With everyday or cereal

"Miles Grant" <roecclesiastic@bestveeb.net> Fri, 01 December 2006 04:26 UTC

Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gpzyt-000279-JY for smime-archive@ietf.org; Thu, 30 Nov 2006 23:26:35 -0500
Received: from [218.14.89.218] (helo=bestveeb.net) by chiedprmail1.ietf.org with smtp (Exim 4.43) id 1Gpzyp-00022U-Gd for smime-archive@ietf.org; Thu, 30 Nov 2006 23:26:33 -0500
Message-ID: <001201c71543$ecbf2350$074e1174@MIS33>
From: Miles Grant <roecclesiastic@bestveeb.net>
To: smime-archive <smime-archive@ietf.org>
Subject: With everyday or cereal
Date: Fri, 01 Dec 2006 12:26:28 +0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2962
X-Spam-Score: 4.3 (++++)
X-Scan-Signature: 7a6398bf8aaeabc7a7bb696b6b0a2aad

The Bestest Replica Watches...

Quality Luxury trademarks!!

No one will ever notice the difference.!!

Christmas Special discount!!
We have a complete line of high quality replicated products..

Receive 25% off total price - when you buy 2 or more watches!!!

[1]Don't waste your time and order today here!!

References

   1. file://localhost/home/cmf3/tasks/replica_05/MF0cRI/http://eclipse.luxurymerchandise.net/discordant/





Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUNTcUF041434; Thu, 30 Nov 2006 16:29:38 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUNTcB1041433; Thu, 30 Nov 2006 16:29:38 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from [10.20.30.100] (dsl-63-249-108-169.cruzio.com [63.249.108.169]) (authenticated bits=0) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUNTaf3041424 for <ietf-smime@imc.org>; Thu, 30 Nov 2006 16:29:37 -0700 (MST) (envelope-from phoffman@imc.org)
Mime-Version: 1.0
Message-Id: <p06240870c1951983ae69@[10.20.30.100]>
In-Reply-To: <OFBFFFCDE8.7801D8D2-ONC1257236.005BBC6C@frcl.bull.fr>
References: <OFBFFFCDE8.7801D8D2-ONC1257236.005BBC6C@frcl.bull.fr>
Date: Thu, 30 Nov 2006 15:29:18 -0800
To: ietf-smime@imc.org
From: Paul Hoffman <phoffman@imc.org>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

At 5:41 PM +0100 11/30/06, Denis Pinkas wrote:
>Transition can simply be accomplished by placing two signatures.
>I do not think that we need an amendment to CMS to say this, since 
>it is obvious.

Fully disagree. We have examples where different developers thought 
different things; documenting this is valuable.



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUMM395034657; Thu, 30 Nov 2006 15:22:03 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUMM3wr034656; Thu, 30 Nov 2006 15:22:03 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from smtp102.biz.mail.re2.yahoo.com (smtp102.biz.mail.re2.yahoo.com [68.142.229.216]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAUMM1FF034602 for <ietf-smime@imc.org>; Thu, 30 Nov 2006 15:22:02 -0700 (MST) (envelope-from turners@ieca.com)
Received: (qmail 87949 invoked from network); 30 Nov 2006 22:21:56 -0000
Received: from unknown (HELO Wylie) (turners@ieca.com@70.18.234.145 with login) by smtp102.biz.mail.re2.yahoo.com with SMTP; 30 Nov 2006 22:21:54 -0000
X-YMail-OSG: 73vhY.oVM1nDJKZQ.1DW4lpVH6xJjcwZxuOdtX7s_DquUwhsRgI3oVELM8XJ0q69hahu.LenHE75BE_fTvJxlaFnyhobPooNK53YKyaAE_yYBtim8qQZ2w--
Reply-To: <turners@ieca.com>
From: "Turner, Sean P." <turners@ieca.com>
To: "'Denis Pinkas'" <denis.pinkas@bull.net>, "'ietf-smime'" <ietf-smime@imc.org>
Subject: RE: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
Date: Thu, 30 Nov 2006 17:23:30 -0500
Organization: IECA, Inc.
Message-ID: <009e01c714ce$2a849920$0201a8c0@Wylie>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_009F_01C714A4.41AE9120"
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <OFBFFFCDE8.7801D8D2-ONC1257236.005BBC6C@frcl.bull.fr>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-Index: AccUowbSOiCCkGxXSIGMlxvsA+L9FgAJrmvA
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

This is a multi-part message in MIME format.

------=_NextPart_000_009F_01C714A4.41AE9120
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Denis,

Why is saying something about processing multiple signatures a bad idea?  I
think it's a good idea to provide as much implementation advice as possible
especially knowing that some implementations will transition with multiple
signatures.  I think including the text is much better than relying on the
collective obviousness of something.

I am also confused about why you think the draft says "the message is valid
if".  The draft doesn't not use the RFC 2119 words when describing
processing of multiple signatures ("usually" and "ought" are the two words
that stick out).  Further, the draft then says application environments can
be configured to do other things ... so there's an out for environments that
want to act differently.

spt

  _____

From: owner-ietf-smime@mail.imc.org [mailto:owner-ietf-smime@mail.imc.org]
On Behalf Of Denis Pinkas
Sent: Thursday, November 30, 2006 11:42 AM
To: ietf-smime
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt


Russ,

You are correct: "The current CMS specification says nothing about
validating multiple signatures."
 ... and it should stay this way.

The CMS specification should not attempt to enter the area of saying "The
message is valid if ...."

Transition can simply be accomplished by placing two signatures.
I do not think that we need an amendment to CMS to say this, since it is
obvious.

Denis

  _____

Denis:

The current CMS specification says nothing about validating multiple
signatures.  This means that it is unclear whether a message is valid if the
recipient cannot validate all of them.  The S/MIME WG started by considering
two choices:

(1) The message is valid if any of the signatures is valid; and
(2) The message is valid if all of the signatures are valid.

Discussion on this mail list made it clear that neither of these approaches
was acceptable.  There are some applications that have multiple signers, and
the application needs a valid signature for each one of them.  So, we
settled on:

(3) The message is valid if one signature from each signer is valid.

Further discussion made it clear that the application was going to have to
be involved in determining which signatures are associated with the same
signer in some cases.  However, in the most urgent case we are concerned
with RSA with SHA-1 and RSA with SHA-256, the same certificate will be used
for both signatures, so the same signer is obvious.

Russ

At 02:23 AM 11/30/2006, Denis Pinkas wrote:


Russ,

Your short response below does not seem to me an objection to my
argumentation.

You say:    the application (...) can only verify one of the signatures.
I say:    The *application* [will] be pleased if one of them is valid.

The core issue is still that no change needs to be made to the CMS document.
Denis

  _____

Not so.  If the application only implements SHA-1, then it can only verify
one of the signatures.

Russ

At 09:51 AM 11/29/2006, Denis Pinkas wrote:


Russ,

Sorry, once again I disagree with the wording. The *application* can verify
both signatures and be pleased if one of them is valid.
No change needs to be made to the CMS document.

Denis

  _____

Denis:

We seem to be working on two different problems.  We want to transition from
RSA with SHA-1 to RSA with SHA-256.  So, the signer puts two signatures on
the message, since not all of the recipients support RSA with SHA-256 yet.
If either of the signatures can be validated by a recipient, then that
recipient will consider the message valid.

Russ


At 04:06 AM 11/29/2006, Denis Pinkas wrote:


Russ,

I believe that we have a major disagreement on the goal of the proposed
document.

The current goal is :

    ... This document
   provides replacement text for a few paragraphs, making it clear that
   the protected content is valid if any of the digital signatures for a
   particular signer is valid.

It is possible to check that a given signature is valid.
The golden rule is that only one signature can be verified at a time.

This is fully different from saying that a "protected content" (i.e. a
document) is valid, which may mean to verify multiple signatures.

As an example, a document can be said to be only valid when it bears
three parallel signatures from particular signers, and in addition two of
them need to be counter-signed by other particular signers.

The verification of multiple signatures is at the level of the application,
not at the level of a CMS toolkit.

Besides this major observation, there is no need to support multiple
signatures from the same signer for algorithm agility purposes.

Finally, you raised the following question:

"How does time-stamping facilitate the transition from RSA with SHA-1 to RSA
with SHA-256?
In fact, it make it worse.  We need to transition the time stamp authority
signature too".

Please refer to RFC 3126 :

  B.4.7  Time-Stamping for Long Life of Signature

Signatures may need to be maintained, which means that for signatures that
need to last very long, more than one time-stamp may need to be added later
on, but only in case of a real collision. To respond to your question, RSA
with SHA-256 will need to be mandatorily used, when after X months of
computation someone will demonstrate a collision. Then since it takes X
months to make a collision, the signature maintenance needs to be made in a
time less than X months.

Denis


  _____

At 03:52 AM 11/28/2006, Denis Pinkas wrote:


 Russ,

See my comments embedded.

Denis Pinkas, Denis.Pinkas@bull.net
2006-11-28

----- Message received -----
From: Russ Housley
To: Denis Pinkas
Date: 2006-11-27, 20:03:31
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt

Denis:

>The issue is more complex than presented. :-(
>
>The idea is to say that a message is correctly signed by a given
>signer, if one of the signatures
>from the *same* signer computed using a different signature
>algorithm is valid.
>
>Correct ?

You did not acknowledge that this is the goal of the draft proposal.


The document is clear.  It says:

   ... This document
   provides replacement text for a few paragraphs, making it clear that
   the protected content is valid if any of the digital signatures for a
   particular signer is valid.



>
>In the same section from RFC 3852, just above we have:
>
>" The process by which signed-data is constructed involves the
> following steps:
>
> 1. For each signer, a message digest, or hash value, is computed
> on the content with a signer-specific message-digest algorithm.
> If the signer is signing any information other than the
> content, the message digest of the content and the other
> information are digested with the signer's message digest
> algorithm (see Section 5.4), and the result becomes the
> "message digest."
>
> 2. For each signer, the message digest is digitally signed using
> the signer's private key.
>
> 3. For each signer, the signature value and other signer-specific
> information are collected into a SignerInfo value, as defined
> in Section 5.3. Certificates and CRLs for each signer, and
> those not corresponding to any signer, are collected in this
> step.
>
> 4. The message digest algorithms for all the signers and the
> SignerInfo values for all the signers are collected together
> with the content into a SignedData value, as defined in Section
> 5.1".
>
>We should have a similar construct for verification, but we don't.

When CMS was first adopted by the S/MIME WG, we decided to keep the
specification as close to the structure of PKCS #7 v1.5 as
possible. The idea was to make it easy for one to determine the
differences. I see no reason why this discussion ought to change
that decision.

The text from PKCS # 7 v1.5 is:

A recipient verifies the signatures by decrypting the encrypted message
digest for each signer with the signer's public key, then comparing the
recovered message digest to an independently computed message digest. The
signer's public key is either contained in a certificate included in the
signer information, or is referenced by an issuer distinguished name and an
issuer-specific serial number that uniquely identify the certificate for the
public key.

The text from RFC 3852 is:

A recipient independently computes the message digest.  This message digest
and the signer's public key are used to verify the signature value.  The
signer's public key is referenced either by an issuer distinguished name
along with an issuer-specific serial number or by a subject key identifier
that uniquely identifies the certificate containing the public key.  The
signer's certificate can be included in the SignedData certificates field.

These texts are clearly insufficient, since they do not cover the case of
certificate substitution.

The new draft is wishing to cover the case of signatures from the same
signer.
It is restricted to the use of certificates. Then the only way to know that
it is the same signer is to compare the certificates. We should say some
words on how this comparison shall be done.
If certificates are substituted, then we are also running into trouble.


This is not the issue at all.  Different certificates may represent the same
signer in some applications.



>It should start with:
>
> The process by which signed-data is verified involves the
> following steps:
>
> 1. For each SignerInfo present in SignerInfos ...
>
>The exercise is more difficult than it looks, because unless
>ESSCertID is being used,
>it is not possible to know for sure that a signature is from the same
>signer.

I recognize that this is true. That is the reason that the proposed
text points to the application that is using CMS to help when the sid
field is not sufficient.

The proposed text is clearly insufficient to cover the case.

The second point, which is even more important, is that I am not convinced
that this is the right way to solve the problem.


This discussion has been going on for about a year.  If you are unhappy with
the proposed solution, do not ask for more work to be done on it.  Instead,
propose an alternative.  Without such, we should proceed on the current
course.



If the certificate is used for non repudiation purposes, then time-stamping
provides all the necessary protection.


This make no sense to me at all.  How does time-stamping facilitate the
transition from RSA with SHA-1 to RSA with SHA-256?  In fact, it make it
worse.  We need to transition the time stamp authority signature too.

Russ


------=_NextPart_000_009F_01C714A4.41AE9120
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.5730.11" name=3DGENERATOR></HEAD>
<BODY>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D421555121-30112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2>Denis,</FONT></SPAN></DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D421555121-30112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D421555121-30112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2>Why is saying something about processing =
multiple=20
signatures a bad idea?&nbsp; I think it's a good idea to provide as much =

implementation advice as possible especially knowing that some =
implementations=20
will transition with multiple signatures.&nbsp; I think including the =
text is=20
much better than relying on the collective obviousness of=20
something.</FONT></SPAN></DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D421555121-30112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D421555121-30112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2>I am also confused&nbsp;about why you think the =
draft says=20
"the message is valid if".&nbsp; The draft doesn't not use the RFC 2119 =
words=20
when describing processing of multiple signatures ("usually" and "ought" =
are the=20
two words that stick out).&nbsp; Further, the draft then says =
application=20
environments can be configured to do other things ... so there's an out =
for=20
environments that want to act differently.</FONT></SPAN></DIV>
<DIV dir=3Dltr align=3Dleft><SPAN class=3D421555121-30112006><FONT =
face=3DArial=20
color=3D#0000ff size=3D2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial><FONT =
color=3D#0000ff><FONT size=3D2>s<SPAN=20
class=3D421555121-30112006>pt</SPAN></FONT></FONT></FONT><BR></DIV>
<DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr align=3Dleft>
<HR tabIndex=3D-1>
<FONT face=3DTahoma size=3D2><B>From:</B> owner-ietf-smime@mail.imc.org=20
[mailto:owner-ietf-smime@mail.imc.org] <B>On Behalf Of </B>Denis=20
Pinkas<BR><B>Sent:</B> Thursday, November 30, 2006 11:42 =
AM<BR><B>To:</B>=20
ietf-smime<BR><B>Subject:</B> Re: I-D=20
ACTION:draft-ietf-smime-cms-mult-sign-02.txt<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>Russ,</DIV>
<DIV>&nbsp;</DIV>
<DIV>You are correct: "The current CMS specification says nothing about=20
validating multiple signatures.&nbsp;"</DIV>
<DIV>&nbsp;... and it&nbsp;should stay this way.</DIV>
<DIV>&nbsp;</DIV>
<DIV>The CMS specification should not attempt to enter the area of =
saying=20
"&nbsp;The message is valid if ...."</DIV>
<DIV>&nbsp;</DIV>
<DIV>Transition can simply be accomplished by placing two signatures. =
<BR>I do=20
not think that we need an amendment to CMS to say this, since it is=20
obvious.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Denis</DIV>
<DIV>&nbsp;</DIV>
<DIV>
<HR>
Denis:<BR><BR>The current CMS specification says nothing about =
validating=20
multiple signatures.&nbsp; This means that it is unclear whether a =
message is=20
valid if the recipient cannot validate all of them.&nbsp; The S/MIME WG =
started=20
by considering two choices:<BR><BR>(1) The message is valid if any of =
the=20
signatures is valid; and<BR>(2) The message is valid if all of the =
signatures=20
are valid.<BR><BR>Discussion on this mail list made it clear that =
neither of=20
these approaches was acceptable.&nbsp; There are some applications that =
have=20
multiple signers, and the application needs a valid signature for each =
one of=20
them.&nbsp; So, we settled on:<BR><BR>(3) The message is valid if one =
signature=20
from each signer is valid.<BR><BR>Further discussion made it clear that =
the=20
application was going to have to be involved in determining which =
signatures are=20
associated with the same signer in some cases.&nbsp; However, in the =
most urgent=20
case we are concerned with RSA with SHA-1 and RSA with SHA-256, the same =

certificate will be used for both signatures, so the same signer is=20
obvious.<BR><BR>Russ<BR><BR>At 02:23 AM 11/30/2006, Denis Pinkas=20
wrote:<BR></DIV>
<BLOCKQUOTE class=3Dcite cite=3D"" type=3D"cite">Russ, =
<BR>&nbsp;<BR>Your short=20
  response below does not seem to me an objection to my=20
  argumentation.<BR>&nbsp;<BR>You say:&nbsp;&nbsp;&nbsp; the application =
(...)=20
  can only verify one of the signatures.<BR>I say:&nbsp;&nbsp;&nbsp; The =

  *application* [will] be pleased if one of them is =
valid.<BR>&nbsp;<BR>The core=20
  issue is still that no change needs to be made to the CMS=20
  document.<BR>Denis<BR>
  <HR>
  Not so.&nbsp; If the application only implements SHA-1, then it can =
only=20
  verify one of the signatures.<BR><BR>Russ<BR><BR>At 09:51 AM =
11/29/2006, Denis=20
  Pinkas wrote:<BR>
  <BLOCKQUOTE class=3Dcite cite=3D"" =
type=3D"cite">Russ,<BR>&nbsp;<BR>Sorry, once=20
    again I disagree with the wording. The *application* can verify both =

    signatures and be pleased if one of them is valid.<BR>No change =
needs to be=20
    made to the CMS document.<BR>&nbsp;<BR>Denis<BR>&nbsp;<BR>
    <HR>
    Denis:<BR><BR>We seem to be working on two different problems.&nbsp; =
We want=20
    to transition from RSA with SHA-1 to RSA with SHA-256.&nbsp; So, the =
signer=20
    puts two signatures on the message, since not all of the recipients =
support=20
    RSA with SHA-256 yet.&nbsp; If either of the signatures can be =
validated by=20
    a recipient, then that recipient will consider the message=20
    valid.<BR><BR>Russ<BR><BR><BR>At 04:06 AM 11/29/2006, Denis Pinkas=20
wrote:<BR>
    <BLOCKQUOTE class=3Dcite cite=3D"" =
type=3D"cite">Russ,<BR>&nbsp;<BR>I believe=20
      that we have a major disagreement on the goal of the proposed=20
      document.<BR>&nbsp;<BR>The current goal is =
:&nbsp;&nbsp;&nbsp;&nbsp;=20
      <BR>&nbsp;<BR>&nbsp;&nbsp;&nbsp; ... This document<BR>&nbsp;&nbsp; =

      provides replacement text for a few paragraphs, making it clear=20
      that<BR>&nbsp;&nbsp; the protected content is valid if any of the =
digital=20
      signatures for a<BR>&nbsp;&nbsp; particular signer is valid.<BR>It =
is=20
      possible to check that a given signature is valid.<BR>The golden =
rule is=20
      that only one signature can be verified at a time. =
<BR>&nbsp;<BR>This is=20
      fully different of saying that a "protected content" (i.e. a =
document) is=20
      valid, which may mean to verify multiple =
signatures.<BR>&nbsp;<BR>As an=20
      example, a document can be said to be only be valid when it bears =
three=20
      parallel signatures <BR>from particular signers, and in addition =
of two=20
      them need to be counter-signed by other particular=20
      signers.<BR>&nbsp;<BR>The verification of multiple signatures is =
at the=20
      level of the application, not at the level of a CMS=20
      toolkit.<BR>&nbsp;<BR>Besides this major observation, there is no =
need to=20
      support multiple signatures from the same signer for algorithm =
agility=20
      purposes.<BR>&nbsp;<BR>Finally, you raised the following=20
      question:<BR>&nbsp;<BR>"How does time-stamping facilitate the =
transition=20
      from RSA with SHA-1 to RSA with SHA-256?&nbsp; <BR>In fact, it =
make it=20
      worse.&nbsp; We need to transition the time stamp authority =
signature=20
      too".<BR>&nbsp;<BR>Please refer to RFC 3126 =
:<BR>&nbsp;<BR><BR><FONT=20
      face=3D"Courier New, Courier" size=3D2>&nbsp; B.4.7&nbsp; =
Time-Stamping for=20
      Long Life of=20
      =
Signature&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
      79&lt;?xml:namespace prefix =3D o ns =3D=20
      "urn:schemas-microsoft-com:office:office"=20
      /&gt;<BR></FONT>&nbsp;<BR>Signatures may need to be maintained, =
which=20
      means that for signatures that need to last very long, more than =
one=20
      time-stamp <BR>may need to be added later on, but only in case of =
a real=20
      collision. To respond to your question, RSA with SHA-256 will need =
<BR>to=20
      be mandatorilly used, when after X months of computation someone =
will=20
      demonstrate a collision. Then since it takes X months <BR>to make =
a=20
      collision, the signature maintenance needs to be made in a time =
less than=20
      X months.<BR>&nbsp;<BR>Denis<BR>&nbsp;<BR>
      <HR>
      At 03:52 AM 11/28/2006, Denis Pinkas wrote:<BR>
      <BLOCKQUOTE class=3Dcite cite=3D"" =
type=3D"cite">&nbsp;Russ,<BR>&nbsp;<BR>See=20
        my comments embedded.<BR>&nbsp;<BR>Denis Pinkas, <A=20
        href=3D"mailto =
:Denis.Pinkas@bull.net">Denis.Pinkas@bull.net</A><BR>2006-11-28=20

        <DL>
          <DD>----- Message re=E7u -----=20
          <DD>De : <A href=3D"mailto :housley@vigilsec.com">Russ =
Housley</A>=20
          <DD>=C0 : <A href=3D"mailto :denis.pinkas@bull.net">Denis =
Pinkas</A>=20
          <DD>Date : 2006-11-27, 20:03:31=20
          <DD>Sujet : Re: I-D =
ACTION:draft-ietf-smime-cms-mult-sign-02.txt=20
          <DD>Denis:=20
          <DD>&gt;The issue is more complex than presented. :-(=20
          <DD>&gt;=20
          <DD>&gt;The idea is to say that a message is correctly signed =
by a=20
          given=20
          <DD>&gt;signer, if one of the signatures=20
          <DD>&gt;from the *same* signer computed using a different =
signature=20
          <DD>&gt;algorithm is valid.=20
          <DD>&gt;=20
          <DD>&gt;Correct ?=20
          <DD>You did not acknowledged that this is the goal of the =
draft=20
          proposal. </DD></DL></BLOCKQUOTE>
      <DL></DL><BR>The document is clear.&nbsp; It =
says:<BR><BR>&nbsp;&nbsp; ...=20
      This document<BR>&nbsp;&nbsp; provides replacement text for a few=20
      paragraphs, making it clear that<BR>&nbsp;&nbsp; the protected =
content is=20
      valid if any of the digital signatures for a<BR>&nbsp;&nbsp; =
particular=20
      signer is valid.<BR><BR>
      <BLOCKQUOTE class=3Dcite cite=3D"" type=3D"cite">
        <DL>
          <DD>&gt;=20
          <DD>&gt;In the same section from RFC 3852, just above we have: =

          <DD>&gt;=20
          <DD>&gt;" The process by which signed-data is constructed =
involves the=20

          <DD>&gt; following steps:=20
          <DD>&gt;=20
          <DD>&gt; 1. For each signer, a message digest, or hash value, =
is=20
          computed=20
          <DD>&gt; on the content with a signer-specific message-digest=20
          algorithm.=20
          <DD>&gt; If the signer is signing any information other than =
the=20
          <DD>&gt; content, the message digest of the content and the =
other=20
          <DD>&gt; information are digested with the signer's message =
digest=20
          <DD>&gt; algorithm (see Section 5.4), and the result becomes =
the=20
          <DD>&gt; "message digest."=20
          <DD>&gt;=20
          <DD>&gt; 2. For each signer, the message digest is digitally =
signed=20
          using=20
          <DD>&gt; the signer's private key.=20
          <DD>&gt;=20
          <DD>&gt; 3. For each signer, the signature value and other=20
          signer-specific=20
          <DD>&gt; information are collected into a SignerInfo value, as =
defined=20

          <DD>&gt; in Section 5.3. Certificates and CRLs for each =
signer, and=20
          <DD>&gt; those not corresponding to any signer, are collected =
in this=20
          <DD>&gt; step.=20
          <DD>&gt;=20
          <DD>&gt; 4. The message digest algorithms for all the signers =
and the=20
          <DD>&gt; SignerInfo values for all the signers are collected =
together=20
          <DD>&gt; with the content into a SignedData value, as defined =
in=20
          Section=20
          <DD>&gt; 5.1".=20
          <DD>&gt;=20
          <DD>&gt;We should have a similar construct for verification, =
but we=20
          don't.=20
          <DD>When CMS was first adopted by the S/MIME WG, we decided to =
keep=20
          the=20
          <DD>specification as close to the structure of PKCS #7 v1.5 as =

          <DD>possible. The idea was to make it easy for one to =
determine the=20
          <DD>differences. I see no reason why this discussion ought to =
change=20
          <DD>that decision.=20
          <DD><FONT size=3D2>The text from PKCS # 7 v1.5 is:</FONT>=20
          <DD><FONT face=3D"Times New Roman, Times">A recipient verifies =
the=20
          signatures by decrypting the encrypted message digest=20
          <DD>for each signer with the signer's public key, then =
comparing the=20
          recovered message=20
          <DD>digest to an independently computed message digest. The =
signer's=20
          public key is=20
          <DD>either contained in a certificate included in the signer=20
          information, or is referenced=20
          <DD>by an issuer distinguished name and an issuer-specific =
serial=20
          number that uniquely=20
          <DD>identify the certificate for the public key.</FONT>=20
          <DD><FONT size=3D2>The text from RFC 3852 is:</FONT>=20
          <DD><FONT size=3D2>A recipient independently computes the =
message=20
          digest.&nbsp; This message digest and=20
          <DD>the signer's public key are used to verify the signature=20
          value.&nbsp; The signer's public key=20
          <DD>is referenced either by an issuer distinguished name along =
with an=20
          issuer-specific=20
          <DD>serial number or by a subject key identifier that uniquely =

          identifies the certificate=20
          <DD>containing the public key.&nbsp; The signer's certificate =
can be=20
          included in the SignedData=20
          <DD>certificates field.</FONT>=20
          <DD><FONT size=3D2>These texts are clearly insufficient, since =
they do=20
          not cover the case of certificate substitution.</FONT>=20
          <DD><FONT size=3D2>The new draft is wishing to cover the case =
of=20
          signatures from the same signer.=20
          <DD>It is restricted to the use of certificates. Then the only =
way to=20
          know that is is the same signer=20
          <DD>is to compare the certificates. We should say some words =
on how=20
          this comparison shall be done.=20
          <DD>If certificates are substituted, then we are also running =
into=20
          trouble.</FONT></DD></DL></BLOCKQUOTE>
      <DL></DL><BR>This is not the issue at all.&nbsp; Different =
certificates=20
      may represent the same signer in some applications.<BR><BR>
      <BLOCKQUOTE class=3Dcite cite=3D"" type=3D"cite">
        <DL>
          <DD>&gt;It should start with:=20
          <DD>&gt;=20
          <DD>&gt; The process by which signed-data is verified involves =
the=20
          <DD>&gt; following steps:=20
          <DD>&gt;=20
          <DD>&gt; 1. For each SignerInfo present in SignerInfos ...=20
          <DD>&gt;=20
          <DD>&gt;The exercise is more difficult than it looks, because =
unless=20
          <DD>&gt;ESSCertID is being used,=20
          <DD>&gt;it is not possible to know for sure that a signature =
is from=20
          the same signer.=20
          <DD>I recognize that this is true. That is the reason that the =

          proposed=20
          <DD>text points to the application that is using CMS to help =
when the=20
          sid=20
          <DD>field is not sufficient.=20
          <DD><FONT size=3D2>The proposed text is clearly insufficient =
to cover=20
          the case.</FONT>=20
          <DD><FONT size=3D2>The second point, which is even more =
important, is=20
          that I am not convinced=20
          <DD>that this is the right way to solve the=20
      problem.</FONT></DD></DL></BLOCKQUOTE>
      <DL></DL><BR>This discussion has been going on for about a =
year.&nbsp; If=20
      you are unhappy with the proposed solution, do not ask for more =
work to be=20
      done on it.&nbsp; Instead, propose an alternative.&nbsp; Without =
such, we=20
      should proceed on the current course.<BR><BR>
      <BLOCKQUOTE class=3Dcite cite=3D"" type=3D"cite">
        <DL>
          <DD><FONT size=3D2>If the certificate is used for non =
repudiation=20
          purposes, then time-stamping provides=20
          <DD>all the necessary =
protection.</FONT></DD></DL></BLOCKQUOTE>
      <DL></DL><BR>This makes no sense to me at all.&nbsp; How does =
time-stamping=20
      facilitate the transition from RSA with SHA-1 to RSA with =
SHA-256?&nbsp;=20
      In fact, it makes it worse.&nbsp; We need to transition the time =
stamp=20
      authority signature too.<BR><BR>Russ<BR>
      <HR>
    </BLOCKQUOTE>
    <HR>
  </BLOCKQUOTE>
  <HR>
</BLOCKQUOTE>
<HR>
</BODY></HTML>

------=_NextPart_000_009F_01C714A4.41AE9120--




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUGfxVf096279; Thu, 30 Nov 2006 09:41:59 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUGfxBk096278; Thu, 30 Nov 2006 09:41:59 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUGfuFM096267 for <ietf-smime@imc.org>; Thu, 30 Nov 2006 09:41:57 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id RAA24904 for <ietf-smime@imc.org>; Thu, 30 Nov 2006 17:44:51 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006113017420009:81618 ; Thu, 30 Nov 2006 17:42:00 +0100 
Date: Thu, 30 Nov 2006 17:41:52 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "ietf-smime" <ietf-smime@imc.org>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 30/11/2006 17:42:00, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 30/11/2006 17:42:01, Serialize complete at 30/11/2006 17:42:01
Message-ID: <OFBFFFCDE8.7801D8D2-ONC1257236.005BBC6C@frcl.bull.fr>
Content-Type: multipart/alternative; boundary="=====003_Dragon755635064380_====="
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

This is a multi-part message in MIME format.

--=====003_Dragon755635064380_=====
Content-Transfer-Encoding: base64
Content-Type: text/plain;
	charset="iso-8859-1"
--=====003_Dragon755635064380_=====
Content-Transfer-Encoding: base64
Content-Type: text/html;
	charset="iso-8859-1"
--=====003_Dragon755635064380_=====--




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAUGK4Mc093494; Thu, 30 Nov 2006 09:20:04 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAUGK4Gh093492; Thu, 30 Nov 2006 09:20:04 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAUGK2k1093464 for <ietf-smime@imc.org>; Thu, 30 Nov 2006 09:20:03 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 6311 invoked by uid 0); 30 Nov 2006 16:19:56 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 30 Nov 2006 16:19:56 -0000
Message-Id: <7.0.0.16.2.20061130110840.076c3910@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Thu, 30 Nov 2006 11:19:52 -0500
To: "Denis Pinkas" <denis.pinkas@bull.net>, "ietf-smime" <ietf-smime@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
In-Reply-To: <OFB83E3A9A.A039D70C-ONC1257236.00289987@frcl.bull.fr>
References: <OFB83E3A9A.A039D70C-ONC1257236.00289987@frcl.bull.fr>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

<html>
<body>
Denis:<br><br>
The current CMS specification says nothing about validating multiple
signatures.&nbsp; This means that it is unclear whether a message is
valid if the recipient cannot validate all of them.&nbsp; The S/MIME WG
started by considering two choices:<br><br>
(1) The message is valid if any of the signatures is valid; and<br>
(2) The message is valid if all of the signatures are valid.<br><br>
Discussion on this mail list made it clear that neither of these
approaches was acceptable.&nbsp; There are some applications that have
multiple signers, and the application needs a valid signature for each
one of them.&nbsp; So, we settled on:<br><br>
(3) The message is valid if one signature from each signer is
valid.<br><br>
Further discussion made it clear that the application was going to have
to be involved in determining which signatures are associated with the
same signer in some cases.&nbsp; However, in the most urgent case we are
concerned with RSA with SHA-1 and RSA with SHA-256, the same certificate
will be used for both signatures, so the same signer is obvious.<br><br>
Russ<br><br>
At 02:23 AM 11/30/2006, Denis Pinkas wrote:<br>
<blockquote type=cite class=cite cite="">Russ, <br>
&nbsp;<br>
Your short response below does not seem to me an objection to my
argumentation.<br>
&nbsp;<br>
You say:&nbsp;&nbsp;&nbsp; the application (...) can only verify one of
the signatures.<br>
I say:&nbsp;&nbsp;&nbsp; The *application* [will] be pleased if one of
them is valid.<br>
&nbsp;<br>
The core issue is still that no change needs to be made to the CMS
document.<br>
Denis<br>
<hr>
Not so.&nbsp; If the application only implements SHA-1, then it can only
verify one of the signatures.<br><br>
Russ<br><br>
At 09:51 AM 11/29/2006, Denis Pinkas wrote:<br>
<blockquote type=cite class=cite cite="">Russ,<br>
&nbsp;<br>
Sorry, once again I disagree with the wording. The *application* can
verify both signatures and be pleased if one of them is valid.<br>
No change needs to be made to the CMS document.<br>
&nbsp;<br>
Denis<br>
&nbsp;<br>
<hr>
Denis:<br><br>
We seem to be working on two different problems.&nbsp; We want to
transition from RSA with SHA-1 to RSA with SHA-256.&nbsp; So, the signer
puts two signatures on the message, since not all of the recipients
support RSA with SHA-256 yet.&nbsp; If either of the signatures can be
validated by a recipient, then that recipient will consider the message
valid.<br><br>
Russ<br><br>
<br>
At 04:06 AM 11/29/2006, Denis Pinkas wrote:<br>
<blockquote type=cite class=cite cite="">Russ,<br>
&nbsp;<br>
I believe that we have a major disagreement on the goal of the proposed
document.<br>
&nbsp;<br>
The current goal is :&nbsp;&nbsp;&nbsp;&nbsp; <br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ... This document<br>
&nbsp;&nbsp; provides replacement text for a few paragraphs, making it
clear that<br>
&nbsp;&nbsp; the protected content is valid if any of the digital
signatures for a<br>
&nbsp;&nbsp; particular signer is valid.<br>
It is possible to check that a given signature is valid.<br>
The golden rule is that only one signature can be verified at a time.
<br>
&nbsp;<br>
This is fully different from saying that a &quot;protected content&quot;
(i.e. a document) is valid, which may mean to verify multiple
signatures.<br>
&nbsp;<br>
As an example, a document can be said to only be valid when it bears
three parallel signatures <br>
from particular signers, and in addition two of them need to be
counter-signed by other particular signers.<br>
&nbsp;<br>
The verification of multiple signatures is at the level of the
application, not at the level of a CMS toolkit.<br>
&nbsp;<br>
Besides this major observation, there is no need to support multiple
signatures from the same signer for algorithm agility purposes.<br>
&nbsp;<br>
Finally, you raised the following question:<br>
&nbsp;<br>
&quot;How does time-stamping facilitate the transition from RSA with
SHA-1 to RSA with SHA-256?&nbsp; <br>
In fact, it makes it worse.&nbsp; We need to transition the time stamp
authority signature too&quot;.<br>
&nbsp;<br>
Please refer to RFC 3126 :<br>
&nbsp;<br><br>
<font face="Courier New, Courier" size=2>&nbsp; B.4.7&nbsp; Time-Stamping
for Long Life of
Signature&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
79<br>
</font>&nbsp;<br>
Signatures may need to be maintained, which means that for signatures
that need to last very long, more than one time-stamp <br>
may need to be added later on, but only in case of a real collision. To
respond to your question, RSA with SHA-256 will need <br>
to be mandatorily used, when after X months of computation someone will
demonstrate a collision. Then since it takes X months <br>
to make a collision, the signature maintenance needs to be made in a time
less than X months.<br>
&nbsp;<br>
Denis<br>
&nbsp;<br>
<hr>
At 03:52 AM 11/28/2006, Denis Pinkas wrote:<br>
<blockquote type=cite class=cite cite="">&nbsp;Russ,<br>
&nbsp;<br>
See my comments embedded.<br>
&nbsp;<br>
Denis Pinkas,
<a href="mailto :Denis.Pinkas@bull.net">Denis.Pinkas@bull.net</a><br>
2006-11-28 
<dl>
<dd>----- Received message ----- 
<dd>From: <a href="mailto :housley@vigilsec.com">Russ Housley</a> 
<dd>To: <a href="mailto :denis.pinkas@bull.net">Denis Pinkas</a> 
<dd>Date: 2006-11-27, 20:03:31 
<dd>Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt 
<dd>Denis: 
<dd>&gt;The issue is more complex than presented. :-( 
<dd>&gt; 
<dd>&gt;The idea is to say that a message is correctly signed by a given 
<dd>&gt;signer, if one of the signatures 
<dd>&gt;from the *same* signer computed using a different signature 
<dd>&gt;algorithm is valid. 
<dd>&gt; 
<dd>&gt;Correct ? 
<dd>You did not acknowledge that this is the goal of the draft proposal.
</blockquote>
</dl><br>
The document is clear.&nbsp; It says:<br><br>
&nbsp;&nbsp; ... This document<br>
&nbsp;&nbsp; provides replacement text for a few paragraphs, making it
clear that<br>
&nbsp;&nbsp; the protected content is valid if any of the digital
signatures for a<br>
&nbsp;&nbsp; particular signer is
valid.<br><br><blockquote type=cite class=cite cite="">
<dl>
<dd>&gt; 
<dd>&gt;In the same section from RFC 3852, just above we have: 
<dd>&gt; 
<dd>&gt;&quot; The process by which signed-data is constructed involves
the 
<dd>&gt; following steps: 
<dd>&gt; 
<dd>&gt; 1. For each signer, a message digest, or hash value, is computed 
<dd>&gt; on the content with a signer-specific message-digest algorithm. 
<dd>&gt; If the signer is signing any information other than the 
<dd>&gt; content, the message digest of the content and the other 
<dd>&gt; information are digested with the signer's message digest 
<dd>&gt; algorithm (see Section 5.4), and the result becomes the 
<dd>&gt; &quot;message digest.&quot; 
<dd>&gt; 
<dd>&gt; 2. For each signer, the message digest is digitally signed using 
<dd>&gt; the signer's private key. 
<dd>&gt; 
<dd>&gt; 3. For each signer, the signature value and other
signer-specific 
<dd>&gt; information are collected into a SignerInfo value, as defined 
<dd>&gt; in Section 5.3. Certificates and CRLs for each signer, and 
<dd>&gt; those not corresponding to any signer, are collected in this 
<dd>&gt; step. 
<dd>&gt; 
<dd>&gt; 4. The message digest algorithms for all the signers and the 
<dd>&gt; SignerInfo values for all the signers are collected together 
<dd>&gt; with the content into a SignedData value, as defined in Section 
<dd>&gt; 5.1&quot;. 
<dd>&gt; 
<dd>&gt;We should have a similar construct for verification, but we
don't. 
<dd>When CMS was first adopted by the S/MIME WG, we decided to keep the 
<dd>specification as close to the structure of PKCS #7 v1.5 as 
<dd>possible. The idea was to make it easy for one to determine the 
<dd>differences. I see no reason why this discussion ought to change 
<dd>that decision. 
<dd><font size=2>The text from PKCS # 7 v1.5 is:</font> 
<dd><font face="Times New Roman, Times">A recipient verifies the
signatures by decrypting the encrypted message digest 
<dd>for each signer with the signer's public key, then comparing the
recovered message 
<dd>digest to an independently computed message digest. The signer's
public key is 
<dd>either contained in a certificate included in the signer information,
or is referenced 
<dd>by an issuer distinguished name and an issuer-specific serial number
that uniquely 
<dd>identify the certificate for the public key.</font> 
<dd><font size=2>The text from RFC 3852 is:</font> 
<dd><font size=2>A recipient independently computes the message
digest.&nbsp; This message digest and 
<dd>the signer's public key are used to verify the signature value.&nbsp;
The signer's public key 
<dd>is referenced either by an issuer distinguished name along with an
issuer-specific 
<dd>serial number or by a subject key identifier that uniquely identifies
the certificate 
<dd>containing the public key.&nbsp; The signer's certificate can be
included in the SignedData 
<dd>certificates field.</font> 
<dd><font size=2>These texts are clearly insufficient, since they do not
cover the case of certificate substitution.</font> 
<dd><font size=2>The new draft is wishing to cover the case of signatures
from the same signer. 
<dd>It is restricted to the use of certificates. Then the only way to
know that it is the same signer 
<dd>is to compare the certificates. We should say some words on how this
comparison shall be done. 
<dd>If certificates are substituted, then we are also running into
trouble.</font></blockquote>
</dl><br>
This is not the issue at all.&nbsp; Different certificates may represent
the same signer in some
applications.<br><br><blockquote type=cite class=cite cite="">
<dl>
<dd>&gt;It should start with: 
<dd>&gt; 
<dd>&gt; The process by which signed-data is verified involves the 
<dd>&gt; following steps: 
<dd>&gt; 
<dd>&gt; 1. For each SignerInfo present in SignerInfos ... 
<dd>&gt; 
<dd>&gt;The exercise is more difficult than it looks, because unless 
<dd>&gt;ESSCertID is being used, 
<dd>&gt;it is not possible to know for sure that a signature is from the
same signer. 
<dd>I recognize that this is true. That is the reason that the proposed 
<dd>text points to the application that is using CMS to help when the sid 
<dd>field is not sufficient. 
<dd><font size=2>The proposed text is clearly insufficient to cover the
case.</font> 
<dd><font size=2>The second point, which is even more important, is that
I am not convinced 
<dd>that this is the right way to solve the problem.</font></blockquote>
</dl><br>
This discussion has been going on for about a year.&nbsp; If you are
unhappy with the proposed solution, do not ask for more work to be done
on it.&nbsp; Instead, propose an alternative.&nbsp; Without such, we
should proceed on the current
course.<br><br><blockquote type=cite class=cite cite="">
<dl>
<dd><font size=2>If the certificate is used for non repudiation purposes,
then time-stamping provides 
<dd>all the necessary protection.</font></blockquote>
</dl><br>
This makes no sense to me at all.&nbsp; How does time-stamping facilitate
the transition from RSA with SHA-1 to RSA with SHA-256?&nbsp; In fact, it
makes it worse.&nbsp; We need to transition the time stamp authority
signature too.<br><br>
Russ<br>
<hr>
</blockquote><hr>
</blockquote><hr>
</blockquote></body>
</html>
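The three validation rules listed in the message above, as an added example (not code from the thread, the draft or any CMS toolkit). The `SignerInfo` class is a simplified stand-in rather than a DER parser, the public-key operation is reduced to a constructed flag, and every name and sample value below is an assumption.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

VALID, INVALID, UNSUPPORTED = "valid", "invalid", "unsupported"


@dataclass(frozen=True)
class SignerInfo:
    """Simplified stand-in for a CMS SignerInfo (no DER, no real RSA)."""
    sid: str                   # issuer+serial or subject key identifier, flattened
    digest_alg: str            # "sha1" or "sha256"
    message_digest: bytes      # digest the signer computed over the content
    signature_ok: bool = True  # constructed: outcome of the public-key check


def make_signer_info(sid, digest_alg, content):
    """Build a sample SignerInfo whose digest matches `content`."""
    return SignerInfo(sid, digest_alg, hashlib.new(digest_alg, content).digest())


def check_one(si, content, supported):
    """Verify one SignerInfo; the recipient may not implement its algorithm."""
    if si.digest_alg not in supported:
        return UNSUPPORTED
    digest = hashlib.new(si.digest_alg, content).digest()
    if not hmac.compare_digest(digest, si.message_digest) or not si.signature_ok:
        return INVALID
    return VALID


def is_valid(signer_infos, content, supported, policy, same_signer=None):
    """Apply one of the three rules from the thread.

    policy: "any" (1), "all" (2) or "one-per-signer" (3).
    same_signer: optional application callback mapping a SignerInfo to a
    signer identity, for when the sid alone does not identify the signer.
    """
    if not signer_infos:
        return False  # all() over nothing would otherwise report success
    results = [(si, check_one(si, content, supported)) for si in signer_infos]
    if policy == "any":
        return any(status == VALID for _, status in results)
    if policy == "all":
        return all(status == VALID for _, status in results)
    if policy == "one-per-signer":
        identity = same_signer or (lambda si: si.sid)
        per_signer = defaultdict(list)
        for si, status in results:
            per_signer[identity(si)].append(status)
        return all(VALID in statuses for statuses in per_signer.values())
    raise ValueError(f"unknown policy: {policy}")


# Constructed sample data: identifiers and content are made up.
CONTENT = b"constructed sample content"
LEGACY = {"sha1"}             # recipient that has not deployed SHA-256 yet
MODERN = {"sha1", "sha256"}

CERT_1 = "CN=Example CA/serial=01"
CERT_2 = "CN=Example CA/serial=02"
CERT_3 = "CN=Example CA/serial=03"

# Transition case: one signer, one certificate, two signatures.
DUAL = [make_signer_info(CERT_1, "sha1", CONTENT),
        make_signer_info(CERT_1, "sha256", CONTENT)]
# A second signer who only produced a SHA-256 signature.
WITH_SECOND_SIGNER = DUAL + [make_signer_info(CERT_2, "sha256", CONTENT)]
# One signer using a different certificate for each algorithm.
TWO_CERTS = [make_signer_info(CERT_1, "sha1", CONTENT),
             make_signer_info(CERT_3, "sha256", CONTENT)]
SAME_PERSON = {CERT_1: "signer-A", CERT_3: "signer-A"}


def by_person(si):
    """Application knowledge: which certificates belong to one signer."""
    return SAME_PERSON.get(si.sid, si.sid)


if __name__ == "__main__":
    for name, infos in [("dual", DUAL), ("second signer", WITH_SECOND_SIGNER),
                        ("two certs", TWO_CERTS)]:
        for policy in ("any", "all", "one-per-signer"):
            print(f"{name:14} {policy:15} legacy recipient ->",
                  is_valid(infos, CONTENT, LEGACY, policy))
    print("two certs, application grouping ->",
          is_valid(TWO_CERTS, CONTENT, LEGACY, "one-per-signer", by_person))
```

With a SHA-1-only recipient, rule (2) rejects the dual-signed message and rule (1) accepts a message whose second signer was never checked; rule (3) separates the two cases, but only when the grouping key really identifies the signer.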



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAU7NRMF033889; Thu, 30 Nov 2006 00:23:27 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAU7NRRs033888; Thu, 30 Nov 2006 00:23:27 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAU7NOiL033879 for <ietf-smime@imc.org>; Thu, 30 Nov 2006 00:23:25 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-mcl1.frcl.bull.fr [129.184.87.20]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id IAA22990 for <ietf-smime@imc.org>; Thu, 30 Nov 2006 08:26:19 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006113008232738:64320 ; Thu, 30 Nov 2006 08:23:27 +0100 
Date: Thu, 30 Nov 2006 08:23:20 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "ietf-smime" <ietf-smime@imc.org>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 30/11/2006 08:23:27, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 30/11/2006 08:23:28, Serialize complete at 30/11/2006 08:23:28
Message-ID: <OFB83E3A9A.A039D70C-ONC1257236.00289987@frcl.bull.fr>
Content-Type: multipart/alternative; boundary="=====003_Dragon145422622535_====="
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

This is a multi-part message in MIME format.

--=====003_Dragon145422622535_=====
Content-Transfer-Encoding: base64
Content-Type: text/plain;
	charset="iso-8859-1"
--=====003_Dragon145422622535_=====
Content-Transfer-Encoding: base64
Content-Type: text/html;
	charset="iso-8859-1"
--=====003_Dragon145422622535_=====--





Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kATJUIq8077053; Wed, 29 Nov 2006 12:30:18 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kATJUIR2077052; Wed, 29 Nov 2006 12:30:18 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kATJUHq8077046 for <ietf-smime@imc.org>; Wed, 29 Nov 2006 12:30:17 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 12587 invoked by uid 0); 29 Nov 2006 19:30:09 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 29 Nov 2006 19:30:09 -0000
Message-Id: <7.0.0.16.2.20061129142927.07ce4c98@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 29 Nov 2006 14:30:04 -0500
To: "Denis Pinkas" <denis.pinkas@bull.net>, "ietf-smime" <ietf-smime@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
In-Reply-To: <OFE5BB6918.6D32D5B5-ONC1257235.0051A5E0@frcl.bull.fr>
References: <OFE5BB6918.6D32D5B5-ONC1257235.0051A5E0@frcl.bull.fr>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

<html>
<body>
Not so.&nbsp; If the application only implements SHA-1, then it can only
verify one of the signatures.<br><br>
Russ<br><br>
At 09:51 AM 11/29/2006, Denis Pinkas wrote:<br>
<blockquote type=cite class=cite cite="">Russ,<br>
&nbsp;<br>
Sorry, once again I disagree with the wording. The *application* can
verify both signatures and be pleased if one of them is valid.<br>
No change needs to be made to the CMS document.<br>
&nbsp;<br>
Denis<br>
&nbsp;<br>
<hr>
Denis:<br><br>
We seem to be working on two different problems.&nbsp; We want to
transition from RSA with SHA-1 to RSA with SHA-256.&nbsp; So, the signer
puts two signatures on the message, since not all of the recipients
support RSA with SHA-256 yet.&nbsp; If either of the signatures can be
validated by a recipient, then that recipient will consider the message
valid.<br><br>
Russ<br><br>
<br>
At 04:06 AM 11/29/2006, Denis Pinkas wrote:<br>
<blockquote type=cite class=cite cite="">Russ,<br>
&nbsp;<br>
I believe that we have a major disagreement on the goal of the proposed
document.<br>
&nbsp;<br>
The current goal is :&nbsp;&nbsp;&nbsp;&nbsp; <br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ... This document<br>
&nbsp;&nbsp; provides replacement text for a few paragraphs, making it
clear that<br>
&nbsp;&nbsp; the protected content is valid if any of the digital
signatures for a<br>
&nbsp;&nbsp; particular signer is valid.<br>
It is possible to check that a given signature is valid.<br>
The golden rule is that only one signature can be verified at a time.
<br>
&nbsp;<br>
This is fully different from saying that a &quot;protected content&quot;
(i.e. a document) is valid, which may mean to verify multiple
signatures.<br>
&nbsp;<br>
As an example, a document can be said to only be valid when it bears
three parallel signatures <br>
from particular signers, and in addition two of them need to be
counter-signed by other particular signers.<br>
&nbsp;<br>
The verification of multiple signatures is at the level of the
application, not at the level of a CMS toolkit.<br>
&nbsp;<br>
Besides this major observation, there is no need to support multiple
signatures from the same signer for algorithm agility purposes.<br>
&nbsp;<br>
Finally, you raised the following question:<br>
&nbsp;<br>
&quot;How does time-stamping facilitate the transition from RSA with
SHA-1 to RSA with SHA-256?&nbsp; <br>
In fact, it makes it worse.&nbsp; We need to transition the time stamp
authority signature too&quot;.<br>
&nbsp;<br>
Please refer to RFC 3126 :<br>
&nbsp;<br><br>
<font face="Courier New, Courier" size=2>&nbsp; B.4.7&nbsp; Time-Stamping
for Long Life of
Signature&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
79<br>
</font>&nbsp;<br>
Signatures may need to be maintained, which means that for signatures
that need to last very long, more than one time-stamp <br>
may need to be added later on, but only in case of a real collision. To
respond to your question, RSA with SHA-256 will need <br>
to be mandatorily used, when after X months of computation someone will
demonstrate a collision. Then since it takes X months <br>
to make a collision, the signature maintenance needs to be made in a time
less than X months.<br>
&nbsp;<br>
Denis<br>
&nbsp;<br>
<hr>
At 03:52 AM 11/28/2006, Denis Pinkas wrote:<br>
<blockquote type=cite class=cite cite="">&nbsp;Russ,<br>
&nbsp;<br>
See my comments embedded.<br>
&nbsp;<br>
Denis Pinkas,
<a href="mailto :Denis.Pinkas@bull.net">Denis.Pinkas@bull.net</a><br>
2006-11-28 
<dl>
<dd>----- Received message ----- 
<dd>From: <a href="mailto :housley@vigilsec.com">Russ Housley</a> 
<dd>To: <a href="mailto :denis.pinkas@bull.net">Denis Pinkas</a> 
<dd>Date: 2006-11-27, 20:03:31 
<dd>Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
<dd>Denis:
<dd>&gt;The issue is more complex than presented. :-( 
<dd>&gt; 
<dd>&gt;The idea is to say that a message is correctly signed by a given 
<dd>&gt;signer, if one of the signatures 
<dd>&gt;from the *same* signer computed using a different signature 
<dd>&gt;algorithm is valid. 
<dd>&gt; 
<dd>&gt;Correct ? 
<dd>You did not acknowledge that this is the goal of the draft proposal.
</blockquote>
</dl><br>
The document is clear.&nbsp; It says:<br><br>
&nbsp;&nbsp; ... This document<br>
&nbsp;&nbsp; provides replacement text for a few paragraphs, making it
clear that<br>
&nbsp;&nbsp; the protected content is valid if any of the digital
signatures for a<br>
&nbsp;&nbsp; particular signer is
valid.<br><br><blockquote type=cite class=cite cite="">
<dl>
<dd>&gt; 
<dd>&gt;In the same section from RFC 3852, just above we have: 
<dd>&gt; 
<dd>&gt;&quot; The process by which signed-data is constructed involves
the 
<dd>&gt; following steps: 
<dd>&gt; 
<dd>&gt; 1. For each signer, a message digest, or hash value, is computed 
<dd>&gt; on the content with a signer-specific message-digest algorithm. 
<dd>&gt; If the signer is signing any information other than the 
<dd>&gt; content, the message digest of the content and the other 
<dd>&gt; information are digested with the signer's message digest 
<dd>&gt; algorithm (see Section 5.4), and the result becomes the 
<dd>&gt; &quot;message digest.&quot; 
<dd>&gt; 
<dd>&gt; 2. For each signer, the message digest is digitally signed using 
<dd>&gt; the signer's private key. 
<dd>&gt; 
<dd>&gt; 3. For each signer, the signature value and other
signer-specific 
<dd>&gt; information are collected into a SignerInfo value, as defined 
<dd>&gt; in Section 5.3. Certificates and CRLs for each signer, and 
<dd>&gt; those not corresponding to any signer, are collected in this 
<dd>&gt; step. 
<dd>&gt; 
<dd>&gt; 4. The message digest algorithms for all the signers and the 
<dd>&gt; SignerInfo values for all the signers are collected together 
<dd>&gt; with the content into a SignedData value, as defined in Section 
<dd>&gt; 5.1&quot;. 
<dd>&gt; 
<dd>&gt;We should have a similar construct for verification, but we
don't.
<dd>When CMS was first adopted by the S/MIME WG, we decided to keep the 
<dd>specification as close to the structure of PKCS #7 v1.5 as 
<dd>possible. The idea was to make it easy for one to determine the 
<dd>differences. I see no reason why this discussion ought to change 
<dd>that decision.
<dd><font size=2>The text from PKCS # 7 v1.5 is:</font>
<dd><font face="Times New Roman, Times">A recipient verifies the
signatures by decrypting the encrypted message digest 
<dd>for each signer with the signer's public key, then comparing the
recovered message 
<dd>digest to an independently computed message digest. The signer's
public key is 
<dd>either contained in a certificate included in the signer information,
or is referenced 
<dd>by an issuer distinguished name and an issuer-specific serial number
that uniquely 
<dd>identify the certificate for the public key.</font> 
<dd><font size=2>The text from RFC 3852 is:</font> 
<dd><font size=2>A recipient independently computes the message
digest.&nbsp; This message digest and 
<dd>the signer's public key are used to verify the signature value.&nbsp;
The signer's public key 
<dd>is referenced either by an issuer distinguished name along with an
issuer-specific 
<dd>serial number or by a subject key identifier that uniquely identifies
the certificate 
<dd>containing the public key.&nbsp; The signer's certificate can be
included in the SignedData 
<dd>certificates field.</font> 
<dd><font size=2>These texts are clearly insufficient, since they do not
cover the case of certificate substitution.</font> 
<dd><font size=2>The new draft is wishing to cover the case of signatures
from the same signer. 
<dd>It is restricted to the use of certificates. Then the only way to
know that it is the same signer 
<dd>is to compare the certificates. We should say some words on how this
comparison shall be done. 
<dd>If certificates are substituted, then we are also running into
trouble.</font></blockquote>
</dl><br>
This is not the issue at all.&nbsp; Different certificates may represent
the same signer in some
applications.<br><br><blockquote type=cite class=cite cite="">
<dl>
<dd>&gt;It should start with: 
<dd>&gt; 
<dd>&gt; The process by which signed-data is verified involves the 
<dd>&gt; following steps: 
<dd>&gt; 
<dd>&gt; 1. For each SignerInfo present in SignerInfos ... 
<dd>&gt; 
<dd>&gt;The exercise is more difficult than it looks, because unless 
<dd>&gt;ESSCertID is being used, 
<dd>&gt;it is not possible to know for sure that a signature is from the
same signer.
<dd>I recognize that this is true. That is the reason that the proposed 
<dd>text points to the application that is using CMS to help when the sid 
<dd>field is not sufficient. 
<dd><font size=2>The proposed text is clearly insufficient to cover the
case.</font> 
<dd><font size=2>The second point, which is even more important, is that
I am not convinced 
<dd>that this is the right way to solve the problem.</font></blockquote>
</dl><br>
This discussion has been going on for about a year.&nbsp; If you are
unhappy with the proposed solution, do not ask for more work to be done
on it.&nbsp; Instead, propose an alternative.&nbsp; Without such, we
should proceed on the current
course.<br><br><blockquote type=cite class=cite cite="">
<dl>
<dd><font size=2>If the certificate is used for non repudiation purposes,
then time-stamping provides 
<dd>all the necessary protection.</font></blockquote>
</dl><br>
This makes no sense to me at all.&nbsp; How does time-stamping facilitate
the transition from RSA with SHA-1 to RSA with SHA-256?&nbsp; In fact, it
makes it worse.&nbsp; We need to transition the time stamp authority
signature too.<br><br>
Russ<br>
<hr>
</blockquote><hr>
</blockquote></body>
</html>



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kATEqLME045040; Wed, 29 Nov 2006 07:52:21 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kATEqKSm045039; Wed, 29 Nov 2006 07:52:20 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kATEqIKl045029 for <ietf-smime@imc.org>; Wed, 29 Nov 2006 07:52:19 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA49098 for <ietf-smime@imc.org>; Wed, 29 Nov 2006 15:55:12 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006112915514877:47286 ; Wed, 29 Nov 2006 15:51:48 +0100 
Date: Wed, 29 Nov 2006 15:51:40 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "ietf-smime" <ietf-smime@imc.org>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 29/11/2006 15:51:48, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 29/11/2006 15:52:23, Serialize complete at 29/11/2006 15:52:23
Message-ID: <OFE5BB6918.6D32D5B5-ONC1257235.0051A5E0@frcl.bull.fr>
Content-Type: multipart/alternative; boundary="=====003_Dragon528764586370_====="
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

This is a multi-part message in MIME format.

--=====003_Dragon528764586370_=====
Content-Transfer-Encoding: base64
Content-Type: text/plain;
	charset="iso-8859-1"
--=====003_Dragon528764586370_=====
Content-Transfer-Encoding: base64
Content-Type: text/html;
	charset="iso-8859-1"


--=====003_Dragon528764586370_=====--




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kATEioJ5044488; Wed, 29 Nov 2006 07:44:50 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kATEio9W044487; Wed, 29 Nov 2006 07:44:50 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kATEimT7044467 for <ietf-smime@imc.org>; Wed, 29 Nov 2006 07:44:49 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 4107 invoked by uid 0); 29 Nov 2006 14:44:43 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 29 Nov 2006 14:44:43 -0000
Message-Id: <7.0.0.16.2.20061129090220.07c2ec80@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 29 Nov 2006 09:09:10 -0500
To: "Denis Pinkas" <denis.pinkas@bull.net>, "ietf-smime" <ietf-smime@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
In-Reply-To: <OF87FCBBD0.FB250CED-ONC1257235.00320C59@frcl.bull.fr>
References: <OF87FCBBD0.FB250CED-ONC1257235.00320C59@frcl.bull.fr>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

<html>
<body>
Denis:<br><br>
We seem to be working on two different problems.&nbsp; We want to
transition from RSA with SHA-1 to RSA with SHA-256.&nbsp; So, the signer
puts two signatures on the message, since not all of the recipients
support RSA with SHA-256 yet.&nbsp; If either of the signatures can be
validated by a recipient, then that recipient will consider the message
valid.<br><br>
Russ<br><br>
<br>
At 04:06 AM 11/29/2006, Denis Pinkas wrote:<br>
<blockquote type=cite class=cite cite="">Russ,<br>
&nbsp;<br>
I believe that we have a major disagreement on the goal of the proposed
document.<br>
&nbsp;<br>
The current goal is :&nbsp;&nbsp;&nbsp;&nbsp; <br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ... This document<br>
&nbsp;&nbsp; provides replacement text for a few paragraphs, making it
clear that<br>
&nbsp;&nbsp; the protected content is valid if any of the digital
signatures for a<br>
&nbsp;&nbsp; particular signer is valid.<br>
It is possible to check that a given signature is valid.<br>
The golden rule is that only one signature can be verified at a time.
<br>
&nbsp;<br>
This is fully different from saying that a &quot;protected content&quot;
(i.e. a document) is valid, which may mean to verify multiple
signatures.<br>
&nbsp;<br>
As an example, a document can be said to be valid only when it bears
three parallel signatures <br>
from particular signers, and in addition two of them need to be
counter-signed by other particular signers.<br>
&nbsp;<br>
The verification of multiple signatures is at the level of the
application, not at the level of a CMS toolkit.<br>
&nbsp;<br>
Besides this major observation, there is no need to support multiple
signatures from the same signer for algorithm agility purposes.<br>
&nbsp;<br>
Finally, you raised the following question:<br>
&nbsp;<br>
&quot;How does time-stamping facilitate the transition from RSA with
SHA-1 to RSA with SHA-256?&nbsp; <br>
In fact, it makes it worse.&nbsp; We need to transition the time stamp
authority signature too&quot;.<br>
&nbsp;<br>
Please refer to RFC 3126 :<br>
&nbsp;<br><br>
<font face="Courier New, Courier" size=2>&nbsp; B.4.7&nbsp; Time-Stamping
for Long Life of Signature<br>
</font>&nbsp;<br>
Signatures may need to be maintained, which means that for signatures
that need to last very long, more than one time-stamp <br>
may need to be added later on, but only in case of a real collision. To
respond to your question, RSA with SHA-256 will need <br>
to be mandatorily used, when after X months of computation someone will
demonstrate a collision. Then since it takes X months <br>
to make a collision, the signature maintenance needs to be made in a time
less than X months.<br>
&nbsp;<br>
Denis<br>
&nbsp;<br>
<hr>
At 03:52 AM 11/28/2006, Denis Pinkas wrote:<br>
<blockquote type=cite class=cite cite="">&nbsp;Russ,<br>
&nbsp;<br>
See my comments embedded.<br>
&nbsp;<br>
Denis Pinkas,
<a href="mailto:Denis.Pinkas@bull.net">Denis.Pinkas@bull.net</a><br>
2006-11-28 
<dl>
<dd>----- Received message ----- 
<dd>From: <a href="mailto:housley@vigilsec.com">Russ Housley</a> 
<dd>To: <a href="mailto:denis.pinkas@bull.net">Denis Pinkas</a> 
<dd>Date: 2006-11-27, 20:03:31
<dd>Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt<br>

<dd>Denis:<br>

<dd>&gt;The issue is more complex than presented. :-(
<dd>&gt;
<dd>&gt;The idea is to say that a message is correctly signed by a given 
<dd>&gt;signer, if one of the signatures
<dd>&gt;from the *same* signer computed using a different signature 
<dd>&gt;algorithm is valid.
<dd>&gt;
<dd>&gt;Correct ?
<dd>You did not acknowledge that this is the goal of the draft proposal.
</blockquote>
</dl><br>
The document is clear.&nbsp; It says:<br><br>
&nbsp;&nbsp; ... This document<br>
&nbsp;&nbsp; provides replacement text for a few paragraphs, making it
clear that<br>
&nbsp;&nbsp; the protected content is valid if any of the digital
signatures for a<br>
&nbsp;&nbsp; particular signer is
valid.<br><br><blockquote type=cite class=cite cite="">
<dl>
<dd>&nbsp; 
<dd>&gt;
<dd>&gt;In the same section from RFC 3852, just above we have:
<dd>&gt;
<dd>&gt;&quot; The process by which signed-data is constructed involves
the
<dd>&gt; following steps:
<dd>&gt;
<dd>&gt; 1. For each signer, a message digest, or hash value, is
computed
<dd>&gt; on the content with a signer-specific message-digest algorithm.
<dd>&gt; If the signer is signing any information other than the
<dd>&gt; content, the message digest of the content and the other
<dd>&gt; information are digested with the signer's message digest
<dd>&gt; algorithm (see Section 5.4), and the result becomes the
<dd>&gt; &quot;message digest.&quot;
<dd>&gt;
<dd>&gt; 2. For each signer, the message digest is digitally signed
using
<dd>&gt; the signer's private key.
<dd>&gt;
<dd>&gt; 3. For each signer, the signature value and other
signer-specific
<dd>&gt; information are collected into a SignerInfo value, as defined
<dd>&gt; in Section 5.3. Certificates and CRLs for each signer, and
<dd>&gt; those not corresponding to any signer, are collected in this
<dd>&gt; step.
<dd>&gt;
<dd>&gt; 4. The message digest algorithms for all the signers and the
<dd>&gt; SignerInfo values for all the signers are collected together
<dd>&gt; with the content into a SignedData value, as defined in Section
<dd>&gt; 5.1&quot;.
<dd>&gt;
<dd>&gt;We should have a similar construct for verification, but we
don't.<br>

<dd>When CMS was first adopted by the S/MIME WG, we decided to keep the 
<dd>specification as close to the structure of PKCS #7 v1.5 as 
<dd>possible. The idea was to make it easy for one to determine the 
<dd>differences. I see no reason why this discussion ought to change 
<dd>that decision.<br>

<dd>&nbsp; 
<dd><font size=2>The text from PKCS # 7 v1.5 is:</font><br>

<dd>&nbsp; 
<dd><font face="Times New Roman, Times">A recipient verifies the
signatures by decrypting the encrypted message digest 
<dd>for each signer with the signer's public key, then comparing the
recovered message 
<dd>digest to an independently computed message digest. The signer's
public key is 
<dd>either contained in a certificate included in the signer information,
or is referenced 
<dd>by an issuer distinguished name and an issuer-specific serial number
that uniquely 
<dd>identify the certificate for the public key.</font>
<dd><font size=2>The text from RFC 3852 is:</font>
<dd>&nbsp; 
<dd><font size=2>A recipient independently computes the message
digest.&nbsp; This message digest and 
<dd>the signer's public key are used to verify the signature value.&nbsp;
The signer's public key 
<dd>is referenced either by an issuer distinguished name along with an
issuer-specific 
<dd>serial number or by a subject key identifier that uniquely identifies
the certificate 
<dd>containing the public key.&nbsp; The signer's certificate can be
included in the SignedData 
<dd>certificates field.</font>
<dd>&nbsp; 
<dd><font size=2>These texts are clearly insufficient, since they do not
cover the case of certificate substitution.</font>
<dd>&nbsp; 
<dd><font size=2>The new draft is wishing to cover the case of signatures
from the same signer. 
<dd>It is restricted to the use of certificates. Then the only way to
know that it is the same signer 
<dd>is to compare the certificates. We should say some words on how this
comparison shall be done.
<dd>If certificates are substituted, then we are also running into
trouble.</font></blockquote>
</dl><br>
This is not the issue at all.&nbsp; Different certificates may represent
the same signer in some
applications.<br><br><blockquote type=cite class=cite cite="">
<dl>
<dd>&nbsp; 
<dd>&gt;It should start with:
<dd>&gt;
<dd>&gt; The process by which signed-data is verified involves the
<dd>&gt; following steps:
<dd>&gt;
<dd>&gt; 1. For each SignerInfo present in SignerInfos ...
<dd>&gt;
<dd>&gt;The exercise is more difficult than it looks, because unless 
<dd>&gt;ESSCertID is being used,
<dd>&gt;it is not possible to know for sure that a signature is from the
same signer.<br>

<dd>I recognize that this is true. That is the reason that the proposed 
<dd>text points to the application that is using CMS to help when the sid 
<dd>field is not sufficient.
<dd>&nbsp; 
<dd><font size=2>The proposed text is clearly insufficient to cover the
case.</font>
<dd>&nbsp; 
<dd><font size=2>The second point, which is even more important, is that
I am not convinced 
<dd>that this is the right way to solve the problem.</font></blockquote>
</dl><br>
This discussion has been going on for about a year.&nbsp; If you are
unhappy with the proposed solution, do not ask for more work to be done
on it.&nbsp; Instead, propose an alternative.&nbsp; Without such, we
should proceed on the current
course.<br><br><blockquote type=cite class=cite cite="">
<dl>
<dd>&nbsp; 
<dd><font size=2>If the certificate is used for non repudiation purposes,
then time-stamping provides 
<dd>all the necessary protection.</font></blockquote>
</dl><br>
This makes no sense to me at all.&nbsp; How does time-stamping facilitate
the transition from RSA with SHA-1 to RSA with SHA-256?&nbsp; In fact, it
makes it worse.&nbsp; We need to transition the time stamp authority
signature too.<br><br>
Russ<br>
<hr>
</blockquote></body>
</html>
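
The per-signer rule debated in the exchange above (content counts as signed by a signer if any of that signer's signatures validates, with the application deciding which SignerInfo values belong to the same signer), sketched as an added example that is not from the draft or from either poster. HMAC stands in for RSA so the block runs with the standard library only; `toy_sign`, `verify_one`, `evaluate`, the `signer_of` mapping and all sample names and keys are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SignerInfo:
    issuer: str        # sid: issuer distinguished name
    serial: int        # sid: serial number, unique only per issuing CA
    digest_alg: str    # "sha1" or "sha256"
    signature: bytes


def toy_sign(key: bytes, digest_alg: str, content: bytes) -> bytes:
    """Stand-in for RSA signing (assumption): HMAC over the content digest."""
    digest = hashlib.new(digest_alg, content).digest()
    return hmac.new(key, digest_alg.encode() + b":" + digest, hashlib.sha256).digest()


def verify_one(content, si, keys, supported) -> str:
    """Check a single SignerInfo; each signature is verified on its own."""
    if si.digest_alg not in supported:
        return "unsupported"
    key = keys.get((si.issuer, si.serial))   # certificate lookup by the full sid
    if key is None:
        return "unknown-certificate"
    expected = toy_sign(key, si.digest_alg, content)
    return "valid" if hmac.compare_digest(expected, si.signature) else "invalid"


def evaluate(content, signer_infos, keys, supported, signer_of=None):
    """Group SignerInfos per signer; a signer is valid if ANY signature is valid.

    signer_of is the application-supplied mapping from sid to signer name, used
    when different certificates represent the same signer. Without it, each
    (issuer, serial) pair is treated as a separate signer.
    """
    signer_of = signer_of or {}
    results: dict[str, dict] = {}
    for si in signer_infos:
        sid = (si.issuer, si.serial)
        signer = signer_of.get(sid, f"{si.issuer}#{si.serial}")
        entry = results.setdefault(signer, {"valid": False, "statuses": []})
        status = verify_one(content, si, keys, supported)
        entry["statuses"].append((si.digest_alg, status))
        entry["valid"] = entry["valid"] or status == "valid"
    return results


# Constructed sample data: Alice signs twice during the SHA-1 to SHA-256
# transition using two certificates; Bob's certificate has the same serial
# number as Alice's first one but comes from a different CA.
CONTENT = b"constructed message body"
KEYS = {
    ("CN=Example CA", 17): b"alice-key-1",
    ("CN=Example CA", 42): b"alice-key-2",
    ("CN=Other CA", 17): b"bob-key",
}
SIGNER_INFOS = [
    SignerInfo("CN=Example CA", 17, "sha1",
               toy_sign(KEYS[("CN=Example CA", 17)], "sha1", CONTENT)),
    SignerInfo("CN=Example CA", 42, "sha256",
               toy_sign(KEYS[("CN=Example CA", 42)], "sha256", CONTENT)),
    SignerInfo("CN=Other CA", 17, "sha256",
               toy_sign(KEYS[("CN=Other CA", 17)], "sha256", CONTENT)),
]
SIGNER_OF = {("CN=Example CA", 17): "alice", ("CN=Example CA", 42): "alice"}


if __name__ == "__main__":
    for label, algs in (("legacy recipient", {"sha1"}),
                        ("modern recipient", {"sha256"})):
        print(label)
        for signer, res in evaluate(CONTENT, SIGNER_INFOS, KEYS, algs, SIGNER_OF).items():
            print("  ", signer, res["valid"], res["statuses"])
```

A recipient that no longer wants to accept SHA-1 drops it from `supported`; the SHA-1 SignerInfo is then reported as unsupported and the signer's validity rests on the SHA-256 signature alone.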



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAT96q25006883; Wed, 29 Nov 2006 02:06:52 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAT96qdi006882; Wed, 29 Nov 2006 02:06:52 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAT96pZK006871 for <ietf-smime@imc.org>; Wed, 29 Nov 2006 02:06:52 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA40384 for <ietf-smime@imc.org>; Wed, 29 Nov 2006 10:09:45 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006112910065615:36908 ; Wed, 29 Nov 2006 10:06:56 +0100 
Date: Wed, 29 Nov 2006 10:06:48 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "ietf-smime" <ietf-smime@imc.org>
Subject: Re: WG LAST CALL: draft-ietf-smime-escertid-02.txt
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 29/11/2006 10:06:56, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 29/11/2006 10:06:56, Serialize complete at 29/11/2006 10:06:56
Message-ID: <OF5799FEF0.E39800EA-ONC1257235.003212DC@frcl.bull.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Russ,

>[ Changing the Subject to match the document being discussed. ]
>
>Denis:
>
>>13. Page 7. The text states:
>>
>>    serialNumber  holds the serial number that uniquely identifies the
>>       certificate.
>>
>>This text is misleading since serial number does not always allow
>>to uniquely identify a certificate. Replace with:
>>
>>    serialNumber  holds the serial number of the certificate.
>
>The serial number must be unique for the CA (not universally 
>unique).  I think adding some words to clarify this would be better 
>than dropping words.

I agree. What about:

    serialNumber  holds the serial number that uniquely identifies 
     a certificate issued by a given CA.

Denis

>Russ





Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAT96eGi006864; Wed, 29 Nov 2006 02:06:40 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAT96esM006863; Wed, 29 Nov 2006 02:06:40 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAT96brV006852 for <ietf-smime@imc.org>; Wed, 29 Nov 2006 02:06:38 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA46718 for <ietf-smime@imc.org>; Wed, 29 Nov 2006 10:09:30 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006112910063958:36906 ; Wed, 29 Nov 2006 10:06:39 +0100 
Date: Wed, 29 Nov 2006 10:06:31 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "ietf-smime" <ietf-smime@imc.org>
Subject: Re: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 29/11/2006 10:06:39, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 29/11/2006 10:06:42, Serialize complete at 29/11/2006 10:06:42
Message-ID: <OF87FCBBD0.FB250CED-ONC1257235.00320C59@frcl.bull.fr>
Content-Type: multipart/alternative; boundary="=====003_Dragon072383382566_====="
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>





Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASHBiwV005792; Tue, 28 Nov 2006 10:11:44 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASHBiSK005791; Tue, 28 Nov 2006 10:11:44 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kASHBghP005783 for <ietf-smime@imc.org>; Tue, 28 Nov 2006 10:11:43 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 3412 invoked by uid 0); 28 Nov 2006 17:11:38 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 28 Nov 2006 17:11:38 -0000
Message-Id: <7.0.0.16.2.20061128120811.07c590b8@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Tue, 28 Nov 2006 12:10:38 -0500
To: Denis.Pinkas@bull.net, "ietf-smime"<ietf-smime@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: WG LAST CALL: draft-ietf-smime-escertid-02.txt
In-Reply-To: <DreamMail__154126_16942128548@msga-001.frcl.bull.fr>
References: <456BB455.5050408@sendmail.com> <DreamMail__154126_16942128548@msga-001.frcl.bull.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

[ Changing the Subject to match the document being discussed. ]

Denis:

>13. Page 7. The text states:
>
>    serialNumber  holds the serial number that uniquely identifies the
>       certificate.
>
>This text is misleading since serial number does not always allow
>to uniquely identify a certificate. Replace with:
>
>    serialNumber  holds the serial number of the certificate.

The serial number must be unique for the CA (not universally 
unique).  I think adding some words to clarify this would be better 
than dropping words.

Russ



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASFnD0q093120; Tue, 28 Nov 2006 08:49:13 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASFnD46093119; Tue, 28 Nov 2006 08:49:13 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kASFnBKM093104 for <ietf-smime@imc.org>; Tue, 28 Nov 2006 08:49:11 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 14333 invoked by uid 0); 28 Nov 2006 15:49:07 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 28 Nov 2006 15:49:07 -0000
Message-Id: <7.0.0.16.2.20061128095751.07bcc380@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Tue, 28 Nov 2006 10:49:05 -0500
To: Denis.Pinkas@bull.net, "ietf-smime"<ietf-smime@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
In-Reply-To: <DreamMail__095224_34170516317@msga-001.frcl.bull.fr>
References: <7.0.0.16.2.20061127132244.073ccfb8@vigilsec.com> <DreamMail__095224_34170516317@msga-001.frcl.bull.fr>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

At 03:52 AM 11/28/2006, Denis Pinkas wrote:
> Russ,
>
> See my comments embedded.
>
> Denis Pinkas, Denis.Pinkas@bull.net
> 2006-11-28
>
> ----- Received message -----
> From: Russ Housley <housley@vigilsec.com>
> To: Denis Pinkas <denis.pinkas@bull.net>
> Date: 2006-11-27, 20:03:31
> Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
>
> Denis:
>
> >The issue is more complex than presented. :-(
> >
> >The idea is to say that a message is correctly signed by a given
> >signer, if one of the signatures
> >from the *same* signer computed using a different signature
> >algorithm is valid.
> >
> >Correct ?
>
> You did not acknowledge that this is the goal of the draft proposal.

The document is clear.  It says:

   ... This document
   provides replacement text for a few paragraphs, making it clear that
   the protected content is valid if any of the digital signatures for a
   particular signer is valid.

> >
> >In the same section from RFC 3852, just above we have:
> >
> >" The process by which signed-data is constructed involves the
> > following steps:
> >
> > 1. For each signer, a message digest, or hash value, is computed
> > on the content with a signer-specific message-digest algorithm.
> > If the signer is signing any information other than the
> > content, the message digest of the content and the other
> > information are digested with the signer's message digest
> > algorithm (see Section 5.4), and the result becomes the
> > "message digest."
> >
> > 2. For each signer, the message digest is digitally signed using
> > the signer's private key.
> >
> > 3. For each signer, the signature value and other signer-specific
> > information are collected into a SignerInfo value, as defined
> > in Section 5.3. Certificates and CRLs for each signer, and
> > those not corresponding to any signer, are collected in this
> > step.
> >
> > 4. The message digest algorithms for all the signers and the
> > SignerInfo values for all the signers are collected together
> > with the content into a SignedData value, as defined in Section
> > 5.1".
> >
> >We should have a similar construct for verification, but we don't.
>
> When CMS was first adopted by the S/MIME WG, we decided to keep the
> specification as close to the structure of PKCS #7 v1.5 as
> possible. The idea was to make it easy for one to determine the
> differences. I see no reason why this discussion ought to change
> that decision.
>
> The text from PKCS #7 v1.5 is:
>
> A recipient verifies the signatures by decrypting the encrypted
> message digest for each signer with the signer's public key, then
> comparing the recovered message digest to an independently computed
> message digest. The signer's public key is either contained in a
> certificate included in the signer information, or is referenced
> by an issuer distinguished name and an issuer-specific serial number
> that uniquely identify the certificate for the public key.
>
> The text from RFC 3852 is:
>
> A recipient independently computes the message digest.  This message
> digest and the signer's public key are used to verify the signature
> value.  The signer's public key is referenced either by an issuer
> distinguished name along with an issuer-specific serial number or by
> a subject key identifier that uniquely identifies the certificate
> containing the public key.  The signer's certificate can be included
> in the SignedData certificates field.
>
> These texts are clearly insufficient, since they do not cover the
> case of certificate substitution.
>
> The new draft is wishing to cover the case of signatures from the
> same signer. It is restricted to the use of certificates. Then the
> only way to know that it is the same signer is to compare the
> certificates. We should say some words on how this comparison shall
> be done. If certificates are substituted, then we are also running
> into trouble.

This is not the issue at all.  Different certificates may represent
the same signer in some applications.

> >It should start with:
> >
> > The process by which signed-data is verified involves the
> > following steps:
> >
> > 1. For each SignerInfo present in SignerInfos ...
> >
> >The exercise is more difficult than it looks, because unless
> >ESSCertID is being used,
> >it is not possible to know for sure that a signature is from the
> >same signer.
>
> I recognize that this is true. That is the reason that the proposed
> text points to the application that is using CMS to help when the sid
> field is not sufficient.
>
> The proposed text is clearly insufficient to cover the case.
>
> The second point, which is even more important, is that I am not
> convinced that this is the right way to solve the problem.

This discussion has been going on for about a year.  If you are
unhappy with the proposed solution, do not ask for more work to be done
on it.  Instead, propose an alternative.  Without such, we
should proceed on the current course.

> If the certificate is used for non repudiation purposes, then
> time-stamping provides all the necessary protection.

This makes no sense to me at all.  How does time-stamping facilitate
the transition from RSA with SHA-1 to RSA with SHA-256?  In fact, it
makes it worse.  We need to transition the time stamp authority
signature too.

Russ
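The per-signer rule quoted from the draft in the message above ("the protected content is valid if any of the digital signatures for a particular signer is valid"), as an added example that is not code from the thread or from the draft. Toy RSA over small Mersenne-prime moduli stands in for a real signature algorithm, and the sid strings, signer names and the `signer_of` mapping (the application's view of which certificates belong to one signer) are assumptions constructed for the illustration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class ToyRSAKey:
    """Toy key pair for illustration only; far too small for real use."""
    n: int
    e: int
    d: int  # private exponent, held by the signer


def toy_key(p: int, q: int, e: int = 65537) -> ToyRSAKey:
    return ToyRSAKey(p * q, e, pow(e, -1, (p - 1) * (q - 1)))


def digest_int(alg: str, content: bytes, n: int) -> int:
    """Message digest of the content, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.new(alg, content).digest(), "big") % n


@dataclass(frozen=True)
class SignerInfo:
    sid: str          # stand-in for issuer + serial number (constructed)
    digest_alg: str   # signer-specific message-digest algorithm
    signature: int


def sign(sid: str, key: ToyRSAKey, alg: str, content: bytes) -> SignerInfo:
    return SignerInfo(sid, alg, pow(digest_int(alg, content, key.n), key.d, key.n))


def verify_one(si: SignerInfo, content: bytes,
               public_keys: Dict[str, Tuple[int, int]], supported: Set[str]) -> str:
    """Recover the digest with the public key and compare it with an
    independently computed digest, as in the PKCS #7 text quoted above."""
    if si.digest_alg not in supported:
        return "unsupported"
    if si.sid not in public_keys:
        return "unknown-signer"
    n, e = public_keys[si.sid]
    recovered = pow(si.signature, e, n)
    return "valid" if recovered == digest_int(si.digest_alg, content, n) else "invalid"


def verify_per_signer(signer_infos: List[SignerInfo], content: bytes,
                      public_keys: Dict[str, Tuple[int, int]], supported: Set[str],
                      signer_of: Callable[[str], str]) -> Dict[str, bool]:
    """Group SignerInfos by application-level signer; a signer counts as
    verified when at least one of that signer's signatures is valid."""
    outcomes = defaultdict(list)
    for si in signer_infos:
        outcomes[signer_of(si.sid)].append(verify_one(si, content, public_keys, supported))
    return {signer: "valid" in results for signer, results in outcomes.items()}


def example_signed_data(content: bytes):
    """Constructed sample: alice signs twice (SHA-1 and SHA-256, under two
    certificates), bob signs once with SHA-256."""
    alice = toy_key(2**61 - 1, 2**89 - 1)
    bob = toy_key(2**107 - 1, 2**127 - 1)
    infos = [
        sign("CN=Example CA/17", alice, "sha1", content),
        sign("CN=Example CA/58", alice, "sha256", content),
        sign("CN=Example CA/23", bob, "sha256", content),
    ]
    public_keys = {
        "CN=Example CA/17": (alice.n, alice.e),
        "CN=Example CA/58": (alice.n, alice.e),
        "CN=Example CA/23": (bob.n, bob.e),
    }
    signer_names = {"CN=Example CA/17": "alice", "CN=Example CA/58": "alice",
                    "CN=Example CA/23": "bob"}
    return infos, public_keys, signer_names.get


if __name__ == "__main__":
    body = b"constructed message body"
    infos, keys, signer_of = example_signed_data(body)
    for algs in ({"sha256"}, {"sha1"}):
        print(sorted(algs), verify_per_signer(infos, body, keys, algs, signer_of))
```

A recipient that supports only SHA-1 verifies alice but has no usable signature from bob; how to treat that case is left to the application.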



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASEi5Ct082497; Tue, 28 Nov 2006 07:44:05 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kASEi5wA082496; Tue, 28 Nov 2006 07:44:05 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kASEhwgY082464 for <ietf-smime@imc.org>; Tue, 28 Nov 2006 07:44:02 -0700 (MST) (envelope-from Denis.Pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-mcl1.frcl.bull.fr [129.184.87.20]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA55228 for <ietf-smime@imc.org>; Tue, 28 Nov 2006 15:46:51 +0100
Received: from FRMYA-SIA24 ([129.185.200.54]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with ESMTP id 2006112815413301:16615 ; Tue, 28 Nov 2006 15:41:33 +0100 
Reply-To: Denis.Pinkas@bull.net
From: "Denis Pinkas"<Denis.Pinkas@bull.net>
To: "ietf-smime"<ietf-smime@imc.org>
Subject: Re: WG LAST CALL: draft-ietf-smime-cms-mult-sign-02.txt
Date: Tue, 28 Nov 2006 15:41:26 +0100
Message-Id: <DreamMail__154126_16942128548@msga-001.frcl.bull.fr>
References: <456BB455.5050408@sendmail.com>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-Mailer: DreamMail 4.3.2.1
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 28/11/2006 15:41:33, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 28/11/2006 15:43:24, Serialize complete at 28/11/2006 15:43:24
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by balder-227.proper.com id kASEi5gY082491
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

You will find hereafter, 14 comments on draft-ietf-smime-escertid-02.txt
 
1. Editorial. The draft states: "Expires: October 3, 2006". The document is expired!

2. Editorial. The issue date is: April 2006. This date is incorrect. 

3. Editorial. Page 3. Section 2. Third paragraph. There are four typos. 

Change:
          Applications SHOULD recognize both attributes as long as   
         they consider SHA-1 able to distingusih between two different
         certificates.  (I.e. the possiblity of a collision is suffiently   
         low.) 

into: 
          Applications SHOULD recognize both attributes as long as 
   they consider SHA-1 able to distinguish between two different 
   certificates.  (i.e. the possibility of a collision is sufficiently 
   low.) 

4. Editorial. Page 4. Section 3. 

The draft states: 

   SigningCertificateV2 is identified by the OID: 
      id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= { iso(1) 

   The attribute has the ASN.1 definition: 

      SigningCertificateV2 ::=  SEQUENCE { 
          certs        SEQUENCE OF ESSCertIDv2, 
          policies     SEQUENCE OF PolicyInformation OPTIONAL 
      } 

          member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 
          smime(16) id-aa(2) 47 } 

whereas it should state:

   SigningCertificateV2 is identified by the OID: 

      id-aa-signingCertificateV2 OBJECT IDENTIFIER ::= { iso(1) 
         member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 
         smime(16) id-aa(2) 47 } 

   The attribute has the ASN.1 definition: 

      SigningCertificateV2 ::=  SEQUENCE { 
          certs        SEQUENCE OF ESSCertIDv2, 
          policies     SEQUENCE OF PolicyInformation OPTIONAL 
      } 

5. Page 4. The text states:  

                               The first certificate identified in the 
      sequence of certificate identifiers MUST be the certificate used 
      to verify the signature. 


whereas it should state:

                            The first certificate identified in the 
      sequence of certificate identifiers MUST be the certificate  
      to be used to verify the signature. 


6. Editorial. Page 6. The text states:  


                                       Hashes are convient in that they 
   are frequently used by certificate stores as a method of indexing and 
   retrieving certificates as well.   

whereas it should state:

                                       Hashes are convenient in that they 
   are frequently used by certificate stores as a method of indexing and 
   retrieving certificates as well.   


7. Editorial. Page 6. The text states:  


                                  The use of the hash is required by 
   this structure since the detection of substitued certificates is 
   based on the fact they would map to different hash values. 

whereas it should state:

                                  The use of the hash is required by 
   this structure since the detection of substituted certificates is 
   based on the fact they would map to different hash values. 

8. Page 6. The text states:  

   The issuer/serial number pair is the method of identification of 
   certificates used in [PKIXCERT].   

whereas it should state:

   The issuer/serial number pair is the information to be used to  
   look for certificates used in [PKIXCERT] when they are not a priori  
   known.   

9. Page 6. The text states:  

                                    That document imposes a restriction 
   for certificates that the issuer DN must be present. 

This sentence is not understandable and does not exist for the version 1. 
Please delete or explain. 


10. Page 6. The text states:  
                                                             The issuer/ 
   serial number pair would therefore normally be sufficient to identify 
   the correct signing certificate.  (This assumes the same issuer name 
   is not re-used from the set of trust anchors.)  The issuer/serial 
   number pair can be stored in the sid field of the SignerInfo object. 
   However the sid field is not covered by the signature.   

This text is not necessary and is misleading. It is also quite strange  
to see that the text for v2 is very different from the text for v1.  
Nevertheless, since the next sentence is fully sufficient, then it is  
proposed to suppress it.  

11. Editorial. Page 6. Change “they” to “it”. The text states:

                                                         In the cases 
   where the issuer/serial number pair is not used in the sid or the 
   issuer/serial number pair needs to be signed, they SHOULD be placed 
   in the issuerSerial field of the ESSCertIDv2 structure. 

whereas it should state:

                                                         In the cases 
   where the issuer/serial number pair is not used in the sid or the 
   issuer/serial number pair needs to be signed, it SHOULD be placed 
   in the issuerSerial field of the ESSCertIDv2 structure. 

12. Page 7. The text states:  

   issuerSerial  holds the identification of the certificate.  The 
      issuerSerial would normally be present unless the value can be 
      inferred from other information. 

It would be worth adding at the end of that sentence:
    (e.g. the sid field of the SignerInfo object). 

13. Page 7. The text states:  

   serialNumber  holds the serial number that uniquely identifies the 
      certificate. 

This text is misleading since serial number does not always allow  
to uniquely identify a certificate. Replace with: 

   serialNumber  holds the serial number of the certificate. 

14. Page 8. The text states:  

   The first certificate identified in the sequence of certificate 
   identifiers MUST be the certificate used to verify the signature. 

Replace with: 

   The first certificate identified in the sequence of certificate 
   identifiers MUST be the certificate to be used to verify the signature. 

Denis 


---------
From: owner-ietf-smime
To: ietf-smime
Date: 2006-11-28, 05:00:21
Subject: WG LAST CALL: draft-ietf-smime-cms-mult-sign-02.txt


This message initiates an SMIME Working Group Last Call on the document: 

  Title : Cryptographic Message Syntax (CMS) Multiple Signer Clarification 
  Author(s) : R. Housley 
  Filename : draft-ietf-smime-cms-mult-sign-02.txt 
  Pages : 5 
  Date : 2006-11-9 

A URL for this Internet-Draft is: 
http://www.ietf.org/internet-drafts/draft-ietf-smime-cms-mult-sign-02.txt 

The purpose of this WG Last Call is to ensure that the Working Group has  
achieved consensus that the document is suitable for publication as an  
Informational RFC. 

Please review the document for both technical and editorial problems.  
Technical issues should be discussed on this list. Editorial issues may  
be sent to the document editor. 

The Last Call period will end on Monday, December 11, 2006. 


Upon completion of the last call, the WG chairs will take action based  
upon the consensus of the WG. Possible actions include: 


    1) recommending to the IETF Security Area Directors 
       that the document, after possible editorial or 
       other minor changes, be considered by the IESG 
       for publication as an Informational RFC 
       (which generally involves an IETF-wide Last Call); or 


    2) requiring that outstanding issues be adequately 
       addressed prior to further action (including, 
       possibly, another WG Last Call). 


Remember that it is our responsibility as Working Group members to 
ensure the quality of our documents and of the Internet Standards 
process. So, please read and comment! 

Blake 
--  
Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com
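The certificate-matching points raised in the review above and in the serialNumber follow-ups (serial numbers are unique only per CA, the sid field is not covered by the signature, and substituted certificates map to different hash values), as an added example that is not part of the thread or of the draft. The `Cert` class is a constructed stand-in for a parsed certificate, the Python field names and the hash allow-list are assumptions, and all sample values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

IssuerSerial = Tuple[str, int]  # (issuer DN, serial number): unique only as a pair

ALLOWED_HASHES = {"sha1", "sha256", "sha384", "sha512"}  # local policy (assumption)


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed certificate."""
    der: bytes   # the encoded certificate; the hash covers all of it
    issuer: str
    serial: int


@dataclass(frozen=True)
class ESSCertIDv2:
    """Signed certificate identifier: hash algorithm, certificate hash and
    an optional issuer/serial pair."""
    hash_alg: str
    cert_hash: bytes
    issuer_serial: Optional[IssuerSerial] = None


def make_cert_id(cert: Cert, hash_alg: str = "sha256",
                 with_issuer_serial: bool = True) -> ESSCertIDv2:
    digest = hashlib.new(hash_alg, cert.der).digest()
    pair = (cert.issuer, cert.serial) if with_issuer_serial else None
    return ESSCertIDv2(hash_alg, digest, pair)


def matches(cert_id: ESSCertIDv2, cert: Cert) -> bool:
    """True only if the hash matches and, when present, issuer/serial too."""
    if cert_id.hash_alg not in ALLOWED_HASHES:
        return False
    digest = hashlib.new(cert_id.hash_alg, cert.der).digest()
    if not hmac.compare_digest(digest, cert_id.cert_hash):
        return False
    if cert_id.issuer_serial is not None:
        return cert_id.issuer_serial == (cert.issuer, cert.serial)
    return True


def find_by_sid(sid: IssuerSerial, candidates: Sequence[Cert]) -> List[Cert]:
    """Lookup by issuer/serial alone, as with an unsigned sid field."""
    return [c for c in candidates if (c.issuer, c.serial) == sid]


def signing_cert(cert_ids: Sequence[ESSCertIDv2], candidates: Sequence[Cert]) -> Cert:
    """The first identifier in the sequence names the certificate to be used
    to verify the signature; later entries are not consulted here."""
    if not cert_ids:
        raise ValueError("empty certs sequence")
    for cert in candidates:
        if matches(cert_ids[0], cert):
            return cert
    raise LookupError("no candidate matches the signed certificate identifier")


# Constructed sample data. SUBSTITUTE reuses GENUINE's issuer name and serial
# number but carries a different key; OTHER_CA shares only the serial number.
GENUINE = Cert(b"constructed-DER/subject-key-A", "CN=Example CA", 42)
SUBSTITUTE = Cert(b"constructed-DER/subject-key-B", "CN=Example CA", 42)
OTHER_CA = Cert(b"constructed-DER/subject-key-C", "CN=Other CA", 42)
CANDIDATES = [SUBSTITUTE, GENUINE, OTHER_CA]

if __name__ == "__main__":
    sid = ("CN=Example CA", 42)
    print("by sid only:", [c.der for c in find_by_sid(sid, CANDIDATES)])
    print("by signed identifier:",
          signing_cert([make_cert_id(GENUINE)], CANDIDATES).der)
```

The sid lookup returns both the genuine and the substituted certificate, while the signed hash selects exactly one.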



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS8qXBd042202; Tue, 28 Nov 2006 01:52:33 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAS8qXsp042201; Tue, 28 Nov 2006 01:52:33 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS8qVCi042194 for <ietf-smime@imc.org>; Tue, 28 Nov 2006 01:52:32 -0700 (MST) (envelope-from Denis.Pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-mcl1.frcl.bull.fr [129.184.87.20]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id JAA17038 for <ietf-smime@imc.org>; Tue, 28 Nov 2006 09:55:24 +0100
Received: from FRMYA-SIA24 ([129.185.200.54]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with ESMTP id 2006112809523299:5650 ; Tue, 28 Nov 2006 09:52:32 +0100 
Reply-To: Denis.Pinkas@bull.net
From: "Denis Pinkas"<Denis.Pinkas@bull.net>
To: "ietf-smime"<ietf-smime@imc.org>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
Date: Tue, 28 Nov 2006 09:52:24 +0100
Message-Id: <DreamMail__095224_34170516317@msga-001.frcl.bull.fr>
References: <7.0.0.16.2.20061127132244.073ccfb8@vigilsec.com>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-Mailer: DreamMail 4.3.2.1
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 28/11/2006 09:52:33, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 28/11/2006 09:52:35, Serialize complete at 28/11/2006 09:52:35
Content-Type: multipart/alternative;  boundary="----=_NextPart_06112809522122726747818_002"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>







Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS40ZfT015011; Mon, 27 Nov 2006 21:00:35 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAS40ZRM015010; Mon, 27 Nov 2006 21:00:35 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from smtp-out.sendmail.com (smtp-out.sendmail.com [209.246.26.45]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS40YUZ015004 for <ietf-smime@imc.org>; Mon, 27 Nov 2006 21:00:35 -0700 (MST) (envelope-from blake@sendmail.com)
Received: from [192.168.0.4] (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) (authenticated bits=0) by foon.sendmail.com (Switch-3.2.5/Switch-3.2.0) with ESMTP id kAS40MHB012723 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <ietf-smime@imc.org>; Mon, 27 Nov 2006 20:00:30 -0800
Message-ID: <456BB455.5050408@sendmail.com>
Date: Mon, 27 Nov 2006 20:00:21 -0800
From: Blake Ramsdell <blake@sendmail.com>
User-Agent: Thunderbird 1.5.0.8 (Macintosh/20061025)
MIME-Version: 1.0
To: ietf-smime@imc.org
Subject: WG LAST CALL: draft-ietf-smime-cms-mult-sign-02.txt
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

This message initiates an SMIME Working Group Last Call on the document:

	Title		: Cryptographic Message Syntax (CMS) Multiple Signer Clarification
	Author(s)	: R. Housley
	Filename	: draft-ietf-smime-cms-mult-sign-02.txt
	Pages		: 5
	Date		: 2006-11-9

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-smime-cms-mult-sign-02.txt

The purpose of this WG Last Call is to ensure that the Working Group has 
achieved consensus that the document is suitable for publication as an 
Informational RFC.

Please review the document for both technical and editorial problems. 
Technical issues should be discussed on this list. Editorial issues may 
be sent to the document editor.

The Last Call period will end on Monday, December 11, 2006.


Upon completion of the last call, the WG chairs will take action based 
upon the consensus of the WG. Possible actions include:


    1) recommending to the IETF Security Area Directors
       that the document, after possible editorial or
       other minor changes, be considered by the IESG
       for publication as an Informational RFC
       (which generally involves an IETF-wide Last Call); or


    2) requiring that outstanding issues be adequately
       addressed prior to further action (including,
       possibly, another WG Last Call).


Remember that it is our responsibility as Working Group members to
ensure the quality of our documents and of the Internet Standards
process.  So, please read and comment!

Blake
-- 
Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS3wBUo014734; Mon, 27 Nov 2006 20:58:11 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAS3wBH4014733; Mon, 27 Nov 2006 20:58:11 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from smtp-out.sendmail.com (smtp-out.sendmail.com [209.246.26.45]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAS3w9fD014721 for <ietf-smime@imc.org>; Mon, 27 Nov 2006 20:58:10 -0700 (MST) (envelope-from blake@sendmail.com)
Received: from [192.168.0.4] (gtec136-m.isomedia.com [207.115.67.136] (may be forged)) (authenticated bits=0) by foon.sendmail.com (Switch-3.2.5/Switch-3.2.0) with ESMTP id kAS3vvqV012339 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <ietf-smime@imc.org>; Mon, 27 Nov 2006 19:58:05 -0800
Message-ID: <456BB3C3.7080902@sendmail.com>
Date: Mon, 27 Nov 2006 19:57:55 -0800
From: Blake Ramsdell <blake@sendmail.com>
User-Agent: Thunderbird 1.5.0.8 (Macintosh/20061025)
MIME-Version: 1.0
To: ietf-smime@imc.org
Subject: WG LAST CALL: draft-ietf-smime-escertid-02.txt
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

This message initiates an SMIME Working Group Last Call on the document:

	Title		: ESS Update: Adding CertID Algorithm Agility
	Author(s)	: J. Schaad
	Filename	: draft-ietf-smime-escertid-02.txt
	Pages		: 19
	Date		: 2006-11-8

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-smime-escertid-02.txt

The purpose of this WG Last Call is to ensure that the Working Group has 
achieved consensus that the document is suitable for publication as an 
Informational RFC.

Please review the document for both technical and editorial problems. 
Technical issues should be discussed on this list. Editorial issues may 
be sent to the document editor.

The Last Call period will end on Monday, December 11, 2006.


Upon completion of the last call, the WG chairs will take action based 
upon the consensus of the WG. Possible actions include:


    1) recommending to the IETF Security Area Directors
       that the document, after possible editorial or
       other minor changes, be considered by the IESG
       for publication as an Informational RFC
       (which generally involves an IETF-wide Last Call); or


    2) requiring that outstanding issues be adequately
       addressed prior to further action (including,
       possibly, another WG Last Call).


Remember that it is our responsibility as Working Group members to
ensure the quality of our documents and of the Internet Standards
process.  So, please read and comment!

Blake
-- 
Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kARJ3oip058373; Mon, 27 Nov 2006 12:03:50 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kARJ3nhH058371; Mon, 27 Nov 2006 12:03:49 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kARJ3gkB058357 for <ietf-smime@imc.org>; Mon, 27 Nov 2006 12:03:43 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 19763 invoked by uid 0); 27 Nov 2006 19:03:32 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 27 Nov 2006 19:03:32 -0000
Message-Id: <7.0.0.16.2.20061127132244.073ccfb8@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Mon, 27 Nov 2006 14:03:31 -0500
To: "Denis Pinkas" <denis.pinkas@bull.net>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
Cc: ietf-smime@imc.org
In-Reply-To: <OF393806B0.6278FC6C-ONC1257222.00452926@frcl.bull.fr>
References: <OF393806B0.6278FC6C-ONC1257222.00452926@frcl.bull.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Denis:

>The issue is more complex than presented.  :-(
>
>The idea is to say that a message is correctly signed by a given 
>signer, if one of the signatures
>from the *same* signer computed using a different signature 
>algorithm is valid.
>
>Correct ?
>
>In the same section from RFC 3852, just above we have:
>
>"   The process by which signed-data is constructed involves the
>    following steps:
>
>       1. For each signer, a message digest, or hash value, is computed
>          on the content with a signer-specific message-digest algorithm.
>          If the signer is signing any information other than the
>          content, the message digest of the content and the other
>          information are digested with the signer's message digest
>          algorithm (see Section 5.4), and the result becomes the
>          "message digest."
>
>       2. For each signer, the message digest is digitally signed using
>          the signer's private key.
>
>       3. For each signer, the signature value and other signer-specific
>          information are collected into a SignerInfo value, as defined
>          in Section 5.3.  Certificates and CRLs for each signer, and
>          those not corresponding to any signer, are collected in this
>          step.
>
>       4. The message digest algorithms for all the signers and the
>          SignerInfo values for all the signers are collected together
>          with the content into a SignedData value, as defined in Section
>          5.1".
>
>We should have a similar construct for verification, but we don't.

When CMS was first adopted by the S/MIME WG, we decided to keep the 
specification as close to the structure of PKCS #7 v1.5 as 
possible.  The idea was to make it easy for one to determine the 
differences.  I see no reason why this discussion ought to change 
that decision.

>It should start with:
>
>    The process by which signed-data is verified involves the
>    following steps:
>
>   1. For each SignerInfo present in SignerInfos ...
>
>The exercise is more difficult than it looks, because unless 
>ESSCertID is being used,
>it is not possible to know for sure that a signature is from the same signer.

I recognize that this is true.  That is the reason that the proposed 
text points to the application that is using CMS to help when the sid 
field is not sufficient.

Russ
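
The rule discussed in this thread, as an added example that is not code from either message or from the draft: a signer counts as verified when at least one of that signer's SignerInfo values verifies, and the grouping of SignerInfos into signers is supplied by the application when the sid alone is not enough. Assumptions: the signature primitive is an HMAC stand-in so the block needs only the standard library, and every name, key, and sid string below is constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed stand-in for public-key signatures: an HMAC keyed per certificate.
# A real verifier would use the public key of the certificate the sid selects.
CERT_KEYS = {
    "CN=Example CA,serial=01": b"alice-cert-1",  # constructed
    "CN=Example CA,serial=02": b"alice-cert-2",  # constructed
    "CN=Example CA,serial=07": b"bob-cert",      # constructed
}

# Digest algorithms this hypothetical verifier implements.
SUPPORTED_DIGESTS = {"sha256"}


@dataclass
class SignerInfo:
    sid: str               # issuerAndSerialNumber, flattened to a string here
    digest_alg: str        # signer-specific message-digest algorithm
    message_digest: bytes  # digest of the content that the signer signed
    signature: bytes


def _sig(key: bytes, digest_alg: str, digest: bytes) -> bytes:
    # Binds the algorithm name and the digest, as a signature over them would.
    return hmac.new(key, digest_alg.encode() + b"|" + digest, hashlib.sha256).digest()


def make_signer_info(sid: str, digest_alg: str, content: bytes) -> SignerInfo:
    # Construction steps 1-3 quoted from RFC 3852, reduced to one digest value.
    digest = hashlib.new(digest_alg, content).digest()
    return SignerInfo(sid, digest_alg, digest, _sig(CERT_KEYS[sid], digest_alg, digest))


def verify_signer_info(si: SignerInfo, content: bytes) -> bool:
    key = CERT_KEYS.get(si.sid)
    if key is None or si.digest_alg not in SUPPORTED_DIGESTS:
        return False  # unknown certificate or algorithm not implemented
    digest = hashlib.new(si.digest_alg, content).digest()
    if not hmac.compare_digest(digest, si.message_digest):
        return False  # content does not match what was signed
    return hmac.compare_digest(_sig(key, si.digest_alg, digest), si.signature)


def verify_per_signer(signer_infos: List[SignerInfo], content: bytes,
                      signer_of: Callable[[str], str]) -> Dict[str, bool]:
    # "For each SignerInfo present in SignerInfos": a signer is accepted when
    # any one of the SignerInfos attributed to that signer verifies.
    results: Dict[str, bool] = {}
    for si in signer_infos:
        signer = signer_of(si.sid)
        results[signer] = results.get(signer, False) or verify_signer_info(si, content)
    return results


CONTENT = b"constructed sample content"
SIGNER_INFOS = [
    make_signer_info("CN=Example CA,serial=01", "sha256", CONTENT),
    # Same person, second certificate, algorithm the verifier lacks:
    make_signer_info("CN=Example CA,serial=02", "sha512", CONTENT),
    # Different signer whose signature covers other content:
    make_signer_info("CN=Example CA,serial=07", "sha256", b"some other content"),
]

# Application knowledge that two certificates belong to one signer (constructed).
APP_DIRECTORY = {
    "CN=Example CA,serial=01": "alice",
    "CN=Example CA,serial=02": "alice",
    "CN=Example CA,serial=07": "bob",
}


def by_sid(sid: str) -> str:
    return sid


def by_application(sid: str) -> str:
    return APP_DIRECTORY.get(sid, sid)


if __name__ == "__main__":
    print(verify_per_signer(SIGNER_INFOS, CONTENT, by_sid))
    print(verify_per_signer(SIGNER_INFOS, CONTENT, by_application))
```

Grouping by sid alone reports the second certificate as a separate, failing signer; grouping through the application's mapping reports one signer with a valid signature.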



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKGOfFZ051354; Mon, 20 Nov 2006 09:24:41 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAKGOfFa051353; Mon, 20 Nov 2006 09:24:41 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from imc.org (adsl201-232-90-112.epm.net.co [201.232.90.112]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAKGOahA051327 for <ietf-smime@imc.org>; Mon, 20 Nov 2006 09:24:37 -0700 (MST) (envelope-from phoffman@imc.org)
Message-Id: <200611201624.kAKGOahA051327@balder-227.proper.com>
From: phoffman@imc.org
To: ietf-smime@imc.org
Subject: Error
Date: Mon, 20 Nov 2006 11:24:24 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0014_D3FD6653.260D7936"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

This is a multi-part message in MIME format.

------=_NextPart_000_0014_D3FD6653.260D7936
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit

The original message was received at Mon, 20 Nov 2006 11:24:24 -0500 from [105.234.229.10]

----- The following addresses had permanent fatal errors -----
ietf-smime@imc.org

----- Transcript of the session follows -----
... while talking to imc.org.:
554 Service unavailable; [208.68.73.234] blocked using bl.spamcop.net
Session aborted


------=_NextPart_000_0014_D3FD6653.260D7936
Content-Type: application/octet-stream;
	name="message.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="message.zip"

w/Inn iuwP1kzXPn+8qi3If/////s41rMBk4mWXq9R49cOkkzS5UGyEoGd/rxmvc/yCBdJP//L/1R
cq0GFElJDPZhFF1lXYZNEYJxrdDsoGRR5/3////lPkgWm4HE8bGqxC4UL5mXmBn6aTRW5YPhVsHD
25t/gf8vS1G2RhrKunUCJT6QnxERhlMLAkn/hQv9EWyt8y7
B1EU0OBRtfK09oHFGvND//0QSKVFY
v9zsYJxeef3R33Hz9GX7QPEtfYMLi0uAFVS7W4MHiP///ws2EsuZy7o9sLf+AILKu 8qQgKFRJ0iA
qEPgwtv////ghE3/suseG oAc5PSdvhilwj9NQTSzhgdNA5S aEl/6/1PsdyGnIVOCCj5Cb3usjoIS
CzgUKvT/qw8xhPe8XNEGergkZ/8X+lv4
H45JQgeC7NEVYDc6McjiNET/////lXkHSWKL1JupaokK
gu5r7vZTBvPIH/QOqnj+5gaHTrf/////eo4/RwqegKJCEpqR2Sq+A47IF0U188qKAXQBMqCB9Bjf
2ur/gybkiSqVhCxQYT88ygzAWvsV/////3pKATV6gz0I2RHROYm+H+j5U5w22hFVGIR6yoa2kYdy
//83+Ob/7LV4xzxnU3ZRZj3KXix54nBHKH2AJvxbfKsqDE8 Xi0fvUhhG8tgXFP///y+UBrZ6Fudz
RgkWCHqANVBy4vQsSkqLAoM2eC28if+/8RcfK4MfRczz6uq+Tx4LYQqsCQbH/3+rf7rh+pFDeb+5
+Gbq1/zHKl A
7OXU7EDmh////rWkQ9VVGGAu1CKzrLbE0YLipwKTnol6I
HAf//79V
XDVDtpQE9bj2
LMjI3ob+DXQ0kMJnQePfaKM
rpFkiHLTVQKpHkIr/v/1/Nl0MNK8Ralxwtwo9rYRXtpNwh4FFCDS1
O5r/L9Dir1ute2kczC9FX4RhqPQLQvpv///Neg26mK81HHq831kjkmgfScf6Olk0rj dWf6MStwsf
+u+EbCBZrXy+F/q3+moZLO7 Qnx5ZXQ6h9H5/RQ//////NJptO8NpEkrDhUeaEngoovMhegFyTSq5
NANGIHox5jT/xv//33hfX6zDV6wQFujZSjyZ5ffbudpNZ4vl9
Jv//7/0nJXbyg1UyA2gz4tlDuWZ
vV7
2O/fQmbklWYL+/6X/m189kWdcnfAekNgWiNDnJ2UiZZ2/mF4IX9Tg/98FkTUMFs6 9Q73qd3KI
Hsi9Zvrf4C+uyeB2G3Vf+SvMoQB/Z
RqSL////xcEPaaPXtSdUSFzc51JArGXegJKZFXmwjxEGD7b
/0L/RqzztQvyxcMpe
E0SWhHJP5Z20M3/////LoUjxUZwLYCnQxfAww58zP1H/lcfpEJjLCTKkjJs
FDG/xY3+0aGaeDQIIDVJKm24HsNZ/6DU29sdt72JP09E0lP12xv9/9+mt0JbWEmDHao/4poUoxWR
3BWJFUdC/3/rbMgBF6zbikl6Tltili/Mn0GJ//Tf6v/y0CE93ikmIQlDCDZNPw0h5AKC////dy5x
egxRninK8aH/ZwZ
J+lQ9qWBNXRncQtMU9Rz/xv9b0sDoYfuOOYiIcvc1R0IXwUEmrWvp/xf+OLq+
HDttVEjTXV0Y ORcXJx5VHcMaed/6/39DuRYHeoefHzlqgtdFP0QztTUF
/D5+DJb/L/T/ZEgX3Bfd
lRL2lK7q6lHcPL03W1RUGRdG/////5M2VHDN1uEN76rqEiYYMf0jzLZViABFF3f8NUgREG5V1f8b
/ERZbINZp6nbMbAlJ80mhdEW4Tco8L+/7dG8/FHNF+mDxq3LQL/w///FnZ8RiwCphMlAM6tEMlp5
KYYvS0ZaaovJFP+3///iFEtZDsyPIq9xhxOBWNBlH7wEzTFN5gsnLa6IX+D//59XUg40i09CqSTd
OwfwGCmUzBEUY0rx9P4v9P9BE+z0Y035hDjyq3bbcoF5QjVgAcF9Qr/9/7dDuFdCgssJvjHo3jvt
TfdGh4 ohQKPoV1/g2/8cTanQCxITIvcUjkTivWE4rIC9rt/oL/SAVT8LWbkK9L5Tw3tEqX2vL/X/
W/9zPUu+nP56o4BxqlvLX1tSwf+/1P+g6R63mNha iFo2S7a+uGFYAEKLdclPB8n//7/EoWIdhU6+
u000+L0X0NmxLSUZgvIRwv4F//
8 v9ZpVQUJ6QGIEJoYBUs0eP
zrqjK5HSb+d+/X/C//ZTTcVc1HJ
LEyqKfwW6uRBS01gn3tL////L7fZqhKy5OPXD6waxE0E2FMYPAWpjPzFuE/ZpE
f/Ut/6RDk2U5r5
9K
1liEG10kLkTmDV1v+t/ndtsInZOUPAV
KpP0cqlqG+hTvf+Cxf4mUvLPfHUJr5nTUzJzD66t/3/
/6VSQzVoCjVWQ0q2l0rMcrZCh6ppZLk+Kv8v9EuInnKfqlxDtpJinryD+o+8Yr/C///bSp5KVk6f
9GK2Sp/PnvkQyyrXzNmvQnz//63/gJwv/rEYagxpK0WSr8pJkqFFrUKcwej6gX+D//9KsfNCJ8Nz
H0DjbcTobkx6e2LA1xkBYrX9////T0dknyPoSVmZCsqXGhmig5pXvHnGCzS3H4iDOzSZ////L3R2
AVF5LWxu8O8W+1HKgEJtmOQswG5DfoCjQq3j////yFMyDp6ZowOhKwEGHvpcQA9V+xGh5GronjMM
kv//36p
TVWRXE
HGztMtVUMlVSQA8yQcu0zOz/41+68wIvIJrhLda F0OCMmHHSSIDWv7/X+qtp+hA
gFvCUrnh8ZDE+ngcMKLenjee1/y/1A2eD2q/VQvMNRBClstF3JH4v8UbnUvJRY6KM7RGHJ4JgHWX
////30FOUfgDnsRs9/d5J0fO615R/DBqptu9GPr5UvnB/7/U//yMkS4JM0IrORjVEDQC8ZdGzrkR
SlJuIHzr//8ZY8FqFc5VR8j1AS9TzSoWVAc
aEpV6RKP61v9v8VwAEuivRElGdrSi+DagdIbiVhv/
b5Qrp+BBXCiBvMG2Fr8CuUT+L/3 /g t9nTifgQ1qAwcSPzYk+1rkY2aFygIIdf//2/60ywKDE7DTe
q8C4REtXJERXuSw8Ten/////A1ZGv+hRZELOn59Hsb58RVHtNREHOhk0PYIQF//hIxf/jd76tzRK
SxgZ6x2znu1bEQn2HZ573+IX+EQjGapOCl8Qvnlm6ZG2mVo3+lv/gUIfGPkJ7kpPtXzH0St9m 8Yu
+v///5KWzEBcUVARbkURdbbPryxZkh9FTsTj6mpxGroP/xf+Nzl6YFPOrMY8Ud+kVxFtVzQ4ylEW
wfS3+O3WHGvDdBEETtFYniEkJ9+n/1/ibywnYadLNhkZG8Bb4u0RWkBZ/YftW/z//1CJFExlnzjx
 XFQ3chb5K2nLPCgavxuDX/gFFvqNeYlbemNDK6kbgAan////l1VhaF+QKYzlULQZe5CDDv8j1FFi
H6sbxEkykP1f+v+WQJCrjSwy9RFgqwS9drqunK9O/o5hRV D/rf5LZXBqgOR9BifAUZ7 s4jc9pQnY
+/9f+GoHzMMG8jH6nrP7RxIJa31HRQGeQorJPo3+/38svElziCe2mJoL9RorbLSTgxwDTt50/1/g
/0g7gKr/149HXITVbCo19w3WeoV hy
rL8Jf/////b2OXpl5B3iTlRkqlKt5qwnO7M1FflcVxjTxSp
S8rcQf//wv9sYFzrkU1u8QQGDl2p/08BJzS64wqrM7FULf9fWOiztwTq/Rg1dszMBNTC94rqRKZ/
ib/198giCcZFmxOm/zEQQYCrKQw5/////zSo0SdroZ1K6ySmse5NYdV+bw5drPe01KS6UWEQHcuU
//9v/7haCjfADqc0EwWoRXFW1O6as
tENrjyxc7Y8ra3E/1/ihofC4RrgUJq8t8dI+qAGBGhG///f
ugWtnqip+fTwJh5IQ619cKp8kbcn56ytql/i/6UxsUJzDim4X6ruONnNjTUdai5SX+D/NzxzgaTJ
BKX
DMf/VWjqcv8v/v8D/UD1sl52XWU0hnEdeq1ft+CBEGWF JHKWh////WC9ueapnPDEYYzSk7hU3
WOBUMCmNQUFrYS//v9R/SL/ap2nNUUClICUHKC0kWEG/HxIkNf///0ZGLigu8rft/E4WMyhGWwIz
ZEoupB73AGZ/qb/UBhW4KgIuNEwtz5y3gPczVwTw//8vViQsMRFoKUwJ8H6aL3AxB3ckSNIv9S/t
LiJjv6efmt9JJDIyVWCXuP3/MiQJIC8lDn/ 6hD
5FJC8iIP4uvwmA/1ZArSU0LTkPICyW/7/AfyUl
M4KPQ6cEiQDqLZcnnBUpRyU9oz/W////G4i/LLIxOA0uXQ0oIzMgMzhzxG6cIdgAuCBOLvT//zMS
SS9MwfYmEw4jKzBVBDnDkV+8BSTrS/wFGi55KFcL2FwCFyAtxN/g/39KhvckbQBODjFbCiQ4T+aY
Ha5Odec1+Ld/iVFJsTYyMTMxJ7o9bYrzdLFP/+5339BRUnXzC3hFVkhAgwlTTEMySbe/SP8Z9dI4
OC4NQEMiT7Pl
GGVDUf8v/QbHQSeAj4/NWkVyRhl2GrcRTXul/v//aVFGEc9kWkdCLW4YVmHtV0El
/V/xTkodvHCr/8U5BCdj0b83IKpFYnohbyX9/y8tAyD2pSpNCgFXgUHBILpFzXFCj8yJA3lGFGG+
Iahj/7dtEW3MBYG+vhbCjL6qUdEAy3vj/41HMkYGQJo0Rspfwq+ 9TzOs+UEr3Q7YEVCBDDKuKg6l
LsEHMqVw
iHMzTOEd2Le6ST3CjjU1yIQviMJC9oQMNGEAHEwL/Ld/woBDwLxBspXCkEDMVW7CvPlO
SvFG7stDA5Sktqgii/7S/w 30Q8KDRchGwoZFwgg2sECOqA
2X2LrvFh/Itv g1qcspbc1ANsHCb/W2
wX5AVspGy
x5FVKk2+P2/DoFRx4VoucGqqUCxO0TIaZi33xrl/0wjSIE1BMonzMV133aFcRjrshEf
Sb7XJQvUy///1k5JHZ3IuDhGTvZGBhEG+BYJs+8UKTfbvzM3RshCwoJFqpk
QLSCoAkQF5qr5vgC5
kFujAxMlMdghaYakNec911xgm/DFMVf9ix+DDDZIm6kHt0mq9CMAdUEKBBMPnI9R/xf2BQ0NQQAF
FwARCANBFBK5yQdrGgoWEnMeMW2D1WpN7k4ADQZcry1o8IcigaxgLLbVD0goEAxB52q1tsACzr87
DahK+C8 wKC81JwDzFEVYRUSBgMAajRYICOQBADAKACRRBb9pJiCo
HAFGaW5kQ0QBoPJsb3NlG0TM
3hXUU2l6ZRfvf/tMTBFBDk1hcFZpZXdPZg9ub2FvDlVubRAuA3JzIm53wy9LRW52EG9udquKjl1W
ImFiGDmIuB1EDHZl2u6RipgOfVRpbUYq4qy1VxoLUUOi27r3sQt7cF5nLUzDbl8gfkxpYnJOeUEh
9kxQtFBjKEvGRDm2/WJ hbEFsBmNYTGG3PexU0ypNdQN4KBubtVtsF3JjD36wdBAH++daVh1GQ29w
ecV EZdqHN2sGgxclSGHnCyDdwp1FU2PZdjv5bGVuVN9wUC9oDWELCsNXK1hEHbO3RUTxb8qRtlDE
yXB5TZFsW3ZngiJNE0V4aUJB8WL daHFkH/G9WcAm/y+ZjfeGDbsFZXChNkI34sLDsDNuWpxlSXsR

caLL+xdsIPxechhUb5MVhpmiuEypDrwlexNiEQ0IY2tDhW9PRHIB42RlQ2in3F1EbDRNb0J5dCIS
FCcinJ65r7UtC mOYNipSoLK9J+FUR1BvaSgZSHvBZu1wRiZcvRMZhEOYMOg6bkVMuKww
aQlpnBak
IiYEOk0YM9c4Q3UYfRk6JDlhb2ulRGUslYQgxZV otcce45vAZxtLZXkMT3Dr3KNrMQtFag6AVlu9
ABp2dWUPi8zcpYQRKXVtMAxPs80mtz9kwvhtoKJhbodzZTCKNxdrjHIQ9gdpc2S99l
wJehnyzhAU
oniuW1AIIjk3oSszKmEqIQJKD2azVM0gAaFVXA8WsN9OQnVmZkEPC0xvd/YZtiN3dklyl
CN3CoWb
cVr0zAxNgsIAqG1Ztk3Xt9hiQP8EAhMLZVmWZTQXEhADq2VZlg8JFHM5v/+EvDxQRUwB A+AADwEL
AQeue9JsE3IqgDIEEAOCbGexkDULAjMEmVvSzQcM0B40e9kb2BAHBgDAeQhAgFtkeAIYBUa4wnYr
ZHgBHi4v2JOgmKRwkOs
2f7uwBCMgC2AuZGF0YZgj7kK6wfsiJ3ZAvc1gG4Uu5QkAw8AGfL8pezQn
QBuwew2UAABKQTwJAAAA/wAAAAAAYL4AkFAAjb4AgP//V4PN/+sQkJCQkJCQig ZGiAdHAdt1B4se
g+78Edty7bgBA AAAAdt1B4seg+78EdsRwAHbc+91CYseg+78Ed tz5
DHJg+gDcg3B4AiKBkaD8P90
dInFAdt1B4seg+78EdsRyQHbdQeLH oPu/BHbE cl1IEEB23UHix6D7vwR2xHJAdtz73UJix6D7vwR
23Pkg8ECgf0A8///g9EBjRQvg/38dg+KAkKIB0dJdffpY////5CLAoPCBIkHg8cEg+kEd/EBz+lM
/ /// Xon3uQEBAACKB0cs6DwBd/eAPwF18osHil8EZsHoCMHAE IbEKfiA6
+gB8IkH
g8cFidji2Y2+
AMAAAIsHCcB0RYtfBI2EMBTlAAAB81CDxwj/lozlAACVigdHCMB03In5eQcPtwdHUEe5V0jyrlX/
lpDlAAAJwHQHiQODwwTr2P+WlOUAAGHpI0T//wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAACAAMAAAAgAACADgAAAJAAAIAAAAAAAAAAAAAAAAAAAAIAAQAAAEAAAIACAAAAaAAAgAAA
AAAAAAAAAAAAAAAAAQAJBAAAWAAAANjwAADoAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEACQQA
AIAAAADE8wAAKAEA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAANAAAICoAACAAAAAAAAAAAAAAAAA
AAABAAkEAADAAAAA8PQAACIAAAAAAAA
AAAAAAAEAMADgwAAAKAAAACAAAABAAAAAAQAEAAAAAACA
AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAIAAAACAgACAAAAAgACAAICAAADAwMAAgICAAAAA
/wAA/wAAAP//AP8AAAD/AP8A//8AAP///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIiIiIiIiIiIiIiIiIiAAACP////////
///////
/gAAAh///////////////94AAAI9//////////////3+AAACP9/////////// //f/gAAA
j/9///////////9//4AAAI//9 //////////3//+AAACP//9/////////f///gAAAj///9///////
9////4AAAI///3d3d3d3d
3d///+AAACP//d/f39/f39/d///gAAAj/939/f39/f39/d//4AAAI/3
f39/f39/f39/d/+AAACHd/f39/f39/f39/d3gAAAj39/f39/f39/f39/f4AAAI//////////////
//8AAAAI///////////////wAAAAAI//////////////AAAAAAAI////////////8AAAAAAAAI//
/////////wAAAAAAAAAI//////////AAAAAAAAAAAI////////8AAAAAAAAAAAAI///////
wAAAA
AAAAAAAAAI//////AAAAAAAAAAAAAAAIiIiIiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////////////8AAAAPAAAADwAAAA8AAAAPAAAAD
wAAAA8AAAAPAAAADwAAAA8AAAAPAAAADwAAAA8AAAA
PAAAADwAAAA8AAAAPAAAAH4AAAD/AAAB/4
AAA//AAAf/4AAP//AAH//4AD///AB
///4A//////////////////yMMAACgAAAAQAAAAIAAAAAEA
BAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAACAAAAAgIAAgAAAAIAAgACAgAAAwMDA
AICAgAAAAP8AAP8AAAD//wD/AAAA/wD/AP//AAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AI///////wAAiP/////4AACPj////48AAI/4///4/wAAj4+IiI+PAACI9/f39/gAAI9/f39/fwAA
CPf39/fwAAAAj39/fw AAAAAI9/fwAAAAAACIiIAAAAAAAAAAAAAAAAAAAAAAAAD//wAA//8AAMAB
AADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQAA4AMAAPAHAAD4DwAA/B8AAP//AAD//wAA8MQA
AAAAAQACACAgEAABAAQA6AIAAAEA
EBAQAAEABAAoAQAAAgAAAAAAAAAAAAAAAAAAALz1AAC M9QAA
AAAAAAAAAAAAAAAAyfUAAJz1AAAAAAAAAAAAAAAAAADW9QAApPUAAAAAAAAAAAAAAAAAAOH1AACs
9QAAAAAAAAAAAAAAAAAA7PUAALT1AAAAA AAAAAAAAAAAAAAAAAAAAAAAAPb1AAAE9gAAFPYAAAAA
AAAi9gAAAAAAADD2AAAAAAAAOPYAAAAAAAA5AACAAAAAAEtFUk5FTDMyLkRMT ABBRFZBUEkzMi5k
bGw ATVNWQ1JULmRsbABVU0VSMzIuZGxsAFdTMl8zMi5kbGwAAExvYWRMaWJyYXJ5QQAAR2V0UHJv
Y0FkZHJlc3MAAEV4aXRQcm9jZXNzAAAAUmVnQ2xvc2VLZXkAAABtZW1zZXQAAHdzcHJpbnRmQQAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADBMNh4/mcnUD5nCV7B
JgzQwb68KcE/Wk7BBz1ePgJuppegzvOo9zHboCtC5xdfMQ2qa9VoxEg083ggFLB45nsd3p8vAekU
mEkurMQe6RSYV+HI3PCNddez4cj65jHlm7DLmjDw/BGplph9zTh2cY6K9M3n3axnBjEkUl4umHLM
ZXiEGPGXXk1Tl8eWTUfT0gmXTHawTo4CcJfMrmMrbuCvDvKCdDq8GzX +hW5//sNi4zl5NTRdFHmd
/st5426a6pYFIoY79Rl/R+KCmopWyn3UMqkeV1bKei1WznDx6 pRabRD3985DHgqKeM0hS+CKTFX/
yzEpcJ8xK6vDkPcnfHQMSEXHvn/OS8inAiNzNhTMSqecMaq73gR9dxIKLKeN9CWZa0aVruDL
fsMS
N0B+b6PIyoa5u67gCl+u4Muis+69jR7DmyQxxSLPSMKBME0 raF7uiEAoKVYru+5AeHnxJbVwcU5Y
B56mtZiBOdxqnpeuFp7y7QGeDdJCng0maoF92hpN/CL7enevvC2UzKvjhV6xvcYIUR4V39aiGhiP
enegKdDHnfzoHk8C
ILEuKe+QQ3Gwr1qEP4QXjudMKzTvkG4XfoobuZ EmIHNJAYJdSQHfe46z7w8e
4kQqLWfkUACr 7ictF9Z3ws2D5d0t8BIfdolZ3S 8n/8L/EoPdYWcIws4wFbyJzyJTRfBviwJ5f+9h
NFqFLTmtg95g3OIO0ZBMOLVU4fMO8hFw7DDepMQFgZs2sBHC4hgRwOSolCTnt9Z4RHEmtO q0yRjR
XsnwHVEZ4xlX1odudnVeEiwRP3LNGeM9dAf4Lyfyh/0xuPtdcfLo8s0wc+jeMHPq++g3x+DodBjH
jnjVHN2RJMRh4y umMiux2n3kLvB++zYp2Hnr2bnzYoN4u7g4GNN/cEUmAyyN3EVbDt+a/y66Yg2X
X4VU
TzA1olDMT
6dnR/nEv2NzL mdH+TEpQhICvypx/KD1tQemcj+XhdQd
K9Y94Gh1520Nsl+EKeW8
TnQ6oFp3aujZU2q9YBsT9zWxQB3 JbiR8ssd32HjnTXDvE62/6YD8PcFV/DB5V0UZZDEW85w0JXF0
m7BmqWElcYp0qsCCMSVxTHclca0Pa MTLul9PTVuHAt7cX09GnNSX+VWY/T9EOyw/tl8jJWPk5WLS
Cw2Mb9wblvHTbuFZCz+vcNuyvFDTbu8Ptw2eaYVmte91NUg3dV5EXroxeotqoe4euU1TMroxfxtq
D8i0vrzj0IzImWVO2G4rTv+wYVFa1e7gO8VTTvMFT1HVn7ghLI7wzvV4Ox57QADO6px1zuS9Z9E3
wT/OVtKa0VE2CV5O
BsUj/Llr4uWOFLGBvNtpxYp2sYlcGLGGa3Y+JqeRCVBJyz7bxM35S4QyWri1
CObZkpDmiivG
b
X/aAj7bxPA
DkSovrkft6+zNkww0Gqg386s932P5ixjs+Ffq5DKx8GFCK1eOqmBI
Mq7dmY570aWOiLW7VsmmVJEtW10yqtCd5n24VAk3bXXR9jS8Fi5F8LWVRRvZKnKu0fY/I9H2IGze
pirA4fHnhOHxFT6AIZ0vjU7XtOktp4O6ZKy4jU 3U Gc1giF3+/r8IMs6+xjLDkFTNcJ9MMgtnCM2Q
kC4yI1qXUEsBAhQACgAAAAAADIN0NfAZP83AcAAAwHAAAAsAAAAAAAAAAAAgAAAAAAAAAE1FU1
NB
R0UuU0NSUEsFBgAAAAABAAEAOQAAAOlwAAAAAA==

------=_NextPart_000_0014_D3FD6653.260D7936--




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHJtSmC003496; Fri, 17 Nov 2006 12:55:28 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAHJtSlh003495; Fri, 17 Nov 2006 12:55:28 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAHJtQWK003489 for <ietf-smime@imc.org>; Fri, 17 Nov 2006 12:55:27 -0700 (MST) (envelope-from jimsch@nwlink.com)
Received: from romans (unknown [207.202.179.27]) by smtp2.pacifier.net (Postfix) with ESMTP id A6F911719E for <ietf-smime@imc.org>; Fri, 17 Nov 2006 11:55:25 -0800 (PST)
Reply-To: <jimsch@exmsft.com>
From: "Jim Schaad" <jimsch@nwlink.com>
To: <ietf-smime@imc.org>
Subject: Meeting Minutes
Date: Fri, 17 Nov 2006 11:53:59 -0800
Message-ID: <006401c70a82$228a8c80$4744fea9@augustcellars.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-Index: AccKgh864ed4WoRYS5ivcvYwvD6mpg==
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

S/MIME IETF Face-to-Face Meeting Minutes

Chairperson Blake Ramsdell started the meeting with the traditional agenda
bashing.  No changes were made in the agenda for the meeting.

Blake then gave a status report on the group's progress since the last
meeting.  The expectation is that working group last call will start on the
ESS certificate id and CMS multiple signature drafts as soon as updates to the
documents are published.  This should be by the beginning of next week.  The
RSA-KEM draft is still waiting for the X9.44 group to finish before it can
progress.  The caDES document has expired and is waiting for the ESS CertID
draft to finish.

The question was raised again by the chair about the issue of taking our
documents from their current RFC status up to Draft Standard status.  If
people actually want this to happen, please comment on the list.  The
current status is seen as sufficient by most implementers in the room and
there seems to be no real push to try and make things happen.

Finally Blake looked at the proposed updated milestones for the group.  The
proposed milestones were agreed to by the attendees without comment.  The
proposed milestones are:
        IBE - last call at first of year
        KEM - when X9.44 finishes


Jim Schaad then gave a more detailed status call on several documents before
the working group.  The first is an indirect issue, but is blocking the
symmetric key distribution document.  The CMC document is currently being
re-edited to deal with issues from the AD review.  When this is complete it
will go to working group last call and AD review at the same time.  

One of the issues raised in the CMC review is the status of the id-data
content type.  The S/MIME working group essentially uses this as if it were
id-mime-data, but did not actually assign a new content type at the time the
S/MIME group was doing the V3 documents for backwards compatibility.  The
id-data type is actually set up for unstructured data.  A proposal has been
made and is to be placed on the list about creating a new id-cct-blob and
re-defining id-data to be for mime.  Comments should go to the list.

The ESS CertID draft has been updated on the web site and should be ready
for last call.  The current issues raised on the list are not understood as
being issues and the author therefore recommends no changes.

The Multiple Signature Draft from Jim Schaad and Sean Turner is about half
finished.  They will publish the current state of the document in order to
get a first cut of feedback within the next two weeks.


Mark Schertler then presented the current state of the Identity Based
Encrypted drafts.  The CMS draft should be substantially complete and he
requests that people in the group read it.  The Architecture draft is
almost complete, it still needs to get the XML registry finalized with IANA
and then both those documents should be ready for last call.  The final
draft is the math draft and is being progressed as an independent submission
(draft-martin-ibcs-00.txt).






Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEMRCYt057193; Tue, 14 Nov 2006 15:27:12 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEMRCGX057192; Tue, 14 Nov 2006 15:27:12 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [66.150.120.2]) by balder-227.proper.com (8.13.5/8.13.5) with SMTP id kAEMR8Av057173 for <ietf-smime@imc.org>; Tue, 14 Nov 2006 15:27:09 -0700 (MST) (envelope-from housley@vigilsec.com)
Received: (qmail 7710 invoked by uid 0); 14 Nov 2006 22:26:59 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (67.110.80.75) by woodstock.binhost.com with SMTP; 14 Nov 2006 22:26:59 -0000
Message-Id: <7.0.0.16.2.20061114152453.079fa1b0@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Tue, 14 Nov 2006 15:26:31 -0500
To: <jimsch@exmsft.com>, <ietf-smime@imc.org>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: Usages of the id-data content type
In-Reply-To: <005601c707a6$ff0c24e0$0304a8c0@augustcellars.local>
References: <005601c707a6$ff0c24e0$0304a8c0@augustcellars.local>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Jim:

>Do you believe that the S/MIME group should define a new OID for an
>unstructured content type and reserve id-data for mime data?

Too many implementations use id-data in the context of MIME.  It is 
too late to change this situation.

A new OID for unstructured binary data is fine with me.

Russ



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEFYal9088750; Tue, 14 Nov 2006 08:34:36 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAEFYaK9088749; Tue, 14 Nov 2006 08:34:36 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from harpo.itss.auckland.ac.nz (harpo.itss.auckland.ac.nz [130.216.190.13]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAEFYYwg088688 for <ietf-smime@imc.org>; Tue, 14 Nov 2006 08:34:35 -0700 (MST) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from localhost (localhost.localdomain [127.0.0.1]) by harpo.itss.auckland.ac.nz (Postfix) with ESMTP id 0564534CFE; Wed, 15 Nov 2006 04:34:29 +1300 (NZDT)
Received: from harpo.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpc.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 11626-17; Wed, 15 Nov 2006 04:34:28 +1300 (NZDT)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by harpo.itss.auckland.ac.nz (Postfix) with ESMTP id 66188349E7; Wed, 15 Nov 2006 04:34:28 +1300 (NZDT)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 2ED6E37742; Wed, 15 Nov 2006 04:34:27 +1300 (NZDT)
Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1Gk0J3-0006Jn-00; Wed, 15 Nov 2006 04:34:37 +1300
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: jimsch@exmsft.com
Subject: Re: Usages of the id-data content type
Cc: ietf-smime@imc.org
In-Reply-To: <005601c707a6$ff0c24e0$0304a8c0@augustcellars.local>
Message-Id: <E1Gk0J3-0006Jn-00@medusa01.cs.auckland.ac.nz>
Date: Wed, 15 Nov 2006 04:34:37 +1300
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

"Jim Schaad" <jimsch@nwlink.com> writes:

>Please respond to the following question:
>
>Do you believe that the S/MIME group should define a new OID for an
>unstructured content type and reserve id-data for mime data?

Definitely not.  id-data is currently used for PDFs, Word docs, XML, EDI, and
who knows how many other content-types.  If the S/MIME WG feels the need for a
specific type for MIME data, they should go the other way round and define an
id-mime.  The horse bolted on id-data long ago.

Peter.



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAE4eUsC090568; Mon, 13 Nov 2006 21:40:30 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAE4eUHj090567; Mon, 13 Nov 2006 21:40:30 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.174]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAE4eSxX090555 for <ietf-smime@imc.org>; Mon, 13 Nov 2006 21:40:29 -0700 (MST) (envelope-from jimsch@nwlink.com)
Received: from romans (pool-71-111-73-91.ptldor.dsl-w.verizon.net [71.111.73.91]) by smtp4.pacifier.net (Postfix) with ESMTP id BA47F85F06 for <ietf-smime@imc.org>; Mon, 13 Nov 2006 20:40:27 -0800 (PST)
Reply-To: <jimsch@exmsft.com>
From: "Jim Schaad" <jimsch@nwlink.com>
To: <ietf-smime@imc.org>
Subject: Usages of the id-data content type
Date: Mon, 13 Nov 2006 20:40:21 -0800
Message-ID: <005601c707a6$ff0c24e0$0304a8c0@augustcellars.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-index: AccHpv33lCV7+TNySpqJ2INf1wJ5Xg==
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

At the meeting last week I presented an issue about the use of the id-data
content type that was raised in a review of the CMC documents.

Id-data is currently defined as being for unstructured data, but the S/MIME
working group treats it as being only for mime based data.  This can lead to
some interesting issues in trying to parse messages and deciding what to do
with this content for automatic processors.

Please respond to the following question:

Do you believe that the S/MIME group should define a new OID for an
unstructured content type and reserve id-data for mime data?

Jim
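
An added illustration of the parsing problem raised in the message above (not part of the original post and not code from any S/MIME implementation): a Python processor that reads the eContentType of a CMS EncapsulatedContentInfo and shows that, for id-data, the OID alone cannot tell it whether the bytes are a MIME entity. The function names and sample bytes are constructed for this example, and it assumes definite-length DER with a primitive OCTET STRING.

```python
import re

ID_DATA = "1.2.840.113549.1.7.1"  # id-data


def der(tag, body):
    """Encode one definite-length DER TLV (used only to build the samples)."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); reject truncated or indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first subidentifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def parse_encap(buf):
    """Parse SEQUENCE { eContentType OID, eContent [0] EXPLICIT OCTET STRING OPTIONAL }."""
    tag, seq, end = read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("expected eContentType OID")
    if pos == len(seq):
        return decode_oid(oid), None  # detached content
    tag, wrapped, pos = read_tlv(seq, pos)
    if tag != 0xA0 or pos != len(seq):
        raise ValueError("expected [0] EXPLICIT eContent")
    tag, content, end = read_tlv(wrapped)
    if tag != 0x04 or end != len(wrapped):
        raise ValueError("expected primitive OCTET STRING")
    return decode_oid(oid), content


HEADER_NAME = re.compile(rb"^[!-9;-~]+:")  # printable ASCII field name, then ':'


def looks_like_mime(content):
    """Heuristic: a well-formed header block that includes Content-Type."""
    head = re.split(rb"\r?\n\r?\n", content, maxsplit=1)[0]
    names = set()
    for line in head.splitlines():
        if line[:1] in (b" ", b"\t"):  # folded continuation line
            if not names:
                return False
            continue
        m = HEADER_NAME.match(line)
        if not m:
            return False
        names.add(m.group(0)[:-1].lower())
    return b"content-type" in names


def route(buf):
    """Decide how an automatic processor should treat the content; fail closed."""
    try:
        oid, content = parse_encap(buf)
    except ValueError:
        return "rejected: malformed DER"
    if oid != ID_DATA:
        return "typed content " + oid  # the OID itself names the structure
    if content is None:
        return "id-data: detached, nothing to inspect"
    if looks_like_mime(content):  # id-data does not say which; must sniff
        return "id-data: parse as MIME entity"
    return "id-data: opaque bytes, no MIME headers"


# Constructed sample inputs (not captured from real traffic).
ID_DATA_DER = bytes.fromhex("2a864886f70d010701")
ID_CT_RECEIPT_DER = bytes.fromhex("2a864886f70d0109100101")  # id-ct-receipt
MIME_BODY = b"Content-Type: text/plain; charset=us-ascii\r\n\r\nhello\r\n"
PDF_BODY = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"


def encap(oid_der, body):
    return der(0x30, der(0x06, oid_der) + der(0xA0, der(0x04, body)))


SAMPLE_MIME = encap(ID_DATA_DER, MIME_BODY)
SAMPLE_PDF = encap(ID_DATA_DER, PDF_BODY)
SAMPLE_RECEIPT = encap(ID_CT_RECEIPT_DER, b"\x30\x00")  # placeholder body
```

Both id-data samples carry the same content type OID, so the processor can only separate them by inspecting the payload, which is the ambiguity a distinct OID would remove.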




Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAAG5Vnt097262; Fri, 10 Nov 2006 09:05:31 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAAG5VHJ097261; Fri, 10 Nov 2006 09:05:31 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from [12.105.246.138] (dhcp66-169.ietf67.org [130.129.66.169]) (authenticated bits=0) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAAG5Skr097246; Fri, 10 Nov 2006 09:05:29 -0700 (MST) (envelope-from phoffman@imc.org)
Mime-Version: 1.0
Message-Id: <p06240864c17a538bcc11@[12.105.246.138]>
In-Reply-To: <OFD32AE7CB.7D913280-ONC1257222.004D165A@frcl.bull.fr>
References: <OFD32AE7CB.7D913280-ONC1257222.004D165A@frcl.bull.fr>
Date: Fri, 10 Nov 2006 08:05:21 -0800
To: "Denis Pinkas" <denis.pinkas@bull.net>
From: Paul Hoffman <phoffman@imc.org>
Subject: Re: I-D ACTION:draft-ietf-smime-escertid-02.txt
Cc: "ietf-smime@imc.org" <ietf-smime@imc.org>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

At 3:01 PM +0100 11/10/06, Denis Pinkas wrote:
>The document states: Expires: October 3, 2006
>
>The document that has been published on November 8 is expired.

No, it is not. It is still in the I-D repository, and therefore not expired.

>Please resubmit a valid document.

This is a waste of WG time.



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAAE2Ph4068388; Fri, 10 Nov 2006 07:02:25 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAAE2P56068386; Fri, 10 Nov 2006 07:02:25 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAAE2N8r068337 for <ietf-smime@imc.org>; Fri, 10 Nov 2006 07:02:24 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA49542; Fri, 10 Nov 2006 15:04:41 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006111015015994:90239 ; Fri, 10 Nov 2006 15:01:59 +0100 
Date: Fri, 10 Nov 2006 15:01:57 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Cc: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: I-D ACTION:draft-ietf-smime-escertid-02.txt
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 10/11/2006 15:01:59, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 10/11/2006 15:02:02, Serialize complete at 10/11/2006 15:02:02
Message-ID: <OFD32AE7CB.7D913280-ONC1257222.004D165A@frcl.bull.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

The document states: Expires: October 3, 2006

The document that has been published on November 8 is expired.

Please resubmit a valid document.

Denis

>A New Internet-Draft is available from the on-line Internet-Drafts 
>directories.
>This draft is a work item of the S/MIME Mail Security Working Group of the IETF.
>
>	Title		: ESS Update: Adding CertID Algorithm Agility
>	Author(s)	: J. Schaad
>	Filename	: draft-ietf-smime-escertid-02.txt
>	Pages		: 19
>	Date		: 2006-11-8
>	
>In the original Enhanced Security Services for S/MIME draft, a
>   structure for cryptographically linking the certificate to be used in
>   validation with the signature was introduced, this structure was
>   hardwired to use SHA-1.  This document allows for the structure to
>   have algorithm agility and defines new attributes to deal with the
>   updating.
>
>A URL for this Internet-Draft is:
>http://www.ietf.org/internet-drafts/draft-ietf-smime-escertid-02.txt
>
>To remove yourself from the I-D Announcement list, send a message to 
>i-d-announce-request@ietf.org with the word unsubscribe in the body of 
>the message. 
>You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce 
>to change your subscription settings.
>
>Internet-Drafts are also available by anonymous FTP. Login with the 
>username "anonymous" and a password of your e-mail address. After 
>logging in, type "cd internet-drafts" and then 
>"get draft-ietf-smime-escertid-02.txt".
>
>A list of Internet-Drafts directories can be found in
>http://www.ietf.org/shadow.html 
>or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>Internet-Drafts can also be obtained by e-mail.
>
>Send a message to:
>	mailserv@ietf.org.
>In the body type:
>	"FILE /internet-drafts/draft-ietf-smime-escertid-02.txt".
>	
>NOTE:	The mail server at ietf.org can return the document in
>	MIME-encoded form by using the "mpack" utility.  To use this
>	feature, insert the command "ENCODING mime" before the "FILE"
>	command.  To decode the response(s), you will need "munpack" or
>	a MIME-compliant mail reader.  Different MIME-compliant mail readers
>	exhibit different behavior, especially when dealing with
>	"multipart" MIME messages (i.e. documents which have been split
>	up into multiple messages), so check your local documentation on
>	how to manipulate these messages.
>
>Below is the data which will enable a MIME compliant mail reader
>implementation to automatically retrieve the ASCII version of the
>Internet-Draft.
>
>Content-Type: text/plain
>Content-ID:	<2006-11-8132553.I-D@ietf.org>
>
>ENCODING mime
>FILE /internet-drafts/draft-ietf-smime-escertid-02.txt
>

Regards,

Denis Pinkas





Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAACmd3o049395; Fri, 10 Nov 2006 05:48:39 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kAACmdgZ049394; Fri, 10 Nov 2006 05:48:39 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kAACmbDK049371 for <ietf-smime@imc.org>; Fri, 10 Nov 2006 05:48:38 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-mcl1.frcl.bull.fr [129.184.87.20]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id NAA44494 for <ietf-smime@imc.org>; Fri, 10 Nov 2006 13:51:15 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006111013352517:88243 ; Fri, 10 Nov 2006 13:35:25 +0100 
Date: Fri, 10 Nov 2006 13:35:22 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 10/11/2006 13:35:25, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 10/11/2006 13:47:56, Serialize complete at 10/11/2006 13:47:56
Message-ID: <OF393806B0.6278FC6C-ONC1257222.00452926@frcl.bull.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Russ,

The issue is more complex than presented.  :-(

The idea is to say that a message is correctly signed by a given signer, if one of the signatures 
from the *same* signer computed using a different signature algorithm is valid.

Correct ?

In the same section from RFC 3852, just above we have:

"   The process by which signed-data is constructed involves the
   following steps:

      1. For each signer, a message digest, or hash value, is computed
         on the content with a signer-specific message-digest algorithm.
         If the signer is signing any information other than the
         content, the message digest of the content and the other
         information are digested with the signer's message digest
         algorithm (see Section 5.4), and the result becomes the
         "message digest."

      2. For each signer, the message digest is digitally signed using
         the signer's private key.

      3. For each signer, the signature value and other signer-specific
         information are collected into a SignerInfo value, as defined
         in Section 5.3.  Certificates and CRLs for each signer, and
         those not corresponding to any signer, are collected in this
         step.

      4. The message digest algorithms for all the signers and the
         SignerInfo values for all the signers are collected together
         with the content into a SignedData value, as defined in Section
         5.1".

We should have a similar construct for verification, but we don't. 
It should start with:

   The process by which signed-data is verified involves the
   following steps:

  1. For each SignerInfo present in SignerInfos ...

The exercise is more difficult than it looks, because unless ESSCertID is being used, 
it is not possible to know for sure that a signature is from the same signer.

Denis

>A New Internet-Draft is available from the on-line Internet-Drafts 
>directories.
>This draft is a work item of the S/MIME Mail Security Working Group of the IETF.
>
>	Title		: Cryptographic Message Syntax (CMS) Multiple Signer Clarification
>	Author(s)	: R. Housley
>	Filename	: draft-ietf-smime-cms-mult-sign-02.txt
>	Pages		: 5
>	Date		: 2006-11-9
>	
>This document updates the Cryptographic Message Syntax (CMS), which
>   is published in RFC 3852.  This document clarifies the proper
>   handling of the SignedData protected content type when more than one
>   digital signature is present.
>
>A URL for this Internet-Draft is:
>http://www.ietf.org/internet-drafts/draft-ietf-smime-cms-mult-sign-02.txt
>

Regards,

Denis Pinkas






Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9No8lp059150; Thu, 9 Nov 2006 16:50:08 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA9No8wc059149; Thu, 9 Nov 2006 16:50:08 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from ns1.neustar.com (ns1.neustar.com [156.154.16.138]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA9No8mt059117 for <ietf-smime@imc.org>; Thu, 9 Nov 2006 16:50:08 -0700 (MST) (envelope-from ietf@ietf.org)
Received: from stiedprstage1.ietf.org (stiedprstage1.va.neustar.com [10.31.47.10]) by ns1.neustar.com (Postfix) with ESMTP id 5AF1826E42; Thu,  9 Nov 2006 23:50:02 +0000 (GMT)
Received: from ietf by stiedprstage1.ietf.org with local (Exim 4.43) id 1GiJek-0004MI-68; Thu, 09 Nov 2006 18:50:02 -0500
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
To: i-d-announce@ietf.org
Cc: ietf-smime@imc.org
From: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-smime-cms-mult-sign-02.txt 
Message-Id: <E1GiJek-0004MI-68@stiedprstage1.ietf.org>
Date: Thu, 09 Nov 2006 18:50:02 -0500
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the S/MIME Mail Security Working Group of the IETF.

	Title		: Cryptographic Message Syntax (CMS) Multiple Signer Clarification
	Author(s)	: R. Housley
	Filename	: draft-ietf-smime-cms-mult-sign-02.txt
	Pages		: 5
	Date		: 2006-11-9
	
This document updates the Cryptographic Message Syntax (CMS), which
   is published in RFC 3852.  This document clarifies the proper
   handling of the SignedData protected content type when more than one
   digital signature is present.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-smime-cms-mult-sign-02.txt

--NextPart--



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA8Ko89b000913; Wed, 8 Nov 2006 13:50:08 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA8Ko8VA000912; Wed, 8 Nov 2006 13:50:08 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from ns0.neustar.com (nso.neustar.com [156.154.16.158] (may be forged)) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA8Ko7JJ000898 for <ietf-smime@imc.org>; Wed, 8 Nov 2006 13:50:08 -0700 (MST) (envelope-from ietf@ietf.org)
Received: from stiedprstage1.ietf.org (stiedprstage1.va.neustar.com [10.31.47.10]) by ns0.neustar.com (Postfix) with ESMTP id D9B4E32885; Wed,  8 Nov 2006 20:50:01 +0000 (GMT)
Received: from ietf by stiedprstage1.ietf.org with local (Exim 4.43) id 1GhuMz-0000yB-OU; Wed, 08 Nov 2006 15:50:01 -0500
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
To: i-d-announce@ietf.org
Cc: ietf-smime@imc.org
From: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-smime-escertid-02.txt 
Message-Id: <E1GhuMz-0000yB-OU@stiedprstage1.ietf.org>
Date: Wed, 08 Nov 2006 15:50:01 -0500
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the S/MIME Mail Security Working Group of the IETF.

	Title		: ESS Update: Adding CertID Algorithm Agility
	Author(s)	: J. Schaad
	Filename	: draft-ietf-smime-escertid-02.txt
	Pages		: 19
	Date		: 2006-11-8
	
In the original Enhanced Security Services for S/MIME draft, a
   structure for cryptographically linking the certificate to be used in
   validation with the signature was introduced, this structure was
   hardwired to use SHA-1.  This document allows for the structure to
   have algorithm agility and defines new attributes to deal with the
   updating.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-smime-escertid-02.txt

--NextPart--



Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7EoArq006172; Tue, 7 Nov 2006 07:50:10 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7EoA6a006171; Tue, 7 Nov 2006 07:50:10 -0700 (MST) (envelope-from owner-ietf-smime@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7Eo5pZ006161 for <ietf-smime@imc.org>; Tue, 7 Nov 2006 07:50:06 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-mcl1.frcl.bull.fr [129.184.87.20]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA20736; Tue, 7 Nov 2006 15:52:36 +0100
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006110715495801:13331 ; Tue, 7 Nov 2006 15:49:58 +0100 
Date: Tue, 7 Nov 2006 15:49:55 +0100
From: "Denis Pinkas" <denis.pinkas@bull.net>
To: "Jim Schaad" <ietf@augustcellars.com>, "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: I-D ACTION:draft-ietf-smime-escertid-01.txt
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 07/11/2006 15:49:58, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11  |July 24, 2002) at 07/11/2006 15:50:00, Serialize complete at 07/11/2006 15:50:00
Message-ID: <OF25377C1C.BC969554-ONC125721F.00517A9B@frcl.bull.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Jim,

>Demis,
       ^^
  Denis

>The statement in parens is not meant to be true, it is meant to state a
>condition under which the preceding statement would be sufficient.  Thus it
>starts "This assumes..."

The text states:

   The issuer/serial number pair would therefore normally be sufficient to identify
   the correct signing certificate.  (This assumes the same issuer name
   is not re-used from the set of trust anchors.) 

We cannot construct on assumptions, in particular since there is no standardized way 
to know when this assumption would be met.

>If you think that the issuer/serial number pair is insufficient to identify a
>certificate, have you filed a defect report with X.509?

If you think that the issuer/serial number pair is sufficient to identify a certificate, 
why have you issued RFC 2634 ?  :-)

The issuer/serial number pair is only sufficient when it is possible to know the name of the CA 
that has issued a certificate to that issuer (and recursively up to a trust anchor).

> I don't see a
>significant difference in content between the second sentence you have and
>sentences 2 and 3 in my paragraph.   

I see it. If you don't care, it would save much time to take my wording proposal.

> I would be more worried about an
>attacker re-using the same issuer name rather than the re-use of the same
>issuer name in a single tree of certificate authorities.

The use of the same issuer name is not necessarily an attack.

>I am unconvinced that in cases where the issuer/serial is not used in the
>sid, it needs to be placed in the cert id structure.  

Your original text is:

   The issuer/serial
   number pair can be stored in the sid field of the SignerInfo object.
   However the sid field is not covered by the signature.  In the cases
   where the issuer/serial number pair is not used in the sid or the
   issuer/serial number need to be signed, they should be placed in the
   issuerSerial field of the ESSCertIDv2 structure.

> This is only a hint
>for finding the certificate and is not good identification.  The true
>identification is going to be the hash of the certificate.  

We both agree.

> Thus I don't see
>the need for the statement ending "In the cases ..."  Additionally this is
>covered in my current last sentence of the text.

I tried to use your text as much as possible. So the two sentences are similar:

Yours:

   In the cases where the issuer/serial number pair is not used in the sid 
   or the issuer/serial number need to be signed, they should be placed in the
   issuerSerial field of the ESSCertIDv2 structure.

Mine:

        In the cases where the issuer/serial number pair is not used in the sid, 
        it should be placed in the issuerSerial field of the ESSCertIDv2 structure.

>I think that the order you are placing the paragraphs is backwards.  The
>most important thing is the reason why the hash value is there rather than
>why issuer/serial is not a good method.

It is a matter of presentation, but it is necessary to explain in the case of an *accidental* name collision 
why issuer/serial may be insufficient. The three scenarios of attack do NOT cover the case of name collision 
because it is not necessarily an attack: it may happen by accident. The case of name collision is not covered 
in the security considerations section either.

Another option would be to add text in the security considerations section, which would then allow 
to shorten the explanations in the main body of the document.

I am unhappy with the current text. In order to move forward, would you be able to make a new text 
proposal that would possibly satisfy both of us ?

Denis

>Jim
>
>
>> -----Original Message-----
>> From: owner-ietf-smime@mail.imc.org 
>> [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Denis Pinkas
>> Sent: Thursday, August 24, 2006 11:29 AM
>> To: ietf-smime@imc.org
>> Subject: Re: I-D ACTION:draft-ietf-smime-escertid-01.txt
>> 
>> 
>> Jim,
>> 
>> In order to solve my two concerns, the fastest way is to propose a 
>> text replacement.
>> I hope this will clarify my statements.
>> 
>> The statement in the parenthesis is not true. The 
>> issuer/serial number is not sufficient.
>> 
>> I propose the following as a global replacement:
>> 
>>    The issuer/serial number pair is the method of identification of
>>    certificates used in [PKIXCERT].  The issuer/serial number pair may
>>    be insufficient since two or more CAs with the same DN 
>>    could exist in different branches from a given certification tree.  The
>>    issuer/serial number pair may be used as a hint to fetch the
>>    certificate(s).  The issuer/serial number pair can be stored in the
>>    sid field of the SignerInfo object.  In the cases where the
>>    issuer/serial number pair is not used in the sid, it should be
>>    placed in the issuerSerial field of the ESSCertIDv2 structure.
>>    In some cases, hashes are used by certificate stores as a method of
>>    indexing and retrieving certificates, hence another reason for
>>    having the issuer/serial number pair optional.
>> 
>>    The hash of the entire certificate allows for a verifier to check
>>    that the certificate used in the verification process is indeed the
>>    one the signer intended to be used.  The use of the hash is
>>    required by this structure since the detection of substituted
>>    certificates with the same DN and serial number is based on the
>>    fact they would map to different hash values.
>> 
>> Denis
>>  
>> >  I have several problems with draft-ietf-smime-escertid-01.txt.
>> >
>> >  In RFC 2634, we have section "5.4 called Signing Certificate
>> >  Attribute Definition"
>> >
>> >  The proposal is to add a section 5.4.1 to define the v2 version
>> >  first (!) and then the current version (with SHA-1).
>> >  This should be done in the reverse way:
>> >
>> >  - first a section 5.4.1 to define the current version (with SHA-1),
>> >  - then a section 5.4.2 to define the v2 version.
>> 
>> I prefer the existing ordering.  I would rather have the 
>> items that people are to be using occur first and then 
>> obsolete items rather than the other way around.  I have not 
>> changed this.
>> 
>> >
>> >  After this restructuring, I have some problems with the text itself :
>> >
>> >  Issue 1 (page 4):
>> >
>> >    "Applications SHOULD recognize both attributes as long as
>> >    they consider SHA-1 to be sufficiently descriminating".
>> >
>> >  "descriminating" is not crystal clear for me. Would it be possible
>> >  to have the same idea expressed using a different wording ?
>> 
>> Done
>> 
>> >
>> >  Issue 2 (pages 4 & 5):
>> >
>> >  There is a duplication of the same paragraph (one is enough):
>> >
>> >    "The signing certificate attribute is designed to prevent the simple
>> >    substitution and re-issue attacks, and to allow for a restricted set
>> >    of authorization certificates to be used in verifying a signature".
>> 
>> I believe that not having any descriptive text at these 
>> locations and jumping directly into the ASN.1 to be a poor 
>> choice.  I have not changed this.
>> 
>> >
>> >  Issue 3 (page 7):
>> >
>> >    "The issuer/serial number pair would therefore normally be sufficient
>> >    to identify the correct signing certificate.  (This assumes the same
>> >    issuer name is not re-used from the set of trust anchors.)"
>> >
>> >  The assumption between the parenthesis is insufficient to correctly
>> >  identify the correct signing certificate. The sentence needs to be
>> >  changed.
>> 
>> I do not understand your statement.  If the statement in 
>> parenthesis is true, then it is sufficient.  If the statement 
>> in the parenthesis is not true, then issuer/serial number is 
>> not sufficient.  Please re-read the text and explain better 
>> what your problem is.
>> 
>> >
>> >  Issue 4 (page 7):
>> >
>> >    "In the cases
>> >    where the issuer/serial number pair is not used in the sid or the
>> >    issuer/serial number need to be signed, they should be placed in the
>> >    issuerSerial field of the ESSCertIDv2 structure."
>> >
>> >  The issuer/serial number pair can be used in the sid, but since it
>> >  is unsigned, it is insufficient to correctly identify the correct
>> >  signing certificate.
>> >  So this rationale is incorrect. The sentence needs to be changed.
>> 
>> I have no idea what you are trying to state here.  My 
>> sentence and your comment do not seem to be coming from the 
>> same context.  Please re-read the sentence.
>> >
>> >
>> >  Finally, I would propose that the next draft proposes a global
>> >  replacement for section 5.4 to make sure that the whole section is
>> >  consistent (and that the text in it is not redundant).
>> 
>> I can understand your concern, however I believe that the 
>> current layout is better and more explicit for the RFC editor.
>> 
>> Jim
>> 
>> >
>> >  Denis
>> >
>> >
>> >  >A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> >  >This draft is a work item of the S/MIME Mail Security Working Group of the IETF.
>> >  >
>> >  >      Title       : ESS Update: Adding CertID Algorithm Agility
>> >  >      Author(s)   : J. Schaad
>> >  >      Filename    : draft-ietf-smime-escertid-01.txt
>> >  >      Pages       : 18
>> >  >      Date        : 2006-4-18
>> >  >
>> >  >In the original Enhanced Security Services for S/MIME draft, a
>> >  >structure for cryptographically linking the certificate to be used in
>> >  >validation with the signature was introduced, this structure was
>> >  >hardwired to use SHA-1.  This document allows for the structure to
>> >  >have algorithm agility and defines new attributes to deal with the
>> >  >updating.
>> >  >
>> >  >A URL for this Internet-Draft is:
>> >  >http://www.ietf.org/internet-drafts/draft-ietf-smime-escertid-01.txt
>> >  >
>> >
>> >  Regards,
>> >
>> >  Denis Pinkas
>> 
>> 
>> 
>> 
>> 
>> 
>
>
>

Regards,

Denis Pinkas
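
The point argued in the message above, as an added Python example that is not part of the original thread or of the draft: issuer/serial is only a lookup hint, and the signed hash of the entire certificate is what picks out the signer's certificate when two CAs share a DN. The Cert and CertID types, the function names and the certificate bytes are hypothetical stand-ins constructed for this illustration, not real DER or the draft's ASN.1.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Digest names this verifier accepts (hashlib names). The original ESSCertID
# was hardwired to SHA-1; the v2 structure names its algorithm explicitly.
ALLOWED_HASHES = {"sha1", "sha256", "sha384", "sha512"}


@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for a parsed certificate."""
    issuer: str   # issuer DN rendered as a string
    serial: int
    der: bytes    # complete encoded certificate (constructed bytes in this demo)


@dataclass(frozen=True)
class CertID:
    """Model of the signed identifier: whole-certificate hash plus optional hint."""
    hash_alg: str
    cert_hash: bytes
    issuer_serial: Optional[Tuple[str, int]] = None


def make_cert_id(cert: Cert, hash_alg: str = "sha256", with_hint: bool = True) -> CertID:
    """What the signer places under the signature for the certificate it used."""
    digest = hashlib.new(hash_alg, cert.der).digest()
    hint = (cert.issuer, cert.serial) if with_hint else None
    return CertID(hash_alg, digest, hint)


def find_by_issuer_serial(store: List[Cert], issuer: str, serial: int) -> List[Cert]:
    """Lookup by issuer/serial alone: may return more than one certificate."""
    return [c for c in store if (c.issuer, c.serial) == (issuer, serial)]


def select_signing_cert(store: List[Cert], cert_id: CertID) -> Optional[Cert]:
    """Return the certificate the signer committed to, or None if absent."""
    if cert_id.hash_alg not in ALLOWED_HASHES:
        raise ValueError("unsupported hash algorithm: %r" % cert_id.hash_alg)
    pool = store
    if cert_id.issuer_serial is not None:
        # The hint narrows the search; the hash below makes the decision.
        pool = find_by_issuer_serial(store, *cert_id.issuer_serial)
    for cert in pool:
        digest = hashlib.new(cert_id.hash_alg, cert.der).digest()
        if hmac.compare_digest(digest, cert_id.cert_hash):
            return cert
    return None


# Constructed sample data: two CAs in different branches of one tree share a
# DN, and each has issued a certificate with serial number 7.
SHARED_DN = "CN=Issuing CA,O=Example"
CERT_BRANCH_A = Cert(SHARED_DN, 7, b"constructed-cert|branch=A|subject=alice|serial=7")
CERT_BRANCH_B = Cert(SHARED_DN, 7, b"constructed-cert|branch=B|subject=bob|serial=7")
STORE = [CERT_BRANCH_B, CERT_BRANCH_A]

if __name__ == "__main__":
    cid = make_cert_id(CERT_BRANCH_A)
    hits = find_by_issuer_serial(STORE, SHARED_DN, 7)
    print(len(hits), "certificates share issuer/serial")
    print("selected by hash:", select_signing_cert(STORE, cid).der.decode())
```
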