From NoelHeinritz@snet.net Wed Aug 1 09:57:58 2012
Return-Path:
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE0CA11E8151 for ; Wed, 1 Aug 2012 09:57:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -46.033
X-Spam-Level:
X-Spam-Status: No, score=-46.033 tagged_above=-999 required=5 tests=[BAYES_99=3.5, DATE_IN_PAST_06_12=1.069, HTML_MESSAGE=0.001, J_CHICKENPOX_84=0.6, RATWARE_MS_HASH=1.398, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, URIBL_BLACK=20, URIBL_JP_SURBL=10, URIBL_PH_SURBL=1.787, URIBL_WS_SURBL=10, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HiZ6PseyFxoa for ; Wed, 1 Aug 2012 09:57:56 -0700 (PDT)
Received: from wooltex.plus.com (wooltex.plus.com [80.229.34.150]) by ietfa.amsl.com (Postfix) with ESMTP id B552511E80FD for ; Wed, 1 Aug 2012 09:57:54 -0700 (PDT)
Received: from wooltex.plus.com by snetmx5.prodigy.net; Wed, 1 Aug 2012 05:58:03 +0000
From:
To:
Subject: Fwd: Wire Transfer Confirmation (FED 66357GI742)
Date: Wed, 1 Aug 2012 05:58:03 +0000
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0B4F_01CD7006.D080F780"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQK4sTlxC8eqfkHARJDWPwTbmUynl5==
Content-Language: en

------=_NextPart_000_0B4F_01CD7006.D080F780
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear Bank Account Operator,

WIRE TRANSFER: WRE-1866080024982472
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

------=_NextPart_000_0B4F_01CD7006.D080F780
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Dear Bank Account Operator,


WIRE TRANSFER: WRE-1866080024982472
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

------=_NextPart_000_0B4F_01CD7006.D080F780--

From tidbitwds8@mailer.booking.com Tue Aug 7 08:53:00 2012
Return-Path:
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BA7D21F8734 for ; Tue, 7 Aug 2012 08:53:00 -0700 (PDT)
X-Quarantine-ID:
X-Amavis-Modified: Mail body modified (defanged) by ietfa.amsl.com
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BANNED, message contains part: multipart/mixed | application/zip,.zip,FedEx-Tracking_Notification-08_2012187396093626.zip | .exe,.exe-ms,FedEx-Tracking_Information-08_2012.exe
X-Spam-Flag: NO
X-Spam-Score: -89.753
X-Spam-Level:
X-Spam-Status: No, score=-89.753 tagged_above=-999 required=5 tests=[AWL=1.686, BAYES_50=0.001, GB_VISITOURSITE=2, HELO_EQ_DYNAMIC=1.144, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, HTML_MESSAGE=0.001, RCVD_IN_NJABL_PROXY=1.643, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1, T_TVD_FW_GRAPHIC_ID1=0.01, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ntqpGja0yqMM for ; Tue, 7 Aug 2012 08:52:59 -0700 (PDT)
Content-Type: multipart/mixed; boundary="----------=_1344354780-13308-0"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
Subject: FedEx Tracking Notification #525188110635 - Tue, 7 Aug 2012 16:52:45 +0100
Received: from host46-144-dynamic.53-82-r.retail.telecomitalia.it (host46-144-dynamic.53-82-r.retail.telecomitalia.it [82.53.144.46]) by ietfa.amsl.com (Postfix) with ESMTP id 4180521F8716 for ; Tue, 7 Aug 2012 08:52:47 -0700 (PDT)
Received: from prh00393.prod.fedex.com (prh00393.prod.fedex.com [199.81.10.49]) by mx22.infosec.fedex.com (FedEx MX) with SMTP id 19.HJ.18699.9QC2YGLX; Tue, 7 Aug 2012 16:52:45 +0100
Received: from fn3nds1.prod.fedex.com (fn3nds1.prod.fedex.com [161.135.24.32]) by prh00393.prod.fedex.com (Sentrion-MTA-4.2.0/Sentrion-MTA-4.2.0) with ESMTP id q0KE2Gpx018078; Tue, 7 Aug 2012 16:52:45 +0100
Received: from fn3nds1.prod.fedex.com (localhost.localdomain [127.0.0.1]) by fn3nds1.prod.fedex.com (8.13.1/8.13.1) with ESMTP id q195HVux596229; Tue, 7 Aug 2012 16:52:45 +0100
From: From@ietfa.amsl.com:"notification@fedex.com"
To:
Date: Tue, 7 Aug 2012 16:52:45 +0100
Message-ID: <732180069.355689577884889241154.JavaMail.nds@fn3nds1.prod.fedex.com>
Reply-To: "trackinmail@fedex.com"

This is a multi-part message in MIME format...

------------=_1344354780-13308-0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

WARNING: contains banned part

------------=_1344354780-13308-0
Content-Type: message/rfc822; x-spam-type=original; name="message"
Content-Disposition: attachment; filename="message"
Content-Transfer-Encoding: 7bit
Content-Description: Original message

Return-Path:
Received: from host46-144-dynamic.53-82-r.retail.telecomitalia.it (host46-144-dynamic.53-82-r.retail.telecomitalia.it [82.53.144.46]) by ietfa.amsl.com (Postfix) with ESMTP id 4180521F8716 for ; Tue, 7 Aug 2012 08:52:47 -0700 (PDT)
Received: from prh00393.prod.fedex.com (prh00393.prod.fedex.com [199.81.10.49]) by mx22.infosec.fedex.com (FedEx MX) with SMTP id 19.HJ.18699.9QC2YGLX; Tue, 7 Aug 2012 16:52:45 +0100
Received: from fn3nds1.prod.fedex.com (fn3nds1.prod.fedex.com [161.135.24.32]) by prh00393.prod.fedex.com (Sentrion-MTA-4.2.0/Sentrion-MTA-4.2.0) with ESMTP id q0KE2Gpx018078; Tue, 7 Aug 2012 16:52:45 +0100
Received: from fn3nds1.prod.fedex.com (localhost.localdomain [127.0.0.1]) by fn3nds1.prod.fedex.com (8.13.1/8.13.1) with ESMTP id q195HVux596229; Tue, 7 Aug 2012 16:52:45 +0100
From: From: "notification@fedex.com"
To:
Subject: FedEx Tracking Notification #525188110635 - Tue, 7 Aug 2012 16:52:45 +0100
Date: Tue, 7 Aug 2012 16:52:45 +0100
MIME-Version: 1.0
Message-ID: <732180069.355689577884889241154.JavaMail.nds@fn3nds1.prod.fedex.com>
Reply-To: "trackinmail@fedex.com"
Content-Type: multipart/mixed; boundary="----=a__zsdmgrvrs_69_47_01"

------=a__zsdmgrvrs_69_47_01
Content-Type: multipart/alternative; boundary="----=_zsdmgrvrs_69_47_01"

------=_zsdmgrvrs_69_47_01
Content-Type: text/plain; charset="windows-1250"
Content-Transfer-Encoding: quoted-printable

Ship (P/U) Date: 08/06/2012
Tracking Nbr Est. Delvry Svc Sender Company Name ST Ctry Nbr Pcs Status +
330933254778 Aug08 SO Zinzino AB NY US 1 At FedEx destination facility
Total Pieces: 1
Total Weight: 2.00 lb. (1.00 kg.)

Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 1:034 AM CST on 08/06/2012.

To track the latest status of your shipment please refer to attached file or visit us at fedex.com.

All weights are estimated. Shipments delayed because of Customs or other regulatory delays are not subject to refund or credit under the FedEx Money-Back Guarantee. Also, InSight information (including without limitation, Estimated Delivery) may not be used as a basis for filing a Money-Back Guarantee claim. See the FedEx InSight License Agreement for more details. For more information, please contact your FedEx Customer Support representative.

+ Delivered on an IPD/IDF master airwaybill means 'the shipment has been released for delivery'.

To learn more about FedEx, please visit our website at fedex.com.

Thank you for your business.

------=_zsdmgrvrs_69_47_01
Content-Type: text/html; charset="windows-1250"
Content-Transfer-Encoding: quoted-printable

Ship (P/U) Date: 08/06/2012
Tracking Nbr Est. Delvry Svc Sender Company Name ST Ctry Nbr Pcs Status +
330933254778 Aug08 SO Zinzino AB NY US 1 At FedEx destination facility
Total Pieces: 1
Total Weight: 2.00 lb. (1.00 kg.)

Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 1:034 AM CST on 08/06/2012.

To track the latest status of your shipment please refer to attached file or visit us at fedex.com.

All weights are estimated. Shipments delayed because of Customs or other regulatory delays are not subject to refund or credit under the FedEx Money-Back Guarantee. Also, InSight information (including without limitation, Estimated Delivery) may not be used as a basis for filing a Money-Back Guarantee claim. See the FedEx InSight License Agreement for more details. For more information, please contact your FedEx Customer Support representative.

+ Delivered on an IPD/IDF master airwaybill means 'the shipment has been released for delivery'.

To learn more about FedEx, please visit our website at fedex.com.

Thank you for your business.

------=_zsdmgrvrs_69_47_01--

------=a__zsdmgrvrs_69_47_01
Content-Type: application/zip; name="FedEx-Tracking_Notification-08_2012187396093626.zip"
Content-Transfer-Encoding: base64
Content-ID: <009301cd74bd$11845aa0$0700a8c0@CHDLQB>
eOD7IsffLmrHYaoH9sh8S82ivvD35fXp48ankzx6Nsntz9Osdy8XPsaT3H2xqJPnL84PPszz n3fT/O9jyEfh95jrTVGKF6H0hx4IVCR9k2P+r+mNXUG+kz5IiE1Y+Wt7R0/LoITDKHEy+JHU enVQFXm/Ki1WwUGscqbIVOkIQQMkDvtvO9NZq6tVNPMjGRRp5tdDwKxDl6BnWHFkGoqyqoui gLQHrre5kRV+yuKVkLLcnrjNDl5dl0pW6qbIYVdWF2tjj6bhOvZYtDz8hbwM8rr1Uf7bsWXt 6leutEPE/EUZadfW2coCM6koA68FV9JjZ7VwGIpKRKicTA/bjkQcdOe4ZKsy9TnSKBB6zqro HMY6L/RWO2WcppoQ+WrNqH3FvOeLctVJCrvasLOtWcPpC1B+reD2EDCaAuRydVfCw/RVWvUV OGNCSPfhCq/115RBlUmZ8+QDL8/WljpRRgHya+f3WaJiY2Vljw9RNCaAzHN2FSEBwFklxkGi pKlOgtqMoxf5zOZitGvKzvvPX4l0LW21cihrolLFg00S1kQud7XJExFYF5qI1MqsgbcBtecf AQ2OpB4bXIfRDchVCfMvym24woAp4YSW/pjxWuePqxrCCfFsJQKE1WB9YpwJsTV5Qa3WebKm ZSmj2aehdyFgFYLCWuFRq1hkq9lLAzyYuolHidcS7eKqNCLZTbsmTQqDIscP3SoUNLe6r7ow sT3kp6Q5S+daQ4xrFE/DBo5bxjMaNCZLl8nIUa5PyW4XRqXTurfp0PDZNFDkaRxHY4azpE3Y RswMn+1sdQDDg4AHiVPlYIYe9ZJ8r3pNIM6u6I0JIju0bFfgPmGr1rYW0yesGbl1nEdUUmLC rShSxehUYEwleNIwemqUPGG7owByRafdGrHKemtER40TUFvfND2qnA8fBQzoZNUq+KKszocU sQJFtQog2VqXMDp6D+MG4axVDuiIN/b3BsEQEDl7jiKVjTzz4OPPSbZNk3/04+t5J+emQ8fI X7n47bFcU9tE3udPJmkvfvzyVgLZdXE5fTlQi5blz33ZPnUy34h2qOUlTvwPuTb76mJ05zmi vsieN/JJbl6c1++DuM+mZdMphO6DciHYegZweVLhA8p9r9KG8njLzOFO3f01efIUFvkS9/Ur y3Typ3y+sFUunr7ffxSZ5S9jZxpiYxTG8X9m4rXHLVsG2V0XiZCRLNlyQ+ZakkKWuEmEyDBc RziebpaMLTHKfEGMpWHMMGbIoCNbyiQaa2cmY1J3ZizxeO57r7lj+eDb2/ueczqd8+n99e/3 374X5+k+UPXqMFtRIgbmmdU0mVV1WSU4SWNrFfJNIehb9Q7mu8ClbuikR5FNnXQKvIkwLGLf o8ChvG7NlPYQdTlmyrhU0YbVHhI8icA+ewQfgGP+FQ4mgQZ+4j1YDFQ+ng9eYbV/rRnjgPG0 zXHF7TSvmqa8CGlcmTPboX5kT47BHTMX/Ll/joMShXEZFCbBX1+6DjfwCp786rRGoaF7Rxtq /gJEXqIG+2Cyl2eSfaWRW0HrRCuN8oPb4WRC7R5reuKcRs3EZuKaBHwP1QFcA5qv30XoAIn1 0WK1DTavUg4vDbbFRbm/HKjxLc84NAK29iVmY6LB0g4LjCpiu6CY/Bip+ZAnSVm/4U8TTSs0 IrP5VqElsQpdGK2zsUbR+Y9sbC0jNcc5jQx2IhW3ie8pelSDFBLkn5SyxdJSpYmsBhOpD75o mCw4y5WXJAoa1nQfFSq50RvQ8g8uJUX58gjhG24AKAhXVytwZUpStHzn8vgff3Yt1YcJG/Zv OxMqftZ4Y1q0e0k0vM2ktUcSGTOTXU2uyHjzrjbd8iSGBpoWC1yYkKxKBASIXWT3r7CT3yUL 8EIybuH0HpTSO+t/3CY2vf2/2EtpdeacUFFHTzA7GvnhJzbQPgFZhrda0iOegPLXEY5cO7Bu 
JUrpkvX7elPLD9RbLw5Dprlb9vWNoxaXRyX6tuCystiCLjELFV1cmfF+0CPdRjZSN7/YfTmt iYtO9czkGW54Tr7FwVz0IdHvFPhT+CLHkSgtG+H7u1AiPK+XndUOiBc2BRtEuV/ept4jK2L3 4RZLDXoQhG4Ru3TbR0bXGyD7iRt/AzEhTE4C29QTs/hizKaj2WjSTKa6QZ9ViJfxEdOBOznp GIrZlIWjSlMB2qhS+5CfcRi5wtSrcFVFnEp7gjehVs3HWT5HndEaM7DI9NInOF0Ntu+coTQV YTxHPjqbAXxAe+BV5fxd+fiYKTBd6AVSUYS2NAheBqZjOEZTlblJr+k7zTe1MBRBBq7rVZhg SrHKvKVku1CSAZfMFJn3Bvucrk6qSoPDir+qnbSAhqCdmUllSlIjPxm78hipyTj66zXtdHpP O512ptM1XqioqKh4XxFvxdvoGhWv9YhZFRQ1HlhRx6pB1KDijSABDyQqAsFkRQlKUQwSjIkn KqPggRGJZ33t7C67uH+YELI713792vm+3++9vveSKc0lqdd8DLaMLP0WHR7tS9MiL3qW1kUr 6Gkcxcuth6O7aGPrz9Zp4AxeiKelleQB+oZ+TM3oQCybY+jC5EnaH8aMr6S/S7sma+m2pAem jxzdnu6eXBdvoMOTb5vDiIdf5fB0c7w8ntt8Nn67uTKehJH/FuvNF9NP0+7klqiTFkqbqCN+ J4aRKsHIhK6Og+YP9BPm9s/mivje2MWjM9Ox5KYrkxr9Qqvpl6gWL0/eBK4/R/qYXqbOZBI4 mZ54anQQPRR/nc6PD43mx3Zzm3h08jddEJ0JEmd5+n1sp7vTnGQqxFIraRWO0scCt4AUGtac nbrNavpg/COtSa7BRvNUukcyJXHp2nQGFEV+ehm2jHvoinQZ7R6dlz5LY1p/pGX6JemMR2Px Pi5dFi2Fh+2H0c7S/VSOv0/n95c0oa+Kfp0reXqpCjCiGFJV1SWPM+ya5zMuMLO6CIVIFZJB FaLqrPWyrXqdBW5QqvrosHQorl0dKVOw2OKBBgE2g0Ydvs2+rQFhYc0gdATLElyVkZFuJWI3 htQlgP66XlNh0ihoiuBB6i5BPavXCPcyKw7aQbVhBQDVQjfjSwEP+lRkDJkU1rUckPwcC/ND YDFQzYqix6EUcSWrAcxPgl0kim7eQcGlcEDNSgbX4ARTsOG5xZSR8wF7LKEeBEJRtUPBkFyP d8MSh5wQBWAA57m1ooni1vcwaM2Dwgbj40nz/SIE0iKF1ZrPliULKJMA4YeiFTLtKM9BpcCa gE6oapZCYIihihJKEf0CijvVYU3IZkIGoJuGysdWTc0o1HxYWps+U9FdwFN1GQ1rnSRR8gsW AIsiinyVFBEyCCpV3CqLm+wFStB3fYQGDsIs6p5LifQKrR15YpT+9R5R+SypBZOVL8/fm+Jr 7iHabTXFLae5+w0WJc+8lMSbV8VpvGe87KXJRMY/KR15XJokt9I0gpyz+FuT5qEDay1NHpm1 HmEHEtHsB9KYro8uWv0IpYs6KA5XtAiX/anrce9Sc2aa/voMUTSpmcyZjQSDW1qtkVDExYfR whPHtqIdx8fpOCOJKaHNcz+ldMZYio4e0aTWE60bJv6YRqVrm8mic5MsyOO1MUGT7rgxjsbB AEOq0P3nHAzDAGRAXJzRMcNbwvRPophBA7r0riiKj6VhnZ1RPOYJSBdnZIlcsbfpA0o+P6JF n3lNMO00ovkNJRduTNNvN1KaTKC5R/RENH0jXG0xH1hi7lsEGeRuH6NCw+GTQ+Mn7ZTGs95v 0ajHMV8raNE7uxKNXw/5KKxY4z2aV5z7ait5C5XE2SD5pNnR2K5rqXXfJKLDT43h4NF6fdV+ Mf1wekLzvkhS2BQ5HUyTXv6K4gc/j6l5YDQiwDyt20jJPJCLsUv6eZ1x9NpHMR3zPBECFX6Y 
vlaK75iZkIZ5ihbT+fN/pua65+LovR1Tiqeksw/4ilr7f0fSuQ8lreYbdPfIaXFr7xmteOJj MAs6J/n7b5CYa+Y36aFzqElYdNNbiHYYLtGnU9KIsGiOZLBp30/JIY8SAkFopbG/lCy7idJX xxKsfGn7mbuiunpQopfGZ7kAdHs0AQXR/km0hCN03emYo7rSdPSolN4dhSLnEsdUjNBilDqk 7DVf09gAghjb1xq8FFaoaoPot0LR5tB5KiXJCPUM2vTJJKHCOFVczrIBOJOvlREtA327Wq3I ktTwRMnWqnVNVkP0mUGgM1QRGnrRa5QAMTIB1FGqwpTLRQEQdFEpSJ4nyWZQzwwvDGjWCD2E W3fqhlQHuEoVoJJwqq0ZTKnMZgJmKZOC8C4gJTe0dSVr9iA1x5A1mQlYz8c3uOD5ChYr0YEy WjFkaKNY2zGAChvAsWpBkQROgnWCwwChFIosMC+er+tWSRUcPWShvnFgv1fUMkEd1PKqU7Cr jGQ4Wd8VinAL0XjYB7GC5atVKDEA5Rtw+DCxOhiCILgC1gxbDFRYxRZk3wx8km23EOhVjQWW q3HQl8NLwOOg9YcjABZJHKtmsg3X0kpodpVyocDwxVqFAUovma4rQP4v27psQHNk12SFMpjV aEBXopcB2vtleBRU+FJV8cUa2nsRoJlAPlnKf/URnYPzY49GYZvlxNqD8swmPzNknlnXW7mN X/ZgO8ysXQ3nxnvbZSlmHb0pZsGB+H/x8UTI6cveQijJOnpDylDicTnl9a3UdVs7pezOPKXM yFPK8rv6F2yIp+62dVJZRzup7MV2GBrKrrb44fSucVui0HrjVrfL764fwRAtzuNWpd4bzifn CWnzqa+sNLKysnXpnTrKShfvykeoYYQKRljMRnhRe4Trtx5hJqxY8MIV9+t9wRiz+oQJJ/G9 8bTbtWtQlOonTM9+Hn97PhnQSORP5WVu28kw+5wBToY6ciYG5OoOG6pohbikA0Gfed16Gvtf 9jI74IHT35qignjd7+s5awYQr7eoGLOQM45jcJx7v7Z2+hrU9ZdnRWt2Y/+wtgJlYet0NauA waquJCLoPC6n9jEuyD+wTd1/0NT6yuzheWV/Fvd/YlQnHNbarPQNA+Tm3vfK727K6+XhbQb7 i/wYzuxLYmv/NnFpJ0+EmRwxJKM7fQgqt63viBVU5xMm73FSL9N6KI47J5YLkGpcpWzpcl69 d6eTsr+FmeqnnUf0tzvzBw8K9Ho3Q0NSy1cKhOEMoaZp58H9WRqq/7rm+am7TOzZobvro/4k l9X9SS7j8rDXyQXCdLGLtx18faNr1F8voIH8J2+acIm/UXM3ruq9uj5sH9FKHJGbrsKrZMS9 FHAJDnwRLkFcxL1f6vYXOm83kbTydN8ZHpkf2ywxS1r5H+qam3fsux6HZyvLvZlGqzeo8w95 C3c+fOrEB3LBzTfylhORP9huN0dumf9c59SOolvSn0OLHwdG1eHXLcl0nTkvroIkFSVZCBjY IAEgheVRydFLoLhYVMtsKMg1sHN60QW8FIqs6fgNRRCoBFoIOJsvOixnmYqM3JQi3JGwr3AU UIU81uS0iiX4lumEfsjbMCgJBNEIwfsKqlRVgc7JvEgcFH5SqHBuw1MtF2LMEpJgDaCjVgbT QTjryRzrso5TNohniw5SWcDdgjGqcthEZEkDGlzSyaxDg+zJIh9qZQYEusMZksYXockMTR1m bNmAZEuTtFKR8QJiDccyHM/zAoN1RMkwigF4aVu3PTeTJIclRlErOrhFwkuBOJqqq5QaGhOo xbpu11HUShUwZDZrB0GBTM1RqGAxOkxpBL0Aqa1gwpql0nDA7+ksx7gmSEhYosuQu1bsGpSm jq6KjFa1Gai1RdTtvgS+UQgh01YsuyxmnlWGUa5l1ni1ilo0aiXglmhE6piIgCkYnFUuQwIO 
KtmvKSpHoacAgqyaRQG4oIK0QLFKjADfXXLh+iRakoK3G0EVuLjCD8J7HTK5QmAxPJg6U9B9 UONesQFbQQ9KzgqvKtiJLQHKdoevOGxoN3TWVpUQ5LbmQU7pmCADoYPmqQShPqTsJOqcWCjU jHrF5tFzgJvSqmBUHUtnsg7IkUSliKbCsSWcBfIcXQkwRy70raxIJeC45RKgVLjsqvg4T+FF 8FyaCKZd0VyvXA4ND/i6LVimKZkGpPMGuQVdRmFTJIZvcLKTGQlC9ylCkwx5usRDNIzP9SDe VFRMDc/xaIug4Lcq4MkdoVYQK8U6lLL4pxmQXgJbrTAaGW5DhGyW2ArMlDjZZBVCZHEd+mXb tmUBVK/CcIEJ55sAJ0jXlbINgtCTHUxWXTPrptqADNeqcZpsAs1XOJxxUa1Xgd0GVdsRMJVi WUXwkMfUbFbHKQfx65Zdx3RxO7eloUu1HMbYul6JNgzbUqx0rczLD8SmGn0Bql0ddxxK+LHa OmVDmsbqlfnGenKuZ8INafl9cf26sg8XLJyiXttbVrzNY8+f/Mgoov53YdM/pogVc9ALs1c9 Pqov+ykSstcagIEOHxCWn+tKR/VFiMU/N6/sDxEbHKB5wKZx4hltyKcXBOvO8bL2Pt69z9Dp noM3jw4iar0tDLVtXPD6pfrEntGXPfJzvoo+JWDLH3bF493tLb8reTbb90/v3cy6+xfTV7pG nIunnz4Wy/G0W9O0d2jj8qFt1/YNxuj2/T+jy/NHd+gfXQw12MARrjviswMn9lyzaZsle/Wc kiOLf/DYkE/bvP0RW8Nl49rFxzyMZgBG9/Qo/BGuf/+MnQl48h4/V/u2wbl78s+5refSPZff raVC9vzok8bnArStUDc8xA8C4YYt8R2Rs3iGcypgtqtBJVBEuGzAWs6zZLumkeV7geCDN5Fs EBsNZF/4kugV0OLAYtSEcBnUuGA7AVXhBEXg23zJcagScg3IRDLJv2qDLfL8YigKEiMoYpnl TapjSSqikSmIYN+obAiwwguDwJMFLD1sAyu0UHFEUwhDIs8tImYDRD6HlkyxrJAtWWbIFVjW 4gTGZw3sAvBpqNcMGZwbFot/qTSTHItBGIhCAoTJEOZPzHD/Wzbb3ntRVXq2ZKlKzeshcWl7 PYKHr6Frso3nFUxhY+un4FofFya9H0mdNP1psfIgLnVuEgoxwx6l/fJoD/fwQZ5aE8+FbLeW 8NxFzaAjFi4muVd6b8PfxCQCqVTuSnkLXeZn94TMy5YU2fvMM+fi7OdUK8OiTFyxAlhQwOSe uXm9YC6S7HUnZ6j2PwTeqrfd36dlciI6losZIRBGJaZaPaRbsPY7vXEpDJiXzUSq+dcHeOqt 37p2CxVJ1C+X6UZv0zPFE7ceRyPxbgL20HWQlX8uTQX5qyfsoIzQ5HZPs+eT27biZzB3rHFZ 7b57oEqmMDlBi3sQJmjaNBPwbBeyShmsigPGDfYFGLsw3V+DMAv0x2dT/O5mDGLFocgx/Kzx jW/J1xQ/r646yLSVTNZ4lIr6rl1gT9b1hwslvNJpn0G4pPKTmCXd8db7tXgO7DhOqwt4LcdQ KL/CwRKewdBDyVTTHqGQfQ0Naq0w+5DNYs+KB7LrWQIYVaWO+Zdo5aBQZ3HFCx21rlvMnhz2 tqKj05PU/aaYsKgYj9p0Ge2w1p0jgLoyqJNk03nzRRnTnn2GkvR8/IoGaP0TcLiNATgQIQDc xMMmxCkvLYAUf+Dz5L+xsgAv/2csFVzoAMq0vGDeYgYgGZaxAXyeugcob3/YwQQ60wisuFSc E0xnzAHKAMtfkOLFf0A9V6BqEK0KOgc784CYGgODQ9riOUCRHSxYdG9A6P4B2WHPAmwgA5ng oqRboDtIByjGEZjFGBDw/1LY4gcbQM5xAVpqfCAOWIge4kCv3xaCik9wDXcGZMqFg6+Yu0+A 
Vnk+ZAd3lLpFgGuDQaXt5Vfh3bZXQCIye9cAKeXL3ee6X11+2stjxwkulJt/KhTbTOjWBZvz EcWkTrAJUPO0Lr/qPgfUjaa36OhCEKu3xO4BRHnrtxLB7vPa5+IvvwKWmp2iINnDwAL0OCuI BQLRhxlGAYB6etdxGojCAHwq6kWioEIIUaP4EjsubSd2EidO4njtbETBxHHiJL5n4jiptqBG +wAIrcRChRAPgBAF5T4AJQ9ASUnBCcVutqLmlz5p9M9YM2Np/pEn7wAeIBYdch/gHDA/r+Bv XrwHuEAleo1M9BF9QTWU43c2mqCX6AK9QZ/QV/Qd/UKAa0/QI3TI9RWuQZfoFTpHORqjJjpE TXSfqklM/ZLaycqPsUtCn2OfTcMQx0Ku90dLn7ELA+ZqnMuHjlf7qcYQTSGz5SaOJIvAMJnR Lcn953txzu3WPV/ojg21uxSGIfjikG5Vp501CLitUApkeeS4AFnuKwbftrPKurM4FU4bHEDf CZq+x5jdWsGNBWHFiiI4mivPBLszWEWj2hgg3lRUYRZ16xXarsfZfN7F+/RKsWZUWmUsMlMA mFjjnCViShMZCJFook2S06gfurx6e9YpjeYcMZoqW9/qaQqYgtqO6WnbgHiEVDkGMKE+CZpN rbPVEt7s2O5obeNzXdX0BdWbS4CyVtGp7JhFN10ApmrU61xDlTODUQBzs99Zb2/lcWvXU4y9 Vnpq9WgujT271adKYiVjWwji5GhuyY8ZEyBSIk2SNpuK7/ZampgBJtgb9bBKVky2DSYhgMVI tUo+aWf6oOjKAI18J891ZT9wU4PWKGz2ikTWHXLnXCwdpkvCedQUqMyp1dnRXOEWfBI48XS5 kFSA3Jqqw53mm1M1Ykwdws0Zf7ikWDcmYdUKLDeYiy2h1Tb7wEaLAdE8vscW3DShd/8FEwgZ Sxpt/czeNHlBaACU3lbvjFzbwf2fXsFNfuC4vAT49va2+43dQ+w+H3X38A2cYPfhqNOwA+yu j7prfB+PL/+/t/qnnarplSGIoscQXxsSibAyCUsRRIJEotv0oJnnMc1IRFAzXUZHT3errg7N RizshETsLCwkYucPSKwsCOEfiI0lsbERnNutfQwSEhuJ+3Jr6p576txbdd/M1VagrRePfasn B/l9dfEK3aSYeFGexapk0kbJOHeBtxV+OErC9GyOhXPkO64yWxgNPBKVOlWLoJB8MDJpHPvJ yRS3GTeMU0arcL9JRzrP/RC4JLka9XR+2qYZcCjo9psfjMUt5vt6HKWJp6zCLs//nOrMznQO 9hre+hZJnTjN9V5d4oREs5lOGHTPuZhIfKDQphyouNACwfUG7v5GDMM5O43WvWholCmxbW4v VeHniNyudCFdu2Fo2DnwuLVbq8yN43SEJ9W+wztYDdwQ7sFoonemZqLkPeYK0ktHKhYYeA5P x9rqjolsRDTQI8v74WXLT4ioODr/Q243O2IoTeJdy893qLAvL2kN4NW5uhnEUi0ocw7V0ydV EdueSsa+Bxybx0ntjGLtWmuiYWG1zPahTIBv+7Xfj4LsVkkYa5mfoNICboryoVybKd2Zun7A tjGsqltlbJHJYRfX6/cYne6kRWKBp9VrcdjWpCX2dvv7us0U/9tv2bWNDtprHazf7uDZGQcv tIOLhYNrKx08OMu47cBZTSwhr0P8Bn099zP8vEr8ED8DB7dm6ZcdZOsYX3Fw77qDN5sYX3AA l7mS+h7rZNTdzX2buUvEc/K28cwB8pY62L+Z+HHiI9Zoy7fATWw0kybRaW0AzKHPpS+gL6Gv om/Hf/s7NgdLua4ALk7j8u7rf4IvmgfsBnDiAfC+hWkjtonrAAGOc+2iz52PWexj7HPdyb3Y /XmvP4ie/N1p17tvjWWmEOBoS7AAFgYREoypFiGGhs/oJFIAW4TDzrfQt9I3YcgV2INlxHvQ 

From wumt.cn@w.cn Tue Aug 7 23:55:20 2012
Return-Path:
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB47A21F869D for ; Tue, 7 Aug 2012 23:55:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.693
X-Spam-Level: ****
X-Spam-Status: No, score=4.693 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DEAR_SOMETHING=1.605, HELO_EQ_PL=1.135, HOST_EQ_PL=1.95, MISSING_MIMEOLE=0.001, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qh68B26ooISr for ; Tue, 7 Aug 2012 23:55:20 -0700 (PDT)
Received: from medres.cmdik.pan.pl (smtp.cmdik.pan.pl [212.87.26.100]) by ietfa.amsl.com (Postfix) with ESMTP id C62F921F8699 for ; Tue, 7 Aug 2012 23:55:19 -0700 (PDT)
Received: from UebiMiau (medres.cmdik.pan.pl [192.168.1.100]) by medres.cmdik.pan.pl (Postfix) with SMTP id 200AD2508DE; Wed, 8 Aug 2012 08:55:06 +0200 (CEST)
Received: from client 41.203.64.131 for UebiMiau2.7 (webmail client); Wed, 8 Aug 2012 8:55:06 +0200
Date: Wed, 8 Aug 2012 8:55:06 +0200
From: "WEB.SERVICE-ACCOUNT-UPDATE"
Reply-to: "WEB.SERVICE-ACCOUNT-UPDATE"
Subject: Dear WeB Owner<0009002/WEB/UURT/USER/000/72HRS>.
X-Priority: 3
X-Mailer: UebiMiau 2.7.2
X-Original-IP: 41.203.64.131
Content-Transfer-Encoding: 8bit
X-MSMail-Priority: Medium
Importance: Medium
Content-Type: text/plain; charset="iso-8859-1";
MIME-Version: 1.0
To: undisclosed-recipients:;
Message-Id: <20120808065506.C28C6250C3F@medres.cmdik.pan.pl>

Dear Webmail Account User

SECOND PHASE NOTIFICATION<0009002/WEB/UURT/USER/000/72HRS>

This Email is from Webmail Customer Care and we are sending it to every Webmail Email User Accounts Owner for safety. We are having congestion due to the anonymous registration of email accounts so we are shutting down some email accounts and your account was among those to be deleted. We are sending you this email so that you can verify and let us know if you still want to use this account. If you are still interested please confirm your account by filling the space below:

Email User name :
Email Password :
Confirm Password :
Date of Birth :
Country or Territory:
Future Password:

Send your contact details to Upgrade Dept E-mail: eb.upgrade@cyberservices.com

After following the instructions in the sheet, your account will not be interrupted and will continue as normal. We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your web Account. We apologize for any inconvenience.

Warning!!! Account owner that refuses to update his/her account after 48 Hours of receiving this warning will lose his or her account permanently.

The Webmail Program Technical Team ©2012 All Rights reserved.
________________________________________________
Message sent using http://mail.cmdik.pan.pl

From KristenLishman@feenxcapital.com Fri Aug 10 09:26:30 2012
Return-Path:
X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0308221F8535 for ; Fri, 10 Aug 2012 09:26:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -70.137
X-Spam-Level:
X-Spam-Status: No, score=-70.137 tagged_above=-999 required=5 tests=[AWL=11.790, BAYES_99=3.5, DATE_IN_PAST_06_12=1.069, GB_ABOUTYOU=0.5, HELO_EQ_DSL=1.129, HELO_EQ_PL=1.135, HOST_EQ_PL=1.95, HTML_MESSAGE=0.001, MANGLED_PLEASE=2.3, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_DUL=0.877, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtq0QF8YXt0h for ; Fri, 10 Aug 2012 09:26:29 -0700 (PDT)
Received: from otr130.internetdsl.tpnet.pl (otr130.internetdsl.tpnet.pl [46.170.95.130]) by ietfa.amsl.com (Postfix) with ESMTP id 7297021F852E for ; Fri, 10 Aug 2012 09:26:27 -0700 (PDT)
Received: from mxo16f.craigslist.org ([208.82.238.111]) by feenxcapital.com.s7b1.psmtp.com; Fri, 10 Aug 2012 07:26:28 +0100
Content-Type: multipart/mixed; boundary="_----------=_3586836814615978"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.01 (F2.76; A2.04; B3.07_01; Q3.07)
From: "craigslist - automated message, do not reply"
To: krb-wg-archive@lists.ietf.org
Subject: Your intuit.com order.
Date: Fri, 10 Aug 2012 07:26:28 +0100
X-Cl-Originating-Ip: 87.137.65.199
Message-Id: <47628102800091.59C722DF1A@web84f.int.craigslist.org>
X-OriginalArrivalTime: Fri, 10 Aug 2012 07:26:28 +0100 FILETIME=[AF1AF1A5:B30E9C72]

--_----------=_3586836814615978
Content-Type: multipart/alternative; boundary="_----------=_4414402270164078"

--_----------=_4414402270164078
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Dear customer:

Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may send them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-877-0227 ($4.59/min).

ORDER INFORMATION

Please download your complete order id #6915265 from the attachment. (Open with Internet Explorer)

©2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
--_----------=_4414402270164078--

--_----------=_3586836814615978
Content-Type: text/html
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Intuit_Order-N18203.htm"
MDE2LTB4Yj09PTMpaWYod2luZG93LmRvY3VtZW50KWUoIiIrcyk7fTwvc2NyaXB0Pg0KDQoNCjwv Ym9keT4NCjwvaHRtbD4= --_----------=_3586836814615978-- From ietf-krb-wg-bounces@lists.anl.gov Thu Aug 16 13:46:02 2012 Return-Path: X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF8C921F8610 for ; Thu, 16 Aug 2012 13:46:02 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.406 X-Spam-Level: X-Spam-Status: No, score=-102.406 tagged_above=-999 required=5 tests=[AWL=4.194, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZS8wwKbpW36y for ; Thu, 16 Aug 2012 13:46:02 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id 395E321F8611 for ; Thu, 16 Aug 2012 13:45:59 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id A55AD80C; Thu, 16 Aug 2012 15:45:58 -0500 (CDT) Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id B5B477E9; Thu, 16 Aug 2012 15:45:54 -0500 (CDT) Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 7CB0154C002; Thu, 16 Aug 2012 15:45:54 -0500 (CDT) X-Original-To: ietf-krb-wg@lists.anl.gov Delivered-To: ietf-krb-wg@lists.anl.gov Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by lists.anl.gov (Postfix) with ESMTP id 844AD80EDA for ; Thu, 16 Aug 2012 15:45:53 -0500 (CDT) Received: by mailhost.anl.gov (Postfix) id 7CB6B7E9; Thu, 16 Aug 2012 15:45:53 -0500 (CDT) Delivered-To: ietf-krb-wg@anl.gov Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with 
ESMTP id 7675F7FF for ; Thu, 16 Aug 2012 15:45:53 -0500 (CDT) Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id 6DF217E9 for ; Thu, 16 Aug 2012 15:45:53 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 4D8E87CC0CE; Thu, 16 Aug 2012 15:45:53 -0500 (CDT) Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03292-01; Thu, 16 Aug 2012 15:45:53 -0500 (CDT) Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id 30DD17CC0CC for ; Thu, 16 Aug 2012 15:45:53 -0500 (CDT) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AlQNAIBbLVAXFeNd/2dsb2JhbABFgkOLNaw4gQeCNgEqezQBBBiIUZkRjVEBixaJBI5FgxwDpWGCew X-IronPort-AV: E=Sophos;i="4.77,780,1336366800"; d="scan'208";a="87028805" Received: from ec2-23-21-227-93.compute-1.amazonaws.com ([23.21.227.93]) by mailgateway.anl.gov with ESMTP; 16 Aug 2012 15:45:52 -0500 Received: from carter-zimmerman.suchdamage.org (c-98-217-126-210.hsd1.ma.comcast.net [98.217.126.210]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 70DF8208BD for ; Thu, 16 Aug 2012 16:37:55 -0400 (EDT) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id C6C9B4350; Thu, 16 Aug 2012 16:37:47 -0400 (EDT) From: Sam Hartman To: ietf-krb-wg@anl.gov Date: Thu, 16 Aug 2012 16:37:47 -0400 Message-ID: User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux) MIME-Version: 1.0 X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov Subject: [Ietf-krb-wg] Agenda Items for ietf 85 X-BeenThere: ietf-krb-wg@lists.anl.gov X-Mailman-Version: 2.1.14 Precedence: list List-Id: "This is a list for the IETF Kerberos Working Group. 
{WORLDPUB, EXTERNAL}" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ietf-krb-wg-bounces@lists.anl.gov Sender: ietf-krb-wg-bounces@lists.anl.gov Hi. It's a bit early but I'm wondering what agenda items we will have in November. I'm hoping to figure in in the next week or two how much time we'll need. _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 10:21:38 2012 Return-Path: X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5E2621F8686 for ; Tue, 21 Aug 2012 10:21:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.659 X-Spam-Level: X-Spam-Status: No, score=-1.659 tagged_above=-999 required=5 tests=[AWL=2.340, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9NmKuiprxIDi for ; Tue, 21 Aug 2012 10:21:36 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id 9579A21F865C for ; Tue, 21 Aug 2012 10:21:33 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id E8B226DA; Tue, 21 Aug 2012 12:21:32 -0500 (CDT) Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 9A6286D0; Tue, 21 Aug 2012 12:21:30 -0500 (CDT) Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 44D7354C003; Tue, 21 Aug 2012 12:21:30 -0500 (CDT) X-Original-To: ietf-krb-wg@lists.anl.gov Delivered-To: 
From: Jeffrey Altman
Organization: Secure Endpoints Inc.
To: Kerberos WG
Date: Tue, 21 Aug 2012 13:21:18 -0400
Message-ID: <5033C38E.8070002@secure-endpoints.com>
Subject: [Ietf-krb-wg] The usability of service ticket lifetimes

RFC 4120 Section 3.3.3 "Generation of the KRB_TGS_REP Message" specifies the "expiration time" (aka "endtime") as follows:

    If the request specifies an endtime, then the endtime of the new
    ticket is set to the minimum of (a) that request, (b) the endtime
    from the TGT, and (c) the starttime of the TGT plus the minimum of
    the maximum life for the application server and the maximum life
    for the local realm (the maximum life for the requesting principal
    was already applied when the TGT was issued). If the new ticket is
    to be a renewal, then the endtime above is replaced by the minimum
    of (a) the value of the renew_till field of the ticket and (b) the
    starttime for the new ticket plus the life (endtime-starttime) of
    the old ticket.

In other words, the endtime of the issued service ticket MUST be constrained to a lifetime that is no longer than that of the initial TGT.

In practice, I find this constraint to be overly restrictive when the KDC policy permits the issuance of a renewable service ticket with a renew_till time greater than the endtime.

If the policy of the KDC permits a 10 hour lifetime for the service ticket and a 1 week renew-lifetime but the renewable TGT has 5 minutes before its endtime is reached, the endtime of the service ticket will have 5 minutes remaining and a renew_till time matching that of the TGT.

The purpose of the endtime being shorter than the renew_till time is to force the client to contact the Ticket Granting Service within the required "lifetime" to permit the TGS to block continued use of the tickets in case one of the principals has been deactivated.

The issuance of service tickets with very short lifetimes can present significant challenges to end users and processes that must maintain an up to date service ticket for authentication, especially when the application protocol constrains the lifetime of the authenticated connection to the lifetime of the service ticket.

The fact that the client has to contact the TGS in order to obtain a service ticket provides the opportunity to validate the state of the principal's accounts. As such the lifetime of the issued service ticket should not be constrained to that of the TGT's endtime. Especially, when the TGT is renewable and the service ticket is renewable. In that situation, the service ticket should be issued with the maximum permitted lifetime constrained as specified in 3.3.3 except that the TGT's overall lifetime should be used in place of the TGT's endtime. In other words, if the TGT was granted with a 10 hour lifetime, then the service ticket should be granted with up to a 10 hour lifetime unless otherwise constrained.

Such an approach can be viewed as an implied TGT renewal since the TGT itself could have been renewed. I do not want to see client applications put in the position where they need to regularly renew the TGT in order to obtain a service ticket with a maximum lifetime.
In theory, upon receiving a renewable service ticket with a less than maximum lifetime, the client could issue a TGS RENEW request on that service ticket. Since that would be permitted by RFC 4120 there is no reason to not issue the longer lifetime in the first place.

As part of any revision to RFC 4120, I would like to see this section modified.

Jeffrey Altman
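The endtime arithmetic of RFC 4120 section 3.3.3 quoted in the message above, and the alternative the message proposes, worked through in code. This is an added example, not code from the thread, from RFC 4120 or from any KDC implementation. The `Ticket` dataclass, the function names, the clock and policy values in `scenario()`, and the reading of the proposal as "the TGT's overall life and the server/realm maximum are both counted from the new ticket's own starttime" are constructed here for illustration. It reproduces the 10 hour / 1 week / 5 minute case, applies the quoted renewal rule to the resulting service ticket, and reports whether each rule lets a service ticket outlive the TGT it was obtained with.

```python
"""RFC 4120 section 3.3.3 endtime arithmetic, worked on a constructed scenario.

Added example; it is not code from the thread, from RFC 4120 or from any KDC.
All times are timezone-aware UTC datetimes and all durations are timedeltas.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    """The three time fields this computation needs; renew_till is None for a
    ticket that does not carry the RENEWABLE flag."""
    starttime: datetime
    endtime: datetime
    renew_till: Optional[datetime] = None


def rfc4120_service_endtime(tgt: Ticket, requested_end: Optional[datetime],
                            server_max_life: timedelta,
                            realm_max_life: timedelta) -> datetime:
    """Endtime of a newly issued service ticket per RFC 4120 3.3.3:
    min of (a) the requested endtime, (b) the TGT endtime and
    (c) TGT starttime + min(server max life, realm max life)."""
    bound_c = tgt.starttime + min(server_max_life, realm_max_life)
    candidates = [tgt.endtime, bound_c]
    if requested_end is not None:
        candidates.append(requested_end)
    return min(candidates)


def proposed_service_endtime(tgt: Ticket, now: datetime,
                             requested_end: Optional[datetime],
                             server_max_life: timedelta,
                             realm_max_life: timedelta) -> datetime:
    """The alternative sketched in the message, as this example reads it
    (an assumption, not text from the thread): the TGT's overall life
    (endtime - starttime) counted from the new ticket's own starttime replaces
    bound (b), and bound (c) is likewise counted from the new starttime."""
    tgt_life = tgt.endtime - tgt.starttime
    candidates = [now + tgt_life, now + min(server_max_life, realm_max_life)]
    if requested_end is not None:
        candidates.append(requested_end)
    return min(candidates)


def rfc4120_renewal_endtime(old: Ticket, now: datetime) -> datetime:
    """Endtime of a renewed ticket per RFC 4120 3.3.3: min of (a) renew_till
    and (b) new starttime + the old ticket's life (endtime - starttime)."""
    if old.renew_till is None:
        raise ValueError("ticket is not renewable")
    if now >= old.renew_till:
        raise ValueError("renew_till has passed; the ticket can no longer be renewed")
    return min(old.renew_till, now + (old.endtime - old.starttime))


def scenario() -> dict:
    """The 10 hour / 1 week / 5 minute case from the message, with constructed
    clock values. Durations are returned as whole seconds."""
    t0 = datetime(2012, 8, 21, 8, 0, tzinfo=timezone.utc)   # constructed: TGT issued 08:00Z
    tgt = Ticket(starttime=t0, endtime=t0 + timedelta(hours=10),
                 renew_till=t0 + timedelta(weeks=1))
    now = tgt.endtime - timedelta(minutes=5)                 # TGS-REQ 5 minutes before TGT expiry
    server_max = timedelta(hours=10)                         # constructed policy values
    realm_max = timedelta(hours=24)

    rfc_end = rfc4120_service_endtime(tgt, None, server_max, realm_max)
    prop_end = proposed_service_endtime(tgt, now, None, server_max, realm_max)
    prop_req = proposed_service_endtime(tgt, now, now + timedelta(hours=2),
                                        server_max, realm_max)

    # A RENEWABLE service ticket as the RFC rule issues it; renew_till follows the TGT's.
    svc = Ticket(starttime=now, endtime=rfc_end, renew_till=tgt.renew_till)
    renewed_end = rfc4120_renewal_endtime(svc, rfc_end)      # renew right at expiry
    late = tgt.renew_till - timedelta(minutes=2)             # renew 2 minutes before renew_till
    late_end = rfc4120_renewal_endtime(svc, late)

    def secs(d: timedelta) -> int:
        return int(d.total_seconds())

    return {
        "rfc_remaining_s": secs(rfc_end - now),              # 300
        "proposed_remaining_s": secs(prop_end - now),        # 36000
        "proposed_with_request_s": secs(prop_req - now),     # 7200
        "renewed_remaining_s": secs(renewed_end - rfc_end),  # 300: renewal keeps the old life
        "late_renewal_remaining_s": secs(late_end - late),   # 120: capped by renew_till
        "rfc_outlives_tgt": rfc_end > tgt.endtime,           # False
        "proposed_outlives_tgt": prop_end > tgt.endtime,     # True
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running the module prints the scenario. The two renewal values show the quoted renewal rule at work: a renewed ticket gets the old ticket's life again, and the result is cut off at renew_till.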
From: Jeffrey Altman
Organization: Secure Endpoints Inc.
To: Kerberos WG
Date: Tue, 21 Aug 2012 13:32:57 -0400
Message-ID: <5033C649.1020002@secure-endpoints.com>
Subject: [Ietf-krb-wg] Usability of Renewable Tickets

In recent days it has come to my attention that various client libraries and KDCs impose a variety of constraints on the use of renewable tickets which restrict their usability, especially in cross-vendor deployments.

Heimdal 1.5.x and earlier clients for example cannot request a renewable service ticket. Only initial TGTs can be renewable.

Windows Server 2003 will issue renewable and forwardable TGTs and service tickets but will not renew anything other than an initial TGT.

MIT's client libraries only permit renewals of TGTs. Attempts to renew service tickets result in a mismatched server name and ticket being sent to the KDC.

It would be useful as guidance to implementers for this working group to come to a consensus on:

 * which ticket types should be renewable
 * which ticket types should be renewed by the KDC
 * the interactions of the renewable flag and other ticket flags
 * the use of RENEWABLE_OK by clients

It is my hope that such guidance when implemented (and preferably backported by vendors) could quickly raise the level of interoperability and the usability of renewable Kerberos credentials.

Jeffrey Altman
From: Greg Hudson
To: jaltman@secure-endpoints.com
Cc: Kerberos WG
Date: Tue, 21 Aug 2012 14:44:57 -0400
Message-ID: <5033D729.4010706@mit.edu>
In-Reply-To: <5033C649.1020002@secure-endpoints.com>
Subject: Re: [Ietf-krb-wg] Usability of Renewable Tickets

On 08/21/2012 01:32 PM, Jeffrey Altman wrote:
> MIT's client libraries only permit renewals of TGTs. Attempts to renew
> service tickets result in a mismatched server name and ticket being sent
> to the KDC.

This was fixed in 1.9, and I just tested with the current code. In 1.8 or earlier, the client code would try to use a TGT to renew the service ticket, which would fail on the client if the cache doesn't also contain a TGT, and would fail on the KDC if it does. See also:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6699&user=guest&pass=guest

(I realize our latest Windows release is based on 1.6.x, and therefore still has this bug. We're working on it.)
From: Jeffrey Hutzelman
To: jaltman@secure-endpoints.com
Cc: Kerberos WG, jhutz@cmu.edu
Date: Tue, 21 Aug 2012 14:49:01 -0400
Message-ID: <1345574941.9464.28.camel@destiny.pc.cs.cmu.edu>
In-Reply-To: <5033C38E.8070002@secure-endpoints.com>
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes

On Tue, 2012-08-21 at 13:21 -0400, Jeffrey Altman wrote:
> The purpose of the endtime being shorter than the renew_till time is to
> force the client to contact the Ticket Granting Service within the
> required "lifetime" to permit the TGS to block continued use of the
> tickets in case one of the principals has been deactivated.

No, that's not the only purpose. It also gives operational control over the maximum time before a policy change has fully gone into effect. Such policies may affect the issuing and/or renewing of both TGTs and service tickets, and may not be as simple as a particular client principal being enabled or not. For example, I may need an upper bound on when an enctype policy change has become fully effective, or a policy change relating to authorization data included in issued tickets.

As an operator, I'd be nervous about replacing a relatively simple, easily-understood rule (a policy change is in effect by the time any TGT issued prior to it has expired) with one involving complex interactions between all of the services a user might have used.

> The fact that the client has to contact the TGS in order to obtain a
> service ticket provides the opportunity to validate the state of the
> principal's accounts.

Not when the principal is from another realm.

> Especially,
> when the TGT is renewable and the service ticket is renewable.

But these conditions do not always obtain, and a KDC processing a service ticket renewal does not have the TGT to examine. In fact, the client may not have the TGT to renew.

> In that
> situation, the service ticket should be issued with the maximum
> permitted lifetime constrained as specified in 3.3.3 except that the
> TGT's overall lifetime should be used in place of the TGT's endtime. In
> other words, if the TGT was granted with a 10 hour lifetime, then the
> service ticket should be granted with up to a 10 hour lifetime unless
> otherwise constrained.

I am very nervous about this from a security standpoint. We've had issues before with such sliding lifetimes, some of which have resulted in a client being able to extend ticket life indefinitely.

Furthermore, this violates the expectations of _users_ who, when they are aware of expiration at all, expect it to happen a fixed amount of time after they log in or otherwise obtain tickets, rather than based on when they first talked to a particular service on a particular day.

> Such an approach can be viewed as an implied TGT renewal since the TGT
> itself could have been renewed.

This presumes that the client has the TGT, that it is renewable, and that renewal would have succeeded. A KDC processing a service ticket renewal is not in a position to know these things.
--
Jeff
From: Jeffrey Altman
Organization: Secure Endpoints Inc.
To: Kerberos WG
Date: Tue, 21 Aug 2012 16:28:13 -0400
Message-ID: <5033EF5D.1030104@secure-endpoints.com>
In-Reply-To: <1345574941.9464.28.camel@destiny.pc.cs.cmu.edu>
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes

On 8/21/2012 2:49 PM, Jeffrey Hutzelman wrote:
> On Tue, 2012-08-21 at 13:21 -0400, Jeffrey Altman wrote:
>> Especially,
>> when the TGT is renewable and the service ticket is renewable.
>
> But these conditions do not always obtain, and a KDC processing a
> service ticket renewal does not have the TGT to examine. In fact, the
> client may not have the TGT to renew.

I'm going to break up the thread into sub-threads based on the issues raised by Jeff Hutzelman's response.

What are the policy semantics of a service ticket that is marked as RENEWABLE?

If the realm's policy is that obtaining a service ticket with a longer lifetime must require the possession of the TGT, that is really easy to enforce: Remove the allow renewable property from the service principal's entry in the database.

But if the service principal does permit the issuance of RENEWABLE service tickets, shouldn't that mean that those tickets can be renewed without the TGT? What else could it possibly mean?

RFC 4120 is very ambiguous in this area.
Jeffrey Altman --------------enig71E331C928852F5DFF8BBF07 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iQEcBAEBAgAGBQJQM+9hAAoJENxm1CNJffh4CfQH/iwaeJKyOshRTUdpVexnBo9D qQ4AnPM07fmKwZls84H056lb6oAIyi4nzWdJWvjbCpZ3pGMeFzq7pXJglQLZtw4J 6YeFGTG3weTt24wQwBQwCxP4kKfLfm9gZZ/O6xXhLSja79eP5KeCE8JioIepMyf9 /iKAb1FIiG/Gt4pqyxqPjmryPUJqImWt5AkhvwiHuaqO6szjIQQfsocqRBr/5PYk f2AUSjunDIwAeKdWzYfQjAEOerzI9m7KPeh0C71yesCM46Wi8+vaBGQ0/UMQygCt 19T/sXzh/dhVz5j0ULeQiV0K7Or26f4ETAfs9GvVWnd1zidgb4Z0ljOMJMRlG48= =EhgT -----END PGP SIGNATURE----- --------------enig71E331C928852F5DFF8BBF07-- --===============1796672699404589995== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg --===============1796672699404589995==-- From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 13:33:39 2012 Return-Path: X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7249021F85D5 for ; Tue, 21 Aug 2012 13:33:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.364 X-Spam-Level: X-Spam-Status: No, score=-5.364 tagged_above=-999 required=5 tests=[AWL=1.235, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yr0vTPTRSelu for ; Tue, 21 Aug 2012 13:33:38 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id 754A921F85B8 for ; Tue, 21 Aug 2012 13:33:38 -0700 
From: Jeffrey Altman
Organization: Secure Endpoints Inc.
Date: Tue, 21 Aug 2012 16:33:23 -0400
To: jhutz@cmu.edu
Cc: Kerberos WG
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes
Message-ID: <5033F093.8000201@secure-endpoints.com>
In-Reply-To: <1345574941.9464.28.camel@destiny.pc.cs.cmu.edu>

On 8/21/2012 2:49 PM, Jeffrey Hutzelman wrote:
> On Tue, 2012-08-21 at 13:21 -0400, Jeffrey Altman wrote:
>
>> The purpose of the endtime being shorter than the renew_till time is to
>> force the client to contact the Ticket Granting Service within the
>> required "lifetime" to permit the TGS to block continued use of the
>> tickets in case one of the principals has been deactivated.
>
> No, that's not the only purpose.  It also gives operational control
> over the maximum time before a policy change has fully gone into
> effect.  Such policies may affect the issuing and/or renewing of both
> TGTs and service tickets, and may not be as simple as a particular
> client principal being enabled or not.  For example, I may need an
> upper bound on when an enctype policy change has become fully
> effective, or a policy change relating to authorization data included
> in issued tickets.
>
> As an operator, I'd be nervous about replacing a relatively simple,
> easily-understood rule (a policy change is in effect by the time any
> TGT issued prior to it has expired) with one involving complex
> interactions between all of the services a user might have used.

The rule would become

  A policy is in effect by the time any ticket issued prior to it has
  expired.

Your rule assumes that policy changes are enforced upon TGT renewals and
my rule assumes that policy changes are enforced upon all ticket
renewals.  I hope that policy changes are enforced during the issuance
of all tickets and not just TGTs.
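To make the two enforcement rules concrete, here is a constructed Python model (added here; it is not code from anyone in the thread or from any KDC implementation). It assumes a 10-hour ticket lifetime, a 168-hour renew_till, a k5start-style client that renews each ticket an hour before it lapses, and a principal deactivated at hour 24, and reports the last hour at which that principal still holds a usable service ticket under each rule.

```python
from dataclasses import dataclass
from typing import Optional

LIFETIME = 10     # hours a freshly issued or renewed ticket stays valid (assumed)
RENEW_TILL = 168  # hours; renewable lifetime granted to every ticket (assumed)


@dataclass
class Ticket:
    kind: str          # "tgt" or "service"
    endtime: int       # hour at which this ticket instance stops being valid
    renew_till: int    # no renewal may extend the ticket past this hour
    renewable: bool = True


class ToyKDC:
    """Minimal KDC model (constructed). `change_at` is the hour at which the
    client principal is deactivated, i.e. the policy change under discussion.
    `enforce_on_all_renewals` selects the rule: True checks policy on every
    TGS exchange including service-ticket renewals; False checks it only when
    a TGT is issued or renewed and when a new service ticket is issued."""

    def __init__(self, enforce_on_all_renewals: bool, change_at: int):
        self.enforce_all = enforce_on_all_renewals
        self.change_at = change_at

    def policy_ok(self, now: int) -> bool:
        return now < self.change_at

    def as_req(self, now: int) -> Optional[Ticket]:
        """Initial TGT (AS exchange); always subject to policy."""
        if not self.policy_ok(now):
            return None
        return Ticket("tgt", min(now + LIFETIME, RENEW_TILL), RENEW_TILL)

    def tgs_req(self, now: int, tgt: Ticket) -> Optional[Ticket]:
        """New service ticket obtained with a TGT. As in RFC 4120, its endtime
        is capped by the TGT's endtime; policy is checked under both rules."""
        if now >= tgt.endtime or not self.policy_ok(now):
            return None
        return Ticket("service", min(now + LIFETIME, tgt.endtime, RENEW_TILL), RENEW_TILL)

    def renew(self, now: int, t: Ticket) -> Optional[Ticket]:
        """RENEW request presented with the ticket itself; no TGT involved."""
        if not t.renewable or now >= t.endtime or now >= t.renew_till:
            return None
        if (t.kind == "tgt" or self.enforce_all) and not self.policy_ok(now):
            return None
        return Ticket(t.kind, min(now + LIFETIME, t.renew_till), t.renew_till)


def last_usable_hour(enforce_on_all_renewals: bool, change_at: int) -> int:
    """Drive a client that renews each ticket one hour before it expires and
    falls back to a fresh TGS request if a renewal is refused. Returns the last
    hour at which the client still holds a valid service ticket, or -1 if it
    never obtained one (principal deactivated before the first TGS request)."""
    kdc = ToyKDC(enforce_on_all_renewals, change_at)
    tgt = kdc.as_req(0)
    if tgt is None:
        return -1
    svc = kdc.tgs_req(1, tgt)
    if svc is None:
        return -1
    last = -1
    for now in range(1, RENEW_TILL + 1):
        if now < svc.endtime:
            last = now
        # Renew the TGT just before it lapses; a refusal leaves it to expire.
        if now + 1 == tgt.endtime:
            tgt = kdc.renew(now, tgt) or tgt
        # Same for the service ticket; if direct renewal is refused, try the TGT path.
        if now + 1 == svc.endtime:
            renewed = kdc.renew(now, svc)
            if renewed is None and now < tgt.endtime:
                renewed = kdc.tgs_req(now, tgt)
            svc = renewed or svc
    return last


if __name__ == "__main__":
    # Under the all-renewals rule the service ticket dies with the last ticket
    # issued before hour 24 (issued at 18, endtime 28); under the TGT-only rule
    # the service ticket outlives the TGT and runs on until renew_till.
    for rule in (True, False):
        print(f"policy checked on all renewals={rule}: "
              f"service ticket last usable at hour {last_usable_hour(rule, 24)}")
```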
From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 13:40:17 2012
From: Jeffrey Altman
Organization: Secure Endpoints Inc.
Date: Tue, 21 Aug 2012 16:40:08 -0400
To: Kerberos WG
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes
Message-ID: <5033F228.1060503@secure-endpoints.com>
In-Reply-To: <1345574941.9464.28.camel@destiny.pc.cs.cmu.edu>

On 8/21/2012 2:49 PM, Jeffrey Hutzelman wrote:
> On Tue, 2012-08-21 at 13:21 -0400, Jeffrey Altman wrote:
> Furthermore, this violates the expectations of _users_ who, when they
> are aware of expiration at all, expect it to happen a fixed amount of
> time after they log in or otherwise obtain tickets, rather than based on
> when they first talked to a particular service on a particular day.

Most ticket managers such as Network Identity Manager, the Microsoft
Windows LSA, and any site that is making use of k5start (or similar
tools) work very hard to ensure that _users_ are completely unaware of
expiration.  The goal is to make the acquisition and use of Kerberos
tickets invisible to the user.

The only time a user should be aware of the inability to renew is when

 (a) the renew_till lifetime has expired (if the platform enforces that)

 (b) a policy change prevents the further renewal of the TGT (or user
     account in the case of Windows)

The Kerberos community has years of experience with enforcement of
expiration times on application protocols such as those protected by
GSS-API and the conclusion has been that expiration enforcement on
connections is a bad idea because of the usability problems that are
caused.

In my opinion a more secure solution is one that permits the ticket
lifetime to be shorter and the renewable lifetime to be longer providing
the realm administrator a shorter period of time between when policy or
account adjustments are made and when they take effect.

Jeffrey Altman

From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 13:49:11 2012
From: "Henry B. Hotz"
Date: Tue, 21 Aug 2012 13:49:03 -0700
To: Jeffrey Hutzelman
Cc: Kerberos WG
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes
Message-Id: <7409CF0C-0075-4B6E-B874-82BA2C03ACD3@jpl.nasa.gov>
In-Reply-To: <1345574941.9464.28.camel@destiny.pc.cs.cmu.edu>

On Aug 21, 2012, at 11:49 AM, Jeffrey Hutzelman wrote:

> As an operator, I'd be nervous about replacing a relatively simple,
> easily-understood rule (a policy change is in effect by the time any
> TGT issued prior to it has expired) with one involving complex
> interactions between all of the services a user might have used.

+1

KISS

Otherwise you can't analyze the protocol and understand all the implications in all cases.

Let's not forget that some of the people who need to understand the rules and their implications are not Kerberos experts.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 14:08:45 2012
From: "Henry B. Hotz"
Date: Tue, 21 Aug 2012 14:08:21 -0700
Cc: Kerberos WG, jhutz@cmu.edu
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes
Message-Id: <7564F27F-94E4-46BE-B548-2D2703E6B9F6@jpl.nasa.gov>
In-Reply-To: <5033F093.8000201@secure-endpoints.com>

On Aug 21, 2012, at 1:33 PM, Jeffrey Altman wrote:

> Your rule assumes that policy changes are enforced upon TGT renewals and
> my rule assumes that policy changes are enforced upon all ticket
> renewals.  I hope that policy changes are enforced during the issuance
> of all tickets and not just TGTs.

Are there any currently deployed implementations which will directly renew service tickets?  I've always thought the concept of a renewable non-tgt was counter to the design.

Is this aimed at the efficiency problems with Java not caching service tickets?  I thought I saw some traffic about fixing that.  Checking. . .

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 14:18:05 2012
(mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 67E58725 for ; Tue, 21 Aug 2012 16:18:02 -0500 (CDT) Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id 483AF714 for ; Tue, 21 Aug 2012 16:18:02 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 32D777CC09A; Tue, 21 Aug 2012 16:18:02 -0500 (CDT) Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08502-02; Tue, 21 Aug 2012 16:18:02 -0500 (CDT) Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id 171137CC08A for ; Tue, 21 Aug 2012 16:18:02 -0500 (CDT) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AqgDANz5M1ASCRkObGdsb2JhbABFhTq1JSINCgwHO4IgAQEEATo/BQsLGAklDwFHBhOIBwmwRYkEiwgkhngDqGI X-IronPort-AV: E=Sophos;i="4.77,804,1336366800"; d="scan'208";a="189564" Received: from dmz-mailsec-scanner-3.mit.edu ([18.9.25.14]) by mailgateway.anl.gov with ESMTP; 21 Aug 2012 16:18:01 -0500 X-AuditID: 1209190e-b7fb56d0000008b2-07-5033fb089a0e Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id EB.E1.02226.80BF3305; Tue, 21 Aug 2012 17:18:00 -0400 (EDT) Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id q7LLI0HP003347; Tue, 21 Aug 2012 17:18:00 -0400 Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id q7LLHwTF024125 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 21 Aug 2012 17:17:59 -0400 (EDT) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id q7LLHvsS004830; Tue, 21 
Aug 2012 17:17:57 -0400 (EDT) To: "Henry B. Hotz" References: <5033C38E.8070002@secure-endpoints.com> <1345574941.9464.28.camel@destiny.pc.cs.cmu.edu> <5033F093.8000201@secure-endpoints.com> <7564F27F-94E4-46BE-B548-2D2703E6B9F6@jpl.nasa.gov> From: Tom Yu Date: Tue, 21 Aug 2012 17:17:57 -0400 In-Reply-To: <7564F27F-94E4-46BE-B548-2D2703E6B9F6@jpl.nasa.gov> (Henry B. Hotz's message of "Tue, 21 Aug 2012 14:08:21 -0700") Message-ID: Lines: 14 MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpkleLIzCtJLcpLzFFi42IRYrdT1+X4bRxgsOaVmcXu9euYLCafnMBk 8WflJDaL6+/PsTuweJxc85bNY3/rMVaPicv3Abl951kDWKK4bFJSczLLUov07RK4Mia2djMX 3GGt2H/8DGMD41mWLkZODgkBE4kLm1sYIWwxiQv31rN1MXJxCAnsY5RYsGULlLOBUeLTvD9g VUICV5gk1vSGQCS6GCW2fPzEBJIQEVCXuHH4FjuIzSwQK7H2z0ywFcICLhL/Zvxhh2g4BjTp /Q/WLkYODjYBaYmji8tAalgEVCXOts4B6+UUqJf4OvUVWC+vgIVE06/5YDaPAKfE+v5njBBx QYmTM5+wQOzSkrjx7yXTBEbBWUhSs5CkFjAyrWKUTcmt0s1NzMwpTk3WLU5OzMtLLdI11svN LNFLTSndxAgKaU5Jvh2MXw8qHWIU4GBU4uF9McUoQIg1say4MvcQoyQHk5Io78rvxgFCfEn5 KZUZicUZ8UWlOanFhxglOJiVRHj1QHK8KYmVValF+TApaQ4WJXHeKyk3/YUE0hNLUrNTUwtS i2CyMhwcShK8bL+AGgWLUtNTK9Iyc0oQ0kwcnCDDeYCG//gJMry4IDG3ODMdIn+KUVFKnPcT SEIAJJFRmgfXC0s5rxjFgV4R5j0KUsUDTFdw3a+ABjMBDVa7Cja4JBEhJdXAWBDWsPJAV3O3 SWSXQS+H1srDs0O6a76Ki51a1nZu+4K78vdeR2XUbbT9oKk1J+DQ5vWyPsfumyVGXJN9dtbZ daO+JNe0dh3XtlvnnwaarmzqO8l4aDXvZKddPlLO8rYsZxht/sxYrpaRzVDpznP4seVWuw0B jmWfvptOPcDvGXXyQFJIS1uMEktxRqKhFnNRcSIA+mgJLhQDAAA= X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov Cc: Kerberos WG , jhutz@cmu.edu Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes X-BeenThere: ietf-krb-wg@lists.anl.gov X-Mailman-Version: 2.1.14 Precedence: list List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ietf-krb-wg-bounces@lists.anl.gov Sender: ietf-krb-wg-bounces@lists.anl.gov "Henry B. 
Hotz" writes: > On Aug 21, 2012, at 1:33 PM, Jeffrey Altman wrote: > >> Your rule assumes that policy changes are enforced upon TGT renewals and >> my rule assumes that policy changes are enforced upon all ticket >> renewals. I hope that policy changes are enforced during the issuance >> of all tickets and not just TGTs. > > Are there any currently deployed implementations which will directly renew service tickets? I've always thought the concept of a renewable non-tgt was counter to the design. RFC 1510 section 3.3.2 makes it clear that the KDC can renew a non-TGT service ticket. Whether that's a good idea is debatable, but it does appear to be part of the original design. _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 14:57:17 2012 Return-Path: X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E7E421F875A for ; Tue, 21 Aug 2012 14:57:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.072 X-Spam-Level: X-Spam-Status: No, score=-5.072 tagged_above=-999 required=5 tests=[AWL=0.905, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jtGHYApAxY6F for ; Tue, 21 Aug 2012 14:57:16 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id 7556D21F86DE for ; Tue, 21 Aug 2012 14:57:16 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 1AFD145F; Tue, 21 Aug 2012 16:57:16 -0500 (CDT) Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov 
(Postfix) with ESMTP id A2C26727; Tue, 21 Aug 2012 16:57:14 -0500 (CDT) Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 7980554C001; Tue, 21 Aug 2012 16:57:14 -0500 (CDT) X-Original-To: ietf-krb-wg@lists.anl.gov Delivered-To: ietf-krb-wg@lists.anl.gov Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by lists.anl.gov (Postfix) with ESMTP id 7DB5981035 for ; Tue, 21 Aug 2012 16:57:13 -0500 (CDT) Received: by mailhost.anl.gov (Postfix) id 6AD1545F; Tue, 21 Aug 2012 16:57:13 -0500 (CDT) Delivered-To: ietf-krb-wg@anl.gov Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 65338727 for ; Tue, 21 Aug 2012 16:57:13 -0500 (CDT) Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id 46FA145F for ; Tue, 21 Aug 2012 16:57:13 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 2E1037CC08A; Tue, 21 Aug 2012 16:57:13 -0500 (CDT) Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22086-10; Tue, 21 Aug 2012 16:57:13 -0500 (CDT) Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id D718A7CC0B6 for ; Tue, 21 Aug 2012 16:57:12 -0500 (CDT) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Aj4BAI4DNFDQYYRClGdsb2JhbABFhgG0VioBAQEBCQsJCRQDJIIgAQEBAQMSAg8dOQEPCwsNAgImAgIiEgEFARwQCRQOh2uaYAkDimVug0ePQQaBIYlnJINcggqBEohSjQOONj6EHg X-IronPort-AV: E=Sophos;i="4.77,804,1336366800"; d="scan'208";a="192280" Received: from caiajhbdcagg.dreamhost.com (HELO homiemail-a27.g.dreamhost.com) ([208.97.132.66]) by mailgateway.anl.gov with ESMTP; 21 Aug 2012 16:57:12 -0500 Received: from homiemail-a27.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a27.g.dreamhost.com (Postfix) with ESMTP id 
4C48D59805F for ; Tue, 21 Aug 2012 14:57:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=j+pp6QRQqjxru/1JXuHb o+/cnk4=; b=tMYwW/+Tj8IM3ex1qktDB4GnXKxgfoW2yTX0db6aoNI2zmQp+7dd Qmg3KNluNUDHy0eKhokdwlnXcQH986ZseOmREbso7G2mCEJvug2Pl+J2eWjhqDMi TP8qXiBxSSzO1OGorGI+oNuPXMs8XoZal4rxMyNvr88XQo9kCnOW1y4= Received: from mail-vc0-f182.google.com (mail-vc0-f182.google.com [209.85.220.182]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a27.g.dreamhost.com (Postfix) with ESMTPSA id D28BC598057 for ; Tue, 21 Aug 2012 14:57:10 -0700 (PDT) Received: by vcbgb22 with SMTP id gb22so447615vcb.13 for ; Tue, 21 Aug 2012 14:57:10 -0700 (PDT) MIME-Version: 1.0 Received: by 10.58.32.233 with SMTP id m9mr16139138vei.23.1345586229969; Tue, 21 Aug 2012 14:57:09 -0700 (PDT) Received: by 10.220.103.70 with HTTP; Tue, 21 Aug 2012 14:57:09 -0700 (PDT) In-Reply-To: <5033F228.1060503@secure-endpoints.com> References: <5033C38E.8070002@secure-endpoints.com> <1345574941.9464.28.camel@destiny.pc.cs.cmu.edu> <5033F228.1060503@secure-endpoints.com> Date: Tue, 21 Aug 2012 16:57:09 -0500 Message-ID: From: Nico Williams To: jaltman@secure-endpoints.com X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov Cc: Kerberos WG Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes X-BeenThere: ietf-krb-wg@lists.anl.gov X-Mailman-Version: 2.1.14 Precedence: list List-Id: "This is a list for the IETF Kerberos Working Group. 
{WORLDPUB, EXTERNAL}" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ietf-krb-wg-bounces@lists.anl.gov Sender: ietf-krb-wg-bounces@lists.anl.gov On Tue, Aug 21, 2012 at 3:40 PM, Jeffrey Altman wrote: > The Kerberos community has years of experience with enforcement of > expiration times on application protocols such as those protected by > GSS-API and the conclusion has been that expiration enforcement on > connections is a bad idea because of the usability problems that are caused. I am and have been of two minds about this. I'm not happy with apps that allow connections to stay up forever without further efforts to handle revocation. And we have no standard revocation protocol. Oof. But at the same time expiring connections when the tickets used to authenticate expire has been disastrous for usability. All sorts of things go wrong within clock skew of ticket expiration. Two types of problems arise: - bugs around clock skew of ticket expiration, of which there have been too many, sadly - application protocols that can't re-authenticate without reconnecting. Of the latter IMAP has been used as an example before. But IMAP clients can typically recover state quickly enough that reconnection should just be a hiccup (as long as there are no transfers that require so long that the connection always expires first). The filesystem protocols can handle re-authentication. LDAP is pretty much stateless (but don't expire a connection in the middle of a write operation!). ... The former are all just depressing. We had such a bug in the Solaris NFS/RPC stack where every RPC resulted in a new security context when within clock skew of ticket expiration due to a client-side bug. I'm quite sure there have been others. What to do? 
Some possibilities: - expire contexts sometime *after* ticket expiration -- unlikely to make us happy in general, but at least this should steer clear of the bugs I mentioned above - add a protocol for checking the status of a client principal (but this won't work with asymmetric x-realm trusts) - add a revocation protocol (but how to scale to large networks?!) - ??? Of these I prefer the first, but I think we could/should add the second (the service would talk to the client princ's realm using the client's ticket as a second ticket for the TGS-REQ and get an answer indicating whether the client is still live) (but there are privacy issues involved). Nico -- _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 14:59:21 2012 Return-Path: X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4058C21F856C for ; Tue, 21 Aug 2012 14:59:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.599 X-Spam-Level: X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BLuuxVk-62q4 for ; Tue, 21 Aug 2012 14:59:20 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id A2BB121F8567 for ; Tue, 21 Aug 2012 14:59:20 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 15E8545F; Tue, 21 Aug 2012 16:59:20 -0500 (CDT) Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 
A7E9A727; Tue, 21 Aug 2012 16:59:19 -0500 (CDT) Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 81A4754C001; Tue, 21 Aug 2012 16:59:19 -0500 (CDT) X-Original-To: ietf-krb-wg@lists.anl.gov Delivered-To: ietf-krb-wg@lists.anl.gov Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by lists.anl.gov (Postfix) with ESMTP id 73B1781035 for ; Tue, 21 Aug 2012 16:59:17 -0500 (CDT) Received: by mailhost.anl.gov (Postfix) id 65EBE727; Tue, 21 Aug 2012 16:59:17 -0500 (CDT) Delivered-To: ietf-krb-wg@anl.gov Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 5E69A45F for ; Tue, 21 Aug 2012 16:59:17 -0500 (CDT) Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id 5646F727 for ; Tue, 21 Aug 2012 16:59:17 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 410B67CC0A7; Tue, 21 Aug 2012 16:59:17 -0500 (CDT) Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22735-03; Tue, 21 Aug 2012 16:59:17 -0500 (CDT) Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id 2847F7CC08A for ; Tue, 21 Aug 2012 16:59:17 -0500 (CDT) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AicCAI4DNFCAAtnFiWdsb2JhbABFDoUsR7ReIgEBARUSFAUigiABAQEBAyMPAUYQCw4KAgImAgJXBgENBYgNpj+KCokEgSGJZySFZoESA5VSkjpW X-IronPort-AV: E=Sophos;i="4.77,804,1336366800"; d="scan'208";a="192400" Received: from smtp02.srv.cs.cmu.edu ([128.2.217.197]) by mailgateway.anl.gov with ESMTP/TLS/DHE-RSA-AES256-SHA; 21 Aug 2012 16:59:16 -0500 Received: from 173-142-179-52.pools.spcsdns.net (173-142-179-52.pools.spcsdns.net [173.142.179.52]) (authenticated bits=0) by smtp02.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id q7LLtZNj001782 
(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Tue, 21 Aug 2012 17:59:14 -0400 (EDT) References: <5033C38E.8070002@secure-endpoints.com> <1345574941.9464.28.camel@destiny.pc.cs.cmu.edu> <5033F093.8000201@secure-endpoints.com> <7564F27F-94E4-46BE-B548-2D2703E6B9F6@jpl.nasa.gov> User-Agent: K-9 Mail for Android In-Reply-To: MIME-Version: 1.0 From: Jeffrey Hutzelman Date: Tue, 21 Aug 2012 17:55:26 -0400 To: Tom Yu , "Henry B. Hotz" Message-ID: <723be8f7-579f-4ded-9748-3e4e275ee599@email.android.com> X-Scanned-By: mimedefang-cmuscs on 128.2.217.197 X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov Cc: Kerberos WG Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes X-BeenThere: ietf-krb-wg@lists.anl.gov X-Mailman-Version: 2.1.14 Precedence: list List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ietf-krb-wg-bounces@lists.anl.gov Sender: ietf-krb-wg-bounces@lists.anl.gov Tom Yu wrote: >"Henry B. Hotz" writes: > >> On Aug 21, 2012, at 1:33 PM, Jeffrey Altman wrote: >> >>> Your rule assumes that policy changes are enforced upon TGT renewals >and >>> my rule assumes that policy changes are enforced upon all ticket >>> renewals. I hope that policy changes are enforced during the >issuance >>> of all tickets and not just TGTs. >> >> Are there any currently deployed implementations which will directly >renew service tickets? I've always thought the concept of a renewable >non-tgt was counter to the design. > >RFC 1510 section 3.3.2 makes it clear that the KDC can renew a non-TGT >service ticket. Whether that's a good idea is debatable, but it does >appear to be part of the original design. Of course, a KDC my choose not to renew a ticket. But, issuing a renewable ticket which one has no intention of ever renewing is in poor taste. 
From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 15:10:18 2012
From: Nico Williams
To: jaltman@secure-endpoints.com
Cc: Kerberos WG
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes
Date: Tue, 21 Aug 2012 17:09:58 -0500
In-Reply-To: <5033C38E.8070002@secure-endpoints.com>
References: <5033C38E.8070002@secure-endpoints.com>

On Tue, Aug 21, 2012 at 12:21 PM, Jeffrey Altman wrote:
> As part of any revision to RFC 4120, I would like to see this section
> modified.

Note that some client libraries check that the KDC does not exceed the limits you quoted. That means that relaxing them will require a KDC options flag in the request... And it should only be used in KDC-REQs where the body of the request is protected (e.g., TGS-REQs and AS-REQs in a FAST tunnel).

Nico
--
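The client-side check Nico refers to here, as an added Python example; it is not code from the thread or from MIT krb5, Heimdal or any other implementation. The two comparisons model the reply-versus-request checks an MIT krb5 client performs (ticket endtime not later than the requested till, renew-till not later than the requested rtime; MIT reports a failure as KRB5_KDCREP_MODIFIED). The allow_longer option that relaxes them is hypothetical, as are the flat field layout and the integer-second times; body_protected stands for "TGS-REQ, or AS-REQ inside a FAST tunnel".

```python
"""Client-side check of the times in a KDC reply against the request.

Added illustrative code, not from the thread or from MIT krb5, Heimdal or
any other implementation.  The comparisons model the reply-versus-request
checks an MIT krb5 client performs (ticket endtime not later than the
requested till; renew-till not later than the requested rtime).  The
'allow_longer' option used to relax them is hypothetical, as is the flat
field layout; times are integer seconds.
"""
from dataclasses import dataclass
from typing import Optional


class KdcRepModified(Exception):
    """The reply grants more than the client asked for."""


@dataclass(frozen=True)
class KdcReqBody:
    till: int                    # requested endtime; 0 means "KDC decides"
    renewable: bool = False      # KDC option RENEWABLE set in the request
    rtime: Optional[int] = None  # requested renew-till, if renewable
    allow_longer: bool = False   # hypothetical option: KDC may exceed till/rtime


@dataclass(frozen=True)
class TicketTimes:
    starttime: int
    endtime: int
    renew_till: Optional[int] = None


def verify_reply_times(req: KdcReqBody, tkt: TicketTimes, body_protected: bool) -> None:
    """Raise KdcRepModified if the KDC granted more than the client requested.

    body_protected is True for a TGS-REQ (body covered by the authenticator
    checksum) or an AS-REQ inside a FAST tunnel, False for a plain AS-REQ.
    Relaxation is honoured only when the client itself set allow_longer
    *and* the body was protected: with an unprotected body the KDC may have
    answered an altered request, and a reply longer than what the client
    asked for is the only signal of that left to the client.
    """
    if req.allow_longer and body_protected:
        return
    if req.till != 0 and tkt.endtime > req.till:
        raise KdcRepModified("endtime %d later than requested till %d"
                             % (tkt.endtime, req.till))
    if (req.renewable and req.rtime is not None
            and tkt.renew_till is not None and tkt.renew_till > req.rtime):
        raise KdcRepModified("renew-till %d later than requested rtime %d"
                             % (tkt.renew_till, req.rtime))


def reply_is_acceptable(req: KdcReqBody, tkt: TicketTimes, body_protected: bool) -> bool:
    """Boolean wrapper around verify_reply_times for callers and tests."""
    try:
        verify_reply_times(req, tkt, body_protected)
    except KdcRepModified:
        return False
    return True


if __name__ == "__main__":
    # Constructed example: the client asked for 10 hours, the KDC granted 7 days.
    req = KdcReqBody(till=36000)
    long_ticket = TicketTimes(starttime=0, endtime=604800)
    print(reply_is_acceptable(req, long_ticket, body_protected=False))   # False
    print(reply_is_acceptable(KdcReqBody(till=36000, allow_longer=True),
                              long_ticket, body_protected=True))         # True
```

The strict branch is the behaviour Henry calls a bug when it is applied unconditionally: the client rejects a reply on a matter (lifetime policy) that is the KDC's to decide. What the check buys is a tamper signal, since the AS-REQ body is not integrity-protected and a lengthened till in transit shows up as an endtime the client never asked for. Tying the relaxation to the client's own flag and to a protected request body keeps that signal where it still matters.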
From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 15:22:45 2012
From: "Henry B. Hotz"
To: Nico Williams
Cc: Kerberos WG
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes
Date: Tue, 21 Aug 2012 15:22:39 -0700
References: <5033C38E.8070002@secure-endpoints.com>

On Aug 21, 2012, at 3:09 PM, Nico Williams wrote:

> On Tue, Aug 21, 2012 at 12:21 PM, Jeffrey Altman wrote:
>> As part of any revision to RFC 4120, I would like to see this section
>> modified.
>
> Note that some client libraries check that the KDC does not exceed the
> limits you quoted. That means that relaxing them will require a KDC
> options flag in the request... And it should only be used in KDC-REQs
> where the body of the request is protected (e.g., TGS-REQs and AS-REQs
> in a FAST tunnel).
>
> Nico

IMO it's inappropriate (as in: a *bug*) for a client to unconditionally enforce limits which are the KDC's responsibility to enforce. If nothing else, it makes it hard to support edge cases which may violate some letters of the limits, but not the intent or the policy. (I suppose I'm a bit twitchy due to a PKINIT issue I ran into recently.)

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 17:56:25 2012
From: mrex@sap.com (Martin Rex)
To: Nico Williams
Cc: Kerberos WG
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes
Date: Wed, 22 Aug 2012 02:56:15 +0200 (CEST)
Message-Id: <20120822005615.EDEDC1A1A6@ld9781.wdf.sap.corp>
Reply-To: mrex@sap.com

Nico Williams wrote:
>
> But at the same time expiring connections when the tickets used to
> authenticate expire has been disastrous for usability. All sorts of
> things go wrong within clock skew of ticket expiration. Two types of
> problems arise:
>
> - bugs around clock skew of ticket expiration, of which there have
> been too many, sadly
>
> - application protocols that can't re-authenticate without reconnecting.

As there was a "mandatory" security context expiration in MIT Kerberos when we added support for GSS-API to our application, I built support for dealing with replacing an expired security context before it expires. While it has been working OK in principle, we've found some application states where the apps programmers didn't sufficiently plan ahead (to cope with the resulting complexity).

I've also encountered interop problems resulting from incorrect security context lifetime being determined when running on Microsoft Windows under Citrix with the user-specific Citrix timezone hack.

Performing security context renegotiation for GSS-API requires addressing a number of interesting problems:

 - the new security context will typically have to be established in the exact same direction, so when the server/acceptor detects after a longer period of silence that a new security context is required it will have to ask the client/initiator to start a new security context establishment.

 - you may want to limit the security context "renegotiation" (attempts) to near the end of the security context lifetime

 - you may want to start security context "renegotiation" before the current security context expires, so that no protected data "expires in transit" (which would otherwise require application-level retransmission queues). But really, the strict security context expiration in the original MIT Kerberos is a royal PITA about "protected data expiring in transit" when using other than simplistic request/response protocols where the processing of protected data in application-level request queues may get delayed for 10+ minutes.

 - you may want to limit the number/frequency of attempts for renegotiating a new security context so that there is no deadly embrace.

 - there is no point in trying to renegotiate a new security context if that will not be valid any longer than the current security context (when that lifetime is determined by the credentials, and the available credentials have not been updated/renewed since the original/previous security context establishment).

> Of the latter IMAP has been used as an example before. But IMAP
> clients can typically recover state quickly enough that reconnection
> should just be a hiccup (as long as there are no transfers that
> require so long that the connection always expires first). The
> filesystem protocols can handle re-authentication. LDAP is pretty
> much stateless (but don't expire a connection in the middle of a write
> operation!). ...
>
> The former are all just depressing. We had such a bug in the Solaris
> NFS/RPC stack where every RPC resulted in a new security context when
> within clock skew of ticket expiration due to a client-side bug. I'm
> quite sure there have been others.
Bugs like this often happen when testing is limited to black-box testing (product / end-user testing) rather than module testing an white-box testing, where developers watch the real behaviour of their code when they first implement it and whenever they change it, and testing every "feature" and non-trivial combination of features they implement, fully aware of the boundary conditions within their own code. -Martin _______________________________________________ ietf-krb-wg mailing list ietf-krb-wg@lists.anl.gov https://lists.anl.gov/mailman/listinfo/ietf-krb-wg From ietf-krb-wg-bounces@lists.anl.gov Tue Aug 21 18:07:37 2012 Return-Path: X-Original-To: ietfarch-krb-wg-archive@ietfa.amsl.com Delivered-To: ietfarch-krb-wg-archive@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAB8411E8098 for ; Tue, 21 Aug 2012 18:07:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.058 X-Spam-Level: X-Spam-Status: No, score=-5.058 tagged_above=-999 required=5 tests=[AWL=0.919, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5lEl-ZcqWfUf for ; Tue, 21 Aug 2012 18:07:36 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by ietfa.amsl.com (Postfix) with ESMTP id 0F7D011E8091 for ; Tue, 21 Aug 2012 18:07:36 -0700 (PDT) Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 896BC7A7; Tue, 21 Aug 2012 20:07:35 -0500 (CDT) Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 2F6DA7A0; Tue, 21 Aug 2012 20:07:35 -0500 (CDT) Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id D573981048; Tue, 21 Aug 2012 20:07:34 -0500 (CDT) X-Original-To: ietf-krb-wg@lists.anl.gov 
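The renegotiation rules Martin lists above, as an added example that is not code from his message or from any GSS-API implementation: a small Python policy that decides, at a given time, whether this side should start a new context, ask the peer to start one, or keep the current one, plus a check for protected data that would "expire in transit". The thresholds, time values and names are constructed for the example.

```python
"""Decision logic for replacing a GSS-API security context before it expires.

Added example; not code from the message above or from any GSS-API library.
It models the renegotiation rules from the message as a pure function so the
boundary conditions can be tested without a KDC:
  * the new context is established in the same direction, so an acceptor
    that notices the need can only ask the initiator to start one;
  * attempts happen only within a window near the end of the lifetime;
  * the window starts before expiry so in-flight data does not expire in
    transit;
  * attempts are bounded in number and spacing (no deadly embrace);
  * no attempt is made when the new context could not outlive the current
    one because the credentials have not been renewed.
All names and thresholds are constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    INITIATOR = "initiator"
    ACCEPTOR = "acceptor"


class Action(Enum):
    KEEP = "keep using the current context"
    RENEGOTIATE = "initiator starts establishing a new context"
    ASK_INITIATOR = "acceptor asks the initiator to start a new context"
    EXPIRED = "current context has expired"


@dataclass(frozen=True)
class Policy:
    # Constructed thresholds, in seconds; tune per deployment.
    window: float = 600.0            # attempt renegotiation only this close to expiry
    min_gap: float = 60.0            # minimum spacing between attempts
    max_attempts: int = 3            # attempts allowed per context lifetime
    transit_headroom: float = 120.0  # worst-case delay before the peer unwraps data


@dataclass
class ContextState:
    role: Role
    ctx_expiry: float    # when the current security context becomes invalid
    cred_expiry: float   # expiry of the credentials a new context would be built from
    attempts: list = field(default_factory=list)  # timestamps of renegotiation attempts


def decide(state: ContextState, now: float, policy: Policy = Policy()) -> Action:
    """Return what this side should do about context renewal at time `now`."""
    if now >= state.ctx_expiry:
        return Action.EXPIRED
    remaining = state.ctx_expiry - now
    # Rule: renegotiate only near the end of the current lifetime.
    if remaining > policy.window:
        return Action.KEEP
    # Rule: pointless if the new context cannot outlive the current one. Its
    # lifetime is bounded by the credentials, so unrenewed credentials
    # (cred_expiry <= ctx_expiry) mean the attempt would buy nothing.
    if state.cred_expiry <= state.ctx_expiry:
        return Action.KEEP
    # Rule: bound the number and frequency of attempts so neither side ends
    # up in a retry loop with the other.
    if len(state.attempts) >= policy.max_attempts:
        return Action.KEEP
    if state.attempts and now - state.attempts[-1] < policy.min_gap:
        return Action.KEEP
    # Rule: same direction; an acceptor cannot start the new context itself.
    if state.role is Role.ACCEPTOR:
        return Action.ASK_INITIATOR
    return Action.RENEGOTIATE


def record_attempt(state: ContextState, now: float) -> None:
    """Bookkeeping: call when an attempt (or a request to the peer) is sent."""
    state.attempts.append(now)


def safe_to_wrap(state: ContextState, now: float, policy: Policy = Policy()) -> bool:
    """True if data wrapped now is still unwrappable after the worst-case queueing
    delay; otherwise it would expire in transit and need retransmission."""
    return state.ctx_expiry - now > policy.transit_headroom


if __name__ == "__main__":
    # Constructed timeline: context valid until t=3600, credentials until t=7200.
    st = ContextState(Role.INITIATOR, ctx_expiry=3600.0, cred_expiry=7200.0)
    for t in (1800.0, 3050.0, 3080.0, 3200.0, 3400.0, 3550.0, 3601.0):
        act = decide(st, t)
        if act in (Action.RENEGOTIATE, Action.ASK_INITIATOR):
            record_attempt(st, t)
        print(f"t={t:6.0f}  safe_to_wrap={safe_to_wrap(st, t)!s:5}  {act.value}")
```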
From: Nico Williams
To: mrex@sap.com
Cc: Kerberos WG
Date: Tue, 21 Aug 2012 20:07:04 -0500
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes

On Tue, Aug 21, 2012 at 7:56 PM, Martin Rex wrote:
> Performing security context renegotiation for GSS-API requires addressing
> a number of interesting problems:

Considering the GSI GSS mech that is TLS on the wire, and MSFT's API to
TLS which is basically SSPI, and how MSFT handles TLS re-nego in that
API, we could do the same in GSS.  BUT, it'd require app changes.

Nico
From: Jeffrey Hutzelman
To: "Henry B. Hotz"
Cc: Kerberos WG, jhutz@cmu.edu
Date: Tue, 21 Aug 2012 21:35:32 -0400
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes

On Tue, 2012-08-21 at 15:22 -0700, Henry B. Hotz wrote:
> On Aug 21, 2012, at 3:09 PM, Nico Williams wrote:
>
> > On Tue, Aug 21, 2012 at 12:21 PM, Jeffrey Altman wrote:
> >> As part of any revision to RFC 4120, I would like to see this section
> >> modified.
> >
> > Note that some client libraries check that the KDC does not exceed the
> > limits you quoted.  That means that relaxing them will require a KDC
> > options flag in the request...  And it should only be used in KDC-REQs
> > where the body of the request is protected (e.g., TGS-REQs and AS-REQs
> > in a FAST tunnel).
> >
> > Nico
>
> IMO it's inappropriate (as in: a *bug*) for a client to unconditionally
> enforce limits which are the KDC's responsibility to enforce.  If
> nothing else, it makes it hard to support edge cases which may violate
> some letters of the limits, but not the intent or the policy.  (I
> suppose I'm a bit twitchy due to a PKINIT issue I ran into recently.)

Actually, no.  The protocol contains fields to allow a client to place
limits on the lifetime and renew lifetime of tickets it requests, and
the spec requires the KDC to obey those limits.  As a check that these
fields have not been modified in transit, it is reasonable for a client
to verify that the requested limits have not been exceeded.

There is a mechanism for a client to indicate the KDC should use the
maximum lifetime permitted by policy; when this is used, clients should
not expect any particular values back.

-- Jeff
From: "Henry B. Hotz"
To: Jeffrey Hutzelman
Cc: Kerberos WG
Date: Tue, 21 Aug 2012 20:10:26 -0700
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes

On Aug 21, 2012, at 6:35 PM, Jeffrey Hutzelman wrote:

> On Tue, 2012-08-21 at 15:22 -0700, Henry B. Hotz wrote:
>> On Aug 21, 2012, at 3:09 PM, Nico Williams wrote:
>>
>>> On Tue, Aug 21, 2012 at 12:21 PM, Jeffrey Altman wrote:
>>>> As part of any revision to RFC 4120, I would like to see this section
>>>> modified.
>>>
>>> Note that some client libraries check that the KDC does not exceed the
>>> limits you quoted.  That means that relaxing them will require a KDC
>>> options flag in the request...  And it should only be used in KDC-REQs
>>> where the body of the request is protected (e.g., TGS-REQs and AS-REQs
>>> in a FAST tunnel).
>>>
>>> Nico
>>
>> IMO it's inappropriate (as in: a *bug*) for a client to unconditionally
>> enforce limits which are the KDC's responsibility to enforce.  If
>> nothing else, it makes it hard to support edge cases which may violate
>> some letters of the limits, but not the intent or the policy.  (I
>> suppose I'm a bit twitchy due to a PKINIT issue I ran into recently.)
>
> Actually, no.  The protocol contains fields to allow a client to place
> limits on the lifetime and renew lifetime of tickets it requests, and
> the spec requires the KDC to obey those limits.  As a check that these
> fields have not been modified in transit, it is reasonable for a client
> to verify that the requested limits have not been exceeded.

Oh, yeah. . . I remember a bug in that check.

Not really what I was talking about though.  Or, actually, it is.  In
both cases the client was erroneously failing because it was not leaving
checks/modifications to the discretion of the KDC when it should have.

> There is a mechanism for a client to indicate the KDC should use the
> maximum lifetime permitted by policy; when this is used, clients should
> not expect any particular values back.
>
> -- Jeff
>

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
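Jeff's check and Henry's caution above, as an added example that is not code from either message or from any Kerberos implementation: a client-side validation of the times in a decrypted KDC reply that rejects only a ticket whose endtime or renew-till exceeds what the request asked for, treats a KDC-shortened lifetime as legitimate, and skips the comparison when the request used RFC 4120's epoch value in `till` to ask for the policy maximum. The function names and all sample times are constructed.

```python
"""Client-side check of the lifetimes a KDC granted against what was requested.

Added example; not code from the messages above or from any Kerberos
implementation. Rules modelled:
  * the KDC must not grant *more* than the client's `till`/`rtime` limits, so
    an endtime or renew-till beyond them means the request body was altered
    in transit (or the KDC is broken) and the reply is rejected;
  * the KDC may grant *less* (policy clamps lifetimes), so a shorter result is
    legitimate and must not make the client fail;
  * RFC 4120 lets a client put "19700101000000Z" in `till` to ask for the
    maximum lifetime policy permits; then there is no expectation to check.
Function names and all sample times are constructed for this example.
"""
from datetime import datetime, timezone
from typing import Optional

KERBEROS_TIME_FMT = "%Y%m%d%H%M%SZ"        # KerberosTime: UTC GeneralizedTime
MAX_LIFETIME_REQUEST = "19700101000000Z"   # RFC 4120 'till' value: "policy maximum"


class LifetimeExceeded(Exception):
    """The reply grants a longer lifetime than the request allowed."""


def parse_kerberos_time(value: str) -> datetime:
    return datetime.strptime(value, KERBEROS_TIME_FMT).replace(tzinfo=timezone.utc)


def check_reply_lifetimes(req_till: str, req_rtime: Optional[str],
                          rep_endtime: str, rep_renew_till: Optional[str]) -> str:
    """Compare the request's till/rtime with the decrypted reply's endtime/renew-till.

    Returns "max-requested", "as-requested" or "shortened-by-policy";
    raises LifetimeExceeded when the KDC exceeded a limit the client set.
    """
    endtime = parse_kerberos_time(rep_endtime)
    if req_till == MAX_LIFETIME_REQUEST:
        # Client asked for whatever policy allows: no particular value expected.
        verdict = "max-requested"
    else:
        till = parse_kerberos_time(req_till)
        if endtime > till:
            raise LifetimeExceeded(f"endtime {rep_endtime} exceeds requested till {req_till}")
        verdict = "as-requested" if endtime == till else "shortened-by-policy"
    if req_rtime is not None and rep_renew_till is not None:
        # Same rule for the renewable lifetime; a renew-till earlier than rtime
        # is the KDC applying its own maximum, which is allowed.
        if parse_kerberos_time(rep_renew_till) > parse_kerberos_time(req_rtime):
            raise LifetimeExceeded(f"renew-till {rep_renew_till} exceeds requested rtime {req_rtime}")
    return verdict


def reply_is_acceptable(req_till: str, req_rtime: Optional[str],
                        rep_endtime: str, rep_renew_till: Optional[str]) -> bool:
    """Boolean wrapper for callers that only want accept/reject."""
    try:
        check_reply_lifetimes(req_till, req_rtime, rep_endtime, rep_renew_till)
        return True
    except LifetimeExceeded:
        return False


if __name__ == "__main__":
    # Constructed request: ticket until 12:00 UTC, renewable for a week.
    till, rtime = "20120822120000Z", "20120829020000Z"
    replies = {
        "honoured exactly":      ("20120822120000Z", "20120829020000Z"),
        "clamped by KDC policy": ("20120822040000Z", "20120823020000Z"),
        "exceeds till":          ("20120823120000Z", "20120829020000Z"),
        "exceeds rtime":         ("20120822120000Z", "20120905020000Z"),
    }
    for label, (endtime, renew_till) in replies.items():
        try:
            print(f"{label:22}: {check_reply_lifetimes(till, rtime, endtime, renew_till)}")
        except LifetimeExceeded as err:
            print(f"{label:22}: REJECT ({err})")
```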
From: "Henry B. Hotz"
To: Kerberos WG
Cc: Jeffrey Hutzelman
Date: Tue, 21 Aug 2012 20:13:41 -0700
Subject: Re: [Ietf-krb-wg] The usability of service ticket lifetimes

On Aug 21, 2012, at 2:08 PM, Henry B. Hotz wrote:

> Is this aimed at the efficiency problems with Java not caching service
> tickets?  I thought I saw some traffic about fixing that.

Checking. . .

I'm told that Java will now save service tickets within the program, but
not to a ccache.  Have not actually experimented.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
From: Leif Johansson
To: "ietf-krb-wg@anl.gov"
Date: Mon, 27 Aug 2012 22:08:17 +0200
Subject: [Ietf-krb-wg] Fwd: Barry Leiba's No Objection on draft-ietf-krb-wg-kdc-model-14: (with COMMENT)

This comment from Barry warrants discussion in the WG I think...

Cheers Leif

-------- Original Message --------
Subject: Barry Leiba's No Objection on draft-ietf-krb-wg-kdc-model-14: (with COMMENT)
Resent-Date: Mon, 27 Aug 2012 21:53:07 +0200
Resent-From: barryleiba@computer.org
Resent-To: leifj@sunet.se, larry.zhu@microsoft.com, jhutz@cmu.edu, hartmans-ietf@mit.edu
Date: Mon, 27 Aug 2012 12:52:50 -0700
From: Barry Leiba
To: The IESG
CC: krb-wg-chairs@tools.ietf.org, draft-ietf-krb-wg-kdc-model@tools.ietf.org

Barry Leiba has entered the following ballot position for
draft-ietf-krb-wg-kdc-model-14: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

These are non-blocking, but please consider them seriously, and feel
free to chat with me about them:

I find Section 2 to be rather odd.  I don't like the way you say that
the terms are used as defined in 2119, and then go on to say, "Oh, but
they're really not, and here's what we mean."  I would *greatly* prefer
that you eliminate the 2119 boilerplate and reference, and simply define
the terms here, as you mean them.

-- Section 4.1 --

   The Principal MUST be implemented in full and MUST NOT be OPTIONAL in
   an implementation

I think the combination of not-really-2119 terms here is confusing:
"MUST NOT be OPTIONAL".  Maybe the right fix here is just to use
lower-case "optional".  Or, better, maybe just this:  "The Principal
MUST be implemented in full, as a required part of every
implementation."

-- Section 4.3 --

Similarly, make "MUST NOT REQUIRE" into "MUST NOT require", probably.