| rfc9883.original.xml | rfc9883.xml | |||
|---|---|---|---|---|
| <?xml version='1.0' encoding='utf-8'?> | <?xml version='1.0' encoding='UTF-8'?> | |||
| <!DOCTYPE rfc [ | <!DOCTYPE rfc [ | |||
| <!ENTITY nbsp " "> | <!ENTITY nbsp " "> | |||
| <!ENTITY zwsp "​"> | <!ENTITY zwsp "​"> | |||
| <!ENTITY nbhy "‑"> | <!ENTITY nbhy "‑"> | |||
| <!ENTITY wj "⁠"> | <!ENTITY wj "⁠"> | |||
| ]> | ]> | |||
| <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> | ||||
| <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.18 (Ruby 2.6. | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | |||
| 10) --> | -ietf-lamps-private-key-stmt-attr-09" number="9883" updates="" obsoletes="" xml: | |||
| <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | lang="en" category="std" consensus="true" submissionType="IETF" tocInclude="true | |||
| -ietf-lamps-private-key-stmt-attr-09" category="std" consensus="true" submission | " sortRefs="true" symRefs="true" version="3"> | |||
| Type="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3"> | ||||
| <!-- xml2rfc v2v3 conversion 3.28.1 --> | ||||
| <front> | <front> | |||
| <title abbrev="Statement of Private Key Possession">An Attribute for Stateme nt of Possession of a Private Key</title> | <title abbrev="Statement of Private Key Possession">An Attribute for Stateme nt of Possession of a Private Key</title> | |||
| <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-private-key-stmt-a ttr-09"/> | <seriesInfo name="RFC" value="9883"/> | |||
| <author initials="R." surname="Housley" fullname="Russ Housley"> | <author initials="R." surname="Housley" fullname="Russ Housley"> | |||
| <organization abbrev="Vigil Security">Vigil Security, LLC</organization> | <organization abbrev="Vigil Security">Vigil Security, LLC</organization> | |||
| <address> | <address> | |||
| <postal> | <postal> | |||
| <city>Herndon, VA</city> | <city>Herndon</city><region>VA</region> | |||
| <country>US</country> | <country>United States of America</country> | |||
| </postal> | </postal> | |||
| <email>housley@vigilsec.com</email> | <email>housley@vigilsec.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <date year="2025" month="June" day="26"/> | <date year="2025" month="October"/> | |||
| <area>Security</area> | <area>SEC</area> | |||
| <keyword>Internet-Draft</keyword> | <workgroup>lamps</workgroup> | |||
| <abstract> | ||||
| <?line 61?> | ||||
| <abstract> | ||||
| <t>This document specifies an attribute for a statement of possession of a priva te key | <t>This document specifies an attribute for a statement of possession of a priva te key | |||
| by a certificate subject. As part of X.509 certificate enrollment, a Certificat ion | by a certificate subject. As part of X.509 certificate enrollment, a Certificat ion | |||
| Authority (CA) typically demands proof that the subject possesses the private ke y | Authority (CA) typically demands proof that the subject possesses the private ke y | |||
| that corresponds to the to-be-certified public key. In some cases, a CA might a ccept | that corresponds to the to-be-certified public key. In some cases, a CA might a ccept | |||
| a signed statement from the certificate subject. For example, when a certificat e | a signed statement from the certificate subject. For example, when a certificat e | |||
| subject needs separate certificates for signature and key establishment, a state ment | subject needs separate certificates for signature and key establishment, a state ment | |||
| that can be validated with the previously issued signature certificate for the s ame | that can be validated with the previously issued signature certificate for the s ame | |||
| subject might be adequate for subsequent issuance of the key establishment certi ficate.</t> | subject might be adequate for subsequent issuance of the key establishment certi ficate.</t> | |||
| </abstract> | </abstract> | |||
| </front> | </front> | |||
| skipping to change at line 57 ¶ | skipping to change at line 56 ¶ | |||
| private key by a certificate subject. X.509 certificate <xref target="RFC5280"/ > | private key by a certificate subject. X.509 certificate <xref target="RFC5280"/ > | |||
| enrollment often depends on PKCS#10 <xref target="RFC2986"/> or the Certificate | enrollment often depends on PKCS#10 <xref target="RFC2986"/> or the Certificate | |||
| Request Message Format (CRMF) <xref target="RFC4211"/>. As part of enrollment, a | Request Message Format (CRMF) <xref target="RFC4211"/>. As part of enrollment, a | |||
| Certification Authority (CA) typically demands proof that the subject | Certification Authority (CA) typically demands proof that the subject | |||
| possesses the private key that corresponds to the to-be-certified public | possesses the private key that corresponds to the to-be-certified public | |||
| key. Alternatively, a CA may accept a signed statement from the | key. Alternatively, a CA may accept a signed statement from the | |||
| certificate subject claiming knowledge of that private key. When a | certificate subject claiming knowledge of that private key. When a | |||
| certificate subject needs separate certificates for signature and key | certificate subject needs separate certificates for signature and key | |||
| establishment, a signed statement that can be validated with the | establishment, a signed statement that can be validated with the | |||
| previously issued signature certificate for the same subject might be | previously issued signature certificate for the same subject might be | |||
| adequate for subsequent issuance of the key establishment certificate.</t> | adequate for subsequent issuance of the key establishment certificate.</t> | |||
| <t>For example, a subject may need a signature certificate that contains a | ||||
| ML-DSA | <t>For example, a subject may need a signature certificate that contains a | |||
| n ML-DSA | ||||
| (Module-Lattice-Based Digital Signature Algorithm) public key and a key | (Module-Lattice-Based Digital Signature Algorithm) public key and a key | |||
| establishment certificate that contains a ML-KEM (Module-Lattice-Based | establishment certificate that contains an ML-KEM (Module-Lattice-Based | |||
| Key-Encapsulation Mechanism) public key. For another example, a subject may | Key-Encapsulation Mechanism) public key. For another example, a subject may | |||
| need a signature certificate that contains a ECDSA (Elliptic Curve Digital | need a signature certificate that contains an ECDSA (Elliptic Curve Digital | |||
| Signature Algorithm) public key and a key establishment certificate that | Signature Algorithm) public key and a key establishment certificate that | |||
| contains a ECDH (Elliptic Curve Diffie-Hellman) public key.</t> | contains an ECDH (Elliptic Curve Diffie-Hellman) public key.</t> | |||
| <t>A statement of possession may be used in lieu of the usual proof of | <t>A statement of possession may be used in lieu of the usual proof-of-pos | |||
| possession mechanisms. The statement is simply a signed assertion that | session mechanisms. The statement is simply a signed assertion that | |||
| the requestor of a key establishment certificate has possession of the | the requestor of a key establishment certificate has possession of the | |||
| key establishment private key, and that statement is signed using a | key establishment private key and that statement is signed using a | |||
| signature private key that was previously shown to be in the possession | signature private key that was previously shown to be in the possession | |||
| of the same certificate subject. If allowed by the Certificate Policy | of the same certificate subject. If allowed by the Certificate Policy | |||
| <xref target="RFC3647"/>, the CA is permitted to accept this statement in lieu o f proof | <xref target="RFC3647"/>, the CA is permitted to accept this statement in lieu o f proof | |||
| that the requestor has possession of the private key, such as <xref target="RFC6 955"/>.</t> | that the requestor has possession of the private key, such as <xref target="RFC6 955"/>.</t> | |||
| <t>Note that <xref target="RFC6955"/> offers some algorithms that provide proof of possession for | <t>Note that <xref target="RFC6955"/> offers some algorithms that provide proof of possession for | |||
| Diffie-Hellman private keys; however, these algorithms are not suitable for use | Diffie-Hellman private keys; however, these algorithms are not suitable for use | |||
| with PKCS#10 <xref target="RFC2986"/>. In addition, the algorithms in <xref tar get="RFC6955"/> do not | with PKCS#10 <xref target="RFC2986"/>. In addition, the algorithms in <xref tar get="RFC6955"/> do not | |||
| support key encapsulation mechanism algorithms, such as ML-KEM. The attribute | support key encapsulation mechanism algorithms, such as ML-KEM. The attribute | |||
| specified in this document, on the other hand, is suitable for use with both | specified in this document, on the other hand, is suitable for use with both | |||
| PKCS#10 and the CRMF <xref target="RFC4211"/>.</t> | PKCS#10 and the CRMF <xref target="RFC4211"/>.</t> | |||
| <section anchor="asn1"> | <section anchor="asn1"> | |||
| <name>ASN.1</name> | <name>ASN.1</name> | |||
| <t>The attribute defined in this document is generated using ASN.1 <xref target="X680"/>, using | <t>The attribute defined in this document is generated using ASN.1 <xref target="X680"/>, using | |||
| the Distinguished Encoding Rules (DER) <xref target="X690"/>.</t> | the Distinguished Encoding Rules (DER) <xref target="X690"/>.</t> | |||
| </section> | </section> | |||
| <section anchor="terminology"> | <section anchor="terminology"> | |||
| <name>Terminology</name> | <name>Terminology</name> | |||
| <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp | <t> | |||
| 14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU | |||
| NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO | IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | |||
| MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14> | |||
| "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i | RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
| nterpreted as | "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | |||
| described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and | be interpreted as | |||
| only when, they | described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> | |||
| appear in all capitals, as shown here.</t> | when, and only when, they appear in all capitals, as shown here. | |||
| <?line -18?> | </t> | |||
| </section> | </section> | |||
| </section> | </section> | |||
| <section anchor="overview"> | <section anchor="overview"> | |||
| <name>Overview</name> | <name>Overview</name> | |||
| <t>When using the attribute defined in this document to make a statement a bout the | <t>When using the attribute defined in this document to make a statement a bout the | |||
| possession of the key establishment private key, the process to obtain two | possession of the key establishment private key, the process to obtain two | |||
| certificates with PKCS#10 is:</t> | certificates with PKCS#10 is as follows:</t> | |||
| <ol spacing="normal" type="1"><li> | <ol spacing="normal" type="1"><li> | |||
| <t>The subject generates the signature key pair.</t> | <t>The subject generates the signature key pair.</t> | |||
| </li> | </li> | |||
| <li> | <li> | |||
| <t>The subject composes a PKCS#10 Certificate Signing Request (CSR) in the usual | <t>The subject composes a PKCS#10 Certificate Signing Request (CSR) in the usual | |||
| manner. It includes a signature that is produced with the private key from | manner. It includes a signature that is produced with the private key from | |||
| step 1.</t> | step 1.</t> | |||
| </li> | </li> | |||
| <li> | <li> | |||
| <t>The subject sends the CSR to the CA, and it gets back a signature c ertificate. | <t>The subject sends the CSR to the CA, and it gets back a signature c ertificate. | |||
| skipping to change at line 138 ¶ | skipping to change at line 137 ¶ | |||
| <t>In general, the issuer of the key establishment certificate will be the same | <t>In general, the issuer of the key establishment certificate will be the same | |||
| as the issuer of the signature certificate. If the issuers of the two certifica tes | as the issuer of the signature certificate. If the issuers of the two certifica tes | |||
| will be different, then the certificate policy of the issuer of the key establis hment | will be different, then the certificate policy of the issuer of the key establis hment | |||
| certificate <bcp14>MUST</bcp14> explain the procedure that is used to verify the subject and | certificate <bcp14>MUST</bcp14> explain the procedure that is used to verify the subject and | |||
| subject alternative names.</t> | subject alternative names.</t> | |||
| </section> | </section> | |||
| <section anchor="attr"> | <section anchor="attr"> | |||
| <name>Attribute for Statement of Possession of a Private Key</name> | <name>Attribute for Statement of Possession of a Private Key</name> | |||
| <t>The attribute for statement of possession of a private key is included in a | <t>The attribute for statement of possession of a private key is included in a | |||
| certificate request to make the following statement:</t> | certificate request to make the following statement:</t> | |||
| <ul empty="true"> | ||||
| <li> | <t indent="3">The subject of the signature certificate that is used to | |||
| <t>The subject of the signature certificate that is used to | ||||
| validate the signature on this certificate request states, | validate the signature on this certificate request states, | |||
| without providing proof, that it has possession of the | without providing proof, that it has possession of the | |||
| private key that corresponds to the public key in the | private key that corresponds to the public key in the | |||
| certificate request.</t> | certificate request.</t> | |||
| </li> | ||||
| </ul> | ||||
| <t>The CA <bcp14>MUST</bcp14> perform certification path validation for th e signature | <t>The CA <bcp14>MUST</bcp14> perform certification path validation for th e signature | |||
| certificate as specified in <xref section="6" sectionFormat="of" target="RFC5280 "/>. If the certification | certificate as specified in <xref section="6" sectionFormat="of" target="RFC5280 "/>. If the certification | |||
| path is not valid, then the CA <bcp14>MUST</bcp14> reject the request for the ke y | path is not valid, then the CA <bcp14>MUST</bcp14> reject the request for the ke y | |||
| establishment certificate.</t> | establishment certificate.</t> | |||
| <t>The CA <bcp14>MUST</bcp14> validate the signature on the certificate re quest using the | <t>The CA <bcp14>MUST</bcp14> validate the signature on the certificate re quest using the | |||
| public key from the signature certificate. If the signature is not valid, | public key from the signature certificate. If the signature is not valid, | |||
| then the CA <bcp14>MUST</bcp14> reject the certificate request.</t> | then the CA <bcp14>MUST</bcp14> reject the certificate request.</t> | |||
| <t>The subject in the signature certificate <bcp14>SHOULD</bcp14> be the s ame as the subject name | <t>The subject in the signature certificate <bcp14>SHOULD</bcp14> be the s ame as the subject name | |||
| in the certificate request. If they are different, the certificate policy <bcp1 4>MUST</bcp14> | in the certificate request. If they are different, the certificate policy <bcp1 4>MUST</bcp14> | |||
| describe how the CA can determine that the two subject names identify the same | describe how the CA can determine that the two subject names identify the same | |||
| entity. If the CA is unable to determine that the two subject names identify | entity. If the CA is unable to determine that the two subject names identify | |||
| the same entity, then the CA <bcp14>MUST</bcp14> reject the certificate request. </t> | the same entity, then the CA <bcp14>MUST</bcp14> reject the certificate request. </t> | |||
| <t>If subject alternative names are present in the certificate request, th ey | <t>If subject alternative names are present in the certificate request, th ey | |||
| <bcp14>SHOULD</bcp14> match subject alternative names in the signature certifica te. If they | <bcp14>SHOULD</bcp14> match subject alternative names in the signature certifica te. If they | |||
| are different, the certificate policy <bcp14>MUST</bcp14> describe how the CA ca n determine that | are different, the certificate policy <bcp14>MUST</bcp14> describe how the CA ca n determine that | |||
| the two subject alternative names identify the same entity. If the CA | the two subject alternative names identify the same entity. If the CA | |||
| is unable to determine that each of subject alternative names identifies | is unable to determine that each of subject alternative names identifies | |||
| the same entity as is named in the signature certificate, then the CA <bcp14>MUS T</bcp14> | the same entity as is named in the signature certificate, then the CA <bcp14>MUS T</bcp14> | |||
| reject the certificate request.</t> | reject the certificate request.</t> | |||
| <t>When the CA rejects a certificate request for any of the reasons listed | <t>When the CA rejects a certificate request for any of the reasons listed | |||
| above, the CA should provide information to the requester about the reason | above, the CA should provide information to the requestor about the reason | |||
| for the rejection to aid with diagnostic efforts. Likewise, the CA should | for the rejection to aid with diagnostic efforts. Likewise, the CA should | |||
| log the rejection events.</t> | log the rejection events.</t> | |||
| <t>The attribute for statement of possession of a private key has the foll owing | <t>The attribute for statement of possession of a private key has the foll owing | |||
| structure:</t> | structure:</t> | |||
| <sourcecode type="asn.1"><![CDATA[ | <sourcecode type="asn.1"><![CDATA[ | |||
| id-at-statementOfPossession OBJECT IDENTIFIER ::= | id-at-statementOfPossession OBJECT IDENTIFIER ::= | |||
| { 1 3 6 1 4 1 22112 2 1 } | { 1 3 6 1 4 1 22112 2 1 } | |||
| privateKeyPossessionStatement ATTRIBUTE ::= { | privateKeyPossessionStatement ATTRIBUTE ::= { | |||
| TYPE PrivateKeyPossessionStatement | TYPE PrivateKeyPossessionStatement | |||
| IDENTIFIED BY id-at-statementOfPossession } | IDENTIFIED BY id-at-statementOfPossession } | |||
| PrivateKeyPossessionStatement ::= SEQUENCE { | PrivateKeyPossessionStatement ::= SEQUENCE { | |||
| signer IssuerAndSerialNumber, | signer IssuerAndSerialNumber, | |||
| cert Certificate OPTIONAL } | cert Certificate OPTIONAL }]]></sourcecode> | |||
| ]]></sourcecode> | ||||
| <t>The components of the PrivateKeyStatement SEQUENCE have the following s emantics:</t> | <t>The components of the PrivateKeyStatement SEQUENCE have the following s emantics:</t> | |||
| <ul empty="true"> | ||||
| <li> | <dl spacing="normal" newline="false"> | |||
| <dl> | ||||
| <dt>signer:</dt> | <dt>signer:</dt> | |||
| <dd> | <dd> | |||
| <t>the issuer name and certificate serial number of the signature certificate.</t> | <t>The issuer name and certificate serial number of the signature certificate.</t> | |||
| </dd> | </dd> | |||
| </dl> | ||||
| </li> | ||||
| </ul> | ||||
| <ul empty="true"> | ||||
| <li> | ||||
| <dl> | ||||
| <dt>cert:</dt> | <dt>cert:</dt> | |||
| <dd> | <dd> | |||
| <t>the signature certificate. If the issuer of the key establishm ent certificate | <t>The signature certificate. If the issuer of the key establishm ent certificate | |||
| will be the same as the issuer of the signature certificate, then this | will be the same as the issuer of the signature certificate, then this | |||
| component <bcp14>MAY</bcp14> be omitted. When the signature certificate is omit ted, the | component <bcp14>MAY</bcp14> be omitted. When the signature certificate is omit ted, the | |||
| signer is assuming that the CA has a mechanism to obtain all valid | signer is assuming that the CA has a mechanism to obtain all valid | |||
| certificates that it issued.</t> | certificates that it issued.</t> | |||
| </dd> | </dd> | |||
| </dl> | </dl> | |||
| </li> | ||||
| </ul> | ||||
| </section> | </section> | |||
| <section anchor="conventions-for-pkcs10"> | <section anchor="conventions-for-pkcs10"> | |||
| <name>Conventions for PKCS#10</name> | <name>Conventions for PKCS#10</name> | |||
| <t>This section specifies the conventions for using the attribute for stat ement | <t>This section specifies the conventions for using the attribute for stat ement | |||
| of possession of a private key with PKCS#10 <xref target="RFC2986"/> when reques ting a | of possession of a private key with PKCS#10 <xref target="RFC2986"/> when reques ting a | |||
| key establishment certificate.</t> | key establishment certificate.</t> | |||
| <t>The PKCS#10 CertificationRequest always has three components, as follow s:</t> | <t>The PKCS#10 CertificationRequest always has three components, as follow s:</t> | |||
| <ul empty="true"> | ||||
| <li> | <dl spacing="normal" newline="false"> | |||
| <dl> | ||||
| <dt>certificationRequestInfo:</dt> | <dt>certificationRequestInfo:</dt> | |||
| <dd> | <dd> | |||
| <t>the subject name <bcp14>SHOULD</bcp14> be the same as the subje ct name in the signature certificate, | <t>The subject name <bcp14>SHOULD</bcp14> be the same as the subje ct name in the signature certificate, | |||
| the subjectPKInfo <bcp14>MUST</bcp14> contain the public key for the key establi shment algorithm, | the subjectPKInfo <bcp14>MUST</bcp14> contain the public key for the key establi shment algorithm, | |||
| and the attributes <bcp14>MUST</bcp14> include privateKeyPossessionStatement att ribute as specified | and the attributes <bcp14>MUST</bcp14> include privateKeyPossessionStatement att ribute as specified | |||
| in <xref target="attr"/> of this document.</t> | in <xref target="attr"/> of this document.</t> | |||
| </dd> | </dd> | |||
| </dl> | ||||
| </li> | ||||
| </ul> | ||||
| <ul empty="true"> | ||||
| <li> | ||||
| <dl> | ||||
| <dt>signatureAlgorithm:</dt> | <dt>signatureAlgorithm:</dt> | |||
| <dd> | <dd> | |||
| <t>the signature algorithm <bcp14>MUST</bcp14> be one that can be validated with the public key | <t>The signature algorithm <bcp14>MUST</bcp14> be one that can be validated with the public key | |||
| in the signature certificate.</t> | in the signature certificate.</t> | |||
| </dd> | </dd> | |||
| </dl> | ||||
| </li> | ||||
| </ul> | ||||
| <ul empty="true"> | ||||
| <li> | ||||
| <dl> | ||||
| <dt>signature:</dt> | <dt>signature:</dt> | |||
| <dd> | <dd> | |||
| <t>the signature over certificationRequestInfo <bcp14>MUST</bcp14> validate with the public key | <t>The signature over certificationRequestInfo <bcp14>MUST</bcp14> validate with the public key | |||
| in the signature certificate, and certification path validation for the signatur e | in the signature certificate, and certification path validation for the signatur e | |||
| certificate <bcp14>MUST</bcp14> be successful as specified in <xref section="6" sectionFormat="of" target="RFC5280"/>.</t> | certificate <bcp14>MUST</bcp14> be successful as specified in <xref section="6" sectionFormat="of" target="RFC5280"/>.</t> | |||
| </dd> | </dd> | |||
| </dl> | </dl> | |||
| </li> | ||||
| </ul> | ||||
| </section> | </section> | |||
| <section anchor="conventions-for-crmf"> | <section anchor="conventions-for-crmf"> | |||
| <name>Conventions for CRMF</name> | <name>Conventions for CRMF</name> | |||
| <t>This section specifies the conventions for using the attribute for stat ement | <t>This section specifies the conventions for using the attribute for stat ement | |||
| of possession of a private key with the CRMF <xref target="RFC4211"/> when reque sting a key | of possession of a private key with the CRMF <xref target="RFC4211"/> when reque sting a key | |||
| establishment certificate.</t> | establishment certificate.</t> | |||
| <t>The following ASN.1 types are defined for use with CRMF. They have exa ctly | <t>The following ASN.1 types are defined for use with CRMF. They have exa ctly | |||
| the same semantics and syntax as the attribute discussed above, but they | the same semantics and syntax as the attribute discussed above, but they | |||
| offer a similar naming convention to the Registration Controls in <xref target=" RFC4211"/>.</t> | offer a similar naming convention to the Registration Controls in <xref target=" RFC4211"/>.</t> | |||
| <sourcecode type="asn.1"><![CDATA[ | <sourcecode type="asn.1"><![CDATA[ | |||
| regCtrl-privateKeyPossessionStatement ATTRIBUTE ::= | regCtrl-privateKeyPossessionStatement ATTRIBUTE ::= | |||
| privateKeyPossessionStatement | privateKeyPossessionStatement | |||
| id-regCtrl-statementOfPossession OBJECT IDENTIFIER ::= | id-regCtrl-statementOfPossession OBJECT IDENTIFIER ::= | |||
| id-at-statementOfPossession | id-at-statementOfPossession]]></sourcecode> | |||
| ]]></sourcecode> | ||||
| <t>The CRMF CertificationRequest always has three components, as follows:< /t> | <t>The CRMF CertificationRequest always has three components, as follows:< /t> | |||
| <ul empty="true"> | ||||
| <li> | <dl spacing="normal" newline="false"> | |||
| <dl> | ||||
| <dt>certReq:</dt> | <dt>certReq:</dt> | |||
| <dd> | <dd> | |||
| <t>the certTemplate <bcp14>MUST</bcp14> include the subject and th e publicKey components. The | <t>The certTemplate <bcp14>MUST</bcp14> include the subject and th e publicKey components. The | |||
| same subject name <bcp14>SHOULD</bcp14> match the subject name in the signature certificate, and | same subject name <bcp14>SHOULD</bcp14> match the subject name in the signature certificate, and | |||
| publicKey <bcp14>MUST</bcp14> contain the public key for the key establishment a lgorithm.</t> | publicKey <bcp14>MUST</bcp14> contain the public key for the key establishment a lgorithm.</t> | |||
| </dd> | </dd> | |||
| </dl> | ||||
| </li> | ||||
| </ul> | ||||
| <ul empty="true"> | ||||
| <li> | ||||
| <dl> | ||||
| <dt>popo:</dt> | <dt>popo:</dt> | |||
| <dd> | <dd> | |||
| <t>the ProofOfPossession <bcp14>MUST</bcp14> use the signature CHO ICE, | <t>The ProofOfPossession <bcp14>MUST</bcp14> use the signature CHO ICE, | |||
| the poposkInput <bcp14>MUST</bcp14> be present, POPOSigningKeyInput.authInfo <bc p14>MUST</bcp14> use | the poposkInput <bcp14>MUST</bcp14> be present, POPOSigningKeyInput.authInfo <bc p14>MUST</bcp14> use | |||
| the sender CHOICE, the sender <bcp14>SHOULD</bcp14> be set to the subject name t hat appears in | the sender CHOICE, the sender <bcp14>SHOULD</bcp14> be set to the subject name t hat appears in | |||
| the signature certificate, the publicKey <bcp14>MUST</bcp14> contain a copy of t he public | the signature certificate, the publicKey <bcp14>MUST</bcp14> contain a copy of t he public | |||
| key from the certTemplate, the algorithmIdentifier <bcp14>MUST</bcp14> identify a signature | key from the certTemplate, the algorithmIdentifier <bcp14>MUST</bcp14> identify a signature | |||
| algorithm that can be validated with the public key in the signature certificate , | algorithm that can be validated with the public key in the signature certificate , | |||
| signature over the poposkInput <bcp14>MUST</bcp14> validate with the public key in the signature | the signature over the poposkInput <bcp14>MUST</bcp14> validate with the public key in the signature | |||
| certificate, and certification path validation for the signature certificate | certificate, and certification path validation for the signature certificate | |||
| <bcp14>MUST</bcp14> be successful as specified in <xref section="6" sectionForma t="of" target="RFC5280"/>.</t> | <bcp14>MUST</bcp14> be successful as specified in <xref section="6" sectionForma t="of" target="RFC5280"/>.</t> | |||
| </dd> | </dd> | |||
| </dl> | ||||
| </li> | ||||
| </ul> | ||||
| <ul empty="true"> | ||||
| <li> | ||||
| <dl> | ||||
| <dt>regInfo:</dt> | <dt>regInfo:</dt> | |||
| <dd> | <dd> | |||
| <t>the attributes <bcp14>MUST</bcp14> include privateKeyPossession Statement attribute as specified | <t>The attributes <bcp14>MUST</bcp14> include the privateKeyPosses sionStatement attribute as specified | |||
| in <xref target="attr"/> of this document.</t> | in <xref target="attr"/> of this document.</t> | |||
| </dd> | </dd> | |||
| </dl> | </dl> | |||
| </li> | ||||
| </ul> | ||||
| </section> | </section> | |||
| <section anchor="security-considerations"> | <section anchor="security-considerations"> | |||
| <name>Security Considerations</name> | <name>Security Considerations</name> | |||
| <t>The privateKeyPossessionStatement attribute <bcp14>MUST NOT</bcp14> be used to obtain a | <t>The privateKeyPossessionStatement attribute <bcp14>MUST NOT</bcp14> be used to obtain a | |||
| signature certificate. Performing proof of possession of the signature | signature certificate. Performing proof of possession of the signature | |||
| private key is easily accomplished by signing the certificate request.</t> | private key is easily accomplished by signing the certificate request.</t> | |||
| <t>The subject is signing privateKeyPossessionStatement attribute to tell the CA that it has | <t>The subject is signing the privateKeyPossessionStatement attribute to t ell the CA that it has | |||
| possession of the key establishment private key. This is being done instead of | possession of the key establishment private key. This is being done instead of | |||
| providing technical proof of possession. If the subject has lost control | providing technical proof of possession. If the subject has lost control | |||
| of the signature private key, then the signed privateKeyPossessionStatement attr ibute | of the signature private key, then the signed privateKeyPossessionStatement attr ibute | |||
| could be generated by some other party. Timely revocation of the compromised | could be generated by some other party. Timely revocation of the compromised | |||
| signature certificate is the only protection against such loss of control.</t> | signature certificate is the only protection against such loss of control.</t> | |||
| <t>If the CA revokes a compromised signature certificate, then the CA <bcp 14>SHOULD</bcp14> | <t>If the CA revokes a compromised signature certificate, then the CA <bcp 14>SHOULD</bcp14> | |||
| also revoke all key establishment certificates that were obtained with | also revoke all key establishment certificates that were obtained with | |||
| privateKeyPossessionStatement attributes signed by that compromised signature | privateKeyPossessionStatement attributes signed by that compromised signature | |||
| certificate.</t> | certificate.</t> | |||
| <t>The signature key pair and the key establishment key pair are expected to have | <t>The signature key pair and the key establishment key pair are expected to have | |||
| roughly the same security strength. To ensure that the signature on the stateme nt | roughly the same security strength. To ensure that the signature on the stateme nt | |||
| is not the weakest part of the certificate enrollment, the signature key pair <b cp14>SHOULD</bcp14> | is not the weakest part of the certificate enrollment, the signature key pair <b cp14>SHOULD</bcp14> | |||
| be at least as strong as the key establishment key pair.</t> | be at least as strong as the key establishment key pair.</t> | |||
| <t>If a CA allows subject in the key establishment certificate to be diffe rent than | <t>If a CA allows a subject in the key establishment certificate to be dif ferent than | |||
| the subject name in the signature certificate, then certificate policy <bcp14>MU ST</bcp14> | the subject name in the signature certificate, then certificate policy <bcp14>MU ST</bcp14> | |||
| describe how to determine that the two subject names identify the same entity. | describe how to determine that the two subject names identify the same entity. | |||
| Likewise, if a CA allows subject alternative names in the key establishment | Likewise, if a CA allows subject alternative names in the key establishment | |||
| certificate that are not present in the signature certificate, then certificate | certificate that are not present in the signature certificate, then certificate | |||
| policy <bcp14>MUST</bcp14> describe how to determine that the subject alternativ e names identify | policy <bcp14>MUST</bcp14> describe how to determine that the subject alternativ e names identify | |||
| the same entity as is named in the signature certificate.</t> | the same entity as is named in the signature certificate.</t> | |||
| </section> | </section> | |||
| <section anchor="iana"> | <section anchor="iana"> | |||
| <name>IANA Considerations</name> | <name>IANA Considerations</name> | |||
| <t>For the ASN.1 Module in the <xref target="appendix-asn1"/> of this docu | <t>For the ASN.1 Module in <xref target="appendix-asn1"/> of this document | |||
| ment, IANA is | , IANA has assigned an object identifier (OID) for the module identifier (118) | |||
| requested to assign an object identifier (OID) for the module identifier (TBD0) | with a Description of "id-mod-private-key-possession-stmt-2025" in the "SMI Secu | |||
| with a Description of "id-mod-private-key-possession-stmt-2025". The | rity for PKIX Module | |||
| OID for the module should be allocated in the "SMI Security for PKIX Module | ||||
| Identifier" registry (1.3.6.1.5.5.7.0).</t> | Identifier" registry (1.3.6.1.5.5.7.0).</t> | |||
| </section> | </section> | |||
| </middle> | </middle> | |||
| <back> | <back> | |||
| <references anchor="sec-combined-references"> | <references anchor="sec-combined-references"> | |||
| <name>References</name> | <name>References</name> | |||
| <references anchor="sec-normative-references"> | <references anchor="sec-normative-references"> | |||
| <name>Normative References</name> | <name>Normative References</name> | |||
| <reference anchor="RFC2986"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | |||
| <front> | 986.xml"/> | |||
| <title>PKCS #10: Certification Request Syntax Specification Version | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | |||
| 1.7</title> | 211.xml"/> | |||
| <author fullname="M. Nystrom" initials="M." surname="Nystrom"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | |||
| <author fullname="B. Kaliski" initials="B." surname="Kaliski"/> | 280.xml"/> | |||
| <date month="November" year="2000"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | |||
| <abstract> | 912.xml"/> | |||
| <t>This memo represents a republication of PKCS #10 v1.7 from RSA | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | |||
| Laboratories' Public-Key Cryptography Standards (PKCS) series, and change contro | 268.xml"/> | |||
| l is retained within the PKCS process. The body of this document, except for the | ||||
| security considerations section, is taken directly from the PKCS #9 v2.0 or the | ||||
| PKCS #10 v1.7 document. This memo provides information for the Internet communi | ||||
| ty.</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="RFC" value="2986"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC2986"/> | ||||
| </reference> | ||||
| <reference anchor="RFC4211"> | ||||
| <front> | ||||
| <title>Internet X.509 Public Key Infrastructure Certificate Request | ||||
| Message Format (CRMF)</title> | ||||
| <author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
| <date month="September" year="2005"/> | ||||
| <abstract> | ||||
| <t>This document describes the Certificate Request Message Format | ||||
| (CRMF) syntax and semantics. This syntax is used to convey a request for a certi | ||||
| ficate to a Certification Authority (CA), possibly via a Registration Authority | ||||
| (RA), for the purposes of X.509 certificate production. The request will typical | ||||
| ly include a public key and the associated registration information. This docume | ||||
| nt does not define a certificate request protocol. [STANDARDS-TRACK]</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="RFC" value="4211"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC4211"/> | ||||
| </reference> | ||||
| <reference anchor="RFC5280"> | ||||
| <front> | ||||
| <title>Internet X.509 Public Key Infrastructure Certificate and Cert | ||||
| ificate Revocation List (CRL) Profile</title> | ||||
| <author fullname="D. Cooper" initials="D." surname="Cooper"/> | ||||
| <author fullname="S. Santesson" initials="S." surname="Santesson"/> | ||||
| <author fullname="S. Farrell" initials="S." surname="Farrell"/> | ||||
| <author fullname="S. Boeyen" initials="S." surname="Boeyen"/> | ||||
| <author fullname="R. Housley" initials="R." surname="Housley"/> | ||||
| <author fullname="W. Polk" initials="W." surname="Polk"/> | ||||
| <date month="May" year="2008"/> | ||||
| <abstract> | ||||
| <t>This memo profiles the X.509 v3 certificate and X.509 v2 certif | ||||
| icate revocation list (CRL) for use in the Internet. An overview of this approac | ||||
| h and model is provided as an introduction. The X.509 v3 certificate format is d | ||||
| escribed in detail, with additional information regarding the format and semanti | ||||
| cs of Internet name forms. Standard certificate extensions are described and two | ||||
| Internet-specific extensions are defined. A set of required certificate extensi | ||||
| ons is specified. The X.509 v2 CRL format is described in detail along with stan | ||||
| dard and Internet-specific extensions. An algorithm for X.509 certification path | ||||
| validation is described. An ASN.1 module and examples are provided in the appen | ||||
| dices. [STANDARDS-TRACK]</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="RFC" value="5280"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC5280"/> | ||||
| </reference> | ||||
| <reference anchor="RFC5912"> | ||||
| <front> | ||||
| <title>New ASN.1 Modules for the Public Key Infrastructure Using X.5 | ||||
| 09 (PKIX)</title> | ||||
| <author fullname="P. Hoffman" initials="P." surname="Hoffman"/> | ||||
| <author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
| <date month="June" year="2010"/> | ||||
| <abstract> | ||||
| <t>The Public Key Infrastructure using X.509 (PKIX) certificate fo | ||||
| rmat, and many associated formats, are expressed using ASN.1. The current ASN.1 | ||||
| modules conform to the 1988 version of ASN.1. This document updates those ASN.1 | ||||
| modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire c | ||||
| hanges to any of the formats; this is simply a change to the syntax. This docume | ||||
| nt is not an Internet Standards Track specification; it is published for informa | ||||
| tional purposes.</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="RFC" value="5912"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC5912"/> | ||||
| </reference> | ||||
| <reference anchor="RFC6268"> | ||||
| <front> | ||||
| <title>Additional New ASN.1 Modules for the Cryptographic Message Sy | ||||
| ntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)</title> | ||||
| <author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
| <author fullname="S. Turner" initials="S." surname="Turner"/> | ||||
| <date month="July" year="2011"/> | ||||
| <abstract> | ||||
| <t>The Cryptographic Message Syntax (CMS) format, and many associa | ||||
| ted formats, are expressed using ASN.1. The current ASN.1 modules conform to the | ||||
| 1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to co | ||||
| nform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normative | ||||
| version. There are no bits- on-the-wire changes to any of the formats; this is s | ||||
| imply a change to the syntax. This document is not an Internet Standards Track s | ||||
| pecification; it is published for informational purposes.</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="RFC" value="6268"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC6268"/> | ||||
| </reference> | ||||
| <reference anchor="X680" target="https://www.itu.int/rec/T-REC-X.680"> | <reference anchor="X680" target="https://www.itu.int/rec/T-REC-X.680"> | |||
| <front> | <front> | |||
| <title>Information technology -- Abstract Syntax Notation One (ASN.1 ): Specification of basic notation</title> | <title>Information technology -- Abstract Syntax Notation One (ASN.1 ): Specification of basic notation</title> | |||
| <author> | <author> | |||
| <organization>ITU-T</organization> | <organization>ITU-T</organization> | |||
| </author> | </author> | |||
| <date year="2021" month="February"/> | <date year="2021" month="February"/> | |||
| </front> | </front> | |||
| <seriesInfo name="ITU-T Recommendation" value="X.680"/> | <seriesInfo name="ITU-T Recommendation" value="X.680"/> | |||
| <seriesInfo name="ISO/IEC" value="8824-1:2021"/> | <seriesInfo name="ISO/IEC" value="8824-1:2021"/> | |||
| </reference> | </reference> | |||
| <reference anchor="X690" target="https://www.itu.int/rec/T-REC-X.690"> | <reference anchor="X690" target="https://www.itu.int/rec/T-REC-X.690"> | |||
| <front> | <front> | |||
| <title>Information technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title> | <title>Information technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title> | |||
| <author> | <author> | |||
| <organization>ITU-T</organization> | <organization>ITU-T</organization> | |||
| </author> | </author> | |||
| <date year="2021" month="February"/> | <date year="2021" month="February"/> | |||
| </front> | </front> | |||
| <seriesInfo name="ITU-T Recommendation" value="X.690"/> | <seriesInfo name="ITU-T Recommendation" value="X.690"/> | |||
| <seriesInfo name="ISO/IEC" value="8825-1-2021"/> | <seriesInfo name="ISO/IEC" value="8825-1:2021"/> | |||
| </reference> | ||||
| <reference anchor="RFC2119"> | ||||
| <front> | ||||
| <title>Key words for use in RFCs to Indicate Requirement Levels</tit | ||||
| le> | ||||
| <author fullname="S. Bradner" initials="S." surname="Bradner"/> | ||||
| <date month="March" year="1997"/> | ||||
| <abstract> | ||||
| <t>In many standards track documents several words are used to sig | ||||
| nify the requirements in the specification. These words are often capitalized. T | ||||
| his document defines these words as they should be interpreted in IETF documents | ||||
| . This document specifies an Internet Best Current Practices for the Internet Co | ||||
| mmunity, and requests discussion and suggestions for improvements.</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="BCP" value="14"/> | ||||
| <seriesInfo name="RFC" value="2119"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC2119"/> | ||||
| </reference> | ||||
| <reference anchor="RFC8174"> | ||||
| <front> | ||||
| <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti | ||||
| tle> | ||||
| <author fullname="B. Leiba" initials="B." surname="Leiba"/> | ||||
| <date month="May" year="2017"/> | ||||
| <abstract> | ||||
| <t>RFC 2119 specifies common key words that may be used in protoco | ||||
| l specifications. This document aims to reduce the ambiguity by clarifying that | ||||
| only UPPERCASE usage of the key words have the defined special meanings.</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="BCP" value="14"/> | ||||
| <seriesInfo name="RFC" value="8174"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC8174"/> | ||||
| </reference> | </reference> | |||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | ||||
| 119.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
| 174.xml"/> | ||||
| </references> | </references> | |||
| <references anchor="sec-informative-references"> | <references anchor="sec-informative-references"> | |||
| <name>Informative References</name> | <name>Informative References</name> | |||
| <reference anchor="RFC3647"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3 | |||
| <front> | 647.xml"/> | |||
| <title>Internet X.509 Public Key Infrastructure Certificate Policy a | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | |||
| nd Certification Practices Framework</title> | 955.xml"/> | |||
| <author fullname="S. Chokhani" initials="S." surname="Chokhani"/> | ||||
| <author fullname="W. Ford" initials="W." surname="Ford"/> | ||||
| <author fullname="R. Sabett" initials="R." surname="Sabett"/> | ||||
| <author fullname="C. Merrill" initials="C." surname="Merrill"/> | ||||
| <author fullname="S. Wu" initials="S." surname="Wu"/> | ||||
| <date month="November" year="2003"/> | ||||
| <abstract> | ||||
| <t>This document presents a framework to assist the writers of cer | ||||
| tificate policies or certification practice statements for participants within p | ||||
| ublic key infrastructures, such as certification authorities, policy authorities | ||||
| , and communities of interest that wish to rely on certificates. In particular, | ||||
| the framework provides a comprehensive list of topics that potentially (at the w | ||||
| riter's discretion) need to be covered in a certificate policy or a certificatio | ||||
| n practice statement. This document supersedes RFC 2527.</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="RFC" value="3647"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC3647"/> | ||||
| </reference> | ||||
| <reference anchor="RFC6955"> | ||||
| <front> | ||||
| <title>Diffie-Hellman Proof-of-Possession Algorithms</title> | ||||
| <author fullname="J. Schaad" initials="J." surname="Schaad"/> | ||||
| <author fullname="H. Prafullchandra" initials="H." surname="Prafullc | ||||
| handra"/> | ||||
| <date month="May" year="2013"/> | ||||
| <abstract> | ||||
| <t>This document describes two methods for producing an integrity | ||||
| check value from a Diffie-Hellman key pair and one method for producing an integ | ||||
| rity check value from an Elliptic Curve key pair. This behavior is needed for su | ||||
| ch operations as creating the signature of a Public-Key Cryptography Standards ( | ||||
| PKCS) #10 Certification Request. These algorithms are designed to provide a Proo | ||||
| f-of-Possession of the private key and not to be a general purpose signing algor | ||||
| ithm.</t> | ||||
| <t>This document obsoletes RFC 2875.</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="RFC" value="6955"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC6955"/> | ||||
| </reference> | ||||
| </references> | </references> | |||
| </references> | </references> | |||
| <?line 355?> | ||||
| <section anchor="appendix-asn1"> | <section anchor="appendix-asn1"> | |||
| <name>ASN.1 Module</name> | <name>ASN.1 Module</name> | |||
| <t>This ASN.1 Module uses the conventions established by <xref target="RFC 5912"/> and <xref target="RFC6268"/>.</t> | <t>This ASN.1 Module uses the conventions established by <xref target="RFC 5912"/> and <xref target="RFC6268"/>.</t> | |||
| <sourcecode type="asn.1" markers="true"><![CDATA[ | <sourcecode type="asn.1" markers="true"><![CDATA[ | |||
| PrivateKeyPossessionStatement-2025 | PrivateKeyPossessionStatement-2025 | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-private-key-possession-stmt-2025(TBD0) } | id-mod-private-key-possession-stmt-2025(118) } | |||
| DEFINITIONS IMPLICIT TAGS ::= BEGIN | DEFINITIONS IMPLICIT TAGS ::= BEGIN | |||
| EXPORTS ALL; | EXPORTS ALL; | |||
| IMPORTS | IMPORTS | |||
| ATTRIBUTE | ATTRIBUTE | |||
| FROM PKIX-CommonTypes-2009 -- in [RFC5912] | FROM PKIX-CommonTypes-2009 -- in [RFC5912] | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| skipping to change at line 567 ¶ | skipping to change at line 406 ¶ | |||
| RegControlSet ATTRIBUTE ::= | RegControlSet ATTRIBUTE ::= | |||
| { regCtrl-privateKeyPossessionStatement, ... } | { regCtrl-privateKeyPossessionStatement, ... } | |||
| regCtrl-privateKeyPossessionStatement ATTRIBUTE ::= | regCtrl-privateKeyPossessionStatement ATTRIBUTE ::= | |||
| privateKeyPossessionStatement | privateKeyPossessionStatement | |||
| id-regCtrl-statementOfPossession OBJECT IDENTIFIER ::= | id-regCtrl-statementOfPossession OBJECT IDENTIFIER ::= | |||
| id-at-statementOfPossession | id-at-statementOfPossession | |||
| END | END]]></sourcecode> | |||
| ]]></sourcecode> | ||||
| </section> | </section> | |||
| <section anchor="example-use-of-the-privatekeypossessionstatement-attribute" > | <section anchor="example-use-of-the-privatekeypossessionstatement-attribute" > | |||
| <name>Example use of the privateKeyPossessionStatement Attribute</name> | <name>Example Use of the privateKeyPossessionStatement Attribute</name> | |||
| <t>In this example, the self-signed certificate for the CA is:</t> | <t>In this example, the self-signed certificate for the CA is as follows:< | |||
| /t> | ||||
| <artwork><![CDATA[ | <artwork><![CDATA[ | |||
| -----BEGIN CERTIFICATE----- | -----BEGIN CERTIFICATE----- | |||
| MIIB7DCCAXKgAwIBAgIUL149AUxHunELBZMELEQm+isgKCQwCgYIKoZIzj0EAwMw | MIIB7DCCAXKgAwIBAgIUL149AUxHunELBZMELEQm+isgKCQwCgYIKoZIzj0EAwMw | |||
| NzELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkV4YW1wbGUgQ0ExEzARBgNVBAMTCmNh | NzELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkV4YW1wbGUgQ0ExEzARBgNVBAMTCmNh | |||
| LmV4YW1wbGUwHhcNMjUwMTAzMjAyNzA5WhcNMzUwMTAzMjAyNzA5WjA3MQswCQYD | LmV4YW1wbGUwHhcNMjUwMTAzMjAyNzA5WhcNMzUwMTAzMjAyNzA5WjA3MQswCQYD | |||
| VQQGEwJVUzETMBEGA1UEChMKRXhhbXBsZSBDQTETMBEGA1UEAxMKY2EuZXhhbXBs | VQQGEwJVUzETMBEGA1UEChMKRXhhbXBsZSBDQTETMBEGA1UEAxMKY2EuZXhhbXBs | |||
| ZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDxZdB/Glcxdk1p6Jf1j5en6QfliY9OS | ZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDxZdB/Glcxdk1p6Jf1j5en6QfliY9OS | |||
| fjZbtje/w6M58PN8Sb3VFln1rPdvD17UXeazSG9Hr/Dq3enbsHHO0pPntcFOgb8n | fjZbtje/w6M58PN8Sb3VFln1rPdvD17UXeazSG9Hr/Dq3enbsHHO0pPntcFOgb8n | |||
| r8R8LUGhxRzjlxkaEJN+pa6Nf7qk49JDeaM/MD0wDwYDVR0TAQH/BAUwAwEB/zAL | r8R8LUGhxRzjlxkaEJN+pa6Nf7qk49JDeaM/MD0wDwYDVR0TAQH/BAUwAwEB/zAL | |||
| BgNVHQ8EBAMCAgQwHQYDVR0OBBYEFD6YvLLv3DQbvnGS0qP6bbzyZkCqMAoGCCqG | BgNVHQ8EBAMCAgQwHQYDVR0OBBYEFD6YvLLv3DQbvnGS0qP6bbzyZkCqMAoGCCqG | |||
| SM49BAMDA2gAMGUCMGfb61IigoJ3QDnlsRdoktREHe0Dpm6DKw3qOyLL6A0cFK9Z | SM49BAMDA2gAMGUCMGfb61IigoJ3QDnlsRdoktREHe0Dpm6DKw3qOyLL6A0cFK9Z | |||
| g8m11xIwvptlran52gIxAK1VrOjzRsFiHRptO+gFXstTXnQkKBb2/3WQz2SqcIS/ | g8m11xIwvptlran52gIxAK1VrOjzRsFiHRptO+gFXstTXnQkKBb2/3WQz2SqcIS/ | |||
| BWEp+siJ19OXOlz6APDB7w== | BWEp+siJ19OXOlz6APDB7w== | |||
| -----END CERTIFICATE----- | -----END CERTIFICATE----- | |||
| ]]></artwork> | ]]></artwork> | |||
| <t>Alice generates her ECDSA signature key pair. Then, Alice composes | <t>Alice generates her ECDSA signature key pair. Then, Alice composes | |||
| a PKCS#10 Certificate Signing Request (CSR) in the usual manner as | a PKCS#10 Certificate Signing Request (CSR) in the usual manner as | |||
| specified in <xref target="RFC2986"/>. The CSR includes a signature that is pro duced | specified in <xref target="RFC2986"/>. The CSR includes a signature that is pro duced | |||
| with her ECDSA private key. The CSR is:</t> | with her ECDSA private key. The CSR is as follows:</t> | |||
| <artwork><![CDATA[ | <artwork><![CDATA[ | |||
| -----BEGIN CERTIFICATE REQUEST----- | -----BEGIN CERTIFICATE REQUEST----- | |||
| MIIBhTCCAQsCAQAwPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRAwDgYDVQQH | MIIBhTCCAQsCAQAwPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRAwDgYDVQQH | |||
| EwdIZXJuZG9uMQ4wDAYDVQQDEwVBbGljZTB2MBAGByqGSM49AgEGBSuBBAAiA2IA | EwdIZXJuZG9uMQ4wDAYDVQQDEwVBbGljZTB2MBAGByqGSM49AgEGBSuBBAAiA2IA | |||
| BIAc+6lXN1MIM/82QeWNb55H0zr+lVgWVeF0bf4jzxCb5MCjVaM0eFEvcjXMV5p4 | BIAc+6lXN1MIM/82QeWNb55H0zr+lVgWVeF0bf4jzxCb5MCjVaM0eFEvcjXMV5p4 | |||
| kzqiJTHC0V2JAoqYMX/DMFIcwZ7xP9uQd9ep6KZ+RXut211L8+W1QI1QJSDNxANR | kzqiJTHC0V2JAoqYMX/DMFIcwZ7xP9uQd9ep6KZ+RXut211L8+W1QI1QJSDNxANR | |||
| saBQME4GCSqGSIb3DQEJDjFBMD8wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4Aw | saBQME4GCSqGSIb3DQEJDjFBMD8wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4Aw | |||
| IgYDVR0RBBswGYEXYWxpY2VAZW1haWwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwMD | IgYDVR0RBBswGYEXYWxpY2VAZW1haWwuZXhhbXBsZS5jb20wCgYIKoZIzj0EAwMD | |||
| aAAwZQIwPa2rOCe60edAF43C/t57IW8liyy+69FE04hMAFgw3Ga+nR+8zDuUsVLw | aAAwZQIwPa2rOCe60edAF43C/t57IW8liyy+69FE04hMAFgw3Ga+nR+8zDuUsVLw | |||
| xXGAHtcDAjEA6LbvNkZjo6j2z5xRIjrHzEbGgiV4MF4xtnpfSSRI4dB0zT52bWkj | xXGAHtcDAjEA6LbvNkZjo6j2z5xRIjrHzEbGgiV4MF4xtnpfSSRI4dB0zT52bWkj | |||
| skipping to change at line 626 ¶ | skipping to change at line 464 ¶ | |||
| VR0jBBgwFoAUPpi8su/cNBu+cZLSo/ptvPJmQKowFwYDVR0gBBAwDjAMBgpghkgB | VR0jBBgwFoAUPpi8su/cNBu+cZLSo/ptvPJmQKowFwYDVR0gBBAwDjAMBgpghkgB | |||
| ZQMCATAwMAoGCCqGSM49BAMDA2cAMGQCMGu/Uypd7BaVnUjB36UtX9m5ZmPi78y5 | ZQMCATAwMAoGCCqGSM49BAMDA2cAMGQCMGu/Uypd7BaVnUjB36UtX9m5ZmPi78y5 | |||
| 1RA8WhbOv0KQVrcYtj4qOdiMVKBcoVceyAIwRJ6U91048NAb3nicHcrGFf1UYrhb | 1RA8WhbOv0KQVrcYtj4qOdiMVKBcoVceyAIwRJ6U91048NAb3nicHcrGFf1UYrhb | |||
| DlytK4tCa5HBxD/qAgy4/eUzA5NZwVaLK78u | DlytK4tCa5HBxD/qAgy4/eUzA5NZwVaLK78u | |||
| -----END CERTIFICATE----- | -----END CERTIFICATE----- | |||
| ]]></artwork> | ]]></artwork> | |||
| <t>Alice generates her ECDH key establishment key pair. Then, Alice | <t>Alice generates her ECDH key establishment key pair. Then, Alice | |||
| composes a PKCS#10 CSR. The CSR attributes include the | composes a PKCS#10 CSR. The CSR attributes include the | |||
| privateKeyPossessionStatement attribute, which points to her ECDSA signature | privateKeyPossessionStatement attribute, which points to her ECDSA signature | |||
| certificate. The CSR includes her ECDH public key and a signature that | certificate. The CSR includes her ECDH public key and a signature that | |||
| is produced with her ECDSA private key. The CSR is:</t> | is produced with her ECDSA private key. The CSR is as follows:</t> | |||
| <artwork><![CDATA[ | <artwork><![CDATA[ | |||
| -----BEGIN CERTIFICATE REQUEST----- | -----BEGIN CERTIFICATE REQUEST----- | |||
| MIIEMTCCA7gCAQAwPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRAwDgYDVQQH | MIIEMTCCA7gCAQAwPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRAwDgYDVQQH | |||
| EwdIZXJuZG9uMQ4wDAYDVQQDEwVBbGljZTB0MA4GBSuBBAEMBgUrgQQAIgNiAAQB | EwdIZXJuZG9uMQ4wDAYDVQQDEwVBbGljZTB0MA4GBSuBBAEMBgUrgQQAIgNiAAQB | |||
| RyQTH+cq1s5F94uFqFe7l1LqGdEC8Tm+e5VYBCfKAC8MJySQMj1GixEEXL+1Wjtg | RyQTH+cq1s5F94uFqFe7l1LqGdEC8Tm+e5VYBCfKAC8MJySQMj1GixEEXL+1Wjtg | |||
| 23XvnJouCDoxSpDCSMqf3kvp5+naM37uxa3ZYgD6DPY3me5EZvyZPvSRJTFl/Bag | 23XvnJouCDoxSpDCSMqf3kvp5+naM37uxa3ZYgD6DPY3me5EZvyZPvSRJTFl/Bag | |||
| ggL9MGcGCSqGSIb3DQEJDjFaMFgwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCAwgw | ggL9MGcGCSqGSIb3DQEJDjFaMFgwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCAwgw | |||
| IgYDVR0RBBswGYEXYWxpY2VAZW1haWwuZXhhbXBsZS5jb20wFwYDVR0gBBAwDjAM | IgYDVR0RBBswGYEXYWxpY2VAZW1haWwuZXhhbXBsZS5jb20wFwYDVR0gBBAwDjAM | |||
| BgpghkgBZQMCATAwMIICkAYKKwYBBAGBrGACATGCAoAwggJ8ME8wNzELMAkGA1UE | BgpghkgBZQMCATAwMIICkAYKKwYBBAGBrGACATGCAoAwggJ8ME8wNzELMAkGA1UE | |||
| BhMCVVMxEzARBgNVBAoTCkV4YW1wbGUgQ0ExEzARBgNVBAMTCmNhLmV4YW1wbGUC | BhMCVVMxEzARBgNVBAoTCkV4YW1wbGUgQ0ExEzARBgNVBAMTCmNhLmV4YW1wbGUC | |||
| skipping to change at line 654 ¶ | skipping to change at line 492 ¶ | |||
| A1Gxo3YwdDAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUIx0A | A1Gxo3YwdDAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUIx0A | |||
| 0f7tCzkQEZgYzH3NcM2L05IwHwYDVR0jBBgwFoAUPpi8su/cNBu+cZLSo/ptvPJm | 0f7tCzkQEZgYzH3NcM2L05IwHwYDVR0jBBgwFoAUPpi8su/cNBu+cZLSo/ptvPJm | |||
| QKowFwYDVR0gBBAwDjAMBgpghkgBZQMCATAwMAoGCCqGSM49BAMDA2cAMGQCMGu/ | QKowFwYDVR0gBBAwDjAMBgpghkgBZQMCATAwMAoGCCqGSM49BAMDA2cAMGQCMGu/ | |||
| Uypd7BaVnUjB36UtX9m5ZmPi78y51RA8WhbOv0KQVrcYtj4qOdiMVKBcoVceyAIw | Uypd7BaVnUjB36UtX9m5ZmPi78y51RA8WhbOv0KQVrcYtj4qOdiMVKBcoVceyAIw | |||
| RJ6U91048NAb3nicHcrGFf1UYrhbDlytK4tCa5HBxD/qAgy4/eUzA5NZwVaLK78u | RJ6U91048NAb3nicHcrGFf1UYrhbDlytK4tCa5HBxD/qAgy4/eUzA5NZwVaLK78u | |||
| MAoGCCqGSM49BAMDA2cAMGQCL2TNHPULWcCS2DqZCCiQeSwx2JPLMI14Vi977bzy | MAoGCCqGSM49BAMDA2cAMGQCL2TNHPULWcCS2DqZCCiQeSwx2JPLMI14Vi977bzy | |||
| rImq5p0H3Bel6fAS8BnQ00WNAjEAhHDAlcbRuHhqdW6mOgDd5kWEGGqgixIuvEEc | rImq5p0H3Bel6fAS8BnQ00WNAjEAhHDAlcbRuHhqdW6mOgDd5kWEGGqgixIuvEEc | |||
| fVbnNCEyEE4n0mQ99PHURnXoHwqF | fVbnNCEyEE4n0mQ99PHURnXoHwqF | |||
| -----END CERTIFICATE REQUEST----- | -----END CERTIFICATE REQUEST----- | |||
| ]]></artwork> | ]]></artwork> | |||
| <t>The CSR decodes to:</t> | <t>The CSR decodes to the following:</t> | |||
| <artwork><![CDATA[ | <artwork><![CDATA[ | |||
| 0 1073: SEQUENCE { | 0 1073: SEQUENCE { | |||
| 4 952: SEQUENCE { | 4 952: SEQUENCE { | |||
| 8 1: INTEGER 0 | 8 1: INTEGER 0 | |||
| 11 60: SEQUENCE { | 11 60: SEQUENCE { | |||
| 13 11: SET { | 13 11: SET { | |||
| 15 9: SEQUENCE { | 15 9: SEQUENCE { | |||
| 17 3: OBJECT IDENTIFIER countryName (2 5 4 6) | 17 3: OBJECT IDENTIFIER countryName (2 5 4 6) | |||
| 22 2: PrintableString 'US' | 22 2: PrintableString 'US' | |||
| : } | : } | |||
| skipping to change at line 972 ¶ | skipping to change at line 810 ¶ | |||
| BgNVHQ8EBAMCAwgwHQYDVR0OBBYEFAnLfJvnEUcvLXaPUDZMZlQ/zZ3WMB8GA1Ud | BgNVHQ8EBAMCAwgwHQYDVR0OBBYEFAnLfJvnEUcvLXaPUDZMZlQ/zZ3WMB8GA1Ud | |||
| IwQYMBaAFD6YvLLv3DQbvnGS0qP6bbzyZkCqMBcGA1UdIAQQMA4wDAYKYIZIAWUD | IwQYMBaAFD6YvLLv3DQbvnGS0qP6bbzyZkCqMBcGA1UdIAQQMA4wDAYKYIZIAWUD | |||
| AgEwMDAKBggqhkjOPQQDAwNnADBkAjARQ5LuV6yz8A5DZCll1S/gfxZ+QSJl/pKc | AgEwMDAKBggqhkjOPQQDAwNnADBkAjARQ5LuV6yz8A5DZCll1S/gfxZ+QSJl/pKc | |||
| cTL6Sdr1IS18U/zY8VUJeB2H0nBamLwCMBRQ6sEWpNoeeR8Bonpoot/zYD2luQ1V | cTL6Sdr1IS18U/zY8VUJeB2H0nBamLwCMBRQ6sEWpNoeeR8Bonpoot/zYD2luQ1V | |||
| 2jevmYsnBihKF0debgfhGvh8WIgBR69DZg== | 2jevmYsnBihKF0debgfhGvh8WIgBR69DZg== | |||
| -----END CERTIFICATE----- | -----END CERTIFICATE----- | |||
| ]]></artwork> | ]]></artwork> | |||
| </section> | </section> | |||
| <section numbered="false" anchor="acknowledgements"> | <section numbered="false" anchor="acknowledgements"> | |||
| <name>Acknowledgements</name> | <name>Acknowledgements</name> | |||
| <t>Thanks to | <t>Thanks to <contact fullname="Sean Turner"/>, <contact fullname="Joe | |||
| Sean Turner, | Mandel"/>, <contact fullname="Mike StJohns"/>, <contact fullname="Mike | |||
| Joe Mandel, | Ounsworth"/>, <contact fullname="John Gray"/>, <contact fullname="Carl | |||
| Mike StJohns, | Wallace"/>, <contact fullname="Corey Bonnell"/>, <contact fullname="Hani | |||
| Mike Ounsworth, | Ezzadeen"/>, <contact fullname="Deb Cooley"/>, <contact | |||
| John Gray, | fullname="Mohamed Boucadair"/>, and <contact fullname="Bron Gondwana"/> | |||
| Carl Wallace, | for their constructive comments.</t> | |||
| Corey Bonnell, | ||||
| Hani Ezzadeen, | ||||
| Deb Cooley, | ||||
| Mohamed Boucadair, and | ||||
| Bron Gondwana | ||||
| for their constructive comments.</t> | ||||
| </section> | </section> | |||
| </back> | </back> | |||
| <!-- ##markdown-source: | ||||
| H4sIAI1qXWgAA8196XbiSLrgfz1FTNaPdN40tiQkFvetvlcbBhuw2bzV6TNH | ||||
| CBlkCwlLwhjnyX6WeZZ5svm+CAkkEBhnVfcdV6UTQrF8+xYRykKhwIWR6Y3+ | ||||
| t+n6nn1GomBuc84soJ/CSOT5Ki9yI9/yzCk8HgXmY1Rw7Oix4JrTWViYBc6r | ||||
| GdmFZ3tZCKNpVDCjKCjwVc4yozMSRiPO8r3Q9sJ5eEa+4uxfuZlzxhES+Ra0 | ||||
| LO3wK3wJ/SAK7Mcw1bKcphsiJ3Jh/a+KRxRYwRnOI5s8+gHpRbD81PYi4j+S | ||||
| az8M7TB0fA+/meSaQUcu7eVXzhwOA/sV5sgOWXdJDf/KhfPh1KGf+8sZrNww | ||||
| +jXODGzzjPRsax440ZJ7XkC7F9mBZ0cFHUnDjWCuMyLyolzgSwWxxHHmPJr4 | ||||
| wRlXIIyE3XkYkro/D117CXj6wfiM3Dhjx13Ne0yaTQ0eJQBnn8IDC/46I3VY | ||||
| d+R7x+RGwTZ/7kUBNA968M2emo57RiZsmf9+xRlC2zqx/CnHOR4QbmpGzquN | ||||
| jOjWtGJJKscfS1VZPuM4b6OHWK2U4o+SKAjxR1ms8MnHqiAmU4ilCn68K7Gn | ||||
| wGszGNsgD5MomoVnp6eLxeLEieYnjhedBrZ12i90Da1wdwIDWH/G7b/TLwRo | ||||
| HAMMfI1sa+L5rj9eEpBd9lwZhlFgWhHpLb3IfCNtP2KdrzybHCm99onw7Szu | ||||
| 25vZlvPoWKwDCMDQDB2LePEQ2ithGX4uMA41+oNCnzasOCwUQDOwJbQDxw6R | ||||
| qskitDfp2kBukLMRnfmMrPGDHr2r04ahnZFKRZQKwhnOR0lW/SzJqr9GMiQK | ||||
| sT3LHznemARz1wZd2yKOSoljJN262I0cqUb323E8kWZ6vgcj3K1eGvQiYFqI | ||||
| 7oQRtM+dcGKPtrrp0O1fTPVqHtXlglCgVOcKhQLoGhMhjutPnJCAwZtTCxEy | ||||
| igCgpkfMjOUxwbylDMlsw/bElpGAZeSGS2iw7CBixLUJWJcn24pOgBEhmZkB | ||||
| neHuROarmW62F/iuiyscwwTa6gkKqkLJBZYAKK18I9Fyhlxwl2QEyu+NYNrA | ||||
| h0mjiRnBr9WSCZyAEbamoaRdLT8I7HDm4wyRT/tEfmFoF2K4gIOz+dAFqYAh | ||||
| JyhoYLynNrFMmJJCqZCpM55ExLQsexZxQCZn7MGwNbUeA39KZ84nSQ2Ia7+B | ||||
| e3HtY7KY2F6WeFyCiWfbAGRoA/1wglSXkDII1zWjeWBTKQRwiQ0wAOzhJCHp | ||||
| CqYYeWDy0CavpuugwI3IwokmMZ3sVwet6ZKAV5gjOqvZ01jgupTaYOtXgDJ6 | ||||
| wMTmyH6ZJ93gaQhfkSA4pelZNqEMs7dhTa9xwiR26oxGrs1xv6ELCvzR3KJi | ||||
| 8VfJL5eSDLJHfreF9seP2DP8/MmtBRgmjYCTI3tmo2jBKteXWu83gWf90b/8 | ||||
| /Eli6mkpbneRRmFEWgCcObZROsCugdB3W7VvbDB6pJ8/s8qUUR0uozrkF1WH | ||||
| 26k65HOqwzHVUVwMHaiXdZeJ6pjLWHHIHsXhcnhBLNd0pmhYnz1/4dqjcSxO | ||||
| AFkKVFj3lqpU7hyfViluW6U2gd6vWdyvaBbZ1Czur9KsjO0x1+sAW5A2MX7b | ||||
| 0MUCAOGH44GukVazoPcU7qgFiunahSaonmPZBfCnNjrEsROBx+ytplLcMQrk | ||||
| ZPotZV0pjc1tKn+08KXRIrkLcxDkFsD/mrNw7jJVaEFsYHpOmFk4tsHg2YFk | ||||
| u+jBfYoehgbkIEeG6zozAIho8+DVTgjBHUyI3byjK3LZFes5Cz6CHhbqNpgG | ||||
| 08vgzHHKToOI7AfpnSPzHI+4jj1PBGoO8uXGBsN/5NKDEtKGQM8+Su5qdrDQ | ||||
| oQM0Xa71xYRxAQvXEBGcOmCWDzhBA4r96E/McMOEo3Jtj0mZgmNKV8qpDdAo | ||||
| RPMQjYnJrRm8ZfEWuOhaf8OJv/DQ9AGtHI8ZyRVIXEwwqr/5vqQBaLquv4DF | ||||
| h8tNRwDZGbBqyVGLjwnLz5/HrI+CQM/sYOpEaFlg/diCRugKU6itOUf5xa0M | ||||
| /JrSuWTMEi2cWxNgF3M9mC6B6+E4yDliqU+1w/hHOwhZhGQmoh0mRtl/dUb2 | ||||
| SnbS64IV47KymoYh/Btkdgv71Q4oBcLM3JCjYjYDYDrId2YRQXI5anFznC4L | ||||
| 4szRyEHxYzRNzQdUS2M08nF2CG1mM8jZmVBmLMpK7FOTrInGzFOsEKt4hEvC | ||||
| lBGTm1QEc0x8JknMFsHUo2MqpBvoMYcyhF5cgiOTbhAQiBQygQIETb+xDAjD | ||||
| pRQcEAA8Ol4OFLji2PbsgPouphkshfrxA9NclEXaShX344SHDqvyCSx9FF6W | ||||
| ojGIkKwLPwBf/KU16PW/HLO/SfuKfu4anUGja+j4uVdXms3VBy7u0atfDZr6 | ||||
| +tN6pHbVahltnQ2GVpJp4r60lPsvzDJ8ubruN67aSvPLNj1QyhJFhygGjEBE | ||||
| jRg3skMLiMloqGrX//f/CBJg+79Q3AShChLEvlSEsgRfMLxnq/keWBD2FWi4 | ||||
| 5MzZzDYDnAVsAsQPM/QUmGGEsZ0BcUCP/R9/IGX+cUb+c2jNBOnvcQMinGlM | ||||
| aJZppDTbbtkazIiY05SzzIqamfYNSmfhVe4z3xO6pxr/879cEExSECr/9XcO | ||||
| g/4r0P5Xx15wHA3nmEhGhwkzMG5qPtuZDMAc+vOIBWRb5u8DL8IspG/BIJza | ||||
| H6ILJtHC5zLxY8b+OOEZxwknzC/GQUWiYCy8XrsdXH5mOgEwW8yOgEwfoMXk | ||||
| ZjVx2mNgWEEVL04hjrQeqF7smajjxroAGFdYF60gugjLnY/ohOv1qbV2aFYA | ||||
| WVY2K1w7RIzNcbowsmdEAFiLWVhDmvdQe9TrJvmBpjDhdxD7KCRD03reFVOd | ||||
| 4Oz9DGXSbjQFOoIzp8kSMHDEYqxViHVMcB7P97r2bD5yTGb0wYii7SRHoY0Z | ||||
| XM+m2SSRTsQT4aSI86ySum+Am7SPc9vikuKg/DEHgTxxHJfIdI4AskQKMGHx | ||||
| aj+m60r6w4QgG0qR8TQ/fuAD6qepiuB8iZYkQVuSGWHYAomnNYmx9EEdaT5G | ||||
| GV5MwbDmBJWHX5CjtRCVfl2ItoiG0KTliUG8P6zcIVUx4cG1OTOwwyxkDrBJ | ||||
| GQc2sygHihLEHkx8XGZJaBIYHJSvAQHBNQztdcXFDHPmyNcmGm6uO4dJb7Bb | ||||
| mbyXSxYZORjM0ZAkQpO7WcCa0fg0meYDNDLZN/VX9tvMNZOoGa3pKC0zNPUA | ||||
| foPVdx6XmYIesH5VaTLXJQUqsSHGF7+4Y0J+/Ea1YzNGohn2gZVPBD0WIapw | ||||
| 2apDHHav/BFi9ehjBoCKv1oDPMXfubQW7OPrJsW4pOSwMcSPnWIePHTl8JhG | ||||
| zOgVWaSOMNFY/TheI9qRdB1SGEolt4zneYQ5YaSHBIdKCKQ4WNRPgYyLzkww | ||||
| IjGSceqQRTUzM0ZPWQuY6Gcpo5lr9cisxtHVgGyYYdBFU8qQwBnYlEupxGoF | ||||
| 1N5axga6+xhn5/JtFQRxKfKuis0fmIH14wx63D70dvMsEdVYofNFNQ4hUwaM | ||||
| xAYs7XU4ZyfGK+iXNCDPWqg844QIrEJ0TCITzLA+N4IYHvMQe135RGOYhgW0 | ||||
| eQTzr0wQgoffo+WakCwfn3s0OwNx/9S03IoSbNr94pVPf4Bjpz2kdIJsJYwL | ||||
| AjtmiXOQmEHU7e+Zcx+T1yziDmcROYxF3CYtc0DbZBfZZhe3j122Caj7+yga | ||||
| L+GAq9xYBKUZlQlaRnuJtM1l7kMu36ZGsM7hxiZF2viY3sozB7YZ+l5IwARB | ||||
| zspB4vNqrypJkFrO3dGqNuOkt1H9tEkD375KmeIpucTKMXDiMaYTB3oQa489 | ||||
| P8RipP0IXSOsCzadZ3vhhJsAcK4/3pjKfgWihid/yhtPYvOycrJcGAVzC9kB | ||||
| Tvaf//wncMzDqgiEd86oYEaF1dRXj6lQ4Uq9MLQ+aehGu9+oNYwuOTv7nbBN | ||||
| 1h9EIEXwJgKR4I8ISb9IRPj0k84aQwPhxXq6dUCi9PvdhjroG3S+H2zC/v21 | ||||
| kcQl+eNYvxU0OlHv94LPQNk7JQWgZ3QGRlszEkhoYTSAlWhsp3ijHkRjptue | ||||
| T4d2EG+IowDSffGUICb5PC4MRGYspJmPhzxNBHMN0BqMFQgT83UrQMLdKhCn | ||||
| kAZIDLgz7iwdftKsBXODTMGVQk08Cvb+IBknxu/JtAeF0gfF7kCtzeidHB69 | ||||
| rwwGzdlWpCQt5R5n9FkpONnr2u2BwTrFfemM3IrH8MAEMKYsoIjdFqgnapCZ | ||||
| qnGu6x1YpaIhA5fJssJVsMh2t2hArvkearODZggVOE59483bMNb49d4ttYIb | ||||
| Y/IqPhljwH1gDHbVg9mWe2zm2BbAR7tmKM/bBRgHawzMBJvuwlyGsf2BBDEl | ||||
| /bSix4SaCbKVM0GDHvM424qNDgyh9jsfPIy2HnB9iYsxNxyXITYj9lQ0u0GW | ||||
| VckbJ03qz6maBJ01KUzst4VrrqZjdpg2p26xLlokloBiudpM21bfFaAMpCGr | ||||
| Z3x0CGJFAgbGfruxerK9OnjcgOzi80b0//nVjzcs3mFZUkZrV1QJ5xbWNR/n | ||||
| 7uGpU56G4x7E/4B6U6u1sf2xrd8HpWVrv8M2PqLlLA6nkzpzZicGV2UVpiXz | ||||
| XfabaUVuKsBfuS/KrpAd3YuVN1XEdkJrHmIuHwdqQxZzLTm6t0aLpVPHNamv | ||||
| Q+jWhEwitq49dvB0F20DxkSB7673tVZ7QpnwJ7DHWhS4hc/EKzQA2DsAZ4bA | ||||
| JJn8E8EVnXtPTMORdWRBGf6XmGEYlygvfu3b05m70o50fTVVi0rpKhaR1ivQ | ||||
| SiZ62PQBjrQRZ2nW52w3rX6R1Hp/0m5TyzXzZytvc40Vnwx/6Aoo51motPpV | ||||
| QzMSZ4JThM8NbwbSmtiSOO08JtdX11fx3gSATDud4OnHtfXD/drYK9neCMQ8 | ||||
| nj3dtHZ9oR0lsp6hHDXnbB8N5T2ZcWdAtYuMkFb5s1X+tCq9Z6orafnY2ENu | ||||
| JAliEAtOkpOaGfO7dkkHu6EP/fqGy8nlzD5Ps7VA1k38kqfZiIL/nKf5OyTK | ||||
| 43R09O8NNn5bHUtHwxoCZ5mZDZklOnTRZMN2dcgmFVZzu3KOa1YOXZVlt5Pf | ||||
| LOc2ytKQsjsuPWwHFsplW/XDJe2feN4DynvhasChuKKi2pArxAlFqpT82Z1X | ||||
| 6l4dWmIZ2gjCCGM4xwsj2xzRw0irujU9Ak5PaeeQKlUDjdFCB+H6ITvBBd6S | ||||
| 28rFNjeA12qCpxwPIwVn0VoL8Hx9tAI5gIdl2GkPPMxJ0XSmNvAqsF/99dn0 | ||||
| KE6iwQI5eLhtZ4aHHenpAugaxYpkjvGYWMTOpQCqNAmPsWUlxFVp6dV/pvtf | ||||
| qbUOqWIx88yZbujHk9AUcW8qFSeLCxsNFpX/2O5xB5J0dXhruNp6yAGa247u | ||||
| tnfbV75893Yujf7sNzAX8bkrDPS4wJ+PJ26q4hgmJgKCMNsbRxPkqE/wUlCQ | ||||
| KgpvlfjXoW5ckcfGhW0+YyiTnPPd1NP0ud8oH7GYM3geOyIu2IGIWj1gPQbD | ||||
| B+xh4zk1ZDE9rBZu1vo/OKboZ/YSEX2P+2TMQ8XssOr+J8vvW2Vibl2gdPKx | ||||
| 3lkO37/nyWKT+KzaRkH+QLS53RXzXLQ/rpL/cgGbns3Ao/hKW9nwhOTHb47p | ||||
| mT/Z2WKcgeVP7IBuMis42RmejHfeCpCDCDne9phN7oRcUoFmRx1DBAhP9/ux | ||||
| FK6jraOrhv5tFYBM4wVTz/uqzn9jBwNNolMKzhLz+gWyDRiSueG39hnssh/e | ||||
| c/vCsjwO1tpcKi6mD6nlQ8u9puKXXquxjh1YDaxxFxOFW0eMXzATw+xtSY6E | ||||
| k+JJ6UQ4keG/8gn/Lb4Igccd6C53mqw/fsvSM869M33mYU7uvZJYZkTZZYaq | ||||
| IAJH0CCyo5BiqbKRMu4tJlM6cVgad0L/SPi25sGo4Adj03PeqawcFb8Bu0dH | ||||
| pW/sVJ1nR9A7vu3ESHUkf0sdLMZvs2fn7aiMcyK7jvhvSap4CPOYBGBdWjdq | ||||
| jXYD69Q90mhdNxtao0/6ynmPpraqcd5oc5xxd33V7feI0mz+Dcxgi36D9VZ5 | ||||
| MHyuda9alJkFzZ9O2fXJsIAXSQkwC9j/R0zRf3Bsu+CXafJ5qqzpAo8ZeAVe | ||||
| PJLL39iegJaJzFeYCMYbRIiWE/3/iIZQsBPoEBUhRiV3jyJBSguWs8gfB+Zs | ||||
| 4ljxxRp2dxIwFHjE8I9YzjfQm9o4T2Hoj5ZH4jdQoaOKBAIUhOYodI4EoShL | ||||
| 1QRIgN4KcRD+XageVb+RcAqR3JEAVGAmIlyjlOBkTZm0HMkVQIX8DZUc/t9x | ||||
| UTd1mmV1ygUHcJ/evuL2bl19dt/qoE2rT+1YfXK76sO9qo82qhjV82pnpMcO | ||||
| f1M6Q4e4uWfnFMR+HFZJOyYnJye46i/U3bgPi26/XHLbW3DDH85o67Tw9uMM | ||||
| 8pZ5YNmWP7ILUzN4toPwd3bh/Sd6J4NdoqGFo+ytgl04rsQZj8jRUGB1EYdV | ||||
| gdzHQhzt592Toscw2K4uuslCgdpwohldRFFT+gZt5VqNhlrWNU25uxwri4aq | ||||
| jBuDpiBVlcFbfe4ZTfWhZTSNzvS7E44vtc5CG983Lv2HxvsTbyiL1oJrvxvN | ||||
| lvJ8rggDQ520tJub1pvxrnTVcftGVfy+9nwj3d8Ki+H5YNzhjdSzVl+btidc | ||||
| c7rqsKhPrHbrabBo9ZX31pOybL8r8i22vW+0PSnFVidcaJ17nbvpdM6NxcXN | ||||
| 4N3otwBNhESbtC67d5PJ8E4NH3qq3umvnylvrct70Zg/xM+5h74qtlTlXF2+ | ||||
| nPdagPvYOFd7c1VVFEcRG4qqvz2M1NNz13obPQuz0sWj8CTbXqnz6Dr31ase | ||||
| 9/j0MIye7NNFqSVXrtuV3rB4U3M9IbgevepCeXBnm++982o9ONVfirY3DOv1 | ||||
| K3527UVW7Wo8rHhcUOlWmoPzyVv3/cl9ezaNi/b3mVlqP5ZfnqXqhW6brdOW | ||||
| zi/0xb1+0+X7Sqd+qiqDhbIw1NN3pckhReudigFU1ZRxZ1Hv0I5Xqnpv1PTS | ||||
| /Wuz+VrUO8NX77zHv1yXhsP35cOz9tJS/HNNeznnEG8YrCviWGmdD7TW+eOw | ||||
| JDScsX9R7OieG3ZH/nPUNeo2r8+mJf1yUXy5WjabJYW3apfVB25cmQrCW2Px | ||||
| OovcwPRkcdx4Uy6Fm+Dq6b0b1px6dxZdfR/X7sKof+d1ni/VoXhavO28i70X | ||||
| q9E75dRbY/Y9dC6E6tXdlfteUq51tbz4/XcmvqBp28JLa94KeD87dQYZKwfs | ||||
| vlnOGXIarHrHhA1Kjh9zv3qAPD49jjcfNkp26fs1tCqfORm851gwi8fXSGxW | ||||
| fOKp9us2wesORq+/1vFJH3S8E8IfZXGtb6us9q5cMLUc9xX3QW11lYU+BiHq | ||||
| dOqcsRg1Hu4u5g/n1XmrIy10hT7QjcWNOjx3nz5SIE5tKNb3knvXFlqN1mlF | ||||
| 7Ni37aEs1/n34Lt7M769sWv88FF6en/ThnJLe7oxW7xdM16tp7vWjTyTuOf3 | ||||
| F+eiX9f4G/FC8V/uW3eneqvWsBYP5bfr6rwzqtqz0uXD9+7dPALH3ax8vxU6 | ||||
| DaFz0dPbb0q7y4Wm2mkZ0rnWAxAbQ9AF40J/qqktvcLQWWlVY6HoSjOtUKqk | ||||
| LLjGmHbqqmq4OL837u5v32b34o3ycCtMzNvFypo89OSnochvGkqdMxVl8dBp | ||||
| LK5NMbjS7BJvj5SaVNROI7ncuK24znL5vVStGbw0aSm18aJ4bn73ut8r7/p8 | ||||
| EN40F9zb3blSjyxdeTKUUnP42n5+ePJLT+K7/NZtPAX1d2N4PnZupFZNeou8 | ||||
| 2WOv121II5V/78vi8Pb5ies/hPOecH/beH6KcrUqKzbrHSWFnV4Id9/39JlG | ||||
| HeZwtIt3EEaztHI4j8Xe06nSDqVJV7qruZP+9Hu78vxWf6k///scjtzqW4vW | ||||
| e0eiDufpPtv2pFTyHM4KEk0FSJ5hNV25YqtZfZWfuNZUfh6K0pv+pLQSKDh1 | ||||
| UAvN27bbqt8vDOW+HuMHynlfu5QMQ9Ea+v1YMcbqe/nlxioOFuP30/cHVb4X | ||||
| Xr3nxz539Vq6uVUfbqS7bnTqXF8bF6/Pi8v2jf/elQa96rJtvd1NPad/9dJw | ||||
| W1aze3f/rDmz8dtjpbUYTN5Vzns1TkVZLQolz595cs0uFYd3g9d3eXijPN0o | ||||
| bqNVNBTh/M0v3i9GOgO93gUdf6wYypOicC0lRLxH+qIDbGnUx7oyYjojGbVx | ||||
| Z9B44xX+sRxp788d42F8/14vtq2W2OTlxqK+QCJ2+SdVHS9qvjK4njmVcH5q | ||||
| tdX5d+uh2fNPZ9Hr9cW0c+kvaszljcGYLBgRZ+PJ81jlHjrg6vogErELW3sw | ||||
| CzxYBzzY/HSwnI3KqnnjDZ7UYmkQ3VWn8sP02ilXljIndJXK7WR49cpfdm4C | ||||
| 6z56kl6uRk7r5lK1/BvLXoIp6F6UBlWBlyptZVj0HKtuBee1R2FwH0yGnO4u | ||||
| o0sp0ky5rr7ppy/KeCmd2gOIT9oPixuzeVmuzH/Re9X3lSAzTozLv0Pz4aWY | ||||
| Q2vK+A4Ox5qQme/gYTUs8247WC67N7Pl8FZYbd3qzjpCbut+zF/tCI0WOsLy | ||||
| +F/mCPmWIsXOzwBhHQTjTkdpjNuOonRUrrvs9OvfrRchlGtVaV57qdllV2i+ | ||||
| nI8MrQJmz5Zv7lXt8VLRKq2LZa/TehLOnTfDuGt+F26fojEnFu9evQt/run+ | ||||
| W2+ma73Wy2Px+XUmf/fMVrE8fzOLD/djvaRf3xentmw8vC4frl973Yt+zT1V | ||||
| zTE3HjerrXNr0xGaLXA5HzlCZTH+vCPcVGAu0eCVAoNHeFbuLy8X9yoGEcG5 | ||||
| Au3nmuLDeuOLSsuoLNJGn/sVq58y+hpXq1d5/3ShD68aA7v29nA/kF+fHi9a | ||||
| 3dJEPsQ/cfsc1CH+iTsQ1J3+idvnoA7xT9w+B3WIf+L2OahD/BO3z0Ed4p+4 | ||||
| fQ7qEP/E7XNQh/gnbp+DOsQ/cfsc1CH+idvnoA7yT7vAa4r9dv160Ly1tJ6o | ||||
| vzxomtOxe4s38eK62WoI0o1TLZchi+SCxvRFnvH1omq7pUelV1G9Ds/ftjFM | ||||
| ndR1xbWG3Xl98jK6LU2vxvpIfr41zs9fxs5bY/5qGBb3eDP02pqxNAzJ46ed | ||||
| avW6Puh6d3598VL7VJgK7mBEKzDopmK3QAjhicCXi2cb57klQqqyeEY2mitY | ||||
| 1xHO8EB5u2+cG12Cbw8TBGgo8dic6S4UsTftDg/6rE3Gb1XattG7jE1F9iSn | ||||
| 6hS/xK+NO1BHIpEBxhLWR0UR+4vxuOsAHDFe1+iBh4bs9Oug9zUpohISdyI/ | ||||
| t5qwRSxtwytWdsFb5PfDSytjV8E1njPwLDsNdwXhLsp74b5RDoa7WEW4Sxm4 | ||||
| JeSJIOXALRX3w42bUa4TZQhdRoAlSoryLoDjVy4eDLVcXkOYQC1TTMQcqEvC | ||||
| R9KBGxZpmIsIcwlZSuRdMNMY8WCIMy3YUC6ivJS2BL8sp1FLPyinwNlGgr2W | ||||
| B+vsQhFr64KIOFSkvYNC25oVK1IgrEfypCh9y0WhimSsVmiL2uiTXr/baJ9v | ||||
| duUlwgtEKhNRQiUWasSAzwrRS2BoiCSTWplUVFKRiVIBPm4OV1VSLRNZJIZC | ||||
| hCrRBcKLpCagnKoGKcNTmcgVXEUs4xWrzdV5ItYIr+FTAKAK2IikqBOphIuC | ||||
| sYGBskbUGlFhnq3hRRVsEdFV5IJRI1WNVBUiGoSvkKJCioCXgnNqIgr09urV | ||||
| GtEBR5UYVcQafuswqkjKBjEMogHKOtGrpCQinLVt4DVSK5FimVSr2F+SUARr | ||||
| Gn4tGqQmIQdEGcEoARm1zeFCKUfOBORauUQl4A/+HyhJApAQDHdxS8SEKhWx | ||||
| 6g5p2RIK+y2yvTB1DBaESASRA7dA96tACuEPSpPIo/5X+UQ5qcaKAlrBSiWe | ||||
| LQ2JKKBhTpR58xmV6USdDwEUfujbSPEAQRSYNN2imi4CfLitJgpVSsFVf/Xq | ||||
| qmkobdLvQlQMbiLjJ2BJrW8kCnCcek8P+EeEUKQQ8uvV1/BvW4eYUdutP3Gm | ||||
| lFvZpANzL3vogAndgL5YYIWsjMgWqRWXDsUm62xIWvnBZsw9erBw6ERhLmpf | ||||
| BR5+vqrkCLqQHNOyF3/qnopSLv5Sxqznmjd2MEVxo7VxRyqgSxIlJK1YPpQK | ||||
| 1IOJch5P4amMoiwWUyj9IfyDfDXRR/w3fWnwSbzJhK8KzvEaO6mwmzbUU6zX | ||||
| zMBTzgREB+pIqtRA3wmGVygSmhXRnYgVqpalQ2lGvY8g7aBZhcp2Sq42HiPB | ||||
| BT5NoG0O5xOSAAAR7jewV5shEkKJGSaYET0dekjgqFTJl8ddvPgki7Yac9py | ||||
| w4Ui+Acw8klYtqZKkZdSVPmYq/nbske52/FACsgKYV0pa6eLIgJTTLieAYda | ||||
| unI1TwaL1HbJa43JPqTcFdKiwRZjoXF1h1QUi9QSF/dLxY5wv1ikWpGWuANj | ||||
| /l3MS9jFIubqNjY0YBbKu7CR5I+x2QFN+hBMGlEBD34UqT3KKs8WpsnOuZaX | ||||
| LXyEcUncgXFJ2osxC6o/5F9eQF4sCx8jZZmJof08UjnNiGoFeSiul43T163+ | ||||
| 5RopS0QpYsjGg35pxACtggSogiEnpCeQh0gGKdVIRSc1cWu8pGHYDFFxubrD | ||||
| nki8jBqVGw5IfBXzMz5X3SQhk7iRVSwosZw6pYer7HwbwBUYQiVLkX8PSSRp | ||||
| U6gzKErUMlRSsB6oSrY1Cs1bJ5r06gokQ6koluclKnwsH9xBDBnXlXcEBpJM | ||||
| 1UHIqEOfPaGakDZ0GyM3wrtPYER2WUCpROUgYwE/YwJ3KQ8lRIkm5dUcVEs0 | ||||
| NS/vRLW8Ecl9CtW9hlAq0yCD34/wx5ZwL+IsUslDvMrvR7y67c0+w+M8KynR | ||||
| JO4jjD82k/swzmuHZnxhOda28lVBpqU+IY3soK/hDRTCV0954RTPzSKxIDOF | ||||
| 0Oy81YcxLP/ZO6a0MWYXcNK60pgDnJSqNyaP++xJuuqYN3Ij1MafP6unsryR | ||||
| cOLPX6SnspzNKVOoyumCZQ6qpUzZ8pOoflDTlEubaWYeyrmVzY9RLqWqnFmU | ||||
| y+laZw7K5U3H+RmUd5VD5XKmHLoD191F0Y8RrqQKpFmEK+kyaQ7C1T9ji/NN | ||||
| klzNVFJ3oLurnvohsnnt0FziaYW1kq/wJZ7WWbMikX5MtTrDoUOpYFvXq+u+ | ||||
| G7EEy7JKwjY9Dp384Irtmg4iinA1HRjtrt5ifbQC0GqkphKlioV2SJrkIq2A | ||||
| QhhXgwge9wcMGSO2Um1rfNXAiE0vYr20ZsTVWsBXlokhYDBY0rEdYNJqQJTt | ||||
| 8SoxJKLxGDTCGPhdZOGigIXdsohbH5qGcFUVaN8eT1dWxLhQqolYQpZ1AmLP | ||||
| AycUIAS2Q2CqQc/t9cHwAvKagIhg2bmG1WBw42VAqowUMSpEKWFFF9hZVrfG | ||||
| Y4VXxQUlldSKSCcV1IBHakFOBkBBMq3pRJMwHpaFrfHqdlPCyLK4KdB/FGkQ | ||||
| Xxbl1V5C/JOW5bJIjcFOlS+LtPj5iyq/v7BaLtJSqJAZky2ulnOy8g8KS2Va | ||||
| FiTZGOfDImtMxvwnSF+WxQs76ST9GV+QX4sts40x6TPI09x+g17pmmz5w5os | ||||
| /nwVkposv8t4fEAumtqIO6OFsryd6n8iWmClW3yNQ+peXUI6tHdluq0nfkpu | ||||
| Shup/NaYLXBA5wQdt2vAjIDdMuCziptRAm5yoDGBXBjsUVlHrS5v2xNoraho | ||||
| D6s78umPqFxBP1XcLZSVPxN+msk/2JNP5yIVUZqkiJ8S0SoVDXGXfmIPWn3f | ||||
| 4ARWJbZALRpIZlUjqoh7crqGHkFQ6XYgcAAMvEgrDAq6FnVrV4zURNxGAxOs | ||||
| bG24ZSi949E+5lRYIaS4izkV8c8EzB+W4yviVgzzEWcq4lZguAXzdoC42aW4 | ||||
| XYj7FGbkr6jQ489utv0iR3MffLZiWGHJZH4prsLyyZQXP4xsv16lQojk1JYv | ||||
| /qzdRY6MYBoIs+YHzhWaBErpcHJX9a+k4kY7BI+ighGRoSGPISKs6nT7XCB6 | ||||
| jSggzhAagV5vFz3VKmou2GyDaj6YWWjRZbS9RQgBFZwOgII1JJFUc2K5ElHL | ||||
| aKDVEloRgAIMt14hFRgsEYXHGqQiYCwpGESDWLIqHIybJGGECHauVkbcihVS | ||||
| Ax/Bo2HSDQxYqxo6Dk0hWglc/bZV0hGGkkhUiG1VwhsUGJ2IKvoLwAeIB6kY | ||||
| EAlCxeJ2nG0oGM/yGo6HuSDOhPAcQkqIf+UqDpPpiQeRskA0/kd3s7Itmw3w | ||||
| vVpaVXbTolYtrUu625sEv6IQuBbkELEq7FOCalleKUEGJrqzKrHEcIdwlCR0 | ||||
| +5hDyRgtID946qjoKZJqFZMpsUKziioRtzwWWFfoCYzUVDwoBpkD5j8lmv+o | ||||
| GIGALwSnpmiY1Gw7NaOECgb5K3hKoYwKZlRROAWR/q6ilEI8ImEGxwk8rbBJ | ||||
| 1X34QPQD9C3zFA0ZBRqCIZA7AKuk4FGZkoE5EeCGcZKeAxAuJqEmQn/QOzyK | ||||
| I+K5GsAEgm6Bxk+AoQHZprQ5XBTwDA9opmTgqR7w9kDfoo7nYSBB0yU824PH | ||||
| dSp41ojfIkdlS/dyBDD9/Wf+9ZwP3z7yqWs6eFTeXB5wTcf/N1/TafeVxeY1 | ||||
| Hdr2L7qm08ErAOzoc2eRvRuq1OoXautRXga37893RUe69W/K87vB3H/g+E7z | ||||
| 7Wool92bsXFR8ZXmYuFdXCjL64HZNDpd67V8Y16J+nBkf7emjtS4eqpdPrcu | ||||
| GsvZqd377nlcaeS/P87LtWDkOsq136o+2Q/l5+709OL5e/XCcFu3d5XaS1uk | ||||
| EOYc3uc2T+9n7oUqXvPx4tUzBtZr8868HugPrQe3c/r+ULxtqRV6fJprLDr3 | ||||
| LdVU9l4iVS3auaF0Oi2F3oq4vG88NJTbgc4pY2PR0pVLdTx+mTw/XV13Orqy | ||||
| aHuKrj4rT0q3IzfnN6Xle0WR9QfNdYXe6fjx7eF7p3fhns4uLc7qN0u9USA0 | ||||
| ekJlcPp+X7kZXNiqWOc91Zw2F1pL7XZKoXE7a/u23a2ovjfz/Qg66qI77wg3 | ||||
| nPhkv07vQ091Jpc1fmQPx4+T89dJ5bYxVrulqv4w/viS6W9EsVb/sCbqVYh3 | ||||
| vtk7lO3R7188/wt9yYjpPePhY65nmx7pzwMPb9tf+DZpmd7Ido+5lvNsk150 | ||||
| 4U+8MP52NffChR9EE+w58ch5YC6POc0MXHJruq5p2fDND0CzATfPdmGWuuk5 | ||||
| xHh/N0e27R1zuj0kmu+7Noxr+RP6vhrVn1vmyHQC9pJENfBhZt8bLUzPTF5V | ||||
| 7gT48hP2EnB8HQ77p5PxNeP/D7p0QS4afgAA | ||||
| </rfc> | </rfc> | |||
| End of changes. 55 change blocks. | ||||
| 540 lines changed or deleted | 101 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||