
From benl@google.com  Wed Dec 11 08:55:14 2013
Date: Wed, 11 Dec 2013 16:55:07 +0000
Message-ID: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: "therightkey@ietf.org" <therightkey@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2013 16:55:14 -0000

Who's in?

"Problem statement: many Internet protocols require a mapping between
some kind of identifier and some kind of key, for example, HTTPS,
SMTPS, IPSec, DNSSEC and OpenPGP.

These protocols rely on either ad-hoc mappings, or on authorities
which attest to the mappings.


History shows that neither of these mechanisms is entirely
satisfactory. Ad-hoc mappings are difficult to discover and maintain,
and authorities make mistakes or are subverted.


Cryptographically verifiable logs can help to ameliorate the problems
by making it possible to discover and rectify errors before they can
cause harm.


These logs can also assist with other interesting problems, such as
how to assure end users that software they are running is, indeed, the
software they intend to run.


Work items: Specify a standards-track mechanism to apply verifiable
logs to HTTP/TLS (i.e. RFC 6962-bis).


Discuss mechanisms and techniques that allow cryptographically
verifiable logs to be deployed to improve the security of protocols
and software distribution. Where such mechanisms appear sufficiently
useful, the WG will re-charter to add relevant new work items."

From rob.stradling@comodo.com  Wed Dec 11 09:01:21 2013
Message-ID: <52A89A56.4010905@comodo.com>
Date: Wed, 11 Dec 2013 17:01:10 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>,  "therightkey@ietf.org" <therightkey@ietf.org>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 11/12/13 16:55, Ben Laurie wrote:
> Who's in?

Me.  :-)

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

From stephen.farrell@cs.tcd.ie  Wed Dec 11 09:23:54 2013
Message-ID: <52A89F9F.70604@cs.tcd.ie>
Date: Wed, 11 Dec 2013 17:23:43 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>,  "therightkey@ietf.org" <therightkey@ietf.org>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

Thanks Ben,

So folks know what we're thinking and in case all the
process gibberish isn't clear to you all...

Sean and I like the idea of doing this, and the more that
it seems to get broader support, the more we'll like it.

Since there was already a BoF on this back at IETF-85 [1]
that concluded this was work that's relevant to do in
the IETF, we're thinking that if a crisp enough charter
can be crafted on this list then this wouldn't need another
BoF but would be ok to just be pushed into the IESG/IETF
approval process.

What that means is that when Sean and I think we have a
good enough charter draft, then we'll put that into the
datatracker and the IESG will do an IESG-internal review
to decide if it's ready to be sent out for IETF review.
If/when the IESG are ok with that going for IETF-wide
review then a mail will go to the IETF discuss list so's
anyone can comment on the proposed new WG. Then the IESG
get to look at it again, and any comments we've gotten,
and approve the new WG or not. Charter text tweaks can
be expected at each stage.

All going well, that could result in a new WG for this
being formed early in the new year, before IETF-89
with the WG having a first f2f meeting there presumably.

So please comment on Ben's text and the above with that
in mind. I assume Ben will hold the pen on draft charter
text and update that as comments are received.

And please use this list for now, since this is the
one we used for RFC 6962 so probably has the right
people. When/if we form a WG we can make a new list
or use this one if folks prefer that.

Thanks,
S.

[1] http://www.ietf.org/proceedings/85/certrans.html

On 12/11/2013 04:55 PM, Ben Laurie wrote:
> Who's in?
> 
> "Problem statement: many Internet protocols require a mapping between
> some kind of identifier and some kind of key, for example, HTTPS,
> SMTPS, IPSec, DNSSEC and OpenPGP.
> 
> These protocols rely on either ad-hoc mappings, or on authorities
> which attest to the mappings.
> 
> 
> History shows that neither of these mechanisms is entirely
> satisfactory. Ad-hoc mappings are difficult to discover and maintain,
> and authorities make mistakes or are subverted.
> 
> 
> Cryptographically verifiable logs can help to ameliorate the problems
> by making it possible to discover and rectify errors before they can
> cause harm.
> 
> 
> These logs can also assist with other interesting problems, such as
> how to assure end users that software they are running is, indeed, the
> software they intend to run.
> 
> 
> Work items: Specify a standards-track mechanism to apply verifiable
> logs to HTTP/TLS (i.e. RFC 6962-bis).
> 
> 
> Discuss mechanisms and techniques that allow cryptographically
> verifiable logs to be deployed to improve the security of protocols
> and software distribution. Where such mechanisms appear sufficiently
> useful, the WG will re-charter to add relevant new work items."
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
> 
> 

From hallam@gmail.com  Wed Dec 11 09:25:30 2013
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
Date: Wed, 11 Dec 2013 12:25:21 -0500
Message-ID: <CAMm+LwgzdivkiX-g+a4CBefTx=MCgMd17X1nM3x8R6fqt1bnnA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ben Laurie <benl@google.com>
Content-Type: multipart/alternative; boundary=bcaec53d5ee183ea4004ed4583c7
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

IRTF or IETF?

Do we build on existing legacy proposals or write new stuff?

I think there are two separate or at least separable pieces of
infrastructure needed. One is a transparent timestamp notary infrastructure
and the other is transparency mechanisms that make use of said notary
infrastructure.

The need to revisit the first comes from the expiry of the Haber &
Stornetta patents. I think we should have such a facility as a general Web
facility. We can build an infrastructure that prevents defection without
collusion by every notary and archive using existing technology.


Applying the mechanisms to TLS might be done at different levels with
different deployment impacts. Deploying in EE certs is much harder than
deploying in cert signing certs. But the latter would provide most of the
benefit by blocking MITM certs.

I am looking at SMTP and the approach is very obviously research at this
point.


From dkg@fifthhorseman.net  Wed Dec 11 09:35:12 2013
Message-ID: <52A8A245.9070408@fifthhorseman.net>
Date: Wed, 11 Dec 2013 12:35:01 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>,  "therightkey@ietf.org" <therightkey@ietf.org>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="kr88R0xFXhng9MBRSOR3lAHKkLlhJkqID"
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 12/11/2013 11:55 AM, Ben Laurie wrote:
> "Problem statement: many Internet protocols require a mapping between
> some kind of identifier and some kind of key, for example, HTTPS,
> SMTPS, IPSec, DNSSEC and OpenPGP.
>
> These protocols rely on either ad-hoc mappings, or on authorities
> which attest to the mappings.
>
>
> History shows that neither of these mechanisms is entirely
> satisfactory. Ad-hoc mappings are difficult to discover and maintain,
> and authorities make mistakes or are subverted.
>
>
> Cryptographically verifiable logs can help to ameliorate the problems
> by making it possible to discover and rectify errors before they can
> cause harm.
>
>
> These logs can also assist with other interesting problems, such as
> how to assure end users that software they are running is, indeed, the
> software they intend to run.
>
>
> Work items: Specify a standards-track mechanism to apply verifiable
> logs to HTTP/TLS (i.e. RFC 6962-bis).
>
>
> Discuss mechanisms and techniques that allow cryptographically
> verifiable logs to be deployed to improve the security of protocols
> and software distribution. Where such mechanisms appear sufficiently
> useful, the WG will re-charter to add relevant new work items."

I'm interested.  I think this has strong potential for improved
authenticity on the 'net (and improved confidentiality follows from that).

However, I'm also concerned that cryptographically-verifiable global
logs create an enumeration concern for the space that they log.  This is
similar in some ways to the issues raised around DNSSEC's NSEC (and not
particularly effectively addressed by NSEC3).  Enumerability like this
is potentially a major table of metadata that could potentially be abused.

I'd appreciate it if any Transparency Working Group explicitly tries to
address concerns around enumerability.

Thanks for taking point on this, Ben.

Regards,

	--dkg


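The following is an added example, not part of the message above or of anything posted to the list. It sketches the Merkle tree hashing and audit path check of RFC 6962 over constructed hostnames (an assumption: real log leaves are structured certificate entries, not bare names), to show why the enumerability concern applies to whoever reads the full entry list, while checking that one entry is in the log needs only that entry, its audit path and the tree head.

```python
import hashlib

# Constructed sample entries: hostnames standing in for logged certificates.
ENTRIES = [
    b"www.example.com",
    b"mail.example.com",
    b"vpn.internal.example.com",
    b"staging.example.net",
    b"shop.example.org",
]


def leaf_hash(entry):
    # RFC 6962 domain separation: leaves are hashed with a 0x00 prefix.
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left, right):
    # Interior nodes are hashed with a 0x01 prefix.
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n):
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries):
    """Merkle Tree Hash of an ordered list of entries."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = split_point(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def audit_path(index, entries):
    """Sibling hashes from the leaf at `index` up to the root (log side)."""
    n = len(entries)
    if not 0 <= index < n:
        raise IndexError("leaf index outside the tree")
    if n == 1:
        return []
    k = split_point(n)
    if index < k:
        return audit_path(index, entries[:k]) + [tree_hash(entries[k:])]
    return audit_path(index - k, entries[k:]) + [tree_hash(entries[:k])]


def root_from_path(leaf, index, size, path):
    """Recompute the root from one leaf hash and its audit path."""
    if size == 1:
        if path:
            raise ValueError("audit path too long")
        return leaf
    if not path:
        raise ValueError("audit path too short")
    k = split_point(size)
    sibling = path[-1]
    if index < k:
        return node_hash(root_from_path(leaf, index, k, path[:-1]), sibling)
    return node_hash(sibling,
                     root_from_path(leaf, index - k, size - k, path[:-1]))


def verify_inclusion(entry, index, size, path, root):
    """Auditor side: sees one entry and a few hashes, no other names."""
    if not 0 <= index < size:
        return False
    try:
        return root_from_path(leaf_hash(entry), index, size, path) == root
    except ValueError:
        return False


def monitor_view(entries):
    """Monitor side: a party that downloads every entry learns every name."""
    return sorted(e.decode() for e in entries)


if __name__ == "__main__":
    root = tree_hash(ENTRIES)
    path = audit_path(3, ENTRIES)
    print("root:", root.hex())
    print("proof hashes needed for entry 3:", len(path))
    print("included:", verify_inclusion(ENTRIES[3], 3, len(ENTRIES), path, root))
    print("names visible to a full-log reader:", monitor_view(ENTRIES))
```

The audit path carries only hashes, so the verifier of a single entry does not learn the other names; the enumeration exposure comes from the log publishing its entries in full.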

From jason_livingood@cable.comcast.com  Wed Dec 11 09:45:29 2013
From: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Ben Laurie <benl@google.com>,  "therightkey@ietf.org" <therightkey@ietf.org>
Thread-Topic: [therightkey] Draft charter for a Transparency Working Group
Thread-Index: AQHO9pHEKt3E69RZxEmGP9vf1l32hZpPkimA//+yKgA=
Date: Wed, 11 Dec 2013 17:44:26 +0000
Message-ID: <10229F86C86EB444898E629583FD4171EDEAB12A@PACDCEXMB06.cable.comcast.com>
In-Reply-To: <52A89F9F.70604@cs.tcd.ie>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

I totally understand the problem statement. But what concrete things can
you enumerate as goals/output of the WG?


Jason

On 12/11/13, 12:23 PM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:

>
>Thanks Ben,
>
>So folks know what we're thinking and in case all the
>process gibberish isn't clear to you all...
>
>Sean and I like the idea of doing this, and the more that
>it seems to get broader support, the more we'll like it.
>
>Since there was already a BoF on this back at IETF-85 [1]
>that concluded this was work that's relevant to do in
>the IETF, we're thinking that if a crisp enough charter
>can be crafted on this list then this wouldn't need another
>BoF but would be ok to just be pushed into the IESG/IETF
>approval process.
>
>What that means is that when Sean and I think we have a
>good enough charter draft, then we'll put that into the
>datatracker and the IESG will do an IESG-internal review
>to decide if it's ready to be sent out for IETF review.
>If/when the IESG are ok with that going for IETF-wide
>review then a mail will go to the IETF discuss list so's
>anyone can comment on the proposed new WG. Then the IESG
>get to look at it again, and any comments we've gotten,
>and approve the new WG or not. Charter text tweaks can
>be expected at each stage.
>
>All going well, that could result in a new WG for this
>being formed early in the new year, before IETF-89
>with the WG having a first f2f meeting there presumably.
>
>So please comment on Ben's text and the above with that
>in mind. I assume Ben will hold the pen on draft charter
>text and update that as comments are received.
>
>And please use this list for now, since this is the
>one we used for RFC 6962 so probably has the right
>people. When/if we form a WG we can make a new list
>or use this one if folks prefer that.
>
>Thanks,
>S.
>
>[1] http://www.ietf.org/proceedings/85/certrans.html
>
>On 12/11/2013 04:55 PM, Ben Laurie wrote:
>> Who's in?
>>
>> "Problem statement: many Internet protocols require a mapping between
>> some kind of identifier and some kind of key, for example, HTTPS,
>> SMTPS, IPSec, DNSSEC and OpenPGP.
>>
>> These protocols rely on either ad-hoc mappings, or on authorities
>> which attest to the mappings.
>>
>>
>> History shows that neither of these mechanisms is entirely
>> satisfactory. Ad-hoc mappings are difficult to discover and maintain,
>> and authorities make mistakes or are subverted.
>>
>>
>> Cryptographically verifiable logs can help to ameliorate the problems
>> by making it possible to discover and rectify errors before they can
>> cause harm.
>>
>>
>> These logs can also assist with other interesting problems, such as
>> how to assure end users that software they are running is, indeed, the
>> software they intend to run.
>>
>>
>> Work items: Specify a standards-track mechanism to apply verifiable
>> logs to HTTP/TLS (i.e. RFC 6962-bis).
>>
>>
>> Discuss mechanisms and techniques that allow cryptographically
>> verifiable logs to be deployed to improve the security of protocols
>> and software distribution. Where such mechanisms appear sufficiently
>> useful, the WG will re-charter to add relevant new work items."


From paul@nohats.ca  Wed Dec 11 09:52:28 2013
Date: Wed, 11 Dec 2013 12:52:19 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Ben Laurie <benl@google.com>
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
Message-ID: <alpine.LFD.2.10.1312111248560.4894@bofh.nohats.ca>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On Wed, 11 Dec 2013, Ben Laurie wrote:

> Who's in?

Yes, but...

> "Problem statement: many Internet protocols require a mapping between
> some kind of identifier and some kind of key, for example, HTTPS,
> SMTPS, IPSec, DNSSEC and OpenPGP.

This is protocol agnostic (good!)

> Work items: Specify a standards-track mechanism to apply verifiable
> logs to HTTP/TLS (i.e. RFC 6962-bis).

This is not. I'd prefer to work towards a more generic
method or infrastructure, but I assume the work item is
just an example and not a limitation of the charter.

Paul

From benl@google.com  Wed Dec 11 10:23:41 2013
MIME-Version: 1.0
In-Reply-To: <CAMm+LwgzdivkiX-g+a4CBefTx=MCgMd17X1nM3x8R6fqt1bnnA@mail.gmail.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <CAMm+LwgzdivkiX-g+a4CBefTx=MCgMd17X1nM3x8R6fqt1bnnA@mail.gmail.com>
Date: Wed, 11 Dec 2013 18:23:34 +0000
Message-ID: <CABrd9SS14WjMzRhVJNaqy4eaeMFisub0y2A=Dx9eHUone2BuTA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 11 December 2013 17:25, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> IRTF or IETF?
>
> Do we build on existing legacy proposals or write new stuff?
>
> I think there are two separate or at least separable pieces of
> infrastructure needed. One is a transparent timestamp notary infrastructure
> and the other is transparency mechanisms that make use of said notary
> infrastructure.
>
> The need to revisit the first comes from the expiry of the Harber &
> Stornetta patents. I think we should have such a facility as a general Web
> facility. We can build an infrastructure that prevents defection without
> collusion by every notary and archive using existing technology.
>
>
> Applying the mechanisms to TLS might be done at different levels with
> different deployment impacts. Deploying in EE certs is much harder than
> deploying in cert signing certs. But the latter would provide most of the
> benefit by blocking MITM certs.
>
> I am looking at SMTP and the approach is very obviously research at this
> point.

I think this is well covered by "Discuss mechanisms and techniques
that allow cryptographically verifiable logs to be deployed to improve
the security of protocols and software distribution. Where such
mechanisms appear sufficiently useful, the WG will re-charter to add
relevant new work items."

From benl@google.com  Wed Dec 11 10:28:00 2013
MIME-Version: 1.0
In-Reply-To: <52A8A245.9070408@fifthhorseman.net>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <52A8A245.9070408@fifthhorseman.net>
Date: Wed, 11 Dec 2013 18:27:52 +0000
Message-ID: <CABrd9SRogtDpxfC65SU+vF4fopoy7fHbdeneTJ_jLjvO+UBE+Q@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 11 December 2013 17:35, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> I'm interested.  I think this has strong potential for improved
> authenticity on the 'net (and improved confidentiality follows from that).
>
> However, I'm also concerned that cryptographically-verifiable global
> logs create an enumeration concern for the space that they log.  This is
> similar in some ways to the issues raised around DNSSEC's NSEC (and not
> particularly effectively addressed by NSEC3).  Enumerability like this
> is potentially a major table of metadata that could potentially be abused.

Agreed, at least for some protocols. I think this area has already
been well thrashed out for HTTPS certificates, the initial target,
which are _mostly_ public. It seems we have good mechanisms in place
for those who want public CAs to issue private certificates, too (that
is, name-constrained intermediates).

> I'd appreciate it if any Transparency Working Group explicitly tries to
> address concerns around enumerability.

This is a _hard problem_, and verifiable logs suffer from the same
limitations that NSEC3 does, at least as currently envisaged.
Mechanisms akin to name constraints can perhaps go some way towards
addressing this issue in general, but the general problem I have no
idea how to solve. But it would seem to be on-topic for the general
case.

Possibly we have to admit we have no such mechanism for namespaces we
want to be non-enumerable.

From benl@google.com  Wed Dec 11 10:29:17 2013
MIME-Version: 1.0
In-Reply-To: <10229F86C86EB444898E629583FD4171EDEAB12A@PACDCEXMB06.cable.comcast.com>
References: <52A89F9F.70604@cs.tcd.ie> <10229F86C86EB444898E629583FD4171EDEAB12A@PACDCEXMB06.cable.comcast.com>
Date: Wed, 11 Dec 2013 18:29:09 +0000
Message-ID: <CABrd9SRhqCfH8GNu7Z-+_6ZSkRSyj7v+=qM+orYZLmJpsqq5OQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 11 December 2013 17:44, Livingood, Jason
<Jason_Livingood@cable.comcast.com> wrote:
> I totally understand the problem statement. But what concrete things can
> you enumerate as goals/output of the WG?

I already did enumerate the one current output: RFC 6962-bis.

Other interesting targets include DNSSEC transparency, email-to-key
mappings and binary transparency. All implicitly already in the
charter.

>
>
> Jason
>
> On 12/11/13, 12:23 PM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:
>
>>
>>Thanks Ben,
>>
>>So folks know what we're thinking and in case all the
>>process gibberish isn't clear to you all...
>>
>>Sean and I like the idea of doing this, and the more that
>>it seems to get broader support, the more we'll like it.
>>
>>Since there was already a BoF on this back at IETF-85 [1]
>>that concluded this was work that's relevant to do in
>>the IETF, we're thinking that if a crisp enough charter
>>can be crafted on this list then this wouldn't need another
>>BoF but would be ok to just be pushed into the IESG/IETF
>>approval process.
>>
>>What that means is that when Sean and I think we have a
>>good enough charter draft, then we'll put that into the
>>datatracker and the IESG will do an IESG-internal review
>>to decide if it's ready to be sent out for IETF review.
>>If/when the IESG are ok with that going for IETF-wide
>>review then a mail will go to the IETF discuss list so's
>>anyone can comment on the proposed new WG. Then the IESG
>>get to look at it again, and any comments we've gotten,
>>and approve the new WG or not. Charter text tweaks can
>>be expected at each stage.
>>
>>All going well, that could result in a new WG for this
>>being formed early in the new year, before IETF-89
>>with the WG having a first f2f meeting there presumably.
>>
>>So please comment on Ben's text and the above with that
>>in mind. I assume Ben will hold the pen on draft charter
>>text and update that as comments are received.
>>
>>And please use this list for now, since this is the
>>one we used for RFC 6962 so probably has the right
>>people. When/if we form a WG we can make a new list
>>or use this one if folks prefer that.
>>
>>Thanks,
>>S.
>>
>>[1] http://www.ietf.org/proceedings/85/certrans.html
>>
>>On 12/11/2013 04:55 PM, Ben Laurie wrote:
>>> Who's in?
>>>
>>> "Problem statement: many Internet protocols require a mapping between
>>> some kind of identifier and some kind of key, for example, HTTPS,
>>> SMTPS, IPSec, DNSSEC and OpenPGP.
>>>
>>> These protocols rely on either ad-hoc mappings, or on authorities
>>> which attest to the mappings.
>>>
>>>
>>> History shows that neither of these mechanisms is entirely
>>> satisfactory. Ad-hoc mappings are difficult to discover and maintain,
>>> and authorities make mistakes or are subverted.
>>>
>>>
>>> Cryptographically verifiable logs can help to ameliorate the problems
>>> by making it possible to discover and rectify errors before they can
>>> cause harm.
>>>
>>>
>>> These logs can also assist with other interesting problems, such as
>>> how to assure end users that software they are running is, indeed, the
>>> software they intend to run.
>>>
>>>
>>> Work items: Specify a standards-track mechanism to apply verifiable
>>> logs to HTTP/TLS (i.e. RFC 6962-bis).
>>>
>>>
>>> Discuss mechanisms and techniques that allow cryptographically
>>> verifiable logs to be deployed to improve the security of protocols
>>> and software distribution. Where such mechanisms appear sufficiently
>>> useful, the WG will re-charter to add relevant new work items."

From benl@google.com  Wed Dec 11 10:30:25 2013
MIME-Version: 1.0
In-Reply-To: <alpine.LFD.2.10.1312111248560.4894@bofh.nohats.ca>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <alpine.LFD.2.10.1312111248560.4894@bofh.nohats.ca>
Date: Wed, 11 Dec 2013 18:30:18 +0000
Message-ID: <CABrd9SRs1PP2O4KJaq6zpdxAsR-7JpVMK_gwh8RXnLfwgQA+-w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 11 December 2013 17:52, Paul Wouters <paul@nohats.ca> wrote:
> On Wed, 11 Dec 2013, Ben Laurie wrote:
>
>> Who's in?
>
>
> Yes, but...
>
>
>> "Problem statement: many Internet protocols require a mapping between
>> some kind of identifier and some kind of key, for example, HTTPS,
>> SMTPS, IPSec, DNSSEC and OpenPGP.
>
>
> This is protocol agnostic (good!)
>
>
>> Work items: Specify a standards-track mechanism to apply verifiable
>> logs to HTTP/TLS (i.e. RFC 6962-bis).
>
>
> This is not. I'd prefer to work towards a more generic
> method or infrastructure, but I assume the work item is
> just an example and not a limitation of the charter.

As the charter suggests, we will re-charter to include such things, as
they appear to become viable.

I am _very_ keen to come up with more generic mechanisms.

But I also have an urgent problem to solve.

They are not mutually exclusive.

From leifj@mnt.se  Wed Dec 11 12:39:42 2013
Message-ID: <52A8CD83.1080503@mnt.se>
Date: Wed, 11 Dec 2013 21:39:31 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: therightkey@ietf.org
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 12/11/2013 05:55 PM, Ben Laurie wrote:
> Who's in?
>
yep


From leifj@mnt.se  Wed Dec 11 12:59:42 2013
Message-ID: <52A8D234.1070303@mnt.se>
Date: Wed, 11 Dec 2013 21:59:32 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: therightkey@ietf.org
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <alpine.LFD.2.10.1312111248560.4894@bofh.nohats.ca> <CABrd9SRs1PP2O4KJaq6zpdxAsR-7JpVMK_gwh8RXnLfwgQA+-w@mail.gmail.com>
In-Reply-To: <CABrd9SRs1PP2O4KJaq6zpdxAsR-7JpVMK_gwh8RXnLfwgQA+-w@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

> As the charter suggests, we will re-charter to include such things, as
> they appear to become viable.
>
> I am _very_ keen to come up with more generic mechanisms.
>
> But I also have an urgent problem to solve.
>
> They are not mutually exclusive.
>
So there are various other "public ledger" projects out there, all based
on organic, locally sourced Merkle trees. We should probably make some
effort to reach out to these communities.

        Cheers Leif

From hallam@gmail.com  Wed Dec 11 13:43:43 2013
MIME-Version: 1.0
In-Reply-To: <CABrd9SRhqCfH8GNu7Z-+_6ZSkRSyj7v+=qM+orYZLmJpsqq5OQ@mail.gmail.com>
References: <52A89F9F.70604@cs.tcd.ie> <10229F86C86EB444898E629583FD4171EDEAB12A@PACDCEXMB06.cable.comcast.com> <CABrd9SRhqCfH8GNu7Z-+_6ZSkRSyj7v+=qM+orYZLmJpsqq5OQ@mail.gmail.com>
Date: Wed, 11 Dec 2013 16:43:34 -0500
Message-ID: <CAMm+LwjL4Uq2rfbAd9f6a05tv6eJfC+qyT1GP2TqTQ6oG_+Rtg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Ben Laurie <benl@google.com>
Content-Type: multipart/alternative; boundary=90e6ba475e4bf9c6d604ed491efd
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, "Livingood, Jason" <Jason_Livingood@cable.comcast.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

--90e6ba475e4bf9c6d604ed491efd
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Dec 11, 2013 at 1:29 PM, Ben Laurie <benl@google.com> wrote:

> On 11 December 2013 17:44, Livingood, Jason
> <Jason_Livingood@cable.comcast.com> wrote:
> > I totally understand the problem statement. But what concrete things can
> > you enumerate as goals/output of the WG?
>
> I already did enumerate the one current output: RFC 6962-bis.
>
> Other interesting targets include DNSSEC transparency, email-to-key
> mappings and binary transparency. All implicitly already in the
> charter.


I am currently working on an email scheme that is intended to consume such
a service.

The big difference as I see it is that with TLS we only have the
transparency issue to work on. In email we have a big functionality gap in
S/MIME which is the lack of a viable key discovery infrastructure. We have
plenty of proposals but nothing got done.


If we are going to do transparency in that sphere we should look at the two
problems together since any transparency infrastructure is potentially a
solution to the discovery problem.

If I can ask the transparency infrastructure if someone else has registered
a key for hallam@gmail.com to see if someone is impersonating me, then
someone who is trying to send me an email can ask the same infrastructure
what keys are registered for me.


The other big difference is in latency. Email is store and forward. The
issues that motivate putting transparency statements inside the certs in
SSL do not apply.



-- 
Website: http://hallambaker.com/


--90e6ba475e4bf9c6d604ed491efd--

From warren@kumari.net  Wed Dec 11 14:10:01 2013
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <CABrd9SRhqCfH8GNu7Z-+_6ZSkRSyj7v+=qM+orYZLmJpsqq5OQ@mail.gmail.com>
Date: Wed, 11 Dec 2013 17:09:51 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <937401BC-9270-45D9-AD3E-FC7656439C14@kumari.net>
References: <52A89F9F.70604@cs.tcd.ie> <10229F86C86EB444898E629583FD4171EDEAB12A@PACDCEXMB06.cable.comcast.com> <CABrd9SRhqCfH8GNu7Z-+_6ZSkRSyj7v+=qM+orYZLmJpsqq5OQ@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.1822)
Cc: Jason Livingood <Jason_Livingood@cable.comcast.com>, "therightkey@ietf.org" <therightkey@ietf.org>, Warren Kumari <warren@kumari.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On Dec 11, 2013, at 1:29 PM, Ben Laurie <benl@google.com> wrote:

> On 11 December 2013 17:44, Livingood, Jason
> <Jason_Livingood@cable.comcast.com> wrote:
>> I totally understand the problem statement. But what concrete things can
>> you enumerate as goals/output of the WG?
>
> I already did enumerate the one current output: RFC 6962-bis.
>
> Other interesting targets include DNSSEC transparency, email-to-key
> mappings and binary transparency. All implicitly already in the
> charter.
>

I’m in — I think that there is still much work / firming up the “charter” needed, but the effort seems useful and needed.
W

>>
>>
>> Jason
>>
>> On 12/11/13, 12:23 PM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:
>>
>>>
>>> Thanks Ben,
>>>
>>> So folks know what we're thinking and in case all the
>>> process gibberish isn't clear to you all...
>>>
>>> Sean and I like the idea of doing this, and the more that
>>> it seems to get broader support, the more we'll like it.
>>>
>>> Since there was already a BoF on this back at IETF-85 [1]
>>> that concluded this was work that's relevant to do in
>>> the IETF, we're thinking that if a crisp enough charter
>>> can be crafted on this list then this wouldn't need another
>>> BoF but would be ok to just be pushed into the IESG/IETF
>>> approval process.
>>>
>>> What that means is that when Sean and I think we have a
>>> good enough charter draft, then we'll put that into the
>>> datatracker and the IESG will do an IESG-internal review
>>> to decide if its ready to be sent out for IETF review.
>>> If/when the IESG are ok with that going for IETF-wide
>>> review then a mail will go to the IETF discuss list so's
>>> anyone can comment on the proposed new WG. Then the IESG
>>> get to look at it again, and any comments we've gotten,
>>> and approve the new WG or not. Charter text tweaks can
>>> be expected at each stage.
>>>
>>> All going well, that could result in a new WG for this
>>> being formed early in the new year, before IETF-89
>>> with the WG having a first f2f meeting there presumably.
>>>
>>> So please comment on Ben's text and the above with that
>>> in mind. I assume Ben will hold the pen on draft charter
>>> text and update that as comments are received.
>>>
>>> And please use this list for now, since this is the
>>> one we used for RFC 6962 so probably has the right
>>> people. When/if we form a WG we can make a new list
>>> or use this one if folks prefer that.
>>>
>>> Thanks,
>>> S.
>>>
>>> [1] http://www.ietf.org/proceedings/85/certrans.html
>>>
>>> On 12/11/2013 04:55 PM, Ben Laurie wrote:
>>>> Who's in?
>>>>
>>>> "Problem statement: many Internet protocols require a mapping between
>>>> some kind of identifier and some kind of key, for example, HTTPS,
>>>> SMTPS, IPSec, DNSSEC and OpenPGP.
>>>>
>>>> These protocols rely on either ad-hoc mappings, or on authorities
>>>> which attest to the mappings.
>>>>
>>>>
>>>> History shows that neither of these mechanisms is entirely
>>>> satisfactory. Ad-hoc mappings are difficult to discover and maintain,
>>>> and authorities make mistakes or are subverted.
>>>>
>>>>
>>>> Cryptographically verifiable logs can help to ameliorate the problems
>>>> by making it possible to discover and rectify errors before they can
>>>> cause harm.
>>>>
>>>>
>>>> These logs can also assist with other interesting problems, such as
>>>> how to assure end users that software they are running is, indeed, the
>>>> software they intend to run.
>>>>
>>>>
>>>> Work items: Specify a standards-track mechanism to apply verifiable
>>>> logs to HTTP/TLS (i.e. RFC 6962-bis).
>>>>
>>>>
>>>> Discuss mechanisms and techniques that allow cryptographically
>>>> verifiable logs to be deployed to improve the security of protocols
>>>> and software distribution. Where such mechanisms appear sufficiently
>>>> useful, the WG will re-charter to add relevant new work items."

-- 
Do not meddle in the affairs of wizards, for they are subtle and quick to anger.
    -- J.R.R. Tolkien



From lynch@isoc.org  Wed Dec 11 14:18:52 2013
Date: Wed, 11 Dec 2013 14:18:22 -0800 (PST)
From: Lucy Lynch <lynch@isoc.org>
X-X-Sender: llynch@hiroshima.bogus.com
To: Warren Kumari <warren@kumari.net>
In-Reply-To: <937401BC-9270-45D9-AD3E-FC7656439C14@kumari.net>
Message-ID: <alpine.BSF.2.00.1312111418040.21206@hiroshima.bogus.com>
References: <52A89F9F.70604@cs.tcd.ie> <10229F86C86EB444898E629583FD4171EDEAB12A@PACDCEXMB06.cable.comcast.com> <CABrd9SRhqCfH8GNu7Z-+_6ZSkRSyj7v+=qM+orYZLmJpsqq5OQ@mail.gmail.com> <937401BC-9270-45D9-AD3E-FC7656439C14@kumari.net>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
X-Mailman-Approved-At: Wed, 11 Dec 2013 14:19:39 -0800
Cc: Jason Livingood <Jason_Livingood@cable.comcast.com>, "therightkey@ietf.org" <therightkey@ietf.org>, Ben Laurie <benl@google.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On Wed, 11 Dec 2013, Warren Kumari wrote:

>
> On Dec 11, 2013, at 1:29 PM, Ben Laurie <benl@google.com> wrote:
>
>> On 11 December 2013 17:44, Livingood, Jason
>> <Jason_Livingood@cable.comcast.com> wrote:
>>> I totally understand the problem statement. But what concrete things can
>>> you enumerate as goals/output of the WG?
>>
>> I already did enumerate the one current output: RFC 6962-bis.
>>
>> Other interesting targets include DNSSEC transparency, email-to-key
>> mappings and binary transparency. All implicitly already in the
>> charter.
>>
>
> I’m in — I think that there is still much work / firming up the “charter” needed, but the effort seems useful and needed.
> W

Count me in as well -

Lucy


From llynch@civil-tongue.net  Wed Dec 11 14:28:47 2013
Date: Wed, 11 Dec 2013 14:27:42 -0800 (PST)
From: Lucy Lynch <llynch@civil-tongue.net>
X-X-Sender: llynch@hiroshima.bogus.com
To: Warren Kumari <warren@kumari.net>
In-Reply-To: <937401BC-9270-45D9-AD3E-FC7656439C14@kumari.net>
Message-ID: <alpine.BSF.2.00.1312111427190.21206@hiroshima.bogus.com>
References: <52A89F9F.70604@cs.tcd.ie> <10229F86C86EB444898E629583FD4171EDEAB12A@PACDCEXMB06.cable.comcast.com> <CABrd9SRhqCfH8GNu7Z-+_6ZSkRSyj7v+=qM+orYZLmJpsqq5OQ@mail.gmail.com> <937401BC-9270-45D9-AD3E-FC7656439C14@kumari.net>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
Cc: Jason Livingood <Jason_Livingood@cable.comcast.com>, "therightkey@ietf.org" <therightkey@ietf.org>, Ben Laurie <benl@google.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On Wed, 11 Dec 2013, Warren Kumari wrote:

>
> On Dec 11, 2013, at 1:29 PM, Ben Laurie <benl@google.com> wrote:
>
>> On 11 December 2013 17:44, Livingood, Jason
>> <Jason_Livingood@cable.comcast.com> wrote:
>>> I totally understand the problem statement. But what concrete things can
>>> you enumerate as goals/output of the WG?
>>
>> I already did enumerate the one current output: RFC 6962-bis.
>>
>> Other interesting targets include DNSSEC transparency, email-to-key
>> mappings and binary transparency. All implicitly already in the
>> charter.
>>
>
> I’m in — I think that there is still much work / firming up the
> “charter” needed, but the effort seems useful and needed.

count me in as well

- Lucy

> W
>

From hallam@gmail.com  Wed Dec 11 15:02:20 2013
MIME-Version: 1.0
In-Reply-To: <CAMm+LwjNXpszKMqXr231Vti=pfwYn98Fgmuv1T5M__nhGmZHQw@mail.gmail.com>
References: <CABrd9STYF166vXEXNneJfPyfo5VG3LPKmzyZpAhvYnDTsy_U9g@mail.gmail.com> <52A8B1D0.2080304@dcrocker.net> <CABrd9SS9FGsm-waznAHeMr33XzprhRF=DXVjknyL-7bOyArAxg@mail.gmail.com> <CAMm+LwjNXpszKMqXr231Vti=pfwYn98Fgmuv1T5M__nhGmZHQw@mail.gmail.com>
Date: Wed, 11 Dec 2013 18:02:11 -0500
Message-ID: <CAMm+LwgH7ah8PaCi1Aaadv86HsG927sOY4bhu8oBcMTLDTYcvQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "therightkey@ietf.org" <therightkey@ietf.org>
Content-Type: multipart/alternative; boundary=90e6ba475e4b1f24c504ed4a38c0
Subject: [therightkey] Fwd: [perpass] Draft charter for a Transparency Working Group

--90e6ba475e4b1f24c504ed4a38c0
Content-Type: text/plain; charset=ISO-8859-1

---------- Forwarded message ----------
From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Wed, Dec 11, 2013 at 4:50 PM
Subject: Re: [perpass] Draft charter for a Transparency Working Group
To: Ben Laurie <benl@google.com>
Cc: Dave Crocker <dcrocker@bbiw.net>, perpass <perpass@ietf.org>, "saag@ietf.org" <saag@ietf.org>

On Wed, Dec 11, 2013 at 1:52 PM, Ben Laurie <benl@google.com> wrote:

> On 11 December 2013 18:41, Dave Crocker <dhc@dcrocker.net> wrote:
> > On 12/11/2013 10:32 AM, Ben Laurie wrote:
> >>
> >> http://www.ietf.org/mail-archive/web/therightkey/current/msg00680.html
> >
> >
> >
> > The text isn't a draft charter.  It's a very generic statement of an idea.
> > Formulating that into the detail an actual charter will be helpful.
> >
> > The text needs to give some explanation of what is being proposed, beyond a
> > highly cryptic label like "Cryptographically verifiable logs".  A term like
> > that could mean many things and from the message, I can't tell what is
> > meant.
> >
> > The text needs to explain what sort of usage scenario is expected, with
> > enough detail to make the scenario substantive.  That permits the reader to
> > get a sense of basic/likely relevance to operational environments.
>
> Am I allowed to refer to RFC 6962 for background?
>
> Reiterating what's in there doesn't seem useful.


Well how far do we want the group to be allowed to stray from RFC 6962?

One approach would be to divide the problem up into two parts:

* An append only log that provides a cryptographic assurance of integrity
that is independent of the trustworthiness of the log maintainer from the
time of the last checkpoint.

* Application of the above to the specific use cases

Initial use cases that the WG agreed to deliver might be

* PKIX certificate signing certificates
* PKIX TLS end entity certificates

Use cases that are in scope but without a delivery undertaking might be
OpenPGP, S/MIME, etc.




-- 
Website: http://hallambaker.com/

--90e6ba475e4b1f24c504ed4a38c0--

From paul@marvell.com  Wed Dec 11 17:32:33 2013
From: Paul Lambert <paul@marvell.com>
To: Ben Laurie <benl@google.com>, "therightkey@ietf.org" <therightkey@ietf.org>
Date: Wed, 11 Dec 2013 17:32:18 -0800
Message-ID: <CECE51D6.29F5B%paul@marvell.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 12/11/13, 8:55 AM, "Ben Laurie" <benl@google.com> wrote:

>Who's in?
Very cool concept ... very broad possible applications.
Less interested in HTTPS/TLS, but many applications.

Paul


>
>"Problem statement: many Internet protocols require a mapping between
>some kind of identifier and some kind of key, for example, HTTPS,
>SMTPS, IPSec, DNSSEC and OpenPGP.
>
>These protocols rely on either ad-hoc mappings, or on authorities
>which attest to the mappings.
>
>
>History shows that neither of these mechanisms is entirely
>satisfactory. Ad-hoc mappings are difficult to discover and maintain,
>and authorities make mistakes or are subverted.
>
>
>Cryptographically verifiable logs can help to ameliorate the problems
>by making it possible to discover and rectify errors before they can
>cause harm.
>
>
>These logs can also assist with other interesting problems, such as
>how to assure end users that software they are running is, indeed, the
>software they intend to run.
>
>
>Work items: Specify a standards-track mechanism to apply verifiable
>logs to HTTP/TLS (i.e. RFC 6962-bis).
>
>
>Discuss mechanisms and techniques that allow cryptographically
>verifiable logs to be deployed to improve the security of protocols
>and software distribution. Where such mechanisms appear sufficiently
>useful, the WG will re-charter to add relevant new work items."


From benl@google.com  Thu Dec 12 03:00:04 2013
MIME-Version: 1.0
In-Reply-To: <52A8E0E9.5020409@dcrocker.net>
References: <CABrd9STYF166vXEXNneJfPyfo5VG3LPKmzyZpAhvYnDTsy_U9g@mail.gmail.com> <52A8B1D0.2080304@dcrocker.net> <CABrd9SS9FGsm-waznAHeMr33XzprhRF=DXVjknyL-7bOyArAxg@mail.gmail.com> <CAMm+LwjNXpszKMqXr231Vti=pfwYn98Fgmuv1T5M__nhGmZHQw@mail.gmail.com> <CABrd9SSYnBRtecDSwUZUjvKJPLB+XX6Kk_9NHtQ=X-5jo4jGxQ@mail.gmail.com> <52A8E0E9.5020409@dcrocker.net>
Date: Thu, 12 Dec 2013 10:59:55 +0000
Message-ID: <CABrd9ST+CKNNHZ-jLd1=boeWUh-sjZf1WF5fmayCF7+DjnD65w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Dave Crocker <dcrocker@bbiw.net>, "therightkey@ietf.org" <therightkey@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Cc: perpass <perpass@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [therightkey] [perpass] Draft charter for a Transparency Working Group

[please include therightkey on replies]

On 11 December 2013 22:02, Dave Crocker <dhc@dcrocker.net> wrote:
> On 12/11/2013 1:56 PM, Ben Laurie wrote:
>>
>> Agree, I just want to be able to refer to 6962 for what
>> "cryptographically verifiable log" means.
>
>
>
> Being able to cite a doc that defines the term is always nice; so yes,
> please do cite freely.
>
> My own view is that charters need to have some pedagogy, since one goal of a
> charter is to explain the work to folk who might get involved (eventually).
> While a citation is formally sufficient, it's not the best pedagogy.  So I
> tend to prefer to have a charter be somewhat self-explanatory about its
> basic constructs, unless they are already very well established in industry.
>
> In this case, I think what you mean is /not/ obvious to a reader who is not
> already immersed in the topic.  So some sort of superficial explanation
> would help, with the citation pointing the reader to the deeper discussion.

How about this footnote?

"A cryptographically verifiable log is an append-only log of hashes of
more-or-less anything that can prove its own correctness
cryptographically. See RFC 6962,
http://www.links.org/files/CertificateTransparencyVersion2.1a.pdf and
http://www.links.org/files/RevocationTransparency.pdf for background."
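
The footnote above describes a log that "can prove its own correctness cryptographically", and an earlier message in this thread asks for integrity that does not depend on the log maintainer after the last checkpoint. As an added illustration (not part of any message in this thread and not the RFC authors' code), the following builds the RFC 6962 Merkle tree and checks a consistency proof between a saved checkpoint and a later tree head; the verification loop follows the procedure given in RFC 9162, and the entry values and function names are constructed for the example.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def mth(entries):
    """Merkle Tree Hash over a list of byte strings (RFC 6962, section 2.1)."""
    n = len(entries)
    if n == 0:
        return _h(b"")
    if n == 1:
        return _h(b"\x00" + entries[0])  # leaf hashes are prefixed with 0x00
    k = _split(n)
    # interior nodes are prefixed with 0x01
    return _h(b"\x01" + mth(entries[:k]) + mth(entries[k:]))


def consistency_proof(m, entries, whole=True):
    """PROOF(m, D[n]) of RFC 6962: nodes linking the size-m tree to this one."""
    n = len(entries)
    if not 0 < m <= n:
        raise ValueError("need 0 < m <= len(entries)")
    if m == n:
        return [] if whole else [mth(entries)]
    k = _split(n)
    if m <= k:
        return consistency_proof(m, entries[:k], whole) + [mth(entries[k:])]
    return consistency_proof(m - k, entries[k:], False) + [mth(entries[:k])]


def verify_consistency(first, second, first_root, second_root, proof):
    """True only if the size-`second` tree extends the size-`first` tree."""
    if not 0 < first <= second:
        return False
    if first == second:
        return not proof and first_root == second_root
    if not proof:
        return False
    path = list(proof)
    if first & (first - 1) == 0:      # first is an exact power of two
        path.insert(0, first_root)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn >>= 1
        sn >>= 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr = _h(b"\x01" + c + fr)
            sr = _h(b"\x01" + c + sr)
            while fn and not fn & 1:
                fn >>= 1
                sn >>= 1
        else:
            sr = _h(b"\x01" + sr + c)
        fn >>= 1
        sn >>= 1
    return fr == first_root and sr == second_root and sn == 0


def demo():
    # Constructed sample entries standing in for logged certificates.
    log = [b"entry-%d" % i for i in range(7)]
    size, root = 3, mth(log[:3])      # checkpoint the client saved earlier

    # Honest log: the first three entries are unchanged, four were appended.
    honest = verify_consistency(size, len(log), root, mth(log),
                                consistency_proof(size, log))

    # The maintainer rewrites an entry the checkpoint already covered.
    forged = list(log)
    forged[1] = b"entry-1-rewritten"
    rewritten = verify_consistency(size, len(forged), root, mth(forged),
                                   consistency_proof(size, forged))
    return honest, rewritten


if __name__ == "__main__":
    print(demo())
```

The check only establishes that the newer tree extends the older one; RFC 6962 pairs it with signed tree heads so that the roots being compared are attributable to the log.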

From benl@google.com  Thu Dec 12 03:09:27 2013
MIME-Version: 1.0
In-Reply-To: <52A8D234.1070303@mnt.se>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <alpine.LFD.2.10.1312111248560.4894@bofh.nohats.ca> <CABrd9SRs1PP2O4KJaq6zpdxAsR-7JpVMK_gwh8RXnLfwgQA+-w@mail.gmail.com> <52A8D234.1070303@mnt.se>
Date: Thu, 12 Dec 2013 11:09:19 +0000
Message-ID: <CABrd9STxw-jGLWEvUxJUCT4oSoG8oc_fMoBZ=yVtjwxf1PFtxQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Leif Johansson <leifj@mnt.se>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 11 December 2013 20:59, Leif Johansson <leifj@mnt.se> wrote:
>
>> As the charter suggests, we will re-charter to include such things, as
>> they appear to become viable.
>>
>> I am _very_ keen to come up with more generic mechanisms.
>>
>> But I also have an urgent problem to solve.
>>
>> They are not mutually exclusive.
>>
> So there are various other "public ledger" projects out there, all based
> on organic, locally sourced Merkle trees. We should probably make some
> effort to reach out to these communities.

Sure. Do you have a list?

From benl@google.com  Thu Dec 12 03:10:36 2013
MIME-Version: 1.0
In-Reply-To: <CECE51D6.29F5B%paul@marvell.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <CECE51D6.29F5B%paul@marvell.com>
Date: Thu, 12 Dec 2013 11:10:29 +0000
Message-ID: <CABrd9SRwkxWYV9L1iWsyCqzMYKAcpoeSRh+kG6MMMzZC0y8siw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Lambert <paul@marvell.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 12 December 2013 01:32, Paul Lambert <paul@marvell.com> wrote:
>
>
> On 12/11/13, 8:55 AM, "Ben Laurie" <benl@google.com> wrote:
>
>>Who's in?
> Very cool concept ... very broad possible applications.
> Less interested in HTTPS/TLS, but many applications.

Great - can you be more specific what interests you?

>
> Paul
>
>
>>
>>"Problem statement: many Internet protocols require a mapping between
>>some kind of identifier and some kind of key, for example, HTTPS,
>>SMTPS, IPSec, DNSSEC and OpenPGP.
>>
>>These protocols rely on either ad-hoc mappings, or on authorities
>>which attest to the mappings.
>>
>>
>>History shows that neither of these mechanisms is entirely
>>satisfactory. Ad-hoc mappings are difficult to discover and maintain,
>>and authorities make mistakes or are subverted.
>>
>>
>>Cryptographically verifiable logs can help to ameliorate the problems
>>by making it possible to discover and rectify errors before they can
>>cause harm.
>>
>>
>>These logs can also assist with other interesting problems, such as
>>how to assure end users that software they are running is, indeed, the
>>software they intend to run.
>>
>>
>>Work items: Specify a standards-track mechanism to apply verifiable
>>logs to HTTP/TLS (i.e. RFC 6962-bis).
>>
>>
>>Discuss mechanisms and techniques that allow cryptographically
>>verifiable logs to be deployed to improve the security of protocols
>>and software distribution. Where such mechanisms appear sufficiently
>>useful, the WG will re-charter to add relevant new work items."
>

From leifj@mnt.se  Thu Dec 12 04:11:41 2013
Message-ID: <52A9A7EB.9070101@mnt.se>
Date: Thu, 12 Dec 2013 13:11:23 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>	<alpine.LFD.2.10.1312111248560.4894@bofh.nohats.ca>	<CABrd9SRs1PP2O4KJaq6zpdxAsR-7JpVMK_gwh8RXnLfwgQA+-w@mail.gmail.com>	<52A8D234.1070303@mnt.se> <CABrd9STxw-jGLWEvUxJUCT4oSoG8oc_fMoBZ=yVtjwxf1PFtxQ@mail.gmail.com>
In-Reply-To: <CABrd9STxw-jGLWEvUxJUCT4oSoG8oc_fMoBZ=yVtjwxf1PFtxQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group

On 12/12/2013 12:09 PM, Ben Laurie wrote:
> On 11 December 2013 20:59, Leif Johansson <leifj@mnt.se> wrote:
>>> As the charter suggests, we will re-charter to include such things, as
>>> they appear to become viable.
>>>
>>> I am _very_ keen to come up with more generic mechanisms.
>>>
>>> But I also have an urgent problem to solve.
>>>
>>> They are not mutually exclusive.
>>>
>> So there are various other "public ledger" projects out there, all based
>> on organic, locally sourced Merkle trees. We should probably make some
>> effort to reach out to these communities.
> Sure. Do you have a list?
I'll dig

From stephen.farrell@cs.tcd.ie  Thu Dec 12 04:26:57 2013
Message-ID: <52A9AB84.6090609@cs.tcd.ie>
Date: Thu, 12 Dec 2013 12:26:44 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>,  "therightkey@ietf.org" <therightkey@ietf.org>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2013 12:26:57 -0000

Hi Ben,

I've a question.

On 12/11/2013 04:55 PM, Ben Laurie wrote:
> Work items: Specify a standards-track mechanism to apply verifiable
> logs to HTTP/TLS (i.e. RFC 6962-bis).
> 
> Discuss mechanisms and techniques that allow cryptographically
> verifiable logs to be deployed to improve the security of protocols
> and software distribution. Where such mechanisms appear sufficiently
> useful, the WG will re-charter to add relevant new work items."

I'd like to get a feel for how these work items
might be sequenced.

For the 2nd one, I assume the modus-operandi would
be for folks interested in transparency-for-X to
write up a personal draft, have that discussed on
the WG list and for stuff for which the WG achieve
consensus to re-charter to add new work items to
tackle transparency-for-X to the charter. That
seems fine to me. (And people can start writing
those today - the more that exists before the WG
would be chartered, the easier it'll all be.)

For the first one, I'm not clear as to whether
you intend to 1) first consider a set of
transparency-for-X proposals, re-charter and
to only then figure out how to re-factor 6962
into a set of standards-track RFCs, or

2) if you want to do the work of generating a
standards-track set of RFCs based on 6962 for
HTTP/TLS before the WG have considered a set
of transparency-for-X proposals.

Or maybe 3) you wanted that to emerge from
this chartering discussion.

Can you clarify? If (1) or (2) apply then it'd
probably be useful to include that explicitly
in the charter text. If (3) applies then I guess
you'd want to actively lead the discussion down
that path, which sort of seems to be happening
already.

And note I'm not asking here about the specific
set of RFCs as deliverables nor the timing of
those deliverables, just how the ordering of
HTTP/TLS vs. other stuff would happen at a
coarse-grained level. (Separately, it'd be good
to chat about what RFC deliverables are likely
to be wanted, but probably only after the
above is clear.)

Thanks,
S.

From paul@marvell.com  Thu Dec 12 06:39:19 2013
Return-Path: <paul@marvell.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD5731AE2F2 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 06:39:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.567
X-Spam-Level: 
X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvsJsUOHQEyt for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 06:39:18 -0800 (PST)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by ietfa.amsl.com (Postfix) with ESMTP id 39C901AE2EB for <therightkey@ietf.org>; Thu, 12 Dec 2013 06:39:18 -0800 (PST)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id rBCEd8wx027163; Thu, 12 Dec 2013 06:39:08 -0800
Received: from sc-owa.marvell.com ([199.233.58.135]) by mx0b-0016f401.pphosted.com with ESMTP id 1gpgd4mr0a-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 12 Dec 2013 06:39:08 -0800
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA.marvell.com ([::1]) with mapi; Thu, 12 Dec 2013 06:39:05 -0800
From: Paul Lambert <paul@marvell.com>
To: Ben Laurie <benl@google.com>
Date: Thu, 12 Dec 2013 06:39:06 -0800
Thread-Topic: [therightkey] Draft charter for a Transparency Working Group
Thread-Index: Ac73R+iuGsZCj3X2SQawmTVuWgTE9A==
Message-ID: <CECF0556.29FC3%paul@marvell.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <CECE51D6.29F5B%paul@marvell.com> <CABrd9SRwkxWYV9L1iWsyCqzMYKAcpoeSRh+kG6MMMzZC0y8siw@mail.gmail.com>
In-Reply-To: <CABrd9SRwkxWYV9L1iWsyCqzMYKAcpoeSRh+kG6MMMzZC0y8siw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.3.9.131030
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2013-12-12_04:2013-12-12,2013-12-12,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1312120050
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2013 14:39:19 -0000

>>
>> On 12/11/13, 8:55 AM, "Ben Laurie" <benl@google.com> wrote:
>>
>>>Who's in?
>> Very cool concept ... very broad possible applications.
>> Less interested in HTTPS/TLS, but many applications.
>
>Great - can you be more specific what interests you?

1) Basic logs and the ability to have assurance on time and order
2) Distributed authorization systems with an ability to demonstrate the
   existence and ordering of authorization statements
3) Time stamps and time synchronization
4) Group membership / enrollment
5) 'key centric' identity (mappings using hashes of keys as identity)
6) Service description and discovery without central registration


Paul

>
>>
>> Paul
>>
>>
>>>
>>>"Problem statement: many Internet protocols require a mapping between
>>>some kind of identifier and some kind of key, for example, HTTPS,
>>>SMTPS, IPSec, DNSSEC and OpenPGP.
>>>
>>>These protocols rely on either ad-hoc mappings, or on authorities
>>>which attest to the mappings.
>>>
>>>
>>>History shows that neither of these mechanisms is entirely
>>>satisfactory. Ad-hoc mappings are difficult to discover and maintain,
>>>and authorities make mistakes or are subverted.
>>>
>>>
>>>Cryptographically verifiable logs can help to ameliorate the problems
>>>by making it possible to discover and rectify errors before they can
>>>cause harm.
>>>
>>>
>>>These logs can also assist with other interesting problems, such as
>>>how to assure end users that software they are running is, indeed, the
>>>software they intend to run.
>>>
>>>
>>>Work items: Specify a standards-track mechanism to apply verifiable
>>>logs to HTTP/TLS (i.e. RFC 6962-bis).
>>>
>>>
>>>Discuss mechanisms and techniques that allow cryptographically
>>>verifiable logs to be deployed to improve the security of protocols
>>>and software distribution. Where such mechanisms appear sufficiently
>>>useful, the WG will re-charter to add relevant new work items."
>>


From benl@google.com  Thu Dec 12 07:23:18 2013
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 532091AE30C for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:23:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level: 
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1A5Sg2L2t6n for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:23:17 -0800 (PST)
Received: from mail-vc0-x229.google.com (mail-vc0-x229.google.com [IPv6:2607:f8b0:400c:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id EFC821AE301 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:23:16 -0800 (PST)
Received: by mail-vc0-f169.google.com with SMTP id hu19so382513vcb.14 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:23:10 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.58.187.129 with SMTP id fs1mr46037vec.45.1386861790721; Thu, 12 Dec 2013 07:23:10 -0800 (PST)
Received: by 10.52.183.65 with HTTP; Thu, 12 Dec 2013 07:23:10 -0800 (PST)
In-Reply-To: <52A9AB84.6090609@cs.tcd.ie>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <52A9AB84.6090609@cs.tcd.ie>
Date: Thu, 12 Dec 2013 15:23:10 +0000
Message-ID: <CABrd9STXJ-_hbfKV3NraQHvAFzcqZ9aCi4v=Pur82yLtCZk-MQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2013 15:23:18 -0000

On 12 December 2013 12:26, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
> Hi Ben,
>
> I've a question.
>
> On 12/11/2013 04:55 PM, Ben Laurie wrote:
>> Work items: Specify a standards-track mechanism to apply verifiable
>> logs to HTTP/TLS (i.e. RFC 6962-bis).
>>
>> Discuss mechanisms and techniques that allow cryptographically
>> verifiable logs to be deployed to improve the security of protocols
>> and software distribution. Where such mechanisms appear sufficiently
>> useful, the WG will re-charter to add relevant new work items."
>
> I'd like to get a feel for how these work items
> might be sequenced.
>
> For the 2nd one, I assume the modus-operandi would
> be for folks interested in transparency-for-X to
> write up a personal draft, have that discussed on
> the WG list and for stuff for which the WG achieve
> consensus to re-charter to add new work items to
> tackle transparency-for-X to the charter. That
> seems fine to me. (And people can start writing
> those today - the more that exists before the WG
> would be chartered, the easier it'll all be.)
>
> For the first one, I'm not clear as to whether
> you intend to 1) first consider a set of
> transparency-for-X proposals, re-charter and
> to only then figure out how to re-factor 6962
> into a set of standards-track RFCs, or
>
> 2) if you want to do the work of generating a
> standards-track set of RFCs based on 6962 for
> HTTP/TLS before the WG have considered a set
> of transparency-for-X proposals.
>
> Or maybe 3) you wanted that to emerge from
> this chartering discussion.
>
> Can you clarify? If (1) or (2) apply then it'd
> probably be useful to include that explicitly
> in the charter text. If (3) applies then I guess
> you'd want to actively lead the discussion down
> that path, which sort of seems to be happening
> already.

None of the above?

I want to generate standards-track RFC(s) for 6962-bis, but other
stuff could proceed in parallel. I don't want to hold up 6962-bis for
that other stuff, though.

> And note I'm not asking here about the specific
> set of RFCs as deliverables nor the timing of
> those deliverables, just how the ordering of
> HTTP/TLS vs. other stuff would happen at a
> coarse-grained level. (Separately, it'd be good
> to chat about what RFC deliverables are likely
> to be wanted, but probably only after the
> above is clear.)
>
> Thanks,
> S.

From hallam@gmail.com  Thu Dec 12 07:24:14 2013
Return-Path: <hallam@gmail.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F7D01AE2F9 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:24:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level: 
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id riRiYMCKhms4 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:24:10 -0800 (PST)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id 30D8F1A1F61 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:24:09 -0800 (PST)
Received: by mail-wi0-f169.google.com with SMTP id hn6so917623wib.0 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:24:02 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.194.94.167 with SMTP id dd7mr7123595wjb.43.1386861842696; Thu, 12 Dec 2013 07:24:02 -0800 (PST)
Received: by 10.194.243.136 with HTTP; Thu, 12 Dec 2013 07:24:02 -0800 (PST)
In-Reply-To: <CECF0556.29FC3%paul@marvell.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <CECE51D6.29F5B%paul@marvell.com> <CABrd9SRwkxWYV9L1iWsyCqzMYKAcpoeSRh+kG6MMMzZC0y8siw@mail.gmail.com> <CECF0556.29FC3%paul@marvell.com>
Date: Thu, 12 Dec 2013 10:24:02 -0500
Message-ID: <CAMm+LwhUEpVSM-Lvtoh2KJoHSJonxhxWL-Qjc6fLgkWLQzB8Kw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "therightkey@ietf.org" <therightkey@ietf.org>
Content-Type: multipart/mixed; boundary=047d7bb03c467caf3804ed57ef22
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2013 15:24:14 -0000

--047d7bb03c467caf3804ed57ef22
Content-Type: multipart/alternative; boundary=047d7bb03c467caf3504ed57ef20

--047d7bb03c467caf3504ed57ef20
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Thu, Dec 12, 2013 at 9:39 AM, Paul Lambert <paul@marvell.com> wrote:

>
>
> >>
> >> On 12/11/13, 8:55 AM, "Ben Laurie" <benl@google.com> wrote:
> >>
> >>>Who's in?
> >> Very cool concept ... very broad possible applications.
> >> Less interested in HTTPS/TLS, but many applications.
> >
> >Great - can you be more specific what interests you?
>
> 1) Basic logs and the ability to have assurance on time and order
> 2) Distributed authorization systems with an ability to demonstrate the
>    existence and ordering of authorization statements
> 3) Time stamps and time synchronization
> 4) Group membership / enrollment
> 5) 'key centric' identity (mappings using hashes of keys as identity)
> 6) Service description and discovery without central registration
>


I am very interested in 5, in fact my strong email addresses are really
just a convenient notation for key centric identity.

But there are two questions here:

1) What should we do?
2) What should we do in the transparency WG?


A draft of the paper I wrote for the IAB/W3C workshop is attached. It
describes the scheme I am currently writing code to support.

The part of the scheme described in the paper is what I consider
'plumbing'. I don't think that I have foreclosed any options by taking the
decisions I did. Most of the design is constrained by previous
specifications and by legacy infrastructure. The decision to use JSON to
encode the 'Prism Hardening Bit' is driven by fashion but I think that is a
good one in this case and I can support it with a use case that JSON meets
but not ASN.1.


But what I don't describe in the paper is the much bigger part of the
scheme that has to do with a next generation PKI model for individual users
built on a synthesis of the PKIX, PGP and CT models.

I could propose that as a WG item but I get the feeling that Stephen is
going to respond that it is research or it should be an experimental or
whatever.

I really want to fix end-to-end email security. But right now the problem
with end-to-end security is not a lack of trust in the key distribution
model. The problem that is killing deployment is that the products are too
difficult to use.

So even though I am building my alternative key distribution infrastructure
on the assumption that there is a CT like infrastructure in place, the
motivation for building that infrastructure is to solve a different problem.


Another area that I have considered and written code for but not yet
described is how to use key centric crypto to secure a Web service.

For example, let us say that we have some infrastructure that lets us
resolve either a hash alone or a hash plus a domain name to a blob of data
that is a policy signed under the corresponding key (a PHingerprint Blob,
fb was already taken).

I am currently using this mechanism to resolve strong email addresses:

<fingerprint>?alice@example.com

We can use just a Web server and the .well-known convention to resolve
(<fingerprint>, example.com) to a policy file.


But while I was writing the proxy I suddenly realized that even though my
email client lets me check the box that says 'use SSL', the client does not
actually check the certificate chain, nor does it let me install my own
root of trust to check the chain against. Which is a pretty big hole. So
what I would like to be able to do to configure my email client is to
specify the mail service connection in a form such as:

phb://example.com/_submit._tcp/<fingerprint>

The corresponding policy would then contain the port and service DNS name
data for connecting to the submit service at example.com.


We can further use this as a discovery mechanism for the phingerprint as
follows:

Let us assume that all the user tells the client is their email address
(alice@example.com) and the client is to work out everything else for
themselves. So the client knows that it wants to talk the SUBMIT protocol
(_submit._tcp) and it knows the domain (example.com). It can now form a
.well-known query for the phingerprint of the corresponding domain:

https://example.com/.well-known/phb/
http://example.com/.well-known/phb/


As a short term measure the user would have to enter a one-time passphrase
to provide initial authentication. But in the longer term this should be
replaced by an out of band confirmation service. When I buy a new device I
want to be able to configure it for use with all my applications through a
one time process in which I tell the device which account(s) to use and
then I get an out of band request for confirmation that this is what I want
to do on an already configured and trusted device.

-- 
Website: http://hallambaker.com/
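
An added illustration of the resolution steps described in the message above (not part of the original post and not its author's code): it parses the two identifier forms, builds the .well-known queries, and accepts a served key only if it hashes to the fingerprint. The fingerprint encoding (base32 of SHA-256 over the raw key bytes), the function names, the sample keys and the use of the .well-known/phb/ location as the place a key is served are assumptions made for this example; verifying the policy's signature under the accepted key is a further step not shown here.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample keys (placeholders, not real key material).
GENUINE_KEY = b"constructed-public-key-bytes-for-example.com"
SUBSTITUTED_KEY = b"constructed-key-swapped-in-by-someone-else"


def fingerprint(public_key: bytes) -> str:
    """Assumed encoding: lower-case, unpadded base32 of SHA-256(public key)."""
    digest = hashlib.sha256(public_key).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def parse_strong_address(address: str):
    """Split '<fingerprint>?alice@example.com' into (fingerprint, mailbox, domain)."""
    fp, sep, mailbox = address.partition("?")
    local, at, domain = mailbox.rpartition("@")
    if not (sep and at and fp and local and domain):
        raise ValueError("not a strong email address: %r" % address)
    return fp.lower(), mailbox, domain.lower()


def parse_phb_uri(uri: str):
    """Split 'phb://example.com/_submit._tcp/<fingerprint>' into
    (domain, service, fingerprint)."""
    parts = urlsplit(uri)
    segments = parts.path.strip("/").split("/")
    if parts.scheme != "phb" or not parts.hostname or len(segments) != 2:
        raise ValueError("not a phb service URI: %r" % uri)
    service, fp = segments
    return parts.hostname, service, fp.lower()


def well_known_queries(domain: str):
    """The two discovery URLs given in the post, HTTPS first, then HTTP."""
    return [
        "https://%s/.well-known/phb/" % domain,
        "http://%s/.well-known/phb/" % domain,
    ]


def key_matches(expected_fp: str, served_key: bytes) -> bool:
    """True only if the served key hashes to the fingerprint the user holds.
    The comparison is constant-time; the transport plays no part in it."""
    actual = fingerprint(served_key).encode("utf-8")
    return hmac.compare_digest(actual, expected_fp.lower().encode("utf-8"))


def first_matching_key(expected_fp: str, domain: str, responses: dict):
    """Walk the discovery URLs and return (url, key) for the first served key
    that matches the fingerprint, or None if none does. `responses` maps
    URL -> key bytes and stands in for the network so this runs offline."""
    for url in well_known_queries(domain):
        key = responses.get(url)
        if key is not None and key_matches(expected_fp, key):
            return url, key
    return None


if __name__ == "__main__":
    fp = fingerprint(GENUINE_KEY)
    address = fp + "?alice@example.com"
    print(parse_strong_address(address))
    print(parse_phb_uri("phb://example.com/_submit._tcp/" + fp))

    https_url, http_url = well_known_queries("example.com")
    # A key that does not hash to the fingerprint is rejected even over HTTPS;
    # the matching key is accepted even over plain HTTP.
    served = {https_url: SUBSTITUTED_KEY, http_url: GENUINE_KEY}
    print(first_matching_key(fp, "example.com", served))
```

The policy fields (port, service DNS name) should be read only after the blob's signature has been verified under the key this check accepts.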

--047d7bb03c467caf3504ed57ef20--
--047d7bb03c467caf3804ed57ef22
Content-Type: application/pdf; name="Privacy Protected Email.pdf"
Content-Disposition: attachment; filename="Privacy Protected Email.pdf"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hp44lx9w0

7IcJgAQ0QeVYCRkLvuIgrG8Aw5cW2LF+Amq2MYb0DceHv+MVC0CY0xVnG8fuy/45Epk0SZYtyd2C
URC+0I+BM23GxSwDWxu6mJlFxGgM52Rd+A3LQwp0zQ1jeZjn4EVVNYYyXQdMW0QbgGEQzcw0g/cb
wt1iEbo/7/Rk77IIUhWhWeIPNdcs5sMuaXhCv+8udaM1braZr4fc0+d5KZiG53lvjwp4zQnSUv+D
c7UZrtSkL9IvThb6L4fpviCm/4lI85wapLv+y3z6LzG5k4hig8yvBhkOojic3KE7getq2y0lim6n
ww4n7RFPtLz64DA9qAgS3LaaHrOGR/Az5VTmBGWKL4APcDUoDDCAfSWi0uxrtMADzLlliOS0DCX/
mOIpIS3o2E/pSFYAGbgiEVGZemeLaSd/REJIKwo7WqC9Yzew0MwD2n4wYyZxy7XxknnMFWvABQ2J
VUczRrDByBUMBDsLmdhm9potaLINcuZ5+FkGHhmCmnlN7HmkQ8fYsmIPloZ/7vcUFGD0sS19Fek9
k7OC76Tl7ac+l3kXsKLcqhTz68+1Yu2/hCVv2FZLO14P9cvDJqwuaU+dEvnmaX08rp9fA77FKt1t
vNQNnMQuMQvfEmGzuax/pW22TQgddfSW2ruNnnlp8279oOXucpruWu0Zng7Vfqz+qDbxZkHcMVzK
03osqudpelL292HH8qE7yznD1uaCdEpg05MPIBLMRGgOK2QDEghBaQwV07AbEu6zEoLcYTATlcUN
khXjeaZGZiIY2czFIvn7EG8hYWgGY4kGM+vJcObBKFargySpk9XOX4ZsrDURbOl9p4zZyoUeMGPg
L8gXEDk9W0oNrFpEW422AZTOd3AzRWEC89KjyGS1tAhEIvwHM/xmrl4mpz7ZQ3H6AItCAoS2eoys
IveOzNVp1ySb3eV8PVEu9/3HK4y075/ykBJUzCBBXCWSPleNkpH33cNSuN9ISz2fxyfB6mPi8BC8
J07P2ml/8M4+rV/Fxq8jq9/Eb9/ES/r27VLWbi9aBHWnU5XpfuPJ4VLaai/ad9JxSdjlz7dvPvb/
7e9+P1+D6fCZnvuf2inr5RSWPxGMmxb/IuP0+AQchDcQo2kCxzA5hZhVoBRxETyhtcFq+3X/QfNo
sH9PG/zRl13ckU/iHYZ00qEyW4cwEhdkIXqAOZ3fmx3EyNnFyMrS6ieFzT0TvjZu6/3/4yzDplb2
FMI3kkwXTcpKIfPh2ux32pW/XCqPO1OMp4fdYW+T401Xnjo0OiN8bvaCbFJjiV1cKyjkbUTnLRIZ
XsIVk3LQuz9ZWYiz8KzZelrxd6Mk5Iw8yWbMLBnggBbRCom+TBNRTOFaXDmXm9LfYeoeX3DHOZfh
oiDZdDeg1EFktg4zq6lh5/3f6WjRcdftcdinFprhgcgxlHUqBr/6OsSkUPdNf11tv930TzSDJ3R3
rWIyKKSP6U44B7Qk3VBpCaaHex9p2M82CIjAvFo6hAWhqhHcWKQg3wB6+AJ+hVOKtSIYtEMRwcIh
QMpVV55hZlksLjhTGsoWFwhpjKVxskyF+OUZSUoaQIWYtqV0jjWN5R5KMXo7WBBmYqhqm4r+62ei
uoOq9LDP0CVnL+UOin5eLph9xN218vSwOTM/xYXzyd85F+AXtMEmw8Jz7kFAFqfYAD44wvaySRmS
kVz9mQJmUBQAYxhIABYDO/GBBGg9kN1Ow8TJWYqExPnGatFQyIggqSUz12ScbMZG94I/7EQSQVoa
Ab4YmV4ELXfSUNeUvKlLtvmQ0U6qD0xjexN49LE1TYHcbDG7JfPVfJ4fMunuGF+t6c8dr+ajIZzB
samxJ1I4z1hMtoyYu9GRzkPcuBeZbUqcLVUMVvzvxFzajJEsXWKbOdKTI6RoNBWh2nJkxOJ6jxkn
2T6f91lD8xpM0IyB6IRQ4A1iuxSh6A1j2HhGYSqjBVp6F1oXxkSoe5xEMFl/BoIvKEVJgAExWpaS
2+KJpE8Qd4C7vRTv1dyz5PyFhpPzhBr9D+LpItX034e0080PkUSHM0waDgpv5ApdpOm8iI1O0Z92
x0s1EVFViJbFnZ4V3ArF4KEgVzB+kGx0GY6IhHosrl+DVUUY3gGMn1x8pa7BM2oPW0W6rAMIwzV1
88G1uObu19a1NvW0WRjpUu/0TadjzF0fl/f2tPQ8dOfBErcPjC4tkklsWs3Wzb0l4hdgzyEHBh1X
cnnK2i6wg65xFek7QJkIBu7wSzQrXlGADQmMqLEwbFvDl5FUd02eZTgI4cvQmSqxcISEuIIvnZgO
LQzSleUCvV2oeC6iwdkb9uUeAsv3LEtNLO+Uj/zwv52uVuH5WfSbLUVvVIOx5cWPAAW702RaX2GL
Y9Fa/OdzwwDhQ3zt9XZEaG5GKyRkfO6wb2vA2pClhHSezJ1UYFrIornTM/DEfiAX8XIbRDewRXQT
n5mWHZyRNHkvqx4NWcMQseizqEMKLESfx4tbGICoiToNm/hQGCUYES9BQpNp4zUrX0q/0RkV4Wsu
oLwJGU05vuRC5znv61wd0kXvX3tdy7jIzHMP7LVptBu2vJZLUicJpEHd8eCr4hVTCKlEgK/DAmNa
ASudKUunMpP9a9rOBEBYniB450lFVcZ4LmGbiE44BbEyNqF3BgxI6GTRh8cQSF4SU75fwYxGuooZ
29tBh32VKee93h1VorXHqk1Ov7nID6tyAIttPCgW8Q0r4O+Z0im86eL0A5RowUDW0XhIDdmmnlvK
vqQEM3Fs4aIk22jLZ95ywzShE92X4cjzzKt6xYMVitZUxP7hu/d6SPvH7/+4NDc1Rx2v1pGuqk2D
3p6blqq18AMEzVlHaSfseh1uP9L4t9/PP9Jo9EpdK3RNWS+nkz+lMLztceBtZJUe546Rhadh//c4
bAazYiJdQLJFgsTABdK0OITcxfhFG+dgbhjZ8CIDMmubSfbyQqwG3IDxbN/E48rhCg/H+OQHot1M
nNmHM4P4kQEl9T1R1xz0optPK4Vcct8bsn+Y7IpX22//lC+Qindz9PgkPpJpRyMuvX8YQ+76tipp
o9FrAdkb50txsbrjtAKpGC8AILxAzYyD6GUHARA6wW/YYo4YuYIEfGisIgMtWbSEZYCeNhZzMCTA
1sGBLMgNbUrvQ51hjaAoZUEo+A5v3RLMHhs+9CpGmJM3K4kZCdw7vFHJMYKTGFCd40rMEYdMsL2n
zEj8hqLY7LCQRYC/s0JmjCxGg1DZ+/EDxHWeP7wIfrOoiC8Y9uVaVkTN5iZMhdrWAIELHWkxaeE9
tAf6fEids8c3BjgSwJ86wwMgbbZgn6t9YNfZ0txBmEm6vxKGaALIrDRSgqlMkckqn5HpdAUFXkKm
WLbOPphM147YMN49MCSM5+Wir2aGIRF+6OsVNUxmwCN4FaQ2TrmCWDokNv9LFAP+dfb+7p/iwUCF
55EYdQdrmjgzScKWrWenweVKl7QhY0O4izfY7TJ7d4JA7UnYpkiIPHbzwr54QYsTLciU//BzCUQF
pF7JgX3YI9wgU1BcB65tEiiQAC62AaI4R07T9PBWi80FD9ibGYEKE+6kiXjgVmiKXpYE9h4YWdUy
D9f9Xm9dnY9NFX7dLINrLKnCXnhR64zPguvVyCCcVqXadg5S6VOQRZegji4v4c3vbMIIq+WrE8bh
ysvp5duj46OmWpCuXx7SuGnAJE86hcaBWh2KWJIjlHr7/UWWSHKkiSvWluEHwRaqtO379lVbGXPH
7Juj6tXu1MH7jpWbf7jo2skeLQQvbaOfPPybTbbR27P9ubtks7fHJhpKhUH/vuvmu+i9tC7Nq+Ty
deJG8hymlrvxECWApN91WcqzkeKOA/VwW8yO/YhLE3kZrWxQlVlBdyazJgFMeNILAaEZo3G2jNLr
LHeXUanIyMoop4cyx5Aznb7LB6eqJ8N8kh/NQfrSLmhYziQKeSXawSge0jKw8GAehNYkTmvJQ1lV
7RbPecgBD6f80hnJLFlh4PE8zaEw3EouzuhREm1IYW3LBq7ozB34lnK79qGF3kjloa0ipB55sMrN
stOq5zNHDMDpwiLbgmVAex0ZbUGztagQxIl3FR5Rapg4b9wzT7SH/FcGZtb+4y237Tcv/e9ELaRo
5bBTOPHUXGN/I/1rFto8h598lBKaZnzsU7sN3/zm2/gDVUw9V36IrtXvqp7Pu/ATtveo5hkwvd+l
DB08Njf3tJrhu9PuMmU+ms3G1pI6ho1hBCYGKIDgiWOz0LydjOMz734rAFwAKQ2qtKhdApoILO4Q
CcQRTUZk4pdlRUMTUtRzvkQG34A0DZilDGhZ/Tka6YStoEXcazsg90RBI7cOv/SpANIWWHMbp8Uh
0CBIhO1bf8pGn9/H3/jRz7POC9Lo1+rak06tN2NBRrAyUisJpsPKUn4OpSybLvFXALq8+io3o8d4
3X6lzfOn9ctFP9HxIjTODdIctCXRNG2VDXLjnQCFQoENQIgPk5+vnCsAAUPcOB9S04MJt3jpRQPw
cTgyMiRDqDkcIwizaEQWYsZLHw8MBTpnRUGaP6D5hCCiTzrGNSxsLAEKWRRUptBAVWijNYatrNKi
uKosLDxyxjZo2O9JhiVKlnUgsfkRDrYTboNMTqTiMR9MoP8UX/+/umk2xryA6fxmk1kGA8DSXnNU
zKvuiT6lsU2S6RFrAkDExjKgwd2WxExwh29AmSTIikSMbiYMiLSQ0GRaDlt4Q4CRAQ+dpzL4PQYi
f3gmWHKhs51Rss0jP64XSpzaVaVqyDuZU7K4tt+RBS4WihZclK/niqce+05LYf02VLUExyG3h1+4
z596fP9/iwoExAplbmRzdHJlYW0KZW5kb2JqCjUgMCBvYmoKNTY4OQplbmRvYmoKMiAwIG9iago8
PCAvVHlwZSAvUGFnZSAvUGFyZW50IDMgMCBSIC9SZXNvdXJjZXMgNiAwIFIgL0NvbnRlbnRzIDQg
MCBSIC9NZWRpYUJveCBbMCAwIDYxMiA3OTJdCj4+CmVuZG9iago2IDAgb2JqCjw8IC9Qcm9jU2V0
IFsgL1BERiAvVGV4dCBdIC9Db2xvclNwYWNlIDw8IC9DczEgNyAwIFIgPj4gL0ZvbnQgPDwgL1RU
OCAxNSAwIFIKL1RUNCAxMSAwIFIgL1RUMiA5IDAgUiAvVFQ2IDEzIDAgUiA+PiA+PgplbmRvYmoK
MTYgMCBvYmoKPDwgL0xlbmd0aCAxNyAwIFIgL04gMyAvQWx0ZXJuYXRlIC9EZXZpY2VSR0IgL0Zp
bHRlciAvRmxhdGVEZWNvZGUgPj4Kc3RyZWFtCngBnZZ3VFPZFofPvTe90BIiICX0GnoJINI7SBUE
UYlJgFAChoQmdkQFRhQRKVZkVMABR4ciY0UUC4OCYtcJ8hBQxsFRREXl3YxrCe+tNfPemv3HWd/Z
57fX2Wfvfde6AFD8ggTCdFgBgDShWBTu68FcEhPLxPcCGBABDlgBwOFmZgRH+EQC1Py9PZmZqEjG
s/buLoBku9ssv1Amc9b/f5EiN0MkBgAKRdU2PH4mF+UClFOzxRky/wTK9JUpMoYxMhahCaKsIuPE
r2z2p+Yru8mYlybkoRpZzhm8NJ6Mu1DemiXho4wEoVyYJeBno3wHZb1USZoA5fco09P4nEwAMBSZ
X8znJqFsiTJFFBnuifICAAiUxDm8cg6L+TlongB4pmfkigSJSWKmEdeYaeXoyGb68bNT+WIxK5TD
TeGIeEzP9LQMjjAXgK9vlkUBJVltmWiR7a0c7e1Z1uZo+b/Z3x5+U/09yHr7VfEm7M+eQYyeWd9s
7KwvvRYA9iRamx2zvpVVALRtBkDl4axP7yAA8gUAtN6c8x6GbF6SxOIMJwuL7OxscwGfay4r6Df7
n4Jvyr+GOfeZy+77VjumFz+BI0kVM2VF5aanpktEzMwMDpfPZP33EP/jwDlpzcnDLJyfwBfxhehV
UeiUCYSJaLuFPIFYkC5kCoR/1eF/GDYnBxl+nWsUaHVfAH2FOVC4SQfIbz0AQyMDJG4/egJ961sQ
MQrIvrxorZGvc48yev7n+h8LXIpu4UxBIlPm9gyPZHIloiwZo9+EbMECEpAHdKAKNIEuMAIsYA0c
gDNwA94gAISASBADlgMuSAJpQASyQT7YAApBMdgBdoNqcADUgXrQBE6CNnAGXARXwA1wCwyAR0AK
hsFLMAHegWkIgvAQFaJBqpAWpA+ZQtYQG1oIeUNBUDgUA8VDiZAQkkD50CaoGCqDqqFDUD30I3Qa
ughdg/qgB9AgNAb9AX2EEZgC02EN2AC2gNmwOxwIR8LL4ER4FZwHF8Db4Uq4Fj4Ot8IX4RvwACyF
X8KTCEDICAPRRlgIG/FEQpBYJAERIWuRIqQCqUWakA6kG7mNSJFx5AMGh6FhmBgWxhnjh1mM4WJW
YdZiSjDVmGOYVkwX5jZmEDOB+YKlYtWxplgnrD92CTYRm40txFZgj2BbsJexA9hh7DscDsfAGeIc
cH64GFwybjWuBLcP14y7gOvDDeEm8Xi8Kt4U74IPwXPwYnwhvgp/HH8e348fxr8nkAlaBGuCDyGW
ICRsJFQQGgjnCP2EEcI0UYGoT3QihhB5xFxiKbGO2EG8SRwmTpMUSYYkF1IkKZm0gVRJaiJdJj0m
vSGTyTpkR3IYWUBeT64knyBfJQ+SP1CUKCYUT0ocRULZTjlKuUB5QHlDpVINqG7UWKqYup1aT71E
fUp9L0eTM5fzl+PJrZOrkWuV65d7JU+U15d3l18unydfIX9K/qb8uAJRwUDBU4GjsFahRuG0wj2F
SUWaopViiGKaYolig+I1xVElvJKBkrcST6lA6bDSJaUhGkLTpXnSuLRNtDraZdowHUc3pPvTk+nF
9B/ovfQJZSVlW+Uo5RzlGuWzylIGwjBg+DNSGaWMk4y7jI/zNOa5z+PP2zavaV7/vCmV+SpuKnyV
IpVmlQGVj6pMVW/VFNWdqm2qT9QwaiZqYWrZavvVLquNz6fPd57PnV80/+T8h+qwuol6uPpq9cPq
PeqTGpoavhoZGlUalzTGNRmabprJmuWa5zTHtGhaC7UEWuVa57VeMJWZ7sxUZiWzizmhra7tpy3R
PqTdqz2tY6izWGejTrPOE12SLls3Qbdct1N3Qk9LL1gvX69R76E+UZ+tn6S/R79bf8rA0CDaYItB
m8GooYqhv2GeYaPhYyOqkavRKqNaozvGOGO2cYrxPuNbJrCJnUmSSY3JTVPY1N5UYLrPtM8Ma+Zo
JjSrNbvHorDcWVmsRtagOcM8yHyjeZv5Kws9i1iLnRbdFl8s7SxTLessH1kpWQVYbbTqsPrD2sSa
a11jfceGauNjs86m3ea1rakt33a/7X07ml2w3Ra7TrvP9g72Ivsm+zEHPYd4h70O99h0dii7hH3V
Eevo4bjO8YzjByd7J7HTSaffnVnOKc4NzqMLDBfwF9QtGHLRceG4HHKRLmQujF94cKHUVduV41rr
+sxN143ndsRtxN3YPdn9uPsrD0sPkUeLx5Snk+cazwteiJevV5FXr7eS92Lvau+nPjo+iT6NPhO+
dr6rfS/4Yf0C/Xb63fPX8Of61/tPBDgErAnoCqQERgRWBz4LMgkSBXUEw8EBwbuCHy/SXyRc1BYC
QvxDdoU8CTUMXRX6cxguLDSsJux5uFV4fnh3BC1iRURDxLtIj8jSyEeLjRZLFndGyUfFRdVHTUV7
RZdFS5dYLFmz5EaMWowgpj0WHxsVeyR2cqn30t1Lh+Ps4grj7i4zXJaz7NpyteWpy8+ukF/BWXEq
HhsfHd8Q/4kTwqnlTK70X7l35QTXk7uH+5LnxivnjfFd+GX8kQSXhLKE0USXxF2JY0muSRVJ4wJP
QbXgdbJf8oHkqZSQlKMpM6nRqc1phLT4tNNCJWGKsCtdMz0nvS/DNKMwQ7rKadXuVROiQNGRTChz
WWa7mI7+TPVIjCSbJYNZC7Nqst5nR2WfylHMEeb05JrkbssdyfPJ+341ZjV3dWe+dv6G/ME17msO
rYXWrlzbuU53XcG64fW+649tIG1I2fDLRsuNZRvfbore1FGgUbC+YGiz7+bGQrlCUeG9Lc5bDmzF
bBVs7d1ms61q25ciXtH1YsviiuJPJdyS699ZfVf53cz2hO29pfal+3fgdgh33N3puvNYmWJZXtnQ
ruBdreXM8qLyt7tX7L5WYVtxYA9pj2SPtDKosr1Kr2pH1afqpOqBGo+a5r3qe7ftndrH29e/321/
0wGNA8UHPh4UHLx/yPdQa61BbcVh3OGsw8/rouq6v2d/X39E7Ujxkc9HhUelx8KPddU71Nc3qDeU
NsKNksax43HHb/3g9UN7E6vpUDOjufgEOCE58eLH+B/vngw82XmKfarpJ/2f9rbQWopaodbc1om2
pDZpe0x73+mA050dzh0tP5v/fPSM9pmas8pnS8+RzhWcmzmfd37yQsaF8YuJF4c6V3Q+urTk0p2u
sK7ey4GXr17xuXKp2737/FWXq2euOV07fZ19ve2G/Y3WHruell/sfmnpte9tvelws/2W462OvgV9
5/pd+y/e9rp95Y7/nRsDiwb67i6+e/9e3D3pfd790QepD14/zHo4/Wj9Y+zjoicKTyqeqj+t/dX4
12apvfTsoNdgz7OIZ4+GuEMv/5X5r0/DBc+pzytGtEbqR61Hz4z5jN16sfTF8MuMl9Pjhb8p/rb3
ldGrn353+71nYsnE8GvR65k/St6ovjn61vZt52To5NN3ae+mp4req74/9oH9oftj9MeR6exP+E+V
n40/d3wJ/PJ4Jm1m5t/3hPP7CmVuZHN0cmVhbQplbmRvYmoKMTcgMCBvYmoKMjYxMgplbmRvYmoK
NyAwIG9iagpbIC9JQ0NCYXNlZCAxNiAwIFIgXQplbmRvYmoKMTkgMCBvYmoKPDwgL0xlbmd0aCAy
MCAwIFIgL0ZpbHRlciAvRmxhdGVEZWNvZGUgPj4Kc3RyZWFtCngBzV3bkuTGcX3vrwB3pmd7dnYw
uHeDFy1NSaZIhhQiYyza5viJYYbDQTpC5jfpP32yKs9BAdVA9y5fzI0YoFFZWXnPrAvAvxffFn8v
6qZsuv7Ia130p2PZV6e+OA5+87//WXxf/E/x9Ptf6+LHX4sq/Pv1R3Su0Df+tpuxKquqP9bFsTqV
x7prdj/+UnzxXPSxh1+efymenp9PRV08/1T8UBz+cg80XXG4sWtTHB7vi8eqrIvD63DTFocm3PQ7
3hSH2mAB8hlh9+EGvatwA3SvHN3LgTf3doMWPNmFkdSJQ98aBAZUg0jQkzsO5Hh3hxfifWe9U7qJ
jugJIJKE1cfZTeSLD3bWgydS8MapzdGVzuCw5CfrQgjhEMca78aRkZtWVJM0aUwt6rzQwm4SLdEJ
VCMLHalVi0T9xmiCoohEAz+4Dkq7whzaVuISWpLtI+9kTccgWWgQ6P6jeP66+ONzcJEVKx/Gruz7
rimilcNoK5j/7vnHCwb/bPxglHc3RhJuxngxJvBr8Oab5n5nv18Ob7zFCMaD0n863MOrm5fDu5cg
WbT6U0ftoC/wqoAMIl3nrOlO5XishmLB2dJ/d5P/Hvr74vm/zwuq6Zty7LtxiS7IqSuWctrNAsOh
ggpXMQ9t2Z66bUIX+LYIRaBrh4zOqNAGhO6WEkgiGPQDWa9SehzLsR5PksFVIZGGb9oLZiz3bE29
wfTplh4ck6BFp6APCEKuIJ+jKzBgyEc0ssZjpFBf0SSv9E67A2FJgQZegibxWk2kCfhjmCY/ebCf
pCHCmRmWDCRxWoQLRr1JsJgEyLq/KN8Np6ocWuW7yXAuRILy0XQDp633dy/3L4c7d167f7OvosuW
+/HG3Pvp7jM8CuCvXtAjgd2P5c3jyNaSNy/3NW/L/UP5iIDzAEQhWqCtfAw/PMzc4oejn0a8kv1h
KLtjCIQ7pPvg323m38XMv5H4X0Ox4H3/sSkEN02DACxp75bVRd0cy+PpWAzTaBeKCwuJwTF3Vuis
RfFuSKN4IN58/rzqdqFqOfzpES665vN1jaGGGtFpjnoZRK4Mo3XdWYWG8DRH99vDaN105XDstwm9
PozWzakcMmSTM2xFUZgD4uibPazw4enl/sYtsd7f3O4fS/9Fk9/flm60T95yUz5Oxkv7NpMfbt4A
L6HcZdzppkFeR09zML848EMXfW7/Nl455J7djUTvAr/cm0+HVFtf6TxtU7ajqogV55lrwZznDhEj
uA1ilqX9B5Ra5k1VvL6u9g+vHy2sJEDvEFvr3QG2C0jzOnlb5h8NbKM/jXC3OX0zI86oAssxYZnw
QppSaFWTwu8UvS/nMnUSPuZItXgCSUrMjwMRydTC1BSmACxLRdQ5encLVpiHeM2zWo4l1qNIPpyF
aMSMFnVWyznYmBKFTsmSkxD1aQVDenn1gXah7gwzFoGi97pJTOmuPpUN0p0XvjEQXa57PzbrszC/
f2sDmrFOlmgNsf3dPYJsEJhdovk6fATfQ6hoinb/iFoDP2LXGbrHCmaFptdNg6IAN/vYw1EirISn
1R6uApjj/stqH9FAUAbunvQ0/UwIc2SPxJ37Y0CSOSVHMFRXSrvqyhaTaZf2zAGZU4EtTqY5/5Ex
ab6qJxbHghOoLkzVbza/M9mGupOF3BmrUieZK1gLneSiIwJhsC91FywdUFgEQg5IgmObikoOkwUA
jatRCCreneWdFhsEmtWNHk6iJQa+Tj63lN9H9Ocqy8n5cqLohuJYNLzyglfkqkWwloy4iBGlLQlK
0w4c4nyIwRQlRSu0bBCvpG1ZaidLLyJO0ZWiEyUZOpFviXaeFqhFgFwReXrEoFpTbsOFKfd6tQY3
jm7BCgIJ+uXekmI5vBxub1E2GDtwRRbB+wcWB4/juZIadrtOZtOfsHLWngqSedVkT2KjtUp8Etvg
yx2SPTVJfbFry5tV38aSiJRALHRGdpbNijSOI4om0A9wcVFJtLYAAsXuDgvXKqxUCfYiSvhAlCic
CSRzcrVk4UyeQBFIwmoxw9xdXAvqj305Lqq4fIkD4Top+lHFeYoxAmGEnqamPDmv3ioHg9oAXFl+
ShISNIKnZju4eIr0jOr9HqsvIHBr3TTiDmsrfd0VZMmNOPraFdO6N+5SJkEM5r9sarcqxmZAQdEd
R425levAwfNPocpbm4CpUOmxoDWFC1gSgkVvc7tTG1at48Wr2CEgthXpLsoSARX0wzLwF6tHWE2s
TZK4xpoD0dP4gzRxiUpBGMF9lDI4Bih8CU8iqPdGHjHBxPYIC6vGkwgLuQUc1C2QwD/wNyJB2EVz
HDRSGKmVatEaUfj8GssI6gALWw9fXVuVY9tC83OxbQgrlGmX1dD0ZT85x6yCyaYQfw6xAGu7eRQC
07DCKIlz5UmyfE5/NpEHUPVVdFWTfB4i9HwZq2xRwAYhUXTgOMKhFofdHf4QqIYK/kjy/zncYF7y
ZfbkT3yioaYRPHVmxDCqiQYG5zwJTNHTkEGSBM2Qio9pfBM+9KIWcUgky5aQa7wXR5bUxSB72wp1
qBbJjzQlxkilBhKIEkfMaYklqEWwOQkaAESt+8cUVuq67Kblvpk9syKHk8bSQ2VZPj7zb7b6SmFR
NOKXD1i4yUIlTZYKhNCogiByiUEUyl7Yuba6A5a7Vc4ijEW1aYB/CU9gKRK9059MzcmIGHg/pYMs
uI/wU5CSk1rEvrgVmSDBdL07u8nTdnV56rCG17uuL2ak4oddvh2l4kQEkXHJWjSLMFv3DfxRDWqZ
9CB2znU3hUA80XPPrT1I6kKjG1oHXU1j00ipKDRc4SrdiD3klclrFvpFxO+CBSULN6RG3FKMzkmy
liGCJXJ2FnoZBVsSG/a4+JGnDUY/9RX6T0mjmqRsh5nsQaTQUHlVX91Q/osHW64jkuTIimfiVILb
B+NC5Be1GolEqbfIppwEKg4FK5PibJDGq4Zl5+KgGSTX/0QlxS7WNA6J5FVYSeOtz5XUVUhJkVqm
BUhi47iTeXlO0jDofI3Zn6yIPr9mk5k9Byd9kphuNDpBnafEt2k3Ym6dbbWQW6CPBY86fxmMG1Yi
EtRJtMi2BONNSfIVQhJOHmVaioMZA1GhCYsiQViFRZavJhmMntAwcgaycxliTZ01dmQgcUcNLWLk
WeKN5kQbpeAdfSIwtohIds1JmqxXxKFXVKSg2V3iEE1JzLN8AV3/mXnbFZqIHoReY/XDGOqic7ny
equnkCSCxbpbQpYsj+alPlIcDS5JW5FbF9pOB4UkIolTSCRO4V/QZIX0QvICnZK2yM1HoJ5o9Bpa
oLSMDTIzWNCwcGxRJTTiTZbBCC4aPNUlgpeJC4buS0b4WwBinh4kagVCzcuT5Fu6oTqNarfIM5u7
HXZKq6o9Ft3cIuNOxYXNXVuW2YMU1L0mLVxe22i4wsrwF4rAXxB9jUf0fdlgZ/yqhUAasVQjrvXk
LUtDillK4wNJlQ+kcUpX4tY6YNYimyASRkgRonEd227KFBpQpCjPp9oLJaqWs0UU18BphJKB0Io4
4VeT6kZvSsI0eSRe/s6RtGwSTdGWp00D2jZC6LoNtHb6qerqonMbuBwVzai4mIKpdjWeqnbEkkRf
9aeTHbQsj11dH4e+2Dp8acs4tl/kNmc2j3mMHWiIRzX9Ek9jTIten9TRvE2Y61zVOC567HFc9Nwo
4+VRPoU+4T2QHBIOTqIkY+UHPtoBc7AeEnSOXIJhGS8u+p/naBdn3p/VsDcMZhvxuMSRoVyMHMdH
SMJzAG3wi/nLaRxOoiGRKg7KXZTq73AYAWnVhoQv2bLfrZkVrkdYul3NAO3x0QIkbkCOXXAYaPbb
Im54bMEYN94Nwch+9Uc/wuCdUmzrzLWwzGODA3oLAc8MxRO3G8pswe/yQeCuSiuCCwdALs+5FC5g
ODGx0Z3lq1NVpISjoOXbDMmWHnNzEr4UEIRSTxi+eF0GwYA40pUPrpSpXgpbWcBxipPwpZRIWHVW
OFynV3M+wao3c44eLCO+Ghx9UgSIRyFBmgxhnVoxawylpUQodDzBK6onxZEECGrdds1kR4QGN7DU
LbHytnJ6C+6O0HA47j+ykzp3zetHHIGz07WMuqunxNpxlsjBFTYer9gMwTajKXNyWFOk+TFO+CES
hAhQDiaECeQVDhTNHpQ47hQA/LFjNBx/k4zOlEEN1q6GvmkKUn8uBc0XLGMKOr8mVuNUv53vL1ps
duFU2taJhNFF/Y/73Zps67ote5wRvgZdXQV8u0Oxrqu6saLvOvJO2BKJSeJLSDaYaCtjpXvLW2S9
Jv8ALDOG1doKARY7E6vFgz5UiBGY7kG88hvOSdhV5yXk7SLBI0Ky+s5OGVYnchcSSKBWnXN0DIAJ
YvEmaM6cgXndIdtmLOsRL39csI75BihFoLHIzvSWgaiX3MShSFXhR6kwTEp1bBASJQNhy0AyJCJF
MVw3IiULbFS/QDmOuogmULsu4M72H4Zh8pc05l06A3HYf/X9N6h61pwRL/yUwzhKeY57Y2sjLVaX
YXOKFEMNo1Ateg7dFClWiZsixWV0HimK6yLFHB/c9brjJN/iTKmdJDF7mOI2UopXYThhgtbb5HRJ
DN93T17GeTy/edj76VI70G3vcQjny/3DK2y/rJtD2/bl6YjKtHUmtoO718Ru7HFbPsQtGR9nNQKR
fU5Bwt00WW4XkPDQ3lkETPhYHqjPg1VxECCdntNMASgsZMg4CrvS7dSVzrs5SevGEfMsTKjmQtwq
VK+z++5YVvGEpJ2I/8127+g2vPL97H6O72q7/+glvIIHjbkBpwefn3B2G4er/K0FFFg3+LUV0JoG
/hYKgEla2Yl+n37UTSwosDiTTBNifkU8jTdB5Tav5IOY0pGLY+DGwUYj0bd2gr2DlQf45LqbNaem
PNmrRu2MSNjtdaFi/xrjYJT41wbHD9R+4Wp/dzYZXR+/xaH65nRCZJ6Nf9akvKq5zkLbdquGsyz9
XpF5Ax1VGGu4KyPzHF+00PryGeO/LiPs7avURpMAHErveQC+K1/urWCAhmYvFLze3yKgP9wMCNB4
ReHpLgG0NxZe7t/d2Is1IcVuhOyur7Cg0cKW5tydCw94P9ZC9nW6xHlsvGi3WY/Hgvfwj/USYMqy
2+jMNN4v2mzgy7YFvqTvvlc9HnNXMjdlesgSiKr8rDJkJvFElky+02UHTHARYZiOmGQUcVQhKh0y
MQlEGersjBeWvj53SJYpUDhvBY22HDurxd9H9KxLVRlfPw2ZToyLb/EriUs2UoqeTBWGDj9ITILO
hE2CNaZ0GnWZqFAjCZbqVh9usOQDY56+Lutp2olz+sfplFsMWfkSQWbxeEEpho8Yeb76Pl6/2VJw
jRl4gxfiitYH3agM/E37qyJJgznGaXu/4n2ywhXo3iuSXIFv+q7A7y3Pw5eoaGmec85oPkktm9u7
bEHWvG4u0yobVrXjkoKsjpaqOaDwMVCphVRpaNGtodVZT8ijWugrwLJYkIyhMimSRKQGykDcBc/F
V/JKDrMSXiQtGdrZfloo/+XhDKsKGWJQnTParlmB+SokFaR1862gGngXbvBkXnyZrOKeQrjBdzHK
ocE7pzS87TlWWFwEv2GSfWY9TtPi5jiE72NsoJu52cp6HBfQrkCXuNn6ghwX0K7AF91sh3L8c1mu
bmiN2veTDUifWbCV98gJExOO7iQzydFxRG+ZTl7JkmRANDoaLKMBbU/I3S+SnKsmIbsmhSd8RFck
BeJUjJEmiSkjSvzwOJ6Ezr7Ezq5zAzdJJgbeHo/lOHQwcLfI35ZHdEK26eNL1ZfRzSd0wTclXck7
6igJP4pZklQuTKGhAoRuChmSfF7iZYFmNYicKzOEWFRodKlQqhM3OgKtUKzuGTm0W0EIi8skeZsm
pyaTiQRJz0zQ+XFUcaCmHK9gOID04mwny9J0WmERDeIp45pW7gJKRK/OZEBIRFNON52Fpw6IXsiE
hJBqEWMi32EDTev14uQjXRM+GuFJICwo5K8MZeXi26dqenV1s0bEgvxwxCGYxge6yhnX9Bb2z2Pu
ZOgR45KJpJXpTbufDEuulK2jb9IbZX9G5GExBweFMfKizhFRQiPHE+G0QMHGBwlRJHfqy4IHcTVW
EML/OWWnJ9oc0hMNLVGxk5hTWBBV3jsha93G/1/KSuzTLij4hRSudh0sivkHR7IFQ+5naodPsZSD
LuWavt8gghIgPxKuJ+vC/yeWl/9qlW00y1ntMs2TJRIqTGpnDGKDUtMXxC57kM3QiBTh5G/ElqEX
O9HEk0jKgWWrxKEuklIG4gRcWtSs6rLqu75orlZkOn398LNRTdXi+JL2oyzm1vG4wPmTRL5J/Dk3
5B9LU3FYwR1MHVgKujuG9+vwgmB4jNVpa3/71pSEG0g3rCfe8GYrZDf1UNZVPRYLOmcHctzAP+xA
To3l7ORLRSsrj842V9rpOLJZmpvbQVIi08EFKlORG2bmtYixSZhT5wztRuGdvLt+vedmnqSh3cQT
/5g+KUc5yDHEtpxWbFOIH/MIp2DVez2wZAOJKqLVOFq9E36xsiE0Tb8UQShyXuXqQkeicF0vd7oO
25QNXu293vJSV1/uLHd4NbU7Vv0SXaieLh78+erfvllf/+7wUbm+PnZnUV/aX8c0Zl+iJIfH471s
7AXMZLJYVlAJWOO95ySPoZ7AplJeAzKlAbu9+Wznfh4Qk9f28ms7E2Wrvwv0AXvOyLzCPNxhk+Ox
siNSN1Ds6hj2Bb6xg7BmLGxtnJqIEAzDFI8xILNe2hSP0/O3fIQPhIooOB9SgyxZti2nlAkz9KgT
sTDlLd0qmYPKIabakNVo1lvka6BPQhiAuZD+rI+IpAeqr7CxrzhMeHZJC1bkCoZ4ObKDTueciV5C
UFdVE6JJ1KZBJpbkObDwkAReRaTQUd9XnUGaHKuffZpzmebmZ5Cy2E+BiO88pooDiT57I0QsiKnM
2iZZOczuIBuVZDUURZG36AlBMHaUvWxTWESNnshEqG8DSSL6Ino1cP3mZF8MttXR+Nk/q8Lb+E0F
v8w+9nf4en1RtMHHNwc7tvce6L4zdOcXRZtjgxJqxHGBbRNIv+D5t/VDio1ttBzB09XoQqGwGjZB
1KkaETbt9M7sE1oheaEktkPV8eKBGZ/isLiPgw92MBQKXUU+oqoecZhlgXwTKaxgHd+xrDuL8WeJ
3c3weo4SsTi/juMfOAKyjr/BLnjX1hO9vkCxiXeD3qZF3juO0JXT6/iQ93LhLum9e/Pw9uX+EfOm
NXE0J7wSXncZ+g8mF9/ZPg04nfsh5N589PCmROBaI7bF5/vqLpfFhxLb4rh1ON35IcRW9St8Lq4f
8PXOsf34k+746fAZ9gac9uy9D9t1afBVJw7lC2SbpOMA6FpE8KRQWFk0TqeWV6oh1lp+XmK/+Z94
yD6fWOPFsyZENR91ssXLH6w6rA46cSmu7IUc23X+pYCMUT9aJOWzn+fPwlfkfuZn2gNYeFHo5+K/
ip8yFiZ0c8Etk2kaSZEN1yxSBFfx9STXKvawLeL5Jc0aO2WNcx/hbpE0uhO+OY8NDCi1pZHUMYDG
i6OjLtfVhdP9p2rAZ5oX6Cx0YLKB9wnwIleIzOEyL5lR2P47Eq8v9+AoONLxMRR2WB5AQTnwyV/D
/ODb8DfeQ16AjDCoOgCJmgNFIQoO9LUKAugshgI5Ij9a/EcKjPyNbW4USACKQ8fWSFN84ggjJsRQ
YI8jofISlfG5oQtvxWYUOD2xS8QbSUfhYMARe2xA0QdurA4BB3H0iB6lP56gFEKPCBqfRBwtZgho
jrxO9ITj9cPOPloAGUT24gjxPooASJOyJdvqwmmAGgfpqGJmm1Sx9H7PuKDvkjmf8Mk3LCi1jm3d
nItDqFrOfyp9pDmfsACUoLMghe/JLe1vTqZNrP4CucEIIA1bbbLCFb+sbO3ijOXRrBP6ceFaK3/O
+0CStqoF2zHQ8MVddZ1Q7QPqoF8MoQHNQNKRoED76TjZCvt5hIXtre4OhhuGmpPh+Pd/iBiecYGj
fI4LrAqCTPSclac1XpNEiUVRbkUG1zO/DX9mz74Zepy6x3dwF+hMMzgYsKYZrT7/8PV3sCKwCVm4
ZnCxd47wDIKBkE0RELmJY4KAU+CZdQrrYQYG4S672v8KAHi+/u7lJd7Zui+AIMwod/SDKoEJ2xUm
8wDua5RYpggYz/R0kiJ9r+yLbkAK98LfCI2dDdzH9vg3wkSyuwgUqYjjxydmmOhnn2M064p6PF/I
ay53xOdPkeAY4U3wQzhWNQvJdAkJ3lZJ4mgIFBiTv/x1TJBrdm4EgZIKpNgFQcie+i97QxO/wAb+
2hIwQGxChYt3x3nR2Aq+jTHTIVrjiIKxnjiSQArmsPjYdcBfQbzT2N7XR/NLRIulEZDjSBzOqXDy
nanNnX+cainHpjoWFO/7hcNv/w9v25WECmVuZHN0cmVhbQplbmRvYmoKMjAgMCBvYmoKNjMxNApl
bmRvYmoKMTggMCBvYmoKPDwgL1R5cGUgL1BhZ2UgL1BhcmVudCAzIDAgUiAvUmVzb3VyY2VzIDIx
IDAgUiAvQ29udGVudHMgMTkgMCBSIC9NZWRpYUJveApbMCAwIDYxMiA3OTJdID4+CmVuZG9iagoy
MSAwIG9iago8PCAvUHJvY1NldCBbIC9QREYgL1RleHQgXSAvQ29sb3JTcGFjZSA8PCAvQ3MxIDcg
MCBSID4+IC9Gb250IDw8IC9UVDkgMjIgMCBSCi9UVDggMTUgMCBSIC9UVDEyIDI1IDAgUiAvVFQx
NCAyNyAwIFIgL1RUMTAgMjMgMCBSIC9UVDYgMTMgMCBSID4+ID4+CmVuZG9iagoyOSAwIG9iago8
PCAvTGVuZ3RoIDMwIDAgUiAvRmlsdGVyIC9GbGF0ZURlY29kZSA+PgpzdHJlYW0KeAHtXWuXHLdx
/T6/osXlLIdcTrPfM6NHKOpBxXEsUc7KSay185As5/hIOUfRb8r/zC2g7m10Y7pnKCv5FOt4u6cB
FApVtwqFArr5Y/Fl8WNRN2XT9Qde66I/Hsq+OvbFYfCb//pT8Y/FfxYvPv6pLr75qajCfz99g8YV
2sbfdnOqyqrqD3VxqI7loe6azTc/FB/dF31s4Zf7H4oX9/fHoi7uvyu+LnbvPDUyxe6RXx92frN9
WuxDydEe1JvdCz5QlYenVtQVuzpUKXZq0z4JldtipzpdeILK26ebSPgL7+kPLPkHfyAyN/7gsV1B
TAV39qA2rjeBx3JWUSzuA23UVFNxlhGtAmPgcFkWbCP6t4E+5CeyPuDN+KTi+MilZHIFUzc+QhFR
m0XhiBVVbQIH/WYnvk+Uiyp7nURSf2Sdz026kMvHdu2L3W+NJ9Ptgz3AzW9n13nHxY5Dp+KSbjd/
KO7/rvj0PtjDFNLdAf0dDidBuliF9AaQ3vVPi/u/LJHryn5o2jk5M5yqKe6/mdrKZm4rt09McwBT
tX3+osIglzmXMQ4n9NnLGIH8s30Vk76gp2F5GKdT2Z2aqitmtNcNHQSj0mjgVIWQFQG12b20mhil
wCJoZHZODMrM2Nb1u9mpLas+cz6EERaIhkrEwN9EC9rsWJd2OOO92ImIAJ5Tg3MyDwTckpyYVGU5
O/YkXg60Cq+72X0WnsAHiBuRYQekogJVpa/xDje7rKpcDG2INXhlJ8+jlArKPDH3vF8SU4m60dAT
eiYvGD57Ys9kXkRk1nrCqhowTAjeA96EHFypMpuNcpVtzLFfY4bHqhzarllzIBvOiRoFscqrHLfQ
wOHx6uPejFigjNSW45acBVVWlfBGpEpImQl+YfYE8ElboiuRiylRIQ/zKsk8JpvQzTg9+wROKnQt
4ltkOSLJa14FGGUQkUmdaBM1PmC/Go43TbyN+qGXIyfqRY11Iyab4B+A95lWC/PKAYXkQMyrv7kZ
bUbFSJAcB8mTNz4XR0KGk08seoyw2ErkUfkaixiGsjtoYlqfPChFjlscSjdSAauqRKIho2q8KE0O
LjEjNs44EPlcszRbSY9ExEHeWFLUjepoRIw6BRhV0ROOYPSZOb0oqU3uCNWRhpQJldBRz3Gs4wwp
ZIqljAZFqaoUjzc5MxeJM1ElI3kJpY8J8w+bxQivrcvDgAXQMJzK/iQH3bZhYeOXNDja7P55OTTq
2qFsa0R4g6P7sr+3CWQpYByjuG4IUZyTi1Fcdzli/JcbW/aEWMo0ZaFjvDx6CCsSPHjkT/xi/gNP
Hz9dCYvrAU6oPjbFMGVrwYYtLMZKT1D5vcd3iu8/Q59hDlGVVvqVXqOTGtFK9X4QGoNlNRZq9SQH
yS8fBMQRqG+yx6tArpGRKV6d242Wf6I1q5FMkrkjoQ21t1zmyvBZREPkb4k4k5d4vbOYCTLW3K7h
ZESyAEEzEu1d0xvbkqGk6TUTSNuULSzW0wxhYZObxHRhAxhWABJG8qTa2uhwt0f3uGBECMAslYC/
txV4wxUs4+9+G39BD/i1tbHj6s2RnsCPF7HGWGS0oHv8PWxfRzJjYSCzNks2Q1P2XXUqhjODzFeK
2SBv1dfdTeT6YddgaCbWzdmlboukzelQDerRXU0QKwLT2dqUPSpm/WD74jF8SjlsK/MtT549EwuP
H48iO764GZ+jKtQQ6q/56NEL1seyuRBEQ7T3322g59GF0Hx4lV0pvBHOZQGKZlEUUzwqIhk1khHm
hiR78Tobw0SI4NTaxBHWI+pA/OlJ1uX/uT1G70Y+aLgSoEQgcXGcGsNcFME81kWR5LBERt5E9KSq
RUenjJ9ygJJ+4nLiEKVDBsXShpeEFV+sOwZZakVXxtbqiKLTQFazfde4v6rDJMyAxVZESOy0i4Ya
7MKm4cc+wz/s7m6Gm4fdM+MIbmq42Z8e4AVt3sDPh6c3exuVObA1T1WfDmXVtnUxTPhZy2StRTw1
kkvDoYcbupocxvShpEoxS+5UiOAie4sgTkL8DAvC2jhzWaCSJCJIPTY9C42MKo1HNkMiwu8LTt00
Io0mG6eAN4ep0mebxBOqSzWjvDLCkhe546JDNdUjafxuDSdd35T14dRLsZd3B1ZxgunKdhuwX9GV
9ZjfPBeCniL2d/+9HGjXdVv2Td9cQ66unF6xQq8ZrmZv3Av5UAh4NwS1SFJJyIQRAvPgNKUGSl8Y
kZKJHlVVFTqucbmmnvPKokckyILIk9tJYkrqKeNBuBJZVlEb0I8ZOvEiKejJFZ7cZTiOUaCncxY1
JgIy09QE58wl6SI5B4kja60O1dG/ykQ2tvs2221ArIfNBtuDi5heWzw6BkH5/i/nI7paJoKl7Wlc
2q6byGZpLTqayGVybiKb3VUmcpneUWHmJ1ztCS0ZjiRsVSHcLRkSg7n/h3uay5YIV+Auqf5M3PuO
h8jQWGh6KqCX4Zwr5ugnqENZF0llLUTz7wNqkL3XE7bJ3KmoyqzlsQxPy4FZX2E5aqmf3vH8S01w
PaaS9TzpW01wl8m93QR3md44wV3e7H8TckOb3Zd2xa5C/J0ojnihsqWm0cilQtf2OANwrhQM+EA6
Frp1M+vof2+Su2JKG6ePM5vVbXsom+PxVPRXq+S6CKury9P6cY63AuBlcm8HwMv03gaAPsFsdp8G
nwEIvmYs9ln25G/5RIA6A88YyyzDc0zRE42ixgcOz81OqNTNDJ7JJrCmPzpOkJX72syDjwbruPZ0
hPtyeV4OPrDwEmOZl1bvMlCNag3ovrMHoGOhlTpsRcT03LLyLJrzaDHZjdO8lklrkVordv9tLRXe
WQb81PdXii2cEAHlxSBLMVtzuBizxaDoumXNOrkNjmS9ndFN6S3kHrIDLL/ZN/X2ye0t/noaFvJH
hgE4x9/tLdSDaxMf3tWedoVN4fhXXvpmC2SjfmxlgBtJ7ePDKvaWAL/40SLA5Nhai50anFbDSnI6
pnNhsjsSuc0zQfwYdWNJeVxPVk7c5kIQr4XpZXKJBpejeC1Mp/Ri+uhsZtnAkXhQy+7++ye/gYFC
2t9MJDtbz9QHSOAwHIve+7oiIlo5PVUfDuVxqLFGn5K7NvH/GtEHWEZEgb9bZsgdJ2VI/iP2RJmj
cJr0Z32HmWFSWwDm4uyX9gXG5P82EsOxpKz69pORI/nlbFHYDsjLdzX88nTU18DzTJAgeHYh0abd
k3PkJvA8f6JNi8IryCXwXPZ/hOcV9BJMerDImUBzj3w4Zl9fgNDh5ytATrakAs2FEFSxoZo8m+dg
lILOe+bkqxJRiZycOe6mGVNtSETj0eRHJr0kyZhrRlYjZVHEgsioJ/W9DwIDaNVKlSlCnrVTY/U0
BjscpLqUqMi5n627kGbuKgtuLd+HZdZh3PVb3qcvdt8uz7NdXZcDSBXX40xO/4xVaYeqO5zKw5iN
XPGqs1PQ5lVvS5MSRH6Dqc9vDbd4sj+9MD3gDjn6rd96Fb+UFiGhwmMWhw25h6db0xuel+byLOmP
bTrbgcWjentXMsn/8JS9swFYwl7dFtXvXmA3wMnU9sDvwyWsrpb9V9dDIqfhUFA06/uKWciwPz0+
bD+PftkdLGC23N+oiqEPBzouTzqIYwVhoVGwx0a6n07QvrVqC/CqrSfyGnQrauQmlmwWKLadu54r
qEXyCbHF/IlpK2w0ihO5CBVpp4zrGNq6gSzsfKiqqMhlsK6T3ewUdmsckhOlohJJWVVEVztlqkzf
QS5VIO4oSXFJ5kB1llyeOyudX02yDmJK7ksrH45EPYmZKzTBvd84oGTFAiLXYLyvy24hxswsiYxK
RhKwRjcWIZgOk5+rcHPmFQtKVFqmzEVldRA13i+pgwv2QbihRp95xUEO82ZHUwM8GRyVyd9FdiYs
b6q+bKuhL7oVkfFQA2I1Hlny9agkJDvQjdR9GUdJ7ogIVmsBK8eRnsheuf0vDc52Yi5kASDi8bT4
eKJKvEiB1Kg4UBWZq/zc8xAwYMtKkiFAaAdqvJYACL525OktLFzk2R+NSmLTuDSevAhUrjE85Nr6
MScWMXvF5vtwY9IBYI0VXGzDHfvu1uniEcW6bbFArY5F5536DLrS6XTJ9uxh9/LmDnED+7RJDp3j
kalx5MYr3Oz9BkcF4lmAcFTgzp/emTGgEeKAx/7IQw9EDGaH/vBht0fcKmFmGae2swXyCZHBdFzn
liJceIfl4fmVctthedh09ZzcheWhJ1EqgGUpKdP2OHbUt5kC5owmUl97C6jF2a6mPWaMRn3mS/DM
kZtgcXhtf/fwtL51IN2UOKT2mKFbuTV3EvAVosBnfoTjvOTwul956KqMofn4kpAVOl5MMYwRWI2U
IoLhNOI769cTwSEWex9eB6zDewg72aq4Rvxe1Yeu6KZ9TFjOBCfPJPs3qKbOcPndu82ObkUeT953
vOG0edavxJ50LlOtOBfIPWUPMvfuA0jCPjpbzvIamQbNGi1v1B+oxW3Rq9eZ5yJmyocHRTRnShiK
FHL5c8gzf4/DKyJDtjUgDZGNswWpRKy49pOgcMDrdbjBdMU9qTcW8aAgP08sOcXpMHkJQhxoOiQr
YpJcUzpUJZouu/zRhKp2McCbRCt24lF9SmS55AVe1Zkr5RpMESfSI1HH0SpsFAeqyraSncRL2amE
VJ3pt9v+EBWNVE/eZahCdsmTmFRVIUhUNCKNMW/FkczQnCRTBBjdaHVJpogY9SxBsQa7EUsUmODO
GmuW4R6wFTSEI+9w3D9NmPXlYD52cXlOdBZOw8bIp+iRT7URFWhieRqQnbTHU9mMm+Rhzs9n0onF
2FlIJnXLqrwrG3AF3lanyrqrcEp66Ap2eHmXLJ0qsaVVnY5Ve4Kr6av+iHgFdwdko/AOSrH2Tn07
xNOevkiyAdZDOOwZtzL6eIkvqgxawLxXA0UYlKkJl9vyud+9v+9DxhujxfMnk1oAi8UOsejmyf5j
5InWtNA0bdkeihmLztE5xgI7jLYuf0/AAkVb5U4WiFdo9x1LqtlaIwig3uqEazzbGkLbVXjVp7o8
9i207RwsaHsavxDLskrZU+L7GQu48Qn32IcI8QgNlqaeeSiakDyVLCZZtEVaqjIeiZdPEZMZPQ4j
+rBkViBrMn0xT2bp9jhePvfOpomhZetGjFzCSDLxL0T0WbjnW4yO+O3ti+fcWQyg33ZeAjYj3MVK
tlbp+t7Sz5eAkETI8C4u941CDIp0VIj0kC+JUUn8ZPHv6PiaieObxL+Zu5OHp7KlQnFE/FGFKjgH
r5giUhV5c83XSmrIBAgFTm5qnAuA6PEqSfIkQfiMBbLNbgTvNMqJViHUim09yVpr8GKXs+X4jmJe
R6PPxayuVMSDaMSIJJaZG12BeFHPbJtN/+JEVQW8bKxzsuP7aOJVVahFdjwOi4lNtYmQS0I4tpGK
OK6MI+kO/cokMhMdTaLuy1ovRpiDxYsRy28w4WxBTPa9wbTw8gm2Xu7xmQ3kTPaWmPnK9ADvUN75
RLL94s39V3gTXYxkttn0eNW/xnzofFzegDBPwekwO5fTt0g+nIY5uYujshTm7lff/nqFNLaWQ050
xulVpOHfDts/Bc958/iufGmpn/Cr1jtgb+5DiPHVmrDMxzdDC8861dpZR6ZTwALguDqceYvkewSC
oFrhSfQBdBe8qiqBLXtRCVEqYtqdkFci9olwuV0BmVVBZBlHI6CruqzHLc8I6CuSjc9CVvzOxgAE
G8O4PJO2anMTBm1s8sUyr/kIe4HGM8pOj7zIfyPn5w/wol+sYp4kkA/E3nwXf34WLx5Mnz880JzM
UE9F6+M7F11NJ/U1Q5G4Ggsbrt0U4eqfGpGebXQhEqPC6ZbcxyVZgAwsi20577JFRMjaEYAM1mMM
RyJk3V36ZvwGDVlmt+0a3BqcGsURm6FI5Le5+PkuDXXelwp87klOJpAdyZoiVhtajuYGlbhBrk1K
akSW1Pj3nuKZv3ieBLfkbS5c8Rrkv2y0XY313AHHdSjFv8774+BPif+f5uSuctG7X33962Xv3zXH
shuwrTDj9DrSBwh1acrqsGHRD93byACzyWVLjLpJ4kCFGxle5Gml+1GBSegTZwGFWqi8rNnRv9jG
5RhfBHm1m6UXpLG0iOHFE6Dc/G/463OlMYVnGJj+bhEI4geMGn8xLvx9d89X1fn9L1/HeHMnto1t
nkRq8YBl9FKgscUUJ4JN44RhIXgY958WP4LWnIZyOOHduMYHnuQgVuOqEIHsb7Y3FkxV4WVTY3UJ
Nm0PuTY44tPgq2v2mrf3s3bE5+sVckONLTpsEczYPhtZQAwWLv1ujVxXDse6fxtyKzaic3hNhyBs
nNy7Pnx3xC8xnVN3zh6WAkvCAyCxVm7hvaf0gM4Q+q7S7T989WqFdIvtL7T/OZQPp/bd97rD+8MH
2CJc4h2fknOf+TN4f/XeRx9/8s4j7H3dYjsToQyCnttnd88fnu6f37xz9wyRzOJOVXscyqYa4F29
43GnakVo3DGsYW9LQ+rs7eUen8ibUZ6rwTJHUi+2ZZfojc5n5ZDyNFY641I5IXKSk3NkASdiOJbo
GjWXKhBmVYbM/C3/Kqcs6gjS/fBlFs1oYarmaiU6KqL/p7eX3768RFYIzqFHtpNYCTPGsu9vcKyv
PXSYK6fiD74/z0ROFbGLX7h4VFW323dx9g5sL6m5xdsEp7oHIL2fK6KHlRPTQGB5si9LXk8OqFEm
RsqnwHVOTYdDpS3KdT1uCgG12ihgZWOVEFzsWJrWDUvEEsEBF76sxw4v1uJF9FG+55YcTJu5nYOp
JXWNTrzCx6MmIUHuPxwUsvaPPv30PfjdxEO+ev/1oYP0l7rDGQR71b0uGu/O0TF3KpaFVDcQ8jI9
5A4NHVNyV00Zn7384PXLVy97c7+vfqb77bBpUzX4ZgUZ+MXcb4/TwvVgYfNUMXNJvbX7rcFyEvtN
Yomp1Z9xv3Jkwnnu47KPHcu/MqsgKuNKUIYqL60elJ2gwahEaU/5RjljWRk7p3FxqSki6pAl4g5V
lu0QX1rAV9ewgUV5OpIv5+o8mEYOLjnuYvs85d64RjRbb+0zuTZuC3vte0TxuVVCfFDi1BM+SMSH
T/wGXyiy04QhY2KnmpZ511SM2LI8jWe9J1igD4mBG7BASUpVdHGCQOYNJVtVkaboZVVFJaoLRcQp
XLqil1VdIUA3BImoeAcb2wyEckyizIt8bovp5DOq8zZ6ORALDDZWICDGhRdhLosRVHeGseRbDKIi
7rTIE1t5nTF5qPks65xCU2vRY9BBzVInqBkFz6biKRuImFSJ6rpKkjFCN8ug7FoEKM0Jb+w4KM9N
bJmDmg8hCf9m+yoaPmU2ngmQ4tKDM8ucjuaD9Zml6S6HODAfSUq9yVmJtey7ABKm8Ed85/JWFSc3
HvcSfeqTV/EkSBAKYjLCKUkvqeMZlhO7knmyHzGAfoAsmNxHtEFW0UhlyeJJreVw4hm1BFl5XQJB
dKn20ZFpjNpsyvumuC/iTBwcwkohdTPztBBlnA09L/Cz21fIXP1LWnEelg8b4Z5XvTAPX2MKCPuP
4+mV9ZkkG45wqBKppKUGVEQpUSV5Y4kgSjgBL0UuhErjumF/kpI6Fk/EYVZVYFObJSM58xU9wXE+
QA1HLM18/MpZ81GzHDqvEpsSjejnktvniDVQUZH38aIkWa6BSSr5iNRcBFWZTpH6VuOcCRo9rxKY
2nCPmlJY3d2xtZaddSpqR/flKemK7R38QyV4cw+2Mq4V4j+dsFmxmt129X/LK6Qan3LBmyP2z6PE
Xn2yWlj3T6O+5V6tw3gU22dD0I//SkPxQ4HMZ/x0mJ59P31mH4Mpvuc/txKahu/DfF/8R/Fdvhs9
kpsIblVcyykzMYwD2Mnb7c0hpC39cvXnkk9tie/84YRPjXVa8iKTyRfn7ZFTx2rXDojFSxbAbDE7
7IeQLd/jq3wG1D3mx635I/uNNdMeH5GA4dlPMwq89xJ+xV0E/II3sCZsQQpsSpKI7hJKZvVoZHaH
f9QELsfWGv8Uq7AFjMRahJUG+oEvm7BopgoSZt5oG1iLyXp7yt5DBzH6wVPn37uDRYeq4Hh5imkA
4H7A25cUcALgMwKeAhhxlx38S8bt/ISuR2796ZQ9l7mXbf8MOlCBi9mFYTEctPfntQ9stB2Q0eHz
DByBG/4EGCPflz6wIfxWOIs5ZmzO4tcTQN8u+wfhFx9PsU/ktIlXOiPeS/h1zRI52K7d46V54stB
F2Qn+IYXPSBDou68wpyi04eDH6EY40DTMUl4cXiNGKjDhlSAAIsdERYEJCYWSIsrNyrbkbJKjgXH
OgmRdafk8LGvLuzxuY/Jz7BFtmZNlrM0btx82T9iDaPl43YsuhxZl7ZGD+A+Y9qG3FhaYTRmt2EW
ehOqz0unw0slMoreWzqhKVkvS8zdzH469VrkkXzSpMOHN3CoppihcsFkws4XwoGQJjzz6iRN5ngM
n6Anxs+ajG9UhW258y8byWSw92Lf7SS5BZdPy462aB5pweU7al3aNB1eCYgg2viaLbyuI8HhSSBM
leEKI6HtqzcRave4HDY7HG7aH7Ai23rHM2OhLTlNekPHmhuEM+WGRVzal0MM0wHDy/OIk/QOotH+
VQP0EdAcENYa3pw578Z58l/kmAKk56AhOKzxXlBqo/NJ2ok5zt0GvFuqz5VhaSTwxP4m/sxnZXnN
qdED5suTpQMd/4AdNu+wJdsmk+UpnLdasSBA8zn0CbagN2ALnMNRdOgQ3hnv6+JHLLAPLsDbYoCo
hUFDxXtIykKFUDcW2CuYaBh/RLpAK1rED9XY0NEiNo8EIRsUG07BQ2wdiyEeFJiSwIP3HkuGpxv0
Hu+93AmnvefMxVIgJJHlzAU1BxwaaPDtH8oymRnhmeaRHc0cnMavt8f3uS00AtbAN5jEX3txFZep
87NUVeL8mhM21PGahXp2La7oLl13fPk/LPGMNQplbmRzdHJlYW0KZW5kb2JqCjMwIDAgb2JqCjY3
MDYKZW5kb2JqCjI4IDAgb2JqCjw8IC9UeXBlIC9QYWdlIC9QYXJlbnQgMyAwIFIgL1Jlc291cmNl
cyAzMSAwIFIgL0NvbnRlbnRzIDI5IDAgUiAvTWVkaWFCb3gKWzAgMCA2MTIgNzkyXSA+PgplbmRv
YmoKMzEgMCBvYmoKPDwgL1Byb2NTZXQgWyAvUERGIC9UZXh0IF0gL0NvbG9yU3BhY2UgPDwgL0Nz
MSA3IDAgUiA+PiAvRm9udCA8PCAvVFQ5IDIyIDAgUgovVFQ4IDE1IDAgUiAvVFQxNCAyNyAwIFIg
L1RUMTAgMjMgMCBSIC9UVDYgMTMgMCBSID4+ID4+CmVuZG9iagozMyAwIG9iago8PCAvTGVuZ3Ro
IDM0IDAgUiAvRmlsdGVyIC9GbGF0ZURlY29kZSA+PgpzdHJlYW0KeAGlXGuP4zh2/e5foWmXXa6q
sUoPS7ZnM9OLefXOBoOtxhaQD/EGAQZpJAFmgc38fyDnkvccSmJJds+i0SVbJO+L98VL0v8oPhb/
KOqmbA7dkc+66E7HsqtOXXHs/cP//Vfxb8Xfi+fvfquLX34rqrKtzqeqPeNTV3WnU3NYVeXxUNfH
vit++wVAK8AsKvtnH85VWVXdsS6O1bE8nw9N8cuvxbevaKyq5li8/lJ0sXd8rF5/LZ5fX/uiLl4/
Ff9e7L7fPhRNsTuGv134e9mFx788oNNuE/7uw98fwt+nh+JvxeufVz+8Bh7H5NSHY3nsz4cpOSMi
ihERO+Bbvf5vEeAFvhb57E99eTqKzy6O8Mfrrytwd0rcPRT7qgQb6wcTV7EDI/EFuAgNxmxoAaNo
ZG9iago0OSAwIG9iago8PCAvTGVuZ3RoIDUwIDAgUiAvTGVuZ3RoMSAxNDkxNiAvRmlsdGVyIC9G
bGF0ZURlY29kZSA+PgpzdHJlYW0KeAHVewd0XMXV/7yyvfddrbRFT7uWtJLVq1We1Wx1ydLaK1d1
y1W2bGNsMHZMMZGBAAYSek2AKAmrNRhBCNUhXwqhxCH5kkBIryKEhAQIkv533t1VSyMn5/zP+da6
7zf3zp12586dmbfrg2OHhoiGnCAcyR3Y07ePSB/fWwBrBy466JNYYo4QItMP79u+B3nHCCEqy/bd
R4aR928mxPn0yFDfIPLkI8DiERAgzxQCpo3sOXgx8r5LAQd3jw7E8/3pwBfu6bs43j75EfC+vX17
hlC/PBkwfd/YUDyfgf4YZ0D2FiUZ2dc3MDTWt3f7kLoiN7eqoqGhSj20d5AwkOsiF4iCRIFYYiQ5
pBd6/humjfCQS/NZQq467blim6HiPeJSgoCQL//u0m9RfGHVg7/8KG/2gOqc4i7QU1Fd6QPlFHfN
/IAQddtHeTM/UZ1TEua2eB6Ca1LFTbFHY54q7xR7BOHimEcD3GGEi2KecuAOIRxElQMxzyoQjsU8
FQD7EfYhjMY8lSDci7AHC+xG2BVLWQ15OxF2xFJqgBuJpdQCbEcYRhhCGEQYwAL9WKAPoRfztiFs
jSXXQy1bEDYjbELYiNCDEEHYgLAeIYzQjbAOoROhA6EdoS2WXAcNtSLXgtCM0ITQiLAWYQ1CA0I9
Ql3M3Qi11MbcTQA1CKsRxJi7GYTVCFUxdwtwlQgVCKsQyhG6EMqwzlKEEqysGKEIoRDrLEDIx3J5
CLkIOQgrEbKxsiwsHsJymZiXgZCOsAI1gwgBLJCGIGC5VNT0I/gQvAgehJRYUhuMNhnBHUtqBy4J
wYXgxDwHgh2FNgQrggXzzAgmFBqRMyDoUahD0CJoENQIqpirA1pXxlydAAoEOYIMgUcVDjkWgUEg
EjBzCLMIM1IB5iPk/obwIcIHCO8j/BXhLzFnl3eKeQ/hzzFnN3B/QngX4Y8I76DKHxDeRuE0wu8R
fofwW1T5DcKvEX6Feb9E+AXCzxF+hio/RfgJCt9C+DHCmwhvxBzroYM/QvhhzLEBuB8g/C8Kv4/w
PRS+jvBdhAsI30GV15B7FblXEF5G4bcRXkL4FsI3Eb6Bml9H+B8Ufg3hRYSvIpyP2SHyMS/E7NUA
zyM8F7NvAu5ZhGcQnkb4CsJTCF9GeBLLPYEwhcLHEc4hPIbwKMJZhBjCJJaLYl8eQe5LCF9ElS8g
TCB8HuFhhIew3INY4HMo/CzCAwj3I9yHcC/CPQh3I9wVs/XDoO9EuCNmGwDu9phtEOC2mG0I4NaY
bRjgMwifRrgF4WaEmxDOINwYs/VBgRuwzuuxzk9hndchXItVX4MFTiOMo+YnUeXqmC0MtZzCyq7C
yq5EuAI1L8daTmLxTyCcQDiOcBnCMYRLES5BOBqzwd7BHMEWLsaqDyNchC0cwr4cRDiA7Y1h8f0I
+xBGEfYi7EHYjbALh7IT29uBMBKzFUPr2xGGY9aTwA3FrHQdDcasxwEGYlZqgn4U9sWsInC9KNyG
wq0x62Ug3BKzXg6wOWa9EmBTzAJ7MbMxZvEA9CBEYhY1cBsQ1scssNsz4ZgFtnmmG6ELYV3MAts8
0xmzwDbPdCC0x8zUWG0xcwNAK0ILCpsRmlDYiLAWYU3MDPsm04Aq9SisQ6iNmdZAXk3MRMPF6pgp
AiDGTD0A1THTRoAqhMqYia7NCoRVCOUIZTFTCPJKY6YsgJKYqQygGKEoZqLdLcSGChDyYyZq1jyE
3JiJmjwHYSX2JRshC7sUwi5lImRgl9IRVmAngggBhDQEAQukoqYfu+TDTnixPQ9CCmomI7ixeBKC
C8GJmg4EO3bQhmDFflqwITOCCcsZEQwIegQdqmiR08SMW8AE6phxK4AqZtwGoERQIMgRZKjJoyaH
QhaBQSDiHJSfgxpnAWeAPgL6G9CHIPsAmngf0n8F+gvQe0B/NvR7/wT0rmHA+0fDoPcdoD8AvQ00
DfLfA/0O8n4L/G+Afg30K6BfgvwXQD+H9M8Afwr0E9B7C/gfA70J9AbQj4B+CPQD/Xbv/+pHvN8H
+h7Q60DfBdkFwO8AvQb0KvCvAL4M9G2gl4C+BfRNoG8AfR3of3S7vF/T7fa+qMv0fhXwvC7L+wLI
nof0c7o9XnHuWd1O7zO6Hd6ndSPer0DOU7o875eBngR6QrvfO6Ud8z6uPeA9pz3ofQzoUaCzwMcA
J0EnCvQI0JeAvgj0BaAJoM8DPay5zPuQ5qj3Qc0R7+cAP6u51PuA5pj3fpDfB3Qv0D1AdwPdBXQn
0B1AtwPdpsn23gr0GfWD3k+rP+u9BfBmoJuAzgDdqB7x3qA+6b1efbv3U+o7vdep7/ZeC/JrgK7k
At4ruFLv5Uyp92T4RPgTEyfCx8PHwpdNHAtrjjGaY+5jzccuOTZx7IfHxFa5+tLw0fAlE0fDR8KH
wxdPHA5fNHEozB+yHjp4iPvzIWbiEFN3iMk9xLDkkPGQ7xCnPRgeCx+YGAuTsY6xE2PRMX5VdOyt
MZaMMeqpuWfPjrk9DYDipWM6Y8P+8Gh438RoeO/wnvBO6NaO0u3hkYnt4eHSwfDQxGB4oLQ/3Ffa
G95WuiW8dWJLeHPpxvCmiY3hntJIeAPory/tDocnusNdpZ3hdROd4fbStnAbyFtLm8MtE83hptK1
4caJteE1pQ3hehgySTYm+5I5I+1AWzL0hLiZmly36H7L/Y6bJ+6o+1k3ZzYkeZPYDIOLqW13MaOu
465PuTiD82UnKzozshoMjpcdP3b8wcFbREfGygZiN9p9ds5Gx2Zv7aZjO2uvrkPMK5LG2moXgg0G
G2OweW1svdfGENNbpndMnO0Z48tG1mBgDIY5AysaQN2g9+pZ+pjTc6I+r6TBoPPqWPqY03F2UQcS
2vkV2o7uBoPGq2HD1Zp2DStqqmsbRE12bgPhGB8DV04jAKcE3UcZm7eBe0q6hcoIw1w/2d0VCjVP
KebWNUdVHZuizNXRQBd9ip0bo/KroyS8cVNkkmGu65lk2NruqLW5cyPyV157LUmpaY6mdEVi3D33
pNT0NEdP0LQoSuk5miag0hPaeuDQgVDo4FZ4bD1wMCT9Acccohx8IAP+DhwEnv4DAJ7QnH/+QTXQ
23YAPlI1wCD+81L/V3OY/6sd///Ub+e2rdI7EHhnQmbPLHkr0kF2kgPwrukEuYpcS86QZ8gPST+5
HFK3knvI58jD8J7mOfJ18r0lpf5LZvaIbA/Rco8TObEQMvfh3PTs54CmZPpFkjPAWXjfgmTOOPf2
Mtnbs2fmjLNTcjNRS2V17GtQ25+YmbkP2WooqZsrpjx7CtIGqaU/Ku6afWT2wSUDaCItpJuEyXqy
gfSQdtIG1EE6SSvZQraRPjJABskQGSbbyQjZAfbaRXaTPWQv0DAZJfvIfjIGNjxIDpGLIH0wLkH+
YnKEHCXHCOIl5FJIH4HnUSl1GTkOlv8ESeDJOH9ykeRyciXMxxXwvIqcIleTTwLS51LZUm6cnCbX
wHxeRz5FEumF1GIpTV9Pbga6gdwIs34TpD8Dc38buZ3cIUnPkFvIpyXubnIf5N+yRJfmLejfSe4i
d4Pf3Aua94P3PLhMl2reTZ4iXwGfepE8Dd72DKSeJ09A+nnyY3h3+HPyK/Jr8hsmxBQza8i75M/k
ZbD+MFid2nyf9NwBz+3zFj8Mtj1K0LKXgS0XW2ocZgTz0MInJauhFcfJYbDpKZiNk4vKjEvzRWeJ
1kWtmrD6gkXRVtRSCzK03Jl5yYI9E/OwILl5ic2WWvA2sPotiyyasP1iyy5O30sWc4vT95PPwhw8
AE86D8u5hPwhWOGUPk8myBcghc8FPpH6IvkSeQRiwSQ5Sx4j58jjZGqefxS4hfwYaDw6r/OP5U+S
L0te8Ax5Vpr/F8h5QmXPkBfAFzAXPeMF4J4C+fPkaxCFvkm+RV4iXwXf+ZpE3yTfBv94lbwGUetH
5M24B70ueZDAhMgr5FU+SL4v0zMy7lnyPNtGLgb+e+yt4OtEbNi2dcvmTRt7IuHurnWdHe1trS3N
TY1r1zTU19XWrBarqyorVpWXlZYUF+WszM5KDwbShFSv02oyGnQatUqpkMt4jmVIVr3Q0OuLBnuj
fFBYuzab8kIfCPoWCXqjPhA1LNWJ+mi5PshaoimC5vAyTRE1xXlNxuirIBXZWb56wRd9qU7wwd23
MwLpa+uEHl90Wkq3Smk+KDE6YPx+KOGrd47U+aJMr68+2nDRyHh9b112FjOpUdcKtUPq7CwyqdZA
UgOpaLqwb5JJr2KkBJteXz7JEqWONhvlAvV9g9GOzkh9ndvv75FkpFaqKyqvjSqkunw7otBncto3
mfXs+DVTRtLfG9IOCoN9myNRrg8KjXP14+OnoqZQNEOoi2Yc/bkTDDgUzRLq6qMhATrWvG6+ASYq
CxgF3/h7BDovTP8eer1I0heXyAPG9wjNpEOcN1OU6UukCfQNegjj8/tpX05PiaQfmOiJzgjyPtLv
jhExJ9QTZXtpzrOJHFuY5pxI5MwX7xXAsvVCfW/876IRZ/REvy87C2ZW+gtE+QDk+6JcsLd/YIRi
39C4UAcjBFuS7khUrIOE2Bc3Zv1kbg7o9/XCIHZQM3RGojnCvqhVqEFrgwAqCdTv6IpIRVBaH7XW
RknvQLxUNKceyoKL1I/TiaEdpHUJnZEnSMHcW5OFPvfZAlJIemg/ovZamJRg/XhkcDjq7XUPgn8O
+yJuf1TsAfP1CJGhHjpLgjGa8RY0Bx+YQKkUjG2ZdkIZhh1VBJS+COvmeuhsgcDXAA+hpgIyjFE5
snRGayp8EcZNEmrQSlyDppbUAwwXqF0LhQGhaO1atx+cW/r8iy65cQDQjahyvk88dEK20Cds5592
DbVphzJ89UN1izq4pFJgpA7Ga/vH/WSpLeLGgC4o6XSupWPIzmIh7YNsZZSFcUoiOotOX5R0+CLC
kNAjgA+JHRE6OdTW0vw2dwn0BiLNdtxLupdwmF+KeVHib+6OJBi4v0SiDSFpXum0SvwaiZ9n1y7L
bkxk+8aVQnPXOG1ciFdIfLCCYHLkwca+06XmQlisDRAohYY+wWf0NYz3Tc2d6B+fFMXxffW9I+Ww
DMaFxsFxoStSAXMprftj7qO0aTNpZpq7a7KzIPbUTArM1Z2TInN118bIE0b4SvLq7kiMhdtXb03P
ZBrkRZ7wQWyXpCyVUiFV8VGG1rQOGKWk735CJOSElMtLAokfmGKIJEMlkDFkYIpFmTGhx4KMR5ko
yXrgAyvMOQJTAHG43jdIp+fSnpHx3h66uIgdphL+mCgjVJEoK1TBnVGujaqFoZqoRqih8moqr0a5
nMoVQk2UsTNgnCmISeO9AsQpcLkIXMZ7wDuM1PvZgG9qbq474n/JPd3jhyWxGWhjJKoKwT4gCzSB
3hpKvSBeEz0x0Ef7QcKw1OnKbBzogbWQqBBUGqMqqEEVrwE0GqQy1B2h0ADMDUygVP4EMNETPdGe
EG00soP2yOczRslaoRymHeuUBWlDOT3jZiGfOjaoRtWBUxRU0DfSFUGJG1hoDAIuHZFCCz0fECBr
oNcHM8CTgS5wdYylajpvIBmCkMgHhyRSu+OZhA6LC2h06qhqJVQIfzStWQkVwp+iB4xCBy9xp+IK
0LYxqoEeBReZMl4ArANZjbQv8HcKOk9Vn6PVdE6RdcLFEBppp6WmFJAd1QUa+yD4Y3kNSITSRGGo
SxmgIlrHeZQq6Mi1YHcu0D0196BwhEaAxCc7S6CbA3VM4n4CHJv0jC8XRDeFsrOUy6U6STw+rtT9
4wJoL6VuHqEWwusJYV4mhN9IuvmV5IBMS/byH5F1LE/W8alAKaST6yYtEr5GWgGrmddJNXc/qaIo
7ybVVMa7SRufMvc++7TE72Pm5m5mZaSJPUDWwkjwe35CtHAvKwfeT5zwawAt0cEtzQK5MqKEXwY4
CUv08EsIK7HDbyHgjgeTboMSJvje3wGlCJxXH2KqmWfYSzk/N8K9w5+W2WVn5U3yXyk2K95Vlqt0
qnvUenVMU6A5r5nR5mm3Qc1k9gD3A7gtctDiKunW1/5Ytj3brqxYrWamSSNRMIPQsI+5BjrBMIOi
mWcDJXKu060z7etkOusULAzyjTff2PLmGy8BvsTkvDH9+rRx5vVpc1lZTk5eLmPymySy6lmFQi4X
UleyJSXFxQUF+VVsUeFKVkjVAwWLCqvYkiquIN/DMlQVNSUpKFMp94OPNnHtM3L2Em/93rY01uvW
W7UyxifzOpSV7SstBn9RerqY41Wo5axMKVdmlNel1m0tT5p9jFNoFGqf3Z6kl/EKrVLlc1lcen62
Qab/8F2Z/m+1/O6/3cTlFW5fVyz7jFrJ8nL5U25HYFWD3xXyWQwWo1Yvs9jNcoXFrAlWNs2cVjqS
HAq1WqE1qlVOp12pUsu1xplSsGI3eIsb7OkhIVJMTj/JHmMvI5EQfSEWhlNGFltyVq22kSm2VDR6
8wJ2myw4bfcm2XJzTYEpho0ldeZNMfxZ0dSdHnJWJ7VOV4Mdc8rAltNlTM6L+QUXpk1lOdN58O5R
8x8UzcvtkYzq4WxWPS/4U4MlFrCqH8yqoFMggN2rWK4wGE/xbn/lhpLMxsKU5LLw2LVbZh/2+1W/
VOS7GfvAVT1Zj9vzmivPdb3QPrzau+KiS97Y+Md1+1vSeXPlns0NDmVm9frCol19XVWp/gB/coXX
L27d7C8M2Ga3FHb2z/y0a9NsaU4r/DCHIQfm3uGPyDyklOxYaqmzKSnEOMWGz2XzSXySTTXFZMYK
u2xTTNZZMX39vGlM1MWYnOnzZeBo7sf+va5kB/QscDveZvWwdOAF+Xawi5K6JjgcT72NP6J36PRB
caile3y0uyQ5vWVvQ9v+zmKTRs3xMqXKVtt3pG74gQPV6W2Hbn/+YOPxjen8uK0qLRAKVO+65tY7
GjqOrc8SQoLRCK6T5LBYVwiuysOTB7Z9/emHjjf681fQ8e+de5ufk/lIA3ly6fgfzQxlEfcU84fH
sojPRyxTbMm5spBToXBqv8ysgLi3guFEQ7I7K5kwyckM4QrFLucUEzorFs5bx+wA4+SAiYzTRuo0
ZnAgainjheljp/Tnz1OL/ddVomPx1HILBi0usYCHSZb059sVnFyu0HOLjMvzc5xMqdYqDAXwHUHP
7SeH1wQKeq/urjpV3jz7Xa2Ok6m0BhVze7JLMcjrlKrG0dMtJ1+8qiFv86lHXjvacLS3xqnkP6Gw
OVwWTVp2oGjL8Zsf6I6c2pyT4mEOm4wKh9Np0QR9s3qLQ6US0ty1J84d2PXyk3eN1biETLuVWn7d
3If8uzIr/N5qmeVFu6DVpcI/pyNNow6QnIDakbkuTQAPFFNEjTOQk8qnONREx6cTLWPntFpzyjpz
WBamTlldDYuVwEU65CgD859Pap05X83kvPJcfsGxU+fPM07jiwX5RpoE45/976oFywfQqmBtLpHC
AKrg/JZE6n1WY/MnOX0WOTc2c3aMVdtTnUk+s5x9n9Ha/S6n3yxjtrMtI4zGLqnJWJdCq5DJ4MFW
zzyXSPM/SqRmPoA4HtdASzIfgiVtpH6pD4sGG9GobRqi5mXGdXEDgVUgjBXkSwHs7/MWDyo+ANgd
NQtd1tn9TjqWhU4udIz+Vo7OazrEXy/M7Mml/YHzAlsian2WdKVqBfyzWtKnGO5xq8OiUir1KyDs
PiY6OvU4kRB5adyFwDvN5LwUnzSYvws09D5B0j9OwcTaEOZnR9r17A4PpygMrgjGgy3Pp7uKuy66
dSS2hVU7/C6Hz6Jg31bm++fyW9OKN1T4zlWKznL/fcP3r+lvKvAZuDeLDo4OtIRms+ks0P2Mn0hP
VSi1+Y29LVU9ZgU/84GvsKG5ldqjc26a+wn3DRKE3f3aJ9nj7In53eisKkXpmWIeeRS6sko5xXzp
cWIIMhYumDfFekSHhahWrUgJyjl/Y+YHSU3F74v6Vq5F8nJpW6qWpnL6Anj7G9MFpgIaY8rotNo/
RkE6z4mjwOLQYHfQkwHdlRRgnkURuoTL4tMyrUlG6I+ubsvYqo4dVQ5bTvPOa3p6judb+GC61W3k
me/k7Kkr3lCb54WvuIpDJaO9TWaXSc8rNKrP+1rEzNLNBytLr7vpmtHatdWbjHpOqVX8vr6+oHvX
2N4sob5MqNx9I/xwkyEtYLX13NdJETm1zGbJycREzZOSXvjXdK+Mkan/ktPk+0s6cRldrJpzWT8U
A624P81ckCLBdDUktoTAjeLblJj8nxZFR4IAmwiy9oVNC85TGGnzPTy3XqG3aPWevOZycaAx16Pb
2LN6y+pMo1LFq3TOivbNeffebctvG7ulL71pdVGKgmszB/32lDRPUXj33u3B7Tt9GT6DXusXPK60
FMsD91XecGZ8lwhLLskc9yW+DL6ryCLVy+0iqv3Z1amQoUotoeZJsqVmcSsaQKhSErk+94PkpvLl
DgT+A+EyvikV5Cf2JNH1sYv+nRfxid3bkQh/TMKNJJOVcNlcWqYtyShjfZIXrdqwKmBT2HObd56O
hFqqCm3DjNrqczm9Zhk7+zo4U1G4Ls9nrGlc7EoP+ZurM7yF9Y1N3vLrbzi9q8biX+liZhU6GjV1
ipn++rV563bu37uyb3vFzhs3wCpsBX+6E1bhSlKx3HLnMvNL5DxRTbF6USWYtB7OahVyplidaCOC
/OmSkkyPyaTNfzWzSftj0RN3LTgVwoZugggFbnWBRioH7PImh7T+LB+jVMKjBLncZl3kTezSjRoO
h3QVsgrpdHinePWFm3YqZAOj4nBzrkql4pU6pbayezC/B86EruL1h+/o7z7UnPpwR9PqwdYS0/CO
a8MC+ws4q2f6q9yDOy12i06rTk5JUmkdFm1616Xdq2++8arhqsyazpKC6uyWodKk7ApYfdVzH3JR
2X6ymhxbuvpEYaUrbTVsKILGqVldyMssH4hlTYJLTdJWyj0ZDZ4WGQYoGpvo4VkKUTnn800FEMJp
bEr62OWobyU21eLixD1FkQjlTGJ71XMKTNqscgWXx6pt1H1MMmYUdlB3yFs0uq3Z1MGqrX6nC8Qs
o2ZVNth2vSae6ZDpDQa5sW7z6CpxY1mSUuFSapQ8Dw82K2m1MyVXsFbtuSk8uz8hlpUqIdrz8Jjd
kVRclGsWmqszA6s3FqbVCXSFguWYP8hy4NaYQXYutd2jGV6rB+4d/aJG7fV4rN4MPs1lmGLWnJOJ
aY2ueGB/s3XaJBntdbhnQFAHmz3+b3SpK8UNhYZIcPNL8DcyU3KmJyVoZmVysxtSAQs7+9cFk5yF
NSdZRMbw30oOOtRqRzA5OeBSqVyBv+Ulxs5dQXc6GLuCRugq8JGz4COFy9eTmMlbZGbC8Vwo02LN
gH9e0RzyZFp0uY1Wj1kW8mYoXGkNrhbdIleRwtD580m40cPZ2MQUgNPELSDa/m1paT3JFQxjpxcJ
KVLDCT1ulnlfiSe4sybX7BFGp1YqbUJSss+q5mffGgDPgaON1yRnGc2Ci9zP3Ku0JglOp9+i5O7R
JjlmJ2dXmV0KlU4pg+1Lxbw7q5MsBMZZ8I6PXmOOqHQKDu69uJ6YP4KtbGTNUp8QjXBCE9UEDmlw
RGuILx5p/qkp6IKBxbY8E8Zasmxkv1yYzMX+Pe/OCz2jcwdeKvsVRMNN5MFl/Smry85eWeawp/rb
UjeRTdA4nEfUpamariZT+gdiY1PpSj+cve3ZmtRNbXVl+oKqxoKW5PlVH1/20pk7J+c8nExMMI3m
svMAcOaU3Fn0/6d1LY8EGBETkwvX6KJ4kJwXxWNDPDA4FuKDbDszP8sQH/Iq83f1NtHoIE29Uc6M
KmT5FQU7UZgIGY8xKkuK1eY28EyqoX7znrKK9SVJnLVh8+7S2o2lziVhI6UwSWyp3HVm/ezexMJh
szzlrsrGpULuSnAYjh6AvpAKByN/WXuO0FKdGayJFAp1afFZ4qIwS+XkkmWzFMxLSnIHeT1HDIyV
M+gDtg/E4qaAW88nGfKCSl+o0deiWrS6IBAzOefpdMAUzM+D/d+Xiq+qebv+W1NzUaViPyyeRAhW
yAorlwfgJdas27q/ktqQfR1GPfPtBZN5y+2Vzf/SZBm1EYi4bbCzvwpWcsB9I7LUTvS+4RVVxGl0
shbOmUbPRRptynuWpoyfiYqFnRwOhvQQLb3TUf99tmQEeGez6N2E9Mpm4XDMc68ml0UOf3pL7ycj
me7yDVKqJ/NLtrz20or+1rKA2Z7XVlrZR1PsgabbPnXZ1pKVkROdTbddd3xrSU7kxMb8jhJPqLF/
9FBpfkepJ9TUv+8gYefen72JewXGlgnnvRuXjk3U+YuKtboiXZFT53DCtuIRk0MObXGRn1fkfhBs
cuicPt7sbjS3l72/aKzSAsVd+cJ0Dg2vcBnGcCvtzh+/gkVWWbHIP/DqEF9/8XeLCoWdnnB47hU8
52U3VRXaw6wK9hwHnPOYGVY6EsLi0tfCxaJlu5j8RXiVuKJ4X2+zyZ+zu64ILhR+A3tF+Q03nd69
2uwLJc12JPZh/rdwjYClNOFvXp1ZuOFwe2htYXLF7jMbPttQn9+9c2wfxjv2XbBjAdm9zIrqdJMp
xZxMUpK1U4xTNIrZTeZkU3rKCrkjtdGBSyh+lGEgoM3vSE/Aq4d/rb7IPtIBbt5Gy2KTHXoGe6pO
qbQ4PNbUnvVrTO0LwZzuzPHI43dUN3WuMAkeh1zO3cE7PD63WaFWrBq5rmt2NLFuFqLKAxktZaky
hUoup7FkH6ySn3JPwen30DILpGqcJK8iP09IczmJxpmW5xIq8lWykkZPY9b7orE1vifRGydeOGFf
Ok8PdCbprOv4GGXAFImTXHzfKiqEN1RxQ8DLqcRbwAVZFqM2p9isboOM9Rvrt4yW1W0pc6kUo4k9
Wsbslcs10umut9nczsAbFrp1yxgXBFSeXskfTm0W0wOre4r89QJbmIi1M68llaZ48tKslbtvjjDX
JcSEmbt59k2mGH7x4yCpk1pYT20xvcLyFaYTXvunx2/tIeOfX4JY8WJebgCOmtL78WAQBpJ4aV5c
kHNWlwmLXckpnnLIjK5AsgtODV8oO1D6bYNOpjRqGMtFbp9RLtPRbxWa5v7KZEotep+CSDUGXzhY
4H8DKFrSE1MUqqaXVtrc0vDDZMrUBmdWanKaVSnTGBwZwRTBqrhVH0xPdWqVFrfJuCLod+jUliQ6
92uZR9kythJOH47HiMb8M+VC/fT28hJ8QxB/JZ14YciWMXKlxqSe3aLTwot8rUHD3K/XsMlyq8Nh
1ZrNMosD3u/BlRQ+DHwTQv+XJIFvQmyEtLdv6GiqC9X27d7RP7Yju/EgJAbI/wPOprKyCmVuZHN0
cmVhbQplbmRvYmoKNTAgMCBvYmoKODQ2NgplbmRvYmoKMjUgMCBvYmoKPDwgL1R5cGUgL0ZvbnQg
L1N1YnR5cGUgL1RydWVUeXBlIC9CYXNlRm9udCAvTlNKQU1JK0NhbWJyaWEtSXRhbGljIC9Gb250
RGVzY3JpcHRvcgo1MSAwIFIgL1RvVW5pY29kZSA1MiAwIFIgL0ZpcnN0Q2hhciAzMyAvTGFzdENo
YXIgNDQgL1dpZHRocyBbIDM4MiAzNDUgNDA3CjUwNyA1MzUgNTIyIDIyMCA0NTcgNzk5IDUyNiAy
NzEgMjY3IF0gPj4KZW5kb2JqCjUyIDAgb2JqCjw8IC9MZW5ndGggNTMgMCBSIC9GaWx0ZXIgL0Zs
YXRlRGVjb2RlID4+CnN0cmVhbQp4AV2RTWrDMBCF9zqFlukiWFaapAFjKCkBL/pD3R5AlsaJoJaF
rCx8+z4pJoUu3sA3mjcezxTH5qVxNvLiI4y6pch760ygabwGTbyjs3WslNxYHRfKOT0ozwqY23mK
NDSuH3lVMc6LT1imGGa+ejZjRw8p9x4MBevOfPV9bHOmvXr/QwO5yAWra26oR7tX5d/UQLzI1nVj
8G7jvIbrr+Jr9sQxERzlbSQ9Gpq80hSUOxOrhKir06lm5My/p8XQ9fqiAqvkvkaxOHAEgyAFghLZ
udSU4vaNrl+ay7KupEy+/aZGiw0QAsqEj0BIiF2fcAuEgJRwB4SA+4RPQAi4TXgAQkCTUAEhYJmw
A0LAQ0INhIB6mfc2YPrpdJz7MvU1BOwxXzCvOK3OOrof2Y8+rSrrF43sm14KZW5kc3RyZWFtCmVu
ZG9iago1MyAwIG9iagozMDkKZW5kb2JqCjUxIDAgb2JqCjw8IC9UeXBlIC9Gb250RGVzY3JpcHRv
ciAvRm9udE5hbWUgL05TSkFNSStDYW1icmlhLUl0YWxpYyAvRmxhZ3MgNjggL0ZvbnRCQm94Clst
MzMyIC0yMjAgMTE2NCA5NTBdIC9JdGFsaWNBbmdsZSAtNiAvQXNjZW50IDk1MCAvRGVzY2VudCAt
MjIyIC9DYXBIZWlnaHQKNjc0IC9TdGVtViAwIC9YSGVpZ2h0IDQ3NSAvQXZnV2lkdGggNTEwIC9N
YXhXaWR0aCAxMjIyIC9Gb250RmlsZTIgNTQgMCBSID4+CmVuZG9iago1NCAwIG9iago8PCAvTGVu
Z3RoIDU1IDAgUiAvTGVuZ3RoMSA4NjAwIC9GaWx0ZXIgL0ZsYXRlRGVjb2RlID4+CnN0cmVhbQp4
AbVZCXQbx3me3cFJXIsb5ILkgktQJBckQIIXJJBcEQBFipZMUlSNFSkLEECJpA7TkqxatqIjMk0F
UhI7iQ5HbuIktdX6SJd26lJ5qaPIjpP0Ra7bHM9pk9px0yYvz2plN1drCew/C4CW9JykzbHY2Zn5
/3+u7z9mdrFvzz2TyICOIIxCmV3pWaRc9hRkocz+fZxSRapXEaK5bbPbdxXqmqsIGVdu33lgW6Fu
fxoh06WpyXS2UEfXIO+YAkKhTrVBXju1a9+9hbo9AHnbzrsyRb79Iah7d6XvnS3w0fch53and00W
6j5Cr5/dM1nkU0mE8P6tk9und2fuyk7unU1nJvekd2+fLIuGQj3R/v6essndWURBKxN6GKnRQaRF
NGJQEKVgJQ8aVyIVcAmfRkj81gvPbbFEf44MOiAgdOHfz3aT/MVV5398Xcr36Ee0nwQ5PZFVLmin
/WQ+gpD+5evS9Zf1I2gfKl86U+SSzCSOvP6Gy+399nfgcf9BF3v/wfJ/+Eco7/9TeOyahcfOu+Cx
Y7eL3bH78J6Kffc4nN7tM/DYNg2PySkHOzk1d3dF+V7XfbFy3wFIi0tXnztX5YtALroe5fgI912j
OfLaCxQnG0wR8auBFmBdfO45u10RqbnKVkbefZgW4r86/vDxt88+fPZt9eLblD7jyXwtg7mMyULE
nltT7VfEG87W+COdn6JOn6IFz5mGxoj7DMWc6hUj3ztFXfkpLYg/dbgj4tcdDjKIOLEAo3xoTi0c
OUwLRw9TwqHDauHaMVp4cA4Lrx2mDs/5q4/PUcI8pAdA7Bgk3Zy+E8XEFj0TYTudng6ns91pa3Na
wk5jq1Pf4tSEnDjoRM3O1QKlpXTIQqkpDTJTmFJBmaJoZEa9FAUJQ1IjEXLCUSNEaREDiYMyB3kI
OCEoh6AsQnodWpVRJnFnrMdXt8Jcv8JiaQzV042COSBYanhzLW+pqjZz1RakZtS0hbEa9WUGo0ar
M2KV2ogo2qjB2eoqVF9tsAxZaANaheJ4H34K/bNFY0AGbLCsQqv0Eh7X78fn0Dn9I5bvIeMFykxZ
RJuFpSpNHm2Fycm4TTaVw4ReoMwoCKkX0kcps1inCkQbo/XRumhttCbKRauibNQTdUZtUUtUH9VE
cRRFh8NjlGwbQkNjfbKdgnxDnxwWhhYxNyq3CkOyfng8uUBRH5GAKtPHFyk0JquOL9KQ2WKbxpOL
VDlhz7EXEGAhD6XmPiwJQqWcHdqQlI9USnIrKTxUKaEhuXVEZvk+4dZrr0LYu++eIqNQF/bKjQk5
kEjL9YmUXMfHgbt33y1tqUL9BjLaJ0CNEPYVpQvdyR65F9Z2S3thQU8WOTzaJ9OxiSE5OzokVw2P
p+QKvm9I/jrUOobHZSPfh5D6w6gMnhvB1wX1BPgsUrmhXLzwlwrlpatLf4bQ0lVCJs/8KHmqTyM1
lN4tSWs+gBjcvXSVfgMxS48t/QxZFU6UPPMfKEkV8vw9pTqJISSpCKEPPQHxh8huRrPodsg3QiLR
7zdfl34z+9dw/xZdQLLCW0BPocfRp5TyM+gS+sINLaRi+XY0hu5Fm9BjMKdtJC6iu9HgslwKSagF
fggSIFq8XkA/QX8J/vZT6ocl0g35PJQXYLRPo9vQJOpRv6N+B30CZvJpNISOAQ7vXa8oxdfoNNqu
lA69x1JK29E6yAdgRgSvB2CWMnoI+pxH96DTUJ9HewDVH6CLaCf6ODoH8/8y+iw6ij6GzmmeV7T2
X+oFZKJXgjZ1oIX9qC//Wv4SRM7kljs3T4xvkpIbx0bX3Ta0dnBgTX881rda7O3pjq5aGenq7Ghv
C7e2hILNTQGhsaF+RZ2/lq/xcdVVlV62otzjdjkddpuVsZhNRkOZXqfVqFWYplCA8sieWDIxI5fH
UmCMcZ7hZOP6q+uCMrKxPt7KhYNSU1FKVgsysg/JjuHkAhK7JFkj3CqyXsZ+5h0fNF7HcglZ5Yeb
X5vOyvWjSR/PfJdd5kvQrVwRS/p8rEz74R4EFtxr01xWZoaBDgyFMiij4SRJi0tvdgERdfkkeI4m
5apSVSK9FZZywyQvgJ9cvGWa66kcs2Asj8Vl5FhAxjdl5CRiV7tAV1G5HuKQn4GS0hsKypTjHZmy
y5RzHSzp5iFIsze63geDRHaGT2SnAdFs6j1MrxYQ9XE5LjeatIZZn0+ZNISCkeSCoSzGxybLYBUQ
y4CAFsoMQDEQAqhldoEy9lBKgTYmVi7QSGcC+GxkugmSZmTxRAoKfBxwA479PQ7sfCdvZCFoVhBC
IKaUKGVMWROTtYVJcNOymJbRCW4hcDF3cpFBW1OCMctn0xNJGadhUgsI+xNTY7J3aHgTkGASkFJT
HFF3XHkQ5XGJKS4HdSKbgicfh6Y307NTkyliJlSKjwNPH0vO+y6yEP+T8wnZKsgmaG6670csziU8
0xyp5nLznPzYSPJGro/IgBF4mgJcLsHDaNBZYqaPaCy4rDbFGgezinLEE2lOPrJ1BjCDO32yZP++
HCMbf+ED7YB+oCXxDgIwSdnUDFnKDLRUQcblTkwqSz2pLA3slUvMxEkiDcH60UZovSmZmOITgGdx
QAAE2mP/rW19PrlcIA1zuQSZYjoLsyfIwF0uKNMoVMAnWIGC+cRkcUzJ0JiiAxhRTMelIqkoABwV
6EEWU3FJIosqKEDW+ufVzTyXI91r/bJDYHwvAe9iU2BoNJmIE+sESTqW7L7iYa9AeWh4mUx5QCYX
vEJAIpwN/NBIwQqmCD7kkRorODCgVtQ8iBbllV4ve9jLhREmkv18fyqX6+e5/lwql15cOrKV5xg+
t2A05mYTKU5xfwroXzzByv0nJZlJTVErFQ2R4WFx2N8P26l9ZJyoqp+bSgMF7l7e18X6rMsyEEXe
n130ObB+8AHicznmLVi9EaITy/WTUAOHzi5WZrqIy8KENibBJzIwRCKrPMBX4CRCs8RrsORPTG8o
gsX6YEjFeEgMHClSoROfj/jTiUURbYWKfGQkWahzaCv7LBKDAugxRTgXSxznRsI5UuIsN0/xoDcP
OQkp9vHr7Bti+7Jt56y8jYuQwA6zg3swK18cgzX+qkvWAWKK6u2xJGZpIgIlmsWkVCbA9hCV3YLS
kGACETPH8NyrvMwIsjqWvMhGJY6xQrCkQGYABImlMq/y36BIHEUORqaiMuUidARxFdCDuO/uAuay
IXGJXKpogDcuC0SJdHZq2ZUKkwffJWuD1TM8uC5bgMFq48kKv0kMvrQx+PuJX4FKFKDWSrKZ7Hey
+S3lAfNlY0kOIhF47ohS4BLcFFG2zKXiSkiQWMIvkReX3kjFSQhMgg2CCFs0cTD0ArQ3m2JT4P9q
6EfA0I+elKZWwpzERlgB1w7DEtBjY8miuyl6UpwAxhokS7mZv4xiSQYCG7izTw5VfMMDhlrhUby6
4LvLwqCEMVjNsgJuHEzhlcyDzETuh/2/EAOUmclrlLqydsIeuIU9WGJD+PgAex/IwUbWt8BTx0cW
ROr4hk3JCwy8QR8fSz5LU3Qs1Sct1AIveYGD112FShMqIRIRjlTQEAW9PUvrFHn2gojQEYWrUghK
PQNvFgqtIAQ0CmXgNUOhMSU5GmiqAk1UaLCfwBQTnikIb0kelJ6VxeHkQWkql5II2MhVMECwbL4H
yTTfs0DRGqNcxk/2yQa+j9B7Cb23QNcQupbvA/MH5+AWwdVzKR7cHwJwErGUREyYWDnt5xaXliCC
XobI65M1/glIEGD1gsTJav9akFtDUgrIa+QjmTSZBzFTaKv1D2YkWbfcIYgMynroQV/sAST6lTaw
PZNGGTDWNK8UgQzOcUSSJYEMmpwmM+I4OA8N8CtlTV1hkuo6MlBQytn4VmU70fjlMv88tIAx1iqB
UKGwUIXByH4Et9YIM8/wIJVJcaABFcpsAGNU1ZG7jOgNKJOwq6vqYFOFVAaOrDARWRb2G0xlsr4Z
OoSblA3N0CHcWglAIYtXavNFARibkQ0wo7oboCw2AHSANUjmAvc8TJ6IfoV0M7KIRvl7ZUpBVBlK
C2zZ5B9Mw2Gh0N4AFB7OfYXG0JfOT0ikj5cKVC1ZuVE50I4tLp3nDxAnKV1NAV5GY0limAhebJGI
pNytBHkcAqfuVqpJIedyOtP7NyjgpTMt59ALvB/G4d39RXiza0dj+C/QqKp56aO0gO6ga9A6TRbd
oRqAZEYbcB+6A5uXlugXEXmvKXxngg9mSINqoO6DkgFSGbyd6kBXFHx7I1+n1MAn11F0lKqmvkF/
CrtwRlWnel7tVT+hGdb8EGRfgNEfVI+heniHDKE2lBbtDoe5RqMxo4AghMweT6hNDIJDimwIhZkw
Ha401CPUKNgdrQ7BgMNNTR2hcPCyLRK0uSOXg/CLkAcKbr5c8YMKQr9sjQR/8Io1Yg1DpSVEtbf1
0J09uL2tjq8x01q+vaMj3FpFOx1QMWOn0+3k2ymrz0oS3alxNda661jL6h4uVFuuT0U/FOvP9Hgt
tdEAV+fU2h6irl3X4PS1LurHLpe/sX1FeTAc4YdGHbWtVR+saq4M9zfU9XT3N/kCK+q9mt2f+Uz+
R6pPvrtN9cv/eRqWDSiNLb2N/wVfRiwKo89ANIhtTIrBahNA6qWxFxsM7Q3HRDtNMaimvAbXnBLL
GZMxwARw4IzIuMr05+NlTuTpFSBVrLsiWFE4vFzy9IZDVBDIsHJ3eP4iXC2sWPW7dyZRnW6s0Tgd
LrfW17lCo+Fr6gBPHG514Q54zySQqoAbbu3o6IQb902Ij5jLmlfr82/2mlJPp3YfCEgHP5fqmfXq
NX3rGm9bv2YlF4lVx0bbgp02fKKPuS5FVzsb/OqWd1UnP/jE6dRXnnlgfWV+oSHKr1/D9m772Pnb
p7Z7hwZjxyTADr5y4A8Cdl7UiL5bxK7Hi5DLOldbG3A9IOodlbjytGhxVDvoSgyWpTKvwCtOiWYG
iZx/AHHIe9VLG7BXpSrH5WdElasII/Iw34YX64ryy0IRTRuKeIKEBCCH4NWhgOoVMK4wYNryRxpI
8ptpvqaZJkYLIDsdKh9BH/Dt9PeoFcA1Gty89vjx0dv3DNWue/Sf7j9wIP+V/MvG0c0Tp0fzjRMn
sn0rLJGu/vntXxu5sz4s3T+w4+cv7tg69eST0f7pLcMbrlF2X3Nnt687MfkU2OPSR/Or8ZuAaRC+
MrxVxHRNZW1VrRc+D7RX1baDScbtqrlAQAS7rOP0zEBdVSPigkGmsaqS8UbKIzhSsNIQE8IhYqWN
Wqw9JTZ6l8F9X1O1gpUC4JCVAA4HrxBiwXSZeWK8zX+sESW3GWIAIAvR4SbDdhOT12o18ANdcO1t
AH1rKX4QY99mrzDs3JV5YCJRa04/kdp1YOXUsY/d3jsbmRCnDMaKoLemWdh/bjr/YHyI2h6e3Cs2
lSw/+ifupsbKoUT/w995Fs/d9+dn73rt83u7qmr7mLzQ2nvsLWl7ondj8/e7JsLH+s/mXgFvKbkA
iRx3wCMEMRwjDzpd1FTIAx+XVWbahBFWYROdEWcxZcGvY9qCt2Baj7HnSZfLeT7ushgN5+PGUuiA
8MGs+zdi33dvrrgCQUPBHCAnmNf8rt1IlJbvLMQLEjDsSoioW9HZGaZDzQvN/QaNozGkz//dGVOZ
tb7F8LNV6vilS+8+Hw4yVTU2dQv92ZUJdyXH0O16suvAFzS6Db5pOtHa4mrt8CUbGyjK6Tgfd6Kb
YiGJh8oyYP7mXy8hUWFKiWdkflQP+FkdzI/671X5a8rkdPmvU3SZTuVqaDeqT7+bDbVYlampDgYC
9eQjO26DmYEm1K/jb4LHvFCcWS+HfbAx+upwTU1Ib/RA7ImHosFVwWDbKhzC0W7MahpEsQE3nBFF
ZuWTkUjX+XjEEqqx223n43ZFLYVQXtBMbwWEdghBEXcrCT7uMKjGaqOIbygOUtLU79ezBEhqyXYI
gUaLSaB5T23KZon5gg5vqigKxW6lHf4ydcfTE1syjjGrotqXD5mdrR0r0jMxx/gze+G/kY769M7V
tvFnzqqt1oYW44+6+owTz29OZelfmbW6+/fvmBY35R8daFRApq513t080C0+cHRzfoi6tlniBrpX
Hz+2KX87/ZR7U5W32oLb9fnrqg/Nwd94ihbwi6CFADpV1EJzvboGU1SzhTWazBVms70CW6jA+biF
clY86fG4z8c9FiOrq9Zh3RmxmrlpCy3iHlZikYL3xRLiYFLs/78b+MTyW8BzOjQl1PFf5b962Ohu
aWtMzwwCdEW4/jUSM259fjydNekUgKlrLfuDa3pWH53bcjMo11S5uR3TtRt9JTAhXmxY+k/8RcDH
Aae2O4sIlVuOeb21zmMiBBHsOSUil6EaV58SDSUwipjcsOPB6oH5G4UlNTkWdHZ0KpsWMSYzTSm7
lq2wZdHUI+eestj5pg//zfTej/eV1+Zezb8+PrH1bHJMmjonWT//uejI9Mjkx9clz2SkyU+8soOq
2z0tU9337tz1+fyXiro+BGvxoi+UVlL2uKjX63QOG22n4OfGDvSkl8Em0+LST0Svwz2A9IyedmC9
5ojGhE2ihvGy5+Nei4M4W+H8dFlAFR7mMkRBwRoOQ0BUIgjxLSsVDoaDFVda2Of/AL1C1NEq/uLW
8nWFYyjxrGLw+Ui037jlr1ODLaHtupraFdtm2s1gAE5bfciAv/oL1bFDhjfaOoZP7h8gKr+zRXED
sP+lJTgN2RT7//siJqvdj0Owd/rR4wE4TZsfrKxs1j7o9xkMFRgFUoHZwJGAyogDDRCHMD4lNjAW
V7WLtmGXzVaBK06JthuOQy8BKsq2XYIIdmYrOV4qp8srrQDPFSsBCTASA3/QMSSKgFQM07Agh3Lu
XNEZdpGDkIIaOSGRAOTW0p8wjGwM3haoWiOm1296dGvykYHgeu34HVK2SlzVu14YPTP5+KFm+lub
RvhYk7+7T1h93/Cdx8QKx2sT49KgEO+pF24b79xwnyi8AnZ2CDA1q55DVehiEdMeNetk6Z+z8J+5
y27XOW0uq4vR6fVWF9ZZrJQRW22iHrZWvfM/4M9SJNaQY2YVxixmz4j4BkC/XTpcXn9p2ewK+27J
4CCyo813t4RYkf+9ew5J/uJpvdPOw+tPZ1jr0/qUGE8Ok/TnRh/bNDNlO3jKsCoRrK/KdVLdrvyl
VH17uHkyupiZ3Lm9dz2tDWv93Vvv/OVk/uBnh7t71wwo73cUsgFS5NLA3ozWb1i7et2gEEvv2rpn
Ot00uC+9czqD/hehXxeHCmVuZHN0cmVhbQplbmRvYmoKNTUgMCBvYmoKNTQzMQplbmRvYmoKMjMg
MCBvYmoKPDwgL1R5cGUgL0ZvbnQgL1N1YnR5cGUgL1RydWVUeXBlIC9CYXNlRm9udCAvSElIUUJD
K0FyaWFsTVQgL0ZvbnREZXNjcmlwdG9yCjU2IDAgUiAvRW5jb2RpbmcgL01hY1JvbWFuRW5jb2Rp
bmcgL0ZpcnN0Q2hhciAzMiAvTGFzdENoYXIgMzIgL1dpZHRocyBbIDI3OApdID4+CmVuZG9iago1
NiAwIG9iago8PCAvVHlwZSAvRm9udERlc2NyaXB0b3IgL0ZvbnROYW1lIC9ISUhRQkMrQXJpYWxN
VCAvRmxhZ3MgMzIgL0ZvbnRCQm94IFstNjY1IC0zMjUgMjAyOCAxMDA2XQovSXRhbGljQW5nbGUg
MCAvQXNjZW50IDkwNSAvRGVzY2VudCAtMjEyIC9DYXBIZWlnaHQgNzI4IC9TdGVtViA5NSAvTGVh
ZGluZwozMyAvWEhlaWdodCA1MzAgL1N0ZW1IIDg0IC9BdmdXaWR0aCA0NDEgL01heFdpZHRoIDIw
MDAgL0ZvbnRGaWxlMiA1NyAwIFIgPj4KZW5kb2JqCjU3IDAgb2JqCjw8IC9MZW5ndGggNTggMCBS
IC9MZW5ndGgxIDY0NjAgL0ZpbHRlciAvRmxhdGVEZWNvZGUgPj4Kc3RyZWFtCngBhVkLeFTVtV57
nzOPvMgkQDJJhswZhoySSQgEaCCJySSZCdAIJBB0hgaZkEQC8oiEp0UYqogOL8u1VNCKj6qoVzl5
SCcBL1HUVhShSvEtiPSq/Ypgv6r1Qc7995kBifXrPTv/WmuvtfZrnXX22WeyfNmKFkqkEEnkaVrc
2Eb6ZW0Gy2xauVyJ1hP9RMbRN7bNXxytp95JZPjz/EVrbozWrajTotaWRtFOXN8DP2uFQq8RGwc+
onXx8tXRurUB3LxoaVPMbg2hblzcuDo2Pr2PurKkcXELOK4MG4jStrR9uV4l6z/Br25b1hLzZ5hf
vLZkfkt86ejRZaXV1WXxLUuaicGLg5RTExmIk4UK6DoiOSlew3q5bpcSj759zZoTc5NLvzRnmfXu
H/74qlwh9E49tP7bfRfnW4rNiajG6f7CgC5NZf3TqMpC3+7rH2spvmwRVnHxjvrkiuFSOp0HNEAi
O2gBMB2YC2wH9gBGSo5ploKvBw4BFwAjeaT0zh1jPRGwzTrrWrioUK82RqsNc/Rq1/WBKJ9aF+Xe
KVG34qjbmHFR9ajKKL8qL8pTcwpD6LwrPqmwryJNSqPjAKc2UMZfpGTGyE4PSkNJBbiEqeoaj5Ta
NcJVuOeQJBOTuMSomexan8Q6k1IKK+K5xs9TKtn55/xc1MLPdQ1KKdxT8XN+hvYBhwCJn0H5iH9E
6/lpBNACWg7sAQ4Bx4DzgJGfRjmF8iH/kJL5B1QAlANzgT3AIeA8YOIfgFr4++J26FTI5QDn74Na
+HtY1nugyfxdSO/yd7U+/mZn0cTCHl1wF8QEe05MSM+KCalphRH+Ruc3I+0R/nGX4rY/WDGanyAV
4BjsBDo/QQpQCwSBNsAI6SSkkxQC7gYeBFTAiDYn0eYk2hwBXgNO0mjAA9QCZn68E8NE+LFOV6W9
Io2/zv9I6QjqUf4nnb/GX9b5q/wlnb8Cng37Ef5yZ7adKhJgJ7SxgFvAC2A38Oe7RqTatYoUfghB
soMWAOXAdGAusB0w8kN8eGezPRWdHKAjeCrsvJM+0/lj9LCZPAvtHlcVckwRxFV8DSSQPcoeF/e4
du5CVRDXth2QBHHdvgWSIK5bNkASxLVoJSRBXM0LIQnimj0XkiCu6fWQQCL8gT+MuMpeNP0mplQk
81WI0ipEaRWitIpkvkoU+kYWc7yvMzcXEdvtcY/MtYd6WeggC81goYdZqIWF1rHQBhYqZaEbWMjN
QjYWymYhDwsdYBMQihDzdA+oTvRYWegICz3NQu0s5GKhHBYawUIKK/JEuKNzCh4sMJ/OuirEc8Ud
XdeUFSZjjg5E1IG0duCxPwR6DND0mgdOyvCoc0a24MO7csuj9VHFhUsrJvPDaHgYt+EwnQJk3KDD
SKPD6OQwuksGLQfmAn3AeUADjPAejnVs12kyaAFQDswF1gPnAaM+nfOYCqeloGKK+/SJFYCWA9NF
jR9GGY7i4A7PMIvN4rZMlrbbWHI2m56tZfMiSkvDJpeaYk6JsKT9Xyf96+skiquI49v4dhqGG3F3
jG/v/GaYPcLu7XQdsFcMZb+lbBlZxyaSi+WAT6B2vT6ebGahH0c2/hR4YaftOjRL7nTl2XvZINFq
v/0b21n7Z7YIh/ip7YD9LSUis077X6B5ar/9hO0u+ysFETM0B10RBtar6K49tgn2p4/orhtg2N1p
XyfYfvuttkn2m2y6oSVquKEdNU+yfYZrtn0y+vPa5tk97ehzv73cdoO9NOo1XrTZbx+NKbijYi4m
O9KmD+rM1jucVRRhrZ48006T3zTd9DNToSnP5DDZTcNMWaYh5lSzxTzInGiON5vNRrNs5mYyD4lo
pz1u8WYZYrQIZkRCM5J12YIdholtBhTvMzOnn5M6WKrhNTMrWY3a10Q18xT1q5nOCIuvm60anJVM
Ta2hmvpKdYK7JmLSZqhF7hrVVPsLfwdj2wLQqvzOCKN6f4RpQrUxS02t8vcQYykbt2YJfvXGrYEA
WdNWllvLU8tSJlZ7f4IEdWXQ6/7hsv4guq3uYerOmpl+9clhAbVQCNqwQI36XzOVBn8P+we74PP2
sC8EC/h7pDL2D98MoZfKvIFATYRdp/uRwr6AHzIGDH7mbFKEHynm7Kjf7qhfDtrDb4Rg8IuLoxzd
LycuTveTmfDraB/h83aMAIFPukLtuk97unKlz5Ec+OSAwCctREd0nyNpIeGjlund2GxwyQaBC8sk
m+5iY5m6iz7zDt2lIOZy12WXu/SRpOhsdB9B0E3S6Us+Safhc0Ug/7PYUul2s66SQFODr8XpCzp9
LUBQ3byy1aqG5ilKR1NAGBRVcgXnNbUK3tiiBpwtXrXJ6VU6SvR2PzI3CHOJ09tBDb56f0eDp8Xb
WeIp8TkbvYGuSbXjigaMddflscbV/sRYtaKzcWKsSXq7H41VJMyTxFhFYqwiMdYkzyR9LNJzvNbf
YabKQBXun+BdPCEe+RrMcgQq0yxtZXryljis67J6cSDZSwnugJrorFSTAJHX+RX5FcKEZ0qYBkGd
HDNZ15U4snrZ3pjJAnWKs5Lcy1e0ryCrb4E3+teOC6rlK8StiFK30P3kBRef6mn0itNqjZo7s0Yt
r5vt7zCZoA16A9AVX9IlJPgiWl9UOQrKYuEoSZcdha5U6OLiYo7/ngv6nKBGdHpw0DjQxTzZbDm1
ByQ1u6aeYyuon40wNMz29+K4JF4S7QEssJ25Wful3sQ63BStEZbcfgnLV8SkWByWx7juKpq0XwrH
pa7cIkpk6KUMINPwOGXILrISaZ8Anwrev0D7VNgF53/DthaJgWgvPc0W0NN0iF5gF9BqH/VQN4kD
j5fup7V0D23CS2w2NHfRDBQD9PewDK0bJ/uH8Hp8iI7C93paR72UxqzaZ7SeNkpvotVGSqLhVEG1
tJS2smu1FdRAp+TbqIiupSXUxkKaX9um7dB+T49Sj/Qn7SIlUCY1oRzVPje8rb1P+WjxG9pFp9iO
uGfJg1FC8PwdLaPd0hyZafO1bzEDB63CHGSaSkdZH3ej9xb6hFnZWqkKvTyiqdqL8LLRHGql3dTL
xrNJ3GFo0KZqRykNY6xGr7uok/ajROg5epclGi5ov9cuUAbl0RSsp5teZ31S/8UN/eWImwFRGkkT
YVlK/0N/pOPMyZ7nSw2JhkKDx3CLdoKG0Biahdk+jpb/y77m61DWSy/L1VolDUJcfi2iTS/RRyyT
FbDp7Do+ki/lD0jLyIwRx6A00wLE+170/iGSZj9P5MekR+Sn5O+Mw/pPa4NwR1x0H/2OnmdJWKnC
2tmv2En2Ma/ic/l9/Ix0j/yE/IapEau+gRbTVnqKvmapbAKrY79grWwt28R+zXaxo+w4+5RX8Hp+
Ez8vtUo3S8/JlSgz5Xb5NsMdhs3GT/v9/S/2/7n/a61Qu4PqkA8bMPvf0ANYWQ8do3dQTtEZZmAJ
bBCKwhxsFvslyjq2lT3M9rInWDdGOc7OsM/wAvqSfcfxXuVGnoWjjjjwOPkynCfv4ffzYyjH+d/5
N1K6NFxyS+OlUikgLcWsNkl3ozwrfSRnysdkDXEuNOw07DHsNTxleMFwwZho+hXe6K99/8jF3Isf
9lP/nf07+zv7u7WPaCjuId4V+KYqxewbURbifu9Exu2jN1kiYpfJclkZuxaRmcsWspvZakTydrab
ParP/Rl2EFF6i53HnJO4TZ/zKD6eV/LpKDfwFn4zjl47eDc/yb+VTFKClCwNlXKlSdIcqUVaLq2R
dkqq9Jr0gXRG+kr6HkWT42W7PFx2yW55kjxXXiE/IH8if2JoMLxq+Ksx3rjYeIcxYvwCZ5gyU62p
zjTHtN2033TCHER2HqZn6Q/IwMsXOy1tkHzSs7SNj5Uz8MHyOvJ5LjVLUzkyle9ld/JbWTcfYVht
LOElbBpdkF2I9ct8D/+Kl0hTWQ2bSQv5mGiHxiHyk5BK5cN0Tj6Itb2OnlcbE9k6ft6YSJ04EU3E
ieglabTsll6ld6VTzCQ/RO/J8SydneOPS7XIgufkMoOfHNL99Ix0M7uVnuU+/FLwnXkL8ngaexL7
Qj0rZP+S8HsAn4YsKpI+ptvoJv42ncNzfCf9ljXL82kbjWVr6RN6DE/FSMMSY65xKHuFL5DDfDDr
Ji4/gdVNZCOYZBhCt7M50m7jef4OraBjcjx9KP03Zn+MPyNNlS8YZrBWPAG30h10s7aB1hj88hts
PknsOsqRT2N3WysVyg7w9dhVGrCn7cfT3Yt9oEKaCo0VmXMt8mIWdojdKPdin5CRQQvwjF+PXex1
6jbW8wjNNwxi2HXwS8er/TNotvYY7dLm0xJtB+VjP9ikrUWPe+mvtJ32so39v6Q2fDi+g2f7WkM1
P2ao1vJ5mL/DZ/KdA+8vop3DrPQ3lGeomsoMBygsv0UzqVzbov0F2X01dthdNA/H07NY5ecYYbLU
R2P7p/EOrVpqw3pPUZ32uGZn8dSqLaLpdJAeNRmo0eT2VM2qr/CUl11TWlI8cULR+HFjC8eMLhiV
n+fOHXn1Va6cEc7hDsWePcyWlZlhTU8bOmRwaooleVBSYkJ8nNlkNMgSfujJ8zmrg4rqCqqyyzl5
cr6oOxuhaLxCEVQVqKoH+qiKaNcI0wBPDzxv/JGnJ+rpuezJLEoplebnKT6noh71OpUIm13nh7zV
6wwo6jldnqrLd+tyEmSHAw0Un7XVq6gsqPjU6pWtYV/Qm5/HOhLiq5xVLfH5edQRnwAxAZKa7mzr
YOllTBd4uq+4g5M5CUtUM51en5rhRFN0I+X4GpvV2jq/z5vlcATy81RW1eScp5I487h1F6rSh1GN
VapJH0ZZgNOKSpuVjry+8JaIheYF3YnNzubGBr8qNaIPn5rixrheNf2Ws9Yfqugcp6tNV1qzpLDP
ukARzuHwJkV9sM5/Rdssh+ghEEAfaMtzqoPhagy9BXeqRpyqVb4x4FfZRgyJI2KOvqro+qLn15zg
QkWNc1Y6W8MLg7g1mWGVZqxxdGZmenq005TpU8L1fqdDLc9yBhq9to4hFJ6xpivDo2QMtOTndVhS
ooHtGJQcExKTrhRaEPSoTZd0dyHVzLgcWSbm6JyCM52qNCmYid+JNU0QpGUChZsm4AbgCjC0Uptx
RxaocVXBsKVY6LFEphpyLE4l/CUhA5zn/j5Q0xjTGHMsX5Iwijy5nGoqa7wkq263mpsrUsRUhXuK
OZbp9fH5eSsj3Olss+BLWBz/qRaxbQwUFyD8Doe4wZsjHpqHihqq80frCs3L6iRPAU7JPCgsfZcs
Q2cJS+iS5XLzoBOZ3C2+TGmoanZd/ku2pA32tRarLO0/mFui9pqZzhocchVfOBjL2pr6AbWoXQQU
cYMtJqmDq/xSFodOSDxL0q3Rs+4lFxx8/YmqnIM/o57UzRGTGVmpa5hSrVqCk6M0EO9wxJ6Z/69R
RLsgWunsh2axZajF7thEo9NWSwbUB0wvMSzV1GPL4Tijh8PxA2xItegsp8QYMh6f7A6lSqVZeDJz
8IePhwkCgSzVg5DBUo+nSFcHsmLVAY5ZsUYBXCI78/OqsWeGw9VOpTocDDdGtNA8p2Jxhnv4C/yF
cJsPu100cSJa7+YstXpLABFrZcV4PDhVise4qt4fW7kec5HduE3IB6P41QLvaFxMTxDCfxqMAJFy
WYP/E6CI3zVADCg4HZuospuzs0ZThO/yDCaDfFaieJN8llGG2Wg4y6WDOCTE4cg4iqxuy1elF0un
Wf5ZOvViKZVDtnwPMma0I8WRkgOCX1Hoe0Xq+95joO9IkfswFobCpV2Fs9dPXcIu6QZGqbGZG3FW
pslTJtdVVrkrli1oXDS1/v8AFSuwtwplbmRzdHJlYW0KZW5kb2JqCjU4IDAgb2JqCjQzNjUKZW5k
b2JqCjkgMCBvYmoKPDwgL1R5cGUgL0ZvbnQgL1N1YnR5cGUgL1RydWVUeXBlIC9CYXNlRm9udCAv
RERXT1FJK0NhbGlicmkgL0ZvbnREZXNjcmlwdG9yCjU5IDAgUiAvVG9Vbmljb2RlIDYwIDAgUiAv
Rmlyc3RDaGFyIDMzIC9MYXN0Q2hhciA0NyAvV2lkdGhzIFsgNTE3IDM0OSAyMjkKNDUyIDQ3OSA0
MjMgNDUzIDIyNiA1MjcgMzM1IDQ5OCA1MjUgNDg4IDc5OSAyMjkgXSA+PgplbmRvYmoKNjAgMCBv
YmoKPDwgL0xlbmd0aCA2MSAwIFIgL0ZpbHRlciAvRmxhdGVEZWNvZGUgPj4Kc3RyZWFtCngBXZLN
boMwEITvPIWP6SHCEJIUyUKqUkXi0B+V9gGMvaRIxViGHHj7zjoolXqYlT7PjrG9pKf6uXb9LNL3
MJqGZtH1zgaaxmswJFq69C7JcmF7M68U18ygfZIi3CzTTEPtulEolQiRfiAyzWERmyc7tvTAa2/B
UujdRWy+Tk1caa7e/9BAbhYyqSphqcN2L9q/6oFEGqPb2sLv52WL1F/H5+JJ4ERIZLcjmdHS5LWh
oN2FEiVlpc7nKiFn/1lroO3Mtw6Jyh8rNMtSoFiUXKJoGZNrT1bcvtF26+Z5VimWlHs0qjwHQlIe
c8YdEJLyUDIWQAjugXEPhOBmjAcgBNwxHoEQmmO2BEJwO3Y1EIJbMLZACO6e0QAhYHQtEJKyiC4B
IbiWmzsgBDTrXW+X4wfjwd4HYa4hYAZx+nE8/Oy9o/sP4kfPzxz1C9I6qIkKZW5kc3RyZWFtCmVu
ZG9iago2MSAwIG9iagozMzQKZW5kb2JqCjU5IDAgb2JqCjw8IC9UeXBlIC9Gb250RGVzY3JpcHRv
ciAvRm9udE5hbWUgL0REV09RSStDYWxpYnJpIC9GbGFncyA0IC9Gb250QkJveCBbLTQ3NiAtMTk0
IDEyMTQgOTUyXQovSXRhbGljQW5nbGUgMCAvQXNjZW50IDk1MiAvRGVzY2VudCAtMjY5IC9DYXBI
ZWlnaHQgNjQ0IC9TdGVtViAwIC9YSGVpZ2h0CjQ3NiAvQXZnV2lkdGggNTAzIC9NYXhXaWR0aCAx
DOF6QAv6ryGThGGylJ9GZvCryHzuceITVqBOSczyKlLA/4HYUM7lHyHT6QFixwb1EeTXcN8kV/ML
yVz6DFkGmMh/RJp5HXkMEOROkXcBQX4Fmcr9E9EJH9kjXEtuARzP5Hch7wHcC7gVcA9gJSABuAno
S5+jw4FAbGOyiJiHTCW5pIh4SQXayoiTFJJy4iIFJJ+UkFKcwatEBMRPAsRH6omb1CFy7EFsqpjY
SA2pImHCkUZsjgnETGJEBw9STlpIB7jBQdjxgSZiRGCpE/ERFTZQa0krqSYTiQWxkimkgZhIDrGT
PJxp1COqKcOopiI62g3PsZ1YSRyRLPazHv/O0vX0Xa6Ve4Hv4V8WeoVdwrOyQdl35FH5I/JPFDMU
byqXKp9W+VUPqZ3q72oKNOu1Ndpv5dhz9um0ulv0q/T/Mkw1HDR2GUdN680y84D5z7kLcl+0DFtO
WCus99pqbT+019u/a/+NQ+5wOWKO/Y7X8vg8T97Ved/LO+3UOHudI847nL/K9+TfVZBbcJOLuta5
niicWPhE4Z8w8yfBjbfJ+oGvcuCjmnSLPkuouqS0nJQXaCKV1eWaykpNebVQU0tKg+GoyWzW2e2V
EZ60nKoK4bfl96+fqjKaqK0hhB/DKcMpY9Rwqsrw+2cjYVpT3czVNfM11X5vkY5TeGtqa6NVLs6S
iwsdb7HYLN4aavQYGXB1cmtZsc3v1Lc2u8PFDtVw7Pb2zpHmfH1xrNzttyhMd9HzF+T8wvP19E9W
q6+sJuAIRRu83X25xVWuW12VBdHOUn9zU2eFpzxQki+/9utfT70r7Pt8ifDPz76DCYLWcsz1z7LF
4JIicrMYV6o8RTKN2l2kK3LYi9yeIl6mk+UVFhbrbGalpijXrebVe0S9e5qbM/Jut91Ec1280WQ8
FCdWndwpMxXZBdISDdmiQSOxRY2mBnsIIYK8njNBo4k0NITh9kSjpgYkRpOtwRiNGrafPHmSQcRT
08wBLYGARyGXW3KtNosHyKmjUeribBbq4fn8qojdoPelKovyDE0tqZn1MwL061+j/XZfdcX5R+k3
noyo7cHiommRWxZNnlIYq1dFIqpVS4UZnx+c2lepiXD53CiEjB1VFZYjSloA+agl14oTrJbasrJa
vnaPWKYtKNtTEi6o4Cv2FIgF9FC8wKT18/49WlGrORTX8sabPZ6ItcxxcyRSXxbcLAudrsJsThsb
WEpagiTPbsBkif1iEeXQxflHwlE2S2N1JReo8VRZEf2QyxWWdO7lqxAtqeS8RXKF0WiNVtXi0u/3
ejc2l+WobX60PPyj+e1Xz9yxa+MbDxbf//WKaVe3+G8qnDS0dU/rxHtufTBiCHRN5hd2tHgtOZH4
6LLZW/qLVaXfXr/jOz3cJ1/Z1TGn1iZwFz67cK2i7ZaFC29uhoa4fvysYAL93WSVaMg16CxduXrT
AtNKE2+yERjSYhhVYJRenIh6mRNUPOey6XjdHtFmdsl5+R6X4KJyOaem5gOcyVSkvjkvdJqR9zQE
oAG/pEVCBkMAsRueBi80BA1PI4EoGL3SXMH7JmmydVGjXO4tIsZqU3G0yiqYRuyTF3Vc9fW5U+65
um/pRPfI/GfWp1Lnt1P5f8/ZJ6tPfTj7qvLbU2d+8nTqwztCS0ZSbzscdIDOfJ1iB53xNnaAhNdA
Zyd0XKPodrp41x6n6ARRnSad9lBcV8qX7tHx5k0+X0X+Zrk0cNDwDHaQL5FPohh/kWJMUjmFHBzq
DWDQzUJNNQdJVmyoLLGqQaMQ/e8ffnKor2eyOK/nhcMNJVP7t109q9ax7pf3xJsiWmuR2MEv7Gwp
An1mfOOTw99Kjc+eEikpmifkx1bsPLL4Z1S2QQBVGIeWYeSV5PYniB7HK7pV2i69urDQZuc4Fd7D
m0TUmGx7RHVlkRocW+Q9FC+y8/Y9YlFlxaF4pYpX7ankjQf0JpOdHuA4u8d9oLAwrLZvDmRYVuJb
iVSZKUtcyuaOwoVng5LA2kOgYcjwbIZcgtdjZGwJSjHaeY2eqma+LspLoptmasG9SO8uKq0PpJ5+
vbzKo58/X1cUCr1O6yJN5UW23BHz+UUZbpbNTP0iMrnKpbnwN0dMTG2JNeVdeMpY2jYxnvr6FZzM
VjmGERUwUkZ2iDOIzqBz6/brkjqZitepOE6pUll5vbHQGDIeNT5llKmM1j0iUVELrypzqfaowvmF
rsJDcVdZ6aF4mZJX7inj9QeMOp2XoaZcZdvszSDlCnxAhUUZOiQFduHZ+fMyKDE8i5o0//JfREgu
01WXo0O1yFpaEYukfvtSGhv6olDlSzp3bUkqfhke4v3lpgtvFcQnpobiHQWpDbGuMpyA+TcsMGm9
H9JaQW4U80p8fh/0rp+qeL9fyxXICviCPSKVmfVMbksht3pi6DUMG142QG4NWq2Ft+zRChatVmk4
YDRyFZvd7pBjkzLN9w2SFjPiQPBlktoSlTQXgcaW0MAwEgn7FIHL5dT2BTmuYUoL2s2C5UyonTqp
dffcC+NkF5Ufm/edZSPOyVdNu+bAnJ77V66/zhyuo/cUF5sVMsvUEj/Ods36JW37riUvdWZocXBX
6uMfPZ364I6rVsSGest1kYi2sLK9OcMLMgG8UE/mi+GgntfvEYNeW3BPOCxXWXi7zX4orrSZfJFq
vqjK6y06FPfyZHN5Tk6jvmxzAXDzqJ72FISCkuaOMqWNWRltUXtLetFKS8AZsLwPi1uWmh7jF0kr
TRCrdHa2HOxMuS7XF0jNqys3XnhNZSmtTM3JEJkeLA/YNFy5sWQCfaS+3PBZY6PXalJHIrqizhn0
kdS89uZiu/ZKikc0Vk9bR+prdNFssciArt7Ovsz8uULMP48UiyaZUqE8FFdYTGbTobgZE9VK6xCm
ZA9lyPWlA6dHpPENZcd3iI3vs/84CvZe8CXHzglYSYmYK8h42R5RMOr0ukNxPY5ZWTerQ6efheXM
3ppe8hgGsbwFpBXvIk/Q+1v23uYZmFxgDDRR6bXx7d9cWzpQ1LF0QEikpyrNPEtrJvcdZI5YT8r4
MtHq53nSHCF7XGGnK8qHI2Es0h47H9EZRb6puQmjUeXyzXyHxmh1enyK4Oa60GkbxpWxSexZ44TR
2RbNO8V0m6TUauvwj1kgjHc5BZXsDmaDsDpe0ndfjspvuvwtU3uHveV6bWUJfczd3NqSStKrG9ti
RamJviKb48+l/nJfzZcxxEf2tqEV4YZAgbPEJ0QiCm9TZ+q2Cx/3txfKIhHeajVFi+mc5hLz/4JB
MtrRACy5SJcYICqDitPyKpWNaLDKaWDx7BE1DqvNeihu49WqA0qlm2w2pMX+Cnpl9Juk3XxQ7cKV
ql1iePotKg82lnpcztzFuec3ZdnnYLnPrp2rtvhic+akrr1CcUW0ZndbF0aJfW85459askScUO0Q
VaYuhyPq0+gCfLGv+FA8x0ci0ciheI3NyUd5h73aDkGtri6Un7HaaniTqT7PGeULtwQZOaGobVFm
aQSjUFkSacF0l1mdQSgqCg10hdia6rzY44bgXVktGWOUeuQ5TAgkMi1oKDeo5MbU2jWpu7CeSHVf
yU52MV1Ab6V9smKJTc8/nJEaXXHndLr5PlrTcN7Df9yUOvmt1N1fIlDno/wpho3xzyBCM+FftIvF
aV0u2PyGnKrqqkPxfF01b9nCCzZeqax15lfz7i3ll6YNC5vNNIoZP1uVFnJqtdqifg66V5oM071G
L4XMscla/o1t+YeKI3k5MqXS4qukSyt8Nu2mC69Wl5uNCqhQqK2LU23gCmJD9U10xd2/6BCZ2RLR
5rrFSZ8/zB+a3RvoSV3z3ItfMkVmfbG16idYqwywLctFGzzjXKzJZlU+n79HJeRsstuLjJtkoT+D
hn++zEqMhGVFfkyk2gS/CGPP5eTUYIJ8mtKWlo7jdm945o6eHRcOH//rjbvGUzmPfuea+6cM7lsy
dMvMgGHaYSo8/iYVD3819fPffpB6cj/3s9Sp1MmdVPvoG7Tw1v4H8XEbJ1kT9ZK8BEmH6Mt38+49
Yn4+FqK0NpV0KbMOzbzt5uLiikJJrVYZJRtfsg8l3Sq5N2yFlJaKKxd+GPfMp/MWBWrShjyzdRX0
WznOykhqUpaTzn7wXte2x0ZWNq1d/ZWpldNXtY1UXZjQWWrTXLkSPPq9pYeWVwozJty+etaazgKc
okjP4V+YQwh++hKxJt9JIhHCR4BjMkFRrIKJeiju8StyzYfiuRP4CXty+bLCQqffhxMbN9fVNfsi
dHMOrJ4Qm5QRnhjMdWnxZ2oxw14X5yf5bszi+TdGYrOUHBibTbJ8wHGBSt7Lw0yE1mfeSxE9orH6
K1MXV5qPP3j/vvuaZtcMBeobw6kP/XHPQEk0GIlcu3r21XPrWretGuKmp77T1eph3Ha5R3Pk0dtP
1iod8xYd6JpSoozU3NByeEpXgYb75oX/cnRumrPgZoQXKFk1fpbfC74Lk9tEfYh5NKGKEOqJRrAy
wyiGGqsZzojdbd9iF3S83Z6vKS4W8isEXtgjVpjNjEPNgv3ANBu12UrcZ/T6cMkZhaKKHAinlSZY
FigLzZOcBfgKWfeOIVGyk0wNUKXogDwSNrs4cIBkFFUCJczft2ZtJubnWoG5DKsYX8uNXz1z3abq
9RvX7Whf9rOtU/ZcM2LrnN/delUsevXyLXdMa1v3yMKvnqJ1A0siN6zrXjIUa1x5a8+qg0OG/NSn
A4sC4YXtExf1V4vX3jF/2Z45pTXUhJkDLcJN4BQ3mSVW6E1GGApGXl9Ic/jCQqPKQRy8A1zDcwd4
nbrQ3lZ4wO32qDdDPj1sEkzJng5SQ8+np9lU4chfNAejGQvD7IEJyMMdyLKHUGNMRzfahMZF1mC4
rm6zxPd1CEmYNTeHmqqD5hHY/wdmJaqt50mG4xUGW3FzTCCmhmU4tkXJEDTIGxh3hFSL+UpJRpVm
c1kFb7VgKQta+Mh+vz+at1mXHiO0IsbG7Li0SNJc+GlMAoH1jMONZV3S/BJzXm64Lc41+71L70ls
/O7qKrW5OEIPwEYrnbxkSufyiXnMTrmzMWigv75mWndj9aSy2hsP38LdPbXObQOHMqvsQmzhtkme
SOLuG7nVaQNGXxyXbDUr5vBLzMFDbhJnyt1G2iN3q3V0ioIVFVJRyYpKqagSVWhTubHuqZxmk8XN
vh/Bx7Kw7GQFeruM8HkqpzPfodd7PbISvYFOkeWHTkm8dgpkyiyFGSxgAcyeoA5SNnOEVMy0mYWe
shaOl7LVgr5RGUZc5QNaKNeq+Lo2eqC0KuJNLdyaOuosCcMPjSjt5T6EVc6/zNeay0pcObE6WK5q
f//cz78jzJnTE1Dj6CQl1vFzimHM1UdufgJnEF4WwVx0iiXMUpOUIqLwstigoj2opD2ooz0+k4Xn
TBo450oVDFlzvqAj9iKFivcVWywufN9hMilzzTjJ5Qoo4YgyTSWpKhZbQvGSWQcjgE2Y/VAs8pU8
m2Q6kGRGDMl80bLjFdTLfzd18hup35vwPY6Hfqc5YjI8T9u+SWUfBaMT6Jir2BPIS91zpzDr80eE
5visiAO+mDYc9A43nf9AuPbzPdznOyc01TIcOIJDUz5/ns3eAinbhNk3k6vExpJKpZ3W1YWaXZ4I
XxmqPBR31wSL82QhajCnjVRjg5BjlTXzSnsdX1JSaG4yN4ULC8VwCHQ0wRmDXoZPcml6WauVTRvt
pgao48z0bHWSqs0QlTennZaM2cpnQ2lw1M0SVujpcJnfu+dOtzunuIyu8U1ob347VRsqDXlTkyrL
C1yPPxUuLkvd5guX1074KPXHklJvvgk8oPB78vsb//qn6uYya2FQCYRUDixIfSM1f3BipBhyoPR6
8+NVtDL102lRTxnaNYXhyXPpKvqy2Fisl0scYgKO7geOgmS2WFlAdDqFz+v3+Q/FfTKLnZfWXiun
NjllCt6uK5Ahki8r1xVsJqSiXFJFLMrGVNHb0EQXzXmmkNDKVi3gROJoEF7idnMaCRl7/qJ64mvo
2yl87lKNtWm+0/vcMyWeYBm9sbRZbE59oM3HAl0XrszPwUd8dF4vAocRTWdBV1tqK507cY6/uBR2
ur5maEXKn/pBQ2eZHe1qW7CzETwwH+HFzzA/K1ks1hCFQQE7XKHIVSupEt9/7RGVehO0rsmksmpz
c7W8Fouy6YDZbNVo1IoDcrmdqENgbkmdRZExs4gtvcb0qnIxjJhZZWB1wEjnEIzx1FBPkY5XICBj
oRPpsvbWsiL7ovMJ7rupvYGKYq/XvIi/ba6jZnhxak9EeC7HWT0nTmezWH8vVssk7FE/Yv/v49OR
8fcfY2oFgvq+qGYlrpIWCCXYURbjKn1XiUYT4AP3iqs0WzRJzUmNQDQGTa/mLs1+jUzLazSOMK0U
KvnKr4mC1Vd8OO6zuM1h835z0iyEkXBm9q1QIFDeJZhzceXIsRRYKhCl4S0Gh4E33O8wmHNzla5R
qvHzVeylKqjCqqrqslElrpjjroTjzrggbf2fklBEonBZEF1cHZy3GnHXzIIM+ziDqNWZKEZQ8myC
QZ8Uv/D7a6qLfWkbRY5AfDOWaQRiwSXM6ecl1SHFJWu4R/SzH5g1ZW0zjuZ6SmZ1TV1g3zq8ZUvb
yIYYp84NlKf+ov3ZC5Wd4fjK5juFwckTVnTe/XBO69IN9X19t1aFnC23bk0dmNxUXWjVRuhz3NJl
DW2OtiX4NJKEgf1zsvuwN1NJhkVfOS2Vweq8T5QZ4KFYDTneHC/v3SvmWPMch+N5JJ+qtvoZBnMY
Zfz+sKGyMn/ULMWuGE7AMJemD76xt7SkbROgAqJhy8wQPrm3yB9QBLAqQkuCfzDltInCVm0LnSd0
zhuZsOKBGSM/2jZ5a1dnB59jC0Q/naDztEwNb7hp9XUNvdN8fCGd1Oa95o2vPXJ6jbOoySC0DE+p
cZlU1erPX+mZE6syP/30sz/1Tu6qhFwswzz7wGUeslGMu3GUmUviU8XCLeaJbmIymNwmXlVoohAO
BwKb/tIuk96OsM59ot1aiCDzXrHQYDCoTW6z2YuvH73qrU7J/mJLXp4DqT1EmGGSITxMu9cZpa/D
voOj5wwC8qfmrWbaMh1uhmaQDLI6xLGBhoxBxk/ebKxqi3Re3WJvHJ7Ycb3YEJ06ODv6w+dWvbCt
byd/8JXWbtfQidGZdyTqa+Nt9U2l5s/P3PPeTViYODY7IQgqFsGzXS5WGo8YDPrDcYMlmhuyh/gQ
m0ZRaWEhKMtmopAfjiuIkqpHTblFvJeRkzG511tfzuaV4e1/o2SGhWHdYJ6GnvcwoUvUg+uh8NYF
mLGTnZCNERc7CdCDUpiaFzJElOcGaz+KafUt85bFDhxf+8yNbVc36Dz17aEtt127qryxvtGpu4yU
N0xtL3FoqtUHhPb2knMfHnhvlcWeOjZ1vliee+rkyef0nsYwYjEcWQoK3wMKO0DjG8Q2t9nq8hh5
472ix6OxkonuNx0fOzjiMDjcjrMOhCMdVsHKW++DmtAgLL9X1KDFZiIek2FrXp7XtE0hYeITU8Pr
xgbQOG15XkZg0Bef2PeckRQ/M0rB7lgSfZehAP6Ih5nX4Ow6Fr3Brgq/RVyxpeelX6x49pbFu2eG
+AtjNRsX9m1tXSEv649fdaPmSPuU4D8/2fvuTeLKb+0wrf/6nKYOOvPq2ycdfICt8NNA7D/JHsKu
4DWiW61QKg7HlRaDCaS20r8E9cRtcLvdJ90vu2U5PHb3T4r2Il+XG9tIxXzxvQXwQDjPQXeQG7Uj
QHvyUQPt0SN68UnVa4zmkgfMWJVxbkvPmWgVY2e2tIHQlwxrbERAUQnYQIxWYaeQuVfw9C1RbuTj
HEdpReqqcr9FvdHvsBlzBFXTutGhaXUj5milp8LvzPmYn33hkfa41wK7RdqJ4OZFYSDnRSuv2TEc
0Dw+IWLyiwumLEO8qCXVyr8NalZhf3cG+as4u83TFwiolSFlLa/ce7KW6msLa0O1vKq2NqTvo30i
MVALdJLeUGgIGT42jBtkXt5gCHVRPIInfxGr9I4uvmuv6MgPtfAte0OGgFpbNKWYIakUiCgudnna
2qZ0uA1mOqXD5ernVCURoWzCNpkBoiGTWaKEzJzC1gONHj2mWCwzo9vKJBY5FQT2mHGAZQEbig3M
HIZhiAIaTlUhvnWZYshqQ4lrGAtBRZyClxZCMbtFiTZmWwUU0qYc/HcmQtaotDZImlNy4urY6lEr
pUyr2jxUkrOMyys3S6vHRcffW8S//YSqsPj5J2bEphS0x88uv63h6hd3LD58fWt/T6hWnN7V3bB4
rLdrIl10YfKS4WhXhaVqVv2ChCMavfMrQ7fEdYGuxr3T+dkKTeGK5keOWRrrfX5D28rJ87/SZ2+Y
19lyVcA8uaphQVPZXXNnbZ5Raky9vGlHID4YGVhfd/P5M/6ZtUMzw0Ox/JoyB+NjRAiEIuirRrJC
jPEMw1wJEsoSwhKDOciXlJYcjptKLW4qbSywNam+7nC8njRQ7ajdHiPe0XCGjcOZWPoVyw+LTmUc
srRZnl5+XCwiB5eX7ZGwXTWJg9NO2cW69KJErxGmzhmM1s1qLc3VByak1geKbDnOaRNLxP6gIrc0
mFrLeF1Sap/EsBhNa3Hn1fSs6Ettn93iRbRca3K3x6l89I7O/K4pwdQt8caAA6Zaeg+uI7tWMf09
A0j5M86h8NBes8Uym+AQDscdlqwe13Mjq3iq59/kOT2/ABnP062ceZRTZ0wS5JI4q0PB4NOnDadJ
aN7qeWcyejorw9jWR1A644iyJVdCAt18YknAY8sR7JGKPzcZKqKpDbL4j3/82RmMvq2TPiZODdmU
NaoLNbPavTlMz8pSHXSdNFYbdj8iGqUSO333i8p8S+7huPWIBYMVvzhapVul0tvpNs42epnmOf3a
aSY2knJlA8470/JedglNqx0M2ZyO318aN133veONd24pam4ts8pzy+o+aJLG+/Nd31znG7AHG4a7
uT9NjQfsmhoVOK0FnBYDp4lsH9M0/j4z4GACSnkuC8Y0oaKsssltc8osxXypyOEICadFfEvvyJcc
p8NxZ8ii1x2O6/XNTYfjzUSkOqPFUSwjZaO1GbzXMv5jEX7J+GFzSAcCMtZf3ilbFJ4iJisxImL9
ddjBZL8ZTxhbFAoWP5XOG0hxmgCWCy8T+y/y5NVuj8URq6sMqZS+Mnq0cmndH6m7ano4tSXPoSmq
uL6owO2sZ2RcUxUwKjLMyVUoVMFoMOaAQ1skx5kEsfqN1I62Fuhh3pirL6hq3l+Rrz0rkTiSkx9o
r+Uv408Ji/R3wKKVhEWLgKDG4Th0kvlwPJdYcGSPjOZkEJGTNgHTaJBo6PuyOXxxfJ/9xzdDMuQL
+Bfxxcfb4iyNEsRSs5i8FKAQ2CXPEo7FKyhLCEuUUbndGZ3WJ6utqT0c782rsSw4Mn/+vMPx+Xqq
Kgl2ytrl7Xz7fTlyg6piNMa4ASsAy0WmimKxAfOo3kPb34StzQQMjcjfh+ZHwbNomHSN4kTwyUcR
NEEusRI7Bc36DUAAwQpscyAYhG6XjClUIDIEC0EKDaWNp3T8HGyR4Yl01MDGVlWrZCW7vqiSBMky
vsyDhHl1sS69SXiZkKzUxXq6WjyJm+3d8xbWty9sL1Sb/RWp65kKU5mdRZX+ko7pxZfq1BZPUWVB
aVe3X56T6/OlNvg9di3TCR808UVCrMlnmLtgSlcgMP2Gq1LbpzS6bdgpzOi3mSvb/PkG95Se6tRX
rmwZXBUvs2p8nVPKU7c3xIosZrbuX6FWIKGgsBAChWPkerGpkhGggq0A5SwJssSRH8P3OBzcD2op
PVJSEjgcL9GXm/RhZqCHDbWjSmVzeVnuaBFCO0y8kZ98zGCkU4pAgzQtsC4w9LMFIYt+iRrpdcGT
WQkuovNyqUN0qi6qSJMks5cjhNJLgdLs9IUDgc5+v6Q2s1r0gyaNbvKcedW1M1vLLMpcfyiLqM7r
JpUWGAunTA6ndqYZ/kpkPCJ0i15Hdc/VM1LbO5pBKGhb5re8DjsoBx7aZLGQwKLdK+JcIQ6T7VUY
rAYN7bFuVbu1kAu1SwcufBw1uq0841tU8pBHZp4gvcwMkXY4Mm4HO/5zpeXA5b782zXPbXn9d9e+
kNqx9Yb2+RPyWld1bbzF8PezB99dee7Ph95dTT976fet1+6Z9pUfz/kFW78mpfoEDWhYgh3xW8Uy
FvqHi+Ek/ko/XPG9ot9amxctjPLR++B+2I7ArsFSoS/aGsmsX8jhUkJ+IpFGYs/j66VlQlShRs84
AmZqML3lhpydcWL+RyYSnIm2MvM7a676Lm43SRIheZggIZMtNl24KHzaA6sxpN3NVSpbMJxaWlxh
VwpaW6Diw6YcfXNXz8SSg8cST22bvKHK3jQjvvGG9+qn93pcr7aKPjuLvFlKOxv5oa6mkjyTqkb1
iNDS4Df88y8HT6920AXDS1vdzz9Nd3inTipjGFoKDLlBRxdiyXNEv0tiaOqsVJZpsaV8n6i1WovN
Zpjpe80Gu95msDpGlRJWmGcWiUQDW/Vpzyx6GieaWjJhmUtxhuzUaZqXL3NCrLY6m6Q14K0xFyTr
jgnu1NJw0KaqnXedePDYmpe2T7wu1hlX2SqKU+/YG6fW3HL7ypVlExom5OlSfTjV5mtpo4NNkyr/
8eGh91YXuJsMn++e0IETR/wr85ZMLHz5h/DEihpD8MQkieYrMNcAYlAuq8OOyIHdwmIx/iM+vZ5q
idKg5HJ5pWyLlq3AJoO1C6EbrcygUipLA9Q06spIsostq2zPC0GWU/ijGsw7gc2MpbSlR7IUMt6J
JJ1ZZ4TpzX8TYLpSVzf/mo7G0Gp7bah4YpsD5nTqmst0nJVv7ymT/7E2UtbbGU59Y06HmwVcL9NV
1WrMbD6kUY2ZRcg+0RrKa8mblsc/lYc/NWXIc0Mi8/wFlHFyl8naFUJ4gcr82vXa27ScD2dHOZ5o
DTjE16sd1spUMm1BpQXHZfaKFmsldmH3VhryDjocZVUUfxFAaRgtKooqR9P+BdvokQwlSYtlPFDG
7kDFgnnABrMy2MkgbPfMu445a1k6X9rXQbw9yvzQ9I4YjIvsLhA3PmyNTanrXeDvXbxkZUvtou29
/V/rXuRcPq+4o9Zd0r98zrUtg99c3XbjPO50rCO/u7UyVh0sn7woPu3quMuR+8rcGXpvrCIq1lT4
uxa1920Uc8zAkw9/xeHHwqPQWbPFiM3A57rNoj/UZRa1+i6z4T4bQqx6OdXycoWoJjCw1H9R6M25
KpVLIdOM4vxeAyP66yy0Bic0S/WGlp4LrweDMBfZlhaCyVGLxyIdimH+tU2Sazinvqpmb65mN21P
/dBQXl9e0llUMXFz/Jab7+HHlCUtC+b8c3GqfeGa1nxPYW1H8wOPcEGMdxLiJz78tYpy7GMWFRzJ
z3cejudb4GF7FbziPtFrNZfTclg7VG8ddbvAtemwoFZbyY0iMon4CWyBEmZ6lDBNxRRulJ3rkfbI
rxDSTOQE+1WSBgI90iEw6TodQ5Em4pc8k8AkWmAqbmv0d87yyXVmb4AWwOStfa9Jrp9x35Q56xtz
fM38D1L8uhuay1zdkyP0+ob0oZ4LM3vimajJUH/XnbfSG/pbfOyPopnH/yGoMdNCslQUVWEzTKkw
2/FRGFhATymlMK5QVtmtBgTysf1zOC7LwUkWGdGbdaBRm8vldthVKo8bLNeEmDfjPxYTfwu8mY2J
t7CtEPzxHPwdm4s7P1fGwjM7P9+u9JtzdP/1Yq6hIkbXB8rKClJH16c+yfcEQJCIJtftdE4IpOT0
vXCzs6ycRfk9E8ULTu7DnoZ8JdM2BeOfy8sxIx/5sWjQGaQlAwnidbAGmdlWgEKuG4mRJTppPWEJ
YmRSj7PYJQIGcg0sNUqpdF+THrtGuW6WGtNpro+nFmLSq7FXJAVfhBx7fpFMqfcV5+YWmDlqNJqx
waAsKMBOEZhA2h9ie0RA1JU7RdHL94pg+7E/98P+1BBiiwgUXbFvZL4MbdLGkSv12c6ztkIww87G
Uq32q5Te8UZSZ6qopfPAuB5H6s3t3IcXDNwfuyYUMIMrEGAY5Hj5+c/on/0drjK2n6DQFzSJF9zA
nw07Bj8F/upI4glSNv4vZkLhD2v9Swyj4CwjOsEbNll8fJG3CBLgVair+FA4hMBTWE90zjIBe2hh
lc9kavBd3DhCGOTiVujFEzE25vzQIIXfc5nXY06raqkqcOnUNfYUzFlEYMGyccpbLXlFxXSif1rD
z9+NTA2krp2hM+/ZZzT7SlLHPTV1FS//sry63Ep3TLNYudaDzqjT5lJEIhpxYip1qq1Tj+W62uJ3
vPCc1WdzerF/oi1uqMMfrSuO1ebDIdJW2SrzWWQiNzVZko9KyEezxm60dr2n+buGU4gose0UtwJb
BQqNCHNH821RyHcTg9USKGNn/mCW2vTKgwqFFQdO3KXWNPmhyM5cRAasfikAxHTai1DfwXlQZTK2
WF/Uz3WZ7aPMbullxOcUnLJu6aZZdR2D2uIiVyjaEUy97/T4A/S+kN+Uozv+nNEcakzLUN9N+6bm
PFvqttWvHeQ+mdTowmqmsXjynI2BlIa+VdJeEMzKEpv1dPDADPBALvmqmItTvmoOnyPmcirercrp
4nUc3Lu3xFKUc2QaqUWfiw8zDGrOwatlHE5j7xU5DVvFNHrVQbXAVvVCcI+Qw0QsR52j5nMPEknc
cEif5ToefCHZpdJOI3xTBC2kOJm0xQQtyQ5qG3DiFaLDlrbg/HnSgVdpnwnusrTPJO098TPOp7ji
1CdVjdX22dw/LvyeKqqr/cUOWpT6Q4RvLO6fSA1V539q8E7pw0ztqY9oO/6qTg7xiib58ZM5IpuV
XJHDHdNo9Dq8CUcIcYYwFMz7CMHc9Ol4dnywOkBrdOFlc2ujlbmK9zvjnWvXdDSFe3DMfzKz744A
jdfhqx4eX6hUi4VckvAG3s338nfxMj3PK5KinHKyo3KlSn60BHJg6DkdrWIHnc+ww71nsGqzWAf7
8uK65557jt/+wQcXFr7/PqPNNUjqMGKe2EQ1n9zC0aMcJxOkkRLcj1Gy2+peeD/d/2r6Iy7GzUV/
j2jiKM89JhKKc8hUkFFS0gjbOfs9BF7qqfFwsVSYvkx/9CBmMRd8YMXJFR++05kqlrqVSivxJ8US
tkXCeXiTdYsVxL7bKviPlvq2EGLKu1mtBnlCbCOELXunX0+TMbNms3PcL7FgKF6V/uwkG57MfHbC
IpzYNQSzpz87iakdNZHGaF7ZlKppC0w7rnu4Z8NXJ+pdlQ0Ta8K53ufo/qLSqoapTZPnjjT1rKid
P/9AY2XXTdNLO9o6Omc0d09scJwAEuA18U/RZ2TfxddDelIqGnVKhZ7qdBqFW6k5xvNGA0PeJ3+4
uHPzuuOU/WnYFFJEVTIlmM4x36rNKZ6xsClaLtfewz/lmepuHlk6K9ayod/VEae/ZrSZyH+LzkVc
REd8okEBPKdfwoOXDHqJQq9ffEneKSBBiujiPGpaB9J2bU7J7MGmSKVcK7sPL2hbsmxqbMLG2a54
B57enOrjv4un86RA1PKUcxLq5rO0j+Y1nQIDtbTgqThswH/3QuVXuddk9/3rfxTs3sdSPdw7sgfh
b1SINjWU1b2imhJsdNxLnBqXZZtM5i5kA7zAzstejE/jWezom9FgwhkhSxECPdI/fB5hw+FNmzXK
vXPkVxtqazb8+khnbVMw7PIaTS5vfpkvOmF+qmfJK/h7py6aT6e/trxPqyspnzb3/q+Pn049k+gP
lVrsGFUQoxr6wqic6VFRl0a2zWJJj+rMF0ZlxrYo/kQHB9OoBrGz9D+cxgv42T9v8D8OSvbgkldS
x1Nvp95NHb1iUHRCZlAY1bupPu4bwLOC4YqDGrtX5CiB5QdcIdg1SqlKKeEKCL8CVx5sdgO4b6Ta
6JOpTyk8JUVH37kF0kz7ENHNPFMuPVNOKcdz91KnjCOjPJ9+5pl/e2YNnljjoX/GM3V45pOpvj75
16WTPFO5g3wBnmkkE0QPJ1NqdEa5VhBMWmrklDJOptEJQg6vFUxmgYegGymCjtInTjhWZ28BsXEB
Cit8Zq9ZFvD56mQ45OqzyfiC1tR4wTZXCq90pd5uo5xrWwGlral3+PtXPp76KW14fOVto6sepw2p
nz6+ahSzI+N67p/jW8GZ+sfJb6DYaMjwNAlBF1lw0oH75ydr10IK9/BPc4ck/lXgvLYFfwbbgBWX
KtlfxT7KC0cVijQOEAcmLSxkNo/pCRzd8wBov7gsj7O0LHfI7ktV0FcZ4Jm3wAM7Aw3F4iHsTCfi
IftwplOJD0/2KQXNrtxcl24Xn9ZFVxBLVsThqx529I0xknSg02SUvpzBec7yX7/auu7Awt++/l4q
tnHzxnWxFVM65jXYDbSfDp2g2qP9qf9KHUl9LbWXezH1/dTPaSGt+CMtuKlv3++ZFjgOrfkSxpRH
mkWXyQpVppSrlKoH8A0A/hqezmpVyfGt4phOl++UdMKzOEQUZTtGpOXSIc4oI032tD8LW/jZdmGA
RuUW7ns5nub5PRcKVi6osuU73etnl9PX6uRU1jjBZ9FwkybJjEXNnXywxNfW2ENtw0cwplswpucx
phIyIkbdBTjwYbdblQVWPs/6oFiAD1lEg7lLVqIs4UseVjocJpVMIXfvMpnKHCUqlX23I3Q6GmJm
a+iT16tOsRzUZWGXZ4OSBYMzvyzewo4IsQAmfC4cAsFHOCymXZd2MnHWNP1pYVrFyxXck5FYscUw
03j++eDdt62N1tfZwyPd/9O6ceOr/d9/0lIxZe7qJwf3a/MrQqnfhZf9bu+Wtq5l80Lda9pePtkQ
feTBmsHZias2PI8/E0TJXeCCFzC7MNkixnO0Pr/fx/v2iX7B6t9XEtbnUSOfB3K4Kqwu3uGCr24W
Knha8aAgaJV+f1kYf7ksT7mrrCzPtMvjqXLuTn8yJi1gmCrLpe/GpB1QbHunZ4vpspWTLaDSVnh6
v9csfT6Z0esWF58JMGXsOWbXetnBDpaDng+vfWH+6iND8RsXNa0eqFn88t5ZP52xwbtm5NbR5JGh
7U8MrV89f32+0PhkXW3n1jkzbxmuVGlq+td1r31sacD92tL5u3fevW9AOTA2a+WGJcsgDT2InXpk
czHVIjKc/k4rxL7T0ivVCpk6X4ZzpA/iAw2ZMo99E3sonudW4m/Tqk2357s9SkEmK3YqpOM+NmwC
/xLudvo4JUiKo0yZ7X7psBf8OxAZs6iB/QWtIn2ApcD+hHTiFlYENiK9lBNwqPjCa9ykOy2NVR7d
FO1Z6ST38tRf6Ha5oE5tlM7SHujm15x/xBiMvHQgfW6bjp+b/+cJF74Cut4Luv4SGsNP7vsepVpZ
nqGA7ReJfmN+l15bgCDRQ6K+4OGCo4ic8AUFRpkPmnWf6DMbcYL0YRyuxY435m818labzaPP22kw
UM8upbKE203TOoGRl/2Zpu5kTt/QwLG83PpBacsW/39J8OIymOZt0JrhQGJ6YwNj9FAkXJeOozC6
pgUUH6CB6aMKj1E6VpsJMN670bVxeHRH1w3T44vqe7lAkcuknaq/8KPqG5quP5FY9dqe79a9tmR4
/8PLdzbDeuLu1tjc76cmWa0LH11/28kEKHsrIhJqcLgDX1rNFstdMrncqFIhxvSQqFI5/A4c5hId
ghEfhsIHknkdsAFy7ggGQ95duemJwu+AY55VgdiSluQ1y7jwRqFuLEVyTmG7fNySjiyuo0UwsfEv
Eyxk3Mvfue8vX3Wr+x9ZsPrh3sQrD/z2zVUvUcO9qfHInF6/Vq6Wb7m1e0mL8wZZZWTbOEkKsfqR
Rzfc+tProPNVx2ntn0aVF1ZYy9warbm+7annqufc2HXPQVD8nvFzAofzajp845zPc2GtVs6xjzRw
6ObhHNg8nFam0xlyNNrQqWdAgOgl2j1BZOPv1w+iksWJWCRQWuPyDM9jZhQWcQ0OpOHzZrMHX5x+
fw/nTHWVRjxW86xcfkjm++y1iLBOr8+vjNM4VCVZCc4bB74LgO8WslCsxWJlFCZ4vTi4vk/02pRe
KBYlItj7RKXZFuSD+2yC845AoE7rusNs1gq76upaK3fhyyfGYF8WsLtMbUirsC2tMhCLls7L1AWy
x2YYB2EhYCe2s1yWiVZnLnUcb+dWr131y92jz6+MLZzM/Wr1K5vvenrk6gvJ/OaRrhmr61qvm3zz
qMbVumRS37qmtg3TJi9ucXKv5JR/6/p1xxcOfnvt7C0zinLmvX3VN+ZOf2DFtQ9T+YSlUypaN/UN
bYrdfv7T1tV94fZtQ8M7J1VOXcZ8mwRw86HEi5VkphgsBC+qTFleDOCTV8aLZhOO5e0zCTIvpTmW
O7zecPkdON3P0AH433Cir4YJUSAT+cL36WyVzuUEhZktLNn1RHKJacOuU5ssGT6MrT+2/he/+0bq
dz857O9oa3GodMq61TO6l7a6bghEbvrrM2kuHPr6xompP6TOnkt95Wcmbm+OI2BV5pVV3P6TEcaG
ew+wOd5Eq/lP+fngBAWpEV30STeYU3hSTMqoXlYo49S8jFcQQakSFFnTKu1IMR3xB+bAmWH5gOcs
N/Hrz4/x67lXd+5MLdzJ/koqW7HYKXj2Iwenk/bJnV1dXcH2hdcsum7Zwv8HBu+RVgplbmRzdHJl
YW0KZW5kb2JqCjczIDAgb2JqCjE4MTc2CmVuZG9iagoyMiAwIG9iago8PCAvVHlwZSAvRm9udCAv
U3VidHlwZSAvVHJ1ZVR5cGUgL0Jhc2VGb250IC9GUVdSUkkrU3ltYm9sIC9Gb250RGVzY3JpcHRv
cgo3NCAwIFIgL0VuY29kaW5nIC9NYWNSb21hbkVuY29kaW5nIC9GaXJzdENoYXIgMTY1IC9MYXN0
Q2hhciAxNjUgL1dpZHRocyBbCjQ2MCBdID4+CmVuZG9iago3NCAwIG9iago8PCAvVHlwZSAvRm9u
dERlc2NyaXB0b3IgL0ZvbnROYW1lIC9GUVdSUkkrU3ltYm9sIC9GbGFncyAzMiAvRm9udEJCb3gg
Wy0xNjcgLTI5OSAxMDk0IDgyN10KL0l0YWxpY0FuZ2xlIDAgL0FzY2VudCA3MDEgL0Rlc2NlbnQg
LTI5OSAvQ2FwSGVpZ2h0IDYyMyAvU3RlbVYgMTAzIC9YSGVpZ2h0CjQ2NyAvU3RlbUggMzggL0F2
Z1dpZHRoIDU3MiAvTWF4V2lkdGggMTA0MiAvRm9udEZpbGUyIDc1IDAgUiA+PgplbmRvYmoKNzUg
MCBvYmoKPDwgL0xlbmd0aCA3NiAwIFIgL0xlbmd0aDEgMzcwNCAvRmlsdGVyIC9GbGF0ZURlY29k
ZSA+PgpzdHJlYW0KeAG9l2t4FNUZx/9nzs7sRpKwAQR0Tdk1hmvSAAGRmyyYpNBYDAFxF2m4JSFY
IpEAAillaUyBRbxhaUpTKpZSizSuQHGlliYPrWC5eIFKL6mWKkVaitYi5cGQ9D3/XfnA037r42zm
d97bOe8758zMmSxZvLQCqYhAIzivek4NeKStk+bmecuW+BN6ShVg9aysmV+d0LtERMf8hSsqE3ra
LmkfqaqYU57Q0S7t7VViSOhqmLS3VVUvWZ7Q0yLSehYumpf0p20X3ameszyZH22i+x+cU10hrRzp
IYG/ZlHtEqpIHyxt/5rFFcl4JX6PN+gt7m38Wk6XEZScFlYmFJG8CCIDcH/g8YrP/Bhz/J0PR8zq
OuYTleExvbDt2LqIaV/NOze2Y+fVJk+Ls1VUh/HGIf3spqtNknN6x85P2zxrrnmM1xxWHO5B4zut
iLLRAa1cpMYqkS3KioQhOskO8irZTn5KXiEvk/8mL5GfkBfJf5Efk/8kPyI/JC+Q/yDPk3+XGjX+
RvkcPkA5bJyjZmSNs5T/Sp4h3yffI/9CnibfJd8h28g/kn8gf0/+jjxFvo1HkCnZ3kaW5HmLtrdE
duFNym8kaSyvUz5OHiWP4LD0+g3l18jD5CHyVdb+a8q/Ig+SreQvyQPkL8hXyJ+T+/Ey7pG69ie0
zjckv7FoxPES0sUTR09qEfG8hH1yP9j0aGFQbMai8TMMFe7FN6HHd2IPnkG+xO3BTLHuYdxuZniR
tcbwgmS0EaPtBTRjmWjGpoUmU3NyBOPRoplMz6NY5J3s8xPyOfLHHHMHRon3R5S30/5DZn+Wlm3J
8bZhnERt43imRo0fsN9WjBf5+7IyGk3s/T1m20L5u2SjuY/xHdwh3EzLt8mnOcImep8in2TOJ+h9
HFck/jHGbKT3UXID1zTKmPXkOvSXyHWdH8m1rqXlW2RD8t5pwJ3iN/eRRr3MtJnhekbUc92MRWON
zF+beNbQswYtMloEq/Go2IxHC80Mr8Y3MEZsxqOFZoaNxTyt5un8Olkn7xETVZfQmMdYNFbQspx8
mFzGq14q62/612IxCqVnbUJjT2PReAg1XP2H6KnBIq6+sWnxmNoW4UH0lb7Go4WmNmPR+Br7VJHz
yQpyHjmLLCO/Ss4k78cMqc3G/dSMrBGmHCLvI6eT95LTyKlcqVLKJeQ95GTyK+TdZDE5sfPPUumX
OH4RLQV8xu+iPIEcTwZ5NeMo30mOJceQo8lR5EjcJdXeQXkEOYzMJ4eSQzBMYgZTziO/SOaSOZgo
3kGUB5IDyP7oJ3elLXedWS8ja6nKyNnkbegqchZ8wlvljtcI0O7HvSL3YfwXaMmkfAvpG5+4D27m
LNzE3L0Z1YvsSd6YpFfmq4fsTtlSRw/auqObPHk2ujNjt6TP2DRlLfuZqdErP5dUaJ6udFrSyFSy
C3kDmUJ6SDeGS7yD40KbFu5RopkxLT5bZsd0yd5m7pLZcvWzxRpBGp6Q8xk5Y3K2yOmGUnc3bFS1
gz6XA59Llv9rkkxcwDGMxlprvbx3p6MVZeo8dqtN2KBysV68o+XdvhuH5ByBXMzWOySmHSdk1zlh
zcQR0SoxxLpJ2smYJlFNlmVlYila1Wa0WunWOLULW60mtVpWZgb6uPpJ5EWE9F5UI996DmWuB6wG
N1BrPYulyitvozJrgjU5xUKj6xJG2EWyR7wiK7pDV1tn3WUoUJdl9Cr8Cacx3BqBudhozZVKD6gT
ap86pd6zSvG6Oqja1TF7In/mW7AXLtit2Gf55N22T3QfxmlX0j9R9D4YIPWbs1Jtso+orXL9JXL1
FzAEW/Ck2LfYE6WKIboRuVoql6+SL8tvgG4US75dL/JBPI5S+wRmqCYsdVbJXIlP71O7ka8b7Xp1
iHqjZOumzjiZGOkKWP2cMtlJztkxa6x1Cg+j3rokkXvxrr3R2iHz0c1usurV3MScYLJdig32RvSQ
mQlIO1NWpI99EaVqv5ULr96hdn42N/Zr1lkr1SlCuX1eXVCXnTwnW+22L1tAvWp1hmOsanfy1QFn
pJMus1kv83igrmF1p+xagzEQCLod26UthRy/N2ZlTyqPBaeE/IfDgdyc61S/1+2PoSSWtsIf7+ws
Cbl8djhm3xLT2Z6YKzvr9P9yns7NKS4J+ePKXViQHLZwdoEYp4Ykg/wZs6QrLMiVj9ac4jicktCL
Sj0WjqvOhjgKMl82HzazysTtyfH7CxcUxNRsUVJyxDAwININOf4iqaOoNJQV9kf90UnlUX+Rv2pO
uRTGVhwV0XCelDg1tEA4LRSIBcO+a2JFODxKxulixpEuEh4NywgPJEeQlqa8qxKUmlPsj+m+JaEp
oVikwBcLFoR9gYC/MNZSEoq1FPgC4bBEpV2rVCpetaB3suZ0qTltoPi7JkaROQj6YghHo2bMqaGs
QCwSjfqich1JPY6W6wwK1xuCSUMcZgyZicK4ipTIYNJkBXzGkBXICkidYTPJXjP3hVJpIJzrOoZK
3SzPvvmvwvw/AvlvzJET8gX3mQWy60wQi4XKjs2uSnu7vI/d6BVMccFRHttyIe9o29Eh8J48evLo
4O4ZgYzsQEag0oX2Wu1rP9Ox2Z1++ePFzgAzukKzetNqdwXQBd2DHv3blFSnGKnek++b/ucHdx92
e/7Qnjf2cLJu7dvcXLfy+Z+urNtlXVnRvKuurlnKlBvbHB275Cn8b4fxr6VDyf6VuCJH9ggUTbmv
tHTSoKkrqucuWoj/AAPXIEEKZW5kc3RyZWFtCmVuZG9iago3NiAwIG9iagoyMDU3CmVuZG9iago3
NyAwIG9iagooTWljcm9zb2Z0IFdvcmQgLSBQcml2YWN5IFByb3RlY3RlZCBFbWFpbC5kb2N4KQpl
bmRvYmoKNzggMCBvYmoKKE1hYyBPUyBYIDEwLjkgUXVhcnR6IFBERkNvbnRleHQpCmVuZG9iago3
OSAwIG9iagooV29yZCkKZW5kb2JqCjgwIDAgb2JqCihEOjIwMTMxMjA4MTk0MDI2WjAwJzAwJykK
ZW5kb2JqCjgxIDAgb2JqCigpCmVuZG9iago4MiAwIG9iagpbIF0KZW5kb2JqCjEgMCBvYmoKPDwg
L1RpdGxlIDc3IDAgUiAvUHJvZHVjZXIgNzggMCBSIC9DcmVhdG9yIDc5IDAgUiAvQ3JlYXRpb25E
YXRlIDgwIDAgUiAvTW9kRGF0ZQo4MCAwIFIgL0tleXdvcmRzIDgxIDAgUiAvQUFQTDpLZXl3b3Jk
cyA4MiAwIFIgPj4KZW5kb2JqCnhyZWYKMCA4MwowMDAwMDAwMDAwIDY1NTM1IGYgCjAwMDAxMTIz
MzYgMDAwMDAgbiAKMDAwMDAwNTgwNSAwMDAwMCBuIAowMDAwMDM0OTM5IDAwMDAwIG4gCjAwMDAw
MDAwMjIgMDAwMDAgbiAKMDAwMDAwNTc4NSAwMDAwMCBuIAowMDAwMDA1OTA5IDAwMDAwIG4gCjAw
MDAwMDg3NzggMDAwMDAgbiAKMDAwMDAwMDAwMCAwMDAwMCBuIAowMDAwMDY5NDg3IDAwMDAwIG4g
CjAwMDAwMDAwMDAgMDAwMDAgbiAKMDAwMDA0ODYwNSAwMDAwMCBuIAowMDAwMDAwMDAwIDAwMDAw
IG4gCjAwMDAwMzUxMDAgMDAwMDAgbiAKMDAwMDAwMDAwMCAwMDAwMCBuIAowMDAwMDg5NzMwIDAw
MDAwIG4gCjAwMDAwMDYwNDIgMDAwMDAgbiAKMDAwMDAwODc1NyAwMDAwMCBuIAowMDAwMDE1MjI1
IDAwMDAwIG4gCjAwMDAwMDg4MTQgMDAwMDAgbiAKMDAwMDAxNTIwNCAwMDAwMCBuIAowMDAwMDE1
MzMyIDAwMDAwIG4gCjAwMDAxMDk1MjkgMDAwMDAgbiAKMDAwMDA2NDU3OCAwMDAwMCBuIAowMDAw
MDAwMDAwIDAwMDAwIG4gCjAwMDAwNTgxNzMgMDAwMDAgbiAKMDAwMDAwMDAwMCAwMDAwMCBuIAow
MDAwMDc5MzE0IDAwMDAwIG4gCjAwMDAwMjIyOTcgMDAwMDAgbiAKMDAwMDAxNTQ5NCAwMDAwMCBu
IAowMDAwMDIyMjc2IDAwMDAwIG4gCjAwMDAwMjI0MDQgMDAwMDAgbiAKMDAwMDAyODMyNSAwMDAw
MCBuIAowMDAwMDIyNTUzIDAwMDAwIG4gCjAwMDAwMjgzMDQgMDAwMDAgbiAKMDAwMDAyODQzMiAw
MDAwMCBuIAowMDAwMDM0NzIxIDAwMDAwIG4gCjAwMDAwMjg1NDMgMDAwMDAgbiAKMDAwMDAzNDcw
MCAwMDAwMCBuIAowMDAwMDM0ODI4IDAwMDAwIG4gCjAwMDAwMzUwNTAgMDAwMDAgbiAKMDAwMDAz
NjAyMCAwMDAwMCBuIAowMDAwMDM1NDMyIDAwMDAwIG4gCjAwMDAwMzYwMDAgMDAwMDAgbiAKMDAw
MDAzNjI2MCAwMDAwMCBuIAowMDAwMDQ4NTgzIDAwMDAwIG4gCjAwMDAwNDkzNTEgMDAwMDAgbiAK
MDAwMDA0ODg2NyAwMDAwMCBuIAowMDAwMDQ5MzMxIDAwMDAwIG4gCjAwMDAwNDk1OTUgMDAwMDAg
biAKMDAwMDA1ODE1MiAwMDAwMCBuIAowMDAwMDU4NzkyIDAwMDAwIG4gCjAwMDAwNTgzODcgMDAw
MDAgbiAKMDAwMDA1ODc3MiAwMDAwMCBuIAowMDAwMDU5MDM2IDAwMDAwIG4gCjAwMDAwNjQ1NTcg
MDAwMDAgbiAKMDAwMDA2NDc1MSAwMDAwMCBuIAowMDAwMDY1MDExIDAwMDAwIG4gCjAwMDAwNjk0
NjYgMDAwMDAgbiAKMDAwMDA3MDEzNSAwMDAwMCBuIAowMDAwMDY5NzA1IDAwMDAwIG4gCjAwMDAw
NzAxMTUgMDAwMDAgbiAKMDAwMDA3MDM3MCAwMDAwMCBuIAowMDAwMDc5MjkzIDAwMDAwIG4gCjAw
MDAwODAyMTEgMDAwMDAgbiAKMDAwMDA3OTYzMCAwMDAwMCBuIAowMDAwMDgwMTkxIDAwMDAwIG4g
CjAwMDAwODA0NTggMDAwMDAgbiAKMDAwMDA4OTcwOSAwMDAwMCBuIAowMDAwMDkxMDAyIDAwMDAw
IG4gCjAwMDAwOTAyMDIgMDAwMDAgbiAKMDAwMDA5MDk4MiAwMDAwMCBuIAowMDAwMDkxMjQwIDAw
MDAwIG4gCjAwMDAxMDk1MDcgMDAwMDAgbiAKMDAwMDEwOTcwMyAwMDAwMCBuIAowMDAwMTA5OTUw
IDAwMDAwIG4gCjAwMDAxMTIwOTcgMDAwMDAgbiAKMDAwMDExMjExOCAwMDAwMCBuIAowMDAwMTEy
MTgyIDAwMDAwIG4gCjAwMDAxMTIyMzIgMDAwMDAgbiAKMDAwMDExMjI1NSAwMDAwMCBuIAowMDAw
MTEyMjk3IDAwMDAwIG4gCjAwMDAxMTIzMTYgMDAwMDAgbiAKdHJhaWxlcgo8PCAvU2l6ZSA4MyAv
Um9vdCA0MCAwIFIgL0luZm8gMSAwIFIgL0lEIFsgPGEzOGY1OTVlNGQwYTMzODliMzQ5YTNmYmI3
ZDcyZmExPgo8YTM4ZjU5NWU0ZDBhMzM4OWIzNDlhM2ZiYjdkNzJmYTE+IF0gPj4Kc3RhcnR4cmVm
CjExMjQ4MAolJUVPRgo=
--047d7bb03c467caf3804ed57ef22--

From benl@google.com  Thu Dec 12 07:24:56 2013
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90B4E1AE301 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:24:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level: 
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7iUzeL6lcaJE for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:24:55 -0800 (PST)
Received: from mail-vb0-x232.google.com (mail-vb0-x232.google.com [IPv6:2607:f8b0:400c:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id 836201A1F61 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:24:55 -0800 (PST)
Received: by mail-vb0-f50.google.com with SMTP id w18so385392vbj.37 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:24:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Qa7SL7Dy1vimmxYMZevBPe53aKkczC0a+eK4J5vq3Cw=; b=M8x0RTRVMUSXon/dmCut8D7afeoh6eat3X1s3/nCSlSj5ie1wj4R2gxNd29GRvIg+O y/hLWU/xHnFYZ202Lqp9hfUuYOE9uapgVxa9XySz6Bn8vDXf4HZwb27bXO/wiM+sNGiO gRZUfPv+TzudhLH0KwiQUehWKegYFNvYvuPnZt89JxtUBYzZ32M6EoufuLIUrCS1LTKo vTR70JSrzyHotLil5ZoJYwu4m6LjckTErXQkrIJoKJKAouyZHgT+z76iobpNEqWYwnKn HZWaz1jglQZB/J/rxwsxWg+RS1QmYeaGYUfgt6lNL2PLNek0hKx6yB+I6pjhJ9K+VEcz SH9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Qa7SL7Dy1vimmxYMZevBPe53aKkczC0a+eK4J5vq3Cw=; b=CfWa0w8QZzFaQvOEPqe1RI4FuFDMX0SKLoaIOBkhgvUFAl2t70z+0qnL8HrQhv/oSi hxKqd6IX6mYTLOx1Q1Z3C83HtGMIxy5swxs6djeBiwExAWo0Gbe1FPBjc0y/JyKJ9PCS chGynPQprIhhhPcgZwxKrvGwmKLkZqoWedYHGddVtvsED3Zfq3gbcQptBUnq2osrL4TQ MTurZM49uNd4E4esZvN6KktdPe9sC7ySI9rsgZnaAt4OV9Au6zqVimVhf/sY7qYoGRqr r6QJ1Q4nBrW6Ft3zC9RXnGtVukVNtnLtANsOL/lbaDcHp87o2Cm86B52wl01g/9rxrvO BUGQ==
X-Gm-Message-State: ALoCoQkxNknc1VurZ0Rkc+jR90cZejoBwMBRVmmWHyKuGXAm/VhNB7sNF9qpzuAB3qflUG5o/KwHaYZYu3Y0NgaGN6FZQ7N4t9IYZ2nyYr5Q6ncbFj7bne0jXhAWbvBHb3siFeZc33/UTREouZ207VPeR81FXHBSmcP1GaA5xxB/Kf2g+J56eA/Q/Fav9/BQ58CDxlih7bNP
MIME-Version: 1.0
X-Received: by 10.52.27.11 with SMTP id p11mr34547vdg.67.1386861889353; Thu, 12 Dec 2013 07:24:49 -0800 (PST)
Received: by 10.52.183.65 with HTTP; Thu, 12 Dec 2013 07:24:49 -0800 (PST)
In-Reply-To: <CECF0556.29FC3%paul@marvell.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <CECE51D6.29F5B%paul@marvell.com> <CABrd9SRwkxWYV9L1iWsyCqzMYKAcpoeSRh+kG6MMMzZC0y8siw@mail.gmail.com> <CECF0556.29FC3%paul@marvell.com>
Date: Thu, 12 Dec 2013 15:24:49 +0000
Message-ID: <CABrd9SQtS+Vhdf26fKjKwGowVc1BA4QMmW7x3egGx9j4tbc-Gg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Lambert <paul@marvell.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Dec 2013 15:24:56 -0000

On 12 December 2013 14:39, Paul Lambert <paul@marvell.com> wrote:
>
>
>>>
>>> On 12/11/13, 8:55 AM, "Ben Laurie" <benl@google.com> wrote:
>>>
>>>>Who's in?
>>> Very cool concept ... very broad possible applications.
>>> Less interested in HTTPS/TLS, but many applications.
>>
>>Great - can you be more specific what interests you?
>
> 1) Basic logs and the ability to have assurance on time and order

Not sure how you do time without some notion of trust. But order is a
basic property of the log, yes.

> 2) Distributed authorization systems with an ability to demonstrate the
> existence
>    and ordering of authorization statements
> 3) Time stamps and time synchronization
> 4) Group membership / enrollment
> 5) 'key centric' identity (mappings using hashes of keys as identity)
> 6) Service description and discovery without central registration

These all sound interesting, indeed.

From stephen.farrell@cs.tcd.ie  Thu Dec 12 07:33:48 2013
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF96B1AE329 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:33:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TbWjclee_KNj for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:33:46 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 7AD7A1AE30C for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:33:46 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id D2D2EBE9C; Thu, 12 Dec 2013 15:33:39 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wd0yOBJQ+A0I; Thu, 12 Dec 2013 15:33:38 +0000 (GMT)
Received: from [10.87.48.12] (unknown [86.42.29.42]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 316C4BE79; Thu, 12 Dec 2013 15:33:38 +0000 (GMT)
Message-ID: <52A9D752.2060303@cs.tcd.ie>
Date: Thu, 12 Dec 2013 15:33:38 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>	<52A9AB84.6090609@cs.tcd.ie> <CABrd9STXJ-_hbfKV3NraQHvAFzcqZ9aCi4v=Pur82yLtCZk-MQ@mail.gmail.com>
In-Reply-To: <CABrd9STXJ-_hbfKV3NraQHvAFzcqZ9aCi4v=Pur82yLtCZk-MQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-List-Received-Date: Thu, 12 Dec 2013 15:33:48 -0000

On 12/12/2013 03:23 PM, Ben Laurie wrote:
> I want to generate standards-track RFC(s) for 6962-bis, but other
> stuff could proceed in parallel. I don't want to hold up 6962-bis for
> that other stuff, though.

What requirements are there to be able to also
use a 6962bis log instance or piece of s/w for
another transparency-for-X thing?

If there are none or it's ok as a best-effort
thing then working in parallel seems ok, but if
there's a strong desire to be able to use the
same log instance or s/w for more than one
thing, aren't there dangers there?

I've no particular opinion as to what's right
here btw, but it's a fairly typical way in which
a WG might trip up and can lead to the WG
convincing themselves to step back to start
from use-cases, blah, requirements, blah,
architecture, blah etc. after a big and non-fun
argument.

Better to figure it out and have some sort of
consensus on that kind of thing up front if
possible.

S.

From benl@google.com  Thu Dec 12 07:47:01 2013
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9302A1ADFC6 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:47:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level: 
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gWKQbOEK-evz for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 07:47:00 -0800 (PST)
Received: from mail-vc0-x22b.google.com (mail-vc0-x22b.google.com [IPv6:2607:f8b0:400c:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 66D0F1ADF64 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:47:00 -0800 (PST)
Received: by mail-vc0-f171.google.com with SMTP id ik5so404352vcb.2 for <therightkey@ietf.org>; Thu, 12 Dec 2013 07:46:54 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.220.79.199 with SMTP id q7mr287539vck.38.1386863214181; Thu, 12 Dec 2013 07:46:54 -0800 (PST)
Received: by 10.52.183.65 with HTTP; Thu, 12 Dec 2013 07:46:54 -0800 (PST)
In-Reply-To: <52A9D752.2060303@cs.tcd.ie>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <52A9AB84.6090609@cs.tcd.ie> <CABrd9STXJ-_hbfKV3NraQHvAFzcqZ9aCi4v=Pur82yLtCZk-MQ@mail.gmail.com> <52A9D752.2060303@cs.tcd.ie>
Date: Thu, 12 Dec 2013 15:46:54 +0000
Message-ID: <CABrd9SQyRea2d3gUPYLu5CUL9bk6aGSmUxx1SZRhRKQMicECoQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-List-Received-Date: Thu, 12 Dec 2013 15:47:01 -0000

On 12 December 2013 15:33, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
>
> On 12/12/2013 03:23 PM, Ben Laurie wrote:
>> I want to generate standards-track RFC(s) for 6962-bis, but other
>> stuff could proceed in parallel. I don't want to hold up 6962-bis for
>> that other stuff, though.
>
> What requirements are there to be able to also
> use a 6962bis log instance or piece of s/w for
> another transparency-for-X thing?
>
> If there are none or it's ok as a best-effort
> thing then working in parallel seems ok, but if
> there's a strong desire to be able to use the
> same log instance or s/w for more than one
> thing, aren't there dangers there?

CT is tightly linked to CAs as an anti-spam measure, and so I don't
think it can be used for other things.

I think it is possible to define a more generic mechanism, with some
parameter choices (e.g. do you have the logs issue signatures on
timestamps and later order the log, as in CT, or do you order before
issuing a signature on a Merkle proof?), for other things, but that's
a distraction from progress on CT, which is urgent.

Spam is a particularly thorny issue, and I suspect anti-spam measures
are tightly linked to the log's purpose. I have ideas for DNSSEC and
binaries, but they are not completely generic. A log with no mechanism
to control ingress of loggable things is trivial to DoS into
uselessness.

> I've no particular opinion as to what's right
> here btw, but it's a fairly typical way in which
> a WG might trip up and can lead to the WG
> convincing themselves to step back to start
> from use-cases, blah, requirements, blah,
> architecture, blah etc. after a big and non-fun
> argument.
>
> Better to figure it out and have some sort of
> consensus on that kind of thing up front if
> possible.
>
> S.
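
The parameter choice described in the message above (sign a timestamp first and order the log later, as in CT, versus order first and sign something a Merkle proof verifies against), together with the ingress gate the message says a log needs, as an added Python example that is not part of the thread or of any CT implementation. It uses the RFC 6962 tree hashing; the `Log` class, its method names, the `admit` policy callable and the HMAC used in place of the log's public-key signature are all assumptions made for illustration.

```python
import hashlib
import hmac

LOG_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the log's signature

def sign(msg):
    return hmac.new(LOG_KEY, msg, hashlib.sha256).digest()

def leaf_hash(data):
    return hashlib.sha256(b"\x00" + data).digest()
def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):
    """Largest power of two strictly smaller than n (RFC 6962, section 2.1)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves):
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def audit_path(index, leaves):
    if len(leaves) <= 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return audit_path(index, leaves[:k]) + [merkle_root(leaves[k:])]
    return audit_path(index - k, leaves[k:]) + [merkle_root(leaves[:k])]

def root_from_path(leaf, index, size, path):
    # Rebuild the root from one leaf hash and its audit path.
    if size == 1:
        if path:
            raise ValueError("audit path too long")
        return leaf
    if not path:
        raise ValueError("audit path too short")
    k = _split(size)
    if index < k:
        return node_hash(root_from_path(leaf, index, k, path[:-1]), path[-1])
    return node_hash(path[-1], root_from_path(leaf, index - k, size - k, path[:-1]))

class Log:
    def __init__(self, admit):
        self.admit = admit   # ingress policy: the log's anti-spam gate
        self.pending = []    # promised, not yet sequenced
        self.leaves = []     # sequenced entries

    def _check(self, entry):
        if not self.admit(entry):
            raise PermissionError("entry refused by ingress policy")

    def tree_head(self):
        size, root = len(self.leaves), merkle_root(self.leaves)
        return size, root, sign(b"head" + size.to_bytes(8, "big") + root)

    def submit_promise(self, entry, now):
        """Choice 1 (as in CT): sign a timestamp now, order the log later."""
        self._check(entry)
        self.pending.append(entry)
        return now, sign(b"promise" + now.to_bytes(8, "big") + entry)

    def merge(self):
        # Sequence everything promised so far and publish a new head.
        self.leaves += self.pending
        self.pending = []
        return self.tree_head()

    def submit_ordered(self, entry):
        """Choice 2: order first, then sign a head the proof verifies against."""
        self._check(entry)
        self.leaves.append(entry)
        index = len(self.leaves) - 1
        return index, audit_path(index, self.leaves), self.tree_head()

    def prove(self, entry):
        index = self.leaves.index(entry)
        return index, audit_path(index, self.leaves)

def verify_promise(entry, now, sig):
    return hmac.compare_digest(sig, sign(b"promise" + now.to_bytes(8, "big") + entry))

def verify_inclusion(entry, index, path, head):
    size, root, sig = head
    expected = sign(b"head" + size.to_bytes(8, "big") + root)
    if not (0 <= index < size and hmac.compare_digest(sig, expected)):
        return False
    try:
        return root_from_path(leaf_hash(entry), index, size, path) == root
    except ValueError:
        return False
```

With `submit_promise` the submitter holds only a signed promise until `merge` runs, so a verifier cannot check inclusion at submission time; with `submit_ordered` the inclusion proof is checkable immediately, at the cost of sequencing on the submission path.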

From paul@marvell.com  Thu Dec 12 08:09:52 2013
Return-Path: <paul@marvell.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 685601AE014 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 08:09:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.567
X-Spam-Level: 
X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zbDXL0G1l2wX for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 08:09:51 -0800 (PST)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by ietfa.amsl.com (Postfix) with ESMTP id 7FA581AE349 for <therightkey@ietf.org>; Thu, 12 Dec 2013 08:09:51 -0800 (PST)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id rBCG9hsO026465; Thu, 12 Dec 2013 08:09:43 -0800
Received: from sc-owa.marvell.com ([199.233.58.135]) by mx0b-0016f401.pphosted.com with ESMTP id 1gpgd4n27a-4 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 12 Dec 2013 08:09:43 -0800
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA.marvell.com ([::1]) with mapi; Thu, 12 Dec 2013 08:09:40 -0800
From: Paul Lambert <paul@marvell.com>
To: Ben Laurie <benl@google.com>
Date: Thu, 12 Dec 2013 08:09:39 -0800
Thread-Topic: Transparent time -> Re: [therightkey] Draft charter for a Transparency Working Group
Thread-Index: Ac73VI/dTGdWjhafRw67redk0qmjKg==
Message-ID: <CECF1BDF.2A00B%paul@marvell.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.3.9.131030
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2013-12-12_04:2013-12-12,2013-12-12,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=1 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1312120066
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: [therightkey] Transparent time -> Re: Draft charter for a Transparency Working Group
X-List-Received-Date: Thu, 12 Dec 2013 16:09:52 -0000

>>
>> 1) Basic logs and the ability to have assurance on time and order
>
>Not sure how you do time without some notion of trust. But order is a
>basic property of the log, yes.

Order places bounds on observed events in a time sequence.  Log based
'time' would have a different model of usage and would validate the
order of events rather than deliver a continuous clock time. For a broader
usage of time in the logs you have a good point about the 'trust'
particularly for time.  Different entries would have different qualities
of time accuracy and veracity that could be quantified.


Paul




From fanf2@hermes.cam.ac.uk  Thu Dec 12 08:24:19 2013
Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 128961ADFFA for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 08:24:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xhdvd4Mo3No8 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 08:24:16 -0800 (PST)
Received: from ppsw-42.csi.cam.ac.uk (ppsw-42.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f42]) by ietfa.amsl.com (Postfix) with ESMTP id C00DC1ADFE0 for <therightkey@ietf.org>; Thu, 12 Dec 2013 08:24:16 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:55438) by ppsw-42.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.159]:25) with esmtpa (EXTERNAL:fanf2) id 1Vr93Z-0006cC-7J (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 12 Dec 2013 16:24:09 +0000
Received: from fanf2 by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1Vr93Z-0005II-7Q (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 12 Dec 2013 16:24:09 +0000
Date: Thu, 12 Dec 2013 16:24:09 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Paul Lambert <paul@marvell.com>
In-Reply-To: <CECF1BDF.2A00B%paul@marvell.com>
Message-ID: <alpine.LSU.2.00.1312121615001.11049@hermes-2.csi.cam.ac.uk>
References: <CECF1BDF.2A00B%paul@marvell.com>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="1870870024-1082801049-1386865449=:11049"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Ben Laurie <benl@google.com>
Subject: Re: [therightkey] Transparent time -> Re: Draft charter for a Transparency Working Group
X-List-Received-Date: Thu, 12 Dec 2013 16:24:19 -0000

Paul Lambert <paul@marvell.com> wrote:

> >> 1) Basic logs and the ability to have assurance on time and order
> >
> >Not sure how you do time without some notion of trust. But order is a
> >basic property of the log, yes.
>
> Order places bounds on observed events in a time sequence.  Log based
> 'time' would have a different model of usage and would validate the
> order of events rather than deliver a continuous clock time. For a broader
> usage of time in the logs you have a good point about the 'trust'
> particularly for time.  Different entries would have different qualities
> of time accuracy and veracity that could be quantified.

Tangentially related (since it does not involve Merkle logs) I have a
background project on secure time, based on getting the time from multiple
different sources using tlsdate and requiring that a quorum of them agree.
I have written a few articles on the subject and some rough proof-of-
concept code (not even polished enough to be called a prototype).

http://fanf.livejournal.com/128861.html
http://fanf.livejournal.com/129371.html
http://fanf.livejournal.com/129569.html
https://git.csx.cam.ac.uk/x/ucs/u/fanf2/temporum.git

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

From benl@google.com  Thu Dec 12 08:33:09 2013
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CA8C1AE026 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 08:33:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level: 
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1wqBWjF37BrZ for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 08:33:08 -0800 (PST)
Received: from mail-ve0-x22a.google.com (mail-ve0-x22a.google.com [IPv6:2607:f8b0:400c:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id C33381ADFC1 for <therightkey@ietf.org>; Thu, 12 Dec 2013 08:33:07 -0800 (PST)
Received: by mail-ve0-f170.google.com with SMTP id oy12so485515veb.15 for <therightkey@ietf.org>; Thu, 12 Dec 2013 08:33:01 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.58.95.97 with SMTP id dj1mr4331436veb.21.1386865981557; Thu, 12 Dec 2013 08:33:01 -0800 (PST)
Received: by 10.52.183.65 with HTTP; Thu, 12 Dec 2013 08:33:01 -0800 (PST)
In-Reply-To: <alpine.LSU.2.00.1312121615001.11049@hermes-2.csi.cam.ac.uk>
References: <CECF1BDF.2A00B%paul@marvell.com> <alpine.LSU.2.00.1312121615001.11049@hermes-2.csi.cam.ac.uk>
Date: Thu, 12 Dec 2013 16:33:01 +0000
Message-ID: <CABrd9SQKBOodhj0ZKeo5-U2rcqCOJFH9kNHABB4P9jE611cNkg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Tony Finch <dot@dotat.at>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Cc: Paul Lambert <paul@marvell.com>, "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Transparent time -> Re: Draft charter for a Transparency Working Group
X-List-Received-Date: Thu, 12 Dec 2013 16:33:09 -0000

On 12 December 2013 16:24, Tony Finch <dot@dotat.at> wrote:
> Paul Lambert <paul@marvell.com> wrote:
>
>> >> 1) Basic logs and the ability to have assurance on time and order
>> >
>> >Not sure how you do time without some notion of trust. But order is a
>> >basic property of the log, yes.
>>
>> Order places bounds on observed events in a time sequence.  Log based
>> 'time' would have a different model of usage and would validate the
>> order of events rather than deliver a continuous clock time. For a broader
>> usage of time in the logs you have a good point about the 'trust'
>> particularly for time.  Different entries would have different qualities
>> of time accuracy and veracity that could be quantified.
>
> Tangentially related (since it does not involve Merkle logs) I have a
> background project on secure time, based on getting the time from multiple
> different sources using tlsdate and requiring that a quorum of them agree.

You know we're in the process of breaking tlsdate by removing time
from the TLS handshake? Of course, you can get it from the HTTP
headers instead...

> I have written a few articles on the subject and some rough proof-of-
> concept code (not even polished enough to be called a prototype).
>
> http://fanf.livejournal.com/128861.html
> http://fanf.livejournal.com/129371.html
> http://fanf.livejournal.com/129569.html
> https://git.csx.cam.ac.uk/x/ucs/u/fanf2/temporum.git
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.

From fanf2@hermes.cam.ac.uk  Thu Dec 12 09:49:51 2013
Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0839E1AE399 for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 09:49:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pj4GLvaYldWY for <therightkey@ietfa.amsl.com>; Thu, 12 Dec 2013 09:49:48 -0800 (PST)
Received: from ppsw-42.csi.cam.ac.uk (ppsw-42.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f42]) by ietfa.amsl.com (Postfix) with ESMTP id 085F81AE38F for <therightkey@ietf.org>; Thu, 12 Dec 2013 09:49:47 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:58354) by ppsw-42.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.159]:25) with esmtpa (EXTERNAL:fanf2) id 1VrAOI-0005KV-9S (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 12 Dec 2013 17:49:38 +0000
Received: from fanf2 by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1VrAOI-0002PA-SM (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 12 Dec 2013 17:49:38 +0000
Date: Thu, 12 Dec 2013 17:49:38 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Ben Laurie <benl@google.com>
In-Reply-To: <CABrd9SQKBOodhj0ZKeo5-U2rcqCOJFH9kNHABB4P9jE611cNkg@mail.gmail.com>
Message-ID: <alpine.LSU.2.00.1312121744130.11548@hermes-2.csi.cam.ac.uk>
References: <CECF1BDF.2A00B%paul@marvell.com> <alpine.LSU.2.00.1312121615001.11049@hermes-2.csi.cam.ac.uk> <CABrd9SQKBOodhj0ZKeo5-U2rcqCOJFH9kNHABB4P9jE611cNkg@mail.gmail.com>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: Paul Lambert <paul@marvell.com>, "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Transparent time -> Re: Draft charter for a Transparency Working Group
X-List-Received-Date: Thu, 12 Dec 2013 17:49:51 -0000

Ben Laurie <benl@google.com> wrote:
>
> You know we're in the process of breaking tlsdate by removing time
> from the TLS handshake? Of course, you can get it from the HTTP
> headers instead...

Yes. Yuck. This is what you get when you use protocols parasitically :-)
I would be very interested to hear from anyone who has thoughts on how to
do this properly rather than as a hack.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

From warren@kumari.net  Fri Dec 13 13:50:38 2013
Return-Path: <warren@kumari.net>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA0911AE3A6 for <therightkey@ietfa.amsl.com>; Fri, 13 Dec 2013 13:50:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1nOxmjShK5Sv for <therightkey@ietfa.amsl.com>; Fri, 13 Dec 2013 13:50:37 -0800 (PST)
Received: from vimes.kumari.net (smtp1.kumari.net [204.194.22.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6E671AE3A0 for <therightkey@ietf.org>; Fri, 13 Dec 2013 13:50:36 -0800 (PST)
Received: from [192.168.1.153] (unknown [66.84.81.105]) by vimes.kumari.net (Postfix) with ESMTPSA id DAC8A1B404B2; Fri, 13 Dec 2013 16:50:29 -0500 (EST)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <CABrd9SQyRea2d3gUPYLu5CUL9bk6aGSmUxx1SZRhRKQMicECoQ@mail.gmail.com>
Date: Fri, 13 Dec 2013 16:50:28 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <FB9C423C-F082-480F-A3A7-66E3421BEFB0@kumari.net>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <52A9AB84.6090609@cs.tcd.ie> <CABrd9STXJ-_hbfKV3NraQHvAFzcqZ9aCi4v=Pur82yLtCZk-MQ@mail.gmail.com> <52A9D752.2060303@cs.tcd.ie> <CABrd9SQyRea2d3gUPYLu5CUL9bk6aGSmUxx1SZRhRKQMicECoQ@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.1822)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Warren Kumari <warren@kumari.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-List-Received-Date: Fri, 13 Dec 2013 21:50:38 -0000

On Dec 12, 2013, at 10:46 AM, Ben Laurie <benl@google.com> wrote:

> On 12 December 2013 15:33, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>
>>
>> On 12/12/2013 03:23 PM, Ben Laurie wrote:
>>> I want to generate standards-track RFC(s) for 6962-bis, but other
>>> stuff could proceed in parallel. I don't want to hold up 6962-bis for
>>> that other stuff, though.
>>
>> What requirements are there to be able to also
>> use a 6962bis log instance or piece of s/w for
>> another transparency-for-X thing?
>>
>> If there are none or it's ok as a best-effort
>> thing then working in parallel seems ok, but if
>> there's a strong desire to be able to use the
>> same log instance or s/w for more than one
>> thing, aren't there dangers there?
>
> CT is tightly linked to CAs as an anti-spam measure, and so I don't
> think it can be used for other things.
>
> I think it is possible to define a more generic mechanism, with some
> parameter choices (e.g. do you have the logs issue signatures on
> timestamps and later order the log, as in CT, or do you order before
> issuing a signature on a Merkle proof?), for other things, but that's
> a distraction from progress on CT, which is urgent.
>
> Spam is a particularly thorny issue, and I suspect anti-spam measures
> are tightly linked to the log's purpose. I have ideas for DNSSEC and
> binaries, but they are not completely generic. A log with no mechanism
> to control ingress of loggable things is trivial to DoS into
> uselessness.

Yup, but I think you should be able to mitigate some of the spam issues by forcing the inserter to do some work — for example, when I input a DNSSEC record I have to solve a CAPTCHA….
Yes, there are many weaknesses with captchas (automated solvers, mules, etc), but (AFAICT) all you need to do is raise the cost enough that this is not an attractive attack. DoSing the log doesn’t *provide access*, it simply denies service to those wanting to insert information, so, unless I’m very mistaken, the main incentive to DoS is giggles / being an ass…

Or am I completely missing something?

W
>
>> I've no particular opinion as to what's right
>> here btw, but it's a fairly typical way in which
>> a WG might trip up and can lead to the WG
>> convincing themselves to step back to start
>> from use-cases, blah, requirements, blah,
>> architecture, blah etc. after a big and non-fun
>> argument.
>>
>> Better to figure it out and have some sort of
>> consensus on that kind of thing up front if
>> possible.
>>
>> S.

--
For every complex problem, there is a solution that is simple, neat, and wrong.
                -- H. L. Mencken





From contact@taoeffect.com  Fri Dec 13 20:56:45 2013
Return-Path: <contact@taoeffect.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 183AA1AE0D6 for <therightkey@ietfa.amsl.com>; Fri, 13 Dec 2013 20:56:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.334
X-Spam-Level: 
X-Spam-Status: No, score=-1.334 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSTZlS0D4MAP for <therightkey@ietfa.amsl.com>; Fri, 13 Dec 2013 20:56:43 -0800 (PST)
Received: from homiemail-a61.g.dreamhost.com (caiajhbdccah.dreamhost.com [208.97.132.207]) by ietfa.amsl.com (Postfix) with ESMTP id 1BC641ADFEE for <therightkey@ietf.org>; Fri, 13 Dec 2013 20:56:43 -0800 (PST)
Received: from homiemail-a61.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a61.g.dreamhost.com (Postfix) with ESMTP id A518257806C for <therightkey@ietf.org>; Fri, 13 Dec 2013 20:56:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=taoeffect.com; h=from :content-type:subject:message-id:date:to:mime-version; s= taoeffect.com; bh=ccT60kmVBl1Ay6qAKCsP+buC47A=; b=GcFhHuKxX+p+3o kgyO9NKSBMfr7cvQ/cqUmXwEePk53sJouBm6km3PNwpZnVP7WLuwWpq9+HbvAcVp /JO926ov/+UeJhRjVXywxo9XRZ6AHRvwMCtqaGsGsFHCE3E3/9gMUQyg7DzEEOJ9 GNkbgG1WIeKMj6W/p5tU/BPXoNblw=
Received: from [192.168.2.3] (ip98-180-48-204.ga.at.cox.net [98.180.48.204]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: contact@taoeffect.com) by homiemail-a61.g.dreamhost.com (Postfix) with ESMTPSA id 2D273578059 for <therightkey@ietf.org>; Fri, 13 Dec 2013 20:56:35 -0800 (PST)
From: Tao Effect <contact@taoeffect.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_FDB14E3A-60C9-485D-88A4-4F354D075E69"; protocol="application/pgp-signature"; micalg=pgp-sha512
Message-Id: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com>
Date: Fri, 13 Dec 2013 23:56:29 -0500
To: therightkey@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
X-Mailer: Apple Mail (2.1822)
Subject: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2013 04:56:45 -0000

--Apple-Mail=_FDB14E3A-60C9-485D-88A4-4F354D075E69
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_41EED495-778C-4CF2-B093-8CC6F283AD30"


--Apple-Mail=_41EED495-778C-4CF2-B093-8CC6F283AD30
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Hi list,

Was referred here from another IETF-related list. Just announced a
project that combines several technologies that address the security
issues with TLS to "NSA-proof" the web.

Here is an excerpt from the paper (link to paper below it):

DNSNMC fixes the authentication problems previously described, and it
addresses all of the problems that with the previously mentioned
proposals. It does this first by combining DNS with Namecoin (NMC), and
then by encouraging a “trust only those you know” policy.5

“Namecoin is an open source decentralized key/value registration and
transfer system based on Bitcoin technology”.[16] Namecoin “squares
Zooko’s Triangle”, meaning, it makes it possible to have domain
names (and other types of identifiers) that are:

Authenticated: users can be certain that they are not speaking to an
impostor

Decentralized: there is no central authority controlling all the names

Human-readable: names look just like today’s domain names

However, by itself, Namecoin does not provide the means by which
ordinary users can take advantage of the features it provides. Using
Namecoin is far too cumbersome for the vast majority of internet users,
even those with years of computer expertise. For one, it cannot be used
on mobile devices (like iPhones) in its current state because of its
network requirements.

DNSNMC provides the missing “glue” to the Namecoin blockchain that
makes it immediately accessible to clients of all types with zero
configuration. A network administrator need only enter the IP address of
a DNSNMC-compliant DNS server to instantly make the information within
the blockchain accessible to all of the users that she (or he) provides
internet access to.

Paper: http://okturtles.com/other/dnsnmc_okturtles_overview.pdf

Cheers,
Greg Slepak
--
Please do not email me anything that you are not comfortable also
sharing with the NSA.





--Apple-Mail=_41EED495-778C-4CF2-B093-8CC6F283AD30--

--Apple-Mail=_FDB14E3A-60C9-485D-88A4-4F354D075E69--

From holz@net.in.tum.de  Sat Dec 14 03:08:53 2013
Return-Path: <holz@net.in.tum.de>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBB221ADF6E for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 03:08:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.55
X-Spam-Level: 
X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id etUqCNpYVcoP for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 03:08:51 -0800 (PST)
Received: from smtp.serverkommune.de (serverkommune.de [176.9.61.43]) by ietfa.amsl.com (Postfix) with ESMTP id 058321ADF6A for <therightkey@ietf.org>; Sat, 14 Dec 2013 03:08:50 -0800 (PST)
Received: by smtp.serverkommune.de (Postfix, from userid 5001) id 992DA80B0E; Sat, 14 Dec 2013 12:08:42 +0100 (CET)
Received: from [192.168.178.34] (ex6.serverkommune.de [176.9.61.43]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.serverkommune.de (Postfix) with ESMTPSA id 9D4CB80A89 for <therightkey@ietf.org>; Sat, 14 Dec 2013 12:08:41 +0100 (CET)
Message-ID: <52AC3C39.3010306@net.in.tum.de>
Date: Sat, 14 Dec 2013 12:08:41 +0100
From: Ralph Holz <holz@net.in.tum.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: therightkey@ietf.org
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.97.8 at ex6
X-Virus-Status: Clean
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2013 11:08:53 -0000

On 12/11/2013 05:55 PM, Ben Laurie wrote:
> Who's in?

I'd like to be part of it.

> Cryptographically verifiable logs can help to ameliorate the problems
> by making it possible to discover and rectify errors before they can
> cause harm.

Correct me if I am wrong, but the following comes to mind. I'd probably
say "too much harm" or "significant harm": the public log concept allows
for a short time window for successful attack. Much depends on the
number of logs a CA pushes their certs to, and how many monitors watch
these logs for suspicious changes. I am less concerned about the
consistency proofs and audit paths here, and more about what monitors
actually do. I.e., deployment issues.

> Work items: Specify a standards-track mechanism to apply verifiable
> logs to HTTP/TLS (i.e. RFC 6962-bis).

One thing that I was wondering about is whether the work can be taken
further at some point to include that mechanism from Sovereign Keys that
allows to give, say, an alternate Tor routing (or hidden service), for a
given domain, in order to avoid censorship. I'd agree that's not a
primary topic for CT, but a worthwhile goal to keep in mind for later.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF

From benl@google.com  Sat Dec 14 04:41:12 2013
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36B971AC441 for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 04:41:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level: 
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qpCQ9deb76Cu for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 04:41:11 -0800 (PST)
Received: from mail-vb0-x230.google.com (mail-vb0-x230.google.com [IPv6:2607:f8b0:400c:c02::230]) by ietfa.amsl.com (Postfix) with ESMTP id 667BD1ADFB5 for <therightkey@ietf.org>; Sat, 14 Dec 2013 04:40:01 -0800 (PST)
Received: by mail-vb0-f48.google.com with SMTP id f13so2028721vbg.35 for <therightkey@ietf.org>; Sat, 14 Dec 2013 04:39:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JFlcUvqr1apprZY8Rl7Anjg8zFxbvN5l837t63dt0yM=; b=c+6IA0XoMd3bJbXz6Px9AqkiIiworKOjVq/o+sjrxhltd9+tgr5QideoQZIDOgJyCQ r2RK/iAm2Xq54IfgzG1JbkemfOvBaGl9y/jQkPQuwpFTdlXzMqtRsIfz/oqRRIYUv4Vj RdljygxMjgJBrq86KX3uUdn37+Q/pzzyABrnyozbGVKN5eEwrjaXDzvzHimXK0JeBeJR ShK3t0iOFtHh0KwDAK+TQAXxg3wfiKF8vnnSRCKYfis1+KyFg8wWEOZjFIouu6bvb4tT FOAgM7850C8DCP4pN2sYQY/Zv9Yj9kMyjCQfYgEESI7XrDgGj3VomL4sD2Bftw8ZbUI+ mqeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=JFlcUvqr1apprZY8Rl7Anjg8zFxbvN5l837t63dt0yM=; b=Qa6XIFyrQYhCpKQmDmasw4vKY3P1r+Iqr6sruyTfB89Kz2B+9gT421EhtjUlc0XDIK hxQTIWIRASB8u66fIQ6XQINaYOwQzSnAZqgvZUTf09uFTeurMuqxai3nR6qK/yFVBRDB rN6cv76V2xm06i5rkdoFuV5WgV3pfSSq0e4DB9431xK+g/GAJMFfi+kUoK+fs7dH+nZW Rweujm2nZzkozjv42xSrRFjpsNoiB75Snrl2IWUvbslC4kFb+fpg85cnUeR7N/CfeJ5p v3/tkza2sw7INgDl9zAgNGtAM+ch4b9YvsyeySohMsyDlgujA6Jt8avXLn8/dFtyor0h ruZQ==
X-Gm-Message-State: ALoCoQm/5/2I67DOq9unr61gReyzJuigoFup32Skr9d7dpmFI/g9bRVKNRxOPXRLMVmpwdb5Pe2zSINyF/f2W0MULmJ8DrfH0Z0jeeoieDrGVJHoMAy3diZGn/sINBV0ltCKx9whDiPAfYxFJ+l01ViqOOSvNU2OE97UVfe3w5ZBChhme3NAL8cEPTWYZI2czoNy9bXDrPq3
MIME-Version: 1.0
X-Received: by 10.52.229.39 with SMTP id sn7mr2505907vdc.2.1387024794387; Sat, 14 Dec 2013 04:39:54 -0800 (PST)
Received: by 10.52.183.65 with HTTP; Sat, 14 Dec 2013 04:39:54 -0800 (PST)
In-Reply-To: <52AC3C39.3010306@net.in.tum.de>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com> <52AC3C39.3010306@net.in.tum.de>
Date: Sat, 14 Dec 2013 12:39:54 +0000
Message-ID: <CABrd9SQ922KSq_D7v0_+smrq20fGiRVR+ytS0EQMJzx0NhY29g@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Ralph Holz <holz@net.in.tum.de>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2013 12:41:12 -0000

On 14 December 2013 11:08, Ralph Holz <holz@net.in.tum.de> wrote:
> On 12/11/2013 05:55 PM, Ben Laurie wrote:
>> Who's in?
>
> I'd like to be part of it.
>
>> Cryptographically verifiable logs can help to ameliorate the problems
>> by making it possible to discover and rectify errors before they can
>> cause harm.
>
> Correct me if I am wrong, but the following comes to mind. I'd probably
> say "too much harm" or "significant harm": the public log concept allows
> for a short time window for successful attack.

That's not actually generally true. There's really a spectrum where
"responsive log/immediate availability of certs (or whatever)" is at
one end and "slow log/certs delayed until everyone's happy" is at the
other.

The original CT proposal delayed cert issuance to reduce the window.
CAs didn't like it. So, we exchanged more attack window for happier
CAs. That's a needle we might want to move over time.

> Much depends on the
> number of logs a CA pushes their certs to, and how many monitors watch
> these logs for suspicious changes. I am less concerned about the
> consistency proofs and audit paths here, and more about what monitors
> actually do. I.e., deployment issues.
>
>> Work items: Specify a standards-track mechanism to apply verifiable
>> logs to HTTP/TLS (i.e. RFC 6962-bis).
>
> One thing that I was wondering about is whether the work can be taken
> further at some point to include that mechanism from Sovereign Keys that
> allows to give, say, an alternate Tor routing (or hidden service), for a
> given domain, in order to avoid censorship. I'd agree that's not a
> primary topic for CT, but a worthwhile goal to keep in mind for later.

In the Revocation Transparency paper, we describe two mechanisms that
could be used to remove the trusted components from Sovereign Keys. So
... yes.

From hallam@gmail.com  Sat Dec 14 09:51:11 2013
Return-Path: <hallam@gmail.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5BFD1AE243 for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 09:51:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.702
X-Spam-Level: 
X-Spam-Status: No, score=0.702 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s3C9-EQzBUsS for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 09:51:09 -0800 (PST)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) by ietfa.amsl.com (Postfix) with ESMTP id DDC911AE254 for <therightkey@ietf.org>; Sat, 14 Dec 2013 09:51:08 -0800 (PST)
Received: by mail-wg0-f41.google.com with SMTP id y10so521276wgg.4 for <therightkey@ietf.org>; Sat, 14 Dec 2013 09:51:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=MRIq/Dd0JIfUPyFDaHDCvZnQmT1jGkoTDN64rpQFW7c=; b=AwQEnnQeAxAwAJfFm9hAA7vYqXVSKy11pHv9exurb5XCB89Bl6ypBnogAqsbco1nMa 0ETC82RqlDSmaLRg2ZEmxsasPn/ZE8C/fT4InYj68SlUvwdB19D+P81u0Mbh0wgjRAeV PYA2iaZLAHUVfAywFO/KMfM6PTPsnuROvz0e2wC7iD/12VGz0uJzk9eZZ/Zlc0DFZAds oLSo6qtMAVELLQ4qWSYvSbZpSp+Y4jKjOb85bh60LbWrfcbYtRvgsEOVB5YBTq6FSIQQ wck3Y2oQQSbxUpG1YNf8qfbm+l/XcwyE2UhqjBmscrC4wXkKEKsav/VjK4Qk6LaIMAGH jGhA==
MIME-Version: 1.0
X-Received: by 10.194.11.38 with SMTP id n6mr6667809wjb.25.1387043461357; Sat, 14 Dec 2013 09:51:01 -0800 (PST)
Received: by 10.194.243.136 with HTTP; Sat, 14 Dec 2013 09:51:01 -0800 (PST)
In-Reply-To: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com>
Date: Sat, 14 Dec 2013 12:51:01 -0500
Message-ID: <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tao Effect <contact@taoeffect.com>
Content-Type: multipart/alternative; boundary=047d7b5d5710cd661e04ed8238b2
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2013 17:51:12 -0000

--047d7b5d5710cd661e04ed8238b2
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

"The first project, DNSNMC, deprecates today's insecure and fraudulent1
public key infrastructure (PKI) by gracefully transitioning DNS from its
hierarchical design, to one that is based on a globally distributed,
peer-to-peer network that successfully "squares Zooko's triangle""

I think you have lost me already. If you want to get anywhere with a
proposal probably not a good idea to accuse the people who might implement
it as being 'fraudulent'.


"We use the term “meaningful security” to refer to the security provided by
protocols that employ all of these features for communication between
individuals."

Have you paused to consider the reasons why the market has not adopted the
security mechanisms that embody those principles to date? Designing a spec
that provides more security if used is trivial. The hard part is proposing
something that is secure and usable.


And for someone who is accusing others of being 'fraudulent', not a good
move to start off repeating figures already exposed as bogus like the oft
repeated but still untrue claim of 600 CAs.

Tying the notary log to namecoin seems to be completely pointless to me,
unless the real objective is to promote namecoin. Why hook into namecoin
rather than the market leader?


Given the success of the US government in shutting down eGold type schemes
I am very skeptical about the stability of 'namecoin'. If we accept the
purported scenarios that motivate the scheme then namecoin won't last very
long.

The fact that BitCoin has survived this long is rather surprising. We have
already seen a huge robbery of over $200 million in bitcoin (from a drug
dealer). And now we have people trying to de-anonymize the system to stop
the coins being spent (!)

When the feds moved on the e-Gold crowd they started off by rolling up the
small guys and created a crisis of confidence in the big ones. What would
be the effect on the price of Bitcoin if the feds shut down namecoin using
the same tactics they used against mega-upload? I don't think it would take
much to start a run.

--047d7b5d5710cd661e04ed8238b2--

From benl@google.com  Sat Dec 14 11:12:29 2013
Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C40A31AE170 for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 11:12:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level: 
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1_yNY-uKHZhj for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 11:12:26 -0800 (PST)
Received: from mail-vb0-x234.google.com (mail-vb0-x234.google.com [IPv6:2607:f8b0:400c:c02::234]) by ietfa.amsl.com (Postfix) with ESMTP id D16771ADBCB for <therightkey@ietf.org>; Sat, 14 Dec 2013 11:12:21 -0800 (PST)
Received: by mail-vb0-f52.google.com with SMTP id p5so2195787vbn.11 for <therightkey@ietf.org>; Sat, 14 Dec 2013 11:12:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=GqCsa/E7yc8mfNYkFJVFrX5S5KXB8TYgn98017M7Cc8=; b=GGw9Yfched8XpV4fjGvDKEe6vmcBLeW8bxqBxEk7F/Z3J3+4wX5AjRJDc6Xg+SGO8J x6JBUqY1rBMsHttpPg/ZnPqTHzcQiSB2bygeVGSV4UtHNxlVTmTU5i09uZ0YaJ8B/MiA rriGXkbGdLbPSRyxOK7yUf0Je7UkZxnnbufkx9gqjVmqAh2qxy89gLxj0KzRS7r8IAiQ sHY+F8VGTGd3mkYDLmgy2LvGX2MnqV4ddXGWFMa7uV8RjPqTsjWJVPENlWZNSz+kpZZb tfZahb6OfNM80A4yXHKmYLJ1y8EoR8cL9DsGWCERhBoq4AGE6tTn/YfYnRAwtTHhKZpr Firw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=GqCsa/E7yc8mfNYkFJVFrX5S5KXB8TYgn98017M7Cc8=; b=Ie2Yd/CgjBCvQBQMnWqbwAVuaY5liFovc1lAYT6wVf5P7kAPj/qzQk86/2eSFXRqsT 4zVtCZ2ipNv7qQ+4+b3zkId8i5m1ZyeFG1I3+sl72hL+e9QMWXV/ns1WgTgvi7RYgLKb V3zK36sSgHSJxeCpYD9vSJvZoHeR2scC6X/KAdTQaP0auFIpTGXepVkNA0ljXl3E0byO MXCpdUVZzQN8G9evunTovAgikUgTJBUPXQ7bdWaMmrsKTLV3uRA69KcElwloMS5XBUK+ Gq34CKB0b5jziM+5iWZ4k8BvBNVMuEW0WawZfcjXINPK9839o6EL7Q35wWc7l3lqIMNN VJqw==
X-Gm-Message-State: ALoCoQlVjdNa7WMOxpoQYcNBXOZnOeWc1DaTkCszDFu6FsvuAM0PhBnaSuHQKWVGXkuMjCxAgc3kmTPN+05hnPaY4mxoHjgHTlmj+Cq03bRmNchmbYGqED62O4j4lcYgdp0GM28jYDpiokI409DH4sg+8uSF+dPFhWtEXfG+8qg5OIXiyfrVvZOY77gxDdA7v9NFrxRUTtn7
MIME-Version: 1.0
X-Received: by 10.58.95.97 with SMTP id dj1mr4620052veb.21.1387048334623; Sat, 14 Dec 2013 11:12:14 -0800 (PST)
Received: by 10.52.183.65 with HTTP; Sat, 14 Dec 2013 11:12:14 -0800 (PST)
In-Reply-To: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com>
Date: Sat, 14 Dec 2013 19:12:14 +0000
Message-ID: <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Tao Effect <contact@taoeffect.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2013 19:12:30 -0000

On 14 December 2013 04:56, Tao Effect <contact@taoeffect.com> wrote:
> Hi list,
>
> Was referred here from another IETF-related list. Just announced a project
> that combines several technologies that address the security issues with TLS
> to "NSA-proof" the web.
>
> Here is an excerpt from the paper (link to paper below it):
>
> DNSNMC fixes the authentication problems previously described, and it
> addresses all of the problems that with the previously mentioned proposals.
> It does this first by combining DNS with Namecoin (NMC), and then by
> encouraging a “trust only those you know” policy.5
>
> “Namecoin is an open source decentralized key/value registration and
> transfer system based on Bitcoin technology”.[16] Namecoin “squares Zooko’s
> Triangle”, meaning, it makes it possible to have domain names (and other
> types of identifiers) that are:
>
> Authenticated: users can be certain that they are not speaking to an
> impostor
>
> Decentralized: there is no central authority controlling all the names

If it is based on bitcoin, that is untrue. Or even if not. See
http://www.links.org/files/decentralised-currencies.pdf.

> Human-readable: names look just like today’s domain names
>
> However, by itself, Namecoin does not provide the means by which ordinary
> users can take advantage of the features it provides. Using Namecoin is far
> too cumbersome for the vast majority of internet users, even those with
> years of computer expertise. For one, it cannot be used on mobile devices
> (like iPhones) in its current state because of its network requirements.
>
> DNSNMC provides the missing “glue” to the Namecoin blockchain that makes it
> immediately accessible to clients of all types with zero configuration. A
> network administrator need only enter the IP address of a DNSNMC-compliant
> DNS server to instantly make the information within the blockchain
> accessible to all of the users that she (or he) provides internet access to.
>
> Paper: http://okturtles.com/other/dnsnmc_okturtles_overview.pdf
>
> Cheers,
> Greg Slepak
> --
> Please do not email me anything that you are not comfortable also sharing
> with the NSA.
>
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
>

From ali@packetknife.com  Sat Dec 14 11:25:25 2013
Return-Path: <ali@packetknife.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 783CB1AE28F for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 11:25:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.168
X-Spam-Level: 
X-Spam-Status: No, score=-1.168 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, FM_FORGED_GMAIL=0.622, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ah-7_h-KuFqb for <therightkey@ietfa.amsl.com>; Sat, 14 Dec 2013 11:25:14 -0800 (PST)
Received: from mail-pd0-x229.google.com (mail-pd0-x229.google.com [IPv6:2607:f8b0:400e:c02::229]) by ietfa.amsl.com (Postfix) with ESMTP id F07DB1ADFF7 for <therightkey@ietf.org>; Sat, 14 Dec 2013 11:25:13 -0800 (PST)
Received: by mail-pd0-f169.google.com with SMTP id v10so3774301pde.28 for <therightkey@ietf.org>; Sat, 14 Dec 2013 11:25:06 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.67.22.67 with SMTP id hq3mr10822365pad.132.1387049106218; Sat, 14 Dec 2013 11:25:06 -0800 (PST)
Received: by 10.66.157.1 with HTTP; Sat, 14 Dec 2013 11:25:06 -0800 (PST)
In-Reply-To: <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com>
Date: Sat, 14 Dec 2013 14:25:06 -0500
Message-ID: <CAPKVt5+ONgfAaX+0i9rGkndJmYmDo74CXGp4osOAwjrBG6_jbQ@mail.gmail.com>
From: Ali-Reza Anghaie <ali@packetknife.com>
To: "therightkey@ietf.org" <therightkey@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2013 19:25:25 -0000

On Sat, Dec 14, 2013 at 12:51 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> Given the success of the US government in shutting down eGold type schemes I
> am very skeptical about the stability of 'namecoin'. If we accept the
> purported scenarios that motivate the scheme then namecoin won't last very
> long.

Aside from the tactful / lack thereof issues in the delivery - this is
a key point not addressed in the proposal. Adoption requires not only
a State unwilling to quash it but ISPs and other providers willing to
support it. This isn't just a US issue, it's quite prevalent an issue
in every moderately to well connected State.

I see nothing in this proposal as of now that I could see any major
provider getting behind in a major way.

> The fact that BitCoin has survived this long is rather surprising. We have
> already seen a huge robbery of over $200 million in bitcoin (from a drug
> dealer). And now we have people trying to de-anonymize the system to stop
> the coins being spent (!)

I'm not sure I agree here - I think it has a lot of believers but also
as importantly it has a lot of power brokers perfectly happy to let it
thrive in the niche area where it can be corralled into easily
identified groups. This tactic will fail the State with other Bitcoin
derivatives but the initial runup (which we're still in) somewhat
reflects a normal permissive environment with the hopes of
criminalization benefits to the State.

-Ali

From leifj@mnt.se  Sun Dec 15 02:21:22 2013
Return-Path: <leifj@mnt.se>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7736A1A802A for <therightkey@ietfa.amsl.com>; Sun, 15 Dec 2013 02:21:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aLEqU-dMy-5Y for <therightkey@ietfa.amsl.com>; Sun, 15 Dec 2013 02:21:13 -0800 (PST)
Received: from mail-lb0-f179.google.com (mail-lb0-f179.google.com [209.85.217.179]) by ietfa.amsl.com (Postfix) with ESMTP id 1F69D1AD845 for <therightkey@ietf.org>; Sun, 15 Dec 2013 02:21:07 -0800 (PST)
Received: by mail-lb0-f179.google.com with SMTP id w7so409373lbi.24 for <therightkey@ietf.org>; Sun, 15 Dec 2013 02:21:00 -0800 (PST)
X-Received: by 10.112.148.104 with SMTP id tr8mr1894726lbb.42.1387102860269; Sun, 15 Dec 2013 02:21:00 -0800 (PST)
Received: from [192.168.1.169] (c-d7bae055.641-1-64736c20.cust.bredbandsbolaget.se. [85.224.186.215]) by mx.google.com with ESMTPSA id sd11sm15256843lab.2.2013.12.15.02.20.58 for <therightkey@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 15 Dec 2013 02:20:59 -0800 (PST)
Message-ID: <52AD828F.6040104@mnt.se>
Date: Sun, 15 Dec 2013 11:21:03 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: therightkey@ietf.org
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <CAPKVt5+ONgfAaX+0i9rGkndJmYmDo74CXGp4osOAwjrBG6_jbQ@mail.gmail.com>
In-Reply-To: <CAPKVt5+ONgfAaX+0i9rGkndJmYmDo74CXGp4osOAwjrBG6_jbQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Dec 2013 10:21:23 -0000

On 2013-12-14 20:25, Ali-Reza Anghaie wrote:
> On Sat, Dec 14, 2013 at 12:51 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>> Given the success of the US government in shutting down eGold type schemes I
>> am very skeptical about the stability of 'namecoin'. If we accept the
>> purported scenarios that motivate the scheme then namecoin won't last very
>> long.
> Aside from the tactful / lack thereof issues in the delivery - this is
> a key point not addressed in the proposal. Adoption requires not only
> a State unwilling to quash it but ISPs and other providers willing to
> support it. This isn't just a US issue, it's quite prevalent an issue
> in every moderately to well connected State.
>
>
It's still interesting to consider distributed proof-of-work systems
_like_ bitcoin as a basis for public ledger systems. I realize that this
isn't exactly what this proposal is about.

I also see quite a few challenges with this proposal. For instance I
don't see how running and trusting your own DNSNMC server is
significantly different (or easier) than running and trusting your own CA.

However, distributed systems like this should not be dismissed offhand
as inherently un-deployable by using what are essentially
guilt-by-association arguments.

        Cheers Leif

From tom@tom-fitzhenry.me.uk  Sun Dec 15 12:36:47 2013
Return-Path: <tom@tom-fitzhenry.me.uk>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57DA21AE1CC for <therightkey@ietfa.amsl.com>; Sun, 15 Dec 2013 12:36:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.162
X-Spam-Level: 
X-Spam-Status: No, score=0.162 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QNQvwoHs1Hfb for <therightkey@ietfa.amsl.com>; Sun, 15 Dec 2013 12:36:45 -0800 (PST)
Received: from server.tom-fitzhenry.me.uk (tom-fitzhenry.me.uk [78.46.238.73]) by ietfa.amsl.com (Postfix) with ESMTP id 844511AE1BC for <therightkey@ietf.org>; Sun, 15 Dec 2013 12:36:45 -0800 (PST)
Received: by server.tom-fitzhenry.me.uk (Postfix, from userid 1001) id 2C58D1A80E8; Sun, 15 Dec 2013 20:36:44 +0000 (GMT)
Received: from [127.0.0.1] (server.tom-fitzhenry.me.uk [127.0.0.1]) by server.tom-fitzhenry.me.uk (Postfix) with ESMTP id 28BFD1A80E2 for <therightkey@ietf.org>; Sun, 15 Dec 2013 20:36:41 +0000 (GMT)
Message-ID: <52AE12D8.9090403@tom-fitzhenry.me.uk>
Date: Sun, 15 Dec 2013 20:36:40 +0000
From: Tom Fitzhenry <tom@tom-fitzhenry.me.uk>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: therightkey@ietf.org
In-Reply-To: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
References: <CABrd9SSzGJy18tf_iR5jFNk-sJyX66OPhmM4H23K5X2ZpWniyQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] Draft charter for a Transparency Working Group
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Dec 2013 20:37:37 -0000

On 12/11/2013 05:55 PM, Ben Laurie wrote:
> Who's in?

I'd like to be involved.

I'm interested in:
    * applications
        * trusted timestamping
        * E2E email encryption
        * binary transparency
    * infrastructure/generalisations to make applications more coherent or
      easier to deploy

As evidence there is wider interest in Transparency solutions, Mark Ryan wrote
"Enhanced certificate transparency (how Johnny could encrypt)"[0], a proposal to use
Revocation Transparency to provide E2E email encryption.

-- 
Tom Fitzhenry
https://tom-fitzhenry.me.uk/

0. http://eprint.iacr.org/2013/595.pdf

From contact@taoeffect.com  Sun Dec 15 17:50:32 2013
Return-Path: <contact@taoeffect.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAB481AE270 for <therightkey@ietfa.amsl.com>; Sun, 15 Dec 2013 17:50:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.333
X-Spam-Level: 
X-Spam-Status: No, score=-1.333 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ZvX1PLQBMSc for <therightkey@ietfa.amsl.com>; Sun, 15 Dec 2013 17:50:30 -0800 (PST)
Received: from homiemail-a61.g.dreamhost.com (caiajhbdcahe.dreamhost.com [208.97.132.74]) by ietfa.amsl.com (Postfix) with ESMTP id 5978E1ADFD1 for <therightkey@ietf.org>; Sun, 15 Dec 2013 17:50:30 -0800 (PST)
Received: from homiemail-a61.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a61.g.dreamhost.com (Postfix) with ESMTP id EAEE857806E; Sun, 15 Dec 2013 17:50:29 -0800 (PST)
Received: from [192.168.2.3] (ip98-180-48-204.ga.at.cox.net [98.180.48.204]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: contact@taoeffect.com) by homiemail-a61.g.dreamhost.com (Postfix) with ESMTPSA id 2E52E57806C; Sun, 15 Dec 2013 17:50:28 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_4032D5FE-E4DF-4C05-B624-ADE5ECC9CE15"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com>
Date: Sun, 15 Dec 2013 20:50:26 -0500
Message-Id: <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1822)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Dec 2013 01:50:33 -0000

> And for someone who is accusing others of being 'fraudulent', not a good
> move to start off repeating figures already exposed as bogus like the oft
> repeated but still untrue claim of 600 CAs.

I thought the EFF was a reputable source.

There has been no update or correction to their post:
https://www.eff.org/deeplinks/2011/10/how-secure-https-today

If this information is incorrect please provide a link with more details.
If the EFF is wrong about this, then I'll make sure to update the paper.

> Tying the notary log to namecoin seems to be completely pointless to me,
> unless the real objective is to promote namecoin. Why hook into namecoin
> rather than the market leader?

What market leader?

> Given the success of the US government in shutting down eGold type schemes
> I am very skeptical about the stability of 'namecoin'. If we accept the
> purported scenarios that motivate the scheme then namecoin won't last very
> long.

What eGold scheme are you comparing Namecoin to?

Are you sure you know what you're talking about here...? ;-)

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing
with the NSA.

On Dec 14, 2013, at 12:51 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> "The first project, DNSNMC, deprecates today's insecure and fraudulent1
> public key infrastructure (PKI) by gracefully transitioning DNS from its
> hierarchical design, to one that is based on a globally distributed,
> peer-to-peer network that successfully "squares Zooko's triangle""
>
> I think you have lost me already. If you want to get anywhere with a
> proposal probably not a good idea to accuse the people who might implement
> it as being 'fraudulent'.
>
>
> "We use the term “meaningful security” to refer to the security provided
> by protocols that employ all of these features for communication between
> individuals."
>
> Have you paused to consider the reasons why the market has not adopted the
> security mechanisms that embody those principles to date? Designing a spec
> that provides more security if used is trivial. The hard part is proposing
> something that is secure and usable.
>
>
> And for someone who is accusing others of being 'fraudulent', not a good
> move to start off repeating figures already exposed as bogus like the oft
> repeated but still untrue claim of 600 CAs.
>
> Tying the notary log to namecoin seems to be completely pointless to me,
> unless the real objective is to promote namecoin. Why hook into namecoin
> rather than the market leader?
>
>
> Given the success of the US government in shutting down eGold type schemes
> I am very skeptical about the stability of 'namecoin'. If we accept the
> purported scenarios that motivate the scheme then namecoin won't last very
> long.
>
> The fact that BitCoin has survived this long is rather surprising. We have
> already seen a huge robbery of over $200 million in bitcoin (from a drug
> dealer). And now we have people trying to de-anonymize the system to stop
> the coins being spent (!)
>
> When the feds moved on the e-Gold crowd they started off by rolling up the
> small guys and created a crisis of confidence in the big ones. What would
> be the effect on the price of Bitcoin if the feds shut down namecoin using
> the same tactics they used against mega-upload? I don't think it would
> take much to start a run.

From hallam@gmail.com  Sun Dec 15 18:21:43 2013
MIME-Version: 1.0
In-Reply-To: <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com>
Date: Sun, 15 Dec 2013 21:21:39 -0500
Message-ID: <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tao Effect <contact@taoeffect.com>
Content-Type: multipart/alternative; boundary=047d7b5d5710d2a6aa04ed9d78b6
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--047d7b5d5710d2a6aa04ed9d78b6
Content-Type: text/plain; charset=ISO-8859-1

On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:

> And for someone who is accusing others of being 'fraudulent', not a good
> move to start off repeating figures already exposed as bogus like the oft
> repeated but still untrue claim of 600 CAs.
>
>
> I thought the EFF was a reputable source.
>
> There has been no update or correction to their post:
> https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>

Which kind of calls their credibility into question. HALF the 'CAs' in
their graph are from the DFN root. You can check that out for yourself, it
is a German CA that issues certs to higher education institutions. As has
been demonstrated (and agreed by the EFF people), DFN do not sign certs for
key signing keys they do not hold.

You can't calculate the number of CAs the way the EFF tried to. An
intermediate certificate does not equate to a CA. Pretending it does to
peddle an alternative PKI scheme calls into question their veracity.

I have tried to get members of the EFF board to look into this but they
never get back. Too much trouble to get it right.


> Tying the notary log to namecoin seems to be completely pointless to me,
> unless the real objective is to promote namecoin. Why hook into namecoin
> rather than the market leader?
>
>
> What market leader?
>

I was under the impression that Bitcoin was the preferred currency of
libertopia. It is the only one that gets mention in the mainstream press.
It is not clear to me how namecoin can be part of BitCoin and another
currency.



> Given the success of the US government in shutting down eGold type schemes
> I am very skeptical about the stability of 'namecoin'. If we accept the
> purported scenarios that motivate the scheme then namecoin won't last very
> long.
>
>
> What eGold scheme are you comparing Namecoin to?
>

Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the
Feds.



> Are you sure you know what you're talking about here...? ;-)
>

I must admit that I find the scheme completely confused and assumes that I
know a lot that I do not.

I might be a little more inclined to make an effort if you hadn't attacked
me as being 'fraudulent' in your opening.


-- 
Website: http://hallambaker.com/

--047d7b5d5710d2a6aa04ed9d78b6--

From leifj@mnt.se  Sun Dec 15 22:32:32 2013
Content-Type: multipart/alternative; boundary=Apple-Mail-2F59C203-6373-414A-B8B1-4D41A00A7A85
Mime-Version: 1.0 (1.0)
From: Leif Johansson <leifj@mnt.se>
X-Mailer: iPhone Mail (11B554a)
In-Reply-To: <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>
Date: Mon, 16 Dec 2013 07:32:26 +0100
Content-Transfer-Encoding: 7bit
Message-Id: <D0008C27-16EE-41F9-954E-CA51536CD1F0@mnt.se>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Tao Effect <contact@taoeffect.com>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--Apple-Mail-2F59C203-6373-414A-B8B1-4D41A00A7A85
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit



> On 16 Dec 2013, at 03:21, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
>
>
>
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
>>> And for someone who is accusing others of being 'fraudulent', not a good move to start off repeating figures already exposed as bogus like the oft repeated but still untrue claim of 600 CAs.
>>
>>
>> I thought the EFF was a reputable source.
>>
>> There has been no update or correction to their post: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>
> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>

yep, DFN is a 'private' sub-CA under tight control but it could still be attacked the way diginotar was and though I believe their security is a lot better than their less fortunate Dutch cousins, a successful attack would be just as bad.

> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>
> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>
>
>>> Tying the notary log to namecoin seems to be completely pointless to me, unless the real objective is to promote namecoin. Why hook into namecoin rather than the market leader?
>>
>>
>> What market leader?
>
> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>
>
>>> Given the success of the US government in shutting down eGold type schemes I am very skeptical about the stability of 'namecoin'. If we accept the purported scenarios that motivate the scheme then namecoin won't last very long.
>>
>> What eGold scheme are you comparing Namecoin to?
>
> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>
>
>> Are you sure you know what you're talking about here...? ;-)
>
> I must admit that I find the scheme completely confused and assumes that I know a lot that I do not.
>
> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>
>
> --
> Website: http://hallambaker.com/
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey

--Apple-Mail-2F59C203-6373-414A-B8B1-4D41A00A7A85--

From hallam@gmail.com  Mon Dec 16 06:31:32 2013
MIME-Version: 1.0
In-Reply-To: <D0008C27-16EE-41F9-954E-CA51536CD1F0@mnt.se>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <D0008C27-16EE-41F9-954E-CA51536CD1F0@mnt.se>
Date: Mon, 16 Dec 2013 09:31:28 -0500
Message-ID: <CAMm+Lwh-vfvmPaRLQC-9cRyWgUaPmh77KzQU5afBaDc-jCNuEg@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Leif Johansson <leifj@mnt.se>
Content-Type: multipart/alternative; boundary=f46d04426f1cde081f04eda7aa35
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Tao Effect <contact@taoeffect.com>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--f46d04426f1cde081f04eda7aa35
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Dec 16, 2013 at 1:32 AM, Leif Johansson <leifj@mnt.se> wrote:

>
>
> On 16 Dec 2013, at 03:21, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
>
>
>
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
>
>> And for someone who is accusing others of being 'fraudulent', not a good
>> move to start off repeating figures already exposed as bogus like the oft
>> repeated but still untrue claim of 600 CAs.
>>
>>
>> I thought the EFF was a reputable source.
>>
>> There has been no update or correction to their post:
>> https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>
>
> Which kind of calls their credibility into question. HALF the 'CAs' in
> their graph are from the DFN root. You can check that out for yourself, it
> is a German CA that issues certs to higher education institutions. As has
> been demonstrated (and agreed by the EFF people), DFN do not sign certs for
> key signing keys they do not hold.
>
>
> yep, DFN is a 'private' sub-CA under tight control but it could still be
> attacked the way diginotar was and though I believe their security is a lot
> better than their less fortunate Dutch cousins, a successful attack would
> be just as bad.
>


That does not excuse

1) Failing to examine the issue when the DFN root accounted for half of the
purported '600 CAs'

2) Continuing to count the DFN as 300 CAs when they know it is one.


Putting out sloppy research and then failing to correct it when a mistake
is committed is the problem. If someone publishes a flawed study I expect
them to withdraw it when the errors are pointed out. I don't expect them to
say that they are going to continue to publish a number they know is out by
a factor of at least 2 because getting a correct number would be too much
work.

If people are going to make pointed accusations about the trustworthiness
of others then they had better not continue to knowingly publish false data.


As with the 'Al Gore claimed to invent the internet' lie, this has become a
zombie lie that is repeated to make a political point by people who don't
really care if what they are saying is true or not.

I think that is a problem. And I am going to continue to point out that the
EFF is peddling a lie until they withdraw it.

-- 
Website: http://hallambaker.com/

--f46d04426f1cde081f04eda7aa35--

From leifj@mnt.se  Mon Dec 16 06:54:55 2013
Message-ID: <52AF1439.9050800@mnt.se>
Date: Mon, 16 Dec 2013 15:54:49 +0100
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com>	<CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com>	<FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com>	<CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>	<D0008C27-16EE-41F9-954E-CA51536CD1F0@mnt.se> <CAMm+Lwh-vfvmPaRLQC-9cRyWgUaPmh77KzQU5afBaDc-jCNuEg@mail.gmail.com>
In-Reply-To: <CAMm+Lwh-vfvmPaRLQC-9cRyWgUaPmh77KzQU5afBaDc-jCNuEg@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/alternative; boundary="------------080104060706060801060907"
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Tao Effect <contact@taoeffect.com>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

This is a multi-part message in MIME format.
--------------080104060706060801060907
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

On 2013-12-16 15:31, Phillip Hallam-Baker wrote:
>
>
>
> On Mon, Dec 16, 2013 at 1:32 AM, Leif Johansson <leifj@mnt.se
> <mailto:leifj@mnt.se>> wrote:
>
>
>
>     16 dec 2013 kl. 03:21 skrev Phillip Hallam-Baker <hallam@gmail.com
>     <mailto:hallam@gmail.com>>:
>
>>
>>
>>
>>     On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect
>>     <contact@taoeffect.com <mailto:contact@taoeffect.com>> wrote:
>>
>>>         And for someone who is accusing others of being
>>>         'fraudulent', not a good move to start off repeating figures
>>>         already exposed as bogus like the oft repeated but still
>>>         untrue claim of 600 CAs.
>>
>>         I thought the EFF was a reputable source.
>>
>>         There has been no update or correction to their
>>         post: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>
>>
>>     Which kind of calls their credibility into question. HALF the
>>     'CAs' in their graph are from the DFN root. You can check that
>>     out for yourself, it is a German CA that issues certs to higher
>>     education institutions. As has been demonstrated (and agreed by
>>     the EFF people), DFN do not sign certs for key signing keys they
>>     do not hold.
>>
>
>     yep, DFN is a 'private' sub-CA under tight control but it could
>     still be attacked the way DigiNotar was and though I believe their
>     security is a lot better than their less fortunate Dutch cousins, a
>     successful attack would be just as bad.
>
>
>
> That does not excuse 
>
> 1) Failing to examine the issue when the DFN root accounted for half
> of the purported '600 CAs'
>
> 2) Continuing to count the DFN as 300 CAs when they know it is one.
>

agree

>
> Putting out sloppy research and then failing to correct it when a
> mistake is committed is the problem. If someone publishes a flawed
> study I expect them to withdraw it when the errors are pointed out. I
> don't expect them to say that they are going to continue to publish a
> number they know is out by a factor of at least 2 because getting a
> correct number would be too much work.
>
> If people are going to make pointed accusations about the
> trustworthiness of others then they had better not continue to
> knowingly publish false data.
>
>
> As with the 'Al Gore claimed to invent the internet' lie, this has
> become a zombie lie that is repeated to make a political point by
> people who don't really care if what they are saying is true or not.
>
> I think that is a problem. And I am going to continue to point out
> that the EFF is peddling a lie until they withdraw it.
>
> -- 
> Website: http://hallambaker.com/


--------------080104060706060801060907--

From rob.stradling@comodo.com  Mon Dec 16 07:06:14 2013
Message-ID: <52AF16E0.80108@comodo.com>
Date: Mon, 16 Dec 2013 15:06:08 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>,  Leif Johansson <leifj@mnt.se>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <D0008C27-16EE-41F9-954E-CA51536CD1F0@mnt.se> <CAMm+Lwh-vfvmPaRLQC-9cRyWgUaPmh77KzQU5afBaDc-jCNuEg@mail.gmail.com>
In-Reply-To: <CAMm+Lwh-vfvmPaRLQC-9cRyWgUaPmh77KzQU5afBaDc-jCNuEg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Tao Effect <contact@taoeffect.com>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

On 16/12/13 14:31, Phillip Hallam-Baker wrote:
<snip>
> That does not excuse
>
> 1) Failing to examine the issue when the DFN root accounted for half of
> the purported '600 CAs'
>
> 2) Continuing to count the DFN as 300 CAs when they know it is one.
>
> Putting out sloppy research and then failing to correct it when a
> mistake is committed is the problem. If someone publishes a flawed study
> I expect them to withdraw it when the errors are pointed out. I don't
> expect them to say that they are going to continue to publish a number
> they know is out by a factor of at least 2 because getting a correct
> number would be too much work.

FWIW, I suggested to Mozilla a few months ago that they could survey the 
CAs in order to find out the correct number (or, at least, a rather more 
accurate approximation!)

They seemed interested.

The conversation was somewhere in the middle of this thread...
http://mozilla.6506.n7.nabble.com/SSL-TLS-and-HTTPS-in-a-Post-Prism-Era-td294842.html

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

From contact@taoeffect.com  Mon Dec 16 10:44:54 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_58A703A8-B743-4BE0-BBFF-2138E5859B49"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>
Date: Mon, 16 Dec 2013 13:44:35 -0500
Message-Id: <1D1AAD8E-3787-4E95-8694-6EB0B4A60890@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1822)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--Apple-Mail=_58A703A8-B743-4BE0-BBFF-2138E5859B49
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_D7E220D9-2AC2-4EC0-BA5E-316773674AA8"


--Apple-Mail=_D7E220D9-2AC2-4EC0-BA5E-316773674AA8
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>
> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>
> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.


OK, in order for me to correct this in the paper I need the following information:

1. A link to who "DFN" is.
2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument

Let me emphasize that none of this ultimately matters to the points that were made in the paper.

Whether the number is 600+ or 300+, it's still an insecure, broken mess.

> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.


I'll be happy to clear this up:

- Bitcoin is not the "market leader" of distributed DNS systems. Namecoin is.
- Namecoin and Bitcoin are designed with completely different goals in mind. They are not competitors.
- Namecoin is not intended to be a bitcoin replacement, nor the other way around. It is not like "litecoin" or any of the other bitcoin competitors, because it is not a competitor to bitcoin.

> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.


I'll be happy to clear this up too:

None of these are comparable to Bitcoin or Namecoin.

Neither "Gold Age", nor "eGold", nor "Liberty Reserve" were truly decentralized, distributed currencies.

- "Gold Age" was not a currency: https://en.wikipedia.org/wiki/Gold_Age
- eGold: Centralized currency with no "reliable user identification" (not a problem with Bitcoin or Namecoin)
- Liberty Reserve: Centralized currency https://en.wikipedia.org/wiki/Liberty_Reserve#Background

People who are standing back and scratching their heads, wondering why Bitcoin is still around after years of being used to purchase illegal drugs, murder-for-hire, and weapons (continuing to this day btw), simply don't understand what Bitcoin is.

> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.


Do you represent a company that sells SSL certs? It seems like you might:

During twelve years as Principal Scientist at VeriSign Inc.,

Perhaps the paper is a bit harsh (and I welcome suggestions to improve its language), but the critiques it levies against companies that sell SSL certs are completely valid:

Companies that sell SSL certificates usually claim that their certificates provide customers with “security.” Customers are led to believe that these certificates protect browser-server communication from eavesdropping and tampering. As elaborated in this paper, this simply isn’t true today.

I have to say, that among the cert companies' websites that I looked at, VeriSign's homepage makes the fewest claims about the security protections it provides.

The words "usually claim" leave room for exceptions. I could not find, on the customer-facing pages on VeriSign's site, any claims that VeriSign's SSL certs "protect browser-server communication from eavesdropping and tampering."

Some close calls are:

In short, when it comes to securing online transactions, safeguarding customer information, and protecting business reputation, you're only as safe as the Certificate Authority you choose.
https://www.symantec.com/ssl-certificates-advantages

Customers Gain Confidence with the Green Address Bar: Online shoppers recognize the green address bar as an easy and reliable way to verify the site identity and security.
https://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates

VeriSign's SSL certificates do not provide websites with meaningful protection as defined in the DNSNMC paper because they cannot be securely authenticated in the face of a fraudulent certificate that's presented to customers by a MITM.

If your certs can simply be replaced by any of the other CAs out there, then *all* of the security they provide is thrown out the window.

Furthermore, because VeriSign is a random third-party, not the company that users visit when they visit a site using VeriSign's certificate, the protection offered by that certificate is inherently inferior to a securely authenticated self-signed certificate.

This is simply mathematics, and not a point that's up for debate.

When trust is distributed across more parties, that trust is diluted because it now depends on the least secure of those parties.

Sidenote:

It seems like I was sent "to the sharks" so to speak (perhaps as a practical joke?).

So far almost half of the replies to this thread have come from representatives of SSL companies.

The hostility is therefore no surprise.

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Dec 15, 2013, at 9:21 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

>
>
>
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
>> And for someone who is accusing others of being 'fraudulent', not a good move to start off repeating figures already exposed as bogus like the oft repeated but still untrue claim of 600 CAs.
>
>
> I thought the EFF was a reputable source.
>
> There has been no update or correction to their post: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>
> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>
> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>
> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>
>
>> Tying the notary log to namecoin seems to be completely pointless to me, unless the real objective is to promote namecoin. Why hook into namecoin rather than the market leader?
>
>
> What market leader?
>
> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>
>
>> Given the success of the US government in shutting down eGold type schemes I am very skeptical about the stability of 'namecoin'. If we accept the purported scenarios that motivate the scheme then namecoin won't last very long.
>
> What eGold scheme are you comparing Namecoin to?
>
> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>
>
> Are you sure you know what you're talking about here...? ;-)
>
> I must admit that I find the scheme completely confused and assumes that I know a lot that I do not.
>
> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>
>
> --
> Website: http://hallambaker.com/
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey


--Apple-Mail=_D7E220D9-2AC2-4EC0-BA5E-316773674AA8
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space;"><div><blockquote type=3D"cite"><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><div>Which kind of =
calls their credibility into question. HALF the 'CAs' in their graph are =
from the DFN root. You can check that out for yourself, it is a German =
CA that issues certs to higher education institutions. As has been =
demonstrated (and agreed by the EFF people), DFN do not sign certs for =
key signing keys they do not hold.</div><div><br></div><div>You can't =
calculate the number of CAs the way the EFF tried to. An intermediate =
certificate does not equate to a CA. Pretending it does to peddle an =
alternative PKI scheme calls into question their =
veracity.</div><div><br></div><div>I have tried to get members of the =
EFF board to look into this but they never get back. Too much trouble to =
get it right.</div></div></div></div></blockquote></div><div><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><div><br></div><div>OK, in order for me to correct =
this in the paper I need the following =
information:</div><div><br></div><div>1. A link to who "DFN" =
is.</div><div>2. A 'yes' or 'no' as to whether DFN is a root cert that =
browsers are shipped with (and details about this, like, do all 3 major =
browsers include DFN?)</div><div>3. A link to a paper, a blog post, or =
an article somewhere that describes in detail your side of the =
argument</div><div><br></div><div>Let me emphasize that none of this =
ultimately matters to the points that were made in the =
paper.</div><div><br></div><div>Whether the number is 600+ or 300+, it's =
still an <u>insecure</u>, <u>broken</u> =
mess.</div><div><br></div><div><blockquote type=3D"cite"><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">I was =
under the impression that Bitcoin was the preferred currency of =
libertopia. It is the only one that gets mention in the mainstream =
press. It is not clear to me how namecoin can be part of BitCoin and =
another currency.</div></div></div></blockquote></div><div><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">I'll be happy =
to clear this up:</div><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">- Bitcoin is not the "market leader" of =
distributed DNS systems. Namecoin =
is.</div></div></div></div></div></div></div></div><div>- Namecoin and =
Bitcoin are designed with completely different goals in mind. They are =
not competitors.</div><div>- Namecoin is not intended to be a bitcoin =
replacement, nor the other way around. It is not like "litecoin" or any =
of the other bitcoin competitors, because it is not a competitor to =
bitcoin.</div><div><br></div><div><blockquote type=3D"cite"><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">Gold =
Age, eGold, Liberty Reserve. All the ones that were taken apart by the =
Feds.</div></div></div></blockquote></div><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">I'll be happy to clear this up too:</div><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote"><b><u>None of =
these are comparable to Bitcoin or Namecoin.</u></b></div><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">Neither "Gold =
Age", nor "eGold", nor "Liberty Reserve" were truly decentralized, =
distributed currencies.</div><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">- "Gold Age" was not a currency:&nbsp;<a =
href=3D"https://en.wikipedia.org/wiki/Gold_Age">https://en.wikipedia.org/w=
iki/Gold_Age</a></div><div class=3D"gmail_quote">- eGold: <u>Centralized =
currency</u> with no&nbsp;<a =
href=3D"https://en.wikipedia.org/wiki/E-gold#Aftermath">"reliable user =
identification"</a>&nbsp;(not a problem with Bitcoin or =
Namecoin)</div></div></div></div><div>- Liberty Reserve: <u>Centralized =
currency</u>&nbsp;<a =
href=3D"https://en.wikipedia.org/wiki/Liberty_Reserve#Background">https://=
en.wikipedia.org/wiki/Liberty_Reserve#Background</a></div><div><br></div><=
div>People who are standing back and scratching their heads, wondering =
why Bitcoin is still around after years of being used to purchase =
illegal drugs, murder-for-hire, and weapons (continuing to this day =
btw), simply don't understand what Bitcoin =
is.</div><div><br></div><div><blockquote type=3D"cite"><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">I =
might be a little more inclined to make an effort if you hadn't attacked =
me as being 'fraudulent' in your =
opening.</div></div></div></blockquote></div><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">Do you represent a company that sells SSL certs? =
It seems like you might:</div><div =
class=3D"gmail_quote"><br></div></div></div></div><blockquote =
style=3D"margin: 0 0 0 40px; border: none; padding: 0px;"><div><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><i>During twelve years as Principal Scientist at =
VeriSign Inc.,</i></div></div></div></div></blockquote><div><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">Perhaps the =
paper is a bit harsh (and I welcome suggestions to improve its =
language), but the critiques it levies against companies that sell SSL =
certs are completely valid:</div><div =
class=3D"gmail_quote"><br></div></div></div></div><blockquote =
style=3D"margin: 0 0 0 40px; border: none; padding: 0px;"><div><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote">Companies that sell SSL certificates usually claim =
that their certificates provide customers with =93security.=94 Customers =
are led to believe that these certificates protect browser-server =
communication from&nbsp;eavesdropping and tampering. As elaborated in =
this paper, this simply isn=92t true =
today.</div></div></div></div></blockquote><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">I have to say, that among the cert companies =
websites that I looked at, VeriSign's homepage makes the fewest claims =
about the security protections it provides.</div><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">The words =
"usually claim" leaves room for exceptions. I could not find, on the =
customer-facing pages on VeriSign's site, any claims that VeriSign's SSL =
certs "protect browser-server communication from&nbsp;eavesdropping and =
tampering."</div><div =
class=3D"gmail_quote"><br></div></div></div></div><div><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">Some =
close calls are:</div><div =
class=3D"gmail_quote"><br></div></div></div></div><blockquote =
style=3D"margin: 0 0 0 40px; border: none; padding: 0px;"><div><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><i>In =
short, when it comes to securing online transactions, safeguarding=20
customer information, and protecting business reputation, you're only as
 safe as the Certificate Authority you choose.</i></div><div =
class=3D"gmail_quote"><a =
href=3D"https://www.symantec.com/ssl-certificates-advantages">https://www.=
symantec.com/ssl-certificates-advantages</a></div></div></div></div></bloc=
kquote><div><div dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><br></div></div></div></div><blockquote =
style=3D"margin: 0 0 0 40px; border: none; padding: 0px;"><div><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><i><strong>Customers Gain Confidence with the =
Green Address Bar:</strong> Online shoppers recognize the green address =
bar as an easy and reliable way to verify the site identity and =
security.</i></div><div class=3D"gmail_quote"><a =
href=3D"https://www.symantec.com/verisign/ssl-certificates/secure-site-pro=
-ev?fid=3Dssl-certificates">https://www.symantec.com/verisign/ssl-certific=
ates/secure-site-pro-ev?fid=3Dssl-certificates</a></div></div></div></div>=
</blockquote><div><div dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">VeriSign's =
SSL certificates do not provide websites with <i>meaningful =
protection</i>&nbsp;as defined in the DNSNMC paper because they cannot =
be securely authenticated in the face of a fraudulent certificate that's =
presented to customers by a MITM.</div><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">If your certs =
can simply be replaced by any of the other CAs out there, then =
<b><u>*</u></b><b style=3D"text-decoration: underline;">all*</b> of the =
security they provide is thrown out the window.</div><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">Furthermore, =
because VeriSign is a random third-party, not the company that user's =
visit when they visit a site using VeriSign's certificate, the =
protection offered by that certificate is inherently inferior to a =
securely authenticated self-signed certificate.</div><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">This is =
simply mathematics, and not a point that's up for debate.</div><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">When trust is =
distributed across more parties, that trust is diluted because it now =
depends on the least secure of those parties.</div><div =
class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote"><i>Sidenote:</i></div></div></div></div><div><br></d=
iv><div>It seems like I was sent "to the sharks" so to speak (perhaps as =
a practical joke?).</div><div><br></div><div>So far almost half of the =
replies to this thread have come from representatives of SSL =
companies.</div><div><br></div><div>The hostility is therefore no =
surprise.</div><div><br></div><div><div><div =
apple-content-edited=3D"true">--<br>Please do not email me anything that =
you are not&nbsp;comfortable also sharing with the NSA.<br>

</div>
<br><div><div>On Dec 15, 2013, at 9:21 PM, Phillip Hallam-Baker &lt;<a =
href=3D"mailto:hallam@gmail.com">hallam@gmail.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div=
 class=3D"gmail_quote">On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <span =
dir=3D"ltr">&lt;<a href=3D"mailto:contact@taoeffect.com" =
target=3D"_blank">contact@taoeffect.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex"><div =
style=3D"word-wrap:break-word"><div class=3D"im"><blockquote =
type=3D"cite"><div dir=3D"ltr"><div class=3D"gmail_extra">And for =
someone who is accusing others of being 'fraudulent', not a good move to =
start off repeating figures already exposed as bogus like the oft =
repeated but still untrue claim of 600 CAs.</div>
</div></blockquote></div><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><br></div><div class=3D"gmail_extra">I thought the =
EFF was a reputable source.</div><div class=3D"gmail_extra"><br></div><div=
 class=3D"gmail_extra">There has been no update or correction to their =
post:&nbsp;<a =
href=3D"https://www.eff.org/deeplinks/2011/10/how-secure-https-today" =
target=3D"_blank">https://www.eff.org/deeplinks/2011/10/how-secure-https-t=
oday</a></div>
</div></div></div></blockquote><div><br></div><div>Which kind of calls =
their credibility into question. HALF the 'CAs' in their graph are from =
the DFN root. You can check that out for yourself, it is a German CA =
that issues certs to higher education institutions. As has been =
demonstrated (and agreed by the EFF people), DFN do not sign certs for =
key signing keys they do not hold.</div>
<div><br></div><div>You can't calculate the number of CAs the way the =
EFF tried to. An intermediate certificate does not equate to a CA. =
Pretending it does to peddle an alternative PKI scheme calls into =
question their veracity.</div>
<div><br></div><div>I have tried to get members of the EFF board to look =
into this but they never get back. Too much trouble to get it =
right.</div><div><br></div><div><br></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex">
<div style=3D"word-wrap:break-word"><div class=3D"im"><blockquote =
type=3D"cite"><div dir=3D"ltr"><div class=3D"gmail_extra">Tying the =
notary log to namecoin seems to be completely pointless to me, unless =
the real objective is to promote namecoin. Why hook into namecoin rather =
than the market leader?&nbsp;</div>
</div></blockquote></div><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><br></div><div class=3D"gmail_extra">What market =
leader?</div></div></div></div></blockquote><div><br></div><div>I was =
under the impression that Bitcoin was the preferred currency of =
libertopia. It is the only one that gets mention in the mainstream =
press. It is not clear to me how namecoin can be part of BitCoin and =
another currency.</div>
<div><br></div><div>&nbsp;</div><blockquote class=3D"gmail_quote" =
style=3D"margin: 0px 0px 0px 0.8ex; border-left-width: 1px; =
border-left-color: rgb(204, 204, 204); border-left-style: solid; =
padding-left: 1ex; position: static; z-index: auto;"><div =
style=3D"word-wrap:break-word"><div class=3D"im"><blockquote =
type=3D"cite"><div dir=3D"ltr">
<div class=3D"gmail_extra">Given the success of the US government in =
shutting down eGold type schemes I am very skeptical about the stability =
of 'namecoin'. If we accept the purported scenarios that motivate the =
scheme then namecoin won't last very long.</div>
</div></blockquote><br></div><div>What eGold scheme are you comparing =
Namecoin to?</div></div></blockquote><div><br></div><div>Gold Age, =
eGold, Liberty Reserve. All the ones that were taken apart by the =
Feds.</div><div>
<br></div><div>&nbsp;</div><blockquote class=3D"gmail_quote" =
style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex"><div style=3D"word-wrap:break-word"><div>Are you =
sure you know what you're talking about here...? ;-)</div>
</div></blockquote><div><br></div><div>I must admit that I find the =
scheme completely confused and assumes that I know a lot that I do =
not.</div><div><br></div><div>I might be a little more inclined to make =
an effort if you hadn't attacked me as being 'fraudulent' in your =
opening.</div>
<div>&nbsp;</div></div><div><br></div>-- <br>Website: <a =
href=3D"http://hallambaker.com/">http://hallambaker.com/</a><br>
</div></div>
_______________________________________________<br>therightkey mailing =
list<br><a =
href=3D"mailto:therightkey@ietf.org">therightkey@ietf.org</a><br>https://w=
ww.ietf.org/mailman/listinfo/therightkey<br></blockquote></div><br></div><=
/div></body></html>=

--Apple-Mail=_D7E220D9-2AC2-4EC0-BA5E-316773674AA8--

--Apple-Mail=_58A703A8-B743-4BE0-BBFF-2138E5859B49
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail


--Apple-Mail=_58A703A8-B743-4BE0-BBFF-2138E5859B49--

From contact@taoeffect.com  Mon Dec 16 13:31:19 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_14C01A26-908E-47E7-B788-05B8325D0EA3"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com>
Date: Mon, 16 Dec 2013 16:31:08 -0500
Message-Id: <596BD192-F19E-48A5-8FD7-37D5A2085751@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.1822)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--Apple-Mail=_14C01A26-908E-47E7-B788-05B8325D0EA3
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_816056DE-EF3A-4AAE-B066-459A0261F7C6"


--Apple-Mail=_816056DE-EF3A-4AAE-B066-459A0261F7C6
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=windows-1252

Hey Ben,

On Dec 14, 2013, at 2:12 PM, Ben Laurie <benl@google.com> wrote:

>> Decentralized: there is no central authority controlling all the names
>
> If it is based on bitcoin, that is untrue. Or even if not. See
> http://www.links.org/files/decentralised-currencies.pdf.

Thank you for the link to this paper.

I needed to find the time to actually read this and get back to you.
I've now done this.

You've posted this reply to a number of lists that we're both subscribed
to, so I'm going to send this reply to each one:

My reply can be summarized (mostly) by Vladimir's response to your paper
here:

https://bitcointalk.org/index.php?topic=25760.msg372591#msg372591

For the list's sake, here are the salient points Sir Vladimir makes:

    Than, first of all, he is trying to solve a non-problem and fails to
    see that issue he is trying to solve is not a bug but a feature.

This is in reference to your criticism of proof-of-work. Here's the rest
of his comment on that particular point:

    There is no problem with energy consumption, it is a very low price to
    pay for getting rid of all the middlemen leaching a few percent from
    every money transfer. Moreover, energy spent by miners on securing the
    bloc chain is rather negligible in comparison to energy spent on other
    ways to do money, when you consider, for example energy, required to
    haul all the cash and gold in armoured trucks, smelting gold bullions,
    coining coins, smelting metal for the bank vaults and so on...

Second criticism of your paper is as follows (again, I'll just copy
Vlad's comments here):

    Second of all, his "efficient solution" is very weak. Essentially, he
    is proposing to replace voting weighted by pure computational power
    (surely not very energy efficient way) to voting weighted by a number
    of clients plugged into the network, without proposing any viable way
    (since it is impossible) to ensure that this number of clients is not
    faked. Therefore, he is effectively shifting proof-of-work concept
    from doing lots of sha-256 calculations to opening lots of ports on
    lots of IP's simultaneously. This could solve a problem of quick
    propagations and wide distribution of information, but surely not a
    problem of "double spending". Total epic fail!

Somehow, you seem to have completely missed the point of Bitcoin's
proof-of-work. It's right there in the original paper:

    The proof-of-work also solves the problem of determining
    representation in majority decision making. If the majority were
    based on one-IP-address-one-vote, it could be subverted by anyone
    able to allocate many IPs. Proof-of-work is essentially
    one-CPU-one-vote.

Vladimir made one final comment (not too important though, but I'll
include it anyway):

    He also has completely missed economic part of the system where
    initial bitcoin inflation serves the purpose of subsidy to enable
    quick growth of the network and making it secure from 50% attacks.

However, all of these points made by Vladimir do not destroy the point
your paper makes entirely. They just badly bruise it.

IMO, the only legitimate criticism of Bitcoin contained in your paper is
the following:

    If, for example, 1% of the total power available[7] is used to
    produce Bitcoins at present (in fact, the amount is far less than
    that), then at any point someone could come along with a further
    1.1% of the total power and use this to define their own
    consensus[8], thus invalidating all the work, and all the money, of
    the initial group, and instead take possession of the entire
    currency for themselves.

This is referring to (or at least should be referring to) the idea of an
attacker making their own "fake fork" that they control through
superior-CPU power.

The strength of your argument (IMO) rests on this one issue: Whether or
not there exists an attacker with the computational power necessary to
take over the network.

This is a legitimate question, and combined with the observations made
by Vladimir, it implies two takeaway points:

1. Your suggestion for an "efficient alternative" to Bitcoin appears to
be inferior to Bitcoin because it appears to be based on one-IP-one-vote
(rejected in the original paper).

2. Bitcoin's legitimacy and trustworthiness depends on whether or not
there exists (or can exist) an entity with more horsepower than all more
than 50% of the nodes on the network. This is old news.

The Bitcoin community has been discussing the 51% attack for a while and
appears to be working on addressing the issue:

https://en.bitcoin.it/wiki/Proof_of_blockchain_fair_sharing

In case it's of interest to someone, here are two sites about known
attacks on Bitcoin:

http://codinginmysleep.com/bitcoin-attacks-in-plain-english/
https://en.bitcoin.it/wiki/Double-spending

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also
sharing with the NSA.


--Apple-Mail=_816056DE-EF3A-4AAE-B066-459A0261F7C6--

--Apple-Mail=_14C01A26-908E-47E7-B788-05B8325D0EA3
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail


--Apple-Mail=_14C01A26-908E-47E7-B788-05B8325D0EA3--
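
Added example, not part of the thread or of either paper it cites: the message above turns on two quantitative points, that one-IP-one-vote can be captured by allocating addresses while work-weighted voting cannot, and that the outcome of a "fake fork" depends on the attacker's share of the power actually mining. The sketch below works both through, using the catch-up calculation from section 11 of the Bitcoin whitepaper; the function names, the sample operators and their figures are constructed for illustration.

```python
# Added illustration; not code from the thread, the Bitcoin paper, or the
# decentralised-currencies paper.
from math import exp

# Constructed sample network: three honest operators and one hypothetical
# operator ("mallory") who allocates many addresses but little hash power.
SAMPLE_NODES = [
    {"operator": "alice", "ips": 1, "hashrate": 100.0},
    {"operator": "bob", "ips": 1, "hashrate": 100.0},
    {"operator": "carol", "ips": 1, "hashrate": 100.0},
    {"operator": "mallory", "ips": 1000, "hashrate": 30.0},
]


def vote_share(nodes, operator, weight):
    """Fraction of the vote held by `operator` when votes are weighted by
    the field `weight` ("ips" for one-IP-one-vote, "hashrate" for work)."""
    total = sum(n[weight] for n in nodes)
    held = sum(n[weight] for n in nodes if n["operator"] == operator)
    return held / total


def catch_up_probability(q, z):
    """Probability that an attacker holding share q of the active hash power
    ever overtakes the honest chain from z blocks behind (whitepaper, s.11)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z must be >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0  # with half or more of the active power, catch-up is certain
    lam = z * q / p      # expected attacker progress while z honest blocks appear
    poisson = exp(-lam)  # Poisson probability of k = 0 attacker blocks
    prob = 1.0
    for k in range(z + 1):
        if k:
            poisson *= lam / k  # step the Poisson term from k-1 to k
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


def confirmations_needed(q, max_risk=0.001):
    """Smallest z with catch-up probability below max_risk, or None when the
    attacker holds half or more of the active power (no depth is enough)."""
    if q >= 0.5:
        return None
    z = 0
    while catch_up_probability(q, z) >= max_risk:
        z += 1
    return z


def quoted_scenario_share(honest=1.0, attacker=1.1):
    """Attacker's share of *active* power in the quoted scenario: 1% of total
    power is mining honestly and a newcomer brings a further 1.1%."""
    return attacker / (honest + attacker)


if __name__ == "__main__":
    print("mallory, one-IP-one-vote :", vote_share(SAMPLE_NODES, "mallory", "ips"))
    print("mallory, work-weighted   :", vote_share(SAMPLE_NODES, "mallory", "hashrate"))
    q = vote_share(SAMPLE_NODES, "mallory", "hashrate")
    print("catch-up from 6 behind   :", catch_up_probability(q, 6))
    print("quoted scenario share    :", quoted_scenario_share())
    print("confirmations at q=0.10  :", confirmations_needed(0.10))
```

In the quoted 1% versus 1.1% scenario the newcomer holds about 52% of the active power, so the catch-up probability is 1 at any depth; below half, the probability falls off quickly with each extra confirmation.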

From benl@google.com  Mon Dec 16 14:00:53 2013
MIME-Version: 1.0
In-Reply-To: <596BD192-F19E-48A5-8FD7-37D5A2085751@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com> <596BD192-F19E-48A5-8FD7-37D5A2085751@taoeffect.com>
Date: Mon, 16 Dec 2013 22:00:49 +0000
Message-ID: <CABrd9SShenVv4wm06kut+sXQRzHQoZezajLbGc_HZnu_4jwxrg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Tao Effect <contact@taoeffect.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

On 16 December 2013 21:31, Tao Effect <contact@taoeffect.com> wrote:
> Hey Ben,
>
> On Dec 14, 2013, at 2:12 PM, Ben Laurie <benl@google.com> wrote:
>
> Decentralized: there is no central authority controlling all the names
>
>
> If it is based on bitcoin, that is untrue. Or even if not. See
> http://www.links.org/files/decentralised-currencies.pdf.
>
>
> Thank you for the link to this paper.
>
> I needed to find the time to actually read this and get back to you. I've
> now done this.
>
> You've posted this reply to a number of lists that we're both subscribed to,
> so I'm going to send this reply to each one:

Fun though it is to debate the merits of bitcoin, the question at hand
is whether we should form a WG.

If you want to propose a bitcoin based protocol, go right ahead.

My difficulties with bitcoin as a whole are on record. I may have more
to say about a specific I-D.

P.S. I think you're criticising a different paper. For example, this
one doesn't even mention IP addresses.

From contact@taoeffect.com  Mon Dec 16 14:13:09 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_E57C1B49-6C40-4453-9A76-CBD4236A9B5C"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <CABrd9SShenVv4wm06kut+sXQRzHQoZezajLbGc_HZnu_4jwxrg@mail.gmail.com>
Date: Mon, 16 Dec 2013 17:12:59 -0500
Message-Id: <AD2594AC-CA6B-4314-A521-5C15E1C13F86@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com> <596BD192-F19E-48A5-8FD7-37D5A2085751@taoeffect.com> <CABrd9SShenVv4wm06kut+sXQRzHQoZezajLbGc_HZnu_4jwxrg@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.1822)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--Apple-Mail=_E57C1B49-6C40-4453-9A76-CBD4236A9B5C
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_2399A28A-F140-4AA0-94DF-1903BB232027"


--Apple-Mail=_2399A28A-F140-4AA0-94DF-1903BB232027
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

On Dec 16, 2013, at 5:00 PM, Ben Laurie <benl@google.com> wrote:

> Fun though it is to debate the merits of bitcoin, the question at hand
> is whether we should form a WG.
>
> If you want to propose a bitcoin based protocol, go right ahead.

Though this thread is more of an announcement, it can also be considered
a first draft of a proposal for DNSNMC.

Paper was linked to in the first post, here it is again:

http://okturtles.com/other/dnsnmc_okturtles_overview.pdf

> My difficulties with bitcoin as a whole are on record.

OK... and so are the replies to your paper.

> P.S. I think you're criticising a different paper. For example, this
> one doesn't even mention IP addresses.

What are you mentioning then? What does this paragraph refer to, if not
IP addresses?

    Next we have to agree who should get the coin. This is not particularly
    hard. First we use efficient unbounded agreement to number the current
    participants11 sequentially. We then use it to agree a consensus random
    number. This could be done, for example, by agreeing a commitment for
    each participant, and then revealing the value they committed to, adding
    them all together and taking the modulo of that total, which would
    randomly designate a participant.

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also
sharing with the NSA.




--Apple-Mail=_2399A28A-F140-4AA0-94DF-1903BB232027--

--Apple-Mail=_E57C1B49-6C40-4453-9A76-CBD4236A9B5C--

From stephen.farrell@cs.tcd.ie  Mon Dec 16 14:25:15 2013
Message-ID: <52AF7DC5.7070601@cs.tcd.ie>
Date: Mon, 16 Dec 2013 22:25:09 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Tao Effect <contact@taoeffect.com>, Ben Laurie <benl@google.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com> <596BD192-F19E-48A5-8FD7-37D5A2085751@taoeffect.com> <CABrd9SShenVv4wm06kut+sXQRzHQoZezajLbGc_HZnu_4jwxrg@mail.gmail.com> <AD2594AC-CA6B-4314-A521-5C15E1C13F86@taoeffect.com>
In-Reply-To: <AD2594AC-CA6B-4314-A521-5C15E1C13F86@taoeffect.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Hiya,

(As list moderator)

On 12/16/2013 10:12 PM, Tao Effect wrote:
> Next we have to agree who should get the coin.

I don't want to shut this down too quickly but I will point
out that designing protocols via one-by-one mail messages
to an IETF list is not really something that works out so
please let's not go that route.

I'd say if a bunch of folks are interested in this proposal
then better would be to go and get together and work on it
some more and if you're interested in pursuing it in the
IETF then writing an Internet-draft is the way to go. I
assume that interested people will contact Greg and then
self-organise.

If anyone wants to do that and needs help/hints, mail me
offlist.

Thanks,
S.

From benl@google.com  Mon Dec 16 14:31:39 2013
MIME-Version: 1.0
In-Reply-To: <AD2594AC-CA6B-4314-A521-5C15E1C13F86@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com> <596BD192-F19E-48A5-8FD7-37D5A2085751@taoeffect.com> <CABrd9SShenVv4wm06kut+sXQRzHQoZezajLbGc_HZnu_4jwxrg@mail.gmail.com> <AD2594AC-CA6B-4314-A521-5C15E1C13F86@taoeffect.com>
Date: Mon, 16 Dec 2013 22:31:36 +0000
Message-ID: <CABrd9SSHFad74oK7=Qhv1iRwdofmWYvkoDsWvQzqw7y8zHZLPQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Tao Effect <contact@taoeffect.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

On 16 December 2013 22:12, Tao Effect <contact@taoeffect.com> wrote:
> On Dec 16, 2013, at 5:00 PM, Ben Laurie <benl@google.com> wrote:
>
> Fun though it is to debate the merits of bitcoin, the question at hand
> is whether we should form a WG.
>
> If you want to propose a bitcoin based protocol, go right ahead.
>
>
> Though this thread is more of an announcement, it can also be considered a
> first draft of a proposal for DNSNMC.
>
> Paper was linked to in the first post, here it is again:
>
> http://okturtles.com/other/dnsnmc_okturtles_overview.pdf
>
> My difficulties with bitcoin as a whole are on record.
>
>
> OK... and so are the replies to your paper.
>
> P.S. I think you're criticising a different paper. For example, this
> one doesn't even mention IP addresses.
>
>
> What are you mentioning then? What does this paragraph refer to, if not IP
> addresses?
>
> Next we have to agree who should get the coin. This is not particularly
> hard. First we use efficient unbounded agreement to number the current
> participants11 sequentially. We then use it to agree a consensus random
> number. This could be done, for example, by agreeing a commitment for each
> participant, and then revealing the value they committed to, adding them all
> together and taking the modulo of that total, which would randomly designate
> a participant.

For anyone following along: there's little chance you'll understand
this paragraph without reading the paper. Sorry. But it doesn't refer
to IP addresses.

Once more: this is not the forum for debating the merits of bitcoin.
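
The commit-then-reveal selection described in the quoted paragraph, as an
added Python sketch that is not part of any message in this thread or of the
paper it quotes. SHA-256 hash commitments, the 256-bit value size, reducing
modulo the number of participants, the abort-on-bad-reveal rule and all
function names are assumptions.

```python
"""Commit-then-reveal designation of one participant (added illustration)."""
import hashlib
import hmac
import secrets

VALUE_BYTES = 32  # assumption: each participant contributes a 256-bit value


def commit(value: int, nonce: bytes) -> bytes:
    """Commitment = SHA-256(nonce || value); hides the value until revealed."""
    return hashlib.sha256(nonce + value.to_bytes(VALUE_BYTES, "big")).digest()


def new_contribution():
    """One participant's secret (value, nonce) and the commitment it publishes."""
    value = secrets.randbelow(2 ** (8 * VALUE_BYTES))
    nonce = secrets.token_bytes(32)
    return value, nonce, commit(value, nonce)


def opens(commitment: bytes, opened) -> bool:
    """True if `opened` = (value, nonce) is a valid opening of `commitment`."""
    if opened is None:
        return False
    value, nonce = opened
    if not isinstance(value, int) or not 0 <= value < 2 ** (8 * VALUE_BYTES):
        return False
    return hmac.compare_digest(commit(value, nonce), commitment)


def verify_reveals(commitments, reveals):
    """Participant numbers whose reveal is missing or does not match."""
    return [i for i, c in enumerate(commitments) if not opens(c, reveals.get(i))]


def designate(commitments, reveals):
    """Add all revealed values and reduce modulo the number of participants.

    commitments: list indexed by the agreed sequential participant number.
    reveals:     dict {participant number: (value, nonce)}.

    The round aborts unless every commitment is opened correctly. Skipping a
    participant instead would change the sum after the other values are
    already public, so the result would no longer be fixed at commit time.
    """
    bad = verify_reveals(commitments, reveals)
    if bad:
        raise ValueError(f"round aborted: bad or missing reveals from {bad}")
    total = sum(value for value, _nonce in reveals.values())
    return total % len(commitments)


if __name__ == "__main__":
    # Constructed sample round: three participants with fresh random values.
    contributions = [new_contribution() for _ in range(3)]
    published = [c for _v, _n, c in contributions]
    revealed = {i: (v, n) for i, (v, n, _c) in enumerate(contributions)}
    print("designated participant:", designate(published, revealed))

    # A reveal that does not match its commitment is detected, not summed.
    revealed[1] = (revealed[1][0] ^ 1, revealed[1][1])
    print("participants failing verification:", verify_reveals(published, revealed))
```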

From hallam@gmail.com  Mon Dec 16 14:37:13 2013
MIME-Version: 1.0
In-Reply-To: <1D1AAD8E-3787-4E95-8694-6EB0B4A60890@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <1D1AAD8E-3787-4E95-8694-6EB0B4A60890@taoeffect.com>
Date: Mon, 16 Dec 2013 17:37:08 -0500
Message-ID: <CAMm+LwgnMhtLZ6RhE0kioRF4qEZrzsT8c5zwyP4cR=R+g6z_qw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tao Effect <contact@taoeffect.com>
Content-Type: multipart/alternative; boundary=047d7b5d5710b95e0b04edae7343
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--047d7b5d5710b95e0b04edae7343
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

When you make an assertion in a paper then you are accepting the burden of
proof.


If the source for the '600' claim was lying then the claim has to be taken
off the table completely. The DFN root issue demonstrates that the
methodology is bogus rather than just being a single inaccurate data point.

If you want to make assertions about the number of CAs then the most
accurate measure currently available is still the number of roots in the
commonly used browsers. While there are a handful of CAs using roots cross
certified by another CA, such CAs now have to have a full audit statement
and meet all the acceptance criteria in their own right. So there would be
little point in not applying to have the root entered in independently.

Since the 600 number is inaccurate and not particularly necessary, why
bother to quote it at all?




On Mon, Dec 16, 2013 at 1:44 PM, Tao Effect <contact@taoeffect.com> wrote:

> Which kind of calls their credibility into question. HALF the 'CAs' in
> their graph are from the DFN root. You can check that out for yourself, it
> is a German CA that issues certs to higher education institutions. As has
> been demonstrated (and agreed by the EFF people), DFN do not sign certs for
> key signing keys they do not hold.
>
> You can't calculate the number of CAs the way the EFF tried to. An
> intermediate certificate does not equate to a CA. Pretending it does to
> peddle an alternative PKI scheme calls into question their veracity.
>
> I have tried to get members of the EFF board to look into this but they
> never get back. Too much trouble to get it right.
>
>
> OK, in order for me to correct this in the paper I need the following
> information:
>
> 1. A link to who "DFN" is.
> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are
> shipped with (and details about this, like, do all 3 major browsers include
> DFN?)
> 3. A link to a paper, a blog post, or an article somewhere that describes
> in detail your side of the argument
>
> Let me emphasize that none of this ultimately matters to the points that
> were made in the paper.
>
> Whether the number is 600+ or 300+, it's still an *insecure*, *broken* mess.
>
> I was under the impression that Bitcoin was the preferred currency of
> libertopia. It is the only one that gets mention in the mainstream press.
> It is not clear to me how namecoin can be part of BitCoin and another
> currency.
>
>
> I'll be happy to clear this up:
>
> - Bitcoin is not the "market leader" of distributed DNS systems. Namecoin
> is.
> - Namecoin and Bitcoin are designed with completely different goals in
> mind. They are not competitors.
> - Namecoin is not intended to be a bitcoin replacement, nor the other way
> around. It is not like "litecoin" or any of the other bitcoin competitors,
> because it is not a competitor to bitcoin.
>
> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by
> the Feds.
>
>
> I'll be happy to clear this up too:
>
> *None of these are comparable to Bitcoin or Namecoin.*
>
> Neither "Gold Age", nor "eGold", nor "Liberty Reserve" were truly
> decentralized, distributed currencies.
>
> - "Gold Age" was not a currency: https://en.wikipedia.org/wiki/Gold_Age
> - eGold: *Centralized currency* with no "reliable user identification"
> <https://en.wikipedia.org/wiki/E-gold#Aftermath> (not
> a problem with Bitcoin or Namecoin)
> - Liberty Reserve: *Centralized currency*
> https://en.wikipedia.org/wiki/Liberty_Reserve#Background
>
> People who are standing back and scratching their heads, wondering why
> Bitcoin is still around after years of being used to purchase illegal
> drugs, murder-for-hire, and weapons (continuing to this day btw), simply
> don't understand what Bitcoin is.
>
> I might be a little more inclined to make an effort if you hadn't attacked
> me as being 'fraudulent' in your opening.
>
>
> Do you represent a company that sells SSL certs? It seems like you might:
>
> *During twelve years as Principal Scientist at VeriSign Inc.,*
>
>
> Perhaps the paper is a bit harsh (and I welcome suggestions to improve its
> language), but the critiques it levies against companies that sell SSL
> certs are completely valid:
>
> Companies that sell SSL certificates usually claim that their certificates
> provide customers with “security.” Customers are led to believe that these
> certificates protect browser-server communication from eavesdropping and
> tampering. As elaborated in this paper, this simply isn’t true today.
>
>
> I have to say, that among the cert companies' websites that I looked at,
> VeriSign's homepage makes the fewest claims about the security protections
> it provides.
>
> The words "usually claim" leave room for exceptions. I could not find, on
> the customer-facing pages on VeriSign's site, any claims that VeriSign's
> SSL certs "protect browser-server communication from eavesdropping and
> tampering."
>
> Some close calls are:
>
> *In short, when it comes to securing online transactions, safeguarding
> customer information, and protecting business reputation, you're only as
> safe as the Certificate Authority you choose.*
> https://www.symantec.com/ssl-certificates-advantages
>
>
> *Customers Gain Confidence with the Green Address Bar: Online shoppers
> recognize the green address bar as an easy and reliable way to verify the
> site identity and security.*
>
> https://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates
>
>
> VeriSign's SSL certificates do not provide websites with *meaningful
> protection* as defined in the DNSNMC paper because they cannot be
> securely authenticated in the face of a fraudulent certificate that's
> presented to customers by a MITM.
>
> If your certs can simply be replaced by any of the other CAs out there,
> then *all* of the security they provide is thrown out the window.
>
> Furthermore, because VeriSign is a random third-party, not the company
> that users visit when they visit a site using VeriSign's certificate, the
> protection offered by that certificate is inherently inferior to a securely
> authenticated self-signed certificate.
>
> This is simply mathematics, and not a point that's up for debate.
>
> When trust is distributed across more parties, that trust is diluted
> because it now depends on the least secure of those parties.
>
> *Sidenote:*
>
> It seems like I was sent "to the sharks" so to speak (perhaps as a
> practical joke?).
>
> So far almost half of the replies to this thread have come from
> representatives of SSL companies.
>
> The hostility is therefore no surprise.
>
> --
> Please do not email me anything that you are not comfortable also sharing
> with the NSA.
>
> On Dec 15, 2013, at 9:21 PM, Phillip Hallam-Baker <hallam@gmail.com>
> wrote:
>
>
>
>
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
>
>> And for someone who is accusing others of being 'fraudulent', not a good
>> move to start off repeating figures already exposed as bogus like the oft
>> repeated but still untrue claim of 600 CAs.
>>
>>
>> I thought the EFF was a reputable source.
>>
>> There has been no update or correction to their post:
>> https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>
>
> Which kind of calls their credibility into question. HALF the 'CAs' in
> their graph are from the DFN root. You can check that out for yourself, it
> is a German CA that issues certs to higher education institutions. As has
> been demonstrated (and agreed by the EFF people), DFN do not sign certs for
> key signing keys they do not hold.
>
> You can't calculate the number of CAs the way the EFF tried to. An
> intermediate certificate does not equate to a CA. Pretending it does to
> peddle an alternative PKI scheme calls into question their veracity.
>
> I have tried to get members of the EFF board to look into this but they
> never get back. Too much trouble to get it right.
>
>
> Tying the notary log to namecoin seems to be completely pointless to me,
>> unless the real objective is to promote namecoin. Why hook into namecoin
>> rather than the market leader?
>>
>>
>> What market leader?
>>
>
> I was under the impression that Bitcoin was the preferred currency of
> libertopia. It is the only one that gets mention in the mainstream press.
> It is not clear to me how namecoin can be part of BitCoin and another
> currency.
>
>
>
>> Given the success of the US government in shutting down eGold type
>> schemes I am very skeptical about the stability of 'namecoin'. If we accept
>> the purported scenarios that motivate the scheme then namecoin won't last
>> very long.
>>
>>
>> What eGold scheme are you comparing Namecoin to?
>>
>
> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by
> the Feds.
>
>
>
>> Are you sure you know what you're talking about here...? ;-)
>>
>
> I must admit that I find the scheme completely confused and assumes that I
> know a lot that I do not.
>
> I might be a little more inclined to make an effort if you hadn't attacked
> me as being 'fraudulent' in your opening.
>
>
> --
> Website: http://hallambaker.com/
>  _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
>
>
>


-- 
Website: http://hallambaker.com/

--047d7b5d5710b95e0b04edae7343--

From contact@taoeffect.com  Mon Dec 16 14:48:47 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_C6221F5A-9C01-482A-BB3C-AADD34FB569D"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <CAMm+LwgnMhtLZ6RhE0kioRF4qEZrzsT8c5zwyP4cR=R+g6z_qw@mail.gmail.com>
Date: Mon, 16 Dec 2013 17:48:39 -0500
Message-Id: <582F125D-03E5-4793-9F48-B68E9F23B7C3@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <1D1AAD8E-3787-4E95-8694-6EB0B4A60890@taoeffect.com> <CAMm+LwgnMhtLZ6RhE0kioRF4qEZrzsT8c5zwyP4cR=R+g6z_qw@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1822)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--Apple-Mail=_C6221F5A-9C01-482A-BB3C-AADD34FB569D
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_80DFBD3A-ACC1-4EFA-AF33-F520F9E55356"


--Apple-Mail=_80DFBD3A-ACC1-4EFA-AF33-F520F9E55356
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?

Dude, how did you manage to ignore that entire email?

One more time, since you somehow missed it:

>> OK, in order for me to correct this in the paper I need the following information:
>>
>> 1. A link to who "DFN" is.
>> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
>> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>>


You cannot just say "the EFF is lying", throw your hands in the air, and leave it at that.

Unlike you, the EFF provided sources and proof for their claim.

They then wrote a widely cited blog post containing their claim and their evidence for it.

Where is your blog post? Where is your evidence that the EFF is lying?

These emails of yours don't cut it. Heck, I'd even post a link to an archived email of yours if you provided the necessary information in it.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> When you make an assertion in a paper then you are accepting the burden of proof.
>
> If the source for the '600' claim was lying then the claim has to be taken off the table completely. The DFN root issue demonstrates that the methodology is bogus rather than just being a single inaccurate data point.
>
> If you want to make assertions about the number of CAs then the most accurate measure currently available is still the number of roots in the commonly used browsers. While there are a handful of CAs using roots cross certified by another CA, such CAs now have to have a full audit statement and meet all the acceptance criteria in their own right. So there would be little point in not applying to have the root entered in independently.
>
> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?
>
>
> On Mon, Dec 16, 2013 at 1:44 PM, Tao Effect <contact@taoeffect.com> wrote:
>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>
>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>
>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>
>
> OK, in order for me to correct this in the paper I need the following information:
>
> 1. A link to who "DFN" is.
> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>
> Let me emphasize that none of this ultimately matters to the points that were made in the paper.
>
> Whether the number is 600+ or 300+, it's still an insecure, broken mess.
>
>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>
>
> I'll be happy to clear this up:
>
> - Bitcoin is not the "market leader" of distributed DNS systems. Namecoin is.
> - Namecoin and Bitcoin are designed with completely different goals in mind. They are not competitors.
> - Namecoin is not intended to be a bitcoin replacement, nor the other way around. It is not like "litecoin" or any of the other bitcoin competitors, because it is not a competitor to bitcoin.
>
>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>
>
> I'll be happy to clear this up too:
>
> None of these are comparable to Bitcoin or Namecoin.
>
> Neither "Gold Age", nor "eGold", nor "Liberty Reserve" were truly decentralized, distributed currencies.
>
> - "Gold Age" was not a currency: https://en.wikipedia.org/wiki/Gold_Age
> - eGold: Centralized currency with no "reliable user identification" (not a problem with Bitcoin or Namecoin)
> - Liberty Reserve: Centralized currency https://en.wikipedia.org/wiki/Liberty_Reserve#Background
>
> People who are standing back and scratching their heads, wondering why Bitcoin is still around after years of being used to purchase illegal drugs, murder-for-hire, and weapons (continuing to this day btw), simply don't understand what Bitcoin is.
>
>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>
>
> Do you represent a company that sells SSL certs? It seems like you might:
>
> During twelve years as Principal Scientist at VeriSign Inc.,
>
> Perhaps the paper is a bit harsh (and I welcome suggestions to improve its language), but the critiques it levies against companies that sell SSL certs are completely valid:
>
> Companies that sell SSL certificates usually claim that their certificates provide customers with “security.” Customers are led to believe that these certificates protect browser-server communication from eavesdropping and tampering. As elaborated in this paper, this simply isn’t true today.
>
> I have to say, that among the cert companies' websites that I looked at, VeriSign's homepage makes the fewest claims about the security protections it provides.
>
> The words "usually claim" leave room for exceptions. I could not find, on the customer-facing pages on VeriSign's site, any claims that VeriSign's SSL certs "protect browser-server communication from eavesdropping and tampering."
>
> Some close calls are:
>
> In short, when it comes to securing online transactions, safeguarding customer information, and protecting business reputation, you're only as safe as the Certificate Authority you choose.
> https://www.symantec.com/ssl-certificates-advantages
>
> Customers Gain Confidence with the Green Address Bar: Online shoppers recognize the green address bar as an easy and reliable way to verify the site identity and security.
> https://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates
>
> VeriSign's SSL certificates do not provide websites with meaningful protection as defined in the DNSNMC paper because they cannot be securely authenticated in the face of a fraudulent certificate that's presented to customers by a MITM.
>
> If your certs can simply be replaced by any of the other CAs out there, then *all* of the security they provide is thrown out the window.
>
> Furthermore, because VeriSign is a random third-party, not the company that users visit when they visit a site using VeriSign's certificate, the protection offered by that certificate is inherently inferior to a securely authenticated self-signed certificate.
>
> This is simply mathematics, and not a point that's up for debate.
>
> When trust is distributed across more parties, that trust is diluted because it now depends on the least secure of those parties.
>
> Sidenote:
>
> It seems like I was sent "to the sharks" so to speak (perhaps as a practical joke?).
>
> So far almost half of the replies to this thread have come from representatives of SSL companies.
>
> The hostility is therefore no surprise.
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
>
> On Dec 15, 2013, at 9:21 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
>> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
>>> And for someone who is accusing others of being 'fraudulent', not a good move to start off repeating figures already exposed as bogus like the oft repeated but still untrue claim of 600 CAs.
>>
>> I thought the EFF was a reputable source.
>>
>> There has been no update or correction to their post: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>
>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>
>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>
>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>>
>>> Tying the notary log to namecoin seems to be completely pointless to me, unless the real objective is to promote namecoin. Why hook into namecoin rather than the market leader?
>>
>> What market leader?
>>
>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>>
>>> Given the success of the US government in shutting down eGold type schemes I am very skeptical about the stability of 'namecoin'. If we accept the purported scenarios that motivate the scheme then namecoin won't last very long.
>>
>> What eGold scheme are you comparing Namecoin to?
>>
>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>>
>> Are you sure you know what you're talking about here...? ;-)
>>
>> I must admit that I find the scheme completely confused and assumes that I know a lot that I do not.
>>
>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>>
>> --
>> Website: http://hallambaker.com/


--Apple-Mail=_80DFBD3A-ACC1-4EFA-AF33-F520F9E55356--

--Apple-Mail=_C6221F5A-9C01-482A-BB3C-AADD34FB569D--

From contact@taoeffect.com  Mon Dec 16 14:54:11 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_8443AD8E-BE87-49F9-9527-3F71356AEE0D"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <582F125D-03E5-4793-9F48-B68E9F23B7C3@taoeffect.com>
Date: Mon, 16 Dec 2013 17:54:01 -0500
Message-Id: <625EF7DC-7769-44AF-8D4D-2345DF841DD4@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <1D1AAD8E-3787-4E95-8694-6EB0B4A60890@taoeffect.com> <CAMm+LwgnMhtLZ6RhE0kioRF4qEZrzsT8c5zwyP4cR=R+g6z_qw@mail.gmail.com> <582F125D-03E5-4793-9F48-B68E9F23B7C3@taoeffect.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1822)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--Apple-Mail=_8443AD8E-BE87-49F9-9527-3F71356AEE0D
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_85F36B24-10E4-4A9B-B4C2-182A6F6E07C5"


--Apple-Mail=_85F36B24-10E4-4A9B-B4C2-182A6F6E07C5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Oh, sorry, I just saw (after sending that email), that I didn't answer your question.

Why bother quoting it at all? Because whether the number is 600+ or 300+, it still serves to support the point that browsers will take the word of any one of over a hundred potentially untrustworthy strangers as "proof" that a connection to a website is secure.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Dec 16, 2013, at 5:48 PM, Tao Effect <contact@taoeffect.com> wrote:

> On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>
>> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?
>
> Dude, how did you manage to ignore that entire email?
>
> One more time, since you somehow missed it:
>
>>> OK, in order for me to correct this in the paper I need the following information:
>>>
>>> 1. A link to who "DFN" is.
>>> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
>>> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>>>
>
> You cannot just say "the EFF is lying", throw your hands in the air, and leave it at that.
>
> Unlike you, the EFF provided sources and proof for their claim.
>
> They then wrote a widely cited blog post containing their claim and their evidence for it.
>
> Where is your blog post? Where is your evidence that the EFF is lying?
>
> These emails of yours don't cut it. Heck, I'd even post a link to an archived email of yours if you provided the necessary information in it.
>
> - Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
>
> On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
>> When you make an assertion in a paper then you are accepting the burden of proof.
>>
>> If the source for the '600' claim was lying then the claim has to be taken off the table completely. The DFN root issue demonstrates that the methodology is bogus rather than just being a single inaccurate data point.
>>
>> If you want to make assertions about the number of CAs then the most accurate measure currently available is still the number of roots in the commonly used browsers. While there are a handful of CAs using roots cross certified by another CA, such CAs now have to have a full audit statement and meet all the acceptance criteria in their own right. So there would be little point in not applying to have the root entered in independently.
>>
>> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?
>>
>> On Mon, Dec 16, 2013 at 1:44 PM, Tao Effect <contact@taoeffect.com> wrote:
>>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>>
>>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>>
>>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>>
>> OK, in order for me to correct this in the paper I need the following information:
>>
>> 1. A link to who "DFN" is.
>> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
>> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>>
>> Let me emphasize that none of this ultimately matters to the points that were made in the paper.
>>
>> Whether the number is 600+ or 300+, it's still an insecure, broken mess.
>>
>>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>>
>> I'll be happy to clear this up:
>>
>> - Bitcoin is not the "market leader" of distributed DNS systems. Namecoin is.
>> - Namecoin and Bitcoin are designed with completely different goals in mind. They are not competitors.
>> - Namecoin is not intended to be a bitcoin replacement, nor the other way around. It is not like "litecoin" or any of the other bitcoin competitors, because it is not a competitor to bitcoin.
>>
>>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>>
>> I'll be happy to clear this up too:
>>
>> None of these are comparable to Bitcoin or Namecoin.
>>
>> Neither "Gold Age", nor "eGold", nor "Liberty Reserve" were truly decentralized, distributed currencies.
>>
>> - "Gold Age" was not a currency: https://en.wikipedia.org/wiki/Gold_Age
>> - eGold: Centralized currency with no "reliable user identification" (not a problem with Bitcoin or Namecoin)
>> - Liberty Reserve: Centralized currency https://en.wikipedia.org/wiki/Liberty_Reserve#Background
>>
>> People who are standing back and scratching their heads, wondering why Bitcoin is still around after years of being used to purchase illegal drugs, murder-for-hire, and weapons (continuing to this day btw), simply don't understand what Bitcoin is.
>>
>>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>>
>> Do you represent a company that sells SSL certs? It seems like you might:
>>
>> During twelve years as Principal Scientist at VeriSign Inc.,
>>
>> Perhaps the paper is a bit harsh (and I welcome suggestions to improve its language), but the critiques it levies against companies that sell SSL certs are completely valid:
>>
>> Companies that sell SSL certificates usually claim that their certificates provide customers with “security.” Customers are led to believe that these certificates protect browser-server communication from eavesdropping and tampering. As elaborated in this paper, this simply isn’t true today.
>>
>> I have to say, that among the cert companies' websites that I looked at, VeriSign's homepage makes the fewest claims about the security protections it provides.
>>
>> The words "usually claim" leave room for exceptions. I could not find, on the customer-facing pages on VeriSign's site, any claims that VeriSign's SSL certs "protect browser-server communication from eavesdropping and tampering."
>>
>> Some close calls are:
>>
>> In short, when it comes to securing online transactions, safeguarding customer information, and protecting business reputation, you're only as safe as the Certificate Authority you choose.
>> https://www.symantec.com/ssl-certificates-advantages
>>
>> Customers Gain Confidence with the Green Address Bar: Online shoppers recognize the green address bar as an easy and reliable way to verify the site identity and security.
>> https://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates
>>
>> VeriSign's SSL certificates do not provide websites with meaningful protection as defined in the DNSNMC paper because they cannot be securely authenticated in the face of a fraudulent certificate that's presented to customers by a MITM.
>>
>> If your certs can simply be replaced by any of the other CAs out there, then *all* of the security they provide is thrown out the window.
>>
>> Furthermore, because VeriSign is a random third-party, not the company that users visit when they visit a site using VeriSign's certificate, the protection offered by that certificate is inherently inferior to a securely authenticated self-signed certificate.
>>
>> This is simply mathematics, and not a point that's up for debate.
>>
>> When trust is distributed across more parties, that trust is diluted because it now depends on the least secure of those parties.
>>
>> Sidenote:
>>
>> It seems like I was sent "to the sharks" so to speak (perhaps as a practical joke?).
>>
>> So far almost half of the replies to this thread have come from representatives of SSL companies.
>>
>> The hostility is therefore no surprise.
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing with the NSA.
>>
>> On Dec 15, 2013, at 9:21 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>
>>>
>>> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
>>>> And for someone who is accusing others of being 'fraudulent', not a good move to start off repeating figures already exposed as bogus like the oft repeated but still untrue claim of 600 CAs.
>>>
>>> I thought the EFF was a reputable source.
>>>
>>> There has been no update or correction to their post: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>>
>>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>>
>>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>>
>>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>>>
>>>> Tying the notary log to namecoin seems to be completely pointless to me, unless the real objective is to promote namecoin. Why hook into namecoin rather than the market leader?
>>>
>>> What market leader?
>>>
>>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>>>
>>>> Given the success of the US government in shutting down eGold type schemes I am very skeptical about the stability of 'namecoin'. If we accept the purported scenarios that motivate the scheme then namecoin won't last very long.
>>>
>>> What eGold scheme are you comparing Namecoin to?
>>>
>>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>>>
>>> Are you sure you know what you're talking about here...? ;-)
>>>
>>> I must admit that I find the scheme completely confused and assumes that I know a lot that I do not.
>>>
>>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>>>
>>> --
>>> Website: http://hallambaker.com/
>>> _______________________________________________
>>> therightkey mailing list
>>> therightkey@ietf.org
>>> https://www.ietf.org/mailman/listinfo/therightkey


--Apple-Mail=_85F36B24-10E4-4A9B-B4C2-182A6F6E07C5--

--Apple-Mail=_8443AD8E-BE87-49F9-9527-3F71356AEE0D--

From paul@marvell.com  Mon Dec 16 16:53:09 2013
From: Paul Lambert <paul@marvell.com>
To: Tao Effect <contact@taoeffect.com>, Ben Laurie <benl@google.com>
Date: Mon, 16 Dec 2013 16:53:00 -0800
Thread-Topic: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
Thread-Index: Ac76wlX9/TCxT2f/RG2VubHwgAzxZw==
Message-ID: <CED4DF97.2A6D1%paul@marvell.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com> <596BD192-F19E-48A5-8FD7-37D5A2085751@taoeffect.com> <CABrd9SShenVv4wm06kut+sXQRzHQoZezajLbGc_HZnu_4jwxrg@mail.gmail.com> <AD2594AC-CA6B-4314-A521-5C15E1C13F86@taoeffect.com>
In-Reply-To: <AD2594AC-CA6B-4314-A521-5C15E1C13F86@taoeffect.com>
Content-Type: multipart/alternative; boundary="_000_CED4DF972A6D1paulmarvellcom_"
MIME-Version: 1.0
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--_000_CED4DF972A6D1paulmarvellcom_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable





> Though this thread is more of an announcement, it can also be considered a first draft of a proposal for DNSNMC.
>
> Paper was linked to in the first post, here it is again:
>
> http://okturtles.com/other/dnsnmc_okturtles_overview.pdf

More of a marketing announcement than a technical proposal … perhaps I missed the URL, but is there any technical specification?
Seems like the charter of this group could provide a more generic worked out solution.

Paul



--_000_CED4DF972A6D1paulmarvellcom_--

From contact@taoeffect.com  Mon Dec 16 17:59:27 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_EC885ECA-1BDB-4545-ADCA-72E2F8B9177C"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <CED4DF97.2A6D1%paul@marvell.com>
Date: Mon, 16 Dec 2013 20:59:18 -0500
Message-Id: <02B32516-2621-443C-AA46-39D132E7EB8E@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com> <596BD192-F19E-48A5-8FD7-37D5A2085751@taoeffect.com> <CABrd9SShenVv4wm06kut+sXQRzHQoZezajLbGc_HZnu_4jwxrg@mail.gmail.com> <AD2594AC-CA6B-4314-A521-5C15E1C13F86@taoeffect.com> <CED4DF97.2A6D1%paul@marvell.com>
To: Paul Lambert <paul@marvell.com>
X-Mailer: Apple Mail (2.1822)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Ben Laurie <benl@google.com>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--Apple-Mail=_EC885ECA-1BDB-4545-ADCA-72E2F8B9177C
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_53EBD946-64AB-413E-9BF7-825ED44C9958"


--Apple-Mail=_53EBD946-64AB-413E-9BF7-825ED44C9958
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

> More of a marketing announcement than a technical proposal … perhaps I missed the URL, but is there any technical specification?

he basic idea is already be explained in the paper.

A detailed specification will be published to Github soon.

You're welcome to comment on what's already suggested in the paper (here or in the corresponding Namecoin thread).

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Dec 16, 2013, at 7:53 PM, Paul Lambert <paul@marvell.com> wrote:

>> Though this thread is more of an announcement, it can also be considered a first draft of a proposal for DNSNMC.
>>
>> Paper was linked to in the first post, here it is again:
>>
>> http://okturtles.com/other/dnsnmc_okturtles_overview.pdf
>
> More of a marketing announcement than a technical proposal … perhaps I missed the URL, but is there any technical specification?
> Seems like the charter of this group could provide a more generic worked out solution.
>
> Paul



--Apple-Mail=_53EBD946-64AB-413E-9BF7-825ED44C9958--

--Apple-Mail=_EC885ECA-1BDB-4545-ADCA-72E2F8B9177C--

From contact@taoeffect.com  Mon Dec 16 18:00:23 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_C22622AD-AB6B-4853-A09D-7528F4BAF4F5"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <02B32516-2621-443C-AA46-39D132E7EB8E@taoeffect.com>
Date: Mon, 16 Dec 2013 21:00:19 -0500
Message-Id: <4B128138-713D-40C9-85C1-2455CD69CFE7@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CABrd9SQebG0+DpnD0GXD8nOXa2FSSKp8LLbBO+q1PxAEJ6dQcw@mail.gmail.com> <596BD192-F19E-48A5-8FD7-37D5A2085751@taoeffect.com> <CABrd9SShenVv4wm06kut+sXQRzHQoZezajLbGc_HZnu_4jwxrg@mail.gmail.com> <AD2594AC-CA6B-4314-A521-5C15E1C13F86@taoeffect.com> <CED4DF97.2A6D1%paul@marvell.com> <02B32516-2621-443C-AA46-39D132E7EB8E@taoeffect.com>
To: Paul Lambert <paul@marvell.com>
X-Mailer: Apple Mail (2.1822)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Ben Laurie <benl@google.com>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--Apple-Mail=_C22622AD-AB6B-4853-A09D-7528F4BAF4F5
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_9048F820-3577-44D9-AC23-1F3C72695D7A"


--Apple-Mail=_9048F820-3577-44D9-AC23-1F3C72695D7A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Sorry, that's got to be a new level of typo for me:

> he basic idea is already be explained in the paper.

*The basic idea is already touched on in the paper.

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Dec 16, 2013, at 8:59 PM, Tao Effect <contact@taoeffect.com> wrote:

>> More of a marketing announcement than a technical proposal … perhaps I missed the URL, but is there any technical specification?
>
> he basic idea is already be explained in the paper.
>
> A detailed specification will be published to Github soon.
>
> You're welcome to comment on what's already suggested in the paper (here or in the corresponding Namecoin thread).
>
> Cheers,
> Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
>
> On Dec 16, 2013, at 7:53 PM, Paul Lambert <paul@marvell.com> wrote:
>
>>> Though this thread is more of an announcement, it can also be considered a first draft of a proposal for DNSNMC.
>>>
>>> Paper was linked to in the first post, here it is again:
>>>
>>> http://okturtles.com/other/dnsnmc_okturtles_overview.pdf
>>
>> More of a marketing announcement than a technical proposal … perhaps I missed the URL, but is there any technical specification?
>> Seems like the charter of this group could provide a more generic worked out solution.
>>
>> Paul


--Apple-Mail=_9048F820-3577-44D9-AC23-1F3C72695D7A--

--Apple-Mail=_C22622AD-AB6B-4853-A09D-7528F4BAF4F5--

From holz@net.in.tum.de  Tue Dec 17 02:40:21 2013
Message-ID: <52B02A10.1040403@net.in.tum.de>
Date: Tue, 17 Dec 2013 11:40:16 +0100
From: Ralph Holz <holz@net.in.tum.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: therightkey@ietf.org
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <D0008C27-16EE-41F9-954E-CA51536CD1F0@mnt.se>
In-Reply-To: <D0008C27-16EE-41F9-954E-CA51536CD1F0@mnt.se>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Hi,

> yep, DFN is a 'private' sub-CA under tight control but it could still be
> attacked the way DigiNotar was and though I believe their security is a
> lot better than their less fortunate Dutch cousins, a successful attack
> would be just as bad.

That is true for any CA, sub-* or not. The important point is where the
private key is kept.

In the case of the DFN, the 'many subCAs' are actually RAs without
signing capacity. I'd be much more worried about some resellers of the
very popular CAs. Anyone remember Comodo's InstantSSL reseller?

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF

From contact@taoeffect.com  Tue Dec 17 12:35:25 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_1452B3D6-D97E-4210-89F0-0E2A3F861587"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <625EF7DC-7769-44AF-8D4D-2345DF841DD4@taoeffect.com>
Date: Tue, 17 Dec 2013 15:35:13 -0500
Message-Id: <673A824A-7A9A-47B5-845E-F0F60BF5A63D@taoeffect.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <1D1AAD8E-3787-4E95-8694-6EB0B4A60890@taoeffect.com> <CAMm+LwgnMhtLZ6RhE0kioRF4qEZrzsT8c5zwyP4cR=R+g6z_qw@mail.gmail.com> <582F125D-03E5-4793-9F48-B68E9F23B7C3@taoeffect.com> <625EF7DC-7769-44AF-8D4D-2345DF841DD4@taoeffect.com>
To: Tao Effect Support <contact@taoeffect.com>
X-Mailer: Apple Mail (2.1827)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Phillip Hallam-Baker <hallam@gmail.com>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

--Apple-Mail=_1452B3D6-D97E-4210-89F0-0E2A3F861587
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_30F5A43B-78E5-445E-B51A-ED6B9E62A891"


--Apple-Mail=_30F5A43B-78E5-445E-B51A-ED6B9E62A891
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

The list moderator asked a few participants (including myself) to let this issue go, but I just want to mention that I've posted a minor update to the PDF, and have included a link to this thread in it, as well as a footnote next to the 600+ figure, mentioning that, "Phillip Hallam-Baker disputes the EFF’s figure on [therightkey] mailing list, but did not provided citable references for his claims."

URL remains the same, but it should say Version 1.1 in the lower-left of the cover page:

http://okturtles.com/other/dnsnmc_okturtles_overview.pdf

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Dec 16, 2013, at 5:54 PM, Tao Effect <contact@taoeffect.com> wrote:

> Oh, sorry, I just saw (after sending that email), that I didn't answer your question.
>
> Why bother quoting it at all? Because whether the number is 600+ or 300+, it still serves to support the point that browsers will take the word of any one of over a hundred potentially untrustworthy strangers as "proof" that a connection to a website is secure.
>
> - Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
>
> On Dec 16, 2013, at 5:48 PM, Tao Effect <contact@taoeffect.com> wrote:
>
>> On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>>
>>> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?
>>
>> Dude, how did you manage to ignore that entire email?
>>
>> One more time, since you somehow missed it:
>>
>>>> OK, in order for me to correct this in the paper I need the following information:
>>>>
>>>> 1. A link to who "DFN" is.
>>>> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
>>>> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>>>>
>>
>> You cannot just say "the EFF is lying", throw your hands in the air, and leave it at that.
>>
>> Unlike you, the EFF provided sources and proof for their claim.
>>
>> They then wrote a widely cited blog post containing their claim and their evidence for it.
>>
>> Where is your blog post? Where is your evidence that the EFF is lying?
>>
>> These emails of yours don't cut it. Heck, I'd even post a link to an archived email of yours if you provided the necessary information in it.
>>
>> - Greg
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing with the NSA.
>>
>> On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>
>>> When you make an assertion in a paper then you are accepting the burden of proof.
>>>
>>> If the source for the '600' claim was lying then the claim has to be taken off the table completely. The DFN root issue demonstrates that the methodology is bogus rather than just being a single inaccurate data point.
>>>
>>> If you want to make assertions about the number of CAs then the most accurate measure currently available is still the number of roots in the commonly used browsers. While there are a handful of CAs using roots cross certified by another CA, such CAs now have to have a full audit statement and meet all the acceptance criteria in their own right. So there would be little point in not applying to have the root entered in independently.
>>>
>>> Since the 600 number is inaccurate and not particularly necessary, why bother to quote it at all?
>>>
>>> On Mon, Dec 16, 2013 at 1:44 PM, Tao Effect <contact@taoeffect.com> wrote:
>>>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>>>
>>>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>>>
>>>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>>>
>>> OK, in order for me to correct this in the paper I need the following information:
>>>
>>> 1. A link to who "DFN" is.
>>> 2. A 'yes' or 'no' as to whether DFN is a root cert that browsers are shipped with (and details about this, like, do all 3 major browsers include DFN?)
>>> 3. A link to a paper, a blog post, or an article somewhere that describes in detail your side of the argument
>>>
>>> Let me emphasize that none of this ultimately matters to the points that were made in the paper.
>>>
>>> Whether the number is 600+ or 300+, it's still an insecure, broken mess.
>>>
>>>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>>>
>>> I'll be happy to clear this up:
>>>
>>> - Bitcoin is not the "market leader" of distributed DNS systems. Namecoin is.
>>> - Namecoin and Bitcoin are designed with completely different goals in mind. They are not competitors.
>>> - Namecoin is not intended to be a bitcoin replacement, nor the other way around. It is not like "litecoin" or any of the other bitcoin competitors, because it is not a competitor to bitcoin.
>>>
>>>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>>>
>>> I'll be happy to clear this up too:
>>>
>>> None of these are comparable to Bitcoin or Namecoin.
>>>
>>> Neither "Gold Age", nor "eGold", nor "Liberty Reserve" were truly decentralized, distributed currencies.
>>>
>>> - "Gold Age" was not a currency: https://en.wikipedia.org/wiki/Gold_Age
>>> - eGold: Centralized currency with no "reliable user identification" (not a problem with Bitcoin or Namecoin)
>>> - Liberty Reserve: Centralized currency https://en.wikipedia.org/wiki/Liberty_Reserve#Background
>>>
>>> People who are standing back and scratching their heads, wondering why Bitcoin is still around after years of being used to purchase illegal drugs, murder-for-hire, and weapons (continuing to this day btw), simply don't understand what Bitcoin is.
>>>
>>>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>>>
>>> Do you represent a company that sells SSL certs? It seems like you might:
>>>
>>> During twelve years as Principal Scientist at VeriSign Inc.,
>>>
>>> Perhaps the paper is a bit harsh (and I welcome suggestions to improve its language), but the critiques it levies against companies that sell SSL certs are completely valid:
>>>
>>> Companies that sell SSL certificates usually claim that their certificates provide customers with “security.” Customers are led to believe that these certificates protect browser-server communication from eavesdropping and tampering. As elaborated in this paper, this simply isn’t true today.
>>>
>>> I have to say, that among the cert companies' websites that I looked at, VeriSign's homepage makes the fewest claims about the security protections it provides.
>>>
>>> The words "usually claim" leave room for exceptions. I could not find, on the customer-facing pages on VeriSign's site, any claims that VeriSign's SSL certs "protect browser-server communication from eavesdropping and tampering."
>>>
>>> Some close calls are:
>>>
>>> In short, when it comes to securing online transactions, safeguarding customer information, and protecting business reputation, you're only as safe as the Certificate Authority you choose.
>>> https://www.symantec.com/ssl-certificates-advantages
>>>
>>> Customers Gain Confidence with the Green Address Bar: Online shoppers recognize the green address bar as an easy and reliable way to verify the site identity and security.
>>> https://www.symantec.com/verisign/ssl-certificates/secure-site-pro-ev?fid=ssl-certificates
>>>
>>> VeriSign's SSL certificates do not provide websites with meaningful protection as defined in the DNSNMC paper because they cannot be securely authenticated in the face of a fraudulent certificate that's presented to customers by a MITM.
>>>
>>> If your certs can simply be replaced by any of the other CAs out there, then *all* of the security they provide is thrown out the window.
>>>
>>> Furthermore, because VeriSign is a random third-party, not the company that users visit when they visit a site using VeriSign's certificate, the protection offered by that certificate is inherently inferior to a securely authenticated self-signed certificate.
>>>
>>> This is simply mathematics, and not a point that's up for debate.
>>>
>>> When trust is distributed across more parties, that trust is diluted because it now depends on the least secure of those parties.
>>>
>>> Sidenote:
>>>
>>> It seems like I was sent "to the sharks" so to speak (perhaps as a practical joke?).
>>>
>>> So far almost half of the replies to this thread have come from representatives of SSL companies.
>>>
>>> The hostility is therefore no surprise.
>>>
>>> --
>>> Please do not email me anything that you are not comfortable also sharing with the NSA.
>>>
>>> On Dec 15, 2013, at 9:21 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>>
>>>>
>>>> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
>>>>> And for someone who is accusing others of being 'fraudulent', not a good move to start off repeating figures already exposed as bogus like the oft repeated but still untrue claim of 600 CAs.
>>>>
>>>> I thought the EFF was a reputable source.
>>>>
>>>> There has been no update or correction to their post: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>>>
>>>> Which kind of calls their credibility into question. HALF the 'CAs' in their graph are from the DFN root. You can check that out for yourself, it is a German CA that issues certs to higher education institutions. As has been demonstrated (and agreed by the EFF people), DFN do not sign certs for key signing keys they do not hold.
>>>>
>>>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>>>
>>>> I have tried to get members of the EFF board to look into this but they never get back. Too much trouble to get it right.
>>>>
>>>>> Tying the notary log to namecoin seems to be completely pointless to me, unless the real objective is to promote namecoin. Why hook into namecoin rather than the market leader?
>>>>
>>>> What market leader?
>>>>
>>>> I was under the impression that Bitcoin was the preferred currency of libertopia. It is the only one that gets mention in the mainstream press. It is not clear to me how namecoin can be part of BitCoin and another currency.
>>>>
>>>>> Given the success of the US government in shutting down eGold type schemes I am very skeptical about the stability of 'namecoin'. If we accept the purported scenarios that motivate the scheme then namecoin won't last very long.
>>>>
>>>> What eGold scheme are you comparing Namecoin to?
>>>>
>>>> Gold Age, eGold, Liberty Reserve. All the ones that were taken apart by the Feds.
>>>>
>>>> Are you sure you know what you're talking about here...? ;-)
>>>>
>>>> I must admit that I find the scheme completely confused and assumes that I know a lot that I do not.
>>>>
>>>> I might be a little more inclined to make an effort if you hadn't attacked me as being 'fraudulent' in your opening.
>>>>
>>>> --
>>>> Website: http://hallambaker.com/
>>>> _______________________________________________
>>>> therightkey mailing list
>>>> therightkey@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/therightkey


--Apple-Mail=_30F5A43B-78E5-445E-B51A-ED6B9E62A891
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">The =
list moderator asked a few participants (including myself) to let this =
issue go, but I just want to mention that I've posted a minor update to =
the PDF, and have included a link to this thread in it, as well as a =
footnote next to the 600+ figure, mentioning that, "Phillip Hallam-Baker =
disputes the EFF=92s figure on [therightkey] mailing list, but did not =
provided citable references for his claims."<div><br></div><div>URL =
remains the same, but it should say Version 1.1 in the lower-left of the =
cover page:<br><div><br></div><div><a =
href=3D"http://okturtles.com/other/dnsnmc_okturtles_overview.pdf">http://o=
kturtles.com/other/dnsnmc_okturtles_overview.pdf</a><br><div>
<br>--<br>Please do not email me anything that you are =
not&nbsp;comfortable also sharing with the NSA.<br>

</div>
<br><div><div>On Dec 16, 2013, at 5:54 PM, Tao Effect =
&lt;contact@taoeffect.com&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><meta =
http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Oh, =
sorry, I just saw (after sending that email), that I didn't answer your =
question.<div><br></div><div>Why bother quoting it at all? Because =
whether the number is 600+ or 300+, it still serves to support the point =
that browsers will take the word of any one of over a hundred =
potentially untrustworthy strangers as "proof" that a connection to a =
website is secure.</div><div><br></div><div>- Greg<br><div>
<br>--<br>Please do not email me anything that you are =
not&nbsp;comfortable also sharing with the NSA.<br>

</div>
<br><div><div>On Dec 16, 2013, at 5:48 PM, Tao Effect &lt;<a =
href=3D"mailto:contact@taoeffect.com">contact@taoeffect.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">On Dec =
16, 2013, at 5:37 PM, Phillip Hallam-Baker &lt;<a =
href=3D"mailto:hallam@gmail.com">hallam@gmail.com</a>&gt; =
wrote:<blockquote type=3D"cite"><div dir=3D"ltr"><div>Since the 600 =
number is inaccurate and not particularly necessary, why bother to quote =
it at all?</div><div></div></div></blockquote><div><br =
class=3D"webkit-block-placeholder"></div><div>Dude, how did you manage =
to ignore that entire email?</div><div><br></div><div>One more time, =
since you somehow missed it:</div><div><br></div><div><blockquote =
style=3D"margin: 0 0 0 40px; border: none; padding: 0px;"><blockquote =
type=3D"cite"><blockquote type=3D"cite"><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><blockquote =
class=3D"gmail_quote" style=3D"margin: 0px 0px 0px 0.8ex; =
border-left-width: 1px; border-left-color: rgb(204, 204, 204); =
border-left-style: solid; padding-left: 1ex; position: static; z-index: =
auto;"><div style=3D"word-wrap: break-word;"><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><div>OK, in order for =
me to correct this in the paper I need the following =
information:</div><div><br></div><div>1. A link to who "DFN" =
is.</div><div>2. A 'yes' or 'no' as to whether DFN is a root cert that =
browsers are shipped with (and details about this, like, do all 3 major =
browsers include DFN?)</div><div>3. A link to a paper, a blog post, or =
an article somewhere that describes in detail your side of the =
argument</div><div><br></div></div></div></div></div></blockquote></div></=
div></div></blockquote></blockquote></blockquote></div><div><br =
class=3D"webkit-block-placeholder"></div><div>You cannot just say "the =
EFF is lying", throw your hands in the air, and leave it at =
that.</div><div><br></div><div>Unlike you, the EFF provided sources and =
proof for their claim.</div><div><br></div><div>The then wrote a widely =
cited blog post containing their claim and their evidence for =
it.</div><div><br></div><div>Where is your blog post? Where is your =
evidence that the EFF is lying?</div><div><br></div><div>These emails of =
yours don't cut it. Heck, I'd even post a link to an archived email of =
yours if you provided the necessary information in =
it.</div><div><br></div><div>- Greg</div><div>
<br>--<br>Please do not email me anything that you are =
not&nbsp;comfortable also sharing with the NSA.<br>

</div>
<br><div><div>On Dec 16, 2013, at 5:37 PM, Phillip Hallam-Baker &lt;<a =
href=3D"mailto:hallam@gmail.com">hallam@gmail.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><div dir=3D"ltr"><div>When you make an assertion in a =
paper then you are accepting the burden of =
proof.&nbsp;</div><div><br></div><div><br></div>If the source for the =
'600' claim was lying then the claim has to be taken off the table =
completely. The DFN root issue demonstrates that the methodology is =
bogus rather than just being a single inaccurate data point.<div>
<br></div><div>If you want to make assertions about the number of CAs =
then the most accurate measure currently available is still the number =
of roots in the commonly used browsers. While there are a handful of CAs =
using roots cross certified by another CA, such CAs now have to have a =
full audit statement and meet all the acceptance criteria in their own =
right. So there would be little point in not applying to have the root =
entered in independently.</div>
<div><br></div><div>Since the 600 number is inaccurate and not =
particularly necessary, why bother to quote it at all?</div><div><div =
class=3D"gmail_extra"><br></div><div class=3D"gmail_extra"><br></div><div =
class=3D"gmail_extra">
<br><br><div class=3D"gmail_quote">On Mon, Dec 16, 2013 at 1:44 PM, Tao =
Effect <span dir=3D"ltr">&lt;<a href=3D"mailto:contact@taoeffect.com" =
target=3D"_blank">contact@taoeffect.com</a>&gt;</span> =
wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin: 0px 0px 0px =
0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); =
border-left-style: solid; padding-left: 1ex; position: static; z-index: =
auto;">
<div style=3D"word-wrap:break-word"><div class=3D"im"><blockquote =
type=3D"cite"><div dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><div>Which kind of calls their credibility into =
question. HALF the 'CAs' in their graph are from the DFN root. You can =
check that out for yourself, it is a German CA that issues certs to =
higher education institutions. As has been demonstrated (and agreed by =
the EFF people), DFN do not sign certs for key signing keys they do not =
hold.</div>
<div><br></div><div>You can't calculate the number of CAs the way the =
EFF tried to. An intermediate certificate does not equate to a CA. =
Pretending it does to peddle an alternative PKI scheme calls into =
question their veracity.</div>
<div><br></div><div>I have tried to get members of the EFF board to look =
into this but they never get back. Too much trouble to get it =
right.</div></div></div></div></blockquote></div><div><div =
dir=3D"ltr"><div class=3D"gmail_extra">
<div class=3D"gmail_quote"><div><br></div><div>OK, in order for me to =
correct this in the paper I need the following =
information:</div><div><br></div><div>1. A link to who "DFN" =
is.</div><div>2. A 'yes' or 'no' as to whether DFN is a root cert that =
browsers are shipped with (and details about this, like, do all 3 major =
browsers include DFN?)</div>
<div>3. A link to a paper, a blog post, or an article somewhere that =
describes in detail your side of the =
argument</div><div><br></div><div>Let me emphasize that none of this =
ultimately matters to the points that were made in the paper.</div>
<div><br></div><div>Whether the number is 600+ or 300+, it's still an =
<u>insecure</u>, <u>broken</u> mess.</div><div =
class=3D"im"><div><br></div><div><blockquote type=3D"cite"><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">
I was under the impression that Bitcoin was the preferred currency of =
libertopia. It is the only one that gets mention in the mainstream =
press. It is not clear to me how namecoin can be part of BitCoin and =
another currency.</div>
</div></div></blockquote></div></div><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">I'll be happy to clear this up:</div><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">
- Bitcoin is not the "market leader" of distributed DNS systems. =
Namecoin is.</div></div></div></div></div></div></div></div><div>- =
Namecoin and Bitcoin are designed with completely different goals in =
mind. They are not competitors.</div>
<div>- Namecoin is not intended to be a bitcoin replacement, nor the =
other way around. It is not like "litecoin" or any of the other bitcoin =
competitors, because it is not a competitor to bitcoin.</div><div =
class=3D"im">
<div><br></div><div><blockquote type=3D"cite"><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote">Gold Age, eGold, =
Liberty Reserve. All the ones that were taken apart by the =
Feds.</div></div></div></blockquote>
</div></div><div><div dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">I'll be happy =
to clear this up too:</div><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">
<b><u>None of these are comparable to Bitcoin or =
Namecoin.</u></b></div><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">Neither "Gold Age", nor "eGold", nor "Liberty =
Reserve" were truly decentralized, distributed currencies.</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">- "Gold =
Age" was not a currency:&nbsp;<a =
href=3D"https://en.wikipedia.org/wiki/Gold_Age" =
target=3D"_blank">https://en.wikipedia.org/wiki/Gold_Age</a></div><div =
class=3D"gmail_quote">
- eGold: <u>Centralized currency</u> with no&nbsp;<a =
href=3D"https://en.wikipedia.org/wiki/E-gold#Aftermath" =
target=3D"_blank">"reliable user identification"</a>&nbsp;(not a problem =
with Bitcoin or Namecoin)</div></div></div>
</div><div>- Liberty Reserve: <u>Centralized currency</u>&nbsp;<a =
href=3D"https://en.wikipedia.org/wiki/Liberty_Reserve#Background" =
target=3D"_blank">https://en.wikipedia.org/wiki/Liberty_Reserve#Background=
</a></div><div><br></div>
<div>People who are standing back and scratching their heads, wondering =
why Bitcoin is still around after years of being used to purchase =
illegal drugs, murder-for-hire, and weapons (continuing to this day =
btw), simply don't understand what Bitcoin is.</div>
<div class=3D"im"><div><br></div><div><blockquote type=3D"cite"><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">I =
might be a little more inclined to make an effort if you hadn't attacked =
me as being 'fraudulent' in your opening.</div>
</div></div></blockquote></div></div><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">Do you represent a company that sells SSL certs? =
It seems like you might:</div>
<div class=3D"gmail_quote"><br></div></div></div></div><blockquote =
style=3D"margin:0 0 0 40px;border:none;padding:0px"><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><i>During twelve years =
as Principal Scientist at VeriSign Inc.,</i></div>
</div></div></blockquote><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">Perhaps the paper is a bit harsh (and I welcome =
suggestions to improve its language), but the critiques it levies =
against companies that sell SSL certs are completely valid:</div>
<div class=3D"gmail_quote"><br></div></div></div></div><blockquote =
style=3D"margin:0 0 0 40px;border:none;padding:0px"><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote">Companies that sell SSL =
certificates usually claim that their certificates provide customers =
with =93security.=94 Customers are led to believe that these =
certificates protect browser-server communication =
from&nbsp;eavesdropping and tampering. As elaborated in this paper, this =
simply isn=92t true today.</div>
</div></div></blockquote><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">I have to say, that among the cert companies =
websites that I looked at, VeriSign's homepage makes the fewest claims =
about the security protections it provides.</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">The =
words "usually claim" leaves room for exceptions. I could not find, on =
the customer-facing pages on VeriSign's site, any claims that VeriSign's =
SSL certs "protect browser-server communication from&nbsp;eavesdropping =
and tampering."</div>
<div class=3D"gmail_quote"><br></div></div></div></div><div><div =
dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">Some =
close calls are:</div><div =
class=3D"gmail_quote"><br></div></div></div></div><blockquote =
style=3D"margin:0 0 0 40px;border:none;padding:0px">
<div><div dir=3D"ltr"><div class=3D"gmail_extra"><div =
class=3D"gmail_quote"><i>In short, when it comes to securing online =
transactions, safeguarding=20
customer information, and protecting business reputation, you're only as
 safe as the Certificate Authority you choose.</i></div><div =
class=3D"gmail_quote"><a =
href=3D"https://www.symantec.com/ssl-certificates-advantages" =
target=3D"_blank">https://www.symantec.com/ssl-certificates-advantages</a>=
</div>
</div></div></div></blockquote><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div =
class=3D"gmail_quote"><br></div></div></div></div><blockquote =
style=3D"margin:0 0 0 40px;border:none;padding:0px"><div dir=3D"ltr"><div =
class=3D"gmail_extra">
<div class=3D"gmail_quote"><i><strong>Customers Gain Confidence with the =
Green Address Bar:</strong> Online shoppers recognize the green address =
bar as an easy and reliable way to verify the site identity and =
security.</i></div>
<div class=3D"gmail_quote"><a =
href=3D"https://www.symantec.com/verisign/ssl-certificates/secure-site-pro=
-ev?fid=3Dssl-certificates" =
target=3D"_blank">https://www.symantec.com/verisign/ssl-certificates/secur=
e-site-pro-ev?fid=3Dssl-certificates</a></div>
</div></div></blockquote><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">VeriSign's SSL certificates do not provide =
websites with <i>meaningful protection</i>&nbsp;as defined in the DNSNMC =
paper because they cannot be securely authenticated in the face of a =
fraudulent certificate that's presented to customers by a MITM.</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">If your =
certs can simply be replaced by any of the other CAs out there, then =
<b><u>*</u></b><b style=3D"text-decoration:underline">all*</b> of the =
security they provide is thrown out the window.</div>
<div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote">Furthermore, because VeriSign is a random =
third-party, not the company that user's visit when they visit a site =
using VeriSign's certificate, the protection offered by that certificate =
is inherently inferior to a securely authenticated self-signed =
certificate.</div>
<div class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">This is =
simply mathematics, and not a point that's up for debate.</div><div =
class=3D"gmail_quote"><br></div><div class=3D"gmail_quote">When trust is =
distributed across more parties, that trust is diluted because it now =
depends on the least secure of those parties.</div>
<div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote"><i>Sidenote:</i></div></div></div></div><div><br></d=
iv><div>It seems like I was sent "to the sharks" so to speak (perhaps as =
a practical joke?).</div><div>
<br></div><div>So far almost half of the replies to this thread have =
come from representatives of SSL companies.</div><div><br></div><div>The =
hostility is therefore no surprise.</div><div><br></div><div><div =
class=3D"im">
<div>--<br>Please do not email me anything that you are =
not&nbsp;comfortable also sharing with the NSA.<br>

</div>
<br></div><div><div><div class=3D"h5"><div>On Dec 15, 2013, at 9:21 PM, =
Phillip Hallam-Baker &lt;<a href=3D"mailto:hallam@gmail.com" =
target=3D"_blank">hallam@gmail.com</a>&gt; =
wrote:</div><br></div></div><blockquote type=3D"cite">
<div><div class=3D"h5"><div dir=3D"ltr"><br><div =
class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Sun, Dec 15, =
2013 at 8:50 PM, Tao Effect <span dir=3D"ltr">&lt;<a =
href=3D"mailto:contact@taoeffect.com" =
target=3D"_blank">contact@taoeffect.com</a>&gt;</span> wrote:<br>

<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex"><div =
style=3D"word-wrap:break-word"><div><blockquote type=3D"cite"><div =
dir=3D"ltr"><div class=3D"gmail_extra">And for someone who is accusing =
others of being 'fraudulent', not a good move to start off repeating =
figures already exposed as bogus like the oft repeated but still untrue =
claim of 600 CAs.</div>

</div></blockquote></div><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><br></div><div class=3D"gmail_extra">I thought the =
EFF was a reputable source.</div><div class=3D"gmail_extra"><br></div><div=
 class=3D"gmail_extra">There has been no update or correction to their =
post:&nbsp;<a =
href=3D"https://www.eff.org/deeplinks/2011/10/how-secure-https-today" =
target=3D"_blank">https://www.eff.org/deeplinks/2011/10/how-secure-https-t=
oday</a></div>

</div></div></div></blockquote><div><br></div><div>Which kind of calls =
their credibility into question. HALF the 'CAs' in their graph are from =
the DFN root. You can check that out for yourself, it is a German CA =
that issues certs to higher education institutions. As has been =
demonstrated (and agreed by the EFF people), DFN do not sign certs for =
key signing keys they do not hold.</div>

<div><br></div><div>You can't calculate the number of CAs the way the =
EFF tried to. An intermediate certificate does not equate to a CA. =
Pretending it does to peddle an alternative PKI scheme calls into =
question their veracity.</div>

<div><br></div><div>I have tried to get members of the EFF board to look =
into this but they never get back. Too much trouble to get it =
right.</div><div><br></div><div><br></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex">

<div style=3D"word-wrap:break-word"><div><blockquote type=3D"cite"><div =
dir=3D"ltr"><div class=3D"gmail_extra">Tying the notary log to namecoin =
seems to be completely pointless to me, unless the real objective is to =
promote namecoin. Why hook into namecoin rather than the market =
leader?&nbsp;</div>

</div></blockquote></div><div><div dir=3D"ltr"><div =
class=3D"gmail_extra"><br></div><div class=3D"gmail_extra">What market =
leader?</div></div></div></div></blockquote><div><br></div><div>I was =
under the impression that Bitcoin was the preferred currency of =
libertopia. It is the only one that gets mention in the mainstream =
press. It is not clear to me how namecoin can be part of BitCoin and =
another currency.</div>

<div><br></div><div>&nbsp;</div><blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px =
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left=
-style:solid;padding-left:1ex"><div style=3D"word-wrap:break-word">
<div><blockquote type=3D"cite"><div dir=3D"ltr">
<div class=3D"gmail_extra">Given the success of the US government in =
shutting down eGold type schemes I am very skeptical about the stability =
of 'namecoin'. If we accept the purported scenarios that motivate the =
scheme then namecoin won't last very long.</div>

</div></blockquote><br></div><div>What eGold scheme are you comparing =
Namecoin to?</div></div></blockquote><div><br></div><div>Gold Age, =
eGold, Liberty Reserve. All the ones that were taken apart by the =
Feds.</div><div>
<br></div><div>&nbsp;</div><blockquote class=3D"gmail_quote" =
style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex"><div style=3D"word-wrap:break-word"><div>Are you =
sure you know what you're talking about here...? ;-)</div>

</div></blockquote><div><br></div><div>I must admit that I find the =
scheme completely confused and assumes that I know a lot that I do =
not.</div><div><br></div><div>I might be a little more inclined to make =
an effort if you hadn't attacked me as being 'fraudulent' in your =
opening.</div>

<div>&nbsp;</div></div><div><br></div>-- <br>Website: <a =
href=3D"http://hallambaker.com/" =
target=3D"_blank">http://hallambaker.com/</a><br>
</div></div></div></div><div class=3D"im">
_______________________________________________<br>therightkey mailing =
list<br><a href=3D"mailto:therightkey@ietf.org" =
target=3D"_blank">therightkey@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/therightkey" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/therightkey</a><br=
>
</div></blockquote></div><br></div></div></blockquote></div><br><br =
clear=3D"all"><div><br></div>-- <br>Website: <a =
href=3D"http://hallambaker.com/">http://hallambaker.com/</a><br>
</div></div></div>
</blockquote></div><br></div></blockquote></div><br></div></div>=
</blockquote></div><br></div></div></body></html>=

--Apple-Mail=_30F5A43B-78E5-445E-B51A-ED6B9E62A891--

--Apple-Mail=_1452B3D6-D97E-4210-89F0-0E2A3F861587--


From contact@taoeffect.com  Sat Dec 21 18:05:02 2013
From: Tao Effect <contact@taoeffect.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_E71B3E47-A159-4E75-A7C9-6DCE516F39B8"; protocol="application/pgp-signature"; micalg=pgp-sha512
Message-Id: <4E36BCFE-59CC-4709-ACA2-B0800AA4140A@taoeffect.com>
Date: Sat, 21 Dec 2013 21:04:52 -0500
To: "therightkey@ietf.org" <therightkey@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
X-Mailer: Apple Mail (2.1827)
Subject: [therightkey] Transitioning the web to Namecoin/DNSNMC by addressing name-squatters

--Apple-Mail=_E71B3E47-A159-4E75-A7C9-6DCE516F39B8
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_5858F9B7-8690-43C2-A6B2-4F7AE4F98860"


--Apple-Mail=_5858F9B7-8690-43C2-A6B2-4F7AE4F98860
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

From the proposal [1]:

The only criticism of relevance that I have received (so far) from those
reviewing DNSNMC is that people do not like domain squatters and
therefore do not want to switch to a system where all the existing
trademarked and copyrighted names have already been registered:

https://www.reddit.com/r/netsec/comments/1t20wi/therightkey_dnsnmc_deprecates_certificate/ce45865
http://lists.randombit.net/pipermail/cryptography/2013-December/005959.html
http://lists.randombit.net/pipermail/cryptography/2013-December/005960.html

I think this is one of the main things that is holding Namecoin back
from widespread adoption, and therefore we must address this issue.

Herein I propose a very simple method to address this problem:

namecoind must be modified to give existing TLDs special treatment in a
way that paves for a smooth transition from today's DNS, to a
Namecoin-based DNS like DNSNMC.

New namespaces will be created for each of today's TLDs, and only the
owners of those domains (in the deprecated, old DNS system) can register
them. For example, only the owners of apple.com can register com/apple,
etc. Proof of ownership is done by special NMC DNS records that contain
the owner's cryptographic signature/fingerprint. When Namecoin clients
receive a notification that someone wants to register a domain in the
com namespace, they check the JSON request to verify that it was signed
by the same signature that appears in the old DNS records. If they
match, the registration request is accepted and added to their local
blockchain. If it does not match, the request is discarded. Similarly,
the namecoin client itself will perform this check locally before
sending out the request to other peers (to provide instant feedback to
users attempting to register something that doesn't belong to them).

Thoughts?

[1]: http://dot-bit.org/forum/viewtopic.php?f=5&t=1439

--
Please do not email me anything that you are not comfortable also
sharing with the NSA.


--Apple-Mail=_5858F9B7-8690-43C2-A6B2-4F7AE4F98860--

--Apple-Mail=_E71B3E47-A159-4E75-A7C9-6DCE516F39B8--
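
The registration check proposed in the message above, sketched as an added example that is not part of the original post or of namecoind. The `nmc-owner=` TXT record format, the request fields and the reserved-TLD list are assumptions, and Lamport one-time signatures over SHA-256 stand in for the owner's real key type so that the block needs only the standard library.

```python
import hashlib
import json
import re
import secrets

RESERVED_TLDS = {"com", "net", "org"}   # assumed subset of "today's TLDs"
TXT_PREFIX = "nmc-owner="               # hypothetical legacy-DNS TXT record format
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signatures: a stand-in for the owner's real key type.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(pk) != 256 or len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


def fingerprint(pk) -> str:
    return H(b"".join(a + b for a, b in pk)).hex()


def signed_payload(name, value) -> bytes:
    # Canonical bytes covered by the signature, identical on both sides.
    return json.dumps({"name": name, "value": value},
                      sort_keys=True, separators=(",", ":")).encode()


def make_request(sk, pk, name, value) -> str:
    sig = sign(sk, signed_payload(name, value))
    return json.dumps({"name": name, "value": value,
                       "pubkey": [[a.hex(), b.hex()] for a, b in pk],
                       "sig": [s.hex() for s in sig]})


def validate_registration(raw: str, txt_lookup) -> str:
    """Return 'accept', 'unrestricted: ...' or 'discard: ...' for one request."""
    try:
        req = json.loads(raw)
        name, value = req["name"], req["value"]
        if not isinstance(name, str):
            raise TypeError("name must be a string")
        pk = [(bytes.fromhex(a), bytes.fromhex(b)) for a, b in req["pubkey"]]
        sig = [bytes.fromhex(s) for s in req["sig"]]
    except (ValueError, KeyError, TypeError):
        return "discard: malformed request"
    namespace, _, label = name.partition("/")
    if namespace not in RESERVED_TLDS:
        return "unrestricted: ordinary namespace"
    if not LABEL_RE.fullmatch(label):
        return "discard: malformed name"
    domain = f"{label}.{namespace}"          # com/apple -> apple.com
    published = {t[len(TXT_PREFIX):].strip().lower()
                 for t in txt_lookup(domain) if t.startswith(TXT_PREFIX)}
    if fingerprint(pk) not in published:
        return "discard: key not published in legacy DNS"
    if not verify(pk, signed_payload(name, value), sig):
        return "discard: bad signature"
    return "accept"


def demo():
    owner_sk, owner_pk = keygen()
    # Constructed stand-in for the legacy zone data of apple.com.
    zone = {"apple.com": ["v=spf1 -all", TXT_PREFIX + fingerprint(owner_pk)]}
    check = lambda raw: validate_registration(raw, lambda d: zone.get(d, []))
    good = make_request(owner_sk, owner_pk, "com/apple", {"ip": "192.0.2.10"})
    tampered = json.loads(good)
    tampered["value"] = {"ip": "203.0.113.5"}    # owner's key and signature, new value
    return {
        "owner": check(good),
        "squatter": check(make_request(*keygen(), "com/apple", {"ip": "203.0.113.5"})),
        "tampered": check(json.dumps(tampered)),
        "no_record": check(make_request(*keygen(), "org/example", {})),
        "other_ns": check(make_request(*keygen(), "d/example", {})),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The lookup is injected so the verdict depends only on the request and the records supplied; how peers would agree on the legacy DNS answer is outside what the message specifies.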

From contact@taoeffect.com  Sat Dec 21 18:46:27 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_050B9239-D80E-41F1-B0C4-DDF2507108DE"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <20131222021208.GD23277@mail2.eff.org>
Date: Sat, 21 Dec 2013 21:46:17 -0500
Message-Id: <E418A329-1937-4CE2-BFBD-66AEAA3EEF43@taoeffect.com>
References: <4E36BCFE-59CC-4709-ACA2-B0800AA4140A@taoeffect.com> <20131222021208.GD23277@mail2.eff.org>
To: Seth Schoen <schoen@eff.org>
X-Mailer: Apple Mail (2.1827)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Transitioning the web to Namecoin/DNSNMC by addressing name-squatters

--Apple-Mail=_050B9239-D80E-41F1-B0C4-DDF2507108DE
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

On Dec 21, 2013, at 9:12 PM, Seth Schoen <schoen@eff.org> wrote:

> Sovereign Keys (which has similar aims to Namecoin) has a similar
> mechanism to this, and for the same reasons.

Nice! :-)

Correct me if I'm wrong though, but from what I remember when I
researched Sovereign Keys, that system still preserves today's CAs, is
that correct?

In other words, people still have to pay money every year to random
third parties to keep themselves secure?

Is that correct?

--
Please do not email me anything that you are not comfortable also
sharing with the NSA.

On Dec 21, 2013, at 9:12 PM, Seth Schoen <schoen@eff.org> wrote:

> Tao Effect writes:
>
>> namecoind must be modified to give existing TLDs special treatment in
>> a way that paves for a smooth transition from today's DNS, to a
>> Namecoin-based DNS like DNSNMC.
>>
>> New namespaces will be created for each of today's TLDs, and only the
>> owners of those domains (in the deprecated, old DNS system) can
>> register them. For example, only the owners of apple.com can register
>> com/apple, etc. Proof of ownership is done by special NMC DNS records
>> that contain the owner's cryptographic signature/fingerprint. When
>> Namecoin clients receive a notification that someone wants to
>> register a domain in the com namespace, they check the JSON request
>> to verify that it was signed by the same signature that appears in
>> the old DNS records. If they match, the registration request is
>> accepted and added to their local blockchain. If it does not match,
>> the request is discarded. Similarly, the namecoin client itself will
>> perform this check locally before sending out the request to other
>> peers (to provide instant feedback to users attempting to register
>> something that doesn't belong to them).
>>
>> Thoughts?
>
> Sovereign Keys (which has similar aims to Namecoin) has a similar
> mechanism to this, and for the same reasons.  The SK idea is that an
> initial registration of a name in SK should include cryptographic
> proof of ownership of the name according to the conventional Internet
> naming systems (via a cryptographic binding to PKIX or DNSSEC).
>
> "Claiming a key for a name requires evidence of control in the DNS
> (either a CA-signed certificate or a key published by DANE DNSSEC)."
>
> https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-key-design.txt;hb=master
>
> --
> Seth Schoen  <schoen@eff.org>
> Senior Staff Technologist                       https://www.eff.org/
> Electronic Frontier Foundation                  https://www.eff.org/join
> 815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107


--Apple-Mail=_050B9239-D80E-41F1-B0C4-DDF2507108DE--

From jacob@appelbaum.net  Mon Dec 23 10:33:39 2013
Message-ID: <52B88104.9040607@appelbaum.net>
Date: Mon, 23 Dec 2013 18:29:24 +0000
From: Jacob Appelbaum <jacob@appelbaum.net>
MIME-Version: 1.0
To: therightkey@ietf.org, Seth David Schoen <schoen@eff.org>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>
In-Reply-To: <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>
OpenPGP: id=4193A197
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Phillip Hallam-Baker:
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
> 
>> And for someone who is accusing others of being 'fraudulent', not a good
>> move to start off repeating figures already exposed as bogus like the oft
>> repeated but still untrue claim of 600 CAs.
>>
>>
>> I thought the EFF was a reputable source.
>>
>> There has been no update or correction to their post:
>> https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>
> 
> Which kind of calls their credibility into question.

No, I don't think so, actually.

> HALF the 'CAs' in
> their graph are from the DFN root. You can check that out for yourself, it
> is a German CA that issues certs to higher education institutions. As has
> been demonstrated (and agreed by the EFF people), DFN do not sign certs for
> key signing keys they do not hold.

Their count isn't off simply because you want to reduce a large number
of keys into a single entity.

> 
> You can't calculate the number of CAs the way the EFF tried to. An
> intermediate certificate does not equate to a CA. Pretending it does to
> peddle an alternative PKI scheme calls into question their veracity.
> 

I disagree strongly. I have an intermediate certificate. I am as
powerful CA as a result.

Please also see these estimates which are even higher:

https://zakird.com/slides/durumeric-https-imc13.pdf

"Identified 1,832 CA certificates  belonging to 683 organizations"
"311 (45%) of the organizations were provided certificates by
German National Research and Education Network (DFN) "

http://link.springer.com/chapter/10.1007%2F978-3-642-39884-1_28

"More than 1200 root and intermediate CAs can currently sign
certificates for any domain and be trusted by popular browsers."

> I have tried to get members of the EFF board to look into this but they
> never get back. Too much trouble to get it right.

I've cc'ed Seth Schoen from the EFF - I'd be surprised if he had no
response.

Later you said:

> 1) Failing to examine the issue when the DFN root accounted for half of the
> purported '600 CAs'
> 

Other estimates appear to be much higher than the EFF count. What is
your qualification for what counts as a CA? For example - Debian
GNU/Linux ships with one set of ca-certificates, Chrome on Windows ships
with another, heck Microsoft even adds new CA certs dynamically, right?
So what is your metric exactly?

> 2) Continuing to count the DFN as 300 CAs when they know it is one.

The number matters because it isn't just an issue of control over a
single signing key. I'd be interested to hear how many of those
CAs/sub-CAs are able to sign leaf certificates.


All the best,
Jacob

From holz@net.in.tum.de  Fri Dec 27 02:06:34 2013
Message-ID: <52BD511F.4040005@net.in.tum.de>
Date: Fri, 27 Dec 2013 11:06:23 +0100
From: Ralph Holz <holz@net.in.tum.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: therightkey@ietf.org, schoen@eff.org
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net>
In-Reply-To: <52B88104.9040607@appelbaum.net>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Hi,

[The EFF's count]

>> You can't calculate the number of CAs the way the EFF tried to. An
>> intermediate certificate does not equate to a CA. Pretending it does to
>> peddle an alternative PKI scheme calls into question their veracity.
>>
> 
> I disagree strongly. I have an intermediate certificate. I am as
> powerful CA as a result.
> Please also see these estimates which are even higher:
> 
> https://zakird.com/slides/durumeric-https-imc13.pdf
> 
> "Identified 1,832 CA certificates  belonging to 683 organizations"
> "311 (45%) of the organizations were provided certificates by
> German National Research and Education Network (DFN) "

I was there at IMC and spoke with Zakir. He was not aware of the fact
that the private keys to all the intermediate certificates are held by
the central DFN Verein, not the RAs themselves. In the case of DFN, the
intermediate certs only identify the RAs. The RAs do not carry signing
power.

It is the same at TUM, where I work, BTW.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF

From rob.stradling@comodo.com  Tue Dec 31 06:31:55 2013
Message-ID: <52C2D54F.8000209@comodo.com>
Date: Tue, 31 Dec 2013 14:31:43 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Jacob Appelbaum <jacob@appelbaum.net>, therightkey@ietf.org,  Seth David Schoen <schoen@eff.org>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net>
In-Reply-To: <52B88104.9040607@appelbaum.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

On 23/12/13 18:29, Jacob Appelbaum wrote:
> Phillip Hallam-Baker:
<snip>
>> You can't calculate the number of CAs the way the EFF tried to. An
>> intermediate certificate does not equate to a CA. Pretending it does to
>> peddle an alternative PKI scheme calls into question their veracity.
>
> I disagree strongly. I have an intermediate certificate. I am as
> powerful CA as a result.

Jake, you're only that powerful if you control the intermediate private key.

<snip>
> Other estimates appear to be much higher than the EFF count. What is
> your qualification for what counts as a CA? For example - Debian
> GNU/Linux ships with one set of ca-certificates, Chrome on Windows ships
> with another, heck Microsoft even adds new CA certs dynamically, right?
> So what is your metric exactly?

I would prefer to count the number of distinct organizations that 
control at least 1 private key that is associated with at least 1 
non-Name-Constrained root or intermediate certificate that chains to (or 
is) a root in the Microsoft, Mozilla and/or Apple root store and which 
can issue certs that are trusted for Server Authentication.

It's not possible to measure this purely by examining the body of 
root/intermediate certificates that are known to exist (although this 
body of certificates is of course useful for cross-referencing).

>> 2) Continuing to count the DFN as 300 CAs when they know it is one.
>
> The number matters because it isn't just an issue of control over a
> single signing key. I'd be interested to hear how many of those
> CAs/sub-CAs are able to sign leaf certificates.

All of the DFN Sub-CAs are able to sign leaf certificates, but it is 
_only_ DFN that controls the private keys that would be used to sign 
these leaf certificates.  The various German universities are 
essentially only RAs, even though they are named as the Subjects of the 
intermediate certificates.

Many Sub-CA certificates issued by major commercial Root CAs exist 
purely for branding reasons.  i.e. the Subject is at most an RA, and 
sometimes only a Reseller.

On the other hand, if there are still any RAs/Resellers that control 
root or intermediate private keys, then by my metric they should be 
counted as CAs.

My gut feeling is that the real number (by my metric) is likely to be a 
lot nearer to 60 than to 600.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
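
The counting metric proposed in the message above, worked through as an added example (not code from any poster in this thread). All certificate names, organizations and the `key_holder` field are constructed; `key_holder` stands for out-of-band knowledge such as audit or CA disclosures, which is exactly the information a certificate does not carry. Treating an EKU on an intermediate as limiting everything below it is an assumption modelled on root-program practice.

```python
from dataclasses import dataclass
from typing import Optional

SERVER_AUTH = "serverAuth"

@dataclass(frozen=True)
class CACert:
    name: str                 # label for this CA certificate
    subject_org: str          # organization named in the Subject
    key_holder: str           # who controls the private key (NOT in the cert)
    issuer: Optional[str]     # name of the issuing cert; None for a root
    name_constrained: bool = False
    eku: tuple = ()           # empty tuple means no EKU restriction

# Constructed sample: a research network that holds the keys for its
# member universities, a branding-only sub-CA, and some excluded cases.
CERTS = [
    CACert("RootA", "Root A Inc", "Root A Inc", None),
    CACert("ResearchNet CA", "ResearchNet", "ResearchNet", "RootA"),
    CACert("Uni One CA", "University One", "ResearchNet", "ResearchNet CA"),
    CACert("Uni Two CA", "University Two", "ResearchNet", "ResearchNet CA"),
    CACert("BrandX CA", "Reseller X", "Root A Inc", "RootA"),
    CACert("Ext CA", "Externally Operated", "Externally Operated", "RootA"),
    CACert("Corp CA", "Corp Y", "Corp Y", "RootA", name_constrained=True),
    CACert("Mail CA", "Mail Z", "Mail Z", "RootA", eku=("emailProtection",)),
    CACert("Orphan CA", "Nobody", "Nobody", "UntrustedRoot"),
]
TRUSTED_ROOTS = {"RootA"}     # stand-in for a browser/OS root store

def chain(cert, by_name):
    """Path from cert up to its root, or None if the chain is broken or loops."""
    path, seen = [], set()
    while cert is not None and cert.name not in seen:
        seen.add(cert.name)
        path.append(cert)
        if cert.issuer is None:
            return path
        cert = by_name.get(cert.issuer)
    return None

def in_scope(cert, by_name, roots):
    """Chains to a trusted root, unconstrained, usable for server auth."""
    path = chain(cert, by_name)
    if path is None or path[-1].name not in roots:
        return False
    if any(c.name_constrained for c in path):   # constraints apply down the path
        return False
    return all(not c.eku or SERVER_AUTH in c.eku for c in path)

def count_cas(certs, roots):
    """Return (orgs named as Subjects, orgs that actually hold keys)."""
    by_name = {c.name: c for c in certs}
    hits = [c for c in certs if in_scope(c, by_name, roots)]
    return {c.subject_org for c in hits}, {c.key_holder for c in hits}
```

On this sample, counting Subjects yields six organizations while counting key holders yields three, the same kind of gap the thread describes for DFN.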

