMS8wQQYK
KwYBBAGpBwIBATAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3LmV1cm9wa2kub3JnL2NhL2l0
L2Nwcy8xLjEvMDgGCisGAQQBlWIBAgEwKjAoBggrBgEFBQcCARYcaHR0cDovL2NhLnBvbGl0
by5pdC9jcHMvMi4xLzALBgNVHQ8EBAMCBPAwHQYDVR0OBBYEFKBsBAutUrWisrKMhGDw86gH
WDoSMB8GA1UdIwQYMBaAFPQMbW2eX0xiVjmB4N75jy83oITFMA0GCSqGSIb3DQEBBQUAA4IB
AQDrwXGLgvcDvhk2w6AFLp3DIhWl4zX9G6W4v9gis9vBHkIHQUg2iBmbVEeCn9XrSIXtuleH
uyYI+uu+KUdoCqt9XEFlL6eYnvrZNc7wWkH+msZwc11C+8UibhzaUezlEqTm9l+08xucAJER
4q489+2ZY7Kf8tFB1n4edgtg8rxrlNX++ZqqrJCnYWQvv0e4Hmav+CKnuMT+Y1qVv3BW6HDD
OBljhSEx6+cmooIPoWy8/5W/aGl5WEr1aCUZ/o8DODPxUIwEcUHV+m4EuQz7j0XLLcyC62Lc
FCx7+itzdJ61epbCmOgTNSWJFryVPClhlM3YFzFxL9Ae7mFmTdUbkdyKMIIFjzCCBHegAwIB
AgICAWcwDQYJKoZIhvcNAQEFBQAwZTELMAkGA1UEBhMCSVQxHjAcBgNVBAoTFVBvbGl0ZWNu
aWNvIGRpIFRvcmlubzE2MDQGA1UEAxMtUG9saXRlY25pY28gZGkgVG9yaW5vIENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5MB4XDTA0MDIwMzE1MDAwMFoXDTA1MTIzMTEyMDAwMFowfTELMAkG
A1UEBhMCSVQxHjAcBgNVBAoTFVBvbGl0ZWNuaWNvIGRpIFRvcmlubzExMC8GA1UECxMoRGlw
YXJ0aW1lbnRvIGRpIEF1dG9tYXRpY2EgZSBJbmZvcm1hdGljYTEbMBkGA1UEAxMSTWFzc2lt
aWxpYW5vICBQYWxhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr0RolEDtxGJrmfTTX
hR6u5kE/APA3ISlbEi9apUbq1oS3U/XACl3ugqLvKFQvzJSlfZ4RB0uP/KMJA6vU2qaQvkzC
JmFW3ByWLf/cbQ5rIq7+LrJEhbbhIzmxs0s7iGFlhKIcAyVn9TljqvrMW/FFsgr3+YH/Csno
cjM7ML7GdwIDAQABo4ICszCCAq8wgZUGCWCGSAGG+EIBDQSBhxaBhElzc3VlZCB1bmRlciBw
b2xpY2llczoKIGh0dHA6Ly93d3cuZXVyb3BraS5vcmcvY2Evcm9vdC9jcHMvMS4xLwogaHR0
cDovL3d3dy5ldXJvcGtpLm9yZy9jYS9pdC9jcHMvMS4xLwogaHR0cDovL2NhLnBvbGl0by5p
dC9jcHMvMi4xLzARBglghkgBhvhCAQEEBAMCALAwYwYIKwYBBQUHAQEEVzBVMCgGCCsGAQUF
BzABhhxodHRwOi8vb2NzcC5ldXJvcGtpLm9yZzo4MDI2MCkGCCsGAQUFBzAChh1odHRwOi8v
d3d3LmV1cm9wa2kub3JnL2NhL2l0LzAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY2EucG9s
aXRvLml0L2NybDAyL2NybC5kZXIwDAYDVR0TAQH/BAIwADA+BgNVHREENzA1gRttYXNzaW1p
bGlhbm8ucGFsYUBwb2xpdG8uaXSgFgYKKwYBBAGVYgIBAaAIFgYxMjE1NzUwgc0GA1UdIASB
xTCBwjBDBgorBgEEAakHAQEBMDUwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cuZXVyb3BraS5v
cmcvY2Evcm9vdC9jcHMvMS4xLzBBBgorBgEEAakHAgEBMDMwMQYIKwYBBQUHAgEWJWh0dHA6
Ly93d3cuZXVyb3BraS5vcmcvY2EvaXQvY3BzLzEuMS8wOAYKKwYBBAGVYgECATAqMCgGCCsG
AQUFBwIBFhxodHRwOi8vY2EucG9saXRvLml0L2Nwcy8yLjEvMAsGA1UdDwQEAwIE8DAdBgNV
HQ4EFgQUoGwEC61StaKysoyEYPDzqAdYOhIwHwYDVR0jBBgwFoAU9AxtbZ5fTGJWOYHg3vmP
LzeghMUwDQYJKoZIhvcNAQEFBQADggEBAOvBcYuC9wO+GTbDoAUuncMiFaXjNf0bpbi/2CKz
28EeQgdBSDaIGZtUR4Kf1etIhe26V4e7Jgj6674pR2gKq31cQWUvp5ie+tk1zvBaQf6axnBz
XUL7xSJuHNpR7OUSpOb2X7TzG5wAkRHirjz37Zljsp/y0UHWfh52C2DyvGuU1f75mqqskKdh
ZC+/R7geZq/4Iqe4xP5jWpW/cFbocMM4GWOFITHr5yaigg+hbLz/lb9oaXlYSvVoJRn+jwM4
M/FQjARxQdX6bgS5DPuPRcstzILrYtwULHv6K3N0nrV6lsKY6BM1JYkWvJU8KWGUzdgXMXEv
0B7uYWZN1RuR3IoxggLAMIICvAIBATBrMGUxCzAJBgNVBAYTAklUMR4wHAYDVQQKExVQb2xp
dGVjbmljbyBkaSBUb3Jpbm8xNjA0BgNVBAMTLVBvbGl0ZWNuaWNvIGRpIFRvcmlubyBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eQICAWcwCQYFKw4DAhoFAKCCAaswGAYJKoZIhvcNAQkDMQsG
CSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDQwNzIzMDgzODQ1WjAjBgkqhkiG9w0BCQQx
FgQU2s7EL/Zkjy9fFmXnF3Z5UjCzQtowUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAO
BggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgw
egYJKwYBBAGCNxAEMW0wazBlMQswCQYDVQQGEwJJVDEeMBwGA1UEChMVUG9saXRlY25pY28g
ZGkgVG9yaW5vMTYwNAYDVQQDEy1Qb2xpdGVjbmljbyBkaSBUb3Jpbm8gQ2VydGlmaWNhdGlv
biBBdXRob3JpdHkCAgFnMHwGCyqGSIb3DQEJEAILMW2gazBlMQswCQYDVQQGEwJJVDEeMBwG
A1UEChMVUG9saXRlY25pY28gZGkgVG9yaW5vMTYwNAYDVQQDEy1Qb2xpdGVjbmljbyBkaSBU
b3Jpbm8gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCAgFnMA0GCSqGSIb3DQEBAQUABIGAWZYa
uEYVrYfnztmusQDJgLeJHO5VnLM/UYFdeDXTExaLiFty3zXXI/c6ovDXCGnPQUrmJ7szaR0r
vBe1ga9zUSKK9wCqbyJYFvkdlnaraHE5N3hBfFtpCeUGLp0bRMOy+XcuWsffuxAuJV947g2m
krBumvjwdYtasL0Sq+QuA7oAAAAAAAA=
--------------ms070000030901080401020603--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6N8RmSY063756; Fri, 23 Jul 2004 01:27:48 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6N8RmV8063755; Fri, 23 Jul 2004 01:27:48 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from p-mail1.rd.francetelecom.com (p-mail1.rd.francetelecom.com [195.101.245.15]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6N8RkqP063689 for <ietf-pkix@imc.org>; Fri, 23 Jul 2004 01:27:47 -0700 (PDT) (envelope-from olivier.dubuisson@francetelecom.com)
Received: from ftrdmel10.rd.francetelecom.fr ([10.193.117.156]) by parsmtp1.rd.francetelecom.com with Microsoft SMTPSVC(6.0.3790.0); Fri, 23 Jul 2004 10:27:33 +0200
Received: from [10.193.13.101] ([10.193.13.101]) by ftrdmel10.rd.francetelecom.fr with Microsoft SMTPSVC(5.0.2195.6713); Fri, 23 Jul 2004 10:27:33 +0200
Message-ID: <4100CBF4.4000105@francetelecom.com>
Date: Fri, 23 Jul 2004 10:27:32 +0200
From: Olivier Dubuisson <Olivier.Dubuisson@francetelecom.com>
Organization: France Telecom R&D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: PI: 10: Split Identity++
References: <73388857A695D31197EF00508B08F29806EE1B56@ntmsg0131.corpmail.telstra.com.au>
In-Reply-To: <73388857A695D31197EF00508B08F29806EE1B56@ntmsg0131.corpmail.telstra.com.au>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 23 Jul 2004 08:27:33.0114 (UTC) FILETIME=[E6AF6DA0:01C4708E]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Manger, James H wrote:
>
> URL vs OID:
> URLs as identifiers are fantastic: just by reading the URL you can often learn a lot, type it into a browser and (quite often) you can get a detailed explanation. An OID is less human-friendly, but type it into google (instead of the address bar) and (quite often) you can get a detailed explanation just as easily. The pervasiveness of OIDs in certs, there small size, structure and stability make them a good enough choice for identifying PI types.
Some information that may be of interest to your group:
- RFC 3061 (http://zvon.org/tmRFC/RFC3061/Output/) defines a URN for OIDs.
- There is a repository of 65,000+ OIDs at http://oid.elibel.tm.fr
- This repository offers a kind of OID resolution system by catenating
your OID (in ASN.1 or dotted notation, see
http://asn1.elibel.tm.fr/oid/faq.htm#6) after the URL
http://oid.elibel.tm.fr/ (e.g., http://oid.elibel.tm.fr/1.3.6.1 )
- This repository is planned to get a more official status by moving to
the ITU website (hopefully by the end of this year).
- It is planned to develop a web service for OID resolution (probably
not before mid-2005).
--
Olivier DUBUISSON (ITU-T ASN.1 Project leader)
France Telecom
Recherche & Developpement / Research & Development Division
DR&D/MAPS/AMS - 22307 Lannion Cedex - France
t: +33 2 96 05 38 50 - f: +33 2 96 05 39 45 - http://asn1.elibel.tm.fr/
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6N1XVea078630; Thu, 22 Jul 2004 18:33:31 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6N1XVJM078629; Thu, 22 Jul 2004 18:33:31 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailao.vtcif.telstra.com.au (mailao.vtcif.telstra.com.au [202.12.144.17]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6N1X1t2078557 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 18:33:30 -0700 (PDT) (envelope-from James.H.Manger@team.telstra.com)
Received: from mailai.vtcif.telstra.com.au (mailai.vtcif.telstra.com.au [202.12.142.17]) by mailao.vtcif.telstra.com.au (Postfix) with ESMTP id 541AC228A2 for <ietf-pkix@imc.org>; Fri, 23 Jul 2004 11:32:48 +1000 (EST)
Received: from mail2.cdn.telstra.com.au (localhost [127.0.0.1]) by mailai.vtcif.telstra.com.au (Postfix) with ESMTP id D72E71DA81 for <ietf-pkix@imc.org>; Fri, 23 Jul 2004 11:32:47 +1000 (EST)
Received: from WSMSG0004.srv.dir.telstra.com (wsmsg0004.srv.dir.telstra.com [192.74.168.133]) by mail2.cdn.telstra.com.au (Postfix) with ESMTP id 8A9C541E03 for <ietf-pkix@imc.org>; Fri, 23 Jul 2004 11:32:47 +1000 (EST)
content-class: urn:content-classes:message
Subject: RE: PI: 10: Split Identity++
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Fri, 23 Jul 2004 11:29:49 +1000
Message-ID: <73388857A695D31197EF00508B08F29806EE1B56@ntmsg0131.corpmail.telstra.com.au>
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: pkix-pi-10 - Split Identity++
Thread-Index: AcRwM/nnuG5n4u5OQByrH8lqZx6rjgAFFwNQ
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6N1XVt2078624
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
URL vs OID:
URLs as identifiers are fantastic: just by reading the URL you can often learn a lot, type it into a browser and (quite often) you can get a detailed explanation. An OID is less human-friendly, but type it into google (instead of the address bar) and (quite often) you can get a detailed explanation just as easily. The pervasiveness of OIDs in certs, there small size, structure and stability make them a good enough choice for identifying PI types.
> O=http://registry.us.gov
A solution that enforces extra structure on DNs (eg inserting the assigner in the DN) does not sound like it will be too successful. From your DN, it would be reasonable to guess that John Smith works for the registry department of the US government... but that is probably not what you meant.
The type, assigner and permanence of a value can be considered meta-data for that value. It is not unreasonable (nor uncommon) to have the meta-data "half" somewhere else.
> CN=John Smith, serialNumber=6756565, O=http://registry.us.gov, C=US
Even for your DN you still envisage a PI extension -- presumably to flag the O & SN attributes as a {PI-assigner, PI-value} pair. Those flags are required to properly interpret the DN as a PI. Hence, you will still have part of the identity somewhere else -- perhaps only a quarter, not a half ;-)
X.501 actually provides a mechanism to describe some meta-data about an attribute: the attribute type OID, its associated ATTRIBUTE object class value and the meta-data for its supertypes. X.501 defines a limited variety of meta-data for an attribute, such as how to match & sort values and whether or not a value is unique for an entry. The PI issue could be solved by extending this meta-data, defining some new generic types with well-defined permanence properties (eg employeeId, companyId), arranging them in a type hierarchy, subtyping specific PIs from those types, ensuring directories publish their schema and getting PKI products to consult that schema. I see the PI certificate extension as a short cut to that sort of solution by representing a small part of the schema directly in a certificate in a specialised manner.
> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> Sent: Friday, 23 July 2004 5:59 AM
> To: ietf-pkix@imc.org
> Subject: PI: 10: Split Identity++
>
> Although I triggered the (un)deprecation of serialNumber as PI value objects, I am still not completely satisfied with the result.
>
> Consider the following PI-enabled citizen certificate:
>
> CN=John Smith, serialNumber=6756565, C=US
> PI-assigner: 2.4.4.282.2
>
> I believe this would make more sense:
>
> CN=John Smith, serialNumber=6756565, O=http://registry.us.gov, C=US
>
> Apart from pure esthetics, an advantage of putting the assigner in the DN as well, is that the DN becomes a TRUE SUPERSET of PI. Using URIs, DNs in PI-augmented certificates also become TRUE globally unique identifiers (GUIDs).
>
> Having one "half" of the identity in the DN and the other half somewhere else, is IMHO not a very "clean" solution. No other PKI name constructs are designed that way AFAIK.
>
> P.S. I did not bother with describing the PI extension in the second case as I would like to begin with the important stuff first D.S.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MK26lm048343; Thu, 22 Jul 2004 13:02:06 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6MK25Lk048342; Thu, 22 Jul 2004 13:02:05 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from av1-1-sn3.vrr.skanova.net (av1-1-sn3.vrr.skanova.net [81.228.9.105]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MK25cG048321 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 13:02:05 -0700 (PDT) (envelope-from anders.rundgren@telia.com)
Received: by av1-1-sn3.vrr.skanova.net (Postfix, from userid 502) id CA93E37ECF; Thu, 22 Jul 2004 22:01:57 +0200 (CEST)
Received: from smtp1-1-sn3.vrr.skanova.net (smtp1-1-sn3.vrr.skanova.net [81.228.9.177]) by av1-1-sn3.vrr.skanova.net (Postfix) with ESMTP id 4BEEB37E4C for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 22:01:57 +0200 (CEST)
Received: from arport (t12o913p37.telia.com [213.64.28.157]) by smtp1-1-sn3.vrr.skanova.net (Postfix) with SMTP id 58C3D3800A for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 22:01:56 +0200 (CEST)
Message-ID: <010601c47026$549ab630$0500a8c0@arport>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: <ietf-pkix@imc.org>
Subject: Re: pkix-pi-10 - Split Identity++
Date: Thu, 22 Jul 2004 21:58:59 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Although I triggered the (un)deprecation of serialNumber as PI
value objects, I am still not completely satisfied with the result.
Consider the following PI-enabled citizen certificate:
CN=John Smith, serialNumber=6756565, C=US
PI-assigner: 2.4.4.282.2
I believe this would make more sense:
CN=John Smith, serialNumber=6756565, O=http://registry.us.gov, C=US
Apart from pure esthetics, an advantage of putting the assigner in the DN as
well, is that the DN becomes a TRUE SUPERSET of PI. Using URIs,
DNs in PI-augmented certificates also become TRUE globally unique
identifiers (GUIDs).
Having one "half" of the identity in the DN and the other half somewhere
else, is IMHO not a very "clean" solution. No other PKI name constructs
are designed that way AFAIK.
Anders R
P.S. I did not bother with describing the PI extension in the second
case as I would like to begin with the important stuff first D.S.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MIhbP6042580; Thu, 22 Jul 2004 11:43:37 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6MIhbPE042579; Thu, 22 Jul 2004 11:43:37 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MIha5o042572 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 11:43:37 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-106.fastq.com [65.39.92.106]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6MIha841934 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 11:43:36 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: <ietf-pkix@imc.org>
Subject: Re: SCVP-15
Date: Thu, 22 Jul 2004 11:42:54 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDCEAPDOAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <6.1.1.1.2.20040721121259.0391cca8@mail.binhost.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Trevor,
Section 3.2.10, extracted below, is a good step forward to closure on
the issue. Given its definition as a BOOLEAN in Query syntax, I am
comfortable with its default to TRUE.
The second paragraph however needs an implementable definition of DPD
vice DPV with respect to SCVP ASN.1 in order to assert that that a
request is in error if it asks for a validation assertion in the context
of signResponse set to FALSE.
Mike
3.2.10 signResponse
The signResponse specifies if the client requires the server to
sign a response to the validation request. If the client is
performing full chain validation on the response and it is not
concerned about the authenticity of the source of the data, then
the client does not benefit from the signature on the response in
which case it can indicate to the server that the signature is
unnecessary via the signResponse value.
SCVP clients that support DPD MUST support setting this value to
FALSE. Since DPV responses must be signed, DPV only SCVP clients
MUST NOT to support this value. SCVP servers SHOULD support
returning unsigned responses. It is a local policy decision on the
part of the server to return signed or unsigned responses if this
value is set to FALSE.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MFFbd5024051; Thu, 22 Jul 2004 08:15:37 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6MFFb8d024050; Thu, 22 Jul 2004 08:15:37 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6MFFa6w024042 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 08:15:36 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 3716 invoked by uid 0); 22 Jul 2004 15:08:24 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.94.19) by woodstock.binhost.com with SMTP; 22 Jul 2004 15:08:24 -0000
Message-Id: <6.1.1.1.2.20040722080258.08257d30@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Thu, 22 Jul 2004 08:08:12 -0400
To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Cc: ietf-pkix@imc.org
In-Reply-To: <200407211952.i6LJqXAJ022508@stingray.missi.ncsc.mil>
References: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au> <6.1.1.1.2.20040721105229.035faf80@mail.binhost.com> <40FE9323.8090306@bull.net> <200407211952.i6LJqXAJ022508@stingray.missi.ncsc.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Dave:
I reread it, and you are correct.
The first time I read it, the part that stuck with me was: "The set that
forms an RDN contains exactly one AttributeTypeAndDistinguishedValue for
each attribute which contains distinguished values in the entry ..." Which
made me think that non-distinguished values could employ a second instance
of the same attribute type. Not so. It goes on to say: "... that is, a
given attribute type cannot appear twice in the same RDN."
My issue is resolved.
Russ
At 03:57 PM 7/21/2004, David P. Kemp wrote:
>X.501 (02/2001) section 9.3, which appears to be normative,
>not informative, prohibits a given attribute type from
>appearing more than once in the same RDN. The origin of
>Russ' comments regarding the possibility of multiple
>serialNumber attributes in a single RDN is unclear.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MDoDQ0015321; Thu, 22 Jul 2004 06:50:13 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6MDoDnc015320; Thu, 22 Jul 2004 06:50:13 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from ns3.worldcall.net.pk (ns3.worldcall.net.pk [203.81.192.10]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MDoBpj015310 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 06:50:12 -0700 (PDT) (envelope-from faisal.maqsood@ascertia.com)
Received: from ascertiafm ([203.81.200.124]) by ns3.worldcall.net.pk (8.12.5+Sun/8.12.5) with SMTP id i6MDjfTq023942; Thu, 22 Jul 2004 19:45:42 +0600 (PKST)
Message-ID: <00d501c46ff3$773d0400$9c00a8c0@ascertia.com.pk>
From: "Faisal Maqsood" <faisal.maqsood@ascertia.com>
To: <ietf-pkix@imc.org>
Subject: SCVP Structure Suggestions
Date: Thu, 22 Jul 2004 18:54:47 +0500
Organization: Ascertia Ltd
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00D2_01C4701D.5C30C8C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_00D2_01C4701D.5C30C8C0
Content-Type: text/plain;
charset="unicode"
Content-Transfer-Encoding: quoted-printable
H=00i=00,=00=0D=00=0A=
=00=0D=00=0A=
=00I=00 =00h=00a=00v=00e=00 =00b=00e=00e=00n=00 =
=00l=00o=00o=00k=00i=00n=00g=00 =00a=00t=00 =00t=00h=00e=00 =
=00S=00C=00V=00P=00 =00D=00r=00a=00f=00t=00 =001=004=00 =00a=00n=00d=00 =
=00I=00 =00t=00h=00i=00n=00k=00 =00i=00t=00 =00c=00a=00n=00 =00b=00e=00 =
=00i=00m=00p=00r=00o=00v=00e=00d=00 =00a=00 =00b=00i=00t=00.=00 =00=0D=00=0A=
=00(=00I=00 =00k=00n=00o=00w=00 =00d=00r=00a=00f=00t=00 =001=005=00 =
=00i=00s=00 =00p=00u=00b=00l=00i=00s=00h=00e=00d=00 =00b=00u=00t=00 =
=00t=00h=00e=00s=00e=00 =00c=00h=00a=00n=00g=00e=00s=00 =00a=00r=00e=00 =
=00a=00l=00s=00o=00 =00n=00o=00t=00 =00t=00h=00e=00r=00e=00)=00=0D=00=0A=
=00=0D=00=0A=
=00N=00o=00t=00e=00:=00 =00M=00y=00 =00p=00r=00o=00p=00o=00s=00e=00d=00 =
=00A=00S=00N=00 =00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =
=00m=00i=00g=00h=00t=00 =00n=00o=00t=00 =00b=00e=00 =001=000=000=00%=00 =
=00c=00o=00r=00r=00e=00c=00t=00 =00a=00n=00d=00 =00I=00 =
=00h=00a=00v=00e=00 =00n=00o=00t=00 =00f=00u=00l=00l=00y=00 =
=00c=00a=00l=00c=00u=00l=00a=00t=00e=00d=00 =00i=00t=00s=00 =
=00p=00r=00o=00s=00 =00o=00r=00 =00c=00o=00n=00s=00.=00=0D=00=0A=
=00 =00 =001=00.=00.=00 =00I=00 =00d=00o=00n=00'=00t=00 =
=00f=00i=00n=00d=00 =00a=00n=00y=00 =00g=00o=00o=00d=00 =
=00r=00e=00a=00s=00o=00n=00 =00o=00f=00 =00p=00l=00a=00c=00i=00n=00g=00 =
=00"=00r=00e=00q=00u=00e=00s=00t=00"=00 =00O=00c=00t=00e=00t=00 =
=00S=00t=00r=00i=00n=00g=00 =00i=00n=00s=00i=00d=00e=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00.=00 =00I=00 =
=00t=00h=00i=00n=00k=00 =00i=00t=00 =00s=00h=00o=00u=00l=00d=00 =
=00b=00e=00 =00r=00e=00m=00o=00v=00e=00d=00 =00=0D=00=0A=
=00 =00 =002=00.=00.=00 =00T=00h=00e=00 =
=00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00-=00>=00r=00e=00q=00u=00e=00s=00=
t=00 =00a=00n=00d=00 =
=00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00-=00>=00r=00e=00s=00p=00o=00n=00=
s=00e=00 =00s=00h=00o=00u=00l=00d=00 =00a=00l=00s=00o=00 =00b=00e=00 =
=00r=00e=00m=00o=00v=00e=00d=00 =00a=00s=00 =00I=00 =
=00d=00o=00n=00'=00t=00 =00f=00i=00n=00d=00 =00a=00n=00y=00 =
=00r=00e=00a=00l=00 =00u=00s=00e=00 =00o=00f=00 =00t=00h=00i=00s=00.=00 =
=00=0D=00=0A=
=00 =00 =003=00.=00.=00 =00I=00n=00 =00t=00h=00e=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00-=00>=00Q=00u=00e=00r=00y=00 =
=00o=00n=00e=00 =00c=00a=00n=00 =00s=00p=00e=00c=00i=00f=00y=00 =
=00C=00h=00e=00c=00k=00s=00 =00a=00n=00d=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00.=00 =00R=00e=00q=00u=00e=00s=00t=00 =
=00A=00S=00N=00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =
=00s=00h=00o=00u=00l=00d=00 =00b=00e=00 =00s=00i=00m=00i=00l=00a=00r=00 =
=00t=00o=00 =00t=00h=00e=00 =00s=00t=00r=00a=00t=00e=00g=00y=00 =
=00u=00s=00e=00d=00 =00i=00n=00 =00t=00h=00e=00 =
=00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00-=00>=00C=00e=00r=00t=00R=00e=00=
p=00l=00y=00 =00i=00.=00e=00 =00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =
=00a=00n=00d=00 =00W=00a=00n=00t=00B=00a=00c=00k=00 =
=00s=00h=00o=00u=00l=00d=00 =00a=00l=00s=00o=00 =00b=00e=00 =
=00p=00r=00e=00s=00e=00n=00t=00 =00a=00l=00o=00n=00g=00 =
=00w=00i=00t=00h=00 =00C=00e=00r=00t=00.=00 =00I=00 =
=00w=00o=00u=00l=00d=00 =00p=00r=00o=00p=00o=00s=00e=00 =00t=00h=00e=00 =
=00f=00o=00l=00l=00o=00w=00i=00n=00g=00 =
=00s=00t=00r=00u=00c=00t=00u=00r=00e=00.=00=0D=00=0A=
=00Q=00u=00e=00r=00y=00 =00:=00:=00=3D=00 =
=00S=00E=00Q=00U=00E=00N=00C=00E=00 =00{=00 =00=0D=00=0A=
=00 =00Q=00u=00e=00r=00i=00e=00d=00C=00e=00r=00t=00s=00 =
=00S=00E=00Q=00U=00E=00N=00C=00E=00 =00S=00I=00Z=00E=00 =
=00(=001=00.=00.=00M=00A=00X=00)=00 =00O=00F=00 =
=00C=00e=00r=00t=00C=00o=00n=00f=00i=00g=00,=00 =00=0D=00=0A=
=00 =00C=00h=00e=00c=00k=00s=00 =00 =00 =00 =00 =00[=000=00]=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00,=00=0D=00=0A=
=00 =00W=00a=00n=00t=00B=00a=00c=00k=00 =00 =00 =00 =00[=001=00]=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00,=00=0D=00=0A=
=00 =00.=00.=00.=00.=00.=00=0D=00=0A=
=00 =00 =00 =00 =00}=00=0D=00=0A=
=00=0D=00=0A=
=00C=00e=00r=00t=00C=00o=00n=00f=00i=00g=00:=00:=00=3D=00 =
=00S=00E=00Q=00U=00E=00N=00C=00E=00{=00=0D=00=0A=
=00 =00C=00e=00r=00t=00 =00 =
=00C=00e=00r=00t=00R=00e=00f=00e=00r=00e=00n=00c=00e=00,=00=0D=00=0A=
=00 =00C=00h=00e=00c=00k=00s=00 =00 =00 =00 =00 =00 =00[=000=00]=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00,=00 =00 =00 =00=0D=00=0A=
=00 =00W=00a=00n=00t=00B=00a=00c=00k=00 =00 =00 =00 =00[=001=00]=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00 =00 =00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00=0D=00=0A=
=00}=00=0D=00=0A=
=00=0D=00=0A=
=00=0D=00=0A=
=00N=00o=00t=00e=00:=00 =00P=00l=00a=00c=00i=00n=00g=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00a=00n=00d=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00 =00i=00n=00 =
=00R=00e=00f=00e=00r=00e=00n=00c=00e=00 =00A=00S=00N=00 =
=00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =00h=00a=00v=00e=00 =003=00 =
=00b=00e=00n=00e=00f=00i=00t=00s=00 =00=0D=00=0A=
=00 =00 =00a=00.=00.=00 =00U=00s=00e=00r=00 =00c=00a=00n=00 =
=00d=00e=00f=00i=00n=00e=00 =00W=00a=00n=00t=00B=00a=00c=00k=00,=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00f=00o=00r=00 =
=00e=00a=00c=00h=00 =00C=00e=00r=00t=00i=00f=00i=00c=00a=00t=00e=00 =
=00s=00e=00p=00e=00r=00a=00t=00e=00l=00y=00 =
=00p=00r=00o=00v=00i=00d=00i=00n=00g=00 =00g=00r=00e=00a=00t=00e=00r=00 =
=00f=00l=00e=00x=00i=00b=00i=00l=00i=00t=00y=00.=00 =00T=00h=00e=00 =
=00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00-=00>=00C=00e=00r=00t=00R=00e=00=
p=00l=00y=00 =00A=00S=00N=00 =00s=00t=00r=00u=00c=00t=00u=00r=00e=00 =
=00a=00l=00r=00e=00a=00d=00y=00 =00s=00u=00p=00p=00o=00r=00t=00s=00 =
=00s=00e=00p=00e=00r=00a=00t=00e=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00,=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00f=00o=00r=00 =
=00e=00a=00c=00h=00 =00C=00e=00r=00t=00i=00f=00i=00c=00a=00t=00e=00.=00 =
=00=0D=00=0A=
=00 =00 =00b=00.=00.=00 =00W=00a=00n=00t=00B=00a=00c=00k=00,=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00i=00n=00s=00i=00d=00e=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00-=00>=00Q=00u=00e=00r=00y=00 =
=00A=00S=00N=00 =00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =
=00s=00h=00o=00u=00l=00d=00 =00r=00e=00m=00a=00i=00n=00 =00t=00o=00 =
=00p=00r=00o=00v=00i=00d=00e=00 =00d=00e=00f=00a=00u=00l=00t=00 =
=00s=00e=00t=00t=00i=00n=00g=00s=00 =00b=00u=00t=00 =
=00w=00o=00u=00l=00d=00 =00b=00e=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00.=00 =00I=00f=00 =00i=00n=00 =
=00C=00e=00r=00t=00C=00o=00n=00f=00i=00g=00 =00o=00n=00e=00 =
=00d=00o=00e=00s=00 =00n=00o=00t=00 =00p=00r=00o=00v=00i=00d=00e=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00 =00a=00n=00d=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00t=00h=00e=00n=00 =
=00t=00h=00e=00s=00e=00 =00d=00e=00f=00a=00u=00l=00t=00 =
=00v=00a=00l=00u=00e=00s=00 =
=00(=00C=00V=00R=00e=00q=00u=00e=00s=00t=00-=00>=00Q=00u=00e=00r=00y=00-=00=
>=00W=00a=00n=00t=00B=00a=00c=00k=00,=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00-=00>=00Q=00u=00e=00r=00y=00-=00>=00=
C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00)=00 =00M=00U=00S=00T=00 =
=00b=00e=00 =00p=00r=00e=00s=00e=00n=00t=00 =00a=00n=00d=00 =
=00u=00s=00e=00d=00.=00 =00=0D=00=0A=
=00 =00 =00c=00.=00.=00 =00B=00e=00n=00e=00f=00i=00t=00 =00o=00f=00 =
=00p=00r=00o=00v=00i=00d=00i=00n=00g=00 =00C=00h=00e=00c=00k=00s=00 =
=00a=00n=00d=00 =00W=00a=00n=00t=00B=00a=00c=00k=00 =
=00i=00n=00s=00i=00d=00e=00 =00Q=00u=00e=00r=00y=00 =
=00w=00o=00u=00l=00d=00 =00b=00e=00 =00t=00o=00 =00a=00l=00l=00o=00w=00 =
=00s=00o=00m=00e=00 =00o=00r=00 =00a=00l=00l=00 =00o=00f=00 =
=00t=00h=00e=00 =00C=00e=00r=00t=00 =00i=00n=00s=00i=00d=00e=00 =
=00C=00e=00r=00t=00C=00o=00n=00f=00i=00g=00 =00t=00o=00 =00u=00s=00e=00 =
=00d=00e=00f=00a=00u=00l=00t=00 =00C=00h=00e=00c=00k=00s=00 =00+=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00 =00s=00e=00t=00t=00i=00n=00g=00s=00 =
=00t=00h=00u=00s=00 =00r=00e=00d=00u=00c=00i=00n=00g=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00 =00s=00i=00z=00e=00 =
=00a=00n=00d=00 =00t=00h=00u=00s=00 =00r=00e=00d=00u=00c=00e=00s=00 =
=00n=00e=00t=00w=00o=00r=00k=00 =00l=00o=00a=00d=00.=00=0D=00=0A=
=00 =00 =00 =00 =004=00.=00 =00 =00 =00 =
=00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00 =
=00s=00t=00r=00u=00c=00t=00u=00r=00e=00 =00n=00e=00e=00d=00s=00 =
=00a=00l=00s=00o=00 =00t=00o=00 =00b=00e=00 =00u=00p=00d=00a=00t=00e=00 =
=00t=00o=00 =00m=00a=00p=00 =00w=00i=00t=00h=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00 =00o=00p=00t=00i=00o=00n=00s=00 =
=00b=00y=00 =00i=00n=00t=00r=00o=00d=00u=00c=00i=00n=00g=00 =
=00t=00w=00o=00 =00n=00e=00w=00 =00o=00p=00t=00i=00o=00n=00a=00l=00 =
=00o=00b=00j=00e=00c=00t=00s=00 =00a=00s=00 =
=00b=00e=00l=00o=00w=00:=00=0D=00=0A=
=00=0D=00=0A=
=00 =00 =00 =00 =00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00 =
=00:=00:=00=3D=00 =00S=00E=00Q=00U=00E=00N=00C=00E=00 =00{=00 =00=0D=00=0A=
=00 =00 =00 =00 =00 =00 =00 =00 =00 =
=00s=00c=00v=00p=00V=00e=00r=00s=00i=00o=00n=00 =
=00I=00N=00T=00E=00G=00E=00R=00,=00 =00=0D=00=0A=
=00 =00 =00 =00 =00 =00 =00 =00 =00 =00.=00.=00.=00.=00.=00.=00.=00=0D=00=0A=
=00 =00 =00 =00 =00 =00 =00 =00 =00 =
=00R=00e=00p=00l=00y=00C=00h=00e=00c=00k=00s=00 =00[=008=00]=00 =
=00R=00e=00p=00l=00y=00C=00h=00e=00c=00k=00s=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00,=00 =00=0D=00=0A=
=00 =00 =00 =00 =00 =00 =00 =00 =00 =
=00R=00e=00p=00l=00y=00W=00a=00n=00t=00B=00a=00c=00k=00s=00 =
=00[=009=00]=00 =
=00R=00e=00p=00l=00y=00W=00a=00n=00t=00B=00a=00c=00k=00s=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00=0D=00=0A=
=00 =00 =00 =00 =00 =00}=00=0D=00=0A=
=00=0D=00=0A=
=00I=00n=00 =00a=00d=00d=00i=00t=00i=00o=00n=00 =
=00C=00e=00r=00t=00R=00e=00p=00l=00y=00 =
=00A=00S=00N=00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =
=00s=00h=00o=00u=00l=00d=00 =00a=00l=00s=00o=00 =00b=00e=00 =
=00c=00h=00a=00n=00g=00e=00d=00 =00t=00o=00 =00m=00a=00k=00e=00 =
=00R=00e=00p=00l=00y=00C=00h=00e=00c=00k=00s=00 =00a=00n=00d=00 =
=00R=00e=00p=00l=00y=00W=00a=00n=00t=00B=00a=00c=00k=00s=00 =00a=00s=00 =
=00o=00p=00t=00i=00o=00n=00a=00l=00.=00=0D=00=0A=
=00=0D=00=0A=
=00A=00l=00s=00o=00 =00i=00n=00 =00Q=00u=00e=00r=00y=00,=00 =
=00a=00l=00l=00 =00f=00l=00a=00g=00s=00 =
=00(=00R=00e=00q=00u=00e=00s=00t=00R=00e=00f=00H=00a=00s=00h=00,=00 =
=00I=00n=00c=00l=00u=00d=00e=00P=00o=00l=00R=00e=00s=00p=00o=00n=00s=00e=00=
,=00 =00I=00n=00h=00i=00b=00i=00t=00P=00o=00l=00M=00a=00p=00,=00 =
=00R=00e=00q=00u=00i=00r=00e=00E=00x=00p=00l=00i=00c=00i=00t=00P=00o=00l=00=
,=00 =00I=00g=00n=00o=00r=00e=00A=00n=00y=00P=00o=00l=00,=00 =
=00I=00s=00C=00A=00)=00 =00s=00h=00o=00u=00l=00d=00 =00b=00e=00 =
=00o=00p=00t=00i=00o=00n=00a=00l=00 =00i=00n=00s=00t=00e=00a=00d=00 =
=00o=00f=00 =00m=00e=00n=00d=00a=00t=00o=00r=00y=00 =00a=00s=00 =
=00a=00l=00l=00 =00t=00h=00e=00s=00e=00 =00h=00a=00v=00e=00 =
=00d=00e=00f=00a=00u=00l=00t=00 =00v=00a=00l=00u=00e=00s=00 =
=00a=00n=00d=00 =00t=00o=00 =00m=00a=00k=00e=00 =00t=00h=00e=00s=00e=00 =
=00o=00p=00t=00i=00o=00n=00a=00l=00 =00w=00i=00l=00l=00 =
=00r=00e=00d=00u=00c=00e=00 =00n=00e=00t=00w=00o=00r=00k=00 =
=00l=00o=00a=00d=00.=00=0D=00=0A=
=00=0D=00=0A=
=00R=00e=00g=00a=00r=00d=00s=00,=00=0D=00=0A=
=00F=00a=00i=00s=00a=00l=00 =00M=00a=00q=00s=00o=00o=00d=00=0D=00=0A=
=00=0D=00=0A=
=00
------=_NextPart_000_00D2_01C4701D.5C30C8C0
Content-Type: text/html;
charset="unicode"
Content-Transfer-Encoding: quoted-printable
=FF=FE<=00!=00D=00O=00C=00T=00Y=00P=00E=00 =00H=00T=00M=00L=00 =
=00P=00U=00B=00L=00I=00C=00 =
=00"=00-=00/=00/=00W=003=00C=00/=00/=00D=00T=00D=00 =00H=00T=00M=00L=00 =
=004=00.=000=00 =
=00T=00r=00a=00n=00s=00i=00t=00i=00o=00n=00a=00l=00/=00/=00E=00N=00"=00>=00=
=0D=00=0A=
=00<=00H=00T=00M=00L=00 =00x=00m=00l=00n=00s=00:=00s=00t=001=00 =
=00=3D=00 =
=00"=00u=00r=00n=00:=00s=00c=00h=00e=00m=00a=00s=00-=00m=00i=00c=00r=00o=00=
s=00o=00f=00t=00-=00c=00o=00m=00:=00o=00f=00f=00i=00c=00e=00:=00s=00m=00a=
=00r=00t=00t=00a=00g=00s=00"=00 =00x=00m=00l=00n=00s=00:=00o=00 =
=00=3D=00 =00=0D=00=0A=
=00"=00u=00r=00n=00:=00s=00c=00h=00e=00m=00a=00s=00-=00m=00i=00c=00r=00o=00=
s=00o=00f=00t=00-=00c=00o=00m=00:=00o=00f=00f=00i=00c=00e=00:=00o=00f=00f=
=00i=00c=00e=00"=00>=00<=00H=00E=00A=00D=00>=00<=00B=00A=00S=00E=00 =
=00=0D=00=0A=
=00h=00r=00e=00f=00=3D=00"=00f=00i=00l=00e=00:=00/=00/=00F=00:=00\=00_=00=
B=00a=00c=00k=00U=00p=00-=00F=00M=00\=00E=00m=00a=00i=00l=00 =
=00S=00i=00g=00n=00a=00t=00u=00r=00e=00\=00"=00>=00=0D=00=0A=
=00<=00M=00E=00T=00A=00 =
=00h=00t=00t=00p=00-=00e=00q=00u=00i=00v=00=3D=00C=00o=00n=00t=00e=00n=00=
t=00-=00T=00y=00p=00e=00 =
=00c=00o=00n=00t=00e=00n=00t=00=3D=00"=00t=00e=00x=00t=00/=00h=00t=00m=00=
l=00;=00 =
=00c=00h=00a=00r=00s=00e=00t=00=3D=00u=00n=00i=00c=00o=00d=00e=00"=00>=00=
=0D=00=0A=
=00<=00M=00E=00T=00A=00 =
=00c=00o=00n=00t=00e=00n=00t=00=3D=00"=00M=00S=00H=00T=00M=00L=00 =
=005=00.=005=000=00.=004=001=003=004=00.=006=000=000=00"=00 =
=00n=00a=00m=00e=00=3D=00G=00E=00N=00E=00R=00A=00T=00O=00R=00>=00<=00/=00=
H=00E=00A=00D=00>=00=0D=00=0A=
=00<=00B=00O=00D=00Y=00 =
=00b=00g=00C=00o=00l=00o=00r=00=3D=00#=00f=00f=00f=00f=00f=00f=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00H=00i=00,=00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00<=00/=00D=00I=00V=00>=00=0D=
=00=0A=
=00<=00D=00I=00V=00>=00I=00 =00h=00a=00v=00e=00 =00b=00e=00e=00n=00 =
=00l=00o=00o=00k=00i=00n=00g=00 =00a=00t=00 =00t=00h=00e=00 =
=00S=00C=00V=00P=00 =00D=00r=00a=00f=00t=00 =001=004=00 =00a=00n=00d=00 =
=00I=00 =00t=00h=00i=00n=00k=00 =00i=00t=00 =00c=00a=00n=00 =00b=00e=00 =
=00i=00m=00p=00r=00o=00v=00e=00d=00 =00a=00 =00=0D=00=0A=
=00b=00i=00t=00.=00 =00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00(=00I=00 =00k=00n=00o=00w=00 =
=00d=00r=00a=00f=00t=00 =001=005=00 =00i=00s=00 =
=00p=00u=00b=00l=00i=00s=00h=00e=00d=00 =00b=00u=00t=00 =
=00t=00h=00e=00s=00e=00 =00c=00h=00a=00n=00g=00e=00s=00 =00a=00r=00e=00 =
=00a=00l=00s=00o=00 =00n=00o=00t=00 =
=00t=00h=00e=00r=00e=00)=00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00<=00/=00D=00I=00V=00>=00=0D=
=00=0A=
=00<=00D=00I=00V=00>=00N=00o=00t=00e=00:=00&=00n=00b=00s=00p=00;=00M=00y=00=
=00p=00r=00o=00p=00o=00s=00e=00d=00 =00A=00S=00N=00 =
=00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =00m=00i=00g=00h=00t=00 =
=00n=00o=00t=00 =00b=00e=00 =001=000=000=00%=00 =
=00c=00o=00r=00r=00e=00c=00t=00 =00a=00n=00d=00 =00I=00 =
=00h=00a=00v=00e=00 =00=0D=00=0A=
=00n=00o=00t=00 =00f=00u=00l=00l=00y=00 =
=00c=00a=00l=00c=00u=00l=00a=00t=00e=00d=00 =00i=00t=00s=00 =
=00p=00r=00o=00s=00 =00o=00r=00 =
=00c=00o=00n=00s=00.=00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00O=00L=00>=00=0D=00=0A=
=00 =00 =00<=00L=00I=00>=00I=00 =00d=00o=00n=00'=00t=00 =
=00f=00i=00n=00d=00 =00a=00n=00y=00 =00g=00o=00o=00d=00 =
=00r=00e=00a=00s=00o=00n=00 =00o=00f=00 =00p=00l=00a=00c=00i=00n=00g=00 =
=00"=00r=00e=00q=00u=00e=00s=00t=00"=00 =00O=00c=00t=00e=00t=00 =
=00S=00t=00r=00i=00n=00g=00 =00i=00n=00s=00i=00d=00e=00 =00=0D=00=0A=
=00 =00 =00C=00V=00R=00e=00q=00u=00e=00s=00t=00.=00 =00I=00 =
=00t=00h=00i=00n=00k=00 =00i=00t=00 =00s=00h=00o=00u=00l=00d=00 =
=00b=00e=00 =00r=00e=00m=00o=00v=00e=00d=00 =00=0D=00=0A=
=00 =00 =00<=00L=00I=00>=00T=00h=00e=00 =
=00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00-=00&=00g=00t=00;=00r=00e=00q=00=
u=00e=00s=00t=00 =00a=00n=00d=00 =
=00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00-=00&=00g=00t=00;=00r=00e=00s=00=
p=00o=00n=00s=00e=00 =00s=00h=00o=00u=00l=00d=00 =00a=00l=00s=00o=00 =
=00b=00e=00 =00=0D=00=0A=
=00 =00 =00r=00e=00m=00o=00v=00e=00d=00 =00a=00s=00 =00I=00 =
=00d=00o=00n=00'=00t=00 =00f=00i=00n=00d=00 =00a=00n=00y=00 =
=00r=00e=00a=00l=00 =00u=00s=00e=00 =00o=00f=00 =00t=00h=00i=00s=00.=00 =
=00=0D=00=0A=
=00 =00 =00<=00L=00I=00>=00I=00n=00 =00t=00h=00e=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00-=00&=00g=00t=00;=00Q=00u=00e=00r=00=
y=00 =00o=00n=00e=00 =00c=00a=00n=00 =00s=00p=00e=00c=00i=00f=00y=00 =
=00C=00h=00e=00c=00k=00s=00 =00a=00n=00d=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00.=00 =00R=00e=00q=00u=00e=00s=00t=00 =
=00=0D=00=0A=
=00 =00 =00A=00S=00N=00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =
=00s=00h=00o=00u=00l=00d=00 =00b=00e=00 =00s=00i=00m=00i=00l=00a=00r=00 =
=00t=00o=00 =00t=00h=00e=00 =00s=00t=00r=00a=00t=00e=00g=00y=00 =
=00u=00s=00e=00d=00 =00i=00n=00 =00t=00h=00e=00 =00=0D=00=0A=
=00 =00 =
=00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00-=00&=00g=00t=00;=00C=00e=00r=00=
t=00R=00e=00p=00l=00y=00 =00i=00.=00e=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00a=00n=00d=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00 =00s=00h=00o=00u=00l=00d=00 =
=00a=00l=00s=00o=00 =00b=00e=00 =00p=00r=00e=00s=00e=00n=00t=00 =00=0D=00=0A=
=00 =00 =00a=00l=00o=00n=00g=00 =00w=00i=00t=00h=00 =
=00C=00e=00r=00t=00.=00 =00I=00 =00w=00o=00u=00l=00d=00 =
=00p=00r=00o=00p=00o=00s=00e=00 =00t=00h=00e=00 =
=00f=00o=00l=00l=00o=00w=00i=00n=00g=00 =
=00s=00t=00r=00u=00c=00t=00u=00r=00e=00.=00<=00/=00L=00I=00>=00<=00/=00O=00=
L=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00Q=00u=00e=00r=00y=00 =00:=00:=00=3D=00 =
=00S=00E=00Q=00U=00E=00N=00C=00E=00 =00{=00 =
=00<=00B=00R=00>=00&=00n=00b=00s=00p=00;=00Q=00u=00e=00r=00i=00e=00d=00C=00=
e=00r=00t=00s=00&=00n=00b=00s=00p=00;=00S=00E=00Q=00U=00E=00N=00C=00E=00 =
=00S=00I=00Z=00E=00 =00(=001=00.=00.=00M=00A=00X=00)=00 =00O=00F=00 =
=00=0D=00=0A=
=00C=00e=00r=00t=00C=00o=00n=00f=00i=00g=00,=00 =
=00<=00B=00R=00>=00&=00n=00b=00s=00p=00;=00C=00h=00e=00c=00k=00s=00&=00n=00=
b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=
=00s=00p=00;=00 =
=00[=000=00]=00&=00n=00b=00s=00p=00;=00C=00e=00r=00t=00C=00h=00e=00c=00k=00=
s=00 =00=0D=00=0A=
=00O=00P=00T=00I=00O=00N=00A=00L=00,=00<=00B=00R=00>=00&=00n=00b=00s=00p=00=
;=00W=00a=00n=00t=00B=00a=00c=00k=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=
=00p=00;=00&=00n=00b=00s=00p=00;=00 =
=00[=001=00]=00&=00n=00b=00s=00p=00;=00W=00a=00n=00t=00B=00a=00c=00k=00 =
=00=0D=00=0A=
=00O=00P=00T=00I=00O=00N=00A=00L=00,=00<=00B=00R=00>=00&=00n=00b=00s=00p=00=
;=00.=00.=00.=00.=00.=00<=00B=00R=00>=00&=00n=00b=00s=00p=00;=00&=00n=00b=
=00s=00p=00;=00&=00n=00b=00s=00p=00;=00 =
=00}=00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00<=00/=00D=00I=00V=00>=00=0D=
=00=0A=
=00<=00D=00I=00V=00>=00C=00e=00r=00t=00C=00o=00n=00f=00i=00g=00:=00:=00=3D=
=00 =00=0D=00=0A=
=00S=00E=00Q=00U=00E=00N=00C=00E=00{=00<=00B=00R=00>=00&=00n=00b=00s=00p=00=
;=00C=00e=00r=00t=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00C=00e=
=00r=00t=00R=00e=00f=00e=00r=00e=00n=00c=00e=00,=00<=00B=00R=00>=00&=00n=00=
b=00s=00p=00;=00C=00h=00e=00c=00k=00s=00&=00n=00b=00s=00p=00;=00&=00n=00b=
=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00=
s=00p=00;=00 =00=0D=00=0A=
=00[=000=00]=00&=00n=00b=00s=00p=00;=00C=00e=00r=00t=00C=00h=00e=00c=00k=00=
s=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00,=00&=00n=00b=00s=00p=00;=00&=00n=00b=00=
s=00p=00;=00 =
=00<=00B=00R=00>=00&=00n=00b=00s=00p=00;=00W=00a=00n=00t=00B=00a=00c=00k=00=
&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00 =
=00=0D=00=0A=
=00[=001=00]=00&=00n=00b=00s=00p=00;=00W=00a=00n=00t=00B=00a=00c=00k=00&=00=
n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00<=00B=00R=00>=00}=00<=00/=00D=00I=00V=00=
>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00<=00/=00D=00I=00V=00>=00=0D=
=00=0A=
=00<=00D=00I=00V=00>=00<=00B=00R=00>=00N=00o=00t=00e=00:=00 =
=00P=00l=00a=00c=00i=00n=00g=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00a=00n=00d=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00 =00i=00n=00 =
=00R=00e=00f=00e=00r=00e=00n=00c=00e=00 =00A=00S=00N=00 =
=00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =00h=00a=00v=00e=00 =003=00 =
=00=0D=00=0A=
=00b=00e=00n=00e=00f=00i=00t=00s=00 =00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00U=00L=00>=00=0D=00=0A=
=00 =00 =00<=00L=00I=00>=00U=00s=00e=00r=00 =00c=00a=00n=00 =
=00d=00e=00f=00i=00n=00e=00 =00W=00a=00n=00t=00B=00a=00c=00k=00,=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00f=00o=00r=00 =
=00e=00a=00c=00h=00 =00C=00e=00r=00t=00i=00f=00i=00c=00a=00t=00e=00 =
=00s=00e=00p=00e=00r=00a=00t=00e=00l=00y=00 =00=0D=00=0A=
=00 =00 =00p=00r=00o=00v=00i=00d=00i=00n=00g=00 =
=00g=00r=00e=00a=00t=00e=00r=00 =
=00f=00l=00e=00x=00i=00b=00i=00l=00i=00t=00y=00.=00 =00T=00h=00e=00 =
=00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00-=00&=00g=00t=00;=00C=00e=00r=00=
t=00R=00e=00p=00l=00y=00 =00A=00S=00N=00 =
=00s=00t=00r=00u=00c=00t=00u=00r=00e=00 =00=0D=00=0A=
=00 =00 =00a=00l=00r=00e=00a=00d=00y=00 =
=00s=00u=00p=00p=00o=00r=00t=00s=00 =00s=00e=00p=00e=00r=00a=00t=00e=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00,=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00f=00o=00r=00 =
=00e=00a=00c=00h=00 =00C=00e=00r=00t=00i=00f=00i=00c=00a=00t=00e=00.=00 =
=00=0D=00=0A=
=00 =00 =00<=00L=00I=00>=00W=00a=00n=00t=00B=00a=00c=00k=00,=00 =
=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =00i=00n=00s=00i=00d=00e=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00-=00&=00g=00t=00;=00Q=00u=00e=00r=00=
y=00 =00A=00S=00N=00 =00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =
=00s=00h=00o=00u=00l=00d=00 =00=0D=00=0A=
=00 =00 =00r=00e=00m=00a=00i=00n=00 =00t=00o=00 =
=00p=00r=00o=00v=00i=00d=00e=00 =00d=00e=00f=00a=00u=00l=00t=00 =
=00s=00e=00t=00t=00i=00n=00g=00s=00 =00b=00u=00t=00 =
=00w=00o=00u=00l=00d=00 =00b=00e=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00.=00 =00I=00f=00 =00i=00n=00 =
=00C=00e=00r=00t=00C=00o=00n=00f=00i=00g=00 =00o=00n=00e=00 =00=0D=00=0A=
=00 =00 =00d=00o=00e=00s=00 =00n=00o=00t=00 =
=00p=00r=00o=00v=00i=00d=00e=00 =00W=00a=00n=00t=00B=00a=00c=00k=00 =
=00a=00n=00d=00 =00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00 =
=00t=00h=00e=00n=00 =00t=00h=00e=00s=00e=00 =
=00d=00e=00f=00a=00u=00l=00t=00 =00v=00a=00l=00u=00e=00s=00 =00=0D=00=0A=
=00 =00 =
=00(=00C=00V=00R=00e=00q=00u=00e=00s=00t=00-=00&=00g=00t=00;=00Q=00u=00e=00=
r=00y=00-=00&=00g=00t=00;=00W=00a=00n=00t=00B=00a=00c=00k=00,=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00-=00&=00g=00t=00;=00Q=00u=00e=00r=00=
y=00-=00&=00g=00t=00;=00C=00e=00r=00t=00C=00h=00e=00c=00k=00s=00)=00 =
=00M=00U=00S=00T=00 =00b=00e=00 =00=0D=00=0A=
=00 =00 =00p=00r=00e=00s=00e=00n=00t=00 =00a=00n=00d=00 =
=00u=00s=00e=00d=00.=00 =00=0D=00=0A=
=00 =00 =00<=00L=00I=00>=00B=00e=00n=00e=00f=00i=00t=00 =00o=00f=00 =
=00p=00r=00o=00v=00i=00d=00i=00n=00g=00 =00C=00h=00e=00c=00k=00s=00 =
=00a=00n=00d=00 =00W=00a=00n=00t=00B=00a=00c=00k=00 =
=00i=00n=00s=00i=00d=00e=00 =00Q=00u=00e=00r=00y=00 =
=00w=00o=00u=00l=00d=00 =00b=00e=00 =00t=00o=00 =00a=00l=00l=00o=00w=00 =
=00=0D=00=0A=
=00 =00 =00s=00o=00m=00e=00 =00o=00r=00 =00a=00l=00l=00 =00o=00f=00 =
=00t=00h=00e=00 =00C=00e=00r=00t=00 =00i=00n=00s=00i=00d=00e=00 =
=00C=00e=00r=00t=00C=00o=00n=00f=00i=00g=00 =00t=00o=00 =00u=00s=00e=00 =
=00d=00e=00f=00a=00u=00l=00t=00 =00C=00h=00e=00c=00k=00s=00 =00+=00 =
=00W=00a=00n=00t=00B=00a=00c=00k=00 =00=0D=00=0A=
=00 =00 =00s=00e=00t=00t=00i=00n=00g=00s=00 =00t=00h=00u=00s=00 =
=00r=00e=00d=00u=00c=00i=00n=00g=00 =
=00C=00V=00R=00e=00q=00u=00e=00s=00t=00 =00s=00i=00z=00e=00 =
=00a=00n=00d=00 =00t=00h=00u=00s=00 =00r=00e=00d=00u=00c=00e=00s=00 =
=00n=00e=00t=00w=00o=00r=00k=00 =
=00l=00o=00a=00d=00.=00<=00/=00L=00I=00>=00<=00/=00U=00L=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00=
n=00b=00s=00p=00;=00 =
=004=00.=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00=
p=00;=00 =00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00 =
=00s=00t=00r=00u=00c=00t=00u=00r=00e=00 =00n=00e=00e=00d=00s=00 =
=00a=00l=00s=00o=00 =00t=00o=00 =00=0D=00=0A=
=00b=00e=00 =00u=00p=00d=00a=00t=00e=00 =00t=00o=00 =00m=00a=00p=00 =
=00w=00i=00t=00h=00 =00C=00V=00R=00e=00q=00u=00e=00s=00t=00 =
=00o=00p=00t=00i=00o=00n=00s=00 =00b=00y=00 =
=00i=00n=00t=00r=00o=00d=00u=00c=00i=00n=00g=00 =00t=00w=00o=00 =
=00n=00e=00w=00 =00o=00p=00t=00i=00o=00n=00a=00l=00 =
=00o=00b=00j=00e=00c=00t=00s=00 =00=0D=00=0A=
=00a=00s=00 =00b=00e=00l=00o=00w=00:=00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00<=00/=00D=00I=00V=00>=00=0D=
=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00=
n=00b=00s=00p=00;=00 =00C=00V=00R=00e=00s=00p=00o=00n=00s=00e=00 =
=00:=00:=00=3D=00 =00S=00E=00Q=00U=00E=00N=00C=00E=00 =00{=00 =
=00<=00B=00R=00>=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00=
b=00s=00p=00;=00 =00=0D=00=0A=
=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00=
=
=00&=00n=00b=00s=00p=00;=00s=00c=00v=00p=00V=00e=00r=00s=00i=00o=00n=00&=00=
n=00b=00s=00p=00;=00I=00N=00T=00E=00G=00E=00R=00,=00&=00n=00b=00s=00p=00;=
=00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00=
n=00b=00s=00p=00;=00 =
=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00=
&=00n=00b=00s=00p=00;=00 =00=0D=00=0A=
=00.=00.=00.=00.=00.=00.=00.=00<=00B=00R=00>=00&=00n=00b=00s=00p=00;=00&=00=
n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=
=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00=
b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00R=00e=00p=00l=00y=00C=00h=00e=00c=
=00k=00s=00&=00n=00b=00s=00p=00;=00[=008=00]=00 =00=0D=00=0A=
=00R=00e=00p=00l=00y=00C=00h=00e=00c=00k=00s=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00,=00 =
=00<=00B=00R=00>=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00=
b=00s=00p=00;=00 =
=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00=
=00=0D=00=0A=
=00&=00n=00b=00s=00p=00;=00R=00e=00p=00l=00y=00W=00a=00n=00t=00B=00a=00c=00=
k=00s=00&=00n=00b=00s=00p=00;=00[=009=00]=00 =
=00R=00e=00p=00l=00y=00W=00a=00n=00t=00B=00a=00c=00k=00s=00 =
=00O=00P=00T=00I=00O=00N=00A=00L=00<=00B=00R=00>=00&=00n=00b=00s=00p=00;=00=
&=00n=00b=00s=00p=00;=00&=00n=00b=00s=00p=00;=00 =00=0D=00=0A=
=00&=00n=00b=00s=00p=00;=00}=00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00<=00/=00D=00I=00V=00>=00=0D=
=00=0A=
=00<=00D=00I=00V=00>=00I=00n=00 =00a=00d=00d=00i=00t=00i=00o=00n=00 =
=00C=00e=00r=00t=00R=00e=00p=00l=00y=00 =
=00A=00S=00N=00S=00t=00r=00u=00c=00t=00u=00r=00e=00 =
=00s=00h=00o=00u=00l=00d=00 =00a=00l=00s=00o=00 =00b=00e=00 =
=00c=00h=00a=00n=00g=00e=00d=00 =00t=00o=00 =00m=00a=00k=00e=00 =00=0D=00=0A=
=00R=00e=00p=00l=00y=00C=00h=00e=00c=00k=00s=00 =00a=00n=00d=00 =
=00R=00e=00p=00l=00y=00W=00a=00n=00t=00B=00a=00c=00k=00s=00 =00a=00s=00 =
=00o=00p=00t=00i=00o=00n=00a=00l=00.=00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00&=00n=00b=00s=00p=00;=00<=00/=00D=00I=00V=00>=00=0D=
=00=0A=
=00<=00D=00I=00V=00>=00A=00l=00s=00o=00 =00i=00n=00 =
=00Q=00u=00e=00r=00y=00,=00 =00a=00l=00l=00 =00f=00l=00a=00g=00s=00 =
=00(=00R=00e=00q=00u=00e=00s=00t=00R=00e=00f=00H=00a=00s=00h=00,=00 =
=00I=00n=00c=00l=00u=00d=00e=00P=00o=00l=00R=00e=00s=00p=00o=00n=00s=00e=00=
,=00 =00=0D=00=0A=
=00I=00n=00h=00i=00b=00i=00t=00P=00o=00l=00M=00a=00p=00,=00 =
=00R=00e=00q=00u=00i=00r=00e=00E=00x=00p=00l=00i=00c=00i=00t=00P=00o=00l=00=
,=00 =00I=00g=00n=00o=00r=00e=00A=00n=00y=00P=00o=00l=00,=00 =
=00I=00s=00C=00A=00)=00 =00s=00h=00o=00u=00l=00d=00 =00b=00e=00 =
=00o=00p=00t=00i=00o=00n=00a=00l=00 =00=0D=00=0A=
=00i=00n=00s=00t=00e=00a=00d=00 =00o=00f=00 =
=00m=00e=00n=00d=00a=00t=00o=00r=00y=00 =00a=00s=00 =00a=00l=00l=00 =
=00t=00h=00e=00s=00e=00 =00h=00a=00v=00e=00 =
=00d=00e=00f=00a=00u=00l=00t=00 =00v=00a=00l=00u=00e=00s=00 =
=00a=00n=00d=00 =00t=00o=00 =00m=00a=00k=00e=00 =00t=00h=00e=00s=00e=00 =
=00o=00p=00t=00i=00o=00n=00a=00l=00 =00=0D=00=0A=
=00w=00i=00l=00l=00 =00r=00e=00d=00u=00c=00e=00 =
=00n=00e=00t=00w=00o=00r=00k=00 =
=00l=00o=00a=00d=00.=00<=00B=00R=00>=00<=00/=00D=00I=00V=00>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00R=00e=00g=00a=00r=00d=00s=00,=00<=00/=00D=00I=00V=00=
>=00=0D=00=0A=
=00<=00D=00I=00V=00>=00<=00S=00P=00A=00N=00 =00=0D=00=0A=
=00s=00t=00y=00l=00e=00=3D=00"=00F=00O=00N=00T=00-=00S=00I=00Z=00E=00:=00=
=007=00.=005=00p=00t=00;=00 =00C=00O=00L=00O=00R=00:=00 =
=00n=00a=00v=00y=00;=00 =
=00F=00O=00N=00T=00-=00F=00A=00M=00I=00L=00Y=00:=00 =
=00V=00e=00r=00d=00a=00n=00a=00;=00 =
=00m=00s=00o=00-=00n=00o=00-=00p=00r=00o=00o=00f=00:=00 =
=00y=00e=00s=00"=00>=00F=00a=00i=00s=00a=00l=00&=00n=00b=00s=00p=00;=00M=00=
a=00q=00s=00o=00o=00d=00<=00/=00S=00P=00A=00N=00>=00<=00/=00D=00I=00V=00>=
=00=0D=00=0A=
=00<=00D=00I=00V=00>=00<=00S=00P=00A=00N=00 =00=0D=00=0A=
=00s=00t=00y=00l=00e=00=3D=00"=00F=00O=00N=00T=00-=00S=00I=00Z=00E=00:=00=
=007=00.=005=00p=00t=00;=00 =00C=00O=00L=00O=00R=00:=00 =
=00n=00a=00v=00y=00;=00 =
=00F=00O=00N=00T=00-=00F=00A=00M=00I=00L=00Y=00:=00 =
=00V=00e=00r=00d=00a=00n=00a=00;=00 =
=00m=00s=00o=00-=00n=00o=00-=00p=00r=00o=00o=00f=00:=00 =
=00y=00e=00s=00"=00>=00<=00/=00S=00P=00A=00N=00>=00&=00n=00b=00s=00p=00;=00=
<=00/=00D=00I=00V=00>=00<=00/=00D=00I=00V=00>=00<=00/=00D=00I=00V=00>=00<=
=00/=00B=00O=00D=00Y=00>=00<=00/=00H=00T=00M=00L=00>=00=0D=00=0A=
=00
------=_NextPart_000_00D2_01C4701D.5C30C8C0--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MCp8Uu010332; Thu, 22 Jul 2004 05:51:08 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6MCp8OE010331; Thu, 22 Jul 2004 05:51:08 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MCp74q010322 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 05:51:08 -0700 (PDT) (envelope-from DPKemp@missi.ncsc.mil)
Message-ID: <200407221245.i6MCjbAJ008226@stingray.missi.ncsc.mil>
Date: Thu, 22 Jul 2004 08:50:56 -0400
From: "David P. Kemp" <dpkemp@missi.ncsc.mil>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Fisher, James L." <jlf@mitretek.org>
CC: ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <D6F85F437959E24C99E2EE757453E82BED647F@email1.mitretek.org>
In-Reply-To: <D6F85F437959E24C99E2EE757453E82BED647F@email1.mitretek.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 22 Jul 2004 12:51:03.0252 (UTC) FILETIME=[8BD94940:01C46FEA]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
James,
A "Relative Distinguished Name" (RDN) references one element
or object in a tree, like a single "folder" in a Windows
file pathname. But unlike a folder name, an RDN may contain
more than one attribute as long as they all have different
types. [ cn="John Smith" sn=12345 ] is a single RDN with two
names, whereas [ cn="John Smith", sn=12345 ] (note the comma)
is two RDNs each with a single name.
A Distinguished Name (DN) is a full path through the tree.
There may be multiple DC= or OU= attributes at different
levels in the tree, but only one at a given level.
Dave
Fisher, James L. wrote:
>>Russ's "problem" DN does not need to be solved. As David notes, an
>
> attribute type is not allowed to appear more than once in an RDN.
>
> But we frequently see DNs containing multiple "dc=" and "ou="
> attributes. Are those certs in violation of RFC3280 since Section
> 4.1.2.6 references to X.501 names?
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6MBIgVY001455; Thu, 22 Jul 2004 04:18:42 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6MBIgd5001454; Thu, 22 Jul 2004 04:18:42 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail45.messagelabs.com (mail45.messagelabs.com [140.174.2.179]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6MBIfED001432 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 04:18:41 -0700 (PDT) (envelope-from jlf@mitretek.org)
X-VirusChecked: Checked
X-Env-Sender: jlf@mitretek.org
X-Msg-Ref: server-5.tower-45.messagelabs.com!1090495109!4337911
X-StarScan-Version: 5.2.10; banners=-,-,-
X-Originating-IP: [141.156.156.57]
Received: (qmail 8887 invoked from network); 22 Jul 2004 11:18:29 -0000
Received: from mtk-news1.mitretek.org (141.156.156.57) by server-5.tower-45.messagelabs.com with SMTP; 22 Jul 2004 11:18:29 -0000
Received: from email1.mitretek.org (localhost [127.0.0.1]) by mtk-news1.mitretek.org (8.12.10/8.12.10) with ESMTP id i6MBISQm020153 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 07:18:29 -0400 (EDT)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 22 Jul 2004 07:18:22 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Message-ID: <D6F85F437959E24C99E2EE757453E82BED647F@email1.mitretek.org>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Thread-Index: AcRvXffs1xwifDvaQHivIbbSzMcgggAI4a2gABaZgJA=
From: "Fisher, James L." <jlf@mitretek.org>
To: <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6MBIfED001449
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
> Russ's "problem" DN does not need to be solved. As David notes, an
attribute type is not allowed to appear more than once in an RDN.
But we frequently see DNs containing multiple "dc=" and "ou="
attributes. Are those certs in violation of RFC3280 since Section
4.1.2.6 references to X.501 names?
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6M1nemp054359; Wed, 21 Jul 2004 18:49:40 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6M1neck054358; Wed, 21 Jul 2004 18:49:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailao.vtcif.telstra.com.au (mailao.vtcif.telstra.com.au [202.12.144.17]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6M1ncJJ054349 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 18:49:39 -0700 (PDT) (envelope-from James.H.Manger@team.telstra.com)
Received: from mailbi.vtcif.telstra.com.au (mailbi.vtcif.telstra.com.au [202.12.142.19]) by mailao.vtcif.telstra.com.au (Postfix) with ESMTP id C554D23C11 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 11:49:35 +1000 (EST)
Received: from mail.cdn.telstra.com.au (localhost [127.0.0.1]) by mailbi.vtcif.telstra.com.au (Postfix) with ESMTP id 4626A1DA83 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 11:49:35 +1000 (EST)
Received: from WSMSG0004.srv.dir.telstra.com (wsmsg0004.srv.dir.telstra.com [192.74.168.133]) by mail.cdn.telstra.com.au (8.8.2/8.6.9) with ESMTP id LAA01508 for <ietf-pkix@imc.org>; Thu, 22 Jul 2004 11:49:35 +1000 (EST)
content-class: urn:content-classes:message
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Thu, 22 Jul 2004 10:40:00 +1000
Message-ID: <73388857A695D31197EF00508B08F29806EE1B50@ntmsg0131.corpmail.telstra.com.au>
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Thread-Topic: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Thread-Index: AcRvXffs1xwifDvaQHivIbbSzMcgggAI4a2g
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6M1ndJJ054353
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Thanks David.
> cn="John Doe" , o="Acme Ltd" serialNumber="DUNS554433", c=US
Denis's "problem" DN does not need to be solved. The DN does NOT contain a PI for the subject so the CA will not include a PI extension saying it does. End of story.
Russ's "problem" DN does not need to be solved. As David notes, an attribute type is not allowed to appear more than once in an RDN.
I still suggest using my original text changes.
-----Original Message-----
From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil]
Sent: Thursday, 22 July 2004 5:58 AM
To: Denis Pinkas
Cc: Russ Housley; Manger, James H; ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber
attribute
Denis,
Your two conditions below are logical but unnecessarily
restrictive.
Consider James' original (correct) example:
[1] cn="John Doe" serialNumber=12345, o="Acme Ltd"
serialNumber="DUNS 554433", c=US
and a modification (poorly-structured, but legal) that uses
only single-valued RDNs:
[2] cn="John Doe", serialNumber=12345, o="Acme Ltd",
serialNumber="DUNS 554433", c=US
and your example:
[3] cn="John Doe", o="Acme Ltd", serialNumber="DUNS 554433", c=US
I do not believe it is necessary to prohibit [2] in order to
prevent [3]. Instead, if the SAN identifierValue is absent:
1 - if there are one or more RDNs containing a serialNumber
attribute (alone or accompanied by other attributes), then
the value contained in the serialNumber of the deepest
such RDN shall be used as the identifierValue.
2 - otherwise, the CA is in error.
X.501 (02/2001) section 9.3, which appears to be normative,
not informative, prohibits a given attribute type from
appearing more than once in the same RDN. The origin of
Russ' comments regarding the possibility of multiple
serialNumber attributes in a single RDN is unclear.
Dave
Denis Pinkas wrote:
>
> 1 - if there is one serialNumber attribute alone in a RDN (i.e. no
> other attribute is present in that RDN), then *there shall
> only be one such RDN and* the value contained in the
> serialNumber attribute shall be used as the identifierValue;
>
> 2 - if there is no serialNumber attribute alone in a RDN, then the
> deepest RDN shall include a *single* serialNumber attribute
> and the value contained in that serialNumber shall be used
> as the identifierValue.
>
> Denis
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LJwW0b021773; Wed, 21 Jul 2004 12:58:32 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LJwWCL021772; Wed, 21 Jul 2004 12:58:32 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LJwVpb021764 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 12:58:31 -0700 (PDT) (envelope-from DPKemp@missi.ncsc.mil)
Message-ID: <200407211952.i6LJqXAJ022508@stingray.missi.ncsc.mil>
Date: Wed, 21 Jul 2004 15:57:54 -0400
From: "David P. Kemp" <dpkemp@missi.ncsc.mil>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Denis Pinkas <Denis.Pinkas@bull.net>
CC: Russ Housley <housley@vigilsec.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au> <6.1.1.1.2.20040721105229.035faf80@mail.binhost.com> <40FE9323.8090306@bull.net>
In-Reply-To: <40FE9323.8090306@bull.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 21 Jul 2004 19:57:55.0437 (UTC) FILETIME=[037CD1D0:01C46F5D]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Denis,
Your two conditions below are logical but unnecessarily
restrictive.
Consider James' original (correct) example:
[1] cn="John Doe" serialNumber=12345, o="Acme Ltd"
serialNumber="DUNS 554433", c=US
and a modification (poorly-structured, but legal) that uses
only single-valued RDNs:
[2] cn="John Doe", serialNumber=12345, o="Acme Ltd",
serialNumber="DUNS 554433", c=US
and your example:
[3] cn="John Doe", o="Acme Ltd", serialNumber="DUNS 554433", c=US
I do not believe it is necessary to prohibit [2] in order to
prevent [3]. Instead, if the SAN identifierValue is absent:
1 - if there are one or more RDNs containing a serialNumber
attribute (alone or accompanied by other attributes), then
the value contained in the serialNumber of the deepest
such RDN shall be used as the identifierValue.
2 - otherwise, the CA is in error.
X.501 (02/2001) section 9.3, which appears to be normative,
not informative, prohibits a given attribute type from
appearing more than once in the same RDN. The origin of
Russ' comments regarding the possibility of multiple
serialNumber attributes in a single RDN is unclear.
Dave
Denis Pinkas wrote:
>
> 1 - if there is one serialNumber attribute alone in a RDN (i.e. no
> other attribute is present in that RDN), then *there shall
> only be one such RDN and* the value contained in the
> serialNumber attribute shall be used as the identifierValue;
>
> 2 - if there is no serialNumber attribute alone in a RDN, then the
> deepest RDN shall include a *single* serialNumber attribute
> and the value contained in that serialNumber shall be used
> as the identifierValue.
>
> Denis
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGflwC003618; Wed, 21 Jul 2004 09:41:47 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LGfl79003617; Wed, 21 Jul 2004 09:41:47 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGfk9Q003607 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 09:41:46 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA08038; Wed, 21 Jul 2004 18:52:02 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id SAA09711; Wed, 21 Jul 2004 18:41:36 +0200
Message-ID: <40FE9C88.8030208@bull.net>
Date: Wed, 21 Jul 2004 18:40:40 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: Alberti Antoine <aalberti@axway.com>
CC: Russ Housley <housley@vigilsec.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <C1D2450FEBBA8C49BAA732EFB008A9ED0D805D@WEXCHBE01-VS.ptx.fr.sopra>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6LGfl9Q003612
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
> I wonder if it is realistic to set constraints on DNs in the PKI standards:
> one may not be able to use a DN that existed before the certificate
> creation or renewal if the DN does not match the new rules. In this case,
> what does the DN mean if it has to change from time to time, that is to
> say if it does not identify the owner of the cert (I know it is already
> the case, but it is not necessarily a reason to make this even more
> true) ?
Using a serialNumber attribute is not mandatory to be able to use the PI
feature. Some forms of DN will be able to support a serialNumber as the
value of the identifierValue, while some others will not. In such a case, an
explicit identifierValue can be used.
The proposed text only excludes the case where a RDN sequence would contain
two or more serialNumber attributes in isolation. This is none of the
examples given.
The constraint seems thus reasonable.
Denis
> Regards.
> Antoine Alberti.
>
>
>>-----Message d'origine-----
>>De : owner-ietf-pkix@mail.imc.org
>>[mailto:owner-ietf-pkix@mail.imc.org]De la part de Denis Pinkas
>>Envoyé : mercredi 21 juillet 2004 18:01
>>À : Russ Housley
>>Cc : Manger, James H; ietf-pkix@imc.org
>>Objet : Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber
>>attribute
>>
>>
>>
>>Russ,
>>
>>I would think that you wrote this e-mail before getting mine
>>on the same
>>topic. When reading your e-mail, I would believe that the two
>>cases would
>>need to be changed from:
>>
>>1 - if there is one serialNumber attribute alone in a RDN (i.e. no
>> other attribute is present in that RDN), then the value contained
>> in that serialNumber shall be used as the identifierValue;
>>
>>2 - if there is no serialNumber attribute alone in a RDN, then the
>> deepest RDN shall include a serialNumber attribute and the
>> value contained in that serialNumber shall be used as the
>> identifierValue.
>>
>>to:
>>
>>1 - if there is one serialNumber attribute alone in a RDN (i.e. no
>> other attribute is present in that RDN), then *there shall
>> only be one such RDN and* the value contained in the
>> serialNumber attribute shall be used as the identifierValue;
>>
>>2 - if there is no serialNumber attribute alone in a RDN, then the
>> deepest RDN shall include a *single* serialNumber attribute
>> and the value contained in that serialNumber shall be used
>> as the identifierValue.
>>
>>Denis
>>
>>
>>
>>>James:
>>>
>>>The authors put the serial number restriction into the document in
>>>response to a comment from me. In the example that you
>>
>>provide, there
>>
>>>is not a problem. However, one can construct a
>>
>>distinguished name that
>>
>>>is ambiguous. The X.500 series of documents give us a very complex
>>>structure for Name:
>>>
>>> Name ::= CHOICE {
>>> RDNSequence }
>>>
>>> RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
>>>
>>> RelativeDistinguishedName ::=
>>> SET OF AttributeTypeAndValue
>>>
>>> AttributeTypeAndValue ::= SEQUENCE {
>>> type AttributeType,
>>> value AttributeValue }
>>>
>>> AttributeType ::= OBJECT IDENTIFIER
>>>
>>> AttributeValue ::= ANY DEFINED BY AttributeType
>>>
>>>Since RelativeDistinguishedName is a SET, it is possible to
>>
>>have more
>>
>>>than one attribute at the same level. If this level were
>>
>>to include
>>
>>>more than one SerialNumber attribute, then it would not be
>>
>>clear which
>>
>>>one to use as the permanent identifier. Since it is a SET,
>>
>>one cannot
>>
>>>rely on order to help resolve this issue. They would be
>>
>>equally "deep"
>>
>>>in the RDNSequence.
>>>
>>>I admit that no one in their right mind would design a
>>
>>schema like this,
>>
>>>but sadly, the structure permits an uninformed person to make some
>>>really bad choices. Further, guidance in this area was
>>
>>removed from the
>>
>>>X.500 series of documents. The informative information
>>
>>that was once
>>
>>>present was removed because some implementors treated it as
>>
>>normative.
>>
>>>Russ
>>>
>>>
>>>At 01:07 AM 7/19/2004, Manger, James H wrote:
>>>
>>>
>>>>1.
>>>>The ability to flag a serialNumber attribute value in the
>>>
>>subject name
>>
>>>>as a permanent identifier is a nice feature. Requiring that there
>>>>only be a single serialNumber attribute, however, is unnecessarily
>>>>restrictive. It seems quite sensible to use serialNumber
>>>
>>attributes
>>
>>>>to hold company numbers, org unit ids and/or personal
>>>
>>identifiers.
>>
>>>>For example: cn="John Doe" serialNumber=12345, o="Acme Ltd"
>>>>serialNumber="DUNS 554433", c=US. The PI extension would
>>>
>>refer to 12345.
>>
>>>>[Section 2] Change the ASN.1 comment for the
>>>
>>identifierValue field of
>>
>>>>PermanentIdentifier to:
>>>>" -- if absent, use the deepest serialNumber attribute
>>>
>>value in the
>>
>>>>subject DN"
>>>>
>>>>[Section 2] Change the paragraph that begins "When the
>>>
>>identifierValue
>>
>>>>field is absent" to:
>>>>"When the identifierValue field is absent, then the deepest
>>>>serialNumber attribute value from the subject DN is the
>>>
>>value to be
>>
>>>>taken for the identifierValue. An attribute is "deeper"
>>>
>>if it occurs
>>
>>>>later in the sequence of RDNs that make up the DN. A "deeper"
>>>>attribute occurs earlier in the string representation of a DN
>>>>[RFC2253], which start encoding the last element of the
>>>
>>RDN sequence
>>
>>>>that makes up a DN and moves backwards towards the first. The
>>>>PermanentIdentifier SHALL NOT be used if there is no serialNumber
>>>>attribute in the subject DN.
>>>>
>>>>
>>>>
>>>>2.
>>>>Why can't the assigner field be present but the
>>>
>>identifierValue field
>>
>>>>be absent (refer to the serialNumber attribute)? An absent
>>>>identifierValue is simply "shorthand" to avoid duplicating
>>>
>>a value --
>>
>>>>it doesn't really have any sematic value so shouldn't have
>>>
>>any impact
>>
>>>>on the assigner field (or vice versa).
>>>>
>>>>
>>>>
>>>>3.
>>>>The security considerations section mentions an
>>>
>>identifierType field
>>
>>>>that no longer exists.
>>>>
>>>>
>>>>
>>>>>----------
>>>>>From: Internet-Drafts@ietf.org
>>>>
>>>>[mailto:Internet-Drafts@ietf.org]
>>>>
>>>>>Sent: Wednesday, 14 July 2004 6:05 AM
>>>>>
>>>>> Title : Internet X.509 Public Key Infrastructure
>>>>
>>>>Permanent Identifier
>>>>
>>>>> Author(s) : D. Pinkas, T. Gindin
>>>>> Filename : draft-ietf-pkix-pi-10.txt
>>>>> Date : 2004-7-13
>>>>>
>>>>>http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
>>>>>
>>>>> ----------
>>>>> From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
>>>>> Sent: Thursday, 15 July 2004 6:06 PM
>>>>> Cc: ietf-pkix@imc.org
>>>>>
>>>>
>>>> ... the definition of the PI has been
>>>
>>changed to allow
>>
>>>>to use the serialNumber attribute from the subject DN.
>>>
>>>
>>>
>>
>>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGKhoo099437; Wed, 21 Jul 2004 09:20:43 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LGKhbA099436; Wed, 21 Jul 2004 09:20:43 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from outbound1.sopragroup.com (outbound1.z-ptx-11.fr.sopragroup.com [81.80.239.198]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGKfCb099364 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 09:20:42 -0700 (PDT) (envelope-from aalberti@axway.com)
Received: by outbound1.sopragroup.com (8.12.10/8.12.10/outbound-A02) with ESMTP id i6LGK6Kp006886; Wed, 21 Jul 2004 18:20:07 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.0.6556.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Date: Wed, 21 Jul 2004 18:20:06 +0200
Message-ID: <C1D2450FEBBA8C49BAA732EFB008A9ED0D805D@WEXCHBE01-VS.ptx.fr.sopra>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Thread-Index: AcRvPMxYAgDEz69MTIOwiUH7/WDo3gAANlPg
From: "Alberti Antoine" <aalberti@axway.com>
To: "Denis Pinkas" <Denis.Pinkas@bull.net>, "Russ Housley" <housley@vigilsec.com>
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, <ietf-pkix@imc.org>
X-OriginalArrivalTime: 21 Jul 2004 16:27:16.0062 (UTC) FILETIME=[95D53FE0:01C46F3F]
X-Scanned-By: MIMEDefang 2.38
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6LGKhCb099431
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I wonder if it is realistic to set constraints on DNs in the PKI standards: one may not be able to use a DN that existed before the certificate creation or renewal if the DN does not match the new rules. In this case, what does the DN mean if it has to change from time to time, that is to say if it does not identify the owner of the cert (I know it is already the case, but it is not necessarily a reason to make this even more true) ?
Regards.
Antoine Alberti.
> -----Message d'origine-----
> De : owner-ietf-pkix@mail.imc.org
> [mailto:owner-ietf-pkix@mail.imc.org]De la part de Denis Pinkas
> Envoyé : mercredi 21 juillet 2004 18:01
> À : Russ Housley
> Cc : Manger, James H; ietf-pkix@imc.org
> Objet : Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber
> attribute
>
>
>
> Russ,
>
> I would think that you wrote this e-mail before getting mine
> on the same
> topic. When reading your e-mail, I would believe that the two
> cases would
> need to be changed from:
>
> 1 - if there is one serialNumber attribute alone in a RDN (i.e. no
> other attribute is present in that RDN), then the value contained
> in that serialNumber shall be used as the identifierValue;
>
> 2 - if there is no serialNumber attribute alone in a RDN, then the
> deepest RDN shall include a serialNumber attribute and the
> value contained in that serialNumber shall be used as the
> identifierValue.
>
> to:
>
> 1 - if there is one serialNumber attribute alone in a RDN (i.e. no
> other attribute is present in that RDN), then *there shall
> only be one such RDN and* the value contained in the
> serialNumber attribute shall be used as the identifierValue;
>
> 2 - if there is no serialNumber attribute alone in a RDN, then the
> deepest RDN shall include a *single* serialNumber attribute
> and the value contained in that serialNumber shall be used
> as the identifierValue.
>
> Denis
>
>
> > James:
> >
> > The authors put the serial number restriction into the document in
> > response to a comment from me. In the example that you
> provide, there
> > is not a problem. However, one can construct a
> distinguished name that
> > is ambiguous. The X.500 series of documents give us a very complex
> > structure for Name:
> >
> > Name ::= CHOICE {
> > RDNSequence }
> >
> > RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
> >
> > RelativeDistinguishedName ::=
> > SET OF AttributeTypeAndValue
> >
> > AttributeTypeAndValue ::= SEQUENCE {
> > type AttributeType,
> > value AttributeValue }
> >
> > AttributeType ::= OBJECT IDENTIFIER
> >
> > AttributeValue ::= ANY DEFINED BY AttributeType
> >
> > Since RelativeDistinguishedName is a SET, it is possible to
> have more
> > than one attribute at the same level. If this level were
> to include
> > more than one SerialNumber attribute, then it would not be
> clear which
> > one to use as the permanent identifier. Since it is a SET,
> one cannot
> > rely on order to help resolve this issue. They would be
> equally "deep"
> > in the RDNSequence.
> >
> > I admit that no one in their right mind would design a
> schema like this,
> > but sadly, the structure permits an uninformed person to make some
> > really bad choices. Further, guidance in this area was
> removed from the
> > X.500 series of documents. The informative information
> that was once
> > present was removed because some implementors treated it as
> normative.
> >
> > Russ
> >
> >
> > At 01:07 AM 7/19/2004, Manger, James H wrote:
> >
> >> 1.
> >> The ability to flag a serialNumber attribute value in the
> subject name
> >> as a permanent identifier is a nice feature. Requiring that there
> >> only be a single serialNumber attribute, however, is unnecessarily
> >> restrictive. It seems quite sensible to use serialNumber
> attributes
> >> to hold company numbers, org unit ids and/or personal
> identifiers.
> >> For example: cn="John Doe" serialNumber=12345, o="Acme Ltd"
> >> serialNumber="DUNS 554433", c=US. The PI extension would
> refer to 12345.
> >>
> >> [Section 2] Change the ASN.1 comment for the
> identifierValue field of
> >> PermanentIdentifier to:
> >> " -- if absent, use the deepest serialNumber attribute
> value in the
> >> subject DN"
> >>
> >> [Section 2] Change the paragraph that begins "When the
> identifierValue
> >> field is absent" to:
> >> "When the identifierValue field is absent, then the deepest
> >> serialNumber attribute value from the subject DN is the
> value to be
> >> taken for the identifierValue. An attribute is "deeper"
> if it occurs
> >> later in the sequence of RDNs that make up the DN. A "deeper"
> >> attribute occurs earlier in the string representation of a DN
> >> [RFC2253], which start encoding the last element of the
> RDN sequence
> >> that makes up a DN and moves backwards towards the first. The
> >> PermanentIdentifier SHALL NOT be used if there is no serialNumber
> >> attribute in the subject DN.
> >>
> >>
> >>
> >> 2.
> >> Why can't the assigner field be present but the
> identifierValue field
> >> be absent (refer to the serialNumber attribute)? An absent
> >> identifierValue is simply "shorthand" to avoid duplicating
> a value --
> >> it doesn't really have any sematic value so shouldn't have
> any impact
> >> on the assigner field (or vice versa).
> >>
> >>
> >>
> >> 3.
> >> The security considerations section mentions an
> identifierType field
> >> that no longer exists.
> >>
> >>
> >> > ----------
> >> > From: Internet-Drafts@ietf.org
> >> [mailto:Internet-Drafts@ietf.org]
> >> > Sent: Wednesday, 14 July 2004 6:05 AM
> >> >
> >> > Title : Internet X.509 Public Key Infrastructure
> >> Permanent Identifier
> >> > Author(s) : D. Pinkas, T. Gindin
> >> > Filename : draft-ietf-pkix-pi-10.txt
> >> > Date : 2004-7-13
> >> >
> >> > http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
> >> >
> >> > ----------
> >> > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
> >> > Sent: Thursday, 15 July 2004 6:06 PM
> >> > Cc: ietf-pkix@imc.org
> >> >
> >> ... the definition of the PI has been
> changed to allow
> >> to use the serialNumber attribute from the subject DN.
> >
> >
> >
>
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LGDcpg098801; Wed, 21 Jul 2004 09:13:38 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LGDcKG098800; Wed, 21 Jul 2004 09:13:38 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6LGDbcG098793 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 09:13:38 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 6222 invoked by uid 0); 21 Jul 2004 16:06:41 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.154.86) by woodstock.binhost.com with SMTP; 21 Jul 2004 16:06:41 -0000
Message-Id: <6.1.1.1.2.20040721121259.0391cca8@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Wed, 21 Jul 2004 12:14:07 -0400
To: Denis Pinkas <Denis.Pinkas@bull.net>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, ietf-pkix@imc.org
In-Reply-To: <40FE9323.8090306@bull.net>
References: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au> <6.1.1.1.2.20040721105229.035faf80@mail.binhost.com> <40FE9323.8090306@bull.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Denis:
Yes, I did write this before I saw your response.
Russ
At 12:00 PM 7/21/2004, Denis Pinkas wrote:
>Russ,
>
>I would think that you wrote this e-mail before getting mine on the same
>topic. When reading your e-mail, I would believe that the two cases would
>need to be changed from:
>
>1 - if there is one serialNumber attribute alone in a RDN (i.e. no
> other attribute is present in that RDN), then the value contained
> in that serialNumber shall be used as the identifierValue;
>
>2 - if there is no serialNumber attribute alone in a RDN, then the
> deepest RDN shall include a serialNumber attribute and the
> value contained in that serialNumber shall be used as the
> identifierValue.
>
>to:
>
>1 - if there is one serialNumber attribute alone in a RDN (i.e. no
> other attribute is present in that RDN), then *there shall
> only be one such RDN and* the value contained in the
> serialNumber attribute shall be used as the identifierValue;
>
>2 - if there is no serialNumber attribute alone in a RDN, then the
> deepest RDN shall include a *single* serialNumber attribute
> and the value contained in that serialNumber shall be used
> as the identifierValue.
>
>Denis
>
>
>>James:
>>The authors put the serial number restriction into the document in
>>response to a comment from me. In the example that you provide, there is
>>not a problem. However, one can construct a distinguished name that is
>>ambiguous. The X.500 series of documents give us a very complex
>>structure for Name:
>> Name ::= CHOICE {
>> RDNSequence }
>> RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
>> RelativeDistinguishedName ::=
>> SET OF AttributeTypeAndValue
>> AttributeTypeAndValue ::= SEQUENCE {
>> type AttributeType,
>> value AttributeValue }
>> AttributeType ::= OBJECT IDENTIFIER
>> AttributeValue ::= ANY DEFINED BY AttributeType
>>Since RelativeDistinguishedName is a SET, it is possible to have more
>>than one attribute at the same level. If this level were to include more
>>than one SerialNumber attribute, then it would not be clear which one to
>>use as the permanent identifier. Since it is a SET, one cannot rely on
>>order to help resolve this issue. They would be equally "deep" in the
>>RDNSequence.
>>I admit that no one in their right mind would design a schema like this,
>>but sadly, the structure permits an uninformed person to make some really
>>bad choices. Further, guidance in this area was removed from the X.500
>>series of documents. The informative information that was once present
>>was removed because some implementors treated it as normative.
>>Russ
>>
>>At 01:07 AM 7/19/2004, Manger, James H wrote:
>>
>>>1.
>>>The ability to flag a serialNumber attribute value in the subject name
>>>as a permanent identifier is a nice feature. Requiring that there only
>>>be a single serialNumber attribute, however, is unnecessarily
>>>restrictive. It seems quite sensible to use serialNumber attributes to
>>>hold company numbers, org unit ids and/or personal identifiers.
>>>For example: cn="John Doe" serialNumber=12345, o="Acme Ltd"
>>>serialNumber="DUNS 554433", c=US. The PI extension would refer to 12345.
>>>
>>>[Section 2] Change the ASN.1 comment for the identifierValue field of
>>>PermanentIdentifier to:
>>>" -- if absent, use the deepest serialNumber attribute value in the
>>>subject DN"
>>>
>>>[Section 2] Change the paragraph that begins "When the identifierValue
>>>field is absent" to:
>>>"When the identifierValue field is absent, then the deepest serialNumber
>>>attribute value from the subject DN is the value to be taken for the
>>>identifierValue. An attribute is "deeper" if it occurs later in the
>>>sequence of RDNs that make up the DN. A "deeper" attribute occurs
>>>earlier in the string representation of a DN [RFC2253], which start
>>>encoding the last element of the RDN sequence that makes up a DN and
>>>moves backwards towards the first. The PermanentIdentifier SHALL NOT be
>>>used if there is no serialNumber attribute in the subject DN.
>>>
>>>
>>>
>>>2.
>>>Why can't the assigner field be present but the identifierValue field be
>>>absent (refer to the serialNumber attribute)? An absent identifierValue
>>>is simply "shorthand" to avoid duplicating a value -- it doesn't really
>>>have any sematic value so shouldn't have any impact on the assigner
>>>field (or vice versa).
>>>
>>>
>>>
>>>3.
>>>The security considerations section mentions an identifierType field
>>>that no longer exists.
>>>
>>>
>>> > ----------
>>> > From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org]
>>> > Sent: Wednesday, 14 July 2004 6:05 AM
>>> >
>>> > Title : Internet X.509 Public Key Infrastructure
>>> Permanent Identifier
>>> > Author(s) : D. Pinkas, T. Gindin
>>> > Filename : draft-ietf-pkix-pi-10.txt
>>> > Date : 2004-7-13
>>> >
>>> > http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
>>> >
>>> > ----------
>>> > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
>>> > Sent: Thursday, 15 July 2004 6:06 PM
>>> > Cc: ietf-pkix@imc.org
>>> >
>>> ... the definition of the PI has been changed to allow
>>> to use the serialNumber attribute from the subject DN.
>>
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LG1huY097791; Wed, 21 Jul 2004 09:01:43 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LG1hqK097790; Wed, 21 Jul 2004 09:01:43 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LG1gor097779 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 09:01:42 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA32066; Wed, 21 Jul 2004 18:11:57 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id SAA02689; Wed, 21 Jul 2004 18:01:31 +0200
Message-ID: <40FE9323.8090306@bull.net>
Date: Wed, 21 Jul 2004 18:00:35 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>
CC: "Manger, James H" <James.H.Manger@team.telstra.com>, ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au> <6.1.1.1.2.20040721105229.035faf80@mail.binhost.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
I would think that you wrote this e-mail before getting mine on the same
topic. When reading your e-mail, I would believe that the two cases would
need to be changed from:
1 - if there is one serialNumber attribute alone in a RDN (i.e. no
other attribute is present in that RDN), then the value contained
in that serialNumber shall be used as the identifierValue;
2 - if there is no serialNumber attribute alone in a RDN, then the
deepest RDN shall include a serialNumber attribute and the
value contained in that serialNumber shall be used as the
identifierValue.
to:
1 - if there is one serialNumber attribute alone in a RDN (i.e. no
other attribute is present in that RDN), then *there shall
only be one such RDN and* the value contained in the
serialNumber attribute shall be used as the identifierValue;
2 - if there is no serialNumber attribute alone in a RDN, then the
deepest RDN shall include a *single* serialNumber attribute
and the value contained in that serialNumber shall be used
as the identifierValue.
Denis
> James:
>
> The authors put the serial number restriction into the document in
> response to a comment from me. In the example that you provide, there
> is not a problem. However, one can construct a distinguished name that
> is ambiguous. The X.500 series of documents give us a very complex
> structure for Name:
>
> Name ::= CHOICE {
> RDNSequence }
>
> RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
>
> RelativeDistinguishedName ::=
> SET OF AttributeTypeAndValue
>
> AttributeTypeAndValue ::= SEQUENCE {
> type AttributeType,
> value AttributeValue }
>
> AttributeType ::= OBJECT IDENTIFIER
>
> AttributeValue ::= ANY DEFINED BY AttributeType
>
> Since RelativeDistinguishedName is a SET, it is possible to have more
> than one attribute at the same level. If this level were to include
> more than one SerialNumber attribute, then it would not be clear which
> one to use as the permanent identifier. Since it is a SET, one cannot
> rely on order to help resolve this issue. They would be equally "deep"
> in the RDNSequence.
>
> I admit that no one in their right mind would design a schema like this,
> but sadly, the structure permits an uninformed person to make some
> really bad choices. Further, guidance in this area was removed from the
> X.500 series of documents. The informative information that was once
> present was removed because some implementors treated it as normative.
>
> Russ
>
>
> At 01:07 AM 7/19/2004, Manger, James H wrote:
>
>> 1.
>> The ability to flag a serialNumber attribute value in the subject name
>> as a permanent identifier is a nice feature. Requiring that there
>> only be a single serialNumber attribute, however, is unnecessarily
>> restrictive. It seems quite sensible to use serialNumber attributes
>> to hold company numbers, org unit ids and/or personal identifiers.
>> For example: cn="John Doe" serialNumber=12345, o="Acme Ltd"
>> serialNumber="DUNS 554433", c=US. The PI extension would refer to 12345.
>>
>> [Section 2] Change the ASN.1 comment for the identifierValue field of
>> PermanentIdentifier to:
>> " -- if absent, use the deepest serialNumber attribute value in the
>> subject DN"
>>
>> [Section 2] Change the paragraph that begins "When the identifierValue
>> field is absent" to:
>> "When the identifierValue field is absent, then the deepest
>> serialNumber attribute value from the subject DN is the value to be
>> taken for the identifierValue. An attribute is "deeper" if it occurs
>> later in the sequence of RDNs that make up the DN. A "deeper"
>> attribute occurs earlier in the string representation of a DN
>> [RFC2253], which start encoding the last element of the RDN sequence
>> that makes up a DN and moves backwards towards the first. The
>> PermanentIdentifier SHALL NOT be used if there is no serialNumber
>> attribute in the subject DN.
>>
>>
>>
>> 2.
>> Why can't the assigner field be present but the identifierValue field
>> be absent (refer to the serialNumber attribute)? An absent
>> identifierValue is simply "shorthand" to avoid duplicating a value --
>> it doesn't really have any sematic value so shouldn't have any impact
>> on the assigner field (or vice versa).
>>
>>
>>
>> 3.
>> The security considerations section mentions an identifierType field
>> that no longer exists.
>>
>>
>> > ----------
>> > From: Internet-Drafts@ietf.org
>> [mailto:Internet-Drafts@ietf.org]
>> > Sent: Wednesday, 14 July 2004 6:05 AM
>> >
>> > Title : Internet X.509 Public Key Infrastructure
>> Permanent Identifier
>> > Author(s) : D. Pinkas, T. Gindin
>> > Filename : draft-ietf-pkix-pi-10.txt
>> > Date : 2004-7-13
>> >
>> > http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
>> >
>> > ----------
>> > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
>> > Sent: Thursday, 15 July 2004 6:06 PM
>> > Cc: ietf-pkix@imc.org
>> >
>> ... the definition of the PI has been changed to allow
>> to use the serialNumber attribute from the subject DN.
>
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LFQQLK094339; Wed, 21 Jul 2004 08:26:26 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LFQQjT094338; Wed, 21 Jul 2004 08:26:26 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from av3-2-sn4.m-sp.skanova.net (av3-2-sn4.m-sp.skanova.net [81.228.10.113]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LFQP9k094317 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 08:26:26 -0700 (PDT) (envelope-from anders.rundgren@telia.com)
Received: by av3-2-sn4.m-sp.skanova.net (Postfix, from userid 502) id 9ECA037ED6; Wed, 21 Jul 2004 17:26:14 +0200 (CEST)
Received: from smtp2-2-sn4.m-sp.skanova.net (smtp2-2-sn4.m-sp.skanova.net [81.228.10.182]) by av3-2-sn4.m-sp.skanova.net (Postfix) with ESMTP id 8DA7037E46; Wed, 21 Jul 2004 17:26:14 +0200 (CEST)
Received: from arport (t11o913p10.telia.com [213.64.28.10]) by smtp2-2-sn4.m-sp.skanova.net (Postfix) with SMTP id 8714337E49; Wed, 21 Jul 2004 17:26:11 +0200 (CEST)
Message-ID: <00a001c46f36$a5abe6c0$0500a8c0@arport>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: <ietf-pkix@imc.org>
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, "Denis Pinkas" <Denis.Pinkas@bull.net>
References: <73388857A695D31197EF00508B08F29806EE1B4B@ntmsg0131.corpmail.telstra.com.au>
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Date: Wed, 21 Jul 2004 17:23:14 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Denis,
James is probably right regarding multiple serialNumbers.
But why didn't you rather showed him that you actually can handle multiple
PI's by using the subjectAltName-only variant for the company ID?
However, that James put a DUNS 554433 "sort-of-PI" in the subject
DN, again illustrates the obvious: It is non-intuitive to put names
in other places than in DNs. This includes assigners as well.
That X.520 does not support assigners is hardly an argument as
the X.500 people apparently didn't understood the importance of
permanent identifier concepts, so we are now actually "patching"
X.500. Patches usually "look" ugly but they may "work" completely
OK anyway.
We may ignore this fact, but it will most likely just show up again in
homebrewed constructs like the one James (accidentally?) created.
To further complicate things: That the "subject" is John Doe
is only valid from a strict X.500 point of view. If this certificate
is actually associated with a signed purchase order that a relying
party (supplier) has just received, they hardly regard John Doe
(who they may never ever have heard of) as the "important" thing
but rather "Acme Ltd" and "DUNS 554433". Well, I actually
lied here because they will not bother with the certificate DN
at all as this name scheme is entirely different to the name
schemes used in business messages. Only X.500 experts can
on case-per-case basis, manually and only occasionally do this
name matching. That PIs insist on using OIDs for authorities,
thereby avoiding intelligible expressions like "DUNS" or
http://www.dnb.com/duns, will postpone this for security
reasons highly wanted name matching for yet another decade.
e-Business folks generally have no idea what an OID is, and
before PIs they had no reason to know it either.
============================================
A properly designed PI OTOH, could be the bridge between
identities in certificates and business messages that X.500
as it stands today never achieved, and never will either!
============================================
But if the only goal is to get PI out now, I guess we might as well
support things like James' "sort-of-PI" scheme by keeping focus on
the "deepest" serialNumber.
That was deep :-)
Anders
----- Original Message -----
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "Denis Pinkas" <Denis.Pinkas@bull.net>; <ietf-pkix@imc.org>
Sent: Wednesday, July 21, 2004 03:15
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
That is wrong.
A DN names an object by describing a path to it through a hierarchy of
other objects. Each RDN consists of attributes of one of those *other*
objects. Only the last RDN has attributes of the actual named object.
A serialNumber attribute (like any other attribute) can appear multiple
times -- once for each level of the hierarchy (ie once for each RDN).
RDN = *Relative* Distinguished Name.
[Note. No attribute type can appear multiple times within a single RDN.]
In my sample DN:
cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS
554433", c=US
there are 3 objects: a country, a company and a person. The person only
has one serialNumber. The company is an object in its own right so it
can have its own serialNumber.
So please reconsider my suggestion (1) that when identifierValue is
absent the deepest serialNumber value is used.
[Theoretically, the PI draft could require the serialNumber be in the
deepest RDN. This would ensure the serialNumber is an attribute of the
named object, not of some parent object. However, I would not recommend
that. It is not unusual for DNs (particularly in certificates) to only
use 1 attribute per RDN, even if some of the attributes all relate to
the same logical object.]
----------
From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
Sent: Wednesday, 21 July 2004 12:01 AM
Section 5.2.9 from X520 defines the serial Number attribute as follows:
"The serial Number attribute type specifies an identifier, the serial
number
of an objet."
The serial Number attribute applies to the object, not to a RDN
component.
Thus, unless it is an error, there can't be multiple serial Number
attributes in a DN.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LF2gh2090932; Wed, 21 Jul 2004 08:02:42 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LF2gfN090931; Wed, 21 Jul 2004 08:02:42 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6LF2fwZ090925 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 08:02:42 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 20365 invoked by uid 0); 21 Jul 2004 14:55:27 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.137.25) by woodstock.binhost.com with SMTP; 21 Jul 2004 14:55:27 -0000
Message-Id: <6.1.1.1.2.20040721105229.035faf80@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Wed, 21 Jul 2004 11:02:43 -0400
To: "Manger, James H" <James.H.Manger@team.telstra.com>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
In-Reply-To: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmai l.telstra.com.au>
References: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
James:
The authors put the serial number restriction into the document in response
to a comment from me. In the example that you provide, there is not a
problem. However, one can construct a distinguished name that is
ambiguous. The X.500 series of documents give us a very complex structure
for Name:
Name ::= CHOICE {
RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::=
SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY DEFINED BY AttributeType
Since RelativeDistinguishedName is a SET, it is possible to have more than
one attribute at the same level. If this level were to include more than
one SerialNumber attribute, then it would not be clear which one to use as
the permanent identifier. Since it is a SET, one cannot rely on order to
help resolve this issue. They would be equally "deep" in the RDNSequence.
I admit that no one in their right mind would design a schema like this,
but sadly, the structure permits an uninformed person to make some really
bad choices. Further, guidance in this area was removed from the X.500
series of documents. The informative information that was once present was
removed because some implementors treated it as normative.
Russ
At 01:07 AM 7/19/2004, Manger, James H wrote:
>1.
>The ability to flag a serialNumber attribute value in the subject name as
>a permanent identifier is a nice feature. Requiring that there only be a
>single serialNumber attribute, however, is unnecessarily restrictive. It
>seems quite sensible to use serialNumber attributes to hold company
>numbers, org unit ids and/or personal identifiers. For example: cn="John
>Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS 554433",
>c=US. The PI extension would refer to 12345.
>
>[Section 2] Change the ASN.1 comment for the identifierValue field of
>PermanentIdentifier to:
>" -- if absent, use the deepest serialNumber attribute value in the
>subject DN"
>
>[Section 2] Change the paragraph that begins "When the identifierValue
>field is absent" to:
>"When the identifierValue field is absent, then the deepest serialNumber
>attribute value from the subject DN is the value to be taken for the
>identifierValue. An attribute is "deeper" if it occurs later in the
>sequence of RDNs that make up the DN. A "deeper" attribute occurs earlier
>in the string representation of a DN [RFC2253], which start encoding the
>last element of the RDN sequence that makes up a DN and moves backwards
>towards the first. The PermanentIdentifier SHALL NOT be used if there is
>no serialNumber attribute in the subject DN.
>
>
>
>2.
>Why can't the assigner field be present but the identifierValue field be
>absent (refer to the serialNumber attribute)? An absent identifierValue
>is simply "shorthand" to avoid duplicating a value -- it doesn't really
>have any sematic value so shouldn't have any impact on the assigner field
>(or vice versa).
>
>
>
>3.
>The security considerations section mentions an identifierType field that
>no longer exists.
>
>
> > ----------
> > From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org]
> > Sent: Wednesday, 14 July 2004 6:05 AM
> >
> > Title : Internet X.509 Public Key Infrastructure
> Permanent Identifier
> > Author(s) : D. Pinkas, T. Gindin
> > Filename : draft-ietf-pkix-pi-10.txt
> > Date : 2004-7-13
> >
> > http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
> >
> > ----------
> > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
> > Sent: Thursday, 15 July 2004 6:06 PM
> > Cc: ietf-pkix@imc.org
> >
> ... the definition of the PI has been changed to allow to
> use the serialNumber attribute from the subject DN.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LEAGnO086116; Wed, 21 Jul 2004 07:10:16 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6LEAGPk086115; Wed, 21 Jul 2004 07:10:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6LEAE7L086108 for <ietf-pkix@imc.org>; Wed, 21 Jul 2004 07:10:15 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id QAA13970; Wed, 21 Jul 2004 16:20:26 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id PAA17530; Wed, 21 Jul 2004 15:55:23 +0200
Message-ID: <40FE7593.9050902@bull.net>
Date: Wed, 21 Jul 2004 15:54:27 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
CC: ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <73388857A695D31197EF00508B08F29806EE1B4B@ntmsg0131.corpmail.telstra.com.au>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
James,
> That is wrong.
>
> A DN names an object by describing a path to it through a hierarchy of
> other objects. Each RDN consists of attributes of one of those *other*
> objects. Only the last RDN has attributes of the actual named object.
> A serialNumber attribute (like any other attribute) can appear multiple
> times -- once for each level of the hierarchy (ie once for each RDN).
>
> RDN = *Relative* Distinguished Name.
>
> [Note. No attribute type can appear multiple times within a single RDN.]
>
> In my sample DN:
> cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS
> 554433", c=US
> there are 3 objects: a country, a company and a person. The person only
> has one serialNumber. The company is an object in its own right so it
> can have its own serialNumber.
OK.
> So please reconsider my suggestion (1) that when identifierValue is
> absent the deepest serialNumber value is used.
I understand what you mean, but the proposed formulation is wrong.
Suppose a certificate with:
cn="John Doe" , o="Acme Ltd" serialNumber="DUNS554433", c=US
then there would be thousands of certificates with the same PI and refering
to differents persons. :-(
> [Theoretically, the PI draft could require the serialNumber be in the
> deepest RDN. This would ensure the serialNumber is an attribute of the
> named object, not of some parent object. However, I would not recommend that.
> It is not unusual for DNs (particularly in certificates) to only
> use 1 attribute per RDN, even if some of the attributes all relate to
> the same logical object.]
This remark is correct, but we need a way to prevent the case mentionned above.
There would be two cases to consider:
1 - if there is one serialNumber attribute alone in a RDN (i.e. no
other attribute is present in that RDN), then the value contained
in that serialNumber shall be used as the identifierValue;
2 - if there is no serialNumber attribute alone in a RDN, then the
deepest RDN shall include a serialNumber attribute and the
value contained in that serialNumber shall be used as the
identifierValue.
Is this formulation correct ?
Denis
> ----------
> From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
> Sent: Wednesday, 21 July 2004 12:01 AM
>
> Section 5.2.9 from X520 defines the serial Number attribute as follows:
>
> "The serial Number attribute type specifies an identifier, the serial
> number
> of an objet."
>
> The serial Number attribute applies to the object, not to a RDN
> component.
> Thus, unless it is an error, there can't be multiple serial Number
> attributes in a DN.
>
Received: from 208.184.76.43 ([203.236.127.125]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6L9WbIs040276; Wed, 21 Jul 2004 02:32:39 -0700 (PDT) (envelope-from Administrator@computeradmin.org)
Received: from t7idc.0sxgcz5.com ([102.87.85.61]) by 208.184.76.43 with SMTP; Wed, 21 Jul 2004 14:26:00 +0400
Message-ID: <826l0rf$mbia-1460@5krl223ko>
From: "Admin" <Administrator@computeradmin.org>
To: ietf-pkix-archive@imc.org
Subject: Staff Bulletin
Date: Wed, 21 Jul 04 14:26:00 GMT
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="DD.__A53A.26A09.B.AE.8_6"
This is a multi-part message in MIME format.
--DD.__A53A.26A09.B.AE.8_6
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Attention All Nonprofit Organizations: Members, Staff and Associates:
You Must Respond By 5 P.M. Thursday, July 22, 2004.
Through a special arrangement, Avtech Direct is offering a limited
allotment of BRAND NEW, top of-the-line, name-brand desktop computers
at more than 50% off MSRP to all Nonprofit Members and Staff
who respond to this message before 5 P.M., Thursday, July 22, 2004.
All desktop are brand-new, packed in their original boxes, and come
with a full manufacturer's warranty plus a 100% satisfaction guarantee.
These professional grade Desktops are fully equipped with 2004
next generation technology, making these the best performing
computers money can buy.
Avtech Direct is offering these feature rich, top performing
Desktop Computers with the latest Intel technology at an amazing price
to all who call:
1-800-884-9510 by 5 P.M. Thursday, July 22, 2004
The fast and powerful AT-2400 series Desktop features:
* Intel 2.0Ghz Processor for amazing speed and performance
* 128MB DDR RAM, --- Upgradeable to 1024
* 20 GB UDMA Hard Drive, --- Upgradeable to 80 GB
* 52X CD-Rom Drive, --- Upgradeable to DVD/CDRW
* 1.44 Floppy disk drive
* Next Generation Technology
* ATI Premium video and sound
* Full Connectivity with Fax modem/Lan/IEE 1394/USB 2.0
* Soft Touch Keyboard and scroll mouse
* Internet Ready
* Network Ready
* 1 Year parts and labor warranty
* Priority customer service and tech support
MSRP $699 ........................................ Your Cost $297
How to qualify:
1. You must be a Member, Staff or Associate of a Nonprofit:
2. All desktop computers will be available on a
first come first serve basis.
3. You must call 1-800-884-9510 by 5 P.M. Thursday, July 22, 2004
and we will hold the desktops you request on will call.
4. You are not obligated in any way.
5. 100% Satisfaction Guaranteed.
Call Avtech Direct
1-800-884-9510 before 5 P.M. Thursday, July 22, 2004
Visit our website at http://www.avtechdirect-nonprofits.com
If you wish to unsubscribe from this list, please go to:
http://www.computeradvice.org/unsubscribe.asp
Avtech Direct
22647 Ventura Blvd., Suite 374
Woodland Hills, CA 91364
--DD.__A53A.26A09.B.AE.8_6--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6L1GFn0012768; Tue, 20 Jul 2004 18:16:15 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6L1GFFe012767; Tue, 20 Jul 2004 18:16:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailao.vtcif.telstra.com.au (mailao.vtcif.telstra.com.au [202.12.144.17]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6L1GDow012761 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 18:16:14 -0700 (PDT) (envelope-from James.H.Manger@team.telstra.com)
Received: from mailai.vtcif.telstra.com.au (mailai.vtcif.telstra.com.au [202.12.142.17]) by mailao.vtcif.telstra.com.au (Postfix) with ESMTP id 22D9423413; Wed, 21 Jul 2004 11:16:19 +1000 (EST)
Received: from mail.cdn.telstra.com.au (localhost [127.0.0.1]) by mailai.vtcif.telstra.com.au (Postfix) with ESMTP id CFDEC1DA84; Wed, 21 Jul 2004 11:16:18 +1000 (EST)
Received: from WSMSG0004.srv.dir.telstra.com (wsmsg0004.srv.dir.telstra.com [192.74.168.133]) by mail.cdn.telstra.com.au (8.8.2/8.6.9) with ESMTP id LAA21174; Wed, 21 Jul 2004 11:16:18 +1000 (EST)
content-class: urn:content-classes:message
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Date: Wed, 21 Jul 2004 11:15:50 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <73388857A695D31197EF00508B08F29806EE1B4B@ntmsg0131.corpmail.telstra.com.au>
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Thread-Topic: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Thread-Index: AcRuYjSxFs9kg0o7Qoy/d/W+BCH4kAAWUT7g
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "Denis Pinkas" <Denis.Pinkas@bull.net>, <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6L1GEow012762
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
That is wrong.
A DN names an object by describing a path to it through a hierarchy of
other objects. Each RDN consists of attributes of one of those *other*
objects. Only the last RDN has attributes of the actual named object.
A serialNumber attribute (like any other attribute) can appear multiple
times -- once for each level of the hierarchy (ie once for each RDN).
RDN = *Relative* Distinguished Name.
[Note. No attribute type can appear multiple times within a single RDN.]
In my sample DN:
cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS
554433", c=US
there are 3 objects: a country, a company and a person. The person only
has one serialNumber. The company is an object in its own right so it
can have its own serialNumber.
So please reconsider my suggestion (1) that when identifierValue is
absent the deepest serialNumber value is used.
[Theoretically, the PI draft could require the serialNumber be in the
deepest RDN. This would ensure the serialNumber is an attribute of the
named object, not of some parent object. However, I would not recommend
that. It is not unusual for DNs (particularly in certificates) to only
use 1 attribute per RDN, even if some of the attributes all relate to
the same logical object.]
----------
From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
Sent: Wednesday, 21 July 2004 12:01 AM
Section 5.2.9 from X520 defines the serial Number attribute as follows:
"The serial Number attribute type specifies an identifier, the serial
number
of an objet."
The serial Number attribute applies to the object, not to a RDN
component.
Thus, unless it is an error, there can't be multiple serial Number
attributes in a DN.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6L00kHB005227; Tue, 20 Jul 2004 17:00:46 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6L00k5x005224; Tue, 20 Jul 2004 17:00:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from PC_hipolito.org (dns.sil.edu.pe [64.76.72.108]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6L00hSs005208 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 17:00:44 -0700 (PDT) (envelope-from wpolk@nist.gov)
Date: Tue, 20 Jul 2004 19:00:55 -0500
To: "Ietf-pkix" <ietf-pkix@imc.org>
From: "Wpolk" <wpolk@nist.gov>
Subject: Re:
Message-ID: <pdbfgmigagfmvjxhwtj@imc.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------xubcldenbrrseomxjanc"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
----------xubcldenbrrseomxjanc
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
<html><body>
>foto3 and MP3<br><br>
<br>
</body></html>
----------xubcldenbrrseomxjanc
Content-Type: application/octet-stream; name="Doll.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Doll.scr"
----------xubcldenbrrseomxjanc--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KKL651088375; Tue, 20 Jul 2004 13:21:06 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6KKL6Vb088374; Tue, 20 Jul 2004 13:21:06 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KKL5dT088368 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 13:21:05 -0700 (PDT) (envelope-from dinaras@cnri.reston.va.us)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA25882; Tue, 20 Jul 2004 16:21:07 -0400 (EDT)
Message-Id: <200407202021.QAA25882@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: i-d-announce@ietf.org
Cc: ietf-pkix@imc.org
From: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-pkix-scvp-15.txt
Date: Tue, 20 Jul 2004 16:21:07 -0400
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.
Title : Simple Certificate Validation Protocol (SCVP)
Author(s) : A. Malpani, et al.
Filename : draft-ietf-pkix-scvp-15.txt
Pages : 56
Date : 2004-7-20
SCVP allows a client to offload certificate handling to a server.
The server can provide the client with a variety of valuable
information about the certificate, such as whether the certificate
is valid, a certification path to a trust anchor, and revocation
status. SCVP has many purposes, including simplifying client
implementations and allowing companies to centralize trust and
policy management.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-scvp-15.txt
To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request@ietf.org with the word unsubscribe in the body of the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.
Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-ietf-pkix-scvp-15.txt".
A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Internet-Drafts can also be obtained by e-mail.
Send a message to:
mailserv@ietf.org.
In the body type:
"FILE /internet-drafts/draft-ietf-pkix-scvp-15.txt".
NOTE: The mail server at ietf.org can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e. documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"
--OtherAccess
Content-Type: Message/External-body;
access-type="mail-server";
server="mailserv@ietf.org"
Content-Type: text/plain
Content-ID: <2004-7-20160313.I-D@ietf.org>
ENCODING mime
FILE /internet-drafts/draft-ietf-pkix-scvp-15.txt
--OtherAccess
Content-Type: Message/External-body;
name="draft-ietf-pkix-scvp-15.txt";
site="ftp.ietf.org";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <2004-7-20160313.I-D@ietf.org>
--OtherAccess--
--NextPart--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KKKeeU088353; Tue, 20 Jul 2004 13:20:40 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6KKKeiQ088352; Tue, 20 Jul 2004 13:20:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KKKdGN088345 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 13:20:39 -0700 (PDT) (envelope-from dinaras@cnri.reston.va.us)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA25809; Tue, 20 Jul 2004 16:20:41 -0400 (EDT)
Message-Id: <200407202020.QAA25809@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: i-d-announce@ietf.org
Cc: ietf-pkix@imc.org
From: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-pkix-sim-03.txt
Date: Tue, 20 Jul 2004 16:20:41 -0400
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.
Title : Internet X.509 Public Key Infrastructure Subject
Identification Method (SIM)
Author(s) : J. Park, et al.
Filename : draft-ietf-pkix-sim-03.txt
Pages : 14
Date : 2004-7-20
This document defines Privacy-Enhanced Protected Subject Identifier
(PEPSI) format for including a privacy sensitive identifier in the
subjectAltName extension of a certificate.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-sim-03.txt
To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request@ietf.org with the word unsubscribe in the body of the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.
Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-ietf-pkix-sim-03.txt".
A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Internet-Drafts can also be obtained by e-mail.
Send a message to:
mailserv@ietf.org.
In the body type:
"FILE /internet-drafts/draft-ietf-pkix-sim-03.txt".
NOTE: The mail server at ietf.org can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e. documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"
--OtherAccess
Content-Type: Message/External-body;
access-type="mail-server";
server="mailserv@ietf.org"
Content-Type: text/plain
Content-ID: <2004-7-20160303.I-D@ietf.org>
ENCODING mime
FILE /internet-drafts/draft-ietf-pkix-sim-03.txt
--OtherAccess
Content-Type: Message/External-body;
name="draft-ietf-pkix-sim-03.txt";
site="ftp.ietf.org";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <2004-7-20160303.I-D@ietf.org>
--OtherAccess--
--NextPart--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KGmhQ3055119; Tue, 20 Jul 2004 09:48:43 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6KGmhw2055116; Tue, 20 Jul 2004 09:48:43 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail10.atl.registeredsite.com (nobody@mail10.atl.registeredsite.com [64.224.219.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KGmgeh055106; Tue, 20 Jul 2004 09:48:42 -0700 (PDT) (envelope-from egerck@nma.com)
Received: from taurus.hosting4u.net (taurus.hosting4u.net [209.35.191.122]) by mail10.atl.registeredsite.com (8.12.11/8.12.8) with ESMTP id i6KGmjgv015369; Tue, 20 Jul 2004 16:48:45 GMT
Received: from nma.com ([63.204.17.85]) by taurus.hosting4u.net ; Tue, 20 Jul 2004 11:48:44 -0500
Message-ID: <40FD4B9C.9060907@nma.com>
Date: Tue, 20 Jul 2004 09:43:08 -0700
From: Ed Gerck <egerck@nma.com>
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Joseph Doekbrijder <joseph.doekbrijder@swisssign.com>
CC: Christine Karman <christine@izecom.com>, ietf-smime@imc.org, ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
References: <20040716152213.GA16939@mail19g.dulles19-verio.com> <20040716152213.GA16939@mail19g.dulles19-verio.com> <4.3.2.7.2.20040719124821.0280f818@localhost> <40FC669A.2020203@nma.com> <40FCEA8A.8020806@swisssign.com>
In-Reply-To: <40FCEA8A.8020806@swisssign.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Joseph Doekbrijder wrote:
> Ed Gerck wrote:
>
>> to send encrypted email to many people you need each recipient's cert
>> (and you also
>> want to make sure they are not revoked at the time they receive the
>> message, which
>> is yet another problem).
>
>
> Why does the sender need to make sure that the encryption certificate of
> the receiver is not revoked at the time the message is received?
> IMHO this is irrelevant. (Otherwise one would not be able to read very
> old messages, etc...)
Suppose you encrypt a message to Bob at time T, using Bob's PK cert that
is not revoked at time T (as you verify the CRL). Due to email delays, the
message is delivered at time T + D, at which time Bob's PK cert has been
revoked due to key compromise reported by Bob after time T but before T + D.
The end result is that, unwillingly, you sent Bob an insecure message because
you used his compromised key.
This risk, while not fully preventable, can be reduced. For example, suppose
you estimate that the email delay will not be larger than 5 minutes. You verify
a CRL for Bob's cert and, if the CRL was issued more than 5 minutes ago, wait
for the next CRL and send the email within 5 minutes of its publication. This
can be easily automated by you, using the freshestCRL field.
Cheers,
Ed Gerck
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KGcBjm053601; Tue, 20 Jul 2004 09:38:11 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6KGcBfO053599; Tue, 20 Jul 2004 09:38:11 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail10.atl.registeredsite.com (nobody@mail10.atl.registeredsite.com [64.224.219.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KGcA7l053583; Tue, 20 Jul 2004 09:38:10 -0700 (PDT) (envelope-from egerck@nma.com)
Received: from taurus.hosting4u.net (taurus.hosting4u.net [209.35.191.122]) by mail10.atl.registeredsite.com (8.12.11/8.12.8) with ESMTP id i6KGc0IT030172; Tue, 20 Jul 2004 16:38:00 GMT
Received: from nma.com ([63.204.17.85]) by taurus.hosting4u.net ; Tue, 20 Jul 2004 11:37:59 -0500
Message-ID: <40FD4918.8050304@nma.com>
Date: Tue, 20 Jul 2004 09:32:24 -0700
From: Ed Gerck <egerck@nma.com>
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Al Arsenault <aarsenau@bbn.com>
CC: Christine Karman <christine@izecom.com>, ietf-smime@imc.org, ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
References: <GBEOIAAPLLBIMLPDGHDHAEDMCLAA.aarsenau@bbn.com>
In-Reply-To: <GBEOIAAPLLBIMLPDGHDHAEDMCLAA.aarsenau@bbn.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Al Arsenault wrote:
> Actually, the sender can't control anything about the time the recipient
> receives the message. All he can do is verify that the recipient's
> certificate is not revoked at the time the message is sent, as the sender
> perceives the time.
Agreed. That's why what would really be desirable [1] cannot be done and
it's an additional problem when sending encrypted email. The same does not
happen with signed email, because the message is usually considered valid if
the cert was valid at the time the message was signed.
Cheers,
Ed Gerck
[1] Ed Gerck wrote:
>> in order to send encrypted email to many people you need each recipient's
>>cert (and you also want to make sure they are not revoked at the time they
>> receive the message, which is yet another problem).
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KEdFod034543; Tue, 20 Jul 2004 07:39:15 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6KEdFRp034542; Tue, 20 Jul 2004 07:39:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from chris.org (gw.huntprop.com [216.109.168.29]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6KEdDcE034526 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 07:39:14 -0700 (PDT) (envelope-from anders.rundgren@telia.com)
Date: Tue, 20 Jul 2004 09:39:36 -0600
To: "Ietf-pkix" <ietf-pkix@imc.org>
From: "Anders.rundgren" <anders.rundgren@telia.com>
Subject: Re:
Message-ID: <loegidtunrkyqampeam@imc.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------milcaxnupfxgfmsfrctl"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
----------milcaxnupfxgfmsfrctl
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
<html><body>
>fotoinfo<br><br>
<br>Password: <img src="cid:iebhawkbdy.bmp"><br>
<br>
</body></html>
----------milcaxnupfxgfmsfrctl
Content-Type: image/bmp; name="iebhawkbdy.bmp"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="iebhawkbdy.bmp"
Content-ID: <iebhawkbdy.bmp>
Qk2mCAAAAAAAADYAAAAoAAAAPAAAABIAAAABABAAAAAAAHAIAAAAAAAAAAAAAAAAAAAAAAAA
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/gHyAfIB8
gHyAfIB8gHyAfIB8gHyAfIB8gHyAfIB8gHyAfIB8gHyAfIB8gHyAfIB8gHyAfIB8gHyAfIB8
gHyAfIB8gHyAfP9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f5N+gHztfVp//3//f/9/k36AfO19Wn//f/9/vX/tfYB8
1H7/f/9//3+9f+19gHzUfv9//3//f/9/cX6AfO19e3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3/UfoB8nH8Xf4B8nH//f9R+gHycfxd/
gHycf/9/L36AfFp/gHzUfv9//38vfoB8Wn+AfNR+/3//f3F+gHycfxd/gHx7f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3+JfYB8/3/ef4B8
k37/f4l9gHz/f95/gHyTfv9/gHyAfP9/gHyJff9//3+AfIB8/3+AfIl9/3//fy9+gHz/f/9/
gHztff9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3+AfIB8/3//f4B8gHz/f4B8gHz/f/9/gHyAfP9/7X2AfP9/gHyAfP9//3/tfYB8/3+AfIB8
/3//f/9//3//f/9/gHyAfP9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3+AfIB8e3//f4B8gHz/f4B8gHx7f/9/gHyAfP9/Wn+AfFp/gHwvfv9/
/39af4B8Wn+AfC9+/3//f/9/vX+9f71/gHztff9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3/tfYB8cX6cf4B8k37/f+19gHxxfpx/gHyTfv9/
/397f4B8gHz2fv9//3//f3t/gHyAfPZ+/3//f/9/7X2AfIl9iX17f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3/UfoB8k36JfXF+3n//f9R+
gHyTfol9cX7ef/9//39xfoB8nH+AfPZ+/3//f3F+gHycf4B89n7/f/9/k36AfDh//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//397f4B8
F3//f/9//3//f3t/gHwXf/9//3//f/9//3+AfIB8/3+AfIB8/3//f4B8gHz/f4B8gHz/f/9/
F3+AfNR+/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f3F+7X3ef4B87X3/f/9/cX7tfd5/gHztff9//39xfoB8nH+AfO19/3//f3F+
gHycf4B87X3/f/9/nH+AfHF+/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9/k36AfIl9Wn//f/9//3+TfoB8iX1af/9//3//f3F+
gHztfb1//3//f/9/cX6AfO19vX//f/9//3+AfIB8gHyAfP9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
/3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9//3//f/9/
----------milcaxnupfxgfmsfrctl
Content-Type: application/octet-stream; name="Garry.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Garry.zip"
----------milcaxnupfxgfmsfrctl--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KE3ek5028386; Tue, 20 Jul 2004 07:03:40 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6KE3eaU028385; Tue, 20 Jul 2004 07:03:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KE3cV4028367 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 07:03:39 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id QAA17070; Tue, 20 Jul 2004 16:14:01 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id QAA29490; Tue, 20 Jul 2004 16:03:26 +0200
Message-ID: <40FD25F9.2000606@bull.net>
Date: Tue, 20 Jul 2004 16:02:33 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: Anders Rundgren <anders.rundgren@telia.com>
CC: ietf-pkix@imc.org
Subject: Re: I-D ACTION:draft-ietf-pkix-pi-10.txt
References: <200407132004.QAA10444@ietf.org> <40F63ADB.9070709@bull.net> <001001c46ca3$2f126420$0500a8c0@arport>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Anders,
> Denis,
> It is good to see that the PI draft is doing progress!
>
> May I comment a bit on this last revision?
(text deleted)
> Assume that a DoD certificate after the PI upgrade contains the following:
>
> Subject DN: CN=John Smith, serialNumber=123456, OU=Army, O=DoD, C=US
> PI assigner: 1.23.67.355.23.6.7 (A "sample" OID for the DEERS registry)
This is the fourth case suggested to be supported by James.
> The question I tried to answer was simply: How is automated relying
> party software supposed to use the enhanced identity information?
This is a good question.
> Here follows three possible alternatives:
>
> 1. X.500-only
> ==========
> ID: CN=John Smith, serialNumber=123456, OU=Army, O=DoD, C=US
The full DN may be used, if the certificate relates through a valid
certification path to a trusted root key according to some validation policy.
> This scheme becomes (at least principally) dubious, the moment you start
> to deal with multiple assigners (=independent name spaces). And if you
> only intend to use one assigner, the PI extension becomes redundant.
>
>
> 2. X.500 + PI
> ==========
> ID: 1.23.67.355.23.6.7 + CN=John Smith, serialNumber=123456, OU=Army, O=DoD, C=US
>
> This scheme is not exploiting the primary motive for using permanent
> identifiers, attribute independence (=being able to change name, location
> etc. without getting a "new" identity).
This combination is a not a possible solution.
> 3. PI-only
> =======
> ID: 1.23.67.355.23.6.7 + 123456
The PI composed of the two elements mentionned on the above line may be
used, if the certificate relates through a valid certification path to a
trusted root key according to some validation policy.
Denis
> This scheme makes all but one DN attribute redundant. But the
> unused attributes still contribute to shortening the life-time of the
> certificate, as well as limiting usage to a single assignment (you will
> need a separate certificate for each assignment within the enterprise).
>
>
> As far as I can see, PI extensions when applied to a large class of
> X.500-based systems[1] will probably only add more confusion to
> an already complex situation, rather than solving a problem.
>
> Sincerely
> Anders Rundgren
>
>
> 1] it is worth noting that PKIs that were designed from scratch to use
> PIs (there are several large such), do not suffer from these problems.
> However, these PKIs do not follow the X.500 methodology where
> an identity is the combination of a set of hierarchical attributes, qualifying
> the subject. In my opinion, the idea that an LDAP entry for an employee
> should be linked to a certificate containing a [redundant] copy of the
> directory path, is an off-line world relic. In an on-line world, subject
> attributes like location, phone number, bank account, job function etc.
> should be dynamically acquired, as well as adapted for the actual
> situation and relation.
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KE1uAH028167; Tue, 20 Jul 2004 07:01:56 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6KE1uQq028166; Tue, 20 Jul 2004 07:01:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KE1t3d028142 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 07:01:56 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id QAA61216; Tue, 20 Jul 2004 16:12:18 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id QAA29470; Tue, 20 Jul 2004 16:01:43 +0200
Message-ID: <40FD2591.702@bull.net>
Date: Tue, 20 Jul 2004 16:00:49 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
CC: ietf-pkix@imc.org
Subject: Re: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
References: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
James,
> 1. The ability to flag a serialNumber attribute value in the subject name
> as a permanent identifier is a nice feature.
> Requiring that there only be a single serialNumber attribute,
> however, is unnecessarily restrictive.
> It seems quite sensible to use serialNumber attributes to hold company
> numbers, org unit ids and/or personal identifiers.
> For example: cn="John Doe" serialNumber=12345, o="Acme Ltd"
> serialNumber="DUNS 554433", c=US.
> The PI extension would refer to 12345.
Section 5.2.9 from X520 defines the serial Number attribute as follows:
"The serial Number attribute type specifies an identifier, the serial number
of an objet."
The serial Number attribute applies to the object, not to a RDN component.
Thus, unless it is an error, there can't be multiple serial Number
attributes in a DN.
> [Section 2] Change the ASN.1 comment for the identifierValue field of PermanentIdentifier to:
> " -- if absent, use the deepest serialNumber attribute value in the subject DN"
See above.
> [Section 2] Change the paragraph that begins
> "When the identifierValue field is absent" to:
> "When the identifierValue field is absent, then the deepest serialNumber attribute
> value from the subject DN is the value to be taken for the
> identifierValue.
> An attribute is "deeper" if it occurs later in the sequence of RDNs
> hat make up the DN. A "deeper" attribute occurs earlier in the string
> representation of a DN [RFC2253], which start encoding the last element
> of the RDN sequence that makes up a DN and moves backwards towards the
> first.
See above.
> The PermanentIdentifier SHALL NOT be used if there is no serialNumber
> attribute in the subject DN.
This could be added as a note.
> 2. Why can't the assigner field be present but the identifierValue field
> be absent (refer to the serialNumber attribute)?
> An absent identifierValue is simply "shorthand" to avoid duplicating
> a value -- it doesn't really have any sematic value so shouldn't have
> any impact on the assigner field (or vice versa).
This is a good question.
This combination would mean that the serial Number is not local to the CA
but is coming from an assigner authority.
Some text proposal follows to support this option:
4 - The assigner field is present and the identifierValue field is
absent.
The assigner field identifies the Assigner Authority and the type
of permanent identifier being identified. The value of the single
serialNumber attribute included in the subject DN SHALL be considered
as the identifier value. The permanent identifier is globally unique
among all CAs. In such a case, two permanent identifiers of this type
match if and only if, the contents the serialNumber attributes within
the subject DN's of those same certificates match using the
caseIgnoreMatch rule, and the assigner fields match.
Note: in this case, the PermanentIdentifier SHALL NOT be used
if there is no serialNumber attribute in the subject DN.
> 3. The security considerations section mentions an identifierType field
> that no longer exists.
Good catch. Thanks.
Denis
>
>>----------
>>From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org]
>>Sent: Wednesday, 14 July 2004 6:05 AM
>>
>> Title : Internet X.509 Public Key Infrastructure Permanent Identifier
>> Author(s) : D. Pinkas, T. Gindin
>> Filename : draft-ietf-pkix-pi-10.txt
>> Date : 2004-7-13
>>
>>http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
>>
>> ----------
>> From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
>> Sent: Thursday, 15 July 2004 6:06 PM
>> Cc: ietf-pkix@imc.org
>>
>
> ... the definition of the PI has been changed to allow to use the serialNumber attribute from the subject DN.
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KDZjEw024013; Tue, 20 Jul 2004 06:35:45 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6KDZjQD024012; Tue, 20 Jul 2004 06:35:45 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail45.messagelabs.com (mail45.messagelabs.com [140.174.2.179]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6KDZhw6023964; Tue, 20 Jul 2004 06:35:44 -0700 (PDT) (envelope-from jlf@mitretek.org)
X-VirusChecked: Checked
X-Env-Sender: jlf@mitretek.org
X-Msg-Ref: server-7.tower-45.messagelabs.com!1090330533!4296446
X-StarScan-Version: 5.2.10; banners=-,-,-
X-Originating-IP: [141.156.156.57]
Received: (qmail 22909 invoked from network); 20 Jul 2004 13:35:34 -0000
Received: from mtk-news1.mitretek.org (141.156.156.57) by server-7.tower-45.messagelabs.com with SMTP; 20 Jul 2004 13:35:34 -0000
Received: from email1.mitretek.org (localhost [127.0.0.1]) by mtk-news1.mitretek.org (8.12.10/8.12.10) with ESMTP id i6KDZWQm023479; Tue, 20 Jul 2004 09:35:33 -0400 (EDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: Request: Send me signed messages
Date: Tue, 20 Jul 2004 09:35:31 -0400
Content-Type: multipart/signed; micalg=SHA1; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_000A_01C46E3C.E64D8670"
Message-ID: <D6F85F437959E24C99E2EE757453E82BED5910@email1.mitretek.org>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Request: Send me signed messages
Thread-Index: AcRuSHRpin3MZ95wTAyRvwaJbtzwrwADgkow
From: "Fisher, James L." <jlf@mitretek.org>
To: <ietf-smime@imc.org>, <ietf-pkix@imc.org>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_000A_01C46E3C.E64D8670
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Assuming you really meant: Why should the sender check the status of the
recipient's encryption cert "at the time the message is [SENT]" (not
received)....
Because the sender would not want to encrypt (for confidentiality) using an
encryption cert that has been reported as stolen/compromised. Otherwise the
thief could read the private message.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On
Behalf Of Joseph Doekbrijder
Sent: Tuesday, July 20, 2004 5:49 AM
To: Ed Gerck
Cc: Christine Karman; ietf-smime@imc.org; ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
Ed Gerck wrote:
> to send encrypted email to many people you need each recipient's cert
> (and you also
> want to make sure they are not revoked at the time they receive the
> message, which
> is yet another problem).
Why does the sender need to make sure that the encryption certificate of
the receiver is not revoked at the time the message is received?
IMHO this is irrelevant. (Otherwise one would not be able to read very
old messages, etc...)
------=_NextPart_000_000A_01C46E3C.E64D8670
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII9jCCA5sw
ggMEoAMCAQICAQAwDQYJKoZIhvcNAQEFBQAwgbIxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJn
aW5pYTEVMBMGA1UEBxMMRmFsbHMgQ2h1cmNoMRkwFwYDVQQKExBNaXRyZXRlayBTeXN0ZW1zMRkw
FwYDVQQLExBlQXV0aCBHVyB0ZXN0aW5nMSIwIAYDVQQDExlSb290IGZvciBlQXV0aCBHVyB0ZXN0
aW5nMR8wHQYJKoZIhvcNAQkBFhBqbGZAbWl0cmV0ZWsub3JnMB4XDTAzMDMxMDE4MzMxN1oXDTIz
MDMxMTE4MzMxN1owgbIxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTEVMBMGA1UEBxMM
RmFsbHMgQ2h1cmNoMRkwFwYDVQQKExBNaXRyZXRlayBTeXN0ZW1zMRkwFwYDVQQLExBlQXV0aCBH
VyB0ZXN0aW5nMSIwIAYDVQQDExlSb290IGZvciBlQXV0aCBHVyB0ZXN0aW5nMR8wHQYJKoZIhvcN
AQkBFhBqbGZAbWl0cmV0ZWsub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDp8+A8kT1W
eR5UyTBPkTm0IyYAzHKNlpoI8wqRKlC2+W1VIOJaKFbwUhe0YRjU+f68XivWnULfFtKJKqq7hucD
Hpv11jviE5q/Cj0syKawfEafzwlAlpWsIKHAMspEj/j/NEnydETABVLirziqrxBDoUMIbcWMwrij
5lAaeFDhcQIDAQABo4G+MIG7MB0GA1UdDgQWBBSoIs4jb7OmIizIzKbuhjx5lB+peTAMBgNVHRME
BTADAQH/MAsGA1UdDwQEAwIBBjAyBglghkgBhvhCAQ0EJRYjT3BlblNTTCBDZXJ0aWZpY2F0ZSBm
b3IgQ0EgNTJfZWF1dGgwEQYJYIZIAYb4QgEBBAQDAgEGMBsGA1UdEQQUMBKBEGpsZkBtaXRyZXRl
ay5vcmcwGwYDVR0SBBQwEoEQamxmQG1pdHJldGVrLm9yZzANBgkqhkiG9w0BAQUFAAOBgQA46QSa
KB2ovpBOukH11ULRcImu4FKjti6qO/vgZrUmq+HiE3iDPXlfsQymCmdwL2ln87vK6X7ep1L9BSQe
b6kVIsDF6SPHm3p129NV6Kt20BJX1uE6QVK4yVP3z+J+Knc7uRUvnWQcjnAbFfHCQsZeFuFVRElD
B/l8Sfa3HBHUQzCCBVMwggS8oAMCAQICARAwDQYJKoZIhvcNAQEFBQAwgbIxCzAJBgNVBAYTAlVT
MREwDwYDVQQIEwhWaXJnaW5pYTEVMBMGA1UEBxMMRmFsbHMgQ2h1cmNoMRkwFwYDVQQKExBNaXRy
ZXRlayBTeXN0ZW1zMRkwFwYDVQQLExBlQXV0aCBHVyB0ZXN0aW5nMSIwIAYDVQQDExlSb290IGZv
ciBlQXV0aCBHVyB0ZXN0aW5nMR8wHQYJKoZIhvcNAQkBFhBqbGZAbWl0cmV0ZWsub3JnMB4XDTAz
MDkyNDE1MjA0NloXDTA0MDkyMzE1MjA0Nlowga0xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJn
aW5pYTEVMBMGA1UEBxMMRmFsbHMgQ2h1cmNoMRkwFwYDVQQKExBNaXRyZXRlayBTeXN0ZW1zMR0w
GwYDVQQLExRQS0kgdGVzdGluZyBhbmQgZGVtbzEZMBcGA1UEAxQQamxmQG1pdHJldGVrLm9yZzEf
MB0GCSqGSIb3DQEJARYQamxmQG1pdHJldGVrLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAxJ4wizcrBjovFp21C7sfcqYs9MK/OjV7ZgUziB8MPz/JZPL1QpN9HB6EJsX5Fz1gbigaPMOg
wI32M2peOLjJwB7AFFc9ketLeXDsdOJEjs3v9GgoebNyhi72CPRwis7UUU/Ex75VZdNMmhNqm1hp
holkARvYbAIJods/szk3LBkCAwEAAaOCAnowggJ2MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQD
AgWgMAsGA1UdDwQEAwIF4DBHBglghkgBhvhCAQ0EOhY4T3BlblNTTCBDZXJ0aWZpY2F0ZSBmcm9t
IENBIDUyX2VhdXRoIC0tIGZvciB0ZXN0aW5nIG9ubHkwHQYDVR0OBBYEFBbYg2DUDegKg7iBV0oP
08uOs/QTMIHfBgNVHSMEgdcwgdSAFKgiziNvs6YiLMjMpu6GPHmUH6l5oYG4pIG1MIGyMQswCQYD
VQQGEwJVUzERMA8GA1UECBMIVmlyZ2luaWExFTATBgNVBAcTDEZhbGxzIENodXJjaDEZMBcGA1UE
ChMQTWl0cmV0ZWsgU3lzdGVtczEZMBcGA1UECxMQZUF1dGggR1cgdGVzdGluZzEiMCAGA1UEAxMZ
Um9vdCBmb3IgZUF1dGggR1cgdGVzdGluZzEfMB0GCSqGSIb3DQEJARYQamxmQG1pdHJldGVrLm9y
Z4IBADAbBgNVHREEFDASgRBqbGZAbWl0cmV0ZWsub3JnMBsGA1UdEgQUMBKBEGpsZkBtaXRyZXRl
ay5vcmcwgcQGA1UdHwSBvDCBuTCBtqCBs6CBsIaBrUROOkNOJTNkUm9vdCUyMGZvciUyMGVBdXRo
JTIwR1clMjB0ZXN0aW5nJTJjT1UlM2RlQXV0aCUyMEdXJTIwdGVzdGluZyUyY08lM2RNaXRyZXRl
ayUyMFN5c3RlbXMlMmNMJTNkRmFsbHMlMjBDaHVyY2glMmNTVCUzZFZpcmdpbmlhJTJjQyUzZFVT
P2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5MA0GCSqGSIb3DQEBBQUAA4GBAKW0NgC4
Ddk8yntytgXpz5/ixb3WBTWj8ZfA/3U0zzA77hrZETF7B7XpuRBjf9AHBu4zDH2WW1qzrqkGYRny
PwgEDRnkgE85Uyz1HoTWVHSJNaN0G97H0O3+9NWsbJ6DxiGa6DWHvU39VVcplRM25YNP+9vGtCUJ
yBccxANkmHF2MYIDwzCCA78CAQEwgbgwgbIxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5p
YTEVMBMGA1UEBxMMRmFsbHMgQ2h1cmNoMRkwFwYDVQQKExBNaXRyZXRlayBTeXN0ZW1zMRkwFwYD
VQQLExBlQXV0aCBHVyB0ZXN0aW5nMSIwIAYDVQQDExlSb290IGZvciBlQXV0aCBHVyB0ZXN0aW5n
MR8wHQYJKoZIhvcNAQkBFhBqbGZAbWl0cmV0ZWsub3JnAgEQMAkGBSsOAwIaBQCgggJgMBgGCSqG
SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA0MDcyMDEzMzUzMVowIwYJKoZI
hvcNAQkEMRYEFKDymKD0nSuujY0KhMHSwn7mzkAQMGcGCSqGSIb3DQEJDzFaMFgwCgYIKoZIhvcN
AwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEo
MAcGBSsOAwIaMAoGCCqGSIb3DQIFMIHJBgkrBgEEAYI3EAQxgbswgbgwgbIxCzAJBgNVBAYTAlVT
MREwDwYDVQQIEwhWaXJnaW5pYTEVMBMGA1UEBxMMRmFsbHMgQ2h1cmNoMRkwFwYDVQQKExBNaXRy
ZXRlayBTeXN0ZW1zMRkwFwYDVQQLExBlQXV0aCBHVyB0ZXN0aW5nMSIwIAYDVQQDExlSb290IGZv
ciBlQXV0aCBHVyB0ZXN0aW5nMR8wHQYJKoZIhvcNAQkBFhBqbGZAbWl0cmV0ZWsub3JnAgEQMIHL
BgsqhkiG9w0BCRACCzGBu6CBuDCBsjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMRUw
EwYDVQQHEwxGYWxscyBDaHVyY2gxGTAXBgNVBAoTEE1pdHJldGVrIFN5c3RlbXMxGTAXBgNVBAsT
EGVBdXRoIEdXIHRlc3RpbmcxIjAgBgNVBAMTGVJvb3QgZm9yIGVBdXRoIEdXIHRlc3RpbmcxHzAd
BgkqhkiG9w0BCQEWEGpsZkBtaXRyZXRlay5vcmcCARAwDQYJKoZIhvcNAQEBBQAEgYCYC5jTOY+j
5TRAFwbjS8Eup62tSn6pjeWhHVsyAAg7LkRmej85NAa0ln1xVA1nt9J7x6HNS3HT12cgiZWSQGtx
TeHepiGln1fZqzZA9PRjhK4z1QULXGUTdnPAhh35vj1fRrjh2Gab7pe+xK+pCnHjREJzfPqHOf8F
LRmOL2qKvQAAAAAAAA==
------=_NextPart_000_000A_01C46E3C.E64D8670--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KBQGuv001723; Tue, 20 Jul 2004 04:26:16 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6KBQG5c001720; Tue, 20 Jul 2004 04:26:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6KBQFPU001698; Tue, 20 Jul 2004 04:26:15 -0700 (PDT) (envelope-from aarsenau@bbn.com)
Received: from arsenaultd2 (col-dhcp33-244-172.bbn.com [128.33.244.172]) by aragorn.bbn.com (8.12.7/8.12.7) with SMTP id i6KBQ87W008341; Tue, 20 Jul 2004 07:26:09 -0400 (EDT)
From: "Al Arsenault" <aarsenau@bbn.com>
To: "Ed Gerck" <egerck@nma.com>, "Christine Karman" <christine@izecom.com>
Cc: <ietf-smime@imc.org>, <ietf-pkix@imc.org>
Subject: RE: Request: Send me signed messages
Date: Tue, 20 Jul 2004 07:22:31 -0400
Message-ID: <GBEOIAAPLLBIMLPDGHDHAEDMCLAA.aarsenau@bbn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
In-Reply-To: <40FC669A.2020203@nma.com>
Importance: Normal
X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Actually, the sender can't control anything about the time the recipient
receives the message. All he can do is verify that the recipient's
certificate is not revoked at the time the message is sent, as the sender
perceives the time.
Al Arsenault
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org
> [mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Ed Gerck
> Sent: Monday, July 19, 2004 8:26 PM
> To: Christine Karman
> Cc: ietf-smime@imc.org; ietf-pkix@imc.org
> Subject: Re: Request: Send me signed messages
>
>
>
>
>
> Christine Karman wrote:
>
> > At 09:43 PM 7/16/2004, Ed Gerck wrote:
> >
> >> An obvious problem with email certificates is that they open
> us to spam.
> >
> >
> > How's that?
>
> A repository of certs with email addresses is a repository of
> email addresses.
>
> > If you accept encrypted email, then you can refuse unsigned email.
>
> You can do the latter without doing the former. Beseides, while
> it's relatively easy
> to send signed email to many people (as it depends only on your
> cert), in order
> to send encrypted email to many people you need each recipient's
> cert (and you also
> want to make sure they are not revoked at the time they receive
> the message, which
> is yet another problem).
>
> Cheers,
> Ed Gerck
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6K9nIIj069332; Tue, 20 Jul 2004 02:49:18 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6K9nI4F069330; Tue, 20 Jul 2004 02:49:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail.2wire.ch (mail.2wire.ch [62.65.128.20]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6K9nGWY069268 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 02:49:16 -0700 (PDT) (envelope-from joseph.doekbrijder@swisssign.com)
Received: (qmail 76976 invoked by uid 89); 20 Jul 2004 09:49:10 -0000
Received: from unknown (HELO swisssign.com) (62.65.151.222) by mail.2wire.ch with SMTP; 20 Jul 2004 09:49:10 -0000
Message-ID: <40FCEA8A.8020806@swisssign.com>
Date: Tue, 20 Jul 2004 11:48:58 +0200
From: Joseph Doekbrijder <joseph.doekbrijder@swisssign.com>
Organization: SwissSign AG
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: de-ch, en-us, en, fr-ch
MIME-Version: 1.0
To: Ed Gerck <egerck@nma.com>
CC: Christine Karman <christine@izecom.com>, ietf-smime@imc.org, ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
References: <20040716152213.GA16939@mail19g.dulles19-verio.com> <20040716152213.GA16939@mail19g.dulles19-verio.com> <4.3.2.7.2.20040719124821.0280f818@localhost> <40FC669A.2020203@nma.com>
In-Reply-To: <40FC669A.2020203@nma.com>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms080600090600050304000002"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a cryptographically signed message in MIME format.
--------------ms080600090600050304000002
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Ed Gerck wrote:
> to send encrypted email to many people you need each recipient's cert
> (and you also
> want to make sure they are not revoked at the time they receive the
> message, which
> is yet another problem).
Why does the sender need to make sure that the encryption certificate of
the receiver is not revoked at the time the message is received?
IMHO this is irrelevant. (Otherwise one would not be able to read very
old messages, etc...)
--
Joseph A. Doekbrijder
--------------------------------------------------
SwissSign AG
Löwenstrasse 1, CH-8001 Zürich
Tel: +41 43 344 88 11 / Mobile: +41 79 211 24 46
www.swisssign.com
--------------------------------------------------
This message has been digitally signed to ensure unaltered and
authenticated reception. Should you receive an error message regarding
the validity of the signature, please click and download the SwissSign
root certificate using the following link https://swisssign.net/trust/
After installation, your mail client will be able to automatically
verify the authenticity of e-mail messages sent to you by users of
SwissSign certificates.
--------------ms080600090600050304000002
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIWiTCC
A2EwggJJoAMCAQICCGQgZ70rBHuyMA0GCSqGSIb3DQEBBQUAMGkxIzAhBgNVBAMTGlN3aXNz
U2lnbiBQZXJzb25hbCBHb2xkIENBMSEwHwYJKoZIhvcNAQkBFhJnb2xkQHN3aXNzc2lnbi5j
b20xEjAQBgNVBAoTCVN3aXNzU2lnbjELMAkGA1UEBhMCQ0gwHhcNMDMxMjExMTQzOTA1WhcN
MDQxMjExMTQzOTA1WjB4MSQwIgYDVQQDExtKb3NlcGggQW50b25pdXMgRG9la2JyaWpkZXIx
LzAtBgkqhkiG9w0BCQEWIGpvc2VwaC5kb2VrYnJpamRlckBzd2lzc3NpZ24uY29tMRIwEAYD
VQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNIMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQCpc7LucWH/EP2YmDBOMZVmPzy8JfYovxAL8wbfuXjFQLg4/orh+8AonyozzaK0fJzFw/D4
46z3siNvu065E6AKM3BFPSsyS5RrUPnYjtxcLAmfv+OsR5gAMA1hhsS571XCWaVPvEuCIltW
RvpcKVeuAsdpR6p7eW7UPQuO0EgR4QIDAQABo4GBMH8wHwYDVR0jBBgwFoAU8jaGz72k1nnf
MpmM0FlpHQWVLIYwDgYDVR0PAQH/BAQDAgQwMB8GA1UdJQQYMBYGCisGAQQBgjcKAwQGCCsG
AQUFBwMEMCsGA1UdEQQkMCKBIGpvc2VwaC5kb2VrYnJpamRlckBzd2lzc3NpZ24uY29tMA0G
CSqGSIb3DQEBBQUAA4IBAQBY4/HrZkMYrF0LKNWpDrYTbEM7wRjHKtpjMHWb1DlAm1qRBWAB
0Ns/jyCHLedGlRydHuVPh+THO9PPgRESIWoWq88uz+gpue3A4DWpuk7BqrYKXFfKTa1uKsfE
L62LJ0cO8Q09aCkkEpETL8u92s68328QPhSgFmX5wgToyG3Vw2EOMTcbCeKFRYSkZTywe2NV
IMkDKKUDuRYBYZZ1Db8P3SzF26bszuUH+4HsbgIg8K+mrEeln9aHpbujAUVx8huCpYR25Ziz
rtK2vHmDd2VQUfOs+gA4dns7Ys+sOYXYWn2ZvXycCirQktDuaOTAxRXrBXByGLTNDsJBsNQI
FbZdMIIDqTCCApGgAwIBAgIIXLEyej+EomAwDQYJKoZIhvcNAQEFBQAwZDEcMBoGA1UEAxMT
U3dpc3NTaWduIFNpbHZlciBDQTEjMCEGCSqGSIb3DQEJARYUc2lsdmVyQHN3aXNzc2lnbi5j
b20xEjAQBgNVBAoTCVN3aXNzU2lnbjELMAkGA1UEBhMCQ0gwHhcNMDMxMDEyMTEzODIyWhcN
MTUxMDA2MTMzNjU3WjBgMRowGAYDVQQDExFTd2lzc1NpZ24gR29sZCBDQTEhMB8GCSqGSIb3
DQEJARYSZ29sZEBzd2lzc3NpZ24uY29tMRIwEAYDVQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYT
AkNIMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAstKfzDugVAxC63Qhl8+Cko7T
Kjh0aMls6o0iYfPE6LU9jRHGRE2FyEoI4+3EgotNIVEX7GOTtQUL3YRzkJ55T/urzNtWDead
etokNxoH1KrYObxIuFeSyepEN/QKcNedliNqwGF3wPqKCGna554QeyV44pRhvNH3+hFL3Mz3
Tazf2wtmE/et/JSAFFUPWfSqrugURE1G2kaB9o2tt/BFtEjslSD41D9g7nexjvgHDyRKsoY3
FoEHexV/ttvFZNzGJJ7NLwgC84JvCdLi3RvNyGfiWnqkjuRdQOohAsWNJcjn7aoksB5y/Ipr
BjsivtY/LBYQ7zq+Sc8v+8bf3T1lzwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
AQH/BAUwAwEB/zAdBgNVHQ4EFgQUtGz1MEEswDyRjDQnY/pVvPzntD8wHwYDVR0jBBgwFoAU
EvoMgVv/f9El2B5zMDUPRhg2snUwDQYJKoZIhvcNAQEFBQADggEBADG0plqQXp/SAJjFJYax
q1R+3LaDheER1IgXaIem+nofwcBaCvEP+vkWkEuBwFbvI97tKlO6oY1WtVlJHbkfHXcvRAiv
s8W9EbuQlXJ9g1J+ZKJbnI/KmTwsNYvHj5PBe9+PwvA1oZwTJDEEBSaUcdOxaNw3ceka7oTd
dWXfAWUhGXDmS3O2yTHVovUrFAshmYEz9r4YRvbUzkKYcP12zOu2UmdrCOzSWua2EOuSimLM
se00IOJTlhJMfL+ly6O8G1MA7wTqKkSgnDbVe0XsMQYmSJaiVqSkRGIUYE7mvlq9YKCguBZ1
fpmurO0BeWvmzZxZT/7VBjcfMzwS1tZ4CeAwggOuMIIClqADAgECAggQSAsMRGstRTANBgkq
hkiG9w0BAQUFADBgMRowGAYDVQQDExFTd2lzc1NpZ24gR29sZCBDQTEhMB8GCSqGSIb3DQEJ
ARYSZ29sZEBzd2lzc3NpZ24uY29tMRIwEAYDVQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNI
MB4XDTAzMTAxMjExNTgyMloXDTA2MTAxMjExNTgyMlowaTEjMCEGA1UEAxMaU3dpc3NTaWdu
IFBlcnNvbmFsIEdvbGQgQ0ExITAfBgkqhkiG9w0BCQEWEmdvbGRAc3dpc3NzaWduLmNvbTES
MBAGA1UEChMJU3dpc3NTaWduMQswCQYDVQQGEwJDSDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMZmnWhcHmQ8GZB+9uoZyb+LmqUqYRWWL6vSFwWMSQdtn7aMT0zVI1N37y2I
LN5/KurG53SonxgMfwqsxgdD3jI77yyJwsN0aMdBDotcL+pXSJqlC1gpDsVHtMIyQs5PqYTx
Y3uUJVbBERchLFLv/2VJ0iBGXg009lyNVULa9VFcG/F2UF34YranOWBW4OSQowf1kJYNXr4A
eKhpLnNhv30/fdIMRrihygQCPaMJ0nQAEuBVbFSfOUQPvMDDBwYKC+yMkcm5QWgnVGXAeyrA
x7k8+rKPfNbYqnyeL9aAnyUMkYm6FtUsaM5I6HNWJY63gfqqPeprFuogZNY1Rwq2mNMCAwEA
AaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPI2hs+9
pNZ53zKZjNBZaR0FlSyGMB8GA1UdIwQYMBaAFLRs9TBBLMA8kYw0J2P6Vbz857Q/MA0GCSqG
SIb3DQEBBQUAA4IBAQCuHGJh9r2LiKenYuA4Imi1TZ0YWVB0o2Kfo6HD3CPZwavyPzXiShM0
0PGIoX/bs+K36PYj24E6gdp78B4hzqPP525wUapDy/WX8nur8XbrcdEwffWy+Cmz593an7Xy
iFl18wIDGLGkpGpwtM/Jiu2QLUughU7Eh0/i6R1+oUPLF9wYcB0eoYnDBK0KWFvTEWkLAWYb
F45PV4tsBXWI+UTQBB93rgdjQbJNxSv7K/kLAQY/mWs9fF2jp4X8+UMthm28TkHE7VAok0md
Ma9x3X1ZrMDmb3ijkUxwJhFewelg9vMZdcXUHjezw5J83L5I8aBQmfKIHLDEg2XVcQUhMi/B
MIIDwDCCAqigAwIBAgIJAOjyHqbBu/cuMA0GCSqGSIb3DQEBBQUAMHYxCzAJBgNVBAYTAkNI
MRIwEAYDVQQKEwlTd2lzc1NpZ24xMjAwBgNVBAMTKVN3aXNzU2lnbiBDQSAoUlNBIElLIE1h
eSA2IDE5OTkgMTg6MDA6NTgpMR8wHQYJKoZIhvcNAQkBFhBjYUBTd2lzc1NpZ24uY29tMB4X
DTAzMTAwNjEzMzY1N1oXDTE1MTAwNjEzMzY1N1owZDEcMBoGA1UEAxMTU3dpc3NTaWduIEJy
b256ZSBDQTEjMCEGCSqGSIb3DQEJARYUYnJvbnplQHN3aXNzc2lnbi5jb20xEjAQBgNVBAoT
CVN3aXNzU2lnbjELMAkGA1UEBhMCQ0gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDA0TvGY7vE2Z2U4Ootl3tb6AZN4SPTTN6HYMyzL9OeKWzlMfnwJqEzv4yjkFMcaStrmyRO
PMkwLEWcd3FiaxKBmr0eCN9ybgZuhKvSxYfaqcM5QAgPqK6yA2WQ+sgWAUlEH4PdhCUYd84q
eOlswzzrtbggVWQsbh/LoT7edOeBJlDiIHufmmXTl5X7psFIImkWJbnegd7fidhRuUxMJF0X
LcA/9WaJzZDZSmGONRSP+WOzlM/o4xunjPwIoCWKSIo9NMWtJ29az01/TcLehpyMjQg7a+PJ
3yFtl5PbS25Jm7W9IopISNPGYzucjOIVKYo9BQ5F32lGn8NJl418yNttAgMBAAGjYzBhMA4G
A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRygIjtngs9r6moa09a
F+LUoY5lJDAfBgNVHSMEGDAWgBSW13HNOSrU/IixiqtTeGnvj0d+FjANBgkqhkiG9w0BAQUF
AAOCAQEApFfZjNGeQ7OtxCPI3mI1rjF2gbxMTMtMeJeaxH2QSJsrvcKRQ29v0wzDLMmeKFR8
d3B8PDh8aqw2IGz1X3FcIn7CUTdoOvFCGuW0SpdvKzgt3RVOpp4HFcfMK6mxubSHCBV6f66A
UyxbK+Sv7Rpwn3BZ6AYndMzYMEk6IrAvrurIz6h2DTrwEO3oH1GKRpYljlcoh+mKEnvZit6b
vGNcLpLTMZNe+0dlKzw1uHNI9gqteNqn/BqunMDAqPcBX4uZ0em7P/ZJ8+SACnsz96+R5MSV
EeoFqWQoRQAxNgjUXTy0xYa4cGRqeXtTO/s3mKgDBWktCFXU0f0kb0IQIBmGqDCCA/gwggLg
oAMCAQICCQDemCdyDdsdVTANBgkqhkiG9w0BAQUFADBkMRwwGgYDVQQDExNTd2lzc1NpZ24g
QnJvbnplIENBMSMwIQYJKoZIhvcNAQkBFhRicm9uemVAc3dpc3NzaWduLmNvbTESMBAGA1UE
ChMJU3dpc3NTaWduMQswCQYDVQQGEwJDSDAeFw0wMzEwMTIxMTM2MzJaFw0xNTEwMDYxMzM2
NTdaMGQxHDAaBgNVBAMTE1N3aXNzU2lnbiBTaWx2ZXIgQ0ExIzAhBgkqhkiG9w0BCQEWFHNp
bHZlckBzd2lzc3NpZ24uY29tMRIwEAYDVQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNIMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzPdBfCH+e+kxpt0cSTkKm1pJXXdRCNJ8
mrbsNpuX2O290pzz1dEF7DKFCH+k9bm8Yqj1KgyhKrt7JoNGUHW83sU+8jjrYG/ZPrfusCH+
4iiVZciBCvPdM1t0qvPZvWrKVYdIb+3t8aQz8+L08zFLdkxG49M+4cMW5srECPy4YJ3kJzVr
awrXBMAchqviMngsyWuKw5qV5FA9pp36wDsumItoZXL3BOsMsU2lh3z/OLhDpXA5D83mgEOW
RbqkfSWyaT1lcIuoMZ/XMdT8ahU+3GWnZ8O9tQFg0//SfrlT3Zsp7Hhx0XEtsuIKQZTrsUHj
QzR+bk9RlKLz3Sy5nxPRRQIDAQABo4GsMIGpMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBQS+gyBW/9/0SXYHnMwNQ9GGDaydTAfBgNVHSMEGDAWgBRygIjt
ngs9r6moa09aF+LUoY5lJDBGBgNVHR8EPzA9MDugOaA3hjVodHRwczovL3N3aXNzc2lnbi5u
ZXQvY2dpLWJpbi9hdXRob3JpdHkvY3JsP2NhPUJyb256ZTANBgkqhkiG9w0BAQUFAAOCAQEA
qaVWxVi644azmxYNNglkRVA5pFsU3zN4zepYrjEmamFgGROsNKYCwf06cGDHXsJyxZzkzFPG
FTR5/pRLoDWnEuFgfm+a6XA9qTUecun+909Dkz8EbNk/KsWaGEG+HxMjwnusctjeWhO32rRH
+AWJW9VhNR+ggbkGwbVadRClY7359ChoWTwkySWb2hjTZU3BOnqAOYJ2QPKiWMrGODN9Jo94
+hfxcD6o08ak5KY/5Bza4EEL/sbS/quhoCZsg8TBD4+KeXgbVqU9XlPHk/gq1RTy49SPmRkQ
lgwFSvQRRAD/5oQX3ZKxhXAVsEYHyGvqCsFvXWKagulb5NjNdD0pyTCCBAEwggLpoAMCAQIC
CQCVT/juYWAhTDANBgkqhkiG9w0BAQUFADBpMSMwIQYDVQQDExpTd2lzc1NpZ24gUGVyc29u
YWwgR29sZCBDQTEhMB8GCSqGSIb3DQEJARYSZ29sZEBzd2lzc3NpZ24uY29tMRIwEAYDVQQK
EwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNIMB4XDTAzMTIxMDIxNDAwMVoXDTA0MTIxMDIxNDAw
MVoweDEkMCIGA1UEAxMbSm9zZXBoIEFudG9uaXVzIERvZWticmlqZGVyMS8wLQYJKoZIhvcN
AQkBFiBqb3NlcGguZG9la2JyaWpkZXJAc3dpc3NzaWduLmNvbTESMBAGA1UEChMJU3dpc3NT
aWduMQswCQYDVQQGEwJDSDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJVGvsFb
4Ufs++D4cxTnv2yHvmLjKZQ2qfPT7YO2dfffZbiba4qkKQ8xLE05D1EqlLvXm+4dRksjDhty
OzwZeWajZ/TGwPgP3jXOURlqkyhVrX0kt5EzW5EokcMC/Ais422LqtJ5kq2nOvK7NGYtevS0
pMbHi5NZtkWUwVZaRjjOJaTGO2xDkjAOdYIyI8vdEIedJIW6LGHIZsYjI+yW7sUlI6hCXhrV
nsmdu/shG/TTsvDQUW28Yl7/l/uvikFsuy4erDKDHcbth/xKsI/KkfX40jGqGI0SlQ7fHBph
DwbnbOKJJSu1wgMT1dvuwLyFEBqyf0OSPZROpK11T3d2LdcCAwEAAaOBnDCBmTAfBgNVHSME
GDAWgBTyNobPvaTWed8ymYzQWWkdBZUshjAOBgNVHQ8BAf8EBAMCA8gwKQYDVR0lBCIwIAYI
KwYBBQUHAwQGCCsGAQUFBwMCBgorBgEEAYI3FAICMDsGA1UdEQQ0MDKgMAYKKwYBBAGCNxQC
A6AiDCBqb3NlcGguZG9la2JyaWpkZXJAc3dpc3NzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOC
AQEAZTUBqQgk5nB+0W7Mozv/uD6lRurjZhWShstlaQ43qvVHcsDgb4mW/bynla9BDmM/NsQU
43ZsoFxjkJsxFCpgm5BuMt1KuD7FSHJ0mxRswaGf9mHxftU1cu/YhY/AjrsFHEnsPHZaYAAm
jcKunHgT+yckvUZR3RQDkgVE4PQ3YpsG1EPKQSEAFbmWAd4+TxJmuBXThDM63gOkY4Q7gE1b
Y1kjkdRlJ2TZ/gOItQ3AsfwS7mq+ANYnUBrWkrnUd85Nmgzv5ys7zxuz9tp64vS+xYW98mri
ruGl9stN/b7SbOFTsp8SUm83e9qPOQZRYPS6TYYKUObj3LbaXJEIqKD51DGCA2IwggNeAgEB
MHYwaTEjMCEGA1UEAxMaU3dpc3NTaWduIFBlcnNvbmFsIEdvbGQgQ0ExITAfBgkqhkiG9w0B
CQEWEmdvbGRAc3dpc3NzaWduLmNvbTESMBAGA1UEChMJU3dpc3NTaWduMQswCQYDVQQGEwJD
SAIJAJVP+O5hYCFMMAkGBSsOAwIaBQCgggHBMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTA0MDcyMDA5NDkwNVowIwYJKoZIhvcNAQkEMRYEFPsQjDKAfN16
PQ3cLhzCMYqNiUPiMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwIC
AgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGEBgkrBgEEAYI3
EAQxdzB1MGkxIzAhBgNVBAMTGlN3aXNzU2lnbiBQZXJzb25hbCBHb2xkIENBMSEwHwYJKoZI
hvcNAQkBFhJnb2xkQHN3aXNzc2lnbi5jb20xEjAQBgNVBAoTCVN3aXNzU2lnbjELMAkGA1UE
BhMCQ0gCCGQgZ70rBHuyMIGGBgsqhkiG9w0BCRACCzF3oHUwaTEjMCEGA1UEAxMaU3dpc3NT
aWduIFBlcnNvbmFsIEdvbGQgQ0ExITAfBgkqhkiG9w0BCQEWEmdvbGRAc3dpc3NzaWduLmNv
bTESMBAGA1UEChMJU3dpc3NTaWduMQswCQYDVQQGEwJDSAIIZCBnvSsEe7IwDQYJKoZIhvcN
AQEBBQAEggEAUibz/rnjBYH2gqFJ3tTAEkaF6+Y1A4otwihodHSF06wGQLD9zj/GG09awCHz
xDcS0qi8CGHcn7LUx3hpr/etjOD2vCYJjFVGtHSE6y9wG3+vz2Eh7Ons4NRGhNt7Lu/CB8yu
sMQ9La5hpxiiT2NP3xE2EFuSPpWZKoW3lIC9OM+lYVB5J3sWc7vYX2HNcMBpg+wqkXQd35E8
pXokxaGC3/9lzbVJNYjx0eeeDqWeE8VFyAP5p0nKZ3TQA6ZHtUKiW1TQcacYRwfWFkuKq59t
VdCRoxlaRXovPN43OPKMdCp4SicM1CFsZgisuUSreKOM3WTXMt2BjnH0Zl8Uz8P8xAAAAAAA
AA==
--------------ms080600090600050304000002--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6K7gLlJ013877; Tue, 20 Jul 2004 00:42:21 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6K7gLJF013876; Tue, 20 Jul 2004 00:42:21 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail6.hitachi.co.jp (mail6.hitachi.co.jp [133.145.228.41]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6K7gK6Q013868 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 00:42:21 -0700 (PDT) (envelope-from mishima@sdl.hitachi.co.jp)
Received: from mc3.mcg.hitachi.co.jp by mail6.hitachi.co.jp (8.9.3p3/3.7W-mail6) id QAA16835; Tue, 20 Jul 2004 16:42:20 +0900 (JST)
Received: (from root@localhost) by mc3.mcg.hitachi.co.jp (8.11.6+Sun/8.11.6) id i6K7gJX08473 for ietf-pkix@imc.org; Tue, 20 Jul 2004 16:42:19 +0900 (JST)
Received: from unknown [192.168.2.1] by mc3.mcg.hitachi.co.jp with SMTP id SAA08468; Tue, 20 Jul 2004 16:42:18 +0900
Received: from navsg2.hitachi.co.jp by navsg2.hitachi.co.jp (8.9.3/3.7W-navsg2) id QAA03869; Tue, 20 Jul 2004 16:42:18 +0900 (JST)
Received: from hsdlgw92.sdl.hitachi.co.jp ([133.144.7.20]) by navsg2.hitachi.co.jp (SAVSMTP 3.1.6.45) with SMTP id M2004072016421724041 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 16:42:17 +0900
Received: from vgate2.sdl.hitachi.co.jp by hsdlgw92.sdl.hitachi.co.jp (8.9.3/3.7W01100113) id QAA13162; Tue, 20 Jul 2004 16:42:19 +0900
Received: from yokolab1.sdl.hitachi.co.jp ([133.144.101.11]) by vgate2.sdl.hitachi.co.jp (SAVSMTP 3.1.1.32) with SMTP id M2004072016385824606 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 16:38:58 +0900
Received: from sdl.hitachi.co.jp (ip06145.sdl.hitachi.co.jp [133.144.6.145]) by yokolab1.sdl.hitachi.co.jp (8.12.11/3.7W04031011) with ESMTP id i6K7gI3C029699 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 16:42:18 +0900
Message-ID: <40FCCD39.5030706@sdl.hitachi.co.jp>
Date: Tue, 20 Jul 2004 16:43:53 +0900
From: Hisanori Mishima <mishima@sdl.hitachi.co.jp>
Organization: Systems Development Lab., Hitachi, Ltd., Japan
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: ja, ko-kr, zh
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Asia PKI Interoperability Guideline v1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Dear PKIX members,
I'm Hisanori Mishima, chair of Interoperability WG (IOWG),
Asia PKI Forum (APKI-F).
I'd like to announce our recent two news
related to multi-domain PKI Interoperability.
First is,
we have finalized
"Asia PKI Interoperability Guideline v1.0"
as a technical standard for multi-domain PKI interoperability
during its annual meeting in March 2004 (Singapore).
We opened it to public from our Web site;
http://www.asia-pkiforum.org/
"Resource".
Second is,
JKST-IWG (PKI interoperability proof experiment team in APKI-F,
consisted of Japan, Korea, Singapore and Chinese Taipei)
have opened the Web version of "Asia PKI Interoperability Guideline".
URL is following;
"CA-CA Interoperability Guideline, 1st edition"
http://www.japanpkiforum.jp/CAGuideline/guideline/index.html
I hope many people will visit to our web sites.
Best Regards,
Hisanori Mishima
------------------------------------------------------------------
The Asia PKI Forum is an international, non-profit-organization,
established on June 13, 2001, promoting joint-work for the secure
interoperability between country's/area's PKIs
as the infrastructures in the Asia/Oceania Region.
http://www.asia-pkiforum.org/
------------------------------------------------------------------
mishima@sdl.hitachi.co.jp
Senior Manager
7th Research Dept.
(Security systems Research Dept.)
Hitachi, Ltd., Systems Development Laboratory
Tel:+81-44-549-1266
Fax:+81-44-549-1382
Hitachi System Plaza Shinkawasaki,
890, Kashimada, Saiwai-ku, Kawasaki-shi,
Kanagawa-ken, 212-8567 Japan
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6K0V43E079077; Mon, 19 Jul 2004 17:31:04 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6K0V4Ut079075; Mon, 19 Jul 2004 17:31:04 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail5.atl.registeredsite.com (nobody@mail5.atl.registeredsite.com [64.224.219.79]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6K0V3pa079062; Mon, 19 Jul 2004 17:31:03 -0700 (PDT) (envelope-from egerck@nma.com)
Received: from taurus.hosting4u.net (taurus.hosting4u.net [209.35.191.122]) by mail5.atl.registeredsite.com (8.12.11/8.12.8) with ESMTP id i6K0V8Zu006417; Tue, 20 Jul 2004 00:31:08 GMT
Received: from nma.com ([63.204.17.85]) by taurus.hosting4u.net ; Mon, 19 Jul 2004 19:31:05 -0500
Message-ID: <40FC669A.2020203@nma.com>
Date: Mon, 19 Jul 2004 17:26:02 -0700
From: Ed Gerck <egerck@nma.com>
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Christine Karman <christine@izecom.com>
CC: ietf-smime@imc.org, ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
References: <20040716152213.GA16939@mail19g.dulles19-verio.com> <20040716152213.GA16939@mail19g.dulles19-verio.com> <4.3.2.7.2.20040719124821.0280f818@localhost>
In-Reply-To: <4.3.2.7.2.20040719124821.0280f818@localhost>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Christine Karman wrote:
> At 09:43 PM 7/16/2004, Ed Gerck wrote:
>
>> An obvious problem with email certificates is that they open us to spam.
>
>
> How's that?
A repository of certs with email addresses is a repository of email addresses.
> If you accept encrypted email, then you can refuse unsigned email.
You can do the latter without doing the former. Beseides, while it's relatively easy
to send signed email to many people (as it depends only on your cert), in order
to send encrypted email to many people you need each recipient's cert (and you also
want to make sure they are not revoked at the time they receive the message, which
is yet another problem).
Cheers,
Ed Gerck
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6K075aV074611; Mon, 19 Jul 2004 17:07:05 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6K0752i074609; Mon, 19 Jul 2004 17:07:05 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailbo.vtcif.telstra.com.au (mailbo.vtcif.telstra.com.au [202.12.144.19]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6K073Q0074573 for <ietf-pkix@imc.org>; Mon, 19 Jul 2004 17:07:04 -0700 (PDT) (envelope-from James.H.Manger@team.telstra.com)
Received: from mailbi.vtcif.telstra.com.au (mailbi.vtcif.telstra.com.au [202.12.142.19]) by mailbo.vtcif.telstra.com.au (Postfix) with ESMTP id 98A3F234AC for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 10:07:02 +1000 (EST)
Received: from mail.cdn.telstra.com.au (localhost [127.0.0.1]) by mailbi.vtcif.telstra.com.au (Postfix) with ESMTP id 423311DA83 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 10:07:02 +1000 (EST)
Received: from WSMSG0004.srv.dir.telstra.com (wsmsg0004.srv.dir.telstra.com [192.74.168.133]) by mail.cdn.telstra.com.au (8.8.2/8.6.9) with ESMTP id KAA00607 for <ietf-pkix@imc.org>; Tue, 20 Jul 2004 10:07:02 +1000 (EST)
content-class: urn:content-classes:message
Subject: RE: PI: 10: single serialNumber attribute
Date: Tue, 20 Jul 2004 10:05:59 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <73388857A695D31197EF00508B08F29806EE1B44@ntmsg0131.corpmail.telstra.com.au>
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Thread-Topic: I-D ACTION:draft-ietf-pkix-pi-10.txt
Thread-Index: AcRpISpRw39Rj0boTiKQ1oDDudjrzgEIUs5QACocGpA=
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6K074Q0074598
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sure, that DN has 2 permanent identifiers.
However, only one is a PI for this subject. A cert for this subject can ignore the other PI. An 'instanceNumber' is unnecessary as DNs are hierarchical so the "deepest" serialNumber attribute will always be the most specific to the subject.
> ----------
> From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> Sent: Monday, 19 July 2004 7:52 PM
> To: Manger, James H; ietf-pkix@imc.org
>
> But is this not actually a prime example of a scheme using TWO PIs?
>
> This would however also require an updated specification where something like an optional "instanceNumber" would be featured to point out the actual serialNumber to use.
>
>
>> For example: cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS 554433", c=US. The PI extension would refer to 12345.
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JJx0Lf028999; Mon, 19 Jul 2004 12:59:00 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6JJx0TW028998; Mon, 19 Jul 2004 12:59:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JJwv2T028991 for <ietf-pkix@imc.org>; Mon, 19 Jul 2004 12:58:59 -0700 (PDT) (envelope-from dinaras@cnri.reston.va.us)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA19612; Mon, 19 Jul 2004 15:58:59 -0400 (EDT)
Message-Id: <200407191958.PAA19612@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: i-d-announce@ietf.org
Cc: ietf-pkix@imc.org
From: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-pkix-ldap-ac-schema-01.txt
Date: Mon, 19 Jul 2004 15:58:59 -0400
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.
Title : Internet X.509 Public Key Infrastructure LDAP
Schema for X.509 Attribute Certificates
Author(s) : D. Chadwick, M. Sahalayev
Filename : draft-ietf-pkix-ldap-ac-schema-01.txt
Pages : 0
Date : 2004-7-19
This document describes an LDAP schema for X.509 attribute certificates (ACs). Each AC is broken down into a set of attribute types. These attributes can then be stored in an AC entry. An object class is defined for this AC entry. Each attribute type uses an existing LDAP syntax, so that no new matching rules need to be defined.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-ldap-ac-schema-01.txt
To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request@ietf.org with the word unsubscribe in the body of the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.
Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-ietf-pkix-ldap-ac-schema-01.txt".
A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Internet-Drafts can also be obtained by e-mail.
Send a message to:
mailserv@ietf.org.
In the body type:
"FILE /internet-drafts/draft-ietf-pkix-ldap-ac-schema-01.txt".
NOTE: The mail server at ietf.org can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e. documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"
--OtherAccess
Content-Type: Message/External-body;
access-type="mail-server";
server="mailserv@ietf.org"
Content-Type: text/plain
Content-ID: <2004-7-19152742.I-D@ietf.org>
ENCODING mime
FILE /internet-drafts/draft-ietf-pkix-ldap-ac-schema-01.txt
--OtherAccess
Content-Type: Message/External-body;
name="draft-ietf-pkix-ldap-ac-schema-01.txt";
site="ftp.ietf.org";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <2004-7-19152742.I-D@ietf.org>
--OtherAccess--
--NextPart--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JFmasj083788; Mon, 19 Jul 2004 08:48:36 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6JFmaUo083787; Mon, 19 Jul 2004 08:48:36 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from FatDNS.com (host166-69.discord.birch.net [65.16.166.69]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JFmZ6Z083779 for <ietf-pkix@imc.org>; Mon, 19 Jul 2004 08:48:35 -0700 (PDT) (envelope-from Scott@XRamp.com)
Received: from SN [65.16.166.68] by FatDNS.com with ESMTP (SMTPD32-7.07) id AD51D710086; Mon, 19 Jul 2004 10:48:33 -0500
Reply-To: <Scott@XRamp.com>
From: "Scott Harris" <Scott@XRamp.com>
To: "'Joseph Doekbrijder'" <joseph.doekbrijder@swisssign.com>
Cc: <ietf-pkix@imc.org>
Subject: RE: Request: Send me signed messages
Date: Mon, 19 Jul 2004 10:47:40 -0500
Organization: XRamp Technologies, Inc.
MIME-Version: 1.0
Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
In-Reply-To: <40FB9247.40509@swisssign.com>
thread-index: AcRtgpcDRr6T6OxBQTmM3crI8ubp4QAHWf2w
Message-Id: <200407191048444.SM01248@SN>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEVUNvbnRl
bnQtVHlwZTogdGV4dC9wbGFpbjsNCgljaGFyc2V0PSJpc28tODg1OS0xIg0KQ29udGVudC1UcmFu
c2Zlci1FbmNvZGluZzogOGJpdA0KDQoEghAASGksDQoNCkFsdGhvdWdoIHRoaXMgaXMgbXkgZmly
c3QgcG9zdCwgSSBoYXZlIGJlZW4gc3Vic2NyaWJlZCB0byB0aGlzIGxpc3QgZm9yDQpxdWl0ZSBz
b21lIHRpbWUgYW5kIEkga25vdyBhIGZldyBvZiB5b3UgcGVyc29uYWxseS4NCg0KSSB3b3JrIGZv
ciBhIGNvbXBhbnkgY2FsbGVkIFhSYW1wIGFuZCB3ZSBhcmUgYSBUcnVzdGVkIENBIHdobyBpc3N1
ZXMNCldlYnNlcnZlciBDZXJ0cyBhbmQgZW1haWwgY2VydHMuDQoNCkkgYW0gdmVyeSBpbnRlcmVz
dGVkIGluIGNyZWF0aW5nIGEgY2VudHJhbGl6ZWQgcmVwb3NpdG9yeSBmb3IgZW1haWwNCmNlcnRp
ZmljYXRlcyB0aGF0IHdpbGwgaW50ZXJmYWNlIHdpdGggT3V0bG9vayBhbmQgRXVkb3JhIChhcyB3
ZWxsIGFzIG90aGVyDQpwb3B1bGFyIG1haWwgc3lzdGVtcykgYW5kIGFsbG93IHBlb3BsZSB0byBn
cmFiIHNvbWVvbmUncyBlbWFpbCBjZXJ0aWZpY2F0ZQ0KYmFzZWQgb24gdGhlaXIgZW1haWwgYWRk
cmVzcyBhbmQgZW5jcnlwdCBhIG1lc3NhZ2UgdG8gdGhlbSB3aXRob3V0IHRoZQ0Kc3RhbmRhcmQg
c3dhcHBpbmcgb2YgY2VydGlmaWNhdGVzLiAgVGhlIHN5c3RlbSBzaG91bGQgYmUgZmFpcmx5IHNl
YW1sZXNzIGFuZA0KZWFzeSB0byB1c2UuDQoNClRoaXMgZG9lcyBub3QgY2F1c2UgYW55IHNwYW0g
cHJvYmxlbXMgYXMgdGhlIHNwYW1tZXIgd291bGQgaGF2ZSB0byBoYXZlIHRoZQ0KZW1haWwgYWRk
cmVzcyBpbiBvcmRlciB0byBnZXQgYSBjZXJ0aWZpY2F0ZSBiYWNrLiAgV2UgY2FuIGFsc28gc2V0
IHVwIHRoZQ0KcmVwb3NpdG9yeSBzbyB0aGF0IGl0IHJlcXVpcmVzIGEgbG9naW4gdGhhdCBjYW4g
YmUgcmVqZWN0ZWQgaWYgc29tZW9uZSBpcw0KYWJ1c2luZyB0aGUgc3lzdGVtLg0KDQpJIGhhdmUg
cGxheWVkIGFyb3VuZCB3aXRoIHRoaXMgaWRlYSB1c2luZyBMREFQLCBob3dldmVyIGl0IHdhcyBx
dWl0ZQ0KYW50aWNsaW1hY3RpYyAtIHBvc3NpYmx5IEkgc2ltcGx5IGRvIG5vdCB1bmRlcnN0YW5k
IExEQVAgd2VsbCBlbm91Z2guICBJDQp0aGluayBpdCB3aWxsIGhhdmUgdG8gYmUgYSBjdXN0b20g
dG9vbGJhciBhcHAuICBJIGhhdmUgYWxzbyBwbGF5ZWQgYXJvdW5kDQp3aXRoIGFkZGluZyBhICJD
b250YWN0IiB3aXRoIHRoZSBjZXJ0aWZpY2F0ZSwgYnV0IEkgY2FuJ3Qgc2VlbSB0byBiZSBhYmxl
IHRvDQpkbyB0aGlzIHByb2dyYW1tYXRpY2FsbHkgLSBNUyBsZXRzIHlvdSBhZGQgYSBjb250YWN0
IHByb2dyYW1tYXRpY2FsbHksIGJ1dA0KdGhlIHBpZWNlIHRvIGFkZCBhIGNlcnQgaXMgbm90IGlt
cGxlbWVudGVkICh0aGVyZSBpcyBhIHZhcmlhYmxlIHRoZXJlLCBidXQNCk1TIGFkbWl0cyB0aGF0
IGl0IGRvZXNuJ3Qgd29yaykuICBNYXliZSB3ZSB3aWxsIGhhdmUgdG8gc3RvcmUgdmNhcmRzIHdp
dGgNCnRoZSBjZXJ0aWZpY2F0ZSBpbiB0aGVtIGluIGEgZGF0YWJhc2UgYW5kIGRvbGUgdGhlbSBv
dXQgdGhhdCB3YXkuDQoNCkFueWhvdywgbG9uZyBzdG9yeSBzaG9ydCwgZW1haWwgY2VydHMgc2hv
dWxkIGJlIGdvaW5nIG1haW5zdHJlYW0gc29vbiwgYW5kDQppdCBtYXkgZXZlbnR1YWxseSBiZSB0
aGUgYW5zd2VyIHRvIHNwYW0sIGJ1dCB0aGVyZSBuZWVkcyB0byBiZSBhIGJldHRlciB3YXkNCnRv
IGhhbmRsZSB0aGUgZGlzdHJpYnV0aW9uIG9mIGNlcnRpZmljYXRlcyBmb3IgdGhlbSB0byByZWFs
bHkgc3RhcnQgdGFraW5nDQpvZmYuDQoNCklmIHlvdSBhcmUgaW50ZXJlc3RlZCBpbiBwYXJ0aWNp
cGF0aW5nIGluIHRoZSBwcm9qZWN0LCBwbGVhc2UgY29udGFjdCBtZSBhbmQNCmluZGljYXRlIHdo
YXQgeW91IHdhbnQgdG8gY29udHJpYnV0ZSwgdGhlIHByb2plY3Qgd2lsbCBuZWVkIHByb2dyYW1t
ZXJzLCBhDQpwb2xpY3kvcGxhbm5pbmcgYm9hcmQsIHdlYiBkZXZlbG9wZXJzLCBhbmQgb3RoZXJz
IHRoYXQgSSBoYXZlbid0IHRob3VnaHQgb2YNCnlldC4gIFhSYW1wIHdpbGwgY29udHJpYnV0ZSBz
ZXJ2ZXJzLCBhY2Nlc3MgdG8gYSBUcnVzdGVkIENBLCBwcm9ncmFtbWVycyBhbmQNCndlYiBkZXZl
bG9wZXJzLiAgKFByb2dyYW1tZXJzIGFuZCB3ZWIgZGV2ZWxvcGVycyBmcm9tIFhSYW1wIGFyZSBv
biBhIGxpbWl0ZWQNCmJhc2lzIGFzIG91ciBpbnRlcm5hbCBwcm9qZWN0IGxpc3QgaXMgcXVpdGUg
bG9uZykuDQoNCkkgbG9vayBmb3J3YXJkIHRvIGhlYXJpbmcgcmVzcG9uc2VzIHRvIHRoaXMgcHJv
amVjdCBhbmQgYW55IGlkZWFzIHRoYXQgeW91DQpndXlzIG1heSBoYXZlIGluIHRoaXMgcmVnYXJk
LiAgQWRkaXRpb25hbGx5LCBpZiB0aGVyZSBpcyBhbnl0aGluZyB0aGF0IFhSYW1wDQpjYW4gZG8g
dG8gYXNzaXN0IG90aGVyIHByb2plY3RzIHRoYXQgeW91IG1heSBiZSBpbnZvbHZlZCBpbiwgcGxl
YXNlIGZlZWwNCmZyZWUgdG8gYXNrLg0KDQpCZXN0IFJlZ2FyZHMsDQpTY290dCBIYXJyaXMNClhS
YW1wIFRlY2hub2xvZ2llcywgSW5jLg0KODg4LTkwLVhSQU1QICAoODg4LTkwOS03MjY3KQ0KMjEw
LTY5NS00MzQ1DQoNCmh0dHA6Ly93d3cuWFJhbXAuY29tDQoNCg0KDQotLS0tLU9yaWdpbmFsIE1l
c3NhZ2UtLS0tLQ0KRnJvbTogb3duZXItaWV0Zi1wa2l4QG1haWwuaW1jLm9yZyBbbWFpbHRvOm93
bmVyLWlldGYtcGtpeEBtYWlsLmltYy5vcmddIE9uDQpCZWhhbGYgT2YgSm9zZXBoIERvZWticmlq
ZGVyDQpTZW50OiBNb25kYXksIEp1bHkgMTksIDIwMDQgNDoyMCBBTQ0KVG86IFN0ZXBoZW4gS2Vu
dA0KQ2M6IEVkIEdlcmNrOyBpZXRmLXBraXhAaW1jLm9yZw0KU3ViamVjdDogUmU6IFJlcXVlc3Q6
IFNlbmQgbWUgc2lnbmVkIG1lc3NhZ2VzDQoNCkludGVyZXN0aW5nIGlzc3VlLCB3aGljaCBsZWF2
ZXMgbWUgd2l0aCBhIHF1ZXN0aW9uOg0KVGhlIG9ubHkgdGhpbmcgYSBzcGFtbWVyIGNhbiBub3Qg
ZG8gKG9yIG1heWJlIG9ubHkgb25jZSkgaXMgZGlnaXRhbGx5IHNpZ24NCmhpcyBzcGFtISBVcG9u
IGFidXNlLCBUaGUgY2VydCBjYW4gYmUgcHV0IG9uIHRoZSByZWNlaXZlcnMgImJsYWNrLWxpc3Qi
LCB0aGUNCmNlcnQgY291bGQgYmUgcmV2b2tlZCBieSBDQSBhbmQvb3IgUkEgYW5kIHRoZSBJc3N1
aW5nUGFydHkgY2FuIGJlIGNvbnRhY3RlZA0KaWYgYWJ1c2UgY29udGludWVzLi4uDQpXb3VsZCBp
dCB0aHVzIG5vdCBiZSBhbiBpbnRlcmVzdGluZyBhcHByb2FjaCB0byBidWlsZCBhIG1haWwgZmls
dGVyIHRoYXQNCmZpbHRlcnMgb3V0IGFsbCBub24gZGlnaXRhbGx5IHNpZ25lZCBlbWFpbD8NCkl0
IGlzIGNsZWFyLCB0aGlzIGlzIHNvbWV0aGluZyBmb3IgdGhlIGZ1dHVyZSwgYnV0IGZyb20gYSB0
aGVvcmV0aWNhbA0KcG9pbnQtb2YtdmlldzogU29tZSBmZWVkYmFjayBmcm9tIHRoZSBleHBlcnRz
IG91dCB0aGVyZSB3b3VsZCBiZSBpbnRlcmVzdGluZw0KZm9yIG1lLiBJbiBvdGhlciB3b3Jkcywg
Y2FuIHdlIHRha2UgdGhpcyBhbnkgZnVydGhlcj8NCg0KQ2hlZXJzDQoNCkpvc2gNCg0KU3RlcGhl
biBLZW50IHdyb3RlOg0KDQo+DQo+IEkgdmlldyBQZXRlcidzIHNvbGljaXRhdGlvbiBmb3Igc2ln
bmVkIGUtbWFpbCB0byBiZSBhcHByb3ByaWF0ZSBmb3INCj4gdGhlIFBLSVggV0cgbGlzdC4NCj4N
Cj4gU3RldmUNCj4NCg0KLS0NCkpvc2VwaCBBLiBEb2VrYnJpamRlcg0KLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NClN3aXNzU2lnbiBBRw0KTPZ3ZW5z
dHJhc3NlIDEsIENILTgwMDEgWvxyaWNoDQpUZWw6ICs0MSA0MyAzNDQgODggMTEgLyBNb2JpbGU6
ICs0MSA3OSAyMTEgMjQgNDYgd3d3LnN3aXNzc2lnbi5jb20NCi0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQoNClRoaXMgbWVzc2FnZSBoYXMgYmVlbiBk
aWdpdGFsbHkgc2lnbmVkIHRvIGVuc3VyZSB1bmFsdGVyZWQgYW5kIGF1dGhlbnRpY2F0ZWQNCnJl
Y2VwdGlvbi4gU2hvdWxkIHlvdSByZWNlaXZlIGFuIGVycm9yIG1lc3NhZ2UgcmVnYXJkaW5nIHRo
ZSB2YWxpZGl0eSBvZiB0aGUNCnNpZ25hdHVyZSwgcGxlYXNlIGNsaWNrIGFuZCBkb3dubG9hZCB0
aGUgU3dpc3NTaWduIHJvb3QgY2VydGlmaWNhdGUgdXNpbmcNCnRoZSBmb2xsb3dpbmcgbGluayAg
aHR0cHM6Ly9zd2lzc3NpZ24ubgSBrWV0L3RydXN0LyBBZnRlciBpbnN0YWxsYXRpb24sIHlvdXIN
Cm1haWwgY2xpZW50IHdpbGwgYmUgYWJsZSB0byBhdXRvbWF0aWNhbGx5IHZlcmlmeSB0aGUgYXV0
aGVudGljaXR5IG9mIGUtbWFpbA0KbWVzc2FnZXMgc2VudCB0byB5b3UgYnkgdXNlcnMgb2YgU3dp
c3NTaWduIGNlcnRpZmljYXRlcy4NCg0KAAAAAAAAoIIPqTCCA3UwggJdoAMCAQICCwIAAAAAANZ4
t5QFMA0GCSqGSIb3DQEBBAUAMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52
LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwHhcNOTgw
OTAxMTIwMDAwWhcNMTQwMTI4MTIwMDAwWjBXMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFs
U2lnbiBudi1zYTEQMA4GA1UECxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENB
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2g7mmY3Oo+NPin778YuDJWvqSB/xKrC5
lREEvfBj0eJnZs8c3c8bSCvujYmOmq8pgGWr6cctEsurHExwB6E9CjDNFY1P+N3UjFAVHO9Q7sQu
9/zpUvKRfeBt1TUwjl5Dc/JB6dVq47KJOlY5OG8GPIhpWypNxadUuGyJzJv5PMrl/Yn1EjySeJbW
3HRuk0Rh0Y3HRrJ1DoboGYrVbWzVeBaVounICjjr8iQTT3NUkxOFOhu8HjS1iwWMuXeLsdsfIJGr
CVNukM57N3S5cEeRIlFjFnmusa5BJgjIGSvRRqpI1mQq14M0/ywqwWwZQ0oHhefTfPYhaO/q8lKf
f5OQzwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAAYwHQYDVR0OBBYEFGB7ZhpFDZfKiVAvfQTNNKj/
/P1LMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBAK6qn/y30ssfXzkpKBieNMls
T28a8GSicEpPE4abYCie6IFJmH0Ku+WwnT02248FUf8JMSof3Yl3ng8ubJUE7YbLtAA/hAJNgGoq
LXgLrm8rooNEgx/NUIJMJK+996W0yFoP9OdHXkmON5b+mogFOtnA2ymH5hmWR6c6poyLPHf+RmOn
U9oh0ax+SaJL5sNnWS+zig67LL2pqkJ8NcHYf9WnMTpOY0M5rwiwYTSM05ipQzT2D4cpO53CVliY
d8P3G6z2nfg+qqdURfD1+dUxZf5rWJxxsx7XUuoyF/xAYB3JeSSy9mz9qGYOgt2Yy9rCRE8uoHvy
92ssdhGERop4o+MwggPnMIICz6ADAgECAgsEAAAAAAD5f6ouHjANBgkqhkiG9w0BAQUFADBXMQsw
CQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UECxMHUm9vdCBDQTEb
MBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTAzMTIxNjEzMDAwMFoXDTE0MDEyNzExMDAw
MFowcTEoMCYGA1UEAxMfR2xvYmFsU2lnbiBSb290U2lnbiBQYXJ0bmVycyBDQTEdMBsGA1UECxMU
Um9vdFNpZ24gUGFydG5lcnMgQ0ExGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExCzAJBgNVBAYT
AkJFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAve8w8TDxNKmJZXdNRqeNkP2uT47K
KBe6WeOokgpFAyqKj+UJUFVSgfCjkbHZEiqB9sIDHDyCwHLN8acA1/VUnApH7pqVQZKOoK0JPdPr
onStnxkgCbZ9pl41n085agO1iq0flmJrF7mrh2DVXW3ZksnQE67UiNlQqESRBLDqR+pfsu0EwdcB
fCH4xHEj/GtMZUQzw40d5tJmHFIpRsQG5ws18FkBZgCJz5zje3iqU+LurDWV5/1d10KUldMabjFV
R9frrcdMn1RxgxoXyPnnzlgB9Da/rj9Zn2V8QAdccyA0ohLDSfRoQGkeieCF6Tq3l2O7R7A5a0EA
fvVLuH/jIQIDAQABo4GZMIGWMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
DgQWBBRWhOy1caXnY9jbUQTW+ubwSFJJzjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmds
b2JhbHNpZ24ubmV0L1Jvb3QuY3JsMB8GA1UdIwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0G
CSqGSIb3DQEBBQUAA4IBAQBcLy5nSiaz57U/NTzdoAPtVpr5RDdSFjBlx9FOog+Nt7a2Z47nTOyN
lb7mzqcieHSs1/h0mbP3zosTONWWzI12xS84sjquYb4Lh5njIWJkIzmNhPaFjfd3/7A4BvB+wUhf
te5YJgZmBSJ0koOn27X5kuPowxksLmPvux/f+fcHR2YNB4mXfvgzLJ7LrhQ98Rzfo/F5r8iSj5Rx
xNFExVTbHrULCqlCo6/WQzkd7o+TmFhbvm6cC/Vj7F6ZwvlU+gEHRtoNsGQkz47RBh1PPKJjd0Vb
pLxfsIC7MeALVAFcFh1yTtUqaUfRG2Z+XwFu8TWRa+Au/rBF2BYntcWLwtpTMIIEDDCCAvSgAwIB
AgIKfKQP3gAAAAAF6jANBgkqhkiG9w0BAQUFADCBkTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRl
eGFzMRQwEgYDVQQHEwtTYW4gQW50b25pbzEOMAwGA1UECxMFR1MgQ0ExJDAiBgNVBAoTG1hSYW1w
IFNlY3VyaXR5IFNlcnZpY2VzIEluYzEmMCQGA1UEAxMdWFJhbXAgU2VjdXJpdHkgU2VydmljZXMg
R1MgQ0EwHhcNMDQwNDA5MjExMTQ5WhcNMDUwNDA5MjEyMTQ5WjCBjTELMAkGA1UEBhMCVVMxDjAM
BgNVBAgTBVRleGFzMRQwEgYDVQQHEwtTYW4gQW50b25pbzEhMB8GA1UEChMYWFJhbXAgVGVjaG5v
bG9naWVzLCBJbmMuMRUwEwYDVQQDEwxTY290dCBIYXJyaXMxHjAcBgkqhkiG9w0BCQEWD1Njb3R0
QFhSYW1wLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzP2qtvPX0qnTIHsvsHox0TRY
5vuhx6/77MqoD4iEYVp4Zmey71lBvFe8nrXFwTQUtrl/S8iBS6Cn1oXyVea3NlWgqkI6lriHxQ1C
1kWfPUL+zfEgsXdjx9I80dJGfnP9hjjn/KtRs8v6YFddAXbhax/EWt83hXrwQK1TcCs9sjECAwEA
AaOB6zCB6DAOBgNVHQ8BAf8EBAMCBPAwRAYJKoZIhvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAw
DgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMHMB0GA1UdDgQWBBQf+NR5JpQ/MUDn
/NM+Hy4ixsLZtDATBgNVHSUEDDAKBggrBgEFBQcDBDAfBgNVHSMEGDAWgBSeH6VOTvHoSAQQ8/1t
bwoGr//HOzA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLnhyYW1wc2VjdXJpdHkuY29tL1hS
YW1wR1NDQS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAHouQ+vfoX9OlwXvnI5AIo2LZ0Ns9FDaE1Py
5B8oBj8Qsfd343/5SqG8lPGugZXBsFFokvm7961zaqkydYkGpTkOwzoqN2iYcYAfON69SlHLHtFs
NVQKlo3IUYSTovDmX/cxFeVLT/petV0NGqYF7gOOowTSqAnZIT9oVnYMFX/nQ9WWCr5cRYAMIveE
GuABQooGOjgHUiMxpK2kaGtwbLlrPyObYkyOITulrdB1gDN2suVmZe4Sq/uoe06r5llOG8uMf/zJ
4r/x5Jj0eTEkTN7iw85SIKS7xghk1dzY8kKqEX8Sy588gmwUBJKfFC399l5M2jmrONZM3Dg2TXX5
R3gwggQxMIIDGaADAgECAgsEAAAAAAD5f8YjKTANBgkqhkiG9w0BAQUFADBxMSgwJgYDVQQDEx9H
bG9iYWxTaWduIFJvb3RTaWduIFBhcnRuZXJzIENBMR0wGwYDVQQLExRSb290U2lnbiBQYXJ0bmVy
cyBDQTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTELMAkGA1UEBhMCQkUwHhcNMDMxMjE2MTQw
MDAwWhcNMTMxMjE2MTQwMDAwWjCBkTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMRQwEgYD
VQQHEwtTYW4gQW50b25pbzEOMAwGA1UECxMFR1MgQ0ExJDAiBgNVBAoTG1hSYW1wIFNlY3VyaXR5
IFNlcnZpY2VzIEluYzEmMCQGA1UEAxMdWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgR1MgQ0EwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiuD+bhQX0A4z92419hSIstqoMYI4PaD2L5f4f
yWzvDPT3WohDXbyJltBN0sTbrtjD3574pZXa0TEOVB/cMHe8I3xsjpilFhBpBMPDBgU+6+aTPsb0
5d/Ao2VAt3r/psj98tmwE0+Ng/LBrMLhiv3Qj5EW0wQqbhsdODeNDVmM5yMyZAguF8duskI667SM
8CVNQMpEF71pNPs851mVP8xKHpM7uyQBwHi0hLswaDaEcJuRL701t3ZmLNlMTtnaTMxWP8SuatF9
TeTko6/nWE4707o1FDtxn6xp8ReR3+nHffg1WSc+GZwvtXNK31zZeCNctr6R4Q6VIZwbSIxjDB7F
AgMBAAGjgagwgaUwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE
FJ4fpU5O8ehIBBDz/W1vCgav/8c7MD8GA1UdHwQ4MDYwNKAyoDCGLmh0dHA6Ly9jcmwuZ2xvYmFs
c2lnbi5uZXQvUm9vdFNpZ25QYXJ0bmVycy5jcmwwHwYDVR0jBBgwFoAUVoTstXGl52PY21EE1vrm
8EhSSc4wDQYJKoZIhvcNAQEFBQADggEBALcBJaUFHLyJFOtXqvfnKh+L1eat3lnq7taPdL7V3prH
BPxxIJDyKPVYiwD5w9/eFtYn6b+a9RhIWilxL3lc+zZYt3OuphmJmrrmEOIAg6JvsKmjIesqRY6H
iKCw5MLS5VxIZCgOERIdoIRVLTdkRhcKAWsp1TZkWLHaZDdBr6SLl6P0wtCxitj7asf7kEeEamHe
SNoM5urDtwkF0PQ1jLxyVNg8SEpMSPW64VO1gcGUKWuzsQlWH1mp4b/FGAjnXcGwBwiuN8RmfG4l
Efbw5bMYts+Adxop8EN0psDo+PVB8L+LAabZAtWTyJkHK/thLvDhlpdtpoDQs3ZeHoA2fhExggNs
MIIDaAIBATCBoDCBkTELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFzMRQwEgYDVQQHEwtTYW4g
QW50b25pbzEOMAwGA1UECxMFR1MgQ0ExJDAiBgNVBAoTG1hSYW1wIFNlY3VyaXR5IFNlcnZpY2Vz
IEluYzEmMCQGA1UEAxMdWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgR1MgQ0ECCnykD94AAAAABeow
CQYFKw4DAhoFAKCCAiEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MDQwNzE5MTU0NzQwWjAjBgkqhkiG9w0BCQQxFgQURSDflsVAkBprQkNgxb3HimRdj48wWAYJKoZI
hvcNAQkPMUswSTAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwBwYFKw4DAgcwDQYIKoZIhvcN
AwICASgwBwYFKw4DAhowCgYIKoZIhvcNAgUwgbEGCSsGAQQBgjcQBDGBozCBoDCBkTELMAkGA1UE
BhMCVVMxDjAMBgNVBAgTBVRleGFzMRQwEgYDVQQHEwtTYW4gQW50b25pbzEOMAwGA1UECxMFR1Mg
Q0ExJDAiBgNVBAoTG1hSYW1wIFNlY3VyaXR5IFNlcnZpY2VzIEluYzEmMCQGA1UEAxMdWFJhbXAg
U2VjdXJpdHkgU2VydmljZXMgR1MgQ0ECCnykD94AAAAABeowgbMGCyqGSIb3DQEJEAILMYGjoIGg
MIGRMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxFDASBgNVBAcTC1NhbiBBbnRvbmlvMQ4w
DAYDVQQLEwVHUyBDQTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMSYwJAYD
VQQDEx1YUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBHUyBDQQIKfKQP3gAAAAAF6jANBgkqhkiG9w0B
AQEFAASBgArdRnMLEDCDgUIb5peomrdeacCUy8QsY1fYZvoVrNPIgZtFeOdCthPSmWIerXABqLq/
RH353C6c1FSYwnEU0PwED5SvEenh+tXVawJwjdk5oMarqU90gxaTzWkpAi/RVsHADDeSQuCGSPXu
5ipTwtNLgPzc5lUM/+9LgFoJg2BfAAAAAAAA
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JDNfo0058916; Mon, 19 Jul 2004 06:23:41 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6JDNfge058913; Mon, 19 Jul 2004 06:23:41 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-vbr1.xs4all.nl (smtp-vbr1.xs4all.nl [194.109.24.21]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JDNeQl058899; Mon, 19 Jul 2004 06:23:40 -0700 (PDT) (envelope-from christine@izecom.com)
Received: from pengo (extra1.izecom.com [195.64.86.233]) by smtp-vbr1.xs4all.nl (8.12.11/8.12.11) with SMTP id i6JDNcB2002686; Mon, 19 Jul 2004 15:23:38 +0200 (CEST) (envelope-from christine@izecom.com)
Message-Id: <4.3.2.7.2.20040719151703.01558ec0@localhost>
X-Sender: chklaptp@pop.xs4all.nl@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 19 Jul 2004 15:19:57 +0200
To: ietf-smime@imc.org, ietf-pkix@imc.org
From: Christine Karman <christine@izecom.com>
Subject: Re: Request: Send me signed messages
In-Reply-To: <40FBC8F8.7020003@mitre.org>
References: <4.3.2.7.2.20040719124821.0280f818@localhost> <20040716152213.GA16939@mail19g.dulles19-verio.com> <20040716152213.GA16939@mail19g.dulles19-verio.com> <4.3.2.7.2.20040719124821.0280f818@localhost>
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="{39DCBED5-7FEB-4056-8C10-05B4D010B916}"
X-Izemail-Send-Version: 1.4.1.516 (POP3)
X-Virus-Scanned: by XS4ALL Virus Scanner
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
--{39DCBED5-7FEB-4056-8C10-05B4D010B916}
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 03:13 PM 7/19/2004, you wrote:
>Um, the cert tends to have your (valid) email address in it.
Peter already has my email address through this list, so why shouldn't I
send him my certificates?
dagdag
Christine
--
Izecom BV
Secure e-mail and digital signatures
www.izecom.com
if your outlook can't reply to a signed message, go to
www.izecom.com/reply.html
--{39DCBED5-7FEB-4056-8C10-05B4D010B916}
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIJ/rwYJKoZIhvcNAQcCoIJ/oDCCf5wCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCfVAw
ggH6MIIBYwICAaMwDQYJKoZIhvcNAQEEBQAwRTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBD
b3Jwb3JhdGlvbjEcMBoGA1UEAxMTR1RFIEN5YmVyVHJ1c3QgUm9vdDAeFw05NjAyMjMyMzAxMDBa
Fw0wNjAyMjMyMzU5MDBaMEUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUgQ29ycG9yYXRpb24x
HDAaBgNVBAMTE0dURSBDeWJlclRydXN0IFJvb3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
ALjmT7rbmHxxfK9Et9MPRtlk5ZPBQo7HukmNNS1654u95QUxWcaxLwoM+5+nP6IJZoRWHjcpG4fp
fgzKmp+lf/UVlKPVokaC2GhM0TcVBmivvfiws/Ap9ZVaCRZhdwoiJdRPRarHveWW3/nUqI5CzCTA
HpEnSrVtBoBjOcSiXjgDAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAErN1xl8d4WFVgADUgUt7MQ8j
Y+c98wP59Daou9njpZdN6isp4NZqc4HmwImj0/HgpaUiN5pjwkggtNty48j22Xy+sa9T2hS0IbjW
1Zbj/k4MWWK2mkr5Qt2Mb4Gpcf/0CnJtbUQOnfN0dKjVNEnpXp7ptHrh5VofhDCc05+lJdgwggH6
MIIBYwICAaMwDQYJKoZIhvcNAQEEBQAwRTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jw
b3JhdGlvbjEcMBoGA1UEAxMTR1RFIEN5YmVyVHJ1c3QgUm9vdDAeFw05NjAyMjMyMzAxMDBaFw0w
NjAyMjMyMzU5MDBaMEUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUgQ29ycG9yYXRpb24xHDAa
BgNVBAMTE0dURSBDeWJlclRydXN0IFJvb3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALjm
T7rbmHxxfK9Et9MPRtlk5ZPBQo7HukmNNS1654u95QUxWcaxLwoM+5+nP6IJZoRWHjcpG4fpfgzK
mp+lf/UVlKPVokaC2GhM0TcVBmivvfiws/Ap9ZVaCRZhdwoiJdRPRarHveWW3/nUqI5CzCTAHpEn
SrVtBoBjOcSiXjgDAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAErN1xl8d4WFVgADUgUt7MQ8jY+c9
8wP59Daou9njpZdN6isp4NZqc4HmwImj0/HgpaUiN5pjwkggtNty48j22Xy+sa9T2hS0IbjW1Zbj
/k4MWWK2mkr5Qt2Mb4Gpcf/0CnJtbUQOnfN0dKjVNEnpXp7ptHrh5VofhDCc05+lJdgwggI9MIIB
pgIRAM26f1bw3+S8VP4irLNyqlUwDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1Ymxp
YyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0fzGVuDLDQVoQYh5oG
mxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHiTkVWaR94AoDa3EeRKbs2yWNcxeDX
LYd7obcysHswuiovMaruo2fa2wIDAQABMA0GCSqGSIb3DQEBAgUAA4GBAEw/uIvGaN/uQzMOXemm
yweETXoz/5Ib9Dat2JUiNmgRbHxCzPOcLsQHPxSwD0//kJJ2+eK8SumPzaCACvfFKfGCIl24sd2B
I6N7JRVGMHkW+OoFS5R/HcIcyOO39BBAPBPDXx9T6EjkhrR7oTWweyW6uNOOqz84nQA0AJjz0XGU
MIIDYjCCAsugAwIBAgIQC9oLF8E/iY6rCXR6tM4uMzANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQG
EwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFBy
aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEyMjM1
OTU5WjCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0
IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3Jw
LiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0EgSW5k
aXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV2TFBcHqBS7lI
E1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/Gdr5FegPh7Yc48zG
mo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaOBsDCBrTAPBgNVHRMECDAGAQH/AgEAMEcG
A1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYfd3d3LnZlcmlzaWduLmNvbS9y
ZXBvc2l0b3J5L1JQQTAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLnZlcmlzaWduLmNvbS9w
Y2ExLmNybDALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMA0GCSqGSIb3DQEBAgUAA4GB
AAJ9nm9FSziguN7pU2QhvORMK48e/pJArNgKOWqhMiEsB5urWf7SYhp9VTiwN3Pc9AdmY2K94VNw
UofnqNhS6VstquHez6wxVNSLGcjYI6jvBCsyfSwYHMh8iagud/JE0WUKTXS17tMbknN0Lok7NRNy
50AxmtOyxKvnVr6L4/sVMIIDgTCCAmmgAwIBAgIRAK9oyzx6IyABA/lsASJjcVowDQYJKoZIhvcN
AQEFBQAwgYMxEjAQBgNVBAoTCUl6ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWls
LmNvbTEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQG
EwJOTDETMBEGA1UEAxMKSXplbWFpbCBDQTAeFw0wNDA3MDIxMzI1NThaFw0wNTA4MDkxMzI1NTha
MGwxCzAJBgNVBAYTAk5MMRIwEAYDVQQHEwlBbXN0ZXJkYW0xEDAOBgNVBAoTB2l6ZW1haWwxIDAe
BgkqhkiG9w0BCQEWEWl6ZW1haWxAeHM0YWxsLm5sMRUwEwYDVQQDEwxpemVtYWlsIHVzZXIwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUhMm9LUQrLi84yO6NkKaR61aqySUIjs8YIyZfkqMmP
zj5akgD6pGs0lT45iiEiq54gsqjQM/i2z/ewq67L7elOpE5q2au4Qbw99u10QNPuk/o1EEOFcuNC
ybnYib4YfZP7ZDjK+1lDELtiJEsXIZDEDPHBsZoHefaXPOSiRF6tAgMBAAGjgYkwgYYwCQYDVR0T
BAIwADA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9pemVt
YWlsLjEuY3JsMBwGA1UdEQQVMBOBEWl6ZW1haWxAeHM0YWxsLm5sMB0GA1UdJQQWMBQGCCsGAQUF
BwMEBggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAVAzoUYQrRYeIqkp9RMvUtah7JYIv/dLb
LOHfzUSCl69ZsE5ViKgXiHZZnbCE7CmenF/uIr4/zhgHD8refpBMrA2w10adrHsDV2CJTYhJ5XmX
r++5454iqCIG3EJ6C4sDWo9S685iF+rv7tpWUim+zmhbcHcLLp9pJ4u7tQz+Zs9Rj4CdbXpeUA8Y
RES4ahyw9rjUAs3aRXTxFUFrEFOrmM0UnXz9HjDeNTjHpFLS14jwXP/ymN8YaDzXaP06nTHSHiP/
BMnkBHgRtAIpVUzpCdO+BP61E9QEJ2KIgGZWveQWHvZB3stwVYPTmkICPAu0V7faiKwGY/feO+UR
P38XyTCCA4QwggJsoAMCAQICEQDKIGQhZRNna+i/El4nuWG0MA0GCSqGSIb3DQEBBQUAMIGDMRIw
EAYDVQQKEwlJemVjb20gQlYxHzAdBgkqhkiG9w0BCQEWEGluZm9AaXplbWFpbC5jb20xFjAUBgNV
BAgTDU5vb3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxEzARBgNV
BAMTCkl6ZW1haWwgQ0EwHhcNMDQwMzEyMTQwMTI0WhcNMDUwNDE5MTQwMTI0WjBrMQswCQYDVQQG
EwJOTDESMBAGA1UEBxMJQW1zdGVyZGFtMRIwEAYDVQQKEwlJemVjb20gQlYxHjAcBgkqhkiG9w0B
CQEWD2luZm9AaXplY29tLmNvbTEUMBIGA1UEAxMLSW5mbyBJemVjb20wgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAO1S2s95QBpWP86MDekCIQqu9WjXTurDRV/qgq5Dx7ZjuJlrO+NlRRGM/JjS
OqZ0gAq14PSUm5HZfaorxANZxuw+g6+rd5kTUZZcWKca3yt+zc3h+xkF+AIrbcYAMxHSjYZP6SvN
sFn8TV1wcwRgo3GVxR1uUiXNJoBz44JSmqFDAgMBAAGjgY0wgYowDwYDVR0TBAgwBgEBAAIBADA8
BgNVHR8ENTAzMDGgL6AthitodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9pemVtYWlsLjEu
Y3JsMBoGA1UdEQQTMBGBD2luZm9AaXplY29tLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYB
BQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAFt+s913of0Jm1T5Pw1Tyw6voXR0dYCW+aoXfjasJKPN
K0fIqo5QZPZpZj4XZ2mOaJfztu55xg8hojMrmragzJgArWcGqmM1HRrUjlr4QKbn0HmC7gwVp/g2
b187mWu9CIBHFmhyHxOSx6JsgX2ORXJYu+JL3sa5rLiK6iNzVNjN/aSlzQNdZaUxZ2WRq1p/7BWC
jP9zPN/bLhgP1nE5uTF2vQ1scvMn2J5Gt575FYeN9Xm59D1/Eu59q/I248AhR3gqrnS7u/ky+zVs
I0pp0q5RXHZDa5PlmuMNFef5CwbKere6hQSZ5GP2MWtPoHZvipfqvurM7/XMEP/VtH8ZlzgwggOH
MIICb6ADAgECAhAWMW7s5NRjM+GG8hzGoth4MA0GCSqGSIb3DQEBBQUAMIGDMRIwEAYDVQQKEwlJ
emVjb20gQlYxHzAdBgkqhkiG9w0BCQEWEGluZm9AaXplbWFpbC5jb20xFjAUBgNVBAgTDU5vb3Jk
LUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxEzARBgNVBAMTCkl6ZW1h
aWwgQ0EwHhcNMDQwNzA1MjA0NjEyWhcNMDUwODEyMjA0NjEyWjBxMQswCQYDVQQGEwJOTDEPMA0G
A1UEBxMGSHVpemVuMRIwEAYDVQQKEwlaYXBob2QgQlYxIjAgBgkqhkiG9w0BCQEWE2NocmlzdGlu
ZUBrYXJtYW4ubmwxGTAXBgNVBAMTEENocmlzdGluZSBLYXJtYW4wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAKcx2YA0uKM0aXWukpbfrLj3ird+UNKTcpnG6h9ZncOOt3ZWfc7fZpEhNC8dFjk2
meJeenNVjwfqeRuZCCmIROfYpyLl2s7GENUPoqo6lKjaYtU6O8GlLOY850BDv880vs8SzavmzbkH
QOd/mO8NTmObAnjdAzJJiGJ4ywF1/Yh5AgMBAAGjgYswgYgwCQYDVR0TBAIwADA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9pemVtYWlsLjEuY3JsMB4GA1Ud
EQQXMBWBE2NocmlzdGluZUBrYXJtYW4ubmwwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMC
MA0GCSqGSIb3DQEBBQUAA4IBAQAorgNK9BiyU48AcCw/ywgHuhkkhZ2LvFo+DE1GJdufaAcb6Ko4
5tqCLQcIZNlLdX5zBH5uuPVaV7i9nkOk8A3dech2Zdv0V/3yfsFyHy8DUdmiH66qezEKwUkLZo4R
oGT/Yi+FRxdUtMgek56YBhWlqCaXqZwUchbMfUN4WzV6fN159x2zhc6Uv+ktFnILLcNKvOpCCy+M
5yDOeq6aiG0KOpuxy0ZiXPF3LHKEkBsdfSkzokFd9xda3vGVFa3e7gSCUv7QrYJdHIRtlq5nszi9
8DYudJsBfkLOizWNn8F85XMb0yHBAyDTIO2Z+NcHhlMOy2XbvtmwxP3IEDcy1j8AMIIDjjCCAnag
AwIBAgIRANv4dRuNkzqiKDNkv8sV0R0wDQYJKoZIhvcNAQEFBQAwgY4xEjAQBgNVBAoTCUl6ZWNv
bSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNvbTEMMAoGA1UECBMDbi9hMRIwEAYD
VQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSgwJgYDVQQDEx9JemVtYWlsIENlcnRpZmljYXRp
b24gQXV0aG9yaXR5MB4XDTA0MDExOTE2MTc1NloXDTA1MDExMTIzMDAwMFowaTELMAkGA1UEBhMC
TkwxEjAQBgNVBAcTCWFtc3RlcmRhbTENMAsGA1UEChMEbm9uZTEhMB8GCSqGSIb3DQEJARYSWDEw
X19fQGhvdG1haWwuY29tMRQwEgYDVQQDEwtXZW5keSBXZWJlcjCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAtTPyFNVgiHFXAeq3A1IB+QjHq1VffIS4loWiGAguoEKZD37WLpK7wjuBaN2ful4F
p99ORUSXlP3DRwJH2XnVwJAaGlHYz/k05nLS+XAP/Sy/hivYi6M+Am+IpDM4sYhZsRp7dofwUclJ
NUjWrHAWN2R4EHiTQWxBQSV8A/zRrBECAwEAAaOBjjCBizAPBgNVHRMECDAGAQEAAgEAMDoGA1Ud
HwQzMDEwL6AtoCuGKWh0dHA6Ly93d3cuaXplY29tLmNvbS9pemVtYWlsL2l6ZW1haWwuY3JsMB0G
A1UdEQQWMBSBElgxMF9fX0Bob3RtYWlsLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUH
AwIwDQYJKoZIhvcNAQEFBQADggEBABhGlLSdO5r0yl9prOweu3krWAZA5obMTSkWA0azKR/2u2OW
5+8TS4CsLEQ2+I7iza1C7Qz62fuc+mcLBRGW0Zc5h0htbY50noAJhrWAmWHPcJtB6xVmyNg2T5m8
0WE2xujRWFPeoj1ZeOzcuWoVeuTpxqgO/t1i1JJgYDsYCSMRdVE0ZkwP0THl3P+WnAiDJog2y3ai
N+CaVKrmKxlNdTr+5Hj3QKSf78MwDN62cjV4LMBa1YK2QhhsfeQWKW7Tq6RAZPaSbyzmncmBmj10
x+MtbiyElMc0PY0V1x4VoUvdIrAOZnjUkb8rgsIhqWDFf54oG3/L1X7lD2pj0qOwdyUwggOQMIIC
eKADAgECAhEA8bb9H6pp50jmGkQbFyVs8DANBgkqhkiG9w0BAQUFADCBgzESMBAGA1UEChMJSXpl
Y29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMRYwFAYDVQQIEw1Ob29yZC1I
b2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMRMwEQYDVQQDEwpJemVtYWls
IENBMB4XDTA0MDUwNDE1NTUyOFoXDTA1MDYxMTE1NTUyOFowczELMAkGA1UEBhMCTkwxEjAQBgNV
BAcTCUFtc3RlcmRhbTEQMA4GA1UEChMHaXplbWFpbDEiMCAGCSqGSIb3DQEJARYTbGljZW5zZUBp
emVtYWlsLmNvbTEaMBgGA1UEAxMRSXplbWFpbCBsaWNlbnNpbmcwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBANtw+PIWiwmBSgp7DOdw7fV12nHM9DvzhyK3SGnnsVIL7qCz64vyLc+MVYV/aTxV
qu0j7s+uxmFyR36wwPjAdJnvOSyVd9cB0ZKByzAbgKhWfVUiEt7NhC0HDXa7yxMll8JvV1OIM13c
aVKD6stM/n84abjKH+AIniYP2EKNDaPxAgMBAAGjgZEwgY4wDwYDVR0TBAgwBgEBAAIBADA8BgNV
HR8ENTAzMDGgL6AthitodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9pemVtYWlsLjEuY3Js
MB4GA1UdEQQXMBWBE2xpY2Vuc2VAaXplbWFpbC5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsG
AQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQBeOiT+ZsP/fivt9J8ADDvSvTIGXuja4HuwUFZQGg70
FUkccBVedgGQPspfWwK61IJilCrjGiHzTcVKdbDEuX0hSuMjU0tZ1qQI6LRJjNOsS9+ui8KegxYL
GY4YwIlXCKYwslxDZKH5eFtN9GLZ/MiA4630uciywMO015bepJtNiGy/LPfDZuRFvEm2RLGp5Gk4
jh9v9o45rbnAdQh9EWQ0JkNxxNkjpxPqCMZ1Q9r8jVtUlXaxg2jyTgUniKX6Hsc6YQykB3wlAAsV
eiitoAK4FFlXvIAXzx85QbvARXX+sfpekrCb4WwZ7DkQqHeG2yMXmsiP2IBAcXhhJX84EihfMIID
kjCCAnqgAwIBAgIQTFu6Av1P0TWBAjiHCtoWWTANBgkqhkiG9w0BAQUFADCBgzESMBAGA1UEChMJ
SXplY29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMRYwFAYDVQQIEw1Ob29y
ZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMRMwEQYDVQQDEwpJemVt
YWlsIENBMB4XDTA0MDUwNDE0MDQyOFoXDTA1MDYxMTE0MDQyOFowdDELMAkGA1UEBhMCTkwxEjAQ
BgNVBAcTCUFtc3RlcmRhbTEQMA4GA1UEChMHaXplbWFpbDEkMCIGCSqGSIb3DQEJARYVY2hyaXN0
aW5lQGl6ZW1haWwuY29tMRkwFwYDVQQDExBDaHJpc3RpbmUgS2FybWFuMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDO3icNfM1EKNiU3Gkhy8AJXObNtWRtop78Yqpxr/KoHEvjQlLW2g6SQ7Qn
xvPS5EV7kjda/nkpRTknyVLSy9zzPEYZ0LTpjjYEnLI0//QEK6MyKRdQmilz+Q+avnGDSFIG9O8f
MLVZZenTibAV3EZXF+mQ3dIExe9fVgwDYLEXtwIDAQABo4GTMIGQMA8GA1UdEwQIMAYBAQACAQAw
PAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL3d3dy5pemVjb20uY29tL2l6ZW1haWwvaXplbWFpbC4x
LmNybDAgBgNVHREEGTAXgRVjaHJpc3RpbmVAaXplbWFpbC5jb20wHQYDVR0lBBYwFAYIKwYBBQUH
AwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQB/k/ue+oOkz3q1h4c1Ijbv0tfo6kfGc3XG
CIcvG4s8RC/QohqrTQJ5BM/w4YtufKchQIR/mp8yY2l67F8V2pdr5FXxsX59pwb451NZ+crkWA7e
lG95WxBT+i8fAhwS1SErVhOt3bMO/0m7eN2Z70sQ4eqFfl1rhbhD9X4VEXavvCfW9GtwP5aSDbuu
wro2eQP5mQVn5dPCpHl6kAzFrPiSou+1MGiV+Gox7JTogbni3N7GylM9mhWn/+2cNok2i17PuDNt
Qf8NjPCYQ8WPJXto3XOZXszWY5qYHPoQcZHl9QYivYQioIlpmLN0dTurKJuE7Hy+O4BKex0djPkx
eVn6MIIDmTCCAoGgAwIBAgIRAKeR0C5POj1DS7I/H+1RU4wwDQYJKoZIhvcNAQEFBQAwgY4xEjAQ
BgNVBAoTCUl6ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNvbTEMMAoGA1UE
CBMDbi9hMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSgwJgYDVQQDEx9JemVtYWls
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAzMDkyOTA5NTYxM1oXDTA0MTAwNTA5NTYxM1ow
cjELMAkGA1UEBhMCTkwxEjAQBgNVBAcTCWFtc3RlcmRhbTEPMA0GA1UEChMGaXplY29tMSMwIQYJ
KoZIhvcNAQkBFhRjaHJpc3RpbmVAaXplY29tLmNvbTEZMBcGA1UEAxMQY2hyaXN0aW5lIGthcm1h
bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvMeT43uZD+4Iuo3WHApeGdDHkMds8EUJopnw
t6CGb8RvOA57/Jj7DPaSEJ7sYzSaG7/hs0EkAJP22glMdvF/HWWOXIwfCRlgJQuuV18xlhidrvnH
PC7id+ZF2llKYOpPMgYgmD0TPAkZrC/a/be2LrdGEo4LOZ1Lv8A5oBEpCbMCAwEAAaOBkDCBjTAd
BgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwDwYDVR0TBAgwBgEBAAIBADA6BgNVHR8EMzAx
MC+gLaArhilodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9pemVtYWlsLmNybDAfBgNVHREE
GDAWgRRjaHJpc3RpbmVAaXplY29tLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAPCwtn5fWFkkulP1Q
cr4Csh3/dOX0MSdea9ytcZSyt3qHuPXtohTjLDIgs06dUfFUixg84cmCTUz6J0VQ+X5iLsTWLSqs
nLgAMnGkoi74P1NpF14Hc7lRwUFvZeAlrZfR95DOIZut9FjSUSkzSb+l93rf8VMvwLf8Vw094ebY
xSYHLnftzarEYzaKurmEbxE88awii4/zy0O5SNjL55uhssF10DNRiXA480XG+xknI4l37AbWrmSh
CQ2tG6Cn1LRk+gmAMZSIHIkLUpBvuCCH/jlH3hrmQPJ4QPxnyJMsoFD4sQfwpAGGDhbxhxZlROLt
iLRl0fHaOpdnF6cWL7VWPDCCA5wwggKEoAMCAQICEQD9iPEGreUnKhViN1t47Me5MA0GCSqGSIb3
DQEBBQUAMIGDMRIwEAYDVQQKEwlJemVjb20gQlYxHzAdBgkqhkiG9w0BCQEWEGluZm9AaXplbWFp
bC5jb20xFjAUBgNVBAgTDU5vb3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UE
BhMCTkwxEzARBgNVBAMTCkl6ZW1haWwgQ0EwHhcNMDQwNzAyMTMzOTExWhcNMDUwODA5MTMzOTEx
WjB7MQswCQYDVQQGEwJOTDESMBAGA1UEBxMJQW1zdGVyZGFtMQ8wDQYDVQQKEwZJemVjb20xLDAq
BgkqhkiG9w0BCQEWHWNocmlzdGluZUBleGNoYW5nZS5pemVjb20uY29tMRkwFwYDVQQDExBDaHJp
c3RpbmUgS2FybWFuMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoZ5kxMcLcP7Y+HaLur1Tr
JI3taGLC8AyMkhqJEnkqAjKZdNrOaz6UvcLk8kS1oDh8IfqydERMqc3YqA7r0Je+Sx4yF2vhJz1x
sD+lFoudDCYaFc2trCn1KeJZLlCZhp5Ahgx0F7bYz/y5cXaAqUAUzXjKE8ShIEt4JI0NeJHHMwID
AQABo4GVMIGSMAkGA1UdEwQCMAAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL3d3dy5pemVjb20u
Y29tL2l6ZW1haWwvaXplbWFpbC4xLmNybDAoBgNVHREEITAfgR1jaHJpc3RpbmVAZXhjaGFuZ2Uu
aXplY29tLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQAD
ggEBADuKmNoozkq4RkR2lHw/FpOQGOijr/i1YkHtngXh9IPGxLxRhRbL6eKA4/y+5fLO1GqtHTiz
TQehu88l6EboqRcLySNxiLgg7M8QpO29L9EfJ6e3B+WWVtrBYWSzWoGQmOs7xcQd2NdYglByDe1Y
35YjLnXwXrjtj2SQ/T5KNTkZ15SIQ1e6FSDHvkz7qRj1FVEh/OKZt1msNaZV+wEF/J1HShlEewSK
kDbRNdtzHn+w9WDZhZ7dyrINQnDegkpYzCy4BlT9rZ3ks4APrgUcw2pO9XSgpNoOYqX20eHygJ/k
gWpmmwvUcIzPV5Hbgk1zqhYGg+Dj7f7I82lYWiPOy/swggOrMIICk6ADAgECAhEA9+XuYyRdDqQq
pEhPtyq8FzANBgkqhkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZIhvcN
AQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQsw
CQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDMwMTI5MTYyMDQ2WhcNMTYwMjAyMTYyMDQ2WjCBkTESMBAGA1UEChMJSXplY29tIEJWMR4w
HAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1z
dGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQD1d6FaoPQAryNJ6kaXmYym
fctZb3fQ9evlG1yQ/9G1UC7TxMg4CQgu+XHlKObac6pt1hQdq8hGAwujIjSBofy8og2LEsOBv++C
1NVCR3T2T5UYg4n+OrjQ+9ZDgFVEiZ3/SZsxiAB4+EVJCuBF8AuF3R76k3B4EQ7kaD45iQSUZTp/
kH5wfcseIyF8nskQkoaMwewUYYMCn+N5BNwr2JyoKD42pH8VP/HDp6Hfm5zEvkDviEW+iDTq7ybk
wA4HZjtFPY08cChjLdYJ1h5JmZZidBrQZGfRYEK959B20vqYKQx/Bw/QQEFXZ2fP6fP3dcTuWfTq
PyBrDVsEwMSJsej7AgERMA0GCSqGSIb3DQEBBQUAA4IBAQCLt6PZessm/z3pSZ8HVBKwLPzsxsGA
fwgkMwo4NAb193WYQGRguu1JRqYyBgunXJj+MsvCgxr0Cbr7AvVSN4GKK/QJcfL4rr24zUOdqt6d
ioMgk6gsn7ts2J8bbzK4+Jp6UJPco9IHhnTorqI5jZlNTZ43D4chALTqZH3HShJr3vJZ/nUKyIpu
P7ITYZR3x1S4RUyqIIcHkosAkaH8yyhqlUnKA5xFeHUkeFE86JyrM1c5lowvZETWCWQkmy6Au6X1
kbk60lpptDdPn15RUHnSYzwVeXkpmZEPhS7cs134nBRXB5RFDGmQDbcMH6E9xMvJDI/FUCvyJ1Z1
F8+nciUHMIIDqzCCApOgAwIBAgIRAPfl7mMkXQ6kKqRIT7cqvBcwDQYJKoZIhvcNAQEFBQAwgZEx
EjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYD
VQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNv
bSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAzMDEyOTE2MjA0NloXDTE2MDIwMjE2
MjA0NlowgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20u
Y29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNV
BAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIDANBgkqhkiG9w0BAQEF
AAOCAQ0AMIIBCAKCAQEA9XehWqD0AK8jSepGl5mMpn3LWW930PXr5RtckP/RtVAu08TIOAkILvlx
5Sjm2nOqbdYUHavIRgMLoyI0gaH8vKINixLDgb/vgtTVQkd09k+VGIOJ/jq40PvWQ4BVRImd/0mb
MYgAePhFSQrgRfALhd0e+pNweBEO5Gg+OYkElGU6f5B+cH3LHiMhfJ7JEJKGjMHsFGGDAp/jeQTc
K9icqCg+NqR/FT/xw6eh35ucxL5A74hFvog06u8m5MAOB2Y7RT2NPHAoYy3WCdYeSZmWYnQa0GRn
0WBCvefQdtL6mCkMfwcP0EBBV2dnz+nz93XE7ln06j8gaw1bBMDEibHo+wIBETANBgkqhkiG9w0B
AQUFAAOCAQEAi7ej2XrLJv896UmfB1QSsCz87MbBgH8IJDMKODQG9fd1mEBkYLrtSUamMgYLp1yY
/jLLwoMa9Am6+wL1UjeBiiv0CXHy+K69uM1DnarenYqDIJOoLJ+7bNifG28yuPiaelCT3KPSB4Z0
6K6iOY2ZTU2eNw+HIQC06mR9x0oSa97yWf51CsiKbj+yE2GUd8dUuEVMqiCHB5KLAJGh/MsoapVJ
ygOcRXh1JHhRPOicqzNXOZaML2RE1glkJJsugLul9ZG5OtJaabQ3T59eUVB50mM8FXl5KZmRD4Uu
3LNd+JwUVweURQxpkA23DB+hPcTLyQyPxVAr8idWdRfPp3IlBzCCA6swggKToAMCAQICEQD35e5j
JF0OpCqkSE+3KrwXMA0GCSqGSIb3DQEBBQUAMIGRMRIwEAYDVQQKEwlJemVjb20gQlYxHjAcBgkq
hkiG9w0BCQEWD2luZm9AaXplY29tLmNvbTEMMAoGA1UECBMDbi9hMRIwEAYDVQQHEwlBbXN0ZXJk
YW0xCzAJBgNVBAYTAk5MMSwwKgYDVQQDEyNJemVjb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTAeFw0wMzAxMjkxNjIwNDZaFw0xNjAyMDIxNjIwNDZaMIGRMRIwEAYDVQQKEwlJemVjb20g
QlYxHjAcBgkqhkiG9w0BCQEWD2luZm9AaXplY29tLmNvbTEMMAoGA1UECBMDbi9hMRIwEAYDVQQH
EwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSwwKgYDVQQDEyNJemVjb20gUm9vdCBDZXJ0aWZpY2F0
aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAPV3oVqg9ACvI0nq
RpeZjKZ9y1lvd9D16+UbXJD/0bVQLtPEyDgJCC75ceUo5tpzqm3WFB2ryEYDC6MiNIGh/LyiDYsS
w4G/74LU1UJHdPZPlRiDif46uND71kOAVUSJnf9JmzGIAHj4RUkK4EXwC4XdHvqTcHgRDuRoPjmJ
BJRlOn+QfnB9yx4jIXyeyRCShozB7BRhgwKf43kE3CvYnKgoPjakfxU/8cOnod+bnMS+QO+IRb6I
NOrvJuTADgdmO0U9jTxwKGMt1gnWHkmZlmJ0GtBkZ9FgQr3n0HbS+pgpDH8HD9BAQVdnZ8/p8/d1
xO5Z9Oo/IGsNWwTAxImx6PsCAREwDQYJKoZIhvcNAQEFBQADggEBAIu3o9l6yyb/PelJnwdUErAs
/OzGwYB/CCQzCjg0BvX3dZhAZGC67UlGpjIGC6dcmP4yy8KDGvQJuvsC9VI3gYor9Alx8viuvbjN
Q52q3p2KgyCTqCyfu2zYnxtvMrj4mnpQk9yj0geGdOiuojmNmU1NnjcPhyEAtOpkfcdKEmve8ln+
dQrIim4/shNhlHfHVLhFTKoghweSiwCRofzLKGqVScoDnEV4dSR4UTzonKszVzmWjC9kRNYJZCSb
LoC7pfWRuTrSWmm0N0+fXlFQedJjPBV5eSmZkQ+FLtyzXficFFcHlEUMaZANtwwfoT3Ey8kMj8VQ
K/InVnUXz6dyJQcwggOrMIICk6ADAgECAhEA9+XuYyRdDqQqpEhPtyq8FzANBgkqhkiG9w0BAQUF
ADCBkTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20x
DDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMj
SXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDMwMTI5MTYyMDQ2WhcNMTYw
MjAyMTYyMDQ2WjCBkTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6
ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEs
MCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
DQEBAQUAA4IBDQAwggEIAoIBAQD1d6FaoPQAryNJ6kaXmYymfctZb3fQ9evlG1yQ/9G1UC7TxMg4
CQgu+XHlKObac6pt1hQdq8hGAwujIjSBofy8og2LEsOBv++C1NVCR3T2T5UYg4n+OrjQ+9ZDgFVE
iZ3/SZsxiAB4+EVJCuBF8AuF3R76k3B4EQ7kaD45iQSUZTp/kH5wfcseIyF8nskQkoaMwewUYYMC
n+N5BNwr2JyoKD42pH8VP/HDp6Hfm5zEvkDviEW+iDTq7ybkwA4HZjtFPY08cChjLdYJ1h5JmZZi
dBrQZGfRYEK959B20vqYKQx/Bw/QQEFXZ2fP6fP3dcTuWfTqPyBrDVsEwMSJsej7AgERMA0GCSqG
SIb3DQEBBQUAA4IBAQCLt6PZessm/z3pSZ8HVBKwLPzsxsGAfwgkMwo4NAb193WYQGRguu1JRqYy
BgunXJj+MsvCgxr0Cbr7AvVSN4GKK/QJcfL4rr24zUOdqt6dioMgk6gsn7ts2J8bbzK4+Jp6UJPc
o9IHhnTorqI5jZlNTZ43D4chALTqZH3HShJr3vJZ/nUKyIpuP7ITYZR3x1S4RUyqIIcHkosAkaH8
yyhqlUnKA5xFeHUkeFE86JyrM1c5lowvZETWCWQkmy6Au6X1kbk60lpptDdPn15RUHnSYzwVeXkp
mZEPhS7cs134nBRXB5RFDGmQDbcMH6E9xMvJDI/FUCvyJ1Z1F8+nciUHMIIDqzCCApOgAwIBAgIR
APfl7mMkXQ6kKqRIT7cqvBcwDQYJKoZIhvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEe
MBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFt
c3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24g
QXV0aG9yaXR5MB4XDTAzMDEyOTE2MjA0NloXDTE2MDIwMjE2MjA0NlowgZExEjAQBgNVBAoTCUl6
ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQ
BgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA9XehWqD0
AK8jSepGl5mMpn3LWW930PXr5RtckP/RtVAu08TIOAkILvlx5Sjm2nOqbdYUHavIRgMLoyI0gaH8
vKINixLDgb/vgtTVQkd09k+VGIOJ/jq40PvWQ4BVRImd/0mbMYgAePhFSQrgRfALhd0e+pNweBEO
5Gg+OYkElGU6f5B+cH3LHiMhfJ7JEJKGjMHsFGGDAp/jeQTcK9icqCg+NqR/FT/xw6eh35ucxL5A
74hFvog06u8m5MAOB2Y7RT2NPHAoYy3WCdYeSZmWYnQa0GRn0WBCvefQdtL6mCkMfwcP0EBBV2dn
z+nz93XE7ln06j8gaw1bBMDEibHo+wIBETANBgkqhkiG9w0BAQUFAAOCAQEAi7ej2XrLJv896Umf
B1QSsCz87MbBgH8IJDMKODQG9fd1mEBkYLrtSUamMgYLp1yY/jLLwoMa9Am6+wL1UjeBiiv0CXHy
+K69uM1DnarenYqDIJOoLJ+7bNifG28yuPiaelCT3KPSB4Z06K6iOY2ZTU2eNw+HIQC06mR9x0oS
a97yWf51CsiKbj+yE2GUd8dUuEVMqiCHB5KLAJGh/MsoapVJygOcRXh1JHhRPOicqzNXOZaML2RE
1glkJJsugLul9ZG5OtJaabQ3T59eUVB50mM8FXl5KZmRD4Uu3LNd+JwUVweURQxpkA23DB+hPcTL
yQyPxVAr8idWdRfPp3IlBzCCA6swggKToAMCAQICEQD35e5jJF0OpCqkSE+3KrwXMA0GCSqGSIb3
DQEBBQUAMIGRMRIwEAYDVQQKEwlJemVjb20gQlYxHjAcBgkqhkiG9w0BCQEWD2luZm9AaXplY29t
LmNvbTEMMAoGA1UECBMDbi9hMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSwwKgYD
VQQDEyNJemVjb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMzAxMjkxNjIwNDZa
Fw0xNjAyMDIxNjIwNDZaMIGRMRIwEAYDVQQKEwlJemVjb20gQlYxHjAcBgkqhkiG9w0BCQEWD2lu
Zm9AaXplY29tLmNvbTEMMAoGA1UECBMDbi9hMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYT
Ak5MMSwwKgYDVQQDEyNJemVjb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJ
KoZIhvcNAQEBBQADggENADCCAQgCggEBAPV3oVqg9ACvI0nqRpeZjKZ9y1lvd9D16+UbXJD/0bVQ
LtPEyDgJCC75ceUo5tpzqm3WFB2ryEYDC6MiNIGh/LyiDYsSw4G/74LU1UJHdPZPlRiDif46uND7
1kOAVUSJnf9JmzGIAHj4RUkK4EXwC4XdHvqTcHgRDuRoPjmJBJRlOn+QfnB9yx4jIXyeyRCShozB
7BRhgwKf43kE3CvYnKgoPjakfxU/8cOnod+bnMS+QO+IRb6INOrvJuTADgdmO0U9jTxwKGMt1gnW
HkmZlmJ0GtBkZ9FgQr3n0HbS+pgpDH8HD9BAQVdnZ8/p8/d1xO5Z9Oo/IGsNWwTAxImx6PsCAREw
DQYJKoZIhvcNAQEFBQADggEBAIu3o9l6yyb/PelJnwdUErAs/OzGwYB/CCQzCjg0BvX3dZhAZGC6
7UlGpjIGC6dcmP4yy8KDGvQJuvsC9VI3gYor9Alx8viuvbjNQ52q3p2KgyCTqCyfu2zYnxtvMrj4
mnpQk9yj0geGdOiuojmNmU1NnjcPhyEAtOpkfcdKEmve8ln+dQrIim4/shNhlHfHVLhFTKoghweS
iwCRofzLKGqVScoDnEV4dSR4UTzonKszVzmWjC9kRNYJZCSbLoC7pfWRuTrSWmm0N0+fXlFQedJj
PBV5eSmZkQ+FLtyzXficFFcHlEUMaZANtwwfoT3Ey8kMj8VQK/InVnUXz6dyJQcwggOrMIICk6AD
AgECAhEA9+XuYyRdDqQqpEhPtyq8FzANBgkqhkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXplY29t
IEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UE
BxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwHhcNMDMwMTI5MTYyMDQ2WhcNMTYwMjAyMTYyMDQ2WjCBkTESMBAGA1UE
ChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24v
YTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3Qg
Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQD1
d6FaoPQAryNJ6kaXmYymfctZb3fQ9evlG1yQ/9G1UC7TxMg4CQgu+XHlKObac6pt1hQdq8hGAwuj
IjSBofy8og2LEsOBv++C1NVCR3T2T5UYg4n+OrjQ+9ZDgFVEiZ3/SZsxiAB4+EVJCuBF8AuF3R76
k3B4EQ7kaD45iQSUZTp/kH5wfcseIyF8nskQkoaMwewUYYMCn+N5BNwr2JyoKD42pH8VP/HDp6Hf
m5zEvkDviEW+iDTq7ybkwA4HZjtFPY08cChjLdYJ1h5JmZZidBrQZGfRYEK959B20vqYKQx/Bw/Q
QEFXZ2fP6fP3dcTuWfTqPyBrDVsEwMSJsej7AgERMA0GCSqGSIb3DQEBBQUAA4IBAQCLt6PZessm
/z3pSZ8HVBKwLPzsxsGAfwgkMwo4NAb193WYQGRguu1JRqYyBgunXJj+MsvCgxr0Cbr7AvVSN4GK
K/QJcfL4rr24zUOdqt6dioMgk6gsn7ts2J8bbzK4+Jp6UJPco9IHhnTorqI5jZlNTZ43D4chALTq
ZH3HShJr3vJZ/nUKyIpuP7ITYZR3x1S4RUyqIIcHkosAkaH8yyhqlUnKA5xFeHUkeFE86JyrM1c5
lowvZETWCWQkmy6Au6X1kbk60lpptDdPn15RUHnSYzwVeXkpmZEPhS7cs134nBRXB5RFDGmQDbcM
H6E9xMvJDI/FUCvyJ1Z1F8+nciUHMIIDqzCCApOgAwIBAgIRAPfl7mMkXQ6kKqRIT7cqvBcwDQYJ
KoZIhvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0Bp
emVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwx
LDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAzMDEyOTE2
MjA0NloXDTE2MDIwMjE2MjA0NlowgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJ
ARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkG
A1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIB
IDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA9XehWqD0AK8jSepGl5mMpn3LWW930PXr5Rtc
kP/RtVAu08TIOAkILvlx5Sjm2nOqbdYUHavIRgMLoyI0gaH8vKINixLDgb/vgtTVQkd09k+VGIOJ
/jq40PvWQ4BVRImd/0mbMYgAePhFSQrgRfALhd0e+pNweBEO5Gg+OYkElGU6f5B+cH3LHiMhfJ7J
EJKGjMHsFGGDAp/jeQTcK9icqCg+NqR/FT/xw6eh35ucxL5A74hFvog06u8m5MAOB2Y7RT2NPHAo
Yy3WCdYeSZmWYnQa0GRn0WBCvefQdtL6mCkMfwcP0EBBV2dnz+nz93XE7ln06j8gaw1bBMDEibHo
+wIBETANBgkqhkiG9w0BAQUFAAOCAQEAi7ej2XrLJv896UmfB1QSsCz87MbBgH8IJDMKODQG9fd1
mEBkYLrtSUamMgYLp1yY/jLLwoMa9Am6+wL1UjeBiiv0CXHy+K69uM1DnarenYqDIJOoLJ+7bNif
G28yuPiaelCT3KPSB4Z06K6iOY2ZTU2eNw+HIQC06mR9x0oSa97yWf51CsiKbj+yE2GUd8dUuEVM
qiCHB5KLAJGh/MsoapVJygOcRXh1JHhRPOicqzNXOZaML2RE1glkJJsugLul9ZG5OtJaabQ3T59e
UVB50mM8FXl5KZmRD4Uu3LNd+JwUVweURQxpkA23DB+hPcTLyQyPxVAr8idWdRfPp3IlBzCCA/ww
ggLkoAMCAQICEQCRHMRCX7eVQZ+iLXT3DluVMA0GCSqGSIb3DQEBBQUAMIGRMRIwEAYDVQQKEwlJ
emVjb20gQlYxHjAcBgkqhkiG9w0BCQEWD2luZm9AaXplY29tLmNvbTEMMAoGA1UECBMDbi9hMRIw
EAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSwwKgYDVQQDEyNJemVjb20gUm9vdCBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMzAxMjkxNjIxMjhaFw0xNDAyMDIxNjIxMjhaMIGOMRIw
EAYDVQQKEwlJemVjb20gQlYxHzAdBgkqhkiG9w0BCQEWEGluZm9AaXplbWFpbC5jb20xDDAKBgNV
BAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEoMCYGA1UEAxMfSXplbWFp
bCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEB
AKj+sHuVMe3CzjFCVBIDUNLpX7WCFKN8MuJZ8aqJMHvA5Y4+B7mOdLNXfnmNbrlfYw0lMViVeLIs
zvrbte0OVh94ixmbQfxwcSVEmgskUYUcORDUf5g5SD+JNdOxFy59O/A/fLBsp7sAZ2aLelZdVYHq
AnzUC1TWgnsr6H+Dc5SqHv34p3/Mm4QCZ9CuCAN15vffkBbRyQ63JDwWIhJ7Q6nXCfto6q+fSMo0
OeePmCWym1NoExdTni5AcSgiuiVl7JBTG9pFx9gbhQXGEyV+j0N+nlZonFqx8sQU6Yg4SaYl1uwx
PJgXOAujvll3ZKseHhW66gwfba8+Xm85fo0UmxkCARGjUjBQMAsGA1UdDwQEAwIBBjAPBgNVHRME
CDAGAQH/AgEAMBEGCWCGSAGG+EIBAQQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUH
AwIwDQYJKoZIhvcNAQEFBQADggEBAPHKL+veBSUYXXFoZQwn/2f0sIZbVut+lqdBplaYwYevSXcb
x4DKzDuF5nweUAbuZly7N5GZo80/6isk/O7xKBWSgxRqNVcl/ifUVdtwNbYqvCxSMn50APyoMJSg
1cmKf9SNKRLf4GSXsyZzEO8LqamzJJqHSCCpai0/TP7/xYpdjScMW7k+57KyEJnF+8chKv16hGWW
NmVXHVM1WyUOaobjaT4VH6tQmD5PyuBenKJ4Tp66xQHdD0CiuGSyoVh9jLegx61JV2f3JvHB8Erz
wa0mQf4pY0iL2icbkAQQgM7BRwxHhs5lt7FEB1rYFItwvTF01jVL1VvTFHsR9iRGJM8wggP8MIIC
5KADAgECAhEAkRzEQl+3lUGfoi109w5blTANBgkqhkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXpl
Y29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAG
A1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlm
aWNhdGlvbiBBdXRob3JpdHkwHhcNMDMwMTI5MTYyMTI4WhcNMTQwMjAyMTYyMTI4WjCBjjESMBAG
A1UEChMJSXplY29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMQwwCgYDVQQI
EwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxKDAmBgNVBAMTH0l6ZW1haWwg
Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCo
/rB7lTHtws4xQlQSA1DS6V+1ghSjfDLiWfGqiTB7wOWOPge5jnSzV355jW65X2MNJTFYlXiyLM76
27XtDlYfeIsZm0H8cHElRJoLJFGFHDkQ1H+YOUg/iTXTsRcufTvwP3ywbKe7AGdmi3pWXVWB6gJ8
1AtU1oJ7K+h/g3OUqh79+Kd/zJuEAmfQrggDdeb335AW0ckOtyQ8FiISe0Op1wn7aOqvn0jKNDnn
j5glsptTaBMXU54uQHEoIrolZeyQUxvaRcfYG4UFxhMlfo9Dfp5WaJxasfLEFOmIOEmmJdbsMTyY
FzgLo75Zd2SrHh4VuuoMH22vPl5vOX6NFJsZAgERo1IwUDALBgNVHQ8EBAMCAQYwDwYDVR0TBAgw
BgEB/wIBADARBglghkgBhvhCAQEEBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMC
MA0GCSqGSIb3DQEBBQUAA4IBAQDxyi/r3gUlGF1xaGUMJ/9n9LCGW1brfpanQaZWmMGHr0l3G8eA
ysw7heZ8HlAG7mZcuzeRmaPNP+orJPzu8SgVkoMUajVXJf4n1FXbcDW2KrwsUjJ+dAD8qDCUoNXJ
in/UjSkS3+Bkl7MmcxDvC6mpsySah0ggqWotP0z+/8WKXY0nDFu5PueyshCZxfvHISr9eoRlljZl
Vx1TNVslDmqG42k+FR+rUJg+T8rgXpyieE6eusUB3Q9AorhksqFYfYy3oMetSVdn9ybxwfBK88Gt
JkH+KWNIi9onG5AEEIDOwUcMR4bOZbexRAda2BSLcL0xdNY1S9Vb0xR7EfYkRiTPMIIEDTCCAvWg
AwIBAgIQZukaRJOd0047Jqoo58OaMjANBgkqhkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXplY29t
IEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UE
BxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwHhcNMDMxMDA5MDkzOTIyWhcNMTQxMDEzMDkzOTIyWjCBgzESMBAGA1UE
ChMJSXplY29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMRYwFAYDVQQIEw1O
b29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMRMwEQYDVQQDEwpJ
emVtYWlsIENBMIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAk5I0X5lf7qjlX7k8iWRz
Rxh+BHrQRCT+Wc3elx2OF1BkIPpYgxrfbik9z2+Ag3N2ya6fh1oQ83XcxnP7OuHaT/ePKFEVzBo3
0pqfSd+QuGERp99iAnglxeTDwtatd86vIMB7/XwlZtrbjo0v3FC4vE7zoBHnNL5D+IjxFbcEBaVZ
vMJT7f8SZShzM23yrnlXVYcaC4C6H9p2cyafag1KVe1+rSUgpefKt16wxVQFuTJOl1tViFJdiGlA
COwUvQ0buhcCmY5uaH5owOolEjNUjfy3F4iPTj3QDS/lD4Kc+zeBHTNIe4iPyN1G12Lu2GQl+NAY
7t5KM0xK3svD+L18XwIBEaNvMG0wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL3d3dy5pemVjb20u
Y29tL2l6ZW1haWwvaXplcm9vdC5jcmwwCwYDVR0PBAQDAgEGMA8GA1UdEwQIMAYBAf8CAQEwEQYJ
YIZIAYb4QgEBBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCfSVaVl9acK4iqjnOwhPjzZAuy7Hhb
XraNK7Zl0ZAmCLgDlWGe+tjPTOJ5jg6miO1u4jKY/T4+WltYt1m4OcqSNT8ZsXWA4vDZZ69Br7jJ
eOHwr99UZtTLJSwNtURgeDb0390XiCyiMJgF/yRlPrPBBoXutyZ7OImIypYytrHDq//esWntMZgk
sYk6XvIw0yLvrbIiFJzQvpR8F3I03XGu1xEswWd/1NA+D13JYLv4J6WXLKR7KR81qqfkj9Jds31C
7R1rl6AZpnVHHtaGAS8SjHQbgrh/PtLFTCFTFcZvAvTawPpGRvxZlDgZDI+TQf50EJY47zHdUMch
VuSnY2UBMIIEDTCCAvWgAwIBAgIQZukaRJOd0047Jqoo58OaMjANBgkqhkiG9w0BAQUFADCBkTES
MBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNV
BAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29t
IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDMxMDA5MDkzOTIyWhcNMTQxMDEzMDkz
OTIyWjCBgzESMBAGA1UEChMJSXplY29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwu
Y29tMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYT
Ak5MMRMwEQYDVQQDEwpJemVtYWlsIENBMIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA
k5I0X5lf7qjlX7k8iWRzRxh+BHrQRCT+Wc3elx2OF1BkIPpYgxrfbik9z2+Ag3N2ya6fh1oQ83Xc
xnP7OuHaT/ePKFEVzBo30pqfSd+QuGERp99iAnglxeTDwtatd86vIMB7/XwlZtrbjo0v3FC4vE7z
oBHnNL5D+IjxFbcEBaVZvMJT7f8SZShzM23yrnlXVYcaC4C6H9p2cyafag1KVe1+rSUgpefKt16w
xVQFuTJOl1tViFJdiGlACOwUvQ0buhcCmY5uaH5owOolEjNUjfy3F4iPTj3QDS/lD4Kc+zeBHTNI
e4iPyN1G12Lu2GQl+NAY7t5KM0xK3svD+L18XwIBEaNvMG0wOgYDVR0fBDMwMTAvoC2gK4YpaHR0
cDovL3d3dy5pemVjb20uY29tL2l6ZW1haWwvaXplcm9vdC5jcmwwCwYDVR0PBAQDAgEGMA8GA1Ud
EwQIMAYBAf8CAQEwEQYJYIZIAYb4QgEBBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCfSVaVl9ac
K4iqjnOwhPjzZAuy7HhbXraNK7Zl0ZAmCLgDlWGe+tjPTOJ5jg6miO1u4jKY/T4+WltYt1m4OcqS
NT8ZsXWA4vDZZ69Br7jJeOHwr99UZtTLJSwNtURgeDb0390XiCyiMJgF/yRlPrPBBoXutyZ7OImI
ypYytrHDq//esWntMZgksYk6XvIw0yLvrbIiFJzQvpR8F3I03XGu1xEswWd/1NA+D13JYLv4J6WX
LKR7KR81qqfkj9Jds31C7R1rl6AZpnVHHtaGAS8SjHQbgrh/PtLFTCFTFcZvAvTawPpGRvxZlDgZ
DI+TQf50EJY47zHdUMchVuSnY2UBMIIEDTCCAvWgAwIBAgIQZukaRJOd0047Jqoo58OaMjANBgkq
hkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6
ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEs
MCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDMxMDA5MDkz
OTIyWhcNMTQxMDEzMDkzOTIyWjCBgzESMBAGA1UEChMJSXplY29tIEJWMR8wHQYJKoZIhvcNAQkB
FhBpbmZvQGl6ZW1haWwuY29tMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0
ZXJkYW0xCzAJBgNVBAYTAk5MMRMwEQYDVQQDEwpJemVtYWlsIENBMIIBIDANBgkqhkiG9w0BAQEF
AAOCAQ0AMIIBCAKCAQEAk5I0X5lf7qjlX7k8iWRzRxh+BHrQRCT+Wc3elx2OF1BkIPpYgxrfbik9
z2+Ag3N2ya6fh1oQ83XcxnP7OuHaT/ePKFEVzBo30pqfSd+QuGERp99iAnglxeTDwtatd86vIMB7
/XwlZtrbjo0v3FC4vE7zoBHnNL5D+IjxFbcEBaVZvMJT7f8SZShzM23yrnlXVYcaC4C6H9p2cyaf
ag1KVe1+rSUgpefKt16wxVQFuTJOl1tViFJdiGlACOwUvQ0buhcCmY5uaH5owOolEjNUjfy3F4iP
Tj3QDS/lD4Kc+zeBHTNIe4iPyN1G12Lu2GQl+NAY7t5KM0xK3svD+L18XwIBEaNvMG0wOgYDVR0f
BDMwMTAvoC2gK4YpaHR0cDovL3d3dy5pemVjb20uY29tL2l6ZW1haWwvaXplcm9vdC5jcmwwCwYD
VR0PBAQDAgEGMA8GA1UdEwQIMAYBAf8CAQEwEQYJYIZIAYb4QgEBBAQDAgEGMA0GCSqGSIb3DQEB
BQUAA4IBAQCfSVaVl9acK4iqjnOwhPjzZAuy7HhbXraNK7Zl0ZAmCLgDlWGe+tjPTOJ5jg6miO1u
4jKY/T4+WltYt1m4OcqSNT8ZsXWA4vDZZ69Br7jJeOHwr99UZtTLJSwNtURgeDb0390XiCyiMJgF
/yRlPrPBBoXutyZ7OImIypYytrHDq//esWntMZgksYk6XvIw0yLvrbIiFJzQvpR8F3I03XGu1xEs
wWd/1NA+D13JYLv4J6WXLKR7KR81qqfkj9Jds31C7R1rl6AZpnVHHtaGAS8SjHQbgrh/PtLFTCFT
FcZvAvTawPpGRvxZlDgZDI+TQf50EJY47zHdUMchVuSnY2UBMIIEDTCCAvWgAwIBAgIQZukaRJOd
0047Jqoo58OaMjANBgkqhkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZI
hvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFt
MQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
dHkwHhcNMDMxMDA5MDkzOTIyWhcNMTQxMDEzMDkzOTIyWjCBgzESMBAGA1UEChMJSXplY29tIEJW
MR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5k
MRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMRMwEQYDVQQDEwpJemVtYWlsIENBMIIB
IDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAk5I0X5lf7qjlX7k8iWRzRxh+BHrQRCT+Wc3e
lx2OF1BkIPpYgxrfbik9z2+Ag3N2ya6fh1oQ83XcxnP7OuHaT/ePKFEVzBo30pqfSd+QuGERp99i
AnglxeTDwtatd86vIMB7/XwlZtrbjo0v3FC4vE7zoBHnNL5D+IjxFbcEBaVZvMJT7f8SZShzM23y
rnlXVYcaC4C6H9p2cyafag1KVe1+rSUgpefKt16wxVQFuTJOl1tViFJdiGlACOwUvQ0buhcCmY5u
aH5owOolEjNUjfy3F4iPTj3QDS/lD4Kc+zeBHTNIe4iPyN1G12Lu2GQl+NAY7t5KM0xK3svD+L18
XwIBEaNvMG0wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL3d3dy5pemVjb20uY29tL2l6ZW1haWwv
aXplcm9vdC5jcmwwCwYDVR0PBAQDAgEGMA8GA1UdEwQIMAYBAf8CAQEwEQYJYIZIAYb4QgEBBAQD
AgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCfSVaVl9acK4iqjnOwhPjzZAuy7HhbXraNK7Zl0ZAmCLgD
lWGe+tjPTOJ5jg6miO1u4jKY/T4+WltYt1m4OcqSNT8ZsXWA4vDZZ69Br7jJeOHwr99UZtTLJSwN
tURgeDb0390XiCyiMJgF/yRlPrPBBoXutyZ7OImIypYytrHDq//esWntMZgksYk6XvIw0yLvrbIi
FJzQvpR8F3I03XGu1xEswWd/1NA+D13JYLv4J6WXLKR7KR81qqfkj9Jds31C7R1rl6AZpnVHHtaG
AS8SjHQbgrh/PtLFTCFTFcZvAvTawPpGRvxZlDgZDI+TQf50EJY47zHdUMchVuSnY2UBMIIEDTCC
AvWgAwIBAgIQZukaRJOd0047Jqoo58OaMjANBgkqhkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXpl
Y29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAG
A1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlm
aWNhdGlvbiBBdXRob3JpdHkwHhcNMDMxMDA5MDkzOTIyWhcNMTQxMDEzMDkzOTIyWjCBgzESMBAG
A1UEChMJSXplY29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMRYwFAYDVQQI
Ew1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMRMwEQYDVQQD
EwpJemVtYWlsIENBMIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAk5I0X5lf7qjlX7k8
iWRzRxh+BHrQRCT+Wc3elx2OF1BkIPpYgxrfbik9z2+Ag3N2ya6fh1oQ83XcxnP7OuHaT/ePKFEV
zBo30pqfSd+QuGERp99iAnglxeTDwtatd86vIMB7/XwlZtrbjo0v3FC4vE7zoBHnNL5D+IjxFbcE
BaVZvMJT7f8SZShzM23yrnlXVYcaC4C6H9p2cyafag1KVe1+rSUgpefKt16wxVQFuTJOl1tViFJd
iGlACOwUvQ0buhcCmY5uaH5owOolEjNUjfy3F4iPTj3QDS/lD4Kc+zeBHTNIe4iPyN1G12Lu2GQl
+NAY7t5KM0xK3svD+L18XwIBEaNvMG0wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL3d3dy5pemVj
b20uY29tL2l6ZW1haWwvaXplcm9vdC5jcmwwCwYDVR0PBAQDAgEGMA8GA1UdEwQIMAYBAf8CAQEw
EQYJYIZIAYb4QgEBBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCfSVaVl9acK4iqjnOwhPjzZAuy
7HhbXraNK7Zl0ZAmCLgDlWGe+tjPTOJ5jg6miO1u4jKY/T4+WltYt1m4OcqSNT8ZsXWA4vDZZ69B
r7jJeOHwr99UZtTLJSwNtURgeDb0390XiCyiMJgF/yRlPrPBBoXutyZ7OImIypYytrHDq//esWnt
MZgksYk6XvIw0yLvrbIiFJzQvpR8F3I03XGu1xEswWd/1NA+D13JYLv4J6WXLKR7KR81qqfkj9Jd
s31C7R1rl6AZpnVHHtaGAS8SjHQbgrh/PtLFTCFTFcZvAvTawPpGRvxZlDgZDI+TQf50EJY47zHd
UMchVuSnY2UBMIIEDTCCAvWgAwIBAgIQZukaRJOd0047Jqoo58OaMjANBgkqhkiG9w0BAQUFADCB
kTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAK
BgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXpl
Y29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDMxMDA5MDkzOTIyWhcNMTQxMDEz
MDkzOTIyWjCBgzESMBAGA1UEChMJSXplY29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1h
aWwuY29tMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNV
BAYTAk5MMRMwEQYDVQQDEwpJemVtYWlsIENBMIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKC
AQEAk5I0X5lf7qjlX7k8iWRzRxh+BHrQRCT+Wc3elx2OF1BkIPpYgxrfbik9z2+Ag3N2ya6fh1oQ
83XcxnP7OuHaT/ePKFEVzBo30pqfSd+QuGERp99iAnglxeTDwtatd86vIMB7/XwlZtrbjo0v3FC4
vE7zoBHnNL5D+IjxFbcEBaVZvMJT7f8SZShzM23yrnlXVYcaC4C6H9p2cyafag1KVe1+rSUgpefK
t16wxVQFuTJOl1tViFJdiGlACOwUvQ0buhcCmY5uaH5owOolEjNUjfy3F4iPTj3QDS/lD4Kc+zeB
HTNIe4iPyN1G12Lu2GQl+NAY7t5KM0xK3svD+L18XwIBEaNvMG0wOgYDVR0fBDMwMTAvoC2gK4Yp
aHR0cDovL3d3dy5pemVjb20uY29tL2l6ZW1haWwvaXplcm9vdC5jcmwwCwYDVR0PBAQDAgEGMA8G
A1UdEwQIMAYBAf8CAQEwEQYJYIZIAYb4QgEBBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCfSVaV
l9acK4iqjnOwhPjzZAuy7HhbXraNK7Zl0ZAmCLgDlWGe+tjPTOJ5jg6miO1u4jKY/T4+WltYt1m4
OcqSNT8ZsXWA4vDZZ69Br7jJeOHwr99UZtTLJSwNtURgeDb0390XiCyiMJgF/yRlPrPBBoXutyZ7
OImIypYytrHDq//esWntMZgksYk6XvIw0yLvrbIiFJzQvpR8F3I03XGu1xEswWd/1NA+D13JYLv4
J6WXLKR7KR81qqfkj9Jds31C7R1rl6AZpnVHHtaGAS8SjHQbgrh/PtLFTCFTFcZvAvTawPpGRvxZ
lDgZDI+TQf50EJY47zHdUMchVuSnY2UBMIIEpjCCBA+gAwIBAgIQSbfsXkUnPyoY6/2SwmV/3TAN
BgkqhkiG9w0BAQQFADCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT
aWduIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9S
UEEgSW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNz
IDEgQ0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDAeFw0wNDAx
MDYwMDAwMDBaFw0wNTAxMDgyMzU5NTlaMIIBGDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAd
BgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20v
cmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBieSBSZWYuLExJQUIuTFREKGMpOTgxHjAcBgNVBAsTFVBl
cnNvbmEgTm90IFZhbGlkYXRlZDE0MDIGA1UECxMrRGlnaXRhbCBJRCBDbGFzcyAxIC0gTWljcm9z
b2Z0IEZ1bGwgU2VydmljZTEZMBcGA1UEAxQQQ2hyaXN0aW5lIEthcm1hbjEjMCEGCSqGSIb3DQEJ
ARYUY2hyaXN0aW5lQGl6ZWNvbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO3VYgkA
Ungi83pdruymuGDn13rt2F6EM/50HnBNf0RNQzHVJ5AqGdqlYlb9LgB4Trv0u3N+SDgiXGtpiGaJ
zPdUbS3foY4wIkrrtWQ0jkcBo7pJtP89z2ou+Rkl0lKaQBzCuvjsDVEm3GGNfgtJNbMMENieRVx2
lVor/Ec0inIFAgMBAAGjggE4MIIBNDAJBgNVHRMEAjAAMIGsBgNVHSAEgaQwgaEwgZ4GC2CGSAGG
+EUBBwEBMIGOMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vQ1BTMGIGCCsG
AQUFBwICMFYwFRYOVmVyaVNpZ24sIEluYy4wAwIBARo9VmVyaVNpZ24ncyBDUFMgaW5jb3JwLiBi
eSByZWZlcmVuY2UgbGlhYi4gbHRkLiAoYyk5NyBWZXJpU2lnbjARBglghkgBhvhCAQEEBAMCB4Aw
MAYKYIZIAYb4RQEGBwQiFiA0MWJkN2IwYzE1OTdmYTVmYjllZDk1NTQ0MzJiYmExNDAzBgNVHR8E
LDAqMCigJqAkhiJodHRwOi8vY3JsLnZlcmlzaWduLmNvbS9jbGFzczEuY3JsMA0GCSqGSIb3DQEB
BAUAA4GBABkFgcq+QFjgGnGIOU9TQSP1g+8V9+tPYmbwa4tSFqI2x4TSDq0OL5+F0+PzHxabfPJT
LVQfbbueOQCMk3qGSEoKD++iBBuDIgXs5GxDJrfRsemhfzIbnco0xATxL6qUplE8tYo5yDrbDJ7O
NGxLO+wg2yn0nuLTWDE7YCP+GGmUMIIEyDCCBDGgAwIBAgIEAgACmzANBgkqhkiG9w0BAQUFADBF
MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMRwwGgYDVQQDExNHVEUgQ3li
ZXJUcnVzdCBSb290MB4XDTAyMDgyNzE5MDcwMFoXDTA2MDIyMzIzNTkwMFowgdwxCzAJBgNVBAYT
AkdCMRcwFQYDVQQKEw5Db21vZG8gTGltaXRlZDEdMBsGA1UECxMUQ29tb2RvIFRydXN0IE5ldHdv
cmsxRjBEBgNVBAsTPVRlcm1zIGFuZCBDb25kaXRpb25zIG9mIHVzZTogaHR0cDovL3d3dy5jb21v
ZG8ubmV0L3JlcG9zaXRvcnkxHzAdBgNVBAsTFihjKTIwMDIgQ29tb2RvIExpbWl0ZWQxLDAqBgNV
BAMTI0NvbW9kbyBDbGFzcyAzIFNlY3VyaXR5IFNlcnZpY2VzIENBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAsR5gZuBDBp4naC8CmceI34Xr22Xs1Elnei4fzdwVLNYerPKdRjpdA8A9
BSxaGA1ZJUKjcsCtKNKtPDHiSwf7XpjrqDPWabJanuosSaYmLkzwzKtA0qreLE6Btbp7uFzQe71H
9cAG0sDk10fbYkCvoRxRAxjbuNC7lMc8eeolZK4mGeE8Zkdnkp17Vas0wnVu2SeOnYzwHdprnIYE
opC16p2Mz/s5Q6jwGC2e9xkQLJwv4dCx/9dZxM1AMvnXgdtRHPJBUoFBsYO4yAn+mSJHgE+cy67g
KNUcrHBHsCWroThCF2v6am6NX3n49ikDMKRuRtSFXapAmTh22x4BfeUMpQIDAQABo4IBpzCCAaMw
RQYDVR0fBD4wPDA6oDigNoY0aHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JM
LzIwMDYvY2RwLmNybDAdBgNVHQ4EFgQU9lIiFxUTCANZvxiVn0i0uen++GYwgZIGA1UdIASBijCB
hzBJBgoqhkiG+GMBAgEFMDswOQYIKwYBBQUHAgEWLWh0dHA6Ly93d3cucHVibGljLXRydXN0LmNv
bS9DUFMvT21uaVJvb3QuaHRtbDA6BgwrBgEEAbIxAQIBAwEwKjAoBggrBgEFBQcCARYcaHR0cHM6
Ly9zZWN1cmUuY29tb2RvLm5ldC9DUDBYBgNVHSMEUTBPoUmkRzBFMQswCQYDVQQGEwJVUzEYMBYG
A1UEChMPR1RFIENvcnBvcmF0aW9uMRwwGgYDVQQDExNHVEUgQ3liZXJUcnVzdCBSb290ggIBozAr
BgNVHRAEJDAigA8yMDAyMDgyNzE5MDczMVqBDzIwMDUwMjIzMjM1OTAwWjAOBgNVHQ8BAf8EBAMC
AeYwDwYDVR0TBAgwBgEB/wIBADANBgkqhkiG9w0BAQUFAAOBgQC2p7B6cYvgurOBHjYyeoYY1vGr
TTkIcQZaZ6BLAeUwQG2JtZ4VqrHH9ArGXA7pN96ol8fczs1x+3QCB9xfFScIUwd21LkG6cJ3UB7K
ybDCRoGAAK1EqlzWINlVMr5WlvHqvaDjvA2AOurM+5pX7XilNj1W6tHndMo0w8+xUengDDCCBMgw
ggQxoAMCAQICBAIAApswDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dU
RSBDb3Jwb3JhdGlvbjEcMBoGA1UEAxMTR1RFIEN5YmVyVHJ1c3QgUm9vdDAeFw0wMjA4MjcxOTA3
MDBaFw0wNjAyMjMyMzU5MDBaMIHcMQswCQYDVQQGEwJHQjEXMBUGA1UEChMOQ29tb2RvIExpbWl0
ZWQxHTAbBgNVBAsTFENvbW9kbyBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz1UZXJtcyBhbmQgQ29u
ZGl0aW9ucyBvZiB1c2U6IGh0dHA6Ly93d3cuY29tb2RvLm5ldC9yZXBvc2l0b3J5MR8wHQYDVQQL
ExYoYykyMDAyIENvbW9kbyBMaW1pdGVkMSwwKgYDVQQDEyNDb21vZG8gQ2xhc3MgMyBTZWN1cml0
eSBTZXJ2aWNlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALEeYGbgQwaeJ2gv
ApnHiN+F69tl7NRJZ3ouH83cFSzWHqzynUY6XQPAPQUsWhgNWSVCo3LArSjSrTwx4ksH+16Y66gz
1mmyWp7qLEmmJi5M8MyrQNKq3ixOgbW6e7hc0Hu9R/XABtLA5NdH22JAr6EcUQMY27jQu5THPHnq
JWSuJhnhPGZHZ5Kde1WrNMJ1btknjp2M8B3aa5yGBKKQteqdjM/7OUOo8BgtnvcZECycL+HQsf/X
WcTNQDL514HbURzyQVKBQbGDuMgJ/pkiR4BPnMuu4CjVHKxwR7Alq6E4Qhdr+mpujV95+PYpAzCk
bkbUhV2qQJk4dtseAX3lDKUCAwEAAaOCAacwggGjMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93
d3cucHVibGljLXRydXN0LmNvbS9jZ2ktYmluL0NSTC8yMDA2L2NkcC5jcmwwHQYDVR0OBBYEFPZS
IhcVEwgDWb8YlZ9ItLnp/vhmMIGSBgNVHSAEgYowgYcwSQYKKoZIhvhjAQIBBTA7MDkGCCsGAQUF
BwIBFi1odHRwOi8vd3d3LnB1YmxpYy10cnVzdC5jb20vQ1BTL09tbmlSb290Lmh0bWwwOgYMKwYB
BAGyMQECAQMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1AwWAYD
VR0jBFEwT6FJpEcwRTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEcMBoG
A1UEAxMTR1RFIEN5YmVyVHJ1c3QgUm9vdIICAaMwKwYDVR0QBCQwIoAPMjAwMjA4MjcxOTA3MzFa
gQ8yMDA1MDIyMzIzNTkwMFowDgYDVR0PAQH/BAQDAgHmMA8GA1UdEwQIMAYBAf8CAQAwDQYJKoZI
hvcNAQEFBQADgYEAtqewenGL4LqzgR42MnqGGNbxq005CHEGWmegSwHlMEBtibWeFaqxx/QKxlwO
6TfeqJfH3M7Ncft0AgfcXxUnCFMHdtS5BunCd1AeysmwwkaBgACtRKpc1iDZVTK+Vpbx6r2g47wN
gDrqzPuaV+14pTY9VurR53TKNMPPsVHp4AwwggV6MIIEYqADAgECAhEAnytBMGb8ejNXdO1SevpL
3zANBgkqhkiG9w0BAQUFADCB3DELMAkGA1UEBhMCR0IxFzAVBgNVBAoTDkNvbW9kbyBMaW1pdGVk
MR0wGwYDVQQLExRDb21vZG8gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9VGVybXMgYW5kIENvbmRp
dGlvbnMgb2YgdXNlOiBodHRwOi8vd3d3LmNvbW9kby5uZXQvcmVwb3NpdG9yeTEfMB0GA1UECxMW
KGMpMjAwMiBDb21vZG8gTGltaXRlZDEsMCoGA1UEAxMjQ29tb2RvIENsYXNzIDMgU2VjdXJpdHkg
U2VydmljZXMgQ0EwHhcNMDQwNTEwMDAwMDAwWhcNMDUwNTEwMjM1OTU5WjCB4DE1MDMGA1UECxMs
Q29tb2RvIFRydXN0IE5ldHdvcmsgLSBQRVJTT05BIE5PVCBWQUxJREFURUQxRjBEBgNVBAsTPVRl
cm1zIGFuZCBDb25kaXRpb25zIG9mIHVzZTogaHR0cDovL3d3dy5jb21vZG8ubmV0L3JlcG9zaXRv
cnkxHzAdBgNVBAsTFihjKTIwMDMgQ29tb2RvIExpbWl0ZWQxGTAXBgNVBAMTEENocmlzdGluZSBL
YXJtYW4xIzAhBgkqhkiG9w0BCQEWFGNocmlzdGluZUBpemVjb20uY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDME34pF9A6lo1iaFrD9G8NhNMafomtO8xd4TQiBUlEthWWUctIuYS/JTye
mbCVM+WDkKuSDBZ/weTJNii49ERcfV9xN90BCyZ+do1qoTRb0DYyvwq60Ap7IQd6f6LqPV6RLoQk
OL+vcygQ4CIO4dvz6v9Ek9Bon4CCoK15hho46wIDAQABo4IBszCCAa8wHwYDVR0jBBgwFoAU9lIi
FxUTCANZvxiVn0i0uen++GYwHQYDVR0OBBYEFOJBJQ/E+V7WGdFfLEYJZBOJyqyDMA4GA1UdDwEB
/wQEAwIFoDAMBgNVHRMBAf8EAjAAMCAGA1UdJQQZMBcGCCsGAQUFBwMEBgsrBgEEAbIxAQMFAjBG
BgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEBATArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5j
b21vZG8ubmV0L0NQUzCBsAYDVR0fBIGoMIGlMDigNqA0hjJodHRwOi8vY3JsLmNvbW9kby5uZXQv
Q2xhc3MzU2VjdXJpdHlTZXJ2aWNlc18yLmNybDA6oDigNoY0aHR0cDovL2NybC5jb21vZG9jYS5j
b20vQ2xhc3MzU2VjdXJpdHlTZXJ2aWNlc18yLmNybDAtoCugKYEnQ2xhc3MzU2VjdXJpdHlTZXJ2
aWNlc18yQGNybC5jb21vZG8ubmV0MBEGCWCGSAGG+EIBAQQEAwIFIDAfBgNVHREEGDAWgRRjaHJp
c3RpbmVAaXplY29tLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAXiuAsCipKZVyyg5cJrgn8a1hRIbx
EsqAMDFOeEwUiwHwa4SwtvmJnpTermSLUIa2ObLq6hf+ODYknuHFISQlC0nY92XficF6Nz3tRvo1
1CU89/wovFcncSjhrrMqo67CjcKAKcGqf96WC8VL72F+SUF1QL2NIlVGqrBdo6/FQxZ86p6m1Wns
No73V+N2NudMWB5hqvSK0IVbyBJtvDgFzZmqCjsyK1vWS7STMvU0StiKN2zzkg20rrqbaUJHpVJw
WavcPRe65nAqnje5X8qDvCugo+CMdSckflHMeBxm85rgVIe60Q/jdeepxdWtjxQOA4YUtvUdVtlz
wRGDb/wYcTCCBXowggRioAMCAQICEQCfK0EwZvx6M1d07VJ6+kvfMA0GCSqGSIb3DQEBBQUAMIHc
MQswCQYDVQQGEwJHQjEXMBUGA1UEChMOQ29tb2RvIExpbWl0ZWQxHTAbBgNVBAsTFENvbW9kbyBU
cnVzdCBOZXR3b3JrMUYwRAYDVQQLEz1UZXJtcyBhbmQgQ29uZGl0aW9ucyBvZiB1c2U6IGh0dHA6
Ly93d3cuY29tb2RvLm5ldC9yZXBvc2l0b3J5MR8wHQYDVQQLExYoYykyMDAyIENvbW9kbyBMaW1p
dGVkMSwwKgYDVQQDEyNDb21vZG8gQ2xhc3MgMyBTZWN1cml0eSBTZXJ2aWNlcyBDQTAeFw0wNDA1
MTAwMDAwMDBaFw0wNTA1MTAyMzU5NTlaMIHgMTUwMwYDVQQLEyxDb21vZG8gVHJ1c3QgTmV0d29y
ayAtIFBFUlNPTkEgTk9UIFZBTElEQVRFRDFGMEQGA1UECxM9VGVybXMgYW5kIENvbmRpdGlvbnMg
b2YgdXNlOiBodHRwOi8vd3d3LmNvbW9kby5uZXQvcmVwb3NpdG9yeTEfMB0GA1UECxMWKGMpMjAw
MyBDb21vZG8gTGltaXRlZDEZMBcGA1UEAxMQQ2hyaXN0aW5lIEthcm1hbjEjMCEGCSqGSIb3DQEJ
ARYUY2hyaXN0aW5lQGl6ZWNvbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMwTfikX
0DqWjWJoWsP0bw2E0xp+ia07zF3hNCIFSUS2FZZRy0i5hL8lPJ6ZsJUz5YOQq5IMFn/B5Mk2KLj0
RFx9X3E33QELJn52jWqhNFvQNjK/CrrQCnshB3p/ouo9XpEuhCQ4v69zKBDgIg7h2/Pq/0ST0Gif
gIKgrXmGGjjrAgMBAAGjggGzMIIBrzAfBgNVHSMEGDAWgBT2UiIXFRMIA1m/GJWfSLS56f74ZjAd
BgNVHQ4EFgQU4kElD8T5XtYZ0V8sRglkE4nKrIMwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQC
MAAwIAYDVR0lBBkwFwYIKwYBBQUHAwQGCysGAQQBsjEBAwUCMEYGA1UdIAQ/MD0wOwYMKwYBBAGy
MQECAQEBMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1BTMIGwBgNV
HR8EgagwgaUwOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvLm5ldC9DbGFzczNTZWN1cml0eVNlcnZp
Y2VzXzIuY3JsMDqgOKA2hjRodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DbGFzczNTZWN1cml0eVNl
cnZpY2VzXzIuY3JsMC2gK6ApgSdDbGFzczNTZWN1cml0eVNlcnZpY2VzXzJAY3JsLmNvbW9kby5u
ZXQwEQYJYIZIAYb4QgEBBAQDAgUgMB8GA1UdEQQYMBaBFGNocmlzdGluZUBpemVjb20uY29tMA0G
CSqGSIb3DQEBBQUAA4IBAQBeK4CwKKkplXLKDlwmuCfxrWFEhvESyoAwMU54TBSLAfBrhLC2+Yme
lN6uZItQhrY5surqF/44NiSe4cUhJCULSdj3Zd+JwXo3Pe1G+jXUJTz3/Ci8VydxKOGusyqjrsKN
woApwap/3pYLxUvvYX5JQXVAvY0iVUaqsF2jr8VDFnzqnqbVaew2jvdX43Y250xYHmGq9IrQhVvI
Em28OAXNmaoKOzIrW9ZLtJMy9TRK2Io3bPOSDbSuuptpQkelUnBZq9w9F7rmcCqeN7lfyoO8K6Cj
4Ix1JyR+Ucx4HGbzmuBUh7rRD+N156nF1a2PFA4DhhS29R1W2XPBEYNv/BhxMYICJzCCAiMCAQEw
gfIwgdwxCzAJBgNVBAYTAkdCMRcwFQYDVQQKEw5Db21vZG8gTGltaXRlZDEdMBsGA1UECxMUQ29t
b2RvIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPVRlcm1zIGFuZCBDb25kaXRpb25zIG9mIHVzZTog
aHR0cDovL3d3dy5jb21vZG8ubmV0L3JlcG9zaXRvcnkxHzAdBgNVBAsTFihjKTIwMDIgQ29tb2Rv
IExpbWl0ZWQxLDAqBgNVBAMTI0NvbW9kbyBDbGFzcyAzIFNlY3VyaXR5IFNlcnZpY2VzIENBAhEA
nytBMGb8ejNXdO1SevpL3zAJBgUrDgMCGgUAoIGLMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTA0MDcxOTEzMjM0MFowIwYJKoZIhvcNAQkEMRYEFHmVwJ8VJ8fnoY/S
49Unxoy4K/FVMCwGCSqGSIb3DQEJDzEfMB0wDwYIKoZIhvcNAwIwAwIBOjAKBggqhkiG9w0DBzAN
BgkqhkiG9w0BAQEFAASBgHi+V3GbiS45daTatiwQgqvKQ25JQeOLLxEH5+0sbDuqBY3FmjtPtZ0B
12ERcrY83B6nx7wRc9iWpPnrkKromqYb3vB84FNpGL8bGgmykIfdWQ5SaZ9n0hE9Wz1PQUWBspyY
+5chtk7l13Rq9a5Lx+kDbdCVn1JD/RcjQGn7qdqX
--{39DCBED5-7FEB-4056-8C10-05B4D010B916}--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JDDfUA057128; Mon, 19 Jul 2004 06:13:41 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6JDDfOd057124; Mon, 19 Jul 2004 06:13:41 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-mclean.mitre.org (smtpproxy2.mitre.org [192.80.55.71]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JDDdwM057087; Mon, 19 Jul 2004 06:13:39 -0700 (PDT) (envelope-from tmiller@mitre.org)
Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-mclean.mitre.org (8.11.6/8.11.6) with ESMTP id i6JDDdM28312; Mon, 19 Jul 2004 09:13:39 -0400
Received: from MAILHUB2 (mailhub2.mitre.org [129.83.221.18]) by smtp-mclean.mitre.org (8.11.6/8.11.6) with ESMTP id i6JDDbS28237; Mon, 19 Jul 2004 09:13:37 -0400
Received: from unity-15-148.mitre.org (129.83.15.148) by mailhub2.mitre.org with SMTP id 3716441; Mon, 19 Jul 2004 09:13:29 -0400
Message-ID: <40FBC8F8.7020003@mitre.org>
Date: Mon, 19 Jul 2004 08:13:28 -0500
From: "Timothy J. Miller" <tmiller@mitre.org>
User-Agent: Mozilla Thunderbird 0.7.1 (Windows/20040626)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Christine Karman <christine@izecom.com>
CC: ietf-smime@imc.org, ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
References: <20040716152213.GA16939@mail19g.dulles19-verio.com> <20040716152213.GA16939@mail19g.dulles19-verio.com> <4.3.2.7.2.20040719124821.0280f818@localhost>
In-Reply-To: <4.3.2.7.2.20040719124821.0280f818@localhost>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Christine Karman wrote:
> How's that?
> If you accept encrypted email, then you can refuse unsigned email.
> Besides, most of our customers use gateway decryption, which allows them
> to do content scanning.
Um, the cert tends to have your (valid) email address in it. (And
support for certs without an rfc822Name is spotty at best.)
-- Tim
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JAqAGP031515; Mon, 19 Jul 2004 03:52:10 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6JAqAVO031513; Mon, 19 Jul 2004 03:52:10 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-vbr13.xs4all.nl (smtp-vbr13.xs4all.nl [194.109.24.33]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6JAq9X4031492; Mon, 19 Jul 2004 03:52:09 -0700 (PDT) (envelope-from christine@izecom.com)
Received: from pengo (extra1.izecom.com [195.64.86.233]) by smtp-vbr13.xs4all.nl (8.12.11/8.12.11) with SMTP id i6JAq765010006; Mon, 19 Jul 2004 12:52:07 +0200 (CEST) (envelope-from christine@izecom.com)
Message-Id: <4.3.2.7.2.20040719124821.0280f818@localhost>
X-Sender: chklaptp@pop.xs4all.nl@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 19 Jul 2004 12:51:33 +0200
To: ietf-smime@imc.org, ietf-pkix@imc.org
From: Christine Karman <christine@izecom.com>
Subject: Re: Request: Send me signed messages
Cc: ietf-smime@imc.org, ietf-pkix@imc.org
In-Reply-To: <40F82FD2.5010503@nma.com>
References: <20040716152213.GA16939@mail19g.dulles19-verio.com> <20040716152213.GA16939@mail19g.dulles19-verio.com>
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="{3F37A849-88DC-48F3-9919-8C59370BA4BF}"
X-Izemail-Send-Version: 1.4.1.516 (POP3)
X-Virus-Scanned: by XS4ALL Virus Scanner
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
--{3F37A849-88DC-48F3-9919-8C59370BA4BF}
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 09:43 PM 7/16/2004, Ed Gerck wrote:
>An obvious problem with email certificates is that they open us to spam.
How's that?
If you accept encrypted email, then you can refuse unsigned email. Besides,
most of our customers use gateway decryption, which allows them to do
content scanning.
dagdag
Christine
--
Izecom BV
Secure e-mail and digital signatures
www.izecom.com
if your outlook can't reply to a signed message, go to
www.izecom.com/reply.html
--{3F37A849-88DC-48F3-9919-8C59370BA4BF}
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIJ+YwYJKoZIhvcNAQcCoIJ+VDCCflACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCfF4w
ggH6MIIBYwICAaMwDQYJKoZIhvcNAQEEBQAwRTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBD
b3Jwb3JhdGlvbjEcMBoGA1UEAxMTR1RFIEN5YmVyVHJ1c3QgUm9vdDAeFw05NjAyMjMyMzAxMDBa
Fw0wNjAyMjMyMzU5MDBaMEUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUgQ29ycG9yYXRpb24x
HDAaBgNVBAMTE0dURSBDeWJlclRydXN0IFJvb3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
ALjmT7rbmHxxfK9Et9MPRtlk5ZPBQo7HukmNNS1654u95QUxWcaxLwoM+5+nP6IJZoRWHjcpG4fp
fgzKmp+lf/UVlKPVokaC2GhM0TcVBmivvfiws/Ap9ZVaCRZhdwoiJdRPRarHveWW3/nUqI5CzCTA
HpEnSrVtBoBjOcSiXjgDAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAErN1xl8d4WFVgADUgUt7MQ8j
Y+c98wP59Daou9njpZdN6isp4NZqc4HmwImj0/HgpaUiN5pjwkggtNty48j22Xy+sa9T2hS0IbjW
1Zbj/k4MWWK2mkr5Qt2Mb4Gpcf/0CnJtbUQOnfN0dKjVNEnpXp7ptHrh5VofhDCc05+lJdgwggI9
MIIBpgIRAM26f1bw3+S8VP4irLNyqlUwDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAV
BgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENl
cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1
YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0fzGVuDLDQVoQY
h5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHiTkVWaR94AoDa3EeRKbs2yWNc
xeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0GCSqGSIb3DQEBAgUAA4GBAEw/uIvGaN/uQzMO
XemmyweETXoz/5Ib9Dat2JUiNmgRbHxCzPOcLsQHPxSwD0//kJJ2+eK8SumPzaCACvfFKfGCIl24
sd2BI6N7JRVGMHkW+OoFS5R/HcIcyOO39BBAPBPDXx9T6EjkhrR7oTWweyW6uNOOqz84nQA0AJjz
0XGUMIIDYjCCAsugAwIBAgIQC9oLF8E/iY6rCXR6tM4uMzANBgkqhkiG9w0BAQIFADBfMQswCQYD
VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGlj
IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEy
MjM1OTU5WjCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy
dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5j
b3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg
SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV2TFBcHqB
S7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/Gdr5FegPh7Yc
48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaOBsDCBrTAPBgNVHRMECDAGAQH/AgEA
MEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYfd3d3LnZlcmlzaWduLmNv
bS9yZXBvc2l0b3J5L1JQQTAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLnZlcmlzaWduLmNv
bS9wY2ExLmNybDALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMA0GCSqGSIb3DQEBAgUA
A4GBAAJ9nm9FSziguN7pU2QhvORMK48e/pJArNgKOWqhMiEsB5urWf7SYhp9VTiwN3Pc9AdmY2K9
4VNwUofnqNhS6VstquHez6wxVNSLGcjYI6jvBCsyfSwYHMh8iagud/JE0WUKTXS17tMbknN0Lok7
NRNy50AxmtOyxKvnVr6L4/sVMIIDgTCCAmmgAwIBAgIRAK9oyzx6IyABA/lsASJjcVowDQYJKoZI
hvcNAQEFBQAwgYMxEjAQBgNVBAoTCUl6ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVt
YWlsLmNvbTEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYD
VQQGEwJOTDETMBEGA1UEAxMKSXplbWFpbCBDQTAeFw0wNDA3MDIxMzI1NThaFw0wNTA4MDkxMzI1
NThaMGwxCzAJBgNVBAYTAk5MMRIwEAYDVQQHEwlBbXN0ZXJkYW0xEDAOBgNVBAoTB2l6ZW1haWwx
IDAeBgkqhkiG9w0BCQEWEWl6ZW1haWxAeHM0YWxsLm5sMRUwEwYDVQQDEwxpemVtYWlsIHVzZXIw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALUhMm9LUQrLi84yO6NkKaR61aqySUIjs8YIyZfk
qMmPzj5akgD6pGs0lT45iiEiq54gsqjQM/i2z/ewq67L7elOpE5q2au4Qbw99u10QNPuk/o1EEOF
cuNCybnYib4YfZP7ZDjK+1lDELtiJEsXIZDEDPHBsZoHefaXPOSiRF6tAgMBAAGjgYkwgYYwCQYD
VR0TBAIwADA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9p
emVtYWlsLjEuY3JsMBwGA1UdEQQVMBOBEWl6ZW1haWxAeHM0YWxsLm5sMB0GA1UdJQQWMBQGCCsG
AQUFBwMEBggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAVAzoUYQrRYeIqkp9RMvUtah7JYIv
/dLbLOHfzUSCl69ZsE5ViKgXiHZZnbCE7CmenF/uIr4/zhgHD8refpBMrA2w10adrHsDV2CJTYhJ
5XmXr++5454iqCIG3EJ6C4sDWo9S685iF+rv7tpWUim+zmhbcHcLLp9pJ4u7tQz+Zs9Rj4CdbXpe
UA8YRES4ahyw9rjUAs3aRXTxFUFrEFOrmM0UnXz9HjDeNTjHpFLS14jwXP/ymN8YaDzXaP06nTHS
HiP/BMnkBHgRtAIpVUzpCdO+BP61E9QEJ2KIgGZWveQWHvZB3stwVYPTmkICPAu0V7faiKwGY/fe
O+URP38XyTCCA4QwggJsoAMCAQICEQDKIGQhZRNna+i/El4nuWG0MA0GCSqGSIb3DQEBBQUAMIGD
MRIwEAYDVQQKEwlJemVjb20gQlYxHzAdBgkqhkiG9w0BCQEWEGluZm9AaXplbWFpbC5jb20xFjAU
BgNVBAgTDU5vb3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxEzAR
BgNVBAMTCkl6ZW1haWwgQ0EwHhcNMDQwMzEyMTQwMTI0WhcNMDUwNDE5MTQwMTI0WjBrMQswCQYD
VQQGEwJOTDESMBAGA1UEBxMJQW1zdGVyZGFtMRIwEAYDVQQKEwlJemVjb20gQlYxHjAcBgkqhkiG
9w0BCQEWD2luZm9AaXplY29tLmNvbTEUMBIGA1UEAxMLSW5mbyBJemVjb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAO1S2s95QBpWP86MDekCIQqu9WjXTurDRV/qgq5Dx7ZjuJlrO+NlRRGM
/JjSOqZ0gAq14PSUm5HZfaorxANZxuw+g6+rd5kTUZZcWKca3yt+zc3h+xkF+AIrbcYAMxHSjYZP
6SvNsFn8TV1wcwRgo3GVxR1uUiXNJoBz44JSmqFDAgMBAAGjgY0wgYowDwYDVR0TBAgwBgEBAAIB
ADA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9pemVtYWls
LjEuY3JsMBoGA1UdEQQTMBGBD2luZm9AaXplY29tLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDBAYI
KwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAFt+s913of0Jm1T5Pw1Tyw6voXR0dYCW+aoXfjas
JKPNK0fIqo5QZPZpZj4XZ2mOaJfztu55xg8hojMrmragzJgArWcGqmM1HRrUjlr4QKbn0HmC7gwV
p/g2b187mWu9CIBHFmhyHxOSx6JsgX2ORXJYu+JL3sa5rLiK6iNzVNjN/aSlzQNdZaUxZ2WRq1p/
7BWCjP9zPN/bLhgP1nE5uTF2vQ1scvMn2J5Gt575FYeN9Xm59D1/Eu59q/I248AhR3gqrnS7u/ky
+zVsI0pp0q5RXHZDa5PlmuMNFef5CwbKere6hQSZ5GP2MWtPoHZvipfqvurM7/XMEP/VtH8Zlzgw
ggOHMIICb6ADAgECAhAWMW7s5NRjM+GG8hzGoth4MA0GCSqGSIb3DQEBBQUAMIGDMRIwEAYDVQQK
EwlJemVjb20gQlYxHzAdBgkqhkiG9w0BCQEWEGluZm9AaXplbWFpbC5jb20xFjAUBgNVBAgTDU5v
b3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxEzARBgNVBAMTCkl6
ZW1haWwgQ0EwHhcNMDQwNzA1MjA0NjEyWhcNMDUwODEyMjA0NjEyWjBxMQswCQYDVQQGEwJOTDEP
MA0GA1UEBxMGSHVpemVuMRIwEAYDVQQKEwlaYXBob2QgQlYxIjAgBgkqhkiG9w0BCQEWE2Nocmlz
dGluZUBrYXJtYW4ubmwxGTAXBgNVBAMTEENocmlzdGluZSBLYXJtYW4wgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAKcx2YA0uKM0aXWukpbfrLj3ird+UNKTcpnG6h9ZncOOt3ZWfc7fZpEhNC8d
Fjk2meJeenNVjwfqeRuZCCmIROfYpyLl2s7GENUPoqo6lKjaYtU6O8GlLOY850BDv880vs8Szavm
zbkHQOd/mO8NTmObAnjdAzJJiGJ4ywF1/Yh5AgMBAAGjgYswgYgwCQYDVR0TBAIwADA8BgNVHR8E
NTAzMDGgL6AthitodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9pemVtYWlsLjEuY3JsMB4G
A1UdEQQXMBWBE2NocmlzdGluZUBrYXJtYW4ubmwwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUF
BwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAorgNK9BiyU48AcCw/ywgHuhkkhZ2LvFo+DE1GJdufaAcb
6Ko45tqCLQcIZNlLdX5zBH5uuPVaV7i9nkOk8A3dech2Zdv0V/3yfsFyHy8DUdmiH66qezEKwUkL
Zo4RoGT/Yi+FRxdUtMgek56YBhWlqCaXqZwUchbMfUN4WzV6fN159x2zhc6Uv+ktFnILLcNKvOpC
Cy+M5yDOeq6aiG0KOpuxy0ZiXPF3LHKEkBsdfSkzokFd9xda3vGVFa3e7gSCUv7QrYJdHIRtlq5n
szi98DYudJsBfkLOizWNn8F85XMb0yHBAyDTIO2Z+NcHhlMOy2XbvtmwxP3IEDcy1j8AMIIDjjCC
AnagAwIBAgIRANv4dRuNkzqiKDNkv8sV0R0wDQYJKoZIhvcNAQEFBQAwgY4xEjAQBgNVBAoTCUl6
ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNvbTEMMAoGA1UECBMDbi9hMRIw
EAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSgwJgYDVQQDEx9JemVtYWlsIENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5MB4XDTA0MDExOTE2MTc1NloXDTA1MDExMTIzMDAwMFowaTELMAkGA1UE
BhMCTkwxEjAQBgNVBAcTCWFtc3RlcmRhbTENMAsGA1UEChMEbm9uZTEhMB8GCSqGSIb3DQEJARYS
WDEwX19fQGhvdG1haWwuY29tMRQwEgYDVQQDEwtXZW5keSBXZWJlcjCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAtTPyFNVgiHFXAeq3A1IB+QjHq1VffIS4loWiGAguoEKZD37WLpK7wjuBaN2f
ul4Fp99ORUSXlP3DRwJH2XnVwJAaGlHYz/k05nLS+XAP/Sy/hivYi6M+Am+IpDM4sYhZsRp7dofw
UclJNUjWrHAWN2R4EHiTQWxBQSV8A/zRrBECAwEAAaOBjjCBizAPBgNVHRMECDAGAQEAAgEAMDoG
A1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly93d3cuaXplY29tLmNvbS9pemVtYWlsL2l6ZW1haWwuY3Js
MB0GA1UdEQQWMBSBElgxMF9fX0Bob3RtYWlsLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYB
BQUHAwIwDQYJKoZIhvcNAQEFBQADggEBABhGlLSdO5r0yl9prOweu3krWAZA5obMTSkWA0azKR/2
u2OW5+8TS4CsLEQ2+I7iza1C7Qz62fuc+mcLBRGW0Zc5h0htbY50noAJhrWAmWHPcJtB6xVmyNg2
T5m80WE2xujRWFPeoj1ZeOzcuWoVeuTpxqgO/t1i1JJgYDsYCSMRdVE0ZkwP0THl3P+WnAiDJog2
y3aiN+CaVKrmKxlNdTr+5Hj3QKSf78MwDN62cjV4LMBa1YK2QhhsfeQWKW7Tq6RAZPaSbyzmncmB
mj10x+MtbiyElMc0PY0V1x4VoUvdIrAOZnjUkb8rgsIhqWDFf54oG3/L1X7lD2pj0qOwdyUwggOQ
MIICeKADAgECAhEA8bb9H6pp50jmGkQbFyVs8DANBgkqhkiG9w0BAQUFADCBgzESMBAGA1UEChMJ
SXplY29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMRYwFAYDVQQIEw1Ob29y
ZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMRMwEQYDVQQDEwpJemVt
YWlsIENBMB4XDTA0MDUwNDE1NTUyOFoXDTA1MDYxMTE1NTUyOFowczELMAkGA1UEBhMCTkwxEjAQ
BgNVBAcTCUFtc3RlcmRhbTEQMA4GA1UEChMHaXplbWFpbDEiMCAGCSqGSIb3DQEJARYTbGljZW5z
ZUBpemVtYWlsLmNvbTEaMBgGA1UEAxMRSXplbWFpbCBsaWNlbnNpbmcwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBANtw+PIWiwmBSgp7DOdw7fV12nHM9DvzhyK3SGnnsVIL7qCz64vyLc+MVYV/
aTxVqu0j7s+uxmFyR36wwPjAdJnvOSyVd9cB0ZKByzAbgKhWfVUiEt7NhC0HDXa7yxMll8JvV1OI
M13caVKD6stM/n84abjKH+AIniYP2EKNDaPxAgMBAAGjgZEwgY4wDwYDVR0TBAgwBgEBAAIBADA8
BgNVHR8ENTAzMDGgL6AthitodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9pemVtYWlsLjEu
Y3JsMB4GA1UdEQQXMBWBE2xpY2Vuc2VAaXplbWFpbC5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwQG
CCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQBeOiT+ZsP/fivt9J8ADDvSvTIGXuja4HuwUFZQ
Gg70FUkccBVedgGQPspfWwK61IJilCrjGiHzTcVKdbDEuX0hSuMjU0tZ1qQI6LRJjNOsS9+ui8Ke
gxYLGY4YwIlXCKYwslxDZKH5eFtN9GLZ/MiA4630uciywMO015bepJtNiGy/LPfDZuRFvEm2RLGp
5Gk4jh9v9o45rbnAdQh9EWQ0JkNxxNkjpxPqCMZ1Q9r8jVtUlXaxg2jyTgUniKX6Hsc6YQykB3wl
AAsVeiitoAK4FFlXvIAXzx85QbvARXX+sfpekrCb4WwZ7DkQqHeG2yMXmsiP2IBAcXhhJX84Eihf
MIIDkjCCAnqgAwIBAgIQTFu6Av1P0TWBAjiHCtoWWTANBgkqhkiG9w0BAQUFADCBgzESMBAGA1UE
ChMJSXplY29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMRYwFAYDVQQIEw1O
b29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMRMwEQYDVQQDEwpJ
emVtYWlsIENBMB4XDTA0MDUwNDE0MDQyOFoXDTA1MDYxMTE0MDQyOFowdDELMAkGA1UEBhMCTkwx
EjAQBgNVBAcTCUFtc3RlcmRhbTEQMA4GA1UEChMHaXplbWFpbDEkMCIGCSqGSIb3DQEJARYVY2hy
aXN0aW5lQGl6ZW1haWwuY29tMRkwFwYDVQQDExBDaHJpc3RpbmUgS2FybWFuMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDO3icNfM1EKNiU3Gkhy8AJXObNtWRtop78Yqpxr/KoHEvjQlLW2g6S
Q7QnxvPS5EV7kjda/nkpRTknyVLSy9zzPEYZ0LTpjjYEnLI0//QEK6MyKRdQmilz+Q+avnGDSFIG
9O8fMLVZZenTibAV3EZXF+mQ3dIExe9fVgwDYLEXtwIDAQABo4GTMIGQMA8GA1UdEwQIMAYBAQAC
AQAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL3d3dy5pemVjb20uY29tL2l6ZW1haWwvaXplbWFp
bC4xLmNybDAgBgNVHREEGTAXgRVjaHJpc3RpbmVAaXplbWFpbC5jb20wHQYDVR0lBBYwFAYIKwYB
BQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQB/k/ue+oOkz3q1h4c1Ijbv0tfo6kfG
c3XGCIcvG4s8RC/QohqrTQJ5BM/w4YtufKchQIR/mp8yY2l67F8V2pdr5FXxsX59pwb451NZ+crk
WA7elG95WxBT+i8fAhwS1SErVhOt3bMO/0m7eN2Z70sQ4eqFfl1rhbhD9X4VEXavvCfW9GtwP5aS
Dbuuwro2eQP5mQVn5dPCpHl6kAzFrPiSou+1MGiV+Gox7JTogbni3N7GylM9mhWn/+2cNok2i17P
uDNtQf8NjPCYQ8WPJXto3XOZXszWY5qYHPoQcZHl9QYivYQioIlpmLN0dTurKJuE7Hy+O4BKex0d
jPkxeVn6MIIDkjCCAnqgAwIBAgIQTFu6Av1P0TWBAjiHCtoWWTANBgkqhkiG9w0BAQUFADCBgzES
MBAGA1UEChMJSXplY29tIEJWMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMRYwFAYD
VQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMRMwEQYD
VQQDEwpJemVtYWlsIENBMB4XDTA0MDUwNDE0MDQyOFoXDTA1MDYxMTE0MDQyOFowdDELMAkGA1UE
BhMCTkwxEjAQBgNVBAcTCUFtc3RlcmRhbTEQMA4GA1UEChMHaXplbWFpbDEkMCIGCSqGSIb3DQEJ
ARYVY2hyaXN0aW5lQGl6ZW1haWwuY29tMRkwFwYDVQQDExBDaHJpc3RpbmUgS2FybWFuMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO3icNfM1EKNiU3Gkhy8AJXObNtWRtop78Yqpxr/KoHEvj
QlLW2g6SQ7QnxvPS5EV7kjda/nkpRTknyVLSy9zzPEYZ0LTpjjYEnLI0//QEK6MyKRdQmilz+Q+a
vnGDSFIG9O8fMLVZZenTibAV3EZXF+mQ3dIExe9fVgwDYLEXtwIDAQABo4GTMIGQMA8GA1UdEwQI
MAYBAQACAQAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL3d3dy5pemVjb20uY29tL2l6ZW1haWwv
aXplbWFpbC4xLmNybDAgBgNVHREEGTAXgRVjaHJpc3RpbmVAaXplbWFpbC5jb20wHQYDVR0lBBYw
FAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQB/k/ue+oOkz3q1h4c1Ijbv
0tfo6kfGc3XGCIcvG4s8RC/QohqrTQJ5BM/w4YtufKchQIR/mp8yY2l67F8V2pdr5FXxsX59pwb4
51NZ+crkWA7elG95WxBT+i8fAhwS1SErVhOt3bMO/0m7eN2Z70sQ4eqFfl1rhbhD9X4VEXavvCfW
9GtwP5aSDbuuwro2eQP5mQVn5dPCpHl6kAzFrPiSou+1MGiV+Gox7JTogbni3N7GylM9mhWn/+2c
Nok2i17PuDNtQf8NjPCYQ8WPJXto3XOZXszWY5qYHPoQcZHl9QYivYQioIlpmLN0dTurKJuE7Hy+
O4BKex0djPkxeVn6MIIDmTCCAoGgAwIBAgIRAKeR0C5POj1DS7I/H+1RU4wwDQYJKoZIhvcNAQEF
BQAwgY4xEjAQBgNVBAoTCUl6ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNv
bTEMMAoGA1UECBMDbi9hMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSgwJgYDVQQD
Ex9JemVtYWlsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAzMDkyOTA5NTYxM1oXDTA0MTAw
NTA5NTYxM1owcjELMAkGA1UEBhMCTkwxEjAQBgNVBAcTCWFtc3RlcmRhbTEPMA0GA1UEChMGaXpl
Y29tMSMwIQYJKoZIhvcNAQkBFhRjaHJpc3RpbmVAaXplY29tLmNvbTEZMBcGA1UEAxMQY2hyaXN0
aW5lIGthcm1hbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvMeT43uZD+4Iuo3WHApeGdDH
kMds8EUJopnwt6CGb8RvOA57/Jj7DPaSEJ7sYzSaG7/hs0EkAJP22glMdvF/HWWOXIwfCRlgJQuu
V18xlhidrvnHPC7id+ZF2llKYOpPMgYgmD0TPAkZrC/a/be2LrdGEo4LOZ1Lv8A5oBEpCbMCAwEA
AaOBkDCBjTAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwDwYDVR0TBAgwBgEBAAIBADA6
BgNVHR8EMzAxMC+gLaArhilodHRwOi8vd3d3Lml6ZWNvbS5jb20vaXplbWFpbC9pemVtYWlsLmNy
bDAfBgNVHREEGDAWgRRjaHJpc3RpbmVAaXplY29tLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAPCwt
n5fWFkkulP1Qcr4Csh3/dOX0MSdea9ytcZSyt3qHuPXtohTjLDIgs06dUfFUixg84cmCTUz6J0VQ
+X5iLsTWLSqsnLgAMnGkoi74P1NpF14Hc7lRwUFvZeAlrZfR95DOIZut9FjSUSkzSb+l93rf8VMv
wLf8Vw094ebYxSYHLnftzarEYzaKurmEbxE88awii4/zy0O5SNjL55uhssF10DNRiXA480XG+xkn
I4l37AbWrmShCQ2tG6Cn1LRk+gmAMZSIHIkLUpBvuCCH/jlH3hrmQPJ4QPxnyJMsoFD4sQfwpAGG
DhbxhxZlROLtiLRl0fHaOpdnF6cWL7VWPDCCA5wwggKEoAMCAQICEQD9iPEGreUnKhViN1t47Me5
MA0GCSqGSIb3DQEBBQUAMIGDMRIwEAYDVQQKEwlJemVjb20gQlYxHzAdBgkqhkiG9w0BCQEWEGlu
Zm9AaXplbWFpbC5jb20xFjAUBgNVBAgTDU5vb3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRh
bTELMAkGA1UEBhMCTkwxEzARBgNVBAMTCkl6ZW1haWwgQ0EwHhcNMDQwNzAyMTMzOTExWhcNMDUw
ODA5MTMzOTExWjB7MQswCQYDVQQGEwJOTDESMBAGA1UEBxMJQW1zdGVyZGFtMQ8wDQYDVQQKEwZJ
emVjb20xLDAqBgkqhkiG9w0BCQEWHWNocmlzdGluZUBleGNoYW5nZS5pemVjb20uY29tMRkwFwYD
VQQDExBDaHJpc3RpbmUgS2FybWFuMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoZ5kxMcLc
P7Y+HaLur1TrJI3taGLC8AyMkhqJEnkqAjKZdNrOaz6UvcLk8kS1oDh8IfqydERMqc3YqA7r0Je+
Sx4yF2vhJz1xsD+lFoudDCYaFc2trCn1KeJZLlCZhp5Ahgx0F7bYz/y5cXaAqUAUzXjKE8ShIEt4
JI0NeJHHMwIDAQABo4GVMIGSMAkGA1UdEwQCMAAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL3d3
dy5pemVjb20uY29tL2l6ZW1haWwvaXplbWFpbC4xLmNybDAoBgNVHREEITAfgR1jaHJpc3RpbmVA
ZXhjaGFuZ2UuaXplY29tLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwDQYJKoZI
hvcNAQEFBQADggEBADuKmNoozkq4RkR2lHw/FpOQGOijr/i1YkHtngXh9IPGxLxRhRbL6eKA4/y+
5fLO1GqtHTizTQehu88l6EboqRcLySNxiLgg7M8QpO29L9EfJ6e3B+WWVtrBYWSzWoGQmOs7xcQd
2NdYglByDe1Y35YjLnXwXrjtj2SQ/T5KNTkZ15SIQ1e6FSDHvkz7qRj1FVEh/OKZt1msNaZV+wEF
/J1HShlEewSKkDbRNdtzHn+w9WDZhZ7dyrINQnDegkpYzCy4BlT9rZ3ks4APrgUcw2pO9XSgpNoO
YqX20eHygJ/kgWpmmwvUcIzPV5Hbgk1zqhYGg+Dj7f7I82lYWiPOy/swggOrMIICk6ADAgECAhEA
9+XuYyRdDqQqpEhPtyq8FzANBgkqhkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXplY29tIEJWMR4w
HAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1z
dGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkwHhcNMDMwMTI5MTYyMDQ2WhcNMTYwMjAyMTYyMDQ2WjCBkTESMBAGA1UEChMJSXpl
Y29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAG
A1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlm
aWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQD1d6FaoPQA
ryNJ6kaXmYymfctZb3fQ9evlG1yQ/9G1UC7TxMg4CQgu+XHlKObac6pt1hQdq8hGAwujIjSBofy8
og2LEsOBv++C1NVCR3T2T5UYg4n+OrjQ+9ZDgFVEiZ3/SZsxiAB4+EVJCuBF8AuF3R76k3B4EQ7k
aD45iQSUZTp/kH5wfcseIyF8nskQkoaMwewUYYMCn+N5BNwr2JyoKD42pH8VP/HDp6Hfm5zEvkDv
iEW+iDTq7ybkwA4HZjtFPY08cChjLdYJ1h5JmZZidBrQZGfRYEK959B20vqYKQx/Bw/QQEFXZ2fP
6fP3dcTuWfTqPyBrDVsEwMSJsej7AgERMA0GCSqGSIb3DQEBBQUAA4IBAQCLt6PZessm/z3pSZ8H
VBKwLPzsxsGAfwgkMwo4NAb193WYQGRguu1JRqYyBgunXJj+MsvCgxr0Cbr7AvVSN4GKK/QJcfL4
rr24zUOdqt6dioMgk6gsn7ts2J8bbzK4+Jp6UJPco9IHhnTorqI5jZlNTZ43D4chALTqZH3HShJr
3vJZ/nUKyIpuP7ITYZR3x1S4RUyqIIcHkosAkaH8yyhqlUnKA5xFeHUkeFE86JyrM1c5lowvZETW
CWQkmy6Au6X1kbk60lpptDdPn15RUHnSYzwVeXkpmZEPhS7cs134nBRXB5RFDGmQDbcMH6E9xMvJ
DI/FUCvyJ1Z1F8+nciUHMIIDqzCCApOgAwIBAgIRAPfl7mMkXQ6kKqRIT7cqvBcwDQYJKoZIhvcN
AQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20u
Y29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNV
BAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAzMDEyOTE2MjA0NloX
DTE2MDIwMjE2MjA0NlowgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5m
b0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMC
TkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIDANBgkq
hkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA9XehWqD0AK8jSepGl5mMpn3LWW930PXr5RtckP/RtVAu
08TIOAkILvlx5Sjm2nOqbdYUHavIRgMLoyI0gaH8vKINixLDgb/vgtTVQkd09k+VGIOJ/jq40PvW
Q4BVRImd/0mbMYgAePhFSQrgRfALhd0e+pNweBEO5Gg+OYkElGU6f5B+cH3LHiMhfJ7JEJKGjMHs
FGGDAp/jeQTcK9icqCg+NqR/FT/xw6eh35ucxL5A74hFvog06u8m5MAOB2Y7RT2NPHAoYy3WCdYe
SZmWYnQa0GRn0WBCvefQdtL6mCkMfwcP0EBBV2dnz+nz93XE7ln06j8gaw1bBMDEibHo+wIBETAN
BgkqhkiG9w0BAQUFAAOCAQEAi7ej2XrLJv896UmfB1QSsCz87MbBgH8IJDMKODQG9fd1mEBkYLrt
SUamMgYLp1yY/jLLwoMa9Am6+wL1UjeBiiv0CXHy+K69uM1DnarenYqDIJOoLJ+7bNifG28yuPia
elCT3KPSB4Z06K6iOY2ZTU2eNw+HIQC06mR9x0oSa97yWf51CsiKbj+yE2GUd8dUuEVMqiCHB5KL
AJGh/MsoapVJygOcRXh1JHhRPOicqzNXOZaML2RE1glkJJsugLul9ZG5OtJaabQ3T59eUVB50mM8
FXl5KZmRD4Uu3LNd+JwUVweURQxpkA23DB+hPcTLyQyPxVAr8idWdRfPp3IlBzCCA6swggKToAMC
AQICEQD35e5jJF0OpCqkSE+3KrwXMA0GCSqGSIb3DQEBBQUAMIGRMRIwEAYDVQQKEwlJemVjb20g
QlYxHjAcBgkqhkiG9w0BCQEWD2luZm9AaXplY29tLmNvbTEMMAoGA1UECBMDbi9hMRIwEAYDVQQH
EwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSwwKgYDVQQDEyNJemVjb20gUm9vdCBDZXJ0aWZpY2F0
aW9uIEF1dGhvcml0eTAeFw0wMzAxMjkxNjIwNDZaFw0xNjAyMDIxNjIwNDZaMIGRMRIwEAYDVQQK
EwlJemVjb20gQlYxHjAcBgkqhkiG9w0BCQEWD2luZm9AaXplY29tLmNvbTEMMAoGA1UECBMDbi9h
MRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSwwKgYDVQQDEyNJemVjb20gUm9vdCBD
ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAPV3
oVqg9ACvI0nqRpeZjKZ9y1lvd9D16+UbXJD/0bVQLtPEyDgJCC75ceUo5tpzqm3WFB2ryEYDC6Mi
NIGh/LyiDYsSw4G/74LU1UJHdPZPlRiDif46uND71kOAVUSJnf9JmzGIAHj4RUkK4EXwC4XdHvqT
cHgRDuRoPjmJBJRlOn+QfnB9yx4jIXyeyRCShozB7BRhgwKf43kE3CvYnKgoPjakfxU/8cOnod+b
nMS+QO+IRb6INOrvJuTADgdmO0U9jTxwKGMt1gnWHkmZlmJ0GtBkZ9FgQr3n0HbS+pgpDH8HD9BA
QVdnZ8/p8/d1xO5Z9Oo/IGsNWwTAxImx6PsCAREwDQYJKoZIhvcNAQEFBQADggEBAIu3o9l6yyb/
PelJnwdUErAs/OzGwYB/CCQzCjg0BvX3dZhAZGC67UlGpjIGC6dcmP4yy8KDGvQJuvsC9VI3gYor
9Alx8viuvbjNQ52q3p2KgyCTqCyfu2zYnxtvMrj4mnpQk9yj0geGdOiuojmNmU1NnjcPhyEAtOpk
fcdKEmve8ln+dQrIim4/shNhlHfHVLhFTKoghweSiwCRofzLKGqVScoDnEV4dSR4UTzonKszVzmW
jC9kRNYJZCSbLoC7pfWRuTrSWmm0N0+fXlFQedJjPBV5eSmZkQ+FLtyzXficFFcHlEUMaZANtwwf
oT3Ey8kMj8VQK/InVnUXz6dyJQcwggOrMIICk6ADAgECAhEA9+XuYyRdDqQqpEhPtyq8FzANBgkq
hkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6
ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEs
MCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDMwMTI5MTYy
MDQ2WhcNMTYwMjAyMTYyMDQ2WjCBkTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkB
Fg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYD
VQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEg
MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQD1d6FaoPQAryNJ6kaXmYymfctZb3fQ9evlG1yQ
/9G1UC7TxMg4CQgu+XHlKObac6pt1hQdq8hGAwujIjSBofy8og2LEsOBv++C1NVCR3T2T5UYg4n+
OrjQ+9ZDgFVEiZ3/SZsxiAB4+EVJCuBF8AuF3R76k3B4EQ7kaD45iQSUZTp/kH5wfcseIyF8nskQ
koaMwewUYYMCn+N5BNwr2JyoKD42pH8VP/HDp6Hfm5zEvkDviEW+iDTq7ybkwA4HZjtFPY08cChj
LdYJ1h5JmZZidBrQZGfRYEK959B20vqYKQx/Bw/QQEFXZ2fP6fP3dcTuWfTqPyBrDVsEwMSJsej7
AgERMA0GCSqGSIb3DQEBBQUAA4IBAQCLt6PZessm/z3pSZ8HVBKwLPzsxsGAfwgkMwo4NAb193WY
QGRguu1JRqYyBgunXJj+MsvCgxr0Cbr7AvVSN4GKK/QJcfL4rr24zUOdqt6dioMgk6gsn7ts2J8b
bzK4+Jp6UJPco9IHhnTorqI5jZlNTZ43D4chALTqZH3HShJr3vJZ/nUKyIpuP7ITYZR3x1S4RUyq
IIcHkosAkaH8yyhqlUnKA5xFeHUkeFE86JyrM1c5lowvZETWCWQkmy6Au6X1kbk60lpptDdPn15R
UHnSYzwVeXkpmZEPhS7cs134nBRXB5RFDGmQDbcMH6E9xMvJDI/FUCvyJ1Z1F8+nciUHMIIDqzCC
ApOgAwIBAgIRAPfl7mMkXQ6kKqRIT7cqvBcwDQYJKoZIhvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6
ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQ
BgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MB4XDTAzMDEyOTE2MjA0NloXDTE2MDIwMjE2MjA0NlowgZExEjAQ
BgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQI
EwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBS
b290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKC
AQEA9XehWqD0AK8jSepGl5mMpn3LWW930PXr5RtckP/RtVAu08TIOAkILvlx5Sjm2nOqbdYUHavI
RgMLoyI0gaH8vKINixLDgb/vgtTVQkd09k+VGIOJ/jq40PvWQ4BVRImd/0mbMYgAePhFSQrgRfAL
hd0e+pNweBEO5Gg+OYkElGU6f5B+cH3LHiMhfJ7JEJKGjMHsFGGDAp/jeQTcK9icqCg+NqR/FT/x
w6eh35ucxL5A74hFvog06u8m5MAOB2Y7RT2NPHAoYy3WCdYeSZmWYnQa0GRn0WBCvefQdtL6mCkM
fwcP0EBBV2dnz+nz93XE7ln06j8gaw1bBMDEibHo+wIBETANBgkqhkiG9w0BAQUFAAOCAQEAi7ej
2XrLJv896UmfB1QSsCz87MbBgH8IJDMKODQG9fd1mEBkYLrtSUamMgYLp1yY/jLLwoMa9Am6+wL1
UjeBiiv0CXHy+K69uM1DnarenYqDIJOoLJ+7bNifG28yuPiaelCT3KPSB4Z06K6iOY2ZTU2eNw+H
IQC06mR9x0oSa97yWf51CsiKbj+yE2GUd8dUuEVMqiCHB5KLAJGh/MsoapVJygOcRXh1JHhRPOic
qzNXOZaML2RE1glkJJsugLul9ZG5OtJaabQ3T59eUVB50mM8FXl5KZmRD4Uu3LNd+JwUVweURQxp
kA23DB+hPcTLyQyPxVAr8idWdRfPp3IlBzCCA6swggKToAMCAQICEQD35e5jJF0OpCqkSE+3KrwX
MA0GCSqGSIb3DQEBBQUAMIGRMRIwEAYDVQQKEwlJemVjb20gQlYxHjAcBgkqhkiG9w0BCQEWD2lu
Zm9AaXplY29tLmNvbTEMMAoGA1UECBMDbi9hMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYT
Ak5MMSwwKgYDVQQDEyNJemVjb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMzAx
MjkxNjIwNDZaFw0xNjAyMDIxNjIwNDZaMIGRMRIwEAYDVQQKEwlJemVjb20gQlYxHjAcBgkqhkiG
9w0BCQEWD2luZm9AaXplY29tLmNvbTEMMAoGA1UECBMDbi9hMRIwEAYDVQQHEwlBbXN0ZXJkYW0x
CzAJBgNVBAYTAk5MMSwwKgYDVQQDEyNJemVjb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
eTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAPV3oVqg9ACvI0nqRpeZjKZ9y1lvd9D1
6+UbXJD/0bVQLtPEyDgJCC75ceUo5tpzqm3WFB2ryEYDC6MiNIGh/LyiDYsSw4G/74LU1UJHdPZP
lRiDif46uND71kOAVUSJnf9JmzGIAHj4RUkK4EXwC4XdHvqTcHgRDuRoPjmJBJRlOn+QfnB9yx4j
IXyeyRCShozB7BRhgwKf43kE3CvYnKgoPjakfxU/8cOnod+bnMS+QO+IRb6INOrvJuTADgdmO0U9
jTxwKGMt1gnWHkmZlmJ0GtBkZ9FgQr3n0HbS+pgpDH8HD9BAQVdnZ8/p8/d1xO5Z9Oo/IGsNWwTA
xImx6PsCAREwDQYJKoZIhvcNAQEFBQADggEBAIu3o9l6yyb/PelJnwdUErAs/OzGwYB/CCQzCjg0
BvX3dZhAZGC67UlGpjIGC6dcmP4yy8KDGvQJuvsC9VI3gYor9Alx8viuvbjNQ52q3p2KgyCTqCyf
u2zYnxtvMrj4mnpQk9yj0geGdOiuojmNmU1NnjcPhyEAtOpkfcdKEmve8ln+dQrIim4/shNhlHfH
VLhFTKoghweSiwCRofzLKGqVScoDnEV4dSR4UTzonKszVzmWjC9kRNYJZCSbLoC7pfWRuTrSWmm0
N0+fXlFQedJjPBV5eSmZkQ+FLtyzXficFFcHlEUMaZANtwwfoT3Ey8kMj8VQK/InVnUXz6dyJQcw
ggOrMIICk6ADAgECAhEA9+XuYyRdDqQqpEhPtyq8FzANBgkqhkiG9w0BAQUFADCBkTESMBAGA1UE
ChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24v
YTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3Qg
Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDMwMTI5MTYyMDQ2WhcNMTYwMjAyMTYyMDQ2WjCB
kTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZIhvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAK
BgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXpl
Y29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAw
ggEIAoIBAQD1d6FaoPQAryNJ6kaXmYymfctZb3fQ9evlG1yQ/9G1UC7TxMg4CQgu+XHlKObac6pt
1hQdq8hGAwujIjSBofy8og2LEsOBv++C1NVCR3T2T5UYg4n+OrjQ+9ZDgFVEiZ3/SZsxiAB4+EVJ
CuBF8AuF3R76k3B4EQ7kaD45iQSUZTp/kH5wfcseIyF8nskQkoaMwewUYYMCn+N5BNwr2JyoKD42
pH8VP/HDp6Hfm5zEvkDviEW+iDTq7ybkwA4HZjtFPY08cChjLdYJ1h5JmZZidBrQZGfRYEK959B2
0vqYKQx/Bw/QQEFXZ2fP6fP3dcTuWfTqPyBrDVsEwMSJsej7AgERMA0GCSqGSIb3DQEBBQUAA4IB
AQCLt6PZessm/z3pSZ8HVBKwLPzsxsGAfwgkMwo4NAb193WYQGRguu1JRqYyBgunXJj+MsvCgxr0
Cbr7AvVSN4GKK/QJcfL4rr24zUOdqt6dioMgk6gsn7ts2J8bbzK4+Jp6UJPco9IHhnTorqI5jZlN
TZ43D4chALTqZH3HShJr3vJZ/nUKyIpuP7ITYZR3x1S4RUyqIIcHkosAkaH8yyhqlUnKA5xFeHUk
eFE86JyrM1c5lowvZETWCWQkmy6Au6X1kbk60lpptDdPn15RUHnSYzwVeXkpmZEPhS7cs134nBRX
B5RFDGmQDbcMH6E9xMvJDI/FUCvyJ1Z1F8+nciUHMIIDqzCCApOgAwIBAgIRAPfl7mMkXQ6kKqRI
T7cqvBcwDQYJKoZIhvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJ
ARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkG
A1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4X
DTAzMDEyOTE2MjA0NloXDTE2MDIwMjE2MjA0NlowgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwG
CSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3Rl
cmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA9XehWqD0AK8jSepGl5mMpn3L
WW930PXr5RtckP/RtVAu08TIOAkILvlx5Sjm2nOqbdYUHavIRgMLoyI0gaH8vKINixLDgb/vgtTV
Qkd09k+VGIOJ/jq40PvWQ4BVRImd/0mbMYgAePhFSQrgRfALhd0e+pNweBEO5Gg+OYkElGU6f5B+
cH3LHiMhfJ7JEJKGjMHsFGGDAp/jeQTcK9icqCg+NqR/FT/xw6eh35ucxL5A74hFvog06u8m5MAO
B2Y7RT2NPHAoYy3WCdYeSZmWYnQa0GRn0WBCvefQdtL6mCkMfwcP0EBBV2dnz+nz93XE7ln06j8g
aw1bBMDEibHo+wIBETANBgkqhkiG9w0BAQUFAAOCAQEAi7ej2XrLJv896UmfB1QSsCz87MbBgH8I
JDMKODQG9fd1mEBkYLrtSUamMgYLp1yY/jLLwoMa9Am6+wL1UjeBiiv0CXHy+K69uM1DnarenYqD
IJOoLJ+7bNifG28yuPiaelCT3KPSB4Z06K6iOY2ZTU2eNw+HIQC06mR9x0oSa97yWf51CsiKbj+y
E2GUd8dUuEVMqiCHB5KLAJGh/MsoapVJygOcRXh1JHhRPOicqzNXOZaML2RE1glkJJsugLul9ZG5
OtJaabQ3T59eUVB50mM8FXl5KZmRD4Uu3LNd+JwUVweURQxpkA23DB+hPcTLyQyPxVAr8idWdRfP
p3IlBzCCA6swggKToAMCAQICEQD35e5jJF0OpCqkSE+3KrwXMA0GCSqGSIb3DQEBBQUAMIGRMRIw
EAYDVQQKEwlJemVjb20gQlYxHjAcBgkqhkiG9w0BCQEWD2luZm9AaXplY29tLmNvbTEMMAoGA1UE
CBMDbi9hMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSwwKgYDVQQDEyNJemVjb20g
Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMzAxMjkxNjIwNDZaFw0xNjAyMDIxNjIw
NDZaMIGRMRIwEAYDVQQKEwlJemVjb20gQlYxHjAcBgkqhkiG9w0BCQEWD2luZm9AaXplY29tLmNv
bTEMMAoGA1UECBMDbi9hMRIwEAYDVQQHEwlBbXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSwwKgYDVQQD
EyNJemVjb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQAD
ggENADCCAQgCggEBAPV3oVqg9ACvI0nqRpeZjKZ9y1lvd9D16+UbXJD/0bVQLtPEyDgJCC75ceUo
5tpzqm3WFB2ryEYDC6MiNIGh/LyiDYsSw4G/74LU1UJHdPZPlRiDif46uND71kOAVUSJnf9JmzGI
AHj4RUkK4EXwC4XdHvqTcHgRDuRoPjmJBJRlOn+QfnB9yx4jIXyeyRCShozB7BRhgwKf43kE3CvY
nKgoPjakfxU/8cOnod+bnMS+QO+IRb6INOrvJuTADgdmO0U9jTxwKGMt1gnWHkmZlmJ0GtBkZ9Fg
Qr3n0HbS+pgpDH8HD9BAQVdnZ8/p8/d1xO5Z9Oo/IGsNWwTAxImx6PsCAREwDQYJKoZIhvcNAQEF
BQADggEBAIu3o9l6yyb/PelJnwdUErAs/OzGwYB/CCQzCjg0BvX3dZhAZGC67UlGpjIGC6dcmP4y
y8KDGvQJuvsC9VI3gYor9Alx8viuvbjNQ52q3p2KgyCTqCyfu2zYnxtvMrj4mnpQk9yj0geGdOiu
ojmNmU1NnjcPhyEAtOpkfcdKEmve8ln+dQrIim4/shNhlHfHVLhFTKoghweSiwCRofzLKGqVScoD
nEV4dSR4UTzonKszVzmWjC9kRNYJZCSbLoC7pfWRuTrSWmm0N0+fXlFQedJjPBV5eSmZkQ+FLtyz
XficFFcHlEUMaZANtwwfoT3Ey8kMj8VQK/InVnUXz6dyJQcwggP8MIIC5KADAgECAhEAkRzEQl+3
lUGfoi109w5blTANBgkqhkiG9w0BAQUFADCBkTESMBAGA1UEChMJSXplY29tIEJWMR4wHAYJKoZI
hvcNAQkBFg9pbmZvQGl6ZWNvbS5jb20xDDAKBgNVBAgTA24vYTESMBAGA1UEBxMJQW1zdGVyZGFt
MQswCQYDVQQGEwJOTDEsMCoGA1UEAxMjSXplY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
dHkwHhcNMDMwMTI5MTYyMTI4WhcNMTQwMjAyMTYyMTI4WjCBjjESMBAGA1UEChMJSXplY29tIEJW
MR8wHQYJKoZIhvcNAQkBFhBpbmZvQGl6ZW1haWwuY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcT
CUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxKDAmBgNVBAMTH0l6ZW1haWwgQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCo/rB7lTHtws4xQlQSA1DS
6V+1ghSjfDLiWfGqiTB7wOWOPge5jnSzV355jW65X2MNJTFYlXiyLM7627XtDlYfeIsZm0H8cHEl
RJoLJFGFHDkQ1H+YOUg/iTXTsRcufTvwP3ywbKe7AGdmi3pWXVWB6gJ81AtU1oJ7K+h/g3OUqh79
+Kd/zJuEAmfQrggDdeb335AW0ckOtyQ8FiISe0Op1wn7aOqvn0jKNDnnj5glsptTaBMXU54uQHEo
IrolZeyQUxvaRcfYG4UFxhMlfo9Dfp5WaJxasfLEFOmIOEmmJdbsMTyYFzgLo75Zd2SrHh4VuuoM
H22vPl5vOX6NFJsZAgERo1IwUDALBgNVHQ8EBAMCAQYwDwYDVR0TBAgwBgEB/wIBADARBglghkgB
hvhCAQEEBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUA
A4IBAQDxyi/r3gUlGF1xaGUMJ/9n9LCGW1brfpanQaZWmMGHr0l3G8eAysw7heZ8HlAG7mZcuzeR
maPNP+orJPzu8SgVkoMUajVXJf4n1FXbcDW2KrwsUjJ+dAD8qDCUoNXJin/UjSkS3+Bkl7MmcxDv
C6mpsySah0ggqWotP0z+/8WKXY0nDFu5PueyshCZxfvHISr9eoRlljZlVx1TNVslDmqG42k+FR+r
UJg+T8rgXpyieE6eusUB3Q9AorhksqFYfYy3oMetSVdn9ybxwfBK88GtJkH+KWNIi9onG5AEEIDO
wUcMR4bOZbexRAda2BSLcL0xdNY1S9Vb0xR7EfYkRiTPMIID/DCCAuSgAwIBAgIRAJEcxEJft5VB
n6ItdPcOW5UwDQYJKoZIhvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3
DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTEL
MAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
MB4XDTAzMDEyOTE2MjEyOFoXDTE0MDIwMjE2MjEyOFowgY4xEjAQBgNVBAoTCUl6ZWNvbSBCVjEf
MB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNvbTEMMAoGA1UECBMDbi9hMRIwEAYDVQQHEwlB
bXN0ZXJkYW0xCzAJBgNVBAYTAk5MMSgwJgYDVQQDEx9JemVtYWlsIENlcnRpZmljYXRpb24gQXV0
aG9yaXR5MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAqP6we5Ux7cLOMUJUEgNQ0ulf
tYIUo3wy4lnxqokwe8Dljj4HuY50s1d+eY1uuV9jDSUxWJV4sizO+tu17Q5WH3iLGZtB/HBxJUSa
CyRRhRw5ENR/mDlIP4k107EXLn078D98sGynuwBnZot6Vl1VgeoCfNQLVNaCeyvof4NzlKoe/fin
f8ybhAJn0K4IA3Xm99+QFtHJDrckPBYiEntDqdcJ+2jqr59IyjQ554+YJbKbU2gTF1OeLkBxKCK6
JWXskFMb2kXH2BuFBcYTJX6PQ36eVmicWrHyxBTpiDhJpiXW7DE8mBc4C6O+WXdkqx4eFbrqDB9t
rz5ebzl+jRSbGQIBEaNSMFAwCwYDVR0PBAQDAgEGMA8GA1UdEwQIMAYBAf8CAQAwEQYJYIZIAYb4
QgEBBAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjANBgkqhkiG9w0BAQUFAAOC
AQEA8cov694FJRhdcWhlDCf/Z/SwhltW636Wp0GmVpjBh69JdxvHgMrMO4XmfB5QBu5mXLs3kZmj
zT/qKyT87vEoFZKDFGo1VyX+J9RV23A1tiq8LFIyfnQA/KgwlKDVyYp/1I0pEt/gZJezJnMQ7wup
qbMkmodIIKlqLT9M/v/Fil2NJwxbuT7nsrIQmcX7xyEq/XqEZZY2ZVcdUzVbJQ5qhuNpPhUfq1CY
Pk/K4F6conhOnrrFAd0PQKK4ZLKhWH2Mt6DHrUlXZ/cm8cHwSvPBrSZB/iljSIvaJxuQBBCAzsFH
DEeGzmW3sUQHWtgUi3C9MXTWNUvVW9MUexH2JEYkzzCCBA0wggL1oAMCAQICEGbpGkSTndNOOyaq
KOfDmjIwDQYJKoZIhvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJ
ARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkG
A1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4X
DTAzMTAwOTA5MzkyMloXDTE0MTAxMzA5MzkyMlowgYMxEjAQBgNVBAoTCUl6ZWNvbSBCVjEfMB0G
CSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNvbTEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAG
A1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDETMBEGA1UEAxMKSXplbWFpbCBDQTCCASAwDQYJ
KoZIhvcNAQEBBQADggENADCCAQgCggEBAJOSNF+ZX+6o5V+5PIlkc0cYfgR60EQk/lnN3pcdjhdQ
ZCD6WIMa324pPc9vgINzdsmun4daEPN13MZz+zrh2k/3jyhRFcwaN9Kan0nfkLhhEaffYgJ4JcXk
w8LWrXfOryDAe/18JWba246NL9xQuLxO86AR5zS+Q/iI8RW3BAWlWbzCU+3/EmUoczNt8q55V1WH
GguAuh/adnMmn2oNSlXtfq0lIKXnyrdesMVUBbkyTpdbVYhSXYhpQAjsFL0NG7oXApmObmh+aMDq
JRIzVI38txeIj0490A0v5Q+CnPs3gR0zSHuIj8jdRtdi7thkJfjQGO7eSjNMSt7Lw/i9fF8CARGj
bzBtMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly93d3cuaXplY29tLmNvbS9pemVtYWlsL2l6ZXJv
b3QuY3JsMAsGA1UdDwQEAwIBBjAPBgNVHRMECDAGAQH/AgEBMBEGCWCGSAGG+EIBAQQEAwIBBjAN
BgkqhkiG9w0BAQUFAAOCAQEAn0lWlZfWnCuIqo5zsIT482QLsux4W162jSu2ZdGQJgi4A5VhnvrY
z0zieY4OpojtbuIymP0+PlpbWLdZuDnKkjU/GbF1gOLw2WevQa+4yXjh8K/fVGbUyyUsDbVEYHg2
9N/dF4gsojCYBf8kZT6zwQaF7rcmeziJiMqWMraxw6v/3rFp7TGYJLGJOl7yMNMi762yIhSc0L6U
fBdyNN1xrtcRLMFnf9TQPg9dyWC7+CellyykeykfNaqn5I/SXbN9Qu0da5egGaZ1Rx7WhgEvEox0
G4K4fz7SxUwhUxXGbwL02sD6Rkb8WZQ4GQyPk0H+dBCWOO8x3VDHIVbkp2NlATCCBA0wggL1oAMC
AQICEGbpGkSTndNOOyaqKOfDmjIwDQYJKoZIhvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNvbSBC
VjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcT
CUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRp
b24gQXV0aG9yaXR5MB4XDTAzMTAwOTA5MzkyMloXDTE0MTAxMzA5MzkyMlowgYMxEjAQBgNVBAoT
CUl6ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNvbTEWMBQGA1UECBMNTm9v
cmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDETMBEGA1UEAxMKSXpl
bWFpbCBDQTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAJOSNF+ZX+6o5V+5PIlkc0cY
fgR60EQk/lnN3pcdjhdQZCD6WIMa324pPc9vgINzdsmun4daEPN13MZz+zrh2k/3jyhRFcwaN9Ka
n0nfkLhhEaffYgJ4JcXkw8LWrXfOryDAe/18JWba246NL9xQuLxO86AR5zS+Q/iI8RW3BAWlWbzC
U+3/EmUoczNt8q55V1WHGguAuh/adnMmn2oNSlXtfq0lIKXnyrdesMVUBbkyTpdbVYhSXYhpQAjs
FL0NG7oXApmObmh+aMDqJRIzVI38txeIj0490A0v5Q+CnPs3gR0zSHuIj8jdRtdi7thkJfjQGO7e
SjNMSt7Lw/i9fF8CARGjbzBtMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly93d3cuaXplY29tLmNv
bS9pemVtYWlsL2l6ZXJvb3QuY3JsMAsGA1UdDwQEAwIBBjAPBgNVHRMECDAGAQH/AgEBMBEGCWCG
SAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAn0lWlZfWnCuIqo5zsIT482QLsux4W162
jSu2ZdGQJgi4A5VhnvrYz0zieY4OpojtbuIymP0+PlpbWLdZuDnKkjU/GbF1gOLw2WevQa+4yXjh
8K/fVGbUyyUsDbVEYHg29N/dF4gsojCYBf8kZT6zwQaF7rcmeziJiMqWMraxw6v/3rFp7TGYJLGJ
Ol7yMNMi762yIhSc0L6UfBdyNN1xrtcRLMFnf9TQPg9dyWC7+CellyykeykfNaqn5I/SXbN9Qu0d
a5egGaZ1Rx7WhgEvEox0G4K4fz7SxUwhUxXGbwL02sD6Rkb8WZQ4GQyPk0H+dBCWOO8x3VDHIVbk
p2NlATCCBA0wggL1oAMCAQICEGbpGkSTndNOOyaqKOfDmjIwDQYJKoZIhvcNAQEFBQAwgZExEjAQ
BgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQI
EwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBS
b290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAzMTAwOTA5MzkyMloXDTE0MTAxMzA5Mzky
MlowgYMxEjAQBgNVBAoTCUl6ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNv
bTEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJO
TDETMBEGA1UEAxMKSXplbWFpbCBDQTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAJOS
NF+ZX+6o5V+5PIlkc0cYfgR60EQk/lnN3pcdjhdQZCD6WIMa324pPc9vgINzdsmun4daEPN13MZz
+zrh2k/3jyhRFcwaN9Kan0nfkLhhEaffYgJ4JcXkw8LWrXfOryDAe/18JWba246NL9xQuLxO86AR
5zS+Q/iI8RW3BAWlWbzCU+3/EmUoczNt8q55V1WHGguAuh/adnMmn2oNSlXtfq0lIKXnyrdesMVU
BbkyTpdbVYhSXYhpQAjsFL0NG7oXApmObmh+aMDqJRIzVI38txeIj0490A0v5Q+CnPs3gR0zSHuI
j8jdRtdi7thkJfjQGO7eSjNMSt7Lw/i9fF8CARGjbzBtMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6
Ly93d3cuaXplY29tLmNvbS9pemVtYWlsL2l6ZXJvb3QuY3JsMAsGA1UdDwQEAwIBBjAPBgNVHRME
CDAGAQH/AgEBMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAn0lWlZfWnCuI
qo5zsIT482QLsux4W162jSu2ZdGQJgi4A5VhnvrYz0zieY4OpojtbuIymP0+PlpbWLdZuDnKkjU/
GbF1gOLw2WevQa+4yXjh8K/fVGbUyyUsDbVEYHg29N/dF4gsojCYBf8kZT6zwQaF7rcmeziJiMqW
Mraxw6v/3rFp7TGYJLGJOl7yMNMi762yIhSc0L6UfBdyNN1xrtcRLMFnf9TQPg9dyWC7+Cellyyk
eykfNaqn5I/SXbN9Qu0da5egGaZ1Rx7WhgEvEox0G4K4fz7SxUwhUxXGbwL02sD6Rkb8WZQ4GQyP
k0H+dBCWOO8x3VDHIVbkp2NlATCCBA0wggL1oAMCAQICEGbpGkSTndNOOyaqKOfDmjIwDQYJKoZI
hvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVj
b20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAq
BgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAzMTAwOTA5Mzky
MloXDTE0MTAxMzA5MzkyMlowgYMxEjAQBgNVBAoTCUl6ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQ
aW5mb0BpemVtYWlsLmNvbTEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVy
ZGFtMQswCQYDVQQGEwJOTDETMBEGA1UEAxMKSXplbWFpbCBDQTCCASAwDQYJKoZIhvcNAQEBBQAD
ggENADCCAQgCggEBAJOSNF+ZX+6o5V+5PIlkc0cYfgR60EQk/lnN3pcdjhdQZCD6WIMa324pPc9v
gINzdsmun4daEPN13MZz+zrh2k/3jyhRFcwaN9Kan0nfkLhhEaffYgJ4JcXkw8LWrXfOryDAe/18
JWba246NL9xQuLxO86AR5zS+Q/iI8RW3BAWlWbzCU+3/EmUoczNt8q55V1WHGguAuh/adnMmn2oN
SlXtfq0lIKXnyrdesMVUBbkyTpdbVYhSXYhpQAjsFL0NG7oXApmObmh+aMDqJRIzVI38txeIj049
0A0v5Q+CnPs3gR0zSHuIj8jdRtdi7thkJfjQGO7eSjNMSt7Lw/i9fF8CARGjbzBtMDoGA1UdHwQz
MDEwL6AtoCuGKWh0dHA6Ly93d3cuaXplY29tLmNvbS9pemVtYWlsL2l6ZXJvb3QuY3JsMAsGA1Ud
DwQEAwIBBjAPBgNVHRMECDAGAQH/AgEBMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQUF
AAOCAQEAn0lWlZfWnCuIqo5zsIT482QLsux4W162jSu2ZdGQJgi4A5VhnvrYz0zieY4OpojtbuIy
mP0+PlpbWLdZuDnKkjU/GbF1gOLw2WevQa+4yXjh8K/fVGbUyyUsDbVEYHg29N/dF4gsojCYBf8k
ZT6zwQaF7rcmeziJiMqWMraxw6v/3rFp7TGYJLGJOl7yMNMi762yIhSc0L6UfBdyNN1xrtcRLMFn
f9TQPg9dyWC7+CellyykeykfNaqn5I/SXbN9Qu0da5egGaZ1Rx7WhgEvEox0G4K4fz7SxUwhUxXG
bwL02sD6Rkb8WZQ4GQyPk0H+dBCWOO8x3VDHIVbkp2NlATCCBA0wggL1oAMCAQICEGbpGkSTndNO
OyaqKOfDmjIwDQYJKoZIhvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3
DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTEL
MAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
MB4XDTAzMTAwOTA5MzkyMloXDTE0MTAxMzA5MzkyMlowgYMxEjAQBgNVBAoTCUl6ZWNvbSBCVjEf
MB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNvbTEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDES
MBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDETMBEGA1UEAxMKSXplbWFpbCBDQTCCASAw
DQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAJOSNF+ZX+6o5V+5PIlkc0cYfgR60EQk/lnN3pcd
jhdQZCD6WIMa324pPc9vgINzdsmun4daEPN13MZz+zrh2k/3jyhRFcwaN9Kan0nfkLhhEaffYgJ4
JcXkw8LWrXfOryDAe/18JWba246NL9xQuLxO86AR5zS+Q/iI8RW3BAWlWbzCU+3/EmUoczNt8q55
V1WHGguAuh/adnMmn2oNSlXtfq0lIKXnyrdesMVUBbkyTpdbVYhSXYhpQAjsFL0NG7oXApmObmh+
aMDqJRIzVI38txeIj0490A0v5Q+CnPs3gR0zSHuIj8jdRtdi7thkJfjQGO7eSjNMSt7Lw/i9fF8C
ARGjbzBtMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly93d3cuaXplY29tLmNvbS9pemVtYWlsL2l6
ZXJvb3QuY3JsMAsGA1UdDwQEAwIBBjAPBgNVHRMECDAGAQH/AgEBMBEGCWCGSAGG+EIBAQQEAwIB
BjANBgkqhkiG9w0BAQUFAAOCAQEAn0lWlZfWnCuIqo5zsIT482QLsux4W162jSu2ZdGQJgi4A5Vh
nvrYz0zieY4OpojtbuIymP0+PlpbWLdZuDnKkjU/GbF1gOLw2WevQa+4yXjh8K/fVGbUyyUsDbVE
YHg29N/dF4gsojCYBf8kZT6zwQaF7rcmeziJiMqWMraxw6v/3rFp7TGYJLGJOl7yMNMi762yIhSc
0L6UfBdyNN1xrtcRLMFnf9TQPg9dyWC7+CellyykeykfNaqn5I/SXbN9Qu0da5egGaZ1Rx7WhgEv
Eox0G4K4fz7SxUwhUxXGbwL02sD6Rkb8WZQ4GQyPk0H+dBCWOO8x3VDHIVbkp2NlATCCBA0wggL1
oAMCAQICEGbpGkSTndNOOyaqKOfDmjIwDQYJKoZIhvcNAQEFBQAwgZExEjAQBgNVBAoTCUl6ZWNv
bSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYDVQQIEwNuL2ExEjAQBgNV
BAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNvbSBSb290IENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5MB4XDTAzMTAwOTA5MzkyMloXDTE0MTAxMzA5MzkyMlowgYMxEjAQBgNV
BAoTCUl6ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWlsLmNvbTEWMBQGA1UECBMN
Tm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQGEwJOTDETMBEGA1UEAxMK
SXplbWFpbCBDQTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEBAJOSNF+ZX+6o5V+5PIlk
c0cYfgR60EQk/lnN3pcdjhdQZCD6WIMa324pPc9vgINzdsmun4daEPN13MZz+zrh2k/3jyhRFcwa
N9Kan0nfkLhhEaffYgJ4JcXkw8LWrXfOryDAe/18JWba246NL9xQuLxO86AR5zS+Q/iI8RW3BAWl
WbzCU+3/EmUoczNt8q55V1WHGguAuh/adnMmn2oNSlXtfq0lIKXnyrdesMVUBbkyTpdbVYhSXYhp
QAjsFL0NG7oXApmObmh+aMDqJRIzVI38txeIj0490A0v5Q+CnPs3gR0zSHuIj8jdRtdi7thkJfjQ
GO7eSjNMSt7Lw/i9fF8CARGjbzBtMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly93d3cuaXplY29t
LmNvbS9pemVtYWlsL2l6ZXJvb3QuY3JsMAsGA1UdDwQEAwIBBjAPBgNVHRMECDAGAQH/AgEBMBEG
CWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAn0lWlZfWnCuIqo5zsIT482QLsux4
W162jSu2ZdGQJgi4A5VhnvrYz0zieY4OpojtbuIymP0+PlpbWLdZuDnKkjU/GbF1gOLw2WevQa+4
yXjh8K/fVGbUyyUsDbVEYHg29N/dF4gsojCYBf8kZT6zwQaF7rcmeziJiMqWMraxw6v/3rFp7TGY
JLGJOl7yMNMi762yIhSc0L6UfBdyNN1xrtcRLMFnf9TQPg9dyWC7+CellyykeykfNaqn5I/SXbN9
Qu0da5egGaZ1Rx7WhgEvEox0G4K4fz7SxUwhUxXGbwL02sD6Rkb8WZQ4GQyPk0H+dBCWOO8x3VDH
IVbkp2NlATCCBA0wggL1oAMCAQICEGbpGkSTndNOOyaqKOfDmjIwDQYJKoZIhvcNAQEFBQAwgZEx
EjAQBgNVBAoTCUl6ZWNvbSBCVjEeMBwGCSqGSIb3DQEJARYPaW5mb0BpemVjb20uY29tMQwwCgYD
VQQIEwNuL2ExEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxLDAqBgNVBAMTI0l6ZWNv
bSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAzMTAwOTA5MzkyMloXDTE0MTAxMzA5
MzkyMlowgYMxEjAQBgNVBAoTCUl6ZWNvbSBCVjEfMB0GCSqGSIb3DQEJARYQaW5mb0BpemVtYWls
LmNvbTEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQswCQYDVQQG
EwJOTDETMBEGA1UEAxMKSXplbWFpbCBDQTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEB
AJOSNF+ZX+6o5V+5PIlkc0cYfgR60EQk/lnN3pcdjhdQZCD6WIMa324pPc9vgINzdsmun4daEPN1
3MZz+zrh2k/3jyhRFcwaN9Kan0nfkLhhEaffYgJ4JcXkw8LWrXfOryDAe/18JWba246NL9xQuLxO
86AR5zS+Q/iI8RW3BAWlWbzCU+3/EmUoczNt8q55V1WHGguAuh/adnMmn2oNSlXtfq0lIKXnyrde
sMVUBbkyTpdbVYhSXYhpQAjsFL0NG7oXApmObmh+aMDqJRIzVI38txeIj0490A0v5Q+CnPs3gR0z
SHuIj8jdRtdi7thkJfjQGO7eSjNMSt7Lw/i9fF8CARGjbzBtMDoGA1UdHwQzMDEwL6AtoCuGKWh0
dHA6Ly93d3cuaXplY29tLmNvbS9pemVtYWlsL2l6ZXJvb3QuY3JsMAsGA1UdDwQEAwIBBjAPBgNV
HRMECDAGAQH/AgEBMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAn0lWlZfW
nCuIqo5zsIT482QLsux4W162jSu2ZdGQJgi4A5VhnvrYz0zieY4OpojtbuIymP0+PlpbWLdZuDnK
kjU/GbF1gOLw2WevQa+4yXjh8K/fVGbUyyUsDbVEYHg29N/dF4gsojCYBf8kZT6zwQaF7rcmeziJ
iMqWMraxw6v/3rFp7TGYJLGJOl7yMNMi762yIhSc0L6UfBdyNN1xrtcRLMFnf9TQPg9dyWC7+Cel
lyykeykfNaqn5I/SXbN9Qu0da5egGaZ1Rx7WhgEvEox0G4K4fz7SxUwhUxXGbwL02sD6Rkb8WZQ4
GQyPk0H+dBCWOO8x3VDHIVbkp2NlATCCBKYwggQPoAMCAQICEEm37F5FJz8qGOv9ksJlf90wDQYJ
KoZIhvcNAQEEBQAwgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2ln
biBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBB
IEluY29ycC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAx
IENBIEluZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwHhcNMDQwMTA2
MDAwMDAwWhcNMDUwMTA4MjM1OTU5WjCCARgxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYD
VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3Jl
cG9zaXRvcnkvUlBBIEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk4MR4wHAYDVQQLExVQZXJz
b25hIE5vdCBWYWxpZGF0ZWQxNDAyBgNVBAsTK0RpZ2l0YWwgSUQgQ2xhc3MgMSAtIE1pY3Jvc29m
dCBGdWxsIFNlcnZpY2UxGTAXBgNVBAMUEENocmlzdGluZSBLYXJtYW4xIzAhBgkqhkiG9w0BCQEW
FGNocmlzdGluZUBpemVjb20uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDt1WIJAFJ4
IvN6Xa7sprhg59d67dhehDP+dB5wTX9ETUMx1SeQKhnapWJW/S4AeE679Ltzfkg4IlxraYhmicz3
VG0t36GOMCJK67VkNI5HAaO6SbT/Pc9qLvkZJdJSmkAcwrr47A1RJtxhjX4LSTWzDBDYnkVcdpVa
K/xHNIpyBQIDAQABo4IBODCCATQwCQYDVR0TBAIwADCBrAYDVR0gBIGkMIGhMIGeBgtghkgBhvhF
AQcBATCBjjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzBiBggrBgEF
BQcCAjBWMBUWDlZlcmlTaWduLCBJbmMuMAMCAQEaPVZlcmlTaWduJ3MgQ1BTIGluY29ycC4gYnkg
cmVmZXJlbmNlIGxpYWIuIGx0ZC4gKGMpOTcgVmVyaVNpZ24wEQYJYIZIAYb4QgEBBAQDAgeAMDAG
CmCGSAGG+EUBBgcEIhYgNDFiZDdiMGMxNTk3ZmE1ZmI5ZWQ5NTU0NDMyYmJhMTQwMwYDVR0fBCww
KjAooCagJIYiaHR0cDovL2NybC52ZXJpc2lnbi5jb20vY2xhc3MxLmNybDANBgkqhkiG9w0BAQQF
AAOBgQAZBYHKvkBY4BpxiDlPU0Ej9YPvFffrT2Jm8GuLUhaiNseE0g6tDi+fhdPj8x8Wm3zyUy1U
H227njkAjJN6hkhKCg/vogQbgyIF7ORsQya30bHpoX8yG53KNMQE8S+qlKZRPLWKOcg62wyezjRs
SzvsINsp9J7i01gxO2Aj/hhplDCCBMgwggQxoAMCAQICBAIAApswDQYJKoZIhvcNAQEFBQAwRTEL
MAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEcMBoGA1UEAxMTR1RFIEN5YmVy
VHJ1c3QgUm9vdDAeFw0wMjA4MjcxOTA3MDBaFw0wNjAyMjMyMzU5MDBaMIHcMQswCQYDVQQGEwJH
QjEXMBUGA1UEChMOQ29tb2RvIExpbWl0ZWQxHTAbBgNVBAsTFENvbW9kbyBUcnVzdCBOZXR3b3Jr
MUYwRAYDVQQLEz1UZXJtcyBhbmQgQ29uZGl0aW9ucyBvZiB1c2U6IGh0dHA6Ly93d3cuY29tb2Rv
Lm5ldC9yZXBvc2l0b3J5MR8wHQYDVQQLExYoYykyMDAyIENvbW9kbyBMaW1pdGVkMSwwKgYDVQQD
EyNDb21vZG8gQ2xhc3MgMyBTZWN1cml0eSBTZXJ2aWNlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALEeYGbgQwaeJ2gvApnHiN+F69tl7NRJZ3ouH83cFSzWHqzynUY6XQPAPQUs
WhgNWSVCo3LArSjSrTwx4ksH+16Y66gz1mmyWp7qLEmmJi5M8MyrQNKq3ixOgbW6e7hc0Hu9R/XA
BtLA5NdH22JAr6EcUQMY27jQu5THPHnqJWSuJhnhPGZHZ5Kde1WrNMJ1btknjp2M8B3aa5yGBKKQ
teqdjM/7OUOo8BgtnvcZECycL+HQsf/XWcTNQDL514HbURzyQVKBQbGDuMgJ/pkiR4BPnMuu4CjV
HKxwR7Alq6E4Qhdr+mpujV95+PYpAzCkbkbUhV2qQJk4dtseAX3lDKUCAwEAAaOCAacwggGjMEUG
A1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVibGljLXRydXN0LmNvbS9jZ2ktYmluL0NSTC8y
MDA2L2NkcC5jcmwwHQYDVR0OBBYEFPZSIhcVEwgDWb8YlZ9ItLnp/vhmMIGSBgNVHSAEgYowgYcw
SQYKKoZIhvhjAQIBBTA7MDkGCCsGAQUFBwIBFi1odHRwOi8vd3d3LnB1YmxpYy10cnVzdC5jb20v
Q1BTL09tbmlSb290Lmh0bWwwOgYMKwYBBAGyMQECAQMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
c2VjdXJlLmNvbW9kby5uZXQvQ1AwWAYDVR0jBFEwT6FJpEcwRTELMAkGA1UEBhMCVVMxGDAWBgNV
BAoTD0dURSBDb3Jwb3JhdGlvbjEcMBoGA1UEAxMTR1RFIEN5YmVyVHJ1c3QgUm9vdIICAaMwKwYD
VR0QBCQwIoAPMjAwMjA4MjcxOTA3MzFagQ8yMDA1MDIyMzIzNTkwMFowDgYDVR0PAQH/BAQDAgHm
MA8GA1UdEwQIMAYBAf8CAQAwDQYJKoZIhvcNAQEFBQADgYEAtqewenGL4LqzgR42MnqGGNbxq005
CHEGWmegSwHlMEBtibWeFaqxx/QKxlwO6TfeqJfH3M7Ncft0AgfcXxUnCFMHdtS5BunCd1Aeysmw
wkaBgACtRKpc1iDZVTK+Vpbx6r2g47wNgDrqzPuaV+14pTY9VurR53TKNMPPsVHp4AwwggV6MIIE
YqADAgECAhEAnytBMGb8ejNXdO1SevpL3zANBgkqhkiG9w0BAQUFADCB3DELMAkGA1UEBhMCR0Ix
FzAVBgNVBAoTDkNvbW9kbyBMaW1pdGVkMR0wGwYDVQQLExRDb21vZG8gVHJ1c3QgTmV0d29yazFG
MEQGA1UECxM9VGVybXMgYW5kIENvbmRpdGlvbnMgb2YgdXNlOiBodHRwOi8vd3d3LmNvbW9kby5u
ZXQvcmVwb3NpdG9yeTEfMB0GA1UECxMWKGMpMjAwMiBDb21vZG8gTGltaXRlZDEsMCoGA1UEAxMj
Q29tb2RvIENsYXNzIDMgU2VjdXJpdHkgU2VydmljZXMgQ0EwHhcNMDQwNTEwMDAwMDAwWhcNMDUw
NTEwMjM1OTU5WjCB4DE1MDMGA1UECxMsQ29tb2RvIFRydXN0IE5ldHdvcmsgLSBQRVJTT05BIE5P
VCBWQUxJREFURUQxRjBEBgNVBAsTPVRlcm1zIGFuZCBDb25kaXRpb25zIG9mIHVzZTogaHR0cDov
L3d3dy5jb21vZG8ubmV0L3JlcG9zaXRvcnkxHzAdBgNVBAsTFihjKTIwMDMgQ29tb2RvIExpbWl0
ZWQxGTAXBgNVBAMTEENocmlzdGluZSBLYXJtYW4xIzAhBgkqhkiG9w0BCQEWFGNocmlzdGluZUBp
emVjb20uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDME34pF9A6lo1iaFrD9G8NhNMa
fomtO8xd4TQiBUlEthWWUctIuYS/JTyembCVM+WDkKuSDBZ/weTJNii49ERcfV9xN90BCyZ+do1q
oTRb0DYyvwq60Ap7IQd6f6LqPV6RLoQkOL+vcygQ4CIO4dvz6v9Ek9Bon4CCoK15hho46wIDAQAB
o4IBszCCAa8wHwYDVR0jBBgwFoAU9lIiFxUTCANZvxiVn0i0uen++GYwHQYDVR0OBBYEFOJBJQ/E
+V7WGdFfLEYJZBOJyqyDMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMCAGA1UdJQQZMBcG
CCsGAQUFBwMEBgsrBgEEAbIxAQMFAjBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEBATArMCkGCCsG
AQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8ubmV0L0NQUzCBsAYDVR0fBIGoMIGlMDigNqA0
hjJodHRwOi8vY3JsLmNvbW9kby5uZXQvQ2xhc3MzU2VjdXJpdHlTZXJ2aWNlc18yLmNybDA6oDig
NoY0aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ2xhc3MzU2VjdXJpdHlTZXJ2aWNlc18yLmNybDAt
oCugKYEnQ2xhc3MzU2VjdXJpdHlTZXJ2aWNlc18yQGNybC5jb21vZG8ubmV0MBEGCWCGSAGG+EIB
AQQEAwIFIDAfBgNVHREEGDAWgRRjaHJpc3RpbmVAaXplY29tLmNvbTANBgkqhkiG9w0BAQUFAAOC
AQEAXiuAsCipKZVyyg5cJrgn8a1hRIbxEsqAMDFOeEwUiwHwa4SwtvmJnpTermSLUIa2ObLq6hf+
ODYknuHFISQlC0nY92XficF6Nz3tRvo11CU89/wovFcncSjhrrMqo67CjcKAKcGqf96WC8VL72F+
SUF1QL2NIlVGqrBdo6/FQxZ86p6m1WnsNo73V+N2NudMWB5hqvSK0IVbyBJtvDgFzZmqCjsyK1vW
S7STMvU0StiKN2zzkg20rrqbaUJHpVJwWavcPRe65nAqnje5X8qDvCugo+CMdSckflHMeBxm85rg
VIe60Q/jdeepxdWtjxQOA4YUtvUdVtlzwRGDb/wYcTGCAc0wggHJAgEBMIGYMIGDMRIwEAYDVQQK
EwlJemVjb20gQlYxHzAdBgkqhkiG9w0BCQEWEGluZm9AaXplbWFpbC5jb20xFjAUBgNVBAgTDU5v
b3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRhbTELMAkGA1UEBhMCTkwxEzARBgNVBAMTCkl6
ZW1haWwgQ0ECEExbugL9T9E1gQI4hwraFlkwCQYFKw4DAhoFAKCBizAYBgkqhkiG9w0BCQMxCwYJ
KoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNDA3MTkxMDUyMDhaMCMGCSqGSIb3DQEJBDEWBBSK
3xxsOqnmUCXkl3X8Ue0Mu+IaZzAsBgkqhkiG9w0BCQ8xHzAdMA8GCCqGSIb3DQMCMAMCATowCgYI
KoZIhvcNAwcwDQYJKoZIhvcNAQEBBQAEgYBP+QT4y46F/TPMrHxJu63rl+zauRGQU9xXM1Jm6m7T
3ruTB6UKH+e/XM/JOHfC/ognCrG325VICXmxpBhJuuB1Drc1JNs1zqabnNzdTAtTtYjw7ozamg/E
PNUs2VowKpB+qNNw2v1Q0axy5F2BOU2o/xNstuzLQ4NSpP4WH8ca5A==
--{3F37A849-88DC-48F3-9919-8C59370BA4BF}--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6J9tCfV009368; Mon, 19 Jul 2004 02:55:12 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6J9tC8R009367; Mon, 19 Jul 2004 02:55:12 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from av1-2-sn3.vrr.skanova.net (av1-2-sn3.vrr.skanova.net [81.228.9.106]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6J9tCiB009319 for <ietf-pkix@imc.org>; Mon, 19 Jul 2004 02:55:12 -0700 (PDT) (envelope-from anders.rundgren@telia.com)
Received: by av1-2-sn3.vrr.skanova.net (Postfix, from userid 502) id 6D2C837EC5; Mon, 19 Jul 2004 11:55:07 +0200 (CEST)
Received: from smtp1-1-sn3.vrr.skanova.net (smtp1-1-sn3.vrr.skanova.net [81.228.9.177]) by av1-2-sn3.vrr.skanova.net (Postfix) with ESMTP id 5FD6337E43; Mon, 19 Jul 2004 11:55:07 +0200 (CEST)
Received: from arport (t10o913p74.telia.com [213.64.27.194]) by smtp1-1-sn3.vrr.skanova.net (Postfix) with SMTP id 4209438005; Mon, 19 Jul 2004 11:55:05 +0200 (CEST)
Message-ID: <004001c46d76$11c554d0$0500a8c0@arport>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, <ietf-pkix@imc.org>
References: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au>
Subject: Re: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Date: Mon, 19 Jul 2004 11:52:12 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
>Requiring that there only be a single serialNumber attribute, however,
>is unnecessarily restrictive. It seems quite sensible to use serialNumber
>attributes to hold company numbers, org unit ids and/or personal identifiers.
>For example: cn="John Doe" serialNumber=12345, o="Acme Ltd"
>serialNumber="DUNS 554433", c=US. The PI extension would refer to 12345.
I believe examples like this are very good in order to achieve some
genuine understanding (beyond ASN.1).
But is this not actually a prime example of a scheme using TWO PIs?
This would however also require an updated specification where
something like an optional "instanceNumber" would be featured to
point out the actual serialNumber to use.
Anders
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6J9KT35093904; Mon, 19 Jul 2004 02:20:29 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6J9KT12093903; Mon, 19 Jul 2004 02:20:29 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail.2wire.ch (mail.2wire.ch [62.65.128.20]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6J9KO6n093825 for <ietf-pkix@imc.org>; Mon, 19 Jul 2004 02:20:27 -0700 (PDT) (envelope-from joseph.doekbrijder@swisssign.com)
Received: (qmail 41765 invoked by uid 89); 19 Jul 2004 09:20:17 -0000
Received: from unknown (HELO swisssign.com) (62.65.151.222) by mail.2wire.ch with SMTP; 19 Jul 2004 09:20:17 -0000
Message-ID: <40FB9247.40509@swisssign.com>
Date: Mon, 19 Jul 2004 11:20:07 +0200
From: Joseph Doekbrijder <joseph.doekbrijder@swisssign.com>
Organization: SwissSign AG
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: de-ch, en-us, en, fr-ch
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>
CC: Ed Gerck <egerck@nma.com>, ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
References: <002101c46b50$342174a0$7101a8c0@gemsec.com> <40F82418.3080307@nma.com> <p06110403bd1de535f889@[10.20.30.249]> <p06110412bd1df2a828b0@[128.89.89.75]>
In-Reply-To: <p06110412bd1df2a828b0@[128.89.89.75]>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms080902030006090102000008"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a cryptographically signed message in MIME format.
--------------ms080902030006090102000008
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Interesting issue, which leaves me with a question:
The only thing a spammer can not do (or maybe only once) is digitally
sign his spam! Upon abuse, The cert can be put on the receivers
"black-list", the cert could be revoked by CA and/or RA and the
IssuingParty can be contacted if abuse continues...
Would it thus not be an interesting approach to build a mail filter that
filters out all non digitally signed email?
It is clear, this is something for the future, but from a theoretical
point-of-view: Some feedback from the experts out there would be
interesting for me. In other words, can we take this any further?
Cheers
Josh
Stephen Kent wrote:
>
> I view Peter's solicitation for signed e-mail to be appropriate for
> the PKIX WG list.
>
> Steve
>
--
Joseph A. Doekbrijder
--------------------------------------------------
SwissSign AG
Löwenstrasse 1, CH-8001 Zürich
Tel: +41 43 344 88 11 / Mobile: +41 79 211 24 46
www.swisssign.com
--------------------------------------------------
This message has been digitally signed to ensure unaltered and
authenticated reception. Should you receive an error message regarding
the validity of the signature, please click and download the SwissSign
root certificate using the following link https://swisssign.net/trust/
After installation, your mail client will be able to automatically
verify the authenticity of e-mail messages sent to you by users of
SwissSign certificates.
--------------ms080902030006090102000008
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIWiTCC
A2EwggJJoAMCAQICCGQgZ70rBHuyMA0GCSqGSIb3DQEBBQUAMGkxIzAhBgNVBAMTGlN3aXNz
U2lnbiBQZXJzb25hbCBHb2xkIENBMSEwHwYJKoZIhvcNAQkBFhJnb2xkQHN3aXNzc2lnbi5j
b20xEjAQBgNVBAoTCVN3aXNzU2lnbjELMAkGA1UEBhMCQ0gwHhcNMDMxMjExMTQzOTA1WhcN
MDQxMjExMTQzOTA1WjB4MSQwIgYDVQQDExtKb3NlcGggQW50b25pdXMgRG9la2JyaWpkZXIx
LzAtBgkqhkiG9w0BCQEWIGpvc2VwaC5kb2VrYnJpamRlckBzd2lzc3NpZ24uY29tMRIwEAYD
VQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNIMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQCpc7LucWH/EP2YmDBOMZVmPzy8JfYovxAL8wbfuXjFQLg4/orh+8AonyozzaK0fJzFw/D4
46z3siNvu065E6AKM3BFPSsyS5RrUPnYjtxcLAmfv+OsR5gAMA1hhsS571XCWaVPvEuCIltW
RvpcKVeuAsdpR6p7eW7UPQuO0EgR4QIDAQABo4GBMH8wHwYDVR0jBBgwFoAU8jaGz72k1nnf
MpmM0FlpHQWVLIYwDgYDVR0PAQH/BAQDAgQwMB8GA1UdJQQYMBYGCisGAQQBgjcKAwQGCCsG
AQUFBwMEMCsGA1UdEQQkMCKBIGpvc2VwaC5kb2VrYnJpamRlckBzd2lzc3NpZ24uY29tMA0G
CSqGSIb3DQEBBQUAA4IBAQBY4/HrZkMYrF0LKNWpDrYTbEM7wRjHKtpjMHWb1DlAm1qRBWAB
0Ns/jyCHLedGlRydHuVPh+THO9PPgRESIWoWq88uz+gpue3A4DWpuk7BqrYKXFfKTa1uKsfE
L62LJ0cO8Q09aCkkEpETL8u92s68328QPhSgFmX5wgToyG3Vw2EOMTcbCeKFRYSkZTywe2NV
IMkDKKUDuRYBYZZ1Db8P3SzF26bszuUH+4HsbgIg8K+mrEeln9aHpbujAUVx8huCpYR25Ziz
rtK2vHmDd2VQUfOs+gA4dns7Ys+sOYXYWn2ZvXycCirQktDuaOTAxRXrBXByGLTNDsJBsNQI
FbZdMIIDqTCCApGgAwIBAgIIXLEyej+EomAwDQYJKoZIhvcNAQEFBQAwZDEcMBoGA1UEAxMT
U3dpc3NTaWduIFNpbHZlciBDQTEjMCEGCSqGSIb3DQEJARYUc2lsdmVyQHN3aXNzc2lnbi5j
b20xEjAQBgNVBAoTCVN3aXNzU2lnbjELMAkGA1UEBhMCQ0gwHhcNMDMxMDEyMTEzODIyWhcN
MTUxMDA2MTMzNjU3WjBgMRowGAYDVQQDExFTd2lzc1NpZ24gR29sZCBDQTEhMB8GCSqGSIb3
DQEJARYSZ29sZEBzd2lzc3NpZ24uY29tMRIwEAYDVQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYT
AkNIMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAstKfzDugVAxC63Qhl8+Cko7T
Kjh0aMls6o0iYfPE6LU9jRHGRE2FyEoI4+3EgotNIVEX7GOTtQUL3YRzkJ55T/urzNtWDead
etokNxoH1KrYObxIuFeSyepEN/QKcNedliNqwGF3wPqKCGna554QeyV44pRhvNH3+hFL3Mz3
Tazf2wtmE/et/JSAFFUPWfSqrugURE1G2kaB9o2tt/BFtEjslSD41D9g7nexjvgHDyRKsoY3
FoEHexV/ttvFZNzGJJ7NLwgC84JvCdLi3RvNyGfiWnqkjuRdQOohAsWNJcjn7aoksB5y/Ipr
BjsivtY/LBYQ7zq+Sc8v+8bf3T1lzwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
AQH/BAUwAwEB/zAdBgNVHQ4EFgQUtGz1MEEswDyRjDQnY/pVvPzntD8wHwYDVR0jBBgwFoAU
EvoMgVv/f9El2B5zMDUPRhg2snUwDQYJKoZIhvcNAQEFBQADggEBADG0plqQXp/SAJjFJYax
q1R+3LaDheER1IgXaIem+nofwcBaCvEP+vkWkEuBwFbvI97tKlO6oY1WtVlJHbkfHXcvRAiv
s8W9EbuQlXJ9g1J+ZKJbnI/KmTwsNYvHj5PBe9+PwvA1oZwTJDEEBSaUcdOxaNw3ceka7oTd
dWXfAWUhGXDmS3O2yTHVovUrFAshmYEz9r4YRvbUzkKYcP12zOu2UmdrCOzSWua2EOuSimLM
se00IOJTlhJMfL+ly6O8G1MA7wTqKkSgnDbVe0XsMQYmSJaiVqSkRGIUYE7mvlq9YKCguBZ1
fpmurO0BeWvmzZxZT/7VBjcfMzwS1tZ4CeAwggOuMIIClqADAgECAggQSAsMRGstRTANBgkq
hkiG9w0BAQUFADBgMRowGAYDVQQDExFTd2lzc1NpZ24gR29sZCBDQTEhMB8GCSqGSIb3DQEJ
ARYSZ29sZEBzd2lzc3NpZ24uY29tMRIwEAYDVQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNI
MB4XDTAzMTAxMjExNTgyMloXDTA2MTAxMjExNTgyMlowaTEjMCEGA1UEAxMaU3dpc3NTaWdu
IFBlcnNvbmFsIEdvbGQgQ0ExITAfBgkqhkiG9w0BCQEWEmdvbGRAc3dpc3NzaWduLmNvbTES
MBAGA1UEChMJU3dpc3NTaWduMQswCQYDVQQGEwJDSDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMZmnWhcHmQ8GZB+9uoZyb+LmqUqYRWWL6vSFwWMSQdtn7aMT0zVI1N37y2I
LN5/KurG53SonxgMfwqsxgdD3jI77yyJwsN0aMdBDotcL+pXSJqlC1gpDsVHtMIyQs5PqYTx
Y3uUJVbBERchLFLv/2VJ0iBGXg009lyNVULa9VFcG/F2UF34YranOWBW4OSQowf1kJYNXr4A
eKhpLnNhv30/fdIMRrihygQCPaMJ0nQAEuBVbFSfOUQPvMDDBwYKC+yMkcm5QWgnVGXAeyrA
x7k8+rKPfNbYqnyeL9aAnyUMkYm6FtUsaM5I6HNWJY63gfqqPeprFuogZNY1Rwq2mNMCAwEA
AaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPI2hs+9
pNZ53zKZjNBZaR0FlSyGMB8GA1UdIwQYMBaAFLRs9TBBLMA8kYw0J2P6Vbz857Q/MA0GCSqG
SIb3DQEBBQUAA4IBAQCuHGJh9r2LiKenYuA4Imi1TZ0YWVB0o2Kfo6HD3CPZwavyPzXiShM0
0PGIoX/bs+K36PYj24E6gdp78B4hzqPP525wUapDy/WX8nur8XbrcdEwffWy+Cmz593an7Xy
iFl18wIDGLGkpGpwtM/Jiu2QLUughU7Eh0/i6R1+oUPLF9wYcB0eoYnDBK0KWFvTEWkLAWYb
F45PV4tsBXWI+UTQBB93rgdjQbJNxSv7K/kLAQY/mWs9fF2jp4X8+UMthm28TkHE7VAok0md
Ma9x3X1ZrMDmb3ijkUxwJhFewelg9vMZdcXUHjezw5J83L5I8aBQmfKIHLDEg2XVcQUhMi/B
MIIDwDCCAqigAwIBAgIJAOjyHqbBu/cuMA0GCSqGSIb3DQEBBQUAMHYxCzAJBgNVBAYTAkNI
MRIwEAYDVQQKEwlTd2lzc1NpZ24xMjAwBgNVBAMTKVN3aXNzU2lnbiBDQSAoUlNBIElLIE1h
eSA2IDE5OTkgMTg6MDA6NTgpMR8wHQYJKoZIhvcNAQkBFhBjYUBTd2lzc1NpZ24uY29tMB4X
DTAzMTAwNjEzMzY1N1oXDTE1MTAwNjEzMzY1N1owZDEcMBoGA1UEAxMTU3dpc3NTaWduIEJy
b256ZSBDQTEjMCEGCSqGSIb3DQEJARYUYnJvbnplQHN3aXNzc2lnbi5jb20xEjAQBgNVBAoT
CVN3aXNzU2lnbjELMAkGA1UEBhMCQ0gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDA0TvGY7vE2Z2U4Ootl3tb6AZN4SPTTN6HYMyzL9OeKWzlMfnwJqEzv4yjkFMcaStrmyRO
PMkwLEWcd3FiaxKBmr0eCN9ybgZuhKvSxYfaqcM5QAgPqK6yA2WQ+sgWAUlEH4PdhCUYd84q
eOlswzzrtbggVWQsbh/LoT7edOeBJlDiIHufmmXTl5X7psFIImkWJbnegd7fidhRuUxMJF0X
LcA/9WaJzZDZSmGONRSP+WOzlM/o4xunjPwIoCWKSIo9NMWtJ29az01/TcLehpyMjQg7a+PJ
3yFtl5PbS25Jm7W9IopISNPGYzucjOIVKYo9BQ5F32lGn8NJl418yNttAgMBAAGjYzBhMA4G
A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRygIjtngs9r6moa09a
F+LUoY5lJDAfBgNVHSMEGDAWgBSW13HNOSrU/IixiqtTeGnvj0d+FjANBgkqhkiG9w0BAQUF
AAOCAQEApFfZjNGeQ7OtxCPI3mI1rjF2gbxMTMtMeJeaxH2QSJsrvcKRQ29v0wzDLMmeKFR8
d3B8PDh8aqw2IGz1X3FcIn7CUTdoOvFCGuW0SpdvKzgt3RVOpp4HFcfMK6mxubSHCBV6f66A
UyxbK+Sv7Rpwn3BZ6AYndMzYMEk6IrAvrurIz6h2DTrwEO3oH1GKRpYljlcoh+mKEnvZit6b
vGNcLpLTMZNe+0dlKzw1uHNI9gqteNqn/BqunMDAqPcBX4uZ0em7P/ZJ8+SACnsz96+R5MSV
EeoFqWQoRQAxNgjUXTy0xYa4cGRqeXtTO/s3mKgDBWktCFXU0f0kb0IQIBmGqDCCA/gwggLg
oAMCAQICCQDemCdyDdsdVTANBgkqhkiG9w0BAQUFADBkMRwwGgYDVQQDExNTd2lzc1NpZ24g
QnJvbnplIENBMSMwIQYJKoZIhvcNAQkBFhRicm9uemVAc3dpc3NzaWduLmNvbTESMBAGA1UE
ChMJU3dpc3NTaWduMQswCQYDVQQGEwJDSDAeFw0wMzEwMTIxMTM2MzJaFw0xNTEwMDYxMzM2
NTdaMGQxHDAaBgNVBAMTE1N3aXNzU2lnbiBTaWx2ZXIgQ0ExIzAhBgkqhkiG9w0BCQEWFHNp
bHZlckBzd2lzc3NpZ24uY29tMRIwEAYDVQQKEwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNIMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzPdBfCH+e+kxpt0cSTkKm1pJXXdRCNJ8
mrbsNpuX2O290pzz1dEF7DKFCH+k9bm8Yqj1KgyhKrt7JoNGUHW83sU+8jjrYG/ZPrfusCH+
4iiVZciBCvPdM1t0qvPZvWrKVYdIb+3t8aQz8+L08zFLdkxG49M+4cMW5srECPy4YJ3kJzVr
awrXBMAchqviMngsyWuKw5qV5FA9pp36wDsumItoZXL3BOsMsU2lh3z/OLhDpXA5D83mgEOW
RbqkfSWyaT1lcIuoMZ/XMdT8ahU+3GWnZ8O9tQFg0//SfrlT3Zsp7Hhx0XEtsuIKQZTrsUHj
QzR+bk9RlKLz3Sy5nxPRRQIDAQABo4GsMIGpMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBQS+gyBW/9/0SXYHnMwNQ9GGDaydTAfBgNVHSMEGDAWgBRygIjt
ngs9r6moa09aF+LUoY5lJDBGBgNVHR8EPzA9MDugOaA3hjVodHRwczovL3N3aXNzc2lnbi5u
ZXQvY2dpLWJpbi9hdXRob3JpdHkvY3JsP2NhPUJyb256ZTANBgkqhkiG9w0BAQUFAAOCAQEA
qaVWxVi644azmxYNNglkRVA5pFsU3zN4zepYrjEmamFgGROsNKYCwf06cGDHXsJyxZzkzFPG
FTR5/pRLoDWnEuFgfm+a6XA9qTUecun+909Dkz8EbNk/KsWaGEG+HxMjwnusctjeWhO32rRH
+AWJW9VhNR+ggbkGwbVadRClY7359ChoWTwkySWb2hjTZU3BOnqAOYJ2QPKiWMrGODN9Jo94
+hfxcD6o08ak5KY/5Bza4EEL/sbS/quhoCZsg8TBD4+KeXgbVqU9XlPHk/gq1RTy49SPmRkQ
lgwFSvQRRAD/5oQX3ZKxhXAVsEYHyGvqCsFvXWKagulb5NjNdD0pyTCCBAEwggLpoAMCAQIC
CQCVT/juYWAhTDANBgkqhkiG9w0BAQUFADBpMSMwIQYDVQQDExpTd2lzc1NpZ24gUGVyc29u
YWwgR29sZCBDQTEhMB8GCSqGSIb3DQEJARYSZ29sZEBzd2lzc3NpZ24uY29tMRIwEAYDVQQK
EwlTd2lzc1NpZ24xCzAJBgNVBAYTAkNIMB4XDTAzMTIxMDIxNDAwMVoXDTA0MTIxMDIxNDAw
MVoweDEkMCIGA1UEAxMbSm9zZXBoIEFudG9uaXVzIERvZWticmlqZGVyMS8wLQYJKoZIhvcN
AQkBFiBqb3NlcGguZG9la2JyaWpkZXJAc3dpc3NzaWduLmNvbTESMBAGA1UEChMJU3dpc3NT
aWduMQswCQYDVQQGEwJDSDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJVGvsFb
4Ufs++D4cxTnv2yHvmLjKZQ2qfPT7YO2dfffZbiba4qkKQ8xLE05D1EqlLvXm+4dRksjDhty
OzwZeWajZ/TGwPgP3jXOURlqkyhVrX0kt5EzW5EokcMC/Ais422LqtJ5kq2nOvK7NGYtevS0
pMbHi5NZtkWUwVZaRjjOJaTGO2xDkjAOdYIyI8vdEIedJIW6LGHIZsYjI+yW7sUlI6hCXhrV
nsmdu/shG/TTsvDQUW28Yl7/l/uvikFsuy4erDKDHcbth/xKsI/KkfX40jGqGI0SlQ7fHBph
DwbnbOKJJSu1wgMT1dvuwLyFEBqyf0OSPZROpK11T3d2LdcCAwEAAaOBnDCBmTAfBgNVHSME
GDAWgBTyNobPvaTWed8ymYzQWWkdBZUshjAOBgNVHQ8BAf8EBAMCA8gwKQYDVR0lBCIwIAYI
KwYBBQUHAwQGCCsGAQUFBwMCBgorBgEEAYI3FAICMDsGA1UdEQQ0MDKgMAYKKwYBBAGCNxQC
A6AiDCBqb3NlcGguZG9la2JyaWpkZXJAc3dpc3NzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOC
AQEAZTUBqQgk5nB+0W7Mozv/uD6lRurjZhWShstlaQ43qvVHcsDgb4mW/bynla9BDmM/NsQU
43ZsoFxjkJsxFCpgm5BuMt1KuD7FSHJ0mxRswaGf9mHxftU1cu/YhY/AjrsFHEnsPHZaYAAm
jcKunHgT+yckvUZR3RQDkgVE4PQ3YpsG1EPKQSEAFbmWAd4+TxJmuBXThDM63gOkY4Q7gE1b
Y1kjkdRlJ2TZ/gOItQ3AsfwS7mq+ANYnUBrWkrnUd85Nmgzv5ys7zxuz9tp64vS+xYW98mri
ruGl9stN/b7SbOFTsp8SUm83e9qPOQZRYPS6TYYKUObj3LbaXJEIqKD51DGCA2IwggNeAgEB
MHYwaTEjMCEGA1UEAxMaU3dpc3NTaWduIFBlcnNvbmFsIEdvbGQgQ0ExITAfBgkqhkiG9w0B
CQEWEmdvbGRAc3dpc3NzaWduLmNvbTESMBAGA1UEChMJU3dpc3NTaWduMQswCQYDVQQGEwJD
SAIJAJVP+O5hYCFMMAkGBSsOAwIaBQCgggHBMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTA0MDcxOTA5MjAxM1owIwYJKoZIhvcNAQkEMRYEFGCT59u8lXmH
LUFia3r6w/c+XqpCMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwIC
AgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGEBgkrBgEEAYI3
EAQxdzB1MGkxIzAhBgNVBAMTGlN3aXNzU2lnbiBQZXJzb25hbCBHb2xkIENBMSEwHwYJKoZI
hvcNAQkBFhJnb2xkQHN3aXNzc2lnbi5jb20xEjAQBgNVBAoTCVN3aXNzU2lnbjELMAkGA1UE
BhMCQ0gCCGQgZ70rBHuyMIGGBgsqhkiG9w0BCRACCzF3oHUwaTEjMCEGA1UEAxMaU3dpc3NT
aWduIFBlcnNvbmFsIEdvbGQgQ0ExITAfBgkqhkiG9w0BCQEWEmdvbGRAc3dpc3NzaWduLmNv
bTESMBAGA1UEChMJU3dpc3NTaWduMQswCQYDVQQGEwJDSAIIZCBnvSsEe7IwDQYJKoZIhvcN
AQEBBQAEggEAhsbskbeaasmC7KiKDxCcHq/Wf1EXkYpGRUWbOqeXxdxCzplxpx2BICW4XgGd
+BveCmZRsZbWtHx/6DfLMjUJhelWpptCi8koNE/oAwm5l4ijHgu4eDyJsQ5KL+5+aoovVQsY
yZYsTnlGVgQyOgJasqFq5ddZXM67m5PBRp1LVUXqmnYMj6PXwLvT+JMpSHQtPOlVdEewPl8U
iS0/3qV82bIYVq3wdANbC5mN6bbQdPsjCThyRuNw+PqbDx064fQHdDUU6oN07lqKD6QpQ3MV
wfbEiDpswJYvsgcRi0j8tzRdAl+PdwO63YDPj8UTc1u3gqmhHhTgqjnIwf+gJg4SVAAAAAAA
AA==
--------------ms080902030006090102000008--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6J58DVR079231; Sun, 18 Jul 2004 22:08:13 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6J58D6D079230; Sun, 18 Jul 2004 22:08:13 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailbo.vtcif.telstra.com.au (mailbo.vtcif.telstra.com.au [202.12.144.19]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6J58Cs8079178 for <ietf-pkix@imc.org>; Sun, 18 Jul 2004 22:08:13 -0700 (PDT) (envelope-from James.H.Manger@team.telstra.com)
Received: from mailbi.vtcif.telstra.com.au (mailbi.vtcif.telstra.com.au [202.12.142.19]) by mailbo.vtcif.telstra.com.au (Postfix) with ESMTP id 8103D23198 for <ietf-pkix@imc.org>; Mon, 19 Jul 2004 15:08:12 +1000 (EST)
Received: from mail.cdn.telstra.com.au (localhost [127.0.0.1]) by mailbi.vtcif.telstra.com.au (Postfix) with ESMTP id 22C851DA82 for <ietf-pkix@imc.org>; Mon, 19 Jul 2004 15:08:12 +1000 (EST)
Received: from WSMSG0004.srv.dir.telstra.com (wsmsg0004.srv.dir.telstra.com [192.74.168.133]) by mail.cdn.telstra.com.au (8.8.2/8.6.9) with ESMTP id PAA01964 for <ietf-pkix@imc.org>; Mon, 19 Jul 2004 15:08:11 +1000 (EST)
content-class: urn:content-classes:message
Subject: RE: PI: 10: draft-ietf-pkix-pi-10.txt - single serialNumber attribute
Date: Mon, 19 Jul 2004 15:07:53 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <73388857A695D31197EF00508B08F29806EE1B42@ntmsg0131.corpmail.telstra.com.au>
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Thread-Topic: I-D ACTION:draft-ietf-pkix-pi-10.txt
Thread-Index: AcRpISpRw39Rj0boTiKQ1oDDudjrzgEIUs5Q
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6J58Ds8079225
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
1.
The ability to flag a serialNumber attribute value in the subject name as a permanent identifier is a nice feature. Requiring that there only be a single serialNumber attribute, however, is unnecessarily restrictive. It seems quite sensible to use serialNumber attributes to hold company numbers, org unit ids and/or personal identifiers. For example: cn="John Doe" serialNumber=12345, o="Acme Ltd" serialNumber="DUNS 554433", c=US. The PI extension would refer to 12345.
[Section 2] Change the ASN.1 comment for the identifierValue field of PermanentIdentifier to:
" -- if absent, use the deepest serialNumber attribute value in the subject DN"
[Section 2] Change the paragraph that begins "When the identifierValue field is absent" to:
"When the identifierValue field is absent, then the deepest serialNumber attribute value from the subject DN is the value to be taken for the identifierValue. An attribute is "deeper" if it occurs later in the sequence of RDNs that make up the DN. A "deeper" attribute occurs earlier in the string representation of a DN [RFC2253], which start encoding the last element of the RDN sequence that makes up a DN and moves backwards towards the first. The PermanentIdentifier SHALL NOT be used if there is no serialNumber attribute in the subject DN.
2.
Why can't the assigner field be present but the identifierValue field be absent (refer to the serialNumber attribute)? An absent identifierValue is simply "shorthand" to avoid duplicating a value -- it doesn't really have any sematic value so shouldn't have any impact on the assigner field (or vice versa).
3.
The security considerations section mentions an identifierType field that no longer exists.
> ----------
> From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org]
> Sent: Wednesday, 14 July 2004 6:05 AM
>
> Title : Internet X.509 Public Key Infrastructure Permanent Identifier
> Author(s) : D. Pinkas, T. Gindin
> Filename : draft-ietf-pkix-pi-10.txt
> Date : 2004-7-13
>
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
>
> ----------
> From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
> Sent: Thursday, 15 July 2004 6:06 PM
> Cc: ietf-pkix@imc.org
>
... the definition of the PI has been changed to allow to use the serialNumber attribute from the subject DN.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6I8jiL3064410; Sun, 18 Jul 2004 01:45:44 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6I8jiAb064408; Sun, 18 Jul 2004 01:45:44 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from av7-1-sn4.m-sp.skanova.net (av7-1-sn4.m-sp.skanova.net [81.228.10.110]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6I8jgjw064305 for <ietf-pkix@imc.org>; Sun, 18 Jul 2004 01:45:43 -0700 (PDT) (envelope-from anders.rundgren@telia.com)
Received: by av7-1-sn4.m-sp.skanova.net (Postfix, from userid 502) id 612C337EB9; Sun, 18 Jul 2004 10:45:31 +0200 (CEST)
Received: from smtp2-2-sn4.m-sp.skanova.net (smtp2-2-sn4.m-sp.skanova.net [81.228.10.182]) by av7-1-sn4.m-sp.skanova.net (Postfix) with ESMTP id 51FC737E46; Sun, 18 Jul 2004 10:45:31 +0200 (CEST)
Received: from arport (t12o913p98.telia.com [213.64.28.218]) by smtp2-2-sn4.m-sp.skanova.net (Postfix) with SMTP id A4D8E37E46; Sun, 18 Jul 2004 10:45:27 +0200 (CEST)
Message-ID: <001001c46ca3$2f126420$0500a8c0@arport>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: <ietf-pkix@imc.org>
Cc: "David Kemp" <dpkemp@missi.ncsc.mil>, "Denis Pinkas" <Denis.Pinkas@bull.net>
References: <200407132004.QAA10444@ietf.org> <40F63ADB.9070709@bull.net>
Subject: Re: I-D ACTION:draft-ietf-pkix-pi-10.txt
Date: Sun, 18 Jul 2004 10:42:35 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Denis,
It is good to see that the PI draft is doing progress!
May I comment a bit on this last revision?
>After side discussions initiated by Anders Rundgren and followed
>by Peter Gutmann, I have discussed with my co-editor, the PKIX
>chairs and the security Area Director.
I would like to mention that David Kemp, in his quest for a more
"sane" (Dave's wording) solution for DoD, also posted a scheme
that eliminated the data redundancy or alien CA registry requirements
that my "real world, paper example" :-) showed. Dave's suggestion
was BTW pretty close to the proposed revision.
Talking about DoD's use of PIs, I do not believe that their current scheme
is "insane" but maybe a tiny, tiny bit "ugly". A simple RFC3739 "filtering"
process would be enough to make it "beautiful", in X.500 terms.
It is not over until it is over
====================
However, when I performed another "real world, paper example"
on a PI-augmented DoD scheme, I did note a rather significant
loss of "sanity" that I believe the list could comment on as it should
be fairly applicable to most enterprise PKIs.
Assume that a DoD certificate after the PI upgrade contains the following:
Subject DN: CN=John Smith, serialNumber=123456, OU=Army, O=DoD, C=US
PI assigner: 1.23.67.355.23.6.7 (A "sample" OID for the DEERS registry)
The question I tried to answer was simply: How is automated relying
party software supposed to use the enhanced identity information?
Here follows three possible alternatives:
1. X.500-only
==========
ID: CN=John Smith, serialNumber=123456, OU=Army, O=DoD, C=US
This scheme becomes (at least principally) dubious, the moment you start
to deal with multiple assigners (=independent name spaces). And if you
only intend to use one assigner, the PI extension becomes redundant.
2. X.500 + PI
==========
ID: 1.23.67.355.23.6.7 + CN=John Smith, serialNumber=123456, OU=Army, O=DoD, C=US
This scheme is not exploiting the primary motive for using permanent
identifiers, attribute independence (=being able to change name, location
etc. without getting a "new" identity).
3. PI-only
=======
ID: 1.23.67.355.23.6.7 + 123456
This scheme makes all but one DN attribute redundant. But the
unused attributes still contribute to shortening the life-time of the
certificate, as well as limiting usage to a single assignment (you will
need a separate certificate for each assignment within the enterprise).
As far as I can see, PI extensions when applied to a large class of
X.500-based systems[1] will probably only add more confusion to
an already complex situation, rather than solving a problem.
Sincerely
Anders Rundgren
1] it is worth noting that PKIs that were designed from scratch to use
PIs (there are several large such), do not suffer from these problems.
However, these PKIs do not follow the X.500 methodology where
an identity is the combination of a set of hierarchical attributes, qualifying
the subject. In my opinion, the idea that an LDAP entry for an employee
should be linked to a certificate containing a [redundant] copy of the
directory path, is an off-line world relic. In an on-line world, subject
attributes like location, phone number, bank account, job function etc.
should be dynamically acquired, as well as adapted for the actual
situation and relation.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GNCBtS061614; Fri, 16 Jul 2004 16:12:11 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GNCBeW061612; Fri, 16 Jul 2004 16:12:11 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GNC95h061603 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 16:12:09 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-106.fastq.com [65.39.92.106]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6GNC9897299; Fri, 16 Jul 2004 16:12:09 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Tim Polk" <tim.polk@nist.gov>, "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Fri, 16 Jul 2004 16:11:28 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDCEPNDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <5.1.0.14.2.20040716103110.0303da18@email.nist.gov>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Tim,
I think a face-to-face is useful in this instance.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk
Sent: Friday, July 16, 2004 7:39 AM
To: Michael Myers; Russ Housley; ietf-pkix@imc.org
Subject: RE: Unsigned DPD responses for SCVP15
Mike,
Why delay to San Diego?
Really, it makes no sense to require a DPV client to be capable of
asserting a flag that will incur a response it cannot hope to
process!!! That is the result if a client that does not implement path
validation asserts that flag!
I strongly believe that:
(1) some clients will be DPV-only since they will not include an X.509
path
validation module, and need not implement the flag at all;
(2) some clients will be designed for unsigned DPD only, and will be
hard-wired to assert the flag; and
(3) some clients will support unsigned DPD as well asat least one of (a)
signed DPD and (b) DPV, and will need to implement flag and provide
configuration
Let's forward a spec that reflects this reality.
Tim
At 03:14 PM 7/15/2004 -0700, Michael Myers wrote:
>Russ,
>
>Seems a matter for San Diego at this point.
>
>Mike
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Russ Housley
>Sent: Wednesday, July 14, 2004 2:10 PM
>To: Michael Myers; Tim Polk; ietf-pkix@imc.org
>Subject: RE: Unsigned DPD responses for SCVP15
>
>
>
>Mike:
>
>Recently, I have done a fair amount of work in the wireless space, and
I
>am
>convinced that clients on these devices with limited processing
>capabilities will make use of DPV. So, maybe what we need is a profile
>at
>the end of the document that lists the features that must be
implemented
>to
>be considered a DPV client, a DPV server, a DPD client, and a DPD
>server. This should be pretty easy to put together, although I doubt
>that
>it can be done before the draft deadline for the San Diego meeting.
>
>Russ
>
>At 04:03 PM 7/14/2004, Michael Myers wrote:
> >I'm not sure that can be predicted to such a degree.
> >
> >When Carlisle Adams, Stephen Farrell and I first addressed introduced
> >DPV and DPD to the WG, it was Stephen who was forceful in convincing
> >Carlisle and I that one of the most difficult issues wrt PKI was
simply
> >acquiring the data necessary to path validation. This was due in no
> >small part to the various protocols and schemas associated with that
> >process, as now amply documented in 3379. Further, a "client" is not
> >just, for example, a web browser. It could be amalgamation of back
> >office mechanisms, AAA, Radius and what have you. I suspect there
>might
> >come to exist a non-trivial number of such instances.
> >
> >Also, are you saying that in your view an SCVP client is compliant if
>it
> >fails to allow use of id-stc-build-pkc-path in CertChecks syntax and
> >id-swb-pkc-cert-path and id-swb-pkc-revocation-info in the WantBack
> >syntax?
> >
> >Mike
> >
> >-----Original Message-----
> >From: Russ Housley [mailto:housley@vigilsec.com]
> >Sent: Wednesday, July 14, 2004 12:37 PM
> >To: Michael Myers; Tim Polk; ietf-pkix@imc.org
> >Subject: RE: Unsigned DPD responses for SCVP15
> >
> >
> >I do not accept your assumption. I expect many clients to be
DPV-only.
> >
> >Russ
> >
> >At 03:31 PM 7/14/2004, Michael Myers wrote:
> > >True, SCVP clients that assert the OID that drives a server to
>produce
> >a
> > >validity assertion MUST accept and process a signature. But
assuming
> > >that same client is also implemented to assert simply a return of
> >{path,
> > >rev-info}, then it seems reasonable to assume it should also be
>capable
> > >of asserting the flag.
> > >
> > >
> > >Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GL3LEA040438; Fri, 16 Jul 2004 14:03:21 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GL3Lol040437; Fri, 16 Jul 2004 14:03:21 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GL3Kd0040418 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 14:03:20 -0700 (PDT) (envelope-from kent@bbn.com)
Received: from [128.89.89.75] (dhcp89-089-075.bbn.com [128.89.89.75]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i6GL3G7X001855; Fri, 16 Jul 2004 17:03:16 -0400 (EDT)
Mime-Version: 1.0
X-Sender: kent@po2.bbn.com
Message-Id: <p06110412bd1df2a828b0@[128.89.89.75]>
In-Reply-To: <p06110403bd1de535f889@[10.20.30.249]>
References: <002101c46b50$342174a0$7101a8c0@gemsec.com> <40F82418.3080307@nma.com> <p06110403bd1de535f889@[10.20.30.249]>
Date: Fri, 16 Jul 2004 17:03:11 -0400
To: Ed Gerck <egerck@nma.com>
From: Stephen Kent <kent@bbn.com>
Subject: Re: Request: Send me signed messages
Cc: ietf-pkix@imc.org
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I view Peter's solicitation for signed e-mail to be appropriate for
the PKIX WG list.
Steve
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GJkFIH028283; Fri, 16 Jul 2004 12:46:16 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GJkFUs028282; Fri, 16 Jul 2004 12:46:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail5.atl.registeredsite.com (nobody@mail5.atl.registeredsite.com [64.224.219.79]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GJkFYB028263; Fri, 16 Jul 2004 12:46:15 -0700 (PDT) (envelope-from egerck@nma.com)
Received: from taurus.hosting4u.net (taurus.hosting4u.net [209.35.191.122]) by mail5.atl.registeredsite.com (8.12.11/8.12.8) with ESMTP id i6GJkIGD027520; Fri, 16 Jul 2004 19:46:18 GMT
Received: from nma.com ([63.204.17.85]) by taurus.hosting4u.net ; Fri, 16 Jul 2004 14:46:14 -0500
Message-ID: <40F82FD2.5010503@nma.com>
Date: Fri, 16 Jul 2004 12:43:14 -0700
From: Ed Gerck <egerck@nma.com>
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Peter Hesse <pmhesse@geminisecurity.com>
CC: ietf-smime@imc.org, ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
References: <20040716152213.GA16939@mail19g.dulles19-verio.com>
In-Reply-To: <20040716152213.GA16939@mail19g.dulles19-verio.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Peter Hesse wrote:
> Obviously before I share the collected certificates with any other
> researchers, I will require a similar promise for those researchers to keep
> the email addresses therein confidential.
Peter,
An obvious problem with email certificates is that they open us to spam.
You promised you will not share (emails) what you promised to share (certs
with emails). I am glad you agree your two promises were not consistent.
Also, please take a look at your message in the PKIX archive:
http://www.imc.org/ietf-pkix/mail-archive/msg02908.html
You will notice that PKIX protects your email address.
Of course, I am familiar with your name in this list. One more
reason for you to be thankful that I used my time to point out
what you missed. It can happen to any one of us.
Cheers,
Ed Gerck
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GJMPkp023847; Fri, 16 Jul 2004 12:22:25 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GJMPIw023845; Fri, 16 Jul 2004 12:22:25 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail19g.dulles19-verio.com (mail19g.dulles19-verio.com [198.170.241.21]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6GJM9w4023798 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 12:22:23 -0700 (PDT) (envelope-from pmhesse@geminisecurity.com)
Received: from www.geminisecurity.com (161.58.96.110) by mail19g.dulles19-verio.com (RS ver 1.0.94vs) with SMTP id 0-0169395732; Fri, 16 Jul 2004 15:22:13 -0400 (EDT)
From: "Peter Hesse" <pmhesse@geminisecurity.com>
To: "'Ed Gerck'" <egerck@nma.com>
Cc: <ietf-smime@imc.org>, <ietf-pkix@imc.org>
Subject: RE: Request: Send me signed messages
Date: Fri, 16 Jul 2004 15:22:12 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Thread-Index: AcRraAsW0jX4x0V6T5a6urh3NWIY8AAAU4sw
In-Reply-To: <40F82418.3080307@nma.com>
Message-ID: <20040716152213.GA16939@mail19g.dulles19-verio.com>
X-Loop-Detect: 1
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Ed,
I do not see why you felt it necessary to send this spiteful message. I
have been an active participant in PKIX for 7 years now (S/MIME somewhat
less time), and I'm the editor and co-author of the current PKIX document on
certification path building. I am not subscribed to the list to spam or to
burden the list. As I said in my earlier message, I thought that these
lists contained the largest groups of individuals capable of sending signed
email messages.
Obviously before I share the collected certificates with any other
researchers, I will require a similar promise for those researchers to keep
the email addresses therein confidential.
If anyone is afraid of what I might do with the collected email messages or
certificates, just don't send me a message. I won't be offended. I am
confident that those that know me, know of me, or know of my company have no
such fears; many have already sent me messages. For that I thank you, and I
expect that the resultant set of data will be useful in the creation and
improvement of certification path development and validation software in the
years to come.
--Peter
+---------------------------------------------------------------+
| Peter Hesse pmhesse@geminisecurity.com |
| Phone: (703)934-2031 Gemini Security Solutions, Inc. |
| ICQ: 1942828 www.geminisecurity.com |
+---------------------------------------------------------------+
"Pay no attention to what the critics say; there has never been
a statue set up in honor of a critic." --Jean Sibelius
> -----Original Message-----
> From: owner-ietf-smime@mail.imc.org
> [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Ed Gerck
> Sent: Friday, July 16, 2004 2:53 PM
> To: Peter Hesse
> Cc: ietf-smime@imc.org; ietf-pkix@imc.org
> Subject: Re: Request: Send me signed messages
>
>
>
>
> Peter Hesse wrote:
>
> > All,
> >
> > We are looking to get a cache of many "real-world"
> certificates with
> > which to do some testing related to certificate path
> building and validation.
> > Since most email clients send the signer's path (or some
> portion thereof)
> > with signed messages, I'd love to receive signed messages
> from anyone
> > that is willing to send one. I expect the S/MIME and PKIX
> lists have
> > a high quantity of individuals with the capability to send
> S/MIME signed messages.
>
> Comments below.
>
> > You have my personal guarantee that your email addresses
> will not be
> > used or stored by us; I have no desire to alienate the community!
>
> This is your promise #1.
>
> > You can reply to this message (NOT THE LIST) and sign your
> reply, or
> > send directly to certs@geminisecurity.com.
> >
> > I would be willing to share the resultant set of certificates with
> > researchers interested in similar work.
>
> This your promise #2. Do you think there is any conflict with
> your promise #1? What do you think we know the "resultant
> set of certificates"
> contain?
>
> COMMENTS: Your message is off-topic and a spam. It's free to
> subscribe and listen to the traffic if you wish. Please don't
> burden this list.
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GIu8uU019230; Fri, 16 Jul 2004 11:56:08 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GIu8Dm019227; Fri, 16 Jul 2004 11:56:08 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail8.atl.registeredsite.com (nobody@mail8.atl.registeredsite.com [64.224.219.82]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GIu76e019216; Fri, 16 Jul 2004 11:56:07 -0700 (PDT) (envelope-from egerck@nma.com)
Received: from taurus.hosting4u.net (taurus.hosting4u.net [209.35.191.122]) by mail8.atl.registeredsite.com (8.12.11/8.12.8) with ESMTP id i6GIu7NJ032231; Fri, 16 Jul 2004 18:56:07 GMT
Received: from nma.com ([63.204.17.85]) by taurus.hosting4u.net ; Fri, 16 Jul 2004 13:56:06 -0500
Message-ID: <40F82418.3080307@nma.com>
Date: Fri, 16 Jul 2004 11:53:12 -0700
From: Ed Gerck <egerck@nma.com>
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Peter Hesse <certs@geminisecurity.com>
CC: ietf-smime@imc.org, ietf-pkix@imc.org
Subject: Re: Request: Send me signed messages
References: <002101c46b50$342174a0$7101a8c0@gemsec.com>
In-Reply-To: <002101c46b50$342174a0$7101a8c0@gemsec.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Peter Hesse wrote:
> All,
>
> We are looking to get a cache of many "real-world" certificates with which
> to do some testing related to certificate path building and validation.
> Since most email clients send the signer's path (or some portion thereof)
> with signed messages, I'd love to receive signed messages from anyone that
> is willing to send one. I expect the S/MIME and PKIX lists have a high
> quantity of individuals with the capability to send S/MIME signed messages.
Comments below.
> You have my personal guarantee that your email addresses will not be used or
> stored by us; I have no desire to alienate the community!
This is your promise #1.
> You can reply to this message (NOT THE LIST) and sign your reply, or send
> directly to certs@geminisecurity.com.
>
> I would be willing to share the resultant set of certificates with
> researchers interested in similar work.
This your promise #2. Do you think there is any conflict with your
promise #1? What do you think we know the "resultant set of certificates"
contain?
COMMENTS: Your message is off-topic and a spam. It's free to subscribe and
listen to the traffic if you wish. Please don't burden this list.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GI20ir010193; Fri, 16 Jul 2004 11:02:00 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GI202v010192; Fri, 16 Jul 2004 11:02:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GI1xZh010181 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 11:02:00 -0700 (PDT) (envelope-from tim.polk@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.12.10/8.12.10) with ESMTP id i6GI1jC0023593; Fri, 16 Jul 2004 14:01:45 -0400
Received: from krdp8.nist.gov (seclab14.ncsl.nist.gov [129.6.52.54]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id i6GI1Umb025296; Fri, 16 Jul 2004 14:01:30 -0400 (EDT)
Message-Id: <5.1.0.14.2.20040716135942.02da4d00@email.nist.gov>
X-Sender: wpolk@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 16 Jul 2004 14:05:06 -0400
To: housley@vigilsec.com, ietf-pkix@imc.org
From: Tim Polk <tim.polk@nist.gov>
Subject: forwarding
Cc: Stephen Kent <kent@bbn.com>, smb@att.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-NIST-MailScanner: Found to be clean
X-MailScanner-From: tim.polk@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Folks,
Last Call for "Certification Path Building" has been successfully completed.
All technical issues raised on the list have been resolved in the
current draft, available at
http://www.ietf.org/internet-drafts/draft-ietf-pkix-certpathbuild-04.txt
As a result, I am forwarding the document to the ADs and requesting
progression as an informational track RFC.
Thanks,
Tim Polk
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GHrLHv008986; Fri, 16 Jul 2004 10:53:21 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GHrLGC008985; Fri, 16 Jul 2004 10:53:21 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GHrK1c008971 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 10:53:20 -0700 (PDT) (envelope-from tim.polk@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.12.10/8.12.10) with ESMTP id i6GHrGaK031049 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 13:53:16 -0400
Received: from krdp8.nist.gov (seclab14.ncsl.nist.gov [129.6.52.54]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id i6GHqvmb018497 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 13:52:57 -0400 (EDT)
Message-Id: <5.1.0.14.2.20040716134947.02f7da90@email.nist.gov>
X-Sender: wpolk@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 16 Jul 2004 13:56:33 -0400
To: ietf-pkix@imc.org
From: Tim Polk <tim.polk@nist.gov>
Subject: WG Last Call: CertStore
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-NIST-MailScanner: Found to be clean
X-MailScanner-From: tim.polk@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Folks,
This message initiates working group last call for "Certificate Store
Access via HTTP" This document is currently available at
http://www.ietf.org/internet-drafts/draft-ietf-pkix-certstore-http-07.txt.
The document was intended for progression as Standards Track, so last call
will be two weeks. That is, Last Call for this document closes on or after
July 30, 2004.
This specification specifies the conventions for using the Hypertext
Transfer Protocol (HTTP/HTTPS) as an interface mechanism to obtain
certificates and certificate revocation lists (CRLs) from PKI repositories.
Thanks,
Tim Polk
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GGGcov092513; Fri, 16 Jul 2004 09:16:38 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GGGc6X092511; Fri, 16 Jul 2004 09:16:38 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail19g.dulles19-verio.com (mail19g.dulles19-verio.com [198.170.241.21] (may be forged)) by above.proper.com (8.12.11/8.12.9) with SMTP id i6GGGbd9092431 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 09:16:38 -0700 (PDT) (envelope-from certs@geminisecurity.com)
Received: from www.geminisecurity.com (161.58.96.110) by mail19g.dulles19-verio.com (RS ver 1.0.94vs) with SMTP id 4-0614554564; Fri, 16 Jul 2004 12:16:10 -0400 (EDT)
Message-ID: <002101c46b50$342174a0$7101a8c0@gemsec.com>
From: "Peter Hesse" <certs@geminisecurity.com>
To: <ietf-smime@imc.org>, <ietf-pkix@imc.org>
Subject: Request: Send me signed messages
Date: Fri, 16 Jul 2004 12:16:02 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Loop-Detect: 1
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
All,
We are looking to get a cache of many "real-world" certificates with which
to do some testing related to certificate path building and validation.
Since most email clients send the signer's path (or some portion thereof)
with signed messages, I'd love to receive signed messages from anyone that
is willing to send one. I expect the S/MIME and PKIX lists have a high
quantity of individuals with the capability to send S/MIME signed messages.
You have my personal guarantee that your email addresses will not be used or
stored by us; I have no desire to alienate the community!
You can reply to this message (NOT THE LIST) and sign your reply, or send
directly to certs@geminisecurity.com.
I would be willing to share the resultant set of certificates with
researchers interested in similar work. Please contact me on my normal
address, pmhesse[at]geminisecurity[dot]com if you are interested.
Thanks,
--Peter Hesse
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GFVJrd085862; Fri, 16 Jul 2004 08:31:19 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GFVJqI085861; Fri, 16 Jul 2004 08:31:19 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GFVG5T085833 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 08:31:18 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from medusa01 (medusa01.cs.auckland.ac.nz [130.216.34.33]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id 7C0001CDAAC; Sat, 17 Jul 2004 03:29:27 +1200 (NZST)
Received: from pgut001 by medusa01 with local (Exim 4.32) id 1BlUgC-00059V-CV; Sat, 17 Jul 2004 03:31:20 +1200
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: ietf-pkix@imc.org, Steve.Hanna@Sun.COM
Subject: Re: New I-D on Intl Strings in Certs
In-Reply-To: <40F2867D.6090408@sun.com>
Message-Id: <E1BlUgC-00059V-CV@medusa01>
Date: Sat, 17 Jul 2004 03:31:20 +1200
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Steve Hanna <Steve.Hanna@Sun.COM> writes:
>So please review this document and send comments to the PKIX list.
Here's mine.
>This algorithm SHOULD NOT be used for matching CRL distribution point names
>or cRLIssuer. A binary comparison SHOULD be used for such mapping.
Is there any reason why binary comparison is OK for finding who issued a CRL,
but not for who issued a cert?
>Path validation will fail when a relying party uses binary comparison to
>match X.500 names that differ slightly if the match is performed as part of
>subject-issuer name chaining or permittedSubtrees processing.
This begs the question of "Why the &*^#&$# would any CA in its right mind ever
issue a certificate where the issuer.suject DN gratuitously differs from the
subject.issuer DN by an extra space or something similar?". You'd have to
deliberately add code to break the DN as it goes from parent to child. Why
not say:
Any CA that issues certificates where the issuer.suject DN gratuitously
differs from the subject.issuer DN should be considered broken, with
handling of its certs not guaranteed by this specification.
(you can rephrase that as MUST and whatnot if you want).
>More substantial problems can occur if a relying party uses binary comparison
>to determine that an X.500 name does not match excludedSubtrees and the CA
>expected that it would match because of the more lenient processing.
It doesn't matter what algorithm they use, you can always escape
excludedSubtrees by clever encoding of your DNs (see the X.509 style guide for
the details). The draft should warn (like the RFC currently does) that you
can't rely on excludedSubtrees to exclude certs from non-cooperating cert
issuers (that is, ones that will create DNs with strings encoded so as to
avoid the exclusion).
Peter.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GEZwKU075692; Fri, 16 Jul 2004 07:35:58 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GEZwju075691; Fri, 16 Jul 2004 07:35:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GEZt8p075685 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 07:35:56 -0700 (PDT) (envelope-from tim.polk@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.12.10/8.12.10) with ESMTP id i6GEZmaK021990; Fri, 16 Jul 2004 10:35:48 -0400
Received: from krdp8.nist.gov (seclab14.ncsl.nist.gov [129.6.52.54]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id i6GEZImb003466; Fri, 16 Jul 2004 10:35:18 -0400 (EDT)
Message-Id: <5.1.0.14.2.20040716103110.0303da18@email.nist.gov>
X-Sender: wpolk@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 16 Jul 2004 10:38:54 -0400
To: "Michael Myers" <mmyers@fastq.com>, "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
From: Tim Polk <tim.polk@nist.gov>
Subject: RE: Unsigned DPD responses for SCVP15
In-Reply-To: <EOEGJNFMMIBDKGFONJJDKEPJDNAA.mmyers@fastq.com>
References: <6.1.1.1.2.20040714170612.0873c2c0@mail.binhost.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-NIST-MailScanner: Found to be clean
X-MailScanner-From: tim.polk@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike,
Why delay to San Diego?
Really, it makes no sense to require a DPV client to be capable of
asserting a flag that will incur a response it cannot hope to
process!!! That is the result if a client that does not implement path
validation asserts that flag!
I strongly believe that:
(1) some clients will be DPV-only since they will not include an X.509 path
validation module, and need not implement the flag at all;
(2) some clients will be designed for unsigned DPD only, and will be
hard-wired to assert the flag; and
(3) some clients will support unsigned DPD as well asat least one of (a)
signed DPD and (b) DPV, and will need to implement flag and provide
configuration
Let's forward a spec that reflects this reality.
Tim
At 03:14 PM 7/15/2004 -0700, Michael Myers wrote:
>Russ,
>
>Seems a matter for San Diego at this point.
>
>Mike
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Russ Housley
>Sent: Wednesday, July 14, 2004 2:10 PM
>To: Michael Myers; Tim Polk; ietf-pkix@imc.org
>Subject: RE: Unsigned DPD responses for SCVP15
>
>
>
>Mike:
>
>Recently, I have done a fair amount of work in the wireless space, and I
>am
>convinced that clients on these devices with limited processing
>capabilities will make use of DPV. So, maybe what we need is a profile
>at
>the end of the document that lists the features that must be implemented
>to
>be considered a DPV client, a DPV server, a DPD client, and a DPD
>server. This should be pretty easy to put together, although I doubt
>that
>it can be done before the draft deadline for the San Diego meeting.
>
>Russ
>
>At 04:03 PM 7/14/2004, Michael Myers wrote:
> >I'm not sure that can be predicted to such a degree.
> >
> >When Carlisle Adams, Stephen Farrell and I first addressed introduced
> >DPV and DPD to the WG, it was Stephen who was forceful in convincing
> >Carlisle and I that one of the most difficult issues wrt PKI was simply
> >acquiring the data necessary to path validation. This was due in no
> >small part to the various protocols and schemas associated with that
> >process, as now amply documented in 3379. Further, a "client" is not
> >just, for example, a web browser. It could be amalgamation of back
> >office mechanisms, AAA, Radius and what have you. I suspect there
>might
> >come to exist a non-trivial number of such instances.
> >
> >Also, are you saying that in your view an SCVP client is compliant if
>it
> >fails to allow use of id-stc-build-pkc-path in CertChecks syntax and
> >id-swb-pkc-cert-path and id-swb-pkc-revocation-info in the WantBack
> >syntax?
> >
> >Mike
> >
> >-----Original Message-----
> >From: Russ Housley [mailto:housley@vigilsec.com]
> >Sent: Wednesday, July 14, 2004 12:37 PM
> >To: Michael Myers; Tim Polk; ietf-pkix@imc.org
> >Subject: RE: Unsigned DPD responses for SCVP15
> >
> >
> >I do not accept your assumption. I expect many clients to be DPV-only.
> >
> >Russ
> >
> >At 03:31 PM 7/14/2004, Michael Myers wrote:
> > >True, SCVP clients that assert the OID that drives a server to
>produce
> >a
> > >validity assertion MUST accept and process a signature. But assuming
> > >that same client is also implemented to assert simply a return of
> >{path,
> > >rev-info}, then it seems reasonable to assume it should also be
>capable
> > >of asserting the flag.
> > >
> > >
> > >Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GEQpVk074515; Fri, 16 Jul 2004 07:26:51 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6GEQpOH074514; Fri, 16 Jul 2004 07:26:51 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6GEQnel074507 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 07:26:50 -0700 (PDT) (envelope-from tim.polk@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.12.10/8.12.10) with ESMTP id i6GEQAaK019743; Fri, 16 Jul 2004 10:26:10 -0400
Received: from krdp8.nist.gov (seclab14.ncsl.nist.gov [129.6.52.54]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id i6GEPimb024098; Fri, 16 Jul 2004 10:25:44 -0400 (EDT)
Message-Id: <5.1.0.14.2.20040716102712.03036580@email.nist.gov>
X-Sender: wpolk@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 16 Jul 2004 10:29:20 -0400
To: "Michael Myers" <mmyers@fastq.com>, "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
From: Tim Polk <tim.polk@nist.gov>
Subject: RE: Unsigned DPD responses for SCVP15
In-Reply-To: <EOEGJNFMMIBDKGFONJJDAEPFDNAA.mmyers@fastq.com>
References: <6.1.1.1.2.20040714151323.03c73638@mail.binhost.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-NIST-MailScanner: Found to be clean
X-MailScanner-From: tim.polk@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike,
If the client is implemented to permit asserting simply a return of {path,
rev-info}, then it is required to be capable of asserting the flag.
That is different from requiring this for all clients.
Tim
At 12:31 PM 7/14/2004 -0700, Michael Myers wrote:
>True, SCVP clients that assert the OID that drives a server to produce a
>validity assertion MUST accept and process a signature. But assuming
>that same client is also implemented to assert simply a return of {path,
>rev-info}, then it seems reasonable to assume it should also be capable
>of asserting the flag.
>
>
>Mike
>
>-----Original Message-----
>From: Russ Housley [mailto:housley@vigilsec.com]
>Sent: Wednesday, July 14, 2004 12:14 PM
>To: Michael Myers; Tim Polk; ietf-pkix@imc.org
>Subject: RE: Unsigned DPD responses for SCVP15
>
>
>There is no need for DPV clients to assert the flag!
>
>Russ
>
>At 12:16 PM 7/14/2004, Michael Myers wrote:
> >I would add one other requirement. Clients MUST be capable of
>asserting
> >the flag.
> >
> >Mike
> >
> >-----Original Message-----
> >From: owner-ietf-pkix@mail.imc.org
> >[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk
> >Sent: Wednesday, July 14, 2004 6:50 AM
> >To: Russ Housley; ietf-pkix@imc.org
> >Subject: Re: Unsigned DPD responses for SCVP15
> >
> >
> >
> >
> >
> >I also prefer the client-side flag option. However, I *strongly*
> >believe
> >that the default behavior (i.e., in the absence of the flag) should be
> >"signature is REQUIRED" on the SCVP response.
> >
> >In this way, the default behavior for SCVP always satisfies the
> >requirements specified in RFC 3379. Where the client has explicitly
> >determined that source authentication is not required, the client may
> >explicitly state this.
> >
> >I believe this option boils down to four fairly simple statements.
> >
> >(1) Where an SCVP request omits the "not going to authenticate" flag,
> >the
> >server is required to sign the response or return an error.
> >
> >(2) Where an SCVP request includes the flag, the server may include or
> >omit
> >the signature on the response. (So, a server that *always* signs
> >responses
> >doesn't need to process this flag...)
> >
> >(3) An SCVP client MUST NOT assert the "not going to authenticate" flag
> >and
> >request a statement about validity.
> >
> >(4) Where the request did not assert the new flag, the SCVP client MUST
> >process the digital signature on a response.
> >
> >I believe these changes would result in a protocol whose default
> >behavior
> >satisfies all the requirements in 3379, permits the employment of
> >unsigned
> >messages for DPD, and precludes any ambiguity in the implementation of
> >mixed mode servers.
> >
> >Tim Polk
> >
> >
> >
> >
> >At 12:38 PM 7/13/2004 -0400, Russ Housley wrote:
> >
> >
> > >My personal preference Option #2; however, I think that absence of
>this
> > >flag should indicate that the response should be signed. One needs
>to
> > >make a guess about deployment to select the best semantic for this
> > >situation, and my guess is that server authentication will be
> >important.
> > >
> > >Russ
> > >
> > >
> > >Trevor Freeman wrote:
> > >>I have been asked to add unsigned responses for DPD clients to
>SCVP15.
> > >>There are two models proposed on how we accomplish that both of
>which
> > >>meet the requirements for 3379. I would therefore like some feedback
> >on
> > >>how the group views the two mechanisms
> > >>
> > >>Global Server Policy that it is DPD only
> > >>The first proposal is to make the option controlled by the server as
>a
> > >>global policy. Therefore the server would publish via policy that is
> >only
> > >>supports DPD as such never signs a response. DPV client and DPD
> >clients
> > >>wanting a signed response then know to use another server.
> > >>
> > >>SCVP Request option to not sign response
> > >>The second option is to leave it to the client to signal to the
>server
> >it
> > >>does not need a signature on the response by a new flag in the
>request
> > >>(or its twin the flag indicates it does want a signature on the
> > >>response). This allows clients to be benevolent towards the server
>by
> > >>asking it to skip the signature. Server can still at their
>discretion
> > >>still sign.
> > >>
> > >>Needless to say it is possible to hybridize the two but I am hopeful
> >we
> > >>can try and keep this as simple as possible be picking on of the
>two.
> > >>Trevor
> > >
> > >
> > >
> > >
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6G1NGaX054199; Thu, 15 Jul 2004 18:23:16 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6G1NGvp054198; Thu, 15 Jul 2004 18:23:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from ns01.secom.co.jp (ns01.secom.co.jp [61.114.178.247]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6G1NFKB054174 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 18:23:15 -0700 (PDT) (envelope-from k-urushima@secom.co.jp)
Received: from mlit02.intra.secom.co.jp ([172.21.1.41]) by ns01.secom.co.jp (8.11.7-20030918/3.7W) with ESMTP id i6G1N7w25782 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 10:23:07 +0900 (JST)
Received: from sectrl.isl.secom.co.jp (localhost [127.0.0.1]) by mlit02.intra.secom.co.jp (8.11.3/3.7W) with ESMTP id i6G1N7K17763 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 10:23:07 +0900
Received: from isis.sp.isl.secom.co.jp (isis.isl.secom.co.jp [10.131.16.23]) by sectrl.isl.secom.co.jp (Postfix) with ESMTP id 0ECF41E72E for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 10:23:07 +0900 (JST)
Received: from PC6 (pc6.isl.secom.co.jp [10.131.129.79]) by isis.sp.isl.secom.co.jp (8.9.1+3.1W/3.7W-Isis.1) with SMTP id KAA27013 for <ietf-pkix@imc.org>; Fri, 16 Jul 2004 10:23:06 +0900
Message-ID: <003801c46ad3$71f4f860$4f81830a@PC6>
From: "Kenji URUSHIMA" <k-urushima@secom.co.jp>
To: <ietf-pkix@imc.org>
Subject: Announce: Challenge PKI Test Suite 2.0 available
Date: Fri, 16 Jul 2004 10:23:05 +0900
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
All,
The 'Challenge PKI Project' will announce
the release of 'Challenge PKI Test Suite 2.0', an open source
freeware which helps you to test multi-domain
PKI interoperability.
It has following features.
- Multi Domain PKI testing environment using only ONE Linux PC.
- Open Source Software distributed as BSD lincence.
- Multiple CA certificate issuance
- Multiple LDAP repository
- Test case database for certificate path processing and timestamp testing
- Easy accessible web browser based interface
- Flexible certificate and CRL issuance (e.g. any special extensions,
distinguish name which contains special characters such like
UTF8String of European, Chinese, Korean or Japanese languages)
- Cooperative test case design environment.
- Easy to re-build test environment.
- Cross certification with CA products.
- OCSP Responder and Japanese GPKI CVS(Certificate Validation Server)
Simulator
- RFC 3161 Timestamp request and response generator.
* DOWNLOAD
http://www.jnsa.org/mpki/
http://www.jnsa.org/mpki/ts/cpkits-2.0.2-21.i386.rpm RedHat RPM
http://www.jnsa.org/mpki/ts/cpkits-2.0.2-21.src.rpm RedHat SRPM
http://www.jnsa.org/mpki/ts/cpkits-2.0.2-21.tar.gz Tar Archive
http://www.jnsa.org/mpki/ts/cpki_testcase_jgpki2_20040709.tar.gz
Japanese Government PKI Testcase
Other test cases will be provided near in future.
Online document can be found at the following URLs.
Challenge PKI Project
http://www.jnsa.org/mpki/
Challenge PKI Test Suite 2.0 Document
http://www.jnsa.org/mpki/ts/
Japanese Government PKI Test Case
http://www.jnsa.org/mpki/ts/testcase_jgpki2/
* SYSTEM REQUIREMENTS
Intel(R) Pentium(R) compatible processor 300MHz or above
RedHat 7.3 or later
64MB RAM or above
200MB of available hard-disk space
NIC
We recommend RedHat 7.3 or later for the operating system but
it's easy to port other operating systems.
We have already tested on Solaris and FreeBSD.
* CHALLENGE PKI PROJECT
The 'Challenge PKI Project' is established as one of activities
in the NPO Japan Network Security Association (JNSA).
Our goal is ensure PKI interoperability and contribute actively to
development and spread of reliable PKI applications in future
electronic society.
* CONTACT
Feel free to mail 'mpki at jnsa.org'
if you have any questions, comments or contributions of
source code or documents.
Enjoy.
-- Kenji URUSHIMA (Challenge PKI Project, SECOM Co., Ltd.)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6FMEiVp025852; Thu, 15 Jul 2004 15:14:44 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6FMEihx025851; Thu, 15 Jul 2004 15:14:44 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6FMEh7S025836 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 15:14:43 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-106.fastq.com [65.39.92.106]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6FMEh845542; Thu, 15 Jul 2004 15:14:43 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Russ Housley" <housley@vigilsec.com>, "Tim Polk" <tim.polk@nist.gov>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Thu, 15 Jul 2004 15:14:03 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDKEPJDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <6.1.1.1.2.20040714170612.0873c2c0@mail.binhost.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
Seems a matter for San Diego at this point.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Russ Housley
Sent: Wednesday, July 14, 2004 2:10 PM
To: Michael Myers; Tim Polk; ietf-pkix@imc.org
Subject: RE: Unsigned DPD responses for SCVP15
Mike:
Recently, I have done a fair amount of work in the wireless space, and I
am
convinced that clients on these devices with limited processing
capabilities will make use of DPV. So, maybe what we need is a profile
at
the end of the document that lists the features that must be implemented
to
be considered a DPV client, a DPV server, a DPD client, and a DPD
server. This should be pretty easy to put together, although I doubt
that
it can be done before the draft deadline for the San Diego meeting.
Russ
At 04:03 PM 7/14/2004, Michael Myers wrote:
>I'm not sure that can be predicted to such a degree.
>
>When Carlisle Adams, Stephen Farrell and I first addressed introduced
>DPV and DPD to the WG, it was Stephen who was forceful in convincing
>Carlisle and I that one of the most difficult issues wrt PKI was simply
>acquiring the data necessary to path validation. This was due in no
>small part to the various protocols and schemas associated with that
>process, as now amply documented in 3379. Further, a "client" is not
>just, for example, a web browser. It could be amalgamation of back
>office mechanisms, AAA, Radius and what have you. I suspect there
might
>come to exist a non-trivial number of such instances.
>
>Also, are you saying that in your view an SCVP client is compliant if
it
>fails to allow use of id-stc-build-pkc-path in CertChecks syntax and
>id-swb-pkc-cert-path and id-swb-pkc-revocation-info in the WantBack
>syntax?
>
>Mike
>
>-----Original Message-----
>From: Russ Housley [mailto:housley@vigilsec.com]
>Sent: Wednesday, July 14, 2004 12:37 PM
>To: Michael Myers; Tim Polk; ietf-pkix@imc.org
>Subject: RE: Unsigned DPD responses for SCVP15
>
>
>I do not accept your assumption. I expect many clients to be DPV-only.
>
>Russ
>
>At 03:31 PM 7/14/2004, Michael Myers wrote:
> >True, SCVP clients that assert the OID that drives a server to
produce
>a
> >validity assertion MUST accept and process a signature. But assuming
> >that same client is also implemented to assert simply a return of
>{path,
> >rev-info}, then it seems reasonable to assume it should also be
capable
> >of asserting the flag.
> >
> >
> >Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6FFjUjP061664; Thu, 15 Jul 2004 08:45:30 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6FFjU8M061663; Thu, 15 Jul 2004 08:45:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6FFjSSO061645 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 08:45:29 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 4109 invoked by uid 0); 15 Jul 2004 15:39:57 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.40.47) by woodstock.binhost.com with SMTP; 15 Jul 2004 15:39:57 -0000
Message-Id: <6.1.1.1.2.20040715114512.0399cec0@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Thu, 15 Jul 2004 11:45:40 -0400
To: "Manger, James H" <James.H.Manger@team.telstra.com>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: Unsigned DPD responses for SCVP15
In-Reply-To: <73388857A695D31197EF00508B08F29806EE1B39@ntmsg0131.corpmai l.telstra.com.au>
References: <73388857A695D31197EF00508B08F29806EE1B39@ntmsg0131.corpmail.telstra.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Thanks for the suggestion. It works for me.
Russ
At 01:22 AM 7/15/2004, Manger, James H wrote:
>How about "Clients that can use SCVP for DPD MUST be capable of asserting
>the flag".
>
>Mike might be satisfied - the feature will be usable.
>Russ might be satisfied - a DPV-only client can ignore this feature.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6FA89vZ097363; Thu, 15 Jul 2004 03:08:09 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6FA899q097362; Thu, 15 Jul 2004 03:08:09 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mh.pvt.cz (spider.pvt.cz [194.149.101.200]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6FA87rt097331 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 03:08:08 -0700 (PDT) (envelope-from Jaroslav.Pinkava@pvt.cz)
Received: from PHAWEX01.pvt.cz (phaw02.pvt.cz [172.17.21.21]) by mh.pvt.cz (8.11.2/8.11.2) with ESMTP id i6FA7Xh04728; Thu, 15 Jul 2004 12:07:33 +0200
Received: from brnw00.pvt.cz ([172.17.41.10]) by PHAWEX01.pvt.cz with Microsoft SMTPSVC(5.0.2195.5329); Thu, 15 Jul 2004 12:06:47 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-2"
Subject: RE: I-D ACTION:draft-ietf-pkix-pi-10.txt
content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Date: Thu, 15 Jul 2004 12:06:47 +0200
Message-ID: <8D6175338BE782478D2A7035315851C634DD9A@brnw00.pvt.cz>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: I-D ACTION:draft-ietf-pkix-pi-10.txt
Thread-Index: AcRqUefW0kXKvJdfT2W7YUd15iP4aAAAOg3w
From: "Pinkava Jaroslav" <Jaroslav.Pinkava@pvt.cz>
To: "Denis Pinkas" <Denis.Pinkas@bull.net>
Cc: <ietf-pkix@imc.org>
X-OriginalArrivalTime: 15 Jul 2004 10:06:47.0647 (UTC) FILETIME=[708F0EF0:01C46A53]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6FA88rt097354
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
The adress http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
doesn´t work.
J. Pinkava
-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@bull.net]
Sent: Thursday, July 15, 2004 10:06 AM
Cc: ietf-pkix@imc.org
Subject: Re: I-D ACTION:draft-ietf-pkix-pi-10.txt
Some information about the major changes done to this draft.
After side discussions initiated by Anders Rundgren and followed by Peter
Gutmann, I have discussed with my co-editor, the PKIX chairs and the
security Area Director.
As the result of this, the definition of the PI has been changed to allow to
use the serialNumber attribute from the subject DN.
In the previous draft, there were 2 options or variants for the PI which was
defined as:
PermanentIdentifier ::= SEQUENCE {
identifierValue UTF8String,
identifierType OBJECT IDENTIFIER OPTIONAL
}
In draft 10, there are now 3 options or variants for the PI which has been
redefined as:
PermanentIdentifier ::= SEQUENCE {
identifierValue UTF8String OPTIONAL,
-- if absent, use the serialNumber attribute
if there is a single such attribute present
in the subject DN
assigner OBJECT IDENTIFIER OPTIONAL
-- if absent, the assigner is
the certificate issuer
}
For further details, please take a look at the draft.
(and if you take a close look, you will find a "typo" ASN.1 error,
that will need to be corrected by re-issuing a new draft). :-(
Denis
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.
>
> Title : Internet X.509 Public Key Infrastructure Permanent Identifier
> Author(s) : D. Pinkas, T. Gindin
> Filename : draft-ietf-pkix-pi-10.txt
> Pages : 13
> Date : 2004-7-13
>
> This document define a new form of name, called permanent
> identifier, that may be included in the subjectAltName extension
> of a public key certificate issued to an entity.
> The permanent identifier is an optional feature that may be used
> by a CA to indicate that the certificate relates to the same
> entity even if the name or the affiliation of that entity stored
> in the subject or another name form in the subjectAltName extension
> has changed.
> The subject name, carried in the subject field, is only unique
> for each subject entity certified by the one CA as defined by the
> issuer name field. Also, the new name form can carry a
> name that is unique for each subject entity certified by a CA.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
>
> To remove yourself from the I-D Announcement list, send a message to
> i-d-announce-request@ietf.org with the word unsubscribe in the body of the message.
> You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
> to change your subscription settings.
>
>
> Internet-Drafts are also available by anonymous FTP. Login with the username
> "anonymous" and a password of your e-mail address. After logging in,
> type "cd internet-drafts" and then
> "get draft-ietf-pkix-pi-10.txt".
>
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>
> Internet-Drafts can also be obtained by e-mail.
>
> Send a message to:
> mailserv@ietf.org.
> In the body type:
> "FILE /internet-drafts/draft-ietf-pkix-pi-10.txt".
>
> NOTE: The mail server at ietf.org can return the document in
> MIME-encoded form by using the "mpack" utility. To use this
> feature, insert the command "ENCODING mime" before the "FILE"
> command. To decode the response(s), you will need "munpack" or
> a MIME-compliant mail reader. Different MIME-compliant mail readers
> exhibit different behavior, especially when dealing with
> "multipart" MIME messages (i.e. documents which have been split
> up into multiple messages), so check your local documentation on
> how to manipulate these messages.
>
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6F85xM3043317; Thu, 15 Jul 2004 01:05:59 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6F85xOI043316; Thu, 15 Jul 2004 01:05:59 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6F85u6l043224 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 01:05:57 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA19064 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 10:16:10 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id KAA29668 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 10:05:35 +0200
Message-ID: <40F63ADB.9070709@bull.net>
Date: Thu, 15 Jul 2004 10:05:47 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
CC: ietf-pkix@imc.org
Subject: Re: I-D ACTION:draft-ietf-pkix-pi-10.txt
References: <200407132004.QAA10444@ietf.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Some information about the major changes done to this draft.
After side discussions initiated by Anders Rundgren and followed by Peter
Gutmann, I have discussed with my co-editor, the PKIX chairs and the
security Area Director.
As the result of this, the definition of the PI has been changed to allow to
use the serialNumber attribute from the subject DN.
In the previous draft, there were 2 options or variants for the PI which was
defined as:
PermanentIdentifier ::= SEQUENCE {
identifierValue UTF8String,
identifierType OBJECT IDENTIFIER OPTIONAL
}
In draft 10, there are now 3 options or variants for the PI which has been
redefined as:
PermanentIdentifier ::= SEQUENCE {
identifierValue UTF8String OPTIONAL,
-- if absent, use the serialNumber attribute
if there is a single such attribute present
in the subject DN
assigner OBJECT IDENTIFIER OPTIONAL
-- if absent, the assigner is
the certificate issuer
}
For further details, please take a look at the draft.
(and if you take a close look, you will find a "typo" ASN.1 error,
that will need to be corrected by re-issuing a new draft). :-(
Denis
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.
>
> Title : Internet X.509 Public Key Infrastructure Permanent Identifier
> Author(s) : D. Pinkas, T. Gindin
> Filename : draft-ietf-pkix-pi-10.txt
> Pages : 13
> Date : 2004-7-13
>
> This document define a new form of name, called permanent
> identifier, that may be included in the subjectAltName extension
> of a public key certificate issued to an entity.
> The permanent identifier is an optional feature that may be used
> by a CA to indicate that the certificate relates to the same
> entity even if the name or the affiliation of that entity stored
> in the subject or another name form in the subjectAltName extension
> has changed.
> The subject name, carried in the subject field, is only unique
> for each subject entity certified by the one CA as defined by the
> issuer name field. Also, the new name form can carry a
> name that is unique for each subject entity certified by a CA.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
>
> To remove yourself from the I-D Announcement list, send a message to
> i-d-announce-request@ietf.org with the word unsubscribe in the body of the message.
> You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
> to change your subscription settings.
>
>
> Internet-Drafts are also available by anonymous FTP. Login with the username
> "anonymous" and a password of your e-mail address. After logging in,
> type "cd internet-drafts" and then
> "get draft-ietf-pkix-pi-10.txt".
>
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>
> Internet-Drafts can also be obtained by e-mail.
>
> Send a message to:
> mailserv@ietf.org.
> In the body type:
> "FILE /internet-drafts/draft-ietf-pkix-pi-10.txt".
>
> NOTE: The mail server at ietf.org can return the document in
> MIME-encoded form by using the "mpack" utility. To use this
> feature, insert the command "ENCODING mime" before the "FILE"
> command. To decode the response(s), you will need "munpack" or
> a MIME-compliant mail reader. Different MIME-compliant mail readers
> exhibit different behavior, especially when dealing with
> "multipart" MIME messages (i.e. documents which have been split
> up into multiple messages), so check your local documentation on
> how to manipulate these messages.
>
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6F5N4Z8063120; Wed, 14 Jul 2004 22:23:04 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6F5N4AV063118; Wed, 14 Jul 2004 22:23:04 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailbo.ntcif.telstra.com.au (mailbo.ntcif.telstra.com.au [202.12.233.19]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6F5N3iA062896 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 22:23:04 -0700 (PDT) (envelope-from James.H.Manger@team.telstra.com)
Received: from mailai.ntcif.telstra.com.au (mailai.ntcif.telstra.com.au [202.12.162.17]) by mailbo.ntcif.telstra.com.au (Postfix) with ESMTP id BCBB212C59 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 15:22:58 +1000 (EST)
Received: from mail2.cdn.telstra.com.au (localhost [127.0.0.1]) by mailai.ntcif.telstra.com.au (Postfix) with ESMTP id 69167FF83 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 15:22:58 +1000 (EST)
Received: from WSMSG0004.srv.dir.telstra.com (wsmsg0004.srv.dir.telstra.com [192.74.168.133]) by mail2.cdn.telstra.com.au (Postfix) with ESMTP id 3BB6741E73 for <ietf-pkix@imc.org>; Thu, 15 Jul 2004 15:22:58 +1000 (EST)
content-class: urn:content-classes:message
Subject: RE: Unsigned DPD responses for SCVP15
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Thu, 15 Jul 2004 15:22:52 +1000
Message-ID: <73388857A695D31197EF00508B08F29806EE1B39@ntmsg0131.corpmail.telstra.com.au>
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Unsigned DPD responses for SCVP15
Thread-Index: AcRp9TvN4kpe21UvThmTmW3ckYPAxwANeY/A
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: <ietf-pkix@imc.org>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6F5N4iA063109
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
How about "Clients that can use SCVP for DPD MUST be capable of asserting the flag".
Mike might be satisfied - the feature will be usable.
Russ might be satisfied - a DPV-only client can ignore this feature.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6ELAKAo074609; Wed, 14 Jul 2004 14:10:20 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6ELAKfY074608; Wed, 14 Jul 2004 14:10:20 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6ELAJvh074592 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 14:10:19 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 23638 invoked by uid 0); 14 Jul 2004 21:05:02 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.95.220) by woodstock.binhost.com with SMTP; 14 Jul 2004 21:05:02 -0000
Message-Id: <6.1.1.1.2.20040714170612.0873c2c0@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Wed, 14 Jul 2004 17:10:28 -0400
To: "Michael Myers" <mmyers@fastq.com>, "Tim Polk" <tim.polk@nist.gov>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: Unsigned DPD responses for SCVP15
In-Reply-To: <EOEGJNFMMIBDKGFONJJDEEPGDNAA.mmyers@fastq.com>
References: <6.1.1.1.2.20040714153615.0876ae08@mail.binhost.com> <EOEGJNFMMIBDKGFONJJDEEPGDNAA.mmyers@fastq.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike:
Recently, I have done a fair amount of work in the wireless space, and I am
convinced that clients on these devices with limited processing
capabilities will make use of DPV. So, maybe what we need is a profile at
the end of the document that lists the features that must be implemented to
be considered a DPV client, a DPV server, a DPD client, and a DPD
server. This should be pretty easy to put together, although I doubt that
it can be done before the draft deadline for the San Diego meeting.
Russ
At 04:03 PM 7/14/2004, Michael Myers wrote:
>I'm not sure that can be predicted to such a degree.
>
>When Carlisle Adams, Stephen Farrell and I first addressed introduced
>DPV and DPD to the WG, it was Stephen who was forceful in convincing
>Carlisle and I that one of the most difficult issues wrt PKI was simply
>acquiring the data necessary to path validation. This was due in no
>small part to the various protocols and schemas associated with that
>process, as now amply documented in 3379. Further, a "client" is not
>just, for example, a web browser. It could be amalgamation of back
>office mechanisms, AAA, Radius and what have you. I suspect there might
>come to exist a non-trivial number of such instances.
>
>Also, are you saying that in your view an SCVP client is compliant if it
>fails to allow use of id-stc-build-pkc-path in CertChecks syntax and
>id-swb-pkc-cert-path and id-swb-pkc-revocation-info in the WantBack
>syntax?
>
>Mike
>
>-----Original Message-----
>From: Russ Housley [mailto:housley@vigilsec.com]
>Sent: Wednesday, July 14, 2004 12:37 PM
>To: Michael Myers; Tim Polk; ietf-pkix@imc.org
>Subject: RE: Unsigned DPD responses for SCVP15
>
>
>I do not accept your assumption. I expect many clients to be DPV-only.
>
>Russ
>
>At 03:31 PM 7/14/2004, Michael Myers wrote:
> >True, SCVP clients that assert the OID that drives a server to produce
>a
> >validity assertion MUST accept and process a signature. But assuming
> >that same client is also implemented to assert simply a return of
>{path,
> >rev-info}, then it seems reasonable to assume it should also be capable
> >of asserting the flag.
> >
> >
> >Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EK4HG8063172; Wed, 14 Jul 2004 13:04:17 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EK4HS7063171; Wed, 14 Jul 2004 13:04:17 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EK4G4s063163 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 13:04:16 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-106.fastq.com [65.39.92.106]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6EK4F821049; Wed, 14 Jul 2004 13:04:15 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Russ Housley" <housley@vigilsec.com>, "Tim Polk" <tim.polk@nist.gov>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Wed, 14 Jul 2004 13:03:33 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDEEPGDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <6.1.1.1.2.20040714153615.0876ae08@mail.binhost.com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I'm not sure that can be predicted to such a degree.
When Carlisle Adams, Stephen Farrell and I first addressed introduced
DPV and DPD to the WG, it was Stephen who was forceful in convincing
Carlisle and I that one of the most difficult issues wrt PKI was simply
acquiring the data necessary to path validation. This was due in no
small part to the various protocols and schemas associated with that
process, as now amply documented in 3379. Further, a "client" is not
just, for example, a web browser. It could be amalgamation of back
office mechanisms, AAA, Radius and what have you. I suspect there might
come to exist a non-trivial number of such instances.
Also, are you saying that in your view an SCVP client is compliant if it
fails to allow use of id-stc-build-pkc-path in CertChecks syntax and
id-swb-pkc-cert-path and id-swb-pkc-revocation-info in the WantBack
syntax?
Mike
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Wednesday, July 14, 2004 12:37 PM
To: Michael Myers; Tim Polk; ietf-pkix@imc.org
Subject: RE: Unsigned DPD responses for SCVP15
I do not accept your assumption. I expect many clients to be DPV-only.
Russ
At 03:31 PM 7/14/2004, Michael Myers wrote:
>True, SCVP clients that assert the OID that drives a server to produce
a
>validity assertion MUST accept and process a signature. But assuming
>that same client is also implemented to assert simply a return of
{path,
>rev-info}, then it seems reasonable to assume it should also be capable
>of asserting the flag.
>
>
>Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EJb1RX058808; Wed, 14 Jul 2004 12:37:01 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EJb1Hv058807; Wed, 14 Jul 2004 12:37:01 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6EJb0v9058800 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 12:37:00 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 28093 invoked by uid 0); 14 Jul 2004 19:31:44 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.10.112) by woodstock.binhost.com with SMTP; 14 Jul 2004 19:31:44 -0000
Message-Id: <6.1.1.1.2.20040714153615.0876ae08@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Wed, 14 Jul 2004 15:37:27 -0400
To: "Michael Myers" <mmyers@fastq.com>, "Tim Polk" <tim.polk@nist.gov>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: Unsigned DPD responses for SCVP15
In-Reply-To: <EOEGJNFMMIBDKGFONJJDAEPFDNAA.mmyers@fastq.com>
References: <6.1.1.1.2.20040714151323.03c73638@mail.binhost.com> <EOEGJNFMMIBDKGFONJJDAEPFDNAA.mmyers@fastq.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I do not accept your assumption. I expect many clients to be DPV-only.
Russ
At 03:31 PM 7/14/2004, Michael Myers wrote:
>True, SCVP clients that assert the OID that drives a server to produce a
>validity assertion MUST accept and process a signature. But assuming
>that same client is also implemented to assert simply a return of {path,
>rev-info}, then it seems reasonable to assume it should also be capable
>of asserting the flag.
>
>
>Mike
>
>-----Original Message-----
>From: Russ Housley [mailto:housley@vigilsec.com]
>Sent: Wednesday, July 14, 2004 12:14 PM
>To: Michael Myers; Tim Polk; ietf-pkix@imc.org
>Subject: RE: Unsigned DPD responses for SCVP15
>
>
>There is no need for DPV clients to assert the flag!
>
>Russ
>
>At 12:16 PM 7/14/2004, Michael Myers wrote:
> >I would add one other requirement. Clients MUST be capable of
>asserting
> >the flag.
> >
> >Mike
> >
> >-----Original Message-----
> >From: owner-ietf-pkix@mail.imc.org
> >[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk
> >Sent: Wednesday, July 14, 2004 6:50 AM
> >To: Russ Housley; ietf-pkix@imc.org
> >Subject: Re: Unsigned DPD responses for SCVP15
> >
> >
> >
> >
> >
> >I also prefer the client-side flag option. However, I *strongly*
> >believe
> >that the default behavior (i.e., in the absence of the flag) should be
> >"signature is REQUIRED" on the SCVP response.
> >
> >In this way, the default behavior for SCVP always satisfies the
> >requirements specified in RFC 3379. Where the client has explicitly
> >determined that source authentication is not required, the client may
> >explicitly state this.
> >
> >I believe this option boils down to four fairly simple statements.
> >
> >(1) Where an SCVP request omits the "not going to authenticate" flag,
> >the
> >server is required to sign the response or return an error.
> >
> >(2) Where an SCVP request includes the flag, the server may include or
> >omit
> >the signature on the response. (So, a server that *always* signs
> >responses
> >doesn't need to process this flag...)
> >
> >(3) An SCVP client MUST NOT assert the "not going to authenticate" flag
> >and
> >request a statement about validity.
> >
> >(4) Where the request did not assert the new flag, the SCVP client MUST
> >process the digital signature on a response.
> >
> >I believe these changes would result in a protocol whose default
> >behavior
> >satisfies all the requirements in 3379, permits the employment of
> >unsigned
> >messages for DPD, and precludes any ambiguity in the implementation of
> >mixed mode servers.
> >
> >Tim Polk
> >
> >
> >
> >
> >At 12:38 PM 7/13/2004 -0400, Russ Housley wrote:
> >
> >
> > >My personal preference Option #2; however, I think that absence of
>this
> > >flag should indicate that the response should be signed. One needs
>to
> > >make a guess about deployment to select the best semantic for this
> > >situation, and my guess is that server authentication will be
> >important.
> > >
> > >Russ
> > >
> > >
> > >Trevor Freeman wrote:
> > >>I have been asked to add unsigned responses for DPD clients to
>SCVP15.
> > >>There are two models proposed on how we accomplish that both of
>which
> > >>meet the requirements for 3379. I would therefore like some feedback
> >on
> > >>how the group views the two mechanisms
> > >>
> > >>Global Server Policy that it is DPD only
> > >>The first proposal is to make the option controlled by the server as
>a
> > >>global policy. Therefore the server would publish via policy that is
> >only
> > >>supports DPD as such never signs a response. DPV client and DPD
> >clients
> > >>wanting a signed response then know to use another server.
> > >>
> > >>SCVP Request option to not sign response
> > >>The second option is to leave it to the client to signal to the
>server
> >it
> > >>does not need a signature on the response by a new flag in the
>request
> > >>(or its twin the flag indicates it does want a signature on the
> > >>response). This allows clients to be benevolent towards the server
>by
> > >>asking it to skip the signature. Server can still at their
>discretion
> > >>still sign.
> > >>
> > >>Needless to say it is possible to hybridize the two but I am hopeful
> >we
> > >>can try and keep this as simple as possible be picking on of the
>two.
> > >>Trevor
> > >
> > >
> > >
> > >
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EJWZIO058069; Wed, 14 Jul 2004 12:32:35 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EJWZs8058068; Wed, 14 Jul 2004 12:32:35 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EJWZaE058056 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 12:32:35 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-106.fastq.com [65.39.92.106]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6EJWX816909; Wed, 14 Jul 2004 12:32:33 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Russ Housley" <housley@vigilsec.com>, "Tim Polk" <tim.polk@nist.gov>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Wed, 14 Jul 2004 12:31:54 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDAEPFDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <6.1.1.1.2.20040714151323.03c73638@mail.binhost.com>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
True, SCVP clients that assert the OID that drives a server to produce a
validity assertion MUST accept and process a signature. But assuming
that same client is also implemented to assert simply a return of {path,
rev-info}, then it seems reasonable to assume it should also be capable
of asserting the flag.
Mike
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Wednesday, July 14, 2004 12:14 PM
To: Michael Myers; Tim Polk; ietf-pkix@imc.org
Subject: RE: Unsigned DPD responses for SCVP15
There is no need for DPV clients to assert the flag!
Russ
At 12:16 PM 7/14/2004, Michael Myers wrote:
>I would add one other requirement. Clients MUST be capable of
asserting
>the flag.
>
>Mike
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk
>Sent: Wednesday, July 14, 2004 6:50 AM
>To: Russ Housley; ietf-pkix@imc.org
>Subject: Re: Unsigned DPD responses for SCVP15
>
>
>
>
>
>I also prefer the client-side flag option. However, I *strongly*
>believe
>that the default behavior (i.e., in the absence of the flag) should be
>"signature is REQUIRED" on the SCVP response.
>
>In this way, the default behavior for SCVP always satisfies the
>requirements specified in RFC 3379. Where the client has explicitly
>determined that source authentication is not required, the client may
>explicitly state this.
>
>I believe this option boils down to four fairly simple statements.
>
>(1) Where an SCVP request omits the "not going to authenticate" flag,
>the
>server is required to sign the response or return an error.
>
>(2) Where an SCVP request includes the flag, the server may include or
>omit
>the signature on the response. (So, a server that *always* signs
>responses
>doesn't need to process this flag...)
>
>(3) An SCVP client MUST NOT assert the "not going to authenticate" flag
>and
>request a statement about validity.
>
>(4) Where the request did not assert the new flag, the SCVP client MUST
>process the digital signature on a response.
>
>I believe these changes would result in a protocol whose default
>behavior
>satisfies all the requirements in 3379, permits the employment of
>unsigned
>messages for DPD, and precludes any ambiguity in the implementation of
>mixed mode servers.
>
>Tim Polk
>
>
>
>
>At 12:38 PM 7/13/2004 -0400, Russ Housley wrote:
>
>
> >My personal preference Option #2; however, I think that absence of
this
> >flag should indicate that the response should be signed. One needs
to
> >make a guess about deployment to select the best semantic for this
> >situation, and my guess is that server authentication will be
>important.
> >
> >Russ
> >
> >
> >Trevor Freeman wrote:
> >>I have been asked to add unsigned responses for DPD clients to
SCVP15.
> >>There are two models proposed on how we accomplish that both of
which
> >>meet the requirements for 3379. I would therefore like some feedback
>on
> >>how the group views the two mechanisms
> >>
> >>Global Server Policy that it is DPD only
> >>The first proposal is to make the option controlled by the server as
a
> >>global policy. Therefore the server would publish via policy that is
>only
> >>supports DPD as such never signs a response. DPV client and DPD
>clients
> >>wanting a signed response then know to use another server.
> >>
> >>SCVP Request option to not sign response
> >>The second option is to leave it to the client to signal to the
server
>it
> >>does not need a signature on the response by a new flag in the
request
> >>(or its twin the flag indicates it does want a signature on the
> >>response). This allows clients to be benevolent towards the server
by
> >>asking it to skip the signature. Server can still at their
discretion
> >>still sign.
> >>
> >>Needless to say it is possible to hybridize the two but I am hopeful
>we
> >>can try and keep this as simple as possible be picking on of the
two.
> >>Trevor
> >
> >
> >
> >
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EJEroL055077; Wed, 14 Jul 2004 12:14:53 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EJErqF055076; Wed, 14 Jul 2004 12:14:53 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from imo-m16.mx.aol.com (imo-m16.mx.aol.com [64.12.138.206]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EJEqKp055058 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 12:14:52 -0700 (PDT) (envelope-from THayes0993@aol.com)
Received: from THayes0993@aol.com by imo-m16.mx.aol.com (mail_out_v37_r2.6.) id 6.129.461bcc8c (15901); Wed, 14 Jul 2004 15:14:37 -0400 (EDT)
Received: from pc655301.ad.aol.aoltw.net (h-10-169-149-117.nscp.aoltw.net [10.169.149.117]) by air-id09.mx.aol.com (v100.23) with ESMTP id MAILINID94-3e1d40f5861a96; Wed, 14 Jul 2004 15:14:37 -0400
Date: Wed, 14 Jul 2004 12:14:32 -0700
From: "Terry Hayes" <thayes0993@aol.com>
Subject: RE: Unsigned DPD responses for SCVP15
To: "Michael Myers" <mmyers@fastq.com>, "Tim Polk" <tim.polk@nist.gov>, "Russ Housley" <housley@vigilsec.com>, ietf-pkix@imc.org
In-Reply-To: <EOEGJNFMMIBDKGFONJJDEEPEDNAA.mmyers@fastq.com>
Message-ID: <40F58618.3030706@aol.com>
References: <EOEGJNFMMIBDKGFONJJDEEPEDNAA.mmyers@fastq.com>
X-Mailer: AOL Fanfare (20040710Branch.4205.94 Win)
Organization: AOL
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
X-AOL-IP: 10.169.149.117
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike,
The client should not be required to have this capability. If a client applicatio will never assert the flag because of its operating environment and policy, why should it be required to implement code that can set it? The need to assert the flag (or not) can be predicted ahead of time in some environments.
Terry
Michael Myers wrote on 7/14/2004, 11:57 AM:
>
> I thought we were done too until I read more carefully your proposed
> text. I do believe the requirement is necessary or I wouldn't have
> brought it up. The need to assert the flag cannot be 100% predicted
> ahead of time. Given the presumptive definition of the flag, I believe
> interoperability would benefit. It doesn't say the flag must be used,
> but only that the capability we all worked so hard on to define is an
> assumption rather than a stovepipe.
>
> Mike
>
>
>
> -----Original Message-----
> From: Tim Polk [mailto:tim.polk@nist.gov]
> Sent: Wednesday, July 14, 2004 11:18 AM
> To: Michael Myers; Russ Housley; ietf-pkix@imc.org
> Subject: RE: Unsigned DPD responses for SCVP15
>
>
>
> Mike,
>
> Geez... read your last message and thought we were done!
>
> I don't believe this requirement is necessary. An SCVP client that
> doesn't
> perform local path validation (i.e., a DPV client *only*) doesn't need
> to
> be able to assert this flag. An SCVP client that is designed to always
> perform local path validation (i.e., DPD *only*) might be designed so
> this
> was configurable, or could be designed to always assert this flag.
>
> Let's drop this one and claim victory/bipartisan agreement/etc...
>
> Thanks,
>
> Tim
>
> At 09:16 AM 7/14/2004 -0700, Michael Myers wrote:
> >I would add one other requirement. Clients MUST be capable of
> asserting
> >the flag.
> >
> >Mike
> >
> >-----Original Message-----
> >From: owner-ietf-pkix@mail.imc.org
> >[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk
> >Sent: Wednesday, July 14, 2004 6:50 AM
> >To: Russ Housley; ietf-pkix@imc.org
> >Subject: Re: Unsigned DPD responses for SCVP15
> >
> >
> >
> >
> >
> >I also prefer the client-side flag option. However, I *strongly*
> >believe
> >that the default behavior (i.e., in the absence of the flag) should be
> >"signature is REQUIRED" on the SCVP response.
> >
> >In this way, the default behavior for SCVP always satisfies the
> >requirements specified in RFC 3379. Where the client has explicitly
> >determined that source authentication is not required, the client may
> >explicitly state this.
> >
> >I believe this option boils down to four fairly simple statements.
> >
> >(1) Where an SCVP request omits the "not going to authenticate" flag,
> >the
> >server is required to sign the response or return an error.
> >
> >(2) Where an SCVP request includes the flag, the server may include or
> >omit
> >the signature on the response. (So, a server that *always* signs
> >responses
> >doesn't need to process this flag...)
> >
> >(3) An SCVP client MUST NOT assert the "not going to authenticate" flag
> >and
> >request a statement about validity.
> >
> >(4) Where the request did not assert the new flag, the SCVP client MUST
> >process the digital signature on a response.
> >
> >I believe these changes would result in a protocol whose default
> >behavior
> >satisfies all the requirements in 3379, permits the employment of
> >unsigned
> >messages for DPD, and precludes any ambiguity in the implementation of
> >mixed mode servers.
> >
> >Tim Polk
> >
> >
> >
> >
> >At 12:38 PM 7/13/2004 -0400, Russ Housley wrote:
> >
> >
> > >My personal preference Option #2; however, I think that absence of
> this
> > >flag should indicate that the response should be signed. One needs
> to
> > >make a guess about deployment to select the best semantic for this
> > >situation, and my guess is that server authentication will be
> >important.
> > >
> > >Russ
> > >
> > >
> > >Trevor Freeman wrote:
> > >>I have been asked to add unsigned responses for DPD clients to
> SCVP15.
> > >>There are two models proposed on how we accomplish that both of
> which
> > >>meet the requirements for 3379. I would therefore like some feedback
> >on
> > >>how the group views the two mechanisms
> > >>
> > >>Global Server Policy that it is DPD only
> > >>The first proposal is to make the option controlled by the server as
> a
> > >>global policy. Therefore the server would publish via policy that is
> >only
> > >>supports DPD as such never signs a response. DPV client and DPD
> >clients
> > >>wanting a signed response then know to use another server.
> > >>
> > >>SCVP Request option to not sign response
> > >>The second option is to leave it to the client to signal to the
> server
> >it
> > >>does not need a signature on the response by a new flag in the
> request
> > >>(or its twin the flag indicates it does want a signature on the
> > >>response). This allows clients to be benevolent towards the server
> by
> > >>asking it to skip the signature. Server can still at their
> discretion
> > >>still sign.
> > >>
> > >>Needless to say it is possible to hybridize the two but I am hopeful
> >we
> > >>can try and keep this as simple as possible be picking on of the
> two.
> > >>Trevor
> > >
> > >
> > >
> > >
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EJDQf6054780; Wed, 14 Jul 2004 12:13:26 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EJDPgQ054778; Wed, 14 Jul 2004 12:13:25 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6EJDOHf054772 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 12:13:24 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 21431 invoked by uid 0); 14 Jul 2004 19:08:08 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.10.112) by woodstock.binhost.com with SMTP; 14 Jul 2004 19:08:08 -0000
Message-Id: <6.1.1.1.2.20040714151323.03c73638@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Wed, 14 Jul 2004 15:13:51 -0400
To: "Michael Myers" <mmyers@fastq.com>, "Tim Polk" <tim.polk@nist.gov>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: Unsigned DPD responses for SCVP15
In-Reply-To: <EOEGJNFMMIBDKGFONJJDCEPCDNAA.mmyers@fastq.com>
References: <5.1.0.14.2.20040714092035.03448ea0@email.nist.gov> <EOEGJNFMMIBDKGFONJJDCEPCDNAA.mmyers@fastq.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
There is no need for DPV clients to assert the flag!
Russ
At 12:16 PM 7/14/2004, Michael Myers wrote:
>I would add one other requirement. Clients MUST be capable of asserting
>the flag.
>
>Mike
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk
>Sent: Wednesday, July 14, 2004 6:50 AM
>To: Russ Housley; ietf-pkix@imc.org
>Subject: Re: Unsigned DPD responses for SCVP15
>
>
>
>
>
>I also prefer the client-side flag option. However, I *strongly*
>believe
>that the default behavior (i.e., in the absence of the flag) should be
>"signature is REQUIRED" on the SCVP response.
>
>In this way, the default behavior for SCVP always satisfies the
>requirements specified in RFC 3379. Where the client has explicitly
>determined that source authentication is not required, the client may
>explicitly state this.
>
>I believe this option boils down to four fairly simple statements.
>
>(1) Where an SCVP request omits the "not going to authenticate" flag,
>the
>server is required to sign the response or return an error.
>
>(2) Where an SCVP request includes the flag, the server may include or
>omit
>the signature on the response. (So, a server that *always* signs
>responses
>doesn't need to process this flag...)
>
>(3) An SCVP client MUST NOT assert the "not going to authenticate" flag
>and
>request a statement about validity.
>
>(4) Where the request did not assert the new flag, the SCVP client MUST
>process the digital signature on a response.
>
>I believe these changes would result in a protocol whose default
>behavior
>satisfies all the requirements in 3379, permits the employment of
>unsigned
>messages for DPD, and precludes any ambiguity in the implementation of
>mixed mode servers.
>
>Tim Polk
>
>
>
>
>At 12:38 PM 7/13/2004 -0400, Russ Housley wrote:
>
>
> >My personal preference Option #2; however, I think that absence of this
> >flag should indicate that the response should be signed. One needs to
> >make a guess about deployment to select the best semantic for this
> >situation, and my guess is that server authentication will be
>important.
> >
> >Russ
> >
> >
> >Trevor Freeman wrote:
> >>I have been asked to add unsigned responses for DPD clients to SCVP15.
> >>There are two models proposed on how we accomplish that both of which
> >>meet the requirements for 3379. I would therefore like some feedback
>on
> >>how the group views the two mechanisms
> >>
> >>Global Server Policy that it is DPD only
> >>The first proposal is to make the option controlled by the server as a
> >>global policy. Therefore the server would publish via policy that is
>only
> >>supports DPD as such never signs a response. DPV client and DPD
>clients
> >>wanting a signed response then know to use another server.
> >>
> >>SCVP Request option to not sign response
> >>The second option is to leave it to the client to signal to the server
>it
> >>does not need a signature on the response by a new flag in the request
> >>(or its twin the flag indicates it does want a signature on the
> >>response). This allows clients to be benevolent towards the server by
> >>asking it to skip the signature. Server can still at their discretion
> >>still sign.
> >>
> >>Needless to say it is possible to hybridize the two but I am hopeful
>we
> >>can try and keep this as simple as possible be picking on of the two.
> >>Trevor
> >
> >
> >
> >
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EIw3DD052461; Wed, 14 Jul 2004 11:58:03 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EIw3fo052460; Wed, 14 Jul 2004 11:58:03 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EIw2FW052454 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 11:58:02 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-106.fastq.com [65.39.92.106]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6EIw1813055; Wed, 14 Jul 2004 11:58:01 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Tim Polk" <tim.polk@nist.gov>, "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Wed, 14 Jul 2004 11:57:23 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDEEPEDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
In-Reply-To: <5.1.0.14.2.20040714141700.031bef98@email.nist.gov>
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I thought we were done too until I read more carefully your proposed
text. I do believe the requirement is necessary or I wouldn't have
brought it up. The need to assert the flag cannot be 100% predicted
ahead of time. Given the presumptive definition of the flag, I believe
interoperability would benefit. It doesn't say the flag must be used,
but only that the capability we all worked so hard on to define is an
assumption rather than a stovepipe.
Mike
-----Original Message-----
From: Tim Polk [mailto:tim.polk@nist.gov]
Sent: Wednesday, July 14, 2004 11:18 AM
To: Michael Myers; Russ Housley; ietf-pkix@imc.org
Subject: RE: Unsigned DPD responses for SCVP15
Mike,
Geez... read your last message and thought we were done!
I don't believe this requirement is necessary. An SCVP client that
doesn't
perform local path validation (i.e., a DPV client *only*) doesn't need
to
be able to assert this flag. An SCVP client that is designed to always
perform local path validation (i.e., DPD *only*) might be designed so
this
was configurable, or could be designed to always assert this flag.
Let's drop this one and claim victory/bipartisan agreement/etc...
Thanks,
Tim
At 09:16 AM 7/14/2004 -0700, Michael Myers wrote:
>I would add one other requirement. Clients MUST be capable of
asserting
>the flag.
>
>Mike
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk
>Sent: Wednesday, July 14, 2004 6:50 AM
>To: Russ Housley; ietf-pkix@imc.org
>Subject: Re: Unsigned DPD responses for SCVP15
>
>
>
>
>
>I also prefer the client-side flag option. However, I *strongly*
>believe
>that the default behavior (i.e., in the absence of the flag) should be
>"signature is REQUIRED" on the SCVP response.
>
>In this way, the default behavior for SCVP always satisfies the
>requirements specified in RFC 3379. Where the client has explicitly
>determined that source authentication is not required, the client may
>explicitly state this.
>
>I believe this option boils down to four fairly simple statements.
>
>(1) Where an SCVP request omits the "not going to authenticate" flag,
>the
>server is required to sign the response or return an error.
>
>(2) Where an SCVP request includes the flag, the server may include or
>omit
>the signature on the response. (So, a server that *always* signs
>responses
>doesn't need to process this flag...)
>
>(3) An SCVP client MUST NOT assert the "not going to authenticate" flag
>and
>request a statement about validity.
>
>(4) Where the request did not assert the new flag, the SCVP client MUST
>process the digital signature on a response.
>
>I believe these changes would result in a protocol whose default
>behavior
>satisfies all the requirements in 3379, permits the employment of
>unsigned
>messages for DPD, and precludes any ambiguity in the implementation of
>mixed mode servers.
>
>Tim Polk
>
>
>
>
>At 12:38 PM 7/13/2004 -0400, Russ Housley wrote:
>
>
> >My personal preference Option #2; however, I think that absence of
this
> >flag should indicate that the response should be signed. One needs
to
> >make a guess about deployment to select the best semantic for this
> >situation, and my guess is that server authentication will be
>important.
> >
> >Russ
> >
> >
> >Trevor Freeman wrote:
> >>I have been asked to add unsigned responses for DPD clients to
SCVP15.
> >>There are two models proposed on how we accomplish that both of
which
> >>meet the requirements for 3379. I would therefore like some feedback
>on
> >>how the group views the two mechanisms
> >>
> >>Global Server Policy that it is DPD only
> >>The first proposal is to make the option controlled by the server as
a
> >>global policy. Therefore the server would publish via policy that is
>only
> >>supports DPD as such never signs a response. DPV client and DPD
>clients
> >>wanting a signed response then know to use another server.
> >>
> >>SCVP Request option to not sign response
> >>The second option is to leave it to the client to signal to the
server
>it
> >>does not need a signature on the response by a new flag in the
request
> >>(or its twin the flag indicates it does want a signature on the
> >>response). This allows clients to be benevolent towards the server
by
> >>asking it to skip the signature. Server can still at their
discretion
> >>still sign.
> >>
> >>Needless to say it is possible to hybridize the two but I am hopeful
>we
> >>can try and keep this as simple as possible be picking on of the
two.
> >>Trevor
> >
> >
> >
> >
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EIF2ts045073; Wed, 14 Jul 2004 11:15:02 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EIF2av045072; Wed, 14 Jul 2004 11:15:02 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EIF0fB045060 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 11:15:01 -0700 (PDT) (envelope-from tim.polk@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.12.10/8.12.10) with ESMTP id i6EIEIC0015770; Wed, 14 Jul 2004 14:14:18 -0400
Received: from krdp8.nist.gov (seclab14.ncsl.nist.gov [129.6.52.54]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id i6EIE6mb027883; Wed, 14 Jul 2004 14:14:06 -0400 (EDT)
Message-Id: <5.1.0.14.2.20040714141700.031bef98@email.nist.gov>
X-Sender: wpolk@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 14 Jul 2004 14:17:44 -0400
To: "Michael Myers" <mmyers@fastq.com>, "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
From: Tim Polk <tim.polk@nist.gov>
Subject: RE: Unsigned DPD responses for SCVP15
In-Reply-To: <EOEGJNFMMIBDKGFONJJDCEPCDNAA.mmyers@fastq.com>
References: <5.1.0.14.2.20040714092035.03448ea0@email.nist.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-NIST-MailScanner: Found to be clean
X-MailScanner-From: tim.polk@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike,
Geez... read your last message and thought we were done!
I don't believe this requirement is necessary. An SCVP client that doesn't
perform local path validation (i.e., a DPV client *only*) doesn't need to
be able to assert this flag. An SCVP client that is designed to always
perform local path validation (i.e., DPD *only*) might be designed so this
was configurable, or could be designed to always assert this flag.
Let's drop this one and claim victory/bipartisan agreement/etc...
Thanks,
Tim
At 09:16 AM 7/14/2004 -0700, Michael Myers wrote:
>I would add one other requirement. Clients MUST be capable of asserting
>the flag.
>
>Mike
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk
>Sent: Wednesday, July 14, 2004 6:50 AM
>To: Russ Housley; ietf-pkix@imc.org
>Subject: Re: Unsigned DPD responses for SCVP15
>
>
>
>
>
>I also prefer the client-side flag option. However, I *strongly*
>believe
>that the default behavior (i.e., in the absence of the flag) should be
>"signature is REQUIRED" on the SCVP response.
>
>In this way, the default behavior for SCVP always satisfies the
>requirements specified in RFC 3379. Where the client has explicitly
>determined that source authentication is not required, the client may
>explicitly state this.
>
>I believe this option boils down to four fairly simple statements.
>
>(1) Where an SCVP request omits the "not going to authenticate" flag,
>the
>server is required to sign the response or return an error.
>
>(2) Where an SCVP request includes the flag, the server may include or
>omit
>the signature on the response. (So, a server that *always* signs
>responses
>doesn't need to process this flag...)
>
>(3) An SCVP client MUST NOT assert the "not going to authenticate" flag
>and
>request a statement about validity.
>
>(4) Where the request did not assert the new flag, the SCVP client MUST
>process the digital signature on a response.
>
>I believe these changes would result in a protocol whose default
>behavior
>satisfies all the requirements in 3379, permits the employment of
>unsigned
>messages for DPD, and precludes any ambiguity in the implementation of
>mixed mode servers.
>
>Tim Polk
>
>
>
>
>At 12:38 PM 7/13/2004 -0400, Russ Housley wrote:
>
>
> >My personal preference Option #2; however, I think that absence of this
> >flag should indicate that the response should be signed. One needs to
> >make a guess about deployment to select the best semantic for this
> >situation, and my guess is that server authentication will be
>important.
> >
> >Russ
> >
> >
> >Trevor Freeman wrote:
> >>I have been asked to add unsigned responses for DPD clients to SCVP15.
> >>There are two models proposed on how we accomplish that both of which
> >>meet the requirements for 3379. I would therefore like some feedback
>on
> >>how the group views the two mechanisms
> >>
> >>Global Server Policy that it is DPD only
> >>The first proposal is to make the option controlled by the server as a
> >>global policy. Therefore the server would publish via policy that is
>only
> >>supports DPD as such never signs a response. DPV client and DPD
>clients
> >>wanting a signed response then know to use another server.
> >>
> >>SCVP Request option to not sign response
> >>The second option is to leave it to the client to signal to the server
>it
> >>does not need a signature on the response by a new flag in the request
> >>(or its twin the flag indicates it does want a signature on the
> >>response). This allows clients to be benevolent towards the server by
> >>asking it to skip the signature. Server can still at their discretion
> >>still sign.
> >>
> >>Needless to say it is possible to hybridize the two but I am hopeful
>we
> >>can try and keep this as simple as possible be picking on of the two.
> >>Trevor
> >
> >
> >
> >
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EGHdcO024754; Wed, 14 Jul 2004 09:17:39 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EGHdBa024753; Wed, 14 Jul 2004 09:17:39 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EGHdwg024747 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 09:17:39 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6EGHYS64271; Wed, 14 Jul 2004 09:17:34 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Tim Polk" <tim.polk@nist.gov>, "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Wed, 14 Jul 2004 09:16:55 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDCEPCDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
In-Reply-To: <5.1.0.14.2.20040714092035.03448ea0@email.nist.gov>
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I would add one other requirement. Clients MUST be capable of asserting
the flag.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk
Sent: Wednesday, July 14, 2004 6:50 AM
To: Russ Housley; ietf-pkix@imc.org
Subject: Re: Unsigned DPD responses for SCVP15
I also prefer the client-side flag option. However, I *strongly*
believe
that the default behavior (i.e., in the absence of the flag) should be
"signature is REQUIRED" on the SCVP response.
In this way, the default behavior for SCVP always satisfies the
requirements specified in RFC 3379. Where the client has explicitly
determined that source authentication is not required, the client may
explicitly state this.
I believe this option boils down to four fairly simple statements.
(1) Where an SCVP request omits the "not going to authenticate" flag,
the
server is required to sign the response or return an error.
(2) Where an SCVP request includes the flag, the server may include or
omit
the signature on the response. (So, a server that *always* signs
responses
doesn't need to process this flag...)
(3) An SCVP client MUST NOT assert the "not going to authenticate" flag
and
request a statement about validity.
(4) Where the request did not assert the new flag, the SCVP client MUST
process the digital signature on a response.
I believe these changes would result in a protocol whose default
behavior
satisfies all the requirements in 3379, permits the employment of
unsigned
messages for DPD, and precludes any ambiguity in the implementation of
mixed mode servers.
Tim Polk
At 12:38 PM 7/13/2004 -0400, Russ Housley wrote:
>My personal preference Option #2; however, I think that absence of this
>flag should indicate that the response should be signed. One needs to
>make a guess about deployment to select the best semantic for this
>situation, and my guess is that server authentication will be
important.
>
>Russ
>
>
>Trevor Freeman wrote:
>>I have been asked to add unsigned responses for DPD clients to SCVP15.
>>There are two models proposed on how we accomplish that both of which
>>meet the requirements for 3379. I would therefore like some feedback
on
>>how the group views the two mechanisms
>>
>>Global Server Policy that it is DPD only
>>The first proposal is to make the option controlled by the server as a
>>global policy. Therefore the server would publish via policy that is
only
>>supports DPD as such never signs a response. DPV client and DPD
clients
>>wanting a signed response then know to use another server.
>>
>>SCVP Request option to not sign response
>>The second option is to leave it to the client to signal to the server
it
>>does not need a signature on the response by a new flag in the request
>>(or its twin the flag indicates it does want a signature on the
>>response). This allows clients to be benevolent towards the server by
>>asking it to skip the signature. Server can still at their discretion
>>still sign.
>>
>>Needless to say it is possible to hybridize the two but I am hopeful
we
>>can try and keep this as simple as possible be picking on of the two.
>>Trevor
>
>
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EFaYDu012015; Wed, 14 Jul 2004 08:36:34 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EFaY1g012014; Wed, 14 Jul 2004 08:36:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EFaYRK011995 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 08:36:34 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6EFaXS56131; Wed, 14 Jul 2004 08:36:33 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Wed, 14 Jul 2004 08:35:54 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDGEPBDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
In-Reply-To: <6.1.1.1.2.20040714095818.036976d8@mail.binhost.com>
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Yes. I'm all for the flag. And I said, I can live with the default as
defined. So I'll just leave it at that.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Russ Housley
Sent: Wednesday, July 14, 2004 7:02 AM
To: Michael Myers; ietf-pkix@imc.org
Subject: RE: Unsigned DPD responses for SCVP15
Mike:
Different servers will have different default path discovery policies.
RFC 3379 says:
For the client to be confident that all of the elements from the
response originate from the expected DPD server, an authenticated
response MAY be required. For example, the server might sign the
response or data authentication might also be achieved using a
lower-layer security protocol.
So, all we are discussing is whether the protocol requirement in this
MAY
statement is the default or not.
Russ
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EEMtEQ079486; Wed, 14 Jul 2004 07:22:55 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EEMtJv079484; Wed, 14 Jul 2004 07:22:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from csexchange1.corestreet.com (csexchange1.corestreet.com [68.162.232.134]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EEMsvK079442 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 07:22:54 -0700 (PDT) (envelope-from dengberg@corestreet.com)
Content-class: urn:content-classes:message
Subject: RE: Unsigned DPD responses for SCVP15
MIME-Version: 1.0
Date: Wed, 14 Jul 2004 10:23:17 -0400
Content-Type: multipart/signed; boundary="----=_NextPart_000_001E_01C4698C.84789750"; protocol="application/x-pkcs7-signature"; micalg=SHA1
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Message-ID: <E2339D02A340A546998AD2E6251332D61E3DF4@csexchange1.corestreet.com>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Unsigned DPD responses for SCVP15
Thread-Index: AcRprPN7f4/5/nAeSx+ugCiwXK6C4gAALrKg
From: "Dave Engberg" <dengberg@corestreet.com>
To: <ietf-pkix@imc.org>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_001E_01C4698C.84789750
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
I have a mild preference for defaulting to "unsigned permitted if no request
flag present", but would also be happy with Tim's proposal.
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On
Behalf Of Tim Polk
Sent: Wednesday, July 14, 2004 9:50 AM
To: Russ Housley; ietf-pkix@imc.org
Subject: Re: Unsigned DPD responses for SCVP15
I also prefer the client-side flag option. However, I *strongly* believe
that the default behavior (i.e., in the absence of the flag) should be
"signature is REQUIRED" on the SCVP response.
In this way, the default behavior for SCVP always satisfies the
requirements specified in RFC 3379. Where the client has explicitly
determined that source authentication is not required, the client may
explicitly state this.
I believe this option boils down to four fairly simple statements.
(1) Where an SCVP request omits the "not going to authenticate" flag, the
server is required to sign the response or return an error.
(2) Where an SCVP request includes the flag, the server may include or omit
the signature on the response. (So, a server that *always* signs responses
doesn't need to process this flag...)
(3) An SCVP client MUST NOT assert the "not going to authenticate" flag and
request a statement about validity.
(4) Where the request did not assert the new flag, the SCVP client MUST
process the digital signature on a response.
I believe these changes would result in a protocol whose default behavior
satisfies all the requirements in 3379, permits the employment of unsigned
messages for DPD, and precludes any ambiguity in the implementation of mixed
mode servers.
Tim Polk
------=_NextPart_000_001E_01C4698C.84789750
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII1jCCAoIw
ggHroAMCAQICAQQwDQYJKoZIhvcNAQEEBQAwUzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlm
YXggU2VjdXJlIEluYy4xJjAkBgNVBAMTHUVxdWlmYXggU2VjdXJlIGVCdXNpbmVzcyBDQS0xMB4X
DTk5MDYyMTA0MDAwMFoXDTIwMDYyMTA0MDAwMFowUzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Vx
dWlmYXggU2VjdXJlIEluYy4xJjAkBgNVBAMTHUVxdWlmYXggU2VjdXJlIGVCdXNpbmVzcyBDQS0x
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOLxm8F7d33pOpX1oNF080GgyY9CLZWdTEaEbw
tDXFhQMgxq9FpSFRRUHrFlg2Mm/iUGJk+f1RnKok2fSdgyqHCiHTEjg0bI0Ablqg2ULuGiGV+VJM
VVrFDzhPRvpt+C411h186+LwsHWAyKkTrL6I7zpuq18qOGICsBJ7/o+mAwIDAQABo2YwZDARBglg
hkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRKeDJSEdtZFjZe38EU
NkBqR3xMoTAdBgNVHQ4EFgQUSngyUhHbWRY2Xt/BFDZAakd8TKEwDQYJKoZIhvcNAQEEBQADgYEA
dVuomwMR5ulWTM35qUzADZrzzGVp5iV2zFm31lTDHc2ZrBndtIXV4D38YiCnhEtYZfHi+ZUhP/XU
flgeR4dUPlihtbX4Ku9x57zD9rFJRuLXoGvlVnqaJ5h8RmIU58n8bgMSeYA4HUiCjfwX/iqWK7Vi
pqY9vX+SWc1aKoKyN3kwggK8MIICJaADAgECAgIA2DANBgkqhkiG9w0BAQUFADBTMQswCQYDVQQG
EwJVUzEcMBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEmMCQGA1UEAxMdRXF1aWZheCBTZWN1
cmUgZUJ1c2luZXNzIENBLTEwHhcNMDQwNjAyMTk1NzQyWhcNMjAwNjIxMDQwMDAwWjBSMQswCQYD
VQQGEwJVUzEYMBYGA1UEChMPQ29yZVN0cmVldCBMdGQuMSkwJwYDVQQDEyBDb3JlU3RyZWV0IENl
cnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr0HhHsWZ2xkS
6BbojMXvdGPoRJLcAs2nUBSZ6XnJvnHxBwVvRUkqrCSBwKBurhjqGqe3oOxh6tC6wUuGhwLdhyWT
BSYO469PJUx02lyiohqUZ8u0yshCL35/lA+MkZubcmFxHsLlTPCkS/+A7PZwzIjKrLAUT0VmwNTL
TYEg1F8CAwEAAaOBnzCBnDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNjsf5MYxWYDwxBsPAT2
d4U+/wu2MB8GA1UdIwQYMBaAFEp4MlIR21kWNl7fwRQ2QGpHfEyhMA8GA1UdEwEB/wQFMAMBAf8w
OQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9lYml6Y2ExLmNy
bDANBgkqhkiG9w0BAQUFAAOBgQDCHD9PBDwPPDktSLC/jRpe9Crdpj8Cj7GB1od44j1D+5IJji+w
rhuJ3tlR3p5MlzXGUEj8eFBtZymYBiWdLvIVqwMz2nYWBeFWXou6T+n4akcF708jM3MhFXP82ove
f/xJzw9IzlVmI9DjDrkL2wXXw/IR5XTP2iQYPcbxento6zCCA4wwggL1oAMCAQICARkwDQYJKoZI
hvcNAQEFBQAwUjELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NvcmVTdHJlZXQgTHRkLjEpMCcGA1UE
AxMgQ29yZVN0cmVldCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDQwNzEyMTMwMjE4WhcNMDUw
NzI2MTMwMjE4WjBnMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPQ29yZVN0cmVldCBMdGQuMRYwFAYD
VQQDEw1EYXZpZCBFbmdiZXJnMSYwJAYJKoZIhvcNAQkBFhdkZW5nYmVyZ0Bjb3Jlc3RyZWV0LmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMJXX+JZ1oaEb2TCawk31rzpOIRTHZyP
UGTUGNyMasqczNZATvXu2RTlon8dwEuO4evr5KE9iDe0jQSkj1g5HBEsFAH+JPU7Y0uYupm/kiyr
6FiyhBCQtWhrcNii0yahcIEbH/fBAf5V10Y2wHKFrPH6uTrj+YGhBpaXxkEZpXCe2QZtkR/kcbKa
QaMCaU27vLAZ4QT6vJTf5oG/SD1KU232kYttiLeRjnePWipH8In7crGPhgJCeQP5UtE9uHDjOStt
eZxXsWAzU7oW9nb9jHL2xOWPQyhBs4JaPvgSdFkenI6L8flsQm72U8lrV/4dqKu330m5pH89XTYl
o2PcqIUCAwEAAaOB2DCB1TAOBgNVHQ8BAf8EBAMCBeAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDov
L2NybC5nZW90cnVzdC5jb20vY3Jscy9jb3Jlc3RyZWV0LmNybDAiBgNVHREEGzAZgRdkZW5nYmVy
Z0Bjb3Jlc3RyZWV0LmNvbTAfBgNVHSMEGDAWgBTY7H+TGMVmA8MQbDwE9neFPv8LtjBABggrBgEF
BQcBAQQ0MDIwMAYIKwYBBQUHMAGGJGh0dHA6Ly9nZW90cnVzdC1vY3NwLmNvcmVzdHJlZXQuY29t
LzANBgkqhkiG9w0BAQUFAAOBgQAtAQMtzyIzARw6d/sy1qPn+Mqr7aPEJFofkSW57NE639PcrXmC
E9LzVm5mtmoNkeeyHDOgla79ez8MzndDxhlwQvNdaiu124jWbgEoHC1q2K4McbaJlxjhPbCpFr7Z
CzxQxOmFxXjb16XGotrxX1aj2YWuAAdt9H3x+tHBXCn+WDGCAxowggMWAgEBMFcwUjELMAkGA1UE
BhMCVVMxGDAWBgNVBAoTD0NvcmVTdHJlZXQgTHRkLjEpMCcGA1UEAxMgQ29yZVN0cmVldCBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkCARkwCQYFKw4DAhoFAKCCAZgwGAYJKoZIhvcNAQkDMQsGCSqGSIb3
DQEHATAcBgkqhkiG9w0BCQUxDxcNMDQwNzE0MTQyMjUxWjAjBgkqhkiG9w0BCQQxFgQUU/b+Nlwz
nU7Hhd/j66+y80HHICIwZgYJKwYBBAGCNxAEMVkwVzBSMQswCQYDVQQGEwJVUzEYMBYGA1UEChMP
Q29yZVN0cmVldCBMdGQuMSkwJwYDVQQDEyBDb3JlU3RyZWV0IENlcnRpZmljYXRlIEF1dGhvcml0
eQIBGTBnBgkqhkiG9w0BCQ8xWjBYMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG
9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDAHBgUrDgMCGjAKBggqhkiG9w0CBTBoBgsq
hkiG9w0BCRACCzFZoFcwUjELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NvcmVTdHJlZXQgTHRkLjEp
MCcGA1UEAxMgQ29yZVN0cmVldCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkCARkwDQYJKoZIhvcNAQEB
BQAEggEAWwncF8UluEtRBqVpquL/50WgRA4ismn2j6w3L0TubHWpWCxwftbQkcram/FkY+FU7x0n
lG0WCeuuQd5EnkeyVce/nXFDVF6E8GOuVwah88LYxZJ0XIukNgBOH8NhFc3WnCMY9B7bCgO8BF3q
YJRmq5tNMXZokDCgr5sqlX3H8CieGhpNnk3lmIuesjJZFz09L6B7Pvr8zhbaXjfC7lgx/YlFafs0
OMBkinMkMof04C1JV6x1lYzDvCxHVuOBRunxCD/end1FaFsURQeNkkZaJANX65MSfQPdtsNvwZkP
rnlmfHu7mEynm2f3GzZpqWvwNx9qeSx8N7tdxl42Pw9+PgAAAAAAAA==
------=_NextPart_000_001E_01C4698C.84789750--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EE1wha072196; Wed, 14 Jul 2004 07:01:58 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EE1w60072195; Wed, 14 Jul 2004 07:01:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6EE1vBB072178 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 07:01:58 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 7370 invoked by uid 0); 14 Jul 2004 13:56:40 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.160.169) by woodstock.binhost.com with SMTP; 14 Jul 2004 13:56:40 -0000
Message-Id: <6.1.1.1.2.20040714095818.036976d8@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Wed, 14 Jul 2004 10:02:01 -0400
To: "Michael Myers" <mmyers@fastq.com>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: Unsigned DPD responses for SCVP15
In-Reply-To: <EOEGJNFMMIBDKGFONJJDAEOODNAA.mmyers@fastq.com>
References: <6.1.1.1.2.20040713164727.0a112a38@mail.binhost.com> <EOEGJNFMMIBDKGFONJJDAEOODNAA.mmyers@fastq.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike:
Different servers will have different default path discovery policies.
RFC 3379 says:
For the client to be confident that all of the elements from the
response originate from the expected DPD server, an authenticated
response MAY be required. For example, the server might sign the
response or data authentication might also be achieved using a
lower-layer security protocol.
So, all we are discussing is whether the protocol requirement in this MAY
statement is the default or not.
Russ
At 05:47 PM 7/13/2004, Michael Myers wrote:
>Russ,
>
>So what if no optional parameters are present in the request to
>facilitate path navigation? What if all the defined ASN.1 defaults are
>taken? What if its a simple enterprise-level issue? Does it not make
>sense to default to the larger case, and to reserve an upscope in
>security diligence to those environments subject to cross-domain source
>authenticity concerns? Or is the latter the larger case? I argue that,
>in the absence of the flag, should it come to pass in -15, SCVP
>responses containing ONLY {path, rev-info} MAY be signed.
>
>Mike
>
>-----Original Message-----
>From: Russ Housley [mailto:housley@vigilsec.com]
>Sent: Tuesday, July 13, 2004 1:54 PM
>To: Michael Myers; ietf-pkix@imc.org
>Subject: RE: Unsigned DPD responses for SCVP15
>
>
>In DPD, the server is doing more than just returning signed objects.
>The
>server is constructing a certification path too. In a world with
>cross-certification and bridge CAs, there can be more than one choice
>for
>valid paths. This is a topic that has received plenty of discussion
>elsewhere, and I hope we do not need to revisit all of the nooks and
>crannies of that topic here. So, a different collection of signed
>object
>can be returned, each of which is valid, and each of which represents a
>different amount of effort on the part of the client to validate. Given
>this situation, I believe that the client will want to be able to
>confirm
>the source of the path.
>
>Russ
>
>
>At 01:38 PM 7/13/2004, Michael Myers wrote:
> >Russ,
> >
> >As you know, I disagree on the default. My point is that DPD as
> >originally conceived and further defined by the requirements
> >RFC is to a first degree simply a proxy for the various
> >protocols and schemas devised over the years to acquire these
> >data.
> >
> >I can live with the default as defined but I think it is useful
> >and necessary to establish why super-signing of previously
> >signed data is a good thing. Hypothetical replay attacks have
> >been proposed. OK, fine. So we have a flag that enables an
> >environment to assert source authenticity so those become
> >reality.
> >
> >But these data, i.e. {path, rev-info}, are not only signed but
> >dated with respect to their reliability. That was the basis of
> >the original theory behind the notion that these data can be
> >made public without any concern for their source. I have yet to
> >hear a refutation of those prior assumptions.
> >
> >If source authenticity in important in this instance, does that
> >then mean all extant protocols and schemas are at risk? If so,
> >why?
> >
> >Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EDlLll068308; Wed, 14 Jul 2004 06:47:21 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6EDlLpR068307; Wed, 14 Jul 2004 06:47:21 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.nist.gov (rimp1.nist.gov [129.6.16.226]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6EDlK2O068283 for <ietf-pkix@imc.org>; Wed, 14 Jul 2004 06:47:21 -0700 (PDT) (envelope-from tim.polk@nist.gov)
Received: from postmark.nist.gov (pushme.nist.gov [129.6.16.92]) by smtp.nist.gov (8.12.10/8.12.10) with ESMTP id i6EDlBaK032002; Wed, 14 Jul 2004 09:47:11 -0400
Received: from krdp8.nist.gov (seclab14.ncsl.nist.gov [129.6.52.54]) by postmark.nist.gov (8.12.5/8.12.5) with ESMTP id i6EDkomb006494; Wed, 14 Jul 2004 09:46:50 -0400 (EDT)
Message-Id: <5.1.0.14.2.20040714092035.03448ea0@email.nist.gov>
X-Sender: wpolk@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 14 Jul 2004 09:50:28 -0400
To: Russ Housley <housley@vigilsec.com>, ietf-pkix@imc.org
From: Tim Polk <tim.polk@nist.gov>
Subject: Re: Unsigned DPD responses for SCVP15
In-Reply-To: <6.1.1.1.2.20040713123533.09c07938@mail.binhost.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-NIST-MailScanner: Found to be clean
X-MailScanner-From: tim.polk@nist.gov
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I also prefer the client-side flag option. However, I *strongly* believe
that the default behavior (i.e., in the absence of the flag) should be
"signature is REQUIRED" on the SCVP response.
In this way, the default behavior for SCVP always satisfies the
requirements specified in RFC 3379. Where the client has explicitly
determined that source authentication is not required, the client may
explicitly state this.
I believe this option boils down to four fairly simple statements.
(1) Where an SCVP request omits the "not going to authenticate" flag, the
server is required to sign the response or return an error.
(2) Where an SCVP request includes the flag, the server may include or omit
the signature on the response. (So, a server that *always* signs responses
doesn't need to process this flag...)
(3) An SCVP client MUST NOT assert the "not going to authenticate" flag and
request a statement about validity.
(4) Where the request did not assert the new flag, the SCVP client MUST
process the digital signature on a response.
I believe these changes would result in a protocol whose default behavior
satisfies all the requirements in 3379, permits the employment of unsigned
messages for DPD, and precludes any ambiguity in the implementation of
mixed mode servers.
Tim Polk
At 12:38 PM 7/13/2004 -0400, Russ Housley wrote:
>My personal preference Option #2; however, I think that absence of this
>flag should indicate that the response should be signed. One needs to
>make a guess about deployment to select the best semantic for this
>situation, and my guess is that server authentication will be important.
>
>Russ
>
>
>Trevor Freeman wrote:
>>I have been asked to add unsigned responses for DPD clients to SCVP15.
>>There are two models proposed on how we accomplish that both of which
>>meet the requirements for 3379. I would therefore like some feedback on
>>how the group views the two mechanisms
>>
>>Global Server Policy that it is DPD only
>>The first proposal is to make the option controlled by the server as a
>>global policy. Therefore the server would publish via policy that is only
>>supports DPD as such never signs a response. DPV client and DPD clients
>>wanting a signed response then know to use another server.
>>
>>SCVP Request option to not sign response
>>The second option is to leave it to the client to signal to the server it
>>does not need a signature on the response by a new flag in the request
>>(or its twin the flag indicates it does want a signature on the
>>response). This allows clients to be benevolent towards the server by
>>asking it to skip the signature. Server can still at their discretion
>>still sign.
>>
>>Needless to say it is possible to hybridize the two but I am hopeful we
>>can try and keep this as simple as possible be picking on of the two.
>>Trevor
>
>
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DNWYRg092490; Tue, 13 Jul 2004 16:32:34 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DNWYtT092489; Tue, 13 Jul 2004 16:32:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DNWXrR092483 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 16:32:33 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6DNWWS77552; Tue, 13 Jul 2004 16:32:32 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Stephen Kent" <kent@bbn.com>
Cc: <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Tue, 13 Jul 2004 16:31:52 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDOEOPDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <p06110401bd198e07d7df@[10.84.130.144]>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Steve,
There exists no SHALL statement in the SCVP I-D that compels an
environment to institute a locally unique and technically enforceable
policy with respect to SCVP. Nor does there exist guidance on how to
implement such. I think we are best off with the flag.
Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DMhkDH089216; Tue, 13 Jul 2004 15:43:46 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DMhkCA089215; Tue, 13 Jul 2004 15:43:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from aragorn.bbn.com (aragorn.bbn.com [128.33.0.62]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DMhjJO089206 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 15:43:46 -0700 (PDT) (envelope-from kent@bbn.com)
Received: from [10.84.130.144] (ramblo.bbn.com [128.33.0.51]) by aragorn.bbn.com (8.12.7/8.12.7) with ESMTP id i6DMhX7Z025700; Tue, 13 Jul 2004 18:43:35 -0400 (EDT)
Mime-Version: 1.0
X-Sender: kent@localhost
Message-Id: <p06110401bd198e07d7df@[10.84.130.144]>
In-Reply-To: <EOEGJNFMMIBDKGFONJJDMEOFDNAA.mmyers@fastq.com>
References: <EOEGJNFMMIBDKGFONJJDMEOFDNAA.mmyers@fastq.com>
Date: Tue, 13 Jul 2004 09:10:54 -0400
To: "Michael Myers" <mmyers@fastq.com>
From: Stephen Kent <kent@bbn.com>
Subject: RE: Unsigned DPD responses for SCVP15
Cc: <ietf-pkix@imc.org>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
At 6:57 PM -0700 7/12/04, Michael Myers wrote:
>Given the two alternatives of:
>
>1. An approach requiring explicit policies; or
>
>2. Client-side assertion of a new flag as Tim proposed;
>
>I prefer #2 for the following reasons.
>
>The SCVP I-D asserts no requirement that a server MUST have a
>unique policy. The I-D supports this by making optional all
>such elements beyond the default defined by RFC3280. An
>explicit OID-based approach forces the issue for servers that
>wish to support unsigned DPD.
I thought that the requirements RFC required a default policy, which
would be unique, to allow a client to not have to always specify a
policy. of course, one does not take full advantage of the
capabilities of SCVP if you do this, i.e., you don't get to use
application context specific cert validation.
>A non-trivial subset of environments don't even know what an OID
>is (think credit unions), let alone the technical details of
>what must go into a policy as it relates to this context. The
>contents of such are not well defined. Absent that, there
>exists no basis to implement correponding enforcement logic that
>is ensured to be interoperable across the Internet.
This paragraph seems very confusing. Of course many users will not
know what OIDs are, but they also usually don't know many details of
Internet technology are. what "enforcement logic" are you referring
to here? Cert evaluation is, in general, a local matter controlled by
a relying party. the problem of a cert user choosing the right cert
to provide to a relying party, is outside the scope of SCVP.
>The I-D provides no means for technical implementation and
>enforcement of a policy-based approach; it is non-implementable.
>Further, the I-D provides no means to discriminate between DPD
>and DPV. Even assuming in the future a consensus on a
>technically enforceable security assertion grammar, the subject
>I-D defines no technical means to even say "DPD".
I have no idea what you are referring to in this paragraph. Please try again.
Steve
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DLmDZs084762; Tue, 13 Jul 2004 14:48:13 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DLmDZm084761; Tue, 13 Jul 2004 14:48:13 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DLmD6F084755 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 14:48:13 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6DLmGS55347; Tue, 13 Jul 2004 14:48:16 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Tue, 13 Jul 2004 14:47:37 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDAEOODNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <6.1.1.1.2.20040713164727.0a112a38@mail.binhost.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
So what if no optional parameters are present in the request to
facilitate path navigation? What if all the defined ASN.1 defaults are
taken? What if its a simple enterprise-level issue? Does it not make
sense to default to the larger case, and to reserve an upscope in
security diligence to those environments subject to cross-domain source
authenticity concerns? Or is the latter the larger case? I argue that,
in the absence of the flag, should it come to pass in -15, SCVP
responses containing ONLY {path, rev-info} MAY be signed.
Mike
-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Tuesday, July 13, 2004 1:54 PM
To: Michael Myers; ietf-pkix@imc.org
Subject: RE: Unsigned DPD responses for SCVP15
In DPD, the server is doing more than just returning signed objects.
The
server is constructing a certification path too. In a world with
cross-certification and bridge CAs, there can be more than one choice
for
valid paths. This is a topic that has received plenty of discussion
elsewhere, and I hope we do not need to revisit all of the nooks and
crannies of that topic here. So, a different collection of signed
object
can be returned, each of which is valid, and each of which represents a
different amount of effort on the part of the client to validate. Given
this situation, I believe that the client will want to be able to
confirm
the source of the path.
Russ
At 01:38 PM 7/13/2004, Michael Myers wrote:
>Russ,
>
>As you know, I disagree on the default. My point is that DPD as
>originally conceived and further defined by the requirements
>RFC is to a first degree simply a proxy for the various
>protocols and schemas devised over the years to acquire these
>data.
>
>I can live with the default as defined but I think it is useful
>and necessary to establish why super-signing of previously
>signed data is a good thing. Hypothetical replay attacks have
>been proposed. OK, fine. So we have a flag that enables an
>environment to assert source authenticity so those become
>reality.
>
>But these data, i.e. {path, rev-info}, are not only signed but
>dated with respect to their reliability. That was the basis of
>the original theory behind the notion that these data can be
>made public without any concern for their source. I have yet to
>hear a refutation of those prior assumptions.
>
>If source authenticity in important in this instance, does that
>then mean all extant protocols and schemas are at risk? If so,
>why?
>
>Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DKrEK0080526; Tue, 13 Jul 2004 13:53:14 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DKrEc6080525; Tue, 13 Jul 2004 13:53:14 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6DKrD8K080519 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 13:53:14 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 24535 invoked by uid 0); 13 Jul 2004 20:48:11 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.188.72) by woodstock.binhost.com with SMTP; 13 Jul 2004 20:48:11 -0000
Message-Id: <6.1.1.1.2.20040713164727.0a112a38@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Tue, 13 Jul 2004 16:53:30 -0400
To: "Michael Myers" <mmyers@fastq.com>, <ietf-pkix@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: Unsigned DPD responses for SCVP15
In-Reply-To: <EOEGJNFMMIBDKGFONJJDEEOJDNAA.mmyers@fastq.com>
References: <6.1.1.1.2.20040713123533.09c07938@mail.binhost.com> <EOEGJNFMMIBDKGFONJJDEEOJDNAA.mmyers@fastq.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
In DPD, the server is doing more than just returning signed objects. The
server is constructing a certification path too. In a world with
cross-certification and bridge CAs, there can be more than one choice for
valid paths. This is a topic that has received plenty of discussion
elsewhere, and I hope we do not need to revisit all of the nooks and
crannies of that topic here. So, a different collection of signed object
can be returned, each of which is valid, and each of which represents a
different amount of effort on the part of the client to validate. Given
this situation, I believe that the client will want to be able to confirm
the source of the path.
Russ
At 01:38 PM 7/13/2004, Michael Myers wrote:
>Russ,
>
>As you know, I disagree on the default. My point is that DPD as
>originally conceived and further defined by the requirements
>RFC is to a first degree simply a proxy for the various
>protocols and schemas devised over the years to acquire these
>data.
>
>I can live with the default as defined but I think it is useful
>and necessary to establish why super-signing of previously
>signed data is a good thing. Hypothetical replay attacks have
>been proposed. OK, fine. So we have a flag that enables an
>environment to assert source authenticity so those become
>reality.
>
>But these data, i.e. {path, rev-info}, are not only signed but
>dated with respect to their reliability. That was the basis of
>the original theory behind the notion that these data can be
>made public without any concern for their source. I have yet to
>hear a refutation of those prior assumptions.
>
>If source authenticity in important in this instance, does that
>then mean all extant protocols and schemas are at risk? If so,
>why?
>
>Mike
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Russ Housley
>Sent: Tuesday, July 13, 2004 9:39 AM
>To: ietf-pkix@imc.org
>Subject: Re: Unsigned DPD responses for SCVP15
>
>
>
>
>My personal preference Option #2; however, I think that absence
>of this
>flag should indicate that the response should be signed. One
>needs to make
>a guess about deployment to select the best semantic for this
>situation,
>and my guess is that server authentication will be important.
>
>Russ
>
>
>Trevor Freeman wrote:
> >I have been asked to add unsigned responses for DPD clients to
>SCVP15.
> >There are two models proposed on how we accomplish that both of
>which meet
> >the requirements for 3379. I would therefore like some feedback
>on how the
> >group views the two mechanisms
> >
> >Global Server Policy that it is DPD only
> >The first proposal is to make the option controlled by the
>server as a
> >global policy. Therefore the server would publish via policy
>that is only
> >supports DPD as such never signs a response. DPV client and DPD
>clients
> >wanting a signed response then know to use another server.
> >
> >SCVP Request option to not sign response
> >The second option is to leave it to the client to signal to the
>server it
> >does not need a signature on the response by a new flag in the
>request (or
> >its twin the flag indicates it does want a signature on the
>response).
> >This allows clients to be benevolent towards the server by
>asking it to
> >skip the signature. Server can still at their discretion still
>sign.
> >
> >Needless to say it is possible to hybridize the two but I am
>hopeful we
> >can try and keep this as simple as possible be picking on of
>the two.
> >Trevor
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DK4ket077066; Tue, 13 Jul 2004 13:04:46 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DK4k96077065; Tue, 13 Jul 2004 13:04:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DK4iTF077054 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 13:04:45 -0700 (PDT) (envelope-from dinaras@cnri.reston.va.us)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA10444; Tue, 13 Jul 2004 16:04:46 -0400 (EDT)
Message-Id: <200407132004.QAA10444@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: i-d-announce@ietf.org
Cc: ietf-pkix@imc.org
From: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-pkix-pi-10.txt
Date: Tue, 13 Jul 2004 16:04:46 -0400
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
--NextPart
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.
Title : Internet X.509 Public Key Infrastructure Permanent Identifier
Author(s) : D. Pinkas, T. Gindin
Filename : draft-ietf-pkix-pi-10.txt
Pages : 13
Date : 2004-7-13
This document define a new form of name, called permanent
identifier, that may be included in the subjectAltName extension
of a public key certificate issued to an entity.
The permanent identifier is an optional feature that may be used
by a CA to indicate that the certificate relates to the same
entity even if the name or the affiliation of that entity stored
in the subject or another name form in the subjectAltName extension
has changed.
The subject name, carried in the subject field, is only unique
for each subject entity certified by the one CA as defined by the
issuer name field. Also, the new name form can carry a
name that is unique for each subject entity certified by a CA.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-pkix-pi-10.txt
To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request@ietf.org with the word unsubscribe in the body of the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.
Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-ietf-pkix-pi-10.txt".
A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Internet-Drafts can also be obtained by e-mail.
Send a message to:
mailserv@ietf.org.
In the body type:
"FILE /internet-drafts/draft-ietf-pkix-pi-10.txt".
NOTE: The mail server at ietf.org can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e. documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"
--OtherAccess
Content-Type: Message/External-body;
access-type="mail-server";
server="mailserv@ietf.org"
Content-Type: text/plain
Content-ID: <2004-7-13145230.I-D@ietf.org>
ENCODING mime
FILE /internet-drafts/draft-ietf-pkix-pi-10.txt
--OtherAccess
Content-Type: Message/External-body;
name="draft-ietf-pkix-pi-10.txt";
site="ftp.ietf.org";
access-type="anon-ftp";
directory="internet-drafts"
Content-Type: text/plain
Content-ID: <2004-7-13145230.I-D@ietf.org>
--OtherAccess--
--NextPart--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DIugRk071723; Tue, 13 Jul 2004 11:56:42 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DIug8g071722; Tue, 13 Jul 2004 11:56:42 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DIugTg071716 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 11:56:42 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6DIuiS20313; Tue, 13 Jul 2004 11:56:44 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Trevor Freeman" <trevorf@exchange.microsoft.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Tue, 13 Jul 2004 11:56:06 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDEEOKDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <A24D60A1195E4549960ED2B9D28786723A8790@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Trevor,
There is no requirement that an SCVP server MUST operate under an
explicit and technically enforceable policy document. There is no SHALL
statement to this effect in the Sections 3, 4 or 5. A casual parse of
the optional and default elements of SCVP's ASN.1 supports this.
I see that you ultimately restated your original request to the WG.
Thus Russ, Dave, Denis and I are still back to now what is your option
(B).
Mike
-----Original Message-----
From: Trevor Freeman [mailto:trevorf@exchange.microsoft.com]
Sent: Tuesday, July 13, 2004 11:29 AM
To: Michael Myers; ietf-pkix@imc.org
Subject: RE: Unsigned DPD responses for SCVP15
Hi Mike,
Let me restate the question then.
The SCVP server publishes a policy document (see SCVP section 6) which
defines the default server behavior for that instance of server and the
set of validation policies it recognizes. We can add a flag to that
policy to indicate the server will only support DPD and in that mode the
server would not sign SCVP responses. We could also add another flag to
say the server was cached responses only.
The alternative if to have the client use a request flag and the server
can either process the request or return an error. If the objective to
support DPD only servers then having the server publish its DPD only
seems cleaner and simpler from the client perspective rather than have
the DPV client try and get an error back.
There is still the unanswered question of the value of having an SCVP
server support mixed mode operation i.e. it can return either signed or
unsigned responses based on the request flag. With the above server
policy flag we can support always sign or never sign which means I ca
sign all responses or lock a server to DPD only and never sign
responses. If you want to have a low cost to deploy server then I would
have thought you would lock it down to DPD only. Once you take the cost
hit to deploy a signing SCVP server, beyond the CPU savings for not
dsigning some responses, what is the benefit over always signing policy
if you have a signing server given requests can be anonymous?
Therefore to support unsigned DPD do we
(A) add a flag to the Server policy response (SCVP section 6) to allow
the server to always sign or never sign?
Or
(B) Do we add a flag to the client request to allow the client to
express a preference to sign or not
If we want to support DPD only servers then option A meets that goal. If
we want to support mixed mode operation where a SCVP server can support
both signed and unsigned responses and that that there is tangible
benefits to mixed mode over always signing vs. never signing, then we
need option B.
Trevor
* -----Original Message-----
* From: Michael Myers [mailto:mmyers@fastq.com]
* Sent: Tuesday, July 13, 2004 10:26 AM
* To: Trevor Freeman; ietf-pkix@imc.org
* Subject: RE: Unsigned DPD responses for SCVP15
*
* Trevor,
*
* I believe Dave, Denis and I thought we were talking two
* alternative mechanisms to address the unsigned DPD consensus: a
* mechanism based on explicit policy OR a mechanism based on a new
* request flag, as you had earlier posted.
*
* Your discussion below, i.e. "it seems prudent to have a flag in
* the server policy" is confusing in that context.
*
* Please clarify what you are asking the WG to consider.
*
* Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DIShgK070064; Tue, 13 Jul 2004 11:28:43 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DISh5g070063; Tue, 13 Jul 2004 11:28:43 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from exchange.microsoft.com ([131.107.8.3]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DISgJM070057 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 11:28:42 -0700 (PDT) (envelope-from trevorf@microsoft.com)
Received: from DF-VRS-01.redmond.corp.microsoft.com ([157.54.4.14]) by exchange.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069); Tue, 13 Jul 2004 11:28:42 -0700
Received: from 10.197.0.83 by DF-VRS-01.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Tue, 13 Jul 2004 11:28:46 -0700
Received: from df-fido-msg.exchange.corp.microsoft.com ([157.54.6.241]) by DF-BEG.mercury.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 13 Jul 2004 11:28:47 -0700
Received: from DF-SEADOG-MSG.exchange.corp.microsoft.com ([157.54.6.243]) by df-fido-msg.exchange.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Tue, 13 Jul 2004 11:28:38 -0700
x-mimeole: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: Unsigned DPD responses for SCVP15
Date: Tue, 13 Jul 2004 11:28:46 -0700
Message-ID: <A24D60A1195E4549960ED2B9D28786723A8790@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Unsigned DPD responses for SCVP15
Thread-Index: AcRo/nx/AaaoEu2NRzODJlWYHxBSswAA1paQ
From: "Trevor Freeman" <trevorf@exchange.microsoft.com>
To: "Michael Myers" <mmyers@fastq.com>, <ietf-pkix@imc.org>
X-OriginalArrivalTime: 13 Jul 2004 18:28:38.0978 (UTC) FILETIME=[377C0A20:01C46907]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6DISgJM070058
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hi Mike,
Let me restate the question then.
The SCVP server publishes a policy document (see SCVP section 6) which
defines the default server behavior for that instance of server and the
set of validation policies it recognizes. We can add a flag to that
policy to indicate the server will only support DPD and in that mode the
server would not sign SCVP responses. We could also add another flag to
say the server was cached responses only.
The alternative if to have the client use a request flag and the server
can either process the request or return an error. If the objective to
support DPD only servers then having the server publish its DPD only
seems cleaner and simpler from the client perspective rather than have
the DPV client try and get an error back.
There is still the unanswered question of the value of having an SCVP
server support mixed mode operation i.e. it can return either signed or
unsigned responses based on the request flag. With the above server
policy flag we can support always sign or never sign which means I can
sign all responses or lock a server to DPD only and never sign
responses. If you want to have a low cost to deploy server then I would
have thought you would lock it down to DPD only. Once you take the cost
hit to deploy a signing SCVP server, beyond the CPU savings for not
signing some responses, what is the benefit over always signing policy
if you have a signing server given requests can be anonymous?
Therefore to support unsigned DPD do we
(A) add a flag to the Server policy response (SCVP section 6) to allow
the server to always sign or never sign?
Or
(B) Do we add a flag to the client request to allow the client to
express a preference to sign or not
If we want to support DPD only servers then option A meets that goal. If
we want to support mixed mode operation where a SCVP server can support
both signed and unsigned responses and that that there is tangible
benefits to mixed mode over always signing vs. never signing, then we
need option B.
Trevor
* -----Original Message-----
* From: Michael Myers [mailto:mmyers@fastq.com]
* Sent: Tuesday, July 13, 2004 10:26 AM
* To: Trevor Freeman; ietf-pkix@imc.org
* Subject: RE: Unsigned DPD responses for SCVP15
*
* Trevor,
*
* I believe Dave, Denis and I thought we were talking two
* alternative mechanisms to address the unsigned DPD consensus: a
* mechanism based on explicit policy OR a mechanism based on a new
* request flag, as you had earlier posted.
*
* Your discussion below, i.e. "it seems prudent to have a flag in
* the server policy" is confusing in that context.
*
* Please clarify what you are asking the WG to consider.
*
* Mike
*
*
*
*
* -----Original Message-----
* From: Trevor Freeman [mailto:trevorf@exchange.microsoft.com]
* Sent: Tuesday, July 13, 2004 10:06 AM
* To: Michael Myers; ietf-pkix@imc.org
* Subject: RE: Unsigned DPD responses for SCVP15
*
*
*
* Mike,
* We seem to have merges multiple threads here. The question on
* how SCVP
* supports unsigned DPD reprocess was the topic of this thread.
*
* Tim proposed a new optional flag in the request. Given some of
* the other
* discussions where in some instances SCVP server would be
* unwilling to do
* anything other than return unsigned responses, it seems prudent
* to have
* a flag in the server policy so DPV clients and DPD clients
* wanting
* signed responses don't waste their time. Given that SCVP
* requests can be
* unauthenticated, what is the benefit of having a SCVP server
* which
* returns both signed and unsigned responses depending on the
* unauthenticated request? That scenario today would have the
* server
* signing all response and the client can choose to ignore the
* signature
* if required. Concerns around server security or sever
* scalability, or
* freshness of SCVP responses are address by having a server only
* do
* unsigned DPD responses. I am simply trying to understand what
* problem we
* seek to address by the mixed mode SCVP server.
*
* Trevor
*
* * -----Original Message-----
* * From: Michael Myers [mailto:mmyers@fastq.com]
* * Sent: Monday, July 12, 2004 6:58 PM
* * To: Trevor Freeman; ietf-pkix@imc.org
* * Subject: RE: Unsigned DPD responses for SCVP15
* *
* * Given the two alternatives of:
* *
* * 1. An approach requiring explicit policies; or
* *
* * 2. Client-side assertion of a new flag as Tim proposed;
* *
* * I prefer #2 for the following reasons.
* *
* * The SCVP I-D asserts no requirement that a server MUST have a
* * unique policy. The I-D supports this by making optional all
* * such elements beyond the default defined by RFC3280. An
* * explicit OID-based approach forces the issue for servers that
* * wish to support unsigned DPD.
* *
* * A non-trivial subset of environments don't even know what an
* OID
* * is (think credit unions), let alone the technical details of
* * what must go into a policy as it relates to this context. The
* * contents of such are not well defined. Absent that, there
* * exists no basis to implement correponding enforcement logic
* that
* * is ensured to be interoperable across the Internet.
* *
* * The I-D provides no means for technical implementation and
* * enforcement of a policy-based approach; it is
* non-implementable.
* * Further, the I-D provides no means to discriminate between DPD
* * and DPV. Even assuming in the future a consensus on a
* * technically enforceable security assertion grammar, the
* subject
* * I-D defines no technical means to even say "DPD".
* *
* * Mike
* *
* *
*
*
*
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DHd41H064580; Tue, 13 Jul 2004 10:39:04 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DHd4Qf064579; Tue, 13 Jul 2004 10:39:04 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DHd304064573 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 10:39:03 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6DHd5S03870; Tue, 13 Jul 2004 10:39:05 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Russ Housley" <housley@vigilsec.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Tue, 13 Jul 2004 10:38:27 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDEEOJDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <6.1.1.1.2.20040713123533.09c07938@mail.binhost.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Russ,
As you know, I disagree on the default. My point is that DPD as
originally conceived and further defined by the requirements
RFC is to a first degree simply a proxy for the various
protocols and schemas devised over the years to acquire these
data.
I can live with the default as defined but I think it is useful
and necessary to establish why super-signing of previously
signed data is a good thing. Hypothetical replay attacks have
been proposed. OK, fine. So we have a flag that enables an
environment to assert source authenticity so those become
reality.
But these data, i.e. {path, rev-info}, are not only signed but
dated with respect to their reliability. That was the basis of
the original theory behind the notion that these data can be
made public without any concern for their source. I have yet to
hear a refutation of those prior assumptions.
If source authenticity in important in this instance, does that
then mean all extant protocols and schemas are at risk? If so,
why?
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Russ Housley
Sent: Tuesday, July 13, 2004 9:39 AM
To: ietf-pkix@imc.org
Subject: Re: Unsigned DPD responses for SCVP15
My personal preference Option #2; however, I think that absence
of this
flag should indicate that the response should be signed. One
needs to make
a guess about deployment to select the best semantic for this
situation,
and my guess is that server authentication will be important.
Russ
Trevor Freeman wrote:
>I have been asked to add unsigned responses for DPD clients to
SCVP15.
>There are two models proposed on how we accomplish that both of
which meet
>the requirements for 3379. I would therefore like some feedback
on how the
>group views the two mechanisms
>
>Global Server Policy that it is DPD only
>The first proposal is to make the option controlled by the
server as a
>global policy. Therefore the server would publish via policy
that is only
>supports DPD as such never signs a response. DPV client and DPD
clients
>wanting a signed response then know to use another server.
>
>SCVP Request option to not sign response
>The second option is to leave it to the client to signal to the
server it
>does not need a signature on the response by a new flag in the
request (or
>its twin the flag indicates it does want a signature on the
response).
>This allows clients to be benevolent towards the server by
asking it to
>skip the signature. Server can still at their discretion still
sign.
>
>Needless to say it is possible to hybridize the two but I am
hopeful we
>can try and keep this as simple as possible be picking on of
the two.
>Trevor
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DHQFtt063885; Tue, 13 Jul 2004 10:26:15 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DHQFlB063884; Tue, 13 Jul 2004 10:26:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DHQFAe063878 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 10:26:15 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6DHQHS01160; Tue, 13 Jul 2004 10:26:17 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Trevor Freeman" <trevorf@exchange.microsoft.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Tue, 13 Jul 2004 10:25:39 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDAEOJDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <A24D60A1195E4549960ED2B9D28786723A871B@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Trevor,
I believe Dave, Denis and I thought we were talking two
alternative mechanisms to address the unsigned DPD consensus: a
mechanism based on explicit policy OR a mechanism based on a new
request flag, as you had earlier posted.
Your discussion below, i.e. "it seems prudent to have a flag in
the server policy" is confusing in that context.
Please clarify what you are asking the WG to consider.
Mike
-----Original Message-----
From: Trevor Freeman [mailto:trevorf@exchange.microsoft.com]
Sent: Tuesday, July 13, 2004 10:06 AM
To: Michael Myers; ietf-pkix@imc.org
Subject: RE: Unsigned DPD responses for SCVP15
Mike,
We seem to have merges multiple threads here. The question on
how SCVP
supports unsigned DPD reprocess was the topic of this thread.
Tim proposed a new optional flag in the request. Given some of
the other
discussions where in some instances SCVP server would be
unwilling to do
anything other than return unsigned responses, it seems prudent
to have
a flag in the server policy so DPV clients and DPD clients
wanting
signed responses don't waste their time. Given that SCVP
requests can be
unauthenticated, what is the benefit of having a SCVP server
which
returns both signed and unsigned responses depending on the
unauthenticated request? That scenario today would have the
server
signing all response and the client can choose to ignore the
signature
if required. Concerns around server security or sever
scalability, or
freshness of SCVP responses are address by having a server only
do
unsigned DPD responses. I am simply trying to understand what
problem we
seek to address by the mixed mode SCVP server.
Trevor
* -----Original Message-----
* From: Michael Myers [mailto:mmyers@fastq.com]
* Sent: Monday, July 12, 2004 6:58 PM
* To: Trevor Freeman; ietf-pkix@imc.org
* Subject: RE: Unsigned DPD responses for SCVP15
*
* Given the two alternatives of:
*
* 1. An approach requiring explicit policies; or
*
* 2. Client-side assertion of a new flag as Tim proposed;
*
* I prefer #2 for the following reasons.
*
* The SCVP I-D asserts no requirement that a server MUST have a
* unique policy. The I-D supports this by making optional all
* such elements beyond the default defined by RFC3280. An
* explicit OID-based approach forces the issue for servers that
* wish to support unsigned DPD.
*
* A non-trivial subset of environments don't even know what an
OID
* is (think credit unions), let alone the technical details of
* what must go into a policy as it relates to this context. The
* contents of such are not well defined. Absent that, there
* exists no basis to implement correponding enforcement logic
that
* is ensured to be interoperable across the Internet.
*
* The I-D provides no means for technical implementation and
* enforcement of a policy-based approach; it is
non-implementable.
* Further, the I-D provides no means to discriminate between DPD
* and DPV. Even assuming in the future a consensus on a
* technically enforceable security assertion grammar, the
subject
* I-D defines no technical means to even say "DPD".
*
* Mike
*
*
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DH5tAn061634; Tue, 13 Jul 2004 10:05:55 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DH5t0F061633; Tue, 13 Jul 2004 10:05:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from exchange.microsoft.com ([131.107.8.3]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DH5s6a061627 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 10:05:54 -0700 (PDT) (envelope-from trevorf@microsoft.com)
Received: from DF-VRS-01.redmond.corp.microsoft.com ([157.54.4.14]) by exchange.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069); Tue, 13 Jul 2004 10:05:54 -0700
Received: from 10.197.0.83 by DF-VRS-01.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Tue, 13 Jul 2004 10:05:58 -0700
Received: from df-fido-msg.exchange.corp.microsoft.com ([157.54.6.241]) by DF-BEG.mercury.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 13 Jul 2004 10:06:08 -0700
Received: from DF-SEADOG-MSG.exchange.corp.microsoft.com ([157.54.6.243]) by df-fido-msg.exchange.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Tue, 13 Jul 2004 10:05:52 -0700
x-mimeole: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: Unsigned DPD responses for SCVP15
Date: Tue, 13 Jul 2004 10:05:58 -0700
Message-ID: <A24D60A1195E4549960ED2B9D28786723A871B@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Unsigned DPD responses for SCVP15
Thread-Index: AcRofOIU9rHwdocSSeKR44mD8Hy0swAfKMJw
From: "Trevor Freeman" <trevorf@exchange.microsoft.com>
To: "Michael Myers" <mmyers@fastq.com>, <ietf-pkix@imc.org>
X-OriginalArrivalTime: 13 Jul 2004 17:05:52.0366 (UTC) FILETIME=[A72730E0:01C468FB]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6DH5s6a061628
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Mike,
We seem to have merges multiple threads here. The question on how SCVP
supports unsigned DPD reprocess was the topic of this thread.
Tim proposed a new optional flag in the request. Given some of the other
discussions where in some instances SCVP server would be unwilling to do
anything other than return unsigned responses, it seems prudent to have
a flag in the server policy so DPV clients and DPD clients wanting
signed responses don't waste their time. Given that SCVP requests can be
unauthenticated, what is the benefit of having a SCVP server which
returns both signed and unsigned responses depending on the
unauthenticated request? That scenario today would have the server
signing all response and the client can choose to ignore the signature
if required. Concerns around server security or sever scalability, or
freshness of SCVP responses are address by having a server only do
unsigned DPD responses. I am simply trying to understand what problem we
seek to address by the mixed mode SCVP server.
Trevor
* -----Original Message-----
* From: Michael Myers [mailto:mmyers@fastq.com]
* Sent: Monday, July 12, 2004 6:58 PM
* To: Trevor Freeman; ietf-pkix@imc.org
* Subject: RE: Unsigned DPD responses for SCVP15
*
* Given the two alternatives of:
*
* 1. An approach requiring explicit policies; or
*
* 2. Client-side assertion of a new flag as Tim proposed;
*
* I prefer #2 for the following reasons.
*
* The SCVP I-D asserts no requirement that a server MUST have a
* unique policy. The I-D supports this by making optional all
* such elements beyond the default defined by RFC3280. An
* explicit OID-based approach forces the issue for servers that
* wish to support unsigned DPD.
*
* A non-trivial subset of environments don't even know what an OID
* is (think credit unions), let alone the technical details of
* what must go into a policy as it relates to this context. The
* contents of such are not well defined. Absent that, there
* exists no basis to implement correponding enforcement logic that
* is ensured to be interoperable across the Internet.
*
* The I-D provides no means for technical implementation and
* enforcement of a policy-based approach; it is non-implementable.
* Further, the I-D provides no means to discriminate between DPD
* and DPV. Even assuming in the future a consensus on a
* technically enforceable security assertion grammar, the subject
* I-D defines no technical means to even say "DPD".
*
* Mike
*
*
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DGd3kp059556; Tue, 13 Jul 2004 09:39:03 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DGd3lN059555; Tue, 13 Jul 2004 09:39:03 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6DGd2ar059541 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 09:39:02 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 30383 invoked by uid 0); 13 Jul 2004 16:34:01 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (141.156.184.240) by woodstock.binhost.com with SMTP; 13 Jul 2004 16:34:01 -0000
Message-Id: <6.1.1.1.2.20040713123533.09c07938@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Tue, 13 Jul 2004 12:38:56 -0400
To: ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: Unsigned DPD responses for SCVP15
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
My personal preference Option #2; however, I think that absence of this
flag should indicate that the response should be signed. One needs to make
a guess about deployment to select the best semantic for this situation,
and my guess is that server authentication will be important.
Russ
Trevor Freeman wrote:
>I have been asked to add unsigned responses for DPD clients to SCVP15.
>There are two models proposed on how we accomplish that both of which meet
>the requirements for 3379. I would therefore like some feedback on how the
>group views the two mechanisms
>
>Global Server Policy that it is DPD only
>The first proposal is to make the option controlled by the server as a
>global policy. Therefore the server would publish via policy that is only
>supports DPD as such never signs a response. DPV client and DPD clients
>wanting a signed response then know to use another server.
>
>SCVP Request option to not sign response
>The second option is to leave it to the client to signal to the server it
>does not need a signature on the response by a new flag in the request (or
>its twin the flag indicates it does want a signature on the response).
>This allows clients to be benevolent towards the server by asking it to
>skip the signature. Server can still at their discretion still sign.
>
>Needless to say it is possible to hybridize the two but I am hopeful we
>can try and keep this as simple as possible be picking on of the two.
>Trevor
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DG7PaK057415; Tue, 13 Jul 2004 09:07:25 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6DG7OUU057414; Tue, 13 Jul 2004 09:07:24 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6DG7ObS057402 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 09:07:24 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6DG7OS85368 for <ietf-pkix@imc.org>; Tue, 13 Jul 2004 09:07:25 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Tue, 13 Jul 2004 09:06:46 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDIEOHDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <EOEGJNFMMIBDKGFONJJDMEOCDNAA.mmyers@fastq.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I hate to keep ringing this bell, but there is no technical
means to say "DPD" in SCVP. So should the flag-based option
come to pass, it will need to be defined in terms of response
content. That is, language along the lines of "MAY sign
responses containing ONLY {path, rev-info} but MUST sign
validity assertions." The flag would sharpen the MAY.
Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D6qoTf027318; Mon, 12 Jul 2004 23:52:50 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6D6qoBA027317; Mon, 12 Jul 2004 23:52:50 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D6qm0M027261 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 23:52:49 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from clbull.frcl.bull.fr (IDENT:root@clbull.frcl.bull.fr [129.182.8.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id JAA47698; Tue, 13 Jul 2004 09:02:59 +0200
Received: from bull.net (frcls4013.frcl.bull.fr [129.182.108.120]) by clbull.frcl.bull.fr (8.9.3/8.9.3) with ESMTP id IAA29788; Tue, 13 Jul 2004 08:52:24 +0200
Message-ID: <40F386BB.4010003@bull.net>
Date: Tue, 13 Jul 2004 08:52:43 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: Trevor Freeman <trevorf@microsoft.com>
CC: ietf-pkix@imc.org
Subject: Re: Unsigned DPD responses for SCVP15
References: <A24D60A1195E4549960ED2B9D28786723A85D6@DF-SEADOG-MSG.exchange.corp.microsoft.com> <40F34DA9.7060407@corestreet.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Trevor,
Like Mike and David, I also support Option #2.
Denis
> My preference is the same as Mike's (Option #2, server may choose not to
> sign {path, rev-info} unless client indicates signing is required with a
> request flag).
>
> This gives the greatest flexibility to deployers, who can deploy servers
> that either:
>
> (a) always sign everything
>
> (b) never sign anything and return errors if requested to
>
> (c) sign if client asks for a signature, don't sign if client
> doesn't ask and response type permits.
>
> Trevor's Option #1 (Fixed server policy) only permits deployments of (a)
> and (b). I believe that (c) is a potentially useful configuration, and
> I don't think there's a strong reason to absolutely preclude it.
>
> Thanks
>
>
> Trevor Freeman wrote:
>
>> I have been asked to add unsigned responses for DPD clients to SCVP15.
>> There are two models proposed on how we accomplish that both of which
>> meet the requirements for 3379. I would therefore like some feedback
>> on how the group views the two mechanisms
>>
>>
>>
>> Global Server Policy that it is DPD only
>>
>> The first proposal is to make the option controlled by the server as a
>> global policy. Therefore the server would publish via policy that is
>> only supports DPD as such never signs a response. DPV client and DPD
>> clients wanting a signed response then know to use another server.
>>
>>
>>
>> SCVP Request option to not sign response
>>
>> The second option is to leave it to the client to signal to the server
>> it does not need a signature on the response by a new flag in the
>> request (or its twin the flag indicates it does want a signature on
>> the response). This allows clients to be benevolent towards the server
>> by asking it to skip the signature. Server can still at their
>> discretion still sign.
>>
>>
>>
>> Needless to say it is possible to hybridize the two but I am hopeful
>> we can try and keep this as simple as possible be picking on of the two.
>>
>> Trevor
>>
>
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D2mhgU091797; Mon, 12 Jul 2004 19:48:43 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6D2mhL2091796; Mon, 12 Jul 2004 19:48:43 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net [204.127.202.55]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D2mgNA091777 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 19:48:43 -0700 (PDT) (envelope-from dave@corestreet.com)
Received: from localhost (h005008001124.ne.client2.attbi.com[66.31.43.88]) by comcast.net (sccrmhc11) with ESMTP id <20040713024843011009odhee>; Tue, 13 Jul 2004 02:48:44 +0000
Received: from localhost ([127.0.0.1] helo=corestreet.com ident=dave) by localhost with esmtp (Exim 3.35 #1 (Debian)) id 1BkDM2-0007OC-00 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 22:49:14 -0400
Message-ID: <40F34DA9.7060407@corestreet.com>
Date: Mon, 12 Jul 2004 22:49:13 -0400
From: David Engberg <dave@corestreet.com>
Organization: CoreStreet
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: Unsigned DPD responses for SCVP15
References: <A24D60A1195E4549960ED2B9D28786723A85D6@DF-SEADOG-MSG.exchange.corp.microsoft.com>
In-Reply-To: <A24D60A1195E4549960ED2B9D28786723A85D6@DF-SEADOG-MSG.exchange.corp.microsoft.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
My preference is the same as Mike's (Option #2, server may choose not to
sign {path, rev-info} unless client indicates signing is required with a
request flag).
This gives the greatest flexibility to deployers, who can deploy servers
that either:
(a) always sign everything
(b) never sign anything and return errors if requested to
(c) sign if client asks for a signature, don't sign if client
doesn't ask and response type permits.
Trevor's Option #1 (Fixed server policy) only permits deployments of (a)
and (b). I believe that (c) is a potentially useful configuration, and
I don't think there's a strong reason to absolutely preclude it.
Thanks
Trevor Freeman wrote:
> I have been asked to add unsigned responses for DPD clients to SCVP15.
> There are two models proposed on how we accomplish that both of which
> meet the requirements for 3379. I would therefore like some feedback on
> how the group views the two mechanisms
>
>
>
> Global Server Policy that it is DPD only
>
> The first proposal is to make the option controlled by the server as a
> global policy. Therefore the server would publish via policy that is
> only supports DPD as such never signs a response. DPV client and DPD
> clients wanting a signed response then know to use another server.
>
>
>
> SCVP Request option to not sign response
>
> The second option is to leave it to the client to signal to the server
> it does not need a signature on the response by a new flag in the
> request (or its twin the flag indicates it does want a signature on the
> response). This allows clients to be benevolent towards the server by
> asking it to skip the signature. Server can still at their discretion
> still sign.
>
>
>
> Needless to say it is possible to hybridize the two but I am hopeful we
> can try and keep this as simple as possible be picking on of the two.
>
> Trevor
>
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D1wHa0087977; Mon, 12 Jul 2004 18:58:17 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6D1wHFm087976; Mon, 12 Jul 2004 18:58:17 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D1wG2K087970 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 18:58:16 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6D1wLS06790; Mon, 12 Jul 2004 18:58:21 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Trevor Freeman" <trevorf@exchange.microsoft.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Mon, 12 Jul 2004 18:57:43 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDMEOFDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <A24D60A1195E4549960ED2B9D28786723A8604@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Given the two alternatives of:
1. An approach requiring explicit policies; or
2. Client-side assertion of a new flag as Tim proposed;
I prefer #2 for the following reasons.
The SCVP I-D asserts no requirement that a server MUST have a
unique policy. The I-D supports this by making optional all
such elements beyond the default defined by RFC3280. An
explicit OID-based approach forces the issue for servers that
wish to support unsigned DPD.
A non-trivial subset of environments don't even know what an OID
is (think credit unions), let alone the technical details of
what must go into a policy as it relates to this context. The
contents of such are not well defined. Absent that, there
exists no basis to implement correponding enforcement logic that
is ensured to be interoperable across the Internet.
The I-D provides no means for technical implementation and
enforcement of a policy-based approach; it is non-implementable.
Further, the I-D provides no means to discriminate between DPD
and DPV. Even assuming in the future a consensus on a
technically enforceable security assertion grammar, the subject
I-D defines no technical means to even say "DPD".
Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D1BMdb084286; Mon, 12 Jul 2004 18:11:22 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6D1BMQm084285; Mon, 12 Jul 2004 18:11:22 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from exchange.microsoft.com ([131.107.8.3]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D1BLbL084279 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 18:11:21 -0700 (PDT) (envelope-from trevorf@microsoft.com)
Received: from DF-VRS-01.redmond.corp.microsoft.com ([157.54.4.14]) by exchange.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069); Mon, 12 Jul 2004 18:11:20 -0700
Received: from 10.197.0.83 by DF-VRS-01.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 12 Jul 2004 18:11:27 -0700
Received: from df-fido-msg.exchange.corp.microsoft.com ([157.54.6.241]) by DF-BEG.mercury.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 12 Jul 2004 18:11:25 -0700
Received: from DF-SEADOG-MSG.exchange.corp.microsoft.com ([157.54.6.243]) by df-fido-msg.exchange.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Mon, 12 Jul 2004 18:11:24 -0700
x-mimeole: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: Unsigned DPD responses for SCVP15
Date: Mon, 12 Jul 2004 18:11:13 -0700
Message-ID: <A24D60A1195E4549960ED2B9D28786723A8604@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Unsigned DPD responses for SCVP15
Thread-Index: AcRodCli/NnxQv4NRbWnACwcClcimQAAWKAQ
From: "Trevor Freeman" <trevorf@exchange.microsoft.com>
To: "Michael Myers" <mmyers@fastq.com>, <ietf-pkix@imc.org>
X-OriginalArrivalTime: 13 Jul 2004 01:11:24.0247 (UTC) FILETIME=[50B1B670:01C46876]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i6D1BLbL084280
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I should have added that we need some rationale as well so I get some
context why. We need to consider this change in light of all SCVP users,
not just the DPD camp.
Trevor
* -----Original Message-----
* From: Michael Myers [mailto:mmyers@fastq.com]
* Sent: Monday, July 12, 2004 5:55 PM
* To: Trevor Freeman; ietf-pkix@imc.org
* Subject: RE: Unsigned DPD responses for SCVP15
*
* Trevor,
*
* I prefer the client-side flag option, with absence of the flag
* defaulting to no signatures on SCVP responses containing ONLY
* {path, rev-info}.
*
* Mike
*
*
* -----Original Message-----
* From: owner-ietf-pkix@mail.imc.org
* [mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Trevor Freeman
* Sent: Monday, July 12, 2004 5:10 PM
* To: ietf-pkix@imc.org
* Subject: Unsigned DPD responses for SCVP15
*
*
* I have been asked to add unsigned responses for DPD clients to
* SCVP15. There are two models proposed on how we accomplish that
* both of which meet the requirements for 3379. I would therefore
* like some feedback on how the group views the two mechanisms
*
* Global Server Policy that it is DPD only
* The first proposal is to make the option controlled by the
* server as a global policy. Therefore the server would publish
* via policy that is only supports DPD as such never signs a
* response. DPV client and DPD clients wanting a signed response
* then know to use another server.
*
* SCVP Request option to not sign response
* The second option is to leave it to the client to signal to the
* server it does not need a signature on the response by a new
* flag in the request (or its twin the flag indicates it does want
* a signature on the response). This allows clients to be
* benevolent towards the server by asking it to skip the
* signature. Server can still at their discretion still sign.
*
* Needless to say it is possible to hybridize the two but I am
* hopeful we can try and keep this as simple as possible be
* picking on of the two.
* Trevor
*
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D0u0QC082650; Mon, 12 Jul 2004 17:56:00 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6D0u0k7082649; Mon, 12 Jul 2004 17:56:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D0u0i7082643 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 17:56:00 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6D0u4S95741; Mon, 12 Jul 2004 17:56:04 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: "Trevor Freeman" <trevorf@Exchange.Microsoft.com>, <ietf-pkix@imc.org>
Subject: RE: Unsigned DPD responses for SCVP15
Date: Mon, 12 Jul 2004 17:55:18 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDMEOCDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <A24D60A1195E4549960ED2B9D28786723A85D6@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Trevor,
I prefer the client-side flag option, with absence of the flag
defaulting to no signatures on SCVP responses containing ONLY
{path, rev-info}.
Mike
-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Trevor Freeman
Sent: Monday, July 12, 2004 5:10 PM
To: ietf-pkix@imc.org
Subject: Unsigned DPD responses for SCVP15
I have been asked to add unsigned responses for DPD clients to
SCVP15. There are two models proposed on how we accomplish that
both of which meet the requirements for 3379. I would therefore
like some feedback on how the group views the two mechanisms
Global Server Policy that it is DPD only
The first proposal is to make the option controlled by the
server as a global policy. Therefore the server would publish
via policy that is only supports DPD as such never signs a
response. DPV client and DPD clients wanting a signed response
then know to use another server.
SCVP Request option to not sign response
The second option is to leave it to the client to signal to the
server it does not need a signature on the response by a new
flag in the request (or its twin the flag indicates it does want
a signature on the response). This allows clients to be
benevolent towards the server by asking it to skip the
signature. Server can still at their discretion still sign.
Needless to say it is possible to hybridize the two but I am
hopeful we can try and keep this as simple as possible be
picking on of the two.
Trevor
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D09Y8Z079572; Mon, 12 Jul 2004 17:09:34 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6D09Y6H079571; Mon, 12 Jul 2004 17:09:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from exchange.microsoft.com ([131.107.8.3]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6D09XL7079564 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 17:09:33 -0700 (PDT) (envelope-from trevorf@microsoft.com)
Received: from DF-VRS-01.redmond.corp.microsoft.com ([157.54.4.14]) by exchange.microsoft.com with Microsoft SMTPSVC(6.0.3790.1069); Mon, 12 Jul 2004 17:09:35 -0700
Received: from 10.197.0.83 by DF-VRS-01.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 12 Jul 2004 17:09:39 -0700
Received: from df-fido-msg.exchange.corp.microsoft.com ([157.54.6.241]) by DF-BEG.mercury.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 12 Jul 2004 17:09:38 -0700
Received: from DF-SEADOG-MSG.exchange.corp.microsoft.com ([157.54.6.243]) by df-fido-msg.exchange.corp.microsoft.com with Microsoft SMTPSVC(6.0.3790.0); Mon, 12 Jul 2004 17:09:37 -0700
x-mimeole: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPartTM-000-516d6b34-abf2-4b52-88ea-4aaf7d1b9505"
Subject: Unsigned DPD responses for SCVP15
Date: Mon, 12 Jul 2004 17:09:34 -0700
Message-ID: <A24D60A1195E4549960ED2B9D28786723A85D6@DF-SEADOG-MSG.exchange.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Unsigned DPD responses for SCVP15
Thread-Index: AcRoba2ZYOoqnYLyTJOjoQpI21+/FQ==
From: "Trevor Freeman" <trevorf@exchange.microsoft.com>
To: <ietf-pkix@imc.org>
X-OriginalArrivalTime: 13 Jul 2004 00:09:37.0125 (UTC) FILETIME=[AF13C950:01C4686D]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPartTM-000-516d6b34-abf2-4b52-88ea-4aaf7d1b9505
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C4686D.AEFCAA7E"
------_=_NextPart_001_01C4686D.AEFCAA7E
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
I have been asked to add unsigned responses for DPD clients to SCVP15.
There are two models proposed on how we accomplish that both of which
meet the requirements for 3379. I would therefore like some feedback on
how the group views the two mechanisms
=20
Global Server Policy that it is DPD only
The first proposal is to make the option controlled by the server as a
global policy. Therefore the server would publish via policy that is
only supports DPD as such never signs a response. DPV client and DPD
clients wanting a signed response then know to use another server.
=20
SCVP Request option to not sign response
The second option is to leave it to the client to signal to the server
it does not need a signature on the response by a new flag in the
request (or its twin the flag indicates it does want a signature on the
response). This allows clients to be benevolent towards the server by
asking it to skip the signature. Server can still at their discretion
still sign.
=20
Needless to say it is possible to hybridize the two but I am hopeful we
can try and keep this as simple as possible be picking on of the two.
Trevor
------_=_NextPart_001_01C4686D.AEFCAA7E
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Device Font 10cpi";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0pt;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Device Font 10cpi";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{margin:0pt;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{font-family:Arial;
color:windowtext;}
@page Section1
{size:612.0pt 792.0pt;
margin:0pt 31.3pt 0pt 31.25pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>I have been asked to add unsigned responses for DPD clients to =
SCVP15.
There are two models proposed on how we accomplish that both of which =
meet the
requirements for 3379. I would therefore like some feedback on how the =
group
views the two mechanisms</span></font></p>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'> </span></font></p>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>Global Server Policy that it is DPD only</span></font></p>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>The first proposal is to make the option controlled by the =
server as a
global policy. Therefore the server would publish via policy that is =
only
supports DPD as such never signs a response. DPV client and DPD clients =
wanting
a signed response then know to use another server.</span></font></p>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'> </span></font></p>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>SCVP Request option to not sign response</span></font></p>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>The second option is to leave it to the client to signal to the =
server
it does not need a signature on the response by a new flag in the =
request (or
its twin the flag indicates it does want a signature on the response). =
This
allows clients to be benevolent towards the server by asking it to skip =
the
signature. Server can still at their discretion still =
sign.</span></font></p>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'> </span></font></p>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>Needless to say it is possible to hybridize the two but I am =
hopeful we
can try and keep this as simple as possible be picking on of the =
two.</span></font></p>
<p class=3DMsoPlainText><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:
10.0pt'>Trevor</span></font></p>
</div>
</body>
</html>
------_=_NextPart_001_01C4686D.AEFCAA7E--
------=_NextPartTM-000-516d6b34-abf2-4b52-88ea-4aaf7d1b9505--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6CMNBTf070326; Mon, 12 Jul 2004 15:23:11 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6CMNBMt070325; Mon, 12 Jul 2004 15:23:11 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6CMNAQo070315 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 15:23:11 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i6CMN9S66204 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 15:23:09 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: <ietf-pkix@imc.org>
Subject: OCSP in IKEv2
Date: Mon, 12 Jul 2004 15:22:32 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDCEOADNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
x-mimeole: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
In-Reply-To: <6.1.1.1.2.20040712132632.03b49e80@mail.binhost.com>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
All,
Please consider and comment on the following.
Discussions will be held on the IPSEC list.
Michael Myers
-----Original Message-----
From: i-d-announce-bounces@ietf.org
Sent: Monday, July 12, 2004 12:36 PM
A New Internet-Draft is available from the on-line
Internet-Drafts directories.
Title : OCSP Extensions to IKEv2
Author(s) : M. Myers, H. Tschofenig
Filename : draft-myers-ipsec-ikev2-oscp-00.txt
Pages : 8
Date : 2004-7-12
While IKEv2 supports public key based authentication (PKI), the
corresponding use of in-band CRLs is problematic due to
unbounded CRL
size. The size of an OCSP response is however well-bounded and
small.
This document defines two extensions to IKEv2 which enable the
use of
OCSP for in-band signaling of certificate revocation status.
Two new
content encodings are defined for use in the CERTREQ and CERT
payloads:
OCSP Responder Hash and OCSP Response. An OCSP Responder Hash
CERTREQ
payload triggers transmission of an OCSP Response CERT payload.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-myers-ipsec-ikev2-oscp
-00.txt
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6CHTgsT043234; Mon, 12 Jul 2004 10:29:42 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6CHTgoS043233; Mon, 12 Jul 2004 10:29:42 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [144.202.240.3]) by above.proper.com (8.12.11/8.12.9) with SMTP id i6CHTfVN043227 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 10:29:41 -0700 (PDT) (envelope-from housley@vigilsec.com)
Received: (qmail 20870 invoked by uid 0); 12 Jul 2004 17:24:53 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.11.103) by woodstock.binhost.com with SMTP; 12 Jul 2004 17:24:53 -0000
Message-Id: <6.1.1.1.2.20040712132632.03b49e80@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1
Date: Mon, 12 Jul 2004 13:29:58 -0400
To: ietf-pkix@imc.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: New I-D on Intl Strings in Certs
In-Reply-To: <40F2867D.6090408@sun.com>
References: <40F2867D.6090408@sun.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Many thanks to Steve and Paul for generating this document.
I would like to see an additional section in this document. When otherName
forms are registered, some of these will in include text strings. However,
they will probably not make use of GeneralName or Name. Therefore, I think
it would be useful to list the ASN.1 types where these rules should be
applied. UTF8String is obvious. What esle?
Russ
At 08:39 AM 7/12/2004, Steve Hanna wrote:
>Among the recent flurry of Internet Draft
>announcements was the one below. This is
>the long-promised document by Paul Hoffman
>and myself on how to handle Unicode and
>other international strings in certificates.
>
>Please review the document, considering
>especially the open issues highlighted
>therein. We will lead a discussion on
>these topics at IETF 60, but it would be
>great to get an email discussion going
>first.
>
>We have coordinated with the ISO, ldapbis,
>and idn folks on this effort. We want to
>make sure all our documents are compatible
>so that you can use the same techniques
>(and the same code) for comparing X.500
>names with all these standards. That's why
>this document is fairly small, pointing
>people to the ldapbis specs for details.
>
>So please review this document and send
>comments to the PKIX list.
>
>Thanks,
>
>Steve
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6CCbCpl019194; Mon, 12 Jul 2004 05:37:12 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i6CCbCUj019193; Mon, 12 Jul 2004 05:37:12 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i6CCaf8j019157 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 05:37:12 -0700 (PDT) (envelope-from Steve.Hanna@Sun.COM)
Received: from phys-bur1-1 ([129.148.13.15]) by brmea-mail-4.sun.com (8.12.10/8.12.9) with ESMTP id i6CCYa53025399 for <ietf-pkix@imc.org>; Mon, 12 Jul 2004 06:34:36 -0600 (MDT)
Received: from conversion-daemon.bur-mail2.east.sun.com by bur-mail2.east.sun.com (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) id <0I0Q00N01O290W@bur-mail2.east.sun.com> (original mail from Steve.Hanna@Sun.COM) for ietf-pkix@imc.org; Mon, 12 Jul 2004 08:36:43 -0400 (EDT)
Received: from sun.com (vpn-129-150-64-92.East.Sun.COM [129.150.64.92]) by bur-mail2.east.sun.com (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) with ESMTPA id <0I0Q00IXTOD6Z5@bur-mail2.east.sun.com> for ietf-pkix@imc.org; Mon, 12 Jul 2004 08:36:43 -0400 (EDT)
Date: Mon, 12 Jul 2004 08:39:25 -0400
From: Steve Hanna <Steve.Hanna@Sun.COM>
Subject: New I-D on Intl Strings in Certs
To: ietf-pkix@imc.org
Message-id: <40F2867D.6090408@sun.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
X-Accept-Language: en-us, en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Among the recent flurry of Internet Draft
announcements was the one below. This is
the long-promised document by Paul Hoffman
and myself on how to handle Unicode and
other international strings in certificates.
Please review the document, considering
especially the open issues highlighted
therein. We will lead a discussion on
these topics at IETF 60, but it would be
great to get an email discussion going
first.
We have coordinated with the ISO, ldapbis,
and idn folks on this effort. We want to
make sure all our documents are compatible
so that you can use the same techniques
(and the same code) for comparing X.500
names with all these standards. That's why
this document is fairly small, pointing
people to the ldapbis specs for details.
So please review this document and send
comments to the PKIX list.
Thanks,
Steve
-------- Original Message --------
Subject: I-D ACTION:draft-hoffman-pkix-stringmatch-00.txt
Date: Fri, 09 Jul 2004 15:26:26 -0400
From: Internet-Drafts@ietf.org
Reply-To: internet-drafts@ietf.org
To: i-d-announce@ietf.org
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
Title : Matching Text Strings in PKIX Certificates
Author(s) : P. Hoffman, S. Hanna
Filename : draft-hoffman-pkix-stringmatch-00.txt
Pages : 0
Date : 2004-7-9
Strings of text appear in many fields in PKIX certificates. Some
applications need to compare the values in these fields to strings
from other certificates, or to values obtained in other manners.
For many string encodings, this can be done in an octet-by-octet
fashion. Other encodings, however, require preparation before the
strings can be compared. This document describes that preparation
and when it needs to be applied.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-hoffman-pkix-stringmatch-00.txt
To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request@ietf.org with the word unsubscribe in the body of
the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.
Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
"get draft-hoffman-pkix-stringmatch-00.txt".
A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Internet-Drafts can also be obtained by e-mail.
Send a message to:
mailserv@ietf.org.
In the body type:
"FILE /internet-drafts/draft-hoffman-pkix-stringmatch-00.txt".
NOTE: The mail server at ietf.org can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e. documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i69LQI3N009023; Fri, 9 Jul 2004 14:26:18 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i69LQI4A009022; Fri, 9 Jul 2004 14:26:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from rwcrmhc13.comcast.net (rwcrmhc13.comcast.net [204.127.198.39]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i69LPuqn008991 for <ietf-pkix@imc.org>; Fri, 9 Jul 2004 14:26:18 -0700 (PDT) (envelope-from dave@corestreet.com)
Received: from localhost (h005008001124.ne.client2.attbi.com[66.31.43.88]) by comcast.net (rwcrmhc13) with ESMTP id <2004070921255601500i15h2e>; Fri, 9 Jul 2004 21:25:56 +0000
Received: from localhost ([127.0.0.1] helo=corestreet.com ident=dave) by localhost with esmtp (Exim 3.35 #1 (Debian)) id 1Bj2st-0003jd-00; Fri, 09 Jul 2004 17:26:19 -0400
Message-ID: <40EF0D7A.2080002@corestreet.com>
Date: Fri, 09 Jul 2004 17:26:18 -0400
From: David Engberg <dave@corestreet.com>
Organization: CoreStreet
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Michael Myers <mmyers@fastq.com>
CC: ietf-pkix@imc.org
Subject: Re: SCVP responses containing only {path, rev-info}
References: <EOEGJNFMMIBDKGFONJJDEEMMDNAA.mmyers@fastq.com>
In-Reply-To: <EOEGJNFMMIBDKGFONJJDEEMMDNAA.mmyers@fastq.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
I support this proposal.
I do agree with Mike, and would also prefer to invert #2 (DPD may be
unsigned unless client explicitly requests a signature), but I would
ultimately be fine with either form.
Thanks
Michael Myers wrote:
> ...
> The proposed mechanism is as follows. Assume there exists a new
> SCVP request flag governing the production of DPD signatures.
> Then:
>
> (1) If the client indicates DPD signatures are not required,
> the server MAY return an unsigned response, a signed
> response, or an error.
>
> (2) If the new request flag is not present, the server MUST
> return a signed response or an error.
>
> (3) Unless the client indicates signatures are not required,
> the client MUST verify the signature on the response.
>
> I would prefer to invert the sense of #2 since by RFC 3379's
> definition DPD is to a first degree just a proxy for the diverse
> protocols and schemas currently used to access PKI information.
> Where the previously hypothesized replay attacks become reality,
> turn on the flag. But maybe that is just me.
>
> I think it is time others were given the opportunity to voice
> their opinions.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i69KeVt4005898; Fri, 9 Jul 2004 13:40:31 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i69KeVFU005897; Fri, 9 Jul 2004 13:40:31 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mailout.fastq.com (mailout.fastq.com [204.62.193.66]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i69KeTkZ005891 for <ietf-pkix@imc.org>; Fri, 9 Jul 2004 13:40:30 -0700 (PDT) (envelope-from mmyers@fastq.com)
Received: from MMyersLapTop (dslstat-ppp-241.fastq.com [65.39.92.241]) by mailout.fastq.com (8.11.6-2003091800/8.11.3.FastQ-MailOut) with SMTP id i69KeXS11187 for <ietf-pkix@imc.org>; Fri, 9 Jul 2004 13:40:34 -0700 (MST) (envelope-from mmyers@fastq.com)
From: "Michael Myers" <mmyers@fastq.com>
To: <ietf-pkix@imc.org>
Subject: SCVP responses containing only {path, rev-info}
Date: Fri, 9 Jul 2004 13:40:01 -0700
Message-ID: <EOEGJNFMMIBDKGFONJJDEEMMDNAA.mmyers@fastq.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <33E7A1613A3480448996047B69308A2F02559605@df-grommit-01.dogfood>
Importance: Normal
x-mimeole: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
All,
Apologies in advance for the awkward subject line but the SCVP
I-D provides no explicit means to say "DPD". Nonetheless, for
the purposes of this note, interpret "DPD" as a macro for "SCVP
responses containing ONLY {path, rev-info}".
You may recall some time ago discussions on whether or not DPD
should be signed. It was concluded that because the data
objects contained in such a response are themselves signed, the
security assurances afforded by overlaying an additional
signature were of such a degree that the risks are a matter of
local policy--providing that the document defined a means to
enable activation of DPD signing.
Since the development of that rough consensus, several off-list
discussions have been conducted with a view towards the precise
definition of those means. The most recently proposed mechanism
appears to enable a consensus that will close this issue. With
additional apologies in advance to all participants in the
off-list discussions, I believe it is time to bring this issue
to the WG.
The proposed mechanism is as follows. Assume there exists a new
SCVP request flag governing the production of DPD signatures.
Then:
(1) If the client indicates DPD signatures are not required,
the server MAY return an unsigned response, a signed
response, or an error.
(2) If the new request flag is not present, the server MUST
return a signed response or an error.
(3) Unless the client indicates signatures are not required,
the client MUST verify the signature on the response.
I would prefer to invert the sense of #2 since by RFC 3379's
definition DPD is to a first degree just a proxy for the diverse
protocols and schemas currently used to access PKI information.
Where the previously hypothesized replay attacks become reality,
turn on the flag. But maybe that is just me.
I think it is time others were given the opportunity to voice
their opinions.
Thoughts, anyone?
Mike
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i69HLMnO091876; Fri, 9 Jul 2004 10:21:22 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i69HLMoT091875; Fri, 9 Jul 2004 10:21:22 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from csexchange1.corestreet.com (csexchange1.corestreet.com [68.162.232.134]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i69HLKvr091849 for <ietf-pkix@imc.org>; Fri, 9 Jul 2004 10:21:21 -0700 (PDT) (envelope-from shitchings@corestreet.com)
Content-class: urn:content-classes:message
Subject: SCVP Questions
MIME-Version: 1.0
Date: Fri, 9 Jul 2004 13:21:18 -0400
Content-Type: multipart/signed; boundary="----=_NextPart_000_0026_01C465B7.9E1C1E80"; protocol="application/x-pkcs7-signature"; micalg=SHA1
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Message-ID: <E2339D02A340A546998AD2E6251332D61E3BF7@csexchange1.corestreet.com>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: SCVP Questions
Thread-Index: AcRl2SUA01wYTmC+RFmj9bntVdtD+w==
From: "Seth Hitchings" <shitchings@corestreet.com>
To: <ietf-pkix@imc.org>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_0026_01C465B7.9E1C1E80
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
I have a few questions about the way in which SCVP CVResponses to failed
requests are constructed. I'm working with draft 14 of the spec.
First, assume that a request includes a bad check OID. Section 3.2.2 states that:
"For each check, the SCVP server MUST perform all of the requested checks, or
return an error."
In this case, I would expect the server to send back a ResponseStatus (section 4.4)
of 27, unsupportedChecks. I find the term unsupported somewhat ambiguous, since
there is a difference between unsupported and unrecognized, but that's a
side issue. What I'm uncertain of is why the CertReply has a possible status
of 1, unrecognizedCheck. If the check is unrecognized, the SCVP server is obliged
to return an error response per section 3.2.2, and therefore shouldn't be returning
any CertReply.
I have the same issue with ReplyStatus 3, unrecognizedWantBack, since section
3.2.3 states that:
"For each type of information specified in the request, the server MUST return
information regarding its finding (in a successful request)."
I have the same issue with ReplyStatus 7, unrecognizedExtension. First, I assume
this refers to queryExtensions? Section 3.2.18 states that
"An SCVP server MUST rejeft the query if it encounters a critical extension
it does not recognize..."
If the entire query is to be rejected, then why unrecognizedExtension a possible
ReplyStatus?
I have the same issue with ReplyStatus 8, unavailableValidityTime. Validity time
applies to all queriedCerts, so why indicate the error on a per ReplyStatus basis?
In general, it seems that errors that prevent the query from being processed
should be reported at the ResponseStatus level. In this case, no CertReply
objects would be expected in the response. Only those errors that are specific
to an individual query cert should be reported at the CertReply level.
Second, I find the use of ReplyWantBacks and ReplyChecks difficult in failure
cases. Assume that a request asks for a certification path to be built for a single
certificate. If no path can be built, the ReplyStatus is 10, certPathConstructFail,
and the ReplyChecks for the certification path building check is 1, "Could
not build a path". If a client sees the ReplyStatus, why would it bother checking
the CertReply? Additionally, the ReplyWantBack is required, but what value can I
include? I couldn't build a CertPath.
The only case that I can see in which including ReplyChecks and ReplyWantBacks
in a CertReply with a non-success status makes sense is when the cert path
is not valid. In that case, the client may still want the cert path back, invalid
or not, especially when using untrusted SCVP.
Third, I'm unclear on exactly how keyUsage, extendedKeyUsage and isCA are used.
Must the SCVP server fail a check if the queried cert does not meet the criteria
of any of these parameters? If so, what is the expected ReplyStatus? Is it
validation failure, certPathNotValid? If so, are these parameters taken into
account only when building valid paths, and not when simply building an unvalidated
path?
Thanks,
Seth Hitchings
------=_NextPart_000_0026_01C465B7.9E1C1E80
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIOgzCCBF8w
ggNHoAMCAQICECAT0p7OwWWiTUxNNKPTlu0wDQYJKoZIhvcNAQEFBQAwTjETMBEGCgmSJomT8ixk
ARkWA2NvbTEaMBgGCgmSJomT8ixkARkWCkNvcmVTdHJlZXQxGzAZBgNVBAMTEkNvcmVTdHJlZXQg
Um9vdCBDQTAeFw0wMzEwMTcxODI2MjRaFw0yMzEwMTcxODM0MzBaME4xEzARBgoJkiaJk/IsZAEZ
FgNjb20xGjAYBgoJkiaJk/IsZAEZFgpDb3JlU3RyZWV0MRswGQYDVQQDExJDb3JlU3RyZWV0IFJv
b3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8uGS+2D6uxSRa9Ldkd4D3HuEo
g8CJIc39jK2AHkULWaPmbYFTyAAyVnOiKtAZFGUyN1uj+XW46JJI1xZDOqlwnww/MQRzd5xq7sJH
y3bx5HjmGrhitZox3mqW8SFAMR7491wuGEmViw5xhv+eQKwa+EBUrOmN4ng0lHNMh9brEEqT9gNb
4EUHCANIHlSZ/gd8GwVStgFVo48ZpS/GSeXpu7lYiaxMIr5EpCbjBalSC6NGjCXy0OxX2sJvrWNn
CXBVluGv9jZLnuuALHEN0gDUI/iih3bcG5mRz//9ntuCLwD81eWDhWCUarjdF+khOMnzukvoTEi8
N7uD6v9PbYZPAgMBAAGjggE3MIIBMzATBgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYw
DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUp7YMqlf701pkw6/uBoO+KGLHoKswEAYJKwYBBAGC
NxUBBAMCAQAwgcwGA1UdIASBxDCBwTCBvgYHKwYBBAHqRDCBsjBCBggrBgEFBQcCARY2aHR0cDov
L3d3dy5jb3Jlc3RyZWV0LmNvbS9wa2kvcG9saWN5L0NvcmVTdHJlZXRDUFMucGRmMGwGCCsGAQUF
BwICMGAeXgBDAG8AcgBlAFMAdAByAGUAZQB0ACAATAB0AGQALgAgAEMAZQByAHQAaQBmAGkAYwBh
AHQAZQAgAFAAcgBhAGMAdABpAGMAZQBzACAAUwB0AGEAdABlAG0AZQBuAHQwDQYJKoZIhvcNAQEF
BQADggEBAHQ+FzirKSSMFjSLK5W3f0LR/QKVNgNRdiaCOQ+rU+St4qwcJY+x72HGXpBP+6UV4qUN
g9gPPaEP+Reyyj8Qcjkt1QE1QAmvR02nM3NUDpWQEBFpd30r7DhapeLV+T+9llzAAWKami87Ik/f
CL2jGeZfz7lTl2rXN+w2jYdM27PRQ6DAV3ns4osR9HTCX3Vge4b6MBVkLqKQyjMT8uhUIvIisKcU
axzzMWFZXm3q4M55JEdrYC3rCytBAbIYnqyk0LLLi1jRAyVvqmvLaHJ+ydhyR5NyNN5aWSLlX1Uz
iBn4SXlee1uCKzBDK5I30fXYyNI5nZ5aUg4FC+/w21tlpD0wggTKMIIDsqADAgECAhMzAAAAEpOB
cMC8OvwnAAAAAAASMA0GCSqGSIb3DQEBBQUAME4xEzARBgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJ
kiaJk/IsZAEZFgpDb3JlU3RyZWV0MRswGQYDVQQDExJDb3JlU3RyZWV0IFJvb3QgQ0EwHhcNMDMx
MTExMTU1NzE1WhcNMDUxMTExMTYwNzE1WjBWMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZIm
iZPyLGQBGRYKQ29yZVN0cmVldDEjMCEGA1UEAxMaQ29yZVN0cmVldCBJbnRlcm1lZGlhdGUgQ0Ew
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmCHBA7GiJsMJDk5qxBtKhBPYUqpcZR5uQ
fqWtbJ5oC47TCbBc0+mwcUqq24OqVAoP7lpGWa7M/CfTo87xNPzcF6xJlFQqc/BZt3bX4dwnk0n+
Jrakmaqy29eq74aenPzHCTIB9xfOkfI077u2H90F2R7QKecnWa1igUORpIdRXOAWt7cTyvZGSN9H
el5YcCt3y2nFJPnyS8AT1AGSNxB+EG5d9CrYhsDlxrV/joHzGcBMv/F3D0nBOimKACnLVeIq5zza
tlWf1w2nndjKuMuZnC27xj+5t1uTyXZDUIxnPuzt45dSMbT/F60F7P1SfpXLlDNlOyznKqP6AiIc
WWDxAgMBAAGjggGXMIIBkzAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR2rJTl6xcvTnQ+9No5
RiBDdVvU6jALBgNVHQ8EBAMCAYYwEAYJKwYBBAGCNxUBBAMCAQAwgcwGA1UdIASBxDCBwTCBvgYH
KwYBBAHqRDCBsjBCBggrBgEFBQcCARY2aHR0cDovL3d3dy5jb3Jlc3RyZWV0LmNvbS9wa2kvcG9s
aWN5L0NvcmVTdHJlZXRDUFMucGRmMGwGCCsGAQUFBwICMGAeXgBDAG8AcgBlAFMAdAByAGUAZQB0
ACAATAB0AGQALgAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAFAAcgBhAGMAdABpAGMAZQBzACAA
UwB0AGEAdABlAG0AZQBuAHQwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwHwYDVR0jBBgwFoAU
p7YMqlf701pkw6/uBoO+KGLHoKswNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzABhhtodHRwOi8v
b2NzcC5jb3Jlc3RyZWV0LmNvbS8wDQYJKoZIhvcNAQEFBQADggEBAFwsKvYKAR3/A5BsEUnpaV1D
LDs3tSCtNPnv8Kvwu80HA96/W6RE0fGzEiMdFm8BtmKhshHY3u86INR0VFSdrYlK1TcXumgEJbxv
F49OcsGzJsC9FJFgHgXHr31IwiyYzu3LaDmlCIY3L6LpPqOhZ+gxHDadD/kzZC9pD/cmIX3ANSfI
2nA/1O60dehwkxL0VZDdCWWwzPHmFXWvDTfcdzunwtWZYf/ZGR5uswmg6AOHB12MuT1lvKzck8m9
7xxFVZzn6cRB1dTy+28p/g4lknnb3eqSz4obfm6LCJQpKMjccYNHLog7LC1qop0ZorGrEc1Il3TM
ttInUnZkv+0u3EQwggVOMIIENqADAgECAgc9AAAAAABjMA0GCSqGSIb3DQEBBQUAMFYxEzARBgoJ
kiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpDb3JlU3RyZWV0MSMwIQYDVQQDExpDb3Jl
U3RyZWV0IEludGVybWVkaWF0ZSBDQTAeFw0wNDA1MDMxNTE0NTlaFw0wNTA1MDMxNTE0NTlaMGEx
EzARBgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpjb3Jlc3RyZWV0MRQwEgYDVQQL
EwtDUy1FbXBsb3llZTEYMBYGA1UEAxMPSGl0Y2hpbmdzLCBTZXRoMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAyPEMYYuVnz3q084slSSchJCyhDS77kVDcii9QbUawHOe14cFJunwQfGE
cH+l2GusRbkuXCuVu8T9erFM6zQm4+GlmSNg69+Demo+0kRelrIFxmyykd9ZnCYwWiaXKPB9iVU/
zWJmrhVdsAXYj7/fTmCRckk6Qo4KXpI2pvayXlBuAsnU6gi58b4a6xsr9E+IJeLnnWL/QMLcxZj0
hdCIMkJv+yz7HqvJ+/dFkPazCJnNxFWvCimlvy6IhiTz/rQbZtSgFqLQ7jjxD+z35AOQ/bU15URR
iEt2+4Woq1lJQ7CUtxPVC4/cjK63YGuZYuKCDdxTdxS2D1VS7iKWJLm16QIDAQABo4ICFDCCAhAw
HQYDVR0OBBYEFHgGdd7M6vjLnBwUrXcddqaPz/77MB8GA1UdIwQYMBaAFHaslOXrFy9OdD702jlG
IEN1W9TqMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jYS5jb3Jlc3RyZWV0LmNvbTo4MS9DZXJ0
RW5yb2xsL0NvcmVTdHJlZXQlMjBJbnRlcm1lZGlhdGUlMjBDQS5jcmwwNwYIKwYBBQUHAQEEKzAp
MCcGCCsGAQUFBzABhhtodHRwOi8vb2NzcC5jb3Jlc3RyZWV0LmNvbS8wDAYDVR0TAQH/BAIwADAL
BgNVHQ8EBAMCBLAwPgYJKwYBBAGCNxUHBDEwLwYnKwYBBAGCNxUIgtvBQoOglSiF/ZcDg+LAB4Gh
5nGBdIPUyHuFsf0NAgFkAgEfMDEGA1UdJQQqMCgGCCsGAQUFBwMFBggrBgEFBQcDBwYIKwYBBQUH
AwIGCCsGAQUFBwMEMD8GCSsGAQQBgjcVCgQyMDAwCgYIKwYBBQUHAwUwCgYIKwYBBQUHAwcwCgYI
KwYBBQUHAwIwCgYIKwYBBQUHAwQwJAYDVR0RBB0wG4EZc2hpdGNoaW5nc0Bjb3Jlc3RyZWV0LmNv
bTBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4D
AgcwCgYIKoZIhvcNAwcwDQYJKoZIhvcNAQEFBQADggEBADKe1tyGSGY/hkESTZKdY44FvIkIlpMn
JOtJDXjMutvpSulesWn+3ExTRyXBnJBU+nNsPru5zvHxEpUYMhO6vCYXCMqJb1X5iL/uY7MfvFPF
vIgH2/k9IUmWGxgF+yOfYZ/kI0GMOZ94HM5faZeJpUcwfoa/jtbnTL9bfmXdhIg4mzJhkouAQD5q
M5upWW/ZqcUo1O02pa5LawvcDmwALZYPC31CtR740OzDJ9LQeUV2MJJhiUGQJU7wtygcNAw89lBC
SBethwv+pOwtMAX3FjxbRE1QKQRTNUuZ+Gz+YTD9vprsoZpw/Rv4dME1x9unMWS6jxM4KZKgFy29
f1iWTD0xggM4MIIDNAIBATBhMFYxEzARBgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZ
FgpDb3JlU3RyZWV0MSMwIQYDVQQDExpDb3JlU3RyZWV0IEludGVybWVkaWF0ZSBDQQIHPQAAAAAA
YzAJBgUrDgMCGgUAoIIBrDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP
Fw0wNDA3MDkxNzIxMTdaMCMGCSqGSIb3DQEJBDEWBBSFVkGNj6IOyv//5MEqW8LKTWinyDBnBgkq
hkiG9w0BCQ8xWjBYMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAH
BgUrDgMCBzANBggqhkiG9w0DAgIBKDAHBgUrDgMCGjAKBggqhkiG9w0CBTBwBgkrBgEEAYI3EAQx
YzBhMFYxEzARBgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpDb3JlU3RyZWV0MSMw
IQYDVQQDExpDb3JlU3RyZWV0IEludGVybWVkaWF0ZSBDQQIHPQAAAAAAYzByBgsqhkiG9w0BCRAC
CzFjoGEwVjETMBEGCgmSJomT8ixkARkWA2NvbTEaMBgGCgmSJomT8ixkARkWCkNvcmVTdHJlZXQx
IzAhBgNVBAMTGkNvcmVTdHJlZXQgSW50ZXJtZWRpYXRlIENBAgc9AAAAAABjMA0GCSqGSIb3DQEB
AQUABIIBAFNEGjeIuAyCjCOQGsNvuJJiNnbPun9MQXL/EP2WSVhy31QEG0mXirXQN051Rp8WTc30
rXgVXef172Ya8Eox2ruQqnNpSnLMS7OXBhCAjMScq10pA5dRW5QtPZda69NUNKe6IPTWmfRJIAxc
UFbyszo/ke3mJgh3nKvlVrBu6B/q3m4/BDACXU8NYjNsnirIcPff7J/59jcIgv3JMdC4h22kMplM
WCXPM8hOLKs/qRJQdewqA+FxTaoL9klHLP/4R3YTBhpMWwz4nKBiJbXdJVPajqP2IQKlwGv6Rwt3
FRBhfMCT0St51pvz2tciTL4KTfNTXwt7qTjbPjO1uQwhS0oAAAAAAAA=
------=_NextPart_000_0026_01C465B7.9E1C1E80--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i69DYOnx068291; Fri, 9 Jul 2004 06:34:24 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i69DYOmg068290; Fri, 9 Jul 2004 06:34:24 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from dswu17.btconnect.com (c2bapps9.btconnect.com [193.113.154.18]) by above.proper.com (8.12.11/8.12.9) with SMTP id i69DYMQj068264 for <ietf-pkix@imc.org>; Fri, 9 Jul 2004 06:34:23 -0700 (PDT) (envelope-from pope@secstan.com)
Received: from varws7 (actually host 24.131.136.81.in-addr.arpa) by dswu17 with SMTP-CUST (XT-PP) with ESMTP; Fri, 9 Jul 2004 14:30:43 +0100
From: "Nick Pope" <pope@secstan.com>
To: <ietf-pkix@imc.org>
Subject: OASIS Digital Signature Services TC announcement
Date: Fri, 9 Jul 2004 14:33:13 +0100
Message-ID: <NCBBIDOLIPNCGDJKAHCDKEOFJOAA.pope@secstan.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4939.300
Importance: Normal
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
The OASIS Digital Signature Services TC is developing techniques to support
the processing of digital signatures, including defining an interface for
requesting that a web service produce and/or verify a digital signature.
The TC has recently agreed two Committee Draft specifications:
- Digital Signature Service (DSS) Core Protocols, Elements and Bindings,
available at
http://docs.oasis-open.org/dss/cd/oasis-dss-1[1].0-core-spec-cd.pdf
- XML Timestamping DSS Profile, available at:
http://docs.oasis-open.org/dss/cd/oasis-dss-1[1].0-profiles-timestamping-spe
c-cd.pdf
The DSS schema is available at:
http://docs.oasis-open.org/dss/cd/oasis-dss-1[1].0-core-schema-cd.xsd.xml
Additional DSS profiles nearing completion for:
- Asynchronous operation
- Code signing
- Entity seal
- Electronic Post Mark (EPM)
- German signature law
- Policy wise operation
- Web services security
- XML Advanced Electronic Signature (XAdES)
Comments may be sent via the OASIS DSS web page:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss
Once the first set of profiles have been agreed as Committee Drafts, the TC
will be asking for a more formal public review of the full set of
specifications.
Nick Pope & Juan Carlos Cruellas
Co-Chairs OASIS Digital Signature Services TC
Received: from A-DYZSU9H2YKIS0 ([218.55.41.39]) by above.proper.com (8.12.11/8.12.9) with SMTP id i67BeL1C009959; Wed, 7 Jul 2004 04:40:29 -0700 (PDT) (envelope-from Administration@computeradmin.org)
Received: from [129.120.78.156] by A-DYZSU9H2YKIS0 id <5722317-52896>; Wed, 07 Jul 2004 14:34:50 +0200
Message-ID: <s$v$5td$9067-8--7sqmmki36@wu133rq95ki.zo>
From: "Admin" <Administration@computeradmin.org>
To: tf-medfree@imc.org
Subject: ADV: Attention All Nonprofit Organizations: Members, Staff and Associates:
Date: Wed, 07 Jul 04 14:34:50 GMT
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: QUALCOMM Windows Eudora Version 5.1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="9D05C96_B9.."
This is a multi-part message in MIME format.
--9D05C96_B9..
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Attention All Nonprofit Organizations: Members, Staff and Associates:
You Must Respond By 5 P.M. Thursday, July 8, 2004.
Through a special arrangement, Avtech Direct is offering a limited
allotment of BRAND NEW, top of-the-line, name-brand desktop computers
at more than 50% off MSRP to all Nonprofit Members and Staff
who respond to this message before 5 P.M., Thursday, July 8, 2004.
All desktop are brand-new, packed in their original boxes, and come
with a full manufacturer's warranty plus a 100% satisfaction guarantee.
These professional grade Desktops are fully equipped with 2004
next generation technology, making these the best performing
computers money can buy.
Avtech Direct is offering these feature rich, top performing
Desktop Computers with the latest Intel technology at an amazing price
to all who call:
1-800-884-9510 by 5 P.M. Thursday, July 8, 2004
The fast and powerful AT-2400 series Desktop features:
* Intel 2.0Ghz Processor for amazing speed and performance
* 128MB DDR RAM, --- Upgradeable to 1024
* 20 GB UDMA Hard Drive, --- Upgradeable to 80 GB
* 52X CD-Rom Drive, --- Upgradeable to DVD/CDRW
* 1.44 Floppy disk drive
* Next Generation Technology
* ATI Premium video and sound
* Full Connectivity with Fax modem/Lan/IEE 1394/USB 2.0
* Soft Touch Keyboard and scroll mouse
* Internet Ready
* Network Ready
* 1 Year parts and labor warranty
* Priority customer service and tech support
MSRP $699 ........................................ Your Cost $297
How to qualify:
1. You must be a Member, Staff or Associate of a Nonprofit:
2. All desktop computers will be available on a
first come first serve basis.
3. You must call 1-800-884-9510 by 5 P.M. Thursday, July 8, 2004
and we will hold the desktops you request on will call.
4. You are not obligated in any way.
5. 100% Satisfaction Guaranteed.
Call Avtech Direct
1-800-884-9510 before 5 P.M. Thursday, July 8, 2004
Visit our website at http://www.avtechdirect-nonprofits.com
AVtech Direct
22647 Ventura Blvd., Suite 374
Woodland Hills, CA 91364.
If you wish to unsubscribe from this list, please go to:
http://www.computeradvice.org/unsubscribe.asp
--9D05C96_B9..--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i631bUgf019932; Fri, 2 Jul 2004 18:37:30 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i631bU03019931; Fri, 2 Jul 2004 18:37:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from peacock.verisign.com (peacock.verisign.com [65.205.251.73]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i631bS4P019914 for <ietf-pkix@imc.org>; Fri, 2 Jul 2004 18:37:28 -0700 (PDT) (envelope-from pbaker@verisign.com)
Received: from mou1wnexc02.vcorp.ad.vrsn.com (verisign.com [65.205.251.54] (may be forged)) by peacock.verisign.com (8.12.10/) with ESMTP id i631bQ1m004699; Fri, 2 Jul 2004 18:37:26 -0700
Received: by mou1wnexc02.vcorp.ad.vrsn.com with Internet Mail Service (5.5.2657.72) id <NQPCYHV0>; Fri, 2 Jul 2004 18:37:26 -0700
Message-ID: <C6DDA43B91BFDA49AA2F1E473732113E010BE8E2@mou1wnexm05.vcorp.ad.vrsn.com>
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: "'pgut001@cs.auckland.ac.nz'" <pgut001@cs.auckland.ac.nz>, aalberti@axway.com, ietf-pkix@imc.org
Subject: RE: Cross-certification
Date: Fri, 2 Jul 2004 18:37:25 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
> "Alberti Antoine" <aalberti@axway.com> writes:
>
> >Would there be any document where cross-certification and
> non-hierarchical
> >infrastructures are defined, please ?
>
> I believe H.P.Lovecraft has published some works on this.
>
> Peter.
Stamp on the toes of the CA and you will get some very cross
indeed certification.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i62Ete8s061371; Fri, 2 Jul 2004 07:55:40 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i62Ete29061370; Fri, 2 Jul 2004 07:55:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from puzzle.pobox.com (puzzle.pobox.com [207.8.214.3]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i62EtdqB061361 for <ietf-pkix@imc.org>; Fri, 2 Jul 2004 07:55:40 -0700 (PDT) (envelope-from eldub@pobox.com)
Received: from localhost.localdomain (localhost [127.0.0.1]) by puzzle.pobox.com (Postfix) with ESMTP id 7F6E51393E8; Fri, 2 Jul 2004 10:55:14 -0400 (EDT)
Received: from distopia (c-24-17-200-151.client.comcast.net [24.17.200.151]) by puzzle.pobox.com (Postfix) with ESMTP id 26AD113940C; Fri, 2 Jul 2004 10:55:13 -0400 (EDT)
From: "Laudon Williams" <eldub@pobox.com>
To: "'Wahaj'" <wahaj.khan@ascertia.com>, <ietf-pkix@imc.org>
Subject: RE: Difference between a p12 and pfx file
Date: Fri, 2 Jul 2004 07:55:26 -0700
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_0022_01C46009.F051EE90"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Thread-Index: AcRgKVwzlzqtx4mSTXSrkz1TVn3EVwAGzSnA
In-Reply-To: <004f01c4601e$28659d90$0600a8c0@ascertia.com.pk>
Message-Id: <20040702145513.26AD113940C@puzzle.pobox.com>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_0022_01C46009.F051EE90
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0023_01C46009.F051EE90"
------=_NextPart_001_0023_01C46009.F051EE90
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
No. They are the same.
-Laudon
_____
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On
Behalf Of Wahaj
Sent: Friday, July 02, 2004 3:20 AM
To: ietf-pkix@imc.org
Subject: Difference between a p12 and pfx file
Hi,
Does any one know whether there is a difference in format of a .pfx and .p12
file or they are the same.
Regards,
Wahaj
Ascertia Ltd
Orchard Building
Royal Holloway
Egham, Surrey
United Kingdom
TW20 0EX
t. +44 (0)1784 497321
f. +44 (0)1784 497301
www.ascertia.com
_____
Applied Trust
_____
**NOTICE***
This e-mail message is confidential, intended only for the
named recipient(s) above and may contain information
that is privileged, attorney work product or exempt from
disclosure under applicable law. If you have received this
message in error, or are not the named recipient(s), please
immediately delete this e-mail message from your computer.
------=_NextPart_001_0023_01C46009.F051EE90
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<base href=3D"file:///F:\Data\Ascertia\Documents\General\Company\">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>Ascertia LtdOrchard BuildingRoyal HollowayEgham, SurreyUnited
KingdomTW20 0EXt</title>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"country-region"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"PlaceType"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"PlaceName"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1027" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=3Dwhite lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>No. They are the =
same.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>-Laudon<o:p></o:p></span></font></p>=
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font =
size=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>
<hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1>
</span></font></div>
<p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font =
size=3D2
face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'> =
owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org] <b><span =
style=3D'font-weight:bold'>On
Behalf Of </span></b>Wahaj<br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> Friday, July 02, =
2004 3:20
AM<br>
<b><span style=3D'font-weight:bold'>To:</span></b> ietf-pkix@imc.org<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> Difference =
between a p12
and pfx file</span></font><o:p></o:p></p>
</div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Hi,<o:p></o:p></span></font></p>
</div>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Does any one know whether there is a difference in format of a =
.pfx and
.p12 file or they are the same. <o:p></o:p></span></font></p>
</div>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Regards,<o:p></o:p></span></font></p>
</div>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Wahaj<o:p></o:p></span></font></p>
</div>
<table class=3DMsoNormalTable border=3D0 cellspacing=3D0 cellpadding=3D0 =
width=3D"100%"
style=3D'width:100.0%'>
<tr height=3D139 style=3D'height:104.25pt'>
<td width=3D"96%" height=3D139 valign=3Dtop =
style=3D'width:96.0%;padding:0in 0in 0in 0in;
height:104.25pt'>
<p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><font
size=3D1 color=3Dnavy face=3DVerdana><span =
style=3D'font-size:7.5pt;font-family:Verdana;
color:navy'><br>
Ascertia Ltd<br>
<ST1:PLACE><ST1:PLACENAME><ST1:PLACE><ST1:PLACENAME><st1:place =
w:st=3D"on"><st1:PlaceName
=
w:st=3D"on">Orchard</ST1:PLACENAME></ST1:PLACE></ST1:PLACENAME></st1:Plac=
eName>
<ST1:PLACETYPE><st1:PlaceType =
w:st=3D"on"><ST1:PLACETYPE>Building</st1:PlaceType></st1:place><br>
=
<ST1:PLACE><ST1:PLACENAME></ST1:PLACENAME></ST1:PLACE></ST1:PLACETYPE></S=
T1:PLACETYPE>Royal
<ST1:PLACENAME>Holloway<br>
Egham, <ST1:PLACE><ST1:PLACE><st1:place =
w:st=3D"on">Surrey</st1:place><br>
=
<ST1:COUNTRY-REGION><ST1:PLACE></ST1:PLACE></ST1:COUNTRY-REGION></ST1:PLA=
CE><ST1:COUNTRY-REGION><ST1:PLACE><st1:country-region
w:st=3D"on"><st1:place w:st=3D"on">United =
Kingdom</st1:place></st1:country-region><br>
</ST1:PLACE></ST1:COUNTRY-REGION></ST1:PLACE>TW20 0EX<br>
<br>
t. +44 (0)1784 497321<br>
f. +44 (0)1784 497301</span></font><o:p></o:p></p>
<p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><font
size=3D1 color=3Dnavy face=3DVerdana><span =
style=3D'font-size:7.5pt;font-family:Verdana;
color:navy'><a =
href=3D"http://www.ascertia.com">www.ascertia.com</a></span></font><o:p><=
/o:p></p>
</td>
</tr>
<tr height=3D155 style=3D'height:116.25pt'>
<td width=3D"96%" height=3D155 style=3D'width:96.0%;padding:0in 0in =
0in 0in;
height:116.25pt'>
<div>
<div class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span
style=3D'font-size:12.0pt'>
<hr size=3D1 width=3D"100%" noshade color=3D"#8c378b" align=3Dleft>
</span></font></div>
</div>
<p class=3DMsoNormal><font size=3D1 color=3Dnavy face=3DVerdana><span
=
style=3D'font-size:7.5pt;font-family:Verdana;color:navy'> &nbs=
p; </span></font><img
border=3D0 width=3D81 height=3D50 id=3D"_x0000_i1026"
src=3D"cid:image001.gif@01C46009.EF20C190"><em><i><font size=3D6 =
color=3Dteal
face=3D"Times New Roman"><span =
style=3D'font-size:24.0pt;color:teal'>  =
; =
Applied Trust</span></font></i></em><o:p></o:p></p>
<div>
<div class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span
style=3D'font-size:12.0pt'>
<hr size=3D1 width=3D"100%" noshade color=3D"#8c378b" align=3Dleft>
</span></font></div>
</div>
<p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><font
size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'> <o:p></o:p></span></font></p>
</td>
</tr>
<tr height=3D102 style=3D'height:76.5pt'>
<td width=3D"96%" height=3D102 valign=3Dtop =
style=3D'width:96.0%;padding:0in 0in 0in 0in;
height:76.5pt'>
<table class=3DMsoNormalTable border=3D0 cellspacing=3D0 =
cellpadding=3D0 width=3D440
style=3D'width:330.0pt' height=3D103>
<tr>
<td style=3D'padding:0in 0in 0in 0in'>
<p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto'><font size=3D1 color=3D"#999999" face=3DVerdana><span =
style=3D'font-size:
7.5pt;font-family:Verdana;color:#999999'>**NOTICE***<br>
This e-mail message is confidential, intended only for the <br>
named recipient(s) above and may contain information<br>
that is privileged, attorney work product or exempt from<br>
disclosure under applicable law. If you have received this<br>
message in error, or are not the named recipient(s), please<br>
immediately delete this e-mail message from your computer. =
</span></font><o:p></o:p></p>
</td>
</tr>
</table>
<p class=3DMsoNormal><font size=3D3 face=3D"Arial Unicode MS"><span
style=3D'font-size:12.0pt;font-family:"Arial Unicode =
MS"'><o:p></o:p></span></font></p>
</td>
</tr>
</ST1:PLACENAME></ST1:PLACE>
</table>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
</body>
</html>
------=_NextPart_001_0023_01C46009.F051EE90--
------=_NextPart_000_0022_01C46009.F051EE90
Content-Type: image/gif;
name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID: <image001.gif@01C46009.EF20C190>
R0lGODlhUQAyAHcAMSH+GlNvZnR3YXJlOiBNaWNyb3NvZnQgT2ZmaWNlACH5BAEAAAAALAAAAAAB
AAEAgAAAAAECAwICRAEAOw==
------=_NextPart_000_0022_01C46009.F051EE90--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i62AG38U038541; Fri, 2 Jul 2004 03:16:03 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i62AG3fC038540; Fri, 2 Jul 2004 03:16:03 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from ns3.worldcall.net.pk (ns3.worldcall.net.pk [203.81.192.10]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i62AG1eB038524 for <ietf-pkix@imc.org>; Fri, 2 Jul 2004 03:16:02 -0700 (PDT) (envelope-from wahaj.khan@ascertia.com)
Received: from identrusva1 ([203.81.199.82]) by ns3.worldcall.net.pk (8.12.11/8.12.11) with SMTP id i62ABYLC028931 for <ietf-pkix@imc.org>; Fri, 2 Jul 2004 16:11:47 +0600 (PKST)
Message-ID: <004f01c4601e$28659d90$0600a8c0@ascertia.com.pk>
From: "Wahaj" <wahaj.khan@ascertia.com>
To: <ietf-pkix@imc.org>
Subject: Difference between a p12 and pfx file
Date: Fri, 2 Jul 2004 15:19:57 +0500
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_004B_01C46048.091A3200"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-Scanned-By: MIMEDefang 2.39
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_004B_01C46048.091A3200
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_004C_01C46048.091A3200"
------=_NextPart_001_004C_01C46048.091A3200
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Ascertia LtdOrchard BuildingRoyal HollowayEgham, SurreyUnited =
KingdomTW20 0EXtHi,
Does any one know whether there is a difference in format of a .pfx and =
.p12 file or they are the same.=20
Regards,
Wahaj
Ascertia Ltd
Orchard Building
Royal Holloway
Egham, Surrey
United Kingdom
TW20 0EX
t. +44 (0)1784 497321
f. +44 (0)1784 497301
www.ascertia.com
=20
-------------------------------------------------------------------------=
-
Applied Trust
-------------------------------------------------------------------------=
-
=20
=20
**NOTICE***
This e-mail message is confidential, intended only for the=20
named recipient(s) above and may contain information
that is privileged, attorney work product or exempt from
disclosure under applicable law. If you have received this
message in error, or are not the named recipient(s), please
immediately delete this e-mail message from your computer.=20
=20
=20
=20
------=_NextPart_001_004C_01C46048.091A3200
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:v =3D "urn:schemas-microsoft-com:vml" xmlns:o =3D=20
"urn:schemas-microsoft-com:office:office" xmlns:w =3D=20
"urn:schemas-microsoft-com:office:word"><HEAD><TITLE>Ascertia LtdOrchard =
BuildingRoyal HollowayEgham, SurreyUnited KingdomTW20 0EXt</TITLE><BASE=20
href=3Dfile://F:\Data\Ascertia\Documents\General\Company\>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1252">
<META content=3DWord.Document name=3DProgId>
<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR>
<META content=3D"Microsoft Word 9" name=3DOriginator><LINK=20
href=3D"./Ascertia%20Ltd_files/filelist.xml" rel=3DFile-List><LINK=20
href=3D"./Ascertia%20Ltd_files/editdata.mso" =
rel=3DEdit-Time-Data><!--[if !mso]>
<STYLE>v\:* {
BEHAVIOR: url(#default#VML)
}
o\:* {
BEHAVIOR: url(#default#VML)
}
w\:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
}
</STYLE>
<![endif]--><!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>Atiq Ur Rahman</o:Author>
<o:LastAuthor>Atiq Ur Rahman</o:LastAuthor>
<o:Revision>2</o:Revision>
<o:TotalTime>3</o:TotalTime>
<o:Created>2004-04-14T10:40:00Z</o:Created>
<o:LastSaved>2004-04-14T10:48:00Z</o:LastSaved>
<o:Pages>1</o:Pages>
<o:Words>87</o:Words>
<o:Characters>497</o:Characters>
<o:Company>Ascertia Ltd.</o:Company>
<o:Lines>4</o:Lines>
<o:Paragraphs>1</o:Paragraphs>
<o:CharactersWithSpaces>610</o:CharactersWithSpaces>
<o:Version>9.2720</o:Version>
</o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:PunctuationKerning/>
</w:WordDocument>
</xml><![endif]-->
<STYLE>
<!--
/* Font Definitions */
@font-face
{font-family:"Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;
mso-font-charset:128;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:-1 -369098753 63 0 4129023 0;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;
mso-font-charset:0;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:536871559 0 0 0 415 0;}
@font-face
{font-family:"\@Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;
mso-font-charset:128;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:-1 -369098753 63 0 4129023 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;
text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;
text-underline:single;}
p
{margin-right:0in;
mso-margin-top-alt:auto;
mso-margin-bottom-alt:auto;
margin-left:0in;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;
mso-header-margin:.5in;
mso-footer-margin:.5in;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</STYLE>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1032"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1"/>
</o:shapelayout></xml><![endif]--></HEAD>
<BODY lang=3DEN-US style=3D"tab-interval: .5in" vLink=3Dpurple =
link=3Dblue=20
bgColor=3D#ffffff>
<DIV>Hi,</DIV>
<DIV> </DIV>
<DIV>Does any one know whether there is a difference in format of a .pfx =
and=20
.p12 file or they are the same. </DIV>
<DIV> </DIV>
<DIV>Regards,</DIV>
<DIV>Wahaj</DIV>
<DIV class=3DSection1>
<TABLE=20
style=3D"WIDTH: 100%; mso-cellspacing: 0in; mso-padding-alt: 0in 0in 0in =
0in"=20
cellSpacing=3D0 cellPadding=3D0 width=3D"100%" border=3D0>
<TBODY>
<TR style=3D"HEIGHT: 104.25pt">
<TD=20
style=3D"PADDING-RIGHT: 0in; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; =
WIDTH: 96%; PADDING-TOP: 0in; HEIGHT: 104.25pt"=20
vAlign=3Dtop width=3D"96%">
<P class=3DMsoNormal=20
style=3D"mso-margin-top-alt: auto; mso-margin-bottom-alt: =
auto"><SPAN=20
style=3D"FONT-SIZE: 7.5pt; COLOR: navy; FONT-FAMILY: =
Verdana"><BR>Ascertia=20
Ltd<BR><ST1:PLACE><ST1:PLACENAME><ST1:PLACE><ST1:PLACENAME><SPAN=20
style=3D"mso-no-proof: =
yes">Orchard</SPAN></ST1:PLACENAME></ST1:PLACE></ST1:PLACENAME><SPAN=20
style=3D"mso-no-proof: yes"> </SPAN><ST1:PLACETYPE><SPAN=20
style=3D"mso-no-proof: =
yes"><ST1:PLACETYPE>Building</SPAN><BR><ST1:PLACE><ST1:PLACENAME></ST1:PL=
ACETYPE></ST1:PLACETYPE><SPAN=20
style=3D"mso-no-proof: yes">Royal</ST1:PLACENAME>=20
<ST1:PLACENAME>Holloway<BR>Egham, =
</SPAN><ST1:PLACE><ST1:PLACE><SPAN=20
style=3D"mso-no-proof: =
yes">Surrey</SPAN><BR><ST1:COUNTRY-REGION><ST1:PLACE></ST1:PLACE></ST1:PL=
ACE><ST1:COUNTRY-REGION><ST1:PLACE><SPAN=20
style=3D"mso-no-proof: yes">United=20
=
Kingdom</SPAN><BR></ST1:PLACE></ST1:COUNTRY-REGION></ST1:PLACE></ST1:COUN=
TRY-REGION><SPAN=20
style=3D"mso-no-proof: yes">TW20 0EX<BR><BR>t. +44 (0)1784=20
497321<BR>f. +44 (0)1784 497301</SPAN></SPAN><SPAN=20
style=3D"mso-no-proof: yes"><o:p></o:p></P></SPAN>
<P class=3DMsoNormal=20
style=3D"mso-margin-top-alt: auto; mso-margin-bottom-alt: =
auto"><SPAN=20
style=3D"FONT-SIZE: 7.5pt; COLOR: navy; FONT-FAMILY: Verdana"><A=20
href=3D"http://www.ascertia.com"><SPAN=20
style=3D"mso-no-proof: =
yes">www.ascertia.com</A></SPAN></SPAN><SPAN=20
style=3D"mso-no-proof: yes"><o:p></o:p></P></SPAN></TD></TR>
<TR style=3D"HEIGHT: 116.25pt; mso-yfti-irow: 1">
<TD=20
style=3D"PADDING-RIGHT: 0in; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; =
WIDTH: 96%; PADDING-TOP: 0in; HEIGHT: 116.25pt"=20
width=3D"96%">
<DIV class=3DMsoNormal>
<HR align=3Dleft width=3D"100%" color=3D#8c378b noShade SIZE=3D1>
</DIV><SPAN=20
style=3D"FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman'; =
mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; =
mso-fareast-language: EN-US; mso-bidi-language: =
AR-SA"></SPAN></SPAN><SPAN=20
style=3D"mso-no-proof: yes"><SPAN style=3D"mso-no-proof: yes">
<P class=3DMsoNormal><SPAN=20
style=3D"FONT-SIZE: 7.5pt; COLOR: navy; FONT-FAMILY: =
Verdana"> =20
</SPAN></SPAN><SPAN style=3D"mso-no-proof: yes"><!--[if gte vml =
1]><v:shapetype
id=3D"_x0000_t75" coordsize=3D"21600,21600" o:spt=3D"75" =
o:preferrelative=3D"t"
path=3D"m@4@5l@4@11@9@11@9@5xe" filled=3D"f" stroked=3D"f">
<v:stroke joinstyle=3D"miter"/>
<v:formulas>
<v:f eqn=3D"if lineDrawn pixelLineWidth 0"/>
<v:f eqn=3D"sum @0 1 0"/>
<v:f eqn=3D"sum 0 0 @1"/>
<v:f eqn=3D"prod @2 1 2"/>
<v:f eqn=3D"prod @3 21600 pixelWidth"/>
<v:f eqn=3D"prod @3 21600 pixelHeight"/>
<v:f eqn=3D"sum @0 0 1"/>
<v:f eqn=3D"prod @6 1 2"/>
<v:f eqn=3D"prod @7 21600 pixelWidth"/>
<v:f eqn=3D"sum @8 21600 0"/>
<v:f eqn=3D"prod @7 21600 pixelHeight"/>
<v:f eqn=3D"sum @10 21600 0"/>
</v:formulas>
<v:path o:extrusionok=3D"f" gradientshapeok=3D"t" =
o:connecttype=3D"rect"/>
<o:lock v:ext=3D"edit" aspectratio=3D"t"/>
</v:shapetype><v:shape id=3D"_x0000_i1026" type=3D"#_x0000_t75" =
alt=3D"" style=3D'width:60.75pt;
height:37.5pt'/><![endif]--><![if !vml]><IMG height=3D50=20
src=3D"cid:004a01c4601e$2041b900$0600a8c0@ascertia.com.pk" =
width=3D81 border=3D0=20
v:shapes=3D"_x0000_i1026"><![endif]></SPAN><EM><SPAN=20
style=3D"FONT-SIZE: 24pt; COLOR: teal"><SPAN=20
style=3D"mso-no-proof: =
yes"> &n=
bsp; =20
Applied Trust</SPAN></SPAN></EM><SPAN=20
style=3D"mso-no-proof: yes"><o:p></o:p></P></SPAN>
<DIV class=3DMsoNormal>
<HR align=3Dleft width=3D"100%" color=3D#8c378b noShade SIZE=3D1>
</DIV><SPAN=20
style=3D"FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman'; =
mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; =
mso-fareast-language: EN-US; mso-bidi-language: =
AR-SA"></SPAN></SPAN><SPAN=20
style=3D"mso-no-proof: yes">
<P class=3DMsoNormal=20
style=3D"mso-margin-top-alt: auto; mso-margin-bottom-alt: =
auto"><SPAN=20
style=3D"mso-no-proof: =
yes"> <o:p></o:p></P></SPAN></SPAN></TD></TR><SPAN=20
style=3D"mso-no-proof: yes">
<TR style=3D"HEIGHT: 76.5pt; mso-yfti-irow: 2; mso-yfti-lastrow: yes">
<TD=20
style=3D"PADDING-RIGHT: 0in; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; =
WIDTH: 96%; PADDING-TOP: 0in; HEIGHT: 76.5pt"=20
vAlign=3Dtop width=3D"96%">
<TABLE=20
style=3D"WIDTH: 330pt; mso-cellspacing: 0in; mso-padding-alt: 0in =
0in 0in 0in"=20
height=3D103 cellSpacing=3D0 cellPadding=3D0 width=3D440 =
border=3D0>
<TBODY>
<TR style=3D"mso-yfti-irow: 0; mso-yfti-lastrow: yes">
<TD=20
style=3D"PADDING-RIGHT: 0in; PADDING-LEFT: 0in; =
PADDING-BOTTOM: 0in; PADDING-TOP: 0in">
<P class=3DMsoNormal=20
style=3D"mso-margin-top-alt: auto; mso-margin-bottom-alt: =
auto"><SPAN=20
style=3D"FONT-SIZE: 7.5pt; COLOR: #999999; FONT-FAMILY: =
Verdana">**NOTICE***<BR>This=20
e-mail message is confidential, intended only for the =
<BR>named=20
recipient(s) above and may contain information<BR>that is=20
privileged, attorney work product or exempt =
from<BR>disclosure under=20
applicable law. If you have received this<BR>message in =
error, or=20
are not the named recipient(s), please<BR>immediately delete =
this=20
e-mail message from your computer. </SPAN></SPAN><SPAN=20
style=3D"mso-no-proof: =
yes"><o:p></o:p></P></SPAN></TD></TR></TBODY></TABLE>
<P class=3DMsoNormal><SPAN=20
style=3D"FONT-FAMILY: 'Arial Unicode =
MS'"><o:p></o:p></SPAN></P></TD></TR></ST1:PLACENAME></ST1:PLACE></ST1:PL=
ACE></TBODY></TABLE>
<P=20
class=3DMsoNormal><![if =
!supportEmptyParas]><![endif]> <o:p></o:p></P></DIV></SPAN></BODY></=
HTML>
------=_NextPart_001_004C_01C46048.091A3200--
------=_NextPart_000_004B_01C46048.091A3200
Content-Type: application/octet-stream;
name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID: <004a01c4601e$2041b900$0600a8c0@ascertia.com.pk>
R0lGODlhUQAyAHcBMSH+GlNvZnR3YXJlOiBNaWNyb3NvZnQgT2ZmaWNlACH5BAEAAAEALAAAAAAB
AAEAgAAAAIGBgQICTAEAOw==
------=_NextPart_000_004B_01C46048.091A3200--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i627GDln071390; Fri, 2 Jul 2004 00:16:13 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i627GDWC071389; Fri, 2 Jul 2004 00:16:13 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from nb2.stroeder.com (du-006-030.access.de.clara.net [212.82.229.30]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i627GBRU071355 for <ietf-pkix@imc.org>; Fri, 2 Jul 2004 00:16:12 -0700 (PDT) (envelope-from michael@stroeder.com)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by nb2.stroeder.com (Postfix) with ESMTP id 5FDC4B0382 for <ietf-pkix@imc.org>; Fri, 2 Jul 2004 09:14:44 +0200 (CEST)
Message-ID: <40E50B64.8030709@stroeder.com>
Date: Fri, 02 Jul 2004 09:14:44 +0200
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040616
X-Accept-Language: de-de, de, en-us, en
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: Cross-certification
References: <C1D2450FEBBA8C49BAA732EFB008A9ED0D8037@WEXCHBE01-VS.ptx.fr.sopra> <002b01c45f6c$43016c90$0500a8c0@arport> <40E444DA.2090203@free.fr>
In-Reply-To: <40E444DA.2090203@free.fr>
X-Enigmail-Version: 0.84.1.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Jean-Marc Desperrier wrote:
>
> Anders Rundgren wrote:
>
>> Although slightly off-topic, may I add that cross-certification is
>> unlikely to ever be a main-stream activity as neither commercial CAs
>> or private enterprises having many partners feel any particular need
>> or interest in these schemes
>
> There was a presentation by a member of the Asia PKI Forum in the ETSI
> security plugtests, that showed they were concretely interested in
> getting this to work to
Watching PPT slides showing that someone is "interested in" something is
completely different from having it already in production in a reasonable
big deployment.
=> I don't buy that.
Ciao, Michael.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61Kr045083257; Thu, 1 Jul 2004 13:53:00 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i61Kr0F7083256; Thu, 1 Jul 2004 13:53:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from av1-2-sn3.vrr.skanova.net (av1-2-sn3.vrr.skanova.net [81.228.9.106]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61Kqx3K083249 for <ietf-pkix@imc.org>; Thu, 1 Jul 2004 13:52:59 -0700 (PDT) (envelope-from anders.rundgren@telia.com)
Received: by av1-2-sn3.vrr.skanova.net (Postfix, from userid 502) id 69DD337E83; Thu, 1 Jul 2004 22:52:58 +0200 (CEST)
Received: from smtp1-1-sn3.vrr.skanova.net (smtp1-1-sn3.vrr.skanova.net [81.228.9.177]) by av1-2-sn3.vrr.skanova.net (Postfix) with ESMTP id 5B33437E43; Thu, 1 Jul 2004 22:52:58 +0200 (CEST)
Received: from arport (t8o913p66.telia.com [213.64.26.186]) by smtp1-1-sn3.vrr.skanova.net (Postfix) with SMTP id 285C938011; Thu, 1 Jul 2004 22:52:56 +0200 (CEST)
Message-ID: <00cc01c45fad$0d78fbb0$0500a8c0@arport>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "Jean-Marc Desperrier" <jmdesp@free.fr>, <ietf-pkix@imc.org>
References: <C1D2450FEBBA8C49BAA732EFB008A9ED0D8037@WEXCHBE01-VS.ptx.fr.sopra> <002b01c45f6c$43016c90$0500a8c0@arport> <40E444DA.2090203@free.fr>
Subject: Re: Cross-certification
Date: Thu, 1 Jul 2004 22:50:32 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sure J-M,
But note, I explicitely mentioned private enterprises and
commercial CAs as no likely targets for cross-cert.
Regarding ETSI, PKI-forum etc.
All these places lack an "informaton model", they believe
that security = cryptography and trustworty CAs. Security
in an organizational environment has other dimensions
that the end-to-end model can't support. Not a single paper
has been written explaining how archiving, authorization
privacy, etc. is supposed to be handled in a true end-to-end model.
Which is sort of understandable as it is technically infeasible.
It was amusing to read on the S/MIME list, Phill H-B claim
that this (e2e) model have made us stuck for ten years in the
same place. But as I said, in Scandinavia and in Estonia
we have given up this model and I believe for good.
There is a reason....
Wrong! There are *numerous* reasons.
A simple one is that I used to buy computers from DELL, not
from Michael Dell. And DELL knows me as a company account
with Anders Rundgren as contact person. One of them.
Anders
----- Original Message -----
From: "Jean-Marc Desperrier" <jmdesp@free.fr>
To: <ietf-pkix@imc.org>
Sent: Thursday, July 01, 2004 19:07
Subject: Re: Cross-certification
Anders Rundgren wrote:
> Although slightly off-topic, may I add that cross-certification is
> unlikely to ever be a main-stream activity as neither commercial CAs
> or private enterprises having many partners feel any particular need
> or interest in these schemes
There was a presentation by a member of the Asia PKI Forum in the ETSI
security plugtests, that showed they were concretely interested in
getting this to work to enable inter country level exchange in Asia.
That would cover exchange between China; Hong Kong, Japan, South Korea,
Singapore, etc...
Also if one is interesting in checking how cross-certification can work
concretely the best place is certainly to go check all the US Federal
Bridge Certification Authority related links.
http://csrc.nist.gov/pki/fbca/welcome.html
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61H7fCk060725; Thu, 1 Jul 2004 10:07:41 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i61H7fin060724; Thu, 1 Jul 2004 10:07:41 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-ft6.fr.colt.net (smtp-ft6.fr.colt.net [213.41.78.209]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61H7eri060717 for <ietf-pkix@imc.org>; Thu, 1 Jul 2004 10:07:40 -0700 (PDT) (envelope-from jmdesp@free.fr)
Received: from free.fr (host.104.92.68.195.rev.coltfrance.com [195.68.92.104]) by smtp-ft6.fr.colt.net with ESMTP id i61H7dh25235 for <ietf-pkix@imc.org>; Thu, 1 Jul 2004 19:07:39 +0200
Message-ID: <40E444DA.2090203@free.fr>
Date: Thu, 01 Jul 2004 19:07:38 +0200
From: Jean-Marc Desperrier <jmdesp@free.fr>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:) Gecko/20040226
X-Accept-Language: fr, en-us, en
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: Cross-certification
References: <C1D2450FEBBA8C49BAA732EFB008A9ED0D8037@WEXCHBE01-VS.ptx.fr.sopra> <002b01c45f6c$43016c90$0500a8c0@arport>
In-Reply-To: <002b01c45f6c$43016c90$0500a8c0@arport>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Anders Rundgren wrote:
> Although slightly off-topic, may I add that cross-certification is
> unlikely to ever be a main-stream activity as neither commercial CAs
> or private enterprises having many partners feel any particular need
> or interest in these schemes
There was a presentation by a member of the Asia PKI Forum in the ETSI
security plugtests, that showed they were concretely interested in
getting this to work to enable inter country level exchange in Asia.
That would cover exchange between China; Hong Kong, Japan, South Korea,
Singapore, etc...
Also if one is interesting in checking how cross-certification can work
concretely the best place is certainly to go check all the US Federal
Bridge Certification Authority related links.
http://csrc.nist.gov/pki/fbca/welcome.html
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61GlRcJ059205; Thu, 1 Jul 2004 09:47:27 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i61GlRip059204; Thu, 1 Jul 2004 09:47:27 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-ft5.fr.colt.net (smtp-ft5.fr.colt.net [213.41.78.204]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61GlQHN059194 for <ietf-pkix@imc.org>; Thu, 1 Jul 2004 09:47:26 -0700 (PDT) (envelope-from jmdesp@free.fr)
Received: from free.fr (host.104.92.68.195.rev.coltfrance.com [195.68.92.104]) by smtp-ft5.fr.colt.net with ESMTP id i61GlIV07450 for <ietf-pkix@imc.org>; Thu, 1 Jul 2004 18:47:23 +0200
Message-ID: <40E44016.20607@free.fr>
Date: Thu, 01 Jul 2004 18:47:18 +0200
From: Jean-Marc Desperrier <jmdesp@free.fr>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:) Gecko/20040226
X-Accept-Language: fr, en-us, en
MIME-Version: 1.0
To: ietf-pkix@imc.org
Subject: Re: Cross-certification
References: <C1D2450FEBBA8C49BAA732EFB008A9ED0D8037@WEXCHBE01-VS.ptx.fr.sopra>
In-Reply-To: <C1D2450FEBBA8C49BAA732EFB008A9ED0D8037@WEXCHBE01-VS.ptx.fr.sopra>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Alberti Antoine wrote:
> [...] the second document Craig Borysowich indicated gives an example
> of an authority that has several public keys. I suppose this is a
> consequence of a key renewal (is it really the only case ?). But then,
> the cross-certification is not valid anymore, is it ? I assume
> certifying means signing a public key, but I may be wrong.
The CA should get a cross-certificate for it's new key to simplify the case.
It's up to proper implementation of path validation to correctly handle
the fact the CA has several different key/certificate, and to be able
select the correct path.
But according to RFC2510 (&2.4.1), it is not strictly required to get a
new cross-certificate.
When getting a certificate for it's new key, the CA should generate a
"old with new" and a "new with old" certificate, and the path validation
should be able to switch from one of the key to the other by following
here what we could call a mono-entity cross-certification.
This said it will change the length of the path, which can break the
verification depending on the constraints, so it is much better to get
one cross-certificate per key.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61D9NHE042407; Thu, 1 Jul 2004 06:09:23 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i61D9NIF042406; Thu, 1 Jul 2004 06:09:23 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from av4-1-sn3.vrr.skanova.net (av4-1-sn3.vrr.skanova.net [81.228.9.111]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61D9M3p042382 for <ietf-pkix@imc.org>; Thu, 1 Jul 2004 06:09:23 -0700 (PDT) (envelope-from anders.rundgren@telia.com)
Received: by av4-1-sn3.vrr.skanova.net (Postfix, from userid 502) id D163337EE1; Thu, 1 Jul 2004 15:09:12 +0200 (CEST)
Received: from smtp1-2-sn3.vrr.skanova.net (smtp1-2-sn3.vrr.skanova.net [81.228.9.178]) by av4-1-sn3.vrr.skanova.net (Postfix) with ESMTP id C0AB437E42; Thu, 1 Jul 2004 15:09:12 +0200 (CEST)
Received: from arport (t11o913p71.telia.com [213.64.28.71]) by smtp1-2-sn3.vrr.skanova.net (Postfix) with SMTP id 0A0813800C; Thu, 1 Jul 2004 15:09:09 +0200 (CEST)
Message-ID: <002b01c45f6c$43016c90$0500a8c0@arport>
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: "Alberti Antoine" <aalberti@axway.com>, <ietf-pkix@imc.org>
References: <C1D2450FEBBA8C49BAA732EFB008A9ED0D8037@WEXCHBE01-VS.ptx.fr.sopra>
Subject: Re: Cross-certification
Date: Thu, 1 Jul 2004 15:06:44 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0028_01C45F7D.05AB2730"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------=_NextPart_000_0028_01C45F7D.05AB2730
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cross-certificationAntoine,
Although slightly off-topic, may I add that cross-certification is =
unlikely to ever be a main-stream activity as neither commercial CAs or =
private enterprises having many partners feel any particular need or =
interest in these schemes that are based on the same intellectual =
foundation as public LDAP directories. You may be interested to hear =
that governments in Scandinavia have found a much more useful way to =
communicate and that is using domain-based security. This reduces the =
number of external CA certificates and keys to an absolute minimum.
Anders Rundgren
----- Original Message -----=20
From: Alberti Antoine=20
To: ietf-pkix@imc.org=20
Sent: Thursday, July 01, 2004 11:29
Subject: RE: Cross-certification
Thanks for the answers. Wouldn't this issue diserve a little bit of a =
specification ? For instance, I understand cross-certification when an =
authority has several certificate with the same public key and the same =
subjectDN, but the second document Craig Borysowich indicated gives an =
example of an authority that has several public keys. I suppose this is =
a consequence of a key renewal (is it really the only case ?). But then, =
the cross-certification is not valid anymore, is it ? I assume =
certifying means signing a public key, but I may be wrong.
-----Message d'origine-----
De : Borysowich, Craig (CSS) [mailto:Craig.Borysowich@css.gov.on.ca]
Envoy=E9 : mercredi 30 juin 2004 20:15
=C0 : Alberti Antoine
Objet : RE: Cross-certification
http://www.au-kbc.org/bpmain1/PKI/cross_certification.pdf
http://www.geminisecurity.com/docs/ndss050.doc
These papers may give you some insight...
-----Original Message-----
From: Alberti Antoine [mailto:aalberti@axway.com]
Sent: Wednesday, June 30, 2004 11:16 AM
To: ietf-pkix@imc.org
Subject: Cross-certification
Would there be any document where cross-certification and =
non-hierarchical infrastructures are defined, please ?=20
Regards.=20
=
=20
Antoine Alberti Axway. a Sopra Group =
company =20
Tel : +33 (0)1 47 17 24 37 XFB R&D=20
Fax : +33 (0)1 47 17 24 25 26 Rue des =
Pavillons=20
email: aalberti@axway.com 92807 Puteaux =
Cedex - France=20
------=_NextPart_000_0028_01C45F7D.05AB2730
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Cross-certification</TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Antoine,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Although slightly off-topic, may I add =
that=20
cross-certification is unlikely to ever be a main-stream activity as =
neither=20
commercial CAs or private enterprises having many partners feel any =
particular need or interest in these schemes that are based on the =
same=20
intellectual foundation as public LDAP directories. You may be =
interested=20
to hear that governments in Scandinavia have found a much more useful =
way to=20
communicate and that is using domain-based security. This reduces =
the=20
number of external CA certificates and keys to an absolute =
minimum.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Anders Rundgren</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV=20
style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: =
black"><B>From:</B>=20
<A title=3Daalberti@axway.com =
href=3D"mailto:aalberti@axway.com">Alberti=20
Antoine</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A =
title=3Dietf-pkix@imc.org=20
href=3D"mailto:ietf-pkix@imc.org">ietf-pkix@imc.org</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Thursday, July 01, 2004 =
11:29</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> RE: =
Cross-certification</DIV>
<DIV><BR></DIV>
<DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN=20
class=3D954191209-01072004>Thanks for the answers. Wouldn't this issue =
diserve a=20
little bit of a specification ? For instance, I understand =
cross-certification=20
when an authority has several certificate with the same public key and =
the=20
same subjectDN, but the second document Craig Borysowich indicated =
gives an=20
example of an authority that has several public keys. I suppose =
this is a=20
consequence of a key renewal (is it really the only case =
?). But=20
then, the cross-certification is not valid anymore, is it ? I assume=20
certifying means signing a public key, but I may be =
wrong.</SPAN></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px =
solid; MARGIN-RIGHT: 0px">
<DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT =
face=3DTahoma=20
size=3D2>-----Message d'origine-----<BR><B>De :</B> Borysowich, =
Craig=20
(CSS) =
[mailto:Craig.Borysowich@css.gov.on.ca]<BR><B>Envoy=E9 :</B>=20
mercredi 30 juin 2004 20:15<BR><B>=C0 :</B> Alberti=20
Antoine<BR><B>Objet :</B> RE: =
Cross-certification<BR><BR></FONT></DIV>
<DIV><FONT face=3DArial color=3D#0000ff size=3D2><A=20
=
href=3D"http://www.au-kbc.org/bpmain1/PKI/cross_certification.pdf">http:/=
/www.au-kbc.org/bpmain1/PKI/cross_certification.pdf</A></FONT></DIV>
<DIV><SPAN class=3D967451218-30062004><FONT face=3DArial =
color=3D#0000ff=20
size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D967451218-30062004><FONT face=3DArial =
color=3D#0000ff size=3D2><A=20
=
href=3D"http://www.geminisecurity.com/docs/ndss050.doc">http://www.gemini=
security.com/docs/ndss050.doc</A></FONT></SPAN></DIV>
<DIV><SPAN class=3D967451218-30062004><FONT face=3DArial =
color=3D#0000ff=20
size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D967451218-30062004><FONT face=3DArial =
color=3D#0000ff=20
size=3D2>These papers may give you some =
insight...</FONT></SPAN></DIV>
<BLOCKQUOTE>
<DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT =
face=3DTahoma=20
size=3D2>-----Original Message-----<BR><B>From:</B> Alberti =
Antoine=20
[mailto:aalberti@axway.com]<BR><B>Sent:</B> Wednesday, June 30, =
2004 11:16=20
AM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B>=20
Cross-certification<BR><BR></FONT></DIV><!-- Converted from =
text/rtf format -->
<P><FONT face=3DArial size=3D2>Would there be any document where=20
cross-certification and non-hierarchical infrastructures are =
defined,=20
please ?</FONT> <BR><FONT face=3DArial size=3D2>Regards.</FONT> =
</P>
<UL>
<P><SPAN =
lang=3Den-us><U><B> =20
<FONT face=3DTahoma=20
=
size=3D2> &nbs=
p;  =
; =
&=
nbsp; &n=
bsp; &nb=
sp; &nbs=
p;  =
; =
&=
nbsp; =20
</FONT></B></U></SPAN></P>
<P><SPAN =
lang=3Den-us><B> <FONT=20
face=3DTahoma size=3D2>Antoine Alberti=20
=
</FONT></B></SPAN><B><SPAN=20
lang=3Dfr></SPAN><SPAN lang=3Dfr>=20
</SPAN><SPAN=20
lang=3Dfr></SPAN><SPAN lang=3Dfr> <FONT face=3D"Arial Black"=20
color=3D#808080>Axwa</FONT><FONT face=3D"Arial Black"=20
color=3D#ff0000>y.</FONT></SPAN></B><SPAN lang=3Dfr><FONT =
face=3DTahoma=20
size=3D2> a Sopra Group company =
</FONT></SPAN><BR><SPAN=20
lang=3Den-us> <FONT =
face=3DTahoma=20
size=3D2>Tel : +33 (0)1 47 17 24 =
37 =20
</FONT></SPAN><SPAN=20
lang=3Den-us><B> <FONT face=3DTahoma color=3D#0000ff =
size=3D2>XF</FONT><FONT=20
face=3DTahoma color=3D#ff0000 size=3D2>B</FONT><FONT =
face=3DTahoma size=3D2>=20
R&D</FONT></B></SPAN> <BR><SPAN=20
lang=3Den-us> <FONT =
face=3DTahoma=20
size=3D2>Fax : +33 (0)1 47 17 24 =
25 =20
26 Rue des=20
Pavillons</FONT></SPAN> <BR><SPAN=20
lang=3Den-us> <FONT =
face=3DTahoma=20
size=3D2>email: aalberti@axway.com</FONT></SPAN><SPAN=20
lang=3Dfr> =20
</SPAN><SPAN =
lang=3Den-us> <FONT=20
face=3DTahoma size=3D2>92807 Puteaux Cedex - =
France</FONT></SPAN><SPAN=20
lang=3Dfr></SPAN>=20
</P><BR><BR></UL></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_0028_01C45F7D.05AB2730--
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61C2K8N033317; Thu, 1 Jul 2004 05:02:20 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i61C2K6T033316; Thu, 1 Jul 2004 05:02:20 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i61C2J0n033271 for <ietf-pkix@imc.org>; Thu, 1 Jul 2004 05:02:20 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from medusa01 (medusa01.cs.auckland.ac.nz [130.216.34.33]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id 2B6FC1CD962; Fri, 2 Jul 2004 00:01:12 +1200 (NZST)
Received: from pgut001 by medusa01 with local (Exim 4.32) id 1Bg0Gi-0006bO-7C; Fri, 02 Jul 2004 00:02:20 +1200
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: aalberti@axway.com, ietf-pkix@imc.org
Subject: Re: Cross-certification
In-Reply-To: <C1D2450FEBBA8C49BAA732EFB008A9ED012D234A@WEXCHBE01-VS.ptx.fr.sopra>
Message-Id: <E1Bg0Gi-0006bO-7C@medusa01>
Date: Fri, 02 Jul 2004 00:02:20 +1200
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
"Alberti Antoine" <aalberti@axway.com> writes:
>Would there be any document where cross-certification and non-hierarchical
>infrastructures are defined, please ?
I believe H.P.Lovecraft has published some works on this.
Peter.
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i619Tr81000424; Thu, 1 Jul 2004 02:29:53 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i619Tr2N000423; Thu, 1 Jul 2004 02:29:53 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from outbound1.sopragroup.com (outbound1.z-ptx-11.fr.sopragroup.com [81.80.239.198]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i619Tpck000382 for <ietf-pkix@imc.org>; Thu, 1 Jul 2004 02:29:52 -0700 (PDT) (envelope-from aalberti@axway.com)
Received: by outbound1.sopragroup.com (8.12.10/8.12.10/outbound-A02) with ESMTP id i619TkKp026998 for <ietf-pkix@imc.org>; Thu, 1 Jul 2004 11:29:46 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.0.6556.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C45F4D.F282F2AA"
Subject: RE: Cross-certification
Date: Thu, 1 Jul 2004 11:29:45 +0200
Message-ID: <C1D2450FEBBA8C49BAA732EFB008A9ED0D8037@WEXCHBE01-VS.ptx.fr.sopra>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Cross-certification
Thread-Index: AcRezlHeBZHN+hQLTGyvsYLdkwR4XQAfTEyw
From: "Alberti Antoine" <aalberti@axway.com>
To: <ietf-pkix@imc.org>
X-OriginalArrivalTime: 01 Jul 2004 09:36:17.0765 (UTC) FILETIME=[DC14B950:01C45F4E]
X-Scanned-By: MIMEDefang 2.38
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
This is a multi-part message in MIME format.
------_=_NextPart_001_01C45F4D.F282F2AA
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Thanks for the answers. Wouldn't this issue diserve a little bit of a =
specification ? For instance, I understand cross-certification when an =
authority has several certificate with the same public key and the same =
subjectDN, but the second document Craig Borysowich indicated gives an =
example of an authority that has several public keys. I suppose this is =
a consequence of a key renewal (is it really the only case ?). But then, =
the cross-certification is not valid anymore, is it ? I assume =
certifying means signing a public key, but I may be wrong.
-----Message d'origine-----
De : Borysowich, Craig (CSS) [mailto:Craig.Borysowich@css.gov.on.ca]
Envoy=E9 : mercredi 30 juin 2004 20:15
=C0 : Alberti Antoine
Objet : RE: Cross-certification
http://www.au-kbc.org/bpmain1/PKI/cross_certification.pdf
=20
http://www.geminisecurity.com/docs/ndss050.doc
=20
These papers may give you some insight...
-----Original Message-----
From: Alberti Antoine [mailto:aalberti@axway.com]
Sent: Wednesday, June 30, 2004 11:16 AM
To: ietf-pkix@imc.org
Subject: Cross-certification
Would there be any document where cross-certification and =
non-hierarchical infrastructures are defined, please ?=20
Regards.=20
=
=20
Antoine Alberti Axway. a Sopra Group company =
Tel : +33 (0)1 47 17 24 37 XFB R&D=20
Fax : +33 (0)1 47 17 24 25 26 Rue des Pavillons=20
email: aalberti@axway.com 92807 Puteaux Cedex - =
France=20
------_=_NextPart_001_01C45F4D.F282F2AA
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<TITLE>Cross-certification</TITLE>
<META content=3D"MSHTML 5.50.4134.600" name=3DGENERATOR></HEAD>
<BODY>
<DIV><FONT face=3DArial color=3D#0000ff size=3D2><SPAN =
class=3D954191209-01072004>Thanks=20
for the answers. Wouldn't this issue diserve a little bit of a =
specification ?=20
For instance, I understand cross-certification when an authority has =
several=20
certificate with the same public key and the same subjectDN, but the =
second=20
document Craig Borysowich indicated gives an example of an authority =
that has=20
several public keys. I suppose this is a consequence of a key =
renewal=20
(is it really the only case ?). But then, the cross-certification =
is not=20
valid anymore, is it ? I assume certifying means signing a public key, =
but I may=20
be wrong.</SPAN></FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px =
solid; MARGIN-RIGHT: 0px">
<DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT =
face=3DTahoma=20
size=3D2>-----Message d'origine-----<BR><B>De :</B> Borysowich, =
Craig (CSS)=20
[mailto:Craig.Borysowich@css.gov.on.ca]<BR><B>Envoy=E9 :</B> =
mercredi 30=20
juin 2004 20:15<BR><B>=C0 :</B> Alberti =
Antoine<BR><B>Objet :</B> RE:=20
Cross-certification<BR><BR></FONT></DIV>
<DIV><FONT face=3DArial color=3D#0000ff size=3D2><A=20
=
href=3D"http://www.au-kbc.org/bpmain1/PKI/cross_certification.pdf">http:/=
/www.au-kbc.org/bpmain1/PKI/cross_certification.pdf</A></FONT></DIV>
<DIV><SPAN class=3D967451218-30062004><FONT face=3DArial =
color=3D#0000ff=20
size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D967451218-30062004><FONT face=3DArial =
color=3D#0000ff size=3D2><A=20
=
href=3D"http://www.geminisecurity.com/docs/ndss050.doc">http://www.gemini=
security.com/docs/ndss050.doc</A></FONT></SPAN></DIV>
<DIV><SPAN class=3D967451218-30062004><FONT face=3DArial =
color=3D#0000ff=20
size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D967451218-30062004><FONT face=3DArial =
color=3D#0000ff=20
size=3D2>These papers may give you some insight...</FONT></SPAN></DIV>
<BLOCKQUOTE>
<DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT =
face=3DTahoma=20
size=3D2>-----Original Message-----<BR><B>From:</B> Alberti Antoine=20
[mailto:aalberti@axway.com]<BR><B>Sent:</B> Wednesday, June 30, 2004 =
11:16=20
AM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B>=20
Cross-certification<BR><BR></FONT></DIV><!-- Converted from text/rtf =
format -->
<P><FONT face=3DArial size=3D2>Would there be any document where=20
cross-certification and non-hierarchical infrastructures are =
defined, please=20
?</FONT> <BR><FONT face=3DArial size=3D2>Regards.</FONT> </P>
<UL>
<P><SPAN =
lang=3Den-us><U><B> <FONT=20
face=3DTahoma=20
=
size=3D2> &nbs=
p;  =
; =
&=
nbsp; &n=
bsp; &nb=
sp; &nbs=
p;  =
; =
&=
nbsp; =20
</FONT></B></U></SPAN></P>
<P><SPAN =
lang=3Den-us><B> <FONT=20
face=3DTahoma size=3D2>Antoine Alberti=20
=
</FONT></B></SPAN><B><SPAN=20
lang=3Dfr></SPAN><SPAN lang=3Dfr>=20
</SPAN><SPAN=20
lang=3Dfr></SPAN><SPAN lang=3Dfr> <FONT face=3D"Arial Black"=20
color=3D#808080>Axwa</FONT><FONT face=3D"Arial Black"=20
color=3D#ff0000>y.</FONT></SPAN></B><SPAN lang=3Dfr><FONT =
face=3DTahoma=20
size=3D2> a Sopra Group company =
</FONT></SPAN><BR><SPAN=20
lang=3Den-us> <FONT =
face=3DTahoma=20
size=3D2>Tel : +33 (0)1 47 17 24 37 =20
</FONT></SPAN><SPAN=20
lang=3Den-us><B> <FONT face=3DTahoma color=3D#0000ff =
size=3D2>XF</FONT><FONT=20
face=3DTahoma color=3D#ff0000 size=3D2>B</FONT><FONT face=3DTahoma =
size=3D2>=20
R&D</FONT></B></SPAN> <BR><SPAN=20
lang=3Den-us> <FONT =
face=3DTahoma=20
size=3D2>Fax : +33 (0)1 47 17 24 25 =20
26 Rue des=20
Pavillons</FONT></SPAN> <BR><SPAN=20
lang=3Den-us> <FONT =
face=3DTahoma=20
size=3D2>email: aalberti@axway.com</FONT></SPAN><SPAN=20
lang=3Dfr> =20
</SPAN><SPAN =
lang=3Den-us> <FONT=20
face=3DTahoma size=3D2>92807 Puteaux Cedex - =
France</FONT></SPAN><SPAN=20
lang=3Dfr></SPAN> =
</P><BR><BR></UL></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>
------_=_NextPart_001_01C45F4D.F282F2AA--
- RE: SCVP-15 Trevor Freeman
- RE: SCVP-15 Michael Myers
- RE: SCVP-15 Trevor Freeman
- RE: SCVP-15 Michael Myers