Electronic Data Interchange-Internet Integration (ediint)

Internet-Drafts | 4 Jun 2003 13:57

I-D ACTION:draft-ietf-ediint-as2-13.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Electronic Data Interchange-Internet Integration Working Group of the IETF.

	Title		: MIME-based Secure Peer-to-Peer Business Data 
                          Interchange over the Internet Using HTTP AS2
	Author(s)	: D. Moberg, R. Drummond
	Filename	: draft-ietf-ediint-as2-13.txt
	Pages		: 28
	Date		: 2003-6-3
	
This document describes how to exchange structured business
data securely using HTTP transfer for XML, Binary,
Electronic Data Interchange, (EDI - either the American
Standards Committee X12 or UN/EDIFACT,  Electronic Data
Interchange for Administration, Commerce and Transport) or
other data describable in MIME used for business to business
data interchange. The data is packaged using standard MIME
content-types. Authentication and privacy are obtained by
using Cryptographic Message Syntax (S/MIME) security body
parts. Authenticated acknowledgements make use of
multipart/signed replies to the original HTTP message.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ediint-as2-13.txt

To remove yourself from the IETF Announcement list, send a message to 
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,

(Continue reading)

headers

lstoeckle | 5 Jun 2003 15:58

AS2-SMIME : has the certificate to be included inside the signatu re?

Hello,

I am new on this list - and I need your help.

AS2: when sending a signed message (the original message which can also be signed, or a signed MDN), has the signer's certificate to be included inside of the signature MIME part?

Is it mandatory or should AS2 compliant products accept both? (signed messages containing the cert, or not containing it, in which case they would try to find a certificate on the local key store etc.)

Regards,

-----------------------------------------
Ludan STOECKLE
DSI Groupe Casino - Etudes

04 77 45 48 01

lstoeckle <at> groupe-casino.fr
-----------------------------------------

headers

Jess Sightler | 5 Jun 2003 15:36

Re: AS2-SMIME : has the certificate to be included inside the signatu re?


I can't speak 100% from the spec on this, but I know that iSoft makes
sending the Certificate with a signature optional.

Based on that, I believe that it is an option to not send the cert.  I
believe that sending the Cert would be a good practice, however.

Thanks,
Jess

On Thu, 2003-06-05 at 09:58, lstoeckle <at> groupe-casino.fr wrote:
> Hello,
> 
>  
> 
> I am new on this list - and I need your help.
> 
>  
> 
> AS2: when sending a signed message (the original message which can
> also be signed, or a signed MDN), has the signer's certificate to be
> included inside of the signature MIME part?
> 
> Is it mandatory or should AS2 compliant products accept both? (signed
> messages containing the cert, or not containing it, in which case they
> would try to find a certificate on the local key store etc.) 
> 
>  
> 
> Regards,
> 
> -----------------------------------------
> Ludan STOECKLE
> DSI Groupe Casino - Etudes
> 
> 04 77 45 48 01
> 
> lstoeckle <at> groupe-casino.fr
> -----------------------------------------
> 
> 
>  
> 
> 
>  
--

-- 
=======================================
Jess Sightler
Senior Developer
Exim Technologies
131 Falls Street
Greenville SC 29601
Phone: 864-679-4651
=======================================

headers

Rishel,Wes | 5 Jun 2003 16:23

RE: AS2-SMIME : has the certificate to be included inside thesignatu re?


What is the benefit of sending the cert with the message? If you truly want to authenticate the originator
you have to acquire the cert by independent, trusted means, don't you?

-----Original Message-----
From: owner-ietf-ediint <at> mail.imc.org
[mailto:owner-ietf-ediint <at> mail.imc.org]On Behalf Of Jess Sightler
Sent: Thursday, June 05, 2003 6:36 AM
To: lstoeckle <at> groupe-casino.fr
Cc: ietf-ediint <at> above.proper.com
Subject: Re: AS2-SMIME : has the certificate to be included inside
thesignatu re?

I can't speak 100% from the spec on this, but I know that iSoft makes
sending the Certificate with a signature optional.

Based on that, I believe that it is an option to not send the cert.  I
believe that sending the Cert would be a good practice, however.

Thanks,
Jess

On Thu, 2003-06-05 at 09:58, lstoeckle <at> groupe-casino.fr wrote:
> Hello,
> 
>  
> 
> I am new on this list - and I need your help.
> 
>  
> 
> AS2: when sending a signed message (the original message which can
> also be signed, or a signed MDN), has the signer's certificate to be
> included inside of the signature MIME part?
> 
> Is it mandatory or should AS2 compliant products accept both? (signed
> messages containing the cert, or not containing it, in which case they
> would try to find a certificate on the local key store etc.) 
> 
>  
> 
> Regards,
> 
> -----------------------------------------
> Ludan STOECKLE
> DSI Groupe Casino - Etudes
> 
> 04 77 45 48 01
> 
> lstoeckle <at> groupe-casino.fr
> -----------------------------------------
> 
> 
>  
> 
> 
>  
--

-- 
=======================================
Jess Sightler
Senior Developer
Exim Technologies
131 Falls Street
Greenville SC 29601
Phone: 864-679-4651
=======================================

headers

Jess Sightler | 5 Jun 2003 16:54

RE: AS2-SMIME : has the certificate to be included inside thesignatu re?


I was primarily thinking to do so, because it seems like it is standard
convention with S/MIME to do that when used for email.

Anyway, as a side thought, of course, one certificate has to be acquired
through an independent, trusted means.  However, that certificate does
not necessarily have to be the certificate used for signing the message.

Ie, couldn't the trusted Cert be a signing authority, and the message
itself come with a separate Cert signed by that authority?

Thanks,
Jess

On Thu, 2003-06-05 at 10:23, Rishel,Wes wrote:
> What is the benefit of sending the cert with the message? If you truly want to authenticate the originator
you have to acquire the cert by independent, trusted means, don't you?
> 
> -----Original Message-----
> From: owner-ietf-ediint <at> mail.imc.org
> [mailto:owner-ietf-ediint <at> mail.imc.org]On Behalf Of Jess Sightler
> Sent: Thursday, June 05, 2003 6:36 AM
> To: lstoeckle <at> groupe-casino.fr
> Cc: ietf-ediint <at> above.proper.com
> Subject: Re: AS2-SMIME : has the certificate to be included inside
> thesignatu re?
> 
> 
> 
> I can't speak 100% from the spec on this, but I know that iSoft makes
> sending the Certificate with a signature optional.
> 
> Based on that, I believe that it is an option to not send the cert.  I
> believe that sending the Cert would be a good practice, however.
> 
> Thanks,
> Jess
> 
> 
> On Thu, 2003-06-05 at 09:58, lstoeckle <at> groupe-casino.fr wrote:
> > Hello,
> > 
> >  
> > 
> > I am new on this list - and I need your help.
> > 
> >  
> > 
> > AS2: when sending a signed message (the original message which can
> > also be signed, or a signed MDN), has the signer's certificate to be
> > included inside of the signature MIME part?
> > 
> > Is it mandatory or should AS2 compliant products accept both? (signed
> > messages containing the cert, or not containing it, in which case they
> > would try to find a certificate on the local key store etc.) 
> > 
> >  
> > 
> > Regards,
> > 
> > -----------------------------------------
> > Ludan STOECKLE
> > DSI Groupe Casino - Etudes
> > 
> > 04 77 45 48 01
> > 
> > lstoeckle <at> groupe-casino.fr
> > -----------------------------------------
> > 
> > 
> >  
> > 
> > 
> >  
--

-- 
=======================================
Jess Sightler
Senior Developer
Exim Technologies
131 Falls Street
Greenville SC 29601
Phone: 864-679-4651
=======================================

headers

Dale Moberg | 5 Jun 2003 17:29

RE: AS2-SMIME : has the certificate to be included inside the signature?

PKCS7/CMS always has a the issuer serial number to identify and retrieve a certificate (from a local store or whatever) so that it is not essential to include a certificate or certificate chain.

While it is normal to check or verify signer certificate validity with respect to a site's trusted roots no matter how a certificate is retrieved (so including or not including a certificate is not a security gap), two considerations point to opposite conclusions on including the certificate/certificate chain. First, saving bandwidth favors omitting the certificate and chain. Second, having the certificates in the message may for some implementations speed up some message processing operations.

An application should be able to deal with either case.

RFC 2633 is the operative RFC that is cited in AS2 and should also be consulted.

See for example section 3.7 which says:

A sending agent that signs messages MUST have a certificate for the
   signature so that a receiving agent can verify the signature. There
   are many ways of getting certificates, such as through an exchange
   with a certificate authority, through a hardware token or diskette,
   and so on.

   S/MIME v2 [SMIMEV2] specified a method for "registering" public keys
   with certificate authorities using an application/pkcs10 body part.
   The IETF's PKIX Working Group is preparing another method for
   requesting certificates; however, that work was not finished at the
   time of this memo. S/MIME v3 does not specify how to request a

   certificate, but instead mandates that every sending agent already
   has a certificate. Standardization of certificate management is being
   pursued separately in the IETF.

And between 1999, when that was published, and now, the situation remains about the same on PKI setup, alignment, and maintenance.

So, if you are an implementer, do not depend on receiving a cert chain in the message whose signature you will be checking.

As far as sending certificates, implementers might be well advised to be able to configure their software to either include or omit.

The choice of a default behavior is not specified in AS2. But the motto "Be conservative in what you send, liberal in what you can receive"

probably favors including the cert chain, and then allowing an optimization to omit for bandwidth conservation where it is not necessary.

-----Original Message-----
From: lstoeckle <at> groupe-casino.fr [mailto:lstoeckle <at> groupe-casino.fr]
Sent: Thursday, June 05, 2003 6:58 AM
To: ietf-ediint <at> above.proper.com
Subject: AS2-SMIME : has the certificate to be included inside the signature?

Hello,

I am new on this list - and I need your help.

AS2: when sending a signed message (the original message which can also be signed, or a signed MDN), has the signer's certificate to be included inside of the signature MIME part?

Is it mandatory or should AS2 compliant products accept both? (signed messages containing the cert, or not containing it, in which case they would try to find a certificate on the local key store etc.)

Regards,

-----------------------------------------
Ludan STOECKLE
DSI Groupe Casino - Etudes

04 77 45 48 01

lstoeckle <at> groupe-casino.fr
-----------------------------------------

headers

Paul V Ford-Hutchinson | 5 Jun 2003 18:02

RE: AS2-SMIME : has the certificate to be included inside thesignatu re?

No , that's one of the main points of X.509 certificates.

[Unless you are discussing self-signed certificates (the X.509 equivalent of "trust me, because I say so - signed me")]

so .....

Is there a published way for an AS-2 implementation to map the "AS2-From" field to an X.509 DN ?
Or does AS2 assume that there is always some OOB mechanism for establishing identity (AS2-To/From) to certificate mappings ?

If the former - who needs to bloat messages with certificates?
If the latter - why ?

Paul
--
Paul Ford-Hutchinson : eCommerce application security : paulfordh <at> uk.ibm.com
MPT-6, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5JL +44 (0)1926 462005
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

"Rishel,Wes" <Wes.Rishel <at> gartner.com>
Sent by: owner-ietf-ediint <at> mail.imc.org

05/06/2003 15:23

To: "Jess Sightler" <jsightler <at> eximtechnologies.com>, <lstoeckle <at> groupe-casino.fr>
cc: <ietf-ediint <at> above.proper.com>
Subject: RE: AS2-SMIME : has the certificate to be included inside thesignatu re?

What is the benefit of sending the cert with the message? If you truly want to authenticate the originator you have to acquire the cert by independent, trusted means, don't you?

-----Original Message-----
From: owner-ietf-ediint <at> mail.imc.org
[mailto:owner-ietf-ediint <at> mail.imc.org]On Behalf Of Jess Sightler
Sent: Thursday, June 05, 2003 6:36 AM
To: lstoeckle <at> groupe-casino.fr
Cc: ietf-ediint <at> above.proper.com
Subject: Re: AS2-SMIME : has the certificate to be included inside
thesignatu re?

I can't speak 100% from the spec on this, but I know that iSoft makes
sending the Certificate with a signature optional.

Based on that, I believe that it is an option to not send the cert. I
believe that sending the Cert would be a good practice, however.

Thanks,
Jess

On Thu, 2003-06-05 at 09:58, lstoeckle <at> groupe-casino.fr wrote:
> Hello,
>
>
>
> I am new on this list - and I need your help.
>
>
>
> AS2: when sending a signed message (the original message which can
> also be signed, or a signed MDN), has the signer's certificate to be
> included inside of the signature MIME part?
>
> Is it mandatory or should AS2 compliant products accept both? (signed
> messages containing the cert, or not containing it, in which case they
> would try to find a certificate on the local key store etc.)
>
>
>
> Regards,
>
> -----------------------------------------
> Ludan STOECKLE
> DSI Groupe Casino - Etudes
>
> 04 77 45 48 01
>
> lstoeckle <at> groupe-casino.fr
> -----------------------------------------
>
>
>
>
>
>
--
=======================================
Jess Sightler
Senior Developer
Exim Technologies
131 Falls Street
Greenville SC 29601
Phone: 864-679-4651
=======================================

headers

Dale Moberg | 5 Jun 2003 18:29

RE: AS2-SMIME : has the certificate to be included inside thesignatu re?

Response or two in line.

-----Original Message-----
From: Paul V Ford-Hutchinson [mailto:paulfordh <at> uk.ibm.com]
Sent: Thursday, June 05, 2003 9:02 AM
To: Rishel,Wes
Cc: ietf-ediint <at> above.proper.com
Subject: RE: AS2-SMIME : has the certificate to be included inside thesignatu re?

No , that's one of the main points of X.509 certificates.

[Unless you are discussing self-signed certificates (the X.509 equivalent of "trust me, because I say so - signed me")]

so .....

Is there a published way for an AS-2 implementation to map the "AS2-From" field to an X.509 DN ?

Not in IETF spec. Maybe someone has profiled AS2 for some community/vertical but I have not heard of one.

Or does AS2 assume that there is always some OOB mechanism for establishing identity (AS2-To/From) to certificate mappings ?

SMIME/CMS/PKCS7 has in its SignerInfo structure fields that allow determination of the relevant signature used in producing the signature.

So the value for the AS2-From field is not involved in finding the certificate. Actually, the AS2-From value should not be considered a highly trusted piece of information-- no signature over it. Generally spoofing would be a lot harder if you use SSL though.

If the former - who needs to bloat messages with certificates?

AS2 follows the CMS/PKCS7 approach on identifying the certificate used in signing. So you are right, cert chain can be omitted.
If the latter - why ?

Not applicable. If there were a mapping, then people might wonder what to do if the AS2-from value did not match up with the X.509 DN.

Should we discard the whole thing?

We avoid this. What we have now is that the signed info is what counts only. So trust that the payload is OK if you accept the signature as one that checks out with respect to a certificate that chains up to one of your trust anchors (which will be itself if using self-signed certs.)

Dale

Paul
--
Paul Ford-Hutchinson : eCommerce application security : paulfordh <at> uk.ibm.com
MPT-6, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5JL +44 (0)1926 462005
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

"Rishel,Wes" <Wes.Rishel <at> gartner.com>
Sent by: owner-ietf-ediint <at> mail.imc.org
05/06/2003 15:23

To: "Jess Sightler" <jsightler <at> eximtechnologies.com>, <lstoeckle <at> groupe-casino.fr>
cc: <ietf-ediint <at> above.proper.com>
Subject: RE: AS2-SMIME : has the certificate to be included inside thesignatu re?

What is the benefit of sending the cert with the message? If you truly want to authenticate the originator you have to acquire the cert by independent, trusted means, don't you?

-----Original Message-----
From: owner-ietf-ediint <at> mail.imc.org
[mailto:owner-ietf-ediint <at> mail.imc.org]On Behalf Of Jess Sightler
Sent: Thursday, June 05, 2003 6:36 AM
To: lstoeckle <at> groupe-casino.fr
Cc: ietf-ediint <at> above.proper.com
Subject: Re: AS2-SMIME : has the certificate to be included inside
thesignatu re?

I can't speak 100% from the spec on this, but I know that iSoft makes
sending the Certificate with a signature optional.

Based on that, I believe that it is an option to not send the cert. I
believe that sending the Cert would be a good practice, however.

Thanks,
Jess

On Thu, 2003-06-05 at 09:58, lstoeckle <at> groupe-casino.fr wrote:
> Hello,
>
>
>
> I am new on this list - and I need your help.
>
>
>
> AS2: when sending a signed message (the original message which can
> also be signed, or a signed MDN), has the signer's certificate to be
> included inside of the signature MIME part?
>
> Is it mandatory or should AS2 compliant products accept both? (signed
> messages containing the cert, or not containing it, in which case they
> would try to find a certificate on the local key store etc.)
>
>
>
> Regards,
>
> -----------------------------------------
> Ludan STOECKLE
> DSI Groupe Casino - Etudes
>
> 04 77 45 48 01
>
> lstoeckle <at> groupe-casino.fr
> -----------------------------------------
>
>
>
>
>
>
--
=======================================
Jess Sightler
Senior Developer
Exim Technologies
131 Falls Street
Greenville SC 29601
Phone: 864-679-4651
=======================================

headers

lstoeckle | 5 Jun 2003 17:57

RE : AS2-SMIME : has the certificate to be included inside thesig natu re?

The administration work could be reduced if all the certificates exchanges were dynamic; still the partner cert is always required to encrypt messages...

I agree with you. If you use the cert included in the message (assuming it is valid CA certified etc.) you can make clear that someone has signed the message and that it hasn't changed since, but how can you be sure of who is the signer?

I mean, there must be an identity check somewhere else?
If you use the good certificate that you trust to check the signature you can authenticate at the same time, can't you?

-----Message d'origine-----
De : Rishel,Wes [mailto:Wes.Rishel <at> gartner.com]
Envoyé : jeudi 5 juin 2003 15:24
À : Jess Sightler; lstoeckle <at> groupe-casino.fr
Cc : ietf-ediint <at> above.proper.com
Objet : RE: AS2-SMIME : has the certificate to be included inside thesignatu re?

What is the benefit of sending the cert with the message? If you truly want to authenticate the originator you have to acquire the cert by independent, trusted means, don't you?

-----Original Message-----
From: owner-ietf-ediint <at> mail.imc.org
[mailto:owner-ietf-ediint <at> mail.imc.org]On Behalf Of Jess Sightler
Sent: Thursday, June 05, 2003 6:36 AM
To: lstoeckle <at> groupe-casino.fr
Cc: ietf-ediint <at> above.proper.com
Subject: Re: AS2-SMIME : has the certificate to be included inside
thesignatu re?

I can't speak 100% from the spec on this, but I know that iSoft makes
sending the Certificate with a signature optional.

Based on that, I believe that it is an option to not send the cert. I
believe that sending the Cert would be a good practice, however.

Thanks,
Jess

On Thu, 2003-06-05 at 09:58, lstoeckle <at> groupe-casino.fr wrote:
> Hello,
>
>
>
> I am new on this list - and I need your help.
>
>
>
> AS2: when sending a signed message (the original message which can
> also be signed, or a signed MDN), has the signer's certificate to be
> included inside of the signature MIME part?
>
> Is it mandatory or should AS2 compliant products accept both? (signed
> messages containing the cert, or not containing it, in which case they
> would try to find a certificate on the local key store etc.)
>
>
>
> Regards,
>
> -----------------------------------------
> Ludan STOECKLE
> DSI Groupe Casino - Etudes
>
> 04 77 45 48 01
>
> lstoeckle <at> groupe-casino.fr
> -----------------------------------------
>
>
>
>
>
>
--
=======================================
Jess Sightler
Senior Developer
Exim Technologies
131 Falls Street
Greenville SC 29601
Phone: 864-679-4651
=======================================

headers

lstoeckle | 5 Jun 2003 17:27

RE : AS2-SMIME : has the certificate to be included inside the si gnatu re?

Thanks for your answer.

In fact I have interoperability issues between OpenAS2 and a commercial AS2-certified product (I will not say which one).

I'm pretty sure OpenAS2 doesn't send the certificate inside the signature when it sends a message (the signature part is too short to be contain the certificate). But this produces a signature checking error on the commercial product, and I do believe it's due to the lack of certificate: this commercial product uses OpenSSL, and in the log the command line calls are visible; and with this command line OpenSSL is not able to check the signature even if it is available on the computer.

I'd really like to know what's inside the spec about this.

Thanks,
Ludan Stoecklé.

-----Message d'origine-----
De : Jess Sightler [mailto:jsightler <at> eximtechnologies.com]
Envoyé : jeudi 5 juin 2003 14:36
À : lstoeckle <at> groupe-casino.fr
Cc : ietf-ediint <at> above.proper.com
Objet : Re: AS2-SMIME : has the certificate to be included inside the signatu re?

I can't speak 100% from the spec on this, but I know that iSoft makes
sending the Certificate with a signature optional.

Based on that, I believe that it is an option to not send the cert. I
believe that sending the Cert would be a good practice, however.

Thanks,
Jess

On Thu, 2003-06-05 at 09:58, lstoeckle <at> groupe-casino.fr wrote:
> Hello,
>
>
>
> I am new on this list - and I need your help.
>
>
>
> AS2: when sending a signed message (the original message which can
> also be signed, or a signed MDN), has the signer's certificate to be
> included inside of the signature MIME part?
>
> Is it mandatory or should AS2 compliant products accept both? (signed
> messages containing the cert, or not containing it, in which case they
> would try to find a certificate on the local key store etc.)
>
>
>
> Regards,
>
> -----------------------------------------
> Ludan STOECKLE
> DSI Groupe Casino - Etudes
>
> 04 77 45 48 01
>
> lstoeckle <at> groupe-casino.fr
> -----------------------------------------
>
>
>
>
>
>
--
=======================================
Jess Sightler
Senior Developer
Exim Technologies
131 Falls Street
Greenville SC 29601
Phone: 864-679-4651
=======================================

1	January 2011
1	December 2010
9	June 2010
1	May 2010
1	November 2009
1	May 2008
1	March 2008
1	July 2007
1	June 2007
1	May 2007
1	April 2007
1	January 2007
6	November 2006
1	July 2006
1	May 2006
7	March 2006
3	February 2006
4	January 2006
14	December 2005
5	November 2005
22	October 2005
4	August 2005
6	July 2005
6	June 2005
4	May 2005
13	April 2005
1	March 2005
5	February 2005
7	January 2005
3	December 2004
8	November 2004
7	October 2004
4	September 2004
5	August 2004
7	July 2004
2	June 2004
2	May 2004
8	April 2004
4	March 2004
2	February 2004
26	January 2004
1	December 2003
1	November 2003
2	September 2003
7	August 2003
2	July 2003
13	June 2003
3	March 2003
4	February 2003
36	January 2003
1	November 2002
22	October 2002
7	September 2002
3	August 2002
12	June 2002
12	May 2002
16	April 2002
25	March 2002
6	February 2002
4	January 2002
10	December 2001
23	November 2001
1	October 2001
8	September 2001
1	July 2001
2	June 2001
4	May 2001
14	April 2001
10	March 2001
4	February 2001
23	January 2001
6	December 2000
107	November 2000
14	October 2000
5	September 2000
5	August 2000
1	July 2000
4	June 2000
5	May 2000
17	April 2000
16	March 2000
6	February 2000
2	January 2000
4	December 1999
19	November 1999
16	October 1999
5	September 1999
11	August 1999
18	July 1999
21	June 1999
6	May 1999
61	April 1999
56	March 1999
53	February 1999
3	January 1999
22	December 1998
22	November 1998
43	October 1998
1	September 1998
23	August 1998
2	July 1998
8	June 1998
53	May 1998
31	April 1998
23	March 1998
30	February 1998
34	January 1998
48	December 1997
31	November 1997
14	October 1997
5	September 1997
29	August 1997
59	July 1997
101	June 1997
16	May 1997
37	April 1997
87	March 1997
49	February 1997
45	January 1997
44	December 1996
67	November 1996
83	October 1996
98	September 1996
26	August 1996
93	July 1996
73	June 1996
217	May 1996
58	April 1996
37	March 1996
79	February 1996
1	January 1995

Mon	Tue	Wed	Thu	Fri	Sat	Sun

						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30