From: "Erik Andersen"
To: "Directory list", "PKIX"
Date: Wed, 8 Jul 2015 12:04:46 +0200
Subject: [pkix] Delegating certificate revocation

Clause 7.10 of X.509 on Certificate revocation lists states:

"the certificate-issuing authority authorizes a different entity to perform revocation."

Can an AA do that, and if yes, how?

Regards,

Erik


From: Wen-Cheng Wang (王文正)
To: Directory list, PKIX
Date: Wed, 8 Jul 2015 12:47:00 +0000
Subject: Re: [pkix] Delegating certificate revocation

Erik,

I think an AA can do that.

Actually, there is a paragraph describing how a CA authorizes a different entity to perform revocation:

Only a CA that is authorized to issue CRLs may choose to delegate that authority to another entity. If this delegation is done, it shall be verifiable at the time of certificate/CRL verification. The cRLDistributionPoints extension can be used for this purpose. The cRLIssuer field of this extension would be populated with the name(s) of any entities, other than the certificate issuer itself, that have been authorized to issue CRLs concerning the revocation status of the certificate in question.

The same method can be used by an AA. You can simply replace "CA" with "AA", "CRL" with "ACRL", "certificate" with "attribute certificate" and done:

Only an AA that is authorized to issue ACRLs may choose to delegate that authority to another entity. If this delegation is done, it shall be verifiable at the time of attribute certificate/ACRL verification. The cRLDistributionPoints extension can be used for this purpose. The cRLIssuer field of this extension would be populated with the name(s) of any entities, other than the attribute certificate issuer itself, that have been authorized to issue ACRLs concerning the revocation status of the attribute certificate in question.

That means the AA can include a cRLDistributionPoints extension in attribute certificates and use the cRLIssuer field of this extension to specify the name of the delegated ACRL issuer.

Wen-Cheng Wang

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

From: "Erik Andersen"
To: '王文正' (Wen-Cheng Wang), 'Directory list', 'PKIX'
Date: Wed, 8 Jul 2015 15:15:10 +0200
Subject: Re: [pkix] Delegating certificate revocation

Hi Wen-Cheng,

Thank you very much for your input.

What public-key certificate is then used for signing the ACRL?

Kind regards,

Erik


From: Wen-Cheng Wang (王文正)
To: 'Directory list', 'PKIX'
Date: Wed, 8 Jul 2015 13:36:36 +0000
Subject: Re: [pkix] Delegating certificate revocation

Erik,

For security reasons, the delegated ACRL issuer should be an entity in the same domain as the AA. Therefore, I think the public-key certificate of the delegated ACRL issuer should be issued by the same CA which issued the public-key certificate of the AA or SOA.

Wen-Cheng Wang
CnAuTXNvUGxhaW5UZXh0LCBsaS5Nc29QbGFpblRleHQsIGRpdi5Nc29QbGFpblRleHQNCgl7bXNv LXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5rOiLntJTmloflrZcg5a2X5YWDIjsN CgltYXJnaW46MGNtOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTEuMHB0 Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7DQoJbXNvLWZhcmVhc3QtbGFu Z3VhZ2U6RU4tVVM7fQ0KcC5Nc29BY2V0YXRlLCBsaS5Nc29BY2V0YXRlLCBkaXYuTXNvQWNldGF0 ZQ0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6Iuiou+ino+aWueWh iuaWh+WtlyDlrZflhYMiOw0KCW1hcmdpbjowY207DQoJbWFyZ2luLWJvdHRvbTouMDAwMXB0Ow0K CWZvbnQtc2l6ZTo5LjBwdDsNCglmb250LWZhbWlseToiQ2FtYnJpYSIsInNlcmlmIjsNCgltc28t ZmFyZWFzdC1sYW5ndWFnZTpFTi1VUzt9DQpzcGFuLmENCgl7bXNvLXN0eWxlLW5hbWU6Iue0lOaW h+WtlyDlrZflhYMiOw0KCW1zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazrn tJTmloflrZc7DQoJZm9udC1mYW1pbHk6IkNhbGlicmkiLCJzYW5zLXNlcmlmIjt9DQpwLkFsbWlu ZGVsaWd0ZWtzdCwgbGkuQWxtaW5kZWxpZ3Rla3N0LCBkaXYuQWxtaW5kZWxpZ3Rla3N0DQoJe21z by1zdHlsZS1uYW1lOiJBbG1pbmRlbGlnIHRla3N0IjsNCgltc28tc3R5bGUtbGluazoiQWxtaW5k ZWxpZyB0ZWtzdCBUZWduIjsNCgltYXJnaW46MGNtOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsN Cglmb250LXNpemU6MTEuMHB0Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7 DQoJbXNvLWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVM7fQ0Kc3Bhbi5BbG1pbmRlbGlndGVrc3RUZWdu DQoJe21zby1zdHlsZS1uYW1lOiJBbG1pbmRlbGlnIHRla3N0IFRlZ24iOw0KCW1zby1zdHlsZS1w cmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoiQWxtaW5kZWxpZyB0ZWtzdCI7DQoJZm9udC1m YW1pbHk6Q29uc29sYXM7DQoJbXNvLWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVM7fQ0Kc3Bhbi5FbWFp bFN0eWxlMjENCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29uYWw7DQoJZm9udC1mYW1pbHk6IkNhbGli cmkiLCJzYW5zLXNlcmlmIjsNCgljb2xvcjp3aW5kb3d0ZXh0O30NCnNwYW4uRW1haWxTdHlsZTIy DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsOw0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fu cy1zZXJpZiI7DQoJY29sb3I6IzFGNDk3RDt9DQpzcGFuLkVtYWlsU3R5bGUyMw0KCXttc28tc3R5 bGUtdHlwZTpwZXJzb25hbDsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiOw0K CWNvbG9yOiMxRjQ5N0Q7fQ0Kc3Bhbi5hMA0KCXttc28tc3R5bGUtbmFtZToi6Ki76Kej5pa55aGK 
5paH5a2XIOWtl+WFgyI7DQoJbXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCW1zby1zdHlsZS1saW5r Ouiou+ino+aWueWhiuaWh+WtlzsNCglmb250LWZhbWlseToiQ2FtYnJpYSIsInNlcmlmIjsNCglt c28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUzt9DQpzcGFuLkVtYWlsU3R5bGUyNg0KCXttc28tc3R5 bGUtdHlwZTpwZXJzb25hbC1yZXBseTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2Vy aWYiOw0KCWNvbG9yOiMxRjQ5N0Q7fQ0KLk1zb0NocERlZmF1bHQNCgl7bXNvLXN0eWxlLXR5cGU6 ZXhwb3J0LW9ubHk7DQoJZm9udC1zaXplOjEwLjBwdDt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7 c2l6ZTo2MTIuMHB0IDc5Mi4wcHQ7DQoJbWFyZ2luOjcyLjBwdCA3Mi4wcHQgNzIuMHB0IDcyLjBw dDt9DQpkaXYuV29yZFNlY3Rpb24xDQoJe3BhZ2U6V29yZFNlY3Rpb24xO30NCi0tPjwvc3R5bGU+ PCEtLVtpZiBndGUgbXNvIDldPjx4bWw+DQo8bzpzaGFwZWRlZmF1bHRzIHY6ZXh0PSJlZGl0IiBz cGlkbWF4PSIxMDI2IiAvPg0KPC94bWw+PCFbZW5kaWZdLS0+PCEtLVtpZiBndGUgbXNvIDldPjx4 bWw+DQo8bzpzaGFwZWxheW91dCB2OmV4dD0iZWRpdCI+DQo8bzppZG1hcCB2OmV4dD0iZWRpdCIg ZGF0YT0iMSIgLz4NCjwvbzpzaGFwZWxheW91dD48L3htbD48IVtlbmRpZl0tLT4NCjwvaGVhZD4N Cjxib2R5IGxhbmc9IlpILVRXIiBsaW5rPSIjMDU2M0MxIiB2bGluaz0iIzk1NEY3MiI+DQo8ZGl2 IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0i RU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEO21zby1mYXJlYXN0 LWxhbmd1YWdlOlpILVRXIj5FcmljLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250 LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7Y29s b3I6IzFGNDk3RDttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+PG86cD4mbmJzcDs8L286cD48 L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OywmcXVvdDtzZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEO21zby1mYXJlYXN0LWxhbmd1YWdlOlpI LVRXIj5Gb3IgdGhlIHNlY3VyaXR5IHJlYXNvbiwgZGVsZWdhdGVkIEFDUkwgaXNzdWVyIHNob3Vs ZCBiZSBhbiBlbnRpdHkgaW4gdGhlIHNhbWUgZG9tYWluIHdpdGggdGhlIEFBLiBUaGVyZWZvcmUs 
IEkgdGhpbmsNCiB0aGUgcHVibGljLWtleSBjZXJ0aWZpY2F0ZSBvZiB0aGUgZGVsZWdhdGVkIEFD UkwgaXNzdWVyIHNob3VsZCBiZSBpc3N1ZWQgYnkgdGhlIHNhbWUgQ0Egd2hpY2ggaXNzdWVkIHRo ZSBwdWJsaWMta2V5IGNlcnRpZmljYXRlIG9mIHRoZSBBQSBvciBTT0EuPG86cD48L286cD48L3Nw YW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJm b250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90Oywm cXVvdDtzZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48 L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxl PSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90 OywmcXVvdDtzZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEO21zby1mYXJlYXN0LWxhbmd1YWdlOlpI LVRXIj5XZW4tQ2hlbmcgV2FuZzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTIuMHB0 O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90 Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2Pg0KPGRp diBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjQjVDNERGIDEuMHB0O3BhZGRp bmc6My4wcHQgMGNtIDBjbSAwY20iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gbGFu Zz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVz IE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpa SC1UVyI+RnJvbTo8L3NwYW4+PC9iPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXpl OjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2Vy aWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPg0KIEVyaWsgQW5kZXJzZW4gW21h aWx0bzplcmFAeDUwMC5ldV0gPGJyPg0KPGI+U2VudDo8L2I+IFdlZG5lc2RheSwgSnVseSAwOCwg MjAxNSA5OjE1IFBNPGJyPg0KPGI+VG86PC9iPiA8L3NwYW4+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q75paw57Sw5piO6auUJnF1b3Q7LCZxdW90O3Nlcmlm JnF1b3Q7O21zby1mYXJlYXN0LWxhbmd1YWdlOlpILVRXIj7njovmlofmraM8L3NwYW4+PHNwYW4g bGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1Rp 
bWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFn ZTpaSC1UVyI+OyAnRGlyZWN0b3J5IGxpc3QnOyAnUEtJWCc8YnI+DQo8Yj5TdWJqZWN0OjwvYj4g U1Y6IFtwa2l4XSBEZWxlZ2F0aW5nIGNlcnRpZmljYXRlIHJldm9jYXRpb248bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFu Zz0iRU4tVVMiIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDss JnF1b3Q7c2VyaWYmcXVvdDsiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkhp IFdlbi1DaGVuZyw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48 c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OywmcXVvdDtzZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpw Pjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5 bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZx dW90Oztjb2xvcjojMUY0OTdEIj5UaGFuayB5b3UgdmVyeSBtdWNoIGZvciB5b3VyIGlucHV0Ljxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVO LUdCIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90 O3NlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O2NvbG9yOiMx RjQ5N0QiPldoYXQgcHVibGljLWtleSBjZXJ0aWZpY2F0ZSBpcyB0aGVuIHVzZWQgZm9yIHNpZ25p bmcgdGhlIEFDUkw/PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gbGFuZz0iRU4tR0IiIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286 cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tR0IiIHN0 eWxlPSJmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYm 
cXVvdDs7Y29sb3I6IzFGNDk3RCI+S2luZCByZWdhcmQsPG86cD48L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tR0IiIHN0eWxlPSJmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7Y29sb3I6IzFG NDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gbGFuZz0iRU4tR0IiIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+RXJpazxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHls ZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1 b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXY+DQo8 ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItdG9wOnNvbGlkICNFMUUxRTEgMS4wcHQ7cGFk ZGluZzozLjBwdCAwY20gMGNtIDBjbSI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj48c3BhbiBs YW5nPSJEQSIgc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90Oywm cXVvdDtzZXJpZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+RnJhOjwvc3Bhbj48 L2I+PHNwYW4gbGFuZz0iREEiIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPiBw a2l4IFs8YSBocmVmPSJtYWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3JnIj5tYWlsdG86cGtpeC1i b3VuY2VzQGlldGYub3JnPC9hPl0NCjxiPlDDpSB2ZWduZSBhZiA8L2I+Pz8/PGJyPg0KPGI+U2Vu ZHQ6PC9iPiAwOCBKdWx5IDIwMTUgMTQ6NDc8YnI+DQo8Yj5UaWw6PC9iPiBEaXJlY3RvcnkgbGlz dDsgUEtJWDxicj4NCjxiPkVtbmU6PC9iPiBSZTogW3BraXhdIERlbGVnYXRpbmcgY2VydGlmaWNh dGUgcmV2b2NhdGlvbjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90OyI+PG86cD4mbmJzcDs8 L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMi IHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21h biZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+RXJp 
Yyw8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5n PSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMg TmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0LWxhbmd1YWdlOlpI LVRXIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 Ij48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0 LWxhbmd1YWdlOlpILVRXIj5JIHRoaW5rIGFuIEFBIGNhbiBkbyB0aGF0LjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHls ZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVv dDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPjxvOnA+Jm5i c3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9 IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6Wkgt VFciPkFjdHVhbGx5LCB0aGVyZSBpcyBhIHBhcmFncmFwaCBkZXNjcmliZXMgaG93IGEgQ0EgYXV0 aG9yaXplcyBhIGRpZmZlcmVudCBlbnRpdHkgdG8gcGVyZm9ybSByZXZvY2F0aW9uLjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVT IiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9t YW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPjxv OnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxl PSJtYXJnaW4tbGVmdDoyMi4wcHQ7bXNvLXBhcmEtbWFyZ2luLWxlZnQ6Mi4wZ2QiPjxzcGFuIGxh bmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1l cyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6 WkgtVFciPk9ubHkgYSBDQSB0aGF0IGlzIGF1dGhvcml6ZWQgdG8gaXNzdWUgQ1JMcyBtYXkgY2hv b3NlIHRvIGRlbGVnYXRlIHRoYXQNCiBhdXRob3JpdHkgdG8gYW5vdGhlciBlbnRpdHkuIElmIHRo aXMgZGVsZWdhdGlvbiBpczxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFp 
blRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDoyMi4wcHQ7bXNvLXBhcmEtbWFyZ2luLWxlZnQ6Mi4w Z2QiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWls eTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVh c3QtbGFuZ3VhZ2U6WkgtVFciPmRvbmUsIGl0IHNoYWxsIGJlIHZlcmlmaWFibGUgYXQgdGhlIHRp bWUgb2YgY2VydGlmaWNhdGUvQ1JMIHZlcmlmaWNhdGlvbi4NCiBUaGUgY1JMRGlzdHJpYnV0aW9u UG9pbnRzIGV4dGVuc2lvbiBjYW4gYmU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6MjIuMHB0O21zby1wYXJhLW1hcmdpbi1s ZWZ0OjIuMGdkIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21z by1mYXJlYXN0LWxhbmd1YWdlOlpILVRXIj51c2VkIGZvciB0aGlzIHB1cnBvc2UuIFRoZSBjUkxJ c3N1ZXIgZmllbGQgb2YgdGhpcyBleHRlbnNpb24gd291bGQgYmUNCiBwb3B1bGF0ZWQgd2l0aCB0 aGUgbmFtZShzKSBvZiBhbnkgZW50aXRpZXMsIG90aGVyPG86cD48L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjIyLjBwdDttc28tcGFy YS1tYXJnaW4tbGVmdDoyLjBnZCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJp ZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+dGhhbiB0aGUgY2VydGlmaWNhdGUg aXNzdWVyIGl0c2VsZiwgdGhhdCBoYXZlIGJlZW4gYXV0aG9yaXplZCB0byBpc3N1ZQ0KIENSTHMg Y29uY2VybmluZyB0aGUgcmV2b2NhdGlvbiBzdGF0dXMgb2YgdGhlPG86cD48L286cD48L3NwYW4+ PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjIyLjBwdDtt c28tcGFyYS1tYXJnaW4tbGVmdDoyLjBnZCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250 LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVv dDtzZXJpZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+Y2VydGlmaWNhdGUgaW4g cXVlc3Rpb24uPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFyZWFzdC1sYW5n 
dWFnZTpaSC1UVyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFy ZWFzdC1sYW5ndWFnZTpaSC1UVyI+VGhlIHNhbWUgbWV0aG9kIGNhbiBiZSB1c2VkIGJ5IGFuIEFB LiBZb3UgY2FuIHNpbXBseSByZXBsYWNlIOKAnENB4oCdIHdpdGgg4oCcQUHigJ0sIOKAnENSTOKA nSB3aXRoIOKAnEFDUkzigJ0sIOKAnGNlcnRpZmljYXRl4oCdIHdpdGgg4oCcYXR0cmlidXRlIGNl cnRpZmljYXRl4oCdDQogYW5kIGRvbmUuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Oztt c28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjIyLjBwdDttc28tcGFy YS1tYXJnaW4tbGVmdDoyLjBnZCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6 MTIuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJp ZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+T25seSBhIEFBIHRoYXQgaXMgYXV0 aG9yaXplZCB0byBpc3N1ZSBBQ1JMcyBtYXkgY2hvb3NlIHRvIGRlbGVnYXRlIHRoYXQNCiBhdXRo b3JpdHkgdG8gYW5vdGhlciBlbnRpdHkuIElmIHRoaXMgZGVsZWdhdGlvbiBpczxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDoy Mi4wcHQ7bXNvLXBhcmEtbWFyZ2luLWxlZnQ6Mi4wZ2QiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHls ZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVv dDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPmRvbmUsIGl0 IHNoYWxsIGJlIHZlcmlmaWFibGUgYXQgdGhlIHRpbWUgb2YgYXR0cmlidXRlIGNlcnRpZmljYXRl L0FDUkwNCiB2ZXJpZmljYXRpb24uIFRoZSBjUkxEaXN0cmlidXRpb25Qb2ludHMgZXh0ZW5zaW9u IGNhbiBiZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0 eWxlPSJtYXJnaW4tbGVmdDoyMi4wcHQ7bXNvLXBhcmEtbWFyZ2luLWxlZnQ6Mi4wZ2QiPjxzcGFu IGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtU 
aW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3Vh Z2U6WkgtVFciPnVzZWQgZm9yIHRoaXMgcHVycG9zZS4gVGhlIGNSTElzc3VlciBmaWVsZCBvZiB0 aGlzIGV4dGVuc2lvbiB3b3VsZCBiZQ0KIHBvcHVsYXRlZCB3aXRoIHRoZSBuYW1lKHMpIG9mIGFu eSBlbnRpdGllcywgb3RoZXI8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxh aW5UZXh0IiBzdHlsZT0ibWFyZ2luLWxlZnQ6MjIuMHB0O21zby1wYXJhLW1hcmdpbi1sZWZ0OjIu MGdkIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJl YXN0LWxhbmd1YWdlOlpILVRXIj50aGFuIHRoZSBhdHRyaWJ1dGUgY2VydGlmaWNhdGUgaXNzdWVy IGl0c2VsZiwgdGhhdCBoYXZlIGJlZW4gYXV0aG9yaXplZA0KIHRvIGlzc3VlIEFDUkxzIGNvbmNl cm5pbmcgdGhlIHJldm9jYXRpb24gc3RhdHVzIG9mIHRoZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDoyMi4wcHQ7bXNvLXBh cmEtbWFyZ2luLWxlZnQ6Mi4wZ2QiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1zaXpl OjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2Vy aWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPmF0dHJpYnV0ZSBjZXJ0aWZpY2F0 ZSBpbiBxdWVzdGlvbi48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0 LWxhbmd1YWdlOlpILVRXIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21z by1mYXJlYXN0LWxhbmd1YWdlOlpILVRXIj5UaGF0IG1lYW5zIHRoZSBBQSBjYW4gaW5jbHVkZSBh IGNSTERpc3RyaWJ1dGlvblBvaW50cyBleHRlbnNpb24gaW4gYXR0cmlidXRlIGNlcnRpZmljYXRl cyBhbmQgdXNlIHRoZQ0KPC9zcGFuPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1mYW1p bHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7Ij5jUkxJc3N1 ZXIgZmllbGQgb2YgdGhpcyBleHRlbnNpb248L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxl 
PSJmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVv dDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPiB0byBzcGVjaWZ5IHRoZSBuYW1lIG9mIHRo ZSBkZWxlZ2F0ZWQNCjxzcGFuIHN0eWxlPSJjb2xvcjpyZWQiPkFDUkw8L3NwYW4+IGlzc3Vlci48 L3NwYW4+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFy ZWFzdC1sYW5ndWFnZTpaSC1UVyI+PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28t ZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1z aXplOjEyLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7 c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPldlbi1DaGVuZyBXYW5nPG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBs YW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGlt ZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxkaXY+DQo8ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTti b3JkZXItdG9wOnNvbGlkICNCNUM0REYgMS4wcHQ7cGFkZGluZzozLjBwdCAwY20gMGNtIDBjbSI+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj48c3BhbiBsYW5nPSJFTi1VUyIgc3R5bGU9ImZvbnQt c2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90 O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0LWxhbmd1YWdlOlpILVRXIj5Gcm9tOjwvc3Bhbj48L2I+ PHNwYW4gbGFuZz0iRU4tVVMiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFyZWFzdC1s YW5ndWFnZTpaSC1UVyI+DQogcGtpeCBbPGEgaHJlZj0ibWFpbHRvOnBraXgtYm91bmNlc0BpZXRm Lm9yZyI+bWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZzwvYT5dIDxiPg0KT24gQmVoYWxmIE9m IDwvYj5FcmlrIEFuZGVyc2VuPGJyPg0KPGI+U2VudDo8L2I+IFdlZG5lc2RheSwgSnVseSAwOCwg 
MjAxNSA2OjA1IFBNPGJyPg0KPGI+VG86PC9iPiBEaXJlY3RvcnkgbGlzdDsgUEtJWDxicj4NCjxi PlN1YmplY3Q6PC9iPiBbcGtpeF0gRGVsZWdhdGluZyBjZXJ0aWZpY2F0ZSByZXZvY2F0aW9uPG86 cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90OyI+Q2xhdXNl IDcuMTAgb2YgWC41MDkgb24gQ2VydGlmaWNhdGUgcmV2b2NhdGlvbiBsaXN0cyBzdGF0ZXM6PG86 cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4t R0IiIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7 c2VyaWYmcXVvdDsiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGltZXMg TmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7Ij7igJx0aGUgY2VydGlmaWNhdGUtaXNz dWluZyBhdXRob3JpdHkgYXV0aG9yaXplcyBhIGRpZmZlcmVudCBlbnRpdHkgdG8gcGVyZm9ybSBy ZXZvY2F0aW9uLuKAnTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJv bWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90OyI+Q2FuIGFu IEFBIGRvIHRoYXQsIGFuZCBpZiB5ZXMsIGhvdz88bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtZmFtaWx5OiZx dW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90OyI+PG86cD4mbmJzcDs8 L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gbGFuZz0iRU4tR0Ii IHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2Vy aWYmcXVvdDsiPlJlZ2FyZHMsPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05v 
cm1hbCI+PHNwYW4gbGFuZz0iRU4tR0IiIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtUaW1lcyBO ZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDsiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFu PjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9u dC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7Ij5F cmlrDQo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48Yj48c3Bh biBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtc2l6ZToxMi4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0LWxhbmd1 YWdlOlpILVRXIj48YnI+DQo8YnI+DQo8L3NwYW4+PC9iPjxiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O+aWsOe0sOaYjumrlCZxdW90OywmcXVvdDtzZXJp ZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+5pys5L+h5Lu25Y+v6IO95YyF5ZCr 5Lit6I+v6Zu75L+h6IKh5Lu95pyJ6ZmQ5YWs5Y+45qmf5a+G6LOH6KiKPC9zcGFuPjwvYj48Yj48 c3BhbiBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1 b3Q7VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0LWxh bmd1YWdlOlpILVRXIj4sPC9zcGFuPjwvYj48Yj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBw dDtmb250LWZhbWlseTomcXVvdDvmlrDntLDmmI7pq5QmcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7 bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPumdnuaMh+WumuS5i+aUtuS7tuiAhTwvc3Bhbj48 L2I+PGI+PHNwYW4gbGFuZz0iRU4tR0IiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFy ZWFzdC1sYW5ndWFnZTpaSC1UVyI+LDwvc3Bhbj48L2I+PGI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6 ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q75paw57Sw5piO6auUJnF1b3Q7LCZxdW90O3Nlcmlm JnF1b3Q7O21zby1mYXJlYXN0LWxhbmd1YWdlOlpILVRXIj7oq4vli7/okpDpm4bjgIHomZXnkIbm iJbliKnnlKjmnKzkv6Hku7blhaflrrk8L3NwYW4+PC9iPjxiPjxzcGFuIGxhbmc9IkVOLUdCIiBz dHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTomcXVvdDtUaW1lcyBOZXcgUm9tYW4m cXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPiw8L3Nw YW4+PC9iPjxiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90 
O+aWsOe0sOaYjumrlCZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFn ZTpaSC1UVyI+5Lim6KuL6Yq35q+A5q2k5L+h5Lu2PC9zcGFuPjwvYj48Yj48c3BhbiBsYW5nPSJF Ti1HQiIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMgTmV3 IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0LWxhbmd1YWdlOlpILVRX Ij4uDQo8L3NwYW4+PC9iPjxiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFt aWx5OiZxdW90O+aWsOe0sOaYjumrlCZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFyZWFz dC1sYW5ndWFnZTpaSC1UVyI+5aaC54K65oyH5a6a5pS25Lu26ICFPC9zcGFuPjwvYj48Yj48c3Bh biBsYW5nPSJFTi1HQiIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 VGltZXMgTmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0LWxhbmd1 YWdlOlpILVRXIj4sPC9zcGFuPjwvYj48Yj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtm b250LWZhbWlseTomcXVvdDvmlrDntLDmmI7pq5QmcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNv LWZhcmVhc3QtbGFuZ3VhZ2U6WkgtVFciPuaHieeiuuWvpuS/neitt+mDteS7tuS4reacrOWFrOWP uOS5i+eHn+alreapn+WvhuWPiuWAi+S6uuizh+aWmTwvc3Bhbj48L2I+PGI+PHNwYW4gbGFuZz0i RU4tR0IiIHN0eWxlPSJmb250LXNpemU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5l dyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1U VyI+LDwvc3Bhbj48L2I+PGI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q75paw57Sw5piO6auUJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0 LWxhbmd1YWdlOlpILVRXIj7kuI3lvpfku7vmhI/lgrPkvYjmiJbmj63pnLI8L3NwYW4+PC9iPjxi PjxzcGFuIGxhbmc9IkVOLUdCIiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZhbWlseTom cXVvdDtUaW1lcyBOZXcgUm9tYW4mcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVhc3Qt bGFuZ3VhZ2U6WkgtVFciPiw8L3NwYW4+PC9iPjxiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O+aWsOe0sOaYjumrlCZxdW90OywmcXVvdDtzZXJpZiZxdW90 Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+5Lim5oeJ6Ieq6KGM56K66KqN5pys6YO15Lu2 5LmL6ZmE5qqU6IiH6LaF6YCj57WQ5LmL5a6J5YWo5oCnPC9zcGFuPjwvYj48Yj48c3BhbiBsYW5n PSJFTi1HQiIgc3R5bGU9ImZvbnQtc2l6ZToxMC4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7VGltZXMg 
TmV3IFJvbWFuJnF1b3Q7LCZxdW90O3NlcmlmJnF1b3Q7O21zby1mYXJlYXN0LWxhbmd1YWdlOlpI LVRXIj4sPC9zcGFuPjwvYj48Yj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEwLjBwdDtmb250LWZh bWlseTomcXVvdDvmlrDntLDmmI7pq5QmcXVvdDssJnF1b3Q7c2VyaWYmcXVvdDs7bXNvLWZhcmVh c3QtbGFuZ3VhZ2U6WkgtVFciPuS7peWFseWQjOWWhOeboeizh+ioiuWuieWFqOiIh+WAi+izh+S/ neitt+iyrOS7uzwvc3Bhbj48L2I+PGI+PHNwYW4gbGFuZz0iRU4tR0IiIHN0eWxlPSJmb250LXNp emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtz ZXJpZiZxdW90Ozttc28tZmFyZWFzdC1sYW5ndWFnZTpaSC1UVyI+Lg0KPGJyPg0KUGxlYXNlIGJl IGFkdmlzZWQgdGhhdCB0aGlzIGVtYWlsIG1lc3NhZ2UgKGluY2x1ZGluZyBhbnkgYXR0YWNobWVu dHMpIGNvbnRhaW5zIGNvbmZpZGVudGlhbCBpbmZvcm1hdGlvbiBhbmQgbWF5IGJlIGxlZ2FsbHkg cHJpdmlsZWdlZC4gSWYgeW91IGFyZSBub3QgdGhlIGludGVuZGVkIHJlY2lwaWVudCwgcGxlYXNl IGRlc3Ryb3kgdGhpcyBtZXNzYWdlIGFuZCBhbGwgYXR0YWNobWVudHMgZnJvbSB5b3VyIHN5c3Rl bSBhbmQgZG8gbm90IGZ1cnRoZXINCiBjb2xsZWN0LCBwcm9jZXNzLCBvciB1c2UgdGhlbS4gQ2h1 bmdod2EgVGVsZWNvbSBhbmQgYWxsIGl0cyBzdWJzaWRpYXJpZXMgYW5kIGFzc29jaWF0ZWQgY29t cGFuaWVzIHNoYWxsIG5vdCBiZSBsaWFibGUgZm9yIHRoZSBpbXByb3BlciBvciBpbmNvbXBsZXRl IHRyYW5zbWlzc2lvbiBvZiB0aGUgaW5mb3JtYXRpb24gY29udGFpbmVkIGluIHRoaXMgZW1haWwg bm9yIGZvciBhbnkgZGVsYXkgaW4gaXRzIHJlY2VpcHQgb3IgZGFtYWdlIHRvIHlvdXINCiBzeXN0 ZW0uIElmIHlvdSBhcmUgdGhlIGludGVuZGVkIHJlY2lwaWVudCwgcGxlYXNlIHByb3RlY3QgdGhl IGNvbmZpZGVudGlhbCBhbmQvb3IgcGVyc29uYWwgaW5mb3JtYXRpb24gY29udGFpbmVkIGluIHRo aXMgZW1haWwgd2l0aCBkdWUgY2FyZS4gQW55IHVuYXV0aG9yaXplZCB1c2UsIGRpc2Nsb3N1cmUg b3IgZGlzdHJpYnV0aW9uIG9mIHRoaXMgbWVzc2FnZSBpbiB3aG9sZSBvciBpbiBwYXJ0IGlzIHN0 cmljdGx5IHByb2hpYml0ZWQuIEFsc28sDQogcGxlYXNlIHNlbGYtaW5zcGVjdCBhdHRhY2htZW50 cyBhbmQgaHlwZXJsaW5rcyBjb250YWluZWQgaW4gdGhpcyBlbWFpbCB0byBlbnN1cmUgdGhlIGlu Zm9ybWF0aW9uIHNlY3VyaXR5IGFuZCB0byBwcm90ZWN0IHBlcnNvbmFsIGluZm9ybWF0aW9uLjwv c3Bhbj48L2I+PHNwYW4gbGFuZz0iRU4tR0IiIHN0eWxlPSJmb250LXNpemU6MTIuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O1RpbWVzIE5ldyBSb21hbiZxdW90OywmcXVvdDtzZXJpZiZxdW90Ozttc28t 
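The delegation mechanism Wen-Cheng Wang describes in the message above (a cRLDistributionPoints extension whose cRLIssuer names the delegated ACRL issuer) together with his follow-up rule that the delegated issuer's public-key certificate should come from the same CA that certified the AA, modelled as the checks a relying party would run before trusting an ACRL. This is an added example, not code from the thread or from any X.509 implementation; the CA, AA, holder names and URL are constructed, and the data classes stand in for the ASN.1 structures. Beyond what the thread states, it also applies the RFC 5280 section 6.3.3 (b)(1) rule that a CRL reached through a DP carrying cRLIssuer must be an indirect CRL (issuingDistributionPoint.indirectCRL set), and the certificateIssuer entry extension that indirect CRL entries use to say which issuer's certificate they revoke.

```python
# Added example: relying-party checks for a delegated (indirect) ACRL.
# Not from the thread; all names below are constructed.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class PublicKeyCertificate:
    subject: str
    issuer: str  # name of the CA that issued this PKC


@dataclass(frozen=True)
class DistributionPoint:
    uri: Optional[str]
    crl_issuer: Optional[str] = None  # cRLIssuer; None means the AC issuer itself


@dataclass(frozen=True)
class AttributeCertificate:
    serial: int
    holder: str
    issuer: str  # the AA's name
    distribution_points: tuple = ()  # cRLDistributionPoints, possibly absent


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer entry extension


@dataclass(frozen=True)
class ACRL:
    issuer: str
    indirect_crl: bool  # issuingDistributionPoint.indirectCRL
    signer: PublicKeyCertificate  # PKC whose key verified the ACRL signature
    entries: tuple = ()


def check_acrl(ac, dp, acrl, aa_pkc):
    """Return (accepted, reason) for using `acrl` to decide `ac` via `dp`."""
    expected_issuer = dp.crl_issuer or ac.issuer
    if acrl.issuer != expected_issuer:
        return False, f"ACRL issuer {acrl.issuer!r} is not {expected_issuer!r}"
    if acrl.signer.subject != acrl.issuer:
        return False, "ACRL signer's PKC subject is not the ACRL issuer"
    if dp.crl_issuer is not None:
        # Delegated case, RFC 5280 6.3.3 (b)(1): the CRL must be indirect.
        if not acrl.indirect_crl:
            return False, "delegated ACRL lacks indirectCRL in its IDP"
        # "Same domain" rule from the thread: the delegated issuer's PKC must
        # come from the CA that issued the AA's PKC.
        if acrl.signer.issuer != aa_pkc.issuer:
            return False, f"delegate PKC from {acrl.signer.issuer!r}, not {aa_pkc.issuer!r}"
    return True, "ok"


def revocation_status(ac, acrls, aa_pkc):
    """'revoked', 'good', or 'unverified' when no DP yields an acceptable ACRL."""
    # With no cRLDistributionPoints, only the AA's own ACRL is acceptable.
    dps = ac.distribution_points or (DistributionPoint(uri=None),)
    for dp in dps:
        for acrl in acrls:
            accepted, _ = check_acrl(ac, dp, acrl, aa_pkc)
            if not accepted:
                continue
            for entry in acrl.entries:
                # Simplification: an entry without certificateIssuer is taken
                # to apply to the CRL issuer's own certificates (RFC 5280 also
                # lets it inherit from the preceding entry).
                entry_issuer = entry.certificate_issuer or acrl.issuer
                if entry.serial == ac.serial and entry_issuer == ac.issuer:
                    return "revoked"
            return "good"
    return "unverified"


# Constructed sample PKI: one CA certifies both the AA and its delegate.
CA = "CN=Example Root CA"
AA_PKC = PublicKeyCertificate(subject="CN=Example AA", issuer=CA)
DELEGATE_PKC = PublicKeyCertificate(subject="CN=Example ACRL Issuer", issuer=CA)
OUTSIDER_PKC = PublicKeyCertificate(subject="CN=Example ACRL Issuer", issuer="CN=Other CA")

AC = AttributeCertificate(
    serial=42, holder="CN=Alice", issuer=AA_PKC.subject,
    distribution_points=(DistributionPoint("http://acrl.example/aa.crl",
                                           crl_issuer=DELEGATE_PKC.subject),),
)
AC_NO_DP = AttributeCertificate(serial=42, holder="CN=Alice", issuer=AA_PKC.subject)

GOOD_ACRL = ACRL(issuer=DELEGATE_PKC.subject, indirect_crl=True, signer=DELEGATE_PKC,
                 entries=(RevokedEntry(42, certificate_issuer=AA_PKC.subject),))
NO_INDIRECT_FLAG = replace(GOOD_ACRL, indirect_crl=False)
WRONG_DOMAIN = replace(GOOD_ACRL, signer=OUTSIDER_PKC)
AA_SELF_ACRL = ACRL(issuer=AA_PKC.subject, indirect_crl=False, signer=AA_PKC,
                    entries=(RevokedEntry(42),))

if __name__ == "__main__":
    for name, crl in [("good", GOOD_ACRL), ("no flag", NO_INDIRECT_FLAG),
                      ("other CA", WRONG_DOMAIN), ("AA itself", AA_SELF_ACRL)]:
        print(name, check_acrl(AC, AC.distribution_points[0], crl, AA_PKC))
    print(revocation_status(AC, [GOOD_ACRL], AA_PKC))
```

The last constructed ACRL shows why the cRLIssuer field matters at verification time: once the AC names a delegate, an ACRL signed by the AA itself is no longer acceptable through that DP, and an ACRL from a same-named entity certified by a different CA fails the "same domain" rule even though its issuer name matches.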
From nobody Wed Jul 8 07:23:40 2015 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEF921B37B8 for ; Wed, 8 Jul 2015 07:23:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.29 X-Spam-Level: X-Spam-Status: No, score=-1.29 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DK=1.009, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iJCI9DIl-stA for ; Wed, 8 Jul 2015 07:23:35 -0700 (PDT) Received: from mail02.dandomain.dk (mail02.dandomain.dk [194.150.112.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B373F1AC3B0 for ; Wed, 8 Jul 2015 07:13:03 -0700 (PDT) Received: from Morten ([62.44.134.206]) by mail02.dandomain.dk (DanDomain Mailserver) with ASMTP id 2201507081613005584; Wed, 08 Jul 2015 16:13:00 +0200 From: "Erik Andersen" To: =?UTF-8?B?J+eOi+aWh+atoyc=?= , "'Directory list'" , "'PKIX'" References: <000201d0b965$8597d4e0$90c77ea0$@x500.eu> <20825998BCB8D84C983674C159E25E753D61D07D@mbs6.app.corp.cht.com.tw> <001801d0b980$1ecc6ad0$5c654070$@x500.eu> <20825998BCB8D84C983674C159E25E753D61D0DC@mbs6.app.corp.cht.com.tw> In-Reply-To: <20825998BCB8D84C983674C159E25E753D61D0DC@mbs6.app.corp.cht.com.tw> Date: Wed, 8 Jul 2015 16:13:01 +0200 Message-ID: <003001d0b988$33966710$9ac33530$@x500.eu> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0031_01D0B998.F71F3710" X-Mailer: Microsoft Outlook 15.0 Thread-Index: 
AQEnZye0rHlvOB3wLRCexS1K7tSvAwE9VGpwAgNa96oCAszCmZ76JcfQ Content-Language: en-gb Archived-At: Subject: Re: [pkix] Delegating certificate revocation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Jul 2015 14:23:37 -0000 This is a multipart message in MIME format. ------=_NextPart_000_0031_01D0B998.F71F3710 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

Hi Wen-Cheng,

That makes sense. Thanks for the clarification.

Erik

From: pkix [mailto:pkix-bounces@ietf.org] On behalf of ???
Sent: 08 July 2015 15:37
To: 'Directory list'; 'PKIX'
Subject: Re: [pkix] Delegating certificate revocation

Erik,

For security reasons, the delegated ACRL issuer should be an entity in the same domain as the AA. Therefore, I think the public-key certificate of the delegated ACRL issuer should be issued by the same CA that issued the public-key certificate of the AA or SOA.

Wen-Cheng Wang

From: Erik Andersen [mailto:era@x500.eu]
Sent: Wednesday, July 08, 2015 9:15 PM
To: 王文正; 'Directory list'; 'PKIX'
Subject: SV: [pkix] Delegating certificate revocation

Hi Wen-Cheng,

Thank you very much for your input.

What public-key certificate is then used for signing the ACRL?

Kind regards,

Erik

From: pkix [mailto:pkix-bounces@ietf.org] On behalf of ???
Sent: 08 July 2015 14:47
To: Directory list; PKIX
Subject: Re: [pkix] Delegating certificate revocation

Erik,

I think an AA can do that.

Actually, there is a paragraph that describes how a CA authorizes a different entity to perform revocation:

Only a CA that is authorized to issue CRLs may choose to delegate that authority to another entity. If this delegation is done, it shall be verifiable at the time of certificate/CRL verification. The cRLDistributionPoints extension can be used for this purpose. The cRLIssuer field of this extension would be populated with the name(s) of any entities, other than the certificate issuer itself, that have been authorized to issue CRLs concerning the revocation status of the certificate in question.

The same method can be used by an AA. You can simply replace "CA" with "AA", "CRL" with "ACRL", "certificate" with "attribute certificate" and done:

Only an AA that is authorized to issue ACRLs may choose to delegate that authority to another entity. If this delegation is done, it shall be verifiable at the time of attribute certificate/ACRL verification. The cRLDistributionPoints extension can be used for this purpose. The cRLIssuer field of this extension would be populated with the name(s) of any entities, other than the attribute certificate issuer itself, that have been authorized to issue ACRLs concerning the revocation status of the attribute certificate in question.

That means the AA can include a cRLDistributionPoints extension in attribute certificates and use the cRLIssuer field of this extension to specify the name of the delegated ACRL issuer.

Wen-Cheng Wang

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erik Andersen
Sent: Wednesday, July 08, 2015 6:05 PM
To: Directory list; PKIX
Subject: [pkix] Delegating certificate revocation

Clause 7.10 of X.509 on Certificate revocation lists states:

"the certificate-issuing authority authorizes a different entity to perform revocation."

Can an AA do that, and if yes, how?

Regards,

Erik

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

------=_NextPart_000_0031_01D0B998.F71F3710 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
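The mechanism Wen-Cheng quotes above (a cRLDistributionPoints extension whose cRLIssuer names the delegate, and the requirement that the delegation be verifiable at validation time) can be built and checked end to end. What follows is an added example, not code from the thread or from any participant. It uses the Python `cryptography` package and the public-key certificate/CRL form of the mechanism, because that library has no attribute-certificate support; the AA/ACRL case the thread discusses is the direct analogue, with "CA", "CRL" and "certificate" substituted as Wen-Cheng describes. Every name, the distribution-point URL and all keys are invented for the example. The relying-party check also encodes Wen-Cheng's follow-up point that the delegated CRL issuer's own certificate should be issued by the same CA that issued the certificate being checked, and it refuses a well-formed CRL from any entity the certificate never named.

```python
"""Delegated (indirect) CRL issuance, X.509 clause 7.10 / RFC 5280 5.2.5, built and
checked with the `cryptography` package.  Constructed scenario; every name, URL and
key is invented for this example:
  * "Example Root CA" issues end-entity certificates whose cRLDistributionPoints
    extension names "Example CRL Service" in cRLIssuer (that is the delegation).
  * The same CA issues the delegate's own certificate with keyUsage cRLSign.
  * The delegate signs an indirect CRL (IDP indirectCRL=TRUE) whose entry names the
    real certificate issuer through the certificateIssuer entry extension."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2015, 7, 8, tzinfo=datetime.timezone.utc)
CDP_URL = "http://crl.example/indirect.crl"  # hypothetical distribution point

def dn(cn):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue_cert(subject, issuer, issuer_key, subject_key, serial, ext, critical):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(ext, critical=critical).sign(issuer_key, hashes.SHA256()))

def build_scenario():
    ca_key, signer_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca_name, signer_name = dn("Example Root CA"), dn("Example CRL Service")
    signer_cert = issue_cert(signer_name, ca_name, ca_key, signer_key, 2, x509.KeyUsage(
        digital_signature=True, content_commitment=False, key_encipherment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=False,
        crl_sign=True, encipher_only=False, decipher_only=False), True)
    # The delegation is recorded in the certificate itself: cRLIssuer names the delegate.
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CDP_URL)], relative_name=None,
        reasons=None, crl_issuer=[x509.DirectoryName(signer_name)])])
    ee_revoked = issue_cert(dn("revoked.example"), ca_name, ca_key, ee_key, 3, cdp, False)
    ee_good = issue_cert(dn("good.example"), ca_name, ca_key, ee_key, 4, cdp, False)
    entry = (x509.RevokedCertificateBuilder().serial_number(3).revocation_date(NOW)
             .add_extension(x509.CertificateIssuer([x509.DirectoryName(ca_name)]), False)
             .build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(signer_name)
           .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
           .add_extension(x509.IssuingDistributionPoint(
               full_name=[x509.UniformResourceIdentifier(CDP_URL)], relative_name=None,
               only_contains_user_certs=False, only_contains_ca_certs=False,
               only_some_reasons=None, indirect_crl=True,
               only_contains_attribute_certs=False), critical=True)
           .add_revoked_certificate(entry).sign(signer_key, hashes.SHA256()))
    return ca_key.public_key(), signer_cert, ee_revoked, ee_good, crl

def authorised_crl_issuers(cert):
    """The certificate issuer plus every DirectoryName found in a cRLIssuer field."""
    names = {cert.issuer}
    for ext in cert.extensions:
        if isinstance(ext.value, x509.CRLDistributionPoints):
            for dp in ext.value:
                names.update(g.value for g in dp.crl_issuer or [] if isinstance(g, x509.DirectoryName))
    return names

def revocation_status(cert, crl, signer_cert, ca_public_key):
    """Return 'revoked' or 'good'; raise ValueError if this CRL may not be used for cert."""
    # X.509 7.10: the delegation must be verifiable from the certificate being checked.
    if crl.issuer not in authorised_crl_issuers(cert):
        raise ValueError("CRL issuer is not authorised by the certificate")
    # The delegate's certificate must name the CRL issuer, come from the same CA that
    # issued `cert`, verify under that CA's key, and permit cRLSign.
    if signer_cert.subject != crl.issuer or signer_cert.issuer != cert.issuer:
        raise ValueError("CRL signer certificate does not chain to the certificate's CA")
    ca_public_key.verify(signer_cert.signature, signer_cert.tbs_certificate_bytes,
                         ec.ECDSA(signer_cert.signature_hash_algorithm))
    if not signer_cert.extensions.get_extension_for_class(x509.KeyUsage).value.crl_sign:
        raise ValueError("CRL signer certificate lacks cRLSign")
    if not crl.is_signature_valid(signer_cert.public_key()):
        raise ValueError("CRL signature does not verify under the delegate's key")
    idps = [e.value for e in crl.extensions if isinstance(e.value, x509.IssuingDistributionPoint)]
    if crl.issuer != cert.issuer and not (idps and idps[0].indirect_crl):
        raise ValueError("delegated CRL does not assert indirectCRL")
    entry_issuer = crl.issuer  # RFC 5280 5.3.3: certificateIssuer persists to later entries
    for entry in crl:
        for ci in (e.value for e in entry.extensions if isinstance(e.value, x509.CertificateIssuer)):
            entry_issuer = list(ci)[0].value
        if entry.serial_number == cert.serial_number and entry_issuer == cert.issuer:
            return "revoked"
    return "good"

def demo():
    ca_pub, signer_cert, ee_revoked, ee_good, crl = build_scenario()
    statuses = (revocation_status(ee_revoked, crl, signer_cert, ca_pub),
                revocation_status(ee_good, crl, signer_cert, ca_pub))
    # A well-formed CRL from an entity the certificate never named must be refused.
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    rogue = (x509.CertificateRevocationListBuilder().issuer_name(dn("Rogue CRL Service"))
             .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
             .sign(rogue_key, hashes.SHA256()))
    try:
        revocation_status(ee_revoked, rogue, signer_cert, ca_pub)
        refused = False
    except ValueError:
        refused = True
    return statuses + (refused,)

if __name__ == "__main__":
    print(demo())  # ('revoked', 'good', True)
```

The order of the checks matters: the cRLIssuer lookup comes first because it is the only thing that ties the CRL issuer to the certificate at all; a CRL signature that verifies under some key proves nothing until that key's owner is shown to be authorised for this certificate. The certificateIssuer entry extension is what lets one indirect CRL cover certificates from several CAs, which is why the entry match compares both serial number and issuer.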
------=_NextPart_000_0031_01D0B998.F71F3710-- From nobody Sun Jul 12 15:02:55 2015 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 866C31A886F for ; Sun, 12 Jul 2015 15:02:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 2.5 X-Spam-Level: ** X-Spam-Status: No, score=2.5 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_17=0.6, J_CHICKENPOX_210=0.6, J_CHICKENPOX_26=0.6, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kR2A4OsixAIV for ; Sun, 12 Jul 2015 15:02:53 -0700 (PDT) Received: from mail-pa0-x22b.google.com (mail-pa0-x22b.google.com [IPv6:2607:f8b0:400e:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AEFB1A886E for ; Sun, 12 Jul 2015 15:02:53 -0700 (PDT) Received: by pacan13 with SMTP id an13so4440109pac.1 for ; Sun, 12 Jul 2015 15:02:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=m22HWBX+a4HDn9JIHSC5jOoKsDJWVFz7NCXA3/Ekz24=; b=RlgjCB+t+A9g3lgX9ZlIGklRCty+5L5UMVEBPQrmzeL2tfm6n2551yY8O1WWBFgETk wMth27AmctYabmTOhDHySxOmd0RSuiZULkMV5cYcYJsB93VoF+9tq5Xk/1rt6E7bAycm Dj1UPTrC5FMYU8yCgfnELiYkqOQXmY1Tzb3SIJlglQ7kAXx+mwIuq0ygAYmBs7mMQ/PO 85aOXX5M+ZUVQ1qwvLvs5QnNFbQkbEd/IloYdEsEULj5gZ94j98aHDBqlYBNEXE765u8 Zc9tUZ9xrAhkUWqTtJbmWwzmvP1rArBRtWtbSD+vLIp98GXy+qKJ5Km/u0iO2KADYC9V s4LA== MIME-Version: 1.0 X-Received: by 10.68.185.37 with SMTP id ez5mr63505883pbc.74.1436738573130; Sun, 12 Jul 2015 15:02:53 -0700 (PDT) Received: by 10.70.66.5 with HTTP; Sun, 12 Jul 2015 15:02:53 -0700 (PDT) Date: Sun, 12 
Jul 2015 15:02:53 -0700 Message-ID: From: Peter Bowen To: pkix@ietf.org Content-Type: text/plain; charset=UTF-8 Archived-At: Subject: [pkix] Self-issued certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 12 Jul 2015 22:02:54 -0000

I'm trying to make sense of the definition of "self-issued certificates" in RFC 5280 (and X.509).

Section 3.2 provides a definition: "Self-issued certificates are CA certificates in which the issuer and subject are the same entity." However section 6.1 says "A certificate is self-issued if the same DN appears in the subject and issuer fields."

While it is clear that all certificates with the same DN for subject and issuer are self-issued, it is unclear to me whether a certificate with different DNs could be self-issued. Section 6.1 could be giving one example of how a certificate could be self-issued or section 6.1 could be a limiting definition.

Consider the following example: Example Trust Services has two different private keys. Each key has a single associated DN:
Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor

There is a CA certificate created with
Subject: O=Example Trust Services, OU=Commercial Trust Anchor
Subject Public Key: Key1
Issuer: O=Example Trust Services, OU=Global Trust Anchor
Signed by Key0

Is this CA certificate considered a self-issued certificate?
Thanks, Peter From nobody Sun Jul 12 18:52:20 2015 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C03F61ACD45 for ; Sun, 12 Jul 2015 18:52:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 2.501 X-Spam-Level: ** X-Spam-Status: No, score=2.501 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_17=0.6, J_CHICKENPOX_210=0.6, J_CHICKENPOX_26=0.6, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Y5jzUf4nQwc for ; Sun, 12 Jul 2015 18:52:17 -0700 (PDT) Received: from mail-qg0-x22f.google.com (mail-qg0-x22f.google.com [IPv6:2607:f8b0:400d:c04::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23E601ACD41 for ; Sun, 12 Jul 2015 18:52:17 -0700 (PDT) Received: by qgy5 with SMTP id 5so14793538qgy.3 for ; Sun, 12 Jul 2015 18:52:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=LhBLHpkmvi3wVXIALPpBZ6EKJgIQgfkHi52NtB/6fAY=; b=MbBCwgEi7FLhixEsXrB/B0mwFXufqcpUtSJ028AXqWWb3Q9jKkKdrtksCyIjnVez+S ymBX1az03V4kyo+iA9T3DjqgUx87Fe+sn8GGXONbHrNb7rrUkK6yLruzHcmc/MiuhcxV gPop0mXj7pAnYE6A+hBeM0FsJjR1qrlx15xS7LAsqnOpfuR3PC8mcU4No3vuyRMXAwOb zJwvyi8F/mFpGwOUIJ4qK6azkmR1QkK/xNDyEsOn8+JniLFDcaaTKY7YCqxE7qe/5bb6 KBn8Fe2cLTf1hUBhQIATTCHef1NrhBKZxyDWV3yLRbAoLEp322J4ZOn/Cj/YXPp/fSiz +tIg== MIME-Version: 1.0 X-Received: by 10.140.239.136 with SMTP id k130mr52405437qhc.90.1436752336312; Sun, 12 Jul 2015 18:52:16 -0700 (PDT) Received: by 10.140.94.67 with HTTP; Sun, 12 Jul 2015 18:52:16 -0700 
(PDT) In-Reply-To: References: Date: Mon, 13 Jul 2015 03:52:16 +0200 Message-ID: From: Erwann Abalea To: Peter Bowen , "" Content-Type: multipart/alternative; boundary=001a11359256a2dee3051ab7f878 Archived-At: Subject: Re: [pkix] Self-issued certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2015 01:52:18 -0000 --001a11359256a2dee3051ab7f878 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Good evening Peter,

This isn't a self-issued certificate in X.509/RFC5280. It's a subordinate CA. Section 6.1 clearly defines how one knows if issuer and subject are the same entity.

Entities in X.509 are purely technical; your company named "Example Trust Services" doesn't exist in this standard. If it existed, there should be a way to express if it's the same entity when it's located in the US or in MY (think about Digicert's certificates).

You're "free" to change the rule behind section 6.1 to match your idea of what an entity is, for your own set of applications, but it will be incompatible with the rest of the world. This has been done with electronic passports (BAC), where an entity is defined by the countryCode alone when validating CRLs, and the complete DN when validating a certificate chain.

On Monday 13 July 2015, Peter Bowen wrote:
> I'm trying to make sense of the definition of "self-issued certificates" in RFC 5280 (and X.509)
>
> Section 3.2 provides a definition: "Self-issued certificates are CA certificates in which the issuer and subject are the same entity."
> However section 6.1 says "A certificate is self-issued if the same DN appears in the subject and issuer fields."
>
> While it is clear that all certificates with the same DN for subject and issuer are self-issued, it is unclear to me whether a certificate with different DNs could be self-issued. Section 6.1 could be giving one example of how a certificate could be self-issued or section 6.1 could be a limiting definition.
>
> Consider the following example:
> Example Trust Services has two different private keys. Each key has a single associated DN:
> Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
> Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor
>
> There is a CA certificate created with
> Subject: O=Example Trust Services, OU=Commercial Trust Anchor
> Subject Public Key: Key1
> Issuer: O=Example Trust Services, OU=Global Trust Anchor
> Signed by Key0
>
> Is this CA certificate considered a self-issued certificate?
>
> Thanks,
> Peter

--
Erwann.

--001a11359256a2dee3051ab7f878 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
--001a11359256a2dee3051ab7f878-- From nobody Sun Jul 12 18:57:14 2015 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BC7F1ACD4B for ; Sun, 12 Jul 2015 18:57:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 2.522 X-Spam-Level: ** X-Spam-Status: No, score=2.522 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_17=0.6, J_CHICKENPOX_210=0.6, J_CHICKENPOX_26=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EJdp6gx2PlHz for ; Sun, 12 Jul 2015 18:57:12 -0700 (PDT) Received: from mail-oi0-f53.google.com (mail-oi0-f53.google.com [209.85.218.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91FF81ACCF8 for ; Sun, 12 Jul 2015 18:57:12 -0700 (PDT) Received: by oihq81 with SMTP id q81so30926954oih.2 for ; Sun, 12 Jul 2015 18:57:11 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jlj17CwnBwkjVDShSxjf2bSimlgMcKt7QVnIRawfnhc=; b=K01e/dhOdJy5f3CJb1vwslqZGcLdLBMoLIVDutp4PtBxgDq8tCOv3Fpw04mVO+YGKL tqybbGmz7xon0Al24GULsrBiRMefwS4L15U75QtlPkUS/bmxNbEGR/VR2LR5YtE+FCtg /cXyYb1TaEpZLDXUkkKVFIIYH5Z6VmJVODixtUlMEAREO5AFuIbGQFRWZNdJrKQzWZUf 5YUEojSOYLtJn8nVhZwqmh2OfEsU2TSc3UUh3IU1CkdjcyZ8LfRw3MhxIkRbcUNnXoAJ LuvlaxqxZ6sp7O5/MEV7k+xFisbC9duXp6ET54WupL5B1elMsOOvxMqkm/LyFTRDJl8j JzCw== X-Gm-Message-State: ALoCoQk77m6KrS5wG/97AWKImedUohfXN6Sd0kerCR9abBtV0syAjh6R0cinj5NNyNdtJUu/+siR MIME-Version: 1.0 X-Received: by 10.202.86.215 with SMTP id k206mr26768197oib.13.1436752631846; Sun, 
12 Jul 2015 18:57:11 -0700 (PDT) Received: by 10.76.90.97 with HTTP; Sun, 12 Jul 2015 18:57:11 -0700 (PDT) In-Reply-To: References: Date: Sun, 12 Jul 2015 21:57:11 -0400 Message-ID: From: Brian Smith To: Peter Bowen Content-Type: multipart/alternative; boundary=001a113d7ba6406f58051ab80a55 Archived-At: Cc: PKIX Subject: Re: [pkix] Self-issued certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2015 01:57:14 -0000 --001a113d7ba6406f58051ab80a55 Content-Type: text/plain; charset=UTF-8

Peter Bowen wrote:
> Consider the following example:
> Example Trust Services has two different private keys. Each key has a single associated DN:
> Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
> Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor
>
> There is a CA certificate created with
> Subject: O=Example Trust Services, OU=Commercial Trust Anchor
> Subject Public Key: Key1
> Issuer: O=Example Trust Services, OU=Global Trust Anchor
> Signed by Key0
>
> Is this CA certificate considered a self-issued certificate?

No, because the issuer and subject fields are not equal.

For further justification, it helps to look at what "self-issued" is used for in RFC 5280: exceptions for the normal path length constraints, policy constraints, name constraints rules, and (IIRC) nothing else. There's nothing to indicate that such exceptions would be warranted for that certificate.

In fact, mozilla::pkix doesn't recognize self-issued certificates at all, and so doesn't implement those exceptions. So far, this has not caused any problems, so as far as the Web PKI is concerned, it is likely we can forget about the concept of self-issued certificate completely. And, that's what I recommend that people do.
Cheers, Brian --001a113d7ba6406f58051ab80a55 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
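Brian's reply above names what "self-issued" actually does in RFC 5280: it exempts a certificate from pathLenConstraint accounting (and from the policy and name-constraint counters). The following is an added example, not code from any participant in the thread, that models just the path-length part in plain Python: a certificate is a small dict rather than DER, keys are labels and "signing" is a recorded field, names are compared with a simplified form of the RFC 5280 section 7.1 rule (RDN order kept, whitespace and case ignored, naive comma split, no StringPrep), and the chain is Peter's Key0/Key1 scenario placed under a constructed "OU=Root" trust anchor. It contrasts Peter's certificate (different DNs, so a subordinate CA that consumes one unit of path length) with an X.509-style key-rollover certificate (same DN, new key: self-issued but not self-signed) that does not.

```python
"""RFC 5280's self-issued test and the one place it changes path validation:
pathLenConstraint accounting, RFC 5280 6.1.4 steps (l) and (m).  Pure-Python model:
a certificate is a dict, keys are labels, and signing is recorded as a field, so no
real cryptography is performed.  All names below are constructed for the example."""
import re

GLOBAL = "O=Example Trust Services, OU=Global Trust Anchor"
COMMERCIAL = "O=Example Trust Services, OU=Commercial Trust Anchor"
ROOT = "O=Example Trust Services, OU=Root"  # constructed trust anchor above both keys

def normalise_dn(dn):
    """Simplified RFC 5280 7.1 comparison: RDN order preserved, whitespace collapsed,
    case folded.  Naive comma split (values containing ',' or escapes are not
    handled); this is not a full LDAP StringPrep implementation."""
    return tuple(re.sub(r"\s+", " ", rdn.strip()).casefold() for rdn in dn.split(","))

def is_self_issued(cert):
    """RFC 5280 6.1: self-issued iff the same DN appears in subject and issuer."""
    return normalise_dn(cert["subject"]) == normalise_dn(cert["issuer"])

def is_self_signed(cert):
    """Stricter: self-issued AND signed with the very key it certifies.  A key
    rollover certificate (old key signs new key, same DN) is self-issued only."""
    return is_self_issued(cert) and cert["signed_by"] == cert["key"]

def make_cert(subject, issuer, key, signed_by, ca=True, path_len=None):
    return dict(subject=subject, issuer=issuer, key=key, signed_by=signed_by,
                ca=ca, path_len=path_len)

def validate_path_length(trust_anchor, chain):
    """chain[0] is issued by trust_anchor=(name, key); chain[-1] is the end entity.
    Returns (ok, reason).  Only the 6.1.3 issuer/signature link and the 6.1.4
    basicConstraints/pathLenConstraint steps are modelled."""
    max_path_length = len(chain)  # 6.1.2 (k): initialised to n
    issuer_name, issuer_key = trust_anchor
    for i, c in enumerate(chain):
        # 6.1.3 (a): signed by the working key and naming the working issuer.
        if c["signed_by"] != issuer_key or normalise_dn(c["issuer"]) != normalise_dn(issuer_name):
            return False, "cert %d not issued by the working issuer" % i
        if i < len(chain) - 1:
            if not c["ca"]:
                return False, "intermediate %d is not a CA" % i  # 6.1.4 (k)
            if not is_self_issued(c):  # 6.1.4 (l): self-issued certs consume nothing
                if max_path_length <= 0:
                    return False, "pathLenConstraint exceeded at cert %d" % i
                max_path_length -= 1
            if c["path_len"] is not None and c["path_len"] < max_path_length:
                max_path_length = c["path_len"]  # 6.1.4 (m): tighter constraint wins
        issuer_name, issuer_key = c["subject"], c["key"]
    return True, "ok"

def demo():
    anchor = (ROOT, "KeyR")
    global_ca = make_cert(GLOBAL, ROOT, "Key0", "KeyR", path_len=0)
    peters_cert = make_cert(COMMERCIAL, GLOBAL, "Key1", "Key0")  # different DNs: subordinate CA
    rollover = make_cert(GLOBAL, GLOBAL, "Key0new", "Key0")     # same DN, new key: self-issued
    ee_via_peter = make_cert("CN=server.example", COMMERCIAL, "KeyEE", "Key1", ca=False)
    ee_via_rollover = make_cert("CN=server.example", GLOBAL, "KeyEE", "Key0new", ca=False)
    return {
        "peters_cert_self_issued": is_self_issued(peters_cert),
        "rollover_self_issued": is_self_issued(rollover),
        "rollover_self_signed": is_self_signed(rollover),
        "path_via_peter": validate_path_length(anchor, [global_ca, peters_cert, ee_via_peter]),
        "path_via_rollover": validate_path_length(anchor, [global_ca, rollover, ee_via_rollover]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With pathLenConstraint=0 on the Global CA certificate, the rollover chain validates because the same-DN certificate is skipped by step (l), while Peter's Commercial certificate is counted and fails; that is the exemption Brian refers to, and it is the only behavioural difference the self-issued label makes here.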
--001a113d7ba6406f58051ab80a55-- From nobody Sun Jul 12 21:46:13 2015 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11F0C1ACD92 for ; Sun, 12 Jul 2015 21:46:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.7 X-Spam-Level: X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uWb0dZfaKAC0 for ; Sun, 12 Jul 2015 21:46:10 -0700 (PDT) Received: from mail-pd0-x231.google.com (mail-pd0-x231.google.com [IPv6:2607:f8b0:400e:c02::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA8941ACD8D for ; Sun, 12 Jul 2015 21:46:09 -0700 (PDT) Received: by pdbqm3 with SMTP id qm3so73308713pdb.0 for ; Sun, 12 Jul 2015 21:46:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=0LnfPx7unThZLDZJUPLkpL0i+iNkWTADHhx4RCpM6wY=; b=kfX2BmpY3Qt2lk7+Rnnd+coudnlGbhur3Y4FLSDqSZRjXYejkZpJprmreX0GpQDft0 qxHZuJDNdvygB6iNv3C7M+ttyGkhq3oJ//pSSV/UkYRB1E+QCpY52sEWb7qiidRRUOy0 pAvU6MOhyBb7biHzVXWSamL68UO2YHqhD3f+pcdx+yLW0Tl+JYzqd0tWUlpTmVdBwRaq wgthpYDH6w8M/OnEwtTFKrAUPvKYneUkG9d0JRsqPtw2CI3j6M9NMtlj7cT3Z12Yu/QW xcNwvjpXDccYaSzalTLwHL5YkR/ZTHWDYv0yGxzo9BY2ymZc3sBNC1FJ0PhuprONnIiv y8dQ== MIME-Version: 1.0 X-Received: by 10.68.167.131 with SMTP id zo3mr65074429pbb.123.1436762769563; Sun, 12 Jul 2015 21:46:09 -0700 (PDT) Received: by 10.70.66.5 with HTTP; Sun, 12 Jul 2015 21:46:09 -0700 (PDT) In-Reply-To: References: Date: Sun, 12 
Jul 2015 21:46:09 -0700 Message-ID: From: Peter Bowen To: Erwann Abalea Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Archived-At: Cc: "" Subject: Re: [pkix] Self-issued certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2015 04:46:12 -0000

On Sun, Jul 12, 2015 at 6:52 PM, Erwann Abalea wrote:
> This isn't a self-issued certificate in X.509/RFC5280. It's a subordinate CA. Section 6.1 clearly defines how one knows if issuer and subject are the same entity.
>
> Entities in X.509 are purely technical; your company named "Example Trust Services" doesn't exist in this standard. If it existed, there should be a way to express if it's the same entity when it's located in the US or in MY (think about Digicert's certificates).

Thank you Erwann.

Taking this one step further, X.509 has the following definitions:

authority: An entity, responsible for the issuance of certificates. Two types are defined in this [document]; a certification authority which issues public-key certificates and an attribute authority which issues attribute certificates

certification authority (CA): An authority trusted by one or more users to create and assign public-key certificates.

Do I take it correctly that a single business entity (e.g. société anonyme or SARL) may operate multiple certificate authorities, and that the term "entity" in the above definition does not refer to the business entity but rather to the existence of each CA as being independent, separate, and self-contained?
Thanks,
Peter

From nobody Mon Jul 13 00:30:27 2015
From: Erik Andersen
To: pkix@ietf.org
Date: Mon, 13 Jul 2015 09:30:23 +0200
Message-ID: <000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
Subject: Re: [pkix] Self-issued certificates

Hi Peter,

It is only RFC 5280 that is unclear. X.509 is quite clear. The X.509 definition is:

3.5.62 self-issued certificate: A CA certificate where the issuer and the subject are the same CA. A CA might use self-issued certificates, for example, during a key rollover operation to provide trust from the old key to the new key.

The problem you are facing is that the term entity is not clearly defined. Is a CA an entity, or is CA a specific role for an entity among other roles for the same entity?

The RFC 5280 definition seems to assume that a CA is an entity, and the two CAs you mention are different entities, while X.509 does not necessarily make that assumption.

Kind regards,

Erik Andersen

-----Original message-----
From: pkix [mailto:pkix-bounces@ietf.org] On behalf of Peter Bowen
Sent: 13 July 2015 00:03
To: pkix@ietf.org
Subject: [pkix] Self-issued certificates

I'm trying to make sense of the definition of "self-issued certificates" in RFC 5280 (and X.509)

Section 3.2 provides a definition: "Self-issued certificates are CA certificates in which the issuer and subject are the same entity."
However section 6.1 says "A certificate is self-issued if the same DN appears in the subject and issuer fields."

While it is clear that all certificates with the same DN for subject and issuer are self-issued, it is unclear to me whether a certificate with different DNs could be self-issued. Section 6.1 could be giving one example of how a certificate could be self-issued or section 6.1 could be a limiting definition.

Consider the following example:
Example Trust Services has two different private keys. Each key has a single associated DN:
Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor

There is a CA certificate created with
Subject: O=Example Trust Services, OU=Commercial Trust Anchor
Subject Public Key: Key1
Issuer: O=Example Trust Services, OU=Global Trust Anchor
Signed by Key0

Is this CA certificate considered a self-issued certificate?

Thanks,
Peter

From nobody Mon Jul 13 04:14:38 2015
From: Carl Wallace
To: Brian Smith
Cc: PKIX <pkix@ietf.org>
Date: Mon, 13 Jul 2015 07:14:26 -0400
Subject: Re: [pkix] Self-issued certificates

From: Brian Smith <brian@briansmith.org>
Date: Sunday, July 12, 2015 at 9:57 PM
To: Peter Bowen <pzbowen@gmail.com>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates

> In fact, mozilla::pkix doesn't recognize self-issued certificates at all, and
> so doesn't implement those exceptions. So far, this has not caused any
> problems, so as far as the Web PKI is concerned, it is likely we can forget
> about the concept of self-issued certificate completely. And, that's what I
> recommend that people do.

Do you have a list of standard path validation features that were omitted from mozilla::pkix? This could form the basis of a revised path validation algorithm definition or at least keep folks from using a library that is missing features that are present in their environment.
From nobody Mon Jul 13 05:25:18 2015
From: "Miller, Timothy J."
To: Peter Bowen, pkix@ietf.org
Date: Mon, 13 Jul 2015 12:25:11 +0000
Subject: Re: [pkix] Self-issued certificates

In X.509 (and PKIX) the name *is* the identity. X.509 (and PKIX) binds keys to names; the key can change but the name remains invariant. In contrast, SPKI/SDSI binds names to keys; the key remains invariant, but the name can change.

So if it has a different DN, it's not the same entity. As a result there's no ambiguity in the RFC.

It is possible to bind the same key to different names. Nothing stops you from presenting the same key to multiple CAs and claiming different names. If your goal is pseudonymity, though, I wouldn't recommend this. :)

It's also possible to use keys from X.509 certificates as entities and ignore the name--e.g., key continuity management (a.k.a. certificate pinning)--but this is outside the spec.

-- T

> -----Original Message-----
> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Peter Bowen
> Sent: Sunday, July 12, 2015 5:03 PM
> To: pkix@ietf.org
> Subject: [pkix] Self-issued certificates
>
> [Peter Bowen's original message, quoted in full; the same text is quoted in Erik Andersen's reply above.]

From nobody Mon Jul 13 05:54:50 2015
From: Wen-Cheng Wang (王文正)
To: pkix@ietf.org
Date: Mon, 13 Jul 2015 12:54:39 +0000
Message-ID: <20825998BCB8D84C983674C159E25E753D620DB0@mbs6.app.corp.cht.com.tw>
In-Reply-To: <000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
Subject: Re: [pkix] Self-issued certificates

I think both X.509 and RFC 5280 are clear and equivalent with respect to the definition of self-issued certificates.

In clause 3.5.62 of X.509, the definition of self-issued certificates is as below:

    self-issued certificate: A public-key certificate where the issuer and the subject are the same CA. A CA might use self-issued certificates, for example, during a key rollover operation to provide trust from the old key to the new key.

In section 3.2 of RFC 5280, the definition of self-issued certificates is as below:

    Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations.

In clause 8.1.5 of X.509, it specifies the naming rule for self-issued certificates as below:

    These types of CA-certificates are called self-issued certificates, and they can be recognized by the fact that the issuer and subject names present in them are identical.

In section 6.1 of RFC 5280, it specifies the naming rule for self-issued certificates as below:

    A certificate is self-issued if the same DN appears in the subject and issuer fields (the two DNs are the same if they match according to the rules specified in Section 7.1).

The logic behind is "A CA is certainly an entity. Once the DN of the entity is officially assigned by a naming authority, it should not be changed unless its identity is changed in the future. Therefore, when a CA performs its key rollovers or policy changes, it should not change its DN. That is why self-issued certificates with the same issuer and subject names are generated to support key rollovers or policy changes."

Please note that some special certification path handling rules are based on the assumption of "a certificate is self-issued if the same DN appears in the subject and issuer fields", as mentioned in clause 8.1.5 of X.509:

    Nevertheless, if self-issued certificates of this category are encountered in the path, they shall be processed as intermediate certificates, with the following exception: they do not contribute to the path length for the purposes of processing the pathLenConstraint component of the basicConstraints extension and the skip-certificates values associated with the policy-mapping-inhibit-pending and explicit-policy-pending indicators.

The certificate path validation algorithm defined in section 6.1 of RFC 5280 also contains exceptional "self-issued certificates" handling rules which are equivalent to those required by the X.509 standard.

If a CA issues a certificate of which the issuer name and subject name are not the same, it will be handled as a normal certificate (either as a non-self-issued intermediate certificate or as an end-entity certificate) and thus those exceptional "self-issued certificates" handling rules will not apply to it.

Wen-Cheng Wang

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erik Andersen
Sent: Monday, July 13, 2015 3:30 PM
To: pkix@ietf.org
Subject: Re: [pkix] Self-issued certificates

[Erik Andersen's reply and Peter Bowen's original message, quoted in full; both appear above.]
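An added example, not from the thread or any of its participants, that puts the reading of RFC 5280 section 6.1 given in the reply above next to Peter Bowen's example in code. It models a DN as a tuple of attribute/value pairs, decides "self-issued" purely by subject/issuer name match (keys play no part), and runs the pathLenConstraint bookkeeping of section 6.1.4 over a constructed chain that contains a same-DN key-rollover certificate. A second run with `honor_self_issued=False` shows what a validator that ignores the self-issued concept, as Brian Smith describes mozilla::pkix above, does with the same chain. The two DNs are Peter's; the root "OU=Root", the end-entity name, all key labels and the simplified section 7.1 name comparison are assumptions for illustration.

```python
# Added example (not from the thread): RFC 5280 section 6.1 self-issued test
# and its effect on pathLenConstraint processing. All names and key labels
# other than Peter Bowen's two DNs are constructed for this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A DN is modelled as an ordered tuple of (attribute type, value) pairs.
DN = Tuple[Tuple[str, str], ...]


def normalise_dn(dn: DN) -> DN:
    # Simplified RFC 5280 section 7.1 comparison (assumption): fold case and
    # collapse internal whitespace. Real validators also handle string
    # encoding differences and RDN set ordering.
    return tuple((attr.upper(), " ".join(val.split()).casefold()) for attr, val in dn)


def dn_equal(a: DN, b: DN) -> bool:
    return normalise_dn(a) == normalise_dn(b)


@dataclass(frozen=True)
class Cert:
    subject: DN
    issuer: DN
    public_key: str                              # label standing in for SubjectPublicKeyInfo
    signing_key: str                             # label of the key that produced the signature
    is_ca: bool = True                           # basicConstraints.cA
    path_len_constraint: Optional[int] = None    # basicConstraints.pathLenConstraint


def is_self_issued(cert: Cert) -> bool:
    """RFC 5280 section 6.1: self-issued iff subject and issuer DNs match.
    Which keys are involved is irrelevant; a different OU is a different name."""
    return dn_equal(cert.subject, cert.issuer)


def validate_path(chain: List[Cert], anchor_name: DN, anchor_key: str,
                  honor_self_issued: bool = True) -> List[str]:
    """Apply the issuer-name, signing-key and pathLenConstraint steps of
    RFC 5280 sections 6.1.3/6.1.4 to an ordered chain (certificate issued by
    the trust anchor first, end entity last). Returns violations; [] is valid."""
    n = len(chain)
    max_path_length = n              # 6.1.2 (k): initialised to the chain length
    working_issuer = anchor_name
    working_key = anchor_key
    violations: List[str] = []
    for i, cert in enumerate(chain, start=1):
        # 6.1.3 (a)(1): signature verifiable with the working public key (label match here).
        if cert.signing_key != working_key:
            violations.append(f"cert {i}: not signed by working public key {working_key}")
        # 6.1.3 (a)(4): issuer name matches the working issuer name.
        if not dn_equal(cert.issuer, working_issuer):
            violations.append(f"cert {i}: issuer does not match working issuer name")
        if i < n:                    # 6.1.4 "prepare for certificate i+1"
            if not cert.is_ca:       # 6.1.4 (k)
                violations.append(f"cert {i}: basicConstraints cA is not TRUE")
            # 6.1.4 (l): only certificates that are NOT self-issued consume path length.
            if not (honor_self_issued and is_self_issued(cert)):
                if max_path_length <= 0:
                    violations.append(f"cert {i}: pathLenConstraint exceeded")
                else:
                    max_path_length -= 1
            # 6.1.4 (m): a tighter pathLenConstraint lowers max_path_length.
            if cert.path_len_constraint is not None and cert.path_len_constraint < max_path_length:
                max_path_length = cert.path_len_constraint
        working_issuer = cert.subject
        working_key = cert.public_key
    return violations


# Constructed sample data.
ROOT_DN: DN = (("O", "Example Trust Services"), ("OU", "Root"))                          # assumed
GLOBAL_DN: DN = (("O", "Example Trust Services"), ("OU", "Global Trust Anchor"))         # from the thread
COMMERCIAL_DN: DN = (("O", "Example Trust Services"), ("OU", "Commercial Trust Anchor")) # from the thread
EE_DN: DN = (("O", "Example Trust Services"), ("CN", "server.example"))                  # assumed

# Peter Bowen's certificate: same organisation, different OU, Key1 certified by Key0.
PETER_CERT = Cert(subject=COMMERCIAL_DN, issuer=GLOBAL_DN, public_key="Key1", signing_key="Key0")
# A key-rollover certificate: same DN on both sides, new key certified by the old one.
ROLLOVER_CERT = Cert(subject=GLOBAL_DN, issuer=GLOBAL_DN, public_key="Key0-new", signing_key="Key0")

# Chain below an assumed root: pathLenConstraint=1 is set before the rollover
# certificate, so whether the rollover consumes path length decides the outcome.
CHAIN: List[Cert] = [
    Cert(subject=GLOBAL_DN, issuer=ROOT_DN, public_key="Key0", signing_key="KeyR", path_len_constraint=1),
    ROLLOVER_CERT,
    Cert(subject=COMMERCIAL_DN, issuer=GLOBAL_DN, public_key="Key1", signing_key="Key0-new"),
    Cert(subject=EE_DN, issuer=COMMERCIAL_DN, public_key="KeyE", signing_key="Key1", is_ca=False),
]

if __name__ == "__main__":
    print("Peter's cert self-issued?", is_self_issued(PETER_CERT))        # False
    print("rollover cert self-issued?", is_self_issued(ROLLOVER_CERT))    # True
    print("RFC 5280 rules:", validate_path(CHAIN, ROOT_DN, "KeyR") or "valid")
    print("ignoring self-issued:", validate_path(CHAIN, ROOT_DN, "KeyR", honor_self_issued=False))
```

With the self-issued exception honoured the chain validates; with it ignored the rollover certificate consumes the remaining path length and the Commercial CA certificate fails the pathLenConstraint check. Peter's certificate, with its different OU, is never self-issued under this rule and would count toward path length in either mode.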
Ij48c3BhbiBsYW5nPSJFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAg Y2xhc3M9Ik1zb1BsYWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjI0LjBwdDttc28tcGFy YS1tYXJnaW4tbGVmdDoyLjBnZCI+PHNwYW4gbGFuZz0iRU4tVVMiPk5ldmVydGhlbGVzcywg aWYgc2VsZi1pc3N1ZWQgY2VydGlmaWNhdGVzIG9mIHRoaXMgY2F0ZWdvcnkgYXJlIGVuY291 bnRlcmVkIGluIHRoZSBwYXRoLCB0aGV5IHNoYWxsIGJlIHByb2Nlc3NlZCBhczxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4t bGVmdDoyNC4wcHQ7bXNvLXBhcmEtbWFyZ2luLWxlZnQ6Mi4wZ2QiPjxzcGFuIGxhbmc9IkVO LVVTIj5pbnRlcm1lZGlhdGUgY2VydGlmaWNhdGVzLCB3aXRoIHRoZSBmb2xsb3dpbmcgZXhj ZXB0aW9uOiB0aGV5IGRvIG5vdCBjb250cmlidXRlIHRvIHRoZSBwYXRoIGxlbmd0aCBmb3Ig dGhlIHB1cnBvc2VzIG9mPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCIgc3R5bGU9Im1hcmdpbi1sZWZ0OjI0LjBwdDttc28tcGFyYS1tYXJnaW4tbGVm dDoyLjBnZCI+PHNwYW4gbGFuZz0iRU4tVVMiPnByb2Nlc3NpbmcgdGhlIHBhdGhMZW5Db25z dHJhaW50IGNvbXBvbmVudCBvZiB0aGUgYmFzaWNDb25zdHJhaW50cyBleHRlbnNpb24gYW5k IHRoZSBza2lwLWNlcnRpZmljYXRlczxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiIHN0eWxlPSJtYXJnaW4tbGVmdDoyNC4wcHQ7bXNvLXBhcmEtbWFy Z2luLWxlZnQ6Mi4wZ2QiPjxzcGFuIGxhbmc9IkVOLVVTIj52YWx1ZXMgYXNzb2NpYXRlZCB3 aXRoIHRoZSBwb2xpY3ktbWFwcGluZy1pbmhpYml0LXBlbmRpbmcgYW5kIGV4cGxpY2l0LXBv bGljeS1wZW5kaW5nIGluZGljYXRvcnMuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVT Ij5UaGUgY2VydGlmaWNhdGUgcGF0aCB2YWxpZGF0aW9uIGFsZ29yaXRobSBkZWZpbmVkIGlu IHNlY3Rpb24gNi4xIG9mIFJGQyA1MjgwIGFsc28gY29udGFpbnMgZXhjZXB0aW9uYWwgJnF1 b3Q7c2VsZi1pc3N1ZWQgY2VydGlmaWNhdGVzJnF1b3Q7IGhhbmRsaW5nIHJ1bGVzIHdoaWNo IGFyZSBlcXVpdmFsZW50IHRvIHRob3NlIHJlcXVpcmVkIGJ5IHRoZSBYLjUwOSBzdGFuZGFy ZC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3Bh biBsYW5nPSJFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPklmIGEgQ0EgaXNzdWVzIGEgY2Vy 
dGlmaWNhdGUgb2Ygd2hpY2ggdGhlIGlzc3VlciBuYW1lIGFuZCBzdWJqZWN0IG5hbWUgYXJl IG5vdCB0aGUgc2FtZSwgaXQgd2lsbCBiZSBoYW5kbGVkIGFzIGEgbm9ybWFsIGNlcnRpZmlj YXRlIChlaXRoZXIgYXMgYW4gbm9uLXNlbGYtaXNzdWVkIGludGVybWVkaWF0ZSBjZXJ0aWZp Y2F0ZSBvciBhcyBhbiBlbmQtZW50aXR5IGNlcnRpZmljYXRlKQ0KIGFuZCB0aHVzIHRob3Nl IGV4Y2VwdGlvbmFsICZxdW90O3NlbGYtaXNzdWVkIGNlcnRpZmljYXRlcyZxdW90OyBoYW5k bGluZyBydWxlcyB3aWxsIG5vdCBhcHBseSB0byBpdC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+ DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+PG86cD4mbmJz cDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFu Zz0iRU4tVVMiPldlbi1DaGVuZyBXYW5nPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVT Ij4tLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLTxicj4NCkZyb206IHBraXggW21haWx0bzpw a2l4LWJvdW5jZXNAaWV0Zi5vcmddIE9uIEJlaGFsZiBPZiBFcmlrIEFuZGVyc2VuPGJyPg0K U2VudDogTW9uZGF5LCBKdWx5IDEzLCAyMDE1IDM6MzAgUE08YnI+DQpUbzogcGtpeEBpZXRm Lm9yZzxicj4NClN1YmplY3Q6IFJlOiBbcGtpeF0gU2VsZi1pc3N1ZWQgY2VydGlmaWNhdGVz PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVT Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0 Ij48c3BhbiBsYW5nPSJFTi1VUyI+SGkgUGV0ZXIsPG86cD48L286cD48L3NwYW4+PC9wPg0K PHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9 IkVOLVVTIj5JdCBpcyBvbmx5IFJGQyA1MjgwIHRoYXQgaXMgdW5jbGVhci4gWC41MDkgaXMg cXVpdGUgY2xlYXIuIFRoZSBYLjUwOSBkZWZpbml0aW9uIGlzOjxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIj48bzpw PiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3Bh biBsYW5nPSJFTi1VUyI+My41LjYyJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHNl bGYtaXNzdWVkIGNlcnRpZmljYXRlOiBBIENBIGNlcnRpZmljYXRlIHdoZXJlIHRoZSBpc3N1 ZXIgYW5kIHRoZTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRl 
eHQiPjxzcGFuIGxhbmc9IkVOLVVTIj5zdWJqZWN0IGFyZSB0aGUgc2FtZSBDQS4gQSBDQSBt aWdodCB1c2Ugc2VsZi1pc3N1ZWQgY2VydGlmaWNhdGVzLCBmb3IgZXhhbXBsZSwgZHVyaW5n IGEga2V5IHJvbGxvdmVyIG9wZXJhdGlvbiB0byBwcm92aWRlIHRydXN0IGZyb20gdGhlIG9s ZCBrZXkgdG8gdGhlIG5ldyBrZXkuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9 Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPjxvOnA+Jm5ic3A7PC9vOnA+PC9z cGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIj5U aGUgcHJvYmxlbSB5b3UgYXJlIGZhY2luZyBpcyB0aGF0IHRoZSB0ZXJtIGVudGl0eSBpcyBu b3QgY2xlYXJseSBkZWZpbmVkLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIj5JcyBhIENBIGFuIGVudGl0eSBvciBp cyBDQSBpcyBzcGVjaWZpYyByb2xlIGZvciBhbiBlbnRpdHkgYW1vbmcgb3RoZXIgcm9sZXMg Zm9yIHRoZSBzYW1lIGVudGl0eT88bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3Nw YW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPlRo ZSBSRkMgNTI4MCBkZWZpbml0aW9uIHNlZW1zIHRvIGFzc3VtZSB0aGF0IGEgQ0EgaXMgYW4g ZW50aXR5LCBhbmQgdGhlIHR3byBDQSB5b3UgbWVudGlvbiBhcmUgZGlmZmVyZW50IGVudGl0 aWVzLCB3aGlsZSBYLjUwOSBkb2VzIG5vdCBuZWNlc3NhcmlseSBtYWtlIHRoYXQgYXNzdW1w dGlvbi48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48 c3BhbiBsYW5nPSJFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xh c3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPktpbmQgcmVnYXJkcyw8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5n PSJFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPkVyaWsgQW5kZXJzZW48bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+ PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ PHNwYW4gbGFuZz0iRU4tVVMiPi0tLS0tT3ByaW5kZWxpZyBtZWRkZWxlbHNlLS0tLS08bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5n PSJFTi1VUyI+RnJhOiBwa2l4IFs8YSBocmVmPSJtYWlsdG86cGtpeC1ib3VuY2VzQGlldGYu 
b3JnIj48c3BhbiBzdHlsZT0iY29sb3I6d2luZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9u ZSI+bWFpbHRvOnBraXgtYm91bmNlc0BpZXRmLm9yZzwvc3Bhbj48L2E+XSBQPC9zcGFuPjxz cGFuIGxhbmc9IkVOLVVTIiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7Q291cmllciBOZXcm cXVvdDsiPsOlPC9zcGFuPjxzcGFuIGxhbmc9IkVOLVVTIj4NCiB2ZWduZSBhZiBQZXRlciBC b3dlbjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxz cGFuIGxhbmc9IkVOLVVTIj5TZW5kdDogMTMgSnVseSAyMDE1IDAwOjAzPG86cD48L286cD48 L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMi PlRpbDogPGEgaHJlZj0ibWFpbHRvOnBraXhAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xv cjp3aW5kb3d0ZXh0O3RleHQtZGVjb3JhdGlvbjpub25lIj5wa2l4QGlldGYub3JnPC9zcGFu PjwvYT48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48 c3BhbiBsYW5nPSJFTi1VUyI+RW1uZTogW3BraXhdIFNlbGYtaXNzdWVkIGNlcnRpZmljYXRl czxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFu IGxhbmc9IkVOLVVTIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+SSdtIHRyeWluZyB0byBtYWtlIHNl bnNlIG9mIHRoZSBkZWZpbml0aW9uIG9mICZxdW90O3NlbGYtaXNzdWVkIGNlcnRpZmljYXRl cyZxdW90OyBpbiBSRkMgNTI4MCAoYW5kIFguNTA5KTxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIj48bzpwPiZuYnNw OzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5n PSJFTi1VUyI+U2VjdGlvbiAzLjIgcHJvdmlkZXMgYSBkZWZpbml0aW9uOiAmcXVvdDtTZWxm LWlzc3VlZCBjZXJ0aWZpY2F0ZXMgYXJlIENBIGNlcnRpZmljYXRlcyBpbiB3aGljaCB0aGUg aXNzdWVyIGFuZCBzdWJqZWN0IGFyZSB0aGUgc2FtZSBlbnRpdHkuJnF1b3Q7PG86cD48L286 cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4t VVMiPkhvd2V2ZXIgc2VjdGlvbiA2LjEgc2F5cyAmcXVvdDtBIGNlcnRpZmljYXRlIGlzIHNl bGYtaXNzdWVkIGlmIHRoZSBzYW1lIEROIGFwcGVhcnMgaW4gdGhlIHN1YmplY3QgYW5kIGlz c3VlciBmaWVsZHMuJnF1b3Q7PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1z b1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFu PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIj5XaGls 
ZSBpdCBpcyBjbGVhciB0aGF0IGFsbCBjZXJ0aWZpY2F0ZXMgd2l0aCB0aGUgc2FtZSBETiBm b3Igc3ViamVjdCBhbmQgaXNzdWUgYXJlIHNlbGYtaXNzdWVkLCBpdCBpcyB1bmNsZWFyIHRv IG1lIHdoZXRoZXIgYSBjZXJ0aWZpY2F0ZSB3aXRoIGRpZmZlcmVudCBETnMgY291bGQgYmUg c2VsZi1pc3N1ZWQuJm5ic3A7IFNlY3Rpb24gNi4xIGNvdWxkIGJlIGdpdmluZyBvbmUgZXhh bXBsZQ0KIG9mIGhvdyBhIGNlcnRpZmljYXRlIGNvdWxkIGJlIHNlbGYtaXNzdWVkIG9yIHNl Y3Rpb24gNi4xIGNvdWxkIGJlIGEgbGltaXRpbmcgZGVmaW5pdGlvbi48bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+ PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+ PHNwYW4gbGFuZz0iRU4tVVMiPkNvbnNpZGVyIHRoZSBmb2xsb3dpbmcgZXhhbXBsZTo8bzpw PjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5n PSJFTi1VUyI+RXhhbXBsZSBUcnVzdCBTZXJ2aWNlcyBoYXMgdHdvIGRpZmZlcmVudCBwcml2 YXRlIGtleXMuJm5ic3A7IEVhY2gga2V5IGhhcyBhIHNpbmdsZSBhc3NvY2lhdGVkIEROOjxv OnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxh bmc9IkVOLVVTIj5LZXkwIGhhcyBETiBPPUV4YW1wbGUgVHJ1c3QgU2VydmljZXMsIE9VPUds b2JhbCBUcnVzdCBBbmNob3I8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNv UGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+S2V5MSBoYXMgRE4gTz1FeGFtcGxlIFRy dXN0IFNlcnZpY2VzLCBPVT1Db21tZXJjaWFsIFRydXN0IEFuY2hvcjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIj48 bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48 c3BhbiBsYW5nPSJFTi1VUyI+VGhlcmUgaXMgYSBDQSBjZXJ0aWZpY2F0ZSBjcmVhdGVkIHdp dGg8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3Bh biBsYW5nPSJFTi1VUyI+U3ViamVjdDogTz1FeGFtcGxlIFRydXN0IFNlcnZpY2VzLCBPVT1D b21tZXJjaWFsIFRydXN0IEFuY2hvciBTdWJqZWN0IFB1YmxpYzxvOnA+PC9vOnA+PC9zcGFu PjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIj5LZXk6 IEtleTE8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48 c3BhbiBsYW5nPSJFTi1VUyI+SXNzdWVyOiBPPUV4YW1wbGUgVHJ1c3QgU2VydmljZXMsIE9V PUdsb2JhbCBUcnVzdCBBbmNob3IgU2lnbmVkIGJ5IEtleTA8bzpwPjwvbzpwPjwvc3Bhbj48 
L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+PG86cD4m bmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4g bGFuZz0iRU4tVVMiPklzIHRoaXMgQ0EgY2VydGlmaWNhdGUgY29uc2lkZXJlZCBhIHNlbGYt aXNzdWVkIGNlcnRpZmljYXRlPzxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJN c29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bh bj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+VGhh bmtzLDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29QbGFpblRleHQiPjxz cGFuIGxhbmc9IkVOLVVTIj5QZXRlcjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29QbGFpblRleHQiPjxzcGFuIGxhbmc9IkVOLVVTIj48bzpwPiZuYnNwOzwvbzpwPjwv c3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+ X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX188bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJF Ti1VUyI+cGtpeCBtYWlsaW5nIGxpc3Q8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFz cz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+PGEgaHJlZj0ibWFpbHRvOnBr aXhAaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJjb2xvcjp3aW5kb3d0ZXh0O3RleHQtZGVjb3Jh dGlvbjpub25lIj5wa2l4QGlldGYub3JnPC9zcGFuPjwvYT48bzpwPjwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1VUyI+PGEgaHJl Zj0iaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4Ij48c3BhbiBz dHlsZT0iY29sb3I6d2luZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9uZSI+aHR0cHM6Ly93 d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9wa2l4PC9zcGFuPjwvYT48bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvUGxhaW5UZXh0Ij48c3BhbiBsYW5nPSJFTi1V UyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4 dCI+PHNwYW4gbGFuZz0iRU4tVVMiPl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1Bs YWluVGV4dCI+PHNwYW4gbGFuZz0iRU4tVVMiPnBraXggbWFpbGluZyBsaXN0PG86cD48L286 cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PHNwYW4gbGFuZz0iRU4t VVMiPjxhIGhyZWY9Im1haWx0bzpwa2l4QGlldGYub3JnIj48c3BhbiBzdHlsZT0iY29sb3I6 
d2luZG93dGV4dDt0ZXh0LWRlY29yYXRpb246bm9uZSI+cGtpeEBpZXRmLm9yZzwvc3Bhbj48 L2E+PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb1BsYWluVGV4dCI+PHNw YW4gbGFuZz0iRU4tVVMiPjxhIGhyZWY9Imh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4v bGlzdGluZm8vcGtpeCI+PHNwYW4gc3R5bGU9ImNvbG9yOndpbmRvd3RleHQ7dGV4dC1kZWNv cmF0aW9uOm5vbmUiPmh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vcGtp eDwvc3Bhbj48L2E+PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8Qj48QlI+PEJS Pjxmb250IHNpemU9Ii0xIj4mIzI2NDEyOyYjMjA0NDk7JiMyMDIxNDsmIzIxNDg3OyYjMzMw MjE7JiMyMTI1MzsmIzIxNTQ3OyYjMjAwMTM7JiMzMzc3NTsmIzM4NjUxOyYjMjA0NDk7JiMz MjkyOTsmIzIwMjIxOyYjMjYzNzc7JiMzODQ4MDsmIzIwODQ0OyYjMjE0OTY7JiMyNzIzMTsm IzIzNDk0OyYjMzYwMzk7JiMzNTMzODssJiMzODc1MDsmIzI1MzUxOyYjMjM0NTA7JiMyMDA0 MzsmIzI1OTEwOyYjMjAyMTQ7JiMzMjc3MzssJiMzNTUzMTsmIzIxMjQ3OyYjMzM5MzY7JiMz ODU5ODsmIzEyMjg5OyYjMzQzODk7JiMyOTcwMjsmIzI1MTEwOyYjMjEwMzM7JiMyOTk5Mjsm IzI2NDEyOyYjMjA0NDk7JiMyMDIxNDsmIzIwODM5OyYjMjM0ODE7LCYjMjAwMDY7JiMzNTUz MTsmIzM3NTU5OyYjMjc1ODQ7JiMyNzQ5MjsmIzIwNDQ5OyYjMjAyMTQ7Lg0KJiMyMjkxNDsm IzI4ODU4OyYjMjUzNTE7JiMyMzQ1MDsmIzI1OTEwOyYjMjAyMTQ7JiMzMjc3MzssJiMyNTAz MzsmIzMwOTA2OyYjMjM1MjY7JiMyMDQ0NTsmIzM1NzAzOyYjMzcxMDk7JiMyMDIxNDsmIzIw MDEzOyYjMjY0MTI7JiMyMDg0NDsmIzIxNDk2OyYjMjAwNDM7JiMyOTE1MTsmIzI2OTg5OyYj MjcyMzE7JiMyMzQ5NDsmIzIxNDUwOyYjMjA0OTE7JiMyMDE1NDsmIzM2MDM5OyYjMjYwMDk7 LCYjMTk5ODE7JiMyNDQ3MTsmIzIwMjE5OyYjMjQ4NDc7JiMyMDY1OTsmIzIwMjk2OyYjMjUx MTA7JiMyNTU4MTsmIzM4NzA2OywmIzIwMDA2OyYjMjUwMzM7JiMzMzI1ODsmIzM0ODkyOyYj MzA5MDY7JiMzNTQ2OTsmIzI2NDEyOyYjMzcxMDk7JiMyMDIxNDsmIzIwMDQzOyYjMzg0Njg7 JiMyNzI4NDsmIzMzMjg3OyYjMzYyMjk7JiMzNjg5OTsmIzMyMDgwOyYjMjAwNDM7JiMyMzQz MzsmIzIwODQwOyYjMjQ2MTU7LCYjMjAxOTc7JiMyMDg0OTsmIzIxNTE2OyYjMjE4OTI7JiMz MDQzMzsmIzM2MDM5OyYjMzUzMzg7JiMyMzQzMzsmIzIwODQwOyYjMzMyODc7JiMyMDQ5MTsm IzM2MDM5OyYjMjA0NDU7JiMzNTcwMzsmIzM2MDEyOyYjMjAyMTk7LiANCjxCUj5QbGVhc2Ug YmUgYWR2aXNlZCB0aGF0IHRoaXMgZW1haWwgbWVzc2FnZSAoaW5jbHVkaW5nIGFueSBhdHRh Y2htZW50cykgY29udGFpbnMgY29uZmlkZW50aWFsIGluZm9ybWF0aW9uIGFuZCBtYXkgYmUg 
From nobody Mon Jul 13 06:50:48 2015 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1541B2AF6 for ; Mon, 13 Jul 2015 06:50:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.625 X-Spam-Level: * X-Spam-Status: No, score=1.625 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_TW=1.335, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k6HCmQD2YM8Z for ; Mon, 13 Jul 2015 06:50:43
-0700 (PDT) Received: from scan14.cht.com.tw (scan14.cht.com.tw [202.39.160.144]) by ietfa.amsl.com (Postfix) with ESMTP id 4CCD21B2AFA for ; Mon, 13 Jul 2015 06:50:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; d=cht.com.tw; s=bill; c=relaxed/simple; q=dns/txt; i=@cht.com.tw; t=1436795436; x=1439387436; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=3J14pXEonjtJgKMsv3kw4RMUAsLZMdbFc85C7D5nKls=; b=omO9uEhatNYWE0mD8pyCe52Mx9KbI5pdPQwI/rBeOFul7gq6BGEUrWCIqCLgSHvD iUGD6NeDB8aKNAr0HBAY16b3Gnz0vvsZ590rzKrdeiH4fPx6xbVCpAkwbVVPZgcf q16GhJiu4EfxCKuMUX/wYoAUrNfIEiFgg8HwgRPRzEw=; X-AuditID: 0aa00768-f79166d000000bd1-c1-55a3c22cc485 Received: from scanrelay4.cht.com.tw ( [10.160.7.109]) by scan14.cht.com.tw (CHT Outgoing ESMTP Mail Server) with SMTP id D7.5F.03025.C22C3A55; Mon, 13 Jul 2015 21:50:36 +0800 (CST) Received: from HUB4.app.corp.cht.com.tw (unknown [10.172.18.168]) by scanrelay4.cht.com.tw (Symantec Mail Security) with ESMTP id 6C1AFC000088 for ; Mon, 13 Jul 2015 21:50:36 +0800 (CST) Received: from MBS6.app.corp.cht.com.tw ([fe80::3178:69dd:b794:fa86]) by HUB4.app.corp.cht.com.tw ([fe80::f8db:4064:82dd:2fdb%12]) with mapi id 14.02.0342.003; Mon, 13 Jul 2015 21:50:36 +0800 From: =?utf-8?B?546L5paH5q2j?= To: PKIX Thread-Topic: [pkix] Self-issued certificates Thread-Index: AQHQvO6GAYPrVwbgc064vRlSWTnR1Z3YHn2AgAEqVNA= Date: Mon, 13 Jul 2015 13:50:35 +0000 Message-ID: <20825998BCB8D84C983674C159E25E753D620DDF@mbs6.app.corp.cht.com.tw> References: In-Reply-To: Accept-Language: zh-TW, en-US Content-Language: zh-TW X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.77.4.111] Content-Type: multipart/alternative; boundary="_000_20825998BCB8D84C983674C159E25E753D620DDFmbs6appcorpchtc_" 
MIME-Version: 1.0 Archived-At: Subject: Re: [pkix] Self-issued certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jul 2015 13:50:47 -0000 --_000_20825998BCB8D84C983674C159E25E753D620DDFmbs6appcorpchtc_ Content-Type: text/plain; charset="utf-8" content-transfer-encoding: base64
cm93c2VycyBtaWdodCBub3QgaW1wbGVtZW50IHRob3NlIGV4Y2VwdGlvbmFsIGhhbmRsaW5n IHJ1bGVzIGZvciBzZWxmLWlzc3VlZCBjZXJ0aWZpY2F0ZXMuDQoNCg0KDQpXaGF0IHJlYWxs eSBjYXVzZWQgb3VyIGhlYWRhY2hlcyB3YXMgc29tZSB3ZWIgc2VydmVyIHN1Y2ggYXMgTWlj cm9zb2Z0IElJUyBkb2VzIG5vdCByZWNvZ25pemUgc2VsZi1pc3N1ZWQgY2VydGlmaWNhdGVz LiBGb3IgYSBDQSBwZXJmb3JtaW5nIGl0cyBrZXkgcm9sbG92ZXIgd2l0aCBzZWxmLWlzc3Vl ZCBjZXJ0aWZpY2F0ZXMsIHRoZSBjZXJ0aWZpY2F0aW9uIHBhdGggY2hhaW5pbmcgdXAgdG8g dGhlIG9sZCByb290IGNlcnRpZmljYXRlIHdpbGwgYmUgYXMgZm9sbG93czoNCg0KDQoNCm9s ZCByb290IGNlcnRpZmljYXRlIChhIHNlbGYtc2lnbmVkIGNlcnRpZmljYXRlKSAtLT4gbmV3 LXdpdGgtb2xkIGNlcnRpZmljYXRlIChhIHNlbGYtaXNzdWVkIGNlcnRpZmljYXRlKSAtLT4g c3Vib3JkaW5hdGUgQ0EgY2VydGlmaWNhdGUgKGFuIGludGVybWVkaWF0ZSBDQSBjZXJ0aWZp Y2F0ZSkgLS0+IFNTTCBjZXJ0aWZpY2F0ZQ0KDQoNCg0KRHVyaW5nIHRoZSBTU0wvVExTIGhh bmRzaGFrZSwgaXQgaXMgZXhwZWN0ZWQgdGhhdCB0aGUgd2ViIHNlcnZlciB0byBzZW5kICJu ZXctd2l0aC1vbGQgY2VydGlmaWNhdGUgLS0+IHN1Ym9yZGluYXRlIENBIGNlcnRpZmljYXRl IC0tPiBTU0wgY2VydGlmaWNhdGUiIHRvIGJyb3dzZXJzICh0aGUgY2xpZW50IHNpZGUpLg0K DQpIb3dldmVyLCBpdCBpcyB1bmZvcnR1bmF0ZWx5IHRoYXQgTWljcm9zb2Z0IElJUyB3cm9u Z2x5IHRyZWF0cyB0aGUgc2VsZi1pc3N1ZWQgY2VydGlmaWNhdGUgYXMgYSBzZWxmLXNpZ25l ZCBjZXJ0aWZpY2F0ZSBhbmQgdGhlcmVmb3JlIGl0IHdpbGwgb25seSBzZW5kICJzdWJvcmRp bmF0ZSBDQSBjZXJ0aWZpY2F0ZSAtLT4gU1NMIGNlcnRpZmljYXRlIiB0byBicm93c2Vycy4g VGhlIHJlc3VsdCBpcyB0aGF0IGJyb3dzZXJzIHN1Y2ggYXMgRmlyZWZveCBtaWdodCBmYWls ZWQgdG8gY2hhaW4gdGhlIGNlcnRpZmljYXRpb24gcGF0aCB1cCB0byB0aGUgb2xkIHJvb3Qg Y2VydGlmaWNhdGUuIEluIHRoZSBjYXNlcyB3aGVyZSBicm93c2VycyBkbyBub3QgeWV0IHRy dXN0IHRoZSBuZXcgcm9vdCBjZXJ0aWZpY2F0ZSwgdGhlIFNTTC9UTFMgaGFuZHNoYWtlIHdp bGwgYmUgZmFpbGVkLg0KDQoNCg0KT3VyIGNvbXBhbnkgaGFkIGFscmVhZHkgc2VuZCBhIGJ1 ZyByZXBvcnQgdG8gTWljcm9zb2Z0IHRocm91Z2ggdGhlaXIgc28tY2FsbGVkIHByZW1pdW0g dGVjaCBzdXBwb3J0IGNoYW5uZWwgc2V2ZXJhbCBtb250aHMgYWdvLCBob3dldmVyIHRoZXkg c2VlbWVkIG5vdCB5ZXQgZGVjaWRlIHdoZXRoZXIgdGhleSB3YW50IHRvIGZpeCB0aGF0IElJ UyBidWcgb3Igbm90LiBUaGVyZWZvcmUsIGJlIHdhcm5lZCBpZiB5b3Ugd2FudCB0byBwZXJm 
b3JtIGEgQ0Ega2V5IHJvbGxvdmVyIHdpdGggc2VsZi1pc3N1ZWQgY2VydGlmaWNhdGVzIGJl Y2F1c2UgdGhlcmUgYXJlIHN0aWxsIGEgbG90IHNlcnZlcnMgYW5kIGNsaWVudHMgd2hvc2Ug Y2VydGlmaWNhdGlvbiBwYXRoIHByb2Nlc3NpbmcgaW1wbGVtZW50YXRpb25zIGRvIG5vdCBj b25mb3JtIHRvIFJGQyA1MjgwIG9yIFguNTA5IHN0YW5kYXJkLg0KDQoNCg0KV2VuLUNoZW5n IFdhbmcNCg0KDQoNCi0tLS0tT3JpZ2luYWwgTWVzc2FnZS0tLS0tDQpGcm9tOiBwa2l4IFtt YWlsdG86cGtpeC1ib3VuY2VzQGlldGYub3JnXSBPbiBCZWhhbGYgT2YgQnJpYW4gU21pdGgN ClNlbnQ6IE1vbmRheSwgSnVseSAxMywgMjAxNSA5OjU3IEFNDQpUbzogUGV0ZXIgQm93ZW4N CkNjOiBQS0lYDQpTdWJqZWN0OiBSZTogW3BraXhdIFNlbGYtaXNzdWVkIGNlcnRpZmljYXRl cw0KDQoNCg0KPHNuaXA+DQoNCg0KDQpJbiBmYWN0LCBtb3ppbGxhOjpwa2l4IGRvZXNuJ3Qg cmVjb2duaXplIHNlbGYtaXNzdWVkIGNlcnRpZmljYXRlcyBhdCBhbGwsIGFuZCBzbyBkb2Vz bid0IGltcGxlbWVudCB0aG9zZSBleGNlcHRpb25zLiBTbyBmYXIsIHRoaXMgaGFzIG5vdCBj YXVzZWQgYW55IHByb2JsZW1zLCBzbyBhcyBmYXIgYXMgdGhlIFdlYiBQS0kgaXMgY29uY2Vy bmVkLCBpdCBpcyBsaWtlbHkgd2UgY2FuIGZvcmdldCBhYm91dCB0aGUgY29uY2VwdCBvZiBz ZWxmLWlzc3VlZCBjZXJ0aWZpY2F0ZSBjb21wbGV0ZWx5LiBBbmQsIHRoYXQncyB3aGF0IEkg cmVjb21tZW5kIHRoYXQgcGVvcGxlIGRvLg0KDQoNCg0KQ2hlZXJzLA0KDQpCcmlhbg0KDQoN Cg0KUGxlYXNlIGJlIGFkdmlzZWQgdGhhdCB0aGlzIGVtYWlsIG1lc3NhZ2UgKGluY2x1ZGlu ZyBhbnkgYXR0YWNobWVudHMpIGNvbnRhaW5zIGNvbmZpZGVudGlhbCBpbmZvcm1hdGlvbiBh bmQgbWF5IGJlIGxlZ2FsbHkgcHJpdmlsZWdlZC4gSWYgeW91IGFyZSBub3QgdGhlIGludGVu ZGVkIHJlY2lwaWVudCwgcGxlYXNlIGRlc3Ryb3kgdGhpcyBtZXNzYWdlIGFuZCBhbGwgYXR0 YWNobWVudHMgZnJvbSB5b3VyIHN5c3RlbSBhbmQgZG8gbm90IGZ1cnRoZXIgY29sbGVjdCwg cHJvY2Vzcywgb3IgdXNlIHRoZW0uIENodW5naHdhIFRlbGVjb20gYW5kIGFsbCBpdHMgc3Vi c2lkaWFyaWVzIGFuZCBhc3NvY2lhdGVkIGNvbXBhbmllcyBzaGFsbCBub3QgYmUgbGlhYmxl IGZvciB0aGUgaW1wcm9wZXIgb3IgaW5jb21wbGV0ZSB0cmFuc21pc3Npb24gb2YgdGhlIGlu Zm9ybWF0aW9uIGNvbnRhaW5lZCBpbiB0aGlzIGVtYWlsIG5vciBmb3IgYW55IGRlbGF5IGlu IGl0cyByZWNlaXB0IG9yIGRhbWFnZSB0byB5b3VyIHN5c3RlbS4gSWYgeW91IGFyZSB0aGUg aW50ZW5kZWQgcmVjaXBpZW50LCBwbGVhc2UgcHJvdGVjdCB0aGUgY29uZmlkZW50aWFsIGFu ZC9vciBwZXJzb25hbCBpbmZvcm1hdGlvbiBjb250YWluZWQgaW4gdGhpcyBlbWFpbCB3aXRo 
IGR1ZSBjYXJlLiBBbnkgdW5hdXRob3JpemVkIHVzZSwgZGlzY2xvc3VyZSBvciBkaXN0cmli dXRpb24gb2YgdGhpcyBtZXNzYWdlIGluIHdob2xlIG9yIGluIHBhcnQgaXMgc3RyaWN0bHkg cHJvaGliaXRlZC4gIEFsc28sIHBsZWFzZSBzZWxmLWluc3BlY3QgYXR0YWNobWVudHMgYW5k IGh5cGVybGlua3MgY29udGFpbmVkIGluIHRoaXMgZW1haWwgdG8gZW5zdXJlIHRoZSBpbmZv cm1hdGlvbiBzZWN1cml0eSBhbmQgdG8gcHJvdGVjdCBwZXJzb25hbCBpbmZvcm1hdGlvbi4N Cg== --_000_20825998BCB8D84C983674C159E25E753D620DDFmbs6appcorpchtc_ Content-Type: text/html; charset="utf-8" content-transfer-encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89 InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJu OnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3Nj aGVtYXMubWljcm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDov L3d3dy53My5vcmcvVFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9 IkNvbnRlbnQtVHlwZSIgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxt ZXRhIG5hbWU9IkdlbmVyYXRvciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTQgKGZpbHRl cmVkIG1lZGl1bSkiPg0KPHN0eWxlPjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBm b250LWZhY2UNCgl7Zm9udC1mYW1pbHk65paw57Sw5piO6auUOw0KCXBhbm9zZS0xOjIgMiA1 IDAgMCAwIDAgMCAwIDA7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseToiQ2FtYnJpYSBN YXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2IDMgMiA0O30NCkBmb250LWZhY2UNCgl7 Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9 DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OiJcQOaWsOe0sOaYjumrlCI7DQoJcGFub3Nl LTE6MiAyIDUgMCAwIDAgMCAwIDAgMDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5N c29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGNtOw0K CW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTIuMHB0Ow0KCWZvbnQtZmFt aWx5OiJDYWxpYnJpIiwic2Fucy1zZXJpZiI7fQ0KYTpsaW5rLCBzcGFuLk1zb0h5cGVybGlu aw0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6Ymx1ZTsNCgl0ZXh0LWRlY29y YXRpb246dW5kZXJsaW5lO30NCmE6dmlzaXRlZCwgc3Bhbi5Nc29IeXBlcmxpbmtGb2xsb3dl ZA0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJY29sb3I6cHVycGxlOw0KCXRleHQtZGVj 
In my experience, Mozilla Firefox still worked fine for handling self-issued certificates for key rollover purposes. Actually, most browsers will simply treat self-issued certificates as regular intermediate CA certificates. Therefore, if there are no complex path length constraints or name constraints to be handled, the certification path processing will be fine even though browsers might not implement those exceptional handling rules for self-issued certificates.

What really caused our headaches was that some web servers, such as Microsoft IIS, do not recognize self-issued certificates. For a CA performing its key rollover with self-issued certificates, the certification path chaining up to the old root certificate will be as follows:

    old root certificate (a self-signed certificate) --> new-with-old certificate (a self-issued certificate) --> subordinate CA certificate (an intermediate CA certificate) --> SSL certificate

During the SSL/TLS handshake, it is expected that the web server sends "new-with-old certificate --> subordinate CA certificate --> SSL certificate" to browsers (the client side).

However, it is unfortunate that Microsoft IIS wrongly treats the self-issued certificate as a self-signed certificate and therefore it will only send "subordinate CA certificate --> SSL certificate" to browsers. The result is that browsers such as Firefox might fail to chain the certification path up to the old root certificate. In the cases where browsers do not yet trust the new root certificate, the SSL/TLS handshake will fail.

Our company had already sent a bug report to Microsoft through their so-called premium tech support channel several months ago; however, they seemed not to have decided yet whether they want to fix that IIS bug or not. Therefore, be warned if you want to perform a CA key rollover with self-issued certificates, because there are still a lot of servers and clients whose certification path processing implementations do not conform to the RFC 5280 or X.509 standard.

Wen-Cheng Wang

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Brian Smith
Sent: Monday, July 13, 2015 9:57 AM
To: Peter Bowen
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates

<snip>

In fact, mozilla::pkix doesn't recognize self-issued certificates at all, and so doesn't implement those exceptions. So far, this has not caused any problems, so as far as the Web PKI is concerned, it is likely we can forget about the concept of self-issued certificate completely. And, that's what I recommend that people do.

Cheers,
Brian
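To make the chain behaviour described in this message concrete, here is an added example; it is not code from the thread, from Microsoft IIS or from mozilla::pkix. Certificates are modelled as plain records carrying only subject, issuer, SKI and AKI (all constructed sample values, no real keys or hashes). A certificate is classified as self-issued per the RFC 5280 section 6.1 wording (same DN in subject and issuer) and as self-signed when its AKI also matches its SKI. The code builds the old root --> new-with-old --> subordinate CA --> server certificate path, shows what a server that mistakes self-issued for self-signed would leave out, and runs a simplified RFC 5280 6.1 path validation whose pathLenConstraint handling exempts self-issued intermediates (the "exceptional handling rule" mentioned above). A second constructed scenario shows a subordinate-CA key rollover that validates only when that exemption is implemented. Signature, validity, revocation and name-constraint checks are out of scope.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    """Just the fields that matter here; ski/aki stand in for the SKI/AKI extensions."""
    label: str
    subject: str
    issuer: str
    ski: str
    aki: str
    is_ca: bool = True
    path_len: Optional[int] = None  # pathLenConstraint, None when absent

def is_self_issued(c: Cert) -> bool:
    """RFC 5280 6.1: the same DN appears in subject and issuer."""
    return c.subject == c.issuer

def is_self_signed(c: Cert) -> bool:
    """Self-issued *and* signed by the very key the certificate carries."""
    return is_self_issued(c) and c.aki == c.ski

def build_path(leaf: Cert, pool: List[Cert]) -> List[Cert]:
    """Follow AKI -> SKI links from the leaf up to a self-signed certificate."""
    by_ski: Dict[str, List[Cert]] = {}
    for c in pool:
        by_ski.setdefault(c.ski, []).append(c)
    path, seen, cur = [leaf], {leaf.ski}, leaf
    while not is_self_signed(cur):
        # New root and new-with-old carry the same key: prefer the self-signed one.
        cands = sorted(by_ski.get(cur.aki, []), key=lambda x: not is_self_signed(x))
        parent = next((x for x in cands if x.ski not in seen), None)
        if parent is None:
            raise LookupError(f"no issuer certificate found for {cur.label}")
        path.append(parent)
        seen.add(parent.ski)
        cur = parent
    return path

def handshake_chain(path: List[Cert], self_issued_is_anchor: bool = False) -> List[Cert]:
    """Certificates a TLS server sends: the path minus the self-signed root. With
    self_issued_is_anchor=True, subject == issuer is read as 'trust anchor' (the server
    behaviour described in the thread), so the new-with-old link is dropped as well."""
    sent: List[Cert] = []
    for c in path:
        if is_self_signed(c) or (self_issued_is_anchor and is_self_issued(c)):
            break
        sent.append(c)
    return sent

def validate(sent: List[Cert], anchors: List[Cert], count_self_issued: bool = False) -> Tuple[bool, str]:
    """Simplified RFC 5280 6.1 validation: name/key links and pathLenConstraint only.
    Per 6.1.4 (l)/(m) self-issued intermediates do not consume path length;
    count_self_issued=True models a validator that lacks that exception."""
    try:
        path = build_path(sent[0], list(sent) + list(anchors))
    except LookupError as e:
        return False, str(e)
    if path[-1] not in anchors:             # build_path only stops at a self-signed cert
        return False, f"path ends at untrusted certificate {path[-1].label}"
    certs = path[-2::-1]                    # anchor side first, leaf last
    max_path_length = len(certs)
    for c in certs[:-1]:                    # (l)/(m) apply to every cert but the last
        if not c.is_ca:
            return False, f"{c.label} is not a CA certificate"
        if count_self_issued or not is_self_issued(c):
            if max_path_length <= 0:
                return False, f"pathLenConstraint exhausted at {c.label}"
            max_path_length -= 1
        if c.path_len is not None and c.path_len < max_path_length:
            max_path_length = c.path_len
    return True, f"valid, anchored at {path[-1].label}"

# Constructed root-rollover scenario matching the chain described in the message.
ROOT_DN, SUB_DN = "CN=Example Root CA,O=Example", "CN=Example Sub CA,O=Example"
old_root = Cert("old root (self-signed)", ROOT_DN, ROOT_DN, "k-old", "k-old")
new_root = Cert("new root (self-signed)", ROOT_DN, ROOT_DN, "k-new", "k-new")
new_with_old = Cert("new-with-old (self-issued)", ROOT_DN, ROOT_DN, "k-new", "k-old")
sub_ca = Cert("subordinate CA", SUB_DN, ROOT_DN, "k-sub", "k-new", path_len=0)
leaf = Cert("server cert", "CN=www.example.com,O=Example", SUB_DN, "k-leaf", "k-sub", is_ca=False)

def rollover_demo() -> Dict[str, object]:
    """What each server sends, and (conforming, misbehaving) validation results
    for a client trusting only the old root and one trusting only the new root."""
    path = build_path(leaf, [old_root, new_with_old, sub_ca, leaf])
    good, bad = handshake_chain(path), handshake_chain(path, self_issued_is_anchor=True)
    return {"sent_conforming": [c.label for c in good],
            "sent_misbehaving": [c.label for c in bad],
            "old_root_client": (validate(good, [old_root])[0], validate(bad, [old_root])[0]),
            "new_root_client": (validate(good, [new_root])[0], validate(bad, [new_root])[0])}

def subca_rollover_demo() -> Tuple[bool, bool]:
    """Sub-CA key rollover under a parent with pathLenConstraint=1: valid only when
    the self-issued link is exempt from the path-length count."""
    r, s, i = "CN=Root,O=B", "CN=Sub CA,O=B", "CN=Issuing CA,O=B"
    chain = [Cert("end entity", "CN=user,O=B", i, "b-ee", "b-iss", is_ca=False),
             Cert("issuing CA", i, s, "b-iss", "b-sub-new", path_len=0),
             Cert("sub CA new-with-old (self-issued)", s, s, "b-sub-new", "b-sub-old"),
             Cert("sub CA (old key)", s, r, "b-sub-old", "b-root", path_len=1)]
    root = Cert("root", r, r, "b-root", "b-root")
    return validate(chain, [root])[0], validate(chain, [root], count_self_issued=True)[0]
```

Running `rollover_demo()` shows that the conforming server's chain validates for both client populations (a client that already trusts the new root simply stops at it and ignores the new-with-old link), while the misbehaving server's chain only validates for clients that already trust the new root, which is exactly the handshake failure described above. `subca_rollover_demo()` returns valid for a conforming validator and invalid for one that counts the self-issued link against the parent's pathLenConstraint.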
From nobody Mon Jul 13 07:01:33 2015
From: "Erik Andersen"
Date: Mon, 13 Jul 2015 16:01:29 +0200
Message-ID: <000501d0bd74$6ab70660$40251320$@x500.eu>
Subject: Re: [pkix] Self-issued certificates

Hi Timothy

I am not sure how the first paragraph leads to the second paragraph. Where is that stated in RFC 5280 or X.509?

Regards

Erik

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Miller, Timothy J.
Sent: 13 July 2015 14:25
To: Peter Bowen; pkix@ietf.org
Subject: Re: [pkix] Self-issued certificates

In X.509 (and PKIX) the name *is* the identity. X.509 (and PKIX) binds keys to names; the key can change but the name remains invariant. In contrast, SPKI/SDSI binds names to keys; the key remains invariant, but the name can change.

So if it has a different DN, it's not the same entity. As a result there's no ambiguity in the RFC.

It is possible to bind the same key to different names. Nothing stops you from presenting the same key to multiple CAs and claiming different names. If your goal is pseudonymity, though, I wouldn't recommend this. :)

It's also possible to use keys from X.509 certificates as entities and ignore the name--e.g., key continuity management (a.k.a. certificate pinning)--but this is outside the spec.

-- T

> -----Original Message-----
> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Peter Bowen
> Sent: Sunday, July 12, 2015 5:03 PM
> To: pkix@ietf.org
> Subject: [pkix] Self-issued certificates
>
> I'm trying to make sense of the definition of "self-issued certificates" in RFC 5280 (and X.509)
>
> Section 3.2 provides a definition: "Self-issued certificates are CA certificates in which the issuer and subject are the same entity." However section 6.1 says "A certificate is self-issued if the same DN appears in the subject and issuer fields."
>
> While it is clear that all certificates with the same DN for subject and issuer are self-issued, it is unclear to me whether a certificate with different DNs could be self-issued. Section 6.1 could be giving one example of how a certificate could be self-issued or section 6.1 could be a limiting definition.
>
> Consider the following example:
> Example Trust Services has two different private keys.
> Each key has a single associated DN:
> Key0 has DN O=Example Trust Services, OU=Global Trust Anchor
> Key1 has DN O=Example Trust Services, OU=Commercial Trust Anchor
>
> There is a CA certificate created with
> Subject: O=Example Trust Services, OU=Commercial Trust Anchor
> Subject Public Key: Key1
> Issuer: O=Example Trust Services, OU=Global Trust Anchor
> Signed by Key0
>
> Is this CA certificate considered a self-issued certificate?
>
> Thanks,
> Peter

From nobody Mon Jul 13 07:42:05 2015
From: "Miller, Timothy J."
To: Erik Andersen, "pkix@ietf.org"
Date: Mon, 13 Jul 2015 14:41:35 +0000
In-Reply-To: <000501d0bd74$6ab70660$40251320$@x500.eu>
Subject: Re: [pkix] Self-issued certificates

> I am not sure how the first paragraph leads to the second paragraph. Where
> is that stated in RFC 5280 or X.509?

It's not stated, it's legacy. Originally the DN was supposed to be the entity's location in the imaginary X.500 directory. Two different DNs == two different locations, and therefore two different entities (because X.500 had a single DIT).

In short, the name--in X.509 and PKIX--*is* the thing.

This may seem like a philosophical issue but it has real implications. In access control systems, once the user's authenticator is verified, the user's public key is discarded and the system uses the name (usually by binding that name to a proprietary access credential, e.g., a cookie). This behavior is common to most PK-enabled systems, though the use of the DN is no longer exclusive (we have SANs now). Change the name--even if the same key is bound to it--and you'll lose access. Try it with a PK-enabled website.

Similarly with S/MIME--change the relevant name (here the SAN rfc822Name), and the email won't verify.
-- T

From nobody Mon Jul 13 09:32:36 2015
In-Reply-To: <20825998BCB8D84C983674C159E25E753D620DDF@mbs6.app.corp.cht.com.tw>
To: 王文正 (Wen-Cheng Wang)
Date:
Mon, 13 Jul 2015 18:32:25 +0200 (CEST)
Message-Id: <20150713163225.588A01A1DD@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates

王文正 wrote:
>
> What really caused our headaches was that some web servers, such as
> Microsoft IIS, do not recognize self-issued certificates.
> For a CA performing its key rollover with self-issued certificates,

A CA which attempts to perform key rollover with self-issued certificates is violating the 1997 UN convention on the prohibition on the use of anti-personnel land mines.

Public CAs seem to do it properly and safely, and include a generation identifier in the subject DNames of new CA keys.

Do not be surprised if your attempts to use self-issued certificates fail with other PKI software as well.
-Martin

From nobody Mon Jul 13 11:20:15 2015
In-Reply-To: <000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
References:
<000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
Date: Mon, 13 Jul 2015 11:19:40 -0700
From: Peter Bowen
To: Erik Andersen
Subject: Re: [pkix] Self-issued certificates

On Mon, Jul 13, 2015 at 12:30 AM, Erik Andersen wrote:
> It is only RFC 5280 that is unclear. X.509 is quite clear. The X.509
> definition is:
>
> 3.5.62 self-issued certificate: A CA certificate where the issuer and the
> subject are the same CA. A CA might use self-issued cert­ificates, for
> example, during a key rollover operation to provide trust from the old key
> to the new key.
>
> The problem you are facing is that the term entity is not clearly defined.
> Is a CA an entity or is CA a specific role for an entity among other roles
> for the same entity?
>
> The RFC 5280 definition seems to assume that a CA is an entity, and the two
> CAs you mention are different entities, while X.509 does not necessarily make
> that assumption.

OK. Now I'm even more confused.

X.509 says an authority is an entity, responsible for the issuance of certificates and says a certificate authority is a type of authority. How is RFC 5280 any more or less clear than X.509? Is X.509's take on the certificate I described different from that attributed to 5280?
Thanks,
Peter

From nobody Tue Jul 14 01:39:34 2015
From: "Erik Andersen"
References: <000001d0bd3d$c7bcfa90$5736efb0$@x500.eu>
Date: Tue, 14 Jul 2015 10:39:31 +0200
Message-ID: <000001d0be10$9ab9b3c0$d02d1b40$@x500.eu>
Subject: Re: [pkix] Self-issued certificates

Hi Peter,

I understand the confusion. I do not claim that X.509 is consistent. Sometimes X.509 is clearer and sometimes RFC 5280 is clearer.
I often go to RFC 5280 to get some clarification.

It appears to me that there is no consistent, detailed model for PKI. People supplement the current model with their own interpretation based on legacy. That people have somewhat different models in mind is clear from many PKIX discussions.

Regards,

Erik

-----Original Message-----
From: Peter Bowen [mailto:pzbowen@gmail.com]
Sent: 13 July 2015 20:20
To: Erik Andersen
Subject: Re: [pkix] Self-issued certificates

On Mon, Jul 13, 2015 at 12:30 AM, Erik Andersen wrote:
> It is only RFC 5280 that is unclear. X.509 is quite clear. The X.509
> definition is:
>
> 3.5.62 self-issued certificate: A CA certificate where the issuer and
> the subject are the same CA. A CA might use self-issued certificates,
> for example, during a key rollover operation to provide trust from the
> old key to the new key.
>
> The problem you are facing is that the term entity is not clearly defined.
> Is a CA an entity or is CA a specific role for an entity among other
> roles for the same entity?
>
> The RFC 5280 definition seems to assume that a CA is an entity, and
> the two CAs you mention are different entities, while X.509 does not
> necessarily make that assumption.

OK. Now I'm even more confused.

X.509 says an authority is an entity, responsible for the issuance of certificates and says a certificate authority is a type of authority. How is RFC 5280 any more or less clear than X.509? Is X.509's take on the certificate I described different from that attributed to 5280?
Thanks,
Peter

From nobody Tue Jul 14 05:30:22 2015
From: "Erik Andersen"
To: "'Miller, Timothy J.'"
References: <000501d0bd74$6ab70660$40251320$@x500.eu>
Date: Tue, 14 Jul 2015 14:30:19 +0200
Message-ID: <000001d0be30$d8a64f70$89f2ee50$@x500.eu>
Subject: Re: [pkix] Self-issued certificates

Hi Timothy,

I understand what you are saying and agree that the name is the thing. However, the model is not that clear.
Attributes may be stored in a directory entry either in X.500 or LDAP. The X.500 definition is:

    11.2.1 User certificate attribute

    A user may obtain one or more public-key certificates from one or more CAs. The userCertificate attribute type contains the end-entity public-key certificates a user has obtained from one or more CAs.

    userCertificate ATTRIBUTE ::= {
      WITH SYNTAX             Certificate
      EQUALITY MATCHING RULE  certificateExactMatch
      ID                      id-at-userCertificate }

RFC 4523 defines an equivalent one for LDAP. The object class needed for defining directory entries is:

    11.1.1 PKI user object class

    The PKI user object class is used in defining entries for objects that may be the subject of public-key certificates.

    pkiUser OBJECT-CLASS ::= {
      SUBCLASS OF   {top}
      KIND          auxiliary
      MAY CONTAIN   {userCertificate}
      ID            id-oc-pkiUser }

As it is an auxiliary object class, it has no associated name form, but it might be combined with a structural object class that has a name form different from the name form used in any subject name. If I get end-entity certificates from different CAs, they may not have the same subject name. Are they then different entities? At least they may be contained in the same directory entry.

By the way, I never believed in a single DIT, which made me an apostate from a religious belief at the time. I was close to being crucified.

-----Original Message-----
From: Miller, Timothy J. [mailto:tmiller@mitre.org]
Sent: 13 July 2015 16:42
To: Erik Andersen; pkix@ietf.org
Subject: RE: [pkix] Self-issued certificates

> I am not sure how the first paragraph leads to the second paragraph.
> Where is that stated in RFC 5280 or X.509?

It's not stated, it's legacy. Originally the DN was supposed to be the entity's location in the imaginary X.500 directory. Two different DNs == two different locations, and therefore two different entities (because X.500 had a single DIT).

In short, the name--in X.509 and PKIX--*is* the thing.
This may seem like a philosophical issue but it has real implications. In access control systems, once the user's authenticator is verified, the user's public key is discarded and the system uses the name (usually by binding that name to a proprietary access credential, e.g., a cookie). This behavior is common to most PK-enabled systems, though the use of the DN is no longer exclusive (we have SANs now). Change the name--even if the same key is bound to it--and you'll lose access. Try it with a PK-enabled website.

Similarly with S/MIME--change the relevant name (here the SAN rfc822Name), and the email won't verify.

-- T

From nobody Tue Jul 14 06:40:57 2015
From: "Miller, Timothy J."
To: Erik Andersen, "pkix@ietf.org"
Date: Tue, 14 Jul 2015 13:40:50 +0000
In-Reply-To: <000001d0be30$d8a64f70$89f2ee50$@x500.eu>
Subject: Re: [pkix] Self-issued certificates

Welcome to directories. Please check your common sense at the door. :)

The fact that the DN in my cert and my user account DN in, say, Active Directory aren't the same isn't a problem because (a) one of my SANs is probably set for AD--e.g., UPN, and (b) most code doesn't force them to be consistent anyway.

In effect, when I load a cert into userCertificate or userSMIMECertificate the directory is binding that cert to that directory identity. That's technically separate from the identity the CA was binding into the cert because the CA is using a separate directory. This is a necessary consequence of multiple independent DITs. Yay!

Are the different names different identities? It depends.
If you consider only the computer's POV, then yes, they may be separate identities depending on the processing being done. If you take a meatspace POV, then the answer is "not necessarily."

The only real identity that matters is "keyholder." If I control the private key bound to any name--DN, SAN, account name, doesn't matter--then I *am* that identity for all computational intents and purposes. If this doesn't align with meatspace, well, too bad. The only binding between a key and a bag o' meat is the private key container--this is a big reason why we use smartcards (though under certain conditions even this binding can be invalidated--see Balfanz and Felten, 1999).

-- T

> -----Original Message-----
> From: Erik Andersen [mailto:era@x500.eu]
> Sent: Tuesday, July 14, 2015 7:30 AM
> To: Miller, Timothy J.; pkix@ietf.org
> Subject: SV: [pkix] Self-issued certificates
>
> Hi Timothy,
>
> I understand what you are saying and agree that the name is the thing.
> However, the model is not that clear. Attributes may be stored in a directory
> entry either in X.500 or LDAP.
>
> The X.500 definition is:
>
> 11.2.1 User certificate attribute
> A user may obtain one or more public-key certificates from one or more CAs.
> The userCertificate attribute type contains the end-entity public-key
> certificates a user has obtained from one or more CAs.
>
> userCertificate ATTRIBUTE ::= {
>   WITH SYNTAX Certificate
>   EQUALITY MATCHING RULE certificateExactMatch
>   ID id-at-userCertificate }
>
> RFC 4523 defines an equivalent one for LDAP.
>
> The object class needed for defining directory entries is:
>
> 11.1.1 PKI user object class
> The PKI user object class is used in defining entries for objects that may be
> the subject of public-key certificates.
>
> pkiUser OBJECT-CLASS ::= {
>   SUBCLASS OF {top}
>   KIND auxiliary
>   MAY CONTAIN {userCertificate}
>   ID id-oc-pkiUser }
>
> As it is an auxiliary object class, it has no associated name form, but it might be
> combined with a structural object class that has a name form different from
> the name form used in any subject name.
>
> If I get end-entity certificates from different CAs, they may not have the
> same subject name. Are they then different entities? At least they may be
> contained in the same directory entry.
>
> By the way, I never believed in a single DIT, which made me an apostate from a
> religious belief at the time. I was close to being crucified.
>
> -----Original message-----
> From: Miller, Timothy J. [mailto:tmiller@mitre.org]
> Sent: 13 July 2015 16:42
> To: Erik Andersen; pkix@ietf.org
> Subject: RE: [pkix] Self-issued certificates
>
> > I am not sure how the first paragraph leads to the second paragraph.
> > Where is that stated in RFC 5280 or X.509?
>
> It's not stated, it's legacy. Originally the DN was supposed to be the entity's
> location in the imaginary X.500 directory. Two different DNs == two different
> locations, and therefore two different entities (because X.500 had a single
> DIT).
>
> In short, the name--in X.509 and PKIX--*is* the thing.
>
> This may seem like a philosophical issue but it has real implications. In access
> control systems, once the user's authenticator is verified, the user's public
> key is discarded and the system uses the name (usually by binding that name
> to a proprietary access credential, e.g., a cookie). This behavior is common to
> most PK-enabled systems, though the use of the DN is no longer exclusive
> (we have SANs now). Change the name--even if the same key is bound to
> it--and you'll lose access. Try it with a PK-enabled website.
>
> Similarly with S/MIME--change the relevant name (here the SAN
> rfc822Name), and the email won't verify.
>
> -- T

From nobody Tue Jul 14 08:59:25 2015
From: 王文正 (Wen-Cheng Wang)
To: "mrex@sap.com"
Date: Tue, 14 Jul 2015 15:56:42 +0000
Message-ID: <20825998BCB8D84C983674C159E25E753D621BA2@mbs6.app.corp.cht.com.tw>
In-Reply-To: <20150713163225.588A01A1DD@ld9781.wdf.sap.corp>
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates

Hi Martin,

Regarding your simile of "key rollover with self-issued certificates" as "the use of anti-personnel land mines", I appreciate your sense of humor.

However, since "key rollover with self-issued certificates" is the standard method suggested by X.509 and PKIX, your simile seems to imply both X.509 and PKIX are violating the 1997 UN convention. Do you really mean that? :)

I believe the philosophy of X.509 (or the whole X.500 series) is that a Distinguished Name (DN) represents the identity of an entity. Therefore, if the DN is changed, it means the identity of that entity has been changed. With this philosophy, the DN of each entity should not be changed unless its identity is changed. Especially, a root CA is the trust anchor, which should not change its DN between generations of CA keys, otherwise relying parties will be confused about whether they are the same root CA entity.

It is unfortunate that many COTS products have not yet fully implemented the certification path validation algorithm specified in X.509 or RFC 5280; therefore many root CAs chose to change their DNs whenever they performed key rollovers.
They actually bred logically new root CAs whenever they did so. As a result, there were more and more root CAs created. Please take a look at the trust lists maintained by browsers; those lists are really messy and it is hard to tell which one is which.

Wen-Cheng Wang

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com]
Sent: Tuesday, July 14, 2015 12:32 AM
To: 王文正 (Wen-Cheng Wang)
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates

A CA which attempts to perform key rollover with self-issued certificates is violating the 1997 UN convention on the prohibition on the use of anti-personnel land mines.

Public CAs seem to do it properly and safely, and include a generation identifier in the subject DNames of new CA keys.

Do not be surprised if your attempts to use self-issued certificates fail with other PKI software as well.

-Martin

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

From nobody Tue Jul 14 13:13:06 2015
In-Reply-To: <20825998BCB8D84C983674C159E25E753D621BA2@mbs6.app.corp.cht.com.tw>
To: 王文正 (Wen-Cheng Wang)
Date: Tue, 14 Jul 2015 22:12:54 +0200 (CEST)
Message-Id: <20150714201254.42B171A1DE@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates

> However, since "key rollover with self-issued certificates" is the
> standard method suggested by X.509 and PKIX, your simile seems to
> imply both X.509 and PKIX are violating the 1997 UN convention.
> Do you really mean that? :)

The original idea in X.509 predates the UN convention, so it's only current consumers that are making use of this half-baked misfeature that are violating the UN convention.

> I believe the philosophy of X.509 (or the whole X.500 series) is that
> a Distinguished Name (DN) represents the identity of an entity.
> Therefore, if the DN is changed, it means the identity of that entity
> has been changed. With this philosophy, the DN of each entity should
> not be changed unless its identity is changed.

The last sentence is a non-sequitur.

> Especially, a root CA is the trust anchor, which should not change
> its DN between generations of CA keys, otherwise relying parties
> will be confused about whether they are the same root CA entity.

It's extremely difficult to believe that anyone could get confused about the entity/entities represented by names that simply include generation identifiers to avoid self-issued problems.

  "CN=VeriSign Class 3 Public Primary Certification Authority - G3, ..."
  "CN=VeriSign Class 3 Public Primary Certification Authority - G5, ..."
Distinguished names contain semantic structure on purpose. Use whatever RDName component you like to avoid the troubles and complexities of self-issued certificates.

For root CA certs, the distinguished name regularly does not describe the true entity that operates the CA anyway, because many of them change ownership once or more often while they're in use.

  e.g. RSA->VeriSign->Symantec

The fashion in which the processing of self-issued certificates is specified actually _creates_ a security problem. Normally, one might assume that using a path len constraint of 0 in the certificate of an online CA would preclude an attacker who manages to briefly obtain control over a CA key from issuing himself a CA cert. The official processing rules for self-issued certs subvert that assumed protection -- the attacker can sign himself a self-issued CA cert and use that to screw all RPs that process cert chains in the fashion that X.509 / PKIX specifies.

From the perspective of risk management, not supporting self-issued certificates is IMHO a very reasonable decision.

For CAs to do rollover with generation identifiers in DNames is a no-brainer. It will also facilitate recognizing and telling apart the CA certificates -- for RPs that start with an empty trust store rather than a trust store prepopulated with hundreds of omnipotent CAs -- or a dynamic trust store such as that of newer versions of Microsoft Windows, where you essentially have no control over the trust anchors any more and no idea who is trusted.
-Martin

From nobody Wed Jul 15 11:14:15 2015
From: 王文正 (Wen-Cheng Wang)
To: "mrex@sap.com"
Date: Wed, 15 Jul 2015 18:13:20 +0000
Message-ID: <20825998BCB8D84C983674C159E25E753D6244C3@mbs6.app.corp.cht.com.tw>
In-Reply-To: <20150714201254.42B171A1DE@ld9781.wdf.sap.corp>
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates

Hi Martin,

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com]
Sent: Wednesday, July 15, 2015 4:13 AM
To: 王文正 (Wen-Cheng Wang)
Cc: mrex@sap.com; PKIX
Subject: Re: [pkix] Self-issued certificates

> The original idea in X.509 predates the UN convention, so it's only
> current consumers that are making use of this half-baked misfeature
> that are violating the UN convention.

IIRC, the notion of "key rollover with self-issued certificates" arose in RFC 2510 (1999) and the 4th edition of ITU-T X.509 (2000). Please take a look at the 1997 version of ITU-T X.509; the term "self-issued certificate" does not appear in that version. Therefore, it does not predate the 1997 UN convention.

>> I believe the philosophy of X.509 (or the whole X.500 series) is that
>> a Distinguished Name (DN) represents the identity of an entity.
>> Therefore, if the DN is changed, it means the identity of that entity
>> has been changed. With this philosophy, the DN of each entity should
>> not be changed unless its identity is changed.
>
> The last sentence is a non-sequitur.

If the DN represents the identity, I do not see why the last sentence is a non-sequitur. The analogy is that if your name or your Facebook ID represents your identity, will you frequently change your name or your Facebook ID?
> It's extremely difficult to believe that anyone could get confused
> about the entity/entities represented by names that simply include
> generation identifiers to avoid self-issued problems.
>
> "CN=VeriSign Class 3 Public Primary Certification Authority - G3, ..."
> "CN=VeriSign Class 3 Public Primary Certification Authority - G5, ..."

Isn't it dangerous to trust two entities as the same one simply because they have similar DNs? How do you know these two CAs are the same one?

Besides, different CAs might use different ways to add "generation identifiers" to their CN, O, or OU. There is no systematically secure way to tell whether they are the same entity. Your decision to accept G5 because you trust G3 is only based on your intuition and that might be dangerous.

> Distinguished names contain semantic structure on purpose. Use whatever
> RDName component you like to avoid the troubles and complexities of
> self-issued certificates.

Indeed, DNs are designed to contain semantic structure on purpose, and that is because X.500 wants every entity to use the semantic structure to uniquely name itself, to establish trust relationships based on persistent DNs.

> For root CA certs, the distinguished name regularly does not describe
> the true entity that operates the CA anyway, because many of them change
> ownership once or more often while they're in use.
>
> e.g. RSA->VeriSign->Symantec

No matter who operates the CA, the CA is itself an entity and has its identity in the PKI world. People trust the VeriSign CA not because it is operated by Symantec Corp. or VeriSign Inc.; it is because the CA fulfils some international security criteria and has been audited.

> The fashion in which the processing of self-issued certificates is specified
> actually _creates_ a security problem.
Normally, one might assume that us= ing > a path len constraint of 0 in the certificate of an online CA would preclu= de > that an attacker who manages to briefly obtain control over a CA key to > issue himself a CA cert. The official processing rules for self-issued > certs subverts that assumed protection -- the attacker can sign himself > a self-issued CA cert and use that to screw all RPs that process cert > chains in the fashion that X.509 / PKIX specifies. Your reasoning is really illogical. If a CA key is compromised, nothing furt= her can be trusted. I do not see why this secure problem will be more specif= ic to a CA which adopt self-issued certificates for key rollovers. If an att= acker obtains control over the certificate sining key of a CA which has a "g= eneration identifier" in its DN, doesn't the attacker be able to sign a hims= elf a subordinate CA certificate? > From the perspective of risk management, not supporting self-issued > certificates is IMHO a very resonable decision. > > For CAs to do rollover with Generation identifiers in DNames > is a no-brainer. It will also facilitate recognizing and > telling apart the CA certificates -- for RPs that start with an > empty trust store rather than a trust store prepopulated > with hundreds of omnipotent CAs -- or a dynamic trust store > such as that of newer Versions of Microsoft Windows, where you > essentially have no control over the trust anchors any more and > no idea who is trusted. I assume you know the reason why the root CA key (usually in the form of a s= elf-signed certificate) must be distributed to RPs through an out-of-band se= cure channel. If you do, you may realized what PKIX and X.509 tried to do is= to specify a systematically secure way to distribute the next generation ro= ot CA key to RPs. 
There are at least two advantages if a root CA do its key= rollover with self-issued certificates: (1) Since RPs had already receieved the previous generation of the root CA k= ey from a secure channel and trust it, the RPs can use the trusted root CA k= ey to verified the new-with-old self-issued certificate and build the trust= to the new generation of the root CA key (and therefore the new self-signed= certificate of the root CA). (2) The self-issued certificate can temporarily be used to chain the new cer= tificate chain up to the old self-signed certificate of the root CA, before= the new self-signed certificate is finally distributed to all RPs. I do not see why adopting a non-systemantical and messy way such as adding G= eneration identifiers in DNames is more reasonable than the standard way sug= gested by X.509/PKIX. It is unfortunate that there are many RPs does not ful= ly implement the certification path validation algorithm defined by X.509/PK= IX. This might be the reason why many root CAs choose to adopt the messy way= for key rollovers. I guess there are some CA implementors do not fully unde= rstand the standard way for key rollovers suggested by X.509/PKIX, they simp= ly saw some big CA vendors do such thing and they learnt to do it. Wen-Cheng Wang Please be advised that this email message (including any attachments) contai= ns confidential information and may be legally privileged. If you are not th= e intended recipient, please destroy this message and all attachments from y= our system and do not further collect, process, or use them. Chunghwa Teleco= m and all its subsidiaries and associated companies shall not be liable for= the improper or incomplete transmission of the information contained in thi= s email nor for any delay in its receipt or damage to your system. If you ar= e the intended recipient, please protect the confidential and/or personal in= formation contained in this email with due care. 
Any unauthorized use, discl= osure or distribution of this message in whole or in part is strictly prohib= ited. Also, please self-inspect attachments and hyperlinks contained in thi= s email to ensure the information security and to protect personal informati= on. --_000_20825998BCB8D84C983674C159E25E753D6244C3mbs6appcorpchtc_ Content-Type: text/html; charset="iso-2022-jp" Content-ID: content-transfer-encoding: quoted-printable
From nobody Wed Jul 15 11:42:22 2015
From: "Miller, Timothy J."
To: 王文正
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates
Date: Wed, 15 Jul 2015 18:41:29 +0000
Message-ID: <263DE390-A784-4BAF-8ACE-98D613B2CC4B@mitre.org>
In-Reply-To: <20825998BCB8D84C983674C159E25E753D6244C3@mbs6.app.corp.cht.com.tw>

> Isn't it dangerous to trust two entities as the same one simply because they have similar DNs? How do you know these two CAs are the same one?

I suppose it bears mentioning that you should never accept a trust anchor without some kind of verification.  An RFC 4210 rollover announcement is fine and dandy if and only if you already trusted the old anchor.  If you don't, then you need to go out-of-band, and part of that is verifying that the entity named is the entity you expect.

— T

From nobody Thu Jul 16 02:22:03 2015
From: 王文正 (Wen-Cheng Wang)
To: "Miller, Timothy J."
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates
Date: Thu, 16 Jul 2015 09:20:01 +0000
Message-ID: <20825998BCB8D84C983674C159E25E753D624E22@mbs6.app.corp.cht.com.tw>
In-Reply-To: <263DE390-A784-4BAF-8ACE-98D613B2CC4B@mitre.org>

Hi Timothy,

> I suppose it bears mentioning that you should never accept a trust anchor without some kind of verification.  An RFC 4210 rollover announcement is fine and dandy if and only if you already trusted the old anchor.  If you don't, then you need to go out-of-band, and part of that is verifying that the entity named is the entity you expect.

Exactly, thank you for helping to clarify that concept.

Wen-Cheng Wang

From nobody Thu Jul 16 07:12:22 2015
From: mrex@sap.com (Martin Rex)
To: "Miller, Timothy J."
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates
Date: Thu, 16 Jul 2015 16:12:17 +0200 (CEST)
Message-Id: <20150716141217.913ED1A1EB@ld9781.wdf.sap.corp>
In-Reply-To: <263DE390-A784-4BAF-8ACE-98D613B2CC4B@mitre.org>

Miller, Timothy J. wrote:
>
>> Isn't it dangerous to trust two entities as the same one simply because
>> they have similar DNs? How do you know these two CAs are the same one?
>
> I suppose it bears mentioning that you should never accept a trust
> anchor without some kind of verification.  An RFC 4210 rollover
> announcement is fine and dandy if and only if you already trusted
> the old anchor.  If you don't, then you need to go out-of-band,
> and part of that is verifying that the entity named is the entity
> you expect.

An entity announcing a key rollover and the coincidence to receive a new self-signed cert with verbatim the same DName but a different public key in it does not provide any verification or proof. Only a signature of the new key with the old key could provide such a proof.

But then, it becomes entirely irrelevant whether the new cert bears a generation identifier in the subject DName that differs from the subject DName of the original trust anchor. It could even be a totally different name -- and for some of the changes of ownership of the CA entity, a complete name change could even make sense.

So really, self-issued certificates are a fifth wheel on the PKIX cart that can only get you in trouble.

-Martin

From nobody Thu Jul 16 07:43:34 2015
From: "Miller, Timothy J."
To: "mrex@sap.com"
Cc: PKIX
Subject: Re: [pkix] Self-issued certificates
Date: Thu, 16 Jul 2015 14:43:29 +0000
Message-ID: <198BA0FB-79C1-4AAB-BA15-554C653CE571@mitre.org>
In-Reply-To: <20150716141217.913ED1A1EB@ld9781.wdf.sap.corp>

> Only a signature of the new key with the old key could provide
> such a proof.

Umm, that's what an RFC 4210 CA Key Update Announcement is.  Actually, it contains the old key signed with the new key, the new key signed with the old key, and the new key self-signed.

— T
From: mrex@sap.com (Martin Rex)
To: "Miller, Timothy J."
Cc: PKIX
Date: Thu, 16 Jul 2015 17:44:49 +0200 (CEST)
Subject: Re: [pkix] Self-issued certificates
Message-Id: <20150716154449.B20051A1EC@ld9781.wdf.sap.corp>
In-Reply-To: <198BA0FB-79C1-4AAB-BA15-554C653CE571@mitre.org>

Miller, Timothy J. wrote:
>
>> Only a signature of the new key with the old key could provide
>> such a proof.
>
> Umm, that's what an RFC 4210 CA Key Update Announcement is.
> Actually, it contains the old key signed with the new key,
> the new key signed with the old key, and the new key self-signed.

:-)

I'm sorry. I had not recognized your term "RFC 4210 rollover announcement" as something that refers to a technical protocol that includes the relevant PDUs.

rfc4210 is sufficiently complex and awkward that it is not used anywhere around TLS (at least the stuff that I come in contact with) nor common web-service or pkcs#7/CMS based data exchange scenarios.
-Martin

From nobody Thu Jul 16 09:16:56 2015
From: "Miller, Timothy J."
To: "mrex@sap.com"
Cc: PKIX
Date: Thu, 16 Jul 2015 16:16:52 +0000
Subject: Re: [pkix] Self-issued certificates
Message-ID: <74A5D249-85E1-4887-ADD1-C6084F07B265@mitre.org>
In-Reply-To: <20150716154449.B20051A1EC@ld9781.wdf.sap.corp>

> I had not recognized your term "RFC 4210 rollover announcement" as
> something that refers to a technical protocol that includes
> the relevant PDUs.
>
> rfc4210 is sufficiently complex and awkward that it is not used anywhere
> around TLS (at least the stuff that I come in contact with) nor common
> web-service or pkcs#7/CMS based data exchange scenarios.

I didn't say it was *used*, I said it would *work*. ;)

— T

From nobody Thu Jul 16 21:23:43 2015
From: Peter Gutmann
To: "Miller, Timothy J.", "mrex@sap.com"
Cc: PKIX
Date: Fri, 17 Jul 2015 04:21:46 +0000
Subject: Re: [pkix] Self-issued certificates
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AB06271D@uxcn10-tdc05.UoA.auckland.ac.nz>
In-Reply-To: <74A5D249-85E1-4887-ADD1-C6084F07B265@mitre.org>

Miller, Timothy J. writes:

>> rfc4210 is sufficiently complex and awkward that it is not used anywhere
>> around TLS (at least the stuff that I come in contact with) nor common
>> web-service or pkcs#7/CMS based data exchange scenarios.
>
> I didn't say it was *used*, I said it would *work*. ;)

You can't really claim that it'll work either. CMP is sufficiently dysfunctional and broken that it's really hard (in many cases almost impossible) to get two implementations to talk to each other just to do a standard "gimme a cert" (which is all that 99.5% of users really care about). Given that, I'd put the chances of something as untried as a TA-update working correctly at "vanishingly small", at best. So the correct phrasing would be something like "CMP has something that could, in theory, work, if someone implemented it".

Peter.

From nobody Thu Jul 16 22:58:19 2015
From: Jeffrey Walton
To: 王文正 (Wen-Cheng Wang)
Cc: PKIX
Date: Fri, 17 Jul 2015 01:58:17 -0400
Subject: Re: [pkix] Self-issued certificates
In-Reply-To: <20825998BCB8D84C983674C159E25E753D6244C3@mbs6.app.corp.cht.com.tw>

>> For root CA certs, the distinguished name regularly does not describe
>> the true entity that operates the CA anyway, because many of them change
>> ownership once or more often while they're in use.
>>
>> e.g. RSA->VeriSign->Symantec
>
> No matter who operates the CA, the CA is itself an entity and has its
> identity in the PKI world. People trust the VeriSign CA not because it is
> operated by Symantec Corp. or VeriSign Inc., it is because the CA fulfils
> some international security criteria and has been audited.

It may be worth noting: if you read the CPS and believe the company's lawyers, then you probably would not trust most CAs. It's strange the company's lawyers tell us the warez are not fit for use, but we choose to trust them anyway....

Jeff

From nobody Fri Jul 17 07:38:00 2015
From: 王文正 (Wen-Cheng Wang)
To: "Miller, Timothy J.", "mrex@sap.com"
Cc: PKIX
Date: Fri, 17 Jul 2015 14:37:53 +0000
Subject: Re: [pkix] Self-issued certificates
Message-ID: <20825998BCB8D84C983674C159E25E753D625F93@mbs6.app.corp.cht.com.tw>
In-Reply-To: <74A5D249-85E1-4887-ADD1-C6084F07B265@mitre.org>

>> I had not recognized your term "RFC 4210 rollover announcement" as
>> something that refers to a technical protocol that includes the
>> relevant PDUs.
>>
>> rfc4210 is sufficiently complex and awkward that it is not used anywhere
>> around TLS (at least the stuff that I come in contact with) nor common
>> web-service or pkcs#7/CMS based data exchange scenarios.
>
> I didn't say it was *used*, I said it would *work*. ;)

Actually, in my experience, certification paths with self-issued certificates have worked seamlessly in most TLS/SSL environments, except with Microsoft IIS.

In a case where the end-entity certificate is an SSL certificate, after the root key rollover the certification path will be as follows:

old root self-signed cert --> new-with-old self-issued cert --> subordinate CA cert --> SSL cert

Most SSL/TLS servers, such as apache+openssl, are able to correctly send the certificates payload ("new-with-old self-issued cert --> subordinate CA cert --> SSL cert") to the client side during the SSL/TLS handshake. Also, most browsers, including IE, Chrome, Firefox, Safari, and Opera, can successfully chain the certification path to the trust anchor (the old root self-signed cert) and successfully validate it, because they simply treat the new-with-old self-issued cert as a normal intermediate certificate.

The only problem I have ever encountered is caused by Microsoft IIS. Unlike other SSL/TLS servers, which can be configured to send whatever intermediate certificates you specify to the client side, Microsoft IIS insists on automatically deciding which are the intermediate certificates for your SSL certificate. Unfortunately, Microsoft IIS incorrectly decides that the new-with-old self-issued cert is not an intermediate certificate to be sent to the client side. My guess is that Microsoft IIS mistakenly treats the self-issued cert as a self-signed root cert (it may think any cert is a self-signed cert if the same DN appears in the subject and issuer fields), and therefore decides not to send it to the client side. The result is a broken certification path on the client side.

Interestingly, Microsoft IE itself can validate the certification path "old root self-signed cert --> new-with-old self-issued cert --> subordinate CA cert --> SSL cert" without any problem.

Wen-Cheng Wang

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

From nobody Fri Jul 17 08:36:46 2015
From: "Miller, Timothy J."
To: 王文正 (Wen-Cheng Wang), "mrex@sap.com"
Cc: PKIX
Date: Fri, 17 Jul 2015 15:36:41 +0000
Subject: Re: [pkix] Self-issued certificates
In-Reply-To: <20825998BCB8D84C983674C159E25E753D625F93@mbs6.app.corp.cht.com.tw>

> In a case where the end-entity certificate is an SSL certificate, after the root
> key rollover, the certification path will be as follows:
>
> old root self-signed cert --> new-with-old self-issued cert --> subordinate CA
> cert --> SSL cert

While rolling over a self-signed certificate while preserving trust is an interesting problem (to me, anyway, 'cause I'm a fan of key continuity management ;) in general practice your example chain should never occur in TLS/SSL. Rollover messages are certificate management messages; new-with-old and old-with-new are management artifacts and not intended for path construction.

I.e., if in your example:

- Root rollover is due to pending or past root key expiration, then the "old-root" trust anchor is replaced by "new-root;" the chain terminates at "new-root" and new-with-old doesn't appear.

- Root rollover is due to root key compromise, new-with-old can't be trusted, "old-root" trust anchor must be removed, and the chain is invalid.

-- T

From nobody Mon Jul 20 05:39:35 2015
BY2PR09MB109.namprd09.prod.outlook.com ([10.242.36.149]) with mapi id 15.01.0213.021; Mon, 20 Jul 2015 12:39:25 +0000 From: "Miller, Timothy J." To: =?iso-2022-jp?B?GyRCMiZKOEA1GyhC?= Thread-Topic: [pkix] Self-issued certificates Thread-Index: AQHQvO6Win+gscY4xki0Ne4yM5Okv53YpJmAgADHUoCAAC03gIABiFsAgABHlACAAXDtAIAAB9uAgAFHIYCAAAi2AIAAESSAgAAI8gCAAXawgIAABqewgAG5fYCAAtDscA== Date: Mon, 20 Jul 2015 12:39:25 +0000 Message-ID: References: <20150716154449.B20051A1EC@ld9781.wdf.sap.corp> <74A5D249-85E1-4887-ADD1-C6084F07B265@mitre.org> <20825998BCB8D84C983674C159E25E753D625F93@mbs6.app.corp.cht.com.tw>, <20825998BCB8D84C983674C159E25E753D6268E0@mbs6.app.corp.cht.com.tw> In-Reply-To: <20825998BCB8D84C983674C159E25E753D6268E0@mbs6.app.corp.cht.com.tw> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: cht.com.tw; dkim=none (message not signed) header.d=none; x-originating-ip: [192.160.51.89] x-microsoft-exchange-diagnostics: 1; BY2PR09MB109; 5:erPHaH2Fmwo95EH3zdY23SXF71HBPFCDMTfAYx3Xr4PCgbJstn89tYKCziRwUTLM3BxdoHWuA2YsEZnaWyOuv1ftvYV+hSkSEYRZCY28lfV+5N4LlKpHYW2A3CA9/9YYqha/rCaRZSUi1GcANWcb1g==; 24:lVm4VsXEr/4Q/0dLCJabxHjDkrBX5M0OyDwri9LYcSOWWdFfhrZSFBfD4b8STYMt20mnRtigEUykIdC6eCFJMySxUx+s1jf0u2bNU0J0IpE=; 20:6fvFl13l/VESsdeA0I6lEFifxLGx+3BTYx5609xEAh/Q7qlQY0unjcxfVD62indg7LzG1YBsCv2qM4oE3oMN9g== x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR09MB109; by2pr09mb109: X-MS-Exchange-Organization-RulesExecuted x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:BY2PR09MB109; BCL:0; PCL:0; RULEID:; SRVR:BY2PR09MB109; x-forefront-prvs: 0643BDA83C x-forefront-antispam-report: SFV:NSPM; 
SFS:(10009020)(6009001)(92566002)(77156002)(33656002)(93886004)(62966003)(5003600100002)(50986999)(99286002)(76176999)(86362001)(106116001)(54356999)(87936001)(122556002)(2656002)(40100003)(66066001)(102836002)(110136002)(5001920100001)(5001960100002)(77096005)(76576001)(189998001)(46102003)(2950100001)(2900100001)(5002640100001)(74316001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR09MB109; H:BY2PR09MB109.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; Content-Type: text/plain; charset="iso-2022-jp" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jul 2015 12:39:25.5341 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR09MB109 X-OriginatorOrg: mitre.org Archived-At: Cc: PKIX Subject: Re: [pkix] Self-issued certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Jul 2015 12:39:33 -0000 > However, most relying parties rely on COTS such as browsers or operating > systems to update their lists of trust anchors. After a root CA performed= its > key rollover, it will submit its new root cert to "Root Certificate Progr= ams" of > all mainstream browsers or operating systems. It might take server months > or even more than half year before the new root cert is accepted by "Root > Certificate Programs" of all mainstream browsers or operating systems. > Before the new root cert is added to the lists of trust anchors of all > mainstream browsers and operating systems, TLS/SSL servers would > temporarily rely on the new-with-old certificate to assist relying partie= s to > chain the certification path up to the old root cert (i.e., the old trust= anchor). 
In practice, commercial CAs act with enough foresight that this isn't a problem for the most part; they ensure that a new root is published (minimally by MS and Mozilla) before making it an active issuer. It's not like you can't see key expiration coming and plan accordingly.

Private CAs have their own trust management avenues, so while they have to do the same kind of planning, timelines are shorter.

Most PKIs also create new CAs rather than deal with the complexities of rollover. It's easier to just prune the PKI entity tree than to try to graft in a new parent node. As each CA switches into CRL-only mode [1] you have another ready to take its place and operations continue without interruption.

-- T

[1] If your CP and CPS are written according to best practices, a CA's actual lifetime is minimally double the maximum Subscriber key lifetime. By doing so the CA can issue a Subscriber cert just before switching into CRL-only mode, that Subscriber gets a full life out of that cert, and the CA can be retired as soon as all Subscribers' certs are either revoked (with a final CRL issued) or expired.
From nobody Tue Jul 21 06:47:27 2015
From: Wen-Cheng Wang
To: PKIX
Date: Tue, 21 Jul 2015 13:47:18 +0000
Subject: Re: [pkix] Self-issued certificates

> While rolling over a self-signed certificate while preserving trust is an interesting problem (to me, anyway, 'cause I'm a fan of key continuity management ;) in general practice your example chain should never occur in TLS/SSL. Rollover messages are certificate management messages; new-with-old and old-with-new are management artifacts and not intended for path construction.
>
> I.e., if in your example:
>
> - Root rollover is due to pending or past root key expiration, then the "old-root" trust anchor is replaced by "new-root;" the chain terminates at "new-root" and new-with-old doesn't appear.

You are right, if the new root cert (new-with-new self-signed cert) has been distributed to relying parties, then the relying parties can directly use the new root cert as the trust anchor and therefore they do not need to build the certification path with the help of the new-with-old self-issued cert anymore. In the situations where relying parties already have the new root cert in their lists of trust anchors, the certification path will be as follows:

new root cert --> intermediate CA cert --> TLS/SSL cert

However, most relying parties rely on COTS such as browsers or operating systems to update their lists of trust anchors. After a root CA performed its key rollover, it will submit its new root cert to "Root Certificate Programs" of all mainstream browsers or operating systems. It might take several months or even more than half a year before the new root cert is accepted by "Root Certificate Programs" of all mainstream browsers or operating systems. Before the new root cert is added to the lists of trust anchors of all mainstream browsers and operating systems, TLS/SSL servers would temporarily rely on the new-with-old certificate to assist relying parties to chain the certification path up to the old root cert (i.e., the old trust anchor).

>
> - Root rollover is due to root key compromise, new-with-old can't be trusted, "old-root" trust anchor must be removed, and the chain is invalid.

Yes, if the old root key was compromised, then both new-with-old and old-with-new are useless. In that situation, the root CA has to generate a new key pair and distribute the new root cert to relying parties as soon as possible. However, if a root CA's root key had ever been compromised, I doubt that relying parties will trust the CA again.

Wen-Cheng Wang
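The two certification paths compared in this thread, and the key-compromise case, as an added worked example that is not code from the thread or any of its participants: a toy path builder in Python, with constructed names and key identifiers (K1 to K4), that models a certificate by its subject/issuer names and key identifiers only and shows why the builder must match on the authority key identifier rather than the issuer name, since every rollover certificate carries the same "Root CA" name.

```python
"""Toy X.509 path builder across a root key rollover. Added example, not from
the thread: names and key identifiers (K1..K4) are constructed, and a cert is
modelled by its naming and key-identifier fields only; a real builder must
also check signatures, validity periods and constraints."""
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    label: str    # the thread's name for the certificate
    subject: str
    issuer: str
    skid: str     # subject key identifier: the key this cert certifies
    akid: str     # authority key identifier: the key that signed this cert

def build_path(leaf, intermediates, trust_anchors):
    """Shortest path leaf..anchor (breadth-first), or None. Issuer name alone
    cannot steer this: old root, new root, new-with-old and old-with-new all
    share one subject name, so the AKID/SKID pair is what tells the keys apart."""
    anchors = set(trust_anchors)
    pool = list(trust_anchors) + list(intermediates)
    queue = deque([[leaf]])
    while queue:
        path = queue.popleft()
        if path[-1] in anchors:
            return path
        for cand in pool:
            if cand in path:  # old-with-new and new-with-old point at each other
                continue
            if cand.subject == path[-1].issuer and cand.skid == path[-1].akid:
                queue.append(path + [cand])
    return None

def chain_text(path):
    """Anchor-first rendering in the notation used in the thread."""
    return " --> ".join(c.label for c in reversed(path)) if path else "no valid chain"

# Constructed PKI: the root keeps the name "Root CA" but rolls its key K1 -> K2,
# and the subordinate CA has been re-certified under the new key K2.
OLD_ROOT = Cert("old root self-signed cert", "Root CA", "Root CA", "K1", "K1")
NEW_ROOT = Cert("new root self-signed cert", "Root CA", "Root CA", "K2", "K2")
NEW_WITH_OLD = Cert("new-with-old self-issued cert", "Root CA", "Root CA", "K2", "K1")
OLD_WITH_NEW = Cert("old-with-new self-issued cert", "Root CA", "Root CA", "K1", "K2")
SUB_CA = Cert("subordinate CA cert", "Sub CA", "Root CA", "K3", "K2")
LEAF = Cert("TLS/SSL cert", "www.example.test", "Sub CA", "K4", "K3")
SERVER_SENDS = [NEW_WITH_OLD, OLD_WITH_NEW, SUB_CA]  # untrusted intermediates

def rollover_scenarios():
    """The three relying-party states discussed in the thread."""
    return {
        # Browser still trusts only the old root: new-with-old bridges the gap.
        "old anchor only": chain_text(build_path(LEAF, SERVER_SENDS, [OLD_ROOT])),
        # New root already installed: the rollover certs never appear.
        "new anchor installed": chain_text(build_path(LEAF, SERVER_SENDS, [NEW_ROOT])),
        # Old key compromised and removed before the new root was distributed.
        "old anchor removed": chain_text(build_path(LEAF, SERVER_SENDS, [])),
    }
```

With both roots installed during the transition the breadth-first search picks the direct path to the new root, which is the "new-with-old doesn't appear" outcome from the thread.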