
From deian@eng.ucsd.edu  Sat Apr  1 13:32:44 2017
Return-Path: <deian@eng.ucsd.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9053B124BE8 for <saag@ietfa.amsl.com>; Sat,  1 Apr 2017 13:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eng.ucsd.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o1xIwyfn-rQZ for <saag@ietfa.amsl.com>; Sat,  1 Apr 2017 13:32:42 -0700 (PDT)
Received: from mail-pg0-x242.google.com (mail-pg0-x242.google.com [IPv6:2607:f8b0:400e:c05::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 591191293FC for <saag@ietf.org>; Sat,  1 Apr 2017 13:32:42 -0700 (PDT)
Received: by mail-pg0-x242.google.com with SMTP id o123so22965231pga.1 for <saag@ietf.org>; Sat, 01 Apr 2017 13:32:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=eng.ucsd.edu; s=google; h=sender:from:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kKJe9TG9kJE3C8Zw1ooyCUKThu6ZdGoNY7sVsGepixs=; b=O/rnZ/MlnTd1sCxG75RnIve12kBwp26ECTv8FX3aBElVJ85LeF4NjwKpGikJ0g7B8z nztlCAs2pvYveHhWiVcWpngkvESiIofPFg756OYIpRAO6pqZ+UhonsHfVEiVaxu6ZdQW 48siPjsu8BpHdq5UL3buxWPnh0+jiFhpJtjoU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:mime-version:subject:in-reply-to :date:cc:content-transfer-encoding:message-id:references:to; bh=kKJe9TG9kJE3C8Zw1ooyCUKThu6ZdGoNY7sVsGepixs=; b=jmIHySW5m5xWcEejbE68Q6Tu+h7AY91OdOoNZIqN/Rc5raaMLDfAt+p1D28S81qYqt pAWSjkiL34d543/uerArB1G4qtTOy46tHZInhC0rNINv/mZIB5Rx+4XkOoKcRUa/fRe+ +7KAzPpBUryAMvEFjCfQNAJ0aGq+zAen6jcCU70b6MNbVASJAljQJD0R2q9wsLTl7tJk TrCY/Cl7chAWHH9c3RwYs9way97BKLpBeUb+GORpJI+Hzux5b6cdnaOAsNye42Mj+nDW 3/myBDZuHaoJ2fl1rfR6Jz2ByX/rm9V5BW6VW0YR9EU8jeugwdANJN8iJJjAhVyjkqa2 6LaQ==
X-Gm-Message-State: AFeK/H3puMqgB4kU9l6kGwWOS0y8hY4tDPULCu+T3v7/AwX5iZweKE8oMj8EEONGT6uZCiCw
X-Received: by 10.99.115.16 with SMTP id o16mr9424676pgc.4.1491078761904; Sat, 01 Apr 2017 13:32:41 -0700 (PDT)
Received: from [192.168.1.4] ([192.80.7.66]) by smtp.gmail.com with ESMTPSA id l29sm17513494pfb.118.2017.04.01.13.32.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 01 Apr 2017 13:32:40 -0700 (PDT)
Sender: Deian Stefan <deian@eng.ucsd.edu>
From: Deian Stefan <deian@cs.ucsd.edu>
X-Google-Original-From: Deian Stefan <Deian@cs.ucsd.edu>
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
In-Reply-To: <CABcZeBNdTxT0A6g6T+=1N7_0OEryekFqYfJHb-ej9OV_qTuafQ@mail.gmail.com>
Date: Sat, 1 Apr 2017 13:32:39 -0700
Cc: David Mazieres expires 2017-06-27 PDT <mazieres-7kjfd7jny6nqhpqvs8psccye9s@temporary-address.scs.stanford.edu>,  Paul Hoffman <paul.hoffman@vpnc.org>, ilc@ietf.org, "saag@ietf.org" <saag@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D5143FB8-7415-485A-BDF8-35D0EC2AFC41@cs.ucsd.edu>
References: <7A8F415A-3BE0-46D4-80FF-B8DB50634B94@vpnc.org> <87inmsxq9f.fsf@ta.scs.stanford.edu> <CABcZeBNdTxT0A6g6T+=1N7_0OEryekFqYfJHb-ej9OV_qTuafQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/rl5OXniVbVP0AhiwocCvEhVf93Y>
Subject: Re: [saag] [Ilc]  Distributed ledgers and control
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Apr 2017 20:34:41 -0000

On Wed, Mar 29, 2017 at 6:24 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On Wed, Mar 29, 2017 at 6:43 AM, David Mazieres
> <dm-list-ietf-ilc@scs.stanford.edu> wrote
>>
>> Furthermore, the notion of a blockchain-esque public log can be
>> leveraged for various forms of transparency.  For instance, last year
>> there was a controversy in which Apple claimed to refuse an FBI request
>> to sign a special compromised iPhone bootloader.  Unfortunately, for all
>> we know, Apple may have signed the software after all while claiming not
>> to for the PR benefit.  That they probably didn't yields the worst of
>> both worlds--angering the FBI and still spooking potential customers.
>> Requiring firmware updates to be published in a public log would allow
>> the public to verify whether or not such activity is happening.
>
>
> Just for those who may not be tracking this kind of work, this is something
> that's starting to happen, though typically with semi-centralized consensus
> mechanisms. In that form, it's generally known as "Binary Transparency".
>
> See, for instance:
>
> - https://groups.google.com/forum/#!forum/binary-transparency
> and
> - https://wiki.mozilla.org/Security/Binary_Transparency

Piggybacking on CT seems pretty interesting (and pretty clever!). For
things like Firefox releases this is also likely sufficient. I think this
problem gets a bit more complicated when you have many different parties
that are releasing software.

I’ve been meaning to chime in on this list especially since David I think
talked about it in the in-person meeting: one thing we’ve been looking at
UCSD is how to build uncurated package management systems/software
distribution systems like npm <https://www.npmjs.com/> where average
developers or CI tools push releases. We have a short position paper
describing the beginning of this work here:

- https://cseweb.ucsd.edu/~dstefan/pubs/brown:2017:spam.pdf (or http://spam.programming.systems)

Beyond transparency, we also want to (1) allow developers to mark certain
versions of packages as vulnerable (2) provide key continuity to avoid
burdening developers with key management and revocation and (3) make it
easy to write tooling and policies to really make it possible to only
install packages/libraries you trust.

The blockchain-esque public log is hugely important for what we’re trying
to do because we’re trying to manage not only project data/metadata, but
also user data/metadata. Moreover, we really care about latency: a
developer waiting 15 minutes to publish a package is likely a
deal-breaker.

-deian
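The public log that David and Deian describe above (release published in an append-only log, anyone able to verify that what they installed is what was logged, developers able to mark a version vulnerable) can be made concrete with a small Merkle-tree log. The following is an added example written for this archive; it is not code from the thread, from Mozilla's Binary Transparency, or from the UCSD paper. The hashing follows RFC 6962 (the same construction CT uses); the record schema ("release" and "vulnerable" entries), the `installable` policy and the sample package names and digests are assumptions constructed for illustration.

```python
"""Minimal binary/package transparency log: an append-only Merkle tree with
RFC 6962 hashing, inclusion proofs, and a client-side install policy.
Added illustration for the thread; not code from Mozilla's Binary Transparency,
the UCSD paper or any project named in it. The record schema ('release' /
'vulnerable') and the install policy are assumptions."""
import hashlib
import json

# RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes,
# so a leaf can never be passed off as an interior node (or vice versa).
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (n > 1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(hashes: list) -> bytes:
    """Merkle Tree Hash over leaf hashes (the empty tree hashes the empty string)."""
    if not hashes:
        return hashlib.sha256(b"").digest()
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))

def inclusion_path(hashes: list, m: int) -> list:
    """Sibling hashes needed to recompute the root from leaf m (RFC 6962 PATH)."""
    if len(hashes) <= 1:
        return []
    k = _split(len(hashes))
    if m < k:
        return inclusion_path(hashes[:k], m) + [merkle_root(hashes[k:])]
    return inclusion_path(hashes[k:], m - k) + [merkle_root(hashes[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    """Client-side check (RFC 9162 s2.1.3.2) using only the proof, never the other entries."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)        # sibling sits to the left
            while not fn & 1 and fn:   # skip levels where this node had no sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)        # sibling sits to the right
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def encode(record: dict) -> bytes:
    """Canonical entry bytes; the log itself is just an ordered list of these."""
    return json.dumps(record, sort_keys=True).encode()

def installable(log: list, name: str, version: str, digest: str) -> bool:
    """Assumed client policy: install only if a 'release' record with this
    name/version/digest is proven included under the published root, and no
    'vulnerable' record for the same name/version exists anywhere in the log."""
    hashes = [leaf_hash(e) for e in log]
    root, size, proven = merkle_root(hashes), len(log), False
    for i, raw in enumerate(log):
        rec = json.loads(raw)
        if rec.get("name") != name or rec.get("version") != version:
            continue
        if rec["type"] == "vulnerable":
            return False
        if rec["type"] == "release" and rec["sha256"] == digest:
            proven |= verify_inclusion(hashes[i], i, size, inclusion_path(hashes, i), root)
    return proven

def demo() -> dict:
    """Constructed sample log (not real packages, digests or advisories)."""
    d100 = hashlib.sha256(b"example-lib-1.0.0 tarball").hexdigest()
    d101 = hashlib.sha256(b"example-lib-1.0.1 tarball").hexdigest()
    log = [encode({"type": "release", "name": "example-lib", "version": "1.0.0", "sha256": d100}),
           encode({"type": "release", "name": "example-lib", "version": "1.0.1", "sha256": d101}),
           encode({"type": "vulnerable", "name": "example-lib", "version": "1.0.1"})]
    hs = [leaf_hash(e) for e in log]
    return {
        "logged_release": installable(log, "example-lib", "1.0.0", d100),
        "wrong_digest": installable(log, "example-lib", "1.0.0", "ff" * 32),
        "marked_vulnerable": installable(log, "example-lib", "1.0.1", d101),
        "never_published": installable(log, "example-lib", "2.0.0", d100),
        "proof_at_wrong_index": verify_inclusion(hs[0], 1, 3, inclusion_path(hs, 0), merkle_root(hs)),
    }

def all_proofs_verify(n: int) -> bool:
    """Every leaf of an n-entry constructed log must prove its own inclusion."""
    hs = [leaf_hash(encode({"type": "release", "name": "p", "version": str(i), "sha256": "00" * 32}))
          for i in range(n)]
    root = merkle_root(hs)
    return all(verify_inclusion(hs[i], i, n, inclusion_path(hs, i), root) for i in range(n))
```

Two things the code shows that the prose does not. First, the client never needs the whole log to check one release: `verify_inclusion` recomputes the root from a log2(n)-length path, which is what keeps the check cheap for a CT-sized log. Second, the policy question Deian raises (marking a version vulnerable) fits the same structure as the release itself: a later "vulnerable" entry is just another logged record, so the same inclusion machinery lets a client prove that the warning exists. In a deployment the root would arrive as a signed tree head from the log operator and the client would additionally verify a consistency proof between successive roots to detect a log that rewrites history; here both root and entries come from the same list, so only the proof arithmetic is exercised.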


From nobody Sun Apr  2 21:13:41 2017
Return-Path: <iang@iang.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DC68126D73 for <saag@ietfa.amsl.com>; Sun,  2 Apr 2017 21:13:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3Y7anA295ou for <saag@ietfa.amsl.com>; Sun,  2 Apr 2017 21:13:37 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D543127078 for <saag@ietf.org>; Sun,  2 Apr 2017 21:13:37 -0700 (PDT)
Received: from plata.local (unknown [184.170.93.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by virulha.pair.com (Postfix) with ESMTPSA id 91C186D57F; Mon,  3 Apr 2017 00:13:36 -0400 (EDT)
To: saag@ietf.org
References: <7A8F415A-3BE0-46D4-80FF-B8DB50634B94@vpnc.org>
From: iang <iang@iang.org>
Message-ID: <56344012-6710-1483-fb52-c81b1ab93428@iang.org>
Date: Mon, 3 Apr 2017 00:13:36 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <7A8F415A-3BE0-46D4-80FF-B8DB50634B94@vpnc.org>
Content-Type: multipart/alternative; boundary="------------DABEBB8B69349FF7F225CCB4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Q8sKi0yoDPLtcw7Acffn1Riib-Y>
Subject: Re: [saag] Distributed ledgers and control
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 04:13:40 -0000

This is a multi-part message in MIME format.
--------------DABEBB8B69349FF7F225CCB4
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

Referring to the article.

I'd argue (and it's arguable) that governance is out of scope of the IETF.

    > *Regardless of the model, my point is that blockchain
    technologies cannot escape the problem of governance.*

Full agreement.

    > And this leads me to my final point, a provocation: *once you address
    the problem of governance, you no longer need blockchain;* you can
    just as well use conventional technology that assumes a trusted
    central party to enforce the rules, because you’re already trusting
    somebody (or some organization/process) to make the rules. I call
    this blockchain’s ‘governance paradox’: once you master it, you no
    longer need it.

I agree that blockchain has no easy answers to governance, apparently.  
But...

The paradox is only assuming that governance is of a form to replace or 
neuter the distributed nature of blockchain.  This is not necessarily 
so.  Designs have been deployed (bitshares, steem to my knowledge) that 
distributed the voting for changes onto the chain itself.  Other designs 
have been mooted (DAMN, my work) that resolve disputes after the fact 
and preserve the entry of parties without being denied by governance (in 
other words, work happily with pseudonyms).

In short, governance is how we as humans govern the system, and while 
powerful third parties are popular solutions, they are by no means the 
only solution.  The challenge is to improve the existing governance 
mechanisms of extant blockchains and not lose the benefit in the 
process.  Or to design new blockchains around distributed governance 
mechanisms where the older designs fall short.

iang


ps: on R3's Corda design:

     > Indeed, R3’s design seems to have something called “uniqueness
    services”, which look a lot like trusted third-party enforcers
    (though this isn’t clear from the white paper
    <https://static1.squarespace.com/static/55f73743e4b051cfcc0b02cf/t/57bda2fdebbd1acc9c0309b2/1472045822585/corda-introductory-whitepaper-final.pdf>).
    RSCoin likewise relies entirely on trusted third parties.

although I accept it might be hard to read in the Intro because there is 
so much packed into the paper - the 'uniqueness service' isn't obligatory 
or centralised.  Firstly, the design is that the developer of a contract 
can choose where in the protocol flow of a contract a race 
condition or similar might occur, and at that point a third party is 
brought on to do that mediation.  Secondly, the choice of the third 
party is left to the parties to the contract; they can use themselves, 
or someone else, or they can rotate.  Thirdly, the use of the third 
party is (in some handwavy sense) not dependent on the nature of the 
transaction.  In sum, the third party 'uniqueness service' can be 
organised in such a way that he does not become a de facto enforcer.  
Disclosure - I was co-author on the Intro white paper.

RSCoin is of course a completely separate beast - it is a digital cash 
server oriented from the start to one issuer, one governance, one huge 
cash issue.  Centralised administration was assumed, as far as I can see 
(I've read the paper and heard a talk, I suppose there could be 
something I missed).



On 28/03/2017 14:38, Paul Hoffman wrote:
> Greetings. A few folks have recently been discussing which ledger and 
> ledger-esque protocols should be used with upcoming IETF protocols. It 
> is easy to conflate the governance of the ledger with its uses. A good 
> article that helps make the distinction is:
>
> https://www.oii.ox.ac.uk/blog/the-blockchain-paradox-why-distributed-ledger-technologies-may-do-little-to-transform-the-economy/ 
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


--------------DABEBB8B69349FF7F225CCB4--


From nobody Mon Apr  3 00:10:53 2017
Return-Path: <oscar.garcia-morchon@philips.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 639FD127097 for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 00:10:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.922
X-Spam-Level: 
X-Spam-Status: No, score=-1.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=philips.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wBrOP6FBFjnb for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 00:10:44 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0139.outbound.protection.outlook.com [104.47.0.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22DBE12708C for <saag@ietf.org>; Mon,  3 Apr 2017 00:10:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Philips.onmicrosoft.com; s=selector1-philips-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=GRJtNzg4M3dwbIdc1EFxCV+oY1rGGsQOizFdjGDplqM=; b=SqHruLWfOfai7o/njmbnKcNkQllJl4wnHY1K/CPLO5IfV6VrEDU3Lz/G/b5CfI3b25FwjZSSrRnPbI+x1qAgovxgjm1Tpi8GZs4AvoACDJoBW5KhXdastuQ3tceVgMpx30RdfRkzA/3ou5UARntUjHj4i3K1v65T84kQ1BCobow=
Received: from DB5P122CA0002.EURP122.PROD.OUTLOOK.COM (129.75.100.208) by HE1P122MB0025.EURP122.PROD.OUTLOOK.COM (129.75.100.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.10; Mon, 3 Apr 2017 07:10:40 +0000
Received: from AM1FFO11FD040.protection.gbl (2a01:111:f400:7e00::113) by DB5P122CA0002.outlook.office365.com (2603:10a6:20:2::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.10 via Frontend Transport; Mon, 3 Apr 2017 07:10:40 +0000
Authentication-Results: spf=neutral (sender IP is 23.103.228.68) smtp.mailfrom=philips.com; irtf.org; dkim=none (message not signed) header.d=none;irtf.org; dmarc=none action=none header.from=philips.com;
Received-SPF: Neutral (protection.outlook.com: 23.103.228.68 is neither permitted nor denied by domain of philips.com)
Received: from 011-smtp-out.Philips.com (23.103.228.68) by AM1FFO11FD040.mail.protection.outlook.com (10.174.64.229) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.5 via Frontend Transport; Mon, 3 Apr 2017 07:10:39 +0000
Received: from DB5PR9001MB0165.MGDPHG.emi.philips.com (141.251.190.209) by DBXPR90MB0159.MGDPHG.emi.philips.com (141.251.118.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.10; Mon, 3 Apr 2017 07:10:38 +0000
Received: from DB5PR9001MB0165.MGDPHG.emi.philips.com ([141.251.190.209]) by DB5PR9001MB0165.MGDPHG.emi.philips.com ([141.251.190.209]) with mapi id 15.01.1005.014; Mon, 3 Apr 2017 07:10:38 +0000
From: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>
To: "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>
CC: "Kumar, Sandeep" <sandeep.kumar@philips.com>, Mohit Sethi <mohit.m.sethi@ericsson.com>
Thread-Topic: New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
Thread-Index: AQHSqhfOYH/eADzk1kGNnz4+4VUtI6GzOqGg
Date: Mon, 3 Apr 2017 07:10:38 +0000
Message-ID: <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com>
In-Reply-To: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [62.140.132.44]
X-MS-Office365-Filtering-Correlation-Id: 4868cca0-37b8-4198-b19e-08d47a608900
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OrganizationHeadersPreserved: DBXPR90MB0159.MGDPHG.emi.philips.com
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:23.103.228.68; IPV:NLI; CTRY:; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(39410400002)(39850400002)(39400400002)(39450400003)(39860400002)(39840400002)(2980300002)(189002)(199003)(377454003)(377424004)(13464003)(9170700003)(2906002)(356003)(53546009)(33646002)(53936002)(15650500001)(55016002)(2900100001)(4326008)(106466001)(7736002)(105586002)(6306002)(305945005)(108616004)(230783001)(54906002)(38730400002)(54356999)(50986999)(5660300001)(76176999)(86362001)(6116002)(102836003)(189998001)(3846002)(8936002)(8676002)(23676002)(66066001)(81166006)(24736003)(229853002)(2501003)(2950100002)(7696004); DIR:OUT; SFP:1102; SCL:1; SRVR:HE1P122MB0025; H:011-smtp-out.Philips.com; FPR:; SPF:Neutral; MLV:sfv; MX:1; A:1; LANG:en; 
X-Microsoft-Exchange-Diagnostics: 1; AM1FFO11FD040; 1:JYc0O0DaRFmzARlO+WOzsrOl2jzfHu5ThGIJQDola++xtNhOz1cZJ9UiuoMxc7URNc9U3SkkrTkrYk1Q0Km2KVbGiihwzZ5SXhtOB9N7RGMoVAIWO5yg5ZQ1vxauDGFaWHVh0T+mhIFnNeV4n6f1N2EHY3iaAwwDzqcQ+o1P4Qvqy2SwZc3OhSViOGRcI54d/9zLG3hCLCM/5wL7w1/lpmJykBHk9Vxj7/E+gVFy5zTVQrmox7acgYWz247ImtOL8ZetmOWlx7xOtrmEDlYLmI9wn96cCibLJK4AvvuynBCy1j6a7vdEC3rFBhxs7HNeVMKjGFvIAc0bmkhI6kb/YXC9zwVHrT/pchgTPuqGH8ut1Q1CZf3F034+gjxkpzvVXK1f0yP2lQLR4eUBPMExGZCWiJkKn07cbk8eTW1jFAnhUsLKJzYswkP+OivslZPieEFca/dl8Sh64ZmOR/DXSofPhA6kyeaEGzZ4N0sE8tgI9tu7PbX+nJBM0YEAxw4a+xstrpZFVQR9EDUmbAwI/g==
X-CrossPremisesHeadersPromoted: AM1FFO11FD040.protection.gbl
X-CrossPremisesHeadersFiltered: AM1FFO11FD040.protection.gbl
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(201703131423075)(201703031133081)(201702281549075); SRVR:HE1P122MB0025; 
X-Microsoft-Exchange-Diagnostics: 1; HE1P122MB0025; 25:WQZTNs/P7czxrtv6l1aa0aw4z8xY+jct86RqlZOtPPPaVhnxqoI20Gl8Y8Mb/tmyF+BXbHZ9iPEcR+QBy3D40fxGkynreqURAecsmyTZW4qDDCXuuysKZOj5ogcUXSQ1Rgl/e+BeIPSiVhfqd2hBZH/JIeCQOTfAbfauTTeUnpYsN3P+NOLKKrUdqjpKD6mnfhPtf1hwsU+L/fbrWt9tGWuU9pcLG+4/mxTGJ27APFn3dFGb37p/gjWxkMoxNJgRHZps3WZ7gXLbzWukAcELpg2KM/ztmaPGOAGomxk3FlV0AQSWuv1lZMx4QPfA1Nyjmxjz58vcfsIM0MWB6lLW3NFd+DFphb1gQ717nVdDwAlvL+omdO8Yw4KUOUJk7w3G4qQRFFeZ8BPZ28s9C2QB9vzF7x3moSkeQPkyqkdNv3a4kdpH2x05/4ixapn3UbFuy1/BfFWuxG6zm2+YUlU/Uw==; 31:DWZBAZTQafiq1OeXLBTo5Iky/6Vg4Mn77c4XDiSpjC+Z6oFWJBzkpa68b8/gAkxGIbn5d3JrssHKMixd0/pAnlm+eWJvFW9bJ1FvafeixWAnAa2KNetrZlZFtlaU6mACs7stcyxaqGLWcKD6RIhnutgnlZ7LWjDKRKIhqrtcIp0WrryZ27dV+rt2UhYmA+0wz+3lxCPdH/f9v6F3O07syXBfWlN7JAHwmAYRFHadP48VWFwpMYKvAnjPsdYRigptB/m1U5kna81DPRfMxJUkdw==
X-Microsoft-Exchange-Diagnostics: 1; HE1P122MB0025; 20:XVifmNqczIl5jNhUNZjYicUqUkUnsOWdcbMrPJg3WzuFr5w+5VEMA7qR5Bkqc5lFNaDelDIlKmLKIDrAHLh1Ebpig2wnNuKt3zw9uAcb5z7wU6sgOwDq8dTcuhFS2Mu9WlWFWL1gxWAKXsQu9pNrcIfH6fZYcaDCLrCW9B69ysaLZetxc+7pLTgXp5MsoXF7RZ5nBXF5shPRi/ecZajCy4WupX617yLFSVwnkfJQbxJnoBiSLWV9wZkKguS2R33KMht542NMr9t4MaqRfnoITkpVOjSs9CesEMIPpiE8+lKJ8740x3a/zM4a3nQ2TrZMTY5UhgG51QmbSzB7fKBNvNiu2XwI1s7yph5ZhNsg3HyRO9WZIetgkTuo3c9+zIWPsc2hTS0g+6zmgJq3CPYcPg01n0tmBupeRL/TVGgQV8MqZpUUjz707HJB+FRopOa0otex+Se8OVeX1spA5bTGqO5cITGz3y0JiCTdOlkSrI4If2zDrwqVMjqmIAAymDnu
X-Microsoft-Antispam-PRVS: <HE1P122MB002572581F1EECB2A66DEC85C8080@HE1P122MB0025.EURP122.PROD.OUTLOOK.COM>
X-Exchange-Antispam-Report-Test: UriScan:(278428928389397)(120809045254105)(192374486261705)(260087099026482); 
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040450)(2401047)(8121501046)(5005006)(13018025)(13016025)(10201501046)(3002001)(93006095)(93003095)(6055026)(6041248)(20161123555025)(20161123562025)(20161123564025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(6072148); SRVR:HE1P122MB0025; BCL:0; PCL:0; RULEID:; SRVR:HE1P122MB0025; 
X-Forefront-PRVS: 0266491E90
X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtIRTFQMTIyTUIwMDI1OzIzOjBMSGllNUZYWEVTbDBROWY4bThMN0RDcmxL?= =?utf-8?B?eVB0bERTd1dXMGNtSDRpTnlVaWhiQ0d0RUhwQVVHRWlPUGJkcnpCdzhGbGds?= =?utf-8?B?VVF1ZHc5RjFNWCtnWmRDbSt4S0dsY1RDa1VUTFRLODlVTkluM2RUVG5TNXdM?= =?utf-8?B?WlZobGJkRWNJVmtmWWRaL2M2bEJsMXpwdklvZXUwU0pyOGJWSS9qSm5lQmdm?= =?utf-8?B?SWE1c1QyRnNPbXE2MnR6eS9DTXpUL2VsRkx4dmpyTmQvbWxReHRWd1ZBZlVL?= =?utf-8?B?TjZBakc4bTB4dXpLc1MwU05pL1hITUZ1SlEzTjRpV2EwcGxSSnRGZ1RyeDJm?= =?utf-8?B?ajRsTXhIM2gvd2t0SHQwRm00ZEVyUENpRTRQTjV2NWpvVHVaV3I3YjFMNnBX?= =?utf-8?B?UDQ2Z1hkTENqd25LbFI3TGxGeS9McHl5dlpSUlh4Skt2Rmt6RWI3WVFnTzkz?= =?utf-8?B?cVpWM1hFTWUxNTduS2Q0NWhLSkEyS3VhNVVsTEJESlppZ0J5by9iZUtsSEo2?= =?utf-8?B?aHVRZVZSZE1mWTZtTWhITGYxeTAzQkpHL1NMS09GVkptMUE0ZHZwM0YrVWRI?= =?utf-8?B?UkhjdFlLWFp5NlJaVkRrSzJqTVdoNGFRTWt0WXRKZzlpQ1pub21VN1VqZmRJ?= =?utf-8?B?R2NKdCtMekJOTnY2MUpEaThGZUxxUmlaN3pQY2swNWFsUHhBMVM2MzlzRG1S?= =?utf-8?B?MjBMWEJwYzAvbzRsZ3FGbU04SkN4cXZjN1FNZDZHbDdrT0lSQno4OERYdDBL?= =?utf-8?B?VHNLeWJXNTg4ZlpCdW45YVZwQzZPcVNxVnc3MHc2QU1DY1BVZmpZdVI5dC85?= =?utf-8?B?ZnQyUXVHSEV4WnRRbHRWT0xGVlJ0aEwrcFlpeVVJemdPT1hMRzdub1c0ejgy?= =?utf-8?B?SHJoQ1FhNDFsODF3Z1FvMmhOeXFQN3hPaW1BOWpZNnZNTFRBWjQrVjR6eW5y?= =?utf-8?B?L0NybHlNc3FsV0M2ZjdXSERZTytqUlJPT29oL3BRVEk4anpxREhXeWlNcTJu?= =?utf-8?B?aUgrYjF3U1EwVVlTSWtScTN3Tkh4VFNyY3BUM3VMcjZ4YlFwVEZ3N0xKdEJt?= =?utf-8?B?cjBkK1ROc2s3b01PNHgyVUJNQklHb0VLTENIdjY5UDQ5anRtNmh0cWJqcEJU?= =?utf-8?B?UGpSL0FaMDJaKy8yUE5pem1kWUd5ZnRBNzJpOW5ZcjlaeVlnWEkwbTNHbitr?= =?utf-8?B?RHFRcnQ5eVBSZVdhMFM2MDdFMVB4UjViL1YyZ0YrZE5pN0RVZTMzS1hYdU8y?= =?utf-8?B?T0dUVGt3c1F1Ujl5QnNJMUhvZmpvR1JkRTY4MnlXM3M2N3lqcFpSQS82L01l?= =?utf-8?B?ektLdENkQ08xVEpWSmRhQ0xTLzlSNTBPbVl1dHBMc1E5Mi9OMGNYYWZIR1Y4?= =?utf-8?B?U0NkUVNrRjl2ZHlEMUlXMFlJeS83M3A2cXp3L0Q0KzlKNDhRQ1J4aERpU0FR?= =?utf-8?B?cjdHK2FJUkVQelk1cWYyanhJU3dNc1ZJOTdFR3gvSTMyN2ZrTXBjV29MR2xG?= =?utf-8?B?bTRtK20rS09mTW4wcWEzWW1iZTJjb0Z1cUJvN1JMd1lPeUpxbzJoVUMyKzg4?= 
=?utf-8?B?THlaOENPMXgzTzNLNE1ITUR0ODVKL1BibE1mY2FxbUNnRTJXR0dFUGdwRmUw?= =?utf-8?B?VUlMNmxac3ZocG5wMDI0bUcrMFFveERsQ3M1SGYrWU9Ob2VUWDUzS05HeUhj?= =?utf-8?Q?nRyhyhTIP9YzbEHBG4=3D?=
X-Microsoft-Exchange-Diagnostics: 1; HE1P122MB0025; 6:uUIEnmzMumgrQJvTp6LWcdsuZO63dTjsDaJDcAc45dJ/8Zv+qUCTOJymm0odtt2jOBt3fOp01ESD6mqvc4mOaV0H8A6lWays5Qs5ziA1SAjTbekg7yU1UmngzEtlYAAbKN0aIjRSd4OEUoWONW2crBVW0HrF8RGljP6WXzc8iLyLoM46PvoOHroE7ThO0NPeUPSGcFr0XtvOnZekYgoQld1Kr7YLQw3j6lm0CfVKi10m7y3URxng33zUWn0ysaR5bGvjQfWsJ6B29nc7dPPV/1llAtH9TXYXT3CEEv00C+6xtcP2HUG8177hEYNA43mwsSMmxLKA9HxsKWvF4pGdmgsXsdtJx249Hoo9Hc1jCK2Fgm9GdSy4Qg5xDQ0FgPm/pLf/oe5KebAh7bucGR0+AZqsK74RDpybn4QnyeLoCY4=; 5:Ia9m3OiSwnZEkK485AK1dVzKGTr3hlOYID/GPkpcacT/FP/515aKxup+0C8yY2noR5MgDh3AcK2mfcgQIQ96DSBYnEHvarGSxN7PuXbQ5h68MiiDUSg+X/PRwYfAaqMWw+Z37fsroIjYnmd6MG8QNw==; 24:jcPACCCIMHey3QWPtMMYT/p2F/sHC87tEwCq0HEt3fAIkuFv6H1Ai82sWVEOkyuERXssU6iWS63j7frcQ8njI38WmWBQ1vGibEdwW4WA8bw=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; HE1P122MB0025; 7:Pnlhy5Qdt9OUtXEMdWBQBQBvoHG50pmKdRGkJzVrc0nv7b5z6OxJ+AGWbinvTQLN2F4LTdnUA3VDIOBavU0dE1GO+PkaoMLYWsI5SFi80GWmBzdTyioUh4LqAF67jC00NpPZKGPgrZXIuU8zd3u/K8LGIxN6jJeV1n7vg3AnStAasAh6nan0CMNAonVvgolDjXVad53bEBb3pzs9FqaiwIptxmjVOypgzcxS+HS6tIlks0dPIm1BMg8JlZ5FAAeEgzsOEIDDolxDe5GPCLTv65MBcYRThLsHgjdBKxa2eVLofIe1EHj5FJp8a4IeXOcHLt9o0qw22UK0tUoX+sw2uA==
X-OriginatorOrg: philips.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/pkxgxOw2HGmVFuB9Cmvrv1WxmLM>
Subject: Re: [saag] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 07:10:48 -0000
From nobody Mon Apr  3 02:22:39 2017
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EAD612960B for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 02:22:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1rCOLxq0sILM for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 02:22:36 -0700 (PDT)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08C3D129590 for <saag@ietf.org>; Mon,  3 Apr 2017 02:22:36 -0700 (PDT)
Received: by mail-qt0-x230.google.com with SMTP id n21so106780490qta.1 for <saag@ietf.org>; Mon, 03 Apr 2017 02:22:35 -0700 (PDT)
X-Received: by 10.237.36.53 with SMTP id r50mr16643287qtc.46.1491211355074; Mon, 03 Apr 2017 02:22:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.175.216 with HTTP; Mon, 3 Apr 2017 02:21:54 -0700 (PDT)
In-Reply-To: <EC15E156-FE69-4BAC-A127-38D7CB516F55@emc.com>
References: <CAJU7zaKRo0JkhDa7VTxd7=G6Vtuf4XiV2Kwq_-DB8KQ7R4yAxw@mail.gmail.com> <EC15E156-FE69-4BAC-A127-38D7CB516F55@emc.com>
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Date: Mon, 3 Apr 2017 11:21:54 +0200
Message-ID: <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com>
To: "Moriarty, Kathleen" <Kathleen.Moriarty@dell.com>
Cc: IETF SAAG <saag@ietf.org>, "mnystrom@microsoft.com" <mnystrom@microsoft.com>,  "bkaliski@verisign.com" <bkaliski@verisign.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/STcizjP7tVYQANm-_HwWNQr7DXw>
Subject: Re: [saag] encrypted files with UTF-8/16 passwords
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 09:22:38 -0000

I have put an initial draft suggesting the utilization of RFC7613 for
UTF-8 password normalization. I'd appreciate comments on the approach
and on the usage of RFC7613 in general.

https://gitlab.com/nmav/ietf-pkcs5



PS. I've started a discussion on the suitability of RFC7613 for
passwords at the precis list:
https://mailarchive.ietf.org/arch/msg/precis/WRFASSjZzb2ddqZJc5bkOlslOLE


On Fri, Mar 24, 2017 at 3:53 PM, Moriarty, Kathleen
<Kathleen.Moriarty@dell.com> wrote:
> Hi Nikos,
>
> They are just informational because they were contributed as existing standards.  Change control has been handed over to the IETF, so an update could happen to make them standards track.  Or you could start an updated draft to add what you need and we'll figure out if it has to stay informational or not.
>
> Thanks,
> Kathleen
>
> Sent from my iPhone
>
>> On Mar 24, 2017, at 4:08 AM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> wrote:
>>
>> Hi,
>> PKCS#8 (rfc8018) and PKCS#12 (rfc7292) can be used to encrypt keys
>> and certificates with a password. In the first case, PKCS#8 utilizes
>> PKCS#5 for converting a password to an encryption key, and PKCS#5
>> requires a password to be in UTF-8. For PKCS#12, a password is input
>> in UTF-16 format (mentioned as BMPString in the document) in some
>> preset schemes, but uses UTF-8 for newer schemes like AES via PKCS#5.
>>
>> However, UTF-8 (and UTF-16) are ambiguous. The same string may have
>> multiple representations, and for that, there are some guidelines in
>> RFC7613 to prepare a unicode string for a password, but they do not
>> update either of these documents.
>>
>> Given that these are informational RFCs, which would be the proper
>> method to propose an update on them based on these lines and requiring
>> RFC7613 processing for passwords entered in UTF-8?
>>
>> regards,
>> Nikos


From nobody Mon Apr  3 07:40:28 2017
Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F1B2129400 for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 07:40:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aist.go.jp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1iowAh4bdrna for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 07:40:23 -0700 (PDT)
Received: from JPN01-OS2-obe.outbound.protection.outlook.com (mail-os2jpn01on0078.outbound.protection.outlook.com [104.47.92.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E937C126D85 for <saag@ietf.org>; Mon,  3 Apr 2017 07:40:22 -0700 (PDT)
Received: from KAXPR01MB1222.jpnprd01.prod.outlook.com (10.171.237.136) by KAXPR01MB1222.jpnprd01.prod.outlook.com (10.171.237.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.10; Mon, 3 Apr 2017 14:40:19 +0000
Received: from KAXPR01MB1222.jpnprd01.prod.outlook.com ([10.171.237.136]) by KAXPR01MB1222.jpnprd01.prod.outlook.com ([10.171.237.136]) with mapi id 15.01.1005.017; Mon, 3 Apr 2017 14:40:19 +0000
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, "Moriarty, Kathleen" <Kathleen.Moriarty@dell.com>
CC: "mnystrom@microsoft.com" <mnystrom@microsoft.com>, IETF SAAG <saag@ietf.org>, "bkaliski@verisign.com" <bkaliski@verisign.com>
Thread-Topic: [saag] encrypted files with UTF-8/16 passwords
Thread-Index: AQHSpK6FCEPueigTX0a+XfRhaW83NaGzbhoAgABUxVA=
Date: Mon, 3 Apr 2017 14:40:19 +0000
Message-ID: <KAXPR01MB1222FFAA70B1EC3C8C2362D8A0080@KAXPR01MB1222.jpnprd01.prod.outlook.com>
References: <CAJU7zaKRo0JkhDa7VTxd7=G6Vtuf4XiV2Kwq_-DB8KQ7R4yAxw@mail.gmail.com> <EC15E156-FE69-4BAC-A127-38D7CB516F55@emc.com> <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com>
In-Reply-To: <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=aist.go.jp;
x-originating-ip: [163.221.153.14]
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: aist.go.jp
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Apr 2017 14:40:19.3024 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 18a7fec8-652f-409b-8369-272d9ce80620
X-MS-Exchange-Transport-CrossTenantHeadersStamped: KAXPR01MB1222
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/f78GOcQtNKorVEYWFZPQLf4c6l0>
Subject: Re: [saag] encrypted files with UTF-8/16 passwords
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 14:40:26 -0000

Dear Nikos,

It's interesting.  A few quick comments from me:

1) Because RFC 7613 specifies multiple profiles,
   the OpaqueString profile should be explicitly cited, like:
  "... MUST be prepared using OpaqueString profile (Section 4.2) of
  [RFC7613]."

2) Exception rule for the empty string can be more verbose.
   e.g. "As an exception to the OpaqueString profile, an empty password
   string MAY be used if and only if the input is also empty;
   an empty string generated from any non-empty input MUST NOT be used."

3) For PKCS #12, the use of the UTF-16 (or UCS-2) encoding is contradictory to
   RFC 7613, so it might be good to explicitly say
   "use big-endian {UTF-16 or UCS-2}, regardless of Section 4.2.1 of [RFC7613]".

4) Also, the handling of the non-BMP positions seems better if more explicit:
   Choices seem to be "{MUST or MAY} be encoded using UTF-16",
   or "SHOULD NOT accept any codepoints beyond BMP".
   My preference is "MAY" (although it is a slight extension to original PKCS#12).


-- 
Yutaka OIWA, Ph.D.       Leader, Cyber Physical Architecture Research Group
                                  Information Technology Research Institute
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

> -----Original Message-----
> From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Nikos
> Mavrogiannopoulos
> Sent: Monday, April 3, 2017 6:22 PM
> To: Moriarty, Kathleen <Kathleen.Moriarty@dell.com>
> Cc: mnystrom@microsoft.com; IETF SAAG <saag@ietf.org>; bkaliski@verisign.com
> Subject: Re: [saag] encrypted files with UTF-8/16 passwords
>
> I have put an initial draft suggesting the utilization of RFC7613 for
> UTF-8 password normalization. I'd appreciate comments on the approach and on
> the usage of RFC7613 in general.
>
> https://gitlab.com/nmav/ietf-pkcs5
>
>
>
> PS. I've started a discussion on the suitability of RFC7613 for passwords at
> the precis list:
> https://mailarchive.ietf.org/arch/msg/precis/WRFASSjZzb2ddqZJc5bkOlslOLE
>
>
> On Fri, Mar 24, 2017 at 3:53 PM, Moriarty, Kathleen
> <Kathleen.Moriarty@dell.com> wrote:
> > Hi Nikos,
> >
> > They are just informational because they were contributed as existing
> standards.  Change control has been handed over to the IETF, so an update could
> happen to make them standards track.  Or you could start an updated draft to
> add what you need and we'll figure out if it has to stay informational or not.
> >
> > Thanks,
> > Kathleen
> >
> > Sent from my iPhone
> >
> >> On Mar 24, 2017, at 4:08 AM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos@gmail.com> wrote:
> >>
> >> Hi,
> >> PKCS#8 (rfc8018) and PKCS#12 (rfc7292) can be used to encrypt keys
> >> and certificates with a password. In the first case, PKCS#8 utilizes
> >> PKCS#5 for converting a password to an encryption key, and PKCS#5
> >> requires a password to be in UTF-8. For PKCS#12, a password is input
> >> in UTF-16 format (mentioned as BMPString in the document) in some
> >> preset schemes, but uses UTF-8 for newer schemes like AES via PKCS#5.
> >>
> >> However, UTF-8 (and UTF-16) are ambiguous. The same string may have
> >> multiple representations, and for that, there are some guidelines in
> >> RFC7613 to prepare a unicode string for a password, but they do not
> >> update either of these documents.
> >>
> >> Given that these are informational RFCs, which would be the proper
> >> method to propose an update on them based on these lines and
> >> requiring
> >> RFC7613 processing for passwords entered in UTF-8?
> >>
> >> regards,
> >> Nikos
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
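Taken together, Nikos's proposal and Oiwa's comments 1, 2 and 4 describe one concrete pipeline: prepare the password with the OpaqueString profile, hand its UTF-8 octets to the PKCS#5 KDF, and for PKCS#12 emit a big-endian BMPString with an explicit rule for code points beyond the BMP. The Python below is an added example, not code from Nikos's draft, from the ietf-pkcs5 repository or from anyone on this list. It implements a simplified OpaqueString profile (width mapping, non-ASCII space mapping, NFC, and a reject list of controls, unassigned code points and surrogates; the full PRECIS FreeformClass tables are not reproduced, so that reject set is an assumption), Oiwa's empty-string wording, PBKDF2-HMAC-SHA256 as the PKCS#5 KDF, and the RFC 7292 BMPString form with its two-octet NUL terminator. The salt and passwords are constructed inputs.

```python
import hashlib
import unicodedata

# Simplified RFC 7613 OpaqueString profile (Section 4.2): width mapping,
# non-ASCII space mapping, NFC, and a reject list. The full PRECIS FreeformClass
# tables are not reproduced; the categories below are an assumed subset.
DISALLOWED_CATEGORIES = {"Cc", "Cn", "Cs"}  # controls, unassigned, surrogates


def _width_map(ch: str) -> str:
    """Width-mapping rule: fullwidth and halfwidth forms become their decomposition."""
    decomp = unicodedata.decomposition(ch)
    if decomp.startswith("<wide>") or decomp.startswith("<narrow>"):
        return "".join(chr(int(cp, 16)) for cp in decomp.split()[1:])
    return ch


def opaque_string_prepare(password: str) -> str:
    """Prepare a password as the OpaqueString profile describes (simplified)."""
    s = "".join(_width_map(ch) for ch in password)
    # Additional mapping rule: every non-ASCII space (category Zs) becomes U+0020.
    s = "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in s)
    # No case mapping; normalization rule is NFC; no directionality rule.
    s = unicodedata.normalize("NFC", s)
    for ch in s:
        if unicodedata.category(ch) in DISALLOWED_CATEGORIES:
            raise ValueError("disallowed code point U+%04X" % ord(ch))
    # Oiwa's proposed rule: an empty result is acceptable only if the input was empty.
    if password and not s:
        raise ValueError("non-empty input prepared to an empty string")
    return s


def pkcs5_key(password: str, salt: bytes, iterations: int = 100_000, dklen: int = 32) -> bytes:
    """PKCS#5 (RFC 8018) PBKDF2-HMAC-SHA256 over the UTF-8 octets of the prepared password."""
    octets = opaque_string_prepare(password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", octets, salt, iterations, dklen)


def raw_pkcs5_key(password: str, salt: bytes, iterations: int = 100_000, dklen: int = 32) -> bytes:
    """Same derivation with no preparation: what an implementation that hashes the raw UTF-8 does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def pkcs12_bmpstring(password: str, allow_non_bmp: bool = False) -> bytes:
    """PKCS#12 (RFC 7292) password octets: big-endian UTF-16 code units plus the
    two-octet NUL terminator. Code points beyond the BMP either become surrogate
    pairs (Oiwa's "MAY") or are rejected (his "SHOULD NOT accept")."""
    prepared = opaque_string_prepare(password)
    for ch in prepared:
        if ord(ch) > 0xFFFF and not allow_non_bmp:
            raise ValueError("code point outside the BMP: U+%X" % ord(ch))
    return prepared.encode("utf-16-be") + b"\x00\x00"


if __name__ == "__main__":
    salt = b"\x01" * 8  # constructed salt
    composed, decomposed = "p\u00e4ssword", "pa\u0308ssword"  # same glyphs, different code points
    print(raw_pkcs5_key(composed, salt) == raw_pkcs5_key(decomposed, salt))  # False
    print(pkcs5_key(composed, salt) == pkcs5_key(decomposed, salt))          # True
    print(pkcs12_bmpstring("abc").hex())                                     # 0061006200630000
```

Run as a script it prints False, True and 0061006200630000: the raw derivation gives two different keys for the composed and decomposed spellings of the same password, the prepared derivation gives one key, and the BMPString of "abc" carries the terminator. The width and space mappings are the steps bare NFC would not perform, which is why citing the profile rather than just "NFC" matters.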


From BATV+babdbe883c5a61297b2b+4971+infradead.org+dwmw2@twosheds.srs.infradead.org  Mon Apr  3 07:54:21 2017
Return-Path: <BATV+babdbe883c5a61297b2b+4971+infradead.org+dwmw2@twosheds.srs.infradead.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E259126D85 for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 07:54:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=infradead.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bsbOOmKGk115 for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 07:54:18 -0700 (PDT)
Received: from twosheds.infradead.org (twosheds.infradead.org [IPv6:2001:8b0:10b:1:21d:7dff:fe04:dbe2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A35211270A0 for <saag@ietf.org>; Mon,  3 Apr 2017 07:54:17 -0700 (PDT)
Received: from [2001:8b0:10b:1:609a:d7da:a357:4309] by twosheds.infradead.org with esmtpsa (Exim 4.87 #1 (Red Hat Linux)) id 1cv3Mu-0004P4-MR; Mon, 03 Apr 2017 14:54:08 +0000
Message-ID: <1491231248.6020.71.camel@infradead.org>
From: David Woodhouse <dwmw2@infradead.org>
To: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, "Moriarty, Kathleen" <Kathleen.Moriarty@dell.com>
Cc: "mnystrom@microsoft.com" <mnystrom@microsoft.com>, IETF SAAG <saag@ietf.org>,  "bkaliski@verisign.com" <bkaliski@verisign.com>
In-Reply-To: <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com>
References: <CAJU7zaKRo0JkhDa7VTxd7=G6Vtuf4XiV2Kwq_-DB8KQ7R4yAxw@mail.gmail.com> <EC15E156-FE69-4BAC-A127-38D7CB516F55@emc.com> <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com>
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-Ic9BGXocgWsztAdsUDQD"
Date: Mon, 03 Apr 2017 15:54:08 +0100
Mime-Version: 1.0
X-Mailer: Evolution 3.18.5.2-0ubuntu3.1 
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by twosheds.infradead.org. See http://www.infradead.org/rpr.html
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jA0Vi5GsTi0VP-a-8aZ-hSjqtug>
Subject: Re: [saag] encrypted files with UTF-8/16 passwords
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 15:04:32 -0000

--=-Ic9BGXocgWsztAdsUDQD
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, 2017-04-03 at 11:21 +0200, Nikos Mavrogiannopoulos wrote:
> I have put an initial draft suggesting the utilization of RFC7613 for
> UTF-8 password normalization. I'd appreciate comments on the approach
> and on the usage of RFC7613 in general.
>
> https://gitlab.com/nmav/ietf-pkcs5

The reference to RFC8018 is missing.

Using the methods (especially Normalization Form C) from RFC7613 makes
complete sense. RFC7613 only talks of UTF-8 but we actually need the
equivalent for UTF-16, for at least some forms of PKCS#12.

I'm a bit lost when you talk of using UTF-8 passwords in PKCS#12. Is
that really what people do, dependent on the encryption method in use?
I thought PKCS#12 was *always* BMPString?

I already heckled on IRC your first email in this thread, in which you
stated that "PKCS#5 requires a password to be in UTF-8". It doesn't; it
merely identifies it as a possibility (penultimate paragraph of §3):
   Throughout this document, a password is considered to be an octet
   string of arbitrary length whose interpretation as a text string is
   unspecified.  In the interest of interoperability, however, it is
   recommended that applications follow some common text encoding rules.
   ASCII and UTF-8 [RFC3629] are two possibilities.  (ASCII is a subset
   of UTF-8.)

Given the interoperability concerns with existing files, and the fact
that *trying* a password is free, it does make sense to list a number
of options for attempting to decrypt a file given a password in some
local charset (which might be a legacy non-UTF8 one). I'd attempted
that in
http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#rfc.section.7

Of course, for *creating* such files we can be more prescriptive...
--=-Ic9BGXocgWsztAdsUDQD
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64
--=-Ic9BGXocgWsztAdsUDQD--
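Woodhouse's observation that trying a password is free suggests a decrypter that walks through candidate encodings of the typed password before reporting it as wrong. The Python below is an added example, not code from draft-woodhouse-cert-best-practice or from anyone in this thread. The container's own password check is modelled as PBKDF2-HMAC-SHA256 followed by an HMAC over the contents, standing in for the PKCS#12 MAC or a PKCS#8 decryption failure (an assumption, as is the list of legacy charsets); the containers it opens are constructed inside the block.

```python
import hashlib
import hmac
import unicodedata


def bmp_string(password: str) -> bytes:
    """PKCS#12 BMPString octets: UTF-16BE code units plus the two-octet NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def candidate_encodings(password: str):
    """Yield (label, octets) in the order a decrypter should try them; repeats are skipped."""
    candidates = [
        ("utf-8/nfc", unicodedata.normalize("NFC", password).encode("utf-8")),
        ("utf-8/raw", password.encode("utf-8")),
        ("bmpstring", bmp_string(password)),
    ]
    for charset in ("latin-1", "cp1252"):  # assumed legacy local charsets; extend as needed
        try:
            candidates.append((charset, password.encode(charset)))
        except UnicodeEncodeError:
            pass  # this charset cannot represent the password, so no file used it
    seen = set()
    for label, octets in candidates:
        if octets not in seen:  # identical octets would only repeat the KDF work
            seen.add(octets)
            yield label, octets


def password_mac(octets: bytes, salt: bytes, contents: bytes, iterations: int) -> bytes:
    """Stand-in for the container's own password check (the PKCS#12 MAC, or a
    PKCS#8 decryption failure): PBKDF2-HMAC-SHA256 key, then HMAC over the contents."""
    key = hashlib.pbkdf2_hmac("sha256", octets, salt, iterations, 32)
    return hmac.new(key, contents, "sha256").digest()


def make_file(octets: bytes, contents: bytes = b"constructed authSafe contents",
              salt: bytes = b"\x02" * 8, iterations: int = 20_000) -> dict:
    """Constructed container written by a tool that used these password octets."""
    return {"salt": salt, "contents": contents, "iterations": iterations,
            "mac": password_mac(octets, salt, contents, iterations)}


def open_file(blob: dict, password: str):
    """Return the label of the first candidate encoding whose MAC verifies, else None."""
    for label, octets in candidate_encodings(password):
        tag = password_mac(octets, blob["salt"], blob["contents"], blob["iterations"])
        if hmac.compare_digest(tag, blob["mac"]):
            return label
    return None


if __name__ == "__main__":
    pw = "p\u00e4ssword"
    legacy = make_file(pw.encode("latin-1"))  # written by a tool that used the local 8-bit charset
    print(open_file(legacy, pw))              # latin-1
    print(open_file(make_file(bmp_string(pw)), pw))  # bmpstring
```

The order is deliberate: the prescriptive encoding for newly created files (NFC UTF-8) goes first, so a correctly written file never pays for the legacy attempts, and the BMPString form comes before the 8-bit charsets. Each attempt costs a full KDF run, which is why identical octet strings are deduplicated. This loop only explores encodings of one password the user supplied; it is not a guessing attack, and it does not change what a writer of new files should do.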


From nobody Mon Apr  3 11:26:06 2017
Return-Path: <dschinazi@apple.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 630C61294E2 for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 11:25:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level: 
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m05FkA52AU48 for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 11:25:49 -0700 (PDT)
Received: from mail-in22.apple.com (mail-out22.apple.com [17.171.2.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DB5312945E for <saag@ietf.org>; Mon,  3 Apr 2017 11:25:47 -0700 (PDT)
Received: from relay6.apple.com (relay6.apple.com [17.128.113.90]) by mail-in22.apple.com (Apple Secure Mail Relay) with SMTP id 17.7E.23264.9A392E85; Mon,  3 Apr 2017 11:25:46 -0700 (PDT)
Received: from nwk-phonehomebzp-sz01 (nwk-phonehomebzp-sz01.apple.com [17.151.62.64]) by relay6.apple.com (Apple SCV relay) with SMTP id 87.77.31597.8A392E85; Mon,  3 Apr 2017 11:25:45 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from [17.153.71.197] (unknown [17.153.71.197]) by nwk-phonehomebzp-sz01.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0ONU004LLJ6WJI50@nwk-phonehomebzp-sz01.apple.com>; Mon, 03 Apr 2017 11:25:44 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
In-reply-to: <2DD56D786E600F45AC6BDE7DA4E8A8C118BB7D3A@eusaamb107.ericsson.se>
Date: Mon, 03 Apr 2017 11:25:44 -0700
Cc: Jim Schaad <ietf@augustcellars.com>, Daniel Migault <daniel.migault@ericsson.com>, "spasm@ietf.org" <spasm@ietf.org>, IPsecME WG <ipsec@ietf.org>, "saag@ietf.org" <saag@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Message-id: <BE09E806-54A8-4A63-8C11-D0B637B70B54@apple.com>
References: <149073663013.1172.4888065212435317707.idtracker@ietfa.amsl.com> <051401d2a80b$e9bdea90$bd39bfb0$@augustcellars.com> <2DD56D786E600F45AC6BDE7DA4E8A8C118BB7D3A@eusaamb107.ericsson.se>
To: "curdle@ietf.org" <curdle@ietf.org>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-4NAJHeLIeC8A8y8T8K5FIAq9hA>
Subject: Re: [saag] [Curdle] New Version Notification for draft-ietf-curdle-pkix-04.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 18:25:51 -0000

Thanks for the update!

I've reviewed -04 and I think the draft is ready to move forward.

Regards,
David Schinazi


> On Mar 28, 2017, at 15:43, Daniel Migault <daniel.migault@ericsson.com> wrote:
> 
> Hi, 
> 
> Thank you, Jim, for the update. Here is the version resulting from the discussion we had during the WG meeting yesterday.  Please review the document and provide your feedback by April 4 so we can move the draft to the IESG. 
> 
> Yours, 
> Daniel
> 
> -----Original Message-----
> From: Curdle [mailto:curdle-bounces@ietf.org] On Behalf Of Jim Schaad
> Sent: Tuesday, March 28, 2017 4:40 PM
> To: curdle@ietf.org
> Subject: [Curdle] FW: New Version Notification for draft-ietf-curdle-pkix-04.txt
> 
> Here is the promised updated draft.
> 
> Changes:
> 1.  Fixed an example that David Benjamin found was wrong.  (Incorrect sign bit in public key.)
> 2.  Remove all of the pre-hash text except to note that it does exist.
> 3.  No changes to the OID arc being used despite the agreement during the meeting.  After the meeting, Russ, the chairs and I had a short talk and decided that this did not need to occur.  The problem was only with getting new values assigned not with the current values which were already assigned.
> 
> That should be the final issues in the draft
> 
> Jim
> 
> 
>> -----Original Message-----
>> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
>> Sent: Tuesday, March 28, 2017 4:31 PM
>> To: Jim Schaad <ietf@augustcellars.com>; Simon Josefsson 
>> <simon@josefsson.org>
>> Subject: New Version Notification for draft-ietf-curdle-pkix-04.txt
>> 
>> 
>> A new version of I-D, draft-ietf-curdle-pkix-04.txt has been 
>> successfully submitted by Jim Schaad and posted to the IETF repository.
>> 
>> Name:		draft-ietf-curdle-pkix
>> Revision:	04
>> Title:		Algorithm Identifiers for Ed25519, Ed448, X25519 and X448 for
>> use in the Internet X.509 Public Key Infrastructure
>> Document date:	2017-03-28
>> Group:		curdle
>> Pages:		15
>> URL:            https://www.ietf.org/internet-drafts/draft-ietf-curdle-pkix-04.txt
>> Status:         https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/
>> Htmlized:       https://tools.ietf.org/html/draft-ietf-curdle-pkix-04
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-curdle-pkix-04
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-curdle-pkix-04
>> 
>> Abstract:
>>   This document specifies algorithm identifiers and ASN.1 encoding
>>   formats for Elliptic Curve constructs using the Curve25519 and
>>   Curve448 curves.  The signature algorithms covered are Ed25519 and
>>   Ed448.  The key agreement algorithms covered are X25519 and X448.  The
>>   encoding for Public Key, Private Key and EdDSA digital signature
>>   structures is provided.
>> 
>> 
>> 
>> 
>> Please note that it may take a couple of minutes from the time of 
>> submission until the htmlized version and diff are available at tools.ietf.org.
>> 
>> The IETF Secretariat
> 
> 
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org
> https://www.ietf.org/mailman/listinfo/curdle
> 


From nobody Mon Apr  3 18:53:15 2017
Return-Path: <fgont@si6networks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A3071294DC for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 18:53:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.308
X-Spam-Level: 
X-Spam-Status: No, score=-0.308 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jqZ9ncfHi-1 for <saag@ietfa.amsl.com>; Mon,  3 Apr 2017 18:53:12 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9F10129536 for <saag@ietf.org>; Mon,  3 Apr 2017 18:53:11 -0700 (PDT)
Received: from [10.0.0.194] (unknown [80.12.33.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 18A8B80A75; Tue,  4 Apr 2017 03:53:09 +0200 (CEST)
To: Eric Rescorla <ekr@rtfm.com>, "saag@ietf.org" <saag@ietf.org>
References: <CABcZeBMnV=jRT8s-UrwQBkb3vZv0mP6Uc+83DGxfEhXtn+eZRw@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Cc: Ivan Arce <ivan.w.arce@gmail.com>
Message-ID: <d5bb8b9e-0ed5-d47d-f275-28b063e2ee32@si6networks.com>
Date: Mon, 3 Apr 2017 23:44:52 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBMnV=jRT8s-UrwQBkb3vZv0mP6Uc+83DGxfEhXtn+eZRw@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IIJo3TmhSQWD2z0FDeCPYsGOP0M>
Subject: Re: [saag] Draft minutes
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 01:53:14 -0000

Folks,

FWIW, this is not really a comment/correction/comment on the minutes
themselves, but rather on what was said. FWIW, I didn't attend the
meeting -- hence I'm commenting on the minutes, what I would've said
during the meeting.

On 03/31/2017 03:15 PM, Eric Rescorla wrote:
[....]
> *** Open Mic
> Ingo Stieglitz : Thank you. You are all awesome. Is there any work here
> on ICMP NATing

IIRC, behave did publish a spec on this. Don't remember the RFC number,
though.


> Kathleen: Recommend you ask in Ops
> Yoav Nir: A couple IETFs ago, started to discuss 3552bis, what should go
> into security considerations. I did a first transposition, called for
> comments, and got nothing. We shouldn't send the message that there's
> nothing to add since 2003 [by publishing a new unchanged document]. We
> need people to propose text and ideas. 

We did provide input on this. Please see:
draft-gont-numeric-ids-sec-considerations-00. At the time (one year ago)
there was some discussion on whether to publish this document as is, or
whether to incorporate it into RFC3552bis.

FWIW, time-wise, it looks like it might be sensible to publish this doc
as a stand-alone update to rfc3552, though. At the time of this writing,
there are documents still being published with the requirements for
numeric ids underspecified.


Besides our comments on numeric ids, I seem to remember that Mike St
Johns sent a lengthy email with a lot of suggestions related to IoT.


> Kathleen: How many people interested in an update? [about 20 hands].
> Please discuss on SAAG list. 

FWIW, I'm interested in seeing an update.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Tue Apr  4 00:01:52 2017
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B1E1126579 for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 00:01:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5igy2KlW2nQa for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 00:01:48 -0700 (PDT)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7534112957A for <saag@ietf.org>; Tue,  4 Apr 2017 00:01:48 -0700 (PDT)
Received: by mail-qk0-x231.google.com with SMTP id p22so133812123qka.3 for <saag@ietf.org>; Tue, 04 Apr 2017 00:01:48 -0700 (PDT)
X-Received: by 10.55.64.139 with SMTP id n133mr19938247qka.38.1491289307594; Tue, 04 Apr 2017 00:01:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.175.216 with HTTP; Tue, 4 Apr 2017 00:01:07 -0700 (PDT)
In-Reply-To: <KAXPR01MB1222FFAA70B1EC3C8C2362D8A0080@KAXPR01MB1222.jpnprd01.prod.outlook.com>
References: <CAJU7zaKRo0JkhDa7VTxd7=G6Vtuf4XiV2Kwq_-DB8KQ7R4yAxw@mail.gmail.com> <EC15E156-FE69-4BAC-A127-38D7CB516F55@emc.com> <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com> <KAXPR01MB1222FFAA70B1EC3C8C2362D8A0080@KAXPR01MB1222.jpnprd01.prod.outlook.com>
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Date: Tue, 4 Apr 2017 09:01:07 +0200
Message-ID: <CAJU7zaK_xk-cNqVuFUuNg9Lc4Vez7KQGtEnM5BVTuA6nnaxYjw@mail.gmail.com>
To: 大岩寛 <y.oiwa@aist.go.jp>
Cc: "Moriarty, Kathleen" <Kathleen.Moriarty@dell.com>,  "mnystrom@microsoft.com" <mnystrom@microsoft.com>, IETF SAAG <saag@ietf.org>,  "bkaliski@verisign.com" <bkaliski@verisign.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0M3T669kLOLKA8mEhM4gfDIKtCk>
Subject: Re: [saag] encrypted files with UTF-8/16 passwords
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 07:01:50 -0000

On Mon, Apr 3, 2017 at 4:40 PM, 大岩寛 <y.oiwa@aist.go.jp> wrote:
> Dear Nikos,
>
> It's interesting.  A few quick comments from me:

Thank you, very nice comments. Replying inline too.

> 1) Because RFC 7613 specifies multiple profiles,
>    the OpaqueString profile should be explicitly cited, like:
>   "... MUST be prepared using OpaqueString profile (Section 4.2) of
>   [RFC7613]."

Done.

> 2) Exception rule for the empty string can be more verbose.
>    e.g. "As an exception to the OpaqueString profile, an empty password
>    string MAY be used if and only if the input is also empty;
>    an empty string generated from any non-empty input MUST NOT be used."

Done.

> 3) For PKCS #12, the use of the UTF-16 (or UCS-2) encoding is contradictory to
>    RFC 7613, so it might be good to explicitly say
>    "use big-endian {UTF-16 or UCS-2}, regardless of Section 4.2.1 of [RFC7613]".

I also like that; however, is that possible? Can we override the ASN.1
definition of BMPString and allow UTF-16 to be stored in that field?

regards,
Nikos


From nobody Tue Apr  4 00:06:56 2017
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C499129551 for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 00:06:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7RY_sGM4oFd for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 00:06:52 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54DBB127071 for <saag@ietf.org>; Tue,  4 Apr 2017 00:06:52 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id d10so134430245qke.1 for <saag@ietf.org>; Tue, 04 Apr 2017 00:06:52 -0700 (PDT)
X-Received: by 10.55.203.142 with SMTP id u14mr10267856qkl.169.1491289611449;  Tue, 04 Apr 2017 00:06:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.175.216 with HTTP; Tue, 4 Apr 2017 00:06:11 -0700 (PDT)
In-Reply-To: <1491231248.6020.71.camel@infradead.org>
References: <CAJU7zaKRo0JkhDa7VTxd7=G6Vtuf4XiV2Kwq_-DB8KQ7R4yAxw@mail.gmail.com> <EC15E156-FE69-4BAC-A127-38D7CB516F55@emc.com> <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com> <1491231248.6020.71.camel@infradead.org>
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Date: Tue, 4 Apr 2017 09:06:11 +0200
Message-ID: <CAJU7zaKNbQJdr_7EfiXQaJmGaj5BVN=G_xMVAAyT6O+Ydyh7+Q@mail.gmail.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: "Moriarty, Kathleen" <Kathleen.Moriarty@dell.com>,  "mnystrom@microsoft.com" <mnystrom@microsoft.com>, IETF SAAG <saag@ietf.org>,  "bkaliski@verisign.com" <bkaliski@verisign.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/m9pNYF0kH9KAfj4N6jZuGDlK874>
Subject: Re: [saag] encrypted files with UTF-8/16 passwords
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 07:06:55 -0000

On Mon, Apr 3, 2017 at 4:54 PM, David Woodhouse <dwmw2@infradead.org> wrote:
> On Mon, 2017-04-03 at 11:21 +0200, Nikos Mavrogiannopoulos wrote:
>> I have put an initial draft suggesting the utilization of RFC7613 for
>> UTF-8 password normalization. I'd appreciate comments on the approach
>> and on the usage of RFC7613 in general.
>>
>> https://gitlab.com/nmav/ietf-pkcs5
>
> The reference to RFC8018 is missing.
>
> Using the methods (especially Normalization Form C) from RFC7613 makes
> complete sense. RFC7613 only talks of UTF-8 but we actually need the
> equivalent for UTF-16, for at least some forms of PKCS#12.
> I'm a bit lost when you talk of using UTF-8 passwords in PKCS#12. Is
> that really what people do, dependent on the encryption method in use?
> I thought PKCS#12 was *always* BMPString?

That's partially true. The MAC in PKCS#12 *always* uses the password
as a BMPString. However, the encrypted sections (keys, certificates)
do not have to be. In fact if you intend to use the AES-128 algorithm
in PKCS#12, the only way is to utilize the PKCS#5 encryption method
which uses/suggests UTF-8 (or ASCII).

> I already heckled on IRC your first email in this thread, in which you
> stated that "PKCS#5 requires a password to be in UTF-8". It doesn't; it
> merely identifies it as a possibility (penultimate paragraph of §3):
>    Throughout this document, a password is considered to be an octet
>    string of arbitrary length whose interpretation as a text string is
>    unspecified.  In the interest of interoperability, however, it is
>    recommended that applications follow some common text encoding rules.
>    ASCII and UTF-8 [RFC3629] are two possibilities.  (ASCII is a subset
>    of UTF-8.)
> Given the interoperability concerns with existing files, and the fact
> that *trying* a password is free, it does make sense to list a number
> of options for attempting to decrypt a file given a password in some
> local charset (which might be a legacy non-UTF8 one). I'd attempted
> that in
> http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#rfc.section.7
>
> Of course, for *creating* such files we can be more prescriptive...

Should/may I copy this section as an informative section for
applications wanting backwards compatibility?

regards,
Nikos


From BATV+f397c9c21c3cf60bfd8f+4972+infradead.org+dwmw2@twosheds.srs.infradead.org  Tue Apr  4 00:17:57 2017
Return-Path: <BATV+f397c9c21c3cf60bfd8f+4972+infradead.org+dwmw2@twosheds.srs.infradead.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08B0E126579 for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 00:17:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=infradead.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59EkDo1sB7ao for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 00:17:53 -0700 (PDT)
Received: from twosheds.infradead.org (twosheds.infradead.org [IPv6:2001:8b0:10b:1:21d:7dff:fe04:dbe2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43F2E129537 for <saag@ietf.org>; Tue,  4 Apr 2017 00:17:50 -0700 (PDT)
Received: from [54.239.6.185] (helo=uc8d3ff76b9bc5848a9cc.drs10.amazon.com) by twosheds.infradead.org with esmtpsa (Exim 4.87 #1 (Red Hat Linux)) id 1cvIik-0001cN-T9; Tue, 04 Apr 2017 07:17:43 +0000
Message-ID: <1491290261.6218.12.camel@infradead.org>
From: David Woodhouse <dwmw2@infradead.org>
To: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Cc: "Moriarty, Kathleen" <Kathleen.Moriarty@dell.com>,  "mnystrom@microsoft.com" <mnystrom@microsoft.com>, IETF SAAG <saag@ietf.org>, "bkaliski@verisign.com" <bkaliski@verisign.com>
In-Reply-To: <CAJU7zaKNbQJdr_7EfiXQaJmGaj5BVN=G_xMVAAyT6O+Ydyh7+Q@mail.gmail.com>
References: <CAJU7zaKRo0JkhDa7VTxd7=G6Vtuf4XiV2Kwq_-DB8KQ7R4yAxw@mail.gmail.com> <EC15E156-FE69-4BAC-A127-38D7CB516F55@emc.com> <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com> <1491231248.6020.71.camel@infradead.org> <CAJU7zaKNbQJdr_7EfiXQaJmGaj5BVN=G_xMVAAyT6O+Ydyh7+Q@mail.gmail.com>
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-6IEL3v4MXFi8VpjCuHFV"
Date: Tue, 04 Apr 2017 08:17:41 +0100
Mime-Version: 1.0
X-Mailer: Evolution 3.18.5.2-0ubuntu3.1 
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by twosheds.infradead.org. See http://www.infradead.org/rpr.html
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jrJCywo679UuDW9vgFnZKzlDK8s>
Subject: Re: [saag] encrypted files with UTF-8/16 passwords
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 07:19:00 -0000

--=-6IEL3v4MXFi8VpjCuHFV
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 2017-04-04 at 09:06 +0200, Nikos Mavrogiannopoulos wrote:
> That's partially true. The MAC in PKCS#12 *always* uses the password
> as a BMPString. However, the encrypted sections (keys, certificates)
> do not have to be. In fact if you intend to use the AES-128 algorithm
> in PKCS#12, the only way is to utilize the PKCS#5 encryption method
> which uses/suggests UTF-8 (or ASCII).

PKCS#5 mentions UTF-8 as a possibility, sure. But it precedes that by
recommending "that applications follow some common text encoding
rules."

The idea of using PKCS#5 within the context of PKCS#12 where a common
text encoding (BMPString) *is* actually specified for some purposes,
and deciding *not* to use the same text encoding as the PKCS#12
container... makes me want to go and smash my head against the wall
until the pain stops.

Do applications *really* use a different encoding for different parts
of the data, like that? Really? Unless it is a well-established
practice, I do not think we should encourage it.

My own best practice document hadn't even listed it as something which
should be *tried* for decoding a file.

> > Given the interoperability concerns with existing files, and the fact
> > that *trying* a password is free, it does make sense to list a number
> > of options for attempting to decrypt a file given a password in some
> > local charset (which might be a legacy non-UTF8 one). I'd attempted
> > that in
> > http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#rfc.section.7
> > 
> > Of course, for *creating* such files we can be more prescriptive...
>
> Should/may I copy this section as an informative section for
> applications wanting backwards compatibility?

Absolutely. It may even make sense to remove that entire section from
my document and just defer to yours, depending on how much you want to
include.

--=-6IEL3v4MXFi8VpjCuHFV--
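The two password encodings at issue in this thread, as an added example that is not code from any of the posters or from the drafts they mention: a password is first prepared under a simplified OpaqueString profile (RFC 7613 section 4.2, with the empty-string rule proposed earlier in the thread), then encoded both as the BMPString that PKCS#12 uses for its MAC (RFC 7292 appendix B.1) and as the UTF-8 octet string PKCS#5 suggests. The FreeformClass checks are an approximation of the profile, and all inputs are constructed.

```python
import unicodedata

# Added example: a simplified rendering of the OpaqueString profile of RFC 7613
# (section 4.2) beside the two password encodings discussed in the thread:
# the BMPString form PKCS#12 uses for its MAC (RFC 7292, appendix B.1) and the
# UTF-8 octet string PKCS#5 suggests. The disallowed-code-point checks are an
# approximation of the FreeformClass, not a full implementation.


class PasswordPreparationError(ValueError):
    """Raised when a password cannot be prepared under the profile."""


def prepare_opaque_string(password: str) -> str:
    """Prepare a password roughly as the OpaqueString profile does.

    Steps (RFC 7613 section 4.2.2): map non-ASCII spaces to U+0020, apply
    Unicode NFC, then reject strings containing disallowed code points.
    An empty input yields an empty output; an empty output produced from a
    non-empty input is rejected, matching the exception rule from the thread.
    """
    if password == "":
        return ""
    mapped = "".join(
        " " if unicodedata.category(ch) == "Zs" else ch for ch in password
    )
    prepared = unicodedata.normalize("NFC", mapped)
    for ch in prepared:
        # Control (Cc) and unassigned (Cn) code points are disallowed by the
        # FreeformClass; only that subset of its rules is checked here.
        if unicodedata.category(ch) in ("Cc", "Cn"):
            raise PasswordPreparationError(
                f"disallowed code point U+{ord(ch):04X} in password"
            )
    if prepared == "":
        raise PasswordPreparationError("empty string produced from non-empty input")
    return prepared


def pkcs12_bmpstring_password(password: str) -> bytes:
    """Encode a password the way PKCS#12 feeds it to its key derivation.

    RFC 7292 appendix B.1: BMPString, i.e. UTF-16BE limited to the Basic
    Multilingual Plane, followed by a two-octet NUL terminator.
    """
    for ch in password:
        if ord(ch) > 0xFFFF:
            raise PasswordPreparationError(
                f"U+{ord(ch):04X} is outside the BMP and has no BMPString form"
            )
    return password.encode("utf-16-be") + b"\x00\x00"


def pkcs5_utf8_password(password: str) -> bytes:
    """Encode a password as the UTF-8 octet string PKCS#5 suggests."""
    return password.encode("utf-8")


def password_octets(password: str) -> dict:
    """Prepare once, then produce the two encodings one PKCS#12 file may need.

    Returned keys: 'prepared', 'bmpstring' (for the PKCS#12 MAC) and 'utf8'
    (for PKCS#5-encrypted content inside the same container).
    """
    prepared = prepare_opaque_string(password)
    return {
        "prepared": prepared,
        "bmpstring": pkcs12_bmpstring_password(prepared),
        "utf8": pkcs5_utf8_password(prepared),
    }


if __name__ == "__main__":
    # Constructed inputs: the same word typed in precomposed (NFC) and
    # decomposed (NFD) form. Raw, they encode to different octets; after
    # preparation both forms agree, for either encoding.
    composed = "caf\u00e9"
    decomposed = "cafe\u0301"
    assert composed.encode("utf-16-be") != decomposed.encode("utf-16-be")
    for pw in (composed, decomposed):
        out = password_octets(pw)
        print(f"{pw!r}: bmpstring={out['bmpstring'].hex()} utf8={out['utf8'].hex()}")
```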


From nobody Tue Apr  4 03:32:29 2017
Return-Path: <lear@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF7AB129481 for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 03:32:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level: 
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qv3J0lSJfnSK for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 03:32:25 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6D871294B3 for <saag@ietf.org>; Tue,  4 Apr 2017 03:32:22 -0700 (PDT)
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
Received: from alln-core-6.cisco.com ([173.36.13.139]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 04 Apr 2017 10:32:21 +0000
Received: from [10.86.249.69] (bxb-vpn3-325.cisco.com [10.86.249.69]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id v34AWJdi007140; Tue, 4 Apr 2017 10:32:20 GMT
To: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com>
Cc: Mohit Sethi <mohit.m.sethi@ericsson.com>, "Kumar, Sandeep" <sandeep.kumar@philips.com>
From: Eliot Lear <lear@cisco.com>
Message-ID: <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>
Date: Tue, 4 Apr 2017 12:32:18 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="aUcstIoefVj0errnF8vn8lGrNWw4LST4A"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/VzCLxWU-TDjTLosYCMBt_qoY6oI>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 10:32:28 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--aUcstIoefVj0errnF8vn8lGrNWw4LST4A
Content-Type: multipart/mixed; boundary="U9DRgbcT18BkQ2wrsVvFXirs0bo7GAVcG";
 protected-headers="v1"

--U9DRgbcT18BkQ2wrsVvFXirs0bo7GAVcG
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Oscar,

While I appreciate the draft, there is an elephant in the room.  Not a
day passes when we hear of yet another compromise of a so-called "IoT"
system.  Sometimes these compromises are trivial, and sometimes they are
involved.  At the end of the day, the sheer quantity of Things mandates
some form of network-level protection that the draft should discuss, to
protect those devices from attack.  As was mentioned in the f2f, what if
Bob turns out to be, or becomes evil, or is otherwise 0wn3d by Chuck?

Eliot


On 4/3/17 9:10 AM, Garcia-Morchon O, Oscar wrote:
> Hi,
>
> we have submitted a new version of the Internet Draft on security considerations for the IoT.
> Comments are welcome.
>
> https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-02
>
> Regards, Oscar.
>
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> Sent: Friday, March 31, 2017 2:11 PM
> To: Mohit Sethi <mohit@piuha.net>; Kumar, Sandeep <sandeep.kumar@philips.com>; Kumar, Sandeep <sandeep.kumar@philips.com>; Garcia-Morchon O, Oscar <oscar.garcia-morchon@philips.com>; irtf-chair@irtf.org; t2trg-chairs@ietf.org
> Subject: New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
>
>
> A new version of I-D, draft-irtf-t2trg-iot-seccons-02.txt
> has been successfully submitted by Oscar Garcia-Morchon and posted to the IETF repository.
>
> Name:           draft-irtf-t2trg-iot-seccons
> Revision:       02
> Title:          State of the Art and Challenges for the Internet of Things
> Document date:  2017-03-31
> Group:          t2trg
> Pages:          56
> URL:            https://www.ietf.org/internet-drafts/draft-irtf-t2trg-iot-seccons-02.txt
> Status:         https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/
> Htmlized:       https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-02
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-irtf-t2trg-iot-seccons-02
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-irtf-t2trg-iot-seccons-02
>
> Abstract:
>    The Internet of Things concept refers to the usage of standard
>    Internet protocols to allow for human-to-thing or thing-to-thing
>    communication.  The security needs are well-recognized and many
>    standardization steps have been taken, for example, specification of
>    CoAP over DTLS.  However, security challenges still exist and there
>    are some use cases that lack a suitable solution.  This document
>    first provides an overview of security architecture, its deployment
>    model, security needs in the context of the lifecycle of a thing, as
>    well as the state of the art on IoT security.  Then, we discuss the
>    concept of security profiles for the successful roll-out of secure
>    IoT applications and describe remaining security challenges in the
>    IoT.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
> ________________________________
> The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.
> _______________________________________________
> T2TRG mailing list
> T2TRG@irtf.org
> https://www.irtf.org/mailman/listinfo/t2trg
>





From nobody Tue Apr  4 07:22:15 2017
Return-Path: <bgreene@senki.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CB801296BE for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 07:22:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level: 
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SEC_xgOGv7tR for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 07:22:06 -0700 (PDT)
Received: from smtp152.dfw.emailsrvr.com (smtp152.dfw.emailsrvr.com [67.192.241.152]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C7AE129634 for <saag@ietf.org>; Tue,  4 Apr 2017 07:22:05 -0700 (PDT)
Received: from smtp12.relay.dfw1a.emailsrvr.com (localhost [127.0.0.1]) by smtp12.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id DE2C140287; Tue,  4 Apr 2017 10:22:04 -0400 (EDT)
X-Auth-ID: bgreene@senki.org
Received: by smtp12.relay.dfw1a.emailsrvr.com (Authenticated sender: bgreene-AT-senki.org) with ESMTPSA id 5B774402BF;  Tue,  4 Apr 2017 10:22:04 -0400 (EDT)
X-Sender-Id: bgreene@senki.org
Received: from [172.16.1.5] (c-73-92-124-43.hsd1.ca.comcast.net [73.92.124.43]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:587 (trex/5.7.12); Tue, 04 Apr 2017 10:22:04 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Barry Raveendran Greene <bgreene@senki.org>
In-Reply-To: <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>
Date: Tue, 4 Apr 2017 07:22:03 -0700
Cc: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>, Mohit Sethi <mohit.m.sethi@ericsson.com>, "Kumar, Sandeep" <sandeep.kumar@philips.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>
To: Eliot Lear <lear@cisco.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/iBBFgws5XitZhc3GtAv3TbTQk_c>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 14:22:08 -0000

Hi Team,

I agree with Eliot. The draft is disconnected from reality. I attend a lot of “IoT Hack-a-thons” out in Asia (my wife is usually a judge). These are always huge events whose participation exceeds the organizer’s expectations. At no time do I see any of the teams ever think about security. The few times I offer to give “mini-IoT security workshops” get little interest. Why? Because everyone is focused on the IoT coding for the function - not the lifecycle.

The reality with IoT devices is that drafts like this are ideal, but don’t match reality. I’m now thinking ahead about what we have to do on the network in operators when my “rate of customer infection” goes from 20% - 30% (today) to 70% - 80%. Connected appliances with a +10 year lifecycle, with the owners not maintaining them, is a new world for us.

A survey of all the IoT Security “standards” and “guidelines” assumes we can remediate the violated IoT device. I put forward for the IETF that we cannot assume remediation. We have to assume that we cannot remediate. Hence, we need other tools in the network to mitigate the risk.

Barry



From nobody Tue Apr  4 08:39:48 2017
Return-Path: <tpauly@apple.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72784129717 for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 08:39:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8kZBdMPNmG9 for <saag@ietfa.amsl.com>; Tue,  4 Apr 2017 08:39:29 -0700 (PDT)
Received: from mail-in4.apple.com (mail-out4.apple.com [17.151.62.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8C491296E5 for <saag@ietf.org>; Tue,  4 Apr 2017 08:39:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1491320364; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=c3Ej7qso2fQl3ZbvjqAnUcD43bbgy/FW5MdFSflIKOI=; b=Az5VdoBa9xGr0geZ5oV3rxbIjbJ0MAZo0P+MLGJ3egzs0peDuIWvt/TREJhlTKjy liMh04yfEphrtXqjZazrZ68N6VM1NpUW+qfZVc1ZZOfSu1bNM4vtGpu4ituLOO+g uqWLrSzSqhMHHKPiFc+K2UjCDApqyDXgByufhpi5jDZoYP4fEZdwqP2nL7HEErHO 4KZEVvx6/FT3i5CVgTPZe8HSxxJHKUTeJuUBM5SCo4+IcLz0UqDpAklIgj7uZR8w JuPmlIbwtu+b1Z+YKeBhKIKytPQ2C/LCCMZcODiVRsWhoBGdETkx7jdzzbpat5yR 9U4EjEDs0rQ5yQy+41siOw==;
Received: from relay2.apple.com (relay2.apple.com [17.128.113.67]) by mail-in4.apple.com (Apple Secure Mail Relay) with SMTP id 47.2D.25383.C2EB3E85; Tue,  4 Apr 2017 08:39:24 -0700 (PDT)
X-AuditID: 11973e12-003389a000006327-80-58e3be2c8244
Received: from nwk-mmpp-sz10.apple.com (nwk-mmpp-sz10.apple.com [17.128.115.122]) by relay2.apple.com (Apple SCV relay) with SMTP id C5.7C.06512.C2EB3E85; Tue,  4 Apr 2017 08:39:24 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_FllJHYsVcP3xBGnsK7b52A)"
Received: from [17.153.62.197] by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0ONW00H6265NOG30@nwk-mmpp-sz10.apple.com>; Tue, 04 Apr 2017 08:39:24 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <87BF9C95-B970-4579-AC73-A5E1EC7F2BF8@apple.com>
Date: Tue, 04 Apr 2017 08:39:23 -0700
In-reply-to: <BE09E806-54A8-4A63-8C11-D0B637B70B54@apple.com>
Cc: "curdle@ietf.org" <curdle@ietf.org>, IPsecME WG <ipsec@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>, Jim Schaad <ietf@augustcellars.com>, "spasm@ietf.org" <spasm@ietf.org>, "tls@ietf.org" <tls@ietf.org>, "saag@ietf.org" <saag@ietf.org>
To: David Schinazi <dschinazi@apple.com>
References: <149073663013.1172.4888065212435317707.idtracker@ietfa.amsl.com> <051401d2a80b$e9bdea90$bd39bfb0$@augustcellars.com> <2DD56D786E600F45AC6BDE7DA4E8A8C118BB7D3A@eusaamb107.ericsson.se> <BE09E806-54A8-4A63-8C11-D0B637B70B54@apple.com>
X-Mailer: Apple Mail (2.3263)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-KVi4bkdP41ucw2uMFtrHkrYvU0>
Subject: Re: [saag] [Curdle] New Version Notification for draft-ietf-curdle-pkix-04.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Apr 2017 15:39:32 -0000

--Boundary_(ID_FllJHYsVcP3xBGnsK7b52A)
Content-type: text/plain; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT

I've gone through my review of the draft as well, and I think this version looks good!

Thanks,
Tommy

> On Apr 3, 2017, at 11:25 AM, David Schinazi <dschinazi@apple.com> wrote:
> 
> Thanks for the update!
> 
> I've reviewed -04 and I think the draft is ready to move forward.
> 
> Regards,
> David Schinazi
> 
> 
>> On Mar 28, 2017, at 15:43, Daniel Migault <daniel.migault@ericsson.com <mailto:daniel.migault@ericsson.com>> wrote:
>> 
>> Hi, 
>> 
>> Thank you Jim for the update. Here is the version resulting from the discussion we had during the WG meeting yesterday.  Please review the document and provide your feedback by April 4 so we can move the draft to the IESG. 
>> 
>> Yours, 
>> Daniel
>> 
>> -----Original Message-----
>> From: Curdle [mailto:curdle-bounces@ietf.org] On Behalf Of Jim Schaad
>> Sent: Tuesday, March 28, 2017 4:40 PM
>> To: curdle@ietf.org
>> Subject: [Curdle] FW: New Version Notification for draft-ietf-curdle-pkix-04.txt
>> 
>> Here is the promised updated draft.
>> 
>> Changes:
>> 1.  Fixed an example that David Benjamin found was wrong.  (Incorrect sign bit in public key.)
>> 2.  Remove all of the pre-hash text except to note that it does exist.
>> 3.  No changes to the OID arc being used despite the agreement during the meeting.  After the meeting, Russ, the chairs and I had a short talk and decided that this did not need to occur.  The problem was only with getting new values assigned not with the current values which were already assigned.
>> 
>> That should be the final issues in the draft
>> 
>> Jim
>> 
>> 
>>> -----Original Message-----
>>> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
>>> Sent: Tuesday, March 28, 2017 4:31 PM
>>> To: Jim Schaad <ietf@augustcellars.com>; Simon Josefsson 
>>> <simon@josefsson.org>
>>> Subject: New Version Notification for draft-ietf-curdle-pkix-04.txt
>>> 
>>> 
>>> A new version of I-D, draft-ietf-curdle-pkix-04.txt has been 
>>> successfully submitted by Jim Schaad and posted to the IETF repository.
>>> 
>>> Name:		draft-ietf-curdle-pkix
>>> Revision:	04
>>> Title:		Algorithm Identifiers for Ed25519, Ed448, X25519 and X448 for
>>> use in the Internet X.509 Public Key Infrastructure
>>> Document date:	2017-03-28
>>> Group:		curdle
>>> Pages:		15
>>> URL:            https://www.ietf.org/internet-drafts/draft-ietf-curdle-pkix-04.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/
>>> Htmlized:       https://tools.ietf.org/html/draft-ietf-curdle-pkix-04
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-curdle-pkix-04
>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-curdle-pkix-04
>>> 
>>> Abstract:
>>>  This document specifies algorithm identifiers and ASN.1 encoding
>>>  formats for Elliptic Curve constructs using the Curve25519 and
>>>  Curve448 curves.  The signature algorithms covered are Ed25519 and
>>>  Ed448.  The key agreement algorithms covered are X25519 and X448.  The
>>>  encoding for Public Key, Private Key and EdDSA digital signature
>>>  structures is provided.
>>> 
>>> 
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of 
>>> submission until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> The IETF Secretariat
>> 
>> 
>> _______________________________________________
>> Curdle mailing list
>> Curdle@ietf.org
>> https://www.ietf.org/mailman/listinfo/curdle
>> 
>> _______________________________________________
>> Curdle mailing list
>> Curdle@ietf.org <mailto:Curdle@ietf.org>
>> https://www.ietf.org/mailman/listinfo/curdle <https://www.ietf.org/mailman/listinfo/curdle>
> 
> _______________________________________________
> Curdle mailing list
> Curdle@ietf.org <mailto:Curdle@ietf.org>
> https://www.ietf.org/mailman/listinfo/curdle <https://www.ietf.org/mailman/listinfo/curdle>
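
The "incorrect sign bit in public key" fix in Jim's change list concerns the Ed25519 key encoding the draft carries in an X.509 SubjectPublicKeyInfo: 255 bits of little-endian y with the sign of x in the top bit. The following is an added example, not code from the draft or its authors; it implements the RFC 8032 key derivation and point decoding directly and assumes the published SPKI layout (OID 1.3.101.112, 32-byte BIT STRING), with function names of its own. It shows why such an error survives review: a key with the wrong sign bit still decodes as a valid curve point (the negation of the real key), so only a cross-check against the private key, or a signature verification, exposes it.

```python
import hashlib

# Ed25519 field prime, curve constant d and sqrt(-1) (RFC 8032, section 5.1).
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)

def _recover_x(y, sign):
    """Root of x^2 = (y^2-1)/(d*y^2+1) with low bit == sign; None if y is off-curve."""
    if y >= P:
        return None
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    if x2 == 0:
        return None if sign else 0  # x = 0 has no negative, so sign must be 0
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        return None
    return P - x if (x & 1) != sign else x

# Points are extended coordinates (X, Y, Z, T): x = X/Z, y = Y/Z, T = X*Y/Z.
def _add(a, b):
    e1 = (a[1] - a[0]) * (b[1] - b[0]) % P
    e2 = (a[1] + a[0]) * (b[1] + b[0]) % P
    e3 = 2 * a[3] * b[3] * D % P
    e4 = 2 * a[2] * b[2] % P
    e, f, g, h = e2 - e1, e4 - e3, e4 + e3, e2 + e1
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def _mul(k, pt):
    acc = (0, 1, 1, 0)  # neutral element
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

_GY = 4 * pow(5, -1, P) % P
_GX = _recover_x(_GY, 0)
G = (_GX, _GY, 1, _GX * _GY % P)  # base point

def encode_point(pt):
    """RFC 8032 encoding: little-endian y with the sign (low bit) of x in bit 255."""
    zinv = pow(pt[2], -1, P)
    x, y = pt[0] * zinv % P, pt[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode_point(raw):
    """Inverse of encode_point; None if the 32 bytes do not name a curve point."""
    if len(raw) != 32:
        return None
    v = int.from_bytes(raw, "little")
    y, sign = v & ((1 << 255) - 1), v >> 255
    x = _recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % P)

def public_from_seed(seed):
    """Clamp SHA-512(seed)[:32] and multiply the base point (RFC 8032, section 5.1.5)."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)
    return encode_point(_mul(a, G))

# SubjectPublicKeyInfo shape from RFC 8410: SEQUENCE { SEQUENCE { OID 1.3.101.112 },
# BIT STRING with 0 unused bits holding the raw 32-byte key }.
SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

def build_spki(pub):
    return SPKI_PREFIX + pub

def parse_spki(spki):
    """Return the raw key bytes, or None if the DER is not the Ed25519 SPKI shape."""
    if len(spki) != len(SPKI_PREFIX) + 32 or not spki.startswith(SPKI_PREFIX):
        return None
    return spki[len(SPKI_PREFIX):]

def spki_matches_seed(spki, seed):
    """True only if the SPKI holds a valid point equal to the key derived from seed."""
    pub = parse_spki(spki)
    return pub is not None and decode_point(pub) is not None and pub == public_from_seed(seed)

def flip_sign_bit(pub):
    """Constructed fault: the wrong-sign-bit error the draft's example had."""
    return pub[:31] + bytes([pub[31] ^ 0x80])

if __name__ == "__main__":
    # RFC 8032 test vector 1; public test data, not a real key.
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pub = public_from_seed(seed)
    bad = flip_sign_bit(pub)
    print("derived public key:", pub.hex())
    print("sign-flipped key is still a valid point:", decode_point(bad) is not None)
    print("sign-flipped SPKI matches the seed:", spki_matches_seed(build_spki(bad), seed))
```

A plain DER or point-validity check passes the faulty key; the mismatch only shows up when the SPKI is compared against the key derived from the private seed.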

--Boundary_(ID_FllJHYsVcP3xBGnsK7b52A)
Content-type: text/html; CHARSET=US-ASCII
Content-transfer-encoding: quoted-printable

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D""><div class=3D"">I've gone through my review of the draft as =
well, and I think this version looks good!</div><div class=3D""><br =
class=3D""></div><div class=3D"">Thanks,</div><div =
class=3D"">Tommy</div><br class=3D""><div><blockquote type=3D"cite" =
class=3D""><div class=3D"">On Apr 3, 2017, at 11:25 AM, David Schinazi =
&lt;<a href=3D"mailto:dschinazi@apple.com" =
class=3D"">dschinazi@apple.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; =
display: inline !important;" class=3D"">Thanks for the update!</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><br=
 style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" =
class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">I've reviewed -04 and I think the draft is ready =
to move forward.</span><br style=3D"font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><span =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; =
display: inline !important;" class=3D"">Regards,</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" =
class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">David Schinazi</span><br style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><br=
 style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px;" class=3D"">On Mar 28, 2017, at 15:43, =
Daniel Migault &lt;<a href=3D"mailto:daniel.migault@ericsson.com" =
class=3D"">daniel.migault@ericsson.com</a>&gt; wrote:<br class=3D""><br =
class=3D"">Hi,<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D""><br class=3D"">Thank you Jim for the update. Here is the =
version resulting from the discussion we had during the WG meeting =
yesterday. &nbsp;Please review the document and provide your feed backs =
by April 4 so we can move the draft to the IESG.<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><br =
class=3D"">Yours,<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D"">Daniel<br class=3D""><br class=3D"">-----Original =
Message-----<br class=3D"">From: Curdle [<a =
href=3D"mailto:curdle-bounces@ietf.org" =
class=3D"">mailto:curdle-bounces@ietf.org</a>] On Behalf Of Jim =
Schaad<br class=3D"">Sent: Tuesday, March 28, 2017 4:40 PM<br =
class=3D"">To: <a href=3D"mailto:curdle@ietf.org" =
class=3D"">curdle@ietf.org</a><br class=3D"">Subject: [Curdle] FW: New =
Version Notification for draft-ietf-curdle-pkix-04.txt<br class=3D""><br =
class=3D"">Here is the promised updated draft.<br class=3D""><br =
class=3D"">Changes:<br class=3D"">1. &nbsp;Fixed an example that David =
Benjamin found was wrong. &nbsp;(Incorrect sign bit in public key.) 2. =
&nbsp;Remove all of the pre-hash text except to note that it does =
exist.<br class=3D"">3. &nbsp;No changes to the OID arc being used =
despite the agreement during the meeting. &nbsp;After the meeting, Russ, =
the chairs and I had a short talk and decided that this did not need to =
occur. &nbsp;The problem was only with getting new values assigned not =
with the current values which were already assigned.<br class=3D""><br =
class=3D"">That should be the final issues in the draft<br class=3D""><br =
class=3D"">Jim<br class=3D""><br class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D"">-----Original Message-----<br class=3D"">From: =
<a href=3D"mailto:internet-drafts@ietf.org" =
class=3D"">internet-drafts@ietf.org</a> [<a =
href=3D"mailto:internet-drafts@ietf.org" =
class=3D"">mailto:internet-drafts@ietf.org</a>]<br class=3D"">Sent: =
Tuesday, March 28, 2017 4:31 PM<br class=3D"">To: Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" =
class=3D"">ietf@augustcellars.com</a>&gt;; Simon Josefsson<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D"">&lt;<a =
href=3D"mailto:simon@josefsson.org" =
class=3D"">simon@josefsson.org</a>&gt;<br class=3D"">Subject: New =
Version Notification for draft-ietf-curdle-pkix-04.txt<br class=3D""><br =
class=3D""><br class=3D"">A new version of I-D, =
draft-ietf-curdle-pkix-04.txt has been<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D"">successfully =
submitted by Jim Schaad and posted to the IETF repository.<br =
class=3D""><br class=3D"">Name:<span class=3D"Apple-tab-span" =
style=3D"white-space: pre;">	</span><span class=3D"Apple-tab-span" =
style=3D"white-space: pre;">	</span>draft-ietf-curdle-pkix<br =
class=3D"">Revision:<span class=3D"Apple-tab-span" style=3D"white-space: =
pre;">	</span>04<br class=3D"">Title:<span class=3D"Apple-tab-span" =
style=3D"white-space: pre;">	</span><span class=3D"Apple-tab-span" =
style=3D"white-space: pre;">	</span>Algorithm Identifiers for =
Ed25519, Ed448, X25519 and X448 for<br class=3D"">use in the Internet =
X.509 Public Key Infrastructure<br class=3D"">Document date:<span =
class=3D"Apple-tab-span" style=3D"white-space: pre;">	=
</span>2017-03-28<br class=3D"">Group:<span class=3D"Apple-tab-span" =
style=3D"white-space: pre;">	</span><span class=3D"Apple-tab-span" =
style=3D"white-space: pre;">	</span>curdle<br class=3D"">Pages:<span =
class=3D"Apple-tab-span" style=3D"white-space: pre;">	</span><span =
class=3D"Apple-tab-span" style=3D"white-space: pre;">	</span>15<br =
class=3D"">URL: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"https://www.ietf.org/internet-drafts/draft-ietf-curdle-pkix-04.txt=
" =
class=3D"">https://www.ietf.org/internet-drafts/draft-ietf-curdle-pkix-04.=
txt</a><br class=3D"">Status: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/" =
class=3D"">https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/</a><br=
 class=3D"">Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"https://tools.ietf.org/html/draft-ietf-curdle-pkix-04" =
class=3D"">https://tools.ietf.org/html/draft-ietf-curdle-pkix-04</a><br =
class=3D"">Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"https://datatracker.ietf.org/doc/html/draft-ietf-curdle-pkix-04" =
class=3D"">https://datatracker.ietf.org/doc/html/draft-ietf-curdle-pkix-04=
</a><br class=3D"">Diff: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-curdle-pkix-04" =
class=3D"">https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-curdle-pkix-04</=
a><br class=3D""><br class=3D"">Abstract:<br class=3D"">&nbsp;This =
document specifies algorithm identifiers and ASN.1 encoding<br =
class=3D"">&nbsp;formats for Elliptic Curve constructs using the =
Curve25519 and<br class=3D"">&nbsp;Curve448 curves. &nbsp;The signature =
algorithms covered are Ed25519 and<br class=3D"">&nbsp;Ed448. &nbsp;The =
key agreement algorithm covered are X25519 and X448. &nbsp;The<br =
class=3D"">&nbsp;encoding for Public Key, Private Key and EdDSA digital =
signature<br class=3D"">&nbsp;structures is provided.<br class=3D""><br =
class=3D""><br class=3D""><br class=3D""><br class=3D"">Please note that =
it may take a couple of minutes from the time of<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D"">submission =
until the htmlized version and diff are available at <a =
href=3D"http://tools.ietf.org" class=3D"">tools.ietf.org</a>.<br =
class=3D""><br class=3D"">The IETF Secretariat<br =
class=3D""></blockquote><br class=3D""><br =
class=3D"">_______________________________________________<br =
class=3D"">Curdle mailing list<br class=3D""><a =
href=3D"mailto:Curdle@ietf.org" class=3D"">Curdle@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/curdle<br class=3D""><br =
class=3D"">_______________________________________________<br =
class=3D"">Curdle mailing list<br class=3D""><a =
href=3D"mailto:Curdle@ietf.org" class=3D"">Curdle@ietf.org</a><br =
class=3D""><a href=3D"https://www.ietf.org/mailman/listinfo/curdle" =
class=3D"">https://www.ietf.org/mailman/listinfo/curdle</a><br =
class=3D""></blockquote><br style=3D"font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px;" class=3D""><span style=3D"font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: =
inline !important;" =
class=3D"">_______________________________________________</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" =
class=3D""><span style=3D"font-family: Helvetica; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; float: none; display: inline =
!important;" class=3D"">Curdle mailing list</span><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><a =
href=3D"mailto:Curdle@ietf.org" style=3D"font-family: Helvetica; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px;" class=3D"">Curdle@ietf.org</a><br =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=3D""><a =
href=3D"https://www.ietf.org/mailman/listinfo/curdle" =
style=3D"font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" =
class=3D"">https://www.ietf.org/mailman/listinfo/curdle</a></div></blockqu=
ote></div><br class=3D""></body></html>=

--Boundary_(ID_FllJHYsVcP3xBGnsK7b52A)--


From nobody Tue Apr  4 23:44:33 2017
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Barry Raveendran Greene <bgreene@senki.org>, Eliot Lear <lear@cisco.com>
CC: Mohit Sethi <mohit.m.sethi@ericsson.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "Kumar, Sandeep" <sandeep.kumar@philips.com>
Date: Wed, 5 Apr 2017 06:44:27 +0000
Message-ID: <1491374652157.84909@cs.auckland.ac.nz>
In-Reply-To: <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>, <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jVQ1lCdDQZ8dFYxJ1v-CIq1RtU4>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt

Barry Raveendran Greene <bgreene@senki.org> writes:

>A survey of all the IoT Security “standards” and “guidelines” assumes we can
>remediate the violated IoT device. I put forward for the IETF that we cannot
>assume remediation. We have to assume that we cannot remediate. Hence, we
>need other tools in the network to mitigate the risk.

That's always struck me as a bit odd as well when I read some standard for
secure firmware update, for IoT devices like the Raspberry Pi and similar
Linux-based/like devices the update process is already sorted (apt-get update)
and for SCADA/embedded or whatever running some RTOS it can't be updated,
whatever you ship today will be used in that form for the next ten to twenty
years (or more, I've seen fifty-year-old ladder logic controllers still in
active use).  So the diagram in Figure 1 is replaced after "application
running" with a dotted line leading up to the present day, there are no updates,
no reconfiguration, no maintenance and re-bootstrapping, it just keeps running
once put into service.

I don't want to start nitpicking individual bits of the draft, but I think it
would help if it laid out what's meant by "IoT", are we talking Android phones
(mentioned in one place), fridges, PLCs, routers, what?  Or perhaps come up
with a few sample device profiles and provide specific advice for each case.
At the moment it's so generic that it seems to be one-size-fits-nothing...
it's like trying to write safe-driving instructions that have to cover cars,
buses, trucks, motorbikes, locomotives, boats, oil tankers, jet skis, jet
aircraft, jet bikes, scooters, and submarines.

Peter.


From nobody Wed Apr  5 02:13:32 2017
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: "Moriarty, Kathleen" <Kathleen.Moriarty@dell.com>,  "mnystrom@microsoft.com" <mnystrom@microsoft.com>, IETF SAAG <saag@ietf.org>,  "bkaliski@verisign.com" <bkaliski@verisign.com>
Date: Wed, 5 Apr 2017 11:12:47 +0200
Message-ID: <CAJU7za+W-S_SxZeFV__0PvMymEU1biQ2PHinK30jKHPMxwe2Cw@mail.gmail.com>
In-Reply-To: <1491290261.6218.12.camel@infradead.org>
References: <CAJU7zaKRo0JkhDa7VTxd7=G6Vtuf4XiV2Kwq_-DB8KQ7R4yAxw@mail.gmail.com> <EC15E156-FE69-4BAC-A127-38D7CB516F55@emc.com> <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com> <1491231248.6020.71.camel@infradead.org> <CAJU7zaKNbQJdr_7EfiXQaJmGaj5BVN=G_xMVAAyT6O+Ydyh7+Q@mail.gmail.com> <1491290261.6218.12.camel@infradead.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ziInZkQiTApdBSR4rf5EPJi_s6A>
Subject: Re: [saag] encrypted files with UTF-8/16 passwords

On Tue, Apr 4, 2017 at 9:17 AM, David Woodhouse <dwmw2@infradead.org> wrote:
> On Tue, 2017-04-04 at 09:06 +0200, Nikos Mavrogiannopoulos wrote:
>> That's partially true. The MAC in PKCS#12 *always* uses the password
>> as a BMPString. However, the encrypted sections (keys, certificates)
>> do not have to be. In fact if you intend to use the AES-128 algorithm
>> in PKCS#12, the only way is to utilize the PKCS#5 encryption method
>> which uses/suggests UTF-8 (or ASCII).
> PKCS#5 mentions UTF-8 as a possibility, sure. But it precedes that by
> recommending "that applications follow some common text encoding
> rules."

Hopefully the draft I'm proposing clarifies this part by mandating
UTF-8 for all PKCS#5 mechanisms.

> The idea of using PKCS#5 within the context of PKCS#12 where a common
> text encoding (BMPString) *is* actually specified for some purposes,
> and deciding *not* to use the same text encoding as the PKCS#12
> container... makes me want to go and smash my head against the wall
> until the pain stops.
> Do applications *really* use a different encoding for different parts
> of the data, like that? Really? Unless it is a well-established
> practice, I do not think we should encourage it.

All existing software treats those files like that as far as I know.
PKCS#12 definitions apply to the OIDs/algorithms defined within the
document only, not to other mechanisms.

> My own best practice document hadn't even listed it as something which
> should be *tried* for decoding a file.

I do not think there is an ambiguity there given that all software I
have tested is compatible.

>> > Given the interoperability concerns with existing files, and the fact
>> > that *trying* a password is free, it does make sense to list a number
>> > of options for attempting to decrypt a file given a password in some
>> > local charset (which might be a legacy non-UTF8 one). I'd attempted
>> > that in
>> > http://david.woodhou.se/draft-woodhouse-cert-best-practice.html#rfc.section.7
>> > Of course, for *creating* such files we can be more prescriptive...
>> Should/may I copy this section as an informative section for
>> applications wanting backwards compatibility?
> Absolutely. It may even make sense to remove that entire section from
> my document and just defer to yours, depending on how much you want to
> include.

Done. I have not included the second part on openssl 1.1.0. I believe
assuming input is in UTF-8 is a good practice if it is documented.
Character sets are not something we should be concerned with today.

regards,
Nikos


From BATV+f448afa6c40205be055d+4973+infradead.org+dwmw2@twosheds.srs.infradead.org  Wed Apr  5 02:54:19 2017
From: David Woodhouse <dwmw2@infradead.org>
To: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Cc: "Moriarty, Kathleen" <Kathleen.Moriarty@dell.com>,  "mnystrom@microsoft.com" <mnystrom@microsoft.com>, IETF SAAG <saag@ietf.org>, "bkaliski@verisign.com" <bkaliski@verisign.com>
Date: Wed, 05 Apr 2017 11:54:06 +0200
Message-ID: <1491386046.22176.18.camel@infradead.org>
In-Reply-To: <CAJU7za+W-S_SxZeFV__0PvMymEU1biQ2PHinK30jKHPMxwe2Cw@mail.gmail.com>
References: <CAJU7zaKRo0JkhDa7VTxd7=G6Vtuf4XiV2Kwq_-DB8KQ7R4yAxw@mail.gmail.com> <EC15E156-FE69-4BAC-A127-38D7CB516F55@emc.com> <CAJU7za++NYj6AvykAbCDtEniVxnO3CdkhuCwceNpO1505X+X2A@mail.gmail.com> <1491231248.6020.71.camel@infradead.org> <CAJU7zaKNbQJdr_7EfiXQaJmGaj5BVN=G_xMVAAyT6O+Ydyh7+Q@mail.gmail.com> <1491290261.6218.12.camel@infradead.org> <CAJU7za+W-S_SxZeFV__0PvMymEU1biQ2PHinK30jKHPMxwe2Cw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3Pu4Poyi_sHwBV52_Y1VGrSNxDw>
Subject: Re: [saag] encrypted files with UTF-8/16 passwords

On Wed, 2017-04-05 at 11:12 +0200, Nikos Mavrogiannopoulos wrote:
>
> > The idea of using PKCS#5 within the context of PKCS#12 where a common
> > text encoding (BMPString) *is* actually specified for some purposes,
> > and deciding *not* to use the same text encoding as the PKCS#12
> > container... makes me want to go and smash my head against the wall
> > until the pain stops.
> > Do applications *really* use a different encoding for different parts
> > of the data, like that? Really? Unless it is a well-established
> > practice, I do not think we should encourage it.
>
> All existing software treats those files like that as far as I know.
> PKCS#12 definitions apply to the OIDs/algorithms defined within the
> document only, not to other mechanisms.

Hm, what about OpenSSL? OpenSSL doesn't do any real charset conversion,
which is why they've moved from one bug with PKCS#12 in 1.0.x... to a
*different* bug in 1.1.0 instead of actually fixing it.

And yet the above would *require* a proper conversion between BMPString
and UTF-8...
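The encoding split the two messages above are arguing about, as an added example that is not code from the thread, from the draft under discussion, or from OpenSSL or any other library: the PKCS#12 MAC takes the password as a BMPString (UTF-16BE plus a two-byte NUL, RFC 7292 Appendix B) while a PKCS#5 PBES2 section takes UTF-8, so a non-ASCII password yields two different byte strings and a reader that does no charset conversion cannot get both right. The second half is one way to do the "trying a password is free" fallback from the best-practice section quoted earlier: interpret the bytes the user typed under each candidate charset and see which one verifies the MAC. All names (`pkcs12_kdf`, `verify_mac_trying_charsets`, and so on), the salt, iteration count and the `AUTH_SAFE` payload are constructed for the example; no real .p12 file is parsed.

```python
"""PKCS#12 (BMPString) versus PKCS#5 (UTF-8) password bytes, with a
candidate-charset MAC check.  Added example; not code from the thread."""
import hashlib
import hmac
import math

# RFC 7292 Appendix B.1: the password is a BMPString, i.e. UTF-16BE, and the
# two-byte NUL terminator is part of the bytes fed to the KDF.
def bmpstring_password(password: str) -> bytes:
    return password.encode("utf-16-be") + b"\x00\x00"

# PKCS#5 mechanisms (PBES2/PBKDF2): UTF-8, no terminator.
def utf8_password(password: str) -> bytes:
    return password.encode("utf-8")

ID_KEY, ID_IV, ID_MAC = 1, 2, 3   # purpose byte, RFC 7292 Appendix B.3

def pkcs12_kdf(password: bytes, salt: bytes, purpose_id: int,
               iterations: int, n: int, hash_name: str = "sha256") -> bytes:
    """RFC 7292 Appendix B.2 key derivation; returns n bytes."""
    u = hashlib.new(hash_name).digest_size   # hash output length
    v = hashlib.new(hash_name).block_size    # 64 for SHA-1 and SHA-256

    def fill(x: bytes) -> bytes:             # repeat x up to a multiple of v bytes
        if not x:
            return b""
        k = v * math.ceil(len(x) / v)
        return (x * (k // len(x) + 1))[:k]

    D = bytes([purpose_id]) * v              # diversifier
    I = bytearray(fill(salt) + fill(password))
    out = b""
    for _ in range(math.ceil(n / u)):
        A = hashlib.new(hash_name, D + bytes(I)).digest()
        for _ in range(iterations - 1):
            A = hashlib.new(hash_name, A).digest()
        out += A
        B = int.from_bytes(fill(A)[:v], "big")   # A repeated to v bytes
        for j in range(0, len(I), v):            # I_j = I_j + B + 1 mod 2^(8v)
            blk = int.from_bytes(I[j:j + v], "big")
            I[j:j + v] = ((blk + B + 1) % (1 << (8 * v))).to_bytes(v, "big")
    return out[:n]

def pkcs12_mac(password: bytes, salt: bytes, iterations: int, data: bytes) -> bytes:
    """MacData check value: HMAC-SHA256 keyed with the KDF (ID 3) output."""
    key = pkcs12_kdf(password, salt, ID_MAC, iterations, 32)
    return hmac.new(key, data, hashlib.sha256).digest()

def pkcs5_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBES2 content-encryption key via PBKDF2-HMAC-SHA256 (PKCS#5)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 16)

def verify_mac_trying_charsets(typed: bytes, charsets, expected_mac: bytes,
                               salt: bytes, iterations: int, data: bytes):
    """Decode the bytes typed at a terminal under each charset in turn,
    re-encode as BMPString and check the MAC.  Returns the charset that
    verified, or None.  Hypothetical helper written for this example."""
    for cs in charsets:
        try:
            text = typed.decode(cs)
        except UnicodeDecodeError:
            continue                          # not valid in that charset; next
        mac = pkcs12_mac(bmpstring_password(text), salt, iterations, data)
        if hmac.compare_digest(mac, expected_mac):
            return cs
    return None

# ---- constructed sample: a file written by a UTF-8-aware application ----
PASSWORD = "Pässwörd"                                        # non-ASCII on purpose
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed
ITER = 2048
AUTH_SAFE = b"constructed authSafe contents, not real DER"  # constructed

def writer_side() -> dict:
    """What a conforming writer derives: BMPString for the MAC, UTF-8 for PBES2."""
    return {
        "mac": pkcs12_mac(bmpstring_password(PASSWORD), SALT, ITER, AUTH_SAFE),
        "pbes2_key": pkcs5_key(utf8_password(PASSWORD), SALT, ITER),
    }

def reader_side(typed: bytes = PASSWORD.encode("cp1252")):
    """A reader handed the password as cp1252 bytes: which interpretation opens it?"""
    w = writer_side()
    return verify_mac_trying_charsets(typed, ["utf-8", "cp1252"],
                                      w["mac"], SALT, ITER, AUTH_SAFE)

if __name__ == "__main__":
    print("BMPString bytes:", bmpstring_password(PASSWORD).hex())
    print("UTF-8 bytes:    ", utf8_password(PASSWORD).hex())
    print("charset that verified the MAC:", reader_side())
```

The cp1252 bytes of "Pässwörd" are not valid UTF-8, so the first candidate is skipped on decode rather than silently producing a wrong key; the UTF-8 candidate is tried first because the draft under discussion mandates it for new files, and legacy charsets only as fallbacks. Note that even a pure-ASCII password gives different bytes for the two KDFs (the BMPString has interleaved NULs), which is why "no conversion" is never a correct reading of either spec.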


From nobody Wed Apr  5 06:56:46 2017
From: Barry Raveendran Greene <bgreene@senki.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Eliot Lear <lear@cisco.com>, Mohit Sethi <mohit.m.sethi@ericsson.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "Kumar, Sandeep" <sandeep.kumar@philips.com>
Date: Wed, 5 Apr 2017 06:56:22 -0700
Message-Id: <D69EDD72-28EC-4AD9-B91A-7A9344ECE8E4@senki.org>
In-Reply-To: <1491374652157.84909@cs.auckland.ac.nz>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com> <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org> <1491374652157.84909@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/L3PeXie2M-7iZ6nuihphErd8ixY>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt

> On Apr 4, 2017, at 11:44 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>
> I don't want to start nitpicking individual bits of the draft

I’m OK with the draft. It is a good solid document for anyone who is taking an interest in secure IoT or looking to build an “RFP security requirements” checklist. We need this. Good work.

But, from an IETF POV …. where we have to think forward to the next set of engineering problems, we need to be mindful of your illustration …

> So the diagram in Figure 1 is replaced after "application
> running" with a dotted line leading up to the present day, there's no updates,
> no reconfiguration, no maintenance and re-bootstrapping, it just keeps running
> once put into service.

What does a network do? Let's start digging into that problem.


From nobody Thu Apr  6 00:27:51 2017
Return-Path: <oscar.garcia-morchon@philips.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2E0D129401 for <saag@ietfa.amsl.com>; Thu,  6 Apr 2017 00:27:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.697
X-Spam-Level: 
X-Spam-Status: No, score=-4.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=philips.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HxsBU5AjahXW for <saag@ietfa.amsl.com>; Thu,  6 Apr 2017 00:27:47 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0113.outbound.protection.outlook.com [104.47.0.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6B47129436 for <saag@ietf.org>; Thu,  6 Apr 2017 00:27:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Philips.onmicrosoft.com; s=selector1-philips-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=7lRn9kPXoR6+N3l6fRTQWb3ryGwGrRDJ09dpd3C8JyE=; b=VYTe03p79GLoNvulTZV5b1KGx0HBnhHBdkYaf1zmT58zLv2MT01KHCUqvtDMam9EDS/Fw6Wy+Y5UNIVAYNRN549EORt3JCDri0XCPCpM9q+F9p9aC0auzUlYWlLVELaVbU6fVJtAtN4HJARjO0Jyccpk63M3KyteW7nEoIZVvyE=
Received: from VI1P122CA0001.EURP122.PROD.OUTLOOK.COM (129.75.100.79) by DB6P122MB0054.EURP122.PROD.OUTLOOK.COM (129.75.140.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.10; Thu, 6 Apr 2017 07:27:20 +0000
Received: from AM1FFO11FD030.protection.gbl (2a01:111:f400:7e00::195) by VI1P122CA0001.outlook.office365.com (2603:10a6:820:2::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.10 via Frontend Transport; Thu, 6 Apr 2017 07:27:20 +0000
Authentication-Results: spf=neutral (sender IP is 23.103.228.84) smtp.mailfrom=philips.com; senki.org; dkim=none (message not signed) header.d=none;senki.org; dmarc=none action=none header.from=philips.com;
Received-SPF: Neutral (protection.outlook.com: 23.103.228.84 is neither permitted nor denied by domain of philips.com)
Received: from 011-smtp-out.Philips.com (23.103.228.84) by AM1FFO11FD030.mail.protection.outlook.com (10.174.64.219) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.5 via Frontend Transport; Thu, 6 Apr 2017 07:27:19 +0000
Received: from DB5PR9001MB0165.MGDPHG.emi.philips.com (141.251.190.209) by DB4PR90MB0154.MGDPHG.emi.philips.com (141.251.118.86) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.10; Thu, 6 Apr 2017 07:27:19 +0000
Received: from DB5PR9001MB0165.MGDPHG.emi.philips.com ([141.251.190.209]) by DB5PR9001MB0165.MGDPHG.emi.philips.com ([141.251.190.209]) with mapi id 15.01.1005.021; Thu, 6 Apr 2017 07:27:18 +0000
From: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>
To: Barry Raveendran Greene <bgreene@senki.org>, Eliot Lear <lear@cisco.com>
CC: Mohit Sethi <mohit.m.sethi@ericsson.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "Kumar, Sandeep" <sandeep.kumar@philips.com>
Thread-Topic: [T2TRG] [saag] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
Date: Thu, 6 Apr 2017 07:27:18 +0000
Message-ID: <532caf552ceb42c1914a7b500ad50546@DB5PR9001MB0165.MGDPHG.emi.philips.com>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com> <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org>
In-Reply-To: <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gmJJEAKTfrJcUFdn_J1-e3XL73A>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 07:27:51 -0000

From nobody Thu Apr  6 00:28:33 2017
Return-Path: <oscar.garcia-morchon@philips.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
From: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Barry Raveendran Greene <bgreene@senki.org>, Eliot Lear <lear@cisco.com>
CC: Mohit Sethi <mohit.m.sethi@ericsson.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "Kumar, Sandeep" <sandeep.kumar@philips.com>, "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>
Thread-Topic: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
Date: Thu, 6 Apr 2017 07:27:38 +0000
Message-ID: <0f486dc8e90844658f8107f44486b5cd@DB5PR9001MB0165.MGDPHG.emi.philips.com>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>, <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org> <1491374652157.84909@cs.auckland.ac.nz>
In-Reply-To: <1491374652157.84909@cs.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1PNgaKAbZj1FybCRugefGFT6fy4>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 07:28:32 -0000

Dear Peter,

Thanks for your remark. IoT is indeed a broad concept. We will refer to the definition of device classes. Do you think that this is a good approach?

>>>" At the moment it's so generic that it seems to be one-size-fits-nothing... it's like trying to write safe-driving instructions that have to cover cars, buses, trucks, motorbikes, locomotives, boats, oil tankers, jet skis, jet aircraft, jet bikes, scooters, and submarines."

I agree that writing safe-driving instructions for cars, jets, etc. is difficult. The jet goes faster than the car, so I fully agree: recommending a common speed limit does not make sense. However, there are common guidelines, for instance "do not collide" as a general rule.

It is not the intention of the draft to create common instructions. As for the cars, jets, ... this does not make sense.

The main goals are:
- summarize existing solutions out there and in the IETF
- summarize security considerations and challenges that should be addressed in the future

Which existing solutions, security considerations, or challenges apply to a given IoT system depends on the IoT system itself and how it is used (this is similar to the example of cars, ...). In the document:
- we have some text on the process to identify risks, threats, and mitigation strategies that should help system designers and implementers.
- Similarly to the different transportation means that require different safety guidelines, we also have some initial text discussing security profiles. In an abstract way, this is the same idea... IoT systems (transportation systems) are very diverse, and addressing the security threats requires some specific type of solutions. A security profile could include some recommendations/guidelines for a specific type of IoT system.

Does this make sense to you?

Kind regards, Oscar.


-----Original Message-----
From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Peter Gutmann
Sent: Wednesday, April 5, 2017 8:44 AM
To: Barry Raveendran Greene <bgreene@senki.org>; Eliot Lear <lear@cisco.com>
Cc: Mohit Sethi <mohit.m.sethi@ericsson.com>; T2TRG@irtf.org; saag@ietf.org; Kumar, Sandeep <sandeep.kumar@philips.com>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt

Barry Raveendran Greene <bgreene@senki.org> writes:

>I survey of all the IoT Security "standards" and "guidelines" assumes
>we can remediate the violated IoT device. I put forward for the IETF
>that we cannot assume remediation. We have to assume that we cannot
>remediate. Hence, we need other tools in the network to mitigate the risk.

That's always struck me as a bit odd as well when I read some standard for secure firmware update: for IoT devices like the Raspberry Pi and similar Linux-based/like devices the update process is already sorted (apt-get update), and for SCADA/embedded or whatever running some RTOS it can't be updated; whatever you ship today will be used in that form for the next ten to twenty years (or more, I've seen fifty-year-old ladder logic controllers still in active use).  So the diagram in Figure 1 is replaced after "application running" with a dotted line leading up to the present day: there are no updates, no reconfiguration, no maintenance and re-bootstrapping, it just keeps running once put into service.

I don't want to start nitpicking individual bits of the draft, but I think it would help if it laid out what's meant by "IoT": are we talking Android phones (mentioned in one place), fridges, PLCs, routers, what?  Or perhaps come up with a few sample device profiles and provide specific advice for each case.
At the moment it's so generic that it seems to be one-size-fits-nothing... it's like trying to write safe-driving instructions that have to cover cars, buses, trucks, motorbikes, locomotives, boats, oil tankers, jet skis, jet aircraft, jet bikes, scooters, and submarines.

Peter.
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.


From nobody Thu Apr  6 00:29:25 2017
Return-Path: <oscar.garcia-morchon@philips.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
From: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>
To: Eliot Lear <lear@cisco.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>
CC: Mohit Sethi <mohit.m.sethi@ericsson.com>, "Kumar, Sandeep" <sandeep.kumar@philips.com>
Thread-Topic: [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
Thread-Index: AQHSqhfOYH/eADzk1kGNnz4+4VUtI6GzOqGggAHOpwCAAdZw4A==
Date: Thu, 6 Apr 2017 07:28:08 +0000
Message-ID: <4459c5f266fc4e7bb34a040dd3b14b57@DB5PR9001MB0165.MGDPHG.emi.philips.com>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>
In-Reply-To: <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [62.140.137.117]
X-MS-Office365-Filtering-Correlation-Id: c05cccd6-12f0-40cf-ae97-08d47cbe79d0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OrganizationHeadersPreserved: AMXPR90MB0150.MGDPHG.emi.philips.com
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-OriginatorOrg: philips.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Apr 2017 07:28:09.4496 (UTC)
X-MS-Exchange-CrossTenant-Id: 1a407a2d-7675-4d17-8692-b3ac285306e4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=1a407a2d-7675-4d17-8692-b3ac285306e4; Ip=[23.103.228.116];  Helo=[011-smtp-out.Philips.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5P122MB0023
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 04
X-MS-Exchange-CrossPremises-AuthSource: DB5PR9001MB0165.MGDPHG.emi.philips.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 62.140.137.117
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-AVStamp-Service: 1.0
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-OrganizationHeadersPreserved: DB5P122MB0023.EURP122.PROD.OUTLOOK.COM
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1m1_FJelRagyV9RGkkodrcX3jCE>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 07:29:23 -0000
From nobody Thu Apr  6 01:47:33 2017
Return-Path: <lear@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDA2312783A for <saag@ietfa.amsl.com>; Thu,  6 Apr 2017 01:47:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level: 
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0GeaM9LDO0uB for <saag@ietfa.amsl.com>; Thu,  6 Apr 2017 01:47:29 -0700 (PDT)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5597A126DEE for <saag@ietf.org>; Thu,  6 Apr 2017 01:47:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18601; q=dns/txt; s=iport; t=1491468448; x=1492678048; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=tK2UMrvbtW0DkQroroN2NXhok3cEIvXsQTr7Qtfe6vs=; b=WFfBBhKF3XHY0m3+7SFCEbimlb2pEemoPPHUHNSsuanQ2Ib2K6SE1r/a I33ALYrXZEoFfzxJbjSGbT3D4IuZBZn3nc7mWnDv4VI0E440DRJQ6HKPk 2BPbb28/IMnoCZ6HdGWYV5K2Vhad4Per3LWU2/YE4IFz+3VnlzpRW1bGu g=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CTAgBQ/+VY/xbLJq1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBhDWBC4NjihJzkCofkCGFNIIPHwEMhXYCg34YAQIBAQEBAQEBayi?= =?us-ascii?q?FFQEBAQEDAQEhSwkCDAQLEQEDAQEBJwMCAicfAwYIBgEMBgIBAReJcw6qX4ImK?= =?us-ascii?q?4o9AQEBAQEBAQEBAQEBAQEBAQEBAQEBDg+IUwmCYoMXhEWCXwEEj2mNB4N8gg1?= =?us-ascii?q?1i1WBfVWEWYM2hluTdh84gQUlFggYFRgphFsdgWU+NQGJEAEBAQ?=
X-IronPort-AV: E=Sophos;i="5.37,283,1488844800";  d="asc'?scan'208,217";a="650944043"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Apr 2017 08:47:25 +0000
Received: from [10.61.218.220] ([10.61.218.220]) by aer-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id v368lO5J012449; Thu, 6 Apr 2017 08:47:25 GMT
To: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com> <4459c5f266fc4e7bb34a040dd3b14b57@DB5PR9001MB0165.MGDPHG.emi.philips.com>
Cc: Mohit Sethi <mohit.m.sethi@ericsson.com>, "Kumar, Sandeep" <sandeep.kumar@philips.com>
From: Eliot Lear <lear@cisco.com>
Message-ID: <9224da8b-0065-a429-4f36-ca84e61be2a3@cisco.com>
Date: Thu, 6 Apr 2017 10:47:24 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <4459c5f266fc4e7bb34a040dd3b14b57@DB5PR9001MB0165.MGDPHG.emi.philips.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="3WtQJajSRsMDQvi05SFqfEMdA4aOknAgB"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/rZbmbPM6gC-xuCIDeSW9OhyPaus>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 08:47:32 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--3WtQJajSRsMDQvi05SFqfEMdA4aOknAgB
Content-Type: multipart/mixed; boundary="5hH7vEWTl539tepHMh64l1titXTnBe7je";
 protected-headers="v1"
From: Eliot Lear <lear@cisco.com>
To: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>,
 "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Cc: Mohit Sethi <mohit.m.sethi@ericsson.com>,
 "Kumar, Sandeep" <sandeep.kumar@philips.com>
Message-ID: <9224da8b-0065-a429-4f36-ca84e61be2a3@cisco.com>
Subject: Re: [T2TRG] New Version Notification for
 draft-irtf-t2trg-iot-seccons-02.txt
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com>
 <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com>
 <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>
 <4459c5f266fc4e7bb34a040dd3b14b57@DB5PR9001MB0165.MGDPHG.emi.philips.com>
In-Reply-To: <4459c5f266fc4e7bb34a040dd3b14b57@DB5PR9001MB0165.MGDPHG.emi.philips.com>

--5hH7vEWTl539tepHMh64l1titXTnBe7je
Content-Type: multipart/alternative;
 boundary="------------8669FFD664B1BEDFC83FEBED"

This is a multi-part message in MIME format.
--------------8669FFD664B1BEDFC83FEBED
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Oscar,

First of all, I realized I was reading the old version of the draft.  My
apologies.  This having been said, I would suggest the following:

  * In discussing bootstrapping in Section 7.2, assuredly we should talk
    about the work going on in the ANIMA working group
    (draft-ietf-anima-bootstrapping-keyinfra).  Not all devices are so
    constrained as to be unable to use the established PKI, and indeed
    the cost of doing so for onboarding is dropping by the day.
  * Consider refocusing Section 7.11 on the role of firewalls, access
    points, and access switches in protecting IoT (really all) devices.
    I would resituate it or directly next to E2E security, and then
    discuss the relative merits and risks.  If it is possible to do so,
    match the flow you have built in Section 3.2 (the numbered points)
    in later sections.
  * In Section 4, you've done an excellent job of discussing threat
    vectors.  Without being hyperbolic about it (and this might be
    hard), it might be good to remind people of some consequences of
    penetration.  Broadly speaking I see this as enabling of direct
    attacks (e.g., causing the device to fail to correctly perform its
    function), or indirect attacks (making use of the device to attack
    other devices).  These are obviously not mutually exclusive.
  * I would move the attack discussion in 7.11 into Section 4, and I
    would move Section 4 above Section 3, the logic here being to first
    have the threat discussion, and then discuss how they are remediated.
  * Bullet point 6 on extraction of private information is important to
    include.  However, I would suggest NOT making generalizations as to
    how well a device protects private data.  It is sufficient to say
    that when a device does not go to some pains to protect that data,
    if the device is physically unprotected, so then is the data.

Hope this helps...

Eliot
On 4/6/17 9:28 AM, Garcia-Morchon O, Oscar wrote:
> Hi Eliot,
>
> It is a very good point. Thanks.
>
> IoT involves very different aspects that we try to reflect in the document. One of them is indeed network security with the goal to protect devices from attack but also the network from compromised devices.
>
> In the document, we refer to your ongoing work on MUD. Which other type of methods do you have in mind or do you think that should be included in the document?
>
> Regards, Oscar.
>
> -----Original Message-----
> From: Eliot Lear [mailto:lear@cisco.com]
> Sent: Tuesday, April 4, 2017 12:32 PM
> To: Garcia-Morchon O, Oscar <oscar.garcia-morchon@philips.com>; T2TRG@irtf.org; saag@ietf.org
> Cc: Mohit Sethi <mohit.m.sethi@ericsson.com>; Kumar, Sandeep <sandeep.kumar@philips.com>
> Subject: Re: [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
>
> Hi Oscar,
>
> While I appreciate the draft, there is an elephant in the room.  Not a day passes when we hear of yet another compromise of a so-called "IoT"
> system.  Sometimes these compromises are trivial, and sometimes they are involved.  At the end of the day, the sheer quantity of Things mandates some form of network-level protection that the draft should discuss, to protect those devices from attack.  As was mentioned in the f2f, what if Bob turns out to be, or becomes evil, or is otherwise 0wn3d by Chuck?
>
> Eliot
>
>
> On 4/3/17 9:10 AM, Garcia-Morchon O, Oscar wrote:
>> Hi,
>>
>> we have submitted a new version of the Internet Draft on security considerations for the IoT.
>> Comments are welcome.
>>
>> https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-02
>>
>> Regards, Oscar.
>>
>> -----Original Message-----
>> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
>> Sent: Friday, March 31, 2017 2:11 PM
>> To: Mohit Sethi <mohit@piuha.net>; Kumar, Sandeep
>> <sandeep.kumar@philips.com>; Kumar, Sandeep
>> <sandeep.kumar@philips.com>; Garcia-Morchon O, Oscar
>> <oscar.garcia-morchon@philips.com>; irtf-chair@irtf.org;
>> t2trg-chairs@ietf.org
>> Subject: New Version Notification for
>> draft-irtf-t2trg-iot-seccons-02.txt
>>
>>
>> A new version of I-D, draft-irtf-t2trg-iot-seccons-02.txt
>> has been successfully submitted by Oscar Garcia-Morchon and posted to the IETF repository.
>>
>> Name:draft-irtf-t2trg-iot-seccons
>> Revision:02
>> Title:State of the Art and Challenges for the Internet of Things
>> Document date:2017-03-31 Group:t2trg
>> Pages:56
>> URL:            https://www.ietf.org/internet-drafts/draft-irtf-t2trg-iot-seccons-02.txt
>> Status:         https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/
>> Htmlized:       https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-02
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-irtf-t2trg-iot-seccons-02
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-irtf-t2trg-iot-seccons-02
>>
>> Abstract:
>>    The Internet of Things concept refers to the usage of standard
>>    Internet protocols to allow for human-to-thing or thing-to-thing
>>    communication.  The security needs are well-recognized and many
>>    standardization steps have been taken, for example, specification of
>>    CoAP over DTLS.  However, security challenges still exist and there
>>    are some use cases that lack a suitable solution.  This document
>>    first provides an overview of security architecture, its deployment
>>    model, security needs in the context of the lifecycle of a thing, as
>>    well as the state of the art on IoT security.  Then, we discuss the
>>    concept of security profiles for the successful roll-out of secure
>>    IoT applications and describe remaining security challenges in the
>>    IoT.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>> ________________________________
>> The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.
>> _______________________________________________
>> T2TRG mailing list
>> T2TRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/t2trg
>>
>
>


--------------8669FFD664B1BEDFC83FEBED
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
  <head>
    <meta content=3D"text/html; charset=3Dutf-8" http-equiv=3D"Content-Ty=
pe">
  </head>
  <body bgcolor=3D"#FFFFFF" text=3D"#000000">
    <p>Hi Oscar,</p>
    <p>First of all, I realized I was reading the old version of the
      draft.=C2=A0 My apologies.=C2=A0 This having been said, I would sug=
gest the
      following:</p>
    <ul>
      <li>In discussing bootstrapping in Section 7.2, assuredly we
        should talk about the work going on in the ANIMA working group
        (draft-ietf-anima-bootstrapping-keyinfra).=C2=A0 Not all devices =
are
        so constrained as to be unable to use the established PKI, and
        indeed the cost of doing so for onboarding is dropping by the
        day.</li>
      <li>Consider refocusing Section 7.11 on the role of firewalls,
        access points, and access switches in protecting IoT (really
        all) devices.=C2=A0 I would resituate it or directly next to E2E
        security, and then discuss the relative merits and risks.=C2=A0 I=
f it
        is possible to do so, match the flow you have built in Section
        3.2 (the numbered points) in later sections.<br>
      </li>
      <li>In Section 4, you've done an excellent job of discussing
        threat vectors.=C2=A0 Without being hyperbolic about it (and this=

        might be hard), it might be good to remind people of some
        consequences of penetration.=C2=A0 Broadly speaking I see this as=

        enabling of direct attacks (e.g., causing the device to fail to
        correctly perform its function), or indirect attacks (making use
        of the device to attack other devices).=C2=A0 These are obviously=
 not
        mutually exclusive.<br>
      </li>
      <li>I would move the attack discussion in 7.11 into Section 4, and
        I would move Section 4 above Section 3, the logic here being to
        first have the threat discussion, and then discuss how they are
        remediated.</li>
      <li>Bullet point 6 on extraction of private information is
        important to include.=C2=A0 However, I would suggest NOT making
        generalizations as to how well a device protects private data.=C2=
=A0
        It is sufficient to say that when a device does not go to some
        pains to protect that data, if the device is physically
        unprotected, so then is the data.<br>
      </li>
    </ul>
    Hope this helps...<br>
    <br>
    Eliot<br>
    <div class=3D"moz-cite-prefix">On 4/6/17 9:28 AM, Garcia-Morchon O,
      Oscar wrote:<br>
    </div>
    <blockquote
cite=3D"mid:4459c5f266fc4e7bb34a040dd3b14b57@DB5PR9001MB0165.MGDPHG.emi.p=
hilips.com"
      type=3D"cite">
      <pre wrap=3D"">Hi Eliot,

It is a very good point. Thanks.

IoT involves very different aspects that we try to reflect in the documen=
t. One of them is indeed network security with the goal to protect device=
s from attack but also the network from compromised devices.

In the document, we refer to your ongoing work on MUD. Which other type o=
f methods do you have in mind or do you think that should be included in =
the document?

Regards, Oscar.

-----Original Message-----
From: Eliot Lear [<a class=3D"moz-txt-link-freetext" href=3D"mailto:lear@=
cisco.com">mailto:lear@cisco.com</a>]=20
Sent: Tuesday, April 4, 2017 12:32 PM
To: Garcia-Morchon O, Oscar <a class=3D"moz-txt-link-rfc2396E" href=3D"ma=
ilto:oscar.garcia-morchon@philips.com">&lt;oscar.garcia-morchon@philips.c=
om&gt;</a>; <a class=3D"moz-txt-link-abbreviated" href=3D"mailto:T2TRG@ir=
tf.org">T2TRG@irtf.org</a>; <a class=3D"moz-txt-link-abbreviated" href=3D=
"mailto:saag@ietf.org">saag@ietf.org</a>
Cc: Mohit Sethi <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:mohit.m=
=2Esethi@ericsson.com">&lt;mohit.m.sethi@ericsson.com&gt;</a>; Kumar, San=
deep <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:sandeep.kumar@phil=
ips.com">&lt;sandeep.kumar@philips.com&gt;</a>
Subject: Re: [T2TRG] New Version Notification for draft-irtf-t2trg-iot-se=
ccons-02.txt

Hi Oscar,

While I appreciate the draft, there is an elephant in the room.  Not a da=
y passes when we hear of yet another compromise of a so-called "IoT"
system.  Sometimes these compromises are trivial, and sometimes they are =
involved.  At the end of the day, the sheer quantity of Things mandates s=
ome form of network-level protection that the draft should discuss, to pr=
otect those devices from attack.  As was mentioned in the f2f, what if Bo=
b turns out to be, or becomes evil, or is otherwise 0wn3d by Chuck?

Eliot


On 4/3/17 9:10 AM, Garcia-Morchon O, Oscar wrote:
</pre>
      <blockquote type=3D"cite">
        <pre wrap=3D"">Hi,

we have submitted a new version of the Internet Draft on security conside=
rations for the IoT.
Comments are welcome.

<a class=3D"moz-txt-link-freetext" href=3D"https://tools.ietf.org/html/dr=
aft-irtf-t2trg-iot-seccons-02">https://tools.ietf.org/html/draft-irtf-t2t=
rg-iot-seccons-02</a>

Regards, Oscar.

-----Original Message-----
From: <a class=3D"moz-txt-link-abbreviated" href=3D"mailto:internet-draft=
s@ietf.org">internet-drafts@ietf.org</a> [<a class=3D"moz-txt-link-freete=
xt" href=3D"mailto:internet-drafts@ietf.org">mailto:internet-drafts@ietf.=
org</a>]
Sent: Friday, March 31, 2017 2:11 PM
To: Mohit Sethi <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:mohit@p=
iuha.net">&lt;mohit@piuha.net&gt;</a>; Kumar, Sandeep=20
<a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:sandeep.kumar@philips.c=
om">&lt;sandeep.kumar@philips.com&gt;</a>; Kumar, Sandeep &lt;sandeep.kumar@philips.com&gt;; Garcia-Morchon O, Oscar &lt;oscar.garcia-morchon@philips.com&gt;; irtf-chair@irtf.org; t2trg-chairs@ietf.org
Subject: New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt


A new version of I-D, draft-irtf-t2trg-iot-seccons-02.txt
has been successfully submitted by Oscar Garcia-Morchon and posted to the IETF repository.

Name:           draft-irtf-t2trg-iot-seccons
Revision:       02
Title:          State of the Art and Challenges for the Internet of Things
Document date:  2017-03-31
Group:          t2trg
Pages:          56
URL:            https://www.ietf.org/internet-drafts/draft-irtf-t2trg-iot-seccons-02.txt
Status:         https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/
Htmlized:       https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-02
Htmlized:       https://datatracker.ietf.org/doc/html/draft-irtf-t2trg-iot-seccons-02
Diff:           https://www.ietf.org/rfcdiff?url2=draft-irtf-t2trg-iot-seccons-02

Abstract:
   The Internet of Things concept refers to the usage of standard
   Internet protocols to allow for human-to-thing or thing-to-thing
   communication.  The security needs are well-recognized and many
   standardization steps have been taken, for example, specification of
   CoAP over DTLS.  However, security challenges still exist and there
   are some use cases that lack a suitable solution.  This document
   first provides an overview of security architecture, its deployment
   model, security needs in the context of the lifecycle of a thing, as
   well as the state of the art on IoT security.  Then, we discuss the
   concept of security profiles for the successful roll-out of secure
   IoT applications and describe remaining security challenges in the
   IoT.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.
_______________________________________________
T2TRG mailing list
T2TRG@irtf.org
https://www.irtf.org/mailman/listinfo/t2trg

</pre>
      </blockquote>
      <pre wrap="">


</pre>
    </blockquote>
    <br>
  </body>
</html>


From nobody Thu Apr  6 07:33:05 2017
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>, "Barry Raveendran Greene" <bgreene@senki.org>, Eliot Lear <lear@cisco.com>
CC: Mohit Sethi <mohit.m.sethi@ericsson.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "Kumar, Sandeep" <sandeep.kumar@philips.com>
Date: Thu, 6 Apr 2017 14:32:56 +0000
Message-ID: <1491489157910.81916@cs.auckland.ac.nz>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>, <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org> <1491374652157.84909@cs.auckland.ac.nz>, <0f486dc8e90844658f8107f44486b5cd@DB5PR9001MB0165.MGDPHG.emi.philips.com>
In-Reply-To: <0f486dc8e90844658f8107f44486b5cd@DB5PR9001MB0165.MGDPHG.emi.philips.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/8LHfl7sdzPl4MaJfDTN4cpr7WqA>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt

Garcia-Morchon O, Oscar <oscar.garcia-morchon@philips.com> writes:

>The main goals are:
>- summarize existing solutions out there and in IETF
>- summarize security considerations and challenges that should be addressed
>  in the future

The problem is that almost everyone else who has any interest in the IoS has
also published their own checklist or guidelines or BCP or whatever they felt
like doing.  It's not that we have a lack of guidelines, we have as many as
you like (and that's not just IoS-specific stuff but includes any book on
secure programming, security engineering, and so on), but no-one uses them.
So it seems like we need to look at why people aren't using them, and how we
can get them used.  Why does every J.Random Linux distro come with hardened
system binaries and libraries and books and howto's on further hardening
things, but every IoS device features strcpy() into fixed-size buffers and XSS
and directory-traversal bugs like it was 1995?

The problem with the non-specificity of many of the guidelines is that you end
up with something that tries to cover, for example, a Raspberry Pi, which is
essentially a Unix server and for which you don't need any new guidelines
because any reference on setting up and hardening a Unix box will do, and at
the other end of the spectrum a PLC running what's labelled as an RTOS but
which is really just a big binary blob containing device drivers, a task
scheduler, a network stack, and the application, all running in ring zero with
no protection features.

So the document currently is an interesting overview of IoS security issues,
and better than most I've seen, but there's no obvious answer to a question
like "I have a PLC, what steps should I take to secure it?".  Instead, it's a
survey of every possible technology and mechanism that could be applied to the
problem, which leads to an obvious suggestion of submitting it as a paper for
Computing Surveys instead of publishing it as an RFC, since it reads very much
like a Computing Surveys paper and would probably work well there.

Peter.


From nobody Fri Apr  7 07:17:31 2017
In-Reply-To: <1491489157910.81916@cs.auckland.ac.nz>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com> <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org> <1491374652157.84909@cs.auckland.ac.nz> <0f486dc8e90844658f8107f44486b5cd@DB5PR9001MB0165.MGDPHG.emi.philips.com> <1491489157910.81916@cs.auckland.ac.nz>
From: Thorsten Dahm <thorstendlux@google.com>
Date: Fri, 7 Apr 2017 15:16:49 +0100
Message-ID: <CAB4uO_wXs5KhcE+cSU6eA0bbvXEqC+HNGRpDrBozudwemRtjuA@mail.gmail.com>
To: "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Cc: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>,  Barry Raveendran Greene <bgreene@senki.org>, Eliot Lear <lear@cisco.com>,  Mohit Sethi <mohit.m.sethi@ericsson.com>, "Kumar, Sandeep" <sandeep.kumar@philips.com>,  Peter Gutmann <pgut001@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/heze7dIQgRzZ6N0Gc6wlO7Fhef8>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt

Hi all,

I also agree with the statements of the folks who previously commented on
the topic. Before the IETF in Chicago I had a private chat with Oscar and
pointed out the missing details on mitigation of the risks he points out in
his document. Not sure if that should be added to an already long document
or if we should split it into a separate document. And yes, while it is a
good document and we should have it, documents alone don't change much.
What we need are products that implement the best practices as well as
network operators and consumers who refuse to connect insecure dishwashers
to their enterprise or home network. Without market pressure and holding
manufacturers accountable for the damage their products may cause it's hard
to convince them to spend money on IoT security.

Taking a step back, I doubt that IoT will be able to take care of itself in
the next couple of years, so we have to rely on operators to do the job for
the manufacturers while we push BCPs and standards like the current
document to them. IMHO the extensive usage of features like private VLANs
is still very painful and even in combination with stuff like MUD, it would
only solve parts of the problem. We as operators probably need to rethink
the stack from L1 to L7 and reach out to other Working Groups outside of
the IoT / Security space to address the need. The bootstrapping work in
ANIMA is a good example for that. We may not be able to avoid connecting
devices that use strcpy() into fixed-size buffers to our networks entirely,
but we can prevent them from disturbing other devices on the network and
limit the blast radius in case of an (unavoidable?) compromise.

Maybe a good topic to be picked up by the T2TRG is the question of how to
protect the network from compromised devices; the majority of the work, as
far as I can see, currently focuses on the security of the Thing itself.

cheers,
Thorsten

On 6 April 2017 at 15:32, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Garcia-Morchon O, Oscar <oscar.garcia-morchon@philips.com> writes:
>
> >The main goals are:
> >- summarize existing solutions out there and in IETF
> >- summarize security considerations and challenges that should be addressed
> >  in the future
>
> The problem is that almost everyone else who has any interest in the IoS has
> also published their own checklist or guidelines or BCP or whatever they felt
> like doing.  It's not that we have a lack of guidelines, we have as many as
> you like (and that's not just IoS-specific stuff but includes any book on
> secure programming, security engineering, and so on), but no-one uses them.
> So it seems like we need to look at why people aren't using them, and how we
> can get them used.  Why does every J.Random Linux distro come with hardened
> system binaries and libraries and books and howto's on further hardening
> things, but every IoS device features strcpy() into fixed-size buffers and XSS
> and directory-traversal bugs like it was 1995?
>
> The problem with the non-specificity of many of the guidelines is that you end
> up with something that tries to cover, for example, a Raspberry Pi, which is
> essentially a Unix server and for which you don't need any new guidelines
> because any reference on setting up and hardening a Unix box will do, and at
> the other end of the spectrum a PLC running what's labelled as an RTOS but
> which is really just a big binary blob containing device drivers, a task
> scheduler, a network stack, and the application, all running in ring zero with
> no protection features.
>
> So the document currently is an interesting overview of IoS security issues,
> and better than most I've seen, but there's no obvious answer to a question
> like "I have a PLC, what steps should I take to secure it?".  Instead, it's a
> survey of every possible technology and mechanism that could be applied to the
> problem, which leads to an obvious suggestion of submitting it as a paper for
> Computing Surveys instead of publishing it as an RFC, since it reads very much
> like a Computing Surveys paper and would probably work well there.
>
> Peter.
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>



-- 
Thorsten Dahm

Network Engineer
Google Ireland Ltd.
The Gasworks, Barrow Street
Dublin 4,  Ireland

Registered in Dublin, Ireland
Registration Number: 368047
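
Peter's "strcpy() into fixed-size buffers" line, which Thorsten echoes above, in working C. This is an added example, not code from the thread or from the draft under discussion: a constructed session record whose privilege flag follows a 16-byte name buffer, the unchecked copy the remark describes, and a bounded replacement that rejects input that does not fit. The struct layout, function names and inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a record a firmware parser fills from a
 * network-supplied field.  The privilege flag sits right after the fixed
 * name buffer, so an overrun of name[] lands in is_admin. */
struct session {
    char name[16];
    int  is_admin;
};

/* "Like it was 1995": the caller's bytes decide how much gets written.
 * Any input of 16 or more characters runs past name[] into is_admin and
 * beyond; that is undefined behaviour, not merely a wrong value. */
void set_name_unsafe(struct session *s, const char *input)
{
    strcpy(s->name, input);
}

/* Hardened version: measure the input against the buffer first, refuse
 * anything that does not fit together with its terminator, and only then
 * copy.  Returns 0 on success, -1 when the input is rejected. */
int set_name_safe(struct session *s, const char *input)
{
    size_t n = 0;
    while (n < sizeof s->name && input[n] != '\0')
        n++;
    if (n == sizeof s->name)          /* no terminator within 16 bytes: too long */
        return -1;
    memcpy(s->name, input, n + 1);    /* n bytes plus the terminator */
    return 0;
}

/* Helpers with plain return values so the behaviour can be checked. */

/* 1 if set_name_safe() accepts `input`, 0 if it rejects it. */
int name_fits(const char *input)
{
    struct session s = { {0}, 0 };
    return set_name_safe(&s, input) == 0;
}

/* The value of is_admin after a bounded write of `input`, or -1 if the
 * write was rejected.  For any accepted input this must stay 0. */
int admin_flag_after_safe_write(const char *input)
{
    struct session s = { {0}, 0 };
    if (set_name_safe(&s, input) != 0)
        return -1;
    return s.is_admin;
}

int main(void)
{
    struct session s = { {0}, 0 };
    char attack[20];

    /* 19 bytes of 'A' plus NUL: fills name[16] and the 4 bytes of is_admin,
     * staying inside the struct so the effect is visible without crashing.
     * Still undefined behaviour as far as the C standard is concerned. */
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';

    set_name_unsafe(&s, attack);
    printf("unsafe: is_admin = %d (non-zero: the flag was overwritten)\n", s.is_admin);

    memset(&s, 0, sizeof s);
    printf("safe:   rc = %d, is_admin = %d\n", set_name_safe(&s, attack), s.is_admin);
    return 0;
}
```

The bounded version measures before it writes, which is the whole difference: the length check is what a hardened libc or a distro's compiler flags cannot add for firmware that ships as a single ring-zero blob, so it has to be in the source.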



From nobody Mon Apr 10 00:26:16 2017
From: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>
To: Thorsten Dahm <thorstendlux@google.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>
CC: Barry Raveendran Greene <bgreene@senki.org>, Eliot Lear <lear@cisco.com>,  Mohit Sethi <mohit.m.sethi@ericsson.com>, "Kumar, Sandeep" <sandeep.kumar@philips.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>
Thread-Topic: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
Date: Mon, 10 Apr 2017 07:26:04 +0000
Message-ID: <0257915cc65245fe84de054c66fdca59@DB5PR9001MB0165.MGDPHG.emi.philips.com>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com> <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org> <1491374652157.84909@cs.auckland.ac.nz> <0f486dc8e90844658f8107f44486b5cd@DB5PR9001MB0165.MGDPHG.emi.philips.com> <1491489157910.81916@cs.auckland.ac.nz> <CAB4uO_wXs5KhcE+cSU6eA0bbvXEqC+HNGRpDrBozudwemRtjuA@mail.gmail.com>
In-Reply-To: <CAB4uO_wXs5KhcE+cSU6eA0bbvXEqC+HNGRpDrBozudwemRtjuA@mail.gmail.com>
X-Forefront-PRVS: 027367F73D
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; HE1P122MB0012; 23:Kpr0ffH0CoCy9FC5efzd8L7pQjgeKYRc1ijDw4xmu?= =?us-ascii?Q?igFKBXsiZMqylQkcV1AnzdER3BF692mriw/MDmp2h42H7Y4jo8XCWts2nmZO?= =?us-ascii?Q?UWb+xcn1a986QbrpIIUHrPYrkVCFZILWnqJDIMTcvO5mQT2VQOI/0+whVRni?= =?us-ascii?Q?BTtAE1f5Xg6CCDUXYzhIqJOFzY5zYCoGIeP6QkbpcEllVep+O/QSgGd0meGw?= =?us-ascii?Q?IlXeFClZ+Qm+79nj3uOIFD4SWAPnLmb9hws1UwMXWIlldf9ICKOTF3ciBROc?= =?us-ascii?Q?IApTUni5Lvgv/Q1dxWxPJuKQqHmrJTK8GTHZPPszXoCAfBRKPmlETE/wODlh?= =?us-ascii?Q?b7xjTsGxXphjQnn3zxKPrT2UiFl0IS3rNhaMkZ4cB6qvHITzWHd1gW5syqi3?= =?us-ascii?Q?TK6l0MARm6QIgsUiS7ZCLi2fz/h9u/4LS+aD2viv9Lzl7uBuJz26zHA40CoB?= =?us-ascii?Q?XVdEr1+KSsFpEpPnHe6XTPz38WECV5/ageqQdPiNJjwoIayB21X3E+sAPkcy?= =?us-ascii?Q?wMWJcrPvEp8rK6/cOUw7keKgx04+x60vqtXP3aBuMdNNCGKkyRt+TTYaZ0oK?= =?us-ascii?Q?zEoYf9nuAHPyDrU4889BZQ2E5AAsOs0dxP5B60O4NhUAIV2zd6i3bOXJpdYH?= =?us-ascii?Q?rb1XixI3bp4sQm+qPQAqg8/spOV/VvuFkqpbXIStWf7Pl7Xdeah7dQ4qlJZU?= =?us-ascii?Q?eE01L3j0OJMuudvfznJjAk5xJHjm4IwAgo84Gt2cr9uErzDQrUuenZqj6fGx?= =?us-ascii?Q?tMJWXE7IfFtPIoHs5Gqy0ygdkk8YQB9Q2CzXmTDbd9AsvLMpZgdP3wP32hby?= =?us-ascii?Q?+SEg4QLO8OxqbFISbWLhHOyuxH44obY2U8oCcg6OkEdfqBkpOO6t+66DIL/D?= =?us-ascii?Q?PueNPBktNSAs/WJ0+8Y66EFh8gsgpksopF0ivXo9nNUv4wseihkSRml00Tib?= =?us-ascii?Q?MgygCypCPmv10CuhX2aXab1YheYLW4pkL4FrnYAxIbhM7uIbsjHID/XTe6Kl?= =?us-ascii?Q?3mWIiMm72vm36RrOnYlOXJz8JoB/Fn1S2dQOHfik7Jd9mnpk0BD70/mdCv88?= =?us-ascii?Q?K5ziAarkUQ36laOoXRCsOHq1Ej3srIG8fuVBFxz0bIUKwMMnVR2ck27Y8DYc?= =?us-ascii?Q?11YsF/lzI4zzAEjgqyj72ZQXEEprSdg2OwZgl3GSemLUdj3zzwgnweCUEXmd?= =?us-ascii?Q?qDHK4wO1XEpJ9p6dYaiJ8sM60YPtGicmx4hnnYFEJioOcP6BobWCY0YBWXFG?= =?us-ascii?Q?CKRhfKbIzLf4DMqMFriT7OTfGJkBYWcPuAg6heDoGo5BQ2vdjeILY4TkqHPt?= =?us-ascii?Q?ovPJ6GveArAzpY4AOCM9wz9zSjrh1wrKYxvpnChU43zpvjCDt+Y+pBE3qgKD?= =?us-ascii?Q?zwgs9ewIWdOtt1uOzdkTKmw7PE6+E/a8ve/iAymxJNET2Ugd7RKuzHWXZA0b?= =?us-ascii?Q?2TRbxY91oKa+upXZ8SjQEGx1m0gd8hYLt0VWFMHUJ4TwFzJDNYE6Bg0m3zxG?= =?us-ascii?Q?RwxNNYlCW3bWQ=3D=3D?=
X-Microsoft-Exchange-Diagnostics: 1; HE1P122MB0012; 6:xrajbW1th6ERfPKhCNcDYlwgCoaInY+eJBQRxrc8vJ8JQ4o+7r3nTutShnZo7CQTolPp5nGfVvSPTLNEwSilWQBLOjojCNSBRiaKdWA7Hef5BFGNSpBzqEqZJ4LR5PhSqL2CaqgDM0r6QD3WLs5MBT/U/vCs0QGNXF3qBXeigQuAUoi2TGtHUMCxgoIkBlSve4FUNBeuIFZzvs4BSbxkmadXe0mljzy5bNfhIOzePsnvxkTOtwwDuhPFModQMGlgkUC5Bqg5mHKaVqXWBp86umAx5w1yIlsbUZDUAB/YzS/sGIsxgUSg0gCNiSHTeyomMaWssJTwbBuNGFsJu/6hTOESNea+lVs1eU9o3yaSO+fAXWadK5owF3PJz2Qpiuj/I0JXpuAKaAQe7JQtQnwzyU20ocveXU58JsG6/qThOc1u6EBnjm6a+pxHtFjNQvC+Oyip39NelMuNDnhK+ELRr4BzrIO37san/3xEj6cnja8=; 5:oabdo5CK7FyhhHbGOkWfaeSb69CUkij40gg8BqZO76JJzu6IN2tp+lv2+JT41xE2iRBWXw4TWD0PIjoLP161ndeujI9SPbBvJVXN8rUSwV9LF5EP36vX2AjUhupohizpFnZxiFCoA2cnlCsE3wQZRw==; 24:Jws0eQBX/w86rnh5bo+E827hmEAZqelRVQf7/klsWzPxrZZC4IC39OAHeZC55TMpwnSQmEVtZuFtC0eEiu87HAjaKDWrsWKgASXDTqjeT5M=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; HE1P122MB0012; 7:1zXI+NMw/QockEd13fC0OxH3oJqM8yGnTOq/s0UjERTbiI1E8vGKPm41BgvbqO2OHae4OHtwD5bh6i85YPk33etbW8wnX2360G0DpGfwege5rUusUMEj/NPp3tUOI6JHriZsxHG0kK0z90F+r2fmguIeBHUTerw9LBCKnaOvjDG41ZiGsr0ckYYByhC3FqYy67yqo9MTW9imRr1OyK/4MSGu6aNG3D9kziNQSZhkCC89c6Ypsmz4P/CTXRMCR+zwcAn0yeX2+fVI+SAMUGm8sRmM4Nvv/pDaPBaUPMYR4ifnaAwvj3owsfsVcGDCjhfy2FcnTGvFG+OjxkmEtyI7Dw==
X-OriginatorOrg: philips.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Apr 2017 07:26:05.9211 (UTC)
X-MS-Exchange-CrossTenant-Id: 1a407a2d-7675-4d17-8692-b3ac285306e4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=1a407a2d-7675-4d17-8692-b3ac285306e4; Ip=[23.103.247.180];  Helo=[011-smtp-out.Philips.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1P122MB0012
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 04
X-MS-Exchange-CrossPremises-AuthSource: DB5PR9001MB0165.MGDPHG.emi.philips.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 62.140.137.32
X-MS-Exchange-CrossPremises-disclaimer-hash: 7fd5309d68bb4378c576a4d2c2ad972d336f5eb0475879c2a0b14da1aac98972
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-AVStamp-Service: 1.0
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-OrganizationHeadersPreserved: HE1P122MB0012.EURP122.PROD.OUTLOOK.COM
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/WSQgRJu5387zyalMci5b2721K4I>
Subject: Re: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2017 07:26:15 -0000


From nobody Mon Apr 10 05:30:47 2017
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Mon, 10 Apr 2017 15:30:41 +0300
Message-ID: <CADqLbzJ5iwvKgfTLNXesWHrZAjVRnoStCXrVxKEWMQJQOHGShg@mail.gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary=f403045e9d74bb11ce054ccf244e
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Jju1CZfsL8cadAu63fk5koUnwTc>
Subject: [saag] A proposal: Certificate Limitation Policy

Hello all,

I have a proposal inspired by the last "Google vs Symantec" case.

==============

Certificate Limitation Profile

The binary trust model, standardized as a set of trusted anchors and CRLs/OCSP
services, does not cover all corner cases in the modern crypto world. There
is a need for more differentiated limitations. Some of them are suggested by
Google when it limits the usage of Symantec’s certificates.

The CRL profile does not fit the purpose of such limitations. The CRLs are
issued by the same CAs that are to be limited. So I suggest a
cryptographically protected format for describing such limitations.

The structure of the suggested format is:

   - The date of issuance
   - The certificate with limited trust (serial + issuer), which may be
     accompanied by an optional fingerprint
   - The limitations applied to the certificate and/or all the descendants of
     it in the chain of trust.

Each limitation is specified by its own OID and applicability period. It
can have none/any/both of the periodStart and periodEnd values.

The suggested list of limitations:

   - maxPeriodStart (do not trust the certs issued after)
   - maxPeriodEnd (do not trust the certs after)
   - validityPeriod (take the minimal value of the “native” validity period
     and the one specified in the limitation file)
   - ignoreX509Extensions (e.g. EV)
   - extraX509Extensions (treat all the certificates as having such an
     extension)
   - requiredX509extensions (do not trust the certificates)

The resulting file should be signed by a key with a special
keyUsage/extendedKeyUsage flag.
================
Is anybody interested in this proposal?

Thank you!

-- 
SY, Dmitry Belyavsky


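A worked evaluator for the profile sketched in the post above, added here as an example and not part of the post or of any existing implementation. It assumes the limitation file has already been parsed and its signature checked, uses constructed placeholder OIDs for the six limitation types, reads each limitation's periodStart/periodEnd as the window of evaluation time in which it is in force, and, since the last list item is unfinished, treats requiredX509extensions as distrusting certificates that lack the listed extensions.

```python
# Added example, not the post's code: the limitation file is taken as already
# parsed and its signature as already verified; OIDs are constructed placeholders.
from dataclasses import dataclass, field
from datetime import datetime as dt, timedelta
from typing import List, Optional, Set, Tuple
MAX_PERIOD_START = "1.3.6.1.4.1.99999.1"     # distrust certs issued after value
MAX_PERIOD_END = "1.3.6.1.4.1.99999.2"       # distrust certs after value
VALIDITY_PERIOD = "1.3.6.1.4.1.99999.3"      # cap validity to min(native, value)
IGNORE_EXTENSIONS = "1.3.6.1.4.1.99999.4"    # strip listed extensions (e.g. EV)
EXTRA_EXTENSIONS = "1.3.6.1.4.1.99999.5"     # treat certs as carrying listed ones
REQUIRED_EXTENSIONS = "1.3.6.1.4.1.99999.6"  # assumed: distrust certs lacking them

@dataclass
class Cert:
    issuer: str
    serial: int
    not_before: dt
    not_after: dt
    extensions: Set[str] = field(default_factory=set)
    fingerprint: Optional[str] = None

@dataclass
class Limitation:
    oid: str
    value: object                      # datetime, timedelta or set, per OID
    period_start: Optional[dt] = None  # applicability period; None = open-ended
    period_end: Optional[dt] = None

    def in_force(self, now: dt) -> bool:
        return not ((self.period_start and now < self.period_start)
                    or (self.period_end and now > self.period_end))

@dataclass
class Entry:
    issuer: str                        # serial + issuer name the limited cert
    serial: int
    limitations: List[Limitation]
    fingerprint: Optional[str] = None  # optional extra pin on that cert
    apply_to_self: bool = True         # "the certificate and/or its descendants"
    apply_to_descendants: bool = True

def _matches(entry: Entry, cert: Cert) -> bool:
    if (entry.issuer, entry.serial) != (cert.issuer, cert.serial):
        return False
    return entry.fingerprint is None or entry.fingerprint == cert.fingerprint

def _check_cert(i: int, cert: Cert, lims: List[Limitation],
                now: dt) -> Tuple[List[str], Set[str]]:
    reasons, ext, not_after = [], set(cert.extensions), cert.not_after
    for lim in lims:
        if lim.oid == IGNORE_EXTENSIONS:
            ext -= lim.value
        elif lim.oid == EXTRA_EXTENSIONS:
            ext |= lim.value
        elif lim.oid == MAX_PERIOD_START and cert.not_before > lim.value:
            reasons.append(f"cert {i}: issued after {lim.value:%Y-%m-%d}")
        elif lim.oid == MAX_PERIOD_END:
            not_after = min(not_after, lim.value)
        elif lim.oid == VALIDITY_PERIOD:
            not_after = min(not_after, cert.not_before + lim.value)
    for lim in lims:  # required set is checked after ignore/extra were applied
        if lim.oid == REQUIRED_EXTENSIONS and not lim.value <= ext:
            reasons.append(f"cert {i}: missing {sorted(lim.value - ext)}")
    if not cert.not_before <= now <= not_after:
        reasons.append(f"cert {i}: not valid at {now:%Y-%m-%d} "
                       f"(effective notAfter {not_after:%Y-%m-%d})")
    return reasons, ext

def evaluate_chain(chain: List[Cert], policy: List[Entry],
                   now: dt) -> Tuple[List[str], List[Set[str]]]:
    """chain is leaf first, anchor last, so descendants of chain[i] are chain[:i].
    Returns (distrust reasons, per-cert effective extensions); no reasons = trusted."""
    per_cert: List[List[Limitation]] = [[] for _ in chain]
    for entry in policy:
        for i, cert in enumerate(chain):
            if not _matches(entry, cert):
                continue
            targets = ([i] if entry.apply_to_self else []) + (
                list(range(i)) if entry.apply_to_descendants else [])
            for t in targets:
                per_cert[t] += [l for l in entry.limitations if l.in_force(now)]
    results = [_check_cert(i, c, per_cert[i], now) for i, c in enumerate(chain)]
    return [r for rs, _ in results for r in rs], [ext for _, ext in results]

# Constructed sample chain and policy: limit everything issued under one
# intermediate (pinned by fingerprint) without distrusting the intermediate.
ROOT = Cert("Example Root CA", 1, dt(2010, 1, 1), dt(2030, 1, 1))
INTER = Cert("Example Root CA", 0x1234, dt(2012, 1, 1), dt(2027, 1, 1),
             fingerprint="sha256:constructed")
OTHER_INTER = Cert("Example Root CA", 0x1234, dt(2012, 1, 1), dt(2027, 1, 1),
                   fingerprint="sha256:other")  # same serial, fails the pin
LEAF_OK = Cert("Example Intermediate CA", 77, dt(2017, 3, 1), dt(2019, 3, 1), {"EV"})
LEAF_LATE = Cert("Example Intermediate CA", 78, dt(2017, 9, 1), dt(2019, 9, 1))
POLICY = [Entry("Example Root CA", 0x1234, fingerprint="sha256:constructed",
                apply_to_self=False, limitations=[
    Limitation(MAX_PERIOD_START, dt(2017, 6, 1)),
    Limitation(VALIDITY_PERIOD, timedelta(days=90), period_start=dt(2017, 5, 1)),
    Limitation(IGNORE_EXTENSIONS, {"EV"})])]
NOW, LATER = dt(2017, 4, 10), dt(2017, 10, 1)
```

Note that the EV marker is stripped from the leaf's effective extension set even when the chain stays trusted, which is the ignoreX509Extensions behaviour the post describes.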

From nobody Sun Apr 16 18:28:31 2017
Date: Sun, 16 Apr 2017 20:28:24 -0500
From: Nico Williams <nico@cryptonector.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: David Woodhouse <dwmw2@infradead.org>, spasm@ietf.org, Security Area Advisory Group <saag@ietf.org>
Message-ID: <20170417012822.GD23461@localhost>
References: <1474280601.144982.263.camel@infradead.org> <CAPt1N1n_ff_QMYiRoorwvVnnP-Q6oruUE9_pvVr+QabeYJ+WrQ@mail.gmail.com> <CACsn0cnsswBX_-P+=Nd42uXAjPPXedXCefQ+V7R+aZn3U9XNog@mail.gmail.com> <CACsn0c=xHisLqPQzMHKr-0c_MEwM9_Nzq3tKmih5uZTYBnibGg@mail.gmail.com> <CACsn0ckABVfiJ506-uYRG+FXpGQixrS_9nxq6tPXfRu1kG_3pw@mail.gmail.com> <1474314996.144982.391.camel@infradead.org> <22611.1474382971@obiwan.sandelman.ca> <1474387066.144982.443.camel@infradead.org> <27908.1474417791@obiwan.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <27908.1474417791@obiwan.sandelman.ca>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gOibSfRJZkzxED1UZHPXhb85N6g>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates

On Tue, Sep 20, 2016 at 08:29:51PM -0400, Michael Richardson wrote:
> David Woodhouse <dwmw2@infradead.org> wrote:
>     > And looking beyond files: if I go and purchase a hardware crypto device
>     > like a Yubikey, and plug it into my system. I install the OpenSC
>     > package which has a PKCS#11 provider module for it, and provision a key
>     > in it.... now, how do I use it?

That's what RFC7512 is for!  But you knew this :)

>     > The answer should be simple. I determine a RFC7512 identifier for the
>     > key I want to use (e.g. 'pkcs11:manufacturer=piv_II;id=%01') and then
>     > every application in the system SHOULD just accept that identifier in
>     > place of a filename.
> 
> yes, that would be great. Maybe we need to register the pkcs11: URI, such
> that we can then say it's a URI, and file:// would also naturally work.

Did you mean "register the PKCS#11 URI _scheme_"?  That's what RFC7512
does.

Incidentally, PKCS#11 works reasonably well for these things, even
though there isn't an exact mapping to PIV cards.  This affects token
selection, which is a problem because if you pick the wrong token you
might end up locking it out.

If multi-seat, multi-user systems were still common, the token selection
problem would be even more relevant.  Fortunately multi-seat is mostly a
thing of the past.  Though those could come back.

Even without multi-seat in the picture there can be multiple tokens on a
system:

 - a TPM
 - some other non-removable token
 - one or more removable tokens (a user might have more than one)
 - soft tokens

Token selection is a non-trivial task.

I've seen a fair amount of variability by token.  Problems that make the
token selection harder:

 - tokens that have useless labels
 - tokens that also have no public objects (or none with user
   identifying data, such as certs)

To a large degree PKCS#11 URIs help address this: you write a URI for
the token and object(s) you want to use.  Of course, that is still deep
magic for many users and admins...  They really should not have to.  But
there are many tokens that must be used via their own PKCS#11 providers,
so PKCS#11 URIs are pretty much the only way to bridge the gap.

Nico
-- 

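A parser for the RFC 7512 URIs discussed in the message above (such as 'pkcs11:manufacturer=piv_II;id=%01') together with the token-selection step, added here as an example that is not part of the thread or of any PKCS#11 provider. The token inventory and labels are constructed, and the refusal to act on an ambiguous URI in select_one is this example's own policy, not something RFC 7512 mandates.

```python
# Minimal RFC 7512 PKCS#11 URI parser and token/object selector (added example,
# not code from the thread or from any PKCS#11 provider). The inventory is a
# constructed stand-in for what a provider enumerates; matching follows the
# RFC 7512 rule that an attribute absent from the URI matches any value.
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

TOKEN_ATTRS = {"token", "manufacturer", "serial", "model"}
OBJECT_ATTRS = {"object", "type", "id"}
Attrs = Dict[str, bytes]
Inventory = List[Tuple[Dict[str, object], List[Dict[str, object]]]]

def _parse_attrs(part: str, sep: str) -> Attrs:
    """Split 'name=value' pairs on sep; values are percent-decoded to bytes
    because 'id' carries raw CKA_ID bytes (e.g. id=%01)."""
    attrs: Attrs = {}
    for item in (part.split(sep) if part else []):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed attribute {item!r}")
        if name in attrs:  # this parser rejects repeated attributes outright
            raise ValueError(f"repeated attribute {name!r}")
        attrs[name] = unquote_to_bytes(value)  # unknown names are kept, unused
    return attrs

def parse_pkcs11_uri(uri: str) -> Tuple[Attrs, Attrs]:
    """Return (path attributes, query attributes) of a pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    return _parse_attrs(path_part, ";"), _parse_attrs(query_part, "&")

def _attrs_match(wanted: Attrs, actual: Dict[str, object]) -> bool:
    """Every attribute named in the URI must equal the provider's value;
    attributes the URI does not name are wildcards."""
    for name, value in wanted.items():
        have = actual.get(name)
        if isinstance(have, str):
            have = have.encode("utf-8")
        if have != value:
            return False
    return True

def select(uri: str, inventory: Inventory) -> List[Tuple[Dict, Dict]]:
    """All (token, object) pairs the URI designates."""
    path, _query = parse_pkcs11_uri(uri)
    want_token = {k: v for k, v in path.items() if k in TOKEN_ATTRS}
    want_obj = {k: v for k, v in path.items() if k in OBJECT_ATTRS}
    return [(tok, obj) for tok, objs in inventory if _attrs_match(want_token, tok)
            for obj in objs if _attrs_match(want_obj, obj)]

def select_one(uri: str, inventory: Inventory) -> Tuple[Dict, Dict]:
    """Refuse to guess: an ambiguous URI must not pick a token, because a PIN
    presented to the wrong token counts against that token's retry limit."""
    hits = select(uri, inventory)
    if len(hits) != 1:
        raise LookupError(f"{uri!r} matches {len(hits)} objects, expected 1")
    return hits[0]

# Constructed inventory: a PIV card, a second token with an unhelpful label,
# and a soft token carrying the very same unhelpful label.
INVENTORY: Inventory = [
    ({"token": "PIV Card", "manufacturer": "piv_II", "model": "PIV", "serial": "01"},
     [{"object": "PIV AUTH cert", "type": "cert", "id": b"\x01"},
      {"object": "PIV AUTH key", "type": "private", "id": b"\x01"}]),
    ({"token": "Token 1", "manufacturer": "Example HSM", "model": "X", "serial": "7"},
     [{"object": "host key", "type": "private", "id": b"\x01"}]),
    ({"token": "Token 1", "manufacturer": "SoftToken", "model": "soft", "serial": "1"},
     [{"object": "user key", "type": "private", "id": b"\x01"}]),
]
```

Against this inventory a bare id=%01 designates four objects and token=Token%201 two tokens, which is exactly the "useless labels" problem: only the manufacturer-qualified URI with a type narrows the choice to one key.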

From nobody Sun Apr 16 18:44:29 2017
Date: Sun, 16 Apr 2017 20:44:15 -0500
From: Nico Williams <nico@cryptonector.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: Ted Lemon <mellon@fugue.com>, Nikos Mavrogiannopoulos <nmav@redhat.com>, "spasm@ietf.org" <spasm@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, Security Area Advisory Group <saag@ietf.org>
Message-ID: <20170417014414.GE23461@localhost>
References: <22611.1474382971@obiwan.sandelman.ca> <1474387066.144982.443.camel@infradead.org> <1474470703731.18547@cs.auckland.ac.nz> <1474495074.30494.21.camel@infradead.org> <1474520671777.43424@cs.auckland.ac.nz> <1474540039.45169.62.camel@infradead.org> <881A4E2D-82C6-46B4-8A48-2FB1E3604E70@deployingradius.com> <1474560485.45169.92.camel@infradead.org> <CAPt1N1ks8mBPTvN6vBEpn5J2seanGopWbtiNNhoU9+iH1cAzoQ@mail.gmail.com> <1474570865.30494.68.camel@infradead.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1474570865.30494.68.camel@infradead.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IAOKBMi8pGBtfgX5mOFo9YSeqI4>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates

On Thu, Sep 22, 2016 at 08:01:05PM +0100, David Woodhouse wrote:
> Is that what you were after? I did consider writing that one down too,
> but figured it was a little too esoteric. And perhaps we should have
> exposed the TPM via a PKCS#11 provider in the first place anyway.

PKCS#11 all the way please.  It's a clunky API, sure, but it is the one
that's most widely implemented, both in terms of apps and providers.

And we absolutely need a few decent PKCS#11 URI implementations.

> > [...]
> 
> I absolutely agree that applications MUST NOT rely on having access to
> the actual private key material. They need to support using opaque keys
> from hardware and software tokens. But I was envisaging that PKCS#11
> would be the vehicle for that.

Yes.  PKCS#11 pls.

Nico
-- 


From nobody Sun Apr 16 18:45:31 2017
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A806612941D; Sun, 16 Apr 2017 18:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.8
X-Spam-Level: 
X-Spam-Status: No, score=-4.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bHdOGXk0L56d; Sun, 16 Apr 2017 18:45:22 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D139B128B38; Sun, 16 Apr 2017 18:45:22 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTP id 63DB1A004126; Sun, 16 Apr 2017 18:45:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=Yt+5HpjYkLlXb0 LUEnJhdsF0iSo=; b=p7/y0PmlM4ZiE/pYiisCR9dumB5KJzbMovGvkNYvnXxMW8 Uog7wm4jpxWKk570WiaZ0qb7i/u/gJVuRbjXrTKx0xqlOyXRptYX6M2CDLgaDJQu aA9pXX3Bk7wVtnpXf1/D8yd/A0wWFCYB/pZ3AZKpOQ+uh1+FTRNndiN6G/vMI=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTPSA id 9FF31A004125; Sun, 16 Apr 2017 18:45:21 -0700 (PDT)
Date: Sun, 16 Apr 2017 20:45:19 -0500
From: Nico Williams <nico@cryptonector.com>
To: Ted Lemon <mellon@fugue.com>
Cc: David Woodhouse <dwmw2@infradead.org>, Nikos Mavrogiannopoulos <nmav@redhat.com>, "spasm@ietf.org" <spasm@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, Security Area Advisory Group <saag@ietf.org>
Message-ID: <20170417014518.GF23461@localhost>
References: <1474387066.144982.443.camel@infradead.org> <1474470703731.18547@cs.auckland.ac.nz> <1474495074.30494.21.camel@infradead.org> <1474520671777.43424@cs.auckland.ac.nz> <1474540039.45169.62.camel@infradead.org> <881A4E2D-82C6-46B4-8A48-2FB1E3604E70@deployingradius.com> <1474560485.45169.92.camel@infradead.org> <CAPt1N1ks8mBPTvN6vBEpn5J2seanGopWbtiNNhoU9+iH1cAzoQ@mail.gmail.com> <1474570865.30494.68.camel@infradead.org> <CAPt1N1=iGeC8-biak0sWhYz=ooL4CBMGtjkAs0HeaB_RtW-JsQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAPt1N1=iGeC8-biak0sWhYz=ooL4CBMGtjkAs0HeaB_RtW-JsQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5mIcZFuQvQi0LIhgBJKp5QJUKBc>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 01:45:24 -0000

On Thu, Sep 22, 2016 at 03:26:10PM -0400, Ted Lemon wrote:
> Well, here is the reason that I carefully said "not a security expert"
> earlier.   I suspect that PKCS#11 is a better answer than a shim.   Thanks
> for the clue stick!

PKCS#11 *is* a shim.  But one with a standard API.


From nobody Sun Apr 16 18:50:56 2017
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F445127B52; Sun, 16 Apr 2017 18:50:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.799
X-Spam-Level: 
X-Spam-Status: No, score=-4.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nZjNlky5HsKs; Sun, 16 Apr 2017 18:50:53 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47F9E124217; Sun, 16 Apr 2017 18:50:53 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTP id 5E061A004126; Sun, 16 Apr 2017 18:50:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=HrtH7uPwO9lOXc QqlArVoVvo0Ik=; b=aRTY9PnBi9Ps1c3wGSvRCeF8GTwHVnPKQL4eukK7x/v1Nz S5RMc/Z4ipt+l8jQxjXh3+3UzDJe+TdVHlu2isSoc/4PjEklgxy4KDOaHCAoSbNK PZSu9XRcza6p3bVDIzG0FTc5hqfg/5hdSQYg3WcWsL0DX54raj+1OzT+JQU48=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTPSA id 9D919A004125; Sun, 16 Apr 2017 18:50:48 -0700 (PDT)
Date: Sun, 16 Apr 2017 20:50:46 -0500
From: Nico Williams <nico@cryptonector.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Cc: David Woodhouse <dwmw2@infradead.org>, spasm@ietf.org, Michael Richardson <mcr+ietf@sandelman.ca>, Security Area Advisory Group <saag@ietf.org>, Sean Leonard <dev+ietf@seantek.com>
Message-ID: <20170417015045.GG23461@localhost>
References: <22611.1474382971@obiwan.sandelman.ca> <D2D83C89-12A2-4562-970A-92FAD232DD3B@deployingradius.com> <1474387598.144982.452.camel@infradead.org> <6A89750D-EAF8-45A0-97AD-0137A2CB8352@seantek.com> <1474881447.45169.205.camel@infradead.org> <1eb84be4-1c5a-066e-f82d-1cd98c2dddd0@seantek.com> <1474919326.45169.305.camel@infradead.org> <6a3feeee-c575-8763-6e2a-ed9d07dbdfc0@seantek.com> <1474925522.45169.337.camel@infradead.org> <CAJU7zaKoVmQwkY60izJpbEd4h4P=TOvCt=TWgpO5dNR=v=4bVQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAJU7zaKoVmQwkY60izJpbEd4h4P=TOvCt=TWgpO5dNR=v=4bVQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/yxEKW9SG7zsenpRyzpPzyHJWFog>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 01:50:55 -0000

On Tue, Sep 27, 2016 at 10:15:56AM +0200, Nikos Mavrogiannopoulos wrote:
> On Mon, Sep 26, 2016 at 11:32 PM, David Woodhouse <dwmw2@infradead.org> wrote:
> >> This is surprising, because RFC 7512 Section 4.1. registers it as a
> >> permanent URI scheme in the Permanent URI Schemes Registry. =:-O
> >>
> >> I thought that the whole point of a document called "The PKCS #11 URI
> >> Scheme" would be to make PKCS #11 items accessible in URI protocol
> >> slots, and conversely, to make URI protocol slots useful to PKCS
> >> #11-consuming applications (in addition to other URI items such as http:
> >> , ldap: , data: , etc.).
> > Perhaps that was the intent; we would have to ask its authors. I cannot
> > tell. But it doesn't seem stunningly useful in that form to me.

That was absolutely the intent: to make it possible to write PKCS#11
applications that can be "configured" in a common manner.  (I was
involved in the review process, as well as early on before any I-Ds were
submitted.)  In particular, it's nice to have a string that can be
cut-n-pasted and written into config files, passed into command-lines,
...

> I am not one of the authors, but I participated in the drafting of
> that document. The intent was to provide a consistent way for
> applications to access objects stored in PKCS#11 tokens. A URI (a
> string of characters identifying a resource) seemed the appropriate
> way to do it.

> >>URIs are meant for Internet-accessing things
> 
> Not the PKCS#11 URI.

Nor file: URIs.

Anyone who doesn't like this can say that PKCS#11 URIs aren't, that they
are something else that looks and smells like a URI.

Though, you know, there are "PKCS#11 agents" for accessing remote
tokens.  Of course, to the application the resource still looks local.
But to the user it is remote.  This makes the PKCS#11 URI scheme a
rather reasonable thing to have as a URI scheme.

Nico
-- 


From nobody Sun Apr 16 19:19:20 2017
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D981F129442; Sun, 16 Apr 2017 19:19:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6RWZQ3YqRKt; Sun, 16 Apr 2017 19:19:16 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74AFC12943C; Sun, 16 Apr 2017 19:19:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1492395555; x=1523931555; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=q/cx49kEvgX3Ijv7VILJ4lwdUlo6qdYqU+OBI3q2npg=; b=JvcwKWEY7GFwpsJrCfT4rZJxB/EzJPyV3XeMkYNmn6NxbOCIETrxnsBR ihMy9xU/RTvAisLAzf8nq5aKJ8Sof3ydKXkr03APjKQzcka5cCAgHVBiO bmAFHAuYjpYi12yORG0xk3eQFuyAWusxOAfTXhYLbweaqVoEaURqSwVrq Etz/JPvgBrvjI+r9fn9MyU4sshzL0nMmq2Yj/k9NHVQqakz+4unompp2u YrRwfjYDUkqw0F0DAPEvHwlaa1f7yh1WpI3mwNUXdfDEBrajUo+22wAO6 T03UtrdALgR8e2MjheObneIRTBWJd/whpH8a3zwZXxM/PMpytoP0Rlf02 w==;
X-IronPort-AV: E=Sophos;i="5.37,210,1488798000"; d="scan'208";a="150349559"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.9 - Outgoing - Outgoing
Received: from uxcn13-tdc-e.uoa.auckland.ac.nz ([10.6.3.9]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 17 Apr 2017 14:18:59 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) by uxcn13-tdc-e.UoA.auckland.ac.nz (10.6.3.29) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 17 Apr 2017 14:18:59 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::3ccc:9df5:6df4:210e]) by uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::3ccc:9df5:6df4:210e%14]) with mapi id 15.00.1263.000; Mon, 17 Apr 2017 14:18:58 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nico Williams <nico@cryptonector.com>, David Woodhouse <dwmw2@infradead.org>
CC: Nikos Mavrogiannopoulos <nmav@redhat.com>, "spasm@ietf.org" <spasm@ietf.org>, Security Area Advisory Group <saag@ietf.org>, "Michael Richardson" <mcr+ietf@sandelman.ca>
Thread-Topic: [saag] [Spasm] Best practices for applications using X.509 client certificates
Thread-Index: AQHStyCgMq8Zv9U89U+sx9IkE71UPA==
Date: Mon, 17 Apr 2017 02:18:58 +0000
Message-ID: <1492395524112.64825@cs.auckland.ac.nz>
References: <22611.1474382971@obiwan.sandelman.ca> <1474387066.144982.443.camel@infradead.org> <1474470703731.18547@cs.auckland.ac.nz> <1474495074.30494.21.camel@infradead.org> <1474520671777.43424@cs.auckland.ac.nz> <1474540039.45169.62.camel@infradead.org> <881A4E2D-82C6-46B4-8A48-2FB1E3604E70@deployingradius.com> <1474560485.45169.92.camel@infradead.org> <CAPt1N1ks8mBPTvN6vBEpn5J2seanGopWbtiNNhoU9+iH1cAzoQ@mail.gmail.com> <1474570865.30494.68.camel@infradead.org>,<20170417014414.GE23461@localhost>
In-Reply-To: <20170417014414.GE23461@localhost>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/9-MtLiCss-3bRbAU50NrJTq3ueE>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 02:19:18 -0000

Nico Williams <nico@cryptonector.com> writes:

>And we absolutely need a few decent PKCS#11 URI implementations.

That was going to be my response to your previous message: pointing to a spec
that nothing seems to implement isn't terribly useful.  Is there any
freely/publicly-available implementation that supports it?  More to the point,
are there several of them so I can generalise their usage to see how to apply
it to typical devices in the field?

Peter.


From nobody Sun Apr 16 20:45:11 2017
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CC4F127B5A; Sun, 16 Apr 2017 20:45:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.799
X-Spam-Level: 
X-Spam-Status: No, score=-4.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Fp-utbad3tK; Sun, 16 Apr 2017 20:45:01 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B93E91286B2; Sun, 16 Apr 2017 20:45:01 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTP id F1EB4A004127; Sun, 16 Apr 2017 20:44:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=OwTyKpypZBipQn Jnwc5OXP40EFs=; b=wtTixCIUXXGUea83TXI9dl+Kau4omYqf4D4wSvK7YItP+4 FQ4QohM8bPtrWd+ZBABxPe5zkhAsQv/NVRicDP7M8lVT33g385iNIxvj4Q/KjM+9 ohlWvK9WM19meMzglnGkEPOKrfcPWFloKKikheogyoRYbEVtkh57GgjvTRmSM=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTPSA id 3B378A004125; Sun, 16 Apr 2017 20:44:59 -0700 (PDT)
Date: Sun, 16 Apr 2017 22:44:57 -0500
From: Nico Williams <nico@cryptonector.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: David Woodhouse <dwmw2@infradead.org>, Nikos Mavrogiannopoulos <nmav@redhat.com>, "spasm@ietf.org" <spasm@ietf.org>, Security Area Advisory Group <saag@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <20170417034456.GH23461@localhost>
References: <1474470703731.18547@cs.auckland.ac.nz> <1474495074.30494.21.camel@infradead.org> <1474520671777.43424@cs.auckland.ac.nz> <1474540039.45169.62.camel@infradead.org> <881A4E2D-82C6-46B4-8A48-2FB1E3604E70@deployingradius.com> <1474560485.45169.92.camel@infradead.org> <CAPt1N1ks8mBPTvN6vBEpn5J2seanGopWbtiNNhoU9+iH1cAzoQ@mail.gmail.com> <1474570865.30494.68.camel@infradead.org> <20170417014414.GE23461@localhost> <1492395524112.64825@cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1492395524112.64825@cs.auckland.ac.nz>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/b0xu-iplruRsvCv2ilgBXi127Fo>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 03:45:03 -0000

On Mon, Apr 17, 2017 at 02:18:58AM +0000, Peter Gutmann wrote:
> Nico Williams <nico@cryptonector.com> writes:
> >And we absolutely need a few decent PKCS#11 URI implementations.
> 
> That was going to be my response to your previous message, pointing to
> a spec that nothing seems to implement isn't terribly useful.  Is
> there any freely/publicly-available implementation that supports it?
> More to the point, are there several of them so I generalise their
> usage to see how to apply it to typical devices in the field?

There appear to be a number of implementations.

A few minutes of searching turned up a few things.  Most aren't standalone
PKCS#11 URI implementations, rather they are embedded in larger
projects:

 - p11-kit (https://github.com/p11-glue/p11-kit) (BSD 3-clause, no advertising clause)

 - NSS?
    - http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12633.html
    - https://github.com/varunnaganathan/nss

 - http://arunnsblog.com/tag/native-pkcs11/

 - GnuTLS?
    - http://man7.org/linux/man-pages/man1/p11tool.1.html
    - https://www.gnu.org/software/gnutls/clang/report-sQaOHg.html

 - libcryptoutil (Illumos) (this one is standalone, and is CDDL'ed)
   http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libcryptoutil/

 - http://www.pkcs11interop.net/extensions/uri/

And a few others.

So it seems there are at least a few implementations, and at least one
standalone one.

Now, we should probably talk (maybe not here though, right?) about what
a PKCS#11 URI implementation really entails.  The bare minimum would be
this:

 - parse(URI) -> parsed form

 - open(URI) -> PKCS#11 module handle, session handle, object handle

   (May require interaction to prompt for PIN.)

 - search(partial URI) -> set of {module, [session], [object]} handles?

Ideally also:

 - a "guru" UI for constructing and inspecting URIs

Nico
-- 

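The message above sketches the minimum a PKCS#11 URI implementation needs: parse(URI), open(URI) and search(partial URI). The following is an added example, not code from the thread or from any of the projects it lists (p11-kit, NSS, GnuTLS, libcryptoutil, Pkcs11Interop). It implements the parse and search halves for RFC 7512 URIs; open() is left out because it needs a live PKCS#11 module. The attribute names, the percent-encoding and the "each registered attribute at most once" rule follow RFC 7512; the refusal of a URI carrying both pin-value and pin-source is this example's own policy, the object inventory is constructed for the demo (it stands in for what C_FindObjects would return), and the module path in the demo URI is an assumed SoftHSM location.

```python
"""Parse and match RFC 7512 PKCS#11 URIs (added example, not thread code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Union
from urllib.parse import unquote_to_bytes

# Attributes RFC 7512 defines for the ';'-separated path component.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model",
    "library-manufacturer", "library-version", "library-description",
    "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
# Attributes RFC 7512 defines for the '&'-separated query component.
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
# Values RFC 7512 permits for "type".
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


@dataclass
class Pkcs11Uri:
    # Path attributes: "id" is raw CKA_ID bytes, everything else is text.
    path: Dict[str, Union[str, bytes]] = field(default_factory=dict)
    # Query attributes: how to find the module and the PIN.
    query: Dict[str, str] = field(default_factory=dict)

    def matches(self, obj: Dict[str, Union[str, bytes]]) -> bool:
        """A URI is a pattern: attributes it omits are wildcards, so
        'pkcs11:token=X' matches every object on token X (the
        search(partial URI) case from the message)."""
        return all(obj.get(k) == v for k, v in self.path.items())


def _parse_attrs(component: str, sep: str, allowed: set, where: str) -> dict:
    """Split 'name=value' pairs, percent-decode them, reject repeats.

    Vendor-specific attributes are legal under RFC 7512; this strict
    example accepts only the registered names.
    """
    out: dict = {}
    if component == "":
        return out
    for item in component.split(sep):
        name, eq, raw = item.partition("=")
        if not eq or name not in allowed:
            raise ValueError(f"bad {where} attribute: {item!r}")
        if name in out:
            raise ValueError(f"{where} attribute {name!r} repeated")
        value = unquote_to_bytes(raw)  # '+' is NOT a space in this scheme
        out[name] = value if name == "id" else value.decode("utf-8")
    return out


def parse_pkcs11_uri(uri: str) -> Pkcs11Uri:
    """parse(URI) -> parsed form; raises ValueError on malformed input."""
    if uri[:7].lower() != "pkcs11:":
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[7:].partition("?")
    path = _parse_attrs(path_part, ";", PATH_ATTRS, "path")
    query = _parse_attrs(query_part, "&", QUERY_ATTRS, "query")
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {path['type']!r}")
    if "slot-id" in path and not path["slot-id"].isdigit():
        raise ValueError("slot-id must be a decimal number")
    # Policy choice of this example: a URI that both embeds a PIN and
    # points at a PIN source is ambiguous, so refuse it.
    if "pin-value" in query and "pin-source" in query:
        raise ValueError("pin-value and pin-source are mutually exclusive")
    return Pkcs11Uri(path, query)


def find_objects(uri: str, objects: List[dict]) -> List[dict]:
    """search(partial URI): the inventory entries the pattern selects."""
    pattern = parse_pkcs11_uri(uri)
    return [o for o in objects if pattern.matches(o)]


# Constructed inventory for the demo: a key pair plus its cert on one
# token, and an unrelated key on another.
SAMPLE_OBJECTS = [
    {"token": "Example Token", "object": "tls-client", "type": "private", "id": b"\x01\x02"},
    {"token": "Example Token", "object": "tls-client", "type": "cert", "id": b"\x01\x02"},
    {"token": "Other Token", "object": "signing", "type": "private", "id": b"\x0a"},
]

if __name__ == "__main__":
    u = parse_pkcs11_uri(
        "pkcs11:token=Example%20Token;object=tls-client;type=private;id=%01%02"
        "?module-path=/usr/lib/softhsm/libsofthsm2.so&pin-source=file:/etc/pkcs11.pin")
    print(u.path, u.query)
    for o in find_objects("pkcs11:token=Example%20Token;id=%01%02", SAMPLE_OBJECTS):
        print("matched:", o["object"], o["type"])
```

The point of the matches() method is the one the thread keeps circling: a PKCS#11 URI is a selector, not a locator, so a URI naming only a token or only an id is a legitimate search and an application should expect zero, one or several hits.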

From nobody Sun Apr 16 20:50:57 2017
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6D88127B5A; Sun, 16 Apr 2017 20:50:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.799
X-Spam-Level: 
X-Spam-Status: No, score=-4.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lrn0heHPi10m; Sun, 16 Apr 2017 20:50:48 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E589127333; Sun, 16 Apr 2017 20:50:48 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTP id 206B9A004127; Sun, 16 Apr 2017 20:50:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=mbf1OefRBNZUaH yIjkx2qA1Fub0=; b=eFtwmEFcvlGGyWR3Fq1RsWNgMstLkMpH1/Sl6ao8tG0gSf 8/5aDrycuc4Fi49KjvN6F+zEutOfhsuj7H7PkGERxazR2pFazq/WRebd6BUqSHCu Y1op9IHyIaJgk6oijjkhAGNtaFTF2YaUqhZVCO10a0uNL2xcBpbRQ19xPb7Pc=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTPSA id 8AADAA004125; Sun, 16 Apr 2017 20:50:47 -0700 (PDT)
Date: Sun, 16 Apr 2017 22:50:45 -0500
From: Nico Williams <nico@cryptonector.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: David Woodhouse <dwmw2@infradead.org>, spasm@ietf.org, Michael Richardson <mcr+ietf@sandelman.ca>, Security Area Advisory Group <saag@ietf.org>, Winter Stefan <stefan.winter@restena.lu>
Message-ID: <20170417035044.GI23461@localhost>
References: <1474280601.144982.263.camel@infradead.org> <CAPt1N1n_ff_QMYiRoorwvVnnP-Q6oruUE9_pvVr+QabeYJ+WrQ@mail.gmail.com> <CACsn0cnsswBX_-P+=Nd42uXAjPPXedXCefQ+V7R+aZn3U9XNog@mail.gmail.com> <CACsn0c=xHisLqPQzMHKr-0c_MEwM9_Nzq3tKmih5uZTYBnibGg@mail.gmail.com> <CACsn0ckABVfiJ506-uYRG+FXpGQixrS_9nxq6tPXfRu1kG_3pw@mail.gmail.com> <1474314996.144982.391.camel@infradead.org> <22611.1474382971@obiwan.sandelman.ca> <D2D83C89-12A2-4562-970A-92FAD232DD3B@deployingradius.com> <1474387598.144982.452.camel@infradead.org> <11F16CFE-3554-4F07-811A-8F5D4BE3A6AE@deployingradius.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <11F16CFE-3554-4F07-811A-8F5D4BE3A6AE@deployingradius.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/KXpzkmNOlzQybq4dbKkPNLM_XfA>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 03:50:50 -0000

On Tue, Sep 20, 2016 at 12:36:01PM -0400, Alan DeKok wrote:
> On Sep 20, 2016, at 12:06 PM, David Woodhouse <dwmw2@infradead.org> wrote:
> > It also seems that the proposal you reference doesn't have any kind of
> > support for using keys from hardware. If the key I want to use is
> > identified by an RFC7512 PKCS#11 URI, how do I indicate *that* in this
> > format?
> 
>   The proposal would need updating to handle that.

We really need to push PKCS#11 URIs.  It's the only hope we have to make
sense of the configuration mess.

Got private keys lying around in whatever format?  Use a softtoken.

Got private keys in a TPM or other HW?  Use an appropriate PKCS#11
provider.

Nico
-- 


From nobody Sun Apr 16 20:57:55 2017
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC8111201F2; Sun, 16 Apr 2017 20:57:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.8
X-Spam-Level: 
X-Spam-Status: No, score=-4.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5bor2D6jXE6H; Sun, 16 Apr 2017 20:57:48 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFCA7128708; Sun, 16 Apr 2017 20:57:48 -0700 (PDT)
Received: from homiemail-a29.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTP id 3845CA004126; Sun, 16 Apr 2017 20:57:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=v5KEGbKiqWqEi50t2+qjLj/L/ss=; b=aeseK19JHiH p0Ms/7uv7KC8J+rN4hHOdodIsbw3UoE4loyennlWGLb8SoC+CQz+HWWaMjkpGCY3 k6HYbiDZjArpoXVP4de+r3Y7izVzqr1MHThqkHvwAhOOahQGWkVe2nOhRo9V2yJ1 MY+XVyLVqjZKYMXnRFSZ1rcbxwGAapPQ=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a29.g.dreamhost.com (Postfix) with ESMTPSA id 708E4A004125; Sun, 16 Apr 2017 20:57:47 -0700 (PDT)
Date: Sun, 16 Apr 2017 22:57:45 -0500
From: Nico Williams <nico@cryptonector.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: Sean Leonard <dev+ietf@seantek.com>, Watson Ladd <watsonbladd@gmail.com>, spasm@ietf.org, Michael Richardson <mcr+ietf@sandelman.ca>, Security Area Advisory Group <saag@ietf.org>
Message-ID: <20170417035744.GJ23461@localhost>
References: <6A89750D-EAF8-45A0-97AD-0137A2CB8352@seantek.com> <1474881447.45169.205.camel@infradead.org> <1eb84be4-1c5a-066e-f82d-1cd98c2dddd0@seantek.com> <1474919326.45169.305.camel@infradead.org> <c2144e2e-0fd1-2f48-326f-7d9ec47f2d5c@seantek.com> <1474921558.45169.314.camel@infradead.org> <d9aa5fd5-f056-0d5e-fd22-85fe3548cae8@seantek.com> <CACsn0cn4ebsqXJKKoNM3A-Cb0Sqg3i3Uzxe_LXO+PzE7uSrefw@mail.gmail.com> <1c555d80-991c-cca7-4018-be220cdddcdf@seantek.com> <1474929821.11690.66.camel@infradead.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To: <1474929821.11690.66.camel@infradead.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/8UiXISphLHdOcDWCvUlBSSe8508>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 03:57:54 -0000

On Mon, Sep 26, 2016 at 11:43:41PM +0100, David Woodhouse wrote:
> On Mon, 2016-09-26 at 14:55 -0700, Sean Leonard wrote:
> > When I use cryptographic tokens such as smart cards, the private key
> > never leaves the token. So, there is no password: it's irrelevant.
> > Sometimes the token is configured with a PIN, but the PIN is not the
> > subject of this PKCS #8 EncryptedPrivateKeyInfo discussion.
> 
> Well... looking a bit further back in the thread (or indeed at
> $SUBJECT), this was about application best practice. And I probably
> *do* need to look at what to do with non-ASCII PINs and C_Login().

_That_ you have to take to OASIS.  Consensus _here_ is nice, but it's
needed _there_.

There's basically these choices:

 - applications apply some sort of normalization, possibly just a
   conversion to Unicode (if needed) and a Unicode NF

   We might need to go this route if OASIS doesn't want to specify this.

 - providers apply some sort of normalization -- whatever they want

   Obviously they can do whatever they want.  But they do need to know
   what codeset the input is encoded in.

 - both do

 - neither does -- wish the user luck

> And again, I think the recommendation there needs to be the same as
> PKCS#8: By all means *try* the local character set of the current
> system, but make sure you also try UTF-8. I'll update my draft.

Oh?  And in what form?  NF(K)C?  NF(K)D?

Nico
-- 

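The exchange above leaves two things to the application: which byte encoding of the PIN to hand to C_Login(), and whether to normalize first (and to which form). The following is an added example, not code from the thread, from OASIS or from any PKCS#11 library. It implements the quoted recommendation (try the local charset, but also try UTF-8) and makes the NFC/NFD question concrete by producing both forms rather than deciding between them. The failure budget is this example's own addition: every rejected attempt counts against the token's PIN retry counter, so a client that tries several encodings must cap them. The login callable in the demo is a constructed stand-in for C_Login.

```python
"""PIN encoding candidates for C_Login (added example, not thread code)."""
import locale
import unicodedata
from typing import Callable, List, Optional


def pin_candidates(pin: str, local_charset: Optional[str] = None) -> List[bytes]:
    """Byte strings to hand to C_Login, in the order to try them.

    1. the PIN as typed, in the local charset (what a legacy app sends)
    2. the PIN as typed, in UTF-8
    3. UTF-8 of the NFC form, then of the NFD form
    Duplicates are dropped, so an ASCII PIN yields exactly one attempt; a
    PIN the local charset cannot represent skips step 1 instead of failing.
    """
    if local_charset is None:
        local_charset = locale.getpreferredencoding(False)
    attempts = [
        (pin, local_charset),
        (pin, "utf-8"),
        (unicodedata.normalize("NFC", pin), "utf-8"),
        (unicodedata.normalize("NFD", pin), "utf-8"),
    ]
    out: List[bytes] = []
    for text, codec in attempts:
        try:
            encoded = text.encode(codec)
        except UnicodeEncodeError:
            continue  # e.g. a combining mark that Latin-1 cannot carry
        if encoded not in out:
            out.append(encoded)
    return out


def try_login(login: Callable[[bytes], bool], candidates: List[bytes],
              failure_budget: int = 2) -> Optional[bytes]:
    """Try each candidate until login() accepts one; return the accepted bytes.

    login() models C_Login: True for CKR_OK, False for CKR_PIN_INCORRECT.
    Each rejection decrements the token's PIN retry counter and the token
    locks at zero, so the caller sets failure_budget below the counter's
    remaining value and the loop stops there rather than bricking the token.
    """
    failures = 0
    for pin_bytes in candidates:
        if login(pin_bytes):
            return pin_bytes
        failures += 1
        if failures >= failure_budget:
            break
    return None


if __name__ == "__main__":
    # Constructed demo: the token was initialised with the UTF-8 NFC PIN,
    # the user is on a Latin-1 locale and types the precomposed form.
    token_pin = "caf\u00e9".encode("utf-8")
    for c in pin_candidates("caf\u00e9", "latin-1"):
        print("candidate:", c)
    print("accepted:", try_login(lambda b: b == token_pin,
                                 pin_candidates("caf\u00e9", "latin-1")))
```

Note what the candidate list shows for a PIN such as "café": Latin-1, UTF-8 NFC and UTF-8 NFD are three different byte strings, and a token that stored one of them rejects the other two. That is why the normalization form has to be settled somewhere (application or provider) rather than left to luck.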

From BATV+e6c74ddaaf06eea689c2+4985+infradead.org+dwmw2@twosheds.srs.infradead.org  Mon Apr 17 12:19:04 2017
Message-ID: <1492456728.17682.182.camel@infradead.org>
From: David Woodhouse <dwmw2@infradead.org>
To: Nico Williams <nico@cryptonector.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Nikos Mavrogiannopoulos <nmav@redhat.com>, "spasm@ietf.org" <spasm@ietf.org>,  Security Area Advisory Group <saag@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
In-Reply-To: <20170417034456.GH23461@localhost>
References: <1474470703731.18547@cs.auckland.ac.nz> <1474495074.30494.21.camel@infradead.org> <1474520671777.43424@cs.auckland.ac.nz> <1474540039.45169.62.camel@infradead.org> <881A4E2D-82C6-46B4-8A48-2FB1E3604E70@deployingradius.com> <1474560485.45169.92.camel@infradead.org> <CAPt1N1ks8mBPTvN6vBEpn5J2seanGopWbtiNNhoU9+iH1cAzoQ@mail.gmail.com> <1474570865.30494.68.camel@infradead.org> <20170417014414.GE23461@localhost> <1492395524112.64825@cs.auckland.ac.nz> <20170417034456.GH23461@localhost>
Date: Mon, 17 Apr 2017 20:18:48 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/k0fbFH4irD5jjyCRPVfCWcaTuGE>
Subject: Re: [saag] [Spasm] Best practices for applications using X.509 client certificates


On Sun, 2017-04-16 at 22:44 -0500, Nico Williams wrote:
> On Mon, Apr 17, 2017 at 02:18:58AM +0000, Peter Gutmann wrote:
> >
> > Nico Williams <nico@cryptonector.com> writes:
> > >
> > > And we absolutely need a few decent PKCS#11 URI implementations.
> > That was going to be my response to your previous message, pointing to
> > a spec that nothing seems to implement isn't terribly useful.  Is
> > there any freely/publicly-available implementation that supports it?

It's not *that* unimplemented. The Fedora packaging guidelines say that
any application packaged for Fedora which can take a key/cert from a
file SHOULD also accept a PKCS#11 URI transparently in place of a
filename. And although compliance isn't ubiquitous, there are plenty of
packages which do comply.

They're even building curl against something other than NSS in the
upcoming release, which means we can close *that* bug too.

> > More to the point, are there several of them so I generalise their
> > usage to see how to apply it to typical devices in the field?
> There appear to be a number of implementations.
>
> A few minutes searching turned up a few things.  Most aren't standalone
> PKCS#11 URI implementations, rather they are embedded in larger
> projects:
>
>  - p11-kit (https://github.com/p11-glue/p11-kit) (BSD 3-clause, no advertising clause)
>
>  - NSS?
>     - http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12633.html
>     - https://github.com/varunnaganathan/nss

Those are the same, FWIW. That's the GSoC project I mentored last year.

>  - http://arunnsblog.com/tag/native-pkcs11/
>
>  - GnuTLS?
>     - http://man7.org/linux/man-pages/man1/p11tool.1.html
>     - https://www.gnu.org/software/gnutls/clang/report-sQaOHg.html
>
>  - libcryptoutil (Illumos) (this one is standalone, and is CDDL'ed)
>    http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libcryptoutil/
>
>  - http://www.pkcs11interop.net/extensions/uri/
>
> And a few others.

Including in the OpenSSL PKCS#11 engine. Although I'd like to ditch
that and just use p11-kit's.

> So it seems there's at least a few implementations, and at least one
> standalone one.
>
> Now, we should probably talk (maybe not here though, right?) about what
> a PKCS#11 URI implementation really entails.  The bare minimum would be
> this:
>
>  - parse(URI) -> parsed form
>
>  - open(URI) -> PKCS#11 module handle, session handle, object handle
>
>    (May require interaction to prompt for PIN.)
>
>  - search(partial URI) -> set of {module, [session], [object]} handles?
>
> Ideally also:
>
>  - a "guru" UI for constructing and inspecting URIs
>
> Nico
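An added example (not code from the thread or from p11-kit, NSS, GnuTLS or the other implementations listed above) of the two steps in the "bare minimum" that need no hardware: parse(URI) into its path and query attributes, and search(partial URI) against the objects a module exposes. The attribute names are the standard ones from RFC 7512, which the thread does not cite by number; vendor-specific attributes are rejected. The object list is constructed to stand in for what C_GetTokenInfo and C_FindObjects would return, so the open() step, which needs a real module and possibly a PIN prompt, is not shown.

```python
from urllib.parse import unquote_to_bytes

# Attribute names RFC 7512 defines for the path (";"-separated) and query
# ("&"-separated) components.  Anything else is rejected rather than ignored.
PATH_ATTRS = frozenset({
    "token", "manufacturer", "serial", "model",
    "library-manufacturer", "library-version", "library-description",
    "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
})
QUERY_ATTRS = frozenset({"pin-source", "pin-value", "module-name", "module-path"})


def _parse_component(part, separator, allowed, binary=()):
    """Split one component into name=value pairs, percent-decoding values.
    Names in `binary` (the object id) stay bytes; others must be UTF-8."""
    attrs = {}
    for item in filter(None, part.split(separator)):
        name, eq, raw = item.partition("=")
        if not eq or name not in allowed:
            raise ValueError(f"unknown or malformed attribute: {item!r}")
        if name in attrs:
            raise ValueError(f"attribute given twice: {name}")
        value = unquote_to_bytes(raw)
        attrs[name] = value if name in binary else value.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri):
    """parse(URI) -> (path_attrs, query_attrs)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    return (_parse_component(path_part, ";", PATH_ATTRS, binary=("id",)),
            _parse_component(query_part, "&", QUERY_ATTRS))


def is_valid_pkcs11_uri(uri):
    """True iff the URI parses; lets callers accept a URI where a filename
    would otherwise be expected without catching exceptions themselves."""
    try:
        parse_pkcs11_uri(uri)
        return True
    except ValueError:
        return False


def matches(path_attrs, obj):
    """A (possibly partial) URI matches an object when every attribute the
    URI names equals the object's; attributes the URI omits are wildcards."""
    return all(obj.get(name) == value for name, value in path_attrs.items())


def search(uri, objects):
    """search(partial URI) -> the objects it matches, in module order."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    return [obj for obj in objects if matches(path_attrs, obj)]


# Constructed sample of what a module would report for its tokens' objects.
SAMPLE_OBJECTS = [
    {"token": "My Token", "object": "my-key", "type": "private", "id": b"\x01\x02"},
    {"token": "My Token", "object": "my-key", "type": "public", "id": b"\x01\x02"},
    {"token": "My Token", "object": "other", "type": "private", "id": b"\x03"},
    {"token": "Other Token", "object": "my-key", "type": "private", "id": b"\x01\x02"},
]


if __name__ == "__main__":
    full = "pkcs11:token=My%20Token;object=my-key;type=private;id=%01%02?pin-source=file:/etc/pin"
    print(parse_pkcs11_uri(full))
    print(search("pkcs11:token=My%20Token;type=private", SAMPLE_OBJECTS))
    print(search("pkcs11:", SAMPLE_OBJECTS))  # no attributes: matches everything
```

The search step is where a partial URI bites: "pkcs11:token=My%20Token;type=private" matches two keys, so an application should either refuse to proceed or ask the user which one, rather than silently using the first object returned.
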

