Knowledge (XXG)

X.509

DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:*.zero.wikipedia.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org, DNS:wikipedia.org X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Key Identifier: 28:2A:26:2A:57:8B:3B:CE:B4:D6:AB:54:EF:D7:38:21:2C:49:5C:36 X509v3 Authority Key Identifier: keyid:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C
2014 GMT Not After : Feb 20 10:00:00 2024 GMT Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c7:0e:6c:3f:23:93:7f:cc:70:a5:9d:20:c3:0e: ... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Subject Key Identifier: 96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C X509v3 Certificate Policies: Policy: X509v3 Any Policy CPS:
1998 GMT Not After : Jan 28 12:00:00 2028 GMT Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b: ... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B Signature Algorithm: sha1WithRSAEncryption d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5: ...
Nov 21 08:00:00 2016 GMT Not After : Nov 22 07:59:59 2017 GMT Subject: C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 00:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5: af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e: 9d:3b:ef ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Agreement Authority Information Access: CA Issuers - URI:
, they can convince a CA to sign a certificate with innocuous contents, where the hash of those contents is identical to the hash of another, malicious set of certificate contents, created by the attacker with values of their choosing. The attacker can then append the CA-provided signature to their malicious certificate contents, resulting in a malicious certificate that appears to be signed by the CA. Because the malicious certificate contents are chosen solely by the attacker, they can have different validity dates or hostnames than the innocuous certificate. The malicious certificate can even contain a "CA: true" field making it able to issue further trusted certificates.
(PKI) and X.509 certificates was the well-known "which directory" problem. The problem is that the client does not know where to fetch missing intermediate certificates because the global X.500 directory never materialized. The problem was mitigated by including all intermediate certificates in a request. For example, early web servers only sent the web server's certificate to the client. Clients that lacked an intermediate CA certificate, or did not know where to find one, failed to build a valid path from the CA to the server's certificate. To work around the problem, web servers now send all the intermediate certificates along with the web server's certificate.
, if a certificate has several extensions restricting its use, all restrictions must be satisfied for a given use to be appropriate. The RFC gives the specific example of a certificate containing both keyUsage and extendedKeyUsage: in this case, both must be processed and the certificate can only be used if both extensions are coherent in specifying the usage of a certificate. For example,
, which is a set of values, together with either a critical or non-critical indication.
A certificate-using system must reject the certificate if it encounters a critical extension that it does not recognize, or a critical extension that contains information that it cannot process. A non-critical extension may be ignored if it is not recognized, but must be processed if it is recognized.
CAs cannot technically restrict subordinate CAs from issuing certificates outside a limited namespace or attribute set; this feature of X.509 is not in use. Therefore, a large number of CAs exist on the Internet, and classifying them and their policies is an insurmountable task. Delegation of authority within an organization cannot be handled at all, as in common business practice.
different private keys (from different CAs or different private keys from the same CA). So, although a single X.509 certificate can have only one issuer and one CA signature, it can be validly linked to more than one certificate, building completely different certificate chains. This is crucial for cross-certification between PKIs and other applications. See the following examples:
This certificate signed the end-entity certificate above, and was signed by the root certificate below. Note that the subject field of this intermediate certificate matches the issuer field of the end-entity certificate that it signed. Also, the "subject key identifier" field in the intermediate matches the "authority key identifier" field in the end-entity certificate.
, are used to indicate whether the certificate is a CA certificate and can certify or issue other certificates. A constraint can be marked as critical. If a constraint is marked critical, then an agent must fail to process the certificate if the agent does not understand the constraint. An agent can continue to process a non-critical constraint it does not understand.
Certificate chains that are the result of subordinate CAs, bridge CAs, and cross-signing make validation complex and expensive in terms of processing time. Path validation semantics may be ambiguous. The hierarchy with a third-party trusted party is the only model. This is inconvenient when a bilateral trust relationship is already in place.
, etc.), and is either signed by a certificate authority or is self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can use the public key it contains to establish secure communications with another party, or validate documents
As of January 1, 2016, the Baseline Requirements forbid issuance of certificates using SHA-1. As of early 2017, Chrome and Firefox reject certificates that use SHA-1. As of May 2017 both Edge and Safari are also rejecting SHA-1 certificates. Non-browser X.509 validators do not yet reject
Certificate: Data: Version: 3 (0x2) Serial Number: 04:00:00:00:00:01:44:4e:f0:42:47 Signature Algorithm: sha256WithRSAEncryption Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA Validity Not Before: Feb 20 10:00:00
Certificate: Data: Version: 3 (0x2) Serial Number: 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6 Signature Algorithm: sha256WithRSAEncryption Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 Validity Not Before:
Certificate chains are used in order to check that the public key (PK) contained in a target certificate (the first certificate in the chain) and other data contained in it effectively belong to its subject. In order to ascertain this, the signature on the target certificate is verified by using the
The CA/Browser Forum's PKI recognizes extended validation and many browsers provide visual feedback to the user to indicate a site provides an EV certificate. Other PKIs, like the Internet's PKI (PKIX), do not place any special emphasis on extended validation. Tools using PKIX policies, like cURL and
To allow for graceful transition from the old signing key pair to the new signing key pair, the CA should issue a certificate that contains the old public key signed by the new private signing key and a certificate that contains the new public key signed by the old private signing key. Both of these
X.509 certificates bind an identity to a public key using a digital signature. In the X.509 system, there are two types of certificates. The first is a CA certificate. The second is an end-entity certificate. A CA certificate can issue other certificates. The top level, self-signed CA certificate is
If the client only trusts certificates when CRLs are available, then they lose the offline capability that makes PKI attractive. So most clients do trust certificates when CRLs are not available, but in that case an attacker that controls the communication channel can disable the CRLs. Adam Langley
Certificate: Data: Version: 3 (0x2) Serial Number: 04:00:00:00:00:01:15:4b:5a:c3:94 Signature Algorithm: sha1WithRSAEncryption Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA Validity Not Before: Sep 1 12:00:00
While PKIX refers to the IETF's or Internet's PKI standard, there are many other PKIs with different policies. For example, the US Government has its own PKI with its own policies, and the CA/Browser Forum has its own PKI with its own policies. The US Government's PKI is a massive book of over 2500
Since both cert1 and cert3 contain the same public key (the old one), there are two valid certificate chains for cert5: "cert5 → cert1" and "cert5 → cert3 → cert2", and analogously for cert6. This allows old user certificates (such as cert5) and new certificates (such as cert6) to be trusted
To ensure that user certificates existing in PKI 2 (like "User 2") are trusted by PKI 1, CA1 generates a certificate (cert2.1) containing the public key of CA2. Now both cert2 and cert2.1 (in green) have the same subject and public key, so there are two valid chains for cert2.2 (User 2):
Certification authorities operating under the CA/Browser Forum's PKI issue certificates with varying levels of validation. The different validations provide different levels of assurances that a certificate represents what it is supposed to. For example, a web server can be validated at the lowest
Like all businesses, CAs are subject to the legal jurisdictions they operate within, and may be legally compelled to compromise the interests of their customers and their users. Intelligence agencies have also made use of false certificates issued through extralegal compromise of CAs, such as
Examining how certificate chains are built and validated, it is important to note that a concrete certificate can be part of very different certificate chains (all of them valid). This is because several CA certificates can be generated for the same subject and public key, but be signed with
X509v3 Subject Alternative Name: DNS:*.wikipedia.org, DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikimediafoundation.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org,
Exploiting a hash collision to forge X.509 signatures requires that the attacker be able to predict the data that the certificate authority will sign. This can be somewhat mitigated by the CA generating a random component in the certificates it signs, typically the serial number. The
PK contained in the following certificate, whose signature is verified using the next certificate, and so on until the last certificate in the chain is reached. As the last certificate is a trust anchor, successfully reaching it will prove that the target certificate can be trusted.
cut into profits. During the race to the bottom, CAs cut prices to lure consumers to purchase their certificates. As a result, profits were reduced and CAs dropped the level of validation they were performing to the point where there were nearly no assurances on a certificate.
, wrong implementations or by using integer overflows of the client's browsers, an attacker can include an unknown attribute in the CSR, which the CA will sign, which the client wrongly interprets as "CN" (OID=2.5.4.3). Dan Kaminsky demonstrated this at the 26th
certificates from major certificate authorities will work instantly; in effect the browsers' developers determine which CAs are trusted third parties for the browsers' users. For example, Firefox provides a CSV and/or HTML file containing a list of Included CAs.
, as stated in the Issuer field. Its Subject field describes Knowledge (XXG) as an organization, and its Subject Alternative Name (SAN) field for DNS describes the hostnames for which it could be used. The Subject Public Key Info field contains an
, EV certificates do not add any additional security controls. Rather, EV certificates merely restore CA profits to levels prior to the Race to the Bottom by allowing a CA to charge more for a service they should have been providing all along.
In a TLS connection, a properly-configured server would provide the intermediate as part of the handshake. However, it's also possible to retrieve the intermediate certificate by fetching the "CA Issuers" URL from the end-entity certificate.
X509v3 Authority Key Identifier: keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B Signature Algorithm: sha256WithRSAEncryption 46:2a:ee:5e:bd:ae:01:60:37:31:11:86:71:74:b6:46:49:c8: ...
sometimes called the Root CA certificate. Other CA certificates are called intermediate CA or subordinate CA certificates. An end-entity certificate identifies the user, like a person, organization or business. An end-entity certificate
, provides a bitmap specifying the cryptographic operations which may be performed using the public key contained in the certificate; for example, it could indicate that the key should be used for signatures but not for encipherment.
to work. When a public key infrastructure allows the use of a hash function that is no longer secure, an attacker can exploit weaknesses in the hash function to forge certificates. Specifically, if an attacker is able to produce a
The person or organization that purchases a certificate will often utilize the least expensive certification authority. In response, CAs have cut prices and removed more expensive validation checks in what is known as a
Identity claims (authenticate with an identifier), attribute claims (submit a bag of vetted attributes), and policy claims are combined in a single container. This raises privacy, policy mapping, and maintenance issues.
Each certificate (except the last one) is signed by the secret key corresponding to the next certificate in the chain (i.e. the signature of one certificate can be verified using the public key contained in the following
Its issuer and subject fields are the same, and its signature can be validated with its own public key. Validation of the trust chain has to end here. If the validating program has this root certificate in its
According to Peter Gutmann, "Users use an undefined certification request protocol to obtain a certificate which is published in an unclear location in a nonexistent directory with no real means to revoke
states in their CPS, "To the extent permitted by applicable law, Subscriber agreements, if applicable, disclaim warranties from Apple, including any warranty of merchantability or fitness for a particular
to assert extended validation. There is no single OID to indicate extended validation, which complicates user agent programming. Each user agent must have a list of OIDs that indicate extended validation.
Extended validation does not add any additional security controls, so the secure channel setup using an EV certificate is not "stronger" than a channel setup using a different level of validation like DV.
for a hostname doesn't prevent issuance of a lower-validation certificate valid for the same hostname, which means that the higher validation level of EV doesn't protect against man-in-the-middle attacks.
These are generated for submission to certificate-authorities (CA). It includes key details of the requested certificate such as Common Name (/CN), subject, organization, state, country, as well as the
-like web of trust, but was rarely used that way as of 2004. The X.500 system has only been implemented by sovereign nations for state identity information sharing treaty fulfillment purposes, and the
— Certification Path Building — guidance and recommendations for building X.509 public-key certification paths within applications (i.e., validating an end-entity certificate using a CA certificate)
a practical attack that allowed them to create a rogue Certificate Authority, accepted by all common browsers, by exploiting the fact that RapidSSL was still issuing X.509 certificates based on MD5.
, is used, typically on a leaf certificate, to indicate the purpose of the public key contained in the certificate. It contains a list of OIDs, each of which indicates an allowed use. For example,
is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure.
goes bankrupt and its name is deleted from the country's public list. After some time another CA with the same name may register itself, even though it is unrelated to the first one. However,
and Benne de Weger demonstrated "how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys", achieved using a
For example, if a PKI has a policy of only issuing certificates on Monday, then common tools like cURL and Wget will not enforce the policy and allow a certificate issued on a Tuesday.
security model and doesn't have need for certificates. However, the popular OpenSSH implementation does support a CA-signed identity model based on its own non-X.509 certificate format.
An X.509 certificate binds an identity to a public key using a digital signature. A certificate contains an identity (a hostname, or an organization, or an individual) and a public key (
Another example is a revocation request of the CA of the Dutch government, because of a Dutch law passed in 2018, giving new powers for the Dutch intelligence and security services
Policy: 2.23.140.1.2.2 X509v3 Basic Constraints: CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:
(DN) that is unique for the person, organization or business. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority.
pages. If an organization's PKI diverges too much from that of the IETF or CA/Browser Forum, then the organization risks losing interoperability with common tools like
Similarly, CA2 can generate a certificate (cert1.1) containing the public key of CA1 so that user certificates existing in PKI 1 (like "User 1") are trusted by PKI 2.
ITU-T introduced issuer and subject unique identifiers in version 2 to permit the reuse of issuer or subject name after some time. An example of reuse will be when a
Implementations suffer from design flaws, bugs, different interpretations of standards and lack of interoperability of different standards. Some problems are:
There are implementation errors with X.509 that allow e.g. falsified subject names using null-terminated strings or code injection attacks in certificates
This is an example of a decoded X.509 certificate that was used in the past by wikipedia.org and several other Knowledge (XXG) websites. It was issued by
's Public-Key Infrastructure (X.509) (PKIX) working group has adapted the standard to the more flexible organization of the Internet. In fact, the term
formed the Public-Key Infrastructure (X.509) working group. The working group, concluded in June 2014, is commonly referred to as "PKIX." It produced
, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a
(and its predecessors) defines a number of certificate extensions which indicate how the certificate should be used. Most of them are arcs from the
, the end-entity certificate can be considered trusted for use in a TLS connection. Otherwise, the end-entity certificate is considered untrusted.
In April 2009 at the Eurocrypt Conference, Australian Researchers of Macquarie University presented "Automatic Differential Path Searching for
issue other certificates. An end-entity certificate is sometimes called a leaf certificate since no other certificates can be issued below it.
indifferently by a party having either the new root CA certificate or the old one as trust anchor during the transition to the new CA keys.
The Extensions field, if present, is a sequence of one or more certificate extensions. Each extension has its own unique ID, expressed as
Since the root certificate already had a self-signature, attackers could use this signature and use it for an intermediate certificate.
method for WiFi authentication. Any protocol that uses TLS, such as SMTP, POP, IMAP, LDAP, XMPP, and many more, inherently uses X.509.
Following is a simplified view of the architectural model assumed by the Public-Key Infrastructure using X.509 (PKIX) specifications.
To validate this end-entity certificate, one needs an intermediate certificate that matches its Issuer and Authority Key Identifier:
A → B means "A is signed by B" (or, more precisely, "A is signed by the secret key corresponding to the public key contained in B").
, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a
of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public
Extensions were introduced in version 3. A CA can use extensions to issue a certificate only for a specific purpose (e.g. only for
(Personal Information Exchange Syntax Standard) — used to store a private key with the appropriate public key certificate
(Cryptographic Message Syntax Standard — public keys with proof of identity for signed and/or encrypted message for PKI)
The researchers were able to deduce a method which increases the likelihood of a collision by several orders of magnitude.
standard. Its first tasks were providing users with secure access to information resources and avoiding a cryptographic
(SignedData, EnvelopedData) Message e.g. encrypted ("enveloped") file, message or MIME email letter. Defined in RFC 2311.
In February 2017, a group of researchers led by Marc Stevens produced a SHA-1 collision, demonstrating SHA-1's weakness.
Signature Algorithm: sha256WithRSAEncryption 8b:c3:ed:d1:9d:39:6f:af:40:72:bd:1e:18:5e:30:54:23:35: ...
Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks
recommends that no issuer and subject names be reused. Therefore, version 2 is not widely deployed in the Internet.
standard defines authentication either through TLS or through its own certificate profile. Both methods use X.509.
(which includes the public key but not the private key), which itself can be in a couple of formats but usually in
If it was turned on in all browsers by default, including code signing, it would probably crash the infrastructure
section 3.2) is a list of certificates (usually starting with an end-entity certificate) followed by one or more
In all versions, the serial number must be unique for each certificate issued by a specific CA (as mentioned in
secret and using it to sign the CSR. The CSR contains information identifying the applicant and the applicant's
The Issuer of each certificate (except the last one) matches the Subject of the next certificate in the list
, where anyone (not just special CAs) may sign and thus attest to the validity of others' key certificates.
of Google has said soft-fail CRL checks are like a safety belt that works except when you have an accident.
section 6, which involves additional checks, such as verifying validity dates on certificates, looking up
Certification authorities attempt to deny almost all warranties to the user and relying parties in their
The roles registration authority and certification authority are usually separate business units under
often carry certificates to identify themselves or their owners. These certificates are in X.509 form.
PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g. with PFX files generated in
and other standards documentation on using and deploying X.509 in practice. In particular it produced
Or a web server can be validated at a higher level of assurances using more detailed methods called
certificates (usually the last one being a self-signed certificate), with the following properties:
for X.509 certificates. Some of these extensions are also used for other data such as private keys.
Extended validation is signaled in a certificate using X.509 v3 extension. Each CA uses a different
can be distributed to all employees so that they can use the company PKI system. Browsers such as
X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.4146.1.20 CPS:
(TLS) and its predecessor SSL — cryptographic protocols for Internet secure communications.
DNs are complex and little understood (lack of canonicalization, internationalization problems)
, may contain certificate(s) (public) and private keys (password protected) in a single file.
Certificates with the same color (that are not white/transparent) contain the same public key
degenerated SignedData "certs-only" structure, without any data to sign. Defined in RFC 2311.
An organization that wants a signed certificate requests one from a CA using a protocol like
certificates, yet trust value in the eyes of security experts is diminishing. According to
1081: 1068:: a certificate that you trust because it was delivered to you by some trustworthy procedure 1042: 740:, and a company like Example, LLC is the owner of the domain, and the owner was verified by 696: 650: 635: 597: 472: 440: 314: 1352:
CRLs are notably a poor choice because of large sizes and convoluted distribution patterns,
Example 1: Cross-certification at root Certification Authority (CA) level between two PKIs
The format used by Windows for certificate interchange. Supported by Java but often has
Stefan Santesson; Michael Myers; Rich Ankey; Slava Galperin; Carlisle Adams (June 2013).
Note that these are in addition to the two self-signed certificates (one old, one new).
has required serial number entropy in its Baseline Requirements Section 7.1 since 2011.
X.509 was initially issued on July 3, 1988, and was begun in association with the
and its successor RFC 5280, which define how to use X.509 in Internet protocols.
X509v3 CRL Distribution Points: Full Name: URI:
indicates that the key may be used on the server end of a TLS or SSL connection;
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
In practice, a DV certificate means a certificate was issued for a domain like
response to CSR. Contains the newly-signed certificate, and the CA's own cert.
Version 3 of X.509 includes the flexibility to support other topologies like
public key, while the signature at the bottom was generated by GlobalSign's
Digital Signature. May contain the original signed file or message. Used in
The CSR will be validated using a Registration Authority (RA), and then the
The structure foreseen by the standards is expressed in a formal language,
code signing system uses X.509 to identify authors of computer programs.
MD2-based certificates were used for a long time and were vulnerable to
- Internet X.509 Public Key Infrastructure: Certification Path Building
The description in the preceding paragraph is a simplified view on the
states CAs created EV certificates to restore profit levels after the
The inner format of issuer and subject unique identifiers specified in
Internet X.509 Public Key Infrastructure: Certification Path Building
Attributes should not be made critical because it makes clients crash
SignedData structure without data, just certificate(s) bundle and/or
An EV certificate means a certificate was issued for a domain like
come with a predetermined set of root certificates pre-installed, so
X.509 certificates are used in many Internet protocols, including
"How To Create an SSH CA to Validate Hosts and Clients with Ubuntu"
Ambiguous OCSP semantics and lack of historical revocation status,
- can be used to decode and examine an encoded CSR or certificate
This is an example of an intermediate certificate belonging to a
http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
Wget, simply treat an EV certificate like any other certificate.
defines its own profile of X.509 for use in the cable industry.
Unspecified length of attributes leads to product-specific limits
private key. (The signatures in these examples are truncated.)
(see the equivalent concept of "certification path" defined by
will issue a certificate binding a public key to a particular
profile of the X.509 v3 certificate standard, as specified in
OID. Some of the most common, defined in section 4.2.1, are:
"Certification Authority — Certification Practice Statement"
(CRL) — this is to check certificate revocation status
96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C
Each box represents a certificate, with its Subject in bold
form, but Base64-encoded certificates are common too (see
-approved way of checking a certificate's validity is the
that is used to verify the signature of the CSR - and the
Computer Security Journal (Volume XVI, Number 1, 2000).
"Web Services Security X.509 Token Profile Version 1.1.1"
industrial automation communication standard uses X.509.
Key usage ignored, first certificate in a list being used
There are a number of publications about PKI problems by
Authority Information Access: OCSP - URI:
"PKCS 12: Personal Information Exchange Syntax Standard"
Cameron McDonald; Philip Hawkes; Josef Pieprzyk (2009).
http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl
(CAs) for issuing the certificates. This contrasts with
X.509 is defined by the ITU's "Standardization Sector" (
The Transport Layer Security (TLS) Protocol Version 1.2
Apple Developer Documentation: Uniform Type Identifiers
(Secure Multipurpose Internet Mail Extensions) and the
Standard defining the format of public key certificates
"Security Systems Business Plan Sample [2021]"
Major protocols and standards using X.509 certificates
Extensions informing a specific usage of a certificate
"Safari and WebKit do not support SHA-1 certificates"
International Association for Cryptologic Research.
enabled OCSP checking by default, as did versions of
"Public-Key Infrastructure (X.509) (pkix) - Charter"
sec. 4: MIME registrations.
"Bug 110161 - (ocspdefault) enable OCSP by default"
http://ocsp2.globalsign.com/gsorganizationvalsha2g2
"cert2.2 → cert2" and "cert2.2 → cert2.1 → cert1".
uses both extensions to specify certificate usage.
indicates that the key may be used to secure email.


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.