Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

"Kampanakis, Panos" <kpanos@amazon.com> Wed, 11 January 2023 17:13 UTC

Return-Path: <prvs=368fa0912=kpanos@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6180C15B278 for <spasm@ietfa.amsl.com>; Wed, 11 Jan 2023 09:13:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.496
X-Spam-Level:
X-Spam-Status: No, score=-9.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Toe3M8IWXTm for <spasm@ietfa.amsl.com>; Wed, 11 Jan 2023 09:13:06 -0800 (PST)
Received: from smtp-fw-9102.amazon.com (smtp-fw-9102.amazon.com [207.171.184.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0420DC131C4D for <spasm@ietf.org>; Wed, 11 Jan 2023 09:13:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1673457186; x=1704993186; h=from:to:date:message-id:references:in-reply-to: mime-version:subject; bh=0pQ41DW2Tub3Kto29xMICEOCx99I0dlgWzZILlEYHtQ=; b=bPrY90CX8c459tfjvXGmRfkglKL4pFU6MSN24WKOtA2WsqBYCJBjuz5G vikVtfQKFDM07WKwmLDNX2SI/TPIqI63D2yByttEhDYk2YD1oKXouO7RN 5w2CQ8LYDwUpIoz/n9vxkZFt65IKMhnUqDkoHck7UJoiua8Z34QuEMozG w=;
X-IronPort-AV: E=Sophos;i="5.96,317,1665446400"; d="scan'208,217";a="299183838"
Thread-Topic: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02
Received: from pdx4-co-svc-p1-lb2-vlan2.amazon.com (HELO email-inbound-relay-pdx-2c-m6i4x-94edd59b.us-west-2.amazon.com) ([10.25.36.210]) by smtp-border-fw-9102.sea19.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Jan 2023 17:12:54 +0000
Received: from EX13MTAUWB001.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan3.pdx.amazon.com [10.236.137.198]) by email-inbound-relay-pdx-2c-m6i4x-94edd59b.us-west-2.amazon.com (Postfix) with ESMTPS id A303E422BF; Wed, 11 Jan 2023 17:12:53 +0000 (UTC)
Received: from EX19D001ANA003.ant.amazon.com (10.37.240.188) by EX13MTAUWB001.ant.amazon.com (10.43.161.249) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Wed, 11 Jan 2023 17:12:52 +0000
Received: from EX19D001ANA001.ant.amazon.com (10.37.240.156) by EX19D001ANA003.ant.amazon.com (10.37.240.188) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.7; Wed, 11 Jan 2023 17:12:51 +0000
Received: from EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055]) by EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055%5]) with mapi id 15.02.1118.020; Wed, 11 Jan 2023 17:12:51 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Carl Wallace <carl@redhoundsoftware.com>, "aebecke@uwe.nsa.gov" <aebecke@uwe.nsa.gov>, LAMPS <spasm@ietf.org>
Thread-Index: AQHZJdhdlSUG6/tpUkqB+F6/gWzw8K6ZcD9A
Date: Wed, 11 Jan 2023 17:12:51 +0000
Message-ID: <e820c36095a04a3697b4345d06d2f392@amazon.com>
References: <PH0PR00MB10003EC6A096FE0A363BBFB9F5459@PH0PR00MB1000.namprd00.prod.outlook.com> <PH0PR00MB10002A7A2850A1333B4F6C00F54A9@PH0PR00MB1000.namprd00.prod.outlook.com> <35BEB1D9-7EA5-4CD4-BADA-88CCB0E9E8F9@vigilsec.com> <6FB4E76C-0AFD-4D00-B0FC-63F244510530@vigilsec.com> <bd5a491c78c8406b8de6414aff4f5223@amazon.com> <SA0PR09MB72412D6BBBC556716B5FBDEDF1FF9@SA0PR09MB7241.namprd09.prod.outlook.com> <adfdcfcfb0f84c63b83bc60cb9a48cfa@amazon.com> <CH0PR11MB573917AD78637794B2A424249FFC9@CH0PR11MB5739.namprd11.prod.outlook.com> <ca14b6a4dc624d5a8721a76fba0e0b2f@amazon.com> <CH0PR11MB5739F7AB185E366BFEB9F1A69FFC9@CH0PR11MB5739.namprd11.prod.outlook.com> <774557DE-522F-4A3C-B360-6B7C9103F579@redhoundsoftware.com> <CH0PR11MB5739D1D766DDFC5B48D59E159FFC9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739D1D766DDFC5B48D59E159FFC9@CH0PR11MB5739.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.37.240.172]
Content-Type: multipart/alternative; boundary="_000_e820c36095a04a3697b4345d06d2f392amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/37M44viJpHzJczzQcFRQ12YgGpo>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2023 17:13:10 -0000

How is someone going to mix and match now?

  1.  Get two PIVs that have one classical, one PQ cert/private key each. All certs have the same DN.
  2.  Write a custom TLS app that allows them to start a TLS connection, generate one signature with one PIV’s classical private key. Then get the other PIV and sign the same TLS connection which is left in some sort of waiting state with the second PIV’s PQ private key?
If the draft is preventing that, then what stops this person that wants to mix and match write their own CSR application that signs with the classical private key from one PIV and then gets the other PIV to sign the CSR according to the draft?

I know we are speculating here since this is not what Allie has suggested so far, but sorry I don’t see the difference.

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Wednesday, January 11, 2023 11:17 AM
To: Carl Wallace <carl@redhoundsoftware.com>; Kampanakis, Panos <kpanos@amazon.com>; aebecke@uwe.nsa.gov; LAMPS <spasm@ietf.org>
Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


Sorry, I should be more precise:

By “mix & match” I mean that in the hybrid mode you present two certificates, one from each device when the relying party is really expecting you to present two certs from the same device. Yes you *could* structure your DNs or SANs to be unique per device, but this draft provides a binding mech that does not require any specific PKI naming conventions.


Under the assumption that this draft is providing a meaningful way to solve this problem, then I support its adoption.

If we believe that the mechanism in this draft is not doing that, ie that there are no PKI deployments in which this draft is actually providing stronger bindings than we already have with Subject / SAN names, then I may reconsider my support for adoption.

---
Mike Ounsworth

From: Carl Wallace <carl@redhoundsoftware.com<mailto:carl@redhoundsoftware.com>>
Sent: Wednesday, January 11, 2023 9:45 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com<mailto:Mike.Ounsworth@entrust.com>>; Kampanakis, Panos <kpanos@amazon.com<mailto:kpanos@amazon.com>>; aebecke@uwe.nsa.gov<mailto:aebecke@uwe.nsa.gov>; LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: [EXTERNAL] Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________
Inline…

From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> on behalf of Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org<mailto:Mike.Ounsworth=40entrust.com@dmarc.ietf.org>>
Date: Wednesday, January 11, 2023 at 10:12 AM
To: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>>, "aebecke@uwe.nsa.gov<mailto:aebecke@uwe.nsa.gov>" <aebecke@uwe.nsa.gov<mailto:aebecke@uwe.nsa.gov>>, LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

Again, I’m guessing at the intended use-case here.

Let’s say I am in possession of two PIV ID cards. They both belong to me, ergo will have the same Subject and SANs.

[CW] It is not necessarily the case that your two PIV cards would have the same subject DN or SAN. It’s common for people to be issued smart cards for different functions or even within different government agencies (or perhaps to have a personal card and a group/role card) such that one or both of subject DN and SAN differ.

But they are not the same device. If both PIV cards are hybrids, then there are 4 certs in play, all of which will have the same Subject and SANs, but you should not mix&match them. This draft provides a mechanism to tag which pairs of certs “belong together” even though they all belong to the same PKI logical entity.

[CW] I’m not certain what you mean by “mix and match” or why that ought not be done, but it sounds like you are suggesting the proposed new extension be used to bind one cert on a smart card to the other (presumably even if the holder only possesses one smart card). Why would that be needed? A common case is derived credentials, which typically do have same DN and SAN. Those are intended to be “mixed and matched”, i.e., I would expect to be able to access the same resources using my phone or tablet as I can with my PIV card (even if one featured RSA keys and the other EC keys).

[CW] The extension really can’t mean much more than that an entity is demonstrating control of the private key corresponding to the related cert identified in an attribute included in a CSR. The utility of this proof would be up to the relying party. Any proof of same identity or same hardware device would be achieved through something other than this extension (as currently described, anyway). If one were to require DNs to match (to avoid cross-organizational recognition), then Panos’ point seems right, i.e., why not just check the names.

---
Mike Ounsworth

From: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>>
Sent: Wednesday, January 11, 2023 8:49 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com<mailto:Mike.Ounsworth@entrust.com>>; aebecke@uwe.nsa.gov<mailto:aebecke@uwe.nsa.gov>; LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: [EXTERNAL] RE: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________
If the related certs have the same DN (I was calling it same Subject or SAN in my email) then the verifier can rest assured the two certs belong to the same entity without the need of a new extension. That is what I was originally pointing out. Now, if there is no identity overlap as Allie suggested then I was saying that I am not sure what the verifier is supposed to do when it is presented with these two related certs with completely different identities.

From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Mike Ounsworth
Sent: Wednesday, January 11, 2023 8:33 AM
To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>>; aebecke@uwe.nsa.gov<mailto:aebecke@uwe.nsa.gov> <aebecke=40uwe.nsa.gov@dmarc.ietf.org<mailto:aebecke=40uwe.nsa.gov@dmarc.ietf.org>>; LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


Panos,

I assume in their use-case, endpoints will treat matching SANs as necessary but not sufficient.

Making up an example here, if you’re receiving a TLS client-auth connection from DN: cn=Alice,dc=example,dc=com then both certs had better have the same DN (otherwise it’s totally unclear which user is trying to log in) *PLUS* one of them had better have a RelatedCertificate extn that lines up with the other cert to prove that both private keys are contained on the same hardware device (or wtv the semantics of that extension mean in their environment).

---
Mike Ounsworth

From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Kampanakis, Panos
Sent: Tuesday, January 10, 2023 8:43 PM
To: aebecke@uwe.nsa.gov<mailto:aebecke@uwe.nsa.gov> <aebecke=40uwe.nsa.gov@dmarc.ietf.org<mailto:aebecke=40uwe.nsa.gov@dmarc.ietf.org>>; LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: [EXTERNAL] Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________
Hi Allie,
Thx. If there is no overlap between the Subject Name or SANs in the two related certs, should they be used at the same time in a PQ transition scenario since the verifier can only be talking to one identity at a time? To rephrase that, if the two related certs include completely different identities, wouldn’t that be a problem for the TLS, IKEv2, etc verifier?
- When the verifier is presented with a classical RSA peer cert, it confirms the identity of the cert is the identity it is talking to.
- When the verifier is presented with just one PQ peer related-cert, it will confirm the identity of the cert is the identity it is talking to.
- While still in the PQ transition phase, when the verifier is presented with one classical RSA peer cert and one PQ peer related-cert, what is it supposed to do if the identities in these certs are completely different? Verify only one identity and assume the other one belongs to the same peer because of POP at issuance?


From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of aebecke@uwe.nsa.gov<mailto:aebecke@uwe.nsa.gov>
Sent: Tuesday, January 10, 2023 12:38 PM
To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>>; Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>; LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


Hi Panos,
  Thanks for the comments. It is not always the case that SANs will unambiguously identify a certificate, as they are not globally unique. Especially in the case that may arise in which a different CA has issued a related certificate, we want to provide strong assurance that the certificate is under the control of the correct end-entity. Matching names depends on mapping the namespaces of the issuers (which may suffice for discovery); our draft provides the existing (traditional) PoP nested in the new (PQC) PoP, which we think provides more assurance.

Cheers,
Alie

----
________________________________
From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> on behalf of Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>>
Sent: Thursday, January 5, 2023 9:33 PM
To: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>; LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

My previous objections and concerns have not been addressed, but maybe I had misunderstood the spirit of the draft. So let me repeat the last, most important, question after Mike's presentation of the draft in IETF-115.

It seems that the draft just wants to provide an extension that says cert A and cert B are related and owned by the same entity and allow a CSR to prove that the requester of Cert B also owns the private key for Cert A. In other words the flow would work as:
- Entity X generates a CSR for CertA and proves it owns the private key for A. The issuer generates CertA after verifying the ownership of private key A and the identity of X.
- Entity X generates a CSR for CertB which is related to CertA and proves it owns the private key for A and B. The issuer generates CertB (related-to-CertA) after verifying the ownership of private keys A and B and the identity of X.
- Entity X owns CertA and CertB which it uses to be authenticated in protocol Y. The protocol Y verifier gets CertA and CertB, it verifies the peer owns the private key for CertA, CertB and it confirms it trusts these certs were issued for Entity X.

Now let's forget the draft and say we do not use a new X.509 or CSR extension. And let's say the flow now works as
- Entity X generates a CSR for CertA and proves it owns the private key for A. The issuer generates CertA after verifying the ownership of private key A and the identity of X.
- Entity X generates a CSR for CertB and proves it owns the private key for B. The issuer generates CertB after verifying the ownership of private key B and the identity of X.
- Entity X owns CertA and CertB which it uses to be authenticated in protocol Y. The protocol Y verifier gets CertA and CertB, it verifies the peer owns the private key for CertA, CertB and it confirms it trusts BOTH of these certs were issued for the same entity Entity X.

Why is the former flow better over the latter? In other words, if CertA and CertB were issued separately, why could the verifier not just use the Subject Name or SANs to confirm the certs relationship while verifying?



-----Original Message-----
From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley
Sent: Thursday, January 5, 2023 6:02 PM
To: LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: [EXTERNAL] [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



Do the changes that were made in -02 of the Internet-Draft resolve the concerns that were previously raised?

On behalf of the LAMPS WG Chairs,
Russ


> On Sep 15, 2022, at 11:44 AM, Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote:
>
> There has been some discussion of https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-becker-guthrie-cert-binding-for-multi-auth%2F&data=05%7C01%7Caebecke%40uwe.nsa.gov%7Cd4dd908b5872439f1f0408daef96c7fd%7Cd61e9a6ffc164f848a3e6eeff33e136b%7C0%7C0%7C638085728259980926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=nVzReEXbWrb8sHQPdGWv9G95WoP1GiKdjlHZP6DesmA%3D&reserved=0<https://urldefense.com/v3/__https:/gcc02.safelinks.protection.outlook.com/?url=https*3A*2F*2Fdatatracker.ietf.org*2Fdoc*2Fdraft-becker-guthrie-cert-binding-for-multi-auth*2F&data=05*7C01*7Caebecke*40uwe.nsa.gov*7Cd4dd908b5872439f1f0408daef96c7fd*7Cd61e9a6ffc164f848a3e6eeff33e136b*7C0*7C0*7C638085728259980926*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C2000*7C*7C*7C&sdata=nVzReEXbWrb8sHQPdGWv9G95WoP1GiKdjlHZP6DesmA*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!FJ-Y8qCqXTj2!d7f04rwCDRu50-kA9UKkJme_ySd-Afo_1Wb-dRjV7Oezr0g4VpHXxYq1FxaLj8rCLEwQyFlPuSPMoyO5iHbXgQ0o4LMPjD4qXsgkQtebag$>.  During the discussion at IETF 114, we agree to have a call for adoption of this document.
>
> Should the LAMPS WG adopt “Related Certificates for Use in Multiple Authentications within a Protocol” indraft-becker-guthrie-cert-binding-for-multi-auth-01?
>
> Please reply to this message by Friday, 30 September 2022 to voice your support or opposition to adoption.
>
> On behalf of the LAMPS WG Chairs,
> Russ
>

_______________________________________________
Spasm mailing list
Spasm@ietf.org<mailto:Spasm@ietf.org>
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=05%7C01%7Caebecke%40uwe.nsa.gov%7Cd4dd908b5872439f1f0408daef96c7fd%7Cd61e9a6ffc164f848a3e6eeff33e136b%7C0%7C0%7C638085728259980926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=qkCBqRILB587BacZgK9AHy6kqqQmfrTGeqv9dqm1RXg%3D&reserved=0<https://urldefense.com/v3/__https:/gcc02.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.ietf.org*2Fmailman*2Flistinfo*2Fspasm&data=05*7C01*7Caebecke*40uwe.nsa.gov*7Cd4dd908b5872439f1f0408daef96c7fd*7Cd61e9a6ffc164f848a3e6eeff33e136b*7C0*7C0*7C638085728259980926*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C2000*7C*7C*7C&sdata=qkCBqRILB587BacZgK9AHy6kqqQmfrTGeqv9dqm1RXg*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!FJ-Y8qCqXTj2!d7f04rwCDRu50-kA9UKkJme_ySd-Afo_1Wb-dRjV7Oezr0g4VpHXxYq1FxaLj8rCLEwQyFlPuSPMoyO5iHbXgQ0o4LMPjD4qXsjiZu1rhQ$>
_______________________________________________
Spasm mailing list
Spasm@ietf.org<mailto:Spasm@ietf.org>
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=05%7C01%7Caebecke%40uwe.nsa.gov%7Cd4dd908b5872439f1f0408daef96c7fd%7Cd61e9a6ffc164f848a3e6eeff33e136b%7C0%7C0%7C638085728259980926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=qkCBqRILB587BacZgK9AHy6kqqQmfrTGeqv9dqm1RXg%3D&reserved=0<https://urldefense.com/v3/__https:/gcc02.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.ietf.org*2Fmailman*2Flistinfo*2Fspasm&data=05*7C01*7Caebecke*40uwe.nsa.gov*7Cd4dd908b5872439f1f0408daef96c7fd*7Cd61e9a6ffc164f848a3e6eeff33e136b*7C0*7C0*7C638085728259980926*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C2000*7C*7C*7C&sdata=qkCBqRILB587BacZgK9AHy6kqqQmfrTGeqv9dqm1RXg*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!FJ-Y8qCqXTj2!d7f04rwCDRu50-kA9UKkJme_ySd-Afo_1Wb-dRjV7Oezr0g4VpHXxYq1FxaLj8rCLEwQyFlPuSPMoyO5iHbXgQ0o4LMPjD4qXsjiZu1rhQ$>
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
_______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!ZUMS1k83i98StJTO_4kmkV4RQ_MuqXrGbn4F4L_GU8lOAqRV5K-R6YNfePkWN23IZ8NXxkPUZT3av1IHUkQeEYw7$>