Appears in Proceedings of the 13th IEEE Computer Security Foundations Workshop (CSFW-13)
the PGP software considers the signatures certifying vides insurance for some of its public-key certicates.
the binding of KB to B (there may be more than one). Two advantages of insurance are that users may be
PGP must ask A whether any of the users who signed more willing to act as introducers if they do not incur
B 's certicates are considered trusted (completely or nancial risk by doing so, and that longer paths can
marginally) to verify and sign someone else's certi- be useful if the keys involved are insured, even when
cate. In other words, trust is not conveyed along the they do not carry hierarchical authority. Insurance can
path of certicates, but rather it is awarded by the user be used to replace or complement the need for trusted
of the certicate. Belief in the nal certicate is possi- introducers for some or all of the certicates in a path.
ble only if the user trusts all of the certifying users on
a path. 1.2 Our Approach
A limiting factor in the realization of a large-scale
PKI has been that the initial authentication of a user- We propose an approach that uses insurance to re-
key binding to provide that user with a certicate has alize some of the best features of prior approaches. We
had to be done in person. In fact, no large-scale PKI consider that the insurer of a key may not be the same
has been fully realized as of date. The hierarchical ap- entity that certies the user/key binding. This allows
proach has an apparent advantage of simplicity, but us to consider insurers as institutions, while still taking
it has been hard to nd an organization willing to advantage of existing personal relationships to certify
act as a CA that is both considered trustworthy by user/key bindings. We also suggest the use of thresh-
many people and has the resources to carry out the old cryptography [3] to create audited keys, which may
initial authentication in person. On the other hand, make insurers more willing to provide insurance for
the PGP approach takes advantage of already exist- keys in some circumstances. Furthermore, in order to
ing personal relationships between individuals to solve help reason about insurance of keys and statements
the problem of in-person authentication. However, if signed by them, we provide a formal yet simple insur-
there are not enough users acting as introducers and ance logic related to the authentication logic of Lamp-
considered trusted by other users as introducers, then son, et al. [8].
the resulting paths will tend either not to exist or to be Our approach diers from Verisign's because it is not
long. Unfortunately, long paths provide less assurance hierarchical, and because it can insure the trustworthi-
because there is more chance that one of the introduc- ness of a key owner as an introducer. Furthermore,
ers is not, or should not be, trusted. unlike Verisign, which only intends its liability to hold
in the case that the keys are compromised despite be-
1.1 The Role of Insurance ing properly stored, we allow (but do not require) that
the insurance may extend to any statement signed by
In the real world, insurance is used to mitigate - an insured key, not just to certicates. Our approach
nancial risk in many settings. For individuals, the xed diers from the Reiter-Stubblebine metric because of
moderate cost of paying for insurance is preferable to the separation between insurer and introducer and be-
risking the liability of large sums of money if certain cause of the insurance logic. Our proposal also diers
bad events occur. For insurers, risk is pooled and there- from that of [9] in that we do not require all keys in a
fore statistically predictable; insurance rates can be ad- set of paths to be insured in order to reason about the
justed accordingly. Similarly, it has been suggested degree of assurance in the target key.
that insurance can be used in distributed systems, and The LABW logic [8] characterizes the \speaks for"
in particular, in authentication procedures, to mitigate relation. A public key speaks for its owner in the sense
risk there [7, 9, 11]. that if the key has not been compromised, only the
owner is able to use the key to sign statements. Our
The use of insurance in a public-key system is not logic introduces the \insured by" relation, which allows
new. Lai, Medvinsky, and Neuman [7] discuss several deduction of the insurance associated with statements.
methods of providing assurance, including liability and In the case that an injured party wishes to obtain pay-
surety insurance, of distributed services, including au- ment for damages, derivations obtained by the logic
thentication services. They also describe a method of can indicate which parties are liable.
representing and verifying assurance credentials. Re- To summarize, the contributions of this paper are
iter and Stubblebine [9] further consider the use of the following.
insurance-backed public-key certicates and argue that
such insurance can be used to provide a better metric We present a method for using insured public keys
of authentication than other methods proposed in the to facilitate the creation of a large-scale public-key
literature. Verisign's NetSure program [11] also pro- infrastructure.
2
We describe an application using threshold cryp- As with current insurance practice, it will not al-
tography in which insured keys have an associated ways be possible to correctly determine precisely the
auditor who is involved in any creating any sig- events that have occurred, due to incomplete, incorrect,
nature using the key, thereby allowing the insurer or misleading information, but there is a delicate but
more control over its liability. workable balance between many factors to help stabi-
lize the infrastructure into one that can be maintained
We provide a formal yet simple insurance logic in a practical way. Insurance rates are tailored to al-
that can be used to reason about the insurance low insurers to prot even if they must pay some set-
of keys and statements. tlements only because they could not prove that they
Using our logic, we show how to analyze several were not liable. Large-scale or systematic misbehav-
examples in which insured keys are used. The re- ior, either by insurers or by insured parties, is likely to
sults can be used to demonstrate the insurance be caught and punished. For insurers, factors such as
of various statements, and also to help determine government regulations, court judgements, and public
who is liable if those statements turn out to be perception work to help ensure that they pay when re-
false. quired to do so. For the insured, the possibility that
settlements will not be paid if fraud is detected, as well
We present our insurance proposal in Section 2. We as the threat of criminal penalties, help prevent fraud-
describe the use of audited keys in Section 3. In Sec- ulent behavior.
tion 4, we describe the insurance logic and show some It is unlikely that insurers will want to take on the
examples of its use. We conclude in Section 5. risk of liability for all possible uses of digital signatures.
Insurance policies can state restrictions on what kind of
2 Insurance in a Public-Key Infrastruc- uses are allowed for particular keys. If desired, insurers
ture can require insured keys to be audited, allowing the
auditor control over which signatures will be allowed.
In our proposed approach, accredited insurers can This possibility is discussed further in Section 3.
provide insurance for cryptographic keys. Insurers pro- A natural and useful restriction, on which we will
vide certicates stating the insurance relationship. An focus most of our attention, is to consider only the use
insurance certicate, written [$Z; K; a], indicates that of keys to sign public-key certicates. In particular,
K is insured by Z for up to a dollars. We will also we propose a public-key infrastructure where an indi-
have the usual user/key binding certicates, which we vidual's keys are certied by other individuals acting
call binding certicates to distinguish them from insur- as introducers, as in PGP. The trustworthiness of an
ance certicates. An insurance certicate, like bind- introducer is replaced by insurance.
ing certicates, normally carries a digital signature, as At this point, it is useful to consider a simple ex-
[$Z; K; a]K . Z may or may not be the owner of the
0 ample. Suppose that we have a binding certicate
key K 0 with which the certicate is signed. In partic- [A; KA]KB and an insurance certicate [$Z; KB ; a]KZ ,
ular, if the user of the certicate does not know the and that we know (somehow) that KZ is Z 's public key.
insurer, it may be more useful to have a certicate Here, A is a user whose public key is being certied, Z
signed by someone else. If the signer's key is insured is an insurer, and B is the introducer who has a policy
or introduced by another certicate, this creates a path with Z . Ordinarily Z would know who B is. (If B is
of certicates. An insurance certicate can be viewed anonymous, Z would have to accept responsibility that
as a kind of authorization certicate, and could be would be passed to B in some cases.) Suppose further
implemented with a SPKI certicate (see IETF RFC- that KA is later found to have signed a statement S =
2693 [10]). \A owes C the sum of $100," and A refuses to pay.
An insurance certicate has certain contractual and C 's belief that KA was A's signature was based on the
legal obligations. Roughly speaking, if a statement certicate signed by KB .
signed by an insured key turns out to be false, then If A agrees that she signed S , then there is no reason
the insurer may be liable. Whether or not the insurer to hold Z liable. In this case, C should take A to court
is liable depends on the specic terms of the policy. In to try to obtain payment for the statement S signed
reality, as with any insurance settlement, there may be by A. However, if A repudiates S , saying that she
a complicated process to determine exactly how much never signed it, this is a claim by A that the binding
is paid, by whom, and to whom. However, there are between KA and A, which was signed by the insured
already procedures in place for current insurance prac- key KB , is incorrect. In this case, C should try to
tices that can be adapted for this new setting. collect from Z . There are a number of dierent ways
3
that this latter case could arise. In general, C 's ling a As even this small example illustrates, it can be
claim due to repudiation will result in an investigation complicated to determine who is liable when a dispute
by Z to attempt determine which of the cases below arises. In Section 4, we present a formal logic that can
has occurred, and to take appropriate action: be used to identify a list of possibly liable parties. We
will revisit this example there. However, many of the
A is lying now. This constitutes fraud on the part practical real-world details are necessarily outside the
of A, and is a crime. In this case, logically, Z scope of the logic.
should not pay; it is just a matter for B and Z
to get together and present the evidence that A's
certicate was valid. 3 Audited Keys
KA is not actually A's key, because B , either in- Because statements signed with insured keys are
tentionally or unintentionally, did not properly au- themselves insured, insurers may wish to place some
thenticate A before signing the certicate. De- restrictions on the kinds of statements that are signed
pending on the specics of the policy between Z with insured keys. There are several methods by which
and B , and whether B can show any records of this can be achieved, which would most likely work in
having followed some kind of proper procedure in combination. Courts can be relied on to dene and rec-
authenticating A before signing A's certicate, Z ognize what statements are considered contracts. Al-
or B is liable. If Z and B disagree about who is ternately, the policy between a user A and the insurer
liable, a court judgement may be needed. Z can spell out exactly what kinds of statements A is
KA has been compromised. Even though B cor- allowed to sign with a key KA , or what kinds of signed
rectly identied A as the owner of KA , Z might statements are insured. Similarly, the standard notions
still be liable if KA had been publicly revoked and of what constitutes a contract and who can be consid-
B had failed at the time to check the applicable re- ered an injured party will apply.
vocation list. Auditing information such as times- A novel method for an insurer to enforce such re-
tamps in certicates may be needed to help de- strictions is to require, using a threshold signature
termine whether the key binding in question was scheme, that an auditor (who is possibly the same
correct in the sense covered by Z . entity as the insurer) participate in every signature.
(A survey of threshold cryptography can be found
KB has been compromised; an attacker forged in [3]; some threshold signature schemes are pre-
the signature on A's certicate. Since KB is in- sented in [4, 6].) In two-out-of-two threshold signature
sured by Z and has been compromised, Z should schemes, two parties hold shares of a private key K 1 .
pay. (Note that this case is the only case that Computing signatures with K 1 requires participation
the Verisign NetSure model insures against.) How- of both parties; neither party can compute signatures
ever, if it can be shown that B did not properly without the help of the other. The resulting signature
safeguard KB , then Z may decide that B violated can, as usual, be veried by anyone using the corre-
the terms of the contract, and Z will inform C to sponding public key K .
go after B . Whether B is seen to be liable by a Two-out-of-two threshold signature schemes can be
court depends on the circumstances under which used for auditing as follows. A user A, whose public key
digital signatures are held to be binding. is KA , has one share of the corresponding private key
KZ has been compromised or was improperly iden- KA 1 . The auditor holds the other share. These shares
tied as Z 's key, or Z is not an accredited in- can be generated by a trusted third party or can be gen-
surer. This should be extremely unlikely as insur- erated by A and the auditor themselves [6, 2, 5]. Note
ers' keys are assumed to be well-known and well- that neither A nor the auditor learns the entire pri-
protected, and similarly it should be easy to deter- vate key, but both learn the corresponding public key
mine whether an entity is an accredited insurer. In KA . Assuming neither of the shares of the private key
the case that KZ has been compromised, it might nor the entire private key are compromised1, A cannot
be determined that either Z or some kind of fund produce signed documents without the involvement of
to which all insurers contribute should pay. the auditor. Similarly, the auditor cannot forge A's
signature. Additionally, other users, with or without
We anticipate a range of insurance policies, available 1 Even though the entire private key need not be known to any
at dierent rates. For example, some policies might of the participants, it could still be compromised, for example in
stipulate that Z is always liable, while other policies the case of RSA, by an attacker who is able to factor the public
would stipulate conditions under which B is liable. modulus.
4
the help of the auditor, cannot forge A's signature. 4 Insurance Logic
Now suppose that an insurer Z insures KA , but
wishes to restrict the use of KA to sign only partic- In this section, we describe a method for reasoning
ular kinds of statements. Each time A wishes to sign a about insured keys to derive insurance about the state-
statement, he must communicate (electronically) with ments signed by those keys. Specically, we extend the
the auditor, who will verify that the statement being delegation logic of Lampson et al [8] to handle insur-
signed is of the proper form before participating in cre- ance by adding three axioms.
ating the signature. For example, to use auditing with The LABW logic interprets a certicate as a state-
keys intended only for the purpose of creating public- ment that a key \says" some statement implied by the
key certicates, the auditor would verify that the state- format of the certicate. Given an additional state-
ment being signed was in fact a certicate. If desired, ment that the key \speaks for" a principal, one con-
the auditor could also verify other properties, such as cludes that the principal said (i.e. uttered, believed,
that the key length is long enough to be considered authorized) the same statement. Let K ) A be an
secure. abbreviation for \K speaks for A." Informally, this
Note that recipients of signatures need not know means that K is a public key owned by A. It should
whether a key is being used auditably, even in order also mean that A is responsible for statements (such
to verify the signature. That is, A can still be given as contracts) that are signed with K . Thus, if K says
only the insurance certicate [$Z; KB ; a]KZ showing something, we may act as though A said it. The formal
that the public key KB is insured by Z . If desired, meaning of \speaking for" is embodied in the following
special auditor certicates can also be introduced to axiom:
indicate an auditing relationship, but this is not neces-
sary. A1. If K ) A and K says S then A says S
The use of auditors gives insurers more control over In the LABW logic, A1 is not an axiom, but rather
their liability, and also can be used to ensure that users a consequence of a denition of ) involving the com-
are meeting the terms of their policies. Because the au- pound principal A ^ K . In our application, we will not
ditor can refuse to participate in the signing of state- need compound principals, so for simplicity we take
ments that do not meet the insurer's requirements, au- this directly as an axiom.
diting potentially reduces the insurer's risk (of having A binding certicate [A; KA]KB is interpreted in the
to pay large settlements on certain statements) and logic as the statement KB says KA ) A. An insur-
court costs (of having to prove that they are not liable ance certicate [$Z; KZ ; a]KB is interpreted in our logic
for certain statements) by controlling which statements as KB says KZ $a Z .
insured keys sign. We add three axioms that represent the properties
Another use of auditing is that the auditor can check of insurance. The rst property of an insured key is
that the user is up to date on premium payments be- that statements signed by the key are also insured:
fore participating in creating a signature. In addition,
the auditor can keep records of which statements were A2. If K $a Z and K says S then S $a Z
signed with which keys. These records could be useful
for checking that an insured key is not being used more Second, a principal can commit itself to a liability:
than allowed by the insurance policy, or to detect cer-
tain kinds of compromised keys. For example, if KA A3. If Z says P $a Z then P $a Z
is an audited key and a claimant presents a statement In A3, P can either be a statement or a key.
signed by KA that is not in the auditor's record, then Finally, the falsity of an insured statement creates
this implies that either the entire private key KA 1 or a liability for the insurer provided that the terms of
the auditor's share of it has been compromised, or the the insurance are met. We write Z $ a to mean that Z
auditor's records themselves have been compromised. is liable for the amount a provided that the terms of
Auditing can also provide benets to the user. For the associated insurance are met. The liability axiom
example, an insurer may be willing to give a policy for is then:
audited keys that indemnies the user completely, since
the auditor can refuse to sign \risky" statements when A4. If S $a Z and :S then Z $ a
asked. Insurers may chooses to require auditors for all
users, or only for some users, or may oer lower insur- As discussed in Section 2, this does not necessarily
ance premiums for audited keys than for non-audited mean that Z is necessarily liable if S is false, but rather
keys. that Z is a reasonable entity to go after when seeking
5
damages caused by S being false. In practice it means (7) :(KA ) A)
that Z is liable unless Z can show another party is
liable instead. As we will see in the following examples, In this case, it follows from (7) and Axiom A4 that:
we can use our logic to derive liability statements.
4.1 A Simple Example
(8) Z $ a
At this stage, we can give an example of a useful de- That is, C can expect to recover those damages, up to
duction. We return to the example discussed at the end the amount of a, from Z , provided the terms of the
of Section 2. Suppose we have certicates [A; KA]KB insurance are met.
and [$Z; KB ; a]KZ , and KZ is Z 's public key. The lat-
ter assumption is interpreted in our logic as the state- 4.2 Longer Paths
ment:
(1) KZ ) Z In this section, we further demonstrate the utility
of the logic by brie
y considering some slightly more
The certicates are interpreted as: complicated examples. We rst show how a path of
insurance certicates can be coalesced into a single in-
(2) KB says KA ) A surance statement. Following that, we analyze a path
in which some certicates are insured and some are
(3) KZ says KB $a Z trusted.
A helpful visual representation is to create a diagram
as follows: Multiple insurers along a path For this example,
suppose that KB is insured by Y , but the insurance
(KZ ) Z ) ! (KB $a Z ) ! (KA ) A) certicate we have for KB is signed by a key KD not
where an arrow is a says relation using the key men- known to be Y 's key. Additionally, KD is insured by
tioned on its left. Z , who has signed an insurance certicate. That is, we
From (1) and (3), are assuming:
(4) Z says KB $a Z (1) KD says KB $a Y
From (4) and A3 we have (2) KZ says KD $b Z
(5) KB $a Z
(3) KZ ) Z .
and by A2, (2), and (5), we have
(6) (KA ) A) $a Z This would be diagrammed as
That is, we are able to conclude as desired that the (KZ ) Z ) ! (KD $b Z ) ! (KB $a Y )
link between A and KA has been insured by Z . Note
that it is not possible to derive KA $a Z . That is, our We conclude in a few steps that
logic upholds the desirable property that the fact that
B , who is insured by Z , acts as an introducer for KA
does not imply that Z is liable for statements signed (4) (KB $b Y ) $a Z
by KA , but only for the binding between A and KA .
Again continuing with our example from Section 2, Again, we ask what happens if a statement signed
suppose that KA is later found to have signed a state- by KB is false. That depends on whether KB $b Y ,
ment S = \A owes C the sum of $100," and A refuses as determined by some factual investigation. If true,
to pay. As we argued there, there are several ways the liability axiom says Y $ b. If false, we have Z $ a.
this could happen that do not create a liability for Z . In either case, an injured party seeking damages can
In terms of our logic, that is because, in those cases, hope to collect at least the smaller of a and b. This
the statement KA ) A is true, so (6) does not apply. sort of case analysis can be extended to consider mul-
However, if B did not properly authenticate A, or if tiple independent paths, leading to the min-cut metric
KA has been compromised, then: proposed by [9].
6
Combining trust and insurance in a path Here, than certication authorities whose trustedness is be-
we extend the example from Section 4.1 by adding yond question. It is more formal than the PGP \web of
the additional assumptions that A is trusted as an in- trust" in which individuals must make their own unsup-
troducer, and that we have a certicate [D; KD ]KA 2 . ported decisions as to the trustedness of introducers,
These assumptions are represented as follows: yet it also allows users to incorporate their own beliefs
about who are trustworthy introducers into their de-
(1) If A says (KD ) D) then KD ) D cisions if desired. Furthermore, it is not necessary to
(2) KA says (KD ) D) have a hierarchy of insured introducers|any path will
do|and not all introducers on the path need be in-
In addition, we have all the assumptions and conclu- sured. We imagine that, as is very common with PGP,
sions from Section 4.1. The extended diagram is as some users will certify each other's keys; such users may
follows: or may not choose to have their own keys insured. In
addition, some users will act as notaries public; these
(KZ ) Z ) ! (KB $a Z ) ! (KA ) A) ! (KD ) D) users will certify more keys, and would be expected to
have their own keys insured.
Note that we are assuming that the entity A is trust- The role of insurers is important. Insurers' keys
worthy, rather than a key. This assumption is useful are intended to be more well-known and well-protected
for demonstrational purposes, but also re
ects that fact than regular user keys. We envision a world in which
that trust is usually based a personal relationship with there are a fairly small number of insurers. Insurance
a user, rather than with a key. The user/key bind- keys are assumed to be easy to verify. While we do not
ing between A and KA is not directly assumed, but it require all users to know all insurers' keys, we think
can be derived that the binding is insured by Z . In it is reasonable to assume that insurers can determine
particular, recall the conclusion reached in Section 4.1: other insurers' keys, and that each user knows at least
one insurer's key. Insurers' keys are extremely valuable
(3) (KA ) A) $a Z targets and should therefore be properly protected; the
Hence, by A4, it follows that either ability to do this should be one of the requirements of
being accredited as an insurer. Similarly, unscrupulous
(4) KA ) A, or insurers who misbehave too frequently or too severely
will be detected and punished.
(5) Z $ a There are several advantages to this PKI approach.
Supposing that (4) is true, in a few steps one can derive: Like PGP, we can use existing personal relationships
to perform certications. However, because of the in-
(6) KD ) D surance, we do not require the user to personally trust
Suppose that now a user C shows damages based all introducers in a path. Furthermore, we believe our
on a document signed by KD (and by beliefs in these approach is easily implemented because most people
assumptions). If it is determined that :KD ) D, already have a relationship with some insurance com-
then (6) is false. If further investigation determines pany; extending existing insurance business models to
that in fact A is not trustworthy, then the trust in A cover this case should be easier than starting new CAs.
as an introducer was misplaced, and it is a personal de- Another advantage is that not all introducers need be
cision whether C wants to try to recover damages from insured: a user may still choose to trust some other
A or not. However, if it is determined that in fact the users as introducers even without insurance. In that
problem was that (4) is false, i.e. :(KA ) A), then it case, provided that their assumptions about trusted in-
follows from (5) that Z should pay. troducers are correct, any incorrect key-binding pairs
will involve an insured introducer. In addition, note
that some risks can be lessened by taking certain pre-
5 Discussion cautions. Insurers can encourage users to take such
precautions by charging lower premiums to customers
Our PKI approach is most useful in an environment who agree to adhere to risk-reducing behaviors. (Many
where certicates can be signed by introducers other car insurers have lower premiums for seat belt wearers.)
2 For simplicity, we state here only the assumption that A is
For example, keys are less likely to be compromised if
trusted to introduce the key and user in this particularcerticate. they are chosen keys properly (i.e. large enough and
A fully general treatment would use a universal quantier and randomly) and properly safeguarded. In order to ob-
then infer the particular statement needed. tain lower premiums, many users may adopt these risk-
7
reducing behaviors, which has the benecial side eect [11] Verisign,
https://www.verisign.com /netsure
of providing better security for everyone. /index.html .
References [12] P. Zimmermann, The Ocial PGP User's Guide,
MIT Press, 1995.
[1] C. Adams and R. Zuccherato, \Internet X.509
Public Key Infrastructure Data Certication
Server Protocols," Internet Draft, PKIZ Working
Group, 1998.
[2] D. Boneh and M. Franklin, \Ecient generation
of shared RSA keys," In Advances in Cryptology|
CRYPTO '97, Lecture Notes in Computer Science
1294, 424{439, Springer-Verlag, 1997.
[3] Y. Desmedt, \Threshold cryptography," European
Transactions on Telecommunications and Related
Technologies, 5(4):35{43, July{August 1994.
[4] Y. Desmedt and Y. Frankel, \Shared generation
of authenticators and signatures," In Advances
in Cryptology|CRYPTO '91, Lecture Notes in
Computer Science 576, 457{469, Springer-Verlag,
1992.
[5] Y. Frankel, P. MacKenzie, and M. Yung, \Ro-
bust ecient distributed RSA key generation," In
Proc. of the 30th ACM Symposium on the Theory
of Computing, 663{672, May 1998.
[6] R. Gennaro, S. Jarecki, H. Krawczyk, and
T. Rabin, \Robust Threshold DSS Signatures,"
In Advances in Cryptology|CRYPTO '96, Lec-
ture Notes in Computer Science 1070, 354{371,
Springer-Verlag, 1996.
[7] C. Lai, G. Medvinsky, and B. C. Neuman, \En-
dorsements, Licensing, and Insurance for Dis-
tributed System Services," In Proc. of the 2nd
ACM Conf. on Computer and Comm. Security ,
170{175, Nov. 1994.
[8] B. Lampson, M. Abadi, M. Burrows, and E.
Wobber, \Authentication in Distributed Systems:
Theory and Practice," In ACM Transactions on
Computer Systems , Vol. 10, No. 4, 265{310,
November, 1992.
[9] M. K. Reiter and S. G. Stubblebine, \Authentica-
tion Metric Analysis and Design," In ACM Trans-
actions on Information and System Security , Vol.
2, No. 2, 138{158, May 1999.
[10] C. Ellison et al, \SPKI Certicate Theory," IETF
Network Working Group RFC 2693, Septem-
ber 1999. Posted at http://www.ietf.org/
rfc/rfc2693.txt.