From mboxrd@z Thu Jan 1 00:00:00 1970
From: Baptiste
To: notmuch@notmuchmail.org
Subject: Smime signature verification in Notmuch - Emacs
Date: Mon, 03 Mar 2014 18:29:23 +0100
Message-ID: <87y50r42do.fsf@bat.fr.eu.org>

Hi,

I made a little Emacs advice for notmuch-show-insert-part-multipart/signed to deal with mails signed with SMIME mechanism. It calls openssl to create missing :sigstatus.

Here it is: https://github.com/bateast/notmuch-openssl
(it is an org-file, in Emacs, use org-babel-tangle on it to extract the .el).

You are welcomed to make any comment.

Thanks,


~^v^~ Bat

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Kahn Gillmor
To: Baptiste, notmuch@notmuchmail.org
Subject: Re: Smime signature verification in Notmuch - Emacs
Date: Tue, 11 Mar 2014 14:03:09 -0400
Message-ID: <531F4FDD.6000506@fifthhorseman.net>
In-Reply-To: <87y50r42do.fsf@bat.fr.eu.org>

Hi Baptiste--

On 03/03/2014 12:29 PM, Baptiste wrote:
> I made a little |Emacs| advice for |notmuch-show-insert-part-multipart/signed|
> to deal with mails signed with /SMIME/ mechanism. It calls /openssl/ to create
> missing :sigstatus.
>
> Here it is : https://github.com/bateast/notmuch-openssl
> (it is an org-file, in |Emacs|, use /org-babel-tangle/ on it to extract the .el).
>
> You are welcomed to make any comment.

i'm interested in the functionality you're describing, but i confess i'm
confused by the syntax of your e-mail and the structure of the file in
question, as well as how you think it should be related to the notmuch
project. This might all be obvious to other people; sorry for my confusion!

Do you think this should be integrated into notmuch and shipped with it?
if so, can you provide it as a standard patch for folks here to review?

Some questions worth documenting if possible:

 * do you expect this to work for S/MIME encrypted messages as well as
   S/MIME signed messages?

 * is there a reason to do this only in emacs? PGP/MIME-signed (and
   -encrypted) messages can be parsed directly by libnotmuch so they are
   useful in other contexts as well

 * what key management model does this code assume and/or enforce? how do
   we know which keys belong to which users?

Thanks for working on notmuch!

Regards,

--dkg

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Kahn Gillmor
To: Baptiste, notmuch@notmuchmail.org
Subject: Re: Smime signature verification in Notmuch - Emacs
Date: Fri, 14 Mar 2014 11:14:52 -0400
Message-ID: <53231CEC.6070101@fifthhorseman.net>
In-Reply-To: <87siqlrqq8.fsf@bat.fr.eu.org>

Hi Baptiste--

On 03/14/2014 06:58 AM, Baptiste wrote:
> firstly, sorry for my previous mail, you are right, it was broken. This one
> should be better.

i didn't mean to imply it was broken at all. i haven't tested it :)

> Truly, it would be better to implement it directly in notmuch core.

i agree with this.

> Signature verification just present a line with the signature owner and the
> trust chain status (/green/ for good verification, /orange/ for self signed only
> signature). No verification is made today against :From field.

what does "good verification" mean? This seems to imply that there is a
trusted root store used. how does the user configure this trust store?
what about non-self-signed and unvalidated certificates? (e.g. certs by
unknown issuers, certs by known but untrusted issuers, certs with unknown
signature algorithms, certs without proper EKUs for creating S/MIME
signatures, etc.)

> (green) [ Good signature by: bateast@bat.fr.eu.org - 08F4ED ]
> (orange) [ Good signature by key: 0x08F4ED self signed for bateast@bat.fr.eu.org ]

the use of 08F4ED here is a bit confusing. i see from further below that
this refers to the serial number of the cert; but serial numbers are not
guaranteed to be unique (they are supposed to be unique across issuers, but
most root trust stores (and X.509 chains) can accept certifications from
different issuers). what does displaying this information do for the user?

> My opinion is that S/MIME is more and more widely used today, and then relying
> only on gpg for signature or encryption is a bit rough.

I agree that S/MIME support would be nice; i think implementing it in the
notmuch core is the way to go.
fwiw, gmime already has a cryptocontext that is supposed to handle S/MIME;
it just needs proper integration, similar to the PGP/MIME integration in
notmuch core:

 https://developer.gnome.org/gmime/stable/GMimePkcs7Context.html

This has been on my plate for, uh, over a year now, but clearly i haven't
gotten to it, and would be happy if someone else wanted to pick it up.

--dkg

From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Bremner
To: Daniel Kahn Gillmor, Baptiste, notmuch@notmuchmail.org
Subject: Re: Smime signature verification in Notmuch - Emacs
Date: Fri, 14 Mar 2014 15:08:13 -0300
Message-ID: <8761ngfyb6.fsf@tethera.net>
In-Reply-To: <53231CEC.6070101@fifthhorseman.net>

Daniel Kahn Gillmor writes:

>
> I agree that S/MIME support would be nice; i think implementing it in
> the notmuch core is the way to go. fwiw, gmime already has a
> cryptocontext that is supposed to handle S/MIME; it just needs proper
> integration, similar to the PGP/MIME integration in notmuch core:
>
> https://developer.gnome.org/gmime/stable/GMimePkcs7Context.html
>
> This has been on my plate for, uh, over a year now, but clearly i
> haven't gotten to it, and would be happy if someone else wanted to pick
> it up.

Like Jamie did?

id:1340995101-9616-1-git-send-email-jrollins@finestructure.net

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Kahn Gillmor
To: David Bremner, Baptiste, notmuch@notmuchmail.org
Subject: Re: Smime signature verification in Notmuch - Emacs
Date: Fri, 14 Mar 2014 14:12:21 -0400
Message-ID: <53234685.7020308@fifthhorseman.net>
In-Reply-To: <8761ngfyb6.fsf@tethera.net>

On 03/14/2014 02:08 PM, David Bremner wrote:
> Daniel Kahn Gillmor writes:
>>
>> I agree that S/MIME support would be nice; i think implementing it in
>> the notmuch core is the way to go. fwiw, gmime already has a
>> cryptocontext that is supposed to handle S/MIME; it just needs proper
>> integration, similar to the PGP/MIME integration in notmuch core:
>>
>> https://developer.gnome.org/gmime/stable/GMimePkcs7Context.html
>>
>> This has been on my plate for, uh, over a year now, but clearly i
>> haven't gotten to it, and would be happy if someone else wanted to pick
>> it up.
>
> Like Jamie did?
>
> id:1340995101-9616-1-git-send-email-jrollins@finestructure.net

that message has an "ahem, dkg" -- it's waiting on me for something -- a
test suite, i guess?

sigh. like i said, years and years. if anyone wants to pass a test suite
for jamie's code, that'd be great.

(I'm S/MIME-signing this message with some wacky comodo cert out of sheer
perversity)

--dkg

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Baptiste
To: Daniel Kahn Gillmor, notmuch@notmuchmail.org
Subject: Re: Smime signature verification in Notmuch - Emacs
Date: Fri, 14 Mar 2014 11:58:55 +0100
Message-ID: <87siqlrqq8.fsf@bat.fr.eu.org>
In-Reply-To: <531F4FDD.6000506@fifthhorseman.net>

Hi,

thank you for your answer.

firstly, sorry for my previous mail, you are right, it was broken. This one should be better.

Anyway, my goal was to make S/MIME messages to work with notmuch. Actually, I am not looking to modify directly notmuch (well, I have no good reason for not doing it), so I hooked the notmuch emacs interface. It does work today with S/MIME signature and I am currently working on encryption, though I have no clue how to recreate s-exp after decryption to re-inject into notmuch-show emacs function.

Truly, it would be better to implement it directly in notmuch core.

Signature verification just present a line with the signature owner and the trust chain status (green for good verification, orange for self signed only signature). No verification is made today against :From field.

As for example:

(green)  [ Good signature by: bateast@bat.fr.eu.org - 08F4ED ]

or

(orange) [ Good signature by key: 0x08F4ED self signed for bateast@bat.fr.eu.org ]

and if you click on button, you get key description:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 586989 (0x8f4ed)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Client CA
        Validity
            Not Before: Feb 11 19:01:56 2014 GMT
...

My opinion is that S/MIME is more and more widely used today, and then relying only on gpg for signature or encryption is a bit rough.

Thank you,


On Tue., March 11 2014, Daniel Kahn Gillmor wrote

> Hi Baptiste
>
> i'm interested in the functionality you're describing, but i confess i'm confused by the syntax of your e-mail and the structure of the file in question, as well as how you think it should be related to the notmuch project. This might all be obvious to other people; sorry for my confusion!
>
> Do you think this should be integrated into notmuch and shipped with it? if so, can you provide it as a standard patch for folks here to review?
>
> Some questions worth documenting if possible:
>
>   • do you expect this to work for S/MIME encrypted messages as well as S/MIME signed messages?
>   • is there a reason to do this only in emacs? PGP/MIME-signed (and -encrypted) messages can be parsed directly by libnotmuch so they are useful in other contexts as well
>   • what key management model does this code assume and/or enforce? how do we know which keys belong to which users?
>
> Thanks for working on notmuch!
>
> Regards,
>
> --dkg


~^v^~ Bat
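
The distinctions raised in this thread (valid signature, trusted signer, signer matching the From: header, and a certificate identifier that is not just a serial number), as an added example that is not code from notmuch or notmuch-openssl. The function names, status labels, example.org addresses and throwaway certificates are constructed for the example; it assumes an `openssl` binary from OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example; certificates, addresses and status labels are constructed.
# Run "sh thisfile.sh demo" to print the three statuses shown in demo().

# make_cert DIR NAME EMAIL: throwaway self-signed certificate and key.
make_cert() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed $2
[ext]
subjectAltName = email:$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# sign_msg DIR NAME FROM OUT: multipart/signed message over a fixed body.
# -from only writes the outer From: header, which the signature does not cover.
sign_msg() {
    printf 'constructed body\n' > "$1/body.txt"
    openssl smime -sign -text -in "$1/body.txt" -signer "$1/$2.pem" \
        -inkey "$1/$2.key" -from "$3" -to list@example.org \
        -subject 'constructed test' -out "$4" 2>/dev/null
}

# from_addr MSG: lower-cased address of the first From: header
# (header folding and multiple mailboxes are not handled).
from_addr() {
    tr -d '\r' < "$1" |
        sed -n -e '/^$/q' -e 's/^[Ff][Rr][Oo][Mm]:[[:space:]]*//p' |
        head -n 1 | sed -e 's/.*<\([^>]*\)>.*/\1/' | tr 'A-Z' 'a-z'
}

# smime_status MSG ANCHORS: print "<status> <sha256 fingerprint or ->".
# ANCHORS is a PEM file of trusted certificates chosen by the user.
smime_status() {
    signer=$(mktemp) || return 2
    from=$(from_addr "$1")
    # Step 1: signature and digest only, no certificate chain check.
    if ! openssl smime -verify -noverify -in "$1" -signer "$signer" \
            -out /dev/null 2>/dev/null; then
        status=bad-signature
    # Step 2: chain must end in ANCHORS. OpenSSL may also consult its default
    # CApath; add -no-CApath (1.1.0+) to trust ANCHORS only.
    elif ! openssl smime -verify -in "$1" -CAfile "$2" \
            -out /dev/null 2>/dev/null; then
        status=untrusted-signer
    # Step 3: the From: address must be one of the certificate's addresses.
    elif [ -z "$from" ] || ! openssl x509 -in "$signer" -noout -email |
            tr 'A-Z' 'a-z' | grep -Fxq -- "$from"; then
        status=from-mismatch
    else
        status=good
    fi
    # A fingerprint identifies one certificate regardless of issuer,
    # which a bare serial number does not.
    fp=$(openssl x509 -in "$signer" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2)
    rm -f "$signer"
    printf '%s %s\n' "$status" "${fp:--}"
}

demo() {
    d=$(mktemp -d) || return 1
    make_cert "$d" alice alice@example.org
    make_cert "$d" bob bob@example.org
    sign_msg "$d" alice alice@example.org "$d/ok.eml"
    sign_msg "$d" alice someone-else@example.net "$d/other-from.eml"
    smime_status "$d/ok.eml" "$d/alice.pem"          # good
    smime_status "$d/other-from.eml" "$d/alice.pem"  # from-mismatch
    smime_status "$d/ok.eml" "$d/bob.pem"            # untrusted-signer
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```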