Re: [lamps] rollover of CA

"Brown, Wendy (10421)" <wendy.brown@protiviti.com> Fri, 03 September 2021 12:21 UTC

To: Tomas Gustavsson <tomas.gustavsson@primekey.com>, Deb Cooley <debcooley1@gmail.com>, Ryan Sleevi <ryan-ietf@sleevi.com>
CC: SPASM <spasm@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/-DYMxC0IGNri-oo1TzSVSqGAIAQ>

In the case of longer lived certificates (for example within Federal PKI most subscriber certs are 3 year) having the old CA key signed by the new key allows the certificates signed by the older key to be trusted with a path through the newer key to a trust anchor without having to maintain 2 distinct paths to that same trust anchor.

e-e -> ICA old key -> ICA new key -> root
vs
e-e -> ICA old key -> root AND e-e -> ICA new key -> root

Key rollover is still fairly common within the US federal government.


Wendy Brown
Protiviti Government Services
wendy.brown@protiviti.com
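
Added illustration, not part of the original message: a small standard-library model of path building for the two layouts sketched above. Certificates are reduced to names and key identifiers (all values are constructed, and no real signatures are checked); the self-issued ICA certificate that carries the old key and is signed by the new key is the link that lets older end-entity certificates chain through the new key.

```python
from collections import namedtuple

# Constructed model: a certificate reduced to the fields path building uses.
# ski = the key being certified, aki = the key that signed it (stand-ins for
# real subjectKeyIdentifier / authorityKeyIdentifier values and signatures).
Cert = namedtuple("Cert", "subject issuer ski aki")

ROOT = Cert("Root", "Root", "root-key", "root-key")       # trust anchor
EE_OLD = Cert("e-e-1", "ICA", "ee1-key", "ica-old-key")   # issued under old ICA key
EE_NEW = Cert("e-e-2", "ICA", "ee2-key", "ica-new-key")   # issued under new ICA key

NEW_BY_ROOT = Cert("ICA", "Root", "ica-new-key", "root-key")
OLD_BY_ROOT = Cert("ICA", "Root", "ica-old-key", "root-key")
# Self-issued link certificate: old ICA public key signed by the new ICA key.
OLD_BY_NEW = Cert("ICA", "ICA", "ica-old-key", "ica-new-key")

def build_paths(leaf, pool, anchor):
    """Return every chain leaf -> ... -> anchor as a list of readable hops."""
    def label(c):
        return c.subject if c.subject != "ICA" else "ICA[%s]" % c.ski

    def extend(chain, seen_keys):
        tip = chain[-1]
        if tip.issuer == anchor.subject and tip.aki == anchor.ski:
            yield [label(c) for c in chain] + [anchor.subject]
            return
        for cand in pool:
            # Name chaining plus key-identifier match: the old and new ICA
            # certificates share a name, so only the key id tells them apart.
            if (cand.subject == tip.issuer and cand.ski == tip.aki
                    and cand.ski not in seen_keys):
                yield from extend(chain + [cand], seen_keys | {cand.ski})

    return list(extend([leaf], {leaf.ski}))

def rollover_layouts():
    link = [NEW_BY_ROOT, OLD_BY_NEW]   # root certifies only the new ICA key
    dual = [NEW_BY_ROOT, OLD_BY_ROOT]  # root certifies both ICA keys
    return {
        "link/old-ee": build_paths(EE_OLD, link, ROOT),
        "link/new-ee": build_paths(EE_NEW, link, ROOT),
        "dual/old-ee": build_paths(EE_OLD, dual, ROOT),
        "no-link/old-ee": build_paths(EE_OLD, [NEW_BY_ROOT], ROOT),
    }

if __name__ == "__main__":
    for name, paths in rollover_layouts().items():
        print(name, paths)
```

The `no-link/old-ee` case shows what is at stake: once the root certifies only the new key, certificates issued under the old key have no path unless the link certificate is published.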


From: Tomas Gustavsson <tomas.gustavsson@primekey.com>
Sent: Friday, September 3, 2021 2:21 AM
To: Deb Cooley <debcooley1@gmail.com>; Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: SPASM <spasm@ietf.org>; Michael Richardson <mcr+ietf@sandelman.ca>
Subject: Re: [lamps] rollover of CA

I remember being part of that discussion Michael.

RFC4210 describes it in section 4.2.
https://datatracker.ietf.org/doc/html/rfc4210#section-4.4

In reality I have only seen rollover using newWithOld, for example in ICAO 9303 part 12 (there called Link Certificate). The purpose being to be able to automatically update trust anchor with a new Root if you already trust the old Root.
https://www.icao.int/publications/Documents/9303_p12_cons_en.pdf

I have never understood the purpose of, or seen a practical use of, OldWithNew. Therefore the CMP Update draft puts the link certificates as optional instead of mandatory.
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cmp-updates#section-2.15

The old notion of having them as mandatory puts unrealistic burden on CA rollover imho.

Cheers,
Tomas

________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of Deb Cooley <debcooley1@gmail.com>
Sent: Thursday, September 2, 2021 9:38 PM
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: SPASM <spasm@ietf.org>; Michael Richardson <mcr+ietf@sandelman.ca>
Subject: Re: [lamps] rollover of CA


What exactly are you interested in?

Today's CA systems do this in a variety of ways.

We (US DOD) have Root CAs, and sub CAs.  We don't roll any of that over.  We stand up new Roots and new subCAs.  In general, we don't name them the same.  When a new Root or sub CA is stood up, we make an announcement to the community and there is an app that makes it easier to do the trust store management. US Fed PKI just stood up a new Root CA for their Common Policy Root CA - same thing, different name, different keys, different dates, and (I think) different key sizes.

Some CAs will rekey.  Name remains the same, key changes, dates change (at least the expiry date).  I'm not (personally) familiar with how this is managed.  I want to say that Entrust's systems work that way (I could easily be wrong tho).

Ryan can tell you more about how the public trust stores manage a Root CA update/rekey/whatever.

Deb Cooley
decoole@nsa.gov





On Thu, Sep 2, 2021 at 11:09 AM Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
I mean, there's https://datatracker.ietf.org/doc/html/rfc4210#section-4.4 , but that's more or less unsupported, and would strongly recommend against it: the _key_ rollover creates vast issues with implementations.

Otherwise, if we're talking about (Subject + SPKI) changes, that's just normal cross-certification. RFC 4158 is not widely supported in implementations (particularly open-source software), so care must be taken.

Other protocols take different approaches (e.g. RFC 6489), tied in to the overall protocol.

On Thu, Sep 2, 2021 at 10:10 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote:

Hi, sometime in 2021, we had a thread discussing how to rollover a
certification authority, and the process of signing old CA with new CA.
I know that I wrote emails about this, but I can't find them
either in the archives or in my outbox.

I also can't find the RFC which describes this... somewhere in the 2000s?

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide




_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm