OASIS Mailing List Archives

 



imi message



Subject: Re: [imi] Token profile issue with AppliesTo and AudienceRestriction


Tony,

If auditing mode was used then the token is opaque to the selector, so the user would not know if the IdP were sending additional claims.

I understand the logic but we need to be careful that when we promote info-cards as user centric and privacy preserving, that is what we are delivering.

From an interoperability point of view STS being predictable is good. Not respecting the RST is OK if both parties have an agreement. Re token type, proof Keys etc.

It is where we start bypassing the card/claims selection process and perhaps impacting user disclosure and consent that I have real concerns.


If the IMI profiles allow STS to not respect claims in the RST then other profiles will need to address it.
This is in some ways more of a policy issue than a technical one.

John B.


On 2009-12-16, at 1:07 PM, Anthony Nadalin wrote:

> So the parameters on the RST MAY be returned on the RSTR (which means that the STS may have not honored the RST), so I don’t see anything in the IMI profile that would profile this allowed behavior, so right now an STS could override anything that is in the RST and still be within bounds, the RSTR should be checked to see if what is requested is what is returned.
>
> You can have the case where the entity requested a Kerberos Token for Application X and sends the RST over to the STS and the STS knows the policy (Application X MEX Endpoint) from Application X and Application X does not support Kerberos only UNP so does the STS fail the request or return a UPN token and allow the entity to continue?
>
> From: John Bradley [mailto:jbradley@mac.com]
> Sent: Wednesday, December 16, 2009 7:56 AM
> To: Anthony Nadalin
> Cc: Mike Jones; 'imi@lists.oasis-open.org'
> Subject: Re: [imi] Token profile issue with AppliesTo and AudienceRestriction
>
> Tony,
>
> I think that is reasonable.
>
> However with cards we have introduced another expectation. If the selector can't count on the STS respecting what it has put in the card it has given to the user, then the ability of the selector to act as a privacy tool is compromised.
>
> I can see WS-Fed giving the selector more latitude.
>
> The question is should the IMI profiles constrain that by saying if the issuer puts RequireAppliesTo in the card and it receives it in the RST it MUST respect the request.
>
> To be fair because of some feedback from Vittorio the ICAM profile in Sec 3.5 is specific about what the STS MUST do when it receives wsp:AppliesTo.
>
> What is perhaps underspecified is restricting the STS from sending claims that are requested, we had that in openID but thought it was unnecessary for IMI. We also made the assumption the STS would always return the token type from the request.
>
> I can't do anything about WS-Fed, so unless the IMI profiles specify the STS behaviour, it will need to be clarified in the ICAM profile.
>
> Are there other things that the STS might override the selector on?
>
> John B.
>
> On 2009-12-16, at 12:33 PM, Anthony Nadalin wrote:
>
> Not sure what a well-behaved STS really is, as you can take the case where an entity requests a token with a life span of 100 days, but the STS policy is max life span at 50 days, does the STS fault and return nothing or return an RSTR with a token that has a life span of 50 days? WS-Trust was made flexible to abide by policy that can be used to guide the RST and RSTR.
>
> From: John Bradley [mailto:jbradley@mac.com]
> Sent: Tuesday, December 15, 2009 6:07 PM
> To: Anthony Nadalin
> Cc: Mike Jones; 'imi@lists.oasis-open.org'
> Subject: Re: [imi] Token profile issue with AppliesTo and AudienceRestriction
>
> So if an Issuer gives a user a SAML 1.1 auditing mode card and the selector properly sends the RequireAppliesTo, it would be OK for the STS to ignore that and perhaps send a different token type than requested, e.g. SAML 2.0 with no audience restriction?
>
> I can see the server ignoring a token type in the RST if it doesn't support that token type and the user agent is broken.
>
> Completely disregarding the meta-data from the card seems a touch excessive. It probably makes more sense in the WS-Fed case.
>
> The ICAM profile assumes the STS is well behaved, and attempted not to duplicate the spec itself.
>
> If the specs don't require the STS to honour the RST then we will need to revisit the IMI profile, unless the SAML 1.1 profile covers it.
>
> John B.
>
> On 2009-12-15, at 9:53 PM, Anthony Nadalin wrote:
>
> The STS (WS-Trust) is under the model that the Server Makes Right, just because the RST has it there is ZERO guarantee that the RSTR will reflect any of the RST.
>
> From: John Bradley [mailto:jbradley@mac.com]
> Sent: Tuesday, December 15, 2009 11:22 AM
> To: Mike Jones
> Cc: 'imi@lists.oasis-open.org'
> Subject: Re: [imi] Token profile issue with AppliesTo and AudienceRestriction
>
> The wsp:AppliesTo element in the RST is set by the user agent based on the card.
>
> The issuer has three choices (11.7).
>
> The Issuer has complete control over everything but the optional case.
>
> I think if the issuer has issued an Auditing or Auditing-optional card they MUST honour the ic:RequireAppliesTo in the RST.
>
> If that is not a requirement of the SAML 1.1 tokens I will need to revisit the ICAM profile.
> We would need to make it a requirement if it is not covered in the IMI spec.
>
> We say the card must have the ic:RequireAppliesTo, I don't think we called out that the STS must honour it.
>
> If the RP issues unscoped tokens it shouldn't issue cards that say they support scoped tokens.
>
> John B.
> On 2009-12-15, at 3:13 PM, Mike Jones wrote:
>
> The SAML 2.0 token profile currently says:
> If the request contains a <wsp:AppliesTo> element, then a <saml:AudienceRestriction> containing a <saml:Audience> element MUST be included with the value of that element.
>
> As part of the review of the draft SAML 1.1 token profile, Arun Nanda commented: “This is overkill IMO. If an IdP is an open IdP that issues ‘unscoped’ tokens for consumption by any RP, it should not be forced to encode an audience in the issued token just because the request included it. So, maybe SHOULD is preferred here…”
>
> I tend to agree with Arun. I think we should make this change. That’s the language I’m using in the 1.1 profile. After discussion, I’ll file an issue about this too.
>
> -- Mike
>
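Two points in the thread can be made concrete on the relying side: Tony's remark that "the RSTR should be checked to see if what is requested is what is returned", and the SAML 2.0 token profile rule Mike quotes (an RST carrying <wsp:AppliesTo> must yield a token whose <saml:AudienceRestriction> names that value). The following is an added example, not code from the IMI TC, from any of the thread's authors or from the profiles they discuss. It assumes a selector or RP that receives both the RST it sent and the RSTR it got back; the RST/RSTR XML is constructed for the example, and the namespace URIs are those of WS-Trust 1.3, WS-Policy, WS-Addressing and SAML 2.0. It flags the "unscoped token" case Arun describes and a token type the STS changed, the two overrides the thread worries about.

```python
import xml.etree.ElementTree as ET

# Namespace URIs for WS-Trust 1.3, WS-Policy, WS-Addressing and SAML 2.0 assertions.
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _text(node, path):
    """Stripped text of the first element matching `path` under `node`, or None."""
    found = node.find(path, NS)
    if found is None or found.text is None:
        return None
    return found.text.strip()


def rst_expectations(rst_xml):
    """What the selector asked for: the TokenType and the wsp:AppliesTo address."""
    root = ET.fromstring(rst_xml)
    return {
        "token_type": _text(root, "wst:TokenType"),
        "applies_to": _text(root, "wsp:AppliesTo/wsa:EndpointReference/wsa:Address"),
    }


def rstr_facts(rstr_xml):
    """What the STS returned: the TokenType and every saml:Audience in the issued token."""
    root = ET.fromstring(rstr_xml)
    audiences = []
    token = root.find("wst:RequestedSecurityToken", NS)
    if token is not None:
        audiences = [a.text.strip() for a in token.findall(".//saml:Audience", NS) if a.text]
    return {"token_type": _text(root, "wst:TokenType"), "audiences": audiences}


def check_rstr(rst_xml, rstr_xml):
    """Return the ways the RSTR departs from the RST (an empty list means consistent).

    The audience rule is the SAML 2.0 token profile text quoted in the thread:
    an RST with wsp:AppliesTo must yield a token whose AudienceRestriction names
    that value. A token naming no Audience at all is the "unscoped" case.
    """
    want = rst_expectations(rst_xml)
    got = rstr_facts(rstr_xml)
    problems = []
    if want["token_type"] and got["token_type"] != want["token_type"]:
        problems.append(f"token type: requested {want['token_type']}, got {got['token_type']}")
    if want["applies_to"]:
        if not got["audiences"]:
            problems.append(
                f"audience restriction missing: RST AppliesTo {want['applies_to']} "
                "but the issued token names no saml:Audience (unscoped token)")
        elif want["applies_to"] not in got["audiences"]:
            problems.append(
                f"audience mismatch: RST AppliesTo {want['applies_to']}, "
                f"token audiences {got['audiences']}")
    return problems


# Constructed sample messages for the example (not captured from a real exchange).
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

RST = f"""<wst:RequestSecurityToken xmlns:wst="{NS['wst']}" xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
  <wst:RequestType>{NS['wst']}/Issue</wst:RequestType>
  <wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType>
  <wsp:AppliesTo>
    <wsa:EndpointReference><wsa:Address>https://rp.example/</wsa:Address></wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityToken>"""

RSTR_SCOPED = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{NS['wst']}" xmlns:saml="{NS['saml']}">
  <wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType>
  <wst:RequestedSecurityToken>
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-12-16T18:07:00Z">
      <saml:Issuer>https://idp.example/</saml:Issuer>
      <saml:Conditions>
        <saml:AudienceRestriction><saml:Audience>https://rp.example/</saml:Audience></saml:AudienceRestriction>
      </saml:Conditions>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""

# The same STS ignoring AppliesTo and issuing an unscoped token.
RSTR_UNSCOPED = RSTR_SCOPED.replace(
    "<saml:AudienceRestriction><saml:Audience>https://rp.example/</saml:Audience></saml:AudienceRestriction>", "")

if __name__ == "__main__":
    for name, rstr in (("scoped", RSTR_SCOPED), ("unscoped", RSTR_UNSCOPED)):
        print(name, check_rstr(RST, rstr) or "consistent with RST")
```

The check is deliberately independent of whatever the IMI or ICAM profiles end up requiring of the STS: whether the profile says MUST or SHOULD, a selector that compares the RSTR against its own RST before presenting the token can refuse, or warn the user about, a token that is unscoped or of a different type than the card promised, which is the disclosure and consent concern John raises above.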


because the request included it. So, may be SHOULD is preferred =
here=85=94</span><o:p></o:p></div></div></div></div><div><div><div><div =
style=3D"margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; =
margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', =
serif; "><span style=3D"font-size: 11pt; font-family: Calibri, =
sans-serif; =
">&nbsp;</span><o:p></o:p></div></div></div></div><div><div><div><div =
style=3D"margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; =
margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', =
serif; "><span style=3D"font-size: 11pt; font-family: Calibri, =
sans-serif; ">I tend to agree with Arun.&nbsp; I think we should make =
this change.&nbsp; That=92s the language I=92m using in the 1.1 =
profile.&nbsp; After discussion, I=92ll file an issue about this =
too.</span><o:p></o:p></div></div></div></div><div><div><div><div =
style=3D"margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; =
margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', =
serif; "><span style=3D"font-size: 11pt; font-family: Calibri, =
sans-serif; =
">&nbsp;</span><o:p></o:p></div></div></div></div><div><div><div><div =
style=3D"margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; =
margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', =
serif; "><span style=3D"font-size: 11pt; font-family: Calibri, =
sans-serif; =
">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp; -- =
Mike</span><o:p></o:p></div></div></div></div><div><div><div><div =
style=3D"margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; =
margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', =
serif; "><span style=3D"font-size: 11pt; font-family: Calibri, =
sans-serif; =
">&nbsp;</span><o:p></o:p></div></div></div></div></div></div></div><div><=
div><div style=3D"margin-top: 0in; margin-right: 0in; margin-bottom: =
0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New =
Roman', serif; =
">&nbsp;<o:p></o:p></div></div></div></div></div></div></div></div><div><d=
iv style=3D"margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; =
margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', =
serif; ">&nbsp;<o:p></o:p></div></div></div></div></div></div><div =
style=3D"margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; =
margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', =
serif; =
"><o:p>&nbsp;</o:p></div></div></div></div></span></blockquote></div><br><=
/div></div></body></html>=

--Apple-Mail-60--794186548--

--Apple-Mail-61--794186384--
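The quoted profile text ties a `<wsp:AppliesTo>` in the RST to a `<saml:AudienceRestriction>` in the issued token, and the thread disagrees on whether that should be MUST or SHOULD. The check below is an added example (my own code, not from this thread, the IMI profiles or any OASIS implementation) showing what a selector or relying party can verify either way: that a token returned for a scoped request is scoped to the address that was requested, and that an unscoped token is only accepted when the verifier has explicitly chosen the SHOULD reading. The WS-Trust, WS-Policy, WS-Addressing and SAML 2.0 namespace URIs are the standard ones; the RST and assertion documents are constructed samples, unsigned, so signature validation (which must precede any of this in practice) is out of scope here.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Standard namespace URIs (WS-Trust 1.3, WS-Policy, WS-Addressing 1.0, SAML 2.0).
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample RST: the requester names the RP the token is for.
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{NS['wst']}"
    xmlns:wsp="{NS['wsp']}" xmlns:wsa="{NS['wsa']}">
  <wst:RequestType>{NS['wst']}/Issue</wst:RequestType>
  <wsp:AppliesTo>
    <wsa:EndpointReference>
      <wsa:Address>https://rp.example/</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityToken>"""

# Constructed sample RST without AppliesTo: the profile text imposes no
# audience requirement on the token in this case.
SAMPLE_RST_NO_APPLIESTO = f"""<wst:RequestSecurityToken xmlns:wst="{NS['wst']}">
  <wst:RequestType>{NS['wst']}/Issue</wst:RequestType>
</wst:RequestSecurityToken>"""


def sample_assertion(audience: Optional[str]) -> str:
    """Build a constructed, unsigned SAML 2.0 assertion; audience=None gives
    an 'unscoped' token with no <saml:AudienceRestriction> at all."""
    conditions = ""
    if audience is not None:
        conditions = ("<saml:Conditions><saml:AudienceRestriction>"
                      f"<saml:Audience>{audience}</saml:Audience>"
                      "</saml:AudienceRestriction></saml:Conditions>")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0" '
            'ID="_sample1" IssueInstant="2009-12-16T18:07:00Z">'
            "<saml:Issuer>https://sts.example/</saml:Issuer>"
            "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
            f"{conditions}</saml:Assertion>")


def applies_to_address(rst_xml: str) -> Optional[str]:
    """Return the wsa:Address inside wsp:AppliesTo of an RST, or None."""
    root = ET.fromstring(rst_xml)
    node = root.find(".//wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
    if node is None or not node.text:
        return None
    return node.text.strip()


def assertion_audiences(assertion_xml: str) -> List[str]:
    """Collect every saml:Audience under saml:Conditions/saml:AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]


def check_audience(assertion_xml: str, expected_audience: str,
                   require_scoping: bool = True) -> Tuple[bool, str]:
    """Verify that a token issued for expected_audience is usable only there.

    require_scoping=True  : the MUST reading; a token with no AudienceRestriction
                            is rejected when the request was scoped.
    require_scoping=False : the SHOULD reading; an unscoped token is accepted,
                            but a token scoped to a *different* audience is
                            still rejected, so it cannot be replayed across RPs.
    """
    audiences = assertion_audiences(assertion_xml)
    if not audiences:
        if require_scoping:
            return False, "request was scoped but token carries no AudienceRestriction"
        return True, "unscoped token accepted by local policy"
    if expected_audience in audiences:
        return True, "token scoped to the requested audience"
    return False, f"token scoped to {audiences}, not to {expected_audience}"


def selector_check(rst_xml: str, assertion_xml: str,
                   require_scoping: bool = True) -> Tuple[bool, str]:
    """Compare what was asked for (RST) with what came back (issued token)."""
    expected = applies_to_address(rst_xml)
    if expected is None:
        return True, "RST carried no AppliesTo; no audience requirement applies"
    return check_audience(assertion_xml, expected, require_scoping)


if __name__ == "__main__":
    for label, token in (("scoped", sample_assertion("https://rp.example/")),
                         ("unscoped", sample_assertion(None)),
                         ("other-rp", sample_assertion("https://other.example/"))):
        for strict in (True, False):
            ok, why = selector_check(SAMPLE_RST, token, require_scoping=strict)
            print(f"{label:9} require_scoping={strict!s:5} -> {ok} ({why})")
```

The `require_scoping=False` branch is where the thread's concern lives: an open IdP that declines to encode the audience hands out a token any RP would accept, so a verifier that relaxes the MUST should do so as an explicit, logged policy decision rather than by silently skipping the check.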

