idnits 2.17.00 (12 Aug 2021)

/tmp/idnits63950/draft-ietf-sidr-rpsl-sig-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document date (October 9, 2015) is 2416 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '6' on line 483

  ** Obsolete normative reference: RFC 4871 (Obsoleted by RFC 6376)

  ** Obsolete normative reference: RFC 6485 (Obsoleted by RFC 7935)


     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	SIDR                                                        R. Kisteleki
3	Internet-Draft                                                  RIPE NCC
4	Intended status: Standards Track                             B. Haberman
5	Expires: April 11, 2016                                          JHU APL
6	                                                         October 9, 2015

8	               Securing RPSL Objects with RPKI Signatures
9	                    draft-ietf-sidr-rpsl-sig-08.txt

11	Abstract

13	   This document describes a method to allow parties to electronically
14	   sign RPSL-like objects and validate such electronic signatures.  This
15	   allows relying parties to detect accidental or malicious
16	   modifications on such objects.  It also allows parties who run
17	   Internet Routing Registries or similar databases, but do not yet have
18	   RPSS-like authentication of the maintainers of certain objects, to
19	   verify that the additions or modifications of such database objects
20	   are done by the legitimate holder(s) of the Internet resources
21	   mentioned in those objects.

23	Status of This Memo

25	   This Internet-Draft is submitted in full conformance with the
26	   provisions of BCP 78 and BCP 79.

28	   Internet-Drafts are working documents of the Internet Engineering
29	   Task Force (IETF).  Note that other groups may also distribute
30	   working documents as Internet-Drafts.  The list of current Internet-
31	   Drafts is at http://datatracker.ietf.org/drafts/current/.

33	   Internet-Drafts are draft documents valid for a maximum of six months
34	   and may be updated, replaced, or obsoleted by other documents at any
35	   time.  It is inappropriate to use Internet-Drafts as reference
36	   material or to cite them other than as "work in progress."

38	   This Internet-Draft will expire on April 11, 2016.

40	Copyright Notice

42	   Copyright (c) 2015 IETF Trust and the persons identified as the
43	   document authors.  All rights reserved.

45	   This document is subject to BCP 78 and the IETF Trust's Legal
46	   Provisions Relating to IETF Documents
47	   (http://trustee.ietf.org/license-info) in effect on the date of
48	   publication of this document.  Please review these documents
49	   carefully, as they describe your rights and restrictions with respect
50	   to this document.  Code Components extracted from this document must
51	   include Simplified BSD License text as described in Section 4.e of
52	   the Trust Legal Provisions and are provided without warranty as
53	   described in the Simplified BSD License.

55	Table of Contents

57	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
58	   2.  Signature Syntax and Semantics  . . . . . . . . . . . . . . .   3
59	     2.1.  General Attributes, Meta Information  . . . . . . . . . .   3
60	     2.2.  Signed Attributes . . . . . . . . . . . . . . . . . . . .   4
61	     2.3.  Storage of the Signature Data . . . . . . . . . . . . . .   5
62	     2.4.  Number Resource Coverage  . . . . . . . . . . . . . . . .   5
63	     2.5.  Validity Time of the Signature  . . . . . . . . . . . . .   6
64	   3.  Signature Creation and Validation Steps . . . . . . . . . . .   6
65	     3.1.  Canonicalization  . . . . . . . . . . . . . . . . . . . .   6
66	     3.2.  Signature Creation  . . . . . . . . . . . . . . . . . . .   8
67	     3.3.  Signature Validation  . . . . . . . . . . . . . . . . . .   9
68	   4.  Signed Object Types, Set of Signed Attributes . . . . . . . .  10
69	   5.  Keys and Certificates used for Signature and Verification . .  12
70	   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  12
71	   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
72	   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  12
73	   9.  Normative References  . . . . . . . . . . . . . . . . . . . .  13
74	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  14

76	1.  Introduction

78	   Objects stored in resource databases, like the RIPE DB, are generally
79	   protected by an authentication mechanism: anyone creating or
80	   modifying an object in the database has to have proper authorization
81	   to do so, and therefore has to go through an authentication procedure
82	   (provide a password, certificate, e-mail signature, etc.)  However,
83	   for objects transferred between resource databases, the
84	   authentication is not guaranteed.  This means when downloading an
85	   object stored in this database, one can reasonably safely claim that
86	   the object is authentic, but for an imported object one cannot.
87	   Also, once such an object is downloaded from the database, it becomes
88	   a simple (but still structured) text file with no integrity
89	   protection.  More importantly, the authentication and integrity
90	   guarantees associated with these objects do not always ensure that
91	   the entity that generated them is authorized to make the assertions
92	   implied by the data contained in the objects.

94	   A potential use for resource certificates [RFC6487] is to use them to
95	   secure such (both imported and downloaded) database objects, by
96	   applying a form of digital signature over the object contents.  A
97	   maintainer of such signed database objects MUST possess a relevant
98	   resource certificate, which shows him/her as the legitimate holder of
99	   an Internet number resource.  This mechanism allows the users of such
100	   database objects to verify that the contents are in fact produced by
101	   the legitimate holder(s) of the Internet resources mentioned in those
102	   objects.  It also allows the signatures to cover whole RPSL objects,
103	   or just selected attributes of them.  In other words, a digital
104	   signature created using the private key associated with a resource
105	   certificate can offer object security in addition to the channel
106	   security already present in most of such databases.  Object security
107	   in turn allows such objects to be hosted in different databases and
108	   still be independently verifiable.

110	   The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
111	   "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
112	   "OPTIONAL" in this document are to be interpreted as described in
113	   [RFC2119].

115	2.  Signature Syntax and Semantics

117	   When signing an RPSL object, the input for the signature process is
118	   transformed into a sequence of strings of (ASCII) data.  The approach
119	   is similar to the one used in DKIM (Domain Key Identified Mail)
120	   [RFC4871].  In the case of RPSL, the object-to-be-signed closely
121	   resembles an SMTP header, so it seems reasonable to adapt DKIM's
122	   relevant features.

124	2.1.  General Attributes, Meta Information

126	   The digital signature associated with an RPSL object is itself a new
127	   attribute named "signature".  It consists of mandatory and optional
128	   fields.  These fields are structured in a sequence of name and value
129	   pairs, separated by a semicolon ";" and a white space.  Collectively
130	   these fields make up the value for the new "signature" attribute.
131	   The "name" part of such a component is always a single ASCII
132	   character that serves as an identifier; the value is an ASCII string
133	   the contents of which depend on the field type.  Mandatory fields
134	   must appear exactly once, whereas optional fields MUST appear at most
135	   once.

137	   Mandatory fields of the "signature" attribute:

139	   o  Version number of the signature (field "v").  This field MUST be
140	      set to "1".

142	   o  Reference to the certificate corresponding to the private key used
143	      to sign this object (field "c").  This is a URL of type "rsync" or
144	      "http(s)" that points to a specific resource certificate in an
145	      RPKI repository [RFC6481].  The value of this field MUST be an
146	      "rsync://..." or an "http[s]://..." URL.  Any non URL-safe
147	      characters (including semicolon ";" and plus "+") must be URL
148	      encoded.

150	   o  Signature method (field "m"): what hash and signature algorithms
151	      were used to create the signature.  The allowed algorithms which
152	      can be used for the signature are specified in [RFC6485].

154	   o  Time of signing (field "t").  The format of the value of this
155	      field MUST be in the Internet Date/Time format [RFC3339].  All
156	      times MUST be converted to Universal Coordinated Time (UTC)

158	   o  The signed attributes (field "a").  This is a list of attribute
159	      names, separated by an ASCII "+" character (if more than one
160	      attribute is enumerated).  The list must include any attribute at
161	      most once.

163	   o  The signature itself (field "b").  This MUST be the last field in
164	      the list.  The signature is the output of the signature algorithm
165	      using the appropriate private key and the calculated hash value of
166	      the object as inputs.  The value of this field is the digital
167	      signature in base64 encoding [RFC4648].

169	   Optional fields of the "signature" attribute:

171	   o  Signature expiration time (field "x").  The format of the value of
172	      this field MUST be in the Internet Date/Time format [RFC3339].
173	      All times MUST be represented in UTC.

175	2.2.  Signed Attributes

177	   One can look at an RPSL object as an (ordered) set of attributes,
178	   each having a "key: value" syntax.  Understanding this structure can
179	   help in developing more flexible methods for applying digital
180	   signatures.

182	   Some of these attributes are automatically added by the database,
183	   some are database-dependent, yet others do not carry operationally
184	   important information.  This specification allows the maintainer of
185	   such an object to decide which attributes are important (signed) and
186	   which are not (not signed), from among all the attributes of the
187	   object; in other words, we define a way of including important
188	   attributes while excluding irrelevant ones.  Allowing the maintainer
189	   of an object to select the attributes that are covered by the digital
190	   signature achieves the goals established in Section 1.

192	   The type of the object determines the minimum set of attributes that
193	   MUST be signed.  The signer MAY choose to sign additional attributes,
194	   in order to provide integrity protection for those attributes too.

196	   When verifying the signature of an object, the verifier has to check
197	   whether the signature itself is valid, and whether all the specified
198	   attributes are referenced in the signature.  If not, the verifier
199	   MUST reject the signature and threat the object as a regular, non-
200	   signed RPSL object.

202	2.3.  Storage of the Signature Data

204	   The result of applying the signature mechanism once is exactly one
205	   new attribute for the object.  As an illustration, the structure of a
206	   signed RPSL object is as follows:

208	     attribute1:  value1
209	     attribute2:  value2
210	     attribute3:  value3
211	     ...
212	     signature:   v=1; c=rsync://.....; m=sha256WithRSAEncryption;
213	                  t=2014-12-31T23:59:60Z;
214	                  a=attribute1+attribute2+attribute3+...;
215	                  b=<base64 data>

217	2.4.  Number Resource Coverage

219	   Even if the signature(s) over the object are valid according to the
220	   signature validation rules, they may not be relevant to the object;
221	   they also need to cover the relevant Internet number resources
222	   mentioned in the object.

224	   Therefore the Internet number resources present in [RFC3779]
225	   extensions of the certificate referred to in the "c" field of the
226	   signature (or in the union of such extensions in the "c" fields of
227	   the certificates, in case multiple signatures are present) MUST cover
228	   the resources in the primary key of the object (e.g., value of the
229	   "aut-num:" attribute of an aut-num object, value of the "inetnum:"
230	   attribute of an inetnum object, values of "route:" and "origin:"
231	   attributes of a route object, etc.).

233	2.5.  Validity Time of the Signature

235	   The validity time interval of a signature is the intersection of the
236	   validity time of the certificate used to verify the signature, the
237	   "not before" time specified by the "t" field of the signature, and
238	   the optional "not after" time specified by the "x" field of the
239	   signature.

241	   When checking multiple signatures, these checks are applied to each
242	   signature, individually.

244	3.  Signature Creation and Validation Steps

246	3.1.  Canonicalization

248	   The notion of canonicalization is essential to digital signature
249	   generation and validation whenever data representations may change
250	   between a signer and one or more signature verifiers.
251	   Canonicalization defines how one transforms a representation of data
252	   into a series of bits for signature generation and verification.  The
253	   task of canonicalization is to make irrelevant differences in
254	   representations of the same object, which would otherwise cause
255	   signature verification to fail.  Examples of this could be:

257	   o  data transformations applied by the databases that host these
258	      objects (such as notational changes for IPv4/IPv6 prefixes,
259	      automatic addition/modification of "changed" attributes, etc.)

261	   o  the difference of line terminators across different systems.

263	   This means that the destination database might change parts of the
264	   submitted data after it was signed, which would cause signature
265	   verification to fail.  This document specifies strict
266	   canonicalization rules to overcome this problem.

268	   The following steps MUST be applied in order to achieve canonicalized
269	   representation of an object, before the actual signature
270	   (verification) process can begin:

272	   1.  Comments (anything beginning with a "#") MUST be omitted.

274	   2.  Any trailing white space MUST be omitted.

276	   3.  A multi-line attribute MUST be converted into its single-line
277	       equivalent.  This is accomplished by:

279	       *  Converting all line endings to a single blank space.

281	       *  Concatenating all lines into a single line.

283	       *  Replacing the trailing blank space with a single new line
284	          ("\n").

286	   4.  Numerical fields MUST be converted to canonical representations.
287	       These include:

289	       *  Date and time fields MUST be converted to UTC and MUST be
290	          represented in the Internet Date/Time format [RFC3339].

292	       *  AS numbers MUST be converted to ASPLAIN syntax [RFC5396].

294	       *  IPv6 addresses MUST be canonicalized as defined in [RFC5952].

296	       *  IPv4 addresses MUST be represented as the ipv4-address type
297	          defined by RPSL [RFC2622]

299	       *  All IP prefixes (IPv4 and IPv6) MUST be represented in CIDR
300	          notation [RFC4632].

302	   5.  All ranges, lists, or sets of numerical fields are represented
303	       using the appropriate RPSL attribute and each numerical element
304	       contained within those attributes MUST conform to the
305	       canonicalization rules in this document.

307	   6.  The name of each attribute MUST be converted into lower case, and
308	       MUST be kept as part of the attribute line.

310	   7.  Tab characters ("\t") MUST be converted to spaces.

312	   8.  Multiple whitespaces MUST be collapsed into a single space (" ")
313	       character.

315	   9.  All line endings MUST be converted to a singe new line ("\n")
316	       character (thus avoiding CR vs. CRLF differences).

318	3.2.  Signature Creation

320	   Given an RPSL object, in order to create the digital signature, the
321	   following steps MUST be performed:

323	   1.  For each signature, a new public/private key pair and certificate
324	       SHOULD be used.  Therefore the signer SHOULD create a single-use
325	       key pair and end-entity resource certificate (see [RFC6487]).
326	       The private key is used for signing this object this time.

328	   2.  Create a list of attribute names referring to the attributes that
329	       will be signed (contents of the "a" field).  The minimum set of
330	       these attributes is determined by the object type; the signer MAY
331	       select additional attributes.

333	   3.  Arrange the selected attributes according to the selection
334	       sequence specified in the "a" field as above, omitting all
335	       attributes that will not be signed.

337	   4.  Construct the new "signature" attribute, with all its fields,
338	       leaving the value of the "b" field empty.

340	   5.  Apply canonicalization rules to the result (including the
341	       "signature" attribute).

343	   6.  Create the signature over the results of the canonicalization
344	       process (according to the signature and hash algorithms specified
345	       in the "m" field of the signature attribute).

347	   7.  Insert the base64 encoded value of the signature as the value of
348	       the "b" field.

350	   8.  Append the resulting "signature" attribute to the original
351	       object.

353	3.3.  Signature Validation

355	   In order to validate a signature over such an object, the following
356	   steps MUST be performed:

358	   1.  Verify the syntax of the "signature" attribute (i.e., whether it
359	       contains the mandatory and optional components and the syntax of
360	       these fields matches the specification as described in section
361	       2.1.)

363	   2.  Fetch the certificate referred to in the "c" field of the
364	       "signature" attribute, and check its validity using the steps
365	       described in [RFC6487].

367	   3.  Extract the list of attributes that were signed using the signer
368	       from the "a" field of the "signature" attribute.

370	   4.  Verify that the list of signed attributes includes the minimum
371	       set of attributes for that object type.

373	   5.  Arrange the selected attributes according to the selection
374	       sequence provided in the value of the "a" field, omitting all
375	       non-signed attributes.

377	   6.  Replace the value of the signature field "b" of the "signature"
378	       attribute with an empty string.

380	   7.  Apply the canonicalization procedure to the selected attributes
381	       (including the "signature" attribute).

383	   8.  Check the validity of the signature using the signature algorithm
384	       specified in the "m" field of the signature attribute, the public
385	       key contained in the certificate mentioned in the "c" field of
386	       the signature, the signature value specified in the "b" field of
387	       the signature attribute, and the output of the canonicalization
388	       process.

390	4.  Signed Object Types, Set of Signed Attributes

392	   This section describes a list of object types that MAY signed using
393	   this approach.  For each object type, the set of attributes that MUST
394	   be signed for these object types (the minimum set noted in
395	   Section Section 3.3 is enumerated.

397	   This list generally excludes attributes that are used to maintain
398	   referential integrity in the databases that carry these objects,
399	   since these usually make sense only within the context of such a
400	   database, whereas the scope of the signatures is only one specific
401	   object.  Since the attributes in the referred object (such as mnt-by,
402	   admin-c, tech-c, ...) can change without any modifications to the
403	   signed object, signing such attributes could lead to false sense of
404	   security in terms of the contents of the signed data; therefore
405	   including such attributes should only be done in order to provide
406	   full integrity protection of the object itself.

408	   The newly constructed "signature" attribute is always included in the
409	   list.

411	      as-block:

413	      *  as-block

415	      *  org

417	      *  signature

419	      aut-num:

421	      *  aut-num

423	      *  as-name

425	      *  member-of

427	      *  import

429	      *  mp-import

431	      *  export

433	      *  mp-export

435	      *  default

437	      *  mp-default
438	      *  signature

440	      inet[6]num:

442	      *  inet[6]num

444	      *  netname

446	      *  country

448	      *  org

450	      *  status

452	      *  signature

454	      route[6]:

456	      *  route[6]

458	      *  origin

460	      *  holes

462	      *  org

464	      *  member-of

466	      *  signature

468	   For each signature, the RFC3779 extension appearing in the
469	   certificate used to verify the signature MUST include a resource
470	   entry that is equivalent to, or covers ("less specific" than) the
471	   following resources mentioned in the object the signature is attached
472	   to:

474	   o  For the as-block object type: the resource in the "as-block"
475	      attribute.

477	   o  For the aut-num object type: the resource in the "aut-num"
478	      attribute.

480	   o  For the inet[6]num object type: the resource in the "inet[6]num"
481	      attribute.

483	   o  For the route[6] object type: the resource in the "route[6]" or
484	      "origin" (or both) attributes.

486	5.  Keys and Certificates used for Signature and Verification

488	   The certificate that is referred to in the signature (in the "c"
489	   field):

491	   o  MUST be an end-entity (ie. non-CA) certificate

493	   o  MUST conform to the X.509 PKIX Resource Certificate profile
494	      [RFC6487]

496	   o  MUST have an [RFC3779] extension that covers the Internet number
497	      resource included in a signed attribute.

499	   o  SHOULD NOT be used to verify more than one signed object (ie.
500	      should be a "single-use" EE certificate, as defined in [RFC6487]).

502	6.  Security Considerations

504	   RPSL objects stored in the IRR databases are public, and as such
505	   there is no need for confidentiality.  Each signed RPSL object can
506	   have its integrity and authenticity verified using the supplied
507	   digital signature and the referenced certificate.

509	   Since the RPSL signature approach leverages X.509 extensions, the
510	   security considerations in [RFC3779] apply here as well.

512	   The maintainer of an object has the ability to include attributes in
513	   the signature that are not included in the resource certificate used
514	   to create the signature.  Potentially, a maintainer may include
515	   attributes that reference resources the maintainer is not authorized
516	   to use.

518	7.  IANA Considerations

520	   [Note to IANA, to be removed prior to publication: there are no IANA
521	   considerations stated in this version of the document.]

523	8.  Acknowledgements

525	   The authors would like to acknowledge the valued contributions from
526	   Jos Boumans, Steve Kent, Sean Turner, and Geoff Huston in preparation
527	   of this document.

529	9.  Normative References

531	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
532	              Requirement Levels", BCP 14, RFC 2119,
533	              DOI 10.17487/RFC2119, March 1997,
534	              <http://www.rfc-editor.org/info/rfc2119>.

536	   [RFC2622]  Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D.,
537	              Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra,
538	              "Routing Policy Specification Language (RPSL)", RFC 2622,
539	              DOI 10.17487/RFC2622, June 1999,
540	              <http://www.rfc-editor.org/info/rfc2622>.

542	   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
543	              Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
544	              <http://www.rfc-editor.org/info/rfc3339>.

546	   [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
547	              Addresses and AS Identifiers", RFC 3779,
548	              DOI 10.17487/RFC3779, June 2004,
549	              <http://www.rfc-editor.org/info/rfc3779>.

551	   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
552	              (CIDR): The Internet Address Assignment and Aggregation
553	              Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
554	              2006, <http://www.rfc-editor.org/info/rfc4632>.

556	   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
557	              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
558	              <http://www.rfc-editor.org/info/rfc4648>.

560	   [RFC4871]  Allman, E., Callas, J., Delany, M., Libbey, M., Fenton,
561	              J., and M. Thomas, "DomainKeys Identified Mail (DKIM)
562	              Signatures", RFC 4871, DOI 10.17487/RFC4871, May 2007,
563	              <http://www.rfc-editor.org/info/rfc4871>.

565	   [RFC5396]  Huston, G. and G. Michaelson, "Textual Representation of
566	              Autonomous System (AS) Numbers", RFC 5396,
567	              DOI 10.17487/RFC5396, December 2008,
568	              <http://www.rfc-editor.org/info/rfc5396>.

570	   [RFC5952]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
571	              Address Text Representation", RFC 5952,
572	              DOI 10.17487/RFC5952, August 2010,
573	              <http://www.rfc-editor.org/info/rfc5952>.

575	   [RFC6481]  Huston, G., Loomans, R., and G. Michaelson, "A Profile for
576	              Resource Certificate Repository Structure", RFC 6481,
577	              DOI 10.17487/RFC6481, February 2012,
578	              <http://www.rfc-editor.org/info/rfc6481>.

580	   [RFC6485]  Huston, G., "The Profile for Algorithms and Key Sizes for
581	              Use in the Resource Public Key Infrastructure (RPKI)",
582	              RFC 6485, DOI 10.17487/RFC6485, February 2012,
583	              <http://www.rfc-editor.org/info/rfc6485>.

585	   [RFC6487]  Huston, G., Michaelson, G., and R. Loomans, "A Profile for
586	              X.509 PKIX Resource Certificates", RFC 6487,
587	              DOI 10.17487/RFC6487, February 2012,
588	              <http://www.rfc-editor.org/info/rfc6487>.

590	Authors' Addresses

592	   Robert Kisteleki

594	   Email: robert@ripe.net
595	   URI:   http://www.ripe.net

597	   Brian Haberman
598	   Johns Hopkins University Applied Physics Lab

600	   Email: brian@innovationslab.net