Common Authentication Technology (cat)

Jeffrey Altman | 8 Jul 2004 08:28

Kitten Working Group Status Report and Important IETF 60 Deadlines

The request for the creation of the Kitten Working Group is still being 
discussed by
the Security Area Directors and the IESG.  While there is still plenty 
of time for the
working group to be approved prior to IETF 60, it is prudent that we 
assume that
approval will not be obtained prior to the end of the scheduling 
period.  As such I
will be submitting a request for a BOF slot which can be converted to a 
working group
slot once approval is obtained.

The IETF 60 Important Dates are as follows:
    July 12, Monday - Internet Draft Cut-off for initial document (-00) 
submission at 09:00 ET
    July 19, Monday - Working Group and BOF scheduling closes at 17:00 ET
    July 19, Monday - Internet Draft final submission cut-off at 09:00 ET
    July 21, Wednesday - Pre-Registration and Pre-payment cut-off at 
12:00 noon ET
    July 26, Monday - Registration cancellation cut-off at 17:00 ET
    July 26, Monday - Working Group agendas due date at 12:00 ET
    August 1-6, 2004 - 60th IETF Meeting in San Diego, CA, USA

If you have committed to submitting a new Internet Draft for Kitten, 
please ensure that
the draft has been submitted by next Monday.

To assist me in planning the BOF time slot please send me private mail 
indicating whether
or not you are planning to attend the IETF session and if there are any

(Continue reading)

headers

Jlinn | 9 Jul 2004 15:58

Fax Message Received

Attached file is protected with the password for security reasons. Password is

Attachment (Message.zip): application/octet-stream, 20 KiB

headers

Jeffrey Altman | 12 Jul 2004 17:22

Request to create KITTEN (daughter of CAT) BOF at IETF 60

[NOTE: Most of this e-mail is the same text as was sent on May 24th. The changes are in the subject "Request for BOF" instead of "Request for Working Group"; the addition of a new draft on GSSAPI Naming to the Charter; the addition of a BOF Agenda section; the addition of a BOF scheduling preferences section.]

Russ and Steve:

During the years since the Security Area's Common Authentication Technology working group closed its doors there has been significant new experience gained by those designing applications which utilize GSSAPI v2 update 1 and the GSSAPI v2 C Language Bindings. This experience has demonstrated several areas within the existing RFCs (2743 and 2744) which are less than well-defined and/or lacking in functionality.

Attempts to address these deficiencies have resulted in discussions taking place in many inappropriate forums. Some attempts have occurred within existing IETF working groups which have rejected the work as being outside the existing charter. Other attempts have been pursued by third party organizations such as Global Grid Forum which have chosen to extend IETF standards on their own due to an inability to find a forum within IETF to pursue their work.

The discussions on the IETF-CAT mailing list over the last several months have been quite contentious not to mention fun to read. The fruits of these discussions are the following:

There are a number of interested parties who would like to produce an new and improved GSSAPI specification be created to address issues related to credentials management; thread safety; channel binding usability (as discussed at IETF Minneapolis SAAG); C Language usage; ABI stability; mechanism specific extensibility; and support for mechanisms which do not provide a single canonical name.
There is an apparent consensus that the existing GSSAPI v2 RFCs should be revised to include improved language to clarify areas which have resulted in confusion for GSS mechanism implementors and application developers. There should be new text describing the lack of thread safety in GSSAPI v2 as well as descriptions of how to support IPv6 in the existing channel bindings. However, these revisions must not change the specification in any way which would affect backward interoperability with either existing implementations of GSSAPI v2 or even GSSAPI v1.
There is an apparent consensus that a new GSSAPI v3 specification be created to support the extended functionality that is required.
There is rough consensus that work should proceed to develop new forms of non-address based channel bindings which may be used to bind GSS to TLS, IPSec, SSH, and other cryptographic channels.
There are also proposals that a new mechansism for negotiating and properly using channel bindings (CCM) should be defined and that SPNEGO (RFC 2748) be updated to correct flaws in its design and specification.

The current participants of the IETF-CAT mailing list believe the time is right to form the Common Authentication Technology Next Generation working group (aka Kitten) to address these work areas. As such we would like permission from the IESG to form the working group at San Diego or if necessary to hold a BOF to discuss the need for the working group and the scope of its charter. What follows is a proposed charter for the Kitten Working Group.

Proposed Charter

The Generic Security Services API [RFC 2743, RFC 2744] provides an API for applications to set up security contexts and to use these contexts for per-message protection services. The Common Authentication Technology Next Generation Working Group (Kitten) will work on standardizing extensions and improvements to the GSSAPI that the IETF believes are necessary based on experience using GSSAPI over the last 10 years. Extensions may be published as separate drafts or included in a GSSAPI version 3. While version 2 of the GSSAPI may be clarified, no backward incompatible changes will be made to this version of the API.

This working group is chartered to revise the GSSAPI v2 RFCs for the purpose of clarifying areas of ambiguity:

Use of channel bindings
Thread safety restrictions
C Language utilization

use of const
utilization of gss types by the application
gss name space
improve recommendations for implementation specific types (e.g., use pointers to incomplete structs)

Guidelines for GSS-API mechanism designers
Guidelines for GSS-API application protocol designers

This working group is chartered to specify a non-backward compatible GSSAPI v3 to support the following extensions:

Clarify the portable use of channel bindings and better specify channel bindings in a language-independent manner.
Specify thread safety extensions to allow multi-threaded applications to use GSSAPI
Definitions of channel bindings for TLS, IPSec, SSH and other cryptographic channels based on work started in the NFSV4 working group.
Defined a GSSAPI extension to allow applications to store credentials. Discussions to be started based upon:

draft-williams-gss-store-deleg-creds-xx.txt

Extensions to solve problems posed by the Global Grid Forum's GSSAPI extensions document.
Extensions to deal with mechanism-specific extensibility in a multi-mechanism environment.
Extend GSSAPI to support mechanisms that do not have a single canonical name for each authentication identity.
Extensions to support stackable GSSAPI mechanisms.

This working group is chartered to perform the following GSSAPI mechanism specification work:

Specify a GSSAPI v2/v3 Channel Conjunction Mechanism
Revise RFC 2748 (SPNEGO) to correct problems that make the specification unimplementable and to document the problems found in widely-deployed attempts to implement this spec.

End of Proposed Charter

The participants of the IETF-CAT mailing list realize the quantity of work which we desire to undertake is quite ambitious in scope. This is simply an indication of how much work has accumulated over the last few years since the CAT working group disbanded. We believe that we can accomplish the stated work items in 18 months.

Milestones

Clarifications to GSSAPIv2 (six months to IESG)
Informational
[editor: Jeffrey Altman]
The Channel Conjunction Mechanism (CCM) for the GSSAPI (six months to IESG)
Proposed Standard
[editors: Nicolas Williams/Mike Eisler]
On the Use of Channel Bindings to Secure Channels (six months to IESG)
Proposed Standard
[editor: Nicolas Williams]
draft-ietf-nfsv4-channel-bindings-01.txt
GSSAPIv3 (18 months to IESG)
Proposed Standard
[editor: to be determined]
Stackable Generic Security Service Pseudo-mechanisms
Proposed Standard or to be folded into GSSAPIv3
[editor: Nicolas Williams]
draft-williams-gssapi-stackable-pseudo-mechs-00.txt
GSS-APIv2 Extension for Storing Delegated Credentials

GSSAPI Mechanisms without a Single Canonical Name (12 months to IESG)
to be folded into GSSAPIv3
[editor: Sam Hartman]
draft-hartman-gss-naming-00.txt
SPNEGO (RFC 2478) Revisions (18 months to IESG)
Proposed Standard
[editor: to be determined]

End of Milestones

Chairperson
The proposed chairperson for the Kitten WG is Jeffrey Altman.

Mailing List
The current mailing list for discussions is ietf-cat-wg <at> lists.stanford.edu.
Due to the facts that no one at Stanford is actively involved in the
discussions and the mailing list software is quite old, the working group
when formed will switch to a new mailing list.

Kitten BOF Agenda for IETF 60

The following charter is proposed for the Kitten BOF. The BOF will require a 2 hour time slot.

* Introduction and Welcome [5 minutes] - Jeffrey Altman
* Discussion of the Global Grid Forum GSS requirements [15 minutes] - To Be Determined
* Discussion of channel bindings portability issues (C struct et all) [10 minutes] - Sam Hartman
* Discussion of GSSAPI naming [15 minutes] - Sam Hartman
* Discussion of need for cryptographic channel bindings and CCM [10 minutes] - Nicolas Williams
* Discussion of specific channel bindings [10 to 15 minutes] - To Be Determined
* Discussion of Stackable Psuedo Mechanisms [10 minutes] - Nicolas Williams
* Discussion of the SPNEGO issues [10 minutes] - Wyllys Ingersol
* Charter discussion [15 minutes] - Jeffrey Altman

Kitten BOF Scheduling Requests

Please do not schedule on Friday as it is known that two of the speakers will not
be able to attend due to scheduling conflicts with other events

Presenters at the Kitten BOF are also active draft authors or working group chairs in
the following groups: NFSv4, KRB-WG or SASL

Please attempt to avoid scheduling opposite other Security Area working groups

Sincerely,

Jeffrey Altman (for the participants of the ietf-cat-wg mailing list)

Attachment (smime.p7s): application/x-pkcs7-signature, 3256 bytes

headers

Sam Hartman | 13 Jul 2004 21:57

Draft available on GSSAPI naming issues


Please take a look at
http://www.ietf.org/internet-drafts/draft-hartman-gss-naming-00.txt.
This describes problems I see with GSSAPI's naming architecture and a
proposal to solve these problems.  I will be presenting at the BOF
meeting.

I'm particularly interested in things I've missed in the problem
description or other open issues that I failed to mention.

--Sam

-++**==--++**==--++**==--++**==--++**==--++**==--++**==
This message was posted through the Stanford campus mailing list
server.  If you wish to unsubscribe from this mailing list, send the
message body of "unsubscribe ietf-cat-wg" to majordomo <at> lists.stanford.edu

headers

Martin Rex | 13 Jul 2004 23:14

Re: Draft available on GSSAPI naming issues

Sam,

Sam Hartman wrote:
> 
> Please take a look at
> http://www.ietf.org/internet-drafts/draft-hartman-gss-naming-00.txt.
> This describes problems I see with GSSAPI's naming architecture and a
> proposal to solve these problems.  I will be presenting at the BOF
> meeting.
> 
> I'm particularly interested in things I've missed in the problem
> description or other open issues that I failed to mention.

There are zero problems with existing GSS-API naming.

I have three major problems in the above document:

 (1) it fails to distinguish authentication from authorization.

     In the past I have seen two proposals to extend GSS-API
     authentication with an API for authorization
     (presented in CAT wg sessions at IETF meetings),
     one was XGSS-API from the SESAME project and the other
     one was "GAA" (Cliff?)

 (2) it fails to recognize where existing infrastructures deliberatly
     abuses the underlying protocol (e.g. Microsoft entirely ignores
     the Kerberos name-based authentication and uses a proprietary
     extension to convey authentication and authorization information).

 (3) it fails to realize that *ALL* access control schemes require
     a canonical representation of either the identity or some
     standarized authorization information in order to work.

     On Microsoft platforms the "canonical" name appears to be a "SID",
     which is what gets stored in their (D)ACLs.  The printable representation
     of a SID is a "SAM account name" (LanManager style).

The provision of GSS-API to (pre-)populate ACLs using
gss_import_name()+gss_canonicalize_name()+gss_export_name() is
absolutely necessary.  Btw: It is extensible since gss_canonicalize_name()
already requires a (mechanism) OID input parameter as a hint what kind of
transformation is required.

I don't see a problem in defining mechanism- or environment-specific
OIDs which can be used to draw a canonical name from a particular
namespace -- or alternatively from some kind of authorization data.

But don't fall prey to illusions, any such approach is no longer
a general abstraction.  It will actually turn out to be extremely
implementation specific.  The acceptor would have to use
gss_canonicalize_name() on the src_name returned from
gss_accept_sec_context() upon successful authentication in order
to transform the name to the alternative namespace (currently no
gssapi-based server needs to do that).  Keep in mind that the
authentication may be successful, but a transformation of the
identity into a particular namespace or authorization space
may fail for all sorts of reasons.

Personally I think it would be perfectly OK to allow to extend
the use of gss_canonicalize_name() for arbitrary namespaces,
maybe even for authorization elements (since the app caller needs
to be explicitly aware of the OIDs anyway).  But I don't think
that this will have an impact on PORTABLE gssapi callers that
use gssapi for the purpose of **abstraction** in heterogeneous
environments.

Just take Microsoft's abuse of the Kerberos 5 protocol as an
example.  We do have several customers that use a Microsoft
W2K Active Directory for user management but run their servers
on Unix machines with a (mostly vanilla MIT Kerberos) that only
supports name based authentication.  The server side implementation
doesn't implement/understand Microsoft's proprietary extensions,
therefore the only namespace available for authentication is
that of the base Kerberos 5 protocol -- name-based authentication
of Kerberos principals.  And it is likely to remain like this
for some time, I assume.  HP-UX 11.11 seems to include an
implementation of MIT Kerberos v1.1 today.

-Martin
-++**==--++**==--++**==--++**==--++**==--++**==--++**==
This message was posted through the Stanford campus mailing list
server.  If you wish to unsubscribe from this mailing list, send the
message body of "unsubscribe ietf-cat-wg" to majordomo <at> lists.stanford.edu

headers

Nicolas Williams | 13 Jul 2004 23:29

Re: Draft available on GSSAPI naming issues

On Tue, Jul 13, 2004 at 03:57:48PM -0400, Sam Hartman wrote:
> 
> Please take a look at
> http://www.ietf.org/internet-drafts/draft-hartman-gss-naming-00.txt.
> This describes problems I see with GSSAPI's naming architecture and a
> proposal to solve these problems.  I will be presenting at the BOF
> meeting.
> 
> I'm particularly interested in things I've missed in the problem
> description or other open issues that I failed to mention.

Comments:

 - The Abstract starts with a claim that the GSS-API "uses name-based"
   authorization.  This is not so.  Authorization is outside the scope
   of the GSS-API v2u1, though the GSS-API does aim to make name-based
   authorization workable as a lowest common denominator.

   A nit?  Solaris' NFS server (and CITI's) can map GSS-API principal
   names to Unix credentials and authorize clients based on those
   credentials and ACLs that reference Unix UIDs/GIDs; and Windows does
   much the same thing -- so I don't think this is a nit.

   The abstract should point out that name-based authorization is the
   LCD for the GSS-API, that name-based authorization is highly
   problematic (see below), and that generic extensions that facilitate
   authorization based on principals' attributes *other* than their
   names are highly desirable.

 - I disagree with the fourth sentence of the Abstract.  It's always
   been the case that principal names are subject to change, and this
   has been true for all GSS-API mechanisms (including MS' NTLM and
   Sun's DH mechs), as well as for non-GSS security mechanisms.

   It is the fact that names are subject to change, combined with the
   utter lack of any generic mechanism for keeping name-based ACLs up to
   date with name changes that argues against name-based authorization.

   It's important to point out why names change too.  Marriage and
   divorce, as well as other legal name changes are typical reasons, but
   so are user dissatisfaction with their short-form usernames (initial
   misspellings are a typical reason for this), and then there's
   collisions (particularly in flat namespaces) resulting from relating
   to mergers and acquisitions, etc...

   If the GSS-API's mechanisms' canonical names were not based on human
   readable display versions of principal names, but on unique,
   unchanging identifiers intended for machine use then authorization
   based on canonical GSS principal names would not be so bad.  But this
   is not a feasible solution now.

   Another way of stating this is this: canonical names based on display
   forms of principal names, for any security mechanism, including
   non-GSS mechanisms, are of bounded utility, in time, for
   authorization purposes.  Emphasis should be placed on this not being
   a GSS-API-specific problem.

 - That last comment makes me think of possible different approaches to
   this problem, none of which, fortunately, are attractive to me, but
   which might keep existing users of name-based access controls happy,
   such as a method for converting MNs to GSS_C_NT_MACHINE_UID_NAME
   names.  Such an extension would not be fully satisfactory to me, but
   as long as there's an exported name for for GSS_C_NT_MACHINE_UID_NAME
   this might be helpful to anyone who, for whatever reason (e.g.,
   legacy), must cling to GSS-API name-based ACLs.

Cheers,

Nico
--

-- 
-++**==--++**==--++**==--++**==--++**==--++**==--++**==
This message was posted through the Stanford campus mailing list
server.  If you wish to unsubscribe from this mailing list, send the
message body of "unsubscribe ietf-cat-wg" to majordomo <at> lists.stanford.edu

headers

Nicolas Williams | 13 Jul 2004 23:48

Re: Draft available on GSSAPI naming issues

On Tue, Jul 13, 2004 at 11:14:33PM +0200, Martin Rex wrote:
> Sam,
> 
> Sam Hartman wrote:
> > 
> > Please take a look at
> > http://www.ietf.org/internet-drafts/draft-hartman-gss-naming-00.txt.
> > This describes problems I see with GSSAPI's naming architecture and a
> > proposal to solve these problems.  I will be presenting at the BOF
> > meeting.
> > 
> > I'm particularly interested in things I've missed in the problem
> > description or other open issues that I failed to mention.
> 
> There are zero problems with existing GSS-API naming.

I agree with your comment -- there's nothing wrong with the GSS-API's
naming.

Name-based authorization is really problematic though, and in a way that
transcends the GSS-API.

Please read the comments I just posted.  I think some extensions to the
GSS-API can be made that will greatly improve authorization in
applications by moving beyond the use of canonical names based on
display forms that are subject to change at any time.

> I have three major problems in the above document:
> 
>  (1) it fails to distinguish authentication from authorization.

It doesn't have to.  The GSS-API handles authentication.

>  (2) it fails to recognize where existing infrastructures deliberatly
>      abuses the underlying protocol (e.g. Microsoft entirely ignores
>      the Kerberos name-based authentication and uses a proprietary
>      extension to convey authentication and authorization information).

It doesn't have to.  The basic problem with name-based authorization
transcends the GSS-API and its mechanisms (see above and my other post
just now).

>  (3) it fails to realize that *ALL* access control schemes require
>      a canonical representation of either the identity or some
>      standarized authorization information in order to work.
>
>      On Microsoft platforms the "canonical" name appears to be a "SID",
>      which is what gets stored in their (D)ACLs.  The printable representation
>      of a SID is a "SAM account name" (LanManager style).

But a user may have multiple SIDs (a primary user SID, a primary group
SID and additional user and group SIDs).  The primary user SID can be
considered a canonical name, yes, and maps onto the
GSS_C_NT_MACHINE_UID_NAME name type, but the GSS-API provides no way to
get the GSS_C_NT_MACHINE_UID_NAME that corresponds to a
GSS_C_NT_USER_NAME (or vice-versa -- but the reverse might not be a
one-to-one mapping!).

We MUST at the very least have a way to convert names of one type to
another, where that is feasible.

I'm sure you'll agree that authorization by UID or SID is much better
than by name -- the former change much less frequently than the latter
and non-reuse of the former is a typical policy in many organizations.

> The provision of GSS-API to (pre-)populate ACLs using
> gss_import_name()+gss_canonicalize_name()+gss_export_name() is
> absolutely necessary.  Btw: It is extensible since gss_canonicalize_name()
> already requires a (mechanism) OID input parameter as a hint what kind of
> transformation is required.

But GSS_Canonicalize_name() has no nametype OID parameter.  If it had
both, a mech OID and a nametype OID, or if GSS_Display_name() had an
optional display-as-other-nametype OID parameter then name-based
authorization, using GSS_C_NT_MACHINE_UID_NAME names, would be a lot
less problematic.

I'll stop here.  I consider this nametype conversion idea an olive
branch.  I do prefer the name attribute interface that Sam's draft
describes however, as that would allow for access to principals' group
membership information, and so one, in a fairly generic manner.

Nico
--

-- 
-++**==--++**==--++**==--++**==--++**==--++**==--++**==
This message was posted through the Stanford campus mailing list
server.  If you wish to unsubscribe from this mailing list, send the
message body of "unsubscribe ietf-cat-wg" to majordomo <at> lists.stanford.edu

headers

Sam Hartman | 14 Jul 2004 00:04

Re: Draft available on GSSAPI naming issues

>>>>> "Martin" == Martin Rex <martin.rex <at> sap.com> writes:

    Martin>  (1) it fails to distinguish authentication from
    Martin> authorization.

Really?  Pointers on where I got this wrong would be appreciated; I
agree with you that this distinction is critical and I'd certainly
like to correct any errors I made in this regard.

I don't think the draft talks much about authorization; it talks a lot
about making certain authentication assertions (or parts of names)
available for authorization decisions.

    Martin>      In the past I have seen two proposals to extend
    Martin> GSS-API authentication with an API for authorization
    Martin> (presented in CAT wg sessions at IETF meetings), one was
    Martin> XGSS-API from the SESAME project and the other one was
l    Martin> "GAA" (Cliff?)

I certainly remember GAA.  I was not really around for XGSS.

    Martin>  (2) it fails to recognize where existing infrastructures
    Martin> deliberatly abuses the underlying protocol (e.g. Microsoft
    Martin> entirely ignores the Kerberos name-based authentication
    Martin> and uses a proprietary extension to convey authentication
    Martin> and authorization information).

I actually believe I do discuss Microsoft's PAC.  You're right that I
assume the reader is roughly familiar with the contents of the PAC
already; I can certainly add a bit more background to this section of
the draft.

    Martin>  (3) it fails to realize that *ALL* access control schemes
    Martin> require a canonical representation of either the identity
    Martin> or some standarized authorization information in order to
    Martin> work.

OK, then the draft is unclear.  The entire point of the draft is that
you need such representations.  The problem seems to be that there
will be multiple representations available and different applications
will require different representations.

I actually like your proposal of expanding gss_canonicalize_name to
deal with environment-specific OIDs.  I don't think it fully solves
the problem though, because it doesn't deal with composite identities
like subjectAltName extensions or like group memberships.  Let's say
we define an oid that when passed into gss_canonicalize_name gives us
a representation of all the sids associated with some name in the
Microsoft authorization model.  I don't really want to put that
representation on an ACL because the account might gain or lose group
memberships and thus gain or lose sids. Instead I somehow want to put
a representation of a single sid corresponding to some group on the
ACL.  Later, when I try and authorize some previously-authenticated
context, I want to find out if the identity corresponding to that
context has that single group sid as part of its name.

With your proposal, an application wanting to do this sort of
authorization would need to understand the representation of the
sid-based name and decompose that representation.

With name attributes it seems like you could define a multi-valued
attribute for group membership and see if the name in the context
contained the value for this attribute corresponding to SId placed on the ACL.

--Sam
-++**==--++**==--++**==--++**==--++**==--++**==--++**==
This message was posted through the Stanford campus mailing list
server.  If you wish to unsubscribe from this mailing list, send the
message body of "unsubscribe ietf-cat-wg" to majordomo <at> lists.stanford.edu

headers

Jeffrey Altman | 14 Jul 2004 22:06

Kitten BOF has been approved

The Kitten BOF has been approved to meet at IETF 60.
We are tentatively scheduled for a two hour slot on Monday
without conflicts with any other Security Area session.

Please be advised that the current scheduling is preliminary
and is subject to change. For all I know we could find ourselves
with a Friday morning session one week before the meeting.
IETF meetings are one week in duration. Please do not
attempt to schedule your arrival for a single day based upon
schedule information made available this far in advance.

I look forward to seeing all of you at the BOF. If the IESG
agrees to approved the formation of the Working Group
before IETF 60, the allocated time slot will still be valid.

Jeffrey Altman

Attachment (smime.p7s): application/x-pkcs7-signature, 3256 bytes

headers

Jeffrey Altman | 19 Jul 2004 21:18

FTP AUTH GSSAPI - Is Kitten the appropriate forum?

Hello:

I would like to ask the group whether or not you believe that Kitten is an
appropriate forum to discuss a successor to RFC 2228 which specifies the
FTP AUTH GSSAPI mechanism.

A large vendor we all know very well is considering the implementation
of FTP AUTH GSSAPI in their FTP Servers and perhaps their clients.
However, it has become clear in our discussions that RFC 2228 is in some
ways under specified; is susceptible to a few attacks; is not NAT friendly;
and all known implementations actually violate the base FTP RFCs by
being unable to send data simultaneously on the command and data
channels.

If there are no objections, I would like Kitten to accept an RFC meant
to update RFC 2228 and provide a revised AUTH GSSAPI mode which
does not suffer from the hinted at problems.

Jeffrey Altman

Attachment (smime.p7s): application/x-pkcs7-signature, 3256 bytes

2	July 2005
2	February 2005
3	September 2004
10	August 2004
15	July 2004
1	June 2004
17	May 2004
46	April 2004
100	March 2004
1	November 2003
3	October 2003
1	September 2003
1	August 2003
1	August 2002
3	July 2002

Mon	Tue	Wed	Thu	Fri	Sat	Sun

			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31