Subject: Re: [imi] Token profile issue with AppliesTo and AudienceRestriction
So if an Issuer gives a user a SAML 1.1 auditing mode card and the selector properly sends the RequiresAppliesTo, it would be OK for the STS to ignore that and perhaps send a different token type than requested, e.g. SAML 2.0 with no audience restriction?

I can see the server ignoring a token type in the RST if it doesn't support that token type and the user agent is broken.

Completely disregarding the meta-data from the card seems a touch excessive. It probably makes more sense in the WS-Fed case.

The ICAM profile assumes the STS is well behaved, and attempted not to duplicate the spec itself.

If the specs don't require the STS to honour the RST then we will need to revisit the IMI profile, unless the SAML 1.1 profile covers it.

John B.

On 2009-12-15, at 9:53 PM, Anthony Nadalin wrote:

> The STS (WS-Trust) is under the model that the Server Makes Right, just because the RST has it there is ZERO guarantee that the RSTR will reflect any of the RST
>
> From: John Bradley [mailto:jbradley@mac.com]
> Sent: Tuesday, December 15, 2009 11:22 AM
> To: Mike Jones
> Cc: 'imi@lists.oasis-open.org'
> Subject: Re: [imi] Token profile issue with AppliesTo and AudienceRestriction
>
> The wsp:AppliesTo element in the RST is set by the user agent based on the card.
>
> The issuer has three choices 11.7
>
> The Issuer has complete control over everything but the optional case.
>
> I think if the issuer has issued an Auditing or Auditing optional card they MUST honour the ic:RequireAppliesTo in the RST.
>
> If that is not a requirement of the SAML 1.1 tokens I will need to revisit the ICAM profile.
> We would need to make it a requirement if it is not covered in the IMI spec.
>
> We say the card must have the ic:RequireAppliesTo, I don't think we called out that the STS must honour it.
>
> If the RP issues unscoped tokens it shouldn't issue cards that say they support scoped tokens.
>
> John B.
> On 2009-12-15, at 3:13 PM, Mike Jones wrote:
>
> The SAML 2.0 token profile currently says:
> If the request contains a <wsp:AppliesTo> element, then a <saml:AudienceRestriction> containing a <saml:Audience> element MUST be included with the value of that element.
>
> As part of the review of the draft SAML 1.1 token profile, Arun Nanda commented: “This is overkill IMO. If an IdP is an open IdP that issues ‘unscoped’ tokens for consumption by any RP, it should not be forced to encode an audience in the issued token just because the request included it. So, maybe SHOULD is preferred here…”
>
> I tend to agree with Arun. I think we should make this change. That’s the language I’m using in the 1.1 profile. After discussion, I’ll file an issue about this too.
>
> -- Mike
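A relying-party-side check for the situation this thread discusses, where the STS may or may not reflect the request's wsp:AppliesTo as an audience restriction in the issued SAML 1.1 or SAML 2.0 token. This is an added example, not code from the thread or from the IMI or ICAM profiles: the function names, the `require_scoped` policy flag, the RP identifier and the sample assertions are constructed, and the assertion is assumed to have passed signature validation before this check runs.

```python
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"
# The restriction element is named differently in the two token versions.
RESTRICTION = {SAML11: "AudienceRestrictionCondition", SAML20: "AudienceRestriction"}


def audience_scope(assertion_xml, rp_id):
    """Return 'scoped', 'unscoped' or 'mismatch' for an already-verified assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag.startswith("{"):
        ns, _, local = root.tag[1:].partition("}")
    else:
        ns, local = "", root.tag
    if local != "Assertion" or ns not in RESTRICTION:
        raise ValueError("not a SAML 1.1 or SAML 2.0 assertion")
    conditions = root.find(f"{{{ns}}}Conditions")
    restrictions = []
    if conditions is not None:
        restrictions = conditions.findall(f"{{{ns}}}{RESTRICTION[ns]}")
    if not restrictions:
        return "unscoped"  # the STS did not encode any audience
    for restriction in restrictions:
        # Audiences inside one restriction are alternatives; separate
        # restrictions must all be satisfied.
        audiences = {(a.text or "").strip()
                     for a in restriction.findall(f"{{{ns}}}Audience")}
        if rp_id not in audiences:
            return "mismatch"
    return "scoped"


def accept_token(assertion_xml, rp_id, require_scoped):
    """RP policy: never accept a token scoped elsewhere; accept an
    unscoped token only when the RP does not insist on scoping."""
    scope = audience_scope(assertion_xml, rp_id)
    if scope == "mismatch":
        return False
    if scope == "unscoped":
        return not require_scoped
    return True


# Constructed sample data (trimmed assertions, not schema-complete).
RP = "https://rp.example/consumer"    # hypothetical RP identifier
OTHER = "https://other.example/"      # hypothetical second RP


def _assertion(ns, conditions_body):
    return (f'<Assertion xmlns="{ns}"><Conditions>{conditions_body}'
            f'</Conditions></Assertion>')


def _restrict(tag, *audiences):
    inner = "".join(f"<Audience>{a}</Audience>" for a in audiences)
    return f"<{tag}>{inner}</{tag}>"


SCOPED_20 = _assertion(SAML20, _restrict("AudienceRestriction", RP))
UNSCOPED_20 = _assertion(SAML20, "")
SCOPED_11 = _assertion(SAML11, _restrict("AudienceRestrictionCondition", RP))
# Two restrictions: the first admits RP, the second does not, so RP fails.
DOUBLE_20 = _assertion(SAML20, _restrict("AudienceRestriction", RP, OTHER)
                       + _restrict("AudienceRestriction", OTHER))

if __name__ == "__main__":
    samples = [("SAML 2.0 scoped", SCOPED_20), ("SAML 2.0 unscoped", UNSCOPED_20),
               ("SAML 1.1 scoped", SCOPED_11), ("SAML 2.0 double", DOUBLE_20)]
    for name, xml in samples:
        print(name, audience_scope(xml, RP), accept_token(xml, RP, True))
```

The audience comparison is an exact string match, so the RP identifier must be configured exactly as it appears in the wsp:AppliesTo address the selector sends.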