Return-Path: X-Original-To: uta@ietfa.amsl.com Delivered-To: uta@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 770F812947C for ; Thu, 5 Jan 2017 04:29:54 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.1 X-Spam-Level: X-Spam-Status: No, score=-5.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IDpIpPplfYEM for ; Thu, 5 Jan 2017 04:29:52 -0800 (PST) Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7621A1288B8 for ; Thu, 5 Jan 2017 04:29:46 -0800 (PST) Received: by mail-yw0-x229.google.com with SMTP id a10so340982713ywa.3 for ; Thu, 05 Jan 2017 04:29:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=R9i/6GCIC2kHRbJikh3wD21irYBEJF8jnVyy2sQtKmM=; b=QnF+JL8XARw+B5AFrJUJWSGUYdrEXMzRVsqCxUxqjIEqF34m0gz/EV4TsGtwAiBh6C JKyCvf4rlHDDqrtF8r5ICHj3LCKGa+qNZaC98+HeA2TFCNQqooXJiYHCaKPYRd1E4j8W Xoa/Rjm3+u3Xas6+7Jv3gIqMW+KkEEmlJ+iaaK1aRitXmRVe1diPioCs8tBAsEqt1nOz o1O8iVH/6puFCdfT5XbzmQX3u/sTg/E3tdq0yf4Cdieg7L+CE3hQnhwyxeo5rDCfsuUe DJHzEFrFf3Fh5fnCH2ek6hN/N3rHizkTE+z2v77mlOgQoG5p3daRRqXcwadLtxTJoAjd LQRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=R9i/6GCIC2kHRbJikh3wD21irYBEJF8jnVyy2sQtKmM=; b=UgBwtWWi2EjwLD+fVfAkb721xuUnXHPyUSpDy4zeSyzsLWSCavpaBiA8GJRBxO7DDe nzNV1UYE55vWwXmdp/XTWrfoMrRZlNY/QUY6mVOMZvFXiJk+1wOmv/fk5VPzGoI/+FJC 1zEvSi1Xk1B16WDTehBmrZhKiC8Uwm76/KKME4slVeBBR7b3hbBFfDqGj/CW2M5/+HtA oh7pHEbMQo4fIxFEcalwfh/fzCiIvYcyFF/biRlhqIDDZWYv3jPC8JGvv2q2HbpNM336 PImmTuwncreu+jmMng0nlJ9KIRDZMivKm9VttE3vfxRog6o3+sqSfzlgOFdZ2pY1X6g3 eRMA== X-Gm-Message-State: AIkVDXIlQw7dZBzqH+2YBQ5Df0LepX/XlE6m8VwmwvGlg+zyV9kX5luxoVHjo+ef2rOGwYjHDrrj/NYatWuFmcob X-Received: by 10.129.173.93 with SMTP id l29mr65696574ywk.351.1483619385287; Thu, 05 Jan 2017 04:29:45 -0800 (PST) MIME-Version: 1.0 Received: by 10.37.217.84 with HTTP; Thu, 5 Jan 2017 04:29:44 -0800 (PST) In-Reply-To: <20170104171617.GE24134@blitiri.com.ar> References: <20170104171617.GE24134@blitiri.com.ar> From: Daniel Margolis Date: Thu, 5 Jan 2017 05:29:44 -0700 Message-ID: To: Alberto Bertogli Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="f403045e8a1a7aa0810545580ec9" Archived-At: Cc: uta@ietf.org Subject: Re: [Uta] MTA-STS - Questions on implementing the latest (02) draft X-BeenThere: uta@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: UTA working group mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Jan 2017 12:29:54 -0000 --f403045e8a1a7aa0810545580ec9 Content-Type: multipart/alternative; boundary=f403045e8a1a71b1dc0545580e18 --f403045e8a1a71b1dc0545580e18 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Inline: On Wed, Jan 4, 2017 at 10:16 AM, Alberto Bertogli wrote: > > Hi! Happy new year! > > I had some time during the holidays and started to do a basic > implementation of the latest MTA-STS draft. > > While doing so, there were a couple of things I wasn't sure about so I'd > thought I'd ask: > > - What happens if the "mx" field is missing from the policy? > Should the MTA skip checking the field but honour the rest of the polic= y, > treat the policy as invalid, or assume no MX is valid? > The "mx" field is required, so if it is missing, the policy is invalid and should not be honored. (It doesn't make sense to honor the policy anyway, I would say, since a policy without allowed MXs is essentially a way of saying, "There should be TLS and the server identity should match the MX, whatever the MX is." I guess this prevents SSL stripping, but doesn't prevent DNS injection, so it's of relatively little value.) > - For the case of an internationalized domain name, the "mx" field should > include domain patterns in their U form (e.g. "*.=C3=B1aca.com > "), A form > ("*.*.xn--aca-6ma.com"), or both can be present? > I suppose this is underspecified in the draft! I would say based on https://tools.ietf.org/html/rfc6125#section-6.4.2 that it makes the most sense for this to be in the A-form, since otherwise the MTA would have to convert to the A form for checking. What do you think? I proably can make a quick change to clarify this if it seems reasonable to those on this list. > - The TXT record is on "_mta-sts" but the policy is on "mta-sts". Is that > intentional? Why not putting both on the same domain, to simplify thing= s? > Yes, this is intentional. The underscore in "_mta-sts" was kept to be similar to that in (e.g.) _dmarc TXT records, but for the HTTP host this seemed inadvisable: https://www.ietf.org/mail-archive/web/uta/current/msg01524.html. > > - The draft says that clients MUST check the TXT record, but it seems to = me > it's totaly possible to make a reasonable implementation without doing > so. > Is it worth using "MUST" for this? > I imagine this is related to the previous discussion we had, but > forcing MTAs to check seemed quite strong so I was wondering if > there was something else. > I think there's some utility in specifying this as at least a SHOULD so as to ensure common behavior--otherwise, a recipient domain that updates its HTTP but not TXT will work some of the time for some senders, I guess? That seems risky. But need it be a MUST? Probably not. The truth of the matter is, as you say, that nobody would really know (except from slightly higher request rates) if your implementation did HTTP-only. ;) I'm open to making this a SHOULD, but it's not something I have a strong feeling about one way or another. What do you (and others) think--worth changing to SHOULD? Better to keep a "MUST"? > > > Thanks! > Alberto > > > In case you're curious, the implementation I have so far is at > https://blitiri.com.ar/git/r/chasquid/b/sts/, in particular > https://blitiri.com.ar/git/r/chasquid/c/febad008f38c9ac980a4c0a6179a76 > 81fed7f125/ > (patch and branch are subject to rebasing). > > It's mostly fetching, parsing and checking. It has no caching or > reporting yet; I will add them later, but thought these questions are > independent anyway. > I feel slightly bad for not having shared this earlier, but I wrote a toy implementation here: https://github.com/danmarg/smtp-sts. As with yours, it does not do caching or reporting; I wrote it merely to power this: http://sts.x.af0.net. Feel free to copy any code you like, of course, though it's a little late for that. ;) > > The integration into the MTA itself will come later too, but I expect it > to be roughly similar to the integration into the smtp-check tool, which > is included. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta > --f403045e8a1a71b1dc0545580e18 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Inli= ne:

On= Wed, Jan 4, 2017 at 10:16 AM, Alberto Bertogli <albertito@blitiri.= com.ar> wrote:

Hi! Happy new year!

I had some time during the holidays and started to do a basic
implementation of the latest MTA-STS draft.

While doing so, there were a couple of things I wasn't sure about so I&= #39;d
thought I'd ask:

- What happens if the "mx" field is missing from the policy?
=C2=A0 Should the MTA skip checking the field but honour the rest of the po= licy,
=C2=A0 treat the policy as invalid, or assume no MX is valid?

The "mx" field is required, so if it is mi= ssing, the policy is invalid and should not be honored. (It doesn't mak= e sense to honor the policy anyway, I would say, since a policy without all= owed MXs is essentially a way of saying, "There should be TLS and the = server identity should match the MX, whatever the MX is." I guess this= prevents SSL stripping, but doesn't prevent DNS injection, so it's= of relatively little value.)=C2=A0
=C2=A0
- For the case of an internationalized domain name, the "mx" fiel= d should
=C2=A0 include domain patterns in their U form (e.g. "*.=C3=B1aca.com= "), A form
=C2=A0 ("*.*.xn--aca-6ma.com"), or both can be present?

I suppose this is underspecified in the draft!<= /div>

I would say based on https://tools.ietf.org/html/rfc6125#sectio= n-6.4.2 that it makes the most sense for this to be in the A-form, sinc= e otherwise the MTA would have to convert to the A form for checking. What = do you think?=C2=A0

I proably can make a quick cha= nge to clarify this if it seems reasonable to those on this list.=C2=A0
=C2=A0
- The TXT record is on "_mta-sts" but the policy is on "mta-= sts". Is that
=C2=A0 intentional? Why not putting both on the same domain, to simplify th= ings?

Yes, this is intentional. The und= erscore in "_mta-sts" was kept to be similar to that in (e.g.) _d= marc TXT records, but for the HTTP host this seemed inadvisable:=C2=A0http= s://www.ietf.org/mail-archive/web/uta/current/msg01524.html.=C2=A0
=C2=A0

- The draft says that clients MUST check the TXT record, but it seems to me=
=C2=A0 it's totaly possible to make a reasonable implementation without= doing so.
=C2=A0 Is it worth using "MUST" for this?
=C2=A0 I imagine this is related to the previous discussion we had, but
=C2=A0 forcing MTAs to check seemed quite strong so I was wondering if
=C2=A0 there was something else.

I thin= k there's some utility in specifying this as at least a SHOULD so as to= ensure common behavior--otherwise, a recipient domain that updates its HTT= P but not TXT will work some of the time for some senders, I guess? That se= ems risky.=C2=A0

But need it be a MUST? Probably n= ot. The truth of the matter is, as you say, that nobody would really know (= except from slightly higher request rates) if your implementation did HTTP-= only. ;)=C2=A0

I'm open to making this a SHOUL= D, but it's not something I have a strong feeling about one way or anot= her. What do you (and others) think--worth changing to SHOULD? Better to ke= ep a "MUST"?
=C2=A0


Thanks!
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Alberto


In case you're curious, the implementation I have so far is at
https://blitiri.com.ar/git/r/chasquid/b/sts/, i= n particular
https://blitiri.com= .ar/git/r/chasquid/c/febad008f38c9ac980a4c0a6179a7681fed7f12= 5/
(patch and branch are subject to rebasing).

It's mostly fetching, parsing and checking. It has no caching or
reporting yet; I will add them later, but thought these questions are
independent anyway.

I feel slightly bad= for not having shared this earlier, but I wrote a toy implementation here:= =C2=A0https://github.com/da= nmarg/smtp-sts. As with yours, it does not do caching or reporting; I w= rote it merely to power this: http://sts.x= .af0.net.=C2=A0

Feel free to copy any code you= like, of course, though it's a little late for that. ;)=C2=A0
=C2=A0

The integration into the MTA itself will come later too, but I expect it to be roughly similar to the integration into the smtp-check tool, which is included.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta

--f403045e8a1a71b1dc0545580e18-- --f403045e8a1a7aa0810545580ec9 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIS7QYJKoZIhvcNAQcCoIIS3jCCEtoCAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0BBwGg ghBTMIIEXDCCA0SgAwIBAgIOSBtqDm4P/739RPqw/wcwDQYJKoZIhvcNAQELBQAwZDELMAkGA1UE BhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExOjA4BgNVBAMTMUdsb2JhbFNpZ24gUGVy c29uYWxTaWduIFBhcnRuZXJzIENBIC0gU0hBMjU2IC0gRzIwHhcNMTYwNjE1MDAwMDAwWhcNMjEw NjE1MDAwMDAwWjBMMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEiMCAG A1UEAxMZR2xvYmFsU2lnbiBIViBTL01JTUUgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBALR23lKtjlZW/17kthzYcMHHKFgywfc4vLIjfq42NmMWbXkNUabIgS8KX4PnIFsTlD6F GO2fqnsTygvYPFBSMX4OCFtJXoikP2CQlEvO7WooyE94tqmqD+w0YtyP2IB5j4KvOIeNv1Gbnnes BIUWLFxs1ERvYDhmk+OrvW7Vd8ZfpRJj71Rb+QQsUpkyTySaqALXnyztTDp1L5d1bABJN/bJbEU3 Hf5FLrANmognIu+Npty6GrA6p3yKELzTsilOFmYNWg7L838NS2JbFOndl+ce89gM36CW7vyhszi6 6LqqzJL8MsmkP53GGhf11YMP9EkmawYouMDP/PwQYhIiUO0CAwEAAaOCASIwggEeMA4GA1UdDwEB /wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwEgYDVR0TAQH/BAgwBgEB/wIB ADAdBgNVHQ4EFgQUyzgSsMeZwHiSjLMhleb0JmLA4D8wHwYDVR0jBBgwFoAUJiSSix/TRK+xsBtt r+500ox4AAMwSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9n c3BlcnNvbmFsc2lnbnB0bnJzc2hhMmcyLmNybDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBKDA0MDIG CCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzANBgkqhkiG 9w0BAQsFAAOCAQEACskdySGYIOi63wgeTmljjA5BHHN9uLuAMHotXgbYeGVrz7+DkFNgWRQ/dNse Qa4e+FeHWq2fu73SamhAQyLigNKZF7ZzHPUkSpSTjQqVzbyDaFHtRBAwuACuymaOWOWPePZXOH9x t4HPwRQuur57RKiEm1F6/YJVQ5UTkzAyPoeND/y1GzXS4kjhVuoOQX3GfXDZdwoN8jMYBZTO0H5h isymlIl6aot0E5KIKqosW6mhupdkS1ZZPp4WXR4frybSkLejjmkTYCTUmh9DuvKEQ1Ge7siwsWgA NS1Ln+uvIuObpbNaeAyMZY0U5R/OyIDaq+m9KXPYvrCZ0TCLbcKuRzCCBB4wggMGoAMCAQICCwQA AAAAATGJxkCyMA0GCSqGSIb3DQEBCwUAMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAt IFIzMRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTExMDgwMjEw MDAwMFoXDTI5MDMyOTEwMDAwMFowZDELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24g bnYtc2ExOjA4BgNVBAMTMUdsb2JhbFNpZ24gUGVyc29uYWxTaWduIFBhcnRuZXJzIENBIC0gU0hB MjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCg/hRKosYAGP+P7mIdq5NB Kr3J0tg+8lPATlgp+F6W9CeIvnXRGUvdniO+BQnKxnX6RsC3AnE0hUUKRaM9/RDDWldYw35K+sge C8fWXvIbcYLXxWkXz+Hbxh0GXG61Evqux6i2sKeKvMr4s9BaN09cqJ/wF6KuP9jSyWcyY+IgL6u2 52my5UzYhnbf7D7IcC372bfhwM92n6r5hJx3r++rQEMHXlp/G9J3fftgsD1bzS7J/uHMFpr4MXua eoiMLV5gdmo0sQg23j4pihyFlAkkHHn4usPJ3EePw7ewQT6BUTFyvmEB+KDoi7T4RCAZDstgfpzD rR/TNwrK8/FXoqnFAgMBAAGjgegwgeUwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C AQEwHQYDVR0OBBYEFCYkkosf00SvsbAbba/udNKMeAADMEcGA1UdIARAMD4wPAYEVR0gADA0MDIG CCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzA2BgNVHR8E LzAtMCugKaAnhiVodHRwOi8vY3JsLmdsb2JhbHNpZ24ubmV0L3Jvb3QtcjMuY3JsMB8GA1UdIwQY MBaAFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQACAFVjHihZCV/IqJYt 7Nig/xek+9g0dmv1oQNGYI1WWeqHcMAV1h7cheKNr4EOANNvJWtAkoQz+076Sqnq0Puxwymj0/+e oQJ8GRODG9pxlSn3kysh7f+kotX7pYX5moUa0xq3TCjjYsF3G17E27qvn8SJwDsgEImnhXVT5vb7 qBYKadFizPzKPmwsJQDPKX58XmPxMcZ1tG77xCQEXrtABhYC3NBhu8+c5UoinLpBQC1iBnNpNwXT Lmd4nQdf9HCijG1e8myt78VP+QSwsaDT7LVcLT2oDPVggjhVcwljw3ePDwfGP9kNrR+lc8XrfClk WbrdhC2o4Ui28dtIVHd3MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAw TDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24x EzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4MTAwMDAwWjBMMSAw HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEG A1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5Bngi FvXAg7aEyiie/QV2EcWtiHL8RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X 17YUhhB5uzsTgHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zdQQ4gOsC0p6Hp sk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZXriX7613t2Saer9fwRPvm2L7 DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF MAMBAf8wHQYDVR0OBBYEFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBL QNvAUKr+yAzv95ZURUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25s bwMpjjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK6fBdRoyV 3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyr VQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E 7gUJTb0o2HLO02JQZR7rkpeDMdmztcpHWD9fMIIEajCCA1KgAwIBAgIMefUloYHzSGHxvhoTMA0G CSqGSIb3DQEBCwUAMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIw IAYDVQQDExlHbG9iYWxTaWduIEhWIFMvTUlNRSBDQSAxMB4XDTE2MTEyMjE4NDIxM1oXDTE3MDUy MTE4NDIxM1owJTEjMCEGCSqGSIb3DQEJAQwUZG1hcmdvbGlzQGdvb2dsZS5jb20wggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVZeMgUxvBZAIC2QAMYEvZok17Coe5EZf6rdTm4bN/hx8+ q9CiMoFwC7tXxS091f9wnwQv9TZBRfYZq3/Z1u7WF1MSj1X8Ddfo+/y2ae5sf/Stn8mCKvRF2kVd yrG5pfiD3re49+a5SIOA/EXF8nIc5tT52XGLyQ7X4OH85pFc0KJW5DoXjUhlYMdMuLcVZxgmMyF0 TM3y3zJ82oXwXbjGxzyoBGiCMZ7SazcvUiH6l/dXE8ITtMNSl2JfV4zuPLRrq8M+8VSw4TZ0WdHR iEH66x2WPkP2GHB2VzMAe5MT03fS4xY7PzOHnrX+LXUGPBz8SLopJATblErlv4am5cGPAgMBAAGj ggFxMIIBbTAfBgNVHREEGDAWgRRkbWFyZ29saXNAZ29vZ2xlLmNvbTBQBggrBgEFBQcBAQREMEIw QAYIKwYBBQUHMAKGNGh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzaHZzbWlt ZWNhMS5jcnQwHQYDVR0OBBYEFN9KM4M2uNz3WAAm1cJXg4N5P0o/MB8GA1UdIwQYMBaAFMs4ErDH mcB4koyzIZXm9CZiwOA/MEwGA1UdIARFMEMwQQYJKwYBBAGgMgEoMDQwMgYIKwYBBQUHAgEWJmh0 dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDsGA1UdHwQ0MDIwMKAuoCyGKmh0 dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NodnNtaW1lY2ExLmNybDAOBgNVHQ8BAf8EBAMCBaAw HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQB6v2N2ySCp H9nWObqr0Vt4DnGPi1eIgcyagCKHkxcLYw/chdimjGaNvv91Y7wZVUQuulgC8cXN4uQ80A4TXGWW o03viEEa1lSd4KcdrBDOnYipjH3h2/aTs9KArFH12Rk0o2Bjl7zeXLWVyafWfTY06DqBNtWw5D1N XynQNh6eoH33VxfpUo7aMdY+tpPXdrQ0PWjSY1M1jjYGf6++hhfh91QBGsiaVUw6QSL0qS/Ib6tg 5wPUGBUTjS1QkSousJTh61Gy9miSCGK+bMPflop+32V08iIy+vKPAYrdhlbZb+s75CLDMDY52g27 8Khm2RrbmO+9D86TfsmHlIPvWfo/MYICXjCCAloCAQEwXDBMMQswCQYDVQQGEwJCRTEZMBcGA1UE ChMQR2xvYmFsU2lnbiBudi1zYTEiMCAGA1UEAxMZR2xvYmFsU2lnbiBIViBTL01JTUUgQ0EgMQIM efUloYHzSGHxvhoTMA0GCWCGSAFlAwQCAQUAoIHUMC8GCSqGSIb3DQEJBDEiBCA0gAQW0dGEXCcO kaptUL8vd2RE2w6tnQYPGnHXCFWb7zAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3 DQEJBTEPFw0xNzAxMDUxMjI5NDVaMGkGCSqGSIb3DQEJDzFcMFowCwYJYIZIAWUDBAEqMAsGCWCG SAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwCwYJKoZIhvcNAQEKMAsGCSqGSIb3DQEB BzALBglghkgBZQMEAgEwDQYJKoZIhvcNAQEBBQAEggEAbaJHjFbIj54VvpthVKtx+Gu27zsqGjWJ TsB2bQc8vmzEifznUwG1kC7LCCXpVSfXNdMQWYimPAoH++35eg66ccyj3pVG9NoYuChsF6Y3ZfzF dlQX81XFTNmT8RpwJTe5pN5gtwYzrS6uP+9SX0gK9+fNamvKOBFQUdr42NDmFivfXgsku6Mdm4k6 8TGzr+wAAkDkJKNKtbigUoWJ6n0J46ZFPUQf/3JZk7ngwui9tk9BqsZeNPQNyvuqJwrAeFJcqg6g Bwm/UIHs8AKQTOSOYCZBxTr6Tvfvq7cJM2jHUYc93lU7Noj8lHcuLac/gyrO3rK1Z2fLjKDbY/4L BLm51g== --f403045e8a1a7aa0810545580ec9--