Knowledge

1208: 1260: 1298: 1191: 1496:, they can convince a CA to sign a certificate with innocuous contents, where the hash of those contents is identical to the hash of another, malicious set of certificate contents, created by the attacker with values of their choosing. The attacker can then append the CA-provided signature to their malicious certificate contents, resulting in a malicious certificate that appears to be signed by the CA. Because the malicious certificate contents are chosen solely by the attacker, they can have different validity dates or hostnames than the innocuous certificate. The malicious certificate can even contain a "CA: true" field making it able to issue further trusted certificates. 321:(PKI) and X.509 certificates was the well known "which directory" problem. The problem is the client does not know where to fetch missing intermediate certificates because the global X.500 directory never materialized. The problem was mitigated by including all intermediate certificates in a request. For example, early web servers only sent the web server's certificate to the client. Clients that lacked an intermediate CA certificate or where to find them failed to build a valid path from the CA to the server's certificate. To work around the problem, web servers now send all the intermediate certificates along with the web server's certificate. 2240: 1084: 692:, if a certificate has several extensions restricting its use, all restrictions must be satisfied for a given use to be appropriate. The RFC gives the specific example of a certificate containing both keyUsage and extendedKeyUsage: in this case, both must be processed and the certificate can only be used if both extensions are coherent in specifying the usage of a certificate. For example, 582:, which is a set of values, together with either a critical or non-critical indication. A certificate-using system must reject the certificate if it encounters a critical extension that it does not recognize, or a critical extension that contains information that it cannot process. A non-critical extension may be ignored if it is not recognized, but must be processed if it is recognized. 1358:: CAs cannot technically restrict subordinate CAs from issuing certificates outside a limited namespaces or attribute set; this feature of X.509 is not in use. Therefore, a large number of CAs exist on the Internet, and classifying them and their policies is an insurmountable task. Delegation of authority within an organization cannot be handled at all, as in common business practice. 1100: 1255:. This certificate signed the end-entity certificate above, and was signed by the root certificate below. Note that the subject field of this intermediate certificate matches the issuer field of the end-entity certificate that it signed. Also, the "subject key identifier" field in the intermediate matches the "authority key identifier" field in the end-entity certificate. 658:, are used to indicate whether the certificate is a CA certificate and can certify or issue other certificates. A constraint can be marked as critical. If a constraint is marked critical, then an agent must fail to process the certificate if the agent does not understand the constraint. An agent can continue to process a non-critical constraint it does not understand. 1364:: Certificate chains that are the result of subordinate CAs, bridge CAs, and cross-signing make validation complex and expensive in terms of processing time. Path validation semantics may be ambiguous. The hierarchy with a third-party trusted party is the only model. This is inconvenient when a bilateral trust relationship is already in place. 209:, etc.), and is either signed by a certificate authority or is self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can use the public key it contains to establish secure communications with another party, or validate documents 1557: 1259: 1190: 1060: 747: 1150: 374: 1334: 1297: 324: 1160: 1127: 704: 1413: 1099: 1207: 1549: 1061: 759: 1474:, wrong implementations or by using integer overflows of the client's browsers, an attacker can include an unknown attribute in the CSR, which the CA will sign, which the client wrongly interprets as "CN" (OID=2.5.4.3). Dan Kaminsky demonstrated this at the 26th 456: 1394:, EV certificates do not add any additional security controls. Rather, EV certificates merely restore CA profits to levels prior to the Race to the Bottom by allowing a CA to charge more for a service they should have been providing all along. 1242: 1173:, as stated in the Issuer field. Its Subject field describes Knowledge as an organization, and its Subject Alternative Name (SAN) field for DNS describes the hostnames for which it could be used. The Subject Public Key Info field contains an 1272: 375: 665:, provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signatures but not for encipherment. 1491: 1381: 1352:: Identity claims (authenticate with an identifier), attribute claims (submit a bag of vetted attributes), and policy claims are combined in a single container. This raises privacy, policy mapping, and maintenance issues. 1048: 1290:. Its issuer and subject fields are the same, and its signature can be validated with its own public key. Validation of the trust chain has to end here. If the validating program has this root certificate in its 1409: 1405: 743: 735: 1371: 872:. These are generated for submission to certificate-authorities (CA). It includes key details of the requested certificate such as Common Name (/CN), subject, organization, state, country, as well as the 290:-like web of trust, but was rarely used that way as of 2004. The X.500 system has only been implemented by sovereign nations for state identity information sharing treaty fulfillment purposes, and the 1602:— Certification Path Building — guidance and recommendations for building X.509 public-key certification paths within applications (i.e., validating an end-entity certificate using a CA certificate) 1530: 672:, is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate. It contains a list of OIDs, each of which indicates an allowed use. For example, 3082: 1017: 609: 1291: 1511: 1092: 337:. For example, if a PKI has a policy of only issuing certificates on Monday, then common tools like cURL and Wget will not enforce the policy and allow a certificate issued on a Tuesday. 1725: 193: 1422:. Another example is a revocation request of the CA of the Dutch government, because of a Dutch law passed in 2018, giving new powers for the Dutch intelligence and security services 1203: 410:(DN) that is unique for the person, organization or business. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority. 325: 1131: 605: 1431: 1467: 2207: 294:'s Public-Key Infrastructure (X.509) (PKIX) working group has adapted the standard to the more flexible organization of the Internet. In fact, the term 3090: 1619: 228:, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a 3163: 1169: 646:(and its predecessors) defines a number of certificate extensions which indicate how the certificate should be used. Most of them are arcs from the 1294:, the end-entity certificate can be considered trusted for use in a TLS connection. Otherwise, the end-entity certificate is considered untrusted. 2232: 2634: 1616: 1533: 379: 1161: 578: 1504:. Since the root certificate already had a self-signature, attackers could use this signature and use it for an intermediate certificate. 2563: 1662: 1956: 1215: 1115: 224:, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a 2438: 876: 616: 2464: 2033: 3282: 3208: 1065: 225: 1809:"X.509: Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks" 387: 2184: 1592:(Personal Information Exchange Syntax Standard) — used to store a private key with the appropriate public key certificate 1570:(Cryptographic Message Syntax Standard — public keys with proof of identity for signed and/or encrypted message for PKI) 1537:". The researchers were able to deduce a method which increases the likelihood of a collision by several orders of magnitude. 259: 167: 918:(SignedData, EnvelopedData) Message e.g. encrypted ("enveloped") file, message or MIME email letter. Defined in RFC 2311. 1540: 1211: 2387: 2363: 1974: 1579: 1391: 1328: 1311: 752: 477: 2323: 25: 2304: 613: 3272: 3267: 2821: 1701: 1398: 880:(which includes the public key but not the private key), which itself can be in a couple of formats but usually in 780: 1441: 3031: 1612: 1368: 1037: 391: 623: 402: 3277: 1122: 997: 2796: 1680: 1659: 1045: 275:, where anyone (not just special CAs) may sign and thus attest to the validity of others' key certificates. 1734: 1527: 1475: 1335: 947: 813: 788: 501: 418: 244: 1076: 2696: 1764: 1488: 1397: 1007: 865: 421:. The roles registration authority and certification authority are usually separate business units under 383: 221: 3251: 2900: 2515: 2259: 1870: 1140: 1694: 996: 2490: 1623: 709:. Or a web server can be validated at a higher level of assurances using more detailed methods called 2625: 2279: 1774: 1010:(CRL). Certificate Authorities produce these as a way to de-authorize certificates before expiration. 729: 693: 318: 3236:- Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile 2847: 2633:(Technical report). Lucent Technologies, Bell Laboratories & Technische Universiteit Eindhoven. 1833: 1192: 1041: 772: 739: 2598: 1639: 1573: 1419: 399: 260: 175: 2116: 1897: 432: 1769: 1749: 1691: 1283: 1199: 1152: 414: 403: 363: 2244: 2239: 1576:(TLS) and its predecessor SSL — cryptographic protocols for Internet secure communications. 1446: 171: 3195: 2391: 2295: 988:, may contain certificate(s) (public) and private keys (password protected) in a single file. 1287: 1252: 1118: 1038: 928: 606: 382: 264: 3200: 1390: 1056:: a certificate that you trust because it was delivered to you by some trustworthy procedure 728:, and a company like Example, LLC is the owner of the domain, and the owner was verified by 3045: 2983: 2942: 2130: 2012: 1911: 1850: 1784: 1754: 1744: 1620: 1493: 1340: 1204: 453: 445: 422: 240: 187: 89: 2367: 2208:"What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?" 1123: 958:. The format used by Windows for certificate interchange. Supported by Java but often has 8: 3024: 2416: 1779: 1387: 1155:. Note that these are in addition to the two self-signed certificates (one old, one new). 508: 441: 272: 2770: 2243: This article incorporates text from this source, which is available under the 1554: 2537: 1978: 1739: 1722: 1383: 1178: 769: 756: 407: 198: 194: 3212: 2113: 2080: 1894: 1196: 3023: 2300: 2226: 1523: 1471: 740: 579: 485: 433: 210: 3248:- decodes to an associative array whose keys correspond to X.509's ASN.1 description 3245: 3035: 2973: 2932: 2120: 2002: 1901: 1840: 1669: 1647: 1624: 1595: 1551: 1512: 1069: 1030: 685: 639: 624: 586: 461: 429: 303: 3027: 2743: 2722: 2681: 255: 3219: 1631: 1583: 1501: 1324: 1264: 1077: 943: 676: 469: 299: 3233: 3226: 3112: 3069: 3065: 3061: 3057: 3048: 3025: 3011: 3007: 3003: 2999: 2995: 2986: 2963: 2945: 2926: 2170: 2166: 2162: 2158: 2154: 2150: 2146: 2142: 2133: 2114: 2015: 1996: 1951: 1947: 1943: 1939: 1935: 1931: 1927: 1923: 1914: 1895: 1853: 1834: 1673: 1651: 1628: 1599: 1225: 1073: 1034: 689: 643: 628: 590: 465: 307: 3287: 1307: 716: 279: 183: 1083: 894: 3261: 2627: 1759: 1508: 489: 449: 278: 2745: 2744: 2659: 1998: 1177: 904: 413: 2873: 2694: 2392:"Everything you Never Wanted to Know about PKI but were Forced to Find Out" 1718: 1705: 1053: 617: 500: 283: 268: 229: 159: 128: 2055: 951: 3187: 2346: 1708: 1698: 1634: 1261: 1200: 1091: 634: 481: 326: 214: 1500: 3229:- Internet X.509 Public Key Infrastructure: Certification Path Building 2522: 1687: 1170: 1064: 755: 596: 351: 1808: 597: 139: 3040: 2978: 2937: 2125: 2041: 2007: 1906: 1845: 1836: 1461: 1415: 1402: 1265: 942: 724:. An EV certificate means a certificate was issued for a domain like 452: 1269: 174:. X.509 certificates are used in many Internet protocols, including 3164:"How To Create an SSH CA to Validate Hosts and Clients with Ubuntu" 395: 3138: 1343: 3242:- can be used to decode and examine an encoded CSR or certificate 1251: 1193: 748: 437: 287: 206: 1683: 1464: 3239: 2462: 1712: 1655: 1589: 1181: 1029:(see the equivalent concept of "certification path" defined by 985: 905: 861: 784: 417: 302: 1789: 1665: 1643: 1567: 1534: 1174: 1020: 1014: 939: 925: 915: 901: 891: 835: 650: 256: 236: 202: 179: 118: 107: 79: 2516:"Certification Authority — Certification Practice Statement" 2112: 1893: 2969: 2344: 1586:(CRL) — this is to check certificate revocation status 1544: 1235: 1112: 610: 473: 334: 330: 291: 1832: 1375: 816: 476:-approved way of checking a certificate's validity is the 406: 2352:. Computer Security Journal (Volume XVI, Number 1, 2000). 2324:"Web Services Security X.509 Token Profile Version 1.1.1" 1715: 1516: 1455: 1306: 1268: 3083:"PKCS 12: Personal Information Exchange Syntax Standard" 2695: 1205: 267:(CAs) for issuing the certificates. This contrasts with 235: 2965: 2038: 1658:(Secure Multipurpose Internet Mail Extensions) and the 16: 2439:"Security Systems Business Plan Sample [2021]" 1635: 635: 2874:"Safari and WebKit do not support SHA-1 certificates" 2684:. International Association for Cryptologic Research. 484: 3113:"Public-Key Infrastructure (X.509) (pkix) - Charter" 2961: 2294: 2023:sec. 4: MIME registrations. 1134: 2081:"Bug 110161 - (ocspdefault) enable OCSP by default" 1197: 1128:"cert2.2 → cert2" and "cert2.2 → cert2.1 → cert1". 699: 696:uses both extensions to specify certificate usage. 680: 186:. They are also used in offline applications, like 2662:. Eindhoven University of Technology. 16 June 2011 2465:"Sub-Prime PKI: Attacking Extended Validation SSL" 763: 298:usually refers to the IETF's PKIX certificate and 2928:PKCS #7: Cryptographic Message Syntax Version 1.5 2561: 1346:Revocation of root certificates is not addressed, 3259: 1435:Many implementations turn off revocation check: 1386:. The Race to the Bottom is partly addressed by 1323:Use of blocklisting invalid certificates (using 2898: 2624:Lenstra, Arjen; de Weger, Benne (19 May 2005). 2623: 2463:Michael Zusman; Alexander Sotirov (July 2009). 2182: 1470:By using illegal 0x80 padded subidentifiers of 1087:Example 1: Cross-certification between two PKIs 970:way to include certification-path certificates. 2794: 1994: 1969: 1967: 1965: 1963: 1617:National Institute of Standards and Technology 2261:Understanding Certification Path Construction 1151:certificates are self-issued, but neither is 1142:Understanding Certification Path Construction 838:. May be in DER or PEM form that starts with 599:X.520 The Directory: Selected attribute types 495: 388:Simple Certificate Enrollment Protocol (SCEP) 263:. It assumes a strict hierarchical system of 2720: 2596: 2569:. Institute For Disruptive Studies. Blackhat 2281:Qualified Subordination Deployment Scenarios 2205: 1452:Name and policy constraints hardly supported 1164: 720:after someone responded to an email sent to 2564:"More Tricks for Defeating SSL in Practice" 2491:"Extended Validation Certificates are Dead" 2382: 2380: 2231:: CS1 maint: numeric names: authors list ( 1960: 1487:Digital signature systems depend on secure 1482: 1438:Seen as obstacle, policies are not enforced 1317: 1246: 243:), in ITU-T Study Group 17 and is based on 3201:X.509 implementation notes and style guide 2108: 2106: 2104: 2102: 2100: 2098: 1561: 1021:Certificate chains and cross-certification 705:level of assurances using an email called 3039: 2977: 2936: 2924: 2538:"Logius: Dutch Government CA trust issue" 2362: 2297:PKI: Implementing and Managing E-Security 2124: 2006: 1905: 1844: 1828: 1826: 1184: 2488: 2377: 2318: 2316: 2278:"Cross-Certification Between Root CAs". 1545:Mitigations for cryptographic weaknesses 1426: 1090: 1082: 3017: 2955: 2918: 2414: 2095: 1973: 1458:Enforcement of custom OIDs is difficult 1376:Problems with certification authorities 908:for email signing. Defined in RFC 2311. 834:– exported private key as specified in 585:The structure of version 1 is given in 468:also include standards for certificate 226:certification path validation algorithm 182:, the secure protocol for browsing the 3260: 2962:T. Dierks; E. Rescorla (August 2008). 2417:"Revocation checking and Chrome's CRL" 2373:. IEEE Computer (Volume:35, Issue: 8). 1823: 1399:Certification Practice Statement (CPS) 1262:https://www.globalsign.com/repository/ 1201:https://www.globalsign.com/repository/ 1052:The last certificate in the list is a 966:style certificates, this format has a 170:(ITU) standard defining the format of 2848:"Microsoft Security Advisory 4010323" 2751:. CWI Amsterdam & Google Research 2313: 2257: 1995:Housley, R.; Hoffman, P. (May 1999). 1606: 1066:certification path validation process 946:(rarely) but not a private key. Uses 844:-----BEGIN ENCRYPTED PRIVATE KEY----- 394:. The organization first generates a 392:Certificate Management Protocol (CMP) 168:International Telecommunication Union 2822:"The end of SHA-1 on the Public Web" 2746:"The first collision for full SHA-1" 1369:Extended Validation (EV) certificate 558:Subject Unique Identifier (optional) 286:. It can be used in a peer-to-peer, 250: 3240:CSR Decoder and Certificate Decoder 2899:Daniel Stenburg (10 January 2017). 2795:Andrew Whalley (16 November 2016). 2702:. Macquarie University and Qualcomm 2386: 2299:. RSA Press - Osborne/McGraw-Hill. 1871:"Monumental Cybersecurity Blunders" 1277: 870:-----BEGIN CERTIFICATE REQUEST----- 555:Issuer Unique Identifier (optional) 13: 3252:Understanding Digital Certificates 3211:. RSA Laboratories. Archived from 3089:. RSA Laboratories. Archived from 2368:"PKI: it's not dead, just resting" 2185:"All About Certificate Extensions" 1676:profile for authenticating peers. 1580:Online Certificate Status Protocol 1526:and Marc Stevens presented at the 1266:http://crl.globalsign.net/root.crl 648:joint-iso-ccitt(2) ds(5) id-ce(29) 478:Online Certificate Status Protocol 364:Uniform Type Identifier (UTI) 14: 3299: 3181: 3119:. Internet Engineering Task Force 2771:"Baseline Requirements Documents" 2723:"SHA-1 Collision Attacks Now 252" 2597:Dan Kaminsky (29 December 2009). 2415:Langley, Adam (5 February 2012). 2345:Carl Ellison and Bruce Schneier. 1270:http://ocsp.globalsign.com/rootr1 1135:Example 2: CA certificate renewal 1095:Example 2: CA certificate renewal 384:Certificate Signing Request (CSR) 312:Public Key Infrastructure (X.509) 247:(ASN.1), another ITU-T standard. 2640:from the original on 14 May 2013 2489:Hunt, Troy (17 September 2018). 2238: 1988: 1887: 1681:OpenCable security specification 1286:root certificate representing a 962:as an extension instead. Unlike 842:. The encrypted key starts with 781:Privacy-enhanced Electronic Mail 768:There are several commonly used 700:Extended Validation certificates 3156: 3131: 3105: 3075: 3032:Internet Engineering Task Force 2901:"Lesser HTTPS for non-browsers" 2892: 2866: 2840: 2814: 2788: 2763: 2737: 2714: 2688: 2674: 2652: 2617: 2590: 2587:Rec. ITU-T X.690, clause 8.19.2 2581: 2555: 2529: 2508: 2482: 2456: 2431: 2408: 2356: 2338: 2288: 2271: 2258:Lloyd, Steve (September 2002). 2251: 2199: 2176: 1613:Internet Engineering Task Force 868:(CSR). In PEM form starts with 764:Certificate filename extensions 571:Certificate Signature Algorithm 472:(CRL) implementations. Another 340: 3283:ITU-T X Series Recommendations 2797:"SHA-1 Certificates in Chrome" 2660:"MD5 considered harmful today" 2183:Nelson B Boyard (9 May 2002). 2073: 2048: 2026: 1863: 1801: 791:certificate, enclosed between 1: 2206:sysadmin1138 (May 19, 2009). 1795: 1148:. PKI Forum. September 2002. 994:Personal Information eXchange 507:The structure of an X.509 v3 425:to reduce the risk of fraud. 41:1.0 at November 25, 1988 2721:Dennis Dwyer (2 June 2009). 2535: 1735:Abstract Syntax Notation One 1528:Chaos Communication Congress 1489:cryptographic hash functions 1476:Chaos Communication Congress 1449:rfc822Name has two notations 1314:and other security experts. 502:Abstract Syntax Notation One 245:Abstract Syntax Notation One 222:certificate revocation lists 7: 2801:Google Online Security Blog 1765:PKI Resource Query Protocol 1728: 1301: 1103: 1008:Certificate Revocation List 866:Certificate Signing Request 840:-----BEGIN PRIVATE KEY----- 793:-----BEGIN CERTIFICATE----- 310:, commonly called PKIX for 10: 3304: 3209:"Crypto FAQ from RSA Labs" 3192:Peter Gutmann's articles: 3072:. 3014:. 2562:Moxie Marlinspike (2009). 2173:. 496:Structure of a certificate 428:An organization's trusted 2931:. Network Working Group. 2605:. Der Chaos Computer Club 2284:. Microsoft. August 2009. 2001:. Network Working Group. 1839:. Network Working Group. 1775:Public Key Infrastructure 1420:man-in-the-middle attacks 1231:Authority Key Identifier 1165:Sample X.509 certificates 955: 869: 843: 839: 797:-----END CERTIFICATE----- 796: 792: 730:Articles of Incorporation 362: 350: 319:Public Key Infrastructure 178:, which is the basis for 134: 124: 113: 103: 95: 85: 75: 55: 37: 33:In force (Recommendation) 29: 24: 3246:phpseclib: X.509 Decoder 2925:B Kaliski (March 1998). 2599:"26C3: Black Ops Of PKI" 1654:profile of X.509, as do 1615:in conjunction with the 1574:Transport Layer Security 1483:Cryptographic weaknesses 1388:Extended Validation (EV) 1318:Architectural weaknesses 1282:This is an example of a 1247:Intermediate certificate 954:or PEM that starts with 711:Extended Validation (EV) 544:Subject Public Key Info 352:Internet media type 261:man-in-the-middle attack 3273:Public-key cryptography 3268:Cryptographic protocols 3188:ITU-T's X.509 standards 1770:Public-key cryptography 1750:Communications security 1562:PKI standards for X.509 741:Object Identifier (OID) 618:signing digital objects 580:object identifier (OID) 415:certification authority 368:public.x509-certificate 265:certificate authorities 172:public key certificates 3220:Secure code guidelines 2994:Obsoleted by RFC  2759:– via Shattered. 2725:. SecureWorks Insights 2697:"SHA-1 collisions now" 1979:"Engineering Security" 1706:Microsoft Authenticode 1185:End-entity certificate 1096: 1088: 707:Domain Validation (DV) 684:In general when using 561:Extensions (optional) 524:Signature Algorithm ID 43:; 35 years ago 3278:ITU-T recommendations 3060:. Obsoletes RFC  2998:; obsoletes RFC  2826:Mozilla Security Blog 2161:. Obsoletes RFC  1942:. Obsoletes RFC  1582:(OCSP) / certificate 1427:Implementation issues 1288:certificate authority 1253:certificate authority 1094: 1086: 956:-----BEGIN PKCS7----- 722:webmaster@example.com 574:Certificate Signature 357:application/pkix-cert 213:by the corresponding 188:electronic signatures 117:ISO/IEC 9594-8:2020, 63:; 2 years ago 61:October 14, 2021 3215:on 30 December 2006. 3056:Updated by RFC  2141:Updated by RFC  1922:Updated by RFC  1785:Trusted timestamping 1755:Information security 1745:Code Access Security 1558:SHA-1 certificates. 812:– usually in binary 668:Extended Key Usage, 547:Public Key Algorithm 423:separation of duties 317:An early issue with 90:ITU-T Study Group 17 3139:"Pkix Status Pages" 3068:. Updates RFC  3010:; updates RFC  1780:Time stamp protocol 1350:Aggregation problem 1108:In these diagrams: 770:filename extensions 654:Basic Constraints, 509:digital certificate 347: 220:X.509 also defines 21: 3054:Proposed Standard. 2828:. 23 February 2017 2525:. August 19, 2016. 2347:"Top 10 PKI risks" 2139:Proposed Standard. 2021:Proposed Standard. 1920:Proposed Standard. 1740:Certificate policy 1723:Trust On First Use 1607:PKIX Working Group 1478:"Black OPs of PKI" 1472:object identifiers 1384:Race to the Bottom 1362:Federation problem 1356:Delegation problem 1097: 1089: 757:Race to the Bottom 550:Subject Public Key 419:distinguished name 408:Distinguished Name 345: 19: 3254:Microsoft TechNet 2419:. Imperial Violet 2034:"x509Certificate" 1721:generally uses a 1524:Alexander Sotirov 1240: 1239: 1027:certificate chain 846:and may have the 434:Internet Explorer 430:root certificates 372: 371: 346:X.509 certificate 296:X.509 certificate 251:History and usage 156: 155: 114:Related standards 3295: 3216: 3176: 3175: 3173: 3171: 3160: 3154: 3153: 3151: 3149: 3135: 3129: 3128: 3126: 3124: 3117:IETF Datatracker 3109: 3103: 3102: 3100: 3098: 3079: 3073: 3052: 3043: 3041:10.17487/RFC6960 3021: 3015: 2990: 2981: 2979:10.17487/RFC5246 2959: 2953: 2949: 2940: 2938:10.17487/RFC2315 2922: 2916: 2915: 2913: 2911: 2896: 2890: 2889: 2887: 2885: 2880:. 16 August 2018 2870: 2864: 2863: 2861: 2859: 2844: 2838: 2837: 2835: 2833: 2818: 2812: 2811: 2809: 2807: 2792: 2786: 2785: 2783: 2781: 2775:CA Browser Forum 2767: 2761: 2760: 2758: 2756: 2750: 2741: 2735: 2734: 2732: 2730: 2718: 2712: 2711: 2709: 2707: 2701: 2692: 2686: 2685: 2682:"Eurocrypt 2009" 2678: 2672: 2671: 2669: 2667: 2656: 2650: 2649: 2647: 2645: 2639: 2632: 2621: 2615: 2614: 2612: 2610: 2594: 2588: 2585: 2579: 2578: 2576: 2574: 2568: 2559: 2553: 2552: 2550: 2548: 2536:van Pelt, Cris. 2533: 2527: 2526: 2520: 2512: 2506: 2505: 2503: 2501: 2486: 2480: 2479: 2477: 2475: 2469: 2460: 2454: 2453: 2451: 2450: 2435: 2429: 2428: 2426: 2424: 2412: 2406: 2405: 2403: 2401: 2396: 2384: 2375: 2374: 2372: 2360: 2354: 2353: 2351: 2342: 2336: 2335: 2333: 2331: 2320: 2311: 2310: 2292: 2286: 2285: 2275: 2269: 2268: 2266: 2255: 2249: 2242: 2236: 2230: 2222: 2220: 2218: 2203: 2197: 2196: 2194: 2192: 2180: 2174: 2137: 2128: 2126:10.17487/RFC5280 2110: 2093: 2092: 2090: 2088: 2077: 2071: 2070: 2068: 2066: 2056:"CA:IncludedCAs" 2052: 2046: 2045: 2030: 2024: 2019: 2010: 2008:10.17487/RFC2585 1992: 1986: 1985: 1983: 1971: 1958: 1918: 1909: 1907:10.17487/RFC5280 1891: 1885: 1884: 1882: 1881: 1867: 1861: 1857: 1848: 1846:10.17487/RFC4158 1830: 1821: 1820: 1818: 1816: 1805: 1552:CA/Browser Forum 1513:collision attack 1502:preimage attacks 1278:Root certificate 1236: 1226: 1218: 1217: 1157: 1147: 1005: 991: 983: 979: 975: 965: 961: 957: 937: 933: 923: 913: 899: 889: 883: 871: 859: 855: 849: 845: 841: 833: 829: 825: 819: 811: 807: 803: 798: 794: 778: 751:Security expert 727: 723: 719: 679: 675: 671: 664: 657: 649: 602:recommendation. 530:Validity period 348: 344: 211:digitally signed 152: 149: 147: 145: 143: 141: 71: 69: 64: 51: 49: 44: 22: 18: 3303: 3302: 3298: 3297: 3296: 3294: 3293: 3292: 3258: 3257: 3207: 3196:Overview of PKI 3184: 3179: 3169: 3167: 3162: 3161: 3157: 3147: 3145: 3137: 3136: 3132: 3122: 3120: 3111: 3110: 3106: 3096: 3094: 3081: 3080: 3076: 3022: 3018: 2972:TLS workgroup. 2960: 2956: 2923: 2919: 2909: 2907: 2897: 2893: 2883: 2881: 2872: 2871: 2867: 2857: 2855: 2846: 2845: 2841: 2831: 2829: 2820: 2819: 2815: 2805: 2803: 2793: 2789: 2779: 2777: 2769: 2768: 2764: 2754: 2752: 2748: 2742: 2738: 2728: 2726: 2719: 2715: 2705: 2703: 2699: 2693: 2689: 2680: 2679: 2675: 2665: 2663: 2658: 2657: 2653: 2643: 2641: 2637: 2630: 2622: 2618: 2608: 2606: 2603:CCC Events Blog 2595: 2591: 2586: 2582: 2572: 2570: 2566: 2560: 2556: 2546: 2544: 2534: 2530: 2521:. Version 6.1. 2518: 2514: 2513: 2509: 2499: 2497: 2487: 2483: 2473: 2471: 2467: 2461: 2457: 2448: 2446: 2437: 2436: 2432: 2422: 2420: 2413: 2409: 2399: 2397: 2394: 2385: 2378: 2370: 2361: 2357: 2349: 2343: 2339: 2329: 2327: 2322: 2321: 2314: 2307: 2293: 2289: 2277: 2276: 2272: 2264: 2256: 2252: 2224: 2223: 2216: 2214: 2204: 2200: 2190: 2188: 2181: 2177: 2111: 2096: 2086: 2084: 2079: 2078: 2074: 2064: 2062: 2054: 2053: 2049: 2032: 2031: 2027: 1993: 1989: 1981: 1972: 1961: 1892: 1888: 1879: 1877: 1869: 1868: 1864: 1831: 1824: 1814: 1812: 1807: 1806: 1802: 1798: 1731: 1637: 1609: 1584:revocation list 1564: 1547: 1485: 1429: 1418:, to carry out 1401:. For example, 1378: 1367:Issuance of an 1320: 1304: 1299: 1280: 1275: 1274: 1249: 1234: 1224: 1213: 1212: 1209: 1187: 1167: 1145: 1139: 1137: 1125: 1106: 1023: 1003: 989: 981: 977: 973: 963: 959: 935: 931: 921: 911: 897: 887: 881: 857: 853: 847: 831: 827: 823: 817: 809: 805: 801: 776: 766: 725: 721: 717: 702: 678:{ id-pkix 3 4 } 677: 674:{ id-pkix 3 1 } 673: 669: 662: 655: 647: 637: 511:is as follows: 498: 470:revocation list 358: 343: 253: 138: 67: 65: 62: 60: 47: 45: 42: 38:First published 17: 12: 11: 5: 3301: 3291: 3290: 3285: 3280: 3275: 3270: 3256: 3255: 3249: 3243: 3237: 3230: 3223: 3217: 3205: 3204: 3203: 3198: 3190: 3183: 3182:External links 3180: 3178: 3177: 3166:. DigitalOcean 3155: 3130: 3104: 3093:on 6 July 2017 3074: 3016: 2954: 2951:Informational. 2917: 2891: 2865: 2839: 2813: 2787: 2762: 2736: 2713: 2687: 2673: 2651: 2616: 2589: 2580: 2554: 2528: 2507: 2481: 2455: 2430: 2407: 2388:Gutmann, Peter 2376: 2355: 2337: 2312: 2305: 2287: 2270: 2250: 2198: 2175: 2094: 2072: 2047: 2025: 1987: 1977:(April 2014). 1975:Gutmann, Peter 1959: 1886: 1862: 1859:Informational. 1822: 1799: 1797: 1794: 1793: 1792: 1787: 1782: 1777: 1772: 1767: 1762: 1757: 1752: 1747: 1742: 1737: 1730: 1727: 1636: 1633: 1608: 1605: 1604: 1603: 1593: 1587: 1577: 1571: 1563: 1560: 1546: 1543: 1542: 1541: 1538: 1531: 1520: 1519:hash function. 1505: 1494:hash collision 1484: 1481: 1480: 1479: 1468: 1465: 1462: 1459: 1456: 1453: 1450: 1447: 1444: 1443: 1442: 1439: 1428: 1425: 1424: 1423: 1411: 1407: 1395: 1377: 1374: 1373: 1372: 1365: 1359: 1353: 1347: 1344: 1341: 1338: 1337: 1336: 1319: 1316: 1308:Bruce Schneier 1303: 1300: 1296: 1279: 1276: 1258: 1257: 1248: 1245: 1238: 1237: 1232: 1228: 1227: 1222: 1210: 1189: 1188: 1186: 1183: 1166: 1163: 1136: 1133: 1124: 1121: 1120: 1119: 1116: 1113: 1105: 1102: 1068:as defined by 1058: 1057: 1050: 1046: 1022: 1019: 1012: 1011: 1001: 971: 929: 919: 909: 895: 885: 851: 821: 799: 765: 762: 701: 698: 682: 681: 666: 659: 636: 633: 576: 575: 572: 569: 568: 567: 566: 565: 559: 556: 553: 552: 551: 548: 542: 539: 538: 537: 534: 528: 525: 522: 519: 518:Version Number 497: 494: 488:from at least 398:, keeping the 370: 369: 366: 360: 359: 356: 354: 342: 339: 252: 249: 154: 153: 136: 132: 131: 126: 122: 121: 115: 111: 110: 105: 104:Base standards 101: 100: 97: 93: 92: 87: 83: 82: 77: 73: 72: 57: 56:Latest version 53: 52: 39: 35: 34: 31: 27: 26: 15: 9: 6: 4: 3: 2: 3300: 3289: 3286: 3284: 3281: 3279: 3276: 3274: 3271: 3269: 3266: 3265: 3263: 3253: 3250: 3247: 3244: 3241: 3238: 3235: 3231: 3228: 3224: 3221: 3218: 3214: 3210: 3206: 3202: 3199: 3197: 3194: 3193: 3191: 3189: 3186: 3185: 3165: 3159: 3144: 3140: 3134: 3118: 3114: 3108: 3092: 3088: 3084: 3078: 3071: 3067: 3063: 3059: 3055: 3050: 3047: 3042: 3037: 3033: 3029: 3028: 3020: 3013: 3009: 3005: 3001: 2997: 2993: 2988: 2985: 2980: 2975: 2971: 2967: 2966: 2958: 2952: 2947: 2944: 2939: 2934: 2930: 2929: 2921: 2906: 2902: 2895: 2879: 2878:Apple Support 2875: 2869: 2853: 2849: 2843: 2827: 2823: 2817: 2802: 2798: 2791: 2776: 2772: 2766: 2747: 2740: 2724: 2717: 2698: 2691: 2683: 2677: 2661: 2655: 2636: 2629: 2628: 2620: 2604: 2600: 2593: 2584: 2565: 2558: 2543: 2539: 2532: 2524: 2517: 2511: 2496: 2492: 2485: 2466: 2459: 2444: 2440: 2434: 2418: 2411: 2393: 2389: 2383: 2381: 2369: 2365: 2364:Peter Gutmann 2359: 2348: 2341: 2325: 2319: 2317: 2308: 2306:0-07-213123-3 2302: 2298: 2291: 2283: 2282: 2274: 2263: 2262: 2254: 2248: 2246: 2241: 2234: 2228: 2213: 2209: 2202: 2186: 2179: 2172: 2168: 2164: 2160: 2156: 2152: 2148: 2144: 2140: 2135: 2132: 2127: 2122: 2118: 2117: 2109: 2107: 2105: 2103: 2101: 2099: 2082: 2076: 2061: 2057: 2051: 2043: 2039: 2035: 2029: 2022: 2017: 2014: 2009: 2004: 2000: 1999: 1991: 1980: 1976: 1970: 1968: 1966: 1964: 1957: 1953: 1949: 1945: 1941: 1937: 1933: 1929: 1925: 1921: 1916: 1913: 1908: 1903: 1899: 1898: 1890: 1876: 1872: 1866: 1860: 1855: 1852: 1847: 1842: 1838: 1837: 1829: 1827: 1810: 1804: 1800: 1791: 1788: 1786: 1783: 1781: 1778: 1776: 1773: 1771: 1768: 1766: 1763: 1761: 1760:ISO/IEC JTC 1 1758: 1756: 1753: 1751: 1748: 1746: 1743: 1741: 1738: 1736: 1733: 1732: 1726: 1724: 1720: 1716: 1714: 1709: 1707: 1702: 1700: 1695: 1693: 1689: 1686:Devices like 1684: 1682: 1677: 1675: 1671: 1667: 1663: 1661: 1657: 1653: 1649: 1645: 1641: 1632: 1630: 1626: 1622: 1618: 1614: 1611:In 1995, the 1601: 1597: 1594: 1591: 1588: 1585: 1581: 1578: 1575: 1572: 1569: 1566: 1565: 1559: 1555: 1553: 1539: 1536: 1532: 1529: 1525: 1521: 1518: 1514: 1510: 1509:Arjen Lenstra 1506: 1503: 1499: 1498: 1497: 1495: 1490: 1477: 1473: 1469: 1466: 1463: 1460: 1457: 1454: 1451: 1448: 1445: 1440: 1437: 1436: 1434: 1433: 1432: 1421: 1417: 1412: 1408: 1404: 1400: 1396: 1393: 1392:Peter Gutmann 1389: 1385: 1380: 1379: 1370: 1366: 1363: 1360: 1357: 1354: 1351: 1348: 1345: 1342: 1339: 1333: 1332: 1330: 1326: 1322: 1321: 1315: 1313: 1312:Peter Gutmann 1309: 1295: 1293: 1289: 1285: 1271: 1267: 1263: 1256: 1254: 1244: 1233: 1230: 1229: 1223: 1220: 1219: 1216: 1206: 1202: 1198: 1194: 1182: 1180: 1176: 1172: 1162: 1158: 1156: 1154: 1144: 1143: 1132: 1129: 1117: 1114: 1111: 1110: 1109: 1101: 1093: 1085: 1081: 1079: 1075: 1071: 1067: 1062: 1055: 1051: 1047: 1044: 1043: 1042: 1040: 1036: 1032: 1028: 1018: 1016: 1009: 1002: 999: 995: 987: 972: 969: 953: 949: 945: 941: 930: 927: 920: 917: 910: 907: 903: 896: 893: 886: 879: 875: 867: 863: 852: 837: 822: 815: 800: 790: 786: 782: 775: 774: 773: 771: 761: 758: 754: 753:Peter Gutmann 749: 745: 742: 737: 733: 731: 714: 712: 708: 697: 695: 691: 687: 667: 660: 653: 652: 651: 645: 641: 632: 630: 626: 621: 619: 614: 612: 608: 603: 601: 600: 594: 592: 588: 583: 581: 573: 570: 563: 562: 560: 557: 554: 549: 546: 545: 543: 540: 535: 532: 531: 529: 526: 523: 521:Serial Number 520: 517: 516: 514: 513: 512: 510: 505: 503: 493: 491: 487: 483: 479: 475: 471: 467: 463: 458: 455: 451: 447: 443: 439: 435: 431: 426: 424: 420: 416: 411: 409: 405: 401: 397: 393: 389: 385: 380: 378: 367: 365: 361: 355: 353: 349: 338: 336: 332: 328: 322: 320: 315: 313: 309: 305: 301: 297: 293: 289: 285: 281: 276: 274: 271:models, like 270: 266: 262: 258: 248: 246: 242: 238: 233: 231: 227: 223: 218: 216: 212: 208: 204: 200: 196: 191: 189: 185: 181: 177: 173: 169: 165: 161: 151: 137: 133: 130: 127: 123: 120: 116: 112: 109: 106: 102: 98: 94: 91: 88: 84: 81: 78: 74: 58: 54: 40: 36: 32: 28: 23: 3213:the original 3168:. Retrieved 3158: 3146:. Retrieved 3142: 3133: 3121:. Retrieved 3116: 3107: 3095:. Retrieved 3091:the original 3086: 3077: 3053: 3026: 3019: 2991: 2964: 2957: 2950: 2927: 2920: 2908:. Retrieved 2904: 2894: 2884:10 September 2882:. Retrieved 2877: 2868: 2856:. Retrieved 2851: 2842: 2830:. Retrieved 2825: 2816: 2804:. Retrieved 2800: 2790: 2778:. Retrieved 2774: 2765: 2755:10 September 2753:. Retrieved 2739: 2727:. Retrieved 2716: 2706:10 September 2704:. Retrieved 2690: 2676: 2666:29 September 2664:. Retrieved 2654: 2644:28 September 2642:. Retrieved 2626: 2619: 2609:29 September 2607:. Retrieved 2602: 2592: 2583: 2573:10 September 2571:. Retrieved 2557: 2545:. Retrieved 2541: 2531: 2510: 2498:. Retrieved 2495:TroyHunt.com 2494: 2484: 2474:10 September 2472:. Retrieved 2458: 2447:. Retrieved 2445:. 2014-01-27 2442: 2433: 2421:. Retrieved 2410: 2398:. Retrieved 2358: 2340: 2328:. Retrieved 2296: 2290: 2280: 2273: 2267:. PKI Forum. 2260: 2253: 2245:CC BY-SA 2.5 2237: 2215:. Retrieved 2212:Server Fault 2211: 2201: 2191:10 September 2189:. Retrieved 2178: 2138: 2115: 2085:. Retrieved 2075: 2063:. Retrieved 2060:Mozilla Wiki 2059: 2050: 2037: 2028: 2020: 1997: 1990: 1955: 1919: 1896: 1889: 1878:. Retrieved 1875:circleid.com 1874: 1865: 1858: 1835: 1813:. Retrieved 1803: 1717: 1710: 1703: 1696: 1685: 1678: 1668:can use the 1664: 1638: 1610: 1556: 1548: 1486: 1430: 1361: 1355: 1349: 1305: 1281: 1250: 1241: 1214: 1168: 1159: 1149: 1141: 1138: 1130: 1126: 1107: 1098: 1063: 1059: 1054:trust anchor 1049:certificate) 1026: 1024: 1013: 993: 967: 877: 873: 767: 750: 746: 738: 734: 715: 710: 706: 703: 683: 670:{ id-ce 37 } 663:{ id-ce 15 } 656:{ id-ce 19 } 638: 622: 615: 604: 598: 595: 584: 577: 541:Subject name 515:Certificate 506: 499: 459: 427: 412: 381: 376: 373: 341:Certificates 327:web browsers 323: 316: 311: 295: 277: 269:web of trust 254: 234: 230:trust anchor 219: 192: 163: 160:cryptography 157: 129:Cryptography 76:Organization 2854:. Microsoft 2729:24 February 2500:26 February 2400:14 November 1699:WS-Security 1688:smart cards 1292:trust store 1284:self-signed 1195:OCSP - URI: 1153:self-signed 878:certificate 726:example.com 718:example.com 661:Key Usage, 527:Issuer Name 492:and later. 482:Firefox 3.0 460:X.509 and 400:private key 215:private key 3262:Categories 3143:IETF Tools 2905:Daniel Hax 2547:31 October 2523:Apple, Inc 2470:. Blackhat 2449:2021-06-30 2443:OGScapital 2423:2 February 2217:19 October 2065:17 January 1880:2022-09-03 1815:6 November 1796:References 1171:GlobalSign 874:public key 850:extension. 533:Not Before 404:public key 68:2021-10-14 48:1988-11-25 3232:RFC  3225:RFC  3123:1 October 2992:Obsolete. 2187:. Mozilla 2083:. Mozilla 2042:Apple Inc 1522:In 2008, 1507:In 2005, 1416:DigiNotar 1406:purpose". 1403:Apple Inc 960:.keystore 936:.keystore 536:Not After 504:(ASN.1). 86:Committee 3170:19 March 3148:10 March 3097:19 March 3034:(IETF). 2910:19 March 2832:19 March 2806:19 March 2780:19 March 2635:Archived 2542:Bugzilla 2330:14 March 2247:license. 2227:cite web 2087:17 March 1729:See also 1646:use the 1302:Security 1104:Examples 950:form or 787:encoded 480:(OCSP). 396:key pair 148:/T-REC-X 3087:EMC.com 2852:Technet 2326:. Oasis 1660:EAP-TLS 1640:TLS/SSL 1515:on the 1221:Issuer 1080:, etc. 986:PKCS#12 982:.pkcs12 968:defined 862:PKCS#10 486:Windows 438:Firefox 288:OpenPGP 280:bridges 207:ed25519 176:TLS/SSL 135:Website 66: ( 46: ( 2858:16 May 2303:  1713:OPC UA 1672:  1656:S/MIME 1650:  1627:  1598:  1590:PKCS12 1072:  1033:  1015:PKCS#7 940:PKCS#7 926:PKCS#7 916:PKCS#7 906:S/MIME 902:PKCS#7 892:PKCS#7 836:PKCS#8 820:above) 785:Base64 688:  642:  627:  589:  464:  450:Chrome 446:Safari 377:cannot 333:, and 306:  284:meshes 166:is an 125:Domain 96:Series 30:Status 3288:X.500 2749:(PDF) 2700:(PDF) 2638:(PDF) 2631:(PDF) 2567:(PDF) 2519:(PDF) 2468:(PDF) 2395:(PDF) 2371:(PDF) 2350:(PDF) 2265:(PDF) 1982:(PDF) 1811:. ITU 1790:EdDSA 1666:IPsec 1644:HTTPS 1568:PKCS7 1535:SHA-1 1175:ECDSA 1146:(PDF) 490:Vista 442:Opera 257:X.500 237:ITU-T 203:ECDSA 180:HTTPS 164:X.509 119:X.500 108:ASN.1 80:ITU-T 20:X.509 3234:5280 3227:4158 3172:2017 3150:2017 3125:2013 3099:2017 3070:5912 3066:2560 3064:and 3062:6277 3058:8954 3049:6960 3012:4492 3008:4366 3006:and 3004:4346 3000:3268 2996:8446 2987:5246 2970:IETF 2946:2315 2912:2017 2886:2020 2860:2017 2834:2017 2808:2017 2782:2017 2757:2020 2731:2016 2708:2020 2668:2013 2646:2013 2611:2013 2575:2020 2549:2017 2502:2019 2476:2020 2425:2017 2402:2011 2332:2017 2301:ISBN 2233:link 2219:2023 2193:2020 2171:3280 2169:and 2167:4325 2163:4630 2159:6818 2157:and 2155:8399 2151:8398 2147:9598 2143:9549 2134:5280 2089:2016 2067:2017 2016:2585 1952:3280 1950:and 1948:4325 1944:4630 1940:6818 1938:and 1936:8399 1932:8398 1928:9598 1924:9549 1915:5280 1854:4158 1817:2019 1711:The 1704:The 1697:The 1692:TPMs 1690:and 1679:The 1674:4945 1652:5280 1642:and 1629:3280 1621:RFCs 1600:4158 1329:OCSP 1327:and 1325:CRLs 1078:CRLs 1074:5280 1035:5280 1006:– A 1004:.crl 990:.pfx 978:.pfx 974:.p12 964:.pem 944:CRLs 932:.p7b 922:.p7c 912:.p7m 898:.p7s 888:.p7r 882:.p7r 858:.csr 854:.p10 848:.p8e 832:.pk8 828:.p8e 818:.pem 810:.der 806:.crt 802:.cer 795:and 777:.pem 690:5280 644:5280 629:5280 611:IETF 591:1422 474:IETF 466:5280 448:and 335:Wget 331:cURL 308:5280 292:IETF 282:and 241:SG17 150:.509 146:/rec 144:.int 142:.itu 3222:Sun 3046:RFC 3036:doi 2984:RFC 2974:doi 2943:RFC 2933:doi 2131:RFC 2121:doi 2013:RFC 2003:doi 1912:RFC 1902:doi 1851:RFC 1841:doi 1719:SSH 1670:RFC 1648:RFC 1625:RFC 1596:RFC 1517:MD5 1410:it" 1331:), 1179:RSA 1070:RFC 1031:RFC 998:IIS 952:BER 948:DER 824:.p8 814:DER 789:DER 779:– ( 713:. 694:NSS 686:RFC 640:RFC 631:). 625:RFC 620:). 587:RFC 564:... 462:RFC 454:SSL 390:or 304:RFC 300:CRL 273:PGP 239:'s 199:DSA 195:RSA 184:web 158:In 140:www 59:9.1 3264:: 3141:. 3115:. 3085:. 3044:. 3030:. 3002:, 2982:. 2968:. 2941:. 2903:. 2876:. 2850:. 2824:. 2799:. 2773:. 2601:. 2540:. 2493:. 2441:. 2390:. 2379:^ 2366:. 2315:^ 2229:}} 2225:{{ 2210:. 2165:, 2153:, 2149:, 2145:, 2129:. 2119:. 2097:^ 2058:. 2040:. 2036:. 2011:. 1962:^ 1954:. 1946:, 1934:, 1930:, 1926:, 1910:. 1900:. 1873:. 1849:. 1825:^ 1310:, 1039:CA 1025:A 1000:). 992:– 984:– 980:, 976:, 938:– 934:, 924:– 914:– 900:– 890:– 864:a 860:– 856:, 830:, 826:, 808:, 804:, 783:) 732:. 607:CA 593:. 444:, 440:, 436:, 386:, 329:, 314:. 232:. 217:. 205:, 201:, 197:, 190:. 162:, 3174:. 3152:. 3127:. 3101:. 3051:. 3038:: 2989:. 2976:: 2948:. 2935:: 2914:. 2888:. 2862:. 2836:. 2810:. 2784:. 2733:. 2710:. 2670:. 2648:. 2613:. 2577:. 2551:. 2504:. 2478:. 2452:. 2427:. 2404:. 2334:. 2309:. 2235:) 2221:. 2195:. 2136:. 2123:: 2091:. 2069:. 2044:. 2018:. 2005:: 1984:. 1917:. 1904:: 1883:. 1856:. 1843:: 1819:. 884:. 99:X 70:) 50:)