From nobody Tue Apr 1 19:57:18 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3FC11A00B2 for ; Tue, 1 Apr 2014 19:57:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.378 X-Spam-Level: X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id veAc08LPBjMq for ; Tue, 1 Apr 2014 19:57:15 -0700 (PDT) Received: from mail-oa0-x22c.google.com (mail-oa0-x22c.google.com [IPv6:2607:f8b0:4003:c02::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 2DAC61A00AA for ; Tue, 1 Apr 2014 19:57:15 -0700 (PDT) Received: by mail-oa0-f44.google.com with SMTP id n16so12295707oag.3 for ; Tue, 01 Apr 2014 19:57:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:date:message-id:subject:from:to:content-type; bh=lczttZNZVwD1ktTz6KMD1Gm1JP6Zvrglg5Uidw9tk0U=; b=ZHPp+Wb2c9cguIzTb9SrbLZKnihWDy2CSy7SJ1wxO3LHTKCJJILzeCK0n/JHl7lANI rOiJU3ZVpx3Zd9RRZyX4yfASWMwZy+7YIYoS0wJda0o16SIWihpEVXjFGaSMRxsDRxeE Y7ouke+/zLRcWDUj/IKbAS4+aYf8GH2omnf10= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=lczttZNZVwD1ktTz6KMD1Gm1JP6Zvrglg5Uidw9tk0U=; b=Ibz9ZzxA/R2xDXwj1fCajo7SKftyaAoOpDBSuWeaoaExlsEc30zDWG6i2AB6nwIeO3 KyPVMl+aOt952ByV/FqsVV0dEkKiMvj5s0LsOcEaxxQtTBmehF3ctvwq1p1EdCslvGWI MolriA2SMC58pV5oezhjncDqMVI/WcHGf7OWJlNTGGA+qMt82cj2b07/1uTnlQFl6+UW BybwA2BqwQzz3mxpryskG6hL0ptVQngQxxJaMiJiZHE/u63gQqVCZmIsTfFDKWWsawv0 Od/mt+JSdz2XvcZjSXgbdq9uViHAQH/9lqIUYEeP+/FEuguhF9d+9Qt2hRLgP21yh7uZ MMHg== X-Gm-Message-State: ALoCoQlRrMAr6agyI1tMwtWqtwasA1ViOZQACBsF7A8nWop4PA8e26i6teedIPiby7hU1CH1Jlzy MIME-Version: 1.0 X-Received: by 10.60.37.99 with SMTP id x3mr32495266oej.2.1396407431270; Tue, 01 Apr 2014 19:57:11 -0700 (PDT) Received: by 10.60.54.99 with HTTP; Tue, 1 Apr 2014 19:57:11 -0700 (PDT) Date: Wed, 2 Apr 2014 08:27:11 +0530 Message-ID: From: Prabath Siriwardena To: "oauth@ietf.org WG" Content-Type: multipart/alternative; boundary=089e01176279e7288504f60670af Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/nByFX340cPWkNxhCl4uXz3k3CrA Subject: [OAUTH-WG] A possible typo in introspection spec X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 02:57:16 -0000 --089e01176279e7288504f60670af Content-Type: text/plain; charset=ISO-8859-1 https://tools.ietf.org/html/draft-richer-oauth-introspection-04 token_type_hint OPTIONAL. A hint about the type of the token submitted for *revocation*. I guess *revocation* should be corrected as *introspection* ? Thanks & Regards, Prabath Twitter : @prabath LinkedIn : http://www.linkedin.com/in/prabathsiriwardena Mobile : +94 71 809 6732 http://blog.facilelogin.com http://blog.api-security.org --089e01176279e7288504f60670af Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
https://tools.ietf.org/html/draft-richer-oauth-introspect= ion-04

token_type_hint =A0OPTIONAL. =A0A hint about the type of = the token=A0submitted for=A0revocation.

I guess=A0revocation should be corrected as intros= pection ?

Thanks & Regards,
Prabath

Twitter : @pra= bath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://blog.api-security.org
--089e01176279e7288504f60670af-- From nobody Tue Apr 1 20:37:36 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78DD01A00DA for ; Tue, 1 Apr 2014 20:37:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3EDh9UZ8vt_W for ; Tue, 1 Apr 2014 20:37:30 -0700 (PDT) Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0235.outbound.protection.outlook.com [207.46.163.235]) by ietfa.amsl.com (Postfix) with ESMTP id 76D001A00C6 for ; Tue, 1 Apr 2014 20:37:30 -0700 (PDT) Received: from BL2PR03CA018.namprd03.prod.outlook.com (10.141.66.26) by BY2PR03MB027.namprd03.prod.outlook.com (10.255.240.41) with Microsoft SMTP Server (TLS) id 15.0.913.9; Wed, 2 Apr 2014 03:37:25 +0000 Received: from BN1AFFO11FD015.protection.gbl (2a01:111:f400:7c10::192) by BL2PR03CA018.outlook.office365.com (2a01:111:e400:c1b::26) with Microsoft SMTP Server (TLS) id 15.0.898.11 via Frontend Transport; Wed, 2 Apr 2014 03:37:25 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD015.mail.protection.outlook.com (10.58.52.75) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Wed, 2 Apr 2014 03:37:24 +0000 Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (157.54.79.193) by TK5EX14MLTC102.redmond.corp.microsoft.com (157.54.79.180) with Microsoft SMTP Server (TLS) id 14.3.174.2; Wed, 2 Apr 2014 03:36:54 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0174.002; Wed, 2 Apr 2014 03:36:54 +0000 From: Mike Jones To: "oauth@ietf.org" Thread-Topic: Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) Thread-Index: Ac9OJMm2QQWqL+riTTewCyU8ts655A== Date: Wed, 2 Apr 2014 03:36:53 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.33] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A132083TK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(100?= =?us-ascii?Q?09001)(438001)(199002)(189002)(81342001)(54356001)(90146001)?= =?us-ascii?Q?(87266001)(2656002)(65816001)(56776001)(85806002)(77982001)(?= =?us-ascii?Q?97736001)(83072002)(59766001)(81686001)(85852003)(74662001)(?= =?us-ascii?Q?54316002)(15975445006)(84676001)(16236675002)(76482001)(5681?= =?us-ascii?Q?6005)(66066001)(69226001)(55846006)(80022001)(31966008)(7118?= =?us-ascii?Q?6001)(87936001)(81816001)(83322001)(16796002)(44976005)(1930?= =?us-ascii?Q?0405004)(512954002)(93516002)(95416001)(76786001)(46102001)(?= =?us-ascii?Q?92566001)(86362001)(79102001)(94316002)(95666003)(98676001)(?= =?us-ascii?Q?92726001)(74706001)(47446002)(74876001)(76796001)(77096001)(?= =?us-ascii?Q?86612001)(20776003)(49866001)(74366001)(63696002)(2009001)(7?= =?us-ascii?Q?4502001)(93136001)(33656001)(53806001)(76176001)(85306002)(9?= =?us-ascii?Q?7186001)(51856001)(50986001)(97336001)(84326002)(47736001)(9?= =?us-ascii?Q?4946001)(81542001)(19580395003)(16297215004)(15202345003)(80?= =?us-ascii?Q?976001)(4396001)(47976001)(99396002)(6606295002);DIR:OUT;SFP?= =?us-ascii?Q?:1101;SCL:1;SRVR:BY2PR03MB027;H:mail.microsoft.com;FPR:FC405?= =?us-ascii?Q?CBA.9E3A66D6.F7D1BF4B.44F0F559.201DC;MLV:sfv;PTR:InfoDomainN?= =?us-ascii?Q?onexistent;A:1;MX:1;LANG:en;?= X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0169092318 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/00QDP0CFO6mdpACunldhFfqhVWE Subject: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 03:37:34 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A132083TK5EX14MBXC286r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I've written a concise Internet-Draft on proof-of-possession for JWTs with = John Bradley and Hannes Tschofenig. Quoting from the abstract: This specification defines how to express a declaration in a JSON Web Token= (JWT) that the presenter of the JWT possesses a particular key and that th= e recipient can cryptographically confirm proof-of-possession of the key by= the presenter. This property is also sometimes described as the presenter = being a holder-of-key. This specification intentionally does not specify the means of communicatin= g the proof-of-possession JWT, nor the messages used to exercise the proof = key, as these are necessarily application-specific. Rather, this specifica= tion defines a proof-of-possession JWT data structure to be used by other s= pecifications that do define those things. The specification is available at: * http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-0= 0 An HTML formatted version is available at: * http://self-issued.info/docs/draft-jones-oauth-proof-of-possession= -00.html -- Mike P.S. This note was also posted at http://self-issued.info/?p=3D1210 and as= @selfissued. --_000_4E1F6AAD24975D4BA5B16804296739439A132083TK5EX14MBXC286r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I’ve written a concise Internet-Draft on proof= -of-possession for JWTs with John Bradley and Hannes Tschofenig.  Quot= ing from the abstract:

 

This specification def= ines how to express a declaration in a JSON Web Token (JWT) that the presen= ter of the JWT possesses a particular key and that the recipient can crypto= graphically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as = the presenter being a holder-of-key.

 

This specification intentionally does not specify th= e means of communicating the proof-of-possession JWT, nor the messages used= to exercise the proof key, as these are necessarily application-specific.&= nbsp; Rather, this specification defines a proof-of-possession JWT data structure to be used by other specification= s that do define those things.

 

The specification is available at:

·        http://tools.ietf.org/html/draft-jones-= oauth-proof-of-possession-00

 

An HTML formatted version is available at:

·        http://self-issued.info/docs/dra= ft-jones-oauth-proof-of-possession-00.html

 

        &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p; -- Mike

 

P.S.  This note was also posted at http://self-issued.info/?p=3D1210 and as @selfissued.

 

--_000_4E1F6AAD24975D4BA5B16804296739439A132083TK5EX14MBXC286r_-- From nobody Tue Apr 1 22:50:33 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F35951A0138 for ; Tue, 1 Apr 2014 22:50:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.202 X-Spam-Level: X-Spam-Status: No, score=-0.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_IS_203=0.994] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SdDFaooWRwrN for ; Tue, 1 Apr 2014 22:50:28 -0700 (PDT) Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id E02401A0137 for ; Tue, 1 Apr 2014 22:50:27 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.97,778,1389704400"; d="scan'208";a="5210449" Received: from unknown (HELO ipcdvi.tcif.telstra.com.au) ([10.97.217.212]) by ipocvi.tcif.telstra.com.au with ESMTP; 02 Apr 2014 16:42:40 +1100 X-IronPort-AV: E=McAfee;i="5400,1158,7395"; a="206238874" Received: from wsmsg3705.srv.dir.telstra.com ([172.49.40.203]) by ipcdvi.tcif.telstra.com.au with ESMTP; 02 Apr 2014 16:50:23 +1100 Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3705.srv.dir.telstra.com ([172.49.40.203]) with mapi; Wed, 2 Apr 2014 16:50:23 +1100 From: "Manger, James" To: "oauth@ietf.org" Date: Wed, 2 Apr 2014 16:50:22 +1100 Thread-Topic: Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) Thread-Index: Ac9OJMm2QQWqL+riTTewCyU8ts655AABhU1A Message-ID: <255B9BB34FB7D647A506DC292726F6E115446A5608@WSMSG3153V.srv.dir.telstra.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> Accept-Language: en-US, en-AU Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US, en-AU Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qPBXbsu2akmQMuohNJXZrkxW3CA Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 05:50:32 -0000 PiBodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1qb25lcy1vYXV0aC1wcm9vZi1vZi1w b3NzZXNzaW9uLTAwDQoNCg0KQSBuZXcgcmVnaXN0cnkgZm9yICJjbmYiIG1lbWJlcnMgaXMgYSBi aXQgc3RyYW5nZS4gQSBKV1QgQ2xhaW0gU2V0IGhhcyBzbyBmYXIgYmVlbiBhIGZsYXQgc3RydWN0 dXJlLCB3aXRoIG1ldGFkYXRhIHN1Y2ggZXhwaXJ5IGRhdGUgImV4cCIgYWxvbmdzaWRlIGNsYWlt cyBzdWNoIGFzICJnaXZlbl9uYW1lIi4gVGhpcyBzcGVjIHN0YXJ0cyBpbnRyb2R1Y2luZyBzdHJ1 Y3R1cmUgYnkgd3JhcHBpbmcgbWVtYmVycyBpbiBhICJjbmYiIChjb25maXJtYXRpb24pIG9iamVj dC4gSXQgaXMgbm90IGNsZWFyIHRvIG1lIHdoaWNoIG5ldyB0aGluZ3Mgd291bGQgZ28gaW4gImNu ZiIgdmVyc3VzIGdvaW5nIGluIHRvIHRoZSB0b3AtbGV2ZWwgb2YgdGhlIEpXVCBjbGFpbSBzZXQu IEJvdGggbG9jYXRpb25zIGhhdmUgYSAiTVVTVCBpZ25vcmUiIHBvbGljeSBmb3IgdW5yZWNvZ25p emVkIG1lbWJlcnMuDQoNCg0KICAgIihJbiBzb21lIGFwcGxpY2F0aW9ucywgdGhlIHN1YmplY3Qg aWRlbnRpZmllciB3aWxsIGJlIHJlbGF0aXZlDQogICB0byB0aGUgaXNzdWVyIGlkZW50aWZpZWQg YnkgdGhlICJpc3MiIChpc3N1ZXIpIGNsYWltLikiDQoNClRoaXMgaXNu4oCZdCB2ZXJ5IGhlbHBm dWwgYXMgaXQgZ2l2ZXMgbm8gaGludCBhYm91dCB3aGVuIHRoaXMgaXMgb3IgaXNu4oCZdCB0aGUg Y2FzZS4gSSBndWVzcyB0aGlzIGlzIGp1c3QgcmV3b3JkaW5nIGEgZmxhdyBmcm9tIEpXVC4NCg0K DQpDb3VsZCB0aGUgSldFIGV4YW1wbGUgcGxlYXNlIGluY2x1ZGUgYSAia2lkIj8gVGhlIHJlY2lw aWVudCBuZWVkcyB0byBrbm93IHdoaWNoIGtleSB0byB1c2UgdG8gZGVjcnlwdCB0aGUgbWVzc2Fn ZS4gSldTIHNheXMgd2UgU0hPVUxEIGRvIHRoaXMgW0pXUyDCpzYgMm5kIHBhcmFncmFwaF0uIFtQ LlMuIFdlcmVu4oCZdCB3ZSBnb2luZyB0byBpbmNsdWRlICJraWQiIGlzIGFsbW9zdCBhbGwgdGhl IGV4YW1wbGVzIGluIEpXRT9dDQoNCllvdSBtYXkgYXMgd2VsbCBkcm9wIHRoZSAiY3R5Ijoiandr K2pzb24iIG1lbWJlciBhcyB0aGlzIGlzIGltcGxpZWQgYnkgdGhlIEpPU0UgbWVzc2FnZSBiZWlu ZyB0aGUgdmFsdWUgb2YgYSAiandrIiBtZW1iZXIuDQoNCg0KT3BlbklEIENvbm5lY3QgaGFzIGFs cmVhZHkgZGVmaW5lZCBhICJzdWJfandrIiBmaWVsZCB0aGF0IHBlcmZvcm1zIGEgc2ltaWxhciBy b2xlIHRvICJjbmYiOnsiandrIn0uDQpbaHR0cDovL29wZW5pZC5uZXQvc3BlY3Mvb3BlbmlkLWNv bm5lY3QtY29yZS0xXzAuaHRtbCNTZWxmSXNzdWVkUmVzcG9uc2VdDQoNCg0KUGVyaGFwcyB0aGUg YmlnZ2VzdCBzZWN1cml0eSBjb25zaWRlcmF0aW9uIGlzIG1pc3Npbmc6ICJjbmYiIG1heSBiZSBp Z25vcmVkLiBBIHJlY2lwaWVudCB0aGF0IGRvZXNuJ3QgdW5kZXJzdGFuZGluZyAiY25mIiBpcyBs aWtlbHkgdG8gYWNjZXB0IGEgSldUIGFzIGEgYmVhcmVyIHRva2VuIHdpdGhvdXQgZG9pbmcgYW55 IHByb29mLW9mLXBvc3Nlc3Npb24uDQoNCi0tDQpKYW1lcyBNYW5nZXINCg== From nobody Wed Apr 2 06:44:57 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60B581A0209 for ; Wed, 2 Apr 2014 06:44:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZKRL6WLQ0Pbu for ; Wed, 2 Apr 2014 06:44:49 -0700 (PDT) Received: from mail-qg0-f42.google.com (mail-qg0-f42.google.com [209.85.192.42]) by ietfa.amsl.com (Postfix) with ESMTP id 952AB1A01D9 for ; Wed, 2 Apr 2014 06:44:49 -0700 (PDT) Received: by mail-qg0-f42.google.com with SMTP id q107so214534qgd.1 for ; Wed, 02 Apr 2014 06:44:45 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=B8oxte+Qc7zBuCtdAE+ZOkdiWx94FmSXjtyAJyYWKkk=; b=AlQ9mstfbFpCj7Ffym/DVPI/f/fHPrhJaEy+fP51uhbXjWnQdYoxdeL/ctQ7vtwR9A GaDHPtHbRlEbQIsiScnTwKTvzF2uUsJ5TigLsBg3pEMkYJJ974Vw4pEOrL92efrPfvwd G3q0VrGzFpA77CSDk9tc8BsKOrl3hjcoaNH1625a588/D7bq0jO3bXO0bHbIR2E8lIWO P+hIJRpvwQU8bQ5A5U0Z2j4YbNi5pCb7pFoQvGT21L4QuIbd8ErgodbzNAXYbUcfW8G5 fel3sssd9qwTsAn7cTmsym3xOrTyy23O4YrAW+g88GR/s1z7idiPCrLR6HdSDJqO9lOd Xhqw== X-Gm-Message-State: ALoCoQm6KK4e6y3U9SEpNurmch08QvkKsnatcrD++haPtPJ0Y6SrVbZRYnTX2vGvV1FvIi5Ps0em X-Received: by 10.224.49.67 with SMTP id u3mr628385qaf.63.1396446285408; Wed, 02 Apr 2014 06:44:45 -0700 (PDT) Received: from [107.16.249.57] ([107.16.249.57]) by mx.google.com with ESMTPSA id u59sm2675880qga.8.2014.04.02.06.44.44 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 02 Apr 2014 06:44:44 -0700 (PDT) Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: <255B9BB34FB7D647A506DC292726F6E115446A5608@WSMSG3153V.srv.dir.telstra.com> Date: Wed, 2 Apr 2014 09:44:34 -0400 Content-Transfer-Encoding: quoted-printable Message-Id: <0AEB91A8-B99B-4263-AB26-353F3ED27288@ve7jtb.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E115446A5608@WSMSG3153V.srv.dir.telstra.com> To: "Manger, James" X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/LDBT-u0-e8ckK8mtsLyDWzXuf-0 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 13:44:54 -0000 Thanks for the feedback. inline On Apr 2, 2014, at 1:50 AM, Manger, James = wrote: >> http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00 >=20 >=20 > A new registry for "cnf" members is a bit strange. A JWT Claim Set has = so far been a flat structure, with metadata such expiry date "exp" = alongside claims such as "given_name". This spec starts introducing = structure by wrapping members in a "cnf" (confirmation) object. It is = not clear to me which new things would go in "cnf" versus going in to = the top-level of the JWT claim set. Both locations have a "MUST ignore" = policy for unrecognized members. This is the first draft so this needs to be fleshed out. The idea is to = have a single object that contains what in SAML would be the subject = confirmation information. I expect hat the protocols using this are = going to determine what claims need to go in cnf. =20 As an example for bearer tokens there might be an expirey time for = presentment that is separate from the tokens lifetime as represented by = "exp" at the top level. This may not be a great example as people in general don't understand = the difference between the two exp in SAML:) =20 But in general cnf contains claims that are required to confirm that the = presenter is the subject/issuer or a designated agent. >=20 >=20 > "(In some applications, the subject identifier will be relative > to the issuer identified by the "iss" (issuer) claim.)" >=20 > This isn=92t very helpful as it gives no hint about when this is or = isn=92t the case. I guess this is just rewording a flaw from JWT. This is one thing we have been wrangling over the wording of. In the simple case where there is a "sub" then the key represents the = proof key of the presenter or a authorized agent on there behalf. There are some slippery bits even in that as it is the recipient that is = trusting the issuer to put in the correct cnf information. Especially in = cases where there may be multiple hops the key may be that of a RS that = the user has no direct trust relationship with. In the case where there is no subject, I tend to think of the JWT as = having a implicit subject that is the issuer as that is really the only = thing the claims could be about in the absence of a explicit subject. A JWT without a subject could have a claim about a user that is logged = into me but the me is the issuer. So as in the case of there being no explicit subject the cnf is of the = iss or a agent it has designated. In principal if a intermediary receives the token and sends it to a STS = like service the resulting JWT would then have the STS as the iss and = the original iss as the sub. Though that is outside of this spec. Trying to come up with a simple explanation without dragging a bunch of = other stuff in to the spec is not easy. Perhaps something more like the cnf must evaluate to true for the = presenter of the JWT otherwise the token is not being presented by a = party authorized by the issuer, given that the recipient's primary trust = relationship is with the issuer. Trying to say who the presenter is may just be too confusing at this = level. Thoughts and wording input appreciated. >=20 >=20 > Could the JWE example please include a "kid"? The recipient needs to = know which key to use to decrypt the message. JWS says we SHOULD do this = [JWS =A76 2nd paragraph]. [P.S. Weren=92t we going to include "kid" is = almost all the examples in JWE?] Yes it should include a "kid" >=20 > You may as well drop the "cty":"jwk+json" member as this is implied by = the JOSE message being the value of a "jwk" member. >=20 It may be useful to libraries processing the JWE. >=20 > OpenID Connect has already defined a "sub_jwk" field that performs a = similar role to "cnf":{"jwk"}. > = [http://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedResponse] As you have pointed out connect self Issued needs an errata to address a = problem anyway. They are similar though the self issued case is more like a JWT that = would be used as a proof mechanism rather than as a pop token itself. Perhaps there is a case where the iss is using it's signing key for = signing the token and via tls channel binding for presentment as an = example.=20 The connect case doesn't require a presentment proof so is a bit = different. =20 I take your point and will think about it a bit more. >=20 >=20 > Perhaps the biggest security consideration is missing: "cnf" may be = ignored. A recipient that doesn't understanding "cnf" is likely to = accept a JWT as a bearer token without doing any proof-of-possession. >=20 I think the protocol using the JWT would likely be where the requirement = would be enforced along with the presentment mechanism. John B. > -- > James Manger > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Wed Apr 2 07:27:51 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 978BC1A022C for ; Wed, 2 Apr 2014 07:27:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.209 X-Spam-Level: X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PrbV90ITu6Oz for ; Wed, 2 Apr 2014 07:27:45 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 8345A1A01E6 for ; Wed, 2 Apr 2014 07:27:45 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 307981F062E; Wed, 2 Apr 2014 10:27:41 -0400 (EDT) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 1E72B1F061F; Wed, 2 Apr 2014 10:27:41 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.3.174.1; Wed, 2 Apr 2014 10:27:40 -0400 Message-ID: <533C1E4F.30205@mitre.org> Date: Wed, 2 Apr 2014 10:27:27 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Prabath Siriwardena , "oauth@ietf.org WG" References: In-Reply-To: Content-Type: multipart/alternative; boundary="------------020305010706020301090804" X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/UTGQnBf2GXpyyG-9roSLVG4JwUk Subject: Re: [OAUTH-WG] A possible typo in introspection spec X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 14:27:49 -0000 --------------020305010706020301090804 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit Thanks, that is in fact a typo. I've got an issue for this: https://github.com/jricher/oauth-spec/issues/75 I just haven't edited/updated the introspection draft in a while. -- Justin On 04/01/2014 10:57 PM, Prabath Siriwardena wrote: > https://tools.ietf.org/html/draft-richer-oauth-introspection-04 > > token_type_hint OPTIONAL. A hint about the type of the > token submitted for *revocation*. > > I guess *revocation* should be corrected as *introspection* ? > > Thanks & Regards, > Prabath > > Twitter : @prabath > LinkedIn : http://www.linkedin.com/in/prabathsiriwardena > > Mobile : +94 71 809 6732 > > http://blog.facilelogin.com > http://blog.api-security.org > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------020305010706020301090804 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Thanks, that is in fact a typo. I've got an issue for this:

https://github.com/jricher/oauth-spec/issues/75

I just haven't edited/updated the introspection draft in a while.

 -- Justin

On 04/01/2014 10:57 PM, Prabath Siriwardena wrote:
https://tools.ietf.org/html/draft-richer-oauth-introspection-04

token_type_hint  OPTIONAL.  A hint about the type of the token submitted for revocation.

I guess revocation should be corrected as introspection ?

Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://blog.api-security.org


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------020305010706020301090804-- From nobody Wed Apr 2 10:48:09 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A5621A02E5 for ; Wed, 2 Apr 2014 10:48:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THabGjKM2Ctv for ; Wed, 2 Apr 2014 10:48:00 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0140.outbound.protection.outlook.com [207.46.163.140]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD321A02D4 for ; Wed, 2 Apr 2014 10:48:00 -0700 (PDT) Received: from BY2PR03CA034.namprd03.prod.outlook.com (10.242.234.155) by BY2PR03MB175.namprd03.prod.outlook.com (10.242.36.148) with Microsoft SMTP Server (TLS) id 15.0.898.11; Wed, 2 Apr 2014 17:47:53 +0000 Received: from BN1AFFO11FD024.protection.gbl (2a01:111:f400:7c10::140) by BY2PR03CA034.outlook.office365.com (2a01:111:e400:2c2c::27) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Wed, 2 Apr 2014 17:47:53 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD024.mail.protection.outlook.com (10.58.52.84) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Wed, 2 Apr 2014 17:47:52 +0000 Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (157.54.79.193) by TK5EX14MLTC102.redmond.corp.microsoft.com (157.54.79.180) with Microsoft SMTP Server (TLS) id 14.3.174.2; Wed, 2 Apr 2014 17:47:15 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0174.002; Wed, 2 Apr 2014 17:47:14 +0000 From: Mike Jones To: John Bradley , "Manger, James" Thread-Topic: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) Thread-Index: AQHPTnnAeMPKUegAs06Cn/74D6P3OJr+lJ2g Date: Wed, 2 Apr 2014 17:47:13 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A13406F@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E115446A5608@WSMSG3153V.srv.dir.telstra.com> <0AEB91A8-B99B-4263-AB26-353F3ED27288@ve7jtb.com> In-Reply-To: <0AEB91A8-B99B-4263-AB26-353F3ED27288@ve7jtb.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.76] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A13406FTK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(100?= =?us-ascii?Q?09001)(438001)(51704005)(24454002)(377454003)(51914003)(1890?= =?us-ascii?Q?02)(199002)(13464003)(2656002)(90146001)(77982001)(74502001)?= =?us-ascii?Q?(15395725003)(87266001)(85306002)(97736001)(19300405004)(568?= =?us-ascii?Q?16005)(95666003)(87936001)(80022001)(79102001)(80976001)(477?= =?us-ascii?Q?36001)(85852003)(81816001)(20776003)(512934002)(16236675002)?= =?us-ascii?Q?(66066001)(98676001)(31966008)(97186001)(74662001)(99396002)?= =?us-ascii?Q?(63696002)(16796002)(15975445006)(4396001)(15202345003)(9256?= =?us-ascii?Q?6001)(94946001)(47976001)(59766001)(85806002)(83072002)(8432?= =?us-ascii?Q?6002)(65816001)(83322001)(50986001)(81342001)(74706001)(4497?= =?us-ascii?Q?6005)(53806001)(19580405001)(95416001)(54316002)(86362001)(8?= =?us-ascii?Q?1686001)(19580395003)(71186001)(2009001)(49866001)(6806004)(?= =?us-ascii?Q?81542001)(86612001)(92726001)(97336001)(51856001)(93516002)(?= =?us-ascii?Q?94316002)(56776001)(84676001)(76482001)(76796001)(46102001)(?= =?us-ascii?Q?76786001)(54356001)(47446002)(33656001)(93136001)(69226001)(?= =?us-ascii?Q?74876001)(74366001)(77096001);DIR:OUT;SFP:1101;SCL:1;SRVR:BY?= =?us-ascii?Q?2PR03MB175;H:mail.microsoft.com;FPR:CE5CF1D5.A2F27145.BDF3B1?= =?us-ascii?Q?8B.5EE8C940.20668;MLV:sfv;PTR:InfoDomainNonexistent;MX:1;A:1?= =?us-ascii?Q?;LANG:en;?= X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0169092318 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/no1cxpl713sxOJhGHn5RIadqCHc Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 17:48:06 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A13406FTK5EX14MBXC286r_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Thanks for the comments, James. Comments inline marked with "Mike>". -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley Sent: Wednesday, April 02, 2014 6:45 AM To: Manger, James Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (= JWTs) Thanks for the feedback. inline On Apr 2, 2014, at 1:50 AM, Manger, James > wrote: >> http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00 > > > A new registry for "cnf" members is a bit strange. A JWT Claim Set has so= far been a flat structure, with metadata such expiry date "exp" alongside = claims such as "given_name". This spec starts introducing structure by wrap= ping members in a "cnf" (confirmation) object. It is not clear to me which = new things would go in "cnf" versus going in to the top-level of the JWT cl= aim set. Both locations have a "MUST ignore" policy for unrecognized member= s. This is the first draft so this needs to be fleshed out. The idea is to ha= ve a single object that contains what in SAML would be the subject confirma= tion information. I expect hat the protocols using this are going to dete= rmine what claims need to go in cnf. As an example for bearer tokens there might be an expirey time for presentm= ent that is separate from the tokens lifetime as represented by "exp" at th= e top level. This may not be a great example as people in general don't understand the d= ifference between the two exp in SAML:) But in general cnf contains claims that are required to confirm that the pr= esenter is the subject/issuer or a designated agent. Mike> Another possible example is that a "kid" (Key ID) value might be use= d in the "cnf" (confirmation) object, rather than including the key directl= y. This actually matches the SAML construct in which the SubjectConfirmati= on element contains a KeyInfo element that contains a KeyName element, rath= er than the key value. In this case, you need the "kid" to be within the "= cnf" object to distinguish it from the "kid" referring to the signing key. > > > "(In some applications, the subject identifier will be relative > to the issuer identified by the "iss" (issuer) claim.)" > > This isn't very helpful as it gives no hint about when this is or isn't t= he case. I guess this is just rewording a flaw from JWT. This is one thing we have been wrangling over the wording of. In the simple case where there is a "sub" then the key represents the proof= key of the presenter or a authorized agent on there behalf. There are some slippery bits even in that as it is the recipient that is tr= usting the issuer to put in the correct cnf information. Especially in case= s where there may be multiple hops the key may be that of a RS that the use= r has no direct trust relationship with. In the case where there is no subject, I tend to think of the JWT as having= a implicit subject that is the issuer as that is really the only thing the= claims could be about in the absence of a explicit subject. A JWT without a subject could have a claim about a user that is logged into= me but the me is the issuer. So as in the case of there being no explicit subject the cnf is of the iss = or a agent it has designated. In principal if a intermediary receives the token and sends it to a STS lik= e service the resulting JWT would then have the STS as the iss and the orig= inal iss as the sub. Though that is outside of this spec. Trying to come up with a simple explanation without dragging a bunch of oth= er stuff in to the spec is not easy. Perhaps something more like the cnf must evaluate to true for the presenter= of the JWT otherwise the token is not being presented by a party authorize= d by the issuer, given that the recipient's primary trust relationship is w= ith the issuer. Trying to say who the presenter is may just be too confusing at this level. Thoughts and wording input appreciated. Mike> I agree with John that it's up to applications using this spec to say= who the presenter is - just like it's up to applications using JWT to spec= ify what the values of the "iss" and "sub" fields are for that application,= and which of them are required. That said, suggestions on how to make thi= s clearer would of course be welcomed. > > > Could the JWE example please include a "kid"? The recipient needs to know= which key to use to decrypt the message. JWS says we SHOULD do this [JWS = =A76 2nd paragraph]. [P.S. Weren't we going to include "kid" is almost all = the examples in JWE?] Yes it should include a "kid" Mike> You mean adding a "kid" to the JWE Header? Yes, I can do that in the= next revision. (No "kid" is needed in the proof-of-possession key because= it's passed by value, so there's no ambiguity what the key is.) > > You may as well drop the "cty":"jwk+json" member as this is implied by th= e JOSE message being the value of a "jwk" member. > It may be useful to libraries processing the JWE. Mike> I agree with James that, in context, it's already known that the cont= ent type of the JWE Plaintext is a JWK, and so this can be dropped (which i= s allowed in the JWK spec). > > OpenID Connect has already defined a "sub_jwk" field that performs a simi= lar role to "cnf":{"jwk"}. > [http://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedResponse] As you have pointed out connect self Issued needs an errata to address a pr= oblem anyway. They are similar though the self issued case is more like a JWT that would = be used as a proof mechanism rather than as a pop token itself. Perhaps there is a case where the iss is using it's signing key for signing= the token and via tls channel binding for presentment as an example. The connect case doesn't require a presentment proof so is a bit different. I take your point and will think about it a bit more. > > > Perhaps the biggest security consideration is missing: "cnf" may be ignor= ed. A recipient that doesn't understanding "cnf" is likely to accept a JWT = as a bearer token without doing any proof-of-possession. > I think the protocol using the JWT would likely be where the requirement wo= uld be enforced along with the presentment mechanism. Mike> I agree with John here. I can easily imagine use cases in which it'= s up to the recipient how often to check possession. For instance, it migh= t decide to incur the additional overhead only if possession hadn't been ch= ecked for longer than a certain time threshold. We don't want to preclude = those use cases. -- Mike John B. > -- > James Manger > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_4E1F6AAD24975D4BA5B16804296739439A13406FTK5EX14MBXC286r_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

Thanks for the comm= ents, James.  Comments inline marked with "Mike>".

 

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Wednesday, April 02, 2014 6:45 AM
To: Manger, James
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (= JWTs)

 

Thanks for the feedback.

 

inline

On Apr 2, 2014, at 1:50 AM, Manger, James <James.H.Manger@team.telstra.com> w= rote:

 

>> http://tools.ietf.org= /html/draft-jones-oauth-proof-of-possession-00

>

>

> A new registry for "cnf" members i= s a bit strange. A JWT Claim Set has so far been a flat structure, with met= adata such expiry date "exp" alongside claims such as "given= _name". This spec starts introducing structure by wrapping members in a "cnf" (confirmation) object. It is not clear to me which ne= w things would go in "cnf" versus going in to the top-level of th= e JWT claim set. Both locations have a "MUST ignore" policy for u= nrecognized members.

 

This is the first draft so this needs to be flesh= ed out.  The idea is to have a single object that contains what in SAM= L would be the subject confirmation information.   I expect hat t= he protocols using this are going to determine what claims need to go in cnf.  

 

As an example for bearer tokens there might be an= expirey time for presentment that is separate from the tokens lifetime as = represented by "exp" at the top level.

This may not be a great example as people in gene= ral don't understand the difference between the two exp in SAML:) &nbs= p;

 

But in general cnf contains claims that are requi= red to confirm that the presenter is the subject/issuer or a designated age= nt.

 

Mike>  Anot= her possible example is that a “kid” (Key ID) value might be us= ed in the “cnf” (confirmation) object, rather than including th= e key directly.  This actually matches the SAML construct in which the SubjectConfirmation element contains a KeyInfo element that contains a Key= Name element, rather than the key value.  In this case, you need the &= #8220;kid” to be within the “cnf” object to distinguish i= t from the “kid” referring to the signing key.

 

>

>

>   "(In some applications, the= subject identifier will be relative

>   to the issuer identified by the = "iss" (issuer) claim.)"

>

> This isn’t very helpful as it gives no= hint about when this is or isn’t the case. I guess this is just rewo= rding a flaw from JWT.

 

This is one thing we have been wrangling over the= wording of.

 

In the simple case where there is a "sub&quo= t; then the key represents the proof key of the presenter or a authorized a= gent on there behalf.

 

There are some slippery bits even in that as it i= s the recipient that is trusting the issuer to put in the correct cnf infor= mation. Especially in cases where there may be multiple hops the key may be= that of a RS that the user has no direct trust relationship with.

 

In the case where there is no subject, I tend to = think of the JWT as having a implicit subject that is the issuer as that is= really the only thing the claims could be about in the absence of a explic= it subject.

A JWT without a subject could have a claim about = a user that is logged into me but the me is the issuer.

 

So as in the case of there being no explicit subj= ect the cnf is of the iss or a agent it has designated.

 

In principal if a intermediary receives the token= and sends it to a STS like service the resulting JWT would then have the S= TS as the iss and the original iss as the sub.  Though that is outside= of this spec.

 

Trying to come up with a simple explanation witho= ut dragging a bunch of other stuff in to the spec is not easy.

 

Perhaps something more like the cnf must evaluate= to true for the presenter of the JWT otherwise the token is not being pres= ented by a party authorized by the issuer, given that the recipient's prima= ry trust relationship is with the issuer.

 

Trying to say who the presenter is may just be to= o confusing at this level.

 

Thoughts and wording input appreciated.

 

Mike> I agree wi= th John that it’s up to applications using this spec to say who the p= resenter is – just like it’s up to applications using JWT to sp= ecify what the values of the “iss” and “sub” fields= are for that application, and which of them are required.  That said, suggest= ions on how to make this clearer would of course be welcomed.

 

>

>

> Could the JWE example please include a "= ;kid"? The recipient needs to know which key to use to decrypt the mes= sage. JWS says we SHOULD do this [JWS =A76 2nd paragraph]. [P.S. Weren̵= 7;t we going to include "kid" is almost all the examples in JWE?]

 

Yes it should include a "kid"

 

Mike> You mean a= dding a “kid” to the JWE Header?  Yes, I can do that in th= e next revision.  (No “kid” is needed in the proof-of-poss= ession key because it’s passed by value, so there’s no ambiguit= y what the key is.)

 

>

> You may as well drop the "cty":&qu= ot;jwk+json" member as this is implied by the JOSE message being t= he value of a "jwk" member.

>

It may be useful to libraries processing the JWE.=

 

Mike> I agree wi= th James that, in context, it’s already known that the content type o= f the JWE Plaintext is a JWK, and so this can be dropped (which is allowed = in the JWK spec).

 

>

> OpenID Connect has already defined a "s= ub_jwk" field that performs a similar role to "cnf":{"j= wk"}.

> [http://openid.net/specs/openid-connect-core= -1_0.html#SelfIssuedResponse]

 

As you have pointed out connect self Issued needs= an errata to address a problem anyway.

 

They are similar though the self issued case is m= ore like a JWT that would be used as a proof mechanism rather than as a pop= token itself.

 

Perhaps there is a case where the iss is using it= 's signing key for signing the token and via tls channel binding for presen= tment as an example.

 

The connect case doesn't require a presentment pr= oof so is a bit different.   

 

I take your point and will think about it a bit m= ore.

 

>

>

> Perhaps the biggest security consideration i= s missing: "cnf" may be ignored. A recipient that doesn't underst= anding "cnf" is likely to accept a JWT as a bearer token without = doing any proof-of-possession.

>

 

I think the protocol using the JWT would likely b= e where the requirement would be enforced along with the presentment mechan= ism.

 

Mike>  I ag= ree with John here.  I can easily imagine use cases in which it’= s up to the recipient how often to check possession.  For instance, it= might decide to incur the additional overhead only if possession hadn’t been checked for longer than a certain time threshold.  = We don’t want to preclude those use cases.

 

   &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;          -- Mike

 

John B.

 

> --

> James Manger

> ____________________________________________= ___

> OAuth mailing list

> OAuth@ietf.org<= /o:p>

> https://w= ww.ietf.org/mailman/listinfo/oauth

 

_______________________________________________

OAuth mailing list

OAuth@ietf.org=

https://www.ie= tf.org/mailman/listinfo/oauth

--_000_4E1F6AAD24975D4BA5B16804296739439A13406FTK5EX14MBXC286r_-- From nobody Wed Apr 2 13:37:54 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1851A03D7 for ; Wed, 2 Apr 2014 13:37:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.7 X-Spam-Level: X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WZzIXyp5AGPk for ; Wed, 2 Apr 2014 13:37:45 -0700 (PDT) Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) by ietfa.amsl.com (Postfix) with ESMTP id 0E6581A03D2 for ; Wed, 2 Apr 2014 13:37:44 -0700 (PDT) Received: by mail-qg0-f49.google.com with SMTP id e89so776618qgf.8 for ; Wed, 02 Apr 2014 13:37:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=fRD7YYGjqU8eSAbRPCc3hQawpPlqlnNOnRXBC3niEB8=; b=N32FPparfhvi3EiCw7dvLmwR451h6nOGJoT0YgWiERO+ZwpGLQYnChLOF3uEtKgpNS 4ejYisi0D540yK6tI4qiOhjJvieFk8oRk21eSwgLMowlK6v7VgYFsKyZXCKSgtJzP+Hq 18eYyOjBvHhL3YP72x1PWrU9ICLteMfpULX85p6mL3rMmJmjd5hZVb/yH6M/YdIX28ZG uP6d1zXPQ0Y5r8sWs/bBQocGluNWxqblcllmN6icYOqN78uOTiJG+icXr6q4oZcTF/BK Zzkmo9NAcoN4AImet1FAVVqi3sshbrJtKpWO97td40Mjsa5Ywr5Gf4wVLmzV0JM3tdPP Qw2g== MIME-Version: 1.0 X-Received: by 10.140.108.138 with SMTP id j10mr2997273qgf.7.1396471060953; Wed, 02 Apr 2014 13:37:40 -0700 (PDT) Received: by 10.96.36.229 with HTTP; Wed, 2 Apr 2014 13:37:40 -0700 (PDT) Date: Wed, 2 Apr 2014 13:37:40 -0700 Message-ID: From: =?ISO-8859-1?Q?Andr=E9_DeMarre?= To: OAuth WG Content-Type: text/plain; charset=ISO-8859-1 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/H6KqOc5A--xXJ5MHwpfGDOuA32c Subject: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 20:37:51 -0000 We have a mobile app which operates as an OAuth 2.0 public client (w/client credentials). It uses the resource owner password credentials grant type for authorized communication with our resource servers. We are working on a software update and want to change the registered client_id and client_secret for the new app version (register a new client at the auth server). The problem is that after the app updates on users' devices, it will inherit the app data of the previous version, including the access and refresh tokens. Since the token scope issued to the new client might be different, we know that we want the new app version to discard the previous version's access tokens. But what about the refresh token? Technically, the new version of the app will be a different client, but the core OAuth spec section 6 says "the refresh token is bound to the client to which it was issued." So what should we do? We can program the app to discard the previous version's refresh token, but that would inconvenience our users to re-enter their password after the software update. I'm tempted to allow the new client to use the refresh token issued to the previous client, but that violates the spec. Does the OAuth community have any insight here? Thank you. Kind Regards, Andre DeMarre From nobody Wed Apr 2 14:38:46 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 860FF1A03EA for ; Wed, 2 Apr 2014 14:38:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.378 X-Spam-Level: X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HyVFFla98cFM for ; Wed, 2 Apr 2014 14:38:40 -0700 (PDT) Received: from mail-ob0-x230.google.com (mail-ob0-x230.google.com [IPv6:2607:f8b0:4003:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id 353741A03E8 for ; Wed, 2 Apr 2014 14:38:40 -0700 (PDT) Received: by mail-ob0-f176.google.com with SMTP id wp18so984905obc.7 for ; Wed, 02 Apr 2014 14:38:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:date:message-id:subject:from:to:content-type; bh=W9jVSjLBZJAGmqRIsRV8WzrAkfWRljeIgnlM+yMMfuY=; b=IXA/efVdnD6ILROUWm95rTm+on4xnmIXGrvCO8b03JCyF0dwl0QOHB+aNSdi4FmSFe 9PleuqcJQ9gDbHA89cJNKC20D8Wme/OyAo/K7TJgp/dFcTwDcAh33fnBClOtlOT3lk0k 2A2IcpFt6VFnBL3kDOEq1vxGYWQMs7+cww9FM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=W9jVSjLBZJAGmqRIsRV8WzrAkfWRljeIgnlM+yMMfuY=; b=jTVAozHHyF7aOdZxO5v+YZgRkLOx4vj5edIKEydG7ivFtOFj9e5I0jv7BxTsiHeaDQ cg0L3nwgH1cZDj10sMKFNSAAcE3w71DFBTvzcKyFMJDpdbh7nKJCtVUIJPbncFUt2oGs kJhQB+FOyLuEup2sdN+wQwXdTq42XVUbulsICqEKba01JbPwS6rKsFacvfxk9wh6fm5N GeR+owXrYtlUwpKshi6Z4+RyJFqqU/TXyleO4WOjsW1vfk4G9zK7X5SmiONQ0DlhWrpN 0k/eu1M47+vq8nD1WKEgAa/1QdXtINtUCUCQfA6tY/KkEwYkDPCUxz5yI6bvVnfImpAo Abww== X-Gm-Message-State: ALoCoQkjd6BTlDg+1GUz4yU9tdTNKDKI9BvqLFS3YjXYKb+yzi3Ab5bpgRK2Lm6gMTPSPWuCzdZK MIME-Version: 1.0 X-Received: by 10.182.230.135 with SMTP id sy7mr2145165obc.24.1396474715722; Wed, 02 Apr 2014 14:38:35 -0700 (PDT) Received: by 10.60.54.99 with HTTP; Wed, 2 Apr 2014 14:38:35 -0700 (PDT) Date: Thu, 3 Apr 2014 03:08:35 +0530 Message-ID: From: Prabath Siriwardena To: "oauth@ietf.org WG" Content-Type: multipart/alternative; boundary=001a11c336765fa07004f6161b8c Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/w0A86bfZTv09cJkpl4hS9Sw6-bU Subject: [OAUTH-WG] Chain Grant Type for OAuth2 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 21:38:44 -0000 --001a11c336765fa07004f6161b8c Content-Type: text/plain; charset=ISO-8859-1 Is the $subject still active...? http://tools.ietf.org/html/draft-hunt-oauth-chain-01 I guess it would be more meaningful to add an "audience" parameter to the chained token request.. WDYT..? Thanks & Regards, Prabath Twitter : @prabath LinkedIn : http://www.linkedin.com/in/prabathsiriwardena Mobile : +94 71 809 6732 http://blog.facilelogin.com http://blog.api-security.org --001a11c336765fa07004f6161b8c Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Is the $subject still active...?


I guess i= t would be more meaningful to add an "audience" parameter to the = chained token request..

WDYT..?

Thanks & Regards,=
Prabath

Twitter : @prabath
LinkedIn :=A0h= ttp://www.linkedin.com/in/prabathsiriwardena

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://blog.api-security.org
--001a11c336765fa07004f6161b8c-- From nobody Wed Apr 2 15:51:50 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB62C1A03F3 for ; Wed, 2 Apr 2014 15:51:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.911 X-Spam-Level: X-Spam-Status: No, score=-3.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MBmCPUGaXM6m for ; Wed, 2 Apr 2014 15:51:44 -0700 (PDT) Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 183391A040D for ; Wed, 2 Apr 2014 15:51:44 -0700 (PDT) Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s32MpckH026037 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 2 Apr 2014 22:51:38 GMT Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s32Mpbj1002447 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 2 Apr 2014 22:51:38 GMT Received: from abhmp0020.oracle.com (abhmp0020.oracle.com [141.146.116.26]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id s32Mpbqa018783; Wed, 2 Apr 2014 22:51:37 GMT Received: from [192.168.1.186] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 02 Apr 2014 15:51:36 -0700 Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: Phil Hunt In-Reply-To: Date: Wed, 2 Apr 2014 15:51:35 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: <1783183C-08FF-46C8-97D1-96BDA0115B2C@oracle.com> References: To: =?windows-1252?Q?Andr=E9_DeMarre?= X-Mailer: Apple Mail (2.1874) X-Source-IP: acsinet22.oracle.com [141.146.126.238] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/x9HRUjFcpBSfcFb7IuHPYML4aKU Cc: OAuth WG Subject: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2014 22:51:48 -0000 I don=92t see a strong reason to standardize behaviour here. But it = seems like a change in scope after a client upgrade is a good reason to = expire existing tokens and re-authorize as well as simply expire tokens. Some may choose to be very conservative and always expire tokens on any = client update. But I think that unless there is a critical security due = to the nature of the client and/or server, there is no reason to assume = it is necessary beyond =93good practice=94. One good reason for expiring tokens is that you are forcing the client = to re-confirm it has the new client credential and it is still valid. If you revoke tokens and refresh tokens, your authorization and = authentication system might inspect browser cookies that hold the = previous SSO state and/or previous authorization state. Thus you could = avoid re-authenticating the user and simply ask about the new scopes. Phil @independentid www.independentid.com phil.hunt@oracle.com On Apr 2, 2014, at 1:37 PM, Andr=E9 DeMarre = wrote: > We have a mobile app which operates as an OAuth 2.0 public client > (w/client credentials). It uses the resource owner password > credentials grant type for authorized communication with our resource > servers. >=20 > We are working on a software update and want to change the registered > client_id and client_secret for the new app version (register a new > client at the auth server). The problem is that after the app updates > on users' devices, it will inherit the app data of the previous > version, including the access and refresh tokens. >=20 > Since the token scope issued to the new client might be different, we > know that we want the new app version to discard the previous > version's access tokens. But what about the refresh token? > Technically, the new version of the app will be a different client, > but the core OAuth spec section 6 says "the refresh token is bound to > the client to which it was issued." So what should we do? >=20 > We can program the app to discard the previous version's refresh > token, but that would inconvenience our users to re-enter their > password after the software update. >=20 > I'm tempted to allow the new client to use the refresh token issued to > the previous client, but that violates the spec. >=20 > Does the OAuth community have any insight here? Thank you. >=20 > Kind Regards, > Andre DeMarre >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Thu Apr 3 01:42:01 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71BA81A0117 for ; Thu, 3 Apr 2014 01:42:00 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.91 X-Spam-Level: X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKT8lwuhOFjJ for ; Thu, 3 Apr 2014 01:41:56 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id EF6DC1A0116 for ; Thu, 3 Apr 2014 01:41:55 -0700 (PDT) Received: from [192.168.131.138] ([80.92.119.215]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0Lu8Ri-1XDJQ91atC-011Vzd for ; Thu, 03 Apr 2014 10:41:51 +0200 Message-ID: <533D1E8D.5000401@gmx.net> Date: Thu, 03 Apr 2014 10:40:45 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="iObiTrcQbgaGCgGNDvp0fKn3vVcCmMhwv" X-Provags-ID: V03:K0:qTBLWm1MKyOZih1+ALcRWQ3tb0pnVp56ZdJq2yznquidANvfXCz gDt+lhm9+wm0H5xGrQnJ2P62vohvlXf543sv3br1cMsRH4vFu0baMJEXvyGQ6uY4PeKhZTT PcJdu/ZkoucXABW7r/OIPSE13jECFOlf5efuyMsL+bU9Jus8GFpSm9HJdhcmyJKFPEE7rWN GCSAnH1g79jhkHDdvBQIw== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/sGtAsXbOIF8_1lKY9YVCkKLkaCc Subject: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Document X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 08:42:00 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --iObiTrcQbgaGCgGNDvp0fKn3vVcCmMhwv Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, as discussed during the last IETF meeting we are re-factoring our documents on proof-of-possession. (As a reminder, here is the presentation I have during the OAuth meeting: http://www.ietf.org/proceedings/89/slides/slides-89-oauth-0.pptx)* Mike had already posted draft-jones-oauth-proof-of-possession-00 and now I have added the architecture document, which provides an overview of the different pieces. Here is the document for you to look at: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00 Ciao Hannes --iObiTrcQbgaGCgGNDvp0fKn3vVcCmMhwv Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTPR6NAAoJEGhJURNOOiAtTUUH+wdW/PzZ9jqNCdHgzQP4eDJG 0kf3hOoIKUR8pQLUf0vPUdcMKeyjtpKxEA71JyYZCokt/kdgYhZiQ8qZOiSBawB5 LmiDQJicNhkPIPjK9JSQGAe8uemMYRTH94UMUV0NBKzsj/I+eXXDs2A7Ne+LUdjJ m2fdedQ9zsneK0+NYY2KfvKcmxaXwBq8UZSiKjWxCfUKccvdFWIsIrmLdEkxjZZm sr1xU+C/ZosflnVsW6IUD8uh1gIoxo9hMGxR8NZTUDCLodXyI2bQi8KXsny72Z1V Z0maNV0zfJUFHAaIMIJqghAQLgLdMRh0hVaXWIELlFe0ypdIFoh1tU0Mz+r7zHs= =sitQ -----END PGP SIGNATURE----- --iObiTrcQbgaGCgGNDvp0fKn3vVcCmMhwv-- From nobody Thu Apr 3 03:13:45 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EAF61A0134 for ; Thu, 3 Apr 2014 03:13:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.552 X-Spam-Level: X-Spam-Status: No, score=-1.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hAEjCR8TaLqf for ; Thu, 3 Apr 2014 03:13:40 -0700 (PDT) Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.36]) by ietfa.amsl.com (Postfix) with ESMTP id 17DBF1A011C for ; Thu, 3 Apr 2014 03:13:39 -0700 (PDT) Received: from [88.128.80.2] (helo=[10.53.168.21]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from ) id 1WVeeD-0005UO-Aq; Thu, 03 Apr 2014 12:13:25 +0200 References: <1783183C-08FF-46C8-97D1-96BDA0115B2C@oracle.com> Mime-Version: 1.0 (1.0) In-Reply-To: <1783183C-08FF-46C8-97D1-96BDA0115B2C@oracle.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Message-Id: <4FDD0389-40AB-421F-BB3C-62DE0E47297E@lodderstedt.net> X-Mailer: iPad Mail (11D167) From: Torsten Lodderstedt Date: Thu, 3 Apr 2014 12:13:25 +0200 To: Phil Hunt X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ= Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/A9cdtXgG6Eh_XlFOKnSINDsF5ow Cc: OAuth WG Subject: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 10:13:44 -0000 Hi Andre, I would expect the AS to treat a client with a different client id as anothe= r client. So the new client should not be able to use the "old" refresh toke= ns. Some further questions/remarks: - if you utilize refresh tokens, access tokens should be transient. Right? S= o you don't need to bother - public client means w/o secret - there is no security benefit of having a s= ecret for the type of client you described (see Spec section 10) Regards, Torsten. > Am 03.04.2014 um 00:51 schrieb Phil Hunt : >=20 > I don=E2=80=99t see a strong reason to standardize behaviour here. But it= seems like a change in scope after a client upgrade is a good reason to exp= ire existing tokens and re-authorize as well as simply expire tokens. >=20 > Some may choose to be very conservative and always expire tokens on any cl= ient update. But I think that unless there is a critical security due to the= nature of the client and/or server, there is no reason to assume it is nece= ssary beyond =E2=80=9Cgood practice=E2=80=9D. >=20 > One good reason for expiring tokens is that you are forcing the client to r= e-confirm it has the new client credential and it is still valid. >=20 > If you revoke tokens and refresh tokens, your authorization and authentica= tion system might inspect browser cookies that hold the previous SSO state a= nd/or previous authorization state. Thus you could avoid re-authenticating t= he user and simply ask about the new scopes. >=20 > Phil >=20 > @independentid > www.independentid.com > phil.hunt@oracle.com >=20 >> On Apr 2, 2014, at 1:37 PM, Andr=C3=A9 DeMarre w= rote: >>=20 >> We have a mobile app which operates as an OAuth 2.0 public client >> (w/client credentials). It uses the resource owner password >> credentials grant type for authorized communication with our resource >> servers. >>=20 >> We are working on a software update and want to change the registered >> client_id and client_secret for the new app version (register a new >> client at the auth server). The problem is that after the app updates >> on users' devices, it will inherit the app data of the previous >> version, including the access and refresh tokens. >>=20 >> Since the token scope issued to the new client might be different, we >> know that we want the new app version to discard the previous >> version's access tokens. But what about the refresh token? >> Technically, the new version of the app will be a different client, >> but the core OAuth spec section 6 says "the refresh token is bound to >> the client to which it was issued." So what should we do? >>=20 >> We can program the app to discard the previous version's refresh >> token, but that would inconvenience our users to re-enter their >> password after the software update. >>=20 >> I'm tempted to allow the new client to use the refresh token issued to >> the previous client, but that violates the spec. >>=20 >> Does the OAuth community have any insight here? Thank you. >>=20 >> Kind Regards, >> Andre DeMarre >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Thu Apr 3 06:43:48 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D134C1A0205 for ; Thu, 3 Apr 2014 06:43:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.01 X-Spam-Level: X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z9ZXASKOS9Dw for ; Thu, 3 Apr 2014 06:43:37 -0700 (PDT) Received: from omr-m02.mx.aol.com (omr-m02.mx.aol.com [64.12.143.76]) by ietfa.amsl.com (Postfix) with ESMTP id 784FF1A0204 for ; Thu, 3 Apr 2014 06:43:27 -0700 (PDT) Received: from mtaout-mae01.mx.aol.com (mtaout-mae01.mx.aol.com [172.26.254.141]) by omr-m02.mx.aol.com (Outbound Mail Relay) with ESMTP id 2A5697022B761; Thu, 3 Apr 2014 09:43:23 -0400 (EDT) Received: from [10.172.4.228] (unknown [10.172.4.228]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mae01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id C91D9380000A3; Thu, 3 Apr 2014 09:43:22 -0400 (EDT) Message-ID: <533D657A.2020106@aol.com> Date: Thu, 03 Apr 2014 09:43:22 -0400 From: George Fletcher Organization: AOL LLC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Torsten Lodderstedt , Phil Hunt References: <1783183C-08FF-46C8-97D1-96BDA0115B2C@oracle.com> <4FDD0389-40AB-421F-BB3C-62DE0E47297E@lodderstedt.net> In-Reply-To: <4FDD0389-40AB-421F-BB3C-62DE0E47297E@lodderstedt.net> Content-Type: multipart/alternative; boundary="------------070505040606000308020008" x-aol-global-disposition: G X-AOL-VSS-INFO: 5600.1067/97355 X-AOL-VSS-CODE: clean DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1396532603; bh=3a/DgYsJHHA/QN4/+PT+2x8tdZb/d8GnHdsR1RJbijw=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=Bu41qMPXpCV9oZeRVtVPhrQrrmADFkoiUBkmlnIL7bFVi7AccU+17rlTKFNX/s+cM AwG/5sRV7pOqIMC7wWGjNhhMgfJRlVe+FCkSswYWFZkcLRQ818FyRQEcWVbis/5G4f KkIFQqOSp6+et7+/M5OOxs+81lPTPOt34/kypO8w= x-aol-sid: 3039ac1afe8d533d657a7c42 X-AOL-IP: 10.172.4.228 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Zvg8AAQgjp9D-XrYfTs4NGqOmVI Cc: OAuth WG Subject: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 13:43:43 -0000 This is a multi-part message in MIME format. --------------070505040606000308020008 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hi Torsten, We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind). Andre got me thinking about this and here is what I'm leaning towards implementing in our system. Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token). This allows the AS to do the following checks... 1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything). 2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token 3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced 4. Verify the audience of the JWT If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id. Interested in feedback as to the viability of this. Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure a more secure internet for all of us. Thanks, George On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote: > Hi Andre, > > I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens. > > Some further questions/remarks: > - if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother > - public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10) > > Regards, > Torsten. > >> Am 03.04.2014 um 00:51 schrieb Phil Hunt : >> >> I don’t see a strong reason to standardize behaviour here. But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens. >> >> Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond “good practiceâ€. >> >> One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid. >> >> If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state. Thus you could avoid re-authenticating the user and simply ask about the new scopes. >> >> Phil >> >> @independentid >> www.independentid.com >> phil.hunt@oracle.com >> >>> On Apr 2, 2014, at 1:37 PM, André DeMarre wrote: >>> >>> We have a mobile app which operates as an OAuth 2.0 public client >>> (w/client credentials). It uses the resource owner password >>> credentials grant type for authorized communication with our resource >>> servers. >>> >>> We are working on a software update and want to change the registered >>> client_id and client_secret for the new app version (register a new >>> client at the auth server). The problem is that after the app updates >>> on users' devices, it will inherit the app data of the previous >>> version, including the access and refresh tokens. >>> >>> Since the token scope issued to the new client might be different, we >>> know that we want the new app version to discard the previous >>> version's access tokens. But what about the refresh token? >>> Technically, the new version of the app will be a different client, >>> but the core OAuth spec section 6 says "the refresh token is bound to >>> the client to which it was issued." So what should we do? >>> >>> We can program the app to discard the previous version's refresh >>> token, but that would inconvenience our users to re-enter their >>> password after the software update. >>> >>> I'm tempted to allow the new client to use the refresh token issued to >>> the previous client, but that violates the spec. >>> >>> Does the OAuth community have any insight here? Thank you. >>> >>> Kind Regards, >>> Andre DeMarre >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- George Fletcher --------------070505040606000308020008 Content-Type: multipart/related; boundary="------------040903020604070105030005" --------------040903020604070105030005 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit Hi Torsten,

We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind).

Andre got me thinking about this and here is what I'm leaning towards implementing in our system.

Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token).

This allows the AS to do the following checks...
1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything).
2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token
3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced
4. Verify the audience of the JWT

If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id.

Interested in feedback as to the viability of this.

Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure a more secure internet for all of us.

Thanks,
George
On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote:
Hi Andre,

I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens.

Some further questions/remarks:
- if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother
- public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10)

Regards,
Torsten.


Am 03.04.2014 um 00:51 schrieb Phil Hunt <phil.hunt@oracle.com>:

I don’t see a strong reason to standardize behaviour here.  But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens.

Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond “good practiceâ€.

One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid.

If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state.  Thus you could avoid re-authenticating the user and simply ask about the new scopes.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com


On Apr 2, 2014, at 1:37 PM, André DeMarre <andredemarre@gmail.com> wrote:

We have a mobile app which operates as an OAuth 2.0 public client
(w/client credentials). It uses the resource owner password
credentials grant type for authorized communication with our resource
servers.

We are working on a software update and want to change the registered
client_id and client_secret for the new app version (register a new
client at the auth server). The problem is that after the app updates
on users' devices, it will inherit the app data of the previous
version, including the access and refresh tokens.

Since the token scope issued to the new client might be different, we
know that we want the new app version to discard the previous
version's access tokens. But what about the refresh token?
Technically, the new version of the app will be a different client,
but the core OAuth spec section 6 says "the refresh token is bound to
the client to which it was issued." So what should we do?

We can program the app to discard the previous version's refresh
token, but that would inconvenience our users to re-enter their
password after the software update.

I'm tempted to allow the new client to use the refresh token issued to
the previous client, but that violates the spec.

Does the OAuth community have any insight here? Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
George Fletcher
--------------040903020604070105030005 Content-Type: image/png; name="XeC" Content-Transfer-Encoding: base64 Content-ID: Content-Disposition: inline; filename="XeC" iVBORw0KGgoAAAANSUhEUgAAAWcAAABxEAYAAABZ0L78AAAABmJLR0TIyMjIyMhnRJJpAAAA CXBIWXMAAABIAAAASABGyWs+AACAAElEQVR42uzddYAUV77w/W9VtY67wuDu7u5uQYMEhxAk uBMSLBA0IWgCCa4JDoHB3SHI4AzMMMO49bRWnfePe7mzz+7m2eyGvbn3efvzz9DVVb86p7pO 86tTp05Lly9fvnz5shC4ubm5ubm5ubm5uf0m3bt/1KhRo0aNGn92cdzc3Nzc3Nzc3Nz+Z7ly 5cqVK1dA/rML4ubm5ubm5ubm5va/gTtxdnNzc3Nzc3Nzc/sd3Imzm5ubm5ubm5ub2+/gTpzd 3Nzc3Nzc3Nzcfgd34uzm5ubm5ubm5ub2O+j+aACr1W632f7zhQw40JEEUii7pAYgxkhhkh9o B5zFHWFAjKWodQOI0pauqeXBVvNt0isv0K8L8Pc7BsbcoGuRs8DV0XzEfBGU8VwwHgfpW9LZ AeoSuZj+NUiHc3/O+BKcHa1pWUPAeC74WtQPIMbaYi1J4Pj42aE7s0GskRsoB4B7rpXqYNBe Z6/KWAbqIWmU0hG0XPWhuSBYP8pc4IyF3GHZpTMPQm7RnMjsoZCbZOunZoHF25FuuwSW59b8 2RvBPtA+1doT9M+8N/jZQJroHeKXBpaEjFOZmZCzMpOUHuDqJK2TK4CoSiddVdBmeX4fkB9s B3Nzc4+B4m8qbL4HmZPTPdK/AY/TIXciMkGLV370eglmL88o750gTDw1VgT918bN8kFQv3DV 136BGoNqfViuEdSQKhYLfw5aKddi1z2QNoi2RILwl4LFJZAaYyYIRC4uXABI/8cHqfAfUxLe Q0IGApjABNDNlZYqA+H1tcSHqRvh0MYzHS5vAGHUP3eNgl5Tm8xu2Bick+WlUiRoe8RsPMH3 uec3xnwgL5P85b2gu2bqbj4B0TNPJh1qABn5rDa1HTxJSFpyaRl4vQ2endML7A8TPJRf4WHM m9LP14N0TdfOthmymqbMEFcha2DOWJ8J4H1L96XhLgQv908qcB2K7yqUXXoDWLvZJ+oWQ2p4 UmBuKEQ1Cl0phoJ1vJptmQIFj3jkRlYHv34FPoucCblNrU9TPwc/f4+OgfvhUuOYzw7sAutK tWtKYxgQ0WLgzLng+EHupnwMZbcU/zh0Mzz+7NnX2eXh0JhL0ctnQ5aP1XK9O3i1l0f6+kHy /aSKPt6w4N6UqFWz/uxm7ubm5ubm5vY+vL8eZxmBBmRKJvyA2mjiAkjLxBuhgjRc3JJ9AZt+ q7gIzoepSxObgzHAJ5/XBdD8tY+1qkATXUnzV6C/IKteZ0HzEzHqChAWMdMZCMp1KULUBs57 vfbvDIYvvOMDPwJtiusjx0UgWtTVqoKQXbvsjcHpk+QXuxfUj3M/Su8I6nBnM9unIBZkJmVP BsewzCNpN0C6qDxTZ4NI0F2Xu4Oy1nDXMBQM9U2Z+oXg6fS8bj4M5mPmNR5VwfCxbqL+FSie rjTHJ6B3CsU5HEzrTJf0JUD5QAqTg0De5DrpCgCtorOSrSgondVP7HVBn8gkVxCYeum7aJPB mOph89oA0khHHXs38B7qedQ8BcQBtZyzGQStCekacAY8l/scCTOBzkuv09+Gx8Njcl4eBcs0 S2WbBvKHyjjxK2gDpM+lEJAWsIswEIlSIBYAxF+lzP9BBQRQVApFgFSTOtJGcLYWr1zPIN/s cG+/etDP0r5b00NQ/2CF5DLfQdBPQQQY4dLgG/q7n8HDYc9b36sKWfnTB1r8gBvyYrkzGDox VvoazI2830SMAiVMKWXXQchbv6+sFrApWULvCVX7lNjerhX45UgJRU5C5tHU/YFp4DvUo1pg eSjUPrBbkTXgzHYULSpB1vnsXJ7C/cIvlDt6KLQovI5XGyjsiLCULQ83pzw4nDES3trTt2TM BN1+acTruuC1Q67uXAlvaiQdevo93Cp3v+ZPs0FbaWntXwjCwj0adtoGuubGPrpB4HXaPEoX BUnOpJUZL+HXT5/5Hr8Cmc0y+zyKBlfr7LScHEi7mzAqoxDkjrK9dEX/2c3bzc3Nzc3N7X36 wz3O/8WJhACpkLBJQSAu8UQsBa2udFd8AXIl/TLlHKg7LfHWSsBV+TvDHJDnGdrr5oMySRmq XgZxV+4taoI2UO6nlQYpTKzWjQHhrwmnHqQxzkWWISCV0k/xGATqF2K8ywpa2fgGj6qDlmi/ 7dwG0q/yQt16MJz1HOo/DZyHLOcsySCdcRVU4sDl7+zjnAiuT+0N7J+BGqE0F3XBsEjfUu8B hm1eZu+6IEfZhjtmAor9jq0NeC2UWkmnQDovWyUjqPNdk+2lQP9IvkwAOLbLY7T+YB7jYTbH AOOy81l+BrWSNk2bCWKZzZzdC6RNWpCyApyqxZQ1ATyLGAZ4rgIU7K5PQDtp3ZT2BWCQr+qj wDokR35bHfRLPQ4HB4BvUkAR/9mQeTfdlr4EXox99Vl6EFQ8UbpFqC+4XroGaQD95E9YAGgi VVoCSMgilv9Ikv/PBFrCAGgilqsgHkll+Qmk++JrxQJajtpQmwPWJ9TUXkExW8FR+c2Q0C31 cFIZqNGj3O6iXSCsZ0BqaBLYNPWQ6yxk/JJ1z/EVPBiVWujZD5D2pe2n16Xg9tXYyPsdIeUb S0KKN6j3sxdkp4JPqL7o7XTQp/htcq6HRssKdSxfHVzltIJyApwdfffsExPI23Tfh1QCqTRJ xnhouLVSmcY/Q6X5Bb2rvIGsu5HHEi5C/S9qSd16wv3PY94+fQOPGz2w7HgNzwPtGxyXIOOl PvD5EPCej2qaBdWKlb3QsBr4fxqZ4h8L/q0D/b07QdrSt0Mzx0PKukyj+BqerX38cWIVEA20 o+bJYKuTmZF/LrgSVJ/sBMgoxc3XnwJQ/89u5G5ubm5ubm7vx/tLnGX+IxnzIwsTcFBqynPQ tRAj6AGuYO260wDKKnFW3ADlVpHyxXJA/UosdN4G5ZSzZ+aHIMbr+5t8QX6upYjOIGrJbXR9 QOonxzMHtLicqekKaJdyOyR1BN0+fSWPHLC9UmPFCND6JA+LbwauHOtCWwYwTfpauQFyX6UJ J4D8hrHed0H3QDquLwPee71GK4XB0daxV+oGzkLacLUTuBarRfEGw3qx05gKrj7aQHELNDvB 0lTwKupVRdcb7FnWVVnfgnzducuVAp4llQPyc5Dvmq8aI0EuqKZLJUBaa6/hbAjWvc4WtiLA Fqm30gLsU3L0ljugT9ar2YeBOx7ngsqBsZurV/YQcJ6wv+IZZLqyP0ztBp6VA/unfgH60mFa ySPgPd93k9/P8GD54/j4VlDy68I7gkqA7gudl2gP6hTxiWwEuY7kKX4BcVfkogAKEtr/8QkK nIDAl0LATFFXvAK5qawwEHJic6bYasCVqbcq3eoCCaUzzsTdg5zaOW+0jlD5bYWPS0wBUw+P BkGh8HJpQq/nveA766Efdu4DXVXdodzt4Jqq/yalDxT5NbB3/iS4P/f5fZ8l4NjnKmR9Bd43 EqvfqwgRwf6tS30GGSfszVN9oNC4gBUNVsLrEW9rHp4OH65v5mreC3xS7FsNY6FMVCnPwmsg pnh86mMfeJ0Yvz82HSy3bd9ZesIL69vCx66Aa4NYoESDf1lrSsIlEFusG8O/gFJ1SucvtwqC AoNG+JwFz190mvUxJG6Mv56ig8RtGV+/ioZXckLEs7kQFBt2mV8hc/XzsLS1wCG9XToCmaUy Thk7g3zXp5PnJKA6Y/7sRu7m5ubm5ub2frzfxFkG8RSXeANSWSJJAWFjhhwC8if0lBaAqOzV w7wTpMsc1U8GeaBslRwgPza0iQgEKQC9LgvEHHzZCZJLHBf7QBuXG5e8GHimC/L2A/myx+WA L0H1z+r6eihIFqmaWgcUNaBc+CzQfkiwvMwEramrkToFlHue1pBY4JZJ9bgJIi33W3UiiHLq Z/ISMFilV1oMSBFatpYIUo69oMsCrnzyUOcKUBoo5eV00B3RcpVpIL0UT8Q8EJIySz8cOEMt 0QrM6aKT1hrUBLrKJUHuZX5sugfyAuVbnRfgsoaJ2mBt62qrzgItWdqkfAa2BEuwbQEYTuPK XAfKRt14XoD5meGpuQuk5U9faykMuu95qW2ELKvU2RgJPoHBT6MkyBlqbeO6Aq/1cXLaPCjW ulj/4Iqgpth/UUNBPJMW4Q/YgL/3A+sSoAEqmlQIpL18IdaAOKb1EN+B+YRpidEEzYPrPKm5 Ho42u3DgzgjYfeT82h0H4Rj3lp3pBjVuFB1eagvomkmqrxXyj/AtFBYNZfYUrlVxBSQXzZ37 6gq8kVODf6kJwfX9XzsLg+Oi1NC6HPxrm0eaPwbFO/teZgrEnHo71NUbLJ7W0mduQ5kV+QqE 34O4fWlX7qfCwNNtP+4TAmujt+p/DoGUnrb1jwZA7dgSJTuNgifjX6TefwA5FcRBz2MQOcir r+4K2JpkVfF8DaU8ix6v+gtU+rqAqcRaMP9g1HnmwtvliTXSn8PLEon7bu6BQzduTN57CEIe +uqcZaHBqSJBLWZARJL/hNoWMP5iKiVVh8zX/t0ta+BthdxzcTX/DS22MpWpDEfnHZ13dB7s 9N/pv9MfnjR60uhJI1BXqavUVVDkyyJfFvkS2h9sf7D9Qeic0jmlcwoo1ZXqSvV/Q7nc/q+q Vq1atWrVf367Kc2nNJ/SHLrM6zKvy7y/jXPixIkTJ06An5+fn5/fHy/ns53Pdj7bmfe6YMGC BQsWfP/nzb+7Hm5ubm7/Lu8vcRYIZMAohZACIk48lj4FjjNPTACpj3JBrg5Mkqb4BIN2Te2c swWUHKmOUgsYKdU1jQDxQqRIs4Bm0lnWgrgrbdbOgxRmOO5ZDfhE2W4qBtoVxxdZPwHztWDx CcgFfEWgJ8iWcE9zKshr9C75DLDJNMtzPUjn5S3mkuD6MuMLyxIQA+1e9oYg9TfGKgkgqfbj rhBQfrFb1c1gD3fkd3qD6rRfd4wGFqtbRXnQTZFKKmaQvtBNknqC1MeU69UbRIpor70AVwM1 1JUJ5jXqCTkXXLf1hZRFoCzSXVIfgHxMaizpQSuX29XeG9Qnjr3sAeN4XY55Eqgxzsr2EZC9 I3t4alMwq16D/BqA7wJfp+cOyJmR1TH9c6B4SujLUWCfYaxs9AbDS9/8kdvg6dpXkanfQeHT hfcFh4H0g3RdVAGuihi5HFAWSbwCPNDhB9hwYAUEGiaQIiQ9GojD4i4CyE8/+QEoVXQfizng 3OPM5/gVAgf6SmolaORVoWHUBrCMNqx6Fg26WtqJmJEgNc5MrpgOVfqX3VmjIvwQ9kvzn65B 6OjQ/qZqUGNE6U/qDobWX5Q9k28ePC6cOflNEuz56Nil76uCYZxyK6kYWBurgb6z4HbCY8+A B+DXw5DquwZiPJ9LV/bD1923bTY4IKi7oaM8Daz9Ml4G7ga1pCJST0HEm4B1RaIhZ6DlfNRR sMiW+heag6m9hyzVgZsFHze/vAGe1Ik1xBQHuYU5w8MM8Tff3k7YCOGpns8CH0K5lIDDTa+D b5GgSnF9wd+Zr33JpaA11ZVMegG57dR1Fj/Qh4h9D7dBStmU+MSLABR7nw124amFpxaegp1N djbZ2SRvud6ld+ld/Fdi/dDjocdDD3jY7WG3h93gRtMbTW80hQXDFgxbMAy4yU1uvudvE7ff LWRGyIyQGaAMV4Yrw397PY8xHmM8xvz3lav7wu4Luy/Me/1fCS1++P1ZB8vNzc3tf5D3lzjD f/Rk6oXAC0jnObeBl1jEGqAcYZIZRKiWpo0BbbHLO3ckSJPkw2YLSLOMh/gKpCVimboQRBrB IhCEQa6kqwxSVWuvrBxwybTINYIyx2Okb1+QWvtd9u0FuhtyV7kfiM2uWdo2kPYUqRxWBqRS upK6QkAPdaPLAko1mfg6YD/mnJPyATjDM/tlx4ArxXLEFQjWqtYbtj6Q+7V1Ze4rcPm50kQ2 SF9LO3UtQFkun5MXgbGeoaKxP4gyht7SALBPdCY7N4B0TJ3vqg1qea24EgJSLa2jqA+yQ3rk agSuIY7higSePiab0Q6u7fat9j2gHXUVdP4K8i7dbP0isMXavlOPg10vQrJLgumkT7ruDRjL 6H/VTQHF26nYt4N9cPqk+Gfgdc13QcAOsJ62VjeVhqy52RdtaeCT6R1vuAPqHnW2eA00xEEd EIXFTO17kHKlLdJL4KS0XMoBkUG4uAdo3KEYcJ6mruGgnRWxyimQL7DOWARSO71Nz7SAb3F5 jsMA6gdSg4xsSAvLUKkAqj5zxP10OJx97fTjC2B6bZJT6oDhkT4trCCkF8+eb54MZ1onHbSm QeKy1C9v74bkbGe7FDOoHXI+E15geqhVT6sF2kXboMRbIO4E9wypAOVTIgfUXACOU9Y9rk2Q 2Vl2OTtAwaMRA2sPg8eBj/fF/whhoYHL/ZtA0oDsRWljIbmaJSylJRi65h53zIBqbUt3b2wC +5PshEAveBuT2SqmO0xr0MM0wBd0bfSTzZ/Aa2dyy6zyEGN4efz4Gfjl4uXJ2y5D07lVu3ww DHy+sUeHPIETda/NvFkTspdorz2/A/by1ftoWqdPnz59+jTsHL9z/M7xYKxtrG2sDbPiZ8XP iocm3zb5tsm3IJ2Xzkvn4UzmmcwzmTAjdEbojNC8BOic9Zz1nBXqUY96/z3fMW5/x9YGWxts bQB+b/ze+L35s0vj5ubm5vZ7vc95nKX/vNVvkQoAHlJZ0Q0wc1+aC9IrSin9QQ11zEytDQy1 mLI+BlmQrjsBWl9ayuEgnRFD+QrwkA4px4DCtl5ZD4E4ndX8DJQ1nt7+HUGqq5tq7A3SMZoo Kmj5tBznVVCfyW8dD0DerJ1lM7DRMccxEUQV/J3fgzPE/io3BqTq4oE6DXT5dXcNTcF2Laen JRsy66ZmZSwCu2YZ49BAPFCzxF3QTZTTlfLg4WP41ZwMnh8bBnsUA31LqaccD9plcYuFQD9l s/4X0IUYwkyFgbbSR/JCcM1xZTg/AP0n+vPyL2BsZDQpTcFrojnB8z7of1EKGQJArFEXqg1A v19ZK/uBtt1lt+vB7mXxSLGB7JRvucygHZIaacfAtimrZ/oRSLsbV+zBXlCzHNuseyHnC8tD xwuQtkiZUkvQlosL6iXQ/aTEK5vBbDCM8qgOynzZZFwBbBVBkgdI5cQC6QBwmrbkAgNFqPwp sFQaKvWHzCrZB9PjwHzBXB0fyC6oF0lGyBjqMKVdhJdpb47FLwPXfHlKbh9In+sslngeCmzy G5J/H7im51b0leDBh7G/3giGo89vttr0KbyambzjWSFoUqbYxkYfgyFSMvt2AulXw0ytIZgy fFvojeBdnbFVj4HrLFUyEyB7mnP6k7Pw8puElkmR0LBKRUvYVShxwa9IsAy6o8oHt6dDZGjA VUM0GMfZPQNHQtsStTNaeMBY70GFBi+DwDch33mtgSZTaxSsfBAkh9c6MRYO97184tAW+PlU dLOVP8Kjwq9Mr9dC4Xmh1QKPwZNdj1+eOQOJtsRvbjeC6neKTy3VCgqeCNjy6tn7a1zbt2/f vn173uthw4YNGzYMmu9pvqf5nrxb6fJwebg8HBo9afSk0ROYtHPSzkk7oVVIq5BWIZBzJudM zpm/jR+/P35//H4Yt3Xc1nFbod7Deg/rPYR6HvU86nnAhMYTGk9oDAntEtoltPs7BfzPnu53 PeEdO3bs2LEj1KxZs2bNmtDh8w6fd/gcdkzcMXHHxLz138nIyMjIyMi7hf/u78N6D+s9rAdd 07umd02HTQ82Pdj04G/3u3nz5s2bN+cdj2YBzQKaBcCpYqeKnSr2t3Hf7e+91f9/iH+2HupV 9ap69beHkjRt2rRp06Zwz3DPcM/wt8d938x9M/fNhK6FuxbuWjjv8272otmLZi9g0clFJxed BFtpW2lb6d8u9y35lnxL/ts4A64MuDLgCrxo9qLZi2Z/vL5/+Hxzc3P7/7331+P8boxsFhAC Ul3s7AKG0kN0ArWz1FJeDDI8ZSmod5KeP30N2ktzZkhXkD1Nc6WyoNWjIqWB/uKm1B+kqvqO noDkaTgo9QDpsfa59hKwawHqLhBN5FO6AoCHdkHqC1J7qigPgUS5spQBDBcjdYOB0apTGwbS Nq9+AbtBP8gvI9QO4iPRT90K/hOD24TsBPOs1JYZ+UE7Yl1l7QhyojSVDKC4I962D3Rt5KLK erB5uqKEF+SMs7d3NgJuOqu4/MG1RRvriAGnQ72iVgWeiq1qNCjlmM4HIH2p/GhoBIb9tNZW AxZzMBHg6uG4oC8M9KaBKQMclZzfOxaAtkCMcpQD123HMmsIaD84r7h8QTqpK24oDcau5gyf c2B7kl4iqS9YXqcVi/eAzG+y4iP6QMFC+ZoFjgDlNlP0n8OrOxl+cdsht1Nu67hn4HfV44rv Agia7l2+6M/g6sZ+VwhIZUW8XAQQ0gj6glRXC2Y5GKqbdAZ/iFoVllDUCywrxXHxESTeiPnl 1WAILui3xloQDI08+yZrkBWUNtnmB5eWPB6YvAuMQ4w1Mp+BZ3GljecbMJ/Tpum/gqBWprOV PwTxiTJP0kPAAY+eAV+Bxz4lI/8xUG+6soxfQ+UllUuXegxKhLS54AU4N+BCqQtToJNX1cTm 3aBMi6rHSv4MLyyvL2YNhZTcV+WFL/idDf0lcjL4hHoce+wAwzDTEE8Vfni023noNNzbHFvr yhHISMpc6LcdNrQ9lLGzAPj7+Xfy7gXFMqNa+44AbVhODc0B5qYeB8Oeg+6Q/ro9DX6Jutry RCUwJ/rJvsvAXEO3wb/BH29WYrAYLAbDnR/u/HDnB6A85Smflxj+I+0i2kW0i4B2h9sdbnf4 b9/PXZq7NHcpDI0eGj00GhITExMTE6HOqDqj6owCR1lHWUdZOJV1KutUVt4QkO0523O254CX l5eXlxfs2r1r967dsLDbwm4Lu4F+mX6ZfhlU1iprlbW8xGhR/0X9F/UHebe8W94NXelK1/9L +SfunLhz4k5IaJbQLKEZ8CM/8mPe+wcSDiQcSIBly5YtW7Ys7wKicGzh2MKxMGv/rP2z9gNL WcrSf1/9/1kfffTRRx999Ntjh0uWLFmyZEmY23lu57md/3G8f7UeW4puKbqlKBToXKBzgc4Q uzd2b+zevLj58uXLly8fGBoYGhj+4nz+6eeffv7p57zyGWYZZhlmQRW1ilpFhec1ntd4XgN2 RO2I2hEF2cezj2cfh8/5nM//TvmnT58+ffp0iCCCCPIuAO+OuDvi7gj43PG543MHbGADG97D 5/avnm9ubm5u76/HWQMkkPLhIgfEtxSgDYjqLJK2g/whIa7LIG+Q95lvgWNRbqHcKSBuqCZn AMg9pKdSFRDbSOAIEClVEdNBOiG/UJ6AeCoqiZ9Ba6J9px0AFpEi5YBk4TppQB25tq4QSEWk FYYI0OK1gZIGUjlRXAsFJUCKNI4BZbb/es/WQGkPf/UjkCv71DHYwayFnDJFgnmheYNrFXiP CuyjJIPxsddXWjGwNXCOsgyB9Mnp5ZOPgeV55uS3XUF9LQo5C4C2mm3qcHAutw9xfgmuz9Xb oh84BgqTVBbEZ3JRuSsot+Q1uhVg/sq4w9AW/D73auc5DnzP+qT6TARTC2M1szcYhvsUCvgJ tPXaauktyLtFSWJBt06+jweIVa7uDh2olezfZ+cAE5TRpnqQ8WuC/slASN2bWjetOrxIer0u cRkcn/brh9+1gM2nj/VbvgWWf7/92PdX4Yfo6Gk7KsCrAUljEpNAf1Bs0X0Lao7oJ30GWmst iaJgqqe7qisH54LvZF7rA7eqxPV83AaY4UpXfgbPEGWU3xowe3sWMY4HQyF9uGKF1Onpm1Ki QdmtzDAcBc+p+ob5ukDudMsMz2EQnmGS8m8F/+0+0/SxYPzK3CnnDLRZXn1i1b6ghnAz9xaU OVq0j197OFn/fMiN43D0+NWPz5+GOrPK/9jjGpwbcKfQ2/Gw/ouNh4+Mg5f+sZNjJoIx2NjA yxvUMvJK+zaosqzEyFbTICXt5eIcFS7l3GpzvinUT62cU+QIBIwKdBVbCuZ+xj2OOWCpYO2Z PhCezXwxKn4axFhTuj4Khgs3Ht7ccxouj3jp2rsA7JGipHoWnP2thdKvw8vFiXrllz/erCxL LUstS8FZ3lneWT5veVBQUFBQ0N+uv8SyxLLEkvcw2V///eabb7755pu89Y8kH0k+kpyXeHzw wQcffPABLO+7vO/yvrDq6qqrq67mLX+33qHPD31+6C8yoE0PNz3c9DDv9bshJN9W+LbCtxVg ZujM0Jmhee9vbbi14daG/7j+dUfXHV13NOxvs7/N/jbQ5ViXY12O5b3/44MfH/z4Fz2C7xKw bd7bvLd5wxAxRAwRvx3/fdX/nxUXFxcXF5eXqP7133f7+b3+1XocXXB0wdEFsGfqnql7pv5t 3I0bN27cuBGKLy6+uPjivzjudX+s+2PdvNez281uN7sdrBywcsDKAXl3APR39Xf1d+HY3GNz j80Fm81m+68fzPoL7x6C3PV81/Ndz2FFmRVlVpTJe/9B3Qd1H/zF/v5dn9s/Ot/c3Nzc3u8Y ZxlwoYjnQBDp2ACFfaSDeKEdV5eDmCFmOjqAYY7PrJCBoHymtJHLgVgi+ojxICVJaXJlYKC4 J2wgnotHohtwnSbyWZCDFBuBwHw2ikGATTzTKgKRCGUQSEVEPdECeCh/pI4FrTPl5J0graKH GAHUzyger0Gu9rzH/YfgyE3flFkPLPVet035BLRWunBPb9C+NKV7XoDcD7PbqF+DuKCNMRQA 2aDrbowD5zC1quM1kCHdsHmB8wwhSh2QzvjpvfpCysVsKTcHssOzMlIHgW1u9qqsE+D9uWmA x1iQKstL5BJg8leW6z4AuZvujNII9LL6i2sG2HroHfpC4NrBN+ImGDe55jhaAjWVMkSCyO96 JXcC+13Ho9yJYPpUv8gYBUqslmbcAzkjM6Kzt8GO1YdeXDwJ966lXV9fEzxOG6oX+RWUHuqC qFZwq9f9clcmQO5YW459JUw62H3Q7CJgaCuPUbqA0lzXQ9sID0rGJz2ZA7pxxhJp8SC7NO+M XXBv3stNt25B8mWbZ/JiCG2p8/aPAdvknKm50WD81uuucS34ZXvsdc4Gj1rqIf02sF/QHbZN ANPpELvUHwxzTJPVOEj0tByLrwxZca7kN6+guldRtdU+8NykO+BxAWp1KNf1/jG43vnXw9Zb UGVy9QKG+uDoy9QSQeDnbdqf5AvFFpUtXiMd9r+Ifr6pCegmEJkSB5kfG542NoKzh/VX8RYK XgqtV7gqxHrHn8ztBecSHpe86QG+Qeazxhlgv24tlDwTtMPqbMMM8O3hddTSAFxl02e5RkPq 106jaSY4L+umaycgo5P9YnpZyCmQW87YEoCMP9KkzA/MD8wPQFonrZPW5fVAp3dN75reFYJ/ Cv4p+Ke89VOiUqJSoiC2UGyh2EJ/Gy+lbUrblLZ5r+//cP+H+z8A4YQTDrt37969e3fe39/y bjtrgjXBmgBvHr55+OYvEueGYxuObTgWaElLWkKDLQ22NNiS9/7rkNchr0N+O5F6Z8T3I74f 8f3f9uy+2+6vb+E3ndR0UtNJwCY2sSmvx30Zy1j2f6nHv1p/FrKQhfzT3vcsEv9d9Xg35OLd 5/dOLUMtQ62/GMoR2DyweWBzuOS45Ljk+Mdxa/9a+9favwJtaUtbKNqtaLei3YAAAgjIG1Ly vurbYmqLqS3+zoXCb51vbm5ubu+8z+noBDKIF1IY8SB9Jr6VuoMoILUT20CLoLEcB9IXWrHc BJBHBNyP9Ae1h2ihHgTdMHawBMQZMnECh0kWj0HazSQpBcRHklHoQERQXw4EiooB2jyQ1lKV R0AMy8QhoJL8NUtAlLQtzN4F3NS/8iwEsqoMlvtAduFngU9KQ5LuVM9LvmDd5DCJr8G2xvCz eSy4fpF/tDYEg6p4W/KD6Yjnp/6+INfWj5Lmg+Qn6bSXoDilpror4Fqvfm9YCaZCPt+av4H0 /Nb4jJ6gK5UzJLM/hC0x3jSfB2t51yciH0g/KIV0V0B7KYKJg9yBFs+cKmDrllk/czpkj8z+ MuUZWJd4bPFuC/YPXN1cL0EMcupyeoDHeWOE70sQUaKcOgB08/DiMzCOsj/JBZRW8nKnP+gK 2/rmzIXAQj6FgmuCbtSbx2WbAqla1+SvIOzDYKNrIjhvGse/Hg0vtj2qY8sP32zatPCHZjDw ZOe9nctAYsuEh1lr4UZYQujtCIj+7oXX/Cfgs118HVAI0h+kNLYPAaWBcl9eCHHB0gClFZhS dDXMHaHk2RJfma9CRsPkA86fwXgpeGZ2DJSqLQqo3vDmg4TabxaBMUE6oA8E76Fe5nwvwKFa ryv3oOnyehkN94DfLK9A/0Lw5nbapuAXUGJRvra6PfBG//qCZQQ0OV8rueBWeBTxqK98ESqM rT6v5OeQu87+1Yf14Hq3mEmvZ4B/paCrPvPgqRYz53oEtNzRdH3fFXCk/rUB90KhQcUiJfU2 ePxFXImH/cBjhnmc9yFQDulSH8sQ3F6/zdIQkrrqSnjfAG2omOoZCtJa9WbOPpBdynK2Q2Bb 0w5RGzj3x5rVu1v5pS6UulDqAjzgAQ+Ag7MPzj44G/rTn/5/sf681Hmp81JhHvOYBxw8ePDg wYPw2WefffbZZ38b33bRdtF2EehCF7pAwJSAKQFTwPuR9yPvR79dLtMa0xrTmt9fD+mmdFP6 e7N4vBvrfJGLXPzbt38rgdFWaau0VX9n+WBtsDb4L47fMGWYMgzwwQefP6/+/27/XfUQVUQV UQV4yEP+4kJJp9PpdH/gf5N3QzP+y7tZX5rSlKb/ffV1J8xubm7/yPucjk5CAP4ilQDgZ2Ri gLsiUmoLUgBfacVAbmGuEPg9iH1yoZyTwFJRngOAXptFOPCYKRwBMQo/IQEtCJOXgfS9Nl87 CuKMMGpDgA7KWLkPiATRRooHaQlntMEgPlHyG1+AmJQbn3EDtH45vWLrgfSD91Dvl5D79MbD W8EgdntX9OkLjiR1l/4Q5J5NbZmZC5Jd6pPTFBwrhGLZDRm6jOrJe0G3Wv5emgy6R8otgydI /vIi3RfgMcf7pd9WUGbntvCTwbQ6JzJrAAR+Zy5uHAauEF1z/RZQguSOylGgj3OKswcYhslR 0hwIPGq441sCXBGeZ429IPes43v/XyB1ra20/hYkrXTOs0aCrVhKv+zjoK102e31wJQoXTVd BsN66YLYBR535bJKOTA2cbrskaAuf9D7+iDwtpecWfwM+GwLn+78CJIWZc6ze4LjTGbvnAjI bpqgL3IVSnfPX7fZIAj9zrtsvs1wcE30uuhOkHxd+sr6HbyIT5h5aT4E3PYZbPwaCn4ZUN/b Ai9d2hspChwWl8ZOKEbw+cqn4dLqmCWXfCDuRdqD3IUQtlhf1+8rCBkRsc78KRgXy/XrrgQm KOsTa0PcxMzqTxpDAT+P6MipUG52mLHmRYjb9KZm/DW4MyVjxauq8GJ0Qu3kDVBgWqHwoC5Q /If8Z4JugH8xf9lvC/hXCdiQ+wmIlnJXXRIU7FLqx4L9IOUTy6dyInR43bpV+XlwdNLBAsoT MCaaZluHQ13/qgOLrQePq8o2509QunzJy8FdwS7ZLxoC4aS40uLlPLCvllube4H+K2Nv6Qno SjnGZQ+C0Jc+DQMkeB1lqxB/Awp+7XPe9z+GJrR4H82re3T36O7RMItZzALWVl1bdW1V8N/p v9N/J7Sd2XZm25l5Ccgl5yXnJScs279s/7L9vx23YOeCnQt2BiQkJOiUv1P+TvlheJfhXYZ3 yVvv8bjH4x6Pg5cvX758+RIKzC8wv8B8MPcy9zL3gvCE8ITwhLyHsE4vOb3k9JL/6nDm9OLT i08vBlrTmtYQ2T6yfWR7MM00zTTNBFuGLcOW8fuPh8cmj00emyA4LjguOA6So5KjkqPgZPeT 3U92h3YJ7RLaJcCRo0eOHjkKdKMb3d5//f+n+HfV490dDnaxi11gvm++b74PYRFhEWEReUMg 3s360rJly5YtW+bd+ejQsUPHDh3z4p3scbLHyR7/c+vr5ubm9o+836EaABIqEuCUQtADe4VE QZBtfKdrDWKINMKjHijbDEuVNSAeCy/1C1D7kK3eB+mJtFrbAXJNsVv5FNgm0qRMECWVHVot kEeL6q45oC1Se8k2kJvK4yU9aBfEJN0GUGZq653nwFlfNFP9IMf3eo0r40HUFvOdp0CZFjEm 2AuyCsTeTi0LydeSctKvgNrX9dz+C+RMSolOngbPRyfvz3oLWYd0awwdQTlkbOhZAIJeyB8b YyFfkLmIR3fQlTVLWbNBPqOLf90OfDP9JslBYJsohrrWg9RAP8m7FhgqGNd47QX7Y60nXUFt KTcwbgFDR+Np43SQL+kNehNIoTqT4xswxPk8MpQFU0NpfOAkSMhSV1i6glbFLqUvAs+rhqoi Fcw1RCWpGpjfykvVvqB8Is/X7wSpxr0iMRch4LBfaecQ8Pkw6lHcRYiNS3jw5lPInm+sm/Y5 lCtU6nDHWuA73epf9AH86h0/5OE3kJSZ0eH6RDD4BquJ+0A+I4137AP/Wt4nvP3A8ci6WXoB voMMO31TITvFsUA4ICjTfNpQBMKHe+6NVCHxSawh/zowVAlabd0MmQvizz39GaIGBwcGxUDP nk1f9GwJx55eX7ytCLyckrXqyQVIvGQvlbEU7vfPir3yI2RnZ31j3AcBlXy+za0GZz45OTWu D2T+WGm3KxU6+jbrFq6HoI2BD7w/gzMDLv348CW0eNRYKucDL+Y87/i2M6QsSrucNQ10ZQxh 2k7w6+5f2icVPE4GLlU8Ie1ZYrrVH27Yr0++2whefJfZ9qkA/5H6k8GfgOWIc8szBbyO6JJs U8DRUMxVZMjZ4+iSUQm882kdgj+A7MvKQBEBVHw/zarNz21+bvMzXDlw5cCVA3C4w+EOhzvA nDlz5syZAws8Fngs8ADZQ/aQPcDxteNrx9d5D5n9V0/sX/UUtj/U/lD7Q7A5enP05mj4Xv+9 /ns9PPF84vnEM68n8d00dtzgBjdgQ40NNTbUAHrRi17Qt3Tf0n1Lw5dFvizyZRGYHTk7cnYk 7L+z/87+O3kPB77T19bX1tf2zx2D/8N/9kh2Wd9lfZf1sHr16tWrV8OcTnM6zekEW4tvLb61 OLwIeBHw4v/yEOX7qv+f7X3V4900h/aL9ov2i/DFnC/mfDEHxsaNjRsbB/lu5ruZ7yb0mdhn Yp+JsChxUeKixLw7GvvD94fvD4fnpZ+Xfl46L867Mfbv4v/p9X3DG9zTALq5uf0L3m/i/B/T 0TkxASY8xUsA9moJwA5pGDWBsqK2poHwlGKkZBClpfW6HKCZFC56grRPLOEisFeOlaeB+nPW 4CdTwd7+xf7bniBPDPAv9BHoM01PDSq47lh1tg9B931Y2ZIdQJP1VwJPga4DdZVK4Ih4uzS3 IaQ9Th366hTgyv8s9FuI2x+XmNQN7N/Zr2mHQIwVJ1xBYPvW+jUm8KnkWc1vJhRsV6hakRQI jPW7EpkCnh2MX/mYQIrVZdEcnNe1M7lnweptPZkhgFuW0OxIyN6WFp0IGPU+PY0xYIwzHZPb gO6RrqjcHKTb8mTdjyAdp7DUAqQW4rRUBXR91C1qNBClXckdA54vPQfI08AzwCfZxxNc53JO cgMME0WYownoF6sxtuNgfmo/rD4E/XSP9gEnAEVZlH4EtKvP+qXehJT8znxyY9AnGtp4dgdl uaWFawvE9TWtv1AOCA64krsOPHZZKhfbBl6NfT/1ioCiDU0n6p+Gxj5Vb1WdD6/L5TZ6tAW2 lDtZfONm8PPwcgRfAFvF5B3Sd3C3sd3p9RV45tNuVh8JtVrWSXmUDEn5EqMze0LOgOyxrmx4 vjtbfzEa1GaOaGME1N1a6kWjfhC+It6erx74GH3igj6EVFOSNX4geF0sPSnSA7Ia5wyLLQ6m fqablifgWmyPTd0D27/dV+3ER5DPkD9/uDcUaxvhV3AxuBbbf1ZHQlm19PyIMfC81Mtjb8+B 5zLvLw3FwFjA3MI7HPQbXO1EN8gU0itHPTA89itaehS0lkuMq7cJsrtk1I2rCK9mJKvWlfBS zlqb4w2yJwP108Fkzylp/wEkX6/+2Vlg9iDLFPYe29Z/JoqzB88ePHswVIqtFFspFnZP2T1l 9xR43ux5s+fNwGgymowmaLGnxZ4We2DMgDEDxgyAsTFjY8bG/G3YsLCwsLAwWLN6zeo1q2F5 meVllpeBy99e/vbytyDdkG5IN6ByxcoVK1eE4dJwabgEJXNL5pbMzYvTtVDXQl0LgTpeHa+O h62vtr7a+gpuHLpx6MahvP30ftb7We9n0OVol6NdjpI3puRf1L98//L9y0NO75zeOb3zpkdL vJF4I/EGTPOc5jnNE2a3n91+dvt/X/3/bO+rHkMYwhBg/ab1m9ZvgsuXL1++fBly7+bezb0L LGYxi6H7ie4nup8A+YX8Qn4B27Zv275tO9xYc2PNjTXgV9mvsl9l6Dur76y+s2D4sOHDhg8D mtOc5n9+ff96OkI3Nze330v6jy9GIWrUqFGjRo1/PoDVarfbbPzXrBp4AC7gDhYkEMvwkM6C fIEfpQ+Azsx2hYP2jbrZngZSrNxUbgFSQdnT2B24pfkr9UD7TndQNAX16+R7d05B7vAzQw6/ BhGvC/ftCYZS4a9CMkAUzXqYsgDkAb7rveuDcUblVp29QKknfaxrD5mxZ2dcaQ7JvV8NiV0B T/3idE+SIHN++istPzh+Ur/TEkGxqYG2x2D4UTYY6kNYo4DNAXMhfETUwsjPgB3KeF0uaD/L I6WR4GpBjiMcqGQPdE4AubO+kb4H+B2NulKgCMQffXrm5TcgXZGny4NB3Jani5ZgK2+/ZVsG IsplUZeD1EF0lWsCRs2kzQJ1k/2A9SfQ5qtf8QzsT+RZWODty9wJmQPAejtzUeoX4BtqeCqV APMkexe2gWmMVtpQBPQ234e+AgQJPbNDwGRVV6iD4cSo0o1ep0PMN/KuBxXBp7+9nNcEyNgn TmZokP6xukc9A4WmeSXUOAclPEOV8tEgj9VPzf0FrNXtafpNENDO9JHoAdd/eh52fRVExXuP q7YIUtPejnx9E/SPPZ35CkHS9kzvuwWgUMHQxq6+YPhMfhHwBXBXnHTFQuqm9Ddpo2BUlX6j vikA+nVyI88EiPV6s+7hKoiucafH7kWgP+vYbEwDtaxjvakHPH/1tkaagPAigd7aFZDSTZ97 mcH3Q913RS6CttLWWukF1ZtXLFBzEAR5+X/i2QPCL+e779cMjlvPXH30PWT0TSn96ibU8697 utyXYPdzFJSPg+KnWy+tgFL7is7N3wn25h7ddakl7Iw4WXBXNIR+F+RnHwZp8zKq5T6A8Br6 y5ZokMZo54UEIiLSJzUT8l+O7OVdAiYrvb47sfLPbub/73nXo76mypoqa6rkLX/3cGCpc6XO lToHN4feHHpzKAy5MeTGkBt5Q1kunL9w/sJ50G/Qb9Bv+LNr4+bm5ub2P92VK1euXLnyPnuc FQQCyJA8kEGqK24ggfQFN9gIWkccwhvke2yVO4IYroW7uoBSRhrnkQnaNtFUKQ8MYon6BKSu mq+YDlJ1xyluAqu8Bhb4AcS+rKSM1WDd/PKThJGgzXC0y1kNUr/kjhmpoEvNb35zEaQJ+V+X Ogee+avsK7kUbEdSgxNHQ9CHPvMj64BzuEGz7AWtlU04k8FvlWfV/D+B+b6SqAaByShKCRfk Lre+yJoMOk/9WONL0G9Rbeoq8M5QeoqSYPo4KC74OZj2579UaCUoxfyneNQFUS5ji+UiZH1o PZb7K1gr2DfZHKD7VtqlOwNqPmm0yARaSXZpIsgL5VaKBURbbYRuEohD0iD1SzAsUTKVlhDw hWmiTzrkbLBPzOoDunDnd9kmUNfZ+jkU0KqZl/p8CgJHTPZCUEzeMw0bADnntZgA2pjMsp51 wH+SXy3POKiUUeaTqBh4OePpV8WaQuLg1BKBvqB4qPWlDZC409Y5syeYXnrZpFBgnzy98Hp4 lhHfy3oDCjSX79TuBVrd7O26cyC+cUUF7QH1vO1kViKE5fg3r9gRrAHZGZkdwFFbCiQX1IP0 ztkGud86R9sscDLx+rSzU8D8xHw0dAFca/J45881ofyEAqsiHGAMtw7wi4IbPe4mZnaBBocr iEbPILlRdsWn+SHjsHX1nULgddP7XNAYKF6lVGCtZlAsp/iysJ/hxdVn9+M7g2loxh3jV5Bz L/5M7G0ocaPsush0cM63TZPNkO/byNtBdrhT9bbytDzoD7p6Ck8wPVIKphwEr88998W/AP1R c3llMuS/5oh22MC203MHDjAO0MU7+4NzuHLZPAfi5zguOZ4Bs/7spv7/JsMGwwbDBrg66Oqg q4Pyfrhi0/BNwzcNh9CI0IjQvxiD++4hxKYTm05sOhH0qfpUfeqfXQs3Nzc3t/9t/niPc67d bnMCGhouQMOAAlIEqTiBqsRyHcQ4fKkIkhOrbAftqjbK3g7EK2mm/jQo86V4CoFUhK+1SSCK iyDJAGKEY0P2SrC2vv7o5COw3njc4eFbcNWyFssdA4YKvn2DZTBMLz607Lfgmm3/KnMp+Eyr 9qB5DZBLyD0MuWB//Krn87eQM/b2zJvN4PKRNGPuDnirpRRIKwz5k7y+8W8Oun2ObvZsMI2U 3iodwXjeVExfCYwxxLsGQ3BUvudR/SHgZbW1VS+ALIerQQ9Acul7azXB9uzG6vvbIefsywsJ n0NqwZzBOfvBmmR/5CgL2iJmajngeOu46bgDopq0XsQA5UQvrRrwpStRWwJamPOp5glisC5I uQ5MMpY0poD1vPVU1jzI2JHoGz8NsrNv17krQ+DDoDEhh8GzeeCRsIWgZfvuDTkE1pNafeNy eHjA02VvB5aFhgeutmBYKu6p3UF7bl0tmyHrkH2l6geW1hk/a/3Blc81M2cLqOnWGOcusE12 rrE1AV2u3qV8A9qvzvr2nuC6qD6Uw8BQTR9rHAZUVDoKfzAeMY3xPgyeDwy95B6g+9C0UMwD Rynx0OQNqk3XSQsBJUy3SE6BwC2+p51nwcvpd9hzMVRYX2J2k3GgvHEla/ngUcyTfk+uQWBq QKi5EcS3ir/96DnUy9cgpMYv4Hpt/TR4LwTvDq1rfgjesZ5dfUpBbpp9EEXhzbWXSuY10KKt rlfnoGxGlTkVMuDR3ZilrzvAS9831WKNkPxpks+zQhC3L3V/3GhQLD7ZaRp4mkzzsg6CPCa9 j6sv2Dd7BLj6Q0A1/3H+X0DqQlef7KlgnST3lqtDTljGwoxE+C560uaLaX92M/9/V9r8tPlp 82HpuaXnlp6Di2Uvlr1YFrJ6ZvXM6pk333Wzps2aNmsKw6sPrz68Opg3mTeZN/3ZpXdzc3Nz +9/iXY/zH0+cHfZc23OQikvhUikQD8RbEQckkCxVA1TSSAOpM0GiMFCFFcpxED+KYa7ywFR5 pvQIpIEiUkwG1zIW6w6C3ET/XH8b1Bkxb0/shxc7t07ZEgVpv+R8YtoC5gee431GgX8vryiD Fcwi4BdpHXg8rHqmvgeYvcp0rlEY5EjilJugfmMzZd0D16obSbe+h6fak4m3+kDudC1D/ALe P0gLQm6Dep7lhhTwnu69x7cIeEQZ83v0A3MVzxcesWB2Vk4oNg74Idjhmx/EbltZ2xXQfWuZ nzkHcoMennilg5S9LysmxkC2l/UTayVwdpfaagoIC8PFQnA8dnzt+A4cg11G61cgzyBYFAPO a5f4CYjUopQKoO2T+igakGp4rWwGtYoYSBLYLtk+sAyHzMFvH+duh4w7GV1tz0DZHroiYCqI mSbh+QNkOB17rL0g7Y0rK707pOYkifSSYNFlTM1cB7aXltqZj8F+wrHRlQ76LdyRL4Be1rUw bAL5gr6/XgNTiFFneAnSZtmu1AbFoS+qnwlyY7mfXBnkKfI4cQbETFFSjgStiZpBOXCO177S CoBWm+aqN4h72g7hAHmcPEXfFZSpxmKml2AsZnok1QbDaB9j8AbQN/X18I8Bv+cBNwOiQFfI XNK4FJzPk+NetIOMWtaPH4dCEY9Inf42qDsc9zxqQsPZDfL3bwDmcbquzrbgvC/rxBSQWzkK eR+D3PJvKzxqDLmvpU/lZsBe7bq0C1ST6GzsDA9LPW9/yQZii9Xz6S7I6pUzVv4A9H1Nm1zD wFrQfDt2ATDG8bm0DKxmZy1lAph+8Wuhi4HXD9PqpBeG1AZJPbgC+x3LWp2v+Wc3dzc3Nzc3 N7c/4v0N1ciVAqQZIKqIr8URkDylohiAnuIunwKpjKULiLJStlBAqiMsojYQpqyRBgLHtYHS OhAJoqC2EuTvlefSftB9lrU2tgE8PLRNt/06XPvk+XbRHQo9LlenkglKJdYbXPkiOANiNz6+ CLoLnhvlq6DvEp4euQnkcP18r89Ac7pu2peC8omhquc8yB1ut+hnQKEbYU2jWoL1sDYqJxUS dr+xOqqBHGw+ZN4Ahs36VKUnGIr4tjXPBQYaOssJ4KqR/XPmJdB/6bPD+AQwp5/KyIacXY9e vSgNubMTvs7RwNlTPSsSQHhKPswA7Zg6UlwF7SJNtXCQjsmV5NYgN3cFaONBDRWhjpIghUlH 5KMgd5cnyckgdxPJaiVAr33ONHDk0832PQq5ozx/8boPuUOiNjpLQmp139K5YyCnVvaitC2Q /n3cuJiDkL4j4UWiAXKe5rS0hYAcK9/RtoNXgtcY73AIvOl3y/8LMGV7n/M6BMY9HqGmZaBb Zcqv3w46Rd4ofwvaehHLLRBXhVXsBSk/rcU00JWUPpMOgnRRiZbuAkZptn4WKBHyYiJBvi2W S01BC9N6KfdAayXGu1qBOtZeSLNDzh57pvUu2JpZZbUS5N54G5TYCsTQ1EtJrSC74Nuqfk4w feJVyy8EvD82VnKkgP8qj9n+zeFOx6en7QJqq1EWKRye/nB36cVXYHHIvTxWQL4VoZs9o6DW lhqnGhaBG36PJ8esB+tJo1XbCEUKFcsN+haMG+XJXhbQpaqJZfqAXxnfDVVrgse5gC6Bc+FU qSvXt6wDNTnzi4QuEHjT4wtpBHgUkF9W/gru/vj26JXCENg0ZLypFaibRRn7u9krYv/s5u7m 5ubm5ub2PvzxxHmg+I5NQF3pnmQBYmhGc+Ah3cXHwA+cldeDyM9SZQBIdbRXLh1QSnRRygEL pCx+Bi2TRpQE/Q/6/Lo4yPnynse1WEhtdi87uRIUeFwpp04ilBnXon2F+eC7OTS/bwNwVvd/ UXQViO3as9yh4GqT3SurARgvh22VvEBqIirLWaA1c8y3nwVR0elPMmQfdzwK2ge2rVlXnVXB 2TOzY9xK0PbZRrgWgKWk+qX0MRiClQbybjB+VNoR5QWSL9tdl8DV++WF11ZwnEk6mT4ftB1Z ZtcH4KolX5evgmui84hWHkS66xgrQJqASQwDXUN5n9wVnF9pKVo7YLWkyp2BWdo9vgZRQxTX GoPopW51TQAe6Md5zoKsBtJ8j48hKdtZVrNAqrA2y/oEUpe82RVXFpIOv+72aj+kibefJbQH 7aL6g6sjeF7x3xywGKI8ixYp6AIPs5/idQv03xpOK0fBddI1QbOCo6ftK6sOclMzv8/sAGJs +khxFeSdYrpkBG07HcRuYIwcK/mALp+ySLcTDMmKj1IYlJJKtqKBzqz4yj+CVkLeJy8Gua2S xG3Q5ei2SkYwVNMt0m0ENptL6X3AM8NriFcOaMWUdLkqODNcK0Q1sGdY67kqQ+6lnA9zSoKt SsrBrJaQskiZZ4gG81qvLeZUKD6mTMPa4WB84RfgfQTKHS92KLw2BMeGRYd0B9NO003DQDB2 NQwVs6BiYNNV9bzB9IW5me4wEMgq6oDSj3B5Bxg6eBgDGoLtrWipfgi+VczfG2dC2cySnXuP had+L7Keh0FuG4f+9QnwCgvUedeBgk28Y58shKyinrmZNyAsIl89r7KAO212c3Nzc3P7f8Z7 6HFmgpoCfCiOyJuB2RSVEgC7tJruoO0RY1Qd6FbxVtcIHG+l6bQEqb04K4JA7qL0lseCrqVr qrwWuPMfYV01k9NTakLhHnU61BgPUcOHFf84FKRnXuUNdsgt9aL+gzKghtl6ZewG+bn80pUf TNsL7ig3GbQurnU2P2CT/pY0E7QWr3dmTANXA/s+1QUZP2XPzu4AmYfezkzZC67t1gBbVwju 7VvJfwYE7Qho7hUGyg9KPiJAPf5mSWoqiOmFXoasAmW70abzAc5RUBcNopCUzxUFSiOmSEZQ jmrz6AWSUXohTQXpmOhEBIjKWqyrPigXpNnCAMpaaZr8E2hlpMvKxyC2GHZ63AF7f/3nXgqk TFBHKDXh7de52yw+kFg3/tWLs5Cy+vHbh8ch5Wbyg6SToLQxTjHmgv83EUXCvwTP1cFtglqB nKCPwQzOTpYbtkDIepb8NDUSHN0cg7VyoNSTK+ozwTTebDO8BY8Azx1eQ8Fjpmd1z41gnOCh mBqDoYfxa2MG6HbqF+pPg05WKusTQBqtHMIbRHWhilyQhguD1hW0y+pw7VfQVmgnXApoi13X HP1AfO2o5BoCWgGXQX0A6J0HHP1Al+L6ULKCAXm87jl43/EyG2aDa5f3r8ZEcLZ02rQ4yBlt CXM2BcvO3O254+DpgYsfnqoI9tyIo+FXobgrdFjdhhCuyz8t8DPQNooApxO0666PzE7w6ulZ k2jI6Zfjaw0B+bz8iXwZMtan9bJ8CqYBpqEmB0R+HTDXOwfU865B2iKo+EG5r0qsBd2vpjUF SsGVvnfDnx0DW6ay2DEVSocU31ZsC9w8FJO5/zvIOepY8WgF8D/o1+Xc3Nzc3Nzc/pg/nDjr uuo/Mn0EajFnIWdzYJj0BfWAhayX5oGczGh5Oziau1o6jOB4mbzg7UdgCDMmmZwgbwwICPgV XJsd3o5KID/TqVJNMKwpWaP4JAjuEWVXs0Ed72X36g1Mybqb8BYUq9zV+RWoj6yrsrqCElZ8 ec0bIB80zfAdBdRWC6iTQQSrZeydILfPi9qJhcG2Imu8LR+4WtmStKnAdemMXza4TkplVBne vIo/nBgLrgB7gsUIYYUjixcYCnKSq5dzGejLMknsBlEuMin4A9BHhizyPgdiqy3ONgPwy75t 3wpisH6yuAa6R+pFloCrseOQOgCELD2kHogBLKEa6A7r5hq7gM1uXOW9EzKXGU6YJ0KyZrvk SITED950fjkZEivcX3fXG5J8XzteTQVum2p6hEJg68LeRaaBuUxgCb9m4CjpLOkcA9njkh6m DgK1mq2SmgymJuYhhqvguzLQ1+878NsQ0iDoKviNDPjZvw/4TvOe7tUHzEs9C5m6gG6m/oWu CSiHpGLKOBA/MkgsB62vGMAykD8UQVIiiP7spyUwUnQSm0C9qk7TPgT20FE0A05rR4QFXD9q N7Td4Gqi7lQbg+ap3VSPgEhwDndeA2c766DcYFA72YtZ74HrR/WEYzK4UtTFYhoYOuseSJXB tNh3m7E3+FT0ESYJcr+353MNhbcDUgclB8KPQze3+KkP+F8M+DhoB4QsDG4fVAoqx1YYUOIX KFu6zL6CCyFzdOpe6T44Bkr3Xdfh7e2EU6nLwDDbEKT/Bcp7VvUvkh+kzboJcltQrNoN5zoo saSIr+Eo3H3+a3vHJ/Dk9d2Dd6PA52z5mWWOQT21zJY+R+H0o8sT9pYG4IM/u5G7ubm5ubm5 vR9/OHE+W+/iyMujoFa5qver1gb5urRNJIBYLZK020C0NFxOAbm89JNSFjxWByQFX4ekygld k1PAt6Bpmf0yGC4ZSkmfg7Ze9WQLGDqHphYZBerVrF7Z60FUc+jsP4G0UHolHQay5M7GONAP K9K42legXx4kIm8C0fZbub+CGKvz1D8H+uVO0LJAuWmfLTSQU5Unxt3gud0zyXALvDy9GwQ2 AmeWmJD/R7B4JC6LKwNx3z29eHcbWHekpabUgbCfooIKvgXjLWv7nChQNqSGpRlAF+nT2vcB aL2dT1y3QW4hV5SagOED0UiOAvtCTWi7QFdDOagsBFcDrY7WD9Q6GHTbwBXvd9xvKKQ6nZGa BHGzk4ckroSEtY/1dyfC62sPQx6sBeta1yytAPhujCqerzUYdwdO8PkZnF7OzepcSGkcN+fN dJCfqNcJh+B6QfUCC0NoWqlT+VwQ2iBydehc8P3R39PXFzxOmyeaMsBQWr9a8QS9QbogBYEi CR1dQFxTm4qKYH3smqV+B9pj7QutMUjP5UeyAbTrrlfqJHAN1KzaMNDKiYOiOSiNRQvygTRE aiiVAeWhvFr0BqUyQkoG5RLrlOogIWfLgK6sXhhegWOK6WvzEXD1Uau7QkBscFkcVrDXdky3 DQRXOWtJaw1wDLEvdg4FZaIqaZlgCDFVkm+BxwRTjt8HYL1n7ewoCWn9MountYfkolm+6eUg e1aONX0xpF1LrvQ2G+rfrn+5/k0w/OT71K8ABHUJ2umXCa4a6gh1Nujy6x2KA9QWrngRCy7F VVz+GVJJNuZ8CzkjMi4nnIVMR+L0Z9/Cxac5u2N7Q4lxxSNL2aH25jI9G2/+s5u3m5ubm5ub 2/v0hxPn7NbpUfaaoBulZEnFwdVMraD5gdxTGs1BEBNwiNkgdZXrSddAaewpeUSCKSBwsu9k cHZx3HbGgmdT73F+2eB6oY5T14FYb74ZNBh0maZwfxO4imW9TW0B+i9Npc3XQKkePqTUApCe U09ZDuAYnVsJxGdKf+UViLJSTXxBtNKeauNA7JXniQpAMOO10SCPlEa7OoDXMLms9SQ4R2sR zr1g3OGfoCsMrhhLeMS38FafkP6yPThPWJNjakDw5+FHA6eCV1O/uxGjQctv7W3/GMQcqZ3y AJybXd84r4BYpa0SFpDuSiPEEZD7O7s6fgGpgW6uvjDYS3mOCgqB2FD7I1ssxH77cvTjfvAq 69aTm/sgsfkbXs0AJc6/p29T8B0fWSYiFpTaoqe0HtJLvCmR5ADdKM2uLILIbyLnhZeHAnHF jxYaD8Fb8yWFrwbfAr7ZXifBdFV/2LAb+JH1SiNQW6mq+grkuVo9oYFrMiOpAfZZ6kY1H2hj RQgGoLHkL38HBotOJ+cD3WCpJ7mgBUpfaSPBdc61QekCtlHqfbUkODOZJY6Bq4v6ldofnJ00 ozgNylb5SykK9E7piLQN1FLaEw6DXVKTXT+AKEs1RoAUIXZIlUG5pNtk+hZEH+kToxmUj/RP PBJAn+u6aJ8A+lXWOtb74Iq3p9vvga6u+tDZGvQdzCWVTDB8Zjru4wHZW3OT7UPgTeuEPUmR YBtnn+bsBrw0NjB1Bv8lXl96lYHszIwdOd3AWtcyJucnsCc46jo8IXewzd+RBrmvrFtzK8Kb 5Lf709uCZa2lffJh8B3rO0eZCdbi9nC1Bfz64cPK976B5L0pjd4UgnrUp+4faF/vfsAjJycn JycH6m+pv6X+lr9dL6NwRuGMwnCg/YH2B9pDb0tvS28LrKu2rtq6ajBkyJAhQ4a8/y+QtWvX rl279l+P/0e3d3Nzc3Nz++/0hxPnGz891+4+haj4h60i10DlkuVHFp8COSVsU+w+oDRkk5gN bCBeHAHXXKfFeRP8Ovos994N7BGnpS/BkeVs5PocpJGSwkmQmivnlQogAlmuewK6LT6JJiPg S2NJD9oRta9qAfkjSjuaAUOk3vqPQHsg5qtnQT5MjPYGxPbcAqmtwb4tPSP5JdhfWc+mpwFN Xa7UdvBo7etSz+IhtVZij/j2kG9OyOchNcF/q//cSBUyvcyvPYtDup+rr/QAXJ3eNExfAt5D LIOzreBfMcg3/CQYd5lr+JpBq6kW09aCFCxCJStITx2dteEgL9LZfFuAJdq3hfcDeDw3q2Fa JLzIvHf8/jp4Pvrmrmu5kJ1se2YpAx6xkVvy54Khg19/z+tg3Zx5NfsZaMVyatq/g3BbRP2I lVCkV5kyReMhf/4Cr/KPAe+TvkN8ToDcQjkqTwLpc2kyu0FEqme0pyA6av1cBUHs5nPagKua 2COGgyjDK+aA9EbWy6dBdNO8teGg/aQN1IzgKscBLoPukPSK+aCvrZSWWoLYL0a5DoEo7Tgj moAzVB2rXgRXpvjVVQjEM+0m8SA9UadwEBhMuNQVxCsh4Q1ijMgS5UG8FU1FARC5YqK4CmKb Nk3rA9JcnPQD1zXxVvIB0U/52hgBclmP8oZE0EcYntpHgXzP8YutJ+j0jk326qAEOHY4vgL9 XnMHgzfkPtSN0NeCdGvW99lOONT4iO50FdB9pj9r3gD608o1ZSTkjss6m/EW0uel3UopCmpN Kd55BzQfrZwrGVxXxTrdUjBcNeyRKoMrRPPwDAA/nX8pLxNIO2iu1oWky2nfZU4CalKWVf96 +yq6qOiioovgp+k/Tf9pOtStWLdi3Yog35Zvy7fz1nv3k9uFFxReUHgBSCbJJJlg4NWBVwde /fd9gQysOLDiwIp/3vb/buK6uC6uw+5mu5vtbgZd07umd03/HRuuYQ1r4O7du3fv3oWYmJiY mBhwVnBWcFaA4Njg2OBYaPio4aOGj8Bwz3DPcO9vw2R2z+ye2R327t27d+9e6O/s7+zvzHv/ ud9zv+d+cHX11dVXV+ctrz6s+rDqw6BwRuGMwhn/uLjHCx0vdLwQZERnRGdEQ9fCXQt3LfzP H6+/vhByXxi5ubn9v+YPJ84vNqX0eXIezhS4XS3AAqU+KLEzcgDocuRX8mIQ34m2UnGgMy9p CDiIwQXqWc2o6UGqLy1iGEgP5a+YCOwhWwoAVlAGE1BetNfWgFgiLVFWAS4xX/0UdPc4ISqA OIxFfgLivujg9Ab9Qv1xz47gNKX2fNEPsgdcLHp6LqiFkvomdQZxUz2TWwmeN7m/4lkpuPnZ wx/f+IG0zd5AigFfUWqsdyHQv1DOJH0I6jS8vMuAwemnhP8Cumu6ItIFyNzlOp7WBhwbMwKS LeDv6dxoHQzmk4YN5rsglVIDDSNBd8a7cvBCSKrnlRKwCB5MTXj7RgfPrl6XrvWBx573jt5I BUd+xWnQgc9XBeYVyAE5TRcsDYCsFW9Wp94GX8WjurkxlChQK7LSRSh4ruTkwgkQtDzgXOAe 0E/Wf6jvCdJB1lIDxGJV0iqCSNMScIKwikHCDLLKd6wAZToLJQ3UL6WtfAq00lZoK0GsFEFa BOir01rqA+KoVIaZIJfV7omBIC6Lr9kJ4jB9tK7AdpFPrAWlmlxYpIFpmhSs5IL9c/WoqA4u GaOQQVuqLRZzQT2tTtAeg1aOgsIA1BL7NA1EazFT6guk0o5dIB0QbRkDorHYLlqB+B6ZAFAX iJoiP9BWpEhJoLWR+xu8QAoyHlS+AH15pby+PIjD0ge5k4FJzrqun0EaIt2hFii3lT2mmZB5 3lJA/hTsd9SJzuvgHeR7zDsGDPM9VY8KYD8kqcr3kFkq7VaSGXgi35OrgtgtpqkBYO1i2+8a BEnfpJzPGQnGC4aBymvw6ujT2LwYtDdin/oT8AeTVh8fHx8fH/Cb6DfRbyK8bvi64euGUIAC FPiL9d4lzvVO1jtZ7yTQmta0hu9uf3f7u9swpPqQ6kOq5yUyNe/UvFPzDjzxfeL7xBdaTG0x tcVUiF4YvTB6IVhLW0tbS0OhtEJphdLgju6O7o7ubxOg34pfYUCFARUGwItmL5q9aJZ3AVC1 atWqVav+7faNAxoHNA6Amzdv3rx5E8RgMVgMBnWVukpdBaXPlT5X+hxUXFVxVcU/cCHyez3b +Wzns53waMujLY+2QPqX6V+mf/n7t3887vG4x+Mg3j/eP94fOk/uPLnzZFBqKDWUGnDBdsF2 wQZXKl+pfKUy1KMe9f5ie62iVlGrCGffnn179i04VzpXOv/OT7efX3F+xfkV0Glfp32d9oFY I9aINbDPvs++zw6FKczvyX9fTHkx5cUUGJw2OG1wGr9/Qzc3N7f/n5H/aIBCg8y60HHwWry6 mjAVfr508MTZZ2A6arCZvwSthmjGciCCeB6C9KW0RFoCqLhwghggpvE9SCvEcak6SBDBABAn RRHxAUhTpE1KDMibRLTWC7hDcVaDVkJapHsDNNJ2uzxB2y35MQrUEpbGCfPBcTBhxP1ZYK33 0i/mKGjjXRHpu4AsrZP9OJh+9CpjWg91BtVqWNEDasU0dtX3AePq4JzISpDS1rbB8wBILq+F /jvA84XZy2My6FSvCV6bwbOyd8XIr0GsVuoFBEDm15mFLT6Q8bHlfPZPYH/oMcGnMiS/8W7v fw0enn9T/5UBYjacK3/mEcTsvLXkehg4ehiPeRwFc3jk8dAPwFXD4bCrYP3gbeP0e1D4qyhT yD5oVL35/DqtoeK56rcrfAdRNyOGRZYGrxeGqUYrKC20c9o60B0TxbTmYFoq95LXgr4KReSV oKsmPpeqghQrWvANcECdpwaD7gPtnBoJSiwLtEdg/EDpIo8GvcxeEQbSZ669rtvg2OTs7+oK 1iHO711pkDvOqajrQRsrVlMAjA/1djEBdAelw65BIHfSGmrRoEzXzroughIkZFEMdNfkXuSA cknuLnJAuiAFSWVAuiqNEbVADqOJ6AC6D+V4qT8Ytso6+THoG0svpSpg7CWtl9qDYaDUnWAw zJeuiw6ghEo9pOGgXNBlGi+BQfJ46r0azPvMrTzegscX8lapNJg3S9+ofcHXw6uGvgp4f6zL UbZAVsWUqJQHYK9kz7JGQ+idsKmhDyDybES1IutAviuumHqDPJ71whN0/ZTZyhWwjXQM0DpB evvMGZZ7oN5WW6vdQHaIBc7I99dQi2UVyyqWBc92PNvxbEfe8syTmSczT4Kzv7O/sz+Evg59 Hfr698ft3Llz586d8xK5IulF0oukQ48ePXr06AG+T3yf+D7558sbOTtyduRsaJ/QPqF9Atz5 /s73d77/7fXvjbw38t5IqLKmypoqa6B7ZvfM7pnQ8W3Htx3fwrXB1wZfG/zPl8Nms9lsNnBe dl52Xv7923k/8n7k/QjKli1btmzZf36/DzY/2PxgM1STqknVJNCN0I3QjQCpqlRVqgrVq1ev Xr06lD5f+nzp83+7/eVvL397+VsoWbJkyZIlf3s/73563HrOes56Dqznreet50G/Qb9Bv+Ef l/NU1qmsU1l5rw9GHIw4GJF33E6cOHHixAnYErMlZksMbG+0vdH2RhBdJLpIdJG89X7v5/B7 473rYU+JSolKicqLs3///v3798PZs2fPnj2bt/zdhcqpYqeKnSoGDofD4XDA0aNHjx49Ctu8 t3lv84bDHQ53ONzht8v97sLv7oi7I+6OgD1T90zdMxWeT3o+6fkk2PV81/Ndz2GH7w7fHb55 5X/U4FGDRw3++fPEzc3tf58/3OMsG+R1HgOh4e6Kxrp3oLq5cnrh9mB1Op7Y24IcL5+SjoM0 gp0iB8QR8VzUBO5whUvAXGm69BmIG1pt7TVQQosnC/hBPiLlAm0YLU6CeExVqR/wmFtiCrCN HHEDtBTpI8kI8jbXohQfSJ14qMbGX0CzXv7yflkwfV9rS/UaIIp5N/cdCFLS/R63Af9lxouG ZZBZRV/Ovxk4dhv1pkRwpjqme64ELcJU19AKzPUNmnEE6BroZnmOBPVTvnXuBkMT2UcYwfDQ p2/ACsgNsDw1tALrclMtY33IvRDQJ/x7+PXI63txpeHex2cfnHXCM/OjL56awFnG55rHQPAs FlDV/1Nwds6OtJUA/XYt2nUHyq+q1KIMUHJYhdUl4iC/KWpVvlPgsUzXWT8Zcs5ZhlvWg727 GCa+AcNWXXlDNJi+0B8ylALHVHs9+3eg5GLEC5RZcgCfgmbVjNou4GdphigKjrKuQFcP0KaK C9wFW0vR37UWRIBqFt7gaq7FUA7kZ9J0bQpI+bR8YhM4X4qiUk1QakgFRSEwrNG3EWkgpzFS fAFKIH3EY1By5GipBaitRSNpIDirqIlkAFXFIOkuSLvQ1OWgDKcN+8FwRNdYXgRSmjSR+eD6 Vo3RfgVptgr1QHsqPhS1QGvAY8kEcobUgARQO3AFLxAXxXkyQFop3ZYjQa1nCDZsAK0LH0kf g9Fke2CzAnbHDPv3wGPzTaUpiEzachCyC1ubWl6BEbMwuiDkk3yrQxaBtF/pbvgM3o6L+/jR InDdJth+GNSF8lGhQq4597TaCmx7rCbHA/DIUQbLEe+voRb5ssiXRb6Ea6HXQq+Fgmula6Vr JbwY+WLki5FQpH+R/kX6A0MZytB/HK906dKlS5fOS+Te6N/o3+ih0ZJGSxot+Yv9di/SvUh3 OHv37N2zd39/eSMORByIOAByjBwjx4C6Vl2rrv3t9Tvk65CvQz5IOJBwIOEA3K9zv879OpBy LOVYyjEQW8VWsRWoTGUq/+P9J3dK7pTcKS/R0t3R3dHdga65XXO75oKHh4eHh8dvbx8yI2RG yIy/WLCWtaz9h7v9L+ld07umd4X4NfFr4tfA0c1HNx/dDPaL9ov2ixDeNrxteFuoP6b+mPpj gMc85jHE7o3dG7sX7JPsk+yToNj4YuOLjYdTnOLU39lP3U11N9XdBD8f/vnwz4eBOOKIgzZh bcLahP3jcjbyaeTTyAee8IQnQLuIdhHtIuBE1xNdT3QFzxjPGM8Y6LWh14ZeG0DKlDKlTLja 8GrDqw3hQpkLZS6UgSbPmjxr8uy393O+z/k+5/v8/nj5ffL75PeBN+3etHvTDvyv+l/1vwq5 ubm5ublg72fvZ+8HpJNOOiQcTDiYcBDyv83/Nv9buH79+vXr1yEiIiIiIgJaZrfMbpkN93+8 /+P9H+Fy/8v9L/eHhtsabmu47bfL/e7CcmOtjbU21oIuQV2CugSBT6ZPpk9m3rMH7y48S1CC Er//NHFzc/tf6A/3ODtuGJ7GW+CpZ+xnx9uAd3Gv3l6VQL4qpmp7QLKLC+JrEL3EZWxADq94 DjzgKU9B/la6Io0AR13Ha2cPsO9ylnLWA1mTK8tvQOwSy0QYkEWWiAOpEn5kAOXEM+JBHq/h lCE342qxM4Eg1U/Pyq0K0vDSrSu6wGd8k197bYFgS5sjAz8A38Eto7qUgODeVXpVzIbQ1IC1 3h+AcQI/KoNB/cR02kMFZYfumikWlL2612YB9qualzUc1F6OCeo5sLe1T7YUAVsXS4uMPeBV InB4cHVweRW8UEqG+4Y3X72pCTHrzu07ex+edXtUL6YX2Bd77zM+BtNjnyp+PcHZOSckNxK8 nihT5aZQY1TN11XsUPmXOksq/Qz5e+bvnq887DMcrn74BaxN3fzrj6vgh5E7tm3/GtZ4bZix YQ2c+vXC0bMfw5tTSWfjvgPDUZOPXB9ks+6kbgq4rmtnxGdAtLxU1xvkt4ax+uGg/9DUXL8Z PE4YPtAPAcMQxkkXQXogvNXZYBok54grYGgiz5X2AKPFNVEM1AZqAdc4sO50fe0cBNZvbPNd FUEeLOpJZcEn0/xauQGmBXqdVAD0emmKWh4MxaRp6grwqKF8T34wL5M/kn4F/RY5iu6g7laf qLvAsdKpuW6A86iaqHUC12SytH7gmkcbLRacqhjiygDXdW2E2h1cFnWJ2AmuNqKN9jM42on6 IglcSWIExUB+rfPUdwfDVtNXHh5gemI8Z9oCHisIFmXAlGJaJ7UH7xBTvDINsk+lN0l9BJaJ lhPZ9cDvaMgYn0NQuECB6wV9wFRZf87bCoYY4wyPTNBmyUNN5SFnU+4wUR9cg1x7zTPfX0M1 /mD8wfgDhMeHx4fHQ2xwbHBscN4QjaLRRaOLRv/+eO96QN/RrmnXtGsgr5PXyevylktDpCHS vzA29a/HYP8j73oGnzx98vTJ07we38qDKw+u/C/0NL8bWvFuqMe7hDVncc7inMV/+OP4h1wu l8vlAssZyxnLGehSsEvBLgWhz9k+Z/uchcCXgS8DX8LJYieLnSwGuUtzl+YuzRuqUud+nft1 7vMPL4TeJYjNJzef3HwyNAtoFtAsAK4Pvj74+r9w3N55/fPrn1//DJUGVRpUaVDeBRY3uclN qHil4pWKV+DVT69+evXT+4/3LgF+lzgnH0k+knwk706GPFweLg/P62FPmJ0wO2E25MuXL1++ fPByysspL6dAyV4le5XslVeOUpZSllIWiGsT1yauzW+X968vLCNmR8yOmA2nep7qeaon3L59 +/bt23mJc4vmLZq3aP7vP6/c3Nz+fH+4x7lc6/zba00Gg5AfZPrBm+KJHoktoFi5olsK3YGs ajkds0eC/oT+oX4kMIHNVAb6EUQd4JK4wnXI9MiIyDoIATMDPQMsoHUTpbUokLZKEdJIIF1c EbVB3GUM20DaKa+WPcHVJLNMsgLW+rHh8TfAmZAWaL0FwZf6rRqwC/TngrtH3AHnCHuq3QrG LQWOlVkG4iP7F/br4N+16my/NPCYdnHLk6bwqubLC8mrwTaGKLkmuKo4AuwnwbDf4C0sIL91 PlOjQDqoRtuXgVRBCGkz2E56HfL8EJ6/TnqYNBUe2S9PuHgSniY/Wv3gc8jq4rHceA18k7zq e60AOcXayH4HfGwerU0zIOJh0eP5B0Lol0VP5VsJhjv6HcahcOfBvWP3e8C9pjE5z+rA6/jY M2/soIxQtuhfgy1TfeH4Eu7qYz54ngWHvzle66QfVNld0VJuHJRoWPRh4VxQPtYVNNSHxIGJ uYl1Icgr6EDQUtA1EU/1ncE8W6+qXhBSKnROSCfwfGCe6V8NHJ/YLzs+B+ceV5jrEDg/c+Vo nYEGcgvlC1AmiTrSAJADdJ/qLJCWlHPYUgoyG2Xpk0+Bb1fvj/1WgGGXcbkpBbinmPgWXONd FV0/gnOO6zybQe0qBoiNoI0WX5EMaj/xGd7Afp5oK0EbLxCXACvp/Ap8yhjRCuRa4iO+AjzF MdEURGEeiPMglRWqKAvqEPFY7AHhEudEDMjT5NfSSZAKGoubhoDhOy2Dk+A1yN7SehxEsqEo m4BCIkgpDVl3U18mbwTPZv6DXAL8lwS09ysFocfFOWkjJJ1IvPr2BDhShLAkQUZAVmF7JdBe 6T/2PPD+G2yxnsV6FusJt9bdWndrHahX1avqVQhYELAgYMG/HjeiXUS7iHbwZP6T+U/mQylK UQp4uvPpzqc7gbOc5ey/Hv8fSUxMTExMhB7DewzvMRzMKeYUcwrExcXFxcUBhznMYf7robt/ lFC+u5CwGq1GqxGMtY21jbUh5EzImZAz/756vGO6b7pvug9Vo6tGV40GQ11DXUNd4B73uAeV HJUclRywaeSmkZtGQtq1tGtp1yB5TvKc5DmwcePGjRs3/m3cd0MJunXr1q1bN0iZmzI3ZS5E RUVFRUWBiBJRIgqi50bPjZ77r5f/3VhpubfcW+79d1b4z+P/7uFJylOe8u8vXkhcSFxIHKQ+ Tn2c+hjehLwJeRMCYSXCSoSVAOWIckQ5kjd0ybjduN24HUzJpmRTMlhuWm5absLG6xuvb7xO 3h0DBQUFpPPSeek80Jve/J3y/PWFZYvAFoEtAiF1dOro1NHw9tDbQ28Pwa1Xt17degUc5ShH oRWtaPVvP7vc3Nz+TH84cY6vm/zZsxPQ3KNOVDsFzt++8uxKCNi8XD3sNaBQbD41qhYowXJv ZT/QVVQW20B7zWZtFGhl1SzXXqCR6Kt9C9LHoqI8BuSlLJang3O3a6fzFsgF5CSlBUgRUhQD AadkwAy8ti21jALRzXrNXhw8TlcoVz0X9B7hZYrWAO217dfc7iAFKHeMp0F8gkVeAS7f1GBL ezCWDu9XuAb4d6w1tdTP4Pwx+0tbIKRHZi9xDQIaG7/SpYHWTPVxtAYmOQtnHgNKqO3UV2A/ FtGt4CR4sT/7tb0EPC14OfLiSXgWca/brWxIG6ovpV8NHi1N2b4mcK109naUBPmQfFN6DspW nwP6FfBi5pslLztB3OmkT+OzwLbfVtrVHeL3Jf6SfBNspa1lHVVAFyd3VOqBmiKaOQJBtHZl iJvgChN6cR8ydmdH2b+HAz8fO3y6P1y0XMm8XgvkZ/JKnRVyDuR+lHse5DrSaKkkmPObAs21 QBxgp9QGfNr4XvIoBd3fdPBuWw38fXwHBQwEQ1d9NaMP6H807DDUhqwR2YtyksEx2/m1Mw3e NkrpmhgCV6tcr3t7BKSuSRuV6g/BZ0JLBLwGU5apqPkX8MwxbTX7QkWlfPXyLvDqZvT1vgTq Le1zrSVorenJVtDGitlacdAGaTLbQNwWLUQFkD6RRkinQRupfao1A+GLygPQPEWEqAvaMfER H4D0kpqiGUhDtR8ZAtpAESiSQK1JdbEDtCasFzkgW4wLDZdBX40e6o/gUdNa1fYxiPGGqXI+ MNfQ6it9wSplJqXNBTnXOE9fBCI6FiC0DJQ6WvBZ5Ifg84XhjnkpmD/wKKP3BQ9d6JqIhQA0 /COzavy1dwnSmZ5nep7pCeXnl59ffj6/ewjDb6lbt27dunUh2ivaK9oLft35685fd0LhwoUL Fy78Fz3RQxjCv2F2hGq3qt2qdgv219lfZ38dMM00zTTNzOthDw4PDg8Oh8ttL7e93BZqUpOa /5d473okK1CBCn/5RklKUpL3Lrtnds/snuC9zXub9zYoWLBgwYIF84YGVKxVsVbFWnk9+A/1 D/UP9RDaOrR1aGvIdyDfgXwHfvvw/tbsFO/2l9IwpWFKQxApIkWkgO8E3wm+E4BBDGLQP1+f /B3zd8zfEe7UuFPjTo28sdrv3K50u9LtShDVM6pnVM/3H0+WZVmWIXha8LTgafCwwMMCDwtA h4MdDnY4CLp5unm6eXCx38V+F/tB8ezi2cWz8+L5NPJp5NMIGu9ovKPxDghuGdwyuCVkn84+ nX0a4jziPOI8/nG539nVbFezXc2gzdI2S9sshdK20rbSNsjfM3/P/D1hz8s9L/e8BC5xiUvv ++xyc3P7n+QPJ86lyxVrVXUG5M5xPM6+DN5jPX41fwLJO+P3J38K+TxCfPzjIetD6zGpE9ya eW/PlSUQVNv3ZVhhiKn6us6FLhDh71+2YHOIvJBzpoQOCsQV3V2wPRjX69NN40A8kHK1WHBK 6mPXbNC/EOliPzBKtuAFhm/yzQ3VwMtYZ37jDuBqKQdwH2SVB+IAUJy7WjDQ3pirpIKugX8T f0BL15fyGArmgBJ3S4wAvxLxczMyQGtz7soNJ1hjtZ+lOuB6kPM2NQAso7OfOwPAtb7QwdJv IflLz+k+peDVjDv6a8fhRck7C25aIOW5NoX+oDvu9dRrPhgsSje2QtaM7Io5IyC9gXrZNgji J2a0fVsAXCMdPtoGcFRQy2oHQIkzTDdYQC2k9lQtoA1ydnbZQF4u38UC2mbXClcHUFuJc8ob IAdFfQquvs55ajqYq5nqe20DSw1rqNYM1JFOW+5IMA007jF9B65Mra/qD1m+2S2sOlAzXW2l FEgqk2rKaghrx/yYsbMD+Ez0Kel5HsrtLxFX4iNQV2kbtNrw4HmM16NzoBugt8gNwVrd9oHt HFjJ9XKcBMyipDwEtC5KC/kUOE47nqTvA/HANdDxCRiKG1P1HaGIo8DrwpPA74HvvYA5IOao D7XBIN1BEhdAv0LpqmsOrlvqMuc00DqobykALBYuUQaEnTNiOdBcZBEI0kS8RX/QPhcz5fUg 2mjp6jcgXaE8NUALVVuqC0Cup5znLqgLpLMiC+inVwx+oO+pDdT2gjnWNsxZAfjcECLfAm2v qK9bC9ZH6WVSF4Kc5L3Xoz9Um1FvVeWBUPVNtWqVbgHnpTJUBi1KFOfeP92c/iGlulJdqQ4f Vf+o+kfV//H6f51o/da0YKkFUwumFoSWsS1jW8aCabRptGl03q3wGFOMKcb0r8f/vcvLZpbN LJv5/o/bv9ueFnta7GkBH/ERHwE1dDV0NXRwvvD5wucLw1avrV5bvYCtbGUrhLQKaRXSChr3 aNyjcY9/fb91R9cdXXc0RPeI7hHdAyhKUYpCA2MDYwPjvx63nkc9j3oecC76XPS5aNiWsi1l W0re+8Gvgl8Fv4J6m+ptqrcJaEpTmr7/ePmT8iflT4Lkuclzk+eCVwmvEl4lQBevi9fFg2Wp Zallad56hBFGGDRs2LBhw4Zw9sOzH579MG/ozLux7rUX115cezG/2eP81yoOrDiw4kDYH74/ fH84SBOlidJEkDpJnaROUP9G/Rv1b/zh08jNze1/Aeny5cuXL18WokaNGjVq1PjXA2lBrkHq dUhNTduQdAk8Bpmf+u2Duz88fH5qDMS6Yh1pvaCIrui20icgsWt2p2e/wv0FzwufCYbwFM+N +cPgdeGEqfHHoGVs3cN9i4N3qFc7023wM/o89y8I/leCZoW8AHWJaCFmgbo25fyvj0BNU7N1 VcEwOXxnmZkg37I/VyVQY5QZ6lgQslRWXgI6P/Ub6RGofYxt5MKgOyFvU26D1evhhlu3ILPw /sAjcfB2RGLTzG8gu6J9We5TcLzMnWSIBF1igXIlraCmV9pdOgCeHXo0/84cuBN2LN+ekfDk atLgDAvkNvAw+54H3yOeAZ5fgr27daO1CqQUypiZ2h4snR0B1gega6fP0t8H1a6liDOga6O7 YWgL2iy5tpYCtFX1og44ZtnnOGeCOCbqa71AipBq4Q9amBYtSoLwFsHsBZElojUZ5MdyF6kh yI/kfXJ7kC/KA6RqIE2Xlkm9gR8lM73BMc7xRi0Phmh9G2U/qJJ4o90BaaxorjQFySV9zi8g hUr5tX7g8iZJywJdsmzX1QfDIP0leSao89SToinID6XjSn7QtrgixTmgE3OFDvQnTbm6nSB6 aVvVCVBwdlSlfCcgdF9oSPA2yDc47Hh4CQh/G7I7LB2cVudw7RPItGU2Sd8LgWsDFwTeBckg Zeh7gVxB/kT7AtS7/x97bxmntbUubl8ryaPjwwwyuHtxd2lxd9cChRZpgWLFpaWlWKFYcYq7 Oy3u7sUZGJhhXB5Jst4P58w7+7f36b+bwt49MteXmSdZWbnXLcmdOyuJsVq/ANIiG1lGgr7a qOT1B9FJvBbfg7pL+VVxgbeWZ4xZGNQSWiGzNLg6exfJiyB7C6vYDdoiKpm9gE+8NfWuoI92 l3JfhZQlHs0YDq4lRgz5IKGne4K3K1h0+2DHEMi1MFfu7Ceh6uMySonvoEjnIgvzzwE1yqep 9Ro4+luzOv4HJIK/JP6S+Esi2FfaV9pXQhlZRpaRcHnJ5SWXl0Dct3Hfxn0LdevWrVu37rvv 738b27Zt27ZtGzRv3rx58+Z/tTTppJNOOum8b86ePXv27FlQe/fu3bt37/HjUx+qeFu2//LL hJllwWX1lk/ZBqK2ctLnLjzk2dB7t+FCwK3fzm2A0O/9zbyxUHt1jRHVssEr+bLp80HwvOGL +o8Lw5sFsfNTQiBqcFLJyD6gPRR7o8Ph+f2XCyPXg/lhypuUjyHn3BwPcuUAbyHGak5QB5gD XXPBmsOeGPQYzFNqRV8FhK9q1b8FxVTzOmcBT8XnrALKiUO6Ad55d0ecKwVxzU/uP3oH4opv +HTPXoge+tvu1wHgcTEvuAYoDZzNsw8Fa9msYwrsh8B2lQqVeAyvlZj4p7/C9U8O63sbw6OU pzlefAGx/bWvfJ5CwGwf034Z5BS9kr4bYg4n9ImtCgkXkz9PrANMVG+LAaAFKg/EA7ANtG7S hoLoIG7qp0G5JneaK8DbxtveUEEvYtzSG4KcKUfJZWCcMO7qHwN7UE0Bor3SnoMgFXnTrADs l0eJAPO6ecrMB6YuHTInGFOlkB+BHmts0HuBrCifmb+B5ZhWSFQGWU0clbdAXpO1hQvkcqOZ 0RNMq7naDAbTSUk6AfvMVuZZMKSZ1VwDZpzcLteCDJGT2Q9mZnOCWQ/MivIX8xmYZ81w/QjI rOJTNQxet4+clXAWottEf/lmJ3gaeDumPADjrB7sDYfQE6FPM+WEiA6vFkc4wLrEtsU2ECxh lsb2AHi28lmbxwYoq9Wq4jIk5U4p71kHl85d3XJlOkTliboQVRW0QtbV2nLwifIpZO8Ar7NF RcVWgnOfXyp5pRFEzX9TJ2IjZPwtY5uggqDdVG86ooEIZa/yEtRcFDT7gjHcXKoPAcLVu8pP kFLRNcpzDYzL+gDjV4haFj8/IQo8+VNqup+D75eGXdwF/x4ZA4JH/dXh/seEngk9E3om7X3N p+aemntqLpjbze3mdqgWWy22WizYctly2XL91dL+9+OPXhuXTjrppJPO/2zCw8PDw8Pfw1SN cz+d9z8u4PH6nA2vFQfbECOhxFgIau/bKigaXk90Pbt5BYLXeJSgNvDk8JPZj45B3Dz3wwQD zs96fPhZNcgabbsdZIF8W0OalLgFr9TXlZIWgS3cPjBuD9ws/LrNOX8oPCbfqSKVIHBAVk+e E+Car33nNx9MX/mJsh7UaaK0cRqS895Q9vQAy/IM/fLsAK28/5OgO+A69bLGby5w33pcMiIA xC9aiG8k+OSv4alTAfy9GVOy7gD7xOBOQV0gZs3J3dcKgDkqaFTAXXipmDmil8ODfefqnIqC 54OeBDyJh6ihGOpZcIY6D9tNYIX4UeiQ1DKxQsIDSMyUHJD4DJTPrTOUuWCfb99j6QFytBEu X4OnkzHV7QsM4gBvgI5mb/ERyAdmIb0OKIPFh8wCo6/8j7m5c7RsSmkQI42H5mdgG2zLL34E M1HWUKMhOT4pUTdBSVZnYICcQj3lHphDjPvmBRCfc1G5D8oqsZQfwZvLHWdGgnGHUhQGDnFH /xy8lc1Tsj5osfyktALGsFoWBdPLBlkVxEzztLgI4nvxiiAQ0WQ1C4N8LvNTDWRR+nMWlJJ6 I9EbNH9LoDEDzLOyqpwLiRmS0M9CxOpXpV6tAqfdsczaAej14IS6CewDnQ2dLeDhN4+zPbkK Hs3TxywJruuuhQlfQuKmxBoh7eHVk5iTMQpEf5cwI3YVsC5+sLYIHhUOn/vUBiWPfyDy74Lw Y8+mJ++HSL+YPDE1QdSLXqcPBaWZOkmeBrWh8qXND7Snln3yOuR0Z3qdZSuYnZlj5AQtXAzT RoO9pnZc5IMEPW5m7FRQvnQed7SHiwl3Wj98BU9WPi36YhJ8TNH4fH91tP8T+FT3qe5THZrT nObwN//8J9nIxp+4sE4nnXTSSSed/028c+Ls6mSr7FHg8VdRXV5HQHDHgL6nB8CDsU/vpuhQ /FzIw9ohcNBzoen6POBpYBw1N0IOsvvnqQ2ZA7SjGYB6jcv0a9wZaq6v7a57EJ6celLmoT+4 T7nvJA8EF7HZjFrg7aUfcn8J+nU5zqOD8sTyyK88UMLYqX8BIrsY7a4GnuDfuDcd3iStm70z GULqdMjWIyfY5+TJVcYBtl25KzsTQb1uraxOAU4rxbUn4B0QXeBFNCRmudDx7FjQqlk3JUgw Dma5E9YDHt+/vODKHnhW+kbpa7ngdc6U2e6DIGc4/H1fga2p9Wf1B0gumdw08Tm8qZ3wc+yv 4Lmo5zVOgJghjqq1wRPuyuz5AvQW3rVGEfAuMgvIZSD3yDixCmQGaTIRpEemmH1BpIh2BIKI VjvIcSDaskysAVsH22eqH4gaZi7qgFTMICM/WOc4HyiXQG/pXmWUBTOr/tgIBy1cyyPKglwj uxsXgI/FHTEGjA9ltLwN+hK9orkE5AAG0Q7EIDVYywxmFTleClD2yxViIsjNYob8AmQVc5xZ CZjNYT4HESOyi1eAITaJGaAvMuPNTqBGM1gtD2Y9TwPvQVA1SxEGgRqntdJ2QcyAuIxJ/eBS hatzb92AXAty3Emwg+wrb1hbwpsO0U+jc4KlgmW8egz88/l95ZcLPLu8eyWQkJhUOD4OkryJ 3RNPgjFFfs0acB1zByTkgxN1z9RPmAVipqyujgN5jEJqIVDKKN8rGeFB70e3w28BtcREmQLm RG4aP8DrLK+qRGSBvCJbw0ytwP9zvy8ybQNRUC2lVQR0/Y7ZERL8I3NFfw4cFMfUw+Bt73nj TX3LwOC/OszTSSeddNJJJ533wbsnzuvNMQRC0qg3Qa44sBgxKfYrYGvoMz+wArzwE/WuecHy QaaeekNIsRub3nwOiateWQLD4ZO4lhn6jwbfZtZdPp1ATGauOR3y9s7TrJAboh7HT33hhEu3 EmL2/AwBm72TynWBTAXV4tYPwR3j2aIngFiu2W1fgdGXZYYT1Nn+vfySIXBVlU8q7gf7L8Xr 1ggHUc60eiuA7Gwe02+BudFbhJHg+fBV+dvjIK7hzpHb/cDTMfa4nhn8FpbfWqMBvHQkjY2P h6fei0NOj4eITdG3YipCclHxQmkJ/j87ivhkBhmgvzDqQsL5xAwJS8B91ThjDgS5iufiLgin edvcCLK+iKEtmH5yAe2BH2VJsoJsKe/JfiAqs59bIKrTChfIL+VRqQNLzBH4gnmTOXI6uB/o g/RE0J6JEoofiO7iA+zAd3pGvTKYFuOh3ALyhlmcmyAClKdKfpB95Bm5AehMKSUMjN9kFrMF sIFy8gWorUVvRYCIEj3kBjBbSB/agVHOiDNOA5JCcjOoU5Qs6qdgfi3bmpNAbpRb5UQQP4iG IiNYDol2XAatn6UhnwIFMPkR9K/N0twBdyl3ojEB5COzn6wFIq/YqFSEewd+q/w8AnSX0d/I DOoIrbF6DpQEJb/yC0RbYhfHdYNslrA5oc0gpnzcm9jsoLczM8h24DnlPuiNASVFLa42A08G zyD3BaCFOUZMB+W+ckndCpqvJpRtoEwQFVkD4rqaXTVBNpIRYgu83vFmXdItcHxnXfomF1iH WwY7L4PtvC0qICtIq5ZJ6QXuePeOlBaQUiV+eNw2MPY4w6yVgE1E/tVBnk466aSTTjrpvB/e OXGO/+pNg+SxkPmipWXR4tAnsEnk0A5gfRi0yFsDDi69UnDtLPB2dnZwXQefI/bApKawsfmp obPGQ5cizqKfPwXX3uQt4jSc6bEz5rAFnHd9FoZooNdQdhmTId+g4It5r8Hz+XGrIopAaKGA 2c+vgq8jqE2mcDAbm8ONJaBsFP1tp8AyMWxpnk9B+d6vflASMFwpKgXI254j3logyyoHtWOA S1sj34A3+UnSnSXgmf16auxJUEdliS9YBTyJwVf83HB3wK+/HNkAz5c92vVgILyuoOcyC4A2 xzHVrw2oY/hYnoS4m0kp8Ycg8bKrtGswWNrZTPUQ6Nf0YsYRUKxKvLgAsh1rzRjwbvZuN74C DjBVPAM1WqujfgpmQaOQPhL0SXopPQgUm9JXCQSWymFiDpj3zDzmBvAekWPkHvBIuRIDFIeS SVwGfuaq+BXMdeYDcweIUTKDKA7eGM9I/TjQUpQSe4Hy4rhsBUaMXG1mBXWwGqvsAS6KYbIC mI2NT4wyIOvIzihgLjNWG9lBzap113aA3CCPmQKUKmIKu0DLptVR74EcKjPJTqDuF7f4HtTP tdl8BXp740s5AFgjc+ELRlOjlhEJymZNUw4AVZlj7gC9r3lRaqBEaPOVbKAHSa+5F5imn5I1 QQ/VX5lr4HHbJz6v3wAPlC3yBYjlykdmJrDett5QPwTvfa/HXRCMI0Y3cxGoh9Qm2jKQQTLA BMRGo50yEMylYii1Qe1OitwJ5mj5sfYFyMfmS6lCxA9Rw2MrgH+oXxmfpZD5i+D2NjsoWblh /QzUDiKz+AK8SUkrEr8HraP1ju+Evzq800knnXTSSSed98k7J86FBmcaU2kn9Jdtmw/PBD7+ QQUdX0NU/1en3uSBxByRefxuwZ2uT24/LACvXr32efEQlLXWfBlywi7L2SKH+oFzivqzz2CI /c479mkGeFnf0+K305D0c2Jo8iSIT0w882ot+MV5tvhMgex9slbP3BCCKmQysiWDe0dKR08P 4DU97C5Qh4Ucya0BdVJmvtkHyjnjmJEJ9BLKMFESlAPyEZeA8mZRlxe0gQFxPrGgqpnm+PaA DLcqf1e6DbzxcWVPssCz85cOXugAEX3iva6skPKZWK75g62sOd54Csnnk08n6hCbkjwufjl4 mpmjjO6g9tZjpQ5ypVzHj+At6o0wu4F3pOEykkCZSZC6DEjiMfXA2ONdbhwB87UZo+8AbZxy Vv0MRJgyVEwDbzm9o14UxGaqiuIgnpnPpR1kPxEn+oKRWY6QQ0GMZaC8B7IsPXGBvCza0hrU 4SIQAWYuc49cCvKRsoqn/Mf7RzeC2KE0F2dB7BRTyA3ymv5ERgB1ZGtqgubRNmnBIDYoVlEI qMI0eRtEBVFABID5sVnMbApiLh/KFWBMoA4rwXvMpcmOYBaTV2UOsK7SViq5wfzVHCE2Atlk Q8qCXCHGUwfkUzlfBgN9ZR7zAogbcjPFQGY2B8pjYHbjEjPBu9Dcb9QGdbX2sRYCErO32RnM D+UBowHIeWYOeR/kN7KVzAXyhFyjzwalr5hmzgcmqF20K2ApaSmrANT8j2/m6pX0156uYFtp 3aZmh5Sz7m/FIAj/4HXXyNbg88D+gY8bfE1ndPB68MSKCSIYzALeSPc5ME+kHFNuAy1p9VcH eTrppJNOOumk835458Q5l8xeL+uPcLb31cTjjeHYvfO2wzng+ciYb8IDwLE2Q+WYKeDfMXCz owXEKC+Ge2aDbxfnUHsgJGRzzXheHRI2mWcSgOwt/PoGXAf/rwOSyyaA776MyY6sIBy8kjYo N67E2iaX4J7lds7zv0HOZwWn5C0J9LQcsLUCaumFXdNBiw3IlPknkNNsi1gL0jQ26DVAlBN3 lQRQHsphRlOQRaTpeAq2snm6FasLGRZlDMlrgM/QzHvzzYBrk1f/tGQsvAx/PObJAYgZaxTh IzB2ihS+B/fKlJFJI0APVkZRA9xJ3kbGYjA3mdGMAvnE/NxcDmZ9M9RcA8ZE2UFuBaO0mcls A+Ijpby8CSxlPIXB7CsLma9BbmWe6AhmHK9lJhCFZDnWAqHkoB5IX8rIbEAeMZVNIHpSWFYC mWD2l7HAITGBF6B0lylEArdEd5EJ5FcUUL4GsxVWPQXkJPNzagCFGSjWgHFSD5IXQP1BLS6C QH1hqabcB7lNdhSRwEA5VPYD9tCYySDzmHa5G2iqZJBrwLxkVDIfg8xqHBddQGTUuimxYC1t DRU24BvraeUJKDX0ffILMKbzrZkL5BTzjbYGOE0vZgBVyWFmAKOV+Uj+DKjysBYCYjsWkQ3M XrK0PhDkKDzMAUqYsUYOEGOEVcsF+kL9OW1BKSICRB4QZfnY/AhEDpnN/BjMETwQ98CYbpY2 WoIorusyFEzVvCu6gPG9PlCWBk910R0LKOu1WkpmeBMb7ZcyGF7X9At5EwPOqfYo506wvhBz nMch+TOxzMwFngMpB90B/xkkt989UO/evXv37t1/xyEhnXTSSSeddP73UrBgwYIFC/757d85 cT6W/eb6XSvg6eXoxXEDwVnQ2kP7EfQnxhGzK4iw2IVWAzKGZngVUB5cX2W0v6gJmTt7chYu CS/DEqZEtAefB9YQ60l4uP71B8Yy8JsfVyFCA0s3bb7uAM3mFMk9wbP/QR+5Hu6svO7c1hYy jsuaoDeCCpdrXOj/FSQXTbGmDAPVphZ1OkA0co7L0gN4LsNlDVBqEEJ/MI8Ji8gCMpxo0x/E Bu1EpkCwd8301DoI4rs8G/foA7jS5pfcx8vCm69TMnhiIXkN88V0cO61BToDQM8uNokASCrp up7iC95F+mJzJYj2Ikk5DUqkml3rB2Z7fapnPygXzZZmLCiRagklF5iNzYfyBJCdygwHoQiP uAvMltPkJsBGMT4Dacpi8jSIb0UlZQzIXrKrbA5aHcsErSYYC80B5odgzjbrmzNArSwyilBQ bit3lFZgvjCD5HMwm1CarUf/b/QAAIAASURBVGBJsPS0FQK9gpFVzw6mYUw2WwLtpZ0RYEqz tXwNwGQzMyjxSiV1Hyhj1KvqSTDyGJ2M7qAWFgXEZpBZzRSjHMj18iUXAVOtIi4AXwsL/UAm U4YYkAs8RU3ALGZUN/eCjBZt1RXATY7K5SDPyY9kf6A0reUKkDeMYviD+Elk0YuB6K0oygWg oryrbADzkHnerAVkE1H8AGIktYxdQDcZa24G7wfMMT8AcUAuVzMDhylsngKxV+1mzAE5WBul LQWjpNFXbAS1gaJJXzCXyxAlAegi8vEYLCtFRaUOeEvo4wwbRK+PGZRYGkI7BtkTLeDbx4n1 CQirPp1soJ/SKwg30IXn/x0CPZ100kknnXTSeXeUd+3Atc6zL9INxW05bWZzKFm3ZNuEJpDl 1xxlxK8QEZly3TMM7vb/bURERvBp5rqn+YE869/7zTnI07BQwXzlITIiuYzsCGYRbiR/A1FL Ei/e2wivbie0e/I5RJdK3vbiLFy+drXXsWLgMyCkdL7GcIYr1fdXgoStEZ8+HAiK1TbJ0h+M r2RG/QWYh6hnrwjUpafIDlSkgTwClKEen4NSwVwpxoJZhfvmTGA2073B8Cj2zKozURDe7LHf MytEDfMslZ+B9pXtobMOBOzx+dB3LKjLlZ+UO2AGSI3HYI235bCNA6Wuckl9COZSc6sxD5QN ykZlKWihWkGtCCgDlI7KERBZsfAUxF2xT3wJykdKN+VLEDnUIqoDLFktxawXQT6VF2V1sJSw lNBygf2k/ZT9Kli7W5pYPWCrYbtoTwDHWXsfx0hQVik7tP6gVlfraJ1Bu6Hp6hMQe0RuyoBy QPlEXQsOi22ePQycG+13bcXBPsd625oLrC/U4ZYzoEyQKO2BnUZ+cw6IOub3cilYMqtb1XEg TWpwAYwoOZc7YH7DGNaDfGSGmidBJFKVGmDU1zPLXGC2dofJKDCPGKOVayCryrM0BFFb2JXK wCIO8AlQlIXiNYgfxGg1AUS48BU7gQUsYhXQli7yBohK4gNhgJxgFpYtwbSaRZXWoKiKxdoD LMnaFudpkBXNfcodMF7rpdkLTGKzOhKYba6hMhjr9fJmOBhCjzctwBH5TDYBo4D3mP4YjJ+8 mcxdoN83huu9IarPm1mJpSDmcVx4YhOgtbS7B4D2hdKNvWDUMjPrZf/q8E4nnXTSSSeddN4n 71xxdgyzX7CPhfit7mkJjSEsmY+cXcFngnypfwRZwoMa2eMh9Ko20H8h5GiVwao8gd82xa95 tRiyf2ovX+YzKDq/5JrsUfCkzLO7Vx9B4ul402cUaFhmWPKAetfSOSEIlOPuzbZZEHTQXwlY CRGPYgsn14O9NQ7UmBsC7VZ3vDY9LyQ9kUe0RqC0EtFyIMhs4oGcB2QkWukC7BHtZGswy9NO 9gXlgNJGiwZvg9hrcWXghnq+15kiEDUkKTRpKSR55TDle3D2drT0CQVlr3xpnALvOPcpdx7A IcaLraBcFt0UAUqcUsMMB32+56Z+E5Rx4qbiAtFcK6NWBXrIDuIHEOuIM74EaeeIbALUprs4 Dubn0kI4mE6zrGwOyg/KCvUnUBXVqdYDIYWpnAJDNVzGEFC6qzuVH0FsE8eUM6AOsRjar2Ae Mkubp0Efb9TVb4M2Wx2vLgJjmZlkXgYmywLsB8sEtaoSD+KpEq9UAaWB0kWpCsYNvYP0ABWY LJOA38QKpoKYKgaJq6DNtrVSfcF45nrguQTmYT2zngWUioqPUh5IML8V0WCWFDlEJRCzZSkO giyj9lKfgpZZ3ag5QCbJeDM3kIeVIhNoN5RR2odAV4HMC8wUw9VRIOYwhjogbMpA2RnEc16J JyB6qwtEHrBetJXw8we5CruoAuoCOip1Aa9ckHgRvDM9I1IegDnTaKCYwHDzK/M5KNvlNfYA NtFfNgMz0FynTwV1vdpRSwBxSuZXioHjmGOIfRko67UmtjuQMCWpgHEWPIu9zY1AUJup/mIf yAhp9y4B2v7VIZ5OOumkk0466bwv3rni/Lp7ZKaULWANsk2z94JgERKZuyW47EpU3CWwdKWo HAv6OuvSlNMQEen+JiY3JPdLzpuyB66Vebn+4F24V+P56Gu1IT76TV1ZDixRjnH2e+B0BJ/x XQps0s+r50B2MnoZ9+BRgfvWZ8GQUDrmqtoLXhw2Lj6Kh3urHg5ZvASct+03rPXB/Jp6hgtY xhX1CHBFPJQmkFEu5wdghdnW3AzWuZZaWjK8Hn6nys2r8LTTg54PPoE3UZ4Tuj/IIDHdooEt wPZGbQauDZ7KnmuQXFPXPNvBzC2vmVbwrPSU854EY6pxQLeDdsryxLoQvMv0SsYGkNI4ay4F W3NLCeUxKMe1rpoNVE2tqV0AyzhLE0t9sBW2fGYJAq5yVVYHilNSdgAG8in1QOwRu1kHspbM YdwH188pI5LfgLe7N9DTE7zF9BdGX9ANI4+xHdQwtZiaAsoNcUGZDspn4jZXQCpMMm+CuKyM V3IBY+QaOQhIogRjQCxRUrgCcqfIxBegLde2aydBn2h+b24FtYlcLmqAbZi1lG0KqM21+9aa oIZoTvUHkGVlEVELpMWcaC4HM5yp5Ab1RwapCmhPleYWPxBrKaZ8DWaMaaUpGHuMZ2YAePt5 u+hbwLJC7NUKg2WJ4mO5BNa91s+dj8H8xmwii4BZXN9p7gPPwJTbiTPB80nyg4RykFwrqV78 MDA+8C7VK4FPHT81MAWy3MkaWaAgBK0LXp7zItg6+fTLsB6cgYGNMn4MIftDp+acCYHfhnTK nhcc/QLGh/QDv6pBA7I0g4zHMi0Ms4Hla8eqwCLg7apvUUuD5Tux3FgEWidRVRvzV4f32zOs 9rDaw2pD28NtD7c9nLZ8et7peafn/aul+79D2bJly5Z9izsWf9/+r7LXv2q/cUfijsQdgS83 fLnhyw1Q7Xa129VuQ5WBVQZWGQgDbw68OfAmvBj3YtyLcSA/lh/Lj2HWrFmzZs2CWv61/Gv5 Q+UVlVdUXgEDlg5YOmApPH/+/Pnzd5hM9a52+lfze/b47+Ivf8TlcpfLXS4HgwcPHjx4cNrf vyf1U/ep4/q9v/9X+av99F3j8Z/1g38X71xxzn42YzvrDciyKNtOv2AI/yH6XsxleOp5si/l CCjN1ZmuMeB5pJRM+QredIg96D8efIKUjo56kPKDbJbYGNx19U1GdkhO9Jaw9wH7/fi8caGg DPA/7o0Ho6M2Rx0PnhTTz5wFynnRJfExKB9qTZJGwbNub7qGZoelH+yaumkutG9Yzs+RHUr0 q3a+x0RIXO86nJALtFO0tGogM8iStADRQgSoVUCOMu64H8JvZS6Wu3gOorrEmLHtISHe85KT YClhv+5YCGqouKl0guTTKXWSPwN3ZznHDAJyKJFaLbBMsgzSdDCnGo2VqUArpYdYBdbZ1lHa OjBXmz+bB8A8KueLgaCd0DaoZUGOklPwB2W8MlqZAHKW/M5YDZziKZNAnBa/iP5grjA3yLWg 9lS7KpFgLafVs80Hda6yRBsM5hC5jk7gjdNHGftBDVHzKp1B8RAt1oHe2Fht+ID2qfZIqwtK gqpY84I2RXUqBhgpxiMjHkQDYRc1gNMYcgBYB2vltBEgK3CTb0EpJ6qJQkBtuQ0fUC+LqWp7 0EaoS83GYAQZVYweIIexxbwCROGUX4N2QotRG4MYJB6zBMz+RkFpBRlp7pS/gKjKRLERiBMj lN9AvaQ8UUuD55S3hGcBWI6qO7QA8FZxn3a9BO9R44hxFrQb2hXtZ1BrqvmEL5jlzJb6T8Bi 8UTzglJXK6A9ASO/uVq+BL8rfrV9vaDmCXqTIR/Iq/pK4whYaloVbR84fW05tThgvnlUPwFc oLO3Jli+USaTBOpiMUvNBdai9oX2iqBVUW4oJUDpIIYpbUDdrTwWUwHo9teF99tzNP5o/NF4 OHfv3L1z94A61KEObAjaELQhCIYznOF/tZDp/AOnup3qdupvPO2vste/ar+pJ9zDLw6/OPwC unfv3r17d8jim8U3iy9M6zat27RuMPr06NOjT0NPb09vTy+srr66+urqMOjMoDODzoD6ifqJ +gl8n/R90vdJ8M2Sb5Z8swTmnpp7au6pd9f7fzd+zx7/Xfzl99A/0D/QP4CpiVMTpybCU89T z1MPGOeMc8a5tHbeHt4e3h4QPi58XPg4GFR5UOVBlSHwQeCDwAd/9Sj++/BX++mJ2Sdmn5j9 9vH4z/rBv5t3rjjrdyxJroVwt8nDV4+tcGX6naV3dkKmatmq+haAlIsy+fULiLwQXdJRAZT7 Isi2HSJXJHUxL0DMgLi8/jvB29Rom+EA2PoEfRb3AJIreXslLoM3B55mTVIg7uTrie4JYI4z bskl4PJJmapWgdeJsZ3imkNEx+jS4ePhbr7wl7GfwoqLh5tNiYNw253eRyaDPZu9jV9dMLOb BfSuINaK/bIVKA+1L5Wl4HoQuS2iIDy+f/PUzTcQ0yZlrjsaEusYU1kI1iqO72x9wDPGW8C4 DCk/ehalZAK9MqVJBGOJuccYCkIRN2gK5kmziQmILqzjPmgHtH7aSrD01z7WJJivzUryN9A/ 0hvpu8DIbAQbjUHWlHVlfzAXmj+b60AuNQeZu0B+KmvzE4g8wiNaAIvoxnpgDNfMJGCRWC8r AkuZoQ8GEcZuQwMeypccA9FFmadkBnWZ+kBtCcoSdZa6CSwLtc3aTJA/yd1UAjbLpaIkKAaT lWsgXJQSu4FRMoVfQBY0x8nboK5QWiuDgI0oyn0wpphLjXUgOoqBigKiu+ihXgc8hItqYFlm 2afVByWLEq10A+t16zXrCZDPcBqxIG5RQTYDGWx+Y5wDPUiP16+CXGs+kw3Au8kY4i0FSUvc 0/X5oC8zxuIP6mt1nTYB0BDiI/A29bbXd4N3tneBcRxkJWk3NoDeQz/kvQfJvya3iN8IETVf XnrSCqIXRg0MnwvJHROaRb4AM8FbLHE7JGVNahV3GuLrx+eI6wBJzqT7yV+A63N3mPcxJBRM 6pMSBAmuxKoJoyDuSmKPxHjwnjOaenaBrbU6y7z5/gL1YPTB6IPRaZXgFjla5GiRA5pNbDax 2UTYPnb72O1j09rHxsbGxsbCiBEjRowYAQ23N9zecHta+5Efjfxo5Edp7caGjw0fG562fb/y /cr3K/+Py/tc7HOxz0Xo3Llz586d4Xa129VuV0tb37t37969e8PkyZMnT56ctnzni50vdr6A rxp+1fCrhrBv3759+/ZB69atW7dunTaexo0bN27cGJZdW3Zt2bV/1ENqJWTVrVW3Vt2CDgkd EjokQGJiYmJiYloloklYk7AmYWmVjNRx/hHvW66oHFE5onJAf7W/2l9Nq4ylrr+58ubKmyt/ X56pb6a+mfoGmu5uurvpbphfYn6J+SX+sV1q5eb37PW2+nlbuX9vv/8sraa2mtpq6u9XuiIi IiIiIiB0a+jW0K3Q92Lfi30vpm2X5UWWF1lewK1BtwbdGgT2KvYq9ipp8dKlc5fOXTqnxUEq uq7ruv7Py/l7ek/VX+odm7p169atWzct3n489+O5H//mRP9n/TVVP3Pcc9xz3Gn9L1iwYMGC Bf+8Pf7IXybtmbRn0h7YtWvXrl270tanJiwNnjV41uAZvDnw5sCbA+/Pzqmsqbmm5pqakCtX rly5ckG2bNmyZcv2j+3+/wplGcpQJs1Pyywss7DMQmi0vdH2RtvT9Pu2vO1x9O/tlJoApm7X pUiXIl2KwPOMzzM+z/iv94N39dP3Zdc/G4//rB/8u3nnxNlbxAj3nwjeqGi7ZQD4ZDA9Aa0g 4zUnmX6AwplCt4Y8AkdGH0tsP0h4rPR71QC0VdYy0dOBx4lDojRwl9F7JTQFYsV3yS4w5viW j7sKvtvsHscr8Mmk1rEOAUrr21y7wLbPr5drJHhGe0pZ3kB4w/DbygVwfZky11UFtNoBTUIO wpJKWx8NnQUJc8L73joD2nDbZz5PwQzV+3p/AU5qg5UAiK73qNjDcvDsyQv/50cgJjYlxFsR jNdKBfU0WFKs5y19wZXo6e1+BckTvMXdTUGUES4xHWRu47r5EgxFr6sXAbMJrc19IIsbX5iP gFiznvkpKIPFb0IB0ViOEavBzGs6zJzAcc7J9mDeNK8bFUEMET0EoEaqKSICFIMatAT52shr VAfjnB7jOQn6G3ON2QxkNumVOYAhMjcrwVHXptmjwLrN0s4SDNbsFmkNAWtrS1FrLRAFzTey HPChLMpCUPuoA9SWIB4p34nFoEQr5ZVRoPZQgpU9wM/48xuYA8yHpj/QhKz0AvOa3CGXAJvE dY4AsWIqVUFDc1nzgNZTK2ezg62+zeaTAo5vHZF+VcHhdvTxvwGOus6dfnXBNsZayLkT/Gv4 HgkqBH5N/R8FNwFjgpHBeALmNe6wH/xWBEwNngVaW1tZ+36QxXjIZvD66h30TGCcNQqabjAj zaqyCriCkm8ldQfvV57AFCvo7dw5kz8G1/aE32I7witHxJQXN+HxZ4+W3LfDo2+f9X9yAcJb Ri6MnQ7xXd1bvYUhbqX7LPEQPjCmT0pFiDyW0sIbAjEtkuL1UxAVHNfNfRBSTnpaGftBeYjF rP/+AnVitonZJmaD7zt83+H7DrD16danW5/Cwj4L+yzsA790+qXTL53S2k87MO3AtAMQ+jT0 aehT2PVi14tdL2Dbs23Ptj2DsPFh48PGwzdtv2n7TVuYmHVi1olZ07ZfVGZRmUVlfn95JWsl ayUrXFh4YeGFheCZ65nrmQtRUVFRUVFwdenVpVeXpm13qd+lfpf6QeXrla9Xvg5r7629t/Ye fFz649Ifl04bz/Jry68tvwY/nv/x/I/n/1gva1avWb1mddoJI/XAnZqo11hTY02NNTDz15m/ zvz1j/t733J9k++bfN/kS5tasG3btm3btsGnyz5d9ukymFFwRsEZ/4+3pdSqWatmrZqwtMLS CksrwKrVq1avWv3/8JPfsdfb6udt5f69/b4vUk/oe7Pvzb43O1iWWZZZlqUl8BG7I3ZH7Iai 3Yp2K9oNyl0ud7ncZRgeMDxgeAAcmn5o+qHp0MPbw9vDC9lfZ3+d/TVMaDKhyYQm7y5f6gVO YGBgYGBg2gXY1tCtoVtDIaFDQoeEDmnt39Vfy4lyopyAJZeXXF5yGVZUWVFlRZW3t8fvtatf v379+vXhQO4DuQ/kTlt/5syZM2fOQKFOhToV6gQZPsrwUYaP3p+dUy+Q1tRYU2NNDRhWa1it YbV+v/3jzY83P94MSj+ln9IPGjVu1LhR47QLzcZhjcMah8G1AdcGXBvw9vK87XH07wmpF1Iv pB7saban2Z5mUHtd7XW118H0o9OPTj/6r/eDv+dt/fR98bbx+LZ+8O/mnRNn+yRvN+8+CF7s v96nKYQ4/PdZuoOS31xrVIC4VUaS4whoTcz7sh4EjtL2Z8gKtsW2VcZFcF1QskdsB08p747Y OPAkJGX3ywA5L/r3y5IA9orygd4QLL8lLlCjwHHByGMrDZYpjo3yCWR4lWWStQSEhGQopw+D MHfwXJ/CkHw2yqJYIbyVa1rKaVhzd0PbL/sCsUkytgaIBZahzuag7ZJVaA4R5581ulcI3hSM aZ7ogtjX+k7zFKgZLULrB2KCKK/MhqS8KS8TOoJ7hZ7gmQ5iuNHU/BnQqSVWAT+bg0V5UIfw ufIRyKtM1y+Ckc38Ro8Eo53hNTYDixhFOTAbm53kWlBsSoISDMqX4kNWgaW39qmoBvJ7Disl Qc2jnbf0BXFTGaFmAOO+mYNpQCZi5WEQbUR9pSowRExSJ4FRWy6gO8iZ5lTsYGzRx3g3gfJa bBc7Qe2vjlHLAJ1owD0Q3UVb0QXUlapbvQF0Ff7sBeVHtZLaF3isxAoLiLniLk1B2cA5FoOq q3M4Ddp6Za9yA8QdWUYMBq2l9QftCmSalrV+ruGQ5VaW5vmd4Dcx4GlILghcF5KYsS6EujP/ mrMqhGYLK5rDHwKvZiyZKTdkapIlNPcosF9zTghKgkw/ZJmdtx0oyzSHOgaMA/oc9yTQR3gj dBPMr4xT+jdgfm3s9h4CucY4Yl4BcwPTlFIg8hBnDgE9yfDXG4CzpP+9wMNgHWUb4GgBRgNZ yagBSQ8S9sddBc9nrlXJZcCcbn5nrAHLPssB2wRwNHfWDJoP9mW2ogFZwPxItHY8gaSR+i+2 TZC43pOZ6SADlM/UQe8vUFMPkGN3jt05dicsX758+fLlaQeYGd/N+G7Gd2ntT3U/1f1Ud+h1 pteZXmdA+UT5RPkExGKxWCyG7nO7z+0+F052O9nt5J+4hZeaAF9cdHHRxUVplb5ySjmlnALa Ve2qdhWip0VPi54Gl5XLymUFKlasWLFiRVhacWnFpRUheGPwxuCNsH74+uHrh8P88/PPzz8P 5o/mj+aPv7//Nq3btG7TOm1cqVNMmu1utrvZ7rR2LSNbRraMhLPzz84/O/+Px/W+5UpNNP5e rirLqyyvshzm95jfY36P3+8v9YQaEhISEhKSdmv6bXlb/byr3H/E31eonmx5suXJln8c9z9U sEpTmtKwo9GORjsaQd9FfRf1XQR5DuY5mOcgTG0xtcXUFv+4v5xTck7JOQWqOas5qznhWcZn GZ9lhMWXF19efPnPjyOV1FvhqRV6TdM0TUvzg9QLsT9rj7+nbN+yfcv2TavA/1m/+D1SK7YP v3z45cMvIf7b+G/jv4XdE3ZP2D0Bmr5s+rLpy/dv5xkdZ3Sc0RF6dO/RvUd3yPhVxq8yfvX7 /QdvCt4UvCmtkrt50+ZNmzfByiorq6ysAm/2v9n/Zj9M2jtp76S9f8Ku73gcbZKlSZYmWf7G vlEto1pGwaW+l/pe6vvv94O39dP3Zde/54/i8W394N/NO89xto3XrihlIPEXt7+lJZgBmr/V Da5Z+ksjCTS7bXfSWJB79dNyFoiy5l3XPHDmxsI4iBhg/Gb/GGyDtMMpi8E2QfnBuggStsQN xx/MM+7mSbvBmKK0dmYBvxFh5WwxkHA7sYxPJXh11PUyqR8EPLGvUTdCQH3O+hwH+/WwoXGR 4God390vEi50Dp/wYgUU7Xig9dLyUK1QvUZ9toH4TPWK4RCe497UJ5kgxpWS7KoG7hv6Vj0P OEr6fukoCuYlOVAOA9dQV4zrAfCEbeI0GOXkFGMq0FuOV56BuUNekgtBDGcjK4FD2OUWkLvM lbIN8Fo0lOtAHFA8YjlofbUG2udgzjdnyyBQpdZC+wTMMWaSuQ9Ef+EUxUBdrW5QWoJ5xjwj jwNj5QEKgDKCA+o3oGQTiuIF7ZL2RtQB/Y0+Sn8GopCaX00AJVmUFTNBmaYcFK+Bl8Kp3gA+ F/15BarQymg5QHloCOM8sFm+JATkYSWrfAKiguyn9gdRRASIU6D8QllygZxPqGgK4rHwWlzg +1PA/YDLYD/nI/13gp5NP2vcg7hP4za8ugKsN6KSKoD7h6RyUVNBWNSs9hcgT5rX9Y6gf68X 9EwBdYAaFjsB/Kb47rMPAHerlP4pdkioEP95TD8wL3pKemeBUUwPdQ8D+SEVzPYgJ4ipykrg ihil3AZxlFeyPOgBxiciCGybnDEBJtgWOL/zHwnJ7ZOJtIB+xQjw1oCgJ/6ujNEQ+HVQjywh IL5Sc/MxiKIa9lugVbKUdZQCmSyLUQ+0JK24dhO0fOaslI9Av+vpmXwF9HaGwhBgy9tG1H/N 9wW/L/h9Qbj74O6Duw/g2pBrQ64NgaUnlp5YegIYzGAGwxzmMAeQpWVpWRq0fdo+bd8/9icu ioviIpjPzGfmM6ATnej0z8tT/HTx08VPw73d93bf2w0Xil0odqEYlNpZamepnWA9bz1vPQ/7 W+1vtb8V+K3yW+W3CoJuBd0KugWfVf6s8meVIXRf6L7QfWmV1apVq1atWhV2sIMd/4/922/Z b9lvpf2OzBmZMzIn1NpTa0+tPUBZylIWsGLFCmKamCam/fG4Um+Zvi+5jB+NH40fwWxltjL/ i29Ipl745CIXuf6L/lIrq+/K2+rnXeX+I+YUm1NsTjHwdvR29HaEz2yf2T6zwcsmL5u8bAKb Nm3atGlTWnv3Kfcp9ykYEzgmcEwgHH119NXRV2m3fgfdHHRz0E2wDbcNtw2Hc73O9TrXK60i 3aN4j+I9isPnPp/7fO4DB7ce3HpwK+yK3RW7KxZGM5rR76BfcUlcEpeARjSi0X+x/j/jjWCC CX53f31ffvF7pCZStWfVnlV7Fuxov6P9jvZwZemVpVeWwsSvJn418Z9IZN7WzqlTgY72ONrj aA+YUXZG2Rn/ReKV2m7GkxlPZjyBxnMbz208F0KjQ6NDoyGUUEKB4GfBz4KfwfNPnn/y/JO3 18P7Po4qi5XFyuK0fv/dfvC2fvq+7Pq28ZjKP+sHa/3W+q31e3v7/lneueIc40z40OgK5jg1 g6c7eD/ROxIPL7dHDkv5FvTvk4SaHYIqq6dCfoNMGQJ+S3SCGm6cE0sg4yHfhgFTIGOjDJ+L 2WCpbakd1R9CQ4MPWYqAs5tfRltf8B1ta8B2iJqfdCrmDOgZ/T1xyyB0cLZpKRIyfBCwxFkY lO32kcyAxHxxXZgMrlduf++n4DnmuJvSGtYFnOu6vjvsK7YzaMlScFd7ueaRH7xo8sTxPAzi OnoCvPkhebfxtTke1CaWLpYfwNtDz+M9AK6RnhTPMJBFGKLOAdbQWakApk3OMYeD7EOs7AfS V56XD8CobUbKDcBE5bnSCsRRdYfyOchFFOMLUFqxQNQC8aN8zUPQ8+vn9HNgDpF+8hHIK/JX eRyMNcZ0cxHgJBkJ5gXzmLkPZG/Z2+wJ6iR1rjIUlFZKO1EP1FHqBGUeKD+LRaIbqK/UcHUH KPuUfco0UL4Xk0V+sJS2DLR8A1pLZbuaD7Si6nQtCjSnVl2rDVqSFmMpCdbK1pu2/WDZouWz +oOcJiJEGFiz2fysGvjU9X/qdxWsA+377DlBNjSnmTMgMe+bpREXgV7e2UnlQLkrsmn5gMny pvIM1Ouc9/QHpaJcYIwHyz2lt1IIrN0tb1QVfGb524MuQHDtkCsZV0DOTLmHFHwNmVpk35QP yF4s770PAiHHpXzzS1eEsGm5Py3xJWS9nWdOiTmQ5Ycc8wofhexl88aXKgO5tfwLS68BtY41 d2BF8L0dPDijG/JX+GBwtZMQlDnMv/A9cCwOfhOSBD5B/n2CCoP4UGtpKQzGU9byBajLtZXq bpABSa0jD0Firujvnn8HKZ2TBqfsAaOSsUj6vL9Abftt22/bfptWCW0T0yamTQx8+eDLB18+ gKs/Xf3p6k9p7VPntK0YuGLgioFpTzWn/l22fNnyZcvTEsJ/ltTtUysVhZMKJxVOgs31Ntfb XA9KmaXMUmZaxWpl1ZVVV1aFStcrXa90Pa2fK1euXLlyBQZcHXB1wNW0KQGplYf/n/+sMP4R WSdknZB1Qlql6cKFCxcuXEirTI4cMXLEyBF/3M/7liu14vL3c9DPy/PyvISvMn+V+avM789P fs9eb6ufd5U7db+/a6+mWZtmbZo2d9G6zLrM+jcJQOry1L+pt7RTK3SpF26p/ncg14FcB3Kl 3epOnTI0r8S8EvNKwA89f+j5Q8+08Ue2iGwR2QLyx+ePzx//7npOfbtH6pSS1LmaqXcoFolF YpH4m/G/J399Wz9423apUzbmG/ON+QbUvl/7fu37oF3TrmnX/ri/t7Xzuvvr7q+7n5Z4pf7N sjPLziw707ZLvcOW+lBj+wLtC7QvABsfbny48WGavKl2rlSxUsVKFd9eb+96HN35cufLnX9T md8SuiV0SyiUvlD6QukL/34/eFs/fV92fdt4fFs/+HfzzhVn++1M4THlQKz01vFkAu81r27v DYm73cPiLBD0iXwcuggKtM68IMswCL3p2yLjt3A7wtLjRRC8ir/f0cwI9rNKqYCOICaK5OQ6 8Gp50gtjGGhnY8tbt0Bw5+Bh2lnwlAte82YkhEc+dqScgAwtHHX9p0NSRf8qXgVISOjt+wP4 DfD3yNlg6xQi7BPB44z47vVwiD3jrfxqFpyocO+jIwXB2J4UZZkC4eviK7tWQtJLt8N7AUyL yGmuA62G9qE2Blw/6Xk8TcBbwqjt/Rr0mZQV80AMMxaZvUE2EJvYCnKVnEQ8mPPNkUYoKCuV nGIXmC3M3sYe0EfqX+lzQRugLbSMBjFMXBFVwdhgLNBnAvkUUxwBI59nn3kBuIakLih9xBTR BkQBESMaARWYxGAwfpFNjQxg3pFr5SaQjyklfgRznfyQWFDXis/lbWA1kxgJAnFJvAZZT9bn DRjH9Xn6KlC+0MZrp0G5oRwVbmAS2cRJkB/Jp3INiMlCUQsDD7VQZSVowlLEmgSWebbnjtYg 74kF1m9AuSvGaRXANTEpR2JrMD9gs2c7yNJqWWsSiCjFbV0A2ibx2DMZNKtqVcNBbW075FwG IoflsVWCz9c+uwP7glpf22mrDbqUQ8wEMHvQR3wJ1tc+C/0HgriMv9IQ1L5aa6sVaEdOtoP8 lWC5HpQwspo20BTLXetQcA1LSUq4DNYCql3vBwFd/X/N9hOYE5hqFADlqbpcLQ5ypCzHETA+ NYWsDqK92CB7gL/0nWW9CvpF10D9HLiea2HWs+B4ErI4rAdYwhxzfKuBGC+GKFOAYe8nULud 7Hay20noXap3qd6lQIlUIpVIUFeqK9WVMGbRmEVjFqW1H5VhVIZRGWDq6Kmjp46GZnea3Wl2 J219kR1FdhTZkfZwyx9R+Hjh44WPQ6dznc51Ogc/8zM/A5VvVL5R+Qbc9rntc9sHsoRnCc8S Do5YR6wjFiJzROaIzJE2tYOSlKRk2sMvqQ8Tpj4FX9osbZY20/Y3a+GshbMW/v8F9d9l/Pjx 48ePh0lfT/p60tfg2ura6toKjlWOVY5V8EXWL7J+kfWPx/m+5Rr14agPR32YlmiuC1sXti4M nIOdg52DYWzmsZnH/gsS57+31/hK4yuNr/TP6+fPyv17fvJHbB61edTmUcAoRjHqH9efmXdm 3pl5QC1qUQuuV7pe6XoluM51rv8X/aVWuO7MujPrzqy0E6+nj6ePpw9UMCoYFQwYmXNkzpE5 313fqQ+PTdYn65N1aJCxQcYGGdP01Xpn652tdwJd6UrX9+evb+sHv2eP32tX5HiR40WOg72y vbK98j8/RePP2jlny5wtc7b8x+XWqdap1qlpv8MmhE0ImwC9C/Qu0LsAvHj14tWLVzDz+Mzj M4+D5QfLD5Yf0uwwdPrQ6UOnv72873ocffjhww8ffpj2MGVwruBcwbng6/tf3//6PkT3ju4d 3ftf7wepvK2fvi+7pl6A/bPxmK1KtirZ/ou52r/nB/9uxH/MZZOyQoUKFSpUePsOenww9n7x vVA6MN+u8vXAFaVf8PwK587ceX7qCgSsdw70GQ2Zy/hXyPYSzFfKXks3ePP81UcRF+DOwkcl 4hpA6MzMJy23oMSNTO1znoMnzd70dnvBvwU1zP4Q2VKbGD8UfGzBQ/SWoNwwKsiF8GJVXGl3 LQjqLQ5lWwDm08Txyb9ApmlZRmeIBf+b1l0pdyC2ZJLD5QbvVu1A7HTIfS24ZMU+UOBxsKuu A7ZfXtJnyTK4UvppicfXIOVT2dG6BMLOZBufOwYSo5M2xm2GZ9Ne1H+yF4z8Ip/2EMzjhk12 BRTyyOsg2nGTZWCGStMsDHKfPCu7g8glmot2YJ40D5g7QcmpDlYqgbJWXFEXgrxjfCFfAg7R V74A8xO+FpPB/MW8aZwF5VtcNAbKyXWiOYjKygUxAoRbuYsOloIa9oYgHoml9AFljBIhb4DS RzmgbgElXN1qmwTaCe2B2h+0EO2OrTPIKeQ2N4C8IVOkC+zH7Vecj8Gq2TI624D6XCmqlgIl ozrYehYsidbPbVlAidFeqF3A2C+6sR2UsuKR5Qhw2ww174I7wlU9aTawi4nGJ+DoY+9qfwXm KuOspyXoY1wjUr4DraK2wzoYRDnLTusYEN+rq6xzQS5gldoNTMMMM1eDPCVCNAXEM2W5shfM 3eZhfQG4lqU8TegAii97ZDzI2vgrncEbYTZWS0LKhIScMRfB3d+bkvIpBPcOrhTyGfh+75sY 8hW457p9UoqCftZ8mTwBLMuU7eo+sOR1DA+uA+5od1vPagj8woG2EJQD/OAdC7E1EzyJ34K6 wfrU7ymo+ZRGRINykKt6XshRNmOczReW2JdeXvzLvz+w00knnXT+LKkVyMvqZfWyCt91+K7D dx3+/bfE/6eSescmtYKczv8Ozp49e/bs2fdQcX41MzaP6oUzPzwIu30G5G7Pk4RREDLA51un Hyi63wnlLES9tt6L3AoXE85GvrkIvhUcp8RJsLWSFdQ2kGEuQRkmgJrfN6c5AfJccaqWy/D8 7NMn0XGgb7NOScoGcf2T53lrgJbHPO4TCs4hqrTMA08+d4JcBc5tgYPFEUjMK5a/bAGv/GJv 6YXBtsvW17cY+A03c/hOhXIjCuyp/hwMJbalbQrEZI//JWEcuL4wyhp1QNmsVRIfgtilnpWn wW1xf+RtAkYlfZm0gIzUipkC5HJzgtkUZIjMJq+CrMBgmRnMs/KYjAb1ppinWoBsHKY5yHzy EVFAT7OXOAjGWLnZEEBNXBLgjmwgZoI8L4KxgTJQOUZrUELFZ+px4Im8LWJA+slT5jKgpSgt KoDxgcxhZgNHb9slZzCoU7WeqgrWcfZPfX4D/x8DXob8BuKg+Ey6QBku+lkUMK1GV88qME3j inkCbL/ZrfaFoOW3DbUvA/lEdLA0AzVZHaEKsJxRt2ofgR5nFvFUBuE26no+AllZGkZ1UKpp vqoHfM74jfZJBHOgd50xCog2O3m6ghA8YyjYbvu2CvSClllrpoWA2kv72f4EzBPGT3IYiDOi ibwNZkuOyUmgN9DbG9XBvKGfTykM5mp3keQjYK0nfYyb4HloBBEL7q+8C/WcEKtE/xRTGJJm Jh+NyQLaAJrIMaArrh5Jv4JZJct9sxPYSzgK2r2gH/IYciuIsso2OR+8m5KyxI0FOU32VIfC m73uqkkuMJebBfUWIHpaL1j3gjWLMdm1GYyx+m/yFQTm8J3hWxq0fjjV28DyvzrU00knnXTe jt0Td0/cPTHt/bpT506dO3Uuv1/iTyed/0O8c+Kc41Wm5cqnENfddSqiNwQcUFc560CGjpqP YyXEWJKzJTYA9yjtF/1zKGYWCPI1ILmcsUT2By1e3WyfArbXCTcto8Esn+Ly1oVAM/Cq79dg T3G1NiaDj5+YkXUUuNfbP3v9EtxXjdkpJ4H93gaOliAWMigmAlzl9a7addC2KsU1BYKGhLQN PgGu285rrsFgjokZ5LgCIV8FWHOFwK+3TnU5dhg8p5jPXtA76N+Z48Gy2VpMtAUWijYEgneq MVAPBmugw/SZBZYbziC/WNAjvEPlHeAyDhEA9okOu/MC2IbZrtuLg1nA+E3vA94juvSGgXJX naD2BSHprfwMxjyjg/4JKFeVD2UyWO5YI/2qgmkVD82ywBoZITaC9qOlrm0V8Ebm5QgYwd4w 9y+gDhZljBKgLbN4rQVAi9QqWvOA+qVmtWjAUkUoX4Iln2WcswmYvyKN/aANUnZrn4DoTC/Z EdTy6nw1CIxPzAt6DuArHil9QIwXG7gCbJM15HOQzWQfvRpobbkmD4DqsPZ0lAEjVrZRnoKY ozZVz4H+ibeGtwfIH4ihElg/swy1FQPHYXt760Vw39F/lA3AXGYm6BaQg8xvjVBQfhOtcIOI 5r7hD8YHJCk9wHhg9DI7AGdlNZkbfE/5BDtfgPxR32F+CxHnI+2RIyHa8Wbgqy7gaeWulvgQ zBPGQbMppFz0ZjOfg7mUw4ofRF2IbBUxAnzmOgcG5ARbB0cG398g7kzC19G5wP6h02stBeKZ OtG+AbwJ7mPuWmAbq/pZOoHlqP6rchaSY7xZk+aDM49vkYAVEDc3oUuiD/heUgMtU986nNJJ J510/nKavGzysslLaEIT3sPb+v7Pse3ptqfbnv7VUqTzr+Ld3+N8ICGDKyvk7BK8LjPgW8BW 2PkEEkup8XowqAv139QoyBCu5fGpCcE5c14xPgN7BXtmpT6ENMkaFnYcolRLeGxheJX3VSHr L5D3vn/xEiGQUc1UIHAZZHD53XWbkKGDLSlTL1C+4mNrA+ABa+VO8L5JaSNPgG2s5UetDzhz 2xqqM8G921719UKIbhZ559EB+KBw7geltoIYq/jRAJ4Vibj4oD94vzSvGw4wb5nV+QnEF0oD JQ7MPGZu0QuUKK2z+hICy4ecDN0JobkzL8/tC1m75L5fwB/CDucsk0+HoE4Zn2WrDz6uIL9M y8F3XobPsjwAfzX0XvYmEPhLprK5HOCvh1bP8SkENM/wQ9gK8A0MrBfqBL/OQfszbwG/kMA2 mX4B/8tBN0LLgqOi382g5+D43K9D8Bnwyx80LONhcI4K+D5TfrAu8rkVtAXUMEdz/9ogSlo7 +uQE6wF7Sd8DoB61xjvmgrW27a7PKlDHWV0OP6Ch7Ufnr2CuV2qqc0CpoB6x9galpfrcYgHb p5antjVgf26PdBwAo7V5xgwDMUmroP0Aoop6UNkLWoQlTN0BIlJEKEFgn26/7BwPPi18Mvsm gN3pYwn4GGRPkdWyC5SBRi/zOWhPRCTRwG7zA5cKnnB3gbhG4Mqc0idxHiRVj1sUOwhcHVPa JfmC8kxZrswBZaW2xzoKjAXmVE8VCO0QeMWxDDLnDykQVBOUT5XlNg3sT+ydHR0h8/2cvjmt kPFK9nPZR0Ngo8AKgbvA38e/iG9FsDy3PdIyQGD9wNLBLyCkVGCPTLXBaijXzaOg5dcuKCXB vKJ4RCwYs8QAfRjY+lrraCuACYymCehjRG82gncIO/k//InXdNJJJ53/q2R7ne11ttd/tRTp /Kt454qz5TP928CxYLaOPmppCq/buZelrAMtJMiVUhIS8nDA2APGkYjv3IchqJxzoRYLtm3q z4ovxI6VJx8lgiNDQG/nIUg67poavxbOLblx/gKgfWGdqPYBxwH/2nwMrvEJcXoT0MtQiZ/A J8r3pVITLHVdp5wh4O2Q/MSTDO7MQW21hmCZlOzv+yGEWLR5sgMULJgta8VGIAelDFdSQNtr HhVVwd1I72PkBG8R+Vx+Co5m6ihegCzAalkayMNZbRxo56zL/T8Bo4q5wfsavIuTBydfA9lG NpbXQflBG2TtC+pZ6wPfrKAuVYs7loIyQG3p1kEO1K8bjUGUpZHRGkRTNReVwZKorvBxglwr f/aWBLOCWdMsBkp9YdEWg5lCMaMeMEnUUY6BPcn+sZ8FhE2uN8+AIfkCH+BbUdQcC9oH//HW DXWqmCQ7Aq9wug0QrVmlrgJxiyjZArQWZnP9ZzB1T3ziLKCJ8oX1ESj51FjtUzAm62F4wWxD I3oDk2R/2RioK/eLDGBcNRoaGcGoqD9IGQRGA30Hw8Bz2/vSNQWSZ8fFRGcE2037TFsnsHe3 93ccAx8tYFtILxD+Yro2BZQ+Zkf3SDCHyV0iD5iX5AA+BtskNaNyDJIruKt6+0KMNW5LQhLg 8mvumAqWW+rP6gLwPe/3S+B1CNgf8n3my6A6nK8yDQLliZaJRqB+YBtiKQ/qXGOkBGQdUVpO AWWO5muJAgy1v2MoeINSliRtBdfZ5GYJNgia7NfMbxuo+dWi1u6QPNb9XfI6MNoRoe4DvaBu 8DWoedXKdgHqMussCgNFtB1aPwA6/9VBnk466aSTTjrpvB/eOXF+eSn6p4T58Giseji6Laib /YryGdi7Jtfz7QSm09VNHoXErR5LShyYLtdre0fINMHxOKcTor5JjLlzDfJWtXWz54XkDFo1 LRvEjnPnMzqDkZjQPfkI+BXL3sszERyN7T+7b0HSL1cnunaCt4q1qKZDpjV+b4L6g7MF9e3r IUMHdZ3zF0h85ukX0RxqbCvtrncPcu/OMKTgRnhsv/38TmZwfyqvmAoYmcQIozAYK1ml3wZZ 2xyqHQCZVw4V9QCX8FfzgvKhZYmjCsieSk7tJthKOub43QPvOm8ezzTQ6lszadVAqSSeag3A LK5XTqkLBBJhNAK+MhPFaFBuq61FOyBczNZ6gXbC2sDRF4wNMoZdYM1rnWxRQN7R4427IH8y 2vAENI+2SqwEz0/6+eQIMOfIZ7YhoE1nqPwJZBtjcEpl8JY3r3n7gGe8PsGVHUR95bicB/ZB tq2+fcA1wx2WPBLorOSmHmjf0N4WDeTVsnjzgPAxutEdVF3Nog0DY7Dh9rYH82P9A+99UEsw y7wNrh7JxRKbQNy6uKpvDoO7p3u6qxAYy/XqrtxgzWrpoA0H93T3DVEKkkLihisjwH3bPS6l B5gexbBNARqb/b29IKVBYnziavB74X/CbwnYnvgRfAhsK2x3baXBEmzJbTFBPyIrGmXAkd/R 3/4laPUd3Xwfgf69PEYOCLmfpbZ1JriXJO/xfgbeGt5I1yYQ4cLtLQXudim1EquCOYET4hQo m5RfEtqAu1pKnYSa4Fc2aHiABZwDfKf6noGk/PFNEm+DOGYk6OtAWyOsBIL7Y7eNeuD5OOVc 3H0wPWpGUsBvoFrIJ8ufDKp00kknnXTSSee/Je/+OrquzuaJDcGWYi/k+BxSYvU+5n4IqG+r 51MC8u7PVd9ZGO5leXYz+g24TiX/oD6CxJaukIh7YN1h36iEQezhxGBtM+iNU+YYtyHpgVIs JRs48qtF/U6AuPVsS7Id4jumvPJq4L2t7/M9Dm67UdKVEXIkBe70PISs3cpXDNoEyiVH05gP oWgfvUm5J1C2YcFR7RqAs7RvsdBIsJ+U+r1wUFtf7iGegr5SHyxeg7rfzCFugNFOjPJMAzOb LG72A9rKNUYOkCvM7eY9sHxjKaA1Ac+nZl+jOKj17RPsMaBs0+pbPgIx35wvd4HopGfxxoJ+ wuhiXgdTkZP1i6DekBkt/cFywvqztQB4N3r7GxOBDWK/0h/0456W+iJQ2pJZWQPGx94XcUvA UyylgKcTqJ3UN85JIMpZ8yuHwCznjXR/CXK8kcdbE4w7XDeXg5JDpph+YL1lWW8dDy5Lil+S H+hhepXkQ6D11NZbQsGzzrgivwXPDvdub16wLtQU2zhQLikl1DNgLNavuA+BvZDlmroPXDGJ A+KnQ2KnhKbR48FcoC8xHoLe09Mn+TdQ3UqM9huYhckjLoHeUz9k2EE0lUO82SB5xusGLzWw ZXKu9XkCyn4GCy8Y4d4UbxxENX7zJmUXONt6RxlBoM22VLMHgjJS2aktB1sn2wSrHYz+Yqk2 DOLLuycZI8AMkr/hAe9cfYI3M2izrNu1ZyD2GV8pFcHzlfdX/R54BniGesaBu35KuYTDoGbW 9tiGgOpVMsrGoH/ukZ7B8HLNq7uvAyEpKF6JbQHWAmp5mRds6+z3fXuApZ422scJ7gopd1K+ Ae2p2sUGKLvMc+7yQFPgPbwnNp100kknnXTS+et558TZOKuvtJSA0BuOYnYTXsQmtPZuAU2R dkcLSGnt7WMegpSvY360CPC/7J/HPwke9gnP+OwpeFulJKpdwc/Hb57eEaRqPlZHgHhodIyd C+YOdZx6EKK/eTFFqQSZPgv6yb4MfGtmX2mWB+VBwgBnL/Braw1P1MCb50kJcyJ0qNe40uSP Id9POSvXnA6eAD0fX4OaW+lvZABxPHqS33Ng95tfvHnB2t9SzvoQjJXqI/kSlOtGV60LiP0M FifBfGCO8h6ClMMJ56OqgB7kqeIIBKWPEqVGgblZe25vCOYTbbztR5ATjWqyINgW2+vYS4E1 SJ1m/RpS8rlax58C2YSh+IH3urHX+AVUYemt5QAxw5zg6Q1mbU8793XAobZTR4IrOfFcwm0w Gxv39UdgjbQXkbHg8SY+fF0ZbPPt1e0vwHeqf9eg3qAeUUpYVoM+ynhg2MBT17POVQjUp5ZY ZSaIMlw1DoEyX1tquwfe5tKRcg20ujRXOkBs4+j9EclgqavGK+fAzGze069ByiJWSQuY1c1p Rl5Qv1YTVD+gC2eULiC6ih/RQS9ijjROgeqvnxdfgLeuvsDIB2Yzc6d3GpiR5mMxBMxwVomR QEkaiNVgvW7ZY/0MjIcclxHgHSKvIEEdJBoq00EmS2QlkOFyt5wLnqbuGO9cMNsoEYYHrKOt Z22PQA/01DTjwb1ULxs7A0SEvsVbAZSyag/xGLQZwq1lAW16QLPgCeAMDHRnOgI8ND+Xq0CO 0KfrVcEs5PnJmAyOOc4NmCA8VPSOBjoov1qTgCZihdgKfrn9HgZ/B95D7ntGKYjv+sb+ahgQ +1eHeDrppJNOOumk875454cDtQb2G/IoxNc3xkf2AX2155T7PMRUis6c0h2ue+4OS8wNSQ1t O2gAbx556r+YCmFZgrbIMMhcJMMdZSkkvXZOTb4L7GOl7AxKdzXA8hiCu1oOe6eArblawBwH j6slBsbegISxScG6A9ydmOkuBcWfZhpW+xkMKN565rqbkHtijry1V0DyI9dDry94snk/jPsJ nj98Xv3qMohqfitr+FDImGz71lkObJo6U7WBMlg5yUOQD0Rr4xyItcouZQ5IzYzgCcjdRgt9 LmjD1bXWp+Dc7XcxUzj4fhX4VWgZcKg+yT71wHrB6bGMBts92wdqSRBIZ+JtcPwccCSwNPje 868a3BKclx3VbbnAFqTN18uCOgQhf4X4EXEfvTkOiWXjd0ZXA+Un9YUWD3pDfY7XASnl4iu8 coC5R2/gfQhygghX/cFoLQPMVaCP1Hu6LoA5nfXyPtjL2S84qoCWw1LHuh+0XywHHadA3lB+ trwB+aWItUjw9HJV84wDva53oKcsJGZNeBh1EVwvUzLEZ4LkBq5piTVAPhW6uRrMtfKe3ACi idgifYDjtBB7wPQ1WhprwZxsBHt1YLze1TMMjAHeEboNzJfmCm8L8B7yznR3BhlkthV3wF3G O8VTD6xD7Jd9+4O2XfnSuhF4Ib1kB3WHVk/rCt5zei/9e/CEe9aljAZzgBGj3wWzPN9SCSy/ 2kY6IkA9af3arxSw337e8hTsZZwFfGuDc1HgswzPwKe6f/7QrGDrZYm3FQTLBMsrWy9w+3ry G7+C9qnSVG0Hzk3OR/ZW4JPXr2VQFATUCLaGdAWfqIBq/vFgaWtvajsO2kHZwlsY1NW2ypb3 9PGT/85Mzzs97/S8/7g89T2m/y5Sv+Q1a9asWbNmQS3/Wv61/NO+/JX6YZPnz58/f/78r9ba /xxWr169evXqtA8YpH4BcuDNgTcH3oSoHFE5onL8++T5V/vV7/nz/3b+3fH672Lr061Ptz6F qW+mvpn65h/X/3fz73T+Z/DOibPLZhsVvxccfoHnfJ6C5bFPKdkaEiON8jEmRH0W/f2b9ZBt kSUx4BzEVowvpKwH35y2/Vlygk8O+7fKBSiQM+SJbzQExPqkKIsgVx+/fpmmg5agFVa/Astl ucK6GLRJXndAIYg69+puYmP4YEaIteAX0PZOj7tTz4BzRoiWNR+4f3DFJM4BkVNG6qUh7trL 4Fe9Qe3ivRdwFZQ1CWHGAsgcm0X33wRKE3HfrAzqE/WR7SXIIUYbb0sQYbK6/hHYB9meWGeD z8ygWaFdwL9Rpu5ZfwDbPP9FfhlBTbA9sZ0GS1eHy7ke/M4H2UOXg6eHPj/pJSQ6486/2gbq ee/8xC7gCUiuF7cA3IOTc8dVh+SSiV/FHwIscqN5Dnx1v2pBI0G9qc5jAyi3rcvVhmDd4XQ7 /MH+pWOvf33wXRkUkzEMfPL6+PqeANlLdxubQBYQ/dXuoG3TktT9YNY2e3rrQNLQpBHxX0LK IrdMLgXR818NeF4OXpx9XvDec0iZ6noSfQDcH7jKpSwEfbd3n1ETzE3GMbMYsEYuZTN4Snpi PVPAW8areC6DYTVK6nlA6a+EKo1BVBEW0RvMdpQXvwItlFhlFhAotog1oE1VB1g3gnpEjBJO 8Jb3Vk7+AJTDajbVCra9ttw+10BDrazVBFFMKCIZlPlaY+0IqCn2VfbSYH1k7W4PBbWn2lIZ DbKefkBvBOKUjPPeAct4W7JqguOAs0TGQWA2VWar7UBpb51vDwdrRkuQfSoYmzwXPQ/A9VXi 1riLQA051/sCqMAoV1dwW1yN45dA8t7ku/GtwH3cdSGhFrgvJk1OeglmP+/OlFiw9XB+ZfkA QsaFvMr07V8d3v96Uj95+1dzYvaJ2Sdmp50Ie57peabnGfh06adLP10KZ+efnX92PnzT9pu2 37T9q6X978+xY8eOHTuWdiFS4/Man9f4HIauHbp26Fo41e1Ut1PdYEahGYVmFPqrpX1//Hfx 53T+HEfaHWl3pF3aBdC0g9MOTjsIFxdeXHhxYVq7/6v+nc774Z0TZx/T3S/jZAg0fa05b0NY Of+TYY2g9t2ca8oWgvrbazwqfwaChwU9FClQ5ut8h7J1Ablfq2t4wPehz9fB9+FpvsRZSc0h LneKj6U5GGXF8JTcoGwW6+zJkHF5YMHMdSHbTdUvpho0vFxoR8nB0NOv79U59cEVJDuaVcG4 6nmYMgC0OVqM/TikTEgqHh8Ajl72JcpZiIl+lv9FcbD9aLVbo6DwoNKRZQTYemo/iA9AKya2 WaqCbG5G0BGMSNFI/Q4UU/vVvhKUbcpDcQfkCyO75zcwfDz25K5g/Oqql/Aa9GOu1om1wJM1 uXliI5CGkdmyHJzzfczgleDOktwv6S6kZEx+E2eA8a3+gTwDSkulvrUMuG8YY1LGgPbQtkp7 Bs68gZaQBLCd93nqNxn87gfHZXoAjqSgnzMtBssO2xuHDnqSrugfgznUuGAsAWGaD82vgYlG SaMSeDyu9a4RYO1vq2mpBdplbYclHvzGBW8P6QdhtbI5Co8GvyE+v2X6Aswf9JEpDcD4wNjs XQDugZ4g93XwqJ4z7uZgbNMX68fB9EqplwHvcL2rdxLovuYhAzC6U0s+AyNFX+KZDeYL46Jn DahJyh4xE5Sr6h5LK9ByW2N9V4NfcIbKGV9BkBnySbaMYG1mn+1XEMQi+0zn56BmsYbZ4oAL xrfiU7B25gPrCJDZRZS6CeQknGp+UB9pv1h+AVlKHhF3QTlp5NNfgyzuHeLVgEpGPeNXULco JZUMQJz6mT0PqFOtN2wq2Nc7j/uMg9CPM87JXBns/R1fB4SBb++Ag5kqQcCagMuZQkGJ0ho7 74C4qua2zAPrVdtpnzZgrtVGOvKApYh9o7P6+wvU2NjY2NjYtE+mNtzecHvD7dBsYrOJzSam ffI1td2+ffv27dsHrVu3bt26NbTI0SJHixzQuHHjxo0bw7Jry64tu/aP+/m9ytPfLx8bPjZ8 bHja7z4X+1zsc/Eft0ut9DTd3XR3090wv8T8EvNLvP34W01tNbXV1N+Xz17FXsVeBdoebnu4 7WHo0rlL5y6d0/SUiq7ruq7/eTv8s/r5++UzOs7oOKMjNAlrEtYkDL498u2Rb4+k2S31vblz is4pOqdo2vZ/1o7vqs89zfY029Ms7fcn5T8p/0l5qNC/Qv8K/WH/1P1T909N+yTxu+pz7qm5 p+aeSrNXlyJdinQpAs8zPs/4POM/bvdHfvW28fJ7/vy2/UREREREREAPbw9vDy80b968efPm aXb9Iz9ZdWvVrVW3oENCh4QOCe8ex+9br4mJiYmJiTB48ODBgwen+XPqHZ1UPfyz43tf/prK ae9p72kvvJr0atKrSWlfQPyr/Dud/528c+IckCvgoDMXJEYmnohYBZ7LSXei2oJ+Abw/wNhB 3ZLWlYeP2zTePWA9hGb0809Jhnx9stbLMgyyLNA+9TsNmRs5W1pXQIYcGTsbJ+Gl4Qmy3oKn HybejZoMSj53mXv9oIFaztK+JnTp2FeZWxSUFgEl/QWIkt6v1WIg2qlB6g3Qb8pRxkmQ/ubH nieQ1N+72PU9xPZ8+TpiJOT8ruTJaq/BZ2FozhxjwZFgWatlAntezdcSCEYXucOcD4oDH+Mj UCeK/uI4uB8l13e9AXd+1379Gcj55nVcoEt3sHsDSJte3TsLjH36N54boGUXG4x+wD5rFUcM aHfs/r4WcOCs7u8APrSeUQ6BdYejquMX8A31TwguBY4LPrsDJ4FtnP173wiwhMv6Ig/od1J+ c88FMUqrYPGCus9az1EVLPjagoPB+rNvwaATID5Vt1m+BM8cc7XaAizNnfEBJcH6q/NIhmHg tPr3DzsJvof9CmQsBL4dg8qElgBnu6BxmeZD1oF5JpX6EkITsy7IEw7BOzONyOEPwdsyncjx E/i2D4rKXAMshW1JvoGgJFrq+cwBv3oBBzJVgKCFGSpnuwaOPr4rMmng9zA4X/afIaRdttFF lkNInhztim+CYJE5OO+3EJIt08h8j8He2udkxskg6ihl1eJgqaP+Ij4GZa50Gr+CsdeonFwK Up6kdIr9BLxfpnSPnwvM0mu6OoMR4mmfHAZKNhlo1gKjpr5eyQ5mdoI9C8FsKctbFPBU9GQz osC71vNjUi8w+nk8KZNAKSgLmXVBLOQO84DbwpTtwVPcvcvTGPQd3ih9NcgcpsecA4qPMkb+ AHoB9yZjI6hWfMRFcOa0WGTE+wvUaQemHZh2AEKfhj4NfQq7Xux6sesFbHu27dm2ZxA2Pmx8 2Pi0iurae2vvrb0HH5f+uPTHpdNuWS6/tvza8mvw4/kfz/94/s/LMzHrxKwTs6b9XlRmUZlF Zf6xXa2atWrWqglLKyytsLQCrFq9avWq1e9PL6mUu1zucrnLMDxgeMDwADg0/dD0Q9PTEpjs r7O/zv4aJjSZ0GTCX/BFhzrD6wyvMzwt0Vk/fP3w9cOh3fR209tNh6X9l/Zf2h/Wrlu7bu26 tO3+1Xb8PZ49f/b82d9MaenevXv37t3TEsH27du3b98ebjtvO287331/IfVC6oXUS0toaq+r va72Oph+dPrR6Uf/sf0f+dXbxsvv+fPb9jM9bnrc9Dj46NFHjz56BNu2bdu2bRtk35t9b/a9 /7w+1qxes3rN6ne3//vW64IFCxYsWJCWwO58sfPFzhdQY02NNTXWwMxfZ/4689d/fnzvm9Fb Rm8ZvSXtQvX3+Hf7dzr/u3jnhwPF2uCDUcvAXtmyI6gtJG+M3el5DrYXLHD4wO6Ju0bMOgbm FlfPhJGQ/0nm67WmgzXJvcwzHB7pxokbk6HoTfuYamGQ/LXwxFSGo2Hna0TnhoKVQkbnGg5d V3dt92UuyHI2/9qyNvD0837j/Qn0rp4d+hJQHqqv5UlQcpJJjQZ9nTfMFQhimBlpeMF3lX19 cHXId6fsT9UKg/++rM6gEpDULnKWezJkaBy4368iaPWifkjuD7K+e53bDfKRuZayoFzXhqmD QcxJOew6AimfJNSJXgAer7Wn8zhYimsvmQcuM2WGax1oDbWrlqugRskrMheYY6XbqAdilwgR W0F/qdf1/AoWq+WqzQHGF651CWtA/yYp1hgCQlefaOvAOsje0/dHEEPV25aioCbYvleWg35X X+ruD1QyrhvTgQXyNyMPiHAlk7YMjLvyjToOlHzKKWMUiA94yiEwHup7xBVQQqydZFZgr3Ja nQbmHD2PcRe0O9b+1u/AJ7tlQ6YZ4GxpRoYmgdLT4qe2AbyeeSlXwTvb8yrpM+CcMVl+AqpH 6y76g5wvflbKgmWKMk6sAumRPxqXwKgjFVEaQOhqRZD+PFM6gd7AbEdRMFrqTndPsBWyvlCK ATeM7hYTjHyGy10O7De0ME2C8bn1sL0hKHvxMwH7R5YGYi4YF81rsi7oUg81o8AsLqKMEFAm Kesso0AtqxV0BIFqitvaNdAClNp6POiFva88Q0Cs5ws1HLQyag5Lf3B/5L5qdAJXtOeOoYLS RmlomQOGahaU24Gp0iWug6iieu3fgbhiqW72Ah+v2kTfBHbD2lWN+c8gaffugXqq+6nup7rD zsw7M+/MDMrPys/Kz2nru3fo3qF7B2jUrVG3Rt3gaP6j+Y/mh0t9L/W91BfWx66PXR8Ld8/f PX/3PJiNzEZmI6AXvej1rzvApJ5gLSGWEEsIeOt763vrAxe4wIXf3y61wvRky5MtT7b8fr+p XLhw4cKFv+kv55ScU3JOgWq7qu2qtgt+zvhzxp8zwuLLiy8vvgyjGc3of92w/4ES80rMKzEP xGKxWCz+L5ZvFVvFVvCW9Zb1lk3Tz9KKSysurfjudnxbfeaOzh2dOxoIJphgGLRy0MpBKyHH vhz7cuyDTt93+r7T9zAl55ScU3LCdraznT9PkyxNsjT5m9c3toxqGdUyCn4a+9PYn8YCJzjB iX+U9/f86m3j5fd4235kKVlKloKJ2SZmm5gNuMc97kG9zfU219sMU5jClP+HHtq0btO6TWtQ bim3lFuw9NzSc0vP/Xn7v2+9Ho0/Gn80HtZdXHdx3UWgM53pDC0jW0a2jISl85fOXzofaEpT mv7x+N6Xv/59/P8Regm9hF6Cf5t/p/O/i3dOnH+z/tbKo0G2aP+2RnuwT1W+NOfB6fXPC106 Bb+0ftTh2A7IfzV4RdhYKDwu380i2+F1D/xfrobLte+eez0PsjmydNCTAEeSr8sLHxQt8Em+ idA+a7sVgxpAkCVLUOl4cG9Nmpx8EIxEyxt5BpS24or2GcivzVVGA1AKabnoDUZbV0LyPWCq 9tJ6EZQDyhqfA2Bccs16NQ+836V8YZsAIXfC/HJ2hewJ2edlmwAXzMffR+0F5bTHUFqA2cns ayaCVtdS1vYNiH3eHN7FoGawT7Q0BksTpauIBr6Qyw1A7KSw8hQ0zTLDvgnUuY52zjcgaumd vAKUkeZQ0wbiJ5eeXB28ud1PXXPA1Mz23mXgtekrXRpo8WonZTXor8xw8yJYqjha+RQGpZR6 Q+sFsqjZXXYG/bbQZAGQlYwS3sVgL2+bpYSAY6K9g304yEipiu6AVfqbA8DV3zsn5RjoxV2N RBtQ6lgr2YeBck7cUbeAto72TAHrZVukDAexg/lmKMS2SPgwKRvw0ngtV4J2WYuyHgIlzNpY vQ/G567JKVdB7jK3u4tB8lzxkIOgGvKcng0su9UDWiEQ1+RUMyuoL6lotAHlvqxgFAM1QP3M cQucydoItRaIadpj4xDIhsSqnSHgA/+igdHgyq6X5zoYocY28yFYM9o3aHNBLpD5jTHgbeVZ RAq4o7wr3N+Bw24bpzUFcUKYyn3Q93u3GX1BO67WFFtBLWDrabeDeCTzyjcguihlxWvwSZSF lN8gaKLPEb/h4NqovzAOgV7edClfgiygP5FlQL2uTjEXgpbBdsRWGvx/sZxVR4JV2oJFRQA+ eR+BKkvL0rI0aPu0fdq+f1wvLoqL4iKYz8xn5jMYbA42B5sQui90X+i+tEpS1apVq1atCjvY wY5/Yr+euZ65nrl/Xm7LMssyy7K3325OsTnF5hQDb0dvR29H+Mz2me0zG7xs8rLJyyawadOm TZs2pbU/1+tcr3O94ObKmytvroQexXsU71EcPvf53OdzHzi49eDWg1thV+yu2F2x7y9x/mf1 8/cJ8x8tTyX1lvi72vFt9Zl6y/5R30d9H/WFShUrVaxUEey37LfstyDo06BPgz6F1y1et3jd 4j0o8u9QFiuLlcVpfv/3/JFfvW280IlOdHr3flKnBqiH1EPqob9pd0lcEpf+eNyp+k3lfdn/ fek1MmdkzsicUGtPrT219gBlKUtZwIoVK4hpYpqY9s+P7/d4W399W4I2Bm0M2vjX+Xc6/7N5 58TZszHuW0t+SDmoNYzXwfqVmBZYEuxDjabGG/D/1mdxrhHwpoBy1AiA6+UfPbiZCFlyh9wI nAn+NTJ94lsfXi/zhN5KhKoLC5Wt3xo6FvwwcXAMWMP8i+aJAO/6lFfJ90G5qTpEYdDC5M9q H5C9ZHa9Bph7eGGcAOU2s8Ql8KzwHkqJAOcc/4iQxxA55EWGl7fBMs/S0vADa2dnpH0iKB5L I0dlCFuZo1LWXeA8an1x6ygkXPe0sw0AY7xcLBLA+dqaz1YOEo7FFY6bB8S4prsqgGVIwHeO JHAHuLPqecDW0h7obASMFR+SGdyz48q+fgC2+vaffQ+D2CKyaV+BNtMyz/4SxGD1J+0J2LAF 2UcC98VuUR7EauNTIxsY3+kV3RNAza8EqxHgye6ppecE23KtqlYf1G+sVpsJ8iP5rboGKGi8 1htDwqBYLeoFUM046O4L7sN6ZXkD7M99L/nHg/bU9p1vS7DUtWjaVtBKqHetN4Gl5no9EMQS ucXzHWi/ksHSGhy/aGXNwmBrYr8groHzrvOpWgrUeBnuzQ1ysPWUaoKnpnuzkRtSnEYe6Qf2 Uc57fvkh5YK3HXHgXct3yjFwX9C36j5ga6nmVzuAel/9yfIhyIXKJLkNHCmOQ/amIH6U9dXq oJeSYd56EHDEkdWSFbSGamdrJtBXmz0YCeKBqKgYIGdbUsTH4H2kLycYLD9YZmqJYNYwK8mf QZnguGg5Dt6O3g2ukqA200arKojqcrnMAWYzc6URAiKz8kaVoORmp1YYfLITIw0QFRhtNgfr Qr5WfgZPsL7EvAvu6+a3RhjYnij35DfgHGnNbq3wn0Hy4bsHaurbIVYMXDFwxUDor/ZX+6tp 65ctX7Z82XKouqPqjqo74OSck3NOzoFtV7dd3XYVMtzOcDvDbThz5syZM2f+puPSlKY0cIlL XALLNcs1yzWIioqKioqC+33v973fF1jBClb8vnypb7X4o0TwnyVr06xNs/5Nxco61TrVOjXt d65cuXLlypX2+1bUrahbUTCvxLwS80pAUvek7kndwb+KfxX/KhDpjnRHuqHI7CKzi8z+83L9 Wf38Wa5cuXLlypW3t+O76rP6ieonqp9I625W11ldZ3WFwAWBCwIXQGSOyByROaC6tbq1uvXd x7nz5c6XO19CBzrQAdgSuiV0SyiUvlD6Qum3qCSm8rbx8vek+vPb9pO0MGlh0kLY67fXb68f tKQlLYH9rfa32t8KmMxkJv/77P++9Zp1QtYJWSfAlBZTWkxpkRZPL8a9GPdiHJwZcWbEmRHA fvaz/8/7w9v669tS/Xb129Vv//v8O53/Xbxz4uy8658nZDZk7e5fKFchKFUx00e560LQpYCD Xj84a/629XESXBwV2frWGdA3Z6rl3AjBhmeUJwCKrPfMc8RD3W2NRs8+CsWC8vesHACuJWKc sx+IoeJraz+QkWKhXg9Q5CaSQX4gyjIMRAc5VOkKaogyXS0JepxsriSBo7Vttm9HiHv06njs c/jt4tXsp2Oh0KDScyq8BjWD9sy2CuR+EPcg667sDbOtAp8g+3L7cVCypPR3zQKmGQeVeLBE WDLY5oI1wb7JsQGMIpYR6seglydCXAIfq+88//Gg7/GGe+qDMVgf4C0AjmzO8IC14B2qR/I9 KNW0F2p3UCtYIukFyqfmDDEfRAFlj7IbjDjjql4ZPPvdlVIegPpEua3tAnlRBsjNQKzWWvEH uUdMkh+Dd70nIrkxcEOJVs6CMdt9wdMBZFn5m6gFQrWG+o4G50vnYIs/sIpvjBxgLvGMN5aA 55rpMR6Bt4ni474Gxin9lXEL5FW9ipwJZhh9zCdgibSYmgHWnhQQLSBxRMLEpMdglDTCmQqW z9SDsjnoJrdMA3yfBkwJeAWucO9gJRpkgmLoIyFTnsCFAbfBz2PrqRQAy1ZttVIURKgoptQA 70XPLP1jUEeQUfkIxBr1vCIhqYJnrT4QLCOUx+ZaUAapZdXpYBSTHczL4P3NM9E9BCjHVrUA eMd6Tuk6mFm8n7qbgG2ibZbWAoTdfMImUF7STC4FY4PeVn8MtgLWr7UAUFuLEZZxoFc35psH QX4jZpq9QTyWnQ0N1CvqbW0RyGPqeiUIXLuS9riqg3FP8ZetwTihvRA3QRv4/7X3nmFSVdui 9rtC5arOuQlNlhwkGUiSRXISAQXJooCgqIACSgYVRECCAoIiiARRckbJOefYNHROlWuF74e3 v/bi5mzdsI/7nlPvn/nMsMYYa82a1aNHjTmXMUfaDMx9PAu1YJPKpNGTRk8aDW0vtr3Y9mJh f4UfK/xY4cfCzUqbqm2qtqka9O3bt2/fvhB2Lexa2DWoodXQamhQfl/5feX3wcz5M+fPnA/D GMYwoGf5nuV7loc+c/vM7TMXGoxoMKLBiIfbVSCn++Huh7sfhm/5lm95/Pww6odRP4wCRjGK UX/sLzhO6uLMizMvziyMSPn7+/v7+0MdtY5aR4X3ir9X/L3i/7odf/X5PCoFm67+6jw+6vPs VrZb2W5lIaNHRo+MHvBj/I/xP8aD71ffr75fC4/7GzVm1JhRY4Dv+Z7v//X7vN70etPrTaHl nZZ3Wt6BiKSIpIgkmHJlypUpV/66vL+6Xgp48PM8N3Ju5Ny/IMf5tPNp59OFubbfdvq207ed oEmTJk2aNAGptlRbqv3fN/+P+7mOGzdu3Lhx8NGUj6Z8NAW8a71rvWvBssyyzLIMRiSOSByR +Nfl/jP+2ef1r/Lf/fkO8j8L4bf/XHW9Tp06derU+esCnk3qP7pYX6j7ffGTNbfBO3u733gt DU4nXnn9zFxYUv7nrssHgHjB/rapCdz7KX1Bchq83LDW0w02Qse81mU+/AV83wa6mWeDuMZ2 2LQJDF/ZbthjQRisDdZ9oHr1H51vgbhdeNsyEfQXhKVyNIjHeVHZCuzVUqRrQI6xuHwTcjul D7wdBVmbU49ldgf1TeWlzOKQOLJU0yoOsK62NInaCNIm01ipL1yrfuCNHU74yPdR9blT4PIb 91PSpoPxgKlkyAkIW5jQs1hFcDbP/un+K+Cbo87SW4LBYDsV0gMEh7ol8CMwQbP6i4HwGWPE lSC2kKob5oJ2WMyQc8DaM7xV3B1Q93mecfeFvLHZxVIPgh6tlgpsAsNpeZlcDAy/mEJsyaDt 4mnxHKiKLz33GGgLDJWsp0AeIq6VSoBu0JrrX4F0WJ5jGAR8wTvCUdBMeoK2B+SvjcstGog/ 6HHKJfCVcRfNqwaBXH9/70SQ50k7zL1AeEIqL9hBqCaO0u6AvFHKt4WA/LJxg7EU6NFatcA4 EGZqY7Xb4H3PN9q7ELRUvaxqBeWa/4S/IdivWvuY9oIJ26VQQDmtNpIywfK1ZZfRBGFDrZGG HiAsDMT7G4DxO8MV6R0wvCg1E6qDuZjhqtgIpB6ik3DwVw08ofcDd7p3lScf5JO6WX0flGJq mE8Cf3hge6AOGC7KRw0WULtpg2gOdBHWsQP0EaqD0cBx8U0OAU/rDuUJsA2zSxFu0E4Kz8lV QKohXzHp4O3lHeOOA22jsilQDYxfGctKfhC6invEuqD4hbHCfNB+VhqJ/YBQzRqYBcZbpsrS FxC10nrXPgtC60e8YR4Fb77z/tH3z/3dyzxIkP9MCnJV/2qO6n8qBTnA1atVr1a9GoRdD7se dh2yJmdNzppceJpEwakN/y7+pz3XIEH+Ezh06NChQ4ceQ8SZVCEs/CScr3ltwPHqMPO5b65P bwmemsoZ+3nIn2nw6iKIu3NHpjaGV2ZGN6uzD9pVqf7DBx0h92xOqqs3eEPTOl3eA4kHnrY1 7gH+AepqZRGI4/UkJRdETVho7A1CrthAGAzCcD1LXwBaPWGKvAiYzGxlJZisQkPDk+CbIF3x ZEBu1yO7Nh4H15DN8069AbFTxzYZdxf0u5X3Rl8F/ROeEndC7LVipZNWQNFK4VvCG8K15zM7 OQ+CzxAQvR+BVlJXhFiQ7xmvWUzgPpH7XFZXMKy0PGFRQEqWzkuLQe1Ma6EnGNrJa4z3QP1E GyE9BcxWVweSIbDddT9zEfjnenf4a4HlpPkVSxIIqdwzGUA7pffQWoIezgfacvDPCTzlrQLC hyjSWhDWk274EZR5gbOBW0Cy3t3/IshDxHx9FfgPBc4rYSD2E0eKx0E8LP6q3wSxnzHK6ICQ BaFnwhTgKe3ZQCKwRbpmHgS+CZ5avj7gT/ENcnUCLUZPcJ0G9wpPas73YClvHWdzg2+tUlUd BOpFbaI6G6wzbZeNI0FqY40zOsB42TBWsoL8iexhCRjXSu/r3wG3+Uw9B84e/obiOyA9LwSk weD6zl+aUDDsE3dzB4TWvsiABYzHDWcNq8Ff3Pdd4HsItPR/ok4F6T1NVYaBdFQ6JSaAbbr1 fEgJkBeKz4t9wdfTe9zbCVybPIu9s0HpIA6WJPDvdBdVLWDuYvjW8DJIH/r6+RpDoJL6sWcA qD4GeiqBOEseY1oOiqwmCQPBaXeGutuC6azxB3MfUH/wz/QngXWApb28B7QwYZl5Iqi/qPvF FSBfsB4SToDglVfLc/7uZR4kSJD/TvZ59nn2eeCM5YzljAX6V+hfoX8FWFF3Rd0VdaF6TPWY 6jGPridIkCB/H4/sOFu+MVV3vQgh2b4XooDk5ffcgW8halvcYG08mM5pqZmnoaMz+uvax6DN ltZHxnrh1m7v4DQNrJfTv3b/DJHFKi14sihoC7SlnAYhSR+n9wU1RF+Q3REku3gozA1s4KJw EfRr+m1xLhCq/ujvBFKadantObhd+caRA1Xg7pAJH49bDaYev/6Y2h20Er590m0QP/Umqi1A VvDL1eCOuK/tjiywzYma7PgCyolVvKU6wv6Zt15MPQD+BF9N30sQeNZXVPkQDL3NQ8P3g7A/ Z1nWK6CX9Rv9KaD/bPzVshXoo5eQ3gNlubJOfw2UDUqE6wLgE/OFTPCvy96RGgpSb8M0gwVM Gy0/hVcHz6ve055lYLlkbWU9BGppta92FkzV+EyqD9Imabn8M/CGeJW9oG1UP1DXg5amugz7 QSjFTbUySC8L7yu54Nf86dooELpoNwMfQ9TzITG2RPBe9Hzr+Q7yxVxr1kagk/q0fzjoafwg rQFLY9v60DsglJG2ij1B15Vl3qXga+1b7+4PUjNDA+Pz4Khk72I5DUIpzS33BnWf9opSEpRm VFDngO+872reXdA/0tZr34F81TDe2haEG8JPppeA8ZwV/GD92brZACjXtaniIKCG3oSZ4I3w PeP/FrQTwj6hLxj2GG9aG4Cvma+TdxB4triPee5C1vPOdjnVwDTBYJMug+GSPMowBLL3OVv6 R0L4dsdHVhc4Ntr3i41BbSt2NbwH2Tucaz3fg8klhAUiIDBBswjvgn5YiJevgLxRGi19AabD pt7yDPB/7+3rvQaiUYjgCPi/VHyB9aC41UjlCNgbGN+Xo8B8xTwk1AHSKXG+/BwAY1D/7mUe JMh/Jutur7u97vbfbcXjY+CCgQsGLoCRtUbWGlkLGlgbWBtYoeIrFV+p+ApM2Dhh44SN/347 /qc91yBB/pN4ZMf5yS5hDYv0g5wb4uSQGAibYWvp2AKhlUwdA+uhe8UuEW8NhEqVSvbtNhu0 TdH5UTsh7Ilz3oPbwZYRnVbeAabnwhZG3ANfeODHQD+QntfO+1uBOFmfKi8EcS7HTQdB7avP 0T8BoTIWfzswdjS9Z14P7minmlYPTs3+9OrHSVB24cFOGX6wVX9iZxkNwr4y1A2JAWv18oNK 7wPFExCUfLBmFm1UdC1Yj9lam5xQxBp1KyoTwhraT4TtAOcRV3zeNnC1cP7gToaw3OhG8T3B WMI807oK/I3UimoImEeZB1kjQd8rbNVngfqC/5rfBpYDhvKGF0B5RX7bVg7MT1jTAzFAEbWu fz74LvmOe6qDsavhOfkTCPQPtFIag9BDWi43A8P70jA1HRSJDcq3IE7RncJeMFSV4yw+0OOl 9tpRoIfeytMehAihvTwJDLNMM4yvg3Gc4ZwxC7x9nPeyN0CqfO+1lCog9jY8b1wHst1Q2RQD JrtpmnEryCPk9cau4B/tPeoeDGKqdML4E0gu4z1TFBhayL3FCJBnckW5CIau5rekm0AH/YhJ A994ZYB/LHBKi5W6Au3EC/rr4F/u3e9fDOJnep28yxDdIizCLIN4U3UwEAxTZY9pDxg2GLEO AE8/f9eAFQIt1QqBOyDXUUaIIhhaC7X1aSBtNcYTD4pP7SeuBP0T7ftAMgijxERjUwh/Jap/ dGPwD/BNVnuBftzfTb0DqihulmqCeanpiKksWOeZZ1viQd+rLxVrgWmLYZG0FQw1hUpSKqiX lSv+RAgcl7MpDcIt06+WV8Bj9e1XioLVZDjJixCzMfwJ4yAIbxbWM7wsqIFAP6UWsPvvXuJB gvznUiStSFqRtL/bisdHzPsx78e8D0tYwpJ/NKAOdfgXUiL/Kv/TnmuQIP9JPLLjHIKcGLsY vCNDm+enQZGbxesEOkGHeU/eGZwL8TNKZdaMAvc+Yax4G8QynqWuMxB6pnTXqpOBG+Jcw1YI SL5Y73ww7BI3mupAoHx+mZt7QXzeSmIL0FP4SOoHwmwO+d8F3hTj5Pvg/dLtdt2G/cWXvvX1 ArD2yvkoSoKEBe8aWumQ3ffC1DNlAf1SnbsRoO1XPnB9BtJBy0JzEQitnHishA3MlwwVxG0g Rzm6Wd4Dc29LY7sLDHctcx254HK7emSuAVuV8CJxw8D4knlyyGDI6Xj/2I2awDva80I9MB+y Lbf/AloZdYf/Y9BExglJIFmoLGwHxawu4joE3tLuq2VBj1EHKiHAXUrppQCz8JV0E+T1+lYh G7RG+v7A5yB4heGaD6SZ8i5LOliWGo+JL4P3BbfoXgniMOorW0FcLQ+y1Qb1BXGwtABUzT/e /Sv4Rwfsvnch+rOiHUrVAdMm6T3jfJBkjvp9INXXPMpXoDT0L3GtBmmQsbUaDoF030fqRvDN 84z2GUFtKn4khkJIFQfWL0E/zwJWgzvV/Yo3FdTqWh1vCbA9Y/pBugNhaY7XQ0qC4tHe9N0G eYBez1ADpONChhAA603TQn0+eJ/zLRc9kD47d6uvO1gaGJdq74K5g2jnDHgt/nTvOdCj9V1C TzCvMkQb3wayxLPiCNCvq5WNH0Dm4fTuaXOBIrLJOA2UZ4S20pMQluaIMn0A4V5bmcjd4An4 jd6DkHvcHa/eArGKMNezBOQnxe9CfgXPEM8xXzMw9bUMkK+BUk5YIp6GrAMZgZzdELY9JMJ2 H8wbxM2aD0qcLC6EmcC+1rHOEQeuWFc17x0AOv7dizxIkCBBggQJ8nh4ZMf5biNnP2MbCM+M 76O2BF9K+gc3XwTPCzmHMsdC/nGhhKcTmFZLtS29QbnKZ/onIOXrLZgBTFDr+SeDuFTsbhwO qq7sz6oB+mD1B/0rED41vR0WB/qLGJRpwHjtonYCTFONZc1r4VCHg0sPZ8Ox1052z9wBPTN6 zX35eQiZ+Vx2TROkr+jz8bDm4FKcRTI7QE7+hgrLXweH+dl7L74Cposltsetg5y62Y1cReBO udxelniI/SbuRvQiSG+VV887Gdxd8q23doL7VZfPVQvsgxw9Qu+AdbLppm0m6BmBDq6eoIYE dun3wRBlMjqeBN0rhIpzQV9LnD4H1KeVov4rYOhhHCcfB4PTOjhiCOhJ2sdiCnBNm6dcAs0f WO3aAYEhvlOeyyD/ZKgpjgRflveaexDo433xgg38myhv+gGsr1sPhxYFew9bafEd0AKe/c7K YEm1n9U2gGu6Ipvbgmuqt5v7HBiqyLM9G0APDcR4YkEaLHXVngS7wzzU3AaYJmVaNkLuBWGf rxo4RHmxaQL4RwQG8AF4ve6u3qvgGpy/J30XRO6IjLX+AObGhkzxA8iMyVvnnA+5ZbLn5fsg 7JPQN+2RoIrCe2IDUNcSLb4CBkvedqUrqM38jfOvg+lJ623DSMitnvuBegf8HQOjfDWB2WJH 9oN8Ql5ueBeUc/lj8oaBPMNQ0TAP+ERbqncH49PWlZb94Kvij/QmgOltkgIdQXw5cFwLBbm5 Xss3D0L6GVfIGSBdtXQwDoSAQTlm+AC0OsLzalUw+G1rxG0QWKL21uuBt6US76kI5hRjijgI vN3yY3J+hdKrk47aJXgivdKoYt9DXlR2W/EY6PeF10M8f/fyDhIkSJAgQYI8Th7Zca50tXLT YmcgeezZM+6W0PiHpz09VkD8RzXNdZcBw0xlrDpo1ZQtnADhO+FLcSOwTcgyzAHdoGb6XwJh slhGzAT9HachKw8Mo/Xm1iPATPErsTX4jztL5FcAYZwwVy0CWotAPzbC7ct3xskDoZHhpWb1 0yCq7VOlKqSAq8b9SSmvgiDk7MzbD2Eni5wsEQ+m/BIvVjoKmU/O6rKkPcRLozv0vw45lZzW wMtg/MoaFTMNykwuubtkGNxseT8qrzLkzshNsE8E99G8QPqXYPnaYSteCSy1Q0aEC2AYwO28 ZhCywtFRlsH5s+ew2w+O8rbbIRWAGsJ+qQjIu8OrhX8K/jtCtPFzULcpX/oiwVspZ3fGUNCr 6X2Ul4F48YokgLRTGi80AnGrECWGgjjGLJoGg7mC7bp9HYQWNVosaWB9y7LGXAT8+c63nBNB neff6pkPGU/mH9PiwFnXP0fbAvoRKU6sBo6zoZ+Zq4C8W3xfuwGGHVJRvROwk9p+E7jK5i9U OoLaUl+hXwFNFQzGbaB11VRtF5iaydvFdChhLF0y4T7ILfUz2ki42iVFz+8GEoahchz4z2qt tLLgv6S/Q38Ifyn017AwyNqQ08BdHDI8uUfzs8Fy1jxe+xKUS852Sj3QbRj1GJCPGcfJs0DP Ig0TqD+qM9TxYNxnOmwKBW2mJij1wdDbNNEYD0p71aI9A4E07Qf9Z7C+bM023YXATvWYMAky Dme1yNgD9tH2tx0XwXjUMNj4AUhRcl/zRfCI7p6uO4CiO5RZoG7SbwvrANVdwZUMgTDJL94D cxX/ldxlUMlS3BQVgMj7lqWOZMgZmTrAfxVC20fbHdnw3/p6uiBBggQJEiTIv5VHP1VjlPeZ 29eg+qUSE8oWhUo0iX6xAmiKNVJsB/5WmR2z64P4tXmDKQpEhQ+UZFDnCgMUGxhrmXPsL4G6 XHxGHwpq69yV7tIQqK3fs/cBywvxIfoGyO+Qt8FXBEK1sIthM8HT2P+jvy48c6Lhe2XMEN8h UQ1vAj4lz5DWFVQ1t3NOEzAmuHRyQWweU8o8GwyfhIfEPA9ct40PKw/+k7n3c8tB1MTY6XEv QsxW+ydqaZCSYwZbIsF+NOS4sA6M1cLGxKSC81J6kZsdwFPM0zp+I5jNltXhy0C0u17zOiCs nHGXeQHYxgo/KA1AtqrpqSII54RzUjXQ3vJMzX8f1K/V7ZIFxMXaJKkl+O4Jc9SWoBzTquvT Qf/Kv8oXDXIzS0vbLyDU1JIUN+hu5RnXdlCLeDZIm0GMFyYatwNHhFLe+aAX1bJcv4JQ17DD Ng7UteoP/oEQqlrqycXAes563dYerOcNS/V6YH1dnhoSAerIwBDf8xA47Z+g/gz2WiGHhCUQ 4TDNNbwGeT38/cTp4H/O09C/CpJKxCw2SaDEKQuly5C73lXSewiKRMW8bQ0D98vuyYEykFVc 6y10AfW2L83TA5SVzryM61D0K2t/tQE419t2h+yBdGPel4FOoCUrVZx9wFHDIhqXg6GWoawx AdhPCiNA+1GPFkpBQNFi9RMQ+EDJFA+AMFM4KJ4F22FLG7kURA8MHWKRwayZE+3poKwLJAtD QNe54gP0Qapb84A/y7vLmwTCfsNmJQXyRzqj8oaA4NXd2jvgq6P9rCog1FQbKgvBc9rfU/0M Sl6PP2EaDWGjE58pkQgB3dNJLAPG12x9LM+CrUXEDyEX/u7lHSRIkCBBggR5nIiPKkC6qTfI E+Hps821DgpwxTbP8CXkhab2udMG9k74sceKcHDtvHMmeQ24h2dmZ78NSvn82PyXIL3Wyf1H VoD6tPsLZyrkVsp5VQXUpyxnQ78D5Yh/l2IF5b561ZIHwlL5uiBB6Ba7ZNwOcRmxLUNeB189 VxnX+yCecsyJyQC9hPOQtgbECZmVM38G8RvDcKsXpHkhfUKPgPCc7ZytEui7pL2GSBBy/Z84 20Ipc/GMYrsh7F7E11odcGyzqr58CLWEdooJBUk25pqHgntq1tSU0aDGSlVME8BzSBhiew/O z0v+OHs05A31RWi1wfRT6N7E62A32eZHtIXsjvnDvYDvK9eM/L2Q3TIrPaUVuN92385dAupp /2DXKTC/bwpIDcFa1NiK9mCqarJaBoF6WT8ujgflYuAlVwXIvpRbJvk65DtdC51DIONuTrw6 EFLaZXbJKw+Ri0KibFPAUtb0vmEv6Ke1Jz0XQTihvyw6wLHAoplfh5CdjqFhE8AQbX7SMgTE aKmGYz3klMqbLa4CZ69cq28yKKf8C10HwNfD87bvPfC95F/pjADrFilbUyD2k5BnLfNA+UFd q4eBc4rvLfckcIerbbTDYNONr+oVQUvjOckO4mg1XI0AQzmhrTgPol4LNYRngzzLtN7aDqwp 1k+s20B6luHycNAXCU8TANOroioPAVNJw2vSPBA6SomEgT83cF39EvzXfd9olUEr58cngWmo HM96MLUU3zd8Bsal0htySRBaCFON18B1Le81fzNwZXmaOLeBL4fmuh+kUONGYxUQ21hKWb6B sJsh/ew7oeTRkmlFS4LWU84I3QBpE/I2eWdA3CuJ3SLdYDqj9RWL/t3LO0iQIEGCBAnyOHnk iHMxl7Vlg9cgoX4JtZYR8kyZK1MT4HKl4zUPz4WM69HLxcHw0/S959Y+DUm5puRii6HenG5h nQVgt2GswQ40cu3LDofAlpz16RvA5HxiWaWqkN0uNfHwHpBa6c9YzoNhr+mdajPA3yiwSVGA fuoVfTLIJ4UcwxcgVBX6SxdBOZayKP0WKH2knyypYI6PLBNjB6F83KkEAxi/DksNaQPCVa2q XhsMybZnTM0ge76t7oVJkDE7t+6xzfDEL09cj2gN9w/k9/YPAsczUV8Xy4Os0neXX60P3i3O 7vnPgfkFmznMBcJ8f777Lcjt5iur/wDakDSnayOEfGFsr6kQ8X7M8OitoM/TQrQKYJ7obJg/ FiJXhM4Jqw36CQziG+D63H/Tcx/yj7pb+z8Fj8FT2lsThFSpv7kVaHfoL4gg1tLbqAPBJXi/ yTeC0IaqLIT4npFzHeMgNNT0mtAAXEO9i7RtILwn9hR2g2W7sZ10HXwlA630vpBzIjsvqz/4 SyoXmQOeT5V453eg39He9E0H+2fGGUoHCFz0+QLFwTPDP4uBEFcvbHj0CbjZN2N55huQ3dM1 T3sSAl/rxcUvwDLdNDpQGeypxtflMsAwdZvyETDC2EWqAvkrvBUZA7kN3HO8djAukyKlHyHu 27Dq5vEgJos7pXqgTDF3MpnAWNm/298KtIPCBt4EcYiSLJQEPVuppo8Hk8skUhx8rb1TfJNA WiZMFFMgp3tewLUVAlXUCXpdCMRoq5TvwLDBdNRqBe8ZX5rrGIS+Eno4fCEolxW/9jkoY/RN CiCu1acbfoZi0WGnxKNQ6WoZQ1JXsHxoKGMbBlIPebO9OUQkRWSGK3B8+a+9LzWFajy9nf1/ 9zIPEiRIkCBBgjwOHjni/OSExnM7vg5+j9pZWQTSCYPJIgMjIubLmyCnvfubvNqQMUae7CoD IWGJC/VKEGiU8fG1dDC+G1k+ciQww3MscwhEvRBbzHEDpDrmScahEFkpusYTFyBqVdxzpfqC clL5QR8KQhQb9Vogfq+fYzXoVwUvX4K2E/QM0D9TywohwDpbI8cm0G2+JdqrYBhgsBg2gWRO WhC2GNioTxbXgV9033XPgjLbi8RFfQb50/QUPRTcE7NmZHwBxUIjtouVwLDJMTmqOZhrOCLC roNvfHaTtAogJGgfGaeAeYFtvq0FeK74Ogs/Qd5ova3sgByPEG2eBp7PlbFCH9C2au2lsWDY bt5u84D2pjZCTQPXKddNVzeQzqqZ/p2Q8GJ4tD0UiiXHXAl/H4wBbZFPAymgHg2kg6OaeYHt azBvNC41tAXLTMNhaReY78mHDd3hRsu07Myj4LfpA9WvwNbZOtlRCtzjXC29YXD31YzEzKWQ U8F1Nu8TcL/grZ49BTwz3VHpdUD5LtDHmQ+um57GWhhI0dJJbSEUeyb6m6g0OBd+4+X0CEhu kh3i7QvZPVyDPXNBmKsr6noINUn1xdUQM9dWX2wHwlpjQ6kUZFmcNaV88H8T+EF9D6Ijw1pa 1oFtkfmAwQIE9Ne0DZB+NkvKqw/Z03PfddnAW9Nj9XwG3m35vvzvwL3J1SK3E0gvMsv7EagG b4Z4CvRsvb3cBrLPOhf5WkHmGGcxTytIu5ZTPycXskc6R7uXQfbh3OY5HcB4xuhhDhjLipuF XRCywva08VMIW2QPt20BQ8CQwzRI3Fc8JWo7xN+K6x4XAaFrTeG2e1D0cukLZeZDoLZ7qGaC a97j5osN/+7lHSRIkCBBggR5nDxyxNlxIiosoSZob+hLSQBRN0YYTkL66zk/ZL8ALu2O5b4N ag4rf6faTaj0ddWljUaBctw0V74LUn3tkG4BtZY3z/UDcEDoRHNgpbrcVRq0+/k/e54HsVxE 64S7IE0OrFKug/aLuIqtQEnxFXTwz1Kb+V4F0wh/P/8tUNsox6QvQc815duHgbDB3U+eANwH aTsYVyfWiq0AfK8kBz4Df+uMBneLQl4/R+e0LCjXvIbxybpw9si5Awt8ULdtla/Kvwz2Tvqi mOXw6wrvhqK9Iefw3UEXS4NnWN7rqSvA0ib81YjDIA0KvOWbBVqiMkAbC9oY4+XoKpD3pP6M +j0o7/oauFqA4br6nbYfXC95DrnLgK2TdZHjOITMFRpLh8D6saGd4WeQdjBXOwBJh+JnRA4C 11GfoCwBz6T8ZTnNoMik2GPREeCs4A1Va4FYR/5YtkCR5+2fF7sFokHHq4Jnqvuycxk473tS c7eA96hnmccL5q2mE6ZQYKaw1/QJ2C9a14fYwDJQDhXeBMscqZryJZjGGT+1GuHqlLvXnNPB tUDL8fUHyy7D26brEL0ppIJpEaSMTx16LwyiFzh6W18Ee3Nb29BqcC5wZ/z958D0oSnKPgwc Lximm8uBbFASXANA66KliXsg2ZQ7QmkOerK6zn8TtKq8YOwMOY3UIYEU0ERvJ2UVaM8rF1xb wDlF/lbPANEuVNd7QHggumbcuxCYoNQnC+Rw8b56Hhxplk/FU6Dn6gP1RDCul3dpT0HIbbOF IqDuCdzy9QDzdvuecBPoK/1b9I4Q9lNsSXs0RF0ova/cWvBka7qpD0Snx5eMaQbhxoS10Slw JH7NoF9tcGPt/VfvhACd/p6FnZOTk5OTA0uWLFmyZElhe69evXr16gVhYWFhYWF/j21BggQJ EiTI/6s8suOsXxYS9UWg2lx18kdDlnJ/+pUYKDFFtVkqQbkJVeVn+0Jikaqbnn4WtB9imiWW BfGG/4YvAcSreoiwEJzv32p1ajBY02O9VcqD7nQPzH8D+MjdP7s2cC/i24SqoF8SG+mZoD8j 3EMGaZ+eJqwEvRZJgZPg/dgX7uoNgZrXVyRvBW2h1pfukNNXtue9BI5Td1ZenAbeTcd6HKsK lief2FniHJgrV9NKHwT9vrd2yAR48q0in1k84BvWZOPta1CxfIX3W0dC81l1B3prQeqpqU9+ 1wlOfekeFucB96eZV+6eALmhJd3xFpgmm4+F/QK+O/k/Z28C98ScI9kfg8FnshtbgVBcmCf0 APdhPUn+FCzPGV1h5cH7jbqEvZDTQloiNgdfZGAbPSF6o+MFmwAmk7m87QPIb+PMdd+FQIR5 oqkphC60Pm09CbHPhHeQ08DbxDdZHwNO8vJzr4DUS7ipfwjSbHtJwxiwXTe3Dv0EvKN9jSz9 gQ7Kp4GqIEYbdOM1yO7s3qZ8D4GFfkGYBOyUh4uV4OwnNxPT0iFwRY7TZoHDaNpoKgPMUupk lIO77dNHi93B/qTla5MHSBPTPAJkmLJ+Mn8JYb+GTYkeCnHG8BTrCMiVc2rk3Qe/y19efwky RuXecX4GvrXqCfUyRK0I+cXcGEyi6QP9DbC9GRggHoQMjaPyPpDjJDX8EkTvDTluigVTWXmx mgX+Vv664g7wPMc2tRxI3YyCQQdps3bUUh30ynrDwI+gbtA66zMhf6m7suoA6VXTbuMiyOvq 3OcdAY4T5k2GlZCwNuFYzHYQyosHrEtBba1Wky+C/Ujs1rhLEBjjWux6Bw76DriPmeBk9ZtN buh/38Ju2LBhw4YNCx3oAgoc6ZMnT548efLvsy9IkCBB/qfgdLpcPh9Mn75o0a+/wuXLN29m Z//79JUtm5QUHg5vv9237zPPgN1us5lMv7fH5wsEYMqU3bsvXIDLl7OyvN5/pz0REWYzvPtu w4bly4PdbjIZDIX9Xq+maRrs2ZOZmZcHubmKoij/PntCQ2VZlqFBg8jIkBAwm0VRfOT8ikIe /VSNba4NrjXgzXdfylkMtlphq2KHQtEmrYrWqQjaZM7phyFQVnlbTQV9nlf13gL6imF6a1CN gbdcRjCHh78aWQvkmkUXlq8I0nR7vZBGoG+zRYaPAU1T7cI7oPcQvqclCHM5L8SAVoGufA+m tYLDMR3UejZb+HoI31y7WkJtOHXkbiOvH47Xjvn80iXoOlrKuhUO9zeV1+9+DAlXS7xTLBxs b5t6xb8KUhnz7LBPQEJv7f8Imr7RxD+qIuif6dn0AeG9hCO8DR1rNou72A5uDlzT+vQ3kBPh OphTHpwfZDW6lwlhYmzZoh+AqYwtMmQxeHrkH8/eBYGZnmbaIRBai/vYAcKvhlmiHcRbgQmW r0EJlasYPwb3NnNfOR6klb7PPD3Al6e+zDeQv9DVNvdjMJ9SHXnPQfaQjDv3fwTmmb8O7w/M DLRSNoA4Ql6kTgHzSssq03oQhtFBPgF6fiDUexpCepruSHVBM0oOW0tQ0sUMczy4o9xjlGrg 6uAxeJ4BVmmDvH1AfF44Yt0CYbkRt+wGcD2Rtz3HAZ777q9yN0K8KdoQ9S5k5mZUu9IDQjqF LU6qBqFfOkbHvgPZd31d/efAn5PzlnoWMt72ZqXMAPNWy1emryHrRP6v3tvgae+N9SVBkaz4 ORFnwLDfUNM6G3hJ7eiNhvAToc+aG4E63t88rz+kxrjCXZ0hUxO+kQeA/jFp2seg9aQUTcD0 rcFlTAT1oPCcfgQCP2sfa3PBNz4wW/sFlCeV1z3dQaqkfSbUBH0IrTwiONZYk+STUKJiMWcZ DSL6RV2MrAWGj/2vaOkQ/lO0M3onmG6LS8RQOHBw7epjy+CX0xedlz+BtHjFoF35930xPIzd u3fv3r0bTp06derUKbhx48aNGzcK+0uUKFGiRInCcQUOdpAgQYIE+deYMmX+/D17IDMzLy8Q gDJlSpWKigJBEARBeHx6dF3XdR3S0jIynM5CvRMmDB/erFnhuAkTtm07exY8Hk0TBHj66WLF IiJ+s+dx3vdv1sCNG5mZTmeh3ilTXnihevXCcTt2ZGTk5IDVKkmSBNWqhYba7fB4rQH9/wSr 7t71eHy+Qr2tWsXEREQ8Pj2P7Di7yzmLZz8FxgvGBeY5IOWGTAjfBx6nt42nGAjFtNtCKqgr 5K2MA+EJsYU+GqQ4QgwbQd+mvuN+CYzPF/++4jkwHrFtd1wDtTY/cR2IYZBYFAwmvaf/KQg8 K/jYCBzUG4u5oHuFw/odoDV11DAQb/r3GIqBtXzDN2q9Aflns5K2ZENOmeRd/g6Q15Rd7t2g Tit1pGhV+LXt5XN7M6DZ3pCT5V4Cb1jaUfNRuP/JbUumAsa6hiVZwyG7S8ri+ycge9H9AVdS 4FTfWy8mR4H1A0ejkF/A/QJflWsP3qE3DxzbBPkjs/emt4aQW5ERMZvAWN9i9teBgNNXPPdl kPqJ7YWhYO9pjQhpBUw3WIzDT64S6AAAO9dJREFUwPicnCxOhNBccYF2DgwljLcdh+DujbwJ eiz4Orq+870EWaf0AYY8UOoZc6J0KDI3pKTxY8gcl7XYPRykBdzScyDP5f5Zt4CvlFrfZwa5 hLxESAdvea2U9hzILcSQ3DfhnpZzzrUHJNFYw1ERjLUMPmNDME0yVHK8CNbj3PDuA999zxdZ qaCeZJpuBdMQ8zYtBJTj6ntaFSjyXGylslMhvF5ErO0MeF50XZDnQl5K9kVPB3D10Mb5O4Gj hv2c5Th4GweStTLg7alupQPEvhGzMOo0WOdaW1uKwF3HvfHZbggMCvT3HAOO6rMCKyDH4F3r d4HwhfyKtSEEFmu3qQvm2Zb5xm/AeEDOlo6DMloLFzuCYgzc9xYD2wzDcGE1WL6UHXJpkH+U VoRfgdyN/tOBTmCfbNwstoNyQ4vWi02FYv2LTS12HwwrhbvSmxAbETk0/BpEhUd+GdUFLr35 a9Ll72Fdm02ldodC8l1fWVcuyB3Fbfa3/s8i2fp4vxz+K6pVq1atWrXC+syZM2fOnPnPxwUJ EiRIkH+Nc+euXMnKgvj4xMSwMLh58969vLx/nz673WIxGAr1PsiZMykpublQunRcXFgYHDhw +3ZGxr/Pnrg4m81sLtT7IOnpfr+iQMmSdrvBABcueDyef+MLwsLDJUmWIT39Nwf6cfPIjnPK G1eN118BnzX1TtYEqHaj89qOGeCP8JUNvAL6SdnMdyCd1U5wFITmwgBhAegJ4ineAf2ifs7X CMSSYpT8OWg/C3fkROCq1ifQBISXhEWCGwKThNfFKSBe1O6KDYBY4aSigzBM3y8eAS0Eh2wF vhK+CpQBtbz7ZeVrKDMi4Y0qn8It1evZ+xFkhMsH8ndCokm76mgPKS+o38qfQ1bN+73u7YZP HW9f/3Qp3DSlGQIfQOQY0+S8maAfVGY7R0JmjGuR51XwfGFfX7w6xHcv+lNSAjA35PnQzZB+ Nyq32CHwHkjvlBwL3jPG58x7wBES+nbIbRBu8YWeBOZscUFAgrCAQVevgv6eetXphNDOxpfF UmDeJYUFouBqq+SXc06Cr72WZ60H6n76SS7QO1JTGwbyT0Jn/SykpuaG+HeDrbGjvLkNyIPk qpb+4K3hyfS8D6GZcm9VAjHAK8J1MJaVu9hOgznMHG6OAeM8+xZPBghFaMkNELcJycIToBbV Pgx8D7Zlcrp0DcwvG0tFTQfv076OuVVBaEsL42Hw5QSeUOaAb7vz2fwcCDQ1rbW6wWV0z8id CPoC4W3lIyjuDe8l1ACjS4iUxkO22bNAuwcxXUJ3WPIh9KQpXTsBOUn5i/N7gFvVPtfdQBzp hk9By6Y3TcF80VbZmgOWVwxPG46C2lQ/onYFNUbdJnQGtY9+RLwB8lpJD9QGU19zfdkP4etD Zzk6gHe5N0m+DO6PfbV8lcB2xGCXJkLxzbFnQ89DrLHY8uJvgl5U+NgSAPtBsavxFCR9UMqS 2BJcgeyb7mmw+YWfN+y7AXe65N66UQcsxfnEGwfKLB0hCnj23/fl8I8oyF1evHjx4sWLoXfv 3r179y7sL2gP5jgHCRIkyONBUTRNVSE397eUjUeXFwh4veD1uly/T7Wz28PC4uIK9RTofRC/ 3+8PBOD27Zwcp7OwPTX11KkDBwrrsbFVqz711KPbW6CnQO8f70dVdR0yMhTlH/Xv2LFly9Gj sG/fgQM3bkC9ek89VaIENG7cvHnNmn/dngI9BXofN4+c9ZHtVxtljIeMAG3z2oD8naBI10Ho qu/SooESrOIYCBOFVcIWIF3fKxwG4WNhmVAd/EWuhvxiAmVndl7ObhBvyMlyALRIoZv4Juhb 8QhlQLgtfE4PYJRQVbsGdGCIUBF0kUp6NRDGCs2FYiAuJ5pp4FOEd/V1UHR86S8aXoSmibWm d2wJ9mfN5eJrwuXNGfL5MmA2W06GZsO+5INPHygPNy9azHfeBr/VWtOzA+wtyn5R+hRUq/bC +8/nQKlG1crUHQRDS/ev1aUL1HNU0GM+gtj3WZU3F6wLYpoWWQGyP+ynyPbg2ZvzXGopcPd0 N/e+D8bG9uoh7UHL1EX5GHh6emZ6JoHxSflOIB+8eD91/wjn42+8fv87SLakf5dxC7zZnlGu UiDdM1qMP4PZZ33V1gU4JXilviCdM3iMe0Hpr2UYdkNeP1cVrxVMi80vGBdBmCWktvVriKoY Uj2kGZiPixHKIWBQwOfsDSF3zGd5GuK/ivg0LBlibtj89rqQ+LGtu2MpGAWxmT0H/FuUmf4w yP8299n8REg5dP+L5CmgOtRegRmQH6KEeV+G60czJ51cBHI94ZZ3JrBLv5R7Gty/+pf5S8G9 I5k3Mq1g+FyK9O8E+xPWEtJbkGLMKO6cB85Jntv+HeCr6K3m/R48s32bA05Q7rNKWABSKT7T ZTDGGHfKY8Fe3h5tag62cuaVtg9ArmHMFEUIdNL3ipmQ+XFelnYHrsy52Ss9ATI2ZidlXgFl h/K95yeI/jrqResyiN9T/JmE6yB+Jw8xtQTvDn9l7UNwNIx7PrYz5I1zpgmvwpZ7m48ciYLD v1z56kInSN+btyetAzjrZnW63xr8IzzT7v/w+Bfsn6VgE+CfbX9UatasWbNmzX9edtnRZUeX HX/fc3ncdJzUcVLHSYX397DnUjDuP4UVjhWOFY4/P28F5eURl0dcHvF3W1/IpMxJmZMyYX7/ +f3n9//r1+d3y++W3w2eMj5lfMpYeJ93Wt5peafl3313/7mfnyD/N6qqKKoKqqqqmvavlz6f 1+t2w6RJQ4Y0bgzr18+bN2BAYfnH637T+yB+v8/n94PfHwgoSmG5f//HH7/9dmH5YP+jl7/p fZBAQNMANO03N/bB8sCBU6cyM8FsjoxMTCysP2z8ny0L9D5uHjniLNcpbY2ZBuaM8JXhs0Df wZOMAb0x3XgNhJ1arD8B1G/12/pbILQV3zKsBvE5obSUCOJBobthOUg77TExS0F9V/+BeBA9 PKmUB6Epz0lm0A/oY2gIegOM9AKiEYTmIHQRntLfANrqtfXToGewWuwB4k+iZjkAykG5WGAW FNWK6g1ugbhaRroMmZniqMu34LozNe36j3Ax/foZT20ot7JxyjMvwNlPfux0oj+EDSzewZEC 5aPLLK20GV481u1Gr4pg3WorZnoednXeWfq7YtB4T8zt/DEQcuJ4rrYRzlb0v1HqDmR9pB1W JoJvUUaRlAVg7C1NL1oW5BH2J8OjwPeJf0beR5Djy1uRNwPcZQMzhI6QfdB7V88C0zHDp4Ym YPhWWBeoAGIP5ahbgECY1yUng3mK5SfT8xCY5n/FZ4WcQ3kvZZ8DWxHLHMsYUJ7RLJYz4Lzk LSJ9BMZScnHjSfAb9TnaEVDOB4Z6LoNtkmGWbRt42uWvDkwB/1e+1lnXwPWhcvOyEVJPpe3P WAHSz3JjLoFhmTDVMhq8672i1Bn0VVK0OQz4UqySHwCX39856ySItZhu/wXyyuUPy4uGs/dv vO9KgpIH40dFqRBzxrrfkQgpz6U9lb8fvF3J8o8FSy1GyWvAXEZOJRvCvgmtbF4EwjfCPNMx UPaKF6WlIO81rJfeBzUucFf8GXLD89/JzgRqEiW1Aetg6zFrRYiZG9JebwFqrr+naRUY2pu7 GJ+AIlPC14bthYibxaS4BSBvstRxXAO1pncwIyH6q3hL5HmQVVvvMB0OvPTLL5eqw97Eo61P vQjpDdgQ+Am0L4wzo2TwPk23u5+C0F5qKlUE7v07lu3DKchZ3rNnz549e/7YX5Bz16BBgwYN GhTmOj8uIptFNotsBq+//vrrr7/+x37HZcdlx+X/3mfydzL2x7E/jv0R7Ha73W7/u60ppG7d unXr1oWxS8cuHbu0sH18m/Ftxrd5+DzGfRP3Tdw3f7f1haxpvqb5muZQvEPxDsU7wAAGMOAv XL99+/bt27dDoEqgSqBKYfuWjls6bukIfelL37/7JoP8x6MoBY5sgcv2rzFlyptvNm0KpUoV KxYV9cf+B+UX6H0Qv9/jCQTA77da/6tNeH7/bykUiuLxuFyF7bJssdhsoOuqqigQCLhc+fm/ tVutIIoGw+83Iz6o90ECgd82B6pqYR7y75Fli8Xh+GP9YeP/LAV6HzeP7DhnWe8mJPeCuOHh W8t8BMKnaryeBQzmdSyAT8+VLoC4TnxOmA0E+FSKAe1zrYXWB6QWRYeXXQziAevg6L0gRKiD fXtBW6/fkE8DI8XRLAbBoq/Xh4GeQihmEErgoiZQU/9YMIB+hRK6DbinG/UfQG/OOa0vSB3k OlICKM+onyu/gHTfMMW6E57YHVuqQXeIyNV/DjkJUYESh83bYfXpxVmb46BUu4qnI1xQPbfa IVNDSA65G3uuEiTUSzumbYfIN+2l7R2gTLWwFZY3QWirtUh4AVIWyimXPoV7CfYNoc+BXouw st+Dc+m9b87JkGfP/DnZB+HTIhclrgd9pnWmwws5VQLdtOqgjvQ60k6CoYU8VPwOYtZGFI96 EQwdSFHHQur+rAZ3KkBojdAKEc+CVtR3UjoIoVEhethMsO+w3JZ2gPMX9y/u4eBv6T2SvweE y4ZOxlggXe/puw+uHM8dzzSwjDa9JO8DdZgywesC9x1vvqsIePMCLTI9oG0y7vD1AHm9oZV9 KriHuZ/OeRbEXPMcqQ1YF5v3cBLkBsJ7+mkQ0cfYnoK48OjoKkcgf5Lr+ZyrUOROZOPY6yB9 JS5L7wsJm0OjQiZCVrnMJZ6VcPerTHJ+hlKvxD9p3wSBWCE/UAvECeYZlgmgzKELn4A9nimK F0zLxFP6RTA4xXZyVcjcldc04xuITrDHG6ZA3MWo92J+AvM75q/lY5DyTGZ3d3m4OTa1+b2h UPal0suKnAPHpiLvRpcEw0JjF9tJ8LTPvxboBVH1YpJi9kLIspg5UQ3hxjvnWt31weE3TmSc rAb3L+pV9SOgjpA/i7oGTPdHpxwE41zrdPkmmNpakuJffPwL9p9REFEucKDHjx8/fvz4wv6x Y8eOHTsWkpKSkpKSHr/+AgexdULrhNYJ/2BAAgkkgDZPm6fNgy/rfFnnyzqwbt26devWQUZG RkZGBkRFRUVFRUG7du3atWsHfQ71OdTnEIiDxEHioMJIXIHD9MOoH0b9MKowMndrza01t9bA 0aNHjx49Wqi+4Lq4uLi4uDiwLLMssywDZzlnOWc5GH5x+MXhF6FpRNOIphGgVFGqKFVgWu60 3Gm5sLHoxqIbi0Lp0qVLly4Nnvae9p72wBrWsOaPt1uQY140rWha0TRotKTRkkZLHp8d1bXq WnUNbre43eJ2C7j7490f7/74x/t+kBLbSmwrsQ1KUIISv2sfz3jG/1fz+DZv83ah/cUmFptY bCLU+bLOl3W+hKxOWZ2yOsGOaTum7Zj25+fn2qprq66tgqmlppaaWgrOnj179uzZQrXlXir3 UrmXYOi5oeeGnoPZ+2fvn/27FwsVyBuWNixtWNrDc/sfZGPaxrSNaVDu03KflvsUjEuMS4xL fuc41+hbo28N4DjHOf7on6PPfJ/5PvPBpvRN6ZvSwel0Op1OqPFFjS9qfAHjx40fN34cRN2O uh11u1Cfb79vv28/dJ3WdVrXaZA3I29G3gwYcnbI2SFnoWVMy5iWMY9vXT1sXqd2mdplapfH /73x/zqK8puDqSiP5qiVLv1/O8zt2w8fvnr1P9f7IH6/z1cQCf59RLpy5YEDJ0worEdEVKhQ qxbExXm9v8+BvnEjOzszEwwGtzsnB2rWLFOmaFG4ePHOnRs3IC/Pao2KAqPR4QgP/6PeBwkE fnP4H/ZvhSybzWbzH9unTp0yZcOGh99/nTo1axYpAvXrN278+82ID+p93DxyqoYh3x8auA3h VU1LQ0ZCIInKwhug1xc+FJ4FYZm4wrABeErwSpnACmE3JqCnMss9DrShuS3SxgAVtNviaaA1 7wjLQGgs9tPdgEwzfTYgkkU0YBDMSEAq+dwC/Xk66MkgVBOq6g7gO55XvgVd0Ib4JdB7M93Y A6R5QqjUHNTeyjnPSQhPcljLX4XyVUqObTUdvLfl7w2NwSyWaW3rCz0cL05o0wwcTTwjI/qD /+79obn7wSmcO5SaDCFzDbfDdkLxpZGBuK6gD5T7SUUgdFjRFaa+EDncVjnPDpGj7V9KyWAe GLez3DYw7jeMt6wAd4Msx10J1PaeCz4nhEwPeTa0KThaxpwucgFia0Vdj0mF2LiomOgJEOkN DY3WoXTfouGlz0LET7YzIXshap+jp6EimHbow92fgtTY+3bWJkhKiRwg74HQboYyylSw2aTP vRvBsIbyzkSwfmUsZW4I3v4eeyAJsr/NVNM+B89+9w6fBpi1BMc3YIrTjlbWIOykqW/JELA2 Mty09AXuqnbzQnDsMe0tng/ZzVyB9GHgf1GfRlHIapTazaWA4W391ZAm4F7pTc5vDKVSY44W nwe2D+S08L3gauab7T0KscsjEq03wL7btMi0A+LLRbQLj4PEBmFFrZ+Dt3n+2YAdHBssqjgK jC30T5QkyKh8/9XbfcH/o39z6gDITfQsy+gEV1amlT/VAy4m3AlPXgq5B/LOuotDhWMVzhZJ gBKdSgslvgPTAVOvUAVcxdw7te/BesxRKawphBHzXlQu3Lt+69usUnD0yWPZp27DjZL5+9yH wVtf94h9wTPWsyH3dXB+7ryblgiGLMu9qGXgnqJvNH/x+BZqwfFx48aNGzdu3MPHFTjODxtX 4EjfvHnz5s2bD5dTcP1fPbauwIF52E/9m4puKrqpKCy7sOzCsguFP7GX3V12d9ndMD13eu70 3MJ6Qf83w78Z/s3wx/c8Uz9K/Sj1I+g0udPkTpMhZ0fOjpwdMH3X9F3TdxWOW/rs0meXPgtr otdEr4mGZjea3Wh2o/Cn/bSP0j5K++jhenJ35u7M3Qn5ZfPL5pf91+1YtnzZ8mXLC+1oPqr5 qOajoOyMsjPKzih0mP+7SU5OTk5OLnTcnx367NBnh/51OZO3Tt46eSscH3B8wPEBMGHjhI0T NsLUzlM7T+0MybHJscmxhRHxiRMmTpj4OwcgfkP8hvgN8F6z95q91+yf67ufcD/hfgKcqHWi 1olahQ5u0/Cm4U3D4UbTG01vNIWrV69evXr14XL+7Px9ZfjK8JUBvnV86/jWAY0cjRyNHDCp +KTik4rDxYsXL168CLMqzao0q9LD9bT7qN1H7T76Lz4nj2ldPa55/d/Cv5qqkZeXlXXvXmH5 IA/2/9lUjUDA5/P5fnOcf4s8/1aeOfPFF2PGFJYF7StXjhrVp09h2atX3bplysDmzRMmvPYa zJo1cGDnzrBly8SJr78OtWvHxlosf5RfoPdB/P7fco1V9bdzOB4sJclkMpv/WNpsiYmlSz+8 PHny6lWf7+FyC/Q+bh7ZcTYuMmcYn4DwPqEHImJAe1OfoLhByBdChFQgDZPeENiuVxaWgfCB +Kk0AYRPfNNzZ4F6Ka9OXgiIXwjzzHtB7Sdk6KtAqK1/zUygkj5SiADdTQkEQEIA0PPIwAvC HOYIDUD/BkmYC3qWOs0jgdjJc8XTC+jl9nnXASZmaykgVBeqkAViPektpsL9lVnV0++BuPva U1fTYayl26qhb0KVYxXqt74K1erVebFVO2iV9VLTTv3AMK7Cx4nh8NPKna12rIbt7fZmnd4E xlOBOVoeVGzsCA9vAPEOPcHzHpTym6Jzn4TyT8dcNraFkKS4vmUEkPZa9jm6g29z1qtpZ8A/ zHnR1RuMybIltCzoz5tMkWcgbUPeAK0K3K2SO93XCDK3OcuobSF1e+ZBtwjpX2YPcn0J91pk bMn5FszHzdUkJwi3/WnaMJC7MFkdClHZ1leEyhD9nfULcw1wnJNtahmwnjG9YYwHf4zyOvXB O1S9kZsKuWJgz4lISHstp+a5M5C1I9Dz0nBw1vJ97Y4F6Q47DDK4WwdCPPOBcKm/4R64e/qM ORUhf3tgf/JCSO+Xc+zmDMj4MOdrzz3IWOs0pr0HhhfCrjv6QojgyI7aAo52pq+xQ5gh5LCx AggvK1NN4yD/Qn6C51kwnpDOKB7gKdFOO1C7i3bbWtBmm5v6BoHQ3tY/JxlyLwWKp3eGy/Xv hV6Lg/RIz5l7F6HIyFKdw2ZAscPFWpfuA4IixFv7g7tYfvFAOlhiHYNCXoPQ1TF3YipD+mfJ oXn74Ezska9PCXDzxdyDuWGg1jUMN5wCOms+oQuwWmgi1AbphfDUonGgbJBD4wUQssThwp/4 A/5nKTiPucDxLYgYPXhO8z+jIDXjwVznAjkFcgv0/FX5BQ7M6tWrV69e/cey3oV6F+pdgO1T t0/dPrXwujFjxowZMwbqf1P/m/rfwOg1o9eM/l0E98Hxj0qRtkXaFmlbGMEriBxmTc6anDW5 cNye7nu67+leWB+6bOiyoctgwNEBRwcchfDr4dfDr//77XgwpWaIeYh5iBleX/z64tcXQ8jb IW+HvP34ns+fJfS50OdCn4PZvtm+2T5ofa/1vdb/QnpSwX0XMH3G9BnTZ8C27G3Z27JhiGmI aYgJlpmXmZeZIS4lLiUupXC8cbFxsXExxD4f+3zs8/9c3+ZJmydt/l3OcJMmTZo0aQKN32n8 TuN3Ctu3dNrSact/8RKjPzt/+37Z98u+XwrrBSkwja40utLoCiw6sejEohPQo0ePHj16/FFP 4vjE8YnjoVt+t/xu+YV68qbnTc+bXjjuca2rxzWv/1t4MFXjz5Y7dixZ8sYbheWDPNj/4PUP T9X47Rzngojzg5HnwnH/uL1du6efrl4dHA6L5R9Fgrt3r1evatU/yi/Q+yCFEeff6g+WBRHn v1q+8EKjRhUrPlzuvyvi/MipGsVnR/Yu9gUYbpqPWh2grdCztXIgxHNDvw26Ve8qbAYxgSlK A2CEMM/6HfieypmZdx38xz1S6GEwGgw9pB4gdlYvB5YCa/UweSOwXOype0H4VJ9LPuj79Qv8 CkI/oQvLQI3U22gJIHXVSgpXwTcg/22fAEKKx+m9C4IulzUtAKmVaZ22BoRnZVFuAfoi7Yg6 CgwbvCs9sdAw9Elf++oQft12q1QC+ML92d4BYO8WPaz4CHAYhQYlGkKUN8mt/AQRnog3w56A PX32DNv+EaxKvXQgsyLETPPU0y9AqQthE21twRgv7vZGQZGuYaLaBNY+oVUiD47ZDHVKDQRt d1bfO+sg8FHe+vS9wNtqT70nWKqFNA4/ANoieZ0wG/zP+btrW8B9P29keg4EIn0h+e3AXt3c UhoMkb1sqnkT2M8aDljLgudTvbEeBlF1wxcbJkPEgLDEsFxI+yrje89SsA2WP3etAdNGOVPa B2nFsoTUHZDwbmTfuG6QvsM3NHoopH/pq39lANgjrfUdo0EfL71nViF9jVu7tQ6ExXmx8gkI OW75LrYoSD9Zf3RvAFsFR+vQeSB2U36I+AyMv4p3jMmgTSXJ9RPcqn93QkZZ8L3qTXeuhqKN YxbbS8LNvWlV9JfAnaCsSu8PRXLCW8p9IDBH+cJ8CNwtPM8FwiH7vru/NgMiy9i/LXIOXK8G BlIKbNGmBcZRUKJjzLZyJ6DI7aKflDwEYa+HD49fAv5WgclSQ3DX8lfwhULosfAOEbHguBxd MaIjZD+VvsW5FG6ePhV7fj3ccWS/mToAtGnGyNChwDz1FeEt0Lqy3ncWxAqmxmEmEKZqRwIR oD3tq5B9AKT7Ad0VA5R8PAv1wdSK9evXr1+/vjAi/GfPYy7IbX6QAjkFch+m959R4MAkjUoa lTTqvxjowcPvjiMSjgnHhGNAM5rRDITjwnHhdz+Na/20flq/P4p5sF09rB5WD/9zO8WB4kBx 4O/qC8WF4sI/jtP76f30foAVK9bf2VnAMY5xDOhMZzr/+ef0V+0IVA1UDVQtrEsDpYHSQBDs gl2wgzRKGiWN+uf6HjchK0JWhKwAcZQ4SvwH+v/s/HyY+GHih4nQ7ot2X7T7Ag6/cPiFwy/A oT6H+hzqAxsTNyZuTIRlU5dNXTYVVrGKVf+KwTWoQQ3YOH3j9I2/czgL/mF8kIKUjcE1BtcY /A9SNv7s/BWkUPxh3P9JfflnSLWl2lLtf67nQf7VdfXP5jXI/01hqsY/dmQfp57fy39YqkYg 4PX+fnPgw3hY//Llhw5dvgzLlh05cuMGfPBBy5ZVq0LnzjVrli4NtWuXK5eU9Nv1x479Ue8f 9fzfEecHeViqxvjxnToVL/5w++/cycvLzwe3+x/L/Y+NOJuPuurJTcBQle5SUQB9LreB60Il 4SqIPvk1+TaoCJP1tcAw4ZB+BNT3vTOki+BrJtWMnQXiIGkhClBGO8sC0IcK73EDOK+v0CNB T8dDBLAHJ+dB76rXYT4Y+ksH5e/A0NQ4w1gFpEOOxJi6kLzeN8FYFC4tzhylz4Oc6b5iwhCQ fhRb0waUjcou/04IKRJfvOwPEGqPTiraEbw/KF73fRA+E9sxEJS31EzvUgg8E1jiHQ7aSe+b 6jxI6B1XofphaLemtvR0Raj/WeUKEXkQNqREHUNdUNYYB/g+hhKW6J0RMVAuquwzISegmm4N zakBT4w0SloLCFOiQ4ovA4mwxsVagtrIdyOnLrjic46kTAAuaTWYAqEnQn+JHAWxYxJ9SbmQ eLfo6yWGQKjPVimiFAjXDTPk8hC6P3pBRAAcJssU09eQujetXc5VOLP9Ytm0jyB3szfEvxxs ve0tIrLBPt8m2dpC1Z5JW4svhjI9IuKKRYHBThvfl1AsP+pQiZ+h/KCw7HrvQNFL9oZFvwbb VYvFUg9KJ5Q4X7kFRNjCekUeh4gJoaa4iSBPkaSIcuDpqh7zKKAM1+25e8Akmqebu0H4WvuL hEHCx3EbQ/aBKuKyVoOoN6N+dnwLT54pWybhLISG2z4O7QfSZCFSbgG2UEuypSdY3bZeRiuI zUxtzYch9nZYfNJ8KNO1eEZZGcofqPBMzaZgTw75PvEXyO3mmqznQ84Qr0m5D9Y6kTmRNcE0 PnJ2ZB7k6nf75laBW2ePvXTiBKQeyOpz/TCoEeaqllTQX5GijedBU/RVeisQSgifUwS4r273 1gPF5lvnvA9KJfVZ13VQrDyn7H58C7XAgS1evHjx33+RFPzBf/DV2n+WgusedBwK9Py7cqEb r2y8svHKwvpHmz7a9NEm2Fd+X/l95WHChAkTfp+L17RJ0yZNmxTWC3JwUzembkzdCKsar2q8 qjHcHXt37N2xj8/OZ4Y8M+SZIYX1mS/PfHnmy7BAWCAsECC7c3bn7H/BYf6r1D5R+0TtE4X1 zw58duCzAzD3yNwjc4/899nxZ/mr8/Om7U3bm7bCHOfqR6ofqX4EBtUeVHtQbbC+aX3T+uYf I6zCQmGhsLAwV7ggxeBhXAm9EnolFK6/c/2d6+8Uyn/wl5GCiHDK2JSxKWPh7Ndnvz779b/+ PJ5Z+szSZ363CfOTfZ/s+2Qf7Oy6s+vOrvDq3FfnvjoXVlxecXnFI2yefdR1FeRfozB14q9F nJs0GTjw228Lywd5sP+Pcv6xox4I/HYs3IOnXjzIw9p3775yJTW1sH/x4gMHrlx5+PUFZYHe P44r2Bz4j1MqZPm31IwHy717r19PSYHz510uj+ePZX7+b+c1PzxV4z90c6Dt18ixcYtA7yDV MVwCcTljeR+UFP/uQC/wPeFZ5a4CpldCsX8GxmLCaP0MnJ1zLTezD4Q2TOqe1BqMo5mhDQPv h0JbcQEIP/Oz7gP9HY5rySDOELpLh0GowkZhNehnqUUZcL7mzMu5BqtnrDm7wQK+z1VzxHao tu2pNvW3gV7EcJddIPWQ0+SzIEZr25QSoPUTTxh6AS9TS/gcAk/5b+hnQfRLrdkOrNe7kgnC Ct4SJwNzxST1ZaCINli2QqAHaeJbIK5MfKdqCah8WPzAvh5KvG5acHoWZJUKT80ZCeKFvKMe G4ifJL77hAcqjam0N3ABElenpTmnwqmkLJ+yDs7MFS/b34E75c1Nku6AdjNvZ9oo8HXKbJra H7Si9i9Dt4L9vZAvQxQw/WxpakoE8RP7V/YzoAWUTv6mkLY9J1roB65invNqLrhm6C8adoIY I5dUbwBDtS/1KLjzWtrpDC+wSX3NEAphzUOLW86A8qJ0xrcfSm0L6VP8BZATDPMiikLeGZfH sxj0GcJW37tg3qINDNsJtNYaMwBMk+T24ldgvESriDQw9LX1zbkInu89UtZFyDTmduYLUMf6 JyafhzKlYmLLByB0vLQv/hWwrQubgQ+USq5TTgnuj0hWXaMhrZcz1WUB88tm1XQaxKbCTvUI ONLMk209ILRcRL2QeWAf6zCErQDzh/aZlorgy/eVFHaD8wPnIL8A0rumd0zhEKnGLo5ZAubO 5p2GUZA/8Xav1E8hfc3NfldNkNckV7tVGjwYDeGfgTqUMcbXQZ+izVF/+/wNUi+Afkc/pFcC bQSxemUgQshS14FoJ9r4NvAsLfVq/2eRtH98C7Yg97jgfObc3Nzc3NzCekH5sMjyPzt140E9 /y5e9rzsedkDft2v+3VYN2LdiHUjYETGiIwRGRB9K/pW9C0YWGxgsYHFoEegR6DH776Qh9uG 24bbYKZ5pnmmGb4b+d3I70ZC9O3o29G3IY000h6Dnb2r9K7Suwrcf+H+C/dfgC0Tt0zcMhGK 7S62u9huiJwcOTlyMmRuzdya+W980U1/vb/eX4d7I++NvDcSNqRsSNmQApUiKkVUiihMUShw VP9u/ur8FDiw01dMXzF9BYywjbCNsIF6SD2kHircjDmi+IjiI373j2OH9A7pHdLhx24/dvux W+GmwYdtYivYVMl5znMeWn3Q6oNWH/wxVaRgs93nfM7nwJZJWyZtmQSVvq30baVv+cv07du3 b9++4JzpnOmcCZt3b969eTdsvLXx1sZbUNtf21/bX7j58V/lUddVkH8NVf3tFdIPc2T/dbn/ tbwCvQ8SCPj9fj9I0m+nZjyMglM1HuTChbt3f/9ilQfrD7u+QO8f7fkt8vuwxAmbzW63WMDn U5Tfj9i+/eDB5GTQtEAgNfWP1z3xRFKS2QzVqj355D8K8BTofdwIBw8ePHjwoK7XqVOnTp06 f12AG1eD7JrAZcNJe1cQsvhQqwJaPf8X/kPgi3F38/jAZgyfG7EI1Mv6W74+cH7K1sjjPaBk ZJ3R1a+D9dXw44ZBoJ5XM/Uk4Kjq1LcB2/QV6qsg9DQ8aSgH15PuJp9bDsU3x9QqXReUPko7 PQ72ZOx1HqkOzl9dFjUSaOX4vmh3KJlZylfkFyh/L36dIRmsXaxF2Q9qebWFeA+kDsI4ToJS Xt3s3QOiX+guHwXhNamSOAv0t7X20j5gjfiJFgD9OQQhAcT9uqi8C/4azgp5HcCYYmijLgT1 BdfkjDdAm5/xcuZ3ILkip4d1Bu+dzI33HaBPTp+a/gZIu2SdFeBNle540iAr6frOnHRYfW1P ifst4Piw7J+kdPAv8Y7Lmg3+THeL7MkgVJNHWi5D2JshdSI2gePt0A3mjWByGF7T7wED1e5+ GbwVXeu934Iv27898Bkoy/SL2jDwx/qvetPBN9BlyTkAZqdlnXUwRGRHvhH2FnjvuMd4u4Kn mDvL+TNkVs3KSW0M6nRho/M2aO2Fly1FwdnZvz07HULyHCvEKuBPc28TPoTc+u5cV08olxY/ ruhnIF8QoyyV4WZ4xs27R8FQV95u6QVRa8LU2PYQucd83lQatD36KKUL3B10Z5h3G2he4yDW gWNCqGQVwPyK/I31JsTkxm+wKRDRPLJ4VCYYBpmvhZwD7QNlt+FNcKU6yyv54M1UNwSGg0UJ Oxd2DEKXhc8JuwdiRe1nww5wRt3Pud8ZfN9kD7iTCh6f8nnuZMj2u94OHIC8bfqosK6glxbn mY9BYAIzpOfAd195n9cg0CvQPdAaAgeUlb7ToMwIdPKeAxaq9zxTQaqkL/H1hGOp+z7dcOrx L9wCx7bg9IACB/pfJTQ0NDQ0FIYNGzZs2LB/v+Mc5K9R8MtASuuU1imtoU18m/g28YW5zS/t eWnPS3sK6xvbbmy7se3fbXWQIP87qFz5+eenTYMqVWrWLF/+X5fzzTcffti6dWG9e/cPPviv TpU4ffro0QsX4MyZjRtHjixsj47u3HnKFDCZihWLjy9sT07++ONXXimsFykyYsTSpQ9vf5B/ Ns7nu3373j1IT//++3ffLWwfPPjo0Rs3oFKlhASr9Y9y09Lu3zcY4MSJe/f+yj8efn9+flYW tG5dv35o6B/7z55NSXG7Yc6cmjVLlPjzch/GoUOHDh069Bgizprq+dHbHwzfGptajoDWRvtY 7whyWeO3huogLzEp5kRQQ/Th2vfAEs96/wRwfO7Yb9sFxi8s8w29Qdws1RVNID4hXBSeBa0t L6o/gBQtZxheh9S87Nkp+XD9jesLDm2B4m3iusQ1gcwv3LXdg8DpNE0wvQTFVpZZWLEo+Iu4 38INt2bcf9k1GBLc4X3tN8F6xF7WkA16LW0wQ4HjenP9PIgThYWiH4QlYif5C9CL6l9oU0Dr zw/eLKCiuk4dDtJi8YRlJOhHxEHGeyDPdqyLjALNr7YLhILewTBNXQnKQktVZ3OQ21ruxL4P 5rDI+ubZQM+YxNJ9gcmONjGTwXJPMsvRELG4+izvEXjjdI33zn0Hvy7bc+HET7Buzv4y6ldw 7zXT6dAkUA7ldUrfB9kHMivffx+8ee6NlsUQvi3sZkR9CDsdWtZuA0uLyFuWfNCf0ZeoA0Df oHj9q8FfxTfOtB1cwyz1DKfBdF6OlQZB5sXsL73fg/dZZXfgXZDPG8cHjkHOEm+f7CFgbWPe Y5kI9kjLOts9MB22tPO1BHmNYZy2BVx38kLcMyGsWMTMsCTIr+03+o5Azor8jjm9QTgsjRA3 gfELwwTDy3B5zM2G13LA9pr1kKEdhG4Ja2T0Q9SoYheLrIfIaSGR4U0h/HaYz9EJTDNMzlAd DOVs2+3jIGAIrJCGgWt87k++JyF/ne9i4HmQzNYcw1gIPxZzNVYCyw7rIYcJlFfyLnr3QUb2 ndu3hkLGmrtVLqyHQLzeOG8eaJ/o7wjvQ36Su6r2DTi7q3JeDQhka0W0peCvpn6njwBlm95B fwLU/UpfdTP4qwfeDESCPl7bqk4F/aTaN/AMqIFAE9/7j75QH0aBY1vg6BY40AUO1q1bt27d uvXw6wtSMQo2CRbICb5R8D+TgmPndn2z65td30A/+tEPYDrTmV54XNubmW9mvpn5d1sbJMj/ LjTtt8hwfn5WVn4+mExW6z865/iv4vf/45xhn8/t9vkK9T5IIPDbm/N0PS/P6QRR/Meb/P5q CsfDxmmax+P1gqL84zcD+ny/2Zmd7XYrCoSGWizy77zPUqWiojye386HDgmBCxcyMwUB/ut4 OTz9dIkS8fG/RbLd7sL23FyPR1EK9T5uHtlxVia78vWfwFAv7BsxDtSl/o1qTfDN0ucHloGx oakJMSC3lhsaEsFzKPCVrxmI54Ul2hwwLDN3NrwD98fcv31zHSjblV/934MJ6Su9JziO2oaG H4T8p3K65fnA/qr5WsQYMJU2r7cPhKhw+2ZzBDhXO4uc0eDKipR2uV9CYoXIGVFpYNtheUmt Dynfpu31l4FijcKLmE6B2lTwUQSU0UrJwGEQJoltxUZAURYKYSBs5768EnSb6M4eB0JtaohV gUjFqT4Lyl2nK+cpMDS2Ny3SGtTKwj31EshOx/W4GmA4aw+Lqwzas8oRZzaobbwH8yuAsZ65 XvTPoO4wrLY9C+rn2su6BJpVftl8GGzVyx+r/x48X7Z8n6f7QLmJZapt+BoWdP3hq8N14fJW q1zqJHgrupplrALPwPxrubHg35G28e4QcM3P22weD6FfOvKjoiEkOWSF6SDYLltfMX8Hoe+G fORQIOp8VC01DfxnPWtcz4JBsSXmlYPAbqWvWBqURK+mbwL505L5xTpCXp/ct7wamJoY3jBX A+muuiYkFdwGd03/ArDvt/QXSkH8jxEVo0+DHcOzCZMhbbqxVcorELLLfsA2EaL2hayK3g3O TkXf9vQBwyzjNXaDIyXcausHlmtmZ9hXYGwom+2DIeDXtktPgb9owEQM5OSkf+F9AQJfqzls Be1XYxdze7B8FTrS8i7Yq4avjXgepGK+g7ggt+HN4+kbwNUu635yb1DOKgvTPwZbF/uX2nzw bVGuWBaAt6x/j78b2EVLknYIpPWBee6i4PtQqaCXBr2+XIF8UG5rfdVQ0J8yxfEhKH11k/40 aMe0TZoIwiXBYPSDIior5Ef4yfXPUuDoFjjSDx4jV3COawEFuczVqlWrVq3av9++II+Hqq9W fbXqq7CUpSwFGMIQhjyq1CBBgjwOnniiVKmICLhzJyUlIwPi4hISoqIenwNdQIHDfP/+b3oK 9D5IxYrFi0dEwOnTt25lZoIohoaGhEBY2KBB8+f/cfzD2v/ZOF33eDwe0LTc3Lw8qFKlePHI yD9eFxpqNMryb6/m9vshIeG3BIqwMItFkiArSxQlCYoXDw3Ny4O6dRMTbTaQJEEQ/4udeLdu /aY3P1/XZRlycjweVYWUlNxcv79Q7+PmkVM17jW4+O6NLRC5/okpxUZAIN3TSS0BSqYaGxgF pt7GlobjoMuKy2eD3JG7ux4KgbxZ+ldyVShy+bmqz7SBbE+O51598C1XhimjwZRt/EasBmff uJzwawrkXlJfy38ZypSKXl6qKySokWsq5sLpThecx/Pg3Pt3/RcuwcUzd09LdaDKmxU/avkC 1JlQKbPYaHjiWNQGoSUIJQ0dxWIgbtS36CtAn6I1U2+Dniq2EdJA7CYUNzQGIVXcoz8Pqabs 65cGQHoX76wbZSFiWES7kF6gfep0ZU+BcIvJWfEDCJ3j6FWuHvjaaRXcF4APBFmUQdhFitwL xC+0iMAwUGboP2ttQNTFqoY3gEQ9WksF4St9nn4a1HS9gZAAVGSfFAW2LyxV5EawKnRGn0/u wrq2R403+oCeYJsedRHck72NA/VAXe8ukfsr6Bc9M/OugShrp/xLwfqenCfNAPMuexd7Pjgs Dot1NoSMsL5kPg3m6WaTQQbDCHmU+hxov5KiGcBfWv1Y8YJ+UiuldAdtnnY60A0CJuVpVQNP Ne/r/tEgrJSThedBmivEiTVBmiYsEC6BtkBrIQhgcpveN+4BbaPQXPsFTFXEZ4wvgSHf/JP1 SdDCWSOcA21SoKGYCt7K3mZaeXDu9RbzByAwKrA1kAFqPWmR8BZIMcYjtuNgHG8JN+ZDdJmQ uhagiC92kO0S3AncfyPjZ8hXciqkfwHZtVMTLnaG3Pw0j386qMfYFPgV5DiljZYEoklcaWoA rDaa5QiQPxTXSUVBf4d3pHfAP0Ety7ugf0K+PhYQaCScBD1B+EVcAXwgbpHmgy5rp/RaoL0l 3BB3gp4hnpOnwY/dfh75/bbHv3CDBAkSJMh/BllZOTlOJ/Tu/c47X38N589fuZL2ODZZPIQK FcqUiYmBxYunTn35ZYiICAv7/ZtJ09Nzc51OeOGF0aMXLoSTJ69c+UfnRD8uqlUrUyY+Hn76 aeLEfv0gOjo09Pf2ZGf/Fjv+4IMzZ5KTIS3tt8jzv4uYGKtVluHDDytXLlIEwsMfjwP92FI1 5HGO74xrITA9p26+G/RXsr/N2QXCeFeKywr66LLzSrUEtbS7j3s5OItvPvfr2xBmfvHtdvkg 7LMkCMchYaLxlaIDIHuQu0qeHU5kHNcOzABLWaMx9CXw7LOt0W9B1A5ryfiGYHjHWC68LuxI 2xV+pzfcGyH8cLczuCOkdYEbsPXYrvPfXwBfJz9dv4ZSiY3XF68HFpfpPD1B3a+9LnpAOCXe FeaAOFLYI3UELZcP/QkgL6Ce+Qy4a+f5svrD5dVXeh4vBcphfbphPugLTcM1H0SfiohMvggV txf53JcE0cnWxom7AIs42OAB/RsRrSEwSdgshoAALY2tQPhQr65WAH0dPdgAbBeWChNBDBdu Uwy0mXRSAhDQlCLaQRAq+nPzdRA3ZDS5DsjjtLnq+yD3MXe1bwDthbASkZdA+SWkasRVUHv5 Bef34O/v25zfAZTowBitJgQ2ZE3Lugg5zqxn5PZgqm/8UHwHzBbTDkt7MFUyDDeVBjHcNE/a ANINSZYPglTXUM66E4x75CZiezCYQ/YSAGSe01JA8DJBXAJCiC7pG0Brqt+iLChD9VStD6jl lEgWQX5zpQyvgG9tTh9vLHh7B6YoIgTEQAnlAqhH2ctZkNeYks3zwLjUusI2FYwdzA2sByFu lH25cSnU6FxuZtQaqPFdzZcrz4C4z5Iul5oCm9/dOuvrkpD6Rt6km6WheoOavrZtYPWmNfd+ HgL6Zs+rhpLQ9Lsqteqnw5W4sx0yysKxb4+VO18B7izKisgaA77nlcFKF7CMNS0z9wL5mOFV Qz/QKqpF9HdBraV9qZwA/WthgPgtiM317mIoaJf1u5oBtOP6PnUU0O3f9+UQJEiQIEH+fgoc 1/Xr589/7bW/25pCx/XQoc8/f/PNv9uaQsd19ux/vInv/zUe2XG2zFcm+1tBYPnNvHvrgUhf C08V0J7xFvG/CMbdQpuSa4BQ1yzXz8AW//XAEjB9EhMZUg0My5kmb4TMt9xrMwQ4vv748H2z IGGmcVvcW+BKNjd3hUNYmjDCkQixm+JKFO8Fp05d+zJNBPF0yODEBaAvylyTEgpFi5QfXqUt pNS43ufKXLiw4Kr3WgYc2ZLUPiIBnutScaa9FwRWBZb5JoG8zRRheRbUw9p6bwoIp4Q5pqJA X72MEA6GDywTTbsgpkQFrQyQfPiU58owKLVbiohbCfZLrkhLW7iWunn3qjiwzy2dVq0NCOuE jlIS6LdZL7cHw4ii28t0Bfmd6OwST4O+XW/IPGCF0JNs0Bfq59FBSGYUR0GsqUcLpcDQUE9Q PwDha22x2hVcXzmfzLwP8qvKbk9pEDuZdzs2gBxj2R8RDcY8y4XISyDWsMyx/Qimn0Pd4QJo U5z9s2LBixKrzYXA+/o9LQe0Q3pxTQdnc89az3EQX3b58y+DIqm79ItAc93NGRBWCWfESWBc yBPCedB3in3oA/qrwiLBBUJDFgsJoM/nJ3E16JOEhYSA1l9/VtkHepjwnlgG9NeEovJdENZK 2+UWIJ00HDMcBPlkSIOwW2CZZplm+xnMDuMa80GIy7S6tZ1Qo2nx2hY7VGtVu0rVZyBud1m5 hgTKIuGcORoCJ/WZ7ISG79Z3dxkHziLOQKN3IaJXwmulP4doS/eFZfeAfaGjTBkZQi+F9S7+ HlTIrDntbj9I2lq967mh8L17+a0Nt8H/Xn7OOQ8kd0z9OrsiqD3FaZITjA6zZj0KhkRpiWE+ yGZpofgM0A2n2Bn0VWq8dga0gcpx/TMAytHo717mQYIECRIkSJDHwSM7ztIG+Yh0GnS3o77t RxA2xaTFjgKhAxeETKCS7JebgG/5nbjrN0DuEvVq+BiQ34+JiP0WPCGB+/nVIW90XvK9QVB9 a+W6dRdCdP/w6fE2OJB+vvGG0RAebeseMwn0dvJ1w5twbuDx6jt2gXGmtW3xxVB8pu3L8tFQ a1vZq0/Z4EKDyJ4lAeF59UvtaaiaUdYTKYBvtOvZ9PdAeMvTOKslaKtk1VYcxOXW/jYf6I0M ecYfQLpk3ihGQ8rAE/LVSpByNve9C+3AtiD+Q1MWRKRGNU6aCeXfr+xrOQQ85orV7vpBT86q da8I+Bbc63zjB9CTXO/lVAVVCi/vWAuGZyPio/OAJ4RhodWAs/RT5oH+POcYDZwimZWgtRR+ 5EPwfeLvoDcDX75/A07QBsh3DZ3BezuwyL0MMHgPu7eDkJe7KvMXMOWbsu/bwNrSPibMD8W2 FEuMSoH20X3rN6sC99Pv3c5+CW6vuBZ/Nx9u988Y7OoJmZ+5SwSmQv5J/0KhDrhz9HPKSRBa q5H6SAiEqmjx4D6hpmvdgSeEcfp60KOFPcwD1vIhmSDGiEPFp0CMMnxg+AGEDVKk4RuQ1xla GxuANEPOkCeCPMLgMb4PhiTxLXk5MJ7OPAuGaNUaSAdtWkbD+9XhueLPdyjVHJ5+tg3tS4L3 PbF11E3wzQ+M9UaDflj8wtcMxFjpstgZpBfNYbZFEDVKrmDJB30MVc2LIbFY0b1NxkHApExV toI/03/ZfxyM79t2m1tA4Lw6OKwtPP1q9XZVfBA/Jyyj2KuQfNC9TX8Jtp/b8uleF6TMyXzj 7i7wmA1n5fVgEZSvTMfBtNJU07gBxEPiPvEoyBGGJ+Xfjs8JxpyDBAkSJEiQ/yE8co5zkCBB ggQJEiRIkCD/kynIcX7kNwcGCRIkSJAgQYIECfK/gaDjHCRIkCBBggQJEiTInyDoOAcJEiRI kCBBggQJ8icIOs5BggQJEiRIkCBBgvwJgo5zkCBBggQJEiRIkCB/gv//OLqC3YJBggQJEiRI kCBBggT5I/8fGIb3tyeqXWgAAAAASUVORK5CYII= --------------040903020604070105030005-- --------------070505040606000308020008-- From nobody Thu Apr 3 07:43:44 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F34A1A01DC for ; Thu, 3 Apr 2014 07:43:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.551 X-Spam-Level: X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9PBZfYAT8-WK for ; Thu, 3 Apr 2014 07:43:37 -0700 (PDT) Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.94]) by ietfa.amsl.com (Postfix) with ESMTP id 1ECB21A01C2 for ; Thu, 3 Apr 2014 07:43:35 -0700 (PDT) Received: from [80.187.106.103] (helo=[100.92.235.95]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from ) id 1WVirQ-0007FN-Pk; Thu, 03 Apr 2014 16:43:21 +0200 Date: Thu, 03 Apr 2014 16:43:16 +0200 Message-ID: Importance: normal From: Torsten Lodderstedt To: George Fletcher , Phil Hunt MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--_com.android.email_2956890847555390" X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ= Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2TZnKY0oIHhMPG7MOB7sN4iC4Mo Cc: OAuth WG Subject: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 14:43:41 -0000 ----_com.android.email_2956890847555390 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: base64 SGkgR2VvcmdlLAoKaWYgeW91IHdhbnQgdG8gZWZmZWN0aXZlbHkgcHJlc2V2ZSB0aGUgcmVmcmVz aCB0b2tlbiwgd2h5IGRvZXNuJ3QgdGhlIEFTIGp1c3QgdHJlYXQgdGhlIG5ldyBjbGllbnQgaWQg YXMgYW4gYWxpYXMgb2YgdGhlIHRoZSBvbGQgY2xpZW50IGlkPwoKcmVnYXJkcywKVG9yc3Rlbi4K Ci0tLS0tLS0tIFVyc3Byw7xuZ2xpY2hlIE5hY2hyaWNodCAtLS0tLS0tLQpWb246IEdlb3JnZSBG bGV0Y2hlciA8Z2ZmbGV0Y2hAYW9sLmNvbT4gCkRhdHVtOjAzLjA0LjIwMTQgIDE1OjQzICAoR01U KzAxOjAwKSAKQW46IFRvcnN0ZW4gTG9kZGVyc3RlZHQgPHRvcnN0ZW5AbG9kZGVyc3RlZHQubmV0 PixQaGlsIEh1bnQgPHBoaWwuaHVudEBvcmFjbGUuY29tPiAKQ2M6IE9BdXRoIFdHIDxvYXV0aEBp ZXRmLm9yZz4gCkJldHJlZmY6IFJlOiBbT0FVVEgtV0ddIEhhbmRsaW5nIHN0b3JlZCB0b2tlbnMg aW4gbW9iaWxlIGFwcCBhZnRlciBzb2Z0d2FyZSB1cGRhdGUgd2l0aCBjbGllbnQgY3JlZGVudGlh bCBjaGFuZ2UgCgpIaSBUb3JzdGVuLAoKV2UgYWN0dWFsbHkgaGF2ZSB0aGUgc2FtZSBpc3N1ZS4g RGVwbG95ZWQgY2xpZW50cyBpbiB0aGUgZmllbGQgd2hlcmUgd2Ugd2FudCB0byB1cGRhdGUgdGhl IGNsaWVudF9pZCBhbmQgZG9pbmcgc28gaW52YWxpZGF0ZXMgdGhlIGV4aXN0aW5nIHJlZnJlc2hf dG9rZW4gc3RvcmVkIHdpdGggdGhlIGNsaWVudC4gRnJvbSBhIHVzZXIgZXhwZXJpZW5jZSBwZXJz cGVjdGl2ZSwgdGhpcyBpcyBhIHBhaW4gYW5kIGZyb20gYSByaXNrIHBlcnNwZWN0aXZlIEkgdGhp bmsgaXQncyBmaW5lIHRvIGVmZmVjdGl2ZWx5IGRvIGEgInRva2VuIGV4Y2hhbmdlIiBmcm9tIHRo ZSBvbGQgcmVmcmVzaF90b2tlbiB0byB0aGUgbmV3IG9uZSAod2l0aCB0aGUgYXBwcm9wcmlhdGUg c2VjdXJpdHkgY29uc2lkZXJhdGlvbnMgaW4gbWluZCkuCgpBbmRyZSBnb3QgbWUgdGhpbmtpbmcg YWJvdXQgdGhpcyBhbmQgaGVyZSBpcyB3aGF0IEknbSBsZWFuaW5nIHRvd2FyZHMgaW1wbGVtZW50 aW5nIGluIG91ciBzeXN0ZW0uCgpVc2UgdGhlIEpXVCBDbGllbnQgQXNzZXJ0aW9uIGZsb3cgcmVx dWVzdGluZyBhbiBhdXRob3JpemF0aW9uIGdyYW50IGZvciB0aGUgZXhpc3RpbmcgdXNlci4gVGhl IEpXVCB3b3VsZCBjb250YWluIGFuICJpc3MiIG9mIHRoZSBuZXcgY2xpZW50X2lkLCBhICJzdWIi IG9mIHRoZSB1c2VyaWQgdGhlIGNsaWVudCBzaG91bGQgYWxyZWFkeSBrbm93IGFib3V0LCBhbiAi YXVkIiBvZiB0aGUgQXV0aG9yaXphdGlvbiBTZXJ2ZXIsIGEgc2hvcnQgbGl2ZWQgImV4cCIgdmFs dWUgYXMgdGhpcyBpcyBlZmZlY3RpdmVseSBhIG9uZS10aW1lIHRva2VuIGV4Y2hhbmdlLCBhbmQg YW4gYWRkaXRpb25hbCBjbGFpbSBvZiB0aGUgb2xkIHJlZnJlc2hfdG9rZW4uIE1heWJlIGFuIGFk ZGl0aW9uYWwgY2xhaW0gd2l0aCB0aGUgb2xkIGNsaWVudF9pZCBhcyB3ZWxsIChzdGlsbCB0aGlu a2luZyBhYm91dCB0aGF0IGFzIHRoZSBjbGllbnRfaWQgaXMgYWxyZWFkeSBhc3NvY2lhdGVkIHdp dGggdGhlIHJlZnJlc2hfdG9rZW4pLgoKVGhpcyBhbGxvd3MgdGhlIEFTIHRvIGRvIHRoZSBmb2xs b3dpbmcgY2hlY2tzLi4uCjEuIE1ha2Ugc3VyZSB0aGUgYXNzZXJ0aW9uIGlzIGJlaW5nIHByZXNl bnRlZCBieSB0aGUgbmV3IGNsaWVudCAodGhlIGxldmVsIG9mIHN1cmV0eSBpcyBiYXNlZCBvbiB0 aGUgcmlzayBhc3NvY2lhdGVkIHdpdGggdGhlIGNsaWVudC4gSWYgdGhlIGNsaWVudCBpcyBwcm92 aXNpb25lZCB3aXRoIGFkZGl0aW9uYWwga2V5cyBzb21lIGhvdyB0aGF0J3MgbXVjaCBzdHJvbmdl ciB0aGFuIGp1c3QgdXNpbmcgYSBjbGllbnRfc2VjcmV0IHdoaWNoLCBhcyB5b3UgcG9pbnQgb3V0 LCBkb2Vzbid0IHJlYWxseSBwcm92ZSBhbnl0aGluZykuCjIuIFZlcmlmeSB0aGF0IHRoZSAic3Vi IiB2YWx1ZSBpbiB0aGUgSldUIGlzIHRoZSBzYW1lIGFzIHRoYXQgaWRlbnRpZmllZCBieSB0aGUg cmVmcmVzaF90b2tlbgozLiBWZXJpZnkgdGhhdCB0aGUgY2xpZW50X2lkIGRlZmluZWQgYXMgdGhl ICJpc3N1ZXIiIGlzIGFsbG93ZWQgdG8gbWFrZSB0aGlzIHRva2VuIGV4Y2hhbmdlIGNhbGwgYW5k IHRoYXQgdGhlIGNsaWVudF9pZCBpbiB0aGUgcmVmcmVzaF90b2tlbiBpcyBvbmUgb2YgdGhvc2Ug YmVpbmcgcmVwbGFjZWQKNC4gVmVyaWZ5IHRoZSBhdWRpZW5jZSBvZiB0aGUgSldUCgpJZiBhbGwg dGhlIGNoZWNrcyBwYXNzLCB0aGVuIGEgbmV3IHJlZnJlc2hfdG9rZW4gY2FuIGJlIGlzc3VlZCwg d2l0aCBleGFjdGx5IHRoZSBzYW1lIHNjb3BlcyBhcyB0aGUgIm9sZCIgcmVmcmVzaF90b2tlbiAo bm8gYWJpbGl0eSBpbiB0aGlzIGZsb3cgdG8gY2hhbmdlIHNjb3BlcykuIFRoZSBzZW1hbnRpY3Mg b2YgdGhlIHJlZnJlc2hfdG9rZW4gKGUuZy4gYXV0aE4gdGltZSwgZXhwaXJ5IHRpbWUsIGV0Yykg bmVlZCB0byBiZSBjb3BpZWQgdG8gdGhlIG5ldyByZWZyZXNoX3Rva2VuLiBJbiBvdGhlciB3b3Jk cyB0aGVyZSBzaG91bGQgYmUgbm8gd2F5IHRvICJleHRlbmQiIHRoZSBsaWZldGltZSBvZiB0aGUg cmVmcmVzaF90b2tlbiB2aWEgdGhpcyBtZWNoYW5pc20uIEl0J3MgcHVyZWx5IGEgdG9rZW4gZXhj aGFuZ2UgdG8gcHJvdmlkZSBhIG5ldyByZWZyZXNoX3Rva2VuIG1hcHBlZCB0byB0aGUgbmV3IGNs aWVudF9pZC4KCkludGVyZXN0ZWQgaW4gZmVlZGJhY2sgYXMgdG8gdGhlIHZpYWJpbGl0eSBvZiB0 aGlzLgoKUGhpbCwgSSBhZ3JlZSB0aGlzIGRvZXNuJ3QgbmVlZCB0byBiZSBzdGFuZGFyZGl6ZWQs IGFuZCBJIHdvdWxkIGxpa2UgdG8gc2VlIHRoZSBjb21tdW5pdHkgc3RhcnQgY29sbGVjdGluZyBz b21lICJiZXN0IHByYWN0aWNlcyIgdG8gaGVscCBvdGhlcnMgdGhhdCBjb21lIGFjcm9zcyB0aGUg c2FtZSB1c2UgY2FzZS4gSXQgd2lsbCBlbnN1cmUgICAgICAgYSBtb3JlIHNlY3VyZSBpbnRlcm5l dCBmb3IgYWxsIG9mIHVzLgoKVGhhbmtzLApHZW9yZ2UKCk9uIDQvMy8xNCwgNjoxMyBBTSwgVG9y c3RlbiBMb2RkZXJzdGVkdCB3cm90ZToKSGkgQW5kcmUsCgpJIHdvdWxkIGV4cGVjdCB0aGUgQVMg dG8gdHJlYXQgYSBjbGllbnQgd2l0aCBhIGRpZmZlcmVudCBjbGllbnQgaWQgYXMgYW5vdGhlciBj bGllbnQuIFNvIHRoZSBuZXcgY2xpZW50IHNob3VsZCBub3QgYmUgYWJsZSB0byB1c2UgdGhlICJv bGQiIHJlZnJlc2ggdG9rZW5zLgoKU29tZSBmdXJ0aGVyIHF1ZXN0aW9ucy9yZW1hcmtzOgotIGlm IHlvdSB1dGlsaXplIHJlZnJlc2ggdG9rZW5zLCBhY2Nlc3MgdG9rZW5zIHNob3VsZCBiZSB0cmFu c2llbnQuIFJpZ2h0PyBTbyB5b3UgZG9uJ3QgbmVlZCB0byBib3RoZXIKLSBwdWJsaWMgY2xpZW50 IG1lYW5zIHcvbyBzZWNyZXQgLSB0aGVyZSBpcyBubyBzZWN1cml0eSBiZW5lZml0IG9mIGhhdmlu ZyBhIHNlY3JldCBmb3IgdGhlIHR5cGUgb2YgY2xpZW50IHlvdSBkZXNjcmliZWQgKHNlZSBTcGVj IHNlY3Rpb24gMTApCgpSZWdhcmRzLApUb3JzdGVuLgoKQW0gMDMuMDQuMjAxNCB1bSAwMDo1MSBz Y2hyaWViIFBoaWwgSHVudCA8cGhpbC5odW50QG9yYWNsZS5jb20+OgoKSSBkb27igJl0IHNlZSBh IHN0cm9uZyByZWFzb24gdG8gc3RhbmRhcmRpemUgYmVoYXZpb3VyIGhlcmUuICBCdXQgaXQgc2Vl bXMgbGlrZSBhIGNoYW5nZSBpbiBzY29wZSBhZnRlciBhIGNsaWVudCB1cGdyYWRlIGlzIGEgZ29v ZCByZWFzb24gdG8gZXhwaXJlIGV4aXN0aW5nIHRva2VucyBhbmQgcmUtYXV0aG9yaXplIGFzIHdl bGwgYXMgc2ltcGx5IGV4cGlyZSB0b2tlbnMuCgpTb21lIG1heSBjaG9vc2UgdG8gYmUgdmVyeSBj b25zZXJ2YXRpdmUgYW5kIGFsd2F5cyBleHBpcmUgdG9rZW5zIG9uIGFueSBjbGllbnQgdXBkYXRl LiBCdXQgSSB0aGluayB0aGF0IHVubGVzcyB0aGVyZSBpcyBhIGNyaXRpY2FsIHNlY3VyaXR5IGR1 ZSB0byB0aGUgbmF0dXJlIG9mIHRoZSBjbGllbnQgYW5kL29yIHNlcnZlciwgdGhlcmUgaXMgbm8g cmVhc29uIHRvIGFzc3VtZSBpdCBpcyBuZWNlc3NhcnkgYmV5b25kIOKAnGdvb2QgcHJhY3RpY2Xi gJ0uCgpPbmUgZ29vZCByZWFzb24gZm9yIGV4cGlyaW5nIHRva2VucyBpcyB0aGF0IHlvdSBhcmUg Zm9yY2luZyB0aGUgY2xpZW50IHRvIHJlLWNvbmZpcm0gaXQgaGFzIHRoZSBuZXcgY2xpZW50IGNy ZWRlbnRpYWwgYW5kIGl0IGlzIHN0aWxsIHZhbGlkLgoKSWYgeW91IHJldm9rZSB0b2tlbnMgYW5k IHJlZnJlc2ggdG9rZW5zLCB5b3VyIGF1dGhvcml6YXRpb24gYW5kIGF1dGhlbnRpY2F0aW9uIHN5 c3RlbSBtaWdodCBpbnNwZWN0IGJyb3dzZXIgY29va2llcyB0aGF0IGhvbGQgdGhlIHByZXZpb3Vz IFNTTyBzdGF0ZSBhbmQvb3IgcHJldmlvdXMgYXV0aG9yaXphdGlvbiBzdGF0ZS4gIFRodXMgeW91 IGNvdWxkIGF2b2lkIHJlLWF1dGhlbnRpY2F0aW5nIHRoZSB1c2VyIGFuZCBzaW1wbHkgYXNrIGFi b3V0IHRoZSBuZXcgc2NvcGVzLgoKUGhpbAoKQGluZGVwZW5kZW50aWQKd3d3LmluZGVwZW5kZW50 aWQuY29tCnBoaWwuaHVudEBvcmFjbGUuY29tCgpPbiBBcHIgMiwgMjAxNCwgYXQgMTozNyBQTSwg QW5kcsOpIERlTWFycmUgPGFuZHJlZGVtYXJyZUBnbWFpbC5jb20+IHdyb3RlOgoKV2UgaGF2ZSBh IG1vYmlsZSBhcHAgd2hpY2ggb3BlcmF0ZXMgYXMgYW4gT0F1dGggMi4wIHB1YmxpYyBjbGllbnQK KHcvY2xpZW50IGNyZWRlbnRpYWxzKS4gSXQgdXNlcyB0aGUgcmVzb3VyY2Ugb3duZXIgcGFzc3dv cmQKY3JlZGVudGlhbHMgZ3JhbnQgdHlwZSBmb3IgYXV0aG9yaXplZCBjb21tdW5pY2F0aW9uIHdp dGggb3VyIHJlc291cmNlCnNlcnZlcnMuCgpXZSBhcmUgd29ya2luZyBvbiBhIHNvZnR3YXJlIHVw ZGF0ZSBhbmQgd2FudCB0byBjaGFuZ2UgdGhlIHJlZ2lzdGVyZWQKY2xpZW50X2lkIGFuZCBjbGll bnRfc2VjcmV0IGZvciB0aGUgbmV3IGFwcCB2ZXJzaW9uIChyZWdpc3RlciBhIG5ldwpjbGllbnQg YXQgdGhlIGF1dGggc2VydmVyKS4gVGhlIHByb2JsZW0gaXMgdGhhdCBhZnRlciB0aGUgYXBwIHVw ZGF0ZXMKb24gdXNlcnMnIGRldmljZXMsIGl0IHdpbGwgaW5oZXJpdCB0aGUgYXBwIGRhdGEgb2Yg dGhlIHByZXZpb3VzCnZlcnNpb24sIGluY2x1ZGluZyB0aGUgYWNjZXNzIGFuZCByZWZyZXNoIHRv a2Vucy4KClNpbmNlIHRoZSB0b2tlbiBzY29wZSBpc3N1ZWQgdG8gdGhlIG5ldyBjbGllbnQgbWln aHQgYmUgZGlmZmVyZW50LCB3ZQprbm93IHRoYXQgd2Ugd2FudCB0aGUgbmV3IGFwcCB2ZXJzaW9u IHRvIGRpc2NhcmQgdGhlIHByZXZpb3VzCnZlcnNpb24ncyBhY2Nlc3MgdG9rZW5zLiBCdXQgd2hh dCBhYm91dCB0aGUgcmVmcmVzaCB0b2tlbj8KVGVjaG5pY2FsbHksIHRoZSBuZXcgdmVyc2lvbiBv ZiB0aGUgYXBwIHdpbGwgYmUgYSBkaWZmZXJlbnQgY2xpZW50LApidXQgdGhlIGNvcmUgT0F1dGgg c3BlYyBzZWN0aW9uIDYgc2F5cyAidGhlIHJlZnJlc2ggdG9rZW4gaXMgYm91bmQgdG8KdGhlIGNs aWVudCB0byB3aGljaCBpdCB3YXMgaXNzdWVkLiIgU28gd2hhdCBzaG91bGQgd2UgZG8/CgpXZSBj YW4gcHJvZ3JhbSB0aGUgYXBwIHRvIGRpc2NhcmQgdGhlIHByZXZpb3VzIHZlcnNpb24ncyByZWZy ZXNoCnRva2VuLCBidXQgdGhhdCB3b3VsZCBpbmNvbnZlbmllbmNlIG91ciB1c2VycyB0byByZS1l bnRlciB0aGVpcgpwYXNzd29yZCBhZnRlciB0aGUgc29mdHdhcmUgdXBkYXRlLgoKSSdtIHRlbXB0 ZWQgdG8gYWxsb3cgdGhlIG5ldyBjbGllbnQgdG8gdXNlIHRoZSByZWZyZXNoIHRva2VuIGlzc3Vl ZCB0bwp0aGUgcHJldmlvdXMgY2xpZW50LCBidXQgdGhhdCB2aW9sYXRlcyB0aGUgc3BlYy4KCkRv ZXMgdGhlIE9BdXRoIGNvbW11bml0eSBoYXZlIGFueSBpbnNpZ2h0IGhlcmU/IFRoYW5rIHlvdS4K CktpbmQgUmVnYXJkcywKQW5kcmUgRGVNYXJyZQoKX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX18KT0F1dGggbWFpbGluZyBsaXN0Ck9BdXRoQGlldGYub3JnCmh0 dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGgKX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KT0F1dGggbWFpbGluZyBsaXN0Ck9BdXRo QGlldGYub3JnCmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGgKX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KT0F1dGggbWFpbGlu ZyBsaXN0Ck9BdXRoQGlldGYub3JnCmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGlu Zm8vb2F1dGgKCi0tIAo= ----_com.android.email_2956890847555390 Content-Type: multipart/relative; boundary="--_com.android.email_2956891593283311" ----_com.android.email_2956891593283311 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: base64 PGh0bWw+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0 L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPjwvaGVhZD48Ym9keSA+SGkgR2VvcmdlLDxkaXY+PGJyPjwv ZGl2PjxkaXY+aWYgeW91IHdhbnQgdG8gZWZmZWN0aXZlbHkgcHJlc2V2ZSB0aGUgcmVmcmVzaCB0 b2tlbiwgd2h5IGRvZXNuJ3QgdGhlIEFTIGp1c3QgdHJlYXQgdGhlIG5ldyBjbGllbnQgaWQgYXMg YW4gYWxpYXMgb2YgdGhlIHRoZSBvbGQgY2xpZW50IGlkPzwvZGl2PjxkaXY+PGJyPjwvZGl2Pjxk aXY+cmVnYXJkcyw8L2Rpdj48ZGl2PlRvcnN0ZW4uPC9kaXY+PGJyPjxicj4tLS0tLS0tLSBVcnNw csO8bmdsaWNoZSBOYWNocmljaHQgLS0tLS0tLS08YnI+Vm9uOiBHZW9yZ2UgRmxldGNoZXIgPGdm ZmxldGNoQGFvbC5jb20+IDxicj5EYXR1bTowMy4wNC4yMDE0ICAxNTo0MyAgKEdNVCswMTowMCkg PGJyPkFuOiBUb3JzdGVuIExvZGRlcnN0ZWR0IDx0b3JzdGVuQGxvZGRlcnN0ZWR0Lm5ldD4sUGhp bCBIdW50IDxwaGlsLmh1bnRAb3JhY2xlLmNvbT4gPGJyPkNjOiBPQXV0aCBXRyA8b2F1dGhAaWV0 Zi5vcmc+IDxicj5CZXRyZWZmOiBSZTogW09BVVRILVdHXSBIYW5kbGluZyBzdG9yZWQgdG9rZW5z IGluIG1vYmlsZSBhcHAgYWZ0ZXIgc29mdHdhcmUgdXBkYXRlIHdpdGggY2xpZW50IGNyZWRlbnRp YWwgY2hhbmdlIDxicj48YnI+CiAgICA8Zm9udCBmYWNlPSJIZWx2ZXRpY2EsIEFyaWFsLCBzYW5z LXNlcmlmIj5IaSBUb3JzdGVuLDxicj4KICAgICAgPGJyPgogICAgICBXZSBhY3R1YWxseSBoYXZl IHRoZSBzYW1lIGlzc3VlLiBEZXBsb3llZCBjbGllbnRzIGluIHRoZSBmaWVsZAogICAgICB3aGVy ZSB3ZSB3YW50IHRvIHVwZGF0ZSB0aGUgY2xpZW50X2lkIGFuZCBkb2luZyBzbyBpbnZhbGlkYXRl cyB0aGUKICAgICAgZXhpc3RpbmcgcmVmcmVzaF90b2tlbiBzdG9yZWQgd2l0aCB0aGUgY2xpZW50 LiBGcm9tIGEgdXNlcgogICAgICBleHBlcmllbmNlIHBlcnNwZWN0aXZlLCB0aGlzIGlzIGEgcGFp biBhbmQgZnJvbSBhIHJpc2sgcGVyc3BlY3RpdmUKICAgICAgSSB0aGluayBpdCdzIGZpbmUgdG8g ZWZmZWN0aXZlbHkgZG8gYSAidG9rZW4gZXhjaGFuZ2UiIGZyb20gdGhlCiAgICAgIG9sZCByZWZy ZXNoX3Rva2VuIHRvIHRoZSBuZXcgb25lICh3aXRoIHRoZSBhcHByb3ByaWF0ZSBzZWN1cml0eQog ICAgICBjb25zaWRlcmF0aW9ucyBpbiBtaW5kKS48YnI+CiAgICAgIDxicj4KICAgICAgQW5kcmUg Z290IG1lIHRoaW5raW5nIGFib3V0IHRoaXMgYW5kIGhlcmUgaXMgd2hhdCBJJ20gbGVhbmluZwog ICAgICB0b3dhcmRzIGltcGxlbWVudGluZyBpbiBvdXIgc3lzdGVtLjxicj4KICAgICAgPGJyPgog ICAgICBVc2UgdGhlIEpXVCBDbGllbnQgQXNzZXJ0aW9uIGZsb3cgcmVxdWVzdGluZyBhbiBhdXRo b3JpemF0aW9uCiAgICAgIGdyYW50IGZvciB0aGUgZXhpc3RpbmcgdXNlci4gVGhlIEpXVCB3b3Vs ZCBjb250YWluIGFuICJpc3MiIG9mIHRoZQogICAgICBuZXcgY2xpZW50X2lkLCBhICJzdWIiIG9m IHRoZSB1c2VyaWQgdGhlIGNsaWVudCBzaG91bGQgYWxyZWFkeQogICAgICBrbm93IGFib3V0LCBh biAiYXVkIiBvZiB0aGUgQXV0aG9yaXphdGlvbiBTZXJ2ZXIsIGEgc2hvcnQgbGl2ZWQKICAgICAg ImV4cCIgdmFsdWUgYXMgdGhpcyBpcyBlZmZlY3RpdmVseSBhIG9uZS10aW1lIHRva2VuIGV4Y2hh bmdlLCBhbmQKICAgICAgYW4gYWRkaXRpb25hbCBjbGFpbSBvZiB0aGUgb2xkIHJlZnJlc2hfdG9r ZW4uIE1heWJlIGFuIGFkZGl0aW9uYWwKICAgICAgY2xhaW0gd2l0aCB0aGUgb2xkIGNsaWVudF9p ZCBhcyB3ZWxsIChzdGlsbCB0aGlua2luZyBhYm91dCB0aGF0IGFzCiAgICAgIHRoZSBjbGllbnRf aWQgaXMgYWxyZWFkeSBhc3NvY2lhdGVkIHdpdGggdGhlIHJlZnJlc2hfdG9rZW4pLjxicj4KICAg ICAgPGJyPgogICAgICBUaGlzIGFsbG93cyB0aGUgQVMgdG8gZG8gdGhlIGZvbGxvd2luZyBjaGVj a3MuLi48YnI+CiAgICAgIDEuIE1ha2Ugc3VyZSB0aGUgYXNzZXJ0aW9uIGlzIGJlaW5nIHByZXNl bnRlZCBieSB0aGUgbmV3IGNsaWVudAogICAgICAodGhlIGxldmVsIG9mIHN1cmV0eSBpcyBiYXNl ZCBvbiB0aGUgcmlzayBhc3NvY2lhdGVkIHdpdGggdGhlCiAgICAgIGNsaWVudC4gSWYgdGhlIGNs aWVudCBpcyBwcm92aXNpb25lZCB3aXRoIGFkZGl0aW9uYWwga2V5cyBzb21lIGhvdwogICAgICB0 aGF0J3MgbXVjaCBzdHJvbmdlciB0aGFuIGp1c3QgdXNpbmcgYSBjbGllbnRfc2VjcmV0IHdoaWNo LCBhcyB5b3UKICAgICAgcG9pbnQgb3V0LCBkb2Vzbid0IHJlYWxseSBwcm92ZSBhbnl0aGluZyku PGJyPgogICAgICAyLiBWZXJpZnkgdGhhdCB0aGUgInN1YiIgdmFsdWUgaW4gdGhlIEpXVCBpcyB0 aGUgc2FtZSBhcyB0aGF0CiAgICAgIGlkZW50aWZpZWQgYnkgdGhlIHJlZnJlc2hfdG9rZW48YnI+ CiAgICAgIDMuIFZlcmlmeSB0aGF0IHRoZSBjbGllbnRfaWQgZGVmaW5lZCBhcyB0aGUgImlzc3Vl ciIgaXMgYWxsb3dlZCB0bwogICAgICBtYWtlIHRoaXMgdG9rZW4gZXhjaGFuZ2UgY2FsbCBhbmQg dGhhdCB0aGUgY2xpZW50X2lkIGluIHRoZQogICAgICByZWZyZXNoX3Rva2VuIGlzIG9uZSBvZiB0 aG9zZSBiZWluZyByZXBsYWNlZDxicj4KICAgICAgNC4gVmVyaWZ5IHRoZSBhdWRpZW5jZSBvZiB0 aGUgSldUPGJyPgogICAgICA8YnI+CiAgICAgIElmIGFsbCB0aGUgY2hlY2tzIHBhc3MsIHRoZW4g YSBuZXcgcmVmcmVzaF90b2tlbiBjYW4gYmUgaXNzdWVkLAogICAgICB3aXRoIGV4YWN0bHkgdGhl IHNhbWUgc2NvcGVzIGFzIHRoZSAib2xkIiByZWZyZXNoX3Rva2VuIChubwogICAgICBhYmlsaXR5 IGluIHRoaXMgZmxvdyB0byBjaGFuZ2Ugc2NvcGVzKS4gVGhlIHNlbWFudGljcyBvZiB0aGUKICAg ICAgcmVmcmVzaF90b2tlbiAoZS5nLiBhdXRoTiB0aW1lLCBleHBpcnkgdGltZSwgZXRjKSBuZWVk IHRvIGJlCiAgICAgIGNvcGllZCB0byB0aGUgbmV3IHJlZnJlc2hfdG9rZW4uIEluIG90aGVyIHdv cmRzIHRoZXJlIHNob3VsZCBiZSBubwogICAgICB3YXkgdG8gImV4dGVuZCIgdGhlIGxpZmV0aW1l IG9mIHRoZSByZWZyZXNoX3Rva2VuIHZpYSB0aGlzCiAgICAgIG1lY2hhbmlzbS4gSXQncyBwdXJl bHkgYSB0b2tlbiBleGNoYW5nZSB0byBwcm92aWRlIGEgbmV3CiAgICAgIHJlZnJlc2hfdG9rZW4g bWFwcGVkIHRvIHRoZSBuZXcgY2xpZW50X2lkLjxicj4KICAgICAgPGJyPgogICAgICBJbnRlcmVz dGVkIGluIGZlZWRiYWNrIGFzIHRvIHRoZSB2aWFiaWxpdHkgb2YgdGhpcy48YnI+CiAgICAgIDxi cj4KICAgICAgUGhpbCwgSSBhZ3JlZSB0aGlzIGRvZXNuJ3QgbmVlZCB0byBiZSBzdGFuZGFyZGl6 ZWQsIGFuZCBJIHdvdWxkCiAgICAgIGxpa2UgdG8gc2VlIHRoZSBjb21tdW5pdHkgc3RhcnQgY29s bGVjdGluZyBzb21lICJiZXN0IHByYWN0aWNlcyIKICAgICAgdG8gaGVscCBvdGhlcnMgdGhhdCBj b21lIGFjcm9zcyB0aGUgc2FtZSB1c2UgY2FzZS4gSXQgd2lsbCBlbnN1cmUKICAgICAgYSBtb3Jl IHNlY3VyZSBpbnRlcm5ldCBmb3IgYWxsIG9mIHVzLjxicj4KICAgICAgPGJyPgogICAgICBUaGFu a3MsPGJyPgogICAgICBHZW9yZ2U8YnI+CiAgICAgIDxicj4KICAgIDwvZm9udD4KICAgIDxkaXYg Y2xhc3M9Im1vei1jaXRlLXByZWZpeCI+T24gNC8zLzE0LCA2OjEzIEFNLCBUb3JzdGVuIExvZGRl cnN0ZWR0CiAgICAgIHdyb3RlOjxicj4KICAgIDwvZGl2PgogICAgPGJsb2NrcXVvdGUgY2l0ZT0i bWlkOjRGREQwMzg5LTQwQUItNDIxRi1CQjNDLTYyREUwRTQ3Mjk3RUBsb2RkZXJzdGVkdC5uZXQi IHR5cGU9ImNpdGUiPgogICAgICA8cHJlIHdyYXA9IiI+SGkgQW5kcmUsCgpJIHdvdWxkIGV4cGVj dCB0aGUgQVMgdG8gdHJlYXQgYSBjbGllbnQgd2l0aCBhIGRpZmZlcmVudCBjbGllbnQgaWQgYXMg YW5vdGhlciBjbGllbnQuIFNvIHRoZSBuZXcgY2xpZW50IHNob3VsZCBub3QgYmUgYWJsZSB0byB1 c2UgdGhlICJvbGQiIHJlZnJlc2ggdG9rZW5zLgoKU29tZSBmdXJ0aGVyIHF1ZXN0aW9ucy9yZW1h cmtzOgotIGlmIHlvdSB1dGlsaXplIHJlZnJlc2ggdG9rZW5zLCBhY2Nlc3MgdG9rZW5zIHNob3Vs ZCBiZSB0cmFuc2llbnQuIFJpZ2h0PyBTbyB5b3UgZG9uJ3QgbmVlZCB0byBib3RoZXIKLSBwdWJs aWMgY2xpZW50IG1lYW5zIHcvbyBzZWNyZXQgLSB0aGVyZSBpcyBubyBzZWN1cml0eSBiZW5lZml0 IG9mIGhhdmluZyBhIHNlY3JldCBmb3IgdGhlIHR5cGUgb2YgY2xpZW50IHlvdSBkZXNjcmliZWQg KHNlZSBTcGVjIHNlY3Rpb24gMTApCgpSZWdhcmRzLApUb3JzdGVuLgoKPC9wcmU+CiAgICAgIDxi bG9ja3F1b3RlIHR5cGU9ImNpdGUiPgogICAgICAgIDxwcmUgd3JhcD0iIj5BbSAwMy4wNC4yMDE0 IHVtIDAwOjUxIHNjaHJpZWIgUGhpbCBIdW50IDxhIGNsYXNzPSJtb3otdHh0LWxpbmstcmZjMjM5 NkUiIGhyZWY9Im1haWx0bzpwaGlsLmh1bnRAb3JhY2xlLmNvbSI+Jmx0O3BoaWwuaHVudEBvcmFj bGUuY29tJmd0OzwvYT46CgpJIGRvbuKAmXQgc2VlIGEgc3Ryb25nIHJlYXNvbiB0byBzdGFuZGFy ZGl6ZSBiZWhhdmlvdXIgaGVyZS4gIEJ1dCBpdCBzZWVtcyBsaWtlIGEgY2hhbmdlIGluIHNjb3Bl IGFmdGVyIGEgY2xpZW50IHVwZ3JhZGUgaXMgYSBnb29kIHJlYXNvbiB0byBleHBpcmUgZXhpc3Rp bmcgdG9rZW5zIGFuZCByZS1hdXRob3JpemUgYXMgd2VsbCBhcyBzaW1wbHkgZXhwaXJlIHRva2Vu cy4KClNvbWUgbWF5IGNob29zZSB0byBiZSB2ZXJ5IGNvbnNlcnZhdGl2ZSBhbmQgYWx3YXlzIGV4 cGlyZSB0b2tlbnMgb24gYW55IGNsaWVudCB1cGRhdGUuIEJ1dCBJIHRoaW5rIHRoYXQgdW5sZXNz IHRoZXJlIGlzIGEgY3JpdGljYWwgc2VjdXJpdHkgZHVlIHRvIHRoZSBuYXR1cmUgb2YgdGhlIGNs aWVudCBhbmQvb3Igc2VydmVyLCB0aGVyZSBpcyBubyByZWFzb24gdG8gYXNzdW1lIGl0IGlzIG5l Y2Vzc2FyeSBiZXlvbmQg4oCcZ29vZCBwcmFjdGljZeKAnS4KCk9uZSBnb29kIHJlYXNvbiBmb3Ig ZXhwaXJpbmcgdG9rZW5zIGlzIHRoYXQgeW91IGFyZSBmb3JjaW5nIHRoZSBjbGllbnQgdG8gcmUt Y29uZmlybSBpdCBoYXMgdGhlIG5ldyBjbGllbnQgY3JlZGVudGlhbCBhbmQgaXQgaXMgc3RpbGwg dmFsaWQuCgpJZiB5b3UgcmV2b2tlIHRva2VucyBhbmQgcmVmcmVzaCB0b2tlbnMsIHlvdXIgYXV0 aG9yaXphdGlvbiBhbmQgYXV0aGVudGljYXRpb24gc3lzdGVtIG1pZ2h0IGluc3BlY3QgYnJvd3Nl ciBjb29raWVzIHRoYXQgaG9sZCB0aGUgcHJldmlvdXMgU1NPIHN0YXRlIGFuZC9vciBwcmV2aW91 cyBhdXRob3JpemF0aW9uIHN0YXRlLiAgVGh1cyB5b3UgY291bGQgYXZvaWQgcmUtYXV0aGVudGlj YXRpbmcgdGhlIHVzZXIgYW5kIHNpbXBseSBhc2sgYWJvdXQgdGhlIG5ldyBzY29wZXMuCgpQaGls CgpAaW5kZXBlbmRlbnRpZAo8YSBjbGFzcz0ibW96LXR4dC1saW5rLWFiYnJldmlhdGVkIiBocmVm PSJodHRwOi8vd3d3LmluZGVwZW5kZW50aWQuY29tIj53d3cuaW5kZXBlbmRlbnRpZC5jb208L2E+ CjxhIGNsYXNzPSJtb3otdHh0LWxpbmstYWJicmV2aWF0ZWQiIGhyZWY9Im1haWx0bzpwaGlsLmh1 bnRAb3JhY2xlLmNvbSI+cGhpbC5odW50QG9yYWNsZS5jb208L2E+Cgo8L3ByZT4KICAgICAgICA8 YmxvY2txdW90ZSB0eXBlPSJjaXRlIj4KICAgICAgICAgIDxwcmUgd3JhcD0iIj5PbiBBcHIgMiwg MjAxNCwgYXQgMTozNyBQTSwgQW5kcsOpIERlTWFycmUgPGEgY2xhc3M9Im1vei10eHQtbGluay1y ZmMyMzk2RSIgaHJlZj0ibWFpbHRvOmFuZHJlZGVtYXJyZUBnbWFpbC5jb20iPiZsdDthbmRyZWRl bWFycmVAZ21haWwuY29tJmd0OzwvYT4gd3JvdGU6CgpXZSBoYXZlIGEgbW9iaWxlIGFwcCB3aGlj aCBvcGVyYXRlcyBhcyBhbiBPQXV0aCAyLjAgcHVibGljIGNsaWVudAoody9jbGllbnQgY3JlZGVu dGlhbHMpLiBJdCB1c2VzIHRoZSByZXNvdXJjZSBvd25lciBwYXNzd29yZApjcmVkZW50aWFscyBn cmFudCB0eXBlIGZvciBhdXRob3JpemVkIGNvbW11bmljYXRpb24gd2l0aCBvdXIgcmVzb3VyY2UK c2VydmVycy4KCldlIGFyZSB3b3JraW5nIG9uIGEgc29mdHdhcmUgdXBkYXRlIGFuZCB3YW50IHRv IGNoYW5nZSB0aGUgcmVnaXN0ZXJlZApjbGllbnRfaWQgYW5kIGNsaWVudF9zZWNyZXQgZm9yIHRo ZSBuZXcgYXBwIHZlcnNpb24gKHJlZ2lzdGVyIGEgbmV3CmNsaWVudCBhdCB0aGUgYXV0aCBzZXJ2 ZXIpLiBUaGUgcHJvYmxlbSBpcyB0aGF0IGFmdGVyIHRoZSBhcHAgdXBkYXRlcwpvbiB1c2Vycycg ZGV2aWNlcywgaXQgd2lsbCBpbmhlcml0IHRoZSBhcHAgZGF0YSBvZiB0aGUgcHJldmlvdXMKdmVy c2lvbiwgaW5jbHVkaW5nIHRoZSBhY2Nlc3MgYW5kIHJlZnJlc2ggdG9rZW5zLgoKU2luY2UgdGhl IHRva2VuIHNjb3BlIGlzc3VlZCB0byB0aGUgbmV3IGNsaWVudCBtaWdodCBiZSBkaWZmZXJlbnQs IHdlCmtub3cgdGhhdCB3ZSB3YW50IHRoZSBuZXcgYXBwIHZlcnNpb24gdG8gZGlzY2FyZCB0aGUg cHJldmlvdXMKdmVyc2lvbidzIGFjY2VzcyB0b2tlbnMuIEJ1dCB3aGF0IGFib3V0IHRoZSByZWZy ZXNoIHRva2VuPwpUZWNobmljYWxseSwgdGhlIG5ldyB2ZXJzaW9uIG9mIHRoZSBhcHAgd2lsbCBi ZSBhIGRpZmZlcmVudCBjbGllbnQsCmJ1dCB0aGUgY29yZSBPQXV0aCBzcGVjIHNlY3Rpb24gNiBz YXlzICJ0aGUgcmVmcmVzaCB0b2tlbiBpcyBib3VuZCB0bwp0aGUgY2xpZW50IHRvIHdoaWNoIGl0 IHdhcyBpc3N1ZWQuIiBTbyB3aGF0IHNob3VsZCB3ZSBkbz8KCldlIGNhbiBwcm9ncmFtIHRoZSBh cHAgdG8gZGlzY2FyZCB0aGUgcHJldmlvdXMgdmVyc2lvbidzIHJlZnJlc2gKdG9rZW4sIGJ1dCB0 aGF0IHdvdWxkIGluY29udmVuaWVuY2Ugb3VyIHVzZXJzIHRvIHJlLWVudGVyIHRoZWlyCnBhc3N3 b3JkIGFmdGVyIHRoZSBzb2Z0d2FyZSB1cGRhdGUuCgpJJ20gdGVtcHRlZCB0byBhbGxvdyB0aGUg bmV3IGNsaWVudCB0byB1c2UgdGhlIHJlZnJlc2ggdG9rZW4gaXNzdWVkIHRvCnRoZSBwcmV2aW91 cyBjbGllbnQsIGJ1dCB0aGF0IHZpb2xhdGVzIHRoZSBzcGVjLgoKRG9lcyB0aGUgT0F1dGggY29t bXVuaXR5IGhhdmUgYW55IGluc2lnaHQgaGVyZT8gVGhhbmsgeW91LgoKS2luZCBSZWdhcmRzLApB bmRyZSBEZU1hcnJlCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fXwpPQXV0aCBtYWlsaW5nIGxpc3QKPGEgY2xhc3M9Im1vei10eHQtbGluay1hYmJyZXZpYXRl ZCIgaHJlZj0ibWFpbHRvOk9BdXRoQGlldGYub3JnIj5PQXV0aEBpZXRmLm9yZzwvYT4KPGEgY2xh c3M9Im1vei10eHQtbGluay1mcmVldGV4dCIgaHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFp bG1hbi9saXN0aW5mby9vYXV0aCI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5m by9vYXV0aDwvYT4KPC9wcmU+CiAgICAgICAgPC9ibG9ja3F1b3RlPgogICAgICAgIDxwcmUgd3Jh cD0iIj5fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwpPQXV0 aCBtYWlsaW5nIGxpc3QKPGEgY2xhc3M9Im1vei10eHQtbGluay1hYmJyZXZpYXRlZCIgaHJlZj0i bWFpbHRvOk9BdXRoQGlldGYub3JnIj5PQXV0aEBpZXRmLm9yZzwvYT4KPGEgY2xhc3M9Im1vei10 eHQtbGluay1mcmVldGV4dCIgaHJlZj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0 aW5mby9vYXV0aCI+aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aDwv YT4KPC9wcmU+CiAgICAgIDwvYmxvY2txdW90ZT4KICAgICAgPHByZSB3cmFwPSIiPl9fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCk9BdXRoIG1haWxpbmcgbGlz dAo8YSBjbGFzcz0ibW96LXR4dC1saW5rLWFiYnJldmlhdGVkIiBocmVmPSJtYWlsdG86T0F1dGhA aWV0Zi5vcmciPk9BdXRoQGlldGYub3JnPC9hPgo8YSBjbGFzcz0ibW96LXR4dC1saW5rLWZyZWV0 ZXh0IiBocmVmPSJodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoIj5o dHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoPC9hPgo8L3ByZT4KICAg IDwvYmxvY2txdW90ZT4KICAgIDxicj4KICAgIDxkaXYgY2xhc3M9Im1vei1zaWduYXR1cmUiPi0t IDxicj4KICAgICAgPGEgaHJlZj0iaHR0cDovL2Nvbm5lY3QubWUvZ2ZmbGV0Y2giIHRpdGxlPSJW aWV3IGZ1bGwgY2FyZCBvbgogICAgICAgIENvbm5lY3QuTWUiPjxpbWcgc3JjPSJjaWQ6X2NvbV9h bmRyb2lkX2VtYWlsX2F0dGFjaG1lbnRwcm92aWRlcl80XzIwMjdfUkFXQHNlYy5nYWxheHl0YWIi IGFsdD0iR2VvcmdlIEZsZXRjaGVyIiBoZWlnaHQ9IjExMyIgd2lkdGg9IjM1OSI+PC9hPjwvZGl2 PgogIAoKPC9ib2R5Pg== ----_com.android.email_2956891593283311 Content-Type: image/png; name="XeC" Content-Transfer-Encoding: base64 Content-Disposition: inline; filename="XeC"; size=80975 Content-ID: _com_android_email_attachmentprovider_4_2027_RAW@sec.galaxytab iVBORw0KGgoAAAANSUhEUgAAAWcAAABxEAYAAABZ0L78AAAABmJLR0TIyMjIyMhnRJJpAAAACXBI WXMAAABIAAAASABGyWs+AACAAElEQVR42uzddYAUV77w/W9VtY67wuDu7u5uQYMEhxAkuBMSLBA0 IWgCCa4JDoHB3SHI4AzMMMO49bRWnfePe7mzz+7m2eyGvbn3efvzz9DVVb86p7pO86tTp05Lly9f vnz5shC4ubm5ubm5ubm5uf0m3bt/1KhRo0aNGn92cdzc3Nzc3Nzc3Nz+Z7ly5cqVK1dA/rML4ubm 5ubm5ubm5va/gTtxdnNzc3Nzc3Nzc/sd3Imzm5ubm5ubm5ub2+/gTpzd3Nzc3Nzc3Nzcfgd34uzm 5ubm5ubm5ub2O+j+aACr1W632f7zhQw40JEEUii7pAYgxkhhkh9oB5zFHWFAjKWodQOI0pauqeXB VvNt0isv0K8L8Pc7BsbcoGuRs8DV0XzEfBGU8VwwHgfpW9LZAeoSuZj+NUiHc3/O+BKcHa1pWUPA eC74WtQPIMbaYi1J4Pj42aE7s0GskRsoB4B7rpXqYNBeZ6/KWAbqIWmU0hG0XPWhuSBYP8pc4IyF 3GHZpTMPQm7RnMjsoZCbZOunZoHF25FuuwSW59b82RvBPtA+1doT9M+8N/jZQJroHeKXBpaEjFOZ mZCzMpOUHuDqJK2TK4CoSiddVdBmeX4fkB9sB3Nzc4+B4m8qbL4HmZPTPdK/AY/TIXciMkGLV370 eglmL88o750gTDw1VgT918bN8kFQv3DV136BGoNqfViuEdSQKhYLfw5aKddi1z2QNoi2RILwl4LF JZAaYyYIRC4uXABI/8cHqfAfUxLeQ0IGApjABNDNlZYqA+H1tcSHqRvh0MYzHS5vAGHUP3eNgl5T m8xu2Bick+WlUiRoe8RsPMH3uec3xnwgL5P85b2gu2bqbj4B0TNPJh1qABn5rDa1HTxJSFpyaRl4 vQ2endML7A8TPJRf4WHMm9LP14N0TdfOthmymqbMEFcha2DOWJ8J4H1L96XhLgQv908qcB2K7yqU XXoDWLvZJ+oWQ2p4UmBuKEQ1Cl0phoJ1vJptmQIFj3jkRlYHv34FPoucCblNrU9TPwc/f4+Ogfvh UuOYzw7sAutKtWtKYxgQ0WLgzLng+EHupnwMZbcU/zh0Mzz+7NnX2eXh0JhL0ctnQ5aP1XK9O3i1 l0f6+kHy/aSKPt6w4N6UqFWz/uxm7ubm5ubm5vY+vL8eZxmBBmRKJvyA2mjiAkjLxBuhgjRc3JJ9 AZt+q7gIzoepSxObgzHAJ5/XBdD8tY+1qkATXUnzV6C/IKteZ0HzEzHqChAWMdMZCMp1KULUBs57 vfbvDIYvvOMDPwJtiusjx0UgWtTVqoKQXbvsjcHpk+QXuxfUj3M/Su8I6nBnM9unIBZkJmVPBsew zCNpN0C6qDxTZ4NI0F2Xu4Oy1nDXMBQM9U2Z+oXg6fS8bj4M5mPmNR5VwfCxbqL+FSierjTHJ6B3 CsU5HEzrTJf0JUD5QAqTg0De5DrpCgCtorOSrSgondVP7HVBn8gkVxCYeum7aJPBmOph89oA0khH HXs38B7qedQ8BcQBtZyzGQStCekacAY8l/scCTOBzkuv09+Gx8Njcl4eBcs0S2WbBvKHyjjxK2gD pM+lEJAWsIswEIlSIBYAxF+lzP9BBQRQVApFgFSTOtJGcLYWr1zPIN/scG+/etDP0r5b00NQ/2CF 5DLfQdBPQQQY4dLgG/q7n8HDYc9b36sKWfnTB1r8gBvyYrkzGDoxVvoazI2830SMAiVMKWXXQchb v6+sFrApWULvCVX7lNjerhX45UgJRU5C5tHU/YFp4DvUo1pgeSjUPrBbkTXgzHYULSpB1vnsXJ7C /cIvlDt6KLQovI5XGyjsiLCULQ83pzw4nDES3trTt2TMBN1+acTruuC1Q67uXAlvaiQdevo93Cp3 v+ZPs0FbaWntXwjCwj0adtoGuubGPrpB4HXaPEoXBUnOpJUZL+HXT5/5Hr8Cmc0y+zyKBlfr7LSc HEi7mzAqoxDkjrK9dEX/2c3bzc3Nzc3N7X36wz3O/8WJhACpkLBJQSAu8UQsBa2udFd8AXIl/TLl HKg7LfHWSsBV+TvDHJDnGdrr5oMySRmqXgZxV+4taoI2UO6nlQYpTKzWjQHhrwmnHqQxzkWWISCV 0k/xGATqF2K8ywpa2fgGj6qDlmi/7dwG0q/yQt16MJz1HOo/DZyHLOcsySCdcRVU4sDl7+zjnAiu T+0N7J+BGqE0F3XBsEjfUu8Bhm1eZu+6IEfZhjtmAor9jq0NeC2UWkmnQDovWyUjqPNdk+2lQP9I vkwAOLbLY7T+YB7jYTbHAOOy81l+BrWSNk2bCWKZzZzdC6RNWpCyApyqxZQ1ATyLGAZ4rgIU7K5P QDtp3ZT2BWCQr+qjwDokR35bHfRLPQ4HB4BvUkAR/9mQeTfdlr4EXox99Vl6EFQ8UbpFqC+4XroG aQD95E9YAGgiVVoCSMgilv9Ikv/PBFrCAGgilqsgHkll+Qmk++JrxQJajtpQmwPWJ9TUXkExW8FR +c2Q0C31cFIZqNGj3O6iXSCsZ0BqaBLYNPWQ6yxk/JJ1z/EVPBiVWujZD5D2pe2n16Xg9tXYyPsd IeUbS0KKN6j3sxdkp4JPqL7o7XTQp/htcq6HRssKdSxfHVzltIJyApwdfffsExPI23Tfh1QCqTRJ xnhouLVSmcY/Q6X5Bb2rvIGsu5HHEi5C/S9qSd16wv3PY94+fQOPGz2w7HgNzwPtGxyXIOOlPvD5 EPCej2qaBdWKlb3QsBr4fxqZ4h8L/q0D/b07QdrSt0Mzx0PKukyj+BqerX38cWIVEA20o+bJYKuT mZF/LrgSVJ/sBMgoxc3XnwJQ/89u5G5ubm5ubm7vx/tLnGX+IxnzIwsTcFBqynPQtRAj6AGuYO26 0wDKKnFW3ADlVpHyxXJA/UosdN4G5ZSzZ+aHIMbr+5t8QX6upYjOIGrJbXR9QOonxzMHtLicqekK aJdyOyR1BN0+fSWPHLC9UmPFCND6JA+LbwauHOtCWwYwTfpauQFyX6UJJ4D8hrHed0H3QDquLwPe e71GK4XB0daxV+oGzkLacLUTuBarRfEGw3qx05gKrj7aQHELNDvB0lTwKupVRdcb7FnWVVnfgnzd ucuVAp4llQPyc5Dvmq8aI0EuqKZLJUBaa6/hbAjWvc4WtiLAFqm30gLsU3L0ljugT9ar2YeBOx7n gsqBsZurV/YQcJ6wv+IZZLqyP0ztBp6VA/unfgH60mFaySPgPd93k9/P8GD54/j4VlDy68I7gkqA 7gudl2gP6hTxiWwEuY7kKX4BcVfkogAKEtr/8QkKnIDAl0LATFFXvAK5qawwEHJic6bYasCVqbcq 3eoCCaUzzsTdg5zaOW+0jlD5bYWPS0wBUw+PBkGh8HJpQq/nveA766Efdu4DXVXdodzt4Jqq/yal DxT5NbB3/iS4P/f5fZ8l4NjnKmR9Bd43EqvfqwgRwf6tS30GGSfszVN9oNC4gBUNVsLrEW9rHp4O H65v5mreC3xS7FsNY6FMVCnPwmsgpnh86mMfeJ0Yvz82HSy3bd9ZesIL69vCx66Aa4NYoESDf1lr SsIlEFusG8O/gFJ1SucvtwqCAoNG+JwFz190mvUxJG6Mv56ig8RtGV+/ioZXckLEs7kQFBt2mV8h c/XzsLS1wCG9XToCmaUyThk7g3zXp5PnJKA6Y/7sRu7m5ubm5ub2frzfxFkG8RSXeANSWSJJAWFj hhwC8if0lBaAqOzVw7wTpMsc1U8GeaBslRwgPza0iQgEKQC9LgvEHHzZCZJLHBf7QBuXG5e8GHim C/L2A/myx+WAL0H1z+r6eihIFqmaWgcUNaBc+CzQfkiwvMwEramrkToFlHue1pBY4JZJ9bgJIi33 W3UiiHLqZ/ISMFilV1oMSBFatpYIUo69oMsCrnzyUOcKUBoo5eV00B3RcpVpIL0UT8Q8EJIySz8c OEMt0QrM6aKT1hrUBLrKJUHuZX5sugfyAuVbnRfgsoaJ2mBt62qrzgItWdqkfAa2BEuwbQEYTuPK XAfKRt14XoD5meGpuQuk5U9faykMuu95qW2ELKvU2RgJPoHBT6MkyBlqbeO6Aq/1cXLaPCjWulj/ 4Iqgpth/UUNBPJMW4Q/YgL/3A+sSoAEqmlQIpL18IdaAOKb1EN+B+YRpidEEzYPrPKm5Ho42u3Dg zgjYfeT82h0H4Rj3lp3pBjVuFB1eagvomkmqrxXyj/AtFBYNZfYUrlVxBSQXzZ376gq8kVODf6kJ wfX9XzsLg+Oi1NC6HPxrm0eaPwbFO/teZgrEnHo71NUbLJ7W0mduQ5kV+QqE34O4fWlX7qfCwNNt P+4TAmujt+p/DoGUnrb1jwZA7dgSJTuNgifjX6TefwA5FcRBz2MQOcirr+4K2JpkVfF8DaU8ix6v +gtU+rqAqcRaMP9g1HnmwtvliTXSn8PLEon7bu6BQzduTN57CEIe+uqcZaHBqSJBLWZARJL/hNoW MP5iKiVVh8zX/t0ta+BthdxzcTX/DS22MpWpDEfnHZ13dB7s9N/pv9MfnjR60uhJI1BXqavUVVDk yyJfFvkS2h9sf7D9Qeic0jmlcwoo1ZXqSvV/Q7nc/q+qVq1atWrVf367Kc2nNJ/SHLrM6zKvy7y/ jXPixIkTJ06An5+fn5/fHy/ns53Pdj7bmfe6YMGCBQsWfP/nzb+7Hm5ubm7/Lu8vcRYIZMAohZAC Ik48lj4FjjNPTACpj3JBrg5Mkqb4BIN2Te2cswWUHKmOUgsYKdU1jQDxQqRIs4Bm0lnWgrgrbdbO gxRmOO5ZDfhE2W4qBtoVxxdZPwHztWDxCcgFfEWgJ8iWcE9zKshr9C75DLDJNMtzPUjn5S3mkuD6 MuMLyxIQA+1e9oYg9TfGKgkgqfbjrhBQfrFb1c1gD3fkd3qD6rRfd4wGFqtbRXnQTZFKKmaQvtBN knqC1MeU69UbRIpor70AVwM11JUJ5jXqCTkXXLf1hZRFoCzSXVIfgHxMaizpQSuX29XeG9Qnjr3s AeN4XY55Eqgxzsr2EZC9I3t4alMwq16D/BqA7wJfp+cOyJmR1TH9c6B4SujLUWCfYaxs9AbDS9/8 kdvg6dpXkanfQeHThfcFh4H0g3RdVAGuihi5HFAWSbwCPNDhB9hwYAUEGiaQIiQ9GojD4i4CyE8/ +QEoVXQfizng3OPM5/gVAgf6SmolaORVoWHUBrCMNqx6Fg26WtqJmJEgNc5MrpgOVfqX3VmjIvwQ 9kvzn65B6OjQ/qZqUGNE6U/qDobWX5Q9k28ePC6cOflNEuz56Nil76uCYZxyK6kYWBurgb6z4HbC Y8+AB+DXw5DquwZiPJ9LV/bD1923bTY4IKi7oaM8Daz9Ml4G7ga1pCJST0HEm4B1RaIhZ6DlfNRR sMiW+heag6m9hyzVgZsFHze/vAGe1Ik1xBQHuYU5w8MM8Tff3k7YCOGpns8CH0K5lIDDTa+Db5Gg SnF9wd+Zr33JpaA11ZVMegG57dR1Fj/Qh4h9D7dBStmU+MSLABR7nw124amFpxaegp1NdjbZ2SRv ud6ld+ld/Fdi/dDjocdDD3jY7WG3h93gRtMbTW80hQXDFgxbMAy4yU1uvudvE7ffLWRGyIyQGaAM V4Yrw397PY8xHmM8xvz3lav7wu4Luy/Me/1fCS1++P1ZB8vNzc3tf5D3lzjDf/Rk6oXAC0jnObeB l1jEGqAcYZIZRKiWpo0BbbHLO3ckSJPkw2YLSLOMh/gKpCVimboQRBrBIhCEQa6kqwxSVWuvrBxw ybTINYIyx2Okb1+QWvtd9u0FuhtyV7kfiM2uWdo2kPYUqRxWBqRSupK6QkAPdaPLAko1mfg6YD/m nJPyATjDM/tlx4ArxXLEFQjWqtYbtj6Q+7V1Ze4rcPm50kQ2SF9LO3UtQFkun5MXgbGeoaKxP4gy ht7SALBPdCY7N4B0TJ3vqg1qea24EgJSLa2jqA+yQ3rkagSuIY7higSePiab0Q6u7fat9j2gHXUV dP4K8i7dbP0isMXavlOPg10vQrJLgumkT7ruDRjL6H/VTQHF26nYt4N9cPqk+Gfgdc13QcAOsJ62 VjeVhqy52RdtaeCT6R1vuAPqHnW2eA00xEEdEIXFTO17kHKlLdJL4KS0XMoBkUG4uAdo3KEYcJ6m ruGgnRWxyimQL7DOWARSO71Nz7SAb3F5jsMA6gdSg4xsSAvLUKkAqj5zxP10OJx97fTjC2B6bZJT 6oDhkT4trCCkF8+eb54MZ1onHbSmQeKy1C9v74bkbGe7FDOoHXI+E15geqhVT6sF2kXboMRbIO4E 9wypAOVTIgfUXACOU9Y9rk2Q2Vl2OTtAwaMRA2sPg8eBj/fF/whhoYHL/ZtA0oDsRWljIbmaJSyl JRi65h53zIBqbUt3b2wC+5PshEAveBuT2SqmO0xr0MM0wBd0bfSTzZ/Aa2dyy6zyEGN4efz4Gfjl 4uXJ2y5D07lVu3wwDHy+sUeHPIETda/NvFkTspdorz2/A/by1ftoWqdPnz59+jTsHL9z/M7xYKxt rG2sDbPiZ8XPiocm3zb5tsm3IJ2Xzkvn4UzmmcwzmTAjdEbojNC8BOic9Zz1nBXqUY96/z3fMW5/ x9YGWxtsbQB+b/ze+L35s0vj5ubm5vZ7vc95nKX/vNVvkQoAHlJZ0Q0wc1+aC9IrSin9QQ11zEyt DQy1mLI+BlmQrjsBWl9ayuEgnRFD+QrwkA4px4DCtl5ZD4E4ndX8DJQ1nt7+HUGqq5tq7A3SMZoo Kmj5tBznVVCfyW8dD0DerJ1lM7DRMccxEUQV/J3fgzPE/io3BqTq4oE6DXT5dXcNTcF2LaenJRsy 66ZmZSwCu2YZ49BAPFCzxF3QTZTTlfLg4WP41ZwMnh8bBnsUA31LqaccD9plcYuFQD9ls/4X0IUY wkyFgbbSR/JCcM1xZTg/AP0n+vPyL2BsZDQpTcFrojnB8z7of1EKGQJArFEXqg1Av19ZK/uBtt1l t+vB7mXxSLGB7JRvucygHZIaacfAtimrZ/oRSLsbV+zBXlCzHNuseyHnC8tDxwuQtkiZUkvQlosL 6iXQ/aTEK5vBbDCM8qgOynzZZFwBbBVBkgdI5cQC6QBwmrbkAgNFqPwpsFQaKvWHzCrZB9PjwHzB XB0fyC6oF0lGyBjqMKVdhJdpb47FLwPXfHlKbh9In+sslngeCmzyG5J/H7im51b0leDBh7G/3giG o89vttr0KbyambzjWSFoUqbYxkYfgyFSMvt2AulXw0ytIZgyfFvojeBdnbFVj4HrLFUyEyB7mnP6 k7Pw8puElkmR0LBKRUvYVShxwa9IsAy6o8oHt6dDZGjAVUM0GMfZPQNHQtsStTNaeMBY70GFBi+D wDch33mtgSZTaxSsfBAkh9c6MRYO97184tAW+PlUdLOVP8Kjwq9Mr9dC4Xmh1QKPwZNdj1+eOQOJ tsRvbjeC6neKTy3VCgqeCNjy6tn7a1zbt2/fvn173uthw4YNGzYMmu9pvqf5nrxb6fJwebg8HBo9 afSk0ROYtHPSzkk7oVVIq5BWIZBzJudMzpm/jR+/P35//H4Yt3Xc1nFbod7Deg/rPYR6HvU86nnA hMYTGk9oDAntEtoltPs7BfzPnu53PeEdO3bs2LEj1KxZs2bNmtDh8w6fd/gcdkzcMXHHxLz138nI yMjIyMi7hf/u78N6D+s9rAdd07umd02HTQ82Pdj04G/3u3nz5s2bN+cdj2YBzQKaBcCpYqeKnSr2 t3Hf7e+91f9/iH+2HupV9ap69beHkjRt2rRp06Zwz3DPcM/wt8d938x9M/fNhK6FuxbuWjjv8272 otmLZi9g0clFJxedBFtpW2lb6d8u9y35lnxL/ts4A64MuDLgCrxo9qLZi2Z/vL5/+Hxzc3P7/733 1+P8boxsFhACUl3s7AKG0kN0ArWz1FJeDDI8ZSmod5KeP30N2ktzZkhXkD1Nc6WyoNWjIqWB/uKm 1B+kqvqOnoDkaTgo9QDpsfa59hKwawHqLhBN5FO6AoCHdkHqC1J7qigPgUS5spQBDBcjdYOB0apT GwbSNq9+AbtBP8gvI9QO4iPRT90K/hOD24TsBPOs1JYZ+UE7Yl1l7QhyojSVDKC4I962D3Rt5KLK erB5uqKEF+SMs7d3NgJuOqu4/MG1RRvriAGnQ72iVgWeiq1qNCjlmM4HIH2p/GhoBIb9tNZWAxZz MBHg6uG4oC8M9KaBKQMclZzfOxaAtkCMcpQD123HMmsIaD84r7h8QTqpK24oDcau5gyfc2B7kl4i qS9YXqcVi/eAzG+y4iP6QMFC+ZoFjgDlNlP0n8OrOxl+cdsht1Nu67hn4HfV44rvAgia7l2+6M/g 6sZ+VwhIZUW8XAQQ0gj6glRXC2Y5GKqbdAZ/iFoVllDUCywrxXHxESTeiPnl1WAILui3xloQDI08 +yZrkBWUNtnmB5eWPB6YvAuMQ4w1Mp+BZ3GljecbMJ/Tpum/gqBWprOVPwTxiTJP0kPAAY+eAV+B xz4lI/8xUG+6soxfQ+UllUuXegxKhLS54AU4N+BCqQtToJNX1cTm3aBMi6rHSv4MLyyvL2YNhZTc V+WFL/idDf0lcjL4hHoce+wAwzDTEE8Vfni023noNNzbHFvryhHISMpc6LcdNrQ9lLGzAPj7+Xfy 7gXFMqNa+44AbVhODc0B5qYeB8Oeg+6Q/ro9DX6JutryRCUwJ/rJvsvAXEO3wb/BH29WYrAYLAbD nR/u/HDnB6A85Smflxj+I+0i2kW0i4B2h9sdbnf4b9/PXZq7NHcpDI0eGj00GhITExMTE6HOqDqj 6owCR1lHWUdZOJV1KutUVt4QkO0523O254CXl5eXlxfs2r1r967dsLDbwm4Lu4F+mX6ZfhlU1ipr lbW8xGhR/0X9F/UHebe8W94NXelK1/9L+SfunLhz4k5IaJbQLKEZ8CM/8mPe+wcSDiQcSIBly5Yt W7Ys7wKicGzh2MKxMGv/rP2z9gNLWcrSf1/9/1kfffTRRx999Ntjh0uWLFmyZEmY23lu57md/3G8 f7UeW4puKbqlKBToXKBzgc4Quzd2b+zevLj58uXLly8fGBoYGhj+4nz+6eeffv7p57zyGWYZZhlm QRW1ilpFhec1ntd4XgN2RO2I2hEF2cezj2cfh8/5nM//TvmnT58+ffp0iCCCCPIuAO+OuDvi7gj4 3PG543MHbGADG97D5/avnm9ubm5u76/HWQMkkPLhIgfEtxSgDYjqLJK2g/whIa7LIG+Q95lvgWNR bqHcKSBuqCZnAMg9pKdSFRDbSOAIEClVEdNBOiG/UJ6AeCoqiZ9Ba6J9px0AFpEi5YBk4TppQB25 tq4QSEWkFYYI0OK1gZIGUjlRXAsFJUCKNI4BZbb/es/WQGkPf/UjkCv71DHYwayFnDJFgnmheYNr FXiPCuyjJIPxsddXWjGwNXCOsgyB9Mnp5ZOPgeV55uS3XUF9LQo5C4C2mm3qcHAutw9xfgmuz9Xb oh84BgqTVBbEZ3JRuSsot+Q1uhVg/sq4w9AW/D73auc5DnzP+qT6TARTC2M1szcYhvsUCvgJtPXa auktyLtFSWJBt06+jweIVa7uDh2olezfZ+cAE5TRpnqQ8WuC/slASN2bWjetOrxIer0ucRkcn/br h9+1gM2nj/VbvgWWf7/92PdX4Yfo6Gk7KsCrAUljEpNAf1Bs0X0Lao7oJ30GWmstiaJgqqe7qisH 54LvZF7rA7eqxPV83AaY4UpXfgbPEGWU3xowe3sWMY4HQyF9uGKF1Onpm1KiQdmtzDAcBc+p+ob5 ukDudMsMz2EQnmGS8m8F/+0+0/SxYPzK3CnnDLRZXn1i1b6ghnAz9xaUOVq0j197OFn/fMiN43D0 +NWPz5+GOrPK/9jjGpwbcKfQ2/Gw/ouNh4+Mg5f+sZNjJoIx2NjAyxvUMvJK+zaosqzEyFbTICXt 5eIcFS7l3GpzvinUT62cU+QIBIwKdBVbCuZ+xj2OOWCpYO2ZPhCezXwxKn4axFhTuj4Khgs3Ht7c cxouj3jp2rsA7JGipHoWnP2thdKvw8vFiXrllz/erCxLLUstS8FZ3lneWT5veVBQUFBQ0N+uv8Sy xLLEkvcw2V///eabb7755pu89Y8kH0k+kpyXeHzwwQcffPABLO+7vO/yvrDq6qqrq67mLX+33qHP D31+6C8yoE0PNz3c9DDv9bshJN9W+LbCtxVgZujM0Jmhee9vbbi14daG/7j+dUfXHV13NOxvs7/N /jbQ5ViXY12O5b3/44MfH/z4Fz2C7xKwbd7bvLd5wxAxRAwRvx3/fdX/nxUXFxcXF5eXqP7133f7 +b3+1XocXXB0wdEFsGfqnql7pv5t3I0bN27cuBGKLy6+uPjivzjudX+s+2PdvNez281uN7sdrByw csDKAXl3APR39Xf1d+HY3GNzj80Fm81m+68fzPoL7x6C3PV81/Ndz2FFmRVlVpTJe/9B3Qd1H/zF /v5dn9s/Ot/c3Nzc3u8YZxlwoYjnQBDp2ACFfaSDeKEdV5eDmCFmOjqAYY7PrJCBoHymtJHLgVgi +ojxICVJaXJlYKC4J2wgnotHohtwnSbyWZCDFBuBwHw2ikGATTzTKgKRCGUQSEVEPdECeCh/pI4F rTPl5J0graKHGAHUzyger0Gu9rzH/YfgyE3flFkPLPVet035BLRWunBPb9C+NKV7XoDcD7PbqF+D uKCNMRQA2aDrbowD5zC1quM1kCHdsHmB8wwhSh2QzvjpvfpCysVsKTcHssOzMlIHgW1u9qqsE+D9 uWmAx1iQKstL5BJg8leW6z4AuZvujNII9LL6i2sG2HroHfpC4NrBN+ImGDe55jhaAjWVMkSCyO96 JXcC+13Ho9yJYPpUv8gYBUqslmbcAzkjM6Kzt8GO1YdeXDwJ966lXV9fEzxOG6oX+RWUHuqCqFZw q9f9clcmQO5YW459JUw62H3Q7CJgaCuPUbqA0lzXQ9sID0rGJz2ZA7pxxhJp8SC7NO+MXXBv3stN t25B8mWbZ/JiCG2p8/aPAdvknKm50WD81uuucS34ZXvsdc4Gj1rqIf02sF/QHbZNANPpELvUHwxz TJPVOEj0tByLrwxZca7kN6+guldRtdU+8NykO+BxAWp1KNf1/jG43vnXw9ZbUGVy9QKG+uDoy9QS QeDnbdqf5AvFFpUtXiMd9r+Ifr6pCegmEJkSB5kfG542NoKzh/VX8RYKXgqtV7gqxHrHn8ztBecS Hpe86QG+Qeazxhlgv24tlDwTtMPqbMMM8O3hddTSAFxl02e5RkPq106jaSY4L+umaycgo5P9YnpZ yCmQW87YEoCMP9KkzA/MD8wPQFonrZPW5fVAp3dN75reFYJ/Cv4p+Ke89VOiUqJSoiC2UGyh2EJ/ Gy+lbUrblLZ5r+//cP+H+z8A4YQTDrt37969e3fe39/ybjtrgjXBmgBvHr55+OYvEueGYxuObTgW aElLWkKDLQ22NNiS9/7rkNchr0N+O5F6Z8T3I74f8f3f9uy+2+6vb+E3ndR0UtNJwCY2sSmvx30Z y1j2f6nHv1p/FrKQhfzT3vcsEv9d9Xg35OLd5/dOLUMtQ62/GMoR2DyweWBzuOS45Ljk+Mdxa/9a +9favwJtaUtbKNqtaLei3YAAAgjIG1LyvurbYmqLqS3+zoXCb51vbm5ubu+8z+noBDKIF1IY8SB9 Jr6VuoMoILUT20CLoLEcB9IXWrHcBJBHBNyP9Ae1h2ihHgTdMHawBMQZMnECh0kWj0HazSQpBcRH klHoQERQXw4EiooB2jyQ1lKVR0AMy8QhoJL8NUtAlLQtzN4F3NS/8iwEsqoMlvtAduFngU9KQ5Lu VM9LvmDd5DCJr8G2xvCzeSy4fpF/tDYEg6p4W/KD6Yjnp/6+INfWj5Lmg+Qn6bSXoDilpror4Fqv fm9YCaZCPt+av4H0/Nb4jJ6gK5UzJLM/hC0x3jSfB2t51yciH0g/KIV0V0B7KYKJg9yBFs+cKmDr llk/czpkj8z+MuUZWJd4bPFuC/YPXN1cL0EMcupyeoDHeWOE70sQUaKcOgB08/DiMzCOsj/JBZRW 8nKnP+gK2/rmzIXAQj6FgmuCbtSbx2WbAqla1+SvIOzDYKNrIjhvGse/Hg0vtj2qY8sP32zatPCH ZjDwZOe9nctAYsuEh1lr4UZYQujtCIj+7oXX/Cfgs118HVAI0h+kNLYPAaWBcl9eCHHB0gClFZhS dDXMHaHk2RJfma9CRsPkA86fwXgpeGZ2DJSqLQqo3vDmg4TabxaBMUE6oA8E76Fe5nwvwKFaryv3 oOnyehkN94DfLK9A/0Lw5nbapuAXUGJRvra6PfBG//qCZQQ0OV8rueBWeBTxqK98ESqMrT6v5OeQ u87+1Yf14Hq3mEmvZ4B/paCrPvPgqRYz53oEtNzRdH3fFXCk/rUB90KhQcUiJfU2ePxFXImH/cBj hnmc9yFQDulSH8sQ3F6/zdIQkrrqSnjfAG2omOoZCtJa9WbOPpBdynK2Q2Bb0w5RGzj3x5rVu1v5 pS6UulDqAjzgAQ+Ag7MPzj44G/rTn/5/sf681Hmp81JhHvOYBxw8ePDgwYPw2WefffbZZ38b33bR dtF2EehCF7pAwJSAKQFTwPuR9yPvR79dLtMa0xrTmt9fD+mmdFP6e7N4vBvrfJGLXPzbt38rgdFW aau0VX9n+WBtsDb4L47fMGWYMgzwwQefP6/+/27/XfUQVUQVUQV4yEP+4kJJp9PpdH/gf5N3QzP+ y7tZX5rSlKb/ffV1J8xubm7/yPucjk5CAP4ilQDgZ2RigLsiUmoLUgBfacVAbmGuEPg9iH1yoZyT wFJRngOAXptFOPCYKRwBMQo/IQEtCJOXgfS9Nl87CuKMMGpDgA7KWLkPiATRRooHaQlntMEgPlHy G1+AmJQbn3EDtH45vWLrgfSD91Dvl5D79MbDW8EgdntX9OkLjiR1l/4Q5J5NbZmZC5Jd6pPTFBwr hGLZDRm6jOrJe0G3Wv5emgy6R8otgydI/vIi3RfgMcf7pd9WUGbntvCTwbQ6JzJrAAR+Zy5uHAau EF1z/RZQguSOylGgj3OKswcYhslR0hwIPGq441sCXBGeZ429IPes43v/XyB1ra20/hYkrXTOs0aC rVhKv+zjoK102e31wJQoXTVdBsN66YLYBR535bJKOTA2cbrskaAuf9D7+iDwtpecWfwM+GwLn+78 CJIWZc6ze4LjTGbvnAjIbpqgL3IVSnfPX7fZIAj9zrtsvs1wcE30uuhOkHxd+sr6HbyIT5h5aT4E 3PYZbPwaCn4ZUN/bAi9d2hspChwWl8ZOKEbw+cqn4dLqmCWXfCDuRdqD3IUQtlhf1+8rCBkRsc78 KRgXy/XrrgQmKOsTa0PcxMzqTxpDAT+P6MipUG52mLHmRYjb9KZm/DW4MyVjxauq8GJ0Qu3kDVBg WqHwoC5Q/If8Z4JugH8xf9lvC/hXCdiQ+wmIlnJXXRIU7FLqx4L9IOUTy6dyInR43bpV+XlwdNLB AsoTMCaaZluHQ13/qgOLrQePq8o2509QunzJy8FdwS7ZLxoC4aS40uLlPLCvllube4H+K2Nv6Qno SjnGZQ+C0Jc+DQMkeB1lqxB/Awp+7XPe9z+GJrR4H82re3T36O7RMItZzALWVl1bdW1V8N/pv9N/ J7Sd2XZm25l5Ccgl5yXnJScs279s/7L9vx23YOeCnQt2BiQkJOiUv1P+TvlheJfhXYZ3yVvv8bjH 4x6Pg5cvX758+RIKzC8wv8B8MPcy9zL3gvCE8ITwhLyHsE4vOb3k9JL/6nDm9OLTi08vBlrTmtYQ 2T6yfWR7MM00zTTNBFuGLcOW8fuPh8cmj00emyA4LjguOA6So5KjkqPgZPeT3U92h3YJ7RLaJcCR o0eOHjkKdKMb3d5//f+n+HfV490dDnaxi11gvm++b74PYRFhEWEReUMg3s360rJly5YtW+bd+ejQ sUPHDh3z4p3scbLHyR7/c+vr5ubm9o+836EaABIqEuCUQtADe4VEQZBtfKdrDWKINMKjHijbDEuV NSAeCy/1C1D7kK3eB+mJtFrbAXJNsVv5FNgm0qRMECWVHVotkEeL6q45oC1Se8k2kJvK4yU9aBfE JN0GUGZq653nwFlfNFP9IMf3eo0r40HUFvOdp0CZFjEm2AuyCsTeTi0LydeSctKvgNrX9dz+C+RM SolOngbPRyfvz3oLWYd0awwdQTlkbOhZAIJeyB8bYyFfkLmIR3fQlTVLWbNBPqOLf90OfDP9JslB YJsohrrWg9RAP8m7FhgqGNd47QX7Y60nXUFtKTcwbgFDR+Np43SQL+kNehNIoTqT4xswxPk8MpQF U0NpfOAkSMhSV1i6glbFLqUvAs+rhqoiFcw1RCWpGpjfykvVvqB8Is/X7wSpxr0iMRch4LBfaecQ 8Pkw6lHcRYiNS3jw5lPInm+sm/Y5lCtU6nDHWuA73epf9AH86h0/5OE3kJSZ0eH6RDD4BquJ+0A+ I4137AP/Wt4nvP3A8ci6WXoBvoMMO31TITvFsUA4ICjTfNpQBMKHe+6NVCHxSawh/zowVAlabd0M mQvizz39GaIGBwcGxUDPnk1f9GwJx55eX7ytCLyckrXqyQVIvGQvlbEU7vfPir3yI2RnZ31j3AcB lXy+za0GZz45OTWuD2T+WGm3KxU6+jbrFq6HoI2BD7w/gzMDLv348CW0eNRYKucDL+Y87/i2M6Qs SrucNQ10ZQxh2k7w6+5f2icVPE4GLlU8Ie1ZYrrVH27Yr0++2whefJfZ9qkA/5H6k8GfgOWIc8sz BbyO6JJsU8DRUMxVZMjZ4+iSUQm882kdgj+A7MvKQBEBVHw/zarNz21+bvMzXDlw5cCVA3C4w+EO hzvAnDlz5syZAws8Fngs8ADZQ/aQPcDxteNrx9d5D5n9V0/sX/UUtj/U/lD7Q7A5enP05mj4Xv+9 /ns9PPF84vnEM68n8d00dtzgBjdgQ40NNTbUAHrRi17Qt3Tf0n1Lw5dFvizyZRGYHTk7cnYk7L+z /87+O3kPB77T19bX1tf2zx2D/8N/9kh2Wd9lfZf1sHr16tWrV8OcTnM6zekEW4tvLb61OLwIeBHw 4v/yEOX7qv+f7X3V4900h/aL9ov2i/DFnC/mfDEHxsaNjRsbB/lu5ruZ7yb0mdhnYp+JsChxUeKi xLw7GvvD94fvD4fnpZ+Xfl46L867Mfbv4v/p9X3DG9zTALq5uf0L3m/i/B/T0TkxASY8xUsA9moJ wA5pGDWBsqK2poHwlGKkZBClpfW6HKCZFC56grRPLOEisFeOlaeB+nPW4CdTwd7+xf7bniBPDPAv 9BHoM01PDSq47lh1tg9B931Y2ZIdQJP1VwJPga4DdZVK4Ih4uzS3IaQ9Th366hTgyv8s9FuI2x+X mNQN7N/Zr2mHQIwVJ1xBYPvW+jUm8KnkWc1vJhRsV6hakRQIjPW7EpkCnh2MX/mYQIrVZdEcnNe1 M7lnweptPZkhgFuW0OxIyN6WFp0IGPU+PY0xYIwzHZPbgO6RrqjcHKTb8mTdjyAdp7DUAqQW4rRU BXR91C1qNBClXckdA54vPQfI08AzwCfZxxNc53JOcgMME0WYownoF6sxtuNgfmo/rD4E/XSP9gEn AEVZlH4EtKvP+qXehJT8znxyY9AnGtp4dgdluaWFawvE9TWtv1AOCA64krsOPHZZKhfbBl6NfT/1 ioCiDU0n6p+Gxj5Vb1WdD6/L5TZ6tAW2lDtZfONm8PPwcgRfAFvF5B3Sd3C3sd3p9RV45tNuVh8J tVrWSXmUDEn5EqMze0LOgOyxrmx4vjtbfzEa1GaOaGME1N1a6kWjfhC+It6erx74GH3igj6EVFOS NX4geF0sPSnSA7Ia5wyLLQ6mfqablifgWmyPTd0D27/dV+3ER5DPkD9/uDcUaxvhV3AxuBbbf1ZH Qlm19PyIMfC81Mtjb8+B5zLvLw3FwFjA3MI7HPQbXO1EN8gU0itHPTA89itaehS0lkuMq7cJsrtk 1I2rCK9mJKvWlfBSzlqb4w2yJwP108Fkzylp/wEkX6/+2Vlg9iDLFPYe29Z/JoqzB88ePHswVIqt FFspFnZP2T1l9xR43ux5s+fNwGgymowmaLGnxZ4We2DMgDEDxgyAsTFjY8bG/G3YsLCwsLAwWLN6 zeo1q2F5meVllpeBy99e/vbytyDdkG5IN6ByxcoVK1eE4dJwabgEJXNL5pbMzYvTtVDXQl0LgTpe Ha+Oh62vtr7a+gpuHLpx6MahvP30ftb7We9n0OVol6NdjpI3puRf1L98//L9y0NO75zeOb3zpkdL vJF4I/EGTPOc5jnNE2a3n91+dvt/X/3/bO+rHkMYwhBg/ab1m9ZvgsuXL1++fBly7+bezb0LLGYx i6H7ie4nup8A+YX8Qn4B27Zv275tO9xYc2PNjTXgV9mvsl9l6Dur76y+s2D4sOHDhg8DmtOc5n9+ ff96OkI3Nze330v6jy9GIWrUqFGjRo1/PoDVarfbbPzXrBp4AC7gDhYkEMvwkM6CfIEfpQ+Azsx2 hYP2jbrZngZSrNxUbgFSQdnT2B24pfkr9UD7TndQNAX16+R7d05B7vAzQw6/BhGvC/ftCYZS4a9C MkAUzXqYsgDkAb7rveuDcUblVp29QKknfaxrD5mxZ2dcaQ7JvV8NiV0BT/3idE+SIHN++istPzh+ Ur/TEkGxqYG2x2D4UTYY6kNYo4DNAXMhfETUwsjPgB3KeF0uaD/LI6WR4GpBjiMcqGQPdE4AubO+ kb4H+B2NulKgCMQffXrm5TcgXZGny4NB3Jani5ZgK2+/ZVsGIsplUZeD1EF0lWsCRs2kzQJ1k/2A 9SfQ5qtf8QzsT+RZWODty9wJmQPAejtzUeoX4BtqeCqVAPMkexe2gWmMVtpQBPQ234e+AgQJPbND wGRVV6iD4cSo0o1ep0PMN/KuBxXBp7+9nNcEyNgnTmZokP6xukc9A4WmeSXUOAclPEOV8tEgj9VP zf0FrNXtafpNENDO9JHoAdd/eh52fRVExXuPq7YIUtPejnx9E/SPPZ35CkHS9kzvuwWgUMHQxq6+ YPhMfhHwBXBXnHTFQuqm9Ddpo2BUlX6jvikA+nVyI88EiPV6s+7hKoiucafH7kWgP+vYbEwDtaxj vakHPH/1tkaagPAigd7aFZDSTZ97mcH3Q913RS6CttLWWukF1ZtXLFBzEAR5+X/i2QPCL+e779cM jlvPXH30PWT0TSn96ibU8697utyXYPdzFJSPg+KnWy+tgFL7is7N3wn25h7ddakl7Iw4WXBXNIR+ F+RnHwZp8zKq5T6A8Br6y5ZokMZo54UEIiLSJzUT8l+O7OVdAiYrvb47sfLPbub/73nXo76mypoq a6rkLX/3cGCpc6XOlToHN4feHHpzKAy5MeTGkBt5Q1kunL9w/sJ50G/Qb9Bv+LNr4+bm5ub2P92V K1euXLnyPnucFQQCyJA8kEGqK24ggfQFN9gIWkccwhvke2yVO4IYroW7uoBSRhrnkQnaNtFUKQ8M Yon6BKSumq+YDlJ1xyluAqu8Bhb4AcS+rKSM1WDd/PKThJGgzXC0y1kNUr/kjhmpoEvNb35zEaQJ +V+XOgee+avsK7kUbEdSgxNHQ9CHPvMj64BzuEGz7AWtlU04k8FvlWfV/D+B+b6SqAaByShKCRfk Lre+yJoMOk/9WONL0G9Rbeoq8M5QeoqSYPo4KC74OZj2579UaCUoxfyneNQFUS5ji+UiZH1oPZb7 K1gr2DfZHKD7VtqlOwNqPmm0yARaSXZpIsgL5VaKBURbbYRuEohD0iD1SzAsUTKVlhDwhWmiTzrk bLBPzOoDunDnd9kmUNfZ+jkU0KqZl/p8CgJHTPZCUEzeMw0bADnntZgA2pjMsp51wH+SXy3POKiU UeaTqBh4OePpV8WaQuLg1BKBvqB4qPWlDZC409Y5syeYXnrZpFBgnzy98Hp4lhHfy3oDCjSX79Tu BVrd7O26cyC+cUUF7QH1vO1kViKE5fg3r9gRrAHZGZkdwFFbCiQX1IP0ztkGud86R9sscDLx+rSz U8D8xHw0dAFca/J45881ofyEAqsiHGAMtw7wi4IbPe4mZnaBBocriEbPILlRdsWn+SHjsHX1nULg ddP7XNAYKF6lVGCtZlAsp/iysJ/hxdVn9+M7g2loxh3jV5BzL/5M7G0ocaPsush0cM63TZPNkO/b yNtBdrhT9bbytDzoD7p6Ck8wPVIKphwEr88998W/AP1Rc3llMuS/5oh22MC203MHDjAO0MU7+4Nz uHLZPAfi5zguOZ4Bs/7spv7/JsMGwwbDBrg66Oqgq4Pyfrhi0/BNwzcNh9CI0IjQvxiD++4hxKYT m05sOhH0qfpUfeqfXQs3Nzc3t/9t/niPc67dbnMCGhouQMOAAlIEqTiBqsRyHcQ4fKkIkhOrbAft qjbK3g7EK2mm/jQo86V4CoFUhK+1SSCKiyDJAGKEY0P2SrC2vv7o5COw3njc4eFbcNWyFssdA4YK vn2DZTBMLz607Lfgmm3/KnMp+Eyr9qB5DZBLyD0MuWB//Krn87eQM/b2zJvN4PKRNGPuDnirpRRI Kwz5k7y+8W8Oun2ObvZsMI2U3iodwXjeVExfCYwxxLsGQ3BUvudR/SHgZbW1VS+ALIerQQ9Acul7 azXB9uzG6vvbIefsywsJn0NqwZzBOfvBmmR/5CgL2iJmajngeOu46bgDopq0XsQA5UQvrRrwpStR WwJamPOp5glisC5IuQ5MMpY0poD1vPVU1jzI2JHoGz8NsrNv17krQ+DDoDEhh8GzeeCRsIWgZfvu DTkE1pNafeNyeHjA02VvB5aFhgeutmBYKu6p3UF7bl0tmyHrkH2l6geW1hk/a/3Blc81M2cLqOnW GOcusE12rrE1AV2u3qV8A9qvzvr2nuC6qD6Uw8BQTR9rHAZUVDoKfzAeMY3xPgyeDwy95B6g+9C0 UMwDRynx0OQNqk3XSQsBJUy3SE6BwC2+p51nwcvpd9hzMVRYX2J2k3GgvHEla/ngUcyTfk+uQWBq QKi5EcS3ir/96DnUy9cgpMYv4Hpt/TR4LwTvDq1rfgjesZ5dfUpBbpp9EEXhzbWXSuY10KKtrlfn oGxGlTkVMuDR3ZilrzvAS9831WKNkPxpks+zQhC3L3V/3GhQLD7ZaRp4mkzzsg6CPCa9j6sv2Dd7 BLj6Q0A1/3H+X0DqQlef7KlgnST3lqtDTljGwoxE+C560uaLaX92M/9/V9r8tPlp82HpuaXnlp6D i2Uvlr1YFrJ6ZvXM6pk333Wzps2aNmsKw6sPrz68Opg3mTeZN/3ZpXdzc3Nz+9/iXY/zH0+cHfZc 23OQikvhUikQD8RbEQckkCxVA1TSSAOpM0GiMFCFFcpxED+KYa7ywFR5pvQIpIEiUkwG1zIW6w6C 3ET/XH8b1Bkxb0/shxc7t07ZEgVpv+R8YtoC5gee431GgX8vryiDFcwi4BdpHXg8rHqmvgeYvcp0 rlEY5EjilJugfmMzZd0D16obSbe+h6fak4m3+kDudC1D/ALeP0gLQm6Dep7lhhTwnu69x7cIeEQZ 83v0A3MVzxcesWB2Vk4oNg74Idjhmx/EbltZ2xXQfWuZnzkHcoMennilg5S9LysmxkC2l/UTayVw dpfaagoIC8PFQnA8dnzt+A4cg11G61cgzyBYFAPOa5f4CYjUopQKoO2T+igakGp4rWwGtYoYSBLY Ltk+sAyHzMFvH+duh4w7GV1tz0DZHroiYCqImSbh+QNkOB17rL0g7Y0rK707pOYkifSSYNFlTM1c B7aXltqZj8F+wrHRlQ76LdyRL4Be1rUwbAL5gr6/XgNTiFFneAnSZtmu1AbFoS+qnwlyY7mfXBnk KfI4cQbETFFSjgStiZpBOXCO177SCoBWm+aqN4h72g7hAHmcPEXfFZSpxmKml2AsZnok1QbDaB9j 8AbQN/X18I8Bv+cBNwOiQFfIXNK4FJzPk+NetIOMWtaPH4dCEY9Inf42qDsc9zxqQsPZDfL3bwDm cbquzrbgvC/rxBSQWzkKeR+D3PJvKzxqDLmvpU/lZsBe7bq0C1ST6GzsDA9LPW9/yQZii9Xz6S7I 6pUzVv4A9H1Nm1zDwFrQfDt2ATDG8bm0DKxmZy1lAph+8Wuhi4HXD9PqpBeG1AZJPbgC+x3LWp2v +Wc3dzc3Nzc3N7c/4v0N1ciVAqQZIKqIr8URkDylohiAnuIunwKpjKULiLJStlBAqiMsojYQpqyR BgLHtYHSOhAJoqC2EuTvlefSftB9lrU2tgE8PLRNt/06XPvk+XbRHQo9LlenkglKJdYbXPkiOANi Nz6+CLoLnhvlq6DvEp4euQnkcP18r89Ac7pu2peC8omhquc8yB1ut+hnQKEbYU2jWoL1sDYqJxUS dr+xOqqBHGw+ZN4Ahs36VKUnGIr4tjXPBQYaOssJ4KqR/XPmJdB/6bPD+AQwp5/KyIacXY9evSgN ubMTvs7RwNlTPSsSQHhKPswA7Zg6UlwF7SJNtXCQjsmV5NYgN3cFaONBDRWhjpIghUlH5KMgd5cn yckgdxPJaiVAr33ONHDk0832PQq5ozx/8boPuUOiNjpLQmp139K5YyCnVvaitC2Q/n3cuJiDkL4j 4UWiAXKe5rS0hYAcK9/RtoNXgtcY73AIvOl3y/8LMGV7n/M6BMY9HqGmZaBbZcqv3w46Rd4ofwva ehHLLRBXhVXsBSk/rcU00JWUPpMOgnRRiZbuAkZptn4WKBHyYiJBvi2WS01BC9N6KfdAayXGu1qB OtZeSLNDzh57pvUu2JpZZbUS5N54G5TYCsTQ1EtJrSC74Nuqfk4wfeJVyy8EvD82VnKkgP8qj9n+ zeFOx6en7QJqq1EWKRye/nB36cVXYHHIvTxWQL4VoZs9o6DWlhqnGhaBG36PJ8esB+tJo1XbCEUK FcsN+haMG+XJXhbQpaqJZfqAXxnfDVVrgse5gC6Bc+FUqSvXt6wDNTnzi4QuEHjT4wtpBHgUkF9W /gru/vj26JXCENg0ZLypFaibRRn7u9krYv/s5u7m5ubm5ub2PvzxxHmg+I5NQF3pnmQBYmhGc+Ah 3cXHwA+cldeDyM9SZQBIdbRXLh1QSnRRygELpCx+Bi2TRpQE/Q/6/Lo4yPnynse1WEhtdi87uRIU eFwpp04ilBnXon2F+eC7OTS/bwNwVvd/UXQViO3as9yh4GqT3SurARgvh22VvEBqIirLWaA1c8y3 nwVR0elPMmQfdzwK2ge2rVlXnVXB2TOzY9xK0PbZRrgWgKWk+qX0MRiClQbybjB+VNoR5QWSL9td l8DV++WF11ZwnEk6mT4ftB1ZZtcH4KolX5evgmui84hWHkS66xgrQJqASQwDXUN5n9wVnF9pKVo7 YLWkyp2BWdo9vgZRQxTXGoPopW51TQAe6Md5zoKsBtJ8j48hKdtZVrNAqrA2y/oEUpe82RVXFpIO v+72aj+kibefJbQH7aL6g6sjeF7x3xywGKI8ixYp6AIPs5/idQv03xpOK0fBddI1QbOCo6ftK6sO clMzv8/sAGJs+khxFeSdYrpkBG07HcRuYIwcK/mALp+ySLcTDMmKj1IYlJJKtqKBzqz4yj+CVkLe Jy8Gua2SxG3Q5ei2SkYwVNMt0m0ENptL6X3AM8NriFcOaMWUdLkqODNcK0Q1sGdY67kqQ+6lnA9z SoKtSsrBrJaQskiZZ4gG81qvLeZUKD6mTMPa4WB84RfgfQTKHS92KLw2BMeGRYd0B9NO003DQDB2 NQwVs6BiYNNV9bzB9IW5me4wEMgq6oDSj3B5Bxg6eBgDGoLtrWipfgi+VczfG2dC2cySnXuPhad+ L7Keh0FuG4f+9QnwCgvUedeBgk28Y58shKyinrmZNyAsIl89r7KAO212c3Nzc3P7f8Z76HFmgpoC fCiOyJuB2RSVEgC7tJruoO0RY1Qd6FbxVtcIHG+l6bQEqb04K4JA7qL0lseCrqVrqrwWuPMfYV01 k9NTakLhHnU61BgPUcOHFf84FKRnXuUNdsgt9aL+gzKghtl6ZewG+bn80pUfTNsL7ig3GbQurnU2 P2CT/pY0E7QWr3dmTANXA/s+1QUZP2XPzu4AmYfezkzZC67t1gBbVwju7VvJfwYE7Qho7hUGyg9K PiJAPf5mSWoqiOmFXoasAmW70abzAc5RUBcNopCUzxUFSiOmSEZQjmrz6AWSUXohTQXpmOhEBIjK WqyrPigXpNnCAMpaaZr8E2hlpMvKxyC2GHZ63AF7f/3nXgqkTFBHKDXh7de52yw+kFg3/tWLs5Cy +vHbh8ch5Wbyg6SToLQxTjHmgv83EUXCvwTP1cFtglqBnKCPwQzOTpYbtkDIepb8NDUSHN0cg7Vy oNSTK+ozwTTebDO8BY8Azx1eQ8Fjpmd1z41gnOChmBqDoYfxa2MG6HbqF+pPg05WKusTQBqtHMIb RHWhilyQhguD1hW0y+pw7VfQVmgnXApoi13XHP1AfO2o5BoCWgGXQX0A6J0HHP1Al+L6ULKCAXm8 7jl43/EyG2aDa5f3r8ZEcLZ02rQ4yBltCXM2BcvO3O254+DpgYsfnqoI9tyIo+FXobgrdFjdhhCu yz8t8DPQNooApxO0666PzE7w6ulZk2jI6Zfjaw0B+bz8iXwZMtan9bJ8CqYBpqEmB0R+HTDXOwfU 865B2iKo+EG5r0qsBd2vpjUFSsGVvnfDnx0DW6ay2DEVSocU31ZsC9w8FJO5/zvIOepY8WgF8D/o 1+Xc3Nzc3Nzc/pg/nDjruuo/Mn0EajFnIWdzYJj0BfWAhayX5oGczGh5Oziau1o6jOB4mbzg7Udg CDMmmZwgbwwICPgVXJsd3o5KID/TqVJNMKwpWaP4JAjuEWVXs0Ed72X36g1Mybqb8BYUq9zV+RWo j6yrsrqCElZ8ec0bIB80zfAdBdRWC6iTQQSrZeydILfPi9qJhcG2Imu8LR+4WtmStKnAdemMXza4 TkplVBnevIo/nBgLrgB7gsUIYYUjixcYCnKSq5dzGejLMknsBlEuMin4A9BHhizyPgdiqy3ONgPw y75t3wpisH6yuAa6R+pFloCrseOQOgCELD2kHogBLKEa6A7r5hq7gM1uXOW9EzKXGU6YJ0KyZrvk SITED950fjkZEivcX3fXG5J8XzteTQVum2p6hEJg68LeRaaBuUxgCb9m4CjpLOkcA9njkh6mDgK1 mq2SmgymJuYhhqvguzLQ1+878NsQ0iDoKviNDPjZvw/4TvOe7tUHzEs9C5m6gG6m/oWuCSiHpGLK OBA/MkgsB62vGMAykD8UQVIiiP7spyUwUnQSm0C9qk7TPgT20FE0A05rR4QFXD9qN7Td4Gqi7lQb g+ap3VSPgEhwDndeA2c766DcYFA72YtZ74HrR/WEYzK4UtTFYhoYOuseSJXBtNh3m7E3+FT0ESYJ cr+353MNhbcDUgclB8KPQze3+KkP+F8M+DhoB4QsDG4fVAoqx1YYUOIXKFu6zL6CCyFzdOpe6T44 Bkr3Xdfh7e2EU6nLwDDbEKT/Bcp7VvUvkh+kzboJcltQrNoN5zoosaSIr+Eo3H3+a3vHJ/Dk9d2D d6PA52z5mWWOQT21zJY+R+H0o8sT9pYG4IM/u5G7ubm5ubm5vR9/OHE+W+/iyMujoFa5qver1gb5 urRNJIBYLZK020C0NFxOAbm89JNSFjxWByQFX4ekygldk1PAt6Bpmf0yGC4ZSkmfg7Ze9WQLGDqH phYZBerVrF7Z60FUc+jsP4G0UHolHQay5M7GONAPK9K42legXx4kIm8C0fZbub+CGKvz1D8H+uVO 0LJAuWmfLTSQU5Unxt3gud0zyXALvDy9GwQ2AmeWmJD/R7B4JC6LKwNx3z29eHcbWHekpabUgbCf ooIKvgXjLWv7nChQNqSGpRlAF+nT2vcBaL2dT1y3QW4hV5SagOED0UiOAvtCTWi7QFdDOagsBFcD rY7WD9Q6GHTbwBXvd9xvKKQ6nZGaBHGzk4ckroSEtY/1dyfC62sPQx6sBeta1yytAPhujCqerzUY dwdO8PkZnF7OzepcSGkcN+fNdJCfqNcJh+B6QfUCC0NoWqlT+VwQ2iBydehc8P3R39PXFzxOmyea MsBQWr9a8QS9QbogBYEiCR1dQFxTm4qKYH3smqV+B9pj7QutMUjP5UeyAbTrrlfqJHAN1KzaMNDK iYOiOSiNRQvygTREaiiVAeWhvFr0BqUyQkoG5RLrlOogIWfLgK6sXhhegWOK6WvzEXD1Uau7QkBs cFkcVrDXdky3DQRXOWtJaw1wDLEvdg4FZaIqaZlgCDFVkm+BxwRTjt8HYL1n7ewoCWn9MountYfk olm+6eUge1aONX0xpF1LrvQ2G+rfrn+5/k0w/OT71K8ABHUJ2umXCa4a6gh1Nujy6x2KA9QWrngR Cy7FVVz+GVJJNuZ8CzkjMi4nnIVMR+L0Z9/Cxac5u2N7Q4lxxSNL2aH25jI9G2/+s5u3m5ubm5ub 2/v0hxPn7NbpUfaaoBulZEnFwdVMraD5gdxTGs1BEBNwiNkgdZXrSddAaewpeUSCKSBwsu9kcHZx 3HbGgmdT73F+2eB6oY5T14FYb74ZNBh0maZwfxO4imW9TW0B+i9Npc3XQKkePqTUApCeU09ZDuAY nVsJxGdKf+UViLJSTXxBtNKeauNA7JXniQpAMOO10SCPlEa7OoDXMLms9SQ4R2sRzr1g3OGfoCsM rhhLeMS38FafkP6yPThPWJNjakDw5+FHA6eCV1O/uxGjQctv7W3/GMQcqZ3yAJybXd84r4BYpa0S FpDuSiPEEZD7O7s6fgGpgW6uvjDYS3mOCgqB2FD7I1ssxH77cvTjfvAq69aTm/sgsfkbXs0AJc6/ p29T8B0fWSYiFpTaoqe0HtJLvCmR5ADdKM2uLILIbyLnhZeHAnHFjxYaD8Fb8yWFrwbfAr7ZXifB dFV/2LAb+JH1SiNQW6mq+grkuVo9oYFrMiOpAfZZ6kY1H2hjRQgGoLHkL38HBotOJ+cD3WCpJ7mg BUpfaSPBdc61QekCtlHqfbUkODOZJY6Bq4v6ldofnJ00ozgNylb5SykK9E7piLQN1FLaEw6DXVKT XT+AKEs1RoAUIXZIlUG5pNtk+hZEH+kToxmUj/RPPBJAn+u6aJ8A+lXWOtb74Iq3p9vvga6u+tDZ GvQdzCWVTDB8Zjru4wHZW3OT7UPgTeuEPUmRYBtnn+bsBrw0NjB1Bv8lXl96lYHszIwdOd3AWtcy JucnsCc46jo8IXewzd+RBrmvrFtzK8Kb5Lf709uCZa2lffJh8B3rO0eZCdbi9nC1Bfz64cPK976B 5L0pjd4UgnrUp+4faF/vfsAjJycnJycH6m+pv6X+lr9dL6NwRuGMwnCg/YH2B9pDb0tvS28LrKu2 rtq6ajBkyJAhQ4a8/y+QtWvXrl279l+P/0e3d3Nzc3Nz++/0hxPnGz891+4+haj4h60i10DlkuVH Fp8COSVsU+w+oDRkk5gNbCBeHAHXXKfFeRP8Ovos994N7BGnpS/BkeVs5PocpJGSwkmQmivnlQog AlmuewK6LT6JJiPgS2NJD9oRta9qAfkjSjuaAUOk3vqPQHsg5qtnQT5MjPYGxPbcAqmtwb4tPSP5 JdhfWc+mpwFNXa7UdvBo7etSz+IhtVZij/j2kG9OyOchNcF/q//cSBUyvcyvPYtDup+rr/QAXJ3e NExfAt5DLIOzreBfMcg3/CQYd5lr+JpBq6kW09aCFCxCJStITx2dteEgL9LZfFuAJdq3hfcDeDw3 q2FaJLzIvHf8/jp4Pvrmrmu5kJ1se2YpAx6xkVvy54Khg19/z+tg3Zx5NfsZaMVyatq/g3BbRP2I lVCkV5kyReMhf/4Cr/KPAe+TvkN8ToDcQjkqTwLpc2kyu0FEqme0pyA6av1cBUHs5nPagKua2COG gyjDK+aA9EbWy6dBdNO8teGg/aQN1IzgKscBLoPukPSK+aCvrZSWWoLYL0a5DoEo7TgjmoAzVB2r XgRXpvjVVQjEM+0m8SA9UadwEBhMuNQVxCsh4Q1ijMgS5UG8FU1FARC5YqK4CmKbNk3rA9JcnPQD 1zXxVvIB0U/52hgBclmP8oZE0EcYntpHgXzP8YutJ+j0jk326qAEOHY4vgL9XnMHgzfkPtSN0NeC dGvW99lOONT4iO50FdB9pj9r3gD608o1ZSTkjss6m/EW0uel3UopCmpNKd55BzQfrZwrGVxXxTrd UjBcNeyRKoMrRPPwDAA/nX8pLxNIO2iu1oWky2nfZU4CalKWVf96+yq6qOiioovgp+k/Tf9pOtSt WLdi3Yog35Zvy7fz1nv3k9uFFxReUHgBSCbJJJlg4NWBVwde/fd9gQysOLDiwIp/3vb/buK6uC6u w+5mu5vtbgZd07umd03/HRuuYQ1r4O7du3fv3oWYmJiYmBhwVnBWcFaA4Njg2OBYaPio4aOGj8Bw z3DPcO9vw2R2z+ye2R327t27d+9e6O/s7+zvzHv/ud9zv+d+cHX11dVXV+ctrz6s+rDqw6BwRuGM whn/uLjHCx0vdLwQZERnRGdEQ9fCXQt3LfzPH6+/vhByXxi5ubn9v+YPJ84vNqX0eXIezhS4XS3A AqU+KLEzcgDocuRX8mIQ34m2UnGgMy9pCDiIwQXqWc2o6UGqLy1iGEgP5a+YCOwhWwoAVlAGE1Be tNfWgFgiLVFWAS4xX/0UdPc4ISqAOIxFfgLivujg9Ab9Qv1xz47gNKX2fNEPsgdcLHp6LqiFkvom dQZxUz2TWwmeN7m/4lkpuPnZwx/f+IG0zd5AigFfUWqsdyHQv1DOJH0I6jS8vMuAwemnhP8Cumu6 ItIFyNzlOp7WBhwbMwKSLeDv6dxoHQzmk4YN5rsglVIDDSNBd8a7cvBCSKrnlRKwCB5MTXj7RgfP rl6XrvWBx573jt5IBUd+xWnQgc9XBeYVyAE5TRcsDYCsFW9Wp94GX8WjurkxlChQK7LSRSh4ruTk wgkQtDzgXOAe0E/Wf6jvCdJB1lIDxGJV0iqCSNMScIKwikHCDLLKd6wAZToLJQ3UL6WtfAq00lZo K0GsFEFaBOir01rqA+KoVIaZIJfV7omBIC6Lr9kJ4jB9tK7AdpFPrAWlmlxYpIFpmhSs5IL9c/Wo qA4uGaOQQVuqLRZzQT2tTtAeg1aOgsIA1BL7NA1EazFT6guk0o5dIB0QbRkDorHYLlqB+B6ZAFAX iJoiP9BWpEhJoLWR+xu8QAoyHlS+AH15pby+PIjD0ge5k4FJzrqun0EaIt2hFii3lT2mmZB53lJA /hTsd9SJzuvgHeR7zDsGDPM9VY8KYD8kqcr3kFkq7VaSGXgi35OrgtgtpqkBYO1i2+8aBEnfpJzP GQnGC4aBymvw6ujT2LwYtDdin/oT8AeTVh8fHx8fH/Cb6DfRbyK8bvi64euGUIACFPiL9d4lzvVO 1jtZ7yTQmta0hu9uf3f7u9swpPqQ6kOq5yUyNe/UvFPzDjzxfeL7xBdaTG0xtcVUiF4YvTB6IVhL W0tbS0OhtEJphdLgju6O7o7ubxOg34pfYUCFARUGwItmL5q9aJZ3AVC1atWqVav+7faNAxoHNA6A mzdv3rx5E8RgMVgMBnWVukpdBaXPlT5X+hxUXFVxVcU/cCHyez3b+Wzns53waMujLY+2QPqX6V+m f/n7t3887vG4x+Mg3j/eP94fOk/uPLnzZFBqKDWUGnDBdsF2wQZXKl+pfKUy1KMe9f5ie62iVlGr CGffnn179i04VzpXOv/OT7efX3F+xfkV0Glfp32d9oFYI9aINbDPvs++zw6FKczvyX9fTHkx5cUU GJw2OG1wGr9/Qzc3N7f/n5H/aIBCg8y60HHwWry6mjAVfr508MTZZ2A6arCZvwSthmjGciCCeB6C 9KW0RFoCqLhwghggpvE9SCvEcak6SBDBABAnRRHxAUhTpE1KDMibRLTWC7hDcVaDVkJapHsDNNJ2 uzxB2y35MQrUEpbGCfPBcTBhxP1ZYK330i/mKGjjXRHpu4AsrZP9OJh+9CpjWg91BtVqWNEDasU0 dtX3AePq4JzISpDS1rbB8wBILq+F/jvA84XZy2My6FSvCV6bwbOyd8XIr0GsVuoFBEDm15mFLT6Q 8bHlfPZPYH/oMcGnMiS/8W7vfw0enn9T/5UBYjacK3/mEcTsvLXkehg4ehiPeRwFc3jk8dAPwFXD 4bCrYP3gbeP0e1D4qyhTyD5oVL35/DqtoeK56rcrfAdRNyOGRZYGrxeGqUYrKC20c9o60B0TxbTm YFoq95LXgr4KReSVoKsmPpeqghQrWvANcECdpwaD7gPtnBoJSiwLtEdg/EDpIo8GvcxeEQbSZ669 rtvg2OTs7+oK1iHO711pkDvOqajrQRsrVlMAjA/1djEBdAelw65BIHfSGmrRoEzXzroughIkZFEM dNfkXuSAcknuLnJAuiAFSWVAuiqNEbVADqOJ6AC6D+V4qT8Ytso6+THoG0svpSpg7CWtl9qDYaDU nWAwzJeuiw6ghEo9pOGgXNBlGi+BQfJ46r0azPvMrTzegscX8lapNJg3S9+ofcHXw6uGvgp4f6zL UbZAVsWUqJQHYK9kz7JGQ+idsKmhDyDybES1IutAviuumHqDPJ71whN0/ZTZyhWwjXQM0DpBevvM GZZ7oN5WW6vdQHaIBc7I99dQi2UVyyqWBc92PNvxbEfe8syTmSczT4Kzv7O/sz+Evg59Hfr698ft 3Llz586d8xK5IulF0oukQ48ePXr06AG+T3yf+D7558sbOTtyduRsaJ/QPqF9Atz5/s73d77/7fXv jbw38t5IqLKmypoqa6B7ZvfM7pnQ8W3Htx3fwrXB1wZfG/zPl8Nms9lsNnBedl52Xv7923k/8n7k /QjKli1btmzZf36/DzY/2PxgM1STqknVJNCN0I3QjQCpqlRVqgrVq1evXr06lD5f+nzp83+7/eVv L397+VsoWbJkyZIlf3s/73563HrOes56Dqznreet50G/Qb9Bv+Efl/NU1qmsU1l5rw9GHIw4GJF3 3E6cOHHixAnYErMlZksMbG+0vdH2RhBdJLpIdJG89X7v5/B7473rYU+JSolKicqLs3///v3798PZ s2fPnj2bt/zdhcqpYqeKnSoGDofD4XDA0aNHjx49Ctu8t3lv84bDHQ53ONzht8v97sLv7oi7I+6O gD1T90zdMxWeT3o+6fkk2PV81/Ndz2GH7w7fHb555X/U4FGDRw3++fPEzc3tf58/3OMsG+R1HgOh 4e6Kxrp3oLq5cnrh9mB1Op7Y24IcL5+SjoM0gp0iB8QR8VzUBO5whUvAXGm69BmIG1pt7TVQQosn C/hBPiLlAm0YLU6CeExVqR/wmFtiCrCNHHEDtBTpI8kI8jbXohQfSJ14qMbGX0CzXv7yflkwfV9r S/UaIIp5N/cdCFLS/R63Af9lxouGZZBZRV/Ovxk4dhv1pkRwpjqme64ELcJU19AKzPUNmnEE6Bro ZnmOBPVTvnXuBkMT2UcYwfDQp2/ACsgNsDw1tALrclMtY33IvRDQJ/x7+PXI63txpeHex2cfnHXC M/OjL56awFnG55rHQPAsFlDV/1Nwds6OtJUA/XYt2nUHyq+q1KIMUHJYhdUl4iC/KWpVvlPgsUzX WT8Zcs5ZhlvWg727GCa+AcNWXXlDNJi+0B8ylALHVHs9+3eg5GLEC5RZcgCfgmbVjNou4GdphigK jrKuQFcP0KaKC9wFW0vR37UWRIBqFt7gaq7FUA7kZ9J0bQpI+bR8YhM4X4qiUk1QakgFRSEwrNG3 EWkgpzFSfAFKIH3EY1By5GipBaitRSNpIDirqIlkAFXFIOkuSLvQ1OWgDKcN+8FwRNdYXgRSmjSR +eD6Vo3RfgVptgr1QHsqPhS1QGvAY8kEcobUgARQO3AFLxAXxXkyQFop3ZYjQa1nCDZsAK0LH0kf g9Fke2CzAnbHDPv3wGPzTaUpiEzachCyC1ubWl6BEbMwuiDkk3yrQxaBtF/pbvgM3o6L+/jRInDd Jth+GNSF8lGhQq4597TaCmx7rCbHA/DIUQbLEe+voRb5ssiXRb6Ea6HXQq+Fgmula6VrJbwY+WLk i5FQpH+R/kX6A0MZytB/HK906dKlS5fOS+Te6N/o3+ih0ZJGSxot+Yv9di/SvUh3OHv37N2zd39/ eSMORByIOAByjBwjx4C6Vl2rrv3t9Tvk65CvQz5IOJBwIOEA3K9zv879OpByLOVYyjEQW8VWsRWo TGUq/+P9J3dK7pTcKS/R0t3R3dHdga65XXO75oKHh4eHh8dvbx8yI2RGyIy/WLCWtaz9h7v9L+ld 07umd4X4NfFr4tfA0c1HNx/dDPaL9ov2ixDeNrxteFuoP6b+mPpjgMc85jHE7o3dG7sX7JPsk+yT oNj4YuOLjYdTnOLU39lP3U11N9XdBD8f/vnwz4eBOOKIgzZhbcLahP3jcjbyaeTTyAee8IQnQLuI dhHtIuBE1xNdT3QFzxjPGM8Y6LWh14ZeG0DKlDKlTLja8GrDqw3hQpkLZS6UgSbPmjxr8uy393O+ z/k+5/v8/nj5ffL75PeBN+3etHvTDvyv+l/1vwq5ubm5ublg72fvZ+8HpJNOOiQcTDiYcBDyv83/ Nv9buH79+vXr1yEiIiIiIgJaZrfMbpkN93+8/+P9H+Fy/8v9L/eHhtsabmu47bfL/e7CcmOtjbU2 1oIuQV2CugSBT6ZPpk9m3rMH7y48S1CCEr//NHFzc/tf6A/3ODtuGJ7GW+CpZ+xnx9uAd3Gv3l6V QL4qpmp7QLKLC+JrEL3EZWxADq94DjzgKU9B/la6Io0AR13Ha2cPsO9ylnLWA1mTK8tvQOwSy0QY kEWWiAOpEn5kAOXEM+JBHq/hlCE342qxM4Eg1U/Pyq0K0vDSrSu6wGd8k197bYFgS5sjAz8A38Et o7qUgODeVXpVzIbQ1IC13h+AcQI/KoNB/cR02kMFZYfumikWlL2612YB9qualzUc1F6OCeo5sLe1 T7YUAVsXS4uMPeBVInB4cHVweRW8UEqG+4Y3X72pCTHrzu07ex+edXtUL6YX2Bd77zM+BtNjnyp+ PcHZOSckNxK8nihT5aZQY1TN11XsUPmXOksq/Qz5e+bvnq887DMcrn74BaxN3fzrj6vgh5E7tm3/ GtZ4bZixYQ2c+vXC0bMfw5tTSWfjvgPDUZOPXB9ks+6kbgq4rmtnxGdAtLxU1xvkt4ax+uGg/9DU XL8ZPE4YPtAPAcMQxkkXQXogvNXZYBok54grYGgiz5X2AKPFNVEM1AZqAdc4sO50fe0cBNZvbPNd FUEeLOpJZcEn0/xauQGmBXqdVAD0emmKWh4MxaRp6grwqKF8T34wL5M/kn4F/RY5iu6g7lafqLvA sdKpuW6A86iaqHUC12SytH7gmkcbLRacqhjiygDXdW2E2h1cFnWJ2AmuNqKN9jM42on6IglcSWIE xUB+rfPUdwfDVtNXHh5gemI8Z9oCHisIFmXAlGJaJ7UH7xBTvDINsk+lN0l9BJaJlhPZ9cDvaMgY n0NQuECB6wV9wFRZf87bCoYY4wyPTNBmyUNN5SFnU+4wUR9cg1x7zTPfX0M1/mD8wfgDhMeHx4fH Q2xwbHBscN4QjaLRRaOLRv/+eO96QN/RrmnXtGsgr5PXyevylktDpCHSvzA29a/HYP8j73oGnzx9 8vTJ07we38qDKw+u/C/0NL8bWvFuqMe7hDVncc7inMV/+OP4h1wul8vlAssZyxnLGehSsEvBLgWh z9k+Z/uchcCXgS8DX8LJYieLnSwGuUtzl+YuzRuqUud+nft17vMPL4TeJYjNJzef3HwyNAtoFtAs AK4Pvj74+r9w3N55/fPrn1//DJUGVRpUaVDeBRY3uclNqHil4pWKV+DVT69+evXT+4/3LgF+lzgn H0k+knwk706GPFweLg/P62FPmJ0wO2E25MuXL1++fPByysspL6dAyV4le5XslVeOUpZSllIWiGsT 1yauzW+X968vLCNmR8yOmA2nep7qeaon3L59+/bt23mJc4vmLZq3aP7vP6/c3Nz+fH+4x7lc6/zb a00Gg5AfZPrBm+KJHoktoFi5olsK3YGsajkds0eC/oT+oX4kMIHNVAb6EUQd4JK4wnXI9MiIyDoI ATMDPQMsoHUTpbUokLZKEdJIIF1cEbVB3GUM20DaKa+WPcHVJLNMsgLW+rHh8TfAmZAWaL0FwZf6 rRqwC/TngrtH3AHnCHuq3QrGLQWOlVkG4iP7F/br4N+16my/NPCYdnHLk6bwqubLC8mrwTaGKLkm uKo4AuwnwbDf4C0sIL91PlOjQDqoRtuXgVRBCGkz2E56HfL8EJ6/TnqYNBUe2S9PuHgSniY/Wv3g c8jq4rHceA18k7zqe60AOcXayH4HfGwerU0zIOJh0eP5B0Lol0VP5VsJhjv6HcahcOfBvWP3e8C9 pjE5z+rA6/jYM2/soIxQtuhfgy1TfeH4Eu7qYz54ngWHvzle66QfVNld0VJuHJRoWPRh4VxQPtYV NNSHxIGJuYl1Icgr6EDQUtA1EU/1ncE8W6+qXhBSKnROSCfwfGCe6V8NHJ/YLzs+B+ceV5jrEDg/ c+VonYEGcgvlC1AmiTrSAJADdJ/qLJCWlHPYUgoyG2Xpk0+Bb1fvj/1WgGGXcbkpBbinmPgWXONd FV0/gnOO6zybQe0qBoiNoI0WX5EMaj/xGd7Afp5oK0EbLxCXACvp/Ap8yhjRCuRa4iO+AjzFMdEU RGEeiPMglRWqKAvqEPFY7AHhEudEDMjT5NfSSZAKGoubhoDhOy2Dk+A1yN7SehxEsqEom4BCIkgp DVl3U18mbwTPZv6DXAL8lwS09ysFocfFOWkjJJ1IvPr2BDhShLAkQUZAVmF7JdBe6T/2PPD+G2yx nsV6FusJt9bdWndrHahX1avqVQhYELAgYMG/HjeiXUS7iHbwZP6T+U/mQylKUQp4uvPpzqc7gbOc 5ey/Hv8fSUxMTExMhB7DewzvMRzMKeYUcwrExcXFxcUBhznMYf7robt/lFC+u5CwGq1GqxGMtY21 jbUh5EzImZAz/756vGO6b7pvug9Vo6tGV40GQ11DXUNd4B73uAeVHJUclRywaeSmkZtGQtq1tGtp 1yB5TvKc5DmwcePGjRs3/m3cd0MJunXr1q1bN0iZmzI3ZS5ERUVFRUWBiBJRIgqi50bPjZ77r5f/ 3VhpubfcW+79d1b4z+P/7uFJylOe8u8vXkhcSFxIHKQ+Tn2c+hjehLwJeRMCYSXCSoSVAOWIckQ5 kjd0ybjduN24HUzJpmRTMlhuWm5absLG6xuvb7xO3h0DBQUFpPPSeek80Jve/J3y/PWFZYvAFoEt AiF1dOro1NHw9tDbQ28Pwa1Xt17degUc5ShHoRWtaPVvP7vc3Nz+TH84cY6vm/zZsxPQ3KNOVDsF zt++8uxKCNi8XD3sNaBQbD41qhYowXJvZT/QVVQW20B7zWZtFGhl1SzXXqCR6Kt9C9LHoqI8BuSl LJang3O3a6fzFsgF5CSlBUgRUhQDAadkwAy8ti21jALRzXrNXhw8TlcoVz0X9B7hZYrWAO217dfc 7iAFKHeMp0F8gkVeAS7f1GBLezCWDu9XuAb4d6w1tdTP4Pwx+0tbIKRHZi9xDQIaG7/SpYHWTPVx tAYmOQtnHgNKqO3UV2A/FtGt4CR4sT/7tb0EPC14OfLiSXgWca/brWxIG6ovpV8NHi1N2b4mcK10 9naUBPmQfFN6DspWnwP6FfBi5pslLztB3OmkT+OzwLbfVtrVHeL3Jf6SfBNspa1lHVVAFyd3VOqB miKaOQJBtHZliJvgChN6cR8ydmdH2b+HAz8fO3y6P1y0XMm8XgvkZ/JKnRVyDuR+lHse5DrSaKkk mPObAs21QBxgp9QGfNr4XvIoBd3fdPBuWw38fXwHBQwEQ1d9NaMP6H807DDUhqwR2YtyksEx2/m1 Mw3eNkrpmhgCV6tcr3t7BKSuSRuV6g/BZ0JLBLwGU5apqPkX8MwxbTX7QkWlfPXyLvDqZvT1vgTq Le1zrSVorenJVtDGitlacdAGaTLbQNwWLUQFkD6RRkinQRupfao1A+GLygPQPEWEqAvaMfERH4D0 kpqiGUhDtR8ZAtpAESiSQK1JdbEDtCasFzkgW4wLDZdBX40e6o/gUdNa1fYxiPGGqXI+MNfQ6it9 wSplJqXNBTnXOE9fBCI6FiC0DJQ6WvBZ5Ifg84XhjnkpmD/wKKP3BQ9d6JqIhQA0/COzavy1dwnS mZ5nep7pCeXnl59ffj6/ewjDb6lbt27dunUh2ivaK9oLft35685fd0LhwoULFy78Fz3RQxjCv2F2 hGq3qt2qdgv219lfZ38dMM00zTTNzOthDw4PDg8Oh8ttL7e93BZqUpOa/5d473okK1CBCn/5RklK UpL3Lrtnds/snuC9zXub9zYoWLBgwYIF84YGVKxVsVbFWnk9+A/1D/UP9RDaOrR1aGvIdyDfgXwH fvvw/tbsFO/2l9IwpWFKQxApIkWkgO8E3wm+E4BBDGLQP1+f/B3zd8zfEe7UuFPjTo28sdrv3K50 u9LtShDVM6pnVM/3H0+WZVmWIXha8LTgafCwwMMCDwtAh4MdDnY4CLp5unm6eXCx38V+F/tB8ezi 2cWz8+L5NPJp5NMIGu9ovKPxDghuGdwyuCVkn84+nX0a4jziPOI8/nG539nVbFezXc2gzdI2S9ss hdK20rbSNsjfM3/P/D1hz8s9L/e8BC5xiUvv++xyc3P7n+QPJ86lyxVrVXUG5M5xPM6+DN5jPX41 fwLJO+P3J38K+TxCfPzjIetD6zGpE9yaeW/PlSUQVNv3ZVhhiKn6us6FLhDh71+2YHOIvJBzpoQO CsQV3V2wPRjX69NN40A8kHK1WHBK6mPXbNC/EOliPzBKtuAFhm/yzQ3VwMtYZ37jDuBqKQdwH2SV B+IAUJy7WjDQ3pirpIKugX8Tf0BL15fyGArmgBJ3S4wAvxLxczMyQGtz7soNJ1hjtZ+lOuB6kPM2 NQAso7OfOwPAtb7QwdJvIflLz+k+peDVjDv6a8fhRck7C25aIOW5NoX+oDvu9dRrPhgsSje2QtaM 7Io5IyC9gXrZNgjiJ2a0fVsAXCMdPtoGcFRQy2oHQIkzTDdYQC2k9lQtoA1ydnbZQF4u38UC2mbX ClcHUFuJc8obIAdFfQquvs55ajqYq5nqe20DSw1rqNYM1JFOW+5IMA007jF9B65Mra/qD1m+2S2s OlAzXW2lFEgqk2rKaghrx/yYsbMD+Ez0Kel5HsrtLxFX4iNQV2kbtNrw4HmM16NzoBugt8gNwVrd 9oHtHFjJ9XKcBMyipDwEtC5KC/kUOE47nqTvA/HANdDxCRiKG1P1HaGIo8DrwpPA74HvvYA5IOao D7XBIN1BEhdAv0LpqmsOrlvqMuc00DqobykALBYuUQaEnTNiOdBcZBEI0kS8RX/QPhcz5fUg2mjp 6jcgXaE8NUALVVuqC0Cup5znLqgLpLMiC+inVwx+oO+pDdT2gjnWNsxZAfjcECLfAm2vqK9bC9ZH 6WVSF4Kc5L3Xoz9Um1FvVeWBUPVNtWqVbgHnpTJUBi1KFOfeP92c/iGlulJdqQ4fVf+o+kfV//H6 f51o/da0YKkFUwumFoSWsS1jW8aCabRptGl03q3wGFOMKcb0r8f/vcvLZpbNLJv5/o/bv9ueFnta 7GkBH/ERHwE1dDV0NXRwvvD5wucLw1avrV5bvYCtbGUrhLQKaRXSChr3aNyjcY9/fb91R9cdXXc0 RPeI7hHdAyhKUYpCA2MDYwPjvx63nkc9j3oecC76XPS5aNiWsi1lW0re+8Gvgl8Fv4J6m+ptqrcJ aEpTmr7/ePmT8iflT4Lkuclzk+eCVwmvEl4lQBevi9fFg2WpZallad56hBFGGDRs2LBhw4Zw9sOz H579MG/ozLux7rUX115cezG/2eP81yoOrDiw4kDYH74/fH84SBOlidJEkDpJnaROUP9G/Rv1b/zh 08jNze1/Aeny5cuXL18WokaNGjVq1PjXA2lBrkHqdUhNTduQdAk8Bpmf+u2Duz88fH5qDMS6Yh1p vaCIrui20icgsWt2p2e/wv0FzwufCYbwFM+N+cPgdeGEqfHHoGVs3cN9i4N3qFc7023wM/o89y8I /leCZoW8AHWJaCFmgbo25fyvj0BNU7N1VcEwOXxnmZkg37I/VyVQY5QZ6lgQslRWXgI6P/Ub6RGo fYxt5MKgOyFvU26D1evhhlu3ILPw/sAjcfB2RGLTzG8gu6J9We5TcLzMnWSIBF1igXIlraCmV9pd OgCeHXo0/84cuBN2LN+ekfDkatLgDAvkNvAw+54H3yOeAZ5fgr27daO1CqQUypiZ2h4snR0B1geg a6fP0t8H1a6liDOga6O7YWgL2iy5tpYCtFX1og44ZtnnOGeCOCbqa71AipBq4Q9amBYtSoLwFsHs BZElojUZ5MdyF6khyI/kfXJ7kC/KA6RqIE2Xlkm9gR8lM73BMc7xRi0Phmh9G2U/qJJ4o90Baaxo rjQFySV9zi8ghUr5tX7g8iZJywJdsmzX1QfDIP0leSao89SToinID6XjSn7QtrgixTmgE3OFDvQn Tbm6nSB6aVvVCVBwdlSlfCcgdF9oSPA2yDc47Hh4CQh/G7I7LB2cVudw7RPItGU2Sd8LgWsDFwTe BckgZeh7gVxB/kT7AtS7/x97bxmntbUubl8ryaPjwwwyuHtxd2lxd9cChRZpgWLFpaWlWKFYcYq7 Oy3u7sUZGJhhXB5Jst4P58w7+7f36b+bwt49MteXmSdZWbnXLcmdOyuJsVq/ANIiG1lGgr7aqOT1 B9FJvBbfg7pL+VVxgbeWZ4xZGNQSWiGzNLg6exfJiyB7C6vYDdoiKpm9gE+8NfWuoI92l3JfhZQl Hs0YDq4lRgz5IKGne4K3K1h0+2DHEMi1MFfu7Ceh6uMySonvoEjnIgvzzwE1yqep9Ro4+luzOv4H JIK/JP6S+Esi2FfaV9pXQhlZRpaRcHnJ5SWXl0Dct3Hfxn0LdevWrVu37rvv738b27Zt27ZtGzRv 3rx58+Z/tTTppJNOOum8b86ePXv27FlQe/fu3bt37/HjUx+qeFu2//LLhJllwWX1lk/ZBqK2ctLn Ljzk2dB7t+FCwK3fzm2A0O/9zbyxUHt1jRHVssEr+bLp80HwvOGL+o8Lw5sFsfNTQiBqcFLJyD6g PRR7o8Ph+f2XCyPXg/lhypuUjyHn3BwPcuUAbyHGak5QB5gDXXPBmsOeGPQYzFNqRV8FhK9q1b8F xVTzOmcBT8XnrALKiUO6Ad55d0ecKwVxzU/uP3oH4opv+HTPXoge+tvu1wHgcTEvuAYoDZzNsw8F a9msYwrsh8B2lQqVeAyvlZj4p7/C9U8O63sbw6OUpzlefAGx/bWvfJ5CwGwf034Z5BS9kr4bYg4n 9ImtCgkXkz9PrANMVG+LAaAFKg/EA7ANtG7ShoLoIG7qp0G5JneaK8DbxtveUEEvYtzSG4KcKUfJ ZWCcMO7qHwN7UE0Bor3SnoMgFXnTrADsl0eJAPO6ecrMB6YuHTInGFOlkB+BHmts0HuBrCifmb+B 5ZhWSFQGWU0clbdAXpO1hQvkcqOZ0RNMq7naDAbTSUk6AfvMVuZZMKSZ1VwDZpzcLteCDJGT2Q9m ZnOCWQ/MivIX8xmYZ81w/QjIrOJTNQxet4+clXAWottEf/lmJ3gaeDumPADjrB7sDYfQE6FPM+WE iA6vFkc4wLrEtsU2ECxhlsb2AHi28lmbxwYoq9Wq4jIk5U4p71kHl85d3XJlOkTliboQVRW0QtbV 2nLwifIpZO8Ar7NFRcVWgnOfXyp5pRFEzX9TJ2IjZPwtY5uggqDdVG86ooEIZa/yEtRcFDT7gjHc XKoPAcLVu8pPkFLRNcpzDYzL+gDjV4haFj8/IQo8+VNqup+D75eGXdwF/x4ZA4JH/dXh/seEngk9 E3om7X3Np+aemntqLpjbze3mdqgWWy22WizYctly2XL91dL+9+OPXhuXTjrppJPO/2zCw8PDw8Pf w1SNcz+d9z8u4PH6nA2vFQfbECOhxFgIau/bKigaXk90Pbt5BYLXeJSgNvDk8JPZj45B3Dz3wwQD zs96fPhZNcgabbsdZIF8W0OalLgFr9TXlZIWgS3cPjBuD9ws/LrNOX8oPCbfqSKVIHBAVk+eE+Ca r33nNx9MX/mJsh7UaaK0cRqS895Q9vQAy/IM/fLsAK28/5OgO+A69bLGby5w33pcMiIAxC9aiG8k +OSv4alTAfy9GVOy7gD7xOBOQV0gZs3J3dcKgDkqaFTAXXipmDmil8ODfefqnIqC54OeBDyJh6ih GOpZcIY6D9tNYIX4UeiQ1DKxQsIDSMyUHJD4DJTPrTOUuWCfb99j6QFytBEuX4OnkzHV7QsM4gBv gI5mb/ERyAdmIb0OKIPFh8wCo6/8j7m5c7RsSmkQI42H5mdgG2zLL34EM1HWUKMhOT4pUTdBSVZn YICcQj3lHphDjPvmBRCfc1G5D8oqsZQfwZvLHWdGgnGHUhQGDnFH/xy8lc1Tsj5osfyktALGsFoW BdPLBlkVxEzztLgI4nvxiiAQ0WQ1C4N8LvNTDWRR+nMWlJJ6I9EbNH9LoDEDzLOyqpwLiRmS0M9C xOpXpV6tAqfdsczaAej14IS6CewDnQ2dLeDhN4+zPbkKHs3TxywJruuuhQlfQuKmxBoh7eHVk5iT MQpEf5cwI3YVsC5+sLYIHhUOn/vUBiWPfyDy74LwY8+mJ++HSL+YPDE1QdSLXqcPBaWZOkmeBrWh 8qXND7Snln3yOuR0Z3qdZSuYnZlj5AQtXAzTRoO9pnZc5IMEPW5m7FRQvnQed7SHiwl3Wj98BU9W Pi36YhJ8TNH4fH91tP8T+FT3qe5THZrTnObwN//8J9nIxp+4sE4nnXTSSSed/028c+Ls6mSr7FHg 8VdRXV5HQHDHgL6nB8CDsU/vpuhQ/FzIw9ohcNBzoen6POBpYBw1N0IOsvvnqQ2ZA7SjGYB6jcv0 a9wZaq6v7a57EJ6celLmoT+4T7nvJA8EF7HZjFrg7aUfcn8J+nU5zqOD8sTyyK88UMLYqX8BIrsY 7a4GnuDfuDcd3iStm70zGULqdMjWIyfY5+TJVcYBtl25KzsTQb1uraxOAU4rxbUn4B0QXeBFNCRm udDx7FjQqlk3JUgwDma5E9YDHt+/vODKHnhW+kbpa7ngdc6U2e6DIGc4/H1fga2p9Wf1B0gumdw0 8Tm8qZ3wc+yv4Lmo5zVOgJghjqq1wRPuyuz5AvQW3rVGEfAuMgvIZSD3yDixCmQGaTIRpEemmH1B pIh2BIKIVjvIcSDaskysAVsH22eqH4gaZi7qgFTMICM/WOc4HyiXQG/pXmWUBTOr/tgIBy1cyyPK glwjuxsXgI/FHTEGjA9ltLwN+hK9orkE5AAG0Q7EIDVYywxmFTleClD2yxViIsjNYob8AmQVc5xZ CZjNYT4HESOyi1eAITaJGaAvMuPNTqBGM1gtD2Y9TwPvQVA1SxEGgRqntdJ2QcyAuIxJ/eBShatz b92AXAty3Emwg+wrb1hbwpsO0U+jc4KlgmW8egz88/l95ZcLPLu8eyWQkJhUOD4OkryJ3RNPgjFF fs0acB1zByTkgxN1z9RPmAVipqyujgN5jEJqIVDKKN8rGeFB70e3w28BtcREmQLmRG4aP8DrLK+q RGSBvCJbw0ytwP9zvy8ybQNRUC2lVQR0/Y7ZERL8I3NFfw4cFMfUw+Bt73njTX3LwOC/OszTSSed dNJJJ533wbsnzuvNMQRC0qg3Qa44sBgxKfYrYGvoMz+wArzwE/WuecHyQaaeekNIsRub3nwOiate WQLD4ZO4lhn6jwbfZtZdPp1ATGauOR3y9s7TrJAboh7HT33hhEu3EmL2/AwBm72TynWBTAXV4tYP wR3j2aIngFiu2W1fgdGXZYYT1Nn+vfySIXBVlU8q7gf7L8Xr1ggHUc60eiuA7Gwe02+BudFbhJHg +fBV+dvjIK7hzpHb/cDTMfa4nhn8FpbfWqMBvHQkjY2Ph6fei0NOj4eITdG3YipCclHxQmkJ/j87 ivhkBhmgvzDqQsL5xAwJS8B91ThjDgS5iufiLginedvcCLK+iKEtmH5yAe2BH2VJsoJsKe/JfiAq s59bIKrTChfIL+VRqQNLzBH4gnmTOXI6uB/og/RE0J6JEoofiO7iA+zAd3pGvTKYFuOh3ALyhlmc myAClKdKfpB95Bm5AehMKSUMjN9kFrMFsIFy8gWorUVvRYCIEj3kBjBbSB/agVHOiDNOA5JCcjOo U5Qs6qdgfi3bmpNAbpRb5UQQP4iGIiNYDol2XAatn6UhnwIFMPkR9K/N0twBdyl3ojEB5COzn6wF Iq/YqFSEewd+q/w8AnSX0d/IDOoIrbF6DpQEJb/yC0RbYhfHdYNslrA5oc0gpnzcm9jsoLczM8h2 4DnlPuiNASVFLa42A08GzyD3BaCFOUZMB+W+ckndCpqvJpRtoEwQFVkD4rqaXTVBNpIRYgu83vFm XdItcHxnXfomF1iHWwY7L4PtvC0qICtIq5ZJ6QXuePeOlBaQUiV+eNw2MPY4w6yVgE1E/tVBnk46 6aSTTjrpvB/eOXGO/+pNg+SxkPmipWXR4tAnsEnk0A5gfRi0yFsDDi69UnDtLPB2dnZwXQefI/bA pKawsfmpobPGQ5cizqKfPwXX3uQt4jSc6bEz5rAFnHd9FoZooNdQdhmTId+g4It5r8Hz+XGrIopA aKGA2c+vgq8jqE2mcDAbm8ONJaBsFP1tp8AyMWxpnk9B+d6vflASMFwpKgXI254j3logyyoHtWOA S1sj34A3+UnSnSXgmf16auxJUEdliS9YBTyJwVf83HB3wK+/HNkAz5c92vVgILyuoOcyC4A2xzHV rw2oY/hYnoS4m0kp8Ycg8bKrtGswWNrZTPUQ6Nf0YsYRUKxKvLgAsh1rzRjwbvZuN74CDjBVPAM1 WqujfgpmQaOQPhL0SXopPQgUm9JXCQSWymFiDpj3zDzmBvAekWPkHvBIuRIDFIeSSVwGfuaq+BXM deYDcweIUTKDKA7eGM9I/TjQUpQSe4Hy4rhsBUaMXG1mBXWwGqvsAS6KYbICmI2NT4wyIOvIzihg LjNWG9lBzap113aA3CCPmQKUKmIKu0DLptVR74EcKjPJTqDuF7f4HtTPtdl8BXp740s5AFgjc+EL RlOjlhEJymZNUw4AVZlj7gC9r3lRaqBEaPOVbKAHSa+5F5imn5I1QQ/VX5lr4HHbJz6v3wAPlC3y BYjlykdmJrDett5QPwTvfa/HXRCMI0Y3cxGoh9Qm2jKQQTLABMRGo50yEMylYii1Qe1OitwJ5mj5 sfYFyMfmS6lCxA9Rw2MrgH+oXxmfpZD5i+D2NjsoWblh/QzUDiKz+AK8SUkrEr8HraP1ju+Evzq8 00knnXTSSSed98k7J86FBmcaU2kn9Jdtmw/PBD7+QQUdX0NU/1en3uSBxByRefxuwZ2uT24/LACv Xr32efEQlLXWfBlywi7L2SKH+oFzivqzz2CI/c479mkGeFnf0+K305D0c2Jo8iSIT0w882ot+MV5 tvhMgex9slbP3BCCKmQysiWDe0dKR08P4DU97C5Qh4Ucya0BdVJmvtkHyjnjmJEJ9BLKMFESlAPy EZeA8mZRlxe0gQFxPrGgqpnm+PaADLcqf1e6DbzxcWVPssCz85cOXugAEX3iva6skPKZWK75g62s Od54Csnnk08n6hCbkjwufjl4mpmjjO6g9tZjpQ5ypVzHj+At6o0wu4F3pOEykkCZSZC6DEjiMfXA 2ONdbhwB87UZo+8AbZxyVv0MRJgyVEwDbzm9o14UxGaqiuIgnpnPpR1kPxEn+oKRWY6QQ0GMZaC8 B7IsPXGBvCza0hrU4SIQAWYuc49cCvKRsoqn/Mf7RzeC2KE0F2dB7BRTyA3ymv5ERgB1ZGtqgubR NmnBIDYoVlEIqMI0eRtEBVFABID5sVnMbApiLh/KFWBMoA4rwXvMpcmOYBaTV2UOsK7SViq5wfzV HCE2AtlkQ8qCXCHGUwfkUzlfBgN9ZR7zAogbcjPFQGY2B8pjYHbjEjPBu9Dcb9QGdbX2sRYCErO3 2RnMD+UBowHIeWYOeR/kN7KVzAXyhFyjzwalr5hmzgcmqF20K2ApaSmrANT8j2/m6pX0156uYFtp 3aZmh5Sz7m/FIAj/4HXXyNbg88D+gY8bfE1ndPB68MSKCSIYzALeSPc5ME+kHFNuAy1p9VcHeTrp pJNOOumk835458Q5l8xeL+uPcLb31cTjjeHYvfO2wzng+ciYb8IDwLE2Q+WYKeDfMXCzowXEKC+G e2aDbxfnUHsgJGRzzXheHRI2mWcSgOwt/PoGXAf/rwOSyyaA776MyY6sIBy8kjYoN67E2iaX4J7l ds7zv0HOZwWn5C0J9LQcsLUCaumFXdNBiw3IlPknkNNsi1gL0jQ26DVAlBN3lQRQHsphRlOQRaTp eAq2snm6FasLGRZlDMlrgM/QzHvzzYBrk1f/tGQsvAx/PObJAYgZaxThIzB2ihS+B/fKlJFJI0AP VkZRA9xJ3kbGYjA3mdGMAvnE/NxcDmZ9M9RcA8ZE2UFuBaO0mclsA+Ijpby8CSxlPIXB7CsLma9B bmWe6AhmHK9lJhCFZDnWAqHkoB5IX8rIbEAeMZVNIHpSWFYCmWD2l7HAITGBF6B0lylEArdEd5EJ 5FcUUL4GsxVWPQXkJPNzagCFGSjWgHFSD5IXQP1BLS6CQH1hqabcB7lNdhSRwEA5VPYD9tCYySDz mHa5G2iqZJBrwLxkVDIfg8xqHBddQGTUuimxYC1tDRU24BvraeUJKDX0ffILMKbzrZkL5BTzjbYG OE0vZgBVyWFmAKOV+Uj+DKjysBYCYjsWkQ3MXrK0PhDkKDzMAUqYsUYOEGOEVcsF+kL9OW1BKSIC RB4QZfnY/AhEDpnN/BjMETwQ98CYbpY2WoIorusyFEzVvCu6gPG9PlCWBk910R0LKOu1WkpmeBMb 7ZcyGF7X9At5EwPOqfYo506wvhBznMch+TOxzMwFngMpB90B/xkkt989UO/evXv37t1/xyEhnXTS SSeddP73UrBgwYIFC/757d85cT6W/eb6XSvg6eXoxXEDwVnQ2kP7EfQnxhGzK4iw2IVWAzKGZngV UB5cX2W0v6gJmTt7chYuCS/DEqZEtAefB9YQ60l4uP71B8Yy8JsfVyFCA0s3bb7uAM3mFMk9wbP/ QR+5Hu6svO7c1hYyjsuaoDeCCpdrXOj/FSQXTbGmDAPVphZ1OkA0co7L0gN4LsNlDVBqEEJ/MI8J i8gCMpxo0x/EBu1EpkCwd8301DoI4rs8G/foA7jS5pfcx8vCm69TMnhiIXkN88V0cO61BToDQM8u NokASCrpup7iC95F+mJzJYj2Ikk5DUqkml3rB2Z7fapnPygXzZZmLCiRagklF5iNzYfyBJCdygwH oQiPuAvMltPkJsBGMT4Dacpi8jSIb0UlZQzIXrKrbA5aHcsErSYYC80B5odgzjbrmzNArSwyilBQ bit3lFZgvjCD5HMwm1CarUf/b/QAAIAASURBVGBJsPS0FQK9gpFVzw6mYUw2WwLtpZ0RYEqztXwN wGQzMyjxSiV1Hyhj1KvqSTDyGJ2M7qAWFgXEZpBZzRSjHMj18iUXAVOtIi4AXwsL/UAmU4YYkAs8 RU3ALGZUN/eCjBZt1RXATY7K5SDPyY9kf6A0reUKkDeMYviD+Elk0YuB6K0oygWgoryrbADzkHne rAVkE1H8AGIktYxdQDcZa24G7wfMMT8AcUAuVzMDhylsngKxV+1mzAE5WBulLQWjpNFXbAS1gaJJ XzCXyxAlAegi8vEYLCtFRaUOeEvo4wwbRK+PGZRYGkI7BtkTLeDbx4n1CQirPp1soJ/SKwg30IXn /x0CPZ100kknnXTSeXeUd+3Atc6zL9INxW05bWZzKFm3ZNuEJpDl1xxlxK8QEZly3TMM7vb/bURE RvBp5rqn+YE869/7zTnI07BQwXzlITIiuYzsCGYRbiR/A1FLEi/e2wivbie0e/I5RJdK3vbiLFy+ drXXsWLgMyCkdL7GcIYr1fdXgoStEZ8+HAiK1TbJ0h+Mr2RG/QWYh6hnrwjUpafIDlSkgTwClKEe n4NSwVwpxoJZhfvmTGA2073B8Cj2zKozURDe7LHfMytEDfMslZ+B9pXtobMOBOzx+dB3LKjLlZ+U O2AGSI3HYI235bCNA6Wuckl9COZSc6sxD5QNykZlKWihWkGtCCgDlI7KERBZsfAUxF2xT3wJykdK N+VLEDnUIqoDLFktxawXQT6VF2V1sJSwlNBygf2k/ZT9Kli7W5pYPWCrYbtoTwDHWXsfx0hQVik7 tP6gVlfraJ1Bu6Hp6hMQe0RuyoByQPlEXQsOi22ePQycG+13bcXBPsd625oLrC/U4ZYzoEyQKO2B nUZ+cw6IOub3cilYMqtb1XEgTWpwAYwoOZc7YH7DGNaDfGSGmidBJFKVGmDU1zPLXGC2dofJKDCP GKOVayCryrM0BFFb2JXKwCIO8AlQlIXiNYgfxGg1AUS48BU7gQUsYhXQli7yBohK4gNhgJxgFpYt wbSaRZXWoKiKxdoDLMnaFudpkBXNfcodMF7rpdkLTGKzOhKYba6hMhjr9fJmOBhCjzctwBH5TDYB o4D3mP4YjJ+8mcxdoN83huu9IarPm1mJpSDmcVx4YhOgtbS7B4D2hdKNvWDUMjPrZf/q8E4nnXTS SSeddN4n71xxdgyzX7CPhfit7mkJjSEsmY+cXcFngnypfwRZwoMa2eMh9Ko20H8h5GiVwao8gd82 xa95tRiyf2ovX+YzKDq/5JrsUfCkzLO7Vx9B4ul402cUaFhmWPKAetfSOSEIlOPuzbZZEHTQXwlY CRGPYgsn14O9NQ7UmBsC7VZ3vDY9LyQ9kUe0RqC0EtFyIMhs4oGcB2QkWukC7BHtZGswy9NO9gXl gNJGiwZvg9hrcWXghnq+15kiEDUkKTRpKSR55TDle3D2drT0CQVlr3xpnALvOPcpdx7AIcaLraBc Ft0UAUqcUsMMB32+56Z+E5Rx4qbiAtFcK6NWBXrIDuIHEOuIM74EaeeIbALUprs4Dubn0kI4mE6z rGwOyg/KCvUnUBXVqdYDIYWpnAJDNVzGEFC6qzuVH0FsE8eUM6AOsRjar2AeMkubp0Efb9TVb4M2 Wx2vLgJjmZlkXgYmywLsB8sEtaoSD+KpEq9UAaWB0kWpCsYNvYP0ABWYLJOA38QKpoKYKgaJq6DN trVSfcF45nrguQTmYT2zngWUioqPUh5IML8V0WCWFDlEJRCzZSkOgiyj9lKfgpZZ3ag5QCbJeDM3 kIeVIhNoN5RR2odAV4HMC8wUw9VRIOYwhjogbMpA2RnEc16JJyB6qwtEHrBetJXw8we5CruoAuoC Oip1Aa9ckHgRvDM9I1IegDnTaKCYwHDzK/M5KNvlNfYANtFfNgMz0FynTwV1vdpRSwBxSuZXioHj mGOIfRko67UmtjuQMCWpgHEWPIu9zY1AUJup/mIfyAhp9y4B2v7VIZ5OOumkk0466bwv3rni/Lp7 ZKaULWANsk2z94JgERKZuyW47EpU3CWwdKWoHAv6OuvSlNMQEen+JiY3JPdLzpuyB66Vebn+4F24 V+P56Gu1IT76TV1ZDixRjnH2e+B0BJ/xXQps0s+r50B2MnoZ9+BRgfvWZ8GQUDrmqtoLXhw2Lj6K h3urHg5ZvASct+03rPXB/Jp6hgtYxhX1CHBFPJQmkFEu5wdghdnW3AzWuZZaWjK8Hn6nys2r8LTT g54PPoE3UZ4Tuj/IIDHdooEtwPZGbQauDZ7KnmuQXFPXPNvBzC2vmVbwrPSU854EY6pxQLeDdsry xLoQvMv0SsYGkNI4ay4FW3NLCeUxKMe1rpoNVE2tqV0AyzhLE0t9sBW2fGYJAq5yVVYHilNSdgAG 8in1QOwRu1kHspbMYdwH188pI5LfgLe7N9DTE7zF9BdGX9ANI4+xHdQwtZiaAsoNcUGZDspn4jZX QCpMMm+CuKyMV3IBY+QaOQhIogRjQCxRUrgCcqfIxBegLde2aydBn2h+b24FtYlcLmqAbZi1lG0K qM21+9aaoIZoTvUHkGVlEVELpMWcaC4HM5yp5Ab1RwapCmhPleYWPxBrKaZ8DWaMaaUpGHuMZ2YA ePt5u+hbwLJC7NUKg2WJ4mO5BNa91s+dj8H8xmwii4BZXN9p7gPPwJTbiTPB80nyg4RykFwrqV78 MDA+8C7VK4FPHT81MAWy3MkaWaAgBK0LXp7zItg6+fTLsB6cgYGNMn4MIftDp+acCYHfhnTKnhcc /QLGh/QDv6pBA7I0g4zHMi0Ms4Hla8eqwCLg7apvUUuD5Tux3FgEWidRVRvzV4f32zOs9rDaw2pD 28NtD7c9nLZ8et7peafn/aul+79D2bJly5Z9izsWf9/+r7LXv2q/cUfijsQdgS83fLnhyw1Q7Xa1 29VuQ5WBVQZWGQgDbw68OfAmvBj3YtyLcSA/lh/Lj2HWrFmzZs2CWv61/Gv5Q+UVlVdUXgEDlg5Y OmApPH/+/Pnzd5hM9a52+lfze/b47+Ivf8TlcpfLXS4HgwcPHjx4cNrfvyf1U/ep4/q9v/9X+av9 9F3j8Z/1g38X71xxzn42YzvrDciyKNtOv2AI/yH6XsxleOp5si/lCCjN1ZmuMeB5pJRM+QredIg9 6D8efIKUjo56kPKDbJbYGNx19U1GdkhO9Jaw9wH7/fi8caGgDPA/7o0Ho6M2Rx0PnhTTz5wFynnR JfExKB9qTZJGwbNub7qGZoelH+yaumkutG9Yzs+RHUr0q3a+x0RIXO86nJALtFO0tGogM8iStADR QgSoVUCOMu64H8JvZS6Wu3gOorrEmLHtISHe85KTYClhv+5YCGqouKl0guTTKXWSPwN3ZznHDAJy KJFaLbBMsgzSdDCnGo2VqUArpYdYBdbZ1lHaOjBXmz+bB8A8KueLgaCd0DaoZUGOklPwB2W8MlqZ AHKW/M5YDZziKZNAnBa/iP5grjA3yLWg9lS7KpFgLafVs80Hda6yRBsM5hC5jk7gjdNHGftBDVHz Kp1B8RAt1oHe2Fht+ID2qfZIqwtKgqpY84I2RXUqBhgpxiMjHkQDYRc1gNMYcgBYB2vltBEgK3CT b0EpJ6qJQkBtuQ0fUC+LqWp70EaoS83GYAQZVYweIIexxbwCROGUX4N2QotRG4MYJB6zBMz+RkFp BRlp7pS/gKjKRLERiBMjlN9AvaQ8UUuD55S3hGcBWI6qO7QA8FZxn3a9BO9R44hxFrQb2hXtZ1Br qvmEL5jlzJb6T8Bi8UTzglJXK6A9ASO/uVq+BL8rfrV9vaDmCXqTIR/Iq/pK4whYaloVbR84fW05 tThgvnlUPwFcoLO3Jli+USaTBOpiMUvNBdai9oX2iqBVUW4oJUDpIIYpbUDdrTwWUwHo9teF99tz NP5o/NF4OHfv3L1z94A61KEObAjaELQhCIYznOF/tZDp/AOnup3qdupvPO2vste/ar+pJ9zDLw6/ OPwCunfv3r17d8jim8U3iy9M6zat27RuMPr06NOjT0NPb09vTy+srr66+urqMOjMoDODzoD6ifqJ +gl8n/R90vdJ8M2Sb5Z8swTmnpp7au6pd9f7fzd+zx7/Xfzl99A/0D/QP4CpiVMTpybCU89Tz1MP GOeMc8a5tHbeHt4e3h4QPi58XPg4GFR5UOVBlSHwQeCDwAd/9Sj++/BX++mJ2Sdmn5j99vH4z/rB v5t3rjjrdyxJroVwt8nDV4+tcGX6naV3dkKmatmq+haAlIsy+fULiLwQXdJRAZT7Isi2HSJXJHUx L0DMgLi8/jvB29Rom+EA2PoEfRb3AJIreXslLoM3B55mTVIg7uTrie4JYI4zbskl4PJJmapWgdeJ sZ3imkNEx+jS4ePhbr7wl7GfwoqLh5tNiYNw253eRyaDPZu9jV9dMLObBfSuINaK/bIVKA+1L5Wl 4HoQuS2iIDy+f/PUzTcQ0yZlrjsaEusYU1kI1iqO72x9wDPGW8C4DCk/ehalZAK9MqVJBGOJuccY CkIRN2gK5kmziQmILqzjPmgHtH7aSrD01z7WJJivzUryN9A/0hvpu8DIbAQbjUHWlHVlfzAXmj+b 60AuNQeZu0B+KmvzE4g8wiNaAIvoxnpgDNfMJGCRWC8rAkuZoQ8GEcZuQwMeypccA9FFmadkBnWZ +kBtCcoSdZa6CSwLtc3aTJA/yd1UAjbLpaIkKAaTlWsgXJQSu4FRMoVfQBY0x8nboK5QWiuDgI0o yn0wpphLjXUgOoqBigKiu+ihXgc8hItqYFlm2afVByWLEq10A+t16zXrCZDPcBqxIG5RQTYDGWx+ Y5wDPUiP16+CXGs+kw3Au8kY4i0FSUvc0/X5oC8zxuIP6mt1nTYB0BDiI/A29bbXd4N3tneBcRxk JWk3NoDeQz/kvQfJvya3iN8IETVfXnrSCqIXRg0MnwvJHROaRb4AM8FbLHE7JGVNahV3GuLrx+eI 6wBJzqT7yV+A63N3mPcxJBRM6pMSBAmuxKoJoyDuSmKPxHjwnjOaenaBrbU6y7z5/gL1YPTB6IPR aZXgFjla5GiRA5pNbDax2UTYPnb72O1j09rHxsbGxsbCiBEjRowYAQ23N9zecHta+5Efjfxo5Edp 7caGjw0fG562fb/y/cr3K/+Py/tc7HOxz0Xo3Llz586d4Xa129VuV0tb37t37969e8PkyZMnT56c tnzni50vdr6Arxp+1fCrhrBv3759+/ZB69atW7dunTaexo0bN27cGJZdW3Zt2bV/1ENqJWTVrVW3 Vt2CDgkdEjokQGJiYmJiYloloklYk7AmYWmVjNRx/hHvW66oHFE5onJAf7W/2l9Nq4ylrr+58ubK myt/X56pb6a+mfoGmu5uurvpbphfYn6J+SX+sV1q5eb37PW2+nlbuX9vv/8sraa2mtpq6u9XuiIi IiIiIiB0a+jW0K3Q92Lfi30vpm2X5UWWF1lewK1BtwbdGgT2KvYq9ipp8dKlc5fOXTqnxUEquq7r uv7Py/l7ek/VX+odm7p169atWzct3n489+O5H//mRP9n/TVVP3Pcc9xz3Gn9L1iwYMGCBf+8Pf7I XybtmbRn0h7YtWvXrl270tanJiwNnjV41uAZvDnw5sCbA+/Pzqmsqbmm5pqakCtXrly5ckG2bNmy Zcv2j+3+/wplGcpQJs1Pyywss7DMQmi0vdH2RtvT9Pu2vO1x9O/tlJoApm7XpUiXIl2KwPOMzzM+ z/iv94N39dP3Zdc/G4//rB/8u3nnxNlbxAj3nwjeqGi7ZQD4ZDA9Aa0g4zUnmX6AwplCt4Y8AkdG H0tsP0h4rPR71QC0VdYy0dOBx4lDojRwl9F7JTQFYsV3yS4w5viWj7sKvtvsHscr8Mmk1rEOAUrr 21y7wLbPr5drJHhGe0pZ3kB4w/DbygVwfZky11UFtNoBTUIOwpJKWx8NnQUJc8L73joD2nDbZz5P wQzV+3p/AU5qg5UAiK73qNjDcvDsyQv/50cgJjYlxFsRjNdKBfU0WFKs5y19wZXo6e1+BckTvMXd TUGUES4xHWRu47r5EgxFr6sXAbMJrc19IIsbX5iPgFiznvkpKIPFb0IB0ViOEavBzGs6zJzAcc7J 9mDeNK8bFUEMET0EoEaqKSICFIMatAT52shrVAfjnB7jOQn6G3ON2QxkNumVOYAhMjcrwVHXptmj wLrN0s4SDNbsFmkNAWtrS1FrLRAFzTeyHPChLMpCUPuoA9SWIB4p34nFoEQr5ZVRoPZQgpU9wM/4 8xuYA8yHpj/QhKz0AvOa3CGXAJvEdY4AsWIqVUFDc1nzgNZTK2ezg62+zeaTAo5vHZF+VcHhdvTx vwGOus6dfnXBNsZayLkT/Gv4HgkqBH5N/R8FNwFjgpHBeALmNe6wH/xWBEwNngVaW1tZ+36QxXjI ZvD66h30TGCcNQqabjAjzaqyCriCkm8ldQfvV57AFCvo7dw5kz8G1/aE32I7witHxJQXN+HxZ4+W 3LfDo2+f9X9yAcJbRi6MnQ7xXd1bvYUhbqX7LPEQPjCmT0pFiDyW0sIbAjEtkuL1UxAVHNfNfRBS TnpaGftBeYjFrP/+AnVitonZJmaD7zt83+H7DrD16danW5/Cwj4L+yzsA790+qXTL53S2k87MO3A tAMQ+jT0aehT2PVi14tdL2Dbs23Ptj2DsPFh48PGwzdtv2n7TVuYmHVi1olZ07ZfVGZRmUVlfn95 JWslayUrXFh4YeGFheCZ65nrmQtRUVFRUVFwdenVpVeXpm13qd+lfpf6QeXrla9Xvg5r7629t/Ye fFz649Ifl04bz/Jry68tvwY/nv/x/I/n/1gva1avWb1mddoJI/XAnZqo11hTY02NNTDz15m/zvz1 j/t733J9k++bfN/kS5tasG3btm3btsGnyz5d9ukymFFwRsEZ/4+3pdSqWatmrZqwtMLSCksrwKrV q1avWv3/8JPfsdfb6udt5f69/b4vUk/oe7Pvzb43O1iWWZZZlqUl8BG7I3ZH7Iai3Yp2K9oNyl0u d7ncZRgeMDxgeAAcmn5o+qHp0MPbw9vDC9lfZ3+d/TVMaDKhyYQm7y5f6gVOYGBgYGBg2gXY1tCt oVtDIaFDQoeEDmnt39Vfy4lyopyAJZeXXF5yGVZUWVFlRZW3t8fvtatfv379+vXhQO4DuQ/kTlt/ 5syZM2fOQKFOhToV6gQZPsrwUYaP3p+dUy+Q1tRYU2NNDRhWa1itYbV+v/3jzY83P94MSj+ln9IP GjVu1LhR47QLzcZhjcMah8G1AdcGXBvw9vK87XH07wmpF1IvpB7saban2Z5mUHtd7XW118H0o9OP Tj/6r/eDv+dt/fR98bbx+LZ+8O/mnRNn+yRvN+8+CF7sv96nKYQ4/PdZuoOS31xrVIC4VUaS4who Tcz7sh4EjtL2Z8gKtsW2VcZFcF1QskdsB08p747YOPAkJGX3ywA5L/r3y5IA9orygd4QLL8lLlCj wHHByGMrDZYpjo3yCWR4lWWStQSEhGQopw+DMHfwXJ/CkHw2yqJYIbyVa1rKaVhzd0PbL/sCsUky tgaIBZahzuag7ZJVaA4R5581ulcI3hSMaZ7ogtjX+k7zFKgZLULrB2KCKK/MhqS8KS8TOoJ7hZ7g mQ5iuNHU/BnQqSVWAT+bg0V5UIfwufIRyKtM1y+Ckc38Ro8Eo53hNTYDixhFOTAbm53kWlBsSoIS DMqX4kNWgaW39qmoBvJ7DislQc2jnbf0BXFTGaFmAOO+mYNpQCZi5WEQbUR9pSowRExSJ4FRWy6g O8iZ5lTsYGzRx3g3gfJabBc7Qe2vjlHLAJ1owD0Q3UVb0QXUlapbvQF0Ff7sBeVHtZLaF3isxAoL iLniLk1B2cA5FoOqq3M4Ddp6Za9yA8QdWUYMBq2l9QftCmSalrV+ruGQ5VaW5vmd4Dcx4GlILghc F5KYsS6EujP/mrMqhGYLK5rDHwKvZiyZKTdkapIlNPcosF9zTghKgkw/ZJmdtx0oyzSHOgaMA/oc 9yTQR3gjdBPMr4xT+jdgfm3s9h4CucY4Yl4BcwPTlFIg8hBnDgE9yfDXG4CzpP+9wMNgHWUb4GgB RgNZyagBSQ8S9sddBc9nrlXJZcCcbn5nrAHLPssB2wRwNHfWDJoP9mW2ogFZwPxItHY8gaSR+i+2 TZC43pOZ6SADlM/UQe8vUFMPkGN3jt05dicsX758+fLlaQeYGd/N+G7Gd2ntT3U/1f1Ud+h1pteZ XmdA+UT5RPkExGKxWCyG7nO7z+0+F052O9nt5J+4hZeaAF9cdHHRxUVplb5ySjmlnALaVe2qdhWi p0VPi54Gl5XLymUFKlasWLFiRVhacWnFpRUheGPwxuCNsH74+uHrh8P88/PPzz8P5o/mj+aPv7// Nq3btG7TOm1cqVNMmu1utrvZ7rR2LSNbRraMhLPzz84/O/+Px/W+5UpNNP5erirLqyyvshzm95jf Y36P3+8v9YQaEhISEhKSdmv6bXlb/byr3H/E31eonmx5suXJln8c9z9UsEpTmtKwo9GORjsaQd9F fRf1XQR5DuY5mOcgTG0xtcXUFv+4v5xTck7JOQWqOas5qznhWcZnGZ9lhMWXF19efPnPjyOV1Fvh qRV6TdM0TUvzg9QLsT9rj7+nbN+yfcv2TavA/1m/+D1SK7YPv3z45cMvIf7b+G/jv4XdE3ZP2D0B mr5s+rLpy/dv5xkdZ3Sc0RF6dO/RvUd3yPhVxq8yfvX7/QdvCt4UvCmtkrt50+ZNmzfByiorq6ys Am/2v9n/Zj9M2jtp76S9f8Ku73gcbZKlSZYmWf7GvlEto1pGwaW+l/pe6vvv94O39dP3Zde/54/i 8W394N/NO89xto3XrihlIPEXt7+lJZgBmr/VDa5Z+ksjCTS7bXfSWJB79dNyFoiy5l3XPHDmxsI4 iBhg/Gb/GGyDtMMpi8E2QfnBuggStsQNxx/MM+7mSbvBmKK0dmYBvxFh5WwxkHA7sYxPJXh11PUy qR8EPLGvUTdCQH3O+hwH+/WwoXGR4God390vEi50Dp/wYgUU7Xig9dLyUK1QvUZ9toH4TPWK4RCe 497UJ5kgxpWS7KoG7hv6Vj0POEr6fukoCuYlOVAOA9dQV4zrAfCEbeI0GOXkFGMq0FuOV56BuUNe kgtBDGcjK4FD2OUWkLvMlbIN8Fo0lOtAHFA8YjlofbUG2udgzjdnyyBQpdZC+wTMMWaSuQ9Ef+EU xUBdrW5QWoJ5xjwjjwNj5QEKgDKCA+o3oGQTiuIF7ZL2RtQB/Y0+Sn8GopCaX00AJVmUFTNBmaYc FK+Bl8Kp3gA+F/15BarQymg5QHloCOM8sFm+JATkYSWrfAKiguyn9gdRRASIU6D8QllygZxPqGgK 4rHwWlzg+1PA/YDLYD/nI/13gp5NP2vcg7hP4za8ugKsN6KSKoD7h6RyUVNBWNSs9hcgT5rX9Y6g f68X9EwBdYAaFjsB/Kb47rMPAHerlP4pdkioEP95TD8wL3pKemeBUUwPdQ8D+SEVzPYgJ4ipykrg ihil3AZxlFeyPOgBxiciCGybnDEBJtgWOL/zHwnJ7ZOJtIB+xQjw1oCgJ/6ujNEQ+HVQjywhIL5S c/MxiKIa9lugVbKUdZQCmSyLUQ+0JK24dhO0fOaslI9Av+vpmXwF9HaGwhBgy9tG1H/N9wW/L/h9 Qbj74O6Duw/g2pBrQ64NgaUnlp5YegIYzGAGwxzmMAeQpWVpWRq0fdo+bd8/9icuioviIpjPzGfm M6ATnej0z8tT/HTx08VPw73d93bf2w0Xil0odqEYlNpZamepnWA9bz1vPQ/7W+1vtb8V+K3yW+W3 CoJuBd0KugWfVf6s8meVIXRf6L7QfWmV1apVq1atWhV2sIMd/4/922/Zb9lvpf2OzBmZMzIn1NpT a0+tPUBZylIWsGLFCmKamCam/fG4Um+Zvi+5jB+NH40fwWxltjL/i29Ipl745CIXuf6L/lIrq+/K 2+rnXeX+I+YUm1NsTjHwdvR29HaEz2yf2T6zwcsmL5u8bAKbNm3atGlTWnv3Kfcp9ykYEzgmcEwg HH119NXRV2m3fgfdHHRz0E2wDbcNtw2Hc73O9TrXK60i3aN4j+I9isPnPp/7fO4DB7ce3HpwK+yK 3RW7KxZGM5rR76BfcUlcEpeARjSi0X+x/j/jjWCCCX53f31ffvF7pCZStWfVnlV7Fuxov6P9jvZw ZemVpVeWwsSvJn418Z9IZN7WzqlTgY72ONrjaA+YUXZG2Rn/ReKV2m7GkxlPZjyBxnMbz208F0Kj Q6NDoyGUUEKB4GfBz4KfwfNPnn/y/JO318P7Po4qi5XFyuK0fv/dfvC2fvq+7Pq28ZjKP+sHa/3W +q31e3v7/lneueIc40z40OgK5jg1g6c7eD/ROxIPL7dHDkv5FvTvk4SaHYIqq6dCfoNMGQJ+S3SC Gm6cE0sg4yHfhgFTIGOjDJ+L2WCpbakd1R9CQ4MPWYqAs5tfRltf8B1ta8B2iJqfdCrmDOgZ/T1x yyB0cLZpKRIyfBCwxFkYlO32kcyAxHxxXZgMrlduf++n4DnmuJvSGtYFnOu6vjvsK7YzaMlScFd7 ueaRH7xo8sTxPAziOnoCvPkhebfxtTke1CaWLpYfwNtDz+M9AK6RnhTPMJBFGKLOAdbQWakApk3O MYeD7EOs7AfSV56XD8CobUbKDcBE5bnSCsRRdYfyOchFFOMLUFqxQNQC8aN8zUPQ8+vn9HNgDpF+ 8hHIK/JXeRyMNcZ0cxHgJBkJ5gXzmLkPZG/Z2+wJ6iR1rjIUlFZKO1EP1FHqBGUeKD+LRaIbqK/U cHUHKPuUfco0UL4Xk0V+sJS2DLR8A1pLZbuaD7Si6nQtCjSnVl2rDVqSFmMpCdbK1pu2/WDZouWz +oOcJiJEGFiz2fysGvjU9X/qdxWsA+377DlBNjSnmTMgMe+bpREXgV7e2UnlQLkrsmn5gMnypvIM 1Ouc9/QHpaJcYIwHyz2lt1IIrN0tb1QVfGb524MuQHDtkCsZV0DOTLmHFHwNmVpk35QPyF4s770P AiHHpXzzS1eEsGm5Py3xJWS9nWdOiTmQ5Ycc8wofhexl88aXKgO5tfwLS68BtY41d2BF8L0dPDij G/JX+GBwtZMQlDnMv/A9cCwOfhOSBD5B/n2CCoP4UGtpKQzGU9byBajLtZXqbpABSa0jD0Firujv nn8HKZ2TBqfsAaOSsUj6vL9Abftt22/bfptWCW0T0yamTQx8+eDLB18+gKs/Xf3p6k9p7VPntK0Y uGLgioFpTzWn/l22fNnyZcvTEsJ/ltTtUysVhZMKJxVOgs31NtfbXA9KmaXMUmZaxWpl1ZVVV1aF StcrXa90Pa2fK1euXLlyBQZcHXB1wNW0KQGplYf/n/+sMP4RWSdknZB1Qlql6cKFCxcuXEirTI4c MXLEyBF/3M/7liu14vL3c9DPy/PyvISvMn+V+avM789Pfs9eb6ufd5U7db+/a6+mWZtmbZo2d9G6 zLrM+jcJQOry1L+pt7RTK3SpF26p/ncg14FcB3Kl3epOnTI0r8S8EvNKwA89f+j5Q8+08Ue2iGwR 2QLyx+ePzx//7npOfbtH6pSS1LmaqXcoFolFYpH4m/G/J399Wz9423apUzbmG/ON+QbUvl/7fu37 oF3TrmnX/ri/t7Xzuvvr7q+7n5Z4pf7NsjPLziw707ZLvcOW+lBj+wLtC7QvABsfbny48WGavKl2 rlSxUsVKFd9eb+96HN35cufLnX9Tmd8SuiV0SyiUvlD6QukL/34/eFs/fV92fdt4fFs/+HfzzhVn ++1M4THlQKz01vFkAu81r27vDYm73cPiLBD0iXwcuggKtM68IMswCL3p2yLjt3A7wtLjRRC8ir/f 0cwI9rNKqYCOICaK5OQ68Gp50gtjGGhnY8tbt0Bw5+Bh2lnwlAte82YkhEc+dqScgAwtHHX9p0NS Rf8qXgVISOjt+wP4DfD3yNlg6xQi7BPB44z47vVwiD3jrfxqFpyocO+jIwXB2J4UZZkC4eviK7tW QtJLt8N7AUyLyGmuA62G9qE2Blw/6Xk8TcBbwqjt/Rr0mZQV80AMMxaZvUE2EJvYCnKVnEQ8mPPN kUYoKCuVnGIXmC3M3sYe0EfqX+lzQRugLbSMBjFMXBFVwdhgLNBnAvkUUxwBI59nn3kBuIakLih9 xBTRBkQBESMaARWYxGAwfpFNjQxg3pFr5SaQjyklfgRznfyQWFDXis/lbWA1kxgJAnFJvAZZT9bn DRjH9Xn6KlC+0MZrp0G5oRwVbmAS2cRJkB/Jp3INiMlCUQsDD7VQZSVowlLEmgSWebbnjtYg74kF 1m9AuSvGaRXANTEpR2JrMD9gs2c7yNJqWWsSiCjFbV0A2ibx2DMZNKtqVcNBbW075FwGIoflsVWC z9c+uwP7glpf22mrDbqUQ8wEMHvQR3wJ1tc+C/0HgriMv9IQ1L5aa6sVaEdOtoP8lWC5HpQwspo2 0BTLXetQcA1LSUq4DNYCql3vBwFd/X/N9hOYE5hqFADlqbpcLQ5ypCzHETA+NYWsDqK92CB7gL/0 nWW9CvpF10D9HLiea2HWs+B4ErI4rAdYwhxzfKuBGC+GKFOAYe8nULud7Hay20noXap3qd6lQIlU IpVIUFeqK9WVMGbRmEVjFqW1H5VhVIZRGWDq6Kmjp46GZnea3Wl2J219kR1FdhTZkfZwyx9R+Hjh 44WPQ6dznc51Ogc/8zM/A5VvVL5R+Qbc9rntc9sHsoRnCc8SDo5YR6wjFiJzROaIzJE2tYOSlKRk 2sMvqQ8Tpj4FX9osbZY20/Y3a+GshbMW/v8F9d9l/Pjx48ePh0lfT/p60tfg2ura6toKjlWOVY5V 8EXWL7J+kfWPx/m+5Rr14agPR32YlmiuC1sXti4MnIOdg52DYWzmsZnH/gsS57+31/hK4yuNr/TP 6+fPyv17fvJHbB61edTmUcAoRjHqH9efmXdm3pl5QC1qUQuuV7pe6XoluM51rv8X/aVWuO7MujPr zqy0E6+nj6ePpw9UMCoYFQwYmXNkzpE5313fqQ+PTdYn65N1aJCxQcYGGdP01Xpn652tdwJd6UrX 9+evb+sHv2eP32tX5HiR40WOg72yvbK98j8/RePP2jlny5wtc7b8x+XWqdap1qlpv8MmhE0ImwC9 C/Qu0LsAvHj14tWLVzDz+MzjM4+D5QfLD5Yf0uwwdPrQ6UOnv72873ocffjhww8ffpj2MGVwruBc wbng6/tf3//6PkT3ju4d3ftf7wepvK2fvi+7pl6A/bPxmK1KtirZ/ou52r/nB/9uxH/MZZOyQoUK FSpUePsOenww9n7xvVA6MN+u8vXAFaVf8PwK587ceX7qCgSsdw70GQ2Zy/hXyPYSzFfKXks3ePP8 1UcRF+DOwkcl4hpA6MzMJy23oMSNTO1znoMnzd70dnvBvwU1zP4Q2VKbGD8UfGzBQ/SWoNwwKsiF 8GJVXGl3LQjqLQ5lWwDm08Txyb9ApmlZRmeIBf+b1l0pdyC2ZJLD5QbvVu1A7HTIfS24ZMU+UOBx sKuuA7ZfXtJnyTK4UvppicfXIOVT2dG6BMLOZBufOwYSo5M2xm2GZ9Ne1H+yF4z8Ip/2EMzjhk12 BRTyyOsg2nGTZWCGStMsDHKfPCu7g8glmot2YJ40D5g7QcmpDlYqgbJWXFEXgrxjfCFfAg7RV74A 8xO+FpPB/MW8aZwF5VtcNAbKyXWiOYjKygUxAoRbuYsOloIa9oYgHoml9AFljBIhb4DSRzmgbgEl XN1qmwTaCe2B2h+0EO2OrTPIKeQ2N4C8IVOkC+zH7Vecj8Gq2TI624D6XCmqlgIlozrYehYsidbP bVlAidFeqF3A2C+6sR2UsuKR5Qhw2ww174I7wlU9aTawi4nGJ+DoY+9qfwXmKuOspyXoY1wjUr4D raK2wzoYRDnLTusYEN+rq6xzQS5gldoNTMMMM1eDPCVCNAXEM2W5shfM3eZhfQG4lqU8TegAii97 ZDzI2vgrncEbYTZWS0LKhIScMRfB3d+bkvIpBPcOrhTyGfh+75sY8hW457p9UoqCftZ8mTwBLMuU 7eo+sOR1DA+uA+5od1vPagj8woG2EJQD/OAdC7E1EzyJ34K6wfrU7ymo+ZRGRINykKt6XshRNmOc zReW2JdeXvzLvz+w00knnXT+LKkVyMvqZfWyCt91+K7Ddx3+/bfE/6eSescmtYKczv8Ozp49e/bs 2fdQcX41MzaP6oUzPzwIu30G5G7Pk4RREDLA51unHyi63wnlLES9tt6L3AoXE85GvrkIvhUcp8RJ sLWSFdQ2kGEuQRkmgJrfN6c5AfJccaqWy/D87NMn0XGgb7NOScoGcf2T53lrgJbHPO4TCs4hqrTM A08+d4JcBc5tgYPFEUjMK5a/bAGv/GJv6YXBtsvW17cY+A03c/hOhXIjCuyp/hwMJbalbQrEZI// JWEcuL4wyhp1QNmsVRIfgtilnpWnwW1xf+RtAkYlfZm0gIzUipkC5HJzgtkUZIjMJq+CrMBgmRnM s/KYjAb1ppinWoBsHKY5yHzyEVFAT7OXOAjGWLnZEEBNXBLgjmwgZoI8L4KxgTJQOUZrUELFZ+px 4Im8LWJA+slT5jKgpSgtKoDxgcxhZgNHb9slZzCoU7WeqgrWcfZPfX4D/x8DXob8BuKg+Ey6QBku +lkUMK1GV88qME3jinkCbL/ZrfaFoOW3DbUvA/lEdLA0AzVZHaEKsJxRt2ofgR5nFvFUBuE26no+ AllZGkZ1UKppvqoHfM74jfZJBHOgd50xCog2O3m6ghA8YyjYbvu2CvSClllrpoWA2kv72f4EzBPG T3IYiDOiibwNZkuOyUmgN9DbG9XBvKGfTykM5mp3keQjYK0nfYyb4HloBBEL7q+8C/WcEKtE/xRT GJJmJh+NyQLaAJrIMaArrh5Jv4JZJct9sxPYSzgK2r2gH/IYciuIsso2OR+8m5KyxI0FOU32VIfC m73uqkkuMJebBfUWIHpaL1j3gjWLMdm1GYyx+m/yFQTm8J3hWxq0fjjV28DyvzrU00knnXTejt0T d0/cPTHt/bpT506dO3Uuv1/iTyed/0O8c+Kc41Wm5cqnENfddSqiNwQcUFc560CGjpqPYyXEWJKz JTYA9yjtF/1zKGYWCPI1ILmcsUT2By1e3WyfArbXCTcto8Esn+Ly1oVAM/Cq79dgT3G1NiaDj5+Y kXUUuNfbP3v9EtxXjdkpJ4H93gaOliAWMigmAlzl9a7addC2KsU1BYKGhLQNPgGu285rrsFgjokZ 5LgCIV8FWHOFwK+3TnU5dhg8p5jPXtA76N+Z48Gy2VpMtAUWijYEgneqMVAPBmugw/SZBZYbziC/ WNAjvEPlHeAyDhEA9okOu/MC2IbZrtuLg1nA+E3vA94juvSGgXJXnaD2BSHprfwMxjyjg/4JKFeV D2UyWO5YI/2qgmkVD82ywBoZITaC9qOlrm0V8Ebm5QgYwd4w9y+gDhZljBKgLbN4rQVAi9QqWvOA +qVmtWjAUkUoX4Iln2WcswmYvyKN/aANUnZrn4DoTC/ZEdTy6nw1CIxPzAt6DuArHil9QIwXG7gC bJM15HOQzWQfvRpobbkmD4DqsPZ0lAEjVrZRnoKYozZVz4H+ibeGtwfIH4ihElg/swy1FQPHYXt7 60Vw39F/lA3AXGYm6BaQg8xvjVBQfhOtcIOI5r7hD8YHJCk9wHhg9DI7AGdlNZkbfE/5BDtfgPxR 32F+CxHnI+2RIyHa8Wbgqy7gaeWulvgQzBPGQbMppFz0ZjOfg7mUw4ofRF2IbBUxAnzmOgcG5ARb B0cG398g7kzC19G5wP6h02stBeKZOtG+AbwJ7mPuWmAbq/pZOoHlqP6rchaSY7xZk+aDM49vkYAV EDc3oUuiD/heUgMtU986nNJJJ510/nKavGzysslLaEIT3sPb+v7Pse3ptqfbnv7VUqTzr+Ld3+N8 ICGDKyvk7BK8LjPgW8BW2PkEEkup8XowqAv139QoyBCu5fGpCcE5c14xPgN7BXtmpT6ENMkaFnYc olRLeGxheJX3VSHrL5D3vn/xEiGQUc1UIHAZZHD53XWbkKGDLSlTL1C+4mNrA+ABa+VO8L5JaSNP gG2s5UetDzhz2xqqM8G921719UKIbhZ559EB+KBw7geltoIYq/jRAJ4Vibj4oD94vzSvGw4wb5nV +QnEF0oDJQ7MPGZu0QuUKK2z+hICy4ecDN0JobkzL8/tC1m75L5fwB/CDucsk0+HoE4Zn2WrDz6u IL9My8F3XobPsjwAfzX0XvYmEPhLprK5HOCvh1bP8SkENM/wQ9gK8A0MrBfqBL/OQfszbwG/kMA2 mX4B/8tBN0LLgqOi382g5+D43K9D8Bnwyx80LONhcI4K+D5TfrAu8rkVtAXUMEdz/9ogSlo7+uQE 6wF7Sd8DoB61xjvmgrW27a7PKlDHWV0OP6Ch7Ufnr2CuV2qqc0CpoB6x9galpfrcYgHbp5antjVg f26PdBwAo7V5xgwDMUmroP0Aoop6UNkLWoQlTN0BIlJEKEFgn26/7BwPPi18MvsmgN3pYwn4GGRP kdWyC5SBRi/zOWhPRCTRwG7zA5cKnnB3gbhG4Mqc0idxHiRVj1sUOwhcHVPaJfmC8kxZrswBZaW2 xzoKjAXmVE8VCO0QeMWxDDLnDykQVBOUT5XlNg3sT+ydHR0h8/2cvjmtkPFK9nPZR0Ngo8AKgbvA 38e/iG9FsDy3PdIyQGD9wNLBLyCkVGCPTLXBaijXzaOg5dcuKCXBvKJ4RCwYs8QAfRjY+lrraCuA CYymCehjRG82gncIO/k//InXdNJJJ53/q2R7ne11ttd/tRTp/Kt454qz5TP928CxYLaOPmppCq/b uZelrAMtJMiVUhIS8nDA2APGkYjv3IchqJxzoRYLtm3qz4ovxI6VJx8lgiNDQG/nIUg67poavxbO Lblx/gKgfWGdqPYBxwH/2nwMrvEJcXoT0MtQiZ/AJ8r3pVITLHVdp5wh4O2Q/MSTDO7MQW21hmCZ lOzv+yGEWLR5sgMULJgta8VGIAelDFdSQNtrHhVVwd1I72PkBG8R+Vx+Co5m6ihegCzAalkayMNZ bRxo56zL/T8Bo4q5wfsavIuTBydfA9lGNpbXQflBG2TtC+pZ6wPfrKAuVYs7loIyQG3p1kEO1K8b jUGUpZHRGkRTNReVwZKorvBxglwrf/aWBLOCWdMsBkp9YdEWg5lCMaMeMEnUUY6BPcn+sZ8FhE2u N8+AIfkCH+BbUdQcC9oH//HWDXWqmCQ7Aq9wug0QrVmlrgJxiyjZArQWZnP9ZzB1T3ziLKCJ8oX1 ESj51FjtUzAm62F4wWxDI3oDk2R/2RioK/eLDGBcNRoaGcGoqD9IGQRGA30Hw8Bz2/vSNQWSZ8fF RGcE2037TFsnsHe393ccAx8tYFtILxD+Yro2BZQ+Zkf3SDCHyV0iD5iX5AA+BtskNaNyDJIruKt6 +0KMNW5LQhLg8mvumAqWW+rP6gLwPe/3S+B1CNgf8n3my6A6nK8yDQLliZaJRqB+YBtiKQ/qXGOk BGQdUVpOAWWO5muJAgy1v2MoeINSliRtBdfZ5GYJNgia7NfMbxuo+dWi1u6QPNb9XfI6MNoRoe4D vaBu8DWoedXKdgHqMussCgNFtB1aPwA6/9VBnk466aSTTjrpvB/eOXF+eSn6p4T58Giseji6Laib /YryGdi7Jtfz7QSm09VNHoXErR5LShyYLtdre0fINMHxOKcTor5JjLlzDfJWtXWz54XkDFo1LRvE jnPnMzqDkZjQPfkI+BXL3sszERyN7T+7b0HSL1cnunaCt4q1qKZDpjV+b4L6g7MF9e3rIUMHdZ3z F0h85ukX0RxqbCvtrncPcu/OMKTgRnhsv/38TmZwfyqvmAoYmcQIozAYK1ml3wZZ2xyqHQCZVw4V 9QCX8FfzgvKhZYmjCsieSk7tJthKOub43QPvOm8ezzTQ6lszadVAqSSeag3ALK5XTqkLBBJhNAK+ MhPFaFBuq61FOyBczNZ6gXbC2sDRF4wNMoZdYM1rnWxRQN7R4427IH8y2vAENI+2SqwEz0/6+eQI MOfIZ7YhoE1nqPwJZBtjcEpl8JY3r3n7gGe8PsGVHUR95bicB/ZBtq2+fcA1wx2WPBLorOSmHmjf 0N4WDeTVsnjzgPAxutEdVF3Nog0DY7Dh9rYH82P9A+99UEswy7wNrh7JxRKbQNy6uKpvDoO7p3u6 qxAYy/XqrtxgzWrpoA0H93T3DVEKkkLihisjwH3bPS6lB5gexbBNARqb/b29IKVBYnziavB74X/C bwnYnvgRfAhsK2x3baXBEmzJbTFBPyIrGmXAkd/R3/4laPUd3Xwfgf69PEYOCLmfpbZ1JriXJO/x fgbeGt5I1yYQ4cLtLQXudim1EquCOYET4hQom5RfEtqAu1pKnYSa4Fc2aHiABZwDfKf6noGk/PFN Em+DOGYk6OtAWyOsBIL7Y7eNeuD5OOVc3H0wPWpGUsBvoFrIJ8ufDKp00kknnXTSSee/Je/+Orqu zuaJDcGWYi/k+BxSYvU+5n4IqG+r51MC8u7PVd9ZGO5leXYz+g24TiX/oD6CxJaukIh7YN1h36iE QezhxGBtM+iNU+YYtyHpgVIsJRs48qtF/U6AuPVsS7Id4jumvPJq4L2t7/M9Dm67UdKVEXIkBe70 PISs3cpXDNoEyiVH05gPoWgfvUm5J1C2YcFR7RqAs7RvsdBIsJ+U+r1wUFtf7iGegr5SHyxeg7rf zCFugNFOjPJMAzObLG72A9rKNUYOkCvM7eY9sHxjKaA1Ac+nZl+jOKj17RPsMaBs0+pbPgIx35wv d4HopGfxxoJ+wuhiXgdTkZP1i6DekBkt/cFywvqztQB4N3r7GxOBDWK/0h/0456W+iJQ2pJZWQPG x94XcUvAUyylgKcTqJ3UN85JIMpZ8yuHwCznjXR/CXK8kcdbE4w7XDeXg5JDpph+YL1lWW8dDy5L il+SH+hhepXkQ6D11NZbQsGzzrgivwXPDvdub16wLtQU2zhQLikl1DNgLNavuA+BvZDlmroPXDGJ A+KnQ2KnhKbR48FcoC8xHoLe09Mn+TdQ3UqM9huYhckjLoHeUz9k2EE0lUO82SB5xusGLzWwZXKu 9XkCyn4GCy8Y4d4UbxxENX7zJmUXONt6RxlBoM22VLMHgjJS2aktB1sn2wSrHYz+Yqk2DOLLuycZ I8AMkr/hAe9cfYI3M2izrNu1ZyD2GV8pFcHzlfdX/R54BniGesaBu35KuYTDoGbW9tiGgOpVMsrG oH/ukZ7B8HLNq7uvAyEpKF6JbQHWAmp5mRds6+z3fXuApZ422scJ7gopd1K+Ae2p2sUGKLvMc+7y QFPgPbwnNp100kknnXTS+et558TZOKuvtJSA0BuOYnYTXsQmtPZuAU2RdkcLSGnt7WMegpSvY360 CPC/7J/HPwke9gnP+OwpeFulJKpdwc/Hb57eEaRqPlZHgHhodIydC+YOdZx6EKK/eTFFqQSZPgv6 yb4MfGtmX2mWB+VBwgBnL/Braw1P1MCb50kJcyJ0qNe40uSPId9POSvXnA6eAD0fX4OaW+lvZABx PHqS33Ng95tfvHnB2t9SzvoQjJXqI/kSlOtGV60LiP0MFifBfGCO8h6ClMMJ56OqgB7kqeIIBKWP EqVGgblZe25vCOYTbbztR5ATjWqyINgW2+vYS4E1SJ1m/RpS8rlax58C2YSh+IH3urHX+AVUYemt 5QAxw5zg6Q1mbU8793XAobZTR4IrOfFcwm0wGxv39UdgjbQXkbHg8SY+fF0ZbPPt1e0vwHeqf9eg 3qAeUUpYVoM+ynhg2MBT17POVQjUp5ZYZSaIMlw1DoEyX1tquwfe5tKRcg20ujRXOkBs4+j9Eclg qavGK+fAzGze069ByiJWSQuY1c1pRl5Qv1YTVD+gC2eULiC6ih/RQS9ijjROgeqvnxdfgLeuvsDI B2Yzc6d3GpiR5mMxBMxwVomRQEkaiNVgvW7ZY/0MjIcclxHgHSKvIEEdJBoq00EmS2QlkOFyt5wL nqbuGO9cMNsoEYYHrKOtZ22PQA/01DTjwb1ULxs7A0SEvsVbAZSyag/xGLQZwq1lAW16QLPgCeAM DHRnOgI8ND+Xq0CO0KfrVcEs5PnJmAyOOc4NmCA8VPSOBjoov1qTgCZihdgKfrn9HgZ/B95D7ntG KYjv+sb+ahgQ+1eHeDrppJNOOumk875454cDtQb2G/IoxNc3xkf2AX2155T7PMRUis6c0h2ue+4O S8wNSQ1tO2gAbx556r+YCmFZgrbIMMhcJMMdZSkkvXZOTb4L7GOl7AxKdzXA8hiCu1oOe6eArbla wBwHj6slBsbegISxScG6A9ydmOkuBcWfZhpW+xkMKN565rqbkHtijry1V0DyI9dDry94snk/jPsJ nj98Xv3qMohqfitr+FDImGz71lkObJo6U7WBMlg5yUOQD0Rr4xyItcouZQ5IzYzgCcjdRgt9LmjD 1bXWp+Dc7XcxUzj4fhX4VWgZcKg+yT71wHrB6bGMBts92wdqSRBIZ+JtcPwccCSwNPje868a3BKc lx3VbbnAFqTN18uCOgQhf4X4EXEfvTkOiWXjd0ZXA+Un9YUWD3pDfY7XASnl4iu8coC5R2/gfQhy gghX/cFoLQPMVaCP1Hu6LoA5nfXyPtjL2S84qoCWw1LHuh+0XywHHadA3lB+trwB+aWItUjw9HJV 84wDva53oKcsJGZNeBh1EVwvUzLEZ4LkBq5piTVAPhW6uRrMtfKe3ACiidgifYDjtBB7wPQ1Whpr wZxsBHt1YLze1TMMjAHeEboNzJfmCm8L8B7yznR3BhlkthV3wF3GO8VTD6xD7Jd9+4O2XfnSuhF4 Ib1kB3WHVk/rCt5zei/9e/CEe9aljAZzgBGj3wWzPN9SCSy/2kY6IkA9af3arxSw337e8hTsZZwF fGuDc1HgswzPwKe6f/7QrGDrZYm3FQTLBMsrWy9w+3ryG7+C9qnSVG0Hzk3OR/ZW4JPXr2VQFATU CLaGdAWfqIBq/vFgaWtvajsO2kHZwlsY1NW2ypb39PGT/85Mzzs97/S8/7g89T2m/y5Sv+Q1a9as WbNmQS3/Wv61/NO+/JX6YZPnz58/f/78r9ba/xxWr169evXqtA8YpH4BcuDNgTcH3oSoHFE5onL8 ++T5V/vV7/nz/3b+3fH672Lr061Ptz6FqW+mvpn65h/X/3fz73T+Z/DOibPLZhsVvxccfoHnfJ6C 5bFPKdkaEiON8jEmRH0W/f2b9ZBtkSUx4BzEVowvpKwH35y2/Vlygk8O+7fKBSiQM+SJbzQExPqk KIsgVx+/fpmmg5agFVa/AstlucK6GLRJXndAIYg69+puYmP4YEaIteAX0PZOj7tTz4BzRoiWNR+4 f3DFJM4BkVNG6qUh7trL4Fe9Qe3ivRdwFZQ1CWHGAsgcm0X33wRKE3HfrAzqE/WR7SXIIUYbb0sQ YbK6/hHYB9meWGeDz8ygWaFdwL9Rpu5ZfwDbPP9FfhlBTbA9sZ0GS1eHy7ke/M4H2UOXg6eHPj/p JSQ6486/2gbqee/8xC7gCUiuF7cA3IOTc8dVh+SSiV/FHwIscqN5Dnx1v2pBI0G9qc5jAyi3rcvV hmDd4XQ7/MH+pWOvf33wXRkUkzEMfPL6+PqeANlLdxubQBYQ/dXuoG3TktT9YNY2e3rrQNLQpBHx X0LKIrdMLgXR818NeF4OXpx9XvDec0iZ6noSfQDcH7jKpSwEfbd3n1ETzE3GMbMYsEYuZTN4Snpi PVPAW8areC6DYTVK6nlA6a+EKo1BVBEW0RvMdpQXvwItlFhlFhAotog1oE1VB1g3gnpEjBJO8Jb3 Vk7+AJTDajbVCra9ttw+10BDrazVBFFMKCIZlPlaY+0IqCn2VfbSYH1k7W4PBbWn2lIZDbKefkBv BOKUjPPeAct4W7JqguOAs0TGQWA2VWar7UBpb51vDwdrRkuQfSoYmzwXPQ/A9VXi1riLQA051/sC qMAoV1dwW1yN45dA8t7ku/GtwH3cdSGhFrgvJk1OeglmP+/OlFiw9XB+ZfkAQsaFvMr07V8d3v96 Uj95+1dzYvaJ2Sdmp50Ie57peabnGfh06adLP10KZ+efnX92PnzT9pu237T9q6X978+xY8eOHTuW diFS4/Man9f4HIauHbp26Fo41e1Ut1PdYEahGYVmFPqrpX1//Hfx53T+HEfaHWl3pF3aBdC0g9MO TjsIFxdeXHhxYVq7/6v+nc774Z0TZx/T3S/jZAg0fa05b0NYOf+TYY2g9t2ca8oWgvrbazwqfwaC hwU9FClQ5ut8h7J1Ablfq2t4wPehz9fB9+FpvsRZSc0hLneKj6U5GGXF8JTcoGwW6+zJkHF5YMHM dSHbTdUvpho0vFxoR8nB0NOv79U59cEVJDuaVcG46nmYMgC0OVqM/TikTEgqHh8Ajl72JcpZiIl+ lv9FcbD9aLVbo6DwoNKRZQTYemo/iA9AKya2WaqCbG5G0BGMSNFI/Q4UU/vVvhKUbcpDcQfkCyO7 5zcwfDz25K5g/Oqql/Aa9GOu1om1wJM1uXliI5CGkdmyHJzzfczgleDOktwv6S6kZEx+E2eA8a3+ gTwDSkulvrUMuG8YY1LGgPbQtkp7Bs68gZaQBLCd93nqNxn87gfHZXoAjqSgnzMtBssO2xuHDnqS rugfgznUuGAsAWGaD82vgYlGSaMSeDyu9a4RYO1vq2mpBdplbYclHvzGBW8P6QdhtbI5Co8GvyE+ v2X6Aswf9JEpDcD4wNjsXQDugZ4g93XwqJ4z7uZgbNMX68fB9EqplwHvcL2rdxLovuYhAzC6U0s+ AyNFX+KZDeYL46JnDahJyh4xE5Sr6h5LK9ByW2N9V4NfcIbKGV9BkBnySbaMYG1mn+1XEMQi+0zn 56BmsYbZ4oALxrfiU7B25gPrCJDZRZS6CeQknGp+UB9pv1h+AVlKHhF3QTlp5NNfgyzuHeLVgEpG PeNXULcoJZUMQJz6mT0PqFOtN2wq2Nc7j/uMg9CPM87JXBns/R1fB4SBb++Ag5kqQcCagMuZQkGJ 0ho774C4qua2zAPrVdtpnzZgrtVGOvKApYh9o7P6+wvU2NjY2NjYtE+mNtzecHvD7dBsYrOJzSam ffI1td2+ffv27dsHrVu3bt26NbTI0SJHixzQuHHjxo0bw7Jry64tu/aP+/m9ytPfLx8bPjZ8bHja 7z4X+1zsc/Eft0ut9DTd3XR3090wv8T8EvNLvP34W01tNbXV1N+Xz17FXsVeBdoebnu47WHo0rlL 5y6d0/SUiq7ruq7/eTv8s/r5++UzOs7oOKMjNAlrEtYkDL498u2Rb4+k2S31vblzis4pOqdo2vZ/ 1o7vqs89zfY029Ms7fcn5T8p/0l5qNC/Qv8K/WH/1P1T909N+yTxu+pz7qm5p+aeSrNXlyJdinQp As8zPs/4POM/bvdHfvW28fJ7/vy2/UREREREREAPbw9vDy80b968efPmaXb9Iz9ZdWvVrVW3oENC h4QOCe8ex+9br4mJiYmJiTB48ODBgwen+XPqHZ1UPfyz43tf/prKae9p72kvvJr0atKrSWlfQPyr /Dud/528c+IckCvgoDMXJEYmnohYBZ7LSXei2oJ+Abw/wNhB3ZLWlYeP2zTePWA9hGb0809Jhnx9 stbLMgyyLNA+9TsNmRs5W1pXQIYcGTsbJ+Gl4Qmy3oKnHybejZoMSj53mXv9oIFaztK+JnTp2FeZ WxSUFgEl/QWIkt6v1WIg2qlB6g3Qb8pRxkmQ/ubHnieQ1N+72PU9xPZ8+TpiJOT8ruTJaq/BZ2Fo zhxjwZFgWatlAntezdcSCEYXucOcD4oDH+MjUCeK/uI4uB8l13e9AXd+1379Gcj55nVcoEt3sHsD SJte3TsLjH36N54boGUXG4x+wD5rFUcMaHfs/r4WcOCs7u8APrSeUQ6BdYejquMX8A31TwguBY4L PrsDJ4FtnP173wiwhMv6Ig/od1J+c88FMUqrYPGCus9az1EVLPjagoPB+rNvwaATID5Vt1m+BM8c c7XaAizNnfEBJcH6q/NIhmHgtPr3DzsJvof9CmQsBL4dg8qElgBnu6BxmeZD1oF5JpX6EkITsy7I Ew7BOzONyOEPwdsyncjxE/i2D4rKXAMshW1JvoGgJFrq+cwBv3oBBzJVgKCFGSpnuwaOPr4rMmng 9zA4X/afIaRdttFFlkNInhztim+CYJE5OO+3EJIt08h8j8He2udkxskg6ihl1eJgqaP+Ij4GZa50 Gr+CsdeonFwKUp6kdIr9BLxfpnSPnwvM0mu6OoMR4mmfHAZKNhlo1gKjpr5eyQ5mdoI9C8FsKctb FPBU9GQzosC71vNjUi8w+nk8KZNAKSgLmXVBLOQO84DbwpTtwVPcvcvTGPQd3ih9NcgcpsecA4qP Mkb+AHoB9yZjI6hWfMRFcOa0WGTE+wvUaQemHZh2AEKfhj4NfQq7Xux6sesFbHu27dm2ZxA2Pmx8 2Pi0iurae2vvrb0HH5f+uPTHpdNuWS6/tvza8mvw4/kfz/94/s/LMzHrxKwTs6b9XlRmUZlFZf6x Xa2atWrWqglLKyytsLQCrFq9avWq1e9PL6mUu1zucrnLMDxgeMDwADg0/dD0Q9PTEpjsr7O/zv4a JjSZ0GTCX/BFhzrD6wyvMzwt0Vk/fP3w9cOh3fR209tNh6X9l/Zf2h/Wrlu7bu26tO3+1Xb8PZ49 f/b82d9MaenevXv37t3TEsH27du3b98ebjtvO287331/IfVC6oXUS0toaq+rva72Oph+dPrR6Uf/ sf0f+dXbxsvv+fPb9jM9bnrc9Dj46NFHjz56BNu2bdu2bRtk35t9b/a9/7w+1qxes3rN6ne3//vW 64IFCxYsWJCWwO58sfPFzhdQY02NNTXWwMxfZ/4689d/fnzvm9FbRm8ZvSXtQvX3+Hf7dzr/u3jn hwPF2uCDUcvAXtmyI6gtJG+M3el5DrYXLHD4wO6Ju0bMOgbmFlfPhJGQ/0nm67WmgzXJvcwzHB7p xokbk6HoTfuYamGQ/LXwxFSGo2Hna0TnhoKVQkbnGg5dV3dt92UuyHI2/9qyNvD0837j/Qn0rp4d +hJQHqqv5UlQcpJJjQZ9nTfMFQhimBlpeMF3lX19cHXId6fsT9UKg/++rM6gEpDULnKWezJkaBy4 368iaPWifkjuD7K+e53bDfKRuZayoFzXhqmDQcxJOew6AimfJNSJXgAer7Wn8zhYimsvmQcuM2WG ax1oDbWrlqugRskrMheYY6XbqAdilwgRW0F/qdf1/AoWq+WqzQHGF651CWtA/yYp1hgCQlefaOvA Osje0/dHEEPV25aioCbYvleWg35XX+ruD1QyrhvTgQXyNyMPiHAlk7YMjLvyjToOlHzKKWMUiA94 yiEwHup7xBVQQqydZFZgr3JanQbmHD2PcRe0O9b+1u/AJ7tlQ6YZ4GxpRoYmgdLT4qe2AbyeeSlX wTvb8yrpM+CcMVl+AqpH6y76g5wvflbKgmWKMk6sAumRPxqXwKgjFVEaQOhqRZD+PFM6gd7AbEdR MFrqTndPsBWyvlCKATeM7hYTjHyGy10O7De0ME2C8bn1sL0hKHvxMwH7R5YGYi4YF81rsi7oUg81 o8AsLqKMEFAmKesso0AtqxV0BIFqitvaNdAClNp6POiFva88Q0Cs5ws1HLQyag5Lf3B/5L5qdAJX tOeOoYLSRmlomQOGahaU24Gp0iWug6iieu3fgbhiqW72Ah+v2kTfBHbD2lWN+c8gaffugXqq+6nu p7rDzsw7M+/MDMrPys/Kz2nru3fo3qF7B2jUrVG3Rt3gaP6j+Y/mh0t9L/W91BfWx66PXR8Ld8/f PX/3PJiNzEZmI6AXvej1rzvApJ5gLSGWEEsIeOt763vrAxe4wIXf3y61wvRky5MtT7b8fr+pXLhw 4cKFv+kv55ScU3JOgWq7qu2qtgt+zvhzxp8zwuLLiy8vvgyjGc3of92w/4ES80rMKzEPxGKxWCz+ L5ZvFVvFVvCW9Zb1lk3Tz9KKSysurfjudnxbfeaOzh2dOxoIJphgGLRy0MpBKyHHvhz7cuyDTt93 +r7T9zAl55ScU3LCdraznT9PkyxNsjT5m9c3toxqGdUyCn4a+9PYn8YCJzjBiX+U9/f86m3j5fd4 235kKVlKloKJ2SZmm5gNuMc97kG9zfU219sMU5jClP+HHtq0btO6TWtQbim3lFuw9NzSc0vP/Xn7 v2+9Ho0/Gn80HtZdXHdx3UWgM53pDC0jW0a2jISl85fOXzofaEpTmv7x+N6Xv/59/P8Regm9hF6C f5t/p/O/i3dOnH+z/tbKo0G2aP+2RnuwT1W+NOfB6fXPC106Bb+0ftTh2A7IfzV4RdhYKDwu380i 2+F1D/xfrobLte+eez0PsjmydNCTAEeSr8sLHxQt8Em+idA+a7sVgxpAkCVLUOl4cG9Nmpx8EIxE yxt5BpS24or2GcivzVVGA1AKabnoDUZbV0LyPWCq9tJ6EZQDyhqfA2Bccs16NQ+836V8YZsAIXfC /HJ2hewJ2edlmwAXzMffR+0F5bTHUFqA2cnsayaCVtdS1vYNiH3eHN7FoGawT7Q0BksTpauIBr6Q yw1A7KSw8hQ0zTLDvgnUuY52zjcgaumdvAKUkeZQ0wbiJ5eeXB28ud1PXXPA1Mz23mXgtekrXRpo 8WonZTXor8xw8yJYqjha+RQGpZR6Q+sFsqjZXXYG/bbQZAGQlYwS3sVgL2+bpYSAY6K9g304yEip iu6AVfqbA8DV3zsn5RjoxV2NRBtQ6lgr2YeBck7cUbeAto72TAHrZVukDAexg/lmKMS2SPgwKRvw 0ngtV4J2WYuyHgIlzNpYvQ/G567JKVdB7jK3u4tB8lzxkIOgGvKcng0su9UDWiEQ1+RUMyuoL6lo tAHlvqxgFAM1QP3McQucydoItRaIadpj4xDIhsSqnSHgA/+igdHgyq6X5zoYocY28yFYM9o3aHNB LpD5jTHgbeVZRAq4o7wr3N+Bw24bpzUFcUKYyn3Q93u3GX1BO67WFFtBLWDrabeDeCTzyjcguihl xWvwSZSFlN8gaKLPEb/h4NqovzAOgV7edClfgiygP5FlQL2uTjEXgpbBdsRWGvx/sZxVR4JV2oJF RQA+eR+BKkvL0rI0aPu0fdq+f1wvLoqL4iKYz8xn5jMYbA42B5sQui90X+i+tEpS1apVq1atCjvY wY5/Yr+euZ65nrl/Xm7LMssyy7K3325OsTnF5hQDb0dvR29H+Mz2me0zG7xs8rLJyyawadOmTZs2 pbU/1+tcr3O94ObKmytvroQexXsU71EcPvf53OdzHzi49eDWg1thV+yu2F2x7y9x/mf18/cJ8x8t TyX1lvi72vFt9Zl6y/5R30d9H/WFShUrVaxUEey37LfstyDo06BPgz6F1y1et3jd4j0o8u9QFiuL lcVpfv/3/JFfvW280IlOdHr3flKnBqiH1EPqob9pd0lcEpf+eNyp+k3lfdn/fek1MmdkzsicUGtP rT219gBlKUtZwIoVK4hpYpqY9s+P7/d4W399W4I2Bm0M2vjX+Xc6/7N558TZszHuW0t+SDmoNYzX wfqVmBZYEuxDjabGG/D/1mdxrhHwpoBy1AiA6+UfPbiZCFlyh9wInAn+NTJ94lsfXi/zhN5KhKoL C5Wt3xo6FvwwcXAMWMP8i+aJAO/6lFfJ90G5qTpEYdDC5M9qH5C9ZHa9Bph7eGGcAOU2s8Ql8Kzw HkqJAOcc/4iQxxA55EWGl7fBMs/S0vADa2dnpH0iKB5LI0dlCFuZo1LWXeA8an1x6ygkXPe0sw0A Y7xcLBLA+dqaz1YOEo7FFY6bB8S4prsqgGVIwHeOJHAHuLPqecDW0h7obASMFR+SGdyz48q+fgC2 +vaffQ+D2CKyaV+BNtMyz/4SxGD1J+0J2LAF2UcC98VuUR7EauNTIxsY3+kV3RNAza8EqxHgye6p pecE23KtqlYf1G+sVpsJ8iP5rboGKGi81htDwqBYLeoFUM046O4L7sN6ZXkD7M99L/nHg/bU9p1v S7DUtWjaVtBKqHetN4Gl5no9EMQSucXzHWi/ksHSGhy/aGXNwmBrYr8groHzrvOpWgrUeBnuzQ1y sPWUaoKnpnuzkRtSnEYe6Qf2Uc57fvkh5YK3HXHgXct3yjFwX9C36j5ga6nmVzuAel/9yfIhyIXK JLkNHCmOQ/amIH6U9dXqoJeSYd56EHDEkdWSFbSGamdrJtBXmz0YCeKBqKgYIGdbUsTH4H2kLycY LD9YZmqJYNYwK8mfQZnguGg5Dt6O3g2ukqA200arKojqcrnMAWYzc6URAiKz8kaVoORmp1YYfLIT Iw0QFRhtNgfrQr5WfgZPsL7EvAvu6+a3RhjYnij35DfgHGnNbq3wn0Hy4bsHaurbIVYMXDFwxUDo r/ZX+6tp65ctX7Z82XKouqPqjqo74OSck3NOzoFtV7dd3XYVMtzOcDvDbThz5syZM2f+puPSlKY0 cIlLXALLNcs1yzWIioqKioqC+33v973fF1jBClb8vnypb7X4o0TwnyVr06xNs/5Nxco61TrVOjXt d65cuXLlypX2+1bUrahbUTCvxLwS80pAUvek7kndwb+KfxX/KhDpjnRHuqHI7CKzi8z+83L9Wf38 Wa5cuXLlypW3t+O76rP6ieonqp9I625W11ldZ3WFwAWBCwIXQGSOyByROaC6tbq1uvXdx7nz5c6X O19CBzrQAdgSuiV0SyiUvlD6Qum3qCSm8rbx8vek+vPb9pO0MGlh0kLY67fXb68ftKQlLYH9rfa3 2t8KmMxkJv/77P++9Zp1QtYJWSfAlBZTWkxpkRZPL8a9GPdiHJwZcWbEmRHAfvaz/8/7w9v669tS /Xb129Vv//v8O53/Xbxz4uy8658nZDZk7e5fKFchKFUx00e560LQpYCDXj84a/629XESXBwV2frW GdA3Z6rl3AjBhmeUJwCKrPfMc8RD3W2NRs8+CsWC8vesHACuJWKcsx+IoeJraz+QkWKhXg9Q5CaS QX4gyjIMRAc5VOkKaogyXS0JepxsriSBo7Vttm9HiHv06njsc/jt4tXsp2Oh0KDScyq8BjWD9sy2 CuR+EPcg667sDbOtAp8g+3L7cVCypPR3zQKmGQeVeLBEWDLY5oI1wb7JsQGMIpYR6seglydCXAIf q+88//Gg7/GGe+qDMVgf4C0AjmzO8IC14B2qR/I9KNW0F2p3UCtYIukFyqfmDDEfRAFlj7IbjDjj ql4ZPPvdlVIegPpEua3tAnlRBsjNQKzWWvEHuUdMkh+Dd70nIrkxcEOJVs6CMdt9wdMBZFn5m6gF QrWG+o4G50vnYIs/sIpvjBxgLvGMN5aA55rpMR6Bt4ni474Gxin9lXEL5FW9ipwJZhh9zCdgibSY mgHWnhQQLSBxRMLEpMdglDTCmQqWz9SDsjnoJrdMA3yfBkwJeAWucO9gJRpkgmLoIyFTnsCFAbfB z2PrqRQAy1ZttVIURKgoptQA70XPLP1jUEeQUfkIxBr1vCIhqYJnrT4QLCOUx+ZaUAapZdXpYBST HczL4P3NM9E9BCjHVrUAeMd6Tuk6mFm8n7qbgG2ibZbWAoTdfMImUF7STC4FY4PeVn8MtgLWr7UA UFuLEZZxoFc35psHQX4jZpq9QTyWnQ0N1CvqbW0RyGPqeiUIXLuS9riqg3FP8ZetwTihvRA3QRv4 /7X3nmFSVdui9rtC5arOuQlNlhwkGUiSRXISAQXJooCgqIACSgYVRECCAoIiiARRckbJOefYNHRO lWuF74e3v/bi5mzdsI/7nlPvn/nMsMYYa82a1aNHjTmXMUfaDMx9PAu1YJPKpNGTRk8aDW0vtr3Y 9mJhf4UfK/xY4cfCzUqbqm2qtqka9O3bt2/fvhB2Lexa2DWoodXQamhQfl/5feX3wcz5M+fPnA/D GMYwoGf5nuV7loc+c/vM7TMXGoxoMKLBiIfbVSCn++Huh7sfhm/5lm95/Pww6odRP4wCRjGKUX/s LzhO6uLMizMvziyMSPn7+/v7+0MdtY5aR4X3ir9X/L3i/7odf/X5PCoFm67+6jw+6vPsVrZb2W5l IaNHRo+MHvBj/I/xP8aD71ffr75fC4/7GzVm1JhRY4Dv+Z7v//X7vN70etPrTaHlnZZ3Wt6BiKSI pIgkmHJlypUpV/66vL+6Xgp48PM8N3Ju5Ny/IMf5tPNp59OFubbfdvq207edoEmTJk2aNAGptlRb qv3fN/+P+7mOGzdu3Lhx8NGUj6Z8NAW8a71rvWvBssyyzLIMRiSOSByR+Nfl/jP+2ef1r/Lf/fkO 8j8L4bf/XHW9Tp06derU+esCnk3qP7pYX6j7ffGTNbfBO3u733gtDU4nXnn9zFxYUv7nrssHgHjB /rapCdz7KX1Bchq83LDW0w02Qse81mU+/AV83wa6mWeDuMZ22LQJDF/ZbthjQRisDdZ9oHr1H51v gbhdeNsyEfQXhKVyNIjHeVHZCuzVUqRrQI6xuHwTcjulD7wdBVmbU49ldgf1TeWlzOKQOLJU0yoO sK62NInaCNIm01ipL1yrfuCNHU74yPdR9blT4PIb91PSpoPxgKlkyAkIW5jQs1hFcDbP/un+K+Cb o87SW4LBYDsV0gMEh7ol8CMwQbP6i4HwGWPElSC2kKob5oJ2WMyQc8DaM7xV3B1Q93mecfeFvLHZ xVIPgh6tlgpsAsNpeZlcDAy/mEJsyaDt4mnxHKiKLz33GGgLDJWsp0AeIq6VSoBu0JrrX4F0WJ5j GAR8wTvCUdBMeoK2B+SvjcstGog/6HHKJfCVcRfNqwaBXH9/70SQ50k7zL1AeEIqL9hBqCaO0u6A vFHKt4WA/LJxg7EU6NFatcA4EGZqY7Xb4H3PN9q7ELRUvaxqBeWa/4S/IdivWvuY9oIJ26VQQDmt NpIywfK1ZZfRBGFDrZGGHiAsDMT7G4DxO8MV6R0wvCg1E6qDuZjhqtgIpB6ik3DwVw08ofcDd7p3 lScf5JO6WX0flGJqmE8Cf3hge6AOGC7KRw0WULtpg2gOdBHWsQP0EaqD0cBx8U0OAU/rDuUJsA2z SxFu0E4Kz8lVQKohXzHp4O3lHeOOA22jsilQDYxfGctKfhC6invEuqD4hbHCfNB+VhqJ/YBQzRqY BcZbpsrSFxC10nrXPgtC60e8YR4Fb77z/tH3z/3dyzxIkP9MCnJV/2qO6n8qBTnA1atVr1a9GoRd D7sedh2yJmdNzppceJpEwakN/y7+pz3XIEH+Ezh06NChQ4ceQ8SZVCEs/CScr3ltwPHqMPO5b65P bwmemsoZ+3nIn2nw6iKIu3NHpjaGV2ZGN6uzD9pVqf7DBx0h92xOqqs3eEPTOl3eA4kHnrY17gH+ AepqZRGI4/UkJRdETVho7A1CrthAGAzCcD1LXwBaPWGKvAiYzGxlJZisQkPDk+CbIF3xZEBu1yO7 Nh4H15DN8069AbFTxzYZdxf0u5X3Rl8F/ROeEndC7LVipZNWQNFK4VvCG8K15zM7OQ+CzxAQvR+B VlJXhFiQ7xmvWUzgPpH7XFZXMKy0PGFRQEqWzkuLQe1Ma6EnGNrJa4z3QP1EGyE9BcxWVweSIbDd dT9zEfjnenf4a4HlpPkVSxIIqdwzGUA7pffQWoIezgfacvDPCTzlrQLChyjSWhDWk274EZR5gbOB W0Cy3t3/IshDxHx9FfgPBc4rYSD2E0eKx0E8LP6q3wSxnzHK6ICQBaFnwhTgKe3ZQCKwRbpmHgS+ CZ5avj7gT/ENcnUCLUZPcJ0G9wpPas73YClvHWdzg2+tUlUdBOpFbaI6G6wzbZeNI0FqY40zOsB4 2TBWsoL8iexhCRjXSu/r3wG3+Uw9B84e/obiOyA9LwSkweD6zl+aUDDsE3dzB4TWvsiABYzHDWcN q8Ff3Pdd4HsItPR/ok4F6T1NVYaBdFQ6JSaAbbr1fEgJkBeKz4t9wdfTe9zbCVybPIu9s0HpIA6W JPDvdBdVLWDuYvjW8DJIH/r6+RpDoJL6sWcAqD4GeiqBOEseY1oOiqwmCQPBaXeGutuC6azxB3Mf UH/wz/QngXWApb28B7QwYZl5Iqi/qPvFFSBfsB4SToDglVfLc/7uZR4kSJD/TvZ59nn2eeCM5Yzl jAX6V+hfoX8FWFF3Rd0VdaF6TPWY6jGPridIkCB/H4/sOFu+MVV3vQgh2b4XooDk5ffcgW8halvc YG08mM5pqZmnoaMz+uvax6DNltZHxnrh1m7v4DQNrJfTv3b/DJHFKi14sihoC7SlnAYhSR+n9wU1 RF+Q3REku3gozA1s4KJwEfRr+m1xLhCq/ujvBFKadantObhd+caRA1Xg7pAJH49bDaYev/6Y2h20 Er590m0QP/Umqi1AVvDL1eCOuK/tjiywzYma7PgCyolVvKU6wv6Zt15MPQD+BF9N30sQeNZXVPkQ DL3NQ8P3g7A/Z1nWK6CX9Rv9KaD/bPzVshXoo5eQ3gNlubJOfw2UDUqE6wLgE/OFTPCvy96RGgpS b8M0gwVMGy0/hVcHz6ve055lYLlkbWU9BGppta92FkzV+EyqD9Imabn8M/CGeJW9oG1UP1DXg5am ugz7QSjFTbUySC8L7yu54Nf86dooELpoNwMfQ9TzITG2RPBe9Hzr+Q7yxVxr1kagk/q0fzjoafwg rQFLY9v60DsglJG2ij1B15Vl3qXga+1b7+4PUjNDA+Pz4Khk72I5DUIpzS33BnWf9opSEpRmVFDn gO+872reXdA/0tZr34F81TDe2haEG8JPppeA8ZwV/GD92brZACjXtaniIKCG3oSZ4I3wPeP/FrQT wj6hLxj2GG9aG4Cvma+TdxB4triPee5C1vPOdjnVwDTBYJMug+GSPMowBLL3OVv6R0L4dsdHVhc4 Ntr3i41BbSt2NbwH2Tucaz3fg8klhAUiIDBBswjvgn5YiJevgLxRGi19AabDpt7yDPB/7+3rvQai UYjgCPi/VHyB9aC41UjlCNgbGN+Xo8B8xTwk1AHSKXG+/BwAY1D/7mUeJMh/Jutur7u97vbfbcXj Y+CCgQsGLoCRtUbWGlkLGlgbWBtYoeIrFV+p+ApM2Dhh44SN/347/qc91yBB/pN4ZMf5yS5hDYv0 g5wb4uSQGAibYWvp2AKhlUwdA+uhe8UuEW8NhEqVSvbtNhu0TdH5UTsh7Ilz3oPbwZYRnVbeAabn whZG3ANfeODHQD+QntfO+1uBOFmfKi8EcS7HTQdB7avP0T8BoTIWfzswdjS9Z14P7minmlYPTs3+ 9OrHSVB24cFOGX6wVX9iZxkNwr4y1A2JAWv18oNK7wPFExCUfLBmFm1UdC1Yj9lam5xQxBp1KyoT whraT4TtAOcRV3zeNnC1cP7gToaw3OhG8T3BWMI807oK/I3UimoImEeZB1kjQd8rbNVngfqC/5rf BpYDhvKGF0B5RX7bVg7MT1jTAzFAEbWufz74LvmOe6qDsavhOfkTCPQPtFIag9BDWi43A8P70jA1 HRSJDcq3IE7RncJeMFSV4yw+0OOl9tpRoIfeytMehAihvTwJDLNMM4yvg3Gc4ZwxC7x9nPeyN0Cq fO+1lCog9jY8b1wHst1Q2RQDJrtpmnEryCPk9cau4B/tPeoeDGKqdML4E0gu4z1TFBhayL3FCJBn ckW5CIau5rekm0AH/YhJA994ZYB/LHBKi5W6Au3EC/rr4F/u3e9fDOJnep28yxDdIizCLIN4U3Uw EAxTZY9pDxg2GLEOAE8/f9eAFQIt1QqBOyDXUUaIIhhaC7X1aSBtNcYTD4pP7SeuBP0T7ftAMgij xERjUwh/Jap/dGPwD/BNVnuBftzfTb0DqihulmqCeanpiKksWOeZZ1viQd+rLxVrgWmLYZG0FQw1 hUpSKqiXlSv+RAgcl7MpDcIt06+WV8Bj9e1XioLVZDjJixCzMfwJ4yAIbxbWM7wsqIFAP6UWsPvv XuJBgvznUiStSFqRtL/bisdHzPsx78e8D0tYwpJ/NKAOdfgXUiL/Kv/TnmuQIP9JPLLjHIKcGLsY vCNDm+enQZGbxesEOkGHeU/eGZwL8TNKZdaMAvc+Yax4G8QynqWuMxB6pnTXqpOBG+Jcw1YISL5Y 73ww7BI3mupAoHx+mZt7QXzeSmIL0FP4SOoHwmwO+d8F3hTj5Pvg/dLtdt2G/cWXvvX1ArD2yvko SoKEBe8aWumQ3ffC1DNlAf1SnbsRoO1XPnB9BtJBy0JzEQitnHishA3MlwwVxG0gRzm6Wd4Dc29L Y7sLDHctcx254HK7emSuAVuV8CJxw8D4knlyyGDI6Xj/2I2awDva80I9MB+yLbf/AloZdYf/Y9BE xglJIFmoLGwHxawu4joE3tLuq2VBj1EHKiHAXUrppQCz8JV0E+T1+lYhG7RG+v7A5yB4heGaD6SZ 8i5LOliWGo+JL4P3BbfoXgniMOorW0FcLQ+y1Qb1BXGwtABUzT/e/Sv4Rwfsvnch+rOiHUrVAdMm 6T3jfJBkjvp9INXXPMpXoDT0L3GtBmmQsbUaDoF030fqRvDN84z2GUFtKn4khkJIFQfWL0E/zwJW gzvV/Yo3FdTqWh1vCbA9Y/pBugNhaY7XQ0qC4tHe9N0GeYBez1ADpONChhAA603TQn0+eJ/zLRc9 kD47d6uvO1gaGJdq74K5g2jnDHgt/nTvOdCj9V1CTzCvMkQb3wayxLPiCNCvq5WNH0Dm4fTuaXOB IrLJOA2UZ4S20pMQluaIMn0A4V5bmcjd4An4jd6DkHvcHa/eArGKMNezBOQnxe9CfgXPEM8xXzMw 9bUMkK+BUk5YIp6GrAMZgZzdELY9JMJ2H8wbxM2aD0qcLC6EmcC+1rHOEQeuWFc17x0AOv7dizxI kCBBggQJ8nh4ZMf5biNnP2MbCM+M76O2BF9K+gc3XwTPCzmHMsdC/nGhhKcTmFZLtS29QbnKZ/on IOXrLZgBTFDr+SeDuFTsbhwOqq7sz6oB+mD1B/0rED41vR0WB/qLGJRpwHjtonYCTFONZc1r4VCH g0sPZ8Ox1052z9wBPTN6zX35eQiZ+Vx2TROkr+jz8bDm4FKcRTI7QE7+hgrLXweH+dl7L74Cposl tsetg5y62Y1cReBOudxelniI/SbuRvQiSG+VV887Gdxd8q23doL7VZfPVQvsgxw9Qu+AdbLppm0m 6BmBDq6eoIYEdun3wRBlMjqeBN0rhIpzQV9LnD4H1KeVov4rYOhhHCcfB4PTOjhiCOhJ2sdiCnBN m6dcAs0fWO3aAYEhvlOeyyD/ZKgpjgRflveaexDo433xgg38myhv+gGsr1sPhxYFew9bafEd0AKe /c7KYEm1n9U2gGu6Ipvbgmuqt5v7HBiqyLM9G0APDcR4YkEaLHXVngS7wzzU3AaYJmVaNkLuBWGf rxo4RHmxaQL4RwQG8AF4ve6u3qvgGpy/J30XRO6IjLX+AObGhkzxA8iMyVvnnA+5ZbLn5fsg7JPQ N+2RoIrCe2IDUNcSLb4CBkvedqUrqM38jfOvg+lJ623DSMitnvuBegf8HQOjfDWB2WJH9oN8Ql5u eBeUc/lj8oaBPMNQ0TAP+ERbqncH49PWlZb94Kvij/QmgOltkgIdQXw5cFwLBbm5Xss3D0L6GVfI GSBdtXQwDoSAQTlm+AC0OsLzalUw+G1rxG0QWKL21uuBt6US76kI5hRjijgIvN3yY3J+hdKrk47a JXgivdKoYt9DXlR2W/EY6PeF10M8f/fyDhIkSJAgQYI8Th7Zca50tXLTYmcgeezZM+6W0PiHpz09 VkD8RzXNdZcBw0xlrDpo1ZQtnADhO+FLcSOwTcgyzAHdoGb6XwJhslhGzAT9HachKw8Mo/Xm1iPA TPErsTX4jztL5FcAYZwwVy0CWotAPzbC7ct3xskDoZHhpWb10yCq7VOlKqSAq8b9SSmvgiDk7Mzb D2Eni5wsEQ+m/BIvVjoKmU/O6rKkPcRLozv0vw45lZzWwMtg/MoaFTMNykwuubtkGNxseT8qrzLk zshNsE8E99G8QPqXYPnaYSteCSy1Q0aEC2AYwO28ZhCywtFRlsH5s+ew2w+O8rbbIRWAGsJ+qQjI u8OrhX8K/jtCtPFzULcpX/oiwVspZ3fGUNCr6X2Ul4F48YokgLRTGi80AnGrECWGgjjGLJoGg7mC 7bp9HYQWNVosaWB9y7LGXAT8+c63nBNBneff6pkPGU/mH9PiwFnXP0fbAvoRKU6sBo6zoZ+Zq4C8 W3xfuwGGHVJRvROwk9p+E7jK5i9UOoLaUl+hXwFNFQzGbaB11VRtF5iaydvFdChhLF0y4T7ILfUz 2ki42iVFz+8GEoahchz4z2qttLLgv6S/Q38Ifyn017AwyNqQ08BdHDI8uUfzs8Fy1jxe+xKUS852 Sj3QbRj1GJCPGcfJs0DPIg0TqD+qM9TxYNxnOmwKBW2mJij1wdDbNNEYD0p71aI9A4E07Qf9Z7C+ bM023YXATvWYMAkyDme1yNgD9tH2tx0XwXjUMNj4AUhRcl/zRfCI7p6uO4CiO5RZoG7SbwvrANVd wZUMgTDJL94DcxX/ldxlUMlS3BQVgMj7lqWOZMgZmTrAfxVC20fbHdnw3/p6uiBBggQJEiTIv5VH P1VjlPeZ29eg+qUSE8oWhUo0iX6xAmiKNVJsB/5WmR2z64P4tXmDKQpEhQ+UZFDnCgMUGxhrmXPs L4G6XHxGHwpq69yV7tIQqK3fs/cBywvxIfoGyO+Qt8FXBEK1sIthM8HT2P+jvy48c6Lhe2XMEN8h UQ1vAj4lz5DWFVQ1t3NOEzAmuHRyQWweU8o8GwyfhIfEPA9ct40PKw/+k7n3c8tB1MTY6XEvQsxW +ydqaZCSYwZbIsF+NOS4sA6M1cLGxKSC81J6kZsdwFPM0zp+I5jNltXhy0C0u17zOiCsnHGXeQHY xgo/KA1AtqrpqSII54RzUjXQ3vJMzX8f1K/V7ZIFxMXaJKkl+O4Jc9SWoBzTquvTQf/Kv8oXDXIz S0vbLyDU1JIUN+hu5RnXdlCLeDZIm0GMFyYatwNHhFLe+aAX1bJcv4JQ17DDNg7UteoP/oEQqlrq ycXAes563dYerOcNS/V6YH1dnhoSAerIwBDf8xA47Z+g/gz2WiGHhCUQ4TDNNbwGeT38/cTp4H/O 09C/CpJKxCw2SaDEKQuly5C73lXSewiKRMW8bQ0D98vuyYEykFVc6y10AfW2L83TA5SVzryM61D0 K2t/tQE419t2h+yBdGPel4FOoCUrVZx9wFHDIhqXg6GWoawxAdhPCiNA+1GPFkpBQNFi9RMQ+EDJ FA+AMFM4KJ4F22FLG7kURA8MHWKRwayZE+3poKwLJAtDQNe54gP0Qapb84A/y7vLmwTCfsNmJQXy Rzqj8oaA4NXd2jvgq6P9rCog1FQbKgvBc9rfU/0MSl6PP2EaDWGjE58pkQgB3dNJLAPG12x9LM+C rUXEDyEX/u7lHSRIkCBBggR5nIiPKkC6qTfIE+Hps821DgpwxTbP8CXkhab2udMG9k74sceKcHDt vHMmeQ24h2dmZ78NSvn82PyXIL3Wyf1HVoD6tPsLZyrkVsp5VQXUpyxnQ78D5Yh/l2IF5b561ZIH wlL5uiBB6Ba7ZNwOcRmxLUNeB189VxnX+yCecsyJyQC9hPOQtgbECZmVM38G8RvDcKsXpHkhfUKP gPCc7ZytEui7pL2GSBBy/Z8420Ipc/GMYrsh7F7E11odcGyzqr58CLWEdooJBUk25pqHgntq1tSU 0aDGSlVME8BzSBhiew/Oz0v+OHs05A31RWi1wfRT6N7E62A32eZHtIXsjvnDvYDvK9eM/L2Q3TIr PaUVuN92385dAupp/2DXKTC/bwpIDcFa1NiK9mCqarJaBoF6WT8ujgflYuAlVwXIvpRbJvk65Dtd C51DIONuTrw6EFLaZXbJKw+Ri0KibFPAUtb0vmEv6Ke1Jz0XQTihvyw6wLHAoplfh5CdjqFhE8AQ bX7SMgTEaKmGYz3klMqbLa4CZ69cq28yKKf8C10HwNfD87bvPfC95F/pjADrFilbUyD2k5BnLfNA +UFdq4eBc4rvLfckcIerbbTDYNONr+oVQUvjOckO4mg1XI0AQzmhrTgPol4LNYRngzzLtN7aDqwp 1k+s20B6luHycNAXCU8TANOroioPAVNJw2vSPBA6SomEgT83cF39EvzXfd9olUEr58cngWmoHM96 MLUU3zd8Bsal0htySRBaCFON18B1Le81fzNwZXmaOLeBL4fmuh+kUONGYxUQ21hKWb6BsJsh/ew7 oeTRkmlFS4LWU84I3QBpE/I2eWdA3CuJ3SLdYDqj9RWL/t3LO0iQIEGCBAnyOHnkiHMxl7Vlg9cg oX4JtZYR8kyZK1MT4HKl4zUPz4WM69HLxcHw0/S959Y+DUm5puRii6HenG5hnQVgt2GswQ40cu3L DofAlpz16RvA5HxiWaWqkN0uNfHwHpBa6c9YzoNhr+mdajPA3yiwSVGAfuoVfTLIJ4UcwxcgVBX6 SxdBOZayKP0WKH2knyypYI6PLBNjB6F83KkEAxi/DksNaQPCVa2qXhsMybZnTM0ge76t7oVJkDE7 t+6xzfDEL09cj2gN9w/k9/YPAsczUV8Xy4Os0neXX60P3i3O7vnPgfkFmznMBcJ8f777Lcjt5iur /wDakDSnayOEfGFsr6kQ8X7M8OitoM/TQrQKYJ7obJg/FiJXhM4Jqw36CQziG+D63H/Tcx/yj7pb +z8Fj8FT2lsThFSpv7kVaHfoL4gg1tLbqAPBJXi/yTeC0IaqLIT4npFzHeMgNNT0mtAAXEO9i7Rt ILwn9hR2g2W7sZ10HXwlA630vpBzIjsvqz/4SyoXmQOeT5V453eg39He9E0H+2fGGUoHCFz0+QLF wTPDP4uBEFcvbHj0CbjZN2N55huQ3dM1T3sSAl/rxcUvwDLdNDpQGeypxtflMsAwdZvyETDC2EWq AvkrvBUZA7kN3HO8djAukyKlHyHu27Dq5vEgJos7pXqgTDF3MpnAWNm/298KtIPCBt4EcYiSLJQE PVuppo8Hk8skUhx8rb1TfJNAWiZMFFMgp3tewLUVAlXUCXpdCMRoq5TvwLDBdNRqBe8ZX5rrGIS+ Eno4fCEolxW/9jkoY/RNCiCu1acbfoZi0WGnxKNQ6WoZQ1JXsHxoKGMbBlIPebO9OUQkRWSGK3B8 +a+9LzWFajy9nf1/9zIPEiRIkCBBgjwOHjni/OSExnM7vg5+j9pZWQTSCYPJIgMjIubLmyCnvfub vNqQMUae7CoDIWGJC/VKEGiU8fG1dDC+G1k+ciQww3MscwhEvRBbzHEDpDrmScahEFkpusYTFyBq VdxzpfqCclL5QR8KQhQb9Vogfq+fYzXoVwUvX4K2E/QM0D9TywohwDpbI8cm0G2+JdqrYBhgsBg2 gWROWhC2GNioTxbXgV9033XPgjLbi8RFfQb50/QUPRTcE7NmZHwBxUIjtouVwLDJMTmqOZhrOCLC roNvfHaTtAogJGgfGaeAeYFtvq0FeK74Ogs/Qd5ova3sgByPEG2eBp7PlbFCH9C2au2lsWDYbt5u 84D2pjZCTQPXKddNVzeQzqqZ/p2Q8GJ4tD0UiiXHXAl/H4wBbZFPAymgHg2kg6OaeYHtazBvNC41 tAXLTMNhaReY78mHDd3hRsu07Myj4LfpA9WvwNbZOtlRCtzjXC29YXD31YzEzKWQU8F1Nu8TcL/g rZ49BTwz3VHpdUD5LtDHmQ+um57GWhhI0dJJbSEUeyb6m6g0OBd+4+X0CEhukh3i7QvZPVyDPXNB mKsr6noINUn1xdUQM9dWX2wHwlpjQ6kUZFmcNaV88H8T+EF9D6Ijw1pa1oFtkfmAwQIE9Ne0DZB+ NkvKqw/Z03PfddnAW9Nj9XwG3m35vvzvwL3J1SK3E0gvMsv7EagGb4Z4CvRsvb3cBrLPOhf5WkHm GGcxTytIu5ZTPycXskc6R7uXQfbh3OY5HcB4xuhhDhjLipuFXRCywva08VMIW2QPt20BQ8CQwzRI 3Fc8JWo7xN+K6x4XAaFrTeG2e1D0cukLZeZDoLZ7qGaCa97j5osN/+7lHSRIkCBBggR5nDxyxNlx IiosoSZob+hLSQBRN0YYTkL66zk/ZL8ALu2O5b4Nag4rf6faTaj0ddWljUaBctw0V74LUn3tkG4B tZY3z/UDcEDoRHNgpbrcVRq0+/k/e54HsVxE64S7IE0OrFKug/aLuIqtQEnxFXTwz1Kb+V4F0wh/ P/8tUNsox6QvQc815duHgbDB3U+eANwHaTsYVyfWiq0AfK8kBz4Df+uMBneLQl4/R+e0LCjXvIbx ybpw9si5Awt8ULdtla/Kvwz2TvqimOXw6wrvhqK9Iefw3UEXS4NnWN7rqSvA0ib81YjDIA0KvOWb BVqiMkAbC9oY4+XoKpD3pP6M+j0o7/oauFqA4br6nbYfXC95DrnLgK2TdZHjOITMFRpLh8D6saGd 4WeQdjBXOwBJh+JnRA4C11GfoCwBz6T8ZTnNoMik2GPREeCs4A1Va4FYR/5YtkCR5+2fF7sFokHH q4Jnqvuycxk473tSc7eA96hnmccL5q2mE6ZQYKaw1/QJ2C9a14fYwDJQDhXeBMscqZryJZjGGT+1 GuHqlLvXnNPBtUDL8fUHyy7D26brEL0ppIJpEaSMTx16LwyiFzh6W18Ee3Nb29BqcC5wZ/z958D0 oSnKPgwcLximm8uBbFASXANA66KliXsg2ZQ7QmkOerK6zn8TtKq8YOwMOY3UIYEU0ERvJ2UVaM8r F1xbwDlF/lbPANEuVNd7QHggumbcuxCYoNQnC+Rw8b56Hhxplk/FU6Dn6gP1RDCul3dpT0HIbbOF IqDuCdzy9QDzdvuecBPoK/1b9I4Q9lNsSXs0RF0ova/cWvBka7qpD0Snx5eMaQbhxoS10SlwJH7N oF9tcGPt/VfvhACd/p6FnZOTk5OTA0uWLFmyZElhe69evXr16gVhYWFhYWF/j21BggQJEiTI/6s8 suOsXxYS9UWg2lx18kdDlnJ/+pUYKDFFtVkqQbkJVeVn+0Jikaqbnn4WtB9imiWWBfGG/4YvAcSr eoiwEJzv32p1ajBY02O9VcqD7nQPzH8D+MjdP7s2cC/i24SqoF8SG+mZoD8j3EMGaZ+eJqwEvRZJ gZPg/dgX7uoNgZrXVyRvBW2h1pfukNNXtue9BI5Td1ZenAbeTcd6HKsKlief2FniHJgrV9NKHwT9 vrd2yAR48q0in1k84BvWZOPta1CxfIX3W0dC81l1B3prQeqpqU9+1wlOfekeFucB96eZV+6eALmh Jd3xFpgmm4+F/QK+O/k/Z28C98ScI9kfg8FnshtbgVBcmCf0APdhPUn+FCzPGV1h5cH7jbqEvZDT QloiNgdfZGAbPSF6o+MFmwAmk7m87QPIb+PMdd+FQIR5oqkphC60Pm09CbHPhHeQ08DbxDdZHwNO 8vJzr4DUS7ipfwjSbHtJwxiwXTe3Dv0EvKN9jSz9gQ7Kp4GqIEYbdOM1yO7s3qZ8D4GFfkGYBOyU h4uV4OwnNxPT0iFwRY7TZoHDaNpoKgPMUupklIO77dNHi93B/qTla5MHSBPTPAJkmLJ+Mn8JYb+G TYkeCnHG8BTrCMiVc2rk3Qe/y19efwkyRuXecX4GvrXqCfUyRK0I+cXcGEyi6QP9DbC9GRggHoQM jaPyPpDjJDX8EkTvDTluigVTWXmxmgX+Vv664g7wPMc2tRxI3YyCQQdps3bUUh30ynrDwI+gbtA6 6zMhf6m7suoA6VXTbuMiyOvq3OcdAY4T5k2GlZCwNuFYzHYQyosHrEtBba1Wky+C/Ujs1rhLEBjj Wux6Bw76DriPmeBk9ZtNbuh/38Ju2LBhw4YNCx3oAgoc6ZMnT548efLvsy9IkCBB/qfgdLpcPh9M n75o0a+/wuXLN29mZ//79JUtm5QUHg5vv9237zPPgN1us5lMv7fH5wsEYMqU3bsvXIDLl7OyvN5/ pz0REWYzvPtuw4bly4PdbjIZDIX9Xq+maRrs2ZOZmZcHubmKoij/PntCQ2VZlqFBg8jIkBAwm0VR fOT8ikIe/VSNba4NrjXgzXdfylkMtlphq2KHQtEmrYrWqQjaZM7phyFQVnlbTQV9nlf13gL6imF6 a1CNgbdcRjCHh78aWQvkmkUXlq8I0nR7vZBGoG+zRYaPAU1T7cI7oPcQvqclCHM5L8SAVoGufA+m tYLDMR3UejZb+HoI31y7WkJtOHXkbiOvH47Xjvn80iXoOlrKuhUO9zeV1+9+DAlXS7xTLBxsb5t6 xb8KUhnz7LBPQEJv7f8Imr7RxD+qIuif6dn0AeG9hCO8DR1rNou72A5uDlzT+vQ3kBPhOphTHpwf ZDW6lwlhYmzZoh+AqYwtMmQxeHrkH8/eBYGZnmbaIRBai/vYAcKvhlmiHcRbgQmWr0EJlasYPwb3 NnNfOR6klb7PPD3Al6e+zDeQv9DVNvdjMJ9SHXnPQfaQjDv3fwTmmb8O7w/MDLRSNoA4Ql6kTgHz Sssq03oQhtFBPgF6fiDUexpCepruSHVBM0oOW0tQ0sUMczy4o9xjlGrg6uAxeJ4BVmmDvH1AfF44 Yt0CYbkRt+wGcD2Rtz3HAZ777q9yN0K8KdoQ9S5k5mZUu9IDQjqFLU6qBqFfOkbHvgPZd31d/efA n5PzlnoWMt72ZqXMAPNWy1emryHrRP6v3tvgae+N9SVBkaz4ORFnwLDfUNM6G3hJ7eiNhvAToc+a G4E63t88rz+kxrjCXZ0hUxO+kQeA/jFp2seg9aQUTcD0rcFlTAT1oPCcfgQCP2sfa3PBNz4wW/sF lCeV1z3dQaqkfSbUBH0IrTwiONZYk+STUKJiMWcZDSL6RV2MrAWGj/2vaOkQ/lO0M3onmG6LS8RQ OHBw7epjy+CX0xedlz+BtHjFoF35930xPIzdu3fv3r0bTp06derUKbhx48aNGzcK+0uUKFGiRInC cQUOdpAgQYIE+deYMmX+/D17IDMzLy8QgDJlSpWKigJBEARBeHx6dF3XdR3S0jIynM5CvRMmDB/e rFnhuAkTtm07exY8Hk0TBHj66WLFIiJ+s+dx3vdv1sCNG5mZTmeh3ilTXnihevXCcTt2ZGTk5IDV KkmSBNWqhYba7fB4rQH9/wSr7t71eHy+Qr2tWsXEREQ8Pj2P7Di7yzmLZz8FxgvGBeY5IOWGTAjf Bx6nt42nGAjFtNtCKqgr5K2MA+EJsYU+GqQ4QgwbQd+mvuN+CYzPF/++4jkwHrFtd1wDtTY/cR2I YZBYFAwmvaf/KQg8K/jYCBzUG4u5oHuFw/odoDV11DAQb/r3GIqBtXzDN2q9Aflns5K2ZENOmeRd /g6Q15Rd7t2gTit1pGhV+LXt5XN7M6DZ3pCT5V4Cb1jaUfNRuP/JbUumAsa6hiVZwyG7S8ri+ycg e9H9AVdS4FTfWy8mR4H1A0ejkF/A/QJflWsP3qE3DxzbBPkjs/emt4aQW5ERMZvAWN9i9teBgNNX PPdlkPqJ7YWhYO9pjQhpBUw3WIzDT64S6AAAO9dJREFUwPicnCxOhNBccYF2DgwljLcdh+DujbwJ eiz4Orq+870EWaf0AYY8UOoZc6J0KDI3pKTxY8gcl7XYPRykBdzScyDP5f5Zt4CvlFrfZwa5hLxE SAdvea2U9hzILcSQ3DfhnpZzzrUHJNFYw1ERjLUMPmNDME0yVHK8CNbj3PDuA999zxdZqaCeZJpu BdMQ8zYtBJTj6ntaFSjyXGylslMhvF5ErO0MeF50XZDnQl5K9kVPB3D10Mb5O4Gjhv2c5Th4GweS tTLg7alupQPEvhGzMOo0WOdaW1uKwF3HvfHZbggMCvT3HAOO6rMCKyDH4F3rd4HwhfyKtSEEFmu3 qQvm2Zb5xm/AeEDOlo6DMloLFzuCYgzc9xYD2wzDcGE1WL6UHXJpkH+UVoRfgdyN/tOBTmCfbNws toNyQ4vWi02FYv2LTS12HwwrhbvSmxAbETk0/BpEhUd+GdUFLr35a9Ll72Fdm02ldodC8l1fWVcu yB3Fbfa3/s8i2fp4vxz+K6pVq1atWrXC+syZM2fOnPnPxwUJEiRIkH+Nc+euXMnKgvj4xMSwMLh5 8969vLx/nz673WIxGAr1PsiZMykpublQunRcXFgYHDhw+3ZGxr/Pnrg4m81sLtT7IOnpfr+iQMmS drvBABcueDyef+MLwsLDJUmWIT39Nwf6cfPIjnPKG1eN118BnzX1TtYEqHaj89qOGeCP8JUNvAL6 SdnMdyCd1U5wFITmwgBhAegJ4ineAf2ifs7XCMSSYpT8OWg/C3fkROCq1ifQBISXhEWCGwKThNfF KSBe1O6KDYBY4aSigzBM3y8eAS0Eh2wFvhK+CpQBtbz7ZeVrKDMi4Y0qn8It1evZ+xFkhMsH8ndC okm76mgPKS+o38qfQ1bN+73u7YZPHW9f/3Qp3DSlGQIfQOQY0+S8maAfVGY7R0JmjGuR51XwfGFf X7w6xHcv+lNSAjA35PnQzZB+Nyq32CHwHkjvlBwL3jPG58x7wBES+nbIbRBu8YWeBOZscUFAgrCA QVevgv6eetXphNDOxpfFUmDeJYUFouBqq+SXc06Cr72WZ60H6n76SS7QO1JTGwbyT0Jn/SykpuaG +HeDrbGjvLkNyIPkqpb+4K3hyfS8D6GZcm9VAjHAK8J1MJaVu9hOgznMHG6OAeM8+xZPBghFaMkN ELcJycIToBbVPgx8D7Zlcrp0DcwvG0tFTQfv076OuVVBaEsL42Hw5QSeUOaAb7vz2fwcCDQ1rbW6 wWV0z8idCPoC4W3lIyjuDe8l1ACjS4iUxkO22bNAuwcxXUJ3WPIh9KQpXTsBOUn5i/N7gFvVPtfd QBzphk9By6Y3TcF80VbZmgOWVwxPG46C2lQ/onYFNUbdJnQGtY9+RLwB8lpJD9QGU19zfdkP4etD Zzk6gHe5N0m+DO6PfbV8lcB2xGCXJkLxzbFnQ89DrLHY8uJvgl5U+NgSAPtBsavxFCR9UMqS2BJc geyb7mmw+YWfN+y7AXe65N66UQcsxfnEGwfKLB0hCnj23/fl8I8oyF1evHjx4sWLoXfv3r179y7s L2gP5jgHCRIkyONBUTRNVSE397eUjUeXFwh4veD1uly/T7Wz28PC4uIK9RTofRC/3+8PBOD27Zwc p7OwPTX11KkDBwrrsbFVqz711KPbW6CnQO8f70dVdR0yMhTlH/Xv2LFly9GjsG/fgQM3bkC9ek89 VaIENG7cvHnNmn/dngI9BXofN4+c9ZHtVxtljIeMAG3z2oD8naBI10Hoqu/SooESrOIYCBOFVcIW IF3fKxwG4WNhmVAd/EWuhvxiAmVndl7ObhBvyMlyALRIoZv4Juhb8QhlQLgtfE4PYJRQVbsGdGCI UBF0kUp6NRDGCs2FYiAuJ5pp4FOEd/V1UHR86S8aXoSmibWmd2wJ9mfN5eJrwuXNGfL5MmA2W06G ZsO+5INPHygPNy9azHfeBr/VWtOzA+wtyn5R+hRUq/bC+8/nQKlG1crUHQRDS/ev1aUL1HNU0GM+ gtj3WZU3F6wLYpoWWQGyP+ynyPbg2ZvzXGopcPd0N/e+D8bG9uoh7UHL1EX5GHh6emZ6JoHxSflO IB+8eD91/wjn42+8fv87SLakf5dxC7zZnlGuUiDdM1qMP4PZZ33V1gU4JXilviCdM3iMe0Hpr2UY dkNeP1cVrxVMi80vGBdBmCWktvVriKoYUj2kGZiPixHKIWBQwOfsDSF3zGd5GuK/ivg0LBlibtj8 9rqQ+LGtu2MpGAWxmT0H/FuUmf4wyP8299n8REg5dP+L5CmgOtRegRmQH6KEeV+G60czJ51cBHI9 4ZZ3JrBLv5R7Gty/+pf5S8G9I5k3Mq1g+FyK9O8E+xPWEtJbkGLMKO6cB85Jntv+HeCr6K3m/R48 s32bA05Q7rNKWABSKT7TZTDGGHfKY8Fe3h5tag62cuaVtg9ArmHMFEUIdNL3ipmQ+XFelnYHrsy5 2Ss9ATI2ZidlXgFlh/K95yeI/jrqResyiN9T/JmE6yB+Jw8xtQTvDn9l7UNwNIx7PrYz5I1zpgmv wpZ7m48ciYLDv1z56kInSN+btyetAzjrZnW63xr8IzzT7v/w+Bfsn6VgE+CfbX9UatasWbNmzX9e dtnRZUeXHX/fc3ncdJzUcVLHSYX397DnUjDuP4UVjhWOFY4/P28F5eURl0dcHvF3W1/IpMxJmZMy YX7/+f3n9//r1+d3y++W3w2eMj5lfMpYeJ93Wt5peafl3313/7mfnyD/N6qqKKoKqqqqmvavlz6f 1+t2w6RJQ4Y0bgzr18+bN2BAYfnH637T+yB+v8/n94PfHwgoSmG5f//HH7/9dmH5YP+jl7/pfZBA QNMANO03N/bB8sCBU6cyM8FsjoxMTCysP2z8ny0L9D5uHjniLNcpbY2ZBuaM8JXhs0DfwZOMAb0x 3XgNhJ1arD8B1G/12/pbILQV3zKsBvE5obSUCOJBobthOUg77TExS0F9V/+BeBA9PKmUB6Epz0lm 0A/oY2gIegOM9AKiEYTmIHQRntLfANrqtfXToGewWuwB4k+iZjkAykG5WGAWFNWK6g1ugbhaRroM mZniqMu34LozNe36j3Ax/foZT20ot7JxyjMvwNlPfux0oj+EDSzewZEC5aPLLK20GV481u1Gr4pg 3WorZnoednXeWfq7YtB4T8zt/DEQcuJ4rrYRzlb0v1HqDmR9pB1WJoJvUUaRlAVg7C1NL1oW5BH2 J8OjwPeJf0beR5Djy1uRNwPcZQMzhI6QfdB7V88C0zHDp4YmYPhWWBeoAGIP5ahbgECY1yUng3mK 5SfT8xCY5n/FZ4WcQ3kvZZ8DWxHLHMsYUJ7RLJYz4LzkLSJ9BMZScnHjSfAb9TnaEVDOB4Z6LoNt kmGWbRt42uWvDkwB/1e+1lnXwPWhcvOyEVJPpe3PWAHSz3JjLoFhmTDVMhq8672i1Bn0VVK0OQz4 UqySHwCX39856ySItZhu/wXyyuUPy4uGs/dvvO9KgpIH40dFqRBzxrrfkQgpz6U9lb8fvF3J8o8F Sy1GyWvAXEZOJRvCvgmtbF4EwjfCPNMxUPaKF6WlIO81rJfeBzUucFf8GXLD89/JzgRqEiW1Aetg 6zFrRYiZG9JebwFqrr+naRUY2pu7GJ+AIlPC14bthYibxaS4BSBvstRxXAO1pncwIyH6q3hL5HmQ VVvvMB0OvPTLL5eqw97Eo61PvQjpDdgQ+Am0L4wzo2TwPk23u5+C0F5qKlUE7v07lu3DKchZ3rNn z549e/7YX5Bz16BBgwYNGhTmOj8uIptFNotsBq+//vrrr7/+x37HZcdlx+X/3mfydzL2x7E/jv0R 7Ha73W7/u60ppG7dunXr1oWxS8cuHbu0sH18m/Ftxrd5+DzGfRP3Tdw3f7f1haxpvqb5muZQvEPx DsU7wAAGMOAvXL99+/bt27dDoEqgSqBKYfuWjls6bukIfelL37/7JoP8x6MoBY5sgcv2rzFlyptv Nm0KpUoVKxYV9cf+B+UX6H0Qv9/jCQTA77da/6tNeH7/bykUiuLxuFyF7bJssdhsoOuqqigQCLhc +fm/tVutIIoGw+83Iz6o90ECgd82B6pqYR7y75Fli8Xh+GP9YeP/LAV6HzeP7DhnWe8mJPeCuOHh W8t8BMKnaryeBQzmdSyAT8+VLoC4TnxOmA0E+FSKAe1zrYXWB6QWRYeXXQziAevg6L0gRKiDfXtB W6/fkE8DI8XRLAbBoq/Xh4GeQihmEErgoiZQU/9YMIB+hRK6DbinG/UfQG/OOa0vSB3kOlICKM+o nyu/gHTfMMW6E57YHVuqQXeIyNV/DjkJUYESh83bYfXpxVmb46BUu4qnI1xQPbfaIVNDSA65G3uu EiTUSzumbYfIN+2l7R2gTLWwFZY3QWirtUh4AVIWyimXPoV7CfYNoc+BXouwst+Dc+m9b87JkGfP /DnZB+HTIhclrgd9pnWmwws5VQLdtOqgjvQ60k6CoYU8VPwOYtZGFI96EQwdSFHHQur+rAZ3KkBo jdAKEc+CVtR3UjoIoVEhethMsO+w3JZ2gPMX9y/u4eBv6T2SvweEy4ZOxlggXe/puw+uHM8dzzSw jDa9JO8DdZgywesC9x1vvqsIePMCLTI9oG0y7vD1AHm9oZV9KriHuZ/OeRbEXPMcqQ1YF5v3cBLk BsJ7+mkQ0cfYnoK48OjoKkcgf5Lr+ZyrUOROZOPY6yB9JS5L7wsJm0OjQiZCVrnMJZ6VcPerTHJ+ hlKvxD9p3wSBWCE/UAvECeYZlgmgzKELn4A9nimKF0zLxFP6RTA4xXZyVcjcldc04xuITrDHG6ZA 3MWo92J+AvM75q/lY5DyTGZ3d3m4OTa1+b2hUPal0suKnAPHpiLvRpcEw0JjF9tJ8LTPvxboBVH1 YpJi9kLIspg5UQ3hxjvnWt31weE3TmScrAb3L+pV9SOgjpA/i7oGTPdHpxwE41zrdPkmmNpakuJf fPwL9p9REFEucKDHjx8/fvz4wv6xY8eOHTsWkpKSkpKSHr/+AgexdULrhNYJ/2BAAgkkgDZPm6fN gy/rfFnnyzqwbt26devWQUZGRkZGBkRFRUVFRUG7du3atWsHfQ71OdTnEIiDxEHioMJIXIHD9MOo H0b9MKowMndrza01t9bA0aNHjx49Wqi+4Lq4uLi4uDiwLLMssywDZzlnOWc5GH5x+MXhF6FpRNOI phGgVFGqKFVgWu603Gm5sLHoxqIbi0Lp0qVLly4Nnvae9p72wBrWsOaPt1uQY140rWha0TRotKTR kkZLHp8d1bXqWnUNbre43eJ2C7j7490f7/74x/t+kBLbSmwrsQ1KUIISv2sfz3jG/1fz+DZv83ah /cUmFptYbCLU+bLOl3W+hKxOWZ2yOsGOaTum7Zj25+fn2qprq66tgqmlppaaWgrOnj179uzZQrXl Xir3UrmXYOi5oeeGnoPZ+2fvn/27FwsVyBuWNixtWNrDc/sfZGPaxrSNaVDu03KflvsUjEuMS4xL fuc41+hbo28N4DjHOf7on6PPfJ/5PvPBpvRN6ZvSwel0Op1OqPFFjS9qfAHjx40fN34cRN2Ouh11 u1Cfb79vv28/dJ3WdVrXaZA3I29G3gwYcnbI2SFnoWVMy5iWMY9vXT1sXqd2mdplapfH/73x/zqK 8puDqSiP5qiVLv1/O8zt2w8fvnr1P9f7IH6/z1cQCf59RLpy5YEDJ0worEdEVKhQqxbExXm9v8+B vnEjOzszEwwGtzsnB2rWLFOmaFG4ePHOnRs3IC/Pao2KAqPR4QgP/6PeBwkEfnP4H/ZvhSybzWbz H9unTp0yZcOGh99/nTo1axYpAvXrN278+82ID+p93DxyqoYh3x8auA3hVU1LQ0ZCIInKwhug1xc+ FJ4FYZm4wrABeErwSpnACmE3JqCnMss9DrShuS3SxgAVtNviaaA17wjLQGgs9tPdgEwzfTYgkkU0 YBDMSEAq+dwC/Xk66MkgVBOq6g7gO55XvgVd0Ib4JdB7M93YA6R5QqjUHNTeyjnPSQhPcljLX4Xy VUqObTUdvLfl7w2NwSyWaW3rCz0cL05o0wwcTTwjI/qD/+79obn7wSmcO5SaDCFzDbfDdkLxpZGB uK6gD5T7SUUgdFjRFaa+EDncVjnPDpGj7V9KyWAeGLez3DYw7jeMt6wAd4Msx10J1PaeCz4nhEwP eTa0KThaxpwucgFia0Vdj0mF2LiomOgJEOkNDY3WoXTfouGlz0LET7YzIXshap+jp6EimHbow92f gtTY+3bWJkhKiRwg74HQboYyylSw2aTPvRvBsIbyzkSwfmUsZW4I3v4eeyAJsr/NVNM+B89+9w6f Bpi1BMc3YIrTjlbWIOykqW/JELA2Mty09AXuqnbzQnDsMe0tng/ZzVyB9GHgf1GfRlHIapTazaWA 4W391ZAm4F7pTc5vDKVSY44Wnwe2D+S08L3gauab7T0KscsjEq03wL7btMi0A+LLRbQLj4PEBmFF rZ+Dt3n+2YAdHBssqjgKjC30T5QkyKh8/9XbfcH/o39z6gDITfQsy+gEV1amlT/VAy4m3AlPXgq5 B/LOuotDhWMVzhZJgBKdSgslvgPTAVOvUAVcxdw7te/BesxRKawphBHzXlQu3Lt+69usUnD0yWPZ p27DjZL5+9yHwVtf94h9wTPWsyH3dXB+7ryblgiGLMu9qGXgnqJvNH/x+BZqwfFx48aNGzdu3MPH FTjODxtX4EjfvHnz5s2bD5dTcP1fPbauwIF52E/9m4puKrqpKCy7sOzCsguFP7GX3V12d9ndMD13 eu703MJ6Qf83w78Z/s3wx/c8Uz9K/Sj1I+g0udPkTpMhZ0fOjpwdMH3X9F3TdxWOW/rs0meXPgtr otdEr4mGZjea3Wh2o/Cn/bSP0j5K++jhenJ35u7M3Qn5ZfPL5pf91+1YtnzZ8mXLC+1oPqr5qOaj oOyMsjPKzih0mP+7SU5OTk5OLnTcnx367NBnh/51OZO3Tt46eSscH3B8wPEBMGHjhI0TNsLUzlM7 T+0MybHJscmxhRHxiRMmTpj4OwcgfkP8hvgN8F6z95q91+yf67ufcD/hfgKcqHWi1olahQ5u0/Cm 4U3D4UbTG01vNIWrV69evXr14XL+7Px9ZfjK8JUBvnV86/jWAY0cjRyNHDCp+KTik4rDxYsXL168 CLMqzao0q9LD9bT7qN1H7T76Lz4nj2ldPa55/d/Cv5qqkZeXlXXvXmH5IA/2/9lUjUDA5/P5fnOc f4s8/1aeOfPFF2PGFJYF7StXjhrVp09h2atX3bplysDmzRMmvPYazJo1cGDnzrBly8SJr78OtWvH xlosf5RfoPdB/P7fco1V9bdzOB4sJclkMpv/WNpsiYmlSz+8PHny6lWf7+FyC/Q+bh7ZcTYuMmcY n4DwPqEHImJAe1OfoLhByBdChFQgDZPeENiuVxaWgfCB+Kk0AYRPfNNzZ4F6Ka9OXgiIXwjzzHtB 7Sdk6KtAqK1/zUygkj5SiADdTQkEQEIA0PPIwAvCHOYIDUD/BkmYC3qWOs0jgdjJc8XTC+jl9nnX ASZmaykgVBeqkAViPektpsL9lVnV0++BuPvaU1fTYayl26qhb0KVYxXqt74K1erVebFVO2iV9VLT Tv3AMK7Cx4nh8NPKna12rIbt7fZmnd4ExlOBOVoeVGzsCA9vAPEOPcHzHpTym6Jzn4TyT8dcNraF kKS4vmUEkPZa9jm6g29z1qtpZ8A/zHnR1RuMybIltCzoz5tMkWcgbUPeAK0K3K2SO93XCDK3Ocuo bSF1e+ZBtwjpX2YPcn0J91pkbMn5FszHzdUkJwi3/WnaMJC7MFkdClHZ1leEyhD9nfULcw1wnJNt ahmwnjG9YYwHf4zyOvXBO1S9kZsKuWJgz4lISHstp+a5M5C1I9Dz0nBw1vJ97Y4F6Q47DDK4WwdC PPOBcKm/4R64e/qMORUhf3tgf/JCSO+Xc+zmDMj4MOdrzz3IWOs0pr0HhhfCrjv6QojgyI7aAo52 pq+xQ5gh5LCxAggvK1NN4yD/Qn6C51kwnpDOKB7gKdFOO1C7i3bbWtBmm5v6BoHQ3tY/JxlyLwWK p3eGy/XvhV6Lg/RIz5l7F6HIyFKdw2ZAscPFWpfuA4IixFv7g7tYfvFAOlhiHYNCXoPQ1TF3YipD +mfJoXn74Ezska9PCXDzxdyDuWGg1jUMN5wCOms+oQuwWmgi1AbphfDUonGgbJBD4wUQssThwp/4 A/5nKTiPucDxLYgYPXhO8z+jIDXjwVznAjkFcgv0/FX5BQ7M6tWrV69e/cey3oV6F+pdgO1Tt0/d PrXwujFjxowZMwbqf1P/m/rfwOg1o9eM/l0E98Hxj0qRtkXaFmlbGMEriBxmTc6anDW5cNye7nu6 7+leWB+6bOiyoctgwNEBRwcchfDr4dfDr//77XgwpWaIeYh5iBleX/z64tcXQ8jbIW+HvP34ns+f JfS50OdCn4PZvtm+2T5ofa/1vdb/QnpSwX0XMH3G9BnTZ8C27G3Z27JhiGmIaYgJlpmXmZeZIS4l LiUupXC8cbFxsXExxD4f+3zs8/9c3+ZJmydt/l3OcJMmTZo0aQKN32n8TuN3Ctu3dNrSact/8RKj Pzt/+37Z98u+XwrrBSkwja40utLoCiw6sejEohPQo0ePHj16/FFP4vjE8YnjoVt+t/xu+YV68qbn Tc+bXjjuca2rxzWv/1t4MFXjz5Y7dixZ8sYbheWDPNj/4PUPT9X47Rzngojzg5HnwnH/uL1du6ef rl4dHA6L5R9Fgrt3r1evatU/yi/Q+yCFEeff6g+WBRHnv1q+8EKjRhUrPlzuvyvi/MipGsVnR/Yu 9gUYbpqPWh2grdCztXIgxHNDvw26Ve8qbAYxgSlKA2CEMM/6HfieypmZdx38xz1S6GEwGgw9pB4g dlYvB5YCa/UweSOwXOype0H4VJ9LPuj79Qv8CkI/oQvLQI3U22gJIHXVSgpXwTcg/22fAEKKx+m9 C4IulzUtAKmVaZ22BoRnZVFuAfoi7Yg6CgwbvCs9sdAw9Elf++oQft12q1QC+ML92d4BYO8WPaz4 CHAYhQYlGkKUN8mt/AQRnog3w56APX32DNv+EaxKvXQgsyLETPPU0y9AqQthE21twRgv7vZGQZGu YaLaBNY+oVUiD47ZDHVKDQRtd1bfO+sg8FHe+vS9wNtqT70nWKqFNA4/ANoieZ0wG/zP+btrW8B9 P29keg4EIn0h+e3AXt3cUhoMkb1sqnkT2M8aDljLgudTvbEeBlF1wxcbJkPEgLDEsFxI+yrje89S sA2WP3etAdNGOVPaB2nFsoTUHZDwbmTfuG6QvsM3NHoopH/pq39lANgjrfUdo0EfL71nViF9jVu7 tQ6ExXmx8gkIOW75LrYoSD9Zf3RvAFsFR+vQeSB2U36I+AyMv4p3jMmgTSXJ9RPcqn93QkZZ8L3q TXeuhqKNYxbbS8LNvWlV9JfAnaCsSu8PRXLCW8p9IDBH+cJ8CNwtPM8FwiH7vru/NgMiy9i/LXIO XK8GBlIKbNGmBcZRUKJjzLZyJ6DI7aKflDwEYa+HD49fAv5WgclSQ3DX8lfwhULosfAOEbHguBxd MaIjZD+VvsW5FG6ePhV7fj3ccWS/mToAtGnGyNChwDz1FeEt0Lqy3ncWxAqmxmEmEKZqRwIRoD3t q5B9AKT7Ad0VA5R8PAv1wdSK9evXr1+/vjAi/GfPYy7IbX6QAjkFch+m959R4MAkjUoalTTqvxjo wcPvjiMSjgnHhGNAM5rRDITjwnHhdz+Na/20flq/P4p5sF09rB5WD/9zO8WB4kBx4O/qC8WF4sI/ jtP76f30foAVK9bf2VnAMY5xDOhMZzr/+ef0V+0IVA1UDVQtrEsDpYHSQBDsgl2wgzRKGiWN+uf6 HjchK0JWhKwAcZQ4SvwH+v/s/HyY+GHih4nQ7ot2X7T7Ag6/cPiFwy/AoT6H+hzqAxsTNyZuTIRl U5dNXTYVVrGKVf+KwTWoQQ3YOH3j9I2/czgL/mF8kIKUjcE1BtcY/A9SNv7s/BWkUPxh3P9Jffln SLWl2lLtf67nQf7VdfXP5jXI/01hqsY/dmQfp57fy39YqkYg4PX+fnPgw3hY//Llhw5dvgzLlh05 cuMGfPBBy5ZVq0LnzjVrli4NtWuXK5eU9Nv1x479Ue8f9fzfEecHeViqxvjxnToVL/5w++/cycvL zwe3+x/L/Y+NOJuPuurJTcBQle5SUQB9LreB60Il4SqIPvk1+TaoCJP1tcAw4ZB+BNT3vTOki+Br JtWMnQXiIGkhClBGO8sC0IcK73EDOK+v0CNBT8dDBLAHJ+dB76rXYT4Y+ksH5e/A0NQ4w1gFpEOO xJi6kLzeN8FYFC4tzhylz4Oc6b5iwhCQfhRb0waUjcou/04IKRJfvOwPEGqPTiraEbw/KF73fRA+ E9sxEJS31EzvUgg8E1jiHQ7aSe+b6jxI6B1XofphaLemtvR0Raj/WeUKEXkQNqREHUNdUNYYB/g+ hhKW6J0RMVAuquwzISegmm4NzakBT4w0SloLCFOiQ4ovA4mwxsVagtrIdyOnLrjic46kTAAuaTWY AqEnQn+JHAWxYxJ9SbmQeLfo6yWGQKjPVimiFAjXDTPk8hC6P3pBRAAcJssU09eQujetXc5VOLP9 Ytm0jyB3szfEvxxsve0tIrLBPt8m2dpC1Z5JW4svhjI9IuKKRYHBThvfl1AsP+pQiZ+h/KCw7Hrv QNFL9oZFvwbbVYvFUg9KJ5Q4X7kFRNjCekUeh4gJoaa4iSBPkaSIcuDpqh7zKKAM1+25e8Akmqeb u0H4WvuLhEHCx3EbQ/aBKuKyVoOoN6N+dnwLT54pWybhLISG2z4O7QfSZCFSbgG2UEuypSdY3bZe RiuIzUxtzYch9nZYfNJ8KNO1eEZZGcofqPBMzaZgTw75PvEXyO3mmqznQ84Qr0m5D9Y6kTmRNcE0 PnJ2ZB7k6nf75laBW2ePvXTiBKQeyOpz/TCoEeaqllTQX5GijedBU/RVeisQSgifUwS4r2731gPF 5lvnvA9KJfVZ13VQrDyn7H58C7XAgS1evHjx33+RFPzBf/DV2n+WgusedBwK9Py7cqEbr2y8svHK wvpHmz7a9NEm2Fd+X/l95WHChAkTfp+L17RJ0yZNmxTWC3JwUzembkzdCKsar2q8qjHcHXt37N2x j8/OZ4Y8M+SZIYX1mS/PfHnmy7BAWCAsECC7c3bn7H/BYf6r1D5R+0TtE4X1zw58duCzAzD3yNwj c4/899nxZ/mr8/Om7U3bm7bCHOfqR6ofqX4EBtUeVHtQbbC+aX3T+uYfI6zCQmGhsLAwV7ggxeBh XAm9EnolFK6/c/2d6+8Uyn/wl5GCiHDK2JSxKWPh7Ndnvz779b/+PJ5Z+szSZ363CfOTfZ/s+2Qf 7Oy6s+vOrvDq3FfnvjoXVlxecXnFI2yefdR1FeRfozB14q9FnJs0GTjw228Lywd5sP+Pcv6xox4I /HYs3IOnXjzIw9p3775yJTW1sH/x4gMHrlx5+PUFZYHeP44r2Bz4j1MqZPm31IwHy717r19PSYHz 510uj+ePZX7+b+c1PzxV4z90c6Dt18ixcYtA7yDVMVwCcTljeR+UFP/uQC/wPeFZ5a4CpldCsX8G xmLCaP0MnJ1zLTezD4Q2TOqe1BqMo5mhDQPvh0JbcQEIP/Oz7gP9HY5rySDOELpLh0GowkZhNehn qUUZcL7mzMu5BqtnrDm7wQK+z1VzxHaotu2pNvW3gV7EcJddIPWQ0+SzIEZr25QSoPUTTxh6AS9T S/gcAk/5b+hnQfRLrdkOrNe7kgnCCt4SJwNzxST1ZaCINli2QqAHaeJbIK5MfKdqCah8WPzAvh5K vG5acHoWZJUKT80ZCeKFvKMeG4ifJL77hAcqjam0N3ABElenpTmnwqmkLJ+yDs7MFS/b34E75c1N ku6AdjNvZ9oo8HXKbJraH7Si9i9Dt4L9vZAvQxQw/WxpakoE8RP7V/YzoAWUTv6mkLY9J1roB65i nvNqLrhm6C8adoIYI5dUbwBDtS/1KLjzWtrpDC+wSX3NEAphzUOLW86A8qJ0xrcfSm0L6VP8BZAT DPMiikLeGZfHsxj0GcJW37tg3qINDNsJtNYaMwBMk+T24ldgvESriDQw9LX1zbkInu89UtZFyDTm duYLUMf6JyafhzKlYmLLByB0vLQv/hWwrQubgQ+USq5TTgnuj0hWXaMhrZcz1WUB88tm1XQaxKbC TvUIONLMk209ILRcRL2QeWAf6zCErQDzh/aZlorgy/eVFHaD8wPnIL8A0rumd0zhEKnGLo5ZAubO 5p2GUZA/8Xav1E8hfc3NfldNkNckV7tVGjwYDeGfgTqUMcbXQZ+izVF/+/wNUi+Afkc/pFcCbQSx emUgQshS14FoJ9r4NvAsLfVq/2eRtH98C7Yg97jgfObc3Nzc3NzCekH5sMjyPzt140E9/y5e9rzs edkDft2v+3VYN2LdiHUjYETGiIwRGRB9K/pW9C0YWGxgsYHFoEegR6DH776Qh9uG24bbYKZ5pnmm Gb4b+d3I70ZC9O3o29G3IY000h6Dnb2r9K7Suwrcf+H+C/dfgC0Tt0zcMhGK7S62u9huiJwcOTly MmRuzdya+W980U1/vb/eX4d7I++NvDcSNqRsSNmQApUiKkVUiihMUShwVP9u/ur8FDiw01dMXzF9 BYywjbCNsIF6SD2kHircjDmi+IjiI373j2OH9A7pHdLhx24/dvuxW+GmwYdtYivYVMl5znMeWn3Q 6oNWH/wxVaRgs93nfM7nwJZJWyZtmQSVvq30baVv+cv07du3b9++4JzpnOmcCZt3b969eTdsvLXx 1sZbUNtf21/bX7j58V/lUddVkH8NVf3tFdIPc2T/dbn/tbwCvQ8SCPj9fj9I0m+nZjyMglM1HuTC hbt3f/9ilQfrD7u+QO8f7fkt8vuwxAmbzW63WMDnU5Tfj9i+/eDB5GTQtEAgNfWP1z3xRFKS2QzV qj355D8K8BTofdwIBw8ePHjwoK7XqVOnTp06f12AG1eD7JrAZcNJe1cQsvhQqwJaPf8X/kPgi3F3 8/jAZgyfG7EI1Mv6W74+cH7K1sjjPaBkZJ3R1a+D9dXw44ZBoJ5XM/Uk4Kjq1LcB2/QV6qsg9DQ8 aSgH15PuJp9bDsU3x9QqXReUPko7PQ72ZOx1HqkOzl9dFjUSaOX4vmh3KJlZylfkFyh/L36dIRms XaxF2Q9qebWFeA+kDsI4ToJSXt3s3QOiX+guHwXhNamSOAv0t7X20j5gjfiJFgD9OQQhAcT9uqi8 C/4azgp5HcCYYmijLgT1BdfkjDdAm5/xcuZ3ILkip4d1Bu+dzI33HaBPTp+a/gZIu2SdFeBNle54 0iAr6frOnHRYfW1Pifst4Piw7J+kdPAv8Y7Lmg3+THeL7MkgVJNHWi5D2JshdSI2gePt0A3mjWBy GF7T7wED1e5+GbwVXeu934Iv27898Bkoy/SL2jDwx/qvetPBN9BlyTkAZqdlnXUwRGRHvhH2Fnjv uMd4u4KnmDvL+TNkVs3KSW0M6nRho/M2aO2Fly1FwdnZvz07HULyHCvEKuBPc28TPoTc+u5cV08o lxY/ruhnIF8QoyyV4WZ4xs27R8FQV95u6QVRa8LU2PYQucd83lQatD36KKUL3B10Z5h3G2he4yDW gWNCqGQVwPyK/I31JsTkxm+wKRDRPLJ4VCYYBpmvhZwD7QNlt+FNcKU6yyv54M1UNwSGg0UJOxd2 DEKXhc8JuwdiRe1nww5wRt3Pud8ZfN9kD7iTCh6f8nnuZMj2u94OHIC8bfqosK6glxbnmY9BYAIz pOfAd195n9cg0CvQPdAaAgeUlb7ToMwIdPKeAxaq9zxTQaqkL/H1hGOp+z7dcOrxL9wCx7bg9IAC B/pfJTQ0NDQ0FIYNGzZs2LB/v+Mc5K9R8MtASuuU1imtoU18m/g28YW5zS/teWnPS3sK6xvbbmy7 se3fbXWQIP87qFz5+eenTYMqVWrWLF/+X5fzzTcffti6dWG9e/cPPvivTpU4ffro0QsX4MyZjRtH jixsj47u3HnKFDCZihWLjy9sT07++ONXXimsFykyYsTSpQ9vf5B/Ns7nu3373j1IT//++3ffLWwf PPjo0Rs3oFKlhASr9Y9y09Lu3zcY4MSJe/f+yj8efn9+flYWtG5dv35o6B/7z55NSXG7Yc6cmjVL lPjzch/GoUOHDh069Bgizprq+dHbHwzfGptajoDWRvtY7whyWeO3huogLzEp5kRQQ/Th2vfAEs96 /wRwfO7Yb9sFxi8s8w29Qdws1RVNID4hXBSeBa0tL6o/gBQtZxheh9S87Nkp+XD9jesLDm2B4m3i usQ1gcwv3LXdg8DpNE0wvQTFVpZZWLEo+Iu438INt2bcf9k1GBLc4X3tN8F6xF7WkA16LW0wQ4Hj enP9PIgThYWiH4QlYif5C9CL6l9oU0Drzw/eLKCiuk4dDtJi8YRlJOhHxEHGeyDPdqyLjALNr7YL hILewTBNXQnKQktVZ3OQ21ruxL4P5rDI+ubZQM+YxNJ9gcmONjGTwXJPMsvRELG4+izvEXjjdI33 zn0Hvy7bc+HET7Buzv4y6ldw7zXT6dAkUA7ldUrfB9kHMivffx+8ee6NlsUQvi3sZkR9CDsdWtZu A0uLyFuWfNCf0ZeoA0DfoHj9q8FfxTfOtB1cwyz1DKfBdF6OlQZB5sXsL73fg/dZZXfgXZDPG8cH jkHOEm+f7CFgbWPeY5kI9kjLOts9MB22tPO1BHmNYZy2BVx38kLcMyGsWMTMsCTIr+03+o5Azor8 jjm9QTgsjRA3gfELwwTDy3B5zM2G13LA9pr1kKEdhG4Ja2T0Q9SoYheLrIfIaSGR4U0h/HaYz9EJ TDNMzlAdDOVs2+3jIGAIrJCGgWt87k++JyF/ne9i4HmQzNYcw1gIPxZzNVYCyw7rIYcJlFfyLnr3 QUb2ndu3hkLGmrtVLqyHQLzeOG8eaJ/o7wjvQ36Su6r2DTi7q3JeDQhka0W0peCvpn6njwBlm95B fwLU/UpfdTP4qwfeDESCPl7bqk4F/aTaN/AMqIFAE9/7j75QH0aBY1vg6BY40AUO1q1bt27duvXw 6wtSMQo2CRbICb5R8D+TgmPndn2z65td30A/+tEPYDrTmV54XNubmW9mvpn5d1sbJMj/LjTtt8hw fn5WVn4+mExW6z865/iv4vf/45xhn8/t9vkK9T5IIPDbm/N0PS/P6QRR/Meb/P5qCsfDxmmax+P1 gqL84zcD+ny/2Zmd7XYrCoSGWizy77zPUqWiojye386HDgmBCxcyMwUB/ut4OTz9dIkS8fG/RbLd 7sL23FyPR1EK9T5uHtlxVia78vWfwFAv7BsxDtSl/o1qTfDN0ucHloGxoakJMSC3lhsaEsFzKPCV rxmI54Ul2hwwLDN3NrwD98fcv31zHSjblV/934MJ6Su9JziO2oaGH4T8p3K65fnA/qr5WsQYMJU2 r7cPhKhw+2ZzBDhXO4uc0eDKipR2uV9CYoXIGVFpYNtheUmtDynfpu31l4FijcKLmE6B2lTwUQSU 0UrJwGEQJoltxUZAURYKYSBs5768EnSb6M4eB0JtaohVgUjFqT4Lyl2nK+cpMDS2Ny3SGtTKwj31 EshOx/W4GmA4aw+Lqwzas8oRZzaobbwH8yuAsZ65XvTPoO4wrLY9C+rn2su6BJpVftl8GGzVyx+r /x48X7Z8n6f7QLmJZapt+BoWdP3hq8N14fJWq1zqJHgrupplrALPwPxrubHg35G28e4QcM3P22we D6FfOvKjoiEkOWSF6SDYLltfMX8Hoe+GfORQIOp8VC01DfxnPWtcz4JBsSXmlYPAbqWvWBqURK+m bwL505L5xTpCXp/ct7wamJoY3jBXA+muuiYkFdwGd03/ArDvt/QXSkH8jxEVo0+DHcOzCZMhbbqx VcorELLLfsA2EaL2hayK3g3OTkXf9vQBwyzjNXaDIyXcausHlmtmZ9hXYGwom+2DIeDXtktPgb9o wEQM5OSkf+F9AQJfqzlsBe1XYxdze7B8FTrS8i7Yq4avjXgepGK+g7ggt+HN4+kbwNUu635yb1DO KgvTPwZbF/uX2nzwbVGuWBaAt6x/j78b2EVLknYIpPWBee6i4PtQqaCXBr2+XIF8UG5rfdVQ0J8y xfEhKH11k/40aMe0TZoIwiXBYPSDIior5Ef4yfXPUuDoFjjSDx4jV3COawEFuczVqlWrVq3av9++ II+Hqq9WfbXqq7CUpSwFGMIQhjyq1CBBgjwOnniiVKmICLhzJyUlIwPi4hISoqIenwNdQIHDfP/+ b3oK9D5IxYrFi0dEwOnTt25lZoIohoaGhEBY2KBB8+f/cfzD2v/ZOF33eDwe0LTc3Lw8qFKlePHI yD9eFxpqNMryb6/m9vshIeG3BIqwMItFkiArSxQlCYoXDw3Ny4O6dRMTbTaQJEEQ/4udeLdu/aY3 P1/XZRlycjweVYWUlNxcv79Q7+PmkVM17jW4+O6NLRC5/okpxUZAIN3TSS0BSqYaGxgFpt7Globj oMuKy2eD3JG7ux4KgbxZ+ldyVShy+bmqz7SBbE+O51598C1XhimjwZRt/EasBmffuJzwawrkXlJf y38ZypSKXl6qKySokWsq5sLpThecx/Pg3Pt3/RcuwcUzd09LdaDKmxU/avkC1JlQKbPYaHjiWNQG oSUIJQ0dxWIgbtS36CtAn6I1U2+Dniq2EdJA7CYUNzQGIVXcoz8Pqabs65cGQHoX76wbZSFiWES7 kF6gfep0ZU+BcIvJWfEDCJ3j6FWuHvjaaRXcF4APBFmUQdhFitwLxC+0iMAwUGboP2ttQNTFqoY3 gEQ9WksF4St9nn4a1HS9gZAAVGSfFAW2LyxV5EawKnRGn0/uwrq2R403+oCeYJsedRHck72NA/VA Xe8ukfsr6Bc9M/OugShrp/xLwfqenCfNAPMuexd7PjgsDot1NoSMsL5kPg3m6WaTQQbDCHmU+hxo v5KiGcBfWv1Y8YJ+UiuldAdtnnY60A0CJuVpVQNPNe/r/tEgrJSThedBmivEiTVBmiYsEC6BtkBr IQhgcpveN+4BbaPQXPsFTFXEZ4wvgSHf/JP1SdDCWSOcA21SoKGYCt7K3mZaeXDu9RbzByAwKrA1 kAFqPWmR8BZIMcYjtuNgHG8JN+ZDdJmQuhagiC92kO0S3AncfyPjZ8hXciqkfwHZtVMTLnaG3Pw0 j386qMfYFPgV5DiljZYEoklcaWoArDaa5QiQPxTXSUVBf4d3pHfAP0Ety7ugf0K+PhYQaCScBD1B +EVcAXwgbpHmgy5rp/RaoL0l3BB3gp4hnpOnwY/dfh75/bbHv3CDBAkSJMh/BllZOTlOJ/Tu/c47 X38N589fuZL2ODZZPIQKFcqUiYmBxYunTn35ZYiICAv7/ZtJ09Nzc51OeOGF0aMXLoSTJ69c+Ufn RD8uqlUrUyY+Hn76aeLEfv0gOjo09Pf2ZGf/Fjv+4IMzZ5KTIS3tt8jzv4uYGKtVluHDDytXLlIE wsMfjwP92FI15HGO74xrITA9p26+G/RXsr/N2QXCeFeKywr66LLzSrUEtbS7j3s5OItvPvfr2xBm fvHtdvkg7LMkCMchYaLxlaIDIHuQu0qeHU5kHNcOzABLWaMx9CXw7LOt0W9B1A5ryfiGYHjHWC68 LuxI2xV+pzfcGyH8cLczuCOkdYEbsPXYrvPfXwBfJz9dv4ZSiY3XF68HFpfpPD1B3a+9LnpAOCXe FeaAOFLYI3UELZcP/QkgL6Ce+Qy4a+f5svrD5dVXeh4vBcphfbphPugLTcM1H0SfiohMvggVtxf5 3JcE0cnWxom7AIs42OAB/RsRrSEwSdgshoAALY2tQPhQr65WAH0dPdgAbBeWChNBDBduUwy0mXRS AhDQlCLaQRAq+nPzdRA3ZDS5DsjjtLnq+yD3MXe1bwDthbASkZdA+SWkasRVUHv5Bef34O/v25zf AZTowBitJgQ2ZE3Lugg5zqxn5PZgqm/8UHwHzBbTDkt7MFUyDDeVBjHcNE/aANINSZYPglTXUM66 E4x75CZiezCYQ/YSAGSe01JA8DJBXAJCiC7pG0Brqt+iLChD9VStD6jllEgWQX5zpQyvgG9tTh9v LHh7B6YoIgTEQAnlAqhH2ctZkNeYks3zwLjUusI2FYwdzA2sByFulH25cSnU6FxuZtQaqPFdzZcr z4C4z5Iul5oCm9/dOuvrkpD6Rt6km6WheoOavrZtYPWmNfd+HgL6Zs+rhpLQ9Lsqteqnw5W4sx0y ysKxb4+VO18B7izKisgaA77nlcFKF7CMNS0z9wL5mOFVQz/QKqpF9HdBraV9qZwA/WthgPgtiM31 7mIoaJf1u5oBtOP6PnUU0O3f9+UQJEiQIEH+fgoc1/Xr589/7bW/25pCx/XQoc8/f/PNv9uaQsd1 9ux/vInv/zUe2XG2zFcm+1tBYPnNvHvrgUhfC08V0J7xFvG/CMbdQpuSa4BQ1yzXz8AW//XAEjB9 EhMZUg0My5kmb4TMt9xrMwQ4vv748H2zIGGmcVvcW+BKNjd3hUNYmjDCkQixm+JKFO8Fp05d+zJN BPF0yODEBaAvylyTEgpFi5QfXqUtpNS43ufKXLiw4Kr3WgYc2ZLUPiIBnutScaa9FwRWBZb5JoG8 zRRheRbUw9p6bwoIp4Q5pqJAX72MEA6GDywTTbsgpkQFrQyQfPiU58owKLVbiohbCfZLrkhLW7iW unn3qjiwzy2dVq0NCOuEjlIS6LdZL7cHw4ii28t0Bfmd6OwST4O+XW/IPGCF0JNs0Bfq59FBSGYU R0GsqUcLpcDQUE9QPwDha22x2hVcXzmfzLwP8qvKbk9pEDuZdzs2gBxj2R8RDcY8y4XISyDWsMyx /Qimn0Pd4QJoU5z9s2LBixKrzYXA+/o9LQe0Q3pxTQdnc89az3EQX3b58y+DIqm79ItAc93NGRBW CWfESWBcyBPCedB3in3oA/qrwiLBBUJDFgsJoM/nJ3E16JOEhYSA1l9/VtkHepjwnlgG9NeEovJd ENZK2+UWIJ00HDMcBPlkSIOwW2CZZplm+xnMDuMa80GIy7S6tZ1Qo2nx2hY7VGtVu0rVZyBud1m5 hgTKIuGcORoCJ/WZ7ISG79Z3dxkHziLOQKN3IaJXwmulP4doS/eFZfeAfaGjTBkZQi+F9S7+HlTI rDntbj9I2lq967mh8L17+a0Nt8H/Xn7OOQ8kd0z9OrsiqD3FaZITjA6zZj0KhkRpiWE+yGZpofgM 0A2n2Bn0VWq8dga0gcpx/TMAytHo717mQYIECRIkSJDHwSM7ztIG+Yh0GnS3o77tRxA2xaTFjgKh AxeETKCS7JebgG/5nbjrN0DuEvVq+BiQ34+JiP0WPCGB+/nVIW90XvK9QVB9a+W6dRdCdP/w6fE2 OJB+vvGG0RAebeseMwn0dvJ1w5twbuDx6jt2gXGmtW3xxVB8pu3L8tFQa1vZq0/Z4EKDyJ4lAeF5 9UvtaaiaUdYTKYBvtOvZ9PdAeMvTOKslaKtk1VYcxOXW/jYf6I0MecYfQLpk3ihGQ8rAE/LVSpBy Nve9C+3AtiD+Q1MWRKRGNU6aCeXfr+xrOQQ85orV7vpBT86qda8I+Bbc63zjB9CTXO/lVAVVCi/v WAuGZyPio/OAJ4RhodWAs/RT5oH+POcYDZwimZWgtRR+5EPwfeLvoDcDX75/A07QBsh3DZ3Bezuw yL0MMHgPu7eDkJe7KvMXMOWbsu/bwNrSPibMD8W2FEuMSoH20X3rN6sC99Pv3c5+CW6vuBZ/Nx9u 988Y7OoJmZ+5SwSmQv5J/0KhDrhz9HPKSRBaq5H6SAiEqmjx4D6hpmvdgSeEcfp60KOFPcwD1vIh mSDGiEPFp0CMMnxg+AGEDVKk4RuQ1xlaGxuANEPOkCeCPMLgMb4PhiTxLXk5MJ7OPAuGaNUaSAdt WkbD+9XhueLPdyjVHJ5+tg3tS4L3PbF11E3wzQ+M9UaDflj8wtcMxFjpstgZpBfNYbZFEDVKrmDJ B30MVc2LIbFY0b1NxkHApExVtoI/03/ZfxyM79t2m1tA4Lw6OKwtPP1q9XZVfBA/Jyyj2KuQfNC9 TX8Jtp/b8uleF6TMyXzj7i7wmA1n5fVgEZSvTMfBtNJU07gBxEPiPvEoyBGGJ+Xfjs8JxpyDBAkS JEiQ/yE8co5zkCBBggQJEiRIkCD/kynIcX7kNwcGCRIkSJAgQYIECfK/gaDjHCRIkCBBggQJEiTI nyDoOAcJEiRIkCBBggQJ8icIOs5BggQJEiRIkCBBgvwJgo5zkCBBggQJEiRIkCB/gv//OLqC3YJB ggQJEiRIkCBBggT5I/8fGIb3tyeqXWgAAAAASUVORK5C YII= ----_com.android.email_2956891593283311-- ----_com.android.email_2956890847555390-- From nobody Thu Apr 3 07:51:29 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B66CB1A01EF for ; Thu, 3 Apr 2014 07:51:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.209 X-Spam-Level: X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M8I3HNZ_HOOI for ; Thu, 3 Apr 2014 07:51:15 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id D666C1A01D7 for ; Thu, 3 Apr 2014 07:51:14 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 825621F039D; Thu, 3 Apr 2014 10:51:10 -0400 (EDT) Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 66EFD1F066F; Thu, 3 Apr 2014 10:51:10 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 3 Apr 2014 10:51:10 -0400 Message-ID: <533D754F.6010909@mitre.org> Date: Thu, 3 Apr 2014 10:50:55 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Torsten Lodderstedt , George Fletcher , Phil Hunt References: In-Reply-To: Content-Type: multipart/alternative; boundary="------------080800060609010407040808" X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/P91sJsXbw_WHdIBbXLLhtIMzQlQ Cc: OAuth WG Subject: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 14:51:25 -0000 --------------080800060609010407040808 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 8bit This is the question I had. The spec says not to share refresh tokens across clients, so it all depends on whether or not you consider a new version a new client. I've usually seen client_id stay the same across versions, since it's considered "the same client", but you could easily consider the new client_id an alias of the old client_id and consider the two of them flavors of "the same client". Another option is to put all existing refresh tokens into a one-time-use bucket when the upgrade happens, so that the client gets issued a new refresh token the first time (and last time) it uses the old token with the new client_id. -- Justin On 04/03/2014 10:43 AM, Torsten Lodderstedt wrote: > Hi George, > > if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id? > > regards, > Torsten. > > -------- Ursprüngliche Nachricht -------- > Von: George Fletcher > Datum:03.04.2014 15:43 (GMT+01:00) > An: Torsten Lodderstedt ,Phil Hunt > Cc: OAuth WG > Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change > > Hi Torsten, > > We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind). > > Andre got me thinking about this and here is what I'm leaning towards implementing in our system. > > Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token). > > This allows the AS to do the following checks... > 1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything). > 2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token > 3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced > 4. Verify the audience of the JWT > > If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id. > > Interested in feedback as to the viability of this. > > Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure a more secure internet for all of us. > > Thanks, > George > > On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote: > Hi Andre, > > I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens. > > Some further questions/remarks: > - if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother > - public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10) > > Regards, > Torsten. > > Am 03.04.2014 um 00:51 schrieb Phil Hunt : > > I don't see a strong reason to standardize behaviour here. But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens. > > Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond "good practice". > > One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid. > > If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state. Thus you could avoid re-authenticating the user and simply ask about the new scopes. > > Phil > > @independentid > www.independentid.com > phil.hunt@oracle.com > > On Apr 2, 2014, at 1:37 PM, André DeMarre wrote: > > We have a mobile app which operates as an OAuth 2.0 public client > (w/client credentials). It uses the resource owner password > credentials grant type for authorized communication with our resource > servers. > > We are working on a software update and want to change the registered > client_id and client_secret for the new app version (register a new > client at the auth server). The problem is that after the app updates > on users' devices, it will inherit the app data of the previous > version, including the access and refresh tokens. > > Since the token scope issued to the new client might be different, we > know that we want the new app version to discard the previous > version's access tokens. But what about the refresh token? > Technically, the new version of the app will be a different client, > but the core OAuth spec section 6 says "the refresh token is bound to > the client to which it was issued." So what should we do? > > We can program the app to discard the previous version's refresh > token, but that would inconvenience our users to re-enter their > password after the software update. > > I'm tempted to allow the new client to use the refresh token issued to > the previous client, but that violates the spec. > > Does the OAuth community have any insight here? Thank you. > > Kind Regards, > Andre DeMarre > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > Hi George, > > if you want to effectively preseve the refresh token, why doesn't the > AS just treat the new client id as an alias of the the old client id? > > regards, > Torsten. > > > -------- Ursprüngliche Nachricht -------- > Von: George Fletcher > Datum:03.04.2014 15:43 (GMT+01:00) > An: Torsten Lodderstedt ,Phil Hunt > Cc: OAuth WG > Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after > software update with client credential change > > Hi Torsten, > > We actually have the same issue. Deployed clients in the field where > we want to update the client_id and doing so invalidates the existing > refresh_token stored with the client. From a user experience > perspective, this is a pain and from a risk perspective I think it's > fine to effectively do a "token exchange" from the old refresh_token > to the new one (with the appropriate security considerations in mind). > > Andre got me thinking about this and here is what I'm leaning towards > implementing in our system. > > Use the JWT Client Assertion flow requesting an authorization grant > for the existing user. The JWT would contain an "iss" of the new > client_id, a "sub" of the userid the client should already know about, > an "aud" of the Authorization Server, a short lived "exp" value as > this is effectively a one-time token exchange, and an additional claim > of the old refresh_token. Maybe an additional claim with the old > client_id as well (still thinking about that as the client_id is > already associated with the refresh_token). > > This allows the AS to do the following checks... > 1. Make sure the assertion is being presented by the new client (the > level of surety is based on the risk associated with the client. If > the client is provisioned with additional keys some how that's much > stronger than just using a client_secret which, as you point out, > doesn't really prove anything). > 2. Verify that the "sub" value in the JWT is the same as that > identified by the refresh_token > 3. Verify that the client_id defined as the "issuer" is allowed to > make this token exchange call and that the client_id in the > refresh_token is one of those being replaced > 4. Verify the audience of the JWT > > If all the checks pass, then a new refresh_token can be issued, with > exactly the same scopes as the "old" refresh_token (no ability in this > flow to change scopes). The semantics of the refresh_token (e.g. authN > time, expiry time, etc) need to be copied to the new refresh_token. In > other words there should be no way to "extend" the lifetime of the > refresh_token via this mechanism. It's purely a token exchange to > provide a new refresh_token mapped to the new client_id. > > Interested in feedback as to the viability of this. > > Phil, I agree this doesn't need to be standardized, and I would like > to see the community start collecting some "best practices" to help > others that come across the same use case. It will ensure a more > secure internet for all of us. > > Thanks, > George > > On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote: >> Hi Andre, >> >> I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens. >> >> Some further questions/remarks: >> - if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother >> - public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10) >> >> Regards, >> Torsten. >> >>> Am 03.04.2014 um 00:51 schrieb Phil Hunt: >>> >>> I don't see a strong reason to standardize behaviour here. But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens. >>> >>> Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond "good practice". >>> >>> One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid. >>> >>> If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state. Thus you could avoid re-authenticating the user and simply ask about the new scopes. >>> >>> Phil >>> >>> @independentid >>> www.independentid.com >>> phil.hunt@oracle.com >>> >>>> On Apr 2, 2014, at 1:37 PM, André DeMarre wrote: >>>> >>>> We have a mobile app which operates as an OAuth 2.0 public client >>>> (w/client credentials). It uses the resource owner password >>>> credentials grant type for authorized communication with our resource >>>> servers. >>>> >>>> We are working on a software update and want to change the registered >>>> client_id and client_secret for the new app version (register a new >>>> client at the auth server). The problem is that after the app updates >>>> on users' devices, it will inherit the app data of the previous >>>> version, including the access and refresh tokens. >>>> >>>> Since the token scope issued to the new client might be different, we >>>> know that we want the new app version to discard the previous >>>> version's access tokens. But what about the refresh token? >>>> Technically, the new version of the app will be a different client, >>>> but the core OAuth spec section 6 says "the refresh token is bound to >>>> the client to which it was issued." So what should we do? >>>> >>>> We can program the app to discard the previous version's refresh >>>> token, but that would inconvenience our users to re-enter their >>>> password after the software update. >>>> >>>> I'm tempted to allow the new client to use the refresh token issued to >>>> the previous client, but that violates the spec. >>>> >>>> Does the OAuth community have any insight here? Thank you. >>>> >>>> Kind Regards, >>>> Andre DeMarre >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > -- > George Fletcher > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------080800060609010407040808 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit This is the question I had. The spec says not to share refresh tokens across clients, so it all depends on whether or not you consider a new version a new client. I've usually seen client_id stay the same across versions, since it's considered "the same client", but you could easily consider the new client_id an alias of the old client_id and consider the two of them flavors of "the same client".

Another option is to put all existing refresh tokens into a one-time-use bucket when the upgrade happens, so that the client gets issued a new refresh token the first time (and last time) it uses the old token with the new client_id.

 -- Justin

On 04/03/2014 10:43 AM, Torsten Lodderstedt wrote:
Hi George,

if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id?

regards,
Torsten.

-------- Ursprüngliche Nachricht --------
Von: George Fletcher <gffletch@aol.com> 
Datum:03.04.2014  15:43  (GMT+01:00) 
An: Torsten Lodderstedt <torsten@lodderstedt.net>,Phil Hunt <phil.hunt@oracle.com> 
Cc: OAuth WG <oauth@ietf.org> 
Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change 

Hi Torsten,

We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind).

Andre got me thinking about this and here is what I'm leaning towards implementing in our system.

Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token).

This allows the AS to do the following checks...
1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything).
2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token
3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced
4. Verify the audience of the JWT

If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id.

Interested in feedback as to the viability of this.

Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure       a more secure internet for all of us.

Thanks,
George

On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote:
Hi Andre,

I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens.

Some further questions/remarks:
- if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother
- public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10)

Regards,
Torsten.

Am 03.04.2014 um 00:51 schrieb Phil Hunt <phil.hunt@oracle.com>:

I don’t see a strong reason to standardize behaviour here.  But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens.

Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond “good practice”.

One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid.

If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state.  Thus you could avoid re-authenticating the user and simply ask about the new scopes.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On Apr 2, 2014, at 1:37 PM, André DeMarre <andredemarre@gmail.com> wrote:

We have a mobile app which operates as an OAuth 2.0 public client
(w/client credentials). It uses the resource owner password
credentials grant type for authorized communication with our resource
servers.

We are working on a software update and want to change the registered
client_id and client_secret for the new app version (register a new
client at the auth server). The problem is that after the app updates
on users' devices, it will inherit the app data of the previous
version, including the access and refresh tokens.

Since the token scope issued to the new client might be different, we
know that we want the new app version to discard the previous
version's access tokens. But what about the refresh token?
Technically, the new version of the app will be a different client,
but the core OAuth spec section 6 says "the refresh token is bound to
the client to which it was issued." So what should we do?

We can program the app to discard the previous version's refresh
token, but that would inconvenience our users to re-enter their
password after the software update.

I'm tempted to allow the new client to use the refresh token issued to
the previous client, but that violates the spec.

Does the OAuth community have any insight here? Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Hi George,

if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id?

regards,
Torsten.


-------- Ursprüngliche Nachricht --------
Von: George Fletcher
Datum:03.04.2014 15:43 (GMT+01:00)
An: Torsten Lodderstedt ,Phil Hunt
Cc: OAuth WG
Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change

Hi Torsten,

We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind).

Andre got me thinking about this and here is what I'm leaning towards implementing in our system.

Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token).

This allows the AS to do the following checks...
1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything).
2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token
3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced
4. Verify the audience of the JWT

If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id.

Interested in feedback as to the viability of this.

Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure a more secure internet for all of us.

Thanks,
George
On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote:
Hi Andre,

I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens.

Some further questions/remarks:
- if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother
- public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10)

Regards,
Torsten.


Am 03.04.2014 um 00:51 schrieb Phil Hunt <phil.hunt@oracle.com>:

I don’t see a strong reason to standardize behaviour here.  But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens.

Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond “good practice”.

One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid.

If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state.  Thus you could avoid re-authenticating the user and simply ask about the new scopes.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com


On Apr 2, 2014, at 1:37 PM, André DeMarre <andredemarre@gmail.com> wrote:

We have a mobile app which operates as an OAuth 2.0 public client
(w/client credentials). It uses the resource owner password
credentials grant type for authorized communication with our resource
servers.

We are working on a software update and want to change the registered
client_id and client_secret for the new app version (register a new
client at the auth server). The problem is that after the app updates
on users' devices, it will inherit the app data of the previous
version, including the access and refresh tokens.

Since the token scope issued to the new client might be different, we
know that we want the new app version to discard the previous
version's access tokens. But what about the refresh token?
Technically, the new version of the app will be a different client,
but the core OAuth spec section 6 says "the refresh token is bound to
the client to which it was issued." So what should we do?

We can program the app to discard the previous version's refresh
token, but that would inconvenience our users to re-enter their
password after the software update.

I'm tempted to allow the new client to use the refresh token issued to
the previous client, but that violates the spec.

Does the OAuth community have any insight here? Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
George Fletcher


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------080800060609010407040808-- From nobody Thu Apr 3 08:24:29 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29D171A026A for ; Thu, 3 Apr 2014 08:24:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.799 X-Spam-Level: X-Spam-Status: No, score=-1.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cIqHf2mlCEA0 for ; Thu, 3 Apr 2014 08:24:19 -0700 (PDT) Received: from omr-m10.mx.aol.com (omr-m10.mx.aol.com [64.12.143.86]) by ietfa.amsl.com (Postfix) with ESMTP id E378A1A0204 for ; Thu, 3 Apr 2014 08:24:18 -0700 (PDT) Received: from mtaout-mbc02.mx.aol.com (mtaout-mbc02.mx.aol.com [172.26.221.142]) by omr-m10.mx.aol.com (Outbound Mail Relay) with ESMTP id A24EA700000A2; Thu, 3 Apr 2014 11:24:14 -0400 (EDT) Received: from [10.172.4.228] (unknown [10.172.4.228]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mbc02.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 86A20380000AB; Thu, 3 Apr 2014 11:24:13 -0400 (EDT) Message-ID: <533D7D1D.3020103@aol.com> Date: Thu, 03 Apr 2014 11:24:13 -0400 From: George Fletcher Organization: AOL LLC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Justin Richer , Torsten Lodderstedt , Phil Hunt References: <533D754F.6010909@mitre.org> In-Reply-To: <533D754F.6010909@mitre.org> Content-Type: multipart/alternative; boundary="------------040604080902070705030802" x-aol-global-disposition: G X-AOL-VSS-INFO: 5600.1067/97356 X-AOL-VSS-CODE: clean DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1396538654; bh=wZv7Iplw59apNpYtEFo/rMB092mBJZuoAROmMXMElXc=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=ZbUZDa/g7a1E/9gaE0KkuyXmvC9ChG++kSkoTv9nAlHnfRJxY0zGpTG2ZIzGbSiVh kRyAq5OEXV0Hq1wnl1o5I+XATt5tN+9Fo8t0ioI9vqyHW5T3LwwSB6l1AriMdTVnkA jVQK+XvykQYcxBA/K2MSa5tckt87UIU6RHnEBYM4= x-aol-sid: 3039ac1add8e533d7d1d1abd X-AOL-IP: 10.172.4.228 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Kt4a7DVbHqNaS84jVRYPezVXbFc Cc: OAuth WG Subject: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 15:24:26 -0000 This is a multi-part message in MIME format. --------------040604080902070705030802 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Comments inline... On 4/3/14, 10:50 AM, Justin Richer wrote: > This is the question I had. The spec says not to share refresh tokens > across clients, so it all depends on whether or not you consider a new > version a new client. I've usually seen client_id stay the same across > versions, since it's considered "the same client", but you could > easily consider the new client_id an alias of the old client_id and > consider the two of them flavors of "the same client". There are times where you want to track the change of semantics within a client. But yes, as Torsten says, we could treat the new client_id as an "alias" of the old client_id and issue a new set of tokens (refresh and access). I lose the ability to do the "sub" check (though that could be an additional parameter on the refresh_token call). Note that it also requires the client to be able to handle getting both a refresh_token and access_token on the response. That would be good client behavior anyway. And I agree that at token exchange time, the old refresh_token (and it's access tokens) would be revoked. > > Another option is to put all existing refresh tokens into a > one-time-use bucket when the upgrade happens, so that the client gets > issued a new refresh token the first time (and last time) it uses the > old token with the new client_id. > > -- Justin > > On 04/03/2014 10:43 AM, Torsten Lodderstedt wrote: >> Hi George, >> >> if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id? >> >> regards, >> Torsten. >> >> -------- Ursprüngliche Nachricht -------- >> Von: George Fletcher >> Datum:03.04.2014 15:43 (GMT+01:00) >> An: Torsten Lodderstedt,Phil Hunt >> Cc: OAuth WG >> Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change >> >> Hi Torsten, >> >> We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind). >> >> Andre got me thinking about this and here is what I'm leaning towards implementing in our system. >> >> Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token). >> >> This allows the AS to do the following checks... >> 1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything). >> 2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token >> 3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced >> 4. Verify the audience of the JWT >> >> If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id. >> >> Interested in feedback as to the viability of this. >> >> Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure a more secure internet for all of us. >> >> Thanks, >> George >> >> On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote: >> Hi Andre, >> >> I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens. >> >> Some further questions/remarks: >> - if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother >> - public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10) >> >> Regards, >> Torsten. >> >> Am 03.04.2014 um 00:51 schrieb Phil Hunt: >> >> I don't see a strong reason to standardize behaviour here. But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens. >> >> Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond "good practice". >> >> One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid. >> >> If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state. Thus you could avoid re-authenticating the user and simply ask about the new scopes. >> >> Phil >> >> @independentid >> www.independentid.com >> phil.hunt@oracle.com >> >> On Apr 2, 2014, at 1:37 PM, André DeMarre wrote: >> >> We have a mobile app which operates as an OAuth 2.0 public client >> (w/client credentials). It uses the resource owner password >> credentials grant type for authorized communication with our resource >> servers. >> >> We are working on a software update and want to change the registered >> client_id and client_secret for the new app version (register a new >> client at the auth server). The problem is that after the app updates >> on users' devices, it will inherit the app data of the previous >> version, including the access and refresh tokens. >> >> Since the token scope issued to the new client might be different, we >> know that we want the new app version to discard the previous >> version's access tokens. But what about the refresh token? >> Technically, the new version of the app will be a different client, >> but the core OAuth spec section 6 says "the refresh token is bound to >> the client to which it was issued." So what should we do? >> >> We can program the app to discard the previous version's refresh >> token, but that would inconvenience our users to re-enter their >> password after the software update. >> >> I'm tempted to allow the new client to use the refresh token issued to >> the previous client, but that violates the spec. >> >> Does the OAuth community have any insight here? Thank you. >> >> Kind Regards, >> Andre DeMarre >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> Hi George, >> >> if you want to effectively preseve the refresh token, why doesn't the >> AS just treat the new client id as an alias of the the old client id? >> >> regards, >> Torsten. >> >> >> -------- Ursprüngliche Nachricht -------- >> Von: George Fletcher >> Datum:03.04.2014 15:43 (GMT+01:00) >> An: Torsten Lodderstedt ,Phil Hunt >> Cc: OAuth WG >> Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after >> software update with client credential change >> >> Hi Torsten, >> >> We actually have the same issue. Deployed clients in the field where >> we want to update the client_id and doing so invalidates the existing >> refresh_token stored with the client. From a user experience >> perspective, this is a pain and from a risk perspective I think it's >> fine to effectively do a "token exchange" from the old refresh_token >> to the new one (with the appropriate security considerations in mind). >> >> Andre got me thinking about this and here is what I'm leaning towards >> implementing in our system. >> >> Use the JWT Client Assertion flow requesting an authorization grant >> for the existing user. The JWT would contain an "iss" of the new >> client_id, a "sub" of the userid the client should already know >> about, an "aud" of the Authorization Server, a short lived "exp" >> value as this is effectively a one-time token exchange, and an >> additional claim of the old refresh_token. Maybe an additional claim >> with the old client_id as well (still thinking about that as the >> client_id is already associated with the refresh_token). >> >> This allows the AS to do the following checks... >> 1. Make sure the assertion is being presented by the new client (the >> level of surety is based on the risk associated with the client. If >> the client is provisioned with additional keys some how that's much >> stronger than just using a client_secret which, as you point out, >> doesn't really prove anything). >> 2. Verify that the "sub" value in the JWT is the same as that >> identified by the refresh_token >> 3. Verify that the client_id defined as the "issuer" is allowed to >> make this token exchange call and that the client_id in the >> refresh_token is one of those being replaced >> 4. Verify the audience of the JWT >> >> If all the checks pass, then a new refresh_token can be issued, with >> exactly the same scopes as the "old" refresh_token (no ability in >> this flow to change scopes). The semantics of the refresh_token (e.g. >> authN time, expiry time, etc) need to be copied to the new >> refresh_token. In other words there should be no way to "extend" the >> lifetime of the refresh_token via this mechanism. It's purely a token >> exchange to provide a new refresh_token mapped to the new client_id. >> >> Interested in feedback as to the viability of this. >> >> Phil, I agree this doesn't need to be standardized, and I would like >> to see the community start collecting some "best practices" to help >> others that come across the same use case. It will ensure a more >> secure internet for all of us. >> >> Thanks, >> George >> >> On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote: >>> Hi Andre, >>> >>> I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens. >>> >>> Some further questions/remarks: >>> - if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother >>> - public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10) >>> >>> Regards, >>> Torsten. >>> >>>> Am 03.04.2014 um 00:51 schrieb Phil Hunt: >>>> >>>> I don't see a strong reason to standardize behaviour here. But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens. >>>> >>>> Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond "good practice". >>>> >>>> One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid. >>>> >>>> If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state. Thus you could avoid re-authenticating the user and simply ask about the new scopes. >>>> >>>> Phil >>>> >>>> @independentid >>>> www.independentid.com >>>> phil.hunt@oracle.com >>>> >>>>> On Apr 2, 2014, at 1:37 PM, André DeMarre wrote: >>>>> >>>>> We have a mobile app which operates as an OAuth 2.0 public client >>>>> (w/client credentials). It uses the resource owner password >>>>> credentials grant type for authorized communication with our resource >>>>> servers. >>>>> >>>>> We are working on a software update and want to change the registered >>>>> client_id and client_secret for the new app version (register a new >>>>> client at the auth server). The problem is that after the app updates >>>>> on users' devices, it will inherit the app data of the previous >>>>> version, including the access and refresh tokens. >>>>> >>>>> Since the token scope issued to the new client might be different, we >>>>> know that we want the new app version to discard the previous >>>>> version's access tokens. But what about the refresh token? >>>>> Technically, the new version of the app will be a different client, >>>>> but the core OAuth spec section 6 says "the refresh token is bound to >>>>> the client to which it was issued." So what should we do? >>>>> >>>>> We can program the app to discard the previous version's refresh >>>>> token, but that would inconvenience our users to re-enter their >>>>> password after the software update. >>>>> >>>>> I'm tempted to allow the new client to use the refresh token issued to >>>>> the previous client, but that violates the spec. >>>>> >>>>> Does the OAuth community have any insight here? Thank you. >>>>> >>>>> Kind Regards, >>>>> Andre DeMarre >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> -- >> George Fletcher >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > -- George Fletcher --------------040604080902070705030802 Content-Type: multipart/related; boundary="------------060806010707000809090802" --------------060806010707000809090802 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Comments inline...
On 4/3/14, 10:50 AM, Justin Richer wrote:
This is the question I had. The spec says not to share refresh tokens across clients, so it all depends on whether or not you consider a new version a new client. I've usually seen client_id stay the same across versions, since it's considered "the same client", but you could easily consider the new client_id an alias of the old client_id and consider the two of them flavors of "the same client".
There are times where you want to track the change of semantics within a client. But yes, as Torsten says, we could treat the new client_id as an "alias" of the old client_id and issue a new set of tokens (refresh and access). I lose the ability to do the "sub" check (though that could be an additional parameter on the refresh_token call). Note that it also requires the client to be able to handle getting both a refresh_token and access_token on the response. That would be good client behavior anyway.

And I agree that at token exchange time, the old refresh_token (and it's access tokens) would be revoked.

Another option is to put all existing refresh tokens into a one-time-use bucket when the upgrade happens, so that the client gets issued a new refresh token the first time (and last time) it uses the old token with the new client_id.

 -- Justin

On 04/03/2014 10:43 AM, Torsten Lodderstedt wrote:
Hi George,

if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id?

regards,
Torsten.

-------- Ursprüngliche Nachricht --------
Von: George Fletcher <gffletch@aol.com> 
Datum:03.04.2014  15:43  (GMT+01:00) 
An: Torsten Lodderstedt <torsten@lodderstedt.net>,Phil Hunt <phil.hunt@oracle.com> 
Cc: OAuth WG <oauth@ietf.org> 
Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change 

Hi Torsten,

We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind).

Andre got me thinking about this and here is what I'm leaning towards implementing in our system.

Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token).

This allows the AS to do the following checks...
1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything).
2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token
3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced
4. Verify the audience of the JWT

If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id.

Interested in feedback as to the viability of this.

Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure       a more secure internet for all of us.

Thanks,
George

On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote:
Hi Andre,

I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens.

Some further questions/remarks:
- if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother
- public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10)

Regards,
Torsten.

Am 03.04.2014 um 00:51 schrieb Phil Hunt <phil.hunt@oracle.com>:

I don’t see a strong reason to standardize behaviour here.  But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens.

Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond “good practice”.

One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid.

If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state.  Thus you could avoid re-authenticating the user and simply ask about the new scopes.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On Apr 2, 2014, at 1:37 PM, André DeMarre <andredemarre@gmail.com> wrote:

We have a mobile app which operates as an OAuth 2.0 public client
(w/client credentials). It uses the resource owner password
credentials grant type for authorized communication with our resource
servers.

We are working on a software update and want to change the registered
client_id and client_secret for the new app version (register a new
client at the auth server). The problem is that after the app updates
on users' devices, it will inherit the app data of the previous
version, including the access and refresh tokens.

Since the token scope issued to the new client might be different, we
know that we want the new app version to discard the previous
version's access tokens. But what about the refresh token?
Technically, the new version of the app will be a different client,
but the core OAuth spec section 6 says "the refresh token is bound to
the client to which it was issued." So what should we do?

We can program the app to discard the previous version's refresh
token, but that would inconvenience our users to re-enter their
password after the software update.

I'm tempted to allow the new client to use the refresh token issued to
the previous client, but that violates the spec.

Does the OAuth community have any insight here? Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Hi George,

if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id?

regards,
Torsten.


-------- Ursprüngliche Nachricht --------
Von: George Fletcher
Datum:03.04.2014 15:43 (GMT+01:00)
An: Torsten Lodderstedt ,Phil Hunt
Cc: OAuth WG
Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change

Hi Torsten,

We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind).

Andre got me thinking about this and here is what I'm leaning towards implementing in our system.

Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token).

This allows the AS to do the following checks...
1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything).
2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token
3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced
4. Verify the audience of the JWT

If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id.

Interested in feedback as to the viability of this.

Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure a more secure internet for all of us.

Thanks,
George
On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote:
Hi Andre,

I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens.

Some further questions/remarks:
- if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother
- public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10)

Regards,
Torsten.


Am 03.04.2014 um 00:51 schrieb Phil Hunt <phil.hunt@oracle.com>:

I don’t see a strong reason to standardize behaviour here.  But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens.

Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond “good practice”.

One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid.

If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state.  Thus you could avoid re-authenticating the user and simply ask about the new scopes.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com


On Apr 2, 2014, at 1:37 PM, André DeMarre <andredemarre@gmail.com> wrote:

We have a mobile app which operates as an OAuth 2.0 public client
(w/client credentials). It uses the resource owner password
credentials grant type for authorized communication with our resource
servers.

We are working on a software update and want to change the registered
client_id and client_secret for the new app version (register a new
client at the auth server). The problem is that after the app updates
on users' devices, it will inherit the app data of the previous
version, including the access and refresh tokens.

Since the token scope issued to the new client might be different, we
know that we want the new app version to discard the previous
version's access tokens. But what about the refresh token?
Technically, the new version of the app will be a different client,
but the core OAuth spec section 6 says "the refresh token is bound to
the client to which it was issued." So what should we do?

We can program the app to discard the previous version's refresh
token, but that would inconvenience our users to re-enter their
password after the software update.

I'm tempted to allow the new client to use the refresh token issued to
the previous client, but that violates the spec.

Does the OAuth community have any insight here? Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
George Fletcher


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--
George Fletcher
--------------060806010707000809090802 Content-Type: image/png; name="XeC" Content-Transfer-Encoding: base64 Content-ID: Content-Disposition: inline; filename="XeC" iVBORw0KGgoAAAANSUhEUgAAAWcAAABxEAYAAABZ0L78AAAABmJLR0TIyMjIyMhnRJJpAAAA CXBIWXMAAABIAAAASABGyWs+AACAAElEQVR42uzddYAUV77w/W9VtY67wuDu7u5uQYMEhxAk uBMSLBA0IWgCCa4JDoHB3SHI4AzMMMO49bRWnfePe7mzz+7m2eyGvbn3efvzz9DVVb86p7pO 86tTp05Lly9fvnz5shC4ubm5ubm5ubm5uf0m3bt/1KhRo0aNGn92cdzc3Nzc3Nzc3Nz+Z7ly 5cqVK1dA/rML4ubm5ubm5ubm5va/gTtxdnNzc3Nzc3Nzc/sd3Imzm5ubm5ubm5ub2+/gTpzd 3Nzc3Nzc3Nzcfgd34uzm5ubm5ubm5ub2O+j+aACr1W632f7zhQw40JEEUii7pAYgxkhhkh9o B5zFHWFAjKWodQOI0pauqeXBVvNt0isv0K8L8Pc7BsbcoGuRs8DV0XzEfBGU8VwwHgfpW9LZ AeoSuZj+NUiHc3/O+BKcHa1pWUPAeC74WtQPIMbaYi1J4Pj42aE7s0GskRsoB4B7rpXqYNBe Z6/KWAbqIWmU0hG0XPWhuSBYP8pc4IyF3GHZpTMPQm7RnMjsoZCbZOunZoHF25FuuwSW59b8 2RvBPtA+1doT9M+8N/jZQJroHeKXBpaEjFOZmZCzMpOUHuDqJK2TK4CoSiddVdBmeX4fkB9s B3Nzc4+B4m8qbL4HmZPTPdK/AY/TIXciMkGLV370eglmL88o750gTDw1VgT918bN8kFQv3DV 136BGoNqfViuEdSQKhYLfw5aKddi1z2QNoi2RILwl4LFJZAaYyYIRC4uXABI/8cHqfAfUxLe Q0IGApjABNDNlZYqA+H1tcSHqRvh0MYzHS5vAGHUP3eNgl5Tm8xu2Bick+WlUiRoe8RsPMH3 uec3xnwgL5P85b2gu2bqbj4B0TNPJh1qABn5rDa1HTxJSFpyaRl4vQ2endML7A8TPJRf4WHM m9LP14N0TdfOthmymqbMEFcha2DOWJ8J4H1L96XhLgQv908qcB2K7yqUXXoDWLvZJ+oWQ2p4 UmBuKEQ1Cl0phoJ1vJptmQIFj3jkRlYHv34FPoucCblNrU9TPwc/f4+OgfvhUuOYzw7sAutK tWtKYxgQ0WLgzLng+EHupnwMZbcU/zh0Mzz+7NnX2eXh0JhL0ctnQ5aP1XK9O3i1l0f6+kHy /aSKPt6w4N6UqFWz/uxm7ubm5ubm5vY+vL8eZxmBBmRKJvyA2mjiAkjLxBuhgjRc3JJ9AZt+ q7gIzoepSxObgzHAJ5/XBdD8tY+1qkATXUnzV6C/IKteZ0HzEzHqChAWMdMZCMp1KULUBs57 vfbvDIYvvOMDPwJtiusjx0UgWtTVqoKQXbvsjcHpk+QXuxfUj3M/Su8I6nBnM9unIBZkJmVP BsewzCNpN0C6qDxTZ4NI0F2Xu4Oy1nDXMBQM9U2Z+oXg6fS8bj4M5mPmNR5VwfCxbqL+FSie rjTHJ6B3CsU5HEzrTJf0JUD5QAqTg0De5DrpCgCtorOSrSgondVP7HVBn8gkVxCYeum7aJPB mOph89oA0khHHXs38B7qedQ8BcQBtZyzGQStCekacAY8l/scCTOBzkuv09+Gx8Njcl4eBcs0 S2WbBvKHyjjxK2gDpM+lEJAWsIswEIlSIBYAxF+lzP9BBQRQVApFgFSTOtJGcLYWr1zPIN/s cG+/etDP0r5b00NQ/2CF5DLfQdBPQQQY4dLgG/q7n8HDYc9b36sKWfnTB1r8gBvyYrkzGDox VvoazI2830SMAiVMKWXXQchbv6+sFrApWULvCVX7lNjerhX45UgJRU5C5tHU/YFp4DvUo1pg eSjUPrBbkTXgzHYULSpB1vnsXJ7C/cIvlDt6KLQovI5XGyjsiLCULQ83pzw4nDES3trTt2TM BN1+acTruuC1Q67uXAlvaiQdevo93Cp3v+ZPs0FbaWntXwjCwj0adtoGuubGPrpB4HXaPEoX BUnOpJUZL+HXT5/5Hr8Cmc0y+zyKBlfr7LScHEi7mzAqoxDkjrK9dEX/2c3bzc3Nzc3N7X36 wz3O/8WJhACpkLBJQSAu8UQsBa2udFd8AXIl/TLlHKg7LfHWSsBV+TvDHJDnGdrr5oMySRmq XgZxV+4taoI2UO6nlQYpTKzWjQHhrwmnHqQxzkWWISCV0k/xGATqF2K8ywpa2fgGj6qDlmi/ 7dwG0q/yQt16MJz1HOo/DZyHLOcsySCdcRVU4sDl7+zjnAiuT+0N7J+BGqE0F3XBsEjfUu8B hm1eZu+6IEfZhjtmAor9jq0NeC2UWkmnQDovWyUjqPNdk+2lQP9IvkwAOLbLY7T+YB7jYTbH AOOy81l+BrWSNk2bCWKZzZzdC6RNWpCyApyqxZQ1ATyLGAZ4rgIU7K5PQDtp3ZT2BWCQr+qj wDokR35bHfRLPQ4HB4BvUkAR/9mQeTfdlr4EXox99Vl6EFQ8UbpFqC+4XroGaQD95E9YAGgi VVoCSMgilv9Ikv/PBFrCAGgilqsgHkll+Qmk++JrxQJajtpQmwPWJ9TUXkExW8FR+c2Q0C31 cFIZqNGj3O6iXSCsZ0BqaBLYNPWQ6yxk/JJ1z/EVPBiVWujZD5D2pe2n16Xg9tXYyPsdIeUb S0KKN6j3sxdkp4JPqL7o7XTQp/htcq6HRssKdSxfHVzltIJyApwdfffsExPI23Tfh1QCqTRJ xnhouLVSmcY/Q6X5Bb2rvIGsu5HHEi5C/S9qSd16wv3PY94+fQOPGz2w7HgNzwPtGxyXIOOl PvD5EPCej2qaBdWKlb3QsBr4fxqZ4h8L/q0D/b07QdrSt0Mzx0PKukyj+BqerX38cWIVEA20 o+bJYKuTmZF/LrgSVJ/sBMgoxc3XnwJQ/89u5G5ubm5ubm7vx/tLnGX+IxnzIwsTcFBqynPQ tRAj6AGuYO260wDKKnFW3ADlVpHyxXJA/UosdN4G5ZSzZ+aHIMbr+5t8QX6upYjOIGrJbXR9 QOonxzMHtLicqekKaJdyOyR1BN0+fSWPHLC9UmPFCND6JA+LbwauHOtCWwYwTfpauQFyX6UJ J4D8hrHed0H3QDquLwPee71GK4XB0daxV+oGzkLacLUTuBarRfEGw3qx05gKrj7aQHELNDvB 0lTwKupVRdcb7FnWVVnfgnzducuVAp4llQPyc5Dvmq8aI0EuqKZLJUBaa6/hbAjWvc4WtiLA Fqm30gLsU3L0ljugT9ar2YeBOx7ngsqBsZurV/YQcJ6wv+IZZLqyP0ztBp6VA/unfgH60mFa ySPgPd93k9/P8GD54/j4VlDy68I7gkqA7gudl2gP6hTxiWwEuY7kKX4BcVfkogAKEtr/8QkK nIDAl0LATFFXvAK5qawwEHJic6bYasCVqbcq3eoCCaUzzsTdg5zaOW+0jlD5bYWPS0wBUw+P BkGh8HJpQq/nveA766Efdu4DXVXdodzt4Jqq/yalDxT5NbB3/iS4P/f5fZ8l4NjnKmR9Bd43 EqvfqwgRwf6tS30GGSfszVN9oNC4gBUNVsLrEW9rHp4OH65v5mreC3xS7FsNY6FMVCnPwmsg pnh86mMfeJ0Yvz82HSy3bd9ZesIL69vCx66Aa4NYoESDf1lrSsIlEFusG8O/gFJ1SucvtwqC AoNG+JwFz190mvUxJG6Mv56ig8RtGV+/ioZXckLEs7kQFBt2mV8hc/XzsLS1wCG9XToCmaUy Thk7g3zXp5PnJKA6Y/7sRu7m5ubm5ub2frzfxFkG8RSXeANSWSJJAWFjhhwC8if0lBaAqOzV w7wTpMsc1U8GeaBslRwgPza0iQgEKQC9LgvEHHzZCZJLHBf7QBuXG5e8GHimC/L2A/myx+WA L0H1z+r6eihIFqmaWgcUNaBc+CzQfkiwvMwEramrkToFlHue1pBY4JZJ9bgJIi33W3UiiHLq Z/ISMFilV1oMSBFatpYIUo69oMsCrnzyUOcKUBoo5eV00B3RcpVpIL0UT8Q8EJIySz8cOEMt 0QrM6aKT1hrUBLrKJUHuZX5sugfyAuVbnRfgsoaJ2mBt62qrzgItWdqkfAa2BEuwbQEYTuPK XAfKRt14XoD5meGpuQuk5U9faykMuu95qW2ELKvU2RgJPoHBT6MkyBlqbeO6Aq/1cXLaPCjW ulj/4Iqgpth/UUNBPJMW4Q/YgL/3A+sSoAEqmlQIpL18IdaAOKb1EN+B+YRpidEEzYPrPKm5 Ho42u3DgzgjYfeT82h0H4Rj3lp3pBjVuFB1eagvomkmqrxXyj/AtFBYNZfYUrlVxBSQXzZ37 6gq8kVODf6kJwfX9XzsLg+Oi1NC6HPxrm0eaPwbFO/teZgrEnHo71NUbLJ7W0mduQ5kV+QqE 34O4fWlX7qfCwNNtP+4TAmujt+p/DoGUnrb1jwZA7dgSJTuNgifjX6TefwA5FcRBz2MQOcir r+4K2JpkVfF8DaU8ix6v+gtU+rqAqcRaMP9g1HnmwtvliTXSn8PLEon7bu6BQzduTN57CEIe +uqcZaHBqSJBLWZARJL/hNoWMP5iKiVVh8zX/t0ta+BthdxzcTX/DS22MpWpDEfnHZ13dB7s 9N/pv9MfnjR60uhJI1BXqavUVVDkyyJfFvkS2h9sf7D9Qeic0jmlcwoo1ZXqSvV/Q7nc/q+q Vq1atWrVf367Kc2nNJ/SHLrM6zKvy7y/jXPixIkTJ06An5+fn5/fHy/ns53Pdj7bmfe6YMGC BQsWfP/nzb+7Hm5ubm7/Lu8vcRYIZMAohZACIk48lj4FjjNPTACpj3JBrg5Mkqb4BIN2Te2c swWUHKmOUgsYKdU1jQDxQqRIs4Bm0lnWgrgrbdbOgxRmOO5ZDfhE2W4qBtoVxxdZPwHztWDx CcgFfEWgJ8iWcE9zKshr9C75DLDJNMtzPUjn5S3mkuD6MuMLyxIQA+1e9oYg9TfGKgkgqfbj rhBQfrFb1c1gD3fkd3qD6rRfd4wGFqtbRXnQTZFKKmaQvtBNknqC1MeU69UbRIpor70AVwM1 1JUJ5jXqCTkXXLf1hZRFoCzSXVIfgHxMaizpQSuX29XeG9Qnjr3sAeN4XY55Eqgxzsr2EZC9 I3t4alMwq16D/BqA7wJfp+cOyJmR1TH9c6B4SujLUWCfYaxs9AbDS9/8kdvg6dpXkanfQeHT hfcFh4H0g3RdVAGuihi5HFAWSbwCPNDhB9hwYAUEGiaQIiQ9GojD4i4CyE8/+QEoVXQfizng 3OPM5/gVAgf6SmolaORVoWHUBrCMNqx6Fg26WtqJmJEgNc5MrpgOVfqX3VmjIvwQ9kvzn65B 6OjQ/qZqUGNE6U/qDobWX5Q9k28ePC6cOflNEuz56Nil76uCYZxyK6kYWBurgb6z4HbCY8+A B+DXw5DquwZiPJ9LV/bD1923bTY4IKi7oaM8Daz9Ml4G7ga1pCJST0HEm4B1RaIhZ6DlfNRR sMiW+heag6m9hyzVgZsFHze/vAGe1Ik1xBQHuYU5w8MM8Tff3k7YCOGpns8CH0K5lIDDTa+D b5GgSnF9wd+Zr33JpaA11ZVMegG57dR1Fj/Qh4h9D7dBStmU+MSLABR7nw124amFpxaegp1N djbZ2SRvud6ld+ld/Fdi/dDjocdDD3jY7WG3h93gRtMbTW80hQXDFgxbMAy4yU1uvudvE7ff LWRGyIyQGaAMV4Yrw397PY8xHmM8xvz3lav7wu4Luy/Me/1fCS1++P1ZB8vNzc3tf5D3lzjD f/Rk6oXAC0jnObeBl1jEGqAcYZIZRKiWpo0BbbHLO3ckSJPkw2YLSLOMh/gKpCVimboQRBrB IhCEQa6kqwxSVWuvrBxwybTINYIyx2Okb1+QWvtd9u0FuhtyV7kfiM2uWdo2kPYUqRxWBqRS upK6QkAPdaPLAko1mfg6YD/mnJPyATjDM/tlx4ArxXLEFQjWqtYbtj6Q+7V1Ze4rcPm50kQ2 SF9LO3UtQFkun5MXgbGeoaKxP4gyht7SALBPdCY7N4B0TJ3vqg1qea24EgJSLa2jqA+yQ3rk agSuIY7higSePiab0Q6u7fat9j2gHXUVdP4K8i7dbP0isMXavlOPg10vQrJLgumkT7ruDRjL 6H/VTQHF26nYt4N9cPqk+Gfgdc13QcAOsJ62VjeVhqy52RdtaeCT6R1vuAPqHnW2eA00xEEd EIXFTO17kHKlLdJL4KS0XMoBkUG4uAdo3KEYcJ6mruGgnRWxyimQL7DOWARSO71Nz7SAb3F5 jsMA6gdSg4xsSAvLUKkAqj5zxP10OJx97fTjC2B6bZJT6oDhkT4trCCkF8+eb54MZ1onHbSm QeKy1C9v74bkbGe7FDOoHXI+E15geqhVT6sF2kXboMRbIO4E9wypAOVTIgfUXACOU9Y9rk2Q 2Vl2OTtAwaMRA2sPg8eBj/fF/whhoYHL/ZtA0oDsRWljIbmaJSylJRi65h53zIBqbUt3b2wC +5PshEAveBuT2SqmO0xr0MM0wBd0bfSTzZ/Aa2dyy6zyEGN4efz4Gfjl4uXJ2y5D07lVu3ww DHy+sUeHPIETda/NvFkTspdorz2/A/by1ftoWqdPnz59+jTsHL9z/M7xYKxtrG2sDbPiZ8XP iocm3zb5tsm3IJ2Xzkvn4UzmmcwzmTAjdEbojNC8BOic9Zz1nBXqUY96/z3fMW5/x9YGWxts bQB+b/ze+L35s0vj5ubm5vZ7vc95nKX/vNVvkQoAHlJZ0Q0wc1+aC9IrSin9QQ11zEytDQy1 mLI+BlmQrjsBWl9ayuEgnRFD+QrwkA4px4DCtl5ZD4E4ndX8DJQ1nt7+HUGqq5tq7A3SMZoo Kmj5tBznVVCfyW8dD0DerJ1lM7DRMccxEUQV/J3fgzPE/io3BqTq4oE6DXT5dXcNTcF2Laen JRsy66ZmZSwCu2YZ49BAPFCzxF3QTZTTlfLg4WP41ZwMnh8bBnsUA31LqaccD9plcYuFQD9l s/4X0IUYwkyFgbbSR/JCcM1xZTg/AP0n+vPyL2BsZDQpTcFrojnB8z7of1EKGQJArFEXqg1A v19ZK/uBtt1lt+vB7mXxSLGB7JRvucygHZIaacfAtimrZ/oRSLsbV+zBXlCzHNuseyHnC8tD xwuQtkiZUkvQlosL6iXQ/aTEK5vBbDCM8qgOynzZZFwBbBVBkgdI5cQC6QBwmrbkAgNFqPwp sFQaKvWHzCrZB9PjwHzBXB0fyC6oF0lGyBjqMKVdhJdpb47FLwPXfHlKbh9In+sslngeCmzy G5J/H7im51b0leDBh7G/3giGo89vttr0KbyambzjWSFoUqbYxkYfgyFSMvt2AulXw0ytIZgy fFvojeBdnbFVj4HrLFUyEyB7mnP6k7Pw8puElkmR0LBKRUvYVShxwa9IsAy6o8oHt6dDZGjA VUM0GMfZPQNHQtsStTNaeMBY70GFBi+DwDch33mtgSZTaxSsfBAkh9c6MRYO97184tAW+PlU dLOVP8Kjwq9Mr9dC4Xmh1QKPwZNdj1+eOQOJtsRvbjeC6neKTy3VCgqeCNjy6tn7a1zbt2/f vn173uthw4YNGzYMmu9pvqf5nrxb6fJwebg8HBo9afSk0ROYtHPSzkk7oVVIq5BWIZBzJudM zpm/jR+/P35//H4Yt3Xc1nFbod7Deg/rPYR6HvU86nnAhMYTGk9oDAntEtoltPs7BfzPnu53 PeEdO3bs2LEj1KxZs2bNmtDh8w6fd/gcdkzcMXHHxLz138nIyMjIyMi7hf/u78N6D+s9rAdd 07umd02HTQ82Pdj04G/3u3nz5s2bN+cdj2YBzQKaBcCpYqeKnSr2t3Hf7e+91f9/iH+2HupV 9ap69beHkjRt2rRp06Zwz3DPcM/wt8d938x9M/fNhK6FuxbuWjjv8272otmLZi9g0clFJxed BFtpW2lb6d8u9y35lnxL/ts4A64MuDLgCrxo9qLZi2Z/vL5/+Hxzc3P7/7331+P8boxsFhAC Ul3s7AKG0kN0ArWz1FJeDDI8ZSmod5KeP30N2ktzZkhXkD1Nc6WyoNWjIqWB/uKm1B+kqvqO noDkaTgo9QDpsfa59hKwawHqLhBN5FO6AoCHdkHqC1J7qigPgUS5spQBDBcjdYOB0apTGwbS Nq9+AbtBP8gvI9QO4iPRT90K/hOD24TsBPOs1JYZ+UE7Yl1l7QhyojSVDKC4I962D3Rt5KLK erB5uqKEF+SMs7d3NgJuOqu4/MG1RRvriAGnQ72iVgWeiq1qNCjlmM4HIH2p/GhoBIb9tNZW AxZzMBHg6uG4oC8M9KaBKQMclZzfOxaAtkCMcpQD123HMmsIaD84r7h8QTqpK24oDcau5gyf c2B7kl4iqS9YXqcVi/eAzG+y4iP6QMFC+ZoFjgDlNlP0n8OrOxl+cdsht1Nu67hn4HfV44rv Agia7l2+6M/g6sZ+VwhIZUW8XAQQ0gj6glRXC2Y5GKqbdAZ/iFoVllDUCywrxXHxESTeiPnl 1WAILui3xloQDI08+yZrkBWUNtnmB5eWPB6YvAuMQ4w1Mp+BZ3GljecbMJ/Tpum/gqBWprOV PwTxiTJP0kPAAY+eAV+Bxz4lI/8xUG+6soxfQ+UllUuXegxKhLS54AU4N+BCqQtToJNX1cTm 3aBMi6rHSv4MLyyvL2YNhZTcV+WFL/idDf0lcjL4hHoce+wAwzDTEE8Vfni023noNNzbHFvr yhHISMpc6LcdNrQ9lLGzAPj7+Xfy7gXFMqNa+44AbVhODc0B5qYeB8Oeg+6Q/ro9DX6Jutry RCUwJ/rJvsvAXEO3wb/BH29WYrAYLAbDnR/u/HDnB6A85Smflxj+I+0i2kW0i4B2h9sdbnf4 b9/PXZq7NHcpDI0eGj00GhITExMTE6HOqDqj6owCR1lHWUdZOJV1KutUVt4QkO0523O254CX l5eXlxfs2r1r967dsLDbwm4Lu4F+mX6ZfhlU1iprlbW8xGhR/0X9F/UHebe8W94NXelK1/9L +SfunLhz4k5IaJbQLKEZ8CM/8mPe+wcSDiQcSIBly5YtW7Ys7wKicGzh2MKxMGv/rP2z9gNL WcrSf1/9/1kfffTRRx999Ntjh0uWLFmyZEmY23lu57md/3G8f7UeW4puKbqlKBToXKBzgc4Q uzd2b+zevLj58uXLly8fGBoYGhj+4nz+6eeffv7p57zyGWYZZhlmQRW1ilpFhec1ntd4XgN2 RO2I2hEF2cezj2cfh8/5nM//TvmnT58+ffp0iCCCCPIuAO+OuDvi7gj43PG543MHbGADG97D 5/avnm9ubm5u76/HWQMkkPLhIgfEtxSgDYjqLJK2g/whIa7LIG+Q95lvgWNRbqHcKSBuqCZn AMg9pKdSFRDbSOAIEClVEdNBOiG/UJ6AeCoqiZ9Ba6J9px0AFpEi5YBk4TppQB25tq4QSEWk FYYI0OK1gZIGUjlRXAsFJUCKNI4BZbb/es/WQGkPf/UjkCv71DHYwayFnDJFgnmheYNrFXiP CuyjJIPxsddXWjGwNXCOsgyB9Mnp5ZOPgeV55uS3XUF9LQo5C4C2mm3qcHAutw9xfgmuz9Xb oh84BgqTVBbEZ3JRuSsot+Q1uhVg/sq4w9AW/D73auc5DnzP+qT6TARTC2M1szcYhvsUCvgJ tPXaauktyLtFSWJBt06+jweIVa7uDh2olezfZ+cAE5TRpnqQ8WuC/slASN2bWjetOrxIer0u cRkcn/brh9+1gM2nj/VbvgWWf7/92PdX4Yfo6Gk7KsCrAUljEpNAf1Bs0X0Lao7oJ30GWmst iaJgqqe7qisH54LvZF7rA7eqxPV83AaY4UpXfgbPEGWU3xowe3sWMY4HQyF9uGKF1Onpm1Ki QdmtzDAcBc+p+ob5ukDudMsMz2EQnmGS8m8F/+0+0/SxYPzK3CnnDLRZXn1i1b6ghnAz9xaU OVq0j197OFn/fMiN43D0+NWPz5+GOrPK/9jjGpwbcKfQ2/Gw/ouNh4+Mg5f+sZNjJoIx2NjA yxvUMvJK+zaosqzEyFbTICXt5eIcFS7l3GpzvinUT62cU+QIBIwKdBVbCuZ+xj2OOWCpYO2Z PhCezXwxKn4axFhTuj4Khgs3Ht7ccxouj3jp2rsA7JGipHoWnP2thdKvw8vFiXrllz/erCxL LUstS8FZ3lneWT5veVBQUFBQ0N+uv8SyxLLEkvcw2V///eabb7755pu89Y8kH0k+kpyXeHzw wQcffPABLO+7vO/yvrDq6qqrq67mLX+33qHPD31+6C8yoE0PNz3c9DDv9bshJN9W+LbCtxVg ZujM0Jmhee9vbbi14daG/7j+dUfXHV13NOxvs7/N/jbQ5ViXY12O5b3/44MfH/z4Fz2C7xKw bd7bvLd5wxAxRAwRvx3/fdX/nxUXFxcXF5eXqP7133f7+b3+1XocXXB0wdEFsGfqnql7pv5t 3I0bN27cuBGKLy6+uPjivzjudX+s+2PdvNez281uN7sdrBywcsDKAXl3APR39Xf1d+HY3GNz j80Fm81m+68fzPoL7x6C3PV81/Ndz2FFmRVlVpTJe/9B3Qd1H/zF/v5dn9s/Ot/c3Nzc3u8Y ZxlwoYjnQBDp2ACFfaSDeKEdV5eDmCFmOjqAYY7PrJCBoHymtJHLgVgi+ojxICVJaXJlYKC4 J2wgnotHohtwnSbyWZCDFBuBwHw2ikGATTzTKgKRCGUQSEVEPdECeCh/pI4FrTPl5J0graKH GAHUzyger0Gu9rzH/YfgyE3flFkPLPVet035BLRWunBPb9C+NKV7XoDcD7PbqF+DuKCNMRQA 2aDrbowD5zC1quM1kCHdsHmB8wwhSh2QzvjpvfpCysVsKTcHssOzMlIHgW1u9qqsE+D9uWmA x1iQKstL5BJg8leW6z4AuZvujNII9LL6i2sG2HroHfpC4NrBN+ImGDe55jhaAjWVMkSCyO96 JXcC+13Ho9yJYPpUv8gYBUqslmbcAzkjM6Kzt8GO1YdeXDwJ966lXV9fEzxOG6oX+RWUHuqC qFZwq9f9clcmQO5YW459JUw62H3Q7CJgaCuPUbqA0lzXQ9sID0rGJz2ZA7pxxhJp8SC7NO+M XXBv3stNt25B8mWbZ/JiCG2p8/aPAdvknKm50WD81uuucS34ZXvsdc4Gj1rqIf02sF/QHbZN ANPpELvUHwxzTJPVOEj0tByLrwxZca7kN6+guldRtdU+8NykO+BxAWp1KNf1/jG43vnXw9Zb UGVy9QKG+uDoy9QSQeDnbdqf5AvFFpUtXiMd9r+Ifr6pCegmEJkSB5kfG542NoKzh/VX8RYK XgqtV7gqxHrHn8ztBecSHpe86QG+Qeazxhlgv24tlDwTtMPqbMMM8O3hddTSAFxl02e5RkPq 106jaSY4L+umaycgo5P9YnpZyCmQW87YEoCMP9KkzA/MD8wPQFonrZPW5fVAp3dN75reFYJ/ Cv4p+Ke89VOiUqJSoiC2UGyh2EJ/Gy+lbUrblLZ5r+//cP+H+z8A4YQTDrt37969e3fe39/y bjtrgjXBmgBvHr55+OYvEueGYxuObTgWaElLWkKDLQ22NNiS9/7rkNchr0N+O5F6Z8T3I74f 8f3f9uy+2+6vb+E3ndR0UtNJwCY2sSmvx30Zy1j2f6nHv1p/FrKQhfzT3vcsEv9d9Xg35OLd 5/dOLUMtQ62/GMoR2DyweWBzuOS45Ljk+Mdxa/9a+9favwJtaUtbKNqtaLei3YAAAgjIG1Ly vurbYmqLqS3+zoXCb51vbm5ubu+8z+noBDKIF1IY8SB9Jr6VuoMoILUT20CLoLEcB9IXWrHc BJBHBNyP9Ae1h2ihHgTdMHawBMQZMnECh0kWj0HazSQpBcRHklHoQERQXw4EiooB2jyQ1lKV R0AMy8QhoJL8NUtAlLQtzN4F3NS/8iwEsqoMlvtAduFngU9KQ5LuVM9LvmDd5DCJr8G2xvCz eSy4fpF/tDYEg6p4W/KD6Yjnp/6+INfWj5Lmg+Qn6bSXoDilpror4Fqvfm9YCaZCPt+av4H0 /Nb4jJ6gK5UzJLM/hC0x3jSfB2t51yciH0g/KIV0V0B7KYKJg9yBFs+cKmDrllk/czpkj8z+ MuUZWJd4bPFuC/YPXN1cL0EMcupyeoDHeWOE70sQUaKcOgB08/DiMzCOsj/JBZRW8nKnP+gK 2/rmzIXAQj6FgmuCbtSbx2WbAqla1+SvIOzDYKNrIjhvGse/Hg0vtj2qY8sP32zatPCHZjDw ZOe9nctAYsuEh1lr4UZYQujtCIj+7oXX/Cfgs118HVAI0h+kNLYPAaWBcl9eCHHB0gClFZhS dDXMHaHk2RJfma9CRsPkA86fwXgpeGZ2DJSqLQqo3vDmg4TabxaBMUE6oA8E76Fe5nwvwKFa ryv3oOnyehkN94DfLK9A/0Lw5nbapuAXUGJRvra6PfBG//qCZQQ0OV8rueBWeBTxqK98ESqM rT6v5OeQu87+1Yf14Hq3mEmvZ4B/paCrPvPgqRYz53oEtNzRdH3fFXCk/rUB90KhQcUiJfU2 ePxFXImH/cBjhnmc9yFQDulSH8sQ3F6/zdIQkrrqSnjfAG2omOoZCtJa9WbOPpBdynK2Q2Bb 0w5RGzj3x5rVu1v5pS6UulDqAjzgAQ+Ag7MPzj44G/rTn/5/sf681Hmp81JhHvOYBxw8ePDg wYPw2WefffbZZ38b33bRdtF2EehCF7pAwJSAKQFTwPuR9yPvR79dLtMa0xrTmt9fD+mmdFP6 e7N4vBvrfJGLXPzbt38rgdFWaau0VX9n+WBtsDb4L47fMGWYMgzwwQefP6/+/27/XfUQVUQV UQV4yEP+4kJJp9PpdH/gf5N3QzP+y7tZX5rSlKb/ffV1J8xubm7/yPucjk5CAP4ilQDgZ2Ri gLsiUmoLUgBfacVAbmGuEPg9iH1yoZyTwFJRngOAXptFOPCYKRwBMQo/IQEtCJOXgfS9Nl87 CuKMMGpDgA7KWLkPiATRRooHaQlntMEgPlHyG1+AmJQbn3EDtH45vWLrgfSD91Dvl5D79MbD W8EgdntX9OkLjiR1l/4Q5J5NbZmZC5Jd6pPTFBwrhGLZDRm6jOrJe0G3Wv5emgy6R8otgydI /vIi3RfgMcf7pd9WUGbntvCTwbQ6JzJrAAR+Zy5uHAauEF1z/RZQguSOylGgj3OKswcYhslR 0hwIPGq441sCXBGeZ429IPes43v/XyB1ra20/hYkrXTOs0aCrVhKv+zjoK102e31wJQoXTVd BsN66YLYBR535bJKOTA2cbrskaAuf9D7+iDwtpecWfwM+GwLn+78CJIWZc6ze4LjTGbvnAjI bpqgL3IVSnfPX7fZIAj9zrtsvs1wcE30uuhOkHxd+sr6HbyIT5h5aT4E3PYZbPwaCn4ZUN/b Ai9d2hspChwWl8ZOKEbw+cqn4dLqmCWXfCDuRdqD3IUQtlhf1+8rCBkRsc78KRgXy/XrrgQm KOsTa0PcxMzqTxpDAT+P6MipUG52mLHmRYjb9KZm/DW4MyVjxauq8GJ0Qu3kDVBgWqHwoC5Q /If8Z4JugH8xf9lvC/hXCdiQ+wmIlnJXXRIU7FLqx4L9IOUTy6dyInR43bpV+XlwdNLBAsoT MCaaZluHQ13/qgOLrQePq8o2509QunzJy8FdwS7ZLxoC4aS40uLlPLCvllube4H+K2Nv6Qno SjnGZQ+C0Jc+DQMkeB1lqxB/Awp+7XPe9z+GJrR4H82re3T36O7RMItZzALWVl1bdW1V8N/p v9N/J7Sd2XZm25l5Ccgl5yXnJScs279s/7L9vx23YOeCnQt2BiQkJOiUv1P+TvlheJfhXYZ3 yVvv8bjH4x6Pg5cvX758+RIKzC8wv8B8MPcy9zL3gvCE8ITwhLyHsE4vOb3k9JL/6nDm9OLT i08vBlrTmtYQ2T6yfWR7MM00zTTNBFuGLcOW8fuPh8cmj00emyA4LjguOA6So5KjkqPgZPeT 3U92h3YJ7RLaJcCRo0eOHjkKdKMb3d5//f+n+HfV490dDnaxi11gvm++b74PYRFhEWEReUMg 3s360rJly5YtW+bd+ejQsUPHDh3z4p3scbLHyR7/c+vr5ubm9o+836EaABIqEuCUQtADe4VE QZBtfKdrDWKINMKjHijbDEuVNSAeCy/1C1D7kK3eB+mJtFrbAXJNsVv5FNgm0qRMECWVHVot kEeL6q45oC1Se8k2kJvK4yU9aBfEJN0GUGZq653nwFlfNFP9IMf3eo0r40HUFvOdp0CZFjEm 2AuyCsTeTi0LydeSctKvgNrX9dz+C+RMSolOngbPRyfvz3oLWYd0awwdQTlkbOhZAIJeyB8b YyFfkLmIR3fQlTVLWbNBPqOLf90OfDP9JslBYJsohrrWg9RAP8m7FhgqGNd47QX7Y60nXUFt KTcwbgFDR+Np43SQL+kNehNIoTqT4xswxPk8MpQFU0NpfOAkSMhSV1i6glbFLqUvAs+rhqoi Fcw1RCWpGpjfykvVvqB8Is/X7wSpxr0iMRch4LBfaecQ8Pkw6lHcRYiNS3jw5lPInm+sm/Y5 lCtU6nDHWuA73epf9AH86h0/5OE3kJSZ0eH6RDD4BquJ+0A+I4137AP/Wt4nvP3A8ci6WXoB voMMO31TITvFsUA4ICjTfNpQBMKHe+6NVCHxSawh/zowVAlabd0MmQvizz39GaIGBwcGxUDP nk1f9GwJx55eX7ytCLyckrXqyQVIvGQvlbEU7vfPir3yI2RnZ31j3AcBlXy+za0GZz45OTWu D2T+WGm3KxU6+jbrFq6HoI2BD7w/gzMDLv348CW0eNRYKucDL+Y87/i2M6QsSrucNQ10ZQxh 2k7w6+5f2icVPE4GLlU8Ie1ZYrrVH27Yr0++2whefJfZ9qkA/5H6k8GfgOWIc8szBbyO6JJs U8DRUMxVZMjZ4+iSUQm882kdgj+A7MvKQBEBVHw/zarNz21+bvMzXDlw5cCVA3C4w+EOhzvA nDlz5syZAws8Fngs8ADZQ/aQPcDxteNrx9d5D5n9V0/sX/UUtj/U/lD7Q7A5enP05mj4Xv+9 /ns9PPF84vnEM68n8d00dtzgBjdgQ40NNTbUAHrRi17Qt3Tf0n1Lw5dFvizyZRGYHTk7cnYk 7L+z/87+O3kPB77T19bX1tf2zx2D/8N/9kh2Wd9lfZf1sHr16tWrV8OcTnM6zekEW4tvLb61 OLwIeBHw4v/yEOX7qv+f7X3V4900h/aL9ov2i/DFnC/mfDEHxsaNjRsbB/lu5ruZ7yb0mdhn Yp+JsChxUeKixLw7GvvD94fvD4fnpZ+Xfl46L867Mfbv4v/p9X3DG9zTALq5uf0L3m/i/B/T 0TkxASY8xUsA9moJwA5pGDWBsqK2poHwlGKkZBClpfW6HKCZFC56grRPLOEisFeOlaeB+nPW 4CdTwd7+xf7bniBPDPAv9BHoM01PDSq47lh1tg9B931Y2ZIdQJP1VwJPga4DdZVK4Ih4uzS3 IaQ9Th366hTgyv8s9FuI2x+XmNQN7N/Zr2mHQIwVJ1xBYPvW+jUm8KnkWc1vJhRsV6hakRQI jPW7EpkCnh2MX/mYQIrVZdEcnNe1M7lnweptPZkhgFuW0OxIyN6WFp0IGPU+PY0xYIwzHZPb gO6RrqjcHKTb8mTdjyAdp7DUAqQW4rRUBXR91C1qNBClXckdA54vPQfI08AzwCfZxxNc53JO cgMME0WYownoF6sxtuNgfmo/rD4E/XSP9gEnAEVZlH4EtKvP+qXehJT8znxyY9AnGtp4dgdl uaWFawvE9TWtv1AOCA64krsOPHZZKhfbBl6NfT/1ioCiDU0n6p+Gxj5Vb1WdD6/L5TZ6tAW2 lDtZfONm8PPwcgRfAFvF5B3Sd3C3sd3p9RV45tNuVh8JtVrWSXmUDEn5EqMze0LOgOyxrmx4 vjtbfzEa1GaOaGME1N1a6kWjfhC+It6erx74GH3igj6EVFOSNX4geF0sPSnSA7Ia5wyLLQ6m fqablifgWmyPTd0D27/dV+3ER5DPkD9/uDcUaxvhV3AxuBbbf1ZHQlm19PyIMfC81Mtjb8+B 5zLvLw3FwFjA3MI7HPQbXO1EN8gU0itHPTA89itaehS0lkuMq7cJsrtk1I2rCK9mJKvWlfBS zlqb4w2yJwP108Fkzylp/wEkX6/+2Vlg9iDLFPYe29Z/JoqzB88ePHswVIqtFFspFnZP2T1l 9xR43ux5s+fNwGgymowmaLGnxZ4We2DMgDEDxgyAsTFjY8bG/G3YsLCwsLAwWLN6zeo1q2F5 meVllpeBy99e/vbytyDdkG5IN6ByxcoVK1eE4dJwabgEJXNL5pbMzYvTtVDXQl0LgTpeHa+O h62vtr7a+gpuHLpx6MahvP30ftb7We9n0OVol6NdjpI3puRf1L98//L9y0NO75zeOb3zpkdL vJF4I/EGTPOc5jnNE2a3n91+dvt/X/3/bO+rHkMYwhBg/ab1m9ZvgsuXL1++fBly7+bezb0L LGYxi6H7ie4nup8A+YX8Qn4B27Zv275tO9xYc2PNjTXgV9mvsl9l6Dur76y+s2D4sOHDhg8D mtOc5n9+ff96OkI3Nze330v6jy9GIWrUqFGjRo1/PoDVarfbbPzXrBp4AC7gDhYkEMvwkM6C fIEfpQ+Azsx2hYP2jbrZngZSrNxUbgFSQdnT2B24pfkr9UD7TndQNAX16+R7d05B7vAzQw6/ BhGvC/ftCYZS4a9CMkAUzXqYsgDkAb7rveuDcUblVp29QKknfaxrD5mxZ2dcaQ7JvV8NiV0B T/3idE+SIHN++istPzh+Ur/TEkGxqYG2x2D4UTYY6kNYo4DNAXMhfETUwsjPgB3KeF0uaD/L I6WR4GpBjiMcqGQPdE4AubO+kb4H+B2NulKgCMQffXrm5TcgXZGny4NB3Jani5ZgK2+/ZVsG IsplUZeD1EF0lWsCRs2kzQJ1k/2A9SfQ5qtf8QzsT+RZWODty9wJmQPAejtzUeoX4BtqeCqV APMkexe2gWmMVtpQBPQ234e+AgQJPbNDwGRVV6iD4cSo0o1ep0PMN/KuBxXBp7+9nNcEyNgn TmZokP6xukc9A4WmeSXUOAclPEOV8tEgj9VPzf0FrNXtafpNENDO9JHoAdd/eh52fRVExXuP q7YIUtPejnx9E/SPPZ35CkHS9kzvuwWgUMHQxq6+YPhMfhHwBXBXnHTFQuqm9Ddpo2BUlX6j vikA+nVyI88EiPV6s+7hKoiucafH7kWgP+vYbEwDtaxjvakHPH/1tkaagPAigd7aFZDSTZ97 mcH3Q913RS6CttLWWukF1ZtXLFBzEAR5+X/i2QPCL+e779cMjlvPXH30PWT0TSn96ibU8697 utyXYPdzFJSPg+KnWy+tgFL7is7N3wn25h7ddakl7Iw4WXBXNIR+F+RnHwZp8zKq5T6A8Br6 y5ZokMZo54UEIiLSJzUT8l+O7OVdAiYrvb47sfLPbub/73nXo76mypoqa6rkLX/3cGCpc6XO lToHN4feHHpzKAy5MeTGkBt5Q1kunL9w/sJ50G/Qb9Bv+LNr4+bm5ub2P92VK1euXLnyPnuc FQQCyJA8kEGqK24ggfQFN9gIWkccwhvke2yVO4IYroW7uoBSRhrnkQnaNtFUKQ8MYon6BKSu mq+YDlJ1xyluAqu8Bhb4AcS+rKSM1WDd/PKThJGgzXC0y1kNUr/kjhmpoEvNb35zEaQJ+V+X Ogee+avsK7kUbEdSgxNHQ9CHPvMj64BzuEGz7AWtlU04k8FvlWfV/D+B+b6SqAaByShKCRfk Lre+yJoMOk/9WONL0G9Rbeoq8M5QeoqSYPo4KC74OZj2579UaCUoxfyneNQFUS5ji+UiZH1o PZb7K1gr2DfZHKD7VtqlOwNqPmm0yARaSXZpIsgL5VaKBURbbYRuEohD0iD1SzAsUTKVlhDw hWmiTzrkbLBPzOoDunDnd9kmUNfZ+jkU0KqZl/p8CgJHTPZCUEzeMw0bADnntZgA2pjMsp51 wH+SXy3POKiUUeaTqBh4OePpV8WaQuLg1BKBvqB4qPWlDZC409Y5syeYXnrZpFBgnzy98Hp4 lhHfy3oDCjSX79TuBVrd7O26cyC+cUUF7QH1vO1kViKE5fg3r9gRrAHZGZkdwFFbCiQX1IP0 ztkGud86R9sscDLx+rSzU8D8xHw0dAFca/J45881ofyEAqsiHGAMtw7wi4IbPe4mZnaBBocr iEbPILlRdsWn+SHjsHX1nULgddP7XNAYKF6lVGCtZlAsp/iysJ/hxdVn9+M7g2loxh3jV5Bz L/5M7G0ocaPsush0cM63TZPNkO/byNtBdrhT9bbytDzoD7p6Ck8wPVIKphwEr88998W/AP1R c3llMuS/5oh22MC203MHDjAO0MU7+4NzuHLZPAfi5zguOZ4Bs/7spv7/JsMGwwbDBrg66Oqg q4Pyfrhi0/BNwzcNh9CI0IjQvxiD++4hxKYTm05sOhH0qfpUfeqfXQs3Nzc3t/9t/niPc67d bnMCGhouQMOAAlIEqTiBqsRyHcQ4fKkIkhOrbAftqjbK3g7EK2mm/jQo86V4CoFUhK+1SSCK iyDJAGKEY0P2SrC2vv7o5COw3njc4eFbcNWyFssdA4YKvn2DZTBMLz607Lfgmm3/KnMp+Eyr 9qB5DZBLyD0MuWB//Krn87eQM/b2zJvN4PKRNGPuDnirpRRIKwz5k7y+8W8Oun2ObvZsMI2U 3iodwXjeVExfCYwxxLsGQ3BUvudR/SHgZbW1VS+ALIerQQ9Acul7azXB9uzG6vvbIefsywsJ n0NqwZzBOfvBmmR/5CgL2iJmajngeOu46bgDopq0XsQA5UQvrRrwpStRWwJamPOp5glisC5I uQ5MMpY0poD1vPVU1jzI2JHoGz8NsrNv17krQ+DDoDEhh8GzeeCRsIWgZfvuDTkE1pNafeNy eHjA02VvB5aFhgeutmBYKu6p3UF7bl0tmyHrkH2l6geW1hk/a/3Blc81M2cLqOnWGOcusE12 rrE1AV2u3qV8A9qvzvr2nuC6qD6Uw8BQTR9rHAZUVDoKfzAeMY3xPgyeDwy95B6g+9C0UMwD Rynx0OQNqk3XSQsBJUy3SE6BwC2+p51nwcvpd9hzMVRYX2J2k3GgvHEla/ngUcyTfk+uQWBq QKi5EcS3ir/96DnUy9cgpMYv4Hpt/TR4LwTvDq1rfgjesZ5dfUpBbpp9EEXhzbWXSuY10KKt rlfnoGxGlTkVMuDR3ZilrzvAS9831WKNkPxpks+zQhC3L3V/3GhQLD7ZaRp4mkzzsg6CPCa9 j6sv2Dd7BLj6Q0A1/3H+X0DqQlef7KlgnST3lqtDTljGwoxE+C560uaLaX92M/9/V9r8tPlp 82HpuaXnlp6Di2Uvlr1YFrJ6ZvXM6pk333Wzps2aNmsKw6sPrz68Opg3mTeZN/3ZpXdzc3Nz +9/iXY/zH0+cHfZc23OQikvhUikQD8RbEQckkCxVA1TSSAOpM0GiMFCFFcpxED+KYa7ywFR5 pvQIpIEiUkwG1zIW6w6C3ET/XH8b1Bkxb0/shxc7t07ZEgVpv+R8YtoC5gee431GgX8vryiD Fcwi4BdpHXg8rHqmvgeYvcp0rlEY5EjilJugfmMzZd0D16obSbe+h6fak4m3+kDudC1D/ALe P0gLQm6Dep7lhhTwnu69x7cIeEQZ83v0A3MVzxcesWB2Vk4oNg74Idjhmx/EbltZ2xXQfWuZ nzkHcoMennilg5S9LysmxkC2l/UTayVwdpfaagoIC8PFQnA8dnzt+A4cg11G61cgzyBYFAPO a5f4CYjUopQKoO2T+igakGp4rWwGtYoYSBLYLtk+sAyHzMFvH+duh4w7GV1tz0DZHroiYCqI mSbh+QNkOB17rL0g7Y0rK707pOYkifSSYNFlTM1cB7aXltqZj8F+wrHRlQ76LdyRL4Be1rUw bAL5gr6/XgNTiFFneAnSZtmu1AbFoS+qnwlyY7mfXBnkKfI4cQbETFFSjgStiZpBOXCO177S CoBWm+aqN4h72g7hAHmcPEXfFZSpxmKml2AsZnok1QbDaB9j8AbQN/X18I8Bv+cBNwOiQFfI XNK4FJzPk+NetIOMWtaPH4dCEY9Inf42qDsc9zxqQsPZDfL3bwDmcbquzrbgvC/rxBSQWzkK eR+D3PJvKzxqDLmvpU/lZsBe7bq0C1ST6GzsDA9LPW9/yQZii9Xz6S7I6pUzVv4A9H1Nm1zD wFrQfDt2ATDG8bm0DKxmZy1lAph+8Wuhi4HXD9PqpBeG1AZJPbgC+x3LWp2v+Wc3dzc3Nzc3 N7c/4v0N1ciVAqQZIKqIr8URkDylohiAnuIunwKpjKULiLJStlBAqiMsojYQpqyRBgLHtYHS OhAJoqC2EuTvlefSftB9lrU2tgE8PLRNt/06XPvk+XbRHQo9LlenkglKJdYbXPkiOANiNz6+ CLoLnhvlq6DvEp4euQnkcP18r89Ac7pu2peC8omhquc8yB1ut+hnQKEbYU2jWoL1sDYqJxUS dr+xOqqBHGw+ZN4Ahs36VKUnGIr4tjXPBQYaOssJ4KqR/XPmJdB/6bPD+AQwp5/KyIacXY9e vSgNubMTvs7RwNlTPSsSQHhKPswA7Zg6UlwF7SJNtXCQjsmV5NYgN3cFaONBDRWhjpIghUlH 5KMgd5cnyckgdxPJaiVAr33ONHDk0832PQq5ozx/8boPuUOiNjpLQmp139K5YyCnVvaitC2Q /n3cuJiDkL4j4UWiAXKe5rS0hYAcK9/RtoNXgtcY73AIvOl3y/8LMGV7n/M6BMY9HqGmZaBb Zcqv3w46Rd4ofwvaehHLLRBXhVXsBSk/rcU00JWUPpMOgnRRiZbuAkZptn4WKBHyYiJBvi2W S01BC9N6KfdAayXGu1qBOtZeSLNDzh57pvUu2JpZZbUS5N54G5TYCsTQ1EtJrSC74Nuqfk4w feJVyy8EvD82VnKkgP8qj9n+zeFOx6en7QJqq1EWKRye/nB36cVXYHHIvTxWQL4VoZs9o6DW lhqnGhaBG36PJ8esB+tJo1XbCEUKFcsN+haMG+XJXhbQpaqJZfqAXxnfDVVrgse5gC6Bc+FU qSvXt6wDNTnzi4QuEHjT4wtpBHgUkF9W/gru/vj26JXCENg0ZLypFaibRRn7u9krYv/s5u7m 5ubm5ub2PvzxxHmg+I5NQF3pnmQBYmhGc+Ah3cXHwA+cldeDyM9SZQBIdbRXLh1QSnRRygEL pCx+Bi2TRpQE/Q/6/Lo4yPnynse1WEhtdi87uRIUeFwpp04ilBnXon2F+eC7OTS/bwNwVvd/ UXQViO3as9yh4GqT3SurARgvh22VvEBqIirLWaA1c8y3nwVR0elPMmQfdzwK2ge2rVlXnVXB 2TOzY9xK0PbZRrgWgKWk+qX0MRiClQbybjB+VNoR5QWSL9tdl8DV++WF11ZwnEk6mT4ftB1Z ZtcH4KolX5evgmui84hWHkS66xgrQJqASQwDXUN5n9wVnF9pKVo7YLWkyp2BWdo9vgZRQxTX GoPopW51TQAe6Md5zoKsBtJ8j48hKdtZVrNAqrA2y/oEUpe82RVXFpIOv+72aj+kibefJbQH 7aL6g6sjeF7x3xywGKI8ixYp6AIPs5/idQv03xpOK0fBddI1QbOCo6ftK6sOclMzv8/sAGJs +khxFeSdYrpkBG07HcRuYIwcK/mALp+ySLcTDMmKj1IYlJJKtqKBzqz4yj+CVkLeJy8Gua2S xG3Q5ei2SkYwVNMt0m0ENptL6X3AM8NriFcOaMWUdLkqODNcK0Q1sGdY67kqQ+6lnA9zSoKt SsrBrJaQskiZZ4gG81qvLeZUKD6mTMPa4WB84RfgfQTKHS92KLw2BMeGRYd0B9NO003DQDB2 NQwVs6BiYNNV9bzB9IW5me4wEMgq6oDSj3B5Bxg6eBgDGoLtrWipfgi+VczfG2dC2cySnXuP had+L7Keh0FuG4f+9QnwCgvUedeBgk28Y58shKyinrmZNyAsIl89r7KAO212c3Nzc3P7f8Z7 6HFmgpoCfCiOyJuB2RSVEgC7tJruoO0RY1Qd6FbxVtcIHG+l6bQEqb04K4JA7qL0lseCrqVr qrwWuPMfYV01k9NTakLhHnU61BgPUcOHFf84FKRnXuUNdsgt9aL+gzKghtl6ZewG+bn80pUf TNsL7ig3GbQurnU2P2CT/pY0E7QWr3dmTANXA/s+1QUZP2XPzu4AmYfezkzZC67t1gBbVwju 7VvJfwYE7Qho7hUGyg9KPiJAPf5mSWoqiOmFXoasAmW70abzAc5RUBcNopCUzxUFSiOmSEZQ jmrz6AWSUXohTQXpmOhEBIjKWqyrPigXpNnCAMpaaZr8E2hlpMvKxyC2GHZ63AF7f/3nXgqk TFBHKDXh7de52yw+kFg3/tWLs5Cy+vHbh8ch5Wbyg6SToLQxTjHmgv83EUXCvwTP1cFtglqB nKCPwQzOTpYbtkDIepb8NDUSHN0cg7VyoNSTK+ozwTTebDO8BY8Azx1eQ8Fjpmd1z41gnOCh mBqDoYfxa2MG6HbqF+pPg05WKusTQBqtHMIbRHWhilyQhguD1hW0y+pw7VfQVmgnXApoi13X HP1AfO2o5BoCWgGXQX0A6J0HHP1Al+L6ULKCAXm87jl43/EyG2aDa5f3r8ZEcLZ02rQ4yBlt CXM2BcvO3O254+DpgYsfnqoI9tyIo+FXobgrdFjdhhCuyz8t8DPQNooApxO0666PzE7w6ulZ k2jI6Zfjaw0B+bz8iXwZMtan9bJ8CqYBpqEmB0R+HTDXOwfU865B2iKo+EG5r0qsBd2vpjUF SsGVvnfDnx0DW6ay2DEVSocU31ZsC9w8FJO5/zvIOepY8WgF8D/o1+Xc3Nzc3Nzc/pg/nDjr uuo/Mn0EajFnIWdzYJj0BfWAhayX5oGczGh5Oziau1o6jOB4mbzg7UdgCDMmmZwgbwwICPgV XJsd3o5KID/TqVJNMKwpWaP4JAjuEWVXs0Ed72X36g1Mybqb8BYUq9zV+RWoj6yrsrqCElZ8 ec0bIB80zfAdBdRWC6iTQQSrZeydILfPi9qJhcG2Imu8LR+4WtmStKnAdemMXza4TkplVBne vIo/nBgLrgB7gsUIYYUjixcYCnKSq5dzGejLMknsBlEuMin4A9BHhizyPgdiqy3ONgPwy75t 3wpisH6yuAa6R+pFloCrseOQOgCELD2kHogBLKEa6A7r5hq7gM1uXOW9EzKXGU6YJ0KyZrvk SITED950fjkZEivcX3fXG5J8XzteTQVum2p6hEJg68LeRaaBuUxgCb9m4CjpLOkcA9njkh6m DgK1mq2SmgymJuYhhqvguzLQ1+878NsQ0iDoKviNDPjZvw/4TvOe7tUHzEs9C5m6gG6m/oWu CSiHpGLKOBA/MkgsB62vGMAykD8UQVIiiP7spyUwUnQSm0C9qk7TPgT20FE0A05rR4QFXD9q N7Td4Gqi7lQbg+ap3VSPgEhwDndeA2c766DcYFA72YtZ74HrR/WEYzK4UtTFYhoYOuseSJXB tNh3m7E3+FT0ESYJcr+353MNhbcDUgclB8KPQze3+KkP+F8M+DhoB4QsDG4fVAoqx1YYUOIX KFu6zL6CCyFzdOpe6T44Bkr3Xdfh7e2EU6nLwDDbEKT/Bcp7VvUvkh+kzboJcltQrNoN5zoo saSIr+Eo3H3+a3vHJ/Dk9d2Dd6PA52z5mWWOQT21zJY+R+H0o8sT9pYG4IM/u5G7ubm5ubm5 vR9/OHE+W+/iyMujoFa5qver1gb5urRNJIBYLZK020C0NFxOAbm89JNSFjxWByQFX4ekygld k1PAt6Bpmf0yGC4ZSkmfg7Ze9WQLGDqHphYZBerVrF7Z60FUc+jsP4G0UHolHQay5M7GONAP K9K42legXx4kIm8C0fZbub+CGKvz1D8H+uVO0LJAuWmfLTSQU5Unxt3gud0zyXALvDy9GwQ2 AmeWmJD/R7B4JC6LKwNx3z29eHcbWHekpabUgbCfooIKvgXjLWv7nChQNqSGpRlAF+nT2vcB aL2dT1y3QW4hV5SagOED0UiOAvtCTWi7QFdDOagsBFcDrY7WD9Q6GHTbwBXvd9xvKKQ6nZGa BHGzk4ckroSEtY/1dyfC62sPQx6sBeta1yytAPhujCqerzUYdwdO8PkZnF7OzepcSGkcN+fN dJCfqNcJh+B6QfUCC0NoWqlT+VwQ2iBydehc8P3R39PXFzxOmyeaMsBQWr9a8QS9QbogBYEi CR1dQFxTm4qKYH3smqV+B9pj7QutMUjP5UeyAbTrrlfqJHAN1KzaMNDKiYOiOSiNRQvygTRE aiiVAeWhvFr0BqUyQkoG5RLrlOogIWfLgK6sXhhegWOK6WvzEXD1Uau7QkBscFkcVrDXdky3 DQRXOWtJaw1wDLEvdg4FZaIqaZlgCDFVkm+BxwRTjt8HYL1n7ewoCWn9MountYfkolm+6eUg e1aONX0xpF1LrvQ2G+rfrn+5/k0w/OT71K8ABHUJ2umXCa4a6gh1Nujy6x2KA9QWrngRCy7F VVz+GVJJNuZ8CzkjMi4nnIVMR+L0Z9/Cxac5u2N7Q4lxxSNL2aH25jI9G2/+s5u3m5ubm5ub 2/v0hxPn7NbpUfaaoBulZEnFwdVMraD5gdxTGs1BEBNwiNkgdZXrSddAaewpeUSCKSBwsu9k cHZx3HbGgmdT73F+2eB6oY5T14FYb74ZNBh0maZwfxO4imW9TW0B+i9Npc3XQKkePqTUApCe U09ZDuAYnVsJxGdKf+UViLJSTXxBtNKeauNA7JXniQpAMOO10SCPlEa7OoDXMLms9SQ4R2sR zr1g3OGfoCsMrhhLeMS38FafkP6yPThPWJNjakDw5+FHA6eCV1O/uxGjQctv7W3/GMQcqZ3y AJybXd84r4BYpa0SFpDuSiPEEZD7O7s6fgGpgW6uvjDYS3mOCgqB2FD7I1ssxH77cvTjfvAq 69aTm/sgsfkbXs0AJc6/p29T8B0fWSYiFpTaoqe0HtJLvCmR5ADdKM2uLILIbyLnhZeHAnHF jxYaD8Fb8yWFrwbfAr7ZXifBdFV/2LAb+JH1SiNQW6mq+grkuVo9oYFrMiOpAfZZ6kY1H2hj RQgGoLHkL38HBotOJ+cD3WCpJ7mgBUpfaSPBdc61QekCtlHqfbUkODOZJY6Bq4v6ldofnJ00 ozgNylb5SykK9E7piLQN1FLaEw6DXVKTXT+AKEs1RoAUIXZIlUG5pNtk+hZEH+kToxmUj/RP PBJAn+u6aJ8A+lXWOtb74Iq3p9vvga6u+tDZGvQdzCWVTDB8Zjru4wHZW3OT7UPgTeuEPUmR YBtnn+bsBrw0NjB1Bv8lXl96lYHszIwdOd3AWtcyJucnsCc46jo8IXewzd+RBrmvrFtzK8Kb 5Lf709uCZa2lffJh8B3rO0eZCdbi9nC1Bfz64cPK976B5L0pjd4UgnrUp+4faF/vfsAjJycn JycH6m+pv6X+lr9dL6NwRuGMwnCg/YH2B9pDb0tvS28LrKu2rtq6ajBkyJAhQ4a8/y+QtWvX rl279l+P/0e3d3Nzc3Nz++/0hxPnGz891+4+haj4h60i10DlkuVHFp8COSVsU+w+oDRkk5gN bCBeHAHXXKfFeRP8Ovos994N7BGnpS/BkeVs5PocpJGSwkmQmivnlQogAlmuewK6LT6JJiPg S2NJD9oRta9qAfkjSjuaAUOk3vqPQHsg5qtnQT5MjPYGxPbcAqmtwb4tPSP5JdhfWc+mpwFN Xa7UdvBo7etSz+IhtVZij/j2kG9OyOchNcF/q//cSBUyvcyvPYtDup+rr/QAXJ3eNExfAt5D LIOzreBfMcg3/CQYd5lr+JpBq6kW09aCFCxCJStITx2dteEgL9LZfFuAJdq3hfcDeDw3q2Fa JLzIvHf8/jp4Pvrmrmu5kJ1se2YpAx6xkVvy54Khg19/z+tg3Zx5NfsZaMVyatq/g3BbRP2I lVCkV5kyReMhf/4Cr/KPAe+TvkN8ToDcQjkqTwLpc2kyu0FEqme0pyA6av1cBUHs5nPagKua 2COGgyjDK+aA9EbWy6dBdNO8teGg/aQN1IzgKscBLoPukPSK+aCvrZSWWoLYL0a5DoEo7Tgj moAzVB2rXgRXpvjVVQjEM+0m8SA9UadwEBhMuNQVxCsh4Q1ijMgS5UG8FU1FARC5YqK4CmKb Nk3rA9JcnPQD1zXxVvIB0U/52hgBclmP8oZE0EcYntpHgXzP8YutJ+j0jk326qAEOHY4vgL9 XnMHgzfkPtSN0NeCdGvW99lOONT4iO50FdB9pj9r3gD608o1ZSTkjss6m/EW0uel3UopCmpN Kd55BzQfrZwrGVxXxTrdUjBcNeyRKoMrRPPwDAA/nX8pLxNIO2iu1oWky2nfZU4CalKWVf96 +yq6qOiioovgp+k/Tf9pOtStWLdi3Yog35Zvy7fz1nv3k9uFFxReUHgBSCbJJJlg4NWBVwde /fd9gQysOLDiwIp/3vb/buK6uC6uw+5mu5vtbgZd07umd03/HRuuYQ1r4O7du3fv3oWYmJiY mBhwVnBWcFaA4Njg2OBYaPio4aOGj8Bwz3DPcO9vw2R2z+ye2R327t27d+9e6O/s7+zvzHv/ ud9zv+d+cHX11dVXV+ctrz6s+rDqw6BwRuGMwhn/uLjHCx0vdLwQZERnRGdEQ9fCXQt3LfzP H6+/vhByXxi5ubn9v+YPJ84vNqX0eXIezhS4XS3AAqU+KLEzcgDocuRX8mIQ34m2UnGgMy9p CDiIwQXqWc2o6UGqLy1iGEgP5a+YCOwhWwoAVlAGE1BetNfWgFgiLVFWAS4xX/0UdPc4ISqA OIxFfgLivujg9Ab9Qv1xz47gNKX2fNEPsgdcLHp6LqiFkvomdQZxUz2TWwmeN7m/4lkpuPnZ wx/f+IG0zd5AigFfUWqsdyHQv1DOJH0I6jS8vMuAwemnhP8Cumu6ItIFyNzlOp7WBhwbMwKS LeDv6dxoHQzmk4YN5rsglVIDDSNBd8a7cvBCSKrnlRKwCB5MTXj7RgfPrl6XrvWBx573jt5I BUd+xWnQgc9XBeYVyAE5TRcsDYCsFW9Wp94GX8WjurkxlChQK7LSRSh4ruTkwgkQtDzgXOAe 0E/Wf6jvCdJB1lIDxGJV0iqCSNMScIKwikHCDLLKd6wAZToLJQ3UL6WtfAq00lZoK0GsFEFa BOir01rqA+KoVIaZIJfV7omBIC6Lr9kJ4jB9tK7AdpFPrAWlmlxYpIFpmhSs5IL9c/WoqA4u GaOQQVuqLRZzQT2tTtAeg1aOgsIA1BL7NA1EazFT6guk0o5dIB0QbRkDorHYLlqB+B6ZAFAX iJoiP9BWpEhJoLWR+xu8QAoyHlS+AH15pby+PIjD0ge5k4FJzrqun0EaIt2hFii3lT2mmZB5 3lJA/hTsd9SJzuvgHeR7zDsGDPM9VY8KYD8kqcr3kFkq7VaSGXgi35OrgtgtpqkBYO1i2+8a BEnfpJzPGQnGC4aBymvw6ujT2LwYtDdin/oT8AeTVh8fHx8fH/Cb6DfRbyK8bvi64euGUIAC FPiL9d4lzvVO1jtZ7yTQmta0hu9uf3f7u9swpPqQ6kOq5yUyNe/UvFPzDjzxfeL7xBdaTG0x tcVUiF4YvTB6IVhLW0tbS0OhtEJphdLgju6O7o7ubxOg34pfYUCFARUGwItmL5q9aJZ3AVC1 atWqVav+7faNAxoHNA6Amzdv3rx5E8RgMVgMBnWVukpdBaXPlT5X+hxUXFVxVcU/cCHyez3b +Wzns53waMujLY+2QPqX6V+mf/n7t3887vG4x+Mg3j/eP94fOk/uPLnzZFBqKDWUGnDBdsF2 wQZXKl+pfKUy1KMe9f5ie62iVlGrCGffnn179i04VzpXOv/OT7efX3F+xfkV0Glfp32d9oFY I9aINbDPvs++zw6FKczvyX9fTHkx5cUUGJw2OG1wGr9/Qzc3N7f/n5H/aIBCg8y60HHwWry6 mjAVfr508MTZZ2A6arCZvwSthmjGciCCeB6C9KW0RFoCqLhwghggpvE9SCvEcak6SBDBABAn RRHxAUhTpE1KDMibRLTWC7hDcVaDVkJapHsDNNJ2uzxB2y35MQrUEpbGCfPBcTBhxP1ZYK33 0i/mKGjjXRHpu4AsrZP9OJh+9CpjWg91BtVqWNEDasU0dtX3AePq4JzISpDS1rbB8wBILq+F /jvA84XZy2My6FSvCV6bwbOyd8XIr0GsVuoFBEDm15mFLT6Q8bHlfPZPYH/oMcGnMiS/8W7v fw0enn9T/5UBYjacK3/mEcTsvLXkehg4ehiPeRwFc3jk8dAPwFXD4bCrYP3gbeP0e1D4qyhT yD5oVL35/DqtoeK56rcrfAdRNyOGRZYGrxeGqUYrKC20c9o60B0TxbTmYFoq95LXgr4KReSV oKsmPpeqghQrWvANcECdpwaD7gPtnBoJSiwLtEdg/EDpIo8GvcxeEQbSZ669rtvg2OTs7+oK 1iHO711pkDvOqajrQRsrVlMAjA/1djEBdAelw65BIHfSGmrRoEzXzroughIkZFEMdNfkXuSA cknuLnJAuiAFSWVAuiqNEbVADqOJ6AC6D+V4qT8Ytso6+THoG0svpSpg7CWtl9qDYaDUnWAw zJeuiw6ghEo9pOGgXNBlGi+BQfJ46r0azPvMrTzegscX8lapNJg3S9+ofcHXw6uGvgp4f6zL UbZAVsWUqJQHYK9kz7JGQ+idsKmhDyDybES1IutAviuumHqDPJ71whN0/ZTZyhWwjXQM0DpB evvMGZZ7oN5WW6vdQHaIBc7I99dQi2UVyyqWBc92PNvxbEfe8syTmSczT4Kzv7O/sz+Evg59 Hfr698ft3Llz586d8xK5IulF0oukQ48ePXr06AG+T3yf+D7558sbOTtyduRsaJ/QPqF9Atz5 /s73d77/7fXvjbw38t5IqLKmypoqa6B7ZvfM7pnQ8W3Htx3fwrXB1wZfG/zPl8Nms9lsNnBe dl52Xv7923k/8n7k/QjKli1btmzZf36/DzY/2PxgM1STqknVJNCN0I3QjQCpqlRVqgrVq1ev Xr06lD5f+nzp83+7/eVvL397+VsoWbJkyZIlf3s/73563HrOes56Dqznreet50G/Qb9Bv+Ef l/NU1qmsU1l5rw9GHIw4GJF33E6cOHHixAnYErMlZksMbG+0vdH2RhBdJLpIdJG89X7v5/B7 473rYU+JSolKicqLs3///v3798PZs2fPnj2bt/zdhcqpYqeKnSoGDofD4XDA0aNHjx49Ctu8 t3lv84bDHQ53ONzht8v97sLv7oi7I+6OgD1T90zdMxWeT3o+6fkk2PV81/Ndz2GH7w7fHb55 5X/U4FGDRw3++fPEzc3tf58/3OMsG+R1HgOh4e6Kxrp3oLq5cnrh9mB1Op7Y24IcL5+SjoM0 gp0iB8QR8VzUBO5whUvAXGm69BmIG1pt7TVQQosnC/hBPiLlAm0YLU6CeExVqR/wmFtiCrCN HHEDtBTpI8kI8jbXohQfSJ14qMbGX0CzXv7yflkwfV9rS/UaIIp5N/cdCFLS/R63Af9lxouG ZZBZRV/Ovxk4dhv1pkRwpjqme64ELcJU19AKzPUNmnEE6BroZnmOBPVTvnXuBkMT2UcYwfDQ p2/ACsgNsDw1tALrclMtY33IvRDQJ/x7+PXI63txpeHex2cfnHXCM/OjL56awFnG55rHQPAs FlDV/1Nwds6OtJUA/XYt2nUHyq+q1KIMUHJYhdUl4iC/KWpVvlPgsUzXWT8Zcs5ZhlvWg727 GCa+AcNWXXlDNJi+0B8ylALHVHs9+3eg5GLEC5RZcgCfgmbVjNou4GdphigKjrKuQFcP0KaK C9wFW0vR37UWRIBqFt7gaq7FUA7kZ9J0bQpI+bR8YhM4X4qiUk1QakgFRSEwrNG3EWkgpzFS fAFKIH3EY1By5GipBaitRSNpIDirqIlkAFXFIOkuSLvQ1OWgDKcN+8FwRNdYXgRSmjSR+eD6 Vo3RfgVptgr1QHsqPhS1QGvAY8kEcobUgARQO3AFLxAXxXkyQFop3ZYjQa1nCDZsAK0LH0kf g9Fke2CzAnbHDPv3wGPzTaUpiEzachCyC1ubWl6BEbMwuiDkk3yrQxaBtF/pbvgM3o6L+/jR InDdJth+GNSF8lGhQq4597TaCmx7rCbHA/DIUQbLEe+voRb5ssiXRb6Ea6HXQq+Fgmula6Vr JbwY+WLki5FQpH+R/kX6A0MZytB/HK906dKlS5fOS+Te6N/o3+ih0ZJGSxot+Yv9di/SvUh3 OHv37N2zd39/eSMORByIOAByjBwjx4C6Vl2rrv3t9Tvk65CvQz5IOJBwIOEA3K9zv879OpBy LOVYyjEQW8VWsRWoTGUq/+P9J3dK7pTcKS/R0t3R3dHdga65XXO75oKHh4eHh8dvbx8yI2RG yIy/WLCWtaz9h7v9L+ld07umd4X4NfFr4tfA0c1HNx/dDPaL9ov2ixDeNrxteFuoP6b+mPpj gMc85jHE7o3dG7sX7JPsk+yToNj4YuOLjYdTnOLU39lP3U11N9XdBD8f/vnwz4eBOOKIgzZh bcLahP3jcjbyaeTTyAee8IQnQLuIdhHtIuBE1xNdT3QFzxjPGM8Y6LWh14ZeG0DKlDKlTLja 8GrDqw3hQpkLZS6UgSbPmjxr8uy393O+z/k+5/v8/nj5ffL75PeBN+3etHvTDvyv+l/1vwq5 ubm5ublg72fvZ+8HpJNOOiQcTDiYcBDyv83/Nv9buH79+vXr1yEiIiIiIgJaZrfMbpkN93+8 /+P9H+Fy/8v9L/eHhtsabmu47bfL/e7CcmOtjbU21oIuQV2CugSBT6ZPpk9m3rMH7y48S1CC Er//NHFzc/tf6A/3ODtuGJ7GW+CpZ+xnx9uAd3Gv3l6VQL4qpmp7QLKLC+JrEL3EZWxADq94 DjzgKU9B/la6Io0AR13Ha2cPsO9ylnLWA1mTK8tvQOwSy0QYkEWWiAOpEn5kAOXEM+JBHq/h lCE342qxM4Eg1U/Pyq0K0vDSrSu6wGd8k197bYFgS5sjAz8A38Eto7qUgODeVXpVzIbQ1IC1 3h+AcQI/KoNB/cR02kMFZYfumikWlL2612YB9qualzUc1F6OCeo5sLe1T7YUAVsXS4uMPeBV InB4cHVweRW8UEqG+4Y3X72pCTHrzu07ex+edXtUL6YX2Bd77zM+BtNjnyp+PcHZOSckNxK8 nihT5aZQY1TN11XsUPmXOksq/Qz5e+bvnq887DMcrn74BaxN3fzrj6vgh5E7tm3/GtZ4bZix YQ2c+vXC0bMfw5tTSWfjvgPDUZOPXB9ks+6kbgq4rmtnxGdAtLxU1xvkt4ax+uGg/9DUXL8Z PE4YPtAPAcMQxkkXQXogvNXZYBok54grYGgiz5X2AKPFNVEM1AZqAdc4sO50fe0cBNZvbPNd FUEeLOpJZcEn0/xauQGmBXqdVAD0emmKWh4MxaRp6grwqKF8T34wL5M/kn4F/RY5iu6g7laf qLvAsdKpuW6A86iaqHUC12SytH7gmkcbLRacqhjiygDXdW2E2h1cFnWJ2AmuNqKN9jM42on6 IglcSWIExUB+rfPUdwfDVtNXHh5gemI8Z9oCHisIFmXAlGJaJ7UH7xBTvDINsk+lN0l9BJaJ lhPZ9cDvaMgYn0NQuECB6wV9wFRZf87bCoYY4wyPTNBmyUNN5SFnU+4wUR9cg1x7zTPfX0M1 /mD8wfgDhMeHx4fHQ2xwbHBscN4QjaLRRaOLRv/+eO96QN/RrmnXtGsgr5PXyevylktDpCHS vzA29a/HYP8j73oGnzx98vTJ07we38qDKw+u/C/0NL8bWvFuqMe7hDVncc7inMV/+OP4h1wu l8vlAssZyxnLGehSsEvBLgWhz9k+Z/uchcCXgS8DX8LJYieLnSwGuUtzl+YuzRuqUud+nft1 7vMPL4TeJYjNJzef3HwyNAtoFtAsAK4Pvj74+r9w3N55/fPrn1//DJUGVRpUaVDeBRY3uclN qHil4pWKV+DVT69+evXT+4/3LgF+lzgnH0k+knwk706GPFweLg/P62FPmJ0wO2E25MuXL1++ fPByysspL6dAyV4le5XslVeOUpZSllIWiGsT1yauzW+X968vLCNmR8yOmA2nep7qeaon3L59 +/bt23mJc4vmLZq3aP7vP6/c3Nz+fH+4x7lc6/zba00Gg5AfZPrBm+KJHoktoFi5olsK3YGs ajkds0eC/oT+oX4kMIHNVAb6EUQd4JK4wnXI9MiIyDoIATMDPQMsoHUTpbUokLZKEdJIIF1c EbVB3GUM20DaKa+WPcHVJLNMsgLW+rHh8TfAmZAWaL0FwZf6rRqwC/TngrtH3AHnCHuq3QrG LQWOlVkG4iP7F/br4N+16my/NPCYdnHLk6bwqubLC8mrwTaGKLkmuKo4AuwnwbDf4C0sIL91 PlOjQDqoRtuXgVRBCGkz2E56HfL8EJ6/TnqYNBUe2S9PuHgSniY/Wv3gc8jq4rHceA18k7zq e60AOcXayH4HfGwerU0zIOJh0eP5B0Lol0VP5VsJhjv6HcahcOfBvWP3e8C9pjE5z+rA6/jY M2/soIxQtuhfgy1TfeH4Eu7qYz54ngWHvzle66QfVNld0VJuHJRoWPRh4VxQPtYVNNSHxIGJ uYl1Icgr6EDQUtA1EU/1ncE8W6+qXhBSKnROSCfwfGCe6V8NHJ/YLzs+B+ceV5jrEDg/c+Vo nYEGcgvlC1AmiTrSAJADdJ/qLJCWlHPYUgoyG2Xpk0+Bb1fvj/1WgGGXcbkpBbinmPgWXONd FV0/gnOO6zybQe0qBoiNoI0WX5EMaj/xGd7Afp5oK0EbLxCXACvp/Ap8yhjRCuRa4iO+AjzF MdEURGEeiPMglRWqKAvqEPFY7AHhEudEDMjT5NfSSZAKGoubhoDhOy2Dk+A1yN7SehxEsqEo m4BCIkgpDVl3U18mbwTPZv6DXAL8lwS09ysFocfFOWkjJJ1IvPr2BDhShLAkQUZAVmF7JdBe 6T/2PPD+G2yxnsV6FusJt9bdWndrHahX1avqVQhYELAgYMG/HjeiXUS7iHbwZP6T+U/mQylK UQp4uvPpzqc7gbOc5ey/Hv8fSUxMTExMhB7DewzvMRzMKeYUcwrExcXFxcUBhznMYf7robt/ lFC+u5CwGq1GqxGMtY21jbUh5EzImZAz/756vGO6b7pvug9Vo6tGV40GQ11DXUNd4B73uAeV HJUclRywaeSmkZtGQtq1tGtp1yB5TvKc5DmwcePGjRs3/m3cd0MJunXr1q1bN0iZmzI3ZS5E RUVFRUWBiBJRIgqi50bPjZ77r5f/3VhpubfcW+79d1b4z+P/7uFJylOe8u8vXkhcSFxIHKQ+ Tn2c+hjehLwJeRMCYSXCSoSVAOWIckQ5kjd0ybjduN24HUzJpmRTMlhuWm5absLG6xuvb7xO 3h0DBQUFpPPSeek80Jve/J3y/PWFZYvAFoEtAiF1dOro1NHw9tDbQ28Pwa1Xt17degUc5ShH oRWtaPVvP7vc3Nz+TH84cY6vm/zZsxPQ3KNOVDsFzt++8uxKCNi8XD3sNaBQbD41qhYowXJv ZT/QVVQW20B7zWZtFGhl1SzXXqCR6Kt9C9LHoqI8BuSlLJang3O3a6fzFsgF5CSlBUgRUhQD AadkwAy8ti21jALRzXrNXhw8TlcoVz0X9B7hZYrWAO217dfc7iAFKHeMp0F8gkVeAS7f1GBL ezCWDu9XuAb4d6w1tdTP4Pwx+0tbIKRHZi9xDQIaG7/SpYHWTPVxtAYmOQtnHgNKqO3UV2A/ FtGt4CR4sT/7tb0EPC14OfLiSXgWca/brWxIG6ovpV8NHi1N2b4mcK109naUBPmQfFN6DspW nwP6FfBi5pslLztB3OmkT+OzwLbfVtrVHeL3Jf6SfBNspa1lHVVAFyd3VOqBmiKaOQJBtHZl iJvgChN6cR8ydmdH2b+HAz8fO3y6P1y0XMm8XgvkZ/JKnRVyDuR+lHse5DrSaKkkmPObAs21 QBxgp9QGfNr4XvIoBd3fdPBuWw38fXwHBQwEQ1d9NaMP6H807DDUhqwR2YtyksEx2/m1Mw3e NkrpmhgCV6tcr3t7BKSuSRuV6g/BZ0JLBLwGU5apqPkX8MwxbTX7QkWlfPXyLvDqZvT1vgTq Le1zrSVorenJVtDGitlacdAGaTLbQNwWLUQFkD6RRkinQRupfao1A+GLygPQPEWEqAvaMfER H4D0kpqiGUhDtR8ZAtpAESiSQK1JdbEDtCasFzkgW4wLDZdBX40e6o/gUdNa1fYxiPGGqXI+ MNfQ6it9wSplJqXNBTnXOE9fBCI6FiC0DJQ6WvBZ5Ifg84XhjnkpmD/wKKP3BQ9d6JqIhQA0 /COzavy1dwnSmZ5nep7pCeXnl59ffj6/ewjDb6lbt27dunUh2ivaK9oLft35685fd0LhwoUL Fy78Fz3RQxjCv2F2hGq3qt2qdgv219lfZ38dMM00zTTNzOthDw4PDg8Oh8ttL7e93BZqUpOa /5d473okK1CBCn/5RklKUpL3Lrtnds/snuC9zXub9zYoWLBgwYIF84YGVKxVsVbFWnk9+A/1 D/UP9RDaOrR1aGvIdyDfgXwHfvvw/tbsFO/2l9IwpWFKQxApIkWkgO8E3wm+E4BBDGLQP1+f /B3zd8zfEe7UuFPjTo28sdrv3K50u9LtShDVM6pnVM/3H0+WZVmWIXha8LTgafCwwMMCDwtA h4MdDnY4CLp5unm6eXCx38V+F/tB8ezi2cWz8+L5NPJp5NMIGu9ovKPxDghuGdwyuCVkn84+ nX0a4jziPOI8/nG539nVbFezXc2gzdI2S9sshdK20rbSNsjfM3/P/D1hz8s9L/e8BC5xiUvv ++xyc3P7n+QPJ86lyxVrVXUG5M5xPM6+DN5jPX41fwLJO+P3J38K+TxCfPzjIetD6zGpE9ya eW/PlSUQVNv3ZVhhiKn6us6FLhDh71+2YHOIvJBzpoQOCsQV3V2wPRjX69NN40A8kHK1WHBK 6mPXbNC/EOliPzBKtuAFhm/yzQ3VwMtYZ37jDuBqKQdwH2SVB+IAUJy7WjDQ3pirpIKugX8T f0BL15fyGArmgBJ3S4wAvxLxczMyQGtz7soNJ1hjtZ+lOuB6kPM2NQAso7OfOwPAtb7QwdJv IflLz+k+peDVjDv6a8fhRck7C25aIOW5NoX+oDvu9dRrPhgsSje2QtaM7Io5IyC9gXrZNgji J2a0fVsAXCMdPtoGcFRQy2oHQIkzTDdYQC2k9lQtoA1ydnbZQF4u38UC2mbXClcHUFuJc8ob IAdFfQquvs55ajqYq5nqe20DSw1rqNYM1JFOW+5IMA007jF9B65Mra/qD1m+2S2sOlAzXW2l FEgqk2rKaghrx/yYsbMD+Ez0Kel5HsrtLxFX4iNQV2kbtNrw4HmM16NzoBugt8gNwVrd9oHt HFjJ9XKcBMyipDwEtC5KC/kUOE47nqTvA/HANdDxCRiKG1P1HaGIo8DrwpPA74HvvYA5IOao D7XBIN1BEhdAv0LpqmsOrlvqMuc00DqobykALBYuUQaEnTNiOdBcZBEI0kS8RX/QPhcz5fUg 2mjp6jcgXaE8NUALVVuqC0Cup5znLqgLpLMiC+inVwx+oO+pDdT2gjnWNsxZAfjcECLfAm2v qK9bC9ZH6WVSF4Kc5L3Xoz9Um1FvVeWBUPVNtWqVbgHnpTJUBi1KFOfeP92c/iGlulJdqQ4f Vf+o+kfV//H6f51o/da0YKkFUwumFoSWsS1jW8aCabRptGl03q3wGFOMKcb0r8f/vcvLZpbN LJv5/o/bv9ueFnta7GkBH/ERHwE1dDV0NXRwvvD5wucLw1avrV5bvYCtbGUrhLQKaRXSChr3 aNyjcY9/fb91R9cdXXc0RPeI7hHdAyhKUYpCA2MDYwPjvx63nkc9j3oecC76XPS5aNiWsi1l W0re+8Gvgl8Fv4J6m+ptqrcJaEpTmr7/ePmT8iflT4Lkuclzk+eCVwmvEl4lQBevi9fFg2Wp Zallad56hBFGGDRs2LBhw4Zw9sOzH579MG/ozLux7rUX115cezG/2eP81yoOrDiw4kDYH74/ fH84SBOlidJEkDpJnaROUP9G/Rv1b/zh08jNze1/Aeny5cuXL18WokaNGjVq1PjXA2lBrkHq dUhNTduQdAk8Bpmf+u2Duz88fH5qDMS6Yh1pvaCIrui20icgsWt2p2e/wv0FzwufCYbwFM+N +cPgdeGEqfHHoGVs3cN9i4N3qFc7023wM/o89y8I/leCZoW8AHWJaCFmgbo25fyvj0BNU7N1 VcEwOXxnmZkg37I/VyVQY5QZ6lgQslRWXgI6P/Ub6RGofYxt5MKgOyFvU26D1evhhlu3ILPw /sAjcfB2RGLTzG8gu6J9We5TcLzMnWSIBF1igXIlraCmV9pdOgCeHXo0/84cuBN2LN+ekfDk atLgDAvkNvAw+54H3yOeAZ5fgr27daO1CqQUypiZ2h4snR0B1gega6fP0t8H1a6liDOga6O7 YWgL2iy5tpYCtFX1og44ZtnnOGeCOCbqa71AipBq4Q9amBYtSoLwFsHsBZElojUZ5MdyF6kh yI/kfXJ7kC/KA6RqIE2Xlkm9gR8lM73BMc7xRi0Phmh9G2U/qJJ4o90BaaxorjQFySV9zi8g hUr5tX7g8iZJywJdsmzX1QfDIP0leSao89SToinID6XjSn7QtrgixTmgE3OFDvQnTbm6nSB6 aVvVCVBwdlSlfCcgdF9oSPA2yDc47Hh4CQh/G7I7LB2cVudw7RPItGU2Sd8LgWsDFwTeBckg Zeh7gVxB/kT7AtS7/x97bxmntbUubl8ryaPjwwwyuHtxd2lxd9cChRZpgWLFpaWlWKFYcYq7 Oy3u7sUZGJhhXB5Jst4P58w7+7f36b+bwt49MteXmSdZWbnXLcmdOyuJsVq/ANIiG1lGgr7a qOT1B9FJvBbfg7pL+VVxgbeWZ4xZGNQSWiGzNLg6exfJiyB7C6vYDdoiKpm9gE+8NfWuoI92 l3JfhZQlHs0YDq4lRgz5IKGne4K3K1h0+2DHEMi1MFfu7Ceh6uMySonvoEjnIgvzzwE1yqep 9Ro4+luzOv4HJIK/JP6S+Esi2FfaV9pXQhlZRpaRcHnJ5SWXl0Dct3Hfxn0LdevWrVu37rvv 738b27Zt27ZtGzRv3rx58+Z/tTTppJNOOum8b86ePXv27FlQe/fu3bt37/HjUx+qeFu2//LL hJllwWX1lk/ZBqK2ctLnLjzk2dB7t+FCwK3fzm2A0O/9zbyxUHt1jRHVssEr+bLp80HwvOGL +o8Lw5sFsfNTQiBqcFLJyD6gPRR7o8Ph+f2XCyPXg/lhypuUjyHn3BwPcuUAbyHGak5QB5gD XXPBmsOeGPQYzFNqRV8FhK9q1b8FxVTzOmcBT8XnrALKiUO6Ad55d0ecKwVxzU/uP3oH4opv +HTPXoge+tvu1wHgcTEvuAYoDZzNsw8Fa9msYwrsh8B2lQqVeAyvlZj4p7/C9U8O63sbw6OU pzlefAGx/bWvfJ5CwGwf034Z5BS9kr4bYg4n9ImtCgkXkz9PrANMVG+LAaAFKg/EA7ANtG7S hoLoIG7qp0G5JneaK8DbxtveUEEvYtzSG4KcKUfJZWCcMO7qHwN7UE0Bor3SnoMgFXnTrADs l0eJAPO6ecrMB6YuHTInGFOlkB+BHmts0HuBrCifmb+B5ZhWSFQGWU0clbdAXpO1hQvkcqOZ 0RNMq7naDAbTSUk6AfvMVuZZMKSZ1VwDZpzcLteCDJGT2Q9mZnOCWQ/MivIX8xmYZ81w/QjI rOJTNQxet4+clXAWottEf/lmJ3gaeDumPADjrB7sDYfQE6FPM+WEiA6vFkc4wLrEtsU2ECxh lsb2AHi28lmbxwYoq9Wq4jIk5U4p71kHl85d3XJlOkTliboQVRW0QtbV2nLwifIpZO8Ar7NF RcVWgnOfXyp5pRFEzX9TJ2IjZPwtY5uggqDdVG86ooEIZa/yEtRcFDT7gjHcXKoPAcLVu8pP kFLRNcpzDYzL+gDjV4haFj8/IQo8+VNqup+D75eGXdwF/x4ZA4JH/dXh/seEngk9E3om7X3N p+aemntqLpjbze3mdqgWWy22WizYctly2XL91dL+9+OPXhuXTjrppJPO/2zCw8PDw8Pfw1SN cz+d9z8u4PH6nA2vFQfbECOhxFgIau/bKigaXk90Pbt5BYLXeJSgNvDk8JPZj45B3Dz3wwQD zs96fPhZNcgabbsdZIF8W0OalLgFr9TXlZIWgS3cPjBuD9ws/LrNOX8oPCbfqSKVIHBAVk+e E+Car33nNx9MX/mJsh7UaaK0cRqS895Q9vQAy/IM/fLsAK28/5OgO+A69bLGby5w33pcMiIA xC9aiG8k+OSv4alTAfy9GVOy7gD7xOBOQV0gZs3J3dcKgDkqaFTAXXipmDmil8ODfefqnIqC 54OeBDyJh6ihGOpZcIY6D9tNYIX4UeiQ1DKxQsIDSMyUHJD4DJTPrTOUuWCfb99j6QFytBEu X4OnkzHV7QsM4gBvgI5mb/ERyAdmIb0OKIPFh8wCo6/8j7m5c7RsSmkQI42H5mdgG2zLL34E M1HWUKMhOT4pUTdBSVZnYICcQj3lHphDjPvmBRCfc1G5D8oqsZQfwZvLHWdGgnGHUhQGDnFH /xy8lc1Tsj5osfyktALGsFoWBdPLBlkVxEzztLgI4nvxiiAQ0WQ1C4N8LvNTDWRR+nMWlJJ6 I9EbNH9LoDEDzLOyqpwLiRmS0M9CxOpXpV6tAqfdsczaAej14IS6CewDnQ2dLeDhN4+zPbkK Hs3TxywJruuuhQlfQuKmxBoh7eHVk5iTMQpEf5cwI3YVsC5+sLYIHhUOn/vUBiWPfyDy74Lw Y8+mJ++HSL+YPDE1QdSLXqcPBaWZOkmeBrWh8qXND7Snln3yOuR0Z3qdZSuYnZlj5AQtXAzT RoO9pnZc5IMEPW5m7FRQvnQed7SHiwl3Wj98BU9WPi36YhJ8TNH4fH91tP8T+FT3qe5THZrT nObwN//8J9nIxp+4sE4nnXTSSSed/028c+Ls6mSr7FHg8VdRXV5HQHDHgL6nB8CDsU/vpuhQ /FzIw9ohcNBzoen6POBpYBw1N0IOsvvnqQ2ZA7SjGYB6jcv0a9wZaq6v7a57EJ6celLmoT+4 T7nvJA8EF7HZjFrg7aUfcn8J+nU5zqOD8sTyyK88UMLYqX8BIrsY7a4GnuDfuDcd3iStm70z GULqdMjWIyfY5+TJVcYBtl25KzsTQb1uraxOAU4rxbUn4B0QXeBFNCRmudDx7FjQqlk3JUgw Dma5E9YDHt+/vODKHnhW+kbpa7ngdc6U2e6DIGc4/H1fga2p9Wf1B0gumdw08Tm8qZ3wc+yv 4Lmo5zVOgJghjqq1wRPuyuz5AvQW3rVGEfAuMgvIZSD3yDixCmQGaTIRpEemmH1BpIh2BIKI VjvIcSDaskysAVsH22eqH4gaZi7qgFTMICM/WOc4HyiXQG/pXmWUBTOr/tgIBy1cyyPKglwj uxsXgI/FHTEGjA9ltLwN+hK9orkE5AAG0Q7EIDVYywxmFTleClD2yxViIsjNYob8AmQVc5xZ CZjNYT4HESOyi1eAITaJGaAvMuPNTqBGM1gtD2Y9TwPvQVA1SxEGgRqntdJ2QcyAuIxJ/eBS hatzb92AXAty3Emwg+wrb1hbwpsO0U+jc4KlgmW8egz88/l95ZcLPLu8eyWQkJhUOD4OkryJ 3RNPgjFFfs0acB1zByTkgxN1z9RPmAVipqyujgN5jEJqIVDKKN8rGeFB70e3w28BtcREmQLm RG4aP8DrLK+qRGSBvCJbw0ytwP9zvy8ybQNRUC2lVQR0/Y7ZERL8I3NFfw4cFMfUw+Bt73nj TX3LwOC/OszTSSeddNJJJ533wbsnzuvNMQRC0qg3Qa44sBgxKfYrYGvoMz+wArzwE/WuecHy QaaeekNIsRub3nwOiateWQLD4ZO4lhn6jwbfZtZdPp1ATGauOR3y9s7TrJAboh7HT33hhEu3 EmL2/AwBm72TynWBTAXV4tYPwR3j2aIngFiu2W1fgdGXZYYT1Nn+vfySIXBVlU8q7gf7L8Xr 1ggHUc60eiuA7Gwe02+BudFbhJHg+fBV+dvjIK7hzpHb/cDTMfa4nhn8FpbfWqMBvHQkjY2P h6fei0NOj4eITdG3YipCclHxQmkJ/j87ivhkBhmgvzDqQsL5xAwJS8B91ThjDgS5iufiLgin edvcCLK+iKEtmH5yAe2BH2VJsoJsKe/JfiAqs59bIKrTChfIL+VRqQNLzBH4gnmTOXI6uB/o g/RE0J6JEoofiO7iA+zAd3pGvTKYFuOh3ALyhlmcmyAClKdKfpB95Bm5AehMKSUMjN9kFrMF sIFy8gWorUVvRYCIEj3kBjBbSB/agVHOiDNOA5JCcjOoU5Qs6qdgfi3bmpNAbpRb5UQQP4iG IiNYDol2XAatn6UhnwIFMPkR9K/N0twBdyl3ojEB5COzn6wFIq/YqFSEewd+q/w8AnSX0d/I DOoIrbF6DpQEJb/yC0RbYhfHdYNslrA5oc0gpnzcm9jsoLczM8h24DnlPuiNASVFLa42A08G zyD3BaCFOUZMB+W+ckndCpqvJpRtoEwQFVkD4rqaXTVBNpIRYgu83vFmXdItcHxnXfomF1iH WwY7L4PtvC0qICtIq5ZJ6QXuePeOlBaQUiV+eNw2MPY4w6yVgE1E/tVBnk466aSTTjrpvB/e OXGO/+pNg+SxkPmipWXR4tAnsEnk0A5gfRi0yFsDDi69UnDtLPB2dnZwXQefI/bApKawsfmp obPGQ5cizqKfPwXX3uQt4jSc6bEz5rAFnHd9FoZooNdQdhmTId+g4It5r8Hz+XGrIopAaKGA 2c+vgq8jqE2mcDAbm8ONJaBsFP1tp8AyMWxpnk9B+d6vflASMFwpKgXI254j3logyyoHtWOA S1sj34A3+UnSnSXgmf16auxJUEdliS9YBTyJwVf83HB3wK+/HNkAz5c92vVgILyuoOcyC4A2 xzHVrw2oY/hYnoS4m0kp8Ycg8bKrtGswWNrZTPUQ6Nf0YsYRUKxKvLgAsh1rzRjwbvZuN74C DjBVPAM1WqujfgpmQaOQPhL0SXopPQgUm9JXCQSWymFiDpj3zDzmBvAekWPkHvBIuRIDFIeS SVwGfuaq+BXMdeYDcweIUTKDKA7eGM9I/TjQUpQSe4Hy4rhsBUaMXG1mBXWwGqvsAS6KYbIC mI2NT4wyIOvIzihgLjNWG9lBzap113aA3CCPmQKUKmIKu0DLptVR74EcKjPJTqDuF7f4HtTP tdl8BXp740s5AFgjc+ELRlOjlhEJymZNUw4AVZlj7gC9r3lRaqBEaPOVbKAHSa+5F5imn5I1 QQ/VX5lr4HHbJz6v3wAPlC3yBYjlykdmJrDett5QPwTvfa/HXRCMI0Y3cxGoh9Qm2jKQQTLA BMRGo50yEMylYii1Qe1OitwJ5mj5sfYFyMfmS6lCxA9Rw2MrgH+oXxmfpZD5i+D2NjsoWblh /QzUDiKz+AK8SUkrEr8HraP1ju+Evzq800knnXTSSSed98k7J86FBmcaU2kn9Jdtmw/PBD7+ QQUdX0NU/1en3uSBxByRefxuwZ2uT24/LACvXr32efEQlLXWfBlywi7L2SKH+oFzivqzz2CI /c479mkGeFnf0+K305D0c2Jo8iSIT0w882ot+MV5tvhMgex9slbP3BCCKmQysiWDe0dKR08P 4DU97C5Qh4Ucya0BdVJmvtkHyjnjmJEJ9BLKMFESlAPyEZeA8mZRlxe0gQFxPrGgqpnm+PaA DLcqf1e6DbzxcWVPssCz85cOXugAEX3iva6skPKZWK75g62sOd54Csnnk08n6hCbkjwufjl4 mpmjjO6g9tZjpQ5ypVzHj+At6o0wu4F3pOEykkCZSZC6DEjiMfXA2ONdbhwB87UZo+8AbZxy Vv0MRJgyVEwDbzm9o14UxGaqiuIgnpnPpR1kPxEn+oKRWY6QQ0GMZaC8B7IsPXGBvCza0hrU 4SIQAWYuc49cCvKRsoqn/Mf7RzeC2KE0F2dB7BRTyA3ymv5ERgB1ZGtqgubRNmnBIDYoVlEI qMI0eRtEBVFABID5sVnMbApiLh/KFWBMoA4rwXvMpcmOYBaTV2UOsK7SViq5wfzVHCE2Atlk Q8qCXCHGUwfkUzlfBgN9ZR7zAogbcjPFQGY2B8pjYHbjEjPBu9Dcb9QGdbX2sRYCErO32RnM D+UBowHIeWYOeR/kN7KVzAXyhFyjzwalr5hmzgcmqF20K2ApaSmrANT8j2/m6pX0156uYFtp 3aZmh5Sz7m/FIAj/4HXXyNbg88D+gY8bfE1ndPB68MSKCSIYzALeSPc5ME+kHFNuAy1p9VcH eTrppJNOOumk835458Q5l8xeL+uPcLb31cTjjeHYvfO2wzng+ciYb8IDwLE2Q+WYKeDfMXCz owXEKC+Ge2aDbxfnUHsgJGRzzXheHRI2mWcSgOwt/PoGXAf/rwOSyyaA776MyY6sIBy8kjYo N67E2iaX4J7lds7zv0HOZwWn5C0J9LQcsLUCaumFXdNBiw3IlPknkNNsi1gL0jQ26DVAlBN3 lQRQHsphRlOQRaTpeAq2snm6FasLGRZlDMlrgM/QzHvzzYBrk1f/tGQsvAx/PObJAYgZaxTh IzB2ihS+B/fKlJFJI0APVkZRA9xJ3kbGYjA3mdGMAvnE/NxcDmZ9M9RcA8ZE2UFuBaO0mcls A+Ijpby8CSxlPIXB7CsLma9BbmWe6AhmHK9lJhCFZDnWAqHkoB5IX8rIbEAeMZVNIHpSWFYC mWD2l7HAITGBF6B0lylEArdEd5EJ5FcUUL4GsxVWPQXkJPNzagCFGSjWgHFSD5IXQP1BLS6C QH1hqabcB7lNdhSRwEA5VPYD9tCYySDzmHa5G2iqZJBrwLxkVDIfg8xqHBddQGTUuimxYC1t DRU24BvraeUJKDX0ffILMKbzrZkL5BTzjbYGOE0vZgBVyWFmAKOV+Uj+DKjysBYCYjsWkQ3M XrK0PhDkKDzMAUqYsUYOEGOEVcsF+kL9OW1BKSICRB4QZfnY/AhEDpnN/BjMETwQ98CYbpY2 WoIorusyFEzVvCu6gPG9PlCWBk910R0LKOu1WkpmeBMb7ZcyGF7X9At5EwPOqfYo506wvhBz nMch+TOxzMwFngMpB90B/xkkt989UO/evXv37t1/xyEhnXTSSSeddP73UrBgwYIFC/757d85 cT6W/eb6XSvg6eXoxXEDwVnQ2kP7EfQnxhGzK4iw2IVWAzKGZngVUB5cX2W0v6gJmTt7chYu CS/DEqZEtAefB9YQ60l4uP71B8Yy8JsfVyFCA0s3bb7uAM3mFMk9wbP/QR+5Hu6svO7c1hYy jsuaoDeCCpdrXOj/FSQXTbGmDAPVphZ1OkA0co7L0gN4LsNlDVBqEEJ/MI8Ji8gCMpxo0x/E Bu1EpkCwd8301DoI4rs8G/foA7jS5pfcx8vCm69TMnhiIXkN88V0cO61BToDQM8uNokASCrp up7iC95F+mJzJYj2Ikk5DUqkml3rB2Z7fapnPygXzZZmLCiRagklF5iNzYfyBJCdygwHoQiP uAvMltPkJsBGMT4Dacpi8jSIb0UlZQzIXrKrbA5aHcsErSYYC80B5odgzjbrmzNArSwyilBQ bit3lFZgvjCD5HMwm1CarUf/b/QAAIAASURBVGBJsPS0FQK9gpFVzw6mYUw2WwLtpZ0RYEqz tXwNwGQzMyjxSiV1Hyhj1KvqSTDyGJ2M7qAWFgXEZpBZzRSjHMj18iUXAVOtIi4AXwsL/UAm U4YYkAs8RU3ALGZUN/eCjBZt1RXATY7K5SDPyY9kf6A0reUKkDeMYviD+Elk0YuB6K0oygWg oryrbADzkHnerAVkE1H8AGIktYxdQDcZa24G7wfMMT8AcUAuVzMDhylsngKxV+1mzAE5WBul LQWjpNFXbAS1gaJJXzCXyxAlAegi8vEYLCtFRaUOeEvo4wwbRK+PGZRYGkI7BtkTLeDbx4n1 CQirPp1soJ/SKwg30IXn/x0CPZ100kknnXTSeXeUd+3Atc6zL9INxW05bWZzKFm3ZNuEJpDl 1xxlxK8QEZly3TMM7vb/bURERvBp5rqn+YE869/7zTnI07BQwXzlITIiuYzsCGYRbiR/A1FL Ei/e2wivbie0e/I5RJdK3vbiLFy+drXXsWLgMyCkdL7GcIYr1fdXgoStEZ8+HAiK1TbJ0h+M r2RG/QWYh6hnrwjUpafIDlSkgTwClKEen4NSwVwpxoJZhfvmTGA2073B8Cj2zKozURDe7LHf MytEDfMslZ+B9pXtobMOBOzx+dB3LKjLlZ+UO2AGSI3HYI235bCNA6Wuckl9COZSc6sxD5QN ykZlKWihWkGtCCgDlI7KERBZsfAUxF2xT3wJykdKN+VLEDnUIqoDLFktxawXQT6VF2V1sJSw lNBygf2k/ZT9Kli7W5pYPWCrYbtoTwDHWXsfx0hQVik7tP6gVlfraJ1Bu6Hp6hMQe0RuyoBy QPlEXQsOi22ePQycG+13bcXBPsd625oLrC/U4ZYzoEyQKO2BnUZ+cw6IOub3cilYMqtb1XEg TWpwAYwoOZc7YH7DGNaDfGSGmidBJFKVGmDU1zPLXGC2dofJKDCPGKOVayCryrM0BFFb2JXK wCIO8AlQlIXiNYgfxGg1AUS48BU7gQUsYhXQli7yBohK4gNhgJxgFpYtwbSaRZXWoKiKxdoD LMnaFudpkBXNfcodMF7rpdkLTGKzOhKYba6hMhjr9fJmOBhCjzctwBH5TDYBo4D3mP4YjJ+8 mcxdoN83huu9IarPm1mJpSDmcVx4YhOgtbS7B4D2hdKNvWDUMjPrZf/q8E4nnXTSSSeddN4n 71xxdgyzX7CPhfit7mkJjSEsmY+cXcFngnypfwRZwoMa2eMh9Ko20H8h5GiVwao8gd82xa95 tRiyf2ovX+YzKDq/5JrsUfCkzLO7Vx9B4ul402cUaFhmWPKAetfSOSEIlOPuzbZZEHTQXwlY CRGPYgsn14O9NQ7UmBsC7VZ3vDY9LyQ9kUe0RqC0EtFyIMhs4oGcB2QkWukC7BHtZGswy9NO 9gXlgNJGiwZvg9hrcWXghnq+15kiEDUkKTRpKSR55TDle3D2drT0CQVlr3xpnALvOPcpdx7A IcaLraBcFt0UAUqcUsMMB32+56Z+E5Rx4qbiAtFcK6NWBXrIDuIHEOuIM74EaeeIbALUprs4 Dubn0kI4mE6zrGwOyg/KCvUnUBXVqdYDIYWpnAJDNVzGEFC6qzuVH0FsE8eUM6AOsRjar2Ae Mkubp0Efb9TVb4M2Wx2vLgJjmZlkXgYmywLsB8sEtaoSD+KpEq9UAaWB0kWpCsYNvYP0ABWY LJOA38QKpoKYKgaJq6DNtrVSfcF45nrguQTmYT2zngWUioqPUh5IML8V0WCWFDlEJRCzZSkO giyj9lKfgpZZ3ag5QCbJeDM3kIeVIhNoN5RR2odAV4HMC8wUw9VRIOYwhjogbMpA2RnEc16J JyB6qwtEHrBetJXw8we5CruoAuoCOip1Aa9ckHgRvDM9I1IegDnTaKCYwHDzK/M5KNvlNfYA NtFfNgMz0FynTwV1vdpRSwBxSuZXioHjmGOIfRko67UmtjuQMCWpgHEWPIu9zY1AUJup/mIf yAhp9y4B2v7VIZ5OOumkk0466bwv3rni/Lp7ZKaULWANsk2z94JgERKZuyW47EpU3CWwdKWo HAv6OuvSlNMQEen+JiY3JPdLzpuyB66Vebn+4F24V+P56Gu1IT76TV1ZDixRjnH2e+B0BJ/x XQps0s+r50B2MnoZ9+BRgfvWZ8GQUDrmqtoLXhw2Lj6Kh3urHg5ZvASct+03rPXB/Jp6hgtY xhX1CHBFPJQmkFEu5wdghdnW3AzWuZZaWjK8Hn6nys2r8LTTg54PPoE3UZ4Tuj/IIDHdooEt wPZGbQauDZ7KnmuQXFPXPNvBzC2vmVbwrPSU854EY6pxQLeDdsryxLoQvMv0SsYGkNI4ay4F W3NLCeUxKMe1rpoNVE2tqV0AyzhLE0t9sBW2fGYJAq5yVVYHilNSdgAG8in1QOwRu1kHspbM YdwH188pI5LfgLe7N9DTE7zF9BdGX9ANI4+xHdQwtZiaAsoNcUGZDspn4jZXQCpMMm+CuKyM V3IBY+QaOQhIogRjQCxRUrgCcqfIxBegLde2aydBn2h+b24FtYlcLmqAbZi1lG0KqM21+9aa oIZoTvUHkGVlEVELpMWcaC4HM5yp5Ab1RwapCmhPleYWPxBrKaZ8DWaMaaUpGHuMZ2YAePt5 u+hbwLJC7NUKg2WJ4mO5BNa91s+dj8H8xmwii4BZXN9p7gPPwJTbiTPB80nyg4RykFwrqV78 MDA+8C7VK4FPHT81MAWy3MkaWaAgBK0LXp7zItg6+fTLsB6cgYGNMn4MIftDp+acCYHfhnTK nhcc/QLGh/QDv6pBA7I0g4zHMi0Ms4Hla8eqwCLg7apvUUuD5Tux3FgEWidRVRvzV4f32zOs 9rDaw2pD28NtD7c9nLZ8et7peafn/aul+79D2bJly5Z9izsWf9/+r7LXv2q/cUfijsQdgS83 fLnhyw1Q7Xa129VuQ5WBVQZWGQgDbw68OfAmvBj3YtyLcSA/lh/Lj2HWrFmzZs2CWv61/Gv5 Q+UVlVdUXgEDlg5YOmApPH/+/Pnzd5hM9a52+lfze/b47+Ivf8TlcpfLXS4HgwcPHjx4cNrf vyf1U/ep4/q9v/9X+av99F3j8Z/1g38X71xxzn42YzvrDciyKNtOv2AI/yH6XsxleOp5si/l CCjN1ZmuMeB5pJRM+QredIg96D8efIKUjo56kPKDbJbYGNx19U1GdkhO9Jaw9wH7/fi8caGg DPA/7o0Ho6M2Rx0PnhTTz5wFynnRJfExKB9qTZJGwbNub7qGZoelH+yaumkutG9Yzs+RHUr0 q3a+x0RIXO86nJALtFO0tGogM8iStADRQgSoVUCOMu64H8JvZS6Wu3gOorrEmLHtISHe85KT YClhv+5YCGqouKl0guTTKXWSPwN3ZznHDAJyKJFaLbBMsgzSdDCnGo2VqUArpYdYBdbZ1lHa OjBXmz+bB8A8KueLgaCd0DaoZUGOklPwB2W8MlqZAHKW/M5YDZziKZNAnBa/iP5grjA3yLWg 9lS7KpFgLafVs80Hda6yRBsM5hC5jk7gjdNHGftBDVHzKp1B8RAt1oHe2Fht+ID2qfZIqwtK gqpY84I2RXUqBhgpxiMjHkQDYRc1gNMYcgBYB2vltBEgK3CTb0EpJ6qJQkBtuQ0fUC+LqWp7 0EaoS83GYAQZVYweIIexxbwCROGUX4N2QotRG4MYJB6zBMz+RkFpBRlp7pS/gKjKRLERiBMj lN9AvaQ8UUuD55S3hGcBWI6qO7QA8FZxn3a9BO9R44hxFrQb2hXtZ1BrqvmEL5jlzJb6T8Bi 8UTzglJXK6A9ASO/uVq+BL8rfrV9vaDmCXqTIR/Iq/pK4whYaloVbR84fW05tThgvnlUPwFc oLO3Jli+USaTBOpiMUvNBdai9oX2iqBVUW4oJUDpIIYpbUDdrTwWUwHo9teF99tzNP5o/NF4 OHfv3L1z94A61KEObAjaELQhCIYznOF/tZDp/AOnup3qdupvPO2vste/ar+pJ9zDLw6/OPwC unfv3r17d8jim8U3iy9M6zat27RuMPr06NOjT0NPb09vTy+srr66+urqMOjMoDODzoD6ifqJ +gl8n/R90vdJ8M2Sb5Z8swTmnpp7au6pd9f7fzd+zx7/Xfzl99A/0D/QP4CpiVMTpybCU89T z1MPGOeMc8a5tHbeHt4e3h4QPi58XPg4GFR5UOVBlSHwQeCDwAd/9Sj++/BX++mJ2Sdmn5j9 9vH4z/rBv5t3rjjrdyxJroVwt8nDV4+tcGX6naV3dkKmatmq+haAlIsy+fULiLwQXdJRAZT7 Isi2HSJXJHUxL0DMgLi8/jvB29Rom+EA2PoEfRb3AJIreXslLoM3B55mTVIg7uTrie4JYI4z bskl4PJJmapWgdeJsZ3imkNEx+jS4ePhbr7wl7GfwoqLh5tNiYNw253eRyaDPZu9jV9dMLOb BfSuINaK/bIVKA+1L5Wl4HoQuS2iIDy+f/PUzTcQ0yZlrjsaEusYU1kI1iqO72x9wDPGW8C4 DCk/ehalZAK9MqVJBGOJuccYCkIRN2gK5kmziQmILqzjPmgHtH7aSrD01z7WJJivzUryN9A/ 0hvpu8DIbAQbjUHWlHVlfzAXmj+b60AuNQeZu0B+KmvzE4g8wiNaAIvoxnpgDNfMJGCRWC8r AkuZoQ8GEcZuQwMeypccA9FFmadkBnWZ+kBtCcoSdZa6CSwLtc3aTJA/yd1UAjbLpaIkKAaT lWsgXJQSu4FRMoVfQBY0x8nboK5QWiuDgI0oyn0wpphLjXUgOoqBigKiu+ihXgc8hItqYFlm 2afVByWLEq10A+t16zXrCZDPcBqxIG5RQTYDGWx+Y5wDPUiP16+CXGs+kw3Au8kY4i0FSUvc 0/X5oC8zxuIP6mt1nTYB0BDiI/A29bbXd4N3tneBcRxkJWk3NoDeQz/kvQfJvya3iN8IETVf XnrSCqIXRg0MnwvJHROaRb4AM8FbLHE7JGVNahV3GuLrx+eI6wBJzqT7yV+A63N3mPcxJBRM 6pMSBAmuxKoJoyDuSmKPxHjwnjOaenaBrbU6y7z5/gL1YPTB6IPRaZXgFjla5GiRA5pNbDax 2UTYPnb72O1j09rHxsbGxsbCiBEjRowYAQ23N9zecHta+5Efjfxo5Edp7caGjw0fG562fb/y /cr3K/+Py/tc7HOxz0Xo3Llz586d4Xa129VuV0tb37t37969e8PkyZMnT56ctnzni50vdr6A rxp+1fCrhrBv3759+/ZB69atW7dunTaexo0bN27cGJZdW3Zt2bV/1ENqJWTVrVW3Vt2CDgkd EjokQGJiYmJiYloloklYk7AmYWmVjNRx/hHvW66oHFE5onJAf7W/2l9Nq4ylrr+58ubKmyt/ X56pb6a+mfoGmu5uurvpbphfYn6J+SX+sV1q5eb37PW2+nlbuX9vv/8sraa2mtpq6u9XuiIi IiIiIiB0a+jW0K3Q92Lfi30vpm2X5UWWF1lewK1BtwbdGgT2KvYq9ipp8dKlc5fOXTqnxUEq uq7ruv7Py/l7ek/VX+odm7p169atWzct3n489+O5H//mRP9n/TVVP3Pcc9xz3Gn9L1iwYMGC Bf+8Pf7IXybtmbRn0h7YtWvXrl270tanJiwNnjV41uAZvDnw5sCbA+/Pzqmsqbmm5pqakCtX rly5ckG2bNmyZcv2j+3+/wplGcpQJs1Pyywss7DMQmi0vdH2RtvT9Pu2vO1x9O/tlJoApm7X pUiXIl2KwPOMzzM+z/iv94N39dP3Zdc/G4//rB/8u3nnxNlbxAj3nwjeqGi7ZQD4ZDA9Aa0g 4zUnmX6AwplCt4Y8AkdGH0tsP0h4rPR71QC0VdYy0dOBx4lDojRwl9F7JTQFYsV3yS4w5viW j7sKvtvsHscr8Mmk1rEOAUrr21y7wLbPr5drJHhGe0pZ3kB4w/DbygVwfZky11UFtNoBTUIO wpJKWx8NnQUJc8L73joD2nDbZz5PwQzV+3p/AU5qg5UAiK73qNjDcvDsyQv/50cgJjYlxFsR jNdKBfU0WFKs5y19wZXo6e1+BckTvMXdTUGUES4xHWRu47r5EgxFr6sXAbMJrc19IIsbX5iP gFiznvkpKIPFb0IB0ViOEavBzGs6zJzAcc7J9mDeNK8bFUEMET0EoEaqKSICFIMatAT52shr VAfjnB7jOQn6G3ON2QxkNumVOYAhMjcrwVHXptmjwLrN0s4SDNbsFmkNAWtrS1FrLRAFzTey HPChLMpCUPuoA9SWIB4p34nFoEQr5ZVRoPZQgpU9wM/48xuYA8yHpj/QhKz0AvOa3CGXAJvE dY4AsWIqVUFDc1nzgNZTK2ezg62+zeaTAo5vHZF+VcHhdvTxvwGOus6dfnXBNsZayLkT/Gv4 HgkqBH5N/R8FNwFjgpHBeALmNe6wH/xWBEwNngVaW1tZ+36QxXjIZvD66h30TGCcNQqabjAj zaqyCriCkm8ldQfvV57AFCvo7dw5kz8G1/aE32I7witHxJQXN+HxZ4+W3LfDo2+f9X9yAcJb Ri6MnQ7xXd1bvYUhbqX7LPEQPjCmT0pFiDyW0sIbAjEtkuL1UxAVHNfNfRBSTnpaGftBeYjF rP/+AnVitonZJmaD7zt83+H7DrD16danW5/Cwj4L+yzsA790+qXTL53S2k87MO3AtAMQ+jT0 aehT2PVi14tdL2Dbs23Ptj2DsPFh48PGwzdtv2n7TVuYmHVi1olZ07ZfVGZRmUVlfn95JWsl ayUrXFh4YeGFheCZ65nrmQtRUVFRUVFwdenVpVeXpm13qd+lfpf6QeXrla9Xvg5r7629t/Ye fFz649Ifl04bz/Jry68tvwY/nv/x/I/n/1gva1avWb1mddoJI/XAnZqo11hTY02NNTDz15m/ zvz1j/t733J9k++bfN/kS5tasG3btm3btsGnyz5d9ukymFFwRsEZ/4+3pdSqWatmrZqwtMLS CksrwKrVq1avWv3/8JPfsdfb6udt5f69/b4vUk/oe7Pvzb43O1iWWZZZlqUl8BG7I3ZH7Iai 3Yp2K9oNyl0ud7ncZRgeMDxgeAAcmn5o+qHp0MPbw9vDC9lfZ3+d/TVMaDKhyYQm7y5f6gVO YGBgYGBg2gXY1tCtoVtDIaFDQoeEDmnt39Vfy4lyopyAJZeXXF5yGVZUWVFlRZW3t8fvtatf v379+vXhQO4DuQ/kTlt/5syZM2fOQKFOhToV6gQZPsrwUYaP3p+dUy+Q1tRYU2NNDRhWa1it YbV+v/3jzY83P94MSj+ln9IPGjVu1LhR47QLzcZhjcMah8G1AdcGXBvw9vK87XH07wmpF1Iv pB7saban2Z5mUHtd7XW118H0o9OPTj/6r/eDv+dt/fR98bbx+LZ+8O/mnRNn+yRvN+8+CF7s v96nKYQ4/PdZuoOS31xrVIC4VUaS4whoTcz7sh4EjtL2Z8gKtsW2VcZFcF1QskdsB08p747Y OPAkJGX3ywA5L/r3y5IA9orygd4QLL8lLlCjwHHByGMrDZYpjo3yCWR4lWWStQSEhGQopw+D MHfwXJ/CkHw2yqJYIbyVa1rKaVhzd0PbL/sCsUkytgaIBZahzuag7ZJVaA4R5581ulcI3hSM aZ7ogtjX+k7zFKgZLULrB2KCKK/MhqS8KS8TOoJ7hZ7gmQ5iuNHU/BnQqSVWAT+bg0V5UIfw ufIRyKtM1y+Ckc38Ro8Eo53hNTYDixhFOTAbm53kWlBsSoISDMqX4kNWgaW39qmoBvJ7Disl Qc2jnbf0BXFTGaFmAOO+mYNpQCZi5WEQbUR9pSowRExSJ4FRWy6gO8iZ5lTsYGzRx3g3gfJa bBc7Qe2vjlHLAJ1owD0Q3UVb0QXUlapbvQF0Ff7sBeVHtZLaF3isxAoLiLniLk1B2cA5FoOq q3M4Ddp6Za9yA8QdWUYMBq2l9QftCmSalrV+ruGQ5VaW5vmd4Dcx4GlILghcF5KYsS6EujP/ mrMqhGYLK5rDHwKvZiyZKTdkapIlNPcosF9zTghKgkw/ZJmdtx0oyzSHOgaMA/oc9yTQR3gj dBPMr4xT+jdgfm3s9h4CucY4Yl4BcwPTlFIg8hBnDgE9yfDXG4CzpP+9wMNgHWUb4GgBRgNZ yagBSQ8S9sddBc9nrlXJZcCcbn5nrAHLPssB2wRwNHfWDJoP9mW2ogFZwPxItHY8gaSR+i+2 TZC43pOZ6SADlM/UQe8vUFMPkGN3jt05dicsX758+fLlaQeYGd/N+G7Gd2ntT3U/1f1Ud+h1 pteZXmdA+UT5RPkExGKxWCyG7nO7z+0+F052O9nt5J+4hZeaAF9cdHHRxUVplb5ySjmlnALa Ve2qdhWip0VPi54Gl5XLymUFKlasWLFiRVhacWnFpRUheGPwxuCNsH74+uHrh8P88/PPzz8P 5o/mj+aPv7//Nq3btG7TOm1cqVNMmu1utrvZ7rR2LSNbRraMhLPzz84/O/+Px/W+5UpNNP5e rirLqyyvshzm95jfY36P3+8v9YQaEhISEhKSdmv6bXlb/byr3H/E31eonmx5suXJln8c9z9U sEpTmtKwo9GORjsaQd9FfRf1XQR5DuY5mOcgTG0xtcXUFv+4v5xTck7JOQWqOas5qznhWcZn GZ9lhMWXF19efPnPjyOV1FvhqRV6TdM0TUvzg9QLsT9rj7+nbN+yfcv2TavA/1m/+D1SK7YP v3z45cMvIf7b+G/jv4XdE3ZP2D0Bmr5s+rLpy/dv5xkdZ3Sc0RF6dO/RvUd3yPhVxq8yfvX7 /QdvCt4UvCmtkrt50+ZNmzfByiorq6ysAm/2v9n/Zj9M2jtp76S9f8Ku73gcbZKlSZYmWf7G vlEto1pGwaW+l/pe6vvv94O39dP3Zde/54/i8W394N/NO89xto3XrihlIPEXt7+lJZgBmr/V Da5Z+ksjCTS7bXfSWJB79dNyFoiy5l3XPHDmxsI4iBhg/Gb/GGyDtMMpi8E2QfnBuggStsQN xx/MM+7mSbvBmKK0dmYBvxFh5WwxkHA7sYxPJXh11PUyqR8EPLGvUTdCQH3O+hwH+/WwoXGR 4God390vEi50Dp/wYgUU7Xig9dLyUK1QvUZ9toH4TPWK4RCe497UJ5kgxpWS7KoG7hv6Vj0P OEr6fukoCuYlOVAOA9dQV4zrAfCEbeI0GOXkFGMq0FuOV56BuUNekgtBDGcjK4FD2OUWkLvM lbIN8Fo0lOtAHFA8YjlofbUG2udgzjdnyyBQpdZC+wTMMWaSuQ9Ef+EUxUBdrW5QWoJ5xjwj jwNj5QEKgDKCA+o3oGQTiuIF7ZL2RtQB/Y0+Sn8GopCaX00AJVmUFTNBmaYcFK+Bl8Kp3gA+ F/15BarQymg5QHloCOM8sFm+JATkYSWrfAKiguyn9gdRRASIU6D8QllygZxPqGgK4rHwWlzg +1PA/YDLYD/nI/13gp5NP2vcg7hP4za8ugKsN6KSKoD7h6RyUVNBWNSs9hcgT5rX9Y6gf68X 9EwBdYAaFjsB/Kb47rMPAHerlP4pdkioEP95TD8wL3pKemeBUUwPdQ8D+SEVzPYgJ4ipykrg ihil3AZxlFeyPOgBxiciCGybnDEBJtgWOL/zHwnJ7ZOJtIB+xQjw1oCgJ/6ujNEQ+HVQjywh IL5Sc/MxiKIa9lugVbKUdZQCmSyLUQ+0JK24dhO0fOaslI9Av+vpmXwF9HaGwhBgy9tG1H/N 9wW/L/h9Qbj74O6Duw/g2pBrQ64NgaUnlp5YegIYzGAGwxzmMAeQpWVpWRq0fdo+bd8/9icu ioviIpjPzGfmM6ATnej0z8tT/HTx08VPw73d93bf2w0Xil0odqEYlNpZamepnWA9bz1vPQ/7 W+1vtb8V+K3yW+W3CoJuBd0KugWfVf6s8meVIXRf6L7QfWmV1apVq1atWhV2sIMd/4/922/Z b9lvpf2OzBmZMzIn1NpTa0+tPUBZylIWsGLFCmKamCam/fG4Um+Zvi+5jB+NH40fwWxltjL/ i29Ipl745CIXuf6L/lIrq+/K2+rnXeX+I+YUm1NsTjHwdvR29HaEz2yf2T6zwcsmL5u8bAKb Nm3atGlTWnv3Kfcp9ykYEzgmcEwgHH119NXRV2m3fgfdHHRz0E2wDbcNtw2Hc73O9TrXK60i 3aN4j+I9isPnPp/7fO4DB7ce3HpwK+yK3RW7KxZGM5rR76BfcUlcEpeARjSi0X+x/j/jjWCC CX53f31ffvF7pCZStWfVnlV7Fuxov6P9jvZwZemVpVeWwsSvJn418Z9IZN7WzqlTgY72ONrj aA+YUXZG2Rn/ReKV2m7GkxlPZjyBxnMbz208F0KjQ6NDoyGUUEKB4GfBz4KfwfNPnn/y/JO3 18P7Po4qi5XFyuK0fv/dfvC2fvq+7Pq28ZjKP+sHa/3W+q31e3v7/lneueIc40z40OgK5jg1 g6c7eD/ROxIPL7dHDkv5FvTvk4SaHYIqq6dCfoNMGQJ+S3SCGm6cE0sg4yHfhgFTIGOjDJ+L 2WCpbakd1R9CQ4MPWYqAs5tfRltf8B1ta8B2iJqfdCrmDOgZ/T1xyyB0cLZpKRIyfBCwxFkY lO32kcyAxHxxXZgMrlduf++n4DnmuJvSGtYFnOu6vjvsK7YzaMlScFd7ueaRH7xo8sTxPAzi OnoCvPkhebfxtTke1CaWLpYfwNtDz+M9AK6RnhTPMJBFGKLOAdbQWakApk3OMYeD7EOs7AfS V56XD8CobUbKDcBE5bnSCsRRdYfyOchFFOMLUFqxQNQC8aN8zUPQ8+vn9HNgDpF+8hHIK/JX eRyMNcZ0cxHgJBkJ5gXzmLkPZG/Z2+wJ6iR1rjIUlFZKO1EP1FHqBGUeKD+LRaIbqK/UcHUH KPuUfco0UL4Xk0V+sJS2DLR8A1pLZbuaD7Si6nQtCjSnVl2rDVqSFmMpCdbK1pu2/WDZouWz +oOcJiJEGFiz2fysGvjU9X/qdxWsA+377DlBNjSnmTMgMe+bpREXgV7e2UnlQLkrsmn5gMny pvIM1Ouc9/QHpaJcYIwHyz2lt1IIrN0tb1QVfGb524MuQHDtkCsZV0DOTLmHFHwNmVpk35QP yF4s770PAiHHpXzzS1eEsGm5Py3xJWS9nWdOiTmQ5Ycc8wofhexl88aXKgO5tfwLS68BtY41 d2BF8L0dPDijG/JX+GBwtZMQlDnMv/A9cCwOfhOSBD5B/n2CCoP4UGtpKQzGU9byBajLtZXq bpABSa0jD0Firujvnn8HKZ2TBqfsAaOSsUj6vL9Abftt22/bfptWCW0T0yamTQx8+eDLB18+ gKs/Xf3p6k9p7VPntK0YuGLgioFpTzWn/l22fNnyZcvTEsJ/ltTtUysVhZMKJxVOgs31Ntfb XA9KmaXMUmZaxWpl1ZVVV1aFStcrXa90Pa2fK1euXLlyBQZcHXB1wNW0KQGplYf/n/+sMP4R WSdknZB1Qlql6cKFCxcuXEirTI4cMXLEyBF/3M/7liu14vL3c9DPy/PyvISvMn+V+avM789P fs9eb6ufd5U7db+/a6+mWZtmbZo2d9G6zLrM+jcJQOry1L+pt7RTK3SpF26p/ncg14FcB3Kl 3epOnTI0r8S8EvNKwA89f+j5Q8+08Ue2iGwR2QLyx+ePzx//7npOfbtH6pSS1LmaqXcoFolF YpH4m/G/J399Wz9423apUzbmG/ON+QbUvl/7fu37oF3TrmnX/ri/t7Xzuvvr7q+7n5Z4pf7N sjPLziw707ZLvcOW+lBj+wLtC7QvABsfbny48WGavKl2rlSxUsVKFd9eb+96HN35cufLnX9T md8SuiV0SyiUvlD6QukL/34/eFs/fV92fdt4fFs/+HfzzhVn++1M4THlQKz01vFkAu81r27v DYm73cPiLBD0iXwcuggKtM68IMswCL3p2yLjt3A7wtLjRRC8ir/f0cwI9rNKqYCOICaK5OQ6 8Gp50gtjGGhnY8tbt0Bw5+Bh2lnwlAte82YkhEc+dqScgAwtHHX9p0NSRf8qXgVISOjt+wP4 DfD3yNlg6xQi7BPB44z47vVwiD3jrfxqFpyocO+jIwXB2J4UZZkC4eviK7tWQtJLt8N7AUyL yGmuA62G9qE2Blw/6Xk8TcBbwqjt/Rr0mZQV80AMMxaZvUE2EJvYCnKVnEQ8mPPNkUYoKCuV nGIXmC3M3sYe0EfqX+lzQRugLbSMBjFMXBFVwdhgLNBnAvkUUxwBI59nn3kBuIakLih9xBTR BkQBESMaARWYxGAwfpFNjQxg3pFr5SaQjyklfgRznfyQWFDXis/lbWA1kxgJAnFJvAZZT9bn DRjH9Xn6KlC+0MZrp0G5oRwVbmAS2cRJkB/Jp3INiMlCUQsDD7VQZSVowlLEmgSWebbnjtYg 74kF1m9AuSvGaRXANTEpR2JrMD9gs2c7yNJqWWsSiCjFbV0A2ibx2DMZNKtqVcNBbW075FwG IoflsVWCz9c+uwP7glpf22mrDbqUQ8wEMHvQR3wJ1tc+C/0HgriMv9IQ1L5aa6sVaEdOtoP8 lWC5HpQwspo20BTLXetQcA1LSUq4DNYCql3vBwFd/X/N9hOYE5hqFADlqbpcLQ5ypCzHETA+ NYWsDqK92CB7gL/0nWW9CvpF10D9HLiea2HWs+B4ErI4rAdYwhxzfKuBGC+GKFOAYe8nULud 7Hay20noXap3qd6lQIlUIpVIUFeqK9WVMGbRmEVjFqW1H5VhVIZRGWDq6Kmjp46GZnea3Wl2 J219kR1FdhTZkfZwyx9R+Hjh44WPQ6dznc51Ogc/8zM/A5VvVL5R+Qbc9rntc9sHsoRnCc8S Do5YR6wjFiJzROaIzJE2tYOSlKRk2sMvqQ8Tpj4FX9osbZY20/Y3a+GshbMW/v8F9d9l/Pjx 48ePh0lfT/p60tfg2ura6toKjlWOVY5V8EXWL7J+kfWPx/m+5Rr14agPR32YlmiuC1sXti4M nIOdg52DYWzmsZnH/gsS57+31/hK4yuNr/TP6+fPyv17fvJHbB61edTmUcAoRjHqH9efmXdm 3pl5QC1qUQuuV7pe6XoluM51rv8X/aVWuO7MujPrzqy0E6+nj6ePpw9UMCoYFQwYmXNkzpE5 313fqQ+PTdYn65N1aJCxQcYGGdP01Xpn652tdwJd6UrX9+evb+sHv2eP32tX5HiR40WOg72y vbK98j8/RePP2jlny5wtc7b8x+XWqdap1qlpv8MmhE0ImwC9C/Qu0LsAvHj14tWLVzDz+Mzj M4+D5QfLD5Yf0uwwdPrQ6UOnv72873ocffjhww8ffpj2MGVwruBcwbng6/tf3//6PkT3ju4d 3ftf7wepvK2fvi+7pl6A/bPxmK1KtirZ/ou52r/nB/9uxH/MZZOyQoUKFSpUePsOenww9n7x vVA6MN+u8vXAFaVf8PwK587ceX7qCgSsdw70GQ2Zy/hXyPYSzFfKXks3ePP81UcRF+DOwkcl 4hpA6MzMJy23oMSNTO1znoMnzd70dnvBvwU1zP4Q2VKbGD8UfGzBQ/SWoNwwKsiF8GJVXGl3 LQjqLQ5lWwDm08Txyb9ApmlZRmeIBf+b1l0pdyC2ZJLD5QbvVu1A7HTIfS24ZMU+UOBxsKuu A7ZfXtJnyTK4UvppicfXIOVT2dG6BMLOZBufOwYSo5M2xm2GZ9Ne1H+yF4z8Ip/2EMzjhk12 BRTyyOsg2nGTZWCGStMsDHKfPCu7g8glmot2YJ40D5g7QcmpDlYqgbJWXFEXgrxjfCFfAg7R V74A8xO+FpPB/MW8aZwF5VtcNAbKyXWiOYjKygUxAoRbuYsOloIa9oYgHoml9AFljBIhb4DS RzmgbgElXN1qmwTaCe2B2h+0EO2OrTPIKeQ2N4C8IVOkC+zH7Vecj8Gq2TI624D6XCmqlgIl ozrYehYsidbPbVlAidFeqF3A2C+6sR2UsuKR5Qhw2ww174I7wlU9aTawi4nGJ+DoY+9qfwXm KuOspyXoY1wjUr4DraK2wzoYRDnLTusYEN+rq6xzQS5gldoNTMMMM1eDPCVCNAXEM2W5shfM 3eZhfQG4lqU8TegAii97ZDzI2vgrncEbYTZWS0LKhIScMRfB3d+bkvIpBPcOrhTyGfh+75sY 8hW457p9UoqCftZ8mTwBLMuU7eo+sOR1DA+uA+5od1vPagj8woG2EJQD/OAdC7E1EzyJ34K6 wfrU7ymo+ZRGRINykKt6XshRNmOczReW2JdeXvzLvz+w00knnXT+LKkVyMvqZfWyCt91+K7D dx3+/bfE/6eSescmtYKczv8Ozp49e/bs2fdQcX41MzaP6oUzPzwIu30G5G7Pk4RREDLA51un Hyi63wnlLES9tt6L3AoXE85GvrkIvhUcp8RJsLWSFdQ2kGEuQRkmgJrfN6c5AfJccaqWy/D8 7NMn0XGgb7NOScoGcf2T53lrgJbHPO4TCs4hqrTMA08+d4JcBc5tgYPFEUjMK5a/bAGv/GJv 6YXBtsvW17cY+A03c/hOhXIjCuyp/hwMJbalbQrEZI//JWEcuL4wyhp1QNmsVRIfgtilnpWn wW1xf+RtAkYlfZm0gIzUipkC5HJzgtkUZIjMJq+CrMBgmRnMs/KYjAb1ppinWoBsHKY5yHzy EVFAT7OXOAjGWLnZEEBNXBLgjmwgZoI8L4KxgTJQOUZrUELFZ+px4Im8LWJA+slT5jKgpSgt KoDxgcxhZgNHb9slZzCoU7WeqgrWcfZPfX4D/x8DXob8BuKg+Ey6QBku+lkUMK1GV88qME3j inkCbL/ZrfaFoOW3DbUvA/lEdLA0AzVZHaEKsJxRt2ofgR5nFvFUBuE26no+AllZGkZ1UKpp vqoHfM74jfZJBHOgd50xCog2O3m6ghA8YyjYbvu2CvSClllrpoWA2kv72f4EzBPGT3IYiDOi ibwNZkuOyUmgN9DbG9XBvKGfTykM5mp3keQjYK0nfYyb4HloBBEL7q+8C/WcEKtE/xRTGJJm Jh+NyQLaAJrIMaArrh5Jv4JZJct9sxPYSzgK2r2gH/IYciuIsso2OR+8m5KyxI0FOU32VIfC m73uqkkuMJebBfUWIHpaL1j3gjWLMdm1GYyx+m/yFQTm8J3hWxq0fjjV28DyvzrU00knnXTe jt0Td0/cPTHt/bpT506dO3Uuv1/iTyed/0O8c+Kc41Wm5cqnENfddSqiNwQcUFc560CGjpqP YyXEWJKzJTYA9yjtF/1zKGYWCPI1ILmcsUT2By1e3WyfArbXCTcto8Esn+Ly1oVAM/Cq79dg T3G1NiaDj5+YkXUUuNfbP3v9EtxXjdkpJ4H93gaOliAWMigmAlzl9a7addC2KsU1BYKGhLQN PgGu285rrsFgjokZ5LgCIV8FWHOFwK+3TnU5dhg8p5jPXtA76N+Z48Gy2VpMtAUWijYEgneq MVAPBmugw/SZBZYbziC/WNAjvEPlHeAyDhEA9okOu/MC2IbZrtuLg1nA+E3vA94juvSGgXJX naD2BSHprfwMxjyjg/4JKFeVD2UyWO5YI/2qgmkVD82ywBoZITaC9qOlrm0V8Ebm5QgYwd4w 9y+gDhZljBKgLbN4rQVAi9QqWvOA+qVmtWjAUkUoX4Iln2WcswmYvyKN/aANUnZrn4DoTC/Z EdTy6nw1CIxPzAt6DuArHil9QIwXG7gCbJM15HOQzWQfvRpobbkmD4DqsPZ0lAEjVrZRnoKY ozZVz4H+ibeGtwfIH4ihElg/swy1FQPHYXt760Vw39F/lA3AXGYm6BaQg8xvjVBQfhOtcIOI 5r7hD8YHJCk9wHhg9DI7AGdlNZkbfE/5BDtfgPxR32F+CxHnI+2RIyHa8Wbgqy7gaeWulvgQ zBPGQbMppFz0ZjOfg7mUw4ofRF2IbBUxAnzmOgcG5ARbB0cG398g7kzC19G5wP6h02stBeKZ OtG+AbwJ7mPuWmAbq/pZOoHlqP6rchaSY7xZk+aDM49vkYAVEDc3oUuiD/heUgMtU986nNJJ J510/nKavGzysslLaEIT3sPb+v7Pse3ptqfbnv7VUqTzr+Ld3+N8ICGDKyvk7BK8LjPgW8BW 2PkEEkup8XowqAv139QoyBCu5fGpCcE5c14xPgN7BXtmpT6ENMkaFnYcolRLeGxheJX3VSHr L5D3vn/xEiGQUc1UIHAZZHD53XWbkKGDLSlTL1C+4mNrA+ABa+VO8L5JaSNPgG2s5UetDzhz 2xqqM8G921719UKIbhZ559EB+KBw7geltoIYq/jRAJ4Vibj4oD94vzSvGw4wb5nV+QnEF0oD JQ7MPGZu0QuUKK2z+hICy4ecDN0JobkzL8/tC1m75L5fwB/CDucsk0+HoE4Zn2WrDz6uIL9M y8F3XobPsjwAfzX0XvYmEPhLprK5HOCvh1bP8SkENM/wQ9gK8A0MrBfqBL/OQfszbwG/kMA2 mX4B/8tBN0LLgqOi382g5+D43K9D8Bnwyx80LONhcI4K+D5TfrAu8rkVtAXUMEdz/9ogSlo7 +uQE6wF7Sd8DoB61xjvmgrW27a7PKlDHWV0OP6Ch7Ufnr2CuV2qqc0CpoB6x9galpfrcYgHb p5antjVgf26PdBwAo7V5xgwDMUmroP0Aoop6UNkLWoQlTN0BIlJEKEFgn26/7BwPPi18Mvsm gN3pYwn4GGRPkdWyC5SBRi/zOWhPRCTRwG7zA5cKnnB3gbhG4Mqc0idxHiRVj1sUOwhcHVPa JfmC8kxZrswBZaW2xzoKjAXmVE8VCO0QeMWxDDLnDykQVBOUT5XlNg3sT+ydHR0h8/2cvjmt kPFK9nPZR0Ngo8AKgbvA38e/iG9FsDy3PdIyQGD9wNLBLyCkVGCPTLXBaijXzaOg5dcuKCXB vKJ4RCwYs8QAfRjY+lrraCuACYymCehjRG82gncIO/k//InXdNJJJ53/q2R7ne11ttd/tRTp /Kt454qz5TP928CxYLaOPmppCq/buZelrAMtJMiVUhIS8nDA2APGkYjv3IchqJxzoRYLtm3q z4ovxI6VJx8lgiNDQG/nIUg67poavxbOLblx/gKgfWGdqPYBxwH/2nwMrvEJcXoT0MtQiZ/A J8r3pVITLHVdp5wh4O2Q/MSTDO7MQW21hmCZlOzv+yGEWLR5sgMULJgta8VGIAelDFdSQNtr HhVVwd1I72PkBG8R+Vx+Co5m6ihegCzAalkayMNZbRxo56zL/T8Bo4q5wfsavIuTBydfA9lG NpbXQflBG2TtC+pZ6wPfrKAuVYs7loIyQG3p1kEO1K8bjUGUpZHRGkRTNReVwZKorvBxglwr f/aWBLOCWdMsBkp9YdEWg5lCMaMeMEnUUY6BPcn+sZ8FhE2uN8+AIfkCH+BbUdQcC9oH//HW DXWqmCQ7Aq9wug0QrVmlrgJxiyjZArQWZnP9ZzB1T3ziLKCJ8oX1ESj51FjtUzAm62F4wWxD I3oDk2R/2RioK/eLDGBcNRoaGcGoqD9IGQRGA30Hw8Bz2/vSNQWSZ8fFRGcE2037TFsnsHe3 93ccAx8tYFtILxD+Yro2BZQ+Zkf3SDCHyV0iD5iX5AA+BtskNaNyDJIruKt6+0KMNW5LQhLg 8mvumAqWW+rP6gLwPe/3S+B1CNgf8n3my6A6nK8yDQLliZaJRqB+YBtiKQ/qXGOkBGQdUVpO AWWO5muJAgy1v2MoeINSliRtBdfZ5GYJNgia7NfMbxuo+dWi1u6QPNb9XfI6MNoRoe4DvaBu 8DWoedXKdgHqMussCgNFtB1aPwA6/9VBnk466aSTTjrpvB/eOXF+eSn6p4T58Giseji6Laib /YryGdi7Jtfz7QSm09VNHoXErR5LShyYLtdre0fINMHxOKcTor5JjLlzDfJWtXWz54XkDFo1 LRvEjnPnMzqDkZjQPfkI+BXL3sszERyN7T+7b0HSL1cnunaCt4q1qKZDpjV+b4L6g7MF9e3r IUMHdZ3zF0h85ukX0RxqbCvtrncPcu/OMKTgRnhsv/38TmZwfyqvmAoYmcQIozAYK1ml3wZZ 2xyqHQCZVw4V9QCX8FfzgvKhZYmjCsieSk7tJthKOub43QPvOm8ezzTQ6lszadVAqSSeag3A LK5XTqkLBBJhNAK+MhPFaFBuq61FOyBczNZ6gXbC2sDRF4wNMoZdYM1rnWxRQN7R4427IH8y 2vAENI+2SqwEz0/6+eQIMOfIZ7YhoE1nqPwJZBtjcEpl8JY3r3n7gGe8PsGVHUR95bicB/ZB tq2+fcA1wx2WPBLorOSmHmjf0N4WDeTVsnjzgPAxutEdVF3Nog0DY7Dh9rYH82P9A+99UEsw y7wNrh7JxRKbQNy6uKpvDoO7p3u6qxAYy/XqrtxgzWrpoA0H93T3DVEKkkLihisjwH3bPS6l B5gexbBNARqb/b29IKVBYnziavB74X/CbwnYnvgRfAhsK2x3baXBEmzJbTFBPyIrGmXAkd/R 3/4laPUd3Xwfgf69PEYOCLmfpbZ1JriXJO/xfgbeGt5I1yYQ4cLtLQXudim1EquCOYET4hQo m5RfEtqAu1pKnYSa4Fc2aHiABZwDfKf6noGk/PFNEm+DOGYk6OtAWyOsBIL7Y7eNeuD5OOVc 3H0wPWpGUsBvoFrIJ8ufDKp00kknnXTSSee/Je/+OrquzuaJDcGWYi/k+BxSYvU+5n4IqG+r 51MC8u7PVd9ZGO5leXYz+g24TiX/oD6CxJaukIh7YN1h36iEQezhxGBtM+iNU+YYtyHpgVIs JRs48qtF/U6AuPVsS7Id4jumvPJq4L2t7/M9Dm67UdKVEXIkBe70PISs3cpXDNoEyiVH05gP oWgfvUm5J1C2YcFR7RqAs7RvsdBIsJ+U+r1wUFtf7iGegr5SHyxeg7rfzCFugNFOjPJMAzOb LG72A9rKNUYOkCvM7eY9sHxjKaA1Ac+nZl+jOKj17RPsMaBs0+pbPgIx35wvd4HopGfxxoJ+ wuhiXgdTkZP1i6DekBkt/cFywvqztQB4N3r7GxOBDWK/0h/0456W+iJQ2pJZWQPGx94XcUvA UyylgKcTqJ3UN85JIMpZ8yuHwCznjXR/CXK8kcdbE4w7XDeXg5JDpph+YL1lWW8dDy5Lil+S H+hhepXkQ6D11NZbQsGzzrgivwXPDvdub16wLtQU2zhQLikl1DNgLNavuA+BvZDlmroPXDGJ A+KnQ2KnhKbR48FcoC8xHoLe09Mn+TdQ3UqM9huYhckjLoHeUz9k2EE0lUO82SB5xusGLzWw ZXKu9XkCyn4GCy8Y4d4UbxxENX7zJmUXONt6RxlBoM22VLMHgjJS2aktB1sn2wSrHYz+Yqk2 DOLLuycZI8AMkr/hAe9cfYI3M2izrNu1ZyD2GV8pFcHzlfdX/R54BniGesaBu35KuYTDoGbW 9tiGgOpVMsrGoH/ukZ7B8HLNq7uvAyEpKF6JbQHWAmp5mRds6+z3fXuApZ422scJ7gopd1K+ Ae2p2sUGKLvMc+7yQFPgPbwnNp100kknnXTS+et558TZOKuvtJSA0BuOYnYTXsQmtPZuAU2R dkcLSGnt7WMegpSvY360CPC/7J/HPwke9gnP+OwpeFulJKpdwc/Hb57eEaRqPlZHgHhodIyd C+YOdZx6EKK/eTFFqQSZPgv6yb4MfGtmX2mWB+VBwgBnL/Braw1P1MCb50kJcyJ0qNe40uSP Id9POSvXnA6eAD0fX4OaW+lvZABxPHqS33Ng95tfvHnB2t9SzvoQjJXqI/kSlOtGV60LiP0M FifBfGCO8h6ClMMJ56OqgB7kqeIIBKWPEqVGgblZe25vCOYTbbztR5ATjWqyINgW2+vYS4E1 SJ1m/RpS8rlax58C2YSh+IH3urHX+AVUYemt5QAxw5zg6Q1mbU8793XAobZTR4IrOfFcwm0w Gxv39UdgjbQXkbHg8SY+fF0ZbPPt1e0vwHeqf9eg3qAeUUpYVoM+ynhg2MBT17POVQjUp5ZY ZSaIMlw1DoEyX1tquwfe5tKRcg20ujRXOkBs4+j9EclgqavGK+fAzGze069ByiJWSQuY1c1p Rl5Qv1YTVD+gC2eULiC6ih/RQS9ijjROgeqvnxdfgLeuvsDIB2Yzc6d3GpiR5mMxBMxwVomR QEkaiNVgvW7ZY/0MjIcclxHgHSKvIEEdJBoq00EmS2QlkOFyt5wLnqbuGO9cMNsoEYYHrKOt Z22PQA/01DTjwb1ULxs7A0SEvsVbAZSyag/xGLQZwq1lAW16QLPgCeAMDHRnOgI8ND+Xq0CO 0KfrVcEs5PnJmAyOOc4NmCA8VPSOBjoov1qTgCZihdgKfrn9HgZ/B95D7ntGKYjv+sb+ahgQ +1eHeDrppJNOOumk875454cDtQb2G/IoxNc3xkf2AX2155T7PMRUis6c0h2ue+4OS8wNSQ1t O2gAbx556r+YCmFZgrbIMMhcJMMdZSkkvXZOTb4L7GOl7AxKdzXA8hiCu1oOe6eArblawBwH j6slBsbegISxScG6A9ydmOkuBcWfZhpW+xkMKN565rqbkHtijry1V0DyI9dDry94snk/jPsJ nj98Xv3qMohqfitr+FDImGz71lkObJo6U7WBMlg5yUOQD0Rr4xyItcouZQ5IzYzgCcjdRgt9 LmjD1bXWp+Dc7XcxUzj4fhX4VWgZcKg+yT71wHrB6bGMBts92wdqSRBIZ+JtcPwccCSwNPje 868a3BKclx3VbbnAFqTN18uCOgQhf4X4EXEfvTkOiWXjd0ZXA+Un9YUWD3pDfY7XASnl4iu8 coC5R2/gfQhygghX/cFoLQPMVaCP1Hu6LoA5nfXyPtjL2S84qoCWw1LHuh+0XywHHadA3lB+ trwB+aWItUjw9HJV84wDva53oKcsJGZNeBh1EVwvUzLEZ4LkBq5piTVAPhW6uRrMtfKe3ACi idgifYDjtBB7wPQ1WhprwZxsBHt1YLze1TMMjAHeEboNzJfmCm8L8B7yznR3BhlkthV3wF3G O8VTD6xD7Jd9+4O2XfnSuhF4Ib1kB3WHVk/rCt5zei/9e/CEe9aljAZzgBGj3wWzPN9SCSy/ 2kY6IkA9af3arxSw337e8hTsZZwFfGuDc1HgswzPwKe6f/7QrGDrZYm3FQTLBMsrWy9w+3ry G7+C9qnSVG0Hzk3OR/ZW4JPXr2VQFATUCLaGdAWfqIBq/vFgaWtvajsO2kHZwlsY1NW2ypb3 9PGT/85Mzzs97/S8/7g89T2m/y5Sv+Q1a9asWbNmQS3/Wv61/NO+/JX6YZPnz58/f/78r9ba /xxWr169evXqtA8YpH4BcuDNgTcH3oSoHFE5onL8++T5V/vV7/nz/3b+3fH672Lr061Ptz6F qW+mvpn65h/X/3fz73T+Z/DOibPLZhsVvxccfoHnfJ6C5bFPKdkaEiON8jEmRH0W/f2b9ZBt kSUx4BzEVowvpKwH35y2/Vlygk8O+7fKBSiQM+SJbzQExPqkKIsgVx+/fpmmg5agFVa/Astl ucK6GLRJXndAIYg69+puYmP4YEaIteAX0PZOj7tTz4BzRoiWNR+4f3DFJM4BkVNG6qUh7trL 4Fe9Qe3ivRdwFZQ1CWHGAsgcm0X33wRKE3HfrAzqE/WR7SXIIUYbb0sQYbK6/hHYB9meWGeD z8ygWaFdwL9Rpu5ZfwDbPP9FfhlBTbA9sZ0GS1eHy7ke/M4H2UOXg6eHPj/pJSQ6486/2gbq ee/8xC7gCUiuF7cA3IOTc8dVh+SSiV/FHwIscqN5Dnx1v2pBI0G9qc5jAyi3rcvVhmDd4XQ7 /MH+pWOvf33wXRkUkzEMfPL6+PqeANlLdxubQBYQ/dXuoG3TktT9YNY2e3rrQNLQpBHxX0LK IrdMLgXR818NeF4OXpx9XvDec0iZ6noSfQDcH7jKpSwEfbd3n1ETzE3GMbMYsEYuZTN4Snpi PVPAW8areC6DYTVK6nlA6a+EKo1BVBEW0RvMdpQXvwItlFhlFhAotog1oE1VB1g3gnpEjBJO 8Jb3Vk7+AJTDajbVCra9ttw+10BDrazVBFFMKCIZlPlaY+0IqCn2VfbSYH1k7W4PBbWn2lIZ DbKefkBvBOKUjPPeAct4W7JqguOAs0TGQWA2VWar7UBpb51vDwdrRkuQfSoYmzwXPQ/A9VXi 1riLQA051/sCqMAoV1dwW1yN45dA8t7ku/GtwH3cdSGhFrgvJk1OeglmP+/OlFiw9XB+ZfkA QsaFvMr07V8d3v96Uj95+1dzYvaJ2Sdmp50Ie57peabnGfh06adLP10KZ+efnX92PnzT9pu2 37T9q6X978+xY8eOHTuWdiFS4/Man9f4HIauHbp26Fo41e1Ut1PdYEahGYVmFPqrpX1//Hfx 53T+HEfaHWl3pF3aBdC0g9MOTjsIFxdeXHhxYVq7/6v+nc774Z0TZx/T3S/jZAg0fa05b0NY Of+TYY2g9t2ca8oWgvrbazwqfwaChwU9FClQ5ut8h7J1Ablfq2t4wPehz9fB9+FpvsRZSc0h LneKj6U5GGXF8JTcoGwW6+zJkHF5YMHMdSHbTdUvpho0vFxoR8nB0NOv79U59cEVJDuaVcG4 6nmYMgC0OVqM/TikTEgqHh8Ajl72JcpZiIl+lv9FcbD9aLVbo6DwoNKRZQTYemo/iA9AKya2 WaqCbG5G0BGMSNFI/Q4UU/vVvhKUbcpDcQfkCyO75zcwfDz25K5g/Oqql/Aa9GOu1om1wJM1 uXliI5CGkdmyHJzzfczgleDOktwv6S6kZEx+E2eA8a3+gTwDSkulvrUMuG8YY1LGgPbQtkp7 Bs68gZaQBLCd93nqNxn87gfHZXoAjqSgnzMtBssO2xuHDnqSrugfgznUuGAsAWGaD82vgYlG SaMSeDyu9a4RYO1vq2mpBdplbYclHvzGBW8P6QdhtbI5Co8GvyE+v2X6Aswf9JEpDcD4wNjs XQDugZ4g93XwqJ4z7uZgbNMX68fB9EqplwHvcL2rdxLovuYhAzC6U0s+AyNFX+KZDeYL46Jn DahJyh4xE5Sr6h5LK9ByW2N9V4NfcIbKGV9BkBnySbaMYG1mn+1XEMQi+0zn56BmsYbZ4oAL xrfiU7B25gPrCJDZRZS6CeQknGp+UB9pv1h+AVlKHhF3QTlp5NNfgyzuHeLVgEpGPeNXULco JZUMQJz6mT0PqFOtN2wq2Nc7j/uMg9CPM87JXBns/R1fB4SBb++Ag5kqQcCagMuZQkGJ0ho7 74C4qua2zAPrVdtpnzZgrtVGOvKApYh9o7P6+wvU2NjY2NjYtE+mNtzecHvD7dBsYrOJzSam ffI1td2+ffv27dsHrVu3bt26NbTI0SJHixzQuHHjxo0bw7Jry64tu/aP+/m9ytPfLx8bPjZ8 bHja7z4X+1zsc/Eft0ut9DTd3XR3090wv8T8EvNLvP34W01tNbXV1N+Xz17FXsVeBdoebnu4 7WHo0rlL5y6d0/SUiq7ruq7/eTv8s/r5++UzOs7oOKMjNAlrEtYkDL498u2Rb4+k2S31vblz is4pOqdo2vZ/1o7vqs89zfY029Ms7fcn5T8p/0l5qNC/Qv8K/WH/1P1T909N+yTxu+pz7qm5 p+aeSrNXlyJdinQpAs8zPs/4POM/bvdHfvW28fJ7/vy2/UREREREREAPbw9vDy80b968efPm aXb9Iz9ZdWvVrVW3oENCh4QOCe8ex+9br4mJiYmJiTB48ODBgwen+XPqHZ1UPfyz43tf/prK ae9p72kvvJr0atKrSWlfQPyr/Dud/528c+IckCvgoDMXJEYmnohYBZ7LSXei2oJ+Abw/wNhB 3ZLWlYeP2zTePWA9hGb0809Jhnx9stbLMgyyLNA+9TsNmRs5W1pXQIYcGTsbJ+Gl4Qmy3oKn HybejZoMSj53mXv9oIFaztK+JnTp2FeZWxSUFgEl/QWIkt6v1WIg2qlB6g3Qb8pRxkmQ/ubH nieQ1N+72PU9xPZ8+TpiJOT8ruTJaq/BZ2FozhxjwZFgWatlAntezdcSCEYXucOcD4oDH+Mj UCeK/uI4uB8l13e9AXd+1379Gcj55nVcoEt3sHsDSJte3TsLjH36N54boGUXG4x+wD5rFUcM aHfs/r4WcOCs7u8APrSeUQ6BdYejquMX8A31TwguBY4LPrsDJ4FtnP173wiwhMv6Ig/od1J+ c88FMUqrYPGCus9az1EVLPjagoPB+rNvwaATID5Vt1m+BM8cc7XaAizNnfEBJcH6q/NIhmHg tPr3DzsJvof9CmQsBL4dg8qElgBnu6BxmeZD1oF5JpX6EkITsy7IEw7BOzONyOEPwdsyncjx E/i2D4rKXAMshW1JvoGgJFrq+cwBv3oBBzJVgKCFGSpnuwaOPr4rMmng9zA4X/afIaRdttFF lkNInhztim+CYJE5OO+3EJIt08h8j8He2udkxskg6ihl1eJgqaP+Ij4GZa50Gr+CsdeonFwK Up6kdIr9BLxfpnSPnwvM0mu6OoMR4mmfHAZKNhlo1gKjpr5eyQ5mdoI9C8FsKctbFPBU9GQz osC71vNjUi8w+nk8KZNAKSgLmXVBLOQO84DbwpTtwVPcvcvTGPQd3ih9NcgcpsecA4qPMkb+ AHoB9yZjI6hWfMRFcOa0WGTE+wvUaQemHZh2AEKfhj4NfQq7Xux6sesFbHu27dm2ZxA2Pmx8 2Pi0iurae2vvrb0HH5f+uPTHpdNuWS6/tvza8mvw4/kfz/94/s/LMzHrxKwTs6b9XlRmUZlF Zf6xXa2atWrWqglLKyytsLQCrFq9avWq1e9PL6mUu1zucrnLMDxgeMDwADg0/dD0Q9PTEpjs r7O/zv4aJjSZ0GTCX/BFhzrD6wyvMzwt0Vk/fP3w9cOh3fR209tNh6X9l/Zf2h/Wrlu7bu26 tO3+1Xb8PZ49f/b82d9MaenevXv37t3TEsH27du3b98ebjtvO287331/IfVC6oXUS0toaq+r va72Oph+dPrR6Uf/sf0f+dXbxsvv+fPb9jM9bnrc9Dj46NFHjz56BNu2bdu2bRtk35t9b/a9 /7w+1qxes3rN6ne3//vW64IFCxYsWJCWwO58sfPFzhdQY02NNTXWwMxfZ/4689d/fnzvm9Fb Rm8ZvSXtQvX3+Hf7dzr/u3jnhwPF2uCDUcvAXtmyI6gtJG+M3el5DrYXLHD4wO6Ju0bMOgbm FlfPhJGQ/0nm67WmgzXJvcwzHB7pxokbk6HoTfuYamGQ/LXwxFSGo2Hna0TnhoKVQkbnGg5d V3dt92UuyHI2/9qyNvD0837j/Qn0rp4d+hJQHqqv5UlQcpJJjQZ9nTfMFQhimBlpeMF3lX19 cHXId6fsT9UKg/++rM6gEpDULnKWezJkaBy4368iaPWifkjuD7K+e53bDfKRuZayoFzXhqmD QcxJOew6AimfJNSJXgAer7Wn8zhYimsvmQcuM2WGax1oDbWrlqugRskrMheYY6XbqAdilwgR W0F/qdf1/AoWq+WqzQHGF651CWtA/yYp1hgCQlefaOvAOsje0/dHEEPV25aioCbYvleWg35X X+ruD1QyrhvTgQXyNyMPiHAlk7YMjLvyjToOlHzKKWMUiA94yiEwHup7xBVQQqydZFZgr3Ja nQbmHD2PcRe0O9b+1u/AJ7tlQ6YZ4GxpRoYmgdLT4qe2AbyeeSlXwTvb8yrpM+CcMVl+AqpH 6y76g5wvflbKgmWKMk6sAumRPxqXwKgjFVEaQOhqRZD+PFM6gd7AbEdRMFrqTndPsBWyvlCK ATeM7hYTjHyGy10O7De0ME2C8bn1sL0hKHvxMwH7R5YGYi4YF81rsi7oUg81o8AsLqKMEFAm Kesso0AtqxV0BIFqitvaNdAClNp6POiFva88Q0Cs5ws1HLQyag5Lf3B/5L5qdAJXtOeOoYLS RmlomQOGahaU24Gp0iWug6iieu3fgbhiqW72Ah+v2kTfBHbD2lWN+c8gaffugXqq+6nup7rD zsw7M+/MDMrPys/Kz2nru3fo3qF7B2jUrVG3Rt3gaP6j+Y/mh0t9L/W91BfWx66PXR8Ld8/f PX/3PJiNzEZmI6AXvej1rzvApJ5gLSGWEEsIeOt763vrAxe4wIXf3y61wvRky5MtT7b8fr+p XLhw4cKFv+kv55ScU3JOgWq7qu2qtgt+zvhzxp8zwuLLiy8vvgyjGc3of92w/4ES80rMKzEP xGKxWCz+L5ZvFVvFVvCW9Zb1lk3Tz9KKSysurfjudnxbfeaOzh2dOxoIJphgGLRy0MpBKyHH vhz7cuyDTt93+r7T9zAl55ScU3LCdraznT9PkyxNsjT5m9c3toxqGdUyCn4a+9PYn8YCJzjB iX+U9/f86m3j5fd4235kKVlKloKJ2SZmm5gNuMc97kG9zfU219sMU5jClP+HHtq0btO6TWtQ bim3lFuw9NzSc0vP/Xn7v2+9Ho0/Gn80HtZdXHdx3UWgM53pDC0jW0a2jISl85fOXzofaEpT mv7x+N6Xv/59/P8Regm9hF6Cf5t/p/O/i3dOnH+z/tbKo0G2aP+2RnuwT1W+NOfB6fXPC106 Bb+0ftTh2A7IfzV4RdhYKDwu380i2+F1D/xfrobLte+eez0PsjmydNCTAEeSr8sLHxQt8Em+ idA+a7sVgxpAkCVLUOl4cG9Nmpx8EIxEyxt5BpS24or2GcivzVVGA1AKabnoDUZbV0LyPWCq 9tJ6EZQDyhqfA2Bccs16NQ+836V8YZsAIXfC/HJ2hewJ2edlmwAXzMffR+0F5bTHUFqA2cns ayaCVtdS1vYNiH3eHN7FoGawT7Q0BksTpauIBr6Qyw1A7KSw8hQ0zTLDvgnUuY52zjcgaumd vAKUkeZQ0wbiJ5eeXB28ud1PXXPA1Mz23mXgtekrXRpo8WonZTXor8xw8yJYqjha+RQGpZR6 Q+sFsqjZXXYG/bbQZAGQlYwS3sVgL2+bpYSAY6K9g304yEipiu6AVfqbA8DV3zsn5RjoxV2N RBtQ6lgr2YeBck7cUbeAto72TAHrZVukDAexg/lmKMS2SPgwKRvw0ngtV4J2WYuyHgIlzNpY vQ/G567JKVdB7jK3u4tB8lzxkIOgGvKcng0su9UDWiEQ1+RUMyuoL6lotAHlvqxgFAM1QP3M cQucydoItRaIadpj4xDIhsSqnSHgA/+igdHgyq6X5zoYocY28yFYM9o3aHNBLpD5jTHgbeVZ RAq4o7wr3N+Bw24bpzUFcUKYyn3Q93u3GX1BO67WFFtBLWDrabeDeCTzyjcguihlxWvwSZSF lN8gaKLPEb/h4NqovzAOgV7edClfgiygP5FlQL2uTjEXgpbBdsRWGvx/sZxVR4JV2oJFRQA+ eR+BKkvL0rI0aPu0fdq+f1wvLoqL4iKYz8xn5jMYbA42B5sQui90X+i+tEpS1apVq1atCjvY wY5/Yr+euZ65nrl/Xm7LMssyy7K3325OsTnF5hQDb0dvR29H+Mz2me0zG7xs8rLJyyawadOm TZs2pbU/1+tcr3O94ObKmytvroQexXsU71EcPvf53OdzHzi49eDWg1thV+yu2F2x7y9x/mf1 8/cJ8x8tTyX1lvi72vFt9Zl6y/5R30d9H/WFShUrVaxUEey37LfstyDo06BPgz6F1y1et3jd 4j0o8u9QFiuLlcVpfv/3/JFfvW280IlOdHr3flKnBqiH1EPqob9pd0lcEpf+eNyp+k3lfdn/ fek1MmdkzsicUGtPrT219gBlKUtZwIoVK4hpYpqY9s+P7/d4W399W4I2Bm0M2vjX+Xc6/7N5 58TZszHuW0t+SDmoNYzXwfqVmBZYEuxDjabGG/D/1mdxrhHwpoBy1AiA6+UfPbiZCFlyh9wI nAn+NTJ94lsfXi/zhN5KhKoLC5Wt3xo6FvwwcXAMWMP8i+aJAO/6lFfJ90G5qTpEYdDC5M9q H5C9ZHa9Bph7eGGcAOU2s8Ql8KzwHkqJAOcc/4iQxxA55EWGl7fBMs/S0vADa2dnpH0iKB5L I0dlCFuZo1LWXeA8an1x6ygkXPe0sw0AY7xcLBLA+dqaz1YOEo7FFY6bB8S4prsqgGVIwHeO JHAHuLPqecDW0h7obASMFR+SGdyz48q+fgC2+vaffQ+D2CKyaV+BNtMyz/4SxGD1J+0J2LAF 2UcC98VuUR7EauNTIxsY3+kV3RNAza8EqxHgye6ppecE23KtqlYf1G+sVpsJ8iP5rboGKGi8 1htDwqBYLeoFUM046O4L7sN6ZXkD7M99L/nHg/bU9p1vS7DUtWjaVtBKqHetN4Gl5no9EMQS ucXzHWi/ksHSGhy/aGXNwmBrYr8groHzrvOpWgrUeBnuzQ1ysPWUaoKnpnuzkRtSnEYe6Qf2 Uc57fvkh5YK3HXHgXct3yjFwX9C36j5ga6nmVzuAel/9yfIhyIXKJLkNHCmOQ/amIH6U9dXq oJeSYd56EHDEkdWSFbSGamdrJtBXmz0YCeKBqKgYIGdbUsTH4H2kLycYLD9YZmqJYNYwK8mf QZnguGg5Dt6O3g2ukqA200arKojqcrnMAWYzc6URAiKz8kaVoORmp1YYfLITIw0QFRhtNgfr Qr5WfgZPsL7EvAvu6+a3RhjYnij35DfgHGnNbq3wn0Hy4bsHaurbIVYMXDFwxUDor/ZX+6tp 65ctX7Z82XKouqPqjqo74OSck3NOzoFtV7dd3XYVMtzOcDvDbThz5syZM2f+puPSlKY0cIlL XALLNcs1yzWIioqKioqC+33v973fF1jBClb8vnypb7X4o0TwnyVr06xNs/5Nxco61TrVOjXt d65cuXLlypX2+1bUrahbUTCvxLwS80pAUvek7kndwb+KfxX/KhDpjnRHuqHI7CKzi8z+83L9 Wf38Wa5cuXLlypW3t+O76rP6ieonqp9I625W11ldZ3WFwAWBCwIXQGSOyByROaC6tbq1uvXd x7nz5c6XO19CBzrQAdgSuiV0SyiUvlD6Qum3qCSm8rbx8vek+vPb9pO0MGlh0kLY67fXb68f tKQlLYH9rfa32t8KmMxkJv/77P++9Zp1QtYJWSfAlBZTWkxpkRZPL8a9GPdiHJwZcWbEmRHA fvaz/8/7w9v669tS/Xb129Vv//v8O53/Xbxz4uy8658nZDZk7e5fKFchKFUx00e560LQpYCD Xj84a/629XESXBwV2frWGdA3Z6rl3AjBhmeUJwCKrPfMc8RD3W2NRs8+CsWC8vesHACuJWKc sx+IoeJraz+QkWKhXg9Q5CaSQX4gyjIMRAc5VOkKaogyXS0JepxsriSBo7Vttm9HiHv06njs c/jt4tXsp2Oh0KDScyq8BjWD9sy2CuR+EPcg667sDbOtAp8g+3L7cVCypPR3zQKmGQeVeLBE WDLY5oI1wb7JsQGMIpYR6seglydCXAIfq+88//Gg7/GGe+qDMVgf4C0AjmzO8IC14B2qR/I9 KNW0F2p3UCtYIukFyqfmDDEfRAFlj7IbjDjjql4ZPPvdlVIegPpEua3tAnlRBsjNQKzWWvEH uUdMkh+Dd70nIrkxcEOJVs6CMdt9wdMBZFn5m6gFQrWG+o4G50vnYIs/sIpvjBxgLvGMN5aA 55rpMR6Bt4ni474Gxin9lXEL5FW9ipwJZhh9zCdgibSYmgHWnhQQLSBxRMLEpMdglDTCmQqW z9SDsjnoJrdMA3yfBkwJeAWucO9gJRpkgmLoIyFTnsCFAbfBz2PrqRQAy1ZttVIURKgoptQA 70XPLP1jUEeQUfkIxBr1vCIhqYJnrT4QLCOUx+ZaUAapZdXpYBSTHczL4P3NM9E9BCjHVrUA eMd6Tuk6mFm8n7qbgG2ibZbWAoTdfMImUF7STC4FY4PeVn8MtgLWr7UAUFuLEZZxoFc35psH QX4jZpq9QTyWnQ0N1CvqbW0RyGPqeiUIXLuS9riqg3FP8ZetwTihvRA3QRv4/7X3nmFSVdui 9rtC5arOuQlNlhwkGUiSRXISAQXJooCgqIACSgYVRECCAoIiiARRckbJOefYNHROlWuF74e3 v/bi5mzdsI/7nlPvn/nMsMYYa82a1aNHjTmXMUfaDMx9PAu1YJPKpNGTRk8aDW0vtr3Y9mJh f4UfK/xY4cfCzUqbqm2qtqka9O3bt2/fvhB2Lexa2DWoodXQamhQfl/5feX3wcz5M+fPnA/D GMYwoGf5nuV7loc+c/vM7TMXGoxoMKLBiIfbVSCn++Huh7sfhm/5lm95/Pww6odRP4wCRjGK UX/sLzhO6uLMizMvziyMSPn7+/v7+0MdtY5aR4X3ir9X/L3i/7odf/X5PCoFm67+6jw+6vPs VrZb2W5lIaNHRo+MHvBj/I/xP8aD71ffr75fC4/7GzVm1JhRY4Dv+Z7v//X7vN70etPrTaHl nZZ3Wt6BiKSIpIgkmHJlypUpV/66vL+6Xgp48PM8N3Ju5Ny/IMf5tPNp59OFubbfdvq207ed oEmTJk2aNAGptlRbqv3fN/+P+7mOGzdu3Lhx8NGUj6Z8NAW8a71rvWvBssyyzLIMRiSOSByR +Nfl/jP+2ef1r/Lf/fkO8j8L4bf/XHW9Tp06derU+esCnk3qP7pYX6j7ffGTNbfBO3u733gt DU4nXnn9zFxYUv7nrssHgHjB/rapCdz7KX1Bchq83LDW0w02Qse81mU+/AV83wa6mWeDuMZ2 2LQJDF/ZbthjQRisDdZ9oHr1H51vgbhdeNsyEfQXhKVyNIjHeVHZCuzVUqRrQI6xuHwTcjul D7wdBVmbU49ldgf1TeWlzOKQOLJU0yoOsK62NInaCNIm01ipL1yrfuCNHU74yPdR9blT4PIb 91PSpoPxgKlkyAkIW5jQs1hFcDbP/un+K+Cbo87SW4LBYDsV0gMEh7ol8CMwQbP6i4HwGWPE lSC2kKob5oJ2WMyQc8DaM7xV3B1Q93mecfeFvLHZxVIPgh6tlgpsAsNpeZlcDAy/mEJsyaDt 4mnxHKiKLz33GGgLDJWsp0AeIq6VSoBu0JrrX4F0WJ5jGAR8wTvCUdBMeoK2B+SvjcstGog/ 6HHKJfCVcRfNqwaBXH9/70SQ50k7zL1AeEIqL9hBqCaO0u6AvFHKt4WA/LJxg7EU6NFatcA4 EGZqY7Xb4H3PN9q7ELRUvaxqBeWa/4S/IdivWvuY9oIJ26VQQDmtNpIywfK1ZZfRBGFDrZGG HiAsDMT7G4DxO8MV6R0wvCg1E6qDuZjhqtgIpB6ik3DwVw08ofcDd7p3lScf5JO6WX0flGJq mE8Cf3hge6AOGC7KRw0WULtpg2gOdBHWsQP0EaqD0cBx8U0OAU/rDuUJsA2zSxFu0E4Kz8lV QKohXzHp4O3lHeOOA22jsilQDYxfGctKfhC6invEuqD4hbHCfNB+VhqJ/YBQzRqYBcZbpsrS FxC10nrXPgtC60e8YR4Fb77z/tH3z/3dyzxIkP9MCnJV/2qO6n8qBTnA1atVr1a9GoRdD7se dh2yJmdNzppceJpEwakN/y7+pz3XIEH+Ezh06NChQ4ceQ8SZVCEs/CScr3ltwPHqMPO5b65P bwmemsoZ+3nIn2nw6iKIu3NHpjaGV2ZGN6uzD9pVqf7DBx0h92xOqqs3eEPTOl3eA4kHnrY1 7gH+AepqZRGI4/UkJRdETVho7A1CrthAGAzCcD1LXwBaPWGKvAiYzGxlJZisQkPDk+CbIF3x ZEBu1yO7Nh4H15DN8069AbFTxzYZdxf0u5X3Rl8F/ROeEndC7LVipZNWQNFK4VvCG8K15zM7 OQ+CzxAQvR+BVlJXhFiQ7xmvWUzgPpH7XFZXMKy0PGFRQEqWzkuLQe1Ma6EnGNrJa4z3QP1E GyE9BcxWVweSIbDddT9zEfjnenf4a4HlpPkVSxIIqdwzGUA7pffQWoIezgfacvDPCTzlrQLC hyjSWhDWk274EZR5gbOBW0Cy3t3/IshDxHx9FfgPBc4rYSD2E0eKx0E8LP6q3wSxnzHK6ICQ BaFnwhTgKe3ZQCKwRbpmHgS+CZ5avj7gT/ENcnUCLUZPcJ0G9wpPas73YClvHWdzg2+tUlUd BOpFbaI6G6wzbZeNI0FqY40zOsB42TBWsoL8iexhCRjXSu/r3wG3+Uw9B84e/obiOyA9LwSk weD6zl+aUDDsE3dzB4TWvsiABYzHDWcNq8Ff3Pdd4HsItPR/ok4F6T1NVYaBdFQ6JSaAbbr1 fEgJkBeKz4t9wdfTe9zbCVybPIu9s0HpIA6WJPDvdBdVLWDuYvjW8DJIH/r6+RpDoJL6sWcA qD4GeiqBOEseY1oOiqwmCQPBaXeGutuC6azxB3MfUH/wz/QngXWApb28B7QwYZl5Iqi/qPvF FSBfsB4SToDglVfLc/7uZR4kSJD/TvZ59nn2eeCM5YzljAX6V+hfoX8FWFF3Rd0VdaF6TPWY 6jGPridIkCB/H4/sOFu+MVV3vQgh2b4XooDk5ffcgW8halvcYG08mM5pqZmnoaMz+uvax6DN ltZHxnrh1m7v4DQNrJfTv3b/DJHFKi14sihoC7SlnAYhSR+n9wU1RF+Q3REku3gozA1s4KJw EfRr+m1xLhCq/ujvBFKadantObhd+caRA1Xg7pAJH49bDaYev/6Y2h20Er590m0QP/Umqi1A VvDL1eCOuK/tjiywzYma7PgCyolVvKU6wv6Zt15MPQD+BF9N30sQeNZXVPkQDL3NQ8P3g7A/ Z1nWK6CX9Rv9KaD/bPzVshXoo5eQ3gNlubJOfw2UDUqE6wLgE/OFTPCvy96RGgpSb8M0gwVM Gy0/hVcHz6ve055lYLlkbWU9BGppta92FkzV+EyqD9Imabn8M/CGeJW9oG1UP1DXg5amugz7 QSjFTbUySC8L7yu54Nf86dooELpoNwMfQ9TzITG2RPBe9Hzr+Q7yxVxr1kagk/q0fzjoafwg rQFLY9v60DsglJG2ij1B15Vl3qXga+1b7+4PUjNDA+Pz4Khk72I5DUIpzS33BnWf9opSEpRm VFDngO+872reXdA/0tZr34F81TDe2haEG8JPppeA8ZwV/GD92brZACjXtaniIKCG3oSZ4I3w PeP/FrQTwj6hLxj2GG9aG4Cvma+TdxB4triPee5C1vPOdjnVwDTBYJMug+GSPMowBLL3OVv6 R0L4dsdHVhc4Ntr3i41BbSt2NbwH2Tucaz3fg8klhAUiIDBBswjvgn5YiJevgLxRGi19AabD pt7yDPB/7+3rvQaiUYjgCPi/VHyB9aC41UjlCNgbGN+Xo8B8xTwk1AHSKXG+/BwAY1D/7mUe JMh/Jutur7u97vbfbcXjY+CCgQsGLoCRtUbWGlkLGlgbWBtYoeIrFV+p+ApM2Dhh44SN/347 /qc91yBB/pN4ZMf5yS5hDYv0g5wb4uSQGAibYWvp2AKhlUwdA+uhe8UuEW8NhEqVSvbtNhu0 TdH5UTsh7Ilz3oPbwZYRnVbeAabnwhZG3ANfeODHQD+QntfO+1uBOFmfKi8EcS7HTQdB7avP 0T8BoTIWfzswdjS9Z14P7minmlYPTs3+9OrHSVB24cFOGX6wVX9iZxkNwr4y1A2JAWv18oNK 7wPFExCUfLBmFm1UdC1Yj9lam5xQxBp1KyoTwhraT4TtAOcRV3zeNnC1cP7gToaw3OhG8T3B WMI807oK/I3UimoImEeZB1kjQd8rbNVngfqC/5rfBpYDhvKGF0B5RX7bVg7MT1jTAzFAEbWu fz74LvmOe6qDsavhOfkTCPQPtFIag9BDWi43A8P70jA1HRSJDcq3IE7RncJeMFSV4yw+0OOl 9tpRoIfeytMehAihvTwJDLNMM4yvg3Gc4ZwxC7x9nPeyN0CqfO+1lCog9jY8b1wHst1Q2RQD JrtpmnEryCPk9cau4B/tPeoeDGKqdML4E0gu4z1TFBhayL3FCJBnckW5CIau5rekm0AH/YhJ A994ZYB/LHBKi5W6Au3EC/rr4F/u3e9fDOJnep28yxDdIizCLIN4U3UwEAxTZY9pDxg2GLEO AE8/f9eAFQIt1QqBOyDXUUaIIhhaC7X1aSBtNcYTD4pP7SeuBP0T7ftAMgijxERjUwh/Jap/ dGPwD/BNVnuBftzfTb0DqihulmqCeanpiKksWOeZZ1viQd+rLxVrgWmLYZG0FQw1hUpSKqiX lSv+RAgcl7MpDcIt06+WV8Bj9e1XioLVZDjJixCzMfwJ4yAIbxbWM7wsqIFAP6UWsPvvXuJB gvznUiStSFqRtL/bisdHzPsx78e8D0tYwpJ/NKAOdfgXUiL/Kv/TnmuQIP9JPLLjHIKcGLsY vCNDm+enQZGbxesEOkGHeU/eGZwL8TNKZdaMAvc+Yax4G8QynqWuMxB6pnTXqpOBG+Jcw1YI SL5Y73ww7BI3mupAoHx+mZt7QXzeSmIL0FP4SOoHwmwO+d8F3hTj5Pvg/dLtdt2G/cWXvvX1 ArD2yvkoSoKEBe8aWumQ3ffC1DNlAf1SnbsRoO1XPnB9BtJBy0JzEQitnHishA3MlwwVxG0g Rzm6Wd4Dc29LY7sLDHctcx254HK7emSuAVuV8CJxw8D4knlyyGDI6Xj/2I2awDva80I9MB+y Lbf/AloZdYf/Y9BExglJIFmoLGwHxawu4joE3tLuq2VBj1EHKiHAXUrppQCz8JV0E+T1+lYh G7RG+v7A5yB4heGaD6SZ8i5LOliWGo+JL4P3BbfoXgniMOorW0FcLQ+y1Qb1BXGwtABUzT/e /Sv4Rwfsvnch+rOiHUrVAdMm6T3jfJBkjvp9INXXPMpXoDT0L3GtBmmQsbUaDoF030fqRvDN 84z2GUFtKn4khkJIFQfWL0E/zwJWgzvV/Yo3FdTqWh1vCbA9Y/pBugNhaY7XQ0qC4tHe9N0G eYBez1ADpONChhAA603TQn0+eJ/zLRc9kD47d6uvO1gaGJdq74K5g2jnDHgt/nTvOdCj9V1C TzCvMkQb3wayxLPiCNCvq5WNH0Dm4fTuaXOBIrLJOA2UZ4S20pMQluaIMn0A4V5bmcjd4An4 jd6DkHvcHa/eArGKMNezBOQnxe9CfgXPEM8xXzMw9bUMkK+BUk5YIp6GrAMZgZzdELY9JMJ2 H8wbxM2aD0qcLC6EmcC+1rHOEQeuWFc17x0AOv7dizxIkCBBggQJ8nh4ZMf5biNnP2MbCM+M 76O2BF9K+gc3XwTPCzmHMsdC/nGhhKcTmFZLtS29QbnKZ/onIOXrLZgBTFDr+SeDuFTsbhwO qq7sz6oB+mD1B/0rED41vR0WB/qLGJRpwHjtonYCTFONZc1r4VCHg0sPZ8Ox1052z9wBPTN6 zX35eQiZ+Vx2TROkr+jz8bDm4FKcRTI7QE7+hgrLXweH+dl7L74Cposltsetg5y62Y1cReBO udxelniI/SbuRvQiSG+VV887Gdxd8q23doL7VZfPVQvsgxw9Qu+AdbLppm0m6BmBDq6eoIYE dun3wRBlMjqeBN0rhIpzQV9LnD4H1KeVov4rYOhhHCcfB4PTOjhiCOhJ2sdiCnBNm6dcAs0f WO3aAYEhvlOeyyD/ZKgpjgRflveaexDo433xgg38myhv+gGsr1sPhxYFew9bafEd0AKe/c7K YEm1n9U2gGu6Ipvbgmuqt5v7HBiqyLM9G0APDcR4YkEaLHXVngS7wzzU3AaYJmVaNkLuBWGf rxo4RHmxaQL4RwQG8AF4ve6u3qvgGpy/J30XRO6IjLX+AObGhkzxA8iMyVvnnA+5ZbLn5fsg 7JPQN+2RoIrCe2IDUNcSLb4CBkvedqUrqM38jfOvg+lJ623DSMitnvuBegf8HQOjfDWB2WJH 9oN8Ql5ueBeUc/lj8oaBPMNQ0TAP+ERbqncH49PWlZb94Kvij/QmgOltkgIdQXw5cFwLBbm5 Xss3D0L6GVfIGSBdtXQwDoSAQTlm+AC0OsLzalUw+G1rxG0QWKL21uuBt6US76kI5hRjijgI vN3yY3J+hdKrk47aJXgivdKoYt9DXlR2W/EY6PeF10M8f/fyDhIkSJAgQYI8Th7Zca50tXLT YmcgeezZM+6W0PiHpz09VkD8RzXNdZcBw0xlrDpo1ZQtnADhO+FLcSOwTcgyzAHdoGb6XwJh slhGzAT9HachKw8Mo/Xm1iPATPErsTX4jztL5FcAYZwwVy0CWotAPzbC7ct3xskDoZHhpWb1 0yCq7VOlKqSAq8b9SSmvgiDk7MzbD2Eni5wsEQ+m/BIvVjoKmU/O6rKkPcRLozv0vw45lZzW wMtg/MoaFTMNykwuubtkGNxseT8qrzLkzshNsE8E99G8QPqXYPnaYSteCSy1Q0aEC2AYwO28 ZhCywtFRlsH5s+ew2w+O8rbbIRWAGsJ+qQjIu8OrhX8K/jtCtPFzULcpX/oiwVspZ3fGUNCr 6X2Ul4F48YokgLRTGi80AnGrECWGgjjGLJoGg7mC7bp9HYQWNVosaWB9y7LGXAT8+c63nBNB neff6pkPGU/mH9PiwFnXP0fbAvoRKU6sBo6zoZ+Zq4C8W3xfuwGGHVJRvROwk9p+E7jK5i9U OoLaUl+hXwFNFQzGbaB11VRtF5iaydvFdChhLF0y4T7ILfUz2ki42iVFz+8GEoahchz4z2qt tLLgv6S/Q38Ifyn017AwyNqQ08BdHDI8uUfzs8Fy1jxe+xKUS852Sj3QbRj1GJCPGcfJs0DP Ig0TqD+qM9TxYNxnOmwKBW2mJij1wdDbNNEYD0p71aI9A4E07Qf9Z7C+bM023YXATvWYMAky Dme1yNgD9tH2tx0XwXjUMNj4AUhRcl/zRfCI7p6uO4CiO5RZoG7SbwvrANVdwZUMgTDJL94D cxX/ldxlUMlS3BQVgMj7lqWOZMgZmTrAfxVC20fbHdnw3/p6uiBBggQJEiTIv5VHP1VjlPeZ 29eg+qUSE8oWhUo0iX6xAmiKNVJsB/5WmR2z64P4tXmDKQpEhQ+UZFDnCgMUGxhrmXPsL4G6 XHxGHwpq69yV7tIQqK3fs/cBywvxIfoGyO+Qt8FXBEK1sIthM8HT2P+jvy48c6Lhe2XMEN8h UQ1vAj4lz5DWFVQ1t3NOEzAmuHRyQWweU8o8GwyfhIfEPA9ct40PKw/+k7n3c8tB1MTY6XEv QsxW+ydqaZCSYwZbIsF+NOS4sA6M1cLGxKSC81J6kZsdwFPM0zp+I5jNltXhy0C0u17zOiCs nHGXeQHYxgo/KA1AtqrpqSII54RzUjXQ3vJMzX8f1K/V7ZIFxMXaJKkl+O4Jc9SWoBzTquvT Qf/Kv8oXDXIzS0vbLyDU1JIUN+hu5RnXdlCLeDZIm0GMFyYatwNHhFLe+aAX1bJcv4JQ17DD Ng7UteoP/oEQqlrqycXAes563dYerOcNS/V6YH1dnhoSAerIwBDf8xA47Z+g/gz2WiGHhCUQ 4TDNNbwGeT38/cTp4H/O09C/CpJKxCw2SaDEKQuly5C73lXSewiKRMW8bQ0D98vuyYEykFVc 6y10AfW2L83TA5SVzryM61D0K2t/tQE419t2h+yBdGPel4FOoCUrVZx9wFHDIhqXg6GWoawx AdhPCiNA+1GPFkpBQNFi9RMQ+EDJFA+AMFM4KJ4F22FLG7kURA8MHWKRwayZE+3poKwLJAtD QNe54gP0Qapb84A/y7vLmwTCfsNmJQXyRzqj8oaA4NXd2jvgq6P9rCog1FQbKgvBc9rfU/0M Sl6PP2EaDWGjE58pkQgB3dNJLAPG12x9LM+CrUXEDyEX/u7lHSRIkCBBggR5nIiPKkC6qTfI E+Hps821DgpwxTbP8CXkhab2udMG9k74sceKcHDtvHMmeQ24h2dmZ78NSvn82PyXIL3Wyf1H VoD6tPsLZyrkVsp5VQXUpyxnQ78D5Yh/l2IF5b561ZIHwlL5uiBB6Ba7ZNwOcRmxLUNeB189 VxnX+yCecsyJyQC9hPOQtgbECZmVM38G8RvDcKsXpHkhfUKPgPCc7ZytEui7pL2GSBBy/Z84 20Ipc/GMYrsh7F7E11odcGyzqr58CLWEdooJBUk25pqHgntq1tSU0aDGSlVME8BzSBhiew/O z0v+OHs05A31RWi1wfRT6N7E62A32eZHtIXsjvnDvYDvK9eM/L2Q3TIrPaUVuN92385dAupp /2DXKTC/bwpIDcFa1NiK9mCqarJaBoF6WT8ujgflYuAlVwXIvpRbJvk65DtdC51DIONuTrw6 EFLaZXbJKw+Ri0KibFPAUtb0vmEv6Ke1Jz0XQTihvyw6wLHAoplfh5CdjqFhE8AQbX7SMgTE aKmGYz3klMqbLa4CZ69cq28yKKf8C10HwNfD87bvPfC95F/pjADrFilbUyD2k5BnLfNA+UFd q4eBc4rvLfckcIerbbTDYNONr+oVQUvjOckO4mg1XI0AQzmhrTgPol4LNYRngzzLtN7aDqwp 1k+s20B6luHycNAXCU8TANOroioPAVNJw2vSPBA6SomEgT83cF39EvzXfd9olUEr58cngWmo HM96MLUU3zd8Bsal0htySRBaCFON18B1Le81fzNwZXmaOLeBL4fmuh+kUONGYxUQ21hKWb6B sJsh/ew7oeTRkmlFS4LWU84I3QBpE/I2eWdA3CuJ3SLdYDqj9RWL/t3LO0iQIEGCBAnyOHnk iHMxl7Vlg9cgoX4JtZYR8kyZK1MT4HKl4zUPz4WM69HLxcHw0/S959Y+DUm5puRii6HenG5h nQVgt2GswQ40cu3LDofAlpz16RvA5HxiWaWqkN0uNfHwHpBa6c9YzoNhr+mdajPA3yiwSVGA fuoVfTLIJ4UcwxcgVBX6SxdBOZayKP0WKH2knyypYI6PLBNjB6F83KkEAxi/DksNaQPCVa2q XhsMybZnTM0ge76t7oVJkDE7t+6xzfDEL09cj2gN9w/k9/YPAsczUV8Xy4Os0neXX60P3i3O 7vnPgfkFmznMBcJ8f777Lcjt5iur/wDakDSnayOEfGFsr6kQ8X7M8OitoM/TQrQKYJ7obJg/ FiJXhM4Jqw36CQziG+D63H/Tcx/yj7pb+z8Fj8FT2lsThFSpv7kVaHfoL4gg1tLbqAPBJXi/ yTeC0IaqLIT4npFzHeMgNNT0mtAAXEO9i7RtILwn9hR2g2W7sZ10HXwlA630vpBzIjsvqz/4 SyoXmQOeT5V453eg39He9E0H+2fGGUoHCFz0+QLFwTPDP4uBEFcvbHj0CbjZN2N55huQ3dM1 T3sSAl/rxcUvwDLdNDpQGeypxtflMsAwdZvyETDC2EWqAvkrvBUZA7kN3HO8djAukyKlHyHu 27Dq5vEgJos7pXqgTDF3MpnAWNm/298KtIPCBt4EcYiSLJQEPVuppo8Hk8skUhx8rb1TfJNA WiZMFFMgp3tewLUVAlXUCXpdCMRoq5TvwLDBdNRqBe8ZX5rrGIS+Eno4fCEolxW/9jkoY/RN CiCu1acbfoZi0WGnxKNQ6WoZQ1JXsHxoKGMbBlIPebO9OUQkRWSGK3B8+a+9LzWFajy9nf1/ 9zIPEiRIkCBBgjwOHjni/OSExnM7vg5+j9pZWQTSCYPJIgMjIubLmyCnvfubvNqQMUae7CoD IWGJC/VKEGiU8fG1dDC+G1k+ciQww3MscwhEvRBbzHEDpDrmScahEFkpusYTFyBqVdxzpfqC clL5QR8KQhQb9Vogfq+fYzXoVwUvX4K2E/QM0D9TywohwDpbI8cm0G2+JdqrYBhgsBg2gWRO WhC2GNioTxbXgV9033XPgjLbi8RFfQb50/QUPRTcE7NmZHwBxUIjtouVwLDJMTmqOZhrOCLC roNvfHaTtAogJGgfGaeAeYFtvq0FeK74Ogs/Qd5ova3sgByPEG2eBp7PlbFCH9C2au2lsWDY bt5u84D2pjZCTQPXKddNVzeQzqqZ/p2Q8GJ4tD0UiiXHXAl/H4wBbZFPAymgHg2kg6OaeYHt azBvNC41tAXLTMNhaReY78mHDd3hRsu07Myj4LfpA9WvwNbZOtlRCtzjXC29YXD31YzEzKWQ U8F1Nu8TcL/grZ49BTwz3VHpdUD5LtDHmQ+um57GWhhI0dJJbSEUeyb6m6g0OBd+4+X0CEhu kh3i7QvZPVyDPXNBmKsr6noINUn1xdUQM9dWX2wHwlpjQ6kUZFmcNaV88H8T+EF9D6Ijw1pa 1oFtkfmAwQIE9Ne0DZB+NkvKqw/Z03PfddnAW9Nj9XwG3m35vvzvwL3J1SK3E0gvMsv7EagG b4Z4CvRsvb3cBrLPOhf5WkHmGGcxTytIu5ZTPycXskc6R7uXQfbh3OY5HcB4xuhhDhjLipuF XRCywva08VMIW2QPt20BQ8CQwzRI3Fc8JWo7xN+K6x4XAaFrTeG2e1D0cukLZeZDoLZ7qGaC a97j5osN/+7lHSRIkCBBggR5nDxyxNlxIiosoSZob+hLSQBRN0YYTkL66zk/ZL8ALu2O5b4N ag4rf6faTaj0ddWljUaBctw0V74LUn3tkG4BtZY3z/UDcEDoRHNgpbrcVRq0+/k/e54HsVxE 64S7IE0OrFKug/aLuIqtQEnxFXTwz1Kb+V4F0wh/P/8tUNsox6QvQc815duHgbDB3U+eANwH aTsYVyfWiq0AfK8kBz4Df+uMBneLQl4/R+e0LCjXvIbxybpw9si5Awt8ULdtla/Kvwz2Tvqi mOXw6wrvhqK9Iefw3UEXS4NnWN7rqSvA0ib81YjDIA0KvOWbBVqiMkAbC9oY4+XoKpD3pP6M +j0o7/oauFqA4br6nbYfXC95DrnLgK2TdZHjOITMFRpLh8D6saGd4WeQdjBXOwBJh+JnRA4C 11GfoCwBz6T8ZTnNoMik2GPREeCs4A1Va4FYR/5YtkCR5+2fF7sFokHHq4Jnqvuycxk473tS c7eA96hnmccL5q2mE6ZQYKaw1/QJ2C9a14fYwDJQDhXeBMscqZryJZjGGT+1GuHqlLvXnNPB tUDL8fUHyy7D26brEL0ppIJpEaSMTx16LwyiFzh6W18Ee3Nb29BqcC5wZ/z958D0oSnKPgwc Lximm8uBbFASXANA66KliXsg2ZQ7QmkOerK6zn8TtKq8YOwMOY3UIYEU0ERvJ2UVaM8rF1xb wDlF/lbPANEuVNd7QHggumbcuxCYoNQnC+Rw8b56Hhxplk/FU6Dn6gP1RDCul3dpT0HIbbOF IqDuCdzy9QDzdvuecBPoK/1b9I4Q9lNsSXs0RF0ova/cWvBka7qpD0Snx5eMaQbhxoS10Slw JH7NoF9tcGPt/VfvhACd/p6FnZOTk5OTA0uWLFmyZElhe69evXr16gVhYWFhYWF/j21BggQJ EiTI/6s8suOsXxYS9UWg2lx18kdDlnJ/+pUYKDFFtVkqQbkJVeVn+0Jikaqbnn4WtB9imiWW BfGG/4YvAcSreoiwEJzv32p1ajBY02O9VcqD7nQPzH8D+MjdP7s2cC/i24SqoF8SG+mZoD8j 3EMGaZ+eJqwEvRZJgZPg/dgX7uoNgZrXVyRvBW2h1pfukNNXtue9BI5Td1ZenAbeTcd6HKsK lief2FniHJgrV9NKHwT9vrd2yAR48q0in1k84BvWZOPta1CxfIX3W0dC81l1B3prQeqpqU9+ 1wlOfekeFucB96eZV+6eALmhJd3xFpgmm4+F/QK+O/k/Z28C98ScI9kfg8FnshtbgVBcmCf0 APdhPUn+FCzPGV1h5cH7jbqEvZDTQloiNgdfZGAbPSF6o+MFmwAmk7m87QPIb+PMdd+FQIR5 oqkphC60Pm09CbHPhHeQ08DbxDdZHwNO8vJzr4DUS7ipfwjSbHtJwxiwXTe3Dv0EvKN9jSz9 gQ7Kp4GqIEYbdOM1yO7s3qZ8D4GFfkGYBOyUh4uV4OwnNxPT0iFwRY7TZoHDaNpoKgPMUupk lIO77dNHi93B/qTla5MHSBPTPAJkmLJ+Mn8JYb+GTYkeCnHG8BTrCMiVc2rk3Qe/y19efwky RuXecX4GvrXqCfUyRK0I+cXcGEyi6QP9DbC9GRggHoQMjaPyPpDjJDX8EkTvDTluigVTWXmx mgX+Vv664g7wPMc2tRxI3YyCQQdps3bUUh30ynrDwI+gbtA66zMhf6m7suoA6VXTbuMiyOvq 3OcdAY4T5k2GlZCwNuFYzHYQyosHrEtBba1Wky+C/Ujs1rhLEBjjWux6Bw76DriPmeBk9ZtN buh/38Ju2LBhw4YNCx3oAgoc6ZMnT548efLvsy9IkCBB/qfgdLpcPh9Mn75o0a+/wuXLN29m Z//79JUtm5QUHg5vv9237zPPgN1us5lMv7fH5wsEYMqU3bsvXIDLl7OyvN5/pz0REWYzvPtu w4bly4PdbjIZDIX9Xq+maRrs2ZOZmZcHubmKoij/PntCQ2VZlqFBg8jIkBAwm0VRfOT8ikIe /VSNba4NrjXgzXdfylkMtlphq2KHQtEmrYrWqQjaZM7phyFQVnlbTQV9nlf13gL6imF6a1CN gbdcRjCHh78aWQvkmkUXlq8I0nR7vZBGoG+zRYaPAU1T7cI7oPcQvqclCHM5L8SAVoGufA+m tYLDMR3UejZb+HoI31y7WkJtOHXkbiOvH47Xjvn80iXoOlrKuhUO9zeV1+9+DAlXS7xTLBxs b5t6xb8KUhnz7LBPQEJv7f8Imr7RxD+qIuif6dn0AeG9hCO8DR1rNou72A5uDlzT+vQ3kBPh OphTHpwfZDW6lwlhYmzZoh+AqYwtMmQxeHrkH8/eBYGZnmbaIRBai/vYAcKvhlmiHcRbgQmW r0EJlasYPwb3NnNfOR6klb7PPD3Al6e+zDeQv9DVNvdjMJ9SHXnPQfaQjDv3fwTmmb8O7w/M DLRSNoA4Ql6kTgHzSssq03oQhtFBPgF6fiDUexpCepruSHVBM0oOW0tQ0sUMczy4o9xjlGrg 6uAxeJ4BVmmDvH1AfF44Yt0CYbkRt+wGcD2Rtz3HAZ777q9yN0K8KdoQ9S5k5mZUu9IDQjqF LU6qBqFfOkbHvgPZd31d/efAn5PzlnoWMt72ZqXMAPNWy1emryHrRP6v3tvgae+N9SVBkaz4 ORFnwLDfUNM6G3hJ7eiNhvAToc+aG4E63t88rz+kxrjCXZ0hUxO+kQeA/jFp2seg9aQUTcD0 rcFlTAT1oPCcfgQCP2sfa3PBNz4wW/sFlCeV1z3dQaqkfSbUBH0IrTwiONZYk+STUKJiMWcZ DSL6RV2MrAWGj/2vaOkQ/lO0M3onmG6LS8RQOHBw7epjy+CX0xedlz+BtHjFoF35930xPIzd u3fv3r0bTp06derUKbhx48aNGzcK+0uUKFGiRInCcQUOdpAgQYIE+deYMmX+/D17IDMzLy8Q gDJlSpWKigJBEARBeHx6dF3XdR3S0jIynM5CvRMmDB/erFnhuAkTtm07exY8Hk0TBHj66WLF IiJ+s+dx3vdv1sCNG5mZTmeh3ilTXnihevXCcTt2ZGTk5IDVKkmSBNWqhYba7fB4rQH9/wSr 7t71eHy+Qr2tWsXEREQ8Pj2P7Di7yzmLZz8FxgvGBeY5IOWGTAjfBx6nt42nGAjFtNtCKqgr 5K2MA+EJsYU+GqQ4QgwbQd+mvuN+CYzPF/++4jkwHrFtd1wDtTY/cR2IYZBYFAwmvaf/KQg8 K/jYCBzUG4u5oHuFw/odoDV11DAQb/r3GIqBtXzDN2q9Aflns5K2ZENOmeRd/g6Q15Rd7t2g Tit1pGhV+LXt5XN7M6DZ3pCT5V4Cb1jaUfNRuP/JbUumAsa6hiVZwyG7S8ri+ycge9H9AVdS 4FTfWy8mR4H1A0ejkF/A/QJflWsP3qE3DxzbBPkjs/emt4aQW5ERMZvAWN9i9teBgNNXPPdl kPqJ7YWhYO9pjQhpBUw3WIzDT64S6AAAO9dJREFUwPicnCxOhNBccYF2DgwljLcdh+DujbwJ eiz4Orq+870EWaf0AYY8UOoZc6J0KDI3pKTxY8gcl7XYPRykBdzScyDP5f5Zt4CvlFrfZwa5 hLxESAdvea2U9hzILcSQ3DfhnpZzzrUHJNFYw1ERjLUMPmNDME0yVHK8CNbj3PDuA999zxdZ qaCeZJpuBdMQ8zYtBJTj6ntaFSjyXGylslMhvF5ErO0MeF50XZDnQl5K9kVPB3D10Mb5O4Gj hv2c5Th4GweStTLg7alupQPEvhGzMOo0WOdaW1uKwF3HvfHZbggMCvT3HAOO6rMCKyDH4F3r d4HwhfyKtSEEFmu3qQvm2Zb5xm/AeEDOlo6DMloLFzuCYgzc9xYD2wzDcGE1WL6UHXJpkH+U VoRfgdyN/tOBTmCfbNwstoNyQ4vWi02FYv2LTS12HwwrhbvSmxAbETk0/BpEhUd+GdUFLr35 a9Ll72Fdm02ldodC8l1fWVcuyB3Fbfa3/s8i2fp4vxz+K6pVq1atWrXC+syZM2fOnPnPxwUJ EiRIkH+Nc+euXMnKgvj4xMSwMLh58969vLx/nz673WIxGAr1PsiZMykpublQunRcXFgYHDhw +3ZGxr/Pnrg4m81sLtT7IOnpfr+iQMmSdrvBABcueDyef+MLwsLDJUmWIT39Nwf6cfPIjnPK G1eN118BnzX1TtYEqHaj89qOGeCP8JUNvAL6SdnMdyCd1U5wFITmwgBhAegJ4ineAf2ifs7X CMSSYpT8OWg/C3fkROCq1ifQBISXhEWCGwKThNfFKSBe1O6KDYBY4aSigzBM3y8eAS0Eh2wF vhK+CpQBtbz7ZeVrKDMi4Y0qn8It1evZ+xFkhMsH8ndCokm76mgPKS+o38qfQ1bN+73u7YZP HW9f/3Qp3DSlGQIfQOQY0+S8maAfVGY7R0JmjGuR51XwfGFfX7w6xHcv+lNSAjA35PnQzZB+ Nyq32CHwHkjvlBwL3jPG58x7wBES+nbIbRBu8YWeBOZscUFAgrCAQVevgv6eetXphNDOxpfF UmDeJYUFouBqq+SXc06Cr72WZ60H6n76SS7QO1JTGwbyT0Jn/SykpuaG+HeDrbGjvLkNyIPk qpb+4K3hyfS8D6GZcm9VAjHAK8J1MJaVu9hOgznMHG6OAeM8+xZPBghFaMkNELcJycIToBbV Pgx8D7Zlcrp0DcwvG0tFTQfv076OuVVBaEsL42Hw5QSeUOaAb7vz2fwcCDQ1rbW6wWV0z8id CPoC4W3lIyjuDe8l1ACjS4iUxkO22bNAuwcxXUJ3WPIh9KQpXTsBOUn5i/N7gFvVPtfdQBzp hk9By6Y3TcF80VbZmgOWVwxPG46C2lQ/onYFNUbdJnQGtY9+RLwB8lpJD9QGU19zfdkP4etD Zzk6gHe5N0m+DO6PfbV8lcB2xGCXJkLxzbFnQ89DrLHY8uJvgl5U+NgSAPtBsavxFCR9UMqS 2BJcgeyb7mmw+YWfN+y7AXe65N66UQcsxfnEGwfKLB0hCnj23/fl8I8oyF1evHjx4sWLoXfv 3r179y7sL2gP5jgHCRIkyONBUTRNVSE397eUjUeXFwh4veD1uly/T7Wz28PC4uIK9RTofRC/ 3+8PBOD27Zwcp7OwPTX11KkDBwrrsbFVqz711KPbW6CnQO8f70dVdR0yMhTlH/Xv2LFly9Gj sG/fgQM3bkC9ek89VaIENG7cvHnNmn/dngI9BXofN4+c9ZHtVxtljIeMAG3z2oD8naBI10Ho qu/SooESrOIYCBOFVcIWIF3fKxwG4WNhmVAd/EWuhvxiAmVndl7ObhBvyMlyALRIoZv4Juhb 8QhlQLgtfE4PYJRQVbsGdGCIUBF0kUp6NRDGCs2FYiAuJ5pp4FOEd/V1UHR86S8aXoSmibWm d2wJ9mfN5eJrwuXNGfL5MmA2W06GZsO+5INPHygPNy9azHfeBr/VWtOzA+wtyn5R+hRUq/bC +8/nQKlG1crUHQRDS/ev1aUL1HNU0GM+gtj3WZU3F6wLYpoWWQGyP+ynyPbg2ZvzXGopcPd0 N/e+D8bG9uoh7UHL1EX5GHh6emZ6JoHxSflOIB+8eD91/wjn42+8fv87SLakf5dxC7zZnlGu UiDdM1qMP4PZZ33V1gU4JXilviCdM3iMe0Hpr2UYdkNeP1cVrxVMi80vGBdBmCWktvVriKoY Uj2kGZiPixHKIWBQwOfsDSF3zGd5GuK/ivg0LBlibtj89rqQ+LGtu2MpGAWxmT0H/FuUmf4w yP8299n8REg5dP+L5CmgOtRegRmQH6KEeV+G60czJ51cBHI94ZZ3JrBLv5R7Gty/+pf5S8G9 I5k3Mq1g+FyK9O8E+xPWEtJbkGLMKO6cB85Jntv+HeCr6K3m/R48s32bA05Q7rNKWABSKT7T ZTDGGHfKY8Fe3h5tag62cuaVtg9ArmHMFEUIdNL3ipmQ+XFelnYHrsy52Ss9ATI2ZidlXgFl h/K95yeI/jrqResyiN9T/JmE6yB+Jw8xtQTvDn9l7UNwNIx7PrYz5I1zpgmvwpZ7m48ciYLD v1z56kInSN+btyetAzjrZnW63xr8IzzT7v/w+Bfsn6VgE+CfbX9UatasWbNmzX9edtnRZUeX HX/fc3ncdJzUcVLHSYX397DnUjDuP4UVjhWOFY4/P28F5eURl0dcHvF3W1/IpMxJmZMyYX7/ +f3n9//r1+d3y++W3w2eMj5lfMpYeJ93Wt5peafl3313/7mfnyD/N6qqKKoKqqqqmvavlz6f 1+t2w6RJQ4Y0bgzr18+bN2BAYfnH637T+yB+v8/n94PfHwgoSmG5f//HH7/9dmH5YP+jl7/p fZBAQNMANO03N/bB8sCBU6cyM8FsjoxMTCysP2z8ny0L9D5uHjniLNcpbY2ZBuaM8JXhs0Df wZOMAb0x3XgNhJ1arD8B1G/12/pbILQV3zKsBvE5obSUCOJBobthOUg77TExS0F9V/+BeBA9 PKmUB6Epz0lm0A/oY2gIegOM9AKiEYTmIHQRntLfANrqtfXToGewWuwB4k+iZjkAykG5WGAW FNWK6g1ugbhaRroMmZniqMu34LozNe36j3Ax/foZT20ot7JxyjMvwNlPfux0oj+EDSzewZEC 5aPLLK20GV481u1Gr4pg3WorZnoednXeWfq7YtB4T8zt/DEQcuJ4rrYRzlb0v1HqDmR9pB1W JoJvUUaRlAVg7C1NL1oW5BH2J8OjwPeJf0beR5Djy1uRNwPcZQMzhI6QfdB7V88C0zHDp4Ym YPhWWBeoAGIP5ahbgECY1yUng3mK5SfT8xCY5n/FZ4WcQ3kvZZ8DWxHLHMsYUJ7RLJYz4Lzk LSJ9BMZScnHjSfAb9TnaEVDOB4Z6LoNtkmGWbRt42uWvDkwB/1e+1lnXwPWhcvOyEVJPpe3P WAHSz3JjLoFhmTDVMhq8672i1Bn0VVK0OQz4UqySHwCX39856ySItZhu/wXyyuUPy4uGs/dv vO9KgpIH40dFqRBzxrrfkQgpz6U9lb8fvF3J8o8FSy1GyWvAXEZOJRvCvgmtbF4EwjfCPNMx UPaKF6WlIO81rJfeBzUucFf8GXLD89/JzgRqEiW1Aetg6zFrRYiZG9JebwFqrr+naRUY2pu7 GJ+AIlPC14bthYibxaS4BSBvstRxXAO1pncwIyH6q3hL5HmQVVvvMB0OvPTLL5eqw97Eo61P vQjpDdgQ+Am0L4wzo2TwPk23u5+C0F5qKlUE7v07lu3DKchZ3rNnz549e/7YX5Bz16BBgwYN GhTmOj8uIptFNotsBq+//vrrr7/+x37HZcdlx+X/3mfydzL2x7E/jv0R7Ha73W7/u60ppG7d unXr1oWxS8cuHbu0sH18m/Ftxrd5+DzGfRP3Tdw3f7f1haxpvqb5muZQvEPxDsU7wAAGMOAv XL99+/bt27dDoEqgSqBKYfuWjls6bukIfelL37/7JoP8x6MoBY5sgcv2rzFlyptvNm0KpUoV KxYV9cf+B+UX6H0Qv9/jCQTA77da/6tNeH7/bykUiuLxuFyF7bJssdhsoOuqqigQCLhc+fm/ tVutIIoGw+83Iz6o90ECgd82B6pqYR7y75Fli8Xh+GP9YeP/LAV6HzeP7DhnWe8mJPeCuOHh W8t8BMKnaryeBQzmdSyAT8+VLoC4TnxOmA0E+FSKAe1zrYXWB6QWRYeXXQziAevg6L0gRKiD fXtBW6/fkE8DI8XRLAbBoq/Xh4GeQihmEErgoiZQU/9YMIB+hRK6DbinG/UfQG/OOa0vSB3k OlICKM+onyu/gHTfMMW6E57YHVuqQXeIyNV/DjkJUYESh83bYfXpxVmb46BUu4qnI1xQPbfa IVNDSA65G3uuEiTUSzumbYfIN+2l7R2gTLWwFZY3QWirtUh4AVIWyimXPoV7CfYNoc+BXouw st+Dc+m9b87JkGfP/DnZB+HTIhclrgd9pnWmwws5VQLdtOqgjvQ60k6CoYU8VPwOYtZGFI96 EQwdSFHHQur+rAZ3KkBojdAKEc+CVtR3UjoIoVEhethMsO+w3JZ2gPMX9y/u4eBv6T2SvweE y4ZOxlggXe/puw+uHM8dzzSwjDa9JO8DdZgywesC9x1vvqsIePMCLTI9oG0y7vD1AHm9oZV9 KriHuZ/OeRbEXPMcqQ1YF5v3cBLkBsJ7+mkQ0cfYnoK48OjoKkcgf5Lr+ZyrUOROZOPY6yB9 JS5L7wsJm0OjQiZCVrnMJZ6VcPerTHJ+hlKvxD9p3wSBWCE/UAvECeYZlgmgzKELn4A9nimK F0zLxFP6RTA4xXZyVcjcldc04xuITrDHG6ZA3MWo92J+AvM75q/lY5DyTGZ3d3m4OTa1+b2h UPal0suKnAPHpiLvRpcEw0JjF9tJ8LTPvxboBVH1YpJi9kLIspg5UQ3hxjvnWt31weE3TmSc rAb3L+pV9SOgjpA/i7oGTPdHpxwE41zrdPkmmNpakuJffPwL9p9REFEucKDHjx8/fvz4wv6x Y8eOHTsWkpKSkpKSHr/+AgexdULrhNYJ/2BAAgkkgDZPm6fNgy/rfFnnyzqwbt26devWQUZG RkZGBkRFRUVFRUG7du3atWsHfQ71OdTnEIiDxEHioMJIXIHD9MOoH0b9MKowMndrza01t9bA 0aNHjx49Wqi+4Lq4uLi4uDiwLLMssywDZzlnOWc5GH5x+MXhF6FpRNOIphGgVFGqKFVgWu60 3Gm5sLHoxqIbi0Lp0qVLly4Nnvae9p72wBrWsOaPt1uQY140rWha0TRotKTRkkZLHp8d1bXq WnUNbre43eJ2C7j7490f7/74x/t+kBLbSmwrsQ1KUIISv2sfz3jG/1fz+DZv83ah/cUmFptY bCLU+bLOl3W+hKxOWZ2yOsGOaTum7Zj25+fn2qprq66tgqmlppaaWgrOnj179uzZQrXlXir3 UrmXYOi5oeeGnoPZ+2fvn/27FwsVyBuWNixtWNrDc/sfZGPaxrSNaVDu03KflvsUjEuMS4xL fuc41+hbo28N4DjHOf7on6PPfJ/5PvPBpvRN6ZvSwel0Op1OqPFFjS9qfAHjx40fN34cRN2O uh11u1Cfb79vv28/dJ3WdVrXaZA3I29G3gwYcnbI2SFnoWVMy5iWMY9vXT1sXqd2mdplapfH /73x/zqK8puDqSiP5qiVLv1/O8zt2w8fvnr1P9f7IH6/z1cQCf59RLpy5YEDJ0worEdEVKhQ qxbExXm9v8+BvnEjOzszEwwGtzsnB2rWLFOmaFG4ePHOnRs3IC/Pao2KAqPR4QgP/6PeBwkE fnP4H/ZvhSybzWbzH9unTp0yZcOGh99/nTo1axYpAvXrN278+82ID+p93DxyqoYh3x8auA3h VU1LQ0ZCIInKwhug1xc+FJ4FYZm4wrABeErwSpnACmE3JqCnMss9DrShuS3SxgAVtNviaaA1 7wjLQGgs9tPdgEwzfTYgkkU0YBDMSEAq+dwC/Xk66MkgVBOq6g7gO55XvgVd0Ib4JdB7M93Y A6R5QqjUHNTeyjnPSQhPcljLX4XyVUqObTUdvLfl7w2NwSyWaW3rCz0cL05o0wwcTTwjI/qD /+79obn7wSmcO5SaDCFzDbfDdkLxpZGBuK6gD5T7SUUgdFjRFaa+EDncVjnPDpGj7V9KyWAe GLez3DYw7jeMt6wAd4Msx10J1PaeCz4nhEwPeTa0KThaxpwucgFia0Vdj0mF2LiomOgJEOkN DY3WoXTfouGlz0LET7YzIXshap+jp6EimHbow92fgtTY+3bWJkhKiRwg74HQboYyylSw2aTP vRvBsIbyzkSwfmUsZW4I3v4eeyAJsr/NVNM+B89+9w6fBpi1BMc3YIrTjlbWIOykqW/JELA2 Mty09AXuqnbzQnDsMe0tng/ZzVyB9GHgf1GfRlHIapTazaWA4W391ZAm4F7pTc5vDKVSY44W nwe2D+S08L3gauab7T0KscsjEq03wL7btMi0A+LLRbQLj4PEBmFFrZ+Dt3n+2YAdHBssqjgK jC30T5QkyKh8/9XbfcH/o39z6gDITfQsy+gEV1amlT/VAy4m3AlPXgq5B/LOuotDhWMVzhZJ gBKdSgslvgPTAVOvUAVcxdw7te/BesxRKawphBHzXlQu3Lt+69usUnD0yWPZp27DjZL5+9yH wVtf94h9wTPWsyH3dXB+7ryblgiGLMu9qGXgnqJvNH/x+BZqwfFx48aNGzdu3MPHFTjODxtX 4EjfvHnz5s2bD5dTcP1fPbauwIF52E/9m4puKrqpKCy7sOzCsguFP7GX3V12d9ndMD13eu70 3MJ6Qf83w78Z/s3wx/c8Uz9K/Sj1I+g0udPkTpMhZ0fOjpwdMH3X9F3TdxWOW/rs0meXPgtr otdEr4mGZjea3Wh2o/Cn/bSP0j5K++jhenJ35u7M3Qn5ZfPL5pf91+1YtnzZ8mXLC+1oPqr5 qOajoOyMsjPKzih0mP+7SU5OTk5OLnTcnx367NBnh/51OZO3Tt46eSscH3B8wPEBMGHjhI0T NsLUzlM7T+0MybHJscmxhRHxiRMmTpj4OwcgfkP8hvgN8F6z95q91+yf67ufcD/hfgKcqHWi 1olahQ5u0/Cm4U3D4UbTG01vNIWrV69evXr14XL+7Px9ZfjK8JUBvnV86/jWAY0cjRyNHDCp +KTik4rDxYsXL168CLMqzao0q9LD9bT7qN1H7T76Lz4nj2ldPa55/d/Cv5qqkZeXlXXvXmH5 IA/2/9lUjUDA5/P5fnOcf4s8/1aeOfPFF2PGFJYF7StXjhrVp09h2atX3bplysDmzRMmvPYa zJo1cGDnzrBly8SJr78OtWvHxlosf5RfoPdB/P7fco1V9bdzOB4sJclkMpv/WNpsiYmlSz+8 PHny6lWf7+FyC/Q+bh7ZcTYuMmcYn4DwPqEHImJAe1OfoLhByBdChFQgDZPeENiuVxaWgfCB +Kk0AYRPfNNzZ4F6Ka9OXgiIXwjzzHtB7Sdk6KtAqK1/zUygkj5SiADdTQkEQEIA0PPIwAvC HOYIDUD/BkmYC3qWOs0jgdjJc8XTC+jl9nnXASZmaykgVBeqkAViPektpsL9lVnV0++BuPva U1fTYayl26qhb0KVYxXqt74K1erVebFVO2iV9VLTTv3AMK7Cx4nh8NPKna12rIbt7fZmnd4E xlOBOVoeVGzsCA9vAPEOPcHzHpTym6Jzn4TyT8dcNraFkKS4vmUEkPZa9jm6g29z1qtpZ8A/ zHnR1RuMybIltCzoz5tMkWcgbUPeAK0K3K2SO93XCDK3OcuobSF1e+ZBtwjpX2YPcn0J91pk bMn5FszHzdUkJwi3/WnaMJC7MFkdClHZ1leEyhD9nfULcw1wnJNtahmwnjG9YYwHf4zyOvXB O1S9kZsKuWJgz4lISHstp+a5M5C1I9Dz0nBw1vJ97Y4F6Q47DDK4WwdCPPOBcKm/4R64e/qM ORUhf3tgf/JCSO+Xc+zmDMj4MOdrzz3IWOs0pr0HhhfCrjv6QojgyI7aAo52pq+xQ5gh5LCx AggvK1NN4yD/Qn6C51kwnpDOKB7gKdFOO1C7i3bbWtBmm5v6BoHQ3tY/JxlyLwWKp3eGy/Xv hV6Lg/RIz5l7F6HIyFKdw2ZAscPFWpfuA4IixFv7g7tYfvFAOlhiHYNCXoPQ1TF3YipD+mfJ oXn74Ezska9PCXDzxdyDuWGg1jUMN5wCOms+oQuwWmgi1AbphfDUonGgbJBD4wUQssThwp/4 A/5nKTiPucDxLYgYPXhO8z+jIDXjwVznAjkFcgv0/FX5BQ7M6tWrV69e/cey3oV6F+pdgO1T t0/dPrXwujFjxowZMwbqf1P/m/rfwOg1o9eM/l0E98Hxj0qRtkXaFmlbGMEriBxmTc6anDW5 cNye7nu67+leWB+6bOiyoctgwNEBRwcchfDr4dfDr//77XgwpWaIeYh5iBleX/z64tcXQ8jb IW+HvP34ns+fJfS50OdCn4PZvtm+2T5ofa/1vdb/QnpSwX0XMH3G9BnTZ8C27G3Z27JhiGmI aYgJlpmXmZeZIS4lLiUupXC8cbFxsXExxD4f+3zs8/9c3+ZJmydt/l3OcJMmTZo0aQKN32n8 TuN3Ctu3dNrSact/8RKjPzt/+37Z98u+XwrrBSkwja40utLoCiw6sejEohPQo0ePHj16/FFP 4vjE8YnjoVt+t/xu+YV68qbnTc+bXjjuca2rxzWv/1t4MFXjz5Y7dixZ8sYbheWDPNj/4PUP T9X47Rzngojzg5HnwnH/uL1du6efrl4dHA6L5R9Fgrt3r1evatU/yi/Q+yCFEeff6g+WBRHn v1q+8EKjRhUrPlzuvyvi/MipGsVnR/Yu9gUYbpqPWh2grdCztXIgxHNDvw26Ve8qbAYxgSlK A2CEMM/6HfieypmZdx38xz1S6GEwGgw9pB4gdlYvB5YCa/UweSOwXOype0H4VJ9LPuj79Qv8 CkI/oQvLQI3U22gJIHXVSgpXwTcg/22fAEKKx+m9C4IulzUtAKmVaZ22BoRnZVFuAfoi7Yg6 CgwbvCs9sdAw9Elf++oQft12q1QC+ML92d4BYO8WPaz4CHAYhQYlGkKUN8mt/AQRnog3w56A PX32DNv+EaxKvXQgsyLETPPU0y9AqQthE21twRgv7vZGQZGuYaLaBNY+oVUiD47ZDHVKDQRt d1bfO+sg8FHe+vS9wNtqT70nWKqFNA4/ANoieZ0wG/zP+btrW8B9P29keg4EIn0h+e3AXt3c UhoMkb1sqnkT2M8aDljLgudTvbEeBlF1wxcbJkPEgLDEsFxI+yrje89SsA2WP3etAdNGOVPa B2nFsoTUHZDwbmTfuG6QvsM3NHoopH/pq39lANgjrfUdo0EfL71nViF9jVu7tQ6ExXmx8gkI OW75LrYoSD9Zf3RvAFsFR+vQeSB2U36I+AyMv4p3jMmgTSXJ9RPcqn93QkZZ8L3qTXeuhqKN YxbbS8LNvWlV9JfAnaCsSu8PRXLCW8p9IDBH+cJ8CNwtPM8FwiH7vru/NgMiy9i/LXIOXK8G BlIKbNGmBcZRUKJjzLZyJ6DI7aKflDwEYa+HD49fAv5WgclSQ3DX8lfwhULosfAOEbHguBxd MaIjZD+VvsW5FG6ePhV7fj3ccWS/mToAtGnGyNChwDz1FeEt0Lqy3ncWxAqmxmEmEKZqRwIR oD3tq5B9AKT7Ad0VA5R8PAv1wdSK9evXr1+/vjAi/GfPYy7IbX6QAjkFch+m959R4MAkjUoa lTTqvxjowcPvjiMSjgnHhGNAM5rRDITjwnHhdz+Na/20flq/P4p5sF09rB5WD/9zO8WB4kBx 4O/qC8WF4sI/jtP76f30foAVK9bf2VnAMY5xDOhMZzr/+ef0V+0IVA1UDVQtrEsDpYHSQBDs gl2wgzRKGiWN+uf6HjchK0JWhKwAcZQ4SvwH+v/s/HyY+GHih4nQ7ot2X7T7Ag6/cPiFwy/A oT6H+hzqAxsTNyZuTIRlU5dNXTYVVrGKVf+KwTWoQQ3YOH3j9I2/czgL/mF8kIKUjcE1BtcY /A9SNv7s/BWkUPxh3P9JfflnSLWl2lLtf67nQf7VdfXP5jXI/01hqsY/dmQfp57fy39YqkYg 4PX+fnPgw3hY//Llhw5dvgzLlh05cuMGfPBBy5ZVq0LnzjVrli4NtWuXK5eU9Nv1x479Ue8f 9fzfEecHeViqxvjxnToVL/5w++/cycvLzwe3+x/L/Y+NOJuPuurJTcBQle5SUQB9LreB60Il 4SqIPvk1+TaoCJP1tcAw4ZB+BNT3vTOki+BrJtWMnQXiIGkhClBGO8sC0IcK73EDOK+v0CNB T8dDBLAHJ+dB76rXYT4Y+ksH5e/A0NQ4w1gFpEOOxJi6kLzeN8FYFC4tzhylz4Oc6b5iwhCQ fhRb0waUjcou/04IKRJfvOwPEGqPTiraEbw/KF73fRA+E9sxEJS31EzvUgg8E1jiHQ7aSe+b 6jxI6B1XofphaLemtvR0Raj/WeUKEXkQNqREHUNdUNYYB/g+hhKW6J0RMVAuquwzISegmm4N zakBT4w0SloLCFOiQ4ovA4mwxsVagtrIdyOnLrjic46kTAAuaTWYAqEnQn+JHAWxYxJ9SbmQ eLfo6yWGQKjPVimiFAjXDTPk8hC6P3pBRAAcJssU09eQujetXc5VOLP9Ytm0jyB3szfEvxxs ve0tIrLBPt8m2dpC1Z5JW4svhjI9IuKKRYHBThvfl1AsP+pQiZ+h/KCw7HrvQNFL9oZFvwbb VYvFUg9KJ5Q4X7kFRNjCekUeh4gJoaa4iSBPkaSIcuDpqh7zKKAM1+25e8Akmqebu0H4WvuL hEHCx3EbQ/aBKuKyVoOoN6N+dnwLT54pWybhLISG2z4O7QfSZCFSbgG2UEuypSdY3bZeRiuI zUxtzYch9nZYfNJ8KNO1eEZZGcofqPBMzaZgTw75PvEXyO3mmqznQ84Qr0m5D9Y6kTmRNcE0 PnJ2ZB7k6nf75laBW2ePvXTiBKQeyOpz/TCoEeaqllTQX5GijedBU/RVeisQSgifUwS4r273 1gPF5lvnvA9KJfVZ13VQrDyn7H58C7XAgS1evHjx33+RFPzBf/DV2n+WgusedBwK9Py7cqEb r2y8svHKwvpHmz7a9NEm2Fd+X/l95WHChAkTfp+L17RJ0yZNmxTWC3JwUzembkzdCKsar2q8 qjHcHXt37N2xj8/OZ4Y8M+SZIYX1mS/PfHnmy7BAWCAsECC7c3bn7H/BYf6r1D5R+0TtE4X1 zw58duCzAzD3yNwjc4/899nxZ/mr8/Om7U3bm7bCHOfqR6ofqX4EBtUeVHtQbbC+aX3T+uYf I6zCQmGhsLAwV7ggxeBhXAm9EnolFK6/c/2d6+8Uyn/wl5GCiHDK2JSxKWPh7Ndnvz779b/+ PJ5Z+szSZ363CfOTfZ/s+2Qf7Oy6s+vOrvDq3FfnvjoXVlxecXnFI2yefdR1FeRfozB14q9F nJs0GTjw228Lywd5sP+Pcv6xox4I/HYs3IOnXjzIw9p3775yJTW1sH/x4gMHrlx5+PUFZYHe P44r2Bz4j1MqZPm31IwHy717r19PSYHz510uj+ePZX7+b+c1PzxV4z90c6Dt18ixcYtA7yDV MVwCcTljeR+UFP/uQC/wPeFZ5a4CpldCsX8GxmLCaP0MnJ1zLTezD4Q2TOqe1BqMo5mhDQPv h0JbcQEIP/Oz7gP9HY5rySDOELpLh0GowkZhNehnqUUZcL7mzMu5BqtnrDm7wQK+z1VzxHao tu2pNvW3gV7EcJddIPWQ0+SzIEZr25QSoPUTTxh6AS9TS/gcAk/5b+hnQfRLrdkOrNe7kgnC Ct4SJwNzxST1ZaCINli2QqAHaeJbIK5MfKdqCah8WPzAvh5KvG5acHoWZJUKT80ZCeKFvKMe G4ifJL77hAcqjam0N3ABElenpTmnwqmkLJ+yDs7MFS/b34E75c1Nku6AdjNvZ9oo8HXKbJra H7Si9i9Dt4L9vZAvQxQw/WxpakoE8RP7V/YzoAWUTv6mkLY9J1roB65invNqLrhm6C8adoIY I5dUbwBDtS/1KLjzWtrpDC+wSX3NEAphzUOLW86A8qJ0xrcfSm0L6VP8BZATDPMiikLeGZfH sxj0GcJW37tg3qINDNsJtNYaMwBMk+T24ldgvESriDQw9LX1zbkInu89UtZFyDTmduYLUMf6 JyafhzKlYmLLByB0vLQv/hWwrQubgQ+USq5TTgnuj0hWXaMhrZcz1WUB88tm1XQaxKbCTvUI ONLMk209ILRcRL2QeWAf6zCErQDzh/aZlorgy/eVFHaD8wPnIL8A0rumd0zhEKnGLo5ZAubO 5p2GUZA/8Xav1E8hfc3NfldNkNckV7tVGjwYDeGfgTqUMcbXQZ+izVF/+/wNUi+Afkc/pFcC bQSxemUgQshS14FoJ9r4NvAsLfVq/2eRtH98C7Yg97jgfObc3Nzc3NzCekH5sMjyPzt140E9 /y5e9rzsedkDft2v+3VYN2LdiHUjYETGiIwRGRB9K/pW9C0YWGxgsYHFoEegR6DH776Qh9uG 24bbYKZ5pnmmGb4b+d3I70ZC9O3o29G3IY000h6Dnb2r9K7Suwrcf+H+C/dfgC0Tt0zcMhGK 7S62u9huiJwcOTlyMmRuzdya+W980U1/vb/eX4d7I++NvDcSNqRsSNmQApUiKkVUiihMUShw VP9u/ur8FDiw01dMXzF9BYywjbCNsIF6SD2kHircjDmi+IjiI373j2OH9A7pHdLhx24/dvux W+GmwYdtYivYVMl5znMeWn3Q6oNWH/wxVaRgs93nfM7nwJZJWyZtmQSVvq30baVv+cv07du3 b9++4JzpnOmcCZt3b969eTdsvLXx1sZbUNtf21/bX7j58V/lUddVkH8NVf3tFdIPc2T/dbn/ tbwCvQ8SCPj9fj9I0m+nZjyMglM1HuTChbt3f/9ilQfrD7u+QO8f7fkt8vuwxAmbzW63WMDn U5Tfj9i+/eDB5GTQtEAgNfWP1z3xRFKS2QzVqj355D8K8BTofdwIBw8ePHjwoK7XqVOnTp06 f12AG1eD7JrAZcNJe1cQsvhQqwJaPf8X/kPgi3F38/jAZgyfG7EI1Mv6W74+cH7K1sjjPaBk ZJ3R1a+D9dXw44ZBoJ5XM/Uk4Kjq1LcB2/QV6qsg9DQ8aSgH15PuJp9bDsU3x9QqXReUPko7 PQ72ZOx1HqkOzl9dFjUSaOX4vmh3KJlZylfkFyh/L36dIRmsXaxF2Q9qebWFeA+kDsI4ToJS Xt3s3QOiX+guHwXhNamSOAv0t7X20j5gjfiJFgD9OQQhAcT9uqi8C/4azgp5HcCYYmijLgT1 BdfkjDdAm5/xcuZ3ILkip4d1Bu+dzI33HaBPTp+a/gZIu2SdFeBNle540iAr6frOnHRYfW1P ifst4Piw7J+kdPAv8Y7Lmg3+THeL7MkgVJNHWi5D2JshdSI2gePt0A3mjWByGF7T7wED1e5+ GbwVXeu934Iv27898Bkoy/SL2jDwx/qvetPBN9BlyTkAZqdlnXUwRGRHvhH2FnjvuMd4u4Kn mDvL+TNkVs3KSW0M6nRho/M2aO2Fly1FwdnZvz07HULyHCvEKuBPc28TPoTc+u5cV08olxY/ ruhnIF8QoyyV4WZ4xs27R8FQV95u6QVRa8LU2PYQucd83lQatD36KKUL3B10Z5h3G2he4yDW gWNCqGQVwPyK/I31JsTkxm+wKRDRPLJ4VCYYBpmvhZwD7QNlt+FNcKU6yyv54M1UNwSGg0UJ Oxd2DEKXhc8JuwdiRe1nww5wRt3Pud8ZfN9kD7iTCh6f8nnuZMj2u94OHIC8bfqosK6glxbn mY9BYAIzpOfAd195n9cg0CvQPdAaAgeUlb7ToMwIdPKeAxaq9zxTQaqkL/H1hGOp+z7dcOrx L9wCx7bg9IACB/pfJTQ0NDQ0FIYNGzZs2LB/v+Mc5K9R8MtASuuU1imtoU18m/g28YW5zS/t eWnPS3sK6xvbbmy7se3fbXWQIP87qFz5+eenTYMqVWrWLF/+X5fzzTcffti6dWG9e/cPPviv TpU4ffro0QsX4MyZjRtHjixsj47u3HnKFDCZihWLjy9sT07++ONXXimsFykyYsTSpQ9vf5B/ Ns7nu3373j1IT//++3ffLWwfPPjo0Rs3oFKlhASr9Y9y09Lu3zcY4MSJe/f+yj8efn9+flYW tG5dv35o6B/7z55NSXG7Yc6cmjVLlPjzch/GoUOHDh069Bgizprq+dHbHwzfGptajoDWRvtY 7whyWeO3huogLzEp5kRQQ/Th2vfAEs96/wRwfO7Yb9sFxi8s8w29Qdws1RVNID4hXBSeBa0t L6o/gBQtZxheh9S87Nkp+XD9jesLDm2B4m3iusQ1gcwv3LXdg8DpNE0wvQTFVpZZWLEo+Iu4 38INt2bcf9k1GBLc4X3tN8F6xF7WkA16LW0wQ4HjenP9PIgThYWiH4QlYif5C9CL6l9oU0Dr zw/eLKCiuk4dDtJi8YRlJOhHxEHGeyDPdqyLjALNr7YLhILewTBNXQnKQktVZ3OQ21ruxL4P 5rDI+ubZQM+YxNJ9gcmONjGTwXJPMsvRELG4+izvEXjjdI33zn0Hvy7bc+HET7Buzv4y6ldw 7zXT6dAkUA7ldUrfB9kHMivffx+8ee6NlsUQvi3sZkR9CDsdWtZuA0uLyFuWfNCf0ZeoA0Df oHj9q8FfxTfOtB1cwyz1DKfBdF6OlQZB5sXsL73fg/dZZXfgXZDPG8cHjkHOEm+f7CFgbWPe Y5kI9kjLOts9MB22tPO1BHmNYZy2BVx38kLcMyGsWMTMsCTIr+03+o5Azor8jjm9QTgsjRA3 gfELwwTDy3B5zM2G13LA9pr1kKEdhG4Ja2T0Q9SoYheLrIfIaSGR4U0h/HaYz9EJTDNMzlAd DOVs2+3jIGAIrJCGgWt87k++JyF/ne9i4HmQzNYcw1gIPxZzNVYCyw7rIYcJlFfyLnr3QUb2 ndu3hkLGmrtVLqyHQLzeOG8eaJ/o7wjvQ36Su6r2DTi7q3JeDQhka0W0peCvpn6njwBlm95B fwLU/UpfdTP4qwfeDESCPl7bqk4F/aTaN/AMqIFAE9/7j75QH0aBY1vg6BY40AUO1q1bt27d uvXw6wtSMQo2CRbICb5R8D+TgmPndn2z65td30A/+tEPYDrTmV54XNubmW9mvpn5d1sbJMj/ LjTtt8hwfn5WVn4+mExW6z865/iv4vf/45xhn8/t9vkK9T5IIPDbm/N0PS/P6QRR/Meb/P5q CsfDxmmax+P1gqL84zcD+ny/2Zmd7XYrCoSGWizy77zPUqWiojye386HDgmBCxcyMwUB/ut4 OTz9dIkS8fG/RbLd7sL23FyPR1EK9T5uHtlxVia78vWfwFAv7BsxDtSl/o1qTfDN0ucHloGx oakJMSC3lhsaEsFzKPCVrxmI54Ul2hwwLDN3NrwD98fcv31zHSjblV/934MJ6Su9JziO2oaG H4T8p3K65fnA/qr5WsQYMJU2r7cPhKhw+2ZzBDhXO4uc0eDKipR2uV9CYoXIGVFpYNtheUmt Dynfpu31l4FijcKLmE6B2lTwUQSU0UrJwGEQJoltxUZAURYKYSBs5768EnSb6M4eB0JtaohV gUjFqT4Lyl2nK+cpMDS2Ny3SGtTKwj31EshOx/W4GmA4aw+Lqwzas8oRZzaobbwH8yuAsZ65 XvTPoO4wrLY9C+rn2su6BJpVftl8GGzVyx+r/x48X7Z8n6f7QLmJZapt+BoWdP3hq8N14fJW q1zqJHgrupplrALPwPxrubHg35G28e4QcM3P22weD6FfOvKjoiEkOWSF6SDYLltfMX8Hoe+G fORQIOp8VC01DfxnPWtcz4JBsSXmlYPAbqWvWBqURK+mbwL505L5xTpCXp/ct7wamJoY3jBX A+muuiYkFdwGd03/ArDvt/QXSkH8jxEVo0+DHcOzCZMhbbqxVcorELLLfsA2EaL2hayK3g3O TkXf9vQBwyzjNXaDIyXcausHlmtmZ9hXYGwom+2DIeDXtktPgb9owEQM5OSkf+F9AQJfqzls Be1XYxdze7B8FTrS8i7Yq4avjXgepGK+g7ggt+HN4+kbwNUu635yb1DOKgvTPwZbF/uX2nzw bVGuWBaAt6x/j78b2EVLknYIpPWBee6i4PtQqaCXBr2+XIF8UG5rfdVQ0J8yxfEhKH11k/40 aMe0TZoIwiXBYPSDIior5Ef4yfXPUuDoFjjSDx4jV3COawEFuczVqlWrVq3av9++II+Hqq9W fbXqq7CUpSwFGMIQhjyq1CBBgjwOnniiVKmICLhzJyUlIwPi4hISoqIenwNdQIHDfP/+b3oK 9D5IxYrFi0dEwOnTt25lZoIohoaGhEBY2KBB8+f/cfzD2v/ZOF33eDwe0LTc3Lw8qFKlePHI yD9eFxpqNMryb6/m9vshIeG3BIqwMItFkiArSxQlCYoXDw3Ny4O6dRMTbTaQJEEQ/4udeLdu /aY3P1/XZRlycjweVYWUlNxcv79Q7+PmkVM17jW4+O6NLRC5/okpxUZAIN3TSS0BSqYaGxgF pt7GlobjoMuKy2eD3JG7ux4KgbxZ+ldyVShy+bmqz7SBbE+O51598C1XhimjwZRt/EasBmff uJzwawrkXlJfy38ZypSKXl6qKySokWsq5sLpThecx/Pg3Pt3/RcuwcUzd09LdaDKmxU/avkC 1JlQKbPYaHjiWNQGoSUIJQ0dxWIgbtS36CtAn6I1U2+Dniq2EdJA7CYUNzQGIVXcoz8Pqabs 65cGQHoX76wbZSFiWES7kF6gfep0ZU+BcIvJWfEDCJ3j6FWuHvjaaRXcF4APBFmUQdhFitwL xC+0iMAwUGboP2ttQNTFqoY3gEQ9WksF4St9nn4a1HS9gZAAVGSfFAW2LyxV5EawKnRGn0/u wrq2R403+oCeYJsedRHck72NA/VAXe8ukfsr6Bc9M/OugShrp/xLwfqenCfNAPMuexd7Pjgs Dot1NoSMsL5kPg3m6WaTQQbDCHmU+hxov5KiGcBfWv1Y8YJ+UiuldAdtnnY60A0CJuVpVQNP Ne/r/tEgrJSThedBmivEiTVBmiYsEC6BtkBrIQhgcpveN+4BbaPQXPsFTFXEZ4wvgSHf/JP1 SdDCWSOcA21SoKGYCt7K3mZaeXDu9RbzByAwKrA1kAFqPWmR8BZIMcYjtuNgHG8JN+ZDdJmQ uhagiC92kO0S3AncfyPjZ8hXciqkfwHZtVMTLnaG3Pw0j386qMfYFPgV5DiljZYEoklcaWoA rDaa5QiQPxTXSUVBf4d3pHfAP0Ety7ugf0K+PhYQaCScBD1B+EVcAXwgbpHmgy5rp/RaoL0l 3BB3gp4hnpOnwY/dfh75/bbHv3CDBAkSJMh/BllZOTlOJ/Tu/c47X38N589fuZL2ODZZPIQK FcqUiYmBxYunTn35ZYiICAv7/ZtJ09Nzc51OeOGF0aMXLoSTJ69c+UfnRD8uqlUrUyY+Hn76 aeLEfv0gOjo09Pf2ZGf/Fjv+4IMzZ5KTIS3tt8jzv4uYGKtVluHDDytXLlIEwsMfjwP92FI1 5HGO74xrITA9p26+G/RXsr/N2QXCeFeKywr66LLzSrUEtbS7j3s5OItvPvfr2xBmfvHtdvkg 7LMkCMchYaLxlaIDIHuQu0qeHU5kHNcOzABLWaMx9CXw7LOt0W9B1A5ryfiGYHjHWC68LuxI 2xV+pzfcGyH8cLczuCOkdYEbsPXYrvPfXwBfJz9dv4ZSiY3XF68HFpfpPD1B3a+9LnpAOCXe FeaAOFLYI3UELZcP/QkgL6Ce+Qy4a+f5svrD5dVXeh4vBcphfbphPugLTcM1H0SfiohMvggV txf53JcE0cnWxom7AIs42OAB/RsRrSEwSdgshoAALY2tQPhQr65WAH0dPdgAbBeWChNBDBdu Uwy0mXRSAhDQlCLaQRAq+nPzdRA3ZDS5DsjjtLnq+yD3MXe1bwDthbASkZdA+SWkasRVUHv5 Bef34O/v25zfAZTowBitJgQ2ZE3Lugg5zqxn5PZgqm/8UHwHzBbTDkt7MFUyDDeVBjHcNE/a ANINSZYPglTXUM66E4x75CZiezCYQ/YSAGSe01JA8DJBXAJCiC7pG0Brqt+iLChD9VStD6jl lEgWQX5zpQyvgG9tTh9vLHh7B6YoIgTEQAnlAqhH2ctZkNeYks3zwLjUusI2FYwdzA2sByFu lH25cSnU6FxuZtQaqPFdzZcrz4C4z5Iul5oCm9/dOuvrkpD6Rt6km6WheoOavrZtYPWmNfd+ HgL6Zs+rhpLQ9Lsqteqnw5W4sx0yysKxb4+VO18B7izKisgaA77nlcFKF7CMNS0z9wL5mOFV Qz/QKqpF9HdBraV9qZwA/WthgPgtiM317mIoaJf1u5oBtOP6PnUU0O3f9+UQJEiQIEH+fgoc 1/Xr589/7bW/25pCx/XQoc8/f/PNv9uaQsd19ux/vInv/zUe2XG2zFcm+1tBYPnNvHvrgUhf C08V0J7xFvG/CMbdQpuSa4BQ1yzXz8AW//XAEjB9EhMZUg0My5kmb4TMt9xrMwQ4vv748H2z IGGmcVvcW+BKNjd3hUNYmjDCkQixm+JKFO8Fp05d+zJNBPF0yODEBaAvylyTEgpFi5QfXqUt pNS43ufKXLiw4Kr3WgYc2ZLUPiIBnutScaa9FwRWBZb5JoG8zRRheRbUw9p6bwoIp4Q5pqJA X72MEA6GDywTTbsgpkQFrQyQfPiU58owKLVbiohbCfZLrkhLW7iWunn3qjiwzy2dVq0NCOuE jlIS6LdZL7cHw4ii28t0Bfmd6OwST4O+XW/IPGCF0JNs0Bfq59FBSGYUR0GsqUcLpcDQUE9Q PwDha22x2hVcXzmfzLwP8qvKbk9pEDuZdzs2gBxj2R8RDcY8y4XISyDWsMyx/Qimn0Pd4QJo U5z9s2LBixKrzYXA+/o9LQe0Q3pxTQdnc89az3EQX3b58y+DIqm79ItAc93NGRBWCWfESWBc yBPCedB3in3oA/qrwiLBBUJDFgsJoM/nJ3E16JOEhYSA1l9/VtkHepjwnlgG9NeEovJdENZK 2+UWIJ00HDMcBPlkSIOwW2CZZplm+xnMDuMa80GIy7S6tZ1Qo2nx2hY7VGtVu0rVZyBud1m5 hgTKIuGcORoCJ/WZ7ISG79Z3dxkHziLOQKN3IaJXwmulP4doS/eFZfeAfaGjTBkZQi+F9S7+ HlTIrDntbj9I2lq967mh8L17+a0Nt8H/Xn7OOQ8kd0z9OrsiqD3FaZITjA6zZj0KhkRpiWE+ yGZpofgM0A2n2Bn0VWq8dga0gcpx/TMAytHo717mQYIECRIkSJDHwSM7ztIG+Yh0GnS3o77t RxA2xaTFjgKhAxeETKCS7JebgG/5nbjrN0DuEvVq+BiQ34+JiP0WPCGB+/nVIW90XvK9QVB9 a+W6dRdCdP/w6fE2OJB+vvGG0RAebeseMwn0dvJ1w5twbuDx6jt2gXGmtW3xxVB8pu3L8tFQ a1vZq0/Z4EKDyJ4lAeF59UvtaaiaUdYTKYBvtOvZ9PdAeMvTOKslaKtk1VYcxOXW/jYf6I0M ecYfQLpk3ihGQ8rAE/LVSpByNve9C+3AtiD+Q1MWRKRGNU6aCeXfr+xrOQQ85orV7vpBT86q da8I+Bbc63zjB9CTXO/lVAVVCi/vWAuGZyPio/OAJ4RhodWAs/RT5oH+POcYDZwimZWgtRR+ 5EPwfeLvoDcDX75/A07QBsh3DZ3BezuwyL0MMHgPu7eDkJe7KvMXMOWbsu/bwNrSPibMD8W2 FEuMSoH20X3rN6sC99Pv3c5+CW6vuBZ/Nx9u988Y7OoJmZ+5SwSmQv5J/0KhDrhz9HPKSRBa q5H6SAiEqmjx4D6hpmvdgSeEcfp60KOFPcwD1vIhmSDGiEPFp0CMMnxg+AGEDVKk4RuQ1xla GxuANEPOkCeCPMLgMb4PhiTxLXk5MJ7OPAuGaNUaSAdtWkbD+9XhueLPdyjVHJ5+tg3tS4L3 PbF11E3wzQ+M9UaDflj8wtcMxFjpstgZpBfNYbZFEDVKrmDJB30MVc2LIbFY0b1NxkHApExV toI/03/ZfxyM79t2m1tA4Lw6OKwtPP1q9XZVfBA/Jyyj2KuQfNC9TX8Jtp/b8uleF6TMyXzj 7i7wmA1n5fVgEZSvTMfBtNJU07gBxEPiPvEoyBGGJ+Xfjs8JxpyDBAkSJEiQ/yE8co5zkCBB ggQJEiRIkCD/kynIcX7kNwcGCRIkSJAgQYIECfK/gaDjHCRIkCBBggQJEiTInyDoOAcJEiRI kCBBggQJ8icIOs5BggQJEiRIkCBBgvwJgo5zkCBBggQJEiRIkCB/gv//OLqC3YJBggQJEiRI kCBBggT5I/8fGIb3tyeqXWgAAAAASUVORK5CYII= --------------060806010707000809090802-- --------------040604080902070705030802-- From nobody Thu Apr 3 09:29:34 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF4F61A0264 for ; Thu, 3 Apr 2014 09:29:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.411 X-Spam-Level: X-Spam-Status: No, score=-2.411 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_EMBEDS=1.799, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VfZK6DlsMu7I for ; Thu, 3 Apr 2014 09:29:22 -0700 (PDT) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 72F391A01FA for ; Thu, 3 Apr 2014 09:29:22 -0700 (PDT) Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s33GTFpA025108 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 3 Apr 2014 16:29:16 GMT Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s33GTD1f029051 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 3 Apr 2014 16:29:13 GMT Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s33GTCLQ009446; Thu, 3 Apr 2014 16:29:12 GMT Received: from [192.168.1.186] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 03 Apr 2014 09:29:11 -0700 Content-Type: multipart/alternative; boundary="Apple-Mail=_85E98450-AA91-4A33-9841-EFC933701315" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: Phil Hunt In-Reply-To: <533D7D1D.3020103@aol.com> Date: Thu, 3 Apr 2014 09:29:09 -0700 Message-Id: <299C4586-EF50-4715-8EC4-49A6D785BE48@oracle.com> References: <533D754F.6010909@mitre.org> <533D7D1D.3020103@aol.com> To: George Fletcher X-Mailer: Apple Mail (2.1874) X-Source-IP: acsinet22.oracle.com [141.146.126.238] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/8o1e8BLZfltKJDWzbv5_NIq5o-s Cc: OAuth WG Subject: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 16:29:30 -0000 --Apple-Mail=_85E98450-AA91-4A33-9841-EFC933701315 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 I think there are two broad cases to consider: 1. Assuming each client =93instance=94 gets its own client_id (e.g. via = Dyn Reg), my concern about changing client_id is you loose track of the = client software=92s relation to the user. In many cases it is more = important to track the software and its relation to the user rather than = the fact that it updated. In these cases you might want to keep = client_id the same and track versioning somewhere else (e.g. inside the = client assertion or database). 2. If however all copies of a particular class of client software = received the same client_id (e.g. because client_ids are issued to the = developer), then you may wish to force a client_id change with each = version. This allows differentiation of versions in use, etc and would = seem to represent a good way to do things when dynamic registration is = not possible or available. Depending on the model (of client_id management) you go for, the reasons = for voiding tokens and/or refresh tokens are likely different. Phil @independentid www.independentid.com phil.hunt@oracle.com On Apr 3, 2014, at 8:24 AM, George Fletcher wrote: > Comments inline... > On 4/3/14, 10:50 AM, Justin Richer wrote: >> This is the question I had. The spec says not to share refresh tokens = across clients, so it all depends on whether or not you consider a new = version a new client. I've usually seen client_id stay the same across = versions, since it's considered "the same client", but you could easily = consider the new client_id an alias of the old client_id and consider = the two of them flavors of "the same client".=20 > There are times where you want to track the change of semantics within = a client. But yes, as Torsten says, we could treat the new client_id as = an "alias" of the old client_id and issue a new set of tokens (refresh = and access). I lose the ability to do the "sub" check (though that could = be an additional parameter on the refresh_token call). Note that it also = requires the client to be able to handle getting both a refresh_token = and access_token on the response. That would be good client behavior = anyway. >=20 > And I agree that at token exchange time, the old refresh_token (and = it's access tokens) would be revoked. >>=20 >> Another option is to put all existing refresh tokens into a = one-time-use bucket when the upgrade happens, so that the client gets = issued a new refresh token the first time (and last time) it uses the = old token with the new client_id.=20 >>=20 >> -- Justin >>=20 >> On 04/03/2014 10:43 AM, Torsten Lodderstedt wrote: >>> Hi George, >>>=20 >>> if you want to effectively preseve the refresh token, why doesn't = the AS just treat the new client id as an alias of the the old client = id? >>>=20 >>> regards, >>> Torsten. >>>=20 >>> -------- Urspr=FCngliche Nachricht -------- >>> Von: George Fletcher =20 >>> Datum:03.04.2014 15:43 (GMT+01:00)=20 >>> An: Torsten Lodderstedt ,Phil Hunt = =20 >>> Cc: OAuth WG =20 >>> Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after = software update with client credential change=20 >>>=20 >>> Hi Torsten, >>>=20 >>> We actually have the same issue. Deployed clients in the field where = we want to update the client_id and doing so invalidates the existing = refresh_token stored with the client. =46rom a user experience = perspective, this is a pain and from a risk perspective I think it's = fine to effectively do a "token exchange" from the old refresh_token to = the new one (with the appropriate security considerations in mind). >>>=20 >>> Andre got me thinking about this and here is what I'm leaning = towards implementing in our system. >>>=20 >>> Use the JWT Client Assertion flow requesting an authorization grant = for the existing user. The JWT would contain an "iss" of the new = client_id, a "sub" of the userid the client should already know about, = an "aud" of the Authorization Server, a short lived "exp" value as this = is effectively a one-time token exchange, and an additional claim of the = old refresh_token. Maybe an additional claim with the old client_id as = well (still thinking about that as the client_id is already associated = with the refresh_token). >>>=20 >>> This allows the AS to do the following checks... >>> 1. Make sure the assertion is being presented by the new client (the = level of surety is based on the risk associated with the client. If the = client is provisioned with additional keys some how that's much stronger = than just using a client_secret which, as you point out, doesn't really = prove anything). >>> 2. Verify that the "sub" value in the JWT is the same as that = identified by the refresh_token >>> 3. Verify that the client_id defined as the "issuer" is allowed to = make this token exchange call and that the client_id in the = refresh_token is one of those being replaced >>> 4. Verify the audience of the JWT >>>=20 >>> If all the checks pass, then a new refresh_token can be issued, with = exactly the same scopes as the "old" refresh_token (no ability in this = flow to change scopes). The semantics of the refresh_token (e.g. authN = time, expiry time, etc) need to be copied to the new refresh_token. In = other words there should be no way to "extend" the lifetime of the = refresh_token via this mechanism. It's purely a token exchange to = provide a new refresh_token mapped to the new client_id. >>>=20 >>> Interested in feedback as to the viability of this. >>>=20 >>> Phil, I agree this doesn't need to be standardized, and I would like = to see the community start collecting some "best practices" to help = others that come across the same use case. It will ensure a more = secure internet for all of us. >>>=20 >>> Thanks, >>> George >>>=20 >>> On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote: >>> Hi Andre, >>>=20 >>> I would expect the AS to treat a client with a different client id = as another client. So the new client should not be able to use the "old" = refresh tokens. >>>=20 >>> Some further questions/remarks: >>> - if you utilize refresh tokens, access tokens should be transient. = Right? So you don't need to bother >>> - public client means w/o secret - there is no security benefit of = having a secret for the type of client you described (see Spec section = 10) >>>=20 >>> Regards, >>> Torsten. >>>=20 >>> Am 03.04.2014 um 00:51 schrieb Phil Hunt : >>>=20 >>> I don=92t see a strong reason to standardize behaviour here. But it = seems like a change in scope after a client upgrade is a good reason to = expire existing tokens and re-authorize as well as simply expire tokens. >>>=20 >>> Some may choose to be very conservative and always expire tokens on = any client update. But I think that unless there is a critical security = due to the nature of the client and/or server, there is no reason to = assume it is necessary beyond =93good practice=94. >>>=20 >>> One good reason for expiring tokens is that you are forcing the = client to re-confirm it has the new client credential and it is still = valid. >>>=20 >>> If you revoke tokens and refresh tokens, your authorization and = authentication system might inspect browser cookies that hold the = previous SSO state and/or previous authorization state. Thus you could = avoid re-authenticating the user and simply ask about the new scopes. >>>=20 >>> Phil >>>=20 >>> @independentid >>> www.independentid.com >>> phil.hunt@oracle.com >>>=20 >>> On Apr 2, 2014, at 1:37 PM, Andr=E9 DeMarre = wrote: >>>=20 >>> We have a mobile app which operates as an OAuth 2.0 public client >>> (w/client credentials). It uses the resource owner password >>> credentials grant type for authorized communication with our = resource >>> servers. >>>=20 >>> We are working on a software update and want to change the = registered >>> client_id and client_secret for the new app version (register a new >>> client at the auth server). The problem is that after the app = updates >>> on users' devices, it will inherit the app data of the previous >>> version, including the access and refresh tokens. >>>=20 >>> Since the token scope issued to the new client might be different, = we >>> know that we want the new app version to discard the previous >>> version's access tokens. But what about the refresh token? >>> Technically, the new version of the app will be a different client, >>> but the core OAuth spec section 6 says "the refresh token is bound = to >>> the client to which it was issued." So what should we do? >>>=20 >>> We can program the app to discard the previous version's refresh >>> token, but that would inconvenience our users to re-enter their >>> password after the software update. >>>=20 >>> I'm tempted to allow the new client to use the refresh token issued = to >>> the previous client, but that violates the spec. >>>=20 >>> Does the OAuth community have any insight here? Thank you. >>>=20 >>> Kind Regards, >>> Andre DeMarre >>>=20 >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>>=20 >>>=20 >>>=20 >>> Hi George, >>>=20 >>> if you want to effectively preseve the refresh token, why doesn't = the AS just treat the new client id as an alias of the the old client = id? >>>=20 >>> regards, >>> Torsten. >>>=20 >>>=20 >>> -------- Urspr=FCngliche Nachricht -------- >>> Von: George Fletcher=20 >>> Datum:03.04.2014 15:43 (GMT+01:00)=20 >>> An: Torsten Lodderstedt ,Phil Hunt=20 >>> Cc: OAuth WG=20 >>> Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after = software update with client credential change=20 >>>=20 >>> Hi Torsten, >>>=20 >>> We actually have the same issue. Deployed clients in the field where = we want to update the client_id and doing so invalidates the existing = refresh_token stored with the client. =46rom a user experience = perspective, this is a pain and from a risk perspective I think it's = fine to effectively do a "token exchange" from the old refresh_token to = the new one (with the appropriate security considerations in mind). >>>=20 >>> Andre got me thinking about this and here is what I'm leaning = towards implementing in our system. >>>=20 >>> Use the JWT Client Assertion flow requesting an authorization grant = for the existing user. The JWT would contain an "iss" of the new = client_id, a "sub" of the userid the client should already know about, = an "aud" of the Authorization Server, a short lived "exp" value as this = is effectively a one-time token exchange, and an additional claim of the = old refresh_token. Maybe an additional claim with the old = client_id as well (still thinking about that as the client_id is = already associated with the refresh_token). >>>=20 >>> This allows the AS to do the following checks... >>> 1. Make sure the assertion is being presented by the new client (the = level of surety is based on the risk associated with the client. If the = client is provisioned with additional keys some how that's much stronger = than just using a client_secret which, as you point out, doesn't really = prove anything). >>> 2. Verify that the "sub" value in the JWT is the same as that = identified by the refresh_token >>> 3. Verify that the client_id defined as the "issuer" is allowed to = make this token exchange call and that the client_id in the = refresh_token is one of those being replaced >>> 4. Verify the audience of the JWT >>>=20 >>> If all the checks pass, then a new refresh_token can be issued, with = exactly the same scopes as the "old" refresh_token (no ability in this = flow to change scopes). The semantics of the refresh_token (e.g. authN = time, expiry time, etc) need to be copied to the new refresh_token. In = other words there should be no way to "extend" the lifetime of the = refresh_token via this mechanism. It's purely a token exchange to = provide a new refresh_token mapped to the new client_id. >>>=20 >>> Interested in feedback as to the viability of this. >>>=20 >>> Phil, I agree this doesn't need to be standardized, and I would like = to see the community start collecting some "best practices" to help = others that come across the same use case. It will ensure a more secure = internet for all of us. >>>=20 >>> Thanks, >>> George >>>=20 >>> On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote: >>>> Hi Andre, >>>>=20 >>>> I would expect the AS to treat a client with a different client id = as another client. So the new client should not be able to use the "old" = refresh tokens. >>>>=20 >>>> Some further questions/remarks: >>>> - if you utilize refresh tokens, access tokens should be transient. = Right? So you don't need to bother >>>> - public client means w/o secret - there is no security benefit of = having a secret for the type of client you described (see Spec section = 10) >>>>=20 >>>> Regards, >>>> Torsten. >>>>=20 >>>>> Am 03.04.2014 um 00:51 schrieb Phil Hunt : >>>>>=20 >>>>> I don=92t see a strong reason to standardize behaviour here. But = it seems like a change in scope after a client upgrade is a good reason = to expire existing tokens and re-authorize as well as simply expire = tokens. >>>>>=20 >>>>> Some may choose to be very conservative and always expire tokens = on any client update. But I think that unless there is a critical = security due to the nature of the client and/or server, there is no = reason to assume it is necessary beyond =93good practice=94. >>>>>=20 >>>>> One good reason for expiring tokens is that you are forcing the = client to re-confirm it has the new client credential and it is still = valid. >>>>>=20 >>>>> If you revoke tokens and refresh tokens, your authorization and = authentication system might inspect browser cookies that hold the = previous SSO state and/or previous authorization state. Thus you could = avoid re-authenticating the user and simply ask about the new scopes. >>>>>=20 >>>>> Phil >>>>>=20 >>>>> @independentid >>>>> www.independentid.com >>>>> phil.hunt@oracle.com >>>>>=20 >>>>>> On Apr 2, 2014, at 1:37 PM, Andr=E9 DeMarre = wrote: >>>>>>=20 >>>>>> We have a mobile app which operates as an OAuth 2.0 public client >>>>>> (w/client credentials). It uses the resource owner password >>>>>> credentials grant type for authorized communication with our = resource >>>>>> servers. >>>>>>=20 >>>>>> We are working on a software update and want to change the = registered >>>>>> client_id and client_secret for the new app version (register a = new >>>>>> client at the auth server). The problem is that after the app = updates >>>>>> on users' devices, it will inherit the app data of the previous >>>>>> version, including the access and refresh tokens. >>>>>>=20 >>>>>> Since the token scope issued to the new client might be = different, we >>>>>> know that we want the new app version to discard the previous >>>>>> version's access tokens. But what about the refresh token? >>>>>> Technically, the new version of the app will be a different = client, >>>>>> but the core OAuth spec section 6 says "the refresh token is = bound to >>>>>> the client to which it was issued." So what should we do? >>>>>>=20 >>>>>> We can program the app to discard the previous version's refresh >>>>>> token, but that would inconvenience our users to re-enter their >>>>>> password after the software update. >>>>>>=20 >>>>>> I'm tempted to allow the new client to use the refresh token = issued to >>>>>> the previous client, but that violates the spec. >>>>>>=20 >>>>>> Does the OAuth community have any insight here? Thank you. >>>>>>=20 >>>>>> Kind Regards, >>>>>> Andre DeMarre >>>>>>=20 >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>=20 >>> --=20 >>>=20 >>>=20 >>>=20 >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>=20 >=20 > --=20 > --Apple-Mail=_85E98450-AA91-4A33-9841-EFC933701315 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252
I = think there are two broad cases to consider:

1. = Assuming each client =93instance=94 gets its own client_id (e.g. via Dyn = Reg), my concern about changing client_id is you loose track of the = client software=92s relation to the user. In many cases it is more = important to track the software and its relation to the user rather than = the fact that it updated. In these cases you might want to keep = client_id the same and track versioning somewhere else (e.g. inside the = client assertion or database).

2. If however = all copies of a particular class of client software received the same = client_id (e.g. because client_ids are issued to the developer), then = you may wish to force a client_id change with each version. This allows = differentiation of versions in use, etc and would seem to represent a = good way to do things when dynamic registration is not possible or = available.

Depending on the model (of client_id = management) you go for, the reasons for voiding tokens and/or refresh = tokens are likely different.


On Apr 3, 2014, at 8:24 AM, George Fletcher <gffletch@aol.com> = wrote:

=20 =20
Comments = inline...
On 4/3/14, 10:50 AM, Justin Richer wrote:
This is the question I had. The spec says not to share refresh tokens across clients, so it all depends on whether or not you consider a new version a new client. I've usually seen client_id stay the same across versions, since it's considered "the same client", but you could easily consider the new client_id an alias of the old client_id and consider the two of them flavors of "the same client".
There are times where you want to track the change of semantics within a client. But yes, as Torsten says, we could treat the new client_id as an "alias" of the old client_id and issue a new set of tokens (refresh and access). I lose the ability to do the "sub" check (though that could be an additional parameter on the refresh_token call). Note that it also requires the client to be able to handle getting both a refresh_token and access_token on the response. That would be good client behavior anyway.

And I agree that at token exchange time, the old refresh_token (and it's access tokens) would be revoked.
=
Another option is to put all existing refresh tokens into a one-time-use bucket when the upgrade happens, so that the client gets issued a new refresh token the first time (and last time) it uses the old token with the new client_id.

 -- Justin

On 04/03/2014 10:43 AM, Torsten Lodderstedt wrote:
Hi George,

if you want to effectively preseve the refresh token, why doesn't the AS =
just treat the new client id as an alias of the the old client id?

regards,
Torsten.

-------- Urspr=FCngliche Nachricht --------
Von: George Fletcher <gffletch@aol.com>=20
Datum:03.04.2014  15:43  (GMT+01:00)=20
An: Torsten Lodderstedt <torsten@lodderstedt.net>,Phil Hunt <phil.hunt@oracle.com>=20
Cc: OAuth WG <oauth@ietf.org>=20
Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after =
software update with client credential change=20

Hi Torsten,

We actually have the same issue. Deployed clients in the field where we =
want to update the client_id and doing so invalidates the existing =
refresh_token stored with the client. =46rom a user experience =
perspective, this is a pain and from a risk perspective I think it's =
fine to effectively do a "token exchange" from the old refresh_token to =
the new one (with the appropriate security considerations in mind).

Andre got me thinking about this and here is what I'm leaning towards =
implementing in our system.

Use the JWT Client Assertion flow requesting an authorization grant for =
the existing user. The JWT would contain an "iss" of the new client_id, =
a "sub" of the userid the client should already know about, an "aud" of =
the Authorization Server, a short lived "exp" value as this is =
effectively a one-time token exchange, and an additional claim of the =
old refresh_token. Maybe an additional claim with the old client_id as =
well (still thinking about that as the client_id is already associated =
with the refresh_token).

This allows the AS to do the following checks...
1. Make sure the assertion is being presented by the new client (the =
level of surety is based on the risk associated with the client. If the =
client is provisioned with additional keys some how that's much stronger =
than just using a client_secret which, as you point out, doesn't really =
prove anything).
2. Verify that the "sub" value in the JWT is the same as that identified =
by the refresh_token
3. Verify that the client_id defined as the "issuer" is allowed to make =
this token exchange call and that the client_id in the refresh_token is =
one of those being replaced
4. Verify the audience of the JWT

If all the checks pass, then a new refresh_token can be issued, with =
exactly the same scopes as the "old" refresh_token (no ability in this =
flow to change scopes). The semantics of the refresh_token (e.g. authN =
time, expiry time, etc) need to be copied to the new refresh_token. In =
other words there should be no way to "extend" the lifetime of the =
refresh_token via this mechanism. It's purely a token exchange to =
provide a new refresh_token mapped to the new client_id.

Interested in feedback as to the viability of this.

Phil, I agree this doesn't need to be standardized, and I would like to =
see the community start collecting some "best practices" to help others =
that come across the same use case. It will ensure       a more secure =
internet for all of us.

Thanks,
George

On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote:
Hi Andre,

I would expect the AS to treat a client with a different client id as =
another client. So the new client should not be able to use the "old" =
refresh tokens.

Some further questions/remarks:
- if you utilize refresh tokens, access tokens should be transient. =
Right? So you don't need to bother
- public client means w/o secret - there is no security benefit of =
having a secret for the type of client you described (see Spec section =
10)

Regards,
Torsten.

Am 03.04.2014 um 00:51 schrieb Phil Hunt <phil.hunt@oracle.com>:

I don=92t see a strong reason to standardize behaviour here.  But it =
seems like a change in scope after a client upgrade is a good reason to =
expire existing tokens and re-authorize as well as simply expire tokens.

Some may choose to be very conservative and always expire tokens on any =
client update. But I think that unless there is a critical security due =
to the nature of the client and/or server, there is no reason to assume =
it is necessary beyond =93good practice=94.

One good reason for expiring tokens is that you are forcing the client =
to re-confirm it has the new client credential and it is still valid.

If you revoke tokens and refresh tokens, your authorization and =
authentication system might inspect browser cookies that hold the =
previous SSO state and/or previous authorization state.  Thus you could =
avoid re-authenticating the user and simply ask about the new scopes.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On Apr 2, 2014, at 1:37 PM, Andr=E9 DeMarre <andredemarre@gmail.com> =
wrote:

We have a mobile app which operates as an OAuth 2.0 public client
(w/client credentials). It uses the resource owner password
credentials grant type for authorized communication with our resource
servers.

We are working on a software update and want to change the registered
client_id and client_secret for the new app version (register a new
client at the auth server). The problem is that after the app updates
on users' devices, it will inherit the app data of the previous
version, including the access and refresh tokens.

Since the token scope issued to the new client might be different, we
know that we want the new app version to discard the previous
version's access tokens. But what about the refresh token?
Technically, the new version of the app will be a different client,
but the core OAuth spec section 6 says "the refresh token is bound to
the client to which it was issued." So what should we do?

We can program the app to discard the previous version's refresh
token, but that would inconvenience our users to re-enter their
password after the software update.

I'm tempted to allow the new client to use the refresh token issued to
the previous client, but that violates the spec.

Does the OAuth community have any insight here? Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/=
mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/=
mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/=
mailman/listinfo/oauth


Hi George,

if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id?

regards,
Torsten.


-------- Urspr=FCngliche Nachricht --------
Von: George Fletcher
Datum:03.04.2014 15:43 (GMT+01:00)
An: Torsten Lodderstedt ,Phil Hunt =
Cc: OAuth WG
Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change

Hi = Torsten,

We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. =46rom a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind).

Andre got me thinking about this and here is what I'm leaning towards implementing in our system.

Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token).

This allows the AS to do the following checks...
1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything).
2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token
3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced
4. Verify the audience of the JWT

If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id.

Interested in feedback as to the viability of = this.

Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure a more secure internet for all of us.

Thanks,
George
On 4/3/14, 6:13 AM, = Torsten Lodderstedt wrote:
Hi Andre,

I would expect the AS to treat a client with a different client id as =
another client. So the new client should not be able to use the "old" =
refresh tokens.

Some further questions/remarks:
- if you utilize refresh tokens, access tokens should be transient. =
Right? So you don't need to bother
- public client means w/o secret - there is no security benefit of =
having a secret for the type of client you described (see Spec section =
10)

Regards,
Torsten.


Am 03.04.2014 um 00:51 schrieb Phil =
Hunt <phil.hunt@oracle.com>:

I don=92t see a strong reason to standardize behaviour here.  But it =
seems like a change in scope after a client upgrade is a good reason to =
expire existing tokens and re-authorize as well as simply expire tokens.

Some may choose to be very conservative and always expire tokens on any =
client update. But I think that unless there is a critical security due =
to the nature of the client and/or server, there is no reason to assume =
it is necessary beyond =93good practice=94.

One good reason for expiring tokens is that you are forcing the client =
to re-confirm it has the new client credential and it is still valid.

If you revoke tokens and refresh tokens, your authorization and =
authentication system might inspect browser cookies that hold the =
previous SSO state and/or previous authorization state.  Thus you could =
avoid re-authenticating the user and simply ask about the new scopes.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com


On Apr 2, 2014, at 1:37 PM, Andr=E9 =
DeMarre <andredemarre@gmail.com> =
wrote:

We have a mobile app which operates as an OAuth 2.0 public client
(w/client credentials). It uses the resource owner password
credentials grant type for authorized communication with our resource
servers.

We are working on a software update and want to change the registered
client_id and client_secret for the new app version (register a new
client at the auth server). The problem is that after the app updates
on users' devices, it will inherit the app data of the previous
version, including the access and refresh tokens.

Since the token scope issued to the new client might be different, we
know that we want the new app version to discard the previous
version's access tokens. But what about the refresh token?
Technically, the new version of the app will be a different client,
but the core OAuth spec section 6 says "the refresh token is bound to
the client to which it was issued." So what should we do?

We can program the app to discard the previous version's refresh
token, but that would inconvenience our users to re-enter their
password after the software update.

I'm tempted to allow the new client to use the refresh token issued to
the previous client, but that violates the spec.

Does the OAuth community have any insight here? Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/=
mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/=
mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/=
mailman/listinfo/oauth

-- 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/=
mailman/listinfo/oauth
=


--
<XeC.png>

= --Apple-Mail=_85E98450-AA91-4A33-9841-EFC933701315-- From nobody Thu Apr 3 09:31:17 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E8BE1A0246 for ; Thu, 3 Apr 2014 09:31:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.21 X-Spam-Level: X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5jYyclcN3x4L for ; Thu, 3 Apr 2014 09:31:01 -0700 (PDT) Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id DDE661A021B for ; Thu, 3 Apr 2014 09:30:37 -0700 (PDT) Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s33GUUpp004724 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 3 Apr 2014 16:30:31 GMT Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s33GUTo3012699 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 3 Apr 2014 16:30:30 GMT Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s33GUTl5012732; Thu, 3 Apr 2014 16:30:29 GMT Received: from [192.168.2.5] (/24.6.202.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 03 Apr 2014 09:30:29 -0700 Message-ID: <533D8CA3.6070005@oracle.com> Date: Thu, 03 Apr 2014 09:30:27 -0700 From: Prateek Mishra Organization: Oracle Corporation User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Bill Mills , Phil Hunt , Hannes Tschofenig , Justin Richer , OAuth WG References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> In-Reply-To: <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> Content-Type: multipart/alternative; boundary="------------070303070605090104070409" X-Source-IP: acsinet21.oracle.com [141.146.126.237] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/-PmQVhOe4NmW8ZHZ97oQu4c-0yo Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 16:31:08 -0000 This is a multi-part message in MIME format. --------------070303070605090104070409 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit "key confirmed" or "key confirmation" is another term that is widely used for these use-cases > I really *like* the name "proof of possession", but I think the > acronym PoP is going to be confused with POP. HOTK has the advantage > of not being a homonym for aything else. What about "Possession Proof"? > -bill > > > -------------------------------- > William J. Mills > "Paranoid" MUX Yahoo! > > On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" > wrote: > > A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt > has been successfully submitted by Hannes Tschofenig and posted to the > IETF repository. > > Name: draft-hunt-oauth-pop-architecture > Revision: 00 > Title: OAuth 2.0 Proof-of-Possession (PoP) Security Architecture > Document date: 2014-04-03 > Group: Individual Submission > Pages: 21 > URL: > http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.txt > Status: > https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/ > Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00 > > > Abstract: > The OAuth 2.0 bearer token specification, as defined in RFC 6750, > allows any party in possession of a bearer token (a "bearer") to get > access to the associated resources (without demonstrating possession > of a cryptographic key). To prevent misuse, bearer tokens must to be > protected from disclosure in transit and at rest. > > Some scenarios demand additional security protection whereby a client > needs to demonstrate possession of cryptographic keying material when > accessing a protected resource. This document motivates the > development of the OAuth 2.0 proof-of-possession security mechanism. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > --------------070303070605090104070409 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit "key confirmed" or "key confirmation" is another term that is widely used for these use-cases
I really *like* the name "proof of possession", but I think the acronym PoP is going to be confused with POP.  HOTK has the advantage of not being a homonym for aything else.  What about "Possession Proof"?
 
-bill


--------------------------------
William J. Mills
"Paranoid" MUX Yahoo!

On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:

A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.

Name:        draft-hunt-oauth-pop-architecture
Revision:    00
Title:        OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
Document date:    2014-04-03
Group:        Individual Submission
Pages:        21
URL:            http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.txt
Status:        https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/
Htmlized:      http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00


Abstract:
  The OAuth 2.0 bearer token specification, as defined in RFC 6750,
  allows any party in possession of a bearer token (a "bearer") to get
  access to the associated resources (without demonstrating possession
  of a cryptographic key).  To prevent misuse, bearer tokens must to be
  protected from disclosure in transit and at rest.

  Some scenarios demand additional security protection whereby a client
  needs to demonstrate possession of cryptographic keying material when
  accessing a protected resource.  This document motivates the
  development of the OAuth 2.0 proof-of-possession security mechanism.

                                                                                 


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat




--------------070303070605090104070409-- From nobody Thu Apr 3 09:38:07 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 729241A0264 for ; Thu, 3 Apr 2014 09:38:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.911 X-Spam-Level: X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KITdaPU8vBM4 for ; Thu, 3 Apr 2014 09:37:57 -0700 (PDT) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id 8753B1A021B for ; Thu, 3 Apr 2014 09:37:57 -0700 (PDT) Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s33GbrAl007736 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Thu, 3 Apr 2014 12:37:53 -0400 Received: from [10.10.61.189] (vpn-61-189.rdu2.redhat.com [10.10.61.189]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s33GbpjN015282 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 3 Apr 2014 12:37:52 -0400 Message-ID: <533D8E5F.8000600@redhat.com> Date: Thu, 03 Apr 2014 11:37:51 -0500 From: Anil Saldhana User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130625 Thunderbird/17.0.7 MIME-Version: 1.0 To: oauth@ietf.org References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> <533D8CA3.6070005@oracle.com> In-Reply-To: <533D8CA3.6070005@oracle.com> Content-Type: multipart/alternative; boundary="------------060002030101000003040206" X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/8TMO-B0HEiC58CDSGm2B6n5Ixp0 Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 16:38:03 -0000 This is a multi-part message in MIME format. --------------060002030101000003040206 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Prateek, why not just use "proof"? draft-hunt-oauth-proof-architecture-00.txt Is that allowed by IETF? Regards, Anil On 04/03/2014 11:30 AM, Prateek Mishra wrote: > "key confirmed" or "key confirmation" is another term that is widely > used for these use-cases >> I really *like* the name "proof of possession", but I think the >> acronym PoP is going to be confused with POP. HOTK has the advantage >> of not being a homonym for aything else. What about "Possession Proof"? >> -bill >> >> >> -------------------------------- >> William J. Mills >> "Paranoid" MUX Yahoo! >> >> On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" >> wrote: >> >> A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt >> has been successfully submitted by Hannes Tschofenig and posted to the >> IETF repository. >> >> Name: draft-hunt-oauth-pop-architecture >> Revision: 00 >> Title: OAuth 2.0 Proof-of-Possession (PoP) Security Architecture >> Document date: 2014-04-03 >> Group: Individual Submission >> Pages: 21 >> URL: >> http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.txt >> Status: >> https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/ >> Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00 >> >> >> Abstract: >> The OAuth 2.0 bearer token specification, as defined in RFC 6750, >> allows any party in possession of a bearer token (a "bearer") to get >> access to the associated resources (without demonstrating possession >> of a cryptographic key). To prevent misuse, bearer tokens must to be >> protected from disclosure in transit and at rest. >> >> Some scenarios demand additional security protection whereby a client >> needs to demonstrate possession of cryptographic keying material when >> accessing a protected resource. This document motivates the >> development of the OAuth 2.0 proof-of-possession security mechanism. >> >> >> >> >> Please note that it may take a couple of minutes from the time of >> submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> The IETF Secretariat >> >> --------------060002030101000003040206 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
Prateek,
  why not just use "proof"?

draft-hunt-oauth-proof-architecture-00.txt

Is that allowed by IETF?


Regards,
Anil

On 04/03/2014 11:30 AM, Prateek Mishra wrote:
"key confirmed" or "key confirmation" is another term that is widely used for these use-cases
I really *like* the name "proof of possession", but I think the acronym PoP is going to be confused with POP.  HOTK has the advantage of not being a homonym for aything else.  What about "Possession Proof"?
 
-bill


--------------------------------
William J. Mills
"Paranoid" MUX Yahoo!

On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:

A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.

Name:        draft-hunt-oauth-pop-architecture
Revision:    00
Title:        OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
Document date:    2014-04-03
Group:        Individual Submission
Pages:        21
URL:            http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.txt
Status:        https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/
Htmlized:      http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00


Abstract:
  The OAuth 2.0 bearer token specification, as defined in RFC 6750,
  allows any party in possession of a bearer token (a "bearer") to get
  access to the associated resources (without demonstrating possession
  of a cryptographic key).  To prevent misuse, bearer tokens must to be
  protected from disclosure in transit and at rest.

  Some scenarios demand additional security protection whereby a client
  needs to demonstrate possession of cryptographic keying material when
  accessing a protected resource.  This document motivates the
  development of the OAuth 2.0 proof-of-possession security mechanism.

                                                                                 


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


  --------------060002030101000003040206-- From nobody Thu Apr 3 09:41:57 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50A521A0270 for ; Thu, 3 Apr 2014 09:41:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.21 X-Spam-Level: X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pHvZ9KhYH-nC for ; Thu, 3 Apr 2014 09:41:47 -0700 (PDT) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 9D27F1A0264 for ; Thu, 3 Apr 2014 09:41:47 -0700 (PDT) Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s33GfguN007567 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 3 Apr 2014 16:41:43 GMT Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s33GffTX000121 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 3 Apr 2014 16:41:41 GMT Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s33GfeoT012936; Thu, 3 Apr 2014 16:41:40 GMT Received: from [192.168.1.186] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 03 Apr 2014 09:41:40 -0700 Content-Type: multipart/alternative; boundary="Apple-Mail=_90A6F07B-ED41-4EDC-A37F-297F89E27D90" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: Phil Hunt In-Reply-To: <533D8E5F.8000600@redhat.com> Date: Thu, 3 Apr 2014 09:41:39 -0700 Message-Id: <6BE94541-2DAA-4CDA-8478-E1BF99480629@oracle.com> References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> <533D8CA3.6070005@oracle.com> <533D8E5F.8000600@redhat.com> To: Anil Saldhana X-Mailer: Apple Mail (2.1874) X-Source-IP: acsinet22.oracle.com [141.146.126.238] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/3mMasAEViXX1PO65xc86fQlBXSk Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 16:41:52 -0000 --Apple-Mail=_90A6F07B-ED41-4EDC-A37F-297F89E27D90 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 What was wrong with HOK? Aside: Why was =93the=94 so important in HOTK? Phil @independentid www.independentid.com phil.hunt@oracle.com On Apr 3, 2014, at 9:37 AM, Anil Saldhana = wrote: > Prateek, > why not just use "proof"?=20 >=20 > draft-hunt-oauth-proof-architecture-00.txt >=20 > Is that allowed by IETF? >=20 >=20 > Regards, > Anil >=20 > On 04/03/2014 11:30 AM, Prateek Mishra wrote: >> "key confirmed" or "key confirmation" is another term that is widely = used for these use-cases >>> I really *like* the name "proof of possession", but I think the = acronym PoP is going to be confused with POP. HOTK has the advantage of = not being a homonym for aything else. What about "Possession Proof"? >>> =20 >>> -bill >>>=20 >>>=20 >>> -------------------------------- >>> William J. Mills >>> "Paranoid" MUX Yahoo! >>>=20 >>> On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" = wrote: >>>=20 >>> A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt >>> has been successfully submitted by Hannes Tschofenig and posted to = the >>> IETF repository. >>>=20 >>> Name: draft-hunt-oauth-pop-architecture >>> Revision: 00 >>> Title: OAuth 2.0 Proof-of-Possession (PoP) Security = Architecture >>> Document date: 2014-04-03 >>> Group: Individual Submission >>> Pages: 21 >>> URL: = http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.t= xt >>> Status: = https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/ >>> Htmlized: = http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00 >>>=20 >>>=20 >>> Abstract: >>> The OAuth 2.0 bearer token specification, as defined in RFC 6750, >>> allows any party in possession of a bearer token (a "bearer") to = get >>> access to the associated resources (without demonstrating = possession >>> of a cryptographic key). To prevent misuse, bearer tokens must to = be >>> protected from disclosure in transit and at rest. >>>=20 >>> Some scenarios demand additional security protection whereby a = client >>> needs to demonstrate possession of cryptographic keying material = when >>> accessing a protected resource. This document motivates the >>> development of the OAuth 2.0 proof-of-possession security = mechanism. >>>=20 >>> = =20 >>>=20 >>>=20 >>> Please note that it may take a couple of minutes from the time of = submission >>> until the htmlized version and diff are available at tools.ietf.org. >>>=20 >>> The IETF Secretariat >>>=20 >>>=20 > =20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_90A6F07B-ED41-4EDC-A37F-297F89E27D90 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 What = was wrong with HOK?

Aside: Why was =93the=94 so = important in HOTK?


On Apr 3, 2014, at 9:37 AM, Anil Saldhana <Anil.Saldhana@redhat.com> = wrote:

=20 =20
Prateek,
  why not just use "proof"?

draft-hunt-oauth-proof-architecture-00.txt

Is that allowed by IETF?


Regards,
Anil

On 04/03/2014 11:30 AM, Prateek Mishra wrote:
"key confirmed" or "key confirmation" is another term that is widely used for these use-cases
I really *like* the name "proof of possession", but I think the acronym PoP is going to be confused with = POP.  HOTK has the advantage of not being a homonym for aything else.  What about "Possession Proof"?
 
-bill


--------------------------------
William J. Mills
"Paranoid" MUX Yahoo!


A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.

Name:        = draft-hunt-oauth-pop-architecture
Revision:    00
Title:        OAuth 2.0 = Proof-of-Possession (PoP) Security Architecture
Document date:    2014-04-03
Group:        Individual = Submission
Pages:        21
URL:            http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop= -architecture-00.txt
Status:        https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-ar= chitecture/
Htmlized:      http://tools.ietf.org/html/draft-hunt-oauth-pop-architec= ture-00


Abstract:
  The OAuth 2.0 bearer token specification, as = defined in RFC 6750,
  allows any party in possession of a bearer = token (a "bearer") to get
  access to the associated resources (without demonstrating possession
  of a cryptographic key).  To prevent = misuse, bearer tokens must to be
  protected from disclosure in transit and at = rest.

  Some scenarios demand additional security = protection whereby a client
  needs to demonstrate possession of = cryptographic keying material when
  accessing a protected resource.  This = document motivates the
  development of the OAuth 2.0 = proof-of-possession security mechanism.

              =                     =                                   =              


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


 
_______________________________________________
OAuth mailing = list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_90A6F07B-ED41-4EDC-A37F-297F89E27D90-- From nobody Thu Apr 3 11:10:44 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41A561A0264 for ; Thu, 3 Apr 2014 11:10:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YKL3OKQS-LQf for ; Thu, 3 Apr 2014 11:10:33 -0700 (PDT) Received: from mail-qa0-f53.google.com (mail-qa0-f53.google.com [209.85.216.53]) by ietfa.amsl.com (Postfix) with ESMTP id E278A1A010F for ; Thu, 3 Apr 2014 11:10:32 -0700 (PDT) Received: by mail-qa0-f53.google.com with SMTP id w8so1987967qac.26 for ; Thu, 03 Apr 2014 11:10:28 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=d0/WfNwngp8MoUdjdSTKQejbSNLwgjtLxX5mw36ZLh0=; b=fa8H2SrghXw/+3GFINmUxcYAl3JAV/sf9+OzrXrCjrJpOEZVNfRADRS4IMIG7A+tgX RVSyP1x+wI7+Bt5zUzHded2El52fKp9zbvaG1v9P5ZcLNd03f/SIsUA/MRfo22r6tJBr 3NIyEzZT06xM0eGNotbM2TtFFgg38EC7914Io8iy/2DYsJ7PbTMS9QHoYVAMfE/QhT2F ZKsXBAhcYqx50E07lk7IW8LfeKoXa7rE2LpWSuasnHpoFx1TFRpgfSFRWEFAd6dPlNBl tUmeTBvzk1btpMxCRd7xYzZKODE9V9bI1KgL0aAbtOEhP4JTGI9xD+/PLvG9jIqyuD17 Uinw== X-Gm-Message-State: ALoCoQkYhMt3HjfVNU48udmW4z76WiG6LRVh5vmBsy1Epd5X8k1J+c0tpaJGWtBY/p5jwU8A6nka X-Received: by 10.229.81.71 with SMTP id w7mr9261155qck.8.1396548627913; Thu, 03 Apr 2014 11:10:27 -0700 (PDT) Received: from [107.16.249.57] ([107.16.249.57]) by mx.google.com with ESMTPSA id s111sm7689613qge.19.2014.04.03.11.10.26 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 03 Apr 2014 11:10:26 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_84A27B51-5583-4F8F-AE63-9032AB6F54A7" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: <6BE94541-2DAA-4CDA-8478-E1BF99480629@oracle.com> Date: Thu, 3 Apr 2014 14:10:10 -0400 Message-Id: References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> <533D8CA3.6070005@oracle.com> <533D8E5F.8000600@redhat.com> <6BE94541-2DAA-4CDA-8478-E1BF99480629@oracle.com> To: Phil Hunt X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/1l0eHYbmwQaxCZXWongUvziDx1s Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 18:10:38 -0000 --Apple-Mail=_84A27B51-5583-4F8F-AE63-9032AB6F54A7 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 Some people and specs associate holder of key with asymmetric keys. = Proof of possession is thought to be a broader category including = symmetric and key agreement eg http://tools.ietf.org/html/rfc2875. NIST defines the term PoP Protocol = http://fismapedia.org/index.php?title=3DTerm:Proof_of_Possession_Protocol In SAML the saml:SubjectConfirmation method is called = urn:oasis:names:tc:SAML:2.0:cm:holder-of-key=20 In WS* the term proof of possession is more common. So I think for this document as an overview "Proof of Possession (PoP) = Architecture" is fine. John B. On Apr 3, 2014, at 12:41 PM, Phil Hunt wrote: > What was wrong with HOK? >=20 > Aside: Why was =93the=94 so important in HOTK? >=20 > Phil >=20 > @independentid > www.independentid.com > phil.hunt@oracle.com >=20 > On Apr 3, 2014, at 9:37 AM, Anil Saldhana = wrote: >=20 >> Prateek, >> why not just use "proof"?=20 >>=20 >> draft-hunt-oauth-proof-architecture-00.txt >>=20 >> Is that allowed by IETF? >>=20 >>=20 >> Regards, >> Anil >>=20 >> On 04/03/2014 11:30 AM, Prateek Mishra wrote: >>> "key confirmed" or "key confirmation" is another term that is widely = used for these use-cases >>>> I really *like* the name "proof of possession", but I think the = acronym PoP is going to be confused with POP. HOTK has the advantage of = not being a homonym for aything else. What about "Possession Proof"? >>>> =20 >>>> -bill >>>>=20 >>>>=20 >>>> -------------------------------- >>>> William J. Mills >>>> "Paranoid" MUX Yahoo! >>>>=20 >>>> On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" = wrote: >>>>=20 >>>> A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt >>>> has been successfully submitted by Hannes Tschofenig and posted to = the >>>> IETF repository. >>>>=20 >>>> Name: draft-hunt-oauth-pop-architecture >>>> Revision: 00 >>>> Title: OAuth 2.0 Proof-of-Possession (PoP) Security = Architecture >>>> Document date: 2014-04-03 >>>> Group: Individual Submission >>>> Pages: 21 >>>> URL: = http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.t= xt >>>> Status: = https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/ >>>> Htmlized: = http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00 >>>>=20 >>>>=20 >>>> Abstract: >>>> The OAuth 2.0 bearer token specification, as defined in RFC 6750, >>>> allows any party in possession of a bearer token (a "bearer") to = get >>>> access to the associated resources (without demonstrating = possession >>>> of a cryptographic key). To prevent misuse, bearer tokens must = to be >>>> protected from disclosure in transit and at rest. >>>>=20 >>>> Some scenarios demand additional security protection whereby a = client >>>> needs to demonstrate possession of cryptographic keying material = when >>>> accessing a protected resource. This document motivates the >>>> development of the OAuth 2.0 proof-of-possession security = mechanism. >>>>=20 >>>> = =20 >>>>=20 >>>>=20 >>>> Please note that it may take a couple of minutes from the time of = submission >>>> until the htmlized version and diff are available at = tools.ietf.org. >>>>=20 >>>> The IETF Secretariat >>>>=20 >>>>=20 >> =20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_84A27B51-5583-4F8F-AE63-9032AB6F54A7 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 Some = people and specs associate holder of key with asymmetric keys. =  Proof of possession is thought to be a broader category including = symmetric and key agreement eg http://tools.ietf.org/html/rfc= 2875.


In SAML the = saml:SubjectConfirmation method  is called urn:oasis:names:tc:SAML:2.0:cm:holder-of-key 

=
In WS* the term proof of possession is more = common.

So I think for this document as an = overview "Proof of Possession (PoP) Architecture" is = fine.

John B.

On = Apr 3, 2014, at 12:41 PM, Phil Hunt <phil.hunt@oracle.com> = wrote:

What = was wrong with HOK?

Aside: Why was =93the=94 so = important in HOTK?

www.independentid.com
phil.hunt@oracle.com
=

On Apr 3, 2014, at 9:37 AM, Anil Saldhana <Anil.Saldhana@redhat.com> = wrote:

=20 =20
Prateek,
  why not just use "proof"?

draft-hunt-oauth-proof-architecture-00.txt

Is that allowed by IETF?


Regards,
Anil

On 04/03/2014 11:30 AM, Prateek Mishra wrote:
"key confirmed" or "key confirmation" is another term that is widely used for these use-cases
I really *like* the name "proof of possession", but I think the acronym PoP is going to be confused with = POP.  HOTK has the advantage of not being a homonym for aything else.  What about "Possession Proof"?
 
-bill


--------------------------------
William J. Mills
"Paranoid" MUX Yahoo!


A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.

Name:        = draft-hunt-oauth-pop-architecture
Revision:    00
Title:        OAuth 2.0 = Proof-of-Possession (PoP) Security Architecture
Document date:    2014-04-03
Group:        Individual = Submission
Pages:        21
URL:            http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop= -architecture-00.txt
Status:        https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-ar= chitecture/
Htmlized:      http://tools.ietf.org/html/draft-hunt-oauth-pop-architec= ture-00


Abstract:
  The OAuth 2.0 bearer token specification, as = defined in RFC 6750,
  allows any party in possession of a bearer = token (a "bearer") to get
  access to the associated resources (without demonstrating possession
  of a cryptographic key).  To prevent = misuse, bearer tokens must to be
  protected from disclosure in transit and at = rest.

  Some scenarios demand additional security = protection whereby a client
  needs to demonstrate possession of = cryptographic keying material when
  accessing a protected resource.  This = document motivates the
  development of the OAuth 2.0 = proof-of-possession security mechanism.

              =                     =                                   =              


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


 
_______________________________________________
OAuth mailing = list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

_________= ______________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_84A27B51-5583-4F8F-AE63-9032AB6F54A7-- From nobody Thu Apr 3 11:32:51 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92B5B1A0245 for ; Thu, 3 Apr 2014 11:32:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8o67wPikx_DB for ; Thu, 3 Apr 2014 11:32:40 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0187.outbound.protection.outlook.com [207.46.163.187]) by ietfa.amsl.com (Postfix) with ESMTP id 8639C1A028D for ; Thu, 3 Apr 2014 11:32:35 -0700 (PDT) Received: from BY2PR03CA046.namprd03.prod.outlook.com (10.141.249.19) by BY2PR03MB028.namprd03.prod.outlook.com (10.255.240.42) with Microsoft SMTP Server (TLS) id 15.0.913.9; Thu, 3 Apr 2014 18:32:28 +0000 Received: from BL2FFO11FD041.protection.gbl (2a01:111:f400:7c09::104) by BY2PR03CA046.outlook.office365.com (2a01:111:e400:2c5d::19) with Microsoft SMTP Server (TLS) id 15.0.913.9 via Frontend Transport; Thu, 3 Apr 2014 18:32:28 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD041.mail.protection.outlook.com (10.173.161.137) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Thu, 3 Apr 2014 18:32:28 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0174.002; Thu, 3 Apr 2014 18:31:52 +0000 From: Mike Jones To: John Bradley , Phil Hunt Thread-Topic: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt Thread-Index: AQHPT1olpQMLkHf4/kC3w3flBp/HH5sAF2eAgAABEICAABi7AIAABazQ Date: Thu, 3 Apr 2014 18:31:52 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A139FC3@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> <533D8CA3.6070005@oracle.com> <533D8E5F.8000600@redhat.com> <6BE94541-2DAA-4CDA-8478-E1BF99480629@oracle.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.32] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A139FC3TK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; ?= =?us-ascii?Q?SFS:(10009001)(438001)(377424004)(189002)(199002)(377454003)?= =?us-ascii?Q?(24454002)(479174003)(81542001)(15974865002)(86362001)(51295?= =?us-ascii?Q?4002)(98676001)(97736001)(47976001)(74706001)(79102001)(7450?= =?us-ascii?Q?2001)(74876001)(94316002)(92726001)(81816001)(71186001)(1518?= =?us-ascii?Q?8155005)(93516002)(93136001)(47446002)(77982001)(15395725003?= =?us-ascii?Q?)(47736001)(81342001)(44976005)(76482001)(85852003)(56776001?= =?us-ascii?Q?)(55846006)(56816005)(6806004)(15975445006)(54316002)(830720?= =?us-ascii?Q?02)(19580405001)(84676001)(76786001)(2009001)(15202345003)(8?= =?us-ascii?Q?3322001)(59766001)(87936001)(33656001)(92566001)(63696002)(2?= =?us-ascii?Q?656002)(81686001)(85806002)(4396001)(86612001)(95416001)(809?= =?us-ascii?Q?76001)(49866001)(90146001)(31966008)(77096001)(53806001)(543?= =?us-ascii?Q?56001)(74366001)(97336001)(80022001)(76796001)(66066001)(692?= =?us-ascii?Q?26001)(19300405004)(14971765001)(95666003)(16297215004)(5098?= =?us-ascii?Q?6001)(19580395003)(74662001)(99396002)(85306002)(97186001)(8?= =?us-ascii?Q?4326002)(46102001)(65816001)(87266001)(51856001)(19623215001?= =?us-ascii?Q?);DIR:OUT;SFP:1101;SCL:1;SRVR:BY2PR03MB028;H:mail.microsoft.?= =?us-ascii?Q?com;FPR:A84FFD3D.ACF677CC.B7C37F4B.52E4C9B1.20471;MLV:sfv;PT?= =?us-ascii?Q?R:InfoDomainNonexistent;MX:1;A:1;LANG:en;?= X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0170DAF08C Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GUX4ofcXnYHewNMvC7FWdFuUT0E Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 18:32:44 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A139FC3TK5EX14MBXC286r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I agree with what John wrote below. Besides, PoP is more natural to say th= an HoK and certainly more natural to say than HOTK. I'd like us to stay wi= th the term Proof-of-Possession (PoP). -- Mike From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley Sent: Thursday, April 03, 2014 11:10 AM To: Phil Hunt Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-a= rchitecture-00.txt Some people and specs associate holder of key with asymmetric keys. Proof = of possession is thought to be a broader category including symmetric and k= ey agreement eg http://tools.ietf.org/html/rfc2875. NIST defines the term PoP Protocol http://fismapedia.org/index.php?title=3D= Term:Proof_of_Possession_Protocol In SAML the saml:SubjectConfirmation method is called urn:oasis:names:tc:S= AML:2.0:cm:holder-of-key In WS* the term proof of possession is more common. So I think for this document as an overview "Proof of Possession (PoP) Arch= itecture" is fine. John B. On Apr 3, 2014, at 12:41 PM, Phil Hunt > wrote: What was wrong with HOK? Aside: Why was "the" so important in HOTK? Phil @independentid www.independentid.com phil.hunt@oracle.com On Apr 3, 2014, at 9:37 AM, Anil Saldhana > wrote: Prateek, why not just use "proof"? draft-hunt-oauth-proof-architecture-00.txt Is that allowed by IETF? Regards, Anil On 04/03/2014 11:30 AM, Prateek Mishra wrote: "key confirmed" or "key confirmation" is another term that is widely used f= or these use-cases I really *like* the name "proof of possession", but I think the acronym PoP= is going to be confused with POP. HOTK has the advantage of not being a h= omonym for aything else. What about "Possession Proof"? -bill -------------------------------- William J. Mills "Paranoid" MUX Yahoo! On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" wrote: A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt has been successfully submitted by Hannes Tschofenig and posted to the IETF repository. Name: draft-hunt-oauth-pop-architecture Revision: 00 Title: OAuth 2.0 Proof-of-Possession (PoP) Security Architecture Document date: 2014-04-03 Group: Individual Submission Pages: 21 URL: http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-ar= chitecture-00.txt Status: https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-archit= ecture/ Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture= -00 Abstract: The OAuth 2.0 bearer token specification, as defined in RFC 6750, allows any party in possession of a bearer token (a "bearer") to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens must to be protected from disclosure in transit and at rest. Some scenarios demand additional security protection whereby a client needs to demonstrate possession of cryptographic keying material when accessing a protected resource. This document motivates the development of the OAuth 2.0 proof-of-possession security mechanism. Please note that it may take a couple of minutes from the time of submissio= n until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_4E1F6AAD24975D4BA5B16804296739439A139FC3TK5EX14MBXC286r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I agree with what John wr= ote below.  Besides, PoP is more natural to say than HoK and certainly= more natural to say than HOTK.  I’d like us to stay with the term Proof-of-Possession (PoP).

 <= /p>

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 <= /p>

From: OAuth [m= ailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Thursday, April 03, 2014 11:10 AM
To: Phil Hunt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oaut= h-pop-architecture-00.txt

 

Some people and specs associate holder of key with a= symmetric keys.  Proof of possession is thought to be a broader catego= ry including symmetric and key agreement eg http://tools.ietf.org/html/r= fc2875.

 

 

In SAML the saml:SubjectConfirmation method  is= called urn:oasis:names:tc:SAML:2.0:cm:holder-o= f-key 

 

In WS* the term proof of possession is more common.<= o:p>

 

So I think for this document as an overview "Pr= oof of Possession (PoP) Architecture" is fine.

 

John B.

 



What was wrong with HOK?

 

Aside: Why was “the” so important in HOT= K?

 

 

On Apr 3, 2014, at 9:37 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrot= e:



Prateek,
  why not just use "proof"?

draft-hunt-oauth-proof-architecture-00.txt

Is that allowed by IETF?


Regards,
Anil

On 04/03/2014 11:30 AM, Prateek Mishra wrote:

"key confirmed" or "key confirmation&= quot; is another term that is widely used for these use-cases

I really *like* the name "= proof of possession", but I think the acronym PoP is going to be confu= sed with POP.  HOTK has the advantage of not being a homonym for aything else.  What about "Possession Proof"?

 

-bill

--------------------------------
William J. Mills
"Paranoid" MUX Yahoo!

 

On Thursday, A= pril 3, 2014 1:38 AM, "internet-drafts@ietf.org&= quot; <internet-drafts@ietf.org> wrote:


A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.

Name:        draft-hunt-oauth-pop-architectur= e
Revision:    00
Title:        OAuth 2.0 Proof-of-Possession (= PoP) Security Architecture
Document date:    2014-04-03
Group:        Individual Submission
Pages:        21
URL:            http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.tx= t
Status:        https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/
Htmlized:      http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00


Abstract:
  The OAuth 2.0 bearer token specification, as defined in RFC 6750,   allows any party in possession of a bearer token (a "bearer&quo= t;) to get
  access to the associated resources (without demonstrating possession=
  of a cryptographic key).  To prevent misuse, bearer tokens must= to be
  protected from disclosure in transit and at rest.

  Some scenarios demand additional security protection whereby a clien= t
  needs to demonstrate possession of cryptographic keying material whe= n
  accessing a protected resource.  This document motivates the   development of the OAuth 2.0 proof-of-possession security mechanism.=

                     = ;                     &nb= sp;                     &= nbsp;                


Please note that it may take a couple of minutes from the time of submissio= n
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.or= g/mailman/listinfo/oauth

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.or= g/mailman/listinfo/oauth

 

--_000_4E1F6AAD24975D4BA5B16804296739439A139FC3TK5EX14MBXC286r_-- From nobody Thu Apr 3 12:06:53 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9621A1A02A0 for ; Thu, 3 Apr 2014 12:06:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0 X-Spam-Level: X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, HTML_EMBEDS=1.799, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hz2hsOByYd1J for ; Thu, 3 Apr 2014 12:06:39 -0700 (PDT) Received: from omr-m10.mx.aol.com (omr-m10.mx.aol.com [64.12.143.86]) by ietfa.amsl.com (Postfix) with ESMTP id BD85F1A027B for ; Thu, 3 Apr 2014 12:06:38 -0700 (PDT) Received: from mtaout-mcb01.mx.aol.com (mtaout-mcb01.mx.aol.com [172.26.50.173]) by omr-m10.mx.aol.com (Outbound Mail Relay) with ESMTP id 4E9BA70246EA1; Thu, 3 Apr 2014 15:06:34 -0400 (EDT) Received: from [10.172.4.228] (unknown [10.172.4.228]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mcb01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 8565A380000AA; Thu, 3 Apr 2014 15:06:33 -0400 (EDT) Message-ID: <533DB139.3040906@aol.com> Date: Thu, 03 Apr 2014 15:06:33 -0400 From: George Fletcher Organization: AOL LLC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Phil Hunt References: <533D754F.6010909@mitre.org> <533D7D1D.3020103@aol.com> <299C4586-EF50-4715-8EC4-49A6D785BE48@oracle.com> In-Reply-To: <299C4586-EF50-4715-8EC4-49A6D785BE48@oracle.com> Content-Type: multipart/alternative; boundary="------------080601040103010403000905" x-aol-global-disposition: G X-AOL-VSS-INFO: 5600.1067/97359 X-AOL-VSS-CODE: clean DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1396551994; bh=VWq/MMlKoX2xIUr5pLEd85SUOyFsEOfhYxmKR7IDXmc=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=B/jqG/GQFVjm4lz3W1Ff/6upGn5gAYtf7EipaNjrGgSIRCziI3P4oxd5Lc5drSZxv YEZA+ieInmMswzH4OtrYbPGJ6VywJLf/lQzSvaYVpvK+ki85rhc+3Vi94qnRAqjGXo sFNUCEX3PMgWZnxuKH7fUC8FVl0hHgrbuVtpmsFQ= x-aol-sid: 3039ac1a32ad533db1390273 X-AOL-IP: 10.172.4.228 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/o-u-vdsgrNLgBPa8W2ZFSQatQnI Cc: OAuth WG Subject: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 19:06:48 -0000 This is a multi-part message in MIME format. --------------080601040103010403000905 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Great points Phil! On 4/3/14, 12:29 PM, Phil Hunt wrote: > I think there are two broad cases to consider: > > 1. Assuming each client "instance" gets its own client_id (e.g. via > Dyn Reg), my concern about changing client_id is you loose track of > the client software's relation to the user. In many cases it is more > important to track the software and its relation to the user rather > than the fact that it updated. In these cases you might want to keep > client_id the same and track versioning somewhere else (e.g. inside > the client assertion or database). > > 2. If however all copies of a particular class of client software > received the same client_id (e.g. because client_ids are issued to the > developer), then you may wish to force a client_id change with each > version. This allows differentiation of versions in use, etc and would > seem to represent a good way to do things when dynamic registration is > not possible or available. > > Depending on the model (of client_id management) you go for, the > reasons for voiding tokens and/or refresh tokens are likely different. > > Phil > > @independentid > www.independentid.com > phil.hunt@oracle.com > > On Apr 3, 2014, at 8:24 AM, George Fletcher > wrote: > >> Comments inline... >> On 4/3/14, 10:50 AM, Justin Richer wrote: >>> This is the question I had. The spec says not to share refresh >>> tokens across clients, so it all depends on whether or not you >>> consider a new version a new client. I've usually seen client_id >>> stay the same across versions, since it's considered "the same >>> client", but you could easily consider the new client_id an alias of >>> the old client_id and consider the two of them flavors of "the same >>> client". >> There are times where you want to track the change of semantics >> within a client. But yes, as Torsten says, we could treat the new >> client_id as an "alias" of the old client_id and issue a new set of >> tokens (refresh and access). I lose the ability to do the "sub" check >> (though that could be an additional parameter on the refresh_token >> call). Note that it also requires the client to be able to handle >> getting both a refresh_token and access_token on the response. That >> would be good client behavior anyway. >> >> And I agree that at token exchange time, the old refresh_token (and >> it's access tokens) would be revoked. >>> >>> Another option is to put all existing refresh tokens into a >>> one-time-use bucket when the upgrade happens, so that the client >>> gets issued a new refresh token the first time (and last time) it >>> uses the old token with the new client_id. >>> >>> -- Justin >>> >>> On 04/03/2014 10:43 AM, Torsten Lodderstedt wrote: >>>> Hi George, >>>> >>>> if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id? >>>> >>>> regards, >>>> Torsten. >>>> >>>> -------- Ursprüngliche Nachricht -------- >>>> Von: George Fletcher >>>> Datum:03.04.2014 15:43 (GMT+01:00) >>>> An: Torsten Lodderstedt,Phil Hunt >>>> Cc: OAuth WG >>>> Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change >>>> >>>> Hi Torsten, >>>> >>>> We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind). >>>> >>>> Andre got me thinking about this and here is what I'm leaning towards implementing in our system. >>>> >>>> Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token). >>>> >>>> This allows the AS to do the following checks... >>>> 1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything). >>>> 2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token >>>> 3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced >>>> 4. Verify the audience of the JWT >>>> >>>> If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id. >>>> >>>> Interested in feedback as to the viability of this. >>>> >>>> Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure a more secure internet for all of us. >>>> >>>> Thanks, >>>> George >>>> >>>> On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote: >>>> Hi Andre, >>>> >>>> I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens. >>>> >>>> Some further questions/remarks: >>>> - if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother >>>> - public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10) >>>> >>>> Regards, >>>> Torsten. >>>> >>>> Am 03.04.2014 um 00:51 schrieb Phil Hunt: >>>> >>>> I don't see a strong reason to standardize behaviour here. But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens. >>>> >>>> Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond "good practice". >>>> >>>> One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid. >>>> >>>> If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state. Thus you could avoid re-authenticating the user and simply ask about the new scopes. >>>> >>>> Phil >>>> >>>> @independentid >>>> www.independentid.com >>>> phil.hunt@oracle.com >>>> >>>> On Apr 2, 2014, at 1:37 PM, André DeMarre wrote: >>>> >>>> We have a mobile app which operates as an OAuth 2.0 public client >>>> (w/client credentials). It uses the resource owner password >>>> credentials grant type for authorized communication with our resource >>>> servers. >>>> >>>> We are working on a software update and want to change the registered >>>> client_id and client_secret for the new app version (register a new >>>> client at the auth server). The problem is that after the app updates >>>> on users' devices, it will inherit the app data of the previous >>>> version, including the access and refresh tokens. >>>> >>>> Since the token scope issued to the new client might be different, we >>>> know that we want the new app version to discard the previous >>>> version's access tokens. But what about the refresh token? >>>> Technically, the new version of the app will be a different client, >>>> but the core OAuth spec section 6 says "the refresh token is bound to >>>> the client to which it was issued." So what should we do? >>>> >>>> We can program the app to discard the previous version's refresh >>>> token, but that would inconvenience our users to re-enter their >>>> password after the software update. >>>> >>>> I'm tempted to allow the new client to use the refresh token issued to >>>> the previous client, but that violates the spec. >>>> >>>> Does the OAuth community have any insight here? Thank you. >>>> >>>> Kind Regards, >>>> Andre DeMarre >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> >>>> Hi George, >>>> >>>> if you want to effectively preseve the refresh token, why doesn't >>>> the AS just treat the new client id as an alias of the the old >>>> client id? >>>> >>>> regards, >>>> Torsten. >>>> >>>> >>>> -------- Ursprüngliche Nachricht -------- >>>> Von: George Fletcher >>>> Datum:03.04.2014 15:43 (GMT+01:00) >>>> An: Torsten Lodderstedt ,Phil Hunt >>>> Cc: OAuth WG >>>> Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after >>>> software update with client credential change >>>> >>>> Hi Torsten, >>>> >>>> We actually have the same issue. Deployed clients in the field >>>> where we want to update the client_id and doing so invalidates the >>>> existing refresh_token stored with the client. From a user >>>> experience perspective, this is a pain and from a risk perspective >>>> I think it's fine to effectively do a "token exchange" from the old >>>> refresh_token to the new one (with the appropriate security >>>> considerations in mind). >>>> >>>> Andre got me thinking about this and here is what I'm leaning >>>> towards implementing in our system. >>>> >>>> Use the JWT Client Assertion flow requesting an authorization grant >>>> for the existing user. The JWT would contain an "iss" of the new >>>> client_id, a "sub" of the userid the client should already know >>>> about, an "aud" of the Authorization Server, a short lived "exp" >>>> value as this is effectively a one-time token exchange, and an >>>> additional claim of the old refresh_token. Maybe an additional >>>> claim with the old client_id as well (still thinking about that as >>>> the client_id is already associated with the refresh_token). >>>> >>>> This allows the AS to do the following checks... >>>> 1. Make sure the assertion is being presented by the new client >>>> (the level of surety is based on the risk associated with the >>>> client. If the client is provisioned with additional keys some how >>>> that's much stronger than just using a client_secret which, as you >>>> point out, doesn't really prove anything). >>>> 2. Verify that the "sub" value in the JWT is the same as that >>>> identified by the refresh_token >>>> 3. Verify that the client_id defined as the "issuer" is allowed to >>>> make this token exchange call and that the client_id in the >>>> refresh_token is one of those being replaced >>>> 4. Verify the audience of the JWT >>>> >>>> If all the checks pass, then a new refresh_token can be issued, >>>> with exactly the same scopes as the "old" refresh_token (no ability >>>> in this flow to change scopes). The semantics of the refresh_token >>>> (e.g. authN time, expiry time, etc) need to be copied to the new >>>> refresh_token. In other words there should be no way to "extend" >>>> the lifetime of the refresh_token via this mechanism. It's purely a >>>> token exchange to provide a new refresh_token mapped to the new >>>> client_id. >>>> >>>> Interested in feedback as to the viability of this. >>>> >>>> Phil, I agree this doesn't need to be standardized, and I would >>>> like to see the community start collecting some "best practices" to >>>> help others that come across the same use case. It will ensure a >>>> more secure internet for all of us. >>>> >>>> Thanks, >>>> George >>>> >>>> On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote: >>>>> Hi Andre, >>>>> >>>>> I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens. >>>>> >>>>> Some further questions/remarks: >>>>> - if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother >>>>> - public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10) >>>>> >>>>> Regards, >>>>> Torsten. >>>>> >>>>>> Am 03.04.2014 um 00:51 schrieb Phil Hunt: >>>>>> >>>>>> I don't see a strong reason to standardize behaviour here. But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens. >>>>>> >>>>>> Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond "good practice". >>>>>> >>>>>> One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid. >>>>>> >>>>>> If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state. Thus you could avoid re-authenticating the user and simply ask about the new scopes. >>>>>> >>>>>> Phil >>>>>> >>>>>> @independentid >>>>>> www.independentid.com >>>>>> phil.hunt@oracle.com >>>>>> >>>>>>> On Apr 2, 2014, at 1:37 PM, André DeMarre wrote: >>>>>>> >>>>>>> We have a mobile app which operates as an OAuth 2.0 public client >>>>>>> (w/client credentials). It uses the resource owner password >>>>>>> credentials grant type for authorized communication with our resource >>>>>>> servers. >>>>>>> >>>>>>> We are working on a software update and want to change the registered >>>>>>> client_id and client_secret for the new app version (register a new >>>>>>> client at the auth server). The problem is that after the app updates >>>>>>> on users' devices, it will inherit the app data of the previous >>>>>>> version, including the access and refresh tokens. >>>>>>> >>>>>>> Since the token scope issued to the new client might be different, we >>>>>>> know that we want the new app version to discard the previous >>>>>>> version's access tokens. But what about the refresh token? >>>>>>> Technically, the new version of the app will be a different client, >>>>>>> but the core OAuth spec section 6 says "the refresh token is bound to >>>>>>> the client to which it was issued." So what should we do? >>>>>>> >>>>>>> We can program the app to discard the previous version's refresh >>>>>>> token, but that would inconvenience our users to re-enter their >>>>>>> password after the software update. >>>>>>> >>>>>>> I'm tempted to allow the new client to use the refresh token issued to >>>>>>> the previous client, but that violates the spec. >>>>>>> >>>>>>> Does the OAuth community have any insight here? Thank you. >>>>>>> >>>>>>> Kind Regards, >>>>>>> Andre DeMarre >>>>>>> >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> -- >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> -- >> > -- George Fletcher --------------080601040103010403000905 Content-Type: multipart/related; boundary="------------080009020309090806090302" --------------080009020309090806090302 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Great points Phil!
On 4/3/14, 12:29 PM, Phil Hunt wrote:
I think there are two broad cases to consider:

1. Assuming each client “instance” gets its own client_id (e.g. via Dyn Reg), my concern about changing client_id is you loose track of the client software’s relation to the user. In many cases it is more important to track the software and its relation to the user rather than the fact that it updated. In these cases you might want to keep client_id the same and track versioning somewhere else (e.g. inside the client assertion or database).

2. If however all copies of a particular class of client software received the same client_id (e.g. because client_ids are issued to the developer), then you may wish to force a client_id change with each version. This allows differentiation of versions in use, etc and would seem to represent a good way to do things when dynamic registration is not possible or available.

Depending on the model (of client_id management) you go for, the reasons for voiding tokens and/or refresh tokens are likely different.


On Apr 3, 2014, at 8:24 AM, George Fletcher <gffletch@aol.com> wrote:

Comments inline...
On 4/3/14, 10:50 AM, Justin Richer wrote:
This is the question I had. The spec says not to share refresh tokens across clients, so it all depends on whether or not you consider a new version a new client. I've usually seen client_id stay the same across versions, since it's considered "the same client", but you could easily consider the new client_id an alias of the old client_id and consider the two of them flavors of "the same client".
There are times where you want to track the change of semantics within a client. But yes, as Torsten says, we could treat the new client_id as an "alias" of the old client_id and issue a new set of tokens (refresh and access). I lose the ability to do the "sub" check (though that could be an additional parameter on the refresh_token call). Note that it also requires the client to be able to handle getting both a refresh_token and access_token on the response. That would be good client behavior anyway.

And I agree that at token exchange time, the old refresh_token (and it's access tokens) would be revoked.

Another option is to put all existing refresh tokens into a one-time-use bucket when the upgrade happens, so that the client gets issued a new refresh token the first time (and last time) it uses the old token with the new client_id.

 -- Justin

On 04/03/2014 10:43 AM, Torsten Lodderstedt wrote:
Hi George,

if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id?

regards,
Torsten.

-------- Ursprüngliche Nachricht --------
Von: George Fletcher <gffletch@aol.com> 
Datum:03.04.2014  15:43  (GMT+01:00) 
An: Torsten Lodderstedt <torsten@lodderstedt.net>,Phil Hunt <phil.hunt@oracle.com> 
Cc: OAuth WG <oauth@ietf.org> 
Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change 

Hi Torsten,

We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind).

Andre got me thinking about this and here is what I'm leaning towards implementing in our system.

Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token).

This allows the AS to do the following checks...
1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything).
2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token
3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced
4. Verify the audience of the JWT

If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id.

Interested in feedback as to the viability of this.

Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure       a more secure internet for all of us.

Thanks,
George

On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote:
Hi Andre,

I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens.

Some further questions/remarks:
- if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother
- public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10)

Regards,
Torsten.

Am 03.04.2014 um 00:51 schrieb Phil Hunt <phil.hunt@oracle.com>:

I don’t see a strong reason to standardize behaviour here.  But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens.

Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond “good practice”.

One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid.

If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state.  Thus you could avoid re-authenticating the user and simply ask about the new scopes.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On Apr 2, 2014, at 1:37 PM, André DeMarre <andredemarre@gmail.com> wrote:

We have a mobile app which operates as an OAuth 2.0 public client
(w/client credentials). It uses the resource owner password
credentials grant type for authorized communication with our resource
servers.

We are working on a software update and want to change the registered
client_id and client_secret for the new app version (register a new
client at the auth server). The problem is that after the app updates
on users' devices, it will inherit the app data of the previous
version, including the access and refresh tokens.

Since the token scope issued to the new client might be different, we
know that we want the new app version to discard the previous
version's access tokens. But what about the refresh token?
Technically, the new version of the app will be a different client,
but the core OAuth spec section 6 says "the refresh token is bound to
the client to which it was issued." So what should we do?

We can program the app to discard the previous version's refresh
token, but that would inconvenience our users to re-enter their
password after the software update.

I'm tempted to allow the new client to use the refresh token issued to
the previous client, but that violates the spec.

Does the OAuth community have any insight here? Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Hi George,

if you want to effectively preseve the refresh token, why doesn't the AS just treat the new client id as an alias of the the old client id?

regards,
Torsten.


-------- Ursprüngliche Nachricht --------
Von: George Fletcher
Datum:03.04.2014 15:43 (GMT+01:00)
An: Torsten Lodderstedt ,Phil Hunt
Cc: OAuth WG
Betreff: Re: [OAUTH-WG] Handling stored tokens in mobile app after software update with client credential change

Hi Torsten,

We actually have the same issue. Deployed clients in the field where we want to update the client_id and doing so invalidates the existing refresh_token stored with the client. From a user experience perspective, this is a pain and from a risk perspective I think it's fine to effectively do a "token exchange" from the old refresh_token to the new one (with the appropriate security considerations in mind).

Andre got me thinking about this and here is what I'm leaning towards implementing in our system.

Use the JWT Client Assertion flow requesting an authorization grant for the existing user. The JWT would contain an "iss" of the new client_id, a "sub" of the userid the client should already know about, an "aud" of the Authorization Server, a short lived "exp" value as this is effectively a one-time token exchange, and an additional claim of the old refresh_token. Maybe an additional claim with the old client_id as well (still thinking about that as the client_id is already associated with the refresh_token).

This allows the AS to do the following checks...
1. Make sure the assertion is being presented by the new client (the level of surety is based on the risk associated with the client. If the client is provisioned with additional keys some how that's much stronger than just using a client_secret which, as you point out, doesn't really prove anything).
2. Verify that the "sub" value in the JWT is the same as that identified by the refresh_token
3. Verify that the client_id defined as the "issuer" is allowed to make this token exchange call and that the client_id in the refresh_token is one of those being replaced
4. Verify the audience of the JWT

If all the checks pass, then a new refresh_token can be issued, with exactly the same scopes as the "old" refresh_token (no ability in this flow to change scopes). The semantics of the refresh_token (e.g. authN time, expiry time, etc) need to be copied to the new refresh_token. In other words there should be no way to "extend" the lifetime of the refresh_token via this mechanism. It's purely a token exchange to provide a new refresh_token mapped to the new client_id.

Interested in feedback as to the viability of this.

Phil, I agree this doesn't need to be standardized, and I would like to see the community start collecting some "best practices" to help others that come across the same use case. It will ensure a more secure internet for all of us.

Thanks,
George
On 4/3/14, 6:13 AM, Torsten Lodderstedt wrote:
Hi Andre,

I would expect the AS to treat a client with a different client id as another client. So the new client should not be able to use the "old" refresh tokens.

Some further questions/remarks:
- if you utilize refresh tokens, access tokens should be transient. Right? So you don't need to bother
- public client means w/o secret - there is no security benefit of having a secret for the type of client you described (see Spec section 10)

Regards,
Torsten.


Am 03.04.2014 um 00:51 schrieb Phil Hunt <phil.hunt@oracle.com>:

I don’t see a strong reason to standardize behaviour here.  But it seems like a change in scope after a client upgrade is a good reason to expire existing tokens and re-authorize as well as simply expire tokens.

Some may choose to be very conservative and always expire tokens on any client update. But I think that unless there is a critical security due to the nature of the client and/or server, there is no reason to assume it is necessary beyond “good practice”.

One good reason for expiring tokens is that you are forcing the client to re-confirm it has the new client credential and it is still valid.

If you revoke tokens and refresh tokens, your authorization and authentication system might inspect browser cookies that hold the previous SSO state and/or previous authorization state.  Thus you could avoid re-authenticating the user and simply ask about the new scopes.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com


On Apr 2, 2014, at 1:37 PM, André DeMarre <andredemarre@gmail.com> wrote:

We have a mobile app which operates as an OAuth 2.0 public client
(w/client credentials). It uses the resource owner password
credentials grant type for authorized communication with our resource
servers.

We are working on a software update and want to change the registered
client_id and client_secret for the new app version (register a new
client at the auth server). The problem is that after the app updates
on users' devices, it will inherit the app data of the previous
version, including the access and refresh tokens.

Since the token scope issued to the new client might be different, we
know that we want the new app version to discard the previous
version's access tokens. But what about the refresh token?
Technically, the new version of the app will be a different client,
but the core OAuth spec section 6 says "the refresh token is bound to
the client to which it was issued." So what should we do?

We can program the app to discard the previous version's refresh
token, but that would inconvenience our users to re-enter their
password after the software update.

I'm tempted to allow the new client to use the refresh token issued to
the previous client, but that violates the spec.

Does the OAuth community have any insight here? Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

-- 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--
<XeC.png>


--
George Fletcher
--------------080009020309090806090302 Content-Type: image/png; name="XeC" Content-Transfer-Encoding: base64 Content-ID: Content-Disposition: inline; filename="XeC" iVBORw0KGgoAAAANSUhEUgAAAWcAAABxEAYAAABZ0L78AAAABmJLR0TIyMjIyMhnRJJpAAAA CXBIWXMAAABIAAAASABGyWs+AACAAElEQVR42uzddYAUV77w/W9VtY67wuDu7u5uQYMEhxAk uBMSLBA0IWgCCa4JDoHB3SHI4AzMMMO49bRWnfePe7mzz+7m2eyGvbn3efvzz9DVVb86p7pO 86tTp05Lly9fvnz5shC4ubm5ubm5ubm5uf0m3bt/1KhRo0aNGn92cdzc3Nzc3Nzc3Nz+Z7ly 5cqVK1dA/rML4ubm5ubm5ubm5va/gTtxdnNzc3Nzc3Nzc/sd3Imzm5ubm5ubm5ub2+/gTpzd 3Nzc3Nzc3Nzcfgd34uzm5ubm5ubm5ub2O+j+aACr1W632f7zhQw40JEEUii7pAYgxkhhkh9o B5zFHWFAjKWodQOI0pauqeXBVvNt0isv0K8L8Pc7BsbcoGuRs8DV0XzEfBGU8VwwHgfpW9LZ AeoSuZj+NUiHc3/O+BKcHa1pWUPAeC74WtQPIMbaYi1J4Pj42aE7s0GskRsoB4B7rpXqYNBe Z6/KWAbqIWmU0hG0XPWhuSBYP8pc4IyF3GHZpTMPQm7RnMjsoZCbZOunZoHF25FuuwSW59b8 2RvBPtA+1doT9M+8N/jZQJroHeKXBpaEjFOZmZCzMpOUHuDqJK2TK4CoSiddVdBmeX4fkB9s B3Nzc4+B4m8qbL4HmZPTPdK/AY/TIXciMkGLV370eglmL88o750gTDw1VgT918bN8kFQv3DV 136BGoNqfViuEdSQKhYLfw5aKddi1z2QNoi2RILwl4LFJZAaYyYIRC4uXABI/8cHqfAfUxLe Q0IGApjABNDNlZYqA+H1tcSHqRvh0MYzHS5vAGHUP3eNgl5Tm8xu2Bick+WlUiRoe8RsPMH3 uec3xnwgL5P85b2gu2bqbj4B0TNPJh1qABn5rDa1HTxJSFpyaRl4vQ2endML7A8TPJRf4WHM m9LP14N0TdfOthmymqbMEFcha2DOWJ8J4H1L96XhLgQv908qcB2K7yqUXXoDWLvZJ+oWQ2p4 UmBuKEQ1Cl0phoJ1vJptmQIFj3jkRlYHv34FPoucCblNrU9TPwc/f4+OgfvhUuOYzw7sAutK tWtKYxgQ0WLgzLng+EHupnwMZbcU/zh0Mzz+7NnX2eXh0JhL0ctnQ5aP1XK9O3i1l0f6+kHy /aSKPt6w4N6UqFWz/uxm7ubm5ubm5vY+vL8eZxmBBmRKJvyA2mjiAkjLxBuhgjRc3JJ9AZt+ q7gIzoepSxObgzHAJ5/XBdD8tY+1qkATXUnzV6C/IKteZ0HzEzHqChAWMdMZCMp1KULUBs57 vfbvDIYvvOMDPwJtiusjx0UgWtTVqoKQXbvsjcHpk+QXuxfUj3M/Su8I6nBnM9unIBZkJmVP BsewzCNpN0C6qDxTZ4NI0F2Xu4Oy1nDXMBQM9U2Z+oXg6fS8bj4M5mPmNR5VwfCxbqL+FSie rjTHJ6B3CsU5HEzrTJf0JUD5QAqTg0De5DrpCgCtorOSrSgondVP7HVBn8gkVxCYeum7aJPB mOph89oA0khHHXs38B7qedQ8BcQBtZyzGQStCekacAY8l/scCTOBzkuv09+Gx8Njcl4eBcs0 S2WbBvKHyjjxK2gDpM+lEJAWsIswEIlSIBYAxF+lzP9BBQRQVApFgFSTOtJGcLYWr1zPIN/s cG+/etDP0r5b00NQ/2CF5DLfQdBPQQQY4dLgG/q7n8HDYc9b36sKWfnTB1r8gBvyYrkzGDox VvoazI2830SMAiVMKWXXQchbv6+sFrApWULvCVX7lNjerhX45UgJRU5C5tHU/YFp4DvUo1pg eSjUPrBbkTXgzHYULSpB1vnsXJ7C/cIvlDt6KLQovI5XGyjsiLCULQ83pzw4nDES3trTt2TM BN1+acTruuC1Q67uXAlvaiQdevo93Cp3v+ZPs0FbaWntXwjCwj0adtoGuubGPrpB4HXaPEoX BUnOpJUZL+HXT5/5Hr8Cmc0y+zyKBlfr7LScHEi7mzAqoxDkjrK9dEX/2c3bzc3Nzc3N7X36 wz3O/8WJhACpkLBJQSAu8UQsBa2udFd8AXIl/TLlHKg7LfHWSsBV+TvDHJDnGdrr5oMySRmq XgZxV+4taoI2UO6nlQYpTKzWjQHhrwmnHqQxzkWWISCV0k/xGATqF2K8ywpa2fgGj6qDlmi/ 7dwG0q/yQt16MJz1HOo/DZyHLOcsySCdcRVU4sDl7+zjnAiuT+0N7J+BGqE0F3XBsEjfUu8B hm1eZu+6IEfZhjtmAor9jq0NeC2UWkmnQDovWyUjqPNdk+2lQP9IvkwAOLbLY7T+YB7jYTbH AOOy81l+BrWSNk2bCWKZzZzdC6RNWpCyApyqxZQ1ATyLGAZ4rgIU7K5PQDtp3ZT2BWCQr+qj wDokR35bHfRLPQ4HB4BvUkAR/9mQeTfdlr4EXox99Vl6EFQ8UbpFqC+4XroGaQD95E9YAGgi VVoCSMgilv9Ikv/PBFrCAGgilqsgHkll+Qmk++JrxQJajtpQmwPWJ9TUXkExW8FR+c2Q0C31 cFIZqNGj3O6iXSCsZ0BqaBLYNPWQ6yxk/JJ1z/EVPBiVWujZD5D2pe2n16Xg9tXYyPsdIeUb S0KKN6j3sxdkp4JPqL7o7XTQp/htcq6HRssKdSxfHVzltIJyApwdfffsExPI23Tfh1QCqTRJ xnhouLVSmcY/Q6X5Bb2rvIGsu5HHEi5C/S9qSd16wv3PY94+fQOPGz2w7HgNzwPtGxyXIOOl PvD5EPCej2qaBdWKlb3QsBr4fxqZ4h8L/q0D/b07QdrSt0Mzx0PKukyj+BqerX38cWIVEA20 o+bJYKuTmZF/LrgSVJ/sBMgoxc3XnwJQ/89u5G5ubm5ubm7vx/tLnGX+IxnzIwsTcFBqynPQ tRAj6AGuYO260wDKKnFW3ADlVpHyxXJA/UosdN4G5ZSzZ+aHIMbr+5t8QX6upYjOIGrJbXR9 QOonxzMHtLicqekKaJdyOyR1BN0+fSWPHLC9UmPFCND6JA+LbwauHOtCWwYwTfpauQFyX6UJ J4D8hrHed0H3QDquLwPee71GK4XB0daxV+oGzkLacLUTuBarRfEGw3qx05gKrj7aQHELNDvB 0lTwKupVRdcb7FnWVVnfgnzducuVAp4llQPyc5Dvmq8aI0EuqKZLJUBaa6/hbAjWvc4WtiLA Fqm30gLsU3L0ljugT9ar2YeBOx7ngsqBsZurV/YQcJ6wv+IZZLqyP0ztBp6VA/unfgH60mFa ySPgPd93k9/P8GD54/j4VlDy68I7gkqA7gudl2gP6hTxiWwEuY7kKX4BcVfkogAKEtr/8QkK nIDAl0LATFFXvAK5qawwEHJic6bYasCVqbcq3eoCCaUzzsTdg5zaOW+0jlD5bYWPS0wBUw+P BkGh8HJpQq/nveA766Efdu4DXVXdodzt4Jqq/yalDxT5NbB3/iS4P/f5fZ8l4NjnKmR9Bd43 EqvfqwgRwf6tS30GGSfszVN9oNC4gBUNVsLrEW9rHp4OH65v5mreC3xS7FsNY6FMVCnPwmsg pnh86mMfeJ0Yvz82HSy3bd9ZesIL69vCx66Aa4NYoESDf1lrSsIlEFusG8O/gFJ1SucvtwqC AoNG+JwFz190mvUxJG6Mv56ig8RtGV+/ioZXckLEs7kQFBt2mV8hc/XzsLS1wCG9XToCmaUy Thk7g3zXp5PnJKA6Y/7sRu7m5ubm5ub2frzfxFkG8RSXeANSWSJJAWFjhhwC8if0lBaAqOzV w7wTpMsc1U8GeaBslRwgPza0iQgEKQC9LgvEHHzZCZJLHBf7QBuXG5e8GHimC/L2A/myx+WA L0H1z+r6eihIFqmaWgcUNaBc+CzQfkiwvMwEramrkToFlHue1pBY4JZJ9bgJIi33W3UiiHLq Z/ISMFilV1oMSBFatpYIUo69oMsCrnzyUOcKUBoo5eV00B3RcpVpIL0UT8Q8EJIySz8cOEMt 0QrM6aKT1hrUBLrKJUHuZX5sugfyAuVbnRfgsoaJ2mBt62qrzgItWdqkfAa2BEuwbQEYTuPK XAfKRt14XoD5meGpuQuk5U9faykMuu95qW2ELKvU2RgJPoHBT6MkyBlqbeO6Aq/1cXLaPCjW ulj/4Iqgpth/UUNBPJMW4Q/YgL/3A+sSoAEqmlQIpL18IdaAOKb1EN+B+YRpidEEzYPrPKm5 Ho42u3DgzgjYfeT82h0H4Rj3lp3pBjVuFB1eagvomkmqrxXyj/AtFBYNZfYUrlVxBSQXzZ37 6gq8kVODf6kJwfX9XzsLg+Oi1NC6HPxrm0eaPwbFO/teZgrEnHo71NUbLJ7W0mduQ5kV+QqE 34O4fWlX7qfCwNNtP+4TAmujt+p/DoGUnrb1jwZA7dgSJTuNgifjX6TefwA5FcRBz2MQOcir r+4K2JpkVfF8DaU8ix6v+gtU+rqAqcRaMP9g1HnmwtvliTXSn8PLEon7bu6BQzduTN57CEIe +uqcZaHBqSJBLWZARJL/hNoWMP5iKiVVh8zX/t0ta+BthdxzcTX/DS22MpWpDEfnHZ13dB7s 9N/pv9MfnjR60uhJI1BXqavUVVDkyyJfFvkS2h9sf7D9Qeic0jmlcwoo1ZXqSvV/Q7nc/q+q Vq1atWrVf367Kc2nNJ/SHLrM6zKvy7y/jXPixIkTJ06An5+fn5/fHy/ns53Pdj7bmfe6YMGC BQsWfP/nzb+7Hm5ubm7/Lu8vcRYIZMAohZACIk48lj4FjjNPTACpj3JBrg5Mkqb4BIN2Te2c swWUHKmOUgsYKdU1jQDxQqRIs4Bm0lnWgrgrbdbOgxRmOO5ZDfhE2W4qBtoVxxdZPwHztWDx CcgFfEWgJ8iWcE9zKshr9C75DLDJNMtzPUjn5S3mkuD6MuMLyxIQA+1e9oYg9TfGKgkgqfbj rhBQfrFb1c1gD3fkd3qD6rRfd4wGFqtbRXnQTZFKKmaQvtBNknqC1MeU69UbRIpor70AVwM1 1JUJ5jXqCTkXXLf1hZRFoCzSXVIfgHxMaizpQSuX29XeG9Qnjr3sAeN4XY55Eqgxzsr2EZC9 I3t4alMwq16D/BqA7wJfp+cOyJmR1TH9c6B4SujLUWCfYaxs9AbDS9/8kdvg6dpXkanfQeHT hfcFh4H0g3RdVAGuihi5HFAWSbwCPNDhB9hwYAUEGiaQIiQ9GojD4i4CyE8/+QEoVXQfizng 3OPM5/gVAgf6SmolaORVoWHUBrCMNqx6Fg26WtqJmJEgNc5MrpgOVfqX3VmjIvwQ9kvzn65B 6OjQ/qZqUGNE6U/qDobWX5Q9k28ePC6cOflNEuz56Nil76uCYZxyK6kYWBurgb6z4HbCY8+A B+DXw5DquwZiPJ9LV/bD1923bTY4IKi7oaM8Daz9Ml4G7ga1pCJST0HEm4B1RaIhZ6DlfNRR sMiW+heag6m9hyzVgZsFHze/vAGe1Ik1xBQHuYU5w8MM8Tff3k7YCOGpns8CH0K5lIDDTa+D b5GgSnF9wd+Zr33JpaA11ZVMegG57dR1Fj/Qh4h9D7dBStmU+MSLABR7nw124amFpxaegp1N djbZ2SRvud6ld+ld/Fdi/dDjocdDD3jY7WG3h93gRtMbTW80hQXDFgxbMAy4yU1uvudvE7ff LWRGyIyQGaAMV4Yrw397PY8xHmM8xvz3lav7wu4Luy/Me/1fCS1++P1ZB8vNzc3tf5D3lzjD f/Rk6oXAC0jnObeBl1jEGqAcYZIZRKiWpo0BbbHLO3ckSJPkw2YLSLOMh/gKpCVimboQRBrB IhCEQa6kqwxSVWuvrBxwybTINYIyx2Okb1+QWvtd9u0FuhtyV7kfiM2uWdo2kPYUqRxWBqRS upK6QkAPdaPLAko1mfg6YD/mnJPyATjDM/tlx4ArxXLEFQjWqtYbtj6Q+7V1Ze4rcPm50kQ2 SF9LO3UtQFkun5MXgbGeoaKxP4gyht7SALBPdCY7N4B0TJ3vqg1qea24EgJSLa2jqA+yQ3rk agSuIY7higSePiab0Q6u7fat9j2gHXUVdP4K8i7dbP0isMXavlOPg10vQrJLgumkT7ruDRjL 6H/VTQHF26nYt4N9cPqk+Gfgdc13QcAOsJ62VjeVhqy52RdtaeCT6R1vuAPqHnW2eA00xEEd EIXFTO17kHKlLdJL4KS0XMoBkUG4uAdo3KEYcJ6mruGgnRWxyimQL7DOWARSO71Nz7SAb3F5 jsMA6gdSg4xsSAvLUKkAqj5zxP10OJx97fTjC2B6bZJT6oDhkT4trCCkF8+eb54MZ1onHbSm QeKy1C9v74bkbGe7FDOoHXI+E15geqhVT6sF2kXboMRbIO4E9wypAOVTIgfUXACOU9Y9rk2Q 2Vl2OTtAwaMRA2sPg8eBj/fF/whhoYHL/ZtA0oDsRWljIbmaJSylJRi65h53zIBqbUt3b2wC +5PshEAveBuT2SqmO0xr0MM0wBd0bfSTzZ/Aa2dyy6zyEGN4efz4Gfjl4uXJ2y5D07lVu3ww DHy+sUeHPIETda/NvFkTspdorz2/A/by1ftoWqdPnz59+jTsHL9z/M7xYKxtrG2sDbPiZ8XP iocm3zb5tsm3IJ2Xzkvn4UzmmcwzmTAjdEbojNC8BOic9Zz1nBXqUY96/z3fMW5/x9YGWxts bQB+b/ze+L35s0vj5ubm5vZ7vc95nKX/vNVvkQoAHlJZ0Q0wc1+aC9IrSin9QQ11zEytDQy1 mLI+BlmQrjsBWl9ayuEgnRFD+QrwkA4px4DCtl5ZD4E4ndX8DJQ1nt7+HUGqq5tq7A3SMZoo Kmj5tBznVVCfyW8dD0DerJ1lM7DRMccxEUQV/J3fgzPE/io3BqTq4oE6DXT5dXcNTcF2Laen JRsy66ZmZSwCu2YZ49BAPFCzxF3QTZTTlfLg4WP41ZwMnh8bBnsUA31LqaccD9plcYuFQD9l s/4X0IUYwkyFgbbSR/JCcM1xZTg/AP0n+vPyL2BsZDQpTcFrojnB8z7of1EKGQJArFEXqg1A v19ZK/uBtt1lt+vB7mXxSLGB7JRvucygHZIaacfAtimrZ/oRSLsbV+zBXlCzHNuseyHnC8tD xwuQtkiZUkvQlosL6iXQ/aTEK5vBbDCM8qgOynzZZFwBbBVBkgdI5cQC6QBwmrbkAgNFqPwp sFQaKvWHzCrZB9PjwHzBXB0fyC6oF0lGyBjqMKVdhJdpb47FLwPXfHlKbh9In+sslngeCmzy G5J/H7im51b0leDBh7G/3giGo89vttr0KbyambzjWSFoUqbYxkYfgyFSMvt2AulXw0ytIZgy fFvojeBdnbFVj4HrLFUyEyB7mnP6k7Pw8puElkmR0LBKRUvYVShxwa9IsAy6o8oHt6dDZGjA VUM0GMfZPQNHQtsStTNaeMBY70GFBi+DwDch33mtgSZTaxSsfBAkh9c6MRYO97184tAW+PlU dLOVP8Kjwq9Mr9dC4Xmh1QKPwZNdj1+eOQOJtsRvbjeC6neKTy3VCgqeCNjy6tn7a1zbt2/f vn173uthw4YNGzYMmu9pvqf5nrxb6fJwebg8HBo9afSk0ROYtHPSzkk7oVVIq5BWIZBzJudM zpm/jR+/P35//H4Yt3Xc1nFbod7Deg/rPYR6HvU86nnAhMYTGk9oDAntEtoltPs7BfzPnu53 PeEdO3bs2LEj1KxZs2bNmtDh8w6fd/gcdkzcMXHHxLz138nIyMjIyMi7hf/u78N6D+s9rAdd 07umd02HTQ82Pdj04G/3u3nz5s2bN+cdj2YBzQKaBcCpYqeKnSr2t3Hf7e+91f9/iH+2HupV 9ap69beHkjRt2rRp06Zwz3DPcM/wt8d938x9M/fNhK6FuxbuWjjv8272otmLZi9g0clFJxed BFtpW2lb6d8u9y35lnxL/ts4A64MuDLgCrxo9qLZi2Z/vL5/+Hxzc3P7/7331+P8boxsFhAC Ul3s7AKG0kN0ArWz1FJeDDI8ZSmod5KeP30N2ktzZkhXkD1Nc6WyoNWjIqWB/uKm1B+kqvqO noDkaTgo9QDpsfa59hKwawHqLhBN5FO6AoCHdkHqC1J7qigPgUS5spQBDBcjdYOB0apTGwbS Nq9+AbtBP8gvI9QO4iPRT90K/hOD24TsBPOs1JYZ+UE7Yl1l7QhyojSVDKC4I962D3Rt5KLK erB5uqKEF+SMs7d3NgJuOqu4/MG1RRvriAGnQ72iVgWeiq1qNCjlmM4HIH2p/GhoBIb9tNZW AxZzMBHg6uG4oC8M9KaBKQMclZzfOxaAtkCMcpQD123HMmsIaD84r7h8QTqpK24oDcau5gyf c2B7kl4iqS9YXqcVi/eAzG+y4iP6QMFC+ZoFjgDlNlP0n8OrOxl+cdsht1Nu67hn4HfV44rv Agia7l2+6M/g6sZ+VwhIZUW8XAQQ0gj6glRXC2Y5GKqbdAZ/iFoVllDUCywrxXHxESTeiPnl 1WAILui3xloQDI08+yZrkBWUNtnmB5eWPB6YvAuMQ4w1Mp+BZ3GljecbMJ/Tpum/gqBWprOV PwTxiTJP0kPAAY+eAV+Bxz4lI/8xUG+6soxfQ+UllUuXegxKhLS54AU4N+BCqQtToJNX1cTm 3aBMi6rHSv4MLyyvL2YNhZTcV+WFL/idDf0lcjL4hHoce+wAwzDTEE8Vfni023noNNzbHFvr yhHISMpc6LcdNrQ9lLGzAPj7+Xfy7gXFMqNa+44AbVhODc0B5qYeB8Oeg+6Q/ro9DX6Jutry RCUwJ/rJvsvAXEO3wb/BH29WYrAYLAbDnR/u/HDnB6A85Smflxj+I+0i2kW0i4B2h9sdbnf4 b9/PXZq7NHcpDI0eGj00GhITExMTE6HOqDqj6owCR1lHWUdZOJV1KutUVt4QkO0523O254CX l5eXlxfs2r1r967dsLDbwm4Lu4F+mX6ZfhlU1iprlbW8xGhR/0X9F/UHebe8W94NXelK1/9L +SfunLhz4k5IaJbQLKEZ8CM/8mPe+wcSDiQcSIBly5YtW7Ys7wKicGzh2MKxMGv/rP2z9gNL WcrSf1/9/1kfffTRRx999Ntjh0uWLFmyZEmY23lu57md/3G8f7UeW4puKbqlKBToXKBzgc4Q uzd2b+zevLj58uXLly8fGBoYGhj+4nz+6eeffv7p57zyGWYZZhlmQRW1ilpFhec1ntd4XgN2 RO2I2hEF2cezj2cfh8/5nM//TvmnT58+ffp0iCCCCPIuAO+OuDvi7gj43PG543MHbGADG97D 5/avnm9ubm5u76/HWQMkkPLhIgfEtxSgDYjqLJK2g/whIa7LIG+Q95lvgWNRbqHcKSBuqCZn AMg9pKdSFRDbSOAIEClVEdNBOiG/UJ6AeCoqiZ9Ba6J9px0AFpEi5YBk4TppQB25tq4QSEWk FYYI0OK1gZIGUjlRXAsFJUCKNI4BZbb/es/WQGkPf/UjkCv71DHYwayFnDJFgnmheYNrFXiP CuyjJIPxsddXWjGwNXCOsgyB9Mnp5ZOPgeV55uS3XUF9LQo5C4C2mm3qcHAutw9xfgmuz9Xb oh84BgqTVBbEZ3JRuSsot+Q1uhVg/sq4w9AW/D73auc5DnzP+qT6TARTC2M1szcYhvsUCvgJ tPXaauktyLtFSWJBt06+jweIVa7uDh2olezfZ+cAE5TRpnqQ8WuC/slASN2bWjetOrxIer0u cRkcn/brh9+1gM2nj/VbvgWWf7/92PdX4Yfo6Gk7KsCrAUljEpNAf1Bs0X0Lao7oJ30GWmst iaJgqqe7qisH54LvZF7rA7eqxPV83AaY4UpXfgbPEGWU3xowe3sWMY4HQyF9uGKF1Onpm1Ki QdmtzDAcBc+p+ob5ukDudMsMz2EQnmGS8m8F/+0+0/SxYPzK3CnnDLRZXn1i1b6ghnAz9xaU OVq0j197OFn/fMiN43D0+NWPz5+GOrPK/9jjGpwbcKfQ2/Gw/ouNh4+Mg5f+sZNjJoIx2NjA yxvUMvJK+zaosqzEyFbTICXt5eIcFS7l3GpzvinUT62cU+QIBIwKdBVbCuZ+xj2OOWCpYO2Z PhCezXwxKn4axFhTuj4Khgs3Ht7ccxouj3jp2rsA7JGipHoWnP2thdKvw8vFiXrllz/erCxL LUstS8FZ3lneWT5veVBQUFBQ0N+uv8SyxLLEkvcw2V///eabb7755pu89Y8kH0k+kpyXeHzw wQcffPABLO+7vO/yvrDq6qqrq67mLX+33qHPD31+6C8yoE0PNz3c9DDv9bshJN9W+LbCtxVg ZujM0Jmhee9vbbi14daG/7j+dUfXHV13NOxvs7/N/jbQ5ViXY12O5b3/44MfH/z4Fz2C7xKw bd7bvLd5wxAxRAwRvx3/fdX/nxUXFxcXF5eXqP7133f7+b3+1XocXXB0wdEFsGfqnql7pv5t 3I0bN27cuBGKLy6+uPjivzjudX+s+2PdvNez281uN7sdrBywcsDKAXl3APR39Xf1d+HY3GNz j80Fm81m+68fzPoL7x6C3PV81/Ndz2FFmRVlVpTJe/9B3Qd1H/zF/v5dn9s/Ot/c3Nzc3u8Y ZxlwoYjnQBDp2ACFfaSDeKEdV5eDmCFmOjqAYY7PrJCBoHymtJHLgVgi+ojxICVJaXJlYKC4 J2wgnotHohtwnSbyWZCDFBuBwHw2ikGATTzTKgKRCGUQSEVEPdECeCh/pI4FrTPl5J0graKH GAHUzyger0Gu9rzH/YfgyE3flFkPLPVet035BLRWunBPb9C+NKV7XoDcD7PbqF+DuKCNMRQA 2aDrbowD5zC1quM1kCHdsHmB8wwhSh2QzvjpvfpCysVsKTcHssOzMlIHgW1u9qqsE+D9uWmA x1iQKstL5BJg8leW6z4AuZvujNII9LL6i2sG2HroHfpC4NrBN+ImGDe55jhaAjWVMkSCyO96 JXcC+13Ho9yJYPpUv8gYBUqslmbcAzkjM6Kzt8GO1YdeXDwJ966lXV9fEzxOG6oX+RWUHuqC qFZwq9f9clcmQO5YW459JUw62H3Q7CJgaCuPUbqA0lzXQ9sID0rGJz2ZA7pxxhJp8SC7NO+M XXBv3stNt25B8mWbZ/JiCG2p8/aPAdvknKm50WD81uuucS34ZXvsdc4Gj1rqIf02sF/QHbZN ANPpELvUHwxzTJPVOEj0tByLrwxZca7kN6+guldRtdU+8NykO+BxAWp1KNf1/jG43vnXw9Zb UGVy9QKG+uDoy9QSQeDnbdqf5AvFFpUtXiMd9r+Ifr6pCegmEJkSB5kfG542NoKzh/VX8RYK XgqtV7gqxHrHn8ztBecSHpe86QG+Qeazxhlgv24tlDwTtMPqbMMM8O3hddTSAFxl02e5RkPq 106jaSY4L+umaycgo5P9YnpZyCmQW87YEoCMP9KkzA/MD8wPQFonrZPW5fVAp3dN75reFYJ/ Cv4p+Ke89VOiUqJSoiC2UGyh2EJ/Gy+lbUrblLZ5r+//cP+H+z8A4YQTDrt37969e3fe39/y bjtrgjXBmgBvHr55+OYvEueGYxuObTgWaElLWkKDLQ22NNiS9/7rkNchr0N+O5F6Z8T3I74f 8f3f9uy+2+6vb+E3ndR0UtNJwCY2sSmvx30Zy1j2f6nHv1p/FrKQhfzT3vcsEv9d9Xg35OLd 5/dOLUMtQ62/GMoR2DyweWBzuOS45Ljk+Mdxa/9a+9favwJtaUtbKNqtaLei3YAAAgjIG1Ly vurbYmqLqS3+zoXCb51vbm5ubu+8z+noBDKIF1IY8SB9Jr6VuoMoILUT20CLoLEcB9IXWrHc BJBHBNyP9Ae1h2ihHgTdMHawBMQZMnECh0kWj0HazSQpBcRHklHoQERQXw4EiooB2jyQ1lKV R0AMy8QhoJL8NUtAlLQtzN4F3NS/8iwEsqoMlvtAduFngU9KQ5LuVM9LvmDd5DCJr8G2xvCz eSy4fpF/tDYEg6p4W/KD6Yjnp/6+INfWj5Lmg+Qn6bSXoDilpror4Fqvfm9YCaZCPt+av4H0 /Nb4jJ6gK5UzJLM/hC0x3jSfB2t51yciH0g/KIV0V0B7KYKJg9yBFs+cKmDrllk/czpkj8z+ MuUZWJd4bPFuC/YPXN1cL0EMcupyeoDHeWOE70sQUaKcOgB08/DiMzCOsj/JBZRW8nKnP+gK 2/rmzIXAQj6FgmuCbtSbx2WbAqla1+SvIOzDYKNrIjhvGse/Hg0vtj2qY8sP32zatPCHZjDw ZOe9nctAYsuEh1lr4UZYQujtCIj+7oXX/Cfgs118HVAI0h+kNLYPAaWBcl9eCHHB0gClFZhS dDXMHaHk2RJfma9CRsPkA86fwXgpeGZ2DJSqLQqo3vDmg4TabxaBMUE6oA8E76Fe5nwvwKFa ryv3oOnyehkN94DfLK9A/0Lw5nbapuAXUGJRvra6PfBG//qCZQQ0OV8rueBWeBTxqK98ESqM rT6v5OeQu87+1Yf14Hq3mEmvZ4B/paCrPvPgqRYz53oEtNzRdH3fFXCk/rUB90KhQcUiJfU2 ePxFXImH/cBjhnmc9yFQDulSH8sQ3F6/zdIQkrrqSnjfAG2omOoZCtJa9WbOPpBdynK2Q2Bb 0w5RGzj3x5rVu1v5pS6UulDqAjzgAQ+Ag7MPzj44G/rTn/5/sf681Hmp81JhHvOYBxw8ePDg wYPw2WefffbZZ38b33bRdtF2EehCF7pAwJSAKQFTwPuR9yPvR79dLtMa0xrTmt9fD+mmdFP6 e7N4vBvrfJGLXPzbt38rgdFWaau0VX9n+WBtsDb4L47fMGWYMgzwwQefP6/+/27/XfUQVUQV UQV4yEP+4kJJp9PpdH/gf5N3QzP+y7tZX5rSlKb/ffV1J8xubm7/yPucjk5CAP4ilQDgZ2Ri gLsiUmoLUgBfacVAbmGuEPg9iH1yoZyTwFJRngOAXptFOPCYKRwBMQo/IQEtCJOXgfS9Nl87 CuKMMGpDgA7KWLkPiATRRooHaQlntMEgPlHyG1+AmJQbn3EDtH45vWLrgfSD91Dvl5D79MbD W8EgdntX9OkLjiR1l/4Q5J5NbZmZC5Jd6pPTFBwrhGLZDRm6jOrJe0G3Wv5emgy6R8otgydI /vIi3RfgMcf7pd9WUGbntvCTwbQ6JzJrAAR+Zy5uHAauEF1z/RZQguSOylGgj3OKswcYhslR 0hwIPGq441sCXBGeZ429IPes43v/XyB1ra20/hYkrXTOs0aCrVhKv+zjoK102e31wJQoXTVd BsN66YLYBR535bJKOTA2cbrskaAuf9D7+iDwtpecWfwM+GwLn+78CJIWZc6ze4LjTGbvnAjI bpqgL3IVSnfPX7fZIAj9zrtsvs1wcE30uuhOkHxd+sr6HbyIT5h5aT4E3PYZbPwaCn4ZUN/b Ai9d2hspChwWl8ZOKEbw+cqn4dLqmCWXfCDuRdqD3IUQtlhf1+8rCBkRsc78KRgXy/XrrgQm KOsTa0PcxMzqTxpDAT+P6MipUG52mLHmRYjb9KZm/DW4MyVjxauq8GJ0Qu3kDVBgWqHwoC5Q /If8Z4JugH8xf9lvC/hXCdiQ+wmIlnJXXRIU7FLqx4L9IOUTy6dyInR43bpV+XlwdNLBAsoT MCaaZluHQ13/qgOLrQePq8o2509QunzJy8FdwS7ZLxoC4aS40uLlPLCvllube4H+K2Nv6Qno SjnGZQ+C0Jc+DQMkeB1lqxB/Awp+7XPe9z+GJrR4H82re3T36O7RMItZzALWVl1bdW1V8N/p v9N/J7Sd2XZm25l5Ccgl5yXnJScs279s/7L9vx23YOeCnQt2BiQkJOiUv1P+TvlheJfhXYZ3 yVvv8bjH4x6Pg5cvX758+RIKzC8wv8B8MPcy9zL3gvCE8ITwhLyHsE4vOb3k9JL/6nDm9OLT i08vBlrTmtYQ2T6yfWR7MM00zTTNBFuGLcOW8fuPh8cmj00emyA4LjguOA6So5KjkqPgZPeT 3U92h3YJ7RLaJcCRo0eOHjkKdKMb3d5//f+n+HfV490dDnaxi11gvm++b74PYRFhEWEReUMg 3s360rJly5YtW+bd+ejQsUPHDh3z4p3scbLHyR7/c+vr5ubm9o+836EaABIqEuCUQtADe4VE QZBtfKdrDWKINMKjHijbDEuVNSAeCy/1C1D7kK3eB+mJtFrbAXJNsVv5FNgm0qRMECWVHVot kEeL6q45oC1Se8k2kJvK4yU9aBfEJN0GUGZq653nwFlfNFP9IMf3eo0r40HUFvOdp0CZFjEm 2AuyCsTeTi0LydeSctKvgNrX9dz+C+RMSolOngbPRyfvz3oLWYd0awwdQTlkbOhZAIJeyB8b YyFfkLmIR3fQlTVLWbNBPqOLf90OfDP9JslBYJsohrrWg9RAP8m7FhgqGNd47QX7Y60nXUFt KTcwbgFDR+Np43SQL+kNehNIoTqT4xswxPk8MpQFU0NpfOAkSMhSV1i6glbFLqUvAs+rhqoi Fcw1RCWpGpjfykvVvqB8Is/X7wSpxr0iMRch4LBfaecQ8Pkw6lHcRYiNS3jw5lPInm+sm/Y5 lCtU6nDHWuA73epf9AH86h0/5OE3kJSZ0eH6RDD4BquJ+0A+I4137AP/Wt4nvP3A8ci6WXoB voMMO31TITvFsUA4ICjTfNpQBMKHe+6NVCHxSawh/zowVAlabd0MmQvizz39GaIGBwcGxUDP nk1f9GwJx55eX7ytCLyckrXqyQVIvGQvlbEU7vfPir3yI2RnZ31j3AcBlXy+za0GZz45OTWu D2T+WGm3KxU6+jbrFq6HoI2BD7w/gzMDLv348CW0eNRYKucDL+Y87/i2M6QsSrucNQ10ZQxh 2k7w6+5f2icVPE4GLlU8Ie1ZYrrVH27Yr0++2whefJfZ9qkA/5H6k8GfgOWIc8szBbyO6JJs U8DRUMxVZMjZ4+iSUQm882kdgj+A7MvKQBEBVHw/zarNz21+bvMzXDlw5cCVA3C4w+EOhzvA nDlz5syZAws8Fngs8ADZQ/aQPcDxteNrx9d5D5n9V0/sX/UUtj/U/lD7Q7A5enP05mj4Xv+9 /ns9PPF84vnEM68n8d00dtzgBjdgQ40NNTbUAHrRi17Qt3Tf0n1Lw5dFvizyZRGYHTk7cnYk 7L+z/87+O3kPB77T19bX1tf2zx2D/8N/9kh2Wd9lfZf1sHr16tWrV8OcTnM6zekEW4tvLb61 OLwIeBHw4v/yEOX7qv+f7X3V4900h/aL9ov2i/DFnC/mfDEHxsaNjRsbB/lu5ruZ7yb0mdhn Yp+JsChxUeKixLw7GvvD94fvD4fnpZ+Xfl46L867Mfbv4v/p9X3DG9zTALq5uf0L3m/i/B/T 0TkxASY8xUsA9moJwA5pGDWBsqK2poHwlGKkZBClpfW6HKCZFC56grRPLOEisFeOlaeB+nPW 4CdTwd7+xf7bniBPDPAv9BHoM01PDSq47lh1tg9B931Y2ZIdQJP1VwJPga4DdZVK4Ih4uzS3 IaQ9Th366hTgyv8s9FuI2x+XmNQN7N/Zr2mHQIwVJ1xBYPvW+jUm8KnkWc1vJhRsV6hakRQI jPW7EpkCnh2MX/mYQIrVZdEcnNe1M7lnweptPZkhgFuW0OxIyN6WFp0IGPU+PY0xYIwzHZPb gO6RrqjcHKTb8mTdjyAdp7DUAqQW4rRUBXR91C1qNBClXckdA54vPQfI08AzwCfZxxNc53JO cgMME0WYownoF6sxtuNgfmo/rD4E/XSP9gEnAEVZlH4EtKvP+qXehJT8znxyY9AnGtp4dgdl uaWFawvE9TWtv1AOCA64krsOPHZZKhfbBl6NfT/1ioCiDU0n6p+Gxj5Vb1WdD6/L5TZ6tAW2 lDtZfONm8PPwcgRfAFvF5B3Sd3C3sd3p9RV45tNuVh8JtVrWSXmUDEn5EqMze0LOgOyxrmx4 vjtbfzEa1GaOaGME1N1a6kWjfhC+It6erx74GH3igj6EVFOSNX4geF0sPSnSA7Ia5wyLLQ6m fqablifgWmyPTd0D27/dV+3ER5DPkD9/uDcUaxvhV3AxuBbbf1ZHQlm19PyIMfC81Mtjb8+B 5zLvLw3FwFjA3MI7HPQbXO1EN8gU0itHPTA89itaehS0lkuMq7cJsrtk1I2rCK9mJKvWlfBS zlqb4w2yJwP108Fkzylp/wEkX6/+2Vlg9iDLFPYe29Z/JoqzB88ePHswVIqtFFspFnZP2T1l 9xR43ux5s+fNwGgymowmaLGnxZ4We2DMgDEDxgyAsTFjY8bG/G3YsLCwsLAwWLN6zeo1q2F5 meVllpeBy99e/vbytyDdkG5IN6ByxcoVK1eE4dJwabgEJXNL5pbMzYvTtVDXQl0LgTpeHa+O h62vtr7a+gpuHLpx6MahvP30ftb7We9n0OVol6NdjpI3puRf1L98//L9y0NO75zeOb3zpkdL vJF4I/EGTPOc5jnNE2a3n91+dvt/X/3/bO+rHkMYwhBg/ab1m9ZvgsuXL1++fBly7+bezb0L LGYxi6H7ie4nup8A+YX8Qn4B27Zv275tO9xYc2PNjTXgV9mvsl9l6Dur76y+s2D4sOHDhg8D mtOc5n9+ff96OkI3Nze330v6jy9GIWrUqFGjRo1/PoDVarfbbPzXrBp4AC7gDhYkEMvwkM6C fIEfpQ+Azsx2hYP2jbrZngZSrNxUbgFSQdnT2B24pfkr9UD7TndQNAX16+R7d05B7vAzQw6/ BhGvC/ftCYZS4a9CMkAUzXqYsgDkAb7rveuDcUblVp29QKknfaxrD5mxZ2dcaQ7JvV8NiV0B T/3idE+SIHN++istPzh+Ur/TEkGxqYG2x2D4UTYY6kNYo4DNAXMhfETUwsjPgB3KeF0uaD/L I6WR4GpBjiMcqGQPdE4AubO+kb4H+B2NulKgCMQffXrm5TcgXZGny4NB3Jani5ZgK2+/ZVsG IsplUZeD1EF0lWsCRs2kzQJ1k/2A9SfQ5qtf8QzsT+RZWODty9wJmQPAejtzUeoX4BtqeCqV APMkexe2gWmMVtpQBPQ234e+AgQJPbNDwGRVV6iD4cSo0o1ep0PMN/KuBxXBp7+9nNcEyNgn TmZokP6xukc9A4WmeSXUOAclPEOV8tEgj9VPzf0FrNXtafpNENDO9JHoAdd/eh52fRVExXuP q7YIUtPejnx9E/SPPZ35CkHS9kzvuwWgUMHQxq6+YPhMfhHwBXBXnHTFQuqm9Ddpo2BUlX6j vikA+nVyI88EiPV6s+7hKoiucafH7kWgP+vYbEwDtaxjvakHPH/1tkaagPAigd7aFZDSTZ97 mcH3Q913RS6CttLWWukF1ZtXLFBzEAR5+X/i2QPCL+e779cMjlvPXH30PWT0TSn96ibU8697 utyXYPdzFJSPg+KnWy+tgFL7is7N3wn25h7ddakl7Iw4WXBXNIR+F+RnHwZp8zKq5T6A8Br6 y5ZokMZo54UEIiLSJzUT8l+O7OVdAiYrvb47sfLPbub/73nXo76mypoqa6rkLX/3cGCpc6XO lToHN4feHHpzKAy5MeTGkBt5Q1kunL9w/sJ50G/Qb9Bv+LNr4+bm5ub2P92VK1euXLnyPnuc FQQCyJA8kEGqK24ggfQFN9gIWkccwhvke2yVO4IYroW7uoBSRhrnkQnaNtFUKQ8MYon6BKSu mq+YDlJ1xyluAqu8Bhb4AcS+rKSM1WDd/PKThJGgzXC0y1kNUr/kjhmpoEvNb35zEaQJ+V+X Ogee+avsK7kUbEdSgxNHQ9CHPvMj64BzuEGz7AWtlU04k8FvlWfV/D+B+b6SqAaByShKCRfk Lre+yJoMOk/9WONL0G9Rbeoq8M5QeoqSYPo4KC74OZj2579UaCUoxfyneNQFUS5ji+UiZH1o PZb7K1gr2DfZHKD7VtqlOwNqPmm0yARaSXZpIsgL5VaKBURbbYRuEohD0iD1SzAsUTKVlhDw hWmiTzrkbLBPzOoDunDnd9kmUNfZ+jkU0KqZl/p8CgJHTPZCUEzeMw0bADnntZgA2pjMsp51 wH+SXy3POKiUUeaTqBh4OePpV8WaQuLg1BKBvqB4qPWlDZC409Y5syeYXnrZpFBgnzy98Hp4 lhHfy3oDCjSX79TuBVrd7O26cyC+cUUF7QH1vO1kViKE5fg3r9gRrAHZGZkdwFFbCiQX1IP0 ztkGud86R9sscDLx+rSzU8D8xHw0dAFca/J45881ofyEAqsiHGAMtw7wi4IbPe4mZnaBBocr iEbPILlRdsWn+SHjsHX1nULgddP7XNAYKF6lVGCtZlAsp/iysJ/hxdVn9+M7g2loxh3jV5Bz L/5M7G0ocaPsush0cM63TZPNkO/byNtBdrhT9bbytDzoD7p6Ck8wPVIKphwEr88998W/AP1R c3llMuS/5oh22MC203MHDjAO0MU7+4NzuHLZPAfi5zguOZ4Bs/7spv7/JsMGwwbDBrg66Oqg q4Pyfrhi0/BNwzcNh9CI0IjQvxiD++4hxKYTm05sOhH0qfpUfeqfXQs3Nzc3t/9t/niPc67d bnMCGhouQMOAAlIEqTiBqsRyHcQ4fKkIkhOrbAftqjbK3g7EK2mm/jQo86V4CoFUhK+1SSCK iyDJAGKEY0P2SrC2vv7o5COw3njc4eFbcNWyFssdA4YKvn2DZTBMLz607Lfgmm3/KnMp+Eyr 9qB5DZBLyD0MuWB//Krn87eQM/b2zJvN4PKRNGPuDnirpRRIKwz5k7y+8W8Oun2ObvZsMI2U 3iodwXjeVExfCYwxxLsGQ3BUvudR/SHgZbW1VS+ALIerQQ9Acul7azXB9uzG6vvbIefsywsJ n0NqwZzBOfvBmmR/5CgL2iJmajngeOu46bgDopq0XsQA5UQvrRrwpStRWwJamPOp5glisC5I uQ5MMpY0poD1vPVU1jzI2JHoGz8NsrNv17krQ+DDoDEhh8GzeeCRsIWgZfvuDTkE1pNafeNy eHjA02VvB5aFhgeutmBYKu6p3UF7bl0tmyHrkH2l6geW1hk/a/3Blc81M2cLqOnWGOcusE12 rrE1AV2u3qV8A9qvzvr2nuC6qD6Uw8BQTR9rHAZUVDoKfzAeMY3xPgyeDwy95B6g+9C0UMwD Rynx0OQNqk3XSQsBJUy3SE6BwC2+p51nwcvpd9hzMVRYX2J2k3GgvHEla/ngUcyTfk+uQWBq QKi5EcS3ir/96DnUy9cgpMYv4Hpt/TR4LwTvDq1rfgjesZ5dfUpBbpp9EEXhzbWXSuY10KKt rlfnoGxGlTkVMuDR3ZilrzvAS9831WKNkPxpks+zQhC3L3V/3GhQLD7ZaRp4mkzzsg6CPCa9 j6sv2Dd7BLj6Q0A1/3H+X0DqQlef7KlgnST3lqtDTljGwoxE+C560uaLaX92M/9/V9r8tPlp 82HpuaXnlp6Di2Uvlr1YFrJ6ZvXM6pk333Wzps2aNmsKw6sPrz68Opg3mTeZN/3ZpXdzc3Nz +9/iXY/zH0+cHfZc23OQikvhUikQD8RbEQckkCxVA1TSSAOpM0GiMFCFFcpxED+KYa7ywFR5 pvQIpIEiUkwG1zIW6w6C3ET/XH8b1Bkxb0/shxc7t07ZEgVpv+R8YtoC5gee431GgX8vryiD Fcwi4BdpHXg8rHqmvgeYvcp0rlEY5EjilJugfmMzZd0D16obSbe+h6fak4m3+kDudC1D/ALe P0gLQm6Dep7lhhTwnu69x7cIeEQZ83v0A3MVzxcesWB2Vk4oNg74Idjhmx/EbltZ2xXQfWuZ nzkHcoMennilg5S9LysmxkC2l/UTayVwdpfaagoIC8PFQnA8dnzt+A4cg11G61cgzyBYFAPO a5f4CYjUopQKoO2T+igakGp4rWwGtYoYSBLYLtk+sAyHzMFvH+duh4w7GV1tz0DZHroiYCqI mSbh+QNkOB17rL0g7Y0rK707pOYkifSSYNFlTM1cB7aXltqZj8F+wrHRlQ76LdyRL4Be1rUw bAL5gr6/XgNTiFFneAnSZtmu1AbFoS+qnwlyY7mfXBnkKfI4cQbETFFSjgStiZpBOXCO177S CoBWm+aqN4h72g7hAHmcPEXfFZSpxmKml2AsZnok1QbDaB9j8AbQN/X18I8Bv+cBNwOiQFfI XNK4FJzPk+NetIOMWtaPH4dCEY9Inf42qDsc9zxqQsPZDfL3bwDmcbquzrbgvC/rxBSQWzkK eR+D3PJvKzxqDLmvpU/lZsBe7bq0C1ST6GzsDA9LPW9/yQZii9Xz6S7I6pUzVv4A9H1Nm1zD wFrQfDt2ATDG8bm0DKxmZy1lAph+8Wuhi4HXD9PqpBeG1AZJPbgC+x3LWp2v+Wc3dzc3Nzc3 N7c/4v0N1ciVAqQZIKqIr8URkDylohiAnuIunwKpjKULiLJStlBAqiMsojYQpqyRBgLHtYHS OhAJoqC2EuTvlefSftB9lrU2tgE8PLRNt/06XPvk+XbRHQo9LlenkglKJdYbXPkiOANiNz6+ CLoLnhvlq6DvEp4euQnkcP18r89Ac7pu2peC8omhquc8yB1ut+hnQKEbYU2jWoL1sDYqJxUS dr+xOqqBHGw+ZN4Ahs36VKUnGIr4tjXPBQYaOssJ4KqR/XPmJdB/6bPD+AQwp5/KyIacXY9e vSgNubMTvs7RwNlTPSsSQHhKPswA7Zg6UlwF7SJNtXCQjsmV5NYgN3cFaONBDRWhjpIghUlH 5KMgd5cnyckgdxPJaiVAr33ONHDk0832PQq5ozx/8boPuUOiNjpLQmp139K5YyCnVvaitC2Q /n3cuJiDkL4j4UWiAXKe5rS0hYAcK9/RtoNXgtcY73AIvOl3y/8LMGV7n/M6BMY9HqGmZaBb Zcqv3w46Rd4ofwvaehHLLRBXhVXsBSk/rcU00JWUPpMOgnRRiZbuAkZptn4WKBHyYiJBvi2W S01BC9N6KfdAayXGu1qBOtZeSLNDzh57pvUu2JpZZbUS5N54G5TYCsTQ1EtJrSC74Nuqfk4w feJVyy8EvD82VnKkgP8qj9n+zeFOx6en7QJqq1EWKRye/nB36cVXYHHIvTxWQL4VoZs9o6DW lhqnGhaBG36PJ8esB+tJo1XbCEUKFcsN+haMG+XJXhbQpaqJZfqAXxnfDVVrgse5gC6Bc+FU qSvXt6wDNTnzi4QuEHjT4wtpBHgUkF9W/gru/vj26JXCENg0ZLypFaibRRn7u9krYv/s5u7m 5ubm5ub2PvzxxHmg+I5NQF3pnmQBYmhGc+Ah3cXHwA+cldeDyM9SZQBIdbRXLh1QSnRRygEL pCx+Bi2TRpQE/Q/6/Lo4yPnynse1WEhtdi87uRIUeFwpp04ilBnXon2F+eC7OTS/bwNwVvd/ UXQViO3as9yh4GqT3SurARgvh22VvEBqIirLWaA1c8y3nwVR0elPMmQfdzwK2ge2rVlXnVXB 2TOzY9xK0PbZRrgWgKWk+qX0MRiClQbybjB+VNoR5QWSL9tdl8DV++WF11ZwnEk6mT4ftB1Z ZtcH4KolX5evgmui84hWHkS66xgrQJqASQwDXUN5n9wVnF9pKVo7YLWkyp2BWdo9vgZRQxTX GoPopW51TQAe6Md5zoKsBtJ8j48hKdtZVrNAqrA2y/oEUpe82RVXFpIOv+72aj+kibefJbQH 7aL6g6sjeF7x3xywGKI8ixYp6AIPs5/idQv03xpOK0fBddI1QbOCo6ftK6sOclMzv8/sAGJs +khxFeSdYrpkBG07HcRuYIwcK/mALp+ySLcTDMmKj1IYlJJKtqKBzqz4yj+CVkLeJy8Gua2S xG3Q5ei2SkYwVNMt0m0ENptL6X3AM8NriFcOaMWUdLkqODNcK0Q1sGdY67kqQ+6lnA9zSoKt SsrBrJaQskiZZ4gG81qvLeZUKD6mTMPa4WB84RfgfQTKHS92KLw2BMeGRYd0B9NO003DQDB2 NQwVs6BiYNNV9bzB9IW5me4wEMgq6oDSj3B5Bxg6eBgDGoLtrWipfgi+VczfG2dC2cySnXuP had+L7Keh0FuG4f+9QnwCgvUedeBgk28Y58shKyinrmZNyAsIl89r7KAO212c3Nzc3P7f8Z7 6HFmgpoCfCiOyJuB2RSVEgC7tJruoO0RY1Qd6FbxVtcIHG+l6bQEqb04K4JA7qL0lseCrqVr qrwWuPMfYV01k9NTakLhHnU61BgPUcOHFf84FKRnXuUNdsgt9aL+gzKghtl6ZewG+bn80pUf TNsL7ig3GbQurnU2P2CT/pY0E7QWr3dmTANXA/s+1QUZP2XPzu4AmYfezkzZC67t1gBbVwju 7VvJfwYE7Qho7hUGyg9KPiJAPf5mSWoqiOmFXoasAmW70abzAc5RUBcNopCUzxUFSiOmSEZQ jmrz6AWSUXohTQXpmOhEBIjKWqyrPigXpNnCAMpaaZr8E2hlpMvKxyC2GHZ63AF7f/3nXgqk TFBHKDXh7de52yw+kFg3/tWLs5Cy+vHbh8ch5Wbyg6SToLQxTjHmgv83EUXCvwTP1cFtglqB nKCPwQzOTpYbtkDIepb8NDUSHN0cg7VyoNSTK+ozwTTebDO8BY8Azx1eQ8Fjpmd1z41gnOCh mBqDoYfxa2MG6HbqF+pPg05WKusTQBqtHMIbRHWhilyQhguD1hW0y+pw7VfQVmgnXApoi13X HP1AfO2o5BoCWgGXQX0A6J0HHP1Al+L6ULKCAXm87jl43/EyG2aDa5f3r8ZEcLZ02rQ4yBlt CXM2BcvO3O254+DpgYsfnqoI9tyIo+FXobgrdFjdhhCuyz8t8DPQNooApxO0666PzE7w6ulZ k2jI6Zfjaw0B+bz8iXwZMtan9bJ8CqYBpqEmB0R+HTDXOwfU865B2iKo+EG5r0qsBd2vpjUF SsGVvnfDnx0DW6ay2DEVSocU31ZsC9w8FJO5/zvIOepY8WgF8D/o1+Xc3Nzc3Nzc/pg/nDjr uuo/Mn0EajFnIWdzYJj0BfWAhayX5oGczGh5Oziau1o6jOB4mbzg7UdgCDMmmZwgbwwICPgV XJsd3o5KID/TqVJNMKwpWaP4JAjuEWVXs0Ed72X36g1Mybqb8BYUq9zV+RWoj6yrsrqCElZ8 ec0bIB80zfAdBdRWC6iTQQSrZeydILfPi9qJhcG2Imu8LR+4WtmStKnAdemMXza4TkplVBne vIo/nBgLrgB7gsUIYYUjixcYCnKSq5dzGejLMknsBlEuMin4A9BHhizyPgdiqy3ONgPwy75t 3wpisH6yuAa6R+pFloCrseOQOgCELD2kHogBLKEa6A7r5hq7gM1uXOW9EzKXGU6YJ0KyZrvk SITED950fjkZEivcX3fXG5J8XzteTQVum2p6hEJg68LeRaaBuUxgCb9m4CjpLOkcA9njkh6m DgK1mq2SmgymJuYhhqvguzLQ1+878NsQ0iDoKviNDPjZvw/4TvOe7tUHzEs9C5m6gG6m/oWu CSiHpGLKOBA/MkgsB62vGMAykD8UQVIiiP7spyUwUnQSm0C9qk7TPgT20FE0A05rR4QFXD9q N7Td4Gqi7lQbg+ap3VSPgEhwDndeA2c766DcYFA72YtZ74HrR/WEYzK4UtTFYhoYOuseSJXB tNh3m7E3+FT0ESYJcr+353MNhbcDUgclB8KPQze3+KkP+F8M+DhoB4QsDG4fVAoqx1YYUOIX KFu6zL6CCyFzdOpe6T44Bkr3Xdfh7e2EU6nLwDDbEKT/Bcp7VvUvkh+kzboJcltQrNoN5zoo saSIr+Eo3H3+a3vHJ/Dk9d2Dd6PA52z5mWWOQT21zJY+R+H0o8sT9pYG4IM/u5G7ubm5ubm5 vR9/OHE+W+/iyMujoFa5qver1gb5urRNJIBYLZK020C0NFxOAbm89JNSFjxWByQFX4ekygld k1PAt6Bpmf0yGC4ZSkmfg7Ze9WQLGDqHphYZBerVrF7Z60FUc+jsP4G0UHolHQay5M7GONAP K9K42legXx4kIm8C0fZbub+CGKvz1D8H+uVO0LJAuWmfLTSQU5Unxt3gud0zyXALvDy9GwQ2 AmeWmJD/R7B4JC6LKwNx3z29eHcbWHekpabUgbCfooIKvgXjLWv7nChQNqSGpRlAF+nT2vcB aL2dT1y3QW4hV5SagOED0UiOAvtCTWi7QFdDOagsBFcDrY7WD9Q6GHTbwBXvd9xvKKQ6nZGa BHGzk4ckroSEtY/1dyfC62sPQx6sBeta1yytAPhujCqerzUYdwdO8PkZnF7OzepcSGkcN+fN dJCfqNcJh+B6QfUCC0NoWqlT+VwQ2iBydehc8P3R39PXFzxOmyeaMsBQWr9a8QS9QbogBYEi CR1dQFxTm4qKYH3smqV+B9pj7QutMUjP5UeyAbTrrlfqJHAN1KzaMNDKiYOiOSiNRQvygTRE aiiVAeWhvFr0BqUyQkoG5RLrlOogIWfLgK6sXhhegWOK6WvzEXD1Uau7QkBscFkcVrDXdky3 DQRXOWtJaw1wDLEvdg4FZaIqaZlgCDFVkm+BxwRTjt8HYL1n7ewoCWn9MountYfkolm+6eUg e1aONX0xpF1LrvQ2G+rfrn+5/k0w/OT71K8ABHUJ2umXCa4a6gh1Nujy6x2KA9QWrngRCy7F VVz+GVJJNuZ8CzkjMi4nnIVMR+L0Z9/Cxac5u2N7Q4lxxSNL2aH25jI9G2/+s5u3m5ubm5ub 2/v0hxPn7NbpUfaaoBulZEnFwdVMraD5gdxTGs1BEBNwiNkgdZXrSddAaewpeUSCKSBwsu9k cHZx3HbGgmdT73F+2eB6oY5T14FYb74ZNBh0maZwfxO4imW9TW0B+i9Npc3XQKkePqTUApCe U09ZDuAYnVsJxGdKf+UViLJSTXxBtNKeauNA7JXniQpAMOO10SCPlEa7OoDXMLms9SQ4R2sR zr1g3OGfoCsMrhhLeMS38FafkP6yPThPWJNjakDw5+FHA6eCV1O/uxGjQctv7W3/GMQcqZ3y AJybXd84r4BYpa0SFpDuSiPEEZD7O7s6fgGpgW6uvjDYS3mOCgqB2FD7I1ssxH77cvTjfvAq 69aTm/sgsfkbXs0AJc6/p29T8B0fWSYiFpTaoqe0HtJLvCmR5ADdKM2uLILIbyLnhZeHAnHF jxYaD8Fb8yWFrwbfAr7ZXifBdFV/2LAb+JH1SiNQW6mq+grkuVo9oYFrMiOpAfZZ6kY1H2hj RQgGoLHkL38HBotOJ+cD3WCpJ7mgBUpfaSPBdc61QekCtlHqfbUkODOZJY6Bq4v6ldofnJ00 ozgNylb5SykK9E7piLQN1FLaEw6DXVKTXT+AKEs1RoAUIXZIlUG5pNtk+hZEH+kToxmUj/RP PBJAn+u6aJ8A+lXWOtb74Iq3p9vvga6u+tDZGvQdzCWVTDB8Zjru4wHZW3OT7UPgTeuEPUmR YBtnn+bsBrw0NjB1Bv8lXl96lYHszIwdOd3AWtcyJucnsCc46jo8IXewzd+RBrmvrFtzK8Kb 5Lf709uCZa2lffJh8B3rO0eZCdbi9nC1Bfz64cPK976B5L0pjd4UgnrUp+4faF/vfsAjJycn JycH6m+pv6X+lr9dL6NwRuGMwnCg/YH2B9pDb0tvS28LrKu2rtq6ajBkyJAhQ4a8/y+QtWvX rl279l+P/0e3d3Nzc3Nz++/0hxPnGz891+4+haj4h60i10DlkuVHFp8COSVsU+w+oDRkk5gN bCBeHAHXXKfFeRP8Ovos994N7BGnpS/BkeVs5PocpJGSwkmQmivnlQogAlmuewK6LT6JJiPg S2NJD9oRta9qAfkjSjuaAUOk3vqPQHsg5qtnQT5MjPYGxPbcAqmtwb4tPSP5JdhfWc+mpwFN Xa7UdvBo7etSz+IhtVZij/j2kG9OyOchNcF/q//cSBUyvcyvPYtDup+rr/QAXJ3eNExfAt5D LIOzreBfMcg3/CQYd5lr+JpBq6kW09aCFCxCJStITx2dteEgL9LZfFuAJdq3hfcDeDw3q2Fa JLzIvHf8/jp4Pvrmrmu5kJ1se2YpAx6xkVvy54Khg19/z+tg3Zx5NfsZaMVyatq/g3BbRP2I lVCkV5kyReMhf/4Cr/KPAe+TvkN8ToDcQjkqTwLpc2kyu0FEqme0pyA6av1cBUHs5nPagKua 2COGgyjDK+aA9EbWy6dBdNO8teGg/aQN1IzgKscBLoPukPSK+aCvrZSWWoLYL0a5DoEo7Tgj moAzVB2rXgRXpvjVVQjEM+0m8SA9UadwEBhMuNQVxCsh4Q1ijMgS5UG8FU1FARC5YqK4CmKb Nk3rA9JcnPQD1zXxVvIB0U/52hgBclmP8oZE0EcYntpHgXzP8YutJ+j0jk326qAEOHY4vgL9 XnMHgzfkPtSN0NeCdGvW99lOONT4iO50FdB9pj9r3gD608o1ZSTkjss6m/EW0uel3UopCmpN Kd55BzQfrZwrGVxXxTrdUjBcNeyRKoMrRPPwDAA/nX8pLxNIO2iu1oWky2nfZU4CalKWVf96 +yq6qOiioovgp+k/Tf9pOtStWLdi3Yog35Zvy7fz1nv3k9uFFxReUHgBSCbJJJlg4NWBVwde /fd9gQysOLDiwIp/3vb/buK6uC6uw+5mu5vtbgZd07umd03/HRuuYQ1r4O7du3fv3oWYmJiY mBhwVnBWcFaA4Njg2OBYaPio4aOGj8Bwz3DPcO9vw2R2z+ye2R327t27d+9e6O/s7+zvzHv/ ud9zv+d+cHX11dVXV+ctrz6s+rDqw6BwRuGMwhn/uLjHCx0vdLwQZERnRGdEQ9fCXQt3LfzP H6+/vhByXxi5ubn9v+YPJ84vNqX0eXIezhS4XS3AAqU+KLEzcgDocuRX8mIQ34m2UnGgMy9p CDiIwQXqWc2o6UGqLy1iGEgP5a+YCOwhWwoAVlAGE1BetNfWgFgiLVFWAS4xX/0UdPc4ISqA OIxFfgLivujg9Ab9Qv1xz47gNKX2fNEPsgdcLHp6LqiFkvomdQZxUz2TWwmeN7m/4lkpuPnZ wx/f+IG0zd5AigFfUWqsdyHQv1DOJH0I6jS8vMuAwemnhP8Cumu6ItIFyNzlOp7WBhwbMwKS LeDv6dxoHQzmk4YN5rsglVIDDSNBd8a7cvBCSKrnlRKwCB5MTXj7RgfPrl6XrvWBx573jt5I BUd+xWnQgc9XBeYVyAE5TRcsDYCsFW9Wp94GX8WjurkxlChQK7LSRSh4ruTkwgkQtDzgXOAe 0E/Wf6jvCdJB1lIDxGJV0iqCSNMScIKwikHCDLLKd6wAZToLJQ3UL6WtfAq00lZoK0GsFEFa BOir01rqA+KoVIaZIJfV7omBIC6Lr9kJ4jB9tK7AdpFPrAWlmlxYpIFpmhSs5IL9c/WoqA4u GaOQQVuqLRZzQT2tTtAeg1aOgsIA1BL7NA1EazFT6guk0o5dIB0QbRkDorHYLlqB+B6ZAFAX iJoiP9BWpEhJoLWR+xu8QAoyHlS+AH15pby+PIjD0ge5k4FJzrqun0EaIt2hFii3lT2mmZB5 3lJA/hTsd9SJzuvgHeR7zDsGDPM9VY8KYD8kqcr3kFkq7VaSGXgi35OrgtgtpqkBYO1i2+8a BEnfpJzPGQnGC4aBymvw6ujT2LwYtDdin/oT8AeTVh8fHx8fH/Cb6DfRbyK8bvi64euGUIAC FPiL9d4lzvVO1jtZ7yTQmta0hu9uf3f7u9swpPqQ6kOq5yUyNe/UvFPzDjzxfeL7xBdaTG0x tcVUiF4YvTB6IVhLW0tbS0OhtEJphdLgju6O7o7ubxOg34pfYUCFARUGwItmL5q9aJZ3AVC1 atWqVav+7faNAxoHNA6Amzdv3rx5E8RgMVgMBnWVukpdBaXPlT5X+hxUXFVxVcU/cCHyez3b +Wzns53waMujLY+2QPqX6V+mf/n7t3887vG4x+Mg3j/eP94fOk/uPLnzZFBqKDWUGnDBdsF2 wQZXKl+pfKUy1KMe9f5ie62iVlGrCGffnn179i04VzpXOv/OT7efX3F+xfkV0Glfp32d9oFY I9aINbDPvs++zw6FKczvyX9fTHkx5cUUGJw2OG1wGr9/Qzc3N7f/n5H/aIBCg8y60HHwWry6 mjAVfr508MTZZ2A6arCZvwSthmjGciCCeB6C9KW0RFoCqLhwghggpvE9SCvEcak6SBDBABAn RRHxAUhTpE1KDMibRLTWC7hDcVaDVkJapHsDNNJ2uzxB2y35MQrUEpbGCfPBcTBhxP1ZYK33 0i/mKGjjXRHpu4AsrZP9OJh+9CpjWg91BtVqWNEDasU0dtX3AePq4JzISpDS1rbB8wBILq+F /jvA84XZy2My6FSvCV6bwbOyd8XIr0GsVuoFBEDm15mFLT6Q8bHlfPZPYH/oMcGnMiS/8W7v fw0enn9T/5UBYjacK3/mEcTsvLXkehg4ehiPeRwFc3jk8dAPwFXD4bCrYP3gbeP0e1D4qyhT yD5oVL35/DqtoeK56rcrfAdRNyOGRZYGrxeGqUYrKC20c9o60B0TxbTmYFoq95LXgr4KReSV oKsmPpeqghQrWvANcECdpwaD7gPtnBoJSiwLtEdg/EDpIo8GvcxeEQbSZ669rtvg2OTs7+oK 1iHO711pkDvOqajrQRsrVlMAjA/1djEBdAelw65BIHfSGmrRoEzXzroughIkZFEMdNfkXuSA cknuLnJAuiAFSWVAuiqNEbVADqOJ6AC6D+V4qT8Ytso6+THoG0svpSpg7CWtl9qDYaDUnWAw zJeuiw6ghEo9pOGgXNBlGi+BQfJ46r0azPvMrTzegscX8lapNJg3S9+ofcHXw6uGvgp4f6zL UbZAVsWUqJQHYK9kz7JGQ+idsKmhDyDybES1IutAviuumHqDPJ71whN0/ZTZyhWwjXQM0DpB evvMGZZ7oN5WW6vdQHaIBc7I99dQi2UVyyqWBc92PNvxbEfe8syTmSczT4Kzv7O/sz+Evg59 Hfr698ft3Llz586d8xK5IulF0oukQ48ePXr06AG+T3yf+D7558sbOTtyduRsaJ/QPqF9Atz5 /s73d77/7fXvjbw38t5IqLKmypoqa6B7ZvfM7pnQ8W3Htx3fwrXB1wZfG/zPl8Nms9lsNnBe dl52Xv7923k/8n7k/QjKli1btmzZf36/DzY/2PxgM1STqknVJNCN0I3QjQCpqlRVqgrVq1ev Xr06lD5f+nzp83+7/eVvL397+VsoWbJkyZIlf3s/73563HrOes56Dqznreet50G/Qb9Bv+Ef l/NU1qmsU1l5rw9GHIw4GJF33E6cOHHixAnYErMlZksMbG+0vdH2RhBdJLpIdJG89X7v5/B7 473rYU+JSolKicqLs3///v3798PZs2fPnj2bt/zdhcqpYqeKnSoGDofD4XDA0aNHjx49Ctu8 t3lv84bDHQ53ONzht8v97sLv7oi7I+6OgD1T90zdMxWeT3o+6fkk2PV81/Ndz2GH7w7fHb55 5X/U4FGDRw3++fPEzc3tf58/3OMsG+R1HgOh4e6Kxrp3oLq5cnrh9mB1Op7Y24IcL5+SjoM0 gp0iB8QR8VzUBO5whUvAXGm69BmIG1pt7TVQQosnC/hBPiLlAm0YLU6CeExVqR/wmFtiCrCN HHEDtBTpI8kI8jbXohQfSJ14qMbGX0CzXv7yflkwfV9rS/UaIIp5N/cdCFLS/R63Af9lxouG ZZBZRV/Ovxk4dhv1pkRwpjqme64ELcJU19AKzPUNmnEE6BroZnmOBPVTvnXuBkMT2UcYwfDQ p2/ACsgNsDw1tALrclMtY33IvRDQJ/x7+PXI63txpeHex2cfnHXCM/OjL56awFnG55rHQPAs FlDV/1Nwds6OtJUA/XYt2nUHyq+q1KIMUHJYhdUl4iC/KWpVvlPgsUzXWT8Zcs5ZhlvWg727 GCa+AcNWXXlDNJi+0B8ylALHVHs9+3eg5GLEC5RZcgCfgmbVjNou4GdphigKjrKuQFcP0KaK C9wFW0vR37UWRIBqFt7gaq7FUA7kZ9J0bQpI+bR8YhM4X4qiUk1QakgFRSEwrNG3EWkgpzFS fAFKIH3EY1By5GipBaitRSNpIDirqIlkAFXFIOkuSLvQ1OWgDKcN+8FwRNdYXgRSmjSR+eD6 Vo3RfgVptgr1QHsqPhS1QGvAY8kEcobUgARQO3AFLxAXxXkyQFop3ZYjQa1nCDZsAK0LH0kf g9Fke2CzAnbHDPv3wGPzTaUpiEzachCyC1ubWl6BEbMwuiDkk3yrQxaBtF/pbvgM3o6L+/jR InDdJth+GNSF8lGhQq4597TaCmx7rCbHA/DIUQbLEe+voRb5ssiXRb6Ea6HXQq+Fgmula6Vr JbwY+WLki5FQpH+R/kX6A0MZytB/HK906dKlS5fOS+Te6N/o3+ih0ZJGSxot+Yv9di/SvUh3 OHv37N2zd39/eSMORByIOAByjBwjx4C6Vl2rrv3t9Tvk65CvQz5IOJBwIOEA3K9zv879OpBy LOVYyjEQW8VWsRWoTGUq/+P9J3dK7pTcKS/R0t3R3dHdga65XXO75oKHh4eHh8dvbx8yI2RG yIy/WLCWtaz9h7v9L+ld07umd4X4NfFr4tfA0c1HNx/dDPaL9ov2ixDeNrxteFuoP6b+mPpj gMc85jHE7o3dG7sX7JPsk+yToNj4YuOLjYdTnOLU39lP3U11N9XdBD8f/vnwz4eBOOKIgzZh bcLahP3jcjbyaeTTyAee8IQnQLuIdhHtIuBE1xNdT3QFzxjPGM8Y6LWh14ZeG0DKlDKlTLja 8GrDqw3hQpkLZS6UgSbPmjxr8uy393O+z/k+5/v8/nj5ffL75PeBN+3etHvTDvyv+l/1vwq5 ubm5ublg72fvZ+8HpJNOOiQcTDiYcBDyv83/Nv9buH79+vXr1yEiIiIiIgJaZrfMbpkN93+8 /+P9H+Fy/8v9L/eHhtsabmu47bfL/e7CcmOtjbU21oIuQV2CugSBT6ZPpk9m3rMH7y48S1CC Er//NHFzc/tf6A/3ODtuGJ7GW+CpZ+xnx9uAd3Gv3l6VQL4qpmp7QLKLC+JrEL3EZWxADq94 DjzgKU9B/la6Io0AR13Ha2cPsO9ylnLWA1mTK8tvQOwSy0QYkEWWiAOpEn5kAOXEM+JBHq/h lCE342qxM4Eg1U/Pyq0K0vDSrSu6wGd8k197bYFgS5sjAz8A38Eto7qUgODeVXpVzIbQ1IC1 3h+AcQI/KoNB/cR02kMFZYfumikWlL2612YB9qualzUc1F6OCeo5sLe1T7YUAVsXS4uMPeBV InB4cHVweRW8UEqG+4Y3X72pCTHrzu07ex+edXtUL6YX2Bd77zM+BtNjnyp+PcHZOSckNxK8 nihT5aZQY1TN11XsUPmXOksq/Qz5e+bvnq887DMcrn74BaxN3fzrj6vgh5E7tm3/GtZ4bZix YQ2c+vXC0bMfw5tTSWfjvgPDUZOPXB9ks+6kbgq4rmtnxGdAtLxU1xvkt4ax+uGg/9DUXL8Z PE4YPtAPAcMQxkkXQXogvNXZYBok54grYGgiz5X2AKPFNVEM1AZqAdc4sO50fe0cBNZvbPNd FUEeLOpJZcEn0/xauQGmBXqdVAD0emmKWh4MxaRp6grwqKF8T34wL5M/kn4F/RY5iu6g7laf qLvAsdKpuW6A86iaqHUC12SytH7gmkcbLRacqhjiygDXdW2E2h1cFnWJ2AmuNqKN9jM42on6 IglcSWIExUB+rfPUdwfDVtNXHh5gemI8Z9oCHisIFmXAlGJaJ7UH7xBTvDINsk+lN0l9BJaJ lhPZ9cDvaMgYn0NQuECB6wV9wFRZf87bCoYY4wyPTNBmyUNN5SFnU+4wUR9cg1x7zTPfX0M1 /mD8wfgDhMeHx4fHQ2xwbHBscN4QjaLRRaOLRv/+eO96QN/RrmnXtGsgr5PXyevylktDpCHS vzA29a/HYP8j73oGnzx98vTJ07we38qDKw+u/C/0NL8bWvFuqMe7hDVncc7inMV/+OP4h1wu l8vlAssZyxnLGehSsEvBLgWhz9k+Z/uchcCXgS8DX8LJYieLnSwGuUtzl+YuzRuqUud+nft1 7vMPL4TeJYjNJzef3HwyNAtoFtAsAK4Pvj74+r9w3N55/fPrn1//DJUGVRpUaVDeBRY3uclN qHil4pWKV+DVT69+evXT+4/3LgF+lzgnH0k+knwk706GPFweLg/P62FPmJ0wO2E25MuXL1++ fPByysspL6dAyV4le5XslVeOUpZSllIWiGsT1yauzW+X968vLCNmR8yOmA2nep7qeaon3L59 +/bt23mJc4vmLZq3aP7vP6/c3Nz+fH+4x7lc6/zba00Gg5AfZPrBm+KJHoktoFi5olsK3YGs ajkds0eC/oT+oX4kMIHNVAb6EUQd4JK4wnXI9MiIyDoIATMDPQMsoHUTpbUokLZKEdJIIF1c EbVB3GUM20DaKa+WPcHVJLNMsgLW+rHh8TfAmZAWaL0FwZf6rRqwC/TngrtH3AHnCHuq3QrG LQWOlVkG4iP7F/br4N+16my/NPCYdnHLk6bwqubLC8mrwTaGKLkmuKo4AuwnwbDf4C0sIL91 PlOjQDqoRtuXgVRBCGkz2E56HfL8EJ6/TnqYNBUe2S9PuHgSniY/Wv3gc8jq4rHceA18k7zq e60AOcXayH4HfGwerU0zIOJh0eP5B0Lol0VP5VsJhjv6HcahcOfBvWP3e8C9pjE5z+rA6/jY M2/soIxQtuhfgy1TfeH4Eu7qYz54ngWHvzle66QfVNld0VJuHJRoWPRh4VxQPtYVNNSHxIGJ uYl1Icgr6EDQUtA1EU/1ncE8W6+qXhBSKnROSCfwfGCe6V8NHJ/YLzs+B+ceV5jrEDg/c+Vo nYEGcgvlC1AmiTrSAJADdJ/qLJCWlHPYUgoyG2Xpk0+Bb1fvj/1WgGGXcbkpBbinmPgWXONd FV0/gnOO6zybQe0qBoiNoI0WX5EMaj/xGd7Afp5oK0EbLxCXACvp/Ap8yhjRCuRa4iO+AjzF MdEURGEeiPMglRWqKAvqEPFY7AHhEudEDMjT5NfSSZAKGoubhoDhOy2Dk+A1yN7SehxEsqEo m4BCIkgpDVl3U18mbwTPZv6DXAL8lwS09ysFocfFOWkjJJ1IvPr2BDhShLAkQUZAVmF7JdBe 6T/2PPD+G2yxnsV6FusJt9bdWndrHahX1avqVQhYELAgYMG/HjeiXUS7iHbwZP6T+U/mQylK UQp4uvPpzqc7gbOc5ey/Hv8fSUxMTExMhB7DewzvMRzMKeYUcwrExcXFxcUBhznMYf7robt/ lFC+u5CwGq1GqxGMtY21jbUh5EzImZAz/756vGO6b7pvug9Vo6tGV40GQ11DXUNd4B73uAeV HJUclRywaeSmkZtGQtq1tGtp1yB5TvKc5DmwcePGjRs3/m3cd0MJunXr1q1bN0iZmzI3ZS5E RUVFRUWBiBJRIgqi50bPjZ77r5f/3VhpubfcW+79d1b4z+P/7uFJylOe8u8vXkhcSFxIHKQ+ Tn2c+hjehLwJeRMCYSXCSoSVAOWIckQ5kjd0ybjduN24HUzJpmRTMlhuWm5absLG6xuvb7xO 3h0DBQUFpPPSeek80Jve/J3y/PWFZYvAFoEtAiF1dOro1NHw9tDbQ28Pwa1Xt17degUc5ShH oRWtaPVvP7vc3Nz+TH84cY6vm/zZsxPQ3KNOVDsFzt++8uxKCNi8XD3sNaBQbD41qhYowXJv ZT/QVVQW20B7zWZtFGhl1SzXXqCR6Kt9C9LHoqI8BuSlLJang3O3a6fzFsgF5CSlBUgRUhQD AadkwAy8ti21jALRzXrNXhw8TlcoVz0X9B7hZYrWAO217dfc7iAFKHeMp0F8gkVeAS7f1GBL ezCWDu9XuAb4d6w1tdTP4Pwx+0tbIKRHZi9xDQIaG7/SpYHWTPVxtAYmOQtnHgNKqO3UV2A/ FtGt4CR4sT/7tb0EPC14OfLiSXgWca/brWxIG6ovpV8NHi1N2b4mcK109naUBPmQfFN6DspW nwP6FfBi5pslLztB3OmkT+OzwLbfVtrVHeL3Jf6SfBNspa1lHVVAFyd3VOqBmiKaOQJBtHZl iJvgChN6cR8ydmdH2b+HAz8fO3y6P1y0XMm8XgvkZ/JKnRVyDuR+lHse5DrSaKkkmPObAs21 QBxgp9QGfNr4XvIoBd3fdPBuWw38fXwHBQwEQ1d9NaMP6H807DDUhqwR2YtyksEx2/m1Mw3e NkrpmhgCV6tcr3t7BKSuSRuV6g/BZ0JLBLwGU5apqPkX8MwxbTX7QkWlfPXyLvDqZvT1vgTq Le1zrSVorenJVtDGitlacdAGaTLbQNwWLUQFkD6RRkinQRupfao1A+GLygPQPEWEqAvaMfER H4D0kpqiGUhDtR8ZAtpAESiSQK1JdbEDtCasFzkgW4wLDZdBX40e6o/gUdNa1fYxiPGGqXI+ MNfQ6it9wSplJqXNBTnXOE9fBCI6FiC0DJQ6WvBZ5Ifg84XhjnkpmD/wKKP3BQ9d6JqIhQA0 /COzavy1dwnSmZ5nep7pCeXnl59ffj6/ewjDb6lbt27dunUh2ivaK9oLft35685fd0LhwoUL Fy78Fz3RQxjCv2F2hGq3qt2qdgv219lfZ38dMM00zTTNzOthDw4PDg8Oh8ttL7e93BZqUpOa /5d473okK1CBCn/5RklKUpL3Lrtnds/snuC9zXub9zYoWLBgwYIF84YGVKxVsVbFWnk9+A/1 D/UP9RDaOrR1aGvIdyDfgXwHfvvw/tbsFO/2l9IwpWFKQxApIkWkgO8E3wm+E4BBDGLQP1+f /B3zd8zfEe7UuFPjTo28sdrv3K50u9LtShDVM6pnVM/3H0+WZVmWIXha8LTgafCwwMMCDwtA h4MdDnY4CLp5unm6eXCx38V+F/tB8ezi2cWz8+L5NPJp5NMIGu9ovKPxDghuGdwyuCVkn84+ nX0a4jziPOI8/nG539nVbFezXc2gzdI2S9sshdK20rbSNsjfM3/P/D1hz8s9L/e8BC5xiUvv ++xyc3P7n+QPJ86lyxVrVXUG5M5xPM6+DN5jPX41fwLJO+P3J38K+TxCfPzjIetD6zGpE9ya eW/PlSUQVNv3ZVhhiKn6us6FLhDh71+2YHOIvJBzpoQOCsQV3V2wPRjX69NN40A8kHK1WHBK 6mPXbNC/EOliPzBKtuAFhm/yzQ3VwMtYZ37jDuBqKQdwH2SVB+IAUJy7WjDQ3pirpIKugX8T f0BL15fyGArmgBJ3S4wAvxLxczMyQGtz7soNJ1hjtZ+lOuB6kPM2NQAso7OfOwPAtb7QwdJv IflLz+k+peDVjDv6a8fhRck7C25aIOW5NoX+oDvu9dRrPhgsSje2QtaM7Io5IyC9gXrZNgji J2a0fVsAXCMdPtoGcFRQy2oHQIkzTDdYQC2k9lQtoA1ydnbZQF4u38UC2mbXClcHUFuJc8ob IAdFfQquvs55ajqYq5nqe20DSw1rqNYM1JFOW+5IMA007jF9B65Mra/qD1m+2S2sOlAzXW2l FEgqk2rKaghrx/yYsbMD+Ez0Kel5HsrtLxFX4iNQV2kbtNrw4HmM16NzoBugt8gNwVrd9oHt HFjJ9XKcBMyipDwEtC5KC/kUOE47nqTvA/HANdDxCRiKG1P1HaGIo8DrwpPA74HvvYA5IOao D7XBIN1BEhdAv0LpqmsOrlvqMuc00DqobykALBYuUQaEnTNiOdBcZBEI0kS8RX/QPhcz5fUg 2mjp6jcgXaE8NUALVVuqC0Cup5znLqgLpLMiC+inVwx+oO+pDdT2gjnWNsxZAfjcECLfAm2v qK9bC9ZH6WVSF4Kc5L3Xoz9Um1FvVeWBUPVNtWqVbgHnpTJUBi1KFOfeP92c/iGlulJdqQ4f Vf+o+kfV//H6f51o/da0YKkFUwumFoSWsS1jW8aCabRptGl03q3wGFOMKcb0r8f/vcvLZpbN LJv5/o/bv9ueFnta7GkBH/ERHwE1dDV0NXRwvvD5wucLw1avrV5bvYCtbGUrhLQKaRXSChr3 aNyjcY9/fb91R9cdXXc0RPeI7hHdAyhKUYpCA2MDYwPjvx63nkc9j3oecC76XPS5aNiWsi1l W0re+8Gvgl8Fv4J6m+ptqrcJaEpTmr7/ePmT8iflT4Lkuclzk+eCVwmvEl4lQBevi9fFg2Wp Zallad56hBFGGDRs2LBhw4Zw9sOzH579MG/ozLux7rUX115cezG/2eP81yoOrDiw4kDYH74/ fH84SBOlidJEkDpJnaROUP9G/Rv1b/zh08jNze1/Aeny5cuXL18WokaNGjVq1PjXA2lBrkHq dUhNTduQdAk8Bpmf+u2Duz88fH5qDMS6Yh1pvaCIrui20icgsWt2p2e/wv0FzwufCYbwFM+N +cPgdeGEqfHHoGVs3cN9i4N3qFc7023wM/o89y8I/leCZoW8AHWJaCFmgbo25fyvj0BNU7N1 VcEwOXxnmZkg37I/VyVQY5QZ6lgQslRWXgI6P/Ub6RGofYxt5MKgOyFvU26D1evhhlu3ILPw /sAjcfB2RGLTzG8gu6J9We5TcLzMnWSIBF1igXIlraCmV9pdOgCeHXo0/84cuBN2LN+ekfDk atLgDAvkNvAw+54H3yOeAZ5fgr27daO1CqQUypiZ2h4snR0B1gega6fP0t8H1a6liDOga6O7 YWgL2iy5tpYCtFX1og44ZtnnOGeCOCbqa71AipBq4Q9amBYtSoLwFsHsBZElojUZ5MdyF6kh yI/kfXJ7kC/KA6RqIE2Xlkm9gR8lM73BMc7xRi0Phmh9G2U/qJJ4o90BaaxorjQFySV9zi8g hUr5tX7g8iZJywJdsmzX1QfDIP0leSao89SToinID6XjSn7QtrgixTmgE3OFDvQnTbm6nSB6 aVvVCVBwdlSlfCcgdF9oSPA2yDc47Hh4CQh/G7I7LB2cVudw7RPItGU2Sd8LgWsDFwTeBckg Zeh7gVxB/kT7AtS7/x975xmnRbHm7au6+4mThxmGnHOQnFGiknOSKEgUlKCABCUHRUWCkiUj QSVnAUFyzjmHgYEZJocndFe9H3b5sb/d9fV48Kzn7M71ZWa6q6rv+19193NPPdXV1krzFCib amIbCeZKq5o/GERn8UxMB32r9qvmAX8d3yeyOOhljGKyPHi6+Beo06B6CbvYBsYCqsmewHv+ 2mY3MEd7y3nPQ8Yin2ENB88iK4FCkPKud7y/G9hM52DXEMg3P1/+3Ieh5r0KWpkvoUSXEvML zwI9LqC5/QK4+ttzuv4FEsEDqQdSD6SCc7lzuXM5VFAVVAUFZxedXXR2ESR9kfRF0hdQv379 +vXrv/r1/rexcePGjRs3QsuWLVu2bPlXW5NJJplkksmfzfHjx48fPw56r169evXqNW7ci4cq /iibDhwY/3VF8Nj9lTM2gqirHQ64Dnd4OPTGVTgVcuXWiXUQOT1YFkyEuitrjXg9FzxVT5o/ GgSPGj9ueK84PJ+XOCcjAuIGp5WN7QPGHbEjPhoe3XwyP3YtyDcznmf0hryz89zOlwf8xRhj uEEfIAd6ZoM9jzM17B7II3rVQA1EoG43vwBN6gXdM4AH4kNWAJXEHtMC/7fXR5woB0ktD+/6 5RoklV73/vYdED/01rZnIeDz8G14LdAauVvmHgr2ijk/KbILQjtUK1bmHjzTEpIf/AoX39tr 7mgKdzMe5Hn8EST2Nz4NeAAhMwOk8yyoyWY1cxsk7E3pk1gTUk6nf5haD5igXxUDwAjVbovb 4Bho/9EYCqKjuGweBe2C2iKXgb+d/21LB7OEdcVsDOprNUotAeuQdd3sDWxHlwLE29rb/AxK U5dlFWCX+oUYkBflEVkIpKlcKi9YU5RQb4GZaK0ze4Kqqh7KW2DbbxQT1UG9Ln5RV0BdUHWF B9RSq4X1Lki7XCnDQbopS2dgp2wjj4OlZE65CmSS2qRWg4pQk9gFMpscLxuArKoOyIcgj8to cx+onOJ9PQc8ezt2RspxiG8X//HzLeBr5O+UcRus42a4PxoiD0U+iMoLMR2fLoxxgX2RY71j INhy2Jo6Q+Dh8oft7lmgrdRrirOQlj+jsm8NnDlxfv25aRBXIO5UXE0witlXGkshIC6gmLMj PMsVF5dYDU58eKbsuSYQN+d5vZgfIOutrO3CioJxWb/sigditB3aE9DzUVT2BWu4XGwOAaL1 69p3kFHVM8p3Aayz5gDrV4hbkjwnJQ58hTNqex9B4MeWU1yH4B5ZQ8JH/dXh/vtEHos8Fnns 5X7NR2YfmX1kNshNcpPcBK8nvp74eiI48jnyOfL91db+8/F728ZlkkkmmWTyr010dHR0dPSf sFTjxHcngw8KuLc2b+MLpcExxEopMwbC3g5sExYPzyZ4Hl4+B+GrfFpYO7i/9/7Mu/sh6Vvv nRQLTs64t/fh65Az3nE1zAaFNkQ0K3MFnurPqqUtAEe0c2DSdrhc/Fm7E8FQ/JNCR0pUg9AB OX0FDoFnjvFl0ByQgeo9bS3oU0V56yikF7ykbe8BtqVZ+hXYDEbl4Pth18Bz5EmtWx7wXrlX NiYExAEjIjAWAgrX8tWrAsH+rBk5N4NzQnjnsK6QsOrwtgtFQI4KGxVyHZ5oMk/8Uri980S9 I3HwaND9kPvJEDcUSz8O7kj3XqcElom5woS01qlVUm5DalR6SOpD0D60f6XNBucc53ZbD1Cj rWj1DHydrSneQGAQu3kOdJK9xFugbstiZj3QBos3mQFWX/Vva3NnGbm08iBGWnfkB+AY7Cgs 5oJMVbX0eEhPTks1JWjp+ldYoCbTQLsBcoh1U54C8SGntZugrRCLmQv+fN4kGQvWNcpRHNjD NfND8FeXR1RDMBL5TmsDfMJKVRKkn3WqJoiv5VFxGsR08ZQwEPHklMVBPVKFeR1USfpzHLSy ZhPRC4xgW6j1FcjjqqaaDalZ0jCPQ8zKp+WergC307XE3hHoefuQ/iM4B7obu1vBnc/v5bp/ HnyGr48sC56LnvkpH0Pqj6m1It6Gp/cTDidoEP9lyleJK4A1yYONBXC3ePTsBw4oe/A1UXgr RO9/OC19F8QGJRRIqA2iQfwacyhoLfSJ6ijojbWPHUFgPLDtVBchrzfqWfYNILswy8oLRrQY ZowGZ23joCgEKWbS14lTQPvYfdD1NpxOudb2zlO4v/xByccToTclkwv91dH+NxDwRsAbAW9A S1rSEv7DL/9OLnLxd/xjnUkmmWSSSSb/m3jlxNnT2VHdp8G9T+O6PouB8E4hfY8OgNtjHlzP MKH0iYg7dSPgZ9+p5msLgK+R9Yv8AfKQO7hAXcgWYvySBWjQtEK/pl2g9tq63vo/w/0j9yvc CQbvEe+19IHgITGXVQf8Pc093o/BvKjG+kzQ7tvuBlUGylhbzI9A5Bajva+DL/wWN6bB87Q1 M7ekQ0S9jrl65AXnrAL5KrjAsTV/dXcq6Bft1fXJwFGttHEf/APiizyOh9TspzodHwPG6/Yf UxRYP2e/lqMH3Lt5dt657fCw/KXyF/LBs7wZM70/g/rKFRz4FBzN7d/r30B62fTmqY/ged2U 7xN/Bd9ps6B1CMRX4he9LviiPdl8H4HZyr/aKgH+BbKIWgJqu0oSK0BlUZIJoHwqQ/YFkSE6 EAoiXu+oxoJozxKxChwdHR/oQSBqyXzUA6XJMKsw2Ge5b2tnwGztXWFVBJnTvGdFgxFtFBAV Qa1S3a1TQG9xTXwC1psqXl0Fc5FZVS4CNYBBdAAxSA83soGsocYpAdoutUxMAPWT+Ep9BKqG HCurATPZy4cgEkRu8RSwxI/iKzAXyGTZGfR4BuuVQTbwNfL/DLphK8Eg0JOMNsZWSBiQlDWt H5ypcn72lUuQb16eaylOUH3VJXtreN4x/kF8XrBVsY3T90NwoaBPg/KBb6t/hwJSUtOKJydB mj+1e+phsCarz1gFnv3ekJRCcKj+sYYpM0B8rd7Qx4LaTzG9GGgVtOlaVrjd6+7V6CtAHTFB ZYCcwGXrG3iW/WmNmOxQUORqHNUGgj8M+ihqI4iiejmjKmCa12QnSAmOzRf/IfCz2K/vBf/b vuf+F7sMDP6rwzyTTDLJJJNMMvkzePXEea38hFBIG/U8zJMENishw3kOHI0D5oRWgcdBosEF P9hei3rXbAwZTuvH5x9C6oqnttBoeC+pdZb+oyGwhX1rQGcQk5gtp0HBXgVaFPNC3L3kKY/d cOZKSsL27yHkJ//ESl0hqqhe2v4meBN8680UEEsNp+NTsPqyxHKDPjO4Z1A6hK6o8V7VXeA8 ULp+rWgQlaTdXwVUF7nfvALyB38JRoLvzaeVr46FpMZbRm4KAl+nxINmNgiaX3lDrUbwxJU2 JjkZHvhPDzk6DmJ+jL+SUBXSS4rHWmsI/t5VIiAbqBDzsVUfUk6mZklZBN7z1jE5ENQKHonr INzyqvwBVEORQHuQQWoebwNzVVlygmqtbqh+IKqziysg3qANHlAfq1+UCSySIwgEeZlZahp4 b5uDzFQwHooyWhCI7uI1nMCXZlazOkibdUetB3VJluYyiBDtgVYYVB91TK0DulBOywHWLZVd tgLWUUk9Br2t6KUJEHGih1oHspUKoANYlawk6yigKKZ+An2yll1/H+Rnqr2cCOoHtUFNAPGN aCyygm2P6MBZMPrZGvM+UATJXDA/k+W5Bt5y3lRrPKi7sp+qA6Kg+EGrCjd236r+KAZMj9Xf ygb6CKOpfgK0FK2wdgDibYkLk96BXLYcsyJbQELlpOeJucHsILOoDuA74v3ZnwBahl5abwG+ LL5B3lNAK/mJmAbaTe2MvgGMQENoG0EbL6qyCsRFPbcuQTVRMWI9PNv8fE3aFXB9aV/8PB/Y h9sGu8+C46QjLiQnKLsRpfUEb7J3c0YryKiRPDxpI1jb3Tns1YAfif2rgzyTTDLJJJNMMvlz eOXEOfnT543Sx0C207bWJUtDn9BmsUM7gv1O2AJ/Lfh58bmiq2eAv4u7o+ciBOxzhqY1hx9a Hhk6Yxx0LeEu+eED8OxIXy+OwrEeWxL22sB9PWB+hAFmLW2rNQkKDQo/XfACPJqTtCKmBEQW C5n56DwEusLaRUWDbCqHW4tA+0H0dxwB24Qciwu8D9r0oIZhacBwraQSoK769vnrgKqo/Wzs BzzGKvUc/On3064tAt/MZ1MSD4M+Knty0RrgSw0/F+SF6wN+PbBvHTxacnfr7YHwrIqZTxYB Y5ZrSlA70D+htzoMSZfTMpL3QOpZT3nPYLB1cEh9D5gXzFLWPtDsWrI4BaoDq2UC+H/yb7I+ BXYzRTwEPd6op78PsqhVzBwJ5kSznBkGmkPrq4UCi9UwMQvkDVlArgP/PvWJ2g4+pZZjgebS osRZ4HvOi19BrpG35WYQo1QWURr8Cb6R5kGgtSgndgCVxUHVBqwEtVLmBH2wnqhtB06LYaoK yKbWe1YFUPVUFzSQS6yVVm7Qcxrdjc2g1qn9UoBWQ0xmKxi5jHr6DVBDVZTqDPoucYXpoH9o zORTMN+2PlYDgFUqH4FgNbfqWLGg/WQY2m6gJrPkZjD7ytPKAC3GmKPlAjNM+eUOYKp5RNUG M9J8KlfBvfb3A549B25r69VjEEu1t2QU2K/aL+lvgv+m3+ctCtY+6x25APQ9ejNjCagwFSIB 8YPVQRsIcrEYSl3Qu5OhtoAcrXobH4G6J58oHWK+iRueWAWCI4MqBCyGbB+Fv+1wgpaTS/YP QO8osomPwJ+Wtix1Ohid7NcCx//V4Z1JJplkkkkmmfyZvHLiXGxw1CfVtkB/1b7l8CgICA4r 6voM4vo/PfK8AKTmiS0QdAWudbt/9U4RePr0WcDjO6CtthfKkhe22o6X2NMP3JP17wMGQ+KX /jEPssCThr5Wt45C2vepkekTITk19djT1RCU5FsfMBly98n5RrbGEFYlysqVDt7NGZ18PYBn 9HB6QB8WsS+/AdTL+Pr5TtBOWPutKDDLaMNEWdB2q7ucASrLkh4/GANDkgISQdejZgX2gCxX qn9Zvh08D/DkTrPBw5Nnfj7VEWL6JPs9OSHjA7HUCAZHRTnOegDpJ9OPppqQmJE+Nnkp+FrI UVZ30HuZicoEtVytYS74S/pj5DvgH2l5rDTQviZMXwKkcY8GYG33L7X2gXwmE8zNYIzVjusf gMihDRVTwV/J7GSWBPETNUVpEA/lI+UE1U8kib5gZVMj1FAQYxioboCqyLt4QJ0V7WkL+nAR igCZT25Xi0Hd1VbwgH/bf/QHEJu1luI4iC1iMvlBXTDvqxignmpLbTB8xo9GOIh1ml0UA2ow VV0FUUUUESEge8tSsjmI2byploE1nnosB/9+j6E6gSylzqs8YF9hLNfyg/xVjhA/ALlUYyqC WibGUQ/UAzVHhQN9VQF5CsQl9ROlQGWTA9V+kO9whq/BP1/usuqCvtLobUSAQvaSXUC+qXZb jUB9K/Oom6A+V21UPlCH1CpzJmh9xVQ5BxivdzXOga2sraIGUPvf3plrVjOf+bqBY7l9o54b Mo57vxCDIPq1Z91i20LAbedrAV4IlO748LXgSxTjRTjIIv5Y7wmQhzL2a1eB1rT5q4M8k0wy ySSTTDL5c3jlxDmfyt0g51w43ut86sGmsP/GScfePPBoZMLn0SHgWp2lesJkCO4U+pOrFSRo j4f7ZkJgV/dQZyik5PJ89egNSPlRHksBcrcK6htyEYI/C0mvmAKBO7Omu3KCcPFUOaDS2DKr m52BG7areU/egrwPi04uWBZ417bb0QaoYxb3TAMjMSQq23egpjoWsBqUtNaZtUBUEte1FNDu qGFWc1AllHQ9AEfFAu+Uqg9ZFmSNKGhBwNBsOwp9BRcmrfxu0Rh4En3vk/u7IWGMVYK3wNoi MpgO3uUZI9NGgBmujaIWeNP8TayFIH+U8YwCdV9+KJeCbCgj5SqwJqiOagNY5WWUbAfiLa2y ugwsZhzFQfZVxeQzUBv4VnQCmcQzFQWimKrEaiCSPDQAFUgFlQsoIKbwI4h3Ka6qgUqR/VUi sEeM5zFo3VUGscAV0V1EgfqUItpnINtgNzNATZQfUgsozkCxCqzDZpg6Bfo3emkRBvpj2+va TVAbVScRCwxUQ1U/YDtNmQSqgHSqbUBzLYtaBfKMVU3eA5XTOii6gshqvKMlgr28PVI4gM/t R7X7oNUyd6qPwJrGFzIfqMnyubEKOEpPvgJqkkdmAauNvKu+B3S114gAsQmbyAWypypvDgQ1 Ch+zgDIy0coD4hNhN/KBOd98RHvQSogQUQBERXrLt0DkUblkb5AjuC1ugDVNlrdagyhtmioS pC6vi65gTTcHqvLge0N0xwbaWqOOlg2eJ8YHZQyGZ7WDIp4ngHuKM869BeyPxSz3QUj/QCyR +cC3O+Nnb8i/B8nVVw/U69evX79+/X/ilpBJJplkkkkm/3spWrRo0aJF//76r5w47899ee3W ZfDgbPzCpIHgLmrvYcwF8761T3YDkSNxvt2CrJFZnoZUBs+nWZ2Pa0O2Lr68xcvCkxwpk2Pe hoDb9gj7Ybiz9tlr1hIImpNUJcYA2zvGHNMFhsMt0t8F367bfdRauLb8ontje8g6NmeK2QSq nK11qv+nkF4yw54xDHSHXtLtAtHEPTZ7D+CRila1QKtFBP1B7hc2kR1UNPEyGMQ641BUKDi7 RT2wD4Lkrg/H3n0NzrU7kP9gRXj+WUYWXyKkr2KOmAbuHY5QdwiYucWPIgTSynouZgSCf4G5 UC4H8bZI046CFqvnNvqBfNuc4tsF2mnZWiaCFquX0fKBbCrvqENAbqozHIQmfOI6MFNNVT8C DkrxASipSqmjIL4Q1bRPQPVU3VRLMOrZxhu1wZovB8g3Qc6UDeVXoFcXWUUkaFe1a1obkI9l mHoEshnl2QC2FNu7jmJgVgABsj0AAIAASURBVLFymrlBWtYk2Rp4WzkZAVLJtuoZAJNkNtCS tWr6TtA+0c/rh8EqYHW2uoNeXBQRP4HKKTOsSqDWqiecBqReQ5wCPhM2+oFKpwIJoOb5SkpA lrLekDtAxYv2+jLgMr+opaBOqLdUf6A8bdUyUJesUgSD+E5kN0uB6KVp2imgqrqurQO5R56U dYBcIo5vQIykjrUVeEclyp/A/xqz5GsgdqulejZgL8XlERA79HesWaAGG6OMxWCVtfqKH0Bv pBkqEORSFaGlAF1FIe6BbbmoqtUDfxlzrOWA+LUJg1LLQ2SnMGeqDQL7uLHfB2E3p5ELzCNm FeEFuvLonyHQM8kkk0wyySSTV0d71QY8a3w7Y71Q2pHXIVtC2fpl26c0g+y/5qkgfoWY2IyL vmFwvf+tETFZIaCF54YRBOp4cK/nJ6BA42JFC1WG2Jj0CqoTyBJcSv8c4halnr7xAzy9mtLh /ocQXy594+PjcPbC+Z77S0HAgIjyhZrCMc69sasapGyIef/OQNDsjom2/mB9qrKaj0HuoYGz KlCfd0VuoCqN1D6gAg34ELQqcrkYA7IGN+XXwEym+cPhbuKxFcfiILrFvaCHdogb5lusPgDj U8cddz0I2R7wZuAY0Jdq32nXQIYog3tgT3bkcYwFrb52Rr8DcrHcYH0L2jrtB20xGJFGUaME aAO0Tto+EDmx8QDEdbFTfAzaW9o72scg8ugldBfYctpK2U+DeqBOqzfAVsZWxsgHzsPOI87z YO9ua2b3gaOW47QzBVzHnX1cI0FboW02+oP+hl7P6ALGJcPU74PYLvJTAbTd2nv6anDZHN86 c4D7B+d1R2lwzrJftecD+2N9uO0YaOMV2tvAFquwnAWinpyuFoMtm75BHwtKUotTYMWp2VwD +TmfsBbUXRkpD4NIpSa1wGpoZlP5QLb15lBxIPdZo7ULoGqq4zQGUVc4terAAnbzHlCS+eIZ iG/EaD0FRLQIFFuAeSxgBdCeruoSiGriNWGBGi+Lq9Yg7bKk1hY0XbPZe4At3VjvPgqqqtyp XQPrmVmeHcBEftJHAjPlKqqDtdasLKPBEmaytAH71EPVDKwi/v3mPbC+80fJrWDetIabvSCu z/MZqeUg4V5SdGozoK1yegeA8ZH2DjvAqiOzmRX/6vDOJJNMMskkk0z+TF55xtk1zHnKOQaS N3inpjSFHOm85e4GAePVE/MtyB4d1sSZDJHnjYHB8yFPmyx27T7c+jF51dOFkPt9Z+UKH0DJ OWVX5Y6D+xUeXj9/F1KPJsuAUWBg+8pWAPTrti4pYaAd9P7kmAFhPwdrIcsh5m5i8fQGsKPW 7lqzI6DDyk4XphWEtPtqn9EEtDYiXg0ElUvcVt8CWYnXugLbRQfVFmRlOqi+oO3W2hnx4G+U eCGpAlzST/Y8VgLihqRFpi2GNL8apk0Hdy9X64BI0HaoJ9YR8I/1HvEWAFxinNgA2lnxjiZA S9JqyWgw5/gum5dBGysuax4QLY0Kek2gh+oovgGxhiTrY1BO9qlmQF26i4MgP1Q2okG6ZUXV ErRvtGX6d6BrultvAEIJqR0BS7c81hDQuutbtLkgNor92jHQh9gs41eQe2R5eRTMcVZ98yoY M/Vx+gKwlsg0eRaYpIqwC2zj9ZpaMogHWrJWA7RGWletJliXzI7KB1RhkkoDbollTAExRQwS 58GY6WijB4L10HPbdwbkXjObmR20qlqAVhlIkV+IeJBlRR5RDcRMVY6fQVXQe+oPwMim/2C4 QKWpZJkfKMByEQXGJW2U8SbQTaAKAl+L4fooELP4hHogHNpA1QXEI56K+yB66fNEAbCfdpQJ Cga1AqeoAfo8Omn1Ab+al3oa/F/7RmTcBvm11UiTwHD5qXwE2iZ1ge2AQ/RXLUCGyjXmFNDX 6p2MFBBHVGGtFLj2u4Y4l4C21mjmuAYpk9OKWMfBt9Df0goFvYUeLHaCilFO/yKg/V8d4plk kkkmmWSSyZ/FK884P+seG5WxHuxhjqnOnhAuImLztwaPU4tLOgO2bpRUY8BcY1+ccRRiYr2f J+SH9H7pBTO2w4UKT9b+fB1u1Ho0+kJdSI5/Xl9VAluca6zzBrhd4ccCFwM/mif1E6A6Wz2t G3C3yE37w3BIKZ9wXu8Jj/dap+8mw40Vd4YsXATuq85L9oYgP6OB5QGWcE7fB5wTd5QEsqql fAMsk+3lT2CfbatjpMOz4ddqXD4PDzrffvf2e/A8znfIDAYVJqbZDHCEOJ7rLcCzzlfddwHS a5uGbxPI/OqCtINvua+S/zBYU6zdphOMI7b79vngX2JWs9aBUtZxuRgcLW1ltHugHTS6GQ7Q Db22cQpsY23NbA3BUdz2gS0MOM959QZQmrKqIzCQ92kAYrvYxhpQdVQe6yZ4vs8Ykf4c/N39 ob53wV/KfGz1BdOyClibQM+hl9IzQLskTmnTQPtAXOUcKI2J8jKIs9o4LR/wiVqlBgFplOET EIu0DM6B2iKi+AiMpcYm4zCYE+R0uQH0ZmqpqAWOYfZyjsmgtzRu2muDHmG49W9AVVQlRB1Q NjlBLgUZzRTygz6XQboGxgOtpS0IxGpKaZ+BTJB2moO13XooQ8Dfz9/VXA+2ZWKHURxsi7QA 2xmw77B/6L4H8nPZTJUAWdrcIneCb2DG1dSvwfde+u2USpBeJ61B8jCwXvMvNqtBQL0gPTQD sl/LGVukKIStCV+a9zQ4Ogf0y7IW3KGhTbL2hohdkVPyfg2hX0R0zl0QXP1CxkX0g6CaYQOy t4Cs+6Pm53CA7TPXitAS4O9mrtfLg+1LsdRaAEZnUdP45K8O7z/OsLrD6g6rC+33tt/bfu/L 49MKTis4reBfbd3/HSpWrFix4h/4xuI/l/+r+utVr/uqfv9V/v2z6P+vyj97v/+j+FvHUyb/ XLxy4pz7eNYO9kuQY0GuLCHREJ0RfyPhEDzw3R+esQ+etUx74ukA8Xc9gfHT4GHHZ2e0s2DU sTq5GkDGN2p2alPwVjaPWbkhPY+/jKMPiJvJBZNqgDaA58kNwIoxZunjID1OBskZkHFSdk2e A+YqY/vdhvCwzXOblRsW99g65ccjcL7xoaClceC64jwZ0AvMJaqA9wcgm2otwkFlUWVFdxAr RHk9J6hRVj7vHbg1/nSl0wsgrmvCw8SykNLV9wQTbLedF13zQY8Ul7XOkD4to176B+A9r67K IaDyiFixHmwTbfOMZDCm6E1tU0DfoA/TVoC9mj3S2AHyjvpe7gb5k5ojW4PR3uikvwV6Nb2W Xhe0cdpobRKIVPGAlcARHvAtiO/EClEFZKQsqjaAeFd00z4CeyWjgcMJzvOOh67BoA3R1hhf gExSddkFWoTeVTNA84l4fQ1YTa33pAbG+3pDvT44UuyasyAY8wy3MRNEhnZXqwqikUAsAY5i 8SnYCxiVjBFAKJdJBq2SeF0UA+qqjQSAbhdT9LfBGKEv1iuBSpc1RA9Qw1gv5wBVcKvPwDhk JGhNQTQX91gEcqlVVE0HtVw+UQdAxDBBTAWSxEWtNej79Pv28uDb4y/juwxynLXZCgHv/PSj qU/A/4t/n38yyIVyhvoexGnRQ0hQP6se1ndASVGDFqDlNGobVcEqLB3qCQSdC6ob6Iesz7L3 zVUIcp/PPajwA8hdO+fogl9Dntdz9cgzAvKuyJaU7RDkO5WjS0QgZNsbusyVBqELHduNfBBy xf2esykYNbRLWk/QOophWjvQI7VNWte/Orz/OL8k/5L8SzKsubHmxpobL4+vC1sXti7sr7Yu k9/iyDtH3jnyzsu//6r+etXr/mc//tn4Lf/+WfT/V+Wfvd//UWSOk39NXjlxNq/Z0jzz4Xqz O0/v2eHctGuLr22BqNdz1QwsAhmnVfqzxxB7Kr6sqwpoN0WYYxPELkvrKk9BwoCkgsFbwN/c ap9lNzj6hH2QdBvSq/l7pi6B57sf5EzTIOnwswne8SDHWlfUIvAEZEzRa8Cz1MTOSS0hplN8 +ehxcL1Q9JPE92HZ6b0tJidBtONar32TwJnL2S6oPsjcsojZDcRqsUu1Ae2O8bG2GDy3YzfG FIV7Ny8fufwcEtplzPbGQ2o9awrzwV7D9aWjD/g+8RexzkLGXN+CjCgwq1OeVLAWye3WUBCa uERzkIdlMwmIrqzhJhi7jX7GcrD1N3obCuQzWU3dAvMts4m5FaxsVrjVFFRtVV/1Bzlffi/X gFosB8mtoN5XdfkORAHhE62ABbzDWuATLsg0YIFYq6oCi/nKHAwiB9ssA7ijnrAfRFftWy0b 6Ev023pr0BbpM/QfwTbf+Mn4GtR3ahvVgJ/UYlEWNItJ2gUQHsqJbcAolcEBUEXlWHUV9GVa W20Q8AOadhOsyXKxtQZEJzFQ00B0Fz30i4CPaPE62JbYdhoNQcuuxWvvgP2i/YL9EKiHuK1E EFeoolqACpefWyfADDOTzfOgVsuHqhH4f7SG+MtB2iLvNHMOmEusMQSD/kxfY4wHDIR4C/zN /W+b28A/0z/POgiqmnJa68DsYe7x34D0X9NbJf8AMbWfnLnfBuLnxw2Mng3pnVJaxD4GmeIv lboJ0nKmtUk6CskNk/MkdYQ0d9rN9I/A86E3h/8epBRN65MRBime1JopoyDpXGqP1GTwn7Ca +7aCo60+Q17+8wL15/if43+OfzkT3CpPqzyt8kCLCS0mtJgAm8ZsGrNpzMvyiYmJiYmJMGLE iBEjRkDjTY03Nd70svzIt0a+NfKtl+XGRI+JHhP9sn6/yv0q96v8X4/3Od3ndJ/T0KVLly5d usDV16++fvX1l+d79erVq1cvmDRp0qRJk14e3/J4y+Mtj+HTxp82/rQx7Ny5c+fOndC2bdu2 bdu+9Kdp06ZNmzaFJReWXFhy4b/q8GImZsWVFVdWXIGOKR1TOqZAampqamoqDB48ePDgwdAs R7MczXLAgMUDFg9Y/NLP3+PPtisuT1yeuDzQX++v99ehZcuWLVu2fHn+8vLLyy8v/217pjyf 8nzKc2i+rfm25ttgTpk5ZeaU+a/lqi+rvqz6st/urz+qzx+1+7eu+0d54ccLe158A1K/fv36 9eu/HL9zT8w9MffEy3p/b/+/6LdZ3lneWd6X7c+bN2/evHl/u3+/p//E7RO3T9wOW7du3bp1 68vz1gnrhHUCGj1s9LDRQ3i++/nu57v/dr3+aJz/Z79nH5l9ZPaRl/W6luhaomsJeJT1UdZH Wf/xur5qv/+jdHrV+8DvHf9b4+Vvjf9M/md55cTZX8KKDp4A/rh4p20ABGSRvpA2kPWCm6hv oHhU5IaIu+DKGmBL7Acp97R+TxuBscJeIX4acC91SJwB3gpmz5TmQKL4Mt0D1qzAyknnIXCj 0+d6CgFRej37EKC8udGzFRw7g3p6RoJvtK+c7TlEN46+qp0Cz8cZsz01wKgb0iziZ1hUbcPd oTMgZVZ03yvHwBju+CDgAchIs6//AHDYGKyFQHyDu6XuVIKH9x8HP9oHCYkZEf6qYD3TquhH wZZhP2nrC55UXy/vU0gf7y/tbQ6igvCIaaDyWxflE7A0s75ZAmQz2sqdoEpbH8m7QKJsIN8H bbC4JTQQTdUnYiXIgtIl8wIHOaHeBnlZXrSqghgieghAj9UzRAxoFrVoDeqZVdB6A6wTZoLv MJjP5SrZAlQu5Vd5gCEqP8vBVd9hOOPAvtHWwRYO9tw2ZY8Ae1tbSXsdEEXlc1UJeFOVZD7o ffQBemsQd7UvxULQ4rXK2ijQe2jh2nbge4K5BXKAvCODgWbkpCfIC2qzWgT8KC6yD0gUU6gJ BobHXgCMd41KDic4GjocARng+sIVG1QTXF5Xn+BL4Krv3hJUHxyf2Iu5t0BwrcB9YcUgqHnw 3fBmYI23slj3QV7gGrsgaFnIlPAZYLR3VHTuAlWKO/wE/kCzoxkF1nGrqPSCjJU1VQ3whKVf SesO/k99oRl2MDt486b3Bs+mlFuJneCpK2by48tw74O7i2464e4XD/vfPwXRrWPnJ06D5G7e Df7ikLTce5xkiB6Y0CejKsTuz2jlj4CEVmnJ5hGIC096x/szZBz2tbF2gXYHm2z45wXqhFwT ck3IBdM7Tu84vSNseLDhwYYHML/P/D7z+8CBzgc6H+j8svzU3VN3T90NkQ8iH0Q+gK2Ptz7e +hg2Ptz4cONDyDEux7gc4+Dz9p+3/7w9TMg5IeeEnC/rL6iwoMKCCr99vJq9mr2aHU7NPzX/ 1HzwzfbN9s2GuLi4uLg4OL/4/OLzi1/WO9PvTL8z/aD6xeoXq1+E1TdW31h9A3qX712+d/mX /iy9sPTC0gsw9+Tck3NP/r4uq1auWrlq5csP5BcfUC8S9Vqraq2qtQq+/vXrX7/+9ffb+7Pt +rzQ54U+LwSvX3396utXYePGjRs3boT3l7y/5P0l8FXRr4p+9f/ZLaVO7Tq169SGxVUWV1lc BVasXLFyxcr/zzj5jf76o/r8Ubt/67p/Ly8ShtDQ0NDQ0JeJzIbIDZEbIiGlY0rHlI4vy79q /1cSlUQlAYvOLjq76Cwsq7GsxrIaf9y/3yrXsGHDhg0bwu78u/Pvzv/y/LFjx44dOwbFOhfr XKwzZHkry1tZ3vrbdfqjcf6fiWgQ0SCiAWxvsb3F9hZQd03dNXXXwLRfpv0y7Zd/vK6v2u// KJ3+rPvAb/G3jqc/Gv+Z/M/wyomzc6L/Hf9OCF8YvDagOUS4gnfauoNWWK62qkDSCivNtQ+M ZvKmagCho4xdWXKCY6FjhXUaPKe03DGbwFfOvzkxCXwpabmDskDe08H9sqeAs6q6bTYG263U eXocuE5ZBRzlwTbZ9YO6D1meZp9oLwMREVkqmcMghzd8dkBxSD8eZ9PsEN3GMzXjKKy6vq79 x32BxDSVWAvEPNtQd0swtqoatISYkw+b3CgGz4smtEz1QOIzc4s8AnpWmzD6gRgvKmszIa1g xpOUTuBdZqb4poEYbjWX3wMmdcQK4Hs5WFQGfQgfam+BOs808zRYueTnZixYHSy/9ROwgFFU AtlUdlarQXNoKVo4aB+LN1kBtl7G++J1UNPZq5UFvYBx0tYXxGVthJ4FrJsyD1OBKBLVXhDt REOtJjBETNQnglVXzaM7qK/lFJxgrTc/8f8I2jOxSWwBvb/+iV4B6EwjboDoLtqLrqAv1736 JaCbCGYHaHP1anpf4J6WKGwgZovrNAdtHSdYCLqpz+IoGGu1HdolENdUBTEYjNb2b4xzEDU1 Z8N8wyH7lewtC7shaELIg4h8ELomIjVrfYj0Zvs1b02IzJWjZJ5gCD2ftWxUfohqlj0y/yhw XnCPD0uDqG+yzyzYAbQlhkv/BKzd5izvRDBH+GNMCfJT64j5OcjPrG3+PaBWWfvkOZDrmKqV A1GAJDkEzDQr2GwE7rLBN0L3gn2UY4CrFViNVDWrFqTdTtmVdB58H3hWpFcAOU1+aa0C207b bsd4cLV01w6bA84ljpIh2UG+Jdq67kPaSPOA40dIXevLxjRQIdoH+qA/L1BffACN2TJmy5gt sHTp0qVLl0JMTExMTAx89eVXX3715cvyR7of6X6kO/Q81vNYz2Ogvae9p70HYqFYKBZC99nd Z3efDYffOfzO4b/jK9IXCfDpBacXnF4AVwZdGXRlEFTSKmmVNDDOG+eN8xA/NX5q/FQ4q53V zmpQtWrVqlWrwuKqi6surgrhP4T/EP4DrB2+dvja4TDn5JyTc06CnCvnyrm/ff12bdu1bdf2 pV8vlpi02NZiW4ttL8u1jm0d2zoWjs85Puf4nN/368+260Vi9J/tqrG0xtIaS2FOjzk95vT4 7fZeJCwRERERERHg7+Hv4f//lP8t/qg+r2r3q/Liq/sXM96GYRiG8VLXFwnN3+vff9G5b8W+ FftC5IbIDZEb/n6df4sK8yvMrzAf7nx85+M7H0PyF8lfJH8B28ZvG79tPDR/0vxJ8yd/h06v GOfNsjfL3iz7f9ArrnVc6zg40/dM3zN9/+d1/aP9/o/S6VXvA38Wf1b8Z/Ln8sq7ajjGGee0 CpB6wBtsaw0yxAi2e8Ezw3xipYHhdGxLGwNqh3lUzQBRUV73fAvu/NgYCzEDrFvO3uAYZOzN WAiO8do39gWQsj5pOMEgj3lbpm0Da7LW1p0dgkbkqORIgJSrqRUCqsHTXzxP0vpByH3nKv0H CGnI8YCD4LyYY2hSLHjaJncPioVTXaLHP14GJTvtbru4MrxerEGTPhtBfKD7xXCIznNjyv0o SPBkpHteB+8lc4NZAFxlAz92lQR5Rg1Uw8Az1JPguQ3cZ6M4ClYlNdmaAvRS47SHIDerM2o+ iOH8wHJgD061HtRWuVy1A56JxmoNiN2aTywFo6/RyPgQ5Bw5U4WBroxWxnsgP5FpcieI/sIt SoG+Ul+ntQZ5TB5TB4ExajdFQBvBbv1z0HIJTfODccZ4LuqB+dwcZT4EUUwvrKeAli4qiq9B m6r9LJ4BT4RbvwR8KPrzFHRhVDDygHbHEtZJ4Cf1hAhQe7Wc6j6IKqqf3h9ECREijoB2gIrk AzWHSNEcxD3ht3kg8LuQmyFnwXkiQAVvATOXedy6AUnvJ617eg5Ya8WlVQHvN2mV4qaAsOk5 nY9BHZYXzU5gTjeL+iaDPkDPkTgegiYH7nQOAG+bjP4ZTkipkvxhQj+Qp31l/TPAKmVGeoeB epMq8m1Q48UUbTlwTozSroL4haeqMpgh1nsiDBw/uhNCJDjmub8MHgnpb6cTawPznBXirwVh 94M9WeMh9LOwHtkjQHyq56c3iJIGzitgVLNVdJUDla5K0QCMNKO0cRmMQnJGxltgXve9m34O zA6WxhBg/Z8TqNOLTi86vShcv3399vXbcGHIhSEXhsDiQ4sPLT4EDGYwg2EWs5gFqPKqvCoP xk5jp7Hzv7YnTovT4jTIh/KhfAh0pjOd/3Z7Sh8tfbT0Ubix7ca2G9vgVKlTpU6VgnJbym0p twXsJ+0n7SdhV5tdbXa1gaAVQSuCVkDYlbArYVfgg+ofVP+gOkTujNwZufPlzErNmjVr1qwJ m9nM5v/P9Z1XnFecV17+HZs3Nm9sXqizvc72OtuBilSkImDHjh3EVDFVTP19v158Jf1n2WXN teZac0G2kW3kf/MOyRf/+OQjH/n+m/ZsS2xLbEteYeD8nfq8qt2vijgjzogzQBOa0OS/Of/v 45dwwgl/9f7/s3T+LV4kanVn1J1RdwZsfnvz25vfhnOLzy0+txgmfDrh0wmf/vF2/+w41xZq C7WFL9v9n9b1j/b7P0qnwXKwHCz//vvAC158E/f38o8el5n8fbzyjHOCO+VNqxvIsXoWX3fw v2d2IhmebIodlvEFmNPThJ4bwqrrRyJuQVSWkFupbtCjrRNiEWTdE9g4ZDJkbZLlQzETbHVt deP6Q2Rk+B5bCXC/E5TV0RcCRzsasQni5qQdSTgGZtZgX9ISiByca2qGgiyvhSxyFwdtk3Mk X0FqoaSuTALPU2+w/33w7Xddz2gLa0JOdFvbHXaW2hK2aDF4X3+y6m4QPG523/UoByR18oX4 C0P6NuszOQ70Zrautm/A38Ms4N8NnpG+DN8wUCUYos8CVtFFqwLSoWbJ4aD6kKj6gQpUJ9Vt sOrKWLUOmKA90tqA+EXfrH0IagGl+Ai0NswTdUDMVc+4A2Zh84R5AuQQFaTugjqnflUHwVpl TZMLADfpKJCn5H65E1Qv1Uu+C/pEfbY2FLQ2WgfRAPRR+njtW9C+FwvEO6A/1aP1zaDt1HZq U0GbLiaJwmArbxto+xyM1tomvRAYJfVpRhwYbuMNoy4YaUaCrSzYq9svO3aBbb1RyB4MaqqI ETnAnssRZDcgoH7wg6DzYB/o3OnMC6qxnCq/gtSCzxfHnAZ6+memVQLtushlFAImqcvaQ9Av ctLXH7Sqap41Dmw3tF5aMbB3tz3XdQiYEewMOwXhdSPOZV0GeaPyDyn6DKJa5f6xEJC7VMEb r4VCnjOF5pSvCjmm5n+/zMeQ82qBWWVmQfZv8nxb/BfIXbFgcrkKkN8oPL/8KtDr2fOHVoXA q+GDs3qhcJXXBr9+GMKy5QgufgNcC8OfR6RBQFhwn7DiIN40WtuKg/WA1XwE+lJjub4NVEha 29g9kJov/stHX0JGl7TBGdvBqmYtUAF/XqC2/6L9F+2/eDkD0i6hXUK7BPj49se3P74N5787 /935716Wf7FmcNnAZQOXDQTVW/VWvV/+XLJ0ydIlS19+EPytvKj/YiaoeFrxtOJp8FODnxr8 1ADKyXKynHw5w7a85vKay2tCtYvVLla7+LKdc+fOnTt3DgacH3B+wPmXSwIeZn2Y9WHW/3DB 8pTnb5hhyjk+5/ic42F5jeU1lteAU6dOnTp1CjY32dxkcxMYOWLkiJEjfr+dP9uuFzNG/3kN +kl1Up1U8Gm2T7N9mu3PGye/1V9/VJ9XtfvFdV8QvTl6c/Tfkmn8OzUG1hhYY+DLNa2maZqm +XKmb4FYIBaIl+X/rP7/o7r+0XIvlmzMseZYcyyoe7Puzbo3wbhgXDD+mzWzv6fbq8b5lidb nmz5DzPd6yPXR66PhPKnyp8qf+p/Xtc/2u//KJ3+3vuA7YLtgu3CyyVrp/ue7nu67x8fJ3+U Pxpfmbwar75U42pUdEIlsL/vqvc8CsRSYZofQ+pH3mFJJcCe4btnWwtF2obMyzEMiqaE+Qqt h6CY7D3s68GTnLZGHgNxPPXXkE4gJoj0gHrwdFnaYysVfG8nVravh7Au4SsdfSCoUo653pGQ cOl5tYzSQKvE+u5pkPZMz+ufD2kpab2cpcD5q/AFb4AskREia3MIcKsvHRcg8Zh/xdN8cKjK jdh9RWHXpp03DyyF6FHJJT3ZIa2qt75/K0ibyCvvglHLeNNoCd6OZkW/Bv4yVl3/Z2CWUlvU TLCGmV/JEyAbqXRGgrwlJ5IM/vbWeEuCuqLyshWsVlYv633wrfAd8Z0ANUDNV6NBbBPPxccg J8t5VlGQuVRvuQ98hXw7/XvBdJmrzfpg9jF3+weD+Y75s382UIWJFALLrS5YWUBeU8PVZrDu qXHMBTlU/UR7YDWHVQ5gJRMZCQJxRjwDGlCb52DlN5+YK4CP1Di5CbQErbeIAm2i9lg7DNpb PBALQWsu5ujnQW9iNLPVA6dwjg1IA8e3ruLBbYG+WpLzc9DCxVijCngnpOVJ7Q9yOj/5bKDK 6/e1NBBK89rngfGjfk/UAmOzbje+B1cJ956QdRBwInRtVgXhn0Vuy9UXQnIGfRQ2DAIiA34J +gJcPQJLBreC0A8i5+cYCCGVsgzMXgHCt2V9N7cdIr7MVjjPJgh/Lev7OddC1hw5FuZzQDYt V9fclcAxzFHXdhbchxxbtH4QlTXrR7m+g4Dx7inunRDY2u22PwA9K5VYCNZIKdQbID5knVwJ IdMCT9rPg32FeEvdBfm+McJ+HFwDIprksIEtV9CsnPVATBRDAsw/L1DfOfzO4XcOQ69yvcr1 KgetYlvFtoqFQcsHLR+0HD755JNPPvkP29+NyjIqy6gscH/0/dH3R0OLli1atmj58ueLG+2L h2J+j+IHix8sfhA6d+ncpXOXl8erX6p+qfqllzNF2aOzR2ePhvIny58sfxJi88Tmic3zcmnH C148XPTiYcIe/h7+Hn44KU/Kk/Ll9WZ0m9FtRrfft2/cuHHjxo2DiTsm7pi44+XDPEPrDq07 tC7kbZO3Td42v9/On23XqDdHvTnqTdi/f//+/ftfPlz1ZccvO37Z8eXDSn82/7m//qg+f6/d vzVOOk/vPL3z9L/d/hftx7eLbxffDhplbZS1UdaX4z77luxbsm/58/v/j+r6R8uVOFjiYImD 4HQ6nU7n7y/R+D3dXjXO77x55807b758OHF3vt35dueD4SHDQ4aH/M/p+vf2+z9Kp7/3PtC1 eNfiXYtDzzk95/ScA0f9R/1H/a8+nn6PPxpfmbwa4t/WsilVpUqVKlWq/PEGerw25mbpHVA+ tNDWyg3AE2ee8v0KJ45de3TkHISsdQ8MGA3ZKgRXyfUE5FNth+0deP7o6Vsxp+Da/LtlkhpB 5NfZDtuuQJlLUW/nPQH3Wzzv5fVDcCtqyf4Q29qYkDwUAhzhQ8zWoF2yqqj58HhFUnlvHQjr JfbkmgfyQeq49AMQNTX76CyJEHzZvjXjGiSWTXN5vODfYOxOnAb5L4SXrdoHitwL99R3waaz i/osWgLnyj8oc+8CZLyvOtkXQY5jucblT4DU+LQfkn6Ch1MfN7y/A6zCopBxB+RBy6G6ARoF 1EUQHbjMEpCRSsrioHaq46o7iHyipegA8rDcLbeAllcfrFUDbbU4p88Hdc36SD0BXKKvegzy PT4Tk0AekJet46B9gYemQCW1RrQEUV07JUaA8GrXMcFW1MDZGMRdsZg+oH2ixahLoPXRduvr QYvWNzgmgnHIuK33ByPCuOboAmoy+eU6UJdUhvKA86DznPse2A1HVnc70B9pJfVyoGXVB9uP gy3V/qEjO2gJxmO9K1i7xDtsAq2iuGvbB1yVkfI6eGM8b6TNBLYywXoPXH2c3ZxPQa6wjvta g/mJZ0TGl2BUNTbbB4OoZNti/wTEdH2FfTaoeazQ3wFpyRxyJagjIsLQQDzUlmo7QG6Te815 4FmS8SClI2iBbFfJoOoSrHUBf4xsqpeFjPEpeRNOg7e/PyPjfQjvFV4t4gMInB6YGvEpeGd7 AzJKgnlcPkkfD7Yl2iZ9J9gKuoaH1wNvvLe9byWEfuTCmA/abr7xj4HE2im+1C9AX2d/EPQA 9EJaE+JB+5nzZkHIUzFrkiMQFjkXn1144K8O80wy+Wvp3r179+7dX67N/7/GixnTs/pZ/az+ 8h+Q1UGrg1YH/Xa9f5RuL75ReDGD/K/O//Xx9X/d//8pjh8/fvz48T9hjfPTrxML6H449s3t HFePgdrmu58yCiIGBHzhDgLNDDqkHYe4Z/YbsRvgdMrx2OenIbCK64g4DI42qoreDrLMJizL eNALB+aV46HAObduOwuPjj+4H58E5kb75LRckNQ//Vt/LTAKyIMBkeAeoivbt+Ar5E1RK8C9 MXSw2AepBcXSJ63gaVDiFbM4OLY6+gaWgqDhMk/gFKg0osj2Nx6BpSW2dkyGhNzJB1LGgucj q6JVD7SfjGriTRBb9ePqKHht3rf8zcCqZi5RNlCxRikpQC2V42VzUBEqlzoPqgqDVTaQx9V+ FQ/6ZfGtbgNysZeWoAqpu8QB78qe4mewxqifLAHUxqMArqlG4mtQJ0U4DtAGavtpC1qk+EA/ CNxXV0UCqCB1RC4BWovyogpYr6k8Mhe4ejnOuMNBn2K8q+tgH+t8P+AWBM8NeRJxC8TP4gPl AW246GfTQNqtbr4VIKV1Th4Cxy2n3TkfjMKOoc4loO6LjrYWoKfrI3QBtmP6BuMtMJNkCV91 EF6rvu8tUNWVZb0B2utGoO6DgGNBowNSQQ70r7FGAfGys68bCMFDhoLjamCbUD8Y2YwWRgTo PY3vnfdBHrK+U8NAHBPN1FWQrdmvJoLZyHzbegPkJfNkRnGQK70l0veBvYEKsC6D744VRiJ4 P/XPN/NCohb/XUJxSPs6/ZeE7GAMoJn6BEzN0yPtV5A1st+UncFZxlXU6Qdzj89SG0BU1Daq OeD/MS170hhQU9W7+lB4vsNbM80DcqksarYC8a79lH0H2LNbkzw/gTXGvKWeQmiewK8Cy4PR D7d+FVj6V4d6Jpn89fxf/0DfNmHbhG0TYHra9LTpaTBl9pTZU2YDF7nIxd+u939dt7+V/+s6 /V/3/3+aV06c8zyNWqq9D0ndPUdiekHIbn2Fux5k6WQEuJZDgi09V2oj8I4yDpgfQilZJCzQ gvRK1iLVH4xk/SfnZHA8S7lsGw2ycobHXx9CZej5wM/AmeFpa02CgCDxVc5R4F3r/ODZE/Ce t2ZmHAZ2+Ru5WoOYz6CEGPBUNrsZF8HYoJU2NAgbEtE+/BB4rroveAaD/CRhkOscRHwaYs8X Ab9eOdJ1/17wHWEOO8DsaH4px4HtJ3sp0R6YL9oRCv4p1kAzHOyhLhkwA2yX3GFBiWDG+Ieq a8BZXCIEnBNcTvcpcAxzXHSWBlnEumX2Af8+U/lzgHZdH6/3BaHopX0P1rdWR/M90M5rb6p0 sF2zxwbVBGkXd2RFYJWKET+AMddW37ECeK4Ksg+scH8O7wHQB4sKVhkwltj89iJgxBpV7QVA /9iw2wxgsSa0j8FWyDbW3QzkryhrFxiDtG3GeyC60FN1Ar2yPkcPA+s9ecrMA3zKXa0PiHFi HeeAjaqWegSqhepjvg5Gey6o3aC77O+6KoCVqNppD0DM0pvrJ8B8z1/L3wPUNyRQDewf2IY6 SoFrr/Nt+2nwXjPnqkYgl8gU0wZqkPzCigTtlmiDF0Q8N61gsF4jTesB1m2rp+wIHFevq/wQ eCQg3P0Y1Fxzs/wCYk7GOmNHQrzr+cCnXcHXxvt66h2Qh6yfZXPIOO3PJR+BXMxeLQjiTsW2 iRkBAbPdA0PygqOjK0vgLUg6lvJZfD5wvun228uBeKhPcK4Df4p3v7cOOMboQbbOYPvF/FU7 DukJ/pxpc8BdILBEyDJImp3SNTUAAs/oobYpf3V4Z5JJJv8MNHvS7EmzJ9CMZjT7q40BNj7Y +GDjg7/aikwy+dfk1fdx3p2SxZMT8nYNX5MNCCziKO6+D6nl9GQzHPT55i09DrJEGwUCakN4 3rznrA/AWcWZTWsIEc1y5shxEOJ0W3RicXha8Gkx+wEoeDO4dJkIyKpHFQldAlk8Qde9ErJ0 dKRF9QTtU3rbGwG3Wa22gP95Rjt1CBxjbHONPuDO72isfw3ebc6az+ZDfIvYa3d3w2vF898u twHEGC2IRvCwRMzp2/3B/7G8aLlAXpFv8B2Ij7RGWhLIAjK/6AlanNFFfwKhlSMOR26ByPzZ luYPhJxd898sEgw59uatUMiEsM5ZH+ZqCAGesKCopRD4bZYPst+GYD3yRu5mEHogqmI+FwSb kW/keR9CWmb5JscyCAwNbRDphqAuYbuyrYegiNB2UQcg+GzYpciK4KoadDnsEbg+DOoYfgyC CocNy7oX3KNCpkcVBvuCgCth60HP4WoZXBdEWXungLxg3+0sG7gb9F/sya7ZYK/ruB6wAvSx do8rCGjsmOv+FeRarbY+C7Qq+j57L9Ba649sNnC8b3vgWAXOR85Y126w2spjMgeIiUYV4xsQ NfSftR1gxNhy6JtBxIoYLQyc05xn3eMgoFVAtsAUcLoDbCG9Qb0rctq2gjbQ6ikfgXFfxBIP bJOveXTwRXuLJDUBT7aMPqnfQtobSQsSB4GnU0aHtEDQHmpLtVmgLTe220eBNU9O8dWAyI6h 51xLIFvhiCJhtUF7X1vqMMB539nF1Qmy3cwbmNcOWc/lPpF7NIQ2Ca0SuhWCA4JLBFYF2yPH XSMLhDYMLR/+GCLKhfaIqgt2S7sofwGjsHFKKwvynOYTiWDNEAPMYeDoa69nLAPGM5pmYH4i evED+IewhcxXpmaSSSb/hOR6lutZrmd/tRWZZPKvySvPONs+ML8IHQOybfwvtubwrIN3ScYa MCLCPBllIaUAu63tYO2L+dK7F8IquecbieDYqH+vBULiGHX4biq4soT0cu+BtIOeKcmr4cSi SydPAcZH9gl6H3DtDq5Lb/CMS0kym4FZgWp8BwFxgU+02mCr7znijgB/x/T7vnTwZgtrbzQG 28T04MA3IcJmfKs6QtGiuXJWbQJqUMZwLQOMHfIXURO8Tcw+Vl7wl1CP1PvgaqGP4jGoIqxU 5YECHDfGgnHCvjT4PbBqyHX+Z+BfmD44/QKodqqpugjaN8Yge1/Qj9tvB+YEfbFe2rUYtAF6 a68JaqB50WoKoiJNrLYgmuv5qA62VH1ZgBvUavW9vyzIKrK2LAVaQ2EzFoLMoJTVAJgo6mn7 wZnm7B1kA+FQa+UxsBQfEQB8IUrKMWC89m+7buhTxETVCXiK22uBaMsKfQWIK8SpVmC0ki3N 70GavuTUGUAz7SP7XdAK6YnG+2BNMnPgB9mOJvQCJqr+qilQX+0SWcA6bzW2soJV1bydMQis RuZmhoHvqv+JZzKkz0xKiM8KjsvOrx2dwdnd2d+1HwKMkI0RPUEEi2nGZND6yE7ekSCHqa2i AMgzagC9wTFRz6rth/Qq3pr+vpBgT1qfkgZ4glq6poDtiv69Pg8CTwYdCL0IIbsipmc7C7rL /TRqEGj3jSiagP6aY4itMuizrZEKUPVEeTUZtFlGoC0OsPT+rqHgD8tYlLYBPMfTW6Q4IGxS UIugjaAX1kvau0P6GO+X6WvA6kCMvhPMoqbFZ6AX1Ks7BehL7DMoDpQwNhv9AHiFRz4yySST TDLJJJN/Jl45cX5yJv67lDlwd4y+N7496D8FleQDcHZLbxDYGaTb8476BVI3+GwZSSA9nmfO ThA13nUvrxviPk9NuHYBCtZ0vOMsCOlZjNeNXJA41lvI6gJWakr39H0QVCp3T98EcDV1fu+9 AmkHzk/wbAF/DXtJw4SoVUHPw/qDuxUNnWshS0d9jfsApD709YtpCbU2lvc2uAH5t2UZUvQH uOe8+uhaNvC+r85JDawoMcIqDtZyVphXQdWVQ43doAqqoaIB4BHBekHQ3rQtctUA9a6W17gM jrKuWUE3wL/GX8A3FYyG9ijjddCqiQdGI5ClzeoZ9YFQYqwmwKcyVYwG7areVnQAosVMoycY h+yNXH3BWqcS2Ar2gvZJNg3UNTPZug7qO6sd98HwGSvEcvB9Z55MjwE5Sz10DAFjGkPVd6Da WYMzqoO/srzg7wO+ceZ4T24QDbWD6ltwDnJsCOwDnq+8OdJHAl20/DQA43PedsQDBY3s/gIg Aqx36A66qWc3hoE12PL63wbZ23zNfxP0MsyQV8HTI71UajNIWpNU8/le8L7rneYpBtZS8w1P frDntHU0hoN3mveSKAdpEUnDtRHgveodm9EDpE+zHJOBprK/vydkNEpNTl0JQY+DDwUtAsf9 IML3gGOZ47qjPNjCbfltEsx9qqpVAVyFXf2dH4PR0PVO4F0wp6v95IGIm9nr2r8G76L07f4P wF/LH+v5EUS08PrLgbdDRp3UmiDHc0gcAe1H7UBKO/C+nlEvpTYEVQwbHmID94DAKYHHIK1w crPUqyD2WynmGjBWCTuh4O3tddAAfL0zTiTdBOnTs5IBQQP1YgHZ/86gyiSTTDLJJJNM/il5 5cTZ2c3dMrUxODKcxVwfQkai2UfugpCGjgYBZaDgrnwN3cXhRvaHl+Ofg+dI+jf6XUht7YmI uQH2zc4ftByQuDc13PgJzKYZs6yrkHZbK5WRC1yF9ZJBh0Bcebg+3QnJnTKe+g3wXzV3Bh4E r9Mq68kKedJCt/juQM53KlcN+xG0M67mCW9CyT5ms0r3oWLjoqM6NAJ3+cBSkbHgPKzMG9Gg tz3bQzwAc7k5WDwDfZfMIy6B1UGM8k0FmUuVlv2A9mqVlQfUMrlJ3gDb57YiRjPwvS/7WqVB b+gc70wAbaPR0PYWiDlyjtoKorOZ3Z8I5iGrq7wIUlOTzNOgX1JZbf3Bdsj+vb0I+H/w97cm AOvELq0/mAd9rc0FoLUnm7YKrN7+x0mLwFcqo4ivM+id9efuiSAq2Qtre0BW8sd6PwY1zirg rw3WNS7KpaDlURkyCOxXbGvt48BjywhKCwIzh1kjfQ8Y7xprbZHgW2OdU1+Ab7N3m78g2Ocb mmMsaGe0MvoxsBaa57x7wFnMdkHfCZ6E1AHJ0yC1c0rz+HEg55mLrDtgvuvrk34LdK+WYNwC WZwC4gyY75p7LCeI5mqIPxekf/Ws0RMDHFHu1QH3QdvFYOEHK9qf4U+CuKbPn2dsBXd7/ygr DIyZttedoaCN1LYYS8HR2THe7gSrv1hsDIPkyt6J1giQYeoWPvDPNsf7s4Exw77JeAhip/Wp VhV8n/p/NW+Ab4BvqG8seBtmVErZC3o2Y7tjCOh+LatqCuaHPuUbDE9WPb3+LBTSwpK1xFZg L6JXVgXBscZ5M7AH2BoYowPc4K2ScS3jczAe6F0dgLZVnvBWBpoDyX91mGeSSSaZZJJJJn8G r5w4W8fN5bYyEHnJVcop4XFiSlv/ejA05XS1goy2/j5yD2R8ljDXJiD4bHCB4DS40yc668MH 4G+Tkap3g6CAoG/NTqB0eU8fAeKO1SlxNsjN+lj9Z4j//PFkrRpEfRD2nXMJBNbOvVxWBu12 ygB3Twhqb49ONcBf4H4ZOQE6NmhabVJvKPRd3uq1p4EvxCzEZ6Dn1/pbWUAcjJ8Y9AjY9vyA vyDY+9sq2e+AtVy/q56AdtHqZnQFsYvB4jDI23KUfw9k7E05GVcDzDBfDVcoaH20OD0O5E/G I2djkPeNcY65oCZYr6ui4FjorOcsB/Ywfar9M8go5GmbfARUM4YSBP6L1g7rAOjC1svIA+Ir Od7XC2RdXwfvRcCld9BHgic99UTKVZBNrZvmXbDHOkuoRPD5U+88qw6OOc43nI8hcEpwt7Be oO/TythWgjnKum05wFfft8ZTDPQHtkTtaxAVOG/tAW2OsdhxA/wtlSvjAhj1aal1hMSm8bti 0sFWX0/WToDMJm+YFyBjASuUDeQbcqpVEPTP9BQ9COjKMa0riG5iLiaYJeRI6wjoweZJ8RH4 65vzrEIgW8gt/qkgY+U9MQRkNCvESKAsjcRKsF+0bbd/ANYdDqoY8A9R51CgDxKNtWmg0hWq GqhotU3NBl9zb4J/Nsh2WozlA/to+3HHXTBDfbVlMngXmxUTvwIRY673VwGtot5D3APjK+E1 soMxLaRF+Hhwh4Z6o/YBd+SHagWoEeY0sybIYr7vrEngmuVehwTho6p/NNBR+9WeBjQTy8QG CMofdCf8S/Dv8d6wykFyt+fOp8OAxL86xDPJJJNMMskkkz+LV3440GjkvKR+geSG1rjYPmCu 9B3xnoSEavHZMrrDRd/1Yan5Ia2xYzON4PldX8PHUyBH9rD1KgdkK5HlmrYY0p65p6RfB3ay XHUBrbseYrsH4d1se/2TwdFSLyLHwr3XU0MTL0HKmLRw0wXeznztLQelH0QNq/sQBpRu+/Wa y5B/Qp6CdZdB+l3PHX8g+HL530z6Dh7defTG+SUQ1/JKzuihkDXd8YW7EjgM/WvdAdpg7TB3 QN0Wba0TIFZrW7VZoAwZw31Q26xW5mwwhuur7Q/AvS3odFQ0BH4a+mlkBXDpAekBDcB+yu2z jQbHDcdrelkQKHfqVXB9H7IvtDwE3giuGd4a3GddbzjygSPMmGNWBH0IQv0KySOS3np+EFIr Jm+Jfx207/THRjKYjc1ZfhdkVEqu8tQFcrvZyH8H1HgRrQeD1VaFyBVgjjTf9ZwCOY216iY4 KzlPuWqAkcdWz74LjAO2n11HQF3Svrc9B/WxSLQp8PX0vO4bC2Z9/0BfRUjNmXIn7jR4nmRk SY6C9Eaeqam1QD0QplwJcrW6odaBaCbWqwDgIK3EdpCBVmtrNchJVrjfBMaZ3XzDwBrgH2E6 QD6Ry/ytwL/H/7W3C6gw2V5cA28F/2RfA7APcZ4N7A/GJu1j+w/AY+UnN+ibjQZGN/CfMHua 08EX7VuTMRrkACvBvA6yMl9QDWy/Oka6YkA/bP8sqBywy3nS9gCcFdxFAuuCe0HowywPIeCN 4MKROcHR05bsKAq28banjp7gDfQVtn4F432tud4B3D+67zrbQEDBoNZhcRBSK9we0Q0C4kJe D04GW3tnc8dBMH5WrfzFQV/pqG4b9leH9/8+Xuw/+49iWsFpBacV/Ku9/J/nH61rJplkksn/ Fl55xtnjcIxK3gERQaHFgrJA2j1/OastpMZ6Kyc8gOQPkr7wrYVStlzVC56AG+/GF0sPg6i8 Ybuyx4GRR3ybsB5y5A2dHxgPCQdUuLYAIvoY/aIc4Osh9qd9CrazvoX2VmDc9ntDfoK4E8nX nzSFxl8VjyyXE9pf63F9yjHwfiUMWz3wfuNJSJ0F4kuSxNuQlP4k/GkT0GeqGyFlQFuVksOa B9mqZL8bnAZaM3FT5gR9uX7XsQrUEKunvzWIUuq++RY4Bznu22eC+DrwaJauEPRrljnZV4Bo rDe1ZwV1kfscBa2b8LAWXDsNZ/AgSJuSOOdxaUi7l/Ta07sQfFKfo3UFXydrhT4P5GAZ7+8B 1k75qTUXHDZbP7cBgWaQChsJ/su+jimvgXbVXk4vBXY3XlcA6AutHfaqYFsemBByHxzjHYH2 rCB7ml4rClQRo79tPBgLjdt6KZDjzXd9WSBtaNqnyXWA5WqfnAipD5IGJMVDSpG0kOePIEAP uB+wG7yXPZ0zpgEj5U7rPBhPjCh+BT1NT9O/Ad+7vua+n0CvoGmyK2i3tbJaAdD6a5FaUxA1 hE36QXagspgGuLVEbQCgy/XyNTCm6Edsz0AbIWzCDX7Lfy79NXB85D4a+AAcQY68ARdAL65X N9aDKCU0EQNae6OpsQ/oqK/QdoHtLje0SFDvavnFaFAlzcdmCIi+3OYa2GId6boELasok3UQ WM2tZmnBoL1tn6MfBds7Wpg+Bawffad9+cF72rMh/Szwg1pnFgbiGOWfCd7rnqbpbUHtENP/ fReNU2YNsB6bk7QnQD8tj0oEx0P3p7bXIMvToFxRXwBNgU//6jDP5G9lXdi6sHVhMJzhDP+r jckkk0wyyeSfjleecQ6Q3n5ZJ0GoDLTnvQo5KgUfztEE6l7Pu6piMWi4qdbdyscgfFjYHZEB FT4rtCdXV1C7jPqWDwLvBHwWfhMeFEqdkdYSkvJnBNhaglVRDM/ID9pPYo0zHbIuDS2arT7k uqwHJbwOjc8W21x2MLwb1Pf8rIbgCVOdZE2wzvvuZAwAY5aR4DwIGePTSieHgKunc5F2HBLi HxZ+XBocc+1OexwUH1Q+toIAx7vGN+I1MEqJjbaaoFrKGDqBFSua6F+CJo1fnctB26jdEddA PbZy+26BFeBzpncD61dPg5RnYO73tE2tA76c6S1Tm4CyrGy2peCeEyDDl4M3e3q/tOuQkTX9 eZIF1hfma+oYaK21hvYK4L1kfZLxCRh3HCuMh+AuGGqLSAHHyYAHQZMg6GZ4UtRtcKWFfR+1 EGybHc9dJphppmb2BjnUOmUtAiHlHfkZMMEqa1UDn8+z1jMC7P0dtW11wDhrbLYlQ9DY8E0R /SBHnVyu4qMhaEjAraiPQH5jjsxoBNZr1k/+eeAd6AvzXgSf7jvmbQnWRnOheRCkXymzAviH m938E8EMlHsswOpOHfUQrAxzkW8myMfWad8q0NO07eJr0M7r221twMhvTwxcCUHhWapnfQph MuK9XFnB3sI5M6goiAXOr90fgp7dnsORBJyyvhDvg70Lr9lHgMot4vQfQU3ErRcG/a5xwHYA VDm1T1wH7bBVyHwGqrR/iN8AqlkNrF9BX6+V1bIASfoHzgKgT7FfcujgXOs+GDAWIntnnZWt Ojj7uz4LyQGBvUJ+jqoGIatCzkZFghZnNHVfA3Fez2/7FuznHUcD2oFcbYx0FQBbCecP7jf+ /ID9rZnB3zv+VaevOn3V6eWrk7/Y98W+L/a9fMXsi31mZ5WcVXJWyZf1d+7cuXPnTmjbtm3b tm1fvnK3adOmTZs2hSUXllxYcuHV/Zl9ZPaR2Ueg8abGmxpvgq4lupboWgIeZX2U9VHW/1pv yvMpz6c8h+bbmm9rvg3mlJlTZk6Zl+cTExMTExNfvsL3RbstJrSY0GLCS79flBsTPSZ6TPTL +n1O9znd5/QfbycmJiYmJublK3pbtmzZsmXLl7r+Xj+tuLLiyoor0DGlY0rHlL9f/3+Urqmp qampqTB48ODBgwe/HE8vXlH8Qoe/1b9MMskkk381XjlxDskX8rM7H6TGph6KWQG+s2nX4tqD eQr838CYQe+krakMvds13TZgLURmDQrOSIdCfXI2yD4Mss8z3g86CtmauFvbl0GWPFm7WIfh ieULs1+BB2+mXo+bBFohb4Ub/aCRXsn2dm3o2qmvNrskaK1CygYLEGX9n+mlQHTQw/RLYF5W o6zDoIJlb999SOvvX+iZDonvPnkWMxLyfln28OvPIGB+ZN48Y8CVYlttRIGzoBFoCwWrq9os 54DmIsB6C/QJor84CN676Q09z8Fb2LPLfAhqjryIB0zlDfeuA+Uw3/DPAGun+bnvEhi5xTqr H7DTXsOVAMY1Z3CgDVy43wh2AW/aj2l7wL7ZVdN1AAIjg1PCy4HrVMC20IngGOucHhgDtmjV UBQA81rGLe9sEKOMKjY/6DvtDVw1wUagIzwc7N8HFg07BOJ9faPtY/DNkiv1VmBr6U4OKQv2 X937sgwDtz24f47DELg3qEjWYhDYKaxCZBlwdwgbGzUHcg4sMLHcxxCZmnNegWgI3xI1Ik8w hG+MOpTnOwh8OywuWy2wFXekBYaClmprEDALghqE7I6qAmHzs1TPdQFcfQKXRRkQdCe8UO7v IaJDrtEllkJEgTwdSv8I4SJbeMEvICJX1MhC98DZNuBw1kkg6mkV9dJgq6cfEL1Bm63c1q9g 7bCqp5eDjPsZnRPfA//HGd2TZwMzzNqeLmBF+N5OzwFaLhUq64BV21yr5QaZm3DffJCtVWWb Br6qvlxWHPhX++am9QSrn8+XMRG0oqqYrA9iPtf4FrgqpHobfKW9W31NwdzsjzNXgsojfXIW aAHaJ+obMIt4f7R+AN1OgDgN7rw2m4r5q8P7JfWG1xteb/jLRGvt8LXD1w6HDtM6TOswDRb3 X9x/cX9YvWb1mtVrXtZbfWP1jdU3oHf53uV7l4cNDzY82PAAll5YemHpBZh7cu7JuSdf3b6I BhENIhrA9hbbW2xvAXXX1F1Tdw1M+2XaL9N++a/l69SuU7tObVhcZXGVxVVgxcoVK1esfHl+ 6u6pu6fuhsgHkQ8iH8DWx1sfb30MGx9ufLjxIeQYl2NcjnHwefvP23/eHibknJBzQs6X9RdU WFBhQYU/3s60pGlJ05Lgrbtv3X3rLmzcuHHjxo2Qe0fuHbl3/O16rFq5auWqla+u/5+t67x5 8+bNm/cyEd7yeMvjLY+h1qpaq2qtgq9//frXr3/92/3LJJNMMvlX45WXaojV4T/HLQFnddvm sPaQ/kPiFt8jcDxmnisAtk3YOmLGfpDrPe+mjITC97NdrDMN7GneJb7hcNe0Dl2aBCUvOz95 PQekfyZ8CdXhlxwna8Xnh6LVIkbnGw7dVnbr8HE+yH688OqKDvD183/u/w7Mbr7N5iLQ7ujP 1GHQ8hKlx4O5xp/DEwpimIy1/BC4wrk2/A0odK3id68Xh+CdOd1hZSCtQ+wM7yTI0jR0V1BV MBrEfZPeH1RD7xqvF9RduZqKoF00humDQczK2OvZBxnvpdSLnwc+v/1d90GwlTae8C14ZMZX njVgNDbO286DHqfOqXwgxyiv1QDEVhEhNoD5xKzv+xVsdtt5hwusjzxrUlaB+XlaojUEhKnf N9aAfZDz3cC5IIbqV20lQU9xTNeWgnndXOztD1SzLlrTgHnqllUARLQWZSwB67p6ro8FrZB2 xBoF4jUesAesO+Z2cQ60CHtnlRPYoR3Vp4KcZRawroNxzd7f/iUE5Lati/oK3K1lbGQaaO/a gvR2gN/3bcZ58M/0PU37ADhhTVLvge4zuov+oOaI77WKYJusjRUrQPnUXOsMWPWUJsoDCFOv CiqYh1pnMBvJDpQEq7Xp9r4LjmL2x1op4JLV3SbBKmR5vJXAecnIYSiwPrTvdTYGbQdBEnC+ ZWskZoN1Wl5Q9cFUZqSMA1laxFkRoE3U1thGgV7RKOoKA12Kq8YFMEK0umYymMX9T31DQKzl Iz0ajAp6Hlt/8L7lPW91Bk+875qlg9ZOa2ybBZYui6pNwBTlERdB1ND9zi9BnLO9IXtCgF9v Zv4ITsveTU/49yDp8FeHOZT5tsy3Zb4FsVAsFAv/m+MbxAaxAfwV/RX9FYFTnOIULK66uOri qnCm75m+Z/rC2sS1iWsT4frJ6yevnwTZRDaRTYCe9KTn329fs+zNsjf7D9v3tY5rHdc6Dr4b 892Y78YAhzjEoZfnXyRutghbhC0C/A39Df0NX9p9pPuR7ke6w5ZsW7JtyQba99r32vcv63fv 2L1j947Q5J0m7zR557ft+qPtqHKqnCoHE3JNyDUhF3CDG9yABj81+KnBTzCZyUz+/+jQrm27 tu3agnZFu6JdgcUnFp9YfOLv1//P1vWX5F+Sf0mGNafXnF5zGuhCF7pA69jWsa1jYfGcxXMW zwGa05zmv+9fJplkksm/Gq+cON+y32rjMyBXfHB7621wTtE+lt/C0bWPip05Agfa3u24fzMU Ph++LMcYKD620OUSm+BZD4KfrISzda+fePYt5HJl72imAa60QI8fXitZ5L1CE+DtnB2WDWoE YbbsYeWTwbshbVL6z2Cl2p6rY6C1F+eMD0B9JldYjUArZuSjF1jtPSnpN4ApxhP7adB2a6sC doN1xjPj6bfg/zLjI8d4iLiWIyhvN8idkvvbXOPhlLw3PW4HaEd9ltYKZGfZV6aCUd9W0fE5 iJ3+PP6FoGdxTrA1BVszrZuIBz5SSy1AbKG49gAMw/aV80fQZ7s6uJ+DqGN29gvQRsqh0gHi O4+Z/gb483sfeGaBNOTb/iXgd5jLPQYYyXpnbSWYT2W0PA22Gq42AcVBK6dfMnqCKim7qy5g XhWGKgKqmlXGvxCclR0ztAhwTXB2dA4HFat00R2wq2A5ADz9/bMy9oNZ2tNEtAOtnr2acxho J8Q1fT0Ya3ibyWA/64hV0SA2M0dGQmKrlDfTcgFPrGdqORhnjTj7HtBy2JvqN8H60DMp4zyo rXKTtxSkzxZ3+Bl0S50wc4Ftm77bKAbigpoic4L+hKpWO9BuqipWKdBD9A9cV8CdbozQ64CY atyz9oBqTKLeBUJeCy4ZGg+e3GZlLoIVaW2Ud8Ce1bnOmA1qnipsfQL+Nr4FZIA3zr/M+yW4 nI6xRnMQh4TUboK5y7/R6gvGQb222AB6Ece7TieIu6qgeg6iq1ZRPIOAVFVMuwVhEwL2BQ0H zw/mY2sPmJWlR/sYVBHzvqoA+kV9spwPRhbHPkd5CD5gO66PBLtyhIuqALz3jwxg32zfbN/s 3y/3nxPm3zv+ghdfyUfujNwZufPljGTNmjVr1qwJm9nM5n+AX9pCbaG2EFR5VV6V/6/nbUts S2xLfrv+i3rGTmOnsfO/8fu0OC1Og3woH8qHQGc60/nV25Fz5Vw5F/Q9+h59z38od0acEWd+ 32/nFecV539IKP9s/V9V19i8sXlj80Kd7XW219kOVKQiFQE7duwgpoqpYurf7l8mmWSSyb8a r5w4+35I+sJWGDJ+Nhonm2D/VEwNLQvOoVZz6zkEfxGwMN8IeF5E+8UKgYuV796+nArZ80dc Cv0agmtFvRfYEJ4t8UVeSYWa84tVbNgWOhV9M3VwAthzBJcsEAP+tRlP02+Cdll3ieJg5FDf 631A9VS5zVogt/PYOgTaVWaIM+Bb5t+TEQPuWcExEfcgdsjjLE+ugu1bW2srCOxd3LHOCaD5 bE1c1SHH8jzVcm4F9y/2x1d+gZSLvg6OAWCNUwtFCrif2Qs5KkHK/qTiSd8CCZ5pnipgGxLy pSsNvCHenGYBcLR2hrqbAGPEm2QD78ykis9ug6Oh8/vAvSDWi1zGp2B8bfvW+QTEYP074z44 cIQ5RwI3xTZRGcRK630rF1hfmlW940EvrIXrMeDL7atj5gXHUqOm0RD0z+12hwT1lvpCXwUU tZ6ZTSFlUKIR9xh43frZ2xe8e83q6hI4HwWeCU4G44Hjy8DWYKtvM4wNYJTRr9svA4vlWjMU xCK13vclGL+SxdYWXAeMirI4OJo5T4kL4L7ufqCXAz1ZRfvzgxpsP6JL8NX2/mTlhwy3VUAF gXOU+0ZQYcg45e9AEvhX86W2H7ynzA1mADha64X1jqDf1L+zvQlqvjZRbQRXhmuPszmIuaqh /gaY5VQOfwMI2efKacsJRmO9iz0KzJWyByNB3BZVNQvUTFuG6A3+u+ZSwsH2je1rIxVkLVlN fQ/aeNdp20Hwd/Kv85QFvYUxWtdBvKGWqjwgW8jlVgSIbNpzXYGWny1GcQjITYKyQFRhtGwJ 9vl8pn0PvnBzkbwO3ovyCysHOO5rN9Tn4B5pz22v8u9B8uafF7C2C7YLtgsQFxcXFxcHN/ve 7HuzL7CMZSz7828Q586dO3fuHGw8v/H8xvOQ5WqWq1muwrFjx44dO/YfCpanPOWBM5zhDERv jt4cvRlyNs/ZPGfz37/Olidbnmx5Ah3pSEdgfeT6yPWRUP5U+VPlT/1xu6svq76s+jJYNnDZ wGUDob/eX++vvzy/ZOmSpUuWQs3NNTfX/G8yT9Vb9Va9/3g7afPT5qfNhx1BO4J2BEFrWtMa 2NVmV5tdbYBJTGLSP17/f5SuOcfnHJ9zPExuNbnV5FZQYmaJmSVmwuOxj8c+HgvHRhwbcWwE sItd7Prj7WeSSSaZ/LPzyomz+3pwgYiZkLN7cLF8xaBc1ai38teHsDMhP/uD4Li8teFeGpwe Fdv2yjEwf4qq4/4Bwi3fKF8IlFjr+9aVDPU3Nhk98xcoFVb43eoh4Fkkxrr7gRgqPrP3AxUr 5psNAE39SDqo10RFhoHoqIZq3UCP0KbpZcFMUi21NHC1dcwM7ARJd58eTHwEt06fz300EYoN Kj+ryjPQsxgPHStA7QJxA3Juzd041woICHMudR4ELXtGf88MYKr1s5YMthhbFsdssKc4f3St A6uEbYTeG8zKxIgzEGAP/DZ4HJjb/dG+hmANNgf4i4Arlzs6ZDX4h5qxTAftdeOx3h30KrZY eoL2vvxKzAFRRNuubQMryTpvVgffLm+1jNug39euGltBnVYh6icg0WirBYPaLiaq3uBf64tJ bwpc0uK142DN9J7ydQRVUd0SdUDo9sjA0eB+4h5sCwZW8LmVB+Qi3zhrEfguSJ91F/zNtADv BbCOmE+tK6DOmzXU1yBz0EfeB1usTRoW2N+liGgFqSNSJqTdA6usFc0UsH2g/6xagim5Ii0I fBAyOeQpeKL9g7V4UCmaZY6EqAKh80OuQpDP8a5WBGwbjJVaSRCRopRWC/ynfTPM3qCPIKv2 FohV+klNQVoV32pzINhGaPfkatAG6RX1aWCVUh3lWfDf8k3wDgEqsUEvAv4xviOmCTK7/31v M3BMcMwwWoFwyvv8CNoTWqjFYK0z25v3wFHE/pkRAnpbMcI2Fsw3rDnyZ1Cfi69lLxD3VBfL AP2cftVYAGq/vlYLA8/WtO2eN8C6oQWrtmAdMh6Ly2AMtCfqO4E5f27Adi3etXjX4tBzTs85 PedArY9qfVTro3/cDeLFQ1+9evXq1asXhN4OvR16G8rL8rK8hOIHix8sfhBmzJ8xf8Z8GMxg BgOdp3ee3nk67G++v/n+vyFxvvPmnTfvvAmNHjZ62OghhOcLzxeeDz67+dnNz27+cbtHZRmV ZVQWmDJ6yugpo6HFtRbXWlx7eb7E5hKbS2x++XDfC1740/lE5xOdT8CcLHOyzPkD7aRWT62e Wh1Grx+9fvR6+L7t922/bwv169evX78+6JX1ynrlf7z+/yhdx40bN27cOJj42cTPJn4Gng2e DZ4N4FrhWuFaAR/l/CjnRzn/eLuZZJJJJv8qiH+buVCqSpUqVapU+eMN1MzXZ3SeXlD1h7zn Kv4MH//a+W7/Z3Ah5833L86BpcW3dVjZF7SrgcMc9eHJ1tgFj55Bt9qVqtfaDm2SmxWecAi8 3/s7OmeDtj7ghGMH2BYH3A2MAjFADlBesDxqc+pQ0PaIYa7JoJqKZUYkaGd429wN/Cof67eB RHte4x4ktY3t9yAC4nc+Pf28M1hDzE7P80LO4QXffC0I3D+66kdsB32HY6zeC26XO/rB3lSY 6J1Ybs5ncOODmMfPvgD7UUeB4LMQujBH1zwlIbVBwtaYd8D7rTVTNQKbLeB8cBcQQdYu/2Zg knT78oCYxSfaWtAa6uVsc0Ce0OKMRHB3DWuS7SFYBzNqpPeC5LEJeZ4eAxVpFfTvANsFY4WR B2yHHMEBj0D+QnXtMlimNzbpNMgFtlLu82AM1Dbo+UHZZAO1GPQTxre294B5fCxOgXSoHPIA GMvtK10StJ9UNvM6eAun504uC/4kXx/PZDDm6nud3UEU04uLQBBltVHyIRjb9ZSAYDC62bfY C4KKlGX940DMkGPlA/CM9I72LAT5VBWx3GDe9p311YbAW+6ejl/BQcD1EMC8YNXRn4NruesX uwNCB7mz2LqAWOjP7qsF9jW2m/rHYHtbf0uUA2ce2y2tDuhdtFTCwFfGX0z1hvRYz7qMFDDO Kaf1KZh5rFCvDr4w/x5/FbBdM07ZXGB1lO/RAGgvNrIX1EdWEKOBM9oQjgPVVZBZDAIGB+rh 6SDPibrGa6CXN246FHi6ez5JzwZyu7nDXxbsi+1FdB+IDtoBrSqYPjFWzAe5zayj9QZCpNs/ E+z3HaX1eRCx1h0dOBNC3gj/wDkKhnz86alPL//VYf4/T/fu3bt37w5Lly5dunTpb5d7sab2 1KlTp079HTOg/2y8WANcrmy5suXKQuid0DuhdyB+avzU+Kkvd5PYNWXXlF1T/nF2/G/TNZNM Msnkr+b48ePHjx//E2aceSpCw87BlYq3+54pBzPqrrrzRSPIqGheDLwCKTNsHqWBtj9p+NN6 8M6MyLeqHISWr5X7aUwbSLqU+DStB3hCnrW9cQByHq0eUK8L+PpaP5qLQBuv8plJoEmx0N4D RJJWSwwA8aGKVwtAvi4+MxYBU5ltrgWHW9S2VQDvJP1mRhwkdTj5y/YzkDZw59zzH0DU52Pr j4sGFV3618hboKZTTdsHUbfzFMq3GnKXCtsVVhtuN37eNvUYeG1+zTMRZAFliigwnthvuxyQ fjapbnwHsK11FXOZoD/Sr+hLwGpHM9EVbC2N9fYnYE2XH+nVgNnWj/5H4N+TFvN8EfjmePb6 KoHrnPMdVz4QT3nisIE8r7rIRqDCGCNXgu9bfzXPayAmYOobQGwi1rYZzLn+S/77wCPV2fc2 GAO1FLUOfMf9V8xQ0Hprw7UzoJ3QDqt7oPW2R9iDIHhByMVQE6gma/pzArv02873wDspo5K3 J/gee99Lawsyq8qR9v/ae884qYq1X/taoXP39ORIjpKDJEWSZJCcREBFsiggKCqggJJBxQAo QUBAFJEgSs4oOecch4HJqXOv8H7wzDse3DzbvWEfn/Ocvr7Ur2rVqvtea031/Pvuu2qdBs9K b2rOD2CpYJ1g84B/rVJNHQLqRW2y+jlYZ9suG0eD1N4ab3SA8bJhvGQF+WPZyxIwrpXe078D bvOZeg5cvQONxbdBaiMEpaHg/i5QBicY9om7uQNCO39U0ALG44azhtUQKO7/LvgDBFsHPlan g/SupiojQDoqnRITwTbTej6sJMgLxDZif/D38R33dQX3Ju9i3+egdBaHShIEdnqKqhYwdzd8 a3gRpA/8A/xNIVhZ/cg7CFQ/g72VQfxUHmdaDoqslhAGg8vucno6gOms8UdzP1B/DMwOlADr IEsneQ9o4cIy82RQf1X3iytBvmA9JJwAwSevluf83dP87+OfCeb/qezz7vPu88IZyxnLGQsM rDiw4sCKsLLeynor60GN2BqxNWIf3U6IECFChPh7eGThbFlhquF+HsKy/c9FA8nL73mC30L0 tvih2kQwndNSM09DF1fMN3WOQfst7Y6M98Gt3b6haRpYL6d/4/kFoopVnv9kUdDma0s5DUIJ fYLeH9QwfX52F5Ds4qFwD7CBi8JF0K/pt8W5gFP9KdAVpDTrUtuzcLvKjSMHqsLdYZM+mrAa TL1/+ym1F2gl/fuk2yB+4ktSW4GsEJCrwx1xX4cdWWCbEz3V8SWUF6v6SneB/bNvPZ96AAKJ /lr+FyD4jL+o8gEY+pqHR+wHYX/OsqyXQC8XMAZSQP/F+JtlK9BPLym9C8pyZZ3+KigblEj3 BcAv5guZEFiXvSPVCVJfwwyDBUwbLT9H1ADvK77T3mVguWRtaz0Eahm1v3YWTNX5TGoI0iZp ufwL8Lp4lb2gbVTfV9eDlqa6DftBKM1NtQpILwrvKbkQ0ALp2hgQums3gx9BdJuwWFsS+C56 v/V+B/lirjVrI9BVfTowEvQ0fpTWgKWpbb3zDghlpa1iH9B1ZZlvKfjb+dd7BoLUwtDI2AYc le3dLadBKK155L6g7tNeUkqB0oKK6hzwn/dfzbsL+ofaeu07kK8aJlo7gHBD+Nn0AjCRs0IA rL9YNxsA5bo2XRwC1NSbMRt8kf76gW9BOyHsE/qDYY/xprUR+Fv4u/qGgHeL55j3LmS1cXXM qQ6mSQabdBkMl+QxhmGQvc/VOjAaIrY7PrS6wbHRvl9sCmoHsYfhXcje4Vrr/QFMbiE8GAnB SZpFeAf0w0KCfAXkjdJY6UswHTb1lWdB4Adff981EI1CJEcgsEjxB9eD4lGjlCNgb2R8T44G 8xXzMKcDpFPiV/KzAIxD/bun+X9f1t1ed3vd7b/bi8fH4PmD5w+eD6Nrj649ujY0sjayNrJC pZcqvVTpJZi0cdLGSRv/8378T7uvIUKECPHfhUcWzk92D29cZADk3BCnhsVC+Cxba8cWcFY2 dQmuh16Vuke+ORgqVy7Vv+fnoG2KyY/eCeFPnPMd3A62jJi0Cg4wPRu+IPIe+COCPwUHgNRG Ox9oC+JUfbq8AMS5HDcdBLW/Pkf/GIQqWAIdwdjF9K55PXhiXGpaAzj1+SdXPyoB5RYc7JoR AFuNJ3aW1SD8a0O9sFiw1qgwpMw+ULxBQckHa2bRJkXXgvWYrZ3JBUWs0beiMyG8sf1E+A5w HXEn5G0DdyvXj55kCM+NaZLQB4wlzbOtqyDQRK2khoF5jHmINQr0vcJW/VNQnwtcC9jAcsBQ wfAcKC/Jb9nKg/kJa3owFiii1gt8Bf5L/uPeGmDsYXhW/hiCA4NtlaYg9JaWyy3A8J40Qk0H RWKD8i2I03SXsBcM1eR4ix/0BKmTdhTorbf1dgIhUugkTwHDp6ZZxtfAOMFwzpgFvn6ue9kb IFW+92pKVRD7GtoY14FsN1QxxYLJbpph3AryKHm9sQcExvqOeoaCmCqdMP4Mktt4zxQNhlZy XzES5NlcUS6CoYf5Tekm0Fk/YtLAP1EZFBgPnNLipB5AR/GC/hoElvv2BxaD+JleN+8yxLQK jzTLIN5UHQwGw3TZa9oDhg1GrIPAOyDQI2iFYGu1YvAOyHWVUaIIhnZCHX0GSFuNCSSA4lcH iN+D/rH2QzAZhDFikrE5RLwUPTCmKQQG+aeqL4N+PNBTvQOqKG6WaoF5qemIqRxY55k/tySA vldfKtYG0xbDQmkrGGoJlaVUUC8rVwJJEDwuZ1MGhFum3ywvgdfq368UBavJcJLnIXZjxBPG IRDRIrxPRDlQg8EBSm1g9989xf97UyStSFqRtL/bi8dH7Hux78W+B0tYwpJ/1KEudfk3UuL+ Vf6n3dcQIUKE+O/CIwvnMOSkuMXgG+1smZ8GRW4WrxvsCp3nPXlnaC4kzCqdWSsaPPuE8eJt EMt6l7rPgPNMmR7VpgI3xLmGrRCU/HG+r8CwS9xoqgvBCvllb+4FsY2VpFagp/ChNACEzzkU eAd4Q4yX74Nvkcfjvg37iy9985v5YH0558NoCRLnv2Noq0N2/wvTz5QD9Et170aCtl953/0Z SActC8xFwFkl6VhJG5gvGSqK20COdvS0vAvmvpamdjcY7lrmOnLB7XH3zlwDtqoRReJHgPEF 89SwoZDT5f6xG7WAt7U2QgMwH7Itt/8KWll1R+Aj0EQmCCVAslBF2A6KWV3IdQi+qd1Xy4Ee qw5WwoC7lNZLA2bha+kmyOv1rUI2aE30/cEvQPAJIzU/SLPlXZZ0sCw1HhNfBN9zHtHzPYgj aKhsBXG1PMRWB9TnxKHSfFC1wETPbxAYG7T734GYz4p2Ll0XTJukd41fgSRzNOAHqaHmVb4G pXFgiXs1SEOM7dQICKb7P1Q3gn+ed6zfCGpz8UPRCWFVHVgXgX6e+awGT6rnJV8qqDW0ur6S YKtv+lG6A+FpjtfCSoHi1d7w3wZ5kN7AUBOk40KGEATrTdMC/SvwPetfLnoh/fPcrf5eYGlk XKq9A+bOop0z4LME0n3nQI/Rdwl9wLzKEGN8C8gSz4qjQL+uVjG+D5mH03ulzQWKyCbjDFDq Cx2kJyE8zRFteh8ifLayUbvBGwwYfQch97gnQb0FYlVhrncJyE+K34X9Bt5h3mP+FmDqbxkk XwOlvLBEPA1ZBzKCObshfHtYpO0+mDeImzU/lDxZXAg3gX2tY50jHtxx7uq+OwB0+bsneYgQ IUKECBHi8fDIwvluE9cAY3uIyEzop7YGf0r6+zefB+9zOYcyx0P+caGktyuYVkt1LH1Bucpn +scg5eutmAVMUhsEpoK4VOxlHAmqruzPqgn6UPVH/WsQPjG9FR4P+vMYlBnARO2idgJM043l zGvhUOeDSw9nw7FXT/bK3AF9Ml6e+2IbCJv9bHYtE6Sv7PfRiJbgVlxFMjtDTv6GistfA4f5 mXvPvwSmiyW3x6+DnHrZTdxF4E753JctCRC3Iv5GzEJIb5vXwDcVPN3zrbd2gucVt99dG+xD HL2dd8A61XTTNhv0jGBndx9Qw4K79PtgiDYZHU+C7hOc4lzQ1xKvzwH1aaVo4AoYehsnyMfB 4LIOjRwGegntIzEFuKbNUy6BFgiudu+A4DD/Ke9lkH821BJHgz/Ld80zBPSJ/gTBBoFNVDD9 CNbXrIedRcHe21ZGfBu0oHe/qwpYUu1ntQ3gnqnI5g7gnu7r6TkHhqry594NoDuDsd44kIZK PbQnwe4wDze3B2ZImZaNkHtB2OevDg5RXmyaBIFRwUG8Dz6fp4fvKriH5u9J3wVRO6LirD+C uakhU3wfMmPz1rm+gtyy2fPy/RD+sfMNexSoovCu2AjUtcSIL4HBkrdd6QFqi0DT/OtgetJ6 2zAacmvkvq/egUCX4Bh/LeBzsQv7QT4hLze8A8q5/HF5I0CeZahkmAd8rC3Ve4Hxaev3lv3g rxqI8iWC6S1KBLuA+GLwuOYEuaVe2z8PwgYYV8oZIF21dDYOhqBBOWZ4H7S6Qhu1GhgCtjXi NgguUfvqDcDXWknwVgJzijFFHAK+nvmxOb9BmdUljtoleCK98phiP0BedHYH8Rjo94XXwrx/ 9/QOESJEiBAhQjxOHlk4V75apXmxM5A8/uwZT2to+uPT3t4rIeHDWuZ6y4ARprJWHbTqyhZO gPCdsEjcCGwTsgxzQDeomYEXQJgqlhUzQX/bZcjKA8NYvaX1CDBb/FpsB4HjrpL5FUGYIMxV i4DWKjiAjXD78p0J8mBoYnihRcM0iO7wVOmKKeCueX9KyisgCDk78/ZD+MkiJ0smgCm/5POV j0Lmk592X9IJEqSxnQdeh5zKLmvwRTB+bY2OnQFlp5baXSocbra+H51XBXJn5SbaJ4PnaF4w fRFYvnHYilcGS52wURECGAZxO68FhK10dJFlcP3iPewJgKOC7XZYRaCmsF8qAvLuiOoRn0Dg jhBj/ALUbcoifxT4KufszhgOenW9n/IikCBekQSQdkoThSYgbhWiRSeI48yiaSiYK9qu29eB s6jRYkkD65uWNeYiEMh3vemaDOq8wFbvV5DxZP4xLR5c9QJztC2gH5HixergOOv8zFwV5N3i e9oNMOyQiupdgZ3UCZjAXS5/gdIF1Nb6Sv0KaKpgMG4DrYemarvA1ELeLqZDSWOZUon3QW6t n9FGw9XuKXp+T5AwDJfjIXBWa6uVg8Al/W0GQsQLzt/CwyFrQ04jT3HI8OYezc8Gy1nzRG0R KJdcHZUGoNsw6rEgHzNOkD8FPYs0TKD+pM5SJ4Jxn+mwyQnabE1QGoKhr2myMQGUTqpFqw/B NO1H/RewvmjNNt2F4E71mDAFMg5ntcrYA/ax9rccF8F41DDU+D5I0XJ/80Xwip4+7juAojuU T0HdpN8W1gGqp6I7GYLhUkC8B+aqgSu5y6CypbgpOghR9y1LHcmQMzp1UOAqODvF2B3ZwNi/ e4qHCBEiRIgQIR4Xj76rxhhf/dvXoMalkpPKFYXKNIt5viJoijVK7AiBtpldshuC+I15gyka RIX3lWRQ5wqDFBsYa5tz7C+Aulysrw8HtV3u954yEKyj37P3A8tzCWH6BsjvnLfBXwScWvjF 8NngbRr4KVAP6p9o/G5ZMyR0TlIjmoFfyTOk9QBVze2W0wyMiW6dXBBbxpY2fw6GjyPCYtsA 120TwytA4GTu/dzyED05bmb88xC71f6xWgak5NihliiwHw07LqwDY/XwcbGp4LqUXuRmZ/AW 87ZL2Ahms2V1xDIQ7e5XfQ4IL2/cZZ4PtvHCj0ojkK1qeqoIwjnhnFQdtDe90/PfA/Ubdbtk AXGxNkVqDf57why1NSjHtBr6TNC/Dqzyx4DcwtLa9isItbQSigd0j1LfvR3UIt4N0mYQE4TJ xu3AEaG07yvQi2pZ7t9AqGfYYZsA6lr1x8BgcKqWBnIxsJ6zXrd1Aut5w1K9AVhfk6eHRYI6 OjjM3waCpwOT1F/AXjvskLAEIh2muYZXIa93YIA4EwLPehsHVkGJkrGLTRIo8coC6TLkrneX 8h2CItGxb1nDwfOiZ2qwLGQV1/oK3UG97U/z9gble1dexnUo+rV1oNoIXOttu8P2QLoxb1Gw K2jJSlVXP3DUtIjG5WCobShnTAT2k8Io0H7SY4TSEFS0OP0EBN9XMsUDIMwWDopnwXbY0l4u DTGDncMsMpg1c5I9HZR1wWRhGOg6V/yAPkT1aF4IZPl2+UqAsN+wWUmB/NGu6LxhIPh0j/Y2 +Otqv6gKCLXUxsoC8J4O9FE/g1LXE06YxkL42KT6JZMgqHu7imXB+Kqtn+UZsLWK/DHswt89 vUOECBEiRIgQjxPxUQeQbuqN8kR4+mxLrbMCXLHNMyyCPGdqvzvtYe+kn3qvjAD3zjtnkteA Z2RmdvZboFTIj8t/AdJrn9x/ZCWoT3u+dKVCbuWcV1RAfcpy1vkdKEcCuxQrKPfVq5Y8EJbK 1wUJnFvsknE7xGfEtQ57DfwN3GXd74F4yjEnNgP0kq5D2hoQJ2VWyfwFxBWGkVYfSPPC+jmP gPCs7ZytMui7pL2GKBByAx+7OkBpc/GMYrsh/F7kN1pdcGyzqv58cFqcXWOdIMnGXPNw8EzP mp4yFtQ4qappEngPCcNs78L5eckfZY+FvOH+SK0OmH527k26DnaT7avIDpDdJX+kD/B/7Z6V vxeyW2elp7QFz1ue27lLQD0dGOo+Beb3TEGpMViLGtvSCUzVTFbLEFAv68fFiaBcDL7grgjZ l3LLJl+HfJd7gWsYZNzNSVAHQ0rHzO55FSBqYVi0bRpYypneM+wF/bT2pPciCCf0F0UHOOZb NPNrELbTMTx8EhhizE9ahoEYI9V0rIec0nmfi6vA9XKu1T8VlFOBBe4D4O/tfcv/LvhfCHzv igTrFilbUyDu47BnLPNA+VFdq4eDa5r/Tc8U8ESo7bXDYNONr+iVQEvjWckO4lg1Qo0EQ3mh gzgPol91GiKyQf7UtN7aEawp1o+t20B6hpHySNAXCk8TBNMroioPA1Mpw6vSPBC6SEmEQyA3 eF1dBIHr/hVaFdDKB/BLYBouJ7AeTK3F9wyfgXGp9LpcCoRWwnTjNXBfy3s10ALcWd5mrm3g z6GlHgDJadxorApie0tpywoIvxk2wL4TSh0tlVa0FGh95AznBkiblLfJNwviX0rqGeUB0xmt v1j0757eIUKECBEiRIjHySNHnIu5ra0bvQqJDUuqtY2QZ8r8PjURLlc+XuvwXMi4HrNcHAo/ z9x7bu3TUCLXlFxsMTSY0zO8mwDsNow32IEm7n3ZERDckrM+fQOYXE8sq1wNsjumJh3eA1Jb vb7lPBj2mt6uPgsCTYKbFAUYoF7Rp4J8UsgxfAlCNWGgdBGUYykL02+B0k/62ZIK5oSosrF2 ECrEn0o0gPGb8NSw9iBc1arpdcCQbKtvagHZX9nqXZgCGZ/n1ju2GZ749Ynrke3g/oH8voEh 4Kgf/U2xPMgqc3f51Ybg2+Lqlf8smJ+zmcPdIHwVyPe8Cbk9/eX0H0EbluZyb4SwL42dNBUi 34sdGbMV9HlamFYRzJNdjfPHQ9RK55zwOqCfwCC+Du4vAje99yH/qKdd4BPwGrxlfLVASJUG mtuCdoeBgghibb29Ohjcgm9FvhGE9lRjAST0iZrrmABOp+lVoRG4h/sWattAeFfsI+wGy3Zj R+k6+EsF2+r9IedEdl7WQAiUUi4yB7yfKAmu70C/o73hnwn2z4yzlM4QvOj3B4uDd1bgUwZD fIPwkTEn4Gb/jOWZr0N2H/c87UkIfqMXF78Ey0zT2GAVsKcaX5PLAiPUbcqHwChjd6kq5K/0 VWIc5DbyzPHZwbhMipJ+gvhvw2uYJ4KYLO6UGoAyzdzVZAJjlcDuQFvQDgobeAPEYUqyUAr0 bKW6PhFMbpNIcfC3803zTwFpmTBZTIGcXnlB91YIVlUn6fUgGKutUr4DwwbTUasVfGf8ae5j 4HzJeThiASiXlYD2BSjj9E0KIK7VZxp+gWIx4afEo1D5allDiR5g+cBQ1jYCpN7yZntLiCwR mRmhwPHlv/W91Byq8/R29v/d0zxEiBAhQoQI8Th45Ijzk5Oazu3yGgS8ajdlIUgnDCaLDIyK /EreBDmdPCvy6kDGOHmquyyEhSct0CtDsEnGR9fSwfhOVIWo0cAs77HMYRD9XFwxxw2Q6pqn GIdDVOWYmk9cgOhV8c+W7g/KSeVHfTgI0WzUa4P4g36O1aBfFXwsAm0n6Bmgf6aWE8KAdbYm jk2g2/xLtFfAMMhgMWwCyVxifvhiYKM+VVwHAdFz1/MplN1eJD76M8ifoafoTvBMzpqV8SUU c0ZuFyuDYZNjanRLMNd0RIZfB//E7GZpFUFI1D40TgPzfNtXtlbgveLvJvwMeWP1DrIDcrxC jHkGeL9Qxgv9QNuqdZLGg2G7ebvNC9ob2ig1Ddyn3DfdPUE6q2YGdkLi8xExdicUS469EvEe GIPaQr8GUlA9GkwHR3XzfNs3YN5oXGroAJbZhsPSLjDfkw8besGN1mnZmUchYNMHq1+DrZt1 qqM0eCa4W/vC4e4rGUmZSyGnovts3sfgec5XI3saeGd7otPrgvJdsJ8rH9w3vU21cJBipJPa AihWP2ZFdBqci7jxYnokJDfLDvP1h+ze7qHeuSDM1RV1PThNUkNxNcTOtTUUO4Kw1thYKg1Z FlctKR8CK4I/qu9CTFR4a8s6sC00HzBYgKD+qrYB0s9mSXkNIXtm7jtuG/hqea3ez8C3Ld+f /x14Nrlb5XYF6Xk+9X0IqsGXIZ4CPVvvJLeH7LOuhf62kDnOVczbFtKu5TTMyYXs0a6xnmWQ fTi3ZU5nMJ4xepkDxnLiZmEXhK20PW38BMIX2iNsW8AQNOQwA5L2FU+J3g4Jt+J7xUeCc60p wnYPil4uc6HsVxCs4xmumeCa77j5YuO/e3qHCBEiRIgQIR4njxxxdpyIDk+sBdrr+lISQdSN kYaTkP5azo/Zz4Fbu2O5b4NaIyrcqX4TKn9TbWmTMaAcN82V74LUUDukW0Ct7ctz/wgcELrS EvheXe4uA9r9/F+8bUAsH9ku8S5IU4OrlOug/SquYitQSnwJHQKfqi38r4BpVGBA4Bao7ZVj 0iLQc0359hEgbPAMkCcB90HaDsbVSbXjKgI/KMnBzyDQLqPR3aKQN8DRLS0LyresaXyyHpw9 cu7AfD/U61D16wovgr2rvjB2Ofy20rehaF/IOXx3yMUy4B2R91rqSrC0j3gl8jBIQ4Jv+j8F LUkZpI0HbZzxckxVyHtSr6/+AMo7/kbuVmC4rn6n7Qf3C95DnrJg62pd6DgOYXOFptIhsH5k 6Gj4BaQdzNUOQIlDCbOihoD7qF9QloB3Sv6ynBZQZErcsZhIcFX0OdXaINaVP5ItUKSN/Yti t0A06PhU8E73XHYtA9d9b2ruFvAd9S7z+sC81XTC5ARmC3tNH4P9onV9mA0sg2Wn8AZY5kjV lUVgmmD8xGqEq9PuXnPNBPd8Lcc/ECy7DG+ZrkPMprCKpoWQMjF1+L1wiJnv6Gt9HuwtbR2c 1eFc8M7E+8+C6QNTtH0EOJ4zzDSXB9mgJLoHgdZdSxP3QLIpd5TSEvRkdV3gJmjVeM7YDXKa qMOCKaCJvq7KKtDaKBfcW8A1Tf5WzwDRLtTQe0NEMKZW/DsQnKQ0JAvkCPG+eh4caZZPxFOg 5+qD9SQwrpd3aU9B2G2zhSKg7gne8vcG83b7nggT6N8HtuhdIPznuFL2GIi+UGZf+bXgzdZ0 Uz+ISU8oFdsCIoyJa2NS4EjCmiG/2eDG2vuv3AkDuv49EzsnJycnJ+fPb/AreBV2eHh4eHj4 3+NbiBAhQoQI8X8rjyyc9ctCkr4QVJu7bv5YyFLuz7wSCyWnqTZLZSg/qZr8TH9IKlJt09PP gPZjbIukciDeCNzwJ4J4VQ8TFoDrvVttTw0Fa3qcr2oF0F2ewfmvAx96BmbXAe5FfptYDfRL YhM9E/T6wj1kkPbpacL3oNemRPAk+D7yR7j7QrDW9ZXJW0FboPWnF+T0l+15L4Dj1J3vL84A 36ZjvY9VA8uTT+wseQ7MVaprZQ6Cft9XJ2wSPPlmkc8sXvCPaLbx9jWoVKHie+2ioOWn9Qb7 akPqqelPftcVTi3yjIj3gueTzCt3T4Dc2JLueBNMU83Hwn8F/538X7I3gWdyzpHsj8DgN9mN bUEoLswTeoPnsF5C/gQszxrd4RXAt0Jdwl7IaSUtEVuCPyq4jT4Qs9HxnE0Ak8lcwfY+5Ld3 5XruQjDSPNnUHJwLrE9bT0Jc/YjOchr4mvmn6uPARV5+7hWQXhZu6h+A9Lm9lGEc2K6b2zk/ Bt9YfxPLQKCz8kmwGogxBt14DbK7ebYpP0BwQUAQpgA75ZFiZTj78c2ktHQIXpHjtU/BYTRt NJUFPlXqZpSHu53Sx4q9wP6k5RuTF0gT07wCZJiyfjYvgvDfwqfFDId4Y0SKdRTkyjk18+5D wB2ooL8AGWNy77g+A/9a9YR6GaJXhv1qbgom0fS+/jrY3ggOEg9ChsZReR/I8ZIacQli9oYd N8WBqZy8WM2CQNtAPXEHeJ9lm1oepJ5GwaCDtFk7aqkBehW9cfAnUDdo3fTZkL/UU0V1gPSK abdxIeT1cO3zjQLHCfMmw/eQuDbxWOx2ECqIB6xLQW2nVpcvgv1I3Nb4SxAc517sfhsO+g94 jpngZI2bzW7of9/Ebty4cePGjQsFdAEFQvrkyZMnT578+/wLESJEiP8puFxut98PM2cuXPjb b3D58s2b2dn/OXvlypUoEREBb73Vv3/9+mC322wm0x/98fuDQZg2bffuCxfg8uWsLJ/vP+lP ZKTZDO+807hxhQpgt5tMBkPhcZ9P0zQN9uzJzMzLg9xcRVGU/5w/TqcsyzI0ahQVFRYGZrMo io+cX1HIo++qsc29wb0GfPmeSzmLwVY7fFXccCjarG3RupVAm8o5/TAEyylvqamgz/OpvltA fzFcbweqMfim2wjmiIhXomqDXKvoggqVQJppbxDWBPRttqiIcaBpql14G/Tewg+0BmEu54VY 0CrSgx/AtFZwOGaC2sBmi1gPEZvrVE+sA6eO3G3iC8DxOrFfXLoEPcZKWbci4P6mCvrdjyDx asm3i0WA7S3TywmvgFTW/Hn4xyChtwt8CM1fbxYYUwn0z/Rs+oHwbuIR3oIutVrEX+wINwev aXd6BeREug/mVADX+1lN7mVCuBhXruj7YCpriwpbDN7e+cezd0FwtreFdgiEduI+doDwm+FT 0Q7ireAkyzegOOWqxo/As83cX04A6Xv/Z97e4M9TX2QF5C9wd8j9CMynVEfes5A9LOPO/Z+A eeZvIgYCs4NtlQ0gjpIXqtPA/L1llWk9CCPoLJ8APT/o9J2GsD6mO1I90IySw9YalHQxw5wA nmjPOKU6uDt7Dd76wCptiK8fiG2EI9YtEJ4bectuAPcTedtzHOC97/k6dyMkmGIM0e9AZm5G 9Su9Iaxr+OIS1cG5yDE27m3IvuvvETgHgZycN9WzkPGWLytlFpi3Wr42fQNZJ/J/890Gbydf nL8EFMlKmBN5Bgz7DbWsnwMvqF18MRBxwvmMuQmoEwMt8wZCaqw7wt0NMjVhhTwI9I9I0z4C rQ+laQambw1uYxKoB4Vn9SMQ/EX7SJsL/onBz7VfQXlSec3bC6TK2mdCLdCH0dYrgmONtYR8 EkpWKuYqq0HkgOiLUbXB8FHgJS0dIn6OccXsBNNtcYnohAMH164+tgx+PX3RdfljSEtQDNqV /9wHw8PYvXv37t274dSpU6dOnYIbN27cuHGj8HjJkiVLlixZ2K9AYIcIESJEiH+PadO++mrP HsjMzMsLBqFs2dKlo6NBEARBEB6fHV3XdV2HtLSMDJer0O6kSSNHtmhR2G/SpG3bzp4Fr1fT BAGefrpYscjI3/15nNf9uzdw40ZmpstVaHfatOeeq1GjsN+OHRkZOTlgtUqSJEH16k6n3Q6P 1xvQ/1ew6u5dr9fvL7Tbtm1sbGTk47PzyMLZU95VPPspMF4wzjfPASk3bFLEPvC6fO29xUAo pt0WUkFdKW9lAghPiK30sSDFE2bYCPo29W3PC2BsU/yHSufAeMS23XEN1Dr8zHUgliFiUTCY 9D6BpyD4jOBnI3BQbyrmgu4TDut3gHbUVcNBvBnYYygG1gqNX6/9OuSfzSqxJRtyyibvCnSG vObs8uwGdUbpI0WrwW8dLp/bmwEt9oadLP8C+MLTjpqPwv2Pb1syFTDWMyzJGgnZ3VMW3z8B 2QvvD7qSAqf633o+ORqs7zuahP0Knuf4unwn8A2/eeDYJsgfnb03vR2E3YqKjN0ExoYWc6Au BF3+4rkvgjRA7CQMB3sfa2RYW2CmwWIcAcZn5WRxMjhzxfnaOTCUNN52HIK7N/Im6XHg7+L+ zv8CZJ3SBxnyQGlgzInWocjcsFLGjyBzQtZiz0iQ5nNLz4E8t+cX3QL+0mpDvxnkkvISIR18 FbTS2rMgtxLDct+Ae1rOOfcekERjTUclMNY2+I2NwTTFUNnxPFiPc8O3D/z3vV9mpYJ6khm6 FUzDzNu0MFCOq+9qVaHIs3GVy02HiAaRcbYz4H3efUGeC3kp2Re9ncHdW5sQ6AqOmvZzluPg axpM1sqCr4+6lc4Q93rsgujTYJ1rbWcpAncd9yZmeyA4JDjQeww4qn8aXAk5Bt/agBuEL+WX rI0huFi7TT0wf275yrgCjAfkbOk4KGO1CLELKMbgfV8xsM0yjBRWg2WR7JDLgPyTtDLiCuRu DJwOdgX7VONmsSOUH160QVwqFBtYbHqx+2D4XrgrvQFxkVHDI65BdETUoujucOmN30pc/gHW td9UercTku/6y7lzQe4ibrO/+b8mydbH++HwX1G9evXq1asX1mfPnj179ux/3i9EiBAhQvx7 nDt35UpWFiQkJCWFh8PNm/fu5eX95+zZ7RaLwVBo90HOnElJyc2FMmXi48PD4cCB27czMv5z /sTH22xmc6HdB0lPDwQUBUqVstsNBrhwwev1/gdfEBYRIUmyDOnpvwvox80jC+eU168ar78E fmvqnaxJUP1Gt7VdMiAQ6S8XfAn0k7KZ70A6q53gKAgthUHCfNATxVO8DfpF/Zy/CYilxGj5 C9B+Ee7IScBVrV+wGQgvCAsFDwSnCK+J00C8qN0VGwFxwklFB2GEvl88AloYDtkKfC18HSwL agXPi8o3UHZU4utVP4Fbqs+790PIiJAP5O+EJJN21dEJUp5Tv5W/gKxa91++txs+cbx1/ZOl cNOUZgi+D1HjTFPzZoN+UPncNRoyY90Lva+A90v7+uI1IKFX0Z9LJAJzw9o4N0P63ejcYofA dyC9a3Ic+M4YnzXvAUeY862w2yDc4ku9BJizxflBCcKDBl29Cvq76lWXC5zdjC+KpcG8SwoP RsPVtskv5pwEfyctz9oA1P0MkNygd6GWNgLkn4Vu+llITc0NC+wGW1NHBXN7kIfI1SwDwVfT m+l9D5yZcl9VAjHIS8J1MJaTu9tOgzncHGGOBeM8+xZvBghFaM0NELcJycIToBbVPgj+ALZl crp0DcwvGktHzwTf0/4uudVA6EAr42Hw5wSfUOaAf7vrmfwcCDY3rbV6wG30zMqdDPp84S3l Qyjui3hZqAlGtxAlTYRss3e+dg9iuzt3WPLBedKUrp2AnBL5i/N7g0fVvtA9QDzphk9Ay6Yv zcF80VbFmgOWlwxPG46C2lw/ovYANVbdJnQDtZ9+RLwB8lpJD9YBU39zQzkAEeudnzo6g2+5 r4R8GTwf+Wv7K4PtiMEuTYbim+POOs9DnLHY8uJvgF5U+MgSBPtBsYfxFJR4v7QlqTW4g9k3 PTNg83O/bNh3A+50z711oy5YivOxLx6UT3WEaOCZ/9yHwz+iIHd58eLFixcvhr59+/bt27fw eEF7KMc5RIgQIR4PiqJpqgq5ub+nbDz6eMGgzwc+n9v9x1Q7uz08PD6+0E6B3QcJBAKBYBBu 387JcbkK21NTT506cKCwHhdXrdpTTz26vwV2Cuz++XpUVdchI0NR/tHxHTu2bDl6FPbtO3Dg xg1o0OCpp0qWhKZNW7asVetf96fAToHdx80jZ31kB9QmGRMhI0iHvPYgfyco0nUQeui7tBig JKs4BsJkYZWwBUjX9wqHQfhIWCbUgECRq2G/mkDZmZ2XsxvEG3KyHAQtSugpvgH6VrxCWRBu C1/QGxgjVNOuAZ0ZJlQCXaSyXh2E8UJLoRiIy4lhBvgV4R19HRSdWObLxheheVLtmV1ag/0Z c/mEWnB5c4Z8viyYzZaTzmzYl3zw6QMV4OZFi/nOWxCwWmt5d4C9Vbkvy5yC6tWfe69NDpRu Ur1svSEwvMzA2t27QwNHRT32Q4h7j1V5c8E6P7Z5kZUgB8J/juoE3r05z6aWBk8fT0vfe2Bs aq8R1gm0TF2Uj4G3j3e2dwoYn5TvBPPBh+8Tz09wPuHGa/e/g2RL+ncZt8CX7R3jLg3SPaPF +AuY/dZXbN2BU4JP6g/SOYPXuBeUgVqGYTfkDXBX9VnBtNj8nHEhhFvC6li/gehKYTXCWoD5 uBipHAKGBP2uvhB2x3yWpyHh68hPwpMh9oYtYK8HSR/ZejmWglEQW9hzILBFmR0Ih/xvc5/J T4KUQ/e/TJ4GqkN9OTgL8sOUcN+LcP1o5pSTC0FuINzyzQZ26ZdyT4Pnt8CyQGm4dyTzRqYV DF9IUYGdYH/CWlJ6E1KMGcVd88A1xXs7sAP8lXzVfT+A93P/5qALlPusEuaDVJrPdBmMscad 8niwV7DHmFqCrbz5e9v7INc0ZooiBLvqe8VMyPwoL0u7A1fm3Hw5PREyNmaXyLwCyg7lB+/P EPNN9PPWZZCwp3j9xOsgficPM7UG345AFe0DcDSObxPXDfImuNKEV2DLvc1HjkTD4V+vfH2h K6TvzduT1hlc9bK63m8HgVHeENFhgAAANEdJREFUGfd/fPwT9q9SsAjwr7Y/KrVq1apVq9Y/ L7vv6L6j+46/7748brpM6TKly5TC63vYfSno99+FlY6VjpWOv/7cCsrLoy6Pujzq7/a+kCmZ UzKnZMJXA78a+NXAf/38/J75PfN7wlPGp4xPGQuv807rO63vtP67r+6/799PiP8dVVUUVQVV VVVN+/dLv9/n83hgypRhw5o2hfXr580bNKiw/PN5v9t9kEDA7w8EIBAIBhWlsNy//6OP3nqr sHzw+KOXv9t9kGBQ0wA07XcZ+2B54MCpU5mZYDZHRSUlFdYf1v+vlgV2HzePHHGW65axxs4A c0bE9xGfgr6DJxkHelN68ioIO7W4QCKo3+q39TdB6CC+aVgN4rNCGSkJxINCL8NykHbaY2OX gvqO/iMJIHp5UqkAQnOelcygH9DH0Rj0Rhh5GYhBEFqC0F14Sn8d6KDX0U+DnsFqsTeIP4ua 5QAoB+ViwU+hqFZUb3QLxNUy0mXIzBTHXL4F112padd/govp189460D575um1H8Ozn78U9cT AyF8cPHOjhSoEFN2aeXN8PyxnjdergTWrbZipjawq9vOMt8Vg6Z7Ym/nj4OwE8dztY1wtlLg 9dJ3IOtD7bAyGfwLM4qkzAdjX2lm0XIgj7I/GREN/o8Ds/I+hBx/3sq8WeApF5wldIHsg767 ehaYjhk+MTQDw7fCumBFEHsrRz0CBMN9bjkZzNMsP5vaQHBG4CW/FXIO5b2QfQ5sRSxzLONA qa9ZLGfAdclXRPoQjKXl4saTEDDqc7QjoJwPDvdeBtsUw6e2beDtmL86OA0CX/vbZV0D9wfK zctGSD2Vtj9jJUi/yE25BIZlwnTLWPCt94lSN9BXSTHmcGCRWDU/CO5AoFvWSRBrM9P+K+SV zx+RFwNn7994z10CSh1MGBOtQuwZ635HEqQ8m/ZU/n7w9SArMB4stRkjrwFzWTmVbAhf4axi XgjCCmGe6Rgoe8WL0lKQ9xrWS++BGh+8K/4CuRH5b2dnArWIltqDdaj1mLUSxM4N66S3AjU3 0Me0CgydzN2NT0CRaRFrw/dC5M1iUvx8kDdZ6jqugVrLN5TREPN1giXqPMiqrW+4Dgde+PXX SzVgb9LRdqeeh/RGbAj+DNqXxtnRMviepufdT0DoJDWXKgH3/hPT9uEU5Czv2bNnz549fz5e kHPXqFGjRo0aFeY6Py6iWkS1iGoBr7322muvvfbn447LjsuOy/9n78nfyfifxv80/iew2+12 u/3v9qaQevXq1atXD8YvHb90/NLC9ontJ7af2P7hzzF+RfyK+BV/t/eFrGm5puWallC8c/HO xTvDIAYx6F84f/v27du3b4dg1WDVYNXC9i1dtnTZ0gX605/+f/dFhvhvj6IUCNkCyfbvMW3a G280bw6lSxcrFh395+MPjl9g90ECAa83GIRAwGr9rxbhBQK/p1Aoitfrdhe2y7LFYrOBrquq okAw6Hbn5//ebrWCKBoMf1yM+KDdBwkGf18cqKqFech/RJYtFofjz/WH9f+rFNh93DyycM6y 3k1MfhniR0ZsLfshCJ+oCXoWMJTXsAB+PVe6AOI68VnhcyDIJ1IsaF9orbR+ILUqOrLcYhAP WIfG7AUhUh3q3wvaev2GfBoYLY5lMQgWfb0+AvQUnJhBKImbWkAt/SPBAPoVSuo24J5u1H8E vSXntP4gdZbrSomg1Fe/UH4F6b5hmnUnPLE7rnSjXhCZq/8SdhKigyUPm7fD6tOLszbHQ+mO lU5HuqFGbvVDpsaQHHY37lxlSGyQdkzbDlFv2MvYO0PZ6uErLW+A0EFrlfgcpCyQUy59AvcS 7Rucz4Jem/ByP4Br6b0V52TIs2f+kuyHiBlRC5PWgz7bOtvhg5yqwZ5aDVBH+xxpJ8HQSh4u fgexayOLRz8Phs6kqOMhdX9WozsVwVnTWTHyGdCK+k9KB8EZHaaHzwb7DsttaQe4fvX86hkJ gda+I/l7QLhs6GqMA9L1Pv774M7x3vHOAMtY0wvyPlBHKJN8bvDc8eW7i4AvL9gq0wvaJuMO f2+Q1xva2qeDZ4Tn6ZxnQMw1z5Hag3WxeQ8nQW4kvKufBhF9nO0piI+Iial6BPKnuNvkXIUi d6Kaxl0H6WtxWXp/SNzsjA6bDFnlM5d4v4e7X2eS8wuUfinhSfsmCMYJ+cHaIE4yz7JMAmUO 3fkY7AlMU3xgWiae0i+CwSV2lKtB5q685hkrICbRnmCYBvEXo9+N/RnMb5u/kY9BSv3MXp4K cHN8ast7w6HcC2WWFTkHjk1F3okpBYYFxu62k+DtlH8t+DJEN4gtEbsXwpbFzoluDDfePtf2 rh8Ov34i42R1uH9Rr6YfAXWU/Fn0NWBmICblIBjnWmfKN8HUwVIi4fnHP2H/GQUR5QIBPXHi xIkTJxYeHz9+/Pjx46FEiRIlSpR4/PYLBGK7xHaJ7RL/QYdEEkkEbZ42T5sHi+ouqruoLqxb t27dunWQkZGRkZEB0dHR0dHR0LFjx44dO0K/Q/0O9TsE4hBxiDikMBJXIJh+HPPjmB/HFEbm bq25tebWGjh69OjRo0cLzRecFx8fHx8fD5ZllmWWZeAq7yrvKg8jL468OPIiNI9sHtk8EpSq SlWlKszInZE7Ixc2Ft1YdGNRKFOmTJkyZcDbydvJ2wlYwxrW/PlyC3LMi6YVTSuaBk2WNFnS ZMnj86OGVkOrocHtVrdb3W4Fd3+6+9Pdn/583Q9SclvJbSW3QUlKUvIP7ROZyMT/6jm+xVu8 Veh/scnFJhebDHUX1V1UdxFkdc3qmtUVdszYMWPHjL/+fK6turbq2iqYXnp66eml4ezZs2fP ni00W/6F8i+UfwGGnxt+bvg5+Hz/5/s//8OLhQrGG5E2Im1E2sNz+x9kY9rGtI1pUP6T8p+U /wSMS4xLjEv+IJxr9q/ZvyZwnOMcf/S/o8/8n/k/88Om9E3pm9LB5XK5XC6o+WXNL2t+CRMn TJwwcQJE346+HX270J5/v3+/fz/0mNFjRo8ZkDcrb1beLBh2dtjZYWehdWzr2Naxj29ePey5 Tu8+vfv07o//c+P/dhTld4GpKI8m1MqU+d8Fc6dOI0euXv3P7T5IIOD3F0SC/xiRrlJl8OBJ kwrrkZEVK9auDfHxPt8fc6Bv3MjOzswEg8HjycmBWrXKli1aFC5evHPnxg3Iy7Nao6PBaHQ4 IiL+bPdBgsHfBf/DvlbIstlsNv+5ffr0adM2bHj49detW6tWkSLQsGHTpn9cjPig3cfNI6dq GPIDzuBtiKhmWho2GoIlqCK8DnpD4QPhGRCWiSsNG4CnBJ+UCawUdmMC+iifeiaANjy3Vdo4 oKJ2WzwNtONtYRkITcUBugeQaaF/DohkEQMYBDMSkEo+t0BvQ2c9GYTqQjXdAXxHG+Vb0AVt WEACvS8zjb1Bmic4pZag9lXOeU9CRAmHtcJVqFC11Pi2M8F3W/7B0BTMYtl2tv7Q2/H8pPYt wNHMOzpyIATu3h+eux9cwrlDqckQNtdwO3wnFF8aFYzvAfpgeYBUBJwjiq409YeokbYqeXaI GmtfJCWDeXD8zvLbwLjfMNGyEjyNshx3JVA7eS/4XRA2M+wZZ3NwtI49XeQCxNWOvh6bCnHx 0bExkyDK53TG6FCmf9GIMmch8mfbmbC9EL3P0cdQCUw79JGeT0Bq6nsraxOUSIkaJO8BZ09D WWU62GzSF76NYFhDBVcSWL82ljY3Bt9Arz1YArK/zVTTvgDvfs8OvwaYtUTHCjDFa0eraBB+ 0tS/VBhYmxhuWvoDd1W7eQE49pj2Fs+H7BbuYPoICDyvz6AoZDVJ7elWwPCW/kpYM/B870vO bwqlU2OPFp8HtvfltIi94G7h/9x3FOKWRyZZb4B9t2mhaQcklI/sGBEPSY3Ci1q/AF/L/LNB Ozg2WFRxDBhb6R8rJSCjyv1XbveHwE+BzamDIDfJuyyjK1z5Pq3Cqd5wMfFORPJSyD2Qd9ZT HCoeq3i2SCKU7FpGKPkdmA6YXnYq4C7m2an9ANZjjsrhzSGc2Hejc+He9VvfZpWGo08eyz51 G26Uyt/nOQy+hrpX7A/e8d4Nua+B6wvX3bQkMGRZ7kUvA880faP5y8c3UQu2j5swYcKECRMe 3q9AOD+sX4GQvnnz5s2bNx8+TsH5/+q2dQUC5mE/9W8quqnopqKw7MKyC8suFP7EXm53ud3l dsPM3Jm5M3ML6wXHV4xcMXLFyMd3P1M/TP0w9UPoOrXr1K5TIWdHzo6cHTBz18xdM3cV9lv6 zNJnlj4Da2LWxKyJgRY3WtxocaPwp/20D9M+TPvw4XZyd+buzN0J+eXyy+WX+/f9WLZ82fJl ywv9aDmm5ZiWY6DcrHKzys0qFMz/p0lOTk5OTi4U7s8Mf2b4M8P/9XGmbp26depWOD7o+KDj g2DSxkkbJ22E6d2md5veDZLjkuOS4woj4pMnTZ40+Q8CIGFDwoaEDfBui3dbvNvin9u7n3g/ 8X4inKh9ovaJ2oUCt3lE84jmEXCj+Y3mN5rD1atXr169+vBx/urz+9rwteFrA3zr+NbxrQOa OJo4mjhgSvEpxacUh4sXL168eBE+rfxp5U8rP9xOxw87ftjxw//i7+QxzavH9Vz/X+HfTdXI y8vKunevsHyQB4//1VSNYNDv9/t/F86/R55/L8+c+fLLceMKy4L2778fM6Zfv8Ly5Zfr1Stb FjZvnjTp1Vfh008HD+7WDbZsmTz5tdegTp24OIvlz+MX2H2QQOD3XGNV/X0fjgdLSTKZzOY/ lzZbUlKZMg8vT568etXvf/i4BXYfN48snI0LzRnGJyCin/NAZCxob+iTFA8I+UKYkAqkYdIb A9v1KsIyEN4XP5EmgfCxf2bup6BeyqubFwbil8I8815QBwgZ+ioQ6ujfMBuorI8WIkH3UBIB kBAA9Dwy8IEwhzlCI9BXIAlzQc9SZ3glELt6r3hfBl72+H3rABOfaykg1BCqkgViA+lNpsP9 77NqpN8Dcfe1p66mw3hLz1XD34Cqxyo2bHcVqjeo+3zbjtA264XmXQeAYULFj5Ii4Ofvd7bd sRq2d9ybdXoTGE8F52h5UKmpIyKiESQ49ETvu1A6YIrJfRIqPB172dgBwkrE9y8rgLTXss/R C/ybs15JOwOBEa6L7r5gTJYtznKgtzGZos5A2oa8QVpVuFs1d6a/CWRuc5VVO0Dq9syDHhHS F2UPcS+Ce60ytuR8C+bj5uqSC4TbgTRtBMjdmaoOh+hs60tCFYj5zvqluSY4zsk2tSxYz5he NyZAIFZ5jYbgG67eyE2FXDG450QUpL2aU+vcGcjaEexzaSS4avu/8cSBdIcdBhk87YJh3q+A CGmg4R54+viNOZUgf3twf/ICSB+Qc+zmLMj4IOcb7z3IWOsypr0LhufCrzv6Q5jgyI7eAo6O pm+wQ7gh7LCxIggvKtNNEyD/Qn6i9xkwnpDOKF7gKdFOR1B7iXbbWtA+Nzf3DwGhk21gTjLk XgoWT+8Glxvec16Lh/Qo75l7F6HI6NLdwmdBscPF2pXpB4IiJFgHgqdYfvFgOljiHEPCXgXn 6tg7sVUg/bNkZ94+OBN35JtTAtx8Pvdgbjio9QwjDaeAbppf6A6sFpoJdUB6LiK1aDwoG2Rn ggBCljhS+Av/wP8qBfsxFwjfgojRg/s0/zMKUjMezHUuGKdg3AI7/+r4BQJm9erVq1ev/nPZ 4EKDCw0uwPbp26dvn1543rhx48aNGwcNVzRc0XAFjF0zds3YP0RwH+z/qBTpUKRDkQ6FEbyC yGHW1KypWVML++3ptafXnl6F9eHLhi8bvgwGHR10dNBRiLgecT3i+n/ejwdTaoaZh5mHmeG1 xa8tfm0xhL0V9lbYW4/v/vxVnM86n3U+C5/7P/d/7od299rda/dvpCcVXHcBM2fNnDVzFmzL 3pa9LRuGmYaZhplgmXmZeZkZ4lPiU+JTCvsbFxsXGxdDXJu4NnFt/rm9zVM2T9n8h5zhZs2a NWvWDJq+3fTtpm8Xtm/puqXrlv/iJUZ/9fnt+3Xfr/t+LawXpMA0udLkSpMrsPDEwhMLT0Dv 3r179+79ZztJE5MmJk2Envk983vmF9rJm5k3M29mYb/HNa8e13P9f4UHUzX+arljx5Ilr79e WD7Ig8cfPP/hqRq/7+NcEHF+MPJc2O8ft3fs+PTTNWqAw2Gx/KNIcK9eDRpUq/bn8QvsPkhh xPn3+oNlQcT5Xy2fe65Jk0qVHj7ufyri/MipGsU/j+pb7Esw3DQftTpAW6lna+VBSOCGfht0 q95D2AxiItOURsAoYZ71O/A/lTM77zoEjnsl52EwGgy9pd4gdlMvB5cCa/VweSOwXOyj+0D4 RJ9LPuj79Qv8BsIAoTvLQI3S22uJIPXQSglXwT8o/y2/AEKK1+W7C4IulzPNB6mtaZ22BoRn ZFFuBfpC7Yg6BgwbfN9746Cx80l/pxoQcd12q3Qi+CMC2b5BYO8ZM6L4KHAYhUYlG0O0r4RH +RkivZFvhD8Be/rtGbH9Q1iVeulAZiWIneFtoF+A0hfCJ9s6gDFB3O2LhiI9wkW1Gax9QqtM HhyzGeqWHgza7qz+d9ZB8MO89el7gbfUPnofsFQPaxpxALSF8jrhcwg8G+ilbQHP/bzR6TkQ jPKH5XcEew1za2koRL1sU82bwH7WcMBaDryf6E31cIiuF7HYMBUiB4UnhedC2tcZP3iXgm2o /IV7DZg2ypnSPkgrliWk7oDEd6L6x/eE9B3+4THDIX2Rv+GVQWCPsjZ0jAV9ovSuWYX0NR7t 1joQFufFyScg7Ljlu7iiIP1s/cmzAWwVHe2c80DsqfwY+RkYfxPvGJNBm04J989wq+HdSRnl wP+KL921Goo2jV1sLwU396ZV1V8AT6KyKn0gFMmJaC33g+Ac5UvzIfC08j4bjIDs+56B2iyI Kmv/tsg5cL8SHExpsMWY5hvHQMkusdvKn4Ait4t+XOoQhL8WMTJhCQTaBqdKjcFTO1DR7wTn sYjOkXHguBxTKbILZD+VvsW1FG6ePhV3fj3ccWS/kToItBnGKOdwYJ76kvAmaD1Y7z8LYkVT 03ATCNO1I8FI0J72V8w+ANL9oO6OBUo9non6YGrF+vXr169fXxgR/qv7MRfkNj9IwTgF4z7M 7j+jQMCUGFNiTIkx/0VHL17+sB2RcEw4JhwDWtCCFiAcF44Lf/hpXBugDdAG/HmYB9vVw+ph 9fA/91McLA4WB/+hvkBcIC74cz99gD5AHwBYsWL9g58FHOMYx4BudKPbX79P/6ofwWrBasFq hXVpsDRYGgyCXbALdpDGSGOkMf/c3uMmbGXYyrCVII4Rx4j/wP5ffT4fJH2Q9EESdPyy45cd v4TDzx1+7vBzcKjfoX6H+sHGpI1JG5Ng2fRl05dNh1WsYtW/43BNalITNs7cOHPjHwRnwRfG BylI2Rhac2jNof8gZeOvPr+CFIo/9ftfqS//DKmOVEeq88/tPMi/O6/+2XMN8b9TmKrxj4Xs 47Tzx/EflqoRDPp8f1wc+DAednz58kOHLl+GZcuOHLlxA95/v3XratWgW7datcqUgTp1ypcv UeL3848d+7PdP9v53yPOD/KwVI2JE7t2LV784f7fuZOXl58PHs8/Hve/bcTZfNTdQG4Ghmr0 kooC6HO5DVwXKgtXQfTLr8q3QUWYqq8FRgiH9COgvuebJV0EfwupVtynIA6RFqAAZbWzzAd9 uPAuN4Dz+ko9CvR0vEQCe3BxHvQeel2+AsNA6aD8HRiaG2cZq4J0yJEUWw+S1/snGYvCpcWZ Y/R5kDPTX0wYBtJPYjvag7JR2RXYCWFFEoqX+xGc9pgSRbuA70fF57kPwmdiRwaD8qaa6VsK wfrBJb6RoJ30vaHOg8S+8RVrHIaOa+pIT1eChp9VqRiZB+HDStY11ANljXGQ/yMoaYnZGRkL 5aPL1Q87AdV1qzOnJjwx2ihprSBciQkrvgwkwpsWaw1qE/+NnHrgTsg5kjIJuKTVZBo4Tzh/ jRoDceOS/CVyIelu0ddKDgOn31Y5sjQI1w2z5Arg3B8zPzIIDpNlmukbSN2b1jHnKpzZfrFc 2oeQu9kXFlgOtr72VpHZYP/KJtk6QLU+JbYWXwxle0fGF4sGg532/kVQLD/6UMlfoMKQ8OwG b0PRS/bGRb8B21WLxdIAyiSWPF+lFUTawl+OOg6Rk5ym+MkgT5OkyPLg7aEe8yqgjNTtuXvA JJpnmntCxFr784RD4kfxG8P2gSritlaH6Deif3F8C0+eKVc28Sw4I2wfOQeANFWIkluBzWlJ tvQBq8f2stEKYgtTB/NhiLsdnlDiKyjbo3hGORkqHKhYv1ZzsCeH/ZD0K+T2dE/V8yFnmM+k 3Adr3aicqFpgmhj1eVQe5Op3++dWhVtnj71w4gSkHsjqd/0wqJHmapZU0F+SYoznQVP0VXpb EEoKX1AEuK9u9zUAxeZf57oPSmX1Gfd1UKw8q+x+fBO1QMAWL168+B8/SAr+4T/4au2/SsF5 DwqHAjv/qVzopt83/b7p94X1Dzd9uOnDTbCvwr4K+yrApEmTJv0xF695s+bNmjcrrBfk4KZu TN2YuhFWNV3VdFVTuDv+7vi74x+fn/WH1R9Wf1hhffaLs1+c/SLMF+YL8wXI7pbdLfvfEMz/ KnVO1DlR50Rh/bMDnx347ADMPTL3yNwj/+f8+Kv8q8/nDdsbtjdshTnONY7UOFLjCAypM6TO kDpgfcP6hvWNP0dYhQXCAmFBYa5wQYrBw7jivOK84oTrb19/+/rbheM/+MtIQUQ4ZXzK+JTx cPabs9+c/ebfvx/1l9ZfWv8PizA/3vfxvo/3wc4eO3vs7AGvzH1l7itzYeXllZdXPsLi2Ued VyH+PQpTJ/61iHOzZoMHf/ttYfkgDx7/8zj/WKgHg79vC/fgrhcP8rD23buvXElNLTy+ePGB A1euPPz8grLA7p/7FSwO/McpFbL8e2rGg+Xevdevp6TA+fNut9f75zI///f9mh+eqvHfdHGg 7beo8fELQe8s1TVcAnE543kPlJTA7uDL4H/Cu8pTFUwvObF/BsZiwlj9DJydcy03sx84G5fo VaIdGMcySxsBvg+EDuJ8EH7hF90P+tsc15JBnCX0kg6DUJWNwmrQz1KbsuB61ZWXcw1Wz1pz doMF/F+o5sjtUH3bU+0bbgO9iOEuu0DqLafJZ0GM0bYpJUEbIJ4wvAy8SG3hCwg+FbihnwUx ILVjO7Be70EmCCt5U5wKzBVLqC8CRbShshWCvUkT3wTx+6S3q5WEKofF9+3roeRrpvmnP4Ws 0hGpOaNBvJB31GsD8eOkd57wQuVxlfcGL0DS6rQ013Q4VSLLr6yDM3PFy/a34U4Fc7MSd0C7 mbczbQz4u2Y2Tx0IWlH7IudWsL8btihMAdMvluamJBA/tn9tPwNaUOkaaA5p23NihAHgLuY9 r+aCe5b+vGEniLFyKfUGMFxbpEfDnVfTTmf4gE3qqwYnhLd0FrecAeV56Yx/P5TeFtav+HMg JxrmRRaFvDNur3cx6LOErf53wLxFGxy+E2inNWUQmKbIncSvwXiJtpFpYOhv659zEbw/eKWs i5BpzO3Gl6COD0xOPg9lS8fGVQiCc6K0L+ElsK0Ln4UflMruUy4J7o9KVt1jIe1lV6rbAuYX zarpNIjNhZ3qEXCkmafaeoOzfGSDsHlgH+8whK8E8wf22ZZK4M/3lxJ2g+t915CAANI7prdN ERClxi2OXQLmbuadhjGQP/n2y6mfQPqamwOumiCvWa52qwx4MRoiPgN1OOOMr4E+TZuj/v73 N0S9APod/ZBeGbRRxOlVgEghS10Hop0Y41vAM7TWq/+vSdLp8U3Ygtzjgv2Zc3Nzc3NzC+sF 5cMiy/9s140H7fyneNH7ovdFLwT0gB7QYd2odaPWjYJRGaMyRmVAzK2YWzG3YHCxwcUGF4Pe wd7B3n/4QB5pG2kbaYPZ5tnm2Wb4bvR3o78bDTG3Y27H3IY00kh7DH72rdq3at+qcP+5+8/d fw62TN4yectkKLa72O5iuyFqatTUqKmQuTVza+Z/8EU3A/WB+kAd7o2+N/reaNiQsiFlQwpU jqwcWTmyMEWhQKj+3fyrz6dAwM5cOXPlzJUwyjbKNsoG6iH1kHqocDHmqOKjio/6wxfHzumd 0zunw089f+r5U8/CRYMPW8RWsKiS85znPLR9v+37bd//c6pIwWK7L/iCL4AtU7ZM2TIFKn9b +dvK3/Iv079///79+4Nrtmu2azZs3r159+bdsPHWxlsbb0GdQJ1AnUDh4sd/l0edVyH+PVT1 91dIP0zI/vvj/tfjFdh9kGAwEAgEQJJ+3zXjYRTsqvEgFy7cvfvHF6s8WH/Y+QV2/+zP75Hf hyVO2Gx2u8UCfr+i/LHH9u0HDyYng6YFg6mpfz7viSdKlDCboXr1J5/8RwGeAruPG+HgwYMH Dx7U9bp169atW/dfH8CDu1F2LeCy4aS9BwhZfKBVBa1B4MvAIfDHenp6/WAzRsyNXAjqZf1N fz84P21r1PHeUCqq7tga18H6SsRxwxBQz6uZegngqOrStwHb9JXqKyD0MTxpKA/XS9xNPrcc im+OrV2mHij9lI56POzJ2Os6UgNcv7ktahTQ1vFD0V5QKrO0v8ivUOFewjpDMli7W4uyH9QK aivxHkidhQmcBKWCutm3B8SA0Es+CsKrUmXxU9Df0jpJ+4A14sdaEPRnEYREEPfrovIOBGq6 KuZ1BmOKob26ANTn3FMzXgftq4wXM78DyR01M7wb+O5kbrzvAH1q+vT010HaJeusBF+qdMeb Blklru/MSYfV1/aUvN8Kjo/I/llKh8AS34SszyGQ6WmVPRWE6vJoy2UIfyOsbuQmcLzl3GDe CCaH4VX9HjBY7RWQwVfJvd73LfizA9uDn4GyTL+ojYBAXOCqLx38g92WnANgdlnWWYdCZHbU 6+Fvgu+OZ5yvB3iLebJcv0Bmtayc1KagzhQ2um6D1kl40VIUXN0C27PTISzPsVKsCoE0zzbh A8ht6Ml194HyaQkTin4G8gUx2lIFbkZk3Lx7FAz15O2WlyF6Tbga1wmi9pjPm8qAtkcfo3SH u0PujPBtA81nHMI6cExySlYBzC/JK6w3ITY3YYNNgciWUcWjM8EwxHwt7Bxo7yu7DW+AO9VV QckHX6a6ITgSLEr4ufBj4FwWMSf8HoiVtF8MO8AVfT/nfjfwr8gedCcVvH7li9ypkB1wvxU8 AHnb9DHhPUAvI84zH4PgJGZJz4L/vvIer0Lw5WCvYDsIHlC+958GZVawq+8csEC9550OUmV9 ib8PHEvd98mGU49/4hYI24LdAwoE9L+L0+l0Op0wYsSIESNG/OeFc4h/jYJfBlLapbRLaQft E9ontE8ozG1+Yc8Le17YU1jf2GFjh40d/m6vQ4T4f4MqVdq0mTEDqlatVatChX9/nBUrPvig XbvCeq9e77//X+0qcfr00aMXLsCZMxs3jh5d2B4T063btGlgMhUrlpBQ2J6c/NFHL71UWC9S ZNSopUsf3v4g/6yf33/79r17kJ7+ww/vvFPYPnTo0aM3bkDlyomJVuufx01Lu3/fYIATJ+7d +1e+eAQC+flZWdCuXcOGTuefj589m5Li8cCcObVqlSz518d9GIcOHTp06NBjiDhrqvcn30Aw fGtsbjkCWnvtI70LyOWM3xpqgLzEpJiTQA3TR2o/AEu86wOTwPGFY79tFxi/tHxl6AviZqme aALxCeGi8AxoHXhe/RGkGDnD8Bqk5mV/npIP11+/Pv/QFijePr57fDPI/NJTxzMEXC7TJNML UOz7sgsqFYVAEc+beODWrPsvuodCoieiv/0mWI/YyxmyQa+tDWU4cFxvqZ8HcbKwQAyAsETs Kn8JelH9S20aaAP50ZcFVFLXqSNBWiyesIwG/Yg4xHgP5M8d66KiQQuoHYNO0DsbZqjfg7LA Us3VEuQOljtx74E5PKqh+XOgT2xSmf7AVEf72KlguSeZ5RiIXFzjU98ReP10zXfPfQe/Ldtz 4cTPsG7O/rLq13DvVdNpZwlQDuV1Td8H2Qcyq9x/D3x5no2WxRCxLfxmZEMIP+0sZ7eBpVXU LUs+6PX1Jeog0DcovsBqCFT1TzBtB/cISwPDaTCdl+OkIZB5MXuR7wfwPaPsDr4D8nnjxOAx yFni65c9DKztzXssk8EeZVlnuwemw5aO/tYgrzFM0LaA+05emGc2hBeLnB1eAvLrBIz+I5Cz Mr9LTl8QDkujxE1g/NIwyfAiXB53s/G1HLC9aj1k6AjOLeFNjAGIHlPsYpH1EDUjLCqiOUTc Dvc7uoJplsnl1MFQ3rbdPgGChuBKaQS4J+b+7H8S8tf5LwbbgGS25hjGQ8Sx2KtxElh2WA85 TKC8lHfRtw8ysu/cvjUcMtbcrXphPQQT9KZ580D7WH9beA/yS3iqaSvA1UuV82pCMFsroi2F QHX1O30UKNv0zvoToO5X+qubIVAj+EYwCvSJ2lZ1Ougn1f7B+qAGg8387z36RH0YBcK2QOgW COgCgXXr1q1bt249/PyCVIyCRYIF44TeKPjfk4Jt53at2LVi1woYwAAGAMxkJjMLt2t7I/ON zDcy/25vQ4T4fwtN+z0ynJ+flZWfDyaT1fqP9jn+VwkE/nHOsN/v8fj9hXYfJBj8/c15up6X 53KBKP7jRX7/agrHw/ppmtfr84Gi/OM3A/r9v/uZne3xKAo4nRaL/Af1Wbp0dLTX+/v+0GFh cOFCZqYgwH8dL4enny5ZMiHh90i2x1PYnpvr9SpKod3HzSMLZ2WqO1//GQwNwleI8aAuDWxU a4H/U/2r4DIwNjY1IxbkdnJjQxJ4DwW/9rcA8bywRJsDhmXmboa34f64+7dvrgNlu/Jb4Acw IX2t9wHHUdvwiIOQ/1ROzzw/2F8xX4scB6Yy5vX2wRAdYd9sjgTXaleRMxpcWZnSMXcRJFWM mhWdBrYdlhfUhpDybdreQFko1iSiiOkUqM0FP0VAGauUCh4GYYrYQWwCFGWBEA7Cdu7L34Nu Ez3ZE0CoQ02xGhCluNRnQLnrcuc8BYam9uZF2oFaRbinXgLZ5bgeXxMMZ+3h8VVAe0Y54soG tb3vYH5FMDYwN4j5BdQdhtW2Z0D9QntRl0Czyi+aD4OtRoVjDd+FNuUq9Hu6H5SfXLb6hm9g fo8fvz5cDy5vtcqlT4KvkrtFxirwDs6/lhsHgR1pG+8OA/dXeZvNE8G5yJEfHQNhyWErTQfB dtn6kvk7cL4T9qFDgejz0bXVNAic9a5xPwMGxZaUVx6Cu5X+YhlQknyavgnkT0rlF+sCef1y 3/RpYGpmeN1cHaS76pqwVPAYPLUC88G+3zJQKA0JP0VWijkNdgzPJE6FtJnGtikvQdgu+wHb ZIjeF7YqZje4uhZ9y9sPDJ8ar7EbHCkRVtsAsFwzu8K/BmNj2WwfCsGAtl16CgJFgyZiIScn /UvfcxD8Rs1hK2i/GbubO4Hla+doyztgrxaxNrINSMX8B3FDbuObx9M3gLtj1v3kvqCcVRak fwS27vZF2lfg36JcscwHX7nAnkBPsIuWEtohkNYH53mKgv8DpaJeBvSGckXyQbmt9VedoD9l iucDUPrrJv1p0I5pmzQRhEuCwRgARVRWyo/wk+tfpUDoFgjpB7eRK9jHtYCCXObq1atXr179 P+9fiMdDtVeqvVLtFVjKUpYCDGMYwx511BAhQjwOnniidOnISLhzJyUlIwPi4xMTo6Mfn4Au oEAw37//u50Cuw9SqVLx4pGRcPr0rVuZmSCKTmdYGISHDxny1Vd/7v+w9n/WT9e9Xq8XNC03 Ny8PqlYtXjwq6s/nOZ1Goyz//mruQAASE39PoAgPt1gkCbKyRFGSoHhxpzMvD+rVS0qy2UCS BEH8L1bi3br1u938fF2XZcjJ8XpVFVJScnMDgUK7j5tHTtW41+jiOze2QNT6J6YVGwXBdG9X tSQomWpccAyY+hpbG46DLituvw1yR+/ucSgM8j7Vv5arQZHLz1ar3x6yvTneew3Bv1wZoYwF U7ZxhVgdzr5+OfG3FMi9pL6a/yKULR2zvHQPSFSj1lTKhdNdL7iO58G59+4GLlyCi2funpbq QtU3Kn3Y+jmoO6lyZrGx8MSx6A1CaxBKGbqIxUDcqG/RV4I+TWuh3gY9VWwvpIHYUyhuaApC qrhHbwOppuzrlwZBenffpzfKQeSIyI5hL4P2icudPQ0iLCZXpffBOcfxcvkG4O+oVfRcAN4X ZFEGYRcp8ssgfqlFBkeAMkv/RWsPoi5WM7wOJOkxWioIX+vz9NOgpuuNhESgEvukaLB9aakq N4FVzln9Pr4L6zocNd7oB3qibWb0RfBM9TUNNgB1vadk7m+gX/TOzrsGoqydCiwF67tynjQL zLvs3e354LA4LNbPIWyU9QXzaTDPNJsMMhhGyWPUZ0H7jRTNAIEy6keKD/STWmmlF2jztNPB nhA0KU+rGnir+14LjAXhezlZaAPSXCFerAXSDGG+cAm0+VorQQCTx/SecQ9oG4WW2q9gqirW N74Ahnzzz9YnQYtgjXAOtCnBxmIq+Kr4WmgVwLXXVywQhOCY4NZgBqgNpIXCmyDFGo/YjoNx oiXCmA8xZcPqWYAi/rghtktwJ3j/9YxfIF/JqZj+JWTXSU282A1y89O8gZmgHmNT8DeQ45X2 WgkQTeL3pkbAaqNZjgT5A3GdVBT0t3lbehsCk9RyvAP6x+Tr4wGBJsJJ0BOFX8WVwPviFukr 0GXtlF4btDeFG+JO0DPEc/IM+KnnL6N/2Pb4J26IECFChPjvQVZWTo7LBX37vv32N9/A+fNX rqQ9jkUWD6FixbJlY2Nh8eLp0198ESIjw8P/+GbS9PTcXJcLnntu7NgFC+DkyStX/tE+0Y+L 6tXLlk1IgJ9/njx5wACIiXE6/+hPdvbvseP33z9zJjkZ0tJ+jzz/p4iNtVplGT74oEqVIkUg IuLxCOjHlqohT3B8Z1wLwZk59fI9oL+U/W3OLhAmulPcVtDHlptXujWoZTz9PMvBVXzzud/e gnDz8291zAdhnyVROA6Jk40vFR0E2UM8VfPscCLjuHZgFljKGY3OF8C7z7ZGvwXRO6ylEhqD 4W1j+Yh6sCNtV8SdvnBvlPDj3W7giZTWBW/A1mO7zv9wAfxdA/T4BkonNV1fvAFY3Kbz9AF1 v/aa6AXhlHhXmAPiaGGP1AW0XD4IJII8nwbmM+Cpk+fPGgiXV1/pc7w0KIf1mYavQF9gGqn5 IeZUZFTyRai0vcgX/hIQk2xtmrQLsIhDDV7QV4hojYEpwmYxDARobWwLwgd6DbUi6OvozQZg u7BUmAxihHCbYqDNpqsShKCmFNEOglApkJuvg7gho9l1QJ6gzVXfA7mfuYd9A2jPhZeMugTK r2HVIq+C+nJAcP0AgYH+zfmdQYkJjtNqQXBD1oysi5DjyqovdwJTQ+MH4ttgtph2WDqBqbJh pKkMiBGmedIGkG5IsnwQpHqG8tadYNwjNxM7gcEctpcgIPOslgKCj0niEhDCdEnfAFpz/Rbl QBmup2r9QC2vRLEQ8lsqZXkJ/Gtz+vniwNc3OE0RISgGSyoXQD3KXs6CvMaUbJ4HxqXWlbbp YOxsbmQ9CPFj7MuNS6Fmt/Kzo9dAze9qvVhlFsR/VuJy6Wmw+Z2tn35TClJfz5tyswzUaFTL 36E9rN605t4vw0Df7H3FUAqaf1e1dsN0uBJ/tnNGOTj27bHy5yvCnYVZkVnjwN9GGap0B8t4 0zLzyyAfM7xiGABaJbWI/g6otbVFygnQvxEGid+C2FLvJTpBu6zf1QygHdf3qWOAnv+5D4cQ IUKECPH3UyBc16//6qtXX/27vSkUrocOffHFG2/83d4UCtfPP//Hi/j+b+ORhbPlK2VqoC0E l9/Mu7ceiPK38lYFrb6vSOB5MO4W2pdaAzjdn7p/AbYErgeXgOnj2Kiw6mBYzgx5I2S+6Vmb IcDx9cdH7vsUEmcbt8W/Ce5kc0t3BISnCaMcSRC3Kb5k8Zfh1Klri9JEEE+HDU2aD/rCzDUp TihapMLIqh0gpeb1flfmwoX5V33XMuDIlhKdIhPh2e6VZttfhuCq4DL/FJC3mSItz4B6WFvv SwHhlDDHVBTor5cVIsDwvmWyaRfElqyolQWSD5/yXhkBpXdLkfHfg/2SO8rSAa6lbt69Kh7s c8ukVW8Pwjqhi1QC9NuslzuBYVTR7WV7gPx2THbJp0HfrjdmHrBS6EM26Av08+ggJDOGoyDW 0mOE0mBorCeq74PwjbZY7QHur11PZt4H+RVlt7cMiF3Nux0bQI617I+MAWOe5ULUJRBrWubY fgLTL05PhADaNNfArDjwocRpcyH4nn5PywHtkF5c08HV0rvWexzEF92B/MugSOou/SLQUvdw BoRVwhlxChgX8IRwHvSdYj/6gf6KsFBwg9CYxUIi6F/xs7ga9CnCAsJAG6g/o+wDPVx4VywL +qtCUfkuCGul7XIrkE4ajhkOgnwyrFH4LbDMsMyw/QJmh3GN+SDEZ1o92k6o2bx4HYsdqret U7VafYjfXU6uKYGyUDhnjoHgSX02O6HxOw093SeAq4gr2OQdiHw58dUyX0CMpdeCcnvAvsBR tqwMzkvhfYu/CxUza824OwBKbK3R49xw+MGz/NaG2xB4Nz/nnBeSu6R+k10J1D7iDMkFRodZ sx4FQ5K0xPAVyGZpgVgf6IlL7Ab6KjVBOwPaYOW4/hkA5Wnyd0/zECFChAgRIsTj4JGFs7RB PiKdBt3jaGj7CYRNsWlxY0DozAUhE6gsB+Rm4F9+J/76DZC7R78SMQ7k92Ij474Fb1jwfn4N yBubl3xvCNTYWqVevQUQMzBiZoINDqSfb7phLETE2HrFTgG9o3zd8AacG3y8xo5dYJxt7VB8 MRSfbVtUIQZqbyt39SkbXGgU1acUILRRF2lPQ7WMct4oAfxj3c+kvwvCm96mWa1BWyWrtuIg LrcOtPlBb2LIM/4I0iXzRjEGUgafkK9WhpSzue9e6Ai2+QkfmLIgMjW6aYnZUOG9Kv7Ww8Br rlT9bgD05Kza94qAf/69bjd+BL2E+92caqBKERUca8HwTGRCTB7whDDCWR04ywBlHuhtOMdY 4BTJfA9aa+EnPgD/x4HOegvw5wc24AJtkHzX0A18t4MLPcsAg++wZzsIebmrMn8FU74p+74N rK3t48IDUGxLsaToFOgU079hi6pwP/3e7ewX4PbKawl38+H2wIyh7j6Q+ZmnZHA65J8MLBDq gidHP6ecBKGdGqWPhqBTRUsAzwk1XesFPCFM0NeDHiPsYR6wlg/IBDFWHC4+BWK04X3DjyBs kKIMK0BeZ2hnbATSLDlDngzyKIPX+B4YSohvysuBiXTjGTDEqNZgOmgzMhrfrwHPFm/TuXRL ePqZ9nQqBb53xXbRN8H/VXC8Lwb0w+KX/hYgxkmXxW4gPW8Oty2E6DFyRUs+6OOoZl4MScWK 7m02AYImZbqyFQKZgcuB42B8z7bb3AqC59Wh4R3g6VdqdKzqh4Q54RnFXoHkg55t+guw/dyW T/a6IWVO5ut3d4HXbDgrrweLoHxtOg6m7021jBtAPCTuE4+CHGl4Uv59+5xQzDlEiBAhQoT4 H8Ij5ziHCBEiRIgQIUKECPE/mYIc50d+c2CIECFChAgRIkSIEP8vEBLOIUKECBEiRIgQIUL8 BULCOUSIECFChAgRIkSIv0BIOIcIESJEiBAhQoQI8RcICecQIUKECBEiRIgQIf4C//92dAWr BUOECBEiRIgQIUKECPFn/j/4k62J5WpfAwAAAABJRU5ErkJggg== --------------080009020309090806090302-- --------------080601040103010403000905-- From nobody Fri Apr 4 02:39:32 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3C2D1A045D for ; Fri, 4 Apr 2014 02:39:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.91 X-Spam-Level: X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FJEn_Rc-QOOe for ; Fri, 4 Apr 2014 02:39:26 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id 51DFB1A043C for ; Fri, 4 Apr 2014 02:39:26 -0700 (PDT) Received: from [192.168.131.138] ([80.92.119.215]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0Lqi70-1X0NXG3Fxa-00eKnp for ; Fri, 04 Apr 2014 11:39:20 +0200 Message-ID: <533E77C3.9000509@gmx.net> Date: Fri, 04 Apr 2014 11:13:39 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="FW9lwAmNo8wGfXWASsQO537gqnbq16pjx" X-Provags-ID: V03:K0:CGVy7D3sHavgUuIINOW9gJAJzACyBu2lBih6ACT8C90q9j6k1c9 ZEdPkFsPTKS3zlWGNvaUqR/lZYsBIYqvdXYyf/IMT19eudBShvzvT2CeaTewT+M929matPg fTzRgP1gCNQnPX88vWVIKoiqytjk8KYyQ1Sg8nQOnbr993/WIcjMTkuAMzCsW0ruwvkFFBi egFo+MYA6/bmBS9xxZovQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/biUhYw0ITKt7-RyDbmavvha8dKY Subject: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2014 09:39:31 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --FW9lwAmNo8wGfXWASsQO537gqnbq16pjx Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, This is a Last Call for comments on the dynamic client registration documents: * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 * OAuth 2.0 Dynamic Client Registration Metadata http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 Since we have to do the last call for these two documents together we are setting the call for **3 weeks**. Please have your comments in no later than April 25th. Ciao Hannes & Derek --FW9lwAmNo8wGfXWASsQO537gqnbq16pjx Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTPnfDAAoJEGhJURNOOiAt03YH/Roz7TqrAdznYy6/dqbIgufO ztZe5649EpOqoEhuBkvND2TDupbL20KL0ypGmYyYXdpf/n6FxnjGzIdjG+/InTi2 AaXUEAOhRFh4f738Gu8VP5ioVOK5Vjs2Km/XqWU3IQjh4ZjMUupbPOdnn0CJ8xqj a0k6I18xOk00GWLm53475Fbx8iOagoBWFwYimDQR2TEUbVw4tE5kk8+jnPEbnhS9 jQ1xoRRv5jXNfQa2W7iA/0mkrQvxPAUFmqHZc9WZQz8H9EWXV3XVrn6Fhj1nJAZy CYb3ahTHOAhkX/eYtkSWxnzxoIqS5TsSd5ESiLw7yX8jVTbRNnGz9m4HYDhjKUk= =JwAE -----END PGP SIGNATURE----- --FW9lwAmNo8wGfXWASsQO537gqnbq16pjx-- From nobody Fri Apr 4 06:23:21 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 285F71A0174 for ; Fri, 4 Apr 2014 06:23:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.209 X-Spam-Level: X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FAAn-f_sVuaf for ; Fri, 4 Apr 2014 06:23:14 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 67FC61A018B for ; Fri, 4 Apr 2014 06:23:14 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id BD5FD1F00EC; Fri, 4 Apr 2014 09:23:09 -0400 (EDT) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id A309A1F0F02; Fri, 4 Apr 2014 09:23:09 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.3.174.1; Fri, 4 Apr 2014 09:23:09 -0400 Message-ID: <533EB22D.9070604@mitre.org> Date: Fri, 4 Apr 2014 09:22:53 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hannes Tschofenig , "oauth@ietf.org" References: <533E77C3.9000509@gmx.net> In-Reply-To: <533E77C3.9000509@gmx.net> Content-Type: multipart/alternative; boundary="------------060207050003070903020007" X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/4527rHEd-b41UAGiDQ6uV9j4Mho Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2014 13:23:19 -0000 --------------060207050003070903020007 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit I believe the two documents should be merged back into one, keeping the same functionality. It doesn't help developers to split them out like this and it doesn't change the modularity of the implementation at all to have things listed in separate documents. I would really like to see actual concrete implementations of the software statement. -- Justin On 04/04/2014 05:13 AM, Hannes Tschofenig wrote: > Hi all, > > This is a Last Call for comments on the dynamic client registration > documents: > > * OAuth 2.0 Dynamic Client Registration Core Protocol > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 > > * OAuth 2.0 Dynamic Client Registration Metadata > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 > > Since we have to do the last call for these two documents together we > are setting the call for **3 weeks**. > > Please have your comments in no later than April 25th. > > Ciao > Hannes & Derek > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------060207050003070903020007 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit I believe the two documents should be merged back into one, keeping the same functionality. It doesn't help developers to split them out like this and it doesn't change the modularity of the implementation at all to have things listed in separate documents.

I would really like to see actual concrete implementations of the software statement.

 -- Justin

On 04/04/2014 05:13 AM, Hannes Tschofenig wrote:
Hi all,

This is a Last Call for comments on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00

Since we have to do the last call for these two documents together we
are setting the call for **3 weeks**.

Please have your comments in no later than April 25th.

Ciao
Hannes & Derek




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------060207050003070903020007-- From nobody Fri Apr 4 08:26:02 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0A5B1A01F4 for ; Thu, 3 Apr 2014 09:07:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -16.22 X-Spam-Level: X-Spam-Status: No, score=-16.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NEUTRAL=0.779, USER_IN_DEF_WHITELIST=-15] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V43f-XXngTsB for ; Thu, 3 Apr 2014 09:07:17 -0700 (PDT) Received: from mrout2-b.corp.bf1.yahoo.com (mrout2-b.corp.bf1.yahoo.com [98.139.253.105]) by ietfa.amsl.com (Postfix) with ESMTP id CCF7A1A0211 for ; Thu, 3 Apr 2014 09:07:16 -0700 (PDT) Received: from BF1-EX10-CAHT16.y.corp.yahoo.com (bf1-ex10-caht16.corp.bf1.yahoo.com [10.74.226.60]) by mrout2-b.corp.bf1.yahoo.com (8.14.4/8.14.4/y.out) with ESMTP id s33G6PaI059854 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for ; Thu, 3 Apr 2014 09:06:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yahoo-inc.com; s=cobra; t=1396541186; bh=t0IirXC7K5HtTgcbBuyqcbUb5iB2Nh61c/coKyzbLOM=; h=References:Date:From:Reply-To:Subject:To:In-Reply-To; b=lmfxop2kWBmqbmvau1l01ZAE7O6AoxlQZoxmXQTV2Q2CIhIo8m758U82xiqrGUUkS ukq2v5RZqvpvMySJWj6h7WA2RPHogB34PnbOjkavRyAGNHtVqgZFeagf0n5ZhCaUhV 2+URIzOjEgqoPtD8RN8dwG/EPP5/E+q4a1Ta6Ii0= Received: from omp1030.mail.ne1.yahoo.com (98.138.89.174) by BF1-EX10-CAHT16.y.corp.yahoo.com (10.74.209.170) with Microsoft SMTP Server (TLS) id 14.3.181.6; Thu, 3 Apr 2014 12:06:25 -0400 Received: (qmail 55855 invoked by uid 1000); 3 Apr 2014 16:06:24 -0000 Received: (qmail 1822 invoked by uid 60001); 3 Apr 2014 16:06:24 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1396541184; bh=VrNbInVRI7Hd363AQTOu/yCurFB+yCkIShvvtDViygw=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=NDNitKcaL0avVBL+vUMCNIMvpdOMpqtBk4IS8WOxXmBa4vf4cGlmLL7jL9CXdASn/OhBEVAL0gY6ByjEToVY0oxff8VGYsLFTPb8nSnMbfHcFoshu80Va+4YAcMRIOgXOX7SwLjREf49MI1mRZbXj24spCGZypkyIBU0X3uBOjY= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=A60I6W1kR2kdhTEz1oBgG/R00XtgecDE+I1r5xKT9A5irMDBGfxBGuKkZuVng7eVTGz3S4lyp7u/GJdlNC64emeTK/485lf86W/a8/OFJXrvKNbFhkfrOreZhXc4FjCahfa0TtyL3PObRSuR1qS+mO//n8o3cPrp+qJEBnUsACA=; X-YMail-OSG: 70XWf8EVM1m2Iw31apjAf9nfhOJZoM8IWoF1mXB2JGfITp. aPqElMSoYTLVWO3mJoisXyTSnjLJv1JD6AmATMvOUMmrxVxQcns0I_lD_nK5 o8cVD0Jijo.f09rIkoUoh1hv.g4Vx6e7fS70mKlTtYYTqyOYP9.tDuyDgtcl 9MrQyWJiXYdSG7ZeVB.wMDUxKP0aqdF2CgKd5GV6D0rsMCxKNOlRej4cN0bf 0S0HtjsXjFkQRZG.YPWrSujZB4L97tpz0xEY5szTLqmkcr0FKosTrC4Y65w1 Qzkrce_u.Hl1vtctBO0WDSMKO5zDGzqQ- Received: from [99.31.212.42] by web125601.mail.ne1.yahoo.com via HTTP; Thu, 03 Apr 2014 09:06:24 PDT X-Rocket-MIMEInfo: 002.001, SSByZWFsbHkgKmxpa2UqIHRoZSBuYW1lICJwcm9vZiBvZiBwb3NzZXNzaW9uIiwgYnV0IEkgdGhpbmsgdGhlIGFjcm9ueW0gUG9QIGlzIGdvaW5nIHRvIGJlIGNvbmZ1c2VkIHdpdGggUE9QLsKgIEhPVEsgaGFzIHRoZSBhZHZhbnRhZ2Ugb2Ygbm90IGJlaW5nIGEgaG9tb255bSBmb3IgYXl0aGluZyBlbHNlLsKgIFdoYXQgYWJvdXQgIlBvc3Nlc3Npb24gUHJvb2YiPwoKwqAKLWJpbGwKCgoKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KV2lsbGlhbSBKLiBNaWxscwoiUGFyYW5vaWQiIE1VWCBZYWgBMAEBAQE- X-Mailer: YahooMailWebService/0.8.182.648 References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> Message-ID: <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> Date: Thu, 3 Apr 2014 09:06:24 -0700 From: Bill Mills To: Phil Hunt , Prateek Mishra , Hannes Tschofenig , Justin Richer , OAuth WG In-Reply-To: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="-1981468715-1974275554-1396541184=:357" X-Milter-Version: master.31+4-gbc07cd5+ X-CLX-ID: 541186003 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/tsK-_pRofn5JGHwuD4Jp32wr-2E X-Mailman-Approved-At: Fri, 04 Apr 2014 08:26:01 -0700 Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Bill Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2014 16:07:21 -0000 ---1981468715-1974275554-1396541184=:357 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I really *like* the name "proof of possession", but I think the acronym PoP= is going to be confused with POP.=A0 HOTK has the advantage of not being a= homonym for aything else.=A0 What about "Possession Proof"?=0A=0A=A0=0A-bi= ll=0A=0A=0A=0A--------------------------------=0AWilliam J. Mills=0A"Parano= id" MUX Yahoo!=0A=0A=0AOn Thursday, April 3, 2014 1:38 AM, "internet-drafts= @ietf.org" wrote:=0A =0A=0AA new version of I-D,= draft-hunt-oauth-pop-architecture-00.txt=0Ahas been successfully submitted= by Hannes Tschofenig and posted to the=0AIETF repository.=0A=0AName:=A0=A0= =A0 =A0=A0=A0 draft-hunt-oauth-pop-architecture=0ARevision:=A0=A0=A0 00=0AT= itle:=A0=A0=A0 =A0=A0=A0 OAuth 2.0 Proof-of-Possession (PoP) Security Archi= tecture=0ADocument date:=A0=A0=A0 2014-04-03=0AGroup:=A0=A0=A0 =A0=A0=A0 In= dividual Submission=0APages:=A0=A0=A0 =A0=A0=A0 21=0AURL:=A0 =A0 =A0 =A0 = =A0 =A0 http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architectu= re-00.txt=0AStatus:=A0 =A0 =A0 =A0 https://datatracker.ietf.org/doc/draft-h= unt-oauth-pop-architecture/=0AHtmlized:=A0 =A0 =A0 http://tools.ietf.org/ht= ml/draft-hunt-oauth-pop-architecture-00=0A=0A=0AAbstract:=0A=A0 The OAuth = 2.0 bearer token specification, as defined in RFC 6750,=0A=A0 allows any p= arty in possession of a bearer token (a "bearer") to get=0A=A0 access to t= he associated resources (without demonstrating possession=0A=A0 of a crypt= ographic key).=A0 To prevent misuse, bearer tokens must to be=0A=A0 protec= ted from disclosure in transit and at rest.=0A=0A=A0 Some scenarios demand= additional security protection whereby a client=0A=A0 needs to demonstrat= e possession of cryptographic keying material when=0A=A0 accessing a prote= cted resource.=A0 This document motivates the=0A=A0 development of the OAu= th 2.0 proof-of-possession security mechanism.=0A=0A=A0 =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =0A=0A= =0APlease note that it may take a couple of minutes from the time of submis= sion=0Auntil the htmlized version and diff are available at tools.ietf.org.= =0A=0AThe IETF Secretariat ---1981468715-1974275554-1396541184=:357 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
I really *like* the name "proof of possession", but I think the acronym P= oP is going to be confused with POP.  HOTK has the advantage of not be= ing a homonym for aything else.  What about "Possession Proof"?
 
-bill


-------------------------= -------
William J. Mills
"Paranoid" MUX Yahoo!

On Thursday, April 3, 2014 1:38 AM, "internet-d= rafts@ietf.org" <internet-drafts@ietf.org> wrote:
=

A new version of I-D, draft-hunt-oauth-= pop-architecture-00.txt
has been successfully submitted by Hannes Tschof= enig and posted to the
IETF repository.

Name:    &= nbsp;   draft-hunt-oauth-pop-architecture
Revision:  = ;  00
Title:        OAuth 2.0 Proof-o= f-Possession (PoP) Security Architecture
Document date:   = ; 2014-04-03
Group:        Individual Subm= ission
Pages:        21
URL:  &nbs= p;         http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop= -architecture-00.txt
Status:        https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architect= ure/
Htmlized:      http://tools.= ietf.org/html/draft-hunt-oauth-pop-architecture-00


Abstract:=
  The OAuth 2.0 bearer token specification, as defined in RFC 675= 0,
  allows any party in possession of a bearer token (a "bearer")= to get
  access to the associated resources (without demonstratin= g possession
  of a cryptographic key).  To prevent misuse, b= earer tokens must to be
  protected from disclosure in transit and= at rest.

  Some scenarios demand additional security protecti= on whereby a client
  needs to demonstrate possession of cryptograph= ic keying material when
  accessing a protected resource.  Th= is document motivates the
  development of the OAuth 2.0 proof-of-= possession security mechanism.

          &n= bsp;                     =                      = ;                     &nb= sp;      


Please note that it may take a couple = of minutes from the time of submission
until the htmlized version and di= ff are available at tools.ietf.org.

The IETF Secretariat


=
---1981468715-1974275554-1396541184=:357-- From nobody Fri Apr 4 08:38:30 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E51041A0235 for ; Fri, 4 Apr 2014 08:38:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.611 X-Spam-Level: X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kCYfCYiqyR6e for ; Fri, 4 Apr 2014 08:38:23 -0700 (PDT) Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) by ietfa.amsl.com (Postfix) with ESMTP id 788BC1A0232 for ; Fri, 4 Apr 2014 08:38:23 -0700 (PDT) X-AuditID: 1209190e-f79ee6d000000c40-26-533ed1eafac4 Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 12.4A.03136.AE1DE335; Fri, 4 Apr 2014 11:38:18 -0400 (EDT) Received: from outgoing-exchange-3.mit.edu (outgoing-exchange-3.mit.edu [18.9.28.13]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id s34FcHqN015504; Fri, 4 Apr 2014 11:38:18 -0400 Received: from OC11EXEDGE3.EXCHANGE.MIT.EDU (oc11exedge3.exchange.mit.edu [18.9.3.21]) by outgoing-exchange-3.mit.edu (8.13.8/8.12.4) with ESMTP id s34FcH6D024540; Fri, 4 Apr 2014 11:38:17 -0400 Received: from W92EXHUB13.exchange.mit.edu (18.7.73.24) by OC11EXEDGE3.EXCHANGE.MIT.EDU (18.9.3.21) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 4 Apr 2014 11:38:09 -0400 Received: from OC11EXPO24.exchange.mit.edu ([169.254.1.193]) by W92EXHUB13.exchange.mit.edu ([18.7.73.24]) with mapi id 14.03.0158.001; Fri, 4 Apr 2014 11:38:16 -0400 From: Thomas Hardjono To: Bill Mills , OAuth WG Thread-Topic: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt Thread-Index: AQHPUBowsLOurSBGTkGypziV6taZwZsBlZ9B Date: Fri, 4 Apr 2014 15:38:15 +0000 Message-ID: <5E393DF26B791A428E5F003BB6C5342A55BF436B@OC11EXPO24.exchange.mit.edu> References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com>, <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> In-Reply-To: <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [18.189.27.130] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrJKsWRmVeSWpSXmKPExsUixCmqrPvqol2wwZ49BhYn375is3jfX+3A 5LFkyU8mjzurfjEGMEVx2aSk5mSWpRbp2yVwZdy49Z694Ixoxbr7l1gaGPcIdjFyckgImEh8 /rCEHcIWk7hwbz1bFyMXh5DAbCaJz7NPMkM4+xkl1j7aDZU5xijRsPcSE4SzjVHiSu8mqMwq RomJ1x+ygAxjE9CQOPd7L9hgEQEHiWXr97KB2MIC8RKLG3YzQsQTJH7MX8gEYRtJPJu/GKye RUBF4snTF0C7OTh4BYIkJjaJgYSFBGokfuy6A1bCKeAu0dg5lRXEZgS6+/upNWBjmAXEJW49 mc8E8Y+gxKLZe5hhfvu36yEbhK0o8eLiQmaIeh2JBbs/sUHY2hLLFr4Gi/MC9Z6c+YRlAqPE LCRjZyFpmYWkZRaSlgWMLKsYZVNyq3RzEzNzilOTdYuTE/PyUot0jfVyM0v0UlNKNzGCY1CS bwfj14NKhxgFOBiVeHg7dtgFC7EmlhVX5h5ilORgUhLlvboKKMSXlJ9SmZFYnBFfVJqTWnyI UYKDWUmEt24CUI43JbGyKrUoHyYlzcGiJM771toqWEggPbEkNTs1tSC1CCYrw8GhJMFrBkw1 QoJFqempFWmZOSUIaSYOTpDhPEDDfUBqeIsLEnOLM9Mh8qcYFaXEeT9fAEoIgCQySvPgemEp 8hWjONArwrwqIO08wPQK1/0KaDAT0OCGMLDBJYkIKakGxhgbWcMlL4NYN35gT/nA82vVjfeN mkxqLe5qT6s3zVn0UNGzaPVum91fVedt3xb52bj6Vz2fbUCsgHTCvMJv0RMazfk37Pnjziws Z5y46/uV0wwCD1kW1hvf8FbY/oupVidvVvKRsK/Ch1OvXfPekHrt6Z6TF2UbfgobC7S8jwrq z1pr11V4W4mlOCPRUIu5qDgRAAiod0lsAwAA Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Wf_S_DYGCUEhoYjlo3UEJsIktDw Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2014 15:38:28 -0000 Bill, The PoP terminology in ancient IETF terminology coming from the IPsec WG (a= lso home of IKE and IKEv2 protocols),=20 and perhaps even before the IPsec WG. So its a well-known term in the Secu= rity Area. I'd suggest we keep it. Folks that work in the Mail & routing area use the term POP3 or RFC1939 in = their context. People in OASIS security-related Technical Committees use HOK (holder of ke= y), such as the HOK Web Browser profile: https://wiki.oasis-open.org/security/SamlHoKWebSSOProfile /thomas/ ________________________________________ From: OAuth [oauth-bounces@ietf.org] on behalf of Bill Mills [wmills@yahoo-= inc.com] Sent: Thursday, April 03, 2014 12:06 PM To: Phil Hunt; Prateek Mishra; Hannes Tschofenig; Justin Richer; OAuth WG Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-a= rchitecture-00.txt I really *like* the name "proof of possession", but I think the acronym PoP= is going to be confused with POP. HOTK has the advantage of not being a h= omonym for aything else. What about "Possession Proof"? -bill -------------------------------- William J. Mills "Paranoid" MUX Yahoo! On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" wrote: A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt has been successfully submitted by Hannes Tschofenig and posted to the IETF repository. Name: draft-hunt-oauth-pop-architecture Revision: 00 Title: OAuth 2.0 Proof-of-Possession (PoP) Security Architecture Document date: 2014-04-03 Group: Individual Submission Pages: 21 URL: http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-ar= chitecture-00.txt Status: https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-archit= ecture/ Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture= -00 Abstract: The OAuth 2.0 bearer token specification, as defined in RFC 6750, allows any party in possession of a bearer token (a "bearer") to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens must to be protected from disclosure in transit and at rest. Some scenarios demand additional security protection whereby a client needs to demonstrate possession of cryptographic keying material when accessing a protected resource. This document motivates the development of the OAuth 2.0 proof-of-possession security mechanism. Please note that it may take a couple of minutes from the time of submissio= n until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat From nobody Fri Apr 4 09:41:27 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E36C51A020B for ; Fri, 4 Apr 2014 09:41:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.509 X-Spam-Level: X-Spam-Status: No, score=-1.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IIRQVHKCh7-S for ; Fri, 4 Apr 2014 09:41:18 -0700 (PDT) Received: from nm32-vm8.bullet.mail.bf1.yahoo.com (nm32-vm8.bullet.mail.bf1.yahoo.com [72.30.238.134]) by ietfa.amsl.com (Postfix) with ESMTP id DEFFE1A01F3 for ; Fri, 4 Apr 2014 09:41:17 -0700 (PDT) Received: from [98.139.212.151] by nm32.bullet.mail.bf1.yahoo.com with NNFMP; 04 Apr 2014 16:41:13 -0000 Received: from [98.139.212.214] by tm8.bullet.mail.bf1.yahoo.com with NNFMP; 04 Apr 2014 16:41:13 -0000 Received: from [127.0.0.1] by omp1023.mail.bf1.yahoo.com with NNFMP; 04 Apr 2014 16:41:13 -0000 X-Yahoo-Newman-Property: ymail-5 X-Yahoo-Newman-Id: 196732.40860.bm@omp1023.mail.bf1.yahoo.com Received: (qmail 54260 invoked by uid 60001); 4 Apr 2014 16:41:13 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1396629673; bh=fbgclEU1r5hZ+sxbGEISEtYRa2O5lYcYK5dftb7+lms=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=cvz1E2i7qdiDvgxRd/SoXBJBhWxyO/9t4ClrZtNMJommiup/OU5JBLTDcOD1uqwDcwKI+JAO2VLZ4JUsMwjgWoVi2wzGASW0bp6J2gY/iAOftnvfj1y0PEGBLrlgXClPbS4gEvPi3FINyRFjues8o43EhpSIyiIuddTgYwwLaNM= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=Z480EVUoM1uR3O56Z1NvtvdbezN325Zs6pPCs9nB9wIB7hnT6qtH6EKguscKRIzYElQBR2Oz3/tJ7oW+HJt9hlWP6e4t9hMxr75x05G++rNrer9QLH8Fybnv8xqUlMLRBQ/hJ+YlHQoX64i3kQIJ5/pzFq+TYjMPW7pO7f3uugo=; X-YMail-OSG: AZo5rX8VM1kYmMXpb_uw9TFgkxoAnbzSuFObW2GUrDykVMS sLEYZTsm5UU.he_wjC3UWhKwDE4R3dsqPz.VvtYuFdskGR.G1dbo529od9AZ cRT1a.Rw1p9isRSD1SndVX0Q0Z.4khUl.hNlPvls9ljfCg5_NhogO_f6DJ1I gKf0vnG9ism6M80iuUiA9dfrh56zi9zaaowmNnOk..SdyTTjgLHVODefFcnZ pFyvINxlGLZwdkkFfkDSxwwxP9AaLR6Cvo1mKzsdzvR6RINVetPpyn6tbhzR wBNLvPC5YFT3YKXNLHW7v8x_NXRxmLZzLW2zIC439K26vzF1Tx_K03GztfS1 8z2NbH4Xkdr5mqG6bJ4Pb5Z_dwjDWBAHnixTW12uJ34zDHMfjjllRIQnKv3R s3N2MJh89kU7SqsBvNIi8eC.xdVyrZRMkymP4rI..dskOKku.CKu.bEmqSan iZ4vjgtXlsHL6A90OUJq2hZGdGLN7Rpssx5VjfmnPPY1F7sObm6o71zzv7z9 3LHnVivzUwV7Zwa1kBOhbvIgq..jpApaKd1dd6N_MVOPFyAtg Received: from [99.31.212.42] by web142804.mail.bf1.yahoo.com via HTTP; Fri, 04 Apr 2014 09:41:12 PDT X-Rocket-MIMEInfo: 002.001, R2l2ZW4gdGhlIGZ1bmRhbWVudGFsIHNjYWxhYmlsaXR5IHByb2JsZW0gd2UgZGlzY3Vzc2VkIGluIExvbmRvbiBkbyB3ZSByZWFsbHkgZmVlbCB3ZSdyZSByZWFkeT8KT24gRnJpZGF5LCBBcHJpbCA0LCAyMDE0IDM6MDcgQU0sIEhhbm5lcyBUc2Nob2ZlbmlnIDxoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0PiB3cm90ZToKIApIaSBhbGwsCgpUaGlzIGlzIGEgTGFzdCBDYWxsIGZvciBjb21tZW50cyBvbiB0aGUgZHluYW1pYyBjbGllbnQgcmVnaXN0cmF0aW9uCmRvY3VtZW50czoKCiogT0F1dGggMi4wIER5bmEBMAEBAQE- X-Mailer: YahooMailWebService/0.8.182.648 References: <533E77C3.9000509@gmx.net> Message-ID: <1396629672.75505.YahooMailNeo@web142804.mail.bf1.yahoo.com> Date: Fri, 4 Apr 2014 09:41:12 -0700 (PDT) From: Bill Mills To: Hannes Tschofenig , "oauth@ietf.org" In-Reply-To: <533E77C3.9000509@gmx.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="-2129327256-776238219-1396629672=:75505" Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/j1RmPpDcC-YvgAABU3gMe2Bu-XM Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Bill Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2014 16:41:22 -0000 ---2129327256-776238219-1396629672=:75505 Content-Type: text/plain; charset=us-ascii Given the fundamental scalability problem we discussed in London do we really feel we're ready? On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig wrote: Hi all, This is a Last Call for comments on the dynamic client registration documents: * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 * OAuth 2.0 Dynamic Client Registration Metadata http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 Since we have to do the last call for these two documents together we are setting the call for **3 weeks**. Please have your comments in no later than April 25th. Ciao Hannes & Derek _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ---2129327256-776238219-1396629672=:75505 Content-Type: text/html; charset=us-ascii
Given the fundamental scalability problem we discussed in London do we really feel we're ready?
On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
Hi all,

This is a Last Call for comments on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00

Since we have to do the last call for these two documents together we
are setting the call for **3 weeks**.

Please have your comments in no later than April 25th.

Ciao
Hannes & Derek

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


---2129327256-776238219-1396629672=:75505-- From nobody Fri Apr 4 17:49:45 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60C3F1A031C for ; Fri, 4 Apr 2014 17:49:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yg1rDtKU2SNH for ; Fri, 4 Apr 2014 17:49:40 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0181.outbound.protection.outlook.com [207.46.163.181]) by ietfa.amsl.com (Postfix) with ESMTP id 04A871A030F for ; Fri, 4 Apr 2014 17:49:39 -0700 (PDT) Received: from BLUPR03CA033.namprd03.prod.outlook.com (10.141.30.26) by BLUPR03MB438.namprd03.prod.outlook.com (10.141.78.149) with Microsoft SMTP Server (TLS) id 15.0.908.10; Sat, 5 Apr 2014 00:49:33 +0000 Received: from BY2FFO11FD001.protection.gbl (2a01:111:f400:7c0c::149) by BLUPR03CA033.outlook.office365.com (2a01:111:e400:879::26) with Microsoft SMTP Server (TLS) id 15.0.913.9 via Frontend Transport; Sat, 5 Apr 2014 00:49:33 +0000 Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD001.mail.protection.outlook.com (10.1.14.123) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sat, 5 Apr 2014 00:49:31 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0174.002; Sat, 5 Apr 2014 00:49:05 +0000 From: Mike Jones To: Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents Thread-Index: AQHPT+nITTIZxjtAw0axukyWMLHP/JsCL3yg Date: Sat, 5 Apr 2014 00:49:03 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A141067@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <533E77C3.9000509@gmx.net> In-Reply-To: <533E77C3.9000509@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.33] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; ?= =?us-ascii?Q?SFS:(10009001)(6009001)(438001)(199002)(13464003)(189002)(53?= =?us-ascii?Q?754006)(377454003)(81342001)(33656001)(80976001)(47446002)(6?= =?us-ascii?Q?3696002)(74662001)(20776003)(83072002)(84676001)(65816001)(2?= =?us-ascii?Q?24303002)(2656002)(74706001)(87266001)(56816005)(46406003)(8?= =?us-ascii?Q?7936001)(81686001)(99396002)(81816001)(95666003)(81542001)(9?= =?us-ascii?Q?7186001)(224313003)(66066001)(74366001)(97336001)(92726001)(?= =?us-ascii?Q?93516002)(77096001)(50986001)(76482001)(23726002)(69226001)(?= =?us-ascii?Q?85852003)(19580395003)(6806004)(15975445006)(93136001)(47776?= =?us-ascii?Q?003)(83322001)(51856001)(95416001)(4396001)(85306002)(152023?= =?us-ascii?Q?45003)(86362001)(94946001)(77982001)(2009001)(76786001)(9431?= =?us-ascii?Q?6002)(59766001)(97736001)(44976005)(55846006)(76796001)(1958?= =?us-ascii?Q?0405001)(98676001)(90146001)(74876001)(31966008)(79102001)(5?= =?us-ascii?Q?4356001)(86612001)(53806001)(47976001)(54316002)(56776001)(9?= =?us-ascii?Q?7756001)(49866001)(80022001)(50466002)(47736001)(74502001)(9?= =?us-ascii?Q?2566001)(46102001);DIR:OUT;SFP:1101;SCL:1;SRVR:BLUPR03MB438;?= =?us-ascii?Q?H:mail.microsoft.com;FPR:FEE6FA7F.1CF65FEA.31D53B80.48E4A0E0?= =?us-ascii?Q?.20245;MLV:sfv;PTR:InfoDomainNonexistent;A:1;MX:1;LANG:en;?= X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0172F0EF77 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/_8xbAJQCOXRIaXFi3dNgqBogUz4 Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2014 00:49:44 -0000 I would combine these two documents, with no normative changes. This would= be a convenience for implementers. And the metadata values that are curre= ntly optional would remain optional. I would also add an optional "jwks" metadata member, paralleling this addit= ion in OpenID Connect Registration. This allows the JWK Set to be passed b= y value, rather than by reference. This was discussed in London and people= seemed to agree with this change. The reference to RFC 4627 should be changed to RFC 7159, which has obsolete= d 4627. Other than that, I believe they're ready to proceed on the next steps towar= ds becoming an RFC. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Friday, April 04, 2014 2:14 AM To: oauth@ietf.org Subject: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration = Documents Hi all, This is a Last Call for comments on the dynamic client registration documents: * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 * OAuth 2.0 Dynamic Client Registration Metadata http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 Since we have to do the last call for these two documents together we are s= etting the call for **3 weeks**. Please have your comments in no later than April 25th. Ciao Hannes & Derek From nobody Fri Apr 4 23:39:30 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3539D1A0331 for ; Fri, 4 Apr 2014 23:39:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.55 X-Spam-Level: X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vgHM1s9dD5sH for ; Fri, 4 Apr 2014 23:39:23 -0700 (PDT) Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.38]) by ietfa.amsl.com (Postfix) with ESMTP id F0F601A0330 for ; Fri, 4 Apr 2014 23:39:22 -0700 (PDT) Received: from [91.2.89.182] (helo=[192.168.71.82]) by smtprelay04.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from ) id 1WWKG4-0001MP-Q5; Sat, 05 Apr 2014 08:39:16 +0200 References: <533E77C3.9000509@gmx.net> <1396629672.75505.YahooMailNeo@web142804.mail.bf1.yahoo.com> Mime-Version: 1.0 (1.0) In-Reply-To: <1396629672.75505.YahooMailNeo@web142804.mail.bf1.yahoo.com> Content-Type: multipart/alternative; boundary=Apple-Mail-48C86FB4-BFE9-4475-AB30-CF223D8CC7A4 Content-Transfer-Encoding: 7bit Message-Id: <495B4720-34D6-4588-9E63-A8F501D39177@lodderstedt.net> X-Mailer: iPad Mail (11D167) From: Torsten Lodderstedt Date: Sat, 5 Apr 2014 08:39:15 +0200 To: Bill Mills X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ= Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/C_g6ffsnN_MD6FuIKt8KuDTp8WI Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2014 06:39:27 -0000 --Apple-Mail-48C86FB4-BFE9-4475-AB30-CF223D8CC7A4 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Hi Bill, which scalability problem are you referring to? As far as I remember there w= ere issues around the management API but not the core protocol. regards, Torsten. > Am 04.04.2014 um 18:41 schrieb Bill Mills : >=20 > Given the fundamental scalability problem we discussed in London do we rea= lly feel we're ready? > On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig wrote: > Hi all, >=20 > This is a Last Call for comments on the dynamic client registration > documents: >=20 > * OAuth 2.0 Dynamic Client Registration Core Protocol > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 >=20 > * OAuth 2.0 Dynamic Client Registration Metadata > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 >=20 > Since we have to do the last call for these two documents together we > are setting the call for **3 weeks**. >=20 > Please have your comments in no later than April 25th. >=20 > Ciao > Hannes & Derek >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail-48C86FB4-BFE9-4475-AB30-CF223D8CC7A4 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
Hi Bill,

whic= h scalability problem are you referring to? As far as I remember there were i= ssues around the management API but not the core protocol.

regards,
Torsten.

Am 04.04.2014 um 18:41 sch= rieb Bill Mills <wmills_92105@y= ahoo.com>:

Giv= en the fundamental scalability problem we discussed in London do we really f= eel we're ready?
On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
=
Hi all,

This is a Las= t Call for comments on the dynamic client registration
documents:

= * OAuth 2.0 Dynamic Client Registration Core Protocol
http://too= ls.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic C= lient Registration Metadata
http://tools.ietf.org/html/= draft-ietf-oauth-dyn-reg-metadata-00

Since we have to do the last= call for these two documents together we
are setting the call for **3 we= eks**.

Please have your comments in no later than April 25th.

= Ciao
Hannes & Derek

__________________________________________= _____
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/list= info/oauth


__________________________________= _____________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/= oauth
= --Apple-Mail-48C86FB4-BFE9-4475-AB30-CF223D8CC7A4-- From nobody Sat Apr 5 01:38:35 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3BE61A03AB for ; Sat, 5 Apr 2014 01:38:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.91 X-Spam-Level: X-Spam-Status: No, score=-0.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F_Pv_cHfX1cl for ; Sat, 5 Apr 2014 01:38:27 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 8AE391A0110 for ; Sat, 5 Apr 2014 01:38:27 -0700 (PDT) Received: from [192.168.131.139] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MYLKn-1WaSp23czh-00V7Y6; Sat, 05 Apr 2014 10:38:22 +0200 Message-ID: <533FC099.6010806@gmx.net> Date: Sat, 05 Apr 2014 10:36:41 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Torsten Lodderstedt , Bill Mills References: <533E77C3.9000509@gmx.net> <1396629672.75505.YahooMailNeo@web142804.mail.bf1.yahoo.com> <495B4720-34D6-4588-9E63-A8F501D39177@lodderstedt.net> In-Reply-To: <495B4720-34D6-4588-9E63-A8F501D39177@lodderstedt.net> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="MN97Wh9PnMfvOTbsU5lSiu47ruQ2gDWSU" X-Provags-ID: V03:K0:vpsFdHZAb2w70nc6duruOfSQ9gkFm5iZovWioWq4/z3S3ddWtJq ifZT4/HK2L/OPubKOpkixKftkIhiQfkfxyoWMinFer6ky0Zks/9h1BDg5c6HIL1q252gRXl 7TLFS5XuCKxPeB2l9iOsla6dU3NFCslNiLdao3DxbA90KZjeDTNwQOZYJnli0ADaP8OLeTy b7zcBPuC78vdBINprYOZg== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/1dBxEVIWEhdihWSqdyvTUVyPy38 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2014 08:38:32 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --MN97Wh9PnMfvOTbsU5lSiu47ruQ2gDWSU Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Bill, I believe Torsten is right. Most of the discussion in London was focused on the management API rather than the core/meta-data docs. Unfortunately, in our agenda we lumped both of these topics together. There wasn't much disagreement on the core/meta-data docs. As I wrote on the mailing list after our management API discussion (see http://www.ietf.org/mail-archive/web/oauth/current/msg12514.html ) we will have to get a better understanding of the constraints of the deployment environments. Ciao Hannes On 04/05/2014 08:39 AM, Torsten Lodderstedt wrote: > Hi Bill, >=20 > which scalability problem are you referring to? As far as I remember > there were issues around the management API but not the core protocol. >=20 > regards, > Torsten. >=20 > Am 04.04.2014 um 18:41 schrieb Bill Mills >: >=20 >> Given the fundamental scalability problem we discussed in London do we= >> really feel we're ready? >> On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig >> > wrote: >> Hi all, >> >> This is a Last Call for comments on the dynamic client registration >> documents: >> >> * OAuth 2.0 Dynamic Client Registration Core Protocol >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 >> >> * OAuth 2.0 Dynamic Client Registration Metadata >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 >> >> Since we have to do the last call for these two documents together we >> are setting the call for **3 weeks**. >> >> Please have your comments in no later than April 25th. >> >> Ciao >> Hannes & Derek >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth --MN97Wh9PnMfvOTbsU5lSiu47ruQ2gDWSU Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTP8CZAAoJEGhJURNOOiAt9oEH/0l+Y8gnY9sB6O7sygDQYyfH zmDRfCniWn88SvfzSUO9lM6INPEALZrTEsa8XZZM2D1Wu6I1jVRrhBRfpda5Zw55 1vJY3GTEqNXb5FHVOFQflvy6SRLZu7frJh7crKVTorgl8i1+ISKTc2tb923Ho0Xy ieV1/eQ4dgdGKgr5SmglT/hhT5RPASu59J6Ba7qKROnXcMKC7M2zaccHanzlYppp 0CSLSAmBe0m5eSoyQd0QXD4t5ZA0mKyoWO+khDpfLkqWhiqtRe8c6imniUye+s6p SOcXUQ0u82o4CpoLyJ53QztQXUfFGJpB9rtjHsCghMGLHhfDjxTG2JkzoLaB+1s= =6nkN -----END PGP SIGNATURE----- --MN97Wh9PnMfvOTbsU5lSiu47ruQ2gDWSU-- From nobody Sat Apr 5 16:06:15 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56FE91A01B0 for ; Sat, 5 Apr 2014 16:06:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5PhIaglkzPX for ; Sat, 5 Apr 2014 16:06:09 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (dns-bn1lp0143.outbound.protection.outlook.com [207.46.163.143]) by ietfa.amsl.com (Postfix) with ESMTP id B46321A0192 for ; Sat, 5 Apr 2014 16:06:08 -0700 (PDT) Received: from BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) by BLUPR03MB312.namprd03.prod.outlook.com (10.141.48.28) with Microsoft SMTP Server (TLS) id 15.0.908.10; Sat, 5 Apr 2014 23:06:02 +0000 Received: from BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) by BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) with mapi id 15.00.0908.008; Sat, 5 Apr 2014 23:06:02 +0000 From: Anthony Nadalin To: Mike Jones , Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents Thread-Index: AQHPT+nJ4KJS+eG/n0yC2jifmlELQJsCMdqAgAF1SAA= Date: Sat, 5 Apr 2014 23:06:01 +0000 Message-ID: References: <533E77C3.9000509@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A141067@TK5EX14MBXC286.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A141067@TK5EX14MBXC286.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [58.64.242.220] x-forefront-prvs: 0172F0EF77 x-forefront-antispam-report: =?us-ascii?Q?SFV:NSPM; SFS:(10009001)(979002)(6009001)(428001)(377454003)(?= =?us-ascii?Q?199002)(189002)(53754006)(13464003)(63696002)(87266001)(1597?= =?us-ascii?Q?5445006)(2656002)(20776003)(74706001)(81542001)(81342001)(85?= =?us-ascii?Q?852003)(47446002)(65816001)(59766001)(76482001)(92566001)(56?= =?us-ascii?Q?816005)(76786001)(74662001)(79102001)(74502001)(99286001)(22?= =?us-ascii?Q?4303002)(98676001)(97336001)(224313003)(74876001)(66066001)(?= =?us-ascii?Q?81686001)(77982001)(54356001)(87936001)(19580395003)(7657600?= =?us-ascii?Q?1)(76796001)(97186001)(50986001)(51856001)(94316002)(3196600?= =?us-ascii?Q?8)(86612001)(93136001)(49866001)(95416001)(93516002)(6922600?= =?us-ascii?Q?1)(33646001)(47736001)(54316002)(4396001)(85306002)(15202345?= =?us-ascii?Q?003)(53806001)(1511001)(90146001)(95666003)(56776001)(743160?= =?us-ascii?Q?01)(19580405001)(81816001)(80976001)(47976001)(80022001)(833?= =?us-ascii?Q?22001)(83072002)(86362001)(99396002)(46102001)(94946001)(743?= =?us-ascii?Q?66001)(42262001)(24736002)(969003)(989001)(999001)(1009001)(?= =?us-ascii?Q?1019001);DIR:OUT;SFP:1101;SCL:1;SRVR:BLUPR03MB312;H:BLUPR03M?= =?us-ascii?Q?B309.namprd03.prod.outlook.com;FPR:3EE2F97F.1CF65F8A.31D1378?= =?us-ascii?Q?1.48E4A0E0.20290;MLV:ovrnspm;PTR:InfoNoRecords;A:1;MX:1;LANG?= =?us-ascii?Q?:en;?= received-spf: None (: microsoft.com does not designate permitted sender hosts) Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Y6lob6mF4sSMENK8AzQlhZwWlB0 Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2014 23:06:14 -0000 If these are going to be combined then a draft should be produced and then = a decision should be made once everyone has a chance to review -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones Sent: Friday, April 4, 2014 5:49 PM To: Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registrat= ion Documents I would combine these two documents, with no normative changes. This would= be a convenience for implementers. And the metadata values that are curre= ntly optional would remain optional. I would also add an optional "jwks" metadata member, paralleling this addit= ion in OpenID Connect Registration. This allows the JWK Set to be passed b= y value, rather than by reference. This was discussed in London and people= seemed to agree with this change. The reference to RFC 4627 should be changed to RFC 7159, which has obsolete= d 4627. Other than that, I believe they're ready to proceed on the next steps towar= ds becoming an RFC. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Friday, April 04, 2014 2:14 AM To: oauth@ietf.org Subject: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration = Documents Hi all, This is a Last Call for comments on the dynamic client registration documents: * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 * OAuth 2.0 Dynamic Client Registration Metadata http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 Since we have to do the last call for these two documents together we are s= etting the call for **3 weeks**. Please have your comments in no later than April 25th. Ciao Hannes & Derek _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From nobody Sat Apr 5 22:12:46 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 490BE1A0338 for ; Sat, 5 Apr 2014 22:12:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.509 X-Spam-Level: X-Spam-Status: No, score=-1.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VceaB_JS5lI8 for ; Sat, 5 Apr 2014 22:12:39 -0700 (PDT) Received: from nm25-vm1.bullet.mail.bf1.yahoo.com (nm25-vm1.bullet.mail.bf1.yahoo.com [98.139.212.155]) by ietfa.amsl.com (Postfix) with ESMTP id 2A18E1A0229 for ; Sat, 5 Apr 2014 22:12:39 -0700 (PDT) Received: from [98.139.215.140] by nm25.bullet.mail.bf1.yahoo.com with NNFMP; 06 Apr 2014 05:12:33 -0000 Received: from [98.139.212.250] by tm11.bullet.mail.bf1.yahoo.com with NNFMP; 06 Apr 2014 05:12:33 -0000 Received: from [127.0.0.1] by omp1059.mail.bf1.yahoo.com with NNFMP; 06 Apr 2014 05:12:33 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 781983.16484.bm@omp1059.mail.bf1.yahoo.com Received: (qmail 33303 invoked by uid 60001); 6 Apr 2014 05:12:33 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1396761153; bh=6s3/G/5ttcYkTqfUk1zKgVPpZkVJ6ewrKnGMRttKu7E=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=FgGRex6VZ72YT4TF8MlgP3Q5QioVrZ6wjKMQH070peehL9BFA8Ccg8ghf2tkJrhGcyHDRhG4CoCKuz4WmgiieUvHUnd3/go4HmuPtrmy5BlKH7tmnR7/HSG2JrzWaKulh1B4drwA6CjGtSGKiso4m+/3ei7ufAB1WoB0/o9ei2o= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=d6aoj6bWqCCXS6DwfEEjLuA4lRnjzCPa6EZ9QSw7hCBYx7cGBSVkifnEgUV1xovjXdICS+Y1o1TEbV2BeT4VxaJRnzQkbcYnCRKhOEfU8XrEa8qAeVlMTtEnLEkfFFKS+iTmSj6stYILF46G2Rje68E9eT6IPXoJCmMEI/wzeE8=; X-YMail-OSG: B7upusEVM1mrIARU.VtZYPNNPbUT9RtrdRewlbglkPBhQLM 12HpFtU4_3HfdlEOu81dHOBqiC1F9CuidCf9yrRPoi7csFyvay9WtMPzAFww CpFma8Q0qUinRNBUg2J9meOSWRp.Z8V58rnjWLU9i2Fy_aqhoWxM.nraYM1q ApQEm1bGWOdc2UBQR2V4xHWS5E0xsoN7EaIemYPsZYx9dZfse9j4g03_janf 6e5B88Su7WWq2Y_LuZWh9A53VZ6S6HS8K6dFP5pijN9lO1r_MJWq.dcdLO2Q LM.iFMIBOKJsJm8QClQ3irX7Y6nJ3er9.w9DXgIArMxM1pcAKU_99YJdPOBd fCQBlXo96cO0qv0vuxS6LHY1ILtl27UrwRpAjClyv1jfx75fCTxaY_9wZu8i ScKuiQiEW21r8Chbb73Xhm0BeGuvGd6XoZGJp6cdL5Q3U0EFa0XZHBeEYqDM SNjb7aaEeMHkECXUL.3Rv5wpNUNdgATum3P7eAz9M6exUNn_XQ5BR28_ksLt f3alKPsy.7e8yR4tTaeSBCBTbASXIRuNhN1DslapiqNJoKCCwkMmu Received: from [99.31.212.42] by web142805.mail.bf1.yahoo.com via HTTP; Sat, 05 Apr 2014 22:12:33 PDT X-Rocket-MIMEInfo: 002.001, VG8gbWUgdGhlIGZ1bmRhbWVudGFsIHF1ZXN0aW9uIG9mIHdoZXRoZXIgYSBjbGllbnQgaGFzIHRvIGJlIHJlZ2lzdGVyZWQgaW4gZWFjaCBwbGFjZSBpdCBpcyB1c2VkIGlzIHF1aXRlIHNpZ25pZmljYW50LiDCoFdlIGRvbid0IGFkZHJlc3MgdGhlIHByb2JsZW0gYW5kIGhhdmUgbm90IGRpc2N1c3NlZCBpdCBlbm91Z2guCgotYmlsbApPbiBGcmlkYXksIEFwcmlsIDQsIDIwMTQgMTE6MzkgUE0sIFRvcnN0ZW4gTG9kZGVyc3RlZHQgPHRvcnN0ZW5AbG9kZGVyc3RlZHQubmV0PiB3cm90ZToKIApIaSBCaWxsLAoBMAEBAQE- X-Mailer: YahooMailWebService/0.8.182.648 References: <533E77C3.9000509@gmx.net> <1396629672.75505.YahooMailNeo@web142804.mail.bf1.yahoo.com> <495B4720-34D6-4588-9E63-A8F501D39177@lodderstedt.net> Message-ID: <1396761153.23438.YahooMailNeo@web142805.mail.bf1.yahoo.com> Date: Sat, 5 Apr 2014 22:12:33 -0700 (PDT) From: Bill Mills To: Torsten Lodderstedt In-Reply-To: <495B4720-34D6-4588-9E63-A8F501D39177@lodderstedt.net> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="1583497461-1325027450-1396761153=:23438" Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/1qpBBUmwLoUEPWUBuFWuH-9wz_w Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Bill Mills List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Apr 2014 05:12:43 -0000 --1583497461-1325027450-1396761153=:23438 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable To me the fundamental question of whether a client has to be registered in = each place it is used is quite significant. =A0We don't address the problem= and have not discussed it enough.=0A=0A-bill=0AOn Friday, April 4, 2014 11= :39 PM, Torsten Lodderstedt wrote:=0A =0AHi Bill,= =0A=0Awhich scalability problem are you referring to? As far as I remember = there were issues around the management API but not the core protocol.=0A= =0Aregards,=0ATorsten.=0A=0AAm 04.04.2014 um 18:41 schrieb Bill Mills :=0A=0A=0AGiven the fundamental scalability problem we d= iscussed in London do we really feel we're ready?=0A>On Friday, April 4, 20= 14 3:07 AM, Hannes Tschofenig wrote:=0A> =0A>Hi= all,=0A>=0A>This is a Last Call for comments on the dynamic client registr= ation=0A>documents:=0A>=0A>* OAuth 2.0 Dynamic Client Registration Core Pro= tocol=0A>http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16=0A>=0A>* OA= uth 2.0 Dynamic Client Registration Metadata=0A>http://tools.ietf.org/html/= draft-ietf-oauth-dyn-reg-metadata-00=0A>=0A>Since we have to do the last ca= ll for these two documents together we=0A>are setting the call for **3 week= s**.=0A>=0A>Please have your comments in no later than April 25th.=0A>=0A>C= iao=0A>Hannes & Derek=0A>=0A>______________________________________________= _=0A>OAuth mailing list=0A>OAuth@ietf.org=0A>https://www.ietf.org/mailman/l= istinfo/oauth=0A>=0A>=0A>=0A_______________________________________________= =0A>OAuth mailing list=0A>OAuth@ietf.org=0A>https://www.ietf.org/mailman/li= stinfo/oauth=0A> --1583497461-1325027450-1396761153=:23438 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
To me the fundamental question of whether a client= has to be registered in each place it is used is quite significant.  = We don't address the problem and have not discussed it enough.
=

-bill
On Friday, April 4, 2014 11:= 39 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
Hi Bill,

which scalability probl= em are you referring to? As far as I remember there were issues around the = management API but not the core protocol.

regards,
Torsten.

Am 04.04.20= 14 um 18:41 schrieb Bill Mills <wmills_92105@yahoo.com>:

Given the = fundamental scalability problem we discussed in London do we really feel we= 're ready?
On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig <= hannes.tsc= hofenig@gmx.net> wrote:
Hi all,

This is a Last Call for comments on the dynamic client registrati= on
documents:

* OAut= h 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oaut= h-dyn-reg-16

* OAuth 2.0 Dynamic C= lient Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-m= etadata-00

Since we have to do the= last call for these two documents together we
are settin= g the call for **3 weeks**.

Please hav= e your comments in no later than April 25th.

Ciao
Hannes &= amp; Derek

___________________________= ____________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/= oauth


<= /div>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
htt= ps://www.ietf.org/mailman/listinfo/oauth


--1583497461-1325027450-1396761153=:23438-- From nobody Sat Apr 5 23:47:50 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A17881A02A4 for ; Sat, 5 Apr 2014 23:47:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xzCpn7bBpmAw for ; Sat, 5 Apr 2014 23:47:43 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com [207.46.163.207]) by ietfa.amsl.com (Postfix) with ESMTP id A6F751A02BC for ; Sat, 5 Apr 2014 23:47:42 -0700 (PDT) Received: from BY2PR03CA050.namprd03.prod.outlook.com (10.141.249.23) by BY2PR03MB027.namprd03.prod.outlook.com (10.255.240.41) with Microsoft SMTP Server (TLS) id 15.0.913.9; Sun, 6 Apr 2014 06:47:35 +0000 Received: from BY2FFO11FD032.protection.gbl (2a01:111:f400:7c0c::101) by BY2PR03CA050.outlook.office365.com (2a01:111:e400:2c5d::23) with Microsoft SMTP Server (TLS) id 15.0.913.9 via Frontend Transport; Sun, 6 Apr 2014 06:47:35 +0000 Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD032.mail.protection.outlook.com (10.1.14.210) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sun, 6 Apr 2014 06:47:35 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.03.0181.007; Sun, 6 Apr 2014 06:47:03 +0000 From: Mike Jones To: Bill Mills , Torsten Lodderstedt Thread-Topic: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents Thread-Index: Ac9RY/LDqaPPFycZSmKqmisDiThmcg== Date: Sun, 6 Apr 2014 06:47:03 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A143EA5@TK5EX14MBXC286.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.35] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A143EA5TK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; ?= =?us-ascii?Q?SFS:(10009001)(438001)(377454003)(53754006)(189002)(24454002?= =?us-ascii?Q?)(199002)(47736001)(19580405001)(81542001)(84326002)(5098600?= =?us-ascii?Q?1)(94946001)(47976001)(97186001)(33656001)(80976001)(2009001?= =?us-ascii?Q?)(97336001)(76796001)(74876001)(92726001)(47446002)(74706001?= =?us-ascii?Q?)(92566001)(95666003)(49866001)(77096001)(20776003)(19580395?= =?us-ascii?Q?003)(76176001)(99396002)(53806001)(74502001)(93136001)(43960?= =?us-ascii?Q?01)(63696002)(512954002)(83072002)(93516002)(95416001)(85306?= =?us-ascii?Q?002)(15202345003)(90146001)(74662001)(87266001)(98676001)(76?= =?us-ascii?Q?786001)(94316002)(81342001)(54356001)(85852003)(56776001)(26?= =?us-ascii?Q?56002)(65816001)(83322001)(54316002)(16236675002)(76482001)(?= =?us-ascii?Q?15975445006)(84676001)(87936001)(56816005)(66066001)(1930040?= =?us-ascii?Q?5004)(74366001)(55846006)(79102001)(86362001)(77982001)(5976?= =?us-ascii?Q?6001)(97736001)(81686001)(44976005)(81816001)(80022001)(6922?= =?us-ascii?Q?6001)(6806004)(46102001)(71186001)(31966008);DIR:OUT;SFP:110?= =?us-ascii?Q?1;SCL:1;SRVR:BY2PR03MB027;H:mail.microsoft.com;FPR:3CA4F9B7.?= =?us-ascii?Q?8FF6D3E9.37FCFDB7.50E250C8.2032F;MLV:sfv;PTR:InfoDomainNonex?= =?us-ascii?Q?istent;MX:1;A:1;LANG:en;?= X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0173C6D4D5 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Oz6ZLD7UMXizzEnkcv3Q8GW60mA Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Apr 2014 06:47:47 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A143EA5TK5EX14MBXC286r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable The core spec actually already does speak to this question, Bill. http://t= ools.ietf.org/html/draft-ietf-oauth-dyn-reg-16#section-3 says: In some cases, authorization servers MAY choose to accept a software statement value directly as a Client ID in an authorization request, without a prior dynamic client registration having been performed. The circumstances under which an authorization server would do so, and the specific software statement characteristics required in this case, are beyond the scope of this specification. This spec is about dynamic registration, and how to accomplish it. In the = case where registration isn't used, other specs or conventions would be nee= ded, which are out of scope for the dynamic registration work (by definitio= n!). Cheers, -- Mike From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills Sent: Saturday, April 05, 2014 10:13 PM To: Torsten Lodderstedt Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registrat= ion Documents To me the fundamental question of whether a client has to be registered in = each place it is used is quite significant. We don't address the problem a= nd have not discussed it enough. -bill On Friday, April 4, 2014 11:39 PM, Torsten Lodderstedt > wrote: Hi Bill, which scalability problem are you referring to? As far as I remember there = were issues around the management API but not the core protocol. regards, Torsten. Am 04.04.2014 um 18:41 schrieb Bill Mills >: Given the fundamental scalability problem we discussed in London do we real= ly feel we're ready? On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig > wrote: Hi all, This is a Last Call for comments on the dynamic client registration documents: * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 * OAuth 2.0 Dynamic Client Registration Metadata http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 Since we have to do the last call for these two documents together we are setting the call for **3 weeks**. Please have your comments in no later than April 25th. Ciao Hannes & Derek _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_4E1F6AAD24975D4BA5B16804296739439A143EA5TK5EX14MBXC286r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

The core spec actually al= ready does speak to this question, Bill.  http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16#section-3 says= :

 

   In some cases, = authorization servers MAY choose to accept a software

   statement value= directly as a Client ID in an authorization request,

   without a prior= dynamic client registration having been performed.

   The circumstanc= es under which an authorization server would do so,

   and the specifi= c software statement characteristics required in this

   case, are beyon= d the scope of this specification.

 

This spec is about dynami= c registration, and how to accomplish it.  In the case where registrat= ion isn’t used, other specs or conventions would be needed, which are out of scope for the dynamic registration work (by definition!).<= /o:p>

 <= /p>

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     Cheers,

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 <= /p>

From: OAuth [m= ailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
Sent: Saturday, April 05, 2014 10:13 PM
To: Torsten Lodderstedt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Re= gistration Documents

 

To me the fundamental question of whether a cl= ient has to be registered in each place it is used is quite significant. &n= bsp;We don't address the problem and have not discussed it enough.

 

-bill

On= Friday, April 4, 2014 11:39 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

Hi Bill,

 

which scalability problem are you referring to= ? As far as I remember there were issues around the management API but not = the core protocol.

 

regards,

Torsten.


Am 04.04.2014 um 18:41 schrieb Bill Mills <wmills_92105@yahoo.com>:

Given the fundamental scalability problem we d= iscussed in London do we really feel we're ready?

On= Friday, April 4, 2014 3:07 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

Hi all,

This is a Last Call for comments on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-meta= data-00

Since we have to do the last call for these two documents together we
are setting the call for **3 weeks**.

Please have your comments in no later than April 25th.

Ciao
Hannes & Derek

_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

______________________________________________= _
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

 <= /p>

--_000_4E1F6AAD24975D4BA5B16804296739439A143EA5TK5EX14MBXC286r_-- From nobody Sat Apr 5 23:49:01 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40AED1A02B2 for ; Sat, 5 Apr 2014 23:49:00 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CXIGpLr2R4f1 for ; Sat, 5 Apr 2014 23:48:55 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0185.outbound.protection.outlook.com [207.46.163.185]) by ietfa.amsl.com (Postfix) with ESMTP id AC6EB1A02A4 for ; Sat, 5 Apr 2014 23:48:54 -0700 (PDT) Received: from BY2PR03CA069.namprd03.prod.outlook.com (10.141.249.42) by BY2PR03MB025.namprd03.prod.outlook.com (10.255.240.39) with Microsoft SMTP Server (TLS) id 15.0.913.9; Sun, 6 Apr 2014 06:48:47 +0000 Received: from BY2FFO11FD055.protection.gbl (2a01:111:f400:7c0c::111) by BY2PR03CA069.outlook.office365.com (2a01:111:e400:2c5d::42) with Microsoft SMTP Server (TLS) id 15.0.898.11 via Frontend Transport; Sun, 6 Apr 2014 06:48:48 +0000 Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD055.mail.protection.outlook.com (10.1.15.192) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sun, 6 Apr 2014 06:48:46 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.03.0174.002; Sun, 6 Apr 2014 06:48:11 +0000 From: Mike Jones To: Anthony Nadalin , Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents Thread-Index: Ac9RZBsU+MMllXxtRHK3tqJs5i6mGg== Date: Sun, 6 Apr 2014 06:48:10 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A143EDE@TK5EX14MBXC286.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.35] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; ?= =?us-ascii?Q?SFS:(10009001)(6009001)(438001)(199002)(189002)(53754006)(37?= =?us-ascii?Q?7454003)(13464003)(92726001)(79102001)(20776003)(98676001)(8?= =?us-ascii?Q?6362001)(97186001)(94316002)(84676001)(49866001)(50986001)(8?= =?us-ascii?Q?7266001)(54356001)(97736001)(77982001)(85306002)(81542001)(9?= =?us-ascii?Q?3136001)(90146001)(33656001)(6806004)(23726002)(95666003)(99?= =?us-ascii?Q?396002)(54316002)(63696002)(87936001)(76796001)(46406003)(76?= =?us-ascii?Q?176001)(47776003)(1511001)(2009001)(97336001)(77096001)(4497?= =?us-ascii?Q?6005)(94946001)(15202345003)(55846006)(50466002)(47736001)(1?= =?us-ascii?Q?5975445006)(47976001)(83322001)(80976001)(81686001)(19580405?= =?us-ascii?Q?001)(19580395003)(31966008)(65816001)(74662001)(74502001)(74?= =?us-ascii?Q?366001)(74706001)(81816001)(92566001)(66066001)(76482001)(74?= =?us-ascii?Q?876001)(2656002)(95416001)(46102001)(85852003)(69226001)(538?= =?us-ascii?Q?06001)(97756001)(81342001)(56816005)(4396001)(56776001)(7678?= =?us-ascii?Q?6001)(47446002)(80022001)(83072002)(59766001)(93516002);DIR:?= =?us-ascii?Q?OUT;SFP:1101;SCL:1;SRVR:BY2PR03MB025;H:mail.microsoft.com;FP?= =?us-ascii?Q?R:3EA0F97F.1CF65F8A.31D13781.48E6A0E0.202CB;MLV:sfv;PTR:Info?= =?us-ascii?Q?DomainNonexistent;A:1;MX:1;LANG:en;?= X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0173C6D4D5 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/MVvXyqjMX7w95GKl7o3irGGFgp8 Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Apr 2014 06:49:00 -0000 If the working group decides to merge these specs, I'd be happy to do the e= ditorial work to do so. Best wishes, -- Mike -----Original Message----- From: Anthony Nadalin=20 Sent: Saturday, April 05, 2014 4:06 PM To: Mike Jones; Hannes Tschofenig; oauth@ietf.org Subject: RE: [OAUTH-WG] Working Group Last Call on Dynamic Client Registrat= ion Documents If these are going to be combined then a draft should be produced and then = a decision should be made once everyone has a chance to review -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones Sent: Friday, April 4, 2014 5:49 PM To: Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registrat= ion Documents I would combine these two documents, with no normative changes. This would= be a convenience for implementers. And the metadata values that are curre= ntly optional would remain optional. I would also add an optional "jwks" metadata member, paralleling this addit= ion in OpenID Connect Registration. This allows the JWK Set to be passed b= y value, rather than by reference. This was discussed in London and people= seemed to agree with this change. The reference to RFC 4627 should be changed to RFC 7159, which has obsolete= d 4627. Other than that, I believe they're ready to proceed on the next steps towar= ds becoming an RFC. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Friday, April 04, 2014 2:14 AM To: oauth@ietf.org Subject: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration = Documents Hi all, This is a Last Call for comments on the dynamic client registration documents: * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 * OAuth 2.0 Dynamic Client Registration Metadata http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 Since we have to do the last call for these two documents together we are s= etting the call for **3 weeks**. Please have your comments in no later than April 25th. Ciao Hannes & Derek _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From nobody Sun Apr 6 00:59:21 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 532401A0331 for ; Sun, 6 Apr 2014 00:59:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.55 X-Spam-Level: X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HodUGbmdBol4 for ; Sun, 6 Apr 2014 00:59:15 -0700 (PDT) Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.98]) by ietfa.amsl.com (Postfix) with ESMTP id 271421A030F for ; Sun, 6 Apr 2014 00:59:14 -0700 (PDT) Received: from [79.253.60.18] (helo=[192.168.71.82]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from ) id 1WWhyt-0002aB-M0; Sun, 06 Apr 2014 09:59:07 +0200 References: <533E77C3.9000509@gmx.net> <1396629672.75505.YahooMailNeo@web142804.mail.bf1.yahoo.com> <495B4720-34D6-4588-9E63-A8F501D39177@lodderstedt.net> <1396761153.23438.YahooMailNeo@web142805.mail.bf1.yahoo.com> Mime-Version: 1.0 (1.0) In-Reply-To: <1396761153.23438.YahooMailNeo@web142805.mail.bf1.yahoo.com> Content-Type: multipart/alternative; boundary=Apple-Mail-B42AA229-B38D-4FCD-9235-6D568132F91B Content-Transfer-Encoding: 7bit Message-Id: X-Mailer: iPad Mail (11D167) From: Torsten Lodderstedt Date: Sun, 6 Apr 2014 09:59:07 +0200 To: Bill Mills X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ= Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/x0OWGWsCh4qtIGureO86i100jao Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Apr 2014 07:59:19 -0000 --Apple-Mail-B42AA229-B38D-4FCD-9235-6D568132F91B Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable I think it is at the discretion of the actual deployment whether clients may= dynamically register or not (meaning they need to go through some oob mecha= nism). Protocols utilizing OAuth could make it part of their mandatory to im= plement features - in the same way OIDC does. Best regards, Torsten. > Am 06.04.2014 um 07:12 schrieb Bill Mills : >=20 > To me the fundamental question of whether a client has to be registered in= each place it is used is quite significant. We don't address the problem a= nd have not discussed it enough. >=20 > -bill > On Friday, April 4, 2014 11:39 PM, Torsten Lodderstedt wrote: > Hi Bill, >=20 > which scalability problem are you referring to? As far as I remember there= were issues around the management API but not the core protocol. >=20 > regards, > Torsten. >=20 >> Am 04.04.2014 um 18:41 schrieb Bill Mills : >>=20 >=20 >> Given the fundamental scalability problem we discussed in London do we re= ally feel we're ready? >> On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig wrote: >> Hi all, >>=20 >> This is a Last Call for comments on the dynamic client registration >> documents: >>=20 >> * OAuth 2.0 Dynamic Client Registration Core Protocol >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 >>=20 >> * OAuth 2.0 Dynamic Client Registration Metadata >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 >>=20 >> Since we have to do the last call for these two documents together we >> are setting the call for **3 weeks**. >>=20 >> Please have your comments in no later than April 25th. >>=20 >> Ciao >> Hannes & Derek >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >>=20 >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 --Apple-Mail-B42AA229-B38D-4FCD-9235-6D568132F91B Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
I think it is at the discretion of the= actual deployment whether clients may dynamically register or not (meaning t= hey need to go through some oob mechanism). Protocols utilizing OAuth could m= ake it part of their mandatory to implement features - in the same way OIDC d= oes.

Best regards,
Torsten.
Am 06.04.2= 014 um 07:12 schrieb Bill Mills <wmills_92105@yahoo.com>:


-bill
On Friday, April 4, 2014 11:39 P= M, Torsten Lodderstedt <torste= n@lodderstedt.net> wrote:
Hi Bill,

which scalability problem are you referring to? As far as I= remember there were issues around the management API but not the core proto= col.

regards,
Torsten.

Am 04.04.2014 um 18:41 schrieb Bill Mills <wmills_92105@yahoo.com= >:

Given the fundamental scalabili= ty problem we discussed in London do we really feel we're ready?
On Frida= y, April 4, 2014 3:07 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:<= br clear=3D"none">
Hi all,

This is a Last Call for comm= ents on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core P= rotocol
http://to= ols.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/ht= ml/draft-ietf-oauth-dyn-reg-metadata-00

Since we have to do the last call for these two documents together weare setting the call for **3 weeks**.
Please have your comments in no later than April 25th.

Ciao
Hannes &a= mp; Derek

_____________________________= __________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




= --Apple-Mail-B42AA229-B38D-4FCD-9235-6D568132F91B-- From nobody Sun Apr 6 08:27:02 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED7521A0190 for ; Sun, 6 Apr 2014 08:26:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.209 X-Spam-Level: X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k21yv3-4o0Bt for ; Sun, 6 Apr 2014 08:26:52 -0700 (PDT) Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 1187A1A045C for ; Sun, 6 Apr 2014 08:26:51 -0700 (PDT) Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s36FQjYZ019834 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 6 Apr 2014 15:26:46 GMT Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s36FQhox025500 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 6 Apr 2014 15:26:44 GMT Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id s36FQhcd008402; Sun, 6 Apr 2014 15:26:43 GMT Received: from [192.168.1.125] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 06 Apr 2014 08:26:43 -0700 References: <533E77C3.9000509@gmx.net> <1396629672.75505.YahooMailNeo@web142804.mail.bf1.yahoo.com> <495B4720-34D6-4588-9E63-A8F501D39177@lodderstedt.net> <1396761153.23438.YahooMailNeo@web142805.mail.bf1.yahoo.com> Mime-Version: 1.0 (1.0) In-Reply-To: Content-Type: multipart/alternative; boundary=Apple-Mail-1360E418-F306-46D4-BAC9-7E8CDCD9E5B9 Content-Transfer-Encoding: 7bit Message-Id: <307C95B1-CF4C-499A-835A-AA12012DA7B1@oracle.com> X-Mailer: iPhone Mail (11D167) From: Phil Hunt Date: Sun, 6 Apr 2014 08:26:42 -0700 To: Torsten Lodderstedt X-Source-IP: ucsinet21.oracle.com [156.151.31.93] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/frp886CGEMQMEp78kque3godk4Q Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Apr 2014 15:26:58 -0000 --Apple-Mail-1360E418-F306-46D4-BAC9-7E8CDCD9E5B9 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Hmm. I think this issue is self evident to the developer If they have obtained a client id through developer registration (current ty= pical oauth) they are good to go.=20 IOW If you have a client id issued out of band you are good to go.=20 Otherwise look for dyn reg or some other method. This likely happens where c= lients connect to apis and/or protocols deployed by many service providers e= g OIDC. An emerging example I heard at ietf london was interest in adapting o= auth to non web protocols like smtp, imap, pop and even jabber.=20 Phil > On Apr 6, 2014, at 0:59, Torsten Lodderstedt wro= te: >=20 > I think it is at the discretion of the actual deployment whether clients m= ay dynamically register or not (meaning they need to go through some oob mec= hanism). Protocols utilizing OAuth could make it part of their mandatory to i= mplement features - in the same way OIDC does. >=20 > Best regards, > Torsten. >> Am 06.04.2014 um 07:12 schrieb Bill Mills : >>=20 >> To me the fundamental question of whether a client has to be registered i= n each place it is used is quite significant. We don't address the problem a= nd have not discussed it enough. >>=20 >> -bill >> On Friday, April 4, 2014 11:39 PM, Torsten Lodderstedt wrote: >> Hi Bill, >>=20 >> which scalability problem are you referring to? As far as I remember ther= e were issues around the management API but not the core protocol. >>=20 >> regards, >> Torsten. >>=20 >>> Am 04.04.2014 um 18:41 schrieb Bill Mills : >>>=20 >>=20 >>> Given the fundamental scalability problem we discussed in London do we r= eally feel we're ready? >>> On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig wrote: >>> Hi all, >>>=20 >>> This is a Last Call for comments on the dynamic client registration >>> documents: >>>=20 >>> * OAuth 2.0 Dynamic Client Registration Core Protocol >>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 >>>=20 >>> * OAuth 2.0 Dynamic Client Registration Metadata >>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 >>>=20 >>> Since we have to do the last call for these two documents together we >>> are setting the call for **3 weeks**. >>>=20 >>> Please have your comments in no later than April 25th. >>>=20 >>> Ciao >>> Hannes & Derek >>>=20 >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>>=20 >>>=20 >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail-1360E418-F306-46D4-BAC9-7E8CDCD9E5B9 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
Hmm. I think this issue is self eviden= t to the developer

If they have obtained a client i= d through developer registration (current typical oauth) they are good to go= . 

IOW If you have a client id issued out of b= and you are good to go. 

Otherwise look for dy= n reg or some other method. This likely happens where clients connect to api= s and/or protocols deployed by many service providers  eg OIDC. An emer= ging example I heard at ietf london was interest in adapting oauth to non we= b protocols like smtp, imap, pop and even jabber. 

Phil

On Apr 6, 2014, at 0:59, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

<= /div>
I think it is at the discretion of the= actual deployment whether clients may dynamically register or not (meaning t= hey need to go through some oob mechanism). Protocols utilizing OAuth could m= ake it part of their mandatory to implement features - in the same way OIDC d= oes.

Best regards,
Torsten.
Am 06.04.2= 014 um 07:12 schrieb Bill Mills <wmills_92105@yahoo.com>:


-bill
On Friday, April 4, 2014 11:39 P= M, Torsten Lodderstedt <torste= n@lodderstedt.net> wrote:
Hi Bill,

which scalability problem are you referring to? As far as I= remember there were issues around the management API but not the core proto= col.

regards,
Torsten.

Am 04.04.2014 um 18:41 schrieb Bill Mills <wmills_92105@yahoo.com= >:

Given the fundamental scalabili= ty problem we discussed in London do we really feel we're ready?
On Frida= y, April 4, 2014 3:07 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:<= br clear=3D"none">
Hi all,

This is a Last Call for comm= ents on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core P= rotocol
http://to= ols.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/ht= ml/draft-ietf-oauth-dyn-reg-metadata-00

Since we have to do the last call for these two documents together weare setting the call for **3 weeks**.
Please have your comments in no later than April 25th.

Ciao
Hannes &a= mp; Derek

_____________________________= __________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
= --Apple-Mail-1360E418-F306-46D4-BAC9-7E8CDCD9E5B9-- From nobody Sun Apr 6 10:45:44 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB1F51A04AF for ; Sun, 6 Apr 2014 10:45:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tegvR0lGkK65 for ; Sun, 6 Apr 2014 10:45:38 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0145.outbound.protection.outlook.com [207.46.163.145]) by ietfa.amsl.com (Postfix) with ESMTP id 00BC41A03EA for ; Sun, 6 Apr 2014 10:45:37 -0700 (PDT) Received: from CH1PR03CA007.namprd03.prod.outlook.com (10.255.156.152) by BLUPR03MB439.namprd03.prod.outlook.com (10.141.78.151) with Microsoft SMTP Server (TLS) id 15.0.908.10; Sun, 6 Apr 2014 17:45:31 +0000 Received: from BN1AFFO11FD013.protection.gbl (10.255.156.132) by CH1PR03CA007.outlook.office365.com (10.255.156.152) with Microsoft SMTP Server (TLS) id 15.0.913.9 via Frontend Transport; Sun, 6 Apr 2014 17:45:31 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD013.mail.protection.outlook.com (10.58.52.73) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sun, 6 Apr 2014 17:45:29 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.03.0181.007; Sun, 6 Apr 2014 17:44:58 +0000 From: Mike Jones To: Torsten Lodderstedt , Bill Mills Thread-Topic: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents Thread-Index: AQHPT+nITTIZxjtAw0axukyWMLHP/JsBqYwAgADqJoCAAXocgIAALomAgACjKcA= Date: Sun, 6 Apr 2014 17:44:57 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A148D31@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <533E77C3.9000509@gmx.net> <1396629672.75505.YahooMailNeo@web142804.mail.bf1.yahoo.com> <495B4720-34D6-4588-9E63-A8F501D39177@lodderstedt.net> <1396761153.23438.YahooMailNeo@web142805.mail.bf1.yahoo.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.35] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A148D31TK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; ?= =?us-ascii?Q?SFS:(10009001)(438001)(189002)(199002)(377454003)(53754006)(?= =?us-ascii?Q?24454002)(87266001)(49866001)(2656002)(86362001)(87936001)(9?= =?us-ascii?Q?4316002)(85306002)(93516002)(90146001)(47736001)(97186001)(9?= =?us-ascii?Q?2726001)(54356001)(47976001)(74662001)(31966008)(69226001)(1?= =?us-ascii?Q?9300405004)(85852003)(92566001)(79102001)(74502001)(55846006?= =?us-ascii?Q?)(6806004)(224303002)(80976001)(224313003)(53806001)(5098600?= =?us-ascii?Q?1)(97336001)(59766001)(16236675002)(84326002)(95666003)(2077?= =?us-ascii?Q?6003)(94946001)(2009001)(74706001)(56816005)(33656001)(95416?= =?us-ascii?Q?001)(93136001)(47446002)(83072002)(81342001)(81542001)(15975?= =?us-ascii?Q?445006)(76786001)(19580395003)(54316002)(98676001)(77096001)?= =?us-ascii?Q?(83322001)(81686001)(76796001)(81816001)(74366001)(76482001)?= =?us-ascii?Q?(74876001)(99396002)(84676001)(63696002)(4396001)(66066001)(?= =?us-ascii?Q?46102001)(19580405001)(77982001)(512874002)(65816001)(152023?= =?us-ascii?Q?45003)(97736001)(71186001)(80022001)(56776001)(44976005);DIR?= =?us-ascii?Q?:OUT;SFP:1101;SCL:1;SRVR:BLUPR03MB439;H:mail.microsoft.com;F?= =?us-ascii?Q?PR:3CA6F1F7.CF2D3ED.33F93FF7.48C352C8.2033D;MLV:sfv;PTR:Info?= =?us-ascii?Q?DomainNonexistent;MX:1;A:1;LANG:en;?= X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0173C6D4D5 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/xpO1ZuROtahsgMAh4zKPbmZ-M6s Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Apr 2014 17:45:42 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A148D31TK5EX14MBXC286r_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 QXMgYSBwb2ludCBvZiBjbGFyaXR5LCBPcGVuSUQgQ29ubmVjdCBkb2VzIG5vdCBtYW5kYXRlIHN1 cHBvcnQgZm9yIGR5bmFtaWMgcmVnaXN0cmF0aW9uIGluIGFsbCBjYXNlcy4gIEluIHN0YXRpYyBw cm9maWxlcyB3aXRoIGEgcHJlLWVzdGFibGlzaGVkIHNldCBvZiBpZGVudGl0eSBwcm92aWRlcnMs IGl0IGlzbuKAmXQgcmVxdWlyZWQuICBJdCAqaXMqIHJlcXVpcmVkIGluIHRoZSBkeW5hbWljIHBy b2ZpbGUsIGluIHdoaWNoIGNsaWVudHMgY2FuIHVzZSBpZGVudGl0eSBwcm92aWRlcnMgdGhhdCB0 aGV5IGhhdmUgbm8gcHJlLWV4aXN0aW5nIHJlbGF0aW9uc2hpcCB3aXRoLg0KDQogICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtLSBNaWtl DQoNCkZyb206IE9BdXRoIFttYWlsdG86b2F1dGgtYm91bmNlc0BpZXRmLm9yZ10gT24gQmVoYWxm IE9mIFRvcnN0ZW4gTG9kZGVyc3RlZHQNClNlbnQ6IFN1bmRheSwgQXByaWwgMDYsIDIwMTQgMTI6 NTkgQU0NClRvOiBCaWxsIE1pbGxzDQpDYzogb2F1dGhAaWV0Zi5vcmcNClN1YmplY3Q6IFJlOiBb T0FVVEgtV0ddIFdvcmtpbmcgR3JvdXAgTGFzdCBDYWxsIG9uIER5bmFtaWMgQ2xpZW50IFJlZ2lz dHJhdGlvbiBEb2N1bWVudHMNCg0KSSB0aGluayBpdCBpcyBhdCB0aGUgZGlzY3JldGlvbiBvZiB0 aGUgYWN0dWFsIGRlcGxveW1lbnQgd2hldGhlciBjbGllbnRzIG1heSBkeW5hbWljYWxseSByZWdp c3RlciBvciBub3QgKG1lYW5pbmcgdGhleSBuZWVkIHRvIGdvIHRocm91Z2ggc29tZSBvb2IgbWVj aGFuaXNtKS4gUHJvdG9jb2xzIHV0aWxpemluZyBPQXV0aCBjb3VsZCBtYWtlIGl0IHBhcnQgb2Yg dGhlaXIgbWFuZGF0b3J5IHRvIGltcGxlbWVudCBmZWF0dXJlcyAtIGluIHRoZSBzYW1lIHdheSBP SURDIGRvZXMuDQoNCkJlc3QgcmVnYXJkcywNClRvcnN0ZW4uDQpBbSAwNi4wNC4yMDE0IHVtIDA3 OjEyIHNjaHJpZWIgQmlsbCBNaWxscyA8d21pbGxzXzkyMTA1QHlhaG9vLmNvbTxtYWlsdG86d21p bGxzXzkyMTA1QHlhaG9vLmNvbT4+Og0KVG8gbWUgdGhlIGZ1bmRhbWVudGFsIHF1ZXN0aW9uIG9m IHdoZXRoZXIgYSBjbGllbnQgaGFzIHRvIGJlIHJlZ2lzdGVyZWQgaW4gZWFjaCBwbGFjZSBpdCBp cyB1c2VkIGlzIHF1aXRlIHNpZ25pZmljYW50LiAgV2UgZG9uJ3QgYWRkcmVzcyB0aGUgcHJvYmxl bSBhbmQgaGF2ZSBub3QgZGlzY3Vzc2VkIGl0IGVub3VnaC4NCg0KLWJpbGwNCk9uIEZyaWRheSwg QXByaWwgNCwgMjAxNCAxMTozOSBQTSwgVG9yc3RlbiBMb2RkZXJzdGVkdCA8dG9yc3RlbkBsb2Rk ZXJzdGVkdC5uZXQ8bWFpbHRvOnRvcnN0ZW5AbG9kZGVyc3RlZHQubmV0Pj4gd3JvdGU6DQpIaSBC aWxsLA0KDQp3aGljaCBzY2FsYWJpbGl0eSBwcm9ibGVtIGFyZSB5b3UgcmVmZXJyaW5nIHRvPyBB cyBmYXIgYXMgSSByZW1lbWJlciB0aGVyZSB3ZXJlIGlzc3VlcyBhcm91bmQgdGhlIG1hbmFnZW1l bnQgQVBJIGJ1dCBub3QgdGhlIGNvcmUgcHJvdG9jb2wuDQoNCnJlZ2FyZHMsDQpUb3JzdGVuLg0K DQpBbSAwNC4wNC4yMDE0IHVtIDE4OjQxIHNjaHJpZWIgQmlsbCBNaWxscyA8d21pbGxzXzkyMTA1 QHlhaG9vLmNvbTxtYWlsdG86d21pbGxzXzkyMTA1QHlhaG9vLmNvbT4+Og0KR2l2ZW4gdGhlIGZ1 bmRhbWVudGFsIHNjYWxhYmlsaXR5IHByb2JsZW0gd2UgZGlzY3Vzc2VkIGluIExvbmRvbiBkbyB3 ZSByZWFsbHkgZmVlbCB3ZSdyZSByZWFkeT8NCk9uIEZyaWRheSwgQXByaWwgNCwgMjAxNCAzOjA3 IEFNLCBIYW5uZXMgVHNjaG9mZW5pZyA8aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldDxtYWlsdG86 aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldD4+IHdyb3RlOg0KSGkgYWxsLA0KDQpUaGlzIGlzIGEg TGFzdCBDYWxsIGZvciBjb21tZW50cyBvbiB0aGUgZHluYW1pYyBjbGllbnQgcmVnaXN0cmF0aW9u DQpkb2N1bWVudHM6DQoNCiogT0F1dGggMi4wIER5bmFtaWMgQ2xpZW50IFJlZ2lzdHJhdGlvbiBD b3JlIFByb3RvY29sDQpodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRo LWR5bi1yZWctMTYNCg0KKiBPQXV0aCAyLjAgRHluYW1pYyBDbGllbnQgUmVnaXN0cmF0aW9uIE1l dGFkYXRhDQpodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLWR5bi1y ZWctbWV0YWRhdGEtMDANCg0KU2luY2Ugd2UgaGF2ZSB0byBkbyB0aGUgbGFzdCBjYWxsIGZvciB0 aGVzZSB0d28gZG9jdW1lbnRzIHRvZ2V0aGVyIHdlDQphcmUgc2V0dGluZyB0aGUgY2FsbCBmb3Ig KiozIHdlZWtzKiouDQoNClBsZWFzZSBoYXZlIHlvdXIgY29tbWVudHMgaW4gbm8gbGF0ZXIgdGhh biBBcHJpbCAyNXRoLg0KDQpDaWFvDQpIYW5uZXMgJiBEZXJlaw0KDQpfX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KT0F1dGggbWFpbGluZyBsaXN0DQpPQXV0 aEBpZXRmLm9yZzxtYWlsdG86T0F1dGhAaWV0Zi5vcmc+DQpodHRwczovL3d3dy5pZXRmLm9yZy9t YWlsbWFuL2xpc3RpbmZvL29hdXRoDQoNCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fDQpPQXV0aCBtYWlsaW5nIGxpc3QNCk9BdXRoQGlldGYub3JnPG1haWx0 bzpPQXV0aEBpZXRmLm9yZz4NCmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8v b2F1dGgNCg0K --_000_4E1F6AAD24975D4BA5B16804296739439A148D31TK5EX14MBXC286r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6eD0idXJuOnNjaGVtYXMtbWljcm9z b2Z0LWNvbTpvZmZpY2U6ZXhjZWwiIHhtbG5zOm09Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5j b20vb2ZmaWNlLzIwMDQvMTIvb21tbCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnL1RSL1JFQy1o dG1sNDAiPg0KPGhlYWQ+DQo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9 InRleHQvaHRtbDsgY2hhcnNldD11dGYtOCI+DQo8bWV0YSBuYW1lPSJHZW5lcmF0b3IiIGNvbnRl bnQ9Ik1pY3Jvc29mdCBXb3JkIDE0IChmaWx0ZXJlZCBtZWRpdW0pIj4NCjxzdHlsZT48IS0tDQov KiBGb250IERlZmluaXRpb25zICovDQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7 DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAyIDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZh bWlseTpUYWhvbWE7DQoJcGFub3NlLTE6MiAxMSA2IDQgMyA1IDQgNCAyIDQ7fQ0KQGZvbnQtZmFj ZQ0KCXtmb250LWZhbWlseTpIZWx2ZXRpY2FOZXVlO30NCi8qIFN0eWxlIERlZmluaXRpb25zICov DQpwLk1zb05vcm1hbCwgbGkuTXNvTm9ybWFsLCBkaXYuTXNvTm9ybWFsDQoJe21hcmdpbjowaW47 DQoJbWFyZ2luLWJvdHRvbTouMDAwMXB0Ow0KCWZvbnQtc2l6ZToxMi4wcHQ7DQoJZm9udC1mYW1p bHk6IlRpbWVzIE5ldyBSb21hbiIsInNlcmlmIjt9DQphOmxpbmssIHNwYW4uTXNvSHlwZXJsaW5r DQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpibHVlOw0KCXRleHQtZGVjb3JhdGlv bjp1bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBzcGFuLk1zb0h5cGVybGlua0ZvbGxvd2VkDQoJe21z by1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpwdXJwbGU7DQoJdGV4dC1kZWNvcmF0aW9uOnVu ZGVybGluZTt9DQpzcGFuLkVtYWlsU3R5bGUxNw0KCXttc28tc3R5bGUtdHlwZTpwZXJzb25hbC1y ZXBseTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiOw0KCWNvbG9yOiMxRjQ5 N0Q7fQ0KLk1zb0NocERlZmF1bHQNCgl7bXNvLXN0eWxlLXR5cGU6ZXhwb3J0LW9ubHk7DQoJZm9u dC1zaXplOjEwLjBwdDt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo4LjVpbiAxMS4waW47 DQoJbWFyZ2luOjEuMGluIDEuMGluIDEuMGluIDEuMGluO30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7 cGFnZTpXb3JkU2VjdGlvbjE7fQ0KLS0+PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4N CjxvOnNoYXBlZGVmYXVsdHMgdjpleHQ9ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3htbD48 IVtlbmRpZl0tLT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6ZXh0 PSJlZGl0Ij4NCjxvOmlkbWFwIHY6ZXh0PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBlbGF5 b3V0PjwveG1sPjwhW2VuZGlmXS0tPg0KPC9oZWFkPg0KPGJvZHkgbGFuZz0iRU4tVVMiIGxpbms9 ImJsdWUiIHZsaW5rPSJwdXJwbGUiPg0KPGRpdiBjbGFzcz0iV29yZFNlY3Rpb24xIj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdE Ij5BcyBhIHBvaW50IG9mIGNsYXJpdHksIE9wZW5JRCBDb25uZWN0IGRvZXMgbm90IG1hbmRhdGUg c3VwcG9ydCBmb3IgZHluYW1pYyByZWdpc3RyYXRpb24gaW4gYWxsIGNhc2VzLiZuYnNwOyBJbiBz dGF0aWMgcHJvZmlsZXMgd2l0aCBhIHByZS1lc3RhYmxpc2hlZCBzZXQgb2YgaWRlbnRpdHkNCiBw cm92aWRlcnMsIGl0IGlzbuKAmXQgcmVxdWlyZWQuJm5ic3A7IEl0ICo8Yj5pczwvYj4qIHJlcXVp cmVkIGluIHRoZSBkeW5hbWljIHByb2ZpbGUsIGluIHdoaWNoIGNsaWVudHMgY2FuIHVzZSBpZGVu dGl0eSBwcm92aWRlcnMgdGhhdCB0aGV5IGhhdmUgbm8gcHJlLWV4aXN0aW5nIHJlbGF0aW9uc2hp cCB3aXRoLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDss JnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwv c3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEx LjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVv dDs7Y29sb3I6IzFGNDk3RCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IC0tIE1pa2U8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29s b3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPGRpdj4NCjxkaXYgc3R5 bGU9ImJvcmRlcjpub25lO2JvcmRlci10b3A6c29saWQgI0I1QzRERiAxLjBwdDtwYWRkaW5nOjMu MHB0IDBpbiAwaW4gMGluIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxiPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5z LXNlcmlmJnF1b3Q7Ij5Gcm9tOjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4w cHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsi PiBPQXV0aCBbbWFpbHRvOm9hdXRoLWJvdW5jZXNAaWV0Zi5vcmddDQo8Yj5PbiBCZWhhbGYgT2Yg PC9iPlRvcnN0ZW4gTG9kZGVyc3RlZHQ8YnI+DQo8Yj5TZW50OjwvYj4gU3VuZGF5LCBBcHJpbCAw NiwgMjAxNCAxMjo1OSBBTTxicj4NCjxiPlRvOjwvYj4gQmlsbCBNaWxsczxicj4NCjxiPkNjOjwv Yj4gb2F1dGhAaWV0Zi5vcmc8YnI+DQo8Yj5TdWJqZWN0OjwvYj4gUmU6IFtPQVVUSC1XR10gV29y a2luZyBHcm91cCBMYXN0IENhbGwgb24gRHluYW1pYyBDbGllbnQgUmVnaXN0cmF0aW9uIERvY3Vt ZW50czxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij5JIHRoaW5rIGl0IGlzIGF0IHRoZSBkaXNjcmV0aW9uIG9mIHRoZSBhY3R1YWwgZGVwbG95bWVu dCB3aGV0aGVyIGNsaWVudHMgbWF5IGR5bmFtaWNhbGx5IHJlZ2lzdGVyIG9yIG5vdCAobWVhbmlu ZyB0aGV5IG5lZWQgdG8gZ28gdGhyb3VnaCBzb21lIG9vYiBtZWNoYW5pc20pLiBQcm90b2NvbHMg dXRpbGl6aW5nIE9BdXRoIGNvdWxkIG1ha2UgaXQgcGFydCBvZiB0aGVpciBtYW5kYXRvcnkgdG8g aW1wbGVtZW50DQogZmVhdHVyZXMgLSBpbiB0aGUgc2FtZSB3YXkgT0lEQyBkb2VzLjxvOnA+PC9v OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5CZXN0IHJlZ2Fy ZHMsPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBz dHlsZT0ibWFyZ2luLWJvdHRvbToxMi4wcHQiPlRvcnN0ZW4uPGJyPg0KQW0gMDYuMDQuMjAxNCB1 bSAwNzoxMiBzY2hyaWViIEJpbGwgTWlsbHMgJmx0OzxhIGhyZWY9Im1haWx0bzp3bWlsbHNfOTIx MDVAeWFob28uY29tIj53bWlsbHNfOTIxMDVAeWFob28uY29tPC9hPiZndDs6PG86cD48L286cD48 L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJtYXJnaW4tdG9wOjUuMHB0O21hcmdpbi1i b3R0b206NS4wcHQiPg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIg c3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpIZWx2ZXRp Y2FOZXVlO2NvbG9yOmJsYWNrIj5UbyBtZSB0aGUgZnVuZGFtZW50YWwgcXVlc3Rpb24gb2Ygd2hl dGhlciBhIGNsaWVudCBoYXMgdG8gYmUgcmVnaXN0ZXJlZCBpbiBlYWNoIHBsYWNlIGl0IGlzIHVz ZWQgaXMgcXVpdGUgc2lnbmlmaWNhbnQuICZuYnNwO1dlIGRvbid0IGFkZHJlc3MgdGhlIHByb2Js ZW0gYW5kIGhhdmUgbm90DQogZGlzY3Vzc2VkIGl0IGVub3VnaC48bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9u dC1mYW1pbHk6SGVsdmV0aWNhTmV1ZTtjb2xvcjpibGFjayI+PG86cD4mbmJzcDs8L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtZmFtaWx5OkhlbHZldGljYU5ldWU7Y29sb3I6YmxhY2siPi1iaWxsPG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCIgc3R5bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYm cXVvdDs7Y29sb3I6YmxhY2siPk9uIEZyaWRheSwgQXByaWwgNCwgMjAxNCAxMTozOSBQTSwgVG9y c3RlbiBMb2RkZXJzdGVkdCAmbHQ7PGEgaHJlZj0ibWFpbHRvOnRvcnN0ZW5AbG9kZGVyc3RlZHQu bmV0Ij50b3JzdGVuQGxvZGRlcnN0ZWR0Lm5ldDwvYT4mZ3Q7IHdyb3RlOjwvc3Bhbj48c3BhbiBz dHlsZT0iZm9udC1mYW1pbHk6SGVsdmV0aWNhTmV1ZTtjb2xvcjpibGFjayI+PG86cD48L286cD48 L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdiBpZD0ieWl2OTgyNzc5ODY3MyI+DQo8ZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48 c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6SGVsdmV0aWNhTmV1ZTtjb2xvcjpibGFjayI+SGkgQmls bCw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5Okhl bHZldGljYU5ldWU7Y29sb3I6YmxhY2siPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjwv ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRl Ij48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6SGVsdmV0aWNhTmV1ZTtjb2xvcjpibGFjayI+d2hp Y2ggc2NhbGFiaWxpdHkgcHJvYmxlbSBhcmUgeW91IHJlZmVycmluZyB0bz8gQXMgZmFyIGFzIEkg cmVtZW1iZXIgdGhlcmUgd2VyZSBpc3N1ZXMgYXJvdW5kIHRoZSBtYW5hZ2VtZW50IEFQSSBidXQg bm90IHRoZSBjb3JlIHByb3RvY29sLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBz dHlsZT0iZm9udC1mYW1pbHk6SGVsdmV0aWNhTmV1ZTtjb2xvcjpibGFjayI+PG86cD4mbmJzcDs8 L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5 bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpIZWx2ZXRpY2FO ZXVlO2NvbG9yOmJsYWNrIj5yZWdhcmRzLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3Bh biBzdHlsZT0iZm9udC1mYW1pbHk6SGVsdmV0aWNhTmV1ZTtjb2xvcjpibGFjayI+VG9yc3Rlbi48 bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs IiBzdHlsZT0ibWFyZ2luLWJvdHRvbToxMi4wcHQ7YmFja2dyb3VuZDp3aGl0ZSI+PHNwYW4gc3R5 bGU9ImZvbnQtZmFtaWx5OkhlbHZldGljYU5ldWU7Y29sb3I6YmxhY2siPjxicj4NCkFtIDA0LjA0 LjIwMTQgdW0gMTg6NDEgc2NocmllYiBCaWxsIE1pbGxzICZsdDs8YSBocmVmPSJtYWlsdG86d21p bGxzXzkyMTA1QHlhaG9vLmNvbSIgdGFyZ2V0PSJfYmxhbmsiPndtaWxsc185MjEwNUB5YWhvby5j b208L2E+Jmd0Ozo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXYgaWQ9Inlpdjk4 Mjc3OTg2NzN5cXQ2NDA1NCI+DQo8YmxvY2txdW90ZSBzdHlsZT0ibWFyZ2luLXRvcDo1LjBwdDtt YXJnaW4tYm90dG9tOjUuMHB0Ij4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiIHN0eWxlPSJiYWNrZ3JvdW5kOndoaXRlIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6 SGVsdmV0aWNhTmV1ZTtjb2xvcjpibGFjayI+R2l2ZW4gdGhlIGZ1bmRhbWVudGFsIHNjYWxhYmls aXR5IHByb2JsZW0gd2UgZGlzY3Vzc2VkIGluIExvbmRvbiBkbyB3ZSByZWFsbHkgZmVlbCB3ZSdy ZSByZWFkeT88bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0iYmFja2dyb3VuZDp3aGl0ZSI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVv dDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjpibGFjayI+T24gRnJpZGF5LCBBcHJpbCA0 LCAyMDE0IDM6MDcgQU0sIEhhbm5lcyBUc2Nob2ZlbmlnICZsdDs8YSBocmVmPSJtYWlsdG86aGFu bmVzLnRzY2hvZmVuaWdAZ214Lm5ldCIgdGFyZ2V0PSJfYmxhbmsiPmhhbm5lcy50c2Nob2Zlbmln QGdteC5uZXQ8L2E+Jmd0Ow0KIHdyb3RlOjwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6 SGVsdmV0aWNhTmV1ZTtjb2xvcjpibGFjayI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0 O2JhY2tncm91bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpIZWx2ZXRpY2FOZXVl O2NvbG9yOmJsYWNrIj5IaSBhbGwsPGJyPg0KPGJyPg0KVGhpcyBpcyBhIExhc3QgQ2FsbCBmb3Ig Y29tbWVudHMgb24gdGhlIGR5bmFtaWMgY2xpZW50IHJlZ2lzdHJhdGlvbjxicj4NCmRvY3VtZW50 czo8YnI+DQo8YnI+DQoqIE9BdXRoIDIuMCBEeW5hbWljIENsaWVudCBSZWdpc3RyYXRpb24gQ29y ZSBQcm90b2NvbDxicj4NCjxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0 LWlldGYtb2F1dGgtZHluLXJlZy0xNiIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly90b29scy5pZXRm Lm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtZHluLXJlZy0xNjwvYT48YnI+DQo8YnI+DQoqIE9B dXRoIDIuMCBEeW5hbWljIENsaWVudCBSZWdpc3RyYXRpb24gTWV0YWRhdGE8YnI+DQo8YSBocmVm PSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLWR5bi1yZWctbWV0 YWRhdGEtMDAiIHRhcmdldD0iX2JsYW5rIj5odHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFm dC1pZXRmLW9hdXRoLWR5bi1yZWctbWV0YWRhdGEtMDA8L2E+PGJyPg0KPGJyPg0KU2luY2Ugd2Ug aGF2ZSB0byBkbyB0aGUgbGFzdCBjYWxsIGZvciB0aGVzZSB0d28gZG9jdW1lbnRzIHRvZ2V0aGVy IHdlPGJyPg0KYXJlIHNldHRpbmcgdGhlIGNhbGwgZm9yICoqMyB3ZWVrcyoqLjxicj4NCjxicj4N ClBsZWFzZSBoYXZlIHlvdXIgY29tbWVudHMgaW4gbm8gbGF0ZXIgdGhhbiBBcHJpbCAyNXRoLjxi cj4NCjxicj4NCkNpYW88YnI+DQpIYW5uZXMgJmFtcDsgRGVyZWs8YnI+DQo8YnI+DQpfX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzxicj4NCk9BdXRoIG1haWxp bmcgbGlzdDxicj4NCjxhIGhyZWY9Im1haWx0bzpPQXV0aEBpZXRmLm9yZyIgdGFyZ2V0PSJfYmxh bmsiPk9BdXRoQGlldGYub3JnPC9hPjxicj4NCjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3Jn L21haWxtYW4vbGlzdGluZm8vb2F1dGgiIHRhcmdldD0iX2JsYW5rIj5odHRwczovL3d3dy5pZXRm Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoPC9hPjxicj4NCjxicj4NCjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4N CjwvYmxvY2txdW90ZT4NCjwvZGl2Pg0KPGJsb2NrcXVvdGUgc3R5bGU9Im1hcmdpbi10b3A6NS4w cHQ7bWFyZ2luLWJvdHRvbTo1LjBwdCI+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5 bGU9ImJhY2tncm91bmQ6d2hpdGUiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpIZWx2ZXRpY2FO ZXVlO2NvbG9yOmJsYWNrIj5fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fXzxicj4NCk9BdXRoIG1haWxpbmcgbGlzdDxicj4NCjxhIGhyZWY9Im1haWx0bzpPQXV0 aEBpZXRmLm9yZyIgdGFyZ2V0PSJfYmxhbmsiPk9BdXRoQGlldGYub3JnPC9hPjxicj4NCjxhIGhy ZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGgiIHRhcmdldD0i X2JsYW5rIj5odHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoPC9hPjxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8L2Rp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tYm90dG9tOjEyLjBwdDtiYWNr Z3JvdW5kOndoaXRlIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6SGVsdmV0aWNhTmV1ZTtjb2xv cjpibGFjayI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwv ZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8L2Jv ZHk+DQo8L2h0bWw+DQo= --_000_4E1F6AAD24975D4BA5B16804296739439A148D31TK5EX14MBXC286r_-- From nobody Sun Apr 6 10:48:59 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9B301A02B0 for ; Sun, 6 Apr 2014 10:48:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.21 X-Spam-Level: X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CfFMdO7DFF52 for ; Sun, 6 Apr 2014 10:48:53 -0700 (PDT) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id B10771A0265 for ; Sun, 6 Apr 2014 10:48:53 -0700 (PDT) Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s36HmlJP024621 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 6 Apr 2014 17:48:48 GMT Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s36HmkM6007188 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sun, 6 Apr 2014 17:48:47 GMT Received: from abhmp0010.oracle.com (abhmp0010.oracle.com [141.146.116.16]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s36Hmkxs007182; Sun, 6 Apr 2014 17:48:46 GMT Received: from [192.168.1.186] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 06 Apr 2014 10:48:46 -0700 Content-Type: multipart/alternative; boundary="Apple-Mail=_C8193CDD-34C8-4AC9-8BBA-F68659E7329A" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: Phil Hunt In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A148D31@TK5EX14MBXC286.redmond.corp.microsoft.com> Date: Sun, 6 Apr 2014 10:48:44 -0700 Message-Id: <8B95347D-DCB8-4C09-9138-6D02A0D11760@oracle.com> References: <533E77C3.9000509@gmx.net> <1396629672.75505.YahooMailNeo@web142804.mail.bf1.yahoo.com> <495B4720-34D6-4588-9E63-A8F501D39177@lodderstedt.net> <1396761153.23438.YahooMailNeo@web142805.mail.bf1.yahoo.com> <4E1F6AAD24975D4BA5B16804296739439A148D31@TK5EX14MBXC286.redmond.corp.microsoft.com> To: Mike Jones X-Mailer: Apple Mail (2.1874) X-Source-IP: ucsinet21.oracle.com [156.151.31.93] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/pba1sd6aD1UvSj4P7RB5BlhRJvE Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Apr 2014 17:48:58 -0000 --Apple-Mail=_C8193CDD-34C8-4AC9-8BBA-F68659E7329A Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 So in other words, OpenID Connect defines (or should define) how this = happens. There is no need for the Dyn Reg spec to clarify this right? Phil @independentid www.independentid.com phil.hunt@oracle.com On Apr 6, 2014, at 10:44 AM, Mike Jones = wrote: > As a point of clarity, OpenID Connect does not mandate support for = dynamic registration in all cases. In static profiles with a = pre-established set of identity providers, it isn=92t required. It *is* = required in the dynamic profile, in which clients can use identity = providers that they have no pre-existing relationship with. > =20 > -- Mike > =20 > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten = Lodderstedt > Sent: Sunday, April 06, 2014 12:59 AM > To: Bill Mills > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client = Registration Documents > =20 > I think it is at the discretion of the actual deployment whether = clients may dynamically register or not (meaning they need to go through = some oob mechanism). Protocols utilizing OAuth could make it part of = their mandatory to implement features - in the same way OIDC does. > =20 > Best regards, > Torsten. > Am 06.04.2014 um 07:12 schrieb Bill Mills : >=20 > To me the fundamental question of whether a client has to be = registered in each place it is used is quite significant. We don't = address the problem and have not discussed it enough. > =20 > -bill > On Friday, April 4, 2014 11:39 PM, Torsten Lodderstedt = wrote: > Hi Bill, > =20 > which scalability problem are you referring to? As far as I remember = there were issues around the management API but not the core protocol. > =20 > regards, > Torsten. >=20 > Am 04.04.2014 um 18:41 schrieb Bill Mills : >=20 > Given the fundamental scalability problem we discussed in London do we = really feel we're ready? > On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig = wrote: > Hi all, >=20 > This is a Last Call for comments on the dynamic client registration > documents: >=20 > * OAuth 2.0 Dynamic Client Registration Core Protocol > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 >=20 > * OAuth 2.0 Dynamic Client Registration Metadata > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 >=20 > Since we have to do the last call for these two documents together we > are setting the call for **3 weeks**. >=20 > Please have your comments in no later than April 25th. >=20 > Ciao > Hannes & Derek >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > =20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_C8193CDD-34C8-4AC9-8BBA-F68659E7329A Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 So in = other words, OpenID Connect defines (or should define) how this = happens.

There is no need for the Dyn Reg spec to = clarify this right?


On Apr 6, 2014, at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

As a point of clarity, OpenID Connect does not = mandate support for dynamic registration in all cases.  In static = profiles with a pre-established set of identity providers, it isn=92t required.  It *is* required in the = dynamic profile, in which clients can use identity providers that they = have no pre-existing relationship with.

 

        &nbs= p;            =             &n= bsp;           &nbs= p;            =   -- Mike

 

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt
Sent: Sunday, April 06, 2014 12:59 AM
To: Bill Mills
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client = Registration Documents

 

I think it is at the discretion of the = actual deployment whether clients may dynamically register or not = (meaning they need to go through some oob mechanism). Protocols = utilizing OAuth could make it part of their mandatory to implement features - in the same way OIDC does.

 

Best regards,

Torsten.
Am 06.04.2014 um 07:12 schrieb Bill Mills <wmills_92105@yahoo.com>:

To me the fundamental question of = whether a client has to be registered in each place it is used is quite = significant.  We don't address the problem and have not discussed it enough.

 

-bill

On Friday, = April 4, 2014 11:39 PM, Torsten Lodderstedt <torsten@lodderstedt.net> = wrote:

Hi Bill,

 

which scalability problem are you = referring to? As far as I remember there were issues around the = management API but not the core protocol.

 

regards,

Torsten.


Am 04.04.2014 um 18:41 schrieb Bill Mills <wmills_92105@yahoo.com>:

Given the fundamental scalability = problem we discussed in London do we really feel we're = ready?

On Friday, = April 4, 2014 3:07 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

Hi all,

This is a Last Call for comments on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-meta= data-00

Since we have to do the last call for these two documents together = we
are setting the call for **3 weeks**.

Please have your comments in no later than April 25th.

Ciao
Hannes & Derek

_______________________________________________
OAuth mailing list
OAuth@ietf.org
= https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
= https://www.ietf.org/mailman/listinfo/oauth

 

_______________________________________________
OAuth mailing = list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_C8193CDD-34C8-4AC9-8BBA-F68659E7329A-- From nobody Sun Apr 6 10:50:46 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3A881A03EA for ; Sun, 6 Apr 2014 10:50:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eEwE11LkIoqV for ; Sun, 6 Apr 2014 10:50:40 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0142.outbound.protection.outlook.com [207.46.163.142]) by ietfa.amsl.com (Postfix) with ESMTP id E4EA31A02B0 for ; Sun, 6 Apr 2014 10:50:39 -0700 (PDT) Received: from CH1PR03CA001.namprd03.prod.outlook.com (10.255.156.146) by BLUPR03MB017.namprd03.prod.outlook.com (10.255.208.39) with Microsoft SMTP Server (TLS) id 15.0.913.9; Sun, 6 Apr 2014 17:50:33 +0000 Received: from BN1AFFO11FD012.protection.gbl (10.255.156.132) by CH1PR03CA001.outlook.office365.com (10.255.156.146) with Microsoft SMTP Server (TLS) id 15.0.913.9 via Frontend Transport; Sun, 6 Apr 2014 17:50:33 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD012.mail.protection.outlook.com (10.58.52.72) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sun, 6 Apr 2014 17:50:32 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.03.0174.002; Sun, 6 Apr 2014 17:50:04 +0000 From: Mike Jones To: Phil Hunt Thread-Topic: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents Thread-Index: Ac9RwKUh99Wjgp17RDG6opbpUnHwag== Date: Sun, 6 Apr 2014 17:50:04 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A148DE3@TK5EX14MBXC286.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.35] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A148DE3TK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; ?= =?us-ascii?Q?SFS:(10009001)(438001)(53754006)(24454002)(199002)(189002)(3?= =?us-ascii?Q?77454003)(74876001)(16236675002)(98676001)(76796001)(6606600?= =?us-ascii?Q?1)(63696002)(80976001)(16601075003)(85852003)(77096001)(9541?= =?us-ascii?Q?6001)(19300405004)(84326002)(99396002)(44976005)(93136001)(4?= =?us-ascii?Q?7976001)(19580405001)(83322001)(50986001)(2656002)(65816001)?= =?us-ascii?Q?(76176001)(87266001)(6806004)(95666003)(19580395003)(9718600?= =?us-ascii?Q?1)(46102001)(74366001)(83072002)(94946001)(80022001)(8530600?= =?us-ascii?Q?2)(87936001)(84676001)(81686001)(90146001)(20776003)(9431600?= =?us-ascii?Q?2)(74662001)(33656001)(77982001)(74502001)(92566001)(5681600?= =?us-ascii?Q?5)(74706001)(15975445006)(97736001)(54356001)(59766001)(8134?= =?us-ascii?Q?2001)(4396001)(54316002)(49866001)(53806001)(47736001)(86362?= =?us-ascii?Q?001)(76786001)(15202345003)(97336001)(93516002)(92726001)(81?= =?us-ascii?Q?816001)(31966008)(2009001)(71186001)(76482001)(81542001)(791?= =?us-ascii?Q?02001)(512954002)(56776001)(55846006)(69226001)(47446002)(15?= =?us-ascii?Q?974865002);DIR:OUT;SFP:1101;SCL:1;SRVR:BLUPR03MB017;H:mail.m?= =?us-ascii?Q?icrosoft.com;FPR:EC8EF1B7.CFEF3EC.33F93F77.48C3FAC8.203B8;ML?= =?us-ascii?Q?V:sfv;PTR:InfoDomainNonexistent;A:1;MX:1;LANG:en;?= X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0173C6D4D5 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/vZHanBf7U1jINSHL7jA6IwsmrIY Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Apr 2014 17:50:44 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A148DE3TK5EX14MBXC286r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable OpenID Connect defines how it happens for OpenID Connect. Other dynamic OA= uth use cases still definitely need this. From: Phil Hunt [mailto:phil.hunt@oracle.com] Sent: Sunday, April 06, 2014 10:49 AM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registrat= ion Documents So in other words, OpenID Connect defines (or should define) how this happe= ns. There is no need for the Dyn Reg spec to clarify this right? Phil @independentid www.independentid.com phil.hunt@oracle.com On Apr 6, 2014, at 10:44 AM, Mike Jones > wrote: As a point of clarity, OpenID Connect does not mandate support for dynamic = registration in all cases. In static profiles with a pre-established set o= f identity providers, it isn't required. It *is* required in the dynamic p= rofile, in which clients can use identity providers that they have no pre-e= xisting relationship with. -- Mike From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Loddersted= t Sent: Sunday, April 06, 2014 12:59 AM To: Bill Mills Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registrat= ion Documents I think it is at the discretion of the actual deployment whether clients ma= y dynamically register or not (meaning they need to go through some oob mec= hanism). Protocols utilizing OAuth could make it part of their mandatory to= implement features - in the same way OIDC does. Best regards, Torsten. Am 06.04.2014 um 07:12 schrieb Bill Mills >: To me the fundamental question of whether a client has to be registered in = each place it is used is quite significant. We don't address the problem a= nd have not discussed it enough. -bill On Friday, April 4, 2014 11:39 PM, Torsten Lodderstedt > wrote: Hi Bill, which scalability problem are you referring to? As far as I remember there = were issues around the management API but not the core protocol. regards, Torsten. Am 04.04.2014 um 18:41 schrieb Bill Mills >: Given the fundamental scalability problem we discussed in London do we real= ly feel we're ready? On Friday, April 4, 2014 3:07 AM, Hannes Tschofenig > wrote: Hi all, This is a Last Call for comments on the dynamic client registration documents: * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 * OAuth 2.0 Dynamic Client Registration Metadata http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 Since we have to do the last call for these two documents together we are setting the call for **3 weeks**. Please have your comments in no later than April 25th. Ciao Hannes & Derek _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_4E1F6AAD24975D4BA5B16804296739439A148DE3TK5EX14MBXC286r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

OpenID Connect defines ho= w it happens for OpenID Connect.  Other dynamic OAuth use cases still = definitely need this.

 <= /p>

From: Phil Hun= t [mailto:phil.hunt@oracle.com]
Sent: Sunday, April 06, 2014 10:49 AM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Re= gistration Documents

 

So in other words, OpenID Connect defines (or should= define) how this happens.

 

There is no need for the Dyn Reg spec to clarify thi= s right?

 

Phil

 

@independentid<= /span>

phil.hunt@oracle.com

 <= /p>

 

 

On Apr 6, 2014, at 10:44 AM, Mike Jones <Michael.Jones@microsoft.com>= wrote:



As a point of clarity, Op= enID Connect does not mandate support for dynamic registration in all cases= .  In static profiles with a pre-established set of identity providers, it isn’t required.  It *is* required in the d= ynamic profile, in which clients can use identity providers that they have = no pre-existing relationship with.

 <= /p>

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 <= /p>

From: OAuth [<= a href=3D"mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt
Sent: Sunday, April 06, 2014 12:59 AM
To: Bill Mills
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Re= gistration Documents

 

I think it is at the discretion of the actual deploy= ment whether clients may dynamically register or not (meaning they need to = go through some oob mechanism). Protocols utilizing OAuth could make it par= t of their mandatory to implement features - in the same way OIDC does.

 

Best regards,

Torsten.
Am 06.04.2014 um 07:12 schrieb Bill Mills <wmills_92105@yahoo.com>:

To me the fundamental question of whether a client has to = be registered in each place it is used is quite significant.  We don't= address the problem and have not discussed it enough.

 

-bill

On Friday, Apr= il 4, 2014 11:39 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

Hi Bill,

 

which scalability problem are you referring to? As far as = I remember there were issues around the management API but not the core pro= tocol.

 

regards,

Torsten.


Am 04.04.2014 um 18:41 schrieb Bill Mills <wmills_92105@yahoo.com>:<= /o:p>

Given the fundamental scalability problem we discussed in = London do we really feel we're ready?

On Friday, Apr= il 4, 2014 3:07 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

Hi all,

This is a Last Call for comments on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-meta= data-00

Since we have to do the last call for these two documents together we
are setting the call for **3 weeks**.

Please have your comments in no later than April 25th.

Ciao
Hannes & Derek

_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.or= g/mailman/listinfo/oauth

 

--_000_4E1F6AAD24975D4BA5B16804296739439A148DE3TK5EX14MBXC286r_-- From nobody Sun Apr 6 18:46:08 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 752D01A063B for ; Sun, 6 Apr 2014 18:46:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2JR_Vf2pvecS for ; Sun, 6 Apr 2014 18:46:03 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0189.outbound.protection.outlook.com [207.46.163.189]) by ietfa.amsl.com (Postfix) with ESMTP id D004A1A01F0 for ; Sun, 6 Apr 2014 18:46:02 -0700 (PDT) Received: from BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) by BLUPR03MB310.namprd03.prod.outlook.com (10.141.48.25) with Microsoft SMTP Server (TLS) id 15.0.918.8; Mon, 7 Apr 2014 01:45:55 +0000 Received: from BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) by BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) with mapi id 15.00.0918.000; Mon, 7 Apr 2014 01:45:55 +0000 From: Anthony Nadalin To: Mike Jones , John Bradley , Phil Hunt Thread-Topic: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt Thread-Index: AQHPT1ol/WlOVQaWcUeFKb0tHOmcZJsAF2eAgAABEICAABi7AIAABhAAgAUvlGA= Date: Mon, 7 Apr 2014 01:45:54 +0000 Message-ID: <5eb59ad6654c4e38adb85afba06bbc8b@BLUPR03MB309.namprd03.prod.outlook.com> References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> <533D8CA3.6070005@oracle.com> <533D8E5F.8000600@redhat.com> <6BE94541-2DAA-4CDA-8478-E1BF99480629@oracle.com> <4E1F6AAD24975D4BA5B16804296739439A139FC3@TK5EX14MBXC286.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A139FC3@TK5EX14MBXC286.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [2404:1a0:1001:16:f0c2:abde:79ae:5539] x-forefront-prvs: 0174BD4BDA x-forefront-antispam-report: =?us-ascii?Q?SFV:NSPM; SFS:(10009001)(428001)(479174003)(24454002)(3774540?= =?us-ascii?Q?03)(189002)(199002)(377424004)(74662001)(90146001)(74502001)?= =?us-ascii?Q?(47446002)(15395725003)(16236675002)(81342001)(31966008)(818?= =?us-ascii?Q?16001)(93136001)(81686001)(92566001)(93516002)(81542001)(743?= =?us-ascii?Q?66001)(74706001)(85852003)(83072002)(74876001)(76576001)(863?= =?us-ascii?Q?62001)(76796001)(76786001)(69226001)(14971765001)(56816005)(?= =?us-ascii?Q?94316002)(97186001)(80976001)(97336001)(94946001)(74316001)(?= =?us-ascii?Q?59766001)(19609705001)(77982001)(19580395003)(83322001)(1958?= =?us-ascii?Q?0405001)(33646001)(16799955002)(87266001)(87936001)(2656002)?= =?us-ascii?Q?(20776003)(19300405004)(63696002)(15188155005)(80022001)(658?= =?us-ascii?Q?16001)(79102001)(15975445006)(95416001)(53806001)(54356001)(?= =?us-ascii?Q?46102001)(1511001)(99396002)(85306002)(56776001)(54316002)(5?= =?us-ascii?Q?0986001)(47976001)(49866001)(47736001)(76482001)(98676001)(1?= =?us-ascii?Q?5202345003)(4396001)(95666003)(42262001)(24736002)(3826001)(?= =?us-ascii?Q?19623215001);DIR:OUT;SFP:1101;SCL:1;SRVR:BLUPR03MB310;H:BLUP?= =?us-ascii?Q?R03MB309.namprd03.prod.outlook.com;FPR:A84FFD3D.ACF677CC.B7C?= =?us-ascii?Q?37F49.52E4C9B1.204AA;MLV:sfv;PTR:InfoNoRecords;MX:1;A:1;LANG?= =?us-ascii?Q?:en;?= received-spf: None (: microsoft.com does not designate permitted sender hosts) Content-Type: multipart/alternative; boundary="_000_5eb59ad6654c4e38adb85afba06bbc8bBLUPR03MB309namprd03pro_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/J9AIf_BfB8qgKZPewUIQP1P4ffA Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Apr 2014 01:46:07 -0000 --_000_5eb59ad6654c4e38adb85afba06bbc8bBLUPR03MB309namprd03pro_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I have to agree with Phil on this as there are already spec out there that = use HoK and PoP , either of these work but prefer HoK as folks get confused= with PoP as we have seen this within our company already From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones Sent: Thursday, April 3, 2014 11:32 AM To: John Bradley; Phil Hunt Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-a= rchitecture-00.txt I agree with what John wrote below. Besides, PoP is more natural to say th= an HoK and certainly more natural to say than HOTK. I'd like us to stay wi= th the term Proof-of-Possession (PoP). -- Mike From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley Sent: Thursday, April 03, 2014 11:10 AM To: Phil Hunt Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-a= rchitecture-00.txt Some people and specs associate holder of key with asymmetric keys. Proof = of possession is thought to be a broader category including symmetric and k= ey agreement eg http://tools.ietf.org/html/rfc2875. NIST defines the term PoP Protocol http://fismapedia.org/index.php?title=3D= Term:Proof_of_Possession_Protocol In SAML the saml:SubjectConfirmation method is called urn:oasis:names:tc:S= AML:2.0:cm:holder-of-key In WS* the term proof of possession is more common. So I think for this document as an overview "Proof of Possession (PoP) Arch= itecture" is fine. John B. On Apr 3, 2014, at 12:41 PM, Phil Hunt > wrote: What was wrong with HOK? Aside: Why was "the" so important in HOTK? Phil @independentid www.independentid.com phil.hunt@oracle.com On Apr 3, 2014, at 9:37 AM, Anil Saldhana > wrote: Prateek, why not just use "proof"? draft-hunt-oauth-proof-architecture-00.txt Is that allowed by IETF? Regards, Anil On 04/03/2014 11:30 AM, Prateek Mishra wrote: "key confirmed" or "key confirmation" is another term that is widely used f= or these use-cases I really *like* the name "proof of possession", but I think the acronym PoP= is going to be confused with POP. HOTK has the advantage of not being a h= omonym for aything else. What about "Possession Proof"? -bill -------------------------------- William J. Mills "Paranoid" MUX Yahoo! On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" wrote: A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt has been successfully submitted by Hannes Tschofenig and posted to the IETF repository. Name: draft-hunt-oauth-pop-architecture Revision: 00 Title: OAuth 2.0 Proof-of-Possession (PoP) Security Architecture Document date: 2014-04-03 Group: Individual Submission Pages: 21 URL: http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-ar= chitecture-00.txt Status: https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-archit= ecture/ Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture= -00 Abstract: The OAuth 2.0 bearer token specification, as defined in RFC 6750, allows any party in possession of a bearer token (a "bearer") to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens must to be protected from disclosure in transit and at rest. Some scenarios demand additional security protection whereby a client needs to demonstrate possession of cryptographic keying material when accessing a protected resource. This document motivates the development of the OAuth 2.0 proof-of-possession security mechanism. Please note that it may take a couple of minutes from the time of submissio= n until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_5eb59ad6654c4e38adb85afba06bbc8bBLUPR03MB309namprd03pro_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I have to agree with Phil= on this as there are already spec out there that use HoK and PoP , either = of these work but prefer HoK as folks get confused with PoP as we have seen this within our company already

 

From: OAuth = [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, April 3, 2014 11:32 AM
To: John Bradley; Phil Hunt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oaut= h-pop-architecture-00.txt

 

I agree with what John wr= ote below.  Besides, PoP is more natural to say than HoK and certainly= more natural to say than HOTK.  I’d like us to stay with the term Proof-of-Possession (PoP).

 <= /p>

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 <= /p>

From: OAuth [<= a href=3D"mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Thursday, April 03, 2014 11:10 AM
To: Phil Hunt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oaut= h-pop-architecture-00.txt

 

Some people and specs associate holder of key with a= symmetric keys.  Proof of possession is thought to be a broader catego= ry including symmetric and key agreement eg http://tools.ietf.org/html/r= fc2875.

 

 

In SAML the saml:SubjectConfirmation method  is= called urn:oasis:names:tc:SAML:2.0:cm:holder-o= f-key 

 

In WS* the term proof of possession is more common.<= o:p>

 

So I think for this document as an overview "Pr= oof of Possession (PoP) Architecture" is fine.

 

John B.

 

 

What was wrong with HOK?

 

Aside: Why was “the” so important in HOT= K?

 

 

On Apr 3, 2014, at 9:37 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrot= e:

 

Prateek,
  why not just use "proof"?

draft-hunt-oauth-proof-architecture-00.txt

Is that allowed by IETF?


Regards,
Anil

On 04/03/2014 11:30 AM, Prateek Mishra wrote:

"key confirmed&q= uot; or "key confirmation" is another term that is widely used fo= r these use-cases

I really *like* the name "= proof of possession", but I think the acronym PoP is going to be confu= sed with POP.  HOTK has the advantage of not being a homonym for aything else.  What about "Possession Proof"?

 

-bill=

--------------------------------
William J. Mills
"Paranoid" MUX Yahoo!

 

On Thursday, A= pril 3, 2014 1:38 AM, "internet-drafts@ietf.org&= quot; <internet-drafts@ietf.org> wrote:


A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.

Name:        draft-hunt-oauth-pop-architectur= e
Revision:    00
Title:        OAuth 2.0 Proof-of-Possession (= PoP) Security Architecture
Document date:    2014-04-03
Group:        Individual Submission
Pages:        21
URL:            http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.tx= t
Status:        https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/
Htmlized:      http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00


Abstract:
  The OAuth 2.0 bearer token specification, as defined in RFC 6750,   allows any party in possession of a bearer token (a "bearer&quo= t;) to get
  access to the associated resources (without demonstrating possession=
  of a cryptographic key).  To prevent misuse, bearer tokens must= to be
  protected from disclosure in transit and at rest.

  Some scenarios demand additional security protection whereby a clien= t
  needs to demonstrate possession of cryptographic keying material whe= n
  accessing a protected resource.  This document motivates the   development of the OAuth 2.0 proof-of-possession security mechanism.=

                     = ;                     &nb= sp;                     &= nbsp;                


Please note that it may take a couple of minutes from the time of submissio= n
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.or= g/mailman/listinfo/oauth

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.or= g/mailman/listinfo/oauth

 

--_000_5eb59ad6654c4e38adb85afba06bbc8bBLUPR03MB309namprd03pro_-- From nobody Fri Apr 11 19:27:47 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E67F71A031B for ; Fri, 11 Apr 2014 19:27:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ky0c3saCHwwj for ; Fri, 11 Apr 2014 19:27:43 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0140.outbound.protection.outlook.com [207.46.163.140]) by ietfa.amsl.com (Postfix) with ESMTP id CDACC1A0010 for ; Fri, 11 Apr 2014 19:27:42 -0700 (PDT) Received: from CH1PR03CA004.namprd03.prod.outlook.com (10.255.156.149) by BN1PR03MB171.namprd03.prod.outlook.com (10.255.200.150) with Microsoft SMTP Server (TLS) id 15.0.913.9; Sat, 12 Apr 2014 02:27:39 +0000 Received: from BN1BFFO11FD044.protection.gbl (10.255.156.132) by CH1PR03CA004.outlook.office365.com (10.255.156.149) with Microsoft SMTP Server (TLS) id 15.0.918.8 via Frontend Transport; Sat, 12 Apr 2014 02:27:39 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD044.mail.protection.outlook.com (10.58.144.107) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sat, 12 Apr 2014 02:27:39 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.03.0181.007; Sat, 12 Apr 2014 02:27:12 +0000 From: Mike Jones To: Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Working Group Last Call on draft-ietf-oauth-jwt-bearer-07 Thread-Index: AQHPPVw2F9HuDaJs6kGBrOUGRQCwHpsNbeag Date: Sat, 12 Apr 2014 02:27:11 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A154C74@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <531F5A2A.2090109@gmx.net> In-Reply-To: <531F5A2A.2090109@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.71] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(199002)(189002)(377454003)(13464003)(41574002)(55846006)(20776003)(54356999)(76482001)(15975445006)(77982001)(85806002)(50986999)(86362001)(76176999)(46102001)(81342001)(97756001)(4396001)(47776003)(83072002)(86612001)(46406003)(31966008)(83322001)(85852003)(2009001)(92566001)(74502001)(50466002)(92726001)(79102001)(74662001)(19580395003)(99396002)(66066001)(2656002)(80976001)(80022001)(87936001)(44976005)(15202345003)(19580405001)(33656001)(6806004)(81542001)(23726002)(97736001)(84676001); DIR:OUT; SFP:1101; SCL:1; SRVR:BN1PR03MB171; H:mail.microsoft.com; FPR:FC3B5871.1EF297F6.1E3FF87.46E29959.20183; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01792087B6 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/p_WTOETIPOKJsJi0fLK1R3pq_7c Subject: Re: [OAUTH-WG] Working Group Last Call on draft-ietf-oauth-jwt-bearer-07 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Apr 2014 02:27:45 -0000 Am I correct that there were no working group last call comments received o= n draft-ietf-oauth-jwt-bearer? (It's possible that I missed them, of cours= e...) If so, it sounds to me like nothing blocks this from proceeding to IESG rev= iew beyond the JWT and Assertions spec dependencies. Is that correct, Hann= es? -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Tuesday, March 11, 2014 11:47 AM To: oauth@ietf.org Subject: [OAUTH-WG] Working Group Last Call on draft-ietf-oauth-jwt-bearer-= 07 This is a Last Call for comments on http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 Please have your comments in no later than March 25th. It is a fairly short document - have a look at it. Thanks! Hannes & Derek From nobody Sat Apr 12 18:09:22 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F24A1A0261 for ; Sat, 12 Apr 2014 18:09:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 264ZdjAZ5qx4 for ; Sat, 12 Apr 2014 18:09:14 -0700 (PDT) Received: from mail-ob0-f170.google.com (mail-ob0-f170.google.com [209.85.214.170]) by ietfa.amsl.com (Postfix) with ESMTP id 3A95A1A0178 for ; Sat, 12 Apr 2014 18:09:14 -0700 (PDT) Received: by mail-ob0-f170.google.com with SMTP id uz6so7747652obc.1 for ; Sat, 12 Apr 2014 18:09:12 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=yPV/fFApWYY7YiD6llZwpcU8pyzqnC+rR27w3navnno=; b=P+WsFKbTfiPZRYwEgZinx2n5OfTCmroqOWh7vk6PUcV8wuve9+b7UJMrBONfFWLC3l 39yfUjF0KBXrlULt4/iEx9q2j0c+YipAdR8+faQ60rFaa8BL6qRuTQq6kTH+S/+mA2mg g1Ph8BgSqItI+FctGJ/fntdzxEhNcNMlQ8vEUVp3jXFHj3TgnUvTHpHYsPSfpCO7sXhP lyLadZvDj1Zy86A/WfSbxLzjJ9n5ZlbadUNfC6x6bKOHDhHZXWJFIoJyF6F0i6YYzQzV E6GOkg4Kzaabqjvi4NT7zILpO9vJu5pD/q7ST2OfwKekN1QwHsfer2pr0JOgdrJLkLVL VoPw== X-Gm-Message-State: ALoCoQnmlS3Uz7yX/3dngKeFB6hvbWXgjijHIIwGeuCbYhPDrjYGC3ea6254YhN0JKH8tJdLAnKX MIME-Version: 1.0 X-Received: by 10.60.39.131 with SMTP id p3mr27240766oek.44.1397351352035; Sat, 12 Apr 2014 18:09:12 -0700 (PDT) Received: by 10.76.75.169 with HTTP; Sat, 12 Apr 2014 18:09:11 -0700 (PDT) In-Reply-To: <533D1E8D.5000401@gmx.net> References: <533D1E8D.5000401@gmx.net> Date: Sat, 12 Apr 2014 18:09:11 -0700 Message-ID: From: Chuck Mortimore To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=089e0149cc30f7006404f6e23619 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qcbRKyCTrHV19WV4QVdKoJeluoI Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Document X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 01:09:19 -0000 --089e0149cc30f7006404f6e23619 Content-Type: text/plain; charset=ISO-8859-1 Nice document. One quick question In Section 6, on the use of asymmetric keys, it is stated "If the client generates the key pair it includes a fingerprint of the public key (of the SubjectPublicKeyInfo structure, more precisely). The authorization server would include this fingerprint in the access token and thereby bind the asymmetric key pair to the token." However, it's not clear where this fingerprint would go in a JWK. I see a cert fingerprint, but no provision for a public key fingerprint. What's the intent here? -cmort On Thu, Apr 3, 2014 at 1:40 AM, Hannes Tschofenig wrote: > Hi all, > > as discussed during the last IETF meeting we are re-factoring our > documents on proof-of-possession. (As a reminder, here is the > presentation I have during the OAuth meeting: > http://www.ietf.org/proceedings/89/slides/slides-89-oauth-0.pptx)* > > Mike had already posted draft-jones-oauth-proof-of-possession-00 and now > I have added the architecture document, which provides an overview of > the different pieces. > > Here is the document for you to look at: > http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00 > > Ciao > Hannes > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --089e0149cc30f7006404f6e23619 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Nice document. =A0 One quick question

<= div>In Section 6, on the use of asymmetric keys, it is stated "If the = client generates the key pair it includes a fingerprint of the public key (= of the SubjectPublicKeyInfo structure, more precisely). =A0The authorizatio= n server would include this fingerprint in the access token and thereby bin= d the asymmetric key pair to the token." =A0 However, it's not cle= ar where this fingerprint would go in a JWK. =A0 I see a cert fingerprint, = but no provision for a public key fingerprint. =A0=A0

What's the intent here?

<= div>-cmort



On Thu, Apr 3, 2014 at 1:40 AM, Hannes Tschofenig <= span dir=3D"ltr"><hannes.tschofenig@gmx.net> wrote:
Hi all,

as discussed during the last IETF meeting we are re-factoring our
documents on proof-of-possession. (As a reminder, here is the
presentation I have during the OAuth meeting:
http://www.ietf.org/proceedings/89/slides/slides-89-o= auth-0.pptx)*

Mike had already posted draft-jones-oauth-proof-of-possession-00 and now I have added the architecture document, which provides an overview of
the different pieces.

Here is the document for you to look at:
http://tools.ietf.org/html/draft-hunt-oauth-pop-architec= ture-00

Ciao
Hannes


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--089e0149cc30f7006404f6e23619-- From nobody Sat Apr 12 18:12:13 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D66131A0261 for ; Sat, 12 Apr 2014 18:12:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hcqz2-zi8mp0 for ; Sat, 12 Apr 2014 18:12:08 -0700 (PDT) Received: from mail-oa0-f41.google.com (mail-oa0-f41.google.com [209.85.219.41]) by ietfa.amsl.com (Postfix) with ESMTP id A8F8E1A0178 for ; Sat, 12 Apr 2014 18:12:08 -0700 (PDT) Received: by mail-oa0-f41.google.com with SMTP id j17so7814632oag.14 for ; Sat, 12 Apr 2014 18:12:06 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Q2vYZhEpMlZccLO5JCOd3ZXltLG3Pp7ApBH6qaT75GE=; b=ZkXw/w+4e+OV0Q0yc4VRolRyDu87u/Ca5ZDau/h1dqr5z6mhDIjLiAyMX8CWQA/vxh PcQ/PLdlGQ4mn0LfXheO/qia/ORusLmoHTyFNK511fTzFHcp6wJPv4PfqSCqi5qhuYfU WKdJ3Ud6i7+vFxUQv1gV3qMG8gSPkI+WKAkeFrglTKioefv0d42NZdsaf257DdchsXdq FzCPZBFwZZvw8c4vOLbzDhDZGKgc9bCU+QKVOWADMa+RYxp16iq1uXxJ7O3HBv27rgif PhhuHYvd8rNzRZuHXxjFq992ZhinoZJF5K3SQlQx7stQ4mAslm0Xm3n5bmzKztcWEEz4 Un2w== X-Gm-Message-State: ALoCoQkGqD8DqyCx4WmYBkRQC4ujY8HHBDRdCQ53qFxYwQJasbyC7XR2LRAc7uWywKG48mjoBVGh MIME-Version: 1.0 X-Received: by 10.182.44.167 with SMTP id f7mr26562298obm.3.1397351526614; Sat, 12 Apr 2014 18:12:06 -0700 (PDT) Received: by 10.76.75.169 with HTTP; Sat, 12 Apr 2014 18:12:06 -0700 (PDT) In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> Date: Sat, 12 Apr 2014 18:12:06 -0700 Message-ID: From: Chuck Mortimore To: Mike Jones Content-Type: multipart/alternative; boundary=001a11c1d7e05ed7e704f6e241c7 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wjXJdvUI16bpznmG3MkEXetEdoo Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 01:12:11 -0000 --001a11c1d7e05ed7e704f6e241c7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Good start here Mike! One quick question - I see the "cnf" member is defined as a JWK. Why not a JWK Set? I could see use-cases for binding in multiple keys. -cmort On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones wro= te: > I've written a concise Internet-Draft on proof-of-possession for JWTs > with John Bradley and Hannes Tschofenig. Quoting from the abstract: > > > > *This specification defines how to express a declaration in a JSON Web > Token (JWT) that the presenter of the JWT possesses a particular key and > that the recipient can cryptographically confirm proof-of-possession of t= he > key by the presenter. This property is also sometimes described as the > presenter being a holder-of-key.* > > > > This specification intentionally does not specify the means of > communicating the proof-of-possession JWT, nor the messages used to > exercise the proof key, as these are necessarily application-specific. > Rather, this specification defines a proof-of-possession JWT data structu= re > to be used by other specifications that do define those things. > > > > The specification is available at: > > =B7 > http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00 > > > > An HTML formatted version is available at: > > =B7 > http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.htm= l > > > > -- Mike > > > > P.S. This note was also posted at http://self-issued.info/?p=3D1210 and = as > @selfissued. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --001a11c1d7e05ed7e704f6e241c7 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Good start here Mike!

One quick questio= n - I see the "cnf" member is defined as a JWK.  Why not a J= WK Set?    I could see use-cases for binding in multiple keys.

-cmort




On Tue, Apr 1, 2014 at = 8:36 PM, Mike Jones <Michael.Jones@microsoft.com> = wrote:

I’ve written a concise Internet-Draft on proof= -of-possession for JWTs with John Bradley and Hannes Tschofenig.  Quot= ing from the abstract:

 

This specification def= ines how to express a declaration in a JSON Web Token (JWT) that the presen= ter of the JWT possesses a particular key and that the recipient can crypto= graphically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as = the presenter being a holder-of-key.

 

This specification intentionally does not specify th= e means of communicating the proof-of-possession JWT, nor the messages used= to exercise the proof key, as these are necessarily application-specific.&= nbsp; Rather, this specification defines a proof-of-possession JWT data structure to be used by other specification= s that do define those things.

 

The specification is available at:

=B7       = ; http://tools.ietf.org/ht= ml/draft-jones-oauth-proof-of-possession-00

 

An HTML formatted version is available at:=

=B7       = ; http://self-issue= d.info/docs/draft-jones-oauth-proof-of-possession-00.html

 

        &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p; -- Mike

 

P.S.  This note was also posted at http://self-issued.info/?p=3D1210 and as @selfissued.

 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--001a11c1d7e05ed7e704f6e241c7-- From nobody Sat Apr 12 20:31:33 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9B51A01CD for ; Sat, 12 Apr 2014 20:31:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y8WILKr585Ej for ; Sat, 12 Apr 2014 20:31:28 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0208.outbound.protection.outlook.com [207.46.163.208]) by ietfa.amsl.com (Postfix) with ESMTP id C93811A000B for ; Sat, 12 Apr 2014 20:31:27 -0700 (PDT) Received: from BY2PR03CA067.namprd03.prod.outlook.com (10.141.249.40) by BY2PR03MB027.namprd03.prod.outlook.com (10.255.240.41) with Microsoft SMTP Server (TLS) id 15.0.921.12; Sun, 13 Apr 2014 03:31:18 +0000 Received: from BN1AFFO11FD016.protection.gbl (2a01:111:f400:7c10::116) by BY2PR03CA067.outlook.office365.com (2a01:111:e400:2c5d::40) with Microsoft SMTP Server (TLS) id 15.0.913.9 via Frontend Transport; Sun, 13 Apr 2014 03:31:19 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD016.mail.protection.outlook.com (10.58.52.76) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sun, 13 Apr 2014 03:31:18 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0174.002; Sun, 13 Apr 2014 03:30:47 +0000 From: Mike Jones To: Chuck Mortimore , Hannes Tschofenig Thread-Topic: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Document Thread-Index: AQHPTxiWJX+tCnUI4kWVS6o6n/baT5sOy8OAgAAmWoA= Date: Sun, 13 Apr 2014 03:30:45 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A155FC1@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <533D1E8D.5000401@gmx.net> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A155FC1TK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(199002)(189002)(24454002)(377454003)(53754006)(33656001)(87936001)(20776003)(2656002)(44976005)(85852003)(83072002)(19580395003)(80976001)(19580405001)(15975445006)(83322001)(6806004)(55846006)(99396002)(16236675002)(76176999)(50986999)(54356999)(46102001)(79102001)(66066001)(19300405004)(80022001)(4396001)(81342001)(2009001)(97736001)(77982001)(81542001)(71186001)(15202345003)(76482001)(92726001)(84676001)(85806002)(92566001)(74662001)(31966008)(86612001)(74502001)(512954002)(84326002)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB027; H:mail.microsoft.com; FPR:B474D5F4.82F297D1.73E3347B.40E1D9E9.20290; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 018093A9B5 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/4Ddukfb1fWDGBf8hUJJd7qrx9IE Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Document X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 03:31:30 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A155FC1TK5EX14MBXC286r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable The new http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00 speci= fication defines a way to compute a thumbprint for a JWK (or in fact, any k= ey with a defined JWK representation). -- Mike From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Chuck Mortimore Sent: Saturday, April 12, 2014 6:09 PM To: Hannes Tschofenig Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Document Nice document. One quick question In Section 6, on the use of asymmetric keys, it is stated "If the client ge= nerates the key pair it includes a fingerprint of the public key (of the Su= bjectPublicKeyInfo structure, more precisely). The authorization server wo= uld include this fingerprint in the access token and thereby bind the asymm= etric key pair to the token." However, it's not clear where this fingerpr= int would go in a JWK. I see a cert fingerprint, but no provision for a p= ublic key fingerprint. What's the intent here? -cmort On Thu, Apr 3, 2014 at 1:40 AM, Hannes Tschofenig > wrote: Hi all, as discussed during the last IETF meeting we are re-factoring our documents on proof-of-possession. (As a reminder, here is the presentation I have during the OAuth meeting: http://www.ietf.org/proceedings/89/slides/slides-89-oauth-0.pptx)* Mike had already posted draft-jones-oauth-proof-of-possession-00 and now I have added the architecture document, which provides an overview of the different pieces. Here is the document for you to look at: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00 Ciao Hannes _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_4E1F6AAD24975D4BA5B16804296739439A155FC1TK5EX14MBXC286r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

The new h= ttp://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00 specificat= ion defines a way to compute a thumbprint for a JWK (or in fact, any key wi= th a defined JWK representation).

 <= /p>

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 <= /p>

From: OAuth [m= ailto:oauth-bounces@ietf.org] On Behalf Of Chuck Mortimore
Sent: Saturday, April 12, 2014 6:09 PM
To: Hannes Tschofenig
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Docum= ent

 

Nice document.   One quick question<= /p>

 

In Section 6, on the use of asymmetric keys, it is s= tated "If the client generates the key pair it includes a fingerprint = of the public key (of the SubjectPublicKeyInfo structure, more precisely). =  The authorization server would include this fingerprint in the access token and thereby bind the asymmetric key p= air to the token."   However, it's not clear where this fingerpri= nt would go in a JWK.   I see a cert fingerprint, but no provision for= a public key fingerprint.   

 

What's the intent here?

 

-cmort

 

 

On Thu, Apr 3, 2014 at 1:40 AM, Hannes Tschofenig &l= t;hannes.tsc= hofenig@gmx.net> wrote:

Hi all,

as discussed during the last IETF meeting we are re-factoring our
documents on proof-of-possession. (As a reminder, here is the
presentation I have during the OAuth meeting:
http://www.ietf.org/proceedings/89/slides/slides-89-o= auth-0.pptx)*

Mike had already posted draft-jones-oauth-proof-of-possession-00 and now I have added the architecture document, which provides an overview of
the different pieces.

Here is the document for you to look at:
http://tools.ietf.org/html/draft-hunt-oauth-pop-architec= ture-00

Ciao
Hannes


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

 

--_000_4E1F6AAD24975D4BA5B16804296739439A155FC1TK5EX14MBXC286r_-- From nobody Sat Apr 12 20:33:30 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF2C1A000B for ; Sat, 12 Apr 2014 20:33:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nvMEvtd3Exr2 for ; Sat, 12 Apr 2014 20:33:25 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0212.outbound.protection.outlook.com [207.46.163.212]) by ietfa.amsl.com (Postfix) with ESMTP id B54791A000F for ; Sat, 12 Apr 2014 20:33:24 -0700 (PDT) Received: from BL2PR03CA018.namprd03.prod.outlook.com (10.141.66.26) by BLUPR03MB017.namprd03.prod.outlook.com (10.255.208.39) with Microsoft SMTP Server (TLS) id 15.0.921.12; Sun, 13 Apr 2014 03:33:16 +0000 Received: from BL2FFO11FD010.protection.gbl (2a01:111:f400:7c09::125) by BL2PR03CA018.outlook.office365.com (2a01:111:e400:c1b::26) with Microsoft SMTP Server (TLS) id 15.0.918.8 via Frontend Transport; Sun, 13 Apr 2014 03:33:16 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD010.mail.protection.outlook.com (10.173.161.16) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sun, 13 Apr 2014 03:33:15 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0174.002; Sun, 13 Apr 2014 03:32:53 +0000 From: Mike Jones To: Chuck Mortimore Thread-Topic: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) Thread-Index: Ac9OJMm2QQWqL+riTTewCyU8ts655AIkJjcAAATakwA= Date: Sun, 13 Apr 2014 03:32:52 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A155FFBTK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(377454003)(189002)(199002)(24454002)(77982001)(71186001)(81342001)(15975445006)(2009001)(86612001)(80976001)(19300405004)(4396001)(54356999)(92566001)(76176999)(76482001)(81542001)(16236675002)(83072002)(6806004)(19580395003)(86362001)(46102001)(15202345003)(66066001)(83322001)(19580405001)(44976005)(2656002)(80022001)(84676001)(74502001)(87936001)(55846006)(79102001)(92726001)(20776003)(97736001)(33656001)(512954002)(85852003)(84326002)(85806002)(74662001)(50986999)(31966008)(99396002)(6606295002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB017; H:mail.microsoft.com; FPR:CC40D19E.9E3A46D9.B3D3BD49.4CF0F471.20311; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 018093A9B5 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Vrkcm_qCbc2uj1ncTzsfie0E9UM Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 03:33:27 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A155FFBTK5EX14MBXC286r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Is having multiple confirmation keys a common case? I'd rather we "make si= mple things simple" than build the most general solution possible. If an a= pplication really needs multiple confirmation keys, it can always defined a= "jwks" element and the handling rules for it, and go for it... -- Mike From: Chuck Mortimore [mailto:cmortimore@salesforce.com] Sent: Saturday, April 12, 2014 6:12 PM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (= JWTs) Good start here Mike! One quick question - I see the "cnf" member is defined as a JWK. Why not a= JWK Set? I could see use-cases for binding in multiple keys. -cmort On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones > wrote: I've written a concise Internet-Draft on proof-of-possession for JWTs with = John Bradley and Hannes Tschofenig. Quoting from the abstract: This specification defines how to express a declaration in a JSON Web Token= (JWT) that the presenter of the JWT possesses a particular key and that th= e recipient can cryptographically confirm proof-of-possession of the key by= the presenter. This property is also sometimes described as the presenter = being a holder-of-key. This specification intentionally does not specify the means of communicatin= g the proof-of-possession JWT, nor the messages used to exercise the proof = key, as these are necessarily application-specific. Rather, this specifica= tion defines a proof-of-possession JWT data structure to be used by other s= pecifications that do define those things. The specification is available at: * http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-0= 0 An HTML formatted version is available at: * http://self-issued.info/docs/draft-jones-oauth-proof-of-possession= -00.html -- Mike P.S. This note was also posted at http://self-issued.info/?p=3D1210 and as= @selfissued. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_4E1F6AAD24975D4BA5B16804296739439A155FFBTK5EX14MBXC286r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Is having multiple confir= mation keys a common case?  I’d rather we “make simple thi= ngs simple” than build the most general solution possible.  If a= n application really needs multiple confirmation keys, it can always defined a “jw= ks” element and the handling rules for it, and go for it…<= /o:p>

 <= /p>

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 <= /p>

From: Chuck Mo= rtimore [mailto:cmortimore@salesforce.com]
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web T= okens (JWTs)

 

Good start here Mike!

 

One quick question - I see the "cnf" membe= r is defined as a JWK.  Why not a JWK Set?    I could see us= e-cases for binding in multiple keys.

 

-cmort

 

 

 

On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones <Michael.Jones@m= icrosoft.com> wrote:

I’ve written a concise Internet-Draft on proof-of-possession= for JWTs with John Bradley and Hannes Tschofenig.  Quoting from the a= bstract:

 

This specification defines how to express a declaration in a JSON Web To= ken (JWT) that the presenter of the JWT possesses a particular key and that= the recipient can cryptographically confirm proof-of-possession of the key= by the presenter. This property is also sometimes described as the presenter being a holder-of-key.

 

This specification intentionally does not specify the means of com= municating the proof-of-possession JWT, nor the messages used to exercise t= he proof key, as these are necessarily application-specific.  Rather, this specification defines a proof-of-= possession JWT data structure to be used by other specifications that do de= fine those things.

 

The specification is available at:

·        http://tools.ietf.org/html/draft-jones-oauth-= proof-of-possession-00

 

An HTML formatted version is available at:

·        http://self-issued.info/docs/draft-jon= es-oauth-proof-of-possession-00.html

 

      =             &nb= sp;            =             &nb= sp;            =     -- Mike

 

P.S.  This note was also posted at http://self= -issued.info/?p=3D1210 and as @selfissued.

 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

 

--_000_4E1F6AAD24975D4BA5B16804296739439A155FFBTK5EX14MBXC286r_-- From nobody Sat Apr 12 20:39:31 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E0D91A01D3 for ; Sat, 12 Apr 2014 20:39:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ZebvDAgq4kO for ; Sat, 12 Apr 2014 20:39:27 -0700 (PDT) Received: from mail-oa0-f54.google.com (mail-oa0-f54.google.com [209.85.219.54]) by ietfa.amsl.com (Postfix) with ESMTP id 290961A01CD for ; Sat, 12 Apr 2014 20:39:27 -0700 (PDT) Received: by mail-oa0-f54.google.com with SMTP id n16so7847111oag.41 for ; Sat, 12 Apr 2014 20:39:25 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=QC/85Y0vgSVOVLASiC7+SzJ4BBtlMQeZV099LmPYYoQ=; b=idBeVNd7aIfQBJsS8MXAdzQD0ZKbMyXRXKVpe4aYS5GRPB1Xh5x9emLWRJBR3P62JE yQbQ58QRwjiL9AJlgpA0pgDalBWEotzyHhhwafn2PvX52yyaqiNQhwP7OBLv5EC0Et0Y q9cFvMx+6mbgcd/KW64i1zURnFtAraZxJJCBMcK9vsssj+fLNaCJVN3yanOedmQdJG/Y C1cB2Yn/8xHcMSytoSSJZczVSY9ccitHl6UcFlC/j28NE0lK2vdWkn162DOX4RjsGAHe w16v6w4AN6ndkQdAfGVh93wdRlbINwVS3aRAhjEVrTJofrlmhS5RPE6kXrt1rUK/37Y7 Fklw== X-Gm-Message-State: ALoCoQlEJnC1pzreG4Cv7TNDlab1A+ZVig4hsX3pUhnL0ju9x/tYr/H80z3mgvRdLOvsFE5gn0Eo MIME-Version: 1.0 X-Received: by 10.60.160.173 with SMTP id xl13mr27852578oeb.19.1397360365211; Sat, 12 Apr 2014 20:39:25 -0700 (PDT) Received: by 10.76.75.169 with HTTP; Sat, 12 Apr 2014 20:39:25 -0700 (PDT) In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> Date: Sat, 12 Apr 2014 20:39:25 -0700 Message-ID: From: Chuck Mortimore To: Mike Jones Content-Type: multipart/alternative; boundary=089e011764e9311f6504f6e45065 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/OEH8oCWwChgCPjyWffDJWcDXCSU Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 03:39:29 -0000 --089e011764e9311f6504f6e45065 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Not sure it it's common yet. The scenario I'm exploring is a client that is paired with a server. For example, a mobile app that's an OpenID Connect client that is sharing it's ID Token with the server. Both the client and server want to be able to prove possession without sharing a private key. -cmort On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones wr= ote: > Is having multiple confirmation keys a common case? I'd rather we "make > simple things simple" than build the most general solution possible. If = an > application really needs multiple confirmation keys, it can always define= d > a "jwks" element and the handling rules for it, and go for it... > > > > -- Mike > > > > *From:* Chuck Mortimore [mailto:cmortimore@salesforce.com] > *Sent:* Saturday, April 12, 2014 6:12 PM > *To:* Mike Jones > > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web > Tokens (JWTs) > > > > Good start here Mike! > > > > One quick question - I see the "cnf" member is defined as a JWK. Why not > a JWK Set? I could see use-cases for binding in multiple keys. > > > > -cmort > > > > > > > > On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones > wrote: > > I've written a concise Internet-Draft on proof-of-possession for JWTs wit= h > John Bradley and Hannes Tschofenig. Quoting from the abstract: > > > > *This specification defines how to express a declaration in a JSON Web > Token (JWT) that the presenter of the JWT possesses a particular key and > that the recipient can cryptographically confirm proof-of-possession of t= he > key by the presenter. This property is also sometimes described as the > presenter being a holder-of-key.* > > > > This specification intentionally does not specify the means of > communicating the proof-of-possession JWT, nor the messages used to > exercise the proof key, as these are necessarily application-specific. > Rather, this specification defines a proof-of-possession JWT data structu= re > to be used by other specifications that do define those things. > > > > The specification is available at: > > =B7 > http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00 > > > > An HTML formatted version is available at: > > =B7 > http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.htm= l > > > > -- Mike > > > > P.S. This note was also posted at http://self-issued.info/?p=3D1210 and = as > @selfissued. > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > --089e011764e9311f6504f6e45065 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Not sure it it's common yet.   The scenario I'= ;m exploring is a client that is paired with a server.     For ex= ample, a mobile app that's an OpenID Connect client that is sharing it&= #39;s ID Token with the server.   Both the client and server want to b= e able to prove possession without sharing a private key.   

-cmort 


<= div class=3D"gmail_quote">On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Is having multiple confir= mation keys a common case?  I’d rather we “make simple thi= ngs simple” than build the most general solution possible.  If a= n application really needs multiple confirmation keys, it can always defined a “jw= ks” element and the handling rules for it, and go for it…

 

    &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;     -- Mike

 

From: Chuck Mo= rtimore [mailto:cmortimore@salesforce.com]
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones


Cc: oauth@ietf.o= rg
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web T= okens (JWTs)

 

Good start here Mike!

 

One quick question - I see the "cnf" membe= r is defined as a JWK.  Why not a JWK Set?    I could see us= e-cases for binding in multiple keys.

 

-cmort

 

 

 <= /p>

On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones <Michael.Jones@m= icrosoft.com> wrote:

I’ve written a concise Internet-Draft on proof= -of-possession for JWTs with John Bradley and Hannes Tschofenig.  Quot= ing from the abstract:

 

This specification defines how to express a declaration in a JSON Web To= ken (JWT) that the presenter of the JWT possesses a particular key and that= the recipient can cryptographically confirm proof-of-possession of the key= by the presenter. This property is also sometimes described as the presenter being a holder-of-key.=

 

This specification intentionally does not specify th= e means of communicating the proof-of-possession JWT, nor the messages used= to exercise the proof key, as these are necessarily application-specific.  Rather, this specification defines a proof-of-= possession JWT data structure to be used by other specifications that do de= fine those things.

 

The specification is available at:

=B7        http://tools.ietf.org/html/draft-jones-oauth-= proof-of-possession-00

 

An HTML formatted version is available at:=

=B7        http://self-issued.info/docs/draft-jon= es-oauth-proof-of-possession-00.html

 

   &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;      -- Mike

 

P.S.  This note was also posted at http://self= -issued.info/?p=3D1210 and as @selfissued.

 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

 


--089e011764e9311f6504f6e45065-- From nobody Sat Apr 12 21:17:58 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E80451A01D3 for ; Sat, 12 Apr 2014 21:17:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_bebi-t9tv3 for ; Sat, 12 Apr 2014 21:17:54 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0185.outbound.protection.outlook.com [207.46.163.185]) by ietfa.amsl.com (Postfix) with ESMTP id A26011A01CD for ; Sat, 12 Apr 2014 21:17:53 -0700 (PDT) Received: from BY2PR03CA034.namprd03.prod.outlook.com (10.242.234.155) by BY2PR03MB026.namprd03.prod.outlook.com (10.255.240.40) with Microsoft SMTP Server (TLS) id 15.0.921.12; Sun, 13 Apr 2014 04:17:49 +0000 Received: from BL2FFO11FD032.protection.gbl (2a01:111:f400:7c09::105) by BY2PR03CA034.outlook.office365.com (2a01:111:e400:2c2c::27) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Sun, 13 Apr 2014 04:17:49 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD032.mail.protection.outlook.com (10.173.160.73) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sun, 13 Apr 2014 04:17:49 +0000 Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0174.002; Sun, 13 Apr 2014 04:17:30 +0000 From: Mike Jones To: Chuck Mortimore Thread-Topic: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) Thread-Index: Ac9OJMm2QQWqL+riTTewCyU8ts655AIkJjcAAATakwAAAEqKgAABT95w Date: Sun, 13 Apr 2014 04:17:29 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A15609B@TK5EX14MBXC286.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A15609BTK5EX14MBXC286r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(24454002)(189002)(199002)(377454003)(33656001)(92566001)(19300405004)(86362001)(92726001)(15202345003)(2009001)(86612001)(46102001)(85852003)(83072002)(80976001)(2656002)(66066001)(512954002)(87936001)(99396002)(76482001)(55846006)(80022001)(97736001)(77982001)(83322001)(4396001)(20776003)(19580395003)(19580405001)(79102001)(16236675002)(6806004)(81342001)(74502001)(50986999)(84326002)(71186001)(44976005)(54356999)(15975445006)(76176999)(84676001)(74662001)(85806002)(81542001)(31966008)(6606295002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB026; H:mail.microsoft.com; FPR:CE40D11E.9E3A52D9.B3D3BD49.4CF0F471.2039E; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 018093A9B5 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/YZAp7igB1zlwsKm77MkA7ixoxLg Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 04:17:57 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A15609BTK5EX14MBXC286r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Can you sketch out what data structures you'd ideally use for your scenario= and what the elements mean? From: Chuck Mortimore [mailto:cmortimore@salesforce.com] Sent: Saturday, April 12, 2014 8:39 PM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (= JWTs) Not sure it it's common yet. The scenario I'm exploring is a client that = is paired with a server. For example, a mobile app that's an OpenID Con= nect client that is sharing it's ID Token with the server. Both the clien= t and server want to be able to prove possession without sharing a private = key. -cmort On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones > wrote: Is having multiple confirmation keys a common case? I'd rather we "make si= mple things simple" than build the most general solution possible. If an a= pplication really needs multiple confirmation keys, it can always defined a= "jwks" element and the handling rules for it, and go for it... -- Mike From: Chuck Mortimore [mailto:cmortimore@salesforce.com] Sent: Saturday, April 12, 2014 6:12 PM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (= JWTs) Good start here Mike! One quick question - I see the "cnf" member is defined as a JWK. Why not a= JWK Set? I could see use-cases for binding in multiple keys. -cmort On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones > wrote: I've written a concise Internet-Draft on proof-of-possession for JWTs with = John Bradley and Hannes Tschofenig. Quoting from the abstract: This specification defines how to express a declaration in a JSON Web Token= (JWT) that the presenter of the JWT possesses a particular key and that th= e recipient can cryptographically confirm proof-of-possession of the key by= the presenter. This property is also sometimes described as the presenter = being a holder-of-key. This specification intentionally does not specify the means of communicatin= g the proof-of-possession JWT, nor the messages used to exercise the proof = key, as these are necessarily application-specific. Rather, this specifica= tion defines a proof-of-possession JWT data structure to be used by other s= pecifications that do define those things. The specification is available at: * http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-0= 0 An HTML formatted version is available at: * http://self-issued.info/docs/draft-jones-oauth-proof-of-possession= -00.html -- Mike P.S. This note was also posted at http://self-issued.info/?p=3D1210 and as= @selfissued. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_4E1F6AAD24975D4BA5B16804296739439A15609BTK5EX14MBXC286r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Can you sketch out what d= ata structures you’d ideally use for your scenario and what the eleme= nts mean?

 <= /p>

From: Chuck Mo= rtimore [mailto:cmortimore@salesforce.com]
Sent: Saturday, April 12, 2014 8:39 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web T= okens (JWTs)

 

Not sure it it's common yet.   The scenario I'm= exploring is a client that is paired with a server.     For exam= ple, a mobile app that's an OpenID Connect client that is sharing it's ID T= oken with the server.   Both the client and server want to be able to prove possession without sharing a private key.  &= nbsp;

 

-cmort 

 

On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones <Michael.Jones@= microsoft.com> wrote:

Is having multiple confirmation keys a = common case?  I’d rather we “make simple things simpleR= 21; than build the most general solution possible.  If an application really n= eeds multiple confirmation keys, it can always defined a “jwks”= element and the handling rules for it, and go for it…

 

      &nb= sp;            =             &nb= sp;            =             &nb= sp;   -- Mike

 

From: Chuck Mortimore [mailt= o:cmortimore= @salesforce.com]
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones


Cc: oauth@ietf.o= rg
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web T= okens (JWTs)

 

Good start here Mike!

 

One quick question - I see the "cnf" member is defined a= s a JWK.  Why not a JWK Set?    I could see use-cases for bi= nding in multiple keys.

 

-cmort

 

 

 

On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

I’ve written a concise Internet-Draft on proof-of-possession= for JWTs with John Bradley and Hannes Tschofenig.  Quoting from the a= bstract:

 

This specification defines how to express a declaration in a JSON Web To= ken (JWT) that the presenter of the JWT possesses a particular key and that= the recipient can cryptographically confirm proof-of-possession of the key= by the presenter. This property is also sometimes described as the presenter being a holder-of-key.

 

This specification intentionally does not specify the means of com= municating the proof-of-possession JWT, nor the messages used to exercise t= he proof key, as these are necessarily application-specific.  Rather, this specification defines a proof-of-= possession JWT data structure to be used by other specifications that do de= fine those things.

 

The specification is available at:

·        http://tools.ietf.org/html/draft-jones-oauth-= proof-of-possession-00

 

An HTML formatted version is available at:

·        http://self-issued.info/docs/draft-jon= es-oauth-proof-of-possession-00.html

 

      =             &nb= sp;            =             &nb= sp;            =     -- Mike

 

P.S.  This note was also posted at http://self= -issued.info/?p=3D1210 and as @selfissued.

 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

 

 

--_000_4E1F6AAD24975D4BA5B16804296739439A15609BTK5EX14MBXC286r_-- From nobody Sun Apr 13 08:16:55 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCAC01A02C6 for ; Sun, 13 Apr 2014 08:16:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzOz9Rcjf5O3 for ; Sun, 13 Apr 2014 08:16:47 -0700 (PDT) Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 6FED31A01C6 for ; Sun, 13 Apr 2014 08:16:47 -0700 (PDT) Received: by mail-qa0-f44.google.com with SMTP id hw13so7245854qab.31 for ; Sun, 13 Apr 2014 08:16:45 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=VWcjj/+fF81xFycqlD0QOCC0D70HQ0EABLMqB2IgX80=; b=e+GIuKmE/SDYVffPHQb7HFia3YOWNgLiJGhtMo5DogEztpDopp75N8zQN62AA/5aYw Xd1mlmeRn4MK3l7m6n1oLcsEGEiXlJ9tF24GKUNrsC9PrP+NBBCAMI4ri66/ugb7RjWW C/MqADEwbgHt8ovrQvx4+oauEXpAc8wvKVASkjOQXZeBJPlKFAe88ISg4e3/Hivs8cy3 g36WuFF6xB/1Yo44j01VYS3drUaKDlF59BypUY24m1nNLZexeaHur/oX3Q3TMV8SGyBu mmxSwyn1BMF/vGqOInwXl9EZzGYrx9RaiTw1zgXa3FlIx0R+p1xesGUgzpWy2ar/ykGP YKIQ== X-Gm-Message-State: ALoCoQke3+6l0SkdmsX4wLKK9TkgSPWxnJoINlXG1Tam27XY65c2NNxWG0VKyX4dOhFYEnMq9zN9 X-Received: by 10.224.13.7 with SMTP id z7mr14809851qaz.4.1397402204941; Sun, 13 Apr 2014 08:16:44 -0700 (PDT) Received: from [192.168.1.216] ([190.22.119.198]) by mx.google.com with ESMTPSA id g64sm16902822qgf.22.2014.04.13.08.16.36 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 13 Apr 2014 08:16:44 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_437D519A-6C52-4754-BEFD-3967911A4B13" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: Date: Sun, 13 Apr 2014 12:16:20 -0300 Message-Id: <1AAA2914-E5A6-448D-816B-8F4F657DD120@ve7jtb.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> To: Chuck Mortimore X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Wv7I8Y2NNPnQ6GxDzR7KH5dwmxU Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 15:16:52 -0000 --Apple-Mail=_437D519A-6C52-4754-BEFD-3967911A4B13 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 The client should request a second token for the server rather than try = and overload both into the same token. Or based on the first token the server should use that to exchange it = for one that has it's proof key. In general you want the requester to be able to prove that it has the = proof key, or the private key used to decrypt the proof key to get the = full benefit. I can see how having multiple entities able to present the token along = with multiple audiences in the token may seem like a simplification for = issuing tokens, but I would rather keep the basic model simple and go = hop by hop. I understand that may require a more REST STS like = capability than exists in the current token endpoint. On Apr 13, 2014, at 12:39 AM, Chuck Mortimore = wrote: > Not sure it it's common yet. The scenario I'm exploring is a client = that is paired with a server. For example, a mobile app that's an = OpenID Connect client that is sharing it's ID Token with the server. = Both the client and server want to be able to prove possession without = sharing a private key. =20 >=20 > -cmort=20 >=20 >=20 > On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones = wrote: > Is having multiple confirmation keys a common case? I=92d rather we = =93make simple things simple=94 than build the most general solution = possible. If an application really needs multiple confirmation keys, it = can always defined a =93jwks=94 element and the handling rules for it, = and go for it=85 >=20 > =20 >=20 > -- Mike >=20 > =20 >=20 > From: Chuck Mortimore [mailto:cmortimore@salesforce.com]=20 > Sent: Saturday, April 12, 2014 6:12 PM > To: Mike Jones >=20 >=20 > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web = Tokens (JWTs) >=20 > =20 >=20 > Good start here Mike! >=20 > =20 >=20 > One quick question - I see the "cnf" member is defined as a JWK. Why = not a JWK Set? I could see use-cases for binding in multiple keys. >=20 > =20 >=20 > -cmort >=20 > =20 >=20 > =20 >=20 > =20 >=20 > On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones = wrote: >=20 > I=92ve written a concise Internet-Draft on proof-of-possession for = JWTs with John Bradley and Hannes Tschofenig. Quoting from the = abstract: >=20 > =20 >=20 > This specification defines how to express a declaration in a JSON Web = Token (JWT) that the presenter of the JWT possesses a particular key and = that the recipient can cryptographically confirm proof-of-possession of = the key by the presenter. This property is also sometimes described as = the presenter being a holder-of-key. >=20 > =20 >=20 > This specification intentionally does not specify the means of = communicating the proof-of-possession JWT, nor the messages used to = exercise the proof key, as these are necessarily application-specific. = Rather, this specification defines a proof-of-possession JWT data = structure to be used by other specifications that do define those = things. >=20 > =20 >=20 > The specification is available at: >=20 > =B7 = http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00 >=20 > =20 >=20 > An HTML formatted version is available at: >=20 > =B7 = http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.html= >=20 > =20 >=20 > -- Mike >=20 > =20 >=20 > P.S. This note was also posted at http://self-issued.info/?p=3D1210 = and as @selfissued. >=20 > =20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 > =20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_437D519A-6C52-4754-BEFD-3967911A4B13 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 The = client should request a second token for the server rather than try and = overload both into the same token.

Or based on the first = token the server should use that to exchange it for one that has it's = proof key.

In general you want the requester to = be able to prove that it has the proof key, or the private key used to = decrypt the proof key to get the full = benefit.

I can see how having multiple entities = able to present the token along with multiple audiences in the token may = seem like a simplification for issuing tokens, but I would rather keep = the basic model simple and go hop by hop.   I understand that may = require a more REST STS like capability than exists in the current token = endpoint.


On Apr 13, = 2014, at 12:39 AM, Chuck Mortimore <cmortimore@salesforce.com>= ; wrote:

Not sure it it's common yet.   The = scenario I'm exploring is a client that is paired with a server.   =   For example, a mobile app that's an OpenID Connect client that is = sharing it's ID Token with the server.   Both the client and server = want to be able to prove possession without sharing a private key. =   

-cmort 


On Sat, Apr 12, = 2014 at 8:32 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Is having multiple confirmation keys a common = case?  I=92d rather we =93make simple things simple=94 than build = the most general solution possible.  If an application really needs multiple confirmation keys, it can always defined a =93jwks=94= element and the handling rules for it, and go for = it=85

 

        &nbs= p;            =             &n= bsp;           &nbs= p;            =   -- Mike

 

From: Chuck Mortimore [mailto:cmortimore@salesforce.com]
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones


Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON = Web Tokens (JWTs)

 

Good start here = Mike!

 

One quick question - I see the "cnf" member = is defined as a JWK.  Why not a JWK Set?    I could see = use-cases for binding in multiple keys.

 

-cmort

 

 

 

On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones = <Michael.Jones@microsoft.com> = wrote:

I=92ve written a concise Internet-Draft on = proof-of-possession for JWTs with John Bradley and Hannes = Tschofenig.  Quoting from the abstract:

 

This specification defines how to express a declaration in a JSON Web = Token (JWT) that the presenter of the JWT possesses a particular key and = that the recipient can cryptographically confirm proof-of-possession of = the key by the presenter. This property is also sometimes described as the presenter being a = holder-of-key.

 

This = specification intentionally does not specify the means of communicating = the proof-of-possession JWT, nor the messages used to exercise the proof = key, as these are necessarily application-specific.  Rather, this specification defines a = proof-of-possession JWT data structure to be used by other = specifications that do define those things.

 

The = specification is available at:

=B7        http://tools.ietf.org/html/draft-jones-oauth-proof-of-po= ssession-00

 

An = HTML formatted version is available at:

=B7        http://self-issued.info/docs/draft-jones-oauth-proof-of-= possession-00.html

 

        &n= bsp;           &nbs= p;            =             &n= bsp;           &nbs= p;  -- Mike

 

P.S.  This note was also posted at http://self-issued.info/?p=3D1210 and as = @selfissued.

 


_______________________________________________
OAuth mailing list
OAuth@ietf.org
= https://www.ietf.org/mailman/listinfo/oauth

 


_______________________________________________
OAuth mailing = list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_437D519A-6C52-4754-BEFD-3967911A4B13-- From nobody Sun Apr 13 08:34:57 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C5731A01DC for ; Sun, 13 Apr 2014 08:34:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aSqaC4JO3log for ; Sun, 13 Apr 2014 08:34:48 -0700 (PDT) Received: from mail-qa0-f42.google.com (mail-qa0-f42.google.com [209.85.216.42]) by ietfa.amsl.com (Postfix) with ESMTP id 368951A02CA for ; Sun, 13 Apr 2014 08:34:47 -0700 (PDT) Received: by mail-qa0-f42.google.com with SMTP id k15so7310106qaq.29 for ; Sun, 13 Apr 2014 08:34:45 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=BvMFSpN662h5zohgiRk5UdP3D9HvlgOQC2uVGzBhBho=; b=bqHMgjNWKUKYi+NYrXqXNRybq5yViRoYmaC8+2bndAOuhvLWsgs+Bh1mFmak8tTGM1 ZtlixxSC1QcrO3GVlA7iejHAQiUFO5FO1vbN8B5E3ejVOk6W5XzbdEoTeN5+KqbtdPjm 9N8XEu96oDrFzjYThD/vRRM/5N7wQfneqedFncmoHqeGT7iV2544tBzj3gGBT9T9AQxc K9eeS1QJ8pM2eXKihWuKtFraQWYtW0GreHuhrTvxOCcDjkgot0TABp91XAuxk/ZGWeZw 0REqmSAAEylb/Jw4aaNZto3M401X6ZTzctKIQmxguvPmLSik0QWXdMGtXKaWLJlqMj3+ NW4g== X-Gm-Message-State: ALoCoQmnYLa2G//TjNLTnxj26JI9gjKoCs8SWmePhDlDz/039brgGAOxsgwYWQAw6qRNC2c1Koo1 X-Received: by 10.140.16.198 with SMTP id 64mr41712726qgb.10.1397403285583; Sun, 13 Apr 2014 08:34:45 -0700 (PDT) Received: from [192.168.1.216] ([190.22.119.198]) by mx.google.com with ESMTPSA id k9sm25948631qat.18.2014.04.13.08.34.30 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 13 Apr 2014 08:34:45 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_8D4613E5-C4BB-45B3-BF88-CBF1487BCBAE" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A15609B@TK5EX14MBXC286.redmond.corp.microsoft.com> Date: Sun, 13 Apr 2014 12:34:04 -0300 Message-Id: References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A15609B@TK5EX14MBXC286.redmond.corp.microsoft.com> To: Michael Jones X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/iHre33HulhLZ3XD29dLV1GXMVns Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 15:34:53 -0000 --Apple-Mail=_8D4613E5-C4BB-45B3-BF88-CBF1487BCBAE Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 I think Chuck is largely referring to the scenario that Connect supports = for issuing id_tokens for 3rd parties but where the 3rd party also wants = a access token to access the API. This is similar to the Google Play / NAAPS use case, but with access = tokens using PoP back to the 1st party RS. Now using bearer tokens the native app can just pass the AT to a backend = server hand have it make calls to the RS. The AS is no wiser to the = activity. However PoP is designed to stop this sort of thing. As I think Chuck intimated, you could share the private key between the = app and the backend, but giving your servers private key to a app seems = like a good way to loose it. The alternatives are: 1 share keys (bad) 2 put multiple proof keys in the token (needs the keys to be pre = registered and ads complexity for symmetric keys. 3 Give client an assertion that can be used by the related backend to = get it's own AT, allowing the clients to have different client_id and = proof keys. (builds on Connect id_token used in jwt assertion flow) John B. On Apr 13, 2014, at 1:17 AM, Mike Jones = wrote: > Can you sketch out what data structures you=92d ideally use for your = scenario and what the elements mean? > =20 > From: Chuck Mortimore [mailto:cmortimore@salesforce.com]=20 > Sent: Saturday, April 12, 2014 8:39 PM > To: Mike Jones > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web = Tokens (JWTs) > =20 > Not sure it it's common yet. The scenario I'm exploring is a client = that is paired with a server. For example, a mobile app that's an = OpenID Connect client that is sharing it's ID Token with the server. = Both the client and server want to be able to prove possession without = sharing a private key. =20 > =20 > -cmort=20 > =20 >=20 > On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones = wrote: > Is having multiple confirmation keys a common case? I=92d rather we = =93make simple things simple=94 than build the most general solution = possible. If an application really needs multiple confirmation keys, it = can always defined a =93jwks=94 element and the handling rules for it, = and go for it=85 > =20 > -- Mike > =20 > From: Chuck Mortimore [mailto:cmortimore@salesforce.com]=20 > Sent: Saturday, April 12, 2014 6:12 PM > To: Mike Jones >=20 > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web = Tokens (JWTs) > =20 > Good start here Mike! > =20 > One quick question - I see the "cnf" member is defined as a JWK. Why = not a JWK Set? I could see use-cases for binding in multiple keys. > =20 > -cmort > =20 > =20 > =20 >=20 > On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones = wrote: > I=92ve written a concise Internet-Draft on proof-of-possession for = JWTs with John Bradley and Hannes Tschofenig. Quoting from the = abstract: > =20 > This specification defines how to express a declaration in a JSON Web = Token (JWT) that the presenter of the JWT possesses a particular key and = that the recipient can cryptographically confirm proof-of-possession of = the key by the presenter. This property is also sometimes described as = the presenter being a holder-of-key. > =20 > This specification intentionally does not specify the means of = communicating the proof-of-possession JWT, nor the messages used to = exercise the proof key, as these are necessarily application-specific. = Rather, this specification defines a proof-of-possession JWT data = structure to be used by other specifications that do define those = things. > =20 > The specification is available at: > =B7 = http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00 >=20 > =20 > An HTML formatted version is available at: > =B7 = http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.html= >=20 > =20 > -- Mike > =20 > P.S. This note was also posted at http://self-issued.info/?p=3D1210 = and as @selfissued. > =20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 > =20 > =20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_8D4613E5-C4BB-45B3-BF88-CBF1487BCBAE Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 I = think Chuck is largely referring to the scenario that Connect supports = for issuing id_tokens for 3rd parties but where the 3rd party also wants = a access token to access the API.

This is similar to = the Google Play / NAAPS use case, but with access tokens using PoP back = to the 1st party RS.

Now using bearer tokens = the native app can just pass the AT to a backend server hand have it = make calls to the RS.  The AS is no wiser to the = activity.
However PoP is designed to stop this sort of = thing.

As I think Chuck intimated, you could = share the private key between the app and the backend, but giving your = servers private key to a app seems like a good way to loose = it.

The alternatives are:
1 share = keys (bad)
2 put multiple proof keys in the token (needs the = keys to be pre registered and ads complexity for symmetric = keys.
3 Give client an assertion that can be used by the = related backend to get it's own AT, allowing the clients to have = different client_id and proof keys. (builds on Connect id_token used in = jwt assertion flow)

John = B.

On Apr 13, 2014, at 1:17 AM, Mike Jones = <Michael.Jones@microsoft.com> wrote:

Can you sketch out what data structures you=92d = ideally use for your scenario and what the elements = mean?
 
From: Chuck Mortimore [mailto:cmortimore@salesforce.com= ] 
Sent: Saturday, April 12, 2014 = 8:39 PM
To: Mike = Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] = Proof-Of-Possession Semantics for JSON Web Tokens = (JWTs)
 
Not = sure it it's common yet.   The scenario I'm exploring is a client = that is paired with a server.     For example, a mobile app = that's an OpenID Connect client that is sharing it's ID Token with the = server.   Both the client and server want to be able to prove = possession without sharing a private key. =   
 
-cmort 

 

On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones <Michael.Jones@microsoft.com> = wrote:
Is having multiple confirmation keys a common = case?  I=92d rather we =93make simple things simple=94 than build = the most general solution possible.  If an application really needs = multiple confirmation keys, it can always defined a =93jwks=94 element = and the handling rules for it, and go for = it=85
 
           &= nbsp;           &nb= sp;            = ;            &= nbsp;           -- = Mike
 
From: Chuck Mortimore [mailto:cmortimore@salesforce.com] 
Sent: Saturday, April 12, 2014 = 6:12 PM
To: Mike = Jones

Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] = Proof-Of-Possession Semantics for JSON Web Tokens = (JWTs)
 
Good = start here Mike!
 
One = quick question - I see the "cnf" member is defined as a JWK.  Why = not a JWK Set?    I could see use-cases for binding in = multiple keys.
 
-cmort
 
 

 

On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones <Michael.Jones@microsoft.com> = wrote:
I=92ve written = a concise Internet-Draft on proof-of-possession for JWTs with John = Bradley and Hannes Tschofenig.  Quoting from the = abstract:
 
This = specification defines how to express a declaration in a JSON Web Token = (JWT) that the presenter of the JWT possesses a particular key and that = the recipient can cryptographically confirm proof-of-possession of the = key by the presenter. This property is also sometimes described as the = presenter being a holder-of-key.
 
This = specification intentionally does not specify the means of communicating = the proof-of-possession JWT, nor the messages used to exercise the proof = key, as these are necessarily application-specific.  Rather, this = specification defines a proof-of-possession JWT data structure to be = used by other specifications that do define those = things.
 
The = specification is available at:

=B7        http://tools.ietf.org/html/draft-jones-oauth-proof-of-possessi= on-00

 
An HTML = formatted version is available at:

=B7        http://self-issued.info/docs/draft-jones-oauth-proof-of-posses= sion-00.html

 
           &= nbsp;           &nb= sp;            = ;            &= nbsp;           -- = Mike
 
P.S.  This = note was also posted at http://self-issued.info/?p=3D1210 and as = @selfissued.
 


_______________________________________________
OAuth = mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

=
 
 
_______________________________= ________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_8D4613E5-C4BB-45B3-BF88-CBF1487BCBAE-- From nobody Sun Apr 13 09:31:51 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5C711A01DA for ; Sun, 13 Apr 2014 09:31:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DqV7D5P8Q0J0 for ; Sun, 13 Apr 2014 09:31:44 -0700 (PDT) Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169]) by ietfa.amsl.com (Postfix) with ESMTP id 67B581A01DC for ; Sun, 13 Apr 2014 09:31:44 -0700 (PDT) Received: by mail-ob0-f169.google.com with SMTP id va2so8220170obc.0 for ; Sun, 13 Apr 2014 09:31:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=GVPQENbfZVwwPxw1CxrCcT2Hd6nbdTQ+aH5vWorPMOg=; b=ZJL5Ypc7JCQTSn7w7W21XqbHrwWPXs54lOskohazFCKP51kMI/XWm4/Ei7DXppbeA8 09UQFTBuozRqUGMjbmvzkJD0iprGCc/Uv3XagreGnJlWWtqMqAkn0y/MBnvbL5z+0aMT wDy+irrOK75Ef3pG2DUyaJXllmoGhpmB5GZIIwfvVm46tt6x6bxWcj1D3xFU7yBxwZ+/ eqhRIJnHaLZ+uExwg6bN1J1hmESWhchE7dhs4JaL8UPo+EntJ5Th9EzjFOx2caqDpQ5y ExV1FZLxHa/QGcgQYJv8arfc/3sRbyS44WP4/3RjX5Hu5OS40kBlNrl606lvmZgWtPnQ yaWg== X-Gm-Message-State: ALoCoQkIFx4dKHHCI96euoFQ0YD6gpehQFaunJ3TNFcl/6ZU64FRVt31P338XaBinCJ0iJf4LeZn MIME-Version: 1.0 X-Received: by 10.60.160.173 with SMTP id xl13mr30574936oeb.19.1397406702084; Sun, 13 Apr 2014 09:31:42 -0700 (PDT) Received: by 10.76.75.169 with HTTP; Sun, 13 Apr 2014 09:31:41 -0700 (PDT) In-Reply-To: References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A15609B@TK5EX14MBXC286.redmond.corp.microsoft.com> Date: Sun, 13 Apr 2014 09:31:41 -0700 Message-ID: From: Chuck Mortimore To: John Bradley Content-Type: multipart/alternative; boundary=089e011764e915b50404f6ef1ad7 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/yR4KUEidNLPUHr9BFWzbTheo6e8 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 16:31:49 -0000 --089e011764e915b50404f6ef1ad7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Yes - sounds about what I'm looking at For the scenario, we'd have a client talking to our authorization server that is also paired with it's own cloud backend. The cloud would have a certificate pre-reigstered with our authorization server, and the client would dynamically generate it's own public/private key. Both would be able to prove possession using their own keys without sharing. So to answer mike's data structure question, it would looks something like this 1) Client requests id token and in the authorization request it passes in its newly minted public key ( or perhaps a thumbprint but not covering that here) 2) Authorization server authorizes, and mints new id token as jwk set containing both the dynamically generated client key and also the cert for its server: { "iss": "https://login.salesforce.com", "sub": " https://login.salesforce.com/id/00D30000001bZxaEAE/00530000009UVC0AAO" "aud": "3MVG99OxTyEMCQ3gXuX31lysX3RQP4.Vj3EVzlMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBGPi= GyHhojZ2BE3", "exp": 1397352138, "iat": 1397352018, "cnf": { "keys":[ { "kty": "RSA", "n": "AKPBc9I142dEc-Srdk5sz9MVaJH_k....", "e": "AQAB", "alg": "RS256" }, { "x5c":["MIIDQjCCAi...."] } ] } } The id token can then be presented to something like our oauth token endpoint as an assertion by either the client application such as a mobile app, or the server infrastructure it's paired with. The client's key is client specific. The server's key is global for the application. No need to share between them, and the capabilities of the grant could vary. Proof would simply be constructing a JWT that signs the id token with the required key: outerheader.base64url(innerheader.body.innersignature).outersignature -cmort On Sun, Apr 13, 2014 at 8:34 AM, John Bradley wrote: > I think Chuck is largely referring to the scenario that Connect supports > for issuing id_tokens for 3rd parties but where the 3rd party also wants = a > access token to access the API. > > This is similar to the Google Play / NAAPS use case, but with access > tokens using PoP back to the 1st party RS. > > Now using bearer tokens the native app can just pass the AT to a backend > server hand have it make calls to the RS. The AS is no wiser to the > activity. > However PoP is designed to stop this sort of thing. > > As I think Chuck intimated, you could share the private key between the > app and the backend, but giving your servers private key to a app seems > like a good way to loose it. > > The alternatives are: > 1 share keys (bad) > 2 put multiple proof keys in the token (needs the keys to be pre > registered and ads complexity for symmetric keys. > 3 Give client an assertion that can be used by the related backend to get > it's own AT, allowing the clients to have different client_id and proof > keys. (builds on Connect id_token used in jwt assertion flow) > > John B. > > On Apr 13, 2014, at 1:17 AM, Mike Jones > wrote: > > Can you sketch out what data structures you'd ideally use for your > scenario and what the elements mean? > > *From:* Chuck Mortimore [mailto:cmortimore@salesforce.com > ] > *Sent:* Saturday, April 12, 2014 8:39 PM > *To:* Mike Jones > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web > Tokens (JWTs) > > Not sure it it's common yet. The scenario I'm exploring is a client tha= t > is paired with a server. For example, a mobile app that's an OpenID > Connect client that is sharing it's ID Token with the server. Both the > client and server want to be able to prove possession without sharing a > private key. > > -cmort > > > On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones > wrote: > Is having multiple confirmation keys a common case? I'd rather we "make > simple things simple" than build the most general solution possible. If = an > application really needs multiple confirmation keys, it can always define= d > a "jwks" element and the handling rules for it, and go for it... > > -- Mike > > *From:* Chuck Mortimore [mailto:cmortimore@salesforce.com] > *Sent:* Saturday, April 12, 2014 6:12 PM > *To:* Mike Jones > > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web > Tokens (JWTs) > > Good start here Mike! > > One quick question - I see the "cnf" member is defined as a JWK. Why not > a JWK Set? I could see use-cases for binding in multiple keys. > > -cmort > > > > > On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones > wrote: > I've written a concise Internet-Draft on proof-of-possession for JWTs wit= h > John Bradley and Hannes Tschofenig. Quoting from the abstract: > > *This specification defines how to express a declaration in a JSON Web > Token (JWT) that the presenter of the JWT possesses a particular key and > that the recipient can cryptographically confirm proof-of-possession of t= he > key by the presenter. This property is also sometimes described as the > presenter being a holder-of-key.* > > This specification intentionally does not specify the means of > communicating the proof-of-possession JWT, nor the messages used to > exercise the proof key, as these are necessarily application-specific. > Rather, this specification defines a proof-of-possession JWT data structu= re > to be used by other specifications that do define those things. > > The specification is available at: > > =B7 > http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00 > > An HTML formatted version is available at: > > =B7 > http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.htm= l > > -- Mike > > P.S. This note was also posted at http://self-issued.info/?p=3D1210 and = as > @selfissued. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > --089e011764e915b50404f6ef1ad7 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Yes - sounds about what I'm looking at

<= div>For the scenario, we'd have a client talking to our authorization s= erver that is also paired with it's own cloud backend.   The cloud= would have a certificate pre-reigstered with our authorization server, and= the client would dynamically generate it's own public/private key. &nb= sp;  Both would be able to prove possession using their own keys witho= ut sharing.    So to answer mike's data structure question, i= t would looks something like this

1) Client requests id token and in the authorization request= it passes in its newly minted public key ( or perhaps a thumbprint but not= covering that here) 

2) Authorization server author= izes, and mints new id token as jwk set containing both the dynamically gen= erated client key and also the cert for its server:

{
     "aud": "3MVG99OxTyEMCQ3gXuX31lysX3R= QP4.Vj3EVzlMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBGPiGyHhojZ2BE3",
     "exp": 1397352138,
    &= nbsp;"iat": 1397352018,
     "cnf":
  {
"= ;keys":[
{
"kty"= : "RSA",
= "n": "AKPBc9I142dEc-Srdk5sz9MVaJH_k....",
"e": "= ;AQAB",
"alg": "RS256"
},
{
"x5c":["M= IIDQjCCAi...."]        
}
]
}


The id token can then be presented to something like our oau= th token endpoint as an assertion by either the client application such as = a mobile app, or the server infrastructure it's paired with.   The= client's key is client specific.   The server's key is global= for the application.  No need to share between them, and the capabili= ties of the grant could vary.

Proof would simply be constructing a JWT that signs the= id token with the required key: outerheader.base64url(innerheader.body.inn= ersignature).outersignature

-cmort



On Sun, Apr 13, 2014 at 8:34 AM, John Bradley <ve7jtb@ve7jtb.com&= gt; wrote:
I think = Chuck is largely referring to the scenario that Connect supports for issuin= g id_tokens for 3rd parties but where the 3rd party also wants a access tok= en to access the API.

This is similar to the Google Play / NAAPS use case, but wit= h access tokens using PoP back to the 1st party RS.

Now using bearer tokens the native app can just pass the AT to a backend = server hand have it make calls to the RS.  The AS is no wiser to the a= ctivity.
However PoP is designed to stop this sort of thing.

As I think Chuck intimated, you could share the private key between = the app and the backend, but giving your servers private key to a app seems= like a good way to loose it.

The alternatives are:
1 share keys (bad)
2 put multiple proof keys in the token (needs the keys to be pre regi= stered and ads complexity for symmetric keys.
3 Give client an as= sertion that can be used by the related backend to get it's own AT, all= owing the clients to have different client_id and proof keys. (builds on Co= nnect id_token used in jwt assertion flow)

John B.

= On Apr 13, 2014, at 1:17 AM, Mike Jones <Michael.Jones@microsoft.com> wrote= :

Can you sketch out what data structures= you’d ideally use for your scenario and what the elements mean?
 
From:&nb= sp;Chuck Mortimore [mailto:cmortimore@salesforce.com] 
Sent: Saturday, April 12, 2014 8:39 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject:<= /b> Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON= Web Tokens (JWTs)
 
 
-cmort 

 

On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
<= div>
Is having multiple confirmation keys a commo= n case?  I’d rather we “make simple things simple” t= han build the most general solution possible.  If an application reall= y needs multiple confirmation keys, it can always defined a “jwks&rdq= uo; element and the handling rules for it, and go for it…<= /u>
 
           &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;           -- Mike
 
From: C= huck Mortimore [mailto:cmortimore@sa= lesforce.com] 
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones
I’ve written a concise Internet-Draft on = proof-of-possession for JWTs with John Bradley and Hannes Tschofenig. = Quoting from the abstract:
 
This specification defines how to express a declaration in a JSON Web= Token (JWT) that the presenter of the JWT possesses a particular key and t= hat the recipient can cryptographically confirm proof-of-possession of the = key by the presenter. This property is also sometimes described as the pres= enter being a holder-of-key.
 
Thi= s specification intentionally does not specify the means of communicating t= he proof-of-possession JWT, nor the messages used to exercise the proof key= , as these are necessarily application-specific.  Rather, this specifi= cation defines a proof-of-possession JWT data structure to be used by other= specifications that do define those things.
 
The= specification is available at:

=B7=         http://tools.ietf.org/html/draft-jones-oauth-proof-of-p= ossession-00

 
An = HTML formatted version is available at:

=B7=         http://self-issued.info/docs/draft-jones-oauth-p= roof-of-possession-00.html

 =
      =             &nb= sp;            =             &nb= sp;            =     -- Mike
 
P.S.  This note was a= lso posted at http:= //self-issued.info/?p=3D1210 and as @selfissued.
 


_______________________________________________
OAuth mailing listOAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

 
 
_____________________________________= __________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oau= th


--089e011764e915b50404f6ef1ad7-- From nobody Sun Apr 13 11:05:50 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 119FB1A02CC for ; Sun, 13 Apr 2014 11:05:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8zF9Zj2Cdm2o for ; Sun, 13 Apr 2014 11:05:42 -0700 (PDT) Received: from mail-ob0-f177.google.com (mail-ob0-f177.google.com [209.85.214.177]) by ietfa.amsl.com (Postfix) with ESMTP id B197E1A02C6 for ; Sun, 13 Apr 2014 11:05:42 -0700 (PDT) Received: by mail-ob0-f177.google.com with SMTP id wo20so7934836obc.36 for ; Sun, 13 Apr 2014 11:05:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Zx/STjoGi2rNa2HPEqWye2438uDpDfoCV5QI7a4YWXA=; b=aEEK2cLy7nGcSXrsUabziHTSOv4XKOG+blFdZmysZxeXdKYD+MuDEwHK0o2hR/EEbL FFr+omYTFtVaVvBva3PwZvGSiJ5/W4cRD5H2PpGE6JYE/IM3+Dk9NeTk/olRHGBfNYe2 stPfUK+nYDJOqKLaVpxPEqfgo/DdUdyO4A6GiWU6hgmZHCMLclHfH8igNgQbgGXpilmc 8b8EFditrzCkJKG4iwb5lMa+BiS8ZvXT6Kw39inHIIWGBKyfXu8y7kPbrMXLnjwolsFy MEQMkxHsIJ7OxAdlClrV2paATx/Jncp9x30pGg/mch1bV3DkZI7+OOVrZMeBHrQLS8F4 sboQ== X-Gm-Message-State: ALoCoQkYZJQZyeH0R5rVYh19DYlxRQnbI6VtYywXfnTWKwwg5DaGg5NAwUFmOrO0F7vgOzQsHxOz MIME-Version: 1.0 X-Received: by 10.60.50.197 with SMTP id e5mr30744140oeo.39.1397412340322; Sun, 13 Apr 2014 11:05:40 -0700 (PDT) Received: by 10.76.75.169 with HTTP; Sun, 13 Apr 2014 11:05:40 -0700 (PDT) In-Reply-To: References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A15609B@TK5EX14MBXC286.redmond.corp.microsoft.com> Date: Sun, 13 Apr 2014 11:05:40 -0700 Message-ID: From: Chuck Mortimore To: John Bradley Content-Type: multipart/alternative; boundary=001a11c2ed6c2663ad04f6f06af2 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GfAXqwQZbpIQrokfwLgQBhi02TI Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 18:05:49 -0000 --001a11c2ed6c2663ad04f6f06af2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Was also trying to work through what this would look like with thumbnails. Does this sounds right? 1) Client generates a private / public key 2) Client calculates a public key thumbprint like this: http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00 For example for this key {"e":"AQAB","kty":"RSA","n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2 aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCi FV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65Y GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n 91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_x BniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"} You'd arrive at: NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs 3) Client passes the thumbprint in an oauth authorization request as a parameter "jkt=3DNzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" 4) Authorization server constructs an id_token like this: { "iss": "https://login.salesforce.com", "sub": " https://login.salesforce.com/id/00D30000001bZxaEAE/00530000009UVC0AAO" "aud": "3MVG99OxTyEMCQ3gXuX31lysX3RQP4.Vj3EVzlMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBGPi= GyHhojZ2BE3", "exp": 1397352138, "iat": 1397352018, "nbf": 1397352018, "cnf":{ "jwk":{ "jkt": "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" } } } 5) This ID Token can then be passed by the client or a delegate with the key to the token endpoint via JWT bearer flow and prove possession by constructing a JWT that looks like this: {"alg":"RS256"} . { "jwk":{ "kty": "RSA", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2 aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCi FV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65Y GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n 91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_x BniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw", "e": "AQAB" } "pop": "base64url encoded id token", } . signture with private key When this is posted as a JWT bearer assertion, the token endpoint a) verifies that the outer signature matches the public key, b) that the public key matches the thumbprint signed into the inner id token, and c) that the signature on the id token is valid. It can than act as then issue a token response for the sub of the inner id token Look correct? -cmort On Sun, Apr 13, 2014 at 9:31 AM, Chuck Mortimore wrote: > Yes - sounds about what I'm looking at > > For the scenario, we'd have a client talking to our authorization server > that is also paired with it's own cloud backend. The cloud would have a > certificate pre-reigstered with our authorization server, and the client > would dynamically generate it's own public/private key. Both would be > able to prove possession using their own keys without sharing. So to > answer mike's data structure question, it would looks something like this > > 1) Client requests id token and in the authorization request it passes in > its newly minted public key ( or perhaps a thumbprint but not covering th= at > here) > > 2) Authorization server authorizes, and mints new id token as jwk set > containing both the dynamically generated client key and also the cert fo= r > its server: > > { > "iss": "https://login.salesforce.com", > "sub": " > https://login.salesforce.com/id/00D30000001bZxaEAE/00530000009UVC0AAO" > "aud": > "3MVG99OxTyEMCQ3gXuX31lysX3RQP4.Vj3EVzlMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBG= PiGyHhojZ2BE3", > "exp": 1397352138, > "iat": 1397352018, > "cnf": > { > "keys":[ > { > "kty": "RSA", > "n": "AKPBc9I142dEc-Srdk5sz9MVaJH_k....", > "e": "AQAB", > "alg": "RS256" > }, > { > "x5c":["MIIDQjCCAi...."] > } > ] > } > } > > > The id token can then be presented to something like our oauth token > endpoint as an assertion by either the client application such as a mobil= e > app, or the server infrastructure it's paired with. The client's key is > client specific. The server's key is global for the application. No ne= ed > to share between them, and the capabilities of the grant could vary. > > Proof would simply be constructing a JWT that signs the id token with the > required key: > outerheader.base64url(innerheader.body.innersignature).outersignature > > -cmort > > > > On Sun, Apr 13, 2014 at 8:34 AM, John Bradley wrote: > >> I think Chuck is largely referring to the scenario that Connect supports >> for issuing id_tokens for 3rd parties but where the 3rd party also wants= a >> access token to access the API. >> >> This is similar to the Google Play / NAAPS use case, but with access >> tokens using PoP back to the 1st party RS. >> >> Now using bearer tokens the native app can just pass the AT to a backend >> server hand have it make calls to the RS. The AS is no wiser to the >> activity. >> However PoP is designed to stop this sort of thing. >> >> As I think Chuck intimated, you could share the private key between the >> app and the backend, but giving your servers private key to a app seems >> like a good way to loose it. >> >> The alternatives are: >> 1 share keys (bad) >> 2 put multiple proof keys in the token (needs the keys to be pre >> registered and ads complexity for symmetric keys. >> 3 Give client an assertion that can be used by the related backend to ge= t >> it's own AT, allowing the clients to have different client_id and proof >> keys. (builds on Connect id_token used in jwt assertion flow) >> >> John B. >> >> On Apr 13, 2014, at 1:17 AM, Mike Jones >> wrote: >> >> Can you sketch out what data structures you'd ideally use for your >> scenario and what the elements mean? >> >> *From:* Chuck Mortimore [mailto:cmortimore@salesforce.com >> ] >> *Sent:* Saturday, April 12, 2014 8:39 PM >> *To:* Mike Jones >> *Cc:* oauth@ietf.org >> *Subject:* Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web >> Tokens (JWTs) >> >> Not sure it it's common yet. The scenario I'm exploring is a client >> that is paired with a server. For example, a mobile app that's an >> OpenID Connect client that is sharing it's ID Token with the server. B= oth >> the client and server want to be able to prove possession without sharin= g a >> private key. >> >> -cmort >> >> >> On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones >> wrote: >> Is having multiple confirmation keys a common case? I'd rather we "make >> simple things simple" than build the most general solution possible. If= an >> application really needs multiple confirmation keys, it can always defin= ed >> a "jwks" element and the handling rules for it, and go for it... >> >> -- Mike >> >> *From:* Chuck Mortimore [mailto:cmortimore@salesforce.com] >> *Sent:* Saturday, April 12, 2014 6:12 PM >> *To:* Mike Jones >> >> *Cc:* oauth@ietf.org >> *Subject:* Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web >> Tokens (JWTs) >> >> Good start here Mike! >> >> One quick question - I see the "cnf" member is defined as a JWK. Why no= t >> a JWK Set? I could see use-cases for binding in multiple keys. >> >> -cmort >> >> >> >> >> On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones >> wrote: >> I've written a concise Internet-Draft on proof-of-possession for JWTs >> with John Bradley and Hannes Tschofenig. Quoting from the abstract: >> >> *This specification defines how to express a declaration in a JSON Web >> Token (JWT) that the presenter of the JWT possesses a particular key and >> that the recipient can cryptographically confirm proof-of-possession of = the >> key by the presenter. This property is also sometimes described as the >> presenter being a holder-of-key.* >> >> This specification intentionally does not specify the means of >> communicating the proof-of-possession JWT, nor the messages used to >> exercise the proof key, as these are necessarily application-specific. >> Rather, this specification defines a proof-of-possession JWT data struct= ure >> to be used by other specifications that do define those things. >> >> The specification is available at: >> >> =B7 >> http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00 >> >> An HTML formatted version is available at: >> >> =B7 >> http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.ht= ml >> >> -- Mike >> >> P.S. This note was also posted at http://self-issued.info/?p=3D1210 and >> as @selfissued. >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> > --001a11c2ed6c2663ad04f6f06af2 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Was also trying to work through what this would look like = with thumbnails.    Does this sounds right?

1) Client = generates a private / public key


2) Client = calculates a public key thumbprint like this:  http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00<= /span>=


For examp= le for this key


{"e&= quot;:"AQAB","kty":"RSA","n":"= 0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2
    aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_= BJECPebWKRXjBZCi
    FV4n3oknjhMstn64tZ_= 2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65Y
  =   GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajr= n1n
    91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcR= wr3XPksINHaQ-G_x
    BniIqbw0Ls1jF44-csF= Cur-kEgU8awapJzKnqDKgw"}


You&rsquo= ;d arrive  at: NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs

<= br>=

3) Client= passes the thumbprint in an oauth authorization request as a parameter &ld= quo;jkt=3DNzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs”


4) Author= ization server constructs an id_token like this:


{<= /p>

=  &nb= sp;  "iss": "https://login.salesforce.com",

=  &nb= sp;  "sub": "https://login.salesforce.com/i= d/00D30000001bZxaEAE/00530000009UVC0AAO"

=  &nb= sp;  "aud": "3MVG99OxTyEMCQ3gXuX31lysX3RQP4.Vj3EVz= lMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBGPiGyHhojZ2BE3",

=  &nb= sp;  "exp": 1397352138,

=  &nb= sp;  "iat": 1397352018,

=  &nb= sp;  "nbf": 1397352018,

=  &nb= sp;  "cnf":{

=    "jwk"= :{

=  &nb= sp;            =             &qu= ot;jkt": “NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs”

}

= }

= } <= /p>

5) This ID= Token can then be passed by the client or a delegate with the key to the t= oken endpoint via JWT bearer flow and prove possession by constructing a JW= T that looks like this:


{"al= g":"RS256"}

= .

= {

=  &nb= sp;  "jwk":{

= "kty": "RSA",<= /span>

= "n": "0vx7agoebGcQS= uuPiLJXZptN9nndrQmbXEps2
    aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_= BJECPebWKRXjBZCi
    FV4n3oknjhMstn64tZ_= 2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65Y
  =   GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajr= n1n
    91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcR= wr3XPksINHaQ-G_x
    BniIqbw0Ls1jF44-csF= Cur-kEgU8awapJzKnqDKgw",

<= /span>"e": "AQAB"

=  &nb= sp;  }

=  &nb= sp;  "pop": "base64url encoded id token",

= }

= .

= signture w= ith private key


When this= is posted as a JWT bearer assertion, the token endpoint 

a) verifies that the outer signature matches the = public key, b) that the public key matches the thumbprint signed into the i= nner id token, and c) that the signature on the id token is valid.  &n= bsp;It can than act as then issue a token response for the sub of the inner= id token

Look correct?

-cmort



On Sun, Apr 13, 2014 at 9:31 AM, Chuck Mortimore <cmorti= more@salesforce.com> wrote:
Yes - sounds about what I&#= 39;m looking at

For the scenario, we'd have a client= talking to our authorization server that is also paired with it's own = cloud backend.   The cloud would have a certificate pre-reigstered wit= h our authorization server, and the client would dynamically generate it= 9;s own public/private key.    Both would be able to prove posses= sion using their own keys without sharing.    So to answer mike&#= 39;s data structure question, it would looks something like this

1) Client requests id token and in the authorization request= it passes in its newly minted public key ( or perhaps a thumbprint but not= covering that here) 

2) Authorization server author= izes, and mints new id token as jwk set containing both the dynamically gen= erated client key and also the cert for its server:

{
     "iss": &= quot;https://log= in.salesforce.com",
     "aud": "3MVG99OxTyEMCQ3gXuX31lysX3R= QP4.Vj3EVzlMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBGPiGyHhojZ2BE3",
     "exp": 1397352138,
    &= nbsp;"iat": 1397352018,
     "cnf":
  {
=
"keys":[
{
"kty": &quo= t;RSA",
&qu= ot;n": "AKPBc9I142dEc-Srdk5sz9MVaJH_k....",
"e": "AQAB&= quot;,
"alg= ": "RS256"
= },
{
"x5c":["MIIDQjCCAi...= ."]      =   
}
]
}


The id token can then be presented to something like our oau= th token endpoint as an assertion by either the client application such as = a mobile app, or the server infrastructure it's paired with.   The= client's key is client specific.   The server's key is global= for the application.  No need to share between them, and the capabili= ties of the grant could vary.

Proof would simply be constructing a JWT that signs the= id token with the required key: outerheader.base64url(innerheader.body.inn= ersignature).outersignature

-cmort



On Sun, Apr 13, 2014 at 8:34 A= M, John Bradley <ve7jtb@ve7jtb.com> wrote:
I think = Chuck is largely referring to the scenario that Connect supports for issuin= g id_tokens for 3rd parties but where the 3rd party also wants a access tok= en to access the API.

This is similar to the Google Play / NAAPS use case, but wit= h access tokens using PoP back to the 1st party RS.

Now using bearer tokens the native app can just pass the AT to a backend = server hand have it make calls to the RS.  The AS is no wiser to the a= ctivity.
However PoP is designed to stop this sort of thing.

As I think Chuck intimated, you could share the private key between = the app and the backend, but giving your servers private key to a app seems= like a good way to loose it.

The alternatives are:
1 share keys (bad)
2 put multiple proof keys in the token (needs the keys to be pre regi= stered and ads complexity for symmetric keys.
3 Give client an as= sertion that can be used by the related backend to get it's own AT, all= owing the clients to have different client_id and proof keys. (builds on Co= nnect id_token used in jwt assertion flow)

John B.

On Apr 13, 20= 14, at 1:17 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Can you sketch out what data structures= you’d ideally use for your scenario and what the elements mean?
 
From:&nb= sp;Chuck Mortimore [mailto:cmortimore@salesforce.com] 
Sent: Saturday, April 12, 2014 8:39 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject:<= /b> Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON= Web Tokens (JWTs)
 
 
-cmort 

 

On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
<= div>
Is having multiple confirmation keys a commo= n case?  I’d rather we “make simple things simple” t= han build the most general solution possible.  If an application reall= y needs multiple confirmation keys, it can always defined a “jwks&rdq= uo; element and the handling rules for it, and go for it…<= /u>
 
           &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;           -- Mike
 
From: C= huck Mortimore [mailto:cmortimore@sa= lesforce.com] 
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones
I’ve written a concise Internet-Draft on = proof-of-possession for JWTs with John Bradley and Hannes Tschofenig. = Quoting from the abstract:
 
This specification defines how to express a declaration in a JSON Web= Token (JWT) that the presenter of the JWT possesses a particular key and t= hat the recipient can cryptographically confirm proof-of-possession of the = key by the presenter. This property is also sometimes described as the pres= enter being a holder-of-key.
 
Thi= s specification intentionally does not specify the means of communicating t= he proof-of-possession JWT, nor the messages used to exercise the proof key= , as these are necessarily application-specific.  Rather, this specifi= cation defines a proof-of-possession JWT data structure to be used by other= specifications that do define those things.
 
The= specification is available at:

=B7=         http://tools.ietf.org/html/draft-jones-oauth-proof-of-p= ossession-00

 
An = HTML formatted version is available at:

=B7=         http://self-issued.info/docs/draft-jones-oauth-p= roof-of-possession-00.html

 =
      =             &nb= sp;            =             &nb= sp;            =     -- Mike
 
P.S.  This note was a= lso posted at http:= //self-issued.info/?p=3D1210 and as @selfissued.
 


_______________________________________________
OAuth mailing listOAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

 
 
_____________________________________= __________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oau= th



--001a11c2ed6c2663ad04f6f06af2-- From nobody Sun Apr 13 13:00:10 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BBCD1A0221 for ; Sun, 13 Apr 2014 13:00:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SuHmRIKadfsG for ; Sun, 13 Apr 2014 13:00:03 -0700 (PDT) Received: from mail-qg0-f48.google.com (mail-qg0-f48.google.com [209.85.192.48]) by ietfa.amsl.com (Postfix) with ESMTP id 04FCA1A021D for ; Sun, 13 Apr 2014 13:00:02 -0700 (PDT) Received: by mail-qg0-f48.google.com with SMTP id z60so488395qgd.7 for ; Sun, 13 Apr 2014 13:00:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=UHQnk0yiuQmJeKgfwgMlqwjHxdCzY8450WrPY1rddGE=; b=P7lvnjL0mZ2YpsNormNLczsrht8Dl6wYEIQv+IGYx5+Fqn/dGmzSQR+dASNockCITq gVifz0s8wsnc4wuQzLZuBwV/JOFQ1BxaSKnSD6zK2CoNBqQHxjDRXqRMS52QJTJ4Boyy jn2j9ZpuoEsAPkDIlExEVo/e7pyh5S0leyjjxQUyzjhsMlF8eoUN+OouY9ReNHqVaALi TBlEE9q8oXzTOW5d63suDrKKExMQUY8W97aPFL2kOA+sxkF/e6vCTP4S68kPNmdh6Chw 8JEIfYa7zskgSr3qM7R/nuu32ac5V4ZV9axoCV5R6Q/o/jdNFIv3RY4Q27ValFMVQ3Ex QP6Q== X-Gm-Message-State: ALoCoQnvPrlkGXPVFChVlvnR/+jZTj4vRU50ww968u4zO48tzZ4qyxxOHAUvhWVNt5oTnGLh8zai X-Received: by 10.224.119.141 with SMTP id z13mr14420100qaq.48.1397419200427; Sun, 13 Apr 2014 13:00:00 -0700 (PDT) Received: from [192.168.1.216] ([190.22.32.162]) by mx.google.com with ESMTPSA id c61sm17685581qgf.15.2014.04.13.12.58.58 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 13 Apr 2014 13:00:00 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_DF0562C2-38EA-4C5A-B0B4-E6933DFFE11A" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: Date: Sun, 13 Apr 2014 16:57:50 -0300 Message-Id: <222ED748-B291-4E1F-BF26-54072EAF696F@ve7jtb.com> References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439A15609B@TK5EX14MBXC286.redmond.corp.microsoft.com> To: Chuck Mortimore X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/EBhE4CQlyBan1bYomKttlDrGV_A Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Apr 2014 20:00:08 -0000 --Apple-Mail=_DF0562C2-38EA-4C5A-B0B4-E6933DFFE11A Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 That is one way it might be done. Sending the thumbprint in the authorization request is similar to sec = 2.2 https://tools.ietf.org/html/draft-sakimura-oauth-tcse-02 I have always thought of that spec as wanting to be a a proof of = possession for code. So in the case where the AS and the token endpoint are in the same = security domain this is really just a code flow with the thumbprint in = "code_challenge" or "jkt" Then uses the assertion flow to authenticate as you describe. For native apps this avoids per instance registration and gets you = almost all the benefits of a private client. Nothing stops you from making code a JWT and passing the thumbprint to = the Token endpoint statelesly. =20 The token endpoint can then use the same pattern for generating the = refresh token and on down to the access token. We want to separate the logical parts to document: 1 the format of the JWT itself 2 Getting a pop token and key establishment 3 using a PoP token at a RS 4 PoP presentment at the token endpoint for code and refresh. (I think = it is important, but some think it is low priority, In OAuth people = have mostly been thinking about PoP at the RS) As you point out with the JWT assertion flow PoP is posable for clients = that are otherwise public with a bit of profiling. The format you propose is similar to = http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 If you = mix in PoP. =20 Perhaps it is just a "urn:ietf:params:oauth:grant-type:jwt-pop" = grant_type where code is used as the pop value in your example. =20 If we were talking about Connect then yes we might use the id_token = returned, but for the id_token with the client as the aud I hope we can = eventually have the user agent provide a proof key once we have web = crypto available. So overloading the id_token may not be as simple as = just treating the value of code as an assertion that can be a = JWT/SAML/or reference. John B. On Apr 13, 2014, at 3:05 PM, Chuck Mortimore = wrote > Was also trying to work through what this would look like with = thumbnails. Does this sounds right? >=20 >=20 > 1) Client generates a private / public key >=20 > 2) Client calculates a public key thumbprint like this: = http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00 >=20 > For example for this key >=20 > {"e":"AQAB","kty":"RSA","n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2 >=20 > = aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCi > = FV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65Y > = GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n >=20 > = 91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_x > BniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"} >=20 > You=92d arrive at: NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs >=20 > 3) Client passes the thumbprint in an oauth authorization request as = a parameter =93jkt=3DNzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs=94 >=20 > 4) Authorization server constructs an id_token like this: >=20 > { > "iss": "https://login.salesforce.com", > "sub": = "https://login.salesforce.com/id/00D30000001bZxaEAE/00530000009UVC0AAO" > "aud": = "3MVG99OxTyEMCQ3gXuX31lysX3RQP4.Vj3EVzlMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBGP= iGyHhojZ2BE3", > "exp": 1397352138, > "iat": 1397352018, > "nbf": 1397352018, > "cnf":{ > "jwk":{ > "jkt": = =93NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs=94 > } > } > }=20 >=20 >=20 > 5) This ID Token can then be passed by the client or a delegate with = the key to the token endpoint via JWT bearer flow and prove possession = by constructing a JWT that looks like this: >=20 > {"alg":"RS256"} > . > { > "jwk":{ > "kty": "RSA", > "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2 >=20 > = aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCi > = FV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65Y > = GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n >=20 > = 91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_x > BniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw", > "e": "AQAB" > } > "pop": "base64url encoded id token", > } > . > signture with private key >=20 > When this is posted as a JWT bearer assertion, the token endpoint=20 >=20 > a) verifies that the outer signature matches the public key, b) that = the public key matches the thumbprint signed into the inner id token, = and c) that the signature on the id token is valid. It can than act as = then issue a token response for the sub of the inner id token >=20 > Look correct? >=20 > -cmort >=20 >=20 >=20 > On Sun, Apr 13, 2014 at 9:31 AM, Chuck Mortimore = wrote: > Yes - sounds about what I'm looking at >=20 > For the scenario, we'd have a client talking to our authorization = server that is also paired with it's own cloud backend. The cloud = would have a certificate pre-reigstered with our authorization server, = and the client would dynamically generate it's own public/private key. = Both would be able to prove possession using their own keys without = sharing. So to answer mike's data structure question, it would looks = something like this >=20 > 1) Client requests id token and in the authorization request it passes = in its newly minted public key ( or perhaps a thumbprint but not = covering that here)=20 >=20 > 2) Authorization server authorizes, and mints new id token as jwk set = containing both the dynamically generated client key and also the cert = for its server: >=20 > { > "iss": "https://login.salesforce.com", > "sub": = "https://login.salesforce.com/id/00D30000001bZxaEAE/00530000009UVC0AAO" > "aud": = "3MVG99OxTyEMCQ3gXuX31lysX3RQP4.Vj3EVzlMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBGP= iGyHhojZ2BE3", > "exp": 1397352138, > "iat": 1397352018, > "cnf": > { > "keys":[ > { > "kty": "RSA", > "n": = "AKPBc9I142dEc-Srdk5sz9MVaJH_k....", > "e": "AQAB", > "alg": "RS256" > }, > { > "x5c":["MIIDQjCCAi...."] = =20 > } > ] > } > }=20 >=20 >=20 > The id token can then be presented to something like our oauth token = endpoint as an assertion by either the client application such as a = mobile app, or the server infrastructure it's paired with. The = client's key is client specific. The server's key is global for the = application. No need to share between them, and the capabilities of the = grant could vary. >=20 > Proof would simply be constructing a JWT that signs the id token with = the required key: = outerheader.base64url(innerheader.body.innersignature).outersignature >=20 > -cmort >=20 >=20 >=20 > On Sun, Apr 13, 2014 at 8:34 AM, John Bradley = wrote: > I think Chuck is largely referring to the scenario that Connect = supports for issuing id_tokens for 3rd parties but where the 3rd party = also wants a access token to access the API. >=20 > This is similar to the Google Play / NAAPS use case, but with access = tokens using PoP back to the 1st party RS. >=20 > Now using bearer tokens the native app can just pass the AT to a = backend server hand have it make calls to the RS. The AS is no wiser to = the activity. > However PoP is designed to stop this sort of thing. >=20 > As I think Chuck intimated, you could share the private key between = the app and the backend, but giving your servers private key to a app = seems like a good way to loose it. >=20 > The alternatives are: > 1 share keys (bad) > 2 put multiple proof keys in the token (needs the keys to be pre = registered and ads complexity for symmetric keys. > 3 Give client an assertion that can be used by the related backend to = get it's own AT, allowing the clients to have different client_id and = proof keys. (builds on Connect id_token used in jwt assertion flow) >=20 > John B. >=20 > On Apr 13, 2014, at 1:17 AM, Mike Jones = wrote: >=20 >> Can you sketch out what data structures you=92d ideally use for your = scenario and what the elements mean? >> =20 >> From: Chuck Mortimore [mailto:cmortimore@salesforce.com]=20 >> Sent: Saturday, April 12, 2014 8:39 PM >> To: Mike Jones >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web = Tokens (JWTs) >> =20 >> Not sure it it's common yet. The scenario I'm exploring is a client = that is paired with a server. For example, a mobile app that's an = OpenID Connect client that is sharing it's ID Token with the server. = Both the client and server want to be able to prove possession without = sharing a private key. =20 >> =20 >> -cmort=20 >> =20 >>=20 >> On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones = wrote: >> Is having multiple confirmation keys a common case? I=92d rather we = =93make simple things simple=94 than build the most general solution = possible. If an application really needs multiple confirmation keys, it = can always defined a =93jwks=94 element and the handling rules for it, = and go for it=85 >> =20 >> -- Mike >> =20 >> From: Chuck Mortimore [mailto:cmortimore@salesforce.com]=20 >> Sent: Saturday, April 12, 2014 6:12 PM >> To: Mike Jones >>=20 >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web = Tokens (JWTs) >> =20 >> Good start here Mike! >> =20 >> One quick question - I see the "cnf" member is defined as a JWK. Why = not a JWK Set? I could see use-cases for binding in multiple keys. >> =20 >> -cmort >> =20 >> =20 >> =20 >>=20 >> On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones = wrote: >> I=92ve written a concise Internet-Draft on proof-of-possession for = JWTs with John Bradley and Hannes Tschofenig. Quoting from the = abstract: >> =20 >> This specification defines how to express a declaration in a JSON Web = Token (JWT) that the presenter of the JWT possesses a particular key and = that the recipient can cryptographically confirm proof-of-possession of = the key by the presenter. This property is also sometimes described as = the presenter being a holder-of-key. >> =20 >> This specification intentionally does not specify the means of = communicating the proof-of-possession JWT, nor the messages used to = exercise the proof key, as these are necessarily application-specific. = Rather, this specification defines a proof-of-possession JWT data = structure to be used by other specifications that do define those = things. >> =20 >> The specification is available at: >> =B7 = http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00 >>=20 >> =20 >> An HTML formatted version is available at: >> =B7 = http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.html= >>=20 >> =20 >> -- Mike >> =20 >> P.S. This note was also posted at http://self-issued.info/?p=3D1210 = and as @selfissued. >> =20 >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >>=20 >> =20 >> =20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 >=20 --Apple-Mail=_DF0562C2-38EA-4C5A-B0B4-E6933DFFE11A Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 That = is one way it might be done.

Sending the thumbprint = in the authorization request is similar to sec 2.2 https://= tools.ietf.org/html/draft-sakimura-oauth-tcse-02

<= div>I have always thought of that spec as wanting to be a a proof of = possession for code.

So in the case where the = AS and the token endpoint are in the same security domain this is really = just a code flow with the thumbprint in "code_challenge" or "jkt"
Then uses the assertion = flow to authenticate as you describe.

For = native apps this avoids per instance registration and gets you almost = all the benefits of a private client.

Nothing = stops you from making code a JWT and passing the thumbprint to the Token = endpoint statelesly.  
The token endpoint can then use = the same pattern for generating the refresh token and on down to the = access token.

We want to separate the logical = parts to document:
1  the format of the JWT = itself
2 Getting a pop token and key establishment
3 = using a PoP token at a RS
4 PoP presentment at the token = endpoint for code and refresh. (I think it is important, but some think = it is low priority,  In OAuth people have mostly been thinking = about PoP at the RS)

As you point out with the = JWT assertion flow PoP is posable for clients that are otherwise public = with a bit of profiling.

The format you propose = is similar to ht= tp://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 =  If you mix in PoP.  

Perhaps it is = just a "urn:ietf:params:oauth:grant-type:jwt-pop" grant_type where code = is used as the pop value in your example.  
If we = were talking about Connect then yes we might use the id_token returned, = but for the id_token with the client as the aud I hope we can eventually = have the user agent provide a proof key once we have web crypto = available.  So overloading the id_token may not be as simple as = just treating the value of code as an assertion that can be a = JWT/SAML/or reference.

John = B.


On Apr 13, 2014, at = 3:05 PM, Chuck Mortimore <cmortimore@salesforce.com>= ; wrote

Was also trying to work through what this = would look like with thumbnails.    Does this sounds = right?


1) Client = generates a private / public key

2) Client = calculates a public key thumbprint like this:  http:= //tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00

For example for this key

{"e":"AQAB","kty":"RSA","n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXE= ps2
=     aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_= BJECPebWKRXjBZCi
=     FV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5= w6Cf0h4QyQ5v-65Y
=     GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHz= u6qMQvRL5hajrn1n
=     91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcR= wr3XPksINHaQ-G_x
=     BniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"}=

You=92d = arrive  at: = NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs

3) = Client passes the thumbprint in an oauth authorization request as a = parameter =93jkt=3DNzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs=94
4) Authorization server constructs an id_token like = this:

{
    "iss": "https://login.salesforce.com",<= /span>
    "aud": = "3MVG99OxTyEMCQ3gXuX31lysX3RQP4.Vj3EVzlMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBGP= iGyHhojZ2BE3",
    "exp": = 1397352138,
    "iat": = 1397352018,
    "nbf": = 1397352018,
=     "cnf":{
=    "jwk":{
=             &n= bsp;           &nbs= p; "jkt": = =93NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs=94
}
}
} =


5) This = ID Token can then be passed by the client or a delegate with the key to = the token endpoint via JWT bearer flow and prove possession by = constructing a JWT that looks like this:

{"alg":"RS256"}
.
{
=     "jwk":{
"kty": "RSA",
"n": = "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2
=     aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_= BJECPebWKRXjBZCi
=     FV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5= w6Cf0h4QyQ5v-65Y
=     GjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHz= u6qMQvRL5hajrn1n
=     91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcR= wr3XPksINHaQ-G_x
=     BniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",=
"e": = "AQAB"
    }
=     "pop": "base64url encoded id = token",
}
.
signture with private key

When this is posted as a JWT bearer assertion, the token = endpoint 

a) verifies that the outer signature = matches the public key, b) that the public key matches the thumbprint = signed into the inner id token, and c) that the signature on the id = token is valid.   It can than act as then issue a token = response for the sub of the inner id token

Look = correct?

-cmort

<= div class=3D"gmail_extra">

On Sun, Apr = 13, 2014 at 9:31 AM, Chuck Mortimore <cmortimore@salesforce.com> wrote:
Yes - = sounds about what I'm looking at

For the scenario, = we'd have a client talking to our authorization server that is also = paired with it's own cloud backend.   The cloud would have a = certificate pre-reigstered with our authorization server, and the client = would dynamically generate it's own public/private key.   =  Both would be able to prove possession using their own keys = without sharing.    So to answer mike's data structure = question, it would looks something like this

1) Client requests id token and in the authorization = request it passes in its newly minted public key ( or perhaps a = thumbprint but not covering that here) 

2) = Authorization server authorizes, and mints new id token as jwk set = containing both the dynamically generated client key and also the cert = for its server:

{
     "aud": = "3MVG99OxTyEMCQ3gXuX31lysX3RQP4.Vj3EVzlMsVbxFvUe7VjZ0WcjWvGlAU7BPJFZBSyBGP= iGyHhojZ2BE3",
     "exp": = 1397352138,
     "iat": 1397352018,
     "cnf":
=   = {
= "keys":[
= {
= "kty": "RSA",
= "n": = "AKPBc9I142dEc-Srdk5sz9MVaJH_k....",
= "e": "AQAB",
= "alg": "RS256"
},
= {
= "x5c":["MIIDQjCCAi...."]      =   
= }
= ]
= }


The id token can then be presented to something like our = oauth token endpoint as an assertion by either the client application = such as a mobile app, or the server infrastructure it's paired with. =   The client's key is client specific.   The server's key is = global for the application.  No need to share between them, and the = capabilities of the grant could vary.

Proof would simply be constructing a JWT that signs = the id token with the required key: = outerheader.base64url(innerheader.body.innersignature).outersignature

-cmort



On Sun, Apr 13, = 2014 at 8:34 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
I think Chuck is largely referring to the = scenario that Connect supports for issuing id_tokens for 3rd parties but = where the 3rd party also wants a access token to access the API.

This is similar to the Google Play / NAAPS use case, but = with access tokens using PoP back to the 1st party = RS.

Now using bearer tokens the native app can = just pass the AT to a backend server hand have it make calls to the RS. =  The AS is no wiser to the activity.
However PoP is designed to stop this sort of = thing.

As I think Chuck intimated, you could = share the private key between the app and the backend, but giving your = servers private key to a app seems like a good way to loose it.

The alternatives are:
1 share keys = (bad)
2 put multiple proof keys in the token (needs the keys = to be pre registered and ads complexity for symmetric keys.
3 = Give client an assertion that can be used by the related backend to get = it's own AT, allowing the clients to have different client_id and proof = keys. (builds on Connect id_token used in jwt assertion flow)

John B.

On Apr 13, 2014, at = 1:17 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Can you sketch out what data structures you=92d ideally use for your = scenario and what the elements mean?
 
From: = Chuck Mortimore [mailto:cmortimore@salesforce.com] =
Sent: Saturday, April 12, 2014 8:39 = PM
To: Mike = Jones
Cc: oauth@ietf.org
Subject: = Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens = (JWTs)
 
Not = sure it it's common yet.   The scenario I'm exploring is a client = that is paired with a server.     For example, a mobile app = that's an OpenID Connect client that is sharing it's ID Token with the = server.   Both the client and server want to be able to prove = possession without sharing a private key. =   
 
-cmort 

 

On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones <Michael.Jones@microsoft.com> = wrote:
Is having multiple confirmation keys a common case?  I=92d = rather we =93make simple things simple=94 than build the most general = solution possible.  If an application really needs multiple = confirmation keys, it can always defined a =93jwks=94 element and the = handling rules for it, and go for it=85
 
            = ;            &= nbsp;           &nb= sp;            = ;           -- = Mike
 
From: = Chuck Mortimore [mailto:cmortimore@salesforce.com] 
Sent: Saturday, April 12, 2014 6:12 = PM
To: Mike = Jones

Cc: oauth@ietf.org
Subject: = Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens = (JWTs)
 
Good start here Mike!
 
One quick question - I see the "cnf" member is defined as a JWK. =  Why not a JWK Set?    I could see use-cases for binding = in multiple keys.
 
-cmort
 
 

 

On Tue, Apr = 1, 2014 at 8:36 PM, Mike Jones <Michael.Jones@microsoft.com> = wrote:
I=92ve = written a concise Internet-Draft on proof-of-possession for JWTs with = John Bradley and Hannes Tschofenig.  Quoting from the = abstract:
 
This specification defines how to express a declaration = in a JSON Web Token (JWT) that the presenter of the JWT possesses a = particular key and that the recipient can cryptographically confirm = proof-of-possession of the key by the presenter. This property is also = sometimes described as the presenter being a = holder-of-key.
 
This = specification intentionally does not specify the means of communicating = the proof-of-possession JWT, nor the messages used to exercise the proof = key, as these are necessarily application-specific.  Rather, this = specification defines a proof-of-possession JWT data structure to be = used by other specifications that do define those = things.
 
The = specification is available at:

=B7       &n= bsp;http://tools.ietf.org/html/draft-jones-oauth-proof-of-po= ssession-00

 
An HTML = formatted version is available at:

=B7       &n= bsp;http://self-issued.info/docs/draft-jones-oauth-proof-of-= possession-00.html

 
       = ;            &= nbsp;           &nb= sp;            = ;            &= nbsp;   -- Mike
 
P.S.  = This note was also posted at http://self-issued.info/?p=3D1210 = and as @selfissued.
 


_______________________________________________
OAuth mailing = list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

 
=  
____________________________________= ___________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




= --Apple-Mail=_DF0562C2-38EA-4C5A-B0B4-E6933DFFE11A-- From nobody Sun Apr 20 03:14:32 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39F331A010D for ; Sun, 20 Apr 2014 03:14:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.151 X-Spam-Level: X-Spam-Status: No, score=-0.151 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3XHyJNsZaP2h for ; Sun, 20 Apr 2014 03:14:24 -0700 (PDT) Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.103]) by ietfa.amsl.com (Postfix) with ESMTP id 83A7D1A007F for ; Sun, 20 Apr 2014 03:14:13 -0700 (PDT) Received: from [79.253.6.217] (helo=[192.168.71.87]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from ) id 1WbolD-0006mc-B9; Sun, 20 Apr 2014 12:14:07 +0200 Message-ID: <53539DF1.4020103@lodderstedt.net> Date: Sun, 20 Apr 2014 12:14:09 +0200 From: Torsten Lodderstedt User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hannes Tschofenig , "oauth@ietf.org" References: <533E77C3.9000509@gmx.net> In-Reply-To: <533E77C3.9000509@gmx.net> Content-Type: multipart/alternative; boundary="------------020202000003070804010703" X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ= Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/sTy8xJNG_WjB8O8yiu5W3LwRmwk Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Apr 2014 10:14:28 -0000 This is a multi-part message in MIME format. --------------020202000003070804010703 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi all, I also believe both documents should be merged. Nevertheless, here are my comments on the current drafts: * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 1.2. Terminology " Multiple instances of the same piece of client software MAY use the same Client ID value at an authorization server, provided that the Redirection URI values and potentially other values dictated by authorization server policy are the same for all instances." Which entity determines whether the same client id is used for different instances? Given the current protocol design, I would assume it is at the discretion of the authz server. Other opinions? "Software Statement ... It may also be accepted by some authorization servers directly as a Client ID value, without prior registration." under which circumstances does an authz server accept a software statement as client_id? How does the client know? I think the idea is valuable but needs much more text in order to come up with an interoperable protocol design. 1.3. Protocol Flow Initial Access Token vs. Software Statement: In my opinion, those concepts are two different ways to authorize client registration. Although there are the typical differences between tokens and assertions (such as opaque content vs. defined syntax), I feel software statements could supersede initial access tokens. Thoughts? 2. Client Metadata "redirect_uris ... It is RECOMMENDED that clients using these flows register this parameter, and an authorization server SHOULD require ..." I consider this a rather weak statement - does this foster interop? Why not requiring registration of redirect_uris for all clients using web-based grant types. last paragraph: "If the same client metadata name is present in both locations, the value in the software statement SHOULD take precedence." why not MUST? 3. Software Statement Is there a need to require a certain signature method for JWTs used as software statement (interop)? JWT itself requires "HMAC" and "none", which both are of no or limited value in this context. RSA is just recommended by the JWT spec. 5.1 "If a software statement was used as part of the registration, its value SHOULD be returned in the response and its value MUST be returned if the authorization server supports registration management operations [OAuth.Registration.Management] that would require its presence in subsequent operations." I don't get the connection between software statements and the management API. In the management API spec, I only found a reference to software statements in the introduction. Should this text just be removed? 5.2 error codes - invalid_client_metadata I consider this underspecified. How is the client supposed to react if this error occurs? I would expect the authz server to give more detailed information regarding error conditions, e.g. notify the client if particular requested grant types are not supported. Otherwise, the client cannot handle those error differently. * OAuth 2.0 Dynamic Client Registration Metadata http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 I would suggest to add "jwks" (as defined in http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata) in order to support native clients. regards, Torsten. Am 04.04.2014 11:13, schrieb Hannes Tschofenig: > Hi all, > > This is a Last Call for comments on the dynamic client registration > documents: > > * OAuth 2.0 Dynamic Client Registration Core Protocol > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 > > * OAuth 2.0 Dynamic Client Registration Metadata > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 > > Since we have to do the last call for these two documents together we > are setting the call for **3 weeks**. > > Please have your comments in no later than April 25th. > > Ciao > Hannes & Derek > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------020202000003070804010703 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Hi all,

I also believe both documents should be merged.

Nevertheless, here are my comments on the current drafts:

*  OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

1.2.  Terminology

 " Multiple instances of the same piece of client software MAY use
      the same Client ID value at an authorization server, provided that
      the Redirection URI values and potentially other values dictated
      by authorization server policy are the same for all instances."

Which entity determines whether the same client id is used for different instances? Given the current protocol design, I would assume it is at the discretion of the authz server. Other opinions?

"Software Statement ... It may also be accepted by some authorization servers
      directly as a Client ID value, without prior registration."

under which circumstances does an authz server accept a software statement as client_id? How does the client know? I think the idea is valuable but needs much more text in order to come up with an interoperable protocol design.

1.3. Protocol Flow

Initial Access Token vs. Software Statement: In my opinion, those concepts are two different ways to authorize client registration. Although there are the typical differences between tokens and assertions (such as opaque content vs. defined syntax), I feel software statements could supersede initial access tokens.
Thoughts?

2.  Client Metadata

"redirect_uris  ...  It is
      RECOMMENDED that clients using these flows register this
      parameter, and an authorization server SHOULD require ..."

I consider this a rather weak statement - does this foster interop? Why not requiring registration of redirect_uris for all clients using web-based grant types.

last paragraph:
"If the same client metadata name is present in both
   locations, the value in the software statement SHOULD take
   precedence."

why not MUST?

3.  Software Statement

Is there a need to require a certain signature method for JWTs used as software statement (interop)? JWT itself requires "HMAC" and "none", which both are of no or limited value in this context. RSA is just recommended by the JWT spec.

5.1

"If a software statement was used as part of the registration, its
   value SHOULD be returned in the response and its value MUST be
   returned if the authorization server supports registration management
   operations [OAuth.Registration.Management] that would require its
   presence in subsequent operations."

I don't get the connection between software statements and the management API. In the management API spec, I only found a reference to software statements in the introduction. Should this text just be removed?

5.2

error codes - invalid_client_metadata

I consider this underspecified. How is the client supposed to react if this error occurs? I would expect the authz server to give more detailed information regarding error conditions, e.g. notify the client if particular requested grant types are not supported. Otherwise, the client cannot handle those error differently.

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00

I would suggest to add "jwks" (as defined in http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata) in order to support native clients.

regards,
Torsten.

Am 04.04.2014 11:13, schrieb Hannes Tschofenig:
Hi all,

This is a Last Call for comments on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00

Since we have to do the last call for these two documents together we
are setting the call for **3 weeks**.

Please have your comments in no later than April 25th.

Ciao
Hannes & Derek




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------020202000003070804010703-- From nobody Wed Apr 23 01:41:38 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 949F61A0134 for ; Wed, 23 Apr 2014 01:41:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.273 X-Spam-Level: X-Spam-Status: No, score=-0.273 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LLmuHrzoPdWx for ; Wed, 23 Apr 2014 01:41:33 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id E2CD91A012E for ; Wed, 23 Apr 2014 01:41:32 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M8JyQ-1WpaIp21WU-00vtSS; Wed, 23 Apr 2014 10:41:25 +0200 Message-ID: <53577C32.5060604@gmx.net> Date: Wed, 23 Apr 2014 10:39:14 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Mike Jones , oauth mailing list References: <1373E8CE237FCC43BCA36C6558612D2AA347D1@USCHMBX001.nsn-intra.net> <4E1F6AAD24975D4BA5B16804296739439A0A956A@TK5EX14MBXC286.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A0A956A@TK5EX14MBXC286.redmond.corp.microsoft.com> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="PSPTctst4rODBX7iGeVHMPIPdP0NShqWG" X-Provags-ID: V03:K0:VMwxkKEilhHf/lLRFPmleivsi1WAcy7aEiIM07nXz2vJQ9m362o 4eGO+ATdhbsscEk4FelhLdHZokvOJOIdBHrwdXKQCv00uBRgWT7vYKxEdUXoQ7wMFw6g4Fj zwSt7FRmGOR3oz9TuldX4HdWXpkOtuGxsarGb4l7aVwyuF2xwg7VMuRSwGr2PCqPuIPrBwN 6i3qFKtSJQ5RzuivpHLpw== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/HQu9bO_KjaShzfnCz90pKAp9dxA Subject: Re: [OAUTH-WG] My review of draft-ietf-oauth-json-web-token-11 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 08:41:37 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --PSPTctst4rODBX7iGeVHMPIPdP0NShqWG Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable Hi Mike, thanks for the clarifications. My comments are addressed. Ciao Hannes On 03/03/2014 11:22 PM, Mike Jones wrote: > Hi Hannes, >=20 > =20 >=20 > My replies to your comments follow in-line. Thanks again for writing > these up. >=20 > =20 >=20 > -- Mike >=20 > =20 >=20 > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Tschofenig, Hannes (NSN - FI/Espoo) > Sent: Thursday, September 12, 2013 1:07 AM > To: oauth mailing list > Subject: [OAUTH-WG] My review of draft-ietf-oauth-json-web-token-11 >=20 > =20 >=20 > Hi Mike, Hi all, >=20 > =20 >=20 > As part of preparing the shepherd write-up I have read the draft and > here are a few comments. >=20 > =20 >=20 > In general, the draft looks good. The comments are fairly minor. >=20 > =20 >=20 > 1. Section 4: JWT Claims >=20 > =20 >=20 > In the first paragraph you write: >=20 > " >=20 > The Claim Names within a JWT Claims Set MUST be unique; recipients MUST= > either reject JWTs with duplicate Claim Names or use a JSON parser that= > returns only the lexically last duplicate member name " >=20 > =20 >=20 > I think what you want to write here is that the sender of a JWT must > ensure that the claims are unique. If a JWT is, however, received with > non-unique claims then some decision must be taken. You list two choice= s > and I am wondering why not just have one. Let's just reject the JWT if > that happens to ensure consistent behavior. >=20 > =20 >=20 > This was extensively discussed within JOSE and the language used is the= > same. Ideally, yes, we=92d reject duplicate names, but both the old an= d > new JSON specs allow duplication, so if we=92re to use existing deploye= d > parsers, that isn=92t really a practical option. (We used to require > rejection of duplicate names, but objections were raised to that.) >=20 > =20 >=20 > I believe it might be good to clarify that unique here means that claim= s > may appear more than once in a JWT but you are concerned about having > two claims that actually have a different semantic. Correct? >=20 > =20 >=20 > No, the issue is that either parsers will only return one (they will > overwrite each other) or duplicates will cause a parsing error.=20 > Therefore, for things to always work regardless of parser, producers > can=92t include any duplicates. >=20 > =20 >=20 > You write: "However, in the absence of such requirements, all claims > that are not understood by implementations SHOULD be ignored." >=20 > =20 >=20 > The 'SHOULD' is not good enough here. Either you ignore claims that you= > don't understand or you do something else. Since there does not seem to= > be a way to declare claims as "critical" to understand I suggest to tur= n > this into a MUST. >=20 > =20 >=20 > Agreed. I made this change in -18. >=20 > =20 >=20 > With every claim you add "Use of this claim is OPTIONAL.". I would > suggest to move that sentence to the front and avoid repeating it with > every claim. In fact you have that necessary sentence currently in > Section 4.1 "None of the claims defined below are intended to be > mandatory to use, but rather, provide a starting point for a set of > useful, interoperable claims." >=20 > =20 >=20 > For what it=92s worth, Jim Schaad had requested the opposite =96 that t= he > =93OPTIONAL=94 statements be on a per-name basis =96 so each definition= could > be easily read in isolation. >=20 > =20 >=20 > Since you describe the "use" there is obviously the question about the > "implementation". So, what claims in this document are mandatory to > implement? All? None? >=20 > =20 >=20 > None. It=92s up to the application what claims are MTI for its use cas= e.=20 > I added text clarifying this. >=20 > =20 >=20 > Claim Types: You distinguish between three types of claims, namely > Reserved Claim Names, Public Claim Names, and Private Claim Names. >=20 > =20 >=20 > - Reserved claims are those that are registered with IANA. >=20 > - Public Claims are (interestingly enough) also registered via IANA or= > use a Collision Resistant Namespace. >=20 > - Private Claims are those that may produce collisions >=20 > =20 >=20 > Clear I would suggest to change the definition of a public claim. Let's= > just call the claims that are registered via IANA reserved claims. >=20 > =20 >=20 > =93Reserved=94 was changed to =93registered=94, both here and in JOSE, = as a > result of review comments from both working groups. >=20 > =20 >=20 > I also wonder why we need private claims at all when it is so easy to > construct public claims? >=20 > =20 >=20 > In practice, people will use unregistered names in some contexts.=20 > (There was a 1/2 hour presentation in AppsAWG today about this very > thing!) Given we really can=92t prevent this and it will happen, it=92= s > better to clearly describe the downsides and alternatives than to > pretend that private names won=92t be used. At least this way, people > will have been warned about the consequences of their choices. >=20 > =20 >=20 > Section 4.1.1: "iss" (Issuer) Claim >=20 > =20 >=20 > You write: >=20 > " >=20 > The iss (issuer) claim identifies the principal that issued the JWT. Th= e > processing of this claim is generally application specific. >=20 > " >=20 > =20 >=20 > Would it be useful to say what people use this claim for. It might also= > be useful to indicate that this value cannot be relied on for any trust= > or access control decisions without proper cryptographic assurance. I > can already see people who base their security decisions on this value > without any relationship to the actual crypto of the JWT. So, one might= > wonder what the relationship of the crypto and the iss claim is. >=20 > =20 >=20 > I added language about making trust decisions in the Security > Considerations section. Did you have particular language in mind about= > what the claim is used for, beyond stating that it identifies the issue= r? >=20 > =20 >=20 > Section 4.1.3: "aud" (Audience) Claim >=20 > =20 >=20 > You write: >=20 > " >=20 > The aud (audience) claim identifies the audiences that the JWT is > intended for. >=20 > " >=20 > =20 >=20 > That's not a good description. You could instead write: "The aud > (audience) claim identifies the recipient the JWT is intended for." >=20 > =20 >=20 > Agreed =96 done. >=20 > =20 >=20 > You write: >=20 > " >=20 > In the special case when the JWT has one audience, the aud value MAY be= > a single case sensitive string containing a StringOrURI value. >=20 > " >=20 > =20 >=20 > Shouldn't this read: >=20 > " >=20 > In the special case when the JWT has one audience, the aud value is a > single case sensitive string containing a StringOrURI value. >=20 > " >=20 > =20 >=20 > No =96 because either =93aud=94:=94foo=94 or =93aud=94:[=93foo=94] are = legal and mean the > same thing. >=20 > =20 >=20 > Section 4.1.8. "typ" (Type) Claim >=20 > =20 >=20 > You write: >=20 > " >=20 > The typ (type) claim MAY be used to declare a type for the contents of > this JWT Claims Set in an application-specific manner in contexts where= > this is useful to the application. The typ value is a case sensitive > string. Use of this claim is OPTIONAL. >=20 > =20 >=20 > The values used for the typ claim come from the same value space as the= > typ header parameter, with the same rules applying. >=20 > " >=20 > =20 >=20 > I believe the first sentence should say: "The typ (type) claim is used > to declare a type for the contents of this JWT Claims Set ....". I don'= t > understand what the "MAY" here was supposed to indicate since if it doe= s > not declare the type of the claims then what else does it do? >=20 > =20 >=20 > Why is the typ claim actually there when there is already the same clai= m > in the header? >=20 > =20 >=20 > The =93typ=94 claim was removed as part of the JOSE change to use MIME = type > names for =93typ=94 and =93cty=94 header parameter values. >=20 > Section 5.1. "typ" (Type) Header Parameter >=20 > =20 >=20 > You write: >=20 > " >=20 > The typ (type) header parameter MAY be used to declare the type of this= > JWT in an application-specific manner in contexts where this is useful > to the application. This parameter has no effect upon the JWT > processing. If present, it is RECOMMENDED that its value be either JWT > or urn:ietf:params:oauth:token-type:jwt to indicate that this object is= > a JWT. >=20 > " >=20 > =20 >=20 > Here again I would write: " The typ (type) header parameter is used to > declare the type of this JWT in an application-specific manner in > contexts where this is useful to the application." >=20 > =20 >=20 > Why doesn't this value have any impact on the processing? It appears to= > be useless? Would it be good to mandate that it is set to JWT or > urn:ietf:params:oauth:token-type:jwt when the content is a JWT? Why do > you leave two options for what the value is set to? Why would anyone us= e > the longer string? >=20 > =20 >=20 > The URN value was removed as part of the JOSE change to use MIME type > names for =93typ=94 and =93cty=94 header parameter values. >=20 > =20 >=20 > Section 5.2. "cty" (Content Type) Header Parameter >=20 > =20 >=20 > What is the relationship between cty and typ? >=20 > =20 >=20 > As described in the JOSE specs that define them, =93typ=94 is the type = of > the entire object, whereas =93cty=94 is the type of the message contain= ed in > the JWS or JWE. Both are now MIME type values. =93cty=94 is used by J= WTs > in the specific way specified whereas =93typ=94 can be used as needed b= y > applications using JWTs. >=20 > =20 >=20 > Section 5.3. Replicating Claims as Header Parameters >=20 > =20 >=20 > I am not sure why you would want to have encryption of the claims and > then again include them in cleartext. That would defeat the purpose of > encryption. Then, you could as well just provide them in cleartext (onl= y > signed, for example). >=20 > =20 >=20 > Putting the sub value into the header does not seem to be a good idea > since this may be personal data. >=20 > =20 >=20 > This showed up in a use case that Dick Hardt had, in which case he > wanted to route the contents of the JWT to the recipient without being > able to read the contents of the JWT itself. In his case, there was an= > intermediary handling the JWT that did not have the decryption key. >=20 > =20 >=20 > It=92s application-specific whether the audience is private information= or > not. >=20 > =20 >=20 > Putting these fields into the header in general does not strike me as a= > good idea since you loose the ability to sign these values. They will b= e > exposed to all security threats since they cannot be protected. Why not= > use a nested JWT instead? >=20 > =20 >=20 > They are still integrity-protected, because JWE uses only authenticated= > encryption. They are protected from tampering or alteration. >=20 > =20 >=20 > The 'SHOULD' in this sentence particularly makes me nervous: "If such > replicated Claims are present, the application receiving them SHOULD > verify that their values are identical." This essentially means that if= > you have protected claims and someone adds unprotected stuff into the > header it may mean that an application would accept that. Not a good id= ea! >=20 > =20 >=20 > Per the above, you can=92t add stuff, because of the authenticated > encryption used. >=20 > =20 >=20 > Section 6 Plaintext JWTs >=20 > =20 >=20 > Why do we want plaintext JWTs? I thought that the threat analysis > concluded that sending this stuff of information around without any > security protection is a bad idea. >=20 > =20 >=20 > The JWT can either be cryptographically protected by a signature and/or= > encryption in the JWT itself or by signature and/or encryption of a dat= a > structure in which the JWT is conveyed. For instance, if it is returne= d > from an OAuth Token Endpoint, it is integrity protected by the channel=92= s > use of TLS and so may not need to be signed and/or encrypted in some > application contexts. OpenID Connect uses this capability in several > places, for instance, as does Phil Hunt=92s OAuth Authentication draft.= >=20 > =20 >=20 > Section 7. Rules for Creating and Validating a JWT >=20 > =20 >=20 > I am curious why this section is so extensive given that we are > essentially just applying JWS and JWE here. Wouldn't a pointer to the > JWS/JWE spec be sufficient? >=20 > =20 >=20 > It=92s longer because the JWT adds two things: First, the contents can= be > either a JWS or JWE, and so there=92s logic described for the slightly > different actions taken in the two cases. Second, the JWT can be > nested, so the logic for nesting and detecting nested JWTs is defined. = > It **does** just rely on JWS and JWE for the creation and verification > aspects of the JWS and JWE aspects of JWTs. >=20 > =20 >=20 > That said, I did remove a step that was actually a pure duplication of = a > corresponding JWS/JWE step. >=20 > =20 >=20 > Ciao >=20 > Hannes >=20 > =20 >=20 > =20 >=20 > =20 >=20 > =20 >=20 > =20 >=20 > =20 >=20 > _______________________________________________ >=20 > OAuth mailing list >=20 > OAuth@ietf.org >=20 > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 --PSPTctst4rODBX7iGeVHMPIPdP0NShqWG Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTV3wyAAoJEGhJURNOOiAt2gQH/RaTr8TmeCyMBMMr5aPiBzrO yQnQ3ad8I6TWhOgfgfIH0FgnLptA8K3MzixhyUTL+rRQnhIwXKB57fQxa48WRDlD DLpQgejT7Nvq/XTHckvrxMBwD2yDINLXThrw9yB7rjbbr4Q+7VVGRTe61+m4exVk wv2A5jrjB/996ca4FXZQbFt4+b9sLrmSdFYUAX3pIM71LE4acPE+I4czTbbLd79n ufocID9piFJZylU2fr5d5k6ro7A4dVp8itj9EcXS2jMGekBC0ObQfV+yfHsu4QCg gn+8r8rWbPDQqpQgrSWc0xsL7t+pJ/rdU3zbMYXgLPzMDGch4OHVcFDXhCEIZ0E= =jeg6 -----END PGP SIGNATURE----- --PSPTctst4rODBX7iGeVHMPIPdP0NShqWG-- From nobody Wed Apr 23 01:42:07 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 084D01A013A for ; Wed, 23 Apr 2014 01:42:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1K7W7nSQQgjw for ; Wed, 23 Apr 2014 01:41:55 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 4F1181A0139 for ; Wed, 23 Apr 2014 01:41:55 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MQeET-1WUnC919Hp-00U3og; Wed, 23 Apr 2014 10:41:44 +0200 Message-ID: <53577C41.2090606@gmx.net> Date: Wed, 23 Apr 2014 10:39:29 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="M6KfA2q6Ui6C9bCVQEtj7anao85JrOKm7" X-Provags-ID: V03:K0:wFFe5g3TvBB3iAYycZq2CLx/4J2vcII79yu5corM3BOR5RBj2gZ x8OrpO8Jq63yotTAT09GeSg19ZV/sTVFRgtxMd7l2mGVEY2UpCM+7Q9kieZSLGSme4fQ8ok GNUHso4rTde+XpJySBWyqbHgxcc4LI/LinXdBhIObrRcN0ci5liR3P0XDbhHN+qzE7lDq4r LnZa3mVcqLKx3ievDVccg== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/TeLiGA9zbLptHCAAc1mNleyaDY0 Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 08:42:03 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --M6KfA2q6Ui6C9bCVQEtj7anao85JrOKm7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, in preparing the shepherd write-up for draft-ietf-oauth-jwt-bearer-08 I had to review our recent email conversations and the issue raised by Antonio in http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html belong to it. The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-08 says: " 2. The JWT MUST contain a "sub" (subject) claim identifying the principal that is the subject of the JWT. Two cases need to be differentiated: A. For the authorization grant, the subject SHOULD identify an authorized accessor for whom the access token is being requested (typically the resource owner, or an authorized delegate). B. For client authentication, the subject MUST be the "client_id" of the OAuth client. " Antonio pointed to the current Google API to illustrate that the subject is not always needed. Here is the Google API documentation: https://developers.google.com/accounts/docs/OAuth2ServiceAccount The Google API used the client authentication part (rather than the authorization grant), in my understanding. I still believe that the subject field has to be included for client authentication but I am not so sure anymore about the authorization grant since I could very well imagine cases where the subject is not needed for authorization decisions but also for privacy reasons. I would therefore suggest to change the text as follows: " 2. The JWT contains a "sub" (subject) claim identifying the principal that is the subject of the JWT. Two cases need to be differentiated: A. For the authorization grant, the subject claim MAY be included. If it is included it MUST identify the authorized accessor for whom the access token is being requested (typically the resource owner, or an authorized delegate). Reasons for not including the subject claim in the JWT are identity hiding (i.e., privacy protection of the identifier of the subject) and cases where the identifier of the subject is irrelevant for making an authorization decision by the resource server. B. For client authentication, the subject MUST be the included in the JWT and the value MUST be populated with the "client_id" of the OAuth client. " What do you guys think? Ciao Hannes --M6KfA2q6Ui6C9bCVQEtj7anao85JrOKm7 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTV3xBAAoJEGhJURNOOiAtXDgIAJi8QSjCqLHojaHDoKnon1gr ezLq9mAbZoII/IDODvyzDB49B4OM/mo9LcorCbX3F/gozDtoUi9FY0rrzdrfQbNF cAC7Ni4UwUv3SZ0zPV4JDQZ9//Y290+4ehgnjjQ5C/yf1UtoCuSD3jPhHYoJFQYv OZKMSRrsuQaLHA6SFQi1pZB+XhsbgP7EDcR+M5zRAIKc+9+SOSIou91LykTyOf5Y mDvemx3gP6NZUrLVeIuIMxk13u0BNQUdwEtLQvxuZS/qiD/O6bmxU2eba3muKQEn gEfgPbHZ9FCB7MGc4IzJSoCbknjHQ2ESLgWySgERQnJCi5yjgt0mN0tjRsOYusY= =pF65 -----END PGP SIGNATURE----- --M6KfA2q6Ui6C9bCVQEtj7anao85JrOKm7-- From nobody Wed Apr 23 01:42:44 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B78AF1A0133 for ; Wed, 23 Apr 2014 01:42:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.171 X-Spam-Level: X-Spam-Status: No, score=-2.171 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, URIBL_RED=0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FAdq3wiNAUOp for ; Wed, 23 Apr 2014 01:42:38 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id DACF11A012E for ; Wed, 23 Apr 2014 01:42:37 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0LeeNW-1XH6W82rra-00qSt0 for ; Wed, 23 Apr 2014 10:42:30 +0200 Message-ID: <53577C73.2010201@gmx.net> Date: Wed, 23 Apr 2014 10:40:19 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="eKlbWxBMdlvsqbK8EdlgcS3Q7r6otJWxT" X-Provags-ID: V03:K0:L7ZwMOsaNmA1y4h+HNt/BNJLMvoTOrvZrJzR3hb1xu25hf23uSj 0hYh3FY+wh0uTlceVCOuaU9VWx95tli9mFNYpwoEE/lffweneiRI8pwdx2fCWYfZO07Yz2Q UYRJI67BmoHhdXRAOlM4IC9yCKXYKXLpj9YQGeS/6jchj0B4EKjuSRrIzPMQoe4KKiVeIIi biFEkazTf2mgUdiwhiy0A== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/oN3hDWnyP5hQ0aQSAFUhuy4jVGI Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 08:42:42 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --eKlbWxBMdlvsqbK8EdlgcS3Q7r6otJWxT Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, I am working on the shepherd writeup for the JWT bearer document. The shepherd write-ups for the assertion draft and the SAML bearer document have been completed a while ago already, see http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html A few requests: - To the document authors: Please confirm that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. - To all: Are you aware of implementations of this specification? If so, I would like to reference them in my write-up. - To all: Please also go through the text to make sure that I correctly reflect the history and the status of this document. Here is the most recent version of the write-up: https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/= shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt (The copy-and-paste of the full version is below.) Ciao Hannes PS: Note that I have send a mail about a pending issue to the list. In response to my question I will update the write-up accordingly. ---- Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants" (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? The RFC type is 'Standards Track' and the type is indicated in the title page. This document defines an instantiation for the OAuth assertion framework using JSON Web Tokens. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. Working Group Summary: Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? This document belongs to the OAuth assertion document bundle consisting of the abstract OAuth assertion framework, and the SAML assertion profile. Due to the use of the JSON-based encoding of the assertion it also relies on the work in the JOSE working group (such as JWE/JWS) indirectly through the use of the JWT. This document has intentionally been kept in sync with the SAML-based version. Document Quality: This document has gone through many iterations and has received substantial feedback. [[Add implementation list here.]] Personnel: The document shepherd is Hannes Tschofenig and the responsible area director is Kathleen Moriarty. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IE= SG. The draft authors believe that this document is ready for publication. The document has had received review comments from working group members, and from the OAuth working group chairs. These review comments have been taken into account. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? This document has gotten feedback from the working group and given the focused use cases it has received adequate review. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Since the OAuth working group develops security protocols any feedback from the security community is always appreciated. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The shepherd has no concerns with this document. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? [[Confirmation from the authors required.]] (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No IPR disclosures have been filed on this document. However, two IPRs have been filed for the JWT specification this document relies on, see http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddra= ft-ietf-oauth-json-web-token (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The working group has consensus to publish this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No appeal or extreme discontent has been raised. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The shepherd has checked the nits. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. There is no such review necessary. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? Yes. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational RFC. A downref is required. However, this document depends on the completion of the abstract OAuth assertion framework and on the JWT specification. There are the following dependencies: (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. The publication of this document does not change the status of other RFCs= =2E (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). The document registers two sub-namespaces to the urn:ietf:params:oauth URN established with RFC 6755. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. The document only adds entries to existing registries and does not define any new registries. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. There are only snippets of message exchanges and JWT assertion structures, which are based on JSON, used in the examples. There is no pseudo code contained in the document that requires validation. --eKlbWxBMdlvsqbK8EdlgcS3Q7r6otJWxT Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTV3xzAAoJEGhJURNOOiAtbW4H/jBVNkGG4erGQDhxIqf6pXML pKrPV4fJ/0tUndXWCCNEELwjdBbeqZrlnzPa4T+znlviMUV/Yb+qN9EOcTW79hdV OhDn52t1QYIc1MGxD1FH4ByTMdu3tCt/+S4uv4RmuVzcQBghpFKPZeBE8+37C424 n5nK6I562BK27zBpQNYOzcW0D4j3Jxs4GENLc91pVYtvbaF5QksGIozsADc4DD4j lKluqq+C3jjUi8tcjKC8CUeN/FsDCYUTixq2CfFK/D0Mo7efRGEZ2bPZXurNvZ53 WLDdEQ+e8d95yw4NP7imozImNBX7ZIXqFX/p3UypO13cRDg5q7xASbFLaT371g8= =dKf0 -----END PGP SIGNATURE----- --eKlbWxBMdlvsqbK8EdlgcS3Q7r6otJWxT-- From nobody Wed Apr 23 04:52:22 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C6D21A0339 for ; Wed, 23 Apr 2014 04:52:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IAqdyfLcvICq for ; Wed, 23 Apr 2014 04:52:19 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id 7F4C21A01C3 for ; Wed, 23 Apr 2014 04:52:19 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MDn8s-1WhrOc2JGY-00H9mZ for ; Wed, 23 Apr 2014 13:52:12 +0200 Message-ID: <5357A89D.7000901@gmx.net> Date: Wed, 23 Apr 2014 13:48:45 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="u4nLQuRDPwJoIr0a7ErbCR2qP7B5TVdkb" X-Provags-ID: V03:K0:rGdr7IVoScm09UhvGwPVG2Ox6A5KdNNTjerMQR94o4/L7esvVE2 PeN/+BWp0bIJDmfRMm8sRzd/qxI45cWvb0BhXAoQ4yMrYBo/JW57S9B2czxaPo0+/sQD3XM dmFCwNZKDgYNPf7gDHUY0cXqZ9WpERNYIO5IAftMYN4ABsFoREWB/MbNxOYsH/adoRGtyLz kibYqUx3sy4zWF4wsQ9Ng== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/BvvThwZJRnb-lo4-ygLmcL9KMmU Subject: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-token-19 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 11:52:21 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --u4nLQuRDPwJoIr0a7ErbCR2qP7B5TVdkb Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Doing my shepherd write-up I had a few minor questions: * Could you move the RFC 6755 reference to the normative reference section? Reason: the IANA consideration section depends on the existence of the urn:ietf:params:oauth registry. * Could you move the JWK reference to the informative reference section? Reason: The JWK is only used in an example and not essential to the implementation or understanding of the specification. * Would it be sufficient to reference RFC 7159 instead of the [ECMAScript] reference? * The document registers 'urn:ietf:params:oauth:token-type' and it is used in the "type" header parameter. The text, however, states that the value can also be set to jwt. Why would someone prefer to use urn:ietf:params:oauth:token-type instead of the much shorter jwt value? Ciao Hannes --u4nLQuRDPwJoIr0a7ErbCR2qP7B5TVdkb Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTV6idAAoJEGhJURNOOiAtuQ4H/2lBaakkTPWBbJi4XjxiNJyC NzNUdePpoEiyWOJZt3PM/RvUbXmQFGzHEaorkDz+G0Z/faue+VunaLRqlWy1AWFk NVLbDAPdX8r/0s52A2xQq8FZMkTAWVA5HKx9wSW5VLUXDq+IOTefDiiICA+mbKtT GWfbZhwxjDGz+FNNev9cJ/wcBOnerqyvs0vGcOUWykzdIVbs+uzp4uZraqczKsb1 +eTcjNyYOeORLeaZ8kO15b6XA7ZCvhNekK2qOzo3fvqJ50D89oJ6m3V7vs/g4gmO V/tobrj/8vjHJ5lE8aIqf6Nyn0qhQRTn8dbDxoUwO8f5qc26pjXMjlWsfKU5doU= =Hpub -----END PGP SIGNATURE----- --u4nLQuRDPwJoIr0a7ErbCR2qP7B5TVdkb-- From nobody Wed Apr 23 04:59:37 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 363D71A0339 for ; Wed, 23 Apr 2014 04:59:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.171 X-Spam-Level: X-Spam-Status: No, score=-2.171 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, URIBL_RED=0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u3a6NMQ3XuwP for ; Wed, 23 Apr 2014 04:59:32 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) by ietfa.amsl.com (Postfix) with ESMTP id C46101A01C3 for ; Wed, 23 Apr 2014 04:59:31 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0Mbx62-1WJkp11rIU-00JJ8M for ; Wed, 23 Apr 2014 13:59:25 +0200 Message-ID: <5357AA4C.8080707@gmx.net> Date: Wed, 23 Apr 2014 13:55:56 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="MU8fH0aerfGTaR49ggQPbfg07wxcW08dv" X-Provags-ID: V03:K0:thX5YND3LFU9MJWa614gRo+R9B43hNZMjC1VO1pmRAweJR+j8e9 s9jutTqXd1Zw9Me6gOnprs3imHTxqb8AlobJ5GKEpWZBPtIbDSHzM3V/CnoFRAQnJ6psGBS IaMSfMeJ3JMtpgI8VTtcMlqP1hNAzk2ljGMTrVwUI/eVUVsMiSICUIanJCxsKbZHFZPx5D4 CvStCx8TXLshf1U5GSS4A== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wXSNRCExQXcXAuwSSjYhfVPdLrs Subject: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 11:59:35 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --MU8fH0aerfGTaR49ggQPbfg07wxcW08dv Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, I am working on the shepherd writeup for the JWT. Here are a few question= s: - To the document authors: Please confirm that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. - To all: I have included various pointers to implementations in the write-up. Maybe there are others that should be included. If so, please let me know. - To all: Please also go through the text to make sure that I correctly reflect the history and the status of this document. Here is the latest version of the write-up: https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/= shepherd-writeups/Writeup_OAuth_JWT.txt Ciao Hannes PS: Here is the copy-and-paste text: -------- Writeup for "JSON Web Token (JWT)" (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? The RFC type is 'Standards Track' and the type is indicated in the title page. This document defines the syntax and semantic of information elements. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted. Working Group Summary: Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? This document was uncontroversial. It allows OAuth deployments to use a standardized access token format, which increases interoperability of OAuth-based deployments. Document Quality: This document has gone through many iterations and has received substantial feedback. A substantial number of implementations exist, as documented at http://openid.net/developers/libraries/ (scrowl down to the 'JWT/JWS/JWE/JWK/JWA Implementations' section) An Excel document providing additional details can be found here: http://www.oauth-v2.org/wp-content/uploads/2014/04/JWT-Implementations.xl= sx Personnel: The document shepherd is Hannes Tschofenig and the responsible area director is Kathleen Moriarty. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IE= SG. The draft authors believe that this document is ready for publication. The document has received review comments from working group members, and from the OAuth working group chairs. Implementations exist and they have tested for interoperability as part of the OpenID Connect interop events. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? This document has gotten enough feedback from the working group. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. Since the OAuth working group develops security protocols any feedback from the security community is always appreciated. The JWT document heavily depends on the work in the JOSE working group since it re-uses the JWE and the JWS specifications. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The shepherd has no concerns with this document. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? [[Confirmation from the authors required.]] (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. Two IPRs have been filed for the JWT specification this document relies on, see http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddra= ft-ietf-oauth-json-web-token There was no discussion regarding those two IPRs on the mailing list. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The working group has consensus to publish this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No appeal or extreme discontent has been raised. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The shepherd has checked the nits. The shepherd has not verified the examples for correctness. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. The document does not require a formal review even though it contains JSON-based examples. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? There are various JOSE documents that have not been published as RFCs yet. As such, this document cannot be published before the respective JOSE documents are finalized. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. The document contains a reference to [ECMAScript] Ecma International, "ECMAScript Language Specification, 5.1 Edition", ECMA 262, June 2011. which might require a downref. RFC 6755 is also a downref. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. The publication of this document does not change the status of other RFCs= =2E (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). The document creates a new registry for JWT claims and populates this registry with values. It also registers values into two existing registries, namely into * the RFC 6755 created OAuth URN registry, and * the media type registry (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. The newly created JWT claims registry requires expert review for future allocations. Guidance is given in the document. The document shepherd volunteers to become an expert review. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. There are examples in the document that use a JSON-based encoding. The document shepherd has reviewed those examples but has not verified the correctness of the cryptographic operations. --MU8fH0aerfGTaR49ggQPbfg07wxcW08dv Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTV6pMAAoJEGhJURNOOiAtuVoIAJn/xnZOWrPG8J6Wsf+Vm7b8 ifmZi/cQVuiR1xxPABVneOWZ7AKpIhahL/CzC3EedNtrMnrhyQ8vBCPNNh2m7WRZ XNvf0t7J5CG0pwQMoOAnajWeNSr4ryc+J35gWti77yq8CL5xwl1v16BJzNZByaUO 0wIKILaR/4hcHuzvd4+oHsYoVssv8Gv0F8rmQypp0n21XA5agF9HNXmk/lag72kg VamA/VYqn6tUQGL+qpuq435r6uMDLg29KoCS6Wpw7oNjegnP+vtll4q2Gq6pMFgr W7u2uTGXlQunmdHAtkLqN7bXwZRe6U1iwRls0pJodFqEkGbnHJGfS0/PkTZMc58= =ozAy -----END PGP SIGNATURE----- --MU8fH0aerfGTaR49ggQPbfg07wxcW08dv-- From nobody Wed Apr 23 05:12:16 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B10F91A0348 for ; Wed, 23 Apr 2014 05:12:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8pJwZgGz7vRy for ; Wed, 23 Apr 2014 05:12:13 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id 3FCF41A0346 for ; Wed, 23 Apr 2014 05:12:13 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M7DVi-1WoQXA23Bm-00wzs2 for ; Wed, 23 Apr 2014 14:12:06 +0200 Message-ID: <5357AD3F.6050803@gmx.net> Date: Wed, 23 Apr 2014 14:08:31 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="471Pwcle2WKEditFXFVN3Maeu77TIgdpq" X-Provags-ID: V03:K0:87teUDtMCZHY+NEp3qJJ7TaYgDgwEkdp8OPHKMEi3huFwxEAklR VKwdCY8GCjl87xKk3qAhVXALX+JeL3J//RxY2lw8OIYOpIj25vd11WeJMGM+Ibetc1i11f7 1fat1YxzwleWuWMVpX0bx33Ev1+FLurwfMBHFCpfKTwVrv4/zxj3LJUNoPuA3pGkydHxeRV w6WEhFBUxvHyBnMfR7ttw== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/o7SAJ-FJ0wY7qi4ZMXXSLGs-LeY Subject: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 12:12:14 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --471Pwcle2WKEditFXFVN3Maeu77TIgdpq Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, in a discussion about re-using the client authentication part of the assertion framework for other specifications currently in progress I ran into the following question: Section 6.1 of http://tools.ietf.org/html/draft-ietf-oauth-assertions-15 talks about the client using the assertion with the **token endpoint**. Now, it appears that one cannot use the client authentication with other endpoints, such as the introspection endpoint defined in http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2 Am I reading too much into Section 6.1 of the assertion draft? Ciao Hannes --471Pwcle2WKEditFXFVN3Maeu77TIgdpq Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTV60/AAoJEGhJURNOOiAtgkIH/RqGyzgkYw13lIoKjlUMxF1p UnKlSJILSgTraSJG5fXKr+cvUo6peU2LP/e6h4NyV4gd0ahxWRs/uxqNVlao7RpV WzSNEAQSLtMiv9ukaAZ1DYzGt2e7R3bxJYrN4cUnaWjj1WplTntk0nCx5j94nAYk 7i6M4bdrcVe4Xicf4ZSBcS781DEpjwYdbBcu8CbLajqVBXHepJElRKKP7BSRgVgI o3Jc5hZHuSU6xy4cqCcZLXjNevHqT5XeFpttNuMSAFUrWaJ7JtbsJlw4Qd/jXgdi ULrAmkLtzYxf311UtNyFJa26vo0eJDulJ73tY3azBaAoai4ouQLm4IJwS7/i6TI= =mCMO -----END PGP SIGNATURE----- --471Pwcle2WKEditFXFVN3Maeu77TIgdpq-- From nobody Wed Apr 23 06:12:44 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B8281A039B for ; Wed, 23 Apr 2014 06:12:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bNNhr1yG_tD3 for ; Wed, 23 Apr 2014 06:12:35 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 785DF1A0396 for ; Wed, 23 Apr 2014 06:12:35 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LoaCE-1X9EmX1Dxa-00gWWf for ; Wed, 23 Apr 2014 15:12:27 +0200 Message-ID: <5357BB37.1080803@gmx.net> Date: Wed, 23 Apr 2014 15:08:07 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="2cD3Bjpmopgto2u42QuVmEx6bSFr34XmN" X-Provags-ID: V03:K0:kR5TcBU2rWF4y1/fKc9bzHLkWM98zan0mv2IH/Ul73bQt7TcR4/ NB3LjoHGpcxSIUMgucQjzDFCENciTsIKBSVj1o8Ch7V1Z2o1j7kO9XnG4TAjFTWjAqWAX92 TPYZKgzhLF1CRe78JDSnJ0ZavFXqbJtLvCFK5KQfUa3s+tQgV+qN0cEY//6AdBitg0dpRpR cykQqvqpEIw9G/fuZCGxg== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/mxRRY0rtrqx7RMvpni_mGrmqbcY Subject: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-16 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 13:12:38 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --2cD3Bjpmopgto2u42QuVmEx6bSFr34XmN Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, here are a few comments regarding the draft-ietf-oauth-dyn-reg-16 spec. The first two are editorial and a matter of taste. - Abstract The abstract is awfully short. Could you at least add a few more lines to tell the reader what to expect in the document? - Introduction I believe the problem statement in the introduction section could be a bit clearer. I would phrase the story as follows: today client software developers need to manually interact with a deployment organization to obtain relevant parameters for their client software and/or to provide meta-data about it. This can be time-consuming. This document provides a mechanism for dynamically provisioning this information. - Terminology Please avoid RFC 2119 language in the terminology section. I also believe it is unnecessary, for example in the client instance definition.= There is a bit of inconsistency in the terminology when I look at the client software - client instance and the software api publisher - software api deployment relationship. I would have expected to see software api instance - software api publisher. It might help readers to provide a few examples to show typical relationships. For example, a social network site (=3Ddeployment organization) develops their own social network software and makes it available to application developers. They are also a software API publisher and use OAuth to protect access to the data. A software developer writes a client software for use with the social network site and distributes different client instances to smart phones. I wonder whether it would make sense to use a different name for the 'initial access token', such as registration token to make it easier to differentiate it from a regular access token. (Later in my review I will argue that this access token is a bit strange...) In the text you use the term 'client' but the terminology section only defines 'client instance' and 'client software'. Does the term 'client' refer to 'client software'? - Protocol Flow In Figure 1 you show the client and the developer in the same box. The protocol defined in the specification clearly runs between a client and client registration endpoint at an authorization server. So, I would suggest to put the developer (which is a human) outside the box and to draw another box around the client registration endpoint to indicate that this is part of the authorization server. - Section 2 What exactly does this sentence mean? " Authorization servers MUST accept all fields in this list. " I believe I cannot mean that the authorization server supports all mechanisms. You write: " Client metadata values can either be communicated directly in the body of a registration request, as described in Section 4.1, or included as claims in a software statement, as described in Section 3. If the same client metadata name is present in both locations, the value in the software statement SHOULD take precedence. " It might be worthwhile to note that the two options exist to allow (a) the client to suggest values and (b) to have the organizing issuing the software assertion to provide further values. Regarding the SHOULD in the last sentence I guess it might make more sense to just say that it is deployment dependent what policy is used. - Section 2.1 You write: " As such, a server supporting these fields SHOULD take steps to ensure that a client cannot register itself into an inconsistent state. " Any guidance on how the authorization server would do that? - Section 3 I don't understand this sentence: " In some cases, authorization servers MAY choose to accept a software statement value directly as a Client ID in an authorization request, without a prior dynamic client registration having been performed. " Does this mean that the client id is the software statement or that the software statement is embedded in the client id or something else? - Section 4 The story around the initial access token is a bit strange. Here is the text: The client registration endpoint MAY be an OAuth 2.0 protected resource and accept an initial access token in the form of an OAuth 2.0 [RFC6749] access token to limit registration to only previously authorized parties. The method by which the initial access token is obtained by the registrant is generally out-of-band and is out of scope for this specification. The method by which the initial access token is verified and validated by the client registration endpoint is out of scope for this specification. First, the term 'registrant' is used here for the first time. Then, it is outside the scope of how the client got this initial access token. Normally for access tokens the client does not have to care about the content and does not verify anything but here the last sentence hints to the verification (although it is outside the scope of how it is used). I am curious whether the software assertion could actually be re-use here in case the unauthorized use of the registration by clients is a concern!? - Section 4.2 You write: " This client identifier MUST be unique at the server and MUST NOT be in use by any other client. " This is a bit unclear given the text you provide in the subsequent section, Section 5.1. You write: " client_id REQUIRED. Unique client identifier. It MUST NOT be currently valid for any other distinct registered client. It MAY be the same as the Client ID value used by other instances of this client, provided that the Redirection URI values and potentially other values dictated by authorization server policy are the same for all instances. " You write: " If a software statement was used as part of the registration, its value SHOULD be returned in the response and its value MUST be returned if the authorization server supports registration management operations [OAuth.Registration.Management] that would require its presence in subsequent operations. " I am not sure I understand that. Are you saying that the software assertion is returned in the response from the authorization server to the client? Why is that? - References I believe you should delete the dependency on the registration management specification. Ciao Hannes --2cD3Bjpmopgto2u42QuVmEx6bSFr34XmN Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTV7s3AAoJEGhJURNOOiAtt4MIAI11H2LfvqDTritXJn91nSvR v7dH3RN0fZu6wJjqzZxHaqPxKBW38JYO+cft7dKxR9X/2pumlUBbOmdpY4tLaJes FmCG5BOr949SMfMXbysErDT/GePreutGt6MhQ3++YfYXX2V2WZgOBAAOWl4fOOPq LfVzYoSqfMP43SMBRyuR5e8fIaAygUOhsVEtohJyEXkAlNpdNwGg45LFw44Z7XPI RA/+kqAdLVPr39M852AR8JjQVzdFbCoctS6M34JC/w0xZ1V1GBVAGNqB+kusssf3 RnvS+y2OL03HJuOJbV6B+3GKmNpuWukUmoVuEiCzYsP+rYkXq2lRcdQ4NNo0wH8= =OxfR -----END PGP SIGNATURE----- --2cD3Bjpmopgto2u42QuVmEx6bSFr34XmN-- From nobody Wed Apr 23 07:58:58 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F5BE1A0104 for ; Wed, 23 Apr 2014 07:58:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.471 X-Spam-Level: X-Spam-Status: No, score=-4.471 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M_f3e8qiK6ht for ; Wed, 23 Apr 2014 07:58:52 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id F2A9E1A0137 for ; Wed, 23 Apr 2014 07:58:51 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1B6A61F02F3; Wed, 23 Apr 2014 10:58:46 -0400 (EDT) Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 0205D1F0258; Wed, 23 Apr 2014 10:58:46 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.3.174.1; Wed, 23 Apr 2014 10:58:45 -0400 Message-ID: <5357D4FF.5040800@mitre.org> Date: Wed, 23 Apr 2014 10:58:07 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hannes Tschofenig , "oauth@ietf.org" References: <5357BB37.1080803@gmx.net> In-Reply-To: <5357BB37.1080803@gmx.net> Content-Type: multipart/alternative; boundary="------------020609040305040101020203" X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/uOUhwzStgaLngHsg4D671VPIitw Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-16 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 14:58:56 -0000 --------------020609040305040101020203 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit Responses inline. On 04/23/2014 09:08 AM, Hannes Tschofenig wrote: > Hi all, > > here are a few comments regarding the draft-ietf-oauth-dyn-reg-16 spec. > The first two are editorial and a matter of taste. > > - Abstract > > The abstract is awfully short. Could you at least add a few more lines > to tell the reader what to expect in the document? Makes sense -- there was a lot of tumult about what would actually be in the document, but now that I think we've got general agreement on the proper split (i.e., merging "core" and "metadata", keeping "management" separate) this can happen. > - Introduction > > I believe the problem statement in the introduction section could be a > bit clearer. I would phrase the story as follows: today client software > developers need to manually interact with a deployment organization to > obtain relevant parameters for their client software and/or to provide > meta-data about it. This can be time-consuming. This document provides a > mechanism for dynamically provisioning this information. Makes sense, we can clarify. Most notably, we need to be clear that this is an automated API to do client registration, and that you can still do manual registration or some other nonstandard process if you want to. > - Terminology > > Please avoid RFC 2119 language in the terminology section. I also > believe it is unnecessary, for example in the client instance definition. Noted. > There is a bit of inconsistency in the terminology when I look at the > client software - client instance and the software api publisher - > software api deployment relationship. I would have expected to see > software api instance - software api publisher. > > It might help readers to provide a few examples to show typical > relationships. > > For example, a social network site (=deployment organization) develops > their own social network software and makes it available to application > developers. They are also a software API publisher and use OAuth to > protect access to the data. A software developer writes a client > software for use with the social network site and distributes different > client instances to smart phones. Many of these terms and relationship were pulled in wholesale from Phil's draft, so they probably need to be massaged a bit to fit with the rest. > I wonder whether it would make sense to use a different name for the > 'initial access token', such as registration token to make it easier to > differentiate it from a regular access token. (Later in my review I will > argue that this access token is a bit strange...) > > In the text you use the term 'client' but the terminology section only > defines 'client instance' and 'client software'. Does the term 'client' > refer to 'client software'? The draft inherits the term "client" from RFC6749. We *do* need to be careful to use the most exact term throughout the text. > - Protocol Flow > > In Figure 1 you show the client and the developer in the same box. The > protocol defined in the specification clearly runs between a client and > client registration endpoint at an authorization server. So, I would > suggest to put the developer (which is a human) outside the box and to > draw another box around the client registration endpoint to indicate > that this is part of the authorization server. There are two known modes of deployment for this protocol: either the client calls the registration endpoint directly and gets its own client_id and client_secret, or the developer uses some tool (part of their build process, a software publication process, a self-service portal) to register the client. While the first use case is the original driver, several people wanted to make sure that this other use case wasn't inadvertently written out. > - Section 2 > > What exactly does this sentence mean? > > " > Authorization servers MUST accept all fields in this list. > " > > I believe I cannot mean that the authorization server supports all > mechanisms. All I was trying to say was that the AS isn't allowed to crash if it sees a field in this list as part of the registration, to give us some kind of interoperability baseline. I am welcome to re-wording suggestions. The AS is free to ignore any field that it doesn't like, or reject a registration for a value that it doesn't like, or replace a value that it doesn't like with something that it does like and return that. We enumerate all of those cases separately, so perhaps this sentence isn't necessary any more. > You write: > > " > Client metadata values can either be communicated directly in the > body of a registration request, as described in Section 4.1, or > included as claims in a software statement, as described in > Section 3. If the same client metadata name is present in both > locations, the value in the software statement SHOULD take > precedence. > " > > It might be worthwhile to note that the two options exist to allow (a) > the client to suggest values and (b) to have the organizing issuing the > software assertion to provide further values. It's actually the other way around -- the assertion if present defines a set of core values for a class of clients and the client suggests values on its own in the plain JSON. The vast majority of registrations will use only the JSON object, in my estimation. > Regarding the SHOULD in the last sentence I guess it might make more > sense to just say that it is deployment dependent what policy is used. The idea here is that the software statement, if present and trusted, should really take precedence since it's cryptographically protected and the plain JSON isn't. > - Section 2.1 > > You write: > > " > As such, a server supporting these fields > SHOULD take steps to ensure that a client cannot register itself into > an inconsistent state. > " > > Any guidance on how the authorization server would do that? Either return an error ("invalid_client_metadata") or replace the values with sane defaults. Probably the former for most servers. Should we state this? > - Section 3 > > I don't understand this sentence: > > " > In some cases, authorization servers MAY choose to accept a software > statement value directly as a Client ID in an authorization request, > without a prior dynamic client registration having been performed. > " > > Does this mean that the client id is the software statement or that the > software statement is embedded in the client id or something else? The idea here is that the software statement itself would be the client_id, but the details of such usage are outside the scope of dynamic registration (since it's not really registration at that point, but a stateless client identifier). > - Section 4 > > The story around the initial access token is a bit strange. Here is the > text: > > The client registration endpoint MAY be an OAuth 2.0 protected > resource and accept an initial access token in the form of an OAuth > 2.0 [RFC6749] access token to limit registration to only previously > authorized parties. The method by which the initial access token is > obtained by the registrant is generally out-of-band and is out of > scope for this specification. The method by which the initial access > token is verified and validated by the client registration endpoint > is out of scope for this specification. > > > First, the term 'registrant' is used here for the first time. Then, it > is outside the scope of how the client got this initial access token. > Normally for access tokens the client does not have to care about the > content and does not verify anything but here the last sentence hints to > the verification (although it is outside the scope of how it is used). The client doesn't verify the token, the client registration endpoint verifies it. It's a vanilla OAuth token. > I am curious whether the software assertion could actually be re-use > here in case the unauthorized use of the registration by clients is a > concern!? This is exactly what BlueButton+ does: the software statement equivalent is presented as the initial access token. I personally think that this makes a lot more sense, but some folks wanted to be able to separate these two things, so that the authority to register with a server is differentiable from the fixed registration parameters. Also, you don't want to define the initial access token to *always* be a software statement, since it could just represent authorization to call the registration endpoint with no other strings attached. > - Section 4.2 > > You write: > > " > This client identifier MUST be > unique at the server and MUST NOT be in use by any other client. > " > > This is a bit unclear given the text you provide in the subsequent > section, Section 5.1. > You write: > > " > client_id REQUIRED. Unique client identifier. It MUST NOT be > currently valid for any other distinct registered client. It MAY > be the same as the Client ID value used by other instances of this > client, provided that the Redirection URI values and potentially > other values dictated by authorization server policy are the same > for all instances. > " Those are still inconsistent and I'm not positive where we came down on that issue -- I personally don't like the idea of re-using client_ids for different instances of the client (I see it causing nothing but trouble down the line), but there was a push to relax that. Can someone who wanted this comment on its utility? > You write: > > " > If a software statement was used as part of the registration, its > value SHOULD be returned in the response and its value MUST be > returned if the authorization server supports registration management > operations [OAuth.Registration.Management] that would require its > presence in subsequent operations. > " > > I am not sure I understand that. Are you saying that the software > assertion is returned in the response from the authorization server to > the client? Why is that? It is effectively part of the client's registration metadata and should be returned as-is. If the client is going to be doing management, it needs to be able to post that back to the server again as part of its update and the server needs to be able to check against it. What we really don't want is the registration endpoint to generate a new software statement as part of the registration response. > - References > > I believe you should delete the dependency on the registration > management specification. This makes sense if the operations can be completely insular and we don't need any forward references as to why to do certain things. It would be easy to build a registration endpoint that precludes any kind of management/lifecycle API, and we want to avoid that in the design of the core protocol. I think we've successfully done that, but if it makes it cleaner to remove the references and just state how to do things, I don't see why not. Thanks for the thorough review. -- Justin > > Ciao > Hannes > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------020609040305040101020203 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Responses inline.

On 04/23/2014 09:08 AM, Hannes Tschofenig wrote:
Hi all,

here are a few comments regarding the draft-ietf-oauth-dyn-reg-16 spec.
The first two are editorial and a matter of taste.

- Abstract

The abstract is awfully short. Could you at least add a few more lines
to tell the reader what to expect in the document?

Makes sense -- there was a lot of tumult about what would actually be in the document, but now that I think we've got general agreement on the proper split (i.e., merging "core" and "metadata", keeping "management" separate) this can happen.

- Introduction

I believe the problem statement in the introduction section could be a
bit clearer. I would phrase the story as follows: today client software
developers need to manually interact with a deployment organization to
obtain relevant parameters for their client software and/or to provide
meta-data about it. This can be time-consuming. This document provides a
mechanism for dynamically provisioning this information.

Makes sense, we can clarify. Most notably, we need to be clear that this is an automated API to do client registration, and that you can still do manual registration or some other nonstandard process if you want to.

- Terminology

Please avoid RFC 2119 language in the terminology section. I also
believe it is unnecessary, for example in the client instance definition.

Noted.

There is a bit of inconsistency in the terminology when I look at the
client software - client instance and the software api publisher -
software api deployment relationship. I would have expected to see
software api instance - software api publisher.

It might help readers to provide a few examples to show typical
relationships.

For example, a social network site (=deployment organization) develops
their own social network software and makes it available to application
developers. They are also a software API publisher and use OAuth to
protect access to the data. A software developer writes a client
software for use with the social network site and distributes different
client instances to smart phones.

Many of these terms and relationship were pulled in wholesale from Phil's draft, so they probably need to be massaged a bit to fit with the rest.

I wonder whether it would make sense to use a different name for the
'initial access token', such as registration token to make it easier to
differentiate it from a regular access token. (Later in my review I will
argue that this access token is a bit strange...)

In the text you use the term 'client' but the terminology section only
defines 'client instance' and 'client software'. Does the term 'client'
refer to 'client software'?

The draft inherits the term "client" from RFC6749. We *do* need to be careful to use the most exact term throughout the text.

- Protocol Flow

In Figure 1 you show the client and the developer in the same box. The
protocol defined in the specification clearly runs between a client and
client registration endpoint at an authorization server. So, I would
suggest to put the developer (which is a human) outside the box and to
draw another box around the client registration endpoint to indicate
that this is part of the authorization server.

There are two known modes of deployment for this protocol: either the client calls the registration endpoint directly and gets its own client_id and client_secret, or the developer uses some tool (part of their build process, a software publication process, a self-service portal) to register the client. While the first use case is the original driver, several people wanted to make sure that this other use case wasn't inadvertently written out.


- Section 2

What exactly does this sentence mean?

"
   Authorization servers MUST accept all fields in this list.
"

I believe I cannot mean that the authorization server supports all
mechanisms.

All I was trying to say was that the AS isn't allowed to crash if it sees a field in this list as part of the registration, to give us some kind of interoperability baseline. I am welcome to re-wording suggestions. The AS is free to ignore any field that it doesn't like, or reject a registration for a value that it doesn't like, or replace a value that it doesn't like with something that it does like and return that. We enumerate all of those cases separately, so perhaps this sentence isn't necessary any more. 

You write:

"
   Client metadata values can either be communicated directly in the
   body of a registration request, as described in Section 4.1, or
   included as claims in a software statement, as described in
   Section 3.  If the same client metadata name is present in both
   locations, the value in the software statement SHOULD take
   precedence.
"

It might be worthwhile to note that the two options exist to allow (a)
the client to suggest values and (b) to have the organizing issuing the
software assertion to provide further values.

It's actually the other way around -- the assertion if present defines a set of core values for a class of clients and the client suggests values on its own in the plain JSON. The vast majority of registrations will use only the JSON object, in my estimation.

Regarding the SHOULD in the last sentence I guess it might make more
sense to just say that it is deployment dependent what policy is used.

The idea here is that the software statement, if present and trusted, should really take precedence since it's cryptographically protected and the plain JSON isn't.

- Section 2.1

You write:

"
As such, a server supporting these fields
   SHOULD take steps to ensure that a client cannot register itself into
   an inconsistent state.
"

Any guidance on how the authorization server would do that?

Either return an error ("invalid_client_metadata") or replace the values with sane defaults. Probably the former for most servers. Should we state this?

- Section 3

I don't understand this sentence:

"
  In some cases, authorization servers MAY choose to accept a software
   statement value directly as a Client ID in an authorization request,
   without a prior dynamic client registration having been performed.
"

Does this mean that the client id is the software statement or that the
software statement is embedded in the client id or something else?

The idea here is that the software statement itself would be the client_id, but the details of such usage are outside the scope of dynamic registration (since it's not really registration at that point, but a stateless client identifier).

- Section 4

The story around the initial access token is a bit strange. Here is the
text:

   The client registration endpoint MAY be an OAuth 2.0 protected
   resource and accept an initial access token in the form of an OAuth
   2.0 [RFC6749] access token to limit registration to only previously
   authorized parties.  The method by which the initial access token is
   obtained by the registrant is generally out-of-band and is out of
   scope for this specification.  The method by which the initial access
   token is verified and validated by the client registration endpoint
   is out of scope for this specification.


First, the term 'registrant' is used here for the first time. Then, it
is outside the scope of how the client got this initial access token.
Normally for access tokens the client does not have to care about the
content and does not verify anything but here the last sentence hints to
the verification (although it is outside the scope of how it is used).

The client doesn't verify the token, the client registration endpoint verifies it. It's a vanilla OAuth token.

I am curious whether the software assertion could actually be re-use
here in case the unauthorized use of the registration by clients is a
concern!?

This is exactly what BlueButton+ does: the software statement equivalent is presented as the initial access token. I personally think that this makes a lot more sense, but some folks wanted to be able to separate these two things, so that the authority to register with a server is differentiable from the fixed registration parameters. Also, you don't want to define the initial access token to *always* be a software statement, since it could just represent authorization to call the registration endpoint with no other strings attached.

- Section 4.2

You write:

"
 This client identifier MUST be
   unique at the server and MUST NOT be in use by any other client.
"

This is a bit unclear given the text you provide in the subsequent
section, Section 5.1.
You write:

"
  client_id  REQUIRED.  Unique client identifier.  It MUST NOT be
      currently valid for any other distinct registered client.  It MAY
      be the same as the Client ID value used by other instances of this
      client, provided that the Redirection URI values and potentially
      other values dictated by authorization server policy are the same
      for all instances.
"

Those are still inconsistent and I'm not positive where we came down on that issue -- I personally don't like the idea of re-using client_ids for different instances of the client (I see it causing nothing but trouble down the line), but there was a push to relax that. Can someone who wanted this comment on its utility?

You write:

"
If a software statement was used as part of the registration, its
   value SHOULD be returned in the response and its value MUST be
   returned if the authorization server supports registration management
   operations [OAuth.Registration.Management] that would require its
   presence in subsequent operations.
"

I am not sure I understand that. Are you saying that the software
assertion is returned in the response from the authorization server to
the client? Why is that?

It is effectively part of the client's registration metadata and should be returned as-is. If the client is going to be doing management, it needs to be able to post that back to the server again as part of its update and the server needs to be able to check against it. What we really don't want is the registration endpoint to generate a new software statement as part of the registration response.

- References

I believe you should delete the dependency on the registration
management specification.

This makes sense if the operations can be completely insular and we don't need any forward references as to why to do certain things. It would be easy to build a registration endpoint that precludes any kind of management/lifecycle API, and we want to avoid that in the design of the core protocol. I think we've successfully done that, but if it makes it cleaner to remove the references and just state how to do things, I don't see why not.

Thanks for the thorough review.

 -- Justin


Ciao
Hannes




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------020609040305040101020203-- From nobody Wed Apr 23 09:32:58 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61B281A0380 for ; Wed, 23 Apr 2014 09:32:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tCOqkGnfr7gB for ; Wed, 23 Apr 2014 09:32:54 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0212.outbound.protection.outlook.com [207.46.163.212]) by ietfa.amsl.com (Postfix) with ESMTP id C77441A0348 for ; Wed, 23 Apr 2014 09:32:53 -0700 (PDT) Received: from CH1PR03CA007.namprd03.prod.outlook.com (10.255.156.152) by BLUPR03MB437.namprd03.prod.outlook.com (10.141.78.147) with Microsoft SMTP Server (TLS) id 15.0.921.12; Wed, 23 Apr 2014 16:32:47 +0000 Received: from BY2FFO11FD008.protection.gbl (10.255.156.132) by CH1PR03CA007.outlook.office365.com (10.255.156.152) with Microsoft SMTP Server (TLS) id 15.0.921.12 via Frontend Transport; Wed, 23 Apr 2014 16:32:47 +0000 Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD008.mail.protection.outlook.com (10.1.14.159) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Wed, 23 Apr 2014 16:32:46 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14HUBC104.redmond.corp.microsoft.com ([157.54.80.25]) with mapi id 14.03.0181.007; Wed, 23 Apr 2014 16:32:10 +0000 From: Mike Jones To: Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-token-19 Thread-Index: Ac9fEZKCDboZV7WmRDqDYDMAE4ic1Q== Date: Wed, 23 Apr 2014 16:32:09 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A191D83@TK5EX14MBXC288.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.36] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A191D83TK5EX14MBXC288r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(377454003)(199002)(189002)(13464003)(20776003)(79102001)(80976001)(46102001)(15202345003)(2656002)(81342001)(77982001)(81542001)(84676001)(86362001)(66066001)(76482001)(33656001)(84326002)(16236675002)(80022001)(55846006)(54356999)(92726001)(97736001)(87936001)(19580395003)(512954002)(44976005)(74502001)(19580405001)(83322001)(99396002)(74662001)(19300405004)(4396001)(6806004)(92566001)(31966008)(50986999)(71186001)(2009001)(85852003)(83072002)(15975445006); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB437; H:mail.microsoft.com; FPR:B4D2F635.AC32B4D8.71D3BF7B.42EFAA28.2027B; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01901B3451 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/R9OctM9A76eFxtbfhWgl1KVFzpk Subject: Re: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-token-19 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 16:32:56 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A191D83TK5EX14MBXC288r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Replies inline... -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, April 23, 2014 4:49 AM To: oauth@ietf.org Subject: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-tok= en-19 Doing my shepherd write-up I had a few minor questions: * Could you move the RFC 6755 reference to the normative reference section?= Reason: the IANA consideration section depends on the existence of the urn= :ietf:params:oauth registry. OK * Could you move the JWK reference to the informative reference section? Reason: The JWK is only used in an example and not essential to the impleme= ntation or understanding of the specification. OK * Would it be sufficient to reference RFC 7159 instead of the [ECMAScript] = reference? No. There's no equivalent to Section 15.12 of ECMAScript about the lexical= ly last member name to reference in RFC 7159. See the usage in the first p= aragraph of http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#s= ection-4. * The document registers 'urn:ietf:params:oauth:token-type' and it is used = in the "type" header parameter. The text, however, states that the value can also be set to jwt. Why would = someone prefer to use urn:ietf:params:oauth:token-type instead of the much = shorter jwt value? There are use cases, such as using JWTs as tokens in WS-Trust, where a URI = is needed. Ciao Hannes Thanks for doing this. -- Mike --_000_4E1F6AAD24975D4BA5B16804296739439A191D83TK5EX14MBXC288r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Replies inline...

 

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig<= br> Sent: Wednesday, April 23, 2014 4:49 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-tok= en-19

 

Doing my shepherd write-up I had a few minor ques= tions:

 

* Could you move the RFC 6755 reference to the no= rmative reference section? Reason: the IANA consideration section depends o= n the existence of the urn:ietf:params:oauth registry.

 

OK

 

* Could you move the JWK reference to the informa= tive reference section?

Reason: The JWK is only used in an example and no= t essential to the implementation or understanding of the specification.

 

OK

 

* Would it be sufficient to reference RFC 7159 in= stead of the [ECMAScript] reference?

 

No.  ThereR= 17;s no equivalent to Section 15.12 of ECMAScript about the lexically last = member name to reference in RFC 7159.  See the usage in the first para= graph of http://tools.ietf.org/html/draf= t-ietf-oauth-json-web-token-19#section-4.

 

* The document registers 'urn:ietf:params:oauth:t= oken-type' and it is used in the "type" header parameter.

 

The text, however, states that the value can also= be set to jwt. Why would someone prefer to use urn:ietf:params:oauth:token= -type instead of the much shorter jwt value?

 

There are use cases= , such as using JWTs as tokens in WS-Trust, where a URI is needed.

 

Ciao

Hannes

 

Thanks for doing th= is.

 

   &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;      -- Mike

 

--_000_4E1F6AAD24975D4BA5B16804296739439A191D83TK5EX14MBXC288r_-- From nobody Wed Apr 23 09:42:50 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D314D1A03B1 for ; Wed, 23 Apr 2014 09:42:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n_SV5XgAajpr for ; Wed, 23 Apr 2014 09:42:47 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0142.outbound.protection.outlook.com [207.46.163.142]) by ietfa.amsl.com (Postfix) with ESMTP id 2A2581A039B for ; Wed, 23 Apr 2014 09:42:47 -0700 (PDT) Received: from CH1PR03CA005.namprd03.prod.outlook.com (10.255.156.150) by BLUPR03MB018.namprd03.prod.outlook.com (10.255.208.40) with Microsoft SMTP Server (TLS) id 15.0.934.12; Wed, 23 Apr 2014 16:42:39 +0000 Received: from BY2FFO11FD033.protection.gbl (10.255.156.132) by CH1PR03CA005.outlook.office365.com (10.255.156.150) with Microsoft SMTP Server (TLS) id 15.0.921.12 via Frontend Transport; Wed, 23 Apr 2014 16:42:39 +0000 Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD033.mail.protection.outlook.com (10.1.14.218) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Wed, 23 Apr 2014 16:42:39 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14HUBC104.redmond.corp.microsoft.com ([157.54.80.25]) with mapi id 14.03.0181.007; Wed, 23 Apr 2014 16:42:01 +0000 From: Mike Jones To: Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? Thread-Index: Ac9fEvMDrKXTirhYSF+Oue2iYb0ZfA== Date: Wed, 23 Apr 2014 16:42:00 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.36] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(377454003)(53754006)(199002)(189002)(13464003)(80976001)(23726002)(54356999)(46102001)(19580405001)(19580395003)(83322001)(44976005)(6806004)(4396001)(76482001)(50986999)(87936001)(55846006)(84676001)(15975445006)(79102001)(86362001)(2656002)(66066001)(33656001)(80022001)(46406003)(81342001)(20776003)(92566001)(47776003)(92726001)(85852003)(83072002)(50466002)(99396002)(2009001)(77982001)(15202345003)(74662001)(74502001)(97736001)(97756001)(31966008)(81542001); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB018; H:mail.microsoft.com; FPR:; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01901B3451 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/8IdY5jWEgSVy19ZQ2zKy-R3pvxM Subject: Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 16:42:49 -0000 The assertions draft is only trying to describe how to perform assertion-ba= sed authentication at the Token Endpoint. Other drafts, such as the intros= pection draft, could explicitly say that this can also be done in the same = manner there, but that's an extension, and should be specified by the exten= sion draft, if appropriate - not in the assertions draft. Justin may have more to say about the applicability or lack of it to the in= trospection draft, but I'm personally not familiar with it. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, April 23, 2014 5:09 AM To: oauth@ietf.org Subject: [OAUTH-WG] Assertions: Client authentication for non-token endpoin= ts? Hi all, in a discussion about re-using the client authentication part of the assert= ion framework for other specifications currently in progress I ran into the= following question: Section 6.1 of http://tools.ietf.org/html/draft-ietf-oauth-assertions-15 talks about the c= lient using the assertion with the **token endpoint**. Now, it appears that one cannot use the client authentication with other en= dpoints, such as the introspection endpoint defined in http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2 Am I reading too much into Section 6.1 of the assertion draft? Ciao Hannes From nobody Wed Apr 23 09:50:41 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71FAF1A0348 for ; Wed, 23 Apr 2014 09:50:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.472 X-Spam-Level: X-Spam-Status: No, score=-4.472 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSHwWgnmsKNS for ; Wed, 23 Apr 2014 09:50:34 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id BFE851A037F for ; Wed, 23 Apr 2014 09:50:34 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 005481F07FF; Wed, 23 Apr 2014 12:50:29 -0400 (EDT) Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id D74BF1F030B; Wed, 23 Apr 2014 12:50:28 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.3.174.1; Wed, 23 Apr 2014 12:50:28 -0400 Message-ID: <5357EF2E.1020503@mitre.org> Date: Wed, 23 Apr 2014 12:49:50 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Mike Jones , Hannes Tschofenig , "oauth@ietf.org" References: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/T8rQ1dPbytk4UOfxerbdKcG9VvA Subject: Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 16:50:40 -0000 For introspection, we really just wanted to say "you can authenticate the caller (client or RP) just like you would to the token endpoint". So if you've got the means to do that with the assertion draft or with client secrets or TLS certs or anything else, go for it. I would not read the text of the assertions draft as restricting this other use case. -- Justin On 04/23/2014 12:42 PM, Mike Jones wrote: > The assertions draft is only trying to describe how to perform assertion-based authentication at the Token Endpoint. Other drafts, such as the introspection draft, could explicitly say that this can also be done in the same manner there, but that's an extension, and should be specified by the extension draft, if appropriate - not in the assertions draft. > > Justin may have more to say about the applicability or lack of it to the introspection draft, but I'm personally not familiar with it. > > -- Mike > > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig > Sent: Wednesday, April 23, 2014 5:09 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? > > Hi all, > > in a discussion about re-using the client authentication part of the assertion framework for other specifications currently in progress I ran into the following question: > > Section 6.1 of > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15 talks about the client using the assertion with the **token endpoint**. > > Now, it appears that one cannot use the client authentication with other endpoints, such as the introspection endpoint defined in > http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2 > > Am I reading too much into Section 6.1 of the assertion draft? > > Ciao > Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Wed Apr 23 10:04:33 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40EDF1A03B6 for ; Wed, 23 Apr 2014 10:04:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_RED=0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XdTXLw2EHBb9 for ; Wed, 23 Apr 2014 10:04:28 -0700 (PDT) Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0237.outbound.protection.outlook.com [207.46.163.237]) by ietfa.amsl.com (Postfix) with ESMTP id 877B21A0221 for ; Wed, 23 Apr 2014 10:04:28 -0700 (PDT) Received: from CH1PR03CA006.namprd03.prod.outlook.com (10.255.156.151) by BL2PR03MB435.namprd03.prod.outlook.com (10.141.92.24) with Microsoft SMTP Server (TLS) id 15.0.921.12; Wed, 23 Apr 2014 17:04:20 +0000 Received: from BL2FFO11FD045.protection.gbl (10.255.156.132) by CH1PR03CA006.outlook.office365.com (10.255.156.151) with Microsoft SMTP Server (TLS) id 15.0.921.12 via Frontend Transport; Wed, 23 Apr 2014 17:04:20 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD045.mail.protection.outlook.com (10.173.161.207) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Wed, 23 Apr 2014 17:04:20 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0174.002; Wed, 23 Apr 2014 17:03:42 +0000 From: Mike Jones To: Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up Thread-Index: AQHPXs/+AbcgNVUF5Euf8vKZ+xVfPZsfbjqQ Date: Wed, 23 Apr 2014 17:03:41 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A191EB9@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <53577C73.2010201@gmx.net> In-Reply-To: <53577C73.2010201@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.36] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(377454003)(53754006)(13464003)(189002)(199002)(4396001)(15975445006)(55846006)(92726001)(76482001)(83072002)(23726002)(84676001)(85852003)(92566001)(46102001)(50466002)(46406003)(2656002)(74502001)(97736001)(74662001)(97756001)(15202345003)(31966008)(79102001)(80976001)(54356999)(81542001)(81342001)(87936001)(66066001)(80022001)(19580405001)(19580395003)(83322001)(77982001)(44976005)(86362001)(99396002)(47776003)(20776003)(50986999)(76176999)(6806004)(2009001)(33656001); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB435; H:mail.microsoft.com; FPR:C608F5CE.9ED2D381.B1D37BB7.42E8C881.20714; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01901B3451 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/E5N2a-d9M1WZxPYQq7q76-XVqYc Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 17:04:31 -0000 I am not aware of any IPR that applies to this specification. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, April 23, 2014 1:40 AM To: oauth@ietf.org Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up Hi all, I am working on the shepherd writeup for the JWT bearer document. The sheph= erd write-ups for the assertion draft and the SAML bearer document have bee= n completed a while ago already, see http://www.ietf.org/mail-archive/web/o= auth/current/msg12410.html A few requests: - To the document authors: Please confirm that any and all appropriate IPR = disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. - To all: Are you aware of implementations of this specification? If so, I = would like to reference them in my write-up. - To all: Please also go through the text to make sure that I correctly ref= lect the history and the status of this document. Here is the most recent version of the write-up: https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/sh= epherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt (The copy-and-paste of the full version is below.) Ciao Hannes PS: Note that I have send a mail about a pending issue to the list. In resp= onse to my question I will update the write-up accordingly. ---- Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authenticati= on and Authorization Grants" (1) What type of RFC is being requested (BCP, Proposed Standard, Internet S= tandard, Informational, Experimental, or Historic)? Why is this the proper = type of RFC? Is this type of RFC indicated in the title page header? The RFC type is 'Standards Track' and the type is indicated in the title pa= ge. This document defines an instantiation for the OAuth assertion framewor= k using JSON Web Tokens. (2) The IESG approval announcement includes a Document Announcement Write-U= p. Please provide such a Document Announcement Write-Up. Recent examples ca= n be found in the "Action" announcements for approved documents. The approv= al announcement contains the following sections: Technical Summary: This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. Working Group Summary: Was there anything in WG process that is worth noting? For example, was the= re controversy about particular points or were there decisions where the co= nsensus was particularly rough? This document belongs to the OAuth assertion document bundle consisting of = the abstract OAuth assertion framework, and the SAML assertion profile. Due= to the use of the JSON-based encoding of the assertion it also relies on t= he work in the JOSE working group (such as JWE/JWS) indirectly through the = use of the JWT. This document has intentionally been kept in sync with the = SAML-based version. Document Quality: This document has gone through many iterations and has received substantial= feedback. [[Add implementation list here.]] Personnel: The document shepherd is Hannes Tschofenig and the responsible area directo= r is Kathleen Moriarty. (3) Briefly describe the review of this document that was performed by the = Document Shepherd. If this version of the document is not ready for publica= tion, please explain why the document is being forwarded to the IESG. The draft authors believe that this document is ready for publication. The document has had received review comments from working group members, a= nd from the OAuth working group chairs. These review comments have been tak= en into account. (4) Does the document Shepherd have any concerns about the depth or breadth= of the reviews that have been performed? This document has gotten feedback from the working group and given the focu= sed use cases it has received adequate review. (5) Do portions of the document need review from a particular or from broad= er perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML= , or internationalization? If so, describe the review that took place. Since the OAuth working group develops security protocols any feedback from= the security community is always appreciated. (6) Describe any specific concerns or issues that the Document Shepherd has= with this document that the Responsible Area Director and/or the IESG shou= ld be aware of? For example, perhaps he or she is uncomfortable with certai= n parts of the document, or has concerns whether there really is a need for= it. In any event, if the WG has discussed those issues and has indicated t= hat it still wishes to advance the document, detail those concerns here. The shepherd has no concerns with this document. (7) Has each author confirmed that any and all appropriate IPR disclosures = required for full conformance with the provisions of BCP 78 and BCP 79 have= already been filed. If not, explain why? [[Confirmation from the authors required.]] (8) Has an IPR disclosure been filed that references this document? If so, = summarize any WG discussion and conclusion regarding the IPR disclosures. No IPR disclosures have been filed on this document. However, two IPRs have= been filed for the JWT specification this document relies on, see http://d= atatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraft-ietf-oa= uth-json-web-token (9) How solid is the WG consensus behind this document? Does it represent t= he strong concurrence of a few individuals, with others being silent, or do= es the WG as a whole understand and agree with it? The working group has consensus to publish this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discont= ent? If so, please summarise the areas of conflict in separate email messag= es to the Responsible Area Director. (It should be in a separate email beca= use this questionnaire is publicly available.) No appeal or extreme discontent has been raised. (11) Identify any ID nits the Document Shepherd has found in this document.= (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).= Boilerplate checks are not enough; this check needs to be thorough. The shepherd has checked the nits. (12) Describe how the document meets any required formal review criteria, s= uch as the MIB Doctor, media type, and URI type reviews. There is no such review necessary. (13) Have all references within this document been identified as either nor= mative or informative? Yes. (14) Are there normative references to documents that are not ready for adv= ancement or are otherwise in an unclear state? If such normative references= exist, what is the plan for their completion? Yes. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the L= ast Call procedure. RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational RFC.= A downref is required. However, this document depends on the completion of the abstract OAuth asse= rtion framework and on the JWT specification. There are the following dependencies: (16) Will publication of this document change the status of any existing RF= Cs? Are those RFCs listed on the title page header, listed in the abstract,= and discussed in the introduction? If the RFCs are not listed in the Abstr= act and Introduction, explain why, and point to the part of the document wh= ere the relationship of this document to the other RFCs is discussed. If th= is information is not in the document, explain why the WG considers it unne= cessary. The publication of this document does not change the status of other RFCs. (17) Describe the Document Shepherd's review of the IANA considerations sec= tion, especially with regard to its consistency with the body of the docume= nt. Confirm that all protocol extensions that the document makes are associ= ated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. C= onfirm that newly created IANA registries include a detailed specification = of the initial contents for the registry, that allocations procedures for f= uture registrations are defined, and a reasonable name for the new registry= has been suggested (see RFC 5226). The document registers two sub-namespaces to the urn:ietf:params:oauth URN = established with RFC 6755. (18) List any new IANA registries that require Expert Review for future all= ocations. Provide any public guidance that the IESG would find useful in se= lecting the IANA Experts for these new registries. The document only adds entries to existing registries and does not define a= ny new registries. (19) Describe reviews and automated checks performed by the Document Shephe= rd to validate sections of the document written in a formal language, such = as XML code, BNF rules, MIB definitions, etc. There are only snippets of message exchanges and JWT assertion structures, = which are based on JSON, used in the examples. There is no pseudo code cont= ained in the document that requires validation. From nobody Wed Apr 23 12:19:42 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E6271A024D for ; Wed, 23 Apr 2014 12:19:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4o1_bpIS1_CK for ; Wed, 23 Apr 2014 12:19:39 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 6C2001A04C8 for ; Wed, 23 Apr 2014 12:19:39 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MCwbX-1WmhUN13bf-009kmo for ; Wed, 23 Apr 2014 21:19:32 +0200 Message-ID: <5358110C.9020503@gmx.net> Date: Wed, 23 Apr 2014 21:14:20 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="mPuBW1dej32FjPk2SsO9AFg9ecPWkrRRh" X-Provags-ID: V03:K0:enCJmOBSPyABzMeGYNMMxHgKryq+Bx1zAdj5rflSPz2zwdG2Q2s UNqnSb6ceWr8zx5/av+vD5f8ZZFn+dHN4Om+icHPiibdc62muvMDz+cKdpIQF6cuqmfjxVk xfJv/n4aLeoHyFEdbp/e+wlQgcofejWoggq6ZV96LsYAZyDl/mIF0jUdZzIG3JfKcksbYpm Sh1htFBmLTYzC766+Z+LA== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/rrO75-Eb8dmsNgJ2RCPih44DNG4 Subject: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-metadata-00 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 19:19:41 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --mPuBW1dej32FjPk2SsO9AFg9ecPWkrRRh Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, I read through the document as part of my shepherding task; it is nicely written and easy to understand. I only have a few minor suggestions: * client_uri: URL of the homepage of the client. Would it be better to say that this is the URI provides further information about the client software (provided by the client software developer)? * logo_uri: The value of this field MUST point to a valid image file. Would it make sense to provide a type field here as well, such as in HTML (e.g., type=3D"image/png")? * contacts: Would these email addresses be in the format of mailto:user@example.com or would you just use joe@example.com? I am asking because with the URI scheme one could potentially provide other contact information here as well, such as XMPP URIs or so. * policy_uri: Would it be better to call this a privacy notice rather than policy document? Here is a short description what a privacy notice is: https://www.privacyassociation.org/resource_center/privacy_glossary/priva= cy_notice * jwks_uri: The text provides little information about how this element is used. I believe that this is an alternative way of using the PoP architecture, where the client registers keys with the authorization server that can then be tied to access tokens. Right? I could add some text in the PoP overview document to explain this and maybe you could include a reference to the PoP document (as an informative reference, for example). Ciao Hannes --mPuBW1dej32FjPk2SsO9AFg9ecPWkrRRh Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWBEMAAoJEGhJURNOOiAtTgUH/1JFTohFPb9766vjDurXSgC7 pLla8uMbDfKHiuB9rO+YL457GODCZeLieko3FkCtQ6gVS1nk+QguwCy5nDTpZpmC HSmw+BlTTpXJGgmrnrIvDWOBwj54Z8XwzVlfYD6aMcC5GY32/7ZMapnR6xay2aHQ gCg9A0ff9eG3FLXqmyp9nVEqnwL29dWf/s69xkVNz1BsM8FDPPY2inyUPndG6MYE +4KlvfB6bCS3591n2KrFsKq9aOqpu9X6mP8ock222IXiRAdcniRvH9rQ75mQw0Q1 P3CegTVAtCzxi8Xp3cjA3UsdX0ExwS+XxNBEOP9BTeohkMZ0/cF5zPC+qCoutS4= =NcoW -----END PGP SIGNATURE----- --mPuBW1dej32FjPk2SsO9AFg9ecPWkrRRh-- From nobody Wed Apr 23 13:26:01 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8CC01A064C for ; Wed, 23 Apr 2014 13:26:00 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.471 X-Spam-Level: X-Spam-Status: No, score=-4.471 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RFKZxmvxoKOa for ; Wed, 23 Apr 2014 13:25:58 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5A8441A0644 for ; Wed, 23 Apr 2014 13:25:58 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 75ECF1F0837; Wed, 23 Apr 2014 16:25:52 -0400 (EDT) Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 5706A1F0822; Wed, 23 Apr 2014 16:25:52 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.3.174.1; Wed, 23 Apr 2014 16:25:51 -0400 Message-ID: <535821A9.8020503@mitre.org> Date: Wed, 23 Apr 2014 16:25:13 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hannes Tschofenig , "oauth@ietf.org" References: <5358110C.9020503@gmx.net> In-Reply-To: <5358110C.9020503@gmx.net> Content-Type: multipart/alternative; boundary="------------020309060309000809080901" X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/1AOuXKWrq1tlaSDTiibypfaP3uc Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-metadata-00 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 20:26:00 -0000 --------------020309060309000809080901 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit Thank you for the review, responses inline (and this draft still needs to be factored back into the main one): On 04/23/2014 03:14 PM, Hannes Tschofenig wrote: > Hi all, > > I read through the document as part of my shepherding task; it is nicely > written and easy to understand. > > I only have a few minor suggestions: > > * client_uri: URL of the homepage of the client. > > Would it be better to say that this is the URI provides further > information about the client software (provided by the client software > developer)? I personally think "homepage" is a clear designator of that, but would not be adverse to extending the definition somewhat. > * logo_uri: The value of this field MUST point to a valid image file. > > Would it make sense to provide a type field here as well, such as in > HTML (e.g., type="image/png")? Unless we're going to allow the client to register and manage multiple images (please, no), then we shouldn't go out of our way to store mimetypes. This is a URL to be fetched and/or stored -- its content doesn't much matter. > * contacts: Would these email addresses be in the format of > mailto:user@example.com or would you just use joe@example.com? > I am asking because with the URI scheme one could potentially provide > other contact information here as well, such as XMPP URIs or so. I think you could do either, but what I've seen deployed is the non-URI version of joe@example.com. I think it would make sense for it to be listed as not just email addresses but also other contact URIs -- however, I don't think it's particularly useful to devolve into a full contact record. It should be simple and actionable by a person, and email fits that bill (as well as XMPP might, arguably). > * policy_uri: Would it be better to call this a privacy notice rather > than policy document? > Here is a short description what a privacy notice is: > https://www.privacyassociation.org/resource_center/privacy_glossary/privacy_notice I would think that policy document is a superset of privacy notice, right? > * jwks_uri: The text provides little information about how this element > is used. I believe that this is an alternative way of using the PoP > architecture, where the client registers keys with the authorization > server that can then be tied to access tokens. Right? I could add some > text in the PoP overview document to explain this and maybe you could > include a reference to the PoP document (as an informative reference, > for example). The text states that this is there for the use of higher level protocols. Several of which (including OIDC and BB+, not to mention more advanced token types and client authentication methods) have a need to tie a key to a client. This, and the proposed jwks value, provide a hook for that kind of stuff. -- Justin > > Ciao > Hannes > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------020309060309000809080901 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Thank you for the review, responses inline (and this draft still needs to be factored back into the main one):

On 04/23/2014 03:14 PM, Hannes Tschofenig wrote:
Hi all,

I read through the document as part of my shepherding task; it is nicely
written and easy to understand.

I only have a few minor suggestions:

* client_uri: URL of the homepage of the client.

Would it be better to say that this is the URI provides further
information about the client software (provided by the client software
developer)?

I personally think "homepage" is a clear designator of that, but would not be adverse to extending the definition somewhat.

* logo_uri: The value of this field MUST point to a valid image file.

Would it make sense to provide a type field here as well, such as in
HTML (e.g., type="image/png")?

Unless we're going to allow the client to register and manage multiple images (please, no), then we shouldn't go out of our way to store mimetypes. This is a URL to be fetched and/or stored -- its content doesn't much matter.

* contacts: Would these email addresses be in the format of
mailto:user@example.com or would you just use joe@example.com?
I am asking because with the URI scheme one could potentially provide
other contact information here as well, such as XMPP URIs or so.

I think you could do either, but what I've seen deployed is the non-URI version of joe@example.com. I think it would make sense for it to be listed as not just email addresses but also other contact URIs -- however, I don't think it's particularly useful to devolve into a full contact record. It should be simple and actionable by a person, and email fits that bill (as well as XMPP might, arguably).

* policy_uri: Would it be better to call this a privacy notice rather
than policy document?
Here is a short description what a privacy notice is:
https://www.privacyassociation.org/resource_center/privacy_glossary/privacy_notice

I would think that policy document is a superset of privacy notice, right?

* jwks_uri: The text provides little information about how this element
is used. I believe that this is an alternative way of using the PoP
architecture, where the client registers keys with the authorization
server that can then be tied to access tokens. Right? I could add some
text in the PoP overview document to explain this and maybe you could
include a reference to the PoP document (as an informative reference,
for example).

The text states that this is there for the use of higher level protocols. Several of which (including OIDC and BB+, not to mention more advanced token types and client authentication methods) have a need to tie a key to a client. This, and the proposed jwks value, provide a hook for that kind of stuff.

 -- Justin


Ciao
Hannes





_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------020309060309000809080901-- From nobody Wed Apr 23 15:38:10 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6C891A070B for ; Wed, 23 Apr 2014 15:38:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n7s0Qi2obI7U for ; Wed, 23 Apr 2014 15:38:05 -0700 (PDT) Received: from na3sys009aog116.obsmtp.com (na3sys009aog116.obsmtp.com [74.125.149.240]) by ietfa.amsl.com (Postfix) with ESMTP id 56F161A029F for ; Wed, 23 Apr 2014 15:38:05 -0700 (PDT) Received: from mail-ie0-f173.google.com ([209.85.223.173]) (using TLSv1) by na3sys009aob116.postini.com ([74.125.148.12]) with SMTP ID DSNKU1hAx2qv/HPVabVz/HpZR2pGvM7bNxaX@postini.com; Wed, 23 Apr 2014 15:37:59 PDT Received: by mail-ie0-f173.google.com with SMTP id rl12so1623838iec.32 for ; Wed, 23 Apr 2014 15:37:59 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=OH7WYZvmUMAcUet1HARS9KPSTSnh4iRkJkEk5Rcyqcw=; b=lO1Nb/JtbXfk5pHIsIk9DkQ3lkZnOdc8Zw7cyfGFnyJCQQxmporJCoRDUEtvjHv6xc EJK9IK3TCG48+2Yy6sqzbKGAvVzmvAzDi+j6AkmVQmy3aB8zgir2yKXiiydMXn/FO9EF yJWsnWpT9Fa4YPUxUmGBc+vfsfqRkOzK0ax3JSD0e9jT69+PuH3+3P/Rz+sWyER/0b21 +XBtglWRaWhfjotstPWjCrPpqT24AIPfJaA6OQ8vlp3QTRIIgfXwQRF1zL1Z/wHbE3X1 NvvsEiUyLVVZSI7B67ok5UqfkivBxvq1Zur5NoVvC4kF7pyQkknc8JIsGAM1XlBPpaj6 +3Xg== X-Gm-Message-State: ALoCoQl/M+ckLxdp9p0kn1JMtNoL5uVdZX0VSQqQxrES2QB9Q1HNpoKAF09ujuzmMT440OmuVKAO8iHXd2iQQTv6sNx5dS/+octsehSis7p8xLpQHLDfMdy7zmCOpF+Q+H9FTuCMMxrd X-Received: by 10.42.173.68 with SMTP id q4mr45070074icz.41.1398292679313; Wed, 23 Apr 2014 15:37:59 -0700 (PDT) X-Received: by 10.42.173.68 with SMTP id q4mr45070067icz.41.1398292679218; Wed, 23 Apr 2014 15:37:59 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Wed, 23 Apr 2014 15:37:29 -0700 (PDT) In-Reply-To: <53577C41.2090606@gmx.net> References: <53577C41.2090606@gmx.net> From: Brian Campbell Date: Wed, 23 Apr 2014 16:37:29 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=90e6ba6e863a6ff4b604f7bd62c9 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2j2j-JdSGIesg8eQMxHWmUBKq2A Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 22:38:08 -0000 --90e6ba6e863a6ff4b604f7bd62c9 Content-Type: text/plain; charset=UTF-8 That thread that Antonio started which you reference went on for some time ( http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) and seems to have reached consensus that the spec didn't need normative change and that such privacy cases or other cases which didn't explicitly need a subject identifier would be more appropriately dealt with in application logic: http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi all, > > in preparing the shepherd write-up for draft-ietf-oauth-jwt-bearer-08 I > had to review our recent email conversations and the issue raised by > Antonio in > http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html belong > to it. > > The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-08 says: > " > 2. The JWT MUST contain a "sub" (subject) claim identifying the > principal that is the subject of the JWT. Two cases need to be > differentiated: > > A. For the authorization grant, the subject SHOULD identify an > authorized accessor for whom the access token is being > requested (typically the resource owner, or an authorized > delegate). > > B. For client authentication, the subject MUST be the > "client_id" of the OAuth client. > " > > Antonio pointed to the current Google API to illustrate that the subject > is not always needed. Here is the Google API documentation: > https://developers.google.com/accounts/docs/OAuth2ServiceAccount > > The Google API used the client authentication part (rather than the > authorization grant), in my understanding. > > I still believe that the subject field has to be included for client > authentication but I am not so sure anymore about the authorization > grant since I could very well imagine cases where the subject is not > needed for authorization decisions but also for privacy reasons. > > I would therefore suggest to change the text as follows: > > " > 2. The JWT contains a "sub" (subject) claim identifying the > principal that is the subject of the JWT. Two cases need to be > differentiated: > > A. For the authorization grant, the subject claim MAY > be included. If it is included it MUST identify the > authorized accessor for whom the access token is being > requested (typically the resource owner, or an authorized > delegate). Reasons for not including the subject claim > in the JWT are identity hiding (i.e., privacy protection > of the identifier of the subject) and cases where > the identifier of the subject is irrelevant for making > an authorization decision by the resource server. > > B. For client authentication, the subject MUST be the > included in the JWT and the value MUST be populated > with the "client_id" of the OAuth client. > " > > What do you guys think? > > Ciao > Hannes > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --90e6ba6e863a6ff4b604f7bd62c9 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
That thread that Antonio started which you reference went = on for some time (http://www.ietf.org/mail-archive= /web/oauth/current/threads.html#12520) and seems to have reached consen= sus that the spec didn't need normative change and that such privacy ca= ses or other cases which didn't explicitly need a subject identifier wo= uld be more appropriately dealt with in application logic: http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html



On We= d, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig <hannes.tschofenig@g= mx.net> wrote:
Hi all,

in preparing the shepherd write-up for draft-ietf-oauth-jwt-bearer-08 I
had to review our recent email conversations and the issue raised by
Antonio in
http://www.ietf.org/mail-archive/web/oauth/current/msg1= 2520.html belong
to it.

The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-08 says:
"
=C2=A0 =C2=A02. =C2=A0 The JWT MUST contain a "sub" (subject) cla= im identifying the
=C2=A0 =C2=A0 =C2=A0 =C2=A0 principal that is the subject of the JWT. =C2= =A0Two cases need to be
=C2=A0 =C2=A0 =C2=A0 =C2=A0 differentiated:

=C2=A0 =C2=A0 =C2=A0 =C2=A0 A. =C2=A0For the authorization grant, the subje= ct SHOULD identify an
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized accessor for whom the = access token is being
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 requested (typically the resource= owner, or an authorized
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 delegate).

=C2=A0 =C2=A0 =C2=A0 =C2=A0 B. =C2=A0For client authentication, the subject= MUST be the
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 "client_id" of the OAut= h client.
"

Antonio pointed to the current Google API to illustrate that the subject is not always needed. Here is the Google API documentation:
https://developers.google.com/accounts/docs/OAuth2Servi= ceAccount

The Google API used the client authentication part (rather than the
authorization grant), in my understanding.

I still believe that the subject field has to be included for client
authentication but I am not so sure anymore about the authorization
grant since I could very well imagine cases where the subject is not
needed for authorization decisions but also for privacy reasons.

I would therefore suggest to change the text as follows:

"
=C2=A0 =C2=A02. =C2=A0 The JWT contains a "sub" (subject) claim i= dentifying the
=C2=A0 =C2=A0 =C2=A0 =C2=A0 principal that is the subject of the JWT. =C2= =A0Two cases need to be
=C2=A0 =C2=A0 =C2=A0 =C2=A0 differentiated:

=C2=A0 =C2=A0 =C2=A0 =C2=A0 A. =C2=A0For the authorization grant, the subje= ct claim MAY
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 be included. If it is included it= MUST identify the
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized accessor for whom the = access token is being
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 requested (typically the resource= owner, or an authorized
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 delegate). Reasons for not includ= ing the subject claim
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 in the JWT are identity hiding (i= .e., privacy protection
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 of the identifier of the subject)= and cases where
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 the identifier of the subject is = irrelevant for making
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 an authorization decision by the = resource server.

=C2=A0 =C2=A0 =C2=A0 =C2=A0 B. =C2=A0For client authentication, the subject= MUST be the
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 included in the JWT and the value= MUST be populated
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 with the "client_id" of= the OAuth client.
"

What do you guys think?

Ciao
Hannes


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--90e6ba6e863a6ff4b604f7bd62c9-- From nobody Wed Apr 23 15:47:09 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8C0D1A070B for ; Wed, 23 Apr 2014 15:47:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.577 X-Spam-Level: X-Spam-Status: No, score=-3.577 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_RED=0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c9gw1DgMN1nd for ; Wed, 23 Apr 2014 15:47:03 -0700 (PDT) Received: from na3sys009aog131.obsmtp.com (na3sys009aog131.obsmtp.com [74.125.149.247]) by ietfa.amsl.com (Postfix) with ESMTP id 8A60D1A029F for ; Wed, 23 Apr 2014 15:47:03 -0700 (PDT) Received: from mail-ig0-f178.google.com ([209.85.213.178]) (using TLSv1) by na3sys009aob131.postini.com ([74.125.148.12]) with SMTP ID DSNKU1hC4WTXJ5Yone3SSwhynX02diEOMSYJ@postini.com; Wed, 23 Apr 2014 15:46:58 PDT Received: by mail-ig0-f178.google.com with SMTP id hn18so185580igb.17 for ; Wed, 23 Apr 2014 15:46:57 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=etajoBNcCzqv/1eyyj0PR3422MgThxDj/5PRC/+vz8I=; b=PnY/SeSbcIT8zSpo7OOQvlkl0cCnz5C8IE0Yip+X3FJX6IYEBd6i53pUKCdFAUjTgK a/81LC3HcH7qACautvO9TqaiJZV60xSEZAmEsOq282JuTB0QO1bNFIuKi7fHs8Ncmq2k T9XHAIxvsg9Aw1Zqct8CLd0ApJKJ21l/anW93hPkxvxjpaRjItTKinYfSSRXutor5MCG T+vutxJMO+nMuYPRct3a+/3Hxh3R9HdpaqcrHkgEe9xFDunF7ahdJfDnJapvSMZBMHn1 USV3+SS8ncJiBkqcBXUe+NjSNpoZokENoLvhoLvB1mYO/UkuKiDadjmPxvF73QXCN+Ng f7zw== X-Gm-Message-State: ALoCoQlpmWdFvtBV8gUNAkYrbLPa9OfTcLJdq1jKfhqvsm0k1i4Wcl4KwWy2js105/Xm5Vja3em4zPXyR326/zYuufPg/NRfFFOSTOcTTub6WDZ6GAHciLiRkEYJisAjK+tiPLnkQzMa X-Received: by 10.50.49.109 with SMTP id t13mr84259ign.2.1398293217637; Wed, 23 Apr 2014 15:46:57 -0700 (PDT) X-Received: by 10.50.49.109 with SMTP id t13mr84254ign.2.1398293217524; Wed, 23 Apr 2014 15:46:57 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Wed, 23 Apr 2014 15:46:27 -0700 (PDT) In-Reply-To: <5357AA4C.8080707@gmx.net> References: <5357AA4C.8080707@gmx.net> From: Brian Campbell Date: Wed, 23 Apr 2014 16:46:27 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=047d7bdc123485dd8804f7bd8202 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Mv5PDv8LxHgVzD6USsDWIz0VlF4 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 22:47:07 -0000 --047d7bdc123485dd8804f7bd8202 Content-Type: text/plain; charset=UTF-8 While OAuth access tokens are a valuable application of JWT, might it also be worthwhile to mention that JWT can and will be useful in other contexts? Connect's ID Token is one such example: http://openid.net/specs/openid-connect-core-1_0.html#IDToken On Wed, Apr 23, 2014 at 5:55 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi all, > > I am working on the shepherd writeup for the JWT. Here are a few questions: > > - To the document authors: Please confirm that any and all appropriate > IPR disclosures required for full conformance with the provisions of BCP > 78 and BCP 79 have already been filed. > > - To all: I have included various pointers to implementations in the > write-up. Maybe there are others that should be included. If so, please > let me know. > > - To all: Please also go through the text to make sure that I correctly > reflect the history and the status of this document. > > Here is the latest version of the write-up: > > https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT.txt > > Ciao > Hannes > > PS: Here is the copy-and-paste text: > > -------- > > Writeup for "JSON Web Token (JWT)" > > (1) What type of RFC is being requested (BCP, Proposed Standard, > Internet Standard, Informational, Experimental, or Historic)? Why is > this the proper type of RFC? Is this type of RFC indicated in the title > page header? > > The RFC type is 'Standards Track' and the type is indicated in the title > page. This document defines the syntax and semantic of information > elements. > > (2) The IESG approval announcement includes a Document Announcement > Write-Up. Please provide such a Document Announcement Write-Up. Recent > examples can be found in the "Action" announcements for approved > documents. The approval announcement contains the following sections: > > Technical Summary: > > JSON Web Token (JWT) is a compact URL-safe means of representing > claims to be transferred between two parties. The claims in a JWT > are encoded as a JavaScript Object Notation (JSON) object that is > used as the payload of a JSON Web Signature (JWS) structure or as the > plaintext of a JSON Web Encryption (JWE) structure, enabling the > claims to be digitally signed or MACed and/or encrypted. > > Working Group Summary: > > Was there anything in WG process that is worth noting? For example, was > there controversy about particular points or were there decisions where > the consensus was particularly rough? > > This document was uncontroversial. It allows OAuth deployments to use a > standardized access token format, which increases interoperability of > OAuth-based deployments. > > Document Quality: > > This document has gone through many iterations and has received > substantial feedback. > > A substantial number of implementations exist, as documented at > http://openid.net/developers/libraries/ > (scrowl down to the 'JWT/JWS/JWE/JWK/JWA Implementations' section) > > An Excel document providing additional details can be found here: > http://www.oauth-v2.org/wp-content/uploads/2014/04/JWT-Implementations.xlsx > > Personnel: > > The document shepherd is Hannes Tschofenig and the responsible area > director is Kathleen Moriarty. > > (3) Briefly describe the review of this document that was performed by > the Document Shepherd. If this version of the document is not ready for > publication, please explain why the document is being forwarded to the > IESG. > > The draft authors believe that this document is ready for publication. > The document has received review comments from working group members, > and from the OAuth working group chairs. Implementations exist and they > have tested for interoperability as part of the OpenID Connect interop > events. > > (4) Does the document Shepherd have any concerns about the depth or > breadth of the reviews that have been performed? > > This document has gotten enough feedback from the working group. > > (5) Do portions of the document need review from a particular or from > broader perspective, e.g., security, operational complexity, AAA, DNS, > DHCP, XML, or internationalization? If so, describe the review that took > place. > > Since the OAuth working group develops security protocols any feedback > from the security community is always appreciated. > The JWT document heavily depends on the work in the JOSE working group > since it re-uses the JWE and the JWS specifications. > > (6) Describe any specific concerns or issues that the Document Shepherd > has with this document that the Responsible Area Director and/or the > IESG should be aware of? For example, perhaps he or she is uncomfortable > with certain parts of the document, or has concerns whether there really > is a need for it. In any event, if the WG has discussed those issues and > has indicated that it still wishes to advance the document, detail those > concerns here. > > The shepherd has no concerns with this document. > > (7) Has each author confirmed that any and all appropriate IPR > disclosures required for full conformance with the provisions of BCP 78 > and BCP 79 have already been filed. If not, explain why? > > [[Confirmation from the authors required.]] > > (8) Has an IPR disclosure been filed that references this document? If > so, summarize any WG discussion and conclusion regarding the IPR > disclosures. > > Two IPRs have been filed for the JWT specification this document relies > on, see > > http://datatracker.ietf.org/ipr/search/?option=document_search&id=draft-ietf-oauth-json-web-token > > > There was no discussion regarding those two IPRs on the mailing list. > > (9) How solid is the WG consensus behind this document? Does it > represent the strong concurrence of a few individuals, with others being > silent, or does the WG as a whole understand and agree with it? > > The working group has consensus to publish this document. > > (10) Has anyone threatened an appeal or otherwise indicated extreme > discontent? If so, please summarise the areas of conflict in separate > email messages to the Responsible Area Director. (It should be in a > separate email because this questionnaire is publicly available.) > > No appeal or extreme discontent has been raised. > > (11) Identify any ID nits the Document Shepherd has found in this > document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts > Checklist). Boilerplate checks are not enough; this check needs to be > thorough. > > The shepherd has checked the nits. The shepherd has not verified the > examples for correctness. > > (12) Describe how the document meets any required formal review > criteria, such as the MIB Doctor, media type, and URI type reviews. > > The document does not require a formal review even though it contains > JSON-based examples. > > (13) Have all references within this document been identified as either > normative or informative? > > Yes. > > (14) Are there normative references to documents that are not ready for > advancement or are otherwise in an unclear state? If such normative > references exist, what is the plan for their completion? > > There are various JOSE documents that have not been published as RFCs > yet. As such, this document cannot be published before the respective > JOSE documents are finalized. > > (15) Are there downward normative references references (see RFC 3967)? > If so, list these downward references to support the Area Director in > the Last Call procedure. > > The document contains a reference to > > [ECMAScript] > Ecma International, "ECMAScript Language Specification, > 5.1 Edition", ECMA 262, June 2011. > > which might require a downref. > > RFC 6755 is also a downref. > > > (16) Will publication of this document change the status of any existing > RFCs? Are those RFCs listed on the title page header, listed in the > abstract, and discussed in the introduction? If the RFCs are not listed > in the Abstract and Introduction, explain why, and point to the part of > the document where the relationship of this document to the other RFCs > is discussed. If this information is not in the document, explain why > the WG considers it unnecessary. > > The publication of this document does not change the status of other RFCs. > > (17) Describe the Document Shepherd's review of the IANA considerations > section, especially with regard to its consistency with the body of the > document. Confirm that all protocol extensions that the document makes > are associated with the appropriate reservations in IANA registries. > Confirm that any referenced IANA registries have been clearly > identified. Confirm that newly created IANA registries include a > detailed specification of the initial contents for the registry, that > allocations procedures for future registrations are defined, and a > reasonable name for the new registry has been suggested (see RFC 5226). > > The document creates a new registry for JWT claims and populates this > registry with values. > It also registers values into two existing registries, namely into > * the RFC 6755 created OAuth URN registry, and > * the media type registry > > (18) List any new IANA registries that require Expert Review for future > allocations. Provide any public guidance that the IESG would find useful > in selecting the IANA Experts for these new registries. > > The newly created JWT claims registry requires expert review for future > allocations. Guidance is given in the document. > The document shepherd volunteers to become an expert review. > > (19) Describe reviews and automated checks performed by the Document > Shepherd to validate sections of the document written in a formal > language, such as XML code, BNF rules, MIB definitions, etc. > > There are examples in the document that use a JSON-based encoding. The > document shepherd has reviewed those examples but has not verified the > correctness of the cryptographic operations. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --047d7bdc123485dd8804f7bd8202 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
While OAuth access tokens are a valuable application of JW= T, might it also be worthwhile to mention that JWT can and will be useful i= n other contexts? Connect's ID Token is one such example: http://openid.n= et/specs/openid-connect-core-1_0.html#IDToken


On Wed,= Apr 23, 2014 at 5:55 AM, Hannes Tschofenig <hannes.tschofenig@g= mx.net> wrote:
Hi all,

I am working on the shepherd writeup for the JWT. Here are a few questions:=

- To the document authors: Please confirm that any and all appropriate
IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.

- To all: I have included various pointers to implementations in the
write-up. Maybe there are others that should be included. If so, please
let me know.

- To all: Please also go through the text to make sure that I correctly
reflect the history and the status of this document.

Here is the latest version of the write-up:
https:/= /raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-= writeups/Writeup_OAuth_JWT.txt

Ciao
Hannes

PS: Here is the copy-and-paste text:

--------

Writeup for "JSON Web Token (JWT)" <draft-ietf-oauth-json-web-= token-19>

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)? Why is
this the proper type of RFC? Is this type of RFC indicated in the title
page header?

The RFC type is 'Standards Track' and the type is indicated in the = title
page. This document defines the syntax and semantic of information
elements.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved<= br> documents. The approval announcement contains the following sections:

Technical Summary:

=C2=A0 =C2=A0JSON Web Token (JWT) is a compact URL-safe means of representi= ng
=C2=A0 =C2=A0claims to be transferred between two parties. =C2=A0The claims= in a JWT
=C2=A0 =C2=A0are encoded as a JavaScript Object Notation (JSON) object that= is
=C2=A0 =C2=A0used as the payload of a JSON Web Signature (JWS) structure or= as the
=C2=A0 =C2=A0plaintext of a JSON Web Encryption (JWE) structure, enabling t= he
=C2=A0 =C2=A0claims to be digitally signed or MACed and/or encrypted.

Working Group Summary:

Was there anything in WG process that is worth noting? For example, was
there controversy about particular points or were there decisions where
the consensus was particularly rough?

This document was uncontroversial. It allows OAuth deployments to use a
standardized access token format, which increases interoperability of
OAuth-based deployments.

Document Quality:

This document has gone through many iterations and has received
substantial feedback.

A substantial number of implementations exist, as documented at
http:= //openid.net/developers/libraries/
(scrowl down to the 'JWT/JWS/JWE/JWK/JWA Implementations' section)<= br>
An Excel document providing additional details can be found here:
http://www.oauth-v2.org/wp-content/uploads/2= 014/04/JWT-Implementations.xlsx

Personnel:

The document shepherd is Hannes Tschofenig and the responsible area
director is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd. If this version of the document is not ready for
publication, please explain why the document is being forwarded to the IESG= .

The draft authors believe that this document is ready for publication.
The document has received review comments from working group members,
and from the OAuth working group chairs. Implementations exist and they
have tested for interoperability as part of the OpenID Connect interop
events.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

This document has gotten enough feedback from the working group.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that took place.

Since the OAuth working group develops security protocols any feedback
from the security community is always appreciated.
The JWT document heavily depends on the work in the JOSE working group
since it re-uses the JWE and the JWS specifications.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

The shepherd has no concerns with this document.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why?

[[Confirmation from the authors required.]]

(8) Has an IPR disclosure been filed that references this document? If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

Two IPRs have been filed for the JWT specification this document relies
on, see
http://datatra= cker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraft-ietf-oaut= h-json-web-token


There was no discussion regarding those two IPRs on the mailing list.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

The working group has consensus to publish this document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No appeal or extreme discontent has been raised.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The shepherd has checked the nits. The shepherd has not verified the
examples for correctness.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

The document does not require a formal review even though it contains
JSON-based examples.

(13) Have all references within this document been identified as either
normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

There are various JOSE documents that have not been published as RFCs
yet. As such, this document cannot be published before the respective
JOSE documents are finalized.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

The document contains a reference to

=C2=A0 =C2=A0[ECMAScript]
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Ecma International, "= ECMAScript Language Specification,
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 5.1 Edition", ECMA 26= 2, June 2011.

which might require a downref.

RFC 6755 is also a downref.


(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction? If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs
is discussed. If this information is not in the document, explain why
the WG considers it unnecessary.

The publication of this document does not change the status of other RFCs.<= br>
(17) Describe the Document Shepherd's review of the IANA considerations=
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

The document creates a new registry for JWT claims and populates this
registry with values.
It also registers values into two existing registries, namely into
=C2=A0* the RFC 6755 created OAuth URN registry, and
=C2=A0* the media type registry

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

The newly created JWT claims registry requires expert review for future
allocations. Guidance is given in the document.
The document shepherd volunteers to become an expert review.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

There are examples in the document that use a JSON-based encoding. The
document shepherd has reviewed those examples but has not verified the
correctness of the cryptographic operations.



_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--047d7bdc123485dd8804f7bd8202-- From nobody Wed Apr 23 15:59:05 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03B641A0729 for ; Wed, 23 Apr 2014 15:59:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cmQyclFVuc3h for ; Wed, 23 Apr 2014 15:59:00 -0700 (PDT) Received: from na3sys009aog129.obsmtp.com (na3sys009aog129.obsmtp.com [74.125.149.142]) by ietfa.amsl.com (Postfix) with ESMTP id 72D881A0728 for ; Wed, 23 Apr 2014 15:59:00 -0700 (PDT) Received: from mail-ie0-f179.google.com ([209.85.223.179]) (using TLSv1) by na3sys009aob129.postini.com ([74.125.148.12]) with SMTP ID DSNKU1hFrjn3ddFMCoNHXbZ7yASE7aI7E6g4@postini.com; Wed, 23 Apr 2014 15:58:55 PDT Received: by mail-ie0-f179.google.com with SMTP id lx4so1586184iec.24 for ; Wed, 23 Apr 2014 15:58:54 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=e3hVKuMRpJtQkJdMmYPNvmTDyoEPt6+ZYlfdUwMHNdc=; b=Ab2Lpg0dA8ymOMnpilYqTr2egnA1QyBBK7kyjCXz/bWxkoKrNsDcWJiQ62a3zI81Kw qe3W0qJCcHtoJ3UBVDZ6dq2DYfB+a8OL4glIMpyjm/tqiAwL4ftxsAQAvC7O5o+IHLJu 9/Pc3GX5s6qb6i7UZC3z07CanHycceducQGKeES1ae3P865YV8dAt4IH91Go1eHhgfZo Dq/G0SD5JLi8mvD3S3EjWHuWg7yTf3jha60/4TO/tcP97zi6PqOGP1PPd1vO2QUBxXs+ pZYKruG/H6MqRXQep63MSGWTgb/rgZjNP/XQxI1K4mfj6LbokQ8Dd+hDKeRrJX8m+dWS 6h+Q== X-Gm-Message-State: ALoCoQmX4VXcggCBbivcr15yec6uHxbo7bamqzaf9zbeheFFYIRR0f0UUi5915GjAvPA8GgttlsAhTOx41fMV5WFLfzBVwwJAKpBBlctU6bQ0ssbRiNxDZAP+qpVxnBcN9RBJraBU2c0 X-Received: by 10.43.143.211 with SMTP id jn19mr47402971icc.0.1398293934563; Wed, 23 Apr 2014 15:58:54 -0700 (PDT) X-Received: by 10.43.143.211 with SMTP id jn19mr47402958icc.0.1398293934433; Wed, 23 Apr 2014 15:58:54 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Wed, 23 Apr 2014 15:58:24 -0700 (PDT) In-Reply-To: <5357EF2E.1020503@mitre.org> References: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> <5357EF2E.1020503@mitre.org> From: Brian Campbell Date: Wed, 23 Apr 2014 16:58:24 -0600 Message-ID: To: Justin Richer Content-Type: multipart/alternative; boundary=001a11c2f1ac40fe1c04f7bdad1d Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/3ojjIEEBmZmupRCqiGsTOKpTvPg Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2014 22:59:03 -0000 --001a11c2f1ac40fe1c04f7bdad1d Content-Type: text/plain; charset=UTF-8 Just to pile on here - the Assertions draft(s) do define client assertion authentication only for the token endpoint (and register token endpoint parameters). But it certainly doesn't preclude it from being profiled for use elsewhere. FWIW we used the token endpoint in our implementation of token introspection/validation partly because all supported forms of client authentication come along for free by doing so. My esteemed colleague, Dr. Paul Madsen, posted a rough draft of what we've implemented in product a while back: http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html On Wed, Apr 23, 2014 at 10:49 AM, Justin Richer wrote: > For introspection, we really just wanted to say "you can authenticate the > caller (client or RP) just like you would to the token endpoint". So if > you've got the means to do that with the assertion draft or with client > secrets or TLS certs or anything else, go for it. I would not read the text > of the assertions draft as restricting this other use case. > > -- Justin > > > On 04/23/2014 12:42 PM, Mike Jones wrote: > >> The assertions draft is only trying to describe how to perform >> assertion-based authentication at the Token Endpoint. Other drafts, such >> as the introspection draft, could explicitly say that this can also be done >> in the same manner there, but that's an extension, and should be specified >> by the extension draft, if appropriate - not in the assertions draft. >> >> Justin may have more to say about the applicability or lack of it to the >> introspection draft, but I'm personally not familiar with it. >> >> -- Mike >> >> -----Original Message----- >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes >> Tschofenig >> Sent: Wednesday, April 23, 2014 5:09 AM >> To: oauth@ietf.org >> Subject: [OAUTH-WG] Assertions: Client authentication for non-token >> endpoints? >> >> Hi all, >> >> in a discussion about re-using the client authentication part of the >> assertion framework for other specifications currently in progress I ran >> into the following question: >> >> Section 6.1 of >> http://tools.ietf.org/html/draft-ietf-oauth-assertions-15 talks about >> the client using the assertion with the **token endpoint**. >> >> Now, it appears that one cannot use the client authentication with other >> endpoints, such as the introspection endpoint defined in >> http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2 >> >> Am I reading too much into Section 6.1 of the assertion draft? >> >> Ciao >> Hannes >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > --001a11c2f1ac40fe1c04f7bdad1d Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Just to pile on here - the Assertions draft(s) do define c= lient assertion authentication only for the token endpoint (and register to= ken endpoint parameters). But it certainly doesn't preclude it from bei= ng profiled for use elsewhere.

FWIW we used the token endpoint in our implementation of token introspe= ction/validation partly because all supported forms of client authenticatio= n come along for free by doing so. My esteemed colleague, Dr. Paul Madsen, = posted a rough draft of what we've implemented in product a while back:= http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html


On Wed,= Apr 23, 2014 at 10:49 AM, Justin Richer <jricher@mitre.org>= wrote:
For introspection, we really just wanted to = say "you can authenticate the caller (client or RP) just like you woul= d to the token endpoint". So if you've got the means to do that wi= th the assertion draft or with client secrets or TLS certs or anything else= , go for it. I would not read the text of the assertions draft as restricti= ng this other use case.

=C2=A0-- Justin


On 04/23/2014 12:42 PM, Mike Jones wrote:
The assertions draft is only trying to describe how to perform assertion-ba= sed authentication at the Token Endpoint. =C2=A0Other drafts, such as the i= ntrospection draft, could explicitly say that this can also be done in the = same manner there, but that's an extension, and should be specified by = the extension draft, if appropriate - not in the assertions draft.

Justin may have more to say about the applicability or lack of it to the in= trospection draft, but I'm personally not familiar with it.

=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 -- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, April 23, 2014 5:09 AM
To: oauth@ietf.org<= br> Subject: [OAUTH-WG] Assertions: Client authentication for non-token endpoin= ts?

Hi all,

in a discussion about re-using the client authentication part of the assert= ion framework for other specifications currently in progress I ran into the= following question:

Section 6.1 of
http://tools.ietf.org/html/draft-ietf-oauth-assertions-= 15 talks about the client using the assertion with the **token endpoint= **.

Now, it appears that one cannot use the client authentication with other en= dpoints, such as the introspection endpoint defined in
http://tools.ietf.org/html/draft-richer-= oauth-introspection-04#section-2

Am I reading too much into Section 6.1 of the assertion draft?

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

--001a11c2f1ac40fe1c04f7bdad1d-- From nobody Thu Apr 24 00:11:40 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 762971A0129 for ; Thu, 24 Apr 2014 00:11:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0qkHZDUN9ov0 for ; Thu, 24 Apr 2014 00:11:35 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id A84B51A00AE for ; Thu, 24 Apr 2014 00:11:34 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LxLcc-1WxRcz0Rha-016xTk; Thu, 24 Apr 2014 09:11:27 +0200 Message-ID: <5358B8BC.8000508@gmx.net> Date: Thu, 24 Apr 2014 09:09:48 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: <53577C41.2090606@gmx.net> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="FROQIoNb2KRBeA6w0UmJtWx11fBJjptLu" X-Provags-ID: V03:K0:S+nEjrQdI5L6sR/tY/pJ8eL2OS732LHaERYQgAZgK58T/3t4Jjm azKqGt9ZZKRMb2UmSBk7aXShPUjaz1+Jh0A0yyevJjbZJ7JeVqwQlucf5mzA73fJ47ceER5 i+PJ4qFUhhEHQOyK7V4RcWp/D8N4uxbtdejsXuTgYxX0dXC1C+lPsoEpjbawqUVAdERAbbf AujpP3r+Sy3p9Jquee86g== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/JF-YDSc0w7vWYN0qYdch3aDVJ2I Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 07:11:38 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --FROQIoNb2KRBeA6w0UmJtWx11fBJjptLu Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Brian, I read through the thread and the Google case is a bit different since they are using the client authentication part of the JWT bearer spec. There I don't see the privacy concerns either. I am, however, focused on the authorization grant where the subject is in most cases the resource owner. It is possible to put garbage into the subject element when privacy protection is needed for the resource owner case but that would need to be described in the document; currently it is not there. Ciao Hannes On 04/24/2014 12:37 AM, Brian Campbell wrote: > That thread that Antonio started which you reference went on for some > time > (http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520)= > and seems to have reached consensus that the spec didn't need normative= > change and that such privacy cases or other cases which didn't > explicitly need a subject identifier would be more appropriately dealt > with in application logic: > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html >=20 >=20 >=20 >=20 > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig > > wrote: >=20 > Hi all, >=20 > in preparing the shepherd write-up for draft-ietf-oauth-jwt-bearer-= 08 I > had to review our recent email conversations and the issue raised b= y > Antonio in > http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html be= long > to it. >=20 > The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-08 says= : > " > 2. The JWT MUST contain a "sub" (subject) claim identifying th= e > principal that is the subject of the JWT. Two cases need t= o be > differentiated: >=20 > A. For the authorization grant, the subject SHOULD identif= y an > authorized accessor for whom the access token is being > requested (typically the resource owner, or an authoriz= ed > delegate). >=20 > B. For client authentication, the subject MUST be the > "client_id" of the OAuth client. > " >=20 > Antonio pointed to the current Google API to illustrate that the su= bject > is not always needed. Here is the Google API documentation: > https://developers.google.com/accounts/docs/OAuth2ServiceAccount >=20 > The Google API used the client authentication part (rather than the= > authorization grant), in my understanding. >=20 > I still believe that the subject field has to be included for clien= t > authentication but I am not so sure anymore about the authorization= > grant since I could very well imagine cases where the subject is no= t > needed for authorization decisions but also for privacy reasons. >=20 > I would therefore suggest to change the text as follows: >=20 > " > 2. The JWT contains a "sub" (subject) claim identifying the > principal that is the subject of the JWT. Two cases need t= o be > differentiated: >=20 > A. For the authorization grant, the subject claim MAY > be included. If it is included it MUST identify the > authorized accessor for whom the access token is being > requested (typically the resource owner, or an authoriz= ed > delegate). Reasons for not including the subject claim > in the JWT are identity hiding (i.e., privacy protectio= n > of the identifier of the subject) and cases where > the identifier of the subject is irrelevant for making > an authorization decision by the resource server. >=20 > B. For client authentication, the subject MUST be the > included in the JWT and the value MUST be populated > with the "client_id" of the OAuth client. > " >=20 > What do you guys think? >=20 > Ciao > Hannes >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 --FROQIoNb2KRBeA6w0UmJtWx11fBJjptLu Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWLi8AAoJEGhJURNOOiAt8zEH/RMaWZCJ9NI4DI87okaQvYVL FQdLrTPxb5/w1wjhdzfWkhHf9yiJbVyaDS/LB6Jw8HG2FeO/q6bkYEpHA/coTagK osc/adIjZqyFKTvE0mUU9UuRDji6ToFtMjCoIhFNq/sRlG6knqZsJXVbNAW/Ol8q mFtpUjVhev2q1CdFM1uAR0//7Fy/CJte92iy4W4IYn3fDRwVBefYq/nnd54mRhq3 8bcHcWnhQpHNcw11Iwsua5QP9JesYzj85G9rdiAm7bsrYO+xx2Ed/R/oMOBMigQI 5iTa691DaN7JTJd8OuLIjrtWeEToUmqtjGI/G5APY+mjFq0LQZDCt4v2ZnXz7WQ= =i+cY -----END PGP SIGNATURE----- --FROQIoNb2KRBeA6w0UmJtWx11fBJjptLu-- From nobody Thu Apr 24 00:12:55 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91FE71A0314 for ; Thu, 24 Apr 2014 00:12:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ivlGBL1w-m6i for ; Thu, 24 Apr 2014 00:12:50 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id 97E151A00AE for ; Thu, 24 Apr 2014 00:12:50 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MKu9E-1WdDpr35Ga-0004DM; Thu, 24 Apr 2014 09:12:44 +0200 Message-ID: <5358B907.3030905@gmx.net> Date: Thu, 24 Apr 2014 09:11:03 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: <5357AA4C.8080707@gmx.net> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="0jrosNpFI0KCmOdc8FKQHVCGPw4mqx5Qo" X-Provags-ID: V03:K0:4p1CE5GgmZCz6inGP1cuB7kl2WgD6uvHo14ymD2zBTY90btfKxu VtTZy1bFkSxcbPDnbX/Ff10KqyqQHGaTzDXpPuXXj2rqVj7qpfKhseti7gQkiiDEGx99vG3 Lt84sB2NzkjE8jsgXQ241wo4N4qegVzEZ5FHdo7OXJ03TRF1dNNLOkhIXEUhf5pR72+TQsJ S9xE02lTn0wDDXnU79/sQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/rhNNsSOzCxzklP4BnePTrAP7QTs Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 07:12:53 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --0jrosNpFI0KCmOdc8FKQHVCGPw4mqx5Qo Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Thanks, Brian. I will add this aspect to the write-up. On 04/24/2014 12:46 AM, Brian Campbell wrote: > While OAuth access tokens are a valuable application of JWT, might it > also be worthwhile to mention that JWT can and will be useful in other > contexts? Connect's ID Token is one such example: > http://openid.net/specs/openid-connect-core-1_0.html#IDToken >=20 >=20 > On Wed, Apr 23, 2014 at 5:55 AM, Hannes Tschofenig > > wrote: >=20 > Hi all, >=20 > I am working on the shepherd writeup for the JWT. Here are a few > questions: >=20 > - To the document authors: Please confirm that any and all appropri= ate > IPR disclosures required for full conformance with the provisions o= f BCP > 78 and BCP 79 have already been filed. >=20 > - To all: I have included various pointers to implementations in th= e > write-up. Maybe there are others that should be included. If so, pl= ease > let me know. >=20 > - To all: Please also go through the text to make sure that I corre= ctly > reflect the history and the status of this document. >=20 > Here is the latest version of the write-up: > https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/m= aster/shepherd-writeups/Writeup_OAuth_JWT.txt >=20 > Ciao > Hannes >=20 > PS: Here is the copy-and-paste text: >=20 > -------- >=20 > Writeup for "JSON Web Token (JWT)" >=20 > (1) What type of RFC is being requested (BCP, Proposed Standard, > Internet Standard, Informational, Experimental, or Historic)? Why i= s > this the proper type of RFC? Is this type of RFC indicated in the t= itle > page header? >=20 > The RFC type is 'Standards Track' and the type is indicated in the = title > page. This document defines the syntax and semantic of information > elements. >=20 > (2) The IESG approval announcement includes a Document Announcement= > Write-Up. Please provide such a Document Announcement Write-Up. Rec= ent > examples can be found in the "Action" announcements for approved > documents. The approval announcement contains the following section= s: >=20 > Technical Summary: >=20 > JSON Web Token (JWT) is a compact URL-safe means of representing= > claims to be transferred between two parties. The claims in a J= WT > are encoded as a JavaScript Object Notation (JSON) object that i= s > used as the payload of a JSON Web Signature (JWS) structure or a= s the > plaintext of a JSON Web Encryption (JWE) structure, enabling the= > claims to be digitally signed or MACed and/or encrypted. >=20 > Working Group Summary: >=20 > Was there anything in WG process that is worth noting? For example,= was > there controversy about particular points or were there decisions w= here > the consensus was particularly rough? >=20 > This document was uncontroversial. It allows OAuth deployments to u= se a > standardized access token format, which increases interoperability = of > OAuth-based deployments. >=20 > Document Quality: >=20 > This document has gone through many iterations and has received > substantial feedback. >=20 > A substantial number of implementations exist, as documented at > http://openid.net/developers/libraries/ > (scrowl down to the 'JWT/JWS/JWE/JWK/JWA Implementations' section) >=20 > An Excel document providing additional details can be found here: > http://www.oauth-v2.org/wp-content/uploads/2014/04/JWT-Implementati= ons.xlsx >=20 > Personnel: >=20 > The document shepherd is Hannes Tschofenig and the responsible area= > director is Kathleen Moriarty. >=20 > (3) Briefly describe the review of this document that was performed= by > the Document Shepherd. If this version of the document is not ready= for > publication, please explain why the document is being forwarded to > the IESG. >=20 > The draft authors believe that this document is ready for publicati= on. > The document has received review comments from working group member= s, > and from the OAuth working group chairs. Implementations exist and = they > have tested for interoperability as part of the OpenID Connect inte= rop > events. >=20 > (4) Does the document Shepherd have any concerns about the depth or= > breadth of the reviews that have been performed? >=20 > This document has gotten enough feedback from the working group. >=20 > (5) Do portions of the document need review from a particular or fr= om > broader perspective, e.g., security, operational complexity, AAA, D= NS, > DHCP, XML, or internationalization? If so, describe the review that= took > place. >=20 > Since the OAuth working group develops security protocols any feedb= ack > from the security community is always appreciated. > The JWT document heavily depends on the work in the JOSE working gr= oup > since it re-uses the JWE and the JWS specifications. >=20 > (6) Describe any specific concerns or issues that the Document Shep= herd > has with this document that the Responsible Area Director and/or th= e > IESG should be aware of? For example, perhaps he or she is uncomfor= table > with certain parts of the document, or has concerns whether there r= eally > is a need for it. In any event, if the WG has discussed those issue= s and > has indicated that it still wishes to advance the document, detail = those > concerns here. >=20 > The shepherd has no concerns with this document. >=20 > (7) Has each author confirmed that any and all appropriate IPR > disclosures required for full conformance with the provisions of BC= P 78 > and BCP 79 have already been filed. If not, explain why? >=20 > [[Confirmation from the authors required.]] >=20 > (8) Has an IPR disclosure been filed that references this document?= If > so, summarize any WG discussion and conclusion regarding the IPR > disclosures. >=20 > Two IPRs have been filed for the JWT specification this document re= lies > on, see > http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id= =3Ddraft-ietf-oauth-json-web-token >=20 >=20 > There was no discussion regarding those two IPRs on the mailing lis= t. >=20 > (9) How solid is the WG consensus behind this document? Does it > represent the strong concurrence of a few individuals, with others = being > silent, or does the WG as a whole understand and agree with it? >=20 > The working group has consensus to publish this document. >=20 > (10) Has anyone threatened an appeal or otherwise indicated extreme= > discontent? If so, please summarise the areas of conflict in separa= te > email messages to the Responsible Area Director. (It should be in a= > separate email because this questionnaire is publicly available.) >=20 > No appeal or extreme discontent has been raised. >=20 > (11) Identify any ID nits the Document Shepherd has found in this > document. (See http://www.ietf.org/tools/idnits/ and the Internet-D= rafts > Checklist). Boilerplate checks are not enough; this check needs to = be > thorough. >=20 > The shepherd has checked the nits. The shepherd has not verified th= e > examples for correctness. >=20 > (12) Describe how the document meets any required formal review > criteria, such as the MIB Doctor, media type, and URI type reviews.= >=20 > The document does not require a formal review even though it contai= ns > JSON-based examples. >=20 > (13) Have all references within this document been identified as ei= ther > normative or informative? >=20 > Yes. >=20 > (14) Are there normative references to documents that are not ready= for > advancement or are otherwise in an unclear state? If such normative= > references exist, what is the plan for their completion? >=20 > There are various JOSE documents that have not been published as RF= Cs > yet. As such, this document cannot be published before the respecti= ve > JOSE documents are finalized. >=20 > (15) Are there downward normative references references (see RFC 39= 67)? > If so, list these downward references to support the Area Director = in > the Last Call procedure. >=20 > The document contains a reference to >=20 > [ECMAScript] > Ecma International, "ECMAScript Language Specificatio= n, > 5.1 Edition", ECMA 262, June 2011. >=20 > which might require a downref. >=20 > RFC 6755 is also a downref. >=20 >=20 > (16) Will publication of this document change the status of any exi= sting > RFCs? Are those RFCs listed on the title page header, listed in the= > abstract, and discussed in the introduction? If the RFCs are not li= sted > in the Abstract and Introduction, explain why, and point to the par= t of > the document where the relationship of this document to the other R= FCs > is discussed. If this information is not in the document, explain w= hy > the WG considers it unnecessary. >=20 > The publication of this document does not change the status of othe= r > RFCs. >=20 > (17) Describe the Document Shepherd's review of the IANA considerat= ions > section, especially with regard to its consistency with the body of= the > document. Confirm that all protocol extensions that the document ma= kes > are associated with the appropriate reservations in IANA registries= =2E > Confirm that any referenced IANA registries have been clearly > identified. Confirm that newly created IANA registries include a > detailed specification of the initial contents for the registry, th= at > allocations procedures for future registrations are defined, and a > reasonable name for the new registry has been suggested (see RFC 52= 26). >=20 > The document creates a new registry for JWT claims and populates th= is > registry with values. > It also registers values into two existing registries, namely into > * the RFC 6755 created OAuth URN registry, and > * the media type registry >=20 > (18) List any new IANA registries that require Expert Review for fu= ture > allocations. Provide any public guidance that the IESG would find u= seful > in selecting the IANA Experts for these new registries. >=20 > The newly created JWT claims registry requires expert review for fu= ture > allocations. Guidance is given in the document. > The document shepherd volunteers to become an expert review. >=20 > (19) Describe reviews and automated checks performed by the Documen= t > Shepherd to validate sections of the document written in a formal > language, such as XML code, BNF rules, MIB definitions, etc. >=20 > There are examples in the document that use a JSON-based encoding. = The > document shepherd has reviewed those examples but has not verified = the > correctness of the cryptographic operations. >=20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 --0jrosNpFI0KCmOdc8FKQHVCGPw4mqx5Qo Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWLkHAAoJEGhJURNOOiAtpJsIAJdAL6Pms5vC2I/DLIhIexi/ VWViVoMdLmJJzEhIfBYUsPVWr3TiIQGcQ1HXiiqCLUxI/JNNEsNAD6ph36SeSVzs t2sOeNF9pGGC10BfVjhSwjEwza0LoBdjPv81iBy1kE/apnKW/8ucI/OQ6+pFqkU8 9wUbC4KFNsa3dRs+9ijWA76kQVe0VejxgrG+r6mDqmsKTu9P6DVpy3KYGvESyYm9 0d9/U+IvhXGUGnhHtZ6lYWdW764e9mQhdy4w9CAlycXo97dRCrTMKewAVVZV+GUe MGHL0vj37jKICEMlmya+MEV5WZIdsKMJd/c4JsJ/TAhBi1L7FvnKBrMV8+yy1C0= =3pDH -----END PGP SIGNATURE----- --0jrosNpFI0KCmOdc8FKQHVCGPw4mqx5Qo-- From nobody Thu Apr 24 01:58:47 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 288831A07ED for ; Thu, 24 Apr 2014 01:58:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dISgPon0tdSL for ; Thu, 24 Apr 2014 01:58:42 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id A0E351A0125 for ; Thu, 24 Apr 2014 01:58:42 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0LuJDv-1X5P6z2eUJ-011iuE; Thu, 24 Apr 2014 10:58:34 +0200 Message-ID: <5358D170.1060303@gmx.net> Date: Thu, 24 Apr 2014 10:55:12 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Justin Richer , "oauth@ietf.org" References: <5357BB37.1080803@gmx.net> <5357D4FF.5040800@mitre.org> In-Reply-To: <5357D4FF.5040800@mitre.org> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="3GWtv1xukaSUPt84eOpgxdHUth1FjsxJB" X-Provags-ID: V03:K0:UkHoRZN3WvwFJPhPx9baHbI6hmXYgw/ZTCfj6Ez7V7v0OB01fi+ IBolv6nEwOTf+TQHSVvYXU9AGMpHKfrwXUUd1bsENlyOYXA/57eJPM1jMmWUyVJ7f8oOnF1 PEf53RHlofh/rgkzFfT2rjZbXkEXm9brF1x2bgj3TBOM2LYj2APd7xmb9NVk26X79c8Mq0y 8qJAxgDzoTtrbg9l5d0nw== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Kub0Pk3RaYgxBzipMzcll0T6vB4 Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-16 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 08:58:46 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --3GWtv1xukaSUPt84eOpgxdHUth1FjsxJB Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Justin, thanks for the quick feedback. A few remarks below. >> - Protocol Flow >> >> In Figure 1 you show the client and the developer in the same box. The= >> protocol defined in the specification clearly runs between a client an= d >> client registration endpoint at an authorization server. So, I would >> suggest to put the developer (which is a human) outside the box and to= >> draw another box around the client registration endpoint to indicate >> that this is part of the authorization server. >=20 > There are two known modes of deployment for this protocol: either the > client calls the registration endpoint directly and gets its own > client_id and client_secret, or the developer uses some tool (part of > their build process, a software publication process, a self-service > portal) to register the client. While the first use case is the origina= l > driver, several people wanted to make sure that this other use case > wasn't inadvertently written out. Makes sense to me. Maybe you just want to provide that piece of background to the figure. >=20 >=20 >> - Section 2 >> >> What exactly does this sentence mean? >> >> " >> Authorization servers MUST accept all fields in this list. >> " >> >> I believe I cannot mean that the authorization server supports all >> mechanisms. >=20 > All I was trying to say was that the AS isn't allowed to crash if it > sees a field in this list as part of the registration, to give us some > kind of interoperability baseline. I am welcome to re-wording > suggestions. The AS is free to ignore any field that it doesn't like, o= r > reject a registration for a value that it doesn't like, or replace a > value that it doesn't like with something that it does like and return > that. We enumerate all of those cases separately, so perhaps this > sentence isn't necessary any more. Understood. To clarify the context one could write the following. " Future extensions will extend the list of grant_types, and response_types with new mechanisms. To avoid interoperability problems authorization server MUST ignore values they do not understand. For instance, the [OAuth.Registration.Metadata] specification defines additional client metadata values. A properly implemented authorization server that does not understand any of the metadata values defined in [OAuth.Registration.Metadata] sent by the client would ignore those. " >=20 >> You write: >> >> " >> Client metadata values can either be communicated directly in the >> body of a registration request, as described in Section 4.1, or >> included as claims in a software statement, as described in >> Section 3. If the same client metadata name is present in both >> locations, the value in the software statement SHOULD take >> precedence. >> " >> >> It might be worthwhile to note that the two options exist to allow (a)= >> the client to suggest values and (b) to have the organizing issuing th= e >> software assertion to provide further values. >=20 > It's actually the other way around -- the assertion if present defines = a > set of core values for a class of clients and the client suggests value= s > on its own in the plain JSON. The vast majority of registrations will > use only the JSON object, in my estimation. >=20 >> Regarding the SHOULD in the last sentence I guess it might make more >> sense to just say that it is deployment dependent what policy is used.= >=20 > The idea here is that the software statement, if present and trusted, > should really take precedence since it's cryptographically protected an= d > the plain JSON isn't. Reasonable thought. Maybe turn the SHOULD into a MUST? The challenge with the SHOULD is always to explain when it shouldn't be done. >=20 >> - Section 2.1 >> >> You write: >> >> " >> As such, a server supporting these fields >> SHOULD take steps to ensure that a client cannot register itself in= to >> an inconsistent state. >> " >> >> Any guidance on how the authorization server would do that? >=20 > Either return an error ("invalid_client_metadata") or replace the value= s > with sane defaults. Probably the former for most servers. Should we > state this? Might be a useful addition for someone implementing the spec to know what to do. I didn't know what to do when reading that sentence. >=20 >> - Section 3 >> >> I don't understand this sentence: >> >> " >> In some cases, authorization servers MAY choose to accept a software= >> statement value directly as a Client ID in an authorization request= , >> without a prior dynamic client registration having been performed. >> " >> >> Does this mean that the client id is the software statement or that th= e >> software statement is embedded in the client id or something else? >=20 > The idea here is that the software statement itself would be the > client_id, but the details of such usage are outside the scope of > dynamic registration (since it's not really registration at that point,= > but a stateless client identifier). If the software statement is the client_id then would you only send the software statement but no client_id in the message? >=20 >> - Section 4 >> >> The story around the initial access token is a bit strange. Here is th= e >> text: >> >> The client registration endpoint MAY be an OAuth 2.0 protected >> resource and accept an initial access token in the form of an OAuth= >> 2.0 [RFC6749] access token to limit registration to only previously= >> authorized parties. The method by which the initial access token i= s >> obtained by the registrant is generally out-of-band and is out of >> scope for this specification. The method by which the initial acce= ss >> token is verified and validated by the client registration endpoint= >> is out of scope for this specification. >> >> >> First, the term 'registrant' is used here for the first time. Then, it= >> is outside the scope of how the client got this initial access token. >> Normally for access tokens the client does not have to care about the >> content and does not verify anything but here the last sentence hints = to >> the verification (although it is outside the scope of how it is used).= >=20 > The client doesn't verify the token, the client registration endpoint > verifies it. It's a vanilla OAuth token. Read that incorrectly. Thanks for the clarification! >=20 >> I am curious whether the software assertion could actually be re-use >> here in case the unauthorized use of the registration by clients is a >> concern!? >=20 > This is exactly what BlueButton+ does: the software statement equivalen= t > is presented as the initial access token. I personally think that this > makes a lot more sense, but some folks wanted to be able to separate > these two things, so that the authority to register with a server is > differentiable from the fixed registration parameters. Also, you don't > want to define the initial access token to *always* be a software > statement, since it could just represent authorization to call the > registration endpoint with no other strings attached. I would like to see some text (from some of the proponents of this two-token idea) where it would make sense to have these two tokens. Sounds quite complex to me, particularly when there are a lot of "out-of-scope" statements. We don't want to get to a model where the client does not have the client_id configured and then needs to use the dynamic client registration protocol to subsequently require even more information to get registered.... >=20 >> - Section 4.2 >> >> You write: >> >> " >> This client identifier MUST be >> unique at the server and MUST NOT be in use by any other client. >> " >> >> This is a bit unclear given the text you provide in the subsequent >> section, Section 5.1. >> You write: >> >> " >> client_id REQUIRED. Unique client identifier. It MUST NOT be >> currently valid for any other distinct registered client. It MA= Y >> be the same as the Client ID value used by other instances of th= is >> client, provided that the Redirection URI values and potentially= >> other values dictated by authorization server policy are the sam= e >> for all instances. >> " >=20 > Those are still inconsistent and I'm not positive where we came down on= > that issue -- I personally don't like the idea of re-using client_ids > for different instances of the client (I see it causing nothing but > trouble down the line), but there was a push to relax that. Can someone= > who wanted this comment on its utility? >=20 >> You write: >> >> " >> If a software statement was used as part of the registration, its >> value SHOULD be returned in the response and its value MUST be >> returned if the authorization server supports registration manageme= nt >> operations [OAuth.Registration.Management] that would require its >> presence in subsequent operations. >> " >> >> I am not sure I understand that. Are you saying that the software >> assertion is returned in the response from the authorization server to= >> the client? Why is that? >=20 > It is effectively part of the client's registration metadata and should= > be returned as-is. If the client is going to be doing management, it > needs to be able to post that back to the server again as part of its > update and the server needs to be able to check against it. What we > really don't want is the registration endpoint to generate a new > software statement as part of the registration response. But the client had that data in the first place and so it is a waste of bandwidth to return the same data back to him again (maybe even twice -- once in the software assertion and then separately as meta-data). >=20 >> - References >> >> I believe you should delete the dependency on the registration >> management specification. >=20 > This makes sense if the operations can be completely insular and we > don't need any forward references as to why to do certain things. It > would be easy to build a registration endpoint that precludes any kind > of management/lifecycle API, and we want to avoid that in the design of= > the core protocol. I think we've successfully done that, but if it make= s > it cleaner to remove the references and just state how to do things, I > don't see why not. >=20 I am just saying it because of the way how the discussions at the last IETF meeting went and creating these dependencies could lead to a problem with progressing this spec. > Thanks for the thorough review. No problem - I am here to help. Ciao Hannes > -- Justin >=20 >> >> Ciao >> Hannes >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 --3GWtv1xukaSUPt84eOpgxdHUth1FjsxJB Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWNFwAAoJEGhJURNOOiAtEU4H/jqv7Y6SZL5+n906x9BJfNYJ Vo5k3V/MdjrDs2nmIjn6wPn2i85NEdE8dJlxd7dBmNPIaYCJJq95B0Sq8uJJxtST TuOg+3xYctEI6x/XmBGULt1k35iixXlQel0jvP9C9on2OHcFwFYooKZKqP6NB+bH 4NCujf2G+hyr9qWVZyzC4diOBeEPPftFevYmL2oktQhl3KygwXwiFAkga8HHNkj1 NTIbVsXWhJI1T8zRuXWYrmBk4V/dcgaUA6q2fgqsbLvV6JFBS80hgbLzroTwOK1o MLRF5Z3xUGEnlvvGnsT7p3SLzpt+OKV0KoYCBTtJL6z0cBFPa21Ex0XKvL1Gxt8= =Ax3b -----END PGP SIGNATURE----- --3GWtv1xukaSUPt84eOpgxdHUth1FjsxJB-- From nobody Thu Apr 24 02:00:17 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF0FA1A03E5 for ; Thu, 24 Apr 2014 02:00:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WKex2s1Amz87 for ; Thu, 24 Apr 2014 02:00:14 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id A6D791A0125 for ; Thu, 24 Apr 2014 02:00:13 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MWwp6-1WR6Rz3Ro4-00VyTS; Thu, 24 Apr 2014 11:00:04 +0200 Message-ID: <5358D1C6.1080807@gmx.net> Date: Thu, 24 Apr 2014 10:56:38 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Mike Jones , "oauth@ietf.org" References: <4E1F6AAD24975D4BA5B16804296739439A191D83@TK5EX14MBXC288.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A191D83@TK5EX14MBXC288.redmond.corp.microsoft.com> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="IKUr7xaNpcXVb1JhSFD0JBNgFr9uMiltI" X-Provags-ID: V03:K0:ds2GOP07ZL/yh4Z2fY4sSXSRtMARYTv2bKmPBM9gtEeGTAL41Hg j9bbPXjM04VG4b11F3P30tjVOTKA3kYCWfaNItDkns4O+MSGoSIbEq25BM/StJEbGybmLMk ya6AfLIU9Dq29VYY7X15vZ0DyprWr7el+3cfA6CUmJbm9oD5P8UoCZzTWABWDzaUwIs+Eeg gMxCRnFrnqvux8U1eSy+Q== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/h8NJw0b3W7MAjmhXk7iulbG9nOo Subject: Re: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-token-19 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 09:00:15 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --IKUr7xaNpcXVb1JhSFD0JBNgFr9uMiltI Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable Thanks, Mike. Leave the ECMAScript reference in the document. I indicated it as a DOWNREF in the my shepherd write-up and that should be fine. Ciao Hannes On 04/23/2014 06:32 PM, Mike Jones wrote: > Replies inline... >=20 > =20 >=20 > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofe= nig > Sent: Wednesday, April 23, 2014 4:49 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] Minor questions regarding > draft-ietf-oauth-json-web-token-19 >=20 > =20 >=20 > Doing my shepherd write-up I had a few minor questions: >=20 > =20 >=20 > * Could you move the RFC 6755 reference to the normative reference > section? Reason: the IANA consideration section depends on the existenc= e > of the urn:ietf:params:oauth registry. >=20 > =20 >=20 > OK >=20 > =20 >=20 > * Could you move the JWK reference to the informative reference section= ? >=20 > Reason: The JWK is only used in an example and not essential to the > implementation or understanding of the specification. >=20 > =20 >=20 > OK >=20 > =20 >=20 > * Would it be sufficient to reference RFC 7159 instead of the > [ECMAScript] reference? >=20 > =20 >=20 > No. There=92s no equivalent to Section 15.12 of ECMAScript about the > lexically last member name to reference in RFC 7159. See the usage in > the first paragraph of > http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-4= =2E >=20 > =20 >=20 > * The document registers 'urn:ietf:params:oauth:token-type' and it is > used in the "type" header parameter. >=20 > =20 >=20 > The text, however, states that the value can also be set to jwt. Why > would someone prefer to use urn:ietf:params:oauth:token-type instead of= > the much shorter jwt value? >=20 > =20 >=20 > There are use cases, such as using JWTs as tokens in WS-Trust, where a > URI is needed. >=20 > =20 >=20 > Ciao >=20 > Hannes >=20 > =20 >=20 > Thanks for doing this. >=20 > =20 >=20 > -- Mike >=20 > =20 >=20 --IKUr7xaNpcXVb1JhSFD0JBNgFr9uMiltI Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWNHGAAoJEGhJURNOOiAtP8oH/jIY3rxW+oz0Zn+ce25+UMkl auSrMkZF3AdxfQW2EVTxm1rUQzZZM6FIwniG9Yc8TPYCJ484WHewSbNG/6f9AAru F9AY3AthQ/iEQ4H/TdY3MH7k9MxCKCmwH71pRYxoMsmEkLakVgCLBKgrNZliYwyt Fvk3fw52npc4jjF6COmsYI1xJulrekG6g9lwb2Az2kDJhASk6r4OiTnaH6hWSQAk mKpoan+s8jfOxe7DLc6VwbuZIqppBUerTrQKuJrGwzGmzLDVc2rLe452k2h3NCKQ kgdPD56Ud+CBbUnMAGOrjPVTmI8cni/iWzcbOyV4N5BBq6/a96KB1NjI9tjNmhQ= =3vAL -----END PGP SIGNATURE----- --IKUr7xaNpcXVb1JhSFD0JBNgFr9uMiltI-- From nobody Thu Apr 24 02:04:49 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39C221A07ED for ; Thu, 24 Apr 2014 02:04:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7t206a63Ght for ; Thu, 24 Apr 2014 02:04:46 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id 428F11A07A6 for ; Thu, 24 Apr 2014 02:04:46 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MLA45-1WdWZ51TVJ-000NFr; Thu, 24 Apr 2014 11:04:38 +0200 Message-ID: <5358D2D8.5080402@gmx.net> Date: Thu, 24 Apr 2014 11:01:12 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Justin Richer , Mike Jones , "oauth@ietf.org" References: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> <5357EF2E.1020503@mitre.org> In-Reply-To: <5357EF2E.1020503@mitre.org> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="lt6npRW1UInK355eu5f0SQXkN28IpdX83" X-Provags-ID: V03:K0:BWEMyGJHuOlI1TN+Tqq3BaOeU6iishYfSkefvJy5Z83V8Ul7egJ 2Gh+LEeLPgE3I36s+mX1Ay9HI4l5MhyG1yH6tCbwUCcrwp9L9swDr8AXVh4Skv6aJ/wWFha nAZq+kBXJcq/WADnRA3bocXZnRdNBVaKvcLUkcpaRusnSQA7xekuyL9XTSjoe30CBQrbTyB vVLl9Qlzd5923h98JKwNQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/p5M66AbaklMwNxfKAZKxoMatS6A Subject: Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 09:04:48 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --lt6npRW1UInK355eu5f0SQXkN28IpdX83 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I believe that Mike is right that we might need to describe these aspects in the token introspection document. Ensure proper authentication of the resource server to the authorization server is extremely important for the security (particularly in context of the PoP work we are doing right now). If everyone is able to retrieve the session key for the respective PoP-enable access token then the additional security value goes to null. Ciao Hannes On 04/23/2014 06:49 PM, Justin Richer wrote: > For introspection, we really just wanted to say "you can authenticate > the caller (client or RP) just like you would to the token endpoint". S= o > if you've got the means to do that with the assertion draft or with > client secrets or TLS certs or anything else, go for it. I would not > read the text of the assertions draft as restricting this other use cas= e. >=20 > -- Justin >=20 > On 04/23/2014 12:42 PM, Mike Jones wrote: >> The assertions draft is only trying to describe how to perform >> assertion-based authentication at the Token Endpoint. Other drafts, >> such as the introspection draft, could explicitly say that this can >> also be done in the same manner there, but that's an extension, and >> should be specified by the extension draft, if appropriate - not in >> the assertions draft. >> >> Justin may have more to say about the applicability or lack of it to >> the introspection draft, but I'm personally not familiar with it. >> >> -- Mike >> >> -----Original Message----- >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes >> Tschofenig >> Sent: Wednesday, April 23, 2014 5:09 AM >> To: oauth@ietf.org >> Subject: [OAUTH-WG] Assertions: Client authentication for non-token >> endpoints? >> >> Hi all, >> >> in a discussion about re-using the client authentication part of the >> assertion framework for other specifications currently in progress I >> ran into the following question: >> >> Section 6.1 of >> http://tools.ietf.org/html/draft-ietf-oauth-assertions-15 talks about >> the client using the assertion with the **token endpoint**. >> >> Now, it appears that one cannot use the client authentication with >> other endpoints, such as the introspection endpoint defined in >> http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section= -2 >> >> Am I reading too much into Section 6.1 of the assertion draft? >> >> Ciao >> Hannes >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 --lt6npRW1UInK355eu5f0SQXkN28IpdX83 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWNLYAAoJEGhJURNOOiAtRAkH/RUWPPPuWYF8vhNcMs3fsznI U4SXH4tnArrYz50g/Qvcb8Hg/l0JYJnJ9V+ILzpMFhbawCJOtDrqt8kCQq++hNZt 7TLTr7K6zNdAwxKqCs9aRiIm4MEAzF0HW0zxwq+HVZ/WJUO+vCL/UYJj2j48+wE8 i1FCdOqVOsmtfDilblqQn5tnQPQ/8NyuItXcRAcRbrdcnkrLp2LxPGn7ZhMbBjv1 vPTxmx+fYdtxxcj7qJbn08ZOblcWx9J2WLq9TiQhYD9t+yoHdZebK7SzFjYCGRUA G7KKpOZTa99kflEdSliUiMjtysMWTDjTSZTFljYU+4ZlAEXQbKsOGpM5S+w5JHo= =hmoh -----END PGP SIGNATURE----- --lt6npRW1UInK355eu5f0SQXkN28IpdX83-- From nobody Thu Apr 24 02:10:38 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D25861A07EF for ; Thu, 24 Apr 2014 02:10:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f8X9HTE5vllW for ; Thu, 24 Apr 2014 02:10:34 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id 794351A07A6 for ; Thu, 24 Apr 2014 02:10:34 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M8JyQ-1WqmLN31rG-00vtVU; Thu, 24 Apr 2014 11:10:23 +0200 Message-ID: <5358D42C.3000803@gmx.net> Date: Thu, 24 Apr 2014 11:06:52 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Justin Richer , "oauth@ietf.org" References: <5358110C.9020503@gmx.net> <535821A9.8020503@mitre.org> In-Reply-To: <535821A9.8020503@mitre.org> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="qa5FbNAUKp8V6KDngHh09tXI6U2XWIl0B" X-Provags-ID: V03:K0:avjMQTN7VJ2233Zf0nd7z5HkYblnOZztsh6KZwT01EvMP+FLh3e YnVbVBWlaMiTpUZiU9rQDzcRiD0NDoJmS4w2NQ2NQ+2Z8sivDnHK/6l3Lf3uboiZ3q2F/4c 3OsQGkozlvqL+vPUTABYO57Sm19uKiwxZITsTPufzsYqpe7SZ86OdapDaSXAA8lXiapmO+b FtFm8Ckx50YRjuDobemBg== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/6MZSIBmDWS7KVsfJkGwthDWYTA4 Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-metadata-00 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 09:10:37 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --qa5FbNAUKp8V6KDngHh09tXI6U2XWIl0B Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Justin, thanks again for the quick response. A few notes below. On 04/23/2014 10:25 PM, Justin Richer wrote: > Thank you for the review, responses inline (and this draft still needs > to be factored back into the main one): >=20 > On 04/23/2014 03:14 PM, Hannes Tschofenig wrote: >> Hi all, >> >> I read through the document as part of my shepherding task; it is nice= ly >> written and easy to understand. >> >> I only have a few minor suggestions: >> >> * client_uri: URL of the homepage of the client. >> >> Would it be better to say that this is the URI provides further >> information about the client software (provided by the client software= >> developer)? >=20 > I personally think "homepage" is a clear designator of that, but would > not be adverse to extending the definition somewhat. >=20 >> * logo_uri: The value of this field MUST point to a valid image file. >> >> Would it make sense to provide a type field here as well, such as in >> HTML (e.g., type=3D"image/png")? >=20 > Unless we're going to allow the client to register and manage multiple > images (please, no), then we shouldn't go out of our way to store > mimetypes. This is a URL to be fetched and/or stored -- its content > doesn't much matter. >=20 >> * contacts: Would these email addresses be in the format of >> mailto:user@example.com or would you just use joe@example.com? >> I am asking because with the URI scheme one could potentially provide >> other contact information here as well, such as XMPP URIs or so. >=20 > I think you could do either, but what I've seen deployed is the non-URI= > version of joe@example.com. I think it would make sense for it to be > listed as not just email addresses but also other contact URIs -- > however, I don't think it's particularly useful to devolve into a full > contact record. It should be simple and actionable by a person, and > email fits that bill (as well as XMPP might, arguably). Maybe you want to say that this is a list of email addresses without the mailto URI scheme prefix. I am just seeing others putting all sorts of different stuff in there and expect it to work. >=20 >> * policy_uri: Would it be better to call this a privacy notice rather >> than policy document? >> Here is a short description what a privacy notice is: >> https://www.privacyassociation.org/resource_center/privacy_glossary/pr= ivacy_notice >=20 > I would think that policy document is a superset of privacy notice, rig= ht? I am not sure what a policy document is. When you register your application with Facebook then you have to provide a link to your privacy notice. That made sense to me given the nature of the data sharing that is going on. >=20 >> * jwks_uri: The text provides little information about how this elemen= t >> is used. I believe that this is an alternative way of using the PoP >> architecture, where the client registers keys with the authorization >> server that can then be tied to access tokens. Right? I could add some= >> text in the PoP overview document to explain this and maybe you could >> include a reference to the PoP document (as an informative reference, >> for example). >=20 > The text states that this is there for the use of higher level > protocols. Several of which (including OIDC and BB+, not to mention mor= e > advanced token types and client authentication methods) have a need to > tie a key to a client. This, and the proposed jwks value, provide a hoo= k > for that kind of stuff. It is difficult to describe the semantic if it is not further explained how it is supposed to be used. Is this field used in OpenID Connect? Ciao hannes >=20 > -- Justin >=20 >> >> Ciao >> Hannes >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 --qa5FbNAUKp8V6KDngHh09tXI6U2XWIl0B Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWNQsAAoJEGhJURNOOiAt4vsH/A+vB6r1hKIi4j+YzfcnbX8O PsBGlPCi8hfYxhSFjj4izt+29BCNJW5jMKNKFxFmeCJOJQ6i2dAdydIrtrxcOHJX jn/68krNpfUM5fRbEbOPrPaR4JmhfwpyI95vmLbWAAsd4FAhYudJUSrGHoQ5ZMww niIC4XlRNNKst06yvPe6KiEoKLYvX2gYDa6UCI30Q7T0+A5l1kAz43AEDkOnbbtU GXGwVs3ZbYqlrwYqDvS24QBwK+oIN6gamFLUs8Lr2JeZ+EWFjPuzSRD56lgkW6m7 WiSkdJM1xy0P5NEC3eTTUOyc8AFNvzUVDgH8tp3SPbuK2QzAN5M1+BwZJrlBFCc= =VoSd -----END PGP SIGNATURE----- --qa5FbNAUKp8V6KDngHh09tXI6U2XWIl0B-- From nobody Thu Apr 24 02:12:51 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D94EE1A07F1 for ; Thu, 24 Apr 2014 02:12:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2i5pa_YkA2Gu for ; Thu, 24 Apr 2014 02:12:49 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id D29B21A07A6 for ; Thu, 24 Apr 2014 02:12:48 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0Lu7ty-1X57tg48es-011P9O; Thu, 24 Apr 2014 11:12:39 +0200 Message-ID: <5358D4B2.1070500@gmx.net> Date: Thu, 24 Apr 2014 11:09:06 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell , Justin Richer References: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> <5357EF2E.1020503@mitre.org> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="2tkkXUfaKpsE77NlBiigJRhLD8A8g8Jq6" X-Provags-ID: V03:K0:cwg03mhDYWiPYO8dKcDz7g7VY0eMtbQP+88gnfbs46doKkVtOBz 9DeNoiixM+ZY51Ii3Z/RKmxS9SIF+TtfQWyyI1sq1eGRzZG3OuGPZlf8jpHhaVxqTwJLUmD ZB6Bz/cN/iGeI2tVRdgewjyhoRBQKqN/667lrmr0lTpJZLqbfCgpLXB9RN+icrAslJbHkUz 561jTqMJBKlbkmA0B4Xrg== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/7zWvKH5pASk4YHGvepWisqPs40w Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 09:12:51 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --2tkkXUfaKpsE77NlBiigJRhLD8A8g8Jq6 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Brian, does it sound reasonable for you to add text to the token introspection endpoint regarding the use of the JWT bearer assertion for the token introspection endpoint? Ciao Hannes On 04/24/2014 12:58 AM, Brian Campbell wrote: > Just to pile on here - the Assertions draft(s) do define client > assertion authentication only for the token endpoint (and register toke= n > endpoint parameters). But it certainly doesn't preclude it from being > profiled for use elsewhere. >=20 > FWIW we used the token endpoint in our implementation of token > introspection/validation partly because all supported forms of client > authentication come along for free by doing so. My esteemed colleague, > Dr. Paul Madsen, posted a rough draft of what we've implemented in > product a while back: > http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html >=20 >=20 > On Wed, Apr 23, 2014 at 10:49 AM, Justin Richer > wrote: >=20 > For introspection, we really just wanted to say "you can > authenticate the caller (client or RP) just like you would to the > token endpoint". So if you've got the means to do that with the > assertion draft or with client secrets or TLS certs or anything > else, go for it. I would not read the text of the assertions draft > as restricting this other use case. >=20 > -- Justin >=20 >=20 > On 04/23/2014 12:42 PM, Mike Jones wrote: >=20 > The assertions draft is only trying to describe how to perform > assertion-based authentication at the Token Endpoint. Other > drafts, such as the introspection draft, could explicitly say > that this can also be done in the same manner there, but that's= > an extension, and should be specified by the extension draft, i= f > appropriate - not in the assertions draft. >=20 > Justin may have more to say about the applicability or lack of > it to the introspection draft, but I'm personally not familiar > with it. >=20 > -- Mike >=20 > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org > __] On Behalf Of Hannes Tschofen= ig > Sent: Wednesday, April 23, 2014 5:09 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] Assertions: Client authentication for > non-token endpoints? >=20 > Hi all, >=20 > in a discussion about re-using the client authentication part o= f > the assertion framework for other specifications currently in > progress I ran into the following question: >=20 > Section 6.1 of > http://tools.ietf.org/html/__draft-ietf-oauth-assertions-15 > > talks about the client using the assertion with the **token > endpoint**. >=20 > Now, it appears that one cannot use the client authentication > with other endpoints, such as the introspection endpoint define= d in > http://tools.ietf.org/html/__draft-richer-oauth-__introspection= -04#section-2 > >=20 > Am I reading too much into Section 6.1 of the assertion draft? >=20 > Ciao > Hannes >=20 > _________________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/__listinfo/oauth > >=20 >=20 > _________________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/__listinfo/oauth > >=20 >=20 --2tkkXUfaKpsE77NlBiigJRhLD8A8g8Jq6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWNSyAAoJEGhJURNOOiAtBYsH/3aT5SPAwmow2CHeOx3l4cKu oZbIbiBs9AHv6ubH04sr93ZEC+Ul2GhliToLcECl8PQEVJlKM0a/24s1J+eULJaH d3OJZLSYnbdxAoPcuZOSTWsBeWVl9o57vRckbJsyncyVPPkq630DQATx/U7NOxz5 yrWXfK3mESkqwMZf7/Jrml2sE9Dx8e5Z++TgxeHE6agD6/WSzh8qzAsQvPvJIf6X hwqmlhiVbZjfxwNy1szUaMn6LulUHtaqh4ZsV7tfPA2ecbN2WQKV4LdA2jwHJr8t BBxHPPNGV6Te9+GuwVAaEE5113WuW1wcL1jwbI/wsvggyTKeCApXgJBsL9EW6yw= =LdqR -----END PGP SIGNATURE----- --2tkkXUfaKpsE77NlBiigJRhLD8A8g8Jq6-- From nobody Thu Apr 24 05:26:09 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A34901A01B9 for ; Thu, 24 Apr 2014 05:26:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8qq2gQakZqUu for ; Thu, 24 Apr 2014 05:26:01 -0700 (PDT) Received: from na3sys009aog128.obsmtp.com (na3sys009aog128.obsmtp.com [74.125.149.141]) by ietfa.amsl.com (Postfix) with ESMTP id 670A41A01AD for ; Thu, 24 Apr 2014 05:26:01 -0700 (PDT) Received: from mail-ie0-f174.google.com ([209.85.223.174]) (using TLSv1) by na3sys009aob128.postini.com ([74.125.148.12]) with SMTP ID DSNKU1kC0w0kNmza+N+SavRV+eRsJUfdC2OB@postini.com; Thu, 24 Apr 2014 05:25:55 PDT Received: by mail-ie0-f174.google.com with SMTP id rp18so2201811iec.5 for ; Thu, 24 Apr 2014 05:25:55 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=5GPcOVDhZiOIi3WzvRb18XvUATuhQv40OwNb+uMF02A=; b=J6NN+3/kcJG/wb1/LFK6gBAcgs4JRQgdKdRcPHpbNyub+1BIj1nbDPEhKfyeWyihmI ph6mrBhiS8/anVBJl5hFpl55wH9cz125FmZEcp2+cQgq4Iovw9g8ItuVj++xnrSEzPxz RuO5MxVTrzGqyssrqdT/LFKQ4AEkHmPZGoInAB07gbkBbymWlFR5e9ns/nkmNM8e2D6t aXJ3Ssi6+LHSMQEGctpUtBc1/uPuX/ZGLTPNyHbS6JgWiUEoPGdWdXLJL55AMcHlv2Gp M3r+gXIh9KY7zQBdvbmwkyUxqRExhEbQGOE26ncbbMQWWyRCXEyzfGx7uEOyp+xBA5RJ kvXQ== X-Gm-Message-State: ALoCoQnY1Cm0CnDyQ9gKysWt/JdXtcKR/DRIuKcgSoaq11fs+cOPRk0Jvh7U75IYR3GHclAFx42IPH8G266BTQPM9C3cTO4XHeS1cb/rjNeYCkFzedvEBavp1yVU8QSd80qQ+e6mcEsP X-Received: by 10.50.13.100 with SMTP id g4mr9308183igc.9.1398342355257; Thu, 24 Apr 2014 05:25:55 -0700 (PDT) X-Received: by 10.50.13.100 with SMTP id g4mr9308168igc.9.1398342355096; Thu, 24 Apr 2014 05:25:55 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Thu, 24 Apr 2014 05:25:25 -0700 (PDT) In-Reply-To: <53577C73.2010201@gmx.net> References: <53577C73.2010201@gmx.net> From: Brian Campbell Date: Thu, 24 Apr 2014 06:25:25 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=089e013c661459d98c04f7c8f350 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/0nG29fZynqgX3FuXfUdkZlv5Xp0 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 12:26:05 -0000 --089e013c661459d98c04f7c8f350 Content-Type: text/plain; charset=UTF-8 I do not have, nor am I aware of any, IPR on any of the technology in the document. Couple of little things on the writeup: "Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants" " -> should have "" Does the answer to 14 need more explanation? There normative references to drafts draft-ietf-oauth-assertions and draft-ietf-oauth-json-web-token (which depends on the JOSE work) but they are all expected to be advanced soon. Related, the answer for 15 has "There are the following dependencies:" at the end with nothing following it. On Wed, Apr 23, 2014 at 2:40 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi all, > > I am working on the shepherd writeup for the JWT bearer document. The > shepherd write-ups for the assertion draft and the SAML bearer document > have been completed a while ago already, see > http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html > > A few requests: > > - To the document authors: Please confirm that any and all appropriate > IPR disclosures required for full conformance with the provisions of BCP > 78 and BCP 79 have already been filed. > > - To all: Are you aware of implementations of this specification? If so, > I would like to reference them in my write-up. > > - To all: Please also go through the text to make sure that I correctly > reflect the history and the status of this document. > > Here is the most recent version of the write-up: > > https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt > > > (The copy-and-paste of the full version is below.) > > Ciao > Hannes > > PS: Note that I have send a mail about a pending issue to the list. In > response to my question I will update the write-up accordingly. > > ---- > > Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client > Authentication and Authorization Grants" > > (1) What type of RFC is being requested (BCP, Proposed Standard, > Internet Standard, Informational, Experimental, or Historic)? Why is > this the proper type of RFC? Is this type of RFC indicated in the title > page header? > > The RFC type is 'Standards Track' and the type is indicated in the title > page. This document defines an instantiation for the OAuth assertion > framework using JSON Web Tokens. > > (2) The IESG approval announcement includes a Document Announcement > Write-Up. Please provide such a Document Announcement Write-Up. Recent > examples can be found in the "Action" announcements for approved > documents. The approval announcement contains the following sections: > > Technical Summary: > > This specification defines the use of a JSON Web Token (JWT) Bearer > Token as a means for requesting an OAuth 2.0 access token as well as > for use as a means of client authentication. > > Working Group Summary: > > Was there anything in WG process that is worth noting? For example, was > there controversy about particular points or were there decisions where > the consensus was particularly rough? > > This document belongs to the OAuth assertion document bundle consisting > of the abstract OAuth assertion framework, and the SAML assertion > profile. Due to the use of the JSON-based encoding of the assertion it > also relies on the work in the JOSE working group (such as JWE/JWS) > indirectly through the use of the JWT. This document has intentionally > been kept in sync with the SAML-based version. > > Document Quality: > > This document has gone through many iterations and has received > substantial feedback. > > [[Add implementation list here.]] > > Personnel: > > The document shepherd is Hannes Tschofenig and the responsible area > director is Kathleen Moriarty. > > (3) Briefly describe the review of this document that was performed by > the Document Shepherd. If this version of the document is not ready for > publication, please explain why the document is being forwarded to the > IESG. > > The draft authors believe that this document is ready for publication. > The document has had received review comments from working group > members, and from the OAuth working group chairs. These review comments > have been taken into account. > > (4) Does the document Shepherd have any concerns about the depth or > breadth of the reviews that have been performed? > > This document has gotten feedback from the working group and given the > focused use cases it has received adequate review. > > (5) Do portions of the document need review from a particular or from > broader perspective, e.g., security, operational complexity, AAA, DNS, > DHCP, XML, or internationalization? If so, describe the review that took > place. > > Since the OAuth working group develops security protocols any feedback > from the security community is always appreciated. > > (6) Describe any specific concerns or issues that the Document Shepherd > has with this document that the Responsible Area Director and/or the > IESG should be aware of? For example, perhaps he or she is uncomfortable > with certain parts of the document, or has concerns whether there really > is a need for it. In any event, if the WG has discussed those issues and > has indicated that it still wishes to advance the document, detail those > concerns here. > > The shepherd has no concerns with this document. > > (7) Has each author confirmed that any and all appropriate IPR > disclosures required for full conformance with the provisions of BCP 78 > and BCP 79 have already been filed. If not, explain why? > > [[Confirmation from the authors required.]] > > (8) Has an IPR disclosure been filed that references this document? If > so, summarize any WG discussion and conclusion regarding the IPR > disclosures. > > No IPR disclosures have been filed on this document. However, two IPRs > have been filed for the JWT specification this document relies on, see > > http://datatracker.ietf.org/ipr/search/?option=document_search&id=draft-ietf-oauth-json-web-token > > > (9) How solid is the WG consensus behind this document? Does it > represent the strong concurrence of a few individuals, with others being > silent, or does the WG as a whole understand and agree with it? > > The working group has consensus to publish this document. > > (10) Has anyone threatened an appeal or otherwise indicated extreme > discontent? If so, please summarise the areas of conflict in separate > email messages to the Responsible Area Director. (It should be in a > separate email because this questionnaire is publicly available.) > > No appeal or extreme discontent has been raised. > > (11) Identify any ID nits the Document Shepherd has found in this > document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts > Checklist). Boilerplate checks are not enough; this check needs to be > thorough. > > The shepherd has checked the nits. > > (12) Describe how the document meets any required formal review > criteria, such as the MIB Doctor, media type, and URI type reviews. > > There is no such review necessary. > > (13) Have all references within this document been identified as either > normative or informative? > > Yes. > > (14) Are there normative references to documents that are not ready for > advancement or are otherwise in an unclear state? If such normative > references exist, what is the plan for their completion? > > Yes. > > (15) Are there downward normative references references (see RFC 3967)? > If so, list these downward references to support the Area Director in > the Last Call procedure. > > RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational > RFC. A downref is required. > > However, this document depends on the completion of the abstract OAuth > assertion framework and on the JWT specification. > There are the following dependencies: > > (16) Will publication of this document change the status of any existing > RFCs? Are those RFCs listed on the title page header, listed in the > abstract, and discussed in the introduction? If the RFCs are not listed > in the Abstract and Introduction, explain why, and point to the part of > the document where the relationship of this document to the other RFCs > is discussed. If this information is not in the document, explain why > the WG considers it unnecessary. > > The publication of this document does not change the status of other RFCs. > > (17) Describe the Document Shepherd's review of the IANA considerations > section, especially with regard to its consistency with the body of the > document. Confirm that all protocol extensions that the document makes > are associated with the appropriate reservations in IANA registries. > Confirm that any referenced IANA registries have been clearly > identified. Confirm that newly created IANA registries include a > detailed specification of the initial contents for the registry, that > allocations procedures for future registrations are defined, and a > reasonable name for the new registry has been suggested (see RFC 5226). > > The document registers two sub-namespaces to the urn:ietf:params:oauth > URN established with RFC 6755. > > (18) List any new IANA registries that require Expert Review for future > allocations. Provide any public guidance that the IESG would find useful > in selecting the IANA Experts for these new registries. > > The document only adds entries to existing registries and does not > define any new registries. > > (19) Describe reviews and automated checks performed by the Document > Shepherd to validate sections of the document written in a formal > language, such as XML code, BNF rules, MIB definitions, etc. > > There are only snippets of message exchanges and JWT assertion > structures, which are based on JSON, used in the examples. There is no > pseudo code contained in the document that requires validation. > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --089e013c661459d98c04f7c8f350 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
I do not have, nor am I aware of any,=C2=A0IPR on any of the=C2=A0technology=C2=A0= in the=C2=A0document.

Couple of little things on the w= riteup:

"Writeup for "JSON Web Token (JWT) Profile for OAu= th 2.0 Client
Authentication and Authorization Grants" <draft-ietf-oauth-saml2-bearer-08>"=C2=A0 -> should have "= <draft-ietf-oauth-jwt-bearer-08>"

Does the answer to 14 need more explanation? There normative references to = drafts draft-ietf-oauth-assertions and draft-ietf-oauth-json-web-token (whi= ch depends on the JOSE work) but they are all expected to be advanced soon.=

Related, the answer for 15 has "T= here are the following dependencies:" at the end with nothing followin= g it.



On Wed, Apr 23, 2014 at 2:40 AM, Hannes = Tschofenig <hannes.tschofenig@gmx.net> wrote:
Hi all,

I am working on the shepherd writeup for the JWT bearer document. The
shepherd write-ups for the assertion draft and the SAML bearer document
have been completed a while ago already, see
http://www.ietf.org/mail-archive/web/oauth/current/msg1= 2410.html

A few requests:

- To the document authors: Please confirm that any and all appropriate
IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.

- To all: Are you aware of implementations of this specification? If so, I would like to reference them in my write-up.

- To all: Please also go through the text to make sure that I correctly
reflect the history and the status of this document.

Here is the most recent version of the write-up:
https://raw.githubusercontent.com/hannestschofenig/tschofenig-i= ds/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt


(The copy-and-paste of the full version is below.)

Ciao
Hannes

PS: Note that I have send a mail about a pending issue to the list. In
response to my question I will update the write-up accordingly.

----

Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client
Authentication and Authorization Grants" <draft-ietf-oauth-saml2-be= arer-08>

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)? Why is
this the proper type of RFC? Is this type of RFC indicated in the title
page header?

The RFC type is 'Standards Track' and the type is indicated in the = title
page. This document defines an instantiation for the OAuth assertion
framework using JSON Web Tokens.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved<= br> documents. The approval announcement contains the following sections:

Technical Summary:

=C2=A0 =C2=A0This specification defines the use of a JSON Web Token (JWT) B= earer
=C2=A0 =C2=A0Token as a means for requesting an OAuth 2.0 access token as w= ell as
=C2=A0 =C2=A0for use as a means of client authentication.

Working Group Summary:

Was there anything in WG process that is worth noting? For example, was
there controversy about particular points or were there decisions where
the consensus was particularly rough?

This document belongs to the OAuth assertion document bundle consisting
of the abstract OAuth assertion framework, and the SAML assertion
profile. Due to the use of the JSON-based encoding of the assertion it
also relies on the work in the JOSE working group (such as JWE/JWS)
indirectly through the use of the JWT. This document has intentionally
been kept in sync with the SAML-based version.

Document Quality:

This document has gone through many iterations and has received
substantial feedback.

[[Add implementation list here.]]

Personnel:

The document shepherd is Hannes Tschofenig and the responsible area
director is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd. If this version of the document is not ready for
publication, please explain why the document is being forwarded to the IESG= .

The draft authors believe that this document is ready for publication.
The document has had received review comments from working group
members, and from the OAuth working group chairs. These review comments
have been taken into account.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

This document has gotten feedback from the working group and given the
focused use cases it has received adequate review.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that took place.

Since the OAuth working group develops security protocols any feedback
from the security community is always appreciated.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

The shepherd has no concerns with this document.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why?

[[Confirmation from the authors required.]]

(8) Has an IPR disclosure been filed that references this document? If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been filed on this document. However, two IPRs
have been filed for the JWT specification this document relies on, see
http://datatra= cker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraft-ietf-oaut= h-json-web-token


(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

The working group has consensus to publish this document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No appeal or extreme discontent has been raised.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The shepherd has checked the nits.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

There is no such review necessary.

(13) Have all references within this document been identified as either
normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

Yes.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational
RFC. A downref is required.

However, this document depends on the completion of the abstract OAuth
assertion framework and on the JWT specification.
There are the following dependencies:

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction? If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs
is discussed. If this information is not in the document, explain why
the WG considers it unnecessary.

The publication of this document does not change the status of other RFCs.<= br>
(17) Describe the Document Shepherd's review of the IANA considerations=
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

The document registers two sub-namespaces to the urn:ietf:params:oauth
URN established with RFC 6755.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

The document only adds entries to existing registries and does not
define any new registries.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

There are only snippets of message exchanges and JWT assertion
structures, which are based on JSON, used in the examples. There is no
pseudo code contained in the document that requires validation.




_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--089e013c661459d98c04f7c8f350-- From nobody Thu Apr 24 05:31:32 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A6E61A01C1 for ; Thu, 24 Apr 2014 05:31:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTfO1d6D0DA1 for ; Thu, 24 Apr 2014 05:31:26 -0700 (PDT) Received: from na3sys009aog135.obsmtp.com (na3sys009aog135.obsmtp.com [74.125.149.84]) by ietfa.amsl.com (Postfix) with ESMTP id 0BA861A01B9 for ; Thu, 24 Apr 2014 05:31:26 -0700 (PDT) Received: from mail-ig0-f181.google.com ([209.85.213.181]) (using TLSv1) by na3sys009aob135.postini.com ([74.125.148.12]) with SMTP ID DSNKU1kEGMDr5zeWBJrf/OsSJx3pEbS6SdVZ@postini.com; Thu, 24 Apr 2014 05:31:20 PDT Received: by mail-ig0-f181.google.com with SMTP id h18so810684igc.2 for ; Thu, 24 Apr 2014 05:31:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=HVWxdb5p2HVv4X5rZc1fsfLJ6JB7Uw8smg0GpOtf25o=; b=QgBWjOfQi6qfHtC4DAiyPw3HH8mk4ARcrRH/23ft5JSshQwoNvssx+bHvJYTg9CqUw 359lpdD+jBUyOe9k0u6T96tCzHFKuUsbCOXcRykhw2lxUETVcOGdFwDGa6b+9ikvl1pS WRECGB6XNbiDyF0HVUZOzadOJZnhGOVmqNQr7PHiUeqsKeZe77qwpoGltHX2JeVWwJAu m/qGIAmIsuhlyweuXXYcOVglikhziNV0hOnmfJ8k1lHkOYm5TbxA/Z5Jr9hWMwycZwAS 1Yp0UcyY4emviYmdY3KB5Avpqr8BZ49G2v5WaG2KnBmyQT33ip5q74FCzuXYezkLchat 7B2A== X-Gm-Message-State: ALoCoQmSjRMSDyWO+OUxRJoiy87B8PoTvmslu3uQucIeJSCLjnw/69rtM6ufGwjIJixJNioIXIwIt7K2QPNDaxCfCjJ2QYyl1TWncemdazGhhZjcJNCIRmEpWeDgsobDQV2gbCrGSy7T X-Received: by 10.42.136.130 with SMTP id u2mr1451922ict.51.1398342679935; Thu, 24 Apr 2014 05:31:19 -0700 (PDT) X-Received: by 10.42.136.130 with SMTP id u2mr1451912ict.51.1398342679832; Thu, 24 Apr 2014 05:31:19 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Thu, 24 Apr 2014 05:30:49 -0700 (PDT) In-Reply-To: <5358B8BC.8000508@gmx.net> References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> From: Brian Campbell Date: Thu, 24 Apr 2014 06:30:49 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=90e6ba6e8c06b4c12f04f7c9066c Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/jIxpe9aprjKSgMczukz-XsP-laA Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 12:31:29 -0000 --90e6ba6e8c06b4c12f04f7c9066c Content-Type: text/plain; charset=UTF-8 There is some discussion of that case in the assertion framework document at http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 Do you feel that more is needed? If so, can you propose some text? On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi Brian, > > I read through the thread and the Google case is a bit different since > they are using the client authentication part of the JWT bearer spec. > There I don't see the privacy concerns either. > > I am, however, focused on the authorization grant where the subject is > in most cases the resource owner. > > It is possible to put garbage into the subject element when privacy > protection is needed for the resource owner case but that would need to > be described in the document; currently it is not there. > > Ciao > Hannes > > > On 04/24/2014 12:37 AM, Brian Campbell wrote: > > That thread that Antonio started which you reference went on for some > > time > > (http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) > > and seems to have reached consensus that the spec didn't need normative > > change and that such privacy cases or other cases which didn't > > explicitly need a subject identifier would be more appropriately dealt > > with in application logic: > > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html > > > > > > > > > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig > > > wrote: > > > > Hi all, > > > > in preparing the shepherd write-up for > draft-ietf-oauth-jwt-bearer-08 I > > had to review our recent email conversations and the issue raised by > > Antonio in > > http://www.ietf.org/mail-archive/web/oauth/current/msg12520.htmlbelong > > to it. > > > > The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-08 says: > > " > > 2. The JWT MUST contain a "sub" (subject) claim identifying the > > principal that is the subject of the JWT. Two cases need to > be > > differentiated: > > > > A. For the authorization grant, the subject SHOULD identify > an > > authorized accessor for whom the access token is being > > requested (typically the resource owner, or an authorized > > delegate). > > > > B. For client authentication, the subject MUST be the > > "client_id" of the OAuth client. > > " > > > > Antonio pointed to the current Google API to illustrate that the > subject > > is not always needed. Here is the Google API documentation: > > https://developers.google.com/accounts/docs/OAuth2ServiceAccount > > > > The Google API used the client authentication part (rather than the > > authorization grant), in my understanding. > > > > I still believe that the subject field has to be included for client > > authentication but I am not so sure anymore about the authorization > > grant since I could very well imagine cases where the subject is not > > needed for authorization decisions but also for privacy reasons. > > > > I would therefore suggest to change the text as follows: > > > > " > > 2. The JWT contains a "sub" (subject) claim identifying the > > principal that is the subject of the JWT. Two cases need to > be > > differentiated: > > > > A. For the authorization grant, the subject claim MAY > > be included. If it is included it MUST identify the > > authorized accessor for whom the access token is being > > requested (typically the resource owner, or an authorized > > delegate). Reasons for not including the subject claim > > in the JWT are identity hiding (i.e., privacy protection > > of the identifier of the subject) and cases where > > the identifier of the subject is irrelevant for making > > an authorization decision by the resource server. > > > > B. For client authentication, the subject MUST be the > > included in the JWT and the value MUST be populated > > with the "client_id" of the OAuth client. > > " > > > > What do you guys think? > > > > Ciao > > Hannes > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > --90e6ba6e8c06b4c12f04f7c9066c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
There is some discussion of that case in the assertio= n framework document at http://tools.ietf.org/html/draft-ietf-oaut= h-assertions-15#section-6.3.1

Do you feel that more is needed? If so, can you propose some text= ?


On= Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig <hannes.tschofeni= g@gmx.net> wrote:
Hi Brian,

I read through the thread and the Google case is a bit different since
they are using the client authentication part of the JWT bearer spec.
There I don't see the privacy concerns either.

I am, however, focused on the authorization grant where the subject is
in most cases the resource owner.

It is possible to put garbage into the subject element when privacy
protection is needed for the resource owner case but that would need to
be described in the document; currently it is not there.

Ciao
Hannes


On 04/24/2014 12:37 AM, Brian Campbell wrote:
> That thread that Antonio started which you reference went on for some<= br> > time
> (http://www.ietf.org/mail-archive/web/oauth/c= urrent/threads.html#12520)
> and seems to have reached consensus that the spec didn't need norm= ative
> change and that such privacy cases or other cases which didn't
> explicitly need a subject identifier would be more appropriately dealt=
> with in application logic:
> http://www.ietf.org/mail-archive/web/oauth/current= /msg12538.html
>
>
>
>
> On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>
> =C2=A0 =C2=A0 Hi all,
>
> =C2=A0 =C2=A0 in preparing the shepherd write-up for draft-ietf-oauth-= jwt-bearer-08 I
> =C2=A0 =C2=A0 had to review our recent email conversations and the iss= ue raised by
> =C2=A0 =C2=A0 Antonio in
> =C2=A0 =C2=A0 http://www.ietf.org/mail-archive/web= /oauth/current/msg12520.html belong
> =C2=A0 =C2=A0 to it.
>
> =C2=A0 =C2=A0 The issue was that Section 3 of draft-ietf-oauth-jwt-bea= rer-08 says:
> =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 =C2=A0 =C2=A02. =C2=A0 The JWT MUST contain a "sub&= quot; (subject) claim identifying the
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 principal that is the subjec= t of the JWT. =C2=A0Two cases need to be
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 differentiated:
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 A. =C2=A0For the authorizati= on grant, the subject SHOULD identify an
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized acc= essor for whom the access token is being
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 requested (typ= ically the resource owner, or an authorized
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 delegate).
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 B. =C2=A0For client authenti= cation, the subject MUST be the
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 "client_i= d" of the OAuth client.
> =C2=A0 =C2=A0 "
>
> =C2=A0 =C2=A0 Antonio pointed to the current Google API to illustrate = that the subject
> =C2=A0 =C2=A0 is not always needed. Here is the Google API documentati= on:
> =C2=A0 =C2=A0 https://developers.google.com/accoun= ts/docs/OAuth2ServiceAccount
>
> =C2=A0 =C2=A0 The Google API used the client authentication part (rath= er than the
> =C2=A0 =C2=A0 authorization grant), in my understanding.
>
> =C2=A0 =C2=A0 I still believe that the subject field has to be include= d for client
> =C2=A0 =C2=A0 authentication but I am not so sure anymore about the au= thorization
> =C2=A0 =C2=A0 grant since I could very well imagine cases where the su= bject is not
> =C2=A0 =C2=A0 needed for authorization decisions but also for privacy = reasons.
>
> =C2=A0 =C2=A0 I would therefore suggest to change the text as follows:=
>
> =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 =C2=A0 =C2=A02. =C2=A0 The JWT contains a "sub"= ; (subject) claim identifying the
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 principal that is the subjec= t of the JWT. =C2=A0Two cases need to be
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 differentiated:
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 A. =C2=A0For the authorizati= on grant, the subject claim MAY
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 be included. I= f it is included it MUST identify the
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized acc= essor for whom the access token is being
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 requested (typ= ically the resource owner, or an authorized
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 delegate). Rea= sons for not including the subject claim
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 in the JWT are= identity hiding (i.e., privacy protection
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 of the identif= ier of the subject) and cases where
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 the identifier= of the subject is irrelevant for making
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 an authorizati= on decision by the resource server.
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 B. =C2=A0For client authenti= cation, the subject MUST be the
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 included in th= e JWT and the value MUST be populated
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 with the "= ;client_id" of the OAuth client.
> =C2=A0 =C2=A0 "
>
> =C2=A0 =C2=A0 What do you guys think?
>
> =C2=A0 =C2=A0 Ciao
> =C2=A0 =C2=A0 Hannes
>
>
> =C2=A0 =C2=A0 _______________________________________________
> =C2=A0 =C2=A0 OAuth mailing list
> =C2=A0 =C2=A0 OAuth@ietf= .org <mailto:OAuth@ietf.org>= ;
> =C2=A0 =C2=A0 https://www.ietf.org/mailman/listinfo/oauth
>
>


--90e6ba6e8c06b4c12f04f7c9066c-- From nobody Thu Apr 24 05:38:08 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C0371A01B3 for ; Thu, 24 Apr 2014 05:38:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NwOZE5CoO5G for ; Thu, 24 Apr 2014 05:38:02 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 1FB931A01B0 for ; Thu, 24 Apr 2014 05:38:01 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M34eJ-1WwTrB0W19-00stLg; Thu, 24 Apr 2014 14:37:54 +0200 Message-ID: <535904B5.4040800@gmx.net> Date: Thu, 24 Apr 2014 14:33:57 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: <53577C73.2010201@gmx.net> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="0thXcG0kn5Pb9VBRqBOId4BqO9UIVTmAE" X-Provags-ID: V03:K0:FggydJPCC4v/jtgcRx1RumHxyT4XqLLDdbONVyAx9DXcd4Gcoyw Q59PvrqO5JINqrActfPqzZO/UJmjcaKVft4oL61q5Qh9D1cf3e902OyuYgO/wUy2rrevXoK 0DMXvFhu0C+lRHABP0VZeiiNVpoUOkAro9Mx9e26XDTJaJbSs5rR3wWyoc1z/+ZLWmBDSV+ oqBn4/+qubvD2p6nAsCLw== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/lh0PehkcSTrkjFp96mopLBQ5OzQ Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 12:38:06 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --0thXcG0kn5Pb9VBRqBOId4BqO9UIVTmAE Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Brian, thanks for the quick response. On 04/24/2014 02:25 PM, Brian Campbell wrote: > I do not have, nor am I aware of any, IPR on any of the technology in > the document. >=20 > Couple of little things on the writeup: >=20 > "Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client > Authentication and Authorization Grants" bearer-08>" -> should have "" Fixed. >=20 > Does the answer to 14 need more explanation? There normative references= > to drafts draft-ietf-oauth-assertions and > draft-ietf-oauth-json-web-token (which depends on the JOSE work) but > they are all expected to be advanced soon. Added text. >=20 > Related, the answer for 15 has "There are the following dependencies:" > at the end with nothing following it. >=20 Fixed. Updated version is here: https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/= shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt Ciao Hannes >=20 >=20 > On Wed, Apr 23, 2014 at 2:40 AM, Hannes Tschofenig > > wrote: >=20 > Hi all, >=20 > I am working on the shepherd writeup for the JWT bearer document. T= he > shepherd write-ups for the assertion draft and the SAML bearer docu= ment > have been completed a while ago already, see > http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html >=20 > A few requests: >=20 > - To the document authors: Please confirm that any and all appropri= ate > IPR disclosures required for full conformance with the provisions o= f BCP > 78 and BCP 79 have already been filed. >=20 > - To all: Are you aware of implementations of this specification? I= f so, > I would like to reference them in my write-up. >=20 > - To all: Please also go through the text to make sure that I corre= ctly > reflect the history and the status of this document. >=20 > Here is the most recent version of the write-up: > https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/m= aster/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt >=20 >=20 > (The copy-and-paste of the full version is below.) >=20 > Ciao > Hannes >=20 > PS: Note that I have send a mail about a pending issue to the list.= In > response to my question I will update the write-up accordingly. >=20 > ---- >=20 > Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client > Authentication and Authorization Grants" > >=20 > (1) What type of RFC is being requested (BCP, Proposed Standard, > Internet Standard, Informational, Experimental, or Historic)? Why i= s > this the proper type of RFC? Is this type of RFC indicated in the t= itle > page header? >=20 > The RFC type is 'Standards Track' and the type is indicated in the = title > page. This document defines an instantiation for the OAuth assertio= n > framework using JSON Web Tokens. >=20 > (2) The IESG approval announcement includes a Document Announcement= > Write-Up. Please provide such a Document Announcement Write-Up. Rec= ent > examples can be found in the "Action" announcements for approved > documents. The approval announcement contains the following section= s: >=20 > Technical Summary: >=20 > This specification defines the use of a JSON Web Token (JWT) Bea= rer > Token as a means for requesting an OAuth 2.0 access token as wel= l as > for use as a means of client authentication. >=20 > Working Group Summary: >=20 > Was there anything in WG process that is worth noting? For example,= was > there controversy about particular points or were there decisions w= here > the consensus was particularly rough? >=20 > This document belongs to the OAuth assertion document bundle consis= ting > of the abstract OAuth assertion framework, and the SAML assertion > profile. Due to the use of the JSON-based encoding of the assertion= it > also relies on the work in the JOSE working group (such as JWE/JWS)= > indirectly through the use of the JWT. This document has intentiona= lly > been kept in sync with the SAML-based version. >=20 > Document Quality: >=20 > This document has gone through many iterations and has received > substantial feedback. >=20 > [[Add implementation list here.]] >=20 > Personnel: >=20 > The document shepherd is Hannes Tschofenig and the responsible area= > director is Kathleen Moriarty. >=20 > (3) Briefly describe the review of this document that was performed= by > the Document Shepherd. If this version of the document is not ready= for > publication, please explain why the document is being forwarded to > the IESG. >=20 > The draft authors believe that this document is ready for publicati= on. > The document has had received review comments from working group > members, and from the OAuth working group chairs. These review comm= ents > have been taken into account. >=20 > (4) Does the document Shepherd have any concerns about the depth or= > breadth of the reviews that have been performed? >=20 > This document has gotten feedback from the working group and given = the > focused use cases it has received adequate review. >=20 > (5) Do portions of the document need review from a particular or fr= om > broader perspective, e.g., security, operational complexity, AAA, D= NS, > DHCP, XML, or internationalization? If so, describe the review that= took > place. >=20 > Since the OAuth working group develops security protocols any feedb= ack > from the security community is always appreciated. >=20 > (6) Describe any specific concerns or issues that the Document Shep= herd > has with this document that the Responsible Area Director and/or th= e > IESG should be aware of? For example, perhaps he or she is uncomfor= table > with certain parts of the document, or has concerns whether there r= eally > is a need for it. In any event, if the WG has discussed those issue= s and > has indicated that it still wishes to advance the document, detail = those > concerns here. >=20 > The shepherd has no concerns with this document. >=20 > (7) Has each author confirmed that any and all appropriate IPR > disclosures required for full conformance with the provisions of BC= P 78 > and BCP 79 have already been filed. If not, explain why? >=20 > [[Confirmation from the authors required.]] >=20 > (8) Has an IPR disclosure been filed that references this document?= If > so, summarize any WG discussion and conclusion regarding the IPR > disclosures. >=20 > No IPR disclosures have been filed on this document. However, two I= PRs > have been filed for the JWT specification this document relies on, = see > http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id= =3Ddraft-ietf-oauth-json-web-token >=20 >=20 > (9) How solid is the WG consensus behind this document? Does it > represent the strong concurrence of a few individuals, with others = being > silent, or does the WG as a whole understand and agree with it? >=20 > The working group has consensus to publish this document. >=20 > (10) Has anyone threatened an appeal or otherwise indicated extreme= > discontent? If so, please summarise the areas of conflict in separa= te > email messages to the Responsible Area Director. (It should be in a= > separate email because this questionnaire is publicly available.) >=20 > No appeal or extreme discontent has been raised. >=20 > (11) Identify any ID nits the Document Shepherd has found in this > document. (See http://www.ietf.org/tools/idnits/ and the Internet-D= rafts > Checklist). Boilerplate checks are not enough; this check needs to = be > thorough. >=20 > The shepherd has checked the nits. >=20 > (12) Describe how the document meets any required formal review > criteria, such as the MIB Doctor, media type, and URI type reviews.= >=20 > There is no such review necessary. >=20 > (13) Have all references within this document been identified as ei= ther > normative or informative? >=20 > Yes. >=20 > (14) Are there normative references to documents that are not ready= for > advancement or are otherwise in an unclear state? If such normative= > references exist, what is the plan for their completion? >=20 > Yes. >=20 > (15) Are there downward normative references references (see RFC 39= 67)? > If so, list these downward references to support the Area Director = in > the Last Call procedure. >=20 > RFC 6755 defines the urn:ietf:params:oauth URN and is an Informatio= nal > RFC. A downref is required. >=20 > However, this document depends on the completion of the abstract OA= uth > assertion framework and on the JWT specification. > There are the following dependencies: >=20 > (16) Will publication of this document change the status of any exi= sting > RFCs? Are those RFCs listed on the title page header, listed in the= > abstract, and discussed in the introduction? If the RFCs are not li= sted > in the Abstract and Introduction, explain why, and point to the par= t of > the document where the relationship of this document to the other R= FCs > is discussed. If this information is not in the document, explain w= hy > the WG considers it unnecessary. >=20 > The publication of this document does not change the status of othe= r > RFCs. >=20 > (17) Describe the Document Shepherd's review of the IANA considerat= ions > section, especially with regard to its consistency with the body of= the > document. Confirm that all protocol extensions that the document ma= kes > are associated with the appropriate reservations in IANA registries= =2E > Confirm that any referenced IANA registries have been clearly > identified. Confirm that newly created IANA registries include a > detailed specification of the initial contents for the registry, th= at > allocations procedures for future registrations are defined, and a > reasonable name for the new registry has been suggested (see RFC 52= 26). >=20 > The document registers two sub-namespaces to the urn:ietf:params:oa= uth > URN established with RFC 6755. >=20 > (18) List any new IANA registries that require Expert Review for fu= ture > allocations. Provide any public guidance that the IESG would find u= seful > in selecting the IANA Experts for these new registries. >=20 > The document only adds entries to existing registries and does not > define any new registries. >=20 > (19) Describe reviews and automated checks performed by the Documen= t > Shepherd to validate sections of the document written in a formal > language, such as XML code, BNF rules, MIB definitions, etc. >=20 > There are only snippets of message exchanges and JWT assertion > structures, which are based on JSON, used in the examples. There is= no > pseudo code contained in the document that requires validation. >=20 >=20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 --0thXcG0kn5Pb9VBRqBOId4BqO9UIVTmAE Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWQS1AAoJEGhJURNOOiAtPrcIAJaPj0dPKwwvrixGX2mNek2k 7tkiQJsEcYjOpegWMJjzYvJN9u0iUtkb2Ax8zqijKYVmeGoTx0emB/DY4UlXKwM1 exgCov9/ILFgXps3rnBxMfkBXkCgdpG3roexsa/hNhqivNLA292HvE4BwxGVt4ps NsOLIS3V/rU6k8YTa8Bm+c2iaoJ9lHmPyZOeXtFY/XJSRQ1qHRUluWSKmJDaNIhN aol0KtEn2MV4mu74QATbuMljAjvv0YcB2nAfyOJVafx1/mKBacFFBiqErnAz9P7B QvGlT6WIddxIX/ABqWN9vCbWaw974pYX7Tt2GorrmyCRYGoKlKxQQZ2W6TUT/h4= =Rcjg -----END PGP SIGNATURE----- --0thXcG0kn5Pb9VBRqBOId4BqO9UIVTmAE-- From nobody Thu Apr 24 05:45:21 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AC241A01BA for ; Thu, 24 Apr 2014 05:45:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XI7-Rm2_dMq3 for ; Thu, 24 Apr 2014 05:45:09 -0700 (PDT) Received: from na3sys009aog123.obsmtp.com (na3sys009aog123.obsmtp.com [74.125.149.149]) by ietfa.amsl.com (Postfix) with ESMTP id 8AE5A1A01B3 for ; Thu, 24 Apr 2014 05:45:06 -0700 (PDT) Received: from mail-ie0-f170.google.com ([209.85.223.170]) (using TLSv1) by na3sys009aob123.postini.com ([74.125.148.12]) with SMTP ID DSNKU1kHTJSnGCmaWDj7oXwqbh1ZlSXzPQT1@postini.com; Thu, 24 Apr 2014 05:45:00 PDT Received: by mail-ie0-f170.google.com with SMTP id rd18so2311240iec.15 for ; Thu, 24 Apr 2014 05:45:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=rCpFk8YI9V6Jst7/CgW6gWtnyWXDR4xe5M2LXafyFxA=; b=OBnoKYgNISSvHHfExj7NDzF4vd59r0ERLwIshJtqHDvsmDMmN5mUuLCvEueuuFlX99 Qt7AvYYRkqAF8wTMgG/uHi4hmVyIO73CxIshe0bXgtuMdHGFtA8xB8Sl2scSSFr8XLpT 9hEoYgdePGwS41VyPXJWtcaS5XylZnivTNyLmL/SC44l7fi25HSNHM/73/siDm+6c4CG vKrYvzv/aPaQl+mz1+/qSkmv5z2A2lViCzu2ZhAKJqjjTepudpbSYKgKb7xaI3njD3AH vFDXucCqarRkAVZYsa0ygoLZscAUSpNTssKn6GwlO1XEOZHeQIWWPTIdLs/b+rRqJD43 tHvw== X-Gm-Message-State: ALoCoQmXnb3nHK0hBi4by0NgT+vitjlpO/d+Et4zY9ySE0k4FKl+xIvDT8t8a1iKc1CO2g16Oqac8KknFnxmh/75MSSw7pXWziOSCxfZqxGXRufEnMVCTwqhl4QSIg+vQY9ZfN+G6WbV X-Received: by 10.42.136.130 with SMTP id u2mr1528148ict.51.1398343500447; Thu, 24 Apr 2014 05:45:00 -0700 (PDT) X-Received: by 10.42.136.130 with SMTP id u2mr1528139ict.51.1398343500360; Thu, 24 Apr 2014 05:45:00 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Thu, 24 Apr 2014 05:44:30 -0700 (PDT) In-Reply-To: <5358D4B2.1070500@gmx.net> References: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> <5357EF2E.1020503@mitre.org> <5358D4B2.1070500@gmx.net> From: Brian Campbell Date: Thu, 24 Apr 2014 06:44:30 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=90e6ba6e8c069cfbdb04f7c937b6 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/CietKoY7WbK6rNLjz55AG8lVWfs Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 12:45:17 -0000 --90e6ba6e8c069cfbdb04f7c937b6 Content-Type: text/plain; charset=UTF-8 Perhaps it'd be more appropriate for this introspection endpoint to say that it accepts the same client authentication mechanisms as the token endpoint rather than describing specific methods itself in the document? On Thu, Apr 24, 2014 at 3:09 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi Brian, > > does it sound reasonable for you to add text to the token introspection > endpoint regarding the use of the JWT bearer assertion for the token > introspection endpoint? > > Ciao > Hannes > > On 04/24/2014 12:58 AM, Brian Campbell wrote: > > Just to pile on here - the Assertions draft(s) do define client > > assertion authentication only for the token endpoint (and register token > > endpoint parameters). But it certainly doesn't preclude it from being > > profiled for use elsewhere. > > > > FWIW we used the token endpoint in our implementation of token > > introspection/validation partly because all supported forms of client > > authentication come along for free by doing so. My esteemed colleague, > > Dr. Paul Madsen, posted a rough draft of what we've implemented in > > product a while back: > > http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html > > > > > > On Wed, Apr 23, 2014 at 10:49 AM, Justin Richer > > wrote: > > > > For introspection, we really just wanted to say "you can > > authenticate the caller (client or RP) just like you would to the > > token endpoint". So if you've got the means to do that with the > > assertion draft or with client secrets or TLS certs or anything > > else, go for it. I would not read the text of the assertions draft > > as restricting this other use case. > > > > -- Justin > > > > > > On 04/23/2014 12:42 PM, Mike Jones wrote: > > > > The assertions draft is only trying to describe how to perform > > assertion-based authentication at the Token Endpoint. Other > > drafts, such as the introspection draft, could explicitly say > > that this can also be done in the same manner there, but that's > > an extension, and should be specified by the extension draft, if > > appropriate - not in the assertions draft. > > > > Justin may have more to say about the applicability or lack of > > it to the introspection draft, but I'm personally not familiar > > with it. > > > > -- Mike > > > > -----Original Message----- > > From: OAuth [mailto:oauth-bounces@ietf.org > > __] On Behalf Of Hannes > Tschofenig > > Sent: Wednesday, April 23, 2014 5:09 AM > > To: oauth@ietf.org > > Subject: [OAUTH-WG] Assertions: Client authentication for > > non-token endpoints? > > > > Hi all, > > > > in a discussion about re-using the client authentication part of > > the assertion framework for other specifications currently in > > progress I ran into the following question: > > > > Section 6.1 of > > http://tools.ietf.org/html/__draft-ietf-oauth-assertions-15 > > > > talks about the client using the assertion with the **token > > endpoint**. > > > > Now, it appears that one cannot use the client authentication > > with other endpoints, such as the introspection endpoint defined > in > > > http://tools.ietf.org/html/__draft-richer-oauth-__introspection-04#section-2 > > < > http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2> > > > > Am I reading too much into Section 6.1 of the assertion draft? > > > > Ciao > > Hannes > > > > _________________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/__listinfo/oauth > > > > > > > > _________________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/__listinfo/oauth > > > > > > > > --90e6ba6e8c069cfbdb04f7c937b6 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Perhaps it'd be more appropriate for this introspectio= n endpoint to say that it accepts the same client authentication mechanisms= as the token endpoint rather than describing specific methods itself in th= e document?


On Thu,= Apr 24, 2014 at 3:09 AM, Hannes Tschofenig <hannes.tschofenig@g= mx.net> wrote:
Hi Brian,

does it sound reasonable for you to add text to the token introspection
endpoint regarding the use of the JWT bearer assertion for the token
introspection endpoint?

Ciao
Hannes

On 04/24/2014 12:58 AM, Brian Campbell wrote:
> Just to pile on here - the Assertions draft(s) do define client
> assertion authentication only for the token endpoint (and register tok= en
> endpoint parameters). But it certainly doesn't preclude it from be= ing
> profiled for use elsewhere.
>
> FWIW we used the token endpoint in our implementation of token
> introspection/validation partly because all supported forms of client<= br> > authentication come along for free by doing so. My esteemed colleague,=
> Dr. Paul Madsen, posted a rough draft of what we've implemented in=
> product a while back:
> http://www.ietf.org/mail-archive/web/oauth/current= /msg08607.html
>
>
> On Wed, Apr 23, 2014 at 10:49 AM, Justin Richer <jricher@mitre.org
> <mailto:= jricher@mitre.org>> wrote:
>
> =C2=A0 =C2=A0 For introspection, we really just wanted to say "yo= u can
> =C2=A0 =C2=A0 authenticate the caller (client or RP) just like you wou= ld to the
> =C2=A0 =C2=A0 token endpoint". So if you've got the means to = do that with the
> =C2=A0 =C2=A0 assertion draft or with client secrets or TLS certs or a= nything
> =C2=A0 =C2=A0 else, go for it. I would not read the text of the assert= ions draft
> =C2=A0 =C2=A0 as restricting this other use case.
>
> =C2=A0 =C2=A0 =C2=A0-- Justin
>
>
> =C2=A0 =C2=A0 On 04/23/2014 12:42 PM, Mike Jones wrote:
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 The assertions draft is only trying to des= cribe how to perform
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 assertion-based authentication at the Toke= n Endpoint. =C2=A0Other
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 drafts, such as the introspection draft, c= ould explicitly say
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 that this can also be done in the same man= ner there, but that's
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 an extension, and should be specified by t= he extension draft, if
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 appropriate - not in the assertions draft.=
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 Justin may have more to say about the appl= icability or lack of
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 it to the introspection draft, but I'm= personally not familiar
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 with it.
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 -- Mi= ke
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 -----Original Message-----
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 From: OAuth [mailto:oauth-bounces@ietf.org
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 <mailto:oauth-bounces@ietf.org>__] On Beh= alf Of Hannes Tschofenig
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 Sent: Wednesday, April 23, 2014 5:09 AM
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 To: oauth@ietf.org <mailto:oauth@ietf.org>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 Subject: [OAUTH-WG] Assertions: Client aut= hentication for
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 non-token endpoints?
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 Hi all,
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 in a discussion about re-using the client = authentication part of
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 the assertion framework for other specific= ations currently in
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 progress I ran into the following question= :
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 Section 6.1 of
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 http://tools.ietf.org= /html/__draft-ietf-oauth-assertions-15
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 <http://to= ols.ietf.org/html/draft-ietf-oauth-assertions-15>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 talks about the client using the assertion= with the **token
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 endpoint**.
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 Now, it appears that one cannot use the cl= ient authentication
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 with other endpoints, such as the introspe= ction endpoint defined in
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 http= ://tools.ietf.org/html/__draft-richer-oauth-__introspection-04#section-2
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 <http://tools.ietf.org/html/draft-richer-oauth-introspection-04#sectio= n-2>
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 Am I reading too much into Section 6.1 of = the assertion draft?
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 Ciao
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 Hannes
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 ____________________________________= _____________
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 OAuth mailing list
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 OAuth@ie= tf.org <mailto:OAuth@ietf.org&= gt;
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 https://www.ietf.org/mailman/__listinfo/o= auth
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 <https://www.ietf.org/mailman/listinfo/o= auth>
>
>
> =C2=A0 =C2=A0 _________________________________________________
> =C2=A0 =C2=A0 OAuth mailing list
> =C2=A0 =C2=A0 OAuth@ietf.org <= ;mailto:OAuth@ietf.org>
> =C2=A0 =C2=A0 https://www.ietf.org/mailman/__listinfo/oauth
> =C2=A0 =C2=A0 <https://www.ietf.org/mailman/listinfo/oauth> >
>


--90e6ba6e8c069cfbdb04f7c937b6-- From nobody Thu Apr 24 05:52:30 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D07BB1A01D5 for ; Thu, 24 Apr 2014 05:52:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F6anJPo6OqQx for ; Thu, 24 Apr 2014 05:52:20 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 705921A0176 for ; Thu, 24 Apr 2014 05:52:20 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MbsV8-1WNQwX3PfC-00JNdX; Thu, 24 Apr 2014 14:52:12 +0200 Message-ID: <53590810.8000503@gmx.net> Date: Thu, 24 Apr 2014 14:48:16 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="41NaeWCBmvH5Dxh8uSsinvOhdq4LPww6w" X-Provags-ID: V03:K0:s0x+H0/SV3kpzDMsB6ej3bZ2/zU38srI8O7JkQrEi/zatFlPKPR puw1qLo+BKaQnUUBQPnkLs2/9ReBxHb/GRtO+5PAUiQlWgRcqKIKnVLqErAJwJzoLLrCBxT AbRcd2VTKItz4hBLRIHlsNYtZrKVlapvrN9mKR6Hbdl25Uj2Lo99tFaZLZ5k346tICNuzi8 FXi4LSgxqCickYguuXIoQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/0LXDYkeVIywPYJB-TifEPpkwitM Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 12:52:25 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --41NaeWCBmvH5Dxh8uSsinvOhdq4LPww6w Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Brian, Thanks for pointing to the assertion framework document. Re-reading the text it appears that we have listed the case that in Section 6.3.1 but have forgotten to cover it elsewhere in the document. In Section 6.3.1 we say: " 6.3.1. Client Acting on Behalf of an Anonymous User When a client is accessing resources on behalf of an anonymous user, the Subject indicates to the Authorization Server that the client is acting on-behalf of an anonymous user as defined by the Authorization Server. It is implied that authorization is based upon additional criteria, such as additional attributes or claims provided in the assertion. For example, a client may present an assertion from a trusted issuer asserting that the bearer is over 18 via an included claim. ***** In this case, no additional information about the user's identity is included, yet all the data needed to issue an access token is present. ***** " (I marked the relevant part with '***') In Section 5.2, however, we say: o The assertion MUST contain a Subject. The Subject identifies an authorized accessor for which the access token is being requested (typically the resource owner, or an authorized delegate). When the client is acting on behalf of itself, the Subject MUST be the value of the client's "client_id". What we should have done in Section 5.2 is to expand the cases inline with what we have written in Section 6. Here is my proposed text: " o The assertion MUST contain a Subject. The Subject identifies an authorized accessor for which the access token is being requested (typically the resource owner, or an authorized delegate). When the client is acting on behalf of itself, as described in Section 6.1 and Section 6.2, the Subject MUST be the value of the client's "client_id". When the client is acting on behalf of an user, as described in Section 6.3, the Subject element MUST be included in the assertion and identifies an authorized accessor for which the access token is being requested. When the client is acting on behalf of an anonymous user, as described in Section 6.3.1, the Subject element MUST NOT be included in the assertion. Other elements within the assertion will, however, provide enough information for the authorization server to make an authorization decision. " Does this make sense to you? Ciao Hannes On 04/24/2014 02:30 PM, Brian Campbell wrote: > There is some discussion of that case in the assertion framework > document at > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1= >=20 > Do you feel that more is needed? If so, can you propose some text? >=20 >=20 > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig > > wrote: >=20 > Hi Brian, >=20 > I read through the thread and the Google case is a bit different si= nce > they are using the client authentication part of the JWT bearer spe= c. > There I don't see the privacy concerns either. >=20 > I am, however, focused on the authorization grant where the subject= is > in most cases the resource owner. >=20 > It is possible to put garbage into the subject element when privacy= > protection is needed for the resource owner case but that would nee= d to > be described in the document; currently it is not there. >=20 > Ciao > Hannes >=20 >=20 > On 04/24/2014 12:37 AM, Brian Campbell wrote: > > That thread that Antonio started which you reference went on for = some > > time > > > (http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12= 520) > > and seems to have reached consensus that the spec didn't need > normative > > change and that such privacy cases or other cases which didn't > > explicitly need a subject identifier would be more appropriately = dealt > > with in application logic: > > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html > > > > > > > > > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig > > > >> wrote: > > > > Hi all, > > > > in preparing the shepherd write-up for > draft-ietf-oauth-jwt-bearer-08 I > > had to review our recent email conversations and the issue > raised by > > Antonio in > > =20 > http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html be= long > > to it. > > > > The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-0= 8 > says: > > " > > 2. The JWT MUST contain a "sub" (subject) claim > identifying the > > principal that is the subject of the JWT. Two cases > need to be > > differentiated: > > > > A. For the authorization grant, the subject SHOULD > identify an > > authorized accessor for whom the access token is = being > > requested (typically the resource owner, or an > authorized > > delegate). > > > > B. For client authentication, the subject MUST be th= e > > "client_id" of the OAuth client. > > " > > > > Antonio pointed to the current Google API to illustrate that > the subject > > is not always needed. Here is the Google API documentation: > > https://developers.google.com/accounts/docs/OAuth2ServiceAcco= unt > > > > The Google API used the client authentication part (rather > than the > > authorization grant), in my understanding. > > > > I still believe that the subject field has to be included for= > client > > authentication but I am not so sure anymore about the > authorization > > grant since I could very well imagine cases where the subject= > is not > > needed for authorization decisions but also for privacy reaso= ns. > > > > I would therefore suggest to change the text as follows: > > > > " > > 2. The JWT contains a "sub" (subject) claim identifying = the > > principal that is the subject of the JWT. Two cases > need to be > > differentiated: > > > > A. For the authorization grant, the subject claim MA= Y > > be included. If it is included it MUST identify t= he > > authorized accessor for whom the access token is = being > > requested (typically the resource owner, or an > authorized > > delegate). Reasons for not including the subject = claim > > in the JWT are identity hiding (i.e., privacy > protection > > of the identifier of the subject) and cases where= > > the identifier of the subject is irrelevant for m= aking > > an authorization decision by the resource server.= > > > > B. For client authentication, the subject MUST be th= e > > included in the JWT and the value MUST be populat= ed > > with the "client_id" of the OAuth client. > > " > > > > What do you guys think? > > > > Ciao > > Hannes > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > > https://www.ietf.org/mailman/listinfo/oauth > > > > >=20 >=20 --41NaeWCBmvH5Dxh8uSsinvOhdq4LPww6w Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWQgQAAoJEGhJURNOOiAt03oH/0vTYwkXRSDNvtGk6Fk4ckuM 1pOr5A124hD0kdowDdtQdYykkt/8X0PUb/hpUsyPj2fqxrB7HR+EXAaF6PWZV4nJ zTNSohXIwQlwAxBKiKAXm8wrx4RLPBNbJezI4zG/It9d0Iv6MJJKQ9yEf3u3ASt8 ZSsXDtzHo3N0GhzHVjFYPVs551yrlT/yUVESkuLdHlgtHOmhFS2zjsE86euU5VEa VcizjzOwZquC2R46Y1YAcV99bmXmcPWes/mW+gMXZ/AiwIfAsW0Y2F005CItZItM ixR7cPdg3qsAj+sW/QbAquxLFK2UNb6mGlolzb0irGk21lVmNlUbov8vIZlzGFo= =XshG -----END PGP SIGNATURE----- --41NaeWCBmvH5Dxh8uSsinvOhdq4LPww6w-- From nobody Thu Apr 24 05:54:19 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3DFD1A01D6 for ; Thu, 24 Apr 2014 05:54:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z_F_cSya4sk3 for ; Thu, 24 Apr 2014 05:54:08 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 27C6C1A0176 for ; Thu, 24 Apr 2014 05:54:08 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0M3vCA-1WvfKI3oTC-00rcKY; Thu, 24 Apr 2014 14:53:57 +0200 Message-ID: <53590879.9060006@gmx.net> Date: Thu, 24 Apr 2014 14:50:01 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> <5357EF2E.1020503@mitre.org> <5358D4B2.1070500@gmx.net> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="PcRwd05EK4UEbeIO9nGxe19AKMDIhDfhQ" X-Provags-ID: V03:K0:6TpBDlxgJ4YGTGsMTz00nJhFidDWxYeIUKrtK4OxNPqAyIFF/27 B2EnHtbVSdKeEkMFn9asFGxtvg57yigdNbd4Jfw30zd5LTTqHUTo5mk4mOu5+dqhbb7x3X+ OfRy0TMAAutENaTMVDKsBu7bzVCX6Uuy4BQOW+4m8hQr/CeTQPJTO1871uJyXZKYxYdaaQ6 Br7qal0IAO6BO1Qzw7bbQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/3OBtxM7LBCQ7aNlDsjbNUfIlMqM Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 12:54:12 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --PcRwd05EK4UEbeIO9nGxe19AKMDIhDfhQ Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable I will leave it to Justin to come up with the right wording. Ideally, we shouldn't have too many ways for the resource server to authenticate to the authorization server to avoid interoperability problems. On 04/24/2014 02:44 PM, Brian Campbell wrote: > Perhaps it'd be more appropriate for this introspection endpoint to say= > that it accepts the same client authentication mechanisms as the token > endpoint rather than describing specific methods itself in the document= ? >=20 >=20 > On Thu, Apr 24, 2014 at 3:09 AM, Hannes Tschofenig > > wrote: >=20 > Hi Brian, >=20 > does it sound reasonable for you to add text to the token introspec= tion > endpoint regarding the use of the JWT bearer assertion for the toke= n > introspection endpoint? >=20 > Ciao > Hannes >=20 > On 04/24/2014 12:58 AM, Brian Campbell wrote: > > Just to pile on here - the Assertions draft(s) do define client > > assertion authentication only for the token endpoint (and registe= r > token > > endpoint parameters). But it certainly doesn't preclude it from b= eing > > profiled for use elsewhere. > > > > FWIW we used the token endpoint in our implementation of token > > introspection/validation partly because all supported forms of cl= ient > > authentication come along for free by doing so. My esteemed colle= ague, > > Dr. Paul Madsen, posted a rough draft of what we've implemented i= n > > product a while back: > > http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html > > > > > > On Wed, Apr 23, 2014 at 10:49 AM, Justin Richer > > >> wrote: > > > > For introspection, we really just wanted to say "you can > > authenticate the caller (client or RP) just like you would to= the > > token endpoint". So if you've got the means to do that with t= he > > assertion draft or with client secrets or TLS certs or anythi= ng > > else, go for it. I would not read the text of the assertions = draft > > as restricting this other use case. > > > > -- Justin > > > > > > On 04/23/2014 12:42 PM, Mike Jones wrote: > > > > The assertions draft is only trying to describe how to pe= rform > > assertion-based authentication at the Token Endpoint. Ot= her > > drafts, such as the introspection draft, could explicitly= say > > that this can also be done in the same manner there, but > that's > > an extension, and should be specified by the extension > draft, if > > appropriate - not in the assertions draft. > > > > Justin may have more to say about the applicability or la= ck of > > it to the introspection draft, but I'm personally not fam= iliar > > with it. > > > > -- Mike > > > > -----Original Message----- > > From: OAuth [mailto:oauth-bounces@ietf.org > > > >__] On Behalf Of Hannes Tschofenig > > Sent: Wednesday, April 23, 2014 5:09 AM > > To: oauth@ietf.org > > > > Subject: [OAUTH-WG] Assertions: Client authentication for= > > non-token endpoints? > > > > Hi all, > > > > in a discussion about re-using the client authentication > part of > > the assertion framework for other specifications currentl= y in > > progress I ran into the following question: > > > > Section 6.1 of > > http://tools.ietf.org/html/__draft-ietf-oauth-assertions-= 15 > > > > talks about the client using the assertion with the **tok= en > > endpoint**. > > > > Now, it appears that one cannot use the client authentica= tion > > with other endpoints, such as the introspection endpoint > defined in > > =20 > http://tools.ietf.org/html/__draft-richer-oauth-__introspection-04#= section-2 > > =20 > > > > > Am I reading too much into Section 6.1 of the assertion d= raft? > > > > Ciao > > Hannes > > > > _________________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > > > https://www.ietf.org/mailman/__listinfo/oauth > > > > > > > > _________________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > > https://www.ietf.org/mailman/__listinfo/oauth > > > > > > >=20 >=20 --PcRwd05EK4UEbeIO9nGxe19AKMDIhDfhQ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWQh5AAoJEGhJURNOOiAtOFgH/0RqaLQqw4JOgG4P8UvRmj4P 4XuhOvC75dMgJl/OmMoWMXBuUJGZa66/5Hq/x7SW57hNZOrBNvQbdIiZFIOI6Kpu 6R0MC8hdlqRtcvqUY0edodg7lVQopbJ5VRxi9spgp601jUSyDDSxFVe2j1AzWZXl jixTLh/wEyzSUSZL1qxLQiXN+JF7gENbXLNq9nIHExZ9tkgOfQrt5kXwmHtoTGqF Z5Mdpdr8CRJ2FIOR0zNbxKrgSf05rOZyxwKxmfG8PtisDs6MrigEkPpihPSpkail 6jNL1n/g1i4TRHwyrdFhg8Dx9wJptiF/s5NctmJrCX/yJB7psPa04DUn1JX4inM= =HwZb -----END PGP SIGNATURE----- --PcRwd05EK4UEbeIO9nGxe19AKMDIhDfhQ-- From nobody Thu Apr 24 06:46:23 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9753C1A01DC for ; Thu, 24 Apr 2014 06:46:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.472 X-Spam-Level: X-Spam-Status: No, score=-4.472 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VfTasuIR_dGq for ; Thu, 24 Apr 2014 06:46:15 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 3966A1A019B for ; Thu, 24 Apr 2014 06:46:15 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1685A1F0894; Thu, 24 Apr 2014 09:46:09 -0400 (EDT) Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 0AE9C1F0886; Thu, 24 Apr 2014 09:46:09 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 24 Apr 2014 09:46:08 -0400 Message-ID: <53591579.9090103@mitre.org> Date: Thu, 24 Apr 2014 09:45:29 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hannes Tschofenig , "oauth@ietf.org" References: <5357BB37.1080803@gmx.net> <5357D4FF.5040800@mitre.org> <5358D170.1060303@gmx.net> In-Reply-To: <5358D170.1060303@gmx.net> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/03iOAebYpjVh2wIrGaFo4A6byOE Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-16 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 13:46:19 -0000 On 04/24/2014 04:55 AM, Hannes Tschofenig wrote: > Hi Justin, > > thanks for the quick feedback. > > A few remarks below. > >>> - Protocol Flow >>> >>> In Figure 1 you show the client and the developer in the same box. The >>> protocol defined in the specification clearly runs between a client and >>> client registration endpoint at an authorization server. So, I would >>> suggest to put the developer (which is a human) outside the box and to >>> draw another box around the client registration endpoint to indicate >>> that this is part of the authorization server. >> There are two known modes of deployment for this protocol: either the >> client calls the registration endpoint directly and gets its own >> client_id and client_secret, or the developer uses some tool (part of >> their build process, a software publication process, a self-service >> portal) to register the client. While the first use case is the original >> driver, several people wanted to make sure that this other use case >> wasn't inadvertently written out. > Makes sense to me. Maybe you just want to provide that piece of > background to the figure. Makes sense -- it's in the introductory text but it might not have been propagated through. > >> >>> - Section 2 >>> >>> What exactly does this sentence mean? >>> >>> " >>> Authorization servers MUST accept all fields in this list. >>> " >>> >>> I believe I cannot mean that the authorization server supports all >>> mechanisms. >> All I was trying to say was that the AS isn't allowed to crash if it >> sees a field in this list as part of the registration, to give us some >> kind of interoperability baseline. I am welcome to re-wording >> suggestions. The AS is free to ignore any field that it doesn't like, or >> reject a registration for a value that it doesn't like, or replace a >> value that it doesn't like with something that it does like and return >> that. We enumerate all of those cases separately, so perhaps this >> sentence isn't necessary any more. > Understood. > > To clarify the context one could write the following. > > " > Future extensions will extend the list of grant_types, and > response_types with new mechanisms. To avoid interoperability problems > authorization server MUST ignore values they do not understand. > > For instance, the [OAuth.Registration.Metadata] specification defines > additional client metadata values. A properly implemented authorization > server that does not understand any of the metadata values defined in > [OAuth.Registration.Metadata] sent by the client would ignore those. > " OK, we can work on that text. > >>> You write: >>> >>> " >>> Client metadata values can either be communicated directly in the >>> body of a registration request, as described in Section 4.1, or >>> included as claims in a software statement, as described in >>> Section 3. If the same client metadata name is present in both >>> locations, the value in the software statement SHOULD take >>> precedence. >>> " >>> >>> It might be worthwhile to note that the two options exist to allow (a) >>> the client to suggest values and (b) to have the organizing issuing the >>> software assertion to provide further values. >> It's actually the other way around -- the assertion if present defines a >> set of core values for a class of clients and the client suggests values >> on its own in the plain JSON. The vast majority of registrations will >> use only the JSON object, in my estimation. >> >>> Regarding the SHOULD in the last sentence I guess it might make more >>> sense to just say that it is deployment dependent what policy is used. >> The idea here is that the software statement, if present and trusted, >> should really take precedence since it's cryptographically protected and >> the plain JSON isn't. > Reasonable thought. Maybe turn the SHOULD into a MUST? > The challenge with the SHOULD is always to explain when it shouldn't be > done. I'll let the proponents of including the software statement in the core chime in on that one. > > >>> - Section 2.1 >>> >>> You write: >>> >>> " >>> As such, a server supporting these fields >>> SHOULD take steps to ensure that a client cannot register itself into >>> an inconsistent state. >>> " >>> >>> Any guidance on how the authorization server would do that? >> Either return an error ("invalid_client_metadata") or replace the values >> with sane defaults. Probably the former for most servers. Should we >> state this? > Might be a useful addition for someone implementing the spec to know > what to do. > > I didn't know what to do when reading that sentence. I think we can do that with a small example, something like: As such, a server supporting these fields SHOULD take steps to ensure that a client cannot register itself into an inconsistent state. For instance, returning an "invalid_client_metadata" error if a client tries to register for the "code" response type and the "implicit" grant type. > >>> - Section 3 >>> >>> I don't understand this sentence: >>> >>> " >>> In some cases, authorization servers MAY choose to accept a software >>> statement value directly as a Client ID in an authorization request, >>> without a prior dynamic client registration having been performed. >>> " >>> >>> Does this mean that the client id is the software statement or that the >>> software statement is embedded in the client id or something else? >> The idea here is that the software statement itself would be the >> client_id, but the details of such usage are outside the scope of >> dynamic registration (since it's not really registration at that point, >> but a stateless client identifier). > If the software statement is the client_id then would you only send the > software statement but no client_id in the message? > You'd send the whole software statement as the client_id, in the client_id field. There would need to be another draft to describe how to do that interoperably, and I think John was looking to put that out sometime. This statement as I understand it is more of a pointing toward another use case that's outside the scope of dynamic registration (and in fact can be an alternative to dynamic registration for some use cases). >>> - Section 4 >>> >>> The story around the initial access token is a bit strange. Here is the >>> text: >>> >>> The client registration endpoint MAY be an OAuth 2.0 protected >>> resource and accept an initial access token in the form of an OAuth >>> 2.0 [RFC6749] access token to limit registration to only previously >>> authorized parties. The method by which the initial access token is >>> obtained by the registrant is generally out-of-band and is out of >>> scope for this specification. The method by which the initial access >>> token is verified and validated by the client registration endpoint >>> is out of scope for this specification. >>> >>> >>> First, the term 'registrant' is used here for the first time. Then, it >>> is outside the scope of how the client got this initial access token. >>> Normally for access tokens the client does not have to care about the >>> content and does not verify anything but here the last sentence hints to >>> the verification (although it is outside the scope of how it is used). >> The client doesn't verify the token, the client registration endpoint >> verifies it. It's a vanilla OAuth token. > Read that incorrectly. Thanks for the clarification! > >>> I am curious whether the software assertion could actually be re-use >>> here in case the unauthorized use of the registration by clients is a >>> concern!? >> This is exactly what BlueButton+ does: the software statement equivalent >> is presented as the initial access token. I personally think that this >> makes a lot more sense, but some folks wanted to be able to separate >> these two things, so that the authority to register with a server is >> differentiable from the fixed registration parameters. Also, you don't >> want to define the initial access token to *always* be a software >> statement, since it could just represent authorization to call the >> registration endpoint with no other strings attached. > I would like to see some text (from some of the proponents of this > two-token idea) where it would make sense to have these two tokens. > Sounds quite complex to me, particularly when there are a lot of > "out-of-scope" statements. > > We don't want to get to a model where the client does not have the > client_id configured and then needs to use the dynamic client > registration protocol to subsequently require even more information to > get registered.... > >>> - Section 4.2 >>> >>> You write: >>> >>> " >>> This client identifier MUST be >>> unique at the server and MUST NOT be in use by any other client. >>> " >>> >>> This is a bit unclear given the text you provide in the subsequent >>> section, Section 5.1. >>> You write: >>> >>> " >>> client_id REQUIRED. Unique client identifier. It MUST NOT be >>> currently valid for any other distinct registered client. It MAY >>> be the same as the Client ID value used by other instances of this >>> client, provided that the Redirection URI values and potentially >>> other values dictated by authorization server policy are the same >>> for all instances. >>> " >> Those are still inconsistent and I'm not positive where we came down on >> that issue -- I personally don't like the idea of re-using client_ids >> for different instances of the client (I see it causing nothing but >> trouble down the line), but there was a push to relax that. Can someone >> who wanted this comment on its utility? >> >>> You write: >>> >>> " >>> If a software statement was used as part of the registration, its >>> value SHOULD be returned in the response and its value MUST be >>> returned if the authorization server supports registration management >>> operations [OAuth.Registration.Management] that would require its >>> presence in subsequent operations. >>> " >>> >>> I am not sure I understand that. Are you saying that the software >>> assertion is returned in the response from the authorization server to >>> the client? Why is that? >> It is effectively part of the client's registration metadata and should >> be returned as-is. If the client is going to be doing management, it >> needs to be able to post that back to the server again as part of its >> update and the server needs to be able to check against it. What we >> really don't want is the registration endpoint to generate a new >> software statement as part of the registration response. > But the client had that data in the first place and so it is a waste of > bandwidth to return the same data back to him again (maybe even twice -- > once in the software assertion and then separately as meta-data). Maybe we should instead prohibit what we really *don't* want instead of trying to say what we do, since the former is more narrowly defined? > >>> - References >>> >>> I believe you should delete the dependency on the registration >>> management specification. >> This makes sense if the operations can be completely insular and we >> don't need any forward references as to why to do certain things. It >> would be easy to build a registration endpoint that precludes any kind >> of management/lifecycle API, and we want to avoid that in the design of >> the core protocol. I think we've successfully done that, but if it makes >> it cleaner to remove the references and just state how to do things, I >> don't see why not. >> > I am just saying it because of the way how the discussions at the last > IETF meeting went and creating these dependencies could lead to a > problem with progressing this spec. > >> Thanks for the thorough review. > No problem - I am here to help. > > > Ciao > Hannes > >> -- Justin >> >>> Ciao >>> Hannes >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth From nobody Thu Apr 24 06:51:57 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C22EE1A0232 for ; Thu, 24 Apr 2014 06:51:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.472 X-Spam-Level: X-Spam-Status: No, score=-4.472 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mWq-UzWpTvYA for ; Thu, 24 Apr 2014 06:51:49 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 570F81A01E3 for ; Thu, 24 Apr 2014 06:51:49 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 47A3D2260071; Thu, 24 Apr 2014 09:51:43 -0400 (EDT) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 3304E2260070; Thu, 24 Apr 2014 09:51:43 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 24 Apr 2014 09:51:42 -0400 Message-ID: <535916C7.6000900@mitre.org> Date: Thu, 24 Apr 2014 09:51:03 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hannes Tschofenig , "oauth@ietf.org" References: <5358110C.9020503@gmx.net> <535821A9.8020503@mitre.org> <5358D42C.3000803@gmx.net> In-Reply-To: <5358D42C.3000803@gmx.net> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/8Rh1YZccRDOFYcc05LvSLGBrnKw Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-metadata-00 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 13:51:53 -0000 On 04/24/2014 05:06 AM, Hannes Tschofenig wrote: > Hi Justin, > > thanks again for the quick response. > > A few notes below. > > > On 04/23/2014 10:25 PM, Justin Richer wrote: >> Thank you for the review, responses inline (and this draft still needs >> to be factored back into the main one): >> >> On 04/23/2014 03:14 PM, Hannes Tschofenig wrote: >>> Hi all, >>> >>> I read through the document as part of my shepherding task; it is nicely >>> written and easy to understand. >>> >>> I only have a few minor suggestions: >>> >>> * client_uri: URL of the homepage of the client. >>> >>> Would it be better to say that this is the URI provides further >>> information about the client software (provided by the client software >>> developer)? >> I personally think "homepage" is a clear designator of that, but would >> not be adverse to extending the definition somewhat. >> >>> * logo_uri: The value of this field MUST point to a valid image file. >>> >>> Would it make sense to provide a type field here as well, such as in >>> HTML (e.g., type="image/png")? >> Unless we're going to allow the client to register and manage multiple >> images (please, no), then we shouldn't go out of our way to store >> mimetypes. This is a URL to be fetched and/or stored -- its content >> doesn't much matter. >> >>> * contacts: Would these email addresses be in the format of >>> mailto:user@example.com or would you just use joe@example.com? >>> I am asking because with the URI scheme one could potentially provide >>> other contact information here as well, such as XMPP URIs or so. >> I think you could do either, but what I've seen deployed is the non-URI >> version of joe@example.com. I think it would make sense for it to be >> listed as not just email addresses but also other contact URIs -- >> however, I don't think it's particularly useful to devolve into a full >> contact record. It should be simple and actionable by a person, and >> email fits that bill (as well as XMPP might, arguably). > Maybe you want to say that this is a list of email addresses without the > mailto URI scheme prefix. I am just seeing others putting all sorts of > different stuff in there and expect it to work. From what I've seen, it's meant to be a human-facing string. So we should either call it a plain text string that MAY be an email address or other contact URI, or a formatted string with a particular format such as email without the mailto: scheme. I would lean toward the former and wash our hands of it. If people want a structured contact thing, people can standardize around an extension on a new metadata field. > > >>> * policy_uri: Would it be better to call this a privacy notice rather >>> than policy document? >>> Here is a short description what a privacy notice is: >>> https://www.privacyassociation.org/resource_center/privacy_glossary/privacy_notice >> I would think that policy document is a superset of privacy notice, right? > I am not sure what a policy document is. > > When you register your application with Facebook then you have to > provide a link to your privacy notice. That made sense to me given the > nature of the data sharing that is going on. > >>> * jwks_uri: The text provides little information about how this element >>> is used. I believe that this is an alternative way of using the PoP >>> architecture, where the client registers keys with the authorization >>> server that can then be tied to access tokens. Right? I could add some >>> text in the PoP overview document to explain this and maybe you could >>> include a reference to the PoP document (as an informative reference, >>> for example). >> The text states that this is there for the use of higher level >> protocols. Several of which (including OIDC and BB+, not to mention more >> advanced token types and client authentication methods) have a need to >> tie a key to a client. This, and the proposed jwks value, provide a hook >> for that kind of stuff. > It is difficult to describe the semantic if it is not further explained > how it is supposed to be used. Is this field used in OpenID Connect? Yes, it's used in OpenID Connect and other protocols that add key-related stuff on top of it. > > Ciao > hannes > > >> -- Justin >> >>> Ciao >>> Hannes >>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth From nobody Thu Apr 24 06:56:59 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01DAB1A0232 for ; Thu, 24 Apr 2014 06:56:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.471 X-Spam-Level: X-Spam-Status: No, score=-4.471 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y9Vsl_dzAOyz for ; Thu, 24 Apr 2014 06:56:49 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 99B7D1A0248 for ; Thu, 24 Apr 2014 06:56:49 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 854821F0899; Thu, 24 Apr 2014 09:56:43 -0400 (EDT) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 6CD711F0898; Thu, 24 Apr 2014 09:56:43 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 24 Apr 2014 09:56:43 -0400 Message-ID: <535917F4.1040909@mitre.org> Date: Thu, 24 Apr 2014 09:56:04 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell , Hannes Tschofenig References: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> <5357EF2E.1020503@mitre.org> <5358D4B2.1070500@gmx.net> In-Reply-To: Content-Type: multipart/alternative; boundary="------------070106080304050709060509" X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/suBa_ih80IMdiXO9rFEG9N7am3M Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 13:56:53 -0000 --------------070106080304050709060509 Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 7bit This is the intent of my draft (and results of my implementation), and if the WG ever picks up token introspection as a work item then we can make sure it says that. -- Justin On 04/24/2014 08:44 AM, Brian Campbell wrote: > Perhaps it'd be more appropriate for this introspection endpoint to > say that it accepts the same client authentication mechanisms as the > token endpoint rather than describing specific methods itself in the > document? > > > On Thu, Apr 24, 2014 at 3:09 AM, Hannes Tschofenig > > wrote: > > Hi Brian, > > does it sound reasonable for you to add text to the token > introspection > endpoint regarding the use of the JWT bearer assertion for the token > introspection endpoint? > > Ciao > Hannes > > On 04/24/2014 12:58 AM, Brian Campbell wrote: > > Just to pile on here - the Assertions draft(s) do define client > > assertion authentication only for the token endpoint (and > register token > > endpoint parameters). But it certainly doesn't preclude it from > being > > profiled for use elsewhere. > > > > FWIW we used the token endpoint in our implementation of token > > introspection/validation partly because all supported forms of > client > > authentication come along for free by doing so. My esteemed > colleague, > > Dr. Paul Madsen, posted a rough draft of what we've implemented in > > product a while back: > > http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html > > > > > > On Wed, Apr 23, 2014 at 10:49 AM, Justin Richer > > > >> wrote: > > > > For introspection, we really just wanted to say "you can > > authenticate the caller (client or RP) just like you would > to the > > token endpoint". So if you've got the means to do that with the > > assertion draft or with client secrets or TLS certs or anything > > else, go for it. I would not read the text of the assertions > draft > > as restricting this other use case. > > > > -- Justin > > > > > > On 04/23/2014 12:42 PM, Mike Jones wrote: > > > > The assertions draft is only trying to describe how to > perform > > assertion-based authentication at the Token Endpoint. Other > > drafts, such as the introspection draft, could > explicitly say > > that this can also be done in the same manner there, but > that's > > an extension, and should be specified by the extension > draft, if > > appropriate - not in the assertions draft. > > > > Justin may have more to say about the applicability or > lack of > > it to the introspection draft, but I'm personally not > familiar > > with it. > > > > -- Mike > > > > -----Original Message----- > > From: OAuth [mailto:oauth-bounces@ietf.org > > > >__] On Behalf Of Hannes Tschofenig > > Sent: Wednesday, April 23, 2014 5:09 AM > > To: oauth@ietf.org > > > > Subject: [OAUTH-WG] Assertions: Client authentication for > > non-token endpoints? > > > > Hi all, > > > > in a discussion about re-using the client authentication > part of > > the assertion framework for other specifications > currently in > > progress I ran into the following question: > > > > Section 6.1 of > > http://tools.ietf.org/html/__draft-ietf-oauth-assertions-15 > > > > talks about the client using the assertion with the **token > > endpoint**. > > > > Now, it appears that one cannot use the client > authentication > > with other endpoints, such as the introspection endpoint > defined in > > > http://tools.ietf.org/html/__draft-richer-oauth-__introspection-04#section-2 > > > > > > > Am I reading too much into Section 6.1 of the assertion > draft? > > > > Ciao > > Hannes > > > > _________________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > > https://www.ietf.org/mailman/__listinfo/oauth > > > > > > > > _________________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > > https://www.ietf.org/mailman/__listinfo/oauth > > > > > > > > --------------070106080304050709060509 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: 8bit This is the intent of my draft (and results of my implementation), and if the WG ever picks up token introspection as a work item then we can make sure it says that.

 -- Justin

On 04/24/2014 08:44 AM, Brian Campbell wrote:
Perhaps it'd be more appropriate for this introspection endpoint to say that it accepts the same client authentication mechanisms as the token endpoint rather than describing specific methods itself in the document?


On Thu, Apr 24, 2014 at 3:09 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
Hi Brian,

does it sound reasonable for you to add text to the token introspection
endpoint regarding the use of the JWT bearer assertion for the token
introspection endpoint?

Ciao
Hannes

On 04/24/2014 12:58 AM, Brian Campbell wrote:
> Just to pile on here - the Assertions draft(s) do define client
> assertion authentication only for the token endpoint (and register token
> endpoint parameters). But it certainly doesn't preclude it from being
> profiled for use elsewhere.
>
> FWIW we used the token endpoint in our implementation of token
> introspection/validation partly because all supported forms of client
> authentication come along for free by doing so. My esteemed colleague,
> Dr. Paul Madsen, posted a rough draft of what we've implemented in
> product a while back:
> http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html
>
>
> On Wed, Apr 23, 2014 at 10:49 AM, Justin Richer <jricher@mitre.org
> <mailto:jricher@mitre.org>> wrote:
>
>     For introspection, we really just wanted to say "you can
>     authenticate the caller (client or RP) just like you would to the
>     token endpoint". So if you've got the means to do that with the
>     assertion draft or with client secrets or TLS certs or anything
>     else, go for it. I would not read the text of the assertions draft
>     as restricting this other use case.
>
>      -- Justin
>
>
>     On 04/23/2014 12:42 PM, Mike Jones wrote:
>
>         The assertions draft is only trying to describe how to perform
>         assertion-based authentication at the Token Endpoint.  Other
>         drafts, such as the introspection draft, could explicitly say
>         that this can also be done in the same manner there, but that's
>         an extension, and should be specified by the extension draft, if
>         appropriate - not in the assertions draft.
>
>         Justin may have more to say about the applicability or lack of
>         it to the introspection draft, but I'm personally not familiar
>         with it.
>
>                                         -- Mike
>
>         -----Original Message-----
>         From: OAuth [mailto:oauth-bounces@ietf.org
>         <mailto:oauth-bounces@ietf.org>__] On Behalf Of Hannes Tschofenig
>         Sent: Wednesday, April 23, 2014 5:09 AM
>         To: oauth@ietf.org <mailto:oauth@ietf.org>
>         Subject: [OAUTH-WG] Assertions: Client authentication for
>         non-token endpoints?
>
>         Hi all,
>
>         in a discussion about re-using the client authentication part of
>         the assertion framework for other specifications currently in
>         progress I ran into the following question:
>
>         Section 6.1 of
>         http://tools.ietf.org/html/__draft-ietf-oauth-assertions-15
>         <http://tools.ietf.org/html/draft-ietf-oauth-assertions-15>
>         talks about the client using the assertion with the **token
>         endpoint**.
>
>         Now, it appears that one cannot use the client authentication
>         with other endpoints, such as the introspection endpoint defined in
>         http://tools.ietf.org/html/__draft-richer-oauth-__introspection-04#section-2
>         <http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2>
>
>         Am I reading too much into Section 6.1 of the assertion draft?
>
>         Ciao
>         Hannes
>
>         _________________________________________________
>         OAuth mailing list
>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>         https://www.ietf.org/mailman/__listinfo/oauth
>         <https://www.ietf.org/mailman/listinfo/oauth>
>
>
>     _________________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/__listinfo/oauth
>     <https://www.ietf.org/mailman/listinfo/oauth>
>
>



--------------070106080304050709060509-- From nobody Thu Apr 24 08:14:34 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64CD91A03AB for ; Thu, 24 Apr 2014 08:14:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S6jo-cQ4nBHt for ; Thu, 24 Apr 2014 08:14:29 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0181.outbound.protection.outlook.com [207.46.163.181]) by ietfa.amsl.com (Postfix) with ESMTP id 0C97F1A02C1 for ; Thu, 24 Apr 2014 08:14:28 -0700 (PDT) Received: from BL2PR04MB849.namprd04.prod.outlook.com (10.242.197.139) by BL2PR04MB018.namprd04.prod.outlook.com (10.255.228.14) with Microsoft SMTP Server (TLS) id 15.0.929.12; Thu, 24 Apr 2014 15:14:21 +0000 Received: from DM2PR04CA008.namprd04.prod.outlook.com (10.141.96.18) by BL2PR04MB849.namprd04.prod.outlook.com (10.242.197.139) with Microsoft SMTP Server (TLS) id 15.0.921.12; Thu, 24 Apr 2014 15:14:18 +0000 Received: from BY2FFO11FD056.protection.gbl (2a01:111:f400:7c0c::190) by DM2PR04CA008.outlook.office365.com (2a01:111:e400:2428::18) with Microsoft SMTP Server (TLS) id 15.0.921.12 via Frontend Transport; Thu, 24 Apr 2014 15:14:18 +0000 Received: from il06msg02.am.mot-solutions.com (129.188.136.18) by BY2FFO11FD056.mail.protection.outlook.com (10.1.15.193) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Thu, 24 Apr 2014 15:14:18 +0000 Received: from il06msg02.am.mot-solutions.com (il06vts01.mot.com [129.188.137.141]) by il06msg02.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id s3OFEEQl021117 for ; Thu, 24 Apr 2014 11:14:14 -0400 (EDT) Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0239.outbound.protection.outlook.com [207.46.163.239]) by il06msg02.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id s3OFEDV7021109 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for ; Thu, 24 Apr 2014 11:14:14 -0400 (EDT) Received: from DM2PR04MB735.namprd04.prod.outlook.com (10.141.177.17) by DM2PR04MB735.namprd04.prod.outlook.com (10.141.177.17) with Microsoft SMTP Server (TLS) id 15.0.921.12; Thu, 24 Apr 2014 15:14:11 +0000 Received: from DM2PR04MB735.namprd04.prod.outlook.com ([10.141.177.17]) by DM2PR04MB735.namprd04.prod.outlook.com ([10.141.177.17]) with mapi id 15.00.0921.000; Thu, 24 Apr 2014 15:14:11 +0000 From: Lewis Adam-CAL022 To: "oauth@ietf.org" Thread-Topic: HOTK/POP/etc drafts Thread-Index: Ac9fz9dNWc6zm844Req5Ldez4lT55w== Date: Thu, 24 Apr 2014 15:14:10 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [150.130.21.204] x-forefront-prvs: 01917B1794 X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(428001)(189002)(199002)(79102001)(18717965001)(2656002)(76482001)(87936001)(46102001)(92566001)(86362001)(74316001)(4396001)(81342001)(19300405004)(77982001)(19609705001)(81542001)(20776003)(15975445006)(85852003)(33646001)(80976001)(16236675002)(54356999)(76576001)(74662001)(66066001)(19580395003)(83322001)(50986999)(77096999)(31966008)(15202345003)(99286001)(74502001)(80022001)(99396002)(83072002)(87944003)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM2PR04MB735; H:DM2PR04MB735.namprd04.prod.outlook.com; FPR:B856C27E.A511CFCA.79E4B6C1.44E95CE8.20107; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; Received-SPF: Pass (: domain of motorolasolutions.com designates 129.188.136.18 as permitted sender) receiver=; client-ip=129.188.136.18; helo=il06msg02.am.mot-solutions.com; Content-Type: multipart/alternative; boundary="_000_a5902fbd6bf44b5bb03d9ebf6da0bc33DM2PR04MB735namprd04pro_" MIME-Version: 1.0 X-CFilter-Loop: Reflected X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:129.188.136.18; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(189002)(199002)(81542001)(99396002)(79102001)(512954002)(77982001)(81342001)(44976005)(99286001)(66066001)(80022001)(76482001)(83322001)(86362001)(19580395003)(18717965001)(71186001)(2009001)(15975445006)(46102001)(4396001)(97736001)(20776003)(74316001)(19300405004)(74502001)(76576001)(84326002)(2656002)(54356999)(77096999)(74662001)(33646001)(6806004)(84676001)(85852003)(31966008)(83072002)(80976001)(15202345003)(50986999)(92566001)(16236675002)(87936001)(87944003)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR04MB849; H:il06msg02.am.mot-solutions.com; FPR:B856C27E.A511CFCA.79E4B6C1.44E95CE8.20107; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-Forefront-PRVS: 01917B1794 X-OriginatorOrg: motorolasolutions.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/CONU_vcWs0EnJIbqxRRyWZcjlE0 Subject: [OAUTH-WG] HOTK/POP/etc drafts X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 15:14:31 -0000 --_000_a5902fbd6bf44b5bb03d9ebf6da0bc33DM2PR04MB735namprd04pro_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi, Lots of crypto drafts on OAuth popping up that I need to come up to speed o= n. draft-bradley-oauth-pop-key-distribution-00 draft-hunt-oauth-pop-architecture-00 draft-jones-oauth-proof-of-possession-00 draft-sakimura-oauth-rjwtprof-01 draft-sakimura-oauth-tcse-03 draft-tschofenig-oauth-hotk-03 Glad to see all the work, but is there a preferred reading order here? Whi= ch ones build on each other vs. which ones are out there on their own? -adam --_000_a5902fbd6bf44b5bb03d9ebf6da0bc33DM2PR04MB735namprd04pro_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi,

 

Lots of crypto drafts on OAuth popping up that I nee= d to come up to speed on.

draft-bradley-oauth-pop-key-distribution-= 00

draft-hunt-oauth-pop-architecture-00

draft-jones-oauth-proof-of-possession-00=

draft-sakimura-oauth-rjwtprof-01

draft-sakimura-oauth-tcse-03

draft-tschofenig-oauth-hotk-03

 

Glad to see all the work, but is there a preferred r= eading order here?  Which ones build on each other vs. which ones are = out there on their own?

 

 

-adam

--_000_a5902fbd6bf44b5bb03d9ebf6da0bc33DM2PR04MB735namprd04pro_-- From nobody Thu Apr 24 09:02:46 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6C1C1A02C8 for ; Thu, 24 Apr 2014 09:02:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z28SmwjXC47Y for ; Thu, 24 Apr 2014 09:02:42 -0700 (PDT) Received: from mail-qg0-f43.google.com (mail-qg0-f43.google.com [209.85.192.43]) by ietfa.amsl.com (Postfix) with ESMTP id 5606A1A02AD for ; Thu, 24 Apr 2014 09:02:42 -0700 (PDT) Received: by mail-qg0-f43.google.com with SMTP id a108so2710714qge.16 for ; Thu, 24 Apr 2014 09:02:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=N4wY9RD/E4m5GeN0nt5WvKFzWFTlpWZWuI0ftTlX5hY=; b=Cr4k+SRZ+6JNhmHFtMxx8hIXJMngHgThNVNgAovxOP3O8JMqvUaXALLIx3IqUEebN0 VvdHwzGyU7MPiE3b59NNfr2X1JpQRymEAMgIdYkbu8cvZZjTgM0c5djbTcjThZU1NUo8 3UTRxmy34rkdiOfwxGhuRCvrnu1AyOHqRPaE9mU49wVTkOUdAN7x4PxVkYuVOVEUUSY8 MX3a4HeSQ+eozeO8dlZMiXH9fkbRZsTJSk116py/3SbssC0kp/XnFjvyuH1hPiEDmrGL oIx5yK6Maw/7q5NdjpO2UpkHFGMIZMwJyOEVqQ5S66pBrk4UFZhrBHxpMK9x+V4bPS9C /8Zg== X-Gm-Message-State: ALoCoQmQhIu0Lp1NiDcj0gi5xSJbXf5hdlR/Qn64AZk8qL+E062lRVGn3eZnJT8uOwWXaGwBlone X-Received: by 10.224.79.72 with SMTP id o8mr4095797qak.20.1398355356060; Thu, 24 Apr 2014 09:02:36 -0700 (PDT) Received: from [192.168.0.200] ([201.188.36.226]) by mx.google.com with ESMTPSA id p9sm8611703qai.22.2014.04.24.09.02.27 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 24 Apr 2014 09:02:29 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_30DF6E1B-063B-406B-B2CE-C9AF45233730" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: Date: Thu, 24 Apr 2014 13:02:24 -0300 Message-Id: <27146759-DA4D-43CF-BA37-CE5C35B29AF1@ve7jtb.com> References: To: Adam Lewis X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/BZPA2Q1-D11jtUy8s1vRXxVA08s Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] HOTK/POP/etc drafts X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 16:02:44 -0000 --Apple-Mail=_30DF6E1B-063B-406B-B2CE-C9AF45233730 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii The overview document is draft-hunt-oauth-pop-architecture-00 For the client requesting POP tokens and key = draft-bradley-oauth-pop-key-distribution For how to include the proof key info in a JWT (more generic than just = access tokens) draft-jones-oauth-proof-of-possession The draft-sakimura-oauth-tcse spec is older and is about symmetric proof = keys for code when using public clients, and not directly related to the = new docs. The draft-tschofenig-oauth-hotk is how to use the pop AT at the RS. It = needs some updating to align with draft-jones-oauth-proof-of-possession = but is the general idea. I am going to do a version of draft-sakimura-oauth-tcse using asymmetric = proof keys for discussion on how you could start with a public client = generating a key-pair and tying the public key to code, refresh and = access tokens.=20 > draft-sakimura-oauth-rjwtprof was a discussion document for the WG. These are all independent drafts at the moment. The WG will look at = them and decide how it wants to proceed with WG drafts, that may or may = not be based on these. We are still trying to decide what sort of sausage to make. John B. On Apr 24, 2014, at 12:14 PM, Lewis Adam-CAL022 = wrote: > Hi, > =20 > Lots of crypto drafts on OAuth popping up that I need to come up to = speed on. > draft-bradley-oauth-pop-key-distribution-00 > draft-hunt-oauth-pop-architecture-00 > draft-jones-oauth-proof-of-possession-00 > draft-sakimura-oauth-rjwtprof-01 > draft-sakimura-oauth-tcse-03 > draft-tschofenig-oauth-hotk-03 > =20 > Glad to see all the work, but is there a preferred reading order here? = Which ones build on each other vs. which ones are out there on their = own? > =20 > =20 > -adam > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_30DF6E1B-063B-406B-B2CE-C9AF45233730 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii The = overview document is draft-hunt-oauth-pop-architecture-00

For = the client requesting POP tokens and key draft-bradley-oauth-pop-key-distribution

=
For how to include the proof key info in a JWT (more generic than = just access tokens) draft-jones-oauth-proof-of-possession

The draft-sakimura-oauth-tcse spec is older and is about = symmetric proof keys for code when using public clients, and not = directly related to the new docs.

The draft-tschofenig-oauth-hotk is how to use the pop AT = at the RS.  It needs some updating to align with  draft-jones-oauth-proof-of-possession but is the = general idea.

I am going to do a version = of draft-sakimura-oauth-tcse using asymmetric proof keys = for discussion on how you could start with a public client generating a = key-pair and tying the public key to code, refresh and access = tokens. 

draft-sakimura-oauth-rjwtprof was a = discussion document for the = WG.

These are all = independent drafts at the moment.  The WG will look at them and = decide how it wants to proceed with WG drafts, that may or may not be = based on these.

We are still trying to decide = what sort of sausage to make.

John = B.


On Apr 24, 2014, at 12:14 PM, Lewis = Adam-CAL022 <Adam.Lewis@motorolasoluti= ons.com> wrote:

Hi,
 
Lots of = crypto drafts on OAuth popping up that I need to come up to speed = on.
 
Glad = to see all the work, but is there a preferred reading order here?  = Which ones build on each other vs. which ones are out there on their = own?
 
 
-adam
_________________________________= ______________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

= --Apple-Mail=_30DF6E1B-063B-406B-B2CE-C9AF45233730-- From ashakirin@talend.com Thu Apr 24 09:39:55 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A65EF1A037A for ; Thu, 24 Apr 2014 09:39:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.002 X-Spam-Level: X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9s80zjTccYv0 for ; Thu, 24 Apr 2014 09:39:54 -0700 (PDT) Received: from mxout.myoutlookonline.com (mxout.myoutlookonline.com [74.201.97.202]) by ietfa.amsl.com (Postfix) with ESMTP id DCDDB1A01E1 for ; Thu, 24 Apr 2014 09:39:53 -0700 (PDT) Received: from mxout.myoutlookonline.com (localhost [127.0.0.1]) by mxout.myoutlookonline.com (Postfix) with ESMTP id B92457B355D for ; Thu, 24 Apr 2014 12:39:46 -0400 (EDT) X-Virus-Scanned: by SpamTitan at mail.lan Received: from S10HUB001.SH10.lan (unknown [10.110.2.1]) by mxout.myoutlookonline.com (Postfix) with ESMTP id 140E17B336E for ; Thu, 24 Apr 2014 12:39:46 -0400 (EDT) Received: from S10BE002.SH10.lan ([::1]) by S10HUB001.SH10.lan ([::1]) with mapi id 14.01.0438.000; Thu, 24 Apr 2014 12:39:46 -0400 From: Andrei Shakirin To: "oauth@ietf.org" Thread-Topic: Session cookies in OAuth2 flow Thread-Index: Ac9f1m601wyijPx7QUKZAdgpumsSsw== Date: Thu, 24 Apr 2014 16:39:45 +0000 Message-ID: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [95.91.233.206] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/YaB1YYYkG7GB0wneohxQh_WkONo Subject: [OAUTH-WG] Session cookies in OAuth2 flow X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 16:41:43 -0000 Hi, My name is Andrei Shakirin, I am working with OAuth2 implementation in Apac= he CXF project. Could you please help me to verify my understanding regarding of using sess= ion cookies in OAuth2 flow. OAuth2 specification mentions session cookies in: 1) Section 3.1. Authorization Endpoint as possible way to authenticate reso= urce owner against authorization server 2) Section 10.12. Cross-Site Request Forgery as possible attack where end-u= ser follows a malicious URI to a trusting server including a valid session = cookie My current understanding is: a) using sessions between user-agent and authorization server is optional a= nd authorization server is not obligated to keep user state (in case if use= r-agent provide authentication information with every request). b) in case if sessions are used (because of any reasons), authorization ser= ver have to care about additional protection like hidden form fields in ord= er to uniquely identify the actual authorization request. Is this correct? Regards, Andrei. From nobody Thu Apr 24 09:43:57 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 692C51A037A for ; Thu, 24 Apr 2014 09:43:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BLSEUyRASmd6 for ; Thu, 24 Apr 2014 09:43:53 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id CC8801A03BD for ; Thu, 24 Apr 2014 09:43:52 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M1AIu-1Wsxmu33mq-00t9XP; Thu, 24 Apr 2014 18:43:40 +0200 Message-ID: <53593E65.5020903@gmx.net> Date: Thu, 24 Apr 2014 18:40:05 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Lewis Adam-CAL022 , "oauth@ietf.org" References: In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="EqnU6g1a1XXGlMPNBemVudMsAj8ep24Ec" X-Provags-ID: V03:K0:or7YkdI7PgBZeVaHDHgrFu8W7YNAdJqCHTU//aFpFgdSRv9/+LE h4SCb93L4xljaLsAyuPQrRcn2I0IiKnXD47qhgB6uekZDNFDaQo4u5gpgvU5DmIFtvDzNwE 8M3466UaMiFnOm5/N53osUmWwRyb1ak0SG0x2VKTJT6YRGIpNKlzf2X7fJvtvB+AVTlwl9Y aGmw72YoEoyIgfAdnT9ow== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/kc21NQfUAljBCe9m70YAxP7Doa4 Subject: Re: [OAUTH-WG] HOTK/POP/etc drafts X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 16:43:55 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --EqnU6g1a1XXGlMPNBemVudMsAj8ep24Ec Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Lewis, good that you ask. In the London IETF meeting we have proposed a plan on how to proceed with the proof-of-possession (PoP) work. John had already explained that the main document is draft-hunt-oauth-pop-architecture-00. It pains the big picture and points to the relevant documents, in particular to a) draft-bradley-oauth-pop-key-distribution b) draft-jones-oauth-proof-of-possession c) a not-yet-published HTTP signature mechanism. (a) explains how the client obtains keys from the authorization server. (b) describes a mechanism for binding a key to the access token. (c) illustrates the procedure for the client to interact with the resource server (based on the PoP mechanism). These documents replace prior work on draft-ietf-oauth-v2-http-mac-05 and draft-tschofenig-oauth-hotk-03. We are getting closer to have all relevant parts published. Ciao Hannes On 04/24/2014 05:14 PM, Lewis Adam-CAL022 wrote: > Hi, >=20 > =20 >=20 > Lots of crypto drafts on OAuth popping up that I need to come up to > speed on. >=20 > draft-bradley-oauth-pop-key-distribution-00 > >=20 > draft-hunt-oauth-pop-architecture-00 > >=20 > draft-jones-oauth-proof-of-possession-00 > >=20 > draft-sakimura-oauth-rjwtprof-01 > >=20 > draft-sakimura-oauth-tcse-03 > >=20 > draft-tschofenig-oauth-hotk-03 > >=20 > =20 >=20 > Glad to see all the work, but is there a preferred reading order here? = > Which ones build on each other vs. which ones are out there on their ow= n? >=20 > =20 >=20 > =20 >=20 > -adam >=20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 --EqnU6g1a1XXGlMPNBemVudMsAj8ep24Ec Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWT5lAAoJEGhJURNOOiAt9pUH/jjICPICgmIM43wa1tEzCBU2 ZZD/0AFlkoRdr2yLKdGrYFnV3iZ8SBX2tM6pbuE75DBsO3wn3OpG/1rrsl2QG/5A i9UkJhv2eh1WqeKW8LwTIJ/caxTW++ZahMT9eVLEQVfhAlY7wlgJpbzmIT9qELmd Eqe+NPXkwJEq52/V95mdeadts2e6gfkygz2ci+Hxs4c1xF4GFTc8BoXJI7yW4oyz 9BXUU2ArIvyyS56VWRGiFQb51SRk6nkFg49i92sEs3kPWAOvfAqnjvwSc0TX7ild joW9u1bm9YaxBjFgpzvPh7wLH891qNCduJRTX2o1HnDlj+2ONPjXASImjgS+fOU= =IhRh -----END PGP SIGNATURE----- --EqnU6g1a1XXGlMPNBemVudMsAj8ep24Ec-- From nobody Thu Apr 24 12:46:15 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B41181A037A for ; Thu, 24 Apr 2014 12:46:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oTUrwYvOyy61 for ; Thu, 24 Apr 2014 12:46:08 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 054831A0383 for ; Thu, 24 Apr 2014 12:46:08 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MJWAZ-1WbTmm2RuV-0037Lk; Thu, 24 Apr 2014 21:45:59 +0200 Message-ID: <5359691E.5000807@gmx.net> Date: Thu, 24 Apr 2014 21:42:22 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Lewis Adam-CAL022 , "oauth@ietf.org" References: <53593E65.5020903@gmx.net> In-Reply-To: <53593E65.5020903@gmx.net> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="V2ifseBb6lkdE75Ce7efEa4pkUmospnaw" X-Provags-ID: V03:K0:ePcXPrwjUkQjlvovikurcaiP+lAzBj9VJqoklrrtm1PTbTt23gZ yfcB65k973xEcJkuIfp8p78Pmbcx6mZcBKjGn16SyM9uO3w4e5NECNK4TJ9tL7murA+mIU3 /YA8V7vJQi9kJ4oKN21imj6hZpk/Sej0FDo3JekeY5PIfZidA3DHpg0JR5LeYhv2rBE3AXS c6NWDibUA5f7EpT2z5ZQA== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/74h_31izoavoRB5Ng09str5NbOA Subject: Re: [OAUTH-WG] HOTK/POP/etc drafts X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 19:46:11 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --V2ifseBb6lkdE75Ce7efEa4pkUmospnaw Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Btw, the HTTP signature mechanism now also got published as http://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01 I think we now have a pretty good collection of documents to look at. Ciao Hannes On 04/24/2014 06:40 PM, Hannes Tschofenig wrote: > Hi Lewis, >=20 > good that you ask. >=20 > In the London IETF meeting we have proposed a plan on how to proceed > with the proof-of-possession (PoP) work. >=20 > John had already explained that the main document is > draft-hunt-oauth-pop-architecture-00. It pains the big picture and > points to the relevant documents, in particular to > a) draft-bradley-oauth-pop-key-distribution > b) draft-jones-oauth-proof-of-possession > c) a not-yet-published HTTP signature mechanism. >=20 > (a) explains how the client obtains keys from the authorization server.= > (b) describes a mechanism for binding a key to the access token. > (c) illustrates the procedure for the client to interact with the > resource server (based on the PoP mechanism). >=20 > These documents replace prior work on draft-ietf-oauth-v2-http-mac-05 > and draft-tschofenig-oauth-hotk-03. >=20 > We are getting closer to have all relevant parts published. >=20 > Ciao > Hannes >=20 > On 04/24/2014 05:14 PM, Lewis Adam-CAL022 wrote: >> Hi, >> >> =20 >> >> Lots of crypto drafts on OAuth popping up that I need to come up to >> speed on. >> >> draft-bradley-oauth-pop-key-distribution-00 >> >> >> draft-hunt-oauth-pop-architecture-00 >> >> >> draft-jones-oauth-proof-of-possession-00 >> >> >> draft-sakimura-oauth-rjwtprof-01 >> >> >> draft-sakimura-oauth-tcse-03 >> >> >> draft-tschofenig-oauth-hotk-03 >> >> >> =20 >> >> Glad to see all the work, but is there a preferred reading order here?= =20 >> Which ones build on each other vs. which ones are out there on their o= wn? >> >> =20 >> >> =20 >> >> -adam >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >=20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 --V2ifseBb6lkdE75Ce7efEa4pkUmospnaw Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWWkfAAoJEGhJURNOOiAtz9sH/jFCwZEJ5KC8TUjeeVvRraMD aX6SkVPK6xZZJW0qbZ5Nz2Kd//e5LQ8KKZY2er3cZ8OrEcfS3IULqKmnu5DmQC1y B6l4yC3Q8fkuqsIyGHbTiSLd0HxQsX2Mu6Yw1pKiGrCHZDBWfbO7O5n8u5+IFa3N xglFSCEPVh+X0TJUZHpx8aja3TbCGKpDgM16E336knp8jjo1kc07tLiZr1xjH8PX M3DO+VWeRyMJgR3krLvHe7wiPKOQ8svFvYVxxJnCEn4OyJpsZaN6YJATwf1d9/Ww vkQP7fDxro1nhbfSAyKG0N24jaIkuERe3Vzw3AdG+zkRqNBzwh90zRnxlvjT4pI= =/PI/ -----END PGP SIGNATURE----- --V2ifseBb6lkdE75Ce7efEa4pkUmospnaw-- From nobody Thu Apr 24 14:42:34 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B3551A03F5 for ; Thu, 24 Apr 2014 14:42:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJ72QivwyZoK for ; Thu, 24 Apr 2014 14:42:20 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id 7CD171A03EF for ; Thu, 24 Apr 2014 14:42:20 -0700 (PDT) Received: from BY2PR03CA075.namprd03.prod.outlook.com (10.141.249.48) by BY2PR03MB025.namprd03.prod.outlook.com (10.255.240.39) with Microsoft SMTP Server (TLS) id 15.0.934.12; Thu, 24 Apr 2014 21:42:12 +0000 Received: from BN1AFFO11FD013.protection.gbl (2a01:111:f400:7c10::184) by BY2PR03CA075.outlook.office365.com (2a01:111:e400:2c5d::48) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Thu, 24 Apr 2014 21:42:12 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD013.mail.protection.outlook.com (10.58.52.73) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Thu, 24 Apr 2014 21:42:11 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.03.0181.007; Thu, 24 Apr 2014 21:41:40 +0000 From: Mike Jones To: Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-token-19 Thread-Index: Ac9fEZKCDboZV7WmRDqDYDMAE4ic1QAiYecAABqJgEA= Date: Thu, 24 Apr 2014 21:41:40 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A194BB5@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <4E1F6AAD24975D4BA5B16804296739439A191D83@TK5EX14MBXC288.redmond.corp.microsoft.com> <5358D1C6.1080807@gmx.net> In-Reply-To: <5358D1C6.1080807@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.36] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(24454002)(13464003)(377454003)(479174003)(189002)(199002)(52604005)(51704005)(51444003)(164054003)(15202345003)(92566001)(92726001)(86362001)(80022001)(66066001)(33656001)(23726002)(15975445006)(97736001)(50466002)(99396002)(97756001)(86612001)(80976001)(46406003)(81342001)(81542001)(20776003)(47776003)(79102001)(6806004)(19580405001)(19580395003)(44976005)(46102001)(83322001)(76482001)(83072002)(74502001)(76176999)(84676001)(2009001)(54356999)(74662001)(50986999)(31966008)(4396001)(85852003)(87936001)(77982001)(55846006)(2656002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB025; H:mail.microsoft.com; FPR:; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01917B1794 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/7Pex558h2jIHXvhac2u37VPJYgw Subject: Re: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-token-19 X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 21:42:23 -0000 For what it's worth, the JOSE documents such as http://tools.ietf.org/html/= draft-ietf-jose-json-web-signature-25 also include the ECMAScript reference= for the same reason as JWT does and Karen's shepherd write-up at http://da= tatracker.ietf.org/doc/draft-ietf-jose-json-web-signature/shepherdwriteup/ = doesn't list it as a down-reference. I think that it shouldn't be list as = a downref for JWT, because it's a reference to a related standard - not a r= eference to a standard that was obsoleted by any RFC, including not being o= bsoleted by RFC 7159. -- Mike -----Original Message----- From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]=20 Sent: Thursday, April 24, 2014 1:57 AM To: Mike Jones; oauth@ietf.org Subject: Re: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web= -token-19 Thanks, Mike. Leave the ECMAScript reference in the document. I indicated it as a DOWNREF= in the my shepherd write-up and that should be fine. Ciao Hannes On 04/23/2014 06:32 PM, Mike Jones wrote: > Replies inline... >=20 > =20 >=20 > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes=20 > Tschofenig > Sent: Wednesday, April 23, 2014 4:49 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] Minor questions regarding > draft-ietf-oauth-json-web-token-19 >=20 > =20 >=20 > Doing my shepherd write-up I had a few minor questions: >=20 > =20 >=20 > * Could you move the RFC 6755 reference to the normative reference=20 > section? Reason: the IANA consideration section depends on the=20 > existence of the urn:ietf:params:oauth registry. >=20 > =20 >=20 > OK >=20 > =20 >=20 > * Could you move the JWK reference to the informative reference section? >=20 > Reason: The JWK is only used in an example and not essential to the=20 > implementation or understanding of the specification. >=20 > =20 >=20 > OK >=20 > =20 >=20 > * Would it be sufficient to reference RFC 7159 instead of the=20 > [ECMAScript] reference? >=20 > =20 >=20 > No. There's no equivalent to Section 15.12 of ECMAScript about the=20 > lexically last member name to reference in RFC 7159. See the usage in=20 > the first paragraph of=20 > http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-4. >=20 > =20 >=20 > * The document registers 'urn:ietf:params:oauth:token-type' and it is=20 > used in the "type" header parameter. >=20 > =20 >=20 > The text, however, states that the value can also be set to jwt. Why=20 > would someone prefer to use urn:ietf:params:oauth:token-type instead=20 > of the much shorter jwt value? >=20 > =20 >=20 > There are use cases, such as using JWTs as tokens in WS-Trust, where a=20 > URI is needed. >=20 > =20 >=20 > Ciao >=20 > Hannes >=20 > =20 >=20 > Thanks for doing this. >=20 > =20 >=20 > -- Mike >=20 > =20 >=20 From nobody Thu Apr 24 15:33:24 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6B1D1A0412 for ; Thu, 24 Apr 2014 15:33:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gvhLAOxTtWRZ for ; Thu, 24 Apr 2014 15:33:16 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0145.outbound.protection.outlook.com [207.46.163.145]) by ietfa.amsl.com (Postfix) with ESMTP id 51E5A1A0406 for ; Thu, 24 Apr 2014 15:33:15 -0700 (PDT) Received: from BY2PR03CA061.namprd03.prod.outlook.com (10.141.249.34) by BY2PR03MB026.namprd03.prod.outlook.com (10.255.240.40) with Microsoft SMTP Server (TLS) id 15.0.934.12; Thu, 24 Apr 2014 22:33:06 +0000 Received: from BN1AFFO11FD010.protection.gbl (2a01:111:f400:7c10::152) by BY2PR03CA061.outlook.office365.com (2a01:111:e400:2c5d::34) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Thu, 24 Apr 2014 22:33:06 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD010.mail.protection.outlook.com (10.58.52.70) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Thu, 24 Apr 2014 22:33:06 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0174.002; Thu, 24 Apr 2014 22:32:20 +0000 From: Mike Jones To: Hannes Tschofenig , Brian Campbell Thread-Topic: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd Write-up Thread-Index: AQHPXuuAbJx37+xreUSkSd/lWmnNa5sfzeGAgACM/ICAAPt4oA== Date: Thu, 24 Apr 2014 22:32:20 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A194E11@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <5357AA4C.8080707@gmx.net> <5358B907.3030905@gmx.net> In-Reply-To: <5358B907.3030905@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.36] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A194E11TK5EX14MBXC288r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(189002)(199002)(51704005)(24454002)(13464003)(479174003)(377454003)(52604005)(53754006)(43784003)(164054003)(86612001)(92726001)(33656001)(97736001)(80976001)(92566001)(50986999)(99396002)(66066001)(512874002)(54356999)(15975445006)(15202345003)(83322001)(77982001)(76176999)(20776003)(16236675002)(80022001)(15395725003)(6806004)(19300405004)(4396001)(87936001)(44976005)(85852003)(76482001)(83072002)(55846006)(84676001)(81542001)(71186001)(19580405001)(46102001)(19580395003)(2009001)(31966008)(79102001)(84326002)(81342001)(2656002)(86362001)(74502001)(74662001)(15398625002)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB026; H:mail.microsoft.com; FPR:; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01917B1794 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/T6cC1fjPITStc-DoanhmTKC9szQ Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 22:33:21 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A194E11TK5EX14MBXC288r_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VGhhbmtzIGZvciBkb2luZyB0aGlzLCBIYW5uZXMuICBJIHdvdWxkIHN1Z2dlc3QgbWFraW5nIHRo ZSBmb2xsb3dpbmcgY2hhbmdlcy4uLg0KDQoNCg0KQ2hhbmdlIOKAnEl0IGFsbG93cyBPQXV0aCBk ZXBsb3ltZW50cyB0byB1c2UgYSBzdGFuZGFyZGl6ZWQgYWNjZXNzIHRva2VuIGZvcm1hdCwgd2hp Y2ggaW5jcmVhc2VzIGludGVyb3BlcmFiaWxpdHkgb2YgT0F1dGgtYmFzZWQgZGVwbG95bWVudHPi gJ0gdG8g4oCcSXQgZGVmaW5lcyBhIHN0YW5kYXJkIEpTT04tYmFzZWQgc2VjdXJpdHkgdG9rZW4g Zm9ybWF0LCBpbmNyZWFzaW5nIGludGVyb3BlcmFiaWxpdHkgYm90aCBhbW9uZyBPQXV0aCBkZXBs b3ltZW50cyB1c2luZyBpdCBhbmQgaW4gb3RoZXIgYXBwbGljYXRpb24gY29udGV4dHMgYXMgd2Vs bOKAnS4NCg0KDQoNCkkgd291bGQgY2hhbmdlIGh0dHA6Ly9vcGVuaWQubmV0L2RldmVsb3BlcnMv bGlicmFyaWVzLyB0byBodHRwOi8vb3BlbmlkLm5ldC9kZXZlbG9wZXJzL2xpYnJhcmllcy8jand0 IChhZGRpbmcgdGhlICNqd3QgdGFyZ2V0IHdpdGhpbiB0aGUgcGFnZSkuDQoNCg0KDQpJIHdvdWxk IGNoYW5nZSDigJxUaGUgZHJhZnQgYXV0aG9ycyBiZWxpZXZlIHRoYXQgdGhpcyBkb2N1bWVudCBp cyByZWFkeSBmb3IgcHVibGljYXRpb27igJ0gdG8g4oCcVGhlIGRvY3VtZW50IGlzIHJlYWR5IGZv ciBwdWJsaWNhdGlvbuKAnS4NCg0KDQoNCkkgd291bGQgY2hhbmdlIHRoZSBhbnN3ZXIgdG8gKDE1 KSB0byBzYXkgbm90aGluZyBhYm91dCBFQ01BU2NyaXB0LCBzaW5jZSBpdCBpcyBub3QgYSBkb3du cmVmLCBhbmQgdG8gb25seSBzYXkg4oCcUkZDIDY3NTUgaXMgYSBkb3ducmVmLCBzaW5jZSA2NzU1 IGlzIGluZm9ybWF0aW9uYWwu4oCdDQoNCg0KDQpJIHdvdWxkIGNoYW5nZSDigJxUaGUgZG9jdW1l bnQgc2hlcGhlcmQgdm9sdW50ZWVycyB0byBiZWNvbWUgYW4gZXhwZXJ0IHJldmlld+KAnSB0byB0 aGUgZm9sbG93aW5nOg0KDQoNCg0KVGhlIGRvY3VtZW50IHNoZXBoZXJkIGFuZCB0aGUgYXV0aG9y IE1pY2hhZWwgSm9uZXMgYm90aCB2b2x1bnRlZXIgdG8gYmVjb21lIGV4cGVydCByZXZpZXdlcnMu ICBOb3RlIHRoYXQgdGhlIGRvY3VtZW50IHJlY29tbWVuZHMgdGhhdCBtdWx0aXBsZSBleHBlcnQg cmV2aWV3ZXJzIGJlIGFwcG9pbnRlZCwgd2l0aCB0aGUgZm9sbG93aW5nIHRleHQgKHdoaWNoIGFs c28gYXBwZWFycyBpbiB0aGUgSk9TRSBkb2N1bWVudHMpOg0KDQogICBJdCBpcyBzdWdnZXN0ZWQg dGhhdCBtdWx0aXBsZSBEZXNpZ25hdGVkIEV4cGVydHMgYmUgYXBwb2ludGVkIHdobyBhcmUNCiAg IGFibGUgdG8gcmVwcmVzZW50IHRoZSBwZXJzcGVjdGl2ZXMgb2YgZGlmZmVyZW50IGFwcGxpY2F0 aW9ucyB1c2luZw0KICAgdGhpcyBzcGVjaWZpY2F0aW9uLCBpbiBvcmRlciB0byBlbmFibGUgYnJv YWRseS1pbmZvcm1lZCByZXZpZXcgb2YNCiAgIHJlZ2lzdHJhdGlvbiBkZWNpc2lvbnMuICBJbiBj YXNlcyB3aGVyZSBhIHJlZ2lzdHJhdGlvbiBkZWNpc2lvbiBjb3VsZA0KICAgYmUgcGVyY2VpdmVk IGFzIGNyZWF0aW5nIGEgY29uZmxpY3Qgb2YgaW50ZXJlc3QgZm9yIGEgcGFydGljdWxhcg0KICAg RXhwZXJ0LCB0aGF0IEV4cGVydCBzaG91bGQgZGVmZXIgdG8gdGhlIGp1ZGdtZW50IG9mIHRoZSBv dGhlcg0KICAgRXhwZXJ0KHMpLg0KDQoNCg0KSSB3b3VsZCBjaGFuZ2Ug4oCcVGhlIGRvY3VtZW50 IHNoZXBoZXJkIGhhcyByZXZpZXdlZCB0aG9zZSBleGFtcGxlcyBidXQgaGFzIG5vdCB2ZXJpZmll ZCB0aGUgY29ycmVjdG5lc3Mgb2YgdGhlIGNyeXB0b2dyYXBoaWMgb3BlcmF0aW9uc+KAnSB0byDi gJxUaGUgZG9jdW1lbnQgc2hlcGhlcmQgaGFzIHJldmlld2VkIHRob3NlIGV4YW1wbGVzIGJ1dCBo YXMgbm90IHZlcmlmaWVkIHRoZSBjb3JyZWN0bmVzcyBvZiB0aGUgY3J5cHRvZ3JhcGhpYyBvcGVy YXRpb25zLCBob3dldmVyIEJyaWFuIENhbXBiZWxsIGhhcyBkb25lIHNv4oCdLg0KDQoNCg0KVGhh bmtzIGFnYWluIGZvciBtb3ZpbmcgdGhpcyBmb3J3YXJkIQ0KDQoNCg0KICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLS0gTWlrZQ0KDQoN Cg0KLS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS0NCkZyb206IE9BdXRoIFttYWlsdG86b2F1dGgt Ym91bmNlc0BpZXRmLm9yZ10gT24gQmVoYWxmIE9mIEhhbm5lcyBUc2Nob2ZlbmlnDQpTZW50OiBU aHVyc2RheSwgQXByaWwgMjQsIDIwMTQgMTI6MTEgQU0NClRvOiBCcmlhbiBDYW1wYmVsbA0KQ2M6 IG9hdXRoQGlldGYub3JnDQpTdWJqZWN0OiBSZTogW09BVVRILVdHXSBkcmFmdC1pZXRmLW9hdXRo LWpzb24td2ViLXRva2VuLTE5IFNoZXBoZXJkIFdyaXRlLXVwDQoNCg0KDQpUaGFua3MsIEJyaWFu LiBJIHdpbGwgYWRkIHRoaXMgYXNwZWN0IHRvIHRoZSB3cml0ZS11cC4NCg0KDQoNCk9uIDA0LzI0 LzIwMTQgMTI6NDYgQU0sIEJyaWFuIENhbXBiZWxsIHdyb3RlOg0KDQo+IFdoaWxlIE9BdXRoIGFj Y2VzcyB0b2tlbnMgYXJlIGEgdmFsdWFibGUgYXBwbGljYXRpb24gb2YgSldULCBtaWdodCBpdA0K DQo+IGFsc28gYmUgd29ydGh3aGlsZSB0byBtZW50aW9uIHRoYXQgSldUIGNhbiBhbmQgd2lsbCBi ZSB1c2VmdWwgaW4gb3RoZXINCg0KPiBjb250ZXh0cz8gQ29ubmVjdCdzIElEIFRva2VuIGlzIG9u ZSBzdWNoIGV4YW1wbGU6DQoNCj4gaHR0cDovL29wZW5pZC5uZXQvc3BlY3Mvb3BlbmlkLWNvbm5l Y3QtY29yZS0xXzAuaHRtbCNJRFRva2VuDQoNCj4NCg0KPg0KDQo+IE9uIFdlZCwgQXByIDIzLCAy MDE0IGF0IDU6NTUgQU0sIEhhbm5lcyBUc2Nob2ZlbmlnDQoNCj4gPGhhbm5lcy50c2Nob2Zlbmln QGdteC5uZXQgPG1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0Pj4gd3JvdGU6DQoNCj4N Cg0KPiAgICAgSGkgYWxsLA0KDQo+DQoNCj4gICAgIEkgYW0gd29ya2luZyBvbiB0aGUgc2hlcGhl cmQgd3JpdGV1cCBmb3IgdGhlIEpXVC4gSGVyZSBhcmUgYSBmZXcNCg0KPiAgICAgcXVlc3Rpb25z Og0KDQo+DQoNCj4gICAgIC0gVG8gdGhlIGRvY3VtZW50IGF1dGhvcnM6IFBsZWFzZSBjb25maXJt IHRoYXQgYW55IGFuZCBhbGwgYXBwcm9wcmlhdGUNCg0KPiAgICAgSVBSIGRpc2Nsb3N1cmVzIHJl cXVpcmVkIGZvciBmdWxsIGNvbmZvcm1hbmNlIHdpdGggdGhlIHByb3Zpc2lvbnMgb2YgQkNQDQoN Cj4gICAgIDc4IGFuZCBCQ1AgNzkgaGF2ZSBhbHJlYWR5IGJlZW4gZmlsZWQuDQoNCj4NCg0KPiAg ICAgLSBUbyBhbGw6IEkgaGF2ZSBpbmNsdWRlZCB2YXJpb3VzIHBvaW50ZXJzIHRvIGltcGxlbWVu dGF0aW9ucyBpbiB0aGUNCg0KPiAgICAgd3JpdGUtdXAuIE1heWJlIHRoZXJlIGFyZSBvdGhlcnMg dGhhdCBzaG91bGQgYmUgaW5jbHVkZWQuIElmIHNvLCBwbGVhc2UNCg0KPiAgICAgbGV0IG1lIGtu b3cuDQoNCj4NCg0KPiAgICAgLSBUbyBhbGw6IFBsZWFzZSBhbHNvIGdvIHRocm91Z2ggdGhlIHRl eHQgdG8gbWFrZSBzdXJlIHRoYXQgSSBjb3JyZWN0bHkNCg0KPiAgICAgcmVmbGVjdCB0aGUgaGlz dG9yeSBhbmQgdGhlIHN0YXR1cyBvZiB0aGlzIGRvY3VtZW50Lg0KDQo+DQoNCj4gICAgIEhlcmUg aXMgdGhlIGxhdGVzdCB2ZXJzaW9uIG9mIHRoZSB3cml0ZS11cDoNCg0KPg0KDQo+IGh0dHBzOi8v cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9oYW5uZXN0c2Nob2ZlbmlnL3RzY2hvZmVuaWctaWRz L21hc3QNCg0KPiBlci9zaGVwaGVyZC13cml0ZXVwcy9Xcml0ZXVwX09BdXRoX0pXVC50eHQNCg0K Pg0KDQo+ICAgICBDaWFvDQoNCj4gICAgIEhhbm5lcw0KDQo+DQoNCj4gICAgIFBTOiBIZXJlIGlz IHRoZSBjb3B5LWFuZC1wYXN0ZSB0ZXh0Og0KDQo+DQoNCj4gICAgIC0tLS0tLS0tDQoNCj4NCg0K PiAgICAgV3JpdGV1cCBmb3IgIkpTT04gV2ViIFRva2VuIChKV1QpIg0KDQo+IDxkcmFmdC1pZXRm LW9hdXRoLWpzb24td2ViLXRva2VuLTE5Pg0KDQo+DQoNCj4gICAgICgxKSBXaGF0IHR5cGUgb2Yg UkZDIGlzIGJlaW5nIHJlcXVlc3RlZCAoQkNQLCBQcm9wb3NlZCBTdGFuZGFyZCwNCg0KPiAgICAg SW50ZXJuZXQgU3RhbmRhcmQsIEluZm9ybWF0aW9uYWwsIEV4cGVyaW1lbnRhbCwgb3IgSGlzdG9y aWMpPyBXaHkgaXMNCg0KPiAgICAgdGhpcyB0aGUgcHJvcGVyIHR5cGUgb2YgUkZDPyBJcyB0aGlz IHR5cGUgb2YgUkZDIGluZGljYXRlZCBpbiB0aGUgdGl0bGUNCg0KPiAgICAgcGFnZSBoZWFkZXI/ DQoNCj4NCg0KPiAgICAgVGhlIFJGQyB0eXBlIGlzICdTdGFuZGFyZHMgVHJhY2snIGFuZCB0aGUg dHlwZSBpcyBpbmRpY2F0ZWQgaW4gdGhlIHRpdGxlDQoNCj4gICAgIHBhZ2UuIFRoaXMgZG9jdW1l bnQgZGVmaW5lcyB0aGUgc3ludGF4IGFuZCBzZW1hbnRpYyBvZiBpbmZvcm1hdGlvbg0KDQo+ICAg ICBlbGVtZW50cy4NCg0KPg0KDQo+ICAgICAoMikgVGhlIElFU0cgYXBwcm92YWwgYW5ub3VuY2Vt ZW50IGluY2x1ZGVzIGEgRG9jdW1lbnQgQW5ub3VuY2VtZW50DQoNCj4gICAgIFdyaXRlLVVwLiBQ bGVhc2UgcHJvdmlkZSBzdWNoIGEgRG9jdW1lbnQgQW5ub3VuY2VtZW50IFdyaXRlLVVwLiBSZWNl bnQNCg0KPiAgICAgZXhhbXBsZXMgY2FuIGJlIGZvdW5kIGluIHRoZSAiQWN0aW9uIiBhbm5vdW5j ZW1lbnRzIGZvciBhcHByb3ZlZA0KDQo+ICAgICBkb2N1bWVudHMuIFRoZSBhcHByb3ZhbCBhbm5v dW5jZW1lbnQgY29udGFpbnMgdGhlIGZvbGxvd2luZyBzZWN0aW9uczoNCg0KPg0KDQo+ICAgICBU ZWNobmljYWwgU3VtbWFyeToNCg0KPg0KDQo+ICAgICAgICBKU09OIFdlYiBUb2tlbiAoSldUKSBp cyBhIGNvbXBhY3QgVVJMLXNhZmUgbWVhbnMgb2YgcmVwcmVzZW50aW5nDQoNCj4gICAgICAgIGNs YWltcyB0byBiZSB0cmFuc2ZlcnJlZCBiZXR3ZWVuIHR3byBwYXJ0aWVzLiAgVGhlIGNsYWltcyBp biBhIEpXVA0KDQo+ICAgICAgICBhcmUgZW5jb2RlZCBhcyBhIEphdmFTY3JpcHQgT2JqZWN0IE5v dGF0aW9uIChKU09OKSBvYmplY3QgdGhhdCBpcw0KDQo+ICAgICAgICB1c2VkIGFzIHRoZSBwYXls b2FkIG9mIGEgSlNPTiBXZWIgU2lnbmF0dXJlIChKV1MpIHN0cnVjdHVyZSBvciBhcyB0aGUNCg0K PiAgICAgICAgcGxhaW50ZXh0IG9mIGEgSlNPTiBXZWIgRW5jcnlwdGlvbiAoSldFKSBzdHJ1Y3R1 cmUsIGVuYWJsaW5nIHRoZQ0KDQo+ICAgICAgICBjbGFpbXMgdG8gYmUgZGlnaXRhbGx5IHNpZ25l ZCBvciBNQUNlZCBhbmQvb3IgZW5jcnlwdGVkLg0KDQo+DQoNCj4gICAgIFdvcmtpbmcgR3JvdXAg U3VtbWFyeToNCg0KPg0KDQo+ICAgICBXYXMgdGhlcmUgYW55dGhpbmcgaW4gV0cgcHJvY2VzcyB0 aGF0IGlzIHdvcnRoIG5vdGluZz8gRm9yIGV4YW1wbGUsIHdhcw0KDQo+ICAgICB0aGVyZSBjb250 cm92ZXJzeSBhYm91dCBwYXJ0aWN1bGFyIHBvaW50cyBvciB3ZXJlIHRoZXJlIGRlY2lzaW9ucyB3 aGVyZQ0KDQo+ICAgICB0aGUgY29uc2Vuc3VzIHdhcyBwYXJ0aWN1bGFybHkgcm91Z2g/DQoNCj4N Cg0KPiAgICAgVGhpcyBkb2N1bWVudCB3YXMgdW5jb250cm92ZXJzaWFsLiBJdCBhbGxvd3MgT0F1 dGggZGVwbG95bWVudHMgdG8gdXNlIGENCg0KPiAgICAgc3RhbmRhcmRpemVkIGFjY2VzcyB0b2tl biBmb3JtYXQsIHdoaWNoIGluY3JlYXNlcyBpbnRlcm9wZXJhYmlsaXR5IG9mDQoNCj4gICAgIE9B dXRoLWJhc2VkIGRlcGxveW1lbnRzLg0KDQo+DQoNCj4gICAgIERvY3VtZW50IFF1YWxpdHk6DQoN Cj4NCg0KPiAgICAgVGhpcyBkb2N1bWVudCBoYXMgZ29uZSB0aHJvdWdoIG1hbnkgaXRlcmF0aW9u cyBhbmQgaGFzIHJlY2VpdmVkDQoNCj4gICAgIHN1YnN0YW50aWFsIGZlZWRiYWNrLg0KDQo+DQoN Cj4gICAgIEEgc3Vic3RhbnRpYWwgbnVtYmVyIG9mIGltcGxlbWVudGF0aW9ucyBleGlzdCwgYXMg ZG9jdW1lbnRlZCBhdA0KDQo+ICAgICBodHRwOi8vb3BlbmlkLm5ldC9kZXZlbG9wZXJzL2xpYnJh cmllcy8NCg0KPiAgICAgKHNjcm93bCBkb3duIHRvIHRoZSAnSldUL0pXUy9KV0UvSldLL0pXQSBJ bXBsZW1lbnRhdGlvbnMnIHNlY3Rpb24pDQoNCj4NCg0KPiAgICAgQW4gRXhjZWwgZG9jdW1lbnQg cHJvdmlkaW5nIGFkZGl0aW9uYWwgZGV0YWlscyBjYW4gYmUgZm91bmQgaGVyZToNCg0KPg0KDQo+ IGh0dHA6Ly93d3cub2F1dGgtdjIub3JnL3dwLWNvbnRlbnQvdXBsb2Fkcy8yMDE0LzA0L0pXVC1J bXBsZW1lbnRhdGlvbnMNCg0KPiAueGxzeA0KDQo+DQoNCj4gICAgIFBlcnNvbm5lbDoNCg0KPg0K DQo+ICAgICBUaGUgZG9jdW1lbnQgc2hlcGhlcmQgaXMgSGFubmVzIFRzY2hvZmVuaWcgYW5kIHRo ZSByZXNwb25zaWJsZSBhcmVhDQoNCj4gICAgIGRpcmVjdG9yIGlzIEthdGhsZWVuIE1vcmlhcnR5 Lg0KDQo+DQoNCj4gICAgICgzKSBCcmllZmx5IGRlc2NyaWJlIHRoZSByZXZpZXcgb2YgdGhpcyBk b2N1bWVudCB0aGF0IHdhcyBwZXJmb3JtZWQgYnkNCg0KPiAgICAgdGhlIERvY3VtZW50IFNoZXBo ZXJkLiBJZiB0aGlzIHZlcnNpb24gb2YgdGhlIGRvY3VtZW50IGlzIG5vdCByZWFkeSBmb3INCg0K PiAgICAgcHVibGljYXRpb24sIHBsZWFzZSBleHBsYWluIHdoeSB0aGUgZG9jdW1lbnQgaXMgYmVp bmcgZm9yd2FyZGVkIHRvDQoNCj4gICAgIHRoZSBJRVNHLg0KDQo+DQoNCj4gICAgIFRoZSBkcmFm dCBhdXRob3JzIGJlbGlldmUgdGhhdCB0aGlzIGRvY3VtZW50IGlzIHJlYWR5IGZvciBwdWJsaWNh dGlvbi4NCg0KPiAgICAgVGhlIGRvY3VtZW50IGhhcyByZWNlaXZlZCByZXZpZXcgY29tbWVudHMg ZnJvbSB3b3JraW5nIGdyb3VwIG1lbWJlcnMsDQoNCj4gICAgIGFuZCBmcm9tIHRoZSBPQXV0aCB3 b3JraW5nIGdyb3VwIGNoYWlycy4gSW1wbGVtZW50YXRpb25zIGV4aXN0IGFuZCB0aGV5DQoNCj4g ICAgIGhhdmUgdGVzdGVkIGZvciBpbnRlcm9wZXJhYmlsaXR5IGFzIHBhcnQgb2YgdGhlIE9wZW5J RCBDb25uZWN0IGludGVyb3ANCg0KPiAgICAgZXZlbnRzLg0KDQo+DQoNCj4gICAgICg0KSBEb2Vz IHRoZSBkb2N1bWVudCBTaGVwaGVyZCBoYXZlIGFueSBjb25jZXJucyBhYm91dCB0aGUgZGVwdGgg b3INCg0KPiAgICAgYnJlYWR0aCBvZiB0aGUgcmV2aWV3cyB0aGF0IGhhdmUgYmVlbiBwZXJmb3Jt ZWQ/DQoNCj4NCg0KPiAgICAgVGhpcyBkb2N1bWVudCBoYXMgZ290dGVuIGVub3VnaCBmZWVkYmFj ayBmcm9tIHRoZSB3b3JraW5nIGdyb3VwLg0KDQo+DQoNCj4gICAgICg1KSBEbyBwb3J0aW9ucyBv ZiB0aGUgZG9jdW1lbnQgbmVlZCByZXZpZXcgZnJvbSBhIHBhcnRpY3VsYXIgb3IgZnJvbQ0KDQo+ ICAgICBicm9hZGVyIHBlcnNwZWN0aXZlLCBlLmcuLCBzZWN1cml0eSwgb3BlcmF0aW9uYWwgY29t cGxleGl0eSwgQUFBLCBETlMsDQoNCj4gICAgIERIQ1AsIFhNTCwgb3IgaW50ZXJuYXRpb25hbGl6 YXRpb24/IElmIHNvLCBkZXNjcmliZSB0aGUgcmV2aWV3IHRoYXQgdG9vaw0KDQo+ICAgICBwbGFj ZS4NCg0KPg0KDQo+ICAgICBTaW5jZSB0aGUgT0F1dGggd29ya2luZyBncm91cCBkZXZlbG9wcyBz ZWN1cml0eSBwcm90b2NvbHMgYW55IGZlZWRiYWNrDQoNCj4gICAgIGZyb20gdGhlIHNlY3VyaXR5 IGNvbW11bml0eSBpcyBhbHdheXMgYXBwcmVjaWF0ZWQuDQoNCj4gICAgIFRoZSBKV1QgZG9jdW1l bnQgaGVhdmlseSBkZXBlbmRzIG9uIHRoZSB3b3JrIGluIHRoZSBKT1NFIHdvcmtpbmcgZ3JvdXAN Cg0KPiAgICAgc2luY2UgaXQgcmUtdXNlcyB0aGUgSldFIGFuZCB0aGUgSldTIHNwZWNpZmljYXRp b25zLg0KDQo+DQoNCj4gICAgICg2KSBEZXNjcmliZSBhbnkgc3BlY2lmaWMgY29uY2VybnMgb3Ig aXNzdWVzIHRoYXQgdGhlIERvY3VtZW50IFNoZXBoZXJkDQoNCj4gICAgIGhhcyB3aXRoIHRoaXMg ZG9jdW1lbnQgdGhhdCB0aGUgUmVzcG9uc2libGUgQXJlYSBEaXJlY3RvciBhbmQvb3IgdGhlDQoN Cj4gICAgIElFU0cgc2hvdWxkIGJlIGF3YXJlIG9mPyBGb3IgZXhhbXBsZSwgcGVyaGFwcyBoZSBv ciBzaGUgaXMgdW5jb21mb3J0YWJsZQ0KDQo+ICAgICB3aXRoIGNlcnRhaW4gcGFydHMgb2YgdGhl IGRvY3VtZW50LCBvciBoYXMgY29uY2VybnMgd2hldGhlciB0aGVyZSByZWFsbHkNCg0KPiAgICAg aXMgYSBuZWVkIGZvciBpdC4gSW4gYW55IGV2ZW50LCBpZiB0aGUgV0cgaGFzIGRpc2N1c3NlZCB0 aG9zZSBpc3N1ZXMgYW5kDQoNCj4gICAgIGhhcyBpbmRpY2F0ZWQgdGhhdCBpdCBzdGlsbCB3aXNo ZXMgdG8gYWR2YW5jZSB0aGUgZG9jdW1lbnQsIGRldGFpbCB0aG9zZQ0KDQo+ICAgICBjb25jZXJu cyBoZXJlLg0KDQo+DQoNCj4gICAgIFRoZSBzaGVwaGVyZCBoYXMgbm8gY29uY2VybnMgd2l0aCB0 aGlzIGRvY3VtZW50Lg0KDQo+DQoNCj4gICAgICg3KSBIYXMgZWFjaCBhdXRob3IgY29uZmlybWVk IHRoYXQgYW55IGFuZCBhbGwgYXBwcm9wcmlhdGUgSVBSDQoNCj4gICAgIGRpc2Nsb3N1cmVzIHJl cXVpcmVkIGZvciBmdWxsIGNvbmZvcm1hbmNlIHdpdGggdGhlIHByb3Zpc2lvbnMgb2YgQkNQIDc4 DQoNCj4gICAgIGFuZCBCQ1AgNzkgaGF2ZSBhbHJlYWR5IGJlZW4gZmlsZWQuIElmIG5vdCwgZXhw bGFpbiB3aHk/DQoNCj4NCg0KPiAgICAgW1tDb25maXJtYXRpb24gZnJvbSB0aGUgYXV0aG9ycyBy ZXF1aXJlZC5dXQ0KDQo+DQoNCj4gICAgICg4KSBIYXMgYW4gSVBSIGRpc2Nsb3N1cmUgYmVlbiBm aWxlZCB0aGF0IHJlZmVyZW5jZXMgdGhpcyBkb2N1bWVudD8gSWYNCg0KPiAgICAgc28sIHN1bW1h cml6ZSBhbnkgV0cgZGlzY3Vzc2lvbiBhbmQgY29uY2x1c2lvbiByZWdhcmRpbmcgdGhlIElQUg0K DQo+ICAgICBkaXNjbG9zdXJlcy4NCg0KPg0KDQo+ICAgICBUd28gSVBScyBoYXZlIGJlZW4gZmls ZWQgZm9yIHRoZSBKV1Qgc3BlY2lmaWNhdGlvbiB0aGlzIGRvY3VtZW50IHJlbGllcw0KDQo+ICAg ICBvbiwgc2VlDQoNCj4NCg0KPiBodHRwOi8vZGF0YXRyYWNrZXIuaWV0Zi5vcmcvaXByL3NlYXJj aC8/b3B0aW9uPWRvY3VtZW50X3NlYXJjaCZpZD1kcmFmDQoNCj4gdC1pZXRmLW9hdXRoLWpzb24t d2ViLXRva2VuDQoNCj4NCg0KPg0KDQo+ICAgICBUaGVyZSB3YXMgbm8gZGlzY3Vzc2lvbiByZWdh cmRpbmcgdGhvc2UgdHdvIElQUnMgb24gdGhlIG1haWxpbmcgbGlzdC4NCg0KPg0KDQo+ICAgICAo OSkgSG93IHNvbGlkIGlzIHRoZSBXRyBjb25zZW5zdXMgYmVoaW5kIHRoaXMgZG9jdW1lbnQ/IERv ZXMgaXQNCg0KPiAgICAgcmVwcmVzZW50IHRoZSBzdHJvbmcgY29uY3VycmVuY2Ugb2YgYSBmZXcg aW5kaXZpZHVhbHMsIHdpdGggb3RoZXJzIGJlaW5nDQoNCj4gICAgIHNpbGVudCwgb3IgZG9lcyB0 aGUgV0cgYXMgYSB3aG9sZSB1bmRlcnN0YW5kIGFuZCBhZ3JlZSB3aXRoIGl0Pw0KDQo+DQoNCj4g ICAgIFRoZSB3b3JraW5nIGdyb3VwIGhhcyBjb25zZW5zdXMgdG8gcHVibGlzaCB0aGlzIGRvY3Vt ZW50Lg0KDQo+DQoNCj4gICAgICgxMCkgSGFzIGFueW9uZSB0aHJlYXRlbmVkIGFuIGFwcGVhbCBv ciBvdGhlcndpc2UgaW5kaWNhdGVkIGV4dHJlbWUNCg0KPiAgICAgZGlzY29udGVudD8gSWYgc28s IHBsZWFzZSBzdW1tYXJpc2UgdGhlIGFyZWFzIG9mIGNvbmZsaWN0IGluIHNlcGFyYXRlDQoNCj4g ICAgIGVtYWlsIG1lc3NhZ2VzIHRvIHRoZSBSZXNwb25zaWJsZSBBcmVhIERpcmVjdG9yLiAoSXQg c2hvdWxkIGJlIGluIGENCg0KPiAgICAgc2VwYXJhdGUgZW1haWwgYmVjYXVzZSB0aGlzIHF1ZXN0 aW9ubmFpcmUgaXMgcHVibGljbHkgYXZhaWxhYmxlLikNCg0KPg0KDQo+ICAgICBObyBhcHBlYWwg b3IgZXh0cmVtZSBkaXNjb250ZW50IGhhcyBiZWVuIHJhaXNlZC4NCg0KPg0KDQo+ICAgICAoMTEp IElkZW50aWZ5IGFueSBJRCBuaXRzIHRoZSBEb2N1bWVudCBTaGVwaGVyZCBoYXMgZm91bmQgaW4g dGhpcw0KDQo+ICAgICBkb2N1bWVudC4gKFNlZSBodHRwOi8vd3d3LmlldGYub3JnL3Rvb2xzL2lk bml0cy8gYW5kIHRoZSBJbnRlcm5ldC1EcmFmdHMNCg0KPiAgICAgQ2hlY2tsaXN0KS4gQm9pbGVy cGxhdGUgY2hlY2tzIGFyZSBub3QgZW5vdWdoOyB0aGlzIGNoZWNrIG5lZWRzIHRvIGJlDQoNCj4g ICAgIHRob3JvdWdoLg0KDQo+DQoNCj4gICAgIFRoZSBzaGVwaGVyZCBoYXMgY2hlY2tlZCB0aGUg bml0cy4gVGhlIHNoZXBoZXJkIGhhcyBub3QgdmVyaWZpZWQgdGhlDQoNCj4gICAgIGV4YW1wbGVz IGZvciBjb3JyZWN0bmVzcy4NCg0KPg0KDQo+ICAgICAoMTIpIERlc2NyaWJlIGhvdyB0aGUgZG9j dW1lbnQgbWVldHMgYW55IHJlcXVpcmVkIGZvcm1hbCByZXZpZXcNCg0KPiAgICAgY3JpdGVyaWEs IHN1Y2ggYXMgdGhlIE1JQiBEb2N0b3IsIG1lZGlhIHR5cGUsIGFuZCBVUkkgdHlwZSByZXZpZXdz Lg0KDQo+DQoNCj4gICAgIFRoZSBkb2N1bWVudCBkb2VzIG5vdCByZXF1aXJlIGEgZm9ybWFsIHJl dmlldyBldmVuIHRob3VnaCBpdCBjb250YWlucw0KDQo+ICAgICBKU09OLWJhc2VkIGV4YW1wbGVz Lg0KDQo+DQoNCj4gICAgICgxMykgSGF2ZSBhbGwgcmVmZXJlbmNlcyB3aXRoaW4gdGhpcyBkb2N1 bWVudCBiZWVuIGlkZW50aWZpZWQgYXMgZWl0aGVyDQoNCj4gICAgIG5vcm1hdGl2ZSBvciBpbmZv cm1hdGl2ZT8NCg0KPg0KDQo+ICAgICBZZXMuDQoNCj4NCg0KPiAgICAgKDE0KSBBcmUgdGhlcmUg bm9ybWF0aXZlIHJlZmVyZW5jZXMgdG8gZG9jdW1lbnRzIHRoYXQgYXJlIG5vdCByZWFkeSBmb3IN Cg0KPiAgICAgYWR2YW5jZW1lbnQgb3IgYXJlIG90aGVyd2lzZSBpbiBhbiB1bmNsZWFyIHN0YXRl PyBJZiBzdWNoIG5vcm1hdGl2ZQ0KDQo+ICAgICByZWZlcmVuY2VzIGV4aXN0LCB3aGF0IGlzIHRo ZSBwbGFuIGZvciB0aGVpciBjb21wbGV0aW9uPw0KDQo+DQoNCj4gICAgIFRoZXJlIGFyZSB2YXJp b3VzIEpPU0UgZG9jdW1lbnRzIHRoYXQgaGF2ZSBub3QgYmVlbiBwdWJsaXNoZWQgYXMgUkZDcw0K DQo+ICAgICB5ZXQuIEFzIHN1Y2gsIHRoaXMgZG9jdW1lbnQgY2Fubm90IGJlIHB1Ymxpc2hlZCBi ZWZvcmUgdGhlIHJlc3BlY3RpdmUNCg0KPiAgICAgSk9TRSBkb2N1bWVudHMgYXJlIGZpbmFsaXpl ZC4NCg0KPg0KDQo+ICAgICAoMTUpIEFyZSB0aGVyZSBkb3dud2FyZCBub3JtYXRpdmUgcmVmZXJl bmNlcyByZWZlcmVuY2VzIChzZWUgUkZDIDM5NjcpPw0KDQo+ICAgICBJZiBzbywgbGlzdCB0aGVz ZSBkb3dud2FyZCByZWZlcmVuY2VzIHRvIHN1cHBvcnQgdGhlIEFyZWEgRGlyZWN0b3IgaW4NCg0K PiAgICAgdGhlIExhc3QgQ2FsbCBwcm9jZWR1cmUuDQoNCj4NCg0KPiAgICAgVGhlIGRvY3VtZW50 IGNvbnRhaW5zIGEgcmVmZXJlbmNlIHRvDQoNCj4NCg0KPiAgICAgICAgW0VDTUFTY3JpcHRdDQoN Cj4gICAgICAgICAgICAgICAgICAgRWNtYSBJbnRlcm5hdGlvbmFsLCAiRUNNQVNjcmlwdCBMYW5n dWFnZSBTcGVjaWZpY2F0aW9uLA0KDQo+ICAgICAgICAgICAgICAgICAgIDUuMSBFZGl0aW9uIiwg RUNNQSAyNjIsIEp1bmUgMjAxMS4NCg0KPg0KDQo+ICAgICB3aGljaCBtaWdodCByZXF1aXJlIGEg ZG93bnJlZi4NCg0KPg0KDQo+ICAgICBSRkMgNjc1NSBpcyBhbHNvIGEgZG93bnJlZi4NCg0KPg0K DQo+DQoNCj4gICAgICgxNikgV2lsbCBwdWJsaWNhdGlvbiBvZiB0aGlzIGRvY3VtZW50IGNoYW5n ZSB0aGUgc3RhdHVzIG9mIGFueSBleGlzdGluZw0KDQo+ICAgICBSRkNzPyBBcmUgdGhvc2UgUkZD cyBsaXN0ZWQgb24gdGhlIHRpdGxlIHBhZ2UgaGVhZGVyLCBsaXN0ZWQgaW4gdGhlDQoNCj4gICAg IGFic3RyYWN0LCBhbmQgZGlzY3Vzc2VkIGluIHRoZSBpbnRyb2R1Y3Rpb24/IElmIHRoZSBSRkNz IGFyZSBub3QgbGlzdGVkDQoNCj4gICAgIGluIHRoZSBBYnN0cmFjdCBhbmQgSW50cm9kdWN0aW9u LCBleHBsYWluIHdoeSwgYW5kIHBvaW50IHRvIHRoZSBwYXJ0IG9mDQoNCj4gICAgIHRoZSBkb2N1 bWVudCB3aGVyZSB0aGUgcmVsYXRpb25zaGlwIG9mIHRoaXMgZG9jdW1lbnQgdG8gdGhlIG90aGVy IFJGQ3MNCg0KPiAgICAgaXMgZGlzY3Vzc2VkLiBJZiB0aGlzIGluZm9ybWF0aW9uIGlzIG5vdCBp biB0aGUgZG9jdW1lbnQsIGV4cGxhaW4gd2h5DQoNCj4gICAgIHRoZSBXRyBjb25zaWRlcnMgaXQg dW5uZWNlc3NhcnkuDQoNCj4NCg0KPiAgICAgVGhlIHB1YmxpY2F0aW9uIG9mIHRoaXMgZG9jdW1l bnQgZG9lcyBub3QgY2hhbmdlIHRoZSBzdGF0dXMgb2Ygb3RoZXINCg0KPiAgICAgUkZDcy4NCg0K Pg0KDQo+ICAgICAoMTcpIERlc2NyaWJlIHRoZSBEb2N1bWVudCBTaGVwaGVyZCdzIHJldmlldyBv ZiB0aGUgSUFOQSBjb25zaWRlcmF0aW9ucw0KDQo+ICAgICBzZWN0aW9uLCBlc3BlY2lhbGx5IHdp dGggcmVnYXJkIHRvIGl0cyBjb25zaXN0ZW5jeSB3aXRoIHRoZSBib2R5IG9mIHRoZQ0KDQo+ICAg ICBkb2N1bWVudC4gQ29uZmlybSB0aGF0IGFsbCBwcm90b2NvbCBleHRlbnNpb25zIHRoYXQgdGhl IGRvY3VtZW50IG1ha2VzDQoNCj4gICAgIGFyZSBhc3NvY2lhdGVkIHdpdGggdGhlIGFwcHJvcHJp YXRlIHJlc2VydmF0aW9ucyBpbiBJQU5BIHJlZ2lzdHJpZXMuDQoNCj4gICAgIENvbmZpcm0gdGhh dCBhbnkgcmVmZXJlbmNlZCBJQU5BIHJlZ2lzdHJpZXMgaGF2ZSBiZWVuIGNsZWFybHkNCg0KPiAg ICAgaWRlbnRpZmllZC4gQ29uZmlybSB0aGF0IG5ld2x5IGNyZWF0ZWQgSUFOQSByZWdpc3RyaWVz IGluY2x1ZGUgYQ0KDQo+ICAgICBkZXRhaWxlZCBzcGVjaWZpY2F0aW9uIG9mIHRoZSBpbml0aWFs IGNvbnRlbnRzIGZvciB0aGUgcmVnaXN0cnksIHRoYXQNCg0KPiAgICAgYWxsb2NhdGlvbnMgcHJv Y2VkdXJlcyBmb3IgZnV0dXJlIHJlZ2lzdHJhdGlvbnMgYXJlIGRlZmluZWQsIGFuZCBhDQoNCj4g ICAgIHJlYXNvbmFibGUgbmFtZSBmb3IgdGhlIG5ldyByZWdpc3RyeSBoYXMgYmVlbiBzdWdnZXN0 ZWQgKHNlZSBSRkMgNTIyNikuDQoNCj4NCg0KPiAgICAgVGhlIGRvY3VtZW50IGNyZWF0ZXMgYSBu ZXcgcmVnaXN0cnkgZm9yIEpXVCBjbGFpbXMgYW5kIHBvcHVsYXRlcyB0aGlzDQoNCj4gICAgIHJl Z2lzdHJ5IHdpdGggdmFsdWVzLg0KDQo+ICAgICBJdCBhbHNvIHJlZ2lzdGVycyB2YWx1ZXMgaW50 byB0d28gZXhpc3RpbmcgcmVnaXN0cmllcywgbmFtZWx5IGludG8NCg0KPiAgICAgICogdGhlIFJG QyA2NzU1IGNyZWF0ZWQgT0F1dGggVVJOIHJlZ2lzdHJ5LCBhbmQNCg0KPiAgICAgICogdGhlIG1l ZGlhIHR5cGUgcmVnaXN0cnkNCg0KPg0KDQo+ICAgICAoMTgpIExpc3QgYW55IG5ldyBJQU5BIHJl Z2lzdHJpZXMgdGhhdCByZXF1aXJlIEV4cGVydCBSZXZpZXcgZm9yIGZ1dHVyZQ0KDQo+ICAgICBh bGxvY2F0aW9ucy4gUHJvdmlkZSBhbnkgcHVibGljIGd1aWRhbmNlIHRoYXQgdGhlIElFU0cgd291 bGQgZmluZCB1c2VmdWwNCg0KPiAgICAgaW4gc2VsZWN0aW5nIHRoZSBJQU5BIEV4cGVydHMgZm9y IHRoZXNlIG5ldyByZWdpc3RyaWVzLg0KDQo+DQoNCj4gICAgIFRoZSBuZXdseSBjcmVhdGVkIEpX VCBjbGFpbXMgcmVnaXN0cnkgcmVxdWlyZXMgZXhwZXJ0IHJldmlldyBmb3IgZnV0dXJlDQoNCj4g ICAgIGFsbG9jYXRpb25zLiBHdWlkYW5jZSBpcyBnaXZlbiBpbiB0aGUgZG9jdW1lbnQuDQoNCj4g ICAgIFRoZSBkb2N1bWVudCBzaGVwaGVyZCB2b2x1bnRlZXJzIHRvIGJlY29tZSBhbiBleHBlcnQg cmV2aWV3Lg0KDQo+DQoNCj4gICAgICgxOSkgRGVzY3JpYmUgcmV2aWV3cyBhbmQgYXV0b21hdGVk IGNoZWNrcyBwZXJmb3JtZWQgYnkgdGhlIERvY3VtZW50DQoNCj4gICAgIFNoZXBoZXJkIHRvIHZh bGlkYXRlIHNlY3Rpb25zIG9mIHRoZSBkb2N1bWVudCB3cml0dGVuIGluIGEgZm9ybWFsDQoNCj4g ICAgIGxhbmd1YWdlLCBzdWNoIGFzIFhNTCBjb2RlLCBCTkYgcnVsZXMsIE1JQiBkZWZpbml0aW9u cywgZXRjLg0KDQo+DQoNCj4gICAgIFRoZXJlIGFyZSBleGFtcGxlcyBpbiB0aGUgZG9jdW1lbnQg dGhhdCB1c2UgYSBKU09OLWJhc2VkIGVuY29kaW5nLiBUaGUNCg0KPiAgICAgZG9jdW1lbnQgc2hl cGhlcmQgaGFzIHJldmlld2VkIHRob3NlIGV4YW1wbGVzIGJ1dCBoYXMgbm90IHZlcmlmaWVkIHRo ZQ0KDQo+ICAgICBjb3JyZWN0bmVzcyBvZiB0aGUgY3J5cHRvZ3JhcGhpYyBvcGVyYXRpb25zLg0K DQo+DQoNCj4NCg0KPg0KDQo+ICAgICBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fXw0KDQo+ICAgICBPQXV0aCBtYWlsaW5nIGxpc3QNCg0KPiAgICAgT0F1dGhA aWV0Zi5vcmcgPG1haWx0bzpPQXV0aEBpZXRmLm9yZz4NCg0KPiAgICAgaHR0cHM6Ly93d3cuaWV0 Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aA0KDQo+DQoNCj4NCg0KDQo= --_000_4E1F6AAD24975D4BA5B16804296739439A194E11TK5EX14MBXC288r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQovKiBTdHlsZSBEZWZp bml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXtt YXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTEuMHB0Ow0K CWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7fQ0KYTpsaW5rLCBzcGFuLk1zb0h5 cGVybGluaw0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0LWRl Y29yYXRpb246dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xsb3dl ZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxlOw0KCXRleHQtZGVjb3Jh dGlvbjp1bmRlcmxpbmU7fQ0KcC5Nc29QbGFpblRleHQsIGxpLk1zb1BsYWluVGV4dCwgZGl2Lk1z b1BsYWluVGV4dA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IlBs YWluIFRleHQgQ2hhciI7DQoJbWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJ Zm9udC1zaXplOjExLjBwdDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiO30N CnByZQ0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkhUTUwgUHJl Zm9ybWF0dGVkIENoYXIiOw0KCW1hcmdpbjowaW47DQoJbWFyZ2luLWJvdHRvbTouMDAwMXB0Ow0K CWZvbnQtc2l6ZToxMi4wcHQ7DQoJZm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Ijt9DQpzcGFuLlBs YWluVGV4dENoYXINCgl7bXNvLXN0eWxlLW5hbWU6IlBsYWluIFRleHQgQ2hhciI7DQoJbXNvLXN0 eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJQbGFpbiBUZXh0IjsNCglmb250LWZh bWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiO30NCnNwYW4uSFRNTFByZWZvcm1hdHRlZENoYXIN Cgl7bXNvLXN0eWxlLW5hbWU6IkhUTUwgUHJlZm9ybWF0dGVkIENoYXIiOw0KCW1zby1zdHlsZS1w cmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoiSFRNTCBQcmVmb3JtYXR0ZWQiOw0KCWZvbnQt ZmFtaWx5OiJDb3VyaWVyIE5ldyI7fQ0KLk1zb0NocERlZmF1bHQNCgl7bXNvLXN0eWxlLXR5cGU6 ZXhwb3J0LW9ubHk7DQoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjt9DQpAcGFn ZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo4LjVpbiAxMS4waW47DQoJbWFyZ2luOjEuMGluIDEuMGlu IDEuMGluIDEuMGluO30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7cGFnZTpXb3JkU2VjdGlvbjE7fQ0K LS0+PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlZGVmYXVsdHMgdjpl eHQ9ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3htbD48IVtlbmRpZl0tLT48IS0tW2lmIGd0 ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6ZXh0PSJlZGl0Ij4NCjxvOmlkbWFwIHY6 ZXh0PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBlbGF5b3V0PjwveG1sPjwhW2VuZGlmXS0t Pg0KPC9oZWFkPg0KPGJvZHkgbGFuZz0iRU4tVVMiIGxpbms9ImJsdWUiIHZsaW5rPSJwdXJwbGUi Pg0KPGRpdiBjbGFzcz0iV29yZFNlY3Rpb24xIj4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPlRo YW5rcyBmb3IgZG9pbmcgdGhpcywgSGFubmVzLiZuYnNwOyBJIHdvdWxkIHN1Z2dlc3QgbWFraW5n IHRoZSBmb2xsb3dpbmcgY2hhbmdlcy4uLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5D aGFuZ2Ug4oCcSXQgYWxsb3dzIE9BdXRoIGRlcGxveW1lbnRzIHRvIHVzZSBhIHN0YW5kYXJkaXpl ZCBhY2Nlc3MgdG9rZW4gZm9ybWF0LCB3aGljaCBpbmNyZWFzZXMgaW50ZXJvcGVyYWJpbGl0eSBv ZiBPQXV0aC1iYXNlZCBkZXBsb3ltZW50c+KAnSB0byDigJxJdCBkZWZpbmVzIGEgc3RhbmRhcmQg SlNPTi1iYXNlZCBzZWN1cml0eSB0b2tlbiBmb3JtYXQsIGluY3JlYXNpbmcgaW50ZXJvcGVyYWJp bGl0eSBib3RoDQogYW1vbmcgT0F1dGggZGVwbG95bWVudHMgdXNpbmcgaXQgYW5kIGluIG90aGVy IGFwcGxpY2F0aW9uIGNvbnRleHRzIGFzIHdlbGzigJ0uPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPkkgd291bGQgY2hhbmdlIDxhIGhyZWY9Imh0dHA6Ly9vcGVuaWQubmV0L2RldmVsb3Bl cnMvbGlicmFyaWVzLyI+DQpodHRwOi8vb3BlbmlkLm5ldC9kZXZlbG9wZXJzL2xpYnJhcmllcy88 L2E+IHRvIDxhIGhyZWY9Imh0dHA6Ly9vcGVuaWQubmV0L2RldmVsb3BlcnMvbGlicmFyaWVzLyNq d3QiPg0KaHR0cDovL29wZW5pZC5uZXQvZGV2ZWxvcGVycy9saWJyYXJpZXMvI2p3dDwvYT4gKGFk ZGluZyB0aGUgI2p3dCB0YXJnZXQgd2l0aGluIHRoZSBwYWdlKS48bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+SSB3b3VsZCBjaGFuZ2Ug4oCcVGhlIGRyYWZ0IGF1dGhvcnMgYmVsaWV2ZSB0 aGF0IHRoaXMgZG9jdW1lbnQgaXMgcmVhZHkgZm9yIHB1YmxpY2F0aW9u4oCdIHRvIOKAnFRoZSBk b2N1bWVudCBpcyByZWFkeSBmb3IgcHVibGljYXRpb27igJ0uPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPkkgd291bGQgY2hhbmdlIHRoZSBhbnN3ZXIgdG8gKDE1KSB0byBzYXkgbm90aGlu ZyBhYm91dCBFQ01BU2NyaXB0LCBzaW5jZSBpdCBpcyBub3QgYSBkb3ducmVmLCBhbmQgdG8gb25s eSBzYXkg4oCcUkZDIDY3NTUgaXMgYSBkb3ducmVmLCBzaW5jZSA2NzU1IGlzIGluZm9ybWF0aW9u YWwu4oCdPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNw OzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPkkgd291bGQgY2hhbmdlIOKAnFRo ZSBkb2N1bWVudCBzaGVwaGVyZCB2b2x1bnRlZXJzIHRvIGJlY29tZSBhbiBleHBlcnQgcmV2aWV3 4oCdIHRvIHRoZSBmb2xsb3dpbmc6PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxl PSJtYXJnaW4tbGVmdDouNWluIj5UaGUgZG9jdW1lbnQgc2hlcGhlcmQgYW5kIHRoZSBhdXRob3Ig TWljaGFlbCBKb25lcyBib3RoIHZvbHVudGVlciB0byBiZWNvbWUgZXhwZXJ0IHJldmlld2Vycy4m bmJzcDsgTm90ZSB0aGF0IHRoZSBkb2N1bWVudCByZWNvbW1lbmRzIHRoYXQgbXVsdGlwbGUgZXhw ZXJ0IHJldmlld2VycyBiZSBhcHBvaW50ZWQsIHdpdGggdGhlIGZvbGxvd2luZyB0ZXh0ICh3aGlj aCBhbHNvDQogYXBwZWFycyBpbiB0aGUgSk9TRSBkb2N1bWVudHMpOjxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2UtYnJlYWstYmVmb3JlOmFsd2F5cyI+PHNw YW4gbGFuZz0iRU4iIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0Nv dXJpZXIgTmV3JnF1b3Q7Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJF TiIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcm cXVvdDsiPiZuYnNwOyZuYnNwOyBJdCBpcyBzdWdnZXN0ZWQgdGhhdCBtdWx0aXBsZSBEZXNpZ25h dGVkIEV4cGVydHMgYmUgYXBwb2ludGVkIHdobyBhcmU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3Bh biBsYW5nPSJFTiIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291 cmllciBOZXcmcXVvdDsiPiZuYnNwOyZuYnNwOyBhYmxlIHRvIHJlcHJlc2VudCB0aGUgcGVyc3Bl Y3RpdmVzIG9mIGRpZmZlcmVudCBhcHBsaWNhdGlvbnMgdXNpbmc8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0icGFnZS1icmVhay1iZWZvcmU6YWx3YXlz Ij48c3BhbiBsYW5nPSJFTiIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7Q291cmllciBOZXcmcXVvdDsiPiZuYnNwOyZuYnNwOyB0aGlzIHNwZWNpZmljYXRpb24sIGlu IG9yZGVyIHRvIGVuYWJsZSBicm9hZGx5LWluZm9ybWVkIHJldmlldyBvZjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJwYWdlLWJyZWFrLWJlZm9yZTph bHdheXMiPjxzcGFuIGxhbmc9IkVOIiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+Jm5ic3A7Jm5ic3A7IHJlZ2lzdHJhdGlvbiBkZWNp c2lvbnMuJm5ic3A7IEluIGNhc2VzIHdoZXJlIGEgcmVnaXN0cmF0aW9uIGRlY2lzaW9uIGNvdWxk PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2Ut YnJlYWstYmVmb3JlOmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4iIHN0eWxlPSJmb250LXNpemU6MTIu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij4mbmJzcDsmbmJzcDsgYmUg cGVyY2VpdmVkIGFzIGNyZWF0aW5nIGEgY29uZmxpY3Qgb2YgaW50ZXJlc3QgZm9yIGEgcGFydGlj dWxhcjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJw YWdlLWJyZWFrLWJlZm9yZTphbHdheXMiPjxzcGFuIGxhbmc9IkVOIiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtDb3VyaWVyIE5ldyZxdW90OyI+Jm5ic3A7Jm5ic3A7 IEV4cGVydCwgdGhhdCBFeHBlcnQgc2hvdWxkIGRlZmVyIHRvIHRoZSBqdWRnbWVudCBvZiB0aGUg b3RoZXI8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0i cGFnZS1icmVhay1iZWZvcmU6YWx3YXlzIj48c3BhbiBsYW5nPSJFTiIgc3R5bGU9ImZvbnQtc2l6 ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcmcXVvdDsiPiZuYnNwOyZuYnNw OyBFeHBlcnQocykuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij5JIHdvdWxk IGNoYW5nZSDigJxUaGUgZG9jdW1lbnQgc2hlcGhlcmQgaGFzIHJldmlld2VkIHRob3NlIGV4YW1w bGVzIGJ1dCBoYXMgbm90IHZlcmlmaWVkIHRoZSBjb3JyZWN0bmVzcyBvZiB0aGUgY3J5cHRvZ3Jh cGhpYyBvcGVyYXRpb25z4oCdIHRvIOKAnFRoZSBkb2N1bWVudCBzaGVwaGVyZCBoYXMgcmV2aWV3 ZWQgdGhvc2UgZXhhbXBsZXMgYnV0IGhhcyBub3QgdmVyaWZpZWQgdGhlIGNvcnJlY3RuZXNzIG9m IHRoZQ0KIGNyeXB0b2dyYXBoaWMgb3BlcmF0aW9ucywgaG93ZXZlciBCcmlhbiBDYW1wYmVsbCBo YXMgZG9uZSBzb+KAnS48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+VGhhbmtzIGFnYWlu IGZvciBtb3ZpbmcgdGhpcyBmb3J3YXJkITxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4m bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgLS0gTWlrZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4tLS0tLU9y aWdpbmFsIE1lc3NhZ2UtLS0tLTxicj4NCkZyb206IE9BdXRoIFttYWlsdG86b2F1dGgtYm91bmNl c0BpZXRmLm9yZ10gT24gQmVoYWxmIE9mIEhhbm5lcyBUc2Nob2ZlbmlnPGJyPg0KU2VudDogVGh1 cnNkYXksIEFwcmlsIDI0LCAyMDE0IDEyOjExIEFNPGJyPg0KVG86IEJyaWFuIENhbXBiZWxsPGJy Pg0KQ2M6IG9hdXRoQGlldGYub3JnPGJyPg0KU3ViamVjdDogUmU6IFtPQVVUSC1XR10gZHJhZnQt aWV0Zi1vYXV0aC1qc29uLXdlYi10b2tlbi0xOSBTaGVwaGVyZCBXcml0ZS11cDwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+VGhhbmtzLCBCcmlhbi4gSSB3aWxsIGFkZCB0aGlzIGFzcGVjdCB0byB0aGUgd3Jp dGUtdXAuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNw OzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPk9uIDA0LzI0LzIwMTQgMTI6NDYg QU0sIEJyaWFuIENhbXBiZWxsIHdyb3RlOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+Jmd0OyBXaGlsZSBPQXV0aCBhY2Nlc3MgdG9rZW5zIGFyZSBhIHZhbHVhYmxlIGFw cGxpY2F0aW9uIG9mIEpXVCwgbWlnaHQgaXQNCjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+Jmd0OyBhbHNvIGJlIHdvcnRod2hpbGUgdG8gbWVudGlvbiB0aGF0IEpXVCBj YW4gYW5kIHdpbGwgYmUgdXNlZnVsIGluIG90aGVyDQo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPiZndDsgY29udGV4dHM/IENvbm5lY3QncyBJRCBUb2tlbiBpcyBvbmUg c3VjaCBleGFtcGxlOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0 OyBodHRwOi8vb3BlbmlkLm5ldC9zcGVjcy9vcGVuaWQtY29ubmVjdC1jb3JlLTFfMC5odG1sI0lE VG9rZW48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyBPbiBXZWQsIEFwciAyMywgMjAxNCBhdCA1OjU1 IEFNLCBIYW5uZXMgVHNjaG9mZW5pZyA8bzpwPg0KPC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+Jmd0OyAmbHQ7aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldCAmbHQ7bWFpbHRvOmhh bm5lcy50c2Nob2ZlbmlnQGdteC5uZXQmZ3Q7Jmd0OyB3cm90ZTo8bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv UGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IEhpIGFsbCw8bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IEkgYW0gd29y a2luZyBvbiB0aGUgc2hlcGhlcmQgd3JpdGV1cCBmb3IgdGhlIEpXVC4gSGVyZSBhcmUgYSBmZXc8 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgcXVlc3Rpb25zOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgLSBUbyB0aGUgZG9jdW1lbnQgYXV0aG9yczogUGxlYXNl IGNvbmZpcm0gdGhhdCBhbnkgYW5kIGFsbCBhcHByb3ByaWF0ZTxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBJUFIgZGlz Y2xvc3VyZXMgcmVxdWlyZWQgZm9yIGZ1bGwgY29uZm9ybWFuY2Ugd2l0aCB0aGUgcHJvdmlzaW9u cyBvZiBCQ1A8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsgNzggYW5kIEJDUCA3OSBoYXZlIGFscmVhZHkgYmVlbiBmaWxl ZC48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IC0gVG8gYWxsOiBJIGhhdmUgaW5jbHVkZWQgdmFyaW91cyBwb2ludGVycyB0byBpbXBsZW1l bnRhdGlvbnMgaW4gdGhlPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4m Z3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHdyaXRlLXVwLiBNYXliZSB0aGVyZSBhcmUgb3Ro ZXJzIHRoYXQgc2hvdWxkIGJlIGluY2x1ZGVkLiBJZiBzbywgcGxlYXNlPG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGxl dCBtZSBrbm93LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgLSBUbyBhbGw6IFBsZWFzZSBhbHNvIGdvIHRocm91Z2ggdGhlIHRleHQgdG8g bWFrZSBzdXJlIHRoYXQgSSBjb3JyZWN0bHk8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgcmVmbGVjdCB0aGUgaGlzdG9y eSBhbmQgdGhlIHN0YXR1cyBvZiB0aGlzIGRvY3VtZW50LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgSGVyZSBpcyB0aGUgbGF0ZXN0IHZl cnNpb24gb2YgdGhlIHdyaXRlLXVwOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPiZndDsgaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29t L2hhbm5lc3RzY2hvZmVuaWcvdHNjaG9mZW5pZy1pZHMvbWFzdDxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyBlci9zaGVwaGVyZC13cml0ZXVwcy9Xcml0ZXVwX09B dXRoX0pXVC50eHQ8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsg PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7IENpYW88bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgSGFubmVzPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBQUzogSGVyZSBpcyB0aGUgY29w eS1hbmQtcGFzdGUgdGV4dDo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PiZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7IC0tLS0tLS0tPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv UGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBXcml0ZXVwIGZvciAmcXVvdDtKU09OIFdlYiBU b2tlbiAoSldUKSZxdW90OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PiZndDsgJmx0O2RyYWZ0LWlldGYtb2F1dGgtanNvbi13ZWItdG9rZW4tMTkmZ3Q7PG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAoMSkgV2hh dCB0eXBlIG9mIFJGQyBpcyBiZWluZyByZXF1ZXN0ZWQgKEJDUCwgUHJvcG9zZWQgU3RhbmRhcmQs PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7IEludGVybmV0IFN0YW5kYXJkLCBJbmZvcm1hdGlvbmFsLCBFeHBlcmltZW50 YWwsIG9yIEhpc3RvcmljKT8gV2h5IGlzPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHRoaXMgdGhlIHByb3BlciB0eXBl IG9mIFJGQz8gSXMgdGhpcyB0eXBlIG9mIFJGQyBpbmRpY2F0ZWQgaW4gdGhlIHRpdGxlPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7IHBhZ2UgaGVhZGVyPzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsgVGhlIFJGQyB0eXBlIGlzICdTdGFuZGFyZHMgVHJhY2snIGFu ZCB0aGUgdHlwZSBpcyBpbmRpY2F0ZWQgaW4gdGhlIHRpdGxlPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHBhZ2UuIFRo aXMgZG9jdW1lbnQgZGVmaW5lcyB0aGUgc3ludGF4IGFuZCBzZW1hbnRpYyBvZiBpbmZvcm1hdGlv bjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyBlbGVtZW50cy48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICgyKSBUaGUgSUVTRyBhcHByb3ZhbCBhbm5vdW5jZW1l bnQgaW5jbHVkZXMgYSBEb2N1bWVudCBBbm5vdW5jZW1lbnQ8bzpwPjwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgV3JpdGUtVXAu IFBsZWFzZSBwcm92aWRlIHN1Y2ggYSBEb2N1bWVudCBBbm5vdW5jZW1lbnQgV3JpdGUtVXAuIFJl Y2VudDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyBleGFtcGxlcyBjYW4gYmUgZm91bmQgaW4gdGhlICZxdW90O0FjdGlv biZxdW90OyBhbm5vdW5jZW1lbnRzIGZvciBhcHByb3ZlZDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBkb2N1bWVudHMu IFRoZSBhcHByb3ZhbCBhbm5vdW5jZW1lbnQgY29udGFpbnMgdGhlIGZvbGxvd2luZyBzZWN0aW9u czo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IFRlY2huaWNhbCBTdW1tYXJ5OjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgSlNPTiBXZWIgVG9rZW4g KEpXVCkgaXMgYSBjb21wYWN0IFVSTC1zYWZlIG1lYW5zIG9mIHJlcHJlc2VudGluZzxvOnA+PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBjbGFpbXMgdG8gYmUgdHJhbnNmZXJyZWQgYmV0d2VlbiB0 d28gcGFydGllcy4mbmJzcDsgVGhlIGNsYWltcyBpbiBhIEpXVDxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyBhcmUgZW5jb2RlZCBhcyBhIEphdmFTY3JpcHQgT2JqZWN0IE5vdGF0aW9uIChK U09OKSBvYmplY3QgdGhhdCBpczxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyB1c2VkIGFz IHRoZSBwYXlsb2FkIG9mIGEgSlNPTiBXZWIgU2lnbmF0dXJlIChKV1MpIHN0cnVjdHVyZSBvciBh cyB0aGU8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgcGxhaW50ZXh0IG9mIGEgSlNPTiBX ZWIgRW5jcnlwdGlvbiAoSldFKSBzdHJ1Y3R1cmUsIGVuYWJsaW5nIHRoZTxvOnA+PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyBjbGFpbXMgdG8gYmUgZGlnaXRhbGx5IHNpZ25lZCBvciBNQUNlZCBh bmQvb3IgZW5jcnlwdGVkLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsgV29ya2luZyBHcm91cCBTdW1tYXJ5OjxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgV2FzIHRoZXJlIGFueXRo aW5nIGluIFdHIHByb2Nlc3MgdGhhdCBpcyB3b3J0aCBub3Rpbmc/IEZvciBleGFtcGxlLCB3YXM8 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgdGhlcmUgY29udHJvdmVyc3kgYWJvdXQgcGFydGljdWxhciBwb2ludHMgb3Ig d2VyZSB0aGVyZSBkZWNpc2lvbnMgd2hlcmU8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgdGhlIGNvbnNlbnN1cyB3YXMg cGFydGljdWxhcmx5IHJvdWdoPzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsgVGhpcyBkb2N1bWVudCB3YXMgdW5jb250cm92ZXJzaWFsLiBJ dCBhbGxvd3MgT0F1dGggZGVwbG95bWVudHMgdG8gdXNlIGE8bzpwPjwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgc3RhbmRhcmRp emVkIGFjY2VzcyB0b2tlbiBmb3JtYXQsIHdoaWNoIGluY3JlYXNlcyBpbnRlcm9wZXJhYmlsaXR5 IG9mPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7IE9BdXRoLWJhc2VkIGRlcGxveW1lbnRzLjxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgRG9jdW1lbnQgUXVhbGl0 eTo8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IFRoaXMgZG9jdW1lbnQgaGFzIGdvbmUgdGhyb3VnaCBtYW55IGl0ZXJhdGlvbnMgYW5kIGhh cyByZWNlaXZlZDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBzdWJzdGFudGlhbCBmZWVkYmFjay48bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IEEgc3Vic3RhbnRp YWwgbnVtYmVyIG9mIGltcGxlbWVudGF0aW9ucyBleGlzdCwgYXMgZG9jdW1lbnRlZCBhdDxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyBodHRwOi8vb3BlbmlkLm5ldC9kZXZlbG9wZXJzL2xpYnJhcmllcy88bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsgKHNjcm93bCBkb3duIHRvIHRoZSAnSldUL0pXUy9KV0UvSldLL0pXQSBJbXBsZW1lbnRhdGlv bnMnIHNlY3Rpb24pPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7 IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyBBbiBFeGNlbCBkb2N1bWVudCBwcm92aWRpbmcgYWRkaXRpb25hbCBkZXRh aWxzIGNhbiBiZSBmb3VuZCBoZXJlOjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPiZndDsgaHR0cDovL3d3dy5vYXV0aC12Mi5vcmcvd3AtY29udGVu dC91cGxvYWRzLzIwMTQvMDQvSldULUltcGxlbWVudGF0aW9uczxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyAueGxzeDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgUGVyc29ubmVsOjxvOnA+PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgVGhlIGRvY3VtZW50 IHNoZXBoZXJkIGlzIEhhbm5lcyBUc2Nob2ZlbmlnIGFuZCB0aGUgcmVzcG9uc2libGUgYXJlYTxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyBkaXJlY3RvciBpcyBLYXRobGVlbiBNb3JpYXJ0eS48bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICgzKSBCcmllZmx5IGRl c2NyaWJlIHRoZSByZXZpZXcgb2YgdGhpcyBkb2N1bWVudCB0aGF0IHdhcyBwZXJmb3JtZWQgYnk8 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgdGhlIERvY3VtZW50IFNoZXBoZXJkLiBJZiB0aGlzIHZlcnNpb24gb2YgdGhl IGRvY3VtZW50IGlzIG5vdCByZWFkeSBmb3I8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgcHVibGljYXRpb24sIHBsZWFz ZSBleHBsYWluIHdoeSB0aGUgZG9jdW1lbnQgaXMgYmVpbmcgZm9yd2FyZGVkIHRvPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IHRoZSBJRVNHLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0 OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsgVGhlIGRyYWZ0IGF1dGhvcnMgYmVsaWV2ZSB0aGF0IHRoaXMgZG9jdW1l bnQgaXMgcmVhZHkgZm9yIHB1YmxpY2F0aW9uLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBUaGUgZG9jdW1lbnQgaGFz IHJlY2VpdmVkIHJldmlldyBjb21tZW50cyBmcm9tIHdvcmtpbmcgZ3JvdXAgbWVtYmVycyw8bzpw PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsgYW5kIGZyb20gdGhlIE9BdXRoIHdvcmtpbmcgZ3JvdXAgY2hhaXJzLiBJbXBsZW1l bnRhdGlvbnMgZXhpc3QgYW5kIHRoZXk8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgaGF2ZSB0ZXN0ZWQgZm9yIGludGVy b3BlcmFiaWxpdHkgYXMgcGFydCBvZiB0aGUgT3BlbklEIENvbm5lY3QgaW50ZXJvcDxvOnA+PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyBldmVudHMuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7 IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyAoNCkgRG9lcyB0aGUgZG9jdW1lbnQgU2hlcGhlcmQgaGF2ZSBhbnkgY29u Y2VybnMgYWJvdXQgdGhlIGRlcHRoIG9yPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGJyZWFkdGggb2YgdGhlIHJldmll d3MgdGhhdCBoYXZlIGJlZW4gcGVyZm9ybWVkPzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgVGhpcyBkb2N1bWVudCBoYXMgZ290dGVuIGVu b3VnaCBmZWVkYmFjayBmcm9tIHRoZSB3b3JraW5nIGdyb3VwLjxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgKDUpIERvIHBvcnRpb25zIG9m IHRoZSBkb2N1bWVudCBuZWVkIHJldmlldyBmcm9tIGEgcGFydGljdWxhciBvciBmcm9tPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7IGJyb2FkZXIgcGVyc3BlY3RpdmUsIGUuZy4sIHNlY3VyaXR5LCBvcGVyYXRpb25hbCBj b21wbGV4aXR5LCBBQUEsIEROUyw8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgREhDUCwgWE1MLCBvciBpbnRlcm5hdGlv bmFsaXphdGlvbj8gSWYgc28sIGRlc2NyaWJlIHRoZSByZXZpZXcgdGhhdCB0b29rPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IHBsYWNlLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgU2luY2UgdGhlIE9BdXRoIHdvcmtpbmcgZ3JvdXAgZGV2ZWxvcHMgc2VjdXJp dHkgcHJvdG9jb2xzIGFueSBmZWVkYmFjazxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBmcm9tIHRoZSBzZWN1cml0eSBj b21tdW5pdHkgaXMgYWx3YXlzIGFwcHJlY2lhdGVkLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBUaGUgSldUIGRvY3Vt ZW50IGhlYXZpbHkgZGVwZW5kcyBvbiB0aGUgd29yayBpbiB0aGUgSk9TRSB3b3JraW5nIGdyb3Vw PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7IHNpbmNlIGl0IHJlLXVzZXMgdGhlIEpXRSBhbmQgdGhlIEpXUyBzcGVjaWZp Y2F0aW9ucy48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86 cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7ICg2KSBEZXNjcmliZSBhbnkgc3BlY2lmaWMgY29uY2VybnMgb3IgaXNzdWVzIHRo YXQgdGhlIERvY3VtZW50IFNoZXBoZXJkPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGhhcyB3aXRoIHRoaXMgZG9jdW1l bnQgdGhhdCB0aGUgUmVzcG9uc2libGUgQXJlYSBEaXJlY3RvciBhbmQvb3IgdGhlPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IElFU0cgc2hvdWxkIGJlIGF3YXJlIG9mPyBGb3IgZXhhbXBsZSwgcGVyaGFwcyBoZSBvciBz aGUgaXMgdW5jb21mb3J0YWJsZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyB3aXRoIGNlcnRhaW4gcGFydHMgb2YgdGhl IGRvY3VtZW50LCBvciBoYXMgY29uY2VybnMgd2hldGhlciB0aGVyZSByZWFsbHk8bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsgaXMgYSBuZWVkIGZvciBpdC4gSW4gYW55IGV2ZW50LCBpZiB0aGUgV0cgaGFzIGRpc2N1c3Nl ZCB0aG9zZSBpc3N1ZXMgYW5kPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGhhcyBpbmRpY2F0ZWQgdGhhdCBpdCBzdGls bCB3aXNoZXMgdG8gYWR2YW5jZSB0aGUgZG9jdW1lbnQsIGRldGFpbCB0aG9zZTxvOnA+PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyBjb25jZXJucyBoZXJlLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsgVGhlIHNoZXBoZXJkIGhhcyBubyBjb25jZXJucyB3aXRoIHRoaXMg ZG9jdW1lbnQuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyAoNykgSGFzIGVhY2ggYXV0aG9yIGNvbmZpcm1lZCB0aGF0IGFueSBhbmQgYWxs IGFwcHJvcHJpYXRlIElQUjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBkaXNjbG9zdXJlcyByZXF1aXJlZCBmb3IgZnVs bCBjb25mb3JtYW5jZSB3aXRoIHRoZSBwcm92aXNpb25zIG9mIEJDUCA3ODxvOnA+PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBh bmQgQkNQIDc5IGhhdmUgYWxyZWFkeSBiZWVuIGZpbGVkLiBJZiBub3QsIGV4cGxhaW4gd2h5Pzxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsg W1tDb25maXJtYXRpb24gZnJvbSB0aGUgYXV0aG9ycyByZXF1aXJlZC5dXTxvOnA+PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgKDgpIEhhcyBhbiBJ UFIgZGlzY2xvc3VyZSBiZWVuIGZpbGVkIHRoYXQgcmVmZXJlbmNlcyB0aGlzIGRvY3VtZW50PyBJ ZjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyBzbywgc3VtbWFyaXplIGFueSBXRyBkaXNjdXNzaW9uIGFuZCBjb25jbHVz aW9uIHJlZ2FyZGluZyB0aGUgSVBSPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGRpc2Nsb3N1cmVzLjxvOnA+PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNs YXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgVHdvIElQUnMg aGF2ZSBiZWVuIGZpbGVkIGZvciB0aGUgSldUIHNwZWNpZmljYXRpb24gdGhpcyBkb2N1bWVudCBy ZWxpZXM8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsgb24sIHNlZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyA8bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgaHR0cDovL2RhdGF0cmFja2VyLmlldGYub3JnL2lw ci9zZWFyY2gvP29wdGlvbj1kb2N1bWVudF9zZWFyY2gmYW1wO2lkPWRyYWY8bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgdC1pZXRmLW9hdXRoLWpzb24td2ViLXRv a2VuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9v OnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxw IGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgVGhlcmUg d2FzIG5vIGRpc2N1c3Npb24gcmVnYXJkaW5nIHRob3NlIHR3byBJUFJzIG9uIHRoZSBtYWlsaW5n IGxpc3QuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyAoOSkgSG93IHNvbGlkIGlzIHRoZSBXRyBjb25zZW5zdXMgYmVoaW5kIHRoaXMgZG9j dW1lbnQ/IERvZXMgaXQ8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZn dDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgcmVwcmVzZW50IHRoZSBzdHJvbmcgY29uY3VycmVu Y2Ugb2YgYSBmZXcgaW5kaXZpZHVhbHMsIHdpdGggb3RoZXJzIGJlaW5nPG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHNp bGVudCwgb3IgZG9lcyB0aGUgV0cgYXMgYSB3aG9sZSB1bmRlcnN0YW5kIGFuZCBhZ3JlZSB3aXRo IGl0PzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsgJm5ic3A7Jm5ic3A7 Jm5ic3A7VGhlIHdvcmtpbmcgZ3JvdXAgaGFzIGNvbnNlbnN1cyB0byBwdWJsaXNoIHRoaXMgZG9j dW1lbnQuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyAoMTApIEhhcyBhbnlvbmUgdGhyZWF0ZW5lZCBhbiBhcHBlYWwgb3Igb3RoZXJ3aXNl IGluZGljYXRlZCBleHRyZW1lPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGRpc2NvbnRlbnQ/IElmIHNvLCBwbGVhc2Ug c3VtbWFyaXNlIHRoZSBhcmVhcyBvZiBjb25mbGljdCBpbiBzZXBhcmF0ZTxvOnA+PC9vOnA+PC9w Pg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBl bWFpbCBtZXNzYWdlcyB0byB0aGUgUmVzcG9uc2libGUgQXJlYSBEaXJlY3Rvci4gKEl0IHNob3Vs ZCBiZSBpbiBhPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHNlcGFyYXRlIGVtYWlsIGJlY2F1c2UgdGhpcyBxdWVzdGlv bm5haXJlIGlzIHB1YmxpY2x5IGF2YWlsYWJsZS4pPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBObyBhcHBlYWwgb3IgZXh0cmVtZSBkaXNj b250ZW50IGhhcyBiZWVuIHJhaXNlZC48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICgxMSkgSWRlbnRpZnkgYW55IElEIG5pdHMgdGhlIERv Y3VtZW50IFNoZXBoZXJkIGhhcyBmb3VuZCBpbiB0aGlzPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGRvY3VtZW50LiAo U2VlIGh0dHA6Ly93d3cuaWV0Zi5vcmcvdG9vbHMvaWRuaXRzLyBhbmQgdGhlIEludGVybmV0LURy YWZ0czxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyBDaGVja2xpc3QpLiBCb2lsZXJwbGF0ZSBjaGVja3MgYXJlIG5vdCBl bm91Z2g7IHRoaXMgY2hlY2sgbmVlZHMgdG8gYmU8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgdGhvcm91Z2guPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBUaGUg c2hlcGhlcmQgaGFzIGNoZWNrZWQgdGhlIG5pdHMuIFRoZSBzaGVwaGVyZCBoYXMgbm90IHZlcmlm aWVkIHRoZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyBleGFtcGxlcyBmb3IgY29ycmVjdG5lc3MuPG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAoMTIpIERlc2Ny aWJlIGhvdyB0aGUgZG9jdW1lbnQgbWVldHMgYW55IHJlcXVpcmVkIGZvcm1hbCByZXZpZXc8bzpw PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsgY3JpdGVyaWEsIHN1Y2ggYXMgdGhlIE1JQiBEb2N0b3IsIG1lZGlhIHR5cGUsIGFu ZCBVUkkgdHlwZSByZXZpZXdzLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsgVGhlIGRvY3VtZW50IGRvZXMgbm90IHJlcXVpcmUgYSBmb3Jt YWwgcmV2aWV3IGV2ZW4gdGhvdWdoIGl0IGNvbnRhaW5zPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IEpTT04tYmFzZWQg ZXhhbXBsZXMuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyAoMTMpIEhhdmUgYWxsIHJlZmVyZW5jZXMgd2l0aGluIHRoaXMgZG9jdW1lbnQg YmVlbiBpZGVudGlmaWVkIGFzIGVpdGhlcjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBub3JtYXRpdmUgb3IgaW5mb3Jt YXRpdmU/PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyBZZXMuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7 IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyAoMTQpIEFyZSB0aGVyZSBub3JtYXRpdmUgcmVmZXJlbmNlcyB0byBkb2N1 bWVudHMgdGhhdCBhcmUgbm90IHJlYWR5IGZvcjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhZHZhbmNlbWVudCBvciBh cmUgb3RoZXJ3aXNlIGluIGFuIHVuY2xlYXIgc3RhdGU/IElmIHN1Y2ggbm9ybWF0aXZlPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7IHJlZmVyZW5jZXMgZXhpc3QsIHdoYXQgaXMgdGhlIHBsYW4gZm9yIHRoZWlyIGNvbXBs ZXRpb24/PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyBUaGVyZSBhcmUgdmFyaW91cyBKT1NFIGRvY3VtZW50cyB0aGF0IGhhdmUgbm90IGJl ZW4gcHVibGlzaGVkIGFzIFJGQ3M8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl eHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgeWV0LiBBcyBzdWNoLCB0aGlzIGRvY3Vt ZW50IGNhbm5vdCBiZSBwdWJsaXNoZWQgYmVmb3JlIHRoZSByZXNwZWN0aXZlPG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 IEpPU0UgZG9jdW1lbnRzIGFyZSBmaW5hbGl6ZWQuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAoMTUpIEFyZSB0aGVyZSBkb3dud2FyZCBu b3JtYXRpdmUgcmVmZXJlbmNlcyByZWZlcmVuY2VzIChzZWUgUkZDIDM5NjcpPzxvOnA+PC9vOnA+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyBJZiBzbywgbGlzdCB0aGVzZSBkb3dud2FyZCByZWZlcmVuY2VzIHRvIHN1cHBvcnQgdGhlIEFy ZWEgRGlyZWN0b3IgaW48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZn dDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgdGhlIExhc3QgQ2FsbCBwcm9jZWR1cmUuPG86cD48 L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBUaGUg ZG9jdW1lbnQgY29udGFpbnMgYSByZWZlcmVuY2UgdG88bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5U ZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IFtFQ01B U2NyaXB0XTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBFY21hIEludGVy bmF0aW9uYWwsICZxdW90O0VDTUFTY3JpcHQgTGFuZ3VhZ2UgU3BlY2lmaWNhdGlvbiw8bzpwPjwv bzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgNS4xIEVkaXRpb24mcXVvdDssIEVDTUEg MjYyLCBKdW5lIDIwMTEuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4m Z3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyB3aGljaCBtaWdodCByZXF1aXJlIGEgZG93bnJlZi48bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBj bGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IFJGQyA2NzU1 IGlzIGFsc28gYSBkb3ducmVmLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86 cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7ICgxNikgV2lsbCBwdWJsaWNhdGlvbiBvZiB0aGlzIGRvY3VtZW50IGNoYW5nZSB0 aGUgc3RhdHVzIG9mIGFueSBleGlzdGluZzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBSRkNzPyBBcmUgdGhvc2UgUkZD cyBsaXN0ZWQgb24gdGhlIHRpdGxlIHBhZ2UgaGVhZGVyLCBsaXN0ZWQgaW4gdGhlPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IGFic3RyYWN0LCBhbmQgZGlzY3Vzc2VkIGluIHRoZSBpbnRyb2R1Y3Rpb24/IElmIHRoZSBS RkNzIGFyZSBub3QgbGlzdGVkPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGluIHRoZSBBYnN0cmFjdCBhbmQgSW50cm9k dWN0aW9uLCBleHBsYWluIHdoeSwgYW5kIHBvaW50IHRvIHRoZSBwYXJ0IG9mPG86cD48L286cD48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 IHRoZSBkb2N1bWVudCB3aGVyZSB0aGUgcmVsYXRpb25zaGlwIG9mIHRoaXMgZG9jdW1lbnQgdG8g dGhlIG90aGVyIFJGQ3M8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZn dDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgaXMgZGlzY3Vzc2VkLiBJZiB0aGlzIGluZm9ybWF0 aW9uIGlzIG5vdCBpbiB0aGUgZG9jdW1lbnQsIGV4cGxhaW4gd2h5PG86cD48L286cD48L3A+DQo8 cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHRoZSBX RyBjb25zaWRlcnMgaXQgdW5uZWNlc3NhcnkuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNv UGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBUaGUgcHVibGljYXRpb24gb2YgdGhpcyBkb2N1 bWVudCBkb2VzIG5vdCBjaGFuZ2UgdGhlIHN0YXR1cyBvZiBvdGhlcjxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBSRkNz LjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsgKDE3KSBEZXNjcmliZSB0aGUgRG9jdW1lbnQgU2hlcGhlcmQncyByZXZpZXcgb2YgdGhlIElB TkEgY29uc2lkZXJhdGlvbnM8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgc2VjdGlvbiwgZXNwZWNpYWxseSB3aXRoIHJl Z2FyZCB0byBpdHMgY29uc2lzdGVuY3kgd2l0aCB0aGUgYm9keSBvZiB0aGU8bzpwPjwvbzpwPjwv cD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsg ZG9jdW1lbnQuIENvbmZpcm0gdGhhdCBhbGwgcHJvdG9jb2wgZXh0ZW5zaW9ucyB0aGF0IHRoZSBk b2N1bWVudCBtYWtlczxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0 OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBhcmUgYXNzb2NpYXRlZCB3aXRoIHRoZSBhcHByb3By aWF0ZSByZXNlcnZhdGlvbnMgaW4gSUFOQSByZWdpc3RyaWVzLjxvOnA+PC9vOnA+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBDb25maXJt IHRoYXQgYW55IHJlZmVyZW5jZWQgSUFOQSByZWdpc3RyaWVzIGhhdmUgYmVlbiBjbGVhcmx5PG86 cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7IGlkZW50aWZpZWQuIENvbmZpcm0gdGhhdCBuZXdseSBjcmVhdGVkIElBTkEgcmVn aXN0cmllcyBpbmNsdWRlIGE8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQi PiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgZGV0YWlsZWQgc3BlY2lmaWNhdGlvbiBvZiB0 aGUgaW5pdGlhbCBjb250ZW50cyBmb3IgdGhlIHJlZ2lzdHJ5LCB0aGF0PG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGFs bG9jYXRpb25zIHByb2NlZHVyZXMgZm9yIGZ1dHVyZSByZWdpc3RyYXRpb25zIGFyZSBkZWZpbmVk LCBhbmQgYTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyByZWFzb25hYmxlIG5hbWUgZm9yIHRoZSBuZXcgcmVnaXN0cnkg aGFzIGJlZW4gc3VnZ2VzdGVkIChzZWUgUkZDIDUyMjYpLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp blRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgVGhlIGRvY3VtZW50IGNyZWF0ZXMg YSBuZXcgcmVnaXN0cnkgZm9yIEpXVCBjbGFpbXMgYW5kIHBvcHVsYXRlcyB0aGlzPG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7IHJlZ2lzdHJ5IHdpdGggdmFsdWVzLjxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBJdCBhbHNvIHJlZ2lzdGVycyB2 YWx1ZXMgaW50byB0d28gZXhpc3RpbmcgcmVnaXN0cmllcywgbmFtZWx5IGludG88bzpwPjwvbzpw PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsgKiB0aGUgUkZDIDY3NTUgY3JlYXRlZCBPQXV0aCBVUk4gcmVnaXN0cnksIGFuZDxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyAqIHRoZSBtZWRpYSB0eXBlIHJlZ2lzdHJ5PG86cD48L286cD48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAoMTgpIExpc3QgYW55 IG5ldyBJQU5BIHJlZ2lzdHJpZXMgdGhhdCByZXF1aXJlIEV4cGVydCBSZXZpZXcgZm9yIGZ1dHVy ZTxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyBhbGxvY2F0aW9ucy4gUHJvdmlkZSBhbnkgcHVibGljIGd1aWRhbmNlIHRo YXQgdGhlIElFU0cgd291bGQgZmluZCB1c2VmdWw8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgaW4gc2VsZWN0aW5nIHRo ZSBJQU5BIEV4cGVydHMgZm9yIHRoZXNlIG5ldyByZWdpc3RyaWVzLjxvOnA+PC9vOnA+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgVGhlIG5ld2x5IGNyZWF0 ZWQgSldUIGNsYWltcyByZWdpc3RyeSByZXF1aXJlcyBleHBlcnQgcmV2aWV3IGZvciBmdXR1cmU8 bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgYWxsb2NhdGlvbnMuIEd1aWRhbmNlIGlzIGdpdmVuIGluIHRoZSBkb2N1bWVu dC48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsgVGhlIGRvY3VtZW50IHNoZXBoZXJkIHZvbHVudGVlcnMgdG8gYmVjb21l IGFuIGV4cGVydCByZXZpZXcuPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyAoMTkpIERlc2NyaWJlIHJldmlld3MgYW5kIGF1dG9tYXRlZCBj aGVja3MgcGVyZm9ybWVkIGJ5IHRoZSBEb2N1bWVudDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBTaGVwaGVyZCB0byB2 YWxpZGF0ZSBzZWN0aW9ucyBvZiB0aGUgZG9jdW1lbnQgd3JpdHRlbiBpbiBhIGZvcm1hbDxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyBsYW5ndWFnZSwgc3VjaCBhcyBYTUwgY29kZSwgQk5GIHJ1bGVzLCBNSUIgZGVmaW5p dGlvbnMsIGV0Yy48bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsg PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij4mZ3Q7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7IFRoZXJlIGFyZSBleGFtcGxlcyBpbiB0aGUgZG9jdW1lbnQgdGhhdCB1c2Ug YSBKU09OLWJhc2VkIGVuY29kaW5nLiBUaGU8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Q bGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgZG9jdW1lbnQgc2hlcGhlcmQg aGFzIHJldmlld2VkIHRob3NlIGV4YW1wbGVzIGJ1dCBoYXMgbm90IHZlcmlmaWVkIHRoZTxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyBjb3JyZWN0bmVzcyBvZiB0aGUgY3J5cHRvZ3JhcGhpYyBvcGVyYXRpb25zLjxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij4mZ3Q7IDxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBfX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fXzxvOnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWlu VGV4dCI+Jmd0OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyBPQXV0aCBtYWlsaW5nIGxpc3Q8bzpw PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsgT0F1dGhAaWV0Zi5vcmcgJmx0O21haWx0bzpPQXV0aEBpZXRmLm9yZyZndDs8bzpw PjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsgaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aDxvOnA+ PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+Jmd0OyA8bzpwPjwvbzpwPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPiZndDsgPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9o dG1sPg0K --_000_4E1F6AAD24975D4BA5B16804296739439A194E11TK5EX14MBXC288r_-- From nobody Thu Apr 24 15:42:15 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1A771A0406 for ; Thu, 24 Apr 2014 15:42:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qS6d76O910op for ; Thu, 24 Apr 2014 15:42:07 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (dns-bn1lp0143.outbound.protection.outlook.com [207.46.163.143]) by ietfa.amsl.com (Postfix) with ESMTP id 77D7B1A03FD for ; Thu, 24 Apr 2014 15:42:07 -0700 (PDT) Received: from BL2PR03CA019.namprd03.prod.outlook.com (10.141.66.27) by BLUPR03MB018.namprd03.prod.outlook.com (10.255.208.40) with Microsoft SMTP Server (TLS) id 15.0.934.12; Thu, 24 Apr 2014 22:41:49 +0000 Received: from BL2FFO11FD006.protection.gbl (2a01:111:f400:7c09::183) by BL2PR03CA019.outlook.office365.com (2a01:111:e400:c1b::27) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Thu, 24 Apr 2014 22:41:49 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD006.mail.protection.outlook.com (10.173.161.2) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Thu, 24 Apr 2014 22:41:49 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.03.0174.002; Thu, 24 Apr 2014 22:41:16 +0000 From: Mike Jones To: Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up Thread-Index: AQHPXs/+AbcgNVUF5Euf8vKZ+xVfPZshXm/g Date: Thu, 24 Apr 2014 22:41:15 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <53577C73.2010201@gmx.net> In-Reply-To: <53577C73.2010201@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.36] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(377454003)(53754006)(13464003)(189002)(199002)(83072002)(46406003)(50466002)(15975445006)(92726001)(15202345003)(44976005)(99396002)(23726002)(19580395003)(55846006)(92566001)(76482001)(31966008)(6806004)(87936001)(2009001)(85852003)(2656002)(86362001)(81542001)(77982001)(79102001)(74662001)(50986999)(97756001)(80022001)(66066001)(46102001)(47776003)(4396001)(33656001)(83322001)(19580405001)(80976001)(84676001)(81342001)(20776003)(74502001)(97736001)(76176999)(86612001)(54356999); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB018; H:mail.microsoft.com; FPR:; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01917B1794 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/vvLab5CZDCNNmDYShsOp-Pf66kc Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 22:42:12 -0000 I am aware of these implementations: Microsoft Azure Active Directory: http://azure.microsoft.com/en-us/servic= es/active-directory/ Google Service Account: https://developers.google.com/accounts/docs/OAuth2= ServiceAccount I believe that Ping Identity and Salesforce also have implementations, but = I'll let Brian and Chuck authoritatively speak to those. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, April 23, 2014 1:40 AM To: oauth@ietf.org Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up Hi all, I am working on the shepherd writeup for the JWT bearer document. The sheph= erd write-ups for the assertion draft and the SAML bearer document have bee= n completed a while ago already, see http://www.ietf.org/mail-archive/web/o= auth/current/msg12410.html A few requests: - To the document authors: Please confirm that any and all appropriate IPR = disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. - To all: Are you aware of implementations of this specification? If so, I = would like to reference them in my write-up. - To all: Please also go through the text to make sure that I correctly ref= lect the history and the status of this document. Here is the most recent version of the write-up: https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/sh= epherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt (The copy-and-paste of the full version is below.) Ciao Hannes PS: Note that I have send a mail about a pending issue to the list. In resp= onse to my question I will update the write-up accordingly. ---- Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authenticati= on and Authorization Grants" (1) What type of RFC is being requested (BCP, Proposed Standard, Internet S= tandard, Informational, Experimental, or Historic)? Why is this the proper = type of RFC? Is this type of RFC indicated in the title page header? The RFC type is 'Standards Track' and the type is indicated in the title pa= ge. This document defines an instantiation for the OAuth assertion framewor= k using JSON Web Tokens. (2) The IESG approval announcement includes a Document Announcement Write-U= p. Please provide such a Document Announcement Write-Up. Recent examples ca= n be found in the "Action" announcements for approved documents. The approv= al announcement contains the following sections: Technical Summary: This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. Working Group Summary: Was there anything in WG process that is worth noting? For example, was the= re controversy about particular points or were there decisions where the co= nsensus was particularly rough? This document belongs to the OAuth assertion document bundle consisting of = the abstract OAuth assertion framework, and the SAML assertion profile. Due= to the use of the JSON-based encoding of the assertion it also relies on t= he work in the JOSE working group (such as JWE/JWS) indirectly through the = use of the JWT. This document has intentionally been kept in sync with the = SAML-based version. Document Quality: This document has gone through many iterations and has received substantial= feedback. [[Add implementation list here.]] Personnel: The document shepherd is Hannes Tschofenig and the responsible area directo= r is Kathleen Moriarty. (3) Briefly describe the review of this document that was performed by the = Document Shepherd. If this version of the document is not ready for publica= tion, please explain why the document is being forwarded to the IESG. The draft authors believe that this document is ready for publication. The document has had received review comments from working group members, a= nd from the OAuth working group chairs. These review comments have been tak= en into account. (4) Does the document Shepherd have any concerns about the depth or breadth= of the reviews that have been performed? This document has gotten feedback from the working group and given the focu= sed use cases it has received adequate review. (5) Do portions of the document need review from a particular or from broad= er perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML= , or internationalization? If so, describe the review that took place. Since the OAuth working group develops security protocols any feedback from= the security community is always appreciated. (6) Describe any specific concerns or issues that the Document Shepherd has= with this document that the Responsible Area Director and/or the IESG shou= ld be aware of? For example, perhaps he or she is uncomfortable with certai= n parts of the document, or has concerns whether there really is a need for= it. In any event, if the WG has discussed those issues and has indicated t= hat it still wishes to advance the document, detail those concerns here. The shepherd has no concerns with this document. (7) Has each author confirmed that any and all appropriate IPR disclosures = required for full conformance with the provisions of BCP 78 and BCP 79 have= already been filed. If not, explain why? [[Confirmation from the authors required.]] (8) Has an IPR disclosure been filed that references this document? If so, = summarize any WG discussion and conclusion regarding the IPR disclosures. No IPR disclosures have been filed on this document. However, two IPRs have= been filed for the JWT specification this document relies on, see http://d= atatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraft-ietf-oa= uth-json-web-token (9) How solid is the WG consensus behind this document? Does it represent t= he strong concurrence of a few individuals, with others being silent, or do= es the WG as a whole understand and agree with it? The working group has consensus to publish this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discont= ent? If so, please summarise the areas of conflict in separate email messag= es to the Responsible Area Director. (It should be in a separate email beca= use this questionnaire is publicly available.) No appeal or extreme discontent has been raised. (11) Identify any ID nits the Document Shepherd has found in this document.= (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).= Boilerplate checks are not enough; this check needs to be thorough. The shepherd has checked the nits. (12) Describe how the document meets any required formal review criteria, s= uch as the MIB Doctor, media type, and URI type reviews. There is no such review necessary. (13) Have all references within this document been identified as either nor= mative or informative? Yes. (14) Are there normative references to documents that are not ready for adv= ancement or are otherwise in an unclear state? If such normative references= exist, what is the plan for their completion? Yes. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the L= ast Call procedure. RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational RFC.= A downref is required. However, this document depends on the completion of the abstract OAuth asse= rtion framework and on the JWT specification. There are the following dependencies: (16) Will publication of this document change the status of any existing RF= Cs? Are those RFCs listed on the title page header, listed in the abstract,= and discussed in the introduction? If the RFCs are not listed in the Abstr= act and Introduction, explain why, and point to the part of the document wh= ere the relationship of this document to the other RFCs is discussed. If th= is information is not in the document, explain why the WG considers it unne= cessary. The publication of this document does not change the status of other RFCs. (17) Describe the Document Shepherd's review of the IANA considerations sec= tion, especially with regard to its consistency with the body of the docume= nt. Confirm that all protocol extensions that the document makes are associ= ated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. C= onfirm that newly created IANA registries include a detailed specification = of the initial contents for the registry, that allocations procedures for f= uture registrations are defined, and a reasonable name for the new registry= has been suggested (see RFC 5226). The document registers two sub-namespaces to the urn:ietf:params:oauth URN = established with RFC 6755. (18) List any new IANA registries that require Expert Review for future all= ocations. Provide any public guidance that the IESG would find useful in se= lecting the IANA Experts for these new registries. The document only adds entries to existing registries and does not define a= ny new registries. (19) Describe reviews and automated checks performed by the Document Shephe= rd to validate sections of the document written in a formal language, such = as XML code, BNF rules, MIB definitions, etc. There are only snippets of message exchanges and JWT assertion structures, = which are based on JSON, used in the examples. There is no pseudo code cont= ained in the document that requires validation. From nobody Thu Apr 24 15:50:58 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 095521A040D for ; Thu, 24 Apr 2014 15:50:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5c8zMThb8xiS for ; Thu, 24 Apr 2014 15:50:48 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0145.outbound.protection.outlook.com [207.46.163.145]) by ietfa.amsl.com (Postfix) with ESMTP id A7DBD1A0413 for ; Thu, 24 Apr 2014 15:50:47 -0700 (PDT) Received: from CH1PR03CA006.namprd03.prod.outlook.com (10.255.156.151) by BLUPR03MB549.namprd03.prod.outlook.com (10.141.76.17) with Microsoft SMTP Server (TLS) id 15.0.921.12; Thu, 24 Apr 2014 22:50:40 +0000 Received: from BN1AFFO11FD009.protection.gbl (10.255.156.132) by CH1PR03CA006.outlook.office365.com (10.255.156.151) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Thu, 24 Apr 2014 22:50:39 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD009.mail.protection.outlook.com (10.58.52.69) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Thu, 24 Apr 2014 22:50:39 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0174.002; Thu, 24 Apr 2014 22:50:06 +0000 From: Mike Jones To: Hannes Tschofenig , "oauth@ietf.org" Thread-Topic: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up Thread-Index: AQHPXs/+AbcgNVUF5Euf8vKZ+xVfPZshX7jQ Date: Thu, 24 Apr 2014 22:50:06 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A194E8B@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <53577C73.2010201@gmx.net> In-Reply-To: <53577C73.2010201@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.36] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A194E8BTK5EX14MBXC288r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(377454003)(52604005)(13464003)(53754006)(189002)(199002)(77982001)(81342001)(76176999)(512954002)(71186001)(2009001)(80022001)(44976005)(83322001)(66066001)(19580395003)(55846006)(86362001)(81542001)(19580405001)(99396002)(15975445006)(46102001)(20776003)(86612001)(79102001)(97736001)(31966008)(33656001)(74502001)(2656002)(80976001)(54356999)(19300405004)(74662001)(92726001)(6806004)(83072002)(84676001)(15202345003)(4396001)(50986999)(76482001)(92566001)(84326002)(85852003)(87936001)(16236675002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB549; H:mail.microsoft.com; FPR:C608F5CE.9ED2D381.B1D37BB7.42E8C881.20740; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01917B1794 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/r86tPpyEnLoj2rpYVqE3XDlyXSg Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 22:50:55 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A194E8BTK5EX14MBXC288r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Thanks for doing the write-up, Hannes. I would suggest that the following = changes be made in the write-up: Change "This document belongs to the OAuth assertion document bundle consis= ting of the abstract OAuth assertion framework, and the SAML assertion prof= ile" to "This document belongs to the OAuth assertion document bundle consi= sting of the abstract OAuth assertion framework, the SAML assertion profile= , and the JWT assertion profile (this document)". (See my previous note with the implementation list that I am aware of, incl= uding Microsoft, Google, Ping Identity, and Salesforce.) I would change "The draft authors believe that this document is ready for p= ublication" to "The document is ready for publication". Those are all the potential changes that I identified. Thanks for moving t= his forward. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, April 23, 2014 1:40 AM To: oauth@ietf.org Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up Hi all, I am working on the shepherd writeup for the JWT bearer document. The sheph= erd write-ups for the assertion draft and the SAML bearer document have bee= n completed a while ago already, see http://www.ietf.org/mail-archive/web/o= auth/current/msg12410.html A few requests: - To the document authors: Please confirm that any and all appropriate IPR = disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. - To all: Are you aware of implementations of this specification? If so, I = would like to reference them in my write-up. - To all: Please also go through the text to make sure that I correctly ref= lect the history and the status of this document. Here is the most recent version of the write-up: https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/sh= epherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt (The copy-and-paste of the full version is below.) Ciao Hannes PS: Note that I have send a mail about a pending issue to the list. In resp= onse to my question I will update the write-up accordingly. ---- Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authenticati= on and Authorization Grants" (1) What type of RFC is being requested (BCP, Proposed Standard, Internet S= tandard, Informational, Experimental, or Historic)? Why is this the proper = type of RFC? Is this type of RFC indicated in the title page header? The RFC type is 'Standards Track' and the type is indicated in the title pa= ge. This document defines an instantiation for the OAuth assertion framewor= k using JSON Web Tokens. (2) The IESG approval announcement includes a Document Announcement Write-U= p. Please provide such a Document Announcement Write-Up. Recent examples ca= n be found in the "Action" announcements for approved documents. The approv= al announcement contains the following sections: Technical Summary: This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. Working Group Summary: Was there anything in WG process that is worth noting? For example, was the= re controversy about particular points or were there decisions where the co= nsensus was particularly rough? This document belongs to the OAuth assertion document bundle consisting of = the abstract OAuth assertion framework, and the SAML assertion profile. Due= to the use of the JSON-based encoding of the assertion it also relies on t= he work in the JOSE working group (such as JWE/JWS) indirectly through the = use of the JWT. This document has intentionally been kept in sync with the = SAML-based version. Document Quality: This document has gone through many iterations and has received substantial= feedback. [[Add implementation list here.]] Personnel: The document shepherd is Hannes Tschofenig and the responsible area directo= r is Kathleen Moriarty. (3) Briefly describe the review of this document that was performed by the = Document Shepherd. If this version of the document is not ready for publica= tion, please explain why the document is being forwarded to the IESG. The draft authors believe that this document is ready for publication. The document has had received review comments from working group members, a= nd from the OAuth working group chairs. These review comments have been tak= en into account. (4) Does the document Shepherd have any concerns about the depth or breadth= of the reviews that have been performed? This document has gotten feedback from the working group and given the focu= sed use cases it has received adequate review. (5) Do portions of the document need review from a particular or from broad= er perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML= , or internationalization? If so, describe the review that took place. Since the OAuth working group develops security protocols any feedback from= the security community is always appreciated. (6) Describe any specific concerns or issues that the Document Shepherd has= with this document that the Responsible Area Director and/or the IESG shou= ld be aware of? For example, perhaps he or she is uncomfortable with certai= n parts of the document, or has concerns whether there really is a need for= it. In any event, if the WG has discussed those issues and has indicated t= hat it still wishes to advance the document, detail those concerns here. The shepherd has no concerns with this document. (7) Has each author confirmed that any and all appropriate IPR disclosures = required for full conformance with the provisions of BCP 78 and BCP 79 have= already been filed. If not, explain why? [[Confirmation from the authors required.]] (8) Has an IPR disclosure been filed that references this document? If so, = summarize any WG discussion and conclusion regarding the IPR disclosures. No IPR disclosures have been filed on this document. However, two IPRs have= been filed for the JWT specification this document relies on, see http://d= atatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraft-ietf-oa= uth-json-web-token (9) How solid is the WG consensus behind this document? Does it represent t= he strong concurrence of a few individuals, with others being silent, or do= es the WG as a whole understand and agree with it? The working group has consensus to publish this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discont= ent? If so, please summarise the areas of conflict in separate email messag= es to the Responsible Area Director. (It should be in a separate email beca= use this questionnaire is publicly available.) No appeal or extreme discontent has been raised. (11) Identify any ID nits the Document Shepherd has found in this document.= (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).= Boilerplate checks are not enough; this check needs to be thorough. The shepherd has checked the nits. (12) Describe how the document meets any required formal review criteria, s= uch as the MIB Doctor, media type, and URI type reviews. There is no such review necessary. (13) Have all references within this document been identified as either nor= mative or informative? Yes. (14) Are there normative references to documents that are not ready for adv= ancement or are otherwise in an unclear state? If such normative references= exist, what is the plan for their completion? Yes. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the L= ast Call procedure. RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational RFC.= A downref is required. However, this document depends on the completion of the abstract OAuth asse= rtion framework and on the JWT specification. There are the following dependencies: (16) Will publication of this document change the status of any existing RF= Cs? Are those RFCs listed on the title page header, listed in the abstract,= and discussed in the introduction? If the RFCs are not listed in the Abstr= act and Introduction, explain why, and point to the part of the document wh= ere the relationship of this document to the other RFCs is discussed. If th= is information is not in the document, explain why the WG considers it unne= cessary. The publication of this document does not change the status of other RFCs. (17) Describe the Document Shepherd's review of the IANA considerations sec= tion, especially with regard to its consistency with the body of the docume= nt. Confirm that all protocol extensions that the document makes are associ= ated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. C= onfirm that newly created IANA registries include a detailed specification = of the initial contents for the registry, that allocations procedures for f= uture registrations are defined, and a reasonable name for the new registry= has been suggested (see RFC 5226). The document registers two sub-namespaces to the urn:ietf:params:oauth URN = established with RFC 6755. (18) List any new IANA registries that require Expert Review for future all= ocations. Provide any public guidance that the IESG would find useful in se= lecting the IANA Experts for these new registries. The document only adds entries to existing registries and does not define a= ny new registries. (19) Describe reviews and automated checks performed by the Document Shephe= rd to validate sections of the document written in a formal language, such = as XML code, BNF rules, MIB definitions, etc. There are only snippets of message exchanges and JWT assertion structures, = which are based on JSON, used in the examples. There is no pseudo code cont= ained in the document that requires validation. --_000_4E1F6AAD24975D4BA5B16804296739439A194E8BTK5EX14MBXC288r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Thanks for doing the write-up, Hannes.  I wo= uld suggest that the following changes be made in the write-up:<= /p>

 

Change “This document belongs to the OAuth = assertion document bundle consisting of the abstract OAuth assertion framew= ork, and the SAML assertion profile” to “This document belongs = to the OAuth assertion document bundle consisting of the abstract OAuth assertion framework, the SAML assertion profile, and th= e JWT assertion profile (this document)”.

 

(See my previous note with the implementation lis= t that I am aware of, including Microsoft, Google, Ping Identity, and Sales= force.)

 

I would change “The draft authors believe t= hat this document is ready for publication” to “The document is= ready for publication”.

 

Those are all the potential changes that I identi= fied.  Thanks for moving this forward.

 

        &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp; -- Mike

 

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig<= br> Sent: Wednesday, April 23, 2014 1:40 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up

 

Hi all,

 

I am working on the shepherd writeup for the JWT = bearer document. The shepherd write-ups for the assertion draft and the SAM= L bearer document have been completed a while ago already, see http://www.ietf.org= /mail-archive/web/oauth/current/msg12410.html

 

A few requests:

 

- To the document authors: Please confirm that an= y and all appropriate IPR disclosures required for full conformance with th= e provisions of BCP

78 and BCP 79 have already been filed.=

 

- To all: Are you aware of implementations of thi= s specification? If so, I would like to reference them in my write-up.=

 

- To all: Please also go through the text to make= sure that I correctly reflect the history and the status of this document.=

 

Here is the most recent version of the write-up:<= o:p>

ht= tps://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shep= herd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt=

 

 

(The copy-and-paste of the full version is below.= )

 

Ciao

Hannes

 

PS: Note that I have send a mail about a pending = issue to the list. In response to my question I will update the write-up ac= cordingly.

 

----

 

Writeup for "JSON Web Token (JWT) Profile fo= r OAuth 2.0 Client Authentication and Authorization Grants" <draft-= ietf-oauth-saml2-bearer-08>

 

(1) What type of RFC is being requested (BCP, Pro= posed Standard, Internet Standard, Informational, Experimental, or Historic= )? Why is this the proper type of RFC? Is this type of RFC indicated in the= title page header?

 

The RFC type is 'Standards Track' and the type is= indicated in the title page. This document defines an instantiation for th= e OAuth assertion framework using JSON Web Tokens.

 

(2) The IESG approval announcement includes a Doc= ument Announcement Write-Up. Please provide such a Document Announcement Wr= ite-Up. Recent examples can be found in the "Action" announcement= s for approved documents. The approval announcement contains the following sections:

 

Technical Summary:

 

   This specification defines the use o= f a JSON Web Token (JWT) Bearer

   Token as a means for requesting an O= Auth 2.0 access token as well as

   for use as a means of client authent= ication.

 

Working Group Summary:

 

Was there anything in WG process that is worth no= ting? For example, was there controversy about particular points or were th= ere decisions where the consensus was particularly rough?

 

This document belongs to the OAuth assertion docu= ment bundle consisting of the abstract OAuth assertion framework, and the S= AML assertion profile. Due to the use of the JSON-based encoding of the ass= ertion it also relies on the work in the JOSE working group (such as JWE/JWS) indirectly through the use of = the JWT. This document has intentionally been kept in sync with the SAML-ba= sed version.

 

Document Quality:

 

This document has gone through many iterations an= d has received substantial feedback.

 

[[Add implementation list here.]]

 

Personnel:

 

The document shepherd is Hannes Tschofenig and th= e responsible area director is Kathleen Moriarty.

 

(3) Briefly describe the review of this document = that was performed by the Document Shepherd. If this version of the documen= t is not ready for publication, please explain why the document is being fo= rwarded to the IESG.

 

The draft authors believe that this document is r= eady for publication.

The document has had received review comments fro= m working group members, and from the OAuth working group chairs. These rev= iew comments have been taken into account.

 

(4) Does the document Shepherd have any concerns = about the depth or breadth of the reviews that have been performed?

 

This document has gotten feedback from the workin= g group and given the focused use cases it has received adequate review.

 

(5) Do portions of the document need review from = a particular or from broader perspective, e.g., security, operational compl= exity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the re= view that took place.

 

Since the OAuth working group develops security p= rotocols any feedback from the security community is always appreciated.

 

(6) Describe any specific concerns or issues that= the Document Shepherd has with this document that the Responsible Area Dir= ector and/or the IESG should be aware of? For example, perhaps he or she is= uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In= any event, if the WG has discussed those issues and has indicated that it = still wishes to advance the document, detail those concerns here.

 

The shepherd has no concerns with this document.<= o:p>

 

(7) Has each author confirmed that any and all ap= propriate IPR disclosures required for full conformance with the provisions= of BCP 78 and BCP 79 have already been filed. If not, explain why?

 

[[Confirmation from the authors required.]]<= /o:p>

 

(8) Has an IPR disclosure been filed that referen= ces this document? If so, summarize any WG discussion and conclusion regard= ing the IPR disclosures.

 

No IPR disclosures have been filed on this docume= nt. However, two IPRs have been filed for the JWT specification this docume= nt relies on, see http://datatracker.ie= tf.org/ipr/search/?option=3Ddocument_search&id=3Ddraft-ietf-oauth-json-= web-token

 

 

(9) How solid is the WG consensus behind this doc= ument? Does it represent the strong concurrence of a few individuals, with = others being silent, or does the WG as a whole understand and agree with it= ?

 

The working group has consensus to publish this d= ocument.

 

(10) Has anyone threatened an appeal or otherwise= indicated extreme discontent? If so, please summarise the areas of conflic= t in separate email messages to the Responsible Area Director. (It should b= e in a separate email because this questionnaire is publicly available.)

 

No appeal or extreme discontent has been raised.<= o:p>

 

(11) Identify any ID nits the Document Shepherd h= as found in this document. (See http://www.ietf.org/tools/idnits/ and t= he Internet-Drafts Checklist). Boilerplate checks are not enough; this chec= k needs to be thorough.

 

The shepherd has checked the nits.

 

(12) Describe how the document meets any required= formal review criteria, such as the MIB Doctor, media type, and URI type r= eviews.

 

There is no such review necessary.

 

(13) Have all references within this document bee= n identified as either normative or informative?

 

Yes.

 

(14) Are there normative references to documents = that are not ready for advancement or are otherwise in an unclear state? If= such normative references exist, what is the plan for their completion?

 

Yes.

 

(15) Are there downward normative references refe= rences (see RFC 3967)?

If so, list these downward references to support = the Area Director in the Last Call procedure.

 

RFC 6755 defines the urn:ietf:params:oauth URN an= d is an Informational RFC. A downref is required.

 

However, this document depends on the completion = of the abstract OAuth assertion framework and on the JWT specification.

There are the following dependencies:<= /p>

 

(16) Will publication of this document change the= status of any existing RFCs? Are those RFCs listed on the title page heade= r, listed in the abstract, and discussed in the introduction? If the RFCs a= re not listed in the Abstract and Introduction, explain why, and point to the part of the document where the= relationship of this document to the other RFCs is discussed. If this info= rmation is not in the document, explain why the WG considers it unnecessary= .

 

The publication of this document does not change = the status of other RFCs.

 

(17) Describe the Document Shepherd's review of t= he IANA considerations section, especially with regard to its consistency w= ith the body of the document. Confirm that all protocol extensions that the= document makes are associated with the appropriate reservations in IANA registries.

Confirm that any referenced IANA registries have = been clearly identified. Confirm that newly created IANA registries include= a detailed specification of the initial contents for the registry, that al= locations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested= (see RFC 5226).

 

The document registers two sub-namespaces to the = urn:ietf:params:oauth URN established with RFC 6755.

 

(18) List any new IANA registries that require Ex= pert Review for future allocations. Provide any public guidance that the IE= SG would find useful in selecting the IANA Experts for these new registries= .

 

The document only adds entries to existing regist= ries and does not define any new registries.

 

(19) Describe reviews and automated checks perfor= med by the Document Shepherd to validate sections of the document written i= n a formal language, such as XML code, BNF rules, MIB definitions, etc.

 

There are only snippets of message exchanges and = JWT assertion structures, which are based on JSON, used in the examples. Th= ere is no pseudo code contained in the document that requires validation.

 

 

 

--_000_4E1F6AAD24975D4BA5B16804296739439A194E8BTK5EX14MBXC288r_-- From nobody Thu Apr 24 16:06:09 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 203601A041D for ; Thu, 24 Apr 2014 16:06:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g-UVxNbgoGeS for ; Thu, 24 Apr 2014 16:05:58 -0700 (PDT) Received: from mail-qg0-f49.google.com (mail-qg0-f49.google.com [209.85.192.49]) by ietfa.amsl.com (Postfix) with ESMTP id 985671A041C for ; Thu, 24 Apr 2014 16:05:57 -0700 (PDT) Received: by mail-qg0-f49.google.com with SMTP id j5so3245820qga.22 for ; Thu, 24 Apr 2014 16:05:50 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=rSRmzp+h2u6KKg7uiqeS/Lim442pKreut6X+1QQAXzI=; b=TEYZx5yZrfX8KoP+Q0IJQMHiQYEXbxxH+hsOCzp9SaqPruRCyYYikmvGgRi2hSzMW0 T4UbEdzoRCZaq8XShapjNfUWIJZsBQR42A36H9L2Fg2PHLjA9qY0sNkC7EfrBmeC6M0v RCsJY4mCuKB91XXqNmi3XePG+0pAKyEUUrLLYb4WYpZ/+q+cpeLV0g/rgNTz4CGWG6QX UUbATrxGE+11sO8dP5iRKr6+UJZXKaS4aj9V3oLwZPRt+DcBRzWAaF7QxYa0H0/aMRcR ktTuxolFu263vYLZg94/V3FMpnFxhu6EkF7Zd0blHpCzqhRA2MVA9z+W80PQAXb0/ufn 6Bzg== X-Gm-Message-State: ALoCoQmEFWJBlW1HLPr4gaWj8W0EPe3YTEzDixaJEBYe9vxfgn0oBn4Siy4m0kqyZKHJ5290K+16 X-Received: by 10.140.104.103 with SMTP id z94mr6491960qge.91.1398380750776; Thu, 24 Apr 2014 16:05:50 -0700 (PDT) Received: from [192.168.0.200] ([201.188.30.118]) by mx.google.com with ESMTPSA id z6sm10591528qal.6.2014.04.24.16.05.44 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 24 Apr 2014 16:05:50 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_0E7B59CF-B4EC-4D51-9B97-376EBBF89DDA" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A194E11@TK5EX14MBXC288.redmond.corp.microsoft.com> Date: Thu, 24 Apr 2014 20:05:38 -0300 Message-Id: References: <5357AA4C.8080707@gmx.net> <5358B907.3030905@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E11@TK5EX14MBXC288.redmond.corp.microsoft.com> To: Michael Jones X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/E4mKpKNxiIViTjG1Cd64mqM8fZY Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 23:06:04 -0000 --Apple-Mail=_0E7B59CF-B4EC-4D51-9B97-376EBBF89DDA Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 I have no IPR to disclose. Ping supports JWT in a number of products. As access tokens and as = Connect Id_tokens in Ping Federate and Ping Access. OAuth access tokens may only account for 50% of the usage of JWT. In OAuth itself they are used in the JWT assertion flow and increasing = interest in that. John B. On Apr 24, 2014, at 7:32 PM, Mike Jones = wrote: > Thanks for doing this, Hannes. I would suggest making the following = changes... > =20 > Change =93It allows OAuth deployments to use a standardized access = token format, which increases interoperability of OAuth-based = deployments=94 to =93It defines a standard JSON-based security token = format, increasing interoperability both among OAuth deployments using = it and in other application contexts as well=94. > =20 > I would change http://openid.net/developers/libraries/ to = http://openid.net/developers/libraries/#jwt (adding the #jwt target = within the page). > =20 > I would change =93The draft authors believe that this document is = ready for publication=94 to =93The document is ready for publication=94. > =20 > I would change the answer to (15) to say nothing about ECMAScript, = since it is not a downref, and to only say =93RFC 6755 is a downref, = since 6755 is informational.=94 > =20 > I would change =93The document shepherd volunteers to become an expert = review=94 to the following: > =20 > The document shepherd and the author Michael Jones both volunteer to = become expert reviewers. Note that the document recommends that = multiple expert reviewers be appointed, with the following text (which = also appears in the JOSE documents): > =20 > It is suggested that multiple Designated Experts be appointed who = are > able to represent the perspectives of different applications using > this specification, in order to enable broadly-informed review of > registration decisions. In cases where a registration decision = could > be perceived as creating a conflict of interest for a particular > Expert, that Expert should defer to the judgment of the other > Expert(s). > =20 > I would change =93The document shepherd has reviewed those examples = but has not verified the correctness of the cryptographic operations=94 = to =93The document shepherd has reviewed those examples but has not = verified the correctness of the cryptographic operations, however Brian = Campbell has done so=94. > =20 > Thanks again for moving this forward! > =20 > -- Mike > =20 > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes = Tschofenig > Sent: Thursday, April 24, 2014 12:11 AM > To: Brian Campbell > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd = Write-up > =20 > Thanks, Brian. I will add this aspect to the write-up. > =20 > On 04/24/2014 12:46 AM, Brian Campbell wrote: > > While OAuth access tokens are a valuable application of JWT, might = it > > also be worthwhile to mention that JWT can and will be useful in = other > > contexts? Connect's ID Token is one such example: > > http://openid.net/specs/openid-connect-core-1_0.html#IDToken > > > > > > On Wed, Apr 23, 2014 at 5:55 AM, Hannes Tschofenig > > > = wrote: > > > > Hi all, > > > > I am working on the shepherd writeup for the JWT. Here are a few > > questions: > > > > - To the document authors: Please confirm that any and all = appropriate > > IPR disclosures required for full conformance with the = provisions of BCP > > 78 and BCP 79 have already been filed. > > > > - To all: I have included various pointers to implementations in = the > > write-up. Maybe there are others that should be included. If so, = please > > let me know. > > > > - To all: Please also go through the text to make sure that I = correctly > > reflect the history and the status of this document. > > > > Here is the latest version of the write-up: > > =20 > > = https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/mast > > er/shepherd-writeups/Writeup_OAuth_JWT.txt > > > > Ciao > > Hannes > > > > PS: Here is the copy-and-paste text: > > > > -------- > > > > Writeup for "JSON Web Token (JWT)" > > > > > > (1) What type of RFC is being requested (BCP, Proposed Standard, > > Internet Standard, Informational, Experimental, or Historic)? = Why is > > this the proper type of RFC? Is this type of RFC indicated in = the title > > page header? > > > > The RFC type is 'Standards Track' and the type is indicated in = the title > > page. This document defines the syntax and semantic of = information > > elements. > > > > (2) The IESG approval announcement includes a Document = Announcement > > Write-Up. Please provide such a Document Announcement Write-Up. = Recent > > examples can be found in the "Action" announcements for approved > > documents. The approval announcement contains the following = sections: > > > > Technical Summary: > > > > JSON Web Token (JWT) is a compact URL-safe means of = representing > > claims to be transferred between two parties. The claims in = a JWT > > are encoded as a JavaScript Object Notation (JSON) object = that is > > used as the payload of a JSON Web Signature (JWS) structure = or as the > > plaintext of a JSON Web Encryption (JWE) structure, enabling = the > > claims to be digitally signed or MACed and/or encrypted. > > > > Working Group Summary: > > > > Was there anything in WG process that is worth noting? For = example, was > > there controversy about particular points or were there = decisions where > > the consensus was particularly rough? > > > > This document was uncontroversial. It allows OAuth deployments = to use a > > standardized access token format, which increases = interoperability of > > OAuth-based deployments. > > > > Document Quality: > > > > This document has gone through many iterations and has received > > substantial feedback. > > > > A substantial number of implementations exist, as documented at > > http://openid.net/developers/libraries/ > > (scrowl down to the 'JWT/JWS/JWE/JWK/JWA Implementations' = section) > > > > An Excel document providing additional details can be found = here: > > =20 > > = http://www.oauth-v2.org/wp-content/uploads/2014/04/JWT-Implementations > > .xlsx > > > > Personnel: > > > > The document shepherd is Hannes Tschofenig and the responsible = area > > director is Kathleen Moriarty. > > > > (3) Briefly describe the review of this document that was = performed by > > the Document Shepherd. If this version of the document is not = ready for > > publication, please explain why the document is being forwarded = to > > the IESG. > > > > The draft authors believe that this document is ready for = publication. > > The document has received review comments from working group = members, > > and from the OAuth working group chairs. Implementations exist = and they > > have tested for interoperability as part of the OpenID Connect = interop > > events. > > > > (4) Does the document Shepherd have any concerns about the depth = or > > breadth of the reviews that have been performed? > > > > This document has gotten enough feedback from the working group. > > > > (5) Do portions of the document need review from a particular or = from > > broader perspective, e.g., security, operational complexity, = AAA, DNS, > > DHCP, XML, or internationalization? If so, describe the review = that took > > place. > > > > Since the OAuth working group develops security protocols any = feedback > > from the security community is always appreciated. > > The JWT document heavily depends on the work in the JOSE working = group > > since it re-uses the JWE and the JWS specifications. > > > > (6) Describe any specific concerns or issues that the Document = Shepherd > > has with this document that the Responsible Area Director and/or = the > > IESG should be aware of? For example, perhaps he or she is = uncomfortable > > with certain parts of the document, or has concerns whether = there really > > is a need for it. In any event, if the WG has discussed those = issues and > > has indicated that it still wishes to advance the document, = detail those > > concerns here. > > > > The shepherd has no concerns with this document. > > > > (7) Has each author confirmed that any and all appropriate IPR > > disclosures required for full conformance with the provisions of = BCP 78 > > and BCP 79 have already been filed. If not, explain why? > > > > [[Confirmation from the authors required.]] > > > > (8) Has an IPR disclosure been filed that references this = document? If > > so, summarize any WG discussion and conclusion regarding the IPR > > disclosures. > > > > Two IPRs have been filed for the JWT specification this document = relies > > on, see > > =20 > > = http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraf= > > t-ietf-oauth-json-web-token > > > > > > There was no discussion regarding those two IPRs on the mailing = list. > > > > (9) How solid is the WG consensus behind this document? Does it > > represent the strong concurrence of a few individuals, with = others being > > silent, or does the WG as a whole understand and agree with it? > > > > The working group has consensus to publish this document. > > > > (10) Has anyone threatened an appeal or otherwise indicated = extreme > > discontent? If so, please summarise the areas of conflict in = separate > > email messages to the Responsible Area Director. (It should be = in a > > separate email because this questionnaire is publicly = available.) > > > > No appeal or extreme discontent has been raised. > > > > (11) Identify any ID nits the Document Shepherd has found in = this > > document. (See http://www.ietf.org/tools/idnits/ and the = Internet-Drafts > > Checklist). Boilerplate checks are not enough; this check needs = to be > > thorough. > > > > The shepherd has checked the nits. The shepherd has not verified = the > > examples for correctness. > > > > (12) Describe how the document meets any required formal review > > criteria, such as the MIB Doctor, media type, and URI type = reviews. > > > > The document does not require a formal review even though it = contains > > JSON-based examples. > > > > (13) Have all references within this document been identified as = either > > normative or informative? > > > > Yes. > > > > (14) Are there normative references to documents that are not = ready for > > advancement or are otherwise in an unclear state? If such = normative > > references exist, what is the plan for their completion? > > > > There are various JOSE documents that have not been published as = RFCs > > yet. As such, this document cannot be published before the = respective > > JOSE documents are finalized. > > > > (15) Are there downward normative references references (see RFC = 3967)? > > If so, list these downward references to support the Area = Director in > > the Last Call procedure. > > > > The document contains a reference to > > > > [ECMAScript] > > Ecma International, "ECMAScript Language = Specification, > > 5.1 Edition", ECMA 262, June 2011. > > > > which might require a downref. > > > > RFC 6755 is also a downref. > > > > > > (16) Will publication of this document change the status of any = existing > > RFCs? Are those RFCs listed on the title page header, listed in = the > > abstract, and discussed in the introduction? If the RFCs are not = listed > > in the Abstract and Introduction, explain why, and point to the = part of > > the document where the relationship of this document to the = other RFCs > > is discussed. If this information is not in the document, = explain why > > the WG considers it unnecessary. > > > > The publication of this document does not change the status of = other > > RFCs. > > > > (17) Describe the Document Shepherd's review of the IANA = considerations > > section, especially with regard to its consistency with the body = of the > > document. Confirm that all protocol extensions that the document = makes > > are associated with the appropriate reservations in IANA = registries. > > Confirm that any referenced IANA registries have been clearly > > identified. Confirm that newly created IANA registries include a > > detailed specification of the initial contents for the registry, = that > > allocations procedures for future registrations are defined, and = a > > reasonable name for the new registry has been suggested (see RFC = 5226). > > > > The document creates a new registry for JWT claims and populates = this > > registry with values. > > It also registers values into two existing registries, namely = into > > * the RFC 6755 created OAuth URN registry, and > > * the media type registry > > > > (18) List any new IANA registries that require Expert Review for = future > > allocations. Provide any public guidance that the IESG would = find useful > > in selecting the IANA Experts for these new registries. > > > > The newly created JWT claims registry requires expert review for = future > > allocations. Guidance is given in the document. > > The document shepherd volunteers to become an expert review. > > > > (19) Describe reviews and automated checks performed by the = Document > > Shepherd to validate sections of the document written in a = formal > > language, such as XML code, BNF rules, MIB definitions, etc. > > > > There are examples in the document that use a JSON-based = encoding. The > > document shepherd has reviewed those examples but has not = verified the > > correctness of the cryptographic operations. > > > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > =20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_0E7B59CF-B4EC-4D51-9B97-376EBBF89DDA Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 I have = no IPR to disclose.

Ping supports JWT in a number of = products.  As access tokens and as Connect Id_tokens in Ping = Federate and Ping Access.

OAuth access tokens = may only account for 50% of the usage of = JWT.

In OAuth itself they are used in the JWT = assertion flow and increasing interest in = that.

John B.
On Apr 24, 2014, at = 7:32 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Thanks for doing = this, Hannes.  I would suggest making the following = changes...
 
Change =93It= allows OAuth deployments to use a standardized access token format, = which increases interoperability of OAuth-based deployments=94 to =93It = defines a standard JSON-based security token format, increasing = interoperability both among OAuth deployments using it and in other = application contexts as well=94.
 
 
I would = change =93The draft authors believe that this document is ready for = publication=94 to =93The document is ready for = publication=94.
 
I would = change the answer to (15) to say nothing about ECMAScript, since it is = not a downref, and to only say =93RFC 6755 is a downref, since 6755 is = informational.=94
 
I would = change =93The document shepherd volunteers to become an expert review=94 = to the following:
 
The = document shepherd and the author Michael Jones both volunteer to become = expert reviewers.  Note that the document recommends that multiple = expert reviewers be appointed, with the following text (which also = appears in the JOSE documents):
 
   It is suggested that multiple = Designated Experts be appointed who are
   able = to represent the perspectives of different applications = using
   this specification, in order to enable = broadly-informed review of
   registration decisions.  = In cases where a registration decision could
   be = perceived as creating a conflict of interest for a = particular
   Expert, that Expert should = defer to the judgment of the other
   = Expert(s).
 
I would = change =93The document shepherd has reviewed those examples but has not = verified the correctness of the cryptographic operations=94 to =93The = document shepherd has reviewed those examples but has not verified the = correctness of the cryptographic operations, however Brian Campbell has = done so=94.
 
Thanks = again for moving this forward!
 
          &= nbsp;           &nb= sp;            = ;            &= nbsp;            = -- Mike
 
-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] = On Behalf Of Hannes Tschofenig
Sent: Thursday, April 24, 2014 12:11 = AM
To: Brian Campbell
Cc: oauth@ietf.org
Subject: Re: = [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd = Write-up
 
Thanks, Brian. I will add this aspect to the = write-up.
 
On = 04/24/2014 12:46 AM, Brian Campbell wrote:
> While OAuth access tokens are a valuable = application of JWT, might it
> = also be worthwhile to mention that JWT can and will be useful in = other
> contexts? Connect's ID = Token is one such example:
> http= ://openid.net/specs/openid-connect-core-1_0.html#IDToken
>
>
> On = Wed, Apr 23, 2014 at 5:55 AM, Hannes Tschofenig
>
>     Hi all,
>
>     I am working on the shepherd = writeup for the JWT. Here are a few
>     = questions:
>
>     - To the document authors: = Please confirm that any and all appropriate
>     IPR disclosures = required for full conformance with the provisions of = BCP
>     78 = and BCP 79 have already been filed.
>
>     - To all: I have included = various pointers to implementations in the
>     write-up. Maybe there = are others that should be included. If so, please
>     let me = know.
>
>     - To all: Please also = go through the text to make sure that I correctly
>     reflect the history = and the status of this document.
>
>     Here is the latest version of = the write-up:
>    
> = er/shepherd-writeups/Writeup_OAuth_JWT.txt
>
>     Ciao
>     = Hannes
>
>     PS: Here is the copy-and-paste = text:
>
>     = --------
>
>     Writeup for "JSON Web Token = (JWT)"
> = <draft-ietf-oauth-json-web-token-19>
>
>     (1) What type of RFC is being = requested (BCP, Proposed Standard,
>     Internet Standard, = Informational, Experimental, or Historic)? Why is
>     this the proper type = of RFC? Is this type of RFC indicated in the title
>     page = header?
>
>     The RFC type is 'Standards = Track' and the type is indicated in the title
>     page. This document = defines the syntax and semantic of information
>     = elements.
>
>     (2) The IESG approval = announcement includes a Document Announcement
>     Write-Up. Please = provide such a Document Announcement Write-Up. = Recent
>     examples can be found in the = "Action" announcements for approved
>     documents. The approval = announcement contains the following sections:
>
>     Technical = Summary:
>
>        JSON Web = Token (JWT) is a compact URL-safe means of = representing
>        claims to be = transferred between two parties.  The claims in a = JWT
>        are encoded = as a JavaScript Object Notation (JSON) object that = is
>        used as the = payload of a JSON Web Signature (JWS) structure or as = the
>        plaintext of = a JSON Web Encryption (JWE) structure, enabling the
>        = claims to be digitally signed or MACed and/or = encrypted.
>
>     Working Group = Summary:
>
>     Was there anything in WG = process that is worth noting? For example, was
>     there controversy = about particular points or were there decisions = where
>     = the consensus was particularly rough?
>
>     This document was = uncontroversial. It allows OAuth deployments to use = a
>     = standardized access token format, which increases interoperability = of
>     = OAuth-based deployments.
>
>     Document = Quality:
>
>     This document has gone through = many iterations and has received
>     substantial = feedback.
>
>     A substantial number of = implementations exist, as documented at
>     (scrowl down to the = 'JWT/JWS/JWE/JWK/JWA Implementations' section)
>
>     An Excel document providing = additional details can be found here:
>    
> = .xlsx
>
>     = Personnel:
>
>     The document shepherd is = Hannes Tschofenig and the responsible area
>     director is Kathleen = Moriarty.
>
>     (3) Briefly describe the = review of this document that was performed by
>     the Document = Shepherd. If this version of the document is not ready = for
>     = publication, please explain why the document is being forwarded = to
>     = the IESG.
>
>     The draft authors believe that = this document is ready for publication.
>     The document has = received review comments from working group = members,
>     and from the OAuth working = group chairs. Implementations exist and they
>     have tested for = interoperability as part of the OpenID Connect = interop
>     events.
>
>     (4) Does the document Shepherd = have any concerns about the depth or
>     breadth of the reviews that = have been performed?
>
>     This document has gotten = enough feedback from the working group.
>
>     (5) Do portions of the = document need review from a particular or from
>     broader perspective, = e.g., security, operational complexity, AAA, DNS,
>     DHCP, XML, or = internationalization? If so, describe the review that = took
>     = place.
>
>     Since the OAuth working group = develops security protocols any feedback
>     from the security = community is always appreciated.
>     The JWT document heavily = depends on the work in the JOSE working group
>     since it re-uses the = JWE and the JWS specifications.
>
>     (6) Describe any specific = concerns or issues that the Document Shepherd
>     has with this = document that the Responsible Area Director and/or = the
>     = IESG should be aware of? For example, perhaps he or she is = uncomfortable
>     with certain parts of the = document, or has concerns whether there really
>     is a need for it. In = any event, if the WG has discussed those issues and
>     has indicated that it = still wishes to advance the document, detail those
>     concerns = here.
>
>     The shepherd has no = concerns with this document.
>
>     (7) Has each author confirmed = that any and all appropriate IPR
>     disclosures required for full = conformance with the provisions of BCP 78
>     and BCP 79 have = already been filed. If not, explain why?
>
>     [[Confirmation from the = authors required.]]
>
>     (8) Has an IPR disclosure been = filed that references this document? If
>     so, summarize any WG = discussion and conclusion regarding the IPR
>     = disclosures.
>
>     Two IPRs have been filed for = the JWT specification this document relies
>     on, = see
>    
> = t-ietf-oauth-json-web-token
>
>
>     There was no discussion = regarding those two IPRs on the mailing list.
>
>     (9) How solid is the WG = consensus behind this document? Does it
>     represent the strong = concurrence of a few individuals, with others being
>     silent, or does the = WG as a whole understand and agree with it?
>
>  =    The working group has consensus to publish this = document.
>
>     (10) Has anyone threatened an = appeal or otherwise indicated extreme
>     discontent? If so, = please summarise the areas of conflict in separate
>     email messages to the = Responsible Area Director. (It should be in a
>     separate email = because this questionnaire is publicly available.)
>
>     No appeal or extreme = discontent has been raised.
>
>     (11) Identify any ID nits the = Document Shepherd has found in this
>     document. (See http://www.ietf.org/tools/idnit= s/ and the Internet-Drafts
>     Checklist). Boilerplate checks = are not enough; this check needs to be
>     = thorough.
>
>     The shepherd has checked the = nits. The shepherd has not verified the
>     examples for = correctness.
>
>     (12) Describe how the document = meets any required formal review
>     criteria, such as the MIB = Doctor, media type, and URI type reviews.
>
>     The document does not require = a formal review even though it contains
>     JSON-based = examples.
>
>     (13) Have all references = within this document been identified as either
>     normative or = informative?
>
>     Yes.
>
>     (14) Are there normative = references to documents that are not ready for
>     advancement or are = otherwise in an unclear state? If such normative
>     references exist, = what is the plan for their completion?
>
>     There are various JOSE = documents that have not been published as RFCs
>     yet. As such, this = document cannot be published before the respective
>     JOSE documents are = finalized.
>
>     (15) Are there downward = normative references references (see RFC 3967)?
>     If so, list these = downward references to support the Area Director in
>     the Last Call = procedure.
>
>     The document contains a = reference to
>
>        = [ECMAScript]
>         &nb= sp;         Ecma International, = "ECMAScript Language Specification,
>         &nb= sp;         5.1 Edition", ECMA = 262, June 2011.
>
>     which might require a = downref.
>
>     RFC 6755 is also a = downref.
>
>
>     (16) Will publication of this = document change the status of any existing
>     RFCs? Are those RFCs = listed on the title page header, listed in the
>     abstract, and = discussed in the introduction? If the RFCs are not = listed
>     in the Abstract and = Introduction, explain why, and point to the part of
>     the document where = the relationship of this document to the other RFCs
>     is discussed. If this = information is not in the document, explain why
>     the WG considers it = unnecessary.
>
>     The publication of this = document does not change the status of other
>     = RFCs.
>
>     (17) Describe the = Document Shepherd's review of the IANA = considerations
>     section, especially with = regard to its consistency with the body of the
>     document. Confirm = that all protocol extensions that the document = makes
>     = are associated with the appropriate reservations in IANA = registries.
>     Confirm that any referenced = IANA registries have been clearly
>     identified. Confirm that newly = created IANA registries include a
>     detailed specification of the = initial contents for the registry, that
>     allocations = procedures for future registrations are defined, and = a
>     = reasonable name for the new registry has been suggested (see RFC = 5226).
>
>     The document creates a new = registry for JWT claims and populates this
>     registry with = values.
>     It also registers values into = two existing registries, namely into
>      * the RFC 6755 created = OAuth URN registry, and
>      * the media type = registry
>
>     (18) List any new IANA = registries that require Expert Review for future
>     allocations. Provide = any public guidance that the IESG would find useful
>     in selecting the IANA = Experts for these new registries.
>
>     The newly created JWT claims = registry requires expert review for future
>     allocations. Guidance = is given in the document.
>     The document shepherd = volunteers to become an expert review.
>
>     (19) Describe reviews and = automated checks performed by the Document
>     Shepherd to validate = sections of the document written in a formal
>     language, such as XML = code, BNF rules, MIB definitions, etc.
>
>     There are examples in the = document that use a JSON-based encoding. The
>     document shepherd has = reviewed those examples but has not verified the
>     correctness of the = cryptographic operations.
>
>
>
>     = _______________________________________________
>     OAuth mailing = list
________________________________= _______________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_0E7B59CF-B4EC-4D51-9B97-376EBBF89DDA-- From nobody Thu Apr 24 16:07:54 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C32B1A0426 for ; Thu, 24 Apr 2014 16:07:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zg7410w1YIUV for ; Thu, 24 Apr 2014 16:06:57 -0700 (PDT) Received: from mail-qg0-f44.google.com (mail-qg0-f44.google.com [209.85.192.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5AF5F1A041C for ; Thu, 24 Apr 2014 16:06:57 -0700 (PDT) Received: by mail-qg0-f44.google.com with SMTP id q108so3308274qgd.31 for ; Thu, 24 Apr 2014 16:06:50 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=zvFDpSXHchGLkO2R8RtvVMvXCutMkroLRu0vx72BGgE=; b=GvNL5+hgRWc14NDBOzVm24hKDrS1VrfOEYJzlJ5mvp1VtMM2K5d3JOGTW0lrpAyUWP baNtHhly6NzbZNzBC/D5zezKhzaYXnHlwXbkqcN4QJts3r1BjvQwKVYAgcli1VYcqusz XH7uPDkfp5+6aUp9oUgJK37jf7m5+MEawfSMJ+EgCN1i9OiD4zXBMhV/ZMTnSgYeuInh Qqrm4Gbk1/H0Bq0vTa7ufR3yuavIJd7kr1nWsQvLZFV7oDsrA/tNmjcveA5oCy1tO2Af Vt7WHV4ydeIEBlYz7w6K4h0MypkViRXmY7JohOQFehb77NNadvKa6oqEqpSOGbWeec6G I5YQ== X-Gm-Message-State: ALoCoQl36TBzepPtzN+Hgj5ySTnPJZZicZFzPoUY9LvAUk0RqBg5JKIPg1j0AZ663g1bt3OMgsoR X-Received: by 10.224.126.9 with SMTP id a9mr6984347qas.39.1398380810786; Thu, 24 Apr 2014 16:06:50 -0700 (PDT) Received: from [192.168.0.200] ([201.188.30.118]) by mx.google.com with ESMTPSA id z6sm10591528qal.6.2014.04.24.16.06.45 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 24 Apr 2014 16:06:50 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_FCF49E0E-44B6-42C3-B027-A184D1C84F2E" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A194E11@TK5EX14MBXC288.redmond.corp.microsoft.com> Date: Thu, 24 Apr 2014 20:06:45 -0300 Message-Id: <7522503E-3D27-4223-8907-1BEBFD5E877C@ve7jtb.com> References: <5357AA4C.8080707@gmx.net> <5358B907.3030905@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E11@TK5EX14MBXC288.redmond.corp.microsoft.com> To: Michael Jones X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/T0KZZF8bzv-y_kLi2co26GAk_58 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 23:07:14 -0000 X-List-Received-Date: Thu, 24 Apr 2014 23:07:14 -0000 --Apple-Mail=_FCF49E0E-44B6-42C3-B027-A184D1C84F2E Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 +1 On Apr 24, 2014, at 7:32 PM, Mike Jones = wrote: > Thanks for doing this, Hannes. I would suggest making the following = changes... > =20 > Change =93It allows OAuth deployments to use a standardized access = token format, which increases interoperability of OAuth-based = deployments=94 to =93It defines a standard JSON-based security token = format, increasing interoperability both among OAuth deployments using = it and in other application contexts as well=94. > =20 > I would change http://openid.net/developers/libraries/ to = http://openid.net/developers/libraries/#jwt (adding the #jwt target = within the page). > =20 > I would change =93The draft authors believe that this document is = ready for publication=94 to =93The document is ready for publication=94. > =20 > I would change the answer to (15) to say nothing about ECMAScript, = since it is not a downref, and to only say =93RFC 6755 is a downref, = since 6755 is informational.=94 > =20 > I would change =93The document shepherd volunteers to become an expert = review=94 to the following: > =20 > The document shepherd and the author Michael Jones both volunteer to = become expert reviewers. Note that the document recommends that = multiple expert reviewers be appointed, with the following text (which = also appears in the JOSE documents): > =20 > It is suggested that multiple Designated Experts be appointed who = are > able to represent the perspectives of different applications using > this specification, in order to enable broadly-informed review of > registration decisions. In cases where a registration decision = could > be perceived as creating a conflict of interest for a particular > Expert, that Expert should defer to the judgment of the other > Expert(s). > =20 > I would change =93The document shepherd has reviewed those examples = but has not verified the correctness of the cryptographic operations=94 = to =93The document shepherd has reviewed those examples but has not = verified the correctness of the cryptographic operations, however Brian = Campbell has done so=94. > =20 > Thanks again for moving this forward! > =20 > -- Mike > =20 > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes = Tschofenig > Sent: Thursday, April 24, 2014 12:11 AM > To: Brian Campbell > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd = Write-up > =20 > Thanks, Brian. I will add this aspect to the write-up. > =20 > On 04/24/2014 12:46 AM, Brian Campbell wrote: > > While OAuth access tokens are a valuable application of JWT, might = it > > also be worthwhile to mention that JWT can and will be useful in = other > > contexts? Connect's ID Token is one such example: > > http://openid.net/specs/openid-connect-core-1_0.html#IDToken > > > > > > On Wed, Apr 23, 2014 at 5:55 AM, Hannes Tschofenig > > > = wrote: > > > > Hi all, > > > > I am working on the shepherd writeup for the JWT. Here are a few > > questions: > > > > - To the document authors: Please confirm that any and all = appropriate > > IPR disclosures required for full conformance with the = provisions of BCP > > 78 and BCP 79 have already been filed. > > > > - To all: I have included various pointers to implementations in = the > > write-up. Maybe there are others that should be included. If so, = please > > let me know. > > > > - To all: Please also go through the text to make sure that I = correctly > > reflect the history and the status of this document. > > > > Here is the latest version of the write-up: > > =20 > > = https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/mast > > er/shepherd-writeups/Writeup_OAuth_JWT.txt > > > > Ciao > > Hannes > > > > PS: Here is the copy-and-paste text: > > > > -------- > > > > Writeup for "JSON Web Token (JWT)" > > > > > > (1) What type of RFC is being requested (BCP, Proposed Standard, > > Internet Standard, Informational, Experimental, or Historic)? = Why is > > this the proper type of RFC? Is this type of RFC indicated in = the title > > page header? > > > > The RFC type is 'Standards Track' and the type is indicated in = the title > > page. This document defines the syntax and semantic of = information > > elements. > > > > (2) The IESG approval announcement includes a Document = Announcement > > Write-Up. Please provide such a Document Announcement Write-Up. = Recent > > examples can be found in the "Action" announcements for approved > > documents. The approval announcement contains the following = sections: > > > > Technical Summary: > > > > JSON Web Token (JWT) is a compact URL-safe means of = representing > > claims to be transferred between two parties. The claims in = a JWT > > are encoded as a JavaScript Object Notation (JSON) object = that is > > used as the payload of a JSON Web Signature (JWS) structure = or as the > > plaintext of a JSON Web Encryption (JWE) structure, enabling = the > > claims to be digitally signed or MACed and/or encrypted. > > > > Working Group Summary: > > > > Was there anything in WG process that is worth noting? For = example, was > > there controversy about particular points or were there = decisions where > > the consensus was particularly rough? > > > > This document was uncontroversial. It allows OAuth deployments = to use a > > standardized access token format, which increases = interoperability of > > OAuth-based deployments. > > > > Document Quality: > > > > This document has gone through many iterations and has received > > substantial feedback. > > > > A substantial number of implementations exist, as documented at > > http://openid.net/developers/libraries/ > > (scrowl down to the 'JWT/JWS/JWE/JWK/JWA Implementations' = section) > > > > An Excel document providing additional details can be found = here: > > =20 > > = http://www.oauth-v2.org/wp-content/uploads/2014/04/JWT-Implementations > > .xlsx > > > > Personnel: > > > > The document shepherd is Hannes Tschofenig and the responsible = area > > director is Kathleen Moriarty. > > > > (3) Briefly describe the review of this document that was = performed by > > the Document Shepherd. If this version of the document is not = ready for > > publication, please explain why the document is being forwarded = to > > the IESG. > > > > The draft authors believe that this document is ready for = publication. > > The document has received review comments from working group = members, > > and from the OAuth working group chairs. Implementations exist = and they > > have tested for interoperability as part of the OpenID Connect = interop > > events. > > > > (4) Does the document Shepherd have any concerns about the depth = or > > breadth of the reviews that have been performed? > > > > This document has gotten enough feedback from the working group. > > > > (5) Do portions of the document need review from a particular or = from > > broader perspective, e.g., security, operational complexity, = AAA, DNS, > > DHCP, XML, or internationalization? If so, describe the review = that took > > place. > > > > Since the OAuth working group develops security protocols any = feedback > > from the security community is always appreciated. > > The JWT document heavily depends on the work in the JOSE working = group > > since it re-uses the JWE and the JWS specifications. > > > > (6) Describe any specific concerns or issues that the Document = Shepherd > > has with this document that the Responsible Area Director and/or = the > > IESG should be aware of? For example, perhaps he or she is = uncomfortable > > with certain parts of the document, or has concerns whether = there really > > is a need for it. In any event, if the WG has discussed those = issues and > > has indicated that it still wishes to advance the document, = detail those > > concerns here. > > > > The shepherd has no concerns with this document. > > > > (7) Has each author confirmed that any and all appropriate IPR > > disclosures required for full conformance with the provisions of = BCP 78 > > and BCP 79 have already been filed. If not, explain why? > > > > [[Confirmation from the authors required.]] > > > > (8) Has an IPR disclosure been filed that references this = document? If > > so, summarize any WG discussion and conclusion regarding the IPR > > disclosures. > > > > Two IPRs have been filed for the JWT specification this document = relies > > on, see > > =20 > > = http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraf= > > t-ietf-oauth-json-web-token > > > > > > There was no discussion regarding those two IPRs on the mailing = list. > > > > (9) How solid is the WG consensus behind this document? Does it > > represent the strong concurrence of a few individuals, with = others being > > silent, or does the WG as a whole understand and agree with it? > > > > The working group has consensus to publish this document. > > > > (10) Has anyone threatened an appeal or otherwise indicated = extreme > > discontent? If so, please summarise the areas of conflict in = separate > > email messages to the Responsible Area Director. (It should be = in a > > separate email because this questionnaire is publicly = available.) > > > > No appeal or extreme discontent has been raised. > > > > (11) Identify any ID nits the Document Shepherd has found in = this > > document. (See http://www.ietf.org/tools/idnits/ and the = Internet-Drafts > > Checklist). Boilerplate checks are not enough; this check needs = to be > > thorough. > > > > The shepherd has checked the nits. The shepherd has not verified = the > > examples for correctness. > > > > (12) Describe how the document meets any required formal review > > criteria, such as the MIB Doctor, media type, and URI type = reviews. > > > > The document does not require a formal review even though it = contains > > JSON-based examples. > > > > (13) Have all references within this document been identified as = either > > normative or informative? > > > > Yes. > > > > (14) Are there normative references to documents that are not = ready for > > advancement or are otherwise in an unclear state? If such = normative > > references exist, what is the plan for their completion? > > > > There are various JOSE documents that have not been published as = RFCs > > yet. As such, this document cannot be published before the = respective > > JOSE documents are finalized. > > > > (15) Are there downward normative references references (see RFC = 3967)? > > If so, list these downward references to support the Area = Director in > > the Last Call procedure. > > > > The document contains a reference to > > > > [ECMAScript] > > Ecma International, "ECMAScript Language = Specification, > > 5.1 Edition", ECMA 262, June 2011. > > > > which might require a downref. > > > > RFC 6755 is also a downref. > > > > > > (16) Will publication of this document change the status of any = existing > > RFCs? Are those RFCs listed on the title page header, listed in = the > > abstract, and discussed in the introduction? If the RFCs are not = listed > > in the Abstract and Introduction, explain why, and point to the = part of > > the document where the relationship of this document to the = other RFCs > > is discussed. If this information is not in the document, = explain why > > the WG considers it unnecessary. > > > > The publication of this document does not change the status of = other > > RFCs. > > > > (17) Describe the Document Shepherd's review of the IANA = considerations > > section, especially with regard to its consistency with the body = of the > > document. Confirm that all protocol extensions that the document = makes > > are associated with the appropriate reservations in IANA = registries. > > Confirm that any referenced IANA registries have been clearly > > identified. Confirm that newly created IANA registries include a > > detailed specification of the initial contents for the registry, = that > > allocations procedures for future registrations are defined, and = a > > reasonable name for the new registry has been suggested (see RFC = 5226). > > > > The document creates a new registry for JWT claims and populates = this > > registry with values. > > It also registers values into two existing registries, namely = into > > * the RFC 6755 created OAuth URN registry, and > > * the media type registry > > > > (18) List any new IANA registries that require Expert Review for = future > > allocations. Provide any public guidance that the IESG would = find useful > > in selecting the IANA Experts for these new registries. > > > > The newly created JWT claims registry requires expert review for = future > > allocations. Guidance is given in the document. > > The document shepherd volunteers to become an expert review. > > > > (19) Describe reviews and automated checks performed by the = Document > > Shepherd to validate sections of the document written in a = formal > > language, such as XML code, BNF rules, MIB definitions, etc. > > > > There are examples in the document that use a JSON-based = encoding. The > > document shepherd has reviewed those examples but has not = verified the > > correctness of the cryptographic operations. > > > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > =20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_FCF49E0E-44B6-42C3-B027-A184D1C84F2E Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 +1

On Apr 24, 2014, at 7:32 PM, = Mike Jones <Michael.Jones@microsoft.com> wrote:

Thanks for doing = this, Hannes.  I would suggest making the following = changes...
 
Change =93It= allows OAuth deployments to use a standardized access token format, = which increases interoperability of OAuth-based deployments=94 to =93It = defines a standard JSON-based security token format, increasing = interoperability both among OAuth deployments using it and in other = application contexts as well=94.
 
 
I would = change =93The draft authors believe that this document is ready for = publication=94 to =93The document is ready for = publication=94.
 
I would = change the answer to (15) to say nothing about ECMAScript, since it is = not a downref, and to only say =93RFC 6755 is a downref, since 6755 is = informational.=94
 
I would = change =93The document shepherd volunteers to become an expert review=94 = to the following:
 
The = document shepherd and the author Michael Jones both volunteer to become = expert reviewers.  Note that the document recommends that multiple = expert reviewers be appointed, with the following text (which also = appears in the JOSE documents):
 
   It is suggested that multiple = Designated Experts be appointed who are
   able = to represent the perspectives of different applications = using
   this specification, in order to enable = broadly-informed review of
   registration decisions.  = In cases where a registration decision could
   be = perceived as creating a conflict of interest for a = particular
   Expert, that Expert should = defer to the judgment of the other
   = Expert(s).
 
I would = change =93The document shepherd has reviewed those examples but has not = verified the correctness of the cryptographic operations=94 to =93The = document shepherd has reviewed those examples but has not verified the = correctness of the cryptographic operations, however Brian Campbell has = done so=94.
 
Thanks = again for moving this forward!
 
          &= nbsp;           &nb= sp;            = ;            &= nbsp;            = -- Mike
 
-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] = On Behalf Of Hannes Tschofenig
Sent: Thursday, April 24, 2014 12:11 = AM
To: Brian Campbell
Cc: oauth@ietf.org
Subject: Re: = [OAUTH-WG] draft-ietf-oauth-json-web-token-19 Shepherd = Write-up
 
Thanks, Brian. I will add this aspect to the = write-up.
 
On = 04/24/2014 12:46 AM, Brian Campbell wrote:
> While OAuth access tokens are a valuable = application of JWT, might it
> = also be worthwhile to mention that JWT can and will be useful in = other
> contexts? Connect's ID = Token is one such example:
> http= ://openid.net/specs/openid-connect-core-1_0.html#IDToken
>
>
> On = Wed, Apr 23, 2014 at 5:55 AM, Hannes Tschofenig
>
>     Hi all,
>
>     I am working on the shepherd = writeup for the JWT. Here are a few
>     = questions:
>
>     - To the document authors: = Please confirm that any and all appropriate
>     IPR disclosures = required for full conformance with the provisions of = BCP
>     78 = and BCP 79 have already been filed.
>
>     - To all: I have included = various pointers to implementations in the
>     write-up. Maybe there = are others that should be included. If so, please
>     let me = know.
>
>     - To all: Please also = go through the text to make sure that I correctly
>     reflect the history = and the status of this document.
>
>     Here is the latest version of = the write-up:
>    
> = er/shepherd-writeups/Writeup_OAuth_JWT.txt
>
>     Ciao
>     = Hannes
>
>     PS: Here is the copy-and-paste = text:
>
>     = --------
>
>     Writeup for "JSON Web Token = (JWT)"
> = <draft-ietf-oauth-json-web-token-19>
>
>     (1) What type of RFC is being = requested (BCP, Proposed Standard,
>     Internet Standard, = Informational, Experimental, or Historic)? Why is
>     this the proper type = of RFC? Is this type of RFC indicated in the title
>     page = header?
>
>     The RFC type is 'Standards = Track' and the type is indicated in the title
>     page. This document = defines the syntax and semantic of information
>     = elements.
>
>     (2) The IESG approval = announcement includes a Document Announcement
>     Write-Up. Please = provide such a Document Announcement Write-Up. = Recent
>     examples can be found in the = "Action" announcements for approved
>     documents. The approval = announcement contains the following sections:
>
>     Technical = Summary:
>
>        JSON Web = Token (JWT) is a compact URL-safe means of = representing
>        claims to be = transferred between two parties.  The claims in a = JWT
>        are encoded = as a JavaScript Object Notation (JSON) object that = is
>        used as the = payload of a JSON Web Signature (JWS) structure or as = the
>        plaintext of = a JSON Web Encryption (JWE) structure, enabling the
>        = claims to be digitally signed or MACed and/or = encrypted.
>
>     Working Group = Summary:
>
>     Was there anything in WG = process that is worth noting? For example, was
>     there controversy = about particular points or were there decisions = where
>     = the consensus was particularly rough?
>
>     This document was = uncontroversial. It allows OAuth deployments to use = a
>     = standardized access token format, which increases interoperability = of
>     = OAuth-based deployments.
>
>     Document = Quality:
>
>     This document has gone through = many iterations and has received
>     substantial = feedback.
>
>     A substantial number of = implementations exist, as documented at
>     (scrowl down to the = 'JWT/JWS/JWE/JWK/JWA Implementations' section)
>
>     An Excel document providing = additional details can be found here:
>    
> = .xlsx
>
>     = Personnel:
>
>     The document shepherd is = Hannes Tschofenig and the responsible area
>     director is Kathleen = Moriarty.
>
>     (3) Briefly describe the = review of this document that was performed by
>     the Document = Shepherd. If this version of the document is not ready = for
>     = publication, please explain why the document is being forwarded = to
>     = the IESG.
>
>     The draft authors believe that = this document is ready for publication.
>     The document has = received review comments from working group = members,
>     and from the OAuth working = group chairs. Implementations exist and they
>     have tested for = interoperability as part of the OpenID Connect = interop
>     events.
>
>     (4) Does the document Shepherd = have any concerns about the depth or
>     breadth of the reviews that = have been performed?
>
>     This document has gotten = enough feedback from the working group.
>
>     (5) Do portions of the = document need review from a particular or from
>     broader perspective, = e.g., security, operational complexity, AAA, DNS,
>     DHCP, XML, or = internationalization? If so, describe the review that = took
>     = place.
>
>     Since the OAuth working group = develops security protocols any feedback
>     from the security = community is always appreciated.
>     The JWT document heavily = depends on the work in the JOSE working group
>     since it re-uses the = JWE and the JWS specifications.
>
>     (6) Describe any specific = concerns or issues that the Document Shepherd
>     has with this = document that the Responsible Area Director and/or = the
>     = IESG should be aware of? For example, perhaps he or she is = uncomfortable
>     with certain parts of the = document, or has concerns whether there really
>     is a need for it. In = any event, if the WG has discussed those issues and
>     has indicated that it = still wishes to advance the document, detail those
>     concerns = here.
>
>     The shepherd has no = concerns with this document.
>
>     (7) Has each author confirmed = that any and all appropriate IPR
>     disclosures required for full = conformance with the provisions of BCP 78
>     and BCP 79 have = already been filed. If not, explain why?
>
>     [[Confirmation from the = authors required.]]
>
>     (8) Has an IPR disclosure been = filed that references this document? If
>     so, summarize any WG = discussion and conclusion regarding the IPR
>     = disclosures.
>
>     Two IPRs have been filed for = the JWT specification this document relies
>     on, = see
>    
> = t-ietf-oauth-json-web-token
>
>
>     There was no discussion = regarding those two IPRs on the mailing list.
>
>     (9) How solid is the WG = consensus behind this document? Does it
>     represent the strong = concurrence of a few individuals, with others being
>     silent, or does the = WG as a whole understand and agree with it?
>
>  =    The working group has consensus to publish this = document.
>
>     (10) Has anyone threatened an = appeal or otherwise indicated extreme
>     discontent? If so, = please summarise the areas of conflict in separate
>     email messages to the = Responsible Area Director. (It should be in a
>     separate email = because this questionnaire is publicly available.)
>
>     No appeal or extreme = discontent has been raised.
>
>     (11) Identify any ID nits the = Document Shepherd has found in this
>     document. (See http://www.ietf.org/tools/idnit= s/ and the Internet-Drafts
>     Checklist). Boilerplate checks = are not enough; this check needs to be
>     = thorough.
>
>     The shepherd has checked the = nits. The shepherd has not verified the
>     examples for = correctness.
>
>     (12) Describe how the document = meets any required formal review
>     criteria, such as the MIB = Doctor, media type, and URI type reviews.
>
>     The document does not require = a formal review even though it contains
>     JSON-based = examples.
>
>     (13) Have all references = within this document been identified as either
>     normative or = informative?
>
>     Yes.
>
>     (14) Are there normative = references to documents that are not ready for
>     advancement or are = otherwise in an unclear state? If such normative
>     references exist, = what is the plan for their completion?
>
>     There are various JOSE = documents that have not been published as RFCs
>     yet. As such, this = document cannot be published before the respective
>     JOSE documents are = finalized.
>
>     (15) Are there downward = normative references references (see RFC 3967)?
>     If so, list these = downward references to support the Area Director in
>     the Last Call = procedure.
>
>     The document contains a = reference to
>
>        = [ECMAScript]
>         &nb= sp;         Ecma International, = "ECMAScript Language Specification,
>         &nb= sp;         5.1 Edition", ECMA = 262, June 2011.
>
>     which might require a = downref.
>
>     RFC 6755 is also a = downref.
>
>
>     (16) Will publication of this = document change the status of any existing
>     RFCs? Are those RFCs = listed on the title page header, listed in the
>     abstract, and = discussed in the introduction? If the RFCs are not = listed
>     in the Abstract and = Introduction, explain why, and point to the part of
>     the document where = the relationship of this document to the other RFCs
>     is discussed. If this = information is not in the document, explain why
>     the WG considers it = unnecessary.
>
>     The publication of this = document does not change the status of other
>     = RFCs.
>
>     (17) Describe the = Document Shepherd's review of the IANA = considerations
>     section, especially with = regard to its consistency with the body of the
>     document. Confirm = that all protocol extensions that the document = makes
>     = are associated with the appropriate reservations in IANA = registries.
>     Confirm that any referenced = IANA registries have been clearly
>     identified. Confirm that newly = created IANA registries include a
>     detailed specification of the = initial contents for the registry, that
>     allocations = procedures for future registrations are defined, and = a
>     = reasonable name for the new registry has been suggested (see RFC = 5226).
>
>     The document creates a new = registry for JWT claims and populates this
>     registry with = values.
>     It also registers values into = two existing registries, namely into
>      * the RFC 6755 created = OAuth URN registry, and
>      * the media type = registry
>
>     (18) List any new IANA = registries that require Expert Review for future
>     allocations. Provide = any public guidance that the IESG would find useful
>     in selecting the IANA = Experts for these new registries.
>
>     The newly created JWT claims = registry requires expert review for future
>     allocations. Guidance = is given in the document.
>     The document shepherd = volunteers to become an expert review.
>
>     (19) Describe reviews and = automated checks performed by the Document
>     Shepherd to validate = sections of the document written in a formal
>     language, such as XML = code, BNF rules, MIB definitions, etc.
>
>     There are examples in the = document that use a JSON-based encoding. The
>     document shepherd has = reviewed those examples but has not verified the
>     correctness of the = cryptographic operations.
>
>
>
>     = _______________________________________________
>     OAuth mailing = list
________________________________= _______________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_FCF49E0E-44B6-42C3-B027-A184D1C84F2E-- From nobody Thu Apr 24 16:31:25 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ADE51A041F for ; Thu, 24 Apr 2014 16:31:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wMcgeDGKH1ID for ; Thu, 24 Apr 2014 16:31:19 -0700 (PDT) Received: from mail-oa0-f43.google.com (mail-oa0-f43.google.com [209.85.219.43]) by ietfa.amsl.com (Postfix) with ESMTP id 1F7661A0412 for ; Thu, 24 Apr 2014 16:31:18 -0700 (PDT) Received: by mail-oa0-f43.google.com with SMTP id eb12so3435921oac.2 for ; Thu, 24 Apr 2014 16:31:12 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=oG0g7UXCtUaG5i0FrVdrqguSwoBg/ORk/+eoXlp2FX8=; b=bf8k4hG9bZLVnvBR9BR384ui5prbf9BSnwpjwG4emRoGnF5WCBqg7f/zPMCT682ce4 9SJyJHoK3v1DJRdV2qCjLT0kl4L6d95qyMLnVrc9fCEdtEVodWJSSUQ/FPlJyVTU3GRk wSLx7tEve0tLpGYvzCaG+o8os91fimhaU9kevbqy1+jPyfw8EQz+FmSRNfrVQuAX1zef TcYy1t2JIhRqqsmIajCD4JCQIj782rjhe+WaB9b8d+HEDgFKGdX/QiDFhIK/u58kqxjW 3OAcIK44u0MhOP7jB05VMELnlUCuo+uMrefcjdle4aC/9TG2+5062o5JrJ2MTjzUd15P +OWg== X-Gm-Message-State: ALoCoQltG43nAx+kPce5AkPT+815GvweIqMXgeG2rX3H3izRmMQEJe7jUZnGXZcH/BwvT1+UokhT MIME-Version: 1.0 X-Received: by 10.60.133.81 with SMTP id pa17mr3908327oeb.35.1398382272690; Thu, 24 Apr 2014 16:31:12 -0700 (PDT) Received: by 10.76.75.169 with HTTP; Thu, 24 Apr 2014 16:31:12 -0700 (PDT) In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <53577C73.2010201@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> Date: Thu, 24 Apr 2014 16:31:12 -0700 Message-ID: From: Chuck Mortimore To: Mike Jones Content-Type: multipart/alternative; boundary=047d7b4728009fdce904f7d23e5a Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/FvRgW_dHyYss-yZXSHDC0NkqXQ0 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 23:31:23 -0000 --047d7b4728009fdce904f7d23e5a Content-Type: text/plain; charset=ISO-8859-1 Salesforce Implementation: https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_jwt_flow.htm&language=en_US On Thu, Apr 24, 2014 at 3:41 PM, Mike Jones wrote: > I am aware of these implementations: > Microsoft Azure Active Directory: > http://azure.microsoft.com/en-us/services/active-directory/ > Google Service Account: > https://developers.google.com/accounts/docs/OAuth2ServiceAccount > > I believe that Ping Identity and Salesforce also have implementations, but > I'll let Brian and Chuck authoritatively speak to those. > > -- Mike > > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig > Sent: Wednesday, April 23, 2014 1:40 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up > > Hi all, > > I am working on the shepherd writeup for the JWT bearer document. The > shepherd write-ups for the assertion draft and the SAML bearer document > have been completed a while ago already, see > http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html > > A few requests: > > - To the document authors: Please confirm that any and all appropriate IPR > disclosures required for full conformance with the provisions of BCP > 78 and BCP 79 have already been filed. > > - To all: Are you aware of implementations of this specification? If so, I > would like to reference them in my write-up. > > - To all: Please also go through the text to make sure that I correctly > reflect the history and the status of this document. > > Here is the most recent version of the write-up: > > https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt > > > (The copy-and-paste of the full version is below.) > > Ciao > Hannes > > PS: Note that I have send a mail about a pending issue to the list. In > response to my question I will update the write-up accordingly. > > ---- > > Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client > Authentication and Authorization Grants" > > (1) What type of RFC is being requested (BCP, Proposed Standard, Internet > Standard, Informational, Experimental, or Historic)? Why is this the proper > type of RFC? Is this type of RFC indicated in the title page header? > > The RFC type is 'Standards Track' and the type is indicated in the title > page. This document defines an instantiation for the OAuth assertion > framework using JSON Web Tokens. > > (2) The IESG approval announcement includes a Document Announcement > Write-Up. Please provide such a Document Announcement Write-Up. Recent > examples can be found in the "Action" announcements for approved documents. > The approval announcement contains the following sections: > > Technical Summary: > > This specification defines the use of a JSON Web Token (JWT) Bearer > Token as a means for requesting an OAuth 2.0 access token as well as > for use as a means of client authentication. > > Working Group Summary: > > Was there anything in WG process that is worth noting? For example, was > there controversy about particular points or were there decisions where the > consensus was particularly rough? > > This document belongs to the OAuth assertion document bundle consisting of > the abstract OAuth assertion framework, and the SAML assertion profile. Due > to the use of the JSON-based encoding of the assertion it also relies on > the work in the JOSE working group (such as JWE/JWS) indirectly through the > use of the JWT. This document has intentionally been kept in sync with the > SAML-based version. > > Document Quality: > > This document has gone through many iterations and has received > substantial feedback. > > [[Add implementation list here.]] > > Personnel: > > The document shepherd is Hannes Tschofenig and the responsible area > director is Kathleen Moriarty. > > (3) Briefly describe the review of this document that was performed by the > Document Shepherd. If this version of the document is not ready for > publication, please explain why the document is being forwarded to the IESG. > > The draft authors believe that this document is ready for publication. > The document has had received review comments from working group members, > and from the OAuth working group chairs. These review comments have been > taken into account. > > (4) Does the document Shepherd have any concerns about the depth or > breadth of the reviews that have been performed? > > This document has gotten feedback from the working group and given the > focused use cases it has received adequate review. > > (5) Do portions of the document need review from a particular or from > broader perspective, e.g., security, operational complexity, AAA, DNS, > DHCP, XML, or internationalization? If so, describe the review that took > place. > > Since the OAuth working group develops security protocols any feedback > from the security community is always appreciated. > > (6) Describe any specific concerns or issues that the Document Shepherd > has with this document that the Responsible Area Director and/or the IESG > should be aware of? For example, perhaps he or she is uncomfortable with > certain parts of the document, or has concerns whether there really is a > need for it. In any event, if the WG has discussed those issues and has > indicated that it still wishes to advance the document, detail those > concerns here. > > The shepherd has no concerns with this document. > > (7) Has each author confirmed that any and all appropriate IPR disclosures > required for full conformance with the provisions of BCP 78 and BCP 79 have > already been filed. If not, explain why? > > [[Confirmation from the authors required.]] > > (8) Has an IPR disclosure been filed that references this document? If so, > summarize any WG discussion and conclusion regarding the IPR disclosures. > > No IPR disclosures have been filed on this document. However, two IPRs > have been filed for the JWT specification this document relies on, see > http://datatracker.ietf.org/ipr/search/?option=document_search&id=draft-ietf-oauth-json-web-token > > > (9) How solid is the WG consensus behind this document? Does it represent > the strong concurrence of a few individuals, with others being silent, or > does the WG as a whole understand and agree with it? > > The working group has consensus to publish this document. > > (10) Has anyone threatened an appeal or otherwise indicated extreme > discontent? If so, please summarise the areas of conflict in separate email > messages to the Responsible Area Director. (It should be in a separate > email because this questionnaire is publicly available.) > > No appeal or extreme discontent has been raised. > > (11) Identify any ID nits the Document Shepherd has found in this > document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts > Checklist). Boilerplate checks are not enough; this check needs to be > thorough. > > The shepherd has checked the nits. > > (12) Describe how the document meets any required formal review criteria, > such as the MIB Doctor, media type, and URI type reviews. > > There is no such review necessary. > > (13) Have all references within this document been identified as either > normative or informative? > > Yes. > > (14) Are there normative references to documents that are not ready for > advancement or are otherwise in an unclear state? If such normative > references exist, what is the plan for their completion? > > Yes. > > (15) Are there downward normative references references (see RFC 3967)? > If so, list these downward references to support the Area Director in the > Last Call procedure. > > RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational > RFC. A downref is required. > > However, this document depends on the completion of the abstract OAuth > assertion framework and on the JWT specification. > There are the following dependencies: > > (16) Will publication of this document change the status of any existing > RFCs? Are those RFCs listed on the title page header, listed in the > abstract, and discussed in the introduction? If the RFCs are not listed in > the Abstract and Introduction, explain why, and point to the part of the > document where the relationship of this document to the other RFCs is > discussed. If this information is not in the document, explain why the WG > considers it unnecessary. > > The publication of this document does not change the status of other RFCs. > > (17) Describe the Document Shepherd's review of the IANA considerations > section, especially with regard to its consistency with the body of the > document. Confirm that all protocol extensions that the document makes are > associated with the appropriate reservations in IANA registries. > Confirm that any referenced IANA registries have been clearly identified. > Confirm that newly created IANA registries include a detailed specification > of the initial contents for the registry, that allocations procedures for > future registrations are defined, and a reasonable name for the new > registry has been suggested (see RFC 5226). > > The document registers two sub-namespaces to the urn:ietf:params:oauth URN > established with RFC 6755. > > (18) List any new IANA registries that require Expert Review for future > allocations. Provide any public guidance that the IESG would find useful in > selecting the IANA Experts for these new registries. > > The document only adds entries to existing registries and does not define > any new registries. > > (19) Describe reviews and automated checks performed by the Document > Shepherd to validate sections of the document written in a formal language, > such as XML code, BNF rules, MIB definitions, etc. > > There are only snippets of message exchanges and JWT assertion structures, > which are based on JSON, used in the examples. There is no pseudo code > contained in the document that requires validation. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > --047d7b4728009fdce904f7d23e5a Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable


On Thu, Apr 2= 4, 2014 at 3:41 PM, Mike Jones <Michael.Jones@microsoft.com&= gt; wrote:
I am aware of these implementations:
=A0 =A0 =A0 =A0 Microsoft Azure Active Directory: =A0http://= azure.microsoft.com/en-us/services/active-directory/
=A0 =A0 =A0 =A0 Google Service Account: https://develop= ers.google.com/accounts/docs/OAuth2ServiceAccount

I believe that Ping Identity and Salesforce also have implementations, but = I'll let Brian and Chuck authoritatively speak to those.

=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 -- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces= @ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, April 23, 2014 1:40 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up

Hi all,

I am working on the shepherd writeup for the JWT bearer document. The sheph= erd write-ups for the assertion draft and the SAML bearer document have bee= n completed a while ago already, see http://www.ietf.or= g/mail-archive/web/oauth/current/msg12410.html

A few requests:

- To the document authors: Please confirm that any and all appropriate IPR = disclosures required for full conformance with the provisions of BCP
78 and BCP 79 have already been filed.

- To all: Are you aware of implementations of this specification? If so, I = would like to reference them in my write-up.

- To all: Please also go through the text to make sure that I correctly ref= lect the history and the status of this document.

Here is the most recent version of the write-up:
https://raw.githubusercontent.com/hannestschofenig/tschofenig-i= ds/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt


(The copy-and-paste of the full version is below.)

Ciao
Hannes

PS: Note that I have send a mail about a pending issue to the list. In resp= onse to my question I will update the write-up accordingly.

----

Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authent= ication and Authorization Grants" <draft-ietf-oauth-saml2-bearer-08= >

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet S= tandard, Informational, Experimental, or Historic)? Why is this the proper = type of RFC? Is this type of RFC indicated in the title page header?

The RFC type is 'Standards Track' and the type is indicated in the = title page. This document defines an instantiation for the OAuth assertion = framework using JSON Web Tokens.

(2) The IESG approval announcement includes a Document Announcement Write-U= p. Please provide such a Document Announcement Write-Up. Recent examples ca= n be found in the "Action" announcements for approved documents. = The approval announcement contains the following sections:

Technical Summary:

=A0 =A0This specification defines the use of a JSON Web Token (JWT) Bearer<= br> =A0 =A0Token as a means for requesting an OAuth 2.0 access token as well as=
=A0 =A0for use as a means of client authentication.

Working Group Summary:

Was there anything in WG process that is worth noting? For example, was the= re controversy about particular points or were there decisions where the co= nsensus was particularly rough?

This document belongs to the OAuth assertion document bundle consisting of = the abstract OAuth assertion framework, and the SAML assertion profile. Due= to the use of the JSON-based encoding of the assertion it also relies on t= he work in the JOSE working group (such as JWE/JWS) indirectly through the = use of the JWT. This document has intentionally been kept in sync with the = SAML-based version.

Document Quality:

This document has gone through many iterations and has received substantial= feedback.

[[Add implementation list here.]]

Personnel:

The document shepherd is Hannes Tschofenig and the responsible area directo= r is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by the = Document Shepherd. If this version of the document is not ready for publica= tion, please explain why the document is being forwarded to the IESG.

The draft authors believe that this document is ready for publication.
The document has had received review comments from working group members, a= nd from the OAuth working group chairs. These review comments have been tak= en into account.

(4) Does the document Shepherd have any concerns about the depth or breadth= of the reviews that have been performed?

This document has gotten feedback from the working group and given the focu= sed use cases it has received adequate review.

(5) Do portions of the document need review from a particular or from broad= er perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML= , or internationalization? If so, describe the review that took place.

Since the OAuth working group develops security protocols any feedback from= the security community is always appreciated.

(6) Describe any specific concerns or issues that the Document Shepherd has= with this document that the Responsible Area Director and/or the IESG shou= ld be aware of? For example, perhaps he or she is uncomfortable with certai= n parts of the document, or has concerns whether there really is a need for= it. In any event, if the WG has discussed those issues and has indicated t= hat it still wishes to advance the document, detail those concerns here.
The shepherd has no concerns with this document.

(7) Has each author confirmed that any and all appropriate IPR disclosures = required for full conformance with the provisions of BCP 78 and BCP 79 have= already been filed. If not, explain why?

[[Confirmation from the authors required.]]

(8) Has an IPR disclosure been filed that references this document? If so, = summarize any WG discussion and conclusion regarding the IPR disclosures.
No IPR disclosures have been filed on this document. However, two IPRs have= been filed for the JWT specification this document relies on, see http://datatracker.ie= tf.org/ipr/search/?option=3Ddocument_search&id=3Ddraft-ietf-oauth-json-= web-token


(9) How solid is the WG consensus behind this document? Does it represent t= he strong concurrence of a few individuals, with others being silent, or do= es the WG as a whole understand and agree with it?

The working group has consensus to publish this document.

(10) Has anyone threatened an appeal or otherwise indicated extreme discont= ent? If so, please summarise the areas of conflict in separate email messag= es to the Responsible Area Director. (It should be in a separate email beca= use this questionnaire is publicly available.)

No appeal or extreme discontent has been raised.

(11) Identify any ID nits the Document Shepherd has found in this document.= (See http:= //www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boiler= plate checks are not enough; this check needs to be thorough.

The shepherd has checked the nits.

(12) Describe how the document meets any required formal review criteria, s= uch as the MIB Doctor, media type, and URI type reviews.

There is no such review necessary.

(13) Have all references within this document been identified as either nor= mative or informative?

Yes.

(14) Are there normative references to documents that are not ready for adv= ancement or are otherwise in an unclear state? If such normative references= exist, what is the plan for their completion?

Yes.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the L= ast Call procedure.

RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational RFC.= A downref is required.

However, this document depends on the completion of the abstract OAuth asse= rtion framework and on the JWT specification.
There are the following dependencies:

(16) Will publication of this document change the status of any existing RF= Cs? Are those RFCs listed on the title page header, listed in the abstract,= and discussed in the introduction? If the RFCs are not listed in the Abstr= act and Introduction, explain why, and point to the part of the document wh= ere the relationship of this document to the other RFCs is discussed. If th= is information is not in the document, explain why the WG considers it unne= cessary.

The publication of this document does not change the status of other RFCs.<= br>
(17) Describe the Document Shepherd's review of the IANA considerations= section, especially with regard to its consistency with the body of the do= cument. Confirm that all protocol extensions that the document makes are as= sociated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified. C= onfirm that newly created IANA registries include a detailed specification = of the initial contents for the registry, that allocations procedures for f= uture registrations are defined, and a reasonable name for the new registry= has been suggested (see RFC 5226).

The document registers two sub-namespaces to the urn:ietf:params:oauth URN = established with RFC 6755.

(18) List any new IANA registries that require Expert Review for future all= ocations. Provide any public guidance that the IESG would find useful in se= lecting the IANA Experts for these new registries.

The document only adds entries to existing registries and does not define a= ny new registries.

(19) Describe reviews and automated checks performed by the Document Shephe= rd to validate sections of the document written in a formal language, such = as XML code, BNF rules, MIB definitions, etc.

There are only snippets of message exchanges and JWT assertion structures, = which are based on JSON, used in the examples. There is no pseudo code cont= ained in the document that requires validation.



_______________________________________________=
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--047d7b4728009fdce904f7d23e5a-- From nobody Thu Apr 24 16:36:17 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2411E1A043D for ; Thu, 24 Apr 2014 16:36:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MoDPgXzHPchX for ; Thu, 24 Apr 2014 16:36:10 -0700 (PDT) Received: from mail-pb0-f47.google.com (mail-pb0-f47.google.com [209.85.160.47]) by ietfa.amsl.com (Postfix) with ESMTP id 1F2A41A042D for ; Thu, 24 Apr 2014 16:36:10 -0700 (PDT) Received: by mail-pb0-f47.google.com with SMTP id up15so2477802pbc.6 for ; Thu, 24 Apr 2014 16:36:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=XU3A4CkppCop5EBYmZUU1xIUExYED1EieznQOfgVJWI=; b=DK2GuCs9ZsA6qP5Lozk3VlyAeJasZYZVMkytbwtamOqnuZIar7PPXXRmEWPfVruSkk 4G5YzQmqjyNG+fgEhBStwDB4kddBKiI0SmsR5fpqbU3pCjVSAtBrAXbaJA7jzkKT3UY1 q0xOQ0aFtkV36osv1qm6yyAGyjp21/IkPgQi8skNQ4z1qEBFG96TAncAMcahBo/4p3S5 WHIjGIVjmZ381XLkyZ7x6UD5DYvY39eOqm8gwir/wceYsfpyJUQQrglIcQ3k7ED21hOp dt70JWMoOCAb2iUlgJ/OKtr1+zG4bY3NIOH2cQprwZuGRj5qP4CE2FkcEb1eQpNur7/g mkHw== X-Gm-Message-State: ALoCoQnlCNvASQRdYLLZ/ZOkGD2B1ywlmFqE/2z6DJ46K7UpWgorz1SsPItPVBs0POm3l/8MwMPp MIME-Version: 1.0 X-Received: by 10.66.149.37 with SMTP id tx5mr3547593pab.81.1398382563958; Thu, 24 Apr 2014 16:36:03 -0700 (PDT) Received: by 10.70.129.134 with HTTP; Thu, 24 Apr 2014 16:36:03 -0700 (PDT) In-Reply-To: <53577C73.2010201@gmx.net> References: <53577C73.2010201@gmx.net> Date: Thu, 24 Apr 2014 16:36:03 -0700 Message-ID: From: Chuck Mortimore To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=047d7b6dcdccfc33c504f7d24faf Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/VedCdz_2eIwvzbXIyUsht2ngvoo Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Apr 2014 23:36:15 -0000 --047d7b6dcdccfc33c504f7d24faf Content-Type: text/plain; charset=ISO-8859-1 I do not have, nor am I aware of any, IPR on any of the technology in the document. thanks -cmort On Wed, Apr 23, 2014 at 1:40 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi all, > > I am working on the shepherd writeup for the JWT bearer document. The > shepherd write-ups for the assertion draft and the SAML bearer document > have been completed a while ago already, see > http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html > > A few requests: > > - To the document authors: Please confirm that any and all appropriate > IPR disclosures required for full conformance with the provisions of BCP > 78 and BCP 79 have already been filed. > > - To all: Are you aware of implementations of this specification? If so, > I would like to reference them in my write-up. > > - To all: Please also go through the text to make sure that I correctly > reflect the history and the status of this document. > > Here is the most recent version of the write-up: > > https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt > > > (The copy-and-paste of the full version is below.) > > Ciao > Hannes > > PS: Note that I have send a mail about a pending issue to the list. In > response to my question I will update the write-up accordingly. > > ---- > > Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client > Authentication and Authorization Grants" > > (1) What type of RFC is being requested (BCP, Proposed Standard, > Internet Standard, Informational, Experimental, or Historic)? Why is > this the proper type of RFC? Is this type of RFC indicated in the title > page header? > > The RFC type is 'Standards Track' and the type is indicated in the title > page. This document defines an instantiation for the OAuth assertion > framework using JSON Web Tokens. > > (2) The IESG approval announcement includes a Document Announcement > Write-Up. Please provide such a Document Announcement Write-Up. Recent > examples can be found in the "Action" announcements for approved > documents. The approval announcement contains the following sections: > > Technical Summary: > > This specification defines the use of a JSON Web Token (JWT) Bearer > Token as a means for requesting an OAuth 2.0 access token as well as > for use as a means of client authentication. > > Working Group Summary: > > Was there anything in WG process that is worth noting? For example, was > there controversy about particular points or were there decisions where > the consensus was particularly rough? > > This document belongs to the OAuth assertion document bundle consisting > of the abstract OAuth assertion framework, and the SAML assertion > profile. Due to the use of the JSON-based encoding of the assertion it > also relies on the work in the JOSE working group (such as JWE/JWS) > indirectly through the use of the JWT. This document has intentionally > been kept in sync with the SAML-based version. > > Document Quality: > > This document has gone through many iterations and has received > substantial feedback. > > [[Add implementation list here.]] > > Personnel: > > The document shepherd is Hannes Tschofenig and the responsible area > director is Kathleen Moriarty. > > (3) Briefly describe the review of this document that was performed by > the Document Shepherd. If this version of the document is not ready for > publication, please explain why the document is being forwarded to the > IESG. > > The draft authors believe that this document is ready for publication. > The document has had received review comments from working group > members, and from the OAuth working group chairs. These review comments > have been taken into account. > > (4) Does the document Shepherd have any concerns about the depth or > breadth of the reviews that have been performed? > > This document has gotten feedback from the working group and given the > focused use cases it has received adequate review. > > (5) Do portions of the document need review from a particular or from > broader perspective, e.g., security, operational complexity, AAA, DNS, > DHCP, XML, or internationalization? If so, describe the review that took > place. > > Since the OAuth working group develops security protocols any feedback > from the security community is always appreciated. > > (6) Describe any specific concerns or issues that the Document Shepherd > has with this document that the Responsible Area Director and/or the > IESG should be aware of? For example, perhaps he or she is uncomfortable > with certain parts of the document, or has concerns whether there really > is a need for it. In any event, if the WG has discussed those issues and > has indicated that it still wishes to advance the document, detail those > concerns here. > > The shepherd has no concerns with this document. > > (7) Has each author confirmed that any and all appropriate IPR > disclosures required for full conformance with the provisions of BCP 78 > and BCP 79 have already been filed. If not, explain why? > > [[Confirmation from the authors required.]] > > (8) Has an IPR disclosure been filed that references this document? If > so, summarize any WG discussion and conclusion regarding the IPR > disclosures. > > No IPR disclosures have been filed on this document. However, two IPRs > have been filed for the JWT specification this document relies on, see > > http://datatracker.ietf.org/ipr/search/?option=document_search&id=draft-ietf-oauth-json-web-token > > > (9) How solid is the WG consensus behind this document? Does it > represent the strong concurrence of a few individuals, with others being > silent, or does the WG as a whole understand and agree with it? > > The working group has consensus to publish this document. > > (10) Has anyone threatened an appeal or otherwise indicated extreme > discontent? If so, please summarise the areas of conflict in separate > email messages to the Responsible Area Director. (It should be in a > separate email because this questionnaire is publicly available.) > > No appeal or extreme discontent has been raised. > > (11) Identify any ID nits the Document Shepherd has found in this > document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts > Checklist). Boilerplate checks are not enough; this check needs to be > thorough. > > The shepherd has checked the nits. > > (12) Describe how the document meets any required formal review > criteria, such as the MIB Doctor, media type, and URI type reviews. > > There is no such review necessary. > > (13) Have all references within this document been identified as either > normative or informative? > > Yes. > > (14) Are there normative references to documents that are not ready for > advancement or are otherwise in an unclear state? If such normative > references exist, what is the plan for their completion? > > Yes. > > (15) Are there downward normative references references (see RFC 3967)? > If so, list these downward references to support the Area Director in > the Last Call procedure. > > RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational > RFC. A downref is required. > > However, this document depends on the completion of the abstract OAuth > assertion framework and on the JWT specification. > There are the following dependencies: > > (16) Will publication of this document change the status of any existing > RFCs? Are those RFCs listed on the title page header, listed in the > abstract, and discussed in the introduction? If the RFCs are not listed > in the Abstract and Introduction, explain why, and point to the part of > the document where the relationship of this document to the other RFCs > is discussed. If this information is not in the document, explain why > the WG considers it unnecessary. > > The publication of this document does not change the status of other RFCs. > > (17) Describe the Document Shepherd's review of the IANA considerations > section, especially with regard to its consistency with the body of the > document. Confirm that all protocol extensions that the document makes > are associated with the appropriate reservations in IANA registries. > Confirm that any referenced IANA registries have been clearly > identified. Confirm that newly created IANA registries include a > detailed specification of the initial contents for the registry, that > allocations procedures for future registrations are defined, and a > reasonable name for the new registry has been suggested (see RFC 5226). > > The document registers two sub-namespaces to the urn:ietf:params:oauth > URN established with RFC 6755. > > (18) List any new IANA registries that require Expert Review for future > allocations. Provide any public guidance that the IESG would find useful > in selecting the IANA Experts for these new registries. > > The document only adds entries to existing registries and does not > define any new registries. > > (19) Describe reviews and automated checks performed by the Document > Shepherd to validate sections of the document written in a formal > language, such as XML code, BNF rules, MIB definitions, etc. > > There are only snippets of message exchanges and JWT assertion > structures, which are based on JSON, used in the examples. There is no > pseudo code contained in the document that requires validation. > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --047d7b6dcdccfc33c504f7d24faf Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
I do not have, nor am I aware of any,=A0IPR=A0on any o= f the=A0technology=A0in the=A0document.=A0

tha= nks

-cmort


On Wed, Apr 23, 2014 at 1:40 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
Hi all,

I am working on the shepherd writeup for the JWT bearer document. The
shepherd write-ups for the assertion draft and the SAML bearer document
have been completed a while ago already, see
http://www.ietf.org/mail-archive/web/oauth/current/msg1= 2410.html

A few requests:

- To the document authors: Please confirm that any and all appropriate
IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.

- To all: Are you aware of implementations of this specification? If so, I would like to reference them in my write-up.

- To all: Please also go through the text to make sure that I correctly
reflect the history and the status of this document.

Here is the most recent version of the write-up:
https://raw.githubusercontent.com/hannestschofenig/tschofenig-i= ds/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt


(The copy-and-paste of the full version is below.)

Ciao
Hannes

PS: Note that I have send a mail about a pending issue to the list. In
response to my question I will update the write-up accordingly.

----

Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client
Authentication and Authorization Grants" <draft-ietf-oauth-saml2-be= arer-08>

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)? Why is
this the proper type of RFC? Is this type of RFC indicated in the title
page header?

The RFC type is 'Standards Track' and the type is indicated in the = title
page. This document defines an instantiation for the OAuth assertion
framework using JSON Web Tokens.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved<= br> documents. The approval announcement contains the following sections:

Technical Summary:

=A0 =A0This specification defines the use of a JSON Web Token (JWT) Bearer<= br> =A0 =A0Token as a means for requesting an OAuth 2.0 access token as well as=
=A0 =A0for use as a means of client authentication.

Working Group Summary:

Was there anything in WG process that is worth noting? For example, was
there controversy about particular points or were there decisions where
the consensus was particularly rough?

This document belongs to the OAuth assertion document bundle consisting
of the abstract OAuth assertion framework, and the SAML assertion
profile. Due to the use of the JSON-based encoding of the assertion it
also relies on the work in the JOSE working group (such as JWE/JWS)
indirectly through the use of the JWT. This document has intentionally
been kept in sync with the SAML-based version.

Document Quality:

This document has gone through many iterations and has received
substantial feedback.

[[Add implementation list here.]]

Personnel:

The document shepherd is Hannes Tschofenig and the responsible area
director is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd. If this version of the document is not ready for
publication, please explain why the document is being forwarded to the IESG= .

The draft authors believe that this document is ready for publication.
The document has had received review comments from working group
members, and from the OAuth working group chairs. These review comments
have been taken into account.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

This document has gotten feedback from the working group and given the
focused use cases it has received adequate review.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that took place.

Since the OAuth working group develops security protocols any feedback
from the security community is always appreciated.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

The shepherd has no concerns with this document.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why?

[[Confirmation from the authors required.]]

(8) Has an IPR disclosure been filed that references this document? If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been filed on this document. However, two IPRs
have been filed for the JWT specification this document relies on, see
http://datatra= cker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraft-ietf-oaut= h-json-web-token


(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

The working group has consensus to publish this document.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No appeal or extreme discontent has been raised.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The shepherd has checked the nits.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

There is no such review necessary.

(13) Have all references within this document been identified as either
normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

Yes.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational
RFC. A downref is required.

However, this document depends on the completion of the abstract OAuth
assertion framework and on the JWT specification.
There are the following dependencies:

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction? If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs
is discussed. If this information is not in the document, explain why
the WG considers it unnecessary.

The publication of this document does not change the status of other RFCs.<= br>
(17) Describe the Document Shepherd's review of the IANA considerations=
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

The document registers two sub-namespaces to the urn:ietf:params:oauth
URN established with RFC 6755.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

The document only adds entries to existing registries and does not
define any new registries.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

There are only snippets of message exchanges and JWT assertion
structures, which are based on JSON, used in the examples. There is no
pseudo code contained in the document that requires validation.




_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--047d7b6dcdccfc33c504f7d24faf-- From nobody Thu Apr 24 22:26:39 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFD3E1A030B for ; Thu, 24 Apr 2014 22:26:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.551 X-Spam-Level: X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id glBz0-iGWqps for ; Thu, 24 Apr 2014 22:26:31 -0700 (PDT) Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.29]) by ietfa.amsl.com (Postfix) with ESMTP id DA3251A02F9 for ; Thu, 24 Apr 2014 22:26:30 -0700 (PDT) Received: from [80.187.96.74] (helo=[10.208.186.37]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from ) id 1WdYeQ-0001PC-Ir; Fri, 25 Apr 2014 07:26:22 +0200 Date: Fri, 25 Apr 2014 07:26:13 +0200 Message-ID: Importance: normal From: Torsten Lodderstedt To: Chuck Mortimore , Mike Jones MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--_com.android.email_597612265271170" X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ= Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/dWmqCNFxl9CfwVg0XwAeZO-iPdY Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 05:26:36 -0000 ----_com.android.email_597612265271170 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: base64 RGV1dHNjaGUgVGVsZWtvbSBhbHNvIGhhcyBhbiBpbXBsZW1lbnRhdGlvbi7CoAoKcmVnYXJkcywK VG9yc3Rlbi4KCi0tLS0tLS0tIFVyc3Byw7xuZ2xpY2hlIE5hY2hyaWNodCAtLS0tLS0tLQpWb246 IENodWNrIE1vcnRpbW9yZSA8Y21vcnRpbW9yZUBzYWxlc2ZvcmNlLmNvbT4gCkRhdHVtOjI1LjA0 LjIwMTQgIDAxOjMxICAoR01UKzAxOjAwKSAKQW46IE1pa2UgSm9uZXMgPE1pY2hhZWwuSm9uZXNA bWljcm9zb2Z0LmNvbT4gCkNjOiBvYXV0aEBpZXRmLm9yZyAKQmV0cmVmZjogUmU6IFtPQVVUSC1X R10gZHJhZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyIFNoZXBoZXJkIFdyaXRlLXVwIAoKU2FsZXNm b3JjZSBJbXBsZW1lbnRhdGlvbjogaHR0cHM6Ly9oZWxwLnNhbGVzZm9yY2UuY29tL0hUVmlld0hl bHBEb2M/aWQ9cmVtb3RlYWNjZXNzX29hdXRoX2p3dF9mbG93Lmh0bSZsYW5ndWFnZT1lbl9VUwoK Ck9uIFRodSwgQXByIDI0LCAyMDE0IGF0IDM6NDEgUE0sIE1pa2UgSm9uZXMgPE1pY2hhZWwuSm9u ZXNAbWljcm9zb2Z0LmNvbT4gd3JvdGU6CkkgYW0gYXdhcmUgb2YgdGhlc2UgaW1wbGVtZW50YXRp b25zOgrCoCDCoCDCoCDCoCBNaWNyb3NvZnQgQXp1cmUgQWN0aXZlIERpcmVjdG9yeTogwqBodHRw Oi8vYXp1cmUubWljcm9zb2Z0LmNvbS9lbi11cy9zZXJ2aWNlcy9hY3RpdmUtZGlyZWN0b3J5LwrC oCDCoCDCoCDCoCBHb29nbGUgU2VydmljZSBBY2NvdW50OiBodHRwczovL2RldmVsb3BlcnMuZ29v Z2xlLmNvbS9hY2NvdW50cy9kb2NzL09BdXRoMlNlcnZpY2VBY2NvdW50CgpJIGJlbGlldmUgdGhh dCBQaW5nIElkZW50aXR5IGFuZCBTYWxlc2ZvcmNlIGFsc28gaGF2ZSBpbXBsZW1lbnRhdGlvbnMs IGJ1dCBJJ2xsIGxldCBCcmlhbiBhbmQgQ2h1Y2sgYXV0aG9yaXRhdGl2ZWx5IHNwZWFrIHRvIHRo b3NlLgoKwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgLS0g TWlrZQoKLS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS0KRnJvbTogT0F1dGggW21haWx0bzpvYXV0 aC1ib3VuY2VzQGlldGYub3JnXSBPbiBCZWhhbGYgT2YgSGFubmVzIFRzY2hvZmVuaWcKU2VudDog V2VkbmVzZGF5LCBBcHJpbCAyMywgMjAxNCAxOjQwIEFNClRvOiBvYXV0aEBpZXRmLm9yZwpTdWJq ZWN0OiBbT0FVVEgtV0ddIGRyYWZ0LWlldGYtb2F1dGgtand0LWJlYXJlciBTaGVwaGVyZCBXcml0 ZS11cAoKSGkgYWxsLAoKSSBhbSB3b3JraW5nIG9uIHRoZSBzaGVwaGVyZCB3cml0ZXVwIGZvciB0 aGUgSldUIGJlYXJlciBkb2N1bWVudC4gVGhlIHNoZXBoZXJkIHdyaXRlLXVwcyBmb3IgdGhlIGFz c2VydGlvbiBkcmFmdCBhbmQgdGhlIFNBTUwgYmVhcmVyIGRvY3VtZW50IGhhdmUgYmVlbiBjb21w bGV0ZWQgYSB3aGlsZSBhZ28gYWxyZWFkeSwgc2VlIGh0dHA6Ly93d3cuaWV0Zi5vcmcvbWFpbC1h cmNoaXZlL3dlYi9vYXV0aC9jdXJyZW50L21zZzEyNDEwLmh0bWwKCkEgZmV3IHJlcXVlc3RzOgoK LSBUbyB0aGUgZG9jdW1lbnQgYXV0aG9yczogUGxlYXNlIGNvbmZpcm0gdGhhdCBhbnkgYW5kIGFs bCBhcHByb3ByaWF0ZSBJUFIgZGlzY2xvc3VyZXMgcmVxdWlyZWQgZm9yIGZ1bGwgY29uZm9ybWFu Y2Ugd2l0aCB0aGUgcHJvdmlzaW9ucyBvZiBCQ1AKNzggYW5kIEJDUCA3OSBoYXZlIGFscmVhZHkg YmVlbiBmaWxlZC4KCi0gVG8gYWxsOiBBcmUgeW91IGF3YXJlIG9mIGltcGxlbWVudGF0aW9ucyBv ZiB0aGlzIHNwZWNpZmljYXRpb24/IElmIHNvLCBJIHdvdWxkIGxpa2UgdG8gcmVmZXJlbmNlIHRo ZW0gaW4gbXkgd3JpdGUtdXAuCgotIFRvIGFsbDogUGxlYXNlIGFsc28gZ28gdGhyb3VnaCB0aGUg dGV4dCB0byBtYWtlIHN1cmUgdGhhdCBJIGNvcnJlY3RseSByZWZsZWN0IHRoZSBoaXN0b3J5IGFu ZCB0aGUgc3RhdHVzIG9mIHRoaXMgZG9jdW1lbnQuCgpIZXJlIGlzIHRoZSBtb3N0IHJlY2VudCB2 ZXJzaW9uIG9mIHRoZSB3cml0ZS11cDoKaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29t L2hhbm5lc3RzY2hvZmVuaWcvdHNjaG9mZW5pZy1pZHMvbWFzdGVyL3NoZXBoZXJkLXdyaXRldXBz L1dyaXRldXBfT0F1dGhfSldULUFzc2VydGlvbi1Qcm9maWxlLnR4dAoKCihUaGUgY29weS1hbmQt cGFzdGUgb2YgdGhlIGZ1bGwgdmVyc2lvbiBpcyBiZWxvdy4pCgpDaWFvCkhhbm5lcwoKUFM6IE5v dGUgdGhhdCBJIGhhdmUgc2VuZCBhIG1haWwgYWJvdXQgYSBwZW5kaW5nIGlzc3VlIHRvIHRoZSBs aXN0LiBJbiByZXNwb25zZSB0byBteSBxdWVzdGlvbiBJIHdpbGwgdXBkYXRlIHRoZSB3cml0ZS11 cCBhY2NvcmRpbmdseS4KCi0tLS0KCldyaXRldXAgZm9yICJKU09OIFdlYiBUb2tlbiAoSldUKSBQ cm9maWxlIGZvciBPQXV0aCAyLjAgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBBdXRob3JpemF0 aW9uIEdyYW50cyIgPGRyYWZ0LWlldGYtb2F1dGgtc2FtbDItYmVhcmVyLTA4PgoKKDEpIFdoYXQg dHlwZSBvZiBSRkMgaXMgYmVpbmcgcmVxdWVzdGVkIChCQ1AsIFByb3Bvc2VkIFN0YW5kYXJkLCBJ bnRlcm5ldCBTdGFuZGFyZCwgSW5mb3JtYXRpb25hbCwgRXhwZXJpbWVudGFsLCBvciBIaXN0b3Jp Yyk/IFdoeSBpcyB0aGlzIHRoZSBwcm9wZXIgdHlwZSBvZiBSRkM/IElzIHRoaXMgdHlwZSBvZiBS RkMgaW5kaWNhdGVkIGluIHRoZSB0aXRsZSBwYWdlIGhlYWRlcj8KClRoZSBSRkMgdHlwZSBpcyAn U3RhbmRhcmRzIFRyYWNrJyBhbmQgdGhlIHR5cGUgaXMgaW5kaWNhdGVkIGluIHRoZSB0aXRsZSBw YWdlLiBUaGlzIGRvY3VtZW50IGRlZmluZXMgYW4gaW5zdGFudGlhdGlvbiBmb3IgdGhlIE9BdXRo IGFzc2VydGlvbiBmcmFtZXdvcmsgdXNpbmcgSlNPTiBXZWIgVG9rZW5zLgoKKDIpIFRoZSBJRVNH IGFwcHJvdmFsIGFubm91bmNlbWVudCBpbmNsdWRlcyBhIERvY3VtZW50IEFubm91bmNlbWVudCBX cml0ZS1VcC4gUGxlYXNlIHByb3ZpZGUgc3VjaCBhIERvY3VtZW50IEFubm91bmNlbWVudCBXcml0 ZS1VcC4gUmVjZW50IGV4YW1wbGVzIGNhbiBiZSBmb3VuZCBpbiB0aGUgIkFjdGlvbiIgYW5ub3Vu Y2VtZW50cyBmb3IgYXBwcm92ZWQgZG9jdW1lbnRzLiBUaGUgYXBwcm92YWwgYW5ub3VuY2VtZW50 IGNvbnRhaW5zIHRoZSBmb2xsb3dpbmcgc2VjdGlvbnM6CgpUZWNobmljYWwgU3VtbWFyeToKCsKg IMKgVGhpcyBzcGVjaWZpY2F0aW9uIGRlZmluZXMgdGhlIHVzZSBvZiBhIEpTT04gV2ViIFRva2Vu IChKV1QpIEJlYXJlcgrCoCDCoFRva2VuIGFzIGEgbWVhbnMgZm9yIHJlcXVlc3RpbmcgYW4gT0F1 dGggMi4wIGFjY2VzcyB0b2tlbiBhcyB3ZWxsIGFzCsKgIMKgZm9yIHVzZSBhcyBhIG1lYW5zIG9m IGNsaWVudCBhdXRoZW50aWNhdGlvbi4KCldvcmtpbmcgR3JvdXAgU3VtbWFyeToKCldhcyB0aGVy ZSBhbnl0aGluZyBpbiBXRyBwcm9jZXNzIHRoYXQgaXMgd29ydGggbm90aW5nPyBGb3IgZXhhbXBs ZSwgd2FzIHRoZXJlIGNvbnRyb3ZlcnN5IGFib3V0IHBhcnRpY3VsYXIgcG9pbnRzIG9yIHdlcmUg dGhlcmUgZGVjaXNpb25zIHdoZXJlIHRoZSBjb25zZW5zdXMgd2FzIHBhcnRpY3VsYXJseSByb3Vn aD8KClRoaXMgZG9jdW1lbnQgYmVsb25ncyB0byB0aGUgT0F1dGggYXNzZXJ0aW9uIGRvY3VtZW50 IGJ1bmRsZSBjb25zaXN0aW5nIG9mIHRoZSBhYnN0cmFjdCBPQXV0aCBhc3NlcnRpb24gZnJhbWV3 b3JrLCBhbmQgdGhlIFNBTUwgYXNzZXJ0aW9uIHByb2ZpbGUuIER1ZSB0byB0aGUgdXNlIG9mIHRo ZSBKU09OLWJhc2VkIGVuY29kaW5nIG9mIHRoZSBhc3NlcnRpb24gaXQgYWxzbyByZWxpZXMgb24g dGhlIHdvcmsgaW4gdGhlIEpPU0Ugd29ya2luZyBncm91cCAoc3VjaCBhcyBKV0UvSldTKSBpbmRp cmVjdGx5IHRocm91Z2ggdGhlIHVzZSBvZiB0aGUgSldULiBUaGlzIGRvY3VtZW50IGhhcyBpbnRl bnRpb25hbGx5IGJlZW4ga2VwdCBpbiBzeW5jIHdpdGggdGhlIFNBTUwtYmFzZWQgdmVyc2lvbi4K CkRvY3VtZW50IFF1YWxpdHk6CgpUaGlzIGRvY3VtZW50IGhhcyBnb25lIHRocm91Z2ggbWFueSBp dGVyYXRpb25zIGFuZCBoYXMgcmVjZWl2ZWQgc3Vic3RhbnRpYWwgZmVlZGJhY2suCgpbW0FkZCBp bXBsZW1lbnRhdGlvbiBsaXN0IGhlcmUuXV0KClBlcnNvbm5lbDoKClRoZSBkb2N1bWVudCBzaGVw aGVyZCBpcyBIYW5uZXMgVHNjaG9mZW5pZyBhbmQgdGhlIHJlc3BvbnNpYmxlIGFyZWEgZGlyZWN0 b3IgaXMgS2F0aGxlZW4gTW9yaWFydHkuCgooMykgQnJpZWZseSBkZXNjcmliZSB0aGUgcmV2aWV3 IG9mIHRoaXMgZG9jdW1lbnQgdGhhdCB3YXMgcGVyZm9ybWVkIGJ5IHRoZSBEb2N1bWVudCBTaGVw aGVyZC4gSWYgdGhpcyB2ZXJzaW9uIG9mIHRoZSBkb2N1bWVudCBpcyBub3QgcmVhZHkgZm9yIHB1 YmxpY2F0aW9uLCBwbGVhc2UgZXhwbGFpbiB3aHkgdGhlIGRvY3VtZW50IGlzIGJlaW5nIGZvcndh cmRlZCB0byB0aGUgSUVTRy4KClRoZSBkcmFmdCBhdXRob3JzIGJlbGlldmUgdGhhdCB0aGlzIGRv Y3VtZW50IGlzIHJlYWR5IGZvciBwdWJsaWNhdGlvbi4KVGhlIGRvY3VtZW50IGhhcyBoYWQgcmVj ZWl2ZWQgcmV2aWV3IGNvbW1lbnRzIGZyb20gd29ya2luZyBncm91cCBtZW1iZXJzLCBhbmQgZnJv bSB0aGUgT0F1dGggd29ya2luZyBncm91cCBjaGFpcnMuIFRoZXNlIHJldmlldyBjb21tZW50cyBo YXZlIGJlZW4gdGFrZW4gaW50byBhY2NvdW50LgoKKDQpIERvZXMgdGhlIGRvY3VtZW50IFNoZXBo ZXJkIGhhdmUgYW55IGNvbmNlcm5zIGFib3V0IHRoZSBkZXB0aCBvciBicmVhZHRoIG9mIHRoZSBy ZXZpZXdzIHRoYXQgaGF2ZSBiZWVuIHBlcmZvcm1lZD8KClRoaXMgZG9jdW1lbnQgaGFzIGdvdHRl biBmZWVkYmFjayBmcm9tIHRoZSB3b3JraW5nIGdyb3VwIGFuZCBnaXZlbiB0aGUgZm9jdXNlZCB1 c2UgY2FzZXMgaXQgaGFzIHJlY2VpdmVkIGFkZXF1YXRlIHJldmlldy4KCig1KSBEbyBwb3J0aW9u cyBvZiB0aGUgZG9jdW1lbnQgbmVlZCByZXZpZXcgZnJvbSBhIHBhcnRpY3VsYXIgb3IgZnJvbSBi cm9hZGVyIHBlcnNwZWN0aXZlLCBlLmcuLCBzZWN1cml0eSwgb3BlcmF0aW9uYWwgY29tcGxleGl0 eSwgQUFBLCBETlMsIERIQ1AsIFhNTCwgb3IgaW50ZXJuYXRpb25hbGl6YXRpb24/IElmIHNvLCBk ZXNjcmliZSB0aGUgcmV2aWV3IHRoYXQgdG9vayBwbGFjZS4KClNpbmNlIHRoZSBPQXV0aCB3b3Jr aW5nIGdyb3VwIGRldmVsb3BzIHNlY3VyaXR5IHByb3RvY29scyBhbnkgZmVlZGJhY2sgZnJvbSB0 aGUgc2VjdXJpdHkgY29tbXVuaXR5IGlzIGFsd2F5cyBhcHByZWNpYXRlZC4KCig2KSBEZXNjcmli ZSBhbnkgc3BlY2lmaWMgY29uY2VybnMgb3IgaXNzdWVzIHRoYXQgdGhlIERvY3VtZW50IFNoZXBo ZXJkIGhhcyB3aXRoIHRoaXMgZG9jdW1lbnQgdGhhdCB0aGUgUmVzcG9uc2libGUgQXJlYSBEaXJl Y3RvciBhbmQvb3IgdGhlIElFU0cgc2hvdWxkIGJlIGF3YXJlIG9mPyBGb3IgZXhhbXBsZSwgcGVy aGFwcyBoZSBvciBzaGUgaXMgdW5jb21mb3J0YWJsZSB3aXRoIGNlcnRhaW4gcGFydHMgb2YgdGhl IGRvY3VtZW50LCBvciBoYXMgY29uY2VybnMgd2hldGhlciB0aGVyZSByZWFsbHkgaXMgYSBuZWVk IGZvciBpdC4gSW4gYW55IGV2ZW50LCBpZiB0aGUgV0cgaGFzIGRpc2N1c3NlZCB0aG9zZSBpc3N1 ZXMgYW5kIGhhcyBpbmRpY2F0ZWQgdGhhdCBpdCBzdGlsbCB3aXNoZXMgdG8gYWR2YW5jZSB0aGUg ZG9jdW1lbnQsIGRldGFpbCB0aG9zZSBjb25jZXJucyBoZXJlLgoKVGhlIHNoZXBoZXJkIGhhcyBu byBjb25jZXJucyB3aXRoIHRoaXMgZG9jdW1lbnQuCgooNykgSGFzIGVhY2ggYXV0aG9yIGNvbmZp cm1lZCB0aGF0IGFueSBhbmQgYWxsIGFwcHJvcHJpYXRlIElQUiBkaXNjbG9zdXJlcyByZXF1aXJl ZCBmb3IgZnVsbCBjb25mb3JtYW5jZSB3aXRoIHRoZSBwcm92aXNpb25zIG9mIEJDUCA3OCBhbmQg QkNQIDc5IGhhdmUgYWxyZWFkeSBiZWVuIGZpbGVkLiBJZiBub3QsIGV4cGxhaW4gd2h5PwoKW1tD b25maXJtYXRpb24gZnJvbSB0aGUgYXV0aG9ycyByZXF1aXJlZC5dXQoKKDgpIEhhcyBhbiBJUFIg ZGlzY2xvc3VyZSBiZWVuIGZpbGVkIHRoYXQgcmVmZXJlbmNlcyB0aGlzIGRvY3VtZW50PyBJZiBz bywgc3VtbWFyaXplIGFueSBXRyBkaXNjdXNzaW9uIGFuZCBjb25jbHVzaW9uIHJlZ2FyZGluZyB0 aGUgSVBSIGRpc2Nsb3N1cmVzLgoKTm8gSVBSIGRpc2Nsb3N1cmVzIGhhdmUgYmVlbiBmaWxlZCBv biB0aGlzIGRvY3VtZW50LiBIb3dldmVyLCB0d28gSVBScyBoYXZlIGJlZW4gZmlsZWQgZm9yIHRo ZSBKV1Qgc3BlY2lmaWNhdGlvbiB0aGlzIGRvY3VtZW50IHJlbGllcyBvbiwgc2VlIGh0dHA6Ly9k YXRhdHJhY2tlci5pZXRmLm9yZy9pcHIvc2VhcmNoLz9vcHRpb249ZG9jdW1lbnRfc2VhcmNoJmlk PWRyYWZ0LWlldGYtb2F1dGgtanNvbi13ZWItdG9rZW4KCgooOSkgSG93IHNvbGlkIGlzIHRoZSBX RyBjb25zZW5zdXMgYmVoaW5kIHRoaXMgZG9jdW1lbnQ/IERvZXMgaXQgcmVwcmVzZW50IHRoZSBz dHJvbmcgY29uY3VycmVuY2Ugb2YgYSBmZXcgaW5kaXZpZHVhbHMsIHdpdGggb3RoZXJzIGJlaW5n IHNpbGVudCwgb3IgZG9lcyB0aGUgV0cgYXMgYSB3aG9sZSB1bmRlcnN0YW5kIGFuZCBhZ3JlZSB3 aXRoIGl0PwoKVGhlIHdvcmtpbmcgZ3JvdXAgaGFzIGNvbnNlbnN1cyB0byBwdWJsaXNoIHRoaXMg ZG9jdW1lbnQuCgooMTApIEhhcyBhbnlvbmUgdGhyZWF0ZW5lZCBhbiBhcHBlYWwgb3Igb3RoZXJ3 aXNlIGluZGljYXRlZCBleHRyZW1lIGRpc2NvbnRlbnQ/IElmIHNvLCBwbGVhc2Ugc3VtbWFyaXNl IHRoZSBhcmVhcyBvZiBjb25mbGljdCBpbiBzZXBhcmF0ZSBlbWFpbCBtZXNzYWdlcyB0byB0aGUg UmVzcG9uc2libGUgQXJlYSBEaXJlY3Rvci4gKEl0IHNob3VsZCBiZSBpbiBhIHNlcGFyYXRlIGVt YWlsIGJlY2F1c2UgdGhpcyBxdWVzdGlvbm5haXJlIGlzIHB1YmxpY2x5IGF2YWlsYWJsZS4pCgpO byBhcHBlYWwgb3IgZXh0cmVtZSBkaXNjb250ZW50IGhhcyBiZWVuIHJhaXNlZC4KCigxMSkgSWRl bnRpZnkgYW55IElEIG5pdHMgdGhlIERvY3VtZW50IFNoZXBoZXJkIGhhcyBmb3VuZCBpbiB0aGlz IGRvY3VtZW50LiAoU2VlIGh0dHA6Ly93d3cuaWV0Zi5vcmcvdG9vbHMvaWRuaXRzLyBhbmQgdGhl IEludGVybmV0LURyYWZ0cyBDaGVja2xpc3QpLiBCb2lsZXJwbGF0ZSBjaGVja3MgYXJlIG5vdCBl bm91Z2g7IHRoaXMgY2hlY2sgbmVlZHMgdG8gYmUgdGhvcm91Z2guCgpUaGUgc2hlcGhlcmQgaGFz IGNoZWNrZWQgdGhlIG5pdHMuCgooMTIpIERlc2NyaWJlIGhvdyB0aGUgZG9jdW1lbnQgbWVldHMg YW55IHJlcXVpcmVkIGZvcm1hbCByZXZpZXcgY3JpdGVyaWEsIHN1Y2ggYXMgdGhlIE1JQiBEb2N0 b3IsIG1lZGlhIHR5cGUsIGFuZCBVUkkgdHlwZSByZXZpZXdzLgoKVGhlcmUgaXMgbm8gc3VjaCBy ZXZpZXcgbmVjZXNzYXJ5LgoKKDEzKSBIYXZlIGFsbCByZWZlcmVuY2VzIHdpdGhpbiB0aGlzIGRv Y3VtZW50IGJlZW4gaWRlbnRpZmllZCBhcyBlaXRoZXIgbm9ybWF0aXZlIG9yIGluZm9ybWF0aXZl PwoKWWVzLgoKKDE0KSBBcmUgdGhlcmUgbm9ybWF0aXZlIHJlZmVyZW5jZXMgdG8gZG9jdW1lbnRz IHRoYXQgYXJlIG5vdCByZWFkeSBmb3IgYWR2YW5jZW1lbnQgb3IgYXJlIG90aGVyd2lzZSBpbiBh biB1bmNsZWFyIHN0YXRlPyBJZiBzdWNoIG5vcm1hdGl2ZSByZWZlcmVuY2VzIGV4aXN0LCB3aGF0 IGlzIHRoZSBwbGFuIGZvciB0aGVpciBjb21wbGV0aW9uPwoKWWVzLgoKKDE1KSBBcmUgdGhlcmUg ZG93bndhcmQgbm9ybWF0aXZlIHJlZmVyZW5jZXMgcmVmZXJlbmNlcyAoc2VlIFJGQyAzOTY3KT8K SWYgc28sIGxpc3QgdGhlc2UgZG93bndhcmQgcmVmZXJlbmNlcyB0byBzdXBwb3J0IHRoZSBBcmVh IERpcmVjdG9yIGluIHRoZSBMYXN0IENhbGwgcHJvY2VkdXJlLgoKUkZDIDY3NTUgZGVmaW5lcyB0 aGUgdXJuOmlldGY6cGFyYW1zOm9hdXRoIFVSTiBhbmQgaXMgYW4gSW5mb3JtYXRpb25hbCBSRkMu IEEgZG93bnJlZiBpcyByZXF1aXJlZC4KCkhvd2V2ZXIsIHRoaXMgZG9jdW1lbnQgZGVwZW5kcyBv biB0aGUgY29tcGxldGlvbiBvZiB0aGUgYWJzdHJhY3QgT0F1dGggYXNzZXJ0aW9uIGZyYW1ld29y ayBhbmQgb24gdGhlIEpXVCBzcGVjaWZpY2F0aW9uLgpUaGVyZSBhcmUgdGhlIGZvbGxvd2luZyBk ZXBlbmRlbmNpZXM6CgooMTYpIFdpbGwgcHVibGljYXRpb24gb2YgdGhpcyBkb2N1bWVudCBjaGFu Z2UgdGhlIHN0YXR1cyBvZiBhbnkgZXhpc3RpbmcgUkZDcz8gQXJlIHRob3NlIFJGQ3MgbGlzdGVk IG9uIHRoZSB0aXRsZSBwYWdlIGhlYWRlciwgbGlzdGVkIGluIHRoZSBhYnN0cmFjdCwgYW5kIGRp c2N1c3NlZCBpbiB0aGUgaW50cm9kdWN0aW9uPyBJZiB0aGUgUkZDcyBhcmUgbm90IGxpc3RlZCBp biB0aGUgQWJzdHJhY3QgYW5kIEludHJvZHVjdGlvbiwgZXhwbGFpbiB3aHksIGFuZCBwb2ludCB0 byB0aGUgcGFydCBvZiB0aGUgZG9jdW1lbnQgd2hlcmUgdGhlIHJlbGF0aW9uc2hpcCBvZiB0aGlz IGRvY3VtZW50IHRvIHRoZSBvdGhlciBSRkNzIGlzIGRpc2N1c3NlZC4gSWYgdGhpcyBpbmZvcm1h dGlvbiBpcyBub3QgaW4gdGhlIGRvY3VtZW50LCBleHBsYWluIHdoeSB0aGUgV0cgY29uc2lkZXJz IGl0IHVubmVjZXNzYXJ5LgoKVGhlIHB1YmxpY2F0aW9uIG9mIHRoaXMgZG9jdW1lbnQgZG9lcyBu b3QgY2hhbmdlIHRoZSBzdGF0dXMgb2Ygb3RoZXIgUkZDcy4KCigxNykgRGVzY3JpYmUgdGhlIERv Y3VtZW50IFNoZXBoZXJkJ3MgcmV2aWV3IG9mIHRoZSBJQU5BIGNvbnNpZGVyYXRpb25zIHNlY3Rp b24sIGVzcGVjaWFsbHkgd2l0aCByZWdhcmQgdG8gaXRzIGNvbnNpc3RlbmN5IHdpdGggdGhlIGJv ZHkgb2YgdGhlIGRvY3VtZW50LiBDb25maXJtIHRoYXQgYWxsIHByb3RvY29sIGV4dGVuc2lvbnMg dGhhdCB0aGUgZG9jdW1lbnQgbWFrZXMgYXJlIGFzc29jaWF0ZWQgd2l0aCB0aGUgYXBwcm9wcmlh dGUgcmVzZXJ2YXRpb25zIGluIElBTkEgcmVnaXN0cmllcy4KQ29uZmlybSB0aGF0IGFueSByZWZl cmVuY2VkIElBTkEgcmVnaXN0cmllcyBoYXZlIGJlZW4gY2xlYXJseSBpZGVudGlmaWVkLiBDb25m aXJtIHRoYXQgbmV3bHkgY3JlYXRlZCBJQU5BIHJlZ2lzdHJpZXMgaW5jbHVkZSBhIGRldGFpbGVk IHNwZWNpZmljYXRpb24gb2YgdGhlIGluaXRpYWwgY29udGVudHMgZm9yIHRoZSByZWdpc3RyeSwg dGhhdCBhbGxvY2F0aW9ucyBwcm9jZWR1cmVzIGZvciBmdXR1cmUgcmVnaXN0cmF0aW9ucyBhcmUg ZGVmaW5lZCwgYW5kIGEgcmVhc29uYWJsZSBuYW1lIGZvciB0aGUgbmV3IHJlZ2lzdHJ5IGhhcyBi ZWVuIHN1Z2dlc3RlZCAoc2VlIFJGQyA1MjI2KS4KClRoZSBkb2N1bWVudCByZWdpc3RlcnMgdHdv IHN1Yi1uYW1lc3BhY2VzIHRvIHRoZSB1cm46aWV0ZjpwYXJhbXM6b2F1dGggVVJOIGVzdGFibGlz aGVkIHdpdGggUkZDIDY3NTUuCgooMTgpIExpc3QgYW55IG5ldyBJQU5BIHJlZ2lzdHJpZXMgdGhh dCByZXF1aXJlIEV4cGVydCBSZXZpZXcgZm9yIGZ1dHVyZSBhbGxvY2F0aW9ucy4gUHJvdmlkZSBh bnkgcHVibGljIGd1aWRhbmNlIHRoYXQgdGhlIElFU0cgd291bGQgZmluZCB1c2VmdWwgaW4gc2Vs ZWN0aW5nIHRoZSBJQU5BIEV4cGVydHMgZm9yIHRoZXNlIG5ldyByZWdpc3RyaWVzLgoKVGhlIGRv Y3VtZW50IG9ubHkgYWRkcyBlbnRyaWVzIHRvIGV4aXN0aW5nIHJlZ2lzdHJpZXMgYW5kIGRvZXMg bm90IGRlZmluZSBhbnkgbmV3IHJlZ2lzdHJpZXMuCgooMTkpIERlc2NyaWJlIHJldmlld3MgYW5k IGF1dG9tYXRlZCBjaGVja3MgcGVyZm9ybWVkIGJ5IHRoZSBEb2N1bWVudCBTaGVwaGVyZCB0byB2 YWxpZGF0ZSBzZWN0aW9ucyBvZiB0aGUgZG9jdW1lbnQgd3JpdHRlbiBpbiBhIGZvcm1hbCBsYW5n dWFnZSwgc3VjaCBhcyBYTUwgY29kZSwgQk5GIHJ1bGVzLCBNSUIgZGVmaW5pdGlvbnMsIGV0Yy4K ClRoZXJlIGFyZSBvbmx5IHNuaXBwZXRzIG9mIG1lc3NhZ2UgZXhjaGFuZ2VzIGFuZCBKV1QgYXNz ZXJ0aW9uIHN0cnVjdHVyZXMsIHdoaWNoIGFyZSBiYXNlZCBvbiBKU09OLCB1c2VkIGluIHRoZSBl eGFtcGxlcy4gVGhlcmUgaXMgbm8gcHNldWRvIGNvZGUgY29udGFpbmVkIGluIHRoZSBkb2N1bWVu dCB0aGF0IHJlcXVpcmVzIHZhbGlkYXRpb24uCgoKCl9fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fCk9BdXRoIG1haWxpbmcgbGlzdApPQXV0aEBpZXRmLm9yZwpo dHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoCgo= ----_com.android.email_597612265271170 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: base64 PGh0bWw+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0 L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPjwvaGVhZD48Ym9keSA+RGV1dHNjaGUgVGVsZWtvbSBhbHNv IGhhcyBhbiBpbXBsZW1lbnRhdGlvbi4mbmJzcDs8ZGl2Pjxicj48L2Rpdj48ZGl2PnJlZ2FyZHMs PC9kaXY+PGRpdj5Ub3JzdGVuLjwvZGl2Pjxicj48YnI+LS0tLS0tLS0gVXJzcHLDvG5nbGljaGUg TmFjaHJpY2h0IC0tLS0tLS0tPGJyPlZvbjogQ2h1Y2sgTW9ydGltb3JlIDxjbW9ydGltb3JlQHNh bGVzZm9yY2UuY29tPiA8YnI+RGF0dW06MjUuMDQuMjAxNCAgMDE6MzEgIChHTVQrMDE6MDApIDxi cj5BbjogTWlrZSBKb25lcyA8TWljaGFlbC5Kb25lc0BtaWNyb3NvZnQuY29tPiA8YnI+Q2M6IG9h dXRoQGlldGYub3JnIDxicj5CZXRyZWZmOiBSZTogW09BVVRILVdHXSBkcmFmdC1pZXRmLW9hdXRo LWp3dC1iZWFyZXIgU2hlcGhlcmQgV3JpdGUtdXAgPGJyPjxicj48ZGl2IGRpcj0ibHRyIj5TYWxl c2ZvcmNlIEltcGxlbWVudGF0aW9uOiA8YSBocmVmPSJodHRwczovL2hlbHAuc2FsZXNmb3JjZS5j b20vSFRWaWV3SGVscERvYz9pZD1yZW1vdGVhY2Nlc3Nfb2F1dGhfand0X2Zsb3cuaHRtJmFtcDts YW5ndWFnZT1lbl9VUyI+aHR0cHM6Ly9oZWxwLnNhbGVzZm9yY2UuY29tL0hUVmlld0hlbHBEb2M/ aWQ9cmVtb3RlYWNjZXNzX29hdXRoX2p3dF9mbG93Lmh0bSZhbXA7bGFuZ3VhZ2U9ZW5fVVM8L2E+ PC9kaXY+CjxkaXYgY2xhc3M9ImdtYWlsX2V4dHJhIj48YnI+PGJyPjxkaXYgY2xhc3M9ImdtYWls X3F1b3RlIj5PbiBUaHUsIEFwciAyNCwgMjAxNCBhdCAzOjQxIFBNLCBNaWtlIEpvbmVzIDxzcGFu IGRpcj0ibHRyIj4mbHQ7PGEgaHJlZj0ibWFpbHRvOk1pY2hhZWwuSm9uZXNAbWljcm9zb2Z0LmNv bSIgdGFyZ2V0PSJfYmxhbmsiPk1pY2hhZWwuSm9uZXNAbWljcm9zb2Z0LmNvbTwvYT4mZ3Q7PC9z cGFuPiB3cm90ZTo8YnI+CjxibG9ja3F1b3RlIGNsYXNzPSJnbWFpbF9xdW90ZSIgc3R5bGU9Im1h cmdpbjowIDAgMCAuOGV4O2JvcmRlci1sZWZ0OjFweCAjY2NjIHNvbGlkO3BhZGRpbmctbGVmdDox ZXgiPkkgYW0gYXdhcmUgb2YgdGhlc2UgaW1wbGVtZW50YXRpb25zOjxicj4KJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7IE1pY3Jvc29mdCBBenVyZSBBY3RpdmUgRGlyZWN0b3J5OiAmbmJzcDs8 YSBocmVmPSJodHRwOi8vYXp1cmUubWljcm9zb2Z0LmNvbS9lbi11cy9zZXJ2aWNlcy9hY3RpdmUt ZGlyZWN0b3J5LyIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly9henVyZS5taWNyb3NvZnQuY29tL2Vu LXVzL3NlcnZpY2VzL2FjdGl2ZS1kaXJlY3RvcnkvPC9hPjxicj4KJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7IEdvb2dsZSBTZXJ2aWNlIEFjY291bnQ6IDxhIGhyZWY9Imh0dHBzOi8vZGV2ZWxv cGVycy5nb29nbGUuY29tL2FjY291bnRzL2RvY3MvT0F1dGgyU2VydmljZUFjY291bnQiIHRhcmdl dD0iX2JsYW5rIj5odHRwczovL2RldmVsb3BlcnMuZ29vZ2xlLmNvbS9hY2NvdW50cy9kb2NzL09B dXRoMlNlcnZpY2VBY2NvdW50PC9hPjxicj4KPGJyPgpJIGJlbGlldmUgdGhhdCBQaW5nIElkZW50 aXR5IGFuZCBTYWxlc2ZvcmNlIGFsc28gaGF2ZSBpbXBsZW1lbnRhdGlvbnMsIGJ1dCBJJ2xsIGxl dCBCcmlhbiBhbmQgQ2h1Y2sgYXV0aG9yaXRhdGl2ZWx5IHNwZWFrIHRvIHRob3NlLjxicj4KPGRp diBjbGFzcz0iIj48YnI+CiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAtLSBNaWtlPGJyPgo8YnI+Ci0tLS0tT3JpZ2luYWwgTWVzc2FnZS0tLS0t PGJyPgpGcm9tOiBPQXV0aCBbbWFpbHRvOjxhIGhyZWY9Im1haWx0bzpvYXV0aC1ib3VuY2VzQGll dGYub3JnIj5vYXV0aC1ib3VuY2VzQGlldGYub3JnPC9hPl0gT24gQmVoYWxmIE9mIEhhbm5lcyBU c2Nob2ZlbmlnPGJyPgpTZW50OiBXZWRuZXNkYXksIEFwcmlsIDIzLCAyMDE0IDE6NDAgQU08YnI+ ClRvOiA8YSBocmVmPSJtYWlsdG86b2F1dGhAaWV0Zi5vcmciPm9hdXRoQGlldGYub3JnPC9hPjxi cj4KU3ViamVjdDogW09BVVRILVdHXSBkcmFmdC1pZXRmLW9hdXRoLWp3dC1iZWFyZXIgU2hlcGhl cmQgV3JpdGUtdXA8YnI+Cjxicj4KPC9kaXY+PGRpdj48ZGl2IGNsYXNzPSJoNSI+SGkgYWxsLDxi cj4KPGJyPgpJIGFtIHdvcmtpbmcgb24gdGhlIHNoZXBoZXJkIHdyaXRldXAgZm9yIHRoZSBKV1Qg YmVhcmVyIGRvY3VtZW50LiBUaGUgc2hlcGhlcmQgd3JpdGUtdXBzIGZvciB0aGUgYXNzZXJ0aW9u IGRyYWZ0IGFuZCB0aGUgU0FNTCBiZWFyZXIgZG9jdW1lbnQgaGF2ZSBiZWVuIGNvbXBsZXRlZCBh IHdoaWxlIGFnbyBhbHJlYWR5LCBzZWUgPGEgaHJlZj0iaHR0cDovL3d3dy5pZXRmLm9yZy9tYWls LWFyY2hpdmUvd2ViL29hdXRoL2N1cnJlbnQvbXNnMTI0MTAuaHRtbCIgdGFyZ2V0PSJfYmxhbmsi Pmh0dHA6Ly93d3cuaWV0Zi5vcmcvbWFpbC1hcmNoaXZlL3dlYi9vYXV0aC9jdXJyZW50L21zZzEy NDEwLmh0bWw8L2E+PGJyPgoKPGJyPgpBIGZldyByZXF1ZXN0czo8YnI+Cjxicj4KLSBUbyB0aGUg ZG9jdW1lbnQgYXV0aG9yczogUGxlYXNlIGNvbmZpcm0gdGhhdCBhbnkgYW5kIGFsbCBhcHByb3By aWF0ZSBJUFIgZGlzY2xvc3VyZXMgcmVxdWlyZWQgZm9yIGZ1bGwgY29uZm9ybWFuY2Ugd2l0aCB0 aGUgcHJvdmlzaW9ucyBvZiBCQ1A8YnI+Cjc4IGFuZCBCQ1AgNzkgaGF2ZSBhbHJlYWR5IGJlZW4g ZmlsZWQuPGJyPgo8YnI+Ci0gVG8gYWxsOiBBcmUgeW91IGF3YXJlIG9mIGltcGxlbWVudGF0aW9u cyBvZiB0aGlzIHNwZWNpZmljYXRpb24/IElmIHNvLCBJIHdvdWxkIGxpa2UgdG8gcmVmZXJlbmNl IHRoZW0gaW4gbXkgd3JpdGUtdXAuPGJyPgo8YnI+Ci0gVG8gYWxsOiBQbGVhc2UgYWxzbyBnbyB0 aHJvdWdoIHRoZSB0ZXh0IHRvIG1ha2Ugc3VyZSB0aGF0IEkgY29ycmVjdGx5IHJlZmxlY3QgdGhl IGhpc3RvcnkgYW5kIHRoZSBzdGF0dXMgb2YgdGhpcyBkb2N1bWVudC48YnI+Cjxicj4KSGVyZSBp cyB0aGUgbW9zdCByZWNlbnQgdmVyc2lvbiBvZiB0aGUgd3JpdGUtdXA6PGJyPgo8YSBocmVmPSJo dHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vaGFubmVzdHNjaG9mZW5pZy90c2Nob2Zl bmlnLWlkcy9tYXN0ZXIvc2hlcGhlcmQtd3JpdGV1cHMvV3JpdGV1cF9PQXV0aF9KV1QtQXNzZXJ0 aW9uLVByb2ZpbGUudHh0IiB0YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNv bnRlbnQuY29tL2hhbm5lc3RzY2hvZmVuaWcvdHNjaG9mZW5pZy1pZHMvbWFzdGVyL3NoZXBoZXJk LXdyaXRldXBzL1dyaXRldXBfT0F1dGhfSldULUFzc2VydGlvbi1Qcm9maWxlLnR4dDwvYT48YnI+ Cgo8YnI+Cjxicj4KKFRoZSBjb3B5LWFuZC1wYXN0ZSBvZiB0aGUgZnVsbCB2ZXJzaW9uIGlzIGJl bG93Lik8YnI+Cjxicj4KQ2lhbzxicj4KSGFubmVzPGJyPgo8YnI+ClBTOiBOb3RlIHRoYXQgSSBo YXZlIHNlbmQgYSBtYWlsIGFib3V0IGEgcGVuZGluZyBpc3N1ZSB0byB0aGUgbGlzdC4gSW4gcmVz cG9uc2UgdG8gbXkgcXVlc3Rpb24gSSB3aWxsIHVwZGF0ZSB0aGUgd3JpdGUtdXAgYWNjb3JkaW5n bHkuPGJyPgo8YnI+Ci0tLS08YnI+Cjxicj4KV3JpdGV1cCBmb3IgIkpTT04gV2ViIFRva2VuIChK V1QpIFByb2ZpbGUgZm9yIE9BdXRoIDIuMCBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEF1dGhv cml6YXRpb24gR3JhbnRzIiAmbHQ7ZHJhZnQtaWV0Zi1vYXV0aC1zYW1sMi1iZWFyZXItMDgmZ3Q7 PGJyPgo8YnI+CigxKSBXaGF0IHR5cGUgb2YgUkZDIGlzIGJlaW5nIHJlcXVlc3RlZCAoQkNQLCBQ cm9wb3NlZCBTdGFuZGFyZCwgSW50ZXJuZXQgU3RhbmRhcmQsIEluZm9ybWF0aW9uYWwsIEV4cGVy aW1lbnRhbCwgb3IgSGlzdG9yaWMpPyBXaHkgaXMgdGhpcyB0aGUgcHJvcGVyIHR5cGUgb2YgUkZD PyBJcyB0aGlzIHR5cGUgb2YgUkZDIGluZGljYXRlZCBpbiB0aGUgdGl0bGUgcGFnZSBoZWFkZXI/ PGJyPgoKPGJyPgpUaGUgUkZDIHR5cGUgaXMgJ1N0YW5kYXJkcyBUcmFjaycgYW5kIHRoZSB0eXBl IGlzIGluZGljYXRlZCBpbiB0aGUgdGl0bGUgcGFnZS4gVGhpcyBkb2N1bWVudCBkZWZpbmVzIGFu IGluc3RhbnRpYXRpb24gZm9yIHRoZSBPQXV0aCBhc3NlcnRpb24gZnJhbWV3b3JrIHVzaW5nIEpT T04gV2ViIFRva2Vucy48YnI+Cjxicj4KKDIpIFRoZSBJRVNHIGFwcHJvdmFsIGFubm91bmNlbWVu dCBpbmNsdWRlcyBhIERvY3VtZW50IEFubm91bmNlbWVudCBXcml0ZS1VcC4gUGxlYXNlIHByb3Zp ZGUgc3VjaCBhIERvY3VtZW50IEFubm91bmNlbWVudCBXcml0ZS1VcC4gUmVjZW50IGV4YW1wbGVz IGNhbiBiZSBmb3VuZCBpbiB0aGUgIkFjdGlvbiIgYW5ub3VuY2VtZW50cyBmb3IgYXBwcm92ZWQg ZG9jdW1lbnRzLiBUaGUgYXBwcm92YWwgYW5ub3VuY2VtZW50IGNvbnRhaW5zIHRoZSBmb2xsb3dp bmcgc2VjdGlvbnM6PGJyPgoKPGJyPgpUZWNobmljYWwgU3VtbWFyeTo8YnI+Cjxicj4KJm5ic3A7 ICZuYnNwO1RoaXMgc3BlY2lmaWNhdGlvbiBkZWZpbmVzIHRoZSB1c2Ugb2YgYSBKU09OIFdlYiBU b2tlbiAoSldUKSBCZWFyZXI8YnI+CiZuYnNwOyAmbmJzcDtUb2tlbiBhcyBhIG1lYW5zIGZvciBy ZXF1ZXN0aW5nIGFuIE9BdXRoIDIuMCBhY2Nlc3MgdG9rZW4gYXMgd2VsbCBhczxicj4KJm5ic3A7 ICZuYnNwO2ZvciB1c2UgYXMgYSBtZWFucyBvZiBjbGllbnQgYXV0aGVudGljYXRpb24uPGJyPgo8 YnI+CldvcmtpbmcgR3JvdXAgU3VtbWFyeTo8YnI+Cjxicj4KV2FzIHRoZXJlIGFueXRoaW5nIGlu IFdHIHByb2Nlc3MgdGhhdCBpcyB3b3J0aCBub3Rpbmc/IEZvciBleGFtcGxlLCB3YXMgdGhlcmUg Y29udHJvdmVyc3kgYWJvdXQgcGFydGljdWxhciBwb2ludHMgb3Igd2VyZSB0aGVyZSBkZWNpc2lv bnMgd2hlcmUgdGhlIGNvbnNlbnN1cyB3YXMgcGFydGljdWxhcmx5IHJvdWdoPzxicj4KPGJyPgpU aGlzIGRvY3VtZW50IGJlbG9uZ3MgdG8gdGhlIE9BdXRoIGFzc2VydGlvbiBkb2N1bWVudCBidW5k bGUgY29uc2lzdGluZyBvZiB0aGUgYWJzdHJhY3QgT0F1dGggYXNzZXJ0aW9uIGZyYW1ld29yaywg YW5kIHRoZSBTQU1MIGFzc2VydGlvbiBwcm9maWxlLiBEdWUgdG8gdGhlIHVzZSBvZiB0aGUgSlNP Ti1iYXNlZCBlbmNvZGluZyBvZiB0aGUgYXNzZXJ0aW9uIGl0IGFsc28gcmVsaWVzIG9uIHRoZSB3 b3JrIGluIHRoZSBKT1NFIHdvcmtpbmcgZ3JvdXAgKHN1Y2ggYXMgSldFL0pXUykgaW5kaXJlY3Rs eSB0aHJvdWdoIHRoZSB1c2Ugb2YgdGhlIEpXVC4gVGhpcyBkb2N1bWVudCBoYXMgaW50ZW50aW9u YWxseSBiZWVuIGtlcHQgaW4gc3luYyB3aXRoIHRoZSBTQU1MLWJhc2VkIHZlcnNpb24uPGJyPgoK PGJyPgpEb2N1bWVudCBRdWFsaXR5Ojxicj4KPGJyPgpUaGlzIGRvY3VtZW50IGhhcyBnb25lIHRo cm91Z2ggbWFueSBpdGVyYXRpb25zIGFuZCBoYXMgcmVjZWl2ZWQgc3Vic3RhbnRpYWwgZmVlZGJh Y2suPGJyPgo8YnI+CltbQWRkIGltcGxlbWVudGF0aW9uIGxpc3QgaGVyZS5dXTxicj4KPGJyPgpQ ZXJzb25uZWw6PGJyPgo8YnI+ClRoZSBkb2N1bWVudCBzaGVwaGVyZCBpcyBIYW5uZXMgVHNjaG9m ZW5pZyBhbmQgdGhlIHJlc3BvbnNpYmxlIGFyZWEgZGlyZWN0b3IgaXMgS2F0aGxlZW4gTW9yaWFy dHkuPGJyPgo8YnI+CigzKSBCcmllZmx5IGRlc2NyaWJlIHRoZSByZXZpZXcgb2YgdGhpcyBkb2N1 bWVudCB0aGF0IHdhcyBwZXJmb3JtZWQgYnkgdGhlIERvY3VtZW50IFNoZXBoZXJkLiBJZiB0aGlz IHZlcnNpb24gb2YgdGhlIGRvY3VtZW50IGlzIG5vdCByZWFkeSBmb3IgcHVibGljYXRpb24sIHBs ZWFzZSBleHBsYWluIHdoeSB0aGUgZG9jdW1lbnQgaXMgYmVpbmcgZm9yd2FyZGVkIHRvIHRoZSBJ RVNHLjxicj4KCjxicj4KVGhlIGRyYWZ0IGF1dGhvcnMgYmVsaWV2ZSB0aGF0IHRoaXMgZG9jdW1l bnQgaXMgcmVhZHkgZm9yIHB1YmxpY2F0aW9uLjxicj4KVGhlIGRvY3VtZW50IGhhcyBoYWQgcmVj ZWl2ZWQgcmV2aWV3IGNvbW1lbnRzIGZyb20gd29ya2luZyBncm91cCBtZW1iZXJzLCBhbmQgZnJv bSB0aGUgT0F1dGggd29ya2luZyBncm91cCBjaGFpcnMuIFRoZXNlIHJldmlldyBjb21tZW50cyBo YXZlIGJlZW4gdGFrZW4gaW50byBhY2NvdW50Ljxicj4KPGJyPgooNCkgRG9lcyB0aGUgZG9jdW1l bnQgU2hlcGhlcmQgaGF2ZSBhbnkgY29uY2VybnMgYWJvdXQgdGhlIGRlcHRoIG9yIGJyZWFkdGgg b2YgdGhlIHJldmlld3MgdGhhdCBoYXZlIGJlZW4gcGVyZm9ybWVkPzxicj4KPGJyPgpUaGlzIGRv Y3VtZW50IGhhcyBnb3R0ZW4gZmVlZGJhY2sgZnJvbSB0aGUgd29ya2luZyBncm91cCBhbmQgZ2l2 ZW4gdGhlIGZvY3VzZWQgdXNlIGNhc2VzIGl0IGhhcyByZWNlaXZlZCBhZGVxdWF0ZSByZXZpZXcu PGJyPgo8YnI+Cig1KSBEbyBwb3J0aW9ucyBvZiB0aGUgZG9jdW1lbnQgbmVlZCByZXZpZXcgZnJv bSBhIHBhcnRpY3VsYXIgb3IgZnJvbSBicm9hZGVyIHBlcnNwZWN0aXZlLCBlLmcuLCBzZWN1cml0 eSwgb3BlcmF0aW9uYWwgY29tcGxleGl0eSwgQUFBLCBETlMsIERIQ1AsIFhNTCwgb3IgaW50ZXJu YXRpb25hbGl6YXRpb24/IElmIHNvLCBkZXNjcmliZSB0aGUgcmV2aWV3IHRoYXQgdG9vayBwbGFj ZS48YnI+Cgo8YnI+ClNpbmNlIHRoZSBPQXV0aCB3b3JraW5nIGdyb3VwIGRldmVsb3BzIHNlY3Vy aXR5IHByb3RvY29scyBhbnkgZmVlZGJhY2sgZnJvbSB0aGUgc2VjdXJpdHkgY29tbXVuaXR5IGlz IGFsd2F5cyBhcHByZWNpYXRlZC48YnI+Cjxicj4KKDYpIERlc2NyaWJlIGFueSBzcGVjaWZpYyBj b25jZXJucyBvciBpc3N1ZXMgdGhhdCB0aGUgRG9jdW1lbnQgU2hlcGhlcmQgaGFzIHdpdGggdGhp cyBkb2N1bWVudCB0aGF0IHRoZSBSZXNwb25zaWJsZSBBcmVhIERpcmVjdG9yIGFuZC9vciB0aGUg SUVTRyBzaG91bGQgYmUgYXdhcmUgb2Y/IEZvciBleGFtcGxlLCBwZXJoYXBzIGhlIG9yIHNoZSBp cyB1bmNvbWZvcnRhYmxlIHdpdGggY2VydGFpbiBwYXJ0cyBvZiB0aGUgZG9jdW1lbnQsIG9yIGhh cyBjb25jZXJucyB3aGV0aGVyIHRoZXJlIHJlYWxseSBpcyBhIG5lZWQgZm9yIGl0LiBJbiBhbnkg ZXZlbnQsIGlmIHRoZSBXRyBoYXMgZGlzY3Vzc2VkIHRob3NlIGlzc3VlcyBhbmQgaGFzIGluZGlj YXRlZCB0aGF0IGl0IHN0aWxsIHdpc2hlcyB0byBhZHZhbmNlIHRoZSBkb2N1bWVudCwgZGV0YWls IHRob3NlIGNvbmNlcm5zIGhlcmUuPGJyPgoKPGJyPgpUaGUgc2hlcGhlcmQgaGFzIG5vIGNvbmNl cm5zIHdpdGggdGhpcyBkb2N1bWVudC48YnI+Cjxicj4KKDcpIEhhcyBlYWNoIGF1dGhvciBjb25m aXJtZWQgdGhhdCBhbnkgYW5kIGFsbCBhcHByb3ByaWF0ZSBJUFIgZGlzY2xvc3VyZXMgcmVxdWly ZWQgZm9yIGZ1bGwgY29uZm9ybWFuY2Ugd2l0aCB0aGUgcHJvdmlzaW9ucyBvZiBCQ1AgNzggYW5k IEJDUCA3OSBoYXZlIGFscmVhZHkgYmVlbiBmaWxlZC4gSWYgbm90LCBleHBsYWluIHdoeT88YnI+ Cjxicj4KW1tDb25maXJtYXRpb24gZnJvbSB0aGUgYXV0aG9ycyByZXF1aXJlZC5dXTxicj4KPGJy PgooOCkgSGFzIGFuIElQUiBkaXNjbG9zdXJlIGJlZW4gZmlsZWQgdGhhdCByZWZlcmVuY2VzIHRo aXMgZG9jdW1lbnQ/IElmIHNvLCBzdW1tYXJpemUgYW55IFdHIGRpc2N1c3Npb24gYW5kIGNvbmNs dXNpb24gcmVnYXJkaW5nIHRoZSBJUFIgZGlzY2xvc3VyZXMuPGJyPgo8YnI+Ck5vIElQUiBkaXNj bG9zdXJlcyBoYXZlIGJlZW4gZmlsZWQgb24gdGhpcyBkb2N1bWVudC4gSG93ZXZlciwgdHdvIElQ UnMgaGF2ZSBiZWVuIGZpbGVkIGZvciB0aGUgSldUIHNwZWNpZmljYXRpb24gdGhpcyBkb2N1bWVu dCByZWxpZXMgb24sIHNlZSA8YSBocmVmPSJodHRwOi8vZGF0YXRyYWNrZXIuaWV0Zi5vcmcvaXBy L3NlYXJjaC8/b3B0aW9uPWRvY3VtZW50X3NlYXJjaCZhbXA7aWQ9ZHJhZnQtaWV0Zi1vYXV0aC1q c29uLXdlYi10b2tlbiIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly9kYXRhdHJhY2tlci5pZXRmLm9y Zy9pcHIvc2VhcmNoLz9vcHRpb249ZG9jdW1lbnRfc2VhcmNoJmFtcDtpZD1kcmFmdC1pZXRmLW9h dXRoLWpzb24td2ViLXRva2VuPC9hPjxicj4KCjxicj4KPGJyPgooOSkgSG93IHNvbGlkIGlzIHRo ZSBXRyBjb25zZW5zdXMgYmVoaW5kIHRoaXMgZG9jdW1lbnQ/IERvZXMgaXQgcmVwcmVzZW50IHRo ZSBzdHJvbmcgY29uY3VycmVuY2Ugb2YgYSBmZXcgaW5kaXZpZHVhbHMsIHdpdGggb3RoZXJzIGJl aW5nIHNpbGVudCwgb3IgZG9lcyB0aGUgV0cgYXMgYSB3aG9sZSB1bmRlcnN0YW5kIGFuZCBhZ3Jl ZSB3aXRoIGl0Pzxicj4KPGJyPgpUaGUgd29ya2luZyBncm91cCBoYXMgY29uc2Vuc3VzIHRvIHB1 Ymxpc2ggdGhpcyBkb2N1bWVudC48YnI+Cjxicj4KKDEwKSBIYXMgYW55b25lIHRocmVhdGVuZWQg YW4gYXBwZWFsIG9yIG90aGVyd2lzZSBpbmRpY2F0ZWQgZXh0cmVtZSBkaXNjb250ZW50PyBJZiBz bywgcGxlYXNlIHN1bW1hcmlzZSB0aGUgYXJlYXMgb2YgY29uZmxpY3QgaW4gc2VwYXJhdGUgZW1h aWwgbWVzc2FnZXMgdG8gdGhlIFJlc3BvbnNpYmxlIEFyZWEgRGlyZWN0b3IuIChJdCBzaG91bGQg YmUgaW4gYSBzZXBhcmF0ZSBlbWFpbCBiZWNhdXNlIHRoaXMgcXVlc3Rpb25uYWlyZSBpcyBwdWJs aWNseSBhdmFpbGFibGUuKTxicj4KCjxicj4KTm8gYXBwZWFsIG9yIGV4dHJlbWUgZGlzY29udGVu dCBoYXMgYmVlbiByYWlzZWQuPGJyPgo8YnI+CigxMSkgSWRlbnRpZnkgYW55IElEIG5pdHMgdGhl IERvY3VtZW50IFNoZXBoZXJkIGhhcyBmb3VuZCBpbiB0aGlzIGRvY3VtZW50LiAoU2VlIDxhIGhy ZWY9Imh0dHA6Ly93d3cuaWV0Zi5vcmcvdG9vbHMvaWRuaXRzLyIgdGFyZ2V0PSJfYmxhbmsiPmh0 dHA6Ly93d3cuaWV0Zi5vcmcvdG9vbHMvaWRuaXRzLzwvYT4gYW5kIHRoZSBJbnRlcm5ldC1EcmFm dHMgQ2hlY2tsaXN0KS4gQm9pbGVycGxhdGUgY2hlY2tzIGFyZSBub3QgZW5vdWdoOyB0aGlzIGNo ZWNrIG5lZWRzIHRvIGJlIHRob3JvdWdoLjxicj4KCjxicj4KVGhlIHNoZXBoZXJkIGhhcyBjaGVj a2VkIHRoZSBuaXRzLjxicj4KPGJyPgooMTIpIERlc2NyaWJlIGhvdyB0aGUgZG9jdW1lbnQgbWVl dHMgYW55IHJlcXVpcmVkIGZvcm1hbCByZXZpZXcgY3JpdGVyaWEsIHN1Y2ggYXMgdGhlIE1JQiBE b2N0b3IsIG1lZGlhIHR5cGUsIGFuZCBVUkkgdHlwZSByZXZpZXdzLjxicj4KPGJyPgpUaGVyZSBp cyBubyBzdWNoIHJldmlldyBuZWNlc3NhcnkuPGJyPgo8YnI+CigxMykgSGF2ZSBhbGwgcmVmZXJl bmNlcyB3aXRoaW4gdGhpcyBkb2N1bWVudCBiZWVuIGlkZW50aWZpZWQgYXMgZWl0aGVyIG5vcm1h dGl2ZSBvciBpbmZvcm1hdGl2ZT88YnI+Cjxicj4KWWVzLjxicj4KPGJyPgooMTQpIEFyZSB0aGVy ZSBub3JtYXRpdmUgcmVmZXJlbmNlcyB0byBkb2N1bWVudHMgdGhhdCBhcmUgbm90IHJlYWR5IGZv ciBhZHZhbmNlbWVudCBvciBhcmUgb3RoZXJ3aXNlIGluIGFuIHVuY2xlYXIgc3RhdGU/IElmIHN1 Y2ggbm9ybWF0aXZlIHJlZmVyZW5jZXMgZXhpc3QsIHdoYXQgaXMgdGhlIHBsYW4gZm9yIHRoZWly IGNvbXBsZXRpb24/PGJyPgo8YnI+Clllcy48YnI+Cjxicj4KKDE1KSBBcmUgdGhlcmUgZG93bndh cmQgbm9ybWF0aXZlIHJlZmVyZW5jZXMgcmVmZXJlbmNlcyAoc2VlIFJGQyAzOTY3KT88YnI+Cklm IHNvLCBsaXN0IHRoZXNlIGRvd253YXJkIHJlZmVyZW5jZXMgdG8gc3VwcG9ydCB0aGUgQXJlYSBE aXJlY3RvciBpbiB0aGUgTGFzdCBDYWxsIHByb2NlZHVyZS48YnI+Cjxicj4KUkZDIDY3NTUgZGVm aW5lcyB0aGUgdXJuOmlldGY6cGFyYW1zOm9hdXRoIFVSTiBhbmQgaXMgYW4gSW5mb3JtYXRpb25h bCBSRkMuIEEgZG93bnJlZiBpcyByZXF1aXJlZC48YnI+Cjxicj4KSG93ZXZlciwgdGhpcyBkb2N1 bWVudCBkZXBlbmRzIG9uIHRoZSBjb21wbGV0aW9uIG9mIHRoZSBhYnN0cmFjdCBPQXV0aCBhc3Nl cnRpb24gZnJhbWV3b3JrIGFuZCBvbiB0aGUgSldUIHNwZWNpZmljYXRpb24uPGJyPgpUaGVyZSBh cmUgdGhlIGZvbGxvd2luZyBkZXBlbmRlbmNpZXM6PGJyPgo8YnI+CigxNikgV2lsbCBwdWJsaWNh dGlvbiBvZiB0aGlzIGRvY3VtZW50IGNoYW5nZSB0aGUgc3RhdHVzIG9mIGFueSBleGlzdGluZyBS RkNzPyBBcmUgdGhvc2UgUkZDcyBsaXN0ZWQgb24gdGhlIHRpdGxlIHBhZ2UgaGVhZGVyLCBsaXN0 ZWQgaW4gdGhlIGFic3RyYWN0LCBhbmQgZGlzY3Vzc2VkIGluIHRoZSBpbnRyb2R1Y3Rpb24/IElm IHRoZSBSRkNzIGFyZSBub3QgbGlzdGVkIGluIHRoZSBBYnN0cmFjdCBhbmQgSW50cm9kdWN0aW9u LCBleHBsYWluIHdoeSwgYW5kIHBvaW50IHRvIHRoZSBwYXJ0IG9mIHRoZSBkb2N1bWVudCB3aGVy ZSB0aGUgcmVsYXRpb25zaGlwIG9mIHRoaXMgZG9jdW1lbnQgdG8gdGhlIG90aGVyIFJGQ3MgaXMg ZGlzY3Vzc2VkLiBJZiB0aGlzIGluZm9ybWF0aW9uIGlzIG5vdCBpbiB0aGUgZG9jdW1lbnQsIGV4 cGxhaW4gd2h5IHRoZSBXRyBjb25zaWRlcnMgaXQgdW5uZWNlc3NhcnkuPGJyPgoKPGJyPgpUaGUg cHVibGljYXRpb24gb2YgdGhpcyBkb2N1bWVudCBkb2VzIG5vdCBjaGFuZ2UgdGhlIHN0YXR1cyBv ZiBvdGhlciBSRkNzLjxicj4KPGJyPgooMTcpIERlc2NyaWJlIHRoZSBEb2N1bWVudCBTaGVwaGVy ZCdzIHJldmlldyBvZiB0aGUgSUFOQSBjb25zaWRlcmF0aW9ucyBzZWN0aW9uLCBlc3BlY2lhbGx5 IHdpdGggcmVnYXJkIHRvIGl0cyBjb25zaXN0ZW5jeSB3aXRoIHRoZSBib2R5IG9mIHRoZSBkb2N1 bWVudC4gQ29uZmlybSB0aGF0IGFsbCBwcm90b2NvbCBleHRlbnNpb25zIHRoYXQgdGhlIGRvY3Vt ZW50IG1ha2VzIGFyZSBhc3NvY2lhdGVkIHdpdGggdGhlIGFwcHJvcHJpYXRlIHJlc2VydmF0aW9u cyBpbiBJQU5BIHJlZ2lzdHJpZXMuPGJyPgoKQ29uZmlybSB0aGF0IGFueSByZWZlcmVuY2VkIElB TkEgcmVnaXN0cmllcyBoYXZlIGJlZW4gY2xlYXJseSBpZGVudGlmaWVkLiBDb25maXJtIHRoYXQg bmV3bHkgY3JlYXRlZCBJQU5BIHJlZ2lzdHJpZXMgaW5jbHVkZSBhIGRldGFpbGVkIHNwZWNpZmlj YXRpb24gb2YgdGhlIGluaXRpYWwgY29udGVudHMgZm9yIHRoZSByZWdpc3RyeSwgdGhhdCBhbGxv Y2F0aW9ucyBwcm9jZWR1cmVzIGZvciBmdXR1cmUgcmVnaXN0cmF0aW9ucyBhcmUgZGVmaW5lZCwg YW5kIGEgcmVhc29uYWJsZSBuYW1lIGZvciB0aGUgbmV3IHJlZ2lzdHJ5IGhhcyBiZWVuIHN1Z2dl c3RlZCAoc2VlIFJGQyA1MjI2KS48YnI+Cgo8YnI+ClRoZSBkb2N1bWVudCByZWdpc3RlcnMgdHdv IHN1Yi1uYW1lc3BhY2VzIHRvIHRoZSB1cm46aWV0ZjpwYXJhbXM6b2F1dGggVVJOIGVzdGFibGlz aGVkIHdpdGggUkZDIDY3NTUuPGJyPgo8YnI+CigxOCkgTGlzdCBhbnkgbmV3IElBTkEgcmVnaXN0 cmllcyB0aGF0IHJlcXVpcmUgRXhwZXJ0IFJldmlldyBmb3IgZnV0dXJlIGFsbG9jYXRpb25zLiBQ cm92aWRlIGFueSBwdWJsaWMgZ3VpZGFuY2UgdGhhdCB0aGUgSUVTRyB3b3VsZCBmaW5kIHVzZWZ1 bCBpbiBzZWxlY3RpbmcgdGhlIElBTkEgRXhwZXJ0cyBmb3IgdGhlc2UgbmV3IHJlZ2lzdHJpZXMu PGJyPgo8YnI+ClRoZSBkb2N1bWVudCBvbmx5IGFkZHMgZW50cmllcyB0byBleGlzdGluZyByZWdp c3RyaWVzIGFuZCBkb2VzIG5vdCBkZWZpbmUgYW55IG5ldyByZWdpc3RyaWVzLjxicj4KPGJyPgoo MTkpIERlc2NyaWJlIHJldmlld3MgYW5kIGF1dG9tYXRlZCBjaGVja3MgcGVyZm9ybWVkIGJ5IHRo ZSBEb2N1bWVudCBTaGVwaGVyZCB0byB2YWxpZGF0ZSBzZWN0aW9ucyBvZiB0aGUgZG9jdW1lbnQg d3JpdHRlbiBpbiBhIGZvcm1hbCBsYW5ndWFnZSwgc3VjaCBhcyBYTUwgY29kZSwgQk5GIHJ1bGVz LCBNSUIgZGVmaW5pdGlvbnMsIGV0Yy48YnI+Cjxicj4KVGhlcmUgYXJlIG9ubHkgc25pcHBldHMg b2YgbWVzc2FnZSBleGNoYW5nZXMgYW5kIEpXVCBhc3NlcnRpb24gc3RydWN0dXJlcywgd2hpY2gg YXJlIGJhc2VkIG9uIEpTT04sIHVzZWQgaW4gdGhlIGV4YW1wbGVzLiBUaGVyZSBpcyBubyBwc2V1 ZG8gY29kZSBjb250YWluZWQgaW4gdGhlIGRvY3VtZW50IHRoYXQgcmVxdWlyZXMgdmFsaWRhdGlv bi48YnI+Cjxicj4KPGJyPgo8YnI+CjwvZGl2PjwvZGl2PjxkaXYgY2xhc3M9IiI+X19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188YnI+Ck9BdXRoIG1haWxpbmcg bGlzdDxicj4KPGEgaHJlZj0ibWFpbHRvOk9BdXRoQGlldGYub3JnIj5PQXV0aEBpZXRmLm9yZzwv YT48YnI+CjwvZGl2PjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGlu Zm8vb2F1dGgiIHRhcmdldD0iX2JsYW5rIj5odHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xp c3RpbmZvL29hdXRoPC9hPjxicj4KPC9ibG9ja3F1b3RlPjwvZGl2Pjxicj48L2Rpdj4KPC9ib2R5 Pg== ----_com.android.email_597612265271170-- From nobody Fri Apr 25 00:01:55 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E42141A0412 for ; Fri, 25 Apr 2014 00:01:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vja49iCOtNsm for ; Fri, 25 Apr 2014 00:01:49 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0209.outbound.protection.outlook.com [207.46.163.209]) by ietfa.amsl.com (Postfix) with ESMTP id 259D41A007F for ; Fri, 25 Apr 2014 00:01:48 -0700 (PDT) Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB208.namprd02.prod.outlook.com (10.242.165.150) with Microsoft SMTP Server (TLS) id 15.0.921.12; Fri, 25 Apr 2014 07:01:40 +0000 Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) with mapi id 15.00.0921.000; Fri, 25 Apr 2014 07:01:40 +0000 From: Antonio Sanso To: Andrei Shakirin Thread-Topic: [OAUTH-WG] Session cookies in OAuth2 flow Thread-Index: Ac9f1m601wyijPx7QUKZAdgpumsSswAfcZMA Date: Fri, 25 Apr 2014 07:01:40 +0000 Message-ID: <8CE5B8B4-5CFB-4E1C-B1EC-06D2F0217ED8@adobe.com> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [192.147.117.11] x-forefront-prvs: 0192E812EC x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(6009001)(428001)(53474002)(51704005)(24454002)(377454003)(199002)(189002)(86362001)(99396002)(31966008)(74662001)(80022001)(83716003)(2656002)(80976001)(82746002)(19580405001)(4396001)(20776003)(81342001)(85852003)(79102001)(87936001)(76482001)(76176999)(77982001)(83072002)(50986999)(54356999)(46102001)(81542001)(92726001)(36756003)(74502001)(19580395003)(99286001)(83322001)(66066001)(15975445006)(555904002)(92566001)(33656001)(100906001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR02MB208; H:CO1PR02MB206.namprd02.prod.outlook.com; FPR:D0D4F5B2.8E1B57D1.B1FBFFB7.CCEDA970.20230; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en; received-spf: None (: adobe.com does not designate permitted sender hosts) Content-Type: text/plain; charset="us-ascii" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: adobe.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Q5shPCLQFn-w4-iFFS4iOOHdSI4 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 07:01:52 -0000 hi Andrei, AFAIU session cookie management is beyond the scope of the OAuth2 specifica= tion. regards antonio On Apr 24, 2014, at 6:39 PM, Andrei Shakirin wrote: > Hi, >=20 > My name is Andrei Shakirin, I am working with OAuth2 implementation in Ap= ache CXF project. > Could you please help me to verify my understanding regarding of using se= ssion cookies in OAuth2 flow. > OAuth2 specification mentions session cookies in: > 1) Section 3.1. Authorization Endpoint as possible way to authenticate re= source owner against authorization server > 2) Section 10.12. Cross-Site Request Forgery as possible attack where end= -user follows a malicious URI to a trusting server including a valid sessio= n cookie >=20 > My current understanding is: > a) using sessions between user-agent and authorization server is optional= and authorization server is not obligated to keep user state (in case if u= ser-agent provide authentication information with every request). > b) in case if sessions are used (because of any reasons), authorization s= erver have to care about additional protection like hidden form fields in o= rder to uniquely identify the actual authorization request. >=20 > Is this correct? >=20 > Regards, > Andrei. >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Fri Apr 25 00:08:21 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11A051A00E3 for ; Fri, 25 Apr 2014 00:08:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.554 X-Spam-Level: X-Spam-Status: No, score=0.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3SZXz64XVvbP for ; Fri, 25 Apr 2014 00:08:17 -0700 (PDT) Received: from mxout.myoutlookonline.com (mxout.myoutlookonline.com [74.201.97.201]) by ietfa.amsl.com (Postfix) with ESMTP id 934A71A0127 for ; Fri, 25 Apr 2014 00:08:17 -0700 (PDT) Received: from mxout.myoutlookonline.com (localhost [127.0.0.1]) by mxout.myoutlookonline.com (Postfix) with ESMTP id F13BD554824; Fri, 25 Apr 2014 03:08:11 -0400 (EDT) X-Virus-Scanned: by SpamTitan at mail.lan Received: from S10HUB001.SH10.lan (unknown [10.110.2.1]) by mxout.myoutlookonline.com (Postfix) with ESMTP id 4600955368A; Fri, 25 Apr 2014 03:08:11 -0400 (EDT) Received: from S10BE002.SH10.lan ([::1]) by S10HUB001.SH10.lan ([::1]) with mapi id 14.01.0438.000; Fri, 25 Apr 2014 03:08:10 -0400 From: Andrei Shakirin To: "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Session cookies in OAuth2 flow Thread-Index: Ac9f1m601wyijPx7QUKZAdgpumsSswAfcZMAAAAQz7A= Date: Fri, 25 Apr 2014 07:08:10 +0000 Message-ID: References: <8CE5B8B4-5CFB-4E1C-B1EC-06D2F0217ED8@adobe.com> In-Reply-To: <8CE5B8B4-5CFB-4E1C-B1EC-06D2F0217ED8@adobe.com> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [95.91.233.170] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/5v78Ea_XdywqJWe4YFUZd7tibVQ Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 07:08:19 -0000 Hi Antonio, Thanks for your quick answer. Important for me is that OAuth2 doesn't force to store client or user-agent= states in the authorization server, so authorization server can be statele= ss and is not obligated to introduce the sessions at all. Regards, Andrei. > -----Original Message----- > From: Antonio Sanso [mailto:asanso@adobe.com] > Sent: Freitag, 25. April 2014 09:02 > To: Andrei Shakirin > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow >=20 > hi Andrei, >=20 > AFAIU session cookie management is beyond the scope of the OAuth2 > specification. >=20 > regards >=20 > antonio >=20 > On Apr 24, 2014, at 6:39 PM, Andrei Shakirin wrote= : >=20 > > Hi, > > > > My name is Andrei Shakirin, I am working with OAuth2 implementation in > Apache CXF project. > > Could you please help me to verify my understanding regarding of using > session cookies in OAuth2 flow. > > OAuth2 specification mentions session cookies in: > > 1) Section 3.1. Authorization Endpoint as possible way to authenticate > resource owner against authorization server > > 2) Section 10.12. Cross-Site Request Forgery as possible attack where e= nd- > user follows a malicious URI to a trusting server including a valid sessi= on cookie > > > > My current understanding is: > > a) using sessions between user-agent and authorization server is option= al and > authorization server is not obligated to keep user state (in case if user= -agent > provide authentication information with every request). > > b) in case if sessions are used (because of any reasons), authorization= server > have to care about additional protection like hidden form fields in order= to > uniquely identify the actual authorization request. > > > > Is this correct? > > > > Regards, > > Andrei. > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth From nobody Fri Apr 25 01:43:04 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECE541A00DA for ; Fri, 25 Apr 2014 01:43:02 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gsNjucwxnic2 for ; Fri, 25 Apr 2014 01:43:01 -0700 (PDT) Received: from mail-ee0-x230.google.com (mail-ee0-x230.google.com [IPv6:2a00:1450:4013:c00::230]) by ietfa.amsl.com (Postfix) with ESMTP id 14FE71A00D1 for ; Fri, 25 Apr 2014 01:43:00 -0700 (PDT) Received: by mail-ee0-f48.google.com with SMTP id b57so2544700eek.7 for ; Fri, 25 Apr 2014 01:42:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=0bS/vgtyyRNWT+/Aa2hteKOFJjmFnTJYJhDLEKMBMT4=; b=YV3juWynPMrpcRjDlQw/LROW/oPWh8d9x6VFdM9ICYJFZP8WP7RxpjAFnslVcXLTRs 8pJvVaC8vCAtZszCAhpQOCt3IsUQnPKBA/37OS1rg8T+lIXl6VaaYxxpvXUgkWTToY0Z wIX6etNJUoKwLl82PQ0wQrGVXhojaqYP6RA+PZqm4L2AgaeCWIlPT0UdWVabXXcZGZDd HyhIl1IwJSZKBkJ2P2YlARHmDNAv/OGlmHwOovef8OARP4taBEZmayAyK4ZnTKI8UbKI DoUu3tryVuNQKKnE8RXhJVf+75JtSFp4bM7IqxexfvJMwkeO3yaXmlXwq3kvBwfeIUkR pe6A== X-Received: by 10.14.45.6 with SMTP id o6mr9087926eeb.24.1398415374319; Fri, 25 Apr 2014 01:42:54 -0700 (PDT) Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id bc51sm23010967eeb.22.2014.04.25.01.42.52 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 01:42:53 -0700 (PDT) Message-ID: <535A2009.7080708@gmail.com> Date: Fri, 25 Apr 2014 09:42:49 +0100 From: Sergey Beryozkin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: oauth@ietf.org References: <53593E65.5020903@gmx.net> <5359691E.5000807@gmx.net> In-Reply-To: <5359691E.5000807@gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/3NkqGcyPq75q8vunEF_RHKRJPzg Subject: Re: [OAUTH-WG] HOTK/POP/etc drafts X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 08:43:03 -0000 Hi Hannes Is the MAC token effort you were leading still on the map ? Thanks, Sergey On 24/04/14 20:42, Hannes Tschofenig wrote: > Btw, the HTTP signature mechanism now also got published as > http://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01 > > I think we now have a pretty good collection of documents to look at. > > Ciao > Hannes > > > On 04/24/2014 06:40 PM, Hannes Tschofenig wrote: >> Hi Lewis, >> >> good that you ask. >> >> In the London IETF meeting we have proposed a plan on how to proceed >> with the proof-of-possession (PoP) work. >> >> John had already explained that the main document is >> draft-hunt-oauth-pop-architecture-00. It pains the big picture and >> points to the relevant documents, in particular to >> a) draft-bradley-oauth-pop-key-distribution >> b) draft-jones-oauth-proof-of-possession >> c) a not-yet-published HTTP signature mechanism. >> >> (a) explains how the client obtains keys from the authorization server. >> (b) describes a mechanism for binding a key to the access token. >> (c) illustrates the procedure for the client to interact with the >> resource server (based on the PoP mechanism). >> >> These documents replace prior work on draft-ietf-oauth-v2-http-mac-05 >> and draft-tschofenig-oauth-hotk-03. >> >> We are getting closer to have all relevant parts published. >> >> Ciao >> Hannes >> >> On 04/24/2014 05:14 PM, Lewis Adam-CAL022 wrote: >>> Hi, >>> >>> >>> >>> Lots of crypto drafts on OAuth popping up that I need to come up to >>> speed on. >>> >>> draft-bradley-oauth-pop-key-distribution-00 >>> >>> >>> draft-hunt-oauth-pop-architecture-00 >>> >>> >>> draft-jones-oauth-proof-of-possession-00 >>> >>> >>> draft-sakimura-oauth-rjwtprof-01 >>> >>> >>> draft-sakimura-oauth-tcse-03 >>> >>> >>> draft-tschofenig-oauth-hotk-03 >>> >>> >>> >>> >>> Glad to see all the work, but is there a preferred reading order here? >>> Which ones build on each other vs. which ones are out there on their own? >>> >>> >>> >>> >>> >>> -adam >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From nobody Fri Apr 25 01:51:14 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40A181A0359 for ; Fri, 25 Apr 2014 01:51:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P230BIvVddRl for ; Fri, 25 Apr 2014 01:51:08 -0700 (PDT) Received: from mail-ee0-x230.google.com (mail-ee0-x230.google.com [IPv6:2a00:1450:4013:c00::230]) by ietfa.amsl.com (Postfix) with ESMTP id E3FD41A00FF for ; Fri, 25 Apr 2014 01:51:07 -0700 (PDT) Received: by mail-ee0-f48.google.com with SMTP id b57so2552124eek.7 for ; Fri, 25 Apr 2014 01:51:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=HDAPg6T9AOhzEeL97qfY62fOBKdgHDLX7NsfgyYopZ4=; b=xFmne+0DmgvComWy7maSq4KiYnrbKAJf9XHcMiOzTnOnq7bXaNL8w0fQVXi+Qct3CI 4T93JHfjVoSqTlVOFtENQqAO+WccnwloRJ4Z9kDCQzqEPQD7WPGOEZ7BsnX0N4NvvTzT PowgUkRKN741OG3peLdS2cGbCO+10kiGGp2lUD7VC7Qs0NKvW5F/OUqdRmDngmFQ4sxk ebnHE/DjdXtd20iZbeeh0/LLZRl7+9G5pl4vq7PK9Q9oVe8veAQsddAEidf+2o3OFsMR v8TY+wja2guyUHIC/psZdfTX2X26/iJl1610UiL8PIuq8ZXXf8s4MiUGgfbb9LgFwTxM 8IUg== X-Received: by 10.14.216.2 with SMTP id f2mr744603eep.83.1398415861193; Fri, 25 Apr 2014 01:51:01 -0700 (PDT) Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id x46sm23063715een.17.2014.04.25.01.50.59 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 01:51:00 -0700 (PDT) Message-ID: <535A21F3.4050306@gmail.com> Date: Fri, 25 Apr 2014 09:50:59 +0100 From: Sergey Beryozkin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: oauth@ietf.org References: <53577C73.2010201@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/_P9zIgQ3tAHgizqqfxzgC_xEg54 Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 08:51:12 -0000 On 24/04/14 23:41, Mike Jones wrote: > I am aware of these implementations: > Microsoft Azure Active Directory: http://azure.microsoft.com/en-us/services/active-directory/ > Google Service Account: https://developers.google.com/accounts/docs/OAuth2ServiceAccount > > I believe that Ping Identity and Salesforce also have implementations, but I'll let Brian and Chuck authoritatively speak to those. Here is some info about open source projects: Apache Oltu has a good support for working with JWT, believe Spring Security has it (I haven't tried) and JBoss KeyCloak team works with JWT, work for supporting JWT Bearer is in progress in Apache CXF (a month or so away). There will be a pretty good coverage for it... Sergey > > -- Mike > > -----Original Message----- > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig > Sent: Wednesday, April 23, 2014 1:40 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up > > Hi all, > > I am working on the shepherd writeup for the JWT bearer document. The shepherd write-ups for the assertion draft and the SAML bearer document have been completed a while ago already, see http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html > > A few requests: > > - To the document authors: Please confirm that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP > 78 and BCP 79 have already been filed. > > - To all: Are you aware of implementations of this specification? If so, I would like to reference them in my write-up. > > - To all: Please also go through the text to make sure that I correctly reflect the history and the status of this document. > > Here is the most recent version of the write-up: > https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt > > > (The copy-and-paste of the full version is below.) > > Ciao > Hannes > > PS: Note that I have send a mail about a pending issue to the list. In response to my question I will update the write-up accordingly. > > ---- > > Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants" > > (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? > > The RFC type is 'Standards Track' and the type is indicated in the title page. This document defines an instantiation for the OAuth assertion framework using JSON Web Tokens. > > (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: > > Technical Summary: > > This specification defines the use of a JSON Web Token (JWT) Bearer > Token as a means for requesting an OAuth 2.0 access token as well as > for use as a means of client authentication. > > Working Group Summary: > > Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? > > This document belongs to the OAuth assertion document bundle consisting of the abstract OAuth assertion framework, and the SAML assertion profile. Due to the use of the JSON-based encoding of the assertion it also relies on the work in the JOSE working group (such as JWE/JWS) indirectly through the use of the JWT. This document has intentionally been kept in sync with the SAML-based version. > > Document Quality: > > This document has gone through many iterations and has received substantial feedback. > > [[Add implementation list here.]] > > Personnel: > > The document shepherd is Hannes Tschofenig and the responsible area director is Kathleen Moriarty. > > (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. > > The draft authors believe that this document is ready for publication. > The document has had received review comments from working group members, and from the OAuth working group chairs. These review comments have been taken into account. > > (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? > > This document has gotten feedback from the working group and given the focused use cases it has received adequate review. > > (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. > > Since the OAuth working group develops security protocols any feedback from the security community is always appreciated. > > (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. > > The shepherd has no concerns with this document. > > (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? > > [[Confirmation from the authors required.]] > > (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. > > No IPR disclosures have been filed on this document. However, two IPRs have been filed for the JWT specification this document relies on, see http://datatracker.ietf.org/ipr/search/?option=document_search&id=draft-ietf-oauth-json-web-token > > > (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? > > The working group has consensus to publish this document. > > (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) > > No appeal or extreme discontent has been raised. > > (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. > > The shepherd has checked the nits. > > (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. > > There is no such review necessary. > > (13) Have all references within this document been identified as either normative or informative? > > Yes. > > (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? > > Yes. > > (15) Are there downward normative references references (see RFC 3967)? > If so, list these downward references to support the Area Director in the Last Call procedure. > > RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational RFC. A downref is required. > > However, this document depends on the completion of the abstract OAuth assertion framework and on the JWT specification. > There are the following dependencies: > > (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. > > The publication of this document does not change the status of other RFCs. > > (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. > Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). > > The document registers two sub-namespaces to the urn:ietf:params:oauth URN established with RFC 6755. > > (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. > > The document only adds entries to existing registries and does not define any new registries. > > (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. > > There are only snippets of message exchanges and JWT assertion structures, which are based on JSON, used in the examples. There is no pseudo code contained in the document that requires validation. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From nobody Fri Apr 25 02:34:24 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC9EE1A0163 for ; Fri, 25 Apr 2014 02:34:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vYK8fMizfShj for ; Fri, 25 Apr 2014 02:34:19 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) by ietfa.amsl.com (Postfix) with ESMTP id 4CA751A0162 for ; Fri, 25 Apr 2014 02:34:19 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M9NIY-1Wkj0P1OFq-00Clys; Fri, 25 Apr 2014 11:34:11 +0200 Message-ID: <535A298B.9030600@gmx.net> Date: Fri, 25 Apr 2014 11:23:23 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Sergey Beryozkin , oauth@ietf.org References: <53593E65.5020903@gmx.net> <5359691E.5000807@gmx.net> <535A2009.7080708@gmail.com> In-Reply-To: <535A2009.7080708@gmail.com> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="tOFMtaSi0n0rrWtsGfVvsXLiQPKwPGg4h" X-Provags-ID: V03:K0:FF/Yjr0RVzKrwzsuE86h1wmgNZ7jvJ2x67IvA3YzHpuXsMWkrjt stxsFtHbFw8Ea1NXjdmRJ1A3/1ipYOr6mJnZIcXSROAaKjEhd+YOWWfv3R/EEq0aLgzRPrQ I6RKNLb4YzT08+up3hXSFlJsoF/CH6Bw7SJfjTq1M09HsoexHUVMX2M75aLI7hDW2iy1JvS AdD079RuO85lzi9x7iOTg== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Y5kpQKfAybbJsNSEJ5vzC3-eDXE Subject: Re: [OAUTH-WG] HOTK/POP/etc drafts X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 09:34:22 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --tOFMtaSi0n0rrWtsGfVvsXLiQPKwPGg4h Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Good question. The architecture allows different mechanisms to be used for proof-of-possession between the client and the resource server. With the publication of draft-richer-oauth-signed-http-request-01 we have a version that uses a JOSE-based encoding. I have not had time to illustrate how the MAC-based version would fit in there. On 04/25/2014 10:42 AM, Sergey Beryozkin wrote: > Hi Hannes >=20 > Is the MAC token effort you were leading still on the map ? >=20 > Thanks, Sergey >=20 > On 24/04/14 20:42, Hannes Tschofenig wrote: >> Btw, the HTTP signature mechanism now also got published as >> http://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01 >> >> I think we now have a pretty good collection of documents to look at. >> >> Ciao >> Hannes >> >> >> On 04/24/2014 06:40 PM, Hannes Tschofenig wrote: >>> Hi Lewis, >>> >>> good that you ask. >>> >>> In the London IETF meeting we have proposed a plan on how to proceed >>> with the proof-of-possession (PoP) work. >>> >>> John had already explained that the main document is >>> draft-hunt-oauth-pop-architecture-00. It pains the big picture and >>> points to the relevant documents, in particular to >>> a) draft-bradley-oauth-pop-key-distribution >>> b) draft-jones-oauth-proof-of-possession >>> c) a not-yet-published HTTP signature mechanism. >>> >>> (a) explains how the client obtains keys from the authorization serve= r. >>> (b) describes a mechanism for binding a key to the access token. >>> (c) illustrates the procedure for the client to interact with the >>> resource server (based on the PoP mechanism). >>> >>> These documents replace prior work on draft-ietf-oauth-v2-http-mac-05= >>> and draft-tschofenig-oauth-hotk-03. >>> >>> We are getting closer to have all relevant parts published. >>> >>> Ciao >>> Hannes >>> >>> On 04/24/2014 05:14 PM, Lewis Adam-CAL022 wrote: >>>> Hi, >>>> >>>> >>>> >>>> Lots of crypto drafts on OAuth popping up that I need to come up to >>>> speed on. >>>> >>>> draft-bradley-oauth-pop-key-distribution-00 >>>> >>>> >>>> >>>> draft-hunt-oauth-pop-architecture-00 >>>> = >>>> >>>> draft-jones-oauth-proof-of-possession-00 >>>> >>>> >>>> >>>> draft-sakimura-oauth-rjwtprof-01 >>>> >>>> >>>> draft-sakimura-oauth-tcse-03 >>>> >>>> >>>> draft-tschofenig-oauth-hotk-03 >>>> >>>> >>>> >>>> >>>> Glad to see all the work, but is there a preferred reading order her= e? >>>> Which ones build on each other vs. which ones are out there on their= >>>> own? >>>> >>>> >>>> >>>> >>>> >>>> -adam >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --tOFMtaSi0n0rrWtsGfVvsXLiQPKwPGg4h Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWimLAAoJEGhJURNOOiAtDpsH/0kxAmuSUnwCsW7jUdktp0H2 yR6O+VI6cTcMfzmY0LBUXf3v2gxq8z/o82Hy4nE13nFRGKfHzgzZsrCajMcV2vkb eLgbDZRn0UWjrlBmO2AyQgGrg4glWF05JUEkmmnfCJiR7Tle1m00H5QI4flNWcHn ZMPq5ReAVHA5UCM8I0S3of88VkW3iLyyZMfFLyni3sQ+CZZ3OhcAegUeeRR9qzcD x9ejZoYXZ19ktbux0LkI5UsnIu+0fHgsi54kqQfbyx/nJXzQ7ApYUrP8pIn8+lHh 4u5y5M/2eyw/GPNF3bMxq4IskiYTYiVWuhPyw5WoNK2w9mQJIskdJ6xkRdHwkxw= =ly6n -----END PGP SIGNATURE----- --tOFMtaSi0n0rrWtsGfVvsXLiQPKwPGg4h-- From nobody Fri Apr 25 02:35:57 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CD6D1A0163 for ; Fri, 25 Apr 2014 02:35:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aw0t1qW4A8IX for ; Fri, 25 Apr 2014 02:35:53 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 240F41A0359 for ; Fri, 25 Apr 2014 02:35:53 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LwW8p-1WyQLI0wTH-018KJQ; Fri, 25 Apr 2014 11:35:44 +0200 Message-ID: <535A29E7.6040505@gmx.net> Date: Fri, 25 Apr 2014 11:24:55 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Sergey Beryozkin , oauth@ietf.org References: <53577C73.2010201@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> <535A21F3.4050306@gmail.com> In-Reply-To: <535A21F3.4050306@gmail.com> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="jFptSGgVKamPRfCGpbgal8ojRKMaMNX0k" X-Provags-ID: V03:K0:jWhFtp0uwF8H+i2sakmfIvA/Zh97WDIbhZUqFuc8w52XkCccLMF XwzMiOWbYUW63fKh+lzKmnpoLkyZ5NOIcT5bf7b8WZShQ5lj2dhKLpnUbJn/LANHgnXFi9a 6rcfuIGUSHD0/9H6afUHxj8yfMm+Sqoj7PkO+Fr2nxyUUtZXP4jU5+c1+B2yrbRe8MjsurH gJCnMDmL1/gmchs3gxBKQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/FDet3ksy0rtq1vqJmvpNM6dvS4M Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 09:35:56 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --jFptSGgVKamPRfCGpbgal8ojRKMaMNX0k Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable The implementation and deployment status of JWT is certainly good. For this write-up it would, however, be interesting to know what the implementation status of the JWT bearer assertion spec is. On 04/25/2014 10:50 AM, Sergey Beryozkin wrote: > On 24/04/14 23:41, Mike Jones wrote: >> I am aware of these implementations: >> Microsoft Azure Active Directory:=20 >> http://azure.microsoft.com/en-us/services/active-directory/ >> Google Service Account: >> https://developers.google.com/accounts/docs/OAuth2ServiceAccount >> >> I believe that Ping Identity and Salesforce also have implementations,= >> but I'll let Brian and Chuck authoritatively speak to those. >=20 > Here is some info about open source projects: >=20 > Apache Oltu has a good support for working with JWT, believe Spring > Security has it (I haven't tried) and JBoss KeyCloak team works with > JWT, work for supporting JWT Bearer is in progress in Apache CXF (a > month or so away). >=20 > There will be a pretty good coverage for it... >=20 > Sergey >=20 >> >> -- Mike >> >> -----Original Message----- >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes >> Tschofenig >> Sent: Wednesday, April 23, 2014 1:40 AM >> To: oauth@ietf.org >> Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up >> >> Hi all, >> >> I am working on the shepherd writeup for the JWT bearer document. The >> shepherd write-ups for the assertion draft and the SAML bearer >> document have been completed a while ago already, see >> http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html >> >> A few requests: >> >> - To the document authors: Please confirm that any and all appropriate= >> IPR disclosures required for full conformance with the provisions of B= CP >> 78 and BCP 79 have already been filed. >> >> - To all: Are you aware of implementations of this specification? If >> so, I would like to reference them in my write-up. >> >> - To all: Please also go through the text to make sure that I >> correctly reflect the history and the status of this document. >> >> Here is the most recent version of the write-up: >> https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/mast= er/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt >> >> >> >> (The copy-and-paste of the full version is below.) >> >> Ciao >> Hannes >> >> PS: Note that I have send a mail about a pending issue to the list. In= >> response to my question I will update the write-up accordingly. >> >> ---- >> >> Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client >> Authentication and Authorization Grants" >> >> >> (1) What type of RFC is being requested (BCP, Proposed Standard, >> Internet Standard, Informational, Experimental, or Historic)? Why is >> this the proper type of RFC? Is this type of RFC indicated in the >> title page header? >> >> The RFC type is 'Standards Track' and the type is indicated in the >> title page. This document defines an instantiation for the OAuth >> assertion framework using JSON Web Tokens. >> >> (2) The IESG approval announcement includes a Document Announcement >> Write-Up. Please provide such a Document Announcement Write-Up. Recent= >> examples can be found in the "Action" announcements for approved >> documents. The approval announcement contains the following sections: >> >> Technical Summary: >> >> This specification defines the use of a JSON Web Token (JWT) Beare= r >> Token as a means for requesting an OAuth 2.0 access token as well = as >> for use as a means of client authentication. >> >> Working Group Summary: >> >> Was there anything in WG process that is worth noting? For example, >> was there controversy about particular points or were there decisions >> where the consensus was particularly rough? >> >> This document belongs to the OAuth assertion document bundle >> consisting of the abstract OAuth assertion framework, and the SAML >> assertion profile. Due to the use of the JSON-based encoding of the >> assertion it also relies on the work in the JOSE working group (such >> as JWE/JWS) indirectly through the use of the JWT. This document has >> intentionally been kept in sync with the SAML-based version. >> >> Document Quality: >> >> This document has gone through many iterations and has received >> substantial feedback. >> >> [[Add implementation list here.]] >> >> Personnel: >> >> The document shepherd is Hannes Tschofenig and the responsible area >> director is Kathleen Moriarty. >> >> (3) Briefly describe the review of this document that was performed by= >> the Document Shepherd. If this version of the document is not ready >> for publication, please explain why the document is being forwarded to= >> the IESG. >> >> The draft authors believe that this document is ready for publication.= >> The document has had received review comments from working group >> members, and from the OAuth working group chairs. These review >> comments have been taken into account. >> >> (4) Does the document Shepherd have any concerns about the depth or >> breadth of the reviews that have been performed? >> >> This document has gotten feedback from the working group and given the= >> focused use cases it has received adequate review. >> >> (5) Do portions of the document need review from a particular or from >> broader perspective, e.g., security, operational complexity, AAA, DNS,= >> DHCP, XML, or internationalization? If so, describe the review that >> took place. >> >> Since the OAuth working group develops security protocols any feedback= >> from the security community is always appreciated. >> >> (6) Describe any specific concerns or issues that the Document >> Shepherd has with this document that the Responsible Area Director >> and/or the IESG should be aware of? For example, perhaps he or she is >> uncomfortable with certain parts of the document, or has concerns >> whether there really is a need for it. In any event, if the WG has >> discussed those issues and has indicated that it still wishes to >> advance the document, detail those concerns here. >> >> The shepherd has no concerns with this document. >> >> (7) Has each author confirmed that any and all appropriate IPR >> disclosures required for full conformance with the provisions of BCP >> 78 and BCP 79 have already been filed. If not, explain why? >> >> [[Confirmation from the authors required.]] >> >> (8) Has an IPR disclosure been filed that references this document? If= >> so, summarize any WG discussion and conclusion regarding the IPR >> disclosures. >> >> No IPR disclosures have been filed on this document. However, two IPRs= >> have been filed for the JWT specification this document relies on, see= >> http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3D= draft-ietf-oauth-json-web-token >> >> >> >> (9) How solid is the WG consensus behind this document? Does it >> represent the strong concurrence of a few individuals, with others >> being silent, or does the WG as a whole understand and agree with it? >> >> The working group has consensus to publish this document. >> >> (10) Has anyone threatened an appeal or otherwise indicated extreme >> discontent? If so, please summarise the areas of conflict in separate >> email messages to the Responsible Area Director. (It should be in a >> separate email because this questionnaire is publicly available.) >> >> No appeal or extreme discontent has been raised. >> >> (11) Identify any ID nits the Document Shepherd has found in this >> document. (See http://www.ietf.org/tools/idnits/ and the >> Internet-Drafts Checklist). Boilerplate checks are not enough; this >> check needs to be thorough. >> >> The shepherd has checked the nits. >> >> (12) Describe how the document meets any required formal review >> criteria, such as the MIB Doctor, media type, and URI type reviews. >> >> There is no such review necessary. >> >> (13) Have all references within this document been identified as >> either normative or informative? >> >> Yes. >> >> (14) Are there normative references to documents that are not ready >> for advancement or are otherwise in an unclear state? If such >> normative references exist, what is the plan for their completion? >> >> Yes. >> >> (15) Are there downward normative references references (see RFC 3967)= ? >> If so, list these downward references to support the Area Director in >> the Last Call procedure. >> >> RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational= >> RFC. A downref is required. >> >> However, this document depends on the completion of the abstract OAuth= >> assertion framework and on the JWT specification. >> There are the following dependencies: >> >> (16) Will publication of this document change the status of any >> existing RFCs? Are those RFCs listed on the title page header, listed >> in the abstract, and discussed in the introduction? If the RFCs are >> not listed in the Abstract and Introduction, explain why, and point to= >> the part of the document where the relationship of this document to >> the other RFCs is discussed. If this information is not in the >> document, explain why the WG considers it unnecessary. >> >> The publication of this document does not change the status of other >> RFCs. >> >> (17) Describe the Document Shepherd's review of the IANA >> considerations section, especially with regard to its consistency with= >> the body of the document. Confirm that all protocol extensions that >> the document makes are associated with the appropriate reservations in= >> IANA registries. >> Confirm that any referenced IANA registries have been clearly >> identified. Confirm that newly created IANA registries include a >> detailed specification of the initial contents for the registry, that >> allocations procedures for future registrations are defined, and a >> reasonable name for the new registry has been suggested (see RFC 5226)= =2E >> >> The document registers two sub-namespaces to the urn:ietf:params:oauth= >> URN established with RFC 6755. >> >> (18) List any new IANA registries that require Expert Review for >> future allocations. Provide any public guidance that the IESG would >> find useful in selecting the IANA Experts for these new registries. >> >> The document only adds entries to existing registries and does not >> define any new registries. >> >> (19) Describe reviews and automated checks performed by the Document >> Shepherd to validate sections of the document written in a formal >> language, such as XML code, BNF rules, MIB definitions, etc. >> >> There are only snippets of message exchanges and JWT assertion >> structures, which are based on JSON, used in the examples. There is no= >> pseudo code contained in the document that requires validation. >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --jFptSGgVKamPRfCGpbgal8ojRKMaMNX0k Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWinoAAoJEGhJURNOOiAtvsoH/36fPqyntcpX2kOqlpp68qKU aZk0sp63xU4AFjJYhiSc0Cc+2y8KWs3pGqaVnXewZCZPrn5cd9MD8igaUPp8RMtO a9RidV1mUqr8yvL7eyySmPzZCEok50kyKD4GVzhQcZZxye/fRO/EZnk/2YAUBaQa qLbwDs7PRP98f378smgMt3uVhysIeWFFFp00EMs5vdPvEZDRczYlnM1XuPCzuTkU aPdWyxluSs43qzRyhDaA5YzPouKHTr27xunmodAVcYhg7kCN/R1Q8k6vhaf81vvF 51tUOB130cIODgvSX+m3AihNCjAZqb0VW0kIMPF0XfroDmH4Of2us8iVE/kHCb4= =C8LG -----END PGP SIGNATURE----- --jFptSGgVKamPRfCGpbgal8ojRKMaMNX0k-- From nobody Fri Apr 25 02:39:09 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 452191A0366 for ; Fri, 25 Apr 2014 02:39:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RGsSiM0vkbm5 for ; Fri, 25 Apr 2014 02:39:06 -0700 (PDT) Received: from mail-ee0-x22b.google.com (mail-ee0-x22b.google.com [IPv6:2a00:1450:4013:c00::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 474BF1A0163 for ; Fri, 25 Apr 2014 02:39:05 -0700 (PDT) Received: by mail-ee0-f43.google.com with SMTP id e53so2644068eek.30 for ; Fri, 25 Apr 2014 02:38:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=h55VkgZk1KatwUrxHV6xmORlSe7ekdAUQ0NrxsHQ+rw=; b=J0xsbzv0sNTYab+rsy7hn5z2kMdGUqo83gTCCAo6T6TEv0rh87K0wWXh+uYB5XD8xL 4SDoe+WVempnly3E2BMNkjKTnYuTShCFZIgGZ74GfhUG0W1kTi/KJxOoPgDRC1LFTrCN ViUvTVWlzbHRYPmRy1ub1SnDvNgEsKVRykC8ODFBVC9VPpJiqFU9hE0W+H7I+6WHcPig uA2zfFDwzk6fmWIeN7tm8+pzlD59I7yNllmIB/L28DhT644GByArfTe0P8PhcaFrPnj+ 3wmIU4A5KtJ2WdXXbEF2hogUPLktEbrYm8xr+vDUGMsXjKTgyhNMnAdVwtMJIKrh8K4+ kZtA== X-Received: by 10.14.219.137 with SMTP id m9mr1081716eep.77.1398418739410; Fri, 25 Apr 2014 02:38:59 -0700 (PDT) Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id l42sm23377197eew.19.2014.04.25.02.38.58 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 02:38:58 -0700 (PDT) Message-ID: <535A2D31.8090909@gmail.com> Date: Fri, 25 Apr 2014 10:38:57 +0100 From: Sergey Beryozkin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hannes Tschofenig , oauth@ietf.org References: <53593E65.5020903@gmx.net> <5359691E.5000807@gmx.net> <535A2009.7080708@gmail.com> <535A298B.9030600@gmx.net> In-Reply-To: <535A298B.9030600@gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2ZW9_HwpJ-1u39h2CecUYLgWOtU Subject: Re: [OAUTH-WG] HOTK/POP/etc drafts X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 09:39:08 -0000 On 25/04/14 10:23, Hannes Tschofenig wrote: > Good question. The architecture allows different mechanisms to be used > for proof-of-possession between the client and the resource server. > With the publication of draft-richer-oauth-signed-http-request-01 we > have a version that uses a JOSE-based encoding. I have not had time to > illustrate how the MAC-based version would fit in there. OAuth2 is very open to supporting all sort of access token types. Hopefully PoP model will not be made exclusive for JWT only, it won't be very OAuth2 friendly IMHO... Cheers, Sergey > > On 04/25/2014 10:42 AM, Sergey Beryozkin wrote: >> Hi Hannes >> >> Is the MAC token effort you were leading still on the map ? >> >> Thanks, Sergey >> >> On 24/04/14 20:42, Hannes Tschofenig wrote: >>> Btw, the HTTP signature mechanism now also got published as >>> http://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01 >>> >>> I think we now have a pretty good collection of documents to look at. >>> >>> Ciao >>> Hannes >>> >>> >>> On 04/24/2014 06:40 PM, Hannes Tschofenig wrote: >>>> Hi Lewis, >>>> >>>> good that you ask. >>>> >>>> In the London IETF meeting we have proposed a plan on how to proceed >>>> with the proof-of-possession (PoP) work. >>>> >>>> John had already explained that the main document is >>>> draft-hunt-oauth-pop-architecture-00. It pains the big picture and >>>> points to the relevant documents, in particular to >>>> a) draft-bradley-oauth-pop-key-distribution >>>> b) draft-jones-oauth-proof-of-possession >>>> c) a not-yet-published HTTP signature mechanism. >>>> >>>> (a) explains how the client obtains keys from the authorization server. >>>> (b) describes a mechanism for binding a key to the access token. >>>> (c) illustrates the procedure for the client to interact with the >>>> resource server (based on the PoP mechanism). >>>> >>>> These documents replace prior work on draft-ietf-oauth-v2-http-mac-05 >>>> and draft-tschofenig-oauth-hotk-03. >>>> >>>> We are getting closer to have all relevant parts published. >>>> >>>> Ciao >>>> Hannes >>>> >>>> On 04/24/2014 05:14 PM, Lewis Adam-CAL022 wrote: >>>>> Hi, >>>>> >>>>> >>>>> >>>>> Lots of crypto drafts on OAuth popping up that I need to come up to >>>>> speed on. >>>>> >>>>> draft-bradley-oauth-pop-key-distribution-00 >>>>> >>>>> >>>>> >>>>> draft-hunt-oauth-pop-architecture-00 >>>>> >>>>> >>>>> draft-jones-oauth-proof-of-possession-00 >>>>> >>>>> >>>>> >>>>> draft-sakimura-oauth-rjwtprof-01 >>>>> >>>>> >>>>> draft-sakimura-oauth-tcse-03 >>>>> >>>>> >>>>> draft-tschofenig-oauth-hotk-03 >>>>> >>>>> >>>>> >>>>> >>>>> Glad to see all the work, but is there a preferred reading order here? >>>>> Which ones build on each other vs. which ones are out there on their >>>>> own? >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -adam >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > From nobody Fri Apr 25 02:45:14 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2838B1A038D for ; Fri, 25 Apr 2014 02:45:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lSLFdpg7EPaT for ; Fri, 25 Apr 2014 02:45:05 -0700 (PDT) Received: from mail-ee0-x233.google.com (mail-ee0-x233.google.com [IPv6:2a00:1450:4013:c00::233]) by ietfa.amsl.com (Postfix) with ESMTP id B74CC1A0163 for ; Fri, 25 Apr 2014 02:45:04 -0700 (PDT) Received: by mail-ee0-f51.google.com with SMTP id c13so2606055eek.24 for ; Fri, 25 Apr 2014 02:44:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=mgtD7QrsuLz3khgf56IztXLVSCJikf3ehxtwHvyLSK4=; b=Fty5uvTrUZwJPfcfqEOsJ4vfHXkkBihqs7+Y7gogno8s/WxNi8OOiARiPerDMmX4LF 639cX5wiUv1XZ0vGjNtzKMR7nnj0yNltboi8cklBiezRS8sbK7djbI4qEYMm48m5IcEu KEvfEZrDvNKq+6ICB6zuAY6kHmm7wdYGC2Cq6E2iN8cMeEXXc8mcOOINjqKbM+kuiH+T xlUAudSk0W5ZvklYJRLMLE3r9GGu+S4XDDRb/F2lzBZ5bLoUYdnPItS0BZAu5PJo/RQ2 dWXc8vYNX8kuNTE++vYR5LSzhTYrVHTmLawlaO+4nBAhqt/gaarDWsTQRm7mqn2dkqGm WDWg== X-Received: by 10.15.90.201 with SMTP id q49mr2353903eez.65.1398419097920; Fri, 25 Apr 2014 02:44:57 -0700 (PDT) Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id o4sm23414928eef.20.2014.04.25.02.44.56 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 02:44:57 -0700 (PDT) Message-ID: <535A2E98.2000804@gmail.com> Date: Fri, 25 Apr 2014 10:44:56 +0100 From: Sergey Beryozkin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hannes Tschofenig References: <53577C73.2010201@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> <535A21F3.4050306@gmail.com> <535A29E7.6040505@gmx.net> In-Reply-To: <535A29E7.6040505@gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Iyp7e1GMCpdeyufnFqnNoNvihgs Cc: "" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 09:45:10 -0000 On 25/04/14 10:24, Hannes Tschofenig wrote: > The implementation and deployment status of JWT is certainly good. > For this write-up it would, however, be interesting to know what the > implementation status of the JWT bearer assertion spec is. Was I off-topic ? Sorry about it, I thought it would be encouraging for experts to see the general status, the wider JWT is supported the more likely the count of JWT Bearer assertion adopters will go up Cheers, Sergey > > On 04/25/2014 10:50 AM, Sergey Beryozkin wrote: >> On 24/04/14 23:41, Mike Jones wrote: >>> I am aware of these implementations: >>> Microsoft Azure Active Directory: >>> http://azure.microsoft.com/en-us/services/active-directory/ >>> Google Service Account: >>> https://developers.google.com/accounts/docs/OAuth2ServiceAccount >>> >>> I believe that Ping Identity and Salesforce also have implementations, >>> but I'll let Brian and Chuck authoritatively speak to those. >> >> Here is some info about open source projects: >> >> Apache Oltu has a good support for working with JWT, believe Spring >> Security has it (I haven't tried) and JBoss KeyCloak team works with >> JWT, work for supporting JWT Bearer is in progress in Apache CXF (a >> month or so away). >> >> There will be a pretty good coverage for it... >> >> Sergey >> >>> >>> -- Mike >>> >>> -----Original Message----- >>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes >>> Tschofenig >>> Sent: Wednesday, April 23, 2014 1:40 AM >>> To: oauth@ietf.org >>> Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up >>> >>> Hi all, >>> >>> I am working on the shepherd writeup for the JWT bearer document. The >>> shepherd write-ups for the assertion draft and the SAML bearer >>> document have been completed a while ago already, see >>> http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html >>> >>> A few requests: >>> >>> - To the document authors: Please confirm that any and all appropriate >>> IPR disclosures required for full conformance with the provisions of BCP >>> 78 and BCP 79 have already been filed. >>> >>> - To all: Are you aware of implementations of this specification? If >>> so, I would like to reference them in my write-up. >>> >>> - To all: Please also go through the text to make sure that I >>> correctly reflect the history and the status of this document. >>> >>> Here is the most recent version of the write-up: >>> https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt >>> >>> >>> >>> (The copy-and-paste of the full version is below.) >>> >>> Ciao >>> Hannes >>> >>> PS: Note that I have send a mail about a pending issue to the list. In >>> response to my question I will update the write-up accordingly. >>> >>> ---- >>> >>> Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client >>> Authentication and Authorization Grants" >>> >>> >>> (1) What type of RFC is being requested (BCP, Proposed Standard, >>> Internet Standard, Informational, Experimental, or Historic)? Why is >>> this the proper type of RFC? Is this type of RFC indicated in the >>> title page header? >>> >>> The RFC type is 'Standards Track' and the type is indicated in the >>> title page. This document defines an instantiation for the OAuth >>> assertion framework using JSON Web Tokens. >>> >>> (2) The IESG approval announcement includes a Document Announcement >>> Write-Up. Please provide such a Document Announcement Write-Up. Recent >>> examples can be found in the "Action" announcements for approved >>> documents. The approval announcement contains the following sections: >>> >>> Technical Summary: >>> >>> This specification defines the use of a JSON Web Token (JWT) Bearer >>> Token as a means for requesting an OAuth 2.0 access token as well as >>> for use as a means of client authentication. >>> >>> Working Group Summary: >>> >>> Was there anything in WG process that is worth noting? For example, >>> was there controversy about particular points or were there decisions >>> where the consensus was particularly rough? >>> >>> This document belongs to the OAuth assertion document bundle >>> consisting of the abstract OAuth assertion framework, and the SAML >>> assertion profile. Due to the use of the JSON-based encoding of the >>> assertion it also relies on the work in the JOSE working group (such >>> as JWE/JWS) indirectly through the use of the JWT. This document has >>> intentionally been kept in sync with the SAML-based version. >>> >>> Document Quality: >>> >>> This document has gone through many iterations and has received >>> substantial feedback. >>> >>> [[Add implementation list here.]] >>> >>> Personnel: >>> >>> The document shepherd is Hannes Tschofenig and the responsible area >>> director is Kathleen Moriarty. >>> >>> (3) Briefly describe the review of this document that was performed by >>> the Document Shepherd. If this version of the document is not ready >>> for publication, please explain why the document is being forwarded to >>> the IESG. >>> >>> The draft authors believe that this document is ready for publication. >>> The document has had received review comments from working group >>> members, and from the OAuth working group chairs. These review >>> comments have been taken into account. >>> >>> (4) Does the document Shepherd have any concerns about the depth or >>> breadth of the reviews that have been performed? >>> >>> This document has gotten feedback from the working group and given the >>> focused use cases it has received adequate review. >>> >>> (5) Do portions of the document need review from a particular or from >>> broader perspective, e.g., security, operational complexity, AAA, DNS, >>> DHCP, XML, or internationalization? If so, describe the review that >>> took place. >>> >>> Since the OAuth working group develops security protocols any feedback >>> from the security community is always appreciated. >>> >>> (6) Describe any specific concerns or issues that the Document >>> Shepherd has with this document that the Responsible Area Director >>> and/or the IESG should be aware of? For example, perhaps he or she is >>> uncomfortable with certain parts of the document, or has concerns >>> whether there really is a need for it. In any event, if the WG has >>> discussed those issues and has indicated that it still wishes to >>> advance the document, detail those concerns here. >>> >>> The shepherd has no concerns with this document. >>> >>> (7) Has each author confirmed that any and all appropriate IPR >>> disclosures required for full conformance with the provisions of BCP >>> 78 and BCP 79 have already been filed. If not, explain why? >>> >>> [[Confirmation from the authors required.]] >>> >>> (8) Has an IPR disclosure been filed that references this document? If >>> so, summarize any WG discussion and conclusion regarding the IPR >>> disclosures. >>> >>> No IPR disclosures have been filed on this document. However, two IPRs >>> have been filed for the JWT specification this document relies on, see >>> http://datatracker.ietf.org/ipr/search/?option=document_search&id=draft-ietf-oauth-json-web-token >>> >>> >>> >>> (9) How solid is the WG consensus behind this document? Does it >>> represent the strong concurrence of a few individuals, with others >>> being silent, or does the WG as a whole understand and agree with it? >>> >>> The working group has consensus to publish this document. >>> >>> (10) Has anyone threatened an appeal or otherwise indicated extreme >>> discontent? If so, please summarise the areas of conflict in separate >>> email messages to the Responsible Area Director. (It should be in a >>> separate email because this questionnaire is publicly available.) >>> >>> No appeal or extreme discontent has been raised. >>> >>> (11) Identify any ID nits the Document Shepherd has found in this >>> document. (See http://www.ietf.org/tools/idnits/ and the >>> Internet-Drafts Checklist). Boilerplate checks are not enough; this >>> check needs to be thorough. >>> >>> The shepherd has checked the nits. >>> >>> (12) Describe how the document meets any required formal review >>> criteria, such as the MIB Doctor, media type, and URI type reviews. >>> >>> There is no such review necessary. >>> >>> (13) Have all references within this document been identified as >>> either normative or informative? >>> >>> Yes. >>> >>> (14) Are there normative references to documents that are not ready >>> for advancement or are otherwise in an unclear state? If such >>> normative references exist, what is the plan for their completion? >>> >>> Yes. >>> >>> (15) Are there downward normative references references (see RFC 3967)? >>> If so, list these downward references to support the Area Director in >>> the Last Call procedure. >>> >>> RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational >>> RFC. A downref is required. >>> >>> However, this document depends on the completion of the abstract OAuth >>> assertion framework and on the JWT specification. >>> There are the following dependencies: >>> >>> (16) Will publication of this document change the status of any >>> existing RFCs? Are those RFCs listed on the title page header, listed >>> in the abstract, and discussed in the introduction? If the RFCs are >>> not listed in the Abstract and Introduction, explain why, and point to >>> the part of the document where the relationship of this document to >>> the other RFCs is discussed. If this information is not in the >>> document, explain why the WG considers it unnecessary. >>> >>> The publication of this document does not change the status of other >>> RFCs. >>> >>> (17) Describe the Document Shepherd's review of the IANA >>> considerations section, especially with regard to its consistency with >>> the body of the document. Confirm that all protocol extensions that >>> the document makes are associated with the appropriate reservations in >>> IANA registries. >>> Confirm that any referenced IANA registries have been clearly >>> identified. Confirm that newly created IANA registries include a >>> detailed specification of the initial contents for the registry, that >>> allocations procedures for future registrations are defined, and a >>> reasonable name for the new registry has been suggested (see RFC 5226). >>> >>> The document registers two sub-namespaces to the urn:ietf:params:oauth >>> URN established with RFC 6755. >>> >>> (18) List any new IANA registries that require Expert Review for >>> future allocations. Provide any public guidance that the IESG would >>> find useful in selecting the IANA Experts for these new registries. >>> >>> The document only adds entries to existing registries and does not >>> define any new registries. >>> >>> (19) Describe reviews and automated checks performed by the Document >>> Shepherd to validate sections of the document written in a formal >>> language, such as XML code, BNF rules, MIB definitions, etc. >>> >>> There are only snippets of message exchanges and JWT assertion >>> structures, which are based on JSON, used in the examples. There is no >>> pseudo code contained in the document that requires validation. >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > From nobody Fri Apr 25 02:55:30 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34B9D1A013B for ; Fri, 25 Apr 2014 02:55:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eudl8BQzMdlW for ; Fri, 25 Apr 2014 02:55:25 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id B0FDA1A013D for ; Fri, 25 Apr 2014 02:55:24 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M0Kp7-1WucP20NED-00uX8V; Fri, 25 Apr 2014 11:55:17 +0200 Message-ID: <535A2E7B.7010102@gmx.net> Date: Fri, 25 Apr 2014 11:44:27 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Sergey Beryozkin , oauth@ietf.org References: <53593E65.5020903@gmx.net> <5359691E.5000807@gmx.net> <535A2009.7080708@gmail.com> <535A298B.9030600@gmx.net> <535A2D31.8090909@gmail.com> In-Reply-To: <535A2D31.8090909@gmail.com> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="s07k6ku9GxgKp4abGJIFaM7dhdpSjEjtQ" X-Provags-ID: V03:K0:aIUEwOi4aZjrytTKZTkPQlXJkvUFg+3yu2cKsn44rE/YCypf0uE PT3d7IDBGxA88/uKvo7SFpXFAEcoLT08pUJI2ZsPlIW9+x0WBXJJUs8qJewkM7rQ71mre8N 9ePq41ZO7QiO7k7+m80m2UJTeQr5lo1bxc0dOmhgUnDSvpiFBtADGYxX7TyQCwT+E9a0jS4 aVOP6da83BtKZFN9yx1zw== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/_76_9B_izbx4iVMDLgs7rh5Qdt8 Subject: Re: [OAUTH-WG] HOTK/POP/etc drafts X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 09:55:28 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --s07k6ku9GxgKp4abGJIFaM7dhdpSjEjtQ Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Sergey, On 04/25/2014 11:38 AM, Sergey Beryozkin wrote: > Hopefully PoP model will not be made exclusive for JWT only, it won't b= e > very OAuth2 friendly IMHO... Note that draft-richer-oauth-signed-http-request-01 doesn't use JWTs. I just uses a JSON-based encoding of the parameters. I put a strawman proposal into the document. For the access token there is also no requirement to use JWTs. The use of a reference only (in combination with the token introspection) is one possible deployment option (which I still need to add to the overview document; I put a editor's note in the version of the document I submitted today). Ciao Hannes --s07k6ku9GxgKp4abGJIFaM7dhdpSjEjtQ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWi57AAoJEGhJURNOOiAtqecH/0fnjYq6h/WL/E6H2P8Jac3Y AYDQ05YMmoWbLgNb5HPQPQ3iWIdigCW9kTIib2kopneAnETxjtCWn89FhnU9146U j7Y0fDHnm4zVZIP4FgLbKEAP5jintcSdXtt+8a2JgvQi8Ta2i6Bc+Ao4Cct9uZB8 xKYjcvllzgVXrMdeCnkCZ1eMstbyYUM2UXiYpzBzcJxCAZDOw+Fy2I60FRe5rV5N 3MWCKWHjSjMG2wyQY9QU27X/pnZ3zZzWRctcTV15u7NnCbS1vE/qS3vo5PLFq6A4 1JqZ9ooGu4blkLBTa6hokMJhIDygcT1mahiBBGlLn0qqC5ih/ycU8EErNtB1DwM= =2m7D -----END PGP SIGNATURE----- --s07k6ku9GxgKp4abGJIFaM7dhdpSjEjtQ-- From nobody Fri Apr 25 03:08:37 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EF831A013D for ; Fri, 25 Apr 2014 03:08:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1AucP1S-5or for ; Fri, 25 Apr 2014 03:08:33 -0700 (PDT) Received: from mail-ee0-x232.google.com (mail-ee0-x232.google.com [IPv6:2a00:1450:4013:c00::232]) by ietfa.amsl.com (Postfix) with ESMTP id 7212D1A0139 for ; Fri, 25 Apr 2014 03:08:33 -0700 (PDT) Received: by mail-ee0-f50.google.com with SMTP id c13so2687645eek.9 for ; Fri, 25 Apr 2014 03:08:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=wpDZ3SGCbhk0MXxAt10MvXSArrMpQy+cPNn1zJtDOHM=; b=ggYJgO+pAuDvO//5Cylr9lnK0/EYhOoWtnzvgilE45MBfR+h461Lq6fRq5JW02jKUJ yCeIkQT3SkeOoeOogQkLQThXPThDdKWtc/GytEs11y7zSn+dE2lwrgONUB0F5o9dmEl7 Y8R8OseEc4NGjXkWDhKnalPjKlXyhrGK8H61DQlt4xplmk79JrIiF/O+eHqRySxwQhR1 q1QIj503OvyNbVpRzJX8v2K8f69q/IS8UZ9/o6oAMHQouub/YcJs580ZzDV9ZKWZBGL2 eybRvezKfhOUNMJqY+qlFM1xUpcDVwyFv9tEgVi+y98k4crHCfcxdS9E9MObbkaGdmZT dilA== X-Received: by 10.15.107.75 with SMTP id ca51mr9393eeb.103.1398420506708; Fri, 25 Apr 2014 03:08:26 -0700 (PDT) Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id q41sm23575874eez.7.2014.04.25.03.08.25 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 03:08:26 -0700 (PDT) Message-ID: <535A3418.6070703@gmail.com> Date: Fri, 25 Apr 2014 11:08:24 +0100 From: Sergey Beryozkin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hannes Tschofenig , oauth@ietf.org References: <53593E65.5020903@gmx.net> <5359691E.5000807@gmx.net> <535A2009.7080708@gmail.com> <535A298B.9030600@gmx.net> <535A2D31.8090909@gmail.com> <535A2E7B.7010102@gmx.net> In-Reply-To: <535A2E7B.7010102@gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/9llfOwueBZTR11zwddFz8Rz8Nkg Subject: Re: [OAUTH-WG] HOTK/POP/etc drafts X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 10:08:35 -0000 Hi Hannes On 25/04/14 10:44, Hannes Tschofenig wrote: > Hi Sergey, > > On 04/25/2014 11:38 AM, Sergey Beryozkin wrote: >> Hopefully PoP model will not be made exclusive for JWT only, it won't be >> very OAuth2 friendly IMHO... > > Note that draft-richer-oauth-signed-http-request-01 doesn't use JWTs. I > just uses a JSON-based encoding of the parameters. I put a strawman > proposal into the document. > > For the access token there is also no requirement to use JWTs. The use > of a reference only (in combination with the token introspection) is one > possible deployment option (which I still need to add to the overview > document; I put a editor's note in the version of the document I > submitted today). Thanks for the clarifications, actually, draft-richer-oauth-signed-http-request-01 is quite cool, perhaps we will see the document in time for using JWE for encrypting HTTP payloads too. Looks like OAuth2 is going to affect a lot the way HTTP communications are done in the future. Cheers, Sergey > > Ciao > Hannes > From nobody Fri Apr 25 03:13:49 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DDFB1A0144 for ; Fri, 25 Apr 2014 03:13:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jzNLhOvdC85n for ; Fri, 25 Apr 2014 03:13:38 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0189.outbound.protection.outlook.com [207.46.163.189]) by ietfa.amsl.com (Postfix) with ESMTP id ECFE01A0139 for ; Fri, 25 Apr 2014 03:13:37 -0700 (PDT) Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB207.namprd02.prod.outlook.com (10.242.165.145) with Microsoft SMTP Server (TLS) id 15.0.921.12; Fri, 25 Apr 2014 10:13:29 +0000 Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) with mapi id 15.00.0921.000; Fri, 25 Apr 2014 10:13:29 +0000 From: Antonio Sanso To: Torsten Lodderstedt Thread-Topic: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up Thread-Index: AQHPYEbfbJDShXj6EUK1aulw1xPKC5siHXoA Date: Fri, 25 Apr 2014 10:13:28 +0000 Message-ID: <79F587EF-9B47-4351-B1CC-B60E245FDCF4@adobe.com> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [192.147.117.11] x-forefront-prvs: 0192E812EC x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(428001)(199002)(53754006)(13464003)(189002)(377454003)(24454002)(79102001)(99286001)(74502001)(99396002)(31966008)(83072002)(74662001)(76176999)(15202345003)(87936001)(66066001)(83322001)(2656002)(76482001)(50986999)(80022001)(77982001)(15975445006)(33656001)(83716003)(20776003)(92566001)(4396001)(54356999)(86362001)(81342001)(46102001)(19580395003)(82746002)(80976001)(92726001)(36756003)(19580405001)(85852003)(16236675002)(81542001)(100906001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR02MB207; H:CO1PR02MB206.namprd02.prod.outlook.com; FPR:C609E1CC.9ED2D381.B1DF7BB7.4228C881.207A9; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en; received-spf: None (: adobe.com does not designate permitted sender hosts) Content-Type: multipart/alternative; boundary="_000_79F587EF9B474351B1CCB60E245FDCF4adobecom_" MIME-Version: 1.0 X-OriginatorOrg: adobe.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/6bj2IcATXoKT-abGl2khsFQf0mQ Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 10:13:43 -0000 --_000_79F587EF9B474351B1CCB60E245FDCF4adobecom_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi Torsten, Adobe also has an implementation. regards antonio On Apr 25, 2014, at 7:26 AM, Torsten Lodderstedt > wrote: Deutsche Telekom also has an implementation. regards, Torsten. -------- Urspr=FCngliche Nachricht -------- Von: Chuck Mortimore Datum:25.04.2014 01:31 (GMT+01:00) An: Mike Jones Cc: oauth@ietf.org Betreff: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up Salesforce Implementation: https://help.salesforce.com/HTViewHelpDoc?id=3Dr= emoteaccess_oauth_jwt_flow.htm&language=3Den_US On Thu, Apr 24, 2014 at 3:41 PM, Mike Jones > wrote: I am aware of these implementations: Microsoft Azure Active Directory: http://azure.microsoft.com/en-us= /services/active-directory/ Google Service Account: https://developers.google.com/accounts/docs= /OAuth2ServiceAccount I believe that Ping Identity and Salesforce also have implementations, but = I'll let Brian and Chuck authoritatively speak to those. -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] = On Behalf Of Hannes Tschofenig Sent: Wednesday, April 23, 2014 1:40 AM To: oauth@ietf.org Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up Hi all, I am working on the shepherd writeup for the JWT bearer document. The sheph= erd write-ups for the assertion draft and the SAML bearer document have bee= n completed a while ago already, see http://www.ietf.org/mail-archive/web/o= auth/current/msg12410.html A few requests: - To the document authors: Please confirm that any and all appropriate IPR = disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. - To all: Are you aware of implementations of this specification? If so, I = would like to reference them in my write-up. - To all: Please also go through the text to make sure that I correctly ref= lect the history and the status of this document. Here is the most recent version of the write-up: https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/sh= epherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt (The copy-and-paste of the full version is below.) Ciao Hannes PS: Note that I have send a mail about a pending issue to the list. In resp= onse to my question I will update the write-up accordingly. ---- Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authenticati= on and Authorization Grants" (1) What type of RFC is being requested (BCP, Proposed Standard, Internet S= tandard, Informational, Experimental, or Historic)? Why is this the proper = type of RFC? Is this type of RFC indicated in the title page header? The RFC type is 'Standards Track' and the type is indicated in the title pa= ge. This document defines an instantiation for the OAuth assertion framewor= k using JSON Web Tokens. (2) The IESG approval announcement includes a Document Announcement Write-U= p. Please provide such a Document Announcement Write-Up. Recent examples ca= n be found in the "Action" announcements for approved documents. The approv= al announcement contains the following sections: Technical Summary: This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. Working Group Summary: Was there anything in WG process that is worth noting? For example, was the= re controversy about particular points or were there decisions where the co= nsensus was particularly rough? This document belongs to the OAuth assertion document bundle consisting of = the abstract OAuth assertion framework, and the SAML assertion profile. Due= to the use of the JSON-based encoding of the assertion it also relies on t= he work in the JOSE working group (such as JWE/JWS) indirectly through the = use of the JWT. This document has intentionally been kept in sync with the = SAML-based version. Document Quality: This document has gone through many iterations and has received substantial= feedback. [[Add implementation list here.]] Personnel: The document shepherd is Hannes Tschofenig and the responsible area directo= r is Kathleen Moriarty. (3) Briefly describe the review of this document that was performed by the = Document Shepherd. If this version of the document is not ready for publica= tion, please explain why the document is being forwarded to the IESG. The draft authors believe that this document is ready for publication. The document has had received review comments from working group members, a= nd from the OAuth working group chairs. These review comments have been tak= en into account. (4) Does the document Shepherd have any concerns about the depth or breadth= of the reviews that have been performed? This document has gotten feedback from the working group and given the focu= sed use cases it has received adequate review. (5) Do portions of the document need review from a particular or from broad= er perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML= , or internationalization? If so, describe the review that took place. Since the OAuth working group develops security protocols any feedback from= the security community is always appreciated. (6) Describe any specific concerns or issues that the Document Shepherd has= with this document that the Responsible Area Director and/or the IESG shou= ld be aware of? For example, perhaps he or she is uncomfortable with certai= n parts of the document, or has concerns whether there really is a need for= it. In any event, if the WG has discussed those issues and has indicated t= hat it still wishes to advance the document, detail those concerns here. The shepherd has no concerns with this document. (7) Has each author confirmed that any and all appropriate IPR disclosures = required for full conformance with the provisions of BCP 78 and BCP 79 have= already been filed. If not, explain why? [[Confirmation from the authors required.]] (8) Has an IPR disclosure been filed that references this document? If so, = summarize any WG discussion and conclusion regarding the IPR disclosures. No IPR disclosures have been filed on this document. However, two IPRs have= been filed for the JWT specification this document relies on, see http://d= atatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraft-ietf-oa= uth-json-web-token (9) How solid is the WG consensus behind this document? Does it represent t= he strong concurrence of a few individuals, with others being silent, or do= es the WG as a whole understand and agree with it? The working group has consensus to publish this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discont= ent? If so, please summarise the areas of conflict in separate email messag= es to the Responsible Area Director. (It should be in a separate email beca= use this questionnaire is publicly available.) No appeal or extreme discontent has been raised. (11) Identify any ID nits the Document Shepherd has found in this document.= (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).= Boilerplate checks are not enough; this check needs to be thorough. The shepherd has checked the nits. (12) Describe how the document meets any required formal review criteria, s= uch as the MIB Doctor, media type, and URI type reviews. There is no such review necessary. (13) Have all references within this document been identified as either nor= mative or informative? Yes. (14) Are there normative references to documents that are not ready for adv= ancement or are otherwise in an unclear state? If such normative references= exist, what is the plan for their completion? Yes. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the L= ast Call procedure. RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational RFC.= A downref is required. However, this document depends on the completion of the abstract OAuth asse= rtion framework and on the JWT specification. There are the following dependencies: (16) Will publication of this document change the status of any existing RF= Cs? Are those RFCs listed on the title page header, listed in the abstract,= and discussed in the introduction? If the RFCs are not listed in the Abstr= act and Introduction, explain why, and point to the part of the document wh= ere the relationship of this document to the other RFCs is discussed. If th= is information is not in the document, explain why the WG considers it unne= cessary. The publication of this document does not change the status of other RFCs. (17) Describe the Document Shepherd's review of the IANA considerations sec= tion, especially with regard to its consistency with the body of the docume= nt. Confirm that all protocol extensions that the document makes are associ= ated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. C= onfirm that newly created IANA registries include a detailed specification = of the initial contents for the registry, that allocations procedures for f= uture registrations are defined, and a reasonable name for the new registry= has been suggested (see RFC 5226). The document registers two sub-namespaces to the urn:ietf:params:oauth URN = established with RFC 6755. (18) List any new IANA registries that require Expert Review for future all= ocations. Provide any public guidance that the IESG would find useful in se= lecting the IANA Experts for these new registries. The document only adds entries to existing registries and does not define a= ny new registries. (19) Describe reviews and automated checks performed by the Document Shephe= rd to validate sections of the document written in a formal language, such = as XML code, BNF rules, MIB definitions, etc. There are only snippets of message exchanges and JWT assertion structures, = which are based on JSON, used in the examples. There is no pseudo code cont= ained in the document that requires validation. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth --_000_79F587EF9B474351B1CCB60E245FDCF4adobecom_ Content-Type: text/html; charset="iso-8859-1" Content-ID: <8881736E30461542AFC879CF135A066A@namprd02.prod.outlook.com> Content-Transfer-Encoding: quoted-printable Hi Torsten,

Adobe also  has an implementation.

regards

antonio

On Apr 25, 2014, at 7:26 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

Deutsche Telekom also has an implementation. 

regards,
Torsten.


-------- Urspr=FCngliche Nachricht --------
Von: Chuck Mortimore
Datum:25.04.2014 01:31 (GMT+01:00)
An: Mike Jones
Cc: oauth@ietf.org
Betreff: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up



On Thu, Apr 24, 2014 at 3:41 PM, Mike Jones <Michae= l.Jones@microsoft.com> wrote:
I am aware of these implementations:
        Microsoft Azure Active Directory:  http://azure.microsoft.com/en-us/services/active-directory/
        Google Service Account: https://developers.google.com/accounts/docs/OAuth2ServiceAccount

I believe that Ping Identity and Salesforce also have implementations, but = I'll let Brian and Chuck authoritatively speak to those.

                     = ;           -- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces= @ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, April 23, 2014 1:40 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up

Hi all,

I am working on the shepherd writeup for the JWT bearer document. The sheph= erd write-ups for the assertion draft and the SAML bearer document have bee= n completed a while ago already, see http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html

A few requests:

- To the document authors: Please confirm that any and all appropriate IPR = disclosures required for full conformance with the provisions of BCP
78 and BCP 79 have already been filed.

- To all: Are you aware of implementations of this specification? If so, I = would like to reference them in my write-up.

- To all: Please also go through the text to make sure that I correctly ref= lect the history and the status of this document.

Here is the most recent version of the write-up:
https://raw.githubusercontent.com/hannestschofenig/tschofenig-i= ds/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt


(The copy-and-paste of the full version is below.)

Ciao
Hannes

PS: Note that I have send a mail about a pending issue to the list. In resp= onse to my question I will update the write-up accordingly.

----

Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authent= ication and Authorization Grants" <draft-ietf-oauth-saml2-bearer-08= >

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet S= tandard, Informational, Experimental, or Historic)? Why is this the proper = type of RFC? Is this type of RFC indicated in the title page header?

The RFC type is 'Standards Track' and the type is indicated in the title pa= ge. This document defines an instantiation for the OAuth assertion framewor= k using JSON Web Tokens.

(2) The IESG approval announcement includes a Document Announcement Write-U= p. Please provide such a Document Announcement Write-Up. Recent examples ca= n be found in the "Action" announcements for approved documents. = The approval announcement contains the following sections:

Technical Summary:

   This specification defines the use of a JSON Web Token (JWT) B= earer
   Token as a means for requesting an OAuth 2.0 access token as w= ell as
   for use as a means of client authentication.

Working Group Summary:

Was there anything in WG process that is worth noting? For example, was the= re controversy about particular points or were there decisions where the co= nsensus was particularly rough?

This document belongs to the OAuth assertion document bundle consisting of = the abstract OAuth assertion framework, and the SAML assertion profile. Due= to the use of the JSON-based encoding of the assertion it also relies on t= he work in the JOSE working group (such as JWE/JWS) indirectly through the use of the JWT. This document has= intentionally been kept in sync with the SAML-based version.

Document Quality:

This document has gone through many iterations and has received substantial= feedback.

[[Add implementation list here.]]

Personnel:

The document shepherd is Hannes Tschofenig and the responsible area directo= r is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by the = Document Shepherd. If this version of the document is not ready for publica= tion, please explain why the document is being forwarded to the IESG.

The draft authors believe that this document is ready for publication.
The document has had received review comments from working group members, a= nd from the OAuth working group chairs. These review comments have been tak= en into account.

(4) Does the document Shepherd have any concerns about the depth or breadth= of the reviews that have been performed?

This document has gotten feedback from the working group and given the focu= sed use cases it has received adequate review.

(5) Do portions of the document need review from a particular or from broad= er perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML= , or internationalization? If so, describe the review that took place.

Since the OAuth working group develops security protocols any feedback from= the security community is always appreciated.

(6) Describe any specific concerns or issues that the Document Shepherd has= with this document that the Responsible Area Director and/or the IESG shou= ld be aware of? For example, perhaps he or she is uncomfortable with certai= n parts of the document, or has concerns whether there really is a need for it. In any event, if the WG ha= s discussed those issues and has indicated that it still wishes to advance = the document, detail those concerns here.

The shepherd has no concerns with this document.

(7) Has each author confirmed that any and all appropriate IPR disclosures = required for full conformance with the provisions of BCP 78 and BCP 79 have= already been filed. If not, explain why?

[[Confirmation from the authors required.]]

(8) Has an IPR disclosure been filed that references this document? If so, = summarize any WG discussion and conclusion regarding the IPR disclosures.
No IPR disclosures have been filed on this document. However, two IPRs have= been filed for the JWT specification this document relies on, see http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Dd= raft-ietf-oauth-json-web-token


(9) How solid is the WG consensus behind this document? Does it represent t= he strong concurrence of a few individuals, with others being silent, or do= es the WG as a whole understand and agree with it?

The working group has consensus to publish this document.

(10) Has anyone threatened an appeal or otherwise indicated extreme discont= ent? If so, please summarise the areas of conflict in separate email messag= es to the Responsible Area Director. (It should be in a separate email beca= use this questionnaire is publicly available.)

No appeal or extreme discontent has been raised.

(11) Identify any ID nits the Document Shepherd has found in this document.= (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). B= oilerplate checks are not enough; this check needs to be thorough.

The shepherd has checked the nits.

(12) Describe how the document meets any required formal review criteria, s= uch as the MIB Doctor, media type, and URI type reviews.

There is no such review necessary.

(13) Have all references within this document been identified as either nor= mative or informative?

Yes.

(14) Are there normative references to documents that are not ready for adv= ancement or are otherwise in an unclear state? If such normative references= exist, what is the plan for their completion?

Yes.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the L= ast Call procedure.

RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational RFC.= A downref is required.

However, this document depends on the completion of the abstract OAuth asse= rtion framework and on the JWT specification.
There are the following dependencies:

(16) Will publication of this document change the status of any existing RF= Cs? Are those RFCs listed on the title page header, listed in the abstract,= and discussed in the introduction? If the RFCs are not listed in the Abstr= act and Introduction, explain why, and point to the part of the document where the relationship of this docum= ent to the other RFCs is discussed. If this information is not in the docum= ent, explain why the WG considers it unnecessary.

The publication of this document does not change the status of other RFCs.<= br>
(17) Describe the Document Shepherd's review of the IANA considerations sec= tion, especially with regard to its consistency with the body of the docume= nt. Confirm that all protocol extensions that the document makes are associ= ated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified. C= onfirm that newly created IANA registries include a detailed specification = of the initial contents for the registry, that allocations procedures for f= uture registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 522= 6).

The document registers two sub-namespaces to the urn:ietf:params:oauth URN = established with RFC 6755.

(18) List any new IANA registries that require Expert Review for future all= ocations. Provide any public guidance that the IESG would find useful in se= lecting the IANA Experts for these new registries.

The document only adds entries to existing registries and does not define a= ny new registries.

(19) Describe reviews and automated checks performed by the Document Shephe= rd to validate sections of the document written in a formal language, such = as XML code, BNF rules, MIB definitions, etc.

There are only snippets of message exchanges and JWT assertion structures, = which are based on JSON, used in the examples. There is no pseudo code cont= ained in the document that requires validation.



_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--_000_79F587EF9B474351B1CCB60E245FDCF4adobecom_-- From nobody Fri Apr 25 03:48:35 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB0241A03A6 for ; Fri, 25 Apr 2014 03:48:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.866 X-Spam-Level: X-Spam-Status: No, score=-0.866 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, TRACKER_ID=1.306] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ju-gJ2he5Tb0 for ; Fri, 25 Apr 2014 03:48:31 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id 6C3F11A0366 for ; Fri, 25 Apr 2014 03:48:31 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0Lat5o-1XJX03492e-00kM88 for ; Fri, 25 Apr 2014 12:48:24 +0200 Message-ID: <535A3AF4.4060506@gmx.net> Date: Fri, 25 Apr 2014 12:37:40 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "oauth@ietf.org" X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="UGdiqJkcSk99eNJ6rKcPmWfQnQI9afPHU" X-Provags-ID: V03:K0:7/ToZGpMEJa5/n6wL84qUBkDr1i+Tzky61rRQJ/Z/Hxe8gSzgmN bw+v8zCacWOYeeNJq4RNjjoWY62/LYBbs8DvuoEs3ksghXU03WLhGcGu0QOk3CXp3gHhegY AkoOCZMhWG8XcmOIDUGLHAUZhMcS7JwgomceN8+QyJX3WLoQLy7UPM8qJ0jVT9l51Y27yON b1acT7El4UXws8kk8gBHQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/cpJhBy-cjcSv7N0_J5GasKd-t8k Subject: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 10:48:33 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --UGdiqJkcSk99eNJ6rKcPmWfQnQI9afPHU Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi all, As a document shepherd I have to verify the entire document and this includes the examples as well. Section 3.1: You write: " The following octet sequence is the UTF-8 representation of the JWT Header/JWS Header above: [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32, 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125] " The values IMHO are represented in Decimal code point rather than Octal UTF-8 bytes, as stated above. See the following online tool to see the difference: http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=3D%22&mode=3Dchar Note that you could also show a hex encoding instead (e.g., via http://ostermiller.org/calc/encode.html). Hixie's decoder would then produce the correct decoding. Here is the link to his software: http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder (Note that this program seems to have flaws for most other options.) When do a Base64URL encoding of {"typ":"JWT","alg":"HS256"} then I get eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 but your spec says: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root":true= }. My result: eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb= 290Ijp0cnVlfQ Your result: eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvb= S9pc19yb290Ijp0cnVlfQ Note: I am using this online tool for Base64URL encoding: http://kjur.github.io/jsjws/tool_b64uenc.html. Interestingly, when I dump the data into http://jwt.io/ then I get a correct decoding. It might well be that the kjur.github.io has a flaw. Just wanted to check what tool you have used to create these encodings. Section 6.1: The example in Section 6.1 is the same as in 3.1. Maybe it would be useful to show something different here. The example in Appendix A.1 is more sophisticated since it demonstrates encryption. To verify it I would need to have a library that supports JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library have you been using? I was wondering whether it would make sense to add two other examples, namely for integrity protection. One example showing an HMAC-based keyed message digest and another one using a digital signature. Here is a simple example to add that almost all JWT libraries seem to be able to create and verify: Header: {"alg":"HS256","typ":"JWT"} I use the HS256 algorithm with a shared secret '12345'. Body: {"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":139= 8420753,"exp":1398424353,"iat":1398420753} jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com= ","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345", "HS256") I used http://www.onlineconversion.com/unix_time.htm to create the date/time values: "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT Here is the output created with https://github.com/progrium/pyjwt/ and verified with http://jwt.io/: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUu= Y29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsI= mV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHez= drv2E1LAVcNdTsq4 Ciao Hannes --UGdiqJkcSk99eNJ6rKcPmWfQnQI9afPHU Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWjr0AAoJEGhJURNOOiAtcl4H+gLMPDbEtwHxgsD1Xkz+XzLf 6z0x++GE2tYQXPZ2prlv/zt8t1Q2FpulQbEKbsgr3AteW3+FT+xNNi1fGcZFOZj6 wLvpeQbcrRKzAA8lWVhRpD54Ln9YrdW8FBJ6Bl2IER70HiExy1fhPPfv+NL7ab7A udm/v9B7tfrga88hs8ztdZqlhZxPUc1T0epc0w2g/+XIsxHVa7/HOokuEu5Gwias pfwcjpYbYr/dXbneTr6Q4dyeZyAUAA99ayo+bnemRhaegzTplAMJJy2qW76QIVyY xTp/Dcmmgq+xrBZWVZvK3YK1c/6sZKPa+YCDyYBJRAQZeiqxPqrpDEBHQ102IEI= =SwBb -----END PGP SIGNATURE----- --UGdiqJkcSk99eNJ6rKcPmWfQnQI9afPHU-- From nobody Fri Apr 25 04:06:28 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67D1B1A03B7 for ; Fri, 25 Apr 2014 04:06:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_tVOtbWAJPz for ; Fri, 25 Apr 2014 04:06:23 -0700 (PDT) Received: from mail-ee0-x22a.google.com (mail-ee0-x22a.google.com [IPv6:2a00:1450:4013:c00::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 0852F1A017C for ; Fri, 25 Apr 2014 04:06:22 -0700 (PDT) Received: by mail-ee0-f42.google.com with SMTP id d17so2713062eek.1 for ; Fri, 25 Apr 2014 04:06:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=uUh8oUn43Ym9YGzx5G7xkJXRWCWGd3Vpcuof2XG4d2Q=; b=ozDL6GWdSUN31+c3l+MWmV8YXxZlykajUc0B0Mu+IjBpWRQeMWd+yN4lV+YvOsh/8b 4taruf/ZN9oxsVEeUM065hTPYJAonhov2rfIfdAWFP+3JB7dRxy47xzKCHh44OuxYNSq tdupGU6DKhLc7GOUNgxuHA1mPMtadlwoLIzy+jgfjgcA+RtmP8waBLCwUTUjt75DKvQA uoIb53jKCXRTsei5Aqiz95c0/5H0JO5Bza/Rz7WTxxoF2xrjifvStbtGCbnQfyK7Hmjg gJ/Ebv0nzMGAUBbxTQ5VLu2qTIatcQRk8DHNTIVcfvVal722havgdadQOPKxmyw2oZa7 ujyw== X-Received: by 10.14.214.198 with SMTP id c46mr10000832eep.29.1398423976190; Fri, 25 Apr 2014 04:06:16 -0700 (PDT) Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id q41sm23953178eez.7.2014.04.25.04.06.15 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 04:06:15 -0700 (PDT) Message-ID: <535A41A6.1040200@gmail.com> Date: Fri, 25 Apr 2014 12:06:14 +0100 From: Sergey Beryozkin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: oauth@ietf.org References: <535A3AF4.4060506@gmx.net> In-Reply-To: <535A3AF4.4060506@gmx.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/RpygXduTbFvDvwJb0rBsgQ1dXqs Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 11:06:25 -0000 As far as I recall the spec example uses line separators and it can affect the output Thanks, Sergey On 25/04/14 11:37, Hannes Tschofenig wrote: > Hi all, > > As a document shepherd I have to verify the entire document and this > includes the examples as well. > > Section 3.1: > > You write: > > " > The following octet sequence is the UTF-8 representation of the JWT > Header/JWS Header above: > > [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32, > 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125] > " > > The values IMHO are represented in Decimal code point rather than Octal > UTF-8 bytes, as stated above. > See the following online tool to see the difference: > http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char > > Note that you could also show a hex encoding instead (e.g., via > http://ostermiller.org/calc/encode.html). Hixie's decoder would then > produce the correct decoding. Here is the link to his software: > http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder > (Note that this program seems to have flaws for most other options.) > > When do a Base64URL encoding of > > {"typ":"JWT","alg":"HS256"} > > then I get > > eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 > > but your spec says: > > eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 > > Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root":true}. > > My result: > eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > > Your result: > eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > > Note: I am using this online tool for Base64URL encoding: > http://kjur.github.io/jsjws/tool_b64uenc.html. > Interestingly, when I dump the data into http://jwt.io/ then I get a > correct decoding. It might well be that the kjur.github.io has a flaw. > > Just wanted to check what tool you have used to create these encodings. > > > Section 6.1: > > The example in Section 6.1 is the same as in 3.1. Maybe it would be > useful to show something different here. > > The example in Appendix A.1 is more sophisticated since it demonstrates > encryption. To verify it I would need to have a library that supports > JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library > have you been using? > > I was wondering whether it would make sense to add two other examples, > namely for integrity protection. One example showing an HMAC-based keyed > message digest and another one using a digital signature. > > Here is a simple example to add that almost all JWT libraries seem to be > able to create and verify: > > Header: > {"alg":"HS256","typ":"JWT"} > > I use the HS256 algorithm with a shared secret '12345'. > > Body: > > {"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":1398420753,"exp":1398424353,"iat":1398420753} > > jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345", > "HS256") > > I used http://www.onlineconversion.com/unix_time.htm to create the > date/time values: > "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT > "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > > Here is the output created with https://github.com/progrium/pyjwt/ and > verified with http://jwt.io/: > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4 > > Ciao > Hannes > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > From nobody Fri Apr 25 04:48:51 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E08101A0478 for ; Fri, 25 Apr 2014 04:48:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FgS33URZElwu for ; Fri, 25 Apr 2014 04:48:46 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id 1C9221A017B for ; Fri, 25 Apr 2014 04:48:45 -0700 (PDT) Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB205.namprd02.prod.outlook.com (10.242.165.139) with Microsoft SMTP Server (TLS) id 15.0.921.12; Fri, 25 Apr 2014 11:48:37 +0000 Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) with mapi id 15.00.0921.000; Fri, 25 Apr 2014 11:48:37 +0000 From: Antonio Sanso To: Hannes Tschofenig Thread-Topic: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples Thread-Index: AQHPYHP4mOmW3SJu7kGrJMFJQGhvh5siN7kA Date: Fri, 25 Apr 2014 11:48:36 +0000 Message-ID: <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com> References: <535A3AF4.4060506@gmx.net> In-Reply-To: <535A3AF4.4060506@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [192.147.117.11] x-forefront-prvs: 0192E812EC x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(6009001)(428001)(51694002)(199002)(189002)(377454003)(53754006)(51704005)(24454002)(74662001)(74502001)(2656002)(77982001)(79102001)(85852003)(575784001)(86362001)(83072002)(31966008)(36756003)(15975445006)(92566001)(81342001)(99286001)(80022001)(83716003)(33656001)(92726001)(20776003)(15395725003)(82746002)(15202345003)(54356999)(50986999)(46102001)(76482001)(76176999)(66066001)(87936001)(19580405001)(19580395003)(83322001)(80976001)(4396001)(81542001)(99396002)(100906001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR02MB205; H:CO1PR02MB206.namprd02.prod.outlook.com; FPR:FE6DD1D8.9A365129.BFEF31D7.8EFB6262.20536; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en; received-spf: None (: adobe.com does not designate permitted sender hosts) Content-Type: text/plain; charset="iso-8859-1" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: adobe.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qbE9CwFlYIyBUtqkYWhUdzXkh7k Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 11:48:49 -0000 hi Hannes. On Apr 25, 2014, at 12:37 PM, Hannes Tschofenig = wrote: > Hi all, >=20 > As a document shepherd I have to verify the entire document and this > includes the examples as well. >=20 > Section 3.1: >=20 > You write: >=20 > " > The following octet sequence is the UTF-8 representation of the JWT > Header/JWS Header above: >=20 > [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32, > 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125] > " >=20 > The values IMHO are represented in Decimal code point rather than Octal > UTF-8 bytes, as stated above. > See the following online tool to see the difference: > http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=3D%22&mode=3Dchar >=20 > Note that you could also show a hex encoding instead (e.g., via > http://ostermiller.org/calc/encode.html). Hixie's decoder would then > produce the correct decoding. Here is the link to his software: > http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder > (Note that this program seems to have flaws for most other options.) >=20 > When do a Base64URL encoding of >=20 > {"typ":"JWT","alg":"HS256"} >=20 > then I get >=20 > eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 >=20 > but your spec says: >=20 > eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 >=20 > Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root":true= }. >=20 > My result: > eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb= 290Ijp0cnVlfQ >=20 > Your result: > eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvb= S9pc19yb290Ijp0cnVlfQ see http://www.ietf.org/mail-archive/web/oauth/current/msg11599.html regards antonio >=20 > Note: I am using this online tool for Base64URL encoding: > http://kjur.github.io/jsjws/tool_b64uenc.html. > Interestingly, when I dump the data into http://jwt.io/ then I get a > correct decoding. It might well be that the kjur.github.io has a flaw. >=20 > Just wanted to check what tool you have used to create these encodings. >=20 >=20 > Section 6.1: >=20 > The example in Section 6.1 is the same as in 3.1. Maybe it would be > useful to show something different here. >=20 > The example in Appendix A.1 is more sophisticated since it demonstrates > encryption. To verify it I would need to have a library that supports > JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library > have you been using? >=20 > I was wondering whether it would make sense to add two other examples, > namely for integrity protection. One example showing an HMAC-based keyed > message digest and another one using a digital signature. >=20 > Here is a simple example to add that almost all JWT libraries seem to be > able to create and verify: >=20 > Header: > {"alg":"HS256","typ":"JWT"} >=20 > I use the HS256 algorithm with a shared secret '12345'. >=20 > Body: >=20 > {"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":139= 8420753,"exp":1398424353,"iat":1398420753} >=20 > jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com= ","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345", > "HS256") >=20 > I used http://www.onlineconversion.com/unix_time.htm to create the > date/time values: > "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT > "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT >=20 > Here is the output created with https://github.com/progrium/pyjwt/ and > verified with http://jwt.io/: > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUu= Y29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV= 4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2= E1LAVcNdTsq4 >=20 > Ciao > Hannes >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Fri Apr 25 05:03:18 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAE251A048D for ; Fri, 25 Apr 2014 05:03:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.146 X-Spam-Level: X-Spam-Status: No, score=-0.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSJGG9OfZ7EM for ; Fri, 25 Apr 2014 05:03:15 -0700 (PDT) Received: from mail-qa0-f52.google.com (mail-qa0-f52.google.com [209.85.216.52]) by ietfa.amsl.com (Postfix) with ESMTP id 412721A048C for ; Fri, 25 Apr 2014 05:03:14 -0700 (PDT) Received: by mail-qa0-f52.google.com with SMTP id m5so2263941qaj.25 for ; Fri, 25 Apr 2014 05:03:08 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=m4fLkaPty45QC4ckv/XR/14NzuIE9Uk7HQ4748OOpZs=; b=BFc2SHlVHabLdnMjHKURRwaptMnUD8nwtUzVe3T4ygSTdYf2GXs8mCJgfHVXmAcFyS ezYaYH4wb60EhwxwEn4vcQkV+6/89Ks2huRV0tzFB1MdEXPZlyR/0HGNcWBFcGRsE85u 3FNoyRfqDGoFRZNiw56HteRWOjUF5FnjQ2jxNfdvTeJpEElzyu3/RsJB2bafJKw4p2Th WtZ1Gw07E0sTF5/gHyqdWs1xlGYMz+s5t4686xinlcpE/q0mHQ0GxmoVwlEvodoQm7hC pvAIXfyLjDPv6N9ArohP7vwq9+yGgbE0tijfbBhsHSWMGwQ/ygLMPLs61nW+9hKgFlqL 67rQ== X-Gm-Message-State: ALoCoQldWTCh2AvwPDQALQuIKY7xwAPFYRaPcq91Uo916rJ0fJNQzH1bNI+dOKXysfiOAFRPnQlH X-Received: by 10.140.86.71 with SMTP id o65mr10036583qgd.67.1398427388497; Fri, 25 Apr 2014 05:03:08 -0700 (PDT) Received: from [192.168.0.200] ([201.188.125.93]) by mx.google.com with ESMTPSA id 11sm9313704qgv.20.2014.04.25.05.03.06 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 05:03:07 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: Date: Fri, 25 Apr 2014 09:03:06 -0300 Content-Transfer-Encoding: quoted-printable Message-Id: <7EF3EC88-B32C-4858-8570-B142A6EEE96C@ve7jtb.com> References: <8CE5B8B4-5CFB-4E1C-B1EC-06D2F0217ED8@adobe.com> To: Andrei Shakirin X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/97vfE-hEajm9liFg7EpZeOOzde4 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 12:03:17 -0000 Yes the server can be stateless, though it may need to store client = credentials and user to validate against, and refresh token grants etc. =20= The "state" parameter allows the client to maintain some state = information across the Oauth authorization request and response. Part of the use of that state information by the client allows it to = protect itself from having authorization requests initiated by 3rd = parties that is what Sec 10.12 is talking about. =20 In that case the client can save state in a browser cookie or in the = server and use that to validate the returned state value to assure = itself that the authorization request came from itself. John B. On Apr 25, 2014, at 4:08 AM, Andrei Shakirin = wrote: > Hi Antonio, >=20 > Thanks for your quick answer. > Important for me is that OAuth2 doesn't force to store client or = user-agent states in the authorization server, so authorization server = can be stateless and is not obligated to introduce the sessions at all. >=20 > Regards, > Andrei. >=20 >> -----Original Message----- >> From: Antonio Sanso [mailto:asanso@adobe.com] >> Sent: Freitag, 25. April 2014 09:02 >> To: Andrei Shakirin >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow >>=20 >> hi Andrei, >>=20 >> AFAIU session cookie management is beyond the scope of the OAuth2 >> specification. >>=20 >> regards >>=20 >> antonio >>=20 >> On Apr 24, 2014, at 6:39 PM, Andrei Shakirin = wrote: >>=20 >>> Hi, >>>=20 >>> My name is Andrei Shakirin, I am working with OAuth2 implementation = in >> Apache CXF project. >>> Could you please help me to verify my understanding regarding of = using >> session cookies in OAuth2 flow. >>> OAuth2 specification mentions session cookies in: >>> 1) Section 3.1. Authorization Endpoint as possible way to = authenticate >> resource owner against authorization server >>> 2) Section 10.12. Cross-Site Request Forgery as possible attack = where end- >> user follows a malicious URI to a trusting server including a valid = session cookie >>>=20 >>> My current understanding is: >>> a) using sessions between user-agent and authorization server is = optional and >> authorization server is not obligated to keep user state (in case if = user-agent >> provide authentication information with every request). >>> b) in case if sessions are used (because of any reasons), = authorization server >> have to care about additional protection like hidden form fields in = order to >> uniquely identify the actual authorization request. >>>=20 >>> Is this correct? >>>=20 >>> Regards, >>> Andrei. >>>=20 >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Fri Apr 25 05:36:54 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0130F1A04B7 for ; Fri, 25 Apr 2014 05:36:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CCgmoph7lwxM for ; Fri, 25 Apr 2014 05:36:47 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id B84761A04C1 for ; Fri, 25 Apr 2014 05:36:45 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MZgdm-1WKLnc2LfS-00LZVO; Fri, 25 Apr 2014 14:36:38 +0200 Message-ID: <535A544C.80100@gmx.net> Date: Fri, 25 Apr 2014 14:25:48 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Sergey Beryozkin References: <53577C73.2010201@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> <535A21F3.4050306@gmail.com> <535A29E7.6040505@gmx.net> <535A2E98.2000804@gmail.com> In-Reply-To: <535A2E98.2000804@gmail.com> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="hQfOa7KjmVrHhMSS3pWu6PBwS3dI2gl5x" X-Provags-ID: V03:K0:ZeyEtI/2XeoUpaW4kDoEHRoMg13HtpQtDDqPlhGHKEvLIYEBIJl nd39xYoT6R4t/udJav/24uQALH9CqaOgm9ET5lP2V0mRC1ARsdVMMX2itDW7edHbodq0IzE IVVJbN0g21sXhH064xYrav9ngopdHz78+i8GRkgF62pyQjfHUG902CwXPhVogPw361zB+TH nG3O5Dm6TUomGN9DYdhHg== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/LaqkulMW4sQ5LOHQovLQdwlMmR4 Cc: "" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 12:36:52 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --hQfOa7KjmVrHhMSS3pWu6PBwS3dI2gl5x Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Sergey, no, your comment wasn't off-topic and I agree that more widespread support of the JWT spec will also have a positive impact on the JWT bearer implementation / deployment status. draft-ietf-oauth-jwt-bearer spec requires the JWT to be used in a specific way. It does, however, make sense to indicate the JWT implementation situation in the write-up. Ciao Hannes On 04/25/2014 11:44 AM, Sergey Beryozkin wrote: >=20 > On 25/04/14 10:24, Hannes Tschofenig wrote: >> The implementation and deployment status of JWT is certainly good. >> For this write-up it would, however, be interesting to know what the >> implementation status of the JWT bearer assertion spec is. >=20 > Was I off-topic ? Sorry about it, I thought it would be encouraging for= > experts to see the general status, the wider JWT is supported the more > likely the count of JWT Bearer assertion adopters will go up >=20 > Cheers, Sergey >=20 >> >> On 04/25/2014 10:50 AM, Sergey Beryozkin wrote: >>> On 24/04/14 23:41, Mike Jones wrote: >>>> I am aware of these implementations: >>>> Microsoft Azure Active Directory: >>>> http://azure.microsoft.com/en-us/services/active-directory/ >>>> Google Service Account: >>>> https://developers.google.com/accounts/docs/OAuth2ServiceAccount >>>> >>>> I believe that Ping Identity and Salesforce also have implementation= s, >>>> but I'll let Brian and Chuck authoritatively speak to those. >>> >>> Here is some info about open source projects: >>> >>> Apache Oltu has a good support for working with JWT, believe Spring >>> Security has it (I haven't tried) and JBoss KeyCloak team works with >>> JWT, work for supporting JWT Bearer is in progress in Apache CXF (a >>> month or so away). >>> >>> There will be a pretty good coverage for it... >>> >>> Sergey >>> >>>> >>>> -- Mike >>>> >>>> -----Original Message----- >>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes >>>> Tschofenig >>>> Sent: Wednesday, April 23, 2014 1:40 AM >>>> To: oauth@ietf.org >>>> Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up >>>> >>>> Hi all, >>>> >>>> I am working on the shepherd writeup for the JWT bearer document. Th= e >>>> shepherd write-ups for the assertion draft and the SAML bearer >>>> document have been completed a while ago already, see >>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html >>>> >>>> A few requests: >>>> >>>> - To the document authors: Please confirm that any and all appropria= te >>>> IPR disclosures required for full conformance with the provisions of= >>>> BCP >>>> 78 and BCP 79 have already been filed. >>>> >>>> - To all: Are you aware of implementations of this specification? If= >>>> so, I would like to reference them in my write-up. >>>> >>>> - To all: Please also go through the text to make sure that I >>>> correctly reflect the history and the status of this document. >>>> >>>> Here is the most recent version of the write-up: >>>> https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/ma= ster/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt >>>> >>>> >>>> >>>> >>>> (The copy-and-paste of the full version is below.) >>>> >>>> Ciao >>>> Hannes >>>> >>>> PS: Note that I have send a mail about a pending issue to the list. = In >>>> response to my question I will update the write-up accordingly. >>>> >>>> ---- >>>> >>>> Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client >>>> Authentication and Authorization Grants" >>>> >>>> >>>> (1) What type of RFC is being requested (BCP, Proposed Standard, >>>> Internet Standard, Informational, Experimental, or Historic)? Why is= >>>> this the proper type of RFC? Is this type of RFC indicated in the >>>> title page header? >>>> >>>> The RFC type is 'Standards Track' and the type is indicated in the >>>> title page. This document defines an instantiation for the OAuth >>>> assertion framework using JSON Web Tokens. >>>> >>>> (2) The IESG approval announcement includes a Document Announcement >>>> Write-Up. Please provide such a Document Announcement Write-Up. Rece= nt >>>> examples can be found in the "Action" announcements for approved >>>> documents. The approval announcement contains the following sections= : >>>> >>>> Technical Summary: >>>> >>>> This specification defines the use of a JSON Web Token (JWT) >>>> Bearer >>>> Token as a means for requesting an OAuth 2.0 access token as >>>> well as >>>> for use as a means of client authentication. >>>> >>>> Working Group Summary: >>>> >>>> Was there anything in WG process that is worth noting? For example, >>>> was there controversy about particular points or were there decision= s >>>> where the consensus was particularly rough? >>>> >>>> This document belongs to the OAuth assertion document bundle >>>> consisting of the abstract OAuth assertion framework, and the SAML >>>> assertion profile. Due to the use of the JSON-based encoding of the >>>> assertion it also relies on the work in the JOSE working group (such= >>>> as JWE/JWS) indirectly through the use of the JWT. This document has= >>>> intentionally been kept in sync with the SAML-based version. >>>> >>>> Document Quality: >>>> >>>> This document has gone through many iterations and has received >>>> substantial feedback. >>>> >>>> [[Add implementation list here.]] >>>> >>>> Personnel: >>>> >>>> The document shepherd is Hannes Tschofenig and the responsible area >>>> director is Kathleen Moriarty. >>>> >>>> (3) Briefly describe the review of this document that was performed = by >>>> the Document Shepherd. If this version of the document is not ready >>>> for publication, please explain why the document is being forwarded = to >>>> the IESG. >>>> >>>> The draft authors believe that this document is ready for publicatio= n. >>>> The document has had received review comments from working group >>>> members, and from the OAuth working group chairs. These review >>>> comments have been taken into account. >>>> >>>> (4) Does the document Shepherd have any concerns about the depth or >>>> breadth of the reviews that have been performed? >>>> >>>> This document has gotten feedback from the working group and given t= he >>>> focused use cases it has received adequate review. >>>> >>>> (5) Do portions of the document need review from a particular or fro= m >>>> broader perspective, e.g., security, operational complexity, AAA, DN= S, >>>> DHCP, XML, or internationalization? If so, describe the review that >>>> took place. >>>> >>>> Since the OAuth working group develops security protocols any feedba= ck >>>> from the security community is always appreciated. >>>> >>>> (6) Describe any specific concerns or issues that the Document >>>> Shepherd has with this document that the Responsible Area Director >>>> and/or the IESG should be aware of? For example, perhaps he or she i= s >>>> uncomfortable with certain parts of the document, or has concerns >>>> whether there really is a need for it. In any event, if the WG has >>>> discussed those issues and has indicated that it still wishes to >>>> advance the document, detail those concerns here. >>>> >>>> The shepherd has no concerns with this document. >>>> >>>> (7) Has each author confirmed that any and all appropriate IPR >>>> disclosures required for full conformance with the provisions of BCP= >>>> 78 and BCP 79 have already been filed. If not, explain why? >>>> >>>> [[Confirmation from the authors required.]] >>>> >>>> (8) Has an IPR disclosure been filed that references this document? = If >>>> so, summarize any WG discussion and conclusion regarding the IPR >>>> disclosures. >>>> >>>> No IPR disclosures have been filed on this document. However, two IP= Rs >>>> have been filed for the JWT specification this document relies on, s= ee >>>> http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3D= draft-ietf-oauth-json-web-token >>>> >>>> >>>> >>>> >>>> (9) How solid is the WG consensus behind this document? Does it >>>> represent the strong concurrence of a few individuals, with others >>>> being silent, or does the WG as a whole understand and agree with it= ? >>>> >>>> The working group has consensus to publish this document. >>>> >>>> (10) Has anyone threatened an appeal or otherwise indicated extreme >>>> discontent? If so, please summarise the areas of conflict in separat= e >>>> email messages to the Responsible Area Director. (It should be in a >>>> separate email because this questionnaire is publicly available.) >>>> >>>> No appeal or extreme discontent has been raised. >>>> >>>> (11) Identify any ID nits the Document Shepherd has found in this >>>> document. (See http://www.ietf.org/tools/idnits/ and the >>>> Internet-Drafts Checklist). Boilerplate checks are not enough; this >>>> check needs to be thorough. >>>> >>>> The shepherd has checked the nits. >>>> >>>> (12) Describe how the document meets any required formal review >>>> criteria, such as the MIB Doctor, media type, and URI type reviews. >>>> >>>> There is no such review necessary. >>>> >>>> (13) Have all references within this document been identified as >>>> either normative or informative? >>>> >>>> Yes. >>>> >>>> (14) Are there normative references to documents that are not ready >>>> for advancement or are otherwise in an unclear state? If such >>>> normative references exist, what is the plan for their completion? >>>> >>>> Yes. >>>> >>>> (15) Are there downward normative references references (see RFC 396= 7)? >>>> If so, list these downward references to support the Area Director i= n >>>> the Last Call procedure. >>>> >>>> RFC 6755 defines the urn:ietf:params:oauth URN and is an Information= al >>>> RFC. A downref is required. >>>> >>>> However, this document depends on the completion of the abstract OAu= th >>>> assertion framework and on the JWT specification. >>>> There are the following dependencies: >>>> >>>> (16) Will publication of this document change the status of any >>>> existing RFCs? Are those RFCs listed on the title page header, liste= d >>>> in the abstract, and discussed in the introduction? If the RFCs are >>>> not listed in the Abstract and Introduction, explain why, and point = to >>>> the part of the document where the relationship of this document to >>>> the other RFCs is discussed. If this information is not in the >>>> document, explain why the WG considers it unnecessary. >>>> >>>> The publication of this document does not change the status of other= >>>> RFCs. >>>> >>>> (17) Describe the Document Shepherd's review of the IANA >>>> considerations section, especially with regard to its consistency wi= th >>>> the body of the document. Confirm that all protocol extensions that >>>> the document makes are associated with the appropriate reservations = in >>>> IANA registries. >>>> Confirm that any referenced IANA registries have been clearly >>>> identified. Confirm that newly created IANA registries include a >>>> detailed specification of the initial contents for the registry, tha= t >>>> allocations procedures for future registrations are defined, and a >>>> reasonable name for the new registry has been suggested (see RFC 522= 6). >>>> >>>> The document registers two sub-namespaces to the urn:ietf:params:oau= th >>>> URN established with RFC 6755. >>>> >>>> (18) List any new IANA registries that require Expert Review for >>>> future allocations. Provide any public guidance that the IESG would >>>> find useful in selecting the IANA Experts for these new registries. >>>> >>>> The document only adds entries to existing registries and does not >>>> define any new registries. >>>> >>>> (19) Describe reviews and automated checks performed by the Document= >>>> Shepherd to validate sections of the document written in a formal >>>> language, such as XML code, BNF rules, MIB definitions, etc. >>>> >>>> There are only snippets of message exchanges and JWT assertion >>>> structures, which are based on JSON, used in the examples. There is = no >>>> pseudo code contained in the document that requires validation. >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >=20 --hQfOa7KjmVrHhMSS3pWu6PBwS3dI2gl5x Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWlRMAAoJEGhJURNOOiAtDdUH/1koMWh6FlgYJmsF2QB/hij7 46ZYX9vugqVCu4GEFNeAc5bJ4yAsHzYjeYB5uqgNPDzYxME2IiD6XwQp2zelOKzi MpB4EgCu7VxV/DH+RhZGW+ReRRhB0ddbvxgBUOVFqjc3jsCF+FszQVE4kAFpTVpK zYyKLR2ZBHUw048ok/zblu4ebJ8+i35PIkqedTfdxdnR2WNztX/2dgbY0ILs1zPL EPxAhIg4iPxvUlCXV4JFwrMwQuuyG3BKCoAHrqq0gA+IaWYlyJx3161AsS/2u5gy jdEcgjKoyrMOy4HoTnLQ2F89Wp8usjCbQYgedzYH9hjqrEt0KHubOZh5WC7GV8Q= =fuBM -----END PGP SIGNATURE----- --hQfOa7KjmVrHhMSS3pWu6PBwS3dI2gl5x-- From nobody Fri Apr 25 05:53:08 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE0171A04A8 for ; Fri, 25 Apr 2014 05:53:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.172 X-Spam-Level: X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6W21wl4FUX2z for ; Fri, 25 Apr 2014 05:52:59 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 4B5181A04B6 for ; Fri, 25 Apr 2014 05:52:59 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MBFBB-1Wnst23lpd-00AFnl; Fri, 25 Apr 2014 14:52:50 +0200 Message-ID: <535A5819.2030805@gmx.net> Date: Fri, 25 Apr 2014 14:42:01 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Antonio Sanso References: <535A3AF4.4060506@gmx.net> <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com> In-Reply-To: <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="8wjj5WWKRavXcnXqHQDtibdSmLxBQHIxm" X-Provags-ID: V03:K0:Fo4ZJ+A3nUuEuLfp3CVmPEQAbUGKMyKdrkCKcEMf/6NOWQrF1ZG PpUwQkTNBZJ40Zfnh9VGRs4kcyhlLPX01STMUBSCJUOT5In5NCEIAJM8nKBDT+gvwlq5kh0 QbsApuMH6awLptVA4ZefsFLBSwTb+BkGL3sg3CENcicBoMJx9I/uj3tdVCKBeB/NcB/cV/X K3ISIZM48TC0ckntD/EsQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/FnnxY8xDS-8pZ9xkPBV1dxTkVG4 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 12:53:05 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --8wjj5WWKRavXcnXqHQDtibdSmLxBQHIxm Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Antonio good to see that others have run into the same issue before. I wonder why the carriage return and the line feed had been inserted. We either need some text to explain this in the example or to use an example that does not use carriage returns or line feeds. Ciao Hannes On 04/25/2014 01:48 PM, Antonio Sanso wrote: > hi Hannes. >=20 >=20 > On Apr 25, 2014, at 12:37 PM, Hannes Tschofenig wrote: >=20 >> Hi all, >> >> As a document shepherd I have to verify the entire document and this >> includes the examples as well. >> >> Section 3.1: >> >> You write: >> >> " >> The following octet sequence is the UTF-8 representation of the JWT >> Header/JWS Header above: >> >> [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32,= >> 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125] >> " >> >> The values IMHO are represented in Decimal code point rather than Octa= l >> UTF-8 bytes, as stated above. >> See the following online tool to see the difference: >> http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=3D%22&mode=3Dchar >> >> Note that you could also show a hex encoding instead (e.g., via >> http://ostermiller.org/calc/encode.html). Hixie's decoder would then >> produce the correct decoding. Here is the link to his software: >> http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder >> (Note that this program seems to have flaws for most other options.) >> >> When do a Base64URL encoding of >> >> {"typ":"JWT","alg":"HS256"} >> >> then I get >> >> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 >> >> but your spec says: >> >> eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 >> >> Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root":t= rue}. >> >> My result: >> eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc1= 9yb290Ijp0cnVlfQ >> >> Your result: >> eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLm= NvbS9pc19yb290Ijp0cnVlfQ >=20 > see http://www.ietf.org/mail-archive/web/oauth/current/msg11599.html >=20 > regards >=20 > antonio >=20 >> >> Note: I am using this online tool for Base64URL encoding: >> http://kjur.github.io/jsjws/tool_b64uenc.html. >> Interestingly, when I dump the data into http://jwt.io/ then I get a >> correct decoding. It might well be that the kjur.github.io has a flaw.= >> >> Just wanted to check what tool you have used to create these encodings= =2E >> >> >> Section 6.1: >> >> The example in Section 6.1 is the same as in 3.1. Maybe it would be >> useful to show something different here. >> >> The example in Appendix A.1 is more sophisticated since it demonstrate= s >> encryption. To verify it I would need to have a library that supports >> JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library >> have you been using? >> >> I was wondering whether it would make sense to add two other examples,= >> namely for integrity protection. One example showing an HMAC-based key= ed >> message digest and another one using a digital signature. >> >> Here is a simple example to add that almost all JWT libraries seem to = be >> able to create and verify: >> >> Header: >> {"alg":"HS256","typ":"JWT"} >> >> I use the HS256 algorithm with a shared secret '12345'. >> >> Body: >> >> {"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":= 1398420753,"exp":1398424353,"iat":1398420753} >> >> jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.= com","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345", >> "HS256") >> >> I used http://www.onlineconversion.com/unix_time.htm to create the >> date/time values: >> "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT >> "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT >> "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT >> >> Here is the output created with https://github.com/progrium/pyjwt/ and= >> verified with http://jwt.io/: >> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wb= GUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbS= IsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHw= Hezdrv2E1LAVcNdTsq4 >> >> Ciao >> Hannes >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 --8wjj5WWKRavXcnXqHQDtibdSmLxBQHIxm Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTWlgZAAoJEGhJURNOOiAtyboH/RB8iwx6aOFLr3aL2XQZO3Nt +BzkJUaaBuGtw6HkS5C/eD4IpcwUhOCx/Kyvoc/iynxBqv6k8lGLHyOhKMj6ju9G IGiE5YS9OwYJr7I6ZvYAHcoGll8FuaxVnjhZNIOP+Zv3qi++N4pl5sDrqIqPC94i FuKdwJdF4N5DALghqTxYCOMMUNwGLYTIAOSQb3mo+0UczTR45lDTkekoaZB5pj2Q UvUjmAMN426W3q8WAeumOtF39orVpsHNkiIU4EmwCFYBx7up2f2gPF/tRPR/PVDj QHrHqOA79KCChvAJxmlo340n3sMeNUlWHhLS5Gh/Suss0cx0A0ckzc3RIHntAOY= =9bf3 -----END PGP SIGNATURE----- --8wjj5WWKRavXcnXqHQDtibdSmLxBQHIxm-- From nobody Fri Apr 25 06:04:24 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D5E61A04A8 for ; Fri, 25 Apr 2014 06:04:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.917 X-Spam-Level: X-Spam-Status: No, score=0.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, FR_TEST_BASE64_BAD=3.189, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, TRACKER_ID=1.306] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oiJehXm_b9Dw for ; Fri, 25 Apr 2014 06:04:19 -0700 (PDT) Received: from na3sys009aog106.obsmtp.com (na3sys009aog106.obsmtp.com [74.125.149.77]) by ietfa.amsl.com (Postfix) with ESMTP id CEE4E1A047E for ; Fri, 25 Apr 2014 06:04:18 -0700 (PDT) Received: from mail-ig0-f172.google.com ([209.85.213.172]) (using TLSv1) by na3sys009aob106.postini.com ([74.125.148.12]) with SMTP ID DSNKU1pdTDLlXnM2qeCq+GsbuETD+sQ0TiNF@postini.com; Fri, 25 Apr 2014 06:04:12 PDT Received: by mail-ig0-f172.google.com with SMTP id hn18so2142144igb.17 for ; Fri, 25 Apr 2014 06:04:12 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=S8Ab0yoV282KoiWNzheHi3SuaVgc9PXOTqxsRs0mxKA=; b=lDvkAlRh5RmtGew5OGvjcnc9XgVf5Wu8RIrNSVUrTrPyjwIXuKWg0A/4g4OsHsKGGO E8OsOtOCfMS06XSrO/p5kINl2jDUtVU06EI37tiEWk64g5/tyZMxbvB11WslSxy4/8pg 5FKMX5bugi1ZW/1C6ikWPCKYpdhFbxFrRUTpusXHBJtFsbcqzcszhJGBpNBqA2E8v4ZF uwcs0y7BHiArMvFVG3gkbwKiExUZeD6GsFIROgEvlNxm9om9qUeN4k3oCtu07EtvXe5S OgcthBJVz2BdpttTgFAzXWa1w+ijiteQzC4Jb28IW2+OUFVU/HzvICoYE5Bjay+Hp8Tl 0ETQ== X-Gm-Message-State: ALoCoQnmU41JnRK3ccmWn2jzQrqwPnu/DNbf/Hnke6JUFU42bO2lOVB1fkTY48eHfbcDwabNEek5HePCULwoZJM+iJZnFAQlyCmqKOJuqvj2ZWRv5yzrPNMrHbQqF5/ZOjjSm6KU2GJO X-Received: by 10.50.153.49 with SMTP id vd17mr4886502igb.40.1398431052262; Fri, 25 Apr 2014 06:04:12 -0700 (PDT) X-Received: by 10.50.153.49 with SMTP id vd17mr4886434igb.40.1398431051649; Fri, 25 Apr 2014 06:04:11 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Fri, 25 Apr 2014 06:03:40 -0700 (PDT) In-Reply-To: <535A3AF4.4060506@gmx.net> References: <535A3AF4.4060506@gmx.net> From: Brian Campbell Date: Fri, 25 Apr 2014 07:03:40 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=089e014954be13ae9e04f7dd9a74 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/yIzmU_VO6ORNCd4g4irSp5EMhIU Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 13:04:21 -0000 --089e014954be13ae9e04f7dd9a74 Content-Type: text/plain; charset=UTF-8 So JWT 3.1 is based entirely on, and is just a subset of, JWS Appendix A.1. And I've got a test which validates that example in my JOSE library: https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsUsingHmacSha256ExampleTest.java And here's a verification of the Example Encrypted JWT from Appendix A.1: https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jwe/EncryptedJwtTest.java The example in Section 6.1 is different than 3.1 - it's a "Plaintext JWT" using the "none" JWS alg. I've got verification of that one as well at the top of https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsPlaintextTest.java On Fri, Apr 25, 2014 at 4:37 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi all, > > As a document shepherd I have to verify the entire document and this > includes the examples as well. > > Section 3.1: > > You write: > > " > The following octet sequence is the UTF-8 representation of the JWT > Header/JWS Header above: > > [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32, > 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125] > " > > The values IMHO are represented in Decimal code point rather than Octal > UTF-8 bytes, as stated above. > See the following online tool to see the difference: > http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char > > Note that you could also show a hex encoding instead (e.g., via > http://ostermiller.org/calc/encode.html). Hixie's decoder would then > produce the correct decoding. Here is the link to his software: > http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder > (Note that this program seems to have flaws for most other options.) > > When do a Base64URL encoding of > > {"typ":"JWT","alg":"HS256"} > > then I get > > eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 > > but your spec says: > > eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 > > Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root > ":true}. > > My result: > > eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > > Your result: > > eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > > Note: I am using this online tool for Base64URL encoding: > http://kjur.github.io/jsjws/tool_b64uenc.html. > Interestingly, when I dump the data into http://jwt.io/ then I get a > correct decoding. It might well be that the kjur.github.io has a flaw. > > Just wanted to check what tool you have used to create these encodings. > > > Section 6.1: > > The example in Section 6.1 is the same as in 3.1. Maybe it would be > useful to show something different here. > > The example in Appendix A.1 is more sophisticated since it demonstrates > encryption. To verify it I would need to have a library that supports > JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library > have you been using? > > I was wondering whether it would make sense to add two other examples, > namely for integrity protection. One example showing an HMAC-based keyed > message digest and another one using a digital signature. > > Here is a simple example to add that almost all JWT libraries seem to be > able to create and verify: > > Header: > {"alg":"HS256","typ":"JWT"} > > I use the HS256 algorithm with a shared secret '12345'. > > Body: > > {"iss":"https://as.example.com","sub":"mailto:john@example.com > ","nbf":1398420753,"exp":1398424353,"iat":1398420753} > > jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com > ","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345", > "HS256") > > I used http://www.onlineconversion.com/unix_time.htm to create the > date/time values: > "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT > "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > > Here is the output created with https://github.com/progrium/pyjwt/ and > verified with http://jwt.io/: > > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4 > > Ciao > Hannes > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --089e014954be13ae9e04f7dd9a74 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
So JWT 3.1 is based entirely on, and is just a s= ubset of, JWS Appendix A.1. And I've got a test which validates that ex= ample in my JOSE library: = https://bitbucket.org/b_c/jose= 4j/src/master/src/test/java/org/jose4j/jws/JwsUsingHmacSha256ExampleTest.ja= va

And here's a verification of the Example Encrypted= JWT from Appendix A.1: https://bitbucket.o= rg/b_c/jose4j/src/master/src/test/java/org/jose4j/jwe/EncryptedJwtTest.java=

The example in Section 6.1 is different than 3.1 - it's a "Pla= intext JWT" using the "none" JWS alg. I've got verificat= ion of that one as well at the top of https= ://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsPlai= ntextTest.java


On Fri, Apr 25, 2014 at 4:37 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
Hi all,

As a document shepherd I have to verify the entire document and this
includes the examples as well.

Section 3.1:

You write:

"
=C2=A0 =C2=A0The following octet sequence is the UTF-8 representation of th= e JWT
=C2=A0 =C2=A0Header/JWS Header above:

=C2=A0 =C2=A0[123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 1= 0, 32,
=C2=A0 =C2=A034, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]
"

The values IMHO are represented in Decimal code point rather than Octal
UTF-8 bytes, as stated above.
See the following online tool to see the difference:
http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input= =3D%22&mode=3Dchar

Note that you could also show a hex encoding instead (e.g., via
http:= //ostermiller.org/calc/encode.html). Hixie's decoder would then
produce the correct decoding. Here is the link to his software:
http://software.hixie.ch/utilities/cgi/unicode-decod= er/utf8-decoder
(Note that this program seems to have flaws for most other options.)

When do a Base64URL encoding of

{"typ":"JWT","alg":"HS256"}

then I get

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

but your spec says:

eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9

Same with {"iss":"joe","exp":1300819380,"= ;http://example.co= m/is_root":true}.

My result:
eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb29= 0Ijp0cnVlfQ

Your result:
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9= pc19yb290Ijp0cnVlfQ

Note: I am using this online tool for Base64URL encoding:
http://kjur.github.io/jsjws/tool_b64uenc.html.
Interestingly, when I dump the data into http://jwt.io/ then I get a
correct decoding. It might well be that the kjur.github.io has a flaw.

Just wanted to check what tool you have used to create these encodings.


Section 6.1:

The example in Section 6.1 is the same as in 3.1. Maybe it would be
useful to show something different here.

The example in Appendix A.1 is more sophisticated since it demonstrates
encryption. To verify it I would need to have a library that supports
JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library
have you been using?

I was wondering whether it would make sense to add two other examples,
namely for integrity protection. One example showing an HMAC-based keyed message digest and another one using a digital signature.

Here is a simple example to add that almost all JWT libraries seem to be able to create and verify:

Header:
{"alg":"HS256","typ":"JWT"}

I use the HS256 algorithm with a shared secret '12345'.

Body:

{"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":13984207= 53,"exp":1398424353,"iat":1398420753}

jwt.encode({"iss":"https://as.example.com","sub":"mailto:<= a href=3D"mailto:john@example.com">john@example.com","nbf&quo= t;:1398420753,"exp":1398424353,"iat":1398420753},"= 12345",
"HS256")

I used http://www.onlineconversion.com/unix_time.htm to create the
date/time values:
"nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
"exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT
"iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT

Here is the output created with https://github.com/progrium/pyjwt/ and
verified with http://jwt.io/:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY2= 9tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4c= CI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1= LAVcNdTsq4

Ciao
Hannes



_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--089e014954be13ae9e04f7dd9a74-- From nobody Fri Apr 25 06:11:07 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AC9A1A04C2 for ; Fri, 25 Apr 2014 06:10:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79tt4EUpw3qX for ; Fri, 25 Apr 2014 06:10:50 -0700 (PDT) Received: from mail-qc0-f174.google.com (mail-qc0-f174.google.com [209.85.216.174]) by ietfa.amsl.com (Postfix) with ESMTP id EDD661A049F for ; Fri, 25 Apr 2014 06:10:49 -0700 (PDT) Received: by mail-qc0-f174.google.com with SMTP id c9so3880836qcz.19 for ; Fri, 25 Apr 2014 06:10:43 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=KAO7uXU7w/CZKHn8gbwEpqXaESZdXh/VowyhR2WhGP8=; b=QBtzwGuOUfU6eq3OZ55NtcR8l6P/OU2EzA7tgUp6fD6RKcP0hJkYJGvQqnJF4TyNyg oEcm0PyMvDfAO/tmKQ2VzH7FjcEg82UPO62amTrbaxipJpAtHiMvM2qLk0iUpPnmjOGB h80khAX7E79n0mj+S0jvqUAe9YcvsRHVXMiANp/x5GiZ/MimwbRbDt8b2clLzOcCZ8Gx Lgi0KbW2NBMz3krSu3+7ZytbKnPQsCO6In2Zw3d5r3W2pMR9zsZ4itVcEB3VsracOCAx AJGHtMf4fnOkiLjFcyh/8j3RZIpeILFVRn9ZfTHfaScy0NGX+Ztyq4chF6dGPDjQSDTv 8ZcQ== X-Gm-Message-State: ALoCoQkRKcIs+UuHuDfJmgduZnGzqQ3Mb9OhmJjrIYeW3u6g7Un9XBUHcnMaMGz/bCSSQknZGEra X-Received: by 10.140.18.173 with SMTP id 42mr10589621qgf.94.1398431443240; Fri, 25 Apr 2014 06:10:43 -0700 (PDT) Received: from [192.168.0.200] ([201.188.125.93]) by mx.google.com with ESMTPSA id x2sm14209736qas.26.2014.04.25.06.10.39 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 06:10:41 -0700 (PDT) Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: <535A544C.80100@gmx.net> Date: Fri, 25 Apr 2014 10:10:39 -0300 Content-Transfer-Encoding: quoted-printable Message-Id: References: <53577C73.2010201@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> <535A21F3.4050306@gmail.com> <535A29E7.6040505@gmx.net> <535A2E98.2000804@gmail.com> <535A544C.80100@gmx.net> To: Hannes Tschofenig X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/yy9Bc54mMsQeRM1gE9szkPkJiUA Cc: "" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 13:10:55 -0000 The JWT bearer spec is used in Connect for authenticating clients with = asymmetric credentials. I don't know at the moment how many server implementations support that = as it is not MTI. I know it is on the Ping roadmap but not currently in shipping product. John B. On Apr 25, 2014, at 9:25 AM, Hannes Tschofenig = wrote: > Hi Sergey, >=20 > no, your comment wasn't off-topic and I agree that more widespread > support of the JWT spec will also have a positive impact on the JWT > bearer implementation / deployment status. >=20 > draft-ietf-oauth-jwt-bearer spec requires the JWT to be used in a > specific way. It does, however, make sense to indicate the JWT > implementation situation in the write-up. >=20 > Ciao > Hannes >=20 >=20 >=20 > On 04/25/2014 11:44 AM, Sergey Beryozkin wrote: >>=20 >> On 25/04/14 10:24, Hannes Tschofenig wrote: >>> The implementation and deployment status of JWT is certainly good. >>> For this write-up it would, however, be interesting to know what the >>> implementation status of the JWT bearer assertion spec is. >>=20 >> Was I off-topic ? Sorry about it, I thought it would be encouraging = for >> experts to see the general status, the wider JWT is supported the = more >> likely the count of JWT Bearer assertion adopters will go up >>=20 >> Cheers, Sergey >>=20 >>>=20 >>> On 04/25/2014 10:50 AM, Sergey Beryozkin wrote: >>>> On 24/04/14 23:41, Mike Jones wrote: >>>>> I am aware of these implementations: >>>>> Microsoft Azure Active Directory: >>>>> http://azure.microsoft.com/en-us/services/active-directory/ >>>>> Google Service Account: >>>>> https://developers.google.com/accounts/docs/OAuth2ServiceAccount >>>>>=20 >>>>> I believe that Ping Identity and Salesforce also have = implementations, >>>>> but I'll let Brian and Chuck authoritatively speak to those. >>>>=20 >>>> Here is some info about open source projects: >>>>=20 >>>> Apache Oltu has a good support for working with JWT, believe Spring >>>> Security has it (I haven't tried) and JBoss KeyCloak team works = with >>>> JWT, work for supporting JWT Bearer is in progress in Apache CXF (a >>>> month or so away). >>>>=20 >>>> There will be a pretty good coverage for it... >>>>=20 >>>> Sergey >>>>=20 >>>>>=20 >>>>> -- Mike >>>>>=20 >>>>> -----Original Message----- >>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes >>>>> Tschofenig >>>>> Sent: Wednesday, April 23, 2014 1:40 AM >>>>> To: oauth@ietf.org >>>>> Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up >>>>>=20 >>>>> Hi all, >>>>>=20 >>>>> I am working on the shepherd writeup for the JWT bearer document. = The >>>>> shepherd write-ups for the assertion draft and the SAML bearer >>>>> document have been completed a while ago already, see >>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html >>>>>=20 >>>>> A few requests: >>>>>=20 >>>>> - To the document authors: Please confirm that any and all = appropriate >>>>> IPR disclosures required for full conformance with the provisions = of >>>>> BCP >>>>> 78 and BCP 79 have already been filed. >>>>>=20 >>>>> - To all: Are you aware of implementations of this specification? = If >>>>> so, I would like to reference them in my write-up. >>>>>=20 >>>>> - To all: Please also go through the text to make sure that I >>>>> correctly reflect the history and the status of this document. >>>>>=20 >>>>> Here is the most recent version of the write-up: >>>>> = https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/s= hepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt >>>>>=20 >>>>>=20 >>>>>=20 >>>>>=20 >>>>> (The copy-and-paste of the full version is below.) >>>>>=20 >>>>> Ciao >>>>> Hannes >>>>>=20 >>>>> PS: Note that I have send a mail about a pending issue to the = list. In >>>>> response to my question I will update the write-up accordingly. >>>>>=20 >>>>> ---- >>>>>=20 >>>>> Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client >>>>> Authentication and Authorization Grants" >>>>> >>>>>=20 >>>>> (1) What type of RFC is being requested (BCP, Proposed Standard, >>>>> Internet Standard, Informational, Experimental, or Historic)? Why = is >>>>> this the proper type of RFC? Is this type of RFC indicated in the >>>>> title page header? >>>>>=20 >>>>> The RFC type is 'Standards Track' and the type is indicated in the >>>>> title page. This document defines an instantiation for the OAuth >>>>> assertion framework using JSON Web Tokens. >>>>>=20 >>>>> (2) The IESG approval announcement includes a Document = Announcement >>>>> Write-Up. Please provide such a Document Announcement Write-Up. = Recent >>>>> examples can be found in the "Action" announcements for approved >>>>> documents. The approval announcement contains the following = sections: >>>>>=20 >>>>> Technical Summary: >>>>>=20 >>>>> This specification defines the use of a JSON Web Token (JWT) >>>>> Bearer >>>>> Token as a means for requesting an OAuth 2.0 access token as >>>>> well as >>>>> for use as a means of client authentication. >>>>>=20 >>>>> Working Group Summary: >>>>>=20 >>>>> Was there anything in WG process that is worth noting? For = example, >>>>> was there controversy about particular points or were there = decisions >>>>> where the consensus was particularly rough? >>>>>=20 >>>>> This document belongs to the OAuth assertion document bundle >>>>> consisting of the abstract OAuth assertion framework, and the SAML >>>>> assertion profile. Due to the use of the JSON-based encoding of = the >>>>> assertion it also relies on the work in the JOSE working group = (such >>>>> as JWE/JWS) indirectly through the use of the JWT. This document = has >>>>> intentionally been kept in sync with the SAML-based version. >>>>>=20 >>>>> Document Quality: >>>>>=20 >>>>> This document has gone through many iterations and has received >>>>> substantial feedback. >>>>>=20 >>>>> [[Add implementation list here.]] >>>>>=20 >>>>> Personnel: >>>>>=20 >>>>> The document shepherd is Hannes Tschofenig and the responsible = area >>>>> director is Kathleen Moriarty. >>>>>=20 >>>>> (3) Briefly describe the review of this document that was = performed by >>>>> the Document Shepherd. If this version of the document is not = ready >>>>> for publication, please explain why the document is being = forwarded to >>>>> the IESG. >>>>>=20 >>>>> The draft authors believe that this document is ready for = publication. >>>>> The document has had received review comments from working group >>>>> members, and from the OAuth working group chairs. These review >>>>> comments have been taken into account. >>>>>=20 >>>>> (4) Does the document Shepherd have any concerns about the depth = or >>>>> breadth of the reviews that have been performed? >>>>>=20 >>>>> This document has gotten feedback from the working group and given = the >>>>> focused use cases it has received adequate review. >>>>>=20 >>>>> (5) Do portions of the document need review from a particular or = from >>>>> broader perspective, e.g., security, operational complexity, AAA, = DNS, >>>>> DHCP, XML, or internationalization? If so, describe the review = that >>>>> took place. >>>>>=20 >>>>> Since the OAuth working group develops security protocols any = feedback >>>>> from the security community is always appreciated. >>>>>=20 >>>>> (6) Describe any specific concerns or issues that the Document >>>>> Shepherd has with this document that the Responsible Area Director >>>>> and/or the IESG should be aware of? For example, perhaps he or she = is >>>>> uncomfortable with certain parts of the document, or has concerns >>>>> whether there really is a need for it. In any event, if the WG has >>>>> discussed those issues and has indicated that it still wishes to >>>>> advance the document, detail those concerns here. >>>>>=20 >>>>> The shepherd has no concerns with this document. >>>>>=20 >>>>> (7) Has each author confirmed that any and all appropriate IPR >>>>> disclosures required for full conformance with the provisions of = BCP >>>>> 78 and BCP 79 have already been filed. If not, explain why? >>>>>=20 >>>>> [[Confirmation from the authors required.]] >>>>>=20 >>>>> (8) Has an IPR disclosure been filed that references this = document? If >>>>> so, summarize any WG discussion and conclusion regarding the IPR >>>>> disclosures. >>>>>=20 >>>>> No IPR disclosures have been filed on this document. However, two = IPRs >>>>> have been filed for the JWT specification this document relies on, = see >>>>> = http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraf= t-ietf-oauth-json-web-token >>>>>=20 >>>>>=20 >>>>>=20 >>>>>=20 >>>>> (9) How solid is the WG consensus behind this document? Does it >>>>> represent the strong concurrence of a few individuals, with others >>>>> being silent, or does the WG as a whole understand and agree with = it? >>>>>=20 >>>>> The working group has consensus to publish this document. >>>>>=20 >>>>> (10) Has anyone threatened an appeal or otherwise indicated = extreme >>>>> discontent? If so, please summarise the areas of conflict in = separate >>>>> email messages to the Responsible Area Director. (It should be in = a >>>>> separate email because this questionnaire is publicly available.) >>>>>=20 >>>>> No appeal or extreme discontent has been raised. >>>>>=20 >>>>> (11) Identify any ID nits the Document Shepherd has found in this >>>>> document. (See http://www.ietf.org/tools/idnits/ and the >>>>> Internet-Drafts Checklist). Boilerplate checks are not enough; = this >>>>> check needs to be thorough. >>>>>=20 >>>>> The shepherd has checked the nits. >>>>>=20 >>>>> (12) Describe how the document meets any required formal review >>>>> criteria, such as the MIB Doctor, media type, and URI type = reviews. >>>>>=20 >>>>> There is no such review necessary. >>>>>=20 >>>>> (13) Have all references within this document been identified as >>>>> either normative or informative? >>>>>=20 >>>>> Yes. >>>>>=20 >>>>> (14) Are there normative references to documents that are not = ready >>>>> for advancement or are otherwise in an unclear state? If such >>>>> normative references exist, what is the plan for their completion? >>>>>=20 >>>>> Yes. >>>>>=20 >>>>> (15) Are there downward normative references references (see RFC = 3967)? >>>>> If so, list these downward references to support the Area Director = in >>>>> the Last Call procedure. >>>>>=20 >>>>> RFC 6755 defines the urn:ietf:params:oauth URN and is an = Informational >>>>> RFC. A downref is required. >>>>>=20 >>>>> However, this document depends on the completion of the abstract = OAuth >>>>> assertion framework and on the JWT specification. >>>>> There are the following dependencies: >>>>>=20 >>>>> (16) Will publication of this document change the status of any >>>>> existing RFCs? Are those RFCs listed on the title page header, = listed >>>>> in the abstract, and discussed in the introduction? If the RFCs = are >>>>> not listed in the Abstract and Introduction, explain why, and = point to >>>>> the part of the document where the relationship of this document = to >>>>> the other RFCs is discussed. If this information is not in the >>>>> document, explain why the WG considers it unnecessary. >>>>>=20 >>>>> The publication of this document does not change the status of = other >>>>> RFCs. >>>>>=20 >>>>> (17) Describe the Document Shepherd's review of the IANA >>>>> considerations section, especially with regard to its consistency = with >>>>> the body of the document. Confirm that all protocol extensions = that >>>>> the document makes are associated with the appropriate = reservations in >>>>> IANA registries. >>>>> Confirm that any referenced IANA registries have been clearly >>>>> identified. Confirm that newly created IANA registries include a >>>>> detailed specification of the initial contents for the registry, = that >>>>> allocations procedures for future registrations are defined, and a >>>>> reasonable name for the new registry has been suggested (see RFC = 5226). >>>>>=20 >>>>> The document registers two sub-namespaces to the = urn:ietf:params:oauth >>>>> URN established with RFC 6755. >>>>>=20 >>>>> (18) List any new IANA registries that require Expert Review for >>>>> future allocations. Provide any public guidance that the IESG = would >>>>> find useful in selecting the IANA Experts for these new = registries. >>>>>=20 >>>>> The document only adds entries to existing registries and does not >>>>> define any new registries. >>>>>=20 >>>>> (19) Describe reviews and automated checks performed by the = Document >>>>> Shepherd to validate sections of the document written in a formal >>>>> language, such as XML code, BNF rules, MIB definitions, etc. >>>>>=20 >>>>> There are only snippets of message exchanges and JWT assertion >>>>> structures, which are based on JSON, used in the examples. There = is no >>>>> pseudo code contained in the document that requires validation. >>>>>=20 >>>>>=20 >>>>>=20 >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>=20 >>>>=20 >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>=20 >>=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Fri Apr 25 07:06:58 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 949E11A04CD for ; Fri, 25 Apr 2014 07:06:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KlPtcPUnVJFO for ; Fri, 25 Apr 2014 07:06:53 -0700 (PDT) Received: from mail-ob0-f170.google.com (mail-ob0-f170.google.com [209.85.214.170]) by ietfa.amsl.com (Postfix) with ESMTP id 605DD1A04C8 for ; Fri, 25 Apr 2014 07:06:53 -0700 (PDT) Received: by mail-ob0-f170.google.com with SMTP id vb8so4282208obc.15 for ; Fri, 25 Apr 2014 07:06:46 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:references:from:mime-version:in-reply-to:date :message-id:subject:to:cc:content-type; bh=1t93zu8SBpAm/ncQKM1a7B/oPcIJVPg3Jy0IP7bhng4=; b=H6jmAP04wat3AWfAAPmT1Pkm40HPs9WicLCmum8HdTC7TDxPWS/N+J4SpdAYcbPd3V kj85E9lDV3wxI/tWzn+u38Kt1UKDLBstZMOyh4ncYeH8k2fJbcYvSkS9AdG//uUpnj4F +Ont7V/CkPeCaLkLtVBY/0ScPwLydZaJWQwHsLZGUI0frp+FjlAsxLj2GH7D8FRs3z74 cV4SDqyNXg0xbpPttD51GzhP+kxt3AodqtHKgb3EJp44qHOeFj0AP32RXf6r+dJNok8K QWl00/SufEYukfGOJk/yG3XSF04JVp3rD9Z0/eLQyY0HbjEDktUuDhoBwUZSndamGkLY SdYg== X-Gm-Message-State: ALoCoQn+ftQUgz6WwrGoLjRRD2Vm2R091ZHzuJHmbCkCka6HLfCkcBA7igWNn8UmAlNobZWNZpaz X-Received: by 10.60.131.172 with SMTP id on12mr7198956oeb.18.1398434806732; Fri, 25 Apr 2014 07:06:46 -0700 (PDT) References: <53577C73.2010201@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> <535A21F3.4050306@gmail.com> <535A29E7.6040505@gmx.net> <535A2E98.2000804@gmail.com> <535A544C.80100@gmx.net> From: Chuck Mortimore Mime-Version: 1.0 (1.0) In-Reply-To: Date: Fri, 25 Apr 2014 07:06:42 -0700 Message-ID: <1061532531353586658@unknownmsgid> To: John Bradley Content-Type: text/plain; charset=ISO-8859-1 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/G6hblQNL_wCrybw_QQR00-_mdok Cc: "" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 14:06:56 -0000 Salesforce supports this > On Apr 25, 2014, at 6:11 AM, John Bradley wrote: > > The JWT bearer spec is used in Connect for authenticating clients with asymmetric credentials. > > I don't know at the moment how many server implementations support that as it is not MTI. > > I know it is on the Ping roadmap but not currently in shipping product. > > John B. > >> On Apr 25, 2014, at 9:25 AM, Hannes Tschofenig wrote: >> >> Hi Sergey, >> >> no, your comment wasn't off-topic and I agree that more widespread >> support of the JWT spec will also have a positive impact on the JWT >> bearer implementation / deployment status. >> >> draft-ietf-oauth-jwt-bearer spec requires the JWT to be used in a >> specific way. It does, however, make sense to indicate the JWT >> implementation situation in the write-up. >> >> Ciao >> Hannes >> >> >> >>> On 04/25/2014 11:44 AM, Sergey Beryozkin wrote: >>> >>>> On 25/04/14 10:24, Hannes Tschofenig wrote: >>>> The implementation and deployment status of JWT is certainly good. >>>> For this write-up it would, however, be interesting to know what the >>>> implementation status of the JWT bearer assertion spec is. >>> >>> Was I off-topic ? Sorry about it, I thought it would be encouraging for >>> experts to see the general status, the wider JWT is supported the more >>> likely the count of JWT Bearer assertion adopters will go up >>> >>> Cheers, Sergey >>> >>>> >>>>> On 04/25/2014 10:50 AM, Sergey Beryozkin wrote: >>>>>> On 24/04/14 23:41, Mike Jones wrote: >>>>>> I am aware of these implementations: >>>>>> Microsoft Azure Active Directory: >>>>>> http://azure.microsoft.com/en-us/services/active-directory/ >>>>>> Google Service Account: >>>>>> https://developers.google.com/accounts/docs/OAuth2ServiceAccount >>>>>> >>>>>> I believe that Ping Identity and Salesforce also have implementations, >>>>>> but I'll let Brian and Chuck authoritatively speak to those. >>>>> >>>>> Here is some info about open source projects: >>>>> >>>>> Apache Oltu has a good support for working with JWT, believe Spring >>>>> Security has it (I haven't tried) and JBoss KeyCloak team works with >>>>> JWT, work for supporting JWT Bearer is in progress in Apache CXF (a >>>>> month or so away). >>>>> >>>>> There will be a pretty good coverage for it... >>>>> >>>>> Sergey >>>>> >>>>>> >>>>>> -- Mike >>>>>> >>>>>> -----Original Message----- >>>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes >>>>>> Tschofenig >>>>>> Sent: Wednesday, April 23, 2014 1:40 AM >>>>>> To: oauth@ietf.org >>>>>> Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up >>>>>> >>>>>> Hi all, >>>>>> >>>>>> I am working on the shepherd writeup for the JWT bearer document. The >>>>>> shepherd write-ups for the assertion draft and the SAML bearer >>>>>> document have been completed a while ago already, see >>>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html >>>>>> >>>>>> A few requests: >>>>>> >>>>>> - To the document authors: Please confirm that any and all appropriate >>>>>> IPR disclosures required for full conformance with the provisions of >>>>>> BCP >>>>>> 78 and BCP 79 have already been filed. >>>>>> >>>>>> - To all: Are you aware of implementations of this specification? If >>>>>> so, I would like to reference them in my write-up. >>>>>> >>>>>> - To all: Please also go through the text to make sure that I >>>>>> correctly reflect the history and the status of this document. >>>>>> >>>>>> Here is the most recent version of the write-up: >>>>>> https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> (The copy-and-paste of the full version is below.) >>>>>> >>>>>> Ciao >>>>>> Hannes >>>>>> >>>>>> PS: Note that I have send a mail about a pending issue to the list. In >>>>>> response to my question I will update the write-up accordingly. >>>>>> >>>>>> ---- >>>>>> >>>>>> Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client >>>>>> Authentication and Authorization Grants" >>>>>> >>>>>> >>>>>> (1) What type of RFC is being requested (BCP, Proposed Standard, >>>>>> Internet Standard, Informational, Experimental, or Historic)? Why is >>>>>> this the proper type of RFC? Is this type of RFC indicated in the >>>>>> title page header? >>>>>> >>>>>> The RFC type is 'Standards Track' and the type is indicated in the >>>>>> title page. This document defines an instantiation for the OAuth >>>>>> assertion framework using JSON Web Tokens. >>>>>> >>>>>> (2) The IESG approval announcement includes a Document Announcement >>>>>> Write-Up. Please provide such a Document Announcement Write-Up. Recent >>>>>> examples can be found in the "Action" announcements for approved >>>>>> documents. The approval announcement contains the following sections: >>>>>> >>>>>> Technical Summary: >>>>>> >>>>>> This specification defines the use of a JSON Web Token (JWT) >>>>>> Bearer >>>>>> Token as a means for requesting an OAuth 2.0 access token as >>>>>> well as >>>>>> for use as a means of client authentication. >>>>>> >>>>>> Working Group Summary: >>>>>> >>>>>> Was there anything in WG process that is worth noting? For example, >>>>>> was there controversy about particular points or were there decisions >>>>>> where the consensus was particularly rough? >>>>>> >>>>>> This document belongs to the OAuth assertion document bundle >>>>>> consisting of the abstract OAuth assertion framework, and the SAML >>>>>> assertion profile. Due to the use of the JSON-based encoding of the >>>>>> assertion it also relies on the work in the JOSE working group (such >>>>>> as JWE/JWS) indirectly through the use of the JWT. This document has >>>>>> intentionally been kept in sync with the SAML-based version. >>>>>> >>>>>> Document Quality: >>>>>> >>>>>> This document has gone through many iterations and has received >>>>>> substantial feedback. >>>>>> >>>>>> [[Add implementation list here.]] >>>>>> >>>>>> Personnel: >>>>>> >>>>>> The document shepherd is Hannes Tschofenig and the responsible area >>>>>> director is Kathleen Moriarty. >>>>>> >>>>>> (3) Briefly describe the review of this document that was performed by >>>>>> the Document Shepherd. If this version of the document is not ready >>>>>> for publication, please explain why the document is being forwarded to >>>>>> the IESG. >>>>>> >>>>>> The draft authors believe that this document is ready for publication. >>>>>> The document has had received review comments from working group >>>>>> members, and from the OAuth working group chairs. These review >>>>>> comments have been taken into account. >>>>>> >>>>>> (4) Does the document Shepherd have any concerns about the depth or >>>>>> breadth of the reviews that have been performed? >>>>>> >>>>>> This document has gotten feedback from the working group and given the >>>>>> focused use cases it has received adequate review. >>>>>> >>>>>> (5) Do portions of the document need review from a particular or from >>>>>> broader perspective, e.g., security, operational complexity, AAA, DNS, >>>>>> DHCP, XML, or internationalization? If so, describe the review that >>>>>> took place. >>>>>> >>>>>> Since the OAuth working group develops security protocols any feedback >>>>>> from the security community is always appreciated. >>>>>> >>>>>> (6) Describe any specific concerns or issues that the Document >>>>>> Shepherd has with this document that the Responsible Area Director >>>>>> and/or the IESG should be aware of? For example, perhaps he or she is >>>>>> uncomfortable with certain parts of the document, or has concerns >>>>>> whether there really is a need for it. In any event, if the WG has >>>>>> discussed those issues and has indicated that it still wishes to >>>>>> advance the document, detail those concerns here. >>>>>> >>>>>> The shepherd has no concerns with this document. >>>>>> >>>>>> (7) Has each author confirmed that any and all appropriate IPR >>>>>> disclosures required for full conformance with the provisions of BCP >>>>>> 78 and BCP 79 have already been filed. If not, explain why? >>>>>> >>>>>> [[Confirmation from the authors required.]] >>>>>> >>>>>> (8) Has an IPR disclosure been filed that references this document? If >>>>>> so, summarize any WG discussion and conclusion regarding the IPR >>>>>> disclosures. >>>>>> >>>>>> No IPR disclosures have been filed on this document. However, two IPRs >>>>>> have been filed for the JWT specification this document relies on, see >>>>>> http://datatracker.ietf.org/ipr/search/?option=document_search&id=draft-ietf-oauth-json-web-token >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> (9) How solid is the WG consensus behind this document? Does it >>>>>> represent the strong concurrence of a few individuals, with others >>>>>> being silent, or does the WG as a whole understand and agree with it? >>>>>> >>>>>> The working group has consensus to publish this document. >>>>>> >>>>>> (10) Has anyone threatened an appeal or otherwise indicated extreme >>>>>> discontent? If so, please summarise the areas of conflict in separate >>>>>> email messages to the Responsible Area Director. (It should be in a >>>>>> separate email because this questionnaire is publicly available.) >>>>>> >>>>>> No appeal or extreme discontent has been raised. >>>>>> >>>>>> (11) Identify any ID nits the Document Shepherd has found in this >>>>>> document. (See http://www.ietf.org/tools/idnits/ and the >>>>>> Internet-Drafts Checklist). Boilerplate checks are not enough; this >>>>>> check needs to be thorough. >>>>>> >>>>>> The shepherd has checked the nits. >>>>>> >>>>>> (12) Describe how the document meets any required formal review >>>>>> criteria, such as the MIB Doctor, media type, and URI type reviews. >>>>>> >>>>>> There is no such review necessary. >>>>>> >>>>>> (13) Have all references within this document been identified as >>>>>> either normative or informative? >>>>>> >>>>>> Yes. >>>>>> >>>>>> (14) Are there normative references to documents that are not ready >>>>>> for advancement or are otherwise in an unclear state? If such >>>>>> normative references exist, what is the plan for their completion? >>>>>> >>>>>> Yes. >>>>>> >>>>>> (15) Are there downward normative references references (see RFC 3967)? >>>>>> If so, list these downward references to support the Area Director in >>>>>> the Last Call procedure. >>>>>> >>>>>> RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational >>>>>> RFC. A downref is required. >>>>>> >>>>>> However, this document depends on the completion of the abstract OAuth >>>>>> assertion framework and on the JWT specification. >>>>>> There are the following dependencies: >>>>>> >>>>>> (16) Will publication of this document change the status of any >>>>>> existing RFCs? Are those RFCs listed on the title page header, listed >>>>>> in the abstract, and discussed in the introduction? If the RFCs are >>>>>> not listed in the Abstract and Introduction, explain why, and point to >>>>>> the part of the document where the relationship of this document to >>>>>> the other RFCs is discussed. If this information is not in the >>>>>> document, explain why the WG considers it unnecessary. >>>>>> >>>>>> The publication of this document does not change the status of other >>>>>> RFCs. >>>>>> >>>>>> (17) Describe the Document Shepherd's review of the IANA >>>>>> considerations section, especially with regard to its consistency with >>>>>> the body of the document. Confirm that all protocol extensions that >>>>>> the document makes are associated with the appropriate reservations in >>>>>> IANA registries. >>>>>> Confirm that any referenced IANA registries have been clearly >>>>>> identified. Confirm that newly created IANA registries include a >>>>>> detailed specification of the initial contents for the registry, that >>>>>> allocations procedures for future registrations are defined, and a >>>>>> reasonable name for the new registry has been suggested (see RFC 5226). >>>>>> >>>>>> The document registers two sub-namespaces to the urn:ietf:params:oauth >>>>>> URN established with RFC 6755. >>>>>> >>>>>> (18) List any new IANA registries that require Expert Review for >>>>>> future allocations. Provide any public guidance that the IESG would >>>>>> find useful in selecting the IANA Experts for these new registries. >>>>>> >>>>>> The document only adds entries to existing registries and does not >>>>>> define any new registries. >>>>>> >>>>>> (19) Describe reviews and automated checks performed by the Document >>>>>> Shepherd to validate sections of the document written in a formal >>>>>> language, such as XML code, BNF rules, MIB definitions, etc. >>>>>> >>>>>> There are only snippets of message exchanges and JWT assertion >>>>>> structures, which are based on JSON, used in the examples. There is no >>>>>> pseudo code contained in the document that requires validation. >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Fri Apr 25 07:23:08 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49E381A022E for ; Fri, 25 Apr 2014 07:22:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.389 X-Spam-Level: X-Spam-Status: No, score=-0.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, FR_TEST_BASE64_BAD=3.189, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c2rw26zS-IJx for ; Fri, 25 Apr 2014 07:22:54 -0700 (PDT) Received: from na3sys009aog132.obsmtp.com (na3sys009aog132.obsmtp.com [74.125.149.250]) by ietfa.amsl.com (Postfix) with ESMTP id 8256E1A04B6 for ; Fri, 25 Apr 2014 07:22:52 -0700 (PDT) Received: from mail-ig0-f174.google.com ([209.85.213.174]) (using TLSv1) by na3sys009aob132.postini.com ([74.125.148.12]) with SMTP ID DSNKU1pvsPwsJTn7eq2d7kHNhel8qUniKs0N@postini.com; Fri, 25 Apr 2014 07:22:46 PDT Received: by mail-ig0-f174.google.com with SMTP id h18so2243029igc.1 for ; Fri, 25 Apr 2014 07:22:30 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=XKGUIgUjZQz849aUZMZUeSBsNSrWT+Jl12vLTNoyzI8=; b=cRioqAiJgh1nk84qrKHwcGlTy6fPWq9e/uEeSeZJfx0ILSz6FsPdTculSWo3EOLuT2 S+0r0pIwgE7bnaRzB2fPd5hz9V25piVslDxJANm7T+5B7L0u+dHGSfOnZ+G1sD7v89ld 4g9zjgtgfASCPtwGJHqzrte/F8pBHcoSCrGzri98ov4ArLCkilDzuHV1lDIQiUfch3Q3 V+d1hmLWNrxY11JGfmF9cQvKX7L/RVzI+xTgAq90ERPWod36/Xs4K+ppd5aTE099NZeN 3LQSwjncoovSTElgyRqiwuMEepjB3iz4Dsp2yn07CQnREo507dPYD9tJFEg7ca5s6o+y 2glw== X-Gm-Message-State: ALoCoQlO1AAtq5XLzELv+7PUBUJWtJkcaavIB5fh1Fs5OPuiPO1oWOyBMCk9XKqxnTZEHAUQGIB4pAcTlxzwdnO7TgOnIgCHSOWcTvT6Bjke4lstkTA2QzkXW29aqwOtfzK0C9wZ6qua X-Received: by 10.50.153.49 with SMTP id vd17mr5392373igb.40.1398435750758; Fri, 25 Apr 2014 07:22:30 -0700 (PDT) X-Received: by 10.50.153.49 with SMTP id vd17mr5392349igb.40.1398435750608; Fri, 25 Apr 2014 07:22:30 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Fri, 25 Apr 2014 07:22:00 -0700 (PDT) In-Reply-To: <535A5819.2030805@gmx.net> References: <535A3AF4.4060506@gmx.net> <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com> <535A5819.2030805@gmx.net> From: Brian Campbell Date: Fri, 25 Apr 2014 08:22:00 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=089e014954be28192e04f7deb27c Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Fatkzz5KWf6ylOaeKllDsNjFYmo Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 14:22:57 -0000 --089e014954be28192e04f7deb27c Content-Type: text/plain; charset=UTF-8 Note that the draft is showing an *octet sequence* with each individual octet being shown as decimal value. It doesn't state anything about using octal, the base-8 number system. Those octets also show unambiguously what is being base64url encoded (including the line endings via "13, 10") - no matter how the unencoded headers or bodies are shown in the draft, there's going to be potential confusion about what white space and line breaks is or is not to be included in the encoding and serialization so giving the octet sequence alleviates that. It's maybe also worth noting that the JOSE suite of specs all use the same notation and text in their examples. If we were to add another example as was suggested, it should probably use a shared secret with a little more entropy as '12345' isn't strictly compliant with the normative requirements in JWA for HS256. http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-3.2states that a 'key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used.' On Fri, Apr 25, 2014 at 6:42 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi Antonio > > good to see that others have run into the same issue before. > > I wonder why the carriage return and the line feed had been inserted. > > We either need some text to explain this in the example or to use an > example that does not use carriage returns or line feeds. > > Ciao > Hannes > > On 04/25/2014 01:48 PM, Antonio Sanso wrote: > > hi Hannes. > > > > > > On Apr 25, 2014, at 12:37 PM, Hannes Tschofenig < > hannes.tschofenig@gmx.net> wrote: > > > >> Hi all, > >> > >> As a document shepherd I have to verify the entire document and this > >> includes the examples as well. > >> > >> Section 3.1: > >> > >> You write: > >> > >> " > >> The following octet sequence is the UTF-8 representation of the JWT > >> Header/JWS Header above: > >> > >> [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32, > >> 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125] > >> " > >> > >> The values IMHO are represented in Decimal code point rather than Octal > >> UTF-8 bytes, as stated above. > >> See the following online tool to see the difference: > >> http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char > >> > >> Note that you could also show a hex encoding instead (e.g., via > >> http://ostermiller.org/calc/encode.html). Hixie's decoder would then > >> produce the correct decoding. Here is the link to his software: > >> http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder > >> (Note that this program seems to have flaws for most other options.) > >> > >> When do a Base64URL encoding of > >> > >> {"typ":"JWT","alg":"HS256"} > >> > >> then I get > >> > >> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 > >> > >> but your spec says: > >> > >> eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 > >> > >> Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root > ":true}. > >> > >> My result: > >> > eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > >> > >> Your result: > >> > eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > > > > see http://www.ietf.org/mail-archive/web/oauth/current/msg11599.html > > > > regards > > > > antonio > > > >> > >> Note: I am using this online tool for Base64URL encoding: > >> http://kjur.github.io/jsjws/tool_b64uenc.html. > >> Interestingly, when I dump the data into http://jwt.io/ then I get a > >> correct decoding. It might well be that the kjur.github.io has a flaw. > >> > >> Just wanted to check what tool you have used to create these encodings. > >> > >> > >> Section 6.1: > >> > >> The example in Section 6.1 is the same as in 3.1. Maybe it would be > >> useful to show something different here. > >> > >> The example in Appendix A.1 is more sophisticated since it demonstrates > >> encryption. To verify it I would need to have a library that supports > >> JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library > >> have you been using? > >> > >> I was wondering whether it would make sense to add two other examples, > >> namely for integrity protection. One example showing an HMAC-based keyed > >> message digest and another one using a digital signature. > >> > >> Here is a simple example to add that almost all JWT libraries seem to be > >> able to create and verify: > >> > >> Header: > >> {"alg":"HS256","typ":"JWT"} > >> > >> I use the HS256 algorithm with a shared secret '12345'. > >> > >> Body: > >> > >> {"iss":"https://as.example.com","sub":"mailto:john@example.com > ","nbf":1398420753,"exp":1398424353,"iat":1398420753} > >> > >> jwt.encode({"iss":"https://as.example.com","sub":"mailto: > john@example.com > ","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345", > >> "HS256") > >> > >> I used http://www.onlineconversion.com/unix_time.htm to create the > >> date/time values: > >> "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > >> "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT > >> "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > >> > >> Here is the output created with https://github.com/progrium/pyjwt/ and > >> verified with http://jwt.io/: > >> > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4 > >> > >> Ciao > >> Hannes > >> > >> > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --089e014954be28192e04f7deb27c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Note that the draft is showing an *octet sequence* wi= th each individual octet=20 being shown as decimal value. It doesn't state anything about using=20 octal, the base-8 number system. Those octets also show unambiguously what is being base64url encoded (including the line endings via "13, 10&qu= ot;) - no matter how the unencoded headers or bodies are shown in the draft= , there's going to be potential confusion about what white space and li= ne breaks is or is not to be included in the encoding and serialization so = giving the octet sequence alleviates that. It's maybe also worth noting= that the JOSE suite of specs all use the same notation and text in their e= xamples.

If we were to add another example as was suggested, it should pro= bably use a shared secret with a little more entropy as '12345' isn= 't strictly compliant with the normative requirements in JWA for HS256.= http://tools.ietf.org/html/draft-ietf-jose-json-web-algorit= hms-25#section-3.2 states that a 'key of the same size as the hash = output (for instance, 256 bits for "HS256") or larger MUST be use= d.'




On Fri, Apr 25, 2014 at 6:42 AM, Hannes Tschofenig <ha= nnes.tschofenig@gmx.net> wrote:
Hi Antonio

good to see that others have run into the same issue before.

I wonder why the carriage return and the line feed had been inserted.

We either need some text to explain this in the example or to use an
example that does not use carriage returns or line feeds.

Ciao
Hannes

On 04/25/2014 01:48 PM, Antonio Sanso wrote:
> hi Hannes.
>
>
> On Apr 25, 2014, at 12:37 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
>> Hi all,
>>
>> As a document shepherd I have to verify the entire document and th= is
>> includes the examples as well.
>>
>> Section 3.1:
>>
>> You write:
>>
>> "
>> =C2=A0 The following octet sequence is the UTF-8 representation of= the JWT
>> =C2=A0 Header/JWS Header above:
>>
>> =C2=A0 [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13= , 10, 32,
>> =C2=A0 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]<= br> >> "
>>
>> The values IMHO are represented in Decimal code point rather than = Octal
>> UTF-8 bytes, as stated above.
>> See the following online tool to see the difference:
>> http://www.ltg.ed.ac.uk/~richard/utf-8.c= gi?input=3D%22&mode=3Dchar
>>
>> Note that you could also show a hex encoding instead (e.g., via >> http://ostermiller.org/calc/encode.html). Hixie's decoder would= then
>> produce the correct decoding. Here is the link to his software: >> http://software.hixie.ch/utilities/cgi/unic= ode-decoder/utf8-decoder
>> (Note that this program seems to have flaws for most other options= .)
>>
>> When do a Base64URL encoding of
>>
>> {"typ":"JWT","alg":"HS256"= }
>>
>> then I get
>>
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
>>
>> but your spec says:
>>
>> eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
>>
>> Same with {"iss":"joe","exp":1300819= 380,"http://e= xample.com/is_root":true}.
>>
>> My result:
>> eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS= 9pc19yb290Ijp0cnVlfQ
>>
>> Your result:
>> eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcG= xlLmNvbS9pc19yb290Ijp0cnVlfQ
>
> see http://www.ietf.org/mail-archive/web/oauth/cur= rent/msg11599.html
>
> regards
>
> antonio
>
>>
>> Note: I am using this online tool for Base64URL encoding:
>> http://kjur.github.io/jsjws/tool_b64uenc.html.
>> Interestingly, when I dump the data into http://jwt.io/ then I get a
>> correct decoding. It might well be that the kjur.github.io has a flaw.
>>
>> Just wanted to check what tool you have used to create these encod= ings.
>>
>>
>> Section 6.1:
>>
>> The example in Section 6.1 is the same as in 3.1. Maybe it would b= e
>> useful to show something different here.
>>
>> The example in Appendix A.1 is more sophisticated since it demonst= rates
>> encryption. To verify it I would need to have a library that suppo= rts
>> JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which libra= ry
>> have you been using?
>>
>> I was wondering whether it would make sense to add two other examp= les,
>> namely for integrity protection. One example showing an HMAC-based= keyed
>> message digest and another one using a digital signature.
>>
>> Here is a simple example to add that almost all JWT libraries seem= to be
>> able to create and verify:
>>
>> Header:
>> {"alg":"HS256","typ":"JWT"= }
>>
>> I use the HS256 algorithm with a shared secret '12345'. >>
>> Body:
>>
>> {"iss":"https://as.example.com","sub":"mailto:<= a href=3D"mailto:john@example.com">john@example.com","nbf&quo= t;:1398420753,"exp":1398424353,"iat":1398420753}
>>
>> jwt.encode({"iss":"https://as.example.com","sub":"= ;mailto:john@example.com",&quo= t;nbf":1398420753,"exp":1398424353,"iat":139842075= 3},"12345",
>> "HS256")
>>
>> I used http://www.onlineconversion.com/unix_time.htm to creat= e the
>> date/time values:
>> "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT >> "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT >> "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT >>
>> Here is the output created with https://github.com/progrium/pyjwt/ and >> verified with http://= jwt.io/:
>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4Y= W1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNv= bSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHw= Hezdrv2E1LAVcNdTsq4
>>
>> Ciao
>> Hannes
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth


--089e014954be28192e04f7deb27c-- From nobody Fri Apr 25 08:36:13 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C460C1A0538 for ; Fri, 25 Apr 2014 08:36:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.554 X-Spam-Level: X-Spam-Status: No, score=0.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B05FwgKYRKuo for ; Fri, 25 Apr 2014 08:36:09 -0700 (PDT) Received: from mxout.myoutlookonline.com (mxout.myoutlookonline.com [74.201.97.201]) by ietfa.amsl.com (Postfix) with ESMTP id 4B8861A04F1 for ; Fri, 25 Apr 2014 08:36:09 -0700 (PDT) Received: from mxout.myoutlookonline.com (localhost [127.0.0.1]) by mxout.myoutlookonline.com (Postfix) with ESMTP id 8C3867B2FE7; Fri, 25 Apr 2014 11:36:01 -0400 (EDT) X-Virus-Scanned: by SpamTitan at mail.lan Received: from S10HUB003.SH10.lan (unknown [10.110.2.1]) by mxout.myoutlookonline.com (Postfix) with ESMTP id A0C227B2FC2; Fri, 25 Apr 2014 11:36:00 -0400 (EDT) Received: from S10BE002.SH10.lan ([::1]) by S10HUB003.SH10.lan ([::1]) with mapi id 14.01.0379.000; Fri, 25 Apr 2014 11:36:01 -0400 From: Andrei Shakirin To: "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Session cookies in OAuth2 flow Thread-Index: Ac9f1m601wyijPx7QUKZAdgpumsSswAfcZMAAAAQz7AAEtf8AAAICd4g Date: Fri, 25 Apr 2014 15:36:01 +0000 Message-ID: References: <8CE5B8B4-5CFB-4E1C-B1EC-06D2F0217ED8@adobe.com> <7EF3EC88-B32C-4858-8570-B142A6EEE96C@ve7jtb.com> In-Reply-To: <7EF3EC88-B32C-4858-8570-B142A6EEE96C@ve7jtb.com> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [95.91.233.170] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GIVPCfvqusmHPMZu7-3J6ytpA7U Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 15:36:12 -0000 Hi John, Thanks a lot for your explanation! I am a bit confused regarding "state" parameter and cookies. I thought that= "state" is included in redirection URI for user-agent and verified by clie= nt when Authorization server redirects user-agent back. It is a way to bind authorization request to response (4.1. Authorization C= ode Grant, steps (A) and (C)). Are the cookies really necessary in this case? Can they provide additional = protection in case if redirect URI manipulated? Regards, Andrei. > -----Original Message----- > From: John Bradley [mailto:ve7jtb@ve7jtb.com] > Sent: Freitag, 25. April 2014 14:03 > To: Andrei Shakirin > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow >=20 > Yes the server can be stateless, though it may need to store client crede= ntials > and user to validate against, and refresh token grants etc. >=20 > The "state" parameter allows the client to maintain some state informatio= n > across the Oauth authorization request and response. >=20 > Part of the use of that state information by the client allows it to prot= ect itself > from having authorization requests initiated by 3rd parties that is what = Sec > 10.12 is talking about. > In that case the client can save state in a browser cookie or in the serv= er and > use that to validate the returned state value to assure itself that the > authorization request came from itself. >=20 > John B. >=20 > On Apr 25, 2014, at 4:08 AM, Andrei Shakirin wrote= : >=20 > > Hi Antonio, > > > > Thanks for your quick answer. > > Important for me is that OAuth2 doesn't force to store client or user-a= gent > states in the authorization server, so authorization server can be statel= ess and > is not obligated to introduce the sessions at all. > > > > Regards, > > Andrei. > > > >> -----Original Message----- > >> From: Antonio Sanso [mailto:asanso@adobe.com] > >> Sent: Freitag, 25. April 2014 09:02 > >> To: Andrei Shakirin > >> Cc: oauth@ietf.org > >> Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow > >> > >> hi Andrei, > >> > >> AFAIU session cookie management is beyond the scope of the OAuth2 > >> specification. > >> > >> regards > >> > >> antonio > >> > >> On Apr 24, 2014, at 6:39 PM, Andrei Shakirin > wrote: > >> > >>> Hi, > >>> > >>> My name is Andrei Shakirin, I am working with OAuth2 implementation > >>> in > >> Apache CXF project. > >>> Could you please help me to verify my understanding regarding of > >>> using > >> session cookies in OAuth2 flow. > >>> OAuth2 specification mentions session cookies in: > >>> 1) Section 3.1. Authorization Endpoint as possible way to > >>> authenticate > >> resource owner against authorization server > >>> 2) Section 10.12. Cross-Site Request Forgery as possible attack > >>> where end- > >> user follows a malicious URI to a trusting server including a valid > >> session cookie > >>> > >>> My current understanding is: > >>> a) using sessions between user-agent and authorization server is > >>> optional and > >> authorization server is not obligated to keep user state (in case if > >> user-agent provide authentication information with every request). > >>> b) in case if sessions are used (because of any reasons), > >>> authorization server > >> have to care about additional protection like hidden form fields in > >> order to uniquely identify the actual authorization request. > >>> > >>> Is this correct? > >>> > >>> Regards, > >>> Andrei. > >>> > >>> _______________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org > >>> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth From nobody Fri Apr 25 08:40:04 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E111A0312 for ; Fri, 25 Apr 2014 08:39:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.017 X-Spam-Level: X-Spam-Status: No, score=-2.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m8GJFaET3Llc for ; Fri, 25 Apr 2014 08:39:50 -0700 (PDT) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id D85B61A0641 for ; Fri, 25 Apr 2014 08:39:49 -0700 (PDT) Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s3PFdeTV015323 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 25 Apr 2014 15:39:41 GMT Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s3PFdcmA007588 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 25 Apr 2014 15:39:39 GMT Received: from abhmp0008.oracle.com (abhmp0008.oracle.com [141.146.116.14]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s3PFdc92014256; Fri, 25 Apr 2014 15:39:38 GMT Received: from [192.168.1.186] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 25 Apr 2014 08:39:37 -0700 Content-Type: multipart/alternative; boundary="Apple-Mail=_01A2FA1C-9B8E-496A-A61F-559BF24FE4CE" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: Phil Hunt In-Reply-To: <79F587EF-9B47-4351-B1CC-B60E245FDCF4@adobe.com> Date: Fri, 25 Apr 2014 08:39:36 -0700 Message-Id: <3677407D-3875-4687-BE39-37CB665A8DA0@oracle.com> References: <79F587EF-9B47-4351-B1CC-B60E245FDCF4@adobe.com> To: Antonio Sanso X-Mailer: Apple Mail (2.1874) X-Source-IP: ucsinet21.oracle.com [156.151.31.93] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/jY4mKdV4T6aGNN59U2cJcjUVZc8 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 15:39:56 -0000 --Apple-Mail=_01A2FA1C-9B8E-496A-A61F-559BF24FE4CE Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=iso-8859-1 Oracle also has an implementation. Phil @independentid www.independentid.com phil.hunt@oracle.com On Apr 25, 2014, at 3:13 AM, Antonio Sanso wrote: > Hi Torsten, >=20 > Adobe also has an implementation. >=20 > regards >=20 > antonio >=20 > On Apr 25, 2014, at 7:26 AM, Torsten Lodderstedt = wrote: >=20 >> Deutsche Telekom also has an implementation.=20 >>=20 >> regards, >> Torsten. >>=20 >>=20 >> -------- Urspr=FCngliche Nachricht -------- >> Von: Chuck Mortimore=20 >> Datum:25.04.2014 01:31 (GMT+01:00)=20 >> An: Mike Jones=20 >> Cc: oauth@ietf.org=20 >> Betreff: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up=20= >>=20 >> Salesforce Implementation: = https://help.salesforce.com/HTViewHelpDoc?id=3Dremoteaccess_oauth_jwt_flow= .htm&language=3Den_US >>=20 >>=20 >> On Thu, Apr 24, 2014 at 3:41 PM, Mike Jones = wrote: >> I am aware of these implementations: >> Microsoft Azure Active Directory: = http://azure.microsoft.com/en-us/services/active-directory/ >> Google Service Account: = https://developers.google.com/accounts/docs/OAuth2ServiceAccount >>=20 >> I believe that Ping Identity and Salesforce also have = implementations, but I'll let Brian and Chuck authoritatively speak to = those. >>=20 >> -- Mike >>=20 >> -----Original Message----- >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes = Tschofenig >> Sent: Wednesday, April 23, 2014 1:40 AM >> To: oauth@ietf.org >> Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up >>=20 >> Hi all, >>=20 >> I am working on the shepherd writeup for the JWT bearer document. The = shepherd write-ups for the assertion draft and the SAML bearer document = have been completed a while ago already, see = http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html >>=20 >> A few requests: >>=20 >> - To the document authors: Please confirm that any and all = appropriate IPR disclosures required for full conformance with the = provisions of BCP >> 78 and BCP 79 have already been filed. >>=20 >> - To all: Are you aware of implementations of this specification? If = so, I would like to reference them in my write-up. >>=20 >> - To all: Please also go through the text to make sure that I = correctly reflect the history and the status of this document. >>=20 >> Here is the most recent version of the write-up: >> = https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/s= hepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt >>=20 >>=20 >> (The copy-and-paste of the full version is below.) >>=20 >> Ciao >> Hannes >>=20 >> PS: Note that I have send a mail about a pending issue to the list. = In response to my question I will update the write-up accordingly. >>=20 >> ---- >>=20 >> Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client = Authentication and Authorization Grants" = >>=20 >> (1) What type of RFC is being requested (BCP, Proposed Standard, = Internet Standard, Informational, Experimental, or Historic)? Why is = this the proper type of RFC? Is this type of RFC indicated in the title = page header? >>=20 >> The RFC type is 'Standards Track' and the type is indicated in the = title page. This document defines an instantiation for the OAuth = assertion framework using JSON Web Tokens. >>=20 >> (2) The IESG approval announcement includes a Document Announcement = Write-Up. Please provide such a Document Announcement Write-Up. Recent = examples can be found in the "Action" announcements for approved = documents. The approval announcement contains the following sections: >>=20 >> Technical Summary: >>=20 >> This specification defines the use of a JSON Web Token (JWT) = Bearer >> Token as a means for requesting an OAuth 2.0 access token as well = as >> for use as a means of client authentication. >>=20 >> Working Group Summary: >>=20 >> Was there anything in WG process that is worth noting? For example, = was there controversy about particular points or were there decisions = where the consensus was particularly rough? >>=20 >> This document belongs to the OAuth assertion document bundle = consisting of the abstract OAuth assertion framework, and the SAML = assertion profile. Due to the use of the JSON-based encoding of the = assertion it also relies on the work in the JOSE working group (such as = JWE/JWS) indirectly through the use of the JWT. This document has = intentionally been kept in sync with the SAML-based version. >>=20 >> Document Quality: >>=20 >> This document has gone through many iterations and has received = substantial feedback. >>=20 >> [[Add implementation list here.]] >>=20 >> Personnel: >>=20 >> The document shepherd is Hannes Tschofenig and the responsible area = director is Kathleen Moriarty. >>=20 >> (3) Briefly describe the review of this document that was performed = by the Document Shepherd. If this version of the document is not ready = for publication, please explain why the document is being forwarded to = the IESG. >>=20 >> The draft authors believe that this document is ready for = publication. >> The document has had received review comments from working group = members, and from the OAuth working group chairs. These review comments = have been taken into account. >>=20 >> (4) Does the document Shepherd have any concerns about the depth or = breadth of the reviews that have been performed? >>=20 >> This document has gotten feedback from the working group and given = the focused use cases it has received adequate review. >>=20 >> (5) Do portions of the document need review from a particular or from = broader perspective, e.g., security, operational complexity, AAA, DNS, = DHCP, XML, or internationalization? If so, describe the review that took = place. >>=20 >> Since the OAuth working group develops security protocols any = feedback from the security community is always appreciated. >>=20 >> (6) Describe any specific concerns or issues that the Document = Shepherd has with this document that the Responsible Area Director = and/or the IESG should be aware of? For example, perhaps he or she is = uncomfortable with certain parts of the document, or has concerns = whether there really is a need for it. In any event, if the WG has = discussed those issues and has indicated that it still wishes to advance = the document, detail those concerns here. >>=20 >> The shepherd has no concerns with this document. >>=20 >> (7) Has each author confirmed that any and all appropriate IPR = disclosures required for full conformance with the provisions of BCP 78 = and BCP 79 have already been filed. If not, explain why? >>=20 >> [[Confirmation from the authors required.]] >>=20 >> (8) Has an IPR disclosure been filed that references this document? = If so, summarize any WG discussion and conclusion regarding the IPR = disclosures. >>=20 >> No IPR disclosures have been filed on this document. However, two = IPRs have been filed for the JWT specification this document relies on, = see = http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3Ddraf= t-ietf-oauth-json-web-token >>=20 >>=20 >> (9) How solid is the WG consensus behind this document? Does it = represent the strong concurrence of a few individuals, with others being = silent, or does the WG as a whole understand and agree with it? >>=20 >> The working group has consensus to publish this document. >>=20 >> (10) Has anyone threatened an appeal or otherwise indicated extreme = discontent? If so, please summarise the areas of conflict in separate = email messages to the Responsible Area Director. (It should be in a = separate email because this questionnaire is publicly available.) >>=20 >> No appeal or extreme discontent has been raised. >>=20 >> (11) Identify any ID nits the Document Shepherd has found in this = document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts = Checklist). Boilerplate checks are not enough; this check needs to be = thorough. >>=20 >> The shepherd has checked the nits. >>=20 >> (12) Describe how the document meets any required formal review = criteria, such as the MIB Doctor, media type, and URI type reviews. >>=20 >> There is no such review necessary. >>=20 >> (13) Have all references within this document been identified as = either normative or informative? >>=20 >> Yes. >>=20 >> (14) Are there normative references to documents that are not ready = for advancement or are otherwise in an unclear state? If such normative = references exist, what is the plan for their completion? >>=20 >> Yes. >>=20 >> (15) Are there downward normative references references (see RFC = 3967)? >> If so, list these downward references to support the Area Director in = the Last Call procedure. >>=20 >> RFC 6755 defines the urn:ietf:params:oauth URN and is an = Informational RFC. A downref is required. >>=20 >> However, this document depends on the completion of the abstract = OAuth assertion framework and on the JWT specification. >> There are the following dependencies: >>=20 >> (16) Will publication of this document change the status of any = existing RFCs? Are those RFCs listed on the title page header, listed in = the abstract, and discussed in the introduction? If the RFCs are not = listed in the Abstract and Introduction, explain why, and point to the = part of the document where the relationship of this document to the = other RFCs is discussed. If this information is not in the document, = explain why the WG considers it unnecessary. >>=20 >> The publication of this document does not change the status of other = RFCs. >>=20 >> (17) Describe the Document Shepherd's review of the IANA = considerations section, especially with regard to its consistency with = the body of the document. Confirm that all protocol extensions that the = document makes are associated with the appropriate reservations in IANA = registries. >> Confirm that any referenced IANA registries have been clearly = identified. Confirm that newly created IANA registries include a = detailed specification of the initial contents for the registry, that = allocations procedures for future registrations are defined, and a = reasonable name for the new registry has been suggested (see RFC 5226). >>=20 >> The document registers two sub-namespaces to the = urn:ietf:params:oauth URN established with RFC 6755. >>=20 >> (18) List any new IANA registries that require Expert Review for = future allocations. Provide any public guidance that the IESG would find = useful in selecting the IANA Experts for these new registries. >>=20 >> The document only adds entries to existing registries and does not = define any new registries. >>=20 >> (19) Describe reviews and automated checks performed by the Document = Shepherd to validate sections of the document written in a formal = language, such as XML code, BNF rules, MIB definitions, etc. >>=20 >> There are only snippets of message exchanges and JWT assertion = structures, which are based on JSON, used in the examples. There is no = pseudo code contained in the document that requires validation. >>=20 >>=20 >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_01A2FA1C-9B8E-496A-A61F-559BF24FE4CE Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=iso-8859-1 Oracle = also has an implementation.


On Apr 25, 2014, at 3:13 AM, Antonio Sanso = <asanso@adobe.com> = wrote:

Hi Torsten,

Adobe also  has an implementation.

regards

antonio

On Apr 25, 2014, at 7:26 AM, Torsten Lodderstedt <torsten@lodderstedt.net> = wrote:

Deutsche Telekom also has an implementation. 

regards,
Torsten.


-------- Urspr=FCngliche Nachricht --------
Von: Chuck Mortimore
Datum:25.04.2014 01:31 (GMT+01:00)
An: Mike Jones
Cc: oauth@ietf.org
Betreff: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up =



On Thu, Apr 24, 2014 at 3:41 PM, Mike Jones = <Michael.Jones@microsoft.com> wrote:
I am aware of these implementations:
        Microsoft Azure Active Directory:  http://azure.microsoft.com/en-us/services/active-directo= ry/
        Google Service Account: https://developers.google.com/accounts/docs/OAuth2ServiceAccount

I believe that Ping Identity and Salesforce also have implementations, = but I'll let Brian and Chuck authoritatively speak to those.

                    =             -- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On = Behalf Of Hannes Tschofenig
Sent: Wednesday, April 23, 2014 1:40 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up

Hi all,

I am working on the shepherd writeup for the JWT bearer document. The = shepherd write-ups for the assertion draft and the SAML bearer document = have been completed a while ago already, see http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html

A few requests:

- To the document authors: Please confirm that any and all appropriate = IPR disclosures required for full conformance with the provisions of = BCP
78 and BCP 79 have already been filed.

- To all: Are you aware of implementations of this specification? If so, = I would like to reference them in my write-up.

- To all: Please also go through the text to make sure that I correctly = reflect the history and the status of this document.

Here is the most recent version of the write-up:
https://raw.githubusercontent.com/hannestschofenig/tscho= fenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt=


(The copy-and-paste of the full version is below.)

Ciao
Hannes

PS: Note that I have send a mail about a pending issue to the list. In = response to my question I will update the write-up accordingly.

----

Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client = Authentication and Authorization Grants" = <draft-ietf-oauth-saml2-bearer-08>

(1) What type of RFC is being requested (BCP, Proposed Standard, = Internet Standard, Informational, Experimental, or Historic)? Why is = this the proper type of RFC? Is this type of RFC indicated in the title = page header?

The RFC type is 'Standards Track' and the type is indicated in the title = page. This document defines an instantiation for the OAuth assertion = framework using JSON Web Tokens.

(2) The IESG approval announcement includes a Document Announcement = Write-Up. Please provide such a Document Announcement Write-Up. Recent = examples can be found in the "Action" announcements for approved = documents. The approval announcement contains the following sections:

Technical Summary:

   This specification defines the use of a JSON Web Token = (JWT) Bearer
   Token as a means for requesting an OAuth 2.0 access token = as well as
   for use as a means of client authentication.

Working Group Summary:

Was there anything in WG process that is worth noting? For example, was = there controversy about particular points or were there decisions where = the consensus was particularly rough?

This document belongs to the OAuth assertion document bundle consisting = of the abstract OAuth assertion framework, and the SAML assertion = profile. Due to the use of the JSON-based encoding of the assertion it = also relies on the work in the JOSE working group (such as JWE/JWS) indirectly through the use of the JWT. This document = has intentionally been kept in sync with the SAML-based version.

Document Quality:

This document has gone through many iterations and has received = substantial feedback.

[[Add implementation list here.]]

Personnel:

The document shepherd is Hannes Tschofenig and the responsible area = director is Kathleen Moriarty.

(3) Briefly describe the review of this document that was performed by = the Document Shepherd. If this version of the document is not ready for = publication, please explain why the document is being forwarded to the = IESG.

The draft authors believe that this document is ready for = publication.
The document has had received review comments from working group = members, and from the OAuth working group chairs. These review comments = have been taken into account.

(4) Does the document Shepherd have any concerns about the depth or = breadth of the reviews that have been performed?

This document has gotten feedback from the working group and given the = focused use cases it has received adequate review.

(5) Do portions of the document need review from a particular or from = broader perspective, e.g., security, operational complexity, AAA, DNS, = DHCP, XML, or internationalization? If so, describe the review that took = place.

Since the OAuth working group develops security protocols any feedback = from the security community is always appreciated.

(6) Describe any specific concerns or issues that the Document Shepherd = has with this document that the Responsible Area Director and/or the = IESG should be aware of? For example, perhaps he or she is uncomfortable = with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG = has discussed those issues and has indicated that it still wishes to = advance the document, detail those concerns here.

The shepherd has no concerns with this document.

(7) Has each author confirmed that any and all appropriate IPR = disclosures required for full conformance with the provisions of BCP 78 = and BCP 79 have already been filed. If not, explain why?

[[Confirmation from the authors required.]]

(8) Has an IPR disclosure been filed that references this document? If = so, summarize any WG discussion and conclusion regarding the IPR = disclosures.

No IPR disclosures have been filed on this document. However, two IPRs = have been filed for the JWT specification this document relies on, see = http://datatracker.ietf.org/ipr/search/?option=3Ddocument_search&id=3D= draft-ietf-oauth-json-web-token


(9) How solid is the WG consensus behind this document? Does it = represent the strong concurrence of a few individuals, with others being = silent, or does the WG as a whole understand and agree with it?

The working group has consensus to publish this document.

(10) Has anyone threatened an appeal or otherwise indicated extreme = discontent? If so, please summarise the areas of conflict in separate = email messages to the Responsible Area Director. (It should be in a = separate email because this questionnaire is publicly available.)

No appeal or extreme discontent has been raised.

(11) Identify any ID nits the Document Shepherd has found in this = document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts = Checklist). Boilerplate checks are not enough; this check needs to be = thorough.

The shepherd has checked the nits.

(12) Describe how the document meets any required formal review = criteria, such as the MIB Doctor, media type, and URI type reviews.

There is no such review necessary.

(13) Have all references within this document been identified as either = normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for = advancement or are otherwise in an unclear state? If such normative = references exist, what is the plan for their completion?

Yes.

(15) Are there downward normative references references (see RFC = 3967)?
If so, list these downward references to support the Area Director in = the Last Call procedure.

RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational = RFC. A downref is required.

However, this document depends on the completion of the abstract OAuth = assertion framework and on the JWT specification.
There are the following dependencies:

(16) Will publication of this document change the status of any existing = RFCs? Are those RFCs listed on the title page header, listed in the = abstract, and discussed in the introduction? If the RFCs are not listed = in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this = document to the other RFCs is discussed. If this information is not in = the document, explain why the WG considers it unnecessary.

The publication of this document does not change the status of other = RFCs.

(17) Describe the Document Shepherd's review of the IANA considerations = section, especially with regard to its consistency with the body of the = document. Confirm that all protocol extensions that the document makes = are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly = identified. Confirm that newly created IANA registries include a = detailed specification of the initial contents for the registry, that = allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC = 5226).

The document registers two sub-namespaces to the urn:ietf:params:oauth = URN established with RFC 6755.

(18) List any new IANA registries that require Expert Review for future = allocations. Provide any public guidance that the IESG would find useful = in selecting the IANA Experts for these new registries.

The document only adds entries to existing registries and does not = define any new registries.

(19) Describe reviews and automated checks performed by the Document = Shepherd to validate sections of the document written in a formal = language, such as XML code, BNF rules, MIB definitions, etc.

There are only snippets of message exchanges and JWT assertion = structures, which are based on JSON, used in the examples. There is no = pseudo code contained in the document that requires validation.



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

_______________________________________________
OAuth mailing = list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_01A2FA1C-9B8E-496A-A61F-559BF24FE4CE-- From nobody Fri Apr 25 09:21:57 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D047D1A0584 for ; Fri, 25 Apr 2014 09:21:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.472 X-Spam-Level: X-Spam-Status: No, score=-4.472 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.272] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cdtiufjEmHSL for ; Fri, 25 Apr 2014 09:21:47 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 344821A065E for ; Fri, 25 Apr 2014 09:21:47 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id A5D1C2350036; Fri, 25 Apr 2014 12:21:40 -0400 (EDT) Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 750872350038; Fri, 25 Apr 2014 12:21:40 -0400 (EDT) Received: from [10.146.15.6] (129.83.31.51) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.3.174.1; Fri, 25 Apr 2014 12:21:40 -0400 Message-ID: <535A8B6B.8060005@mitre.org> Date: Fri, 25 Apr 2014 12:20:59 -0400 From: Justin Richer User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Chuck Mortimore , John Bradley References: <53577C73.2010201@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> <535A21F3.4050306@gmail.com> <535A29E7.6040505@gmx.net> <535A2E98.2000804@gmail.com> <535A544C.80100@gmx.net> <1061532531353586658@unknownmsgid> In-Reply-To: <1061532531353586658@unknownmsgid> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [129.83.31.51] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/VYyEccjQ2_yrWU4QK72ld4T6TsY Cc: "" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 16:21:53 -0000 MITREid Connect supports this mode, also (client authentication with a client-generated JWT assertion). We also have support for a subset of the JWT Bearer Assertion for renewing ID tokens, but as far as I know nobody's running that bit of code in reality and I can't guarantee it actually does anything. -- Justin On 04/25/2014 10:06 AM, Chuck Mortimore wrote: > Salesforce supports this > >> On Apr 25, 2014, at 6:11 AM, John Bradley wrote: >> >> The JWT bearer spec is used in Connect for authenticating clients with asymmetric credentials. >> >> I don't know at the moment how many server implementations support that as it is not MTI. >> >> I know it is on the Ping roadmap but not currently in shipping product. >> >> John B. >> >>> On Apr 25, 2014, at 9:25 AM, Hannes Tschofenig wrote: >>> >>> Hi Sergey, >>> >>> no, your comment wasn't off-topic and I agree that more widespread >>> support of the JWT spec will also have a positive impact on the JWT >>> bearer implementation / deployment status. >>> >>> draft-ietf-oauth-jwt-bearer spec requires the JWT to be used in a >>> specific way. It does, however, make sense to indicate the JWT >>> implementation situation in the write-up. >>> >>> Ciao >>> Hannes >>> >>> >>> >>>> On 04/25/2014 11:44 AM, Sergey Beryozkin wrote: >>>> >>>>> On 25/04/14 10:24, Hannes Tschofenig wrote: >>>>> The implementation and deployment status of JWT is certainly good. >>>>> For this write-up it would, however, be interesting to know what the >>>>> implementation status of the JWT bearer assertion spec is. >>>> Was I off-topic ? Sorry about it, I thought it would be encouraging for >>>> experts to see the general status, the wider JWT is supported the more >>>> likely the count of JWT Bearer assertion adopters will go up >>>> >>>> Cheers, Sergey >>>> >>>>>> On 04/25/2014 10:50 AM, Sergey Beryozkin wrote: >>>>>>> On 24/04/14 23:41, Mike Jones wrote: >>>>>>> I am aware of these implementations: >>>>>>> Microsoft Azure Active Directory: >>>>>>> http://azure.microsoft.com/en-us/services/active-directory/ >>>>>>> Google Service Account: >>>>>>> https://developers.google.com/accounts/docs/OAuth2ServiceAccount >>>>>>> >>>>>>> I believe that Ping Identity and Salesforce also have implementations, >>>>>>> but I'll let Brian and Chuck authoritatively speak to those. >>>>>> Here is some info about open source projects: >>>>>> >>>>>> Apache Oltu has a good support for working with JWT, believe Spring >>>>>> Security has it (I haven't tried) and JBoss KeyCloak team works with >>>>>> JWT, work for supporting JWT Bearer is in progress in Apache CXF (a >>>>>> month or so away). >>>>>> >>>>>> There will be a pretty good coverage for it... >>>>>> >>>>>> Sergey >>>>>> >>>>>>> -- Mike >>>>>>> >>>>>>> -----Original Message----- >>>>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes >>>>>>> Tschofenig >>>>>>> Sent: Wednesday, April 23, 2014 1:40 AM >>>>>>> To: oauth@ietf.org >>>>>>> Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up >>>>>>> >>>>>>> Hi all, >>>>>>> >>>>>>> I am working on the shepherd writeup for the JWT bearer document. The >>>>>>> shepherd write-ups for the assertion draft and the SAML bearer >>>>>>> document have been completed a while ago already, see >>>>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html >>>>>>> >>>>>>> A few requests: >>>>>>> >>>>>>> - To the document authors: Please confirm that any and all appropriate >>>>>>> IPR disclosures required for full conformance with the provisions of >>>>>>> BCP >>>>>>> 78 and BCP 79 have already been filed. >>>>>>> >>>>>>> - To all: Are you aware of implementations of this specification? If >>>>>>> so, I would like to reference them in my write-up. >>>>>>> >>>>>>> - To all: Please also go through the text to make sure that I >>>>>>> correctly reflect the history and the status of this document. >>>>>>> >>>>>>> Here is the most recent version of the write-up: >>>>>>> https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> (The copy-and-paste of the full version is below.) >>>>>>> >>>>>>> Ciao >>>>>>> Hannes >>>>>>> >>>>>>> PS: Note that I have send a mail about a pending issue to the list. In >>>>>>> response to my question I will update the write-up accordingly. >>>>>>> >>>>>>> ---- >>>>>>> >>>>>>> Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client >>>>>>> Authentication and Authorization Grants" >>>>>>> >>>>>>> >>>>>>> (1) What type of RFC is being requested (BCP, Proposed Standard, >>>>>>> Internet Standard, Informational, Experimental, or Historic)? Why is >>>>>>> this the proper type of RFC? Is this type of RFC indicated in the >>>>>>> title page header? >>>>>>> >>>>>>> The RFC type is 'Standards Track' and the type is indicated in the >>>>>>> title page. This document defines an instantiation for the OAuth >>>>>>> assertion framework using JSON Web Tokens. >>>>>>> >>>>>>> (2) The IESG approval announcement includes a Document Announcement >>>>>>> Write-Up. Please provide such a Document Announcement Write-Up. Recent >>>>>>> examples can be found in the "Action" announcements for approved >>>>>>> documents. The approval announcement contains the following sections: >>>>>>> >>>>>>> Technical Summary: >>>>>>> >>>>>>> This specification defines the use of a JSON Web Token (JWT) >>>>>>> Bearer >>>>>>> Token as a means for requesting an OAuth 2.0 access token as >>>>>>> well as >>>>>>> for use as a means of client authentication. >>>>>>> >>>>>>> Working Group Summary: >>>>>>> >>>>>>> Was there anything in WG process that is worth noting? For example, >>>>>>> was there controversy about particular points or were there decisions >>>>>>> where the consensus was particularly rough? >>>>>>> >>>>>>> This document belongs to the OAuth assertion document bundle >>>>>>> consisting of the abstract OAuth assertion framework, and the SAML >>>>>>> assertion profile. Due to the use of the JSON-based encoding of the >>>>>>> assertion it also relies on the work in the JOSE working group (such >>>>>>> as JWE/JWS) indirectly through the use of the JWT. This document has >>>>>>> intentionally been kept in sync with the SAML-based version. >>>>>>> >>>>>>> Document Quality: >>>>>>> >>>>>>> This document has gone through many iterations and has received >>>>>>> substantial feedback. >>>>>>> >>>>>>> [[Add implementation list here.]] >>>>>>> >>>>>>> Personnel: >>>>>>> >>>>>>> The document shepherd is Hannes Tschofenig and the responsible area >>>>>>> director is Kathleen Moriarty. >>>>>>> >>>>>>> (3) Briefly describe the review of this document that was performed by >>>>>>> the Document Shepherd. If this version of the document is not ready >>>>>>> for publication, please explain why the document is being forwarded to >>>>>>> the IESG. >>>>>>> >>>>>>> The draft authors believe that this document is ready for publication. >>>>>>> The document has had received review comments from working group >>>>>>> members, and from the OAuth working group chairs. These review >>>>>>> comments have been taken into account. >>>>>>> >>>>>>> (4) Does the document Shepherd have any concerns about the depth or >>>>>>> breadth of the reviews that have been performed? >>>>>>> >>>>>>> This document has gotten feedback from the working group and given the >>>>>>> focused use cases it has received adequate review. >>>>>>> >>>>>>> (5) Do portions of the document need review from a particular or from >>>>>>> broader perspective, e.g., security, operational complexity, AAA, DNS, >>>>>>> DHCP, XML, or internationalization? If so, describe the review that >>>>>>> took place. >>>>>>> >>>>>>> Since the OAuth working group develops security protocols any feedback >>>>>>> from the security community is always appreciated. >>>>>>> >>>>>>> (6) Describe any specific concerns or issues that the Document >>>>>>> Shepherd has with this document that the Responsible Area Director >>>>>>> and/or the IESG should be aware of? For example, perhaps he or she is >>>>>>> uncomfortable with certain parts of the document, or has concerns >>>>>>> whether there really is a need for it. In any event, if the WG has >>>>>>> discussed those issues and has indicated that it still wishes to >>>>>>> advance the document, detail those concerns here. >>>>>>> >>>>>>> The shepherd has no concerns with this document. >>>>>>> >>>>>>> (7) Has each author confirmed that any and all appropriate IPR >>>>>>> disclosures required for full conformance with the provisions of BCP >>>>>>> 78 and BCP 79 have already been filed. If not, explain why? >>>>>>> >>>>>>> [[Confirmation from the authors required.]] >>>>>>> >>>>>>> (8) Has an IPR disclosure been filed that references this document? If >>>>>>> so, summarize any WG discussion and conclusion regarding the IPR >>>>>>> disclosures. >>>>>>> >>>>>>> No IPR disclosures have been filed on this document. However, two IPRs >>>>>>> have been filed for the JWT specification this document relies on, see >>>>>>> http://datatracker.ietf.org/ipr/search/?option=document_search&id=draft-ietf-oauth-json-web-token >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> (9) How solid is the WG consensus behind this document? Does it >>>>>>> represent the strong concurrence of a few individuals, with others >>>>>>> being silent, or does the WG as a whole understand and agree with it? >>>>>>> >>>>>>> The working group has consensus to publish this document. >>>>>>> >>>>>>> (10) Has anyone threatened an appeal or otherwise indicated extreme >>>>>>> discontent? If so, please summarise the areas of conflict in separate >>>>>>> email messages to the Responsible Area Director. (It should be in a >>>>>>> separate email because this questionnaire is publicly available.) >>>>>>> >>>>>>> No appeal or extreme discontent has been raised. >>>>>>> >>>>>>> (11) Identify any ID nits the Document Shepherd has found in this >>>>>>> document. (See http://www.ietf.org/tools/idnits/ and the >>>>>>> Internet-Drafts Checklist). Boilerplate checks are not enough; this >>>>>>> check needs to be thorough. >>>>>>> >>>>>>> The shepherd has checked the nits. >>>>>>> >>>>>>> (12) Describe how the document meets any required formal review >>>>>>> criteria, such as the MIB Doctor, media type, and URI type reviews. >>>>>>> >>>>>>> There is no such review necessary. >>>>>>> >>>>>>> (13) Have all references within this document been identified as >>>>>>> either normative or informative? >>>>>>> >>>>>>> Yes. >>>>>>> >>>>>>> (14) Are there normative references to documents that are not ready >>>>>>> for advancement or are otherwise in an unclear state? If such >>>>>>> normative references exist, what is the plan for their completion? >>>>>>> >>>>>>> Yes. >>>>>>> >>>>>>> (15) Are there downward normative references references (see RFC 3967)? >>>>>>> If so, list these downward references to support the Area Director in >>>>>>> the Last Call procedure. >>>>>>> >>>>>>> RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational >>>>>>> RFC. A downref is required. >>>>>>> >>>>>>> However, this document depends on the completion of the abstract OAuth >>>>>>> assertion framework and on the JWT specification. >>>>>>> There are the following dependencies: >>>>>>> >>>>>>> (16) Will publication of this document change the status of any >>>>>>> existing RFCs? Are those RFCs listed on the title page header, listed >>>>>>> in the abstract, and discussed in the introduction? If the RFCs are >>>>>>> not listed in the Abstract and Introduction, explain why, and point to >>>>>>> the part of the document where the relationship of this document to >>>>>>> the other RFCs is discussed. If this information is not in the >>>>>>> document, explain why the WG considers it unnecessary. >>>>>>> >>>>>>> The publication of this document does not change the status of other >>>>>>> RFCs. >>>>>>> >>>>>>> (17) Describe the Document Shepherd's review of the IANA >>>>>>> considerations section, especially with regard to its consistency with >>>>>>> the body of the document. Confirm that all protocol extensions that >>>>>>> the document makes are associated with the appropriate reservations in >>>>>>> IANA registries. >>>>>>> Confirm that any referenced IANA registries have been clearly >>>>>>> identified. Confirm that newly created IANA registries include a >>>>>>> detailed specification of the initial contents for the registry, that >>>>>>> allocations procedures for future registrations are defined, and a >>>>>>> reasonable name for the new registry has been suggested (see RFC 5226). >>>>>>> >>>>>>> The document registers two sub-namespaces to the urn:ietf:params:oauth >>>>>>> URN established with RFC 6755. >>>>>>> >>>>>>> (18) List any new IANA registries that require Expert Review for >>>>>>> future allocations. Provide any public guidance that the IESG would >>>>>>> find useful in selecting the IANA Experts for these new registries. >>>>>>> >>>>>>> The document only adds entries to existing registries and does not >>>>>>> define any new registries. >>>>>>> >>>>>>> (19) Describe reviews and automated checks performed by the Document >>>>>>> Shepherd to validate sections of the document written in a formal >>>>>>> language, such as XML code, BNF rules, MIB definitions, etc. >>>>>>> >>>>>>> There are only snippets of message exchanges and JWT assertion >>>>>>> structures, which are based on JSON, used in the examples. There is no >>>>>>> pseudo code contained in the document that requires validation. >>>>>>> >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Fri Apr 25 09:23:38 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1054E1A0584 for ; Fri, 25 Apr 2014 09:23:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.146 X-Spam-Level: X-Spam-Status: No, score=-0.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nws0udFPM4jU for ; Fri, 25 Apr 2014 09:23:33 -0700 (PDT) Received: from mail-qc0-f180.google.com (mail-qc0-f180.google.com [209.85.216.180]) by ietfa.amsl.com (Postfix) with ESMTP id 102491A0665 for ; Fri, 25 Apr 2014 09:23:32 -0700 (PDT) Received: by mail-qc0-f180.google.com with SMTP id w7so4338933qcr.11 for ; Fri, 25 Apr 2014 09:23:26 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=ncYy4mCPtYYb7q/diKpls2GQDHIEWRrDww9cLfAkZXs=; b=KbFiG5E2v9Lsw3pUWcDlI6RiGpBHmQzc/8NMsiJysPGamxlxTd1BMLe/yz6eAY9USU /ZtmbTi/TKOxH2kjOYQxrCXYfLvDsQqhg4ciLQ8vcbbKtVwQh5aQLSz8RUl6kQDPzSyJ muvUjIyzmXBPM4l/cAzSQpEgY/jtKD5aUz/9FOeCLq+dmMAkDLPChsgFMmLV8uESjPbS BQ/5m8FbMzroqEl2Hyx2mJUs3KGM+wv9vdBqoSzzZV518Gnl2hTmNtPM73JI+PwmIJU6 j/2JpjTRJht17Ic/l4RgV5tO58jURNYD/OnjDWEIQcZTAY/+vCKYi0qjTohBmmIOODq/ vt0w== X-Gm-Message-State: ALoCoQn0OT1SxuGFzhs95ilmuzM0etduQ8Vh6O08SHi3r/veharyOLrKG/vPoN+r8N0aqHfTU7nC X-Received: by 10.140.48.13 with SMTP id n13mr12267554qga.90.1398443006044; Fri, 25 Apr 2014 09:23:26 -0700 (PDT) Received: from [192.168.0.200] ([201.188.68.144]) by mx.google.com with ESMTPSA id x2sm15101258qas.26.2014.04.25.09.23.23 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 09:23:24 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: Date: Fri, 25 Apr 2014 13:23:23 -0300 Content-Transfer-Encoding: quoted-printable Message-Id: <585CA20A-F0D4-441D-81BC-DCA2A049E5F1@ve7jtb.com> References: <8CE5B8B4-5CFB-4E1C-B1EC-06D2F0217ED8@adobe.com> <7EF3EC88-B32C-4858-8570-B142A6EEE96C@ve7jtb.com> To: Andrei Shakirin X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/opyvQStwxRgGhgT-B3g1IQ1gjHU Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 16:23:35 -0000 For cross site request forgery you need to validate the value in state = somehow. You could store the value in the browser session, or relate = it somehow to session information in the server. Making up a random number in the request and checking that there is a = random number in the response won't help. Even signing the value of the state is not super useful as the the = attacker could just separately get a state value from another authn = request and use that in there cross site request request. The cookie or hash of some other TLS bound session cookie allows the = client to detect the XRSF attack without using server side state on the = client. John B. On Apr 25, 2014, at 12:36 PM, Andrei Shakirin = wrote: > Hi John, >=20 > Thanks a lot for your explanation! >=20 > I am a bit confused regarding "state" parameter and cookies. I thought = that "state" is included in redirection URI for user-agent and verified = by client when Authorization server redirects user-agent back. > It is a way to bind authorization request to response (4.1. = Authorization Code Grant, steps (A) and (C)). > Are the cookies really necessary in this case? Can they provide = additional protection in case if redirect URI manipulated? >=20 > Regards, > Andrei. >=20 >=20 >> -----Original Message----- >> From: John Bradley [mailto:ve7jtb@ve7jtb.com] >> Sent: Freitag, 25. April 2014 14:03 >> To: Andrei Shakirin >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow >>=20 >> Yes the server can be stateless, though it may need to store client = credentials >> and user to validate against, and refresh token grants etc. >>=20 >> The "state" parameter allows the client to maintain some state = information >> across the Oauth authorization request and response. >>=20 >> Part of the use of that state information by the client allows it to = protect itself >> from having authorization requests initiated by 3rd parties that is = what Sec >> 10.12 is talking about. >> In that case the client can save state in a browser cookie or in the = server and >> use that to validate the returned state value to assure itself that = the >> authorization request came from itself. >>=20 >> John B. >>=20 >> On Apr 25, 2014, at 4:08 AM, Andrei Shakirin = wrote: >>=20 >>> Hi Antonio, >>>=20 >>> Thanks for your quick answer. >>> Important for me is that OAuth2 doesn't force to store client or = user-agent >> states in the authorization server, so authorization server can be = stateless and >> is not obligated to introduce the sessions at all. >>>=20 >>> Regards, >>> Andrei. >>>=20 >>>> -----Original Message----- >>>> From: Antonio Sanso [mailto:asanso@adobe.com] >>>> Sent: Freitag, 25. April 2014 09:02 >>>> To: Andrei Shakirin >>>> Cc: oauth@ietf.org >>>> Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow >>>>=20 >>>> hi Andrei, >>>>=20 >>>> AFAIU session cookie management is beyond the scope of the OAuth2 >>>> specification. >>>>=20 >>>> regards >>>>=20 >>>> antonio >>>>=20 >>>> On Apr 24, 2014, at 6:39 PM, Andrei Shakirin >> wrote: >>>>=20 >>>>> Hi, >>>>>=20 >>>>> My name is Andrei Shakirin, I am working with OAuth2 = implementation >>>>> in >>>> Apache CXF project. >>>>> Could you please help me to verify my understanding regarding of >>>>> using >>>> session cookies in OAuth2 flow. >>>>> OAuth2 specification mentions session cookies in: >>>>> 1) Section 3.1. Authorization Endpoint as possible way to >>>>> authenticate >>>> resource owner against authorization server >>>>> 2) Section 10.12. Cross-Site Request Forgery as possible attack >>>>> where end- >>>> user follows a malicious URI to a trusting server including a valid >>>> session cookie >>>>>=20 >>>>> My current understanding is: >>>>> a) using sessions between user-agent and authorization server is >>>>> optional and >>>> authorization server is not obligated to keep user state (in case = if >>>> user-agent provide authentication information with every request). >>>>> b) in case if sessions are used (because of any reasons), >>>>> authorization server >>>> have to care about additional protection like hidden form fields in >>>> order to uniquely identify the actual authorization request. >>>>>=20 >>>>> Is this correct? >>>>>=20 >>>>> Regards, >>>>> Andrei. >>>>>=20 >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>=20 >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >=20 From nobody Fri Apr 25 09:38:50 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0F11A0584 for ; Fri, 25 Apr 2014 09:38:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.589 X-Spam-Level: X-Spam-Status: No, score=0.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FR_TEST_BASE64_BAD=3.189, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BXXUYWT_t4q3 for ; Fri, 25 Apr 2014 09:38:41 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com [207.46.163.207]) by ietfa.amsl.com (Postfix) with ESMTP id 287201A063C for ; Fri, 25 Apr 2014 09:38:41 -0700 (PDT) Received: from BL2PR03CA017.namprd03.prod.outlook.com (10.141.66.25) by SN2PR03MB029.namprd03.prod.outlook.com (10.255.175.39) with Microsoft SMTP Server (TLS) id 15.0.921.12; Fri, 25 Apr 2014 16:38:27 +0000 Received: from BN1BFFO11FD012.protection.gbl (2a01:111:f400:7c10::1:160) by BL2PR03CA017.outlook.office365.com (2a01:111:e400:c1b::25) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Fri, 25 Apr 2014 16:38:26 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD012.mail.protection.outlook.com (10.58.144.75) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Fri, 25 Apr 2014 16:38:26 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.03.0181.007; Fri, 25 Apr 2014 16:37:53 +0000 From: Mike Jones To: Brian Campbell , Hannes Tschofenig Thread-Topic: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples Thread-Index: AQHPYHPsqQW6K7XM2UikgyZnVh8GF5siN60AgAAO7ICAABvwAIAAIeyQ Date: Fri, 25 Apr 2014 16:37:52 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A195D48@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <535A3AF4.4060506@gmx.net> <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com> <535A5819.2030805@gmx.net> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.34] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A195D48TK5EX14MBXC288r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(199002)(189002)(24454002)(53754006)(51694002)(377454003)(479174003)(51704005)(16601075003)(46102001)(84326002)(4396001)(19300405004)(31966008)(86612001)(74502001)(86362001)(81342001)(16236675002)(71186001)(76176999)(50986999)(33656001)(14971765001)(74662001)(81542001)(99396002)(2009001)(15202345003)(15395725003)(85852003)(512874002)(84676001)(80976001)(6806004)(97736001)(87936001)(83072002)(55846006)(92726001)(19273905006)(80022001)(79102001)(92566001)(2656002)(20776003)(77982001)(19580395003)(15975445006)(575784001)(76482001)(44976005)(19580405001)(66066001)(54356999)(83322001); DIR:OUT; SFP:1101; SCL:1; SRVR:SN2PR03MB029; H:mail.microsoft.com; FPR:FE6DF1E6.9AF65139.8FEFF1D7.8AFB6042.207CA; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0192E812EC Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/eaHC4crxXoMQ4ML46UAZYA6w3wc Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 16:38:44 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A195D48TK5EX14MBXC288r_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SeKAmW0gbm90IHN1cmUgaG93IG9jdGFsIGNhbWUgdXAsIGFzIHRoZSBleGFtcGxlcyBhbGwgdXNl IEpTT04gbm90YXRpb24sIHdoaWNoIGlzIGRlY2ltYWwuICAoVGhlIHdvcmQgb2N0ZXQgaXMgYSBz dGFuZGFyZCB3b3JkIGZvciBhIHZhbHVlIGNvbnRhaW5pbmcgOCBiaXRzLCBhbmQgaGFzIG5vdGhp bmcgdG8gZG8gd2l0aCBvY3RhbC4pDQoNCkhhbm5lcywgd2UgdXNlIEpTT04gbm90YXRpb24gaW4g dGhlIGV4YW1wbGVzLCByYXRoZXIgdGhhbiBoZXhhZGVjaW1hbCBpbnRlbnRpb25hbGx5LCBhcyB0 aGUgc3BlY3MgYXJlIGJhc2VkIG9uIEpTT04uDQoNClNvbWUgb2YgdGhlIGV4YW1wbGVzIGludGVu dGlvbmFsbHkgaW5jbHVkZSB3aGl0ZXNwYWNlLCBpbmNsdWRpbmcgQ1JMRnMsIHRvIGRlbW9uc3Ry YXRlIHRoYXQgdGhlIEpTT04gbmVlZCBub3QgYmUgY2Fub25pY2FsaXplZCBpbiBhbnkgd2F5IGJl Zm9yZSB1c2UgaW4gYSBKV1QuICBUaGUgYWN0dWFsIGJ5dGVzIG9mIHRoZSBKU09OIHJlcHJlc2Vu dGF0aW9uIGFyZSBpbmNsdWRlZCBzbyB0aGVyZeKAmXMgbm8gYW1iaWd1aXR5IGFib3V0IHRoZSBh Y3R1YWwgdmFsdWVzIHVzZWQgaW4gdGhlIGV4YW1wbGVzLiAgV2UgZG8gYWxyZWFkeSBoYXZlIGV4 cGxpY2l0IHRleHQgdGFsa2luZyBhYm91dCB0aGlzIGluIHRoZSBzcGVjLiAgQnVsbGV0IDEgb2Yg aHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1vYXV0aC1qc29uLXdlYi10b2tl bi0xOSNzZWN0aW9uLTcgc2F5czoNCiAgIDEuICBDcmVhdGUgYSBKV1QgQ2xhaW1zIFNldCBjb250 YWluaW5nIHRoZSBkZXNpcmVkIGNsYWltcy4gIE5vdGUgdGhhdA0KICAgICAgIHdoaXRlIHNwYWNl IGlzIGV4cGxpY2l0bHkgYWxsb3dlZCBpbiB0aGUgcmVwcmVzZW50YXRpb24gYW5kIG5vDQogICAg ICAgY2Fub25pY2FsaXphdGlvbiBuZWVkIGJlIHBlcmZvcm1lZCBiZWZvcmUgZW5jb2RpbmcuDQoN CldoaWxlIHdlIGNvdWxkIGFkZCBvdGhlciBleGFtcGxlcywgZG9pbmcgc28gaXMgYmV5b25kIHRo ZSBzY29wZSBvZiB0aGUgaW1tZWRpYXRlIG1pc3Npb24gdG8gdmFsaWRhdGUgdGhlIGV4aXN0aW5n IGV4YW1wbGVzLCBIYW5uZXMuICBUaGVyZeKAmXMgbG90cyBvZiBleGFtcGxlcyBpbiB0aGUgdW5k ZXJseWluZyBKT1NFIHNwZWNzLCBzbyBpdOKAmXMgbm90IGNsZWFyIHRoYXQgd2UgcmVhbGx5IG5l ZWQgdG8gYWRkIGFkZGl0aW9uYWwgb25lcyBhdCB0aGlzIHRpbWUuICAoSWYgdGhpcyBzdWdnZXN0 aW9uIGNvbWVzIHVwIGFnYWluIGR1cmluZyBJRVNHIHJldmlldywgd2UgY291bGQgZG8gdGhhdCwg YnV0IEkgZG9u4oCZdCB0aGluayBpdOKAmXMgbmVjZXNzYXJ5IGF0IHRoaXMgcG9pbnQgdG8gbW92 ZSB0aGUgc3BlYyB0byBJRVNHIHJldmlldy4pDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC0tIE1pa2UNCg0KRnJvbTogT0F1dGgg W21haWx0bzpvYXV0aC1ib3VuY2VzQGlldGYub3JnXSBPbiBCZWhhbGYgT2YgQnJpYW4gQ2FtcGJl bGwNClNlbnQ6IEZyaWRheSwgQXByaWwgMjUsIDIwMTQgNzoyMiBBTQ0KVG86IEhhbm5lcyBUc2No b2ZlbmlnDQpDYzogb2F1dGhAaWV0Zi5vcmcNClN1YmplY3Q6IFJlOiBbT0FVVEgtV0ddIGRyYWZ0 LWlldGYtb2F1dGgtanNvbi13ZWItdG9rZW4tMTkgLSBFeGFtcGxlcw0KDQpOb3RlIHRoYXQgdGhl IGRyYWZ0IGlzIHNob3dpbmcgYW4gKm9jdGV0IHNlcXVlbmNlKiB3aXRoIGVhY2ggaW5kaXZpZHVh bCBvY3RldCBiZWluZyBzaG93biBhcyBkZWNpbWFsIHZhbHVlLiBJdCBkb2Vzbid0IHN0YXRlIGFu eXRoaW5nIGFib3V0IHVzaW5nIG9jdGFsLCB0aGUgYmFzZS04IG51bWJlciBzeXN0ZW0uIFRob3Nl IG9jdGV0cyBhbHNvIHNob3cgdW5hbWJpZ3VvdXNseSB3aGF0IGlzIGJlaW5nIGJhc2U2NHVybCBl bmNvZGVkIChpbmNsdWRpbmcgdGhlIGxpbmUgZW5kaW5ncyB2aWEgIjEzLCAxMCIpIC0gbm8gbWF0 dGVyIGhvdyB0aGUgdW5lbmNvZGVkIGhlYWRlcnMgb3IgYm9kaWVzIGFyZSBzaG93biBpbiB0aGUg ZHJhZnQsIHRoZXJlJ3MgZ29pbmcgdG8gYmUgcG90ZW50aWFsIGNvbmZ1c2lvbiBhYm91dCB3aGF0 IHdoaXRlIHNwYWNlIGFuZCBsaW5lIGJyZWFrcyBpcyBvciBpcyBub3QgdG8gYmUgaW5jbHVkZWQg aW4gdGhlIGVuY29kaW5nIGFuZCBzZXJpYWxpemF0aW9uIHNvIGdpdmluZyB0aGUgb2N0ZXQgc2Vx dWVuY2UgYWxsZXZpYXRlcyB0aGF0LiBJdCdzIG1heWJlIGFsc28gd29ydGggbm90aW5nIHRoYXQg dGhlIEpPU0Ugc3VpdGUgb2Ygc3BlY3MgYWxsIHVzZSB0aGUgc2FtZSBub3RhdGlvbiBhbmQgdGV4 dCBpbiB0aGVpciBleGFtcGxlcy4NCklmIHdlIHdlcmUgdG8gYWRkIGFub3RoZXIgZXhhbXBsZSBh cyB3YXMgc3VnZ2VzdGVkLCBpdCBzaG91bGQgcHJvYmFibHkgdXNlIGEgc2hhcmVkIHNlY3JldCB3 aXRoIGEgbGl0dGxlIG1vcmUgZW50cm9weSBhcyAnMTIzNDUnIGlzbid0IHN0cmljdGx5IGNvbXBs aWFudCB3aXRoIHRoZSBub3JtYXRpdmUgcmVxdWlyZW1lbnRzIGluIEpXQSBmb3IgSFMyNTYuIGh0 dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtam9zZS1qc29uLXdlYi1hbGdvcml0 aG1zLTI1I3NlY3Rpb24tMy4yIHN0YXRlcyB0aGF0IGEgJ2tleSBvZiB0aGUgc2FtZSBzaXplIGFz IHRoZSBoYXNoIG91dHB1dCAoZm9yIGluc3RhbmNlLCAyNTYgYml0cyBmb3IgIkhTMjU2Iikgb3Ig bGFyZ2VyIE1VU1QgYmUgdXNlZC4nDQoNCg0KT24gRnJpLCBBcHIgMjUsIDIwMTQgYXQgNjo0MiBB TSwgSGFubmVzIFRzY2hvZmVuaWcgPGhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQ8bWFpbHRvOmhh bm5lcy50c2Nob2ZlbmlnQGdteC5uZXQ+PiB3cm90ZToNCkhpIEFudG9uaW8NCg0KZ29vZCB0byBz ZWUgdGhhdCBvdGhlcnMgaGF2ZSBydW4gaW50byB0aGUgc2FtZSBpc3N1ZSBiZWZvcmUuDQoNCkkg d29uZGVyIHdoeSB0aGUgY2FycmlhZ2UgcmV0dXJuIGFuZCB0aGUgbGluZSBmZWVkIGhhZCBiZWVu IGluc2VydGVkLg0KDQpXZSBlaXRoZXIgbmVlZCBzb21lIHRleHQgdG8gZXhwbGFpbiB0aGlzIGlu IHRoZSBleGFtcGxlIG9yIHRvIHVzZSBhbg0KZXhhbXBsZSB0aGF0IGRvZXMgbm90IHVzZSBjYXJy aWFnZSByZXR1cm5zIG9yIGxpbmUgZmVlZHMuDQoNCkNpYW8NCkhhbm5lcw0KDQpPbiAwNC8yNS8y MDE0IDAxOjQ4IFBNLCBBbnRvbmlvIFNhbnNvIHdyb3RlOg0KPiBoaSBIYW5uZXMuDQo+DQo+DQo+ IE9uIEFwciAyNSwgMjAxNCwgYXQgMTI6MzcgUE0sIEhhbm5lcyBUc2Nob2ZlbmlnIDxoYW5uZXMu dHNjaG9mZW5pZ0BnbXgubmV0PG1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0Pj4gd3Jv dGU6DQo+DQo+PiBIaSBhbGwsDQo+Pg0KPj4gQXMgYSBkb2N1bWVudCBzaGVwaGVyZCBJIGhhdmUg dG8gdmVyaWZ5IHRoZSBlbnRpcmUgZG9jdW1lbnQgYW5kIHRoaXMNCj4+IGluY2x1ZGVzIHRoZSBl eGFtcGxlcyBhcyB3ZWxsLg0KPj4NCj4+IFNlY3Rpb24gMy4xOg0KPj4NCj4+IFlvdSB3cml0ZToN Cj4+DQo+PiAiDQo+PiAgIFRoZSBmb2xsb3dpbmcgb2N0ZXQgc2VxdWVuY2UgaXMgdGhlIFVURi04 IHJlcHJlc2VudGF0aW9uIG9mIHRoZSBKV1QNCj4+ICAgSGVhZGVyL0pXUyBIZWFkZXIgYWJvdmU6 DQo+Pg0KPj4gICBbMTIzLCAzNCwgMTE2LCAxMjEsIDExMiwgMzQsIDU4LCAzNCwgNzQsIDg3LCA4 NCwgMzQsIDQ0LCAxMywgMTAsIDMyLA0KPj4gICAzNCwgOTcsIDEwOCwgMTAzLCAzNCwgNTgsIDM0 LCA3MiwgODMsIDUwLCA1MywgNTQsIDM0LCAxMjVdDQo+PiAiDQo+Pg0KPj4gVGhlIHZhbHVlcyBJ TUhPIGFyZSByZXByZXNlbnRlZCBpbiBEZWNpbWFsIGNvZGUgcG9pbnQgcmF0aGVyIHRoYW4gT2N0 YWwNCj4+IFVURi04IGJ5dGVzLCBhcyBzdGF0ZWQgYWJvdmUuDQo+PiBTZWUgdGhlIGZvbGxvd2lu ZyBvbmxpbmUgdG9vbCB0byBzZWUgdGhlIGRpZmZlcmVuY2U6DQo+PiBodHRwOi8vd3d3Lmx0Zy5l ZC5hYy51ay9+cmljaGFyZC91dGYtOC5jZ2k/aW5wdXQ9JTIyJm1vZGU9Y2hhcg0KPj4NCj4+IE5v dGUgdGhhdCB5b3UgY291bGQgYWxzbyBzaG93IGEgaGV4IGVuY29kaW5nIGluc3RlYWQgKGUuZy4s IHZpYQ0KPj4gaHR0cDovL29zdGVybWlsbGVyLm9yZy9jYWxjL2VuY29kZS5odG1sKS4gSGl4aWUn cyBkZWNvZGVyIHdvdWxkIHRoZW4NCj4+IHByb2R1Y2UgdGhlIGNvcnJlY3QgZGVjb2RpbmcuIEhl cmUgaXMgdGhlIGxpbmsgdG8gaGlzIHNvZnR3YXJlOg0KPj4gaHR0cDovL3NvZnR3YXJlLmhpeGll LmNoL3V0aWxpdGllcy9jZ2kvdW5pY29kZS1kZWNvZGVyL3V0ZjgtZGVjb2Rlcg0KPj4gKE5vdGUg dGhhdCB0aGlzIHByb2dyYW0gc2VlbXMgdG8gaGF2ZSBmbGF3cyBmb3IgbW9zdCBvdGhlciBvcHRp b25zLikNCj4+DQo+PiBXaGVuIGRvIGEgQmFzZTY0VVJMIGVuY29kaW5nIG9mDQo+Pg0KPj4geyJ0 eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9DQo+Pg0KPj4gdGhlbiBJIGdldA0KPj4NCj4+IGV5SjBl WEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOQ0KPj4NCj4+IGJ1dCB5b3VyIHNwZWMgc2F5 czoNCj4+DQo+PiBleUowZVhBaU9pSktWMVFpTEEwS0lDSmhiR2NpT2lKSVV6STFOaUo5DQo+Pg0K Pj4gU2FtZSB3aXRoIHsiaXNzIjoiam9lIiwiZXhwIjoxMzAwODE5MzgwLCJodHRwOi8vZXhhbXBs ZS5jb20vaXNfcm9vdCI6dHJ1ZX0uDQo+Pg0KPj4gTXkgcmVzdWx0Og0KPj4gZXlKcGMzTWlPaUpx YjJVaUxDSmxlSEFpT2pFek1EQTRNVGt6T0RBc0ltaDBkSEE2THk5bGVHRnRjR3hsTG1OdmJTOXBj MTl5YjI5MElqcDBjblZsZlENCj4+DQo+PiBZb3VyIHJlc3VsdDoNCj4+IGV5SnBjM01pT2lKcWIy VWlMQTBLSUNKbGVIQWlPakV6TURBNE1Ua3pPREFzRFFvZ0ltaDBkSEE2THk5bGVHRnRjR3hsTG1O dmJTOXBjMTl5YjI5MElqcDBjblZsZlENCj4NCj4gc2VlIGh0dHA6Ly93d3cuaWV0Zi5vcmcvbWFp bC1hcmNoaXZlL3dlYi9vYXV0aC9jdXJyZW50L21zZzExNTk5Lmh0bWwNCj4NCj4gcmVnYXJkcw0K Pg0KPiBhbnRvbmlvDQo+DQo+Pg0KPj4gTm90ZTogSSBhbSB1c2luZyB0aGlzIG9ubGluZSB0b29s IGZvciBCYXNlNjRVUkwgZW5jb2Rpbmc6DQo+PiBodHRwOi8va2p1ci5naXRodWIuaW8vanNqd3Mv dG9vbF9iNjR1ZW5jLmh0bWwuDQo+PiBJbnRlcmVzdGluZ2x5LCB3aGVuIEkgZHVtcCB0aGUgZGF0 YSBpbnRvIGh0dHA6Ly9qd3QuaW8vIHRoZW4gSSBnZXQgYQ0KPj4gY29ycmVjdCBkZWNvZGluZy4g SXQgbWlnaHQgd2VsbCBiZSB0aGF0IHRoZSBranVyLmdpdGh1Yi5pbzxodHRwOi8va2p1ci5naXRo dWIuaW8+IGhhcyBhIGZsYXcuDQo+Pg0KPj4gSnVzdCB3YW50ZWQgdG8gY2hlY2sgd2hhdCB0b29s IHlvdSBoYXZlIHVzZWQgdG8gY3JlYXRlIHRoZXNlIGVuY29kaW5ncy4NCj4+DQo+Pg0KPj4gU2Vj dGlvbiA2LjE6DQo+Pg0KPj4gVGhlIGV4YW1wbGUgaW4gU2VjdGlvbiA2LjEgaXMgdGhlIHNhbWUg YXMgaW4gMy4xLiBNYXliZSBpdCB3b3VsZCBiZQ0KPj4gdXNlZnVsIHRvIHNob3cgc29tZXRoaW5n IGRpZmZlcmVudCBoZXJlLg0KPj4NCj4+IFRoZSBleGFtcGxlIGluIEFwcGVuZGl4IEEuMSBpcyBt b3JlIHNvcGhpc3RpY2F0ZWQgc2luY2UgaXQgZGVtb25zdHJhdGVzDQo+PiBlbmNyeXB0aW9uLiBU byB2ZXJpZnkgaXQgSSB3b3VsZCBuZWVkIHRvIGhhdmUgYSBsaWJyYXJ5IHRoYXQgc3VwcG9ydHMN Cj4+IEpXRSBhbmQgUlNBRVMtUEtDUzEtVjFfNSBhbmQgQUVTXzEyOF9DQkNfSE1BQ19TSEFfMjU2 LiBXaGljaCBsaWJyYXJ5DQo+PiBoYXZlIHlvdSBiZWVuIHVzaW5nPw0KPj4NCj4+IEkgd2FzIHdv bmRlcmluZyB3aGV0aGVyIGl0IHdvdWxkIG1ha2Ugc2Vuc2UgdG8gYWRkIHR3byBvdGhlciBleGFt cGxlcywNCj4+IG5hbWVseSBmb3IgaW50ZWdyaXR5IHByb3RlY3Rpb24uIE9uZSBleGFtcGxlIHNo b3dpbmcgYW4gSE1BQy1iYXNlZCBrZXllZA0KPj4gbWVzc2FnZSBkaWdlc3QgYW5kIGFub3RoZXIg b25lIHVzaW5nIGEgZGlnaXRhbCBzaWduYXR1cmUuDQo+Pg0KPj4gSGVyZSBpcyBhIHNpbXBsZSBl eGFtcGxlIHRvIGFkZCB0aGF0IGFsbW9zdCBhbGwgSldUIGxpYnJhcmllcyBzZWVtIHRvIGJlDQo+ PiBhYmxlIHRvIGNyZWF0ZSBhbmQgdmVyaWZ5Og0KPj4NCj4+IEhlYWRlcjoNCj4+IHsiYWxnIjoi SFMyNTYiLCJ0eXAiOiJKV1QifQ0KPj4NCj4+IEkgdXNlIHRoZSBIUzI1NiBhbGdvcml0aG0gd2l0 aCBhIHNoYXJlZCBzZWNyZXQgJzEyMzQ1Jy4NCj4+DQo+PiBCb2R5Og0KPj4NCj4+IHsiaXNzIjoi aHR0cHM6Ly9hcy5leGFtcGxlLmNvbSIsInN1YiI6Im1haWx0bzpqb2huQGV4YW1wbGUuY29tPG1h aWx0bzpqb2huQGV4YW1wbGUuY29tPiIsIm5iZiI6MTM5ODQyMDc1MywiZXhwIjoxMzk4NDI0MzUz LCJpYXQiOjEzOTg0MjA3NTN9DQo+Pg0KPj4gand0LmVuY29kZSh7ImlzcyI6Imh0dHBzOi8vYXMu ZXhhbXBsZS5jb20iLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbTxtYWlsdG86am9obkBl eGFtcGxlLmNvbT4iLCJuYmYiOjEzOTg0MjA3NTMsImV4cCI6MTM5ODQyNDM1MywiaWF0IjoxMzk4 NDIwNzUzfSwiMTIzNDUiLA0KPj4gIkhTMjU2IikNCj4+DQo+PiBJIHVzZWQgaHR0cDovL3d3dy5v bmxpbmVjb252ZXJzaW9uLmNvbS91bml4X3RpbWUuaHRtIHRvIGNyZWF0ZSB0aGUNCj4+IGRhdGUv dGltZSB2YWx1ZXM6DQo+PiAibmJmIjoxMzk4NDIwNzUzIC0tPiBGcmksIDI1IEFwciAyMDE0IDEw OjEyOjMzIEdNVA0KPj4gImV4cCI6MTM5ODQyNDM1MyAtLT4gRnJpLCAyNSBBcHIgMjAxNCAxMTox MjozMyBHTVQNCj4+ICJpYXQiOjEzOTg0MjA3NTMgLS0+IEZyaSwgMjUgQXByIDIwMTQgMTA6MTI6 MzMgR01UDQo+Pg0KPj4gSGVyZSBpcyB0aGUgb3V0cHV0IGNyZWF0ZWQgd2l0aCBodHRwczovL2dp dGh1Yi5jb20vcHJvZ3JpdW0vcHlqd3QvIGFuZA0KPj4gdmVyaWZpZWQgd2l0aCBodHRwOi8vand0 LmlvLzoNCj4+IGV5SmhiR2NpT2lKSVV6STFOaUlzSW5SNWNDSTZJa3BYVkNKOS5leUpwYzNNaU9p Sm9kSFJ3Y3pvdkwyRnpMbVY0WVcxd2JHVXVZMjl0SWl3aWFXRjBJam94TXprNE5ESXdOelV6TENK emRXSWlPaUp0WVdsc2RHODZhbTlvYmtCbGVHRnRjR3hsTG1OdmJTSXNJbVY0Y0NJNk1UTTVPRFF5 TkRNMU15d2libUptSWpveE16azROREl3TnpVemZRLjBnZlJVSWxleTcwYk1QN2hONnNNV2tId0hl emRydjJFMUxBVmNOZFRzcTQNCj4+DQo+PiBDaWFvDQo+PiBIYW5uZXMNCj4+DQo+Pg0KPj4gX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4+IE9BdXRoIG1h aWxpbmcgbGlzdA0KPj4gT0F1dGhAaWV0Zi5vcmc8bWFpbHRvOk9BdXRoQGlldGYub3JnPg0KPj4g aHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aA0KPg0KDQpfX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KT0F1dGggbWFpbGluZyBs aXN0DQpPQXV0aEBpZXRmLm9yZzxtYWlsdG86T0F1dGhAaWV0Zi5vcmc+DQpodHRwczovL3d3dy5p ZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoDQoNCg== --_000_4E1F6AAD24975D4BA5B16804296739439A195D48TK5EX14MBXC288r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJ e2ZvbnQtZmFtaWx5OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQov KiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1z b05vcm1hbA0KCXttYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNp emU6MTIuMHB0Ow0KCWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJpZiI7fQ0KYTps aW5rLCBzcGFuLk1zb0h5cGVybGluaw0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6 Ymx1ZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29I eXBlcmxpbmtGb2xsb3dlZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxl Ow0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KcHJlDQoJe21zby1zdHlsZS1wcmlvcml0 eTo5OTsNCgltc28tc3R5bGUtbGluazoiSFRNTCBQcmVmb3JtYXR0ZWQgQ2hhciI7DQoJbWFyZ2lu OjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9udC1zaXplOjEyLjBwdDsNCglmb250 LWZhbWlseToiQ291cmllciBOZXciO30NCnNwYW4uaG9lbnpiDQoJe21zby1zdHlsZS1uYW1lOmhv ZW56Yjt9DQpzcGFuLkVtYWlsU3R5bGUxOA0KCXttc28tc3R5bGUtdHlwZTpwZXJzb25hbC1yZXBs eTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiOw0KCWNvbG9yOiMxRjQ5N0Q7 fQ0Kc3Bhbi5IVE1MUHJlZm9ybWF0dGVkQ2hhcg0KCXttc28tc3R5bGUtbmFtZToiSFRNTCBQcmVm b3JtYXR0ZWQgQ2hhciI7DQoJbXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5r OiJIVE1MIFByZWZvcm1hdHRlZCI7DQoJZm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Ijt9DQouTXNv Q2hwRGVmYXVsdA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LWZhbWlseToi Q2FsaWJyaSIsInNhbnMtc2VyaWYiO30NCkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXplOjguNWlu IDExLjBpbjsNCgltYXJnaW46MS4waW4gMS4waW4gMS4waW4gMS4waW47fQ0KZGl2LldvcmRTZWN0 aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9uMTt9DQotLT48L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5 XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4N CjwveG1sPjwhW2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVsYXlv dXQgdjpleHQ9ImVkaXQiPg0KPG86aWRtYXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286 c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5kaWZdLS0+DQo8L2hlYWQ+DQo8Ym9keSBsYW5nPSJFTi1V UyIgbGluaz0iYmx1ZSIgdmxpbms9InB1cnBsZSI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEi Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9y OiMxRjQ5N0QiPknigJltIG5vdCBzdXJlIGhvdyBvY3RhbCBjYW1lIHVwLCBhcyB0aGUgZXhhbXBs ZXMgYWxsIHVzZSBKU09OIG5vdGF0aW9uLCB3aGljaCBpcyBkZWNpbWFsLiZuYnNwOyAoVGhlIHdv cmQgb2N0ZXQgaXMgYSBzdGFuZGFyZCB3b3JkIGZvciBhIHZhbHVlIGNvbnRhaW5pbmcgOCBiaXRz LA0KIGFuZCBoYXMgbm90aGluZyB0byBkbyB3aXRoIG9jdGFsLik8bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29s b3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2Fs aWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkhhbm5lcywg d2UgdXNlIEpTT04gbm90YXRpb24gaW4gdGhlIGV4YW1wbGVzLCByYXRoZXIgdGhhbiBoZXhhZGVj aW1hbCBpbnRlbnRpb25hbGx5LCBhcyB0aGUgc3BlY3MgYXJlIGJhc2VkIG9uIEpTT04uPG86cD48 L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNl cmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0 OTdEIj5Tb21lIG9mIHRoZSBleGFtcGxlcyBpbnRlbnRpb25hbGx5IGluY2x1ZGUgd2hpdGVzcGFj ZSwgaW5jbHVkaW5nIENSTEZzLCB0byBkZW1vbnN0cmF0ZSB0aGF0IHRoZSBKU09OIG5lZWQgbm90 IGJlIGNhbm9uaWNhbGl6ZWQgaW4gYW55IHdheSBiZWZvcmUgdXNlIGluIGEgSldULiZuYnNwOw0K IFRoZSBhY3R1YWwgYnl0ZXMgb2YgdGhlIEpTT04gcmVwcmVzZW50YXRpb24gYXJlIGluY2x1ZGVk IHNvIHRoZXJl4oCZcyBubyBhbWJpZ3VpdHkgYWJvdXQgdGhlIGFjdHVhbCB2YWx1ZXMgdXNlZCBp biB0aGUgZXhhbXBsZXMuJm5ic3A7IFdlIGRvIGFscmVhZHkgaGF2ZSBleHBsaWNpdCB0ZXh0IHRh bGtpbmcgYWJvdXQgdGhpcyBpbiB0aGUgc3BlYy4mbmJzcDsgQnVsbGV0IDEgb2YNCjxhIGhyZWY9 Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtanNvbi13ZWItdG9r ZW4tMTkjc2VjdGlvbi03Ij4NCmh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYt b2F1dGgtanNvbi13ZWItdG9rZW4tMTkjc2VjdGlvbi03PC9hPiBzYXlzOjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJwYWdlLWJyZWFrLWJlZm9yZTph bHdheXMiPjxzcGFuIGxhbmc9IkVOIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBO ZXcmcXVvdDsiPiZuYnNwOyZuYnNwOyAxLiZuYnNwOyBDcmVhdGUgYSBKV1QgQ2xhaW1zIFNldCBj b250YWluaW5nIHRoZSBkZXNpcmVkIGNsYWltcy4mbmJzcDsgTm90ZSB0aGF0PG86cD48L286cD48 L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2UtYnJlYWstYmVmb3Jl OmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4iIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtDb3VyaWVy IE5ldyZxdW90OyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHdoaXRlIHNw YWNlIGlzIGV4cGxpY2l0bHkgYWxsb3dlZCBpbiB0aGUgcmVwcmVzZW50YXRpb24gYW5kIG5vPG86 cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9InBhZ2UtYnJl YWstYmVmb3JlOmFsd2F5cyI+PHNwYW4gbGFuZz0iRU4iIHN0eWxlPSJmb250LWZhbWlseTomcXVv dDtDb3VyaWVyIE5ldyZxdW90OyI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 IGNhbm9uaWNhbGl6YXRpb24gbmVlZCBiZSBwZXJmb3JtZWQgYmVmb3JlIGVuY29kaW5nLjxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZh bWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFG NDk3RCI+V2hpbGUgd2UgY291bGQgYWRkIG90aGVyIGV4YW1wbGVzLCBkb2luZyBzbyBpcyBiZXlv bmQgdGhlIHNjb3BlIG9mIHRoZSBpbW1lZGlhdGUgbWlzc2lvbiB0byB2YWxpZGF0ZSB0aGUgZXhp c3RpbmcgZXhhbXBsZXMsIEhhbm5lcy4mbmJzcDsgVGhlcmXigJlzIGxvdHMgb2YgZXhhbXBsZXMN CiBpbiB0aGUgdW5kZXJseWluZyBKT1NFIHNwZWNzLCBzbyBpdOKAmXMgbm90IGNsZWFyIHRoYXQg d2UgcmVhbGx5IG5lZWQgdG8gYWRkIGFkZGl0aW9uYWwgb25lcyBhdCB0aGlzIHRpbWUuJm5ic3A7 IChJZiB0aGlzIHN1Z2dlc3Rpb24gY29tZXMgdXAgYWdhaW4gZHVyaW5nIElFU0cgcmV2aWV3LCB3 ZSBjb3VsZCBkbyB0aGF0LCBidXQgSSBkb27igJl0IHRoaW5rIGl04oCZcyBuZWNlc3NhcnkgYXQg dGhpcyBwb2ludCB0byBtb3ZlIHRoZSBzcGVjIHRvIElFU0cgcmV2aWV3Lik8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEx LjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVv dDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPiZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyAtLSBNaWtlPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2Fs aWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5i c3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtz YW5zLXNlcmlmJnF1b3Q7Ij5Gcm9tOjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox MC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFob21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVv dDsiPiBPQXV0aCBbbWFpbHRvOm9hdXRoLWJvdW5jZXNAaWV0Zi5vcmddDQo8Yj5PbiBCZWhhbGYg T2YgPC9iPkJyaWFuIENhbXBiZWxsPGJyPg0KPGI+U2VudDo8L2I+IEZyaWRheSwgQXByaWwgMjUs IDIwMTQgNzoyMiBBTTxicj4NCjxiPlRvOjwvYj4gSGFubmVzIFRzY2hvZmVuaWc8YnI+DQo8Yj5D Yzo8L2I+IG9hdXRoQGlldGYub3JnPGJyPg0KPGI+U3ViamVjdDo8L2I+IFJlOiBbT0FVVEgtV0dd IGRyYWZ0LWlldGYtb2F1dGgtanNvbi13ZWItdG9rZW4tMTkgLSBFeGFtcGxlczxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWJvdHRvbTox Mi4wcHQiPk5vdGUgdGhhdCB0aGUgZHJhZnQgaXMgc2hvd2luZyBhbiAqb2N0ZXQgc2VxdWVuY2Uq IHdpdGggZWFjaCBpbmRpdmlkdWFsIG9jdGV0IGJlaW5nIHNob3duIGFzIGRlY2ltYWwgdmFsdWUu IEl0IGRvZXNuJ3Qgc3RhdGUgYW55dGhpbmcgYWJvdXQgdXNpbmcgb2N0YWwsIHRoZSBiYXNlLTgg bnVtYmVyIHN5c3RlbS4gVGhvc2Ugb2N0ZXRzIGFsc28gc2hvdyB1bmFtYmlndW91c2x5DQogd2hh dCBpcyBiZWluZyBiYXNlNjR1cmwgZW5jb2RlZCAoaW5jbHVkaW5nIHRoZSBsaW5lIGVuZGluZ3Mg dmlhICZxdW90OzEzLCAxMCZxdW90OykgLSBubyBtYXR0ZXIgaG93IHRoZSB1bmVuY29kZWQgaGVh ZGVycyBvciBib2RpZXMgYXJlIHNob3duIGluIHRoZSBkcmFmdCwgdGhlcmUncyBnb2luZyB0byBi ZSBwb3RlbnRpYWwgY29uZnVzaW9uIGFib3V0IHdoYXQgd2hpdGUgc3BhY2UgYW5kIGxpbmUgYnJl YWtzIGlzIG9yIGlzIG5vdCB0byBiZSBpbmNsdWRlZCBpbg0KIHRoZSBlbmNvZGluZyBhbmQgc2Vy aWFsaXphdGlvbiBzbyBnaXZpbmcgdGhlIG9jdGV0IHNlcXVlbmNlIGFsbGV2aWF0ZXMgdGhhdC4g SXQncyBtYXliZSBhbHNvIHdvcnRoIG5vdGluZyB0aGF0IHRoZSBKT1NFIHN1aXRlIG9mIHNwZWNz IGFsbCB1c2UgdGhlIHNhbWUgbm90YXRpb24gYW5kIHRleHQgaW4gdGhlaXIgZXhhbXBsZXMuPG86 cD48L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPklmIHdlIHdlcmUgdG8g YWRkIGFub3RoZXIgZXhhbXBsZSBhcyB3YXMgc3VnZ2VzdGVkLCBpdCBzaG91bGQgcHJvYmFibHkg dXNlIGEgc2hhcmVkIHNlY3JldCB3aXRoIGEgbGl0dGxlIG1vcmUgZW50cm9weSBhcyAnMTIzNDUn IGlzbid0IHN0cmljdGx5IGNvbXBsaWFudCB3aXRoIHRoZSBub3JtYXRpdmUgcmVxdWlyZW1lbnRz IGluIEpXQSBmb3IgSFMyNTYuDQo8YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9k cmFmdC1pZXRmLWpvc2UtanNvbi13ZWItYWxnb3JpdGhtcy0yNSNzZWN0aW9uLTMuMiI+DQpodHRw Oi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLWpvc2UtanNvbi13ZWItYWxnb3JpdGht cy0yNSNzZWN0aW9uLTMuMjwvYT4gc3RhdGVzIHRoYXQgYSAna2V5IG9mIHRoZSBzYW1lIHNpemUg YXMgdGhlIGhhc2ggb3V0cHV0IChmb3IgaW5zdGFuY2UsIDI1NiBiaXRzIGZvciAmcXVvdDtIUzI1 NiZxdW90Oykgb3IgbGFyZ2VyIE1VU1QgYmUgdXNlZC4nPG86cD48L286cD48L3A+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij48bzpwPiZu YnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5PbiBGcmksIEFwciAyNSwgMjAxNCBhdCA2OjQyIEFN LCBIYW5uZXMgVHNjaG9mZW5pZyAmbHQ7PGEgaHJlZj0ibWFpbHRvOmhhbm5lcy50c2Nob2Zlbmln QGdteC5uZXQiIHRhcmdldD0iX2JsYW5rIj5oYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0PC9hPiZn dDsgd3JvdGU6PG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5IaSBBbnRvbmlv PGJyPg0KPGJyPg0KZ29vZCB0byBzZWUgdGhhdCBvdGhlcnMgaGF2ZSBydW4gaW50byB0aGUgc2Ft ZSBpc3N1ZSBiZWZvcmUuPGJyPg0KPGJyPg0KSSB3b25kZXIgd2h5IHRoZSBjYXJyaWFnZSByZXR1 cm4gYW5kIHRoZSBsaW5lIGZlZWQgaGFkIGJlZW4gaW5zZXJ0ZWQuPGJyPg0KPGJyPg0KV2UgZWl0 aGVyIG5lZWQgc29tZSB0ZXh0IHRvIGV4cGxhaW4gdGhpcyBpbiB0aGUgZXhhbXBsZSBvciB0byB1 c2UgYW48YnI+DQpleGFtcGxlIHRoYXQgZG9lcyBub3QgdXNlIGNhcnJpYWdlIHJldHVybnMgb3Ig bGluZSBmZWVkcy48YnI+DQo8YnI+DQpDaWFvPGJyPg0KPHNwYW4gY2xhc3M9ImhvZW56YiI+PHNw YW4gc3R5bGU9ImNvbG9yOiM4ODg4ODgiPkhhbm5lczwvc3Bhbj48L3NwYW4+PG86cD48L286cD48 L3A+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tYm90 dG9tOjEyLjBwdCI+PGJyPg0KT24gMDQvMjUvMjAxNCAwMTo0OCBQTSwgQW50b25pbyBTYW5zbyB3 cm90ZTo8YnI+DQomZ3Q7IGhpIEhhbm5lcy48YnI+DQomZ3Q7PGJyPg0KJmd0Ozxicj4NCiZndDsg T24gQXByIDI1LCAyMDE0LCBhdCAxMjozNyBQTSwgSGFubmVzIFRzY2hvZmVuaWcgJmx0OzxhIGhy ZWY9Im1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0Ij5oYW5uZXMudHNjaG9mZW5pZ0Bn bXgubmV0PC9hPiZndDsgd3JvdGU6PGJyPg0KJmd0Ozxicj4NCiZndDsmZ3Q7IEhpIGFsbCw8YnI+ DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IEFzIGEgZG9jdW1lbnQgc2hlcGhlcmQgSSBoYXZlIHRv IHZlcmlmeSB0aGUgZW50aXJlIGRvY3VtZW50IGFuZCB0aGlzPGJyPg0KJmd0OyZndDsgaW5jbHVk ZXMgdGhlIGV4YW1wbGVzIGFzIHdlbGwuPGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7Jmd0OyBTZWN0 aW9uIDMuMTo8YnI+DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IFlvdSB3cml0ZTo8YnI+DQomZ3Q7 Jmd0Ozxicj4NCiZndDsmZ3Q7ICZxdW90Ozxicj4NCiZndDsmZ3Q7ICZuYnNwOyBUaGUgZm9sbG93 aW5nIG9jdGV0IHNlcXVlbmNlIGlzIHRoZSBVVEYtOCByZXByZXNlbnRhdGlvbiBvZiB0aGUgSldU PGJyPg0KJmd0OyZndDsgJm5ic3A7IEhlYWRlci9KV1MgSGVhZGVyIGFib3ZlOjxicj4NCiZndDsm Z3Q7PGJyPg0KJmd0OyZndDsgJm5ic3A7IFsxMjMsIDM0LCAxMTYsIDEyMSwgMTEyLCAzNCwgNTgs IDM0LCA3NCwgODcsIDg0LCAzNCwgNDQsIDEzLCAxMCwgMzIsPGJyPg0KJmd0OyZndDsgJm5ic3A7 IDM0LCA5NywgMTA4LCAxMDMsIDM0LCA1OCwgMzQsIDcyLCA4MywgNTAsIDUzLCA1NCwgMzQsIDEy NV08YnI+DQomZ3Q7Jmd0OyAmcXVvdDs8YnI+DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IFRoZSB2 YWx1ZXMgSU1ITyBhcmUgcmVwcmVzZW50ZWQgaW4gRGVjaW1hbCBjb2RlIHBvaW50IHJhdGhlciB0 aGFuIE9jdGFsPGJyPg0KJmd0OyZndDsgVVRGLTggYnl0ZXMsIGFzIHN0YXRlZCBhYm92ZS48YnI+ DQomZ3Q7Jmd0OyBTZWUgdGhlIGZvbGxvd2luZyBvbmxpbmUgdG9vbCB0byBzZWUgdGhlIGRpZmZl cmVuY2U6PGJyPg0KJmd0OyZndDsgPGEgaHJlZj0iaHR0cDovL3d3dy5sdGcuZWQuYWMudWsvfnJp Y2hhcmQvdXRmLTguY2dpP2lucHV0PSUyMiZhbXA7bW9kZT1jaGFyIiB0YXJnZXQ9Il9ibGFuayI+ DQpodHRwOi8vd3d3Lmx0Zy5lZC5hYy51ay9+cmljaGFyZC91dGYtOC5jZ2k/aW5wdXQ9JTIyJmFt cDttb2RlPWNoYXI8L2E+PGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7Jmd0OyBOb3RlIHRoYXQgeW91 IGNvdWxkIGFsc28gc2hvdyBhIGhleCBlbmNvZGluZyBpbnN0ZWFkIChlLmcuLCB2aWE8YnI+DQom Z3Q7Jmd0OyA8YSBocmVmPSJodHRwOi8vb3N0ZXJtaWxsZXIub3JnL2NhbGMvZW5jb2RlLmh0bWwi IHRhcmdldD0iX2JsYW5rIj5odHRwOi8vb3N0ZXJtaWxsZXIub3JnL2NhbGMvZW5jb2RlLmh0bWw8 L2E+KS4gSGl4aWUncyBkZWNvZGVyIHdvdWxkIHRoZW48YnI+DQomZ3Q7Jmd0OyBwcm9kdWNlIHRo ZSBjb3JyZWN0IGRlY29kaW5nLiBIZXJlIGlzIHRoZSBsaW5rIHRvIGhpcyBzb2Z0d2FyZTo8YnI+ DQomZ3Q7Jmd0OyA8YSBocmVmPSJodHRwOi8vc29mdHdhcmUuaGl4aWUuY2gvdXRpbGl0aWVzL2Nn aS91bmljb2RlLWRlY29kZXIvdXRmOC1kZWNvZGVyIiB0YXJnZXQ9Il9ibGFuayI+DQpodHRwOi8v c29mdHdhcmUuaGl4aWUuY2gvdXRpbGl0aWVzL2NnaS91bmljb2RlLWRlY29kZXIvdXRmOC1kZWNv ZGVyPC9hPjxicj4NCiZndDsmZ3Q7IChOb3RlIHRoYXQgdGhpcyBwcm9ncmFtIHNlZW1zIHRvIGhh dmUgZmxhd3MgZm9yIG1vc3Qgb3RoZXIgb3B0aW9ucy4pPGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7 Jmd0OyBXaGVuIGRvIGEgQmFzZTY0VVJMIGVuY29kaW5nIG9mPGJyPg0KJmd0OyZndDs8YnI+DQom Z3Q7Jmd0OyB7JnF1b3Q7dHlwJnF1b3Q7OiZxdW90O0pXVCZxdW90OywmcXVvdDthbGcmcXVvdDs6 JnF1b3Q7SFMyNTYmcXVvdDt9PGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7Jmd0OyB0aGVuIEkgZ2V0 PGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7Jmd0OyBleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJ VXpJMU5pSjk8YnI+DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IGJ1dCB5b3VyIHNwZWMgc2F5czo8 YnI+DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IGV5SjBlWEFpT2lKS1YxUWlMQTBLSUNKaGJHY2lP aUpJVXpJMU5pSjk8YnI+DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IFNhbWUgd2l0aCB7JnF1b3Q7 aXNzJnF1b3Q7OiZxdW90O2pvZSZxdW90OywmcXVvdDtleHAmcXVvdDs6MTMwMDgxOTM4MCwmcXVv dDs8YSBocmVmPSJodHRwOi8vZXhhbXBsZS5jb20vaXNfcm9vdCIgdGFyZ2V0PSJfYmxhbmsiPmh0 dHA6Ly9leGFtcGxlLmNvbS9pc19yb290PC9hPiZxdW90Ozp0cnVlfS48YnI+DQomZ3Q7Jmd0Ozxi cj4NCiZndDsmZ3Q7IE15IHJlc3VsdDo8YnI+DQomZ3Q7Jmd0OyBleUpwYzNNaU9pSnFiMlVpTENK bGVIQWlPakV6TURBNE1Ua3pPREFzSW1oMGRIQTZMeTlsZUdGdGNHeGxMbU52YlM5cGMxOXliMjkw SWpwMGNuVmxmUTxicj4NCiZndDsmZ3Q7PGJyPg0KJmd0OyZndDsgWW91ciByZXN1bHQ6PGJyPg0K Jmd0OyZndDsgZXlKcGMzTWlPaUpxYjJVaUxBMEtJQ0psZUhBaU9qRXpNREE0TVRrek9EQXNEUW9n SW1oMGRIQTZMeTlsZUdGdGNHeGxMbU52YlM5cGMxOXliMjkwSWpwMGNuVmxmUTxicj4NCiZndDs8 YnI+DQomZ3Q7IHNlZSA8YSBocmVmPSJodHRwOi8vd3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93 ZWIvb2F1dGgvY3VycmVudC9tc2cxMTU5OS5odG1sIiB0YXJnZXQ9Il9ibGFuayI+DQpodHRwOi8v d3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93ZWIvb2F1dGgvY3VycmVudC9tc2cxMTU5OS5odG1s PC9hPjxicj4NCiZndDs8YnI+DQomZ3Q7IHJlZ2FyZHM8YnI+DQomZ3Q7PGJyPg0KJmd0OyBhbnRv bmlvPGJyPg0KJmd0Ozxicj4NCiZndDsmZ3Q7PGJyPg0KJmd0OyZndDsgTm90ZTogSSBhbSB1c2lu ZyB0aGlzIG9ubGluZSB0b29sIGZvciBCYXNlNjRVUkwgZW5jb2Rpbmc6PGJyPg0KJmd0OyZndDsg PGEgaHJlZj0iaHR0cDovL2tqdXIuZ2l0aHViLmlvL2pzandzL3Rvb2xfYjY0dWVuYy5odG1sIiB0 YXJnZXQ9Il9ibGFuayI+aHR0cDovL2tqdXIuZ2l0aHViLmlvL2pzandzL3Rvb2xfYjY0dWVuYy5o dG1sPC9hPi48YnI+DQomZ3Q7Jmd0OyBJbnRlcmVzdGluZ2x5LCB3aGVuIEkgZHVtcCB0aGUgZGF0 YSBpbnRvIDxhIGhyZWY9Imh0dHA6Ly9qd3QuaW8vIiB0YXJnZXQ9Il9ibGFuayI+DQpodHRwOi8v and0LmlvLzwvYT4gdGhlbiBJIGdldCBhPGJyPg0KJmd0OyZndDsgY29ycmVjdCBkZWNvZGluZy4g SXQgbWlnaHQgd2VsbCBiZSB0aGF0IHRoZSA8YSBocmVmPSJodHRwOi8va2p1ci5naXRodWIuaW8i IHRhcmdldD0iX2JsYW5rIj4NCmtqdXIuZ2l0aHViLmlvPC9hPiBoYXMgYSBmbGF3Ljxicj4NCiZn dDsmZ3Q7PGJyPg0KJmd0OyZndDsgSnVzdCB3YW50ZWQgdG8gY2hlY2sgd2hhdCB0b29sIHlvdSBo YXZlIHVzZWQgdG8gY3JlYXRlIHRoZXNlIGVuY29kaW5ncy48YnI+DQomZ3Q7Jmd0Ozxicj4NCiZn dDsmZ3Q7PGJyPg0KJmd0OyZndDsgU2VjdGlvbiA2LjE6PGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7 Jmd0OyBUaGUgZXhhbXBsZSBpbiBTZWN0aW9uIDYuMSBpcyB0aGUgc2FtZSBhcyBpbiAzLjEuIE1h eWJlIGl0IHdvdWxkIGJlPGJyPg0KJmd0OyZndDsgdXNlZnVsIHRvIHNob3cgc29tZXRoaW5nIGRp ZmZlcmVudCBoZXJlLjxicj4NCiZndDsmZ3Q7PGJyPg0KJmd0OyZndDsgVGhlIGV4YW1wbGUgaW4g QXBwZW5kaXggQS4xIGlzIG1vcmUgc29waGlzdGljYXRlZCBzaW5jZSBpdCBkZW1vbnN0cmF0ZXM8 YnI+DQomZ3Q7Jmd0OyBlbmNyeXB0aW9uLiBUbyB2ZXJpZnkgaXQgSSB3b3VsZCBuZWVkIHRvIGhh dmUgYSBsaWJyYXJ5IHRoYXQgc3VwcG9ydHM8YnI+DQomZ3Q7Jmd0OyBKV0UgYW5kIFJTQUVTLVBL Q1MxLVYxXzUgYW5kIEFFU18xMjhfQ0JDX0hNQUNfU0hBXzI1Ni4gV2hpY2ggbGlicmFyeTxicj4N CiZndDsmZ3Q7IGhhdmUgeW91IGJlZW4gdXNpbmc/PGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7Jmd0 OyBJIHdhcyB3b25kZXJpbmcgd2hldGhlciBpdCB3b3VsZCBtYWtlIHNlbnNlIHRvIGFkZCB0d28g b3RoZXIgZXhhbXBsZXMsPGJyPg0KJmd0OyZndDsgbmFtZWx5IGZvciBpbnRlZ3JpdHkgcHJvdGVj dGlvbi4gT25lIGV4YW1wbGUgc2hvd2luZyBhbiBITUFDLWJhc2VkIGtleWVkPGJyPg0KJmd0OyZn dDsgbWVzc2FnZSBkaWdlc3QgYW5kIGFub3RoZXIgb25lIHVzaW5nIGEgZGlnaXRhbCBzaWduYXR1 cmUuPGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7Jmd0OyBIZXJlIGlzIGEgc2ltcGxlIGV4YW1wbGUg dG8gYWRkIHRoYXQgYWxtb3N0IGFsbCBKV1QgbGlicmFyaWVzIHNlZW0gdG8gYmU8YnI+DQomZ3Q7 Jmd0OyBhYmxlIHRvIGNyZWF0ZSBhbmQgdmVyaWZ5Ojxicj4NCiZndDsmZ3Q7PGJyPg0KJmd0OyZn dDsgSGVhZGVyOjxicj4NCiZndDsmZ3Q7IHsmcXVvdDthbGcmcXVvdDs6JnF1b3Q7SFMyNTYmcXVv dDssJnF1b3Q7dHlwJnF1b3Q7OiZxdW90O0pXVCZxdW90O308YnI+DQomZ3Q7Jmd0Ozxicj4NCiZn dDsmZ3Q7IEkgdXNlIHRoZSBIUzI1NiBhbGdvcml0aG0gd2l0aCBhIHNoYXJlZCBzZWNyZXQgJzEy MzQ1Jy48YnI+DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IEJvZHk6PGJyPg0KJmd0OyZndDs8YnI+ DQomZ3Q7Jmd0OyB7JnF1b3Q7aXNzJnF1b3Q7OiZxdW90OzxhIGhyZWY9Imh0dHBzOi8vYXMuZXhh bXBsZS5jb20iIHRhcmdldD0iX2JsYW5rIj5odHRwczovL2FzLmV4YW1wbGUuY29tPC9hPiZxdW90 OywmcXVvdDtzdWImcXVvdDs6JnF1b3Q7bWFpbHRvOjxhIGhyZWY9Im1haWx0bzpqb2huQGV4YW1w bGUuY29tIj5qb2huQGV4YW1wbGUuY29tPC9hPiZxdW90OywmcXVvdDtuYmYmcXVvdDs6MTM5ODQy MDc1MywmcXVvdDtleHAmcXVvdDs6MTM5ODQyNDM1MywmcXVvdDtpYXQmcXVvdDs6MTM5ODQyMDc1 M308YnI+DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IGp3dC5lbmNvZGUoeyZxdW90O2lzcyZxdW90 OzomcXVvdDs8YSBocmVmPSJodHRwczovL2FzLmV4YW1wbGUuY29tIiB0YXJnZXQ9Il9ibGFuayI+ aHR0cHM6Ly9hcy5leGFtcGxlLmNvbTwvYT4mcXVvdDssJnF1b3Q7c3ViJnF1b3Q7OiZxdW90O21h aWx0bzo8YSBocmVmPSJtYWlsdG86am9obkBleGFtcGxlLmNvbSI+am9obkBleGFtcGxlLmNvbTwv YT4mcXVvdDssJnF1b3Q7bmJmJnF1b3Q7OjEzOTg0MjA3NTMsJnF1b3Q7ZXhwJnF1b3Q7OjEzOTg0 MjQzNTMsJnF1b3Q7aWF0JnF1b3Q7OjEzOTg0MjA3NTN9LCZxdW90OzEyMzQ1JnF1b3Q7LDxicj4N CiZndDsmZ3Q7ICZxdW90O0hTMjU2JnF1b3Q7KTxicj4NCiZndDsmZ3Q7PGJyPg0KJmd0OyZndDsg SSB1c2VkIDxhIGhyZWY9Imh0dHA6Ly93d3cub25saW5lY29udmVyc2lvbi5jb20vdW5peF90aW1l Lmh0bSIgdGFyZ2V0PSJfYmxhbmsiPg0KaHR0cDovL3d3dy5vbmxpbmVjb252ZXJzaW9uLmNvbS91 bml4X3RpbWUuaHRtPC9hPiB0byBjcmVhdGUgdGhlPGJyPg0KJmd0OyZndDsgZGF0ZS90aW1lIHZh bHVlczo8YnI+DQomZ3Q7Jmd0OyAmcXVvdDtuYmYmcXVvdDs6MTM5ODQyMDc1MyAtLSZndDsgRnJp LCAyNSBBcHIgMjAxNCAxMDoxMjozMyBHTVQ8YnI+DQomZ3Q7Jmd0OyAmcXVvdDtleHAmcXVvdDs6 MTM5ODQyNDM1MyAtLSZndDsgRnJpLCAyNSBBcHIgMjAxNCAxMToxMjozMyBHTVQ8YnI+DQomZ3Q7 Jmd0OyAmcXVvdDtpYXQmcXVvdDs6MTM5ODQyMDc1MyAtLSZndDsgRnJpLCAyNSBBcHIgMjAxNCAx MDoxMjozMyBHTVQ8YnI+DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IEhlcmUgaXMgdGhlIG91dHB1 dCBjcmVhdGVkIHdpdGggPGEgaHJlZj0iaHR0cHM6Ly9naXRodWIuY29tL3Byb2dyaXVtL3B5and0 LyIgdGFyZ2V0PSJfYmxhbmsiPg0KaHR0cHM6Ly9naXRodWIuY29tL3Byb2dyaXVtL3B5and0Lzwv YT4gYW5kPGJyPg0KJmd0OyZndDsgdmVyaWZpZWQgd2l0aCA8YSBocmVmPSJodHRwOi8vand0Lmlv LyIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly9qd3QuaW8vPC9hPjo8YnI+DQomZ3Q7Jmd0OyBleUpo YkdjaU9pSklVekkxTmlJc0luUjVjQ0k2SWtwWFZDSjkuZXlKcGMzTWlPaUpvZEhSd2N6b3ZMMkZ6 TG1WNFlXMXdiR1V1WTI5dElpd2lhV0YwSWpveE16azROREl3TnpVekxDSnpkV0lpT2lKdFlXbHNk Rzg2YW05b2JrQmxlR0Z0Y0d4bExtTnZiU0lzSW1WNGNDSTZNVE01T0RReU5ETTFNeXdpYm1KbUlq b3hNems0TkRJd056VXpmUS4wZ2ZSVUlsZXk3MGJNUDdoTjZzTVdrSHdIZXpkcnYyRTFMQVZjTmRU c3E0PGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7Jmd0OyBDaWFvPGJyPg0KJmd0OyZndDsgSGFubmVz PGJyPg0KJmd0OyZndDs8YnI+DQomZ3Q7Jmd0Ozxicj4NCiZndDsmZ3Q7IF9fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fPGJyPg0KJmd0OyZndDsgT0F1dGggbWFp bGluZyBsaXN0PGJyPg0KJmd0OyZndDsgPGEgaHJlZj0ibWFpbHRvOk9BdXRoQGlldGYub3JnIj5P QXV0aEBpZXRmLm9yZzwvYT48YnI+DQomZ3Q7Jmd0OyA8YSBocmVmPSJodHRwczovL3d3dy5pZXRm Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoIiB0YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly93d3cu aWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aDwvYT48YnI+DQomZ3Q7PG86cD48L286cD48 L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1i b3R0b206MTIuMHB0Ij48YnI+DQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fXzxicj4NCk9BdXRoIG1haWxpbmcgbGlzdDxicj4NCjxhIGhyZWY9Im1haWx0bzpP QXV0aEBpZXRmLm9yZyI+T0F1dGhAaWV0Zi5vcmc8L2E+PGJyPg0KPGEgaHJlZj0iaHR0cHM6Ly93 d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aCIgdGFyZ2V0PSJfYmxhbmsiPmh0dHBz Oi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGg8L2E+PG86cD48L286cD48L3A+ DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9k aXY+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg== --_000_4E1F6AAD24975D4BA5B16804296739439A195D48TK5EX14MBXC288r_-- From nobody Fri Apr 25 10:17:46 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 315371A0659 for ; Fri, 25 Apr 2014 10:17:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wwXnDGq0fh3m for ; Fri, 25 Apr 2014 10:17:39 -0700 (PDT) Received: from na6sys009bog035.obsmtp.com (na6sys009bog035.obsmtp.com [74.125.150.109]) by ietfa.amsl.com (Postfix) with ESMTP id 1EE5B1A064B for ; Fri, 25 Apr 2014 10:17:38 -0700 (PDT) Received: from mail-ig0-f175.google.com ([209.85.213.175]) (using TLSv1) by na6sys009bob035.postini.com ([74.125.148.12]) with SMTP ID DSNKU1qYrDx62ut1DHSuCw36/BkGcq8U8K0E@postini.com; Fri, 25 Apr 2014 10:17:33 PDT Received: by mail-ig0-f175.google.com with SMTP id h3so2449131igd.14 for ; Fri, 25 Apr 2014 10:17:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=NojWeskXO613XgWCKj03lmfkUXye0uC9Tx1H9PpIFX8=; b=Ke//yxlqY4E/2OwbH1wB2RCiDun0sW832ZysWw754lX3Urzw323ON2CaWaFnx+KSIC FUi5x+oqbWwdfY1eploVlq4pdVHudxoSlYENjQJMXVcHol6vESYbbMD3gi6uKIJJH3Hu t6ZIJERnamS5AeRF0BV7way158bSwhu7+p9PTjNGES4Ny9DaISxUg65Kz2qDOt8oWS8n vSBW+gF88B2YdNvPkdIJkY+iXx7K7O+eTWucTDCPoAbqxc5rCPUn+6+oeYISPyoyHEi3 MyTVvGQ/86RD+aYKlMFy9hdQFoTQSx373wjd0r2fz7+QSK2Ts4Dhwel7u+MqbrFKBbpS Imiw== X-Gm-Message-State: ALoCoQmx8+BsZlq129aOvAOSO8C5BeGBHcmjwPypanLjqPuioKkRYfzYDjpUK/PS7fnzca8OeSUGFzSo7cLPDIpSXiOaUxyoGnCppWex1+nv1ni+jQhLsojs2QGrfQMkcWxfwbfX3xlr X-Received: by 10.42.249.8 with SMTP id mi8mr8463610icb.4.1398446252206; Fri, 25 Apr 2014 10:17:32 -0700 (PDT) X-Received: by 10.42.249.8 with SMTP id mi8mr8463602icb.4.1398446252072; Fri, 25 Apr 2014 10:17:32 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Fri, 25 Apr 2014 10:17:01 -0700 (PDT) In-Reply-To: <53590810.8000503@gmx.net> References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> From: Brian Campbell Date: Fri, 25 Apr 2014 11:17:01 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=20cf300e506917b38f04f7e124b0 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/7qF_0MR-ubKQZltKWiQK2HpwaHI Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 17:17:44 -0000 --20cf300e506917b38f04f7e124b0 Content-Type: text/plain; charset=UTF-8 I believe, from the thread referenced earlier and prior discussion and draft text, that the WG has reached (rough) consensus to require the subject claim. So text that says "Subject element MUST NOT be included" isn't workable. It seems what's needed here is some better explanation of how, in cases that need it, the value of the subject can be populated without using a PII type value. A simple static value like "ANONYMOUS-SUBJECT" could be used. Or, more likely, some kind of pairwise persistent pseudonymous identifier would be utilized, which would not directly identify the subject but would allow the relying party to recognize the same subject on subsequent transactions. A transient pseudonym might also be appropriate in some cases. And any of those approaches could be used with or without additional claims (like age > 18 or membership in some group) that get used to make an authorization decision. I wasn't sure exactly how to articulate all that in text for the draft(s) but that's more of what I was asking for when I asked if you could propose some text. On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi Brian, > > Thanks for pointing to the assertion framework document. Re-reading the > text it appears that we have listed the case that in Section 6.3.1 but > have forgotten to cover it elsewhere in the document. > > > In Section 6.3.1 we say: > > " > > 6.3.1. Client Acting on Behalf of an Anonymous User > > When a client is accessing resources on behalf of an anonymous user, > the Subject indicates to the Authorization Server that the client is > acting on-behalf of an anonymous user as defined by the Authorization > Server. It is implied that authorization is based upon additional > criteria, such as additional attributes or claims provided in the > assertion. For example, a client may present an assertion from a > trusted issuer asserting that the bearer is over 18 via an included > claim. > > ***** > In this case, no additional information about the user's > identity is included, yet all the data needed to issue an access > token is present. > ***** > " > (I marked the relevant part with '***') > > > In Section 5.2, however, we say: > > > o The assertion MUST contain a Subject. The Subject identifies an > authorized accessor for which the access token is being requested > (typically the resource owner, or an authorized delegate). When > the client is acting on behalf of itself, the Subject MUST be the > value of the client's "client_id". > > > What we should have done in Section 5.2 is to expand the cases inline > with what we have written in Section 6. > > Here is my proposed text: > > " > o The assertion MUST contain a Subject. The Subject identifies an > authorized accessor for which the access token is being requested > (typically the resource owner, or an authorized delegate). > > > When the client is acting on behalf of itself, as described in Section > 6.1 and Section 6.2, the Subject MUST be the value of the client's > "client_id". > > When the client is acting on behalf of an user, as described in Section > 6.3, the Subject element MUST be included in the assertion and > identifies an authorized accessor for which the access token is being > requested. > > When the client is acting on behalf of an anonymous user, as described > in Section 6.3.1, the Subject element MUST NOT be included in the > assertion. Other elements within the assertion will, however, provide > enough information for the authorization server to make an authorization > decision. > " > > Does this make sense to you? > > Ciao > Hannes > > > On 04/24/2014 02:30 PM, Brian Campbell wrote: > > There is some discussion of that case in the assertion framework > > document at > > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 > > > > Do you feel that more is needed? If so, can you propose some text? > > > > > > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig > > > wrote: > > > > Hi Brian, > > > > I read through the thread and the Google case is a bit different > since > > they are using the client authentication part of the JWT bearer spec. > > There I don't see the privacy concerns either. > > > > I am, however, focused on the authorization grant where the subject > is > > in most cases the resource owner. > > > > It is possible to put garbage into the subject element when privacy > > protection is needed for the resource owner case but that would need > to > > be described in the document; currently it is not there. > > > > Ciao > > Hannes > > > > > > On 04/24/2014 12:37 AM, Brian Campbell wrote: > > > That thread that Antonio started which you reference went on for > some > > > time > > > > > ( > http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) > > > and seems to have reached consensus that the spec didn't need > > normative > > > change and that such privacy cases or other cases which didn't > > > explicitly need a subject identifier would be more appropriately > dealt > > > with in application logic: > > > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html > > > > > > > > > > > > > > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig > > > > > > >> wrote: > > > > > > Hi all, > > > > > > in preparing the shepherd write-up for > > draft-ietf-oauth-jwt-bearer-08 I > > > had to review our recent email conversations and the issue > > raised by > > > Antonio in > > > > > http://www.ietf.org/mail-archive/web/oauth/current/msg12520.htmlbelong > > > to it. > > > > > > The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-08 > > says: > > > " > > > 2. The JWT MUST contain a "sub" (subject) claim > > identifying the > > > principal that is the subject of the JWT. Two cases > > need to be > > > differentiated: > > > > > > A. For the authorization grant, the subject SHOULD > > identify an > > > authorized accessor for whom the access token is > being > > > requested (typically the resource owner, or an > > authorized > > > delegate). > > > > > > B. For client authentication, the subject MUST be the > > > "client_id" of the OAuth client. > > > " > > > > > > Antonio pointed to the current Google API to illustrate that > > the subject > > > is not always needed. Here is the Google API documentation: > > > > https://developers.google.com/accounts/docs/OAuth2ServiceAccount > > > > > > The Google API used the client authentication part (rather > > than the > > > authorization grant), in my understanding. > > > > > > I still believe that the subject field has to be included for > > client > > > authentication but I am not so sure anymore about the > > authorization > > > grant since I could very well imagine cases where the subject > > is not > > > needed for authorization decisions but also for privacy > reasons. > > > > > > I would therefore suggest to change the text as follows: > > > > > > " > > > 2. The JWT contains a "sub" (subject) claim identifying > the > > > principal that is the subject of the JWT. Two cases > > need to be > > > differentiated: > > > > > > A. For the authorization grant, the subject claim MAY > > > be included. If it is included it MUST identify the > > > authorized accessor for whom the access token is > being > > > requested (typically the resource owner, or an > > authorized > > > delegate). Reasons for not including the subject > claim > > > in the JWT are identity hiding (i.e., privacy > > protection > > > of the identifier of the subject) and cases where > > > the identifier of the subject is irrelevant for > making > > > an authorization decision by the resource server. > > > > > > B. For client authentication, the subject MUST be the > > > included in the JWT and the value MUST be populated > > > with the "client_id" of the OAuth client. > > > " > > > > > > What do you guys think? > > > > > > Ciao > > > Hannes > > > > > > > > > _______________________________________________ > > > OAuth mailing list > > > OAuth@ietf.org > > > > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > > > > > > --20cf300e506917b38f04f7e124b0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
I believe, from the thread referenced earlier an= d prior discussion and draft text, that the WG has reached (rough) consensu= s to require the subject claim. So text that says "Subject element MUS= T NOT be included" isn't workable.

It seems what's needed here is some better explanation of how= , in cases that need it, the value of the subject can be populated without = using a PII type value. A simple static value like "ANONYMOUS-SUBJECT&= quot; could be used. Or, more likely, some kind of pairwise persistent pseu= donymous identifier would be utilized, which would not directly identify th= e subject but would allow the relying party to recognize the same subject o= n subsequent transactions. A transient pseudonym might also be appropriate = in some cases. And any of those approaches could be used with or without ad= ditional claims (like age > 18 or membership in some group) that get use= d to make an authorization decision.=C2=A0

I wasn't sure exactly how to articulate all that in text for = the draft(s) but that's more of what I was asking for when I asked if y= ou could propose some text.






O= n Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig <hannes.tschofen= ig@gmx.net> wrote:
Hi Brian,

Thanks for pointing to the assertion framework document. Re-reading the
text it appears that we have listed the case that in Section 6.3.1 but
have forgotten to cover it elsewhere in the document.


In Section 6.3.1 we say:

"

6.3.1. =C2=A0Client Acting on Behalf of an Anonymous User

=C2=A0 =C2=A0When a client is accessing resources on behalf of an anonymous= user,
=C2=A0 =C2=A0the Subject indicates to the Authorization Server that the cli= ent is
=C2=A0 =C2=A0acting on-behalf of an anonymous user as defined by the Author= ization
=C2=A0 =C2=A0Server. =C2=A0It is implied that authorization is based upon a= dditional
=C2=A0 =C2=A0criteria, such as additional attributes or claims provided in = the
=C2=A0 =C2=A0assertion. =C2=A0For example, a client may present an assertio= n from a
=C2=A0 =C2=A0trusted issuer asserting that the bearer is over 18 via an inc= luded
=C2=A0 =C2=A0claim.

*****
=C2=A0 =C2=A0 In this case, no additional information about the user's<= br> =C2=A0 =C2=A0identity is included, yet all the data needed to issue an acce= ss
=C2=A0 =C2=A0token is present.
*****
"
(I marked the relevant part with '***')


In Section 5.2, however, we say:


=C2=A0 =C2=A0o =C2=A0The assertion MUST contain a Subject. =C2=A0The Subjec= t identifies an
=C2=A0 =C2=A0 =C2=A0 authorized accessor for which the access token is bein= g requested
=C2=A0 =C2=A0 =C2=A0 (typically the resource owner, or an authorized delega= te). =C2=A0When
=C2=A0 =C2=A0 =C2=A0 the client is acting on behalf of itself, the Subject = MUST be the
=C2=A0 =C2=A0 =C2=A0 value of the client's "client_id".


What we should have done in Section 5.2 is to expand the cases inline
with what we have written in Section 6.

Here is my proposed text:

"
o =C2=A0The assertion MUST contain a Subject. =C2=A0The Subject identifies = an
authorized accessor for which the access token is being requested
(typically the resource owner, or an authorized delegate).<= br>

When the client is acting on behalf of itself, as described in Sectio= n
6.1 and Section 6.2, the Subject MUST be the value of the client's
"client_id".

When the client is acting on behalf of an user, as described in Section
6.3, the Subject element MUST be included in the assertion and
identifies an authorized accessor for which the access token is being
requested.

When the client is acting on behalf of an anonymous user, as described
in Section 6.3.1, the Subject element MUST NOT be included in the
assertion. Other elements within the assertion will, however, provide
enough information for the authorization server to make an authorization decision.
"

Does this make sense to you?

Ciao
Hannes


On 04/24/2014 02:30 PM, Brian Campbell wrote:
> There is some discussion of that case in the assertion framework
> document at
> http://tools.ietf.org/html/draft-ietf-oauth= -assertions-15#section-6.3.1
>
> Do you feel that more is needed? If so, can you propose some text?
>
>
> On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>
> =C2=A0 =C2=A0 Hi Brian,
>
> =C2=A0 =C2=A0 I read through the thread and the Google case is a bit d= ifferent since
> =C2=A0 =C2=A0 they are using the client authentication part of the JWT= bearer spec.
> =C2=A0 =C2=A0 There I don't see the privacy concerns either.
>
> =C2=A0 =C2=A0 I am, however, focused on the authorization grant where = the subject is
> =C2=A0 =C2=A0 in most cases the resource owner.
>
> =C2=A0 =C2=A0 It is possible to put garbage into the subject element w= hen privacy
> =C2=A0 =C2=A0 protection is needed for the resource owner case but tha= t would need to
> =C2=A0 =C2=A0 be described in the document; currently it is not there.=
>
> =C2=A0 =C2=A0 Ciao
> =C2=A0 =C2=A0 Hannes
>
>
> =C2=A0 =C2=A0 On 04/24/2014 12:37 AM, Brian Campbell wrote:
> =C2=A0 =C2=A0 > That thread that Antonio started which you referenc= e went on for some
> =C2=A0 =C2=A0 > time
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 (http://www.ietf.org/mail-archi= ve/web/oauth/current/threads.html#12520)
> =C2=A0 =C2=A0 > and seems to have reached consensus that the spec d= idn't need
> =C2=A0 =C2=A0 normative
> =C2=A0 =C2=A0 > change and that such privacy cases or other cases w= hich didn't
> =C2=A0 =C2=A0 > explicitly need a subject identifier would be more = appropriately dealt
> =C2=A0 =C2=A0 > with in application logic:
> =C2=A0 =C2=A0 > http://www.ietf.org/mail-archiv= e/web/oauth/current/msg12538.html
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig<= br> > =C2=A0 =C2=A0 > <ha= nnes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>
> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net
> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>>> wrote:
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hi all,
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 in preparing the shepherd write-up fo= r
> =C2=A0 =C2=A0 draft-ietf-oauth-jwt-bearer-08 I
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 had to review our recent email conver= sations and the issue
> =C2=A0 =C2=A0 raised by
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Antonio in
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 http://www.ietf.org/mail-archive/web= /oauth/current/msg12520.html belong
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 to it.
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 The issue was that Section 3 of draft= -ietf-oauth-jwt-bearer-08
> =C2=A0 =C2=A0 says:
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A02. =C2=A0 The JWT MUST c= ontain a "sub" (subject) claim
> =C2=A0 =C2=A0 identifying the
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 principal= that is the subject of the JWT. =C2=A0Two cases
> =C2=A0 =C2=A0 need to be
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 different= iated:
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 A. =C2=A0= For the authorization grant, the subject SHOULD
> =C2=A0 =C2=A0 identify an
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 authorized accessor for whom the access token is being
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 requested (typically the resource owner, or an
> =C2=A0 =C2=A0 authorized
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 delegate).
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 B. =C2=A0= For client authentication, the subject MUST be the
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 "client_id" of the OAuth client.
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Antonio pointed to the current Google= API to illustrate that
> =C2=A0 =C2=A0 the subject
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 is not always needed. Here is the Goo= gle API documentation:
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 https://developer= s.google.com/accounts/docs/OAuth2ServiceAccount
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 The Google API used the client authen= tication part (rather
> =C2=A0 =C2=A0 than the
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorization grant), in my understan= ding.
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I still believe that the subject fiel= d has to be included for
> =C2=A0 =C2=A0 client
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authentication but I am not so sure a= nymore about the
> =C2=A0 =C2=A0 authorization
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 grant since I could very well imagine= cases where the subject
> =C2=A0 =C2=A0 is not
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 needed for authorization decisions bu= t also for privacy reasons.
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I would therefore suggest to change t= he text as follows:
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A02. =C2=A0 The JWT contai= ns a "sub" (subject) claim identifying the
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 principal= that is the subject of the JWT. =C2=A0Two cases
> =C2=A0 =C2=A0 need to be
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 different= iated:
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 A. =C2=A0= For the authorization grant, the subject claim MAY
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 be included. If it is included it MUST identify the
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 authorized accessor for whom the access token is being
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 requested (typically the resource owner, or an
> =C2=A0 =C2=A0 authorized
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 delegate). Reasons for not including the subject claim
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 in the JWT are identity hiding (i.e., privacy
> =C2=A0 =C2=A0 protection
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 of the identifier of the subject) and cases where
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 the identifier of the subject is irrelevant for making
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 an authorization decision by the resource server.
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 B. =C2=A0= For client authentication, the subject MUST be the
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 included in the JWT and the value MUST be populated
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 with the "client_id" of the OAuth client.
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 What do you guys think?
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Ciao
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hannes
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 _____________________________________= __________
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 OAuth mailing list
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 OAuth@ietf.org <mailto:OA= uth@ietf.org> <mailto:OAuth@iet= f.org
> =C2=A0 =C2=A0 <mailto:OAuth@ietf.= org>>
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 https://www.ietf.org/mailman/listinfo/= oauth
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 >
>
>


--20cf300e506917b38f04f7e124b0-- From nobody Fri Apr 25 11:08:26 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A329D1A05C3 for ; Fri, 25 Apr 2014 11:08:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhJyXu1PSBg8 for ; Fri, 25 Apr 2014 11:08:16 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0188.outbound.protection.outlook.com [207.46.163.188]) by ietfa.amsl.com (Postfix) with ESMTP id AB3A21A03FC for ; Fri, 25 Apr 2014 11:08:15 -0700 (PDT) Received: from DM2PR03CA009.namprd03.prod.outlook.com (10.141.52.157) by BL2PR03MB618.namprd03.prod.outlook.com (10.255.109.43) with Microsoft SMTP Server (TLS) id 15.0.929.12; Fri, 25 Apr 2014 18:08:07 +0000 Received: from BL2FFO11FD018.protection.gbl (2a01:111:f400:7c09::142) by DM2PR03CA009.outlook.office365.com (2a01:111:e400:2414::29) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Fri, 25 Apr 2014 18:08:06 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD018.mail.protection.outlook.com (10.173.161.36) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Fri, 25 Apr 2014 18:08:05 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0174.002; Fri, 25 Apr 2014 18:07:28 +0000 From: Mike Jones To: Brian Campbell , Hannes Tschofenig Thread-Topic: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue Thread-Index: AQHPXs/pjC9GpnZqh0Gb1vg2sid3k5sfy5eAgACPJACAAFmxgIAABOAAgAHda4CAAA0wQA== Date: Fri, 25 Apr 2014 18:07:27 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.34] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A1960AATK5EX14MBXC288r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(377454003)(479174003)(199002)(189002)(51704005)(52604005)(53754006)(24454002)(19300405004)(16236675002)(71186001)(44976005)(87936001)(2656002)(15202345003)(86612001)(80022001)(81542001)(66066001)(512874002)(81342001)(551934002)(15975445006)(86362001)(19580405001)(83322001)(6806004)(80976001)(19580395003)(76176999)(54356999)(50986999)(79102001)(76482001)(55846006)(33656001)(97736001)(85852003)(20776003)(99396002)(31966008)(74662001)(74502001)(46102001)(84326002)(77982001)(92726001)(2009001)(83072002)(92566001)(84676001)(4396001); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB618; H:mail.microsoft.com; FPR:E6F0F1F4.ACFA9390.F2D77D75.42F72972.20602; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0192E812EC Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/eWuZLuRYldrgPKQM0QHyLXBA5Us Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 18:08:21 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A1960AATK5EX14MBXC288r_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SSBhZ3JlZS4gIFdl4oCZZCBhbHJlYWR5IGRpc2N1c3NlZCB0aGlzIHByZXR0eSBleHRlbnNpdmVs eSBhbmQgcmVhY2hlZCB0aGUgY29uY2x1c2lvbiB0aGF0IGFsd2F5cyByZXF1aXJpbmcgYm90aCBh biBpc3N1ZXIgYW5kIGEgc3ViamVjdCBib3RoIGtlcHQgdGhlIHNwZWNzIHNpbXBsZXIgYW5kIHdh cyBsaWtlbHkgdG8gaW1wcm92ZSBpbnRlcm9wZXJhYmlsaXR5Lg0KDQpJdOKAmXMgZW50aXJlbHkg dXAgdG8gdGhlIGFwcGxpY2F0aW9uIHByb2ZpbGUgd2hhdCB0aGUgY29udGVudHMgb2YgdGhlIGlz c3VlciBhbmQgdGhlIHN1YmplY3QgZmllbGRzIGFyZSBhbmQgc28gSSBkb27igJl0IHRoaW5rIHdl IG5lZWQgdG8gZnVydGhlciBzcGVjaWZ5IHRoZWlyIGNvbnRlbnRzIGJleW9uZCB3aGF04oCZcyBh bHJlYWR5IGluIHRoZSBzcGVjcy4NCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgLS0gTWlrZQ0KDQpGcm9tOiBPQXV0aCBbbWFpbHRv Om9hdXRoLWJvdW5jZXNAaWV0Zi5vcmddIE9uIEJlaGFsZiBPZiBCcmlhbiBDYW1wYmVsbA0KU2Vu dDogRnJpZGF5LCBBcHJpbCAyNSwgMjAxNCAxMDoxNyBBTQ0KVG86IEhhbm5lcyBUc2Nob2Zlbmln DQpDYzogb2F1dGhAaWV0Zi5vcmcNClN1YmplY3Q6IFJlOiBbT0FVVEgtV0ddIGRyYWZ0LWlldGYt b2F1dGgtand0LWJlYXJlci0wOCAmIHN1YmplY3QgaXNzdWUNCg0KSSBiZWxpZXZlLCBmcm9tIHRo ZSB0aHJlYWQgcmVmZXJlbmNlZCBlYXJsaWVyIGFuZCBwcmlvciBkaXNjdXNzaW9uIGFuZCBkcmFm dCB0ZXh0LCB0aGF0IHRoZSBXRyBoYXMgcmVhY2hlZCAocm91Z2gpIGNvbnNlbnN1cyB0byByZXF1 aXJlIHRoZSBzdWJqZWN0IGNsYWltLiBTbyB0ZXh0IHRoYXQgc2F5cyAiU3ViamVjdCBlbGVtZW50 IE1VU1QgTk9UIGJlIGluY2x1ZGVkIiBpc24ndCB3b3JrYWJsZS4NCkl0IHNlZW1zIHdoYXQncyBu ZWVkZWQgaGVyZSBpcyBzb21lIGJldHRlciBleHBsYW5hdGlvbiBvZiBob3csIGluIGNhc2VzIHRo YXQgbmVlZCBpdCwgdGhlIHZhbHVlIG9mIHRoZSBzdWJqZWN0IGNhbiBiZSBwb3B1bGF0ZWQgd2l0 aG91dCB1c2luZyBhIFBJSSB0eXBlIHZhbHVlLiBBIHNpbXBsZSBzdGF0aWMgdmFsdWUgbGlrZSAi QU5PTllNT1VTLVNVQkpFQ1QiIGNvdWxkIGJlIHVzZWQuIE9yLCBtb3JlIGxpa2VseSwgc29tZSBr aW5kIG9mIHBhaXJ3aXNlIHBlcnNpc3RlbnQgcHNldWRvbnltb3VzIGlkZW50aWZpZXIgd291bGQg YmUgdXRpbGl6ZWQsIHdoaWNoIHdvdWxkIG5vdCBkaXJlY3RseSBpZGVudGlmeSB0aGUgc3ViamVj dCBidXQgd291bGQgYWxsb3cgdGhlIHJlbHlpbmcgcGFydHkgdG8gcmVjb2duaXplIHRoZSBzYW1l IHN1YmplY3Qgb24gc3Vic2VxdWVudCB0cmFuc2FjdGlvbnMuIEEgdHJhbnNpZW50IHBzZXVkb255 bSBtaWdodCBhbHNvIGJlIGFwcHJvcHJpYXRlIGluIHNvbWUgY2FzZXMuIEFuZCBhbnkgb2YgdGhv c2UgYXBwcm9hY2hlcyBjb3VsZCBiZSB1c2VkIHdpdGggb3Igd2l0aG91dCBhZGRpdGlvbmFsIGNs YWltcyAobGlrZSBhZ2UgPiAxOCBvciBtZW1iZXJzaGlwIGluIHNvbWUgZ3JvdXApIHRoYXQgZ2V0 IHVzZWQgdG8gbWFrZSBhbiBhdXRob3JpemF0aW9uIGRlY2lzaW9uLg0KSSB3YXNuJ3Qgc3VyZSBl eGFjdGx5IGhvdyB0byBhcnRpY3VsYXRlIGFsbCB0aGF0IGluIHRleHQgZm9yIHRoZSBkcmFmdChz KSBidXQgdGhhdCdzIG1vcmUgb2Ygd2hhdCBJIHdhcyBhc2tpbmcgZm9yIHdoZW4gSSBhc2tlZCBp ZiB5b3UgY291bGQgcHJvcG9zZSBzb21lIHRleHQuDQoNCg0KDQoNCk9uIFRodSwgQXByIDI0LCAy MDE0IGF0IDY6NDggQU0sIEhhbm5lcyBUc2Nob2ZlbmlnIDxoYW5uZXMudHNjaG9mZW5pZ0BnbXgu bmV0PG1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0Pj4gd3JvdGU6DQpIaSBCcmlhbiwN Cg0KVGhhbmtzIGZvciBwb2ludGluZyB0byB0aGUgYXNzZXJ0aW9uIGZyYW1ld29yayBkb2N1bWVu dC4gUmUtcmVhZGluZyB0aGUNCnRleHQgaXQgYXBwZWFycyB0aGF0IHdlIGhhdmUgbGlzdGVkIHRo ZSBjYXNlIHRoYXQgaW4gU2VjdGlvbiA2LjMuMSBidXQNCmhhdmUgZm9yZ290dGVuIHRvIGNvdmVy IGl0IGVsc2V3aGVyZSBpbiB0aGUgZG9jdW1lbnQuDQoNCg0KSW4gU2VjdGlvbiA2LjMuMSB3ZSBz YXk6DQoNCiINCg0KNi4zLjEuICBDbGllbnQgQWN0aW5nIG9uIEJlaGFsZiBvZiBhbiBBbm9ueW1v dXMgVXNlcg0KDQogICBXaGVuIGEgY2xpZW50IGlzIGFjY2Vzc2luZyByZXNvdXJjZXMgb24gYmVo YWxmIG9mIGFuIGFub255bW91cyB1c2VyLA0KICAgdGhlIFN1YmplY3QgaW5kaWNhdGVzIHRvIHRo ZSBBdXRob3JpemF0aW9uIFNlcnZlciB0aGF0IHRoZSBjbGllbnQgaXMNCiAgIGFjdGluZyBvbi1i ZWhhbGYgb2YgYW4gYW5vbnltb3VzIHVzZXIgYXMgZGVmaW5lZCBieSB0aGUgQXV0aG9yaXphdGlv bg0KICAgU2VydmVyLiAgSXQgaXMgaW1wbGllZCB0aGF0IGF1dGhvcml6YXRpb24gaXMgYmFzZWQg dXBvbiBhZGRpdGlvbmFsDQogICBjcml0ZXJpYSwgc3VjaCBhcyBhZGRpdGlvbmFsIGF0dHJpYnV0 ZXMgb3IgY2xhaW1zIHByb3ZpZGVkIGluIHRoZQ0KICAgYXNzZXJ0aW9uLiAgRm9yIGV4YW1wbGUs IGEgY2xpZW50IG1heSBwcmVzZW50IGFuIGFzc2VydGlvbiBmcm9tIGENCiAgIHRydXN0ZWQgaXNz dWVyIGFzc2VydGluZyB0aGF0IHRoZSBiZWFyZXIgaXMgb3ZlciAxOCB2aWEgYW4gaW5jbHVkZWQN CiAgIGNsYWltLg0KDQoqKioqKg0KICAgIEluIHRoaXMgY2FzZSwgbm8gYWRkaXRpb25hbCBpbmZv cm1hdGlvbiBhYm91dCB0aGUgdXNlcidzDQogICBpZGVudGl0eSBpcyBpbmNsdWRlZCwgeWV0IGFs bCB0aGUgZGF0YSBuZWVkZWQgdG8gaXNzdWUgYW4gYWNjZXNzDQogICB0b2tlbiBpcyBwcmVzZW50 Lg0KKioqKioNCiINCihJIG1hcmtlZCB0aGUgcmVsZXZhbnQgcGFydCB3aXRoICcqKionKQ0KDQoN CkluIFNlY3Rpb24gNS4yLCBob3dldmVyLCB3ZSBzYXk6DQoNCg0KICAgbyAgVGhlIGFzc2VydGlv biBNVVNUIGNvbnRhaW4gYSBTdWJqZWN0LiAgVGhlIFN1YmplY3QgaWRlbnRpZmllcyBhbg0KICAg ICAgYXV0aG9yaXplZCBhY2Nlc3NvciBmb3Igd2hpY2ggdGhlIGFjY2VzcyB0b2tlbiBpcyBiZWlu ZyByZXF1ZXN0ZWQNCiAgICAgICh0eXBpY2FsbHkgdGhlIHJlc291cmNlIG93bmVyLCBvciBhbiBh dXRob3JpemVkIGRlbGVnYXRlKS4gIFdoZW4NCiAgICAgIHRoZSBjbGllbnQgaXMgYWN0aW5nIG9u IGJlaGFsZiBvZiBpdHNlbGYsIHRoZSBTdWJqZWN0IE1VU1QgYmUgdGhlDQogICAgICB2YWx1ZSBv ZiB0aGUgY2xpZW50J3MgImNsaWVudF9pZCIuDQoNCg0KV2hhdCB3ZSBzaG91bGQgaGF2ZSBkb25l IGluIFNlY3Rpb24gNS4yIGlzIHRvIGV4cGFuZCB0aGUgY2FzZXMgaW5saW5lDQp3aXRoIHdoYXQg d2UgaGF2ZSB3cml0dGVuIGluIFNlY3Rpb24gNi4NCg0KSGVyZSBpcyBteSBwcm9wb3NlZCB0ZXh0 Og0KDQoiDQpvICBUaGUgYXNzZXJ0aW9uIE1VU1QgY29udGFpbiBhIFN1YmplY3QuICBUaGUgU3Vi amVjdCBpZGVudGlmaWVzIGFuDQphdXRob3JpemVkIGFjY2Vzc29yIGZvciB3aGljaCB0aGUgYWNj ZXNzIHRva2VuIGlzIGJlaW5nIHJlcXVlc3RlZA0KKHR5cGljYWxseSB0aGUgcmVzb3VyY2Ugb3du ZXIsIG9yIGFuIGF1dGhvcml6ZWQgZGVsZWdhdGUpLg0KDQpXaGVuIHRoZSBjbGllbnQgaXMgYWN0 aW5nIG9uIGJlaGFsZiBvZiBpdHNlbGYsIGFzIGRlc2NyaWJlZCBpbiBTZWN0aW9uDQo2LjEgYW5k IFNlY3Rpb24gNi4yLCB0aGUgU3ViamVjdCBNVVNUIGJlIHRoZSB2YWx1ZSBvZiB0aGUgY2xpZW50 J3MNCiJjbGllbnRfaWQiLg0KDQpXaGVuIHRoZSBjbGllbnQgaXMgYWN0aW5nIG9uIGJlaGFsZiBv ZiBhbiB1c2VyLCBhcyBkZXNjcmliZWQgaW4gU2VjdGlvbg0KNi4zLCB0aGUgU3ViamVjdCBlbGVt ZW50IE1VU1QgYmUgaW5jbHVkZWQgaW4gdGhlIGFzc2VydGlvbiBhbmQNCmlkZW50aWZpZXMgYW4g YXV0aG9yaXplZCBhY2Nlc3NvciBmb3Igd2hpY2ggdGhlIGFjY2VzcyB0b2tlbiBpcyBiZWluZw0K cmVxdWVzdGVkLg0KDQpXaGVuIHRoZSBjbGllbnQgaXMgYWN0aW5nIG9uIGJlaGFsZiBvZiBhbiBh bm9ueW1vdXMgdXNlciwgYXMgZGVzY3JpYmVkDQppbiBTZWN0aW9uIDYuMy4xLCB0aGUgU3ViamVj dCBlbGVtZW50IE1VU1QgTk9UIGJlIGluY2x1ZGVkIGluIHRoZQ0KYXNzZXJ0aW9uLiBPdGhlciBl bGVtZW50cyB3aXRoaW4gdGhlIGFzc2VydGlvbiB3aWxsLCBob3dldmVyLCBwcm92aWRlDQplbm91 Z2ggaW5mb3JtYXRpb24gZm9yIHRoZSBhdXRob3JpemF0aW9uIHNlcnZlciB0byBtYWtlIGFuIGF1 dGhvcml6YXRpb24NCmRlY2lzaW9uLg0KIg0KDQpEb2VzIHRoaXMgbWFrZSBzZW5zZSB0byB5b3U/ DQoNCkNpYW8NCkhhbm5lcw0KDQoNCk9uIDA0LzI0LzIwMTQgMDI6MzAgUE0sIEJyaWFuIENhbXBi ZWxsIHdyb3RlOg0KPiBUaGVyZSBpcyBzb21lIGRpc2N1c3Npb24gb2YgdGhhdCBjYXNlIGluIHRo ZSBhc3NlcnRpb24gZnJhbWV3b3JrDQo+IGRvY3VtZW50IGF0DQo+IGh0dHA6Ly90b29scy5pZXRm Lm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtYXNzZXJ0aW9ucy0xNSNzZWN0aW9uLTYuMy4xDQo+ DQo+IERvIHlvdSBmZWVsIHRoYXQgbW9yZSBpcyBuZWVkZWQ/IElmIHNvLCBjYW4geW91IHByb3Bv c2Ugc29tZSB0ZXh0Pw0KPg0KPg0KPiBPbiBUaHUsIEFwciAyNCwgMjAxNCBhdCAxOjA5IEFNLCBI YW5uZXMgVHNjaG9mZW5pZw0KPiA8aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldDxtYWlsdG86aGFu bmVzLnRzY2hvZmVuaWdAZ214Lm5ldD4gPG1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0 PG1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0Pj4+IHdyb3RlOg0KPg0KPiAgICAgSGkg QnJpYW4sDQo+DQo+ICAgICBJIHJlYWQgdGhyb3VnaCB0aGUgdGhyZWFkIGFuZCB0aGUgR29vZ2xl IGNhc2UgaXMgYSBiaXQgZGlmZmVyZW50IHNpbmNlDQo+ICAgICB0aGV5IGFyZSB1c2luZyB0aGUg Y2xpZW50IGF1dGhlbnRpY2F0aW9uIHBhcnQgb2YgdGhlIEpXVCBiZWFyZXIgc3BlYy4NCj4gICAg IFRoZXJlIEkgZG9uJ3Qgc2VlIHRoZSBwcml2YWN5IGNvbmNlcm5zIGVpdGhlci4NCj4NCj4gICAg IEkgYW0sIGhvd2V2ZXIsIGZvY3VzZWQgb24gdGhlIGF1dGhvcml6YXRpb24gZ3JhbnQgd2hlcmUg dGhlIHN1YmplY3QgaXMNCj4gICAgIGluIG1vc3QgY2FzZXMgdGhlIHJlc291cmNlIG93bmVyLg0K Pg0KPiAgICAgSXQgaXMgcG9zc2libGUgdG8gcHV0IGdhcmJhZ2UgaW50byB0aGUgc3ViamVjdCBl bGVtZW50IHdoZW4gcHJpdmFjeQ0KPiAgICAgcHJvdGVjdGlvbiBpcyBuZWVkZWQgZm9yIHRoZSBy ZXNvdXJjZSBvd25lciBjYXNlIGJ1dCB0aGF0IHdvdWxkIG5lZWQgdG8NCj4gICAgIGJlIGRlc2Ny aWJlZCBpbiB0aGUgZG9jdW1lbnQ7IGN1cnJlbnRseSBpdCBpcyBub3QgdGhlcmUuDQo+DQo+ICAg ICBDaWFvDQo+ICAgICBIYW5uZXMNCj4NCj4NCj4gICAgIE9uIDA0LzI0LzIwMTQgMTI6MzcgQU0s IEJyaWFuIENhbXBiZWxsIHdyb3RlOg0KPiAgICAgPiBUaGF0IHRocmVhZCB0aGF0IEFudG9uaW8g c3RhcnRlZCB3aGljaCB5b3UgcmVmZXJlbmNlIHdlbnQgb24gZm9yIHNvbWUNCj4gICAgID4gdGlt ZQ0KPiAgICAgPg0KPiAgICAgKGh0dHA6Ly93d3cuaWV0Zi5vcmcvbWFpbC1hcmNoaXZlL3dlYi9v YXV0aC9jdXJyZW50L3RocmVhZHMuaHRtbCMxMjUyMCkNCj4gICAgID4gYW5kIHNlZW1zIHRvIGhh dmUgcmVhY2hlZCBjb25zZW5zdXMgdGhhdCB0aGUgc3BlYyBkaWRuJ3QgbmVlZA0KPiAgICAgbm9y bWF0aXZlDQo+ICAgICA+IGNoYW5nZSBhbmQgdGhhdCBzdWNoIHByaXZhY3kgY2FzZXMgb3Igb3Ro ZXIgY2FzZXMgd2hpY2ggZGlkbid0DQo+ICAgICA+IGV4cGxpY2l0bHkgbmVlZCBhIHN1YmplY3Qg aWRlbnRpZmllciB3b3VsZCBiZSBtb3JlIGFwcHJvcHJpYXRlbHkgZGVhbHQNCj4gICAgID4gd2l0 aCBpbiBhcHBsaWNhdGlvbiBsb2dpYzoNCj4gICAgID4gaHR0cDovL3d3dy5pZXRmLm9yZy9tYWls LWFyY2hpdmUvd2ViL29hdXRoL2N1cnJlbnQvbXNnMTI1MzguaHRtbA0KPiAgICAgPg0KPiAgICAg Pg0KPiAgICAgPg0KPiAgICAgPg0KPiAgICAgPiBPbiBXZWQsIEFwciAyMywgMjAxNCBhdCAyOjM5 IEFNLCBIYW5uZXMgVHNjaG9mZW5pZw0KPiAgICAgPiA8aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5l dDxtYWlsdG86aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldD4gPG1haWx0bzpoYW5uZXMudHNjaG9m ZW5pZ0BnbXgubmV0PG1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0Pj4NCj4gICAgIDxt YWlsdG86aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldDxtYWlsdG86aGFubmVzLnRzY2hvZmVuaWdA Z214Lm5ldD4NCj4gICAgIDxtYWlsdG86aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldDxtYWlsdG86 aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldD4+Pj4gd3JvdGU6DQo+ICAgICA+DQo+ICAgICA+ICAg ICBIaSBhbGwsDQo+ICAgICA+DQo+ICAgICA+ICAgICBpbiBwcmVwYXJpbmcgdGhlIHNoZXBoZXJk IHdyaXRlLXVwIGZvcg0KPiAgICAgZHJhZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyLTA4IEkNCj4g ICAgID4gICAgIGhhZCB0byByZXZpZXcgb3VyIHJlY2VudCBlbWFpbCBjb252ZXJzYXRpb25zIGFu ZCB0aGUgaXNzdWUNCj4gICAgIHJhaXNlZCBieQ0KPiAgICAgPiAgICAgQW50b25pbyBpbg0KPiAg ICAgPg0KPiAgICAgaHR0cDovL3d3dy5pZXRmLm9yZy9tYWlsLWFyY2hpdmUvd2ViL29hdXRoL2N1 cnJlbnQvbXNnMTI1MjAuaHRtbCBiZWxvbmcNCj4gICAgID4gICAgIHRvIGl0Lg0KPiAgICAgPg0K PiAgICAgPiAgICAgVGhlIGlzc3VlIHdhcyB0aGF0IFNlY3Rpb24gMyBvZiBkcmFmdC1pZXRmLW9h dXRoLWp3dC1iZWFyZXItMDgNCj4gICAgIHNheXM6DQo+ICAgICA+ICAgICAiDQo+ICAgICA+ICAg ICAgICAyLiAgIFRoZSBKV1QgTVVTVCBjb250YWluIGEgInN1YiIgKHN1YmplY3QpIGNsYWltDQo+ ICAgICBpZGVudGlmeWluZyB0aGUNCj4gICAgID4gICAgICAgICAgICAgcHJpbmNpcGFsIHRoYXQg aXMgdGhlIHN1YmplY3Qgb2YgdGhlIEpXVC4gIFR3byBjYXNlcw0KPiAgICAgbmVlZCB0byBiZQ0K PiAgICAgPiAgICAgICAgICAgICBkaWZmZXJlbnRpYXRlZDoNCj4gICAgID4NCj4gICAgID4gICAg ICAgICAgICAgQS4gIEZvciB0aGUgYXV0aG9yaXphdGlvbiBncmFudCwgdGhlIHN1YmplY3QgU0hP VUxEDQo+ICAgICBpZGVudGlmeSBhbg0KPiAgICAgPiAgICAgICAgICAgICAgICAgYXV0aG9yaXpl ZCBhY2Nlc3NvciBmb3Igd2hvbSB0aGUgYWNjZXNzIHRva2VuIGlzIGJlaW5nDQo+ICAgICA+ICAg ICAgICAgICAgICAgICByZXF1ZXN0ZWQgKHR5cGljYWxseSB0aGUgcmVzb3VyY2Ugb3duZXIsIG9y IGFuDQo+ICAgICBhdXRob3JpemVkDQo+ICAgICA+ICAgICAgICAgICAgICAgICBkZWxlZ2F0ZSku DQo+ICAgICA+DQo+ICAgICA+ICAgICAgICAgICAgIEIuICBGb3IgY2xpZW50IGF1dGhlbnRpY2F0 aW9uLCB0aGUgc3ViamVjdCBNVVNUIGJlIHRoZQ0KPiAgICAgPiAgICAgICAgICAgICAgICAgImNs aWVudF9pZCIgb2YgdGhlIE9BdXRoIGNsaWVudC4NCj4gICAgID4gICAgICINCj4gICAgID4NCj4g ICAgID4gICAgIEFudG9uaW8gcG9pbnRlZCB0byB0aGUgY3VycmVudCBHb29nbGUgQVBJIHRvIGls bHVzdHJhdGUgdGhhdA0KPiAgICAgdGhlIHN1YmplY3QNCj4gICAgID4gICAgIGlzIG5vdCBhbHdh eXMgbmVlZGVkLiBIZXJlIGlzIHRoZSBHb29nbGUgQVBJIGRvY3VtZW50YXRpb246DQo+ICAgICA+ ICAgICBodHRwczovL2RldmVsb3BlcnMuZ29vZ2xlLmNvbS9hY2NvdW50cy9kb2NzL09BdXRoMlNl cnZpY2VBY2NvdW50DQo+ICAgICA+DQo+ICAgICA+ICAgICBUaGUgR29vZ2xlIEFQSSB1c2VkIHRo ZSBjbGllbnQgYXV0aGVudGljYXRpb24gcGFydCAocmF0aGVyDQo+ICAgICB0aGFuIHRoZQ0KPiAg ICAgPiAgICAgYXV0aG9yaXphdGlvbiBncmFudCksIGluIG15IHVuZGVyc3RhbmRpbmcuDQo+ICAg ICA+DQo+ICAgICA+ICAgICBJIHN0aWxsIGJlbGlldmUgdGhhdCB0aGUgc3ViamVjdCBmaWVsZCBo YXMgdG8gYmUgaW5jbHVkZWQgZm9yDQo+ICAgICBjbGllbnQNCj4gICAgID4gICAgIGF1dGhlbnRp Y2F0aW9uIGJ1dCBJIGFtIG5vdCBzbyBzdXJlIGFueW1vcmUgYWJvdXQgdGhlDQo+ICAgICBhdXRo b3JpemF0aW9uDQo+ICAgICA+ICAgICBncmFudCBzaW5jZSBJIGNvdWxkIHZlcnkgd2VsbCBpbWFn aW5lIGNhc2VzIHdoZXJlIHRoZSBzdWJqZWN0DQo+ICAgICBpcyBub3QNCj4gICAgID4gICAgIG5l ZWRlZCBmb3IgYXV0aG9yaXphdGlvbiBkZWNpc2lvbnMgYnV0IGFsc28gZm9yIHByaXZhY3kgcmVh c29ucy4NCj4gICAgID4NCj4gICAgID4gICAgIEkgd291bGQgdGhlcmVmb3JlIHN1Z2dlc3QgdG8g Y2hhbmdlIHRoZSB0ZXh0IGFzIGZvbGxvd3M6DQo+ICAgICA+DQo+ICAgICA+ICAgICAiDQo+ICAg ICA+ICAgICAgICAyLiAgIFRoZSBKV1QgY29udGFpbnMgYSAic3ViIiAoc3ViamVjdCkgY2xhaW0g aWRlbnRpZnlpbmcgdGhlDQo+ICAgICA+ICAgICAgICAgICAgIHByaW5jaXBhbCB0aGF0IGlzIHRo ZSBzdWJqZWN0IG9mIHRoZSBKV1QuICBUd28gY2FzZXMNCj4gICAgIG5lZWQgdG8gYmUNCj4gICAg ID4gICAgICAgICAgICAgZGlmZmVyZW50aWF0ZWQ6DQo+ICAgICA+DQo+ICAgICA+ICAgICAgICAg ICAgIEEuICBGb3IgdGhlIGF1dGhvcml6YXRpb24gZ3JhbnQsIHRoZSBzdWJqZWN0IGNsYWltIE1B WQ0KPiAgICAgPiAgICAgICAgICAgICAgICAgYmUgaW5jbHVkZWQuIElmIGl0IGlzIGluY2x1ZGVk IGl0IE1VU1QgaWRlbnRpZnkgdGhlDQo+ICAgICA+ICAgICAgICAgICAgICAgICBhdXRob3JpemVk IGFjY2Vzc29yIGZvciB3aG9tIHRoZSBhY2Nlc3MgdG9rZW4gaXMgYmVpbmcNCj4gICAgID4gICAg ICAgICAgICAgICAgIHJlcXVlc3RlZCAodHlwaWNhbGx5IHRoZSByZXNvdXJjZSBvd25lciwgb3Ig YW4NCj4gICAgIGF1dGhvcml6ZWQNCj4gICAgID4gICAgICAgICAgICAgICAgIGRlbGVnYXRlKS4g UmVhc29ucyBmb3Igbm90IGluY2x1ZGluZyB0aGUgc3ViamVjdCBjbGFpbQ0KPiAgICAgPiAgICAg ICAgICAgICAgICAgaW4gdGhlIEpXVCBhcmUgaWRlbnRpdHkgaGlkaW5nIChpLmUuLCBwcml2YWN5 DQo+ICAgICBwcm90ZWN0aW9uDQo+ICAgICA+ICAgICAgICAgICAgICAgICBvZiB0aGUgaWRlbnRp ZmllciBvZiB0aGUgc3ViamVjdCkgYW5kIGNhc2VzIHdoZXJlDQo+ICAgICA+ICAgICAgICAgICAg ICAgICB0aGUgaWRlbnRpZmllciBvZiB0aGUgc3ViamVjdCBpcyBpcnJlbGV2YW50IGZvciBtYWtp bmcNCj4gICAgID4gICAgICAgICAgICAgICAgIGFuIGF1dGhvcml6YXRpb24gZGVjaXNpb24gYnkg dGhlIHJlc291cmNlIHNlcnZlci4NCj4gICAgID4NCj4gICAgID4gICAgICAgICAgICAgQi4gIEZv ciBjbGllbnQgYXV0aGVudGljYXRpb24sIHRoZSBzdWJqZWN0IE1VU1QgYmUgdGhlDQo+ICAgICA+ ICAgICAgICAgICAgICAgICBpbmNsdWRlZCBpbiB0aGUgSldUIGFuZCB0aGUgdmFsdWUgTVVTVCBi ZSBwb3B1bGF0ZWQNCj4gICAgID4gICAgICAgICAgICAgICAgIHdpdGggdGhlICJjbGllbnRfaWQi IG9mIHRoZSBPQXV0aCBjbGllbnQuDQo+ICAgICA+ICAgICAiDQo+ICAgICA+DQo+ICAgICA+ICAg ICBXaGF0IGRvIHlvdSBndXlzIHRoaW5rPw0KPiAgICAgPg0KPiAgICAgPiAgICAgQ2lhbw0KPiAg ICAgPiAgICAgSGFubmVzDQo+ICAgICA+DQo+ICAgICA+DQo+ICAgICA+ICAgICBfX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KPiAgICAgPiAgICAgT0F1dGgg bWFpbGluZyBsaXN0DQo+ICAgICA+ICAgICBPQXV0aEBpZXRmLm9yZzxtYWlsdG86T0F1dGhAaWV0 Zi5vcmc+IDxtYWlsdG86T0F1dGhAaWV0Zi5vcmc8bWFpbHRvOk9BdXRoQGlldGYub3JnPj4gPG1h aWx0bzpPQXV0aEBpZXRmLm9yZzxtYWlsdG86T0F1dGhAaWV0Zi5vcmc+DQo+ICAgICA8bWFpbHRv Ok9BdXRoQGlldGYub3JnPG1haWx0bzpPQXV0aEBpZXRmLm9yZz4+Pg0KPiAgICAgPiAgICAgaHR0 cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0aA0KPiAgICAgPg0KPiAgICAg Pg0KPg0KPg0KDQo= --_000_4E1F6AAD24975D4BA5B16804296739439A1960AATK5EX14MBXC288r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJ e2ZvbnQtZmFtaWx5OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQov KiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1z b05vcm1hbA0KCXttYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNp emU6MTIuMHB0Ow0KCWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJpZiI7fQ0KYTps aW5rLCBzcGFuLk1zb0h5cGVybGluaw0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6 Ymx1ZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29I eXBlcmxpbmtGb2xsb3dlZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxl Ow0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0Kc3Bhbi5FbWFpbFN0eWxlMTcNCgl7bXNv LXN0eWxlLXR5cGU6cGVyc29uYWwtcmVwbHk7DQoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5z LXNlcmlmIjsNCgljb2xvcjojMUY0OTdEO30NCi5Nc29DaHBEZWZhdWx0DQoJe21zby1zdHlsZS10 eXBlOmV4cG9ydC1vbmx5Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7fQ0K QHBhZ2UgV29yZFNlY3Rpb24xDQoJe3NpemU6OC41aW4gMTEuMGluOw0KCW1hcmdpbjoxLjBpbiAx LjBpbiAxLjBpbiAxLjBpbjt9DQpkaXYuV29yZFNlY3Rpb24xDQoJe3BhZ2U6V29yZFNlY3Rpb24x O30NCi0tPjwvc3R5bGU+PCEtLVtpZiBndGUgbXNvIDldPjx4bWw+DQo8bzpzaGFwZWRlZmF1bHRz IHY6ZXh0PSJlZGl0IiBzcGlkbWF4PSIxMDI2IiAvPg0KPC94bWw+PCFbZW5kaWZdLS0+PCEtLVtp ZiBndGUgbXNvIDldPjx4bWw+DQo8bzpzaGFwZWxheW91dCB2OmV4dD0iZWRpdCI+DQo8bzppZG1h cCB2OmV4dD0iZWRpdCIgZGF0YT0iMSIgLz4NCjwvbzpzaGFwZWxheW91dD48L3htbD48IVtlbmRp Zl0tLT4NCjwvaGVhZD4NCjxib2R5IGxhbmc9IkVOLVVTIiBsaW5rPSJibHVlIiB2bGluaz0icHVy cGxlIj4NCjxkaXYgY2xhc3M9IldvcmRTZWN0aW9uMSI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1 b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+SSBhZ3JlZS4mbmJzcDsg V2XigJlkIGFscmVhZHkgZGlzY3Vzc2VkIHRoaXMgcHJldHR5IGV4dGVuc2l2ZWx5IGFuZCByZWFj aGVkIHRoZSBjb25jbHVzaW9uIHRoYXQgYWx3YXlzIHJlcXVpcmluZyBib3RoIGFuIGlzc3VlciBh bmQgYSBzdWJqZWN0IGJvdGgga2VwdCB0aGUgc3BlY3Mgc2ltcGxlcg0KIGFuZCB3YXMgbGlrZWx5 IHRvIGltcHJvdmUgaW50ZXJvcGVyYWJpbGl0eS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWls eTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3 RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90 OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkl04oCZcyBlbnRpcmVseSB1 cCB0byB0aGUgYXBwbGljYXRpb24gcHJvZmlsZSB3aGF0IHRoZSBjb250ZW50cyBvZiB0aGUgaXNz dWVyIGFuZCB0aGUgc3ViamVjdCBmaWVsZHMgYXJlIGFuZCBzbyBJIGRvbuKAmXQgdGhpbmsgd2Ug bmVlZCB0byBmdXJ0aGVyIHNwZWNpZnkgdGhlaXINCiBjb250ZW50cyBiZXlvbmQgd2hhdOKAmXMg YWxyZWFkeSBpbiB0aGUgc3BlY3MuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7 c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgLS0gTWlrZTxvOnA+ PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250 LWZhbWlseTomcXVvdDtUYWhvbWEmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90OyI+RnJvbTo8 L3NwYW4+PC9iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij4gT0F1dGggW21haWx0bzpvYXV0 aC1ib3VuY2VzQGlldGYub3JnXQ0KPGI+T24gQmVoYWxmIE9mIDwvYj5CcmlhbiBDYW1wYmVsbDxi cj4NCjxiPlNlbnQ6PC9iPiBGcmlkYXksIEFwcmlsIDI1LCAyMDE0IDEwOjE3IEFNPGJyPg0KPGI+ VG86PC9iPiBIYW5uZXMgVHNjaG9mZW5pZzxicj4NCjxiPkNjOjwvYj4gb2F1dGhAaWV0Zi5vcmc8 YnI+DQo8Yj5TdWJqZWN0OjwvYj4gUmU6IFtPQVVUSC1XR10gZHJhZnQtaWV0Zi1vYXV0aC1qd3Qt YmVhcmVyLTA4ICZhbXA7IHN1YmplY3QgaXNzdWU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxkaXY+DQo8ZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tYm90dG9tOjEyLjBwdCI+SSBi ZWxpZXZlLCBmcm9tIHRoZSB0aHJlYWQgcmVmZXJlbmNlZCBlYXJsaWVyIGFuZCBwcmlvciBkaXNj dXNzaW9uIGFuZCBkcmFmdCB0ZXh0LCB0aGF0IHRoZSBXRyBoYXMgcmVhY2hlZCAocm91Z2gpIGNv bnNlbnN1cyB0byByZXF1aXJlIHRoZSBzdWJqZWN0IGNsYWltLiBTbyB0ZXh0IHRoYXQgc2F5cyAm cXVvdDtTdWJqZWN0IGVsZW1lbnQgTVVTVCBOT1QgYmUgaW5jbHVkZWQmcXVvdDsNCiBpc24ndCB3 b3JrYWJsZS48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5 bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij5JdCBzZWVtcyB3aGF0J3MgbmVlZGVkIGhlcmUgaXMg c29tZSBiZXR0ZXIgZXhwbGFuYXRpb24gb2YgaG93LCBpbiBjYXNlcyB0aGF0IG5lZWQgaXQsIHRo ZSB2YWx1ZSBvZiB0aGUgc3ViamVjdCBjYW4gYmUgcG9wdWxhdGVkIHdpdGhvdXQgdXNpbmcgYSBQ SUkgdHlwZSB2YWx1ZS4gQSBzaW1wbGUgc3RhdGljIHZhbHVlIGxpa2UgJnF1b3Q7QU5PTllNT1VT LVNVQkpFQ1QmcXVvdDsNCiBjb3VsZCBiZSB1c2VkLiBPciwgbW9yZSBsaWtlbHksIHNvbWUga2lu ZCBvZiBwYWlyd2lzZSBwZXJzaXN0ZW50IHBzZXVkb255bW91cyBpZGVudGlmaWVyIHdvdWxkIGJl IHV0aWxpemVkLCB3aGljaCB3b3VsZCBub3QgZGlyZWN0bHkgaWRlbnRpZnkgdGhlIHN1YmplY3Qg YnV0IHdvdWxkIGFsbG93IHRoZSByZWx5aW5nIHBhcnR5IHRvIHJlY29nbml6ZSB0aGUgc2FtZSBz dWJqZWN0IG9uIHN1YnNlcXVlbnQgdHJhbnNhY3Rpb25zLiBBIHRyYW5zaWVudA0KIHBzZXVkb255 bSBtaWdodCBhbHNvIGJlIGFwcHJvcHJpYXRlIGluIHNvbWUgY2FzZXMuIEFuZCBhbnkgb2YgdGhv c2UgYXBwcm9hY2hlcyBjb3VsZCBiZSB1c2VkIHdpdGggb3Igd2l0aG91dCBhZGRpdGlvbmFsIGNs YWltcyAobGlrZSBhZ2UgJmd0OyAxOCBvciBtZW1iZXJzaGlwIGluIHNvbWUgZ3JvdXApIHRoYXQg Z2V0IHVzZWQgdG8gbWFrZSBhbiBhdXRob3JpemF0aW9uIGRlY2lzaW9uLiZuYnNwOw0KPG86cD48 L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkkgd2Fzbid0IHN1cmUgZXhh Y3RseSBob3cgdG8gYXJ0aWN1bGF0ZSBhbGwgdGhhdCBpbiB0ZXh0IGZvciB0aGUgZHJhZnQocykg YnV0IHRoYXQncyBtb3JlIG9mIHdoYXQgSSB3YXMgYXNraW5nIGZvciB3aGVuIEkgYXNrZWQgaWYg eW91IGNvdWxkIHByb3Bvc2Ugc29tZSB0ZXh0Lg0KPG86cD48L286cD48L3A+DQo8ZGl2Pg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWJvdHRvbToxMi4w cHQiPjxicj4NCjxicj4NCjxicj4NCjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwv ZGl2Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1i b3R0b206MTIuMHB0Ij48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj5PbiBUaHUsIEFwciAyNCwgMjAxNCBhdCA2OjQ4IEFNLCBIYW5uZXMgVHNjaG9mZW5p ZyAmbHQ7PGEgaHJlZj0ibWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQiIHRhcmdldD0i X2JsYW5rIj5oYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0PC9hPiZndDsgd3JvdGU6PG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5IaSBCcmlhbiw8YnI+DQo8YnI+DQpUaGFua3Mg Zm9yIHBvaW50aW5nIHRvIHRoZSBhc3NlcnRpb24gZnJhbWV3b3JrIGRvY3VtZW50LiBSZS1yZWFk aW5nIHRoZTxicj4NCnRleHQgaXQgYXBwZWFycyB0aGF0IHdlIGhhdmUgbGlzdGVkIHRoZSBjYXNl IHRoYXQgaW4gU2VjdGlvbiA2LjMuMSBidXQ8YnI+DQpoYXZlIGZvcmdvdHRlbiB0byBjb3ZlciBp dCBlbHNld2hlcmUgaW4gdGhlIGRvY3VtZW50Ljxicj4NCjxicj4NCjxicj4NCkluIFNlY3Rpb24g Ni4zLjEgd2Ugc2F5Ojxicj4NCjxicj4NCiZxdW90Ozxicj4NCjxicj4NCjYuMy4xLiAmbmJzcDtD bGllbnQgQWN0aW5nIG9uIEJlaGFsZiBvZiBhbiBBbm9ueW1vdXMgVXNlcjxicj4NCjxicj4NCiZu YnNwOyAmbmJzcDtXaGVuIGEgY2xpZW50IGlzIGFjY2Vzc2luZyByZXNvdXJjZXMgb24gYmVoYWxm IG9mIGFuIGFub255bW91cyB1c2VyLDxicj4NCiZuYnNwOyAmbmJzcDt0aGUgU3ViamVjdCBpbmRp Y2F0ZXMgdG8gdGhlIEF1dGhvcml6YXRpb24gU2VydmVyIHRoYXQgdGhlIGNsaWVudCBpczxicj4N CiZuYnNwOyAmbmJzcDthY3Rpbmcgb24tYmVoYWxmIG9mIGFuIGFub255bW91cyB1c2VyIGFzIGRl ZmluZWQgYnkgdGhlIEF1dGhvcml6YXRpb248YnI+DQombmJzcDsgJm5ic3A7U2VydmVyLiAmbmJz cDtJdCBpcyBpbXBsaWVkIHRoYXQgYXV0aG9yaXphdGlvbiBpcyBiYXNlZCB1cG9uIGFkZGl0aW9u YWw8YnI+DQombmJzcDsgJm5ic3A7Y3JpdGVyaWEsIHN1Y2ggYXMgYWRkaXRpb25hbCBhdHRyaWJ1 dGVzIG9yIGNsYWltcyBwcm92aWRlZCBpbiB0aGU8YnI+DQombmJzcDsgJm5ic3A7YXNzZXJ0aW9u LiAmbmJzcDtGb3IgZXhhbXBsZSwgYSBjbGllbnQgbWF5IHByZXNlbnQgYW4gYXNzZXJ0aW9uIGZy b20gYTxicj4NCiZuYnNwOyAmbmJzcDt0cnVzdGVkIGlzc3VlciBhc3NlcnRpbmcgdGhhdCB0aGUg YmVhcmVyIGlzIG92ZXIgMTggdmlhIGFuIGluY2x1ZGVkPGJyPg0KJm5ic3A7ICZuYnNwO2NsYWlt Ljxicj4NCjxicj4NCioqKioqPGJyPg0KJm5ic3A7ICZuYnNwOyBJbiB0aGlzIGNhc2UsIG5vIGFk ZGl0aW9uYWwgaW5mb3JtYXRpb24gYWJvdXQgdGhlIHVzZXInczxicj4NCiZuYnNwOyAmbmJzcDtp ZGVudGl0eSBpcyBpbmNsdWRlZCwgeWV0IGFsbCB0aGUgZGF0YSBuZWVkZWQgdG8gaXNzdWUgYW4g YWNjZXNzPGJyPg0KJm5ic3A7ICZuYnNwO3Rva2VuIGlzIHByZXNlbnQuPGJyPg0KKioqKio8YnI+ DQomcXVvdDs8YnI+DQooSSBtYXJrZWQgdGhlIHJlbGV2YW50IHBhcnQgd2l0aCAnKioqJyk8YnI+ DQo8YnI+DQo8YnI+DQpJbiBTZWN0aW9uIDUuMiwgaG93ZXZlciwgd2Ugc2F5Ojxicj4NCjxicj4N Cjxicj4NCiZuYnNwOyAmbmJzcDtvICZuYnNwO1RoZSBhc3NlcnRpb24gTVVTVCBjb250YWluIGEg U3ViamVjdC4gJm5ic3A7VGhlIFN1YmplY3QgaWRlbnRpZmllcyBhbjxicj4NCiZuYnNwOyAmbmJz cDsgJm5ic3A7IGF1dGhvcml6ZWQgYWNjZXNzb3IgZm9yIHdoaWNoIHRoZSBhY2Nlc3MgdG9rZW4g aXMgYmVpbmcgcmVxdWVzdGVkPGJyPg0KJm5ic3A7ICZuYnNwOyAmbmJzcDsgKHR5cGljYWxseSB0 aGUgcmVzb3VyY2Ugb3duZXIsIG9yIGFuIGF1dGhvcml6ZWQgZGVsZWdhdGUpLiAmbmJzcDtXaGVu PGJyPg0KJm5ic3A7ICZuYnNwOyAmbmJzcDsgdGhlIGNsaWVudCBpcyBhY3Rpbmcgb24gYmVoYWxm IG9mIGl0c2VsZiwgdGhlIFN1YmplY3QgTVVTVCBiZSB0aGU8YnI+DQombmJzcDsgJm5ic3A7ICZu YnNwOyB2YWx1ZSBvZiB0aGUgY2xpZW50J3MgJnF1b3Q7Y2xpZW50X2lkJnF1b3Q7Ljxicj4NCjxi cj4NCjxicj4NCldoYXQgd2Ugc2hvdWxkIGhhdmUgZG9uZSBpbiBTZWN0aW9uIDUuMiBpcyB0byBl eHBhbmQgdGhlIGNhc2VzIGlubGluZTxicj4NCndpdGggd2hhdCB3ZSBoYXZlIHdyaXR0ZW4gaW4g U2VjdGlvbiA2Ljxicj4NCjxicj4NCkhlcmUgaXMgbXkgcHJvcG9zZWQgdGV4dDo8YnI+DQo8YnI+ DQomcXVvdDs8YnI+DQpvICZuYnNwO1RoZSBhc3NlcnRpb24gTVVTVCBjb250YWluIGEgU3ViamVj dC4gJm5ic3A7VGhlIFN1YmplY3QgaWRlbnRpZmllcyBhbjxicj4NCmF1dGhvcml6ZWQgYWNjZXNz b3IgZm9yIHdoaWNoIHRoZSBhY2Nlc3MgdG9rZW4gaXMgYmVpbmcgcmVxdWVzdGVkPG86cD48L286 cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1ib3R0b206 MTIuMHB0Ij4odHlwaWNhbGx5IHRoZSByZXNvdXJjZSBvd25lciwgb3IgYW4gYXV0aG9yaXplZCBk ZWxlZ2F0ZSkuPGJyPg0KPGJyPg0KPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPldoZW4gdGhlIGNsaWVudCBpcyBhY3Rpbmcgb24gYmVoYWxmIG9mIGl0c2VsZiwg YXMgZGVzY3JpYmVkIGluIFNlY3Rpb248YnI+DQo2LjEgYW5kIFNlY3Rpb24gNi4yLCB0aGUgU3Vi amVjdCBNVVNUIGJlIHRoZSB2YWx1ZSBvZiB0aGUgY2xpZW50J3M8YnI+DQomcXVvdDtjbGllbnRf aWQmcXVvdDsuPGJyPg0KPGJyPg0KV2hlbiB0aGUgY2xpZW50IGlzIGFjdGluZyBvbiBiZWhhbGYg b2YgYW4gdXNlciwgYXMgZGVzY3JpYmVkIGluIFNlY3Rpb248YnI+DQo2LjMsIHRoZSBTdWJqZWN0 IGVsZW1lbnQgTVVTVCBiZSBpbmNsdWRlZCBpbiB0aGUgYXNzZXJ0aW9uIGFuZDxicj4NCmlkZW50 aWZpZXMgYW4gYXV0aG9yaXplZCBhY2Nlc3NvciBmb3Igd2hpY2ggdGhlIGFjY2VzcyB0b2tlbiBp cyBiZWluZzxicj4NCnJlcXVlc3RlZC48YnI+DQo8YnI+DQpXaGVuIHRoZSBjbGllbnQgaXMgYWN0 aW5nIG9uIGJlaGFsZiBvZiBhbiBhbm9ueW1vdXMgdXNlciwgYXMgZGVzY3JpYmVkPGJyPg0KaW4g U2VjdGlvbiA2LjMuMSwgdGhlIFN1YmplY3QgZWxlbWVudCBNVVNUIE5PVCBiZSBpbmNsdWRlZCBp biB0aGU8YnI+DQphc3NlcnRpb24uIE90aGVyIGVsZW1lbnRzIHdpdGhpbiB0aGUgYXNzZXJ0aW9u IHdpbGwsIGhvd2V2ZXIsIHByb3ZpZGU8YnI+DQplbm91Z2ggaW5mb3JtYXRpb24gZm9yIHRoZSBh dXRob3JpemF0aW9uIHNlcnZlciB0byBtYWtlIGFuIGF1dGhvcml6YXRpb248YnI+DQpkZWNpc2lv bi48YnI+DQomcXVvdDs8YnI+DQo8YnI+DQpEb2VzIHRoaXMgbWFrZSBzZW5zZSB0byB5b3U/PGJy Pg0KPGJyPg0KQ2lhbzxicj4NCkhhbm5lczxvOnA+PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxicj4NCjxicj4NCk9uIDA0LzI0LzIwMTQgMDI6MzAgUE0sIEJyaWFuIENh bXBiZWxsIHdyb3RlOjxicj4NCiZndDsgVGhlcmUgaXMgc29tZSBkaXNjdXNzaW9uIG9mIHRoYXQg Y2FzZSBpbiB0aGUgYXNzZXJ0aW9uIGZyYW1ld29yazxicj4NCiZndDsgZG9jdW1lbnQgYXQ8YnI+ DQomZ3Q7IDxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1 dGgtYXNzZXJ0aW9ucy0xNSNzZWN0aW9uLTYuMy4xIiB0YXJnZXQ9Il9ibGFuayI+DQpodHRwOi8v dG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLWFzc2VydGlvbnMtMTUjc2VjdGlv bi02LjMuMTwvYT48YnI+DQomZ3Q7PGJyPg0KJmd0OyBEbyB5b3UgZmVlbCB0aGF0IG1vcmUgaXMg bmVlZGVkPyBJZiBzbywgY2FuIHlvdSBwcm9wb3NlIHNvbWUgdGV4dD88YnI+DQomZ3Q7PGJyPg0K Jmd0Ozxicj4NCiZndDsgT24gVGh1LCBBcHIgMjQsIDIwMTQgYXQgMTowOSBBTSwgSGFubmVzIFRz Y2hvZmVuaWc8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj4mZ3Q7ICZsdDs8YSBocmVmPSJtYWlsdG86aGFubmVzLnRzY2hvZmVuaWdAZ214 Lm5ldCI+aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldDwvYT4gJmx0O21haWx0bzo8YSBocmVmPSJt YWlsdG86aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldCI+aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5l dDwvYT4mZ3Q7Jmd0OyB3cm90ZTo8YnI+DQomZ3Q7PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7IEhp IEJyaWFuLDxicj4NCiZndDs8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgSSByZWFkIHRocm91Z2gg dGhlIHRocmVhZCBhbmQgdGhlIEdvb2dsZSBjYXNlIGlzIGEgYml0IGRpZmZlcmVudCBzaW5jZTxi cj4NCiZndDsgJm5ic3A7ICZuYnNwOyB0aGV5IGFyZSB1c2luZyB0aGUgY2xpZW50IGF1dGhlbnRp Y2F0aW9uIHBhcnQgb2YgdGhlIEpXVCBiZWFyZXIgc3BlYy48YnI+DQomZ3Q7ICZuYnNwOyAmbmJz cDsgVGhlcmUgSSBkb24ndCBzZWUgdGhlIHByaXZhY3kgY29uY2VybnMgZWl0aGVyLjxicj4NCiZn dDs8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgSSBhbSwgaG93ZXZlciwgZm9jdXNlZCBvbiB0aGUg YXV0aG9yaXphdGlvbiBncmFudCB3aGVyZSB0aGUgc3ViamVjdCBpczxicj4NCiZndDsgJm5ic3A7 ICZuYnNwOyBpbiBtb3N0IGNhc2VzIHRoZSByZXNvdXJjZSBvd25lci48YnI+DQomZ3Q7PGJyPg0K Jmd0OyAmbmJzcDsgJm5ic3A7IEl0IGlzIHBvc3NpYmxlIHRvIHB1dCBnYXJiYWdlIGludG8gdGhl IHN1YmplY3QgZWxlbWVudCB3aGVuIHByaXZhY3k8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgcHJv dGVjdGlvbiBpcyBuZWVkZWQgZm9yIHRoZSByZXNvdXJjZSBvd25lciBjYXNlIGJ1dCB0aGF0IHdv dWxkIG5lZWQgdG88YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgYmUgZGVzY3JpYmVkIGluIHRoZSBk b2N1bWVudDsgY3VycmVudGx5IGl0IGlzIG5vdCB0aGVyZS48YnI+DQomZ3Q7PGJyPg0KJmd0OyAm bmJzcDsgJm5ic3A7IENpYW88YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgSGFubmVzPGJyPg0KJmd0 Ozxicj4NCiZndDs8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgT24gMDQvMjQvMjAxNCAxMjozNyBB TSwgQnJpYW4gQ2FtcGJlbGwgd3JvdGU6PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgVGhh dCB0aHJlYWQgdGhhdCBBbnRvbmlvIHN0YXJ0ZWQgd2hpY2ggeW91IHJlZmVyZW5jZSB3ZW50IG9u IGZvciBzb21lPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgdGltZTxicj4NCiZndDsgJm5i c3A7ICZuYnNwOyAmZ3Q7PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICg8YSBocmVmPSJodHRwOi8v d3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93ZWIvb2F1dGgvY3VycmVudC90aHJlYWRzLmh0bWwj MTI1MjAiIHRhcmdldD0iX2JsYW5rIj5odHRwOi8vd3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93 ZWIvb2F1dGgvY3VycmVudC90aHJlYWRzLmh0bWwjMTI1MjA8L2E+KTxicj4NCiZndDsgJm5ic3A7 ICZuYnNwOyAmZ3Q7IGFuZCBzZWVtcyB0byBoYXZlIHJlYWNoZWQgY29uc2Vuc3VzIHRoYXQgdGhl IHNwZWMgZGlkbid0IG5lZWQ8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgbm9ybWF0aXZlPGJyPg0K Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgY2hhbmdlIGFuZCB0aGF0IHN1Y2ggcHJpdmFjeSBjYXNl cyBvciBvdGhlciBjYXNlcyB3aGljaCBkaWRuJ3Q8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0 OyBleHBsaWNpdGx5IG5lZWQgYSBzdWJqZWN0IGlkZW50aWZpZXIgd291bGQgYmUgbW9yZSBhcHBy b3ByaWF0ZWx5IGRlYWx0PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgd2l0aCBpbiBhcHBs aWNhdGlvbiBsb2dpYzo8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyA8YSBocmVmPSJodHRw Oi8vd3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93ZWIvb2F1dGgvY3VycmVudC9tc2cxMjUzOC5o dG1sIiB0YXJnZXQ9Il9ibGFuayI+DQpodHRwOi8vd3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93 ZWIvb2F1dGgvY3VycmVudC9tc2cxMjUzOC5odG1sPC9hPjxicj4NCiZndDsgJm5ic3A7ICZuYnNw OyAmZ3Q7PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDs8YnI+DQomZ3Q7ICZuYnNwOyAmbmJz cDsgJmd0Ozxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7PGJyPg0KJmd0OyAmbmJzcDsgJm5i c3A7ICZndDsgT24gV2VkLCBBcHIgMjMsIDIwMTQgYXQgMjozOSBBTSwgSGFubmVzIFRzY2hvZmVu aWc8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbHQ7PGEgaHJlZj0ibWFpbHRvOmhhbm5l cy50c2Nob2ZlbmlnQGdteC5uZXQiPmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQ8L2E+ICZsdDtt YWlsdG86PGEgaHJlZj0ibWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQiPmhhbm5lcy50 c2Nob2ZlbmlnQGdteC5uZXQ8L2E+Jmd0OzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZndDsgJm5ic3A7ICZuYnNwOyAmbHQ7bWFpbHRvOjxhIGhy ZWY9Im1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0Ij5oYW5uZXMudHNjaG9mZW5pZ0Bn bXgubmV0PC9hPjxvOnA+PC9vOnA+PC9wPg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmx0O21haWx0bzo8YSBocmVmPSJtYWlsdG86aGFubmVz LnRzY2hvZmVuaWdAZ214Lm5ldCI+aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldDwvYT4mZ3Q7Jmd0 OyZndDsgd3JvdGU6PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDs8YnI+DQomZ3Q7ICZuYnNw OyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7IEhpIGFsbCw8YnI+DQomZ3Q7ICZuYnNwOyAmbmJz cDsgJmd0Ozxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgaW4gcHJl cGFyaW5nIHRoZSBzaGVwaGVyZCB3cml0ZS11cCBmb3I8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsg ZHJhZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyLTA4IEk8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsg Jmd0OyAmbmJzcDsgJm5ic3A7IGhhZCB0byByZXZpZXcgb3VyIHJlY2VudCBlbWFpbCBjb252ZXJz YXRpb25zIGFuZCB0aGUgaXNzdWU8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgcmFpc2VkIGJ5PGJy Pg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyBBbnRvbmlvIGluPGJyPg0K Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDs8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgPGEgaHJlZj0i aHR0cDovL3d3dy5pZXRmLm9yZy9tYWlsLWFyY2hpdmUvd2ViL29hdXRoL2N1cnJlbnQvbXNnMTI1 MjAuaHRtbCIgdGFyZ2V0PSJfYmxhbmsiPg0KaHR0cDovL3d3dy5pZXRmLm9yZy9tYWlsLWFyY2hp dmUvd2ViL29hdXRoL2N1cnJlbnQvbXNnMTI1MjAuaHRtbDwvYT4gYmVsb25nPGJyPg0KJmd0OyAm bmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyB0byBpdC48YnI+DQomZ3Q7ICZuYnNwOyAm bmJzcDsgJmd0Ozxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgVGhl IGlzc3VlIHdhcyB0aGF0IFNlY3Rpb24gMyBvZiBkcmFmdC1pZXRmLW9hdXRoLWp3dC1iZWFyZXIt MDg8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgc2F5czo8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsg Jmd0OyAmbmJzcDsgJm5ic3A7ICZxdW90Ozxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzIuICZuYnNwOyBUaGUgSldUIE1VU1QgY29udGFpbiBh ICZxdW90O3N1YiZxdW90OyAoc3ViamVjdCkgY2xhaW08YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsg aWRlbnRpZnlpbmcgdGhlPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgcHJpbmNpcGFsIHRoYXQgaXMgdGhlIHN1Ympl Y3Qgb2YgdGhlIEpXVC4gJm5ic3A7VHdvIGNhc2VzPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7IG5l ZWQgdG8gYmU8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBkaWZmZXJlbnRpYXRlZDo8YnI+DQomZ3Q7ICZuYnNwOyAm bmJzcDsgJmd0Ozxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IEEuICZuYnNwO0ZvciB0aGUgYXV0aG9yaXphdGlvbiBn cmFudCwgdGhlIHN1YmplY3QgU0hPVUxEPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7IGlkZW50aWZ5 IGFuPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBhdXRob3JpemVkIGFjY2Vzc29yIGZvciB3 aG9tIHRoZSBhY2Nlc3MgdG9rZW4gaXMgYmVpbmc8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0 OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 IHJlcXVlc3RlZCAodHlwaWNhbGx5IHRoZSByZXNvdXJjZSBvd25lciwgb3IgYW48YnI+DQomZ3Q7 ICZuYnNwOyAmbmJzcDsgYXV0aG9yaXplZDxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgZGVs ZWdhdGUpLjxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7PGJyPg0KJmd0OyAmbmJzcDsgJm5i c3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgQi4gJm5i c3A7Rm9yIGNsaWVudCBhdXRoZW50aWNhdGlvbiwgdGhlIHN1YmplY3QgTVVTVCBiZSB0aGU8YnI+ DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZxdW90O2NsaWVudF9pZCZxdW90OyBvZiB0aGUgT0F1 dGggY2xpZW50Ljxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJnF1 b3Q7PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDs8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsg Jmd0OyAmbmJzcDsgJm5ic3A7IEFudG9uaW8gcG9pbnRlZCB0byB0aGUgY3VycmVudCBHb29nbGUg QVBJIHRvIGlsbHVzdHJhdGUgdGhhdDxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyB0aGUgc3ViamVj dDxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgaXMgbm90IGFsd2F5 cyBuZWVkZWQuIEhlcmUgaXMgdGhlIEdvb2dsZSBBUEkgZG9jdW1lbnRhdGlvbjo8YnI+DQomZ3Q7 ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7IDxhIGhyZWY9Imh0dHBzOi8vZGV2ZWxv cGVycy5nb29nbGUuY29tL2FjY291bnRzL2RvY3MvT0F1dGgyU2VydmljZUFjY291bnQiIHRhcmdl dD0iX2JsYW5rIj4NCmh0dHBzOi8vZGV2ZWxvcGVycy5nb29nbGUuY29tL2FjY291bnRzL2RvY3Mv T0F1dGgyU2VydmljZUFjY291bnQ8L2E+PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDs8YnI+ DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7IFRoZSBHb29nbGUgQVBJIHVz ZWQgdGhlIGNsaWVudCBhdXRoZW50aWNhdGlvbiBwYXJ0IChyYXRoZXI8YnI+DQomZ3Q7ICZuYnNw OyAmbmJzcDsgdGhhbiB0aGU8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5i c3A7IGF1dGhvcml6YXRpb24gZ3JhbnQpLCBpbiBteSB1bmRlcnN0YW5kaW5nLjxicj4NCiZndDsg Jm5ic3A7ICZuYnNwOyAmZ3Q7PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZu YnNwOyBJIHN0aWxsIGJlbGlldmUgdGhhdCB0aGUgc3ViamVjdCBmaWVsZCBoYXMgdG8gYmUgaW5j bHVkZWQgZm9yPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7IGNsaWVudDxicj4NCiZndDsgJm5ic3A7 ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgYXV0aGVudGljYXRpb24gYnV0IEkgYW0gbm90IHNv IHN1cmUgYW55bW9yZSBhYm91dCB0aGU8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgYXV0aG9yaXph dGlvbjxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgZ3JhbnQgc2lu Y2UgSSBjb3VsZCB2ZXJ5IHdlbGwgaW1hZ2luZSBjYXNlcyB3aGVyZSB0aGUgc3ViamVjdDxicj4N CiZndDsgJm5ic3A7ICZuYnNwOyBpcyBub3Q8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAm bmJzcDsgJm5ic3A7IG5lZWRlZCBmb3IgYXV0aG9yaXphdGlvbiBkZWNpc2lvbnMgYnV0IGFsc28g Zm9yIHByaXZhY3kgcmVhc29ucy48YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0Ozxicj4NCiZn dDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgSSB3b3VsZCB0aGVyZWZvcmUgc3Vn Z2VzdCB0byBjaGFuZ2UgdGhlIHRleHQgYXMgZm9sbG93czo8YnI+DQomZ3Q7ICZuYnNwOyAmbmJz cDsgJmd0Ozxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJnF1b3Q7 PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 Mi4gJm5ic3A7IFRoZSBKV1QgY29udGFpbnMgYSAmcXVvdDtzdWImcXVvdDsgKHN1YmplY3QpIGNs YWltIGlkZW50aWZ5aW5nIHRoZTxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IHByaW5jaXBhbCB0aGF0IGlzIHRoZSBz dWJqZWN0IG9mIHRoZSBKV1QuICZuYnNwO1R3byBjYXNlczxicj4NCiZndDsgJm5ic3A7ICZuYnNw OyBuZWVkIHRvIGJlPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgZGlmZmVyZW50aWF0ZWQ6PGJyPg0KJmd0OyAmbmJz cDsgJm5ic3A7ICZndDs8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBBLiAmbmJzcDtGb3IgdGhlIGF1dGhvcml6YXRp b24gZ3JhbnQsIHRoZSBzdWJqZWN0IGNsYWltIE1BWTxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAm Z3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgYmUgaW5jbHVkZWQuIElmIGl0IGlzIGluY2x1ZGVkIGl0IE1VU1QgaWRlbnRpZnkgdGhlPGJy Pg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBhdXRob3JpemVkIGFjY2Vzc29yIGZvciB3aG9tIHRo ZSBhY2Nlc3MgdG9rZW4gaXMgYmVpbmc8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJz cDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IHJlcXVl c3RlZCAodHlwaWNhbGx5IHRoZSByZXNvdXJjZSBvd25lciwgb3IgYW48YnI+DQomZ3Q7ICZuYnNw OyAmbmJzcDsgYXV0aG9yaXplZDxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgZGVsZWdhdGUp LiBSZWFzb25zIGZvciBub3QgaW5jbHVkaW5nIHRoZSBzdWJqZWN0IGNsYWltPGJyPg0KJmd0OyAm bmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7ICZuYnNwOyBpbiB0aGUgSldUIGFyZSBpZGVudGl0eSBoaWRpbmcgKGkuZS4sIHBy aXZhY3k8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgcHJvdGVjdGlvbjxicj4NCiZndDsgJm5ic3A7 ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgb2YgdGhlIGlkZW50aWZpZXIgb2YgdGhlIHN1YmplY3QpIGFuZCBjYXNlcyB3 aGVyZTxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgdGhlIGlkZW50aWZpZXIgb2YgdGhlIHN1 YmplY3QgaXMgaXJyZWxldmFudCBmb3IgbWFraW5nPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZn dDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyBhbiBhdXRob3JpemF0aW9uIGRlY2lzaW9uIGJ5IHRoZSByZXNvdXJjZSBzZXJ2ZXIuPGJyPg0K Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDs8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJz cDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBCLiAmbmJzcDtGb3IgY2xpZW50 IGF1dGhlbnRpY2F0aW9uLCB0aGUgc3ViamVjdCBNVVNUIGJlIHRoZTxicj4NCiZndDsgJm5ic3A7 ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgaW5jbHVkZWQgaW4gdGhlIEpXVCBhbmQgdGhlIHZhbHVlIE1VU1QgYmUgcG9w dWxhdGVkPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyB3aXRoIHRoZSAmcXVvdDtjbGllbnRf aWQmcXVvdDsgb2YgdGhlIE9BdXRoIGNsaWVudC48YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0 OyAmbmJzcDsgJm5ic3A7ICZxdW90Ozxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7PGJyPg0K Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyBXaGF0IGRvIHlvdSBndXlzIHRo aW5rPzxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7 ICZndDsgJm5ic3A7ICZuYnNwOyBDaWFvPGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5i c3A7ICZuYnNwOyBIYW5uZXM8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0Ozxicj4NCiZndDsg Jm5ic3A7ICZuYnNwOyAmZ3Q7PGJyPg0KJmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZu YnNwOyBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzxicj4N CiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgT0F1dGggbWFpbGluZyBsaXN0 PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5 bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsg Jm5ic3A7IDxhIGhyZWY9Im1haWx0bzpPQXV0aEBpZXRmLm9yZyI+DQpPQXV0aEBpZXRmLm9yZzwv YT4gJmx0O21haWx0bzo8YSBocmVmPSJtYWlsdG86T0F1dGhAaWV0Zi5vcmciPk9BdXRoQGlldGYu b3JnPC9hPiZndDsgJmx0O21haWx0bzo8YSBocmVmPSJtYWlsdG86T0F1dGhAaWV0Zi5vcmciPk9B dXRoQGlldGYub3JnPC9hPjxicj4NCiZndDsgJm5ic3A7ICZuYnNwOyAmbHQ7bWFpbHRvOjxhIGhy ZWY9Im1haWx0bzpPQXV0aEBpZXRmLm9yZyI+T0F1dGhAaWV0Zi5vcmc8L2E+Jmd0OyZndDs8YnI+ DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7IDxhIGhyZWY9Imh0dHBzOi8v d3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGgiIHRhcmdldD0iX2JsYW5rIj4NCmh0 dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGg8L2E+PGJyPg0KJmd0OyAm bmJzcDsgJm5ic3A7ICZndDs8YnI+DQomZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0Ozxicj4NCiZndDs8 YnI+DQomZ3Q7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg== --_000_4E1F6AAD24975D4BA5B16804296739439A1960AATK5EX14MBXC288r_-- From nobody Fri Apr 25 11:52:09 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A2741A03CE for ; Fri, 25 Apr 2014 11:52:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.174 X-Spam-Level: X-Spam-Status: No, score=-7.174 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q0chrkSPN-H6 for ; Fri, 25 Apr 2014 11:52:03 -0700 (PDT) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id C06581A031E for ; Fri, 25 Apr 2014 11:52:03 -0700 (PDT) Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s3PIpukG031336 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 25 Apr 2014 14:51:57 -0400 Received: from [10.10.50.202] (vpn-50-202.rdu2.redhat.com [10.10.50.202]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s3PIpt2M026983 for ; Fri, 25 Apr 2014 14:51:56 -0400 Message-ID: <535AAECE.502@redhat.com> Date: Fri, 25 Apr 2014 14:51:58 -0400 From: Bill Burke User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: oauth@ietf.org References: <53577C73.2010201@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A194E55@TK5EX14MBXC288.redmond.corp.microsoft.com> <535A21F3.4050306@gmail.com> <535A29E7.6040505@gmx.net> <535A2E98.2000804@gmail.com> <535A544C.80100@gmx.net> <1061532531353586658@unknownmsgid> In-Reply-To: <1061532531353586658@unknownmsgid> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/yOwETqxARyAW9PLqkjf_y0o17ZI Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 18:52:08 -0000 Red Hat Keycloak [1] only supports basic auth for client authentication as suggested in the OAuth 2 spec. But our access tokens are JWS signed JWTs. Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth [2]? Or is there another document I should be following? I'd like to see what other claims are being discussed related to JWT-based access tokens and may have some additional access token claims we've been experimenting with others might be interested in. Also, I'm not sure yet if we'll implement draft-ietf-oauth-jwt-bearer to authenticate clients. A lot of our initial users are more interested in public clients and/or the implicit flow as they are writing a lot of pure javascript apps served up by simple static web servers. [1] http://keycloak.org [2] http://tools.ietf.org/html/rfc6750 On 4/25/2014 10:06 AM, Chuck Mortimore wrote: > Salesforce supports this > >> On Apr 25, 2014, at 6:11 AM, John Bradley wrote: >> >> The JWT bearer spec is used in Connect for authenticating clients with asymmetric credentials. >> >> I don't know at the moment how many server implementations support that as it is not MTI. >> >> I know it is on the Ping roadmap but not currently in shipping product. >> >> John B. >> >>> On Apr 25, 2014, at 9:25 AM, Hannes Tschofenig wrote: >>> >>> Hi Sergey, >>> >>> no, your comment wasn't off-topic and I agree that more widespread >>> support of the JWT spec will also have a positive impact on the JWT >>> bearer implementation / deployment status. >>> >>> draft-ietf-oauth-jwt-bearer spec requires the JWT to be used in a >>> specific way. It does, however, make sense to indicate the JWT >>> implementation situation in the write-up. >>> >>> Ciao >>> Hannes >>> >>> >>> >>>> On 04/25/2014 11:44 AM, Sergey Beryozkin wrote: >>>> >>>>> On 25/04/14 10:24, Hannes Tschofenig wrote: >>>>> The implementation and deployment status of JWT is certainly good. >>>>> For this write-up it would, however, be interesting to know what the >>>>> implementation status of the JWT bearer assertion spec is. >>>> >>>> Was I off-topic ? Sorry about it, I thought it would be encouraging for >>>> experts to see the general status, the wider JWT is supported the more >>>> likely the count of JWT Bearer assertion adopters will go up >>>> >>>> Cheers, Sergey >>>> >>>>> >>>>>> On 04/25/2014 10:50 AM, Sergey Beryozkin wrote: >>>>>>> On 24/04/14 23:41, Mike Jones wrote: >>>>>>> I am aware of these implementations: >>>>>>> Microsoft Azure Active Directory: >>>>>>> http://azure.microsoft.com/en-us/services/active-directory/ >>>>>>> Google Service Account: >>>>>>> https://developers.google.com/accounts/docs/OAuth2ServiceAccount >>>>>>> >>>>>>> I believe that Ping Identity and Salesforce also have implementations, >>>>>>> but I'll let Brian and Chuck authoritatively speak to those. >>>>>> >>>>>> Here is some info about open source projects: >>>>>> >>>>>> Apache Oltu has a good support for working with JWT, believe Spring >>>>>> Security has it (I haven't tried) and JBoss KeyCloak team works with >>>>>> JWT, work for supporting JWT Bearer is in progress in Apache CXF (a >>>>>> month or so away). >>>>>> >>>>>> There will be a pretty good coverage for it... >>>>>> >>>>>> Sergey >>>>>> >>>>>>> >>>>>>> -- Mike >>>>>>> >>>>>>> -----Original Message----- >>>>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes >>>>>>> Tschofenig >>>>>>> Sent: Wednesday, April 23, 2014 1:40 AM >>>>>>> To: oauth@ietf.org >>>>>>> Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up >>>>>>> >>>>>>> Hi all, >>>>>>> >>>>>>> I am working on the shepherd writeup for the JWT bearer document. The >>>>>>> shepherd write-ups for the assertion draft and the SAML bearer >>>>>>> document have been completed a while ago already, see >>>>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12410.html >>>>>>> >>>>>>> A few requests: >>>>>>> >>>>>>> - To the document authors: Please confirm that any and all appropriate >>>>>>> IPR disclosures required for full conformance with the provisions of >>>>>>> BCP >>>>>>> 78 and BCP 79 have already been filed. >>>>>>> >>>>>>> - To all: Are you aware of implementations of this specification? If >>>>>>> so, I would like to reference them in my write-up. >>>>>>> >>>>>>> - To all: Please also go through the text to make sure that I >>>>>>> correctly reflect the history and the status of this document. >>>>>>> >>>>>>> Here is the most recent version of the write-up: >>>>>>> https://raw.githubusercontent.com/hannestschofenig/tschofenig-ids/master/shepherd-writeups/Writeup_OAuth_JWT-Assertion-Profile.txt >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> (The copy-and-paste of the full version is below.) >>>>>>> >>>>>>> Ciao >>>>>>> Hannes >>>>>>> >>>>>>> PS: Note that I have send a mail about a pending issue to the list. In >>>>>>> response to my question I will update the write-up accordingly. >>>>>>> >>>>>>> ---- >>>>>>> >>>>>>> Writeup for "JSON Web Token (JWT) Profile for OAuth 2.0 Client >>>>>>> Authentication and Authorization Grants" >>>>>>> >>>>>>> >>>>>>> (1) What type of RFC is being requested (BCP, Proposed Standard, >>>>>>> Internet Standard, Informational, Experimental, or Historic)? Why is >>>>>>> this the proper type of RFC? Is this type of RFC indicated in the >>>>>>> title page header? >>>>>>> >>>>>>> The RFC type is 'Standards Track' and the type is indicated in the >>>>>>> title page. This document defines an instantiation for the OAuth >>>>>>> assertion framework using JSON Web Tokens. >>>>>>> >>>>>>> (2) The IESG approval announcement includes a Document Announcement >>>>>>> Write-Up. Please provide such a Document Announcement Write-Up. Recent >>>>>>> examples can be found in the "Action" announcements for approved >>>>>>> documents. The approval announcement contains the following sections: >>>>>>> >>>>>>> Technical Summary: >>>>>>> >>>>>>> This specification defines the use of a JSON Web Token (JWT) >>>>>>> Bearer >>>>>>> Token as a means for requesting an OAuth 2.0 access token as >>>>>>> well as >>>>>>> for use as a means of client authentication. >>>>>>> >>>>>>> Working Group Summary: >>>>>>> >>>>>>> Was there anything in WG process that is worth noting? For example, >>>>>>> was there controversy about particular points or were there decisions >>>>>>> where the consensus was particularly rough? >>>>>>> >>>>>>> This document belongs to the OAuth assertion document bundle >>>>>>> consisting of the abstract OAuth assertion framework, and the SAML >>>>>>> assertion profile. Due to the use of the JSON-based encoding of the >>>>>>> assertion it also relies on the work in the JOSE working group (such >>>>>>> as JWE/JWS) indirectly through the use of the JWT. This document has >>>>>>> intentionally been kept in sync with the SAML-based version. >>>>>>> >>>>>>> Document Quality: >>>>>>> >>>>>>> This document has gone through many iterations and has received >>>>>>> substantial feedback. >>>>>>> >>>>>>> [[Add implementation list here.]] >>>>>>> >>>>>>> Personnel: >>>>>>> >>>>>>> The document shepherd is Hannes Tschofenig and the responsible area >>>>>>> director is Kathleen Moriarty. >>>>>>> >>>>>>> (3) Briefly describe the review of this document that was performed by >>>>>>> the Document Shepherd. If this version of the document is not ready >>>>>>> for publication, please explain why the document is being forwarded to >>>>>>> the IESG. >>>>>>> >>>>>>> The draft authors believe that this document is ready for publication. >>>>>>> The document has had received review comments from working group >>>>>>> members, and from the OAuth working group chairs. These review >>>>>>> comments have been taken into account. >>>>>>> >>>>>>> (4) Does the document Shepherd have any concerns about the depth or >>>>>>> breadth of the reviews that have been performed? >>>>>>> >>>>>>> This document has gotten feedback from the working group and given the >>>>>>> focused use cases it has received adequate review. >>>>>>> >>>>>>> (5) Do portions of the document need review from a particular or from >>>>>>> broader perspective, e.g., security, operational complexity, AAA, DNS, >>>>>>> DHCP, XML, or internationalization? If so, describe the review that >>>>>>> took place. >>>>>>> >>>>>>> Since the OAuth working group develops security protocols any feedback >>>>>>> from the security community is always appreciated. >>>>>>> >>>>>>> (6) Describe any specific concerns or issues that the Document >>>>>>> Shepherd has with this document that the Responsible Area Director >>>>>>> and/or the IESG should be aware of? For example, perhaps he or she is >>>>>>> uncomfortable with certain parts of the document, or has concerns >>>>>>> whether there really is a need for it. In any event, if the WG has >>>>>>> discussed those issues and has indicated that it still wishes to >>>>>>> advance the document, detail those concerns here. >>>>>>> >>>>>>> The shepherd has no concerns with this document. >>>>>>> >>>>>>> (7) Has each author confirmed that any and all appropriate IPR >>>>>>> disclosures required for full conformance with the provisions of BCP >>>>>>> 78 and BCP 79 have already been filed. If not, explain why? >>>>>>> >>>>>>> [[Confirmation from the authors required.]] >>>>>>> >>>>>>> (8) Has an IPR disclosure been filed that references this document? If >>>>>>> so, summarize any WG discussion and conclusion regarding the IPR >>>>>>> disclosures. >>>>>>> >>>>>>> No IPR disclosures have been filed on this document. However, two IPRs >>>>>>> have been filed for the JWT specification this document relies on, see >>>>>>> http://datatracker.ietf.org/ipr/search/?option=document_search&id=draft-ietf-oauth-json-web-token >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> (9) How solid is the WG consensus behind this document? Does it >>>>>>> represent the strong concurrence of a few individuals, with others >>>>>>> being silent, or does the WG as a whole understand and agree with it? >>>>>>> >>>>>>> The working group has consensus to publish this document. >>>>>>> >>>>>>> (10) Has anyone threatened an appeal or otherwise indicated extreme >>>>>>> discontent? If so, please summarise the areas of conflict in separate >>>>>>> email messages to the Responsible Area Director. (It should be in a >>>>>>> separate email because this questionnaire is publicly available.) >>>>>>> >>>>>>> No appeal or extreme discontent has been raised. >>>>>>> >>>>>>> (11) Identify any ID nits the Document Shepherd has found in this >>>>>>> document. (See http://www.ietf.org/tools/idnits/ and the >>>>>>> Internet-Drafts Checklist). Boilerplate checks are not enough; this >>>>>>> check needs to be thorough. >>>>>>> >>>>>>> The shepherd has checked the nits. >>>>>>> >>>>>>> (12) Describe how the document meets any required formal review >>>>>>> criteria, such as the MIB Doctor, media type, and URI type reviews. >>>>>>> >>>>>>> There is no such review necessary. >>>>>>> >>>>>>> (13) Have all references within this document been identified as >>>>>>> either normative or informative? >>>>>>> >>>>>>> Yes. >>>>>>> >>>>>>> (14) Are there normative references to documents that are not ready >>>>>>> for advancement or are otherwise in an unclear state? If such >>>>>>> normative references exist, what is the plan for their completion? >>>>>>> >>>>>>> Yes. >>>>>>> >>>>>>> (15) Are there downward normative references references (see RFC 3967)? >>>>>>> If so, list these downward references to support the Area Director in >>>>>>> the Last Call procedure. >>>>>>> >>>>>>> RFC 6755 defines the urn:ietf:params:oauth URN and is an Informational >>>>>>> RFC. A downref is required. >>>>>>> >>>>>>> However, this document depends on the completion of the abstract OAuth >>>>>>> assertion framework and on the JWT specification. >>>>>>> There are the following dependencies: >>>>>>> >>>>>>> (16) Will publication of this document change the status of any >>>>>>> existing RFCs? Are those RFCs listed on the title page header, listed >>>>>>> in the abstract, and discussed in the introduction? If the RFCs are >>>>>>> not listed in the Abstract and Introduction, explain why, and point to >>>>>>> the part of the document where the relationship of this document to >>>>>>> the other RFCs is discussed. If this information is not in the >>>>>>> document, explain why the WG considers it unnecessary. >>>>>>> >>>>>>> The publication of this document does not change the status of other >>>>>>> RFCs. >>>>>>> >>>>>>> (17) Describe the Document Shepherd's review of the IANA >>>>>>> considerations section, especially with regard to its consistency with >>>>>>> the body of the document. Confirm that all protocol extensions that >>>>>>> the document makes are associated with the appropriate reservations in >>>>>>> IANA registries. >>>>>>> Confirm that any referenced IANA registries have been clearly >>>>>>> identified. Confirm that newly created IANA registries include a >>>>>>> detailed specification of the initial contents for the registry, that >>>>>>> allocations procedures for future registrations are defined, and a >>>>>>> reasonable name for the new registry has been suggested (see RFC 5226). >>>>>>> >>>>>>> The document registers two sub-namespaces to the urn:ietf:params:oauth >>>>>>> URN established with RFC 6755. >>>>>>> >>>>>>> (18) List any new IANA registries that require Expert Review for >>>>>>> future allocations. Provide any public guidance that the IESG would >>>>>>> find useful in selecting the IANA Experts for these new registries. >>>>>>> >>>>>>> The document only adds entries to existing registries and does not >>>>>>> define any new registries. >>>>>>> >>>>>>> (19) Describe reviews and automated checks performed by the Document >>>>>>> Shepherd to validate sections of the document written in a formal >>>>>>> language, such as XML code, BNF rules, MIB definitions, etc. >>>>>>> >>>>>>> There are only snippets of message exchanges and JWT assertion >>>>>>> structures, which are based on JSON, used in the examples. There is no >>>>>>> pseudo code contained in the document that requires validation. >>>>>>> >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From nobody Fri Apr 25 12:00:11 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9159C1A03D7 for ; Fri, 25 Apr 2014 12:00:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9_WJEomw_rnB for ; Fri, 25 Apr 2014 12:00:05 -0700 (PDT) Received: from na6sys009bog031.obsmtp.com (na6sys009bog031.obsmtp.com [74.125.150.105]) by ietfa.amsl.com (Postfix) with ESMTP id 3AF381A031D for ; Fri, 25 Apr 2014 12:00:05 -0700 (PDT) Received: from mail-ie0-f174.google.com ([209.85.223.174]) (using TLSv1) by na6sys009bob031.postini.com ([74.125.148.12]) with SMTP ID DSNKU1qwroTBRI/R5e/HAd9YqdHxK+TZ7FvD@postini.com; Fri, 25 Apr 2014 11:59:59 PDT Received: by mail-ie0-f174.google.com with SMTP id rp18so4078322iec.5 for ; Fri, 25 Apr 2014 11:59:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=rK5fL7q4uiEp+ewbikZnGs6W0Wz0JfJBo5v7ic3OfnI=; b=R4Ojhd/HQjsB8TNqMbDMnNJcJ/1fMyLie3ezWdwwfytOIlZxuoa5cnJYwQNHUVXXmY BBXfxRdGeaRYAqORRPf/Ica9myqO8FdO9aYcImHAerCPo2psIhia95fwnMhyfG5SmVts n3WQJkSbNmZAJA/DhAmzW0OJewHuAgC9ujwbeG0DD9Sbsi57yn/8NtUtkKr7NWiQXm+G Y2f/S7K/rvyQPEWB0v2xlz2Juj6MftTDvvwq9ixHa9VynjqTH8sEu5ahdU+JRyp8UFC+ 9D77xm0Yf8UegtGBbQgAY6eEKwmbnxeph+0eMYRo0S7G3bACFgTvjMfV9zS3O5oSF3Le RTgQ== X-Gm-Message-State: ALoCoQlw+7F09eSlcOh1lB6HU79Z/x+EpxoxxrTppa1iw2t6Ve2oF3552vE9Y5S36rTEDA/9fK67+uxrt+ciSrfsBEnkkBB0zOIYeM3bXY6koKD8gl8buMS7oITvajxuZSIUMU2LiXlr X-Received: by 10.50.109.230 with SMTP id hv6mr7109864igb.9.1398452398362; Fri, 25 Apr 2014 11:59:58 -0700 (PDT) X-Received: by 10.50.109.230 with SMTP id hv6mr7109851igb.9.1398452398264; Fri, 25 Apr 2014 11:59:58 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Fri, 25 Apr 2014 11:59:28 -0700 (PDT) From: Brian Campbell Date: Fri, 25 Apr 2014 12:59:28 -0600 Message-ID: To: Bill Burke Content-Type: multipart/alternative; boundary=089e013a1d8e6f238d04f7e2920a Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/TqShotNz44ct0BL4aKlTEvfFQV0 Cc: oauth Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 19:00:07 -0000 --089e013a1d8e6f238d04f7e2920a Content-Type: text/plain; charset=UTF-8 draft-ietf-oauth-jwt-bearer is only about interactions (client authentication and JWT as an authorization grant) with the token endpoint and doesn't define JWT style access tokens. On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke wrote: > Red Hat Keycloak [1] only supports basic auth for client authentication as > suggested in the OAuth 2 spec. But our access tokens are JWS signed JWTs. > > Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth [2]? > Or is there another document I should be following? I'd like to see what > other claims are being discussed related to JWT-based access tokens and may > have some additional access token claims we've been experimenting with > others might be interested in. > > Also, I'm not sure yet if we'll implement draft-ietf-oauth-jwt-bearer to > authenticate clients. A lot of our initial users are more interested in > public clients and/or the implicit flow as they are writing a lot of pure > javascript apps served up by simple static web servers. > > [1] http://keycloak.org > [2] http://tools.ietf.org/html/rfc6750 > > --089e013a1d8e6f238d04f7e2920a Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
draft-ietf-oauth-jwt-bearer is only about interactions (cl= ient authentication and JWT as an authorization grant) with the token endpo= int and doesn't define JWT style access tokens.


On Fri, Apr 25, 2014 at 12:51 PM, Bill B= urke <bburke@redhat.com> wrote:
Red Hat Keycloak [1] only supports basic auth for client authentication as = suggested in the OAuth 2 spec. =C2=A0But our access tokens are JWS signed J= WTs.

Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth [2]? =C2= =A0Or is there another document I should be following? =C2=A0I'd like t= o see what other claims are being discussed related to JWT-based access tok= ens and may have some additional access token claims we've been experim= enting with others might be interested in.

Also, I'm not sure yet if we'll implement draft-ietf-oauth-jwt-bear= er to authenticate clients. =C2=A0A lot of our initial users are more inter= ested in public clients and/or the implicit flow as they are writing a lot = of pure javascript apps served up by simple static web servers.

[1] http://keycloak.org
[2] http:/= /tools.ietf.org/html/rfc6750
--089e013a1d8e6f238d04f7e2920a-- From nobody Fri Apr 25 12:08:43 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 902201A06D4 for ; Fri, 25 Apr 2014 12:08:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gbae5S3JTPwN for ; Fri, 25 Apr 2014 12:08:34 -0700 (PDT) Received: from mail-qc0-f179.google.com (mail-qc0-f179.google.com [209.85.216.179]) by ietfa.amsl.com (Postfix) with ESMTP id 6995C1A06EF for ; Fri, 25 Apr 2014 12:08:32 -0700 (PDT) Received: by mail-qc0-f179.google.com with SMTP id l6so3674095qcy.10 for ; Fri, 25 Apr 2014 12:08:25 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=zrz8c9FQx+mW3sMZeSXCMHXFwliQMcgh8ANxJr39d2U=; b=dMAF1ITo2Jo/7QXjPBMQ3PW1M/fazRWCiwLasge1H22aClFMQ8270uEQhgeyaeAo8S f7+bHiM2zhP94VxSNDQ2RCpyT1GqPN+AhL4Qt5CYAcg77mCZvX00+1QjaOT3OoykCy7E yT4IhaiPPCPkw+9eqdScLNDMahiakne1DYj7wOLR3d3mXRB1hQFybuP45SCMdeGRwbV6 OymoGWCd/EtxiZgWL7NPS5Xqi2xoHy5OMx+Be/zl8lshrVRnOULop7o+4fJhBaaNAOG4 R/cnYNTpu44XZO9Hb1eRwg/1RHCotCHK7XKt1DHUAZmCsc4N9qoeTmhFum3z3SH6r+V+ M1DA== X-Gm-Message-State: ALoCoQkUlnwTJNbCO0Me4IEf/TiwOjMZmjxIW4B1D6XfqckAmv5xp2T6owBCQ/vRB3dFDDX9GrpV X-Received: by 10.140.25.113 with SMTP id 104mr938085qgs.39.1398452905526; Fri, 25 Apr 2014 12:08:25 -0700 (PDT) Received: from [192.168.0.200] ([201.188.68.144]) by mx.google.com with ESMTPSA id 11sm10662057qgv.20.2014.04.25.12.08.21 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 12:08:24 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_EC577ECE-FD9B-4968-9B3D-F0CA3E4FC9B9" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> Date: Fri, 25 Apr 2014 16:08:21 -0300 Message-Id: References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> To: Michael Jones X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/w0JsMphK1DaSuCpLPvyHKIzRfAM Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 19:08:39 -0000 --Apple-Mail=_EC577ECE-FD9B-4968-9B3D-F0CA3E4FC9B9 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 Agreed. On Apr 25, 2014, at 3:07 PM, Mike Jones = wrote: > I agree. We=92d already discussed this pretty extensively and reached = the conclusion that always requiring both an issuer and a subject both = kept the specs simpler and was likely to improve interoperability. > =20 > It=92s entirely up to the application profile what the contents of the = issuer and the subject fields are and so I don=92t think we need to = further specify their contents beyond what=92s already in the specs. > =20 > -- Mike > =20 > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian = Campbell > Sent: Friday, April 25, 2014 10:17 AM > To: Hannes Tschofenig > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue > =20 > I believe, from the thread referenced earlier and prior discussion and = draft text, that the WG has reached (rough) consensus to require the = subject claim. So text that says "Subject element MUST NOT be included" = isn't workable. >=20 > It seems what's needed here is some better explanation of how, in = cases that need it, the value of the subject can be populated without = using a PII type value. A simple static value like "ANONYMOUS-SUBJECT" = could be used. Or, more likely, some kind of pairwise persistent = pseudonymous identifier would be utilized, which would not directly = identify the subject but would allow the relying party to recognize the = same subject on subsequent transactions. A transient pseudonym might = also be appropriate in some cases. And any of those approaches could be = used with or without additional claims (like age > 18 or membership in = some group) that get used to make an authorization decision.=20 >=20 > I wasn't sure exactly how to articulate all that in text for the = draft(s) but that's more of what I was asking for when I asked if you = could propose some text. >=20 >=20 >=20 >=20 > =20 >=20 > On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig = wrote: > Hi Brian, >=20 > Thanks for pointing to the assertion framework document. Re-reading = the > text it appears that we have listed the case that in Section 6.3.1 but > have forgotten to cover it elsewhere in the document. >=20 >=20 > In Section 6.3.1 we say: >=20 > " >=20 > 6.3.1. Client Acting on Behalf of an Anonymous User >=20 > When a client is accessing resources on behalf of an anonymous = user, > the Subject indicates to the Authorization Server that the client = is > acting on-behalf of an anonymous user as defined by the = Authorization > Server. It is implied that authorization is based upon additional > criteria, such as additional attributes or claims provided in the > assertion. For example, a client may present an assertion from a > trusted issuer asserting that the bearer is over 18 via an included > claim. >=20 > ***** > In this case, no additional information about the user's > identity is included, yet all the data needed to issue an access > token is present. > ***** > " > (I marked the relevant part with '***') >=20 >=20 > In Section 5.2, however, we say: >=20 >=20 > o The assertion MUST contain a Subject. The Subject identifies an > authorized accessor for which the access token is being = requested > (typically the resource owner, or an authorized delegate). When > the client is acting on behalf of itself, the Subject MUST be = the > value of the client's "client_id". >=20 >=20 > What we should have done in Section 5.2 is to expand the cases inline > with what we have written in Section 6. >=20 > Here is my proposed text: >=20 > " > o The assertion MUST contain a Subject. The Subject identifies an > authorized accessor for which the access token is being requested > (typically the resource owner, or an authorized delegate). >=20 >=20 > When the client is acting on behalf of itself, as described in Section > 6.1 and Section 6.2, the Subject MUST be the value of the client's > "client_id". >=20 > When the client is acting on behalf of an user, as described in = Section > 6.3, the Subject element MUST be included in the assertion and > identifies an authorized accessor for which the access token is being > requested. >=20 > When the client is acting on behalf of an anonymous user, as described > in Section 6.3.1, the Subject element MUST NOT be included in the > assertion. Other elements within the assertion will, however, provide > enough information for the authorization server to make an = authorization > decision. > " >=20 > Does this make sense to you? >=20 > Ciao > Hannes >=20 >=20 > On 04/24/2014 02:30 PM, Brian Campbell wrote: > > There is some discussion of that case in the assertion framework > > document at > > = http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 > > > > Do you feel that more is needed? If so, can you propose some text? > > > > > > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig > > > = wrote: > > > > Hi Brian, > > > > I read through the thread and the Google case is a bit different = since > > they are using the client authentication part of the JWT bearer = spec. > > There I don't see the privacy concerns either. > > > > I am, however, focused on the authorization grant where the = subject is > > in most cases the resource owner. > > > > It is possible to put garbage into the subject element when = privacy > > protection is needed for the resource owner case but that would = need to > > be described in the document; currently it is not there. > > > > Ciao > > Hannes > > > > > > On 04/24/2014 12:37 AM, Brian Campbell wrote: > > > That thread that Antonio started which you reference went on = for some > > > time > > > > > = (http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) > > > and seems to have reached consensus that the spec didn't need > > normative > > > change and that such privacy cases or other cases which didn't > > > explicitly need a subject identifier would be more = appropriately dealt > > > with in application logic: > > > = http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html > > > > > > > > > > > > > > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig > > > > > > >> wrote: > > > > > > Hi all, > > > > > > in preparing the shepherd write-up for > > draft-ietf-oauth-jwt-bearer-08 I > > > had to review our recent email conversations and the issue > > raised by > > > Antonio in > > > > > http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html = belong > > > to it. > > > > > > The issue was that Section 3 of = draft-ietf-oauth-jwt-bearer-08 > > says: > > > " > > > 2. The JWT MUST contain a "sub" (subject) claim > > identifying the > > > principal that is the subject of the JWT. Two = cases > > need to be > > > differentiated: > > > > > > A. For the authorization grant, the subject = SHOULD > > identify an > > > authorized accessor for whom the access token = is being > > > requested (typically the resource owner, or an > > authorized > > > delegate). > > > > > > B. For client authentication, the subject MUST be = the > > > "client_id" of the OAuth client. > > > " > > > > > > Antonio pointed to the current Google API to illustrate = that > > the subject > > > is not always needed. Here is the Google API = documentation: > > > = https://developers.google.com/accounts/docs/OAuth2ServiceAccount > > > > > > The Google API used the client authentication part (rather > > than the > > > authorization grant), in my understanding. > > > > > > I still believe that the subject field has to be included = for > > client > > > authentication but I am not so sure anymore about the > > authorization > > > grant since I could very well imagine cases where the = subject > > is not > > > needed for authorization decisions but also for privacy = reasons. > > > > > > I would therefore suggest to change the text as follows: > > > > > > " > > > 2. The JWT contains a "sub" (subject) claim = identifying the > > > principal that is the subject of the JWT. Two = cases > > need to be > > > differentiated: > > > > > > A. For the authorization grant, the subject claim = MAY > > > be included. If it is included it MUST = identify the > > > authorized accessor for whom the access token = is being > > > requested (typically the resource owner, or an > > authorized > > > delegate). Reasons for not including the = subject claim > > > in the JWT are identity hiding (i.e., privacy > > protection > > > of the identifier of the subject) and cases = where > > > the identifier of the subject is irrelevant = for making > > > an authorization decision by the resource = server. > > > > > > B. For client authentication, the subject MUST be = the > > > included in the JWT and the value MUST be = populated > > > with the "client_id" of the OAuth client. > > > " > > > > > > What do you guys think? > > > > > > Ciao > > > Hannes > > > > > > > > > _______________________________________________ > > > OAuth mailing list > > > OAuth@ietf.org = > > > > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > > > > >=20 > =20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_EC577ECE-FD9B-4968-9B3D-F0CA3E4FC9B9 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 Agreed.

On Apr 25, = 2014, at 3:07 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

I agree.  We=92d already discussed this pretty = extensively and reached the conclusion that always requiring both an = issuer and a subject both kept the specs simpler and was likely to = improve interoperability.
 
It=92s entirely up to the = application profile what the contents of the issuer and the subject = fields are and so I don=92t think we need to further specify their = contents beyond what=92s already in the = specs.
 
           &= nbsp;           &nb= sp;            = ;            &= nbsp;           -- = Mike
 
From: OAuth [mailto:oauth-bounces@ietf.org]<= span class=3D"Apple-converted-space"> On Behalf Of Brian = Campbell
Sent: Friday, April 25, 2014 = 10:17 AM
To: Hannes = Tschofenig
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] = draft-ietf-oauth-jwt-bearer-08 & subject = issue
 

I believe, from the thread referenced earlier and prior = discussion and draft text, that the WG has reached (rough) consensus to = require the subject claim. So text that says "Subject element MUST NOT = be included" isn't workable.

It seems what's needed here is some better explanation = of how, in cases that need it, the value of the subject can be populated = without using a PII type value. A simple static value like = "ANONYMOUS-SUBJECT" could be used. Or, more likely, some kind of = pairwise persistent pseudonymous identifier would be utilized, which = would not directly identify the subject but would allow the relying = party to recognize the same subject on subsequent transactions. A = transient pseudonym might also be appropriate in some cases. And any of = those approaches could be used with or without additional claims (like = age > 18 or membership in some group) that get used to make an = authorization decision. 

I wasn't sure exactly how to articulate all that in text for the = draft(s) but that's more of what I was asking for when I asked if you = could propose some text.




 

On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig = <hannes.tschofenig@gmx.net> = wrote:
Hi = Brian,

Thanks for pointing to the assertion framework document. = Re-reading the
text it appears that we have listed the case that in = Section 6.3.1 but
have forgotten to cover it elsewhere in the = document.


In Section 6.3.1 we say:

"

6.3.1. =  Client Acting on Behalf of an Anonymous User

  =  When a client is accessing resources on behalf of an anonymous = user,
   the Subject indicates to the Authorization Server = that the client is
   acting on-behalf of an anonymous user = as defined by the Authorization
   Server.  It is = implied that authorization is based upon additional
  =  criteria, such as additional attributes or claims provided in = the
   assertion.  For example, a client may present = an assertion from a
   trusted issuer asserting that the = bearer is over 18 via an included
  =  claim.

*****
    In this case, no additional = information about the user's
   identity is included, yet = all the data needed to issue an access
   token is = present.
*****
"
(I marked the relevant part with = '***')


In Section 5.2, however, we say:


  =  o  The assertion MUST contain a Subject.  The Subject = identifies an
      authorized accessor for which the = access token is being requested
      (typically the = resource owner, or an authorized delegate).  When
    =   the client is acting on behalf of itself, the Subject MUST be = the
      value of the client's = "client_id".


What we should have done in Section 5.2 is to = expand the cases inline
with what we have written in Section = 6.

Here is my proposed text:

"
o  The assertion = MUST contain a Subject.  The Subject identifies an
authorized = accessor for which the access token is being = requested

(typically the resource owner, or an authorized = delegate).

When = the client is acting on behalf of itself, as described in Section
6.1 = and Section 6.2, the Subject MUST be the value of the = client's
"client_id".

When the client is acting on behalf of = an user, as described in Section
6.3, the Subject element MUST be = included in the assertion and
identifies an authorized accessor for = which the access token is being
requested.

When the client is = acting on behalf of an anonymous user, as described
in Section 6.3.1, = the Subject element MUST NOT be included in the
assertion. Other = elements within the assertion will, however, provide
enough = information for the authorization server to make an = authorization
decision.
"

Does this make sense to = you?

Ciao
Hannes


On 04/24/2014 02:30 PM, Brian Campbell wrote:
> = There is some discussion of that case in the assertion framework
> = document at
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#sect= ion-6.3.1
>
> Do you feel that more is needed? If so, = can you propose some text?
>
>
> On Thu, Apr 24, 2014 = at 1:09 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> = wrote:
>
>     Hi Brian,
>
>   =   I read through the thread and the Google case is a bit different = since
>     they are using the client authentication = part of the JWT bearer spec.
>     There I don't see the = privacy concerns either.
>
>     I am, however, = focused on the authorization grant where the subject is
>   =   in most cases the resource owner.
>
>     = It is possible to put garbage into the subject element when = privacy
>     protection is needed for the resource = owner case but that would need to
>     be described in = the document; currently it is not there.
>
>     = Ciao
>     Hannes
>
>
>     = On 04/24/2014 12:37 AM, Brian Campbell wrote:
>     > = That thread that Antonio started which you reference went on for = some
>     > time
>     >
> =     (http://www.ietf.org/mail-archive/web/oauth/current/threads.htm= l#12520)
>     > and seems to have reached = consensus that the spec didn't need
>     = normative
>     > change and that such privacy cases = or other cases which didn't
>     > explicitly need a = subject identifier would be more appropriately dealt
>   =   > with in application logic:
>     > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.ht= ml
>     >
>     >
> =     >
>     >
>     > = On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig
>     = > <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>
>     <mailto:hannes.tschofenig@gmx.net>>> = wrote:
>     >
>     >   =   Hi all,
>     >
>     > =     in preparing the shepherd write-up for
>   =   draft-ietf-oauth-jwt-bearer-08 I
>     > =     had to review our recent email conversations and the = issue
>     raised by
>     >   =   Antonio in
>     >
>     http://www.ietf.org/mail-archive/web/oauth/current/msg12520.ht= ml belong
> =     >     to it.
>     = >
>     >     The issue was that Section = 3 of draft-ietf-oauth-jwt-bearer-08
>     says:
> =     >     "
>     >   =      2.   The JWT MUST contain a "sub" (subject) = claim
>     identifying the
>     > =             principal that is the subject = of the JWT.  Two cases
>     need to be
> =     >             = differentiated:
>     >
>     > =             A.  For the authorization = grant, the subject SHOULD
>     identify an
> =     >               =   authorized accessor for whom the access token is being
> =     >               =   requested (typically the resource owner, or an
>   =   authorized
>     >         =         delegate).
>     = >
>     >           =   B.  For client authentication, the subject MUST be = the
>     >             =     "client_id" of the OAuth client.
>     = >     "
>     >
>     = >     Antonio pointed to the current Google API to = illustrate that
>     the subject
>     = >     is not always needed. Here is the Google API = documentation:
>     >     https://developers.google.com/accounts/docs/OAuth2ServiceAccou= nt
>     >
>     >   =   The Google API used the client authentication part = (rather
>     than the
>     >   =   authorization grant), in my understanding.
>     = >
>     >     I still believe that the = subject field has to be included for
>     = client
>     >     authentication but I am = not so sure anymore about the
>     = authorization
>     >     grant since I = could very well imagine cases where the subject
>     is = not
>     >     needed for authorization = decisions but also for privacy reasons.
>     = >
>     >     I would therefore suggest = to change the text as follows:
>     >
>   =   >     "
>     >     =    2.   The JWT contains a "sub" (subject) claim = identifying the
>     >         =     principal that is the subject of the JWT.  Two = cases
>     need to be
>     >   =           differentiated:
>     = >
>     >           =   A.  For the authorization grant, the subject claim = MAY
>     >             =     be included. If it is included it MUST identify = the
>     >             =     authorized accessor for whom the access token is = being
>     >           =       requested (typically the resource owner, or = an
>     authorized
>     >   =               delegate). Reasons for = not including the subject claim
>     >     =             in the JWT are identity hiding = (i.e., privacy
>     protection
>     = >                 of the = identifier of the subject) and cases where
>     > =                 the identifier = of the subject is irrelevant for making
>     > =                 an authorization = decision by the resource server.
>     >
> =     >             B. =  For client authentication, the subject MUST be the
>   =   >                 = included in the JWT and the value MUST be populated
>   =   >                 with = the "client_id" of the OAuth client.
>     >   =   "
>     >
>     >   =   What do you guys think?
>     >
>   =   >     Ciao
>     >     = Hannes
>     >
>     >
> =     >     = _______________________________________________
>     = >     OAuth mailing list

>     >   =   OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>     <mailto:OAuth@ietf.org>>
>     >   =   https://www.ietf.org/mailman/listinfo/oauth
> =     >
>     = >
>
>

 
_______________________________= ________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_EC577ECE-FD9B-4968-9B3D-F0CA3E4FC9B9-- From nobody Fri Apr 25 12:51:35 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8A31A06AF for ; Fri, 25 Apr 2014 12:51:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.174 X-Spam-Level: X-Spam-Status: No, score=-7.174 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CZB0gQXXo8OM for ; Fri, 25 Apr 2014 12:51:32 -0700 (PDT) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id 24D2A1A06EC for ; Fri, 25 Apr 2014 12:51:32 -0700 (PDT) Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s3PJpPQ0022963 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 25 Apr 2014 15:51:25 -0400 Received: from [10.10.50.202] (vpn-50-202.rdu2.redhat.com [10.10.50.202]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s3PJpN2f018596; Fri, 25 Apr 2014 15:51:25 -0400 Message-ID: <535ABCBF.3090308@redhat.com> Date: Fri, 25 Apr 2014 15:51:27 -0400 From: Bill Burke User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/lfX6QvX_0C2JkHp8bVxvNQO11L0 Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 19:51:34 -0000 Thank you. Thats what I thought. Is it just assumed JWT would/might be used an access token format for Bearer token auth? Or is there another draft somewhere for that? Is anybody out there using JWS + JWT as a access token format? On 4/25/2014 2:59 PM, Brian Campbell wrote: > draft-ietf-oauth-jwt-bearer is only about interactions (client > authentication and JWT as an authorization grant) with the token > endpoint and doesn't define JWT style access tokens. > > > On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke > wrote: > > Red Hat Keycloak [1] only supports basic auth for client > authentication as suggested in the OAuth 2 spec. But our access > tokens are JWS signed JWTs. > > Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth > [2]? Or is there another document I should be following? I'd like > to see what other claims are being discussed related to JWT-based > access tokens and may have some additional access token claims we've > been experimenting with others might be interested in. > > Also, I'm not sure yet if we'll implement > draft-ietf-oauth-jwt-bearer to authenticate clients. A lot of our > initial users are more interested in public clients and/or the > implicit flow as they are writing a lot of pure javascript apps > served up by simple static web servers. > > [1] http://keycloak.org > [2] http://tools.ietf.org/html/__rfc6750 > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From nobody Fri Apr 25 12:58:28 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FA5C1A03CD for ; Fri, 25 Apr 2014 12:58:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2-K23TkECs8S for ; Fri, 25 Apr 2014 12:58:21 -0700 (PDT) Received: from na6sys009bog039.obsmtp.com (na6sys009bog039.obsmtp.com [74.125.150.113]) by ietfa.amsl.com (Postfix) with ESMTP id 5E1931A03C9 for ; Fri, 25 Apr 2014 12:58:20 -0700 (PDT) Received: from mail-ig0-f170.google.com ([209.85.213.170]) (using TLSv1) by na6sys009bob039.postini.com ([74.125.148.12]) with SMTP ID DSNKU1q+Vd20LlUQM/4GLf438fL3Oi0fcxIN@postini.com; Fri, 25 Apr 2014 12:58:14 PDT Received: by mail-ig0-f170.google.com with SMTP id uq10so2659854igb.3 for ; Fri, 25 Apr 2014 12:58:13 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=86r8pvZwVVguKwNJPUkXVH8ACvYLcv9JRbIQ39OXjU0=; b=STiNBQM9C8uK7OR61ouVCOlW9YPYKoJfm8cOn4i0Yj7Lpc9AdXDux8kPCNCtAlgZQP iLehNtMy1l4FBW09NI4mUv3nQaHone5k9we8VpGDnZq7g9WoqcWoIZOYu5l6NQNKetbh RQWTjT+WUKFAvdEfRqEmf8joy0ijtzVDWleCJeR9hVKlBIwrxzla8qbu1GXwBTkVBRK1 qwl4RyE9cAEikbFsNNnSOQauPMCeTwRy+bNXwk8P7iXyT3eHPyKoeLnY05WcjMFdicTH 2HCacKgCcfesFY3lFuXbt4IpQv35PPq4X6LOGX66E8mSDtF0xXr1EzwCj8EbD4LLjlII FpAg== X-Gm-Message-State: ALoCoQmuO8KSBFiYgxzTb9P7L7vRztM4d3suIoSjrFTJ5QWr/Vr7YjFGF2aMFmrThqYLYi0yP9O+Yv7/KoKmXXyB36z/ALTu/W4Su3t+TVuYiwCY2Tw0fiSav487NRyDcv68I8YkjfNd X-Received: by 10.50.13.100 with SMTP id g4mr7492134igc.9.1398455893394; Fri, 25 Apr 2014 12:58:13 -0700 (PDT) X-Received: by 10.50.13.100 with SMTP id g4mr7492120igc.9.1398455893219; Fri, 25 Apr 2014 12:58:13 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Fri, 25 Apr 2014 12:57:43 -0700 (PDT) In-Reply-To: References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> From: Brian Campbell Date: Fri, 25 Apr 2014 13:57:43 -0600 Message-ID: To: John Bradley Content-Type: multipart/alternative; boundary=089e013c6614bff40b04f7e362ca Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/1fKjZKgMmHf9HS_J85USS5CgJWk Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 19:58:26 -0000 --089e013c6614bff40b04f7e362ca Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable I absolutely agree with always requiring both issuer and subject and that doing so keeps the specs simpler and is likely to improve interoperability. However, without changing that, perhaps some of the text in the document(s) could be improved a bit. Here's a rough proposal: Change the text of the second bullet in http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2 to "The assertion MUST contain a Subject. The Subject typically identifies an authorized accessor for which the access token is being requested (i.e. the resource owner, or an authorized delegate) but, in some cases, may be a pseudonym or other value denoting an anonymous user. When the client is acting on behalf of itself, the Subject MUST be the value of the client's client_id." And also change http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 to "When a client is accessing resources on behalf of an anonymous user, a mutually agreed upon Subject identifier indicating anonymity is used. The Subject value might be an agreed upon static value indicating an anonymous user or an opaque persistent or transient pseudonym for the user may also be utilized. The authorization may be based upon additional criteria, such as additional attributes or claims provided in the assertion. For example, a client may present an assertion from a trusted issuer asserting that the bearer is over 18 via an included claim. In this case, no additional information about the user's identity is included, yet all the data needed to issue an access token is present." And maybe also change the subject text in SAML and JWT (item #2 in http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3 and http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3) to read a little more like the new proposed text above for section 5.2 of the Assertion Framework draft. Would that sit any better with you, Hannes? Thoughts from others in the WG? On Fri, Apr 25, 2014 at 1:08 PM, John Bradley wrote: > Agreed. > > On Apr 25, 2014, at 3:07 PM, Mike Jones > wrote: > > I agree. We=E2=80=99d already discussed this pretty extensively and reac= hed the > conclusion that always requiring both an issuer and a subject both kept t= he > specs simpler and was likely to improve interoperability. > > It=E2=80=99s entirely up to the application profile what the contents of = the > issuer and the subject fields are and so I don=E2=80=99t think we need to= further > specify their contents beyond what=E2=80=99s already in the specs. > > -- Mike > > *From:* OAuth [mailto:oauth-bounces@ietf.org ] *O= n > Behalf Of *Brian Campbell > *Sent:* Friday, April 25, 2014 10:17 AM > *To:* Hannes Tschofenig > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue > > > I believe, from the thread referenced earlier and prior discussion and > draft text, that the WG has reached (rough) consensus to require the > subject claim. So text that says "Subject element MUST NOT be included" > isn't workable. > > It seems what's needed here is some better explanation of how, in cases > that need it, the value of the subject can be populated without using a P= II > type value. A simple static value like "ANONYMOUS-SUBJECT" could be used. > Or, more likely, some kind of pairwise persistent pseudonymous identifier > would be utilized, which would not directly identify the subject but woul= d > allow the relying party to recognize the same subject on subsequent > transactions. A transient pseudonym might also be appropriate in some > cases. And any of those approaches could be used with or without addition= al > claims (like age > 18 or membership in some group) that get used to make = an > authorization decision. > I wasn't sure exactly how to articulate all that in text for the draft(s) > but that's more of what I was asking for when I asked if you could propos= e > some text. > > > > > > On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig < > hannes.tschofenig@gmx.net> wrote: > Hi Brian, > > Thanks for pointing to the assertion framework document. Re-reading the > text it appears that we have listed the case that in Section 6.3.1 but > have forgotten to cover it elsewhere in the document. > > > In Section 6.3.1 we say: > > " > > 6.3.1. Client Acting on Behalf of an Anonymous User > > When a client is accessing resources on behalf of an anonymous user, > the Subject indicates to the Authorization Server that the client is > acting on-behalf of an anonymous user as defined by the Authorization > Server. It is implied that authorization is based upon additional > criteria, such as additional attributes or claims provided in the > assertion. For example, a client may present an assertion from a > trusted issuer asserting that the bearer is over 18 via an included > claim. > > ***** > In this case, no additional information about the user's > identity is included, yet all the data needed to issue an access > token is present. > ***** > " > (I marked the relevant part with '***') > > > In Section 5.2, however, we say: > > > o The assertion MUST contain a Subject. The Subject identifies an > authorized accessor for which the access token is being requested > (typically the resource owner, or an authorized delegate). When > the client is acting on behalf of itself, the Subject MUST be the > value of the client's "client_id". > > > What we should have done in Section 5.2 is to expand the cases inline > with what we have written in Section 6. > > Here is my proposed text: > > " > o The assertion MUST contain a Subject. The Subject identifies an > authorized accessor for which the access token is being requested > > (typically the resource owner, or an authorized delegate). > > When the client is acting on behalf of itself, as described in Section > 6.1 and Section 6.2, the Subject MUST be the value of the client's > "client_id". > > When the client is acting on behalf of an user, as described in Section > 6.3, the Subject element MUST be included in the assertion and > identifies an authorized accessor for which the access token is being > requested. > > When the client is acting on behalf of an anonymous user, as described > in Section 6.3.1, the Subject element MUST NOT be included in the > assertion. Other elements within the assertion will, however, provide > enough information for the authorization server to make an authorization > decision. > " > > Does this make sense to you? > > Ciao > Hannes > > > On 04/24/2014 02:30 PM, Brian Campbell wrote: > > There is some discussion of that case in the assertion framework > > document at > > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 > > > > Do you feel that more is needed? If so, can you propose some text? > > > > > > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig > > > wrote: > > > > Hi Brian, > > > > I read through the thread and the Google case is a bit different > since > > they are using the client authentication part of the JWT bearer spe= c. > > There I don't see the privacy concerns either. > > > > I am, however, focused on the authorization grant where the subject > is > > in most cases the resource owner. > > > > It is possible to put garbage into the subject element when privacy > > protection is needed for the resource owner case but that would nee= d > to > > be described in the document; currently it is not there. > > > > Ciao > > Hannes > > > > > > On 04/24/2014 12:37 AM, Brian Campbell wrote: > > > That thread that Antonio started which you reference went on for > some > > > time > > > > > ( > http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) > > > and seems to have reached consensus that the spec didn't need > > normative > > > change and that such privacy cases or other cases which didn't > > > explicitly need a subject identifier would be more appropriately > dealt > > > with in application logic: > > > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html > > > > > > > > > > > > > > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig > > > > > > >> wrote: > > > > > > Hi all, > > > > > > in preparing the shepherd write-up for > > draft-ietf-oauth-jwt-bearer-08 I > > > had to review our recent email conversations and the issue > > raised by > > > Antonio in > > > > > http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html > belong > > > to it. > > > > > > The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-0= 8 > > says: > > > " > > > 2. The JWT MUST contain a "sub" (subject) claim > > identifying the > > > principal that is the subject of the JWT. Two cases > > need to be > > > differentiated: > > > > > > A. For the authorization grant, the subject SHOULD > > identify an > > > authorized accessor for whom the access token is > being > > > requested (typically the resource owner, or an > > authorized > > > delegate). > > > > > > B. For client authentication, the subject MUST be th= e > > > "client_id" of the OAuth client. > > > " > > > > > > Antonio pointed to the current Google API to illustrate that > > the subject > > > is not always needed. Here is the Google API documentation: > > > > https://developers.google.com/accounts/docs/OAuth2ServiceAccount > > > > > > The Google API used the client authentication part (rather > > than the > > > authorization grant), in my understanding. > > > > > > I still believe that the subject field has to be included for > > client > > > authentication but I am not so sure anymore about the > > authorization > > > grant since I could very well imagine cases where the subject > > is not > > > needed for authorization decisions but also for privacy > reasons. > > > > > > I would therefore suggest to change the text as follows: > > > > > > " > > > 2. The JWT contains a "sub" (subject) claim identifying > the > > > principal that is the subject of the JWT. Two cases > > need to be > > > differentiated: > > > > > > A. For the authorization grant, the subject claim MA= Y > > > be included. If it is included it MUST identify t= he > > > authorized accessor for whom the access token is > being > > > requested (typically the resource owner, or an > > authorized > > > delegate). Reasons for not including the subject > claim > > > in the JWT are identity hiding (i.e., privacy > > protection > > > of the identifier of the subject) and cases where > > > the identifier of the subject is irrelevant for > making > > > an authorization decision by the resource server. > > > > > > B. For client authentication, the subject MUST be th= e > > > included in the JWT and the value MUST be populat= ed > > > with the "client_id" of the OAuth client. > > > " > > > > > > What do you guys think? > > > > > > Ciao > > > Hannes > > > > > > > > > _______________________________________________ > > > OAuth mailing list > > > > OAuth@ietf.org > > > > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > --089e013c6614bff40b04f7e362ca Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
I absolutely agree with always requiring both issuer = and subject and that doing so keeps the specs simpler and is likely to impr= ove interoperability.

However, without changing that, perhaps = some of the text in the document(s) could be improved a bit. Here's a r= ough proposal:

Change the text of the second bullet in http://tools.ietf.org/ht= ml/draft-ietf-oauth-assertions-15#section-5.2 to

"The assertion MUST contain a Subject. The Subject typically identifie= s an authorized accessor for which the access token is being requested (i.e= . the resource owner, or an authorized delegate) but, in some cases, may be= a pseudonym or other value denoting an anonymous user. When the client is = acting on behalf of itself, the Subject MUST be the value of the client'= ;s client_id."

And also change http://tools.ietf.org/html/draft-ie= tf-oauth-assertions-15#section-6.3.1 to

"When a client is accessing resources on behalf of an anonymous user, = a mutually agreed upon Subject identifier indicating anonymity is used. The= Subject value might be an agreed upon static value indicating an anonymous= user or an opaque persistent or transient pseudonym for the user may also = be utilized. The authorization may be based upon additional criteria, such = as additional attributes or claims provided in the assertion. For example, = a client may present an assertion from a trusted issuer asserting that the = bearer is over 18 via an included claim. In this case, no additional inform= ation about the user's identity is included, yet all the data needed to= issue an access token is present."

And maybe also change the subject text in SAML and JWT= (item #2 in http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08= #section-3 and http://tools.ietf.org/html/draft-ietf-oauth-saml2= -bearer-19#section-3) to read a little more like the new proposed text = above for section 5.2 of the Assertion Framework draft.

Would that sit any better with you, Hannes? Thoughts from ot= hers in the WG?


On Fri, Apr 25, 2014 at 1:08 PM, John Bradley <ve7jtb@= ve7jtb.com> wrote:
Agreed.<= div>
On Apr 25, 2014, at 3:07 PM, Mike = Jones <= Michael.Jones@microsoft.com> wrote:

I agree.=C2=A0 W= e=E2=80=99d already discussed this pretty extensively and reached the concl= usion that always requiring both an issuer and a subject both kept the spec= s simpler and was likely to improve interoperability.<= /div>
=C2=A0
It=E2=80=99s entirely up to the application profile what the conten= ts of the issuer and the subject fields are and so I don=E2=80=99t think we= need to further specify their contents beyond what=E2=80=99s already in th= e specs.
=C2=A0
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 -- Mike<= /u>
=C2=A0
From:=C2=A0OAuth [mailto:oauth-bounces@i= etf.org]=C2=A0On Behalf Of=C2=A0Brian = Campbell
Sent:=C2=A0Friday, April 25, 2014 10:17 AM
To:=C2=A0Hannes Tschofenig
Cc:=C2=A0oauth@ietf.org
Sub= ject:=C2=A0Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 &= amp; subject issue
=C2=A0

I believe, from the thread referenced earlier and prior discussion and draf= t text, that the WG has reached (rough) consensus to require the subject cl= aim. So text that says "Subject element MUST NOT be included" isn= 't workable.

It seems what's needed here = is some better explanation of how, in cases that need it, the value of the = subject can be populated without using a PII type value. A simple static va= lue like "ANONYMOUS-SUBJECT" could be used. Or, more likely, some= kind of pairwise persistent pseudonymous identifier would be utilized, whi= ch would not directly identify the subject but would allow the relying part= y to recognize the same subject on subsequent transactions. A transient pse= udonym might also be appropriate in some cases. And any of those approaches= could be used with or without additional claims (like age > 18 or membe= rship in some group) that get used to make an authorization decision.=C2=A0=

I wasn't sure exactly how to articulate al= l that in text for the draft(s) but that's more of what I was asking fo= r when I asked if you could propose some text.




=C2=A0

On Thu, Apr 24, 2014 at= 6:48 AM, Hannes Tschofenig <hannes= .tschofenig@gmx.net> wrote:
Hi Brian,

Thanks for pointing to the assertio= n framework document. Re-reading the
text it appears that we have listed= the case that in Section 6.3.1 but
have forgotten to cover it elsewhere in the document.


In Section= 6.3.1 we say:

"

6.3.1. =C2=A0Client Acting on Behalf of= an Anonymous User

=C2=A0 =C2=A0When a client is accessing resources= on behalf of an anonymous user,
=C2=A0 =C2=A0the Subject indicates to the Authorization Server that the cli= ent is
=C2=A0 =C2=A0acting on-behalf of an anonymous user as defined by = the Authorization
=C2=A0 =C2=A0Server. =C2=A0It is implied that authoriz= ation is based upon additional
=C2=A0 =C2=A0criteria, such as additional attributes or claims provided in = the
=C2=A0 =C2=A0assertion. =C2=A0For example, a client may present an a= ssertion from a
=C2=A0 =C2=A0trusted issuer asserting that the bearer is= over 18 via an included
=C2=A0 =C2=A0claim.

*****
=C2=A0 =C2=A0 In this case, no additional information about th= e user's
=C2=A0 =C2=A0identity is included, yet all the data needed = to issue an access
=C2=A0 =C2=A0token is present.
*****
"
= (I marked the relevant part with '***')


In Section 5.2, however, we say:


=C2=A0 =C2=A0o =C2=A0Th= e assertion MUST contain a Subject. =C2=A0The Subject identifies an
=C2= =A0 =C2=A0 =C2=A0 authorized accessor for which the access token is being r= equested
=C2=A0 =C2=A0 =C2=A0 (typically the resource owner, or an autho= rized delegate). =C2=A0When
=C2=A0 =C2=A0 =C2=A0 the client is acting on behalf of itself, the Subject = MUST be the
=C2=A0 =C2=A0 =C2=A0 value of the client's "client_= id".


What we should have done in Section 5.2 is to expand t= he cases inline
with what we have written in Section 6.

Here is my proposed text:

"
o =C2=A0The assertion MUST c= ontain a Subject. =C2=A0The Subject identifies an
authorized accessor fo= r which the access token is being requested

(typically the resource owner, or an authorized delegate).

When the client is acting on behalf o= f itself, as described in Section
6.1 and Section 6.2, the Subject MUST be the value of the client's
&= quot;client_id".

When the client is acting on behalf of an user= , as described in Section
6.3, the Subject element MUST be included in t= he assertion and
identifies an authorized accessor for which the access token is being
re= quested.

When the client is acting on behalf of an anonymous user, a= s described
in Section 6.3.1, the Subject element MUST NOT be included i= n the
assertion. Other elements within the assertion will, however, provide
en= ough information for the authorization server to make an authorization
d= ecision.
"

Does this make sense to you?

Ciao
Hannes


On 04/24/2014 02:30 PM, Brian Campbell = wrote:
> There is some discussion of that case in the assertion frame= work
> document at
>=C2=A0http://tools.ietf.org/html/draf= t-ietf-oauth-assertions-15#section-6.3.1
>
> Do you feel that more is needed? If so, can you propose some t= ext?
>
>
> On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschof= enig
> <hannes.tschofenig@gmx.net= =C2=A0<mailto:hannes.t= schofenig@gmx.net>> wrote:
>
> =C2=A0 =C2=A0 Hi Brian,
>
> =C2=A0 =C2=A0 I read t= hrough the thread and the Google case is a bit different since
> =C2= =A0 =C2=A0 they are using the client authentication part of the JWT bearer = spec.
> =C2=A0 =C2=A0 There I don't see the privacy concerns eith= er.
>
> =C2=A0 =C2=A0 I am, however, focused on the authorization gran= t where the subject is
> =C2=A0 =C2=A0 in most cases the resource own= er.
>
> =C2=A0 =C2=A0 It is possible to put garbage into the su= bject element when privacy
> =C2=A0 =C2=A0 protection is needed for the resource owner case but tha= t would need to
> =C2=A0 =C2=A0 be described in the document; current= ly it is not there.
>
> =C2=A0 =C2=A0 Ciao
> =C2=A0 =C2= =A0 Hannes
>
>
> =C2=A0 =C2=A0 On 04/24/2014 12:37 AM, Br= ian Campbell wrote:
> =C2=A0 =C2=A0 > That thread that Antonio started which you referenc= e went on for some
> =C2=A0 =C2=A0 > time
> =C2=A0 =C2=A0 &g= t;
> =C2=A0 =C2=A0 (http://www.ietf.org/mail-archive/web/oauth/current= /threads.html#12520)
> =C2=A0 =C2=A0 > and seems to have reached consensus that the spec d= idn't need
> =C2=A0 =C2=A0 normative
> =C2=A0 =C2=A0 > c= hange and that such privacy cases or other cases which didn't
> = =C2=A0 =C2=A0 > explicitly need a subject identifier would be more appro= priately dealt
> =C2=A0 =C2=A0 > with in application logic:
> =C2=A0 =C2=A0 &g= t;=C2=A0http://www.ietf.org/mail-archive/web/oauth/current/msg12538.= html
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 &g= t;
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > On Wed, Apr 23, 20= 14 at 2:39 AM, Hannes Tschofenig
> =C2=A0 =C2=A0 > <hannes.tschofenig@gmx.net=C2=A0&= lt;mailto:hannes.tschofenig@gmx.net>
> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>>> wrote:
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hi all,> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 in prepar= ing the shepherd write-up for
> =C2=A0 =C2=A0 draft-ietf-oauth-jwt-be= arer-08 I
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 had to review our recent= email conversations and the issue
> =C2=A0 =C2=A0 raised by
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Anton= io in
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0=C2=A0http://w= ww.ietf.org/mail-archive/web/oauth/current/msg12520.html=C2=A0belong
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 to it.
> =C2=A0 =C2=A0 >
= > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 The issue was that Section 3 of draft= -ietf-oauth-jwt-bearer-08
> =C2=A0 =C2=A0 says:
> =C2=A0 =C2=A0= > =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 = =C2=A02. =C2=A0 The JWT MUST contain a "sub" (subject) claim
> =C2=A0 =C2=A0 identifying the
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0= =C2=A0 =C2=A0 =C2=A0 =C2=A0 principal that is the subject of the JWT. =C2= =A0Two cases
> =C2=A0 =C2=A0 need to be
> =C2=A0 =C2=A0 > = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 differentiated:
> =C2=A0 = =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 A. =C2=A0For the authorization grant, the subject SHOULD
> =C2=A0 =C2=A0 identify an
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized accessor for whom the acc= ess token is being
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 requested (typically the resource owner, or an<= br>> =C2=A0 =C2=A0 authorized
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 delegate).
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 B. =C2=A0For client authentication, the subject MUST be t= he
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 "client_id" of the OAuth client.
> =C2=A0 =C2=A0= > =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Antonio pointed to the current Google= API to illustrate that
> =C2=A0 =C2=A0 the subject
> =C2=A0 = =C2=A0 > =C2=A0 =C2=A0 is not always needed. Here is the Google API docu= mentation:
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0=C2=A0https://dev= elopers.google.com/accounts/docs/OAuth2ServiceAccount
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 The Google= API used the client authentication part (rather
> =C2=A0 =C2=A0 than= the
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorization grant), in my u= nderstanding.
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 = =C2=A0 I still believe that the subject field has to be included for
> =C2=A0 =C2=A0 client
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authenti= cation but I am not so sure anymore about the
> =C2=A0 =C2=A0 authori= zation
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 grant since I could very we= ll imagine cases where the subject
> =C2=A0 =C2=A0 is not
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 needed for authorization decisions bu= t also for privacy reasons.
> =C2=A0 =C2=A0 >
> =C2=A0 =C2= =A0 > =C2=A0 =C2=A0 I would therefore suggest to change the text as foll= ows:
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 &q= uot;
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A02. =C2=A0 The JWT contai= ns a "sub" (subject) claim identifying the
> =C2=A0 =C2=A0 = > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 principal that is the subjec= t of the JWT. =C2=A0Two cases
> =C2=A0 =C2=A0 need to be
> =C2= =A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 differentiated: > =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 A. =C2=A0For the authorization grant, the subject claim M= AY
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 be included. If it is included it MUST identify the
> =C2= =A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 aut= horized accessor for whom the access token is being
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 requested (typically the resource owner, or an
> =C2=A0 =C2=A0= authorized
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 delegate). Reasons for not including the subject claim=
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 in the JWT are identity hiding (i.e., privacy
> =C2=A0 =C2=A0 protection
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 of the identifier of the subject) an= d cases where
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 =C2=A0 =C2=A0 the identifier of the subject is irrelevant for makin= g
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 an authorization decision by the resource server.
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 B. =C2=A0For client authentication, the subject MUST be t= he
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 included in the JWT and the value MUST be populated
> =C2= =A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 wit= h the "client_id" of the OAuth client.
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 >
= > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 What do you guys think?
> =C2= =A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Ciao
> =C2= =A0 =C2=A0 > =C2=A0 =C2=A0 Hannes
> =C2=A0 =C2=A0 >
> =C2= =A0 =C2=A0 >
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 __________________= _____________________________
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 OAuth mailing list

> =C2=A0 =C2=A0 > =C2=A0 = =C2=A0=C2=A0OAuth@ietf.org= =C2=A0<mailto:OAuth@ietf.org> &l= t;mailto:OAuth@ietf.org
> =C2=A0 =C2=A0 <mailto:OAuth@ietf.org&= gt;>
> =C2=A0 =C2=A0 > =C2=A0 =C2=A0=C2=A0https://www.ietf.org/mailman/listi= nfo/oauth
> =C2=A0 =C2=A0 >
> =C2=A0 =C2=A0 >
>
>

=C2=A0
_______________________________________________
OAuth mailing list
O= Auth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth=


--089e013c6614bff40b04f7e362ca-- From nobody Fri Apr 25 13:06:19 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B856D1A02F2 for ; Fri, 25 Apr 2014 13:06:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tdb3kFK_Yg7c for ; Fri, 25 Apr 2014 13:06:15 -0700 (PDT) Received: from mail-qc0-f169.google.com (mail-qc0-f169.google.com [209.85.216.169]) by ietfa.amsl.com (Postfix) with ESMTP id 5CA891A0676 for ; Fri, 25 Apr 2014 13:06:15 -0700 (PDT) Received: by mail-qc0-f169.google.com with SMTP id i17so4586748qcy.28 for ; Fri, 25 Apr 2014 13:06:08 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=p9y5VnpVCLfOHK5ZRgDFiYlG1ZZNBSyswQCXBIct1hg=; b=Br0MxuJtqe6oDt5tamGe+XSvAM98YbFfs9jHLG8iGPAKWYS9NHilAn4eqCXporSi6o KpaLPDYK3bTOjaJ5Xmi1tYbOMouCTpS6PWsHBoE1kY/mOhIFHbViR7wuexiKnA3GNpK5 EQH4x7LdFj3kMQuoE5G3FjJGj2eZoy9xGpIex8E0e9BmNvxwKtHIDeUkIEKbmnYmSc/o 3eqBnb0iQoWD+Uc6nTrYwam+jHGwDZhewwuZYmbt+1XdXipiJ+f0+tUFcSWaSvuBwflE pU+oHpB9I1EdQD8dawHH4reaePAw0y4LR629zIqpmqgzoPd0kSeyS/eT1c54TwBACPVK xeEQ== X-Gm-Message-State: ALoCoQmuRD1/tYAlzguTNLS68LD13hnJlreNmtPMcubvm/mIVA8LWP/h+e/UrGmm3Qe1hzZ2kdG7 X-Received: by 10.140.109.70 with SMTP id k64mr5637466qgf.92.1398456368446; Fri, 25 Apr 2014 13:06:08 -0700 (PDT) Received: from [192.168.0.200] ([201.188.68.144]) by mx.google.com with ESMTPSA id b17sm16126409qaq.25.2014.04.25.13.06.06 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 13:06:07 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: <535ABCBF.3090308@redhat.com> Date: Fri, 25 Apr 2014 17:06:07 -0300 Content-Transfer-Encoding: quoted-printable Message-Id: <6A3BC24E-5BFA-4350-886A-27B2AD6CB077@ve7jtb.com> References: <535ABCBF.3090308@redhat.com> To: Bill Burke X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wZK9m9w4nK-ZG9PPpLXbB1xMG-E Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 20:06:17 -0000 The only current draft that describes JWT as access tokens is the PoP = draft: = http://tools.ietf.org/html/draft-bradley-oauth-pop-key-distribution That describes JWT access tokens and how to add PoP information. I = don't think there is anything other than the JWT spec itself describing = bearer JWT, though they would be like the PoP JWT without the proof key. Ping Federate has supported generating JWS access as a option for some = time. John B. On Apr 25, 2014, at 4:51 PM, Bill Burke wrote: > Thank you. Thats what I thought. Is it just assumed JWT would/might = be used an access token format for Bearer token auth? Or is there = another draft somewhere for that? Is anybody out there using JWS + JWT = as a access token format? >=20 > On 4/25/2014 2:59 PM, Brian Campbell wrote: >> draft-ietf-oauth-jwt-bearer is only about interactions (client >> authentication and JWT as an authorization grant) with the token >> endpoint and doesn't define JWT style access tokens. >>=20 >>=20 >> On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke > > wrote: >>=20 >> Red Hat Keycloak [1] only supports basic auth for client >> authentication as suggested in the OAuth 2 spec. But our access >> tokens are JWS signed JWTs. >>=20 >> Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth >> [2]? Or is there another document I should be following? I'd = like >> to see what other claims are being discussed related to JWT-based >> access tokens and may have some additional access token claims = we've >> been experimenting with others might be interested in. >>=20 >> Also, I'm not sure yet if we'll implement >> draft-ietf-oauth-jwt-bearer to authenticate clients. A lot of our >> initial users are more interested in public clients and/or the >> implicit flow as they are writing a lot of pure javascript apps >> served up by simple static web servers. >>=20 >> [1] http://keycloak.org >> [2] http://tools.ietf.org/html/__rfc6750 >> >>=20 >=20 > --=20 > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Fri Apr 25 13:11:49 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5BEB1A031D for ; Fri, 25 Apr 2014 13:11:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OlaQ0XK66y_8 for ; Fri, 25 Apr 2014 13:11:36 -0700 (PDT) Received: from mail-qg0-f51.google.com (mail-qg0-f51.google.com [209.85.192.51]) by ietfa.amsl.com (Postfix) with ESMTP id 7C82B1A02F2 for ; Fri, 25 Apr 2014 13:11:36 -0700 (PDT) Received: by mail-qg0-f51.google.com with SMTP id f51so4636199qge.10 for ; Fri, 25 Apr 2014 13:11:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=YcoaZB4ix9iJ8j9nBtFeZQmMtssglCEoYklarZ0HoAM=; b=TZrJC2IHW6gsVN5dvLc3m7YNOT4Y8CHvoVRYTEDRch2W024s1BKtQCeRxXfPgGw+5l 8AxhPD5iOqwzbcT7iJa8SXd6wnVEpq/niwGvZjgx6MindI8B1GXcBmr0RhwgDPTmsvVC MIp4thQINTiq6YTGsRycpAPR0LX6lgLem2Y/w09O3GNhbKVzTbwU9RO00VKNGofipDTG 3xreVcu1ZGujGd4k2MVzFD45DY7aMkqqn/MyMBTv8JLlh4wSQ5XGYepT+ZjDZAI8r6Qx Ab+p7GZHnu77QT+RFXZ5D41qS7UMw+MK3FOnf+xKYEYEmwRXO5pwFgBnH1IbHISs9fY4 ZyEQ== X-Gm-Message-State: ALoCoQme2irmAupeBR9L2mv7MePvRB8MsKo9l6N+RNYT91fzUmN20q4CPnAa2yRMHYRxfwNLmW00 X-Received: by 10.224.73.136 with SMTP id q8mr14664109qaj.54.1398456689529; Fri, 25 Apr 2014 13:11:29 -0700 (PDT) Received: from [192.168.0.200] ([201.188.68.144]) by mx.google.com with ESMTPSA id z6sm16164948qal.6.2014.04.25.13.11.25 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 13:11:29 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_75A17B79-53FD-487F-85F5-9824B17D3EF8" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: Date: Fri, 25 Apr 2014 17:11:26 -0300 Message-Id: <2DE29BE5-8E48-42E1-96AE-D92336AF66B8@ve7jtb.com> References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> To: Brian Campbell X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/kymn-pnW6Hv--GBg8vDJ8Wi65kw Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 20:11:45 -0000 --Apple-Mail=_75A17B79-53FD-487F-85F5-9824B17D3EF8 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 I am OK with that. On Apr 25, 2014, at 4:57 PM, Brian Campbell = wrote: > I absolutely agree with always requiring both issuer and subject and = that doing so keeps the specs simpler and is likely to improve = interoperability. >=20 > However, without changing that, perhaps some of the text in the = document(s) could be improved a bit. Here's a rough proposal: >=20 > Change the text of the second bullet in = http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2 to=20= >=20 > "The assertion MUST contain a Subject. The Subject typically = identifies an authorized accessor for which the access token is being = requested (i.e. the resource owner, or an authorized delegate) but, in = some cases, may be a pseudonym or other value denoting an anonymous = user. When the client is acting on behalf of itself, the Subject MUST be = the value of the client's client_id." >=20 > And also change = http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 = to=20 >=20 > "When a client is accessing resources on behalf of an anonymous user, = a mutually agreed upon Subject identifier indicating anonymity is used. = The Subject value might be an agreed upon static value indicating an = anonymous user or an opaque persistent or transient pseudonym for the = user may also be utilized. The authorization may be based upon = additional criteria, such as additional attributes or claims provided in = the assertion. For example, a client may present an assertion from a = trusted issuer asserting that the bearer is over 18 via an included = claim. In this case, no additional information about the user's identity = is included, yet all the data needed to issue an access token is = present." >=20 > And maybe also change the subject text in SAML and JWT (item #2 in = http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3 and = http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3) = to read a little more like the new proposed text above for section 5.2 = of the Assertion Framework draft. >=20 > Would that sit any better with you, Hannes? Thoughts from others in = the WG? >=20 >=20 > On Fri, Apr 25, 2014 at 1:08 PM, John Bradley = wrote: > Agreed. >=20 > On Apr 25, 2014, at 3:07 PM, Mike Jones = wrote: >=20 >> I agree. We=92d already discussed this pretty extensively and = reached the conclusion that always requiring both an issuer and a = subject both kept the specs simpler and was likely to improve = interoperability. >> =20 >> It=92s entirely up to the application profile what the contents of = the issuer and the subject fields are and so I don=92t think we need to = further specify their contents beyond what=92s already in the specs. >> =20 >> -- Mike >> =20 >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian = Campbell >> Sent: Friday, April 25, 2014 10:17 AM >> To: Hannes Tschofenig >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject = issue >> =20 >> I believe, from the thread referenced earlier and prior discussion = and draft text, that the WG has reached (rough) consensus to require the = subject claim. So text that says "Subject element MUST NOT be included" = isn't workable. >>=20 >> It seems what's needed here is some better explanation of how, in = cases that need it, the value of the subject can be populated without = using a PII type value. A simple static value like "ANONYMOUS-SUBJECT" = could be used. Or, more likely, some kind of pairwise persistent = pseudonymous identifier would be utilized, which would not directly = identify the subject but would allow the relying party to recognize the = same subject on subsequent transactions. A transient pseudonym might = also be appropriate in some cases. And any of those approaches could be = used with or without additional claims (like age > 18 or membership in = some group) that get used to make an authorization decision.=20 >>=20 >> I wasn't sure exactly how to articulate all that in text for the = draft(s) but that's more of what I was asking for when I asked if you = could propose some text. >>=20 >>=20 >>=20 >>=20 >> =20 >>=20 >> On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig = wrote: >> Hi Brian, >>=20 >> Thanks for pointing to the assertion framework document. Re-reading = the >> text it appears that we have listed the case that in Section 6.3.1 = but >> have forgotten to cover it elsewhere in the document. >>=20 >>=20 >> In Section 6.3.1 we say: >>=20 >> " >>=20 >> 6.3.1. Client Acting on Behalf of an Anonymous User >>=20 >> When a client is accessing resources on behalf of an anonymous = user, >> the Subject indicates to the Authorization Server that the client = is >> acting on-behalf of an anonymous user as defined by the = Authorization >> Server. It is implied that authorization is based upon additional >> criteria, such as additional attributes or claims provided in the >> assertion. For example, a client may present an assertion from a >> trusted issuer asserting that the bearer is over 18 via an = included >> claim. >>=20 >> ***** >> In this case, no additional information about the user's >> identity is included, yet all the data needed to issue an access >> token is present. >> ***** >> " >> (I marked the relevant part with '***') >>=20 >>=20 >> In Section 5.2, however, we say: >>=20 >>=20 >> o The assertion MUST contain a Subject. The Subject identifies = an >> authorized accessor for which the access token is being = requested >> (typically the resource owner, or an authorized delegate). = When >> the client is acting on behalf of itself, the Subject MUST be = the >> value of the client's "client_id". >>=20 >>=20 >> What we should have done in Section 5.2 is to expand the cases inline >> with what we have written in Section 6. >>=20 >> Here is my proposed text: >>=20 >> " >> o The assertion MUST contain a Subject. The Subject identifies an >> authorized accessor for which the access token is being requested >> (typically the resource owner, or an authorized delegate). >>=20 >>=20 >> When the client is acting on behalf of itself, as described in = Section >> 6.1 and Section 6.2, the Subject MUST be the value of the client's >> "client_id". >>=20 >> When the client is acting on behalf of an user, as described in = Section >> 6.3, the Subject element MUST be included in the assertion and >> identifies an authorized accessor for which the access token is being >> requested. >>=20 >> When the client is acting on behalf of an anonymous user, as = described >> in Section 6.3.1, the Subject element MUST NOT be included in the >> assertion. Other elements within the assertion will, however, provide >> enough information for the authorization server to make an = authorization >> decision. >> " >>=20 >> Does this make sense to you? >>=20 >> Ciao >> Hannes >>=20 >>=20 >> On 04/24/2014 02:30 PM, Brian Campbell wrote: >> > There is some discussion of that case in the assertion framework >> > document at >> > = http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 >> > >> > Do you feel that more is needed? If so, can you propose some text? >> > >> > >> > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig >> > > = wrote: >> > >> > Hi Brian, >> > >> > I read through the thread and the Google case is a bit = different since >> > they are using the client authentication part of the JWT bearer = spec. >> > There I don't see the privacy concerns either. >> > >> > I am, however, focused on the authorization grant where the = subject is >> > in most cases the resource owner. >> > >> > It is possible to put garbage into the subject element when = privacy >> > protection is needed for the resource owner case but that would = need to >> > be described in the document; currently it is not there. >> > >> > Ciao >> > Hannes >> > >> > >> > On 04/24/2014 12:37 AM, Brian Campbell wrote: >> > > That thread that Antonio started which you reference went on = for some >> > > time >> > > >> > = (http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) >> > > and seems to have reached consensus that the spec didn't need >> > normative >> > > change and that such privacy cases or other cases which = didn't >> > > explicitly need a subject identifier would be more = appropriately dealt >> > > with in application logic: >> > > = http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html >> > > >> > > >> > > >> > > >> > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig >> > > >> > > > >> wrote: >> > > >> > > Hi all, >> > > >> > > in preparing the shepherd write-up for >> > draft-ietf-oauth-jwt-bearer-08 I >> > > had to review our recent email conversations and the = issue >> > raised by >> > > Antonio in >> > > >> > = http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html belong >> > > to it. >> > > >> > > The issue was that Section 3 of = draft-ietf-oauth-jwt-bearer-08 >> > says: >> > > " >> > > 2. The JWT MUST contain a "sub" (subject) claim >> > identifying the >> > > principal that is the subject of the JWT. Two = cases >> > need to be >> > > differentiated: >> > > >> > > A. For the authorization grant, the subject = SHOULD >> > identify an >> > > authorized accessor for whom the access token = is being >> > > requested (typically the resource owner, or = an >> > authorized >> > > delegate). >> > > >> > > B. For client authentication, the subject MUST = be the >> > > "client_id" of the OAuth client. >> > > " >> > > >> > > Antonio pointed to the current Google API to illustrate = that >> > the subject >> > > is not always needed. Here is the Google API = documentation: >> > > = https://developers.google.com/accounts/docs/OAuth2ServiceAccount >> > > >> > > The Google API used the client authentication part = (rather >> > than the >> > > authorization grant), in my understanding. >> > > >> > > I still believe that the subject field has to be included = for >> > client >> > > authentication but I am not so sure anymore about the >> > authorization >> > > grant since I could very well imagine cases where the = subject >> > is not >> > > needed for authorization decisions but also for privacy = reasons. >> > > >> > > I would therefore suggest to change the text as follows: >> > > >> > > " >> > > 2. The JWT contains a "sub" (subject) claim = identifying the >> > > principal that is the subject of the JWT. Two = cases >> > need to be >> > > differentiated: >> > > >> > > A. For the authorization grant, the subject = claim MAY >> > > be included. If it is included it MUST = identify the >> > > authorized accessor for whom the access token = is being >> > > requested (typically the resource owner, or = an >> > authorized >> > > delegate). Reasons for not including the = subject claim >> > > in the JWT are identity hiding (i.e., privacy >> > protection >> > > of the identifier of the subject) and cases = where >> > > the identifier of the subject is irrelevant = for making >> > > an authorization decision by the resource = server. >> > > >> > > B. For client authentication, the subject MUST = be the >> > > included in the JWT and the value MUST be = populated >> > > with the "client_id" of the OAuth client. >> > > " >> > > >> > > What do you guys think? >> > > >> > > Ciao >> > > Hannes >> > > >> > > >> > > _______________________________________________ >> > > OAuth mailing list >> > > OAuth@ietf.org = > > > >> > > https://www.ietf.org/mailman/listinfo/oauth >> > > >> > > >> > >> > >>=20 >> =20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 --Apple-Mail=_75A17B79-53FD-487F-85F5-9824B17D3EF8 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 I am = OK with that.

On Apr 25, 2014, at 4:57 PM, = Brian Campbell <bcampbell@pingidentity.com&= gt; wrote:

I absolutely agree with always = requiring both issuer and subject and that doing so keeps the specs = simpler and is likely to improve interoperability.

However, = without changing that, perhaps some of the text in the document(s) could = be improved a bit. Here's a rough proposal:

Change the text of the second bullet in http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2= to

"The assertion MUST contain a Subject. The Subject typically identifies = an authorized accessor for which the access token is being requested = (i.e. the resource owner, or an authorized delegate) but, in some cases, = may be a pseudonym or other value denoting an anonymous user. When the = client is acting on behalf of itself, the Subject MUST be the value of = the client's client_id."

And also change http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6= .3.1 to

"When a client is accessing resources on behalf of an anonymous user, a = mutually agreed upon Subject identifier indicating anonymity is used. = The Subject value might be an agreed upon static value indicating an = anonymous user or an opaque persistent or transient pseudonym for the = user may also be utilized. The authorization may be based upon = additional criteria, such as additional attributes or claims provided in = the assertion. For example, a client may present an assertion from a = trusted issuer asserting that the bearer is over 18 via an included = claim. In this case, no additional information about the user's identity = is included, yet all the data needed to issue an access token is = present."

And maybe also change the subject text in SAML and = JWT (item #2 in http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3= and http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3= ) to read a little more like the new proposed text above for section = 5.2 of the Assertion Framework draft.

Would that sit any better with you, Hannes? Thoughts from = others in the WG?


On Fri, Apr 25, 2014 at 1:08 PM, John Bradley = <ve7jtb@ve7jtb.com> wrote:
Agreed.

On Apr 25, 2014, at 3:07 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

I agree.  We=92d already discussed this pretty extensively and = reached the conclusion that always requiring both an issuer and a = subject both kept the specs simpler and was likely to improve = interoperability.
 
It=92s entirely up to the application profile what the contents of = the issuer and the subject fields are and so I don=92t think we need to = further specify their contents beyond what=92s already in the = specs.
 
            = ;            &= nbsp;           &nb= sp;            = ;           -- = Mike
 
From: = OAuth [mailto:oauth-bounces@ietf.org] = On Behalf Of Brian Campbell
Sent: Friday, April 25, 2014 10:17 = AM
To: Hannes = Tschofenig
Cc: oauth@ietf.org
Subject: = Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject = issue
 

I believe, from the thread referenced earlier and prior discussion and = draft text, that the WG has reached (rough) consensus to require the = subject claim. So text that says "Subject element MUST NOT be included" = isn't workable.

It seems what's = needed here is some better explanation of how, in cases that need it, = the value of the subject can be populated without using a PII type = value. A simple static value like "ANONYMOUS-SUBJECT" could be used. Or, = more likely, some kind of pairwise persistent pseudonymous identifier = would be utilized, which would not directly identify the subject but = would allow the relying party to recognize the same subject on = subsequent transactions. A transient pseudonym might also be appropriate = in some cases. And any of those approaches could be used with or without = additional claims (like age > 18 or membership in some group) that = get used to make an authorization decision. 

I wasn't = sure exactly how to articulate all that in text for the draft(s) but = that's more of what I was asking for when I asked if you could propose = some text.




 

On Thu, Apr = 24, 2014 at 6:48 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> = wrote:
Hi Brian,

Thanks for pointing to the assertion = framework document. Re-reading the
text it appears that we have = listed the case that in Section 6.3.1 but
have forgotten to cover it elsewhere in the document.


In = Section 6.3.1 we say:

"

6.3.1.  Client Acting on = Behalf of an Anonymous User

   When a client is = accessing resources on behalf of an anonymous user,
   the Subject indicates to the Authorization Server that the = client is
   acting on-behalf of an anonymous user as = defined by the Authorization
   Server.  It is implied = that authorization is based upon additional
   criteria, such as additional attributes or claims provided = in the
   assertion.  For example, a client may = present an assertion from a
   trusted issuer asserting = that the bearer is over 18 via an included
   claim.

*****
    In this case, no additional information about = the user's
   identity is included, yet all the data needed = to issue an access
   token is present.
*****
"
(I = marked the relevant part with '***')


In Section 5.2, however, we say:


   o =  The assertion MUST contain a Subject.  The Subject identifies = an
      authorized accessor for which the access = token is being requested
      (typically the resource = owner, or an authorized delegate).  When
      the client is acting on behalf of itself, the = Subject MUST be the
      value of the client's = "client_id".


What we should have done in Section 5.2 is to = expand the cases inline
with what we have written in Section 6.

Here is my proposed text:

"
o  The assertion MUST = contain a Subject.  The Subject identifies an
authorized = accessor for which the access token is being = requested

(typically the resource owner, or an authorized = delegate).

When the = client is acting on behalf of itself, as described in Section
6.1 and Section 6.2, the Subject MUST be the value of the = client's
"client_id".

When the client is acting on behalf of = an user, as described in Section
6.3, the Subject element MUST be = included in the assertion and
identifies an authorized accessor for which the access token is = being
requested.

When the client is acting on behalf of an = anonymous user, as described
in Section 6.3.1, the Subject element = MUST NOT be included in the
assertion. Other elements within the assertion will, however, = provide
enough information for the authorization server to make an = authorization
decision.
"

Does this make sense to = you?

Ciao
Hannes


On = 04/24/2014 02:30 PM, Brian Campbell wrote:
> There is some = discussion of that case in the assertion framework
> document at
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-1= 5#section-6.3.1
>
> Do you feel that more is needed? If so, can you propose = some text?
>
>
> On Thu, Apr 24, 2014 at 1:09 AM, = Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mail= to:hannes.tschofenig@gmx.net>> wrote:
>
>     Hi Brian,
>
>     I = read through the thread and the Google case is a bit different = since
>     they are using the client authentication = part of the JWT bearer spec.
>     There I don't see the = privacy concerns either.
>
>     I am, however, focused on the authorization = grant where the subject is
>     in most cases the = resource owner.
>
>     It is possible to put = garbage into the subject element when privacy
>     protection is needed for the resource owner case but = that would need to
>     be described in the document; = currently it is not there.
>
>     Ciao
> =     Hannes
>
>
>     On 04/24/2014 = 12:37 AM, Brian Campbell wrote:
>     > That thread that Antonio started which you = reference went on for some
>     > time
> =     >
>     (http://www.ietf.org/mail-archive/web/oauth/current/threa= ds.html#12520)
>     > and seems to have reached consensus that the = spec didn't need
>     normative
>     = > change and that such privacy cases or other cases which = didn't
>     > explicitly need a subject identifier = would be more appropriately dealt
>     > with in application logic:
>     = > http://www.ietf.org/mail-archive/web/oauth/current/msg12= 538.html
>     >
>     >
>     = >
>     >
>     > On Wed, Apr = 23, 2014 at 2:39 AM, Hannes Tschofenig
>     > <hannes.tschofenig@gmx.net <mail= to:hannes.tschofenig@gmx.net>
>   =   <mailto:hannes.tschofenig@gmx.net
>   =   <mailto:hannes.tschofenig@gmx.net>>> wrote:
>     >
>     >     Hi = all,
>     >
>     >     = in preparing the shepherd write-up for
>     = draft-ietf-oauth-jwt-bearer-08 I
>     >   =   had to review our recent email conversations and the issue
>     raised by
>     >     = Antonio in
>     >
>   =   http://www.ietf.org/mail-archive/web/oauth/current/msg12= 520.html belong
>     >     to it.
>     = >
>     >     The issue was that Section = 3 of draft-ietf-oauth-jwt-bearer-08
>     says:
> =     >     "
>     >   =      2.   The JWT MUST contain a "sub" (subject) = claim
>     identifying the
>     >   =           principal that is the subject of the = JWT.  Two cases
>     need to be
>   =   >             = differentiated:
>     >
>     > =             A.  For the authorization = grant, the subject SHOULD
>     identify an
>     >     =             authorized accessor for whom = the access token is being
>     >     =             requested (typically the = resource owner, or an
>     authorized
>   =   >                 = delegate).
>     >
>     >       =       B.  For client authentication, the subject = MUST be the
>     >         =         "client_id" of the OAuth client.
> =     >     "
>     >
>     >     Antonio pointed to the current = Google API to illustrate that
>     the subject
> =     >     is not always needed. Here is the = Google API documentation:
>     >   =   https://developers.google.com/accounts/docs/OAuth2Servic= eAccount
>     >
>     >     The = Google API used the client authentication part (rather
>   =   than the
>     >     authorization = grant), in my understanding.
>     >
>   =   >     I still believe that the subject field has to = be included for
>     client
>     >     = authentication but I am not so sure anymore about the
>   =   authorization
>     >     grant = since I could very well imagine cases where the subject
>   =   is not
>     >     needed for authorization decisions = but also for privacy reasons.
>     >
>   =   >     I would therefore suggest to change the text = as follows:
>     >
>     >   =   "
>     >        2.   The JWT = contains a "sub" (subject) claim identifying the
>     = >             principal that is the = subject of the JWT.  Two cases
>     need to = be
>     >             = differentiated:
>     >
>     >       =       A.  For the authorization grant, the subject = claim MAY
>     >           =       be included. If it is included it MUST identify = the
>     >             =     authorized accessor for whom the access token is being
>     >               =   requested (typically the resource owner, or an
>   =   authorized
>     >         =         delegate). Reasons for not including the = subject claim
>     >         =         in the JWT are identity hiding (i.e., = privacy
>     protection
>     >     =             of the identifier of the = subject) and cases where
>     >       =           the identifier of the subject is = irrelevant for making
>     >       =           an authorization decision by the = resource server.
>     >
>     >       =       B.  For client authentication, the subject = MUST be the
>     >         =         included in the JWT and the value MUST be = populated
>     >           =       with the "client_id" of the OAuth client.
>     >     "
>     = >
>     >     What do you guys = think?
>     >
>     >   =   Ciao
>     >     Hannes
> =     >
>     >
>     > =     _______________________________________________
>     >     OAuth mailing = list

>   =   >     OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>     <mailto:OAuth@ietf.org>>
>     > =     https://www.ietf.org/mailman/listinfo/oauth
>     >
>     = >
>
>

 
______________________= _________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



= --Apple-Mail=_75A17B79-53FD-487F-85F5-9824B17D3EF8-- From nobody Fri Apr 25 13:12:44 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 326661A0663 for ; Fri, 25 Apr 2014 13:12:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ov8PEBffkxpz for ; Fri, 25 Apr 2014 13:12:40 -0700 (PDT) Received: from na6sys009bog036.obsmtp.com (na6sys009bog036.obsmtp.com [74.125.150.110]) by ietfa.amsl.com (Postfix) with ESMTP id C7FF41A03D0 for ; Fri, 25 Apr 2014 13:12:39 -0700 (PDT) Received: from mail-ie0-f177.google.com ([209.85.223.177]) (using TLSv1) by na6sys009bob036.postini.com ([74.125.148.12]) with SMTP ID DSNKU1rBseY1I+AagTajhqoD5oTfja0DtP/s@postini.com; Fri, 25 Apr 2014 13:12:33 PDT Received: by mail-ie0-f177.google.com with SMTP id rl12so4133094iec.8 for ; Fri, 25 Apr 2014 13:12:33 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=NJf5FhO/0N5IBbN+XvrcGSzo2cKzzU0zEcwakUYYRcs=; b=nKGkM1/7tayhOPuvS4uSSb6fstwMETD0xJ9vuA/c68qt8ONmXmXy29bsVn1DcyYQGm g95kJ6AHZaM0pyLiGZnz6IawF8HLNS0wojipsWxxjuJbHiq2jcvNDyAHYF8uy+IKFEf7 MVQdRkmhdQLw+DkklOnMumNmvpkKgeXTkoELe8Keaje/CY70qEIMIJ3BDq2R+w3Fh6WZ ABZq7yBNl3na6OI3S7h0QQp+Rd3tIYNXkcLDsGlrfMhPSqaLs0QQ1+oa2e4Gjy9QY+c9 zmVnWqBnnuPvslv28sh7o/SiA3vun424j1ugQVBfVYg0eK+WYxv0rIqGUdLv9/9ZHEVs 7KuA== X-Gm-Message-State: ALoCoQkVNLUeqeEn1ptlYos01lriaho3cEP8oNPkiNtg7RGAMC5/RjCLowPm7OdFjsbfsKap/zkLiRiMhKPvtBfGYbWMVER1uhOxlv+oRwFJ7s8UcwLdKIt+1C0LlFfNFPi9RFOr96Zo X-Received: by 10.50.109.230 with SMTP id hv6mr7575632igb.9.1398456753026; Fri, 25 Apr 2014 13:12:33 -0700 (PDT) X-Received: by 10.50.109.230 with SMTP id hv6mr7575618igb.9.1398456752885; Fri, 25 Apr 2014 13:12:32 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Fri, 25 Apr 2014 13:12:02 -0700 (PDT) In-Reply-To: <535ABCBF.3090308@redhat.com> References: <535ABCBF.3090308@redhat.com> From: Brian Campbell Date: Fri, 25 Apr 2014 14:12:02 -0600 Message-ID: To: Bill Burke Content-Type: multipart/alternative; boundary=089e013a1d8efd6f6e04f7e395f5 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/suVYyhu6O5JoR7AXRppArCWarYU Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 20:12:42 -0000 --089e013a1d8efd6f6e04f7e395f5 Content-Type: text/plain; charset=UTF-8 I think it is kind of assumed, yeah. And JWT as it is gives you everything you need for that as long as the AS and RS can agree on keys, JWE and/or JWS, and how the claims will look. I suspect that's what most deployments are doing with JWT access tokens today. We are, or offer JWS + JWT access tokens as an option in product anyway, and I believe many others are doing the same. IHMO getting everyone to agree on the specific claims etc. needed for a standardized JWT access token is a bit of a rat's nest, which is why there's not been much progress in that area. On Fri, Apr 25, 2014 at 1:51 PM, Bill Burke wrote: > Thank you. Thats what I thought. Is it just assumed JWT would/might be > used an access token format for Bearer token auth? Or is there another > draft somewhere for that? Is anybody out there using JWS + JWT as a access > token format? > > > On 4/25/2014 2:59 PM, Brian Campbell wrote: > >> draft-ietf-oauth-jwt-bearer is only about interactions (client >> authentication and JWT as an authorization grant) with the token >> endpoint and doesn't define JWT style access tokens. >> >> >> On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke > > wrote: >> >> Red Hat Keycloak [1] only supports basic auth for client >> authentication as suggested in the OAuth 2 spec. But our access >> tokens are JWS signed JWTs. >> >> Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth >> [2]? Or is there another document I should be following? I'd like >> to see what other claims are being discussed related to JWT-based >> access tokens and may have some additional access token claims we've >> been experimenting with others might be interested in. >> >> Also, I'm not sure yet if we'll implement >> draft-ietf-oauth-jwt-bearer to authenticate clients. A lot of our >> initial users are more interested in public clients and/or the >> implicit flow as they are writing a lot of pure javascript apps >> served up by simple static web servers. >> >> [1] http://keycloak.org >> [2] http://tools.ietf.org/html/__rfc6750 >> >> >> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > --089e013a1d8efd6f6e04f7e395f5 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
I think it is kind of assumed, yeah. And JWT as it is= gives you everything you need for that as long as the AS and RS can agree = on keys, JWE and/or JWS, and how the claims will look. I suspect that's= what most deployments are doing with JWT access tokens today. We are, or o= ffer JWS + JWT access tokens as an option in product anyway, and I believe = many others are doing the same.

IHMO getting everyone to agree on the specific claims etc. needed= for a standardized JWT access token is a bit of a rat's nest, which is= why there's not been much progress in that area.






On Fri, Apr 25, 2014 at 1:51 PM, Bill Burke <bburke@= redhat.com> wrote:
Thank you. =C2=A0Thats what I thought. =C2= =A0Is it just assumed JWT would/might be used an access token format for Be= arer token auth? =C2=A0Or is there another draft somewhere for that? =C2=A0= Is anybody out there using JWS + JWT as a access token format?


On 4/25/2014 2:59 PM, Brian Campbell wrote:
draft-ietf-oauth-jwt-bearer is only about interactions (client
authentication and JWT as an authorization grant) with the token
endpoint and doesn't define JWT style access tokens.


On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke <bburke@redhat.com
<mailto:bburke@re= dhat.com>> wrote:

=C2=A0 =C2=A0 Red Hat Keycloak [1] only supports basic auth for client
=C2=A0 =C2=A0 authentication as suggested in the OAuth 2 spec. =C2=A0But ou= r access
=C2=A0 =C2=A0 tokens are JWS signed JWTs.

=C2=A0 =C2=A0 Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token= auth
=C2=A0 =C2=A0 [2]? =C2=A0Or is there another document I should be following= ? =C2=A0I'd like
=C2=A0 =C2=A0 to see what other claims are being discussed related to JWT-b= ased
=C2=A0 =C2=A0 access tokens and may have some additional access token claim= s we've
=C2=A0 =C2=A0 been experimenting with others might be interested in.

=C2=A0 =C2=A0 Also, I'm not sure yet if we'll implement
=C2=A0 =C2=A0 draft-ietf-oauth-jwt-bearer to authenticate clients. =C2=A0A = lot of our
=C2=A0 =C2=A0 initial users are more interested in public clients and/or th= e
=C2=A0 =C2=A0 implicit flow as they are writing a lot of pure javascript ap= ps
=C2=A0 =C2=A0 served up by simple static web servers.

=C2=A0 =C2=A0 [1] http://= keycloak.org
=C2=A0 =C2=A0 [2] http://tools.ietf.org/html/__rfc6750
=C2=A0 =C2=A0 <http://tools.ietf.org/html/rfc6750>


--
Bill Burke
JBoss, a division of Red Hat
http://bill.burk= ecentral.com

--089e013a1d8efd6f6e04f7e395f5-- From nobody Fri Apr 25 13:19:32 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06FC01A06A9 for ; Fri, 25 Apr 2014 13:19:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OihQryBZQ5nJ for ; Fri, 25 Apr 2014 13:19:26 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0140.outbound.protection.outlook.com [207.46.163.140]) by ietfa.amsl.com (Postfix) with ESMTP id 63F141A06A1 for ; Fri, 25 Apr 2014 13:19:26 -0700 (PDT) Received: from BLUPR03CA036.namprd03.prod.outlook.com (10.141.30.29) by BN1PR03MB250.namprd03.prod.outlook.com (10.255.200.16) with Microsoft SMTP Server (TLS) id 15.0.921.12; Fri, 25 Apr 2014 20:19:18 +0000 Received: from BL2FFO11FD034.protection.gbl (2a01:111:f400:7c09::120) by BLUPR03CA036.outlook.office365.com (2a01:111:e400:879::29) with Microsoft SMTP Server (TLS) id 15.0.921.12 via Frontend Transport; Fri, 25 Apr 2014 20:19:18 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD034.mail.protection.outlook.com (10.173.161.130) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Fri, 25 Apr 2014 20:19:17 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0174.002; Fri, 25 Apr 2014 20:18:23 +0000 From: Mike Jones To: Brian Campbell , Bill Burke Thread-Topic: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) Thread-Index: AQHPYLiWCPtQeI+RDEaVTJpQcIUadZsivgyAgAAFwACAAAEnwA== Date: Fri, 25 Apr 2014 20:18:22 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A196778@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <535ABCBF.3090308@redhat.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.74] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A196778TK5EX14MBXC288r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(24454002)(52314003)(377454003)(479174003)(189002)(199002)(54356999)(31966008)(76176999)(92726001)(81342001)(4396001)(19300405004)(85852003)(99396002)(512874002)(92566001)(74662001)(87936001)(86612001)(50986999)(71186001)(66066001)(77982001)(16236675002)(6806004)(83322001)(97736001)(80022001)(81542001)(55846006)(2009001)(79102001)(33656001)(2656002)(86362001)(19580405001)(44976005)(16601075003)(20776003)(84326002)(19580395003)(74502001)(15975445006)(46102001)(84676001)(16297215004)(80976001)(15202345003)(76482001)(83072002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN1PR03MB250; H:mail.microsoft.com; FPR:AC20F0B6.BEFAD7DB.72CF7DBB.4EC6FA41.203FC; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0192E812EC Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qDg9sl3PExXlQzEQr0MvrWwqjWI Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 20:19:30 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A196778TK5EX14MBXC288r_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VG8gYmUgY2xlYXIsIGFjY2VzcyB0b2tlbnMgYXJlIG9wYXF1ZSBpbiBPQXV0aCBhbmQgSSBkb27i gJl0IHNlZSBhbnkgb2YgdXMgdHJ5aW5nIHRvIGNoYW5nZSB0aGF0IGluIHRoZSBnZW5lcmFsIGNh c2UuICBQYXJ0aWN1bGFyIGF1dGhvcml6YXRpb24gc2VydmVycyBtYXkgdXNlIEpXVHMgYXMgYW4g YWNjZXNzIHRva2VuIGZvcm1hdCwgYnV0IHRoYXTigJlzIHRoZWlyIHByaXZhdGUgY2hvaWNlLiAg SSBrbm93IG9mIG90aGVyIGF1dGhvcml6YXRpb24gc2VydmVycyB0aGF0IGhhdmUgdGhlIGFjY2Vz cyB0b2tlbiB2YWx1ZSBiZSBhbiBpbmRleCBpbnRvIGEgbG9jYWwgZGF0YWJhc2UgdGFibGUsIHdo aWNoIGlzIGp1c3QgYXMgbGVnaXRpbWF0ZSBhIGNob2ljZSBhcyB1c2luZyBhIHN0cnVjdHVyZWQg YWNjZXNzIHRva2VuLg0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgLS0gTWlrZQ0KDQpGcm9tOiBPQXV0aCBbbWFpbHRvOm9h dXRoLWJvdW5jZXNAaWV0Zi5vcmddIE9uIEJlaGFsZiBPZiBCcmlhbiBDYW1wYmVsbA0KU2VudDog RnJpZGF5LCBBcHJpbCAyNSwgMjAxNCAxOjEyIFBNDQpUbzogQmlsbCBCdXJrZQ0KQ2M6IG9hdXRo DQpTdWJqZWN0OiBSZTogW09BVVRILVdHXSBkcmFmdC1pZXRmLW9hdXRoLWp3dC1iZWFyZXIgIT0g YWNjZXNzIHRva2VucyAod2FzIFJlOiBkcmFmdC1pZXRmLW9hdXRoLWp3dC1iZWFyZXIgU2hlcGhl cmQgV3JpdGUtdXApDQoNCkkgdGhpbmsgaXQgaXMga2luZCBvZiBhc3N1bWVkLCB5ZWFoLiBBbmQg SldUIGFzIGl0IGlzIGdpdmVzIHlvdSBldmVyeXRoaW5nIHlvdSBuZWVkIGZvciB0aGF0IGFzIGxv bmcgYXMgdGhlIEFTIGFuZCBSUyBjYW4gYWdyZWUgb24ga2V5cywgSldFIGFuZC9vciBKV1MsIGFu ZCBob3cgdGhlIGNsYWltcyB3aWxsIGxvb2suIEkgc3VzcGVjdCB0aGF0J3Mgd2hhdCBtb3N0IGRl cGxveW1lbnRzIGFyZSBkb2luZyB3aXRoIEpXVCBhY2Nlc3MgdG9rZW5zIHRvZGF5LiBXZSBhcmUs IG9yIG9mZmVyIEpXUyArIEpXVCBhY2Nlc3MgdG9rZW5zIGFzIGFuIG9wdGlvbiBpbiBwcm9kdWN0 IGFueXdheSwgYW5kIEkgYmVsaWV2ZSBtYW55IG90aGVycyBhcmUgZG9pbmcgdGhlIHNhbWUuDQpJ SE1PIGdldHRpbmcgZXZlcnlvbmUgdG8gYWdyZWUgb24gdGhlIHNwZWNpZmljIGNsYWltcyBldGMu IG5lZWRlZCBmb3IgYSBzdGFuZGFyZGl6ZWQgSldUIGFjY2VzcyB0b2tlbiBpcyBhIGJpdCBvZiBh IHJhdCdzIG5lc3QsIHdoaWNoIGlzIHdoeSB0aGVyZSdzIG5vdCBiZWVuIG11Y2ggcHJvZ3Jlc3Mg aW4gdGhhdCBhcmVhLg0KDQoNCg0KDQpPbiBGcmksIEFwciAyNSwgMjAxNCBhdCAxOjUxIFBNLCBC aWxsIEJ1cmtlIDxiYnVya2VAcmVkaGF0LmNvbTxtYWlsdG86YmJ1cmtlQHJlZGhhdC5jb20+PiB3 cm90ZToNClRoYW5rIHlvdS4gIFRoYXRzIHdoYXQgSSB0aG91Z2h0LiAgSXMgaXQganVzdCBhc3N1 bWVkIEpXVCB3b3VsZC9taWdodCBiZSB1c2VkIGFuIGFjY2VzcyB0b2tlbiBmb3JtYXQgZm9yIEJl YXJlciB0b2tlbiBhdXRoPyAgT3IgaXMgdGhlcmUgYW5vdGhlciBkcmFmdCBzb21ld2hlcmUgZm9y IHRoYXQ/ICBJcyBhbnlib2R5IG91dCB0aGVyZSB1c2luZyBKV1MgKyBKV1QgYXMgYSBhY2Nlc3Mg dG9rZW4gZm9ybWF0Pw0KDQoNCk9uIDQvMjUvMjAxNCAyOjU5IFBNLCBCcmlhbiBDYW1wYmVsbCB3 cm90ZToNCmRyYWZ0LWlldGYtb2F1dGgtand0LWJlYXJlciBpcyBvbmx5IGFib3V0IGludGVyYWN0 aW9ucyAoY2xpZW50DQphdXRoZW50aWNhdGlvbiBhbmQgSldUIGFzIGFuIGF1dGhvcml6YXRpb24g Z3JhbnQpIHdpdGggdGhlIHRva2VuDQplbmRwb2ludCBhbmQgZG9lc24ndCBkZWZpbmUgSldUIHN0 eWxlIGFjY2VzcyB0b2tlbnMuDQoNCg0KT24gRnJpLCBBcHIgMjUsIDIwMTQgYXQgMTI6NTEgUE0s IEJpbGwgQnVya2UgPGJidXJrZUByZWRoYXQuY29tPG1haWx0bzpiYnVya2VAcmVkaGF0LmNvbT4N CjxtYWlsdG86YmJ1cmtlQHJlZGhhdC5jb208bWFpbHRvOmJidXJrZUByZWRoYXQuY29tPj4+IHdy b3RlOg0KDQogICAgUmVkIEhhdCBLZXljbG9hayBbMV0gb25seSBzdXBwb3J0cyBiYXNpYyBhdXRo IGZvciBjbGllbnQNCiAgICBhdXRoZW50aWNhdGlvbiBhcyBzdWdnZXN0ZWQgaW4gdGhlIE9BdXRo IDIgc3BlYy4gIEJ1dCBvdXIgYWNjZXNzDQogICAgdG9rZW5zIGFyZSBKV1Mgc2lnbmVkIEpXVHMu DQoNCiAgICBEb2VzIGRyYWZ0LWlldGYtb2F1dGgtand0LWJlYXJlciByZWxhdGUgdG8gT0F1dGgg QmVhcmVyIHRva2VuIGF1dGgNCiAgICBbMl0/ICBPciBpcyB0aGVyZSBhbm90aGVyIGRvY3VtZW50 IEkgc2hvdWxkIGJlIGZvbGxvd2luZz8gIEknZCBsaWtlDQogICAgdG8gc2VlIHdoYXQgb3RoZXIg Y2xhaW1zIGFyZSBiZWluZyBkaXNjdXNzZWQgcmVsYXRlZCB0byBKV1QtYmFzZWQNCiAgICBhY2Nl c3MgdG9rZW5zIGFuZCBtYXkgaGF2ZSBzb21lIGFkZGl0aW9uYWwgYWNjZXNzIHRva2VuIGNsYWlt cyB3ZSd2ZQ0KICAgIGJlZW4gZXhwZXJpbWVudGluZyB3aXRoIG90aGVycyBtaWdodCBiZSBpbnRl cmVzdGVkIGluLg0KDQogICAgQWxzbywgSSdtIG5vdCBzdXJlIHlldCBpZiB3ZSdsbCBpbXBsZW1l bnQNCiAgICBkcmFmdC1pZXRmLW9hdXRoLWp3dC1iZWFyZXIgdG8gYXV0aGVudGljYXRlIGNsaWVu dHMuICBBIGxvdCBvZiBvdXINCiAgICBpbml0aWFsIHVzZXJzIGFyZSBtb3JlIGludGVyZXN0ZWQg aW4gcHVibGljIGNsaWVudHMgYW5kL29yIHRoZQ0KICAgIGltcGxpY2l0IGZsb3cgYXMgdGhleSBh cmUgd3JpdGluZyBhIGxvdCBvZiBwdXJlIGphdmFzY3JpcHQgYXBwcw0KICAgIHNlcnZlZCB1cCBi eSBzaW1wbGUgc3RhdGljIHdlYiBzZXJ2ZXJzLg0KDQogICAgWzFdIGh0dHA6Ly9rZXljbG9hay5v cmcNCiAgICBbMl0gaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvX19yZmM2NzUwDQogICAgPGh0 dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzY3NTA+DQoNCi0tDQpCaWxsIEJ1cmtlDQpKQm9z cywgYSBkaXZpc2lvbiBvZiBSZWQgSGF0DQpodHRwOi8vYmlsbC5idXJrZWNlbnRyYWwuY29tDQoN Cg== --_000_4E1F6AAD24975D4BA5B16804296739439A196778TK5EX14MBXC288r_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9DQpAZm9udC1mYWNlDQoJ e2ZvbnQtZmFtaWx5OlRhaG9tYTsNCglwYW5vc2UtMToyIDExIDYgNCAzIDUgNCA0IDIgNDt9DQov KiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1z b05vcm1hbA0KCXttYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNp emU6MTIuMHB0Ow0KCWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLCJzZXJpZiI7fQ0KYTps aW5rLCBzcGFuLk1zb0h5cGVybGluaw0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6 Ymx1ZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29I eXBlcmxpbmtGb2xsb3dlZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxl Ow0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0Kc3Bhbi5ob2VuemINCgl7bXNvLXN0eWxl LW5hbWU6aG9lbnpiO30NCnNwYW4uRW1haWxTdHlsZTE4DQoJe21zby1zdHlsZS10eXBlOnBlcnNv bmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7DQoJY29sb3I6 IzFGNDk3RDt9DQouTXNvQ2hwRGVmYXVsdA0KCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25seTsN Cglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiO30NCkBwYWdlIFdvcmRTZWN0aW9u MQ0KCXtzaXplOjguNWluIDExLjBpbjsNCgltYXJnaW46MS4waW4gMS4waW4gMS4waW4gMS4waW47 fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9uMTt9DQotLT48L3N0eWxlPjwh LS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRpdCIgc3Bp ZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1s Pg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0KPG86aWRtYXAgdjpleHQ9ImVkaXQiIGRh dGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5kaWZdLS0+DQo8L2hlYWQ+DQo8 Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0iYmx1ZSIgdmxpbms9InB1cnBsZSI+DQo8ZGl2IGNsYXNz PSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNl cmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPlRvIGJlIGNsZWFyLCBhY2Nlc3MgdG9rZW5zIGFyZSBv cGFxdWUgaW4gT0F1dGggYW5kIEkgZG9u4oCZdCBzZWUgYW55IG9mIHVzIHRyeWluZyB0byBjaGFu Z2UgdGhhdCBpbiB0aGUgZ2VuZXJhbCBjYXNlLiZuYnNwOyBQYXJ0aWN1bGFyIGF1dGhvcml6YXRp b24gc2VydmVycyBtYXkgdXNlDQogSldUcyBhcyBhbiBhY2Nlc3MgdG9rZW4gZm9ybWF0LCBidXQg dGhhdOKAmXMgdGhlaXIgcHJpdmF0ZSBjaG9pY2UuJm5ic3A7IEkga25vdyBvZiBvdGhlciBhdXRo b3JpemF0aW9uIHNlcnZlcnMgdGhhdCBoYXZlIHRoZSBhY2Nlc3MgdG9rZW4gdmFsdWUgYmUgYW4g aW5kZXggaW50byBhIGxvY2FsIGRhdGFiYXNlIHRhYmxlLCB3aGljaCBpcyBqdXN0IGFzIGxlZ2l0 aW1hdGUgYSBjaG9pY2UgYXMgdXNpbmcgYSBzdHJ1Y3R1cmVkIGFjY2VzcyB0b2tlbi48bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2Vy aWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5 N0QiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAtLSBNaWtlPG86cD48L286 cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlm JnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RhaG9tYSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7Ij5Gcm9tOjwvc3Bh bj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGFo b21hJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDsiPiBPQXV0aCBbbWFpbHRvOm9hdXRoLWJv dW5jZXNAaWV0Zi5vcmddDQo8Yj5PbiBCZWhhbGYgT2YgPC9iPkJyaWFuIENhbXBiZWxsPGJyPg0K PGI+U2VudDo8L2I+IEZyaWRheSwgQXByaWwgMjUsIDIwMTQgMToxMiBQTTxicj4NCjxiPlRvOjwv Yj4gQmlsbCBCdXJrZTxicj4NCjxiPkNjOjwvYj4gb2F1dGg8YnI+DQo8Yj5TdWJqZWN0OjwvYj4g UmU6IFtPQVVUSC1XR10gZHJhZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyICE9IGFjY2VzcyB0b2tl bnMgKHdhcyBSZTogZHJhZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyIFNoZXBoZXJkIFdyaXRlLXVw KTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFy Z2luLWJvdHRvbToxMi4wcHQiPkkgdGhpbmsgaXQgaXMga2luZCBvZiBhc3N1bWVkLCB5ZWFoLiBB bmQgSldUIGFzIGl0IGlzIGdpdmVzIHlvdSBldmVyeXRoaW5nIHlvdSBuZWVkIGZvciB0aGF0IGFz IGxvbmcgYXMgdGhlIEFTIGFuZCBSUyBjYW4gYWdyZWUgb24ga2V5cywgSldFIGFuZC9vciBKV1Ms IGFuZCBob3cgdGhlIGNsYWltcyB3aWxsIGxvb2suIEkgc3VzcGVjdCB0aGF0J3Mgd2hhdCBtb3N0 DQogZGVwbG95bWVudHMgYXJlIGRvaW5nIHdpdGggSldUIGFjY2VzcyB0b2tlbnMgdG9kYXkuIFdl IGFyZSwgb3Igb2ZmZXIgSldTICYjNDM7IEpXVCBhY2Nlc3MgdG9rZW5zIGFzIGFuIG9wdGlvbiBp biBwcm9kdWN0IGFueXdheSwgYW5kIEkgYmVsaWV2ZSBtYW55IG90aGVycyBhcmUgZG9pbmcgdGhl IHNhbWUuPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPklITU8g Z2V0dGluZyBldmVyeW9uZSB0byBhZ3JlZSBvbiB0aGUgc3BlY2lmaWMgY2xhaW1zIGV0Yy4gbmVl ZGVkIGZvciBhIHN0YW5kYXJkaXplZCBKV1QgYWNjZXNzIHRva2VuIGlzIGEgYml0IG9mIGEgcmF0 J3MgbmVzdCwgd2hpY2ggaXMgd2h5IHRoZXJlJ3Mgbm90IGJlZW4gbXVjaCBwcm9ncmVzcyBpbiB0 aGF0IGFyZWEuDQo8bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij48YnI+DQo8YnI+DQo8YnI+DQo8bzpw PjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIiBzdHlsZT0ibWFyZ2luLWJvdHRvbToxMi4wcHQiPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPk9uIEZyaSwgQXByIDI1LCAyMDE0IGF0IDE6 NTEgUE0sIEJpbGwgQnVya2UgJmx0OzxhIGhyZWY9Im1haWx0bzpiYnVya2VAcmVkaGF0LmNvbSIg dGFyZ2V0PSJfYmxhbmsiPmJidXJrZUByZWRoYXQuY29tPC9hPiZndDsgd3JvdGU6PG86cD48L286 cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5UaGFuayB5b3UuICZuYnNwO1RoYXRzIHdoYXQg SSB0aG91Z2h0LiAmbmJzcDtJcyBpdCBqdXN0IGFzc3VtZWQgSldUIHdvdWxkL21pZ2h0IGJlIHVz ZWQgYW4gYWNjZXNzIHRva2VuIGZvcm1hdCBmb3IgQmVhcmVyIHRva2VuIGF1dGg/ICZuYnNwO09y IGlzIHRoZXJlIGFub3RoZXIgZHJhZnQgc29tZXdoZXJlIGZvciB0aGF0PyAmbmJzcDtJcyBhbnli b2R5IG91dCB0aGVyZSB1c2luZyBKV1MgJiM0MzsgSldUIGFzIGEgYWNjZXNzIHRva2VuIGZvcm1h dD88bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48YnI+DQo8YnI+ DQpPbiA0LzI1LzIwMTQgMjo1OSBQTSwgQnJpYW4gQ2FtcGJlbGwgd3JvdGU6PG86cD48L286cD48 L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItbGVmdDpz b2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNi4wcHQ7bWFyZ2luLWxlZnQ6 NC44cHQ7bWFyZ2luLXJpZ2h0OjBpbiI+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ZHJh ZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyIGlzIG9ubHkgYWJvdXQgaW50ZXJhY3Rpb25zIChjbGll bnQ8YnI+DQphdXRoZW50aWNhdGlvbiBhbmQgSldUIGFzIGFuIGF1dGhvcml6YXRpb24gZ3JhbnQp IHdpdGggdGhlIHRva2VuPGJyPg0KZW5kcG9pbnQgYW5kIGRvZXNuJ3QgZGVmaW5lIEpXVCBzdHls ZSBhY2Nlc3MgdG9rZW5zLjxicj4NCjxicj4NCjxicj4NCk9uIEZyaSwgQXByIDI1LCAyMDE0IGF0 IDEyOjUxIFBNLCBCaWxsIEJ1cmtlICZsdDs8YSBocmVmPSJtYWlsdG86YmJ1cmtlQHJlZGhhdC5j b20iIHRhcmdldD0iX2JsYW5rIj5iYnVya2VAcmVkaGF0LmNvbTwvYT48bzpwPjwvbzpwPjwvcD4N CjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZsdDttYWlsdG86PGEgaHJlZj0i bWFpbHRvOmJidXJrZUByZWRoYXQuY29tIiB0YXJnZXQ9Il9ibGFuayI+YmJ1cmtlQHJlZGhhdC5j b208L2E+Jmd0OyZndDsgd3JvdGU6PGJyPg0KPGJyPg0KJm5ic3A7ICZuYnNwOyBSZWQgSGF0IEtl eWNsb2FrIFsxXSBvbmx5IHN1cHBvcnRzIGJhc2ljIGF1dGggZm9yIGNsaWVudDxicj4NCiZuYnNw OyAmbmJzcDsgYXV0aGVudGljYXRpb24gYXMgc3VnZ2VzdGVkIGluIHRoZSBPQXV0aCAyIHNwZWMu ICZuYnNwO0J1dCBvdXIgYWNjZXNzPGJyPg0KJm5ic3A7ICZuYnNwOyB0b2tlbnMgYXJlIEpXUyBz aWduZWQgSldUcy48YnI+DQo8YnI+DQombmJzcDsgJm5ic3A7IERvZXMgZHJhZnQtaWV0Zi1vYXV0 aC1qd3QtYmVhcmVyIHJlbGF0ZSB0byBPQXV0aCBCZWFyZXIgdG9rZW4gYXV0aDxicj4NCiZuYnNw OyAmbmJzcDsgWzJdPyAmbmJzcDtPciBpcyB0aGVyZSBhbm90aGVyIGRvY3VtZW50IEkgc2hvdWxk IGJlIGZvbGxvd2luZz8gJm5ic3A7SSdkIGxpa2U8YnI+DQombmJzcDsgJm5ic3A7IHRvIHNlZSB3 aGF0IG90aGVyIGNsYWltcyBhcmUgYmVpbmcgZGlzY3Vzc2VkIHJlbGF0ZWQgdG8gSldULWJhc2Vk PGJyPg0KJm5ic3A7ICZuYnNwOyBhY2Nlc3MgdG9rZW5zIGFuZCBtYXkgaGF2ZSBzb21lIGFkZGl0 aW9uYWwgYWNjZXNzIHRva2VuIGNsYWltcyB3ZSd2ZTxicj4NCiZuYnNwOyAmbmJzcDsgYmVlbiBl eHBlcmltZW50aW5nIHdpdGggb3RoZXJzIG1pZ2h0IGJlIGludGVyZXN0ZWQgaW4uPGJyPg0KPGJy Pg0KJm5ic3A7ICZuYnNwOyBBbHNvLCBJJ20gbm90IHN1cmUgeWV0IGlmIHdlJ2xsIGltcGxlbWVu dDxicj4NCiZuYnNwOyAmbmJzcDsgZHJhZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyIHRvIGF1dGhl bnRpY2F0ZSBjbGllbnRzLiAmbmJzcDtBIGxvdCBvZiBvdXI8YnI+DQombmJzcDsgJm5ic3A7IGlu aXRpYWwgdXNlcnMgYXJlIG1vcmUgaW50ZXJlc3RlZCBpbiBwdWJsaWMgY2xpZW50cyBhbmQvb3Ig dGhlPGJyPg0KJm5ic3A7ICZuYnNwOyBpbXBsaWNpdCBmbG93IGFzIHRoZXkgYXJlIHdyaXRpbmcg YSBsb3Qgb2YgcHVyZSBqYXZhc2NyaXB0IGFwcHM8YnI+DQombmJzcDsgJm5ic3A7IHNlcnZlZCB1 cCBieSBzaW1wbGUgc3RhdGljIHdlYiBzZXJ2ZXJzLjxicj4NCjxicj4NCiZuYnNwOyAmbmJzcDsg WzFdIDxhIGhyZWY9Imh0dHA6Ly9rZXljbG9hay5vcmciIHRhcmdldD0iX2JsYW5rIj5odHRwOi8v a2V5Y2xvYWsub3JnPC9hPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIiBzdHlsZT0ibWFyZ2luLWJvdHRvbToxMi4wcHQiPiZuYnNwOyAmbmJzcDsgWzJdIDxhIGhy ZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL19fcmZjNjc1MCIgdGFyZ2V0PSJfYmxhbmsi Pg0KaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvX19yZmM2NzUwPC9hPjxicj4NCiZuYnNwOyAm bmJzcDsgJmx0OzxhIGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL3JmYzY3NTAiIHRh cmdldD0iX2JsYW5rIj5odHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9yZmM2NzUwPC9hPiZndDs8 bzpwPjwvbzpwPjwvcD4NCjwvYmxvY2txdW90ZT4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFu IHN0eWxlPSJjb2xvcjojODg4ODg4Ij48YnI+DQo8c3BhbiBjbGFzcz0iaG9lbnpiIj4tLSA8L3Nw YW4+PGJyPg0KPHNwYW4gY2xhc3M9ImhvZW56YiI+QmlsbCBCdXJrZTwvc3Bhbj48YnI+DQo8c3Bh biBjbGFzcz0iaG9lbnpiIj5KQm9zcywgYSBkaXZpc2lvbiBvZiBSZWQgSGF0PC9zcGFuPjxicj4N CjxzcGFuIGNsYXNzPSJob2VuemIiPjxhIGhyZWY9Imh0dHA6Ly9iaWxsLmJ1cmtlY2VudHJhbC5j b20iIHRhcmdldD0iX2JsYW5rIj5odHRwOi8vYmlsbC5idXJrZWNlbnRyYWwuY29tPC9hPjwvc3Bh bj48L3NwYW4+PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg== --_000_4E1F6AAD24975D4BA5B16804296739439A196778TK5EX14MBXC288r_-- From nobody Fri Apr 25 14:04:56 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3EA31A06A5 for ; Fri, 25 Apr 2014 14:04:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.174 X-Spam-Level: X-Spam-Status: No, score=-7.174 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7IDjgjSOWkN for ; Fri, 25 Apr 2014 14:04:48 -0700 (PDT) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id BA24E1A03D9 for ; Fri, 25 Apr 2014 14:04:48 -0700 (PDT) Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s3PL4fB1004976 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 25 Apr 2014 17:04:41 -0400 Received: from [10.10.50.202] (vpn-50-202.rdu2.redhat.com [10.10.50.202]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s3PL4eE1019782; Fri, 25 Apr 2014 17:04:41 -0400 Message-ID: <535ACDEB.3090906@redhat.com> Date: Fri, 25 Apr 2014 17:04:43 -0400 From: Bill Burke User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: <535ABCBF.3090308@redhat.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/aRMNnnf8Mm-GGIiAgwO6ruYZh9s Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 21:04:52 -0000 On 4/25/2014 4:12 PM, Brian Campbell wrote: > > IHMO getting everyone to agree on the specific claims etc. needed for a > standardized JWT access token is a bit of a rat's nest, which is why > there's not been much progress in that area. > I guess any IANA registry submissions for new JWT claims is premature until an RFC is out for JWT? Or are people writing drafts for their own personal claims? Thanks. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From nobody Fri Apr 25 14:26:06 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5A651A06B9 for ; Fri, 25 Apr 2014 14:26:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8UW9By5niQQN for ; Fri, 25 Apr 2014 14:26:02 -0700 (PDT) Received: from na6sys009bog019.obsmtp.com (na6sys009bog019.obsmtp.com [74.125.150.78]) by ietfa.amsl.com (Postfix) with ESMTP id 9C6491A067C for ; Fri, 25 Apr 2014 14:26:02 -0700 (PDT) Received: from mail-ig0-f181.google.com ([209.85.213.181]) (using TLSv1) by na6sys009bob019.postini.com ([74.125.148.12]) with SMTP ID DSNKU1rS49Qzy5gD9fylUwM31hS8wswntV8L@postini.com; Fri, 25 Apr 2014 14:25:56 PDT Received: by mail-ig0-f181.google.com with SMTP id h18so2718537igc.14 for ; Fri, 25 Apr 2014 14:25:55 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=QLLhxiogj0cN2YtZi7Hihu9k2H0Y62ba6EnFqp6g8L4=; b=ZndLXECZt92dm/ELqCHfyX2KQ3MpDsrvRwnYfZeA84MEMt3acU9TmFkviDYysrlvEC EPWEgsFOwkUytSfvpmWDAEWxkwsoJ/XiP/kODvaflepVTHZ6cY8J/Z+cj4GOnHdbc+mH As8yqu8k2RPFibXvgafRH+2EUrnYSW7toOWrGP20a4fRRxuXyEr7ltUg9C5F0+NjCjKe cXKs5a6clN9IeHFKDSIquDwsG8FCGTemhrM4V3+bky7GAnqIKV4i/GHcXyppU5Bk2UmI Xg5DeauGFRItb7rGjIELFl3vMe7BU8Ep76zmAtJruy2VVvv8cDI7q0QJZQ1e5eEZm5ww boVw== X-Gm-Message-State: ALoCoQnT3aH3zGIy1t3GfVMHWTqThQFknF0rBDLNhTixSIXw7YabuS1d7c4Jp7eLM1d7qE+mZddL3nh0MvbuB0Q8EA7VFddnaeM0YIQYD1DClH4B9o88hVRtKSGED9Eti0nVgfIP7E/k X-Received: by 10.42.136.130 with SMTP id u2mr9299461ict.51.1398461155634; Fri, 25 Apr 2014 14:25:55 -0700 (PDT) X-Received: by 10.42.136.130 with SMTP id u2mr9299450ict.51.1398461155498; Fri, 25 Apr 2014 14:25:55 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Fri, 25 Apr 2014 14:25:25 -0700 (PDT) In-Reply-To: <535ACDEB.3090906@redhat.com> References: <535ABCBF.3090308@redhat.com> <535ACDEB.3090906@redhat.com> From: Brian Campbell Date: Fri, 25 Apr 2014 15:25:25 -0600 Message-ID: To: Bill Burke Content-Type: multipart/alternative; boundary=90e6ba6e8c0667f41904f7e49cef Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/LUKEpBE6WqvxImcyhCtmELc87fQ Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 21:26:04 -0000 --90e6ba6e8c0667f41904f7e49cef Content-Type: text/plain; charset=UTF-8 Well, OpenID Connect has a section register JWT claims so it can't be too premature: http://openid.net/specs/openid-connect-core-1_0.html#IANA However, private claims are often good enough for JWTs between a related AS and RS: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-4.3 On Fri, Apr 25, 2014 at 3:04 PM, Bill Burke wrote: > > > On 4/25/2014 4:12 PM, Brian Campbell wrote: > >> >> IHMO getting everyone to agree on the specific claims etc. needed for a >> standardized JWT access token is a bit of a rat's nest, which is why >> there's not been much progress in that area. >> >> > I guess any IANA registry submissions for new JWT claims is premature > until an RFC is out for JWT? Or are people writing drafts for their own > personal claims? > > Thanks. > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > --90e6ba6e8c0667f41904f7e49cef Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Well, OpenID Connect has a section register JWT claim= s so it can't be too premature: http://openid.net/specs/openid-connect-core-= 1_0.html#IANA

However, private claims are often good enough for JWTs between a = related AS and RS: http://tools.ietf.org/html/draft-ietf-oauth-j= son-web-token-19#section-4.3


On Fri,= Apr 25, 2014 at 3:04 PM, Bill Burke <bburke@redhat.com> wro= te:


On 4/25/2014 4:12 PM, Brian Campbell wrote:

IHMO getting everyone to agree on the specific claims etc. needed for a
standardized JWT access token is a bit of a rat's nest, which is why there's not been much progress in that area.


I guess any IANA registry submissions for new JWT claims is premature until= an RFC is out for JWT? =C2=A0Or are people writing drafts for their own pe= rsonal claims?

Thanks.


--
Bill Burke
JBoss, a division of Red Hat
http://bill.burk= ecentral.com

--90e6ba6e8c0667f41904f7e49cef-- From nobody Fri Apr 25 14:46:23 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 756251A050E for ; Fri, 25 Apr 2014 14:46:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bnZcHO5xb290 for ; Fri, 25 Apr 2014 14:46:17 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0139.outbound.protection.outlook.com [207.46.163.139]) by ietfa.amsl.com (Postfix) with ESMTP id 6486A1A03D8 for ; Fri, 25 Apr 2014 14:46:17 -0700 (PDT) Received: from BLUPR03CA036.namprd03.prod.outlook.com (10.141.30.29) by BY2PR03MB364.namprd03.prod.outlook.com (10.242.237.17) with Microsoft SMTP Server (TLS) id 15.0.921.12; Fri, 25 Apr 2014 21:46:09 +0000 Received: from BN1AFFO11FD054.protection.gbl (2a01:111:f400:7c10::112) by BLUPR03CA036.outlook.office365.com (2a01:111:e400:879::29) with Microsoft SMTP Server (TLS) id 15.0.921.12 via Frontend Transport; Fri, 25 Apr 2014 21:46:08 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD054.mail.protection.outlook.com (10.58.53.69) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Fri, 25 Apr 2014 21:46:07 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.03.0181.007; Fri, 25 Apr 2014 21:45:32 +0000 From: Mike Jones To: Bill Burke , Brian Campbell Thread-Topic: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) Thread-Index: AQHPYLiWCPtQeI+RDEaVTJpQcIUadZsivgyAgAAFwACAAA64gIAACw+w Date: Fri, 25 Apr 2014 21:45:31 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A196A2B@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <535ABCBF.3090308@redhat.com> <535ACDEB.3090906@redhat.com> In-Reply-To: <535ACDEB.3090906@redhat.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.74] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(979002)(6009001)(438001)(24454002)(51704005)(189002)(199002)(377454003)(479174003)(13464003)(15975445006)(2656002)(87936001)(33656001)(50466002)(81542001)(83072002)(76482001)(55846006)(46102001)(76176999)(97756001)(54356999)(97736001)(46406003)(6806004)(86362001)(77982001)(23726002)(4396001)(80976001)(2009001)(99396002)(16601075003)(86612001)(15202345003)(83322001)(44976005)(79102001)(74662001)(74502001)(50986999)(19580395003)(81342001)(47776003)(92566001)(31966008)(66066001)(20776003)(92726001)(84676001)(80022001)(19580405001)(85852003)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB364; H:mail.microsoft.com; FPR:ECD279B7.9E0217E2.F1CF7F6B.4652FC7A.2021E; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0192E812EC Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/hXVQteWX2QdzvxB5-Ju-wa9bhOQ Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Apr 2014 21:46:20 -0000 Yes, IANA can't act upon this until JWT is an RFC. If you point us to your= draft defining new claims, however, I'd be glad review your proposed claim= s usage, if you're interested in that. Best wishes, -- Mike -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Burke Sent: Friday, April 25, 2014 2:05 PM To: Brian Campbell Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer !=3D access tokens (was= Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) On 4/25/2014 4:12 PM, Brian Campbell wrote: > > IHMO getting everyone to agree on the specific claims etc. needed for=20 > a standardized JWT access token is a bit of a rat's nest, which is why=20 > there's not been much progress in that area. > I guess any IANA registry submissions for new JWT claims is premature until= an RFC is out for JWT? Or are people writing drafts for their own persona= l claims? Thanks. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth From nobody Sat Apr 26 04:52:30 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF71C1A048F for ; Sat, 26 Apr 2014 04:52:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.554 X-Spam-Level: X-Spam-Status: No, score=0.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKHgD9tf90Xp for ; Sat, 26 Apr 2014 04:52:26 -0700 (PDT) Received: from mxout.myoutlookonline.com (mxout.myoutlookonline.com [74.201.97.201]) by ietfa.amsl.com (Postfix) with ESMTP id 9B3871A0185 for ; Sat, 26 Apr 2014 04:52:26 -0700 (PDT) Received: from mxout.myoutlookonline.com (localhost [127.0.0.1]) by mxout.myoutlookonline.com (Postfix) with ESMTP id D64EE8C07DE; Sat, 26 Apr 2014 07:52:19 -0400 (EDT) X-Virus-Scanned: by SpamTitan at mail.lan Received: from S10HUB001.SH10.lan (unknown [10.110.2.1]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mxout.myoutlookonline.com (Postfix) with ESMTPS id 16EB18C07C0; Sat, 26 Apr 2014 07:52:19 -0400 (EDT) Received: from S10BE002.SH10.lan ([::1]) by S10HUB001.SH10.lan ([::1]) with mapi id 14.01.0438.000; Sat, 26 Apr 2014 07:52:18 -0400 From: Andrei Shakirin To: "oauth@ietf.org" Thread-Topic: [OAUTH-WG] Session cookies in OAuth2 flow Thread-Index: Ac9f1m601wyijPx7QUKZAdgpumsSswAfcZMAAAAQz7AAEtf8AAAICd4gAAENP4AACAct8A== Date: Sat, 26 Apr 2014 11:52:17 +0000 Message-ID: References: <8CE5B8B4-5CFB-4E1C-B1EC-06D2F0217ED8@adobe.com> <7EF3EC88-B32C-4858-8570-B142A6EEE96C@ve7jtb.com> <585CA20A-F0D4-441D-81BC-DCA2A049E5F1@ve7jtb.com> In-Reply-To: <585CA20A-F0D4-441D-81BC-DCA2A049E5F1@ve7jtb.com> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [95.91.233.189] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/FFH3uhHsxvFCElTvuyMD01u1on4 Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Apr 2014 11:52:29 -0000 Hi John, Thanks for explanation, so basically "state" binds the redirected request t= o user-agent authentication state. Do you think the following way to check "state" is safe enough as well? 1. The client authenticates user-agent by every request (for example using = Basic or Digest over SSL)=20 2. The client generates a random state and stores it into kind of hashtable= (user id -> list of states) for every initial request. 3. Client injects generated state into redirect URL as query parameter. 4. When Authorization server redirects user-agent back to the client using = redirect URL, client authenticates user-agent and compares the state receiv= ed with request (it was injected into URL) with value from internal hashtab= le based on user identity. 5. Used state is removed from hashtable to prevent repeatable using. Thanks in advance, Andrei. =20 > -----Original Message----- > From: John Bradley [mailto:ve7jtb@ve7jtb.com] > Sent: Freitag, 25. April 2014 18:23 > To: Andrei Shakirin > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow >=20 > For cross site request forgery you need to validate the value in state so= mehow. > You could store the value in the browser session, or relate it somehow to > session information in the server. >=20 > Making up a random number in the request and checking that there is a > random number in the response won't help. > Even signing the value of the state is not super useful as the the attack= er could > just separately get a state value from another authn request and use that= in > there cross site request request. >=20 > The cookie or hash of some other TLS bound session cookie allows the clie= nt to > detect the XRSF attack without using server side state on the client. >=20 > John B. >=20 >=20 > On Apr 25, 2014, at 12:36 PM, Andrei Shakirin wrot= e: >=20 > > Hi John, > > > > Thanks a lot for your explanation! > > > > I am a bit confused regarding "state" parameter and cookies. I thought = that > "state" is included in redirection URI for user-agent and verified by cli= ent when > Authorization server redirects user-agent back. > > It is a way to bind authorization request to response (4.1. Authorizati= on Code > Grant, steps (A) and (C)). > > Are the cookies really necessary in this case? Can they provide additio= nal > protection in case if redirect URI manipulated? > > > > Regards, > > Andrei. > > > > > >> -----Original Message----- > >> From: John Bradley [mailto:ve7jtb@ve7jtb.com] > >> Sent: Freitag, 25. April 2014 14:03 > >> To: Andrei Shakirin > >> Cc: oauth@ietf.org > >> Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow > >> > >> Yes the server can be stateless, though it may need to store client > >> credentials and user to validate against, and refresh token grants etc= . > >> > >> The "state" parameter allows the client to maintain some state > >> information across the Oauth authorization request and response. > >> > >> Part of the use of that state information by the client allows it to > >> protect itself from having authorization requests initiated by 3rd > >> parties that is what Sec > >> 10.12 is talking about. > >> In that case the client can save state in a browser cookie or in the > >> server and use that to validate the returned state value to assure > >> itself that the authorization request came from itself. > >> > >> John B. > >> > >> On Apr 25, 2014, at 4:08 AM, Andrei Shakirin > wrote: > >> > >>> Hi Antonio, > >>> > >>> Thanks for your quick answer. > >>> Important for me is that OAuth2 doesn't force to store client or > >>> user-agent > >> states in the authorization server, so authorization server can be > >> stateless and is not obligated to introduce the sessions at all. > >>> > >>> Regards, > >>> Andrei. > >>> > >>>> -----Original Message----- > >>>> From: Antonio Sanso [mailto:asanso@adobe.com] > >>>> Sent: Freitag, 25. April 2014 09:02 > >>>> To: Andrei Shakirin > >>>> Cc: oauth@ietf.org > >>>> Subject: Re: [OAUTH-WG] Session cookies in OAuth2 flow > >>>> > >>>> hi Andrei, > >>>> > >>>> AFAIU session cookie management is beyond the scope of the OAuth2 > >>>> specification. > >>>> > >>>> regards > >>>> > >>>> antonio > >>>> > >>>> On Apr 24, 2014, at 6:39 PM, Andrei Shakirin > >> wrote: > >>>> > >>>>> Hi, > >>>>> > >>>>> My name is Andrei Shakirin, I am working with OAuth2 > >>>>> implementation in > >>>> Apache CXF project. > >>>>> Could you please help me to verify my understanding regarding of > >>>>> using > >>>> session cookies in OAuth2 flow. > >>>>> OAuth2 specification mentions session cookies in: > >>>>> 1) Section 3.1. Authorization Endpoint as possible way to > >>>>> authenticate > >>>> resource owner against authorization server > >>>>> 2) Section 10.12. Cross-Site Request Forgery as possible attack > >>>>> where end- > >>>> user follows a malicious URI to a trusting server including a valid > >>>> session cookie > >>>>> > >>>>> My current understanding is: > >>>>> a) using sessions between user-agent and authorization server is > >>>>> optional and > >>>> authorization server is not obligated to keep user state (in case > >>>> if user-agent provide authentication information with every request)= . > >>>>> b) in case if sessions are used (because of any reasons), > >>>>> authorization server > >>>> have to care about additional protection like hidden form fields in > >>>> order to uniquely identify the actual authorization request. > >>>>> > >>>>> Is this correct? > >>>>> > >>>>> Regards, > >>>>> Andrei. > >>>>> > >>>>> _______________________________________________ > >>>>> OAuth mailing list > >>>>> OAuth@ietf.org > >>>>> https://www.ietf.org/mailman/listinfo/oauth > >>> > >>> _______________________________________________ > >>> OAuth mailing list > >>> OAuth@ietf.org > >>> https://www.ietf.org/mailman/listinfo/oauth > > From nobody Sun Apr 27 02:56:10 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 290601A0788 for ; Sun, 27 Apr 2014 02:56:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.951 X-Spam-Level: X-Spam-Status: No, score=-0.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_25=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rpZWdgyXh0wb for ; Sun, 27 Apr 2014 02:56:00 -0700 (PDT) Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.31.37]) by ietfa.amsl.com (Postfix) with ESMTP id 3213A1A00FF for ; Sun, 27 Apr 2014 02:55:58 -0700 (PDT) Received: from [79.253.32.176] (helo=[192.168.71.87]) by smtprelay03.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from ) id 1WeLoL-0000Em-0Z; Sun, 27 Apr 2014 11:55:49 +0200 Message-ID: <535CD425.7080506@lodderstedt.net> Date: Sun, 27 Apr 2014 11:55:49 +0200 From: Torsten Lodderstedt User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: John Bradley , Brian Campbell References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> <2DE29BE5-8E48-42E1-96AE-D92336AF66B8@ve7jtb.com> In-Reply-To: <2DE29BE5-8E48-42E1-96AE-D92336AF66B8@ve7jtb.com> Content-Type: multipart/alternative; boundary="------------080706040004050302050001" X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ= Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/WDQQTJq_zoFuk6Jh18fvVQevOsc Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 27 Apr 2014 09:56:07 -0000 This is a multi-part message in MIME format. --------------080706040004050302050001 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit +1 (we actually use a sub value of "anonymous" in our id tokens in case age verification, if we do not want to disclose the user's identity to the RP) Am 25.04.2014 22:11, schrieb John Bradley: > I am OK with that. > > On Apr 25, 2014, at 4:57 PM, Brian Campbell > > wrote: > >> I absolutely agree with always requiring both issuer and subject and >> that doing so keeps the specs simpler and is likely to improve >> interoperability. >> >> However, without changing that, perhaps some of the text in the >> document(s) could be improved a bit. Here's a rough proposal: >> >> Change the text of the second bullet in >> http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2 to >> >> "The assertion MUST contain a Subject. The Subject typically >> identifies an authorized accessor for which the access token is being >> requested (i.e. the resource owner, or an authorized delegate) but, >> in some cases, may be a pseudonym or other value denoting an >> anonymous user. When the client is acting on behalf of itself, the >> Subject MUST be the value of the client's client_id." >> >> And also change >> http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 >> to >> >> "When a client is accessing resources on behalf of an anonymous user, >> a mutually agreed upon Subject identifier indicating anonymity is >> used. The Subject value might be an agreed upon static value >> indicating an anonymous user or an opaque persistent or transient >> pseudonym for the user may also be utilized. The authorization may be >> based upon additional criteria, such as additional attributes or >> claims provided in the assertion. For example, a client may present >> an assertion from a trusted issuer asserting that the bearer is over >> 18 via an included claim. In this case, no additional information >> about the user's identity is included, yet all the data needed to >> issue an access token is present." >> >> And maybe also change the subject text in SAML and JWT (item #2 in >> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3 >> and >> http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3) to >> read a little more like the new proposed text above for section 5.2 >> of the Assertion Framework draft. >> >> Would that sit any better with you, Hannes? Thoughts from others in >> the WG? >> >> >> On Fri, Apr 25, 2014 at 1:08 PM, John Bradley > > wrote: >> >> Agreed. >> >> On Apr 25, 2014, at 3:07 PM, Mike Jones >> > > wrote: >> >>> I agree. We'd already discussed this pretty extensively and >>> reached the conclusion that always requiring both an issuer and >>> a subject both kept the specs simpler and was likely to improve >>> interoperability. >>> It's entirely up to the application profile what the contents of >>> the issuer and the subject fields are and so I don't think we >>> need to further specify their contents beyond what's already in >>> the specs. >>> -- Mike >>> *From:*OAuth [mailto:oauth-bounces@ietf.org]*On Behalf Of*Brian >>> Campbell >>> *Sent:*Friday, April 25, 2014 10:17 AM >>> *To:*Hannes Tschofenig >>> *Cc:*oauth@ietf.org >>> *Subject:*Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & >>> subject issue >>> >>> I believe, from the thread referenced earlier and prior >>> discussion and draft text, that the WG has reached (rough) >>> consensus to require the subject claim. So text that says >>> "Subject element MUST NOT be included" isn't workable. >>> >>> It seems what's needed here is some better explanation of how, >>> in cases that need it, the value of the subject can be populated >>> without using a PII type value. A simple static value like >>> "ANONYMOUS-SUBJECT" could be used. Or, more likely, some kind of >>> pairwise persistent pseudonymous identifier would be utilized, >>> which would not directly identify the subject but would allow >>> the relying party to recognize the same subject on subsequent >>> transactions. A transient pseudonym might also be appropriate in >>> some cases. And any of those approaches could be used with or >>> without additional claims (like age > 18 or membership in some >>> group) that get used to make an authorization decision. >>> >>> I wasn't sure exactly how to articulate all that in text for the >>> draft(s) but that's more of what I was asking for when I asked >>> if you could propose some text. >>> >>> >>> >>> >>> On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig >>> > >>> wrote: >>> Hi Brian, >>> >>> Thanks for pointing to the assertion framework document. >>> Re-reading the >>> text it appears that we have listed the case that in Section >>> 6.3.1 but >>> have forgotten to cover it elsewhere in the document. >>> >>> >>> In Section 6.3.1 we say: >>> >>> " >>> >>> 6.3.1. Client Acting on Behalf of an Anonymous User >>> >>> When a client is accessing resources on behalf of an >>> anonymous user, >>> the Subject indicates to the Authorization Server that the >>> client is >>> acting on-behalf of an anonymous user as defined by the >>> Authorization >>> Server. It is implied that authorization is based upon >>> additional >>> criteria, such as additional attributes or claims provided in the >>> assertion. For example, a client may present an assertion from a >>> trusted issuer asserting that the bearer is over 18 via an >>> included >>> claim. >>> >>> ***** >>> In this case, no additional information about the user's >>> identity is included, yet all the data needed to issue an access >>> token is present. >>> ***** >>> " >>> (I marked the relevant part with '***') >>> >>> >>> In Section 5.2, however, we say: >>> >>> >>> o The assertion MUST contain a Subject. The Subject >>> identifies an >>> authorized accessor for which the access token is being >>> requested >>> (typically the resource owner, or an authorized delegate). >>> When >>> the client is acting on behalf of itself, the Subject MUST >>> be the >>> value of the client's "client_id". >>> >>> >>> What we should have done in Section 5.2 is to expand the cases >>> inline >>> with what we have written in Section 6. >>> >>> Here is my proposed text: >>> >>> " >>> o The assertion MUST contain a Subject. The Subject identifies an >>> authorized accessor for which the access token is being requested >>> >>> (typically the resource owner, or an authorized delegate). >>> >>> When the client is acting on behalf of itself, as described in >>> Section >>> 6.1 and Section 6.2, the Subject MUST be the value of the client's >>> "client_id". >>> >>> When the client is acting on behalf of an user, as described in >>> Section >>> 6.3, the Subject element MUST be included in the assertion and >>> identifies an authorized accessor for which the access token is >>> being >>> requested. >>> >>> When the client is acting on behalf of an anonymous user, as >>> described >>> in Section 6.3.1, the Subject element MUST NOT be included in the >>> assertion. Other elements within the assertion will, however, >>> provide >>> enough information for the authorization server to make an >>> authorization >>> decision. >>> " >>> >>> Does this make sense to you? >>> >>> Ciao >>> Hannes >>> >>> >>> On 04/24/2014 02:30 PM, Brian Campbell wrote: >>> > There is some discussion of that case in the assertion framework >>> > document at >>> >http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 >>> > >>> > Do you feel that more is needed? If so, can you propose some text? >>> > >>> > >>> > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig >>> > >> >> >> wrote: >>> > >>> > Hi Brian, >>> > >>> > I read through the thread and the Google case is a bit >>> different since >>> > they are using the client authentication part of the JWT >>> bearer spec. >>> > There I don't see the privacy concerns either. >>> > >>> > I am, however, focused on the authorization grant where >>> the subject is >>> > in most cases the resource owner. >>> > >>> > It is possible to put garbage into the subject element >>> when privacy >>> > protection is needed for the resource owner case but that >>> would need to >>> > be described in the document; currently it is not there. >>> > >>> > Ciao >>> > Hannes >>> > >>> > >>> > On 04/24/2014 12:37 AM, Brian Campbell wrote: >>> > > That thread that Antonio started which you reference >>> went on for some >>> > > time >>> > > >>> > >>> (http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) >>> > > and seems to have reached consensus that the spec didn't >>> need >>> > normative >>> > > change and that such privacy cases or other cases which >>> didn't >>> > > explicitly need a subject identifier would be more >>> appropriately dealt >>> > > with in application logic: >>> > >>> >http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html >>> > > >>> > > >>> > > >>> > > >>> > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig >>> > > >> >> > >>> > >> >>> > >> >>> wrote: >>> > > >>> > > Hi all, >>> > > >>> > > in preparing the shepherd write-up for >>> > draft-ietf-oauth-jwt-bearer-08 I >>> > > had to review our recent email conversations and the >>> issue >>> > raised by >>> > > Antonio in >>> > > >>> > >>> http://www.ietf.org/mail-archive/web/oauth/current/msg12520.htmlbelong >>> > > to it. >>> > > >>> > > The issue was that Section 3 of >>> draft-ietf-oauth-jwt-bearer-08 >>> > says: >>> > > " >>> > > 2. The JWT MUST contain a "sub" (subject) claim >>> > identifying the >>> > > principal that is the subject of the JWT. Two cases >>> > need to be >>> > > differentiated: >>> > > >>> > > A. For the authorization grant, the subject >>> SHOULD >>> > identify an >>> > > authorized accessor for whom the access token is being >>> > > requested (typically the resource owner, or an >>> > authorized >>> > > delegate). >>> > > >>> > > B. For client authentication, the subject >>> MUST be the >>> > > "client_id" of the OAuth client. >>> > > " >>> > > >>> > > Antonio pointed to the current Google API to >>> illustrate that >>> > the subject >>> > > is not always needed. Here is the Google API >>> documentation: >>> > > >>> https://developers.google.com/accounts/docs/OAuth2ServiceAccount >>> > > >>> > > The Google API used the client authentication part >>> (rather >>> > than the >>> > > authorization grant), in my understanding. >>> > > >>> > > I still believe that the subject field has to be >>> included for >>> > client >>> > > authentication but I am not so sure anymore about the >>> > authorization >>> > > grant since I could very well imagine cases where >>> the subject >>> > is not >>> > > needed for authorization decisions but also for >>> privacy reasons. >>> > > >>> > > I would therefore suggest to change the text as follows: >>> > > >>> > > " >>> > > 2. The JWT contains a "sub" (subject) claim >>> identifying the >>> > > principal that is the subject of the JWT. Two cases >>> > need to be >>> > > differentiated: >>> > > >>> > > A. For the authorization grant, the subject >>> claim MAY >>> > > be included. If it is included it MUST identify the >>> > > authorized accessor for whom the access token is being >>> > > requested (typically the resource owner, or an >>> > authorized >>> > > delegate). Reasons for not including the subject claim >>> > > in the JWT are identity hiding (i.e., privacy >>> > protection >>> > > of the identifier of the subject) and cases where >>> > > the identifier of the subject is irrelevant for making >>> > > an authorization decision by the resource server. >>> > > >>> > > B. For client authentication, the subject >>> MUST be the >>> > > included in the JWT and the value MUST be populated >>> > > with the "client_id" of the OAuth client. >>> > > " >>> > > >>> > > What do you guys think? >>> > > >>> > > Ciao >>> > > Hannes >>> > > >>> > > >>> > > _______________________________________________ >>> > > OAuth mailing list >>> >>> > > OAuth@ietf.org >>> >> > >> >>> > >> >>> > > https://www.ietf.org/mailman/listinfo/oauth >>> > > >>> > > >>> > >>> > >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --------------080706040004050302050001 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit +1

(we actually use a sub value of "anonymous" in our id tokens in case age verification, if we do not want to disclose the user's identity to the RP)

Am 25.04.2014 22:11, schrieb John Bradley:
I am OK with that.

On Apr 25, 2014, at 4:57 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

I absolutely agree with always requiring both issuer and subject and that doing so keeps the specs simpler and is likely to improve interoperability.

However, without changing that, perhaps some of the text in the document(s) could be improved a bit. Here's a rough proposal:

Change the text of the second bullet in http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2 to

"The assertion MUST contain a Subject. The Subject typically identifies an authorized accessor for which the access token is being requested (i.e. the resource owner, or an authorized delegate) but, in some cases, may be a pseudonym or other value denoting an anonymous user. When the client is acting on behalf of itself, the Subject MUST be the value of the client's client_id."

And also change http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 to

"When a client is accessing resources on behalf of an anonymous user, a mutually agreed upon Subject identifier indicating anonymity is used. The Subject value might be an agreed upon static value indicating an anonymous user or an opaque persistent or transient pseudonym for the user may also be utilized. The authorization may be based upon additional criteria, such as additional attributes or claims provided in the assertion. For example, a client may present an assertion from a trusted issuer asserting that the bearer is over 18 via an included claim. In this case, no additional information about the user's identity is included, yet all the data needed to issue an access token is present."

And maybe also change the subject text in SAML and JWT (item #2 in http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3 and http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3) to read a little more like the new proposed text above for section 5.2 of the Assertion Framework draft.

Would that sit any better with you, Hannes? Thoughts from others in the WG?


On Fri, Apr 25, 2014 at 1:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
Agreed.

On Apr 25, 2014, at 3:07 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

I agree.  We’d already discussed this pretty extensively and reached the conclusion that always requiring both an issuer and a subject both kept the specs simpler and was likely to improve interoperability.
 
It’s entirely up to the application profile what the contents of the issuer and the subject fields are and so I don’t think we need to further specify their contents beyond what’s already in the specs.
 
                                                            -- Mike
 
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Friday, April 25, 2014 10:17 AM
To: Hannes Tschofenig
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue
 

I believe, from the thread referenced earlier and prior discussion and draft text, that the WG has reached (rough) consensus to require the subject claim. So text that says "Subject element MUST NOT be included" isn't workable.

It seems what's needed here is some better explanation of how, in cases that need it, the value of the subject can be populated without using a PII type value. A simple static value like "ANONYMOUS-SUBJECT" could be used. Or, more likely, some kind of pairwise persistent pseudonymous identifier would be utilized, which would not directly identify the subject but would allow the relying party to recognize the same subject on subsequent transactions. A transient pseudonym might also be appropriate in some cases. And any of those approaches could be used with or without additional claims (like age > 18 or membership in some group) that get used to make an authorization decision. 

I wasn't sure exactly how to articulate all that in text for the draft(s) but that's more of what I was asking for when I asked if you could propose some text.




 

On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
Hi Brian,

Thanks for pointing to the assertion framework document. Re-reading the
text it appears that we have listed the case that in Section 6.3.1 but
have forgotten to cover it elsewhere in the document.


In Section 6.3.1 we say:

"

6.3.1.  Client Acting on Behalf of an Anonymous User

   When a client is accessing resources on behalf of an anonymous user,
   the Subject indicates to the Authorization Server that the client is
   acting on-behalf of an anonymous user as defined by the Authorization
   Server.  It is implied that authorization is based upon additional
   criteria, such as additional attributes or claims provided in the
   assertion.  For example, a client may present an assertion from a
   trusted issuer asserting that the bearer is over 18 via an included
   claim.

*****
    In this case, no additional information about the user's
   identity is included, yet all the data needed to issue an access
   token is present.
*****
"
(I marked the relevant part with '***')


In Section 5.2, however, we say:


   o  The assertion MUST contain a Subject.  The Subject identifies an
      authorized accessor for which the access token is being requested
      (typically the resource owner, or an authorized delegate).  When
      the client is acting on behalf of itself, the Subject MUST be the
      value of the client's "client_id".


What we should have done in Section 5.2 is to expand the cases inline
with what we have written in Section 6.

Here is my proposed text:

"
o  The assertion MUST contain a Subject.  The Subject identifies an
authorized accessor for which the access token is being requested

(typically the resource owner, or an authorized delegate).

When the client is acting on behalf of itself, as described in Section
6.1 and Section 6.2, the Subject MUST be the value of the client's
"client_id".

When the client is acting on behalf of an user, as described in Section
6.3, the Subject element MUST be included in the assertion and
identifies an authorized accessor for which the access token is being
requested.

When the client is acting on behalf of an anonymous user, as described
in Section 6.3.1, the Subject element MUST NOT be included in the
assertion. Other elements within the assertion will, however, provide
enough information for the authorization server to make an authorization
decision.
"

Does this make sense to you?

Ciao
Hannes


On 04/24/2014 02:30 PM, Brian Campbell wrote:
> There is some discussion of that case in the assertion framework
> document at
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1
>
> Do you feel that more is needed? If so, can you propose some text?
>
>
> On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>
>     Hi Brian,
>
>     I read through the thread and the Google case is a bit different since
>     they are using the client authentication part of the JWT bearer spec.
>     There I don't see the privacy concerns either.
>
>     I am, however, focused on the authorization grant where the subject is
>     in most cases the resource owner.
>
>     It is possible to put garbage into the subject element when privacy
>     protection is needed for the resource owner case but that would need to
>     be described in the document; currently it is not there.
>
>     Ciao
>     Hannes
>
>
>     On 04/24/2014 12:37 AM, Brian Campbell wrote:
>     > That thread that Antonio started which you reference went on for some
>     > time
>     >
>     (http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520)
>     > and seems to have reached consensus that the spec didn't need
>     normative
>     > change and that such privacy cases or other cases which didn't
>     > explicitly need a subject identifier would be more appropriately dealt
>     > with in application logic:
>     > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html
>     >
>     >
>     >
>     >
>     > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig
>     > <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>
>     <mailto:hannes.tschofenig@gmx.net>>> wrote:
>     >
>     >     Hi all,
>     >
>     >     in preparing the shepherd write-up for
>     draft-ietf-oauth-jwt-bearer-08 I
>     >     had to review our recent email conversations and the issue
>     raised by
>     >     Antonio in
>     >
>     http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html belong
>     >     to it.
>     >
>     >     The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-08
>     says:
>     >     "
>     >        2.   The JWT MUST contain a "sub" (subject) claim
>     identifying the
>     >             principal that is the subject of the JWT.  Two cases
>     need to be
>     >             differentiated:
>     >
>     >             A.  For the authorization grant, the subject SHOULD
>     identify an
>     >                 authorized accessor for whom the access token is being
>     >                 requested (typically the resource owner, or an
>     authorized
>     >                 delegate).
>     >
>     >             B.  For client authentication, the subject MUST be the
>     >                 "client_id" of the OAuth client.
>     >     "
>     >
>     >     Antonio pointed to the current Google API to illustrate that
>     the subject
>     >     is not always needed. Here is the Google API documentation:
>     >     https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>     >
>     >     The Google API used the client authentication part (rather
>     than the
>     >     authorization grant), in my understanding.
>     >
>     >     I still believe that the subject field has to be included for
>     client
>     >     authentication but I am not so sure anymore about the
>     authorization
>     >     grant since I could very well imagine cases where the subject
>     is not
>     >     needed for authorization decisions but also for privacy reasons.
>     >
>     >     I would therefore suggest to change the text as follows:
>     >
>     >     "
>     >        2.   The JWT contains a "sub" (subject) claim identifying the
>     >             principal that is the subject of the JWT.  Two cases
>     need to be
>     >             differentiated:
>     >
>     >             A.  For the authorization grant, the subject claim MAY
>     >                 be included. If it is included it MUST identify the
>     >                 authorized accessor for whom the access token is being
>     >                 requested (typically the resource owner, or an
>     authorized
>     >                 delegate). Reasons for not including the subject claim
>     >                 in the JWT are identity hiding (i.e., privacy
>     protection
>     >                 of the identifier of the subject) and cases where
>     >                 the identifier of the subject is irrelevant for making
>     >                 an authorization decision by the resource server.
>     >
>     >             B.  For client authentication, the subject MUST be the
>     >                 included in the JWT and the value MUST be populated
>     >                 with the "client_id" of the OAuth client.
>     >     "
>     >
>     >     What do you guys think?
>     >
>     >     Ciao
>     >     Hannes
>     >
>     >
>     >     _______________________________________________
>     >     OAuth mailing list

>     >     OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>     <mailto:OAuth@ietf.org>>
>     >     https://www.ietf.org/mailman/listinfo/oauth
>     >
>     >
>
>

 
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth





_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--------------080706040004050302050001-- From nobody Sun Apr 27 17:42:39 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A6C91A0821 for ; Sun, 27 Apr 2014 17:42:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 2.499 X-Spam-Level: ** X-Spam-Status: No, score=2.499 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_IS_203=0.994] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YGRyEwwMeLiG for ; Sun, 27 Apr 2014 17:42:31 -0700 (PDT) Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) by ietfa.amsl.com (Postfix) with ESMTP id 48E8E1A06D8 for ; Sun, 27 Apr 2014 17:42:26 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.97,939,1389704400"; d="scan'208,217";a="209602615" Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipobvi.tcif.telstra.com.au with ESMTP; 28 Apr 2014 10:42:24 +1000 X-IronPort-AV: E=McAfee;i="5400,1158,7421"; a="218166364" Received: from wsmsg3702.srv.dir.telstra.com ([172.49.40.170]) by ipcbvi.tcif.telstra.com.au with ESMTP; 28 Apr 2014 10:42:24 +1000 Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3702.srv.dir.telstra.com ([172.49.40.170]) with mapi; Mon, 28 Apr 2014 10:42:23 +1000 From: "Manger, James" To: "oauth@ietf.org" , Torsten Lodderstedt , John Bradley , Brian Campbell Date: Mon, 28 Apr 2014 10:34:40 +1000 Thread-Topic: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue Thread-Index: Ac9h/u3vQZvwJo0oRJuQg7CxtNhQDAAcsTAA Message-ID: <255B9BB34FB7D647A506DC292726F6E11545569E2D@WSMSG3153V.srv.dir.telstra.com> References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> <2DE29BE5-8E48-42E1-96AE-D92336AF66B8@ve7jtb.com> <535CD425.7080506@lodderstedt.net> In-Reply-To: <535CD425.7080506@lodderstedt.net> Accept-Language: en-US, en-AU Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US, en-AU Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E11545569E2DWSMSG3153Vsrv_" MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/JunWlUpaCPt_-KTmiWAJShsqwQk Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 00:42:34 -0000 --_000_255B9BB34FB7D647A506DC292726F6E11545569E2DWSMSG3153Vsrv_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 U2F5aW5nIOKAnHN1YuKAnSBNVVNUIGJlIHByZXNlbnQgbWlnaHQgc2ltcGxpZnkgYSBzcGVjLCBi dXQgb25seSBhdCB0aGUgY29zdCBvZiBjb21wcm9taXNpbmcgdGhlIG1lYW5pbmcgb2YgbWVzc2Fn ZXMuDQoNCuKAnHN1YuKAnSBzb21ldGltZXMgaG9sZHMgYW4gaWRlbnRpZmllciBmb3IgYSBzdWJq ZWN0IHRoYXQgaXMgdW5hbWJpZ3VvdXMgaW4gdGhlIGNvbnRleHQgb2YgdGhlIGlzc3Vlci4gVGhh dCBpcywgYW4gYWNjb3VudCBuZWVkcyB0byBiZSBpZGVudGlmaWVkIGJ5IHRoZSB0dXBsZSB7aXNz LCBzdWJ9Lg0KDQrigJxzdWLigJ0gc29tZXRpbWVzIGhvbGRzIGFuIGlkZW50aWZpZXIgZm9yIGEg c3ViamVjdCB0aGF0IGlzIGdsb2JhbGx5IHVuYW1iaWd1b3VzLiBUaGF0IGlzLCDigJxzdWLigJ0g YWxvbmUgaXMgc3VmZmljaWVudCB0byBpZGVudGlmeSBhbiBhY2NvdW50LiBBbiB1bnN0YXRlZCBh c3N1bXB0aW9uIGlzIHRoYXQgYWxsIOKAnHN1YuKAnSB2YWx1ZXMgdGhhdCBtaWdodCBiZSBjb21w YXJlZCBuZWVkIHRvIGNvbWUgZnJvbSB0aGUgc2FtZSAodW5pZGVudGlmaWVkKSBuYW1lc3BhY2Uu DQoNCuKAnHN1YuKAnSBzb21ldGltZXMgaG9sZHMgYW4gZXBoZW1lcmFsIHBzZXVkb255bSAoZWcg cmFuZG9tIGdhcmJhZ2UpLg0KDQrigJxzdWLigJ0gc29tZXRpbWVzIGhvbGRzIGEgZml4ZWQgc3Ry aW5nIHN1Y2ggYXMg4oCcYW5vbnltb3Vz4oCdICh3aXRoIGRpZmZlcmVudCBpc3N1ZXJzIGNob29z aW5nIGRpZmZlcmVudCBzdHJpbmdzKS4gQXNzdW1pbmcgdGhlIHR1cGxlIHtpc3MsIHN1Yn0gaWRl bnRpZmllcyBhbiBhY2NvdW50IHdvdWxkIGJlIHBvc2l0aXZlbHkgZGFuZ2Vyb3VzIGluIHRoaXMg Y2FzZS4NCg0K4oCcc3Vi4oCdIHNvbWV0aW1lcyBob2xkcyBhIGZpbmdlcnByaW50IG9mIGEgcHVi bGljIGtleS4g4oCcc3Vi4oCdIGlzIHRoZW4gcmVkdW5kYW50IGFzIGl0IGNhbiBiZSByZWNhbGN1 bGF0ZWQgZnJvbSB0aGUga2V5LiBUaGF0IGludHJvZHVjZXMgdGhlIGNoYW5jZSB0aGF0IHNvbWUg Y29tcG9uZW50IHVzZXMg4oCcc3Vi4oCdIHdpdGhvdXQgY29uZmlybWluZyBpdCBtYXRjaGVzIHRo ZSBrZXkgdGhhdCBpcyBsaWtlbHkgdG8gaW50cm9kdWNlIHNlY3VyaXR5IHZ1bG5lcmFiaWxpdGll cy4NCg0KQSDigJxzdWLigJ0gdmFsdWUgaXMgc29tZXRpbWVzIOKAnHVuaXF1ZeKAnSBpbiBpdHMg Y29udGV4dCBbZHJhZnQtaWV0Zi1vYXV0aC1qc29uLXdlYi10b2tlbi0xOSNzZWN0aW9uLTQuMS4y IF0sIHdoaWNoIEkgaW50ZXJwcmV0IGFzIG1lYW5pbmcgaXQgaXMgdGhlIHN1YmplY3TigJlzIG9u ZSBhbmQgb25seSBpZGVudGlmaWVyLiBJIHN1c3BlY3QgaW4gcHJhY3RpY2Ug4oCcc3Vi4oCdIHdp bGwgb2Z0ZW4gYmUg4oCcdW5hbWJpZ3VvdXPigJ0sIGJ1dCBub3QgbmVjZXNzYXJpbHkg4oCcdW5p cXVl4oCdLiBUaGF0IGlzLCBhbiBhY2NvdW50IG1pZ2h0IGhhdmUgbXVsdGlwbGUg4oCcc3Vi4oCd IHZhbHVlcyBhc3NvY2lhdGVkIHdpdGggaXQgKGR1ZSB0byBhY2NvdW50IG1lcmdlcywga2V5IGNo YW5nZXMsIHN5c3RlbSByZWRlc2lnbnMsIGFsaWFzZXPigKYpLg0KDQoNCk1ha2luZyDigJxzdWLi gJ0gbWFuZGF0b3J5IHNlZW1zIHRvIG1ha2UgdGhpcyBtZXNzIHdvcnNlLg0KV2Ugd291bGQgYmUg YmV0dGVyIHdpdGggZGlzdGluY3QgImlzdWIiLCAiZ3N1YiIsICJwc3ViIiwgImFzdWIiOm51bGws ICJrc3ViIiwgYW5kICJ1bmlxdWUiOnRydWUgZWxlbWVudHMgc28gdGhlIHNlbWFudGljcyBhcmUg Y2xlYXIuDQoNCi0tDQpKYW1lcyBNYW5nZXINCg0KRnJvbTogT0F1dGggW21haWx0bzpvYXV0aC1i b3VuY2VzQGlldGYub3JnXSBPbiBCZWhhbGYgT2YgVG9yc3RlbiBMb2RkZXJzdGVkdA0KU2VudDog U3VuZGF5LCAyNyBBcHJpbCAyMDE0IDc6NTYgUE0NClRvOiBKb2huIEJyYWRsZXk7IEJyaWFuIENh bXBiZWxsDQpDYzogb2F1dGhAaWV0Zi5vcmcNClN1YmplY3Q6IFJlOiBbT0FVVEgtV0ddIGRyYWZ0 LWlldGYtb2F1dGgtand0LWJlYXJlci0wOCAmIHN1YmplY3QgaXNzdWUNCg0KKzENCg0KKHdlIGFj dHVhbGx5IHVzZSBhIHN1YiB2YWx1ZSBvZiAiYW5vbnltb3VzIiBpbiBvdXIgaWQgdG9rZW5zIGlu IGNhc2UgYWdlIHZlcmlmaWNhdGlvbiwgaWYgd2UgZG8gbm90IHdhbnQgdG8gZGlzY2xvc2UgdGhl IHVzZXIncyBpZGVudGl0eSB0byB0aGUgUlApDQpBbSAyNS4wNC4yMDE0IDIyOjExLCBzY2hyaWVi IEpvaG4gQnJhZGxleToNCkkgYW0gT0sgd2l0aCB0aGF0Lg0KDQpPbiBBcHIgMjUsIDIwMTQsIGF0 IDQ6NTcgUE0sIEJyaWFuIENhbXBiZWxsIDxiY2FtcGJlbGxAcGluZ2lkZW50aXR5LmNvbTxtYWls dG86YmNhbXBiZWxsQHBpbmdpZGVudGl0eS5jb20+PiB3cm90ZToNCg0KDQpJIGFic29sdXRlbHkg YWdyZWUgd2l0aCBhbHdheXMgcmVxdWlyaW5nIGJvdGggaXNzdWVyIGFuZCBzdWJqZWN0IGFuZCB0 aGF0IGRvaW5nIHNvIGtlZXBzIHRoZSBzcGVjcyBzaW1wbGVyIGFuZCBpcyBsaWtlbHkgdG8gaW1w cm92ZSBpbnRlcm9wZXJhYmlsaXR5Lg0KSG93ZXZlciwgd2l0aG91dCBjaGFuZ2luZyB0aGF0LCBw ZXJoYXBzIHNvbWUgb2YgdGhlIHRleHQgaW4gdGhlIGRvY3VtZW50KHMpIGNvdWxkIGJlIGltcHJv dmVkIGEgYml0LiBIZXJlJ3MgYSByb3VnaCBwcm9wb3NhbDoNCg0KQ2hhbmdlIHRoZSB0ZXh0IG9m IHRoZSBzZWNvbmQgYnVsbGV0IGluIGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWll dGYtb2F1dGgtYXNzZXJ0aW9ucy0xNSNzZWN0aW9uLTUuMiB0bw0KIlRoZSBhc3NlcnRpb24gTVVT VCBjb250YWluIGEgU3ViamVjdC4gVGhlIFN1YmplY3QgdHlwaWNhbGx5IGlkZW50aWZpZXMgYW4g YXV0aG9yaXplZCBhY2Nlc3NvciBmb3Igd2hpY2ggdGhlIGFjY2VzcyB0b2tlbiBpcyBiZWluZyBy ZXF1ZXN0ZWQgKGkuZS4gdGhlIHJlc291cmNlIG93bmVyLCBvciBhbiBhdXRob3JpemVkIGRlbGVn YXRlKSBidXQsIGluIHNvbWUgY2FzZXMsIG1heSBiZSBhIHBzZXVkb255bSBvciBvdGhlciB2YWx1 ZSBkZW5vdGluZyBhbiBhbm9ueW1vdXMgdXNlci4gV2hlbiB0aGUgY2xpZW50IGlzIGFjdGluZyBv biBiZWhhbGYgb2YgaXRzZWxmLCB0aGUgU3ViamVjdCBNVVNUIGJlIHRoZSB2YWx1ZSBvZiB0aGUg Y2xpZW50J3MgY2xpZW50X2lkLiINCg0KQW5kIGFsc28gY2hhbmdlIGh0dHA6Ly90b29scy5pZXRm Lm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtYXNzZXJ0aW9ucy0xNSNzZWN0aW9uLTYuMy4xIHRv DQoiV2hlbiBhIGNsaWVudCBpcyBhY2Nlc3NpbmcgcmVzb3VyY2VzIG9uIGJlaGFsZiBvZiBhbiBh bm9ueW1vdXMgdXNlciwgYSBtdXR1YWxseSBhZ3JlZWQgdXBvbiBTdWJqZWN0IGlkZW50aWZpZXIg aW5kaWNhdGluZyBhbm9ueW1pdHkgaXMgdXNlZC4gVGhlIFN1YmplY3QgdmFsdWUgbWlnaHQgYmUg YW4gYWdyZWVkIHVwb24gc3RhdGljIHZhbHVlIGluZGljYXRpbmcgYW4gYW5vbnltb3VzIHVzZXIg b3IgYW4gb3BhcXVlIHBlcnNpc3RlbnQgb3IgdHJhbnNpZW50IHBzZXVkb255bSBmb3IgdGhlIHVz ZXIgbWF5IGFsc28gYmUgdXRpbGl6ZWQuIFRoZSBhdXRob3JpemF0aW9uIG1heSBiZSBiYXNlZCB1 cG9uIGFkZGl0aW9uYWwgY3JpdGVyaWEsIHN1Y2ggYXMgYWRkaXRpb25hbCBhdHRyaWJ1dGVzIG9y IGNsYWltcyBwcm92aWRlZCBpbiB0aGUgYXNzZXJ0aW9uLiBGb3IgZXhhbXBsZSwgYSBjbGllbnQg bWF5IHByZXNlbnQgYW4gYXNzZXJ0aW9uIGZyb20gYSB0cnVzdGVkIGlzc3VlciBhc3NlcnRpbmcg dGhhdCB0aGUgYmVhcmVyIGlzIG92ZXIgMTggdmlhIGFuIGluY2x1ZGVkIGNsYWltLiBJbiB0aGlz IGNhc2UsIG5vIGFkZGl0aW9uYWwgaW5mb3JtYXRpb24gYWJvdXQgdGhlIHVzZXIncyBpZGVudGl0 eSBpcyBpbmNsdWRlZCwgeWV0IGFsbCB0aGUgZGF0YSBuZWVkZWQgdG8gaXNzdWUgYW4gYWNjZXNz IHRva2VuIGlzIHByZXNlbnQuIg0KDQpBbmQgbWF5YmUgYWxzbyBjaGFuZ2UgdGhlIHN1YmplY3Qg dGV4dCBpbiBTQU1MIGFuZCBKV1QgKGl0ZW0gIzIgaW4gaHR0cDovL3Rvb2xzLmlldGYub3JnL2h0 bWwvZHJhZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyLTA4I3NlY3Rpb24tMyBhbmQgaHR0cDovL3Rv b2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1vYXV0aC1zYW1sMi1iZWFyZXItMTkjc2VjdGlv bi0zKSB0byByZWFkIGEgbGl0dGxlIG1vcmUgbGlrZSB0aGUgbmV3IHByb3Bvc2VkIHRleHQgYWJv dmUgZm9yIHNlY3Rpb24gNS4yIG9mIHRoZSBBc3NlcnRpb24gRnJhbWV3b3JrIGRyYWZ0Lg0KV291 bGQgdGhhdCBzaXQgYW55IGJldHRlciB3aXRoIHlvdSwgSGFubmVzPyBUaG91Z2h0cyBmcm9tIG90 aGVycyBpbiB0aGUgV0c/DQoNCk9uIEZyaSwgQXByIDI1LCAyMDE0IGF0IDE6MDggUE0sIEpvaG4g QnJhZGxleSA8dmU3anRiQHZlN2p0Yi5jb208bWFpbHRvOnZlN2p0YkB2ZTdqdGIuY29tPj4gd3Jv dGU6DQpBZ3JlZWQuDQoNCk9uIEFwciAyNSwgMjAxNCwgYXQgMzowNyBQTSwgTWlrZSBKb25lcyA8 TWljaGFlbC5Kb25lc0BtaWNyb3NvZnQuY29tPG1haWx0bzpNaWNoYWVsLkpvbmVzQG1pY3Jvc29m dC5jb20+PiB3cm90ZToNCg0KSSBhZ3JlZS4gIFdl4oCZZCBhbHJlYWR5IGRpc2N1c3NlZCB0aGlz IHByZXR0eSBleHRlbnNpdmVseSBhbmQgcmVhY2hlZCB0aGUgY29uY2x1c2lvbiB0aGF0IGFsd2F5 cyByZXF1aXJpbmcgYm90aCBhbiBpc3N1ZXIgYW5kIGEgc3ViamVjdCBib3RoIGtlcHQgdGhlIHNw ZWNzIHNpbXBsZXIgYW5kIHdhcyBsaWtlbHkgdG8gaW1wcm92ZSBpbnRlcm9wZXJhYmlsaXR5Lg0K DQpJdOKAmXMgZW50aXJlbHkgdXAgdG8gdGhlIGFwcGxpY2F0aW9uIHByb2ZpbGUgd2hhdCB0aGUg Y29udGVudHMgb2YgdGhlIGlzc3VlciBhbmQgdGhlIHN1YmplY3QgZmllbGRzIGFyZSBhbmQgc28g SSBkb27igJl0IHRoaW5rIHdlIG5lZWQgdG8gZnVydGhlciBzcGVjaWZ5IHRoZWlyIGNvbnRlbnRz IGJleW9uZCB3aGF04oCZcyBhbHJlYWR5IGluIHRoZSBzcGVjcy4NCg0KICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLS0gTWlrZQ0KDQpG cm9tOiBPQXV0aCBbbWFpbHRvOm9hdXRoLWJvdW5jZXNAaWV0Zi5vcmddIE9uIEJlaGFsZiBPZiBC cmlhbiBDYW1wYmVsbA0KU2VudDogRnJpZGF5LCBBcHJpbCAyNSwgMjAxNCAxMDoxNyBBTQ0KVG86 IEhhbm5lcyBUc2Nob2ZlbmlnDQpDYzogb2F1dGhAaWV0Zi5vcmc8bWFpbHRvOm9hdXRoQGlldGYu b3JnPg0KU3ViamVjdDogUmU6IFtPQVVUSC1XR10gZHJhZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVy LTA4ICYgc3ViamVjdCBpc3N1ZQ0KDQpJIGJlbGlldmUsIGZyb20gdGhlIHRocmVhZCByZWZlcmVu Y2VkIGVhcmxpZXIgYW5kIHByaW9yIGRpc2N1c3Npb24gYW5kIGRyYWZ0IHRleHQsIHRoYXQgdGhl IFdHIGhhcyByZWFjaGVkIChyb3VnaCkgY29uc2Vuc3VzIHRvIHJlcXVpcmUgdGhlIHN1YmplY3Qg Y2xhaW0uIFNvIHRleHQgdGhhdCBzYXlzICJTdWJqZWN0IGVsZW1lbnQgTVVTVCBOT1QgYmUgaW5j bHVkZWQiIGlzbid0IHdvcmthYmxlLg0KSXQgc2VlbXMgd2hhdCdzIG5lZWRlZCBoZXJlIGlzIHNv bWUgYmV0dGVyIGV4cGxhbmF0aW9uIG9mIGhvdywgaW4gY2FzZXMgdGhhdCBuZWVkIGl0LCB0aGUg dmFsdWUgb2YgdGhlIHN1YmplY3QgY2FuIGJlIHBvcHVsYXRlZCB3aXRob3V0IHVzaW5nIGEgUElJ IHR5cGUgdmFsdWUuIEEgc2ltcGxlIHN0YXRpYyB2YWx1ZSBsaWtlICJBTk9OWU1PVVMtU1VCSkVD VCIgY291bGQgYmUgdXNlZC4gT3IsIG1vcmUgbGlrZWx5LCBzb21lIGtpbmQgb2YgcGFpcndpc2Ug cGVyc2lzdGVudCBwc2V1ZG9ueW1vdXMgaWRlbnRpZmllciB3b3VsZCBiZSB1dGlsaXplZCwgd2hp Y2ggd291bGQgbm90IGRpcmVjdGx5IGlkZW50aWZ5IHRoZSBzdWJqZWN0IGJ1dCB3b3VsZCBhbGxv dyB0aGUgcmVseWluZyBwYXJ0eSB0byByZWNvZ25pemUgdGhlIHNhbWUgc3ViamVjdCBvbiBzdWJz ZXF1ZW50IHRyYW5zYWN0aW9ucy4gQSB0cmFuc2llbnQgcHNldWRvbnltIG1pZ2h0IGFsc28gYmUg YXBwcm9wcmlhdGUgaW4gc29tZSBjYXNlcy4gQW5kIGFueSBvZiB0aG9zZSBhcHByb2FjaGVzIGNv dWxkIGJlIHVzZWQgd2l0aCBvciB3aXRob3V0IGFkZGl0aW9uYWwgY2xhaW1zIChsaWtlIGFnZSA+ IDE4IG9yIG1lbWJlcnNoaXAgaW4gc29tZSBncm91cCkgdGhhdCBnZXQgdXNlZCB0byBtYWtlIGFu IGF1dGhvcml6YXRpb24gZGVjaXNpb24uDQpJIHdhc24ndCBzdXJlIGV4YWN0bHkgaG93IHRvIGFy dGljdWxhdGUgYWxsIHRoYXQgaW4gdGV4dCBmb3IgdGhlIGRyYWZ0KHMpIGJ1dCB0aGF0J3MgbW9y ZSBvZiB3aGF0IEkgd2FzIGFza2luZyBmb3Igd2hlbiBJIGFza2VkIGlmIHlvdSBjb3VsZCBwcm9w b3NlIHNvbWUgdGV4dC4NCg0KDQoNCk9uIFRodSwgQXByIDI0LCAyMDE0IGF0IDY6NDggQU0sIEhh bm5lcyBUc2Nob2ZlbmlnIDxoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0PG1haWx0bzpoYW5uZXMu dHNjaG9mZW5pZ0BnbXgubmV0Pj4gd3JvdGU6DQpIaSBCcmlhbiwNCg0KVGhhbmtzIGZvciBwb2lu dGluZyB0byB0aGUgYXNzZXJ0aW9uIGZyYW1ld29yayBkb2N1bWVudC4gUmUtcmVhZGluZyB0aGUN CnRleHQgaXQgYXBwZWFycyB0aGF0IHdlIGhhdmUgbGlzdGVkIHRoZSBjYXNlIHRoYXQgaW4gU2Vj dGlvbiA2LjMuMSBidXQNCmhhdmUgZm9yZ290dGVuIHRvIGNvdmVyIGl0IGVsc2V3aGVyZSBpbiB0 aGUgZG9jdW1lbnQuDQoNCg0KSW4gU2VjdGlvbiA2LjMuMSB3ZSBzYXk6DQoNCiINCg0KNi4zLjEu ICBDbGllbnQgQWN0aW5nIG9uIEJlaGFsZiBvZiBhbiBBbm9ueW1vdXMgVXNlcg0KDQogICBXaGVu IGEgY2xpZW50IGlzIGFjY2Vzc2luZyByZXNvdXJjZXMgb24gYmVoYWxmIG9mIGFuIGFub255bW91 cyB1c2VyLA0KICAgdGhlIFN1YmplY3QgaW5kaWNhdGVzIHRvIHRoZSBBdXRob3JpemF0aW9uIFNl cnZlciB0aGF0IHRoZSBjbGllbnQgaXMNCiAgIGFjdGluZyBvbi1iZWhhbGYgb2YgYW4gYW5vbnlt b3VzIHVzZXIgYXMgZGVmaW5lZCBieSB0aGUgQXV0aG9yaXphdGlvbg0KICAgU2VydmVyLiAgSXQg aXMgaW1wbGllZCB0aGF0IGF1dGhvcml6YXRpb24gaXMgYmFzZWQgdXBvbiBhZGRpdGlvbmFsDQog ICBjcml0ZXJpYSwgc3VjaCBhcyBhZGRpdGlvbmFsIGF0dHJpYnV0ZXMgb3IgY2xhaW1zIHByb3Zp ZGVkIGluIHRoZQ0KICAgYXNzZXJ0aW9uLiAgRm9yIGV4YW1wbGUsIGEgY2xpZW50IG1heSBwcmVz ZW50IGFuIGFzc2VydGlvbiBmcm9tIGENCiAgIHRydXN0ZWQgaXNzdWVyIGFzc2VydGluZyB0aGF0 IHRoZSBiZWFyZXIgaXMgb3ZlciAxOCB2aWEgYW4gaW5jbHVkZWQNCiAgIGNsYWltLg0KDQoqKioq Kg0KICAgIEluIHRoaXMgY2FzZSwgbm8gYWRkaXRpb25hbCBpbmZvcm1hdGlvbiBhYm91dCB0aGUg dXNlcidzDQogICBpZGVudGl0eSBpcyBpbmNsdWRlZCwgeWV0IGFsbCB0aGUgZGF0YSBuZWVkZWQg dG8gaXNzdWUgYW4gYWNjZXNzDQogICB0b2tlbiBpcyBwcmVzZW50Lg0KKioqKioNCiINCihJIG1h cmtlZCB0aGUgcmVsZXZhbnQgcGFydCB3aXRoICcqKionKQ0KDQoNCkluIFNlY3Rpb24gNS4yLCBo b3dldmVyLCB3ZSBzYXk6DQoNCg0KICAgbyAgVGhlIGFzc2VydGlvbiBNVVNUIGNvbnRhaW4gYSBT dWJqZWN0LiAgVGhlIFN1YmplY3QgaWRlbnRpZmllcyBhbg0KICAgICAgYXV0aG9yaXplZCBhY2Nl c3NvciBmb3Igd2hpY2ggdGhlIGFjY2VzcyB0b2tlbiBpcyBiZWluZyByZXF1ZXN0ZWQNCiAgICAg ICh0eXBpY2FsbHkgdGhlIHJlc291cmNlIG93bmVyLCBvciBhbiBhdXRob3JpemVkIGRlbGVnYXRl KS4gIFdoZW4NCiAgICAgIHRoZSBjbGllbnQgaXMgYWN0aW5nIG9uIGJlaGFsZiBvZiBpdHNlbGYs IHRoZSBTdWJqZWN0IE1VU1QgYmUgdGhlDQogICAgICB2YWx1ZSBvZiB0aGUgY2xpZW50J3MgImNs aWVudF9pZCIuDQoNCg0KV2hhdCB3ZSBzaG91bGQgaGF2ZSBkb25lIGluIFNlY3Rpb24gNS4yIGlz IHRvIGV4cGFuZCB0aGUgY2FzZXMgaW5saW5lDQp3aXRoIHdoYXQgd2UgaGF2ZSB3cml0dGVuIGlu IFNlY3Rpb24gNi4NCg0KSGVyZSBpcyBteSBwcm9wb3NlZCB0ZXh0Og0KDQoiDQpvICBUaGUgYXNz ZXJ0aW9uIE1VU1QgY29udGFpbiBhIFN1YmplY3QuICBUaGUgU3ViamVjdCBpZGVudGlmaWVzIGFu DQphdXRob3JpemVkIGFjY2Vzc29yIGZvciB3aGljaCB0aGUgYWNjZXNzIHRva2VuIGlzIGJlaW5n IHJlcXVlc3RlZA0KKHR5cGljYWxseSB0aGUgcmVzb3VyY2Ugb3duZXIsIG9yIGFuIGF1dGhvcml6 ZWQgZGVsZWdhdGUpLg0KV2hlbiB0aGUgY2xpZW50IGlzIGFjdGluZyBvbiBiZWhhbGYgb2YgaXRz ZWxmLCBhcyBkZXNjcmliZWQgaW4gU2VjdGlvbg0KNi4xIGFuZCBTZWN0aW9uIDYuMiwgdGhlIFN1 YmplY3QgTVVTVCBiZSB0aGUgdmFsdWUgb2YgdGhlIGNsaWVudCdzDQoiY2xpZW50X2lkIi4NCg0K V2hlbiB0aGUgY2xpZW50IGlzIGFjdGluZyBvbiBiZWhhbGYgb2YgYW4gdXNlciwgYXMgZGVzY3Jp YmVkIGluIFNlY3Rpb24NCjYuMywgdGhlIFN1YmplY3QgZWxlbWVudCBNVVNUIGJlIGluY2x1ZGVk IGluIHRoZSBhc3NlcnRpb24gYW5kDQppZGVudGlmaWVzIGFuIGF1dGhvcml6ZWQgYWNjZXNzb3Ig Zm9yIHdoaWNoIHRoZSBhY2Nlc3MgdG9rZW4gaXMgYmVpbmcNCnJlcXVlc3RlZC4NCg0KV2hlbiB0 aGUgY2xpZW50IGlzIGFjdGluZyBvbiBiZWhhbGYgb2YgYW4gYW5vbnltb3VzIHVzZXIsIGFzIGRl c2NyaWJlZA0KaW4gU2VjdGlvbiA2LjMuMSwgdGhlIFN1YmplY3QgZWxlbWVudCBNVVNUIE5PVCBi ZSBpbmNsdWRlZCBpbiB0aGUNCmFzc2VydGlvbi4gT3RoZXIgZWxlbWVudHMgd2l0aGluIHRoZSBh c3NlcnRpb24gd2lsbCwgaG93ZXZlciwgcHJvdmlkZQ0KZW5vdWdoIGluZm9ybWF0aW9uIGZvciB0 aGUgYXV0aG9yaXphdGlvbiBzZXJ2ZXIgdG8gbWFrZSBhbiBhdXRob3JpemF0aW9uDQpkZWNpc2lv bi4NCiINCg0KRG9lcyB0aGlzIG1ha2Ugc2Vuc2UgdG8geW91Pw0KDQpDaWFvDQpIYW5uZXMNCg0K DQpPbiAwNC8yNC8yMDE0IDAyOjMwIFBNLCBCcmlhbiBDYW1wYmVsbCB3cm90ZToNCj4gVGhlcmUg aXMgc29tZSBkaXNjdXNzaW9uIG9mIHRoYXQgY2FzZSBpbiB0aGUgYXNzZXJ0aW9uIGZyYW1ld29y aw0KPiBkb2N1bWVudCBhdA0KPiBodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRm LW9hdXRoLWFzc2VydGlvbnMtMTUjc2VjdGlvbi02LjMuMQ0KPg0KPiBEbyB5b3UgZmVlbCB0aGF0 IG1vcmUgaXMgbmVlZGVkPyBJZiBzbywgY2FuIHlvdSBwcm9wb3NlIHNvbWUgdGV4dD8NCj4NCj4N Cj4gT24gVGh1LCBBcHIgMjQsIDIwMTQgYXQgMTowOSBBTSwgSGFubmVzIFRzY2hvZmVuaWcNCj4g PGhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQ8bWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5u ZXQ+IDxtYWlsdG86aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldDxtYWlsdG86aGFubmVzLnRzY2hv ZmVuaWdAZ214Lm5ldD4+PiB3cm90ZToNCj4NCj4gICAgIEhpIEJyaWFuLA0KPg0KPiAgICAgSSBy ZWFkIHRocm91Z2ggdGhlIHRocmVhZCBhbmQgdGhlIEdvb2dsZSBjYXNlIGlzIGEgYml0IGRpZmZl cmVudCBzaW5jZQ0KPiAgICAgdGhleSBhcmUgdXNpbmcgdGhlIGNsaWVudCBhdXRoZW50aWNhdGlv biBwYXJ0IG9mIHRoZSBKV1QgYmVhcmVyIHNwZWMuDQo+ICAgICBUaGVyZSBJIGRvbid0IHNlZSB0 aGUgcHJpdmFjeSBjb25jZXJucyBlaXRoZXIuDQo+DQo+ICAgICBJIGFtLCBob3dldmVyLCBmb2N1 c2VkIG9uIHRoZSBhdXRob3JpemF0aW9uIGdyYW50IHdoZXJlIHRoZSBzdWJqZWN0IGlzDQo+ICAg ICBpbiBtb3N0IGNhc2VzIHRoZSByZXNvdXJjZSBvd25lci4NCj4NCj4gICAgIEl0IGlzIHBvc3Np YmxlIHRvIHB1dCBnYXJiYWdlIGludG8gdGhlIHN1YmplY3QgZWxlbWVudCB3aGVuIHByaXZhY3kN Cj4gICAgIHByb3RlY3Rpb24gaXMgbmVlZGVkIGZvciB0aGUgcmVzb3VyY2Ugb3duZXIgY2FzZSBi dXQgdGhhdCB3b3VsZCBuZWVkIHRvDQo+ICAgICBiZSBkZXNjcmliZWQgaW4gdGhlIGRvY3VtZW50 OyBjdXJyZW50bHkgaXQgaXMgbm90IHRoZXJlLg0KPg0KPiAgICAgQ2lhbw0KPiAgICAgSGFubmVz DQo+DQo+DQo+ICAgICBPbiAwNC8yNC8yMDE0IDEyOjM3IEFNLCBCcmlhbiBDYW1wYmVsbCB3cm90 ZToNCj4gICAgID4gVGhhdCB0aHJlYWQgdGhhdCBBbnRvbmlvIHN0YXJ0ZWQgd2hpY2ggeW91IHJl ZmVyZW5jZSB3ZW50IG9uIGZvciBzb21lDQo+ICAgICA+IHRpbWUNCj4gICAgID4NCj4gICAgICho dHRwOi8vd3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93ZWIvb2F1dGgvY3VycmVudC90aHJlYWRz Lmh0bWwjMTI1MjApDQo+ICAgICA+IGFuZCBzZWVtcyB0byBoYXZlIHJlYWNoZWQgY29uc2Vuc3Vz IHRoYXQgdGhlIHNwZWMgZGlkbid0IG5lZWQNCj4gICAgIG5vcm1hdGl2ZQ0KPiAgICAgPiBjaGFu Z2UgYW5kIHRoYXQgc3VjaCBwcml2YWN5IGNhc2VzIG9yIG90aGVyIGNhc2VzIHdoaWNoIGRpZG4n dA0KPiAgICAgPiBleHBsaWNpdGx5IG5lZWQgYSBzdWJqZWN0IGlkZW50aWZpZXIgd291bGQgYmUg bW9yZSBhcHByb3ByaWF0ZWx5IGRlYWx0DQo+ICAgICA+IHdpdGggaW4gYXBwbGljYXRpb24gbG9n aWM6DQo+ICAgICA+IGh0dHA6Ly93d3cuaWV0Zi5vcmcvbWFpbC1hcmNoaXZlL3dlYi9vYXV0aC9j dXJyZW50L21zZzEyNTM4Lmh0bWwNCj4gICAgID4NCj4gICAgID4NCj4gICAgID4NCj4gICAgID4N Cj4gICAgID4gT24gV2VkLCBBcHIgMjMsIDIwMTQgYXQgMjozOSBBTSwgSGFubmVzIFRzY2hvZmVu aWcNCj4gICAgID4gPGhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQ8bWFpbHRvOmhhbm5lcy50c2No b2ZlbmlnQGdteC5uZXQ+IDxtYWlsdG86aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldDxtYWlsdG86 aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldD4+DQo+ICAgICA8bWFpbHRvOmhhbm5lcy50c2Nob2Zl bmlnQGdteC5uZXQ8bWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQ+DQo+ICAgICA8bWFp bHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQ8bWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdt eC5uZXQ+Pj4+IHdyb3RlOg0KPiAgICAgPg0KPiAgICAgPiAgICAgSGkgYWxsLA0KPiAgICAgPg0K PiAgICAgPiAgICAgaW4gcHJlcGFyaW5nIHRoZSBzaGVwaGVyZCB3cml0ZS11cCBmb3INCj4gICAg IGRyYWZ0LWlldGYtb2F1dGgtand0LWJlYXJlci0wOCBJDQo+ICAgICA+ICAgICBoYWQgdG8gcmV2 aWV3IG91ciByZWNlbnQgZW1haWwgY29udmVyc2F0aW9ucyBhbmQgdGhlIGlzc3VlDQo+ICAgICBy YWlzZWQgYnkNCj4gICAgID4gICAgIEFudG9uaW8gaW4NCj4gICAgID4NCj4gICAgIGh0dHA6Ly93 d3cuaWV0Zi5vcmcvbWFpbC1hcmNoaXZlL3dlYi9vYXV0aC9jdXJyZW50L21zZzEyNTIwLmh0bWwg YmVsb25nDQo+ICAgICA+ICAgICB0byBpdC4NCj4gICAgID4NCj4gICAgID4gICAgIFRoZSBpc3N1 ZSB3YXMgdGhhdCBTZWN0aW9uIDMgb2YgZHJhZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyLTA4DQo+ ICAgICBzYXlzOg0KPiAgICAgPiAgICAgIg0KPiAgICAgPiAgICAgICAgMi4gICBUaGUgSldUIE1V U1QgY29udGFpbiBhICJzdWIiIChzdWJqZWN0KSBjbGFpbQ0KPiAgICAgaWRlbnRpZnlpbmcgdGhl DQo+ICAgICA+ICAgICAgICAgICAgIHByaW5jaXBhbCB0aGF0IGlzIHRoZSBzdWJqZWN0IG9mIHRo ZSBKV1QuICBUd28gY2FzZXMNCj4gICAgIG5lZWQgdG8gYmUNCj4gICAgID4gICAgICAgICAgICAg ZGlmZmVyZW50aWF0ZWQ6DQo+ICAgICA+DQo+ICAgICA+ICAgICAgICAgICAgIEEuICBGb3IgdGhl IGF1dGhvcml6YXRpb24gZ3JhbnQsIHRoZSBzdWJqZWN0IFNIT1VMRA0KPiAgICAgaWRlbnRpZnkg YW4NCj4gICAgID4gICAgICAgICAgICAgICAgIGF1dGhvcml6ZWQgYWNjZXNzb3IgZm9yIHdob20g dGhlIGFjY2VzcyB0b2tlbiBpcyBiZWluZw0KPiAgICAgPiAgICAgICAgICAgICAgICAgcmVxdWVz dGVkICh0eXBpY2FsbHkgdGhlIHJlc291cmNlIG93bmVyLCBvciBhbg0KPiAgICAgYXV0aG9yaXpl ZA0KPiAgICAgPiAgICAgICAgICAgICAgICAgZGVsZWdhdGUpLg0KPiAgICAgPg0KPiAgICAgPiAg ICAgICAgICAgICBCLiAgRm9yIGNsaWVudCBhdXRoZW50aWNhdGlvbiwgdGhlIHN1YmplY3QgTVVT VCBiZSB0aGUNCj4gICAgID4gICAgICAgICAgICAgICAgICJjbGllbnRfaWQiIG9mIHRoZSBPQXV0 aCBjbGllbnQuDQo+ICAgICA+ICAgICAiDQo+ICAgICA+DQo+ICAgICA+ICAgICBBbnRvbmlvIHBv aW50ZWQgdG8gdGhlIGN1cnJlbnQgR29vZ2xlIEFQSSB0byBpbGx1c3RyYXRlIHRoYXQNCj4gICAg IHRoZSBzdWJqZWN0DQo+ICAgICA+ICAgICBpcyBub3QgYWx3YXlzIG5lZWRlZC4gSGVyZSBpcyB0 aGUgR29vZ2xlIEFQSSBkb2N1bWVudGF0aW9uOg0KPiAgICAgPiAgICAgaHR0cHM6Ly9kZXZlbG9w ZXJzLmdvb2dsZS5jb20vYWNjb3VudHMvZG9jcy9PQXV0aDJTZXJ2aWNlQWNjb3VudA0KPiAgICAg Pg0KPiAgICAgPiAgICAgVGhlIEdvb2dsZSBBUEkgdXNlZCB0aGUgY2xpZW50IGF1dGhlbnRpY2F0 aW9uIHBhcnQgKHJhdGhlcg0KPiAgICAgdGhhbiB0aGUNCj4gICAgID4gICAgIGF1dGhvcml6YXRp b24gZ3JhbnQpLCBpbiBteSB1bmRlcnN0YW5kaW5nLg0KPiAgICAgPg0KPiAgICAgPiAgICAgSSBz dGlsbCBiZWxpZXZlIHRoYXQgdGhlIHN1YmplY3QgZmllbGQgaGFzIHRvIGJlIGluY2x1ZGVkIGZv cg0KPiAgICAgY2xpZW50DQo+ICAgICA+ICAgICBhdXRoZW50aWNhdGlvbiBidXQgSSBhbSBub3Qg c28gc3VyZSBhbnltb3JlIGFib3V0IHRoZQ0KPiAgICAgYXV0aG9yaXphdGlvbg0KPiAgICAgPiAg ICAgZ3JhbnQgc2luY2UgSSBjb3VsZCB2ZXJ5IHdlbGwgaW1hZ2luZSBjYXNlcyB3aGVyZSB0aGUg c3ViamVjdA0KPiAgICAgaXMgbm90DQo+ICAgICA+ICAgICBuZWVkZWQgZm9yIGF1dGhvcml6YXRp b24gZGVjaXNpb25zIGJ1dCBhbHNvIGZvciBwcml2YWN5IHJlYXNvbnMuDQo+ICAgICA+DQo+ICAg ICA+ICAgICBJIHdvdWxkIHRoZXJlZm9yZSBzdWdnZXN0IHRvIGNoYW5nZSB0aGUgdGV4dCBhcyBm b2xsb3dzOg0KPiAgICAgPg0KPiAgICAgPiAgICAgIg0KPiAgICAgPiAgICAgICAgMi4gICBUaGUg SldUIGNvbnRhaW5zIGEgInN1YiIgKHN1YmplY3QpIGNsYWltIGlkZW50aWZ5aW5nIHRoZQ0KPiAg ICAgPiAgICAgICAgICAgICBwcmluY2lwYWwgdGhhdCBpcyB0aGUgc3ViamVjdCBvZiB0aGUgSldU LiAgVHdvIGNhc2VzDQo+ICAgICBuZWVkIHRvIGJlDQo+ICAgICA+ICAgICAgICAgICAgIGRpZmZl cmVudGlhdGVkOg0KPiAgICAgPg0KPiAgICAgPiAgICAgICAgICAgICBBLiAgRm9yIHRoZSBhdXRo b3JpemF0aW9uIGdyYW50LCB0aGUgc3ViamVjdCBjbGFpbSBNQVkNCj4gICAgID4gICAgICAgICAg ICAgICAgIGJlIGluY2x1ZGVkLiBJZiBpdCBpcyBpbmNsdWRlZCBpdCBNVVNUIGlkZW50aWZ5IHRo ZQ0KPiAgICAgPiAgICAgICAgICAgICAgICAgYXV0aG9yaXplZCBhY2Nlc3NvciBmb3Igd2hvbSB0 aGUgYWNjZXNzIHRva2VuIGlzIGJlaW5nDQo+ICAgICA+ICAgICAgICAgICAgICAgICByZXF1ZXN0 ZWQgKHR5cGljYWxseSB0aGUgcmVzb3VyY2Ugb3duZXIsIG9yIGFuDQo+ICAgICBhdXRob3JpemVk DQo+ICAgICA+ICAgICAgICAgICAgICAgICBkZWxlZ2F0ZSkuIFJlYXNvbnMgZm9yIG5vdCBpbmNs dWRpbmcgdGhlIHN1YmplY3QgY2xhaW0NCj4gICAgID4gICAgICAgICAgICAgICAgIGluIHRoZSBK V1QgYXJlIGlkZW50aXR5IGhpZGluZyAoaS5lLiwgcHJpdmFjeQ0KPiAgICAgcHJvdGVjdGlvbg0K PiAgICAgPiAgICAgICAgICAgICAgICAgb2YgdGhlIGlkZW50aWZpZXIgb2YgdGhlIHN1YmplY3Qp IGFuZCBjYXNlcyB3aGVyZQ0KPiAgICAgPiAgICAgICAgICAgICAgICAgdGhlIGlkZW50aWZpZXIg b2YgdGhlIHN1YmplY3QgaXMgaXJyZWxldmFudCBmb3IgbWFraW5nDQo+ICAgICA+ICAgICAgICAg ICAgICAgICBhbiBhdXRob3JpemF0aW9uIGRlY2lzaW9uIGJ5IHRoZSByZXNvdXJjZSBzZXJ2ZXIu DQo+ICAgICA+DQo+ICAgICA+ICAgICAgICAgICAgIEIuICBGb3IgY2xpZW50IGF1dGhlbnRpY2F0 aW9uLCB0aGUgc3ViamVjdCBNVVNUIGJlIHRoZQ0KPiAgICAgPiAgICAgICAgICAgICAgICAgaW5j bHVkZWQgaW4gdGhlIEpXVCBhbmQgdGhlIHZhbHVlIE1VU1QgYmUgcG9wdWxhdGVkDQo+ICAgICA+ ICAgICAgICAgICAgICAgICB3aXRoIHRoZSAiY2xpZW50X2lkIiBvZiB0aGUgT0F1dGggY2xpZW50 Lg0KPiAgICAgPiAgICAgIg0KPiAgICAgPg0KPiAgICAgPiAgICAgV2hhdCBkbyB5b3UgZ3V5cyB0 aGluaz8NCg0KDQo= --_000_255B9BB34FB7D647A506DC292726F6E11545569E2DWSMSG3153Vsrv_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu dD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij48bWV0YSBuYW1lPUdlbmVyYXRvciBjb250ZW50 PSJNaWNyb3NvZnQgV29yZCAxMiAoZmlsdGVyZWQgbWVkaXVtKSI+PHN0eWxlPjwhLS0NCi8qIEZv bnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6IkNhbWJyaWEgTWF0 aCI7DQoJcGFub3NlLTE6MiA0IDUgMyA1IDQgNiAzIDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQt ZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAyIDQ7fQ0KQGZvbnQt ZmFjZQ0KCXtmb250LWZhbWlseTpUYWhvbWE7DQoJcGFub3NlLTE6MiAxMSA2IDQgMyA1IDQgNCAy IDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseTpDb25zb2xhczsNCglwYW5vc2UtMToyIDEx IDYgOSAyIDIgNCAzIDIgNDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5Nc29Ob3JtYWws IGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGNtOw0KCW1hcmdpbi1ib3R0 b206LjAwMDFwdDsNCglmb250LXNpemU6MTIuMHB0Ow0KCWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcg Um9tYW4iLCJzZXJpZiI7DQoJY29sb3I6YmxhY2s7fQ0KYTpsaW5rLCBzcGFuLk1zb0h5cGVybGlu aw0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0LWRlY29yYXRp b246dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xsb3dlZA0KCXtt c28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxlOw0KCXRleHQtZGVjb3JhdGlvbjp1 bmRlcmxpbmU7fQ0KcHJlDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGlu azoiSFRNTCBQcmVmb3JtYXR0ZWQgQ2hhciI7DQoJbWFyZ2luOjBjbTsNCgltYXJnaW4tYm90dG9t Oi4wMDAxcHQ7DQoJZm9udC1zaXplOjEwLjBwdDsNCglmb250LWZhbWlseToiQ291cmllciBOZXci Ow0KCWNvbG9yOmJsYWNrO30NCnAuTXNvQWNldGF0ZSwgbGkuTXNvQWNldGF0ZSwgZGl2Lk1zb0Fj ZXRhdGUNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiJCYWxsb29u IFRleHQgQ2hhciI7DQoJbWFyZ2luOjBjbTsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJZm9u dC1zaXplOjguMHB0Ow0KCWZvbnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjsNCgljb2xv cjpibGFjazt9DQpzcGFuLkhUTUxQcmVmb3JtYXR0ZWRDaGFyDQoJe21zby1zdHlsZS1uYW1lOiJI VE1MIFByZWZvcm1hdHRlZCBDaGFyIjsNCgltc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0 eWxlLWxpbms6IkhUTUwgUHJlZm9ybWF0dGVkIjsNCglmb250LWZhbWlseTpDb25zb2xhczsNCglj b2xvcjpibGFjazt9DQpzcGFuLkJhbGxvb25UZXh0Q2hhcg0KCXttc28tc3R5bGUtbmFtZToiQmFs bG9vbiBUZXh0IENoYXIiOw0KCW1zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGlu azoiQmFsbG9vbiBUZXh0IjsNCglmb250LWZhbWlseToiVGFob21hIiwic2Fucy1zZXJpZiI7DQoJ Y29sb3I6YmxhY2s7fQ0Kc3Bhbi5FbWFpbFN0eWxlMjENCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29u YWwtcmVwbHk7DQoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjsNCgljb2xvcjoj MUY0OTdEO30NCi5Nc29DaHBEZWZhdWx0DQoJe21zby1zdHlsZS10eXBlOmV4cG9ydC1vbmx5Ow0K CWZvbnQtc2l6ZToxMC4wcHQ7fQ0KQHBhZ2UgV29yZFNlY3Rpb24xDQoJe3NpemU6NjEyLjBwdCA3 OTIuMHB0Ow0KCW1hcmdpbjo3Mi4wcHQgNzIuMHB0IDcyLjBwdCA3Mi4wcHQ7fQ0KZGl2LldvcmRT ZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9uMTt9DQotLT48L3N0eWxlPjwhLS1baWYgZ3RlIG1z byA5XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIg Lz4NCjwveG1sPjwhW2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVs YXlvdXQgdjpleHQ9ImVkaXQiPg0KPG86aWRtYXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8 L286c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5kaWZdLS0+PC9oZWFkPjxib2R5IGJnY29sb3I9d2hp dGUgbGFuZz1FTi1BVSBsaW5rPWJsdWUgdmxpbms9cHVycGxlPjxkaXYgY2xhc3M9V29yZFNlY3Rp b24xPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250 LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPlNheWluZyDigJxz dWLigJ0gTVVTVCBiZSBwcmVzZW50IG1pZ2h0IHNpbXBsaWZ5IGEgc3BlYywgYnV0IG9ubHkgYXQg dGhlIGNvc3Qgb2YgY29tcHJvbWlzaW5nIHRoZSBtZWFuaW5nIG9mIG1lc3NhZ2VzLjxvOnA+PC9v OnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZTox MS4wcHQ7Zm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz48 bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0eWxl PSdmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7Y29s b3I6IzFGNDk3RCc+4oCcc3Vi4oCdIHNvbWV0aW1lcyBob2xkcyBhbiBpZGVudGlmaWVyIGZvciBh IHN1YmplY3QgdGhhdCBpcyB1bmFtYmlndW91cyBpbiB0aGUgY29udGV4dCBvZiB0aGUgaXNzdWVy LiBUaGF0IGlzLCBhbiBhY2NvdW50IG5lZWRzIHRvIGJlIGlkZW50aWZpZWQgYnkgdGhlIHR1cGxl IHtpc3MsIHN1Yn0uPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3Bh biBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2Vy aWYiO2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1N c29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6IkNhbGli cmkiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz7igJxzdWLigJ0gc29tZXRpbWVzIGhvbGRz IGFuIGlkZW50aWZpZXIgZm9yIGEgc3ViamVjdCB0aGF0IGlzIGdsb2JhbGx5IHVuYW1iaWd1b3Vz LiBUaGF0IGlzLCDigJxzdWLigJ0gYWxvbmUgaXMgc3VmZmljaWVudCB0byBpZGVudGlmeSBhbiBh Y2NvdW50LiBBbiB1bnN0YXRlZCBhc3N1bXB0aW9uIGlzIHRoYXQgYWxsIOKAnHN1YuKAnSB2YWx1 ZXMgdGhhdCBtaWdodCBiZSBjb21wYXJlZCBuZWVkIHRvIGNvbWUgZnJvbSB0aGUgc2FtZSAodW5p ZGVudGlmaWVkKSBuYW1lc3BhY2UuPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05v cm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseToiQ2FsaWJyaSIs InNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48 cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p bHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz7igJxzdWLigJ0gc29tZXRp bWVzIGhvbGRzIGFuIGVwaGVtZXJhbCBwc2V1ZG9ueW0gKGVnIHJhbmRvbSBnYXJiYWdlKS48bzpw PjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0eWxlPSdmb250LXNp emU6MTEuMHB0O2ZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7Y29sb3I6IzFGNDk3 RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBz dHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYi O2NvbG9yOiMxRjQ5N0QnPiDigJxzdWLigJ0gc29tZXRpbWVzIGhvbGRzIGEgZml4ZWQgc3RyaW5n IHN1Y2ggYXMg4oCcYW5vbnltb3Vz4oCdICh3aXRoIGRpZmZlcmVudCBpc3N1ZXJzIGNob29zaW5n IGRpZmZlcmVudCBzdHJpbmdzKS4gQXNzdW1pbmcgdGhlIHR1cGxlIHtpc3MsIHN1Yn0gaWRlbnRp ZmllcyBhbiBhY2NvdW50IHdvdWxkIGJlIHBvc2l0aXZlbHkgZGFuZ2Vyb3VzIGluIHRoaXMgY2Fz ZS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0eWxlPSdm b250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7Y29sb3I6 IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48 c3BhbiBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMt c2VyaWYiO2NvbG9yOiMxRjQ5N0QnPuKAnHN1YuKAnSBzb21ldGltZXMgaG9sZHMgYSBmaW5nZXJw cmludCBvZiBhIHB1YmxpYyBrZXkuIOKAnHN1YuKAnSBpcyB0aGVuIHJlZHVuZGFudCBhcyBpdCBj YW4gYmUgcmVjYWxjdWxhdGVkIGZyb20gdGhlIGtleS4gVGhhdCBpbnRyb2R1Y2VzIHRoZSBjaGFu Y2UgdGhhdCBzb21lIGNvbXBvbmVudCB1c2VzIOKAnHN1YuKAnSB3aXRob3V0IGNvbmZpcm1pbmcg aXQgbWF0Y2hlcyB0aGUga2V5IHRoYXQgaXMgbGlrZWx5IHRvIGludHJvZHVjZSBzZWN1cml0eSB2 dWxuZXJhYmlsaXRpZXMuPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48 c3BhbiBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMt c2VyaWYiO2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFz cz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6IkNh bGlicmkiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz5BIOKAnHN1YuKAnSB2YWx1ZSBpcyBz b21ldGltZXMg4oCcdW5pcXVl4oCdIGluIGl0cyBjb250ZXh0IFtkcmFmdC1pZXRmLW9hdXRoLWpz b24td2ViLXRva2VuLTE5I3NlY3Rpb24tNC4xLjIgXSwgd2hpY2ggSSBpbnRlcnByZXQgYXMgbWVh bmluZyBpdCBpcyB0aGUgc3ViamVjdOKAmXMgb25lIGFuZCBvbmx5IGlkZW50aWZpZXIuIEkgc3Vz cGVjdCBpbiBwcmFjdGljZSDigJxzdWLigJ0gd2lsbCBvZnRlbiBiZSDigJx1bmFtYmlndW91c+KA nSwgYnV0IG5vdCBuZWNlc3NhcmlseSDigJx1bmlxdWXigJ0uIFRoYXQgaXMsIGFuIGFjY291bnQg bWlnaHQgaGF2ZSBtdWx0aXBsZSDigJxzdWLigJ0gdmFsdWVzIGFzc29jaWF0ZWQgd2l0aCBpdCAo ZHVlIHRvIGFjY291bnQgbWVyZ2VzLCBrZXkgY2hhbmdlcywgc3lzdGVtIHJlZGVzaWducywgYWxp YXNlc+KApikuPG86cD48L286cD48L3NwYW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBz dHlsZT0nZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYi O2NvbG9yOiMxRjQ5N0QnPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29O b3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6IkNhbGlicmki LCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+ PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFt aWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7Y29sb3I6IzFGNDk3RCc+TWFraW5nIOKAnHN1YuKA nSBtYW5kYXRvcnkgc2VlbXMgdG8gbWFrZSB0aGlzIG1lc3Mgd29yc2UuPG86cD48L286cD48L3Nw YW4+PC9wPjxwIGNsYXNzPU1zb05vcm1hbD48c3BhbiBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPldlIHdvdWxk IGJlIGJldHRlciB3aXRoIGRpc3RpbmN0ICZxdW90O2lzdWImcXVvdDssICZxdW90O2dzdWImcXVv dDssICZxdW90O3BzdWImcXVvdDssICZxdW90O2FzdWImcXVvdDs6bnVsbCwgJnF1b3Q7a3N1YiZx dW90OywgYW5kICZxdW90O3VuaXF1ZSZxdW90Ozp0cnVlIGVsZW1lbnRzIHNvIHRoZSBzZW1hbnRp Y3MgYXJlIGNsZWFyLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD48cCBjbGFzcz1Nc29Ob3JtYWw+PHNw YW4gc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNl cmlmIjtjb2xvcjojMUY0OTdEJz48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+PGRpdj48cCBj bGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6 IkNhbGlicmkiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz4tLTxvOnA+PC9vOnA+PC9zcGFu PjwvcD48cCBjbGFzcz1Nc29Ob3JtYWw+PHNwYW4gc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9u dC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz5KYW1lcyBNYW5n ZXI8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+PHAgY2xhc3M9TXNvTm9ybWFsPjxzcGFuIHN0 eWxlPSdmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7 Y29sb3I6IzFGNDk3RCc+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPjxkaXY+PGRpdiBzdHls ZT0nYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRpbmc6My4w cHQgMGNtIDBjbSAwY20nPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYu MHB0Jz48Yj48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFt aWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIjtjb2xvcjp3aW5kb3d0ZXh0Jz5Gcm9tOjwvc3Bhbj48 L2I+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToi VGFob21hIiwic2Fucy1zZXJpZiI7Y29sb3I6d2luZG93dGV4dCc+IE9BdXRoIFttYWlsdG86b2F1 dGgtYm91bmNlc0BpZXRmLm9yZ10gPGI+T24gQmVoYWxmIE9mIDwvYj5Ub3JzdGVuIExvZGRlcnN0 ZWR0PGJyPjxiPlNlbnQ6PC9iPiBTdW5kYXksIDI3IEFwcmlsIDIwMTQgNzo1NiBQTTxicj48Yj5U bzo8L2I+IEpvaG4gQnJhZGxleTsgQnJpYW4gQ2FtcGJlbGw8YnI+PGI+Q2M6PC9iPiBvYXV0aEBp ZXRmLm9yZzxicj48Yj5TdWJqZWN0OjwvYj4gUmU6IFtPQVVUSC1XR10gZHJhZnQtaWV0Zi1vYXV0 aC1qd3QtYmVhcmVyLTA4ICZhbXA7IHN1YmplY3QgaXNzdWU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+ PC9kaXY+PC9kaXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQn PjxvOnA+Jm5ic3A7PC9vOnA+PC9wPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbXNvLW1hcmdp bi10b3AtYWx0OjBjbTttYXJnaW4tcmlnaHQ6MGNtO21hcmdpbi1ib3R0b206MTIuMHB0O21hcmdp bi1sZWZ0OjM2LjBwdCc+KzE8YnI+PGJyPih3ZSBhY3R1YWxseSB1c2UgYSBzdWIgdmFsdWUgb2Yg JnF1b3Q7YW5vbnltb3VzJnF1b3Q7IGluIG91ciBpZCB0b2tlbnMgaW4gY2FzZSBhZ2UgdmVyaWZp Y2F0aW9uLCBpZiB3ZSBkbyBub3Qgd2FudCB0byBkaXNjbG9zZSB0aGUgdXNlcidzIGlkZW50aXR5 IHRvIHRoZSBSUCk8bzpwPjwvbzpwPjwvcD48ZGl2PjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0n bWFyZ2luLWxlZnQ6MzYuMHB0Jz5BbSAyNS4wNC4yMDE0IDIyOjExLCBzY2hyaWViIEpvaG4gQnJh ZGxleTo8bzpwPjwvbzpwPjwvcD48L2Rpdj48YmxvY2txdW90ZSBzdHlsZT0nbWFyZ2luLXRvcDo1 LjBwdDttYXJnaW4tYm90dG9tOjUuMHB0Jz48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdp bi1sZWZ0OjM2LjBwdCc+SSBhbSBPSyB3aXRoIHRoYXQuIDxvOnA+PC9vOnA+PC9wPjxkaXY+PHAg Y2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPjxkaXY+PGRpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2 LjBwdCc+T24gQXByIDI1LCAyMDE0LCBhdCA0OjU3IFBNLCBCcmlhbiBDYW1wYmVsbCAmbHQ7PGEg aHJlZj0ibWFpbHRvOmJjYW1wYmVsbEBwaW5naWRlbnRpdHkuY29tIj5iY2FtcGJlbGxAcGluZ2lk ZW50aXR5LmNvbTwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+PC9wPjwvZGl2PjxwIGNsYXNzPU1z b05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48YnI+PGJyPjxvOnA+PC9vOnA+PC9w PjxkaXY+PGRpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21zby1tYXJnaW4tdG9wLWFsdDow Y207bWFyZ2luLXJpZ2h0OjBjbTttYXJnaW4tYm90dG9tOjEyLjBwdDttYXJnaW4tbGVmdDozNi4w cHQnPkkgYWJzb2x1dGVseSBhZ3JlZSB3aXRoIGFsd2F5cyByZXF1aXJpbmcgYm90aCBpc3N1ZXIg YW5kIHN1YmplY3QgYW5kIHRoYXQgZG9pbmcgc28ga2VlcHMgdGhlIHNwZWNzIHNpbXBsZXIgYW5k IGlzIGxpa2VseSB0byBpbXByb3ZlIGludGVyb3BlcmFiaWxpdHkuPG86cD48L286cD48L3A+PC9k aXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtc28tbWFyZ2luLXRvcC1hbHQ6MGNtO21hcmdp bi1yaWdodDowY207bWFyZ2luLWJvdHRvbToxMi4wcHQ7bWFyZ2luLWxlZnQ6MzYuMHB0Jz5Ib3dl dmVyLCB3aXRob3V0IGNoYW5naW5nIHRoYXQsIHBlcmhhcHMgc29tZSBvZiB0aGUgdGV4dCBpbiB0 aGUgZG9jdW1lbnQocykgY291bGQgYmUgaW1wcm92ZWQgYSBiaXQuIEhlcmUncyBhIHJvdWdoIHBy b3Bvc2FsOjxicj48YnI+Q2hhbmdlIHRoZSB0ZXh0IG9mIHRoZSBzZWNvbmQgYnVsbGV0IGluIDxh IGhyZWY9Imh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtYXNzZXJ0 aW9ucy0xNSNzZWN0aW9uLTUuMiI+aHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0 Zi1vYXV0aC1hc3NlcnRpb25zLTE1I3NlY3Rpb24tNS4yPC9hPiB0byA8bzpwPjwvbzpwPjwvcD48 ZGl2IHN0eWxlPSdtYXJnaW4tbGVmdDozMC4wcHQnPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0n bWFyZ2luLWxlZnQ6MzYuMHB0Jz4mcXVvdDtUaGUgYXNzZXJ0aW9uIE1VU1QgY29udGFpbiBhIFN1 YmplY3QuIFRoZSBTdWJqZWN0IHR5cGljYWxseSBpZGVudGlmaWVzIGFuIGF1dGhvcml6ZWQgYWNj ZXNzb3IgZm9yIHdoaWNoIHRoZSBhY2Nlc3MgdG9rZW4gaXMgYmVpbmcgcmVxdWVzdGVkIChpLmUu IHRoZSByZXNvdXJjZSBvd25lciwgb3IgYW4gYXV0aG9yaXplZCBkZWxlZ2F0ZSkgYnV0LCBpbiBz b21lIGNhc2VzLCBtYXkgYmUgYSBwc2V1ZG9ueW0gb3Igb3RoZXIgdmFsdWUgZGVub3RpbmcgYW4g YW5vbnltb3VzIHVzZXIuIFdoZW4gdGhlIGNsaWVudCBpcyBhY3Rpbmcgb24gYmVoYWxmIG9mIGl0 c2VsZiwgdGhlIFN1YmplY3QgTVVTVCBiZSB0aGUgdmFsdWUgb2YgdGhlIGNsaWVudCdzIGNsaWVu dF9pZC4mcXVvdDs8bzpwPjwvbzpwPjwvcD48L2Rpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9 J21hcmdpbi1sZWZ0OjM2LjBwdCc+PG86cD4mbmJzcDs8L286cD48L3A+PGRpdj48cCBjbGFzcz1N c29Ob3JtYWwgc3R5bGU9J21zby1tYXJnaW4tdG9wLWFsdDowY207bWFyZ2luLXJpZ2h0OjBjbTtt YXJnaW4tYm90dG9tOjEyLjBwdDttYXJnaW4tbGVmdDozNi4wcHQnPkFuZCBhbHNvIGNoYW5nZSA8 YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRtbC9kcmFmdC1pZXRmLW9hdXRoLWFzc2Vy dGlvbnMtMTUjc2VjdGlvbi02LjMuMSI+aHR0cDovL3Rvb2xzLmlldGYub3JnL2h0bWwvZHJhZnQt aWV0Zi1vYXV0aC1hc3NlcnRpb25zLTE1I3NlY3Rpb24tNi4zLjE8L2E+IHRvIDxvOnA+PC9vOnA+ PC9wPjxkaXYgc3R5bGU9J21hcmdpbi1sZWZ0OjMwLjBwdCc+PHAgY2xhc3M9TXNvTm9ybWFsIHN0 eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPiZxdW90O1doZW4gYSBjbGllbnQgaXMgYWNjZXNzaW5n IHJlc291cmNlcyBvbiBiZWhhbGYgb2YgYW4gYW5vbnltb3VzIHVzZXIsIGEgbXV0dWFsbHkgYWdy ZWVkIHVwb24gU3ViamVjdCBpZGVudGlmaWVyIGluZGljYXRpbmcgYW5vbnltaXR5IGlzIHVzZWQu IFRoZSBTdWJqZWN0IHZhbHVlIG1pZ2h0IGJlIGFuIGFncmVlZCB1cG9uIHN0YXRpYyB2YWx1ZSBp bmRpY2F0aW5nIGFuIGFub255bW91cyB1c2VyIG9yIGFuIG9wYXF1ZSBwZXJzaXN0ZW50IG9yIHRy YW5zaWVudCBwc2V1ZG9ueW0gZm9yIHRoZSB1c2VyIG1heSBhbHNvIGJlIHV0aWxpemVkLiBUaGUg YXV0aG9yaXphdGlvbiBtYXkgYmUgYmFzZWQgdXBvbiBhZGRpdGlvbmFsIGNyaXRlcmlhLCBzdWNo IGFzIGFkZGl0aW9uYWwgYXR0cmlidXRlcyBvciBjbGFpbXMgcHJvdmlkZWQgaW4gdGhlIGFzc2Vy dGlvbi4gRm9yIGV4YW1wbGUsIGEgY2xpZW50IG1heSBwcmVzZW50IGFuIGFzc2VydGlvbiBmcm9t IGEgdHJ1c3RlZCBpc3N1ZXIgYXNzZXJ0aW5nIHRoYXQgdGhlIGJlYXJlciBpcyBvdmVyIDE4IHZp YSBhbiBpbmNsdWRlZCBjbGFpbS4gSW4gdGhpcyBjYXNlLCBubyBhZGRpdGlvbmFsIGluZm9ybWF0 aW9uIGFib3V0IHRoZSB1c2VyJ3MgaWRlbnRpdHkgaXMgaW5jbHVkZWQsIHlldCBhbGwgdGhlIGRh dGEgbmVlZGVkIHRvIGlzc3VlIGFuIGFjY2VzcyB0b2tlbiBpcyBwcmVzZW50LiZxdW90OzxvOnA+ PC9vOnA+PC9wPjwvZGl2PjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYu MHB0Jz48bzpwPiZuYnNwOzwvbzpwPjwvcD48L2Rpdj48ZGl2PjxwIGNsYXNzPU1zb05vcm1hbCBz dHlsZT0nbXNvLW1hcmdpbi10b3AtYWx0OjBjbTttYXJnaW4tcmlnaHQ6MGNtO21hcmdpbi1ib3R0 b206MTIuMHB0O21hcmdpbi1sZWZ0OjM2LjBwdCc+QW5kIG1heWJlIGFsc28gY2hhbmdlIHRoZSBz dWJqZWN0IHRleHQgaW4gU0FNTCBhbmQgSldUIChpdGVtICMyIGluIDxhIGhyZWY9Imh0dHA6Ly90 b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtand0LWJlYXJlci0wOCNzZWN0aW9u LTMiPmh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtand0LWJlYXJl ci0wOCNzZWN0aW9uLTM8L2E+IGFuZCA8YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRt bC9kcmFmdC1pZXRmLW9hdXRoLXNhbWwyLWJlYXJlci0xOSNzZWN0aW9uLTMiPmh0dHA6Ly90b29s cy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtc2FtbDItYmVhcmVyLTE5I3NlY3Rpb24t MzwvYT4pIHRvIHJlYWQgYSBsaXR0bGUgbW9yZSBsaWtlIHRoZSBuZXcgcHJvcG9zZWQgdGV4dCBh Ym92ZSBmb3Igc2VjdGlvbiA1LjIgb2YgdGhlIEFzc2VydGlvbiBGcmFtZXdvcmsgZHJhZnQuPG86 cD48L286cD48L3A+PC9kaXY+PGRpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1s ZWZ0OjM2LjBwdCc+V291bGQgdGhhdCBzaXQgYW55IGJldHRlciB3aXRoIHlvdSwgSGFubmVzPyBU aG91Z2h0cyBmcm9tIG90aGVycyBpbiB0aGUgV0c/PG86cD48L286cD48L3A+PC9kaXY+PC9kaXY+ PGRpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21zby1tYXJnaW4tdG9wLWFsdDowY207bWFy Z2luLXJpZ2h0OjBjbTttYXJnaW4tYm90dG9tOjEyLjBwdDttYXJnaW4tbGVmdDozNi4wcHQnPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPjxkaXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4t bGVmdDozNi4wcHQnPk9uIEZyaSwgQXByIDI1LCAyMDE0IGF0IDE6MDggUE0sIEpvaG4gQnJhZGxl eSAmbHQ7PGEgaHJlZj0ibWFpbHRvOnZlN2p0YkB2ZTdqdGIuY29tIiB0YXJnZXQ9Il9ibGFuayI+ dmU3anRiQHZlN2p0Yi5jb208L2E+Jmd0OyB3cm90ZTo8bzpwPjwvbzpwPjwvcD48ZGl2PjxwIGNs YXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz5BZ3JlZWQuIDxvOnA+PC9v OnA+PC9wPjxkaXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQn PjxvOnA+Jm5ic3A7PC9vOnA+PC9wPjxkaXY+PGRpdj48ZGl2PjxkaXY+PHAgY2xhc3M9TXNvTm9y bWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPk9uIEFwciAyNSwgMjAxNCwgYXQgMzowNyBQ TSwgTWlrZSBKb25lcyAmbHQ7PGEgaHJlZj0ibWFpbHRvOk1pY2hhZWwuSm9uZXNAbWljcm9zb2Z0 LmNvbSIgdGFyZ2V0PSJfYmxhbmsiPk1pY2hhZWwuSm9uZXNAbWljcm9zb2Z0LmNvbTwvYT4mZ3Q7 IHdyb3RlOjxvOnA+PC9vOnA+PC9wPjwvZGl2PjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFy Z2luLWxlZnQ6MzYuMHB0Jz48bzpwPiZuYnNwOzwvbzpwPjwvcD48L2Rpdj48L2Rpdj48YmxvY2tx dW90ZSBzdHlsZT0nbWFyZ2luLXRvcDo1LjBwdDttYXJnaW4tYm90dG9tOjUuMHB0Jz48ZGl2Pjxk aXY+PGRpdj48ZGl2PjxkaXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDoz Ni4wcHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p bHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz5JIGFncmVlLiZuYnNwOyBX ZeKAmWQgYWxyZWFkeSBkaXNjdXNzZWQgdGhpcyBwcmV0dHkgZXh0ZW5zaXZlbHkgYW5kIHJlYWNo ZWQgdGhlIGNvbmNsdXNpb24gdGhhdCBhbHdheXMgcmVxdWlyaW5nIGJvdGggYW4gaXNzdWVyIGFu ZCBhIHN1YmplY3QgYm90aCBrZXB0IHRoZSBzcGVjcyBzaW1wbGVyIGFuZCB3YXMgbGlrZWx5IHRv IGltcHJvdmUgaW50ZXJvcGVyYWJpbGl0eS48L3NwYW4+PHNwYW4gbGFuZz1FTi1VUz48bzpwPjwv bzpwPjwvc3Bhbj48L3A+PC9kaXY+PGRpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdp bi1sZWZ0OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0nZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPiZuYnNwOzwv c3Bhbj48c3BhbiBsYW5nPUVOLVVTPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD48L2Rpdj48ZGl2Pjxw IGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVO LVVTIHN0eWxlPSdmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1z ZXJpZiI7Y29sb3I6IzFGNDk3RCc+SXTigJlzIGVudGlyZWx5IHVwIHRvIHRoZSBhcHBsaWNhdGlv biBwcm9maWxlIHdoYXQgdGhlIGNvbnRlbnRzIG9mIHRoZSBpc3N1ZXIgYW5kIHRoZSBzdWJqZWN0 IGZpZWxkcyBhcmUgYW5kIHNvIEkgZG9u4oCZdCB0aGluayB3ZSBuZWVkIHRvIGZ1cnRoZXIgc3Bl Y2lmeSB0aGVpciBjb250ZW50cyBiZXlvbmQgd2hhdOKAmXMgYWxyZWFkeSBpbiB0aGUgc3BlY3Mu PC9zcGFuPjxzcGFuIGxhbmc9RU4tVVM+PG86cD48L286cD48L3NwYW4+PC9wPjwvZGl2PjxkaXY+ PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9 RU4tVVMgc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5z LXNlcmlmIjtjb2xvcjojMUY0OTdEJz4mbmJzcDs8L3NwYW4+PHNwYW4gbGFuZz1FTi1VUz48bzpw PjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+PGRpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21h cmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUyBzdHlsZT0nZm9udC1zaXplOjExLjBw dDtmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiO2NvbG9yOiMxRjQ5N0QnPiZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyAtLSBNaWtlPC9zcGFuPjxzcGFuIGxhbmc9RU4tVVM+PG86cD48L286cD48L3NwYW4+ PC9wPjwvZGl2PjxkaXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4w cHQnPjxzcGFuIGxhbmc9RU4tVVMgc3R5bGU9J2ZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6 IkNhbGlicmkiLCJzYW5zLXNlcmlmIjtjb2xvcjojMUY0OTdEJz4mbmJzcDs8L3NwYW4+PHNwYW4g bGFuZz1FTi1VUz48bzpwPjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+PGRpdj48cCBjbGFzcz1Nc29O b3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PGI+PHNwYW4gbGFuZz1FTi1VUyBzdHls ZT0nZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseToiVGFob21hIiwic2Fucy1zZXJpZiInPkZy b206PC9zcGFuPjwvYj48c3BhbiBsYW5nPUVOLVVTIHN0eWxlPSdmb250LXNpemU6MTAuMHB0O2Zv bnQtZmFtaWx5OiJUYWhvbWEiLCJzYW5zLXNlcmlmIic+Jm5ic3A7T0F1dGggWzxhIGhyZWY9Im1h aWx0bzpvYXV0aC1ib3VuY2VzQGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+bWFpbHRvOm9hdXRo LWJvdW5jZXNAaWV0Zi5vcmc8L2E+XSZuYnNwOzxiPk9uIEJlaGFsZiBPZiZuYnNwOzwvYj5Ccmlh biBDYW1wYmVsbDxicj48Yj5TZW50OjwvYj4mbmJzcDtGcmlkYXksIEFwcmlsIDI1LCAyMDE0IDEw OjE3IEFNPGJyPjxiPlRvOjwvYj4mbmJzcDtIYW5uZXMgVHNjaG9mZW5pZzxicj48Yj5DYzo8L2I+ Jm5ic3A7PGEgaHJlZj0ibWFpbHRvOm9hdXRoQGlldGYub3JnIiB0YXJnZXQ9Il9ibGFuayI+b2F1 dGhAaWV0Zi5vcmc8L2E+PGJyPjxiPlN1YmplY3Q6PC9iPiZuYnNwO1JlOiBbT0FVVEgtV0ddIGRy YWZ0LWlldGYtb2F1dGgtand0LWJlYXJlci0wOCAmYW1wOyBzdWJqZWN0IGlzc3VlPC9zcGFuPjxz cGFuIGxhbmc9RU4tVVM+PG86cD48L286cD48L3NwYW4+PC9wPjwvZGl2PjxkaXY+PHAgY2xhc3M9 TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVM+Jm5i c3A7PG86cD48L286cD48L3NwYW4+PC9wPjwvZGl2PjxkaXY+PGRpdj48ZGl2PjxwIGNsYXNzPU1z b05vcm1hbCBzdHlsZT0nbXNvLW1hcmdpbi10b3AtYWx0OjBjbTttYXJnaW4tcmlnaHQ6MGNtO21h cmdpbi1ib3R0b206MTIuMHB0O21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUz5J IGJlbGlldmUsIGZyb20gdGhlIHRocmVhZCByZWZlcmVuY2VkIGVhcmxpZXIgYW5kIHByaW9yIGRp c2N1c3Npb24gYW5kIGRyYWZ0IHRleHQsIHRoYXQgdGhlIFdHIGhhcyByZWFjaGVkIChyb3VnaCkg Y29uc2Vuc3VzIHRvIHJlcXVpcmUgdGhlIHN1YmplY3QgY2xhaW0uIFNvIHRleHQgdGhhdCBzYXlz ICZxdW90O1N1YmplY3QgZWxlbWVudCBNVVNUIE5PVCBiZSBpbmNsdWRlZCZxdW90OyBpc24ndCB3 b3JrYWJsZS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0 eWxlPSdtc28tbWFyZ2luLXRvcC1hbHQ6MGNtO21hcmdpbi1yaWdodDowY207bWFyZ2luLWJvdHRv bToxMi4wcHQ7bWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTPkl0IHNlZW1zIHdo YXQncyBuZWVkZWQgaGVyZSBpcyBzb21lIGJldHRlciBleHBsYW5hdGlvbiBvZiBob3csIGluIGNh c2VzIHRoYXQgbmVlZCBpdCwgdGhlIHZhbHVlIG9mIHRoZSBzdWJqZWN0IGNhbiBiZSBwb3B1bGF0 ZWQgd2l0aG91dCB1c2luZyBhIFBJSSB0eXBlIHZhbHVlLiBBIHNpbXBsZSBzdGF0aWMgdmFsdWUg bGlrZSAmcXVvdDtBTk9OWU1PVVMtU1VCSkVDVCZxdW90OyBjb3VsZCBiZSB1c2VkLiBPciwgbW9y ZSBsaWtlbHksIHNvbWUga2luZCBvZiBwYWlyd2lzZSBwZXJzaXN0ZW50IHBzZXVkb255bW91cyBp ZGVudGlmaWVyIHdvdWxkIGJlIHV0aWxpemVkLCB3aGljaCB3b3VsZCBub3QgZGlyZWN0bHkgaWRl bnRpZnkgdGhlIHN1YmplY3QgYnV0IHdvdWxkIGFsbG93IHRoZSByZWx5aW5nIHBhcnR5IHRvIHJl Y29nbml6ZSB0aGUgc2FtZSBzdWJqZWN0IG9uIHN1YnNlcXVlbnQgdHJhbnNhY3Rpb25zLiBBIHRy YW5zaWVudCBwc2V1ZG9ueW0gbWlnaHQgYWxzbyBiZSBhcHByb3ByaWF0ZSBpbiBzb21lIGNhc2Vz LiBBbmQgYW55IG9mIHRob3NlIGFwcHJvYWNoZXMgY291bGQgYmUgdXNlZCB3aXRoIG9yIHdpdGhv dXQgYWRkaXRpb25hbCBjbGFpbXMgKGxpa2UgYWdlICZndDsgMTggb3IgbWVtYmVyc2hpcCBpbiBz b21lIGdyb3VwKSB0aGF0IGdldCB1c2VkIHRvIG1ha2UgYW4gYXV0aG9yaXphdGlvbiBkZWNpc2lv bi4mbmJzcDs8bzpwPjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+PGRpdj48cCBjbGFzcz1Nc29Ob3Jt YWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gbGFuZz1FTi1VUz5JIHdhc24ndCBz dXJlIGV4YWN0bHkgaG93IHRvIGFydGljdWxhdGUgYWxsIHRoYXQgaW4gdGV4dCBmb3IgdGhlIGRy YWZ0KHMpIGJ1dCB0aGF0J3MgbW9yZSBvZiB3aGF0IEkgd2FzIGFza2luZyBmb3Igd2hlbiBJIGFz a2VkIGlmIHlvdSBjb3VsZCBwcm9wb3NlIHNvbWUgdGV4dC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+ PC9kaXY+PGRpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21zby1tYXJnaW4tdG9wLWFsdDow Y207bWFyZ2luLXJpZ2h0OjBjbTttYXJnaW4tYm90dG9tOjEyLjBwdDttYXJnaW4tbGVmdDozNi4w cHQnPjxzcGFuIGxhbmc9RU4tVVM+PGJyPjxicj48bzpwPjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+ PC9kaXY+PGRpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21zby1tYXJnaW4tdG9wLWFsdDow Y207bWFyZ2luLXJpZ2h0OjBjbTttYXJnaW4tYm90dG9tOjEyLjBwdDttYXJnaW4tbGVmdDozNi4w cHQnPjxzcGFuIGxhbmc9RU4tVVM+Jm5ic3A7PG86cD48L286cD48L3NwYW4+PC9wPjxkaXY+PGRp dj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21hcmdpbi1sZWZ0OjM2LjBwdCc+PHNwYW4gbGFu Zz1FTi1VUz5PbiBUaHUsIEFwciAyNCwgMjAxNCBhdCA2OjQ4IEFNLCBIYW5uZXMgVHNjaG9mZW5p ZyAmbHQ7PGEgaHJlZj0ibWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQiIHRhcmdldD0i X2JsYW5rIj48c3BhbiBzdHlsZT0nY29sb3I6cHVycGxlJz5oYW5uZXMudHNjaG9mZW5pZ0BnbXgu bmV0PC9zcGFuPjwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+PC9zcGFuPjwvcD48L2Rpdj48ZGl2 PjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5n PUVOLVVTPkhpIEJyaWFuLDxicj48YnI+VGhhbmtzIGZvciBwb2ludGluZyB0byB0aGUgYXNzZXJ0 aW9uIGZyYW1ld29yayBkb2N1bWVudC4gUmUtcmVhZGluZyB0aGU8YnI+dGV4dCBpdCBhcHBlYXJz IHRoYXQgd2UgaGF2ZSBsaXN0ZWQgdGhlIGNhc2UgdGhhdCBpbiBTZWN0aW9uIDYuMy4xIGJ1dDxi cj5oYXZlIGZvcmdvdHRlbiB0byBjb3ZlciBpdCBlbHNld2hlcmUgaW4gdGhlIGRvY3VtZW50Ljxi cj48YnI+PGJyPkluIFNlY3Rpb24gNi4zLjEgd2Ugc2F5Ojxicj48YnI+JnF1b3Q7PGJyPjxicj42 LjMuMS4gJm5ic3A7Q2xpZW50IEFjdGluZyBvbiBCZWhhbGYgb2YgYW4gQW5vbnltb3VzIFVzZXI8 YnI+PGJyPiZuYnNwOyAmbmJzcDtXaGVuIGEgY2xpZW50IGlzIGFjY2Vzc2luZyByZXNvdXJjZXMg b24gYmVoYWxmIG9mIGFuIGFub255bW91cyB1c2VyLDxicj4mbmJzcDsgJm5ic3A7dGhlIFN1Ympl Y3QgaW5kaWNhdGVzIHRvIHRoZSBBdXRob3JpemF0aW9uIFNlcnZlciB0aGF0IHRoZSBjbGllbnQg aXM8YnI+Jm5ic3A7ICZuYnNwO2FjdGluZyBvbi1iZWhhbGYgb2YgYW4gYW5vbnltb3VzIHVzZXIg YXMgZGVmaW5lZCBieSB0aGUgQXV0aG9yaXphdGlvbjxicj4mbmJzcDsgJm5ic3A7U2VydmVyLiAm bmJzcDtJdCBpcyBpbXBsaWVkIHRoYXQgYXV0aG9yaXphdGlvbiBpcyBiYXNlZCB1cG9uIGFkZGl0 aW9uYWw8YnI+Jm5ic3A7ICZuYnNwO2NyaXRlcmlhLCBzdWNoIGFzIGFkZGl0aW9uYWwgYXR0cmli dXRlcyBvciBjbGFpbXMgcHJvdmlkZWQgaW4gdGhlPGJyPiZuYnNwOyAmbmJzcDthc3NlcnRpb24u ICZuYnNwO0ZvciBleGFtcGxlLCBhIGNsaWVudCBtYXkgcHJlc2VudCBhbiBhc3NlcnRpb24gZnJv bSBhPGJyPiZuYnNwOyAmbmJzcDt0cnVzdGVkIGlzc3VlciBhc3NlcnRpbmcgdGhhdCB0aGUgYmVh cmVyIGlzIG92ZXIgMTggdmlhIGFuIGluY2x1ZGVkPGJyPiZuYnNwOyAmbmJzcDtjbGFpbS48YnI+ PGJyPioqKioqPGJyPiZuYnNwOyAmbmJzcDsgSW4gdGhpcyBjYXNlLCBubyBhZGRpdGlvbmFsIGlu Zm9ybWF0aW9uIGFib3V0IHRoZSB1c2VyJ3M8YnI+Jm5ic3A7ICZuYnNwO2lkZW50aXR5IGlzIGlu Y2x1ZGVkLCB5ZXQgYWxsIHRoZSBkYXRhIG5lZWRlZCB0byBpc3N1ZSBhbiBhY2Nlc3M8YnI+Jm5i c3A7ICZuYnNwO3Rva2VuIGlzIHByZXNlbnQuPGJyPioqKioqPGJyPiZxdW90Ozxicj4oSSBtYXJr ZWQgdGhlIHJlbGV2YW50IHBhcnQgd2l0aCAnKioqJyk8YnI+PGJyPjxicj5JbiBTZWN0aW9uIDUu MiwgaG93ZXZlciwgd2Ugc2F5Ojxicj48YnI+PGJyPiZuYnNwOyAmbmJzcDtvICZuYnNwO1RoZSBh c3NlcnRpb24gTVVTVCBjb250YWluIGEgU3ViamVjdC4gJm5ic3A7VGhlIFN1YmplY3QgaWRlbnRp ZmllcyBhbjxicj4mbmJzcDsgJm5ic3A7ICZuYnNwOyBhdXRob3JpemVkIGFjY2Vzc29yIGZvciB3 aGljaCB0aGUgYWNjZXNzIHRva2VuIGlzIGJlaW5nIHJlcXVlc3RlZDxicj4mbmJzcDsgJm5ic3A7 ICZuYnNwOyAodHlwaWNhbGx5IHRoZSByZXNvdXJjZSBvd25lciwgb3IgYW4gYXV0aG9yaXplZCBk ZWxlZ2F0ZSkuICZuYnNwO1doZW48YnI+Jm5ic3A7ICZuYnNwOyAmbmJzcDsgdGhlIGNsaWVudCBp cyBhY3Rpbmcgb24gYmVoYWxmIG9mIGl0c2VsZiwgdGhlIFN1YmplY3QgTVVTVCBiZSB0aGU8YnI+ Jm5ic3A7ICZuYnNwOyAmbmJzcDsgdmFsdWUgb2YgdGhlIGNsaWVudCdzICZxdW90O2NsaWVudF9p ZCZxdW90Oy48YnI+PGJyPjxicj5XaGF0IHdlIHNob3VsZCBoYXZlIGRvbmUgaW4gU2VjdGlvbiA1 LjIgaXMgdG8gZXhwYW5kIHRoZSBjYXNlcyBpbmxpbmU8YnI+d2l0aCB3aGF0IHdlIGhhdmUgd3Jp dHRlbiBpbiBTZWN0aW9uIDYuPGJyPjxicj5IZXJlIGlzIG15IHByb3Bvc2VkIHRleHQ6PGJyPjxi cj4mcXVvdDs8YnI+byAmbmJzcDtUaGUgYXNzZXJ0aW9uIE1VU1QgY29udGFpbiBhIFN1YmplY3Qu ICZuYnNwO1RoZSBTdWJqZWN0IGlkZW50aWZpZXMgYW48YnI+YXV0aG9yaXplZCBhY2Nlc3NvciBm b3Igd2hpY2ggdGhlIGFjY2VzcyB0b2tlbiBpcyBiZWluZyByZXF1ZXN0ZWQ8bzpwPjwvbzpwPjwv c3Bhbj48L3A+PC9kaXY+PGRpdj48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21zby1tYXJnaW4t dG9wLWFsdDowY207bWFyZ2luLXJpZ2h0OjBjbTttYXJnaW4tYm90dG9tOjEyLjBwdDttYXJnaW4t bGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVM+KHR5cGljYWxseSB0aGUgcmVzb3VyY2Ugb3du ZXIsIG9yIGFuIGF1dGhvcml6ZWQgZGVsZWdhdGUpLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD48L2Rp dj48ZGl2PjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFyZ2luLWxlZnQ6MzYuMHB0Jz48c3Bh biBsYW5nPUVOLVVTPldoZW4gdGhlIGNsaWVudCBpcyBhY3Rpbmcgb24gYmVoYWxmIG9mIGl0c2Vs ZiwgYXMgZGVzY3JpYmVkIGluIFNlY3Rpb248YnI+Ni4xIGFuZCBTZWN0aW9uIDYuMiwgdGhlIFN1 YmplY3QgTVVTVCBiZSB0aGUgdmFsdWUgb2YgdGhlIGNsaWVudCdzPGJyPiZxdW90O2NsaWVudF9p ZCZxdW90Oy48YnI+PGJyPldoZW4gdGhlIGNsaWVudCBpcyBhY3Rpbmcgb24gYmVoYWxmIG9mIGFu IHVzZXIsIGFzIGRlc2NyaWJlZCBpbiBTZWN0aW9uPGJyPjYuMywgdGhlIFN1YmplY3QgZWxlbWVu dCBNVVNUIGJlIGluY2x1ZGVkIGluIHRoZSBhc3NlcnRpb24gYW5kPGJyPmlkZW50aWZpZXMgYW4g YXV0aG9yaXplZCBhY2Nlc3NvciBmb3Igd2hpY2ggdGhlIGFjY2VzcyB0b2tlbiBpcyBiZWluZzxi cj5yZXF1ZXN0ZWQuPGJyPjxicj5XaGVuIHRoZSBjbGllbnQgaXMgYWN0aW5nIG9uIGJlaGFsZiBv ZiBhbiBhbm9ueW1vdXMgdXNlciwgYXMgZGVzY3JpYmVkPGJyPmluIFNlY3Rpb24gNi4zLjEsIHRo ZSBTdWJqZWN0IGVsZW1lbnQgTVVTVCBOT1QgYmUgaW5jbHVkZWQgaW4gdGhlPGJyPmFzc2VydGlv bi4gT3RoZXIgZWxlbWVudHMgd2l0aGluIHRoZSBhc3NlcnRpb24gd2lsbCwgaG93ZXZlciwgcHJv dmlkZTxicj5lbm91Z2ggaW5mb3JtYXRpb24gZm9yIHRoZSBhdXRob3JpemF0aW9uIHNlcnZlciB0 byBtYWtlIGFuIGF1dGhvcml6YXRpb248YnI+ZGVjaXNpb24uPGJyPiZxdW90Ozxicj48YnI+RG9l cyB0aGlzIG1ha2Ugc2Vuc2UgdG8geW91Pzxicj48YnI+Q2lhbzxicj5IYW5uZXM8bzpwPjwvbzpw Pjwvc3Bhbj48L3A+PC9kaXY+PGRpdj48ZGl2PjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbWFy Z2luLWxlZnQ6MzYuMHB0Jz48c3BhbiBsYW5nPUVOLVVTPjxicj48YnI+T24gMDQvMjQvMjAxNCAw MjozMCBQTSwgQnJpYW4gQ2FtcGJlbGwgd3JvdGU6PGJyPiZndDsgVGhlcmUgaXMgc29tZSBkaXNj dXNzaW9uIG9mIHRoYXQgY2FzZSBpbiB0aGUgYXNzZXJ0aW9uIGZyYW1ld29yazxicj4mZ3Q7IGRv Y3VtZW50IGF0PGJyPiZndDsmbmJzcDs8YSBocmVmPSJodHRwOi8vdG9vbHMuaWV0Zi5vcmcvaHRt bC9kcmFmdC1pZXRmLW9hdXRoLWFzc2VydGlvbnMtMTUjc2VjdGlvbi02LjMuMSIgdGFyZ2V0PSJf YmxhbmsiPjxzcGFuIHN0eWxlPSdjb2xvcjpwdXJwbGUnPmh0dHA6Ly90b29scy5pZXRmLm9yZy9o dG1sL2RyYWZ0LWlldGYtb2F1dGgtYXNzZXJ0aW9ucy0xNSNzZWN0aW9uLTYuMy4xPC9zcGFuPjwv YT48YnI+Jmd0Ozxicj4mZ3Q7IERvIHlvdSBmZWVsIHRoYXQgbW9yZSBpcyBuZWVkZWQ/IElmIHNv LCBjYW4geW91IHByb3Bvc2Ugc29tZSB0ZXh0Pzxicj4mZ3Q7PGJyPiZndDs8YnI+Jmd0OyBPbiBU aHUsIEFwciAyNCwgMjAxNCBhdCAxOjA5IEFNLCBIYW5uZXMgVHNjaG9mZW5pZzxvOnA+PC9vOnA+ PC9zcGFuPjwvcD48L2Rpdj48L2Rpdj48ZGl2PjxkaXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxl PSdtYXJnaW4tbGVmdDozNi4wcHQnPjxzcGFuIGxhbmc9RU4tVVM+Jmd0OyAmbHQ7PGEgaHJlZj0i bWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBz dHlsZT0nY29sb3I6cHVycGxlJz5oYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0PC9zcGFuPjwvYT4m bmJzcDsmbHQ7bWFpbHRvOjxhIGhyZWY9Im1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0 IiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9J2NvbG9yOnB1cnBsZSc+aGFubmVzLnRzY2hv ZmVuaWdAZ214Lm5ldDwvc3Bhbj48L2E+Jmd0OyZndDsgd3JvdGU6PGJyPiZndDs8YnI+Jmd0OyAm bmJzcDsgJm5ic3A7IEhpIEJyaWFuLDxicj4mZ3Q7PGJyPiZndDsgJm5ic3A7ICZuYnNwOyBJIHJl YWQgdGhyb3VnaCB0aGUgdGhyZWFkIGFuZCB0aGUgR29vZ2xlIGNhc2UgaXMgYSBiaXQgZGlmZmVy ZW50IHNpbmNlPGJyPiZndDsgJm5ic3A7ICZuYnNwOyB0aGV5IGFyZSB1c2luZyB0aGUgY2xpZW50 IGF1dGhlbnRpY2F0aW9uIHBhcnQgb2YgdGhlIEpXVCBiZWFyZXIgc3BlYy48YnI+Jmd0OyAmbmJz cDsgJm5ic3A7IFRoZXJlIEkgZG9uJ3Qgc2VlIHRoZSBwcml2YWN5IGNvbmNlcm5zIGVpdGhlci48 YnI+Jmd0Ozxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgSSBhbSwgaG93ZXZlciwgZm9jdXNlZCBvbiB0 aGUgYXV0aG9yaXphdGlvbiBncmFudCB3aGVyZSB0aGUgc3ViamVjdCBpczxicj4mZ3Q7ICZuYnNw OyAmbmJzcDsgaW4gbW9zdCBjYXNlcyB0aGUgcmVzb3VyY2Ugb3duZXIuPGJyPiZndDs8YnI+Jmd0 OyAmbmJzcDsgJm5ic3A7IEl0IGlzIHBvc3NpYmxlIHRvIHB1dCBnYXJiYWdlIGludG8gdGhlIHN1 YmplY3QgZWxlbWVudCB3aGVuIHByaXZhY3k8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7IHByb3RlY3Rp b24gaXMgbmVlZGVkIGZvciB0aGUgcmVzb3VyY2Ugb3duZXIgY2FzZSBidXQgdGhhdCB3b3VsZCBu ZWVkIHRvPGJyPiZndDsgJm5ic3A7ICZuYnNwOyBiZSBkZXNjcmliZWQgaW4gdGhlIGRvY3VtZW50 OyBjdXJyZW50bHkgaXQgaXMgbm90IHRoZXJlLjxicj4mZ3Q7PGJyPiZndDsgJm5ic3A7ICZuYnNw OyBDaWFvPGJyPiZndDsgJm5ic3A7ICZuYnNwOyBIYW5uZXM8YnI+Jmd0Ozxicj4mZ3Q7PGJyPiZn dDsgJm5ic3A7ICZuYnNwOyBPbiAwNC8yNC8yMDE0IDEyOjM3IEFNLCBCcmlhbiBDYW1wYmVsbCB3 cm90ZTo8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgVGhhdCB0aHJlYWQgdGhhdCBBbnRvbmlv IHN0YXJ0ZWQgd2hpY2ggeW91IHJlZmVyZW5jZSB3ZW50IG9uIGZvciBzb21lPGJyPiZndDsgJm5i c3A7ICZuYnNwOyAmZ3Q7IHRpbWU8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDs8YnI+Jmd0OyAm bmJzcDsgJm5ic3A7ICg8YSBocmVmPSJodHRwOi8vd3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93 ZWIvb2F1dGgvY3VycmVudC90aHJlYWRzLmh0bWwjMTI1MjAiIHRhcmdldD0iX2JsYW5rIj48c3Bh biBzdHlsZT0nY29sb3I6cHVycGxlJz5odHRwOi8vd3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93 ZWIvb2F1dGgvY3VycmVudC90aHJlYWRzLmh0bWwjMTI1MjA8L3NwYW4+PC9hPik8YnI+Jmd0OyAm bmJzcDsgJm5ic3A7ICZndDsgYW5kIHNlZW1zIHRvIGhhdmUgcmVhY2hlZCBjb25zZW5zdXMgdGhh dCB0aGUgc3BlYyBkaWRuJ3QgbmVlZDxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgbm9ybWF0aXZlPGJy PiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7IGNoYW5nZSBhbmQgdGhhdCBzdWNoIHByaXZhY3kgY2Fz ZXMgb3Igb3RoZXIgY2FzZXMgd2hpY2ggZGlkbid0PGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7 IGV4cGxpY2l0bHkgbmVlZCBhIHN1YmplY3QgaWRlbnRpZmllciB3b3VsZCBiZSBtb3JlIGFwcHJv cHJpYXRlbHkgZGVhbHQ8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgd2l0aCBpbiBhcHBsaWNh dGlvbiBsb2dpYzo8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsmbmJzcDs8YSBocmVmPSJodHRw Oi8vd3d3LmlldGYub3JnL21haWwtYXJjaGl2ZS93ZWIvb2F1dGgvY3VycmVudC9tc2cxMjUzOC5o dG1sIiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4gc3R5bGU9J2NvbG9yOnB1cnBsZSc+aHR0cDovL3d3 dy5pZXRmLm9yZy9tYWlsLWFyY2hpdmUvd2ViL29hdXRoL2N1cnJlbnQvbXNnMTI1MzguaHRtbDwv c3Bhbj48L2E+PGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7PGJyPiZndDsgJm5ic3A7ICZuYnNw OyAmZ3Q7PGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7PGJyPiZndDsgJm5ic3A7ICZuYnNwOyAm Z3Q7PGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7IE9uIFdlZCwgQXByIDIzLCAyMDE0IGF0IDI6 MzkgQU0sIEhhbm5lcyBUc2Nob2ZlbmlnPGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZsdDs8 YSBocmVmPSJtYWlsdG86aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldCIgdGFyZ2V0PSJfYmxhbmsi PjxzcGFuIHN0eWxlPSdjb2xvcjpwdXJwbGUnPmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQ8L3Nw YW4+PC9hPiZuYnNwOyZsdDttYWlsdG86PGEgaHJlZj0ibWFpbHRvOmhhbm5lcy50c2Nob2Zlbmln QGdteC5uZXQiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0nY29sb3I6cHVycGxlJz5oYW5u ZXMudHNjaG9mZW5pZ0BnbXgubmV0PC9zcGFuPjwvYT4mZ3Q7PG86cD48L286cD48L3NwYW4+PC9w PjwvZGl2PjwvZGl2PjxkaXY+PHAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSdtYXJnaW4tbGVmdDoz Ni4wcHQnPjxzcGFuIGxhbmc9RU4tVVM+Jmd0OyAmbmJzcDsgJm5ic3A7ICZsdDttYWlsdG86PGEg aHJlZj0ibWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQiIHRhcmdldD0iX2JsYW5rIj48 c3BhbiBzdHlsZT0nY29sb3I6cHVycGxlJz5oYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0PC9zcGFu PjwvYT48bzpwPjwvbzpwPjwvc3Bhbj48L3A+PC9kaXY+PGRpdj48ZGl2PjxwIGNsYXNzPU1zb05v cm1hbCBzdHlsZT0nbXNvLW1hcmdpbi10b3AtYWx0OjBjbTttYXJnaW4tcmlnaHQ6NzIuMHB0O21h cmdpbi1ib3R0b206MGNtO21hcmdpbi1sZWZ0OjEwOC4wcHQ7bWFyZ2luLWJvdHRvbTouMDAwMXB0 Jz48c3BhbiBsYW5nPUVOLVVTPiZndDsgJm5ic3A7ICZuYnNwOyAmbHQ7bWFpbHRvOjxhIGhyZWY9 Im1haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0IiB0YXJnZXQ9Il9ibGFuayI+PHNwYW4g c3R5bGU9J2NvbG9yOnB1cnBsZSc+aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldDwvc3Bhbj48L2E+ Jmd0OyZndDsmZ3Q7IHdyb3RlOjxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0Ozxicj4mZ3Q7ICZu YnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7IEhpIGFsbCw8YnI+Jmd0OyAmbmJzcDsgJm5i c3A7ICZndDs8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyBpbiBwcmVw YXJpbmcgdGhlIHNoZXBoZXJkIHdyaXRlLXVwIGZvcjxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgZHJh ZnQtaWV0Zi1vYXV0aC1qd3QtYmVhcmVyLTA4IEk8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsg Jm5ic3A7ICZuYnNwOyBoYWQgdG8gcmV2aWV3IG91ciByZWNlbnQgZW1haWwgY29udmVyc2F0aW9u cyBhbmQgdGhlIGlzc3VlPGJyPiZndDsgJm5ic3A7ICZuYnNwOyByYWlzZWQgYnk8YnI+Jmd0OyAm bmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyBBbnRvbmlvIGluPGJyPiZndDsgJm5ic3A7 ICZuYnNwOyAmZ3Q7PGJyPiZndDsgJm5ic3A7ICZuYnNwOyZuYnNwOzxhIGhyZWY9Imh0dHA6Ly93 d3cuaWV0Zi5vcmcvbWFpbC1hcmNoaXZlL3dlYi9vYXV0aC9jdXJyZW50L21zZzEyNTIwLmh0bWwi IHRhcmdldD0iX2JsYW5rIj48c3BhbiBzdHlsZT0nY29sb3I6cHVycGxlJz5odHRwOi8vd3d3Lmll dGYub3JnL21haWwtYXJjaGl2ZS93ZWIvb2F1dGgvY3VycmVudC9tc2cxMjUyMC5odG1sPC9zcGFu PjwvYT4mbmJzcDtiZWxvbmc8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNw OyB0byBpdC48YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDs8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7 ICZndDsgJm5ic3A7ICZuYnNwOyBUaGUgaXNzdWUgd2FzIHRoYXQgU2VjdGlvbiAzIG9mIGRyYWZ0 LWlldGYtb2F1dGgtand0LWJlYXJlci0wODxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgc2F5czo8YnI+ Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmcXVvdDs8YnI+Jmd0OyAmbmJz cDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7Mi4gJm5ic3A7IFRoZSBK V1QgTVVTVCBjb250YWluIGEgJnF1b3Q7c3ViJnF1b3Q7IChzdWJqZWN0KSBjbGFpbTxicj4mZ3Q7 ICZuYnNwOyAmbmJzcDsgaWRlbnRpZnlpbmcgdGhlPGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IHByaW5jaXBhbCB0aGF0 IGlzIHRoZSBzdWJqZWN0IG9mIHRoZSBKV1QuICZuYnNwO1R3byBjYXNlczxicj4mZ3Q7ICZuYnNw OyAmbmJzcDsgbmVlZCB0byBiZTxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBkaWZmZXJlbnRpYXRlZDo8YnI+Jmd0OyAm bmJzcDsgJm5ic3A7ICZndDs8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgQS4gJm5ic3A7Rm9yIHRoZSBhdXRob3JpemF0 aW9uIGdyYW50LCB0aGUgc3ViamVjdCBTSE9VTEQ8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7IGlkZW50 aWZ5IGFuPGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgYXV0aG9yaXplZCBhY2Nlc3NvciBmb3Ig d2hvbSB0aGUgYWNjZXNzIHRva2VuIGlzIGJlaW5nPGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsg cmVxdWVzdGVkICh0eXBpY2FsbHkgdGhlIHJlc291cmNlIG93bmVyLCBvciBhbjxicj4mZ3Q7ICZu YnNwOyAmbmJzcDsgYXV0aG9yaXplZDxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IGRlbGVnYXRl KS48YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDs8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgQi4gJm5ic3A7Rm9yIGNs aWVudCBhdXRoZW50aWNhdGlvbiwgdGhlIHN1YmplY3QgTVVTVCBiZSB0aGU8YnI+Jmd0OyAmbmJz cDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmcXVvdDtjbGllbnRfaWQmcXVvdDsgb2YgdGhlIE9BdXRoIGNsaWVudC48 YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmcXVvdDs8YnI+Jmd0OyAm bmJzcDsgJm5ic3A7ICZndDs8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNw OyBBbnRvbmlvIHBvaW50ZWQgdG8gdGhlIGN1cnJlbnQgR29vZ2xlIEFQSSB0byBpbGx1c3RyYXRl IHRoYXQ8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7IHRoZSBzdWJqZWN0PGJyPiZndDsgJm5ic3A7ICZu YnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgaXMgbm90IGFsd2F5cyBuZWVkZWQuIEhlcmUgaXMgdGhl IEdvb2dsZSBBUEkgZG9jdW1lbnRhdGlvbjo8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5i c3A7ICZuYnNwOyZuYnNwOzxhIGhyZWY9Imh0dHBzOi8vZGV2ZWxvcGVycy5nb29nbGUuY29tL2Fj Y291bnRzL2RvY3MvT0F1dGgyU2VydmljZUFjY291bnQiIHRhcmdldD0iX2JsYW5rIj48c3BhbiBz dHlsZT0nY29sb3I6cHVycGxlJz5odHRwczovL2RldmVsb3BlcnMuZ29vZ2xlLmNvbS9hY2NvdW50 cy9kb2NzL09BdXRoMlNlcnZpY2VBY2NvdW50PC9zcGFuPjwvYT48YnI+Jmd0OyAmbmJzcDsgJm5i c3A7ICZndDs8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyBUaGUgR29v Z2xlIEFQSSB1c2VkIHRoZSBjbGllbnQgYXV0aGVudGljYXRpb24gcGFydCAocmF0aGVyPGJyPiZn dDsgJm5ic3A7ICZuYnNwOyB0aGFuIHRoZTxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJz cDsgJm5ic3A7IGF1dGhvcml6YXRpb24gZ3JhbnQpLCBpbiBteSB1bmRlcnN0YW5kaW5nLjxicj4m Z3Q7ICZuYnNwOyAmbmJzcDsgJmd0Ozxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsg Jm5ic3A7IEkgc3RpbGwgYmVsaWV2ZSB0aGF0IHRoZSBzdWJqZWN0IGZpZWxkIGhhcyB0byBiZSBp bmNsdWRlZCBmb3I8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7IGNsaWVudDxicj4mZ3Q7ICZuYnNwOyAm bmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7IGF1dGhlbnRpY2F0aW9uIGJ1dCBJIGFtIG5vdCBzbyBz dXJlIGFueW1vcmUgYWJvdXQgdGhlPGJyPiZndDsgJm5ic3A7ICZuYnNwOyBhdXRob3JpemF0aW9u PGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgZ3JhbnQgc2luY2UgSSBj b3VsZCB2ZXJ5IHdlbGwgaW1hZ2luZSBjYXNlcyB3aGVyZSB0aGUgc3ViamVjdDxicj4mZ3Q7ICZu YnNwOyAmbmJzcDsgaXMgbm90PGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJz cDsgbmVlZGVkIGZvciBhdXRob3JpemF0aW9uIGRlY2lzaW9ucyBidXQgYWxzbyBmb3IgcHJpdmFj eSByZWFzb25zLjxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0Ozxicj4mZ3Q7ICZuYnNwOyAmbmJz cDsgJmd0OyAmbmJzcDsgJm5ic3A7IEkgd291bGQgdGhlcmVmb3JlIHN1Z2dlc3QgdG8gY2hhbmdl IHRoZSB0ZXh0IGFzIGZvbGxvd3M6PGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7PGJyPiZndDsg Jm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJnF1b3Q7PGJyPiZndDsgJm5ic3A7ICZu YnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzIuICZuYnNwOyBUaGUgSldUIGNv bnRhaW5zIGEgJnF1b3Q7c3ViJnF1b3Q7IChzdWJqZWN0KSBjbGFpbSBpZGVudGlmeWluZyB0aGU8 YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgcHJpbmNpcGFsIHRoYXQgaXMgdGhlIHN1YmplY3Qgb2YgdGhlIEpXVC4gJm5i c3A7VHdvIGNhc2VzPGJyPiZndDsgJm5ic3A7ICZuYnNwOyBuZWVkIHRvIGJlPGJyPiZndDsgJm5i c3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 IGRpZmZlcmVudGlhdGVkOjxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0Ozxicj4mZ3Q7ICZuYnNw OyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBB LiAmbmJzcDtGb3IgdGhlIGF1dGhvcml6YXRpb24gZ3JhbnQsIHRoZSBzdWJqZWN0IGNsYWltIE1B WTxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IGJlIGluY2x1ZGVkLiBJZiBpdCBpcyBpbmNsdWRl ZCBpdCBNVVNUIGlkZW50aWZ5IHRoZTxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IGF1dGhvcml6 ZWQgYWNjZXNzb3IgZm9yIHdob20gdGhlIGFjY2VzcyB0b2tlbiBpcyBiZWluZzxicj4mZ3Q7ICZu YnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7IHJlcXVlc3RlZCAodHlwaWNhbGx5IHRoZSByZXNvdXJjZSBvd25lciwg b3IgYW48YnI+Jmd0OyAmbmJzcDsgJm5ic3A7IGF1dGhvcml6ZWQ8YnI+Jmd0OyAmbmJzcDsgJm5i c3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyBkZWxlZ2F0ZSkuIFJlYXNvbnMgZm9yIG5vdCBpbmNsdWRpbmcgdGhlIHN1YmplY3Qg Y2xhaW08YnI+Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBpbiB0aGUgSldUIGFyZSBpZGVudGl0eSBo aWRpbmcgKGkuZS4sIHByaXZhY3k8YnI+Jmd0OyAmbmJzcDsgJm5ic3A7IHByb3RlY3Rpb248YnI+ Jmd0OyAmbmJzcDsgJm5ic3A7ICZndDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBvZiB0aGUgaWRlbnRpZmllciBvZiB0aGUgc3ViamVjdCkg YW5kIGNhc2VzIHdoZXJlPGJyPiZndDsgJm5ic3A7ICZuYnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgdGhlIGlkZW50aWZpZXIg b2YgdGhlIHN1YmplY3QgaXMgaXJyZWxldmFudCBmb3IgbWFraW5nPGJyPiZndDsgJm5ic3A7ICZu YnNwOyAmZ3Q7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgYW4gYXV0aG9yaXphdGlvbiBkZWNpc2lvbiBieSB0aGUgcmVzb3VyY2Ugc2VydmVy Ljxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0Ozxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBCLiAmbmJzcDtGb3IgY2xp ZW50IGF1dGhlbnRpY2F0aW9uLCB0aGUgc3ViamVjdCBNVVNUIGJlIHRoZTxicj4mZ3Q7ICZuYnNw OyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7IGluY2x1ZGVkIGluIHRoZSBKV1QgYW5kIHRoZSB2YWx1ZSBNVVNUIGJlIHBv cHVsYXRlZDxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IHdpdGggdGhlICZxdW90O2NsaWVudF9p ZCZxdW90OyBvZiB0aGUgT0F1dGggY2xpZW50Ljxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0OyAm bmJzcDsgJm5ic3A7ICZxdW90Ozxicj4mZ3Q7ICZuYnNwOyAmbmJzcDsgJmd0Ozxicj4mZ3Q7ICZu YnNwOyAmbmJzcDsgJmd0OyAmbmJzcDsgJm5ic3A7IFdoYXQgZG8geW91IGd1eXMgdGhpbms/PGJy Pjxicj48L3NwYW4+PG86cD48L286cD48L3A+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+ PC9kaXY+PC9kaXY+PC9kaXY+PC9ibG9ja3F1b3RlPjwvZGl2PjwvZGl2PjwvZGl2PjwvZGl2Pjwv ZGl2PjwvZGl2PjwvZGl2PjwvYmxvY2txdW90ZT48cCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9J21h cmdpbi1sZWZ0OjM2LjBwdCc+PG86cD4mbmJzcDs8L286cD48L3A+PC9kaXY+PC9ib2R5PjwvaHRt bD4= --_000_255B9BB34FB7D647A506DC292726F6E11545569E2DWSMSG3153Vsrv_-- From nobody Mon Apr 28 01:27:24 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA6B21A08EC for ; Mon, 28 Apr 2014 01:27:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.551 X-Spam-Level: X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X1ANgdSOFSOg for ; Mon, 28 Apr 2014 01:27:21 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 0F9771A07C9 for ; Mon, 28 Apr 2014 01:27:20 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0MH0eg-1WiYmi1Dvu-00Ds5D; Mon, 28 Apr 2014 10:27:18 +0200 Message-ID: <535E1010.6000006@gmx.net> Date: Mon, 28 Apr 2014 10:23:44 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: <535A3AF4.4060506@gmx.net> <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com> <535A5819.2030805@gmx.net> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="kB7IkPuSAwR1EEC2xFJ7alQLxCQ4HOhbW" X-Provags-ID: V03:K0:5NDBoh5eacfsVzCu443fmk5LLokYzg2bx/FC2SDLZDAY5wTKoE6 lbJiYJfVLpESxuUx7UrbAvUtMSckpsMBlqBNOpePrgrWDl5KYEPOxpmbDqKAnlGG+mG0qK7 lLKzwJffjs8GT7xsauWLvvTGTnTDB3C1sshzSi6wFIGrvU7Km1mvIGPiYKKAdH1YPo+jcO5 oMzkeE9ffW52KBmv5lMLQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wVqO4v4AR712ZhHwnvPXzxE3wSw Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 08:27:23 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --kB7IkPuSAwR1EEC2xFJ7alQLxCQ4HOhbW Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Brian, you are entirely correct. I believe I read the paragraph not carefully enough. For some reason I read octal rather than octet and that makes, of course, a huge difference. Sorry. My fault. Ciao Hannes On 04/25/2014 04:22 PM, Brian Campbell wrote: > Note that the draft is showing an *octet sequence* with each individual= > octet being shown as decimal value. It doesn't state anything about > using octal, the base-8 number system. Those octets also show > unambiguously what is being base64url encoded (including the line > endings via "13, 10") - no matter how the unencoded headers or bodies > are shown in the draft, there's going to be potential confusion about > what white space and line breaks is or is not to be included in the > encoding and serialization so giving the octet sequence alleviates that= =2E > It's maybe also worth noting that the JOSE suite of specs all use the > same notation and text in their examples. --kB7IkPuSAwR1EEC2xFJ7alQLxCQ4HOhbW Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTXhAQAAoJEGhJURNOOiAtTdEH/ikmPqpjlj428YoZ1XScyhNv kRU5dlhX3Z3s4JYVRrglWgRmf4WXOVi/Oevl+yNqERRUx+oqWgXjzNz8LHeKJnAQ rdkK8KphZohGASi+uF3iccg9iFBooEfyXXgt98ii1mfROPJJqq3xaPoJpsOsDY+Q aOVHoujrwq2tF7aUm5lJUqh9xmXGO76X5p07/AU4UZoav5XpwWmmy5/HbAOihW6i oAq3OTCuprj28TgPsy54SvnHKV8C+B/xh5zlmasxMR3NdYawMKthNr18bA3AiL2s ENwn3Ne8s8xiGwnNV+HhSXRYX4MeVObOprKJrilOxnZzTUtEjZUmEYXOpCrUAUU= =/u8J -----END PGP SIGNATURE----- --kB7IkPuSAwR1EEC2xFJ7alQLxCQ4HOhbW-- From nobody Mon Apr 28 01:37:53 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 959471A06D5 for ; Mon, 28 Apr 2014 01:37:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.551 X-Spam-Level: X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E6g5ME-TvOfG for ; Mon, 28 Apr 2014 01:37:50 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 4BEDF1A009C for ; Mon, 28 Apr 2014 01:37:50 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MU0pN-1WWGs91LTF-00Qg2x; Mon, 28 Apr 2014 10:37:48 +0200 Message-ID: <535E127B.2010504@gmx.net> Date: Mon, 28 Apr 2014 10:34:03 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: <535A3AF4.4060506@gmx.net> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="oXglV5iKG3lVOHlPcBuWN1lEoLA7FlgIT" X-Provags-ID: V03:K0:hf+wSrvIv/i0r8SuOQ9MfEBEFPImDmjsWHgqxC7FDvZ3Q1jD4uO Y0apfBfYK9kWNKcTQphAOBn0VIrDdomVcjiI0BPTrnehEUKmJrjF2yppaFjue93dJRcPiL8 vXdANpkI8AiUA6kt5iNXD7evsIDfxouDvoNiaB0OQiCBas55LflhqHXU/sihWON/x9m3do0 lDxj+9qSEROTneCBBmMbQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/VDOThX7i140E1RzjrjDNO6KCFKw Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 08:37:52 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --oXglV5iKG3lVOHlPcBuWN1lEoLA7FlgIT Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Brian, thanks for the pointers. It is easy to see from your code where the issue is. In your code the \r\n sequence is added at the end of each line but due to the nature of the ASCII draft formatting a reader only sees the \n (new line) but not the \r carriage return. While the draft provides the UTF-8 representation of each individual character but, as I mentioned in my email below, none of the tools I found produce a convenient way to use this as input for the base64url encoding procedure. I believe it would be good to mention that each line in the examples is followed by the \r\n character sequence to make it easier for those who want to re-create the examples. What do you think? Ciao Hannes On 04/25/2014 03:03 PM, Brian Campbell wrote: > So JWT 3.1 is based entirely on, and is just a subset of, JWS Appendix > A.1. And I've got a test which validates that example in my JOSE librar= y > : > https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jw= s/JwsUsingHmacSha256ExampleTest.java >=20 > And here's a verification of the Example Encrypted JWT from Appendix > A.1: > https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jw= e/EncryptedJwtTest.java >=20 > The example in Section 6.1 is different than 3.1 - it's a "Plaintext > JWT" using the "none" JWS alg. I've got verification of that one as wel= l > at the top of > https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jw= s/JwsPlaintextTest.java >=20 >=20 > On Fri, Apr 25, 2014 at 4:37 AM, Hannes Tschofenig > > wrote: >=20 > Hi all, >=20 > As a document shepherd I have to verify the entire document and thi= s > includes the examples as well. >=20 > Section 3.1: >=20 > You write: >=20 > " > The following octet sequence is the UTF-8 representation of the = JWT > Header/JWS Header above: >=20 > [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10,= 32, > 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125] > " >=20 > The values IMHO are represented in Decimal code point rather than O= ctal > UTF-8 bytes, as stated above. > See the following online tool to see the difference: > http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=3D%22&mode=3Dchar >=20 > Note that you could also show a hex encoding instead (e.g., via > http://ostermiller.org/calc/encode.html). Hixie's decoder would the= n > produce the correct decoding. Here is the link to his software: > http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder= > (Note that this program seems to have flaws for most other options.= ) >=20 > When do a Base64URL encoding of >=20 > {"typ":"JWT","alg":"HS256"} >=20 > then I get >=20 > eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 >=20 > but your spec says: >=20 > eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 >=20 > Same with > {"iss":"joe","exp":1300819380,"http://example.com/is_root":true}. >=20 > My result: > eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9= pc19yb290Ijp0cnVlfQ >=20 > Your result: > eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGx= lLmNvbS9pc19yb290Ijp0cnVlfQ >=20 > Note: I am using this online tool for Base64URL encoding: > http://kjur.github.io/jsjws/tool_b64uenc.html. > Interestingly, when I dump the data into http://jwt.io/ then I get = a > correct decoding. It might well be that the kjur.github.io > has a flaw. >=20 > Just wanted to check what tool you have used to create these encodi= ngs. >=20 >=20 > Section 6.1: >=20 > The example in Section 6.1 is the same as in 3.1. Maybe it would be= > useful to show something different here. >=20 > The example in Appendix A.1 is more sophisticated since it demonstr= ates > encryption. To verify it I would need to have a library that suppor= ts > JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which librar= y > have you been using? >=20 > I was wondering whether it would make sense to add two other exampl= es, > namely for integrity protection. One example showing an HMAC-based = keyed > message digest and another one using a digital signature. >=20 > Here is a simple example to add that almost all JWT libraries seem = to be > able to create and verify: >=20 > Header: > {"alg":"HS256","typ":"JWT"} >=20 > I use the HS256 algorithm with a shared secret '12345'. >=20 > Body: >=20 > {"iss":"https://as.example.com","sub":"mailto:john@example.com > ","nbf":1398420753,"exp":1398424353,"iat":= 1398420753} >=20 > jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@examp= le.com > ","nbf":1398420753,"exp":1398424353,"iat":= 1398420753},"12345", > "HS256") >=20 > I used http://www.onlineconversion.com/unix_time.htm to create the > date/time values: > "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT > "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT >=20 > Here is the output created with https://github.com/progrium/pyjwt/ = and > verified with http://jwt.io/: > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW= 1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmN= vbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMW= kHwHezdrv2E1LAVcNdTsq4 >=20 > Ciao > Hannes >=20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 --oXglV5iKG3lVOHlPcBuWN1lEoLA7FlgIT Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTXhJ7AAoJEGhJURNOOiAtSDcH/0lc/ZErdLOC/dm6Es18AYlj K/8t3htSxlWHlrl+1ueXVewQeUhVBVArD9I0AqFYydHysVoSJAAJMUH3NqUVbhCv zMfuqg77nb2aOyj3ys4p0W2UupAz/K3PtjslFG0UNn7GN+QukVIisL85Rka1BQxb p9FvD06s5GU7qBizlIg82nnTZW4iZYoSdpR98uc3OMqFmA2OOgVMubPUcKVGBKeP bfjDEyalN+BhZgonIxN/0PoMl8XTVQbMn4PidIUxh4MSEa74wgKj2BsPqTf9FoI4 XjMQJVivZ65JXNhuJmtQWiJkZXYHvK02Waax68TUMRq6e3jqBP84yGa8r5wwHQw= =4wWP -----END PGP SIGNATURE----- --oXglV5iKG3lVOHlPcBuWN1lEoLA7FlgIT-- From nobody Mon Apr 28 01:42:42 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D8E51A0703 for ; Mon, 28 Apr 2014 01:42:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.551 X-Spam-Level: X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WD5_OHQ8Dgtd for ; Mon, 28 Apr 2014 01:42:38 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 7D8411A06D5 for ; Mon, 28 Apr 2014 01:42:38 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0LnxQO-1X7QFj0mFs-00g1vR; Mon, 28 Apr 2014 10:42:31 +0200 Message-ID: <535E1391.2090909@gmx.net> Date: Mon, 28 Apr 2014 10:38:41 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Mike Jones , Brian Campbell References: <535A3AF4.4060506@gmx.net> <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com> <535A5819.2030805@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A195D48@TK5EX14MBXC288.redmond.corp.microsoft.com> In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A195D48@TK5EX14MBXC288.redmond.corp.microsoft.com> X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="mlLQV2dhTJMjWg7wr1THEIM6sbA9mgvkf" X-Provags-ID: V03:K0:gHqqal/Ur36UkeW3tLBKpb/vjy3Fhagd9issTIYI+nM9o1drDGN gRhWevPW8runDBj8cvI4jeIbo0onmWCKlc/AB/ZVMZUlsqp21FW7MvC2QN/GHxzs3NHjI4x 51POV4ZOpGlDbh8LiZ3TFaToZgkP+QA6giY2YKsmcd89DQeOyQhHgdlEBMIEJxz0EFv2Ffb 20/sFnjNVEzchV79uILBg== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/4IpGHjIUbm0PzdP_-R3m4qY5eJc Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 08:42:40 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --mlLQV2dhTJMjWg7wr1THEIM6sbA9mgvkf Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Mike, On 04/25/2014 06:37 PM, Mike Jones wrote: > While we could add other examples, doing so is beyond the scope of the > immediate mission to validate the existing examples, Hannes. There=E2=80= =99s > lots of examples in the underlying JOSE specs, so it=E2=80=99s not clea= r that we > really need to add additional ones at this time. (If this suggestion > comes up again during IESG review, we could do that, but I don=E2=80=99= t think > it=E2=80=99s necessary at this point to move the spec to IESG review.) >=20 It is certainly true that examples are not mandatory and that the JOSE specs contain a number of examples. Read through the document it came to my mind that the most common uses of JWTs are actually not covered as part of the examples. Many readers look at the examples to quickly get the idea and neither a JWT protected using a MAC is there nor a JWT protected with a digital signature. I will, however, get over it. Ciao Hannes --mlLQV2dhTJMjWg7wr1THEIM6sbA9mgvkf Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTXhORAAoJEGhJURNOOiAtV7YIAIRa22vhRMlp/KgndkSwgvDQ g7OuIsopJO4TWqsAcqjbZsWo44d6lFckcC43xsDU3zE99qNEqbI8apfVP3DIiD0g nlnvqk6rcQus1ciE/TaWXJx7ROtuePHZl+RKRX7GjX8L/8gcAJbCfvGYiwFJoFxW 0B7I91hIof2mkNKQS8+zE3ga+45mLbMxKevBp+FSBf/0C39+A0sppU6f8Tjhl1Xt C3h61myfWj9IinjWjklcPNbytMnX37vNlOjen2HVkzyzCioIXj7ca/435KSJDUYX mQEmi0PBBp2fSvqDhSRNXxogTuvowfxSOwZ/t9I+i6OKwcOoYve1W2Z7dlOQ1Ik= =vy9V -----END PGP SIGNATURE----- --mlLQV2dhTJMjWg7wr1THEIM6sbA9mgvkf-- From nobody Mon Apr 28 01:53:32 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A44D1A08B1 for ; Mon, 28 Apr 2014 01:53:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.151 X-Spam-Level: X-Spam-Status: No, score=-1.151 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UejCurdo807p for ; Mon, 28 Apr 2014 01:53:28 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 2D1181A0912 for ; Mon, 28 Apr 2014 01:53:28 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0LiDnn-1XIAma47Nb-00nN78; Mon, 28 Apr 2014 10:53:20 +0200 Message-ID: <535E160E.3010106@gmx.net> Date: Mon, 28 Apr 2014 10:49:18 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell , John Bradley References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="afv40eJCaJ1pihBUoAAWifA4K5L2VOVeE" X-Provags-ID: V03:K0:3QlUpFisKnMjlB0MwkKpA19bIXy8iZNq2vHJwgYdEPljB2xXEXs 5g6pgq2wcbp6GXEavJ6aU3EPF4+pK+2HMeW4euwaJ1aTw7pzcujrlii9NdSG079aFeTeEnI sE0Av7X4j8KBiyq0YLmvAlsWDVlDMBmo1J7xqQBX9Oq5lkdSF3/CSVBpRL18ta+3V0AuTAy bjSafDbPKeASC+S/0Y2Bg== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/25K-bHp8KZUGeD7uixf5zF8s5nM Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 08:53:31 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --afv40eJCaJ1pihBUoAAWifA4K5L2VOVeE Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi all, your text proposal sounds reasonable and it might, as suggested, indicate what value to put in there for the anonymous user (such as 'anonymous'). Saying explicitly what implementers should be doing helps interoperability. Mentioning the pseudonym is also a good idea since in some cases anonymity can be too strong and pseudonymity is what is desired. For the terminology you could reference RFC 6973. Ciao Hannes PS: A note to various folks in this email thread: We have not discussed this issue before. As I mentioned in my original email we had only discussed a related issue regarding client authentication. Antonio's email lead me to think about the authorization grant, which is obviously a different story (which only happens to be in the same document because of the document structure we came up with). On 04/25/2014 09:57 PM, Brian Campbell wrote: > I absolutely agree with always requiring both issuer and subject and > that doing so keeps the specs simpler and is likely to improve > interoperability. >=20 > However, without changing that, perhaps some of the text in the > document(s) could be improved a bit. Here's a rough proposal: >=20 > Change the text of the second bullet in > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2 t= o >=20 > "The assertion MUST contain a Subject. The Subject typically identifies= > an authorized accessor for which the access token is being requested > (i.e. the resource owner, or an authorized delegate) but, in some cases= , > may be a pseudonym or other value denoting an anonymous user. When the > client is acting on behalf of itself, the Subject MUST be the value of > the client's client_id." >=20 > And also change > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1= to >=20 > "When a client is accessing resources on behalf of an anonymous user, a= > mutually agreed upon Subject identifier indicating anonymity is used. > The Subject value might be an agreed upon static value indicating an > anonymous user or an opaque persistent or transient pseudonym for the > user may also be utilized. The authorization may be based upon > additional criteria, such as additional attributes or claims provided i= n > the assertion. For example, a client may present an assertion from a > trusted issuer asserting that the bearer is over 18 via an included > claim. In this case, no additional information about the user's identit= y > is included, yet all the data needed to issue an access token is presen= t." >=20 > And maybe also change the subject text in SAML and JWT (item #2 in > http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3 and= > http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3) > to read a little more like the new proposed text above for section 5.2 > of the Assertion Framework draft. >=20 > Would that sit any better with you, Hannes? Thoughts from others in the= WG? >=20 >=20 > On Fri, Apr 25, 2014 at 1:08 PM, John Bradley > wrote: >=20 > Agreed. >=20 > On Apr 25, 2014, at 3:07 PM, Mike Jones > wrote: >=20 >> I agree. We=E2=80=99d already discussed this pretty extensively a= nd >> reached the conclusion that always requiring both an issuer and a >> subject both kept the specs simpler and was likely to improve >> interoperability.____ >> =20 >> It=E2=80=99s entirely up to the application profile what the conte= nts of >> the issuer and the subject fields are and so I don=E2=80=99t think= we need >> to further specify their contents beyond what=E2=80=99s already in= the >> specs.____ >> =20 >> -- >> Mike____ >> =20 >> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Brian= >> Campbell >> *Sent:* Friday, April 25, 2014 10:17 AM >> *To:* Hannes Tschofenig >> *Cc:* oauth@ietf.org >> *Subject:* Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject= >> issue____ >> __ __ >> >> I believe, from the thread referenced earlier and prior discussion= >> and draft text, that the WG has reached (rough) consensus to >> require the subject claim. So text that says "Subject element MUST= >> NOT be included" isn't workable.____ >> >> It seems what's needed here is some better explanation of how, in >> cases that need it, the value of the subject can be populated >> without using a PII type value. A simple static value like >> "ANONYMOUS-SUBJECT" could be used. Or, more likely, some kind of >> pairwise persistent pseudonymous identifier would be utilized, >> which would not directly identify the subject but would allow the >> relying party to recognize the same subject on subsequent >> transactions. A transient pseudonym might also be appropriate in >> some cases. And any of those approaches could be used with or >> without additional claims (like age > 18 or membership in some >> group) that get used to make an authorization decision. ____ >> >> I wasn't sure exactly how to articulate all that in text for the >> draft(s) but that's more of what I was asking for when I asked if >> you could propose some text.____ >> >> >> >> >> ____ >> >> __ __ >> >> On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig >> > >> wrote:____ >> Hi Brian, >> >> Thanks for pointing to the assertion framework document. >> Re-reading the >> text it appears that we have listed the case that in Section 6.3.1= but >> have forgotten to cover it elsewhere in the document. >> >> >> In Section 6.3.1 we say: >> >> " >> >> 6.3.1. Client Acting on Behalf of an Anonymous User >> >> When a client is accessing resources on behalf of an anonymous >> user, >> the Subject indicates to the Authorization Server that the >> client is >> acting on-behalf of an anonymous user as defined by the >> Authorization >> Server. It is implied that authorization is based upon additio= nal >> criteria, such as additional attributes or claims provided in t= he >> assertion. For example, a client may present an assertion from= a >> trusted issuer asserting that the bearer is over 18 via an incl= uded >> claim. >> >> ***** >> In this case, no additional information about the user's >> identity is included, yet all the data needed to issue an acces= s >> token is present. >> ***** >> " >> (I marked the relevant part with '***') >> >> >> In Section 5.2, however, we say: >> >> >> o The assertion MUST contain a Subject. The Subject identifie= s an >> authorized accessor for which the access token is being >> requested >> (typically the resource owner, or an authorized delegate). = When >> the client is acting on behalf of itself, the Subject MUST >> be the >> value of the client's "client_id". >> >> >> What we should have done in Section 5.2 is to expand the cases inl= ine >> with what we have written in Section 6. >> >> Here is my proposed text: >> >> " >> o The assertion MUST contain a Subject. The Subject identifies a= n >> authorized accessor for which the access token is being requested_= ___ >> >> (typically the resource owner, or an authorized delegate). >> >> ____ >> >> When the client is acting on behalf of itself, as described in Sec= tion >> 6.1 and Section 6.2, the Subject MUST be the value of the client's= >> "client_id". >> >> When the client is acting on behalf of an user, as described in >> Section >> 6.3, the Subject element MUST be included in the assertion and >> identifies an authorized accessor for which the access token is be= ing >> requested. >> >> When the client is acting on behalf of an anonymous user, as descr= ibed >> in Section 6.3.1, the Subject element MUST NOT be included in the >> assertion. Other elements within the assertion will, however, prov= ide >> enough information for the authorization server to make an >> authorization >> decision. >> " >> >> Does this make sense to you? >> >> Ciao >> Hannes____ >> >> >> On 04/24/2014 02:30 PM, Brian Campbell wrote: >> > There is some discussion of that case in the assertion framework= >> > document at >> > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#sectio= n-6.3.1 >> > >> > Do you feel that more is needed? If so, can you propose some tex= t? >> > >> > >> > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig____ >> > > > >> wrote: >> > >> > Hi Brian, >> > >> > I read through the thread and the Google case is a bit >> different since >> > they are using the client authentication part of the JWT >> bearer spec. >> > There I don't see the privacy concerns either. >> > >> > I am, however, focused on the authorization grant where the >> subject is >> > in most cases the resource owner. >> > >> > It is possible to put garbage into the subject element when >> privacy >> > protection is needed for the resource owner case but that >> would need to >> > be described in the document; currently it is not there. >> > >> > Ciao >> > Hannes >> > >> > >> > On 04/24/2014 12:37 AM, Brian Campbell wrote: >> > > That thread that Antonio started which you reference went >> on for some >> > > time >> > > >> > =20 >> (http://www.ietf.org/mail-archive/web/oauth/current/threads.html#1= 2520) >> > > and seems to have reached consensus that the spec didn't n= eed >> > normative >> > > change and that such privacy cases or other cases which di= dn't >> > > explicitly need a subject identifier would be more >> appropriately dealt >> > > with in application logic: >> > =20 >> > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html= >> > > >> > > >> > > >> > > >> > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig >> > > > > >____ >> > > ____ >> > > >>> wrote: >> > > >> > > Hi all, >> > > >> > > in preparing the shepherd write-up for >> > draft-ietf-oauth-jwt-bearer-08 I >> > > had to review our recent email conversations and the i= ssue >> > raised by >> > > Antonio in >> > > >> > =20 >> http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html= belong >> > > to it. >> > > >> > > The issue was that Section 3 of >> draft-ietf-oauth-jwt-bearer-08 >> > says: >> > > " >> > > 2. The JWT MUST contain a "sub" (subject) claim >> > identifying the >> > > principal that is the subject of the JWT. Two= >> cases >> > need to be >> > > differentiated: >> > > >> > > A. For the authorization grant, the subject >> SHOULD >> > identify an >> > > authorized accessor for whom the access >> token is being >> > > requested (typically the resource owner, o= r an >> > authorized >> > > delegate). >> > > >> > > B. For client authentication, the subject >> MUST be the >> > > "client_id" of the OAuth client. >> > > " >> > > >> > > Antonio pointed to the current Google API to >> illustrate that >> > the subject >> > > is not always needed. Here is the Google API >> documentation: >> > > =20 >> https://developers.google.com/accounts/docs/OAuth2ServiceAccount= >> > > >> > > The Google API used the client authentication part (ra= ther >> > than the >> > > authorization grant), in my understanding. >> > > >> > > I still believe that the subject field has to be >> included for >> > client >> > > authentication but I am not so sure anymore about the >> > authorization >> > > grant since I could very well imagine cases where the >> subject >> > is not >> > > needed for authorization decisions but also for >> privacy reasons. >> > > >> > > I would therefore suggest to change the text as follow= s: >> > > >> > > " >> > > 2. The JWT contains a "sub" (subject) claim >> identifying the >> > > principal that is the subject of the JWT. Two= >> cases >> > need to be >> > > differentiated: >> > > >> > > A. For the authorization grant, the subject >> claim MAY >> > > be included. If it is included it MUST >> identify the >> > > authorized accessor for whom the access >> token is being >> > > requested (typically the resource owner, o= r an >> > authorized >> > > delegate). Reasons for not including the >> subject claim >> > > in the JWT are identity hiding (i.e., priv= acy >> > protection >> > > of the identifier of the subject) and >> cases where >> > > the identifier of the subject is >> irrelevant for making >> > > an authorization decision by the resource >> server. >> > > >> > > B. For client authentication, the subject >> MUST be the >> > > included in the JWT and the value MUST be >> populated >> > > with the "client_id" of the OAuth client. >> > > " >> > > >> > > What do you guys think? >> > > >> > > Ciao >> > > Hannes >> > > >> > > >> > > _______________________________________________ >> > > OAuth mailing list____ >> >> > > OAuth@ietf.org >> > > > >> > >> >> > > https://www.ietf.org/mailman/listinfo/oauth >> > > >> > > >> > >> >____ >> >> __ __ >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 --afv40eJCaJ1pihBUoAAWifA4K5L2VOVeE Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTXhYOAAoJEGhJURNOOiAt1xkIAJzZxPi7yUeKxGLoVmJWIVgD 8lu6kyqRjy+p/pbD77Q4oseq1njx43Cw+5YKU3YzSO5gOJGM/HGhznJAOMFKGVTL 4p6iAK4iIOrOldaUiMfNMoeG+tW/z3YRIG6onxLn7VsC2sPtge90vG1ipPoCfzBr wRYqIMUDoW6Ds5HOISkqiyWmBjsR+6LuMNcRtZduqC58cYW827Dy0Hx+YJo25CPk J7pzPcUcdwM/NLTTJpsP5m1ATB8/Mt4G283KBOPSbSK2TW95m1ZnzlenU/UJ78s0 Qoz3+EJPe/Kf8pcnHe6FMbjMuAMe0lFD7WCngglEH6h9iTwMJpxB4HTYuVPsCuI= =78xs -----END PGP SIGNATURE----- --afv40eJCaJ1pihBUoAAWifA4K5L2VOVeE-- From nobody Mon Apr 28 05:51:14 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02BBB1A0710 for ; Mon, 28 Apr 2014 05:51:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.211 X-Spam-Level: X-Spam-Status: No, score=0.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, FR_TEST_BASE64_BAD=3.189, HTML_MESSAGE=0.001, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nb0LPx1SRcUn for ; Mon, 28 Apr 2014 05:51:11 -0700 (PDT) Received: from na3sys009aog115.obsmtp.com (na3sys009aog115.obsmtp.com [74.125.149.238]) by ietfa.amsl.com (Postfix) with ESMTP id F27771A047C for ; Mon, 28 Apr 2014 05:51:09 -0700 (PDT) Received: from mail-ie0-f181.google.com ([209.85.223.181]) (using TLSv1) by na3sys009aob115.postini.com ([74.125.148.12]) with SMTP ID DSNKU15OvVxacHNm0DGbXL59K+6xegZRZRp6@postini.com; Mon, 28 Apr 2014 05:51:09 PDT Received: by mail-ie0-f181.google.com with SMTP id y20so4572045ier.40 for ; Mon, 28 Apr 2014 05:51:09 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=7yttI/rN4PqJnbcsckVtV+wNToOFyByEuWeX1dga+Eo=; b=WwQ+pvBrRq57FfV8EukwqaKdfLWl/syKZOp6sc7pjLeNeJlPHjdHqdnqIyRR0VlmcI fJdvxCtPJgF9DZGEPDCb/Z4HWGxFxMf76y+oWLaCC+JIu4lLvVDEoGtehhcXyo+Dg5sO RIt2SOFdKkBJOusS2BcYv97DPKGU68rlcd5wUJIHvySiAZGGQgP3BW906Wg60U3Qbrq3 Eaymh5aDuGYdZZDJRdJfjdK1p37VVAKz1YqOJ4reE7zOUC+UJgMCCgh1QD2e9gfRsCSo 5E6e0Pj5YoXJF0gWeLnngOv3cy8YTtq0SdwJsO+rnfHiqxpAZeuKHXTp0mRTMbshy55d C4vg== X-Gm-Message-State: ALoCoQkdV5LiQ6eSugj8UrXLwplqd94GwYmtSKaxNFcBVAwHV6EtyKAt698xx9u+t1RMA4McLrFb7tUBMkM94tqgRZidEmyZRwXlAJc7RGa0lHUEEeW1lpFqUw2n464xQLLFQpyQRGxv X-Received: by 10.43.148.66 with SMTP id kf2mr21636551icc.30.1398689469013; Mon, 28 Apr 2014 05:51:09 -0700 (PDT) X-Received: by 10.43.148.66 with SMTP id kf2mr21636532icc.30.1398689468779; Mon, 28 Apr 2014 05:51:08 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Mon, 28 Apr 2014 05:50:38 -0700 (PDT) In-Reply-To: <535E127B.2010504@gmx.net> References: <535A3AF4.4060506@gmx.net> <535E127B.2010504@gmx.net> From: Brian Campbell Date: Mon, 28 Apr 2014 06:50:38 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=001a11c2e5acf0256404f819c4bc Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/zP1pikfoVkguxaGJj70p_yjEG6M Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 12:51:13 -0000 --001a11c2e5acf0256404f819c4bc Content-Type: text/plain; charset=UTF-8 To be honest, I'm kind of indifferent to it. Yes, the input into the example encodings do include CR+LF (the editor is a Microsoft guy after all) but they also have space characters that are removed from the beginning of each line, which isn't exactly obvious. Describing that in a way that everyone will find easy to understand and use seems like a difficult endeavor. The octet sequence is there to unambiguously show what the input into the encoding was. And one can also always decode the base64url content too, to see exactly what the input was. So, yeah, I don't know. I'm not against mentioning the \r\n but I don't personally think it helps much. On Mon, Apr 28, 2014 at 2:34 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi Brian, > > thanks for the pointers. > > It is easy to see from your code where the issue is. In your code the > \r\n sequence is added at the end of each line but due to the nature of > the ASCII draft formatting a reader only sees the \n (new line) but not > the \r carriage return. > > While the draft provides the UTF-8 representation of each individual > character but, as I mentioned in my email below, none of the tools I > found produce a convenient way to use this as input for the base64url > encoding procedure. > > I believe it would be good to mention that each line in the examples is > followed by the \r\n character sequence to make it easier for those who > want to re-create the examples. > > What do you think? > > Ciao > Hannes > > > On 04/25/2014 03:03 PM, Brian Campbell wrote: > > So JWT 3.1 is based entirely on, and is just a subset of, JWS Appendix > > A.1. And I've got a test which validates that example in my JOSE library > > : > > > https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsUsingHmacSha256ExampleTest.java > > > > And here's a verification of the Example Encrypted JWT from Appendix > > A.1: > > > https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jwe/EncryptedJwtTest.java > > > > The example in Section 6.1 is different than 3.1 - it's a "Plaintext > > JWT" using the "none" JWS alg. I've got verification of that one as well > > at the top of > > > https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsPlaintextTest.java > > > > > > On Fri, Apr 25, 2014 at 4:37 AM, Hannes Tschofenig > > > wrote: > > > > Hi all, > > > > As a document shepherd I have to verify the entire document and this > > includes the examples as well. > > > > Section 3.1: > > > > You write: > > > > " > > The following octet sequence is the UTF-8 representation of the > JWT > > Header/JWS Header above: > > > > [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, > 32, > > 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125] > > " > > > > The values IMHO are represented in Decimal code point rather than > Octal > > UTF-8 bytes, as stated above. > > See the following online tool to see the difference: > > http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char > > > > Note that you could also show a hex encoding instead (e.g., via > > http://ostermiller.org/calc/encode.html). Hixie's decoder would then > > produce the correct decoding. Here is the link to his software: > > http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder > > (Note that this program seems to have flaws for most other options.) > > > > When do a Base64URL encoding of > > > > {"typ":"JWT","alg":"HS256"} > > > > then I get > > > > eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 > > > > but your spec says: > > > > eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 > > > > Same with > > {"iss":"joe","exp":1300819380,"http://example.com/is_root":true}. > > > > My result: > > > eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > > > > Your result: > > > eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > > > > Note: I am using this online tool for Base64URL encoding: > > http://kjur.github.io/jsjws/tool_b64uenc.html. > > Interestingly, when I dump the data into http://jwt.io/ then I get a > > correct decoding. It might well be that the kjur.github.io > > has a flaw. > > > > Just wanted to check what tool you have used to create these > encodings. > > > > > > Section 6.1: > > > > The example in Section 6.1 is the same as in 3.1. Maybe it would be > > useful to show something different here. > > > > The example in Appendix A.1 is more sophisticated since it > demonstrates > > encryption. To verify it I would need to have a library that supports > > JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library > > have you been using? > > > > I was wondering whether it would make sense to add two other > examples, > > namely for integrity protection. One example showing an HMAC-based > keyed > > message digest and another one using a digital signature. > > > > Here is a simple example to add that almost all JWT libraries seem > to be > > able to create and verify: > > > > Header: > > {"alg":"HS256","typ":"JWT"} > > > > I use the HS256 algorithm with a shared secret '12345'. > > > > Body: > > > > {"iss":"https://as.example.com","sub":"mailto:john@example.com > > >","nbf":1398420753,"exp":1398424353,"iat":1398420753} > > > > jwt.encode({"iss":"https://as.example.com","sub":"mailto: > john@example.com > > >","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345", > > "HS256") > > > > I used http://www.onlineconversion.com/unix_time.htm to create the > > date/time values: > > "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > > "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT > > "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > > > > Here is the output created with https://github.com/progrium/pyjwt/and > > verified with http://jwt.io/: > > > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4 > > > > Ciao > > Hannes > > > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > --001a11c2e5acf0256404f819c4bc Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
To be honest, I'm kind of indifferent to it. Yes,= the input into the example encodings do include CR+LF (the editor is a Mic= rosoft guy after all) but they also have space characters that are removed = from the beginning of each line, which isn't exactly obvious. Describin= g that in a way that everyone will find easy to understand and use seems li= ke a difficult endeavor. The octet sequence is there to unambiguously show = what the input into the encoding was. And one can also always decode the ba= se64url content too, to see exactly what the input was.

So, yeah, I don't know. I'm not against mentioning the \r= \n but I don't personally think it helps much.




On Mon, Apr 28, 2014 = at 2:34 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
Hi Brian,

thanks for the pointers.

It is easy to see from your code where the issue is. In your code the
\r\n sequence is added at the end of each line but due to the nature of
the ASCII draft formatting a reader only sees the \n (new line) but not
the \r carriage return.

While the draft provides the UTF-8 representation of each individual
character but, as I mentioned in my email below, none of the tools I
found produce a convenient way to use this as input for the base64url
encoding procedure.

I believe it would be good to mention that each line in the examples is
followed by the \r\n character sequence to make it easier for those who
want to re-create the examples.

What do you think?

Ciao
Hannes


On 04/25/2014 03:03 PM, Brian Campbell wrote:
> So JWT 3.1 is based entirely on, and is just a subset of, JWS Appendix=
> A.1. And I've got a test which validates that example in my JOSE l= ibrary
> <https://bitbucket.org/b_c/jose4j>:
> https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose= 4j/jws/JwsUsingHmacSha256ExampleTest.java
>
> And here's a verification of the Example Encrypted JWT from Append= ix
> A.1:
> https://bitbucket.or= g/b_c/jose4j/src/master/src/test/java/org/jose4j/jwe/EncryptedJwtTest.java<= /a>
>
> The example in Section 6.1 is different than 3.1 - it's a "Pl= aintext
> JWT" using the "none" JWS alg. I've got verificatio= n of that one as well
> at the top of
> https://bitbucket.or= g/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsPlaintextTest.java<= /a>
>
>
> On Fri, Apr 25, 2014 at 4:37 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>
> =C2=A0 =C2=A0 Hi all,
>
> =C2=A0 =C2=A0 As a document shepherd I have to verify the entire docum= ent and this
> =C2=A0 =C2=A0 includes the examples as well.
>
> =C2=A0 =C2=A0 Section 3.1:
>
> =C2=A0 =C2=A0 You write:
>
> =C2=A0 =C2=A0 "
> =C2=A0 =C2=A0 =C2=A0 =C2=A0The following octet sequence is the UTF-8 r= epresentation of the JWT
> =C2=A0 =C2=A0 =C2=A0 =C2=A0Header/JWS Header above:
>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0[123, 34, 116, 121, 112, 34, 58, 34, 74, 87= , 84, 34, 44, 13, 10, 32,
> =C2=A0 =C2=A0 =C2=A0 =C2=A034, 97, 108, 103, 34, 58, 34, 72, 83, 50, 5= 3, 54, 34, 125]
> =C2=A0 =C2=A0 "
>
> =C2=A0 =C2=A0 The values IMHO are represented in Decimal code point ra= ther than Octal
> =C2=A0 =C2=A0 UTF-8 bytes, as stated above.
> =C2=A0 =C2=A0 See the following online tool to see the difference:
> =C2=A0 =C2=A0 http://www.ltg.ed.ac.uk/~richa= rd/utf-8.cgi?input=3D%22&mode=3Dchar
>
> =C2=A0 =C2=A0 Note that you could also show a hex encoding instead (e.= g., via
> =C2=A0 =C2=A0 http://ostermiller.org/calc/encode.html). Hixie's dec= oder would then
> =C2=A0 =C2=A0 produce the correct decoding. Here is the link to his so= ftware:
> =C2=A0 =C2=A0 http://software.hixie.ch/utilitie= s/cgi/unicode-decoder/utf8-decoder
> =C2=A0 =C2=A0 (Note that this program seems to have flaws for most oth= er options.)
>
> =C2=A0 =C2=A0 When do a Base64URL encoding of
>
> =C2=A0 =C2=A0 {"typ":"JWT","alg":"H= S256"}
>
> =C2=A0 =C2=A0 then I get
>
> =C2=A0 =C2=A0 eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
>
> =C2=A0 =C2=A0 but your spec says:
>
> =C2=A0 =C2=A0 eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
>
> =C2=A0 =C2=A0 Same with
> =C2=A0 =C2=A0 {"iss":"joe","exp":1300819= 380,"http://e= xample.com/is_root":true}.
>
> =C2=A0 =C2=A0 My result:
> =C2=A0 =C2=A0 eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFt= cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
> =C2=A0 =C2=A0 Your result:
> =C2=A0 =C2=A0 eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6= Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
> =C2=A0 =C2=A0 Note: I am using this online tool for Base64URL encoding= :
> =C2=A0 =C2=A0 http://kjur.github.io/jsjws/tool_b64uenc.html.
> =C2=A0 =C2=A0 Interestingly, when I dump the data into http://jwt.io/ then I get a
> =C2=A0 =C2=A0 correct decoding. It might well be that the kjur.github.io
> =C2=A0 =C2=A0 <http://kjur.github.io> has a flaw.
>
> =C2=A0 =C2=A0 Just wanted to check what tool you have used to create t= hese encodings.
>
>
> =C2=A0 =C2=A0 Section 6.1:
>
> =C2=A0 =C2=A0 The example in Section 6.1 is the same as in 3.1. Maybe = it would be
> =C2=A0 =C2=A0 useful to show something different here.
>
> =C2=A0 =C2=A0 The example in Appendix A.1 is more sophisticated since = it demonstrates
> =C2=A0 =C2=A0 encryption. To verify it I would need to have a library = that supports
> =C2=A0 =C2=A0 JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. W= hich library
> =C2=A0 =C2=A0 have you been using?
>
> =C2=A0 =C2=A0 I was wondering whether it would make sense to add two o= ther examples,
> =C2=A0 =C2=A0 namely for integrity protection. One example showing an = HMAC-based keyed
> =C2=A0 =C2=A0 message digest and another one using a digital signature= .
>
> =C2=A0 =C2=A0 Here is a simple example to add that almost all JWT libr= aries seem to be
> =C2=A0 =C2=A0 able to create and verify:
>
> =C2=A0 =C2=A0 Header:
> =C2=A0 =C2=A0 {"alg":"HS256","typ":"= ;JWT"}
>
> =C2=A0 =C2=A0 I use the HS256 algorithm with a shared secret '1234= 5'.
>
> =C2=A0 =C2=A0 Body:
>
> =C2=A0 =C2=A0 {"iss":"https://as.example.com","sub":"= mailto:john@example.com
> =C2=A0 =C2=A0 <mailto:john@exam= ple.com>","nbf":1398420753,"exp":1398424353= ,"iat":1398420753}
>
> =C2=A0 =C2=A0 jwt.encode({"iss":"https://as.example.com","sub&q= uot;:"mailto:john@example.com<= br> > =C2=A0 =C2=A0 <mailto:john@exam= ple.com>","nbf":1398420753,"exp":1398424353= ,"iat":1398420753},"12345",
> =C2=A0 =C2=A0 "HS256")
>
> =C2=A0 =C2=A0 I used http://www.onlineconversion.com/unix_time.htm to create the
> =C2=A0 =C2=A0 date/time values:
> =C2=A0 =C2=A0 "nbf":1398420753 --> Fri, 25 Apr 2014 10:12= :33 GMT
> =C2=A0 =C2=A0 "exp":1398424353 --> Fri, 25 Apr 2014 11:12= :33 GMT
> =C2=A0 =C2=A0 "iat":1398420753 --> Fri, 25 Apr 2014 10:12= :33 GMT
>
> =C2=A0 =C2=A0 Here is the output created with https://github.com/progrium/pyjwt/= and
> =C2=A0 =C2=A0 verified with http://jwt.io/:
> =C2=A0 =C2=A0 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczo= vL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleG= FtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP= 7hN6sMWkHwHezdrv2E1LAVcNdTsq4
>
> =C2=A0 =C2=A0 Ciao
> =C2=A0 =C2=A0 Hannes
>
>
>
> =C2=A0 =C2=A0 _______________________________________________
> =C2=A0 =C2=A0 OAuth mailing list
> =C2=A0 =C2=A0 OAuth@ietf= .org <mailto:OAuth@ietf.org>= ;
> =C2=A0 =C2=A0 https://www.ietf.org/mailman/listinfo/oauth
>
>


--001a11c2e5acf0256404f819c4bc-- From nobody Mon Apr 28 07:34:52 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D5651A6F12 for ; Mon, 28 Apr 2014 07:34:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.951 X-Spam-Level: X-Spam-Status: No, score=-1.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EU4e0IYUuS1Q for ; Mon, 28 Apr 2014 07:34:49 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id 2BE091A6F07 for ; Mon, 28 Apr 2014 07:34:49 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0Lz3rc-1X0poT1hke-014DQ5; Mon, 28 Apr 2014 16:34:45 +0200 Message-ID: <535E661C.9080002@gmx.net> Date: Mon, 28 Apr 2014 16:30:52 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Brian Campbell References: <535A3AF4.4060506@gmx.net> <535E127B.2010504@gmx.net> In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="jJEfpDc1LJnnWLE16f7upiQ9b5TebFDSw" X-Provags-ID: V03:K0:k3g952YFMuLw+bldGRx+IQBrlMvQKdcOu5aO3aAuXHUWzJXG5o5 yz/NUsbzaI9lNSfFXWEeDU5eAr0i6eHii0jHM0doBz+ZsuOvyVqklbSCEVGeq1Rd3R9bgCk 9HZds8OaY7FeJ8ZE8dO8ycpr7maSY73l3ZuJKL4b7jG+nAkMeZbN1J+7Al+cBreUPpmNcQm ye4ZQSNdLMcTw9wtkyVuQ== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/ozUfHzRy-neFgQSDobqBMzwKF3E Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 14:34:51 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --jJEfpDc1LJnnWLE16f7upiQ9b5TebFDSw Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable It would be nice to be able to verify the examples in the document(s). I understand that the ASCII draft format provides a number of limitations. I wonder what others think. Have you tried to verify the examples? Have you encounter problems yourself as well? Ciao Hannes On 04/28/2014 02:50 PM, Brian Campbell wrote: > To be honest, I'm kind of indifferent to it. Yes, the input into the > example encodings do include CR+LF (the editor is a Microsoft guy after= > all) but they also have space characters that are removed from the > beginning of each line, which isn't exactly obvious. Describing that in= > a way that everyone will find easy to understand and use seems like a > difficult endeavor. The octet sequence is there to unambiguously show > what the input into the encoding was. And one can also always decode th= e > base64url content too, to see exactly what the input was. >=20 > So, yeah, I don't know. I'm not against mentioning the \r\n but I don't= > personally think it helps much. >=20 >=20 >=20 >=20 > On Mon, Apr 28, 2014 at 2:34 AM, Hannes Tschofenig > > wrote: >=20 > Hi Brian, >=20 > thanks for the pointers. >=20 > It is easy to see from your code where the issue is. In your code t= he > \r\n sequence is added at the end of each line but due to the natur= e of > the ASCII draft formatting a reader only sees the \n (new line) but= not > the \r carriage return. >=20 > While the draft provides the UTF-8 representation of each individua= l > character but, as I mentioned in my email below, none of the tools = I > found produce a convenient way to use this as input for the base64u= rl > encoding procedure. >=20 > I believe it would be good to mention that each line in the example= s is > followed by the \r\n character sequence to make it easier for those= who > want to re-create the examples. >=20 > What do you think? >=20 > Ciao > Hannes >=20 >=20 > On 04/25/2014 03:03 PM, Brian Campbell wrote: > > So JWT 3.1 is based entirely on, and is just a subset of, JWS App= endix > > A.1. And I've got a test which validates that example in my JOSE > library > > : > > > https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4= j/jws/JwsUsingHmacSha256ExampleTest.java > > > > And here's a verification of the Example Encrypted JWT from Appen= dix > > A.1: > > > https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4= j/jwe/EncryptedJwtTest.java > > > > The example in Section 6.1 is different than 3.1 - it's a "Plaint= ext > > JWT" using the "none" JWS alg. I've got verification of that one > as well > > at the top of > > > https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4= j/jws/JwsPlaintextTest.java > > > > > > On Fri, Apr 25, 2014 at 4:37 AM, Hannes Tschofenig > > > >> wrote: > > > > Hi all, > > > > As a document shepherd I have to verify the entire document > and this > > includes the examples as well. > > > > Section 3.1: > > > > You write: > > > > " > > The following octet sequence is the UTF-8 representation o= f > the JWT > > Header/JWS Header above: > > > > [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, > 13, 10, 32, > > 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]= > > " > > > > The values IMHO are represented in Decimal code point rather > than Octal > > UTF-8 bytes, as stated above. > > See the following online tool to see the difference: > > http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=3D%22&mode=3D= char > > > > Note that you could also show a hex encoding instead (e.g., v= ia > > http://ostermiller.org/calc/encode.html). Hixie's decoder > would then > > produce the correct decoding. Here is the link to his softwar= e: > > =20 > http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder= > > (Note that this program seems to have flaws for most other > options.) > > > > When do a Base64URL encoding of > > > > {"typ":"JWT","alg":"HS256"} > > > > then I get > > > > eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 > > > > but your spec says: > > > > eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 > > > > Same with > > {"iss":"joe","exp":1300819380,"http://example.com/is_root":tr= ue}. > > > > My result: > > =20 > eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9= pc19yb290Ijp0cnVlfQ > > > > Your result: > > =20 > eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGx= lLmNvbS9pc19yb290Ijp0cnVlfQ > > > > Note: I am using this online tool for Base64URL encoding: > > http://kjur.github.io/jsjws/tool_b64uenc.html. > > Interestingly, when I dump the data into http://jwt.io/ then = I > get a > > correct decoding. It might well be that the kjur.github.io > > > has a flaw. > > > > Just wanted to check what tool you have used to create these > encodings. > > > > > > Section 6.1: > > > > The example in Section 6.1 is the same as in 3.1. Maybe it > would be > > useful to show something different here. > > > > The example in Appendix A.1 is more sophisticated since it > demonstrates > > encryption. To verify it I would need to have a library that > supports > > JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which > library > > have you been using? > > > > I was wondering whether it would make sense to add two other > examples, > > namely for integrity protection. One example showing an > HMAC-based keyed > > message digest and another one using a digital signature. > > > > Here is a simple example to add that almost all JWT libraries= > seem to be > > able to create and verify: > > > > Header: > > {"alg":"HS256","typ":"JWT"} > > > > I use the HS256 algorithm with a shared secret '12345'. > > > > Body: > > > > {"iss":"https://as.example.com","sub":"mailto:john@example.co= m > > > >","nbf":1398420753,"exp":1398424353,"iat"= :1398420753} > > > > =20 > jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@examp= le.com > > > >","nbf":1398420753,"exp":1398424353,"iat"= :1398420753},"12345", > > "HS256") > > > > I used http://www.onlineconversion.com/unix_time.htm to creat= e the > > date/time values: > > "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > > "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT > > "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > > > > Here is the output created with > https://github.com/progrium/pyjwt/ and > > verified with http://jwt.io/: > > =20 > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW= 1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmN= vbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMW= kHwHezdrv2E1LAVcNdTsq4 > > > > Ciao > > Hannes > > > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > > https://www.ietf.org/mailman/listinfo/oauth > > > > >=20 >=20 --jJEfpDc1LJnnWLE16f7upiQ9b5TebFDSw Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTXmYcAAoJEGhJURNOOiAterYH/1wOdz7TGUQ2J7N5covQa3Fj pgEnAK/CuTN5fbWNCke04x6AeKlRbgzqz1p1OEUAGeqq6uE9+BWh6b8aTEFIsDdd 6d22M7I34mTpjekCT/0Y6Z0e2eciDxZPH3z2OUBtwN7QG5h593UFQMUwsACFyicT v40hppMN8yIVsoBxwkcmdRcoLT0M8Vckr4NWXtsNOivBPy2cTvL1fxiCPhXgZprz 0btPprPpedELYHXvNXUTtk68qlDsQrfJOAIDUcR+PAJAIJjhnrD3mw/CJGPrnyEY MIrq1UXTfrQVZHUHtmGKNNkBIfYM2gF39wL3nzDXpOEvjolZ/ePaI6IPQxCLzcI= =iUwK -----END PGP SIGNATURE----- --jJEfpDc1LJnnWLE16f7upiQ9b5TebFDSw-- From nobody Mon Apr 28 08:48:53 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9453F1A0842 for ; Mon, 28 Apr 2014 08:48:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.002 X-Spam-Level: X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ld6K4XS7M05q for ; Mon, 28 Apr 2014 08:48:50 -0700 (PDT) Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0238.outbound.protection.outlook.com [207.46.163.238]) by ietfa.amsl.com (Postfix) with ESMTP id EE0E51A07A6 for ; Mon, 28 Apr 2014 08:48:49 -0700 (PDT) Received: from DM2PR03CA002.namprd03.prod.outlook.com (10.141.52.150) by DM2PR03MB557.namprd03.prod.outlook.com (10.141.82.152) with Microsoft SMTP Server (TLS) id 15.0.921.12; Mon, 28 Apr 2014 15:48:47 +0000 Received: from BN1BFFO11FD039.protection.gbl (2a01:111:f400:7c10::1:102) by DM2PR03CA002.outlook.office365.com (2a01:111:e400:2414::22) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Mon, 28 Apr 2014 15:48:47 +0000 Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD039.mail.protection.outlook.com (10.58.144.102) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Mon, 28 Apr 2014 15:48:47 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.03.0181.007; Mon, 28 Apr 2014 15:48:15 +0000 From: Mike Jones To: Hannes Tschofenig , Brian Campbell Thread-Topic: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples Thread-Index: AQHPYHPsqQW6K7XM2UikgyZnVh8GF5siTKYAgARrqoCAAEewAIAAHAEAgAASguA= Date: Mon, 28 Apr 2014 15:48:14 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A19888B@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <535A3AF4.4060506@gmx.net> <535E127B.2010504@gmx.net> <535E661C.9080002@gmx.net> In-Reply-To: <535E661C.9080002@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(479174003)(51704005)(189002)(199002)(53754006)(377454003)(13464003)(24454002)(83072002)(2656002)(74662001)(81342001)(31966008)(15202345003)(66066001)(47776003)(23676002)(87936001)(85852003)(80022001)(77982001)(575784001)(79102001)(81542001)(92726001)(92566001)(50986999)(6806004)(33656001)(15975445006)(99396002)(76176999)(54356999)(19580405001)(55846006)(86362001)(83322001)(15395725003)(97736001)(50466002)(46102001)(84676001)(2009001)(20776003)(80976001)(4396001)(19580395003)(44976005)(76482001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM2PR03MB557; H:mail.microsoft.com; FPR:EE6DF1E6.96FA5111.8FEF7197.5BFB6241.207C7; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01952C6E96 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/yorArhw8sth45MixCixle8LXpPw Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 15:48:52 -0000 SSdtIG5vdCBvcHBvc2VkIHRvIHNheWluZyBtb3JlIGFib3V0IHRoZSBmYWN0IHRoYXQgaW4gb3Jk ZXIgdG8gdmVyaWZ5IHRoZSBleGFtcGxlcywgcGVvcGxlIG5lZWQgdG8gdXNlIHRoZSBvY3RldCBz ZXF1ZW5jZSByZXByZXNlbnRhdGlvbiwgcmF0aGVyIHRoYW4gdGhlIEFTQ0lJIHJlcHJlc2VudGF0 aW9uLCBzaW5jZSBhc3BlY3RzIG9mIHRoZSBBU0NJSSByZW5kZXJpbmcgd2lsbCB2YXJ5LCBpbmNs dWRpbmcgd2hldGhlciBsaW5lcyBhcmUgdGVybWluYXRlZCBieSBDUkxGIG9yIExGIHNlcXVlbmNl cyBhbmQgaW4gdGhlIG51bWJlciBvZiBzcGFjZXMgYXQgdGhlIGJlZ2lubmluZyBhbmQgZW5kcyBv ZiBsaW5lcy4NCg0KSSBhbHJlYWR5IGhhdmUgdG8gcHJvZHVjZSBhbiB1cGRhdGVkIGRyYWZ0IHRv IHN3YXAgd2hldGhlciB0d28gcmVmZXJlbmNlcyBhcmUgbm9ybWF0aXZlIG9yIGluZm9ybWF0aXZl LCBzbyBJIGNhbiBhZGQgdGhpcyBjYXZlYXQgdGhpcyBhdCB0aGUgc2FtZSB0aW1lLg0KDQoJCQkJ LS0gTWlrZQ0KDQotLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KRnJvbTogT0F1dGggW21haWx0 bzpvYXV0aC1ib3VuY2VzQGlldGYub3JnXSBPbiBCZWhhbGYgT2YgSGFubmVzIFRzY2hvZmVuaWcN ClNlbnQ6IE1vbmRheSwgQXByaWwgMjgsIDIwMTQgNzozMSBBTQ0KVG86IEJyaWFuIENhbXBiZWxs DQpDYzogb2F1dGhAaWV0Zi5vcmcNClN1YmplY3Q6IFJlOiBbT0FVVEgtV0ddIGRyYWZ0LWlldGYt b2F1dGgtanNvbi13ZWItdG9rZW4tMTkgLSBFeGFtcGxlcw0KDQpJdCB3b3VsZCBiZSBuaWNlIHRv IGJlIGFibGUgdG8gdmVyaWZ5IHRoZSBleGFtcGxlcyBpbiB0aGUgZG9jdW1lbnQocykuIEkgdW5k ZXJzdGFuZCB0aGF0IHRoZSBBU0NJSSBkcmFmdCBmb3JtYXQgcHJvdmlkZXMgYSBudW1iZXIgb2Yg bGltaXRhdGlvbnMuDQoNCkkgd29uZGVyIHdoYXQgb3RoZXJzIHRoaW5rLiBIYXZlIHlvdSB0cmll ZCB0byB2ZXJpZnkgdGhlIGV4YW1wbGVzPyBIYXZlIHlvdSBlbmNvdW50ZXIgcHJvYmxlbXMgeW91 cnNlbGYgYXMgd2VsbD8NCg0KQ2lhbw0KSGFubmVzDQoNCk9uIDA0LzI4LzIwMTQgMDI6NTAgUE0s IEJyaWFuIENhbXBiZWxsIHdyb3RlOg0KPiBUbyBiZSBob25lc3QsIEknbSBraW5kIG9mIGluZGlm ZmVyZW50IHRvIGl0LiBZZXMsIHRoZSBpbnB1dCBpbnRvIHRoZSANCj4gZXhhbXBsZSBlbmNvZGlu Z3MgZG8gaW5jbHVkZSBDUitMRiAodGhlIGVkaXRvciBpcyBhIE1pY3Jvc29mdCBndXkgDQo+IGFm dGVyDQo+IGFsbCkgYnV0IHRoZXkgYWxzbyBoYXZlIHNwYWNlIGNoYXJhY3RlcnMgdGhhdCBhcmUg cmVtb3ZlZCBmcm9tIHRoZSANCj4gYmVnaW5uaW5nIG9mIGVhY2ggbGluZSwgd2hpY2ggaXNuJ3Qg ZXhhY3RseSBvYnZpb3VzLiBEZXNjcmliaW5nIHRoYXQgDQo+IGluIGEgd2F5IHRoYXQgZXZlcnlv bmUgd2lsbCBmaW5kIGVhc3kgdG8gdW5kZXJzdGFuZCBhbmQgdXNlIHNlZW1zIGxpa2UgDQo+IGEg ZGlmZmljdWx0IGVuZGVhdm9yLiBUaGUgb2N0ZXQgc2VxdWVuY2UgaXMgdGhlcmUgdG8gdW5hbWJp Z3VvdXNseSANCj4gc2hvdyB3aGF0IHRoZSBpbnB1dCBpbnRvIHRoZSBlbmNvZGluZyB3YXMuIEFu ZCBvbmUgY2FuIGFsc28gYWx3YXlzIA0KPiBkZWNvZGUgdGhlIGJhc2U2NHVybCBjb250ZW50IHRv bywgdG8gc2VlIGV4YWN0bHkgd2hhdCB0aGUgaW5wdXQgd2FzLg0KPiANCj4gU28sIHllYWgsIEkg ZG9uJ3Qga25vdy4gSSdtIG5vdCBhZ2FpbnN0IG1lbnRpb25pbmcgdGhlIFxyXG4gYnV0IEkgDQo+ IGRvbid0IHBlcnNvbmFsbHkgdGhpbmsgaXQgaGVscHMgbXVjaC4NCj4gDQo+IA0KPiANCj4gDQo+ IE9uIE1vbiwgQXByIDI4LCAyMDE0IGF0IDI6MzQgQU0sIEhhbm5lcyBUc2Nob2ZlbmlnIA0KPiA8 aGFubmVzLnRzY2hvZmVuaWdAZ214Lm5ldCA8bWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5u ZXQ+PiB3cm90ZToNCj4gDQo+ICAgICBIaSBCcmlhbiwNCj4gDQo+ICAgICB0aGFua3MgZm9yIHRo ZSBwb2ludGVycy4NCj4gDQo+ICAgICBJdCBpcyBlYXN5IHRvIHNlZSBmcm9tIHlvdXIgY29kZSB3 aGVyZSB0aGUgaXNzdWUgaXMuIEluIHlvdXIgY29kZSB0aGUNCj4gICAgIFxyXG4gc2VxdWVuY2Ug aXMgYWRkZWQgYXQgdGhlIGVuZCBvZiBlYWNoIGxpbmUgYnV0IGR1ZSB0byB0aGUgbmF0dXJlIG9m DQo+ICAgICB0aGUgQVNDSUkgZHJhZnQgZm9ybWF0dGluZyBhIHJlYWRlciBvbmx5IHNlZXMgdGhl IFxuIChuZXcgbGluZSkgYnV0IG5vdA0KPiAgICAgdGhlIFxyIGNhcnJpYWdlIHJldHVybi4NCj4g DQo+ICAgICBXaGlsZSB0aGUgZHJhZnQgcHJvdmlkZXMgdGhlIFVURi04IHJlcHJlc2VudGF0aW9u IG9mIGVhY2ggaW5kaXZpZHVhbA0KPiAgICAgY2hhcmFjdGVyIGJ1dCwgYXMgSSBtZW50aW9uZWQg aW4gbXkgZW1haWwgYmVsb3csIG5vbmUgb2YgdGhlIHRvb2xzIEkNCj4gICAgIGZvdW5kIHByb2R1 Y2UgYSBjb252ZW5pZW50IHdheSB0byB1c2UgdGhpcyBhcyBpbnB1dCBmb3IgdGhlIGJhc2U2NHVy bA0KPiAgICAgZW5jb2RpbmcgcHJvY2VkdXJlLg0KPiANCj4gICAgIEkgYmVsaWV2ZSBpdCB3b3Vs ZCBiZSBnb29kIHRvIG1lbnRpb24gdGhhdCBlYWNoIGxpbmUgaW4gdGhlIGV4YW1wbGVzIGlzDQo+ ICAgICBmb2xsb3dlZCBieSB0aGUgXHJcbiBjaGFyYWN0ZXIgc2VxdWVuY2UgdG8gbWFrZSBpdCBl YXNpZXIgZm9yIHRob3NlIHdobw0KPiAgICAgd2FudCB0byByZS1jcmVhdGUgdGhlIGV4YW1wbGVz Lg0KPiANCj4gICAgIFdoYXQgZG8geW91IHRoaW5rPw0KPiANCj4gICAgIENpYW8NCj4gICAgIEhh bm5lcw0KPiANCj4gDQo+ICAgICBPbiAwNC8yNS8yMDE0IDAzOjAzIFBNLCBCcmlhbiBDYW1wYmVs bCB3cm90ZToNCj4gICAgID4gU28gSldUIDMuMSBpcyBiYXNlZCBlbnRpcmVseSBvbiwgYW5kIGlz IGp1c3QgYSBzdWJzZXQgb2YsIEpXUyBBcHBlbmRpeA0KPiAgICAgPiBBLjEuIEFuZCBJJ3ZlIGdv dCBhIHRlc3Qgd2hpY2ggdmFsaWRhdGVzIHRoYXQgZXhhbXBsZSBpbiBteSBKT1NFDQo+ICAgICBs aWJyYXJ5DQo+ICAgICA+IDxodHRwczovL2JpdGJ1Y2tldC5vcmcvYl9jL2pvc2U0aj46DQo+ICAg ICA+DQo+ICAgICBodHRwczovL2JpdGJ1Y2tldC5vcmcvYl9jL2pvc2U0ai9zcmMvbWFzdGVyL3Ny Yy90ZXN0L2phdmEvb3JnL2pvc2U0ai9qd3MvSndzVXNpbmdIbWFjU2hhMjU2RXhhbXBsZVRlc3Qu amF2YQ0KPiAgICAgPg0KPiAgICAgPiBBbmQgaGVyZSdzIGEgdmVyaWZpY2F0aW9uIG9mIHRoZSBF eGFtcGxlIEVuY3J5cHRlZCBKV1QgZnJvbSBBcHBlbmRpeA0KPiAgICAgPiBBLjE6DQo+ICAgICA+ DQo+ICAgICBodHRwczovL2JpdGJ1Y2tldC5vcmcvYl9jL2pvc2U0ai9zcmMvbWFzdGVyL3NyYy90 ZXN0L2phdmEvb3JnL2pvc2U0ai9qd2UvRW5jcnlwdGVkSnd0VGVzdC5qYXZhDQo+ICAgICA+DQo+ ICAgICA+IFRoZSBleGFtcGxlIGluIFNlY3Rpb24gNi4xIGlzIGRpZmZlcmVudCB0aGFuIDMuMSAt IGl0J3MgYSAiUGxhaW50ZXh0DQo+ICAgICA+IEpXVCIgdXNpbmcgdGhlICJub25lIiBKV1MgYWxn LiBJJ3ZlIGdvdCB2ZXJpZmljYXRpb24gb2YgdGhhdCBvbmUNCj4gICAgIGFzIHdlbGwNCj4gICAg ID4gYXQgdGhlIHRvcCBvZg0KPiAgICAgPg0KPiAgICAgaHR0cHM6Ly9iaXRidWNrZXQub3JnL2Jf Yy9qb3NlNGovc3JjL21hc3Rlci9zcmMvdGVzdC9qYXZhL29yZy9qb3NlNGovandzL0p3c1BsYWlu dGV4dFRlc3QuamF2YQ0KPiAgICAgPg0KPiAgICAgPg0KPiAgICAgPiBPbiBGcmksIEFwciAyNSwg MjAxNCBhdCA0OjM3IEFNLCBIYW5uZXMgVHNjaG9mZW5pZw0KPiAgICAgPiA8aGFubmVzLnRzY2hv ZmVuaWdAZ214Lm5ldCA8bWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQ+DQo+ICAgICA8 bWFpbHRvOmhhbm5lcy50c2Nob2ZlbmlnQGdteC5uZXQNCj4gICAgIDxtYWlsdG86aGFubmVzLnRz Y2hvZmVuaWdAZ214Lm5ldD4+PiB3cm90ZToNCj4gICAgID4NCj4gICAgID4gICAgIEhpIGFsbCwN Cj4gICAgID4NCj4gICAgID4gICAgIEFzIGEgZG9jdW1lbnQgc2hlcGhlcmQgSSBoYXZlIHRvIHZl cmlmeSB0aGUgZW50aXJlIGRvY3VtZW50DQo+ICAgICBhbmQgdGhpcw0KPiAgICAgPiAgICAgaW5j bHVkZXMgdGhlIGV4YW1wbGVzIGFzIHdlbGwuDQo+ICAgICA+DQo+ICAgICA+ICAgICBTZWN0aW9u IDMuMToNCj4gICAgID4NCj4gICAgID4gICAgIFlvdSB3cml0ZToNCj4gICAgID4NCj4gICAgID4g ICAgICINCj4gICAgID4gICAgICAgIFRoZSBmb2xsb3dpbmcgb2N0ZXQgc2VxdWVuY2UgaXMgdGhl IFVURi04IHJlcHJlc2VudGF0aW9uIG9mDQo+ICAgICB0aGUgSldUDQo+ICAgICA+ICAgICAgICBI ZWFkZXIvSldTIEhlYWRlciBhYm92ZToNCj4gICAgID4NCj4gICAgID4gICAgICAgIFsxMjMsIDM0 LCAxMTYsIDEyMSwgMTEyLCAzNCwgNTgsIDM0LCA3NCwgODcsIDg0LCAzNCwgNDQsDQo+ICAgICAx MywgMTAsIDMyLA0KPiAgICAgPiAgICAgICAgMzQsIDk3LCAxMDgsIDEwMywgMzQsIDU4LCAzNCwg NzIsIDgzLCA1MCwgNTMsIDU0LCAzNCwgMTI1XQ0KPiAgICAgPiAgICAgIg0KPiAgICAgPg0KPiAg ICAgPiAgICAgVGhlIHZhbHVlcyBJTUhPIGFyZSByZXByZXNlbnRlZCBpbiBEZWNpbWFsIGNvZGUg cG9pbnQgcmF0aGVyDQo+ICAgICB0aGFuIE9jdGFsDQo+ICAgICA+ICAgICBVVEYtOCBieXRlcywg YXMgc3RhdGVkIGFib3ZlLg0KPiAgICAgPiAgICAgU2VlIHRoZSBmb2xsb3dpbmcgb25saW5lIHRv b2wgdG8gc2VlIHRoZSBkaWZmZXJlbmNlOg0KPiAgICAgPiAgICAgaHR0cDovL3d3dy5sdGcuZWQu YWMudWsvfnJpY2hhcmQvdXRmLTguY2dpP2lucHV0PSUyMiZtb2RlPWNoYXINCj4gICAgID4NCj4g ICAgID4gICAgIE5vdGUgdGhhdCB5b3UgY291bGQgYWxzbyBzaG93IGEgaGV4IGVuY29kaW5nIGlu c3RlYWQgKGUuZy4sIHZpYQ0KPiAgICAgPiAgICAgaHR0cDovL29zdGVybWlsbGVyLm9yZy9jYWxj L2VuY29kZS5odG1sKS4gSGl4aWUncyBkZWNvZGVyDQo+ICAgICB3b3VsZCB0aGVuDQo+ICAgICA+ ICAgICBwcm9kdWNlIHRoZSBjb3JyZWN0IGRlY29kaW5nLiBIZXJlIGlzIHRoZSBsaW5rIHRvIGhp cyBzb2Z0d2FyZToNCj4gICAgID4gICAgDQo+ICAgICBodHRwOi8vc29mdHdhcmUuaGl4aWUuY2gv dXRpbGl0aWVzL2NnaS91bmljb2RlLWRlY29kZXIvdXRmOC1kZWNvZGVyDQo+ICAgICA+ICAgICAo Tm90ZSB0aGF0IHRoaXMgcHJvZ3JhbSBzZWVtcyB0byBoYXZlIGZsYXdzIGZvciBtb3N0IG90aGVy DQo+ICAgICBvcHRpb25zLikNCj4gICAgID4NCj4gICAgID4gICAgIFdoZW4gZG8gYSBCYXNlNjRV UkwgZW5jb2Rpbmcgb2YNCj4gICAgID4NCj4gICAgID4gICAgIHsidHlwIjoiSldUIiwiYWxnIjoi SFMyNTYifQ0KPiAgICAgPg0KPiAgICAgPiAgICAgdGhlbiBJIGdldA0KPiAgICAgPg0KPiAgICAg PiAgICAgZXlKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKSVV6STFOaUo5DQo+ICAgICA+DQo+ICAg ICA+ICAgICBidXQgeW91ciBzcGVjIHNheXM6DQo+ICAgICA+DQo+ICAgICA+ICAgICBleUowZVhB aU9pSktWMVFpTEEwS0lDSmhiR2NpT2lKSVV6STFOaUo5DQo+ICAgICA+DQo+ICAgICA+ICAgICBT YW1lIHdpdGgNCj4gICAgID4gICAgIHsiaXNzIjoiam9lIiwiZXhwIjoxMzAwODE5MzgwLCJodHRw Oi8vZXhhbXBsZS5jb20vaXNfcm9vdCI6dHJ1ZX0uDQo+ICAgICA+DQo+ICAgICA+ICAgICBNeSBy ZXN1bHQ6DQo+ICAgICA+ICAgIA0KPiAgICAgZXlKcGMzTWlPaUpxYjJVaUxDSmxlSEFpT2pFek1E QTRNVGt6T0RBc0ltaDBkSEE2THk5bGVHRnRjR3hsTG1OdmJTOXBjMTl5YjI5MElqcDBjblZsZlEN Cj4gICAgID4NCj4gICAgID4gICAgIFlvdXIgcmVzdWx0Og0KPiAgICAgPiAgICANCj4gICAgIGV5 SnBjM01pT2lKcWIyVWlMQTBLSUNKbGVIQWlPakV6TURBNE1Ua3pPREFzRFFvZ0ltaDBkSEE2THk5 bGVHRnRjR3hsTG1OdmJTOXBjMTl5YjI5MElqcDBjblZsZlENCj4gICAgID4NCj4gICAgID4gICAg IE5vdGU6IEkgYW0gdXNpbmcgdGhpcyBvbmxpbmUgdG9vbCBmb3IgQmFzZTY0VVJMIGVuY29kaW5n Og0KPiAgICAgPiAgICAgaHR0cDovL2tqdXIuZ2l0aHViLmlvL2pzandzL3Rvb2xfYjY0dWVuYy5o dG1sLg0KPiAgICAgPiAgICAgSW50ZXJlc3RpbmdseSwgd2hlbiBJIGR1bXAgdGhlIGRhdGEgaW50 byBodHRwOi8vand0LmlvLyB0aGVuIEkNCj4gICAgIGdldCBhDQo+ICAgICA+ICAgICBjb3JyZWN0 IGRlY29kaW5nLiBJdCBtaWdodCB3ZWxsIGJlIHRoYXQgdGhlIGtqdXIuZ2l0aHViLmlvDQo+ICAg ICA8aHR0cDovL2tqdXIuZ2l0aHViLmlvPg0KPiAgICAgPiAgICAgPGh0dHA6Ly9ranVyLmdpdGh1 Yi5pbz4gaGFzIGEgZmxhdy4NCj4gICAgID4NCj4gICAgID4gICAgIEp1c3Qgd2FudGVkIHRvIGNo ZWNrIHdoYXQgdG9vbCB5b3UgaGF2ZSB1c2VkIHRvIGNyZWF0ZSB0aGVzZQ0KPiAgICAgZW5jb2Rp bmdzLg0KPiAgICAgPg0KPiAgICAgPg0KPiAgICAgPiAgICAgU2VjdGlvbiA2LjE6DQo+ICAgICA+ DQo+ICAgICA+ICAgICBUaGUgZXhhbXBsZSBpbiBTZWN0aW9uIDYuMSBpcyB0aGUgc2FtZSBhcyBp biAzLjEuIE1heWJlIGl0DQo+ICAgICB3b3VsZCBiZQ0KPiAgICAgPiAgICAgdXNlZnVsIHRvIHNo b3cgc29tZXRoaW5nIGRpZmZlcmVudCBoZXJlLg0KPiAgICAgPg0KPiAgICAgPiAgICAgVGhlIGV4 YW1wbGUgaW4gQXBwZW5kaXggQS4xIGlzIG1vcmUgc29waGlzdGljYXRlZCBzaW5jZSBpdA0KPiAg ICAgZGVtb25zdHJhdGVzDQo+ICAgICA+ICAgICBlbmNyeXB0aW9uLiBUbyB2ZXJpZnkgaXQgSSB3 b3VsZCBuZWVkIHRvIGhhdmUgYSBsaWJyYXJ5IHRoYXQNCj4gICAgIHN1cHBvcnRzDQo+ICAgICA+ ICAgICBKV0UgYW5kIFJTQUVTLVBLQ1MxLVYxXzUgYW5kIEFFU18xMjhfQ0JDX0hNQUNfU0hBXzI1 Ni4gV2hpY2gNCj4gICAgIGxpYnJhcnkNCj4gICAgID4gICAgIGhhdmUgeW91IGJlZW4gdXNpbmc/ DQo+ICAgICA+DQo+ICAgICA+ICAgICBJIHdhcyB3b25kZXJpbmcgd2hldGhlciBpdCB3b3VsZCBt YWtlIHNlbnNlIHRvIGFkZCB0d28gb3RoZXINCj4gICAgIGV4YW1wbGVzLA0KPiAgICAgPiAgICAg bmFtZWx5IGZvciBpbnRlZ3JpdHkgcHJvdGVjdGlvbi4gT25lIGV4YW1wbGUgc2hvd2luZyBhbg0K PiAgICAgSE1BQy1iYXNlZCBrZXllZA0KPiAgICAgPiAgICAgbWVzc2FnZSBkaWdlc3QgYW5kIGFu b3RoZXIgb25lIHVzaW5nIGEgZGlnaXRhbCBzaWduYXR1cmUuDQo+ICAgICA+DQo+ICAgICA+ICAg ICBIZXJlIGlzIGEgc2ltcGxlIGV4YW1wbGUgdG8gYWRkIHRoYXQgYWxtb3N0IGFsbCBKV1QgbGli cmFyaWVzDQo+ICAgICBzZWVtIHRvIGJlDQo+ICAgICA+ICAgICBhYmxlIHRvIGNyZWF0ZSBhbmQg dmVyaWZ5Og0KPiAgICAgPg0KPiAgICAgPiAgICAgSGVhZGVyOg0KPiAgICAgPiAgICAgeyJhbGci OiJIUzI1NiIsInR5cCI6IkpXVCJ9DQo+ICAgICA+DQo+ICAgICA+ICAgICBJIHVzZSB0aGUgSFMy NTYgYWxnb3JpdGhtIHdpdGggYSBzaGFyZWQgc2VjcmV0ICcxMjM0NScuDQo+ICAgICA+DQo+ICAg ICA+ICAgICBCb2R5Og0KPiAgICAgPg0KPiAgICAgPiAgICAgeyJpc3MiOiJodHRwczovL2FzLmV4 YW1wbGUuY29tIiwic3ViIjoibWFpbHRvOmpvaG5AZXhhbXBsZS5jb20NCj4gICAgIDxtYWlsdG86 am9obkBleGFtcGxlLmNvbT4NCj4gICAgID4gICAgIDxtYWlsdG86am9obkBleGFtcGxlLmNvbQ0K PiAgICAgPG1haWx0bzpqb2huQGV4YW1wbGUuY29tPj4iLCJuYmYiOjEzOTg0MjA3NTMsImV4cCI6 MTM5ODQyNDM1MywiaWF0IjoxMzk4NDIwNzUzfQ0KPiAgICAgPg0KPiAgICAgPiAgICANCj4gICAg IGp3dC5lbmNvZGUoeyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwic3ViIjoibWFpbHRv OmpvaG5AZXhhbXBsZS5jb20NCj4gICAgIDxtYWlsdG86am9obkBleGFtcGxlLmNvbT4NCj4gICAg ID4gICAgIDxtYWlsdG86am9obkBleGFtcGxlLmNvbQ0KPiAgICAgPG1haWx0bzpqb2huQGV4YW1w bGUuY29tPj4iLCJuYmYiOjEzOTg0MjA3NTMsImV4cCI6MTM5ODQyNDM1MywiaWF0IjoxMzk4NDIw NzUzfSwiMTIzNDUiLA0KPiAgICAgPiAgICAgIkhTMjU2IikNCj4gICAgID4NCj4gICAgID4gICAg IEkgdXNlZCBodHRwOi8vd3d3Lm9ubGluZWNvbnZlcnNpb24uY29tL3VuaXhfdGltZS5odG0gdG8g Y3JlYXRlIHRoZQ0KPiAgICAgPiAgICAgZGF0ZS90aW1lIHZhbHVlczoNCj4gICAgID4gICAgICJu YmYiOjEzOTg0MjA3NTMgLS0+IEZyaSwgMjUgQXByIDIwMTQgMTA6MTI6MzMgR01UDQo+ICAgICA+ ICAgICAiZXhwIjoxMzk4NDI0MzUzIC0tPiBGcmksIDI1IEFwciAyMDE0IDExOjEyOjMzIEdNVA0K PiAgICAgPiAgICAgImlhdCI6MTM5ODQyMDc1MyAtLT4gRnJpLCAyNSBBcHIgMjAxNCAxMDoxMjoz MyBHTVQNCj4gICAgID4NCj4gICAgID4gICAgIEhlcmUgaXMgdGhlIG91dHB1dCBjcmVhdGVkIHdp dGgNCj4gICAgIGh0dHBzOi8vZ2l0aHViLmNvbS9wcm9ncml1bS9weWp3dC8gYW5kDQo+ICAgICA+ ICAgICB2ZXJpZmllZCB3aXRoIGh0dHA6Ly9qd3QuaW8vOg0KPiAgICAgPiAgICANCj4gICAgIGV5 SmhiR2NpT2lKSVV6STFOaUlzSW5SNWNDSTZJa3BYVkNKOS5leUpwYzNNaU9pSm9kSFJ3Y3pvdkwy RnpMbVY0WVcxd2JHVXVZMjl0SWl3aWFXRjBJam94TXprNE5ESXdOelV6TENKemRXSWlPaUp0WVds c2RHODZhbTlvYmtCbGVHRnRjR3hsTG1OdmJTSXNJbVY0Y0NJNk1UTTVPRFF5TkRNMU15d2libUpt SWpveE16azROREl3TnpVemZRLjBnZlJVSWxleTcwYk1QN2hONnNNV2tId0hlemRydjJFMUxBVmNO ZFRzcTQNCj4gICAgID4NCj4gICAgID4gICAgIENpYW8NCj4gICAgID4gICAgIEhhbm5lcw0KPiAg ICAgPg0KPiAgICAgPg0KPiAgICAgPg0KPiAgICAgPiAgICAgX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX18NCj4gICAgID4gICAgIE9BdXRoIG1haWxpbmcgbGlz dA0KPiAgICAgPiAgICAgT0F1dGhAaWV0Zi5vcmcgPG1haWx0bzpPQXV0aEBpZXRmLm9yZz4gPG1h aWx0bzpPQXV0aEBpZXRmLm9yZw0KPiAgICAgPG1haWx0bzpPQXV0aEBpZXRmLm9yZz4+DQo+ICAg ICA+ICAgICBodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoDQo+ICAg ICA+DQo+ICAgICA+DQo+IA0KPiANCg0K From nobody Mon Apr 28 09:22:28 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71B361A6F4C for ; Mon, 28 Apr 2014 09:22:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K_A7RZkM0VpA for ; Mon, 28 Apr 2014 09:22:24 -0700 (PDT) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0210.outbound.protection.outlook.com [207.46.163.210]) by ietfa.amsl.com (Postfix) with ESMTP id 3D59C1A6F45 for ; Mon, 28 Apr 2014 09:22:24 -0700 (PDT) Received: from BY2PR03CA028.namprd03.prod.outlook.com (10.242.234.149) by BY2PR03MB363.namprd03.prod.outlook.com (10.242.237.16) with Microsoft SMTP Server (TLS) id 15.0.929.12; Mon, 28 Apr 2014 16:22:22 +0000 Received: from BY2FFO11FD051.protection.gbl (2a01:111:f400:7c0c::142) by BY2PR03CA028.outlook.office365.com (2a01:111:e400:2c2c::21) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Mon, 28 Apr 2014 16:22:22 +0000 Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD051.mail.protection.outlook.com (10.1.15.188) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Mon, 28 Apr 2014 16:22:21 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.03.0181.007; Mon, 28 Apr 2014 16:21:48 +0000 From: Mike Jones To: Hannes Tschofenig , Brian Campbell Thread-Topic: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples Thread-Index: AQHPYHPsqQW6K7XM2UikgyZnVh8GF5siN60AgAAO7ICAABvwAIAAIeyQgAQ1JoCAAICXMA== Date: Mon, 28 Apr 2014 16:21:47 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A1989FE@TK5EX14MBXC288.redmond.corp.microsoft.com> References: <535A3AF4.4060506@gmx.net> <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com> <535A5819.2030805@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A195D48@TK5EX14MBXC288.redmond.corp.microsoft.com> <535E1391.2090909@gmx.net> In-Reply-To: <535E1391.2090909@gmx.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.37] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(24454002)(189002)(199002)(13464003)(377454003)(479174003)(83322001)(80976001)(87936001)(23676002)(6806004)(19580395003)(44976005)(19580405001)(97736001)(2656002)(84676001)(15975445006)(92726001)(20776003)(47776003)(92566001)(50986999)(76176999)(33656001)(4396001)(79102001)(85852003)(15202345003)(77982001)(54356999)(31966008)(81542001)(74662001)(99396002)(50466002)(46102001)(2009001)(86362001)(66066001)(55846006)(83072002)(80022001)(81342001)(76482001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB363; H:mail.microsoft.com; FPR:B656F336.2E3195C8.41E0F7C9.46E093AC.20289; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01952C6E96 Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/6TBLUgw-2YxBuqsNndHGmU2AOvs Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 16:22:26 -0000 SSdtIGNvbmZ1c2VkIGJ5IHlvdXIgc3RhdGVtZW50IGJlbG93LCBIYW5uZXMsIGFib3V0IHRoZSBl eGFtcGxlcyBub3Qgc2hvd2luZyBKV1RzIHByb3RlY3RlZCBieSBNQUNzIG9yIGRpZ2l0YWwgc2ln bmF0dXJlcywgc2luY2UgdGhlIGV4YW1wbGUgSldUIGluIGh0dHA6Ly90b29scy5pZXRmLm9yZy9o dG1sL2RyYWZ0LWlldGYtb2F1dGgtanNvbi13ZWItdG9rZW4tMTkjc2VjdGlvbi0zLjEgaXMgcHJv dGVjdGVkIGJ5IGEgTUFDIGFuZCB0aGUgbmVzdGVkIEpXVCBleGFtcGxlIGluIGh0dHA6Ly90b29s cy5pZXRmLm9yZy9odG1sL2RyYWZ0LWlldGYtb2F1dGgtanNvbi13ZWItdG9rZW4tMTkjYXBwZW5k aXgtQS4yIGlzIHByb3RlY3RlZCBieSBhIGRpZ2l0YWwgc2lnbmF0dXJlIChhbmQgdGhlbiBlbmNy eXB0ZWQpLg0KDQotLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KRnJvbTogSGFubmVzIFRzY2hv ZmVuaWcgW21haWx0bzpoYW5uZXMudHNjaG9mZW5pZ0BnbXgubmV0XSANClNlbnQ6IE1vbmRheSwg QXByaWwgMjgsIDIwMTQgMTozOSBBTQ0KVG86IE1pa2UgSm9uZXM7IEJyaWFuIENhbXBiZWxsDQpD Yzogb2F1dGhAaWV0Zi5vcmcNClN1YmplY3Q6IFJlOiBbT0FVVEgtV0ddIGRyYWZ0LWlldGYtb2F1 dGgtanNvbi13ZWItdG9rZW4tMTkgLSBFeGFtcGxlcw0KDQpIaSBNaWtlLA0KDQpPbiAwNC8yNS8y MDE0IDA2OjM3IFBNLCBNaWtlIEpvbmVzIHdyb3RlOg0KPiBXaGlsZSB3ZSBjb3VsZCBhZGQgb3Ro ZXIgZXhhbXBsZXMsIGRvaW5nIHNvIGlzIGJleW9uZCB0aGUgc2NvcGUgb2YgdGhlIA0KPiBpbW1l ZGlhdGUgbWlzc2lvbiB0byB2YWxpZGF0ZSB0aGUgZXhpc3RpbmcgZXhhbXBsZXMsIEhhbm5lcy4g IFRoZXJl4oCZcyANCj4gbG90cyBvZiBleGFtcGxlcyBpbiB0aGUgdW5kZXJseWluZyBKT1NFIHNw ZWNzLCBzbyBpdOKAmXMgbm90IGNsZWFyIHRoYXQgDQo+IHdlIHJlYWxseSBuZWVkIHRvIGFkZCBh ZGRpdGlvbmFsIG9uZXMgYXQgdGhpcyB0aW1lLiAgKElmIHRoaXMgDQo+IHN1Z2dlc3Rpb24gY29t ZXMgdXAgYWdhaW4gZHVyaW5nIElFU0cgcmV2aWV3LCB3ZSBjb3VsZCBkbyB0aGF0LCBidXQgSSAN Cj4gZG9u4oCZdCB0aGluayBpdOKAmXMgbmVjZXNzYXJ5IGF0IHRoaXMgcG9pbnQgdG8gbW92ZSB0 aGUgc3BlYyB0byBJRVNHIA0KPiByZXZpZXcuKQ0KPiANCkl0IGlzIGNlcnRhaW5seSB0cnVlIHRo YXQgZXhhbXBsZXMgYXJlIG5vdCBtYW5kYXRvcnkgYW5kIHRoYXQgdGhlIEpPU0Ugc3BlY3MgY29u dGFpbiBhIG51bWJlciBvZiBleGFtcGxlcy4NCg0KUmVhZCB0aHJvdWdoIHRoZSBkb2N1bWVudCBp dCBjYW1lIHRvIG15IG1pbmQgdGhhdCB0aGUgbW9zdCBjb21tb24gdXNlcyBvZiBKV1RzIGFyZSBh Y3R1YWxseSBub3QgY292ZXJlZCBhcyBwYXJ0IG9mIHRoZSBleGFtcGxlcy4gTWFueSByZWFkZXJz IGxvb2sgYXQgdGhlIGV4YW1wbGVzIHRvIHF1aWNrbHkgZ2V0IHRoZSBpZGVhIGFuZCBuZWl0aGVy IGEgSldUIHByb3RlY3RlZCB1c2luZyBhIE1BQyBpcyB0aGVyZSBub3IgYSBKV1QgcHJvdGVjdGVk IHdpdGggYSBkaWdpdGFsIHNpZ25hdHVyZS4NCg0KSSB3aWxsLCBob3dldmVyLCBnZXQgb3ZlciBp dC4NCg0KQ2lhbw0KSGFubmVzDQoNCg== From nobody Mon Apr 28 11:41:47 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED06A1A0792 for ; Mon, 28 Apr 2014 11:41:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zsWbrHlhnSyJ for ; Mon, 28 Apr 2014 11:41:40 -0700 (PDT) Received: from na6sys009bog007.obsmtp.com (na6sys009bog007.obsmtp.com [74.125.150.54]) by ietfa.amsl.com (Postfix) with ESMTP id 4D5DE1A04F1 for ; Mon, 28 Apr 2014 11:41:39 -0700 (PDT) Received: from mail-ie0-f179.google.com ([209.85.223.179]) (using TLSv1) by na6sys009bob007.postini.com ([74.125.148.12]) with SMTP ID DSNKU16g4qU8vpI3snabwLuBdzT3BlT1KfxG@postini.com; Mon, 28 Apr 2014 11:41:38 PDT Received: by mail-ie0-f179.google.com with SMTP id lx4so6975241iec.38 for ; Mon, 28 Apr 2014 11:41:37 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=tq1qAmJ5+xOq+MzJUqZR4g2h9gsSoHZT3Zn81kPmlO4=; b=jDUSpHukd11KGfv3lxS5SA3loAczslWInTfixOIYE+abZzlwVpW/WK0KGa3fjT1kgg jzRtS0fmxPSXknDs3S3rJsAz2chuwpYtdO/R+Z1gnknw2XPMz8PesznGU2nvXAIIuLwi cWzpQ9jIgEbrVV2L50odWXMQzpdzBDSh/QcG1om1055CyOGFh39FBM43U5jx3p5Ah7UH xOr77od0W3D0kxIr8CznXonqOGo1IaUqSVGAX21SkfTmSV35Yw1I7KX4j8zBn1TzLufz VgOLNsRfDHy0JOEZnQal2dRaUVHfFcUiG/VBJlwbf+CaurGIdHAi9HvahhZrSprhE4Oc zcww== X-Gm-Message-State: ALoCoQkdK5nmrmEnaCqyeTeDUIm7jVWqa5eOidKV1MCzE5FueRIogsSJ6XECd8tzrc694i9jyuQd5o/wryG2eMdFUY+thuagg++Vtw/ojo+8jvCK3vpHDZklJYAr4RZPy0omZgM2pInA X-Received: by 10.50.153.49 with SMTP id vd17mr26594388igb.40.1398710497371; Mon, 28 Apr 2014 11:41:37 -0700 (PDT) X-Received: by 10.50.153.49 with SMTP id vd17mr26594367igb.40.1398710497205; Mon, 28 Apr 2014 11:41:37 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Mon, 28 Apr 2014 11:41:07 -0700 (PDT) In-Reply-To: <535E160E.3010106@gmx.net> References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> <535E160E.3010106@gmx.net> From: Brian Campbell Date: Mon, 28 Apr 2014 12:41:07 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=089e014954be54e40f04f81eaa12 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/oQQMGdUjI7SRiCm3yF4ySGkKUDQ Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 18:41:44 -0000 --089e014954be54e40f04f81eaa12 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Thanks Hannes, I'll update that text to reference RFC 6973 and also to indicate a specific value which could be used for the anonymous user. And I'll publish new drafts here soon(ish). On Mon, Apr 28, 2014 at 2:49 AM, Hannes Tschofenig < hannes.tschofenig@gmx.net> wrote: > Hi all, > > your text proposal sounds reasonable and it might, as suggested, > indicate what value to put in there for the anonymous user (such as > 'anonymous'). Saying explicitly what implementers should be doing helps > interoperability. > > Mentioning the pseudonym is also a good idea since in some cases > anonymity can be too strong and pseudonymity is what is desired. For the > terminology you could reference RFC 6973. > > Ciao > Hannes > > PS: A note to various folks in this email thread: We have not discussed > this issue before. As I mentioned in my original email we had only > discussed a related issue regarding client authentication. Antonio's > email lead me to think about the authorization grant, which is obviously > a different story (which only happens to be in the same document because > of the document structure we came up with). > > On 04/25/2014 09:57 PM, Brian Campbell wrote: > > I absolutely agree with always requiring both issuer and subject and > > that doing so keeps the specs simpler and is likely to improve > > interoperability. > > > > However, without changing that, perhaps some of the text in the > > document(s) could be improved a bit. Here's a rough proposal: > > > > Change the text of the second bullet in > > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2 t= o > > > > "The assertion MUST contain a Subject. The Subject typically identifies > > an authorized accessor for which the access token is being requested > > (i.e. the resource owner, or an authorized delegate) but, in some cases= , > > may be a pseudonym or other value denoting an anonymous user. When the > > client is acting on behalf of itself, the Subject MUST be the value of > > the client's client_id." > > > > And also change > > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1= to > > > > "When a client is accessing resources on behalf of an anonymous user, a > > mutually agreed upon Subject identifier indicating anonymity is used. > > The Subject value might be an agreed upon static value indicating an > > anonymous user or an opaque persistent or transient pseudonym for the > > user may also be utilized. The authorization may be based upon > > additional criteria, such as additional attributes or claims provided i= n > > the assertion. For example, a client may present an assertion from a > > trusted issuer asserting that the bearer is over 18 via an included > > claim. In this case, no additional information about the user's identit= y > > is included, yet all the data needed to issue an access token is > present." > > > > And maybe also change the subject text in SAML and JWT (item #2 in > > http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3 and > > http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3) > > to read a little more like the new proposed text above for section 5.2 > > of the Assertion Framework draft. > > > > Would that sit any better with you, Hannes? Thoughts from others in the > WG? > > > > > > On Fri, Apr 25, 2014 at 1:08 PM, John Bradley > > wrote: > > > > Agreed. > > > > On Apr 25, 2014, at 3:07 PM, Mike Jones > > wrote: > > > >> I agree. We=E2=80=99d already discussed this pretty extensively a= nd > >> reached the conclusion that always requiring both an issuer and a > >> subject both kept the specs simpler and was likely to improve > >> interoperability.____ > >> > >> It=E2=80=99s entirely up to the application profile what the conte= nts of > >> the issuer and the subject fields are and so I don=E2=80=99t think= we need > >> to further specify their contents beyond what=E2=80=99s already in= the > >> specs.____ > >> > >> -- > >> Mike____ > >> > >> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Brian > >> Campbell > >> *Sent:* Friday, April 25, 2014 10:17 AM > >> *To:* Hannes Tschofenig > >> *Cc:* oauth@ietf.org > >> *Subject:* Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject > >> issue____ > >> __ __ > >> > >> I believe, from the thread referenced earlier and prior discussion > >> and draft text, that the WG has reached (rough) consensus to > >> require the subject claim. So text that says "Subject element MUST > >> NOT be included" isn't workable.____ > >> > >> It seems what's needed here is some better explanation of how, in > >> cases that need it, the value of the subject can be populated > >> without using a PII type value. A simple static value like > >> "ANONYMOUS-SUBJECT" could be used. Or, more likely, some kind of > >> pairwise persistent pseudonymous identifier would be utilized, > >> which would not directly identify the subject but would allow the > >> relying party to recognize the same subject on subsequent > >> transactions. A transient pseudonym might also be appropriate in > >> some cases. And any of those approaches could be used with or > >> without additional claims (like age > 18 or membership in some > >> group) that get used to make an authorization decision. ____ > >> > >> I wasn't sure exactly how to articulate all that in text for the > >> draft(s) but that's more of what I was asking for when I asked if > >> you could propose some text.____ > >> > >> > >> > >> > >> ____ > >> > >> __ __ > >> > >> On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig > >> > > >> wrote:____ > >> Hi Brian, > >> > >> Thanks for pointing to the assertion framework document. > >> Re-reading the > >> text it appears that we have listed the case that in Section 6.3.1 > but > >> have forgotten to cover it elsewhere in the document. > >> > >> > >> In Section 6.3.1 we say: > >> > >> " > >> > >> 6.3.1. Client Acting on Behalf of an Anonymous User > >> > >> When a client is accessing resources on behalf of an anonymous > >> user, > >> the Subject indicates to the Authorization Server that the > >> client is > >> acting on-behalf of an anonymous user as defined by the > >> Authorization > >> Server. It is implied that authorization is based upon > additional > >> criteria, such as additional attributes or claims provided in t= he > >> assertion. For example, a client may present an assertion from= a > >> trusted issuer asserting that the bearer is over 18 via an > included > >> claim. > >> > >> ***** > >> In this case, no additional information about the user's > >> identity is included, yet all the data needed to issue an acces= s > >> token is present. > >> ***** > >> " > >> (I marked the relevant part with '***') > >> > >> > >> In Section 5.2, however, we say: > >> > >> > >> o The assertion MUST contain a Subject. The Subject identifie= s > an > >> authorized accessor for which the access token is being > >> requested > >> (typically the resource owner, or an authorized delegate). > When > >> the client is acting on behalf of itself, the Subject MUST > >> be the > >> value of the client's "client_id". > >> > >> > >> What we should have done in Section 5.2 is to expand the cases > inline > >> with what we have written in Section 6. > >> > >> Here is my proposed text: > >> > >> " > >> o The assertion MUST contain a Subject. The Subject identifies a= n > >> authorized accessor for which the access token is being > requested____ > >> > >> (typically the resource owner, or an authorized delegate). > >> > >> ____ > >> > >> When the client is acting on behalf of itself, as described in > Section > >> 6.1 and Section 6.2, the Subject MUST be the value of the client's > >> "client_id". > >> > >> When the client is acting on behalf of an user, as described in > >> Section > >> 6.3, the Subject element MUST be included in the assertion and > >> identifies an authorized accessor for which the access token is > being > >> requested. > >> > >> When the client is acting on behalf of an anonymous user, as > described > >> in Section 6.3.1, the Subject element MUST NOT be included in the > >> assertion. Other elements within the assertion will, however, > provide > >> enough information for the authorization server to make an > >> authorization > >> decision. > >> " > >> > >> Does this make sense to you? > >> > >> Ciao > >> Hannes____ > >> > >> > >> On 04/24/2014 02:30 PM, Brian Campbell wrote: > >> > There is some discussion of that case in the assertion framework > >> > document at > >> > > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 > >> > > >> > Do you feel that more is needed? If so, can you propose some tex= t? > >> > > >> > > >> > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig____ > >> > >> hannes.tschofenig@gmx.net > >> >> wrote: > >> > > >> > Hi Brian, > >> > > >> > I read through the thread and the Google case is a bit > >> different since > >> > they are using the client authentication part of the JWT > >> bearer spec. > >> > There I don't see the privacy concerns either. > >> > > >> > I am, however, focused on the authorization grant where the > >> subject is > >> > in most cases the resource owner. > >> > > >> > It is possible to put garbage into the subject element when > >> privacy > >> > protection is needed for the resource owner case but that > >> would need to > >> > be described in the document; currently it is not there. > >> > > >> > Ciao > >> > Hannes > >> > > >> > > >> > On 04/24/2014 12:37 AM, Brian Campbell wrote: > >> > > That thread that Antonio started which you reference went > >> on for some > >> > > time > >> > > > >> > > >> ( > http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) > >> > > and seems to have reached consensus that the spec didn't > need > >> > normative > >> > > change and that such privacy cases or other cases which > didn't > >> > > explicitly need a subject identifier would be more > >> appropriately dealt > >> > > with in application logic: > >> > > >> > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html > >> > > > >> > > > >> > > > >> > > > >> > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig > >> > > >> hannes.tschofenig@gmx.net > >> >____ > >> > >> ____ > >> > >> >>> wrote: > >> > > > >> > > Hi all, > >> > > > >> > > in preparing the shepherd write-up for > >> > draft-ietf-oauth-jwt-bearer-08 I > >> > > had to review our recent email conversations and the > issue > >> > raised by > >> > > Antonio in > >> > > > >> > > >> http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html= belong > >> > > to it. > >> > > > >> > > The issue was that Section 3 of > >> draft-ietf-oauth-jwt-bearer-08 > >> > says: > >> > > " > >> > > 2. The JWT MUST contain a "sub" (subject) claim > >> > identifying the > >> > > principal that is the subject of the JWT. Two > >> cases > >> > need to be > >> > > differentiated: > >> > > > >> > > A. For the authorization grant, the subject > >> SHOULD > >> > identify an > >> > > authorized accessor for whom the access > >> token is being > >> > > requested (typically the resource owner, o= r > an > >> > authorized > >> > > delegate). > >> > > > >> > > B. For client authentication, the subject > >> MUST be the > >> > > "client_id" of the OAuth client. > >> > > " > >> > > > >> > > Antonio pointed to the current Google API to > >> illustrate that > >> > the subject > >> > > is not always needed. Here is the Google API > >> documentation: > >> > > > >> https://developers.google.com/accounts/docs/OAuth2ServiceAccount > >> > > > >> > > The Google API used the client authentication part > (rather > >> > than the > >> > > authorization grant), in my understanding. > >> > > > >> > > I still believe that the subject field has to be > >> included for > >> > client > >> > > authentication but I am not so sure anymore about the > >> > authorization > >> > > grant since I could very well imagine cases where the > >> subject > >> > is not > >> > > needed for authorization decisions but also for > >> privacy reasons. > >> > > > >> > > I would therefore suggest to change the text as follow= s: > >> > > > >> > > " > >> > > 2. The JWT contains a "sub" (subject) claim > >> identifying the > >> > > principal that is the subject of the JWT. Two > >> cases > >> > need to be > >> > > differentiated: > >> > > > >> > > A. For the authorization grant, the subject > >> claim MAY > >> > > be included. If it is included it MUST > >> identify the > >> > > authorized accessor for whom the access > >> token is being > >> > > requested (typically the resource owner, o= r > an > >> > authorized > >> > > delegate). Reasons for not including the > >> subject claim > >> > > in the JWT are identity hiding (i.e., > privacy > >> > protection > >> > > of the identifier of the subject) and > >> cases where > >> > > the identifier of the subject is > >> irrelevant for making > >> > > an authorization decision by the resource > >> server. > >> > > > >> > > B. For client authentication, the subject > >> MUST be the > >> > > included in the JWT and the value MUST be > >> populated > >> > > with the "client_id" of the OAuth client. > >> > > " > >> > > > >> > > What do you guys think? > >> > > > >> > > Ciao > >> > > Hannes > >> > > > >> > > > >> > > _______________________________________________ > >> > > OAuth mailing list____ > >> > >> > > OAuth@ietf.org > >> >> > >> > >> > >> > >> > > https://www.ietf.org/mailman/listinfo/oauth > >> > > > >> > > > >> > > >> >____ > >> > >> __ __ > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > > > --089e014954be54e40f04f81eaa12 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Thanks Hannes,

I'll update that text= to reference RFC 6973 and also to indicate a specific value which could be= used for the anonymous user. And I'll publish new drafts here soon(is= h).






On Mon, Apr 28, 2014 at 2:49 AM, Hannes Tschofenig <= ;hannes.tsch= ofenig@gmx.net> wrote:
Hi all,

your text proposal sounds reasonable and it might, as suggested,
indicate what value to put in there for the anonymous user (such as
'anonymous'). Saying explicitly what implementers should be doing h= elps
interoperability.

Mentioning the pseudonym is also a good idea since in some cases
anonymity can be too strong and pseudonymity is what is desired. For the terminology you could reference RFC 6973.

Ciao
Hannes

PS: A note to various folks in this email thread: We have not discussed
this issue before. As I mentioned in my original email we had only
discussed a related issue regarding client authentication. Antonio's email lead me to think about the authorization grant, which is obviously a different story (which only happens to be in the same document because of the document structure we came up with).

On 04/25/2014 09:57 PM, Brian Campbell wrote:
> I absolutely agree with always requiring both issuer and subject and > that doing so keeps the specs simpler and is likely to improve
> interoperability.
>
> However, without changing that, perhaps some of the text in the
> document(s) could be improved a bit. Here's a rough proposal:
>
> Change the text of the second bullet in
> http://tools.ietf.org/html/draft-ietf-oauth-a= ssertions-15#section-5.2 to
>
> "The assertion MUST contain a Subject. The Subject typically iden= tifies
> an authorized accessor for which the access token is being requested > (i.e. the resource owner, or an authorized delegate) but, in some case= s,
> may be a pseudonym or other value denoting an anonymous user. When the=
> client is acting on behalf of itself, the Subject MUST be the value of=
> the client's client_id."
>
> And also change
> http://tools.ietf.org/html/draft-ietf-oauth= -assertions-15#section-6.3.1 to
>
> "When a client is accessing resources on behalf of an anonymous u= ser, a
> mutually agreed upon Subject identifier indicating anonymity is used.<= br> > The Subject value might be an agreed upon static value indicating an > anonymous user or an opaque persistent or transient pseudonym for the<= br> > user may also be utilized. The authorization may be based upon
> additional criteria, such as additional attributes or claims provided = in
> the assertion. For example, a client may present an assertion from a > trusted issuer asserting that the bearer is over 18 via an included > claim. In this case, no additional information about the user's id= entity
> is included, yet all the data needed to issue an access token is prese= nt."
>
> And maybe also change the subject text in SAML and JWT (item #2 in
> http://tools.ietf.org/html/draft-ietf-oauth-jwt= -bearer-08#section-3 and
> http://tools.ietf.org/html/draft-ietf-oauth-s= aml2-bearer-19#section-3)
> to read a little more like the new proposed text above for section 5.2=
> of the Assertion Framework draft.
>
> Would that sit any better with you, Hannes? Thoughts from others in th= e WG?
>
>
> On Fri, Apr 25, 2014 at 1:08 PM, John Bradley <ve7jtb@ve7jtb.com
> <mailto:ve7jtb@ve7jtb.com>> wrote:
>
> =C2=A0 =C2=A0 Agreed.
>
> =C2=A0 =C2=A0 On Apr 25, 2014, at 3:07 PM, Mike Jones <Michael.Jones@microsoft.com
> =C2=A0 =C2=A0 <mailto:Michael.Jones@microsoft.com>> wrote:
>
>> =C2=A0 =C2=A0 I agree. =C2=A0We=E2=80=99d already discussed this p= retty extensively and
>> =C2=A0 =C2=A0 reached the conclusion that always requiring both an= issuer and a
>> =C2=A0 =C2=A0 subject both kept the specs simpler and was likely t= o improve
>> =C2=A0 =C2=A0 interoperability.____
>>
>> =C2=A0 =C2=A0 It=E2=80=99s entirely up to the application profile = what the contents of
>> =C2=A0 =C2=A0 the issuer and the subject fields are and so I don= =E2=80=99t think we need
>> =C2=A0 =C2=A0 to further specify their contents beyond what=E2=80= =99s already in the
>> =C2=A0 =C2=A0 specs.____
>>
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 --
>> =C2=A0 =C2=A0 Mike____
>>
>> =C2=A0 =C2=A0 *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Brian
>> =C2=A0 =C2=A0 Campbell
>> =C2=A0 =C2=A0 *Sent:* Friday, April 25, 2014 10:17 AM
>> =C2=A0 =C2=A0 *To:* Hannes Tschofenig
>> =C2=A0 =C2=A0 *Cc:* oauth@ietf.o= rg <mailto:oauth@ietf.org><= br> >> =C2=A0 =C2=A0 *Subject:* Re: [OAUTH-WG] draft-ietf-oauth-jwt-beare= r-08 & subject
>> =C2=A0 =C2=A0 issue____
>> =C2=A0 =C2=A0 __ __
>>
>> =C2=A0 =C2=A0 I believe, from the thread referenced earlier and pr= ior discussion
>> =C2=A0 =C2=A0 and draft text, that the WG has reached (rough) cons= ensus to
>> =C2=A0 =C2=A0 require the subject claim. So text that says "S= ubject element MUST
>> =C2=A0 =C2=A0 NOT be included" isn't workable.____<= br>
>>
>> =C2=A0 =C2=A0 It seems what's needed here is some better expla= nation of how, in
>> =C2=A0 =C2=A0 cases that need it, the value of the subject can be = populated
>> =C2=A0 =C2=A0 without using a PII type value. A simple static valu= e like
>> =C2=A0 =C2=A0 "ANONYMOUS-SUBJECT" could be used. Or, mor= e likely, some kind of
>> =C2=A0 =C2=A0 pairwise persistent pseudonymous identifier would be= utilized,
>> =C2=A0 =C2=A0 which would not directly identify the subject but wo= uld allow the
>> =C2=A0 =C2=A0 relying party to recognize the same subject on subse= quent
>> =C2=A0 =C2=A0 transactions. A transient pseudonym might also be ap= propriate in
>> =C2=A0 =C2=A0 some cases. And any of those approaches could be use= d with or
>> =C2=A0 =C2=A0 without additional claims (like age > 18 or membe= rship in some
>> =C2=A0 =C2=A0 group) that get used to make an authorization = decision. ____
>>
>> =C2=A0 =C2=A0 I wasn't sure exactly how to articulate all that= in text for the
>> =C2=A0 =C2=A0 draft(s) but that's more of what I was asking fo= r when I asked if
>> =C2=A0 =C2=A0 you could propose some text.____
>>
>>
>>
>>
>> =C2=A0 =C2=A0 ____
>>
>> =C2=A0 =C2=A0 __ __
>>
>> =C2=A0 =C2=A0 On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig
>> =C2=A0 =C2=A0 <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>
>> =C2=A0 =C2=A0 wrote:____
>> =C2=A0 =C2=A0 Hi Brian,
>>
>> =C2=A0 =C2=A0 Thanks for pointing to the assertion framework docum= ent.
>> =C2=A0 =C2=A0 Re-reading the
>> =C2=A0 =C2=A0 text it appears that we have listed the case that in= Section 6.3.1 but
>> =C2=A0 =C2=A0 have forgotten to cover it elsewhere in the document= .
>>
>>
>> =C2=A0 =C2=A0 In Section 6.3.1 we say:
>>
>> =C2=A0 =C2=A0 "
>>
>> =C2=A0 =C2=A0 6.3.1. =C2=A0Client Acting on Behalf of an Anonymous= User
>>
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0When a client is accessing resources on= behalf of an anonymous
>> =C2=A0 =C2=A0 user,
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0the Subject indicates to the Authorizat= ion Server that the
>> =C2=A0 =C2=A0 client is
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0acting on-behalf of an anonymous user a= s defined by the
>> =C2=A0 =C2=A0 Authorization
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0Server. =C2=A0It is implied that author= ization is based upon additional
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0criteria, such as additional attributes= or claims provided in the
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0assertion. =C2=A0For example, a client = may present an assertion from a
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0trusted issuer asserting that the beare= r is over 18 via an included
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0claim.
>>
>> =C2=A0 =C2=A0 *****
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 In this case, no additional informatio= n about the user's
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0identity is included, yet all the data = needed to issue an access
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0token is present.
>> =C2=A0 =C2=A0 *****
>> =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 (I marked the relevant part with '***')
>>
>>
>> =C2=A0 =C2=A0 In Section 5.2, however, we say:
>>
>>
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0o =C2=A0The assertion MUST contain a Su= bject. =C2=A0The Subject identifies an
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized accessor for which t= he access token is being
>> =C2=A0 =C2=A0 requested
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (typically the resource owner, = or an authorized delegate). =C2=A0When
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 the client is acting on behalf = of itself, the Subject MUST
>> =C2=A0 =C2=A0 be the
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 value of the client's "= ;client_id".
>>
>>
>> =C2=A0 =C2=A0 What we should have done in Section 5.2 is to expand= the cases inline
>> =C2=A0 =C2=A0 with what we have written in Section 6.
>>
>> =C2=A0 =C2=A0 Here is my proposed text:
>>
>> =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 o =C2=A0The assertion MUST contain a Subject. =C2=A0= The Subject identifies an
>> =C2=A0 =C2=A0 authorized accessor for which the access= token is being requested____
>>
>> =C2=A0 =C2=A0 (typically the resource owner, or an authorized dele= gate).
>>
>> =C2=A0 =C2=A0 ____
>>
>> =C2=A0 =C2=A0 When the client is acting on behalf of itself, as de= scribed in Section
>> =C2=A0 =C2=A0 6.1 and Section 6.2, the Subject MUST be the value o= f the client's
>> =C2=A0 =C2=A0 "client_id".
>>
>> =C2=A0 =C2=A0 When the client is acting on behalf of an user, as d= escribed in
>> =C2=A0 =C2=A0 Section
>> =C2=A0 =C2=A0 6.3, the Subject element MUST be included in the ass= ertion and
>> =C2=A0 =C2=A0 identifies an authorized accessor for which the acce= ss token is being
>> =C2=A0 =C2=A0 requested.
>>
>> =C2=A0 =C2=A0 When the client is acting on behalf of an anonymous = user, as described
>> =C2=A0 =C2=A0 in Section 6.3.1, the Subject element MUST NOT be in= cluded in the
>> =C2=A0 =C2=A0 assertion. Other elements within the assertion will,= however, provide
>> =C2=A0 =C2=A0 enough information for the authorization server to m= ake an
>> =C2=A0 =C2=A0 authorization
>> =C2=A0 =C2=A0 decision.
>> =C2=A0 =C2=A0 "
>>
>> =C2=A0 =C2=A0 Does this make sense to you?
>>
>> =C2=A0 =C2=A0 Ciao
>> =C2=A0 =C2=A0 Hannes____
>>
>>
>> =C2=A0 =C2=A0 On 04/24/2014 02:30 PM, Brian Campbell wrote:
>> =C2=A0 =C2=A0 > There is some discussion of that case in the as= sertion framework
>> =C2=A0 =C2=A0 > document at
>> =C2=A0 =C2=A0 > http://tools.ietf.or= g/html/draft-ietf-oauth-assertions-15#section-6.3.1
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > Do you feel that more is needed? If so, can you= propose some text?
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > On Thu, Apr 24, 2014 at 1:09 AM, Hannes T= schofenig____
>> =C2=A0 =C2=A0 > <hannes.tschofenig@gmx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net> <mailto:hannes.tschofenig@gmx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>>> wrote:
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hi Brian,
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I read through the thread and the= Google case is a bit
>> =C2=A0 =C2=A0 different since
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 they are using the client authent= ication part of the JWT
>> =C2=A0 =C2=A0 bearer spec.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 There I don't see the privacy= concerns either.
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I am, however, focused on the aut= horization grant where the
>> =C2=A0 =C2=A0 subject is
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 in most cases the resource owner.=
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 It is possible to put garbage int= o the subject element when
>> =C2=A0 =C2=A0 privacy
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 protection is needed for the reso= urce owner case but that
>> =C2=A0 =C2=A0 would need to
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 be described in the document; cur= rently it is not there.
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Ciao
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hannes
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 On 04/24/2014 12:37 AM, Brian Cam= pbell wrote:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > That thread that Antonio sta= rted which you reference went
>> =C2=A0 =C2=A0 on for some
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > time
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 (http://www.ietf.org/mail-a= rchive/web/oauth/current/threads.html#12520)
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > and seems to have reached co= nsensus that the spec didn't need
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 normative
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > change and that such privacy= cases or other cases which didn't
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > explicitly need a subject id= entifier would be more
>> =C2=A0 =C2=A0 appropriately dealt
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > with in application logic: >> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > http://www.ietf.org/mail-ar= chive/web/oauth/current/msg12538.html
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > On Wed, Apr 23, 2014 at 2:39= AM, Hannes Tschofenig
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > <hannes.tschofenig@gmx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net> <mailto:hannes.tschofenig@gmx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>>____
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>____
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 <mailto= :hannes.tschofenig@gmx.net=
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>>>> wrote:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hi all,
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 in preparing t= he shepherd write-up for
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 draft-ietf-oauth-jwt-bearer-08 I<= br> >> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 had to review = our recent email conversations and the issue
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 raised by
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Antonio in
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 =C2=A0 http://www.ietf.org/mail-= archive/web/oauth/current/msg12520.html belong
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 to it.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 The issue was = that Section 3 of
>> =C2=A0 =C2=A0 draft-ietf-oauth-jwt-bearer-08
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 says:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A02= . =C2=A0 The JWT MUST contain a "sub" (subject) claim
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 identifying the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 principal that is the subject of the JWT. =C2=A0Two
>> =C2=A0 =C2=A0 cases
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 need to be
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 differentiated:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 A. =C2=A0For the authorization grant, the subject
>> =C2=A0 =C2=A0 SHOULD
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 identify an
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized accessor for whom the access
>> =C2=A0 =C2=A0 token is being
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 requested (typically the resource owner, or an<= br> >> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorized
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 delegate).
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 B. =C2=A0For client authentication, the subject
>> =C2=A0 =C2=A0 MUST be the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 "client_id" of the OAuth client.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Antonio pointe= d to the current Google API to
>> =C2=A0 =C2=A0 illustrate that
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 the subject
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 is not always = needed. Here is the Google API
>> =C2=A0 =C2=A0 documentation:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 =C2=A0 https://developers.google= .com/accounts/docs/OAuth2ServiceAccount
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 The Google API= used the client authentication part (rather
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 than the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorization = grant), in my understanding.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I still believ= e that the subject field has to be
>> =C2=A0 =C2=A0 included for
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 client
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authentication= but I am not so sure anymore about the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorization
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 grant since I = could very well imagine cases where the
>> =C2=A0 =C2=A0 subject
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 is not
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 needed for aut= horization decisions but also for
>> =C2=A0 =C2=A0 privacy reasons.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I would theref= ore suggest to change the text as follows:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A02= . =C2=A0 The JWT contains a "sub" (subject) claim
>> =C2=A0 =C2=A0 identifying the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 principal that is the subject of the JWT. =C2=A0Two
>> =C2=A0 =C2=A0 cases
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 need to be
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 differentiated:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 A. =C2=A0For the authorization grant, the subject
>> =C2=A0 =C2=A0 claim MAY
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 be included. If it is included it MUST
>> =C2=A0 =C2=A0 identify the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized accessor for whom the access
>> =C2=A0 =C2=A0 token is being
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 requested (typically the resource owner, or an<= br> >> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorized
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 delegate). Reasons for not including the
>> =C2=A0 =C2=A0 subject claim
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 in the JWT are identity hiding (i.e., privacy >> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 protection
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 of the identifier of the subject) and
>> =C2=A0 =C2=A0 cases where
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 the identifier of the subject is
>> =C2=A0 =C2=A0 irrelevant for making
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 an authorization decision by the resource
>> =C2=A0 =C2=A0 server.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 B. =C2=A0For client authentication, the subject
>> =C2=A0 =C2=A0 MUST be the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 included in the JWT and the value MUST be
>> =C2=A0 =C2=A0 populated
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 with the "client_id" of the OAuth cli= ent.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 What do you gu= ys think?
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Ciao
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hannes
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 ______________= _________________________________
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 OA= uth mailing list____
>>
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 OAuth@ietf.org
>> =C2=A0 =C2=A0 <mailto:OAuth@i= etf.org> <mailto:OAuth@ietf.org=
>> =C2=A0 =C2=A0 <mailto:O= Auth@ietf.org>> <mailto:OAut= h@ietf.org
>> =C2=A0 =C2=A0 <mailto:OAuth@i= etf.org>
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>>>
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 https://www.iet= f.org/mailman/listinfo/oauth
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >____
>>
>> =C2=A0 =C2=A0 __ __
>> =C2=A0 =C2=A0 ____________________________________= ___________
>> =C2=A0 =C2=A0 OAuth mailing list
>> =C2=A0 =C2=A0 OAuth@ietf.org= <mailto:OAuth@ietf.org>
>> =C2=A0 =C2=A0 https://www.ietf.org/mailman/listinfo/oauth=
>
>


--089e014954be54e40f04f81eaa12-- From nobody Mon Apr 28 14:56:25 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98CF31A884A; Mon, 28 Apr 2014 14:56:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ouXcK-hW1aHx; Mon, 28 Apr 2014 14:56:13 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C4F361A883E; Mon, 28 Apr 2014 14:56:08 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 5.4.1 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140428215608.2923.20956.idtracker@ietfa.amsl.com> Date: Mon, 28 Apr 2014 14:56:08 -0700 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/U6xfvnwG9jKOMNq3Xk8BcpGz2QE Cc: oauth@ietf.org Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-assertions-16.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 21:56:16 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants Authors : Brian Campbell Chuck Mortimore Michael B. Jones Yaron Y. Goland Filename : draft-ietf-oauth-assertions-16.txt Pages : 23 Date : 2014-04-28 Abstract: This specification provides a framework for the use of assertions with OAuth 2.0 in the form of a new client authentication mechanism and a new authorization grant type. Mechanisms are specified for transporting assertions during interactions with a token endpoint, as well as general processing rules. The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions, and to provide alternative client authentication mechanisms. Note that this specification only defines abstract message flows and processing rules. In order to be implementable, companion specifications are necessary to provide the corresponding concrete instantiations. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/ There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-oauth-assertions-16 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-assertions-16 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Mon Apr 28 14:57:56 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9929E1A6FB8; Mon, 28 Apr 2014 14:57:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R1IpkVMZeGOg; Mon, 28 Apr 2014 14:57:48 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BA761A882A; Mon, 28 Apr 2014 14:57:46 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 5.4.1 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140428215746.11463.40665.idtracker@ietfa.amsl.com> Date: Mon, 28 Apr 2014 14:57:46 -0700 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/f2YZOVqUDHwN3lfyzofC2NfcgZw Cc: oauth@ietf.org Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-bearer-09.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 21:57:49 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants Authors : Michael B. Jones Brian Campbell Chuck Mortimore Filename : draft-ietf-oauth-jwt-bearer-09.txt Pages : 14 Date : 2014-04-28 Abstract: This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/ There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-09 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bearer-09 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Mon Apr 28 14:58:33 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C36A41A6FB7; Mon, 28 Apr 2014 14:58:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fpDwphrd6SHl; Mon, 28 Apr 2014 14:58:27 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F1B01A8837; Mon, 28 Apr 2014 14:58:26 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 5.4.1 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140428215826.2923.39640.idtracker@ietfa.amsl.com> Date: Mon, 28 Apr 2014 14:58:26 -0700 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/yFyYvVtCguqljvSpFNYayjg7S08 Cc: oauth@ietf.org Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-saml2-bearer-20.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 21:58:29 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants Authors : Brian Campbell Chuck Mortimore Michael B. Jones Filename : draft-ietf-oauth-saml2-bearer-20.txt Pages : 20 Date : 2014-04-28 Abstract: This specification defines the use of a SAML 2.0 Bearer Assertion as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/ There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-20 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-saml2-bearer-20 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Mon Apr 28 15:02:50 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DDD81A7035 for ; Mon, 28 Apr 2014 15:02:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NUh8HC5OP7vc for ; Mon, 28 Apr 2014 15:02:34 -0700 (PDT) Received: from na3sys009aog134.obsmtp.com (na3sys009aog134.obsmtp.com [74.125.149.83]) by ietfa.amsl.com (Postfix) with ESMTP id C19651A8837 for ; Mon, 28 Apr 2014 15:02:33 -0700 (PDT) Received: from mail-ig0-f180.google.com ([209.85.213.180]) (using TLSv1) by na3sys009aob134.postini.com ([74.125.148.12]) with SMTP ID DSNKU17P74si/FxDI2anXPv4tSIidxV7nplb@postini.com; Mon, 28 Apr 2014 15:02:33 PDT Received: by mail-ig0-f180.google.com with SMTP id r2so246536igi.7 for ; Mon, 28 Apr 2014 15:02:22 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=SdZp8POGL62o782SgzUXt9nKY73VKVjRf1bQuqGBcik=; b=gCw+c27HvzyEZotFxrQ/UnAf/UlWKYZ8O/LrfE0wNYAQNehWz1ONKe/MG+yXXqrL2x ij6Pq92KQpdE3JFibRYLz1Sn3TCWxjxnu4b//GtSC6KXEu+01vJEjdEIci8FlhsFAFkh ReJwTX/VlLWjJzOf9+7R9JCP4SNRTn3hzcJmvn7oRO5xsPcrqgmsvzAF8HB30PCdYTEf iDtL1wH+9jhKIYBLJ7uR85NKNNh4hzgicBwCcRgEDhOZdVy2QQVLzJyPmOVD5nZNhpMV eTQnjR/HbE8A4qcQ9APmmyWPev3flzdzQQc0UqqDe3/N8m1Jcyz7udx7IMEKIianaZVH 9vQw== X-Gm-Message-State: ALoCoQksUs1RBjDN82njqJS7mIaBgUSjZA6Wc0WEihhHRajrP7iEz582ntq3qfdNXGZDDVjF0SLUcwclwYOT/eWxS28P4QU5yJhRjP7RBDHk6wA2pGkDUb97qHBsy1vPqEtY6YPUpq+C X-Received: by 10.50.153.49 with SMTP id vd17mr27647449igb.40.1398722542671; Mon, 28 Apr 2014 15:02:22 -0700 (PDT) X-Received: by 10.50.153.49 with SMTP id vd17mr27647435igb.40.1398722542554; Mon, 28 Apr 2014 15:02:22 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Mon, 28 Apr 2014 15:01:52 -0700 (PDT) In-Reply-To: References: <53577C41.2090606@gmx.net> <5358B8BC.8000508@gmx.net> <53590810.8000503@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> <535E160E.3010106@gmx.net> From: Brian Campbell Date: Mon, 28 Apr 2014 16:01:52 -0600 Message-ID: To: Hannes Tschofenig Content-Type: multipart/alternative; boundary=089e014954be49e4cd04f8217808 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/ct7bAGcLTUGHo43c87iiGXdfbyU Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2014 22:02:41 -0000 --089e014954be49e4cd04f8217808 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable And those new drafts have now been published: http://tools.ietf.org/html/draft-ietf-oauth-assertions-16 http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-09 http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-20 On Mon, Apr 28, 2014 at 12:41 PM, Brian Campbell wrote: > Thanks Hannes, > > I'll update that text to reference RFC 6973 and also to indicate a > specific value which could be used for the anonymous user. And I'll publi= sh > new drafts here soon(ish). > > > > > > > On Mon, Apr 28, 2014 at 2:49 AM, Hannes Tschofenig < > hannes.tschofenig@gmx.net> wrote: > >> Hi all, >> >> your text proposal sounds reasonable and it might, as suggested, >> indicate what value to put in there for the anonymous user (such as >> 'anonymous'). Saying explicitly what implementers should be doing helps >> interoperability. >> >> Mentioning the pseudonym is also a good idea since in some cases >> anonymity can be too strong and pseudonymity is what is desired. For the >> terminology you could reference RFC 6973. >> >> Ciao >> Hannes >> >> PS: A note to various folks in this email thread: We have not discussed >> this issue before. As I mentioned in my original email we had only >> discussed a related issue regarding client authentication. Antonio's >> email lead me to think about the authorization grant, which is obviously >> a different story (which only happens to be in the same document because >> of the document structure we came up with). >> >> On 04/25/2014 09:57 PM, Brian Campbell wrote: >> > I absolutely agree with always requiring both issuer and subject and >> > that doing so keeps the specs simpler and is likely to improve >> > interoperability. >> > >> > However, without changing that, perhaps some of the text in the >> > document(s) could be improved a bit. Here's a rough proposal: >> > >> > Change the text of the second bullet in >> > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2t= o >> > >> > "The assertion MUST contain a Subject. The Subject typically identifie= s >> > an authorized accessor for which the access token is being requested >> > (i.e. the resource owner, or an authorized delegate) but, in some case= s, >> > may be a pseudonym or other value denoting an anonymous user. When the >> > client is acting on behalf of itself, the Subject MUST be the value of >> > the client's client_id." >> > >> > And also change >> > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.= 1to >> > >> > "When a client is accessing resources on behalf of an anonymous user, = a >> > mutually agreed upon Subject identifier indicating anonymity is used. >> > The Subject value might be an agreed upon static value indicating an >> > anonymous user or an opaque persistent or transient pseudonym for the >> > user may also be utilized. The authorization may be based upon >> > additional criteria, such as additional attributes or claims provided = in >> > the assertion. For example, a client may present an assertion from a >> > trusted issuer asserting that the bearer is over 18 via an included >> > claim. In this case, no additional information about the user's identi= ty >> > is included, yet all the data needed to issue an access token is >> present." >> > >> > And maybe also change the subject text in SAML and JWT (item #2 in >> > http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3 an= d >> > http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3) >> > to read a little more like the new proposed text above for section 5.2 >> > of the Assertion Framework draft. >> > >> > Would that sit any better with you, Hannes? Thoughts from others in th= e >> WG? >> > >> > >> > On Fri, Apr 25, 2014 at 1:08 PM, John Bradley > > > wrote: >> > >> > Agreed. >> > >> > On Apr 25, 2014, at 3:07 PM, Mike Jones < >> Michael.Jones@microsoft.com >> > > wrote: >> > >> >> I agree. We=E2=80=99d already discussed this pretty extensively = and >> >> reached the conclusion that always requiring both an issuer and a >> >> subject both kept the specs simpler and was likely to improve >> >> interoperability.____ >> >> >> >> It=E2=80=99s entirely up to the application profile what the cont= ents of >> >> the issuer and the subject fields are and so I don=E2=80=99t thin= k we need >> >> to further specify their contents beyond what=E2=80=99s already i= n the >> >> specs.____ >> >> >> >> -- >> >> Mike____ >> >> >> >> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Bria= n >> >> Campbell >> >> *Sent:* Friday, April 25, 2014 10:17 AM >> >> *To:* Hannes Tschofenig >> >> *Cc:* oauth@ietf.org >> >> *Subject:* Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subjec= t >> >> issue____ >> >> __ __ >> >> >> >> I believe, from the thread referenced earlier and prior discussio= n >> >> and draft text, that the WG has reached (rough) consensus to >> >> require the subject claim. So text that says "Subject element MUS= T >> >> NOT be included" isn't workable.____ >> >> >> >> It seems what's needed here is some better explanation of how, in >> >> cases that need it, the value of the subject can be populated >> >> without using a PII type value. A simple static value like >> >> "ANONYMOUS-SUBJECT" could be used. Or, more likely, some kind of >> >> pairwise persistent pseudonymous identifier would be utilized, >> >> which would not directly identify the subject but would allow the >> >> relying party to recognize the same subject on subsequent >> >> transactions. A transient pseudonym might also be appropriate in >> >> some cases. And any of those approaches could be used with or >> >> without additional claims (like age > 18 or membership in some >> >> group) that get used to make an authorization decision. ____ >> >> >> >> I wasn't sure exactly how to articulate all that in text for the >> >> draft(s) but that's more of what I was asking for when I asked if >> >> you could propose some text.____ >> >> >> >> >> >> >> >> >> >> ____ >> >> >> >> __ __ >> >> >> >> On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig >> >> > >> >> wrote:____ >> >> Hi Brian, >> >> >> >> Thanks for pointing to the assertion framework document. >> >> Re-reading the >> >> text it appears that we have listed the case that in Section 6.3.= 1 >> but >> >> have forgotten to cover it elsewhere in the document. >> >> >> >> >> >> In Section 6.3.1 we say: >> >> >> >> " >> >> >> >> 6.3.1. Client Acting on Behalf of an Anonymous User >> >> >> >> When a client is accessing resources on behalf of an anonymous >> >> user, >> >> the Subject indicates to the Authorization Server that the >> >> client is >> >> acting on-behalf of an anonymous user as defined by the >> >> Authorization >> >> Server. It is implied that authorization is based upon >> additional >> >> criteria, such as additional attributes or claims provided in >> the >> >> assertion. For example, a client may present an assertion fro= m >> a >> >> trusted issuer asserting that the bearer is over 18 via an >> included >> >> claim. >> >> >> >> ***** >> >> In this case, no additional information about the user's >> >> identity is included, yet all the data needed to issue an acce= ss >> >> token is present. >> >> ***** >> >> " >> >> (I marked the relevant part with '***') >> >> >> >> >> >> In Section 5.2, however, we say: >> >> >> >> >> >> o The assertion MUST contain a Subject. The Subject >> identifies an >> >> authorized accessor for which the access token is being >> >> requested >> >> (typically the resource owner, or an authorized delegate). >> When >> >> the client is acting on behalf of itself, the Subject MUST >> >> be the >> >> value of the client's "client_id". >> >> >> >> >> >> What we should have done in Section 5.2 is to expand the cases >> inline >> >> with what we have written in Section 6. >> >> >> >> Here is my proposed text: >> >> >> >> " >> >> o The assertion MUST contain a Subject. The Subject identifies = an >> >> authorized accessor for which the access token is being >> requested____ >> >> >> >> (typically the resource owner, or an authorized delegate). >> >> >> >> ____ >> >> >> >> When the client is acting on behalf of itself, as described in >> Section >> >> 6.1 and Section 6.2, the Subject MUST be the value of the client'= s >> >> "client_id". >> >> >> >> When the client is acting on behalf of an user, as described in >> >> Section >> >> 6.3, the Subject element MUST be included in the assertion and >> >> identifies an authorized accessor for which the access token is >> being >> >> requested. >> >> >> >> When the client is acting on behalf of an anonymous user, as >> described >> >> in Section 6.3.1, the Subject element MUST NOT be included in the >> >> assertion. Other elements within the assertion will, however, >> provide >> >> enough information for the authorization server to make an >> >> authorization >> >> decision. >> >> " >> >> >> >> Does this make sense to you? >> >> >> >> Ciao >> >> Hannes____ >> >> >> >> >> >> On 04/24/2014 02:30 PM, Brian Campbell wrote: >> >> > There is some discussion of that case in the assertion framewor= k >> >> > document at >> >> > >> http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 >> >> > >> >> > Do you feel that more is needed? If so, can you propose some >> text? >> >> > >> >> > >> >> > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig____ >> >> > > >> > hannes.tschofenig@gmx.net >> >> >> wrote: >> >> > >> >> > Hi Brian, >> >> > >> >> > I read through the thread and the Google case is a bit >> >> different since >> >> > they are using the client authentication part of the JWT >> >> bearer spec. >> >> > There I don't see the privacy concerns either. >> >> > >> >> > I am, however, focused on the authorization grant where the >> >> subject is >> >> > in most cases the resource owner. >> >> > >> >> > It is possible to put garbage into the subject element when >> >> privacy >> >> > protection is needed for the resource owner case but that >> >> would need to >> >> > be described in the document; currently it is not there. >> >> > >> >> > Ciao >> >> > Hannes >> >> > >> >> > >> >> > On 04/24/2014 12:37 AM, Brian Campbell wrote: >> >> > > That thread that Antonio started which you reference went >> >> on for some >> >> > > time >> >> > > >> >> > >> >> ( >> http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) >> >> > > and seems to have reached consensus that the spec didn't >> need >> >> > normative >> >> > > change and that such privacy cases or other cases which >> didn't >> >> > > explicitly need a subject identifier would be more >> >> appropriately dealt >> >> > > with in application logic: >> >> > >> >> > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.htm= l >> >> > > >> >> > > >> >> > > >> >> > > >> >> > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig >> >> > > > >> > hannes.tschofenig@gmx.net >> >> >____ >> >> > > >> ____ >> >> > > >> >>> wrote: >> >> > > >> >> > > Hi all, >> >> > > >> >> > > in preparing the shepherd write-up for >> >> > draft-ietf-oauth-jwt-bearer-08 I >> >> > > had to review our recent email conversations and the >> issue >> >> > raised by >> >> > > Antonio in >> >> > > >> >> > >> >> http://www.ietf.org/mail-archive/web/oauth/current/msg12520.htm= lbelong >> >> > > to it. >> >> > > >> >> > > The issue was that Section 3 of >> >> draft-ietf-oauth-jwt-bearer-08 >> >> > says: >> >> > > " >> >> > > 2. The JWT MUST contain a "sub" (subject) claim >> >> > identifying the >> >> > > principal that is the subject of the JWT. Tw= o >> >> cases >> >> > need to be >> >> > > differentiated: >> >> > > >> >> > > A. For the authorization grant, the subject >> >> SHOULD >> >> > identify an >> >> > > authorized accessor for whom the access >> >> token is being >> >> > > requested (typically the resource owner, >> or an >> >> > authorized >> >> > > delegate). >> >> > > >> >> > > B. For client authentication, the subject >> >> MUST be the >> >> > > "client_id" of the OAuth client. >> >> > > " >> >> > > >> >> > > Antonio pointed to the current Google API to >> >> illustrate that >> >> > the subject >> >> > > is not always needed. Here is the Google API >> >> documentation: >> >> > > >> >> https://developers.google.com/accounts/docs/OAuth2ServiceAccoun= t >> >> > > >> >> > > The Google API used the client authentication part >> (rather >> >> > than the >> >> > > authorization grant), in my understanding. >> >> > > >> >> > > I still believe that the subject field has to be >> >> included for >> >> > client >> >> > > authentication but I am not so sure anymore about the >> >> > authorization >> >> > > grant since I could very well imagine cases where the >> >> subject >> >> > is not >> >> > > needed for authorization decisions but also for >> >> privacy reasons. >> >> > > >> >> > > I would therefore suggest to change the text as >> follows: >> >> > > >> >> > > " >> >> > > 2. The JWT contains a "sub" (subject) claim >> >> identifying the >> >> > > principal that is the subject of the JWT. Tw= o >> >> cases >> >> > need to be >> >> > > differentiated: >> >> > > >> >> > > A. For the authorization grant, the subject >> >> claim MAY >> >> > > be included. If it is included it MUST >> >> identify the >> >> > > authorized accessor for whom the access >> >> token is being >> >> > > requested (typically the resource owner, >> or an >> >> > authorized >> >> > > delegate). Reasons for not including the >> >> subject claim >> >> > > in the JWT are identity hiding (i.e., >> privacy >> >> > protection >> >> > > of the identifier of the subject) and >> >> cases where >> >> > > the identifier of the subject is >> >> irrelevant for making >> >> > > an authorization decision by the resource >> >> server. >> >> > > >> >> > > B. For client authentication, the subject >> >> MUST be the >> >> > > included in the JWT and the value MUST be >> >> populated >> >> > > with the "client_id" of the OAuth client. >> >> > > " >> >> > > >> >> > > What do you guys think? >> >> > > >> >> > > Ciao >> >> > > Hannes >> >> > > >> >> > > >> >> > > _______________________________________________ >> >> > > OAuth mailing list____ >> >> >> >> > > OAuth@ietf.org >> >> > >> > > >> >> >> > >> >> >> > > https://www.ietf.org/mailman/listinfo/oauth >> >> > > >> >> > > >> >> > >> >> >____ >> >> >> >> __ __ >> >> _______________________________________________ >> >> OAuth mailing list >> >> OAuth@ietf.org >> >> https://www.ietf.org/mailman/listinfo/oauth >> > >> > >> >> > --089e014954be49e4cd04f8217808 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Mon, Apr 28, 20= 14 at 12:41 PM, Brian Campbell <bcampbell@pingidentity.com>= ; wrote:
Thanks Hannes,

=
I'll update that text to reference RFC 6973 and also to indicate = a specific value which could be used for the anonymous user. And I'll = publish new drafts here soon(ish).






On Mon, Apr 28, 2014 at 2:49 AM, Hannes Tschofenig <= ;hannes.tsch= ofenig@gmx.net> wrote:
Hi all,

your text proposal sounds reasonable and it might, as suggested,
indicate what value to put in there for the anonymous user (such as
'anonymous'). Saying explicitly what implementers should be doing h= elps
interoperability.

Mentioning the pseudonym is also a good idea since in some cases
anonymity can be too strong and pseudonymity is what is desired. For the terminology you could reference RFC 6973.

Ciao
Hannes

PS: A note to various folks in this email thread: We have not discussed
this issue before. As I mentioned in my original email we had only
discussed a related issue regarding client authentication. Antonio's email lead me to think about the authorization grant, which is obviously a different story (which only happens to be in the same document because of the document structure we came up with).

On 04/25/2014 09:57 PM, Brian Campbell wrote:
> I absolutely agree with always requiring both issuer and subject and > that doing so keeps the specs simpler and is likely to improve
> interoperability.
>
> However, without changing that, perhaps some of the text in the
> document(s) could be improved a bit. Here's a rough proposal:
>
> Change the text of the second bullet in
> http://tools.ietf.org/html/draft-ietf-oauth-a= ssertions-15#section-5.2 to
>
> "The assertion MUST contain a Subject. The Subject typically iden= tifies
> an authorized accessor for which the access token is being requested > (i.e. the resource owner, or an authorized delegate) but, in some case= s,
> may be a pseudonym or other value denoting an anonymous user. When the=
> client is acting on behalf of itself, the Subject MUST be the value of=
> the client's client_id."
>
> And also change
> http://tools.ietf.org/html/draft-ietf-oauth= -assertions-15#section-6.3.1 to
>
> "When a client is accessing resources on behalf of an anonymous u= ser, a
> mutually agreed upon Subject identifier indicating anonymity is used.<= br> > The Subject value might be an agreed upon static value indicating an > anonymous user or an opaque persistent or transient pseudonym for the<= br> > user may also be utilized. The authorization may be based upon
> additional criteria, such as additional attributes or claims provided = in
> the assertion. For example, a client may present an assertion from a > trusted issuer asserting that the bearer is over 18 via an included > claim. In this case, no additional information about the user's id= entity
> is included, yet all the data needed to issue an access token is prese= nt."
>
> And maybe also change the subject text in SAML and JWT (item #2 in
> http://tools.ietf.org/html/draft-ietf-oauth-jwt= -bearer-08#section-3 and
> http://tools.ietf.org/html/draft-ietf-oauth-s= aml2-bearer-19#section-3)
> to read a little more like the new proposed text above for section 5.2=
> of the Assertion Framework draft.
>
> Would that sit any better with you, Hannes? Thoughts from others in th= e WG?
>
>
> On Fri, Apr 25, 2014 at 1:08 PM, John Bradley <ve7jtb@ve7jtb.com
> <mailto:ve7jtb@ve7jtb.com>> wrote:
>
> =C2=A0 =C2=A0 Agreed.
>
> =C2=A0 =C2=A0 On Apr 25, 2014, at 3:07 PM, Mike Jones <Michael.Jones@microsof= t.com
> =C2=A0 =C2=A0 <mailto:Michael.Jones@microsoft.com>> wrot= e:
>
>> =C2=A0 =C2=A0 I agree. =C2=A0We=E2=80=99d already discussed this p= retty extensively and
>> =C2=A0 =C2=A0 reached the conclusion that always requiring both an= issuer and a
>> =C2=A0 =C2=A0 subject both kept the specs simpler and was likely t= o improve
>> =C2=A0 =C2=A0 interoperability.____
>>
>> =C2=A0 =C2=A0 It=E2=80=99s entirely up to the application profile = what the contents of
>> =C2=A0 =C2=A0 the issuer and the subject fields are and so I don= =E2=80=99t think we need
>> =C2=A0 =C2=A0 to further specify their contents beyond what=E2=80= =99s already in the
>> =C2=A0 =C2=A0 specs.____
>>
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 --
>> =C2=A0 =C2=A0 Mike____
>>
>> =C2=A0 =C2=A0 *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Br= ian
>> =C2=A0 =C2=A0 Campbell
>> =C2=A0 =C2=A0 *Sent:* Friday, April 25, 2014 10:17 AM
>> =C2=A0 =C2=A0 *To:* Hannes Tschofenig
>> =C2=A0 =C2=A0 *Cc:* oauth@ietf.org <mailto:oauth@ietf.org>
>> =C2=A0 =C2=A0 *Subject:* Re: [OAUTH-WG] draft-ietf-oauth-jwt-beare= r-08 & subject
>> =C2=A0 =C2=A0 issue____
>> =C2=A0 =C2=A0 __ __
>>
>> =C2=A0 =C2=A0 I believe, from the thread referenced earlier and pr= ior discussion
>> =C2=A0 =C2=A0 and draft text, that the WG has reached (rough) cons= ensus to
>> =C2=A0 =C2=A0 require the subject claim. So text that says "S= ubject element MUST
>> =C2=A0 =C2=A0 NOT be included" isn't workable.____<= br>
>>
>> =C2=A0 =C2=A0 It seems what's needed here is some better expla= nation of how, in
>> =C2=A0 =C2=A0 cases that need it, the value of the subject can be = populated
>> =C2=A0 =C2=A0 without using a PII type value. A simple static valu= e like
>> =C2=A0 =C2=A0 "ANONYMOUS-SUBJECT" could be used. Or, mor= e likely, some kind of
>> =C2=A0 =C2=A0 pairwise persistent pseudonymous identifier would be= utilized,
>> =C2=A0 =C2=A0 which would not directly identify the subject but wo= uld allow the
>> =C2=A0 =C2=A0 relying party to recognize the same subject on subse= quent
>> =C2=A0 =C2=A0 transactions. A transient pseudonym might also be ap= propriate in
>> =C2=A0 =C2=A0 some cases. And any of those approaches could be use= d with or
>> =C2=A0 =C2=A0 without additional claims (like age > 18 or membe= rship in some
>> =C2=A0 =C2=A0 group) that get used to make an authorization = decision. ____
>>
>> =C2=A0 =C2=A0 I wasn't sure exactly how to articulate all that= in text for the
>> =C2=A0 =C2=A0 draft(s) but that's more of what I was asking fo= r when I asked if
>> =C2=A0 =C2=A0 you could propose some text.____
>>
>>
>>
>>
>> =C2=A0 =C2=A0 ____
>>
>> =C2=A0 =C2=A0 __ __
>>
>> =C2=A0 =C2=A0 On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig
>> =C2=A0 =C2=A0 <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net= >>
>> =C2=A0 =C2=A0 wrote:____
>> =C2=A0 =C2=A0 Hi Brian,
>>
>> =C2=A0 =C2=A0 Thanks for pointing to the assertion framework docum= ent.
>> =C2=A0 =C2=A0 Re-reading the
>> =C2=A0 =C2=A0 text it appears that we have listed the case that in= Section 6.3.1 but
>> =C2=A0 =C2=A0 have forgotten to cover it elsewhere in the document= .
>>
>>
>> =C2=A0 =C2=A0 In Section 6.3.1 we say:
>>
>> =C2=A0 =C2=A0 "
>>
>> =C2=A0 =C2=A0 6.3.1. =C2=A0Client Acting on Behalf of an Anonymous= User
>>
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0When a client is accessing resources on= behalf of an anonymous
>> =C2=A0 =C2=A0 user,
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0the Subject indicates to the Authorizat= ion Server that the
>> =C2=A0 =C2=A0 client is
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0acting on-behalf of an anonymous user a= s defined by the
>> =C2=A0 =C2=A0 Authorization
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0Server. =C2=A0It is implied that author= ization is based upon additional
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0criteria, such as additional attributes= or claims provided in the
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0assertion. =C2=A0For example, a client = may present an assertion from a
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0trusted issuer asserting that the beare= r is over 18 via an included
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0claim.
>>
>> =C2=A0 =C2=A0 *****
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 In this case, no additional informatio= n about the user's
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0identity is included, yet all the data = needed to issue an access
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0token is present.
>> =C2=A0 =C2=A0 *****
>> =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 (I marked the relevant part with '***')
>>
>>
>> =C2=A0 =C2=A0 In Section 5.2, however, we say:
>>
>>
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0o =C2=A0The assertion MUST contain a Su= bject. =C2=A0The Subject identifies an
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized accessor for which t= he access token is being
>> =C2=A0 =C2=A0 requested
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (typically the resource owner, = or an authorized delegate). =C2=A0When
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 the client is acting on behalf = of itself, the Subject MUST
>> =C2=A0 =C2=A0 be the
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 value of the client's "= ;client_id".
>>
>>
>> =C2=A0 =C2=A0 What we should have done in Section 5.2 is to expand= the cases inline
>> =C2=A0 =C2=A0 with what we have written in Section 6.
>>
>> =C2=A0 =C2=A0 Here is my proposed text:
>>
>> =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 o =C2=A0The assertion MUST contain a Subject. =C2=A0= The Subject identifies an
>> =C2=A0 =C2=A0 authorized accessor for which the access= token is being requested____
>>
>> =C2=A0 =C2=A0 (typically the resource owner, or an authorized dele= gate).
>>
>> =C2=A0 =C2=A0 ____
>>
>> =C2=A0 =C2=A0 When the client is acting on behalf of itself, as de= scribed in Section
>> =C2=A0 =C2=A0 6.1 and Section 6.2, the Subject MUST be the value o= f the client's
>> =C2=A0 =C2=A0 "client_id".
>>
>> =C2=A0 =C2=A0 When the client is acting on behalf of an user, as d= escribed in
>> =C2=A0 =C2=A0 Section
>> =C2=A0 =C2=A0 6.3, the Subject element MUST be included in the ass= ertion and
>> =C2=A0 =C2=A0 identifies an authorized accessor for which the acce= ss token is being
>> =C2=A0 =C2=A0 requested.
>>
>> =C2=A0 =C2=A0 When the client is acting on behalf of an anonymous = user, as described
>> =C2=A0 =C2=A0 in Section 6.3.1, the Subject element MUST NOT be in= cluded in the
>> =C2=A0 =C2=A0 assertion. Other elements within the assertion will,= however, provide
>> =C2=A0 =C2=A0 enough information for the authorization server to m= ake an
>> =C2=A0 =C2=A0 authorization
>> =C2=A0 =C2=A0 decision.
>> =C2=A0 =C2=A0 "
>>
>> =C2=A0 =C2=A0 Does this make sense to you?
>>
>> =C2=A0 =C2=A0 Ciao
>> =C2=A0 =C2=A0 Hannes____
>>
>>
>> =C2=A0 =C2=A0 On 04/24/2014 02:30 PM, Brian Campbell wrote:
>> =C2=A0 =C2=A0 > There is some discussion of that case in the as= sertion framework
>> =C2=A0 =C2=A0 > document at
>> =C2=A0 =C2=A0 > http://tools.ietf.or= g/html/draft-ietf-oauth-assertions-15#section-6.3.1
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > Do you feel that more is needed? If so, can you= propose some text?
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > On Thu, Apr 24, 2014 at 1:09 AM, Hannes T= schofenig____
>> =C2=A0 =C2=A0 > <hannes.tschofenig@gmx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net> <mailto:hannes.tschofenig@g= mx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>>> wrote:
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hi Brian,
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I read through the thread and the= Google case is a bit
>> =C2=A0 =C2=A0 different since
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 they are using the client authent= ication part of the JWT
>> =C2=A0 =C2=A0 bearer spec.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 There I don't see the privacy= concerns either.
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I am, however, focused on the aut= horization grant where the
>> =C2=A0 =C2=A0 subject is
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 in most cases the resource owner.=
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 It is possible to put garbage int= o the subject element when
>> =C2=A0 =C2=A0 privacy
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 protection is needed for the reso= urce owner case but that
>> =C2=A0 =C2=A0 would need to
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 be described in the document; cur= rently it is not there.
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Ciao
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hannes
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 On 04/24/2014 12:37 AM, Brian Cam= pbell wrote:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > That thread that Antonio sta= rted which you reference went
>> =C2=A0 =C2=A0 on for some
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > time
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 (http://www.ietf.org/mail-a= rchive/web/oauth/current/threads.html#12520)
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > and seems to have reached co= nsensus that the spec didn't need
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 normative
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > change and that such privacy= cases or other cases which didn't
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > explicitly need a subject id= entifier would be more
>> =C2=A0 =C2=A0 appropriately dealt
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > with in application logic: >> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > http://www.ietf.org/mail-ar= chive/web/oauth/current/msg12538.html
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > On Wed, Apr 23, 2014 at 2:39= AM, Hannes Tschofenig
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > <hannes.tschofenig@gmx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net> <mailto:hannes.tschofenig@g= mx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>>____=
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>____
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.ne= t
>> =C2=A0 =C2=A0 <mailto:hannes.tschofenig@gmx.net>>>> wrote:<= br> >> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hi all,
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 in preparing t= he shepherd write-up for
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 draft-ietf-oauth-jwt-bearer-08 I<= br> >> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 had to review = our recent email conversations and the issue
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 raised by
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Antonio in
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 =C2=A0 http://www.ietf.org/mail-= archive/web/oauth/current/msg12520.html belong
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 to it.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 The issue was = that Section 3 of
>> =C2=A0 =C2=A0 draft-ietf-oauth-jwt-bearer-08
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 says:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A02= . =C2=A0 The JWT MUST contain a "sub" (subject) claim
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 identifying the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 principal that is the subject of the JWT. =C2=A0Two
>> =C2=A0 =C2=A0 cases
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 need to be
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 differentiated:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 A. =C2=A0For the authorization grant, the subject
>> =C2=A0 =C2=A0 SHOULD
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 identify an
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized accessor for whom the access
>> =C2=A0 =C2=A0 token is being
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 requested (typically the resource owner, or an<= br> >> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorized
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 delegate).
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 B. =C2=A0For client authentication, the subject
>> =C2=A0 =C2=A0 MUST be the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 "client_id" of the OAuth client.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Antonio pointe= d to the current Google API to
>> =C2=A0 =C2=A0 illustrate that
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 the subject
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 is not always = needed. Here is the Google API
>> =C2=A0 =C2=A0 documentation:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 =C2=A0 https://developers.google= .com/accounts/docs/OAuth2ServiceAccount
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 The Google API= used the client authentication part (rather
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 than the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorization = grant), in my understanding.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I still believ= e that the subject field has to be
>> =C2=A0 =C2=A0 included for
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 client
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authentication= but I am not so sure anymore about the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorization
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 grant since I = could very well imagine cases where the
>> =C2=A0 =C2=A0 subject
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 is not
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 needed for aut= horization decisions but also for
>> =C2=A0 =C2=A0 privacy reasons.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 I would theref= ore suggest to change the text as follows:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A02= . =C2=A0 The JWT contains a "sub" (subject) claim
>> =C2=A0 =C2=A0 identifying the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 principal that is the subject of the JWT. =C2=A0Two
>> =C2=A0 =C2=A0 cases
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 need to be
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 differentiated:
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 A. =C2=A0For the authorization grant, the subject
>> =C2=A0 =C2=A0 claim MAY
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 be included. If it is included it MUST
>> =C2=A0 =C2=A0 identify the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 authorized accessor for whom the access
>> =C2=A0 =C2=A0 token is being
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 requested (typically the resource owner, or an<= br> >> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 authorized
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 delegate). Reasons for not including the
>> =C2=A0 =C2=A0 subject claim
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 in the JWT are identity hiding (i.e., privacy >> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 protection
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 of the identifier of the subject) and
>> =C2=A0 =C2=A0 cases where
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 the identifier of the subject is
>> =C2=A0 =C2=A0 irrelevant for making
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 an authorization decision by the resource
>> =C2=A0 =C2=A0 server.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 B. =C2=A0For client authentication, the subject
>> =C2=A0 =C2=A0 MUST be the
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 included in the JWT and the value MUST be
>> =C2=A0 =C2=A0 populated
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 with the "client_id" of the OAuth cli= ent.
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 "
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 What do you gu= ys think?
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Ciao
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 Hannes
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 ______________= _________________________________
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 OA= uth mailing list____
>>
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 OAuth@ietf.org
>> =C2=A0 =C2=A0 <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>> =C2=A0 =C2=A0 <mailto:OAuth@ietf.org>> <mailto:OAuth@ietf.org
>> =C2=A0 =C2=A0 <mailto:OAuth@ietf.org>
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>>>
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 > =C2=A0 =C2=A0 https://www.iet= f.org/mailman/listinfo/oauth
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 > =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >
>> =C2=A0 =C2=A0 >____
>>
>> =C2=A0 =C2=A0 __ __
>> =C2=A0 =C2=A0 _______________________________________________=
>> =C2=A0 =C2=A0 OAuth mailing list
>> =C2=A0 =C2=A0 = OAuth@ietf.org <mailto:OAuth@ietf.org>
>> =C2=A0 =C2=A0 https://www.ietf.org/mailman/listinfo/oauth=
>
>



--089e014954be49e4cd04f8217808-- From lkentwell@csu.edu.au Mon Apr 28 22:12:53 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5DDF1A08AF for ; Mon, 28 Apr 2014 22:12:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.863 X-Spam-Level: X-Spam-Status: No, score=0.863 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9V541dZV6s5s for ; Mon, 28 Apr 2014 22:12:49 -0700 (PDT) Received: from seaprod01.csumain.csu.edu.au (seaprod01.csumain.csu.edu.au [137.166.4.2]) by ietfa.amsl.com (Postfix) with ESMTP id 7A68D1A08AD for ; Mon, 28 Apr 2014 22:12:47 -0700 (PDT) Received: from seaprod01.csumain.csu.edu.au (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id D6882E516E_35F34CDB for ; Tue, 29 Apr 2014 05:12:45 +0000 (GMT) Received: from casba01.CSUMain.csu.edu.au (casba01.csumain.csu.edu.au [137.166.4.68]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "weboutlook.csu.edu.au", Issuer "AusCERT Server CA" (verified OK)) by seaprod01.csumain.csu.edu.au (Sophos Email Appliance) with ESMTPS id 812B924833B_35F34CDF for ; Tue, 29 Apr 2014 05:12:45 +0000 (GMT) Received: from MAIL01.CSUMain.csu.edu.au ([fe80::fd21:a4c2:dfff:f901]) by casba01.CSUMain.csu.edu.au ([fe80::2499:6c34:c7a3:9bf4%12]) with mapi; Tue, 29 Apr 2014 15:12:44 +1000 From: "Kentwell, Luke" To: "oauth@ietf.org" Date: Tue, 29 Apr 2014 15:12:43 +1000 Thread-Topic: Link to RFC on your site is not working Thread-Index: Ac9jaabDKbYk2ANYRLO6yWrJpdU6Cg== Message-ID: Accept-Language: en-US, en-AU Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: acceptlanguage: en-US, en-AU Content-Type: multipart/related; boundary="_004_FECFC0251E2B6C448BFAC302D1CCA944E6388A1230MAIL01CSUMain_"; type="multipart/alternative" MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/X-atzom1mTcRs9hNjhq1zwqGpXQ X-Mailman-Approved-At: Mon, 28 Apr 2014 22:54:21 -0700 Subject: [OAUTH-WG] Link to RFC on your site is not working X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Apr 2014 05:13:56 -0000 --_004_FECFC0251E2B6C448BFAC302D1CCA944E6388A1230MAIL01CSUMain_ Content-Type: multipart/alternative; boundary="_000_FECFC0251E2B6C448BFAC302D1CCA944E6388A1230MAIL01CSUMain_" --_000_FECFC0251E2B6C448BFAC302D1CCA944E6388A1230MAIL01CSUMain_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Guys, I was just looking for the OAuth2 spec and when I follow the link on your s= ite http://oauth.net/2/ for the RFC: http://tools.ietf.org/html/rfc6749 I get a 404 not found error. Not sure if this is a known problem or by design but thought I would let yo= u know Thanks _L Luke Kentwell Data Analyst | Office of Planning and Audit Charles Sturt University Panorama Avenue Bathurst, NSW 2795 Australia Tel: +61 2 6338 6518 Email: lkentwell@csu.edu.au www.csu.edu.au | www.csu.edu.au/unistats Twitter | Facebook | LinkedIn | YouT= ube [cid:csu-logo6ee8.bmp] | ALBURY-WODONGA | BATHURST | CANBERRA | DUBBO | GOULBURN= | MELBOURNE | ONTARIO | ORANGE | PORT MACQUARIE | SYDN= EY | WAGGA WAGGA | ________________________________ LEGAL NOTICE This email (and any attachment) is confidential and is intended for the use= of the addressee(s) only. If you are not the intended recipient of this em= ail, you must not copy, distribute, take any action in reliance on it or di= sclose it to anyone. Any confidentiality is not waived or lost by reason of= mistaken delivery. Email should be checked for viruses and defects before = opening. Charles Sturt University (CSU) does not accept liability for virus= es or any consequence which arise as a result of this email transmission. E= mail communications with CSU may be subject to automated email filtering, w= hich could result in the delay or deletion of a legitimate email before it = is read at CSU. The views expressed in this email are not necessarily those= of CSU. Charles Sturt University in Australia The Grange Cha= ncellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 551= ; CRICOS Provider Number: 00005F (National)). TEQSA Provider Number: PV1201= 8 Charles Sturt University in Ontario 860 Harrin= gton Court, Burlington Ontario Canada L7N 3N4 Registration: www.peqab.ca Consider the environment before printing this email. Disclaimer added by CodeTwo Exchange Rules 2007 www.codetwo.com --_000_FECFC0251E2B6C448BFAC302D1CCA944E6388A1230MAIL01CSUMain_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi Guys,

 

I wa= s just looking for the OAuth2 spec and when I follow the link on your site = http://oauth.net/2/ for the RFC: http://tools.ietf.org/html/rfc6749=

 

I get a 404 not found error.

 

Not sure if this is a known problem = or by design but thought I would let you know


Thanks

 

_L

 <= /p>

 

Lu= ke Kentwell
Data Analyst | Office of Planning and Audit

Charles Sturt University<= /o:p>

Panorama Avenue<= /p>

Bathurst, NSW 2795

Australia

T= el: +61 2 6338 6518

Email: = lkentwell@csu.edu.au

= www.csu.edu.au | www.csu.edu.au/unistats

 

Twitter | Facebook | LinkedIn | YouTube

 

|   ALBURY-WODONGA   |  &n= bsp;BATHURST   |   CANBERRA   = |   DUBBO   |   GOULBURN =   |   MELBOURNE   |  &nbs= p;ONTARIO   |   ORANGE   |&nbs= p;  PORT=20 MACQUARIE   |   SYDNEY   |&nbs= p;  WAGGA=20 WAGGA   |

LEGAL=20 NOTICE
This em= ail=20 (and any attachment) is confidential and is intended for the use of the=20 addressee(s) only. If you are not the intended recipient of this email, you= must=20 not copy, distribute, take any action in reliance on it or disclose it to=20 anyone. Any confidentiality is not waived or lost by reason of mistaken=20 delivery. Email should be checked for viruses and defects before opening.=20 Charles Sturt University (CSU) does not accept liability for viruses or any= =20 consequence which arise as a result of this email transmission. Email=20 communications with CSU may be subject to automated email filtering, which = could=20 result in the delay or deletion of a legitimate email before it is read at = CSU.=20 The views expressed in this email are not necessarily those of CSU.= =20

Charles Sturt Unive= rsity in=20 Australia The Grange Chancellery, Panorama Avenue, Bathurst NSW Austral= ia=20 2795 (ABN: 83 878 708 551; CRICOS Provider Number: 00005F (National)). TEQS= A=20 Provider Number: PV12018
Charles Sturt University in Ontario 860=20 Harrington Court, Burlington Ontario Canada L7N 3N4 Registration: www.peqab.ca

<= SPAN=20 style=3D"FONT-FAMILY: Arial, Helvetica, sans-serif; FONT-SIZE: 9px">Conside= r the=20 environment before printing this email.

Disclaimer added by CodeTwo Exch= ange Rules 2007
www.codetwo.com

= --_000_FECFC0251E2B6C448BFAC302D1CCA944E6388A1230MAIL01CSUMain_-- --_004_FECFC0251E2B6C448BFAC302D1CCA944E6388A1230MAIL01CSUMain_ Content-Type: image/bmp; name="csu-logo6ee8.bmp" Content-Description: csu-logo6ee8.bmp Content-Disposition: inline; filename="csu-logo6ee8.bmp"; size=37976; creation-date="Tue, 29 Apr 2014 05:12:44 GMT"; modification-date="Tue, 29 Apr 2014 05:12:44 GMT" Content-ID: Content-Transfer-Encoding: base64 Qk1YlAAAAAAAADYAAAAoAAAA0gAAADwAAAABABgAAAAAACKUAAASCwAAEgsAAAAAAAAAAAAA//// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// OTb///////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////8gPP////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////yIK//////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////MCD///////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////8gIP////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////6Cen0E+P0E+PpSTk/////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////yAg//////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////t7a2n56ecG5uQD0+lJOT//////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////L3j///////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////+Uk5NBPj7n 5+f///////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////8gIP////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /1hWVomHh/////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////0c6//////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////n56eTElK//////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////ICD///////////// //////////////////////////////////////////////////////////////////////////// ///w8Pi2s9yKhseKhsfEw+P////EwuOKhseKhse1s9zw8Pj///////////////////////////// //////////////////////////////////////////////////////////////////////////// ///////////z8/O3trafnp5xbm9wbm58e3ufnp7DwsLz8/P////////////////////////b29vP z8/Pz8/z8/P////////////////z8/PPz8/Pz8/n5+f////////n5+fPz8/Pz8/n5+f///////// ///////////b29vPz8/n5+f////////////////////////////////z8/PDwsKfnp6gnp+3trbn 5+f////////////////////Pz8/Pz8/Pz8/////////////////////////n5+e3trafnp6fnp7D wsLz8/P////////////////Pzs/Pzs/Pz8/////////////////n5+egnp+fnp63trbz8/P///// //////////////9lYmNAPj7DwsL///////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////8uMP////// //////////////////////////////////////////////////////////////////////////// /////4mGxxUOjxQOjxQNjxQOj1BKq////xQOjxUOjxQNjxQNjyQdlqek1f////////////////// //////////////////////////////////////////////////////////////////////////// /////////////6CenkA+PkA+PkA+PkA9PkE+P0A+PkA+PkA+PkxKSp+env////////////////// /3BubkA+PkA+Ps/Pz////////////////8/Pz0A+PkA+Pp+env///////6CenkA+PkA+PqCen/// /////////////+fn50E+P0A+PoiHh////////////////////////////5+enkA+PkA+PkA9PkA+ PkA9PkA+PnFubufn5////////////0A+PkA+PkA+Pv///////////////////4iGh0xKSnFub6Ce nnBubkA+PkxKSquqqv///////////0E+P0A+PmRiYv///////////7e2tkE+PkA+PkA+PkA+PkxK Sre2t////////////9vb20A+PkA+Pnx6e/////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////z4K ////////////////////////////////////////////////////////////////////8PD4bGi6 ////////fHfCFQ6SFQ6RFA2RFQ2RFQ2RT0qt////FQ6SFQ6RFQ2RFA2RFQ2RFQ2Rp6TW//////// e3fB//////////////////////////////////////////////////////////////////////// ////////////////iIeHQD4+QD4+QT4+iIeHt7a2z8/Pt7a2iIeHQD4+QD4+QD4+iYeH//////// ////////cW5uQT4+QD4+z8/P////////////////z8/PQD4+QD4+oJ6e////////n56eQT4/QD4+ n56e////////////////q6qqQT4+QD4+QD4+8/Pz////////////////////iIeHQD4+QD4+QD4+ oJ6e29rb8/Pzz87PiIeHTElK29vb////////QD4+QD4+QD4+////////////////////29vb//// ////////////29vbQT4/QT4+q6qq////////QD4+QD4+cW5u////////8/PzTEpKQT4+QD4+oJ6e 8/Pzz8/Pn56e////////////lJOTQD4+QD4+QD4+8/Pz//////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////c3f////////////////////////////////////////////////////////////////w8PhB O6cVDpT////T0esVDZUWDpUVDZQVDZUVDZUVDZRQSrD///8VDZQVDZUVDZUVDZUVDZQVDZUkHJzw 8Pj///8VDZNtaLz///////////////////////////////////////////////////////////// //////////////////+3trZAPj5APj5MSkrb29v////////////////////Pz89MSkpAPj5APT7D wsL///////////9xbm5BPj9APj7Pz8/////////////////Pz89APj5APj6fnp7///////+fnp5B Pj9APT6fnp7///////////////9kYmJAPj5APj5APj6rqqr///////////////+fnp5APj5BPj9A Pj7b29v////////////////////Pz8+fnp7///////9APj5APj5APT7///////////////////// //////////////////////9xbm9APj5ZVlf///////9BPj9BPj5wbm7////////Pz89APj5APT5l YmL///////////////////////////9YVlZAPj5APj5BPj63trf///////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////9yZP////////////////////////////////////////////////////////////Dw +UE7qxYNlxYNl////4qGyxYNmRUMmBUNmBYNmBUNmBUMmFBKsv///xUNmBUMmBYNmRYNmRYNmBYN mRYNmKek2f///xYNlxUNl25ov/////////////////////////////////////////////////// /////////////////////////1hVVkA+PkE+P7e2tv///////////////////////////6uqqkA+ PkA+PnBubv///////////3Fub0E+P0E+Ps/Pz////////////////8/Pz0A+PkA+Pp+env////// /5+enkA+PkA+Pp+env///////////+fn50E+PkA+PlhWVp+enllWV////////////////0xKSkA+ PkA+Pp+env///////////////////////////////////////0A+PkA+PkA+Pv////////////// //////////////////////////Pz81hWVkA+PkA+Pv///////0A+PkA+PnBubv///////8/Pz0A+ PkA+Pp+env///////////////////////9vb20E+P0A9PmRiYnx7e2ViY/////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////3BH//////////////////////////////////////////////////////// 8PD5QjuuFgyaFg2aFg2b////UEm1FgycFg2cFgycFgybFgycFgybUEm1////FgycFgybFgybFg2c FgycFgycFg2ciobN////Fg2bFg2bFg2bbmfB//////////////////////////////////////// ////////////////////////////29vbQD4+QD4+TEpK//////////////////////////////// ////QT4/QD4+QD4+////////////cW5uQD4+QD4+z8/P////////////////z8/PQD0+QD4+n56e ////////n56eQD4+QT4+oJ6e////////////n56eQD4+QD4+lJOT5+fnQD4+z87P////////z8/P QD4+QD4+QD4+5+fn////////////////////////////////////////QD4+QD4+QD4+//////// ////////////////////////8/Pzq6qqWFVWQT4/QT4/WVZX////////QD4+QD4+cG5u//////// z87PQD4+QD4+n56e////////////////////////lJOTQD0+QD4+q6qqw8LCQD4+5+fn//////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////ICD///////////////////////////////////////////////// ///w8PlCOq8XDZ4WDJ0WDJ4XDZ7///9QSbcWDJ8XDKAWDJ8WDJ8WDJ8WDJ9QSbf///8WDJ8WDJ8X DKAWC58WDJ8XDKAXDKBfWL3///8WDJ4WDJ4WDJ4WDJ5uZ8P///////////////////////////// ///////////////////////////////////DwsJBPj9BPj9wbm7///////////////////////// //////////9wbm5APj5APj7Pz8////////+fnp5APj5APj7Pz8/////////////////Pz89APj5B Pj+fnp7///////+fnp5APj5APj63trb///////////9YVlZAPj5APT7n5+f///98e3t8e3v///// ///DwsJAPj5APj5MSkr///////////////////////////////////////////9BPj5APj5APj7/ ///////////////////////z8/OIh4dAPj5APj5BPj9APj5APj6rqqr///////9APj5APT5wbm7/ ///////Pz89APj5APj6fnp7///////////////////////9MSkpBPj9BPj7z8/P///9MSkqfnp7/ //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////9lPv////////////////////////////////////////// /////////0M6tBcMoRYLoRcMohcMohcMov///1FIuhcMoxcLoxcLoxYLohcLohcMo1FJuv///xcM oxcLohcLoxYLohcMoxcMoxcLo1FIuv///xYLoRYLoRcMohcMohcMom5nxf////////////////// /////////////////////////////////////////5+enkA+PkA+PnFub/////////////////// /////////////////3BubkA9PkA+Ps/Pz////////6Cen0A9PkE+Ps/Pz////////////////8/P z0A+PkA+Pp+env///////5+enkA+PkE+PsPCwv///////9vb20E+P0A+PmRiYv///////8/Pz0A+ Pufn5////6uqqkA9PkA+PkxKSnBubnBubnBubnBubnBubnBubnBubnBubnBubtvb2////0A+PkA+ PkA+Pv////////////////////Pz82RiYkA+PkE+PkA+PkA+PkxKSre2tv///////////0A+PkE+ P3Fub////////8/Pz0A+PkA+Pp+env///////////////////8PCwkE+P0A+Pn17e////////4iG h1hWVv////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////2hO//////////////////////////////////// ////////////fXbNFwulFwumFwulFwumFwqlFwul////UUe8FwqmFwumGAunFwqmFwqmFwumUUi8 ////FwumGAunFwumFwumFwumFwumFwumUUi8////FwumFwqlFwulFwulFwulFwulmZPX//////// ////////////////////////////////////////////////n56eQD4+QT4/cG5u//////////// ////////////////////////cG5uQD0+QD4+z8/P////////fXt7QD4+QD4+z8/P//////////// ////z8/PQD4+QD4+n56e////////n56eQD4+QD0+oJ6f////////iIeHQD4+QD4+q6qq//////// ////WFZWn56e////z8/PQD4+QD4+ZWJiz8/Pz8/Pz8/Pz8/Pz8/Pz8/PWFZWQD4+QD4+z8/P//// QD4+QT4/QD4+////////////////////oJ6fQD4+QD0+QD4+WFZWt7a2//////////////////// QD4+QD4+cW5u////////z8/PQT4/QD0+n56e////////////////////iIeHQD4+QD4+w8LC//// ////w8LCQD4+w8LC//////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////MC7///////////////////////////// ///////////////i4PQXCqgXCqgXCqgYC6kXCqgXCqgXCqj///9RR78XCqoYCqoYCqoYCqoYCqoX CqlRR7////8XCqkXCakXCakYCqoYCqoYCqoXCalRR7////8YC6kYC6kXCqgXCqgXCqgYCqkmGa7x 8Pr///////////////////////////////////////////////////+fnp5APj5APj5wbm7///// //////////////////////////////9wbm5BPj5APj7Pz8////////9wbm5APj5APj7Pz8////// ///////////DwsJAPj5APj6gnp7///////+fnp5APj5APj6fnp7///////9MSUpAPj5APj7n5+f/ //////////+rqqpMSkr////z8/NAPj5APj5BPj////////////////////////9BPj9APj5BPj// //////9APj5APj5BPj////////////////////9xbm5APT5APj6gnp7///////////////////// //////9APj5APT5wbm7////////Pz89APj5BPj6fnp7////////////////z8/NAPj5APj5MSkr/ //////////////9ZVlaIh4f///////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////8gIP////////////////////// /////////////////////4uE1RcJqxgKrBgJqxgKrBgJrBcJqxcJq////1JHwhgJrRgJrRgJrRgJ rRcJrRgJrVJHwv///xgJrRgJrRgJrRgJrRgJrRgJrRgJrVJHwv///xgKrBgKrBgKrBgJrBgJrBcJ qxgJrLey5f///////////////////////////////////////////////////6Cen0A9PkA+PnBu bv///////////////////////////////////3BubkE+PkA+Ps/Pz////////3BubkA9PkE+P2Ri YvPz8////////////4iHh0A+PkA+PqCen////////5+enkA+PkA+PqCenv///8PCw0A+PkA+Pnx7 e/////////////////Pz80A+Pre2tv///4iHh0A+PkA+Ptvb2////////////////9vb20E+P0A+ PoiHh////////0A+PkE+P0A+Pp+env///////////////4iHh0A+PkA+Pv////////////////// /////////////0A+PkA9PnBubv///////8/Pz0E+P0E+P5+env///////////////7e2tkA+PkA+ PoiHh////////////////5STk0A+PvPz8/////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////3BH//////////////// ////////////////////////////YFXIGAmvGAmvGAivGAivGAivGAivGAmv////UkbFGAiwGAiw GAmxGAiwGAixGQmxUkbE////GAixGQmxGAiwGAixGAiwGAixGAixUkbE////GAmvGAivGAivGAmw GAivGAmvGAivi4TX////////////////////////////////////////////////////n56eQD4+ QD4+cW5v////////////////////////////////////cG5uQD4+QD0+z8/P////////cG5uQD4+ QT4/TEpKWVZXt7a229vbq6qqQD4+QT4+QD0+z8/P////////n56eQT4+QD0+n56e////fXt7QD4+ QD4+t7a2////////////////////fHt7ZGJi////8/PzZGJiQD4+fHt7////////////////fHt7 QD4+TEpK5+fn////////QD4+QD4+QD4+QD4+iYeHz8/Pq6qq29vbz8/PQD4+QD4+z8/P//////// ////////////////////QD0+QD4+cW5v////////z8/PQD4+QD4+n56e////////////////ZGJi QT4/QD4+w8LC////////////////29vbQT4+q6qq//////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////ZGX///////// //////////////////////////////////9SRcUYB7IZCLMYCLMYB7IYCLMYCLIYCLP///9TRccY B7QYB7QYB7QYB7QZB7QZCLRSRcf///8YB7QYB7QYB7QYB7QZCLQZB7QZCLRTRcf///8YCLMYB7IZ CLMZCLMZCLMYB7IYCLKMg9n///////////////////////////////////////////////////+g np9APj5APj5xbm7///////////////////////////////////9wbm5APj5BPj/Pz8////////9w bm5APj5APj7DwsJ8e3tAPj5BPj5APT5BPj5BPj+Ih4f///////////+fnp5APj5APj6fnp7z8/NA Pj5APj5APj7z8/P////////////////////DwsJAPj7Pz8/////z8/Nxbm5BPj98envb29vPzs99 e3tAPT5YVlbb29v///////////9APj5APT5APj63trZAPj5APj5APj6fnp7///+Uk5NAPj5MSkqU k5Ofnp6fnp5kYmLPz8////////9APj5APj5kYmL///98e3tlYmJAPj5APj5ZVldwbm5wbm5wbm7n 5+dAPj5BPj5MSkr///////////////////////9ZVldZVlf///////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////9tZf// /////////////////////////////////////////1JFyBgHthkHthkHthkHthkHthkHthkHtv// /1NEyRgGtxkHuBgGtxkGtxkGtxkHuFNFyv///xkGtxkGtxkGtxkGtxkHuBkGtxkGt1NEyf///xkH thgGthgGthkHthkHthkHthkHtouD2v////////////////////////////////////////////// /////6Cen0A+PkE+P3Bubv///////////////////////////////////3FubkA+PkE+P8/Oz/// /////9va28/Pz8/Pz/Pz8////8/Pz4iGh3Bubnx7e8PCwv///////////////+fn58/Pz8/Pz+fn 5/Pz88/Pz8/Pz9vb2////////////////////////////8/Oz+fn5////////////7e2tnx7e3Fu b3Fub3x7e7e2tv///////////////////8/Pz8/Pz8/Pz////8/Pz3x7e3Fub7e2tv///////8/P z5STk3BubnFub5STk8PCwv///////////8/Pz8/Pz8/Pz/////Pz82RiYkA+PkA+PoiHh8/Pz8/P z8/Pz/Pz88/Pz8/Pz9vb2////////////////////////+fn58/Oz/////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /yAg////////////////////////////////////////////U0TLGQa5GAW5GQa6GQW5GQa5GQW5 GAW5////U0TMGQW6GQW6GQW7GQa7GQa7GQW7U0TL////GQW6GQW7GQW7GQW6GQa7GQW7GQW7U0TL ////GQa5GQa6GQW5GAW5GQa6GQa6GQa6jILc//////////////////////////////////////// ////////////n56eQD4+QD4+cG5u////////////////////////////////////cG5uQD4+QD4+ z8/P//////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////8/PzZWJiQD4+oJ6f //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////ICD///////////////////////////////////////////9TQ80ZBL0ZBL0aBb0ZBL0a Bb0ZBb0ZBb3///9TRM4ZBL0ZBL4ZBL0ZBL0ZBL0aBb5TQ87///8ZBL0aBb4ZBb4ZBL0ZBL0ZBL0a Bb5TQ87///8aBb0ZBLwZBb0ZBb0aBb0aBb0aBb2Mgt7///////////////////////////////// //////////////////+fnp5APj5APj5wbm7///////////////////////////////////9wbm5A Pj5APj7Pz8////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////z8/Nk YmKfnp7///////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////8wMP///////////////////////////////////////////1ND0BkDwBkDwBkD wBoEwBoEwBkDwBoEwP///1ND0RkDwRoEwRkDwBkDwBoDwRoDwVNC0P///xkDwBkDwRoDwRkDwRoD wRkDwBoDwVNC0f///xkDwBkDwBoEwBoEwBoEwBoEwBoEwIyB3/////////////////////////// /////////////////////////5+enkA+PkA+PnBubv////////////////////////////////// /3BubkA+PkA+Ps/Pz/////////////////////////////////////////////////////////// /////////9vb29vb2/////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////Pz88/Pz/////////////// //////Pz88PCw/////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////yAg////////////////////////////////////////////U0LSGQLC GQLCGgLDGQLDGgPDGgLDGgPD////U0HTGgLEGgLFGQLEGgLEGgLEGQLEU0HT////GgLFGQHEGgLE GQHEGgLEGQHEGgLEU0HT////GgLDGQLDGQLDGgLDGgLDGgLDGQLCjIHh//////////////////// ////////////////////////////////n56eQD4+QD4+cW5v//////////////////////////// ////////cG5uQD4+QT4/z8/P//////////////////////////////////////////////////// ////////////n56eQD4+QT4+w8LC//////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////5+fnTEpKQD4+ZGJi//// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////cEf///////////////////////////////////////////9T QdUaAMYaAMYaAccaAMcaAMcaAccaAMf///9TQNUaAMgaAMgaAMgaAMcaAMcaAMdTQNX///8aAMca AMgaAMcaAMgaAMgaAMcaAMhTQNb///8aAMcaAMcaAccaAMcaAccaAMcaAMeMf+P///////////// //////////////////////////////////////+fnp5APj5APT5xbm////////////////////// //////////////9xbm5BPj9APj7Pz8////////////////////////////////////////////// //////////////////9wbm5APj5APj5wbm7///////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////Pz89APj5APj5B Pj////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////8gIP////////////////////////////////////// /////1NA1xsAyhoAyRoAyRoAyhoAyhoAyhoAyv///1NA1xoAyhoAyhoAyhoAyxoAyhoAylRA2P// /xoAyhoAyhoAyhoAyhoAyhoAyhoAylNA1////xoAyhoAyRoAyRoAyhoAyhoAyhoAyYx/5P////// /////////////////////////////////////////////5+enkA+PkA+PnBubv////////////// /////////////////////3BubkA+PkA+Pre2t/////////////////////////////////////// /////////////////////////7e2tkE+P0E+P8PCwv////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////Pz81hW VkE+P3x7e/////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////yAg//////////////////////////////// ////////////U0DZGwDNGgDMGgDMGwDMGgDMGgDMGgDM////VEDaGgDOGwDOGgDOGwDOGwDOGwDO U0Da////GgDOGgDOGgDOGgDNGgDNGgDNGwDOU0Da////GgDMGgDMGgDMGgDMGgDMGgDMGwDMjX/l ////////////////////////////////////////////////////5+fn////////29vb//////// ////////////////////////////5+fn////8/Pz5+fn//////////////////////////////// ////////////////////////////////////8/Pz8/Pz//////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////8/Pz//////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////MDD///////////////////////// //////////////////9UQNwaAM8bANAbANAaAM8aANAaAM8bAND///9UQNwaANAbANAaANAaANAa ANAbANBUQNz///8bANAbANAbANEbANEaANAaANAaANBTQNz///8aAM8aANAbANAbANAbANAaAM8a AM+Mf+f///////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////8gIP////////////////// /////////////////////////1RA3hsA0xsA0xsA0xsA0xsA0xsA0xsA0////1RA3xsA1BsA1BsA 1BsA1BoA0xoA01RA3////xsA1BsA0xsA1BsA1BsA1BsA1BsA1FRA3////xsA0xoA0xsA0xoA0hsA 0xsA0xsA041/6f////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////0NF//////////// ////////////////////////////////U0DgGwDWGwDVGwDVGwDVGwDWGwDWGwDV////VEDgGwDW GwDWGwDXGwDWGgDWGwDXVEDg////GwDWGgDWGwDWGwDXGwDWGwDWGwDWVEDg////GgDVGwDWGwDV GwDWGwDWGwDVGwDVjX/q//////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////ICD///// //////////////////////////////////////9UQOMbANgbANkbANgbANgbANgbANkbANj///9U QOMbANkbANgbANkbANkbANkbANlUQOP///8bANkbANkbANgbANkbANkbANkbANlUQOP///8bANgb ANgbANgbANgbANgbANgbANiNf+v///////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////91 cv///////////////////////////////////////////1RA5BsA2xsA2xwA2xsA2xwA2xsA2xsA 2////1RA5BsA2xsA2xwA2xsA2hwA2xsA21RA5P///xsA2xsA2xsA2hsA2xwA2xsA2hsA21RA5P// /xsA2xwA2xwA2xwA2xwA2xsA2xsA241/7f////////////////////////////////////////// /////////////////////////////8/Pz4iHh1hWVkA+PkA+PkA+PkE+P2RiYpSTk+fn5/////// /////////7e2toiHh5STk7e2tv///////////////////3BubpSTk3Bubv///////////6Cen2Ri YkA+PmRiYp+envPz8////5STk1hWVmRiYoiHh/Pz88PCw4iHh5STk7e2tv////////////////// /7e2toiHh3x7e7e2tv////////////////Pz85+ennBubkA+PkA+PnBubpSTk+fn5/////////// /+fn55STk3BubkE+P0E+PnFub5STk/Pz8////////////////////////////////////////9vb 25STk2RiYkA+PkE+P0A+PkA+PkA+PnBubre2t////////////////////////+fn53x7e01KS0xK SnBubre2tv///////////6Cen2RiYkA+PmRiYpSTk/Pz89vb23BubnFubre2tv///////7e2toiH h5STk7e2tv///////////////////////////5+enmRiYkA+PmRiYpSTk/Pz8/////////////// /////3hh////////////////////////////////////////////U0TlGgXbGgXbGgXbGgXbGwXc GgXbGwXc////U0flGgnbGgnbGgnbGgncGwrcGgnbU0fk////GgnbGgnbGwrcGgncGgncGwrcGwrc VEfl////GgXbGwXcGgXbGgXcGgXbGwXcGgXcjILt//////////////////////////////////// ////////////////////////////29vbcG5uQD4+QD4+QD4+QT4/QD4+QD4+QD4+QD4+QD4+QT4+ lJOT8/Pz////////n56eQT4/QT4/n56e////////////////////QD4+QT4+ZWJj////////lJOT QD4+QD4+TEpKiIeHcG5uTUpLiYeHQD4+QD4+ZGJilJOTt7a2z8/PQD4+QD4+n56e//////////// ////////n56eQD4+QD4+n56e////////////w8LDTEpKQD4+QD4+QD4+cG5ucW5vZGJiTEpKt7a2 ////////q6qqiIeHz8/Pz8/Pz8/PfHt7QT4/TEpK29vb////////////////////////////8/Pz cG5uQT4/TEpKiIeHn56en56en56elJOTWFZWQT4+QD4+WFZW29vb////////////8/PzWFZWQT4+ QD4+WFZWiIeHWFVWoJ6e////ZGJiQD4+QD4+QT4/QD4+QD4+TEpKq6qqQD4+QD4+n56e//////// n56eQT4/QT4/n56e////////////////////////n56eQD4+QD4+QT4/fHt7fHt7TUpL//////// ////////////ICD///////////////////////////////////////////9TT+UaFNwaFNwbFN0a FNwaE9waFNwaFNz///9TTuYaFN0bFN0aFN0bFN0aE9wbFN1UT+b///8bFN0aFN0aFN0aFN0aFN0a E9waE91TT+b///8aE9waFNwbFN0aFNwaE9waFNwaFNyMie3///////////////////////////// ///////////////////////////////b29tNSktAPj5BPj5BPj5wbm7DwsLz8/P////////////P z8+Ih4dMSkpYVlbb29v///+fnp5BPj5APj6fnp7///////////////////9BPj5BPj9wbm7////z 8/NAPj5APT5BPj7Pz8////////+3trZAPj5APj5APj7DwsL////////Pz89APj5APj6gnp////// //////////////+fnp5APj5APj6fnp7////////b29tAPj5APj5APj6Ihofz8/P////////////P z89kYmLDwsL///////////////////////////9wbm5BPj5ZVlf///////////////////////// ///z8/NkYmK3trb///////////////////////////+rqqpAPj5APj5MSkrz8/P///////+3trZB Pj9APj5YVlbz8/P////////n5+e3trZAPj5APj5MSkrPz8/////z8/OUk5NBPj5APj5APj6fnp7/ //////+fnp5APj5BPj+fnp7///////////////////////9MSkpAPj5APj63trf////////n5+f/ //////////////////8wPP///////////////////////////////////////////1NW5hkd3Rod 3Rkd3Rod3Rod3Roe3Rod3f///1NW5hod3Rkd3Roe3Rod3Rod3Rod3VNW5v///xod3Rod3Rod3Roe 3Rod3Roe3hoe3lNW5v///xoe3hod3Rod3Roe3Rod3Rkd3Rod3YyO7v////////////////////// /////////////////////////////////9vb20xKSkA+PkA+PkxKSsPCwv////////////////// /////////////+fn53x7e9vb2////5+enkA+PkA+Pp+env///////////////////0A+PkA+PnBu bv///8/Pz0A+PkA+PkA+Pv///////////////3BubkA+PkA9Ps/Pz////////8/Pz0A+PkA+PqCe n////////////////////5+enkA+PkA+Pp+env///////3Fub0A9PkA+PnBubv////////////// //////////Pz8+fn5////////////////////////////5STk0A+PkA+Pufn5/////////////// /////////////////////////////////////////////////////5+enkA+PkA+PpSTk/////// /5+enkE+P0A+Pquqqv///////////////5STk0A+PkA+Pp+env///////////////5+enkE+P0A+ PqCen////////5+enkA+PkA+Pp+env///////////////////////0A+PkA+PlhWVv////////// /////////////////////////yAg////////////////////////////////////////////U1zm GiXeGSTdGiXeGSTdGiXeGSXdGSXd////U13nGSbeGSbeGSbeGSbeGSffGSbeU13n////GSfeGSbe GSbeGiffGSbeGSbeGSbeU1zm////GiXeGSXdGSXdGSTdGiXeGSTdGSTdjJLu//////////////// ////////////////////////////////////////WFZWQT4/QD4+TUpL29vb//////////////// ////////////////////////////////////oJ6eQT4+QD4+n56e////////////////////QD4+ QD4+cW5u////5+fnQD4+QD4+QD4+////////////////cG5uQT4/QD4+z8/P////////z8/PQD4+ QD4+n56e////////////////////n56eQT4+QD4+n56e////29vbQT4/QD4+QD4+z8/P//////// ////////////////////////////////////////////////z8/PTEpKQD4+QD4+29vb//////// ////////////////////////////////////////////////////////////5+fnQD4+QD0+WFZW ////////oJ6fQD4+QD4+z87P////////////////cG5uQD4+QT4/z8/P////////////////z8/P QD4+QD4+n56e////////n56eQD4+QD4+rKqr////////////////////////QT4/QD4+cG5u//// ////////////////////////////////PTH///////////////////////////////////////// //9TYOcZK98ZK98ZK94ZK94ZLN8ZLN82RuP///9TYeYZLd8ZLN4ZLN4ZLd8ZLd8ZLd9TYeb///8Z LN4ZLd4ZLd8ZLd8ZLd8ZLN4ZLd9TYuf///8ZK94ZK94ZK94ZK94ZK94ZK98ZK9+Mle7///////// //////////////////////////////////////////+3trZBPj5APj5APj6sqqv///////////// //////////////////////////////////////////+fnp5APj5APj6fnp7///////////////// //9BPj9APj5wbm7///////9xbm9APj5APj7Pz8////////////9wbm5APj5APj7Pz8/////////P z89BPj5BPj+fnp7///////////////////+fnp5APj5APj6fnp7///+rqqpAPj5APj5NSkr///// ///////////////////////////////////////////z8/O3trZYVlZAPj5APj5APj5YVVb///// ///////////////////////////////////////////////////////////////////b29tAPT5B Pj9APj7///////+fnp5APj5APj7Pz8////////////////9wbm5APj5APj7Pz8////////////// ///Pz89BPj5BPj6fnp7///////+fnp5APj5APj7Pz8////////////////////////9APj5APj5w bm7///////////////////////////////////8gIP////////////////////////////////// /////////1Jl5xky3xgy3xgy3xky3xgy3xky31Jl5////1Jm5xgz3xgz3xk03xk03xgz3xk04FNn 5////xk04Bgz3xgz3xgz3xgz3xgz3xgz31Nn5////xgy3xky4Bky3xgx3xgy3xgy3xgy32Bz6f// /////////////////////////////////////////////////2RiYkA+PkA+PlhWVv////////// /////////////////////////////////////////////////7e2tkA+PkA+PqCen/////////// /////////0A+PkA9PnBubv////////Pz83BubkA+Pk1KS9vb2////////3BubkA+PkA+Ps/Pz/// /////8/Pz0A+PkA+PqCen////////////////////5+enkE+P0A9Pp+env///5+enkA+PkA+PmRi Ys/Pz8/Pz8/Pz8/Pz8/Pz8/Oz8/Pz8/Pz8/Oz////////9vb20xKSkA+PkA+PkA+PkE+PkxJStvb 2/////////////////////////////////////////////////////////////////////Pz82Ri YkA+PkA+PkA+Pv///////5+enkA9PkA+Ps/Oz////////////////3BubkA+PkA+Ps/Pz/////// /////////8/Pz0A+PkA+Pp+env///////5+enkA+PkA+Ps/Oz////////////////////////0A9 PkE+PnBubv///////////////////////////////////yAg//////////////////////////// ////////////////GDfgGDfgGDfgGDfgGDfgGDfgGDfgfY/u////UmroGDjgGDjgGDjgGDjgGDjg GDjgUmro////GDjgGDjgGDjgGDjgGDjhGDjhGDjgUmrp////UmnoGDfgGDfgGDfgGDfgGDfgGDbg Umno////////////////////////////////////////////////8/PzQD4+QD4+QT4/rKqr//// ////////////////////////////////////////////////////////z8/PQD4+QD4+n56e//// ////////////////QD4+QT4/cG5u////////////////t7a2WFZWQD4+oJ6f5+fncG5uQT4/QD4+ z8/P////////z8/PQD4+QD4+n56e////////////////////n56eQD0+QT4/n56e////n56eQD4+ QD4+QD4+QD4+QD4+QD4+QT4/QD0+QD4+QD4+QD0+QD4+////5+fnTUpKQT4/QT4/QT4/TEpKiIeH 5+fn////////////////////////////////////////////////////////////////////t7a2 WFZWQD4+QD4+QD4+fXt7////////n56eQD4+QD4+z8/P////////////////cG5uQD4+QD4+z8/P ////////////////z8/PQD4+QD4+oJ6e////////n56eQD4+QT4/z87P//////////////////// ////QD4+QD4+cW5v////////////////////////////////////YXD///////////////////// ///////////////////i5/sXPeAYPeEXPOAXPOAXPOAXPOAYPeG2wvb///9RbukXPeAYPeEXPeAX PeEXPOAXPOBSbun///8XPeEXPOAYPeEYPeEXPOAYPeEXPOBRbej///+ZqfEXPOAXPOAYPeEXPOAY PeEYPeEXPOD////////////////////////////////////////////////Pz89APj5APj5APj7P z8/////////////////////////////////////////////////////////////Pz89BPj5APj6g np7///////////////////9APj5APj5wbm7////////////////////////b29uUk5NZVlZAPj5A Pj5APj7Pz8/////////Pz89APj5APT6fnp7///////////////////+fnp5APj5APj6fnp7////D wsJAPj5APj5xbm////////////////////////9BPj9BPj5APT7///+fnp5BPj9APj5NSkqgnp/z 8/P////////////////////////////////////////////////////////////////b29uIh4dM SkpAPj5BPj9BPj9APj5NSkrn5+f///////+fnp5APj5APj7Pz8////////////////9wbm5APj5A Pj7Pz8/////////////////Pz89APj5APT6gnp7///////+gnp9APj5APj7Pz8////////////// //////////9APj5BPj9wbm7///////////////////////////////////8gIP////////////// /////////////////////////6e49BZC4hZB4RZB4hZC4hZB4RZC4jRa5v///////0Jm5xZD4hZC 4hZC4hVC4RZC4hZC4lBy6f///xZC4hZC4hZC4hZD4hZD4hZD4hZD4lBy6f////Dz/RZC4hZC4hZB 4RZB4RdC4hZB4RZC4tPb+v///////////////////////////////////////////8/Oz0A+PkA+ PkA+Pv///////////////////////////////////////////////////////////////8/Pz0E+ P0A+PoiHh////////////////9vb20A+PkE+PnBubv////////////////////////////////// /2RiYkA+PkE+P8/Pz////////8/Pz0A9PkA+PnFubv///////////////////5+enkA+PkE+P5+e nv////Pz80xKSkE+PkxKSv///////////////////9vb20A+PkE+P2RiYv///5+enkA+PkA9PsPC wv///////////////////////////////////////////////////////////////7e2tlhWVkA+ PkA+PkA+PkE+PkA9PkA+PnBubtvb2////////////5+enkA+PkA+Ps/Pz////////////////3Bu bkE+P0E+P8/Pz////////////////8/Pz0A+PkA+Pp+env///////6Cen0A9PkA+PoiHh/////// /////////////////0A+PkA+PnBubv///////////////////////////////////3BH//////// ////////////////////////////////XoHsFUbiFUbiFUfiFUfiFkfjFUfip7n0////////FUfi FkfjFUbiFUfiFUbiFkfjFUbiXoHr////UHXqFUbiFUbiFUfiFUbiFUfiFUfiUHXq////////iqPw FUbiFUfiFUfiFkfjFUfiFUfifJjv////////////////////////////////////////////z8/P QD4+QD4+QD4+//////////////////////////////////////////////////////////////// z8/PQD4+QD4+QT4/lJOT////////////fHt7QD0+QD4+fHt7////////5+fn29vb//////////// ////29vbQD4+QD4+QD4+////////////z87PQD4+QD4+QD4+n56e////////////////n56eQD4+ QD4+n56e////////oJ6fQD4+QD4+z8/P////////////////n56eQT4+QD4+w8LC////t7a2QT4/ QD4+z8/P////////////////////////////////////////////////////////29vbZGJiQT4+ QD0+QD4+QD0+QD4+QD0+fHt7z8/P////////////////////n56eQT4/QD4+z8/P//////////// ////cG5uQT4+QD4+z8/P////////////////z8/PQD4+QD4+oJ6e////////n56eQD4+QD4+QD4+ t7a2////////////////////QD4+QT4/cG5u////////////////////////////////////ICD/ ///////////////////////////////////i6fsVS+QVTOQVTOQUS+MUS+MVTOReg+z///////// //8US+MUS+MUS+MVS+MVS+MVTOQUS+OJpfH///9tj+4US+MVTOQUS+MVS+MVS+MVS+QjV+X///// ///w9P1AbegUS+MVS+QUS+MVS+QVS+QxYuf///////////////////////////////////////// ///Pz89APj5BPj5APj7Pzs////////////////////////////////////////////////////// ///////Pz89APj5BPj58e3tMSkpZVleUk5Nwbm5APT5APj5BPj7DwsL////////b29tYVlafnp7n 5+f////DwsNYVlZBPj9APj6fnp7////////////Pz89APj5APj5kYmJAPj5YVlZwbm5APj7///+g np9APj5APj6fnp7///////////+Ih4dAPj5YVlbz8/P////////b29tMSkpBPj+Jh4f///////// //9kYmJAPj5kYmLz8/P////////n5+fz8/P////////////////////////////////z8/NNSktB Pj5APT5APj5BPj9lYmKrqqrz8/P////////////////////z8/PPz8+IhodAPj5APj6rqqrPz8/P z8/Pz8////9wbm5APj5APj7Pzs/////////////////Pz89APj5BPj6fnp7///////+fnp5APj5A Pj5YVlZAPj5lYmJwbm5kYmLb29vPz89APj5APj5lYmPPz8/Pz8/Pz8/z8/P///////////////// //8gIP///////////////////////////////////12H7BNQ5BNQ5BNQ5BNQ5BRQ5D9x6fD0/f// /////8TT+BNP4xRQ5BRQ5BRQ5BNQ5BRQ5BRQ5NPe+v///6e99RRQ5BRQ5BNP4xNQ5BNQ5BRQ5BRQ 5PD0/f///////9Pe+iNb5hRQ5BRQ5BNQ5BRQ5BRQ5Imn8f////////////////////////////// //////////Pz80E+P0E+P0A+Pre2t/////////////////////////////////////////////// /////////////8/Pz0A9PkA+Pp+envPz84iHh0A+PkA+PkA+PkxKSre2tv///////////////+fn 54iHh0A+PkA+PkA+PkA+PkA+PpSTk////////////////8/Pz3BubnBubre2tre2tkxKSkA+PkA+ PvPz85+enkA9PkA+Pp+env///////////////6uqqkxKSkxKSoiHh317e0A+PlhWVre2tv////// //////////Pz83BubkA+PkA+PnBubkxKSkxKSsPCwv///////////////////////////////4iH h0A+PkA+PkA+PmRiYs/Pz/////////////////////////////////Pz8317e0A9PkA+PkA9PmRi YnBubnBubnFubv///5STk3FubnBubtvb2////////////////9vb23BubnBubre2tv///////7e2 t3BubnFub7e2tpSTk0A+PkA+PkA+Pre2tkA+PkE+P0A+PkxKSnBubnFubnBubtvb2/////////// /////////zAw////////////////////////////////pr/1E1TlE1TlE1TlE1TlE1TlP3Tq8PT9 ////////////l7T0E1TlE1TlE1TlE1TlE1TlE1TlMWno////////8PT9Il/nE1TlE1TlE1TlE1Tl E1TlElTltcr3////////////09/6Il/nE1TlE1TlE1TlE1TlE1Tl09/6//////////////////// ////////////////////ZGJiQD4+QT4+cG5u//////////////////////////////////////// ////////////////////z8/PQD4+QD4+oJ6f////////5+fnz8/Pz8/P8/Pz//////////////// ////////////5+fnz8/Pn56ez87P8/Pz////////////////////////////////////////8/Pz z8/Pz8/P8/Pzn56eQD4+QD4+n56e////////////////////////z8/Pq6qqw8LD29vb//////// ////////////////////////8/Pzz8/Pz87P29vb//////////////////////////////////// ////WFZWQT4+QD0+ZWJj8/Pz////////////////////////////////////////////iIeHQD4+ QD4+z8/P//////////////////////////////////////////////////////////////////// ////////////////////////5+fnz8/Pz8/P////29vbTElKQD4+cW5u//////////////////// ////////////////ICD///////////////////////////+lwfYRWeUSWuYSWuYRWuYRWuZ6ovDw 9f3///////////////8+eOsRWuYSWuYRWeURWeURWeUSWua1y/f///////////+Iq/IRWeURWuYS WuYRWeURWeURWeVrmPD////////////////w9f1Ng+wRWuURWeURWuUSWuYhZOnS4Pr///////// //////////////////////////+3trZAPj5APj5APj7Pz8////////////////////////////// ///////////////////////////Pz89APj5APj6fnp7///////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////+gnp9APj5APj6fnp7///////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////9APj5APj5APj7DwsL///////////////////////////////////////////////// //+Ih4dAPj7Pz8////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////b29tMSkpxbm////////////// //////////////////////8gIP///////////////////9Lh+luR7xFe5xFe5xBe5xBd5k2G7cPW +f///////////////////+Hr/BBe5xFe5xFe5xFe5xFe5xBe51uQ7////////////////////z18 7BFe5xFe5xBe5xBe5xBe5x9p6fD1/v///////////////////7TM9z587BBd5xFe5xBe5xBe52qb 8OHr/P///////////////////////////////2RiYkE+P0A9PllWV/Pz8/////////////////// /////////////////////////////////8/Pz0A+PkE+Pp+env////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////5+enkA+PkA+Pp+env////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////1hWVkA+PkA+Ps/Oz/////////////////////////////////////////// /////////////4iHh8/Pz/////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////9vb23x7e/////// /////////////////////////////1lL////////////////////D2PoDmLnPH/sWpPvlrr14ev8 ////////////////////////////WpPvD2LnD2LoD2PoD2PoD2LoPH/s8PX9//////////////// ////0uH7HmzpD2LnD2LoD2LoD2LnD2LohrDz////////////////////////////0uH7h6/zS4nu LnbrD2PoD2Lo////////////////////////////////29vbTUpLQT4/QD4+ZGJi5+fn//////// ////////////////////////5+fniIeH8/Pz////z8/PQD4+QD4+n56e//////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////n56eQT4/QD4+n56e//////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////iIeHQD4+QT4+q6qq//////////////////////////////////// ////////////////////////8/Pz//////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////8/Pz ////////////////////////////////////ICD///////////////////////////////////// //////////////////////////////+kxvcLZukMZukMZukMZukMZuk7g+3w9f7///////////// ///////////////S4vsdcOoLZugMZukMZukLZukLZunR4/v///////////////////////////// ///////////////////////////////////////////////////////b29tMSkpAPT5APj5NSkuf np7n5+f////////////////n5+efnp5NSkpkYmLz8/P///+3trZAPj5BPj6fnp7///////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////+fnp5APj5APj6fnp7///////////////////// //////////////////////////////////////////////////////////////////////////// ///////////////////////////////n5+dMSkpAPj5MSkrPzs/////////////////////z8/O3 trdkYmLz8/P///////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////9sbP////////////////////////////// /////////////////////////////////7LR+Bh06wpr6gpr6Qlq6Qlq6VeZ8fD2/v////////// /////////////////////////+Ds/EeP7wpr6glq6Qlq6Qlq6Rh069Hj+/////////////////// //////////////////////////////////////////////////////////////////Pz84iHh0A+ PkA+PkA+PkE+P1hWVnFubnFub2RiYkA+PkA+PpSTk/Pz8////////5+enkA+PkA+Pp+env////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////6Cen0A+PkA+Pp+env////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////9vb20xKSkA+PkA+PmRiYp+enp+enp+ennx7 e01KS0A+PoiHh/Pz8/////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////yAg//////////////////////// ////////////////////////////////4O38ZKbzB2/qB2/rB2/qB2/rJoDtstH4//////////// ////////////////////////////////////////osj3JoDtB2/rCHDrB2/rB2/rgrf17/b+//// //////////////////////////////////////////////////////////////////////////// ////5+fnlJOTZGJiQD4+QD4+QT4/QD4+cG5ulJOT5+fn////////////////n56eQD4+QD4+n56e //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////n56eQD4+QD4+n56e//////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////8/Pzn56eZGJiQD4+QD4+QT4/ QD4+cG5uoJ6e5+fn//////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////ICD///////////////// ///////////////////////////////////Q5fsFc+wFc+wFc+w0jfBjqPPA3Pr///////////// //////////////////////////////////////////////////////+x0/ljqPMkhe4Fc+wFc+wV fe3///////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////+3trZwbm5w bm63trb///////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////+3trZwbm5wbm63trb/ //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////9wOv////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////yAg//// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ICD///////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////8yN/////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// /////////////2FwAAA= --_004_FECFC0251E2B6C448BFAC302D1CCA944E6388A1230MAIL01CSUMain_-- From nobody Mon Apr 28 22:58:05 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B492E1A8884 for ; Mon, 28 Apr 2014 22:58:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.551 X-Spam-Level: X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OaLPR4nrI5Pw for ; Mon, 28 Apr 2014 22:58:01 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 168891A8882 for ; Mon, 28 Apr 2014 22:58:01 -0700 (PDT) Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0M9K5G-1Wjus62dZe-00CjIQ; Tue, 29 Apr 2014 07:57:48 +0200 Message-ID: <535F3CC4.1050000@gmx.net> Date: Tue, 29 Apr 2014 07:46:44 +0200 From: Hannes Tschofenig User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "Kentwell, Luke" , "oauth@ietf.org" References: In-Reply-To: X-Enigmail-Version: 1.5.2 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="QmAe4AcTSxc2A3rDEJBUc5llGV78cbJxB" X-Provags-ID: V03:K0:DEsej7DR+Tlt/95cjVgOJ8CqGhao9TW9xZSORGU6yn8FvVWOPmV BP0NGZihhH7GysImjsozg7YsTIdefGBSWCnSt2m0teOanTTwojN6OKYPiH+cIf/QaCSgyTn 2FlE7kWwRJnBWbJV5YubXBt1fLemku9NUVhoIzcpUS7vebv32wAwq0tbSDHlfdQFjtO7cQt KMzIWaBcL0LBYeY3oxr1g== Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/KhpIv_LWJYZzgYT0pFKQKVzWWfk Subject: Re: [OAUTH-WG] Link to RFC on your site is not working X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Apr 2014 05:58:03 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --QmAe4AcTSxc2A3rDEJBUc5llGV78cbJxB Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Luke, I just tried it and it works. This might have been a temporary problem. If you see the problem again, drop me a mail and I report it to the IESG secretary (or so). Ciao Hannes On 04/29/2014 07:12 AM, Kentwell, Luke wrote: > Hi Guys, >=20 > =20 >=20 > I was just looking for the OAuth2 spec and when I follow the link on > your site http://oauth.net/2/ for the RFC: > http://tools.ietf.org/html/rfc6749 >=20 > =20 >=20 > I get a 404 not found error. >=20 > =20 >=20 > Not sure if this is a known problem or by design but thought I would le= t > you know >=20 >=20 > Thanks >=20 > =20 >=20 > _L >=20 > =20 >=20 > =20 >=20 > *Luke Kentwell* > Data Analyst | Office of Planning and Audit >=20 > Charles Sturt University >=20 > Panorama Avenue >=20 > Bathurst, NSW 2795 >=20 > Australia >=20 > Tel: +61 2 6338 6518 >=20 > Email: lkentwell@csu.edu.au >=20 > *www.csu.edu.au* | *www.csu.edu.au/unistats* > >=20 > =20 >=20 > Twitter | Facebook > | LinkedIn > | YouTube > >=20 > =20 >=20 > Charles Sturt University >=20 > | ALBURY-WODONGA | BATHURST | CANBERRA | DUBBO | GOUL= BURN | MELBOURNE | ONTARIO | ORANGE | PORT > MACQUARIE | SYDNEY | WAGGA WAGGA | >=20 > -----------------------------------------------------------------------= - > LEGAL NOTICE > This email (and any attachment) is confidential and is intended for the= > use of the addressee(s) only. If you are not the intended recipient of > this email, you must not copy, distribute, take any action in reliance > on it or disclose it to anyone. Any confidentiality is not waived or > lost by reason of mistaken delivery. Email should be checked for viruse= s > and defects before opening. Charles Sturt University (CSU) does not > accept liability for viruses or any consequence which arise as a result= > of this email transmission. Email communications with CSU may be subjec= t > to automated email filtering, which could result in the delay or > deletion of a legitimate email before it is read at CSU. The views > expressed in this email are not necessarily those of CSU. >=20 > Charles Sturt University in Australia The Grang= e > Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 > 708 551; CRICOS Provider Number: 00005F (National)). TEQSA Provider > Number: PV12018 > Charles Sturt University in Ontario 860 > Harrington Court, Burlington Ontario Canada L7N 3N4 Registration: > www.peqab.ca >=20 > Consider the environment before printing this email. >=20 > Disclaimer added by *CodeTwo Exchange Rules 2007* > www.codetwo.com >=20 >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 --QmAe4AcTSxc2A3rDEJBUc5llGV78cbJxB Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTXzzEAAoJEGhJURNOOiAtEywH/2moo4JRxvIdPCtRKs6maG5v yGdw+knt1uR8MTUINUNqw4kQ9A/ogdTxAncvZmyPb8PN3S80kH7rP1PMJKlC5kAV hdzBuIqgy4MKp4iCHIY3cxesdjSwFTmmgxbiurPKZ7zgBA1YTUrddfU6rMRJcu3t +31kEX8kdebQbSK4tJfvFWq8oN7ksucb7NXK+pGJtq4QC32vPbdIET8M4/8CcDjL 2xkQrJ5MVK1yN2tncF5BzZMzs+0kmjJEYoO8OiDhRtsnZLppPi8qVU38DVjkyt6f 7mldAfzKmfU2kecxSV0kMbkygoEdlhdiWvsawd4gIWNwjHYZly2ZA3PF4y8yIVA= =HmtD -----END PGP SIGNATURE----- --QmAe4AcTSxc2A3rDEJBUc5llGV78cbJxB-- From nobody Mon Apr 28 23:17:56 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21F921A8884 for ; Mon, 28 Apr 2014 23:17:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.852 X-Spam-Level: X-Spam-Status: No, score=-4.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O0-bCWGVifUJ for ; Mon, 28 Apr 2014 23:17:53 -0700 (PDT) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id C2C5E1A884F for ; Mon, 28 Apr 2014 23:17:53 -0700 (PDT) Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s3T6Hjgv013072 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 29 Apr 2014 06:17:46 GMT Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s3T6Hgl6004113 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 29 Apr 2014 06:17:43 GMT Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s3T6HfF5028415; Tue, 29 Apr 2014 06:17:42 GMT Received: from [192.168.1.3] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 28 Apr 2014 23:17:41 -0700 References: <535F3CC4.1050000@gmx.net> Mime-Version: 1.0 (1.0) In-Reply-To: <535F3CC4.1050000@gmx.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Message-Id: <2C2D83F6-239D-40F3-891A-E5EFEF178CBC@oracle.com> X-Mailer: iPhone Mail (11D167) From: Phil Hunt Date: Mon, 28 Apr 2014 23:17:39 -0700 To: Hannes Tschofenig X-Source-IP: acsinet21.oracle.com [141.146.126.237] Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/hm0lIt7QSYqueK2fJHQuagGV0jU Cc: "Kentwell, Luke" , "oauth@ietf.org" Subject: Re: [OAUTH-WG] Link to RFC on your site is not working X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Apr 2014 06:17:55 -0000 There have been flakey issues with the entire ietf site since at least 3paci= fic. First noticed it on xml2rfc. But then noticed it is all the pages.=20 Phil > On Apr 28, 2014, at 22:46, Hannes Tschofenig w= rote: >=20 > Hi Luke, >=20 > I just tried it and it works. This might have been a temporary problem. >=20 > If you see the problem again, drop me a mail and I report it to the IESG > secretary (or so). >=20 > Ciao > Hannes >=20 >> On 04/29/2014 07:12 AM, Kentwell, Luke wrote: >> Hi Guys, >>=20 >>=20 >>=20 >> I was just looking for the OAuth2 spec and when I follow the link on >> your site http://oauth.net/2/ for the RFC: >> http://tools.ietf.org/html/rfc6749 >>=20 >>=20 >>=20 >> I get a 404 not found error. >>=20 >>=20 >>=20 >> Not sure if this is a known problem or by design but thought I would let >> you know >>=20 >>=20 >> Thanks >>=20 >>=20 >>=20 >> _L >>=20 >>=20 >>=20 >>=20 >>=20 >> *Luke Kentwell* >> Data Analyst | Office of Planning and Audit >>=20 >> Charles Sturt University >>=20 >> Panorama Avenue >>=20 >> Bathurst, NSW 2795 >>=20 >> Australia >>=20 >> Tel: +61 2 6338 6518 >>=20 >> Email: lkentwell@csu.edu.au >>=20 >> *www.csu.edu.au* | *www.csu.edu.au/unistats* >> >>=20 >>=20 >>=20 >> Twitter | Facebook >> | LinkedIn >> | YouTube >> >>=20 >>=20 >>=20 >> Charles Sturt University >>=20 >> | ALBURY-WODONGA | BATHURST | CANBERRA | DUBBO | GOULBU= RN | MELBOURNE | ONTARIO | ORANGE | PORT >> MACQUARIE | SYDNEY | WAGGA WAGGA | >>=20 >> ------------------------------------------------------------------------ >> LEGAL NOTICE >> This email (and any attachment) is confidential and is intended for the >> use of the addressee(s) only. If you are not the intended recipient of >> this email, you must not copy, distribute, take any action in reliance >> on it or disclose it to anyone. Any confidentiality is not waived or >> lost by reason of mistaken delivery. Email should be checked for viruses >> and defects before opening. Charles Sturt University (CSU) does not >> accept liability for viruses or any consequence which arise as a result >> of this email transmission. Email communications with CSU may be subject >> to automated email filtering, which could result in the delay or >> deletion of a legitimate email before it is read at CSU. The views >> expressed in this email are not necessarily those of CSU. >>=20 >> Charles Sturt University in Australia The Grange >> Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 >> 708 551; CRICOS Provider Number: 00005F (National)). TEQSA Provider >> Number: PV12018 >> Charles Sturt University in Ontario 860 >> Harrington Court, Burlington Ontario Canada L7N 3N4 Registration: >> www.peqab.ca >>=20 >> Consider the environment before printing this email. >>=20 >> Disclaimer added by *CodeTwo Exchange Rules 2007* >> www.codetwo.com >>=20 >>=20 >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth From nobody Tue Apr 29 07:45:14 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 226601A8884 for ; Mon, 28 Apr 2014 23:20:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.848 X-Spam-Level: X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bYOlmuBZiN1 for ; Mon, 28 Apr 2014 23:20:20 -0700 (PDT) Received: from seaprod01.csumain.csu.edu.au (seaprod01.csumain.csu.edu.au [137.166.4.2]) by ietfa.amsl.com (Postfix) with ESMTP id 05A7D1A884E for ; Mon, 28 Apr 2014 23:20:20 -0700 (PDT) Received: from seaprod01.csumain.csu.edu.au (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 588D5E51FB_35F44A2B; Tue, 29 Apr 2014 06:20:18 +0000 (GMT) Received: from casba01.CSUMain.csu.edu.au (casba01.csumain.csu.edu.au [137.166.4.68]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "weboutlook.csu.edu.au", Issuer "AusCERT Server CA" (verified OK)) by seaprod01.csumain.csu.edu.au (Sophos Email Appliance) with ESMTPS id 337FB248457_35F44A2F; Tue, 29 Apr 2014 06:20:18 +0000 (GMT) Received: from MAIL01.CSUMain.csu.edu.au ([fe80::fd21:a4c2:dfff:f901]) by casba01.CSUMain.csu.edu.au ([fe80::2499:6c34:c7a3:9bf4%12]) with mapi; Tue, 29 Apr 2014 16:20:16 +1000 From: "Kentwell, Luke" To: Phil Hunt , Hannes Tschofenig Date: Tue, 29 Apr 2014 16:20:16 +1000 Thread-Topic: [OAUTH-WG] Link to RFC on your site is not working Thread-Index: Ac9jcsJTjXL+0fTeR4qEDUOoGCytEAAACdkQ Message-ID: References: <535F3CC4.1050000@gmx.net> <2C2D83F6-239D-40F3-891A-E5EFEF178CBC@oracle.com> In-Reply-To: <2C2D83F6-239D-40F3-891A-E5EFEF178CBC@oracle.com> Accept-Language: en-US, en-AU Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US, en-AU Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/5o42pM3LxlkkW8cUjXdTeOzNUiU X-Mailman-Approved-At: Tue, 29 Apr 2014 07:45:06 -0700 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Link to RFC on your site is not working X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Apr 2014 06:20:22 -0000 Hi Phil, I tried again after Hannes email and got the page now. Thankyou very much for the reply :D _L -----Original Message----- From: Phil Hunt [mailto:phil.hunt@oracle.com] Sent: Tuesday, 29 April 2014 4:18 PM To: Hannes Tschofenig Cc: Kentwell, Luke; oauth@ietf.org Subject: Re: [OAUTH-WG] Link to RFC on your site is not working There have been flakey issues with the entire ietf site since at least 3pac= ific. First noticed it on xml2rfc. But then noticed it is all the pages. Phil > On Apr 28, 2014, at 22:46, Hannes Tschofenig = wrote: > > Hi Luke, > > I just tried it and it works. This might have been a temporary problem. > > If you see the problem again, drop me a mail and I report it to the > IESG secretary (or so). > > Ciao > Hannes > >> On 04/29/2014 07:12 AM, Kentwell, Luke wrote: >> Hi Guys, >> >> >> >> I was just looking for the OAuth2 spec and when I follow the link on >> your site http://oauth.net/2/ for the RFC: >> http://tools.ietf.org/html/rfc6749 >> >> >> >> I get a 404 not found error. >> >> >> >> Not sure if this is a known problem or by design but thought I would >> let you know >> >> >> Thanks >> >> >> >> _L >> >> >> >> >> >> *Luke Kentwell* >> Data Analyst | Office of Planning and Audit >> >> Charles Sturt University >> >> Panorama Avenue >> >> Bathurst, NSW 2795 >> >> Australia >> >> Tel: +61 2 6338 6518 >> >> Email: lkentwell@csu.edu.au >> >> *www.csu.edu.au* | *www.csu.edu.au/unistats* >> >> >> >> >> Twitter | Facebook >> | LinkedIn >> | YouTube >> >> >> >> >> Charles Sturt University >> >> | ALBURY-WODONGA | BATHURST | CANBERRA | DUBBO | GOULB= URN | MELBOURNE | ONTARIO | ORANGE | PORT >> MACQUARIE | SYDNEY | WAGGA WAGGA | >> >> --------------------------------------------------------------------- >> --- >> LEGAL NOTICE >> This email (and any attachment) is confidential and is intended for >> the use of the addressee(s) only. If you are not the intended >> recipient of this email, you must not copy, distribute, take any >> action in reliance on it or disclose it to anyone. Any >> confidentiality is not waived or lost by reason of mistaken delivery. >> Email should be checked for viruses and defects before opening. >> Charles Sturt University (CSU) does not accept liability for viruses >> or any consequence which arise as a result of this email >> transmission. Email communications with CSU may be subject to >> automated email filtering, which could result in the delay or >> deletion of a legitimate email before it is read at CSU. The views expre= ssed in this email are not necessarily those of CSU. >> >> Charles Sturt University in Australia The >> Grange Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 >> (ABN: 83 878 >> 708 551; CRICOS Provider Number: 00005F (National)). TEQSA Provider >> Number: PV12018 >> Charles Sturt University in Ontario 860 >> Harrington Court, Burlington Ontario Canada L7N 3N4 Registration: >> www.peqab.ca >> >> Consider the environment before printing this email. >> >> Disclaimer added by *CodeTwo Exchange Rules 2007* www.codetwo.com >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth Charles Sturt University | ALBURY-WODONGA | BATHURST | CANBERRA | DUBBO | GOULBURN | MELBOURNE | ONT= ARIO | ORANGE | PORT MACQUARIE | SYDNEY | WAGGA WAGGA | LEGAL NOTICE This email (and any attachment) is confidential and is intended for the use= of the addressee(s) only. If you are not the intended recipient of this em= ail, you must not copy, distribute, take any action in reliance on it or di= sclose it to anyone. Any confidentiality is not waived or lost by reason of= mistaken delivery. Email should be checked for viruses and defects before = opening. Charles Sturt University (CSU) does not accept liability for virus= es or any consequence which arise as a result of this email transmission. E= mail communications with CSU may be subject to automated email filtering, w= hich could result in the delay or deletion of a legitimate email before it = is read at CSU. The views expressed in this email are not necessarily those= of CSU. Charles Sturt University in Australia http://www.csu.edu.au The Grange Ch= ancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 5= 51; CRICOS Provider Numbers: 00005F (NSW), 01947G (VIC), 02960B (ACT)). TEQ= SA Provider Number: PV12018 Charles Sturt University in Ontario http://www.charlessturt.ca 860 Harring= ton Court, Burlington Ontario Canada L7N 3N4 Registration: www.peqab.ca Consider the environment before printing this email. Disclaimer added by CodeTwo Exchange Rules 2007 http://www.codetwo.com From nobody Wed Apr 30 11:56:19 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 229F31A0946 for ; Wed, 30 Apr 2014 11:56:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.899 X-Spam-Level: X-Spam-Status: No, score=-0.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FROM_DOMAIN_NOVOWEL=0.5, HTML_MESSAGE=0.001, URI_NOVOWEL=0.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SxL5cwOUb1Ce for ; Wed, 30 Apr 2014 11:56:13 -0700 (PDT) Received: from mail.promanage-inc.com (eliasisrael.com [50.47.36.5]) by ietfa.amsl.com (Postfix) with ESMTP id 7D2FB1A094A for ; Wed, 30 Apr 2014 11:56:12 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by mail.promanage-inc.com (Postfix) with ESMTP id AA3EC4321ACD; Wed, 30 Apr 2014 11:56:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at promanage-inc.com Received: from mail.promanage-inc.com ([127.0.0.1]) by localhost (greendome.promanage-inc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fF3DNs6iyvHL; Wed, 30 Apr 2014 11:56:08 -0700 (PDT) Received: from [192.168.168.107] (unknown [192.168.168.107]) by mail.promanage-inc.com (Postfix) with ESMTPSA id C91754321A9D; Wed, 30 Apr 2014 11:56:08 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) Content-Type: multipart/alternative; boundary="Apple-Mail=_0A5BF250-E3B9-4709-8380-EDEE8C91299A" From: Eve Maler In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A196778@TK5EX14MBXC288.redmond.corp.microsoft.com> Date: Wed, 30 Apr 2014 11:55:51 -0700 Message-Id: <7482A49B-E7B2-471A-8134-54C8C711B701@xmlgrrl.com> References: <535ABCBF.3090308@redhat.com> <4E1F6AAD24975D4BA5B16804296739439A196778@TK5EX14MBXC288.redmond.corp.microsoft.com> To: Mike Jones X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/rn2Kxik4ubkwMReGKQaMuuB88No Cc: oauth Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Apr 2014 18:56:16 -0000 --Apple-Mail=_0A5BF250-E3B9-4709-8380-EDEE8C91299A Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 I agree with Mike's point about flexibility. If OpenID Connect expects = JWT and specific claim semantics, that makes sense in the context of its = use case, but there are lots of other choices that can be made. For = example, UMA's MTI token profile* defines a mechanism for conveying = JSON-formatted permissions (=E0 la Anil Saldhana's "entitlement" model** = vs. "enforcement" for cloud authorization), and other token profiles = could be created to convey JWT claims, the results of policy decisions, = the applicable policies themselves, etc. Eve * = http://tools.ietf.org/html/draft-hardjono-oauth-umacore-09#section-3.3.2 ** = http://anil-identity.blogspot.com/2013/05/access-control-best-practices.ht= ml On 25 Apr 2014, at 1:18 PM, Mike Jones = wrote: > To be clear, access tokens are opaque in OAuth and I don=92t see any = of us trying to change that in the general case. Particular = authorization servers may use JWTs as an access token format, but that=92s= their private choice. I know of other authorization servers that have = the access token value be an index into a local database table, which is = just as legitimate a choice as using a structured access token. > =20 > -- = Mike > =20 > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian = Campbell > Sent: Friday, April 25, 2014 1:12 PM > To: Bill Burke > Cc: oauth > Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer !=3D access tokens = (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) > =20 > I think it is kind of assumed, yeah. And JWT as it is gives you = everything you need for that as long as the AS and RS can agree on keys, = JWE and/or JWS, and how the claims will look. I suspect that's what most = deployments are doing with JWT access tokens today. We are, or offer JWS = + JWT access tokens as an option in product anyway, and I believe many = others are doing the same. >=20 > IHMO getting everyone to agree on the specific claims etc. needed for = a standardized JWT access token is a bit of a rat's nest, which is why = there's not been much progress in that area. >=20 >=20 >=20 >=20 > =20 >=20 > On Fri, Apr 25, 2014 at 1:51 PM, Bill Burke wrote: > Thank you. Thats what I thought. Is it just assumed JWT would/might = be used an access token format for Bearer token auth? Or is there = another draft somewhere for that? Is anybody out there using JWS + JWT = as a access token format? >=20 >=20 > On 4/25/2014 2:59 PM, Brian Campbell wrote: > draft-ietf-oauth-jwt-bearer is only about interactions (client > authentication and JWT as an authorization grant) with the token > endpoint and doesn't define JWT style access tokens. >=20 >=20 > On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke > wrote: >=20 > Red Hat Keycloak [1] only supports basic auth for client > authentication as suggested in the OAuth 2 spec. But our access > tokens are JWS signed JWTs. >=20 > Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth > [2]? Or is there another document I should be following? I'd = like > to see what other claims are being discussed related to JWT-based > access tokens and may have some additional access token claims = we've > been experimenting with others might be interested in. >=20 > Also, I'm not sure yet if we'll implement > draft-ietf-oauth-jwt-bearer to authenticate clients. A lot of our > initial users are more interested in public clients and/or the > implicit flow as they are writing a lot of pure javascript apps > served up by simple static web servers. >=20 > [1] http://keycloak.org > [2] http://tools.ietf.org/html/__rfc6750 > >=20 >=20 > --=20 > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > =20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl --Apple-Mail=_0A5BF250-E3B9-4709-8380-EDEE8C91299A Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252
I = agree with Mike's point about flexibility. If OpenID Connect expects JWT = and specific claim semantics, that makes sense in the context of its use = case, but there are lots of other choices that can be made. For example, = UMA's MTI token profile* defines a mechanism for conveying = JSON-formatted permissions (=E0 la Anil Saldhana's "entitlement" model** = vs. "enforcement" for cloud authorization), and other token profiles = could be created to convey JWT claims, the results of policy decisions, = the applicable policies themselves, etc.

= Eve

On 25 Apr 2014, at 1:18 PM, Mike = Jones <Michael.Jones@microsoft.com> wrote:

To be clear, access tokens are opaque in OAuth and = I don=92t see any of us trying to change that in the general case.  = Particular authorization servers may use JWTs as an access token format, but that=92s their private = choice.  I know of other authorization servers that have the access = token value be an index into a local database table, which is just as = legitimate a choice as using a structured access = token.

 

        &nbs= p;            =             &n= bsp;           &nbs= p;            =       -- Mike

 

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Friday, April 25, 2014 1:12 PM
To: Bill Burke
Cc: oauth
Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer !=3D access = tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd = Write-up)

 

I think it is = kind of assumed, yeah. And JWT as it is gives you everything you need = for that as long as the AS and RS can agree on keys, JWE and/or JWS, and = how the claims will look. I suspect that's what most deployments are doing with JWT access tokens today. We are, or offer = JWS + JWT access tokens as an option in product anyway, and I believe = many others are doing the same.

IHMO getting everyone to agree on the = specific claims etc. needed for a standardized JWT access token is a bit = of a rat's nest, which is why there's not been much progress in that = area.




 

On Fri, Apr 25, 2014 at 1:51 PM, Bill Burke = <bburke@redhat.com> wrote:

Thank you.  Thats what I thought.  Is it = just assumed JWT would/might be used an access token format for Bearer = token auth?  Or is there another draft somewhere for that?  Is = anybody out there using JWS + JWT as a access token = format?



On 4/25/2014 2:59 PM, Brian Campbell wrote:

draft-ietf-oauth-jwt-bearer is only about = interactions (client
authentication and JWT as an authorization grant) with the token
endpoint and doesn't define JWT style access tokens.


On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke <bburke@redhat.com

<mailto:bburke@redhat.com>> wrote:

    Red Hat Keycloak [1] only supports basic auth for = client
    authentication as suggested in the OAuth 2 spec.  But = our access
    tokens are JWS signed JWTs.

    Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer = token auth
    [2]?  Or is there another document I should be = following?  I'd like
    to see what other claims are being discussed related to = JWT-based
    access tokens and may have some additional access token = claims we've
    been experimenting with others might be interested in.

    Also, I'm not sure yet if we'll implement
    draft-ietf-oauth-jwt-bearer to authenticate clients. =  A lot of our
    initial users are more interested in public clients and/or = the
    implicit flow as they are writing a lot of pure javascript = apps
    served up by simple static web servers.

    [1] http://keycloak.org

  =   [2] http://tools.ietf.org/html/__rfc6750
    <http://tools.ietf.org/html/rfc6750>


--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

 

_______________________________________________
OAuth mailing = list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth


Eve Maler       =                     =        http://www.xmlgrrl.com/blog
+1= 425 345 6756                 =         http://www.twitter.com/xmlgrrl=

= --Apple-Mail=_0A5BF250-E3B9-4709-8380-EDEE8C91299A-- From nobody Wed Apr 30 14:16:17 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08F951A0852 for ; Wed, 30 Apr 2014 14:16:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YpVoeox-RbWC for ; Wed, 30 Apr 2014 14:16:13 -0700 (PDT) Received: from na6sys009bog029.obsmtp.com (na6sys009bog029.obsmtp.com [74.125.150.103]) by ietfa.amsl.com (Postfix) with ESMTP id CD3751A0639 for ; Wed, 30 Apr 2014 14:16:12 -0700 (PDT) Received: from mail-ig0-f171.google.com ([209.85.213.171]) (using TLSv1) by na6sys009bob029.postini.com ([74.125.148.12]) with SMTP ID DSNKU2FoG7yYgII/sfTp8pbGNFERYbya11N2@postini.com; Wed, 30 Apr 2014 14:16:11 PDT Received: by mail-ig0-f171.google.com with SMTP id c1so2472947igq.4 for ; Wed, 30 Apr 2014 14:16:10 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=1zurINaAYw2NpLbegkhCKHYAS8py5rUkb5ZRP14Eovs=; b=J54l/LZ9C6lz6h2JYepPBttQ47H3QwThaVohgpBpPeyEMyHjbxlbLP+yECkF/+r3et VV0pLFOsr5hzdJOlcE+tXajKEOqhBY8GGB62IEWvtA2lKJ0OdiwwCLM/mDzuBXyqs15c /QbbHBY3p34s1Mp4JgUAi7SY2cdB5fnrqKMes+kG6ie+3t+/maWHmBn5F5Hnvp9E6tpe okPhDQWC8MHX1hhcco4deoLuNoUJJJJrr/xBvvRMpJ/ysEi1+fpQTLCkbk41w4kF0SGr 4wfSroylXWY2ozACW4/HX6HCHGZANYFkhwoDRvZK5Z5IH2GUvHT5DumQfkWyNEuTrUPp Bnlg== X-Received: by 10.43.49.195 with SMTP id vb3mr6878091icb.14.1398892570751; Wed, 30 Apr 2014 14:16:10 -0700 (PDT) X-Gm-Message-State: ALoCoQl4Yt4TaL6Ao2w2+lfdcmoE6vWSg1M/iXTKNSJhJxyiiCAYjQVuwFCBQEByHzOgdfQAc2X/w2BAPETfvJZvP8AgBnR4Bq7erQH9IsIfxk2wMQnGJACjoPb2zQkJy4yzt7p7FoyC X-Received: by 10.43.49.195 with SMTP id vb3mr6877755icb.14.1398892565892; Wed, 30 Apr 2014 14:16:05 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Wed, 30 Apr 2014 14:15:35 -0700 (PDT) In-Reply-To: <53539DF1.4020103@lodderstedt.net> References: <533E77C3.9000509@gmx.net> <53539DF1.4020103@lodderstedt.net> From: Brian Campbell Date: Wed, 30 Apr 2014 15:15:35 -0600 Message-ID: To: Torsten Lodderstedt Content-Type: multipart/alternative; boundary=bcaec52999a7799da104f8490e66 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/PnliePHCAH6NDigpA1HAD3mJPkQ Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Apr 2014 21:16:16 -0000 --bcaec52999a7799da104f8490e66 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable As Mike and Torsten have said, and for the same reasons, I would also like to see the "jwks" metadata parameter added. On Sun, Apr 20, 2014 at 4:14 AM, Torsten Lodderstedt < torsten@lodderstedt.net> wrote: > Hi all, > > I also believe both documents should be merged. > > Nevertheless, here are my comments on the current drafts: > > > * OAuth 2.0 Dynamic Client Registration Core Protocol > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 > > 1.2. Terminology > > " Multiple instances of the same piece of client software MAY use > the same Client ID value at an authorization server, provided that > the Redirection URI values and potentially other values dictated > by authorization server policy are the same for all instances." > > Which entity determines whether the same client id is used for different > instances? Given the current protocol design, I would assume it is at the > discretion of the authz server. Other opinions? > > "Software Statement ... It may also be accepted by some authorization > servers > directly as a Client ID value, without prior registration." > > under which circumstances does an authz server accept a software statemen= t > as client_id? How does the client know? I think the idea is valuable but > needs much more text in order to come up with an interoperable protocol > design. > > 1.3. Protocol Flow > > Initial Access Token vs. Software Statement: In my opinion, those concept= s > are two different ways to authorize client registration. Although there a= re > the typical differences between tokens and assertions (such as opaque > content vs. defined syntax), I feel software statements could supersede > initial access tokens. > Thoughts? > > 2. Client Metadata > > "redirect_uris ... It is > RECOMMENDED that clients using these flows register this > parameter, and an authorization server SHOULD require ..." > > I consider this a rather weak statement - does this foster interop? Why > not requiring registration of redirect_uris for all clients using web-bas= ed > grant types. > > last paragraph: > "If the same client metadata name is present in both > locations, the value in the software statement SHOULD take > precedence." > > why not MUST? > > 3. Software Statement > > Is there a need to require a certain signature method for JWTs used as > software statement (interop)? JWT itself requires "HMAC" and "none", whic= h > both are of no or limited value in this context. RSA is just recommended = by > the JWT spec. > > 5.1 > > "If a software statement was used as part of the registration, its > value SHOULD be returned in the response and its value MUST be > returned if the authorization server supports registration management > operations [OAuth.Registration.Management] that would require its > presence in subsequent operations." > > I don't get the connection between software statements and the management > API. In the management API spec, I only found a reference to software > statements in the introduction. Should this text just be removed? > > 5.2 > > error codes - invalid_client_metadata > > I consider this underspecified. How is the client supposed to react if > this error occurs? I would expect the authz server to give more detailed > information regarding error conditions, e.g. notify the client if > particular requested grant types are not supported. Otherwise, the client > cannot handle those error differently. > > > * OAuth 2.0 Dynamic Client Registration Metadata > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 > > I would suggest to add "jwks" (as defined in > http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetada= ta) > in order to support native clients. > > regards, > Torsten. > > Am 04.04.2014 11:13, schrieb Hannes Tschofenig: > > Hi all, > > This is a Last Call for comments on the dynamic client registration > documents: > > * OAuth 2.0 Dynamic Client Registration Core Protocolhttp://tools.ietf.or= g/html/draft-ietf-oauth-dyn-reg-16 > > * OAuth 2.0 Dynamic Client Registration Metadatahttp://tools.ietf.org/htm= l/draft-ietf-oauth-dyn-reg-metadata-00 > > Since we have to do the last call for these two documents together we > are setting the call for **3 weeks**. > > Please have your comments in no later than April 25th. > > Ciao > Hannes & Derek > > > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oau= th > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > --=20 [image: Ping Identity logo] Brian Campbell [Enter Title] @ bcampbell@pingidentity.com [image: phone] +1 720.317.2061 Connect with us=E2=80=A6 [image: twitter logo] = [image: youtube logo] [image: LinkedIn logo] [image: Facebook logo] [image: Google+ logo] [image: slideshare logo] [image: flipboard logo] [image: rss feed icon] [image: Register for Cloud Identity Summit 2014 | Modern Identity Revolution | 19=E2=80=9323 July, 2014 | Monterey, CA] --bcaec52999a7799da104f8490e66 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
As Mike and Torsten have said, and for the same reasons, I= would also like to see the "jwks" metadata parameter added.
<= /div>


On Sun, = Apr 20, 2014 at 4:14 AM, Torsten Lodderstedt <torsten@lodderstedt.n= et> wrote:
=20 =20 =20
Hi all,

I also believe both documents should be merged.

Nevertheless, here are my comments on the current drafts:


*=C2=A0 OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16
1.2.=C2=A0 Terminology

=C2=A0" Multiple instances of the same piece of client software MA= Y use
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 the same Client ID value at an authoriza= tion server, provided that
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 the Redirection URI values and potential= ly other values dictated
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 by authorization server policy are the s= ame for all instances."

Which entity determines whether the same client id is used for different instances? Given the current protocol design, I would assume it is at the discretion of the authz server. Other opinions?

"Software Statement ... It may also be accepted by some authorization servers
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 directly as a Client ID value, without p= rior registration."

under which circumstances does an authz server accept a software statement as client_id? How does the client know? I think the idea is valuable but needs much more text in order to come up with an interoperable protocol design.

1.3. Protocol Flow

Initial Access Token vs. Software Statement: In my opinion, those concepts are two different ways to authorize client registration. Although there are the typical differences between tokens and assertions (such as opaque content vs. defined syntax), I feel software statements could supersede initial access tokens.
Thoughts?

2.=C2=A0 Client Metadata

"redirect_uris=C2=A0 ...=C2=A0 It is
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 RECOMMENDED that clients using these flo= ws register this
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 parameter, and an authorization server S= HOULD require ..."

I consider this a rather weak statement - does this foster interop? Why not requiring registration of redirect_uris for all clients using web-based grant types.

last paragraph:
"If the same client metadata name is present in both
=C2=A0=C2=A0 locations, the value in the software statement SHOULD take=
=C2=A0=C2=A0 precedence."

why not MUST?

3.=C2=A0 Software Statement

Is there a need to require a certain signature method for JWTs used as software statement (interop)? JWT itself requires "HMAC" a= nd "none", which both are of no or limited value in this context= . RSA is just recommended by the JWT spec.

5.1

"If a software statement was used as part of the registration, its=
=C2=A0=C2=A0 value SHOULD be returned in the response and its value MUS= T be
=C2=A0=C2=A0 returned if the authorization server supports registration management
=C2=A0=C2=A0 operations [OAuth.Registration.Management] that would requ= ire its
=C2=A0=C2=A0 presence in subsequent operations."

I don't get the connection between software statements and the management API. In the management API spec, I only found a reference to software statements in the introduction. Should this text just be removed?

5.2

error codes - invalid_client_metadata

I consider this underspecified. How is the client supposed to react if this error occurs? I would expect the authz server to give more detailed information regarding error conditions, e.g. notify the client if particular requested grant types are not supported. Otherwise, the client cannot handle those error differently.


* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-= metadata-00

I would suggest to add "jwks" (as defined in http://openid.net/specs/openid-connect-r= egistration-1_0.html#ClientMetadata) in order to support native clients.

regards,
Torsten.

Am 04.04.2014 11:13, schrieb Hannes Tschofenig:
Hi all,

This is a Last Call for comments on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-meta=
data-00

Since we have to do the last call for these two documents together we
are setting the call for **3 weeks**.

Please have your comments in no later than April 25th.

Ciao
Hannes & Derek




____________________________________=
___________
OAuth mailing list
OAuth@ietf.org
h=
ttps://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth




--
3D"Register

--bcaec52999a7799da104f8490e66-- From nobody Wed Apr 30 14:23:10 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA2B91A0997 for ; Wed, 30 Apr 2014 14:23:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.578 X-Spam-Level: X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eflMhLzGdLiZ for ; Wed, 30 Apr 2014 14:23:05 -0700 (PDT) Received: from na6sys009bog002.obsmtp.com (na6sys009bog002.obsmtp.com [74.125.150.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1CBAC1A09A8 for ; Wed, 30 Apr 2014 14:23:04 -0700 (PDT) Received: from mail-ig0-f178.google.com ([209.85.213.178]) (using TLSv1) by na6sys009bob002.postini.com ([74.125.148.12]) with SMTP ID DSNKU2FpthrgOT5yn9uXxXlYeCN1SlO+K/mM@postini.com; Wed, 30 Apr 2014 14:23:02 PDT Received: by mail-ig0-f178.google.com with SMTP id r10so699310igi.11 for ; Wed, 30 Apr 2014 14:23:01 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=r2Jlwkny6FNlvcoOY8SNkMeYak5qXtuZrHYXIRRhPLY=; b=I9ZI6RxdRU48PcsjevnSOYhe4JvC+5CZ7T6zBSlRz4sl/LYk7wIIS1iSiBzUBOT+Zs OXNem+FUb03hRvNU7s8ppeQPrq4PWgCPEk7zYewsTpgGZI74FVHXQI6PI7/KktBWSWJv YS8F+OWiDAgBHNL1+5al+5zANYMf+R01lDasNDcOpabRkHTvG+GD/txQNAtZ2u7rs3Tz coyMj6Pc9camnIAnV+6gdwyt42OiBP7qNgM3dN/DdDDuAKk2MjUMEd3oNsxdQF1lWBQY lSXK6DLv/rpRldustC8KkcxC9NNPSFHaAcN1OnJ26JntrEcrOvXNQt2eRxscB5SFSvFe ewLg== X-Gm-Message-State: ALoCoQkeXJkDgCdWRSVfMMEFUDW81Y4stOUx+d2Od9aciRsBoDN8ObXzz7sfNKgmwO35am6L3UwevdXYB5FFWM+kvqJ60K4GFtpoz5SEz7DGcWnBweeFhKf0XOimbdNyPqpLQ2nU7QGv X-Received: by 10.50.4.70 with SMTP id i6mr41685692igi.40.1398892981142; Wed, 30 Apr 2014 14:23:01 -0700 (PDT) X-Received: by 10.50.4.70 with SMTP id i6mr41685675igi.40.1398892980930; Wed, 30 Apr 2014 14:23:00 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.240.201 with HTTP; Wed, 30 Apr 2014 14:22:30 -0700 (PDT) In-Reply-To: References: <533E77C3.9000509@gmx.net> <53539DF1.4020103@lodderstedt.net> From: Brian Campbell Date: Wed, 30 Apr 2014 15:22:30 -0600 Message-ID: To: Torsten Lodderstedt Content-Type: multipart/alternative; boundary=001a11c32a8835251c04f849278d Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/hQAHr_NnyhXrn_Di6DP9agqIldw Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Apr 2014 21:23:08 -0000 --001a11c32a8835251c04f849278d Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Somewhat related is the client_secret_expires_at parameter. It seems a little odd to have that in this protocol that offers no way to deal with the expiration other than a completely new reregistration. It also seems like it should be more general than just the expiration of the secret and apply to any credential (like "jwks") that doesn't have another means of rotation. Or maybe just be a general expiration of the client's registration. On Wed, Apr 30, 2014 at 3:15 PM, Brian Campbell wrote: > As Mike and Torsten have said, and for the same reasons, I would also lik= e > to see the "jwks" metadata parameter added. > > > On Sun, Apr 20, 2014 at 4:14 AM, Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > >> Hi all, >> >> I also believe both documents should be merged. >> >> Nevertheless, here are my comments on the current drafts: >> >> >> * OAuth 2.0 Dynamic Client Registration Core Protocol >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 >> >> 1.2. Terminology >> >> " Multiple instances of the same piece of client software MAY use >> the same Client ID value at an authorization server, provided that >> the Redirection URI values and potentially other values dictated >> by authorization server policy are the same for all instances." >> >> Which entity determines whether the same client id is used for different >> instances? Given the current protocol design, I would assume it is at th= e >> discretion of the authz server. Other opinions? >> >> "Software Statement ... It may also be accepted by some authorization >> servers >> directly as a Client ID value, without prior registration." >> >> under which circumstances does an authz server accept a software >> statement as client_id? How does the client know? I think the idea is >> valuable but needs much more text in order to come up with an interopera= ble >> protocol design. >> >> 1.3. Protocol Flow >> >> Initial Access Token vs. Software Statement: In my opinion, those >> concepts are two different ways to authorize client registration. Althou= gh >> there are the typical differences between tokens and assertions (such as >> opaque content vs. defined syntax), I feel software statements could >> supersede initial access tokens. >> Thoughts? >> >> 2. Client Metadata >> >> "redirect_uris ... It is >> RECOMMENDED that clients using these flows register this >> parameter, and an authorization server SHOULD require ..." >> >> I consider this a rather weak statement - does this foster interop? Why >> not requiring registration of redirect_uris for all clients using web-ba= sed >> grant types. >> >> last paragraph: >> "If the same client metadata name is present in both >> locations, the value in the software statement SHOULD take >> precedence." >> >> why not MUST? >> >> 3. Software Statement >> >> Is there a need to require a certain signature method for JWTs used as >> software statement (interop)? JWT itself requires "HMAC" and "none", whi= ch >> both are of no or limited value in this context. RSA is just recommended= by >> the JWT spec. >> >> 5.1 >> >> "If a software statement was used as part of the registration, its >> value SHOULD be returned in the response and its value MUST be >> returned if the authorization server supports registration management >> operations [OAuth.Registration.Management] that would require its >> presence in subsequent operations." >> >> I don't get the connection between software statements and the managemen= t >> API. In the management API spec, I only found a reference to software >> statements in the introduction. Should this text just be removed? >> >> 5.2 >> >> error codes - invalid_client_metadata >> >> I consider this underspecified. How is the client supposed to react if >> this error occurs? I would expect the authz server to give more detailed >> information regarding error conditions, e.g. notify the client if >> particular requested grant types are not supported. Otherwise, the clien= t >> cannot handle those error differently. >> >> >> * OAuth 2.0 Dynamic Client Registration Metadata >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 >> >> I would suggest to add "jwks" (as defined in >> http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetad= ata) >> in order to support native clients. >> >> regards, >> Torsten. >> >> Am 04.04.2014 11:13, schrieb Hannes Tschofenig: >> >> Hi all, >> >> This is a Last Call for comments on the dynamic client registration >> documents: >> >> * OAuth 2.0 Dynamic Client Registration Core Protocolhttp://tools.ietf.o= rg/html/draft-ietf-oauth-dyn-reg-16 >> >> * OAuth 2.0 Dynamic Client Registration Metadatahttp://tools.ietf.org/ht= ml/draft-ietf-oauth-dyn-reg-metadata-00 >> >> Since we have to do the last call for these two documents together we >> are setting the call for **3 weeks**. >> >> Please have your comments in no later than April 25th. >> >> Ciao >> Hannes & Derek >> >> >> >> >> _______________________________________________ >> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oa= uth >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > > > -- > [image: Ping Identity logo] > Brian Campbell > [Enter Title] > @ bcampbell@pingidentity.com [image: phone] +1 720.317.2061 Connect > with us=E2=80=A6 [image: twitter logo] [image: > youtube logo] [image: > LinkedIn logo] [image: Facebook > logo] [image: Google+ logo] [image: > slideshare logo] [image: > flipboard logo] [image: rss feed icon] > [image: Register for Cloud Identity Summit 2014 | Modern Identity > Revolution | 19=E2=80=9323 July, 2014 | Monterey, CA] > > --=20 [image: Ping Identity logo] Brian Campbell [Enter Title] @ bcampbell@pingidentity.com [image: phone] +1 720.317.2061 Connect with us=E2=80=A6 [image: twitter logo] = [image: youtube logo] [image: LinkedIn logo] [image: Facebook logo] [image: Google+ logo] [image: slideshare logo] [image: flipboard logo] [image: rss feed icon] [image: Register for Cloud Identity Summit 2014 | Modern Identity Revolution | 19=E2=80=9323 July, 2014 | Monterey, CA] --001a11c32a8835251c04f849278d Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Somewhat related is the client_secret_expires_at parameter= . It seems a little odd to have that in this protocol that offers no way to= deal with the expiration other than a completely new reregistration. It al= so seems like it should be more general than just the expiration of the sec= ret and apply to any credential (like "jwks") that doesn't ha= ve another means of rotation. Or maybe just be a general expiration of the = client's registration.


On Wed,= Apr 30, 2014 at 3:15 PM, Brian Campbell <bcampbell@pingidentity.= com> wrote:
As Mike and Torsten have sa= id, and for the same reasons, I would also like to see the "jwks"= metadata parameter added.


On Sun, Apr 20, 2014 at 4:14 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
=20 =20 =20
Hi all,

I also believe both documents should be merged.

Nevertheless, here are my comments on the current drafts:


*=C2=A0 OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16
1.2.=C2=A0 Terminology

=C2=A0" Multiple instances of the same piece of client software MA= Y use
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 the same Client ID value at an authoriza= tion server, provided that
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 the Redirection URI values and potential= ly other values dictated
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 by authorization server policy are the s= ame for all instances."

Which entity determines whether the same client id is used for different instances? Given the current protocol design, I would assume it is at the discretion of the authz server. Other opinions?

"Software Statement ... It may also be accepted by some authorization servers
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 directly as a Client ID value, without p= rior registration."

under which circumstances does an authz server accept a software statement as client_id? How does the client know? I think the idea is valuable but needs much more text in order to come up with an interoperable protocol design.

1.3. Protocol Flow

Initial Access Token vs. Software Statement: In my opinion, those concepts are two different ways to authorize client registration. Although there are the typical differences between tokens and assertions (such as opaque content vs. defined syntax), I feel software statements could supersede initial access tokens.
Thoughts?

2.=C2=A0 Client Metadata

"redirect_uris=C2=A0 ...=C2=A0 It is
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 RECOMMENDED that clients using these flo= ws register this
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 parameter, and an authorization server S= HOULD require ..."

I consider this a rather weak statement - does this foster interop? Why not requiring registration of redirect_uris for all clients using web-based grant types.

last paragraph:
"If the same client metadata name is present in both
=C2=A0=C2=A0 locations, the value in the software statement SHOULD take=
=C2=A0=C2=A0 precedence."

why not MUST?

3.=C2=A0 Software Statement

Is there a need to require a certain signature method for JWTs used as software statement (interop)? JWT itself requires "HMAC" a= nd "none", which both are of no or limited value in this context= . RSA is just recommended by the JWT spec.

5.1

"If a software statement was used as part of the registration, its=
=C2=A0=C2=A0 value SHOULD be returned in the response and its value MUS= T be
=C2=A0=C2=A0 returned if the authorization server supports registration management
=C2=A0=C2=A0 operations [OAuth.Registration.Management] that would requ= ire its
=C2=A0=C2=A0 presence in subsequent operations."

I don't get the connection between software statements and the management API. In the management API spec, I only found a reference to software statements in the introduction. Should this text just be removed?

5.2

error codes - invalid_client_metadata

I consider this underspecified. How is the client supposed to react if this error occurs? I would expect the authz server to give more detailed information regarding error conditions, e.g. notify the client if particular requested grant types are not supported. Otherwise, the client cannot handle those error differently.


* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-= metadata-00

I would suggest to add "jwks" (as defined in http://openid.net/specs/openid-connect-r= egistration-1_0.html#ClientMetadata) in order to support native clients.

regards,
Torsten.

Am 04.04.2014 11:13, schrieb Hannes Tschofenig:
Hi all,

This is a Last Call for comments on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-meta=
data-00

Since we have to do the last call for these two documents together we
are setting the call for **3 weeks**.

Please have your comments in no later than April 25th.

Ciao
Hannes & Derek




_______________________________________________
OAuth mailing list
OAuth@ietf.org
h=
ttps://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/oauth




--
3D"Ping =09
Brian Campbell
[Enter Title]
=09
@ bcampbell@pingidentity.com
3D"phone" +1 720.317.2061
Connect with us=E2=80=A6
3D"twitter 3D"youtube 3D"LinkedIn 3D"Facebook 3D"Google+ 3D"slideshare 3D"flipboard 3D"rss
3D"Register




--
3D"Register

--001a11c32a8835251c04f849278d-- From nobody Wed Apr 30 14:32:27 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C9B01A0948 for ; Wed, 30 Apr 2014 14:32:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4BA-HlDn89-u for ; Wed, 30 Apr 2014 14:32:25 -0700 (PDT) Received: from mail-qc0-f178.google.com (mail-qc0-f178.google.com [209.85.216.178]) by ietfa.amsl.com (Postfix) with ESMTP id D149E1A079F for ; Wed, 30 Apr 2014 14:32:24 -0700 (PDT) Received: by mail-qc0-f178.google.com with SMTP id i8so2559067qcq.37 for ; Wed, 30 Apr 2014 14:32:23 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=A+7iuJG8RjY0JHa2JqkGVdiwiHxKn3DqU3GsWOn7RBU=; b=KhyRGsqYQmhbJLsZKQLjB1FxLfLtC8Aga5ubKCuAJbjy/NHJuAkX4seN7ScZMswkxX Ywgs0FTgk2PcxzlpoXBhgPq4PQLvU/iB+c5W6tKyDqAMU3EdutMpkbS9EL+0GwUkBWdk EZmXGrKIuzIHehbFGlTiHldYnqecfknRZ9Z5wM6A7lJ7oTYRLkQsEZgxGqacXAfNlEem Jkx6hBmbETCw8mcglm2HWAE434Q5zu8qRhdJKiyGjfhdxzdlYhSI8TDAQD1Hf6cROVVG FRfcxrjhhHZLl0oCQ802AAUpGqCCgd5VbrwOERxTWodIm9aHI8OHKhp6Ran3Dpm0YnsP 8s4w== X-Gm-Message-State: ALoCoQmjSCJX9KoAAtpZd3tb51Dk6bSGu1Ma1vU/Q7dDTAIuNJ6htr6LbDIsW2JSkLwh3ZFpJk0z X-Received: by 10.140.26.39 with SMTP id 36mr8358118qgu.111.1398893542860; Wed, 30 Apr 2014 14:32:22 -0700 (PDT) Received: from [192.168.0.200] ([201.189.26.19]) by mx.google.com with ESMTPSA id n105sm32316329qgd.7.2014.04.30.14.32.14 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 30 Apr 2014 14:32:22 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_546656DE-27A7-42BC-935A-45D843942F31" Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) From: John Bradley In-Reply-To: Date: Wed, 30 Apr 2014 17:32:18 -0400 Message-Id: References: <533E77C3.9000509@gmx.net> <53539DF1.4020103@lodderstedt.net> To: Brian Campbell X-Mailer: Apple Mail (2.1874) Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/kK4yKpZ789gDEq2SY2rIflfQvH0 Cc: "oauth@ietf.org" Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Apr 2014 21:32:27 -0000 --Apple-Mail=_546656DE-27A7-42BC-935A-45D843942F31 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 The "jwks" meta-data parameter may also be required for some of the = Proof of Possession flows. Allowing a client to register its public = key is important for reducing the number of long term symetric keys that = need to be maintained. On Apr 30, 2014, at 5:15 PM, Brian Campbell = wrote: > As Mike and Torsten have said, and for the same reasons, I would also = like to see the "jwks" metadata parameter added. >=20 >=20 > On Sun, Apr 20, 2014 at 4:14 AM, Torsten Lodderstedt = wrote: > Hi all, >=20 > I also believe both documents should be merged. >=20 > Nevertheless, here are my comments on the current drafts: >=20 >=20 > * OAuth 2.0 Dynamic Client Registration Core Protocol = http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 >=20 > 1.2. Terminology >=20 > " Multiple instances of the same piece of client software MAY use > the same Client ID value at an authorization server, provided = that > the Redirection URI values and potentially other values dictated > by authorization server policy are the same for all instances." >=20 > Which entity determines whether the same client id is used for = different instances? Given the current protocol design, I would assume = it is at the discretion of the authz server. Other opinions? >=20 > "Software Statement ... It may also be accepted by some authorization = servers > directly as a Client ID value, without prior registration." >=20 > under which circumstances does an authz server accept a software = statement as client_id? How does the client know? I think the idea is = valuable but needs much more text in order to come up with an = interoperable protocol design. >=20 > 1.3. Protocol Flow >=20 > Initial Access Token vs. Software Statement: In my opinion, those = concepts are two different ways to authorize client registration. = Although there are the typical differences between tokens and assertions = (such as opaque content vs. defined syntax), I feel software statements = could supersede initial access tokens.=20 > Thoughts? >=20 > 2. Client Metadata >=20 > "redirect_uris ... It is > RECOMMENDED that clients using these flows register this > parameter, and an authorization server SHOULD require ..."=20 >=20 > I consider this a rather weak statement - does this foster interop? = Why not requiring registration of redirect_uris for all clients using = web-based grant types. >=20 > last paragraph:=20 > "If the same client metadata name is present in both > locations, the value in the software statement SHOULD take > precedence." >=20 > why not MUST? >=20 > 3. Software Statement >=20 > Is there a need to require a certain signature method for JWTs used as = software statement (interop)? JWT itself requires "HMAC" and "none", = which both are of no or limited value in this context. RSA is just = recommended by the JWT spec. >=20 > 5.1 >=20 > "If a software statement was used as part of the registration, its > value SHOULD be returned in the response and its value MUST be > returned if the authorization server supports registration = management > operations [OAuth.Registration.Management] that would require its > presence in subsequent operations." >=20 > I don't get the connection between software statements and the = management API. In the management API spec, I only found a reference to = software statements in the introduction. Should this text just be = removed? >=20 > 5.2=20 >=20 > error codes - invalid_client_metadata >=20 > I consider this underspecified. How is the client supposed to react if = this error occurs? I would expect the authz server to give more detailed = information regarding error conditions, e.g. notify the client if = particular requested grant types are not supported. Otherwise, the = client cannot handle those error differently. >=20 >=20 > * OAuth 2.0 Dynamic Client Registration Metadata > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 >=20 > I would suggest to add "jwks" (as defined in = http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadat= a) in order to support native clients. >=20 > regards, > Torsten. >=20 > Am 04.04.2014 11:13, schrieb Hannes Tschofenig: >> Hi all, >>=20 >> This is a Last Call for comments on the dynamic client registration >> documents: >>=20 >> * OAuth 2.0 Dynamic Client Registration Core Protocol >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 >>=20 >> * OAuth 2.0 Dynamic Client Registration Metadata >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 >>=20 >> Since we have to do the last call for these two documents together we >> are setting the call for **3 weeks**. >>=20 >> Please have your comments in no later than April 25th. >>=20 >> Ciao >> Hannes & Derek >>=20 >>=20 >>=20 >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >=20 >=20 >=20 >=20 > --=20 > =09 > Brian Campbell > [Enter Title] > @ bcampbell@pingidentity.com > +1 720.317.2061 > Connect with us=85 > =20 >=20 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth --Apple-Mail=_546656DE-27A7-42BC-935A-45D843942F31 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 The = "jwks" meta-data parameter may also be required for some of the Proof of = Possession flows.   Allowing a client to register its public key is = important for reducing the number of long term symetric keys that need = to be maintained.

On Apr 30, 2014, at 5:15 PM, Brian = Campbell <bcampbell@pingidentity.com&= gt; wrote:

As Mike and Torsten have said, and for = the same reasons, I would also like to see the "jwks" metadata parameter = added.


On Sun, Apr 20, 2014 at 4:14 AM, Torsten = Lodderstedt <torsten@lodderstedt.net> wrote:
=20 =20 =20
Hi all,

I also believe both documents should be merged.

Nevertheless, here are my comments on the current drafts:


*  OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

1.2.  Terminology

 " Multiple instances of the same piece of client software MAY = use
      the same Client ID value at an = authorization server, provided that
      the Redirection URI values and = potentially other values dictated
      by authorization server policy are = the same for all instances."

Which entity determines whether the same client id is used for different instances? Given the current protocol design, I would assume it is at the discretion of the authz server. Other = opinions?

"Software Statement ... It may also be accepted by some authorization servers
      directly as a Client ID value, = without prior registration."

under which circumstances does an authz server accept a software statement as client_id? How does the client know? I think the idea is valuable but needs much more text in order to come up with an interoperable protocol design.

1.3. Protocol Flow

Initial Access Token vs. Software Statement: In my opinion, those concepts are two different ways to authorize client registration. Although there are the typical differences between tokens and assertions (such as opaque content vs. defined syntax), I feel software statements could supersede initial access tokens.
Thoughts?

2.  Client Metadata

"redirect_uris  ...  It is
      RECOMMENDED that clients using these = flows register this
      parameter, and an authorization = server SHOULD require ..."

I consider this a rather weak statement - does this foster interop? Why not requiring registration of redirect_uris for all clients using web-based grant types.

last paragraph:
"If the same client metadata name is present in both
   locations, the value in the software statement SHOULD = take
   precedence."

why not MUST?

3.  Software Statement

Is there a need to require a certain signature method for JWTs used as software statement (interop)? JWT itself requires "HMAC" and "none", which both are of no or limited value in this context. RSA is just recommended by the JWT spec.

5.1

"If a software statement was used as part of the registration, = its
   value SHOULD be returned in the response and its value = MUST be
   returned if the authorization server supports = registration management
   operations [OAuth.Registration.Management] that would = require its
   presence in subsequent operations."

I don't get the connection between software statements and the management API. In the management API spec, I only found a reference to software statements in the introduction. Should this text just be removed?

5.2

error codes - invalid_client_metadata

I consider this underspecified. How is the client supposed to react if this error occurs? I would expect the authz server to give more detailed information regarding error conditions, e.g. notify the client if particular requested grant types are not supported. Otherwise, the client cannot handle those error differently.


* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-meta= data-00

I would suggest to add "jwks" (as defined in http://openid.net/specs/openid-connect-registration-1_0.= html#ClientMetadata) in order to support native clients.

regards,
Torsten.

Am 04.04.2014 11:13, schrieb Hannes Tschofenig:
Hi all,

This is a Last Call for comments on the dynamic client registration
documents:

* OAuth 2.0 Dynamic Client Registration Core Protocol
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16

* OAuth 2.0 Dynamic Client Registration Metadata
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-meta=
data-00

Since we have to do the last call for these two documents together we
are setting the call for **3 weeks**.

Please have your comments in no later than April 25th.

Ciao
Hannes & Derek




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




--
3D"Ping =09
Brian Campbell
[Enter = Title]
=09
= @ = bcampbell@pingidentity.com
= 3D"phone" = +1 720.317.2061
= Connect with us=85
= 3D"twitter 3D"youtube 3D"LinkedIn 3D"Facebook 3D"Google+ 3D"slideshare 3D"flipboard
3D"Register

_______________________________________________
OAuth mailing = list
OAuth@ietf.org
https://www.ietf.org/= mailman/listinfo/oauth

= --Apple-Mail=_546656DE-27A7-42BC-935A-45D843942F31-- From nobody Wed Apr 30 23:04:44 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 671C91A09F8; Wed, 30 Apr 2014 23:04:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yIpcil2TVk0t; Wed, 30 Apr 2014 23:04:29 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 378CC1A0A0F; Wed, 30 Apr 2014 23:04:19 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 5.4.1 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140501060419.21288.15455.idtracker@ietfa.amsl.com> Date: Wed, 30 Apr 2014 23:04:19 -0700 Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/bS4WyZn9fHqXZ7ivHdmhgII4ORc Cc: oauth@ietf.org Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-json-web-token-20.txt X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 May 2014 06:04:33 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : JSON Web Token (JWT) Authors : Michael B. Jones John Bradley Nat Sakimura Filename : draft-ietf-oauth-json-web-token-20.txt Pages : 32 Date : 2014-04-30 Abstract: JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted. The suggested pronunciation of JWT is the same as the English word "jot". The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/ There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-json-web-token-20 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Wed Apr 30 23:35:46 2014 Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E6B81A0A17; Wed, 30 Apr 2014 23:35:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3iR6LUtN2CYT; Wed, 30 Apr 2014 23:35:20 -0700 (PDT) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0141.outbound.protection.outlook.com [207.46.163.141]) by ietfa.amsl.com (Postfix) with ESMTP id 1B0271A0A15; Wed, 30 Apr 2014 23:35:18 -0700 (PDT) Received: from BY2PR03CA076.namprd03.prod.outlook.com (10.141.249.49) by BY2PR03MB028.namprd03.prod.outlook.com (10.255.240.42) with Microsoft SMTP Server (TLS) id 15.0.934.12; Thu, 1 May 2014 06:35:14 +0000 Received: from BY2FFO11FD010.protection.gbl (2a01:111:f400:7c0c::156) by BY2PR03CA076.outlook.office365.com (2a01:111:e400:2c5d::49) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Thu, 1 May 2014 06:35:15 +0000 Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD010.mail.protection.outlook.com (10.1.14.74) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Thu, 1 May 2014 06:35:14 +0000 Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (157.54.79.193) by TK5EX14MLTC103.redmond.corp.microsoft.com (157.54.79.174) with Microsoft SMTP Server (TLS) id 14.3.174.2; Thu, 1 May 2014 06:34:47 +0000 Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0174.002; Thu, 1 May 2014 06:34:47 +0000 From: Mike Jones To: "jose@ietf.org" , "oauth@ietf.org" Thread-Topic: JOSE -26 and JWT -20 drafts addressing editorial issues Thread-Index: Ac9lB3D+NkuwBd9aSxOYZAKVDtnXow== Date: Thu, 1 May 2014 06:34:45 +0000 Message-ID: <4E1F6AAD24975D4BA5B16804296739439A1A12F8@TK5EX14MBXC288.redmond.corp.microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.32] Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A1A12F8TK5EX14MBXC288r_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(199002)(189002)(83072002)(86612001)(85852003)(92726001)(92566001)(84676001)(84326002)(87936001)(86362001)(512954002)(46102001)(2656002)(33656001)(16236675002)(4396001)(15202345003)(71186001)(54356999)(80976001)(15975445006)(44976005)(83322001)(19580395003)(6806004)(81542001)(76482001)(81342001)(99396002)(19300405004)(2009001)(50986999)(97736001)(66066001)(31966008)(16796002)(80022001)(74502001)(74662001)(55846006)(77982001)(20776003)(79102001)(6606295002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB028; H:mail.microsoft.com; FPR:; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 01986AE76B Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com; Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com; X-OriginatorOrg: microsoft.onmicrosoft.com Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/EHcYKni748w4qg4rscgWE4typvc Subject: [OAUTH-WG] JOSE -26 and JWT -20 drafts addressing editorial issues X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 May 2014 06:35:25 -0000 --_000_4E1F6AAD24975D4BA5B16804296739439A1A12F8TK5EX14MBXC288r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable The JOSE -26 and JWT -20 drafts address a few editorial issues recently ide= ntified by reviewers, hopefully further clarifying these aspects of the spe= cifications. No normative changes were made. See the Document History entries for details on the specific changes made. The specifications are available at: * http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-26 * http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-26 * http://tools.ietf.org/html/draft-ietf-jose-json-web-key-26 * http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-26 * http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20 HTML formatted versions are also available at: * http://self-issued.info/docs/draft-ietf-jose-json-web-signature-26= .html * http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-2= 6.html * http://self-issued.info/docs/draft-ietf-jose-json-web-key-26.html * http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-2= 6.html * http://self-issued.info/docs/draft-ietf-oauth-json-web-token-20.ht= ml -- Mike --_000_4E1F6AAD24975D4BA5B16804296739439A1A12F8TK5EX14MBXC288r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

The JOSE -26 and JWT -20 drafts address a few editor= ial issues recently identified by reviewers, hopefully further clarifying t= hese aspects of the specifications.  No normative changes were made.

 

See the Document History entries for details on the = specific changes made.

 

The specifications are available at:

·        http://tools.ietf.org/html/draft-ietf-jose= -json-web-signature-26

·        http://tools.ietf.org/html/draft-ietf-jos= e-json-web-encryption-26

·        http://tools.ietf.org/html/draft-ietf-jose-json-= web-key-26

·        http://tools.ietf.org/html/draft-ietf-jos= e-json-web-algorithms-26

·        http://tools.ietf.org/html/draft-ietf-oauth-j= son-web-token-20

 

HTML formatted versions are also available at:<= /o:p>

·        http://self-issued.info/docs/draft-= ietf-jose-json-web-signature-26.html

·        http://self-issued.info/docs/draft= -ietf-jose-json-web-encryption-26.html

·        http://self-issued.info/docs/draft-ietf-j= ose-json-web-key-26.html

·        http://self-issued.info/docs/draft= -ietf-jose-json-web-algorithms-26.html

·        http://self-issued.info/docs/draft-iet= f-oauth-json-web-token-20.html

 

        &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p; -- Mike

 

--_000_4E1F6AAD24975D4BA5B16804296739439A1A12F8TK5EX14MBXC288r_--