< draft-ietf-lamps-samples-05.txt   draft-ietf-lamps-samples-06.txt >
lamps D.K. Gillmor, Ed. lamps D.K. Gillmor, Ed.
Internet-Draft ACLU Internet-Draft ACLU
Intended status: Informational 5 August 2021 Intended status: Informational 13 December 2021
Expires: 6 February 2022 Expires: 16 June 2022
S/MIME Example Keys and Certificates S/MIME Example Keys and Certificates
draft-ietf-lamps-samples-05 draft-ietf-lamps-samples-06
Abstract Abstract
The S/MIME development community benefits from sharing samples of The S/MIME development community benefits from sharing samples of
signed or encrypted data. This document facilitates such signed or encrypted data. This document facilitates such
collaboration by defining a small set of X.509v3 certificates and collaboration by defining a small set of X.509v3 certificates and
keys for use when generating such samples. keys for use when generating such samples.
Status of This Memo Status of This Memo
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 6 February 2022. This Internet-Draft will expire on 16 June 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Revised BSD License text as
as described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Prior Work . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Prior Work . . . . . . . . . . . . . . . . . . . . . . . 4
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Certificate Usage . . . . . . . . . . . . . . . . . . . . 5 2.1. Certificate Usage . . . . . . . . . . . . . . . . . . . . 5
2.2. Certificate Expiration . . . . . . . . . . . . . . . . . 5 2.2. Certificate Expiration . . . . . . . . . . . . . . . . . 5
skipping to change at page 2, line 46 skipping to change at page 2, line 46
6.1. Ed25519 Certification Authority Root Certificate . . . . 24 6.1. Ed25519 Certification Authority Root Certificate . . . . 24
6.2. Ed25519 Certification Authority Secret Key . . . . . . . 25 6.2. Ed25519 Certification Authority Secret Key . . . . . . . 25
6.3. Ed25519 Certification Authority Cross-signed 6.3. Ed25519 Certification Authority Cross-signed
Certificate . . . . . . . . . . . . . . . . . . . . . . . 25 Certificate . . . . . . . . . . . . . . . . . . . . . . . 25
7. Carlos's Sample Certificates . . . . . . . . . . . . . . . . 26 7. Carlos's Sample Certificates . . . . . . . . . . . . . . . . 26
7.1. Carlos's Signature Verification End-Entity Certificate . 26 7.1. Carlos's Signature Verification End-Entity Certificate . 26
7.2. Carlos's Signing Private Key Material . . . . . . . . . . 27 7.2. Carlos's Signing Private Key Material . . . . . . . . . . 27
7.3. Carlos's Encryption End-Entity Certificate . . . . . . . 27 7.3. Carlos's Encryption End-Entity Certificate . . . . . . . 27
7.4. Carlos's Decryption Private Key Material . . . . . . . . 27 7.4. Carlos's Decryption Private Key Material . . . . . . . . 27
7.5. PKCS12 Object for Carlos . . . . . . . . . . . . . . . . 28 7.5. PKCS12 Object for Carlos . . . . . . . . . . . . . . . . 28
8. Dana's Sample Certificates . . . . . . . . . . . . . . . . . 29 8. Dana's Sample Certificates . . . . . . . . . . . . . . . . . 30
8.1. Dana's Signature Verification End-Entity Certificate . . 29 8.1. Dana's Signature Verification End-Entity Certificate . . 31
8.2. Dana's Signing Private Key Material . . . . . . . . . . . 30 8.2. Dana's Signing Private Key Material . . . . . . . . . . . 31
8.3. Dana's Encryption End-Entity Certificate . . . . . . . . 30 8.3. Dana's Encryption End-Entity Certificate . . . . . . . . 31
8.4. Dana's Decryption Private Key Material . . . . . . . . . 30 8.4. Dana's Decryption Private Key Material . . . . . . . . . 32
8.5. PKCS12 Object for Dana . . . . . . . . . . . . . . . . . 31 8.5. PKCS12 Object for Dana . . . . . . . . . . . . . . . . . 32
9. Security Considerations . . . . . . . . . . . . . . . . . . . 32 9. Security Considerations . . . . . . . . . . . . . . . . . . . 34
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
11. Document Considerations . . . . . . . . . . . . . . . . . . . 32 11. Document Considerations . . . . . . . . . . . . . . . . . . . 34
11.1. Document History . . . . . . . . . . . . . . . . . . . . 32 11.1. Document History . . . . . . . . . . . . . . . . . . . . 34
11.1.1. Substantive Changes from draft-ietf-*-04 to 11.1.1. Substantive Changes from draft-ietf-*-04 to
draft-ietf-*-05 . . . . . . . . . . . . . . . . . . . 32 draft-ietf-*-05 . . . . . . . . . . . . . . . . . . . 34
11.1.2. Substantive Changes from draft-ietf-*-03 to 11.1.2. Substantive Changes from draft-ietf-*-04 to
draft-ietf-*-04 . . . . . . . . . . . . . . . . . . . 33 draft-ietf-*-05 . . . . . . . . . . . . . . . . . . . 34
11.1.3. Substantive Changes from draft-ietf-*-02 to 11.1.3. Substantive Changes from draft-ietf-*-03 to
draft-ietf-*-03 . . . . . . . . . . . . . . . . . . . 33 draft-ietf-*-04 . . . . . . . . . . . . . . . . . . . 34
11.1.4. Substantive Changes from draft-ietf-*-01 to 11.1.4. Substantive Changes from draft-ietf-*-02 to
draft-ietf-*-02 . . . . . . . . . . . . . . . . . . . 33 draft-ietf-*-03 . . . . . . . . . . . . . . . . . . . 34
11.1.5. Substantive Changes from draft-ietf-*-00 to 11.1.5. Substantive Changes from draft-ietf-*-01 to
draft-ietf-*-01 . . . . . . . . . . . . . . . . . . . 33 draft-ietf-*-02 . . . . . . . . . . . . . . . . . . . 35
11.1.6. Substantive Changes from draft-dkg-*-05 to 11.1.6. Substantive Changes from draft-ietf-*-00 to
draft-ietf-*-00 . . . . . . . . . . . . . . . . . . . 33 draft-ietf-*-01 . . . . . . . . . . . . . . . . . . . 35
11.1.7. Substantive Changes from draft-dkg-*-04 to 11.1.7. Substantive Changes from draft-dkg-*-05 to
draft-dkg-*-05 . . . . . . . . . . . . . . . . . . . 33 draft-ietf-*-00 . . . . . . . . . . . . . . . . . . . 35
11.1.8. Substantive Changes from draft-dkg-*-03 to 11.1.8. Substantive Changes from draft-dkg-*-04 to
draft-dkg-*-04 . . . . . . . . . . . . . . . . . . . 33 draft-dkg-*-05 . . . . . . . . . . . . . . . . . . . 35
11.1.9. Substantive Changes from draft-dkg-*-02 to 11.1.9. Substantive Changes from draft-dkg-*-03 to
draft-dkg-*-03 . . . . . . . . . . . . . . . . . . . 34 draft-dkg-*-04 . . . . . . . . . . . . . . . . . . . 35
11.1.10. Substantive Changes from draft-dkg-*-01 to 11.1.10. Substantive Changes from draft-dkg-*-02 to
draft-dkg-*-02 . . . . . . . . . . . . . . . . . . . 34 draft-dkg-*-03 . . . . . . . . . . . . . . . . . . . 35
11.1.11. Substantive Changes from draft-dkg-*-00 to 11.1.11. Substantive Changes from draft-dkg-*-01 to
draft-dkg-*-01 . . . . . . . . . . . . . . . . . . . 34 draft-dkg-*-02 . . . . . . . . . . . . . . . . . . . 35
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 34 11.1.12. Substantive Changes from draft-dkg-*-00 to
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 draft-dkg-*-01 . . . . . . . . . . . . . . . . . . . 35
13.1. Normative References . . . . . . . . . . . . . . . . . . 34 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 36
13.2. Informative References . . . . . . . . . . . . . . . . . 35 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 36
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 36 13.1. Normative References . . . . . . . . . . . . . . . . . . 36
13.2. Informative References . . . . . . . . . . . . . . . . . 37
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 38
1. Introduction 1. Introduction
The S/MIME ([RFC8551]) development community, in particular the The S/MIME ([RFC8551]) development community, in particular the
e-mail development community, benefits from sharing samples of signed e-mail development community, benefits from sharing samples of signed
and/or encrypted data. Often the exact key material used does not and/or encrypted data. Often the exact key material used does not
matter because the properties being tested pertain to implementation matter because the properties being tested pertain to implementation
correctness, completeness or interoperability of the overall system. correctness, completeness or interoperability of the overall system.
However, without access to the relevant secret key material, a sample However, without access to the relevant secret key material, a sample
is useless. is useless.
skipping to change at page 4, line 42 skipping to change at page 4, line 42
1.3. Prior Work 1.3. Prior Work
[RFC4134] contains some sample certificates, as well as messages of [RFC4134] contains some sample certificates, as well as messages of
various S/MIME formats. That older work has unacceptably old various S/MIME formats. That older work has unacceptably old
algorithm choices that may introduce failures when testing modern algorithm choices that may introduce failures when testing modern
systems: in 2019, some tools explicitly mark 1024-bit RSA and systems: in 2019, some tools explicitly mark 1024-bit RSA and
1024-bit DSS as weak. 1024-bit DSS as weak.
This earlier document also does not use the now widely-accepted PEM This earlier document also does not use the now widely-accepted PEM
encoding for the objects, and instead embeds runnable perl code to encoding (see [RFC7468]) for the objects, and instead embeds runnable
extract them from the document. Perl code to extract them from the document.
It also includes examples of messages and other structures which are It also includes examples of messages and other structures which are
greater in ambition than this document intends to be. greater in ambition than this document intends to be.
[RFC8410] includes an example X25519 certificate that is certified [RFC8410] includes an example X25519 certificate that is certified
with Ed25519, but it appears to be self-issued, and it is not with Ed25519, but it appears to be self-issued, and it is not
directly useful in testing an S/MIME-capable MUA. directly useful in testing an S/MIME-capable MUA.
2. Background 2. Background
skipping to change at page 5, line 40 skipping to change at page 5, line 40
particularly useful to test or evaluate the interaction between particularly useful to test or evaluate the interaction between
certificate expiration and protected messages. certificate expiration and protected messages.
2.3. Certificate Revocation 2.3. Certificate Revocation
Because these are expected to be used in test suites or examples, and Because these are expected to be used in test suites or examples, and
we do not expect there to be online network services in these use we do not expect there to be online network services in these use
cases, we do not expect these certificates to produce any revocation cases, we do not expect these certificates to produce any revocation
artifacts. artifacts.
As a result, there are no OCSP or CRL indicators in any of the As a result, none of the certificates include either an OCSP
certificates. indicator (see id-ad-ocsp as defined in the Authority Information
Access X.509 extension in S.4.2.2.1 of [RFC5280]) or a CRL indicator
(see the CRL Disttribution Points X.509 extension as defined in
S.4.2.1.13 of [RFC5280]).
2.4. Using the CA in Test Suites 2.4. Using the CA in Test Suites
To use these end-entity certificates in a piece of software (for To use these end-entity certificates in a piece of software (for
example, in a test suite or an interoperability matrix), most tools example, in a test suite or an interoperability matrix), most tools
will need to accept either the Example RSA CA (Section 3) or the will need to accept either the Example RSA CA (Section 3) or the
Example Ed25519 CA (Section 6) as a legitimate root authority. Example Ed25519 CA (Section 6) as a legitimate root authority.
Note that some tooling behaves differently for certificates validated Note that some tooling behaves differently for certificates validated
by "locally-installed root CAs" than for pre-installed "system-level" by "locally-installed root CAs" than for pre-installed "system-level"
skipping to change at page 6, line 25 skipping to change at page 6, line 29
chain of more than one X.509 certificate. In particular, there is chain of more than one X.509 certificate. In particular, there is
typically a long-lived root CA that users' software knows about upon typically a long-lived root CA that users' software knows about upon
installation, and the end-entity certificate is issued by an installation, and the end-entity certificate is issued by an
intermediate CA, which is in turn issued by the root CA. intermediate CA, which is in turn issued by the root CA.
The example end-entity certificates in this document can be used with The example end-entity certificates in this document can be used with
either a simple two-link certificate chain (they are directly either a simple two-link certificate chain (they are directly
certified by their corresponding root CA), or in a three-link chain. certified by their corresponding root CA), or in a three-link chain.
For example, Alice's encryption certificate (Section 4.3, For example, Alice's encryption certificate (Section 4.3,
"alice.encrypt.crt") can be validated by a peer that directly trusts alice.encrypt.crt) can be validated by a peer that directly trusts
the Example RSA CA's root cert (Section 3.1, "ca.rsa.crt"): the Example RSA CA's root cert (Section 3.1, ca.rsa.crt):
╔════════════╗ ┌───────────────────┐ ╔════════════╗ ┌───────────────────┐
║ ca.rsa.crt ╟─→│ alice.encrypt.crt │ ║ ca.rsa.crt ╟─→│ alice.encrypt.crt │
╚════════════╝ └───────────────────┘ ╚════════════╝ └───────────────────┘
And it can also be validated by a peer that only directly trusts the And it can also be validated by a peer that only directly trusts the
Example Ed25519 CA's root cert (Section 6.1, "ca.25519.crt"), via an Example Ed25519 CA's root cert (Section 6.1, ca.25519.crt), via an
intermediate cross-signed CA cert (Section 3.3, "ca.rsa.cross.crt"): intermediate cross-signed CA cert (Section 3.3, ca.rsa.cross.crt):
╔══════════════╗ ┌──────────────────┐ ┌───────────────────┐ ╔══════════════╗ ┌──────────────────┐ ┌───────────────────┐
║ ca.25519.crt ╟─→│ ca.rsa.cross.crt ├─→│ alice.encrypt.crt │ ║ ca.25519.crt ╟─→│ ca.rsa.cross.crt ├─→│ alice.encrypt.crt │
╚══════════════╝ └──────────────────┘ └───────────────────┘ ╚══════════════╝ └──────────────────┘ └───────────────────┘
By omitting the cross-signed CA certs, it should be possible to test By omitting the cross-signed CA certs, it should be possible to test
a "transvalid" certificate (an end-entity certificate that is a "transvalid" certificate (an end-entity certificate that is
supplied without its intermediate certificate) in some supplied without its intermediate certificate) in some
configurations. configurations.
skipping to change at page 7, line 28 skipping to change at page 7, line 31
All RSA seeds used are 224 bits long (the first 224 bits of the All RSA seeds used are 224 bits long (the first 224 bits of the
SHA-256 digest of the origin string), and are represented in SHA-256 digest of the origin string), and are represented in
hexadecimal. hexadecimal.
3. Example RSA Certification Authority 3. Example RSA Certification Authority
The example RSA Certification Authority has the following The example RSA Certification Authority has the following
information: information:
* Name: "Sample LAMPS RSA Certification Authority" * Name: Sample LAMPS RSA Certification Authority
3.1. RSA Certification Authority Root Certificate 3.1. RSA Certification Authority Root Certificate
This cerificate is used to verify certificates issued by the example This certificate is used to verify certificates issued by the example
RSA Certification Authority. RSA Certification Authority.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDezCCAmOgAwIBAgITcBn0xb/zdaeCQlqp6yZUAGZUCDANBgkqhkiG9w0BAQ0F MIIDezCCAmOgAwIBAgITcBn0xb/zdaeCQlqp6yZUAGZUCDANBgkqhkiG9w0BAQ0F
ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo
U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx
MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowVTENMAsGA1UEChMESUVURjERMA8G MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowVTENMAsGA1UEChMESUVURjERMA8G
A1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlm A1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlm
aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC2GGPTEFVNdi0LsiQ79A0Mz2G+LRJlbX2vNo8STibAnyQ9VzFrGJHjUhRX/Omr AQC2GGPTEFVNdi0LsiQ79A0Mz2G+LRJlbX2vNo8STibAnyQ9VzFrGJHjUhRX/Omr
skipping to change at page 9, line 37 skipping to change at page 9, line 37
BqvpSoQjBLt1nDysV2krI0RwMIOzAWc0E9C8RMvJ6+RdU50Q1BSyjvLGaKi5AAHk BqvpSoQjBLt1nDysV2krI0RwMIOzAWc0E9C8RMvJ6+RdU50Q1BSyjvLGaKi5AAHk
PTk8cGYVO1BCHGlX8p3XYfw0xQaHxtuVCV8eYgCvAoGBAIZeiVhc0YTJOjUadz+0 PTk8cGYVO1BCHGlX8p3XYfw0xQaHxtuVCV8eYgCvAoGBAIZeiVhc0YTJOjUadz+0
vSOzA1arg5k2YCPCGf7z+ijM5rbMk7jrYixD6WMjTOkVLHDsVxMBpbA7GhL7TKy5 vSOzA1arg5k2YCPCGf7z+ijM5rbMk7jrYixD6WMjTOkVLHDsVxMBpbA7GhL7TKy5
cepBH1PVwxEIl8dqN+UoeJeBpnHo/cjJ0iCR9/aMJzI+qiUo3OMDR+UH99NIddKN cepBH1PVwxEIl8dqN+UoeJeBpnHo/cjJ0iCR9/aMJzI+qiUo3OMDR+UH99NIddKN
i75GRVLAeW0Izgt09EMEiD9joDswOQYKKwYBBAGSCBIIATErMCkGCWCGSAFlAwQC i75GRVLAeW0Izgt09EMEiD9joDswOQYKKwYBBAGSCBIIATErMCkGCWCGSAFlAwQC
AgQcpcG3hHYU7WYaawUiNRQotLfwnYzMotmTAt1i6Q== AgQcpcG3hHYU7WYaawUiNRQotLfwnYzMotmTAt1i6Q==
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This secret key was generated using provable prime generation found This secret key was generated using provable prime generation found
in [FIPS186-4] using the seed in [FIPS186-4] using the seed
"a5c1b7847614ed661a6b0522351428b4b7f09d8ccca2d99302dd62e9". This a5c1b7847614ed661a6b0522351428b4b7f09d8ccca2d99302dd62e9. This seed
seed is the first 224 bits of the [SHA256] digest of the string is the first 224 bits of the [SHA256] digest of the string draft-
"draft-lamps-sample-certs-keygen.ca.rsa.seed". lamps-sample-certs-keygen.ca.rsa.seed.
3.3. RSA Certification Authority Cross-signed Certificate 3.3. RSA Certification Authority Cross-signed Certificate
If an e-mail client only trusts the Ed25519 Certification Authority If an e-mail client only trusts the Ed25519 Certification Authority
Root Certificate found in Section 6.1, they can use this intermediate Root Certificate found in Section 6.1, they can use this intermediate
CA certificate to verify any end entity certificate issued by the CA certificate to verify any end entity certificate issued by the
example RSA Certification Authority. example RSA Certification Authority.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIC5zCCApmgAwIBAgITcTQnnf8DUsvAdvkX7mUemYos7DAFBgMrZXAwWTENMAsG MIIC5zCCApmgAwIBAgITcTQnnf8DUsvAdvkX7mUemYos7DAFBgMrZXAwWTENMAsG
skipping to change at page 10, line 28 skipping to change at page 10, line 28
EDAOMAwGCmCGSAFlAwIBMAIwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSRMI58 EDAOMAwGCmCGSAFlAwIBMAIwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSRMI58
BxcMp/EJKGU2GmccaHb0WTAfBgNVHSMEGDAWgBRropV9uhSb5C0E0Qek0YLkLmuM BxcMp/EJKGU2GmccaHb0WTAfBgNVHSMEGDAWgBRropV9uhSb5C0E0Qek0YLkLmuM
tTAFBgMrZXADQQBnQ+0eFP/BBKz8bVELVEPw9WFXwIGnyH7rrmLQJSE5GJmm7cYX tTAFBgMrZXADQQBnQ+0eFP/BBKz8bVELVEPw9WFXwIGnyH7rrmLQJSE5GJmm7cYX
FFJBGyc3NWzlxxyfJLsh0yYh04dxdM8R5hcD FFJBGyc3NWzlxxyfJLsh0yYh04dxdM8R5hcD
-----END CERTIFICATE----- -----END CERTIFICATE-----
4. Alice's Sample Certificates 4. Alice's Sample Certificates
Alice has the following information: Alice has the following information:
* Name: "Alice Lovelace" * Name: Alice Lovelace
* E-mail Address: "alice@smime.example" * E-mail Address: alice@smime.example
4.1. Alice's Signature Verification End-Entity Certificate 4.1. Alice's Signature Verification End-Entity Certificate
This certificate is used for verification of signatures made by This certificate is used for verification of signatures made by
Alice. Alice.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgITN0EFee11f0Kpolw69Phqzpqp1zANBgkqhkiG9w0BAQ0F MIIDzzCCAregAwIBAgITN0EFee11f0Kpolw69Phqzpqp1zANBgkqhkiG9w0BAQ0F
ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo
U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx
skipping to change at page 12, line 37 skipping to change at page 12, line 37
uEuM18+QM73hfLt26RBCHGXK1CUMMzL+fAQc7sjH1YXlkleFASg4rrpcrKqoR+KB uEuM18+QM73hfLt26RBCHGXK1CUMMzL+fAQc7sjH1YXlkleFASg4rrpcrKqoR+KB
YSiayNhAK4yrf+WN66C8VPknbA7us0L1TEbAOAECgYEAtwRiiQwk3BlqENFypyc8 YSiayNhAK4yrf+WN66C8VPknbA7us0L1TEbAOAECgYEAtwRiiQwk3BlqENFypyc8
0Q1pxp3U7ciHi8mni0kNcTqe57Y/2o8nY9ISnt1GffMs79YQfRXTRdEm2St6oChI 0Q1pxp3U7ciHi8mni0kNcTqe57Y/2o8nY9ISnt1GffMs79YQfRXTRdEm2St6oChI
9Cv5j74LHZXkgEVFfO2Nq/uwSzTZkePk+HoPJo4WtAdokZgRAyyHl0gEae8Rl89e 9Cv5j74LHZXkgEVFfO2Nq/uwSzTZkePk+HoPJo4WtAdokZgRAyyHl0gEae8Rl89e
yBX7dutONALjRZFTrg18CuegOzA5BgorBgEEAZIIEggBMSswKQYJYIZIAWUDBAIC yBX7dutONALjRZFTrg18CuegOzA5BgorBgEEAZIIEggBMSswKQYJYIZIAWUDBAIC
BBySyJ1DMNPY4x1P3pudD+bp/BQhQd1lpF5bQ28F BBySyJ1DMNPY4x1P3pudD+bp/BQhQd1lpF5bQ28F
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This secret key was generated using provable prime generation found This secret key was generated using provable prime generation found
in [FIPS186-4] using the seed in [FIPS186-4] using the seed
"92c89d4330d3d8e31d4fde9b9d0fe6e9fc142141dd65a45e5b436f05". This 92c89d4330d3d8e31d4fde9b9d0fe6e9fc142141dd65a45e5b436f05. This seed
seed is the first 224 bits of the [SHA256] digest of the string is the first 224 bits of the [SHA256] digest of the string draft-
"draft-lamps-sample-certs-keygen.alice.sign.seed". lamps-sample-certs-keygen.alice.sign.seed.
4.3. Alice's Encryption End-Entity Certificate 4.3. Alice's Encryption End-Entity Certificate
This certificate is used to encrypt messages to Alice. This certificate is used to encrypt messages to Alice.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgITDy0lvRE5l0rOQlSHoe49NAaKtDANBgkqhkiG9w0BAQ0F MIIDzzCCAregAwIBAgITDy0lvRE5l0rOQlSHoe49NAaKtDANBgkqhkiG9w0BAQ0F
ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo
U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx
MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowOzENMAsGA1UEChMESUVURjERMA8G MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowOzENMAsGA1UEChMESUVURjERMA8G
skipping to change at page 14, line 37 skipping to change at page 14, line 37
fDGDv7wb5FIgykypqtn4lpvjHUHA6hX90gShT3TTTsZ0SjJJGgZEeV/2qyq+ZdF/ fDGDv7wb5FIgykypqtn4lpvjHUHA6hX90gShT3TTTsZ0SjJJGgZEeV/2qyq+ZdF/
Ya+ecV26BzR1Vfuzs4jBnCuS4DaHgxcuWW2N6pZRAoGAWTovk3xdtE0TZvDerxUY Ya+ecV26BzR1Vfuzs4jBnCuS4DaHgxcuWW2N6pZRAoGAWTovk3xdtE0TZvDerxUY
l8hX+vwJGy7uZjegi4cFecSkOR4iekVxrEvEGhpNdEB2GqdLgp6Q6GPdalCG2wc4 l8hX+vwJGy7uZjegi4cFecSkOR4iekVxrEvEGhpNdEB2GqdLgp6Q6GPdalCG2wc4
7pojp/0inc4RtRRf3nZHaTy00bnSe/0y+t0OUbkRMtXhnViVhCcOt6BUcsHupbu2 7pojp/0inc4RtRRf3nZHaTy00bnSe/0y+t0OUbkRMtXhnViVhCcOt6BUcsHupbu2
Adub72KLk+gvASDduuatGjqgOzA5BgorBgEEAZIIEggBMSswKQYJYIZIAWUDBAIC Adub72KLk+gvASDduuatGjqgOzA5BgorBgEEAZIIEggBMSswKQYJYIZIAWUDBAIC
BBwc90hJ90RfRmxCciUfX5a3f6Bpiz6Ys/Hugge/ BBwc90hJ90RfRmxCciUfX5a3f6Bpiz6Ys/Hugge/
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This secret key was generated using provable prime generation found This secret key was generated using provable prime generation found
in [FIPS186-4] using the seed in [FIPS186-4] using the seed
"1cf74849f7445f466c4272251f5f96b77fa0698b3e98b3f1ee8207bf". This 1cf74849f7445f466c4272251f5f96b77fa0698b3e98b3f1ee8207bf. This seed
seed is the first 224 bits of the [SHA256] digest of the string is the first 224 bits of the [SHA256] digest of the string draft-
"draft-lamps-sample-certs-keygen.alice.encrypt.seed". lamps-sample-certs-keygen.alice.encrypt.seed.
4.5. PKCS12 Object for Alice 4.5. PKCS12 Object for Alice
This PKCS12 ([RFC7292]) object contains the same information as This PKCS12 ([RFC7292]) object contains the same information as
presented in Section 4.1, Section 4.2, Section 4.3, Section 4.4, and presented in Section 4.1, Section 4.2, Section 4.3, Section 4.4, and
Section 3.3. Section 3.3.
It is locked with the simple five-letter password "alice". It is locked with the simple five-letter password alice.
-----BEGIN PKCS12----- -----BEGIN PKCS12-----
MIIX+AIBAzCCF8AGCSqGSIb3DQEHAaCCF7EEghetMIIXqTCCBI8GCSqGSIb3DQEH MIIX+AIBAzCCF8AGCSqGSIb3DQEHAaCCF7EEghetMIIXqTCCBI8GCSqGSIb3DQEH
BqCCBIAwggR8AgEAMIIEdQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIWQKs BqCCBIAwggR8AgEAMIIEdQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIWQKs
PyUaB9YCAhTCgIIESCsrTOUTY394FyrjkeCBSV1dw7I3o9oZN7N6Ux2KyIamsWiJ PyUaB9YCAhTCgIIESCsrTOUTY394FyrjkeCBSV1dw7I3o9oZN7N6Ux2KyIamsWiJ
77t7RL1/VSxSBLjVV8Sn5+/o3mFjr5NkyQbWuky33ySVy3HZUdZc2RTooyFEdRi8 77t7RL1/VSxSBLjVV8Sn5+/o3mFjr5NkyQbWuky33ySVy3HZUdZc2RTooyFEdRi8
x82dzEaVmab7pW4zpoG/IVR6OTizcWJOooGoE0ORim6y2G+iRZ3ePBUq0+8eSNYW x82dzEaVmab7pW4zpoG/IVR6OTizcWJOooGoE0ORim6y2G+iRZ3ePBUq0+8eSNYW
+jIWov9abdFqj9j1bQKj/Hrdje2TCdl6a9sSlTFYvIxBWUdPlZDwvCQqwiCWmXeI +jIWov9abdFqj9j1bQKj/Hrdje2TCdl6a9sSlTFYvIxBWUdPlZDwvCQqwiCWmXeI
6T9EpZldksDjr5N+zFhSLoRwABGRU8jXSU9AEsem9DFxoqZq8VsQcegQFY6aJcZO 6T9EpZldksDjr5N+zFhSLoRwABGRU8jXSU9AEsem9DFxoqZq8VsQcegQFY6aJcZO
Xel7IECIAgK8nZlKCTzyNVALxeFw0ijWnW4ltDaqcC6GepmuINiqqdD94YAOHxRl Xel7IECIAgK8nZlKCTzyNVALxeFw0ijWnW4ltDaqcC6GepmuINiqqdD94YAOHxRl
skipping to change at page 17, line 43 skipping to change at page 17, line 43
coTqPkm/XGNMmOZ81KX/ReVdP+dC93sov2DuDZbYGPmHlD47bOOiA68GD64DEuNt coTqPkm/XGNMmOZ81KX/ReVdP+dC93sov2DuDZbYGPmHlD47bOOiA68GD64DEuNt
Q8MhWk8VRR1FqcuwB0T0bc+SIKEINkvYmDFAMBkGCSqGSIb3DQEJFDEMHgoAYQBs Q8MhWk8VRR1FqcuwB0T0bc+SIKEINkvYmDFAMBkGCSqGSIb3DQEJFDEMHgoAYQBs
AGkAYwBlMCMGCSqGSIb3DQEJFTEWBBS79syyLR0GEhyXrilqkBDTIGZmczAvMB8w AGkAYwBlMCMGCSqGSIb3DQEJFTEWBBS79syyLR0GEhyXrilqkBDTIGZmczAvMB8w
BwYFKw4DAhoEFO/nnMx9hi1oZ0S+JkJAu+H3/jPzBAj1OQCGvaJQwQICKAA= BwYFKw4DAhoEFO/nnMx9hi1oZ0S+JkJAu+H3/jPzBAj1OQCGvaJQwQICKAA=
-----END PKCS12----- -----END PKCS12-----
5. Bob's Sample 5. Bob's Sample
Bob has the following information: Bob has the following information:
* Name: "Bob Babbage" * Name: Bob Babbage
* E-mail Address: "bob@smime.example" * E-mail Address: bob@smime.example
5.1. Bob's Signature Verification End-Entity Certificate 5.1. Bob's Signature Verification End-Entity Certificate
This certificate is used for verification of signatures made by Bob. This certificate is used for verification of signatures made by Bob.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDyjCCArKgAwIBAgITaqOkD33fBy/kGaVsmPv8LghbwzANBgkqhkiG9w0BAQ0F MIIDyjCCArKgAwIBAgITaqOkD33fBy/kGaVsmPv8LghbwzANBgkqhkiG9w0BAQ0F
ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo
U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx
MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowODENMAsGA1UEChMESUVURjERMA8G MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowODENMAsGA1UEChMESUVURjERMA8G
skipping to change at page 19, line 37 skipping to change at page 19, line 37
s5n5iwI1VZEtDbKTt1kqKCp8tqAV9p9AYWQKrgzxUJsOuUWcZc+X3aWEf87IIpNE s5n5iwI1VZEtDbKTt1kqKCp8tqAV9p9AYWQKrgzxUJsOuUWcZc+X3aWEf87IIpNE
iQKfXiZaquZ23T2tKvsoZz8nqg9x7U8hG3uYLV26HQKBgCOJ/C21yW25NwZ5FUdh iQKfXiZaquZ23T2tKvsoZz8nqg9x7U8hG3uYLV26HQKBgCOJ/C21yW25NwZ5FUdh
PsQmVH7+YydJaLzHS/c7PrOgQFRMdejvAku/eYJbKbUv7qsJFIG4i/IG0CfVmu/B PsQmVH7+YydJaLzHS/c7PrOgQFRMdejvAku/eYJbKbUv7qsJFIG4i/IG0CfVmu/B
ax5fbfYZtoB/0zxWaLkIEStVWaKrSKRdTrNzTAOreeJKsY4RNp6rvmpgojbmIGA1 ax5fbfYZtoB/0zxWaLkIEStVWaKrSKRdTrNzTAOreeJKsY4RNp6rvmpgojbmIGA1
Tg8Mup0xQ8F4d28rtUeynHxzoDswOQYKKwYBBAGSCBIIATErMCkGCWCGSAFlAwQC Tg8Mup0xQ8F4d28rtUeynHxzoDswOQYKKwYBBAGSCBIIATErMCkGCWCGSAFlAwQC
AgQc9K+qy7VHPzYOBqwy4AGI/kFzrhXJm88EOouPbg== AgQc9K+qy7VHPzYOBqwy4AGI/kFzrhXJm88EOouPbg==
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This secret key was generated using provable prime generation found This secret key was generated using provable prime generation found
in [FIPS186-4] using the seed in [FIPS186-4] using the seed
"f4afaacbb5473f360e06ac32e00188fe4173ae15c99bcf043a8b8f6e". This f4afaacbb5473f360e06ac32e00188fe4173ae15c99bcf043a8b8f6e. This seed
seed is the first 224 bits of the [SHA256] digest of the string is the first 224 bits of the [SHA256] digest of the string draft-
"draft-lamps-sample-certs-keygen.bob.sign.seed". lamps-sample-certs-keygen.bob.sign.seed.
5.3. Bob's Encryption End-Entity Certificate 5.3. Bob's Encryption End-Entity Certificate
This certificate is used to encrypt messages to Bob. This certificate is used to encrypt messages to Bob.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDyjCCArKgAwIBAgITMHxHQA+GJjocYtLrgy+WwNeGlDANBgkqhkiG9w0BAQ0F MIIDyjCCArKgAwIBAgITMHxHQA+GJjocYtLrgy+WwNeGlDANBgkqhkiG9w0BAQ0F
ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo
U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx
MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowODENMAsGA1UEChMESUVURjERMA8G MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowODENMAsGA1UEChMESUVURjERMA8G
skipping to change at page 21, line 37 skipping to change at page 21, line 37
dOXFU7gCdBeMotTBA7uBVUxZOtKQyl9bTorNU1wNn1zNnJbETDLi1WH9zCdkrTIC dOXFU7gCdBeMotTBA7uBVUxZOtKQyl9bTorNU1wNn1zNnJbETDLi1WH9zCdkrTIC
PtFK67WQ6yMFdWzC1gEy5YjzRjbTe/rukbP5weH1uQKBgQC+WfachEmQ3NcxSjbR PtFK67WQ6yMFdWzC1gEy5YjzRjbTe/rukbP5weH1uQKBgQC+WfachEmQ3NcxSjbR
kUxCcida8REewWh4AldU8U0gFcFxF6YwQI8I7ujtnCK2RKTECG9HCyaDXgMwfArV kUxCcida8REewWh4AldU8U0gFcFxF6YwQI8I7ujtnCK2RKTECG9HCyaDXgMwfArV
zf17a9xDJL2LQKrJ9ATeSo34o9zIkpbJL0NCHHocOqYdHU+VO2ZE4Gu8DKk3siVH zf17a9xDJL2LQKrJ9ATeSo34o9zIkpbJL0NCHHocOqYdHU+VO2ZE4Gu8DKk3siVH
XAaJ/RJSEqAIMOgwfGuHOhhto6A7MDkGCisGAQQBkggSCAExKzApBglghkgBZQME XAaJ/RJSEqAIMOgwfGuHOhhto6A7MDkGCisGAQQBkggSCAExKzApBglghkgBZQME
AgIEHJjImYZSlYkp6InjQZ87/Q7f4KyhXaMGDe34oeg= AgIEHJjImYZSlYkp6InjQZ87/Q7f4KyhXaMGDe34oeg=
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This secret key was generated using provable prime generation found This secret key was generated using provable prime generation found
in [FIPS186-4] using the seed in [FIPS186-4] using the seed
"98c8998652958929e889e3419f3bfd0edfe0aca15da3060dedf8a1e8". This 98c8998652958929e889e3419f3bfd0edfe0aca15da3060dedf8a1e8. This seed
seed is the first 224 bits of the [SHA256] digest of the string is the first 224 bits of the [SHA256] digest of the string draft-
"draft-lamps-sample-certs-keygen.bob.encrypt.seed". lamps-sample-certs-keygen.bob.encrypt.seed.
5.5. PKCS12 Object for Bob 5.5. PKCS12 Object for Bob
This PKCS12 ([RFC7292]) object contains the same information as This PKCS12 ([RFC7292]) object contains the same information as
presented in Section 5.1, Section 5.2, Section 5.3, Section 5.4, and presented in Section 5.1, Section 5.2, Section 5.3, Section 5.4, and
Section 3.3. Section 3.3.
It is locked with the simple three-letter password "bob". It is locked with the simple three-letter password bob.
-----BEGIN PKCS12----- -----BEGIN PKCS12-----
MIIX6AIBAzCCF7AGCSqGSIb3DQEHAaCCF6EEghedMIIXmTCCBIcGCSqGSIb3DQEH MIIX6AIBAzCCF7AGCSqGSIb3DQEHAaCCF6EEghedMIIXmTCCBIcGCSqGSIb3DQEH
BqCCBHgwggR0AgEAMIIEbQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIe/d6 BqCCBHgwggR0AgEAMIIEbQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQI6NTC
qDQ/28QCAhQGgIIEQJKA5kzRVm9d6rEwC/0RyBSgpPuSROUQTjspt6EhBZlgHc3u of68mzgCAhQXgIIEQDuXJ0vv86loQC7vz26FjGylSr7mt6epUVNUtlEn9tbsIjjw
FTCPaO5P/vpeWaCnBRarGFn3DmqA3JT+59bmRpGdiP3Zrlk2EbHi0yrd2P3UFDnX IGpu0eRzEk8ezAfzL0R5NaeVKkoFDvihn7NOoclhWPt66SJmiss54pRRkrVlTVwf
qRkkI+7pf6eOHWJRntJA+KJS8v3tZ/hpiEKAEav/Mq0IFNFyEiZpCkbKCX5auDb1 qY9tHeWQShQQjBU0suq9MOIJYZDfsT+aFJJNVSPNid4mj8npvP3p5d0M7Jh8kQUp
p5c3J2MNg/WNBfpGJUHKVIzuIF3H+8LfFgayRsDsppoUMffR+GmdL8nxLiqhraHD Ia+/YWQD8KX7GtJ6ObyhF88gxuWs0a5GqXqE3qIC3ULOQVE13SORmql5Tvxyr9iK
+Iqr3LpEroNi/iZQWUTFTUlaePf/2KMqaHOuy41IVvcH1jIcLXHGNa66S8AP/Hj2 f/J9pfWmmr7uHsztBO9mzze872PBQ27Zgc2sojR5FcxHZWFQvUxRkjzMGDh/QC15
TJPPg/lve76DVaGdEnx4QJd4pBFQac90zmhxU1HZrvzubK9t4e5lr80wpd2djvZK 5j+Nc+eke8KJSh0PoO8/RPbDjbPekPd1JKvAr+eU/ksw205ldcZqVUVyQTLFghr8
wSLzUgtQZXq8pSs1r85vrb3KItdYGF6SZpX029FS7rY3uYth5SYVUQWdUYYY3S0/ G8thAh/SzUPeZ5Ag6FLLCxBuaj8HDyFC7hIoYjaNuPd3QxtTrgAuDFzB6+SlEfGj
nsaLg4MCWUO4Sh7nYJZl5Ijkk9LS7JhmwKvizHRRTXbLyRDH06e+jCRgLcU2WSUq MFxd4m1gXJYOm0OaKE+rRAHZ8KtGnr43vK/QAnSkW6G1evZc0kcAW7fNfAg8Oqzk
1bEr9Jy0ucK8zNPTf8HWBTS0ubvy4JfO3mVp4REX/8ozXlLztWGblFGbyaJ9Y4ga J84xBrc9OwF+IFMYJteYEGcsb49Djzb5QDwusMDQ2SBJatNsFNMTv8+w79toyMWd
LM3JpKxMtb1UTxoAyj3iFwGlGZFGKBlWplr+OdkKkC4dloFE22IINfLdRNLV9mPO fEaqmdQ6GvZOf9rNNSWVgT+g7EGAEUtA1cXrz5cuHdFN5qcKM0+948++A59BB9dw
aGZhsDheB8iVOtN01u91BlU68Q7AL1ryXWUSjouKGRSU6uMDLZ7rw0wlZC1m4oLG 2+J+YSZ/3XxUGP/4zFwJE6ZgrjZYl5h9uqxE+tABVZVvtv16hJgXojFlyRUe6DY7
BF8CmO4ELmbOci78fBs/qDXlf3BJazcNtciamEsQPYRGkHASBRYtoDfVy6mTT40o Mxt0a/NomXzNM/cXrqJ1tnhaCSTBdeUSvgQi2U6k9y76Jj4Mc1T7tUG7rZHvyAyE
obdrZigcvCwttDBu7RtynAQVZ8DvKzxFGhe2p2Yc9H5A5ML7IwqNtYzheduBAQTE q4WBZ6U+GD89Agrg2pSn+zVS2BJc68P1WRRqsX87yaD60UuGuoIphCkYnxfSCmdX
jAU2jMqwnZN5wULEnH2TF6KAQNrKdtBYMbqkToKgxf5Zf+cJZbyQq7WM6nVfOM7g O3aZOG3/3l37FkViFooPJ+91t455P2vyiDS0gfUffpH+jWyC6c4lbs5mmQW/HlMy
kcFdeHDn/CWoSNHI1+JA3wSDM06zkU5HMd2MpT1RLTSaemImUKCAGYieJmwNQxR9 cKNbIzvlvRhC5xwgS6T8jaJjMTSOdX6G/gxIx+JOmPpZT3uJ1IQtn1Kec0uhq3B9
aYHBBw5BNBw1XRB7WRka2Uah0Xq/wAgaI/o9L+mShDRFJjFi+t8AV3KR0WWHg02O i9pBQwPTzzE0oLac9QHiVDl7EWWfAQQENSKuGkZ2yDx32sdLU62l1N6w3anUIv41
9qchX7P5H3Sy/tq8yUQIol+hRiRjkfi9qy6AxIRttrK4WbW4scUtBZSkg9uFkTVU cAZjqEB5AWpDPCO/9yVtrpnN9FfFx0q4XC9qkTCwFh07YSXrZ/o1c9XO36wZ9Osp
ybnV6WvBpn2SrnwF/E1ueKARVmouWJ/7fiLJXk6wVvVtuBZw2gE5QGfuCwq0PQsC YI3M4bWFDXOdMiNr/RxnBC/cOs3UsYgpnV7Po5hSmxb5Ncew6g7YN71lkY0UXk0k
xPx8MhNl1KZYDVCGsyUr/LMHeKNc31S2HLGQK7kh/o+QQazafiJocQ+kRbS1VX1D 5zCkATF2Qu9wfA35BX+N4eghN5ArQjgS7so6ohw9C1egknScU5CiJJ2XsXGKPxsw
nQlIhz4zvKsBgzHpoe3wQcfAY5sp2ubepsZ5T/YHkmroBmvA4g1vi7nlCetgxXrh L12O+kQRv5/s1QxGbru2C/oKeQnBR8cuWrtYXFLHXhGl8i8pcX0OO6ABYRenqJsq
2V6OXvaZ+BnfsYxJeUZGnNMNEDFlzS7xB18ojtT5JN0o+9tLsdikdikl69IsVv+2 EDJf5MppbN486UivL/mq0dgHHpl99rmtXJaBaq+aSF8bZGZUOTMOcI0mhlq2kcWT
eCv9Go+wh19cSAL24rkzdKVuiIAXS7tzel3eWGjdKoq3Ke+tfJtobSGrB39xgLVr F1wrwFt7iMPAg4SxJTAFaxnIlLvesxGQLWvnaQyK+l4Rua9C7HxONrp2tDh9Qwie
3ho63hd+qTUyjcAhVL3hAJinv+/KT0jR8fq+CDsXMnCEWugHhwB+66NOr876MIIE Yo30dRbOQR4xD3SEHloH9UMei2E8hXMztS5tPFIgKuiTVqQid26C5rcP7kV+MIIE
bwYJKoZIhvcNAQcGoIIEYDCCBFwCAQAwggRVBgkqhkiG9w0BBwEwHAYKKoZIhvcN bwYJKoZIhvcNAQcGoIIEYDCCBFwCAQAwggRVBgkqhkiG9w0BBwEwHAYKKoZIhvcN
AQwBAzAOBAjiGuDSkfG4UwICFLWAggQogyL08hPtUl52dkO+BVimcGXW3FmDrT0D AQwBAzAOBAjEoygdzjeRWwICFCeAggQoV/qxKd0svQ+7Pkd6VDs7zPVlHbxynt78
gU3Drd0P76KzYzd2lLuGb9dx84wx0XnFIXeBM4F3QSDbCK4tOuJ6JRaEeUoCAyZd MAz98oshJ0OyG5RXL++heW2+x5u6lmNhD5LjgLjcUToGCYDwJFzqI8QiwgCvcpfE
XyHtLjVeuozt2xHBDUgQVEO1dZHtk1VUgzLSCha1rXjcwpa4+8xqqoVM3Cl5uBh6 obiCI2+Ev9FZ7H8gRsASIP1DDaiYXuO3xJrAaQM77uLek6T18X+BsmvRWzRpN4Hi
QLUNey8Z3YlKlk018Tdge6OOUrg72BPKppNfJlN4TnOFwMVMA/qHAJl4pL1YDpmc JyKFPX5mcBX6AgFaVLJKhZ/GXcTuxFga8uA2sFzxridzgW3120ghCLDx9aL/8JVo
5BZm4tMg0HvPiz96uwjEhw1GZFGOgZIogeVJuqCNiZPDjCFEDgnCw6sciS5Bi+dX 9DaxMqo8aS0gL1yasjidAd6bkiPnZNztEIYWBHy7jq468KjmxO6XL3sn6VOIgjRL
Km0VUdamSr93e2eEPLbzxZR0E0A3IcOj66iHuZpU9YhKzsAIhLMxT8kF81I0ZZzj PSSYcPKktZWhxlQgEg+OdOLzli4PqA/7ILbcPQ/wk6XA19uzmxTO2zhk8lBaGb+p
8N+P1hnkjdVWuJLg77pkXxQJyvuT0e2oc9r/DCHjckneen3+E66IKsYbib7sX4g6 C84Kf2cYaI1RkpHzEmqPs3EpJMbBhwxVT7Gw2nfTmMIKCUfRfxCqtWOhC3pEo/Nn
2oFBJs+7xQopy69pC8jCn3fx61t7AFx2RIvuVHY/eU4sXoWkJNqQ3Vxj2SPWKjzJ 9MnZq5iqb5tJ6tUAqSkXYN+/JEM5g9Yf94m5JAlbnxYDMhWU5Mz0v00hxCd4jn8/
4IIvWVxIFiQjjOtDFdGYPGukJXn62Lbb8CFgam9s4jDKnr0LHIngVeUIgi4wkvva fK0st+vTPpbIFXH6XeKrGwYyKBluycM2jExXsjbLnX2aINShCDuxn/LOO6hYGkcc
QzZTzXfUApezQgQqy4x+ogdiYF1UOa0OaqvrGRiiJlMdRi0/MDy+jzkX5cULhxkF 7+G/kQjacDlbdJ5LtaZwbfU7p4AR+OxaqA4lr5uk+OFcMW2lF+Bbwim2F5gs3NW3
vdBNCirv+3zBaiJ5Eu6q0zP5Cxi2qXhSbehZqvTPB4dD/vu9yxHpZmUCvzm7H213 1KDtsrgyHTPNal8vjuWtPmZhqBR+0lwmTmaGdVmG0Q3EOthXPmB7k/iRobS/JwFV
Tdrb9WxHOc92ZpBzsfiCA1smVwTDFVGa/kqN6noPw0qWZANIk27/+apsTkBYaVpa oi0u6wkwelCkYplObE9RqCjx78Xts+0M/WVlGkjnuhWthv8pvK8L3C/eQLVXLlrn
jpfn9eydi5eV2+pEQV08fh4OJfiKbHS0l2E3Gp/rPm9lVgmCmjBWh+Di1k4qgF/f Yf2DlWVQH64S3U/TjEwVrOVNpfqAST7KJy85JWTnShGqySRB8h+LYBHa60YiCBg3
lsxWgzXNOxPntpohnM6AZDxW9Sk+BElDLYS4WFwUg679BsJG6hQqAZKvG/8agSH2 Qn6ZOn/aJN+dxOm1JthNJojB6DSt+gEIDr1XWQJjmiy2Bg4DnM8wRa58jfxWi/wH
k+TKKYUbXbFVCB0+iuNZIwgf4qxGzvI5+Iok+OcxuGCqwOu30QbfECEG01QbKETn a8tHGpq8DdJhKRIWvOK2YveUQ01KWVAxNnzYmREGHQGEc9d4kp5hBltX7Xh1+OWT
ic3kMiZ5Cxt7NQSuyEYAQ/AmvM4qo0x7Tw1r7tR8BcAEF6fGxd2VXIV8Tr/pXGO2 zDa9Zqgq0+l2SffVerERsY0KuCo6g7DCOieyDsWJEtKF3LsAcYclWq7X0RYk5ta0
HL+0iIHs+Ob67zlTHr7wUB4tCp9LC3IIWdsr7KcSRNEMXpUIFI0etCjNgCU3iT+R MKcG4kXZ6KJOkTynZQTtuBOJ8t7g2u0PxzxZxgLit2ukd5zm8KIdoTdUgz7Q5ZVO
915215OfWNGxQfaXTEyMVNaT1HpwihIisSb9QHbagaRLbYmqJ+ILSECADYQPEWf+ ukxK4S9mn6Slfkea0k4mxRh6wttcDJ5jr7yv5iEIvQ3J2XqH64W70fm5tbD3l3W5
LTO1tcOhkIb6BiwVWUuOOqNj6ILJM2XvmknATyUj9MYcd77xOJzMrJE5VtaM5BVT fyaBxTpmb5rX7oqE0WOjtr1GVurbydUVnvBD7Jxir5tmnGsdUvRPeGYy6x4K86wH
oRpcOLfhYOmihceGSEqXX5golkqfLUze7zlslNWMYTTLw6tC6I+c/IUIWJnZT4m2 b7IU9GEqyS44J/P2p0s+6/tOCtiS1kGRGkf5UEkEqmKu0rzhZVBx2ImqjwmOqy0c
RbTQ0krfPn94zbTjrG42HS5+Ke3ySV6Fv8MZ+s93yY1v9iB6cVPEUteLRc+C7e7t xYnPItLdV6FVRX0Pvc7ROnqdRABpNo9bClEENR80v+hnqyh1MARDWOdUCZtccf6l
lw0bQ2+MyAkjenS5Td+3tC7lR42O2CSfY2SaOsRv+EaYjTGzf9F3TM706o5+VZrM ttG5ihCcK8LunDF//qXcgFZsRvSwzAWhJkHbubpAJmkbDS7Zv25yvo/bG5VyXGqF
gtIKtw2okRcjRhaKDfhui6jo46YYzWbrgOS3vzc60VcwggNnBgkqhkiG9w0BBwag eAbSQHM5JJQWy9daTEeo41n2tyZu9Ubjxo7w3QhtF3UwggNnBgkqhkiG9w0BBwag
ggNYMIIDVAIBADCCA00GCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECEyHXPVs ggNYMIIDVAIBADCCA00GCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECCwvAkUo
ncxTAgIUQ4CCAyDSBlYeFnsa4vtKApbLnd9FENDYeYqkKmj0lkDagMqHC22/nQ9v pFtUAgIU0oCCAyAyxF7F1HQNryZd8PlbEy/f1R8MWtVQDEIJ30eTlaate/rS5RO9
gz2lOo5FQJoaJx/WSorQt0Jny1QP9vZd2t+bkfoaXOR0MtmFY5SOtYEudJplrCz+ 9MOlglCc43bhk6iHzZuJ9FV/fWlFaJ6JmFPkyLPif8Rn/9EFTXGVq7smLvk0POCU
ZEw8JlePJRP0Q3lnwEiSk5NnXLRWNzurIeuyZEd1VbTvi/rF22sRWlmU335L67zj BBq/rI378tu9DbVT1JiWULvvD4bzwvChBSTlzNUo5HGRNfS/J3mLmm35c1ETYktH
P1sPeXkBpIYCPLHw8E4rkaC8G1ko5wyrnhuqL4ItzhvOORvgRaDflpP9WTj9LVUv L05NM86Yv2RUiTpRYDDK99heCYRwflrV6CPv+pJ5mNtniN0L4VtIPhSNczLoUZgL
FD5D59zgb0ptaW0jIw4JplIGXIEZIynW4KfkWy2YJvsXiuLHvN3Z8qL6VtxNGk1s hraX4qqQ82NN9VR+WBoQjvLfJSMtYxqCxkEc7uKG/cu0EJ5QAv3ufvTLq5TajXRd
g340uKkUUlzmtDJqGT9RVkoYBXxN7KYesbSttONhPwdv/MxHrEo8TGHZAvbmwgft Yb4Vvjxuik7WLKK4lXSMyFgvgY/NRL9zLFETTEJgpDHcfYgMmSKVy9gxZ+8S6i69
hOUrc/WVtUopPEs4QgrsA8d0MrSd5lVtPW0XPsBPEnLuh7dqAlmgztYlP4Yztk2/ 8okItTqJxnKZM1c/C+aAVaQb+ZiB805ntsp06zCYQljN4cnIlaMphAqf6ht6eg8M
JJ+E4MosmhRjbKzM2N5WuGlDC5m9KF/5JjNVwQ7e8gMeUv/3gizgCG/4Mgng0VGG 77I2/ZTnDw0ED/0ZGVvNKoqSE+Twito4KcZ3b9e8B15gZYhtzoE62x4kHEYYqM4+
IxGzzBoQXPWCKdT3sLQVyt4/pqPBpZYnP09bmkkY/UIa1unNB+WWpLOkKSzD5wRv TVxey+9pkTGK5Y4xeDld/WiML3t/7G4jdub05Wwnu4YzqHGqKFV6gFgLqSAVlWvU
/2xmNO2D37DnHwTFYC51ZblKz7FGjOgCwG95VPc8NQ8aG5rqpQ+muq/Jil5mXgNw Ytn5/Ox+MjHet0tSU4ByIkbjL8G+nInc9KFBZ7udc/Qwqsn394BT0k/b4LNSvatK
IDeM4bawa01UKEzqTGQUb3gsJMGiVOhgtOrBiO9Kx/2PJolUuwZGcbo4oGSVR7KH JFl1z/VlnA//DyiGc1l1KWqBPLJ+0Bq0gzKse9bCFtNuYPnQf1INuRuCjxhdsCbu
lLgIuC8aIQDyFURVYRCNwOw5U7JN5arkvZ4ty0/qk5UbjxQuDkF8o6ZdViO3l0Do CMgu2r3l7lVRscL7KbpD//cjjWza7C816hzZ21TJWLAe5HxmLs7Etnpu+/R7LwYI
C+6zvncDx4HvUd6uQ+u/kZfr8qfwM5o6D2qXhS/ZHSkq2xwIzb47uUUqaeg3yOZJ jpeQPVTNzdnt7FM+bf4rWwkxfoEx/lSvV/Fdp+WGrMZ7+2VK1PHThIUo9yJRN30z
++na7gC+ibtHXXnNsHUvPbpCn9qViFhzilcQZYq0tZxDKa0E/pzEP/IA4IG24wEL aLpRyzLR5i9qt6yyk1cLxtztoBIBmb/GvJEXEOWF80r92+LlI53sHdnqD+0+mgRE
GnyuUIHXBS9T0MchTxl7BglycOPRDnFKzMQfUXY1rAErK76cs3y4VQDbfYDiOzsa LfnsE6vCQE5hyI9lxXalyqVUdspAsMQA5Zs94fctvZ27UzVtE5EuY6X9/4UrE7Fj
1qqMApIX4i/qKFdRvDuLxtZQbVA/rNumm40LPUQ5OvEngIESA74G+//YQbVjbMjP bdg7jWHVbGO/KvMa0UvgRxbglAJLAN6CwdMT1Cbca01MrmK9pcZBMKuJDcUibmQO
y+hm7/15q5LRo9YxCS49KGlz4NG1QMWjnfkpOCNVZVpaQ7TPGOIYzBL6kTCCBZgG mzeunDJBT+BVbNRSo0zKAAfEWonFNgNdqjE9uMXzlhaIbGFlDxXhfPt9NDCCBZgG
CSqGSIb3DQEHAaCCBYkEggWFMIIFgTCCBX0GCyqGSIb3DQEMCgECoIIFLjCCBSow CSqGSIb3DQEHAaCCBYkEggWFMIIFgTCCBX0GCyqGSIb3DQEMCgECoIIFLjCCBSow
HAYKKoZIhvcNAQwBAzAOBAiO/0ICbTbZLQICFOwEggUIFwT/JI8UjJQPfYTFonJE HAYKKoZIhvcNAQwBAzAOBAh3So2X8cem5gICFDIEggUIhIUw+YkTW0xCm9S8Kn3k
o8zEbpYWXKboqw6/zZsMGmAnUPgQNQDxyuLVprs5jUc437kVB2M3F0x8DjmEppeb Fm6mI68Da4CD0b/5H2QU0UaMg1DT05TwCybWFIsjdEmHhXALvxQ53nTZyIEYp5Jf
tHfIoyjoXF7jdnA4EF38tsso0K1nMPmSgl02iYZtOqsOvBpfeO5Hj4Ovhi26J9Pz 6ICOwXBm3Vn5TL9472L6e5RPG2li1IrowR0nzFxr7oiSNWMhmv9NZbBNtHbH9KfT
TwPcgl3QQPqfWv7CwgGVn4/hntBAriPSE4gAlfAcqkxtJBm01QwDoAdsOKOMsYnt HCMlouIhOnxFX+yP8YzGfiiqNLgHX7xEVWVhLBglJeet6c1xxMHR/b7z2DuI6k3U
gWajpr1J3Hm+34NPL04Usf1OpcesPUJ4CBxNyLXxjjsOzD78WVvKY+N+j89xTsyt p5NArfNwbZpT/SzLO+jqBwfFsMPXa1jmqi3W+q0xUt+obsfb7jK7ha9e+oegW7yY
z5Y0fEkFqrcl8pgBQxH72jBwSCm5YwHz3BhWQgr2bpWJ1f2LWcVsnrN9tx6RhQtA fklgXJObY0YxuFbiJYJb+vnOb/qBiO15/b0xifxA/R6X6cv96T79I+9fvUOHQnQ5
AkcyNgX/ksp5EW4JTo+o6oXLRhXIYauRrUrisMY++b8ZJTp6C1t0RW2QdqgMZghS bEKXFymxd9FD2UtxcWAOhD7R3iwtPGNx4WgEOe2nOPBP4OXgk/Rvq9bTkF/1mojn
ZgaW6FSC6Dy2Dd/ezdkYUCgiEtq8eSxF/8WDw6Va2iGVSNt4/p/OJ97yN5yOJ0K1 MN7oer90NsvVEEx0x6Yoayy+ncolfxAeui9LJ6Cso/bYNA7fw9GvEkC9tSCiO65L
g0hATebU+I3E74PQ9RK84FfJvyHDBC6fvYZW/ouMcgp3YmAF+dTm74Hq88X4daV+ He9O1qHss08eXUi4Nrp7zh95T5/sC8HU+blhj8asE3ofJGb8l7SrAREoVLI4D3iA
/UPYf/cVpyiwcBTg6H3jrkrs0yKoWLIfrIvMNBeeKZ+fl2Enw1MFzkLI4VGD/UeR xHE7E79i5Lf/J/3eisxZXdL4nU+4bk3fuZqqScQL7BlkZPtzcDJTCcoRG0jvNCA2
wrbhN0SHkh5lIGtu0yRTfq6msYQpkw+jr7QwJIdQyrAoaaVaRotVyvgTOLlHw8r6 lWvzfwzrNmo5SWHXQ29It5wpGFJPRKFRIdg88GNxGwzNoxye1pnaQR/9JCjL2RSW
o7v36yoNov3kDPW7DfbSVTWX5lIyQn8NqMwa4N1clWT8ukfZXSaYykFSqF3w5zal RhuS7bIXLKC8DlLlCUgzPoiD8UEPBhNcX7OiOSlgL0KW70qcH+jqVuSq/3t6kWlE
a4iIhu03GjDcfiWLMUlYVAUcvSmcIULE1oW7FKiJc8OadeIu0JBySRSEvf7B3w8l i0fL2OZU3s8r0hq34nuXe4pkO1VUTafZ4nOlrLFYsLj67+P/abtH67LUYgI0xZQ5
eYUs+u/h1ptrZZKhe1JdAtlszvHJ0DD0kMqA6Ig4yomscGSol/sRUqpecIQwVZTC VcywY0BN6CrxCKY2Dgkvf9+YtidysDkS5tfDMYmSEQyAORJVHKvipXeMjTblV5v/
RRq9dJOFJkKhKD5Eo9E0Z2snp01fpUF5qlMeBjpYgkX7jhyFyvq+qDqBAY8izvkc FhgoxXCS/FeqzEHQLioCxVsnluEaE4KukXBdJYpUJg26kuTp+kY/plzq9hLU4aF4
ruE69WooBVyorqKHURjWtY+rhzcB4+HL72wZKzLnY3iUjJ1UANxM8mC9fpD1NJt/ 37ah/yIwI97SmulsM799Ru1tx0bigIdoB354sj6S2UcSQaEXAEf8i3ljXvK63zC4
7epqzPyZ2Kd4GJVYi8sQpFKf4tRHDr0tI5iUB78qj1EBp1w4qvRn/jC4ii7+Bas8 pDA4i37IGUqHVaH1I6bmmPqBgw3jNW7NMNUsldwawSbDAyRAw2LtI62U4DL6B6Lb
mz/AJ25QeviC44Vj+eT2YYXafDivrmoeBuVMIBbD066YnuBC2CeKydNWdiARzc3I 1Cri2oAydd6YogP5eGYxfYEpjzIQ+jmElUctKPc63Fc8OVINytooTi6o/SIwDovp
fhcuhVwq7riotYfyDqd4e0Jy7Y57pbwv4Qwz1yCxRjSwiFQ7/fRa2Cx8xtxKcC/A WT+6liQ8M2vNcH4NSGitMcp98K1RnlstAErNtNf+pfe0NoUP9f7xpajiEFKjjTtC
4LGnXAKISy+uNbDWA7AYaP6RmGgMCaNiXy3F1zvxnE3bv68tXRF9vjuEChUq56N6 FHY2eOrdaaiZG9xjOuviDmJ/4gvtdfCjpfOrwtqeYiHFvmWYgxiUfMFvuMYTYGJ9
992qhoBuHP0J/mRItw+JoI4m/OFnEUGT3bNyxpEFyA7aXBE91aQdSXl4a97nC0/R LdVS+rWYrjC+srQi2lPyci8JzRZFG3SV7OktujZFHANqpRVF4mFBV+hR7AYouU89
SFH/fRwPFYgxr3XdCIf3Cw5PDs25YNsXWCsDCVejWMFrwOzmDwa8sBkY270+rGv7 BpkjFSkOFSOBQF9eEbK3O+6iiWYznrDie3CW2chuK7eeYEj9z69xBKJ+pfNuji1w
6qXvb/uGD3M2C+DySVy55Zd42wjghSezgY6taT0tqKfLOS6Vl4ELU78Q6va2o8Ml jx7UiSd7Wfdhohc2MKPuSJYVXCK36xeN2sh0YpmFX0o23PL41XooO9M1oTKGxPNJ
cUdi343tOi60MZgCDUwPP8TjKZINh8u1KNhzgpwNLz1gE0dd200l3bbzdZ6uio3R u1O3gGOV9Oeczd8+mta3OEM0TbGhA/Uwgpq8itG1CkL4nzaH3Gt59l3bL7ACyM5X
52WQWRCk17Z9lUesCJavytcAi0mMefMxBPMOdnUi6O8TPDRA0mcohbE5rybwDXAo Pl8eve57SsQcarGbLs8pN3KBOC8p/ETo24WZdDJSzzAf+Kk/ObsXgFcH/u+0bi4Y
B/VUbwgM0/qCpZ7VcSKN1lUuoe9+Kho0NK/gyMEvntMxGNNI8arV8UkeFollPhrt TnnrZg1O4Eiw3WJHpaRshAwrt1l4wK6R5QDIMRS2WxTzW1k+CuP13LG2c6x+SexW
umvdwqbVCeN8TBj5vXo6Hu+eKB7AVwjBk/rRHpZxnnVGXbm8HzM+kjib2cY1dius zMwhkDCrNGVubXnfPwbwUGXes1+jMr4vWkklFSFJG5vR0ol8wwVbTFt/cFgv0QjM
VRJ/1+Q9GXuo135tQbobgcMzAmqAqZp9kDE8MBUGCSqGSIb3DQEJFDEIHgYAYgBv BOsZDYlXzziQAoERKa6EBvl4d/ygICU3KzE8MBUGCSqGSIb3DQEJFDEIHgYAYgBv
AGIwIwYJKoZIhvcNAQkVMRYEFEqzrDFTAkmcTeNueeAlYZU+iGIlMIIFkAYJKoZI AGIwIwYJKoZIhvcNAQkVMRYEFEqzrDFTAkmcTeNueeAlYZU+iGIlMIIFkAYJKoZI
hvcNAQcBoIIFgQSCBX0wggV5MIIFdQYLKoZIhvcNAQwKAQKgggUmMIIFIjAcBgoq hvcNAQcBoIIFgQSCBX0wggV5MIIFdQYLKoZIhvcNAQwKAQKgggUmMIIFIjAcBgoq
hkiG9w0BDAEDMA4ECCNi2K1bMEiBAgIUdgSCBQDLIXo4ExcyE8+4aiZIj/Wnh/SV hkiG9w0BDAEDMA4ECJJKzeDj9Jy9AgIULwSCBQDqW3Z5nt8HxRRIJlcwYDdGa8lE
VVR0n7s4PGCbXt+VrOHd9YzTuUicAqIcHH62dv7NSy+fgqZG7SmVR1IodadFe+5u TK58VexJYzhLMwO6OtM0J6JyhKcknJYIWL754aozGhFh3wJfP0YJ5u2x6lWeNJwW
sAzXoyyhhEe2c+ToeVbr5rs+vBvQUyh6X5XTV5QVOAkwSyKGjyfdy86x1Q8cL2D2 1mRW8htE5MR1FntBeQC1+KrhmwDXhPe03/r1yiefs6lq33MuB2N9WZCCKr7SLcFA
BM+Rpkm1cFtjgWcB46U6S6w50sG7XOKSCMI4a6rnHPVgPPdXMrj3VSPJY8bhBqED 0UdVZNM5sbm34/7c2QMbl/yp20mE8dypNsjVFuUX9ermiBkTQiNdp5mENpYkualW
PVTnfSHf/wKZrIi54O3F33B5jt6Cm9+9m9Fed8n+81w59rRom72CY9Xii/ULER9T I22asZVowGOQdIgwnW238RMO+Ai8/1tY3H7kvR50aziujLDwVY9LDRZLEsmD5YXt
HwjxOZOQ+dIml23KauwexuOGjii0UR8MeM/A0n7UNys+bZTulgdpWW/mDhJ+eLAT BR9BjpGwvPMx9kq2pKvpbVamS7N4jdEWdMNc/v0/hl/ZIBmxroztkd+IseV3ntJH
nhJw5ro/AWa6YVXG+t5k9LjdJ1ZmqS4bJxvBwilpEGoh0MM6Yp0dr1XM4mT/E0JM gCufXSNzSjb2vOUB2Ouu9mH9J2wpIW80Q9g297aOoV+MOoWrqkjJzcKz887/MZ9z
WD458Ngs05CuCpwAUXGdQmgrVsFrrV0HTyHeVLDhe43J3GI6HCWJVOeDQzzmaO3A UeTBj8eLxUgvw/udhCt7t6C+xfyNqvMEVKRb4TAKu7f9vsI750n1fXkIuS7h9qQV
M+IooRDkTHnJMaxUXphKTag5+f/smNYEhzVjZeIc8GFZ36eSI4BNGHSXFACwLu2T H1PKyVCl+WmfV4soJ71UVW86oMdow09PCmzIDAut0mRJ6640Tez7umv+PJd3WLk/
hkzpXMmg50JAUhBYxqE/fVevLUH4JPLgz869wk8gRlUBo6ihQGrnsx7ZO5IsYahE j8ge3RtFP0S5sQ4fyhmaP43ZkOJkybLvap1EW/OLPaqd/rSS1sLQwdQ4kaqJlouG
Yjz0N05PVPJYMLSyMovG9i+LpzQ49gIBzPu2fdLR41u5n5O5mG1Y4aJ7OCJxMORY 1iyVK8pLgobITNwZfRzvOakKTmo35dQkYzixB2zuJVY7ZXuiDD/7sWRNfcU8J8XT
hWHuctHdGdpJsgiq8+1iiUwmfyCfb0ZL3ePMU+W0zkAsyn22aK8jDBLLVZlvOZIV z6Y+p5Cr+3MKbrWzw5agJ9+TtH1fORqr6Fm0bvgfhVDl5lGgBQNTgwg+2Gy+qFoF
qR3Gx4QFPSk6qCMQ0E58VkMUMxYvClzTwSeEMu66eND/AKTE+XXV/d9bmSmWGk7Y qVoFwKpnCRutB5rFiUHW7B1fKp9RL9BZhdvNfTb5tlvDlK06uiemwI2nvnEQabAN
8XrDKLKfmRdrlIeondVJv5mk12YKxBPQGeUqK5XJUa2dzH9zvfEX8iYzdt4281QC Toc8eZ6d6yqrlSkYj4xbyneoL7ydkViKt5gCB5+F+diTt40IN5PDJKLkemUOdwGy
iXJ3qwmbT+8RoOLBt4KyOs2e2ZSZnjrL9OO4oUsHIOyEfjwnWoLhKbkmun8GJxoB BTbWvcwAFhL5hChoHQguJOqG1J7zq6Hsh4H893s5gVWBOshfadz78vwE3aPnCZ4Y
2yCzTawVQf9/qIUXaSzcp23AV6Lf1k9Of79HYPW3cQJAtjf6XBVE1xVZPkfTuC3y ZX/e9uiVsq67N7EblcB7IcE15y1bR0H7MXoJXumjCJx0VxZbRv228NrvUsFx+mFn
VLufljs2ed/ctpHg9nuId/xHFH7t4HbmU3/ZufE1GHnsRQ3kbnqA5WXerd9UzeoD so6xsGZCrH62hkqI9lSdlRyCLxd+vjyg7xQOIXqVTIeGHP/Kie0SJNzYf2bsdrNU
aVDjFXGrITp8env08GXYvwWGXLL150l0DuJSv1E+1yww86SNjBYUTx0r0CJjjTk2 A1EtlA32ti+My8eko2X1PFYCg3mX9NY3XoPJpacvpzZ5Uj/ie0Vnl6q8S7PdOjqx
7vIUhAYUEA+J71IeifqqPDKYXnrCdUEajbfEdek30WiLR+ChEvEp48Mla6UVTLm/ YlT7QBk/qPGKCiIYyG+TRKDLNr8vTNnOGVUVxsp5vp36Pf3vaCzeddrUvd6P7Puj
mjziwbsxm5QlGccmz13e32RiyrfseB+RyllmzeJtydP2IHkWK7pww9yOlPK0QtZs 1ymz4dmvd/OOuOCtZ9lFiOqD9bHZ4BSwJR6Myr/jrprRIBGQn7QCqFDSg2N1lXqa
66IGZKqeXrWBk9QFYDX42gAy/xTfglco4KO7akhp3UzTIQyTXnt+OsOScc+ArVm/ 1tqxKF7tRJIkq2UDQmR3Sgiv+wdQGlGNRiwNGZmNme8O1kRTbT7mCjmLfYWD50z6
dwClm+ZxybtOcVyadjpKWydyfAr3aTkGxX6RmHrEWr1R9BnMGPYesDs+yeVNs1Qd JP8q09HS+1gXfYqfbvDLQTHMQl/fxL/zmkF8xlMqtoLSIDkNvesyiT9g/JwN9X0G
Dhff/bQLwCLXdGLWwLe6kitUiyi8F3bdfPjR7R61lEUvJrBm7YLmgdxRCJ02LFLG hanzi3B3kMWI7lqkhO+If5SNI7Ct928YQTEfPEm79J1UGmXZBtdt9lOKK7M5b6F0
n09iSMNe5vmiNaKiuzfb4Dp9dqEMhmJfdsTURagfJIyqULoe08EIIozahivbzoWV 5TCkOp7RN7SXw+UGYx53kUspR0HNwqRa7rqXT4RodxVcnghGT4qA/rb1uQZZzWnv
A6oPAkk2D8DnTiMegX4IZ/Zb3LPxJKAeXO3Ys1YQrNSNZ3B2ZISBapzGzhFZfRVz TuuZolIhOxpdmhJVZdQoEWVx/w/EERdNLivqzHykeiv7OiSy4FhrgWWmWipJRB2v
POmXhN53pDhlxkw0btkKblYA9CvP+kzgwekzCy/Mlq/HbO38CV1NKzay3yg4nteh cgezn/v8XSIG+KJKRLzyfx44P6senjcgmKRBITgJ85rU/uoLNGjLjEfwQb6x5Lit
J+v9/k7gaqKmo3ZWMGk0WGBv/GFxYhmeNd14Y65D9TlypM/zrXSyGoOqZgSA6HlA KqNfcqN2PB3q3/Om4Ft5BeWk2uGXAObLe98s27rZe0iOT5eqyftyiWlMXLS0bIkg
gogzwwSaGwx9n/o6czE8MBUGCSqGSIb3DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcN xSrxDA2LJW5Gf8F58zE8MBUGCSqGSIb3DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcN
AQkVMRYEFBfFhHvQp+92kDi4s28IvJK1niuUMC8wHzAHBgUrDgMCGgQUgwafFeGU AQkVMRYEFBfFhHvQp+92kDi4s28IvJK1niuUMC8wHzAHBgUrDgMCGgQUFQ+BtZ/3
n9Q1rAOUCgw+KWxk+8EECJ1vqXe6ro0FAgIoAA== gX+Re8eKDEP/OBp2V1YECDNLqWo6a8ZVAgIoAA==
-----END PKCS12----- -----END PKCS12-----
6. Example Ed25519 Certification Authority 6. Example Ed25519 Certification Authority
The example Ed25519 Certification Authority has the following The example Ed25519 Certification Authority has the following
information: information:
* Name: "Sample LAMPS Ed25519 Certification Authority" * Name: Sample LAMPS Ed25519 Certification Authority
6.1. Ed25519 Certification Authority Root Certificate 6.1. Ed25519 Certification Authority Root Certificate
This certificate is used to verify certificates issued by the example This certificate is used to verify certificates issued by the example
Ed25519 Certification Authority. Ed25519 Certification Authority.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBtzCCAWmgAwIBAgITH59R65FuWGNFHoyc0N3iWesrXzAFBgMrZXAwWTENMAsG MIIBtzCCAWmgAwIBAgITH59R65FuWGNFHoyc0N3iWesrXzAFBgMrZXAwWTENMAsG
A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM
QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx
skipping to change at page 25, line 27 skipping to change at page 25, line 27
6.2. Ed25519 Certification Authority Secret Key 6.2. Ed25519 Certification Authority Secret Key
This secret key material is used by the example Ed25519 Certification This secret key material is used by the example Ed25519 Certification
Authority to issue new certificates. Authority to issue new certificates.
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIAt889xRDvxNT8ak53T7tzKuSn6CQDe8fIdjrCiSFRcp MC4CAQAwBQYDK2VwBCIEIAt889xRDvxNT8ak53T7tzKuSn6CQDe8fIdjrCiSFRcp
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This secret key is the [SHA256] digest of the ASCII string "draft- This secret key is the [SHA256] digest of the ASCII string draft-
lamps-sample-certs-keygen.ca.25519.seed". lamps-sample-certs-keygen.ca.25519.seed.
6.3. Ed25519 Certification Authority Cross-signed Certificate 6.3. Ed25519 Certification Authority Cross-signed Certificate
If an e-mail client only trusts the RSA Certification Authority Root If an e-mail client only trusts the RSA Certification Authority Root
Certificate found in Section 3.1, they can use this intermediate CA Certificate found in Section 3.1, they can use this intermediate CA
certificate to verify any end entity certificate issued by the certificate to verify any end entity certificate issued by the
example Ed25519 Certification Authority. example Ed25519 Certification Authority.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICvzCCAaegAwIBAgITR49T5oAgYhF5+eBYQ3ZBZIMuujANBgkqhkiG9w0BAQsF MIICvzCCAaegAwIBAgITR49T5oAgYhF5+eBYQ3ZBZIMuujANBgkqhkiG9w0BAQsF
skipping to change at page 26, line 27 skipping to change at page 26, line 27
f/v99LEcsZTcuIbnJqz35danQkp4/upG4hPkfx+nbc1bsVylrITwIGOpnGhz7z3m f/v99LEcsZTcuIbnJqz35danQkp4/upG4hPkfx+nbc1bsVylrITwIGOpnGhz7z3m
VCk03DFE3Qt4w9mlv9yuMse33nmsBGXog/XZvM2JRY0iKt0xksQqQD9uYm7MoMeH VCk03DFE3Qt4w9mlv9yuMse33nmsBGXog/XZvM2JRY0iKt0xksQqQD9uYm7MoMeH
qQs3Ot7EaoPj54xyWvy42run6TLUye64D94SNjB/q/wjL96bsVIKGrRn10T1ybCh qQs3Ot7EaoPj54xyWvy42run6TLUye64D94SNjB/q/wjL96bsVIKGrRn10T1ybCh
4F5HD00hQZgP15Dlb1rg+vskN8MSk5nuD+6z1VsugioW0+k= 4F5HD00hQZgP15Dlb1rg+vskN8MSk5nuD+6z1VsugioW0+k=
-----END CERTIFICATE----- -----END CERTIFICATE-----
7. Carlos's Sample Certificates 7. Carlos's Sample Certificates
Carlos has the following information: Carlos has the following information:
* Name: "Carlos Turing" * Name: Carlos Turing
* E-mail Address: "carlos@smime.example" * E-mail Address: carlos@smime.example
7.1. Carlos's Signature Verification End-Entity Certificate 7.1. Carlos's Signature Verification End-Entity Certificate
This certificate is used for verification of signatures made by This certificate is used for verification of signatures made by
Carlos. Carlos.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICBzCCAbmgAwIBAgITP14fVCTRtAFDeA9zwYoXhR52ljAFBgMrZXAwWTENMAsG MIICBzCCAbmgAwIBAgITP14fVCTRtAFDeA9zwYoXhR52ljAFBgMrZXAwWTENMAsG
A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM
QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx
skipping to change at page 27, line 13 skipping to change at page 27, line 13
-----END CERTIFICATE----- -----END CERTIFICATE-----
7.2. Carlos's Signing Private Key Material 7.2. Carlos's Signing Private Key Material
This private key material is used by Carlos to create signatures. This private key material is used by Carlos to create signatures.
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEILvvxL741LfX+Ep3Iyye3Cjr4JmONIVYhZPM4M9N1IHY MC4CAQAwBQYDK2VwBCIEILvvxL741LfX+Ep3Iyye3Cjr4JmONIVYhZPM4M9N1IHY
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This secret key is the [SHA256] digest of the ASCII string "draft- This secret key is the [SHA256] digest of the ASCII string draft-
lamps-sample-certs-keygen.carlos.sign.25519.seed". lamps-sample-certs-keygen.carlos.sign.25519.seed.
7.3. Carlos's Encryption End-Entity Certificate 7.3. Carlos's Encryption End-Entity Certificate
This certificate is used to encrypt messages to Carlos. It contains This certificate is used to encrypt messages to Carlos. It contains
an SMIMECapabilities extension to indicate that Carlos's MUA expects an SMIMECapabilities extension to indicate that Carlos's MUA expects
ECDH with HKDF using SHA-256; uses AES-128 key wrap, as indicated in ECDH with HKDF using SHA-256; uses AES-128 key wrap, as indicated in
[RFC8418]. [RFC8418].
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICNDCCAeagAwIBAgITfz0Bv+b1OMAT79aCh3arViNvhDAFBgMrZXAwWTENMAsG MIICNDCCAeagAwIBAgITfz0Bv+b1OMAT79aCh3arViNvhDAFBgMrZXAwWTENMAsG
skipping to change at page 27, line 46 skipping to change at page 27, line 46
-----END CERTIFICATE----- -----END CERTIFICATE-----
7.4. Carlos's Decryption Private Key Material 7.4. Carlos's Decryption Private Key Material
This private key material is used by Carlos to decrypt messages. This private key material is used by Carlos to decrypt messages.
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VuBCIEIIH5782H/otrhLy9Dtvzt79ffsvpcVXgdUczTdUvSQsK MC4CAQAwBQYDK2VuBCIEIIH5782H/otrhLy9Dtvzt79ffsvpcVXgdUczTdUvSQsK
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This secret key is the [SHA256] digest of the ASCII string "draft- This secret key is the [SHA256] digest of the ASCII string draft-
lamps-sample-certs-keygen.carlos.encrypt.25519.seed". lamps-sample-certs-keygen.carlos.encrypt.25519.seed.
7.5. PKCS12 Object for Carlos 7.5. PKCS12 Object for Carlos
This PKCS12 ([RFC7292]) object contains the same information as This PKCS12 ([RFC7292]) object contains the same information as
presented in Section 7.1, Section 7.2, Section 7.3, Section 7.4, and presented in Section 7.1, Section 7.2, Section 7.3, Section 7.4, and
Section 6.3. Section 6.3.
It is locked with the simple five-letter password "carlos". It is locked with the simple five-letter password carlos.
-----BEGIN PKCS12----- -----BEGIN PKCS12-----
MIIKzgIBAzCCCpYGCSqGSIb3DQEHAaCCCocEggqDMIIKfzCCAvcGCSqGSIb3DQEH MIIYJAIBAzCCF+wGCSqGSIb3DQEHAaCCF90EghfZMIIX1TCCBJ8GCSqGSIb3DQEH
BqCCAugwggLkAgEAMIIC3QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIwS3R BqCCBJAwggSMAgEAMIIEhQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQI7xhQ
pT1mkyMCAhS7gIICsGKkBm0nci9VHfqxOTWy/lkKyQeF5bwsF/9gZrqUym1KtHZF zoEDt2UCAhQIgIIEWMgzPbEtNf6qVctx2p5i7x6wAz15AjqfNv+qiIHQtPljZ23b
a4rSJIPUctmzqVnhGmfW9m+LEi7Em9rRmUIQbDZt4kQDG5eDk7AdhyDnB3uZDG1W BjHWAdxuri+jbwV+jY1JWwMG7CvikBZN0EeWkjeTC5R6RFz0QPoK5cetdcu1gyX1
4cAeUVXJMzGfnwtzy5TzBZzEo5nnVX74Al+PDW9wdpbv2TIriL0m29fBT+7HVS9F /ugrG48vgnrNwxfZOaBzRUuudLB0FI0ns436XPPgAPx9lCZ+jZesjfj38mSB+qb6
Z/95XokSwbb6mmCYeGiPpNEaoeUeuU4zrh/k+JJqDuqNsU66I30wH0CFmk3aarBV SxFbZc9ix4bMgPMqCyjF6o1TL25HGCfN562sNcG/xLqNT94wvw1Ofibd1ywuunlE
3LkEeCjKFkngzMOZqiKZu8D2hEUjsGQ9ALsRn7P+hIWNFIgjvqgcCMTF8fLK1C/8 Mm/L/G31U8ZehA27XHHSKXOTkSxQ7cNCh9ZfU9tpFm8XMo6s30BQRCHubF+VLzso
vYGD+HOpnn23nLele4b/qpFYx5kJ0bOK1Zo1SpgUQ7Bu6gectUceyOgi7CjRScuV 7xPhtc8/ldcl9MyLnpSBzYhPbHwIxbDo9DxqN7N8latA+WKXT0YlR+bCfF9XQnbH
ew7918ZY0ugyYoIWAT0kecPM0TFtxAn19JPXo4jBYAlwUtx7GYAlDkgZCb/0dbkv xFKk08U51XCT8mBp8BdAHp2n60XwDfBm3eQPJfc5TOyfoLOEkJNbC+dA88hb97zv
4L+PAeJK4kVDREDQ6ch/6/hlqU8xHeNzdagEWYL6FxWDiHebASxIvZzqkLd7RV9m Uw8bW91YtiU2XvIrKUajJVlXHCBFZnCnFwst+f19T5PFGPAj7s4mZdPWnQTtLyjw
dL1FXst9R9G74jOs0WMMFmd9toyOhD0q6Gl9catOrolCVS/CKaC0CucsJfiKrlJ/ pHnuT4/U5w1sHAvf2oZ0PdUNq/yqjdKARxsRvS7lBTcci89Lto0OwF4TRzi/vdFZ
duQkt/JwcELveuOg60u2uaGKUqHmFhd3+6omk+wNBoY+0D5MmBZ/xnrVELGmzp94 X5bBhf/WYY6gacG1X9pzTPl5qp3doOwwhxXIvoneQFVAP21yI0imrus+66mxB6Gd
q0f/HfZPT6sxkYBGuP2eUA/qr/zimNG3TuGVch/MdnduuVhvAYLyh1gbA8yRm+I/ wQf8iZMniS/1Gpu1N5XUUSL1B/qcxYK72YOK12ChpgzEETwJ7Y0lYrbOsJt8IhE1
zGCVuAqhsHITTx7Fqc3tyVp/mLYUO0QuwmgAw6NhzwKZf5N+tR0DZGcgw8rZpeJA WxsDy6nWLA2c8/1OU16l1mIgrVoKVOs0ZkK2dCDYdr0qKqeKgdHqp3INeUKX1ZQo
yTxVFcjzXvoShxog7RroR9Nc4FwJhWI4BO241OHFEiQZeRk8vzI8WIFXnn6t42/q k/kYAD6Mo0QkjW5fPbt/vQWSspjTKzpcz3NgQYKMcFqlB8P186nb4BvrDky0BM3i
j1mV7Ba42zxPEGoY3mObKwjR6rDp6KwmmfkghpwMPU3qP2/ASV8WT1+9GIYHc5Am P7mXpcRb42WSY77xpeUDhUg1q6fnlTdtm5NdUZkuSgpHpQUrs945KTkxfLReErSd
9CmSOTiQMluW70Ra2k5ZMlwnbKNyMRbjUB/yHwwwggKvBgkqhkiG9w0BBwagggKg 15OAAnODb5T8+5JdXOLAgHnPPezRuof1LQZsytsx4nC92OrboC2Yn3hHEqcgqQYE
MIICnAIBADCCApUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECOMzXMste/8a BywzDNGuA8ISEmdKvo7AgaJvoFEvLDmas8T5I2yuWQ9mDXMurgKFxheMSpHpZiPc
AgIUlICCAmgXa+q2JhTLvWsj5SKLdMninTk5uB6HhOsDKYR9GDg/cABqUFxycROG JE/n45ooSH+uX3HDUVmjUOYQf35udyurbS772Zrptguek6VdjV3F6GV0Q4X3wIo9
JeJuewIRkJhsfdXJi+TSRtnQOqpyVM9oRUdxcbGuCI98fEbLmVyr7KF8GudTgC+b llV+aFe2/v3Mm/tt+h0KW8XVfBOB62uvb7ac7ipBjAHBeGYFQeVkmI0Nzvizk1lA
eaLjn6HYkWpv7lWdvsFG8BEy6Jqi3/tP9PgNvpCYgVVM7yx6SX8QArcLSQkxbTsv jKtmIGZ8MwBp2e6rpu3g9rCbCz53LxWB4yJYgGc6NQmWxWQGjLUqdOkYuQwEdjr9
Ae0iN18H89W9xOHEz4Z2qHYyb7f0pPHrmpTGC6qmtvo1gNRsKTF0wYeQ5Sy/9U3f 6hpZbtXvXs+jcDO8OACg9kfjX6EzK2kVXoGdy7tPMH6ElXEaSf4tzIhfwvwNapj5
oM6bIcrOvHDksaco4+5n0zeySDETY8W4mO1K0uC/t0oTOScYGBeRhVr0DQapZGT/ 7smeQbXQj/v9HC9XbgdslB89V1wAcU1PG/xBjEulm6O9EN8xhEXfegzIGxJ7JcVq
Ej5LpgjXOuosAoT3IKnMwK3C0OZ8oBzcvgSpeAa/V/OTKDpZb22yq6sEaHAPoUqb 7kaxdX6BPPH4iW2Bwbv+FFvSQOwMf1SVjpE/LcV5JxkYrfT2cEinTcZsEFfP5XOZ
cKRJmB6HC5mdLs3n0uP1vlZuYsHu7Evt0Uhns9pbklJDiCgM+4SFgKTRbd6Xt8bf aJw3xmya24L2ynjNfljmpK1xg38OkzeCVebkeQ82OAYequb/iTz2yyfaeUoXbNlR
GHkWnmpv4pQL7jjzA3epP2DHyC8MJaDvleWY7Z3t/IEtkzVxflLo8kT21edz12cm wcc++JwAWlkj6FS/dy5gwLTGvUBkMIIEdwYJKoZIhvcNAQcGoIIEaDCCBGQCAQAw
uFVK9ilMW3eJuyiRyFXFPgVsuNi/HFnijXFgxzAncP7fFP5MCsOo6daiEjJjemKf ggRdBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAjBHiWMROp4AgICFOKAggQw
J3D+HdD60gFih/eX9V+tGl4y7/jtxCRA/54mit4sCy3LC0++lEp9AtFwGYrDw825 FC71dSM3kMdsEhcjRPE+6YRmvktReM0XxK7+5FTD6tGJsl6gglHIre4gC3LKekFp
uGj27a7mE26qgGdGXdzT9UJ8FfUsIoRPrG38Q4mhS10pTarNucWOGjkftZiKJLay 4P346gebmSflwp1v/7ReLpNPXngK98HXfVcxHYFXWKOYdgHSVqGBbpH6v961C6XW
rfMRf3HYxOI/7iupfxYLK/4/FODijaHzAfSdQf2Bo7csPaz2HQkK/0nyO+tt68S9 PGwIvQ9+H6R6Np1gw3CZ2CJN1paFKmciHmCDkc1iPKbr0I8J5fruol7SS1WMnWFQ
pUCjEfV6Liy22tang/jXxPFbBDK/P68MnmgR8C3PcYhPJCo/K0JR2/8F8pVVEqd5 AWk+EuR+Di9vNYD0+7QyNANu1Ud9yvlLaPxCcrgZBccXe/om07penmWPwVuXq2aq
MIIDPwYJKoZIhvcNAQcGoIIDMDCCAywCAQAwggMlBgkqhkiG9w0BBwEwHAYKKoZI zc2/vUq3JLqrg5d5OiP4ZEwksvSIBzZSNlAM08D1Ez4fDmMt9iRvlztujOKad/Gc
hvcNAQwBAzAOBAho9g0tQyYTvwICFIGAggL43SpNCoshZX3ikmK1mOIJpS2Ah8Xv bwhhy/kUZ+HliTA5ItnZRJSXtsICwpH2DqJ4MnvtQtOjcl72uyFOigC/DANDjSYo
94S/5NA8kwHtaNXpLrjYr3CyRL93USm55uvGAtECR/EblON9zeo2p0gK2JPSbDr6 YJn44h4dx351AyuF6wpyRwYfaXzjAaQ39SsEQpvSzzZmKYrsgjQEwIoWv0EcBvqR
/1oovo7UoZNRoRBZ8pUegVWJswNWjqvzVu5JIRmpD05XjVDKHbFqiXAqtj9/w3q0 AQjHVBnJK/ZFNhTHDlD5RrXtkM3VLU5zhiNtsMWAj0gAN0DNBqHP8y9ZqVInWWjF
Qq/p/M9UrLWD93hyLNdIppWr2KR2it9mASTKEHX9dqXcTOG0Kp2GmrfGNteGL02j YvoThcpHuwKI+pRto0fLsZxwWaZiCqAs8tJpF/iXcUoCm6+eGXNBBbBwzABaMC0S
qVKZaZyYI8gkSxhVLS9zzgf1OynAkzYQsoo+GKhdAW1fJECemAyPc3L+eeARw/SY c3HyhQ9luuQeq0m5WbulGfXKFA7OAo+pWnivbHjIoEOVeJgnLYLT2ImOOypKYepN
q1d5QVwxKfYpIJ2wiiavdeRVNbWiwV7Ti+P9PtPx/hV22NNLwMhvnJcHaSS1PaOi 48kyVBAJ8y5QDnG82/4GU7VSW8ZztIbAWzhVFuEejuhd3V6bvPxI36lYrPeObees
SjoxFJ1EJWGEs0QwcdwM8iN3oVuqT5HU/edMgx9TLNTiE1g2GEq59I/RwBtCL8Dh c1WuaQgDvHf1VFjoGCZRDW0Nw/kxmvWqwnfLmhZVo8LbIJGTstMt+rNvAD7zhtCM
OzKnUb4PU1Z81+HimV3KPI8g3cduhYaBR4HfqAhMnc+w5HXI6J3C1NtAE/izZ1Y2 M3LhWfT/IYI4xCQFpP+ENG9DZFHpVorRrAVu9OwbXGSJOGUx0ISlZiBA3Gtou59W
Od7l+GTJfjPgzIy0hjqfbMt8uU9D9aPr2XjNOWoKRSojae16v8bLx+dFn6RMxFUS NN089EprACk7VDIQlzOS8Ox5vwo8UwqEKWt+537xIbclanc6pIYz6F6RgwEHb+T4
g3nLEZ6EDpyrJfpGPm6mPgZKSXtvnHuFcbS+utkRuVAtqu07r2XpkGBIJLNVIRHU 4xKEbE/cNLJHQEJJZ8tF4afN3DENPLMnDoyAbetPrJILomZEayKfkY+dkXFGiyxU
5gLACbTj9TPcAce6RLoaYSDgOuFK0YZMdwzhsAI0YMpyHsUEZpQ5tjWSBY6ENbvF xslhk+JR7Utc4e+WNCZ0hnUyid0ZE7qjMUFSzdYoSmPZttM4zRh4qpCfXTyhvQkI
7+QhmDnf6N3Bj+vxUtGS40pVsYCGbmOD7UM5QpUxIgVkpPrfRokOZs/fi9sW+Xy6 G88dNenQ/b51VCCNfWqRKytrpnhZQYKd7SuNQLh2GAL/urlWtYq5rDRDKGLv7vmu
eQ2Brbn3t9C2TAsORYzFbuBwuTCqFW/rXHS6iffJpx2eAg3DCqaUAJjptSV/yzj4 0NloL4xJjWVlUSGsSjlOigZNfvphEDqYimIGXhiU6uAQN64suvWMVMNoNIwcZVrP
vxiXlDB3fMRcpNd5Je7DoHS4axuj7SLHdpNoUHs+qQsG6yDM5BEuXWGxo/L9sGhe zZQUky59Ct6ahnc5cdSwWWmwKxJj1GHtvn82tMoR2LtERJMx/hEdqrCSNXvrIeZl
XQrUnkZ4m4g01sfgTOfDNurXx/oP0ym+B50q6nLUWv0tYZpmCVil358dIEGPPSMY ozwSh9mXupO6Fa0KIpf0txZl6zK1/8F3xvly0lyxpsYwrTeTlGKm2y/RMUYp8tDJ
AMXh05tIPFdYSJ3WLs0cxy5X4sXZl5w16Pzeb9SF5topqRUb5PDTfVr2bQUMwTbp zUZu34oeOogonerOnSIU7kEM0slXJs16lIrReFI46ZQ3XGB98MLuCser+5SzzgvY
99FcOQf6cg8HXyT+8b4qKp9WyjCBxAYJKoZIhvcNAQcBoIG2BIGzMIGwMIGtBgsq Bf+alMAiz8qUTFMBuLFFoM0IRCsSmaaclSBB2NjpFOVjR+sajmxWEcN4lPO604Ru
hkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAgNhfODEdzSrQICFF0EOCEq N0cFylKAYe9BJlxhNFx1AjCCA2cGCSqGSIb3DQEHBqCCA1gwggNUAgEAMIIDTQYJ
Fie1peicS9OSXNQjLwbN3kO8lYM2HqeSZoEKJ4JSFlV1kWW3xwfu5aZKrGEYBfGM KoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIkUQBCq0OgUgCAhQ3gIIDIFJKEkt8
d8renRijMUIwGwYJKoZIhvcNAQkUMQ4eDABjAGEAcgBsAG8AczAjBgkqhkiG9w0B ErFDpHJT+IOyrxR/ULSFmO5aBopLCJd44vSqxcHl1EEH0LQ3bAedxiiI8Go4iy3H
CRUxFgQUgSmg+iOgSyCMDXgA3u3aFss0JbkwgcQGCSqGSIb3DQEHAaCBtgSBszCB Aw9nvpyvkZTrXWfhZqgsLsuD3AYHVHVCO/9pmZe4gWuWosR7PMI6RUoE4f00My5+
sDCBrQYLKoZIhvcNAQwKAQKgWjBYMBwGCiqGSIb3DQEMAQMwDgQINFcqIEMfd9UC kmm5gRpJ6Ol0SUG7yZ5P+ESc7emwkjzPqQds29WegzFgU4lLVk0UMq76a14m80or
AhS1BDgZruEsSaBY+Cm9WKR8HhH3JXh+AoMSrwkDCKytWt+MNIXB0jY2QZHDbN3u kWpjWpWddkid+Ku7cr8vU9BOpkTObmg9Gd8T1GGliQa1UvvyOxRKtdwOMOjM0OBs
Fn7qHw06MDthnKniazFCMBsGCSqGSIb3DQEJFDEOHgwAYwBhAHIAbABvAHMwIwYJ pmc4RFNk49zLbsTaOZIgiv2CN6aCL7ZVqGNrnHfkglKV5uq119hnTkr8rPvXqgcK
KoZIhvcNAQkVMRYEFGSF4zucHVrN5gu6Gn8IvsSczIQ/MC8wHzAHBgUrDgMCGgQU vnc6bvMQUp388wzYzjkLQw0oS8+Jr3NaJefj65e0MZlPOOA+uGPHKo2XXRndy6np
8nOYIWrnJVXEur957K5cCV3jx5cECJDjaZkfy4FnAgIoAA== /ASNEj7nAYQUTBwu4/GIdjmaCwauTiyvYMZOyVlp0mISZ4+YfeZTFqpjX/K39RFK
ubLSQHpevhn5vFUO90/94U1FQkLCGQ1V4xcDe2SZe0NF3B+dJw5R+NjE8Nvv1VfQ
isw/Qv3MlTTqz8VFBtbPdg77rwzVnSJuHinrVW9FwlDTNA9hhDbnBeZdyZkeEBUT
ddjOGGeudc6SYbp4Dy9hsmr5x4o0GKsUJWyItO8+NPbKfFYpYB97NsaoiNQN1wXG
LD8zKNZ9VKlpeW9n8b8/j61jxCiWwQILeGAuDsLpFxaQEtOBiDmzXKZjC45Efp1E
+Wps/rpEIpYnAF6hoj292amDbenkPsq0TlYuo3u1M4PqqBwQ0FC72ssNlM9uUNTI
G1q83GH3snnarr59+DpiIaTZkEhj3fBh+9dJnbzxPhHT2d0cze4eTF3nhG9u1cxL
fE1qruycIWkHXF0XsVnzw6CwEToLWNr06QOjsKBTAsMmMd0w6WWeL+b1DO26avlu
6tx83SCPp7EoxPdwFYB2Jqg4+KT/L87RtuPzHlGeFsh7QhCfI8Qk7CAkfk67Zhv1
PFWsYKcJZvAuZHZXiSrMPY9NEB2DaDBGN/DFnwk4JVjlj9ACJ98MY+c2id8dkuTd
ejwtalC1VPehC2HhqRR/9oGnIFzh0drCi20JMIIFogYJKoZIhvcNAQcBoIIFkwSC
BY8wggWLMIIFhwYLKoZIhvcNAQwKAQKgggUmMIIFIjAcBgoqhkiG9w0BDAEDMA4E
CPaeHSwq2qj1AgIUjgSCBQA6OexrotUYcswY06ija4HfeLQQYbDA9+UjC5xEi6QX
FRIAXfT1zoqZ6R+9sYnyCNqZWRzsKR6+OswWSlPjsgC6CXI3YO/MjtDo/MSif6Mw
O5ZIxqPYcbslKDF6Og7MQ8C+tRu2qfu7e6ufkw/cyO3BXNyOU6tS7iCbNlVn28EF
6W/14HvXsQ4mv1yAwvoWa5G9hettvwxMIL3KADLkEI40abpzbH/LOMXEAPHghunQ
xijllviwYQKEJGqJmtShpBOxBGHkTik0b8xJK5LfX+oSowehO8yv7/z52c9x9RKY
p2jLPudBByeA93iWhaUIe+p3ueexS4hmjegshjXE3LBm9ppZ1zWhJr8ipA/DY/1g
KGy3tM5OUYc8CGbWstJfQ9dxsse8qG1WmwhNtCj5heXWMGZgsbt53+eSoirgJVFq
40NzVryc3BEc+JS/d+U7MeL7ySdvGRHZ9kb8ItdsDcNAPMhvN/XXhALSBs5GWec5
dqAUYyd5GREVCOqoPkKx/secOOGUkHl2unUD3ub+6JDXplSyiQulS04EXLZJqPWN
yEK2wWCPsWquhTvVJCB6W/xcgtdY0zq7fiq0sZf6qPjb4s+hIDZXSWENh1VnuJBg
9e40G/jh4M+vEdrLPpOLLCEhpiVxzRyQG0eP3EL8EWBZd71lX45VgGt+ZXVoNuDY
PcLuQAHYcN8Sixg+8gTakuJGUwYGBy5tRjAWGGdtd2cuWrvtKxjooP/gLQ8hVAFi
Dedo7ab5t8xar5lhG2ftAH59CqP5+Sr3ZpIkldu1lxlJHxDO0Pws1EyVkwllrxNO
li3ETTwUeyENPswGPN+cTgKMJvPf5sCVlUWCS7I7pRPUUx5F4mebz/Drgeuqr54D
feXu4zvDxUHUQGrb6g2bIxlvDU6/CJo11LVpRLRWWc3YfBSvOYwUjCehyK2kaC9/
FhlRvqDZGuFFjKB04QanP0M7H6f31iH05a2gakxYhWw9wPysEw+Te/KJp/TBJnsX
YjQCDDi1A69Pq/Xo1IONutCKKq/gQKpku53acvTYtdEscbNEschY4PWjbsy8h/tF
HAm90g3eCxGqIU18Vb6bErm4x/wurBw2025yXTK4LEOc6ZyZi53RAsUBPjcob+xh
urBScAwv1mEIzH5luy5yvF/jjkJBl11SgYVfRZFTEGZs/l6h4REGwe1SaCyCa2pn
eojFOlxk1pHe4QTlbjfv19xAvurpzUu9e9Hfl7M7c3V3WFXiyMUlqNS9CNRDEj4G
Re35XVrehDrymodsAsIzyxU1iQvAN2BD1BeZI286YagK2mZX/q/YWCq2s0HGyESa
XdBoVm7JzkrQt4q+Am4fi8SNrKNVQD8x3b7UQ1EQ23L/MnS3+p2jaw4evnrnuoy3
eihOofuRVdbECvMCurGom72zCjC8KcVZ8yssWYIZKQjRr3dgdGUFiaJ6jA+Xgxws
2GGMgTu6G3/Y1AOrF96qC0G6geHjPbByWGKKSPEqswyllsYlk4m2j+JU/BEh44+8
lCdPfg0eAkanNdyJoXbYBxFRDaAxeKUEnNtwZ/wo4yLAJBdoo2extWP/9kvrEfII
qqiVUAZNS2pKx6apysRtRDWzmm4leoc41lQ7yK+OT+d/Kkq9iiFrpj4esbJYHe7C
RA18+Sc4nwNAsJrF4zBWN3eBfxk1YRDT8zTEsIyyMpes1xHm6KJq1rpfWDdjpEgJ
IzFOMCMGCSqGSIb3DQEJFTEWBBRAtwlRIx9e+C9k2MGQwb2AVNthojAnBgkqhkiG
9w0BCRQxGh4YAGMAYQByAGwAbwBzAC4AMgA1ADUAMQA5MIIFogYJKoZIhvcNAQcB
oIIFkwSCBY8wggWLMIIFhwYLKoZIhvcNAQwKAQKgggUmMIIFIjAcBgoqhkiG9w0B
DAEDMA4ECMEFrpUx/mJTAgIUIgSCBQAJ3iJnERsIV+zUmXifQtXp08dtGZ4th5vJ
1sGGtredTpyG/xZCI91P27VtdvAJLJO1fvqRVTqwztJJ109vimnYaeMlnQPwFjmE
tHATQcrpVPd4k6Vq3DnRKu71118pR4nTNnCS3IzwnTgGZeZJvz0wOWdqOgrUX7v4
DuLvMOmecTBWvJcy8ypN2itfuDQ2J9o/G3kmExzmDkHRuFB1LtkCZTus1JS7AJ8Y
MnoWJmmOItF3lDURRxOCFY4fhs+EEhOMz7gvvRWxtnUXqNj7hq02shVO8zDjUgxL
oKMOfD3hj2O+3+woRrvvTgVHKP/rlorn/m0SYy7JCcJ+oC3PPhFqlDLKFsBZfqgE
DWezGXAvevOnHVVyqmNo32iSV8kJggFwv1K6tJkR55lILvwl/dKeSiPk7NpImngw
/5vhTCLAelZMU4QqdTp5tFgzKcH25kU4b6DFKs4IGRDXbrdKEk8TV4jNIoivv4KS
kKjPVdkXZkqmn39e8D2VGDb6j/t1hD3kI2WgYwWN5GKQlcWIwYdVncINkimkjmlM
1rTk6hF8rma/BiN6RfJMs6JsNduLIKebtiMoVLFc91MwQbAbY0GZ35GTKunQURrT
abAJZiVOSFzrArLEsEteQBBu9kph2rdwMIv3+cAVQDsYckAhQhRDXQwvOjYnUwsM
XB/Xde3hkngm6g+4ZYSftC5pKOhBamHoR8q0xggFmGA2gsmA/AMCkamhrhfYDYlG
Bg5SZJwZVI/Wq+8mpZ+mXKsIkKo/piYVXl/RLSJLmksBwg5nETOsQtAh0wzn5Fv9
sqbcJzVboZgZ+zxbGQW6d0MNFoFJ33G6CJ1tGmqS5TK1BuADGGCZNNSph4IK/WW7
/8XHS1Vh4fs3XMoqlA50XNtk9Rymxb9Vwr5CbRGUzVT0mkJbPm8M5SzMSWKawhfv
F/ecrBdz+Z+nN05ULBIEJXv00fLZZ5dNNWs+Nwa+A1NqSIjrrvy0rkd42dneA0ss
kjMCsI1qy/pwmpxBOnvGu2/GN6pWqTm2kNuJtFSWnGUU6zecz0jP0jC10j33EQAl
d22usIzIA2VGoojA7xO07UacQ+w4axa2eOOATApdU8Vs+621GO2Yb5On27aEMbs2
dm9D0XoION5u1hXfgSg175sVA0IStIT/2ktkyC5fUJJYDB4klpPG0EBTwRfqOvqG
Kf27ZDhxHY8DZySh6idUJMAGfMpUnpIOlX3tWroRMEMWBnao7Pfy9n1Q1ySGWFRo
DD1BkfNZXabovM6qdpGD2zbp+MAFF7l/fsV4otDH2UjC1jpPyibVyUYme3/9et65
H2WtzCC6+ARR3FHGiR+6JBcKbov1VEy1XW2IeDLdUCOFWoiRyWDkUFyKLtKPOncH
+4NczdYh+EyvHijf3N8Dyiw/lnSLHmYFlBULYjRFbplIlPw0iJdDLLW6A8z78cO5
hqkKRbXIxM9jKMM3ccqYFiKeVAHmbEX5AEvQau387acVkEwDORqXuvXN9GVdteNn
BIe5kd9p+m+SONqUkmPJGRUJdt2kwVFvpW/woLS+tAk5Ys3u5eDfH0av59lp8xKa
/vLaoBTtSiUIU/KuXt3D7yas/Ybo1etc02KO913dd8ByjWdozhD8aLF0o9PEeBPC
ttm93YSrv7ttH1LF5vfhi9xq+yGhbEvbJHtD6y5g7KeUekwfXMxd0C8M1OyakcHH
Arh3TJZ3WDFOMCMGCSqGSIb3DQEJFTEWBBRB2kp/JAu+EV0KnNDuwZWyHH7/azAn
BgkqhkiG9w0BCRQxGh4YAGMAYQByAGwAbwBzAC4AMgA1ADUAMQA5MC8wHzAHBgUr
DgMCGgQUS7gZkMK++JTD92Cctznb5uLKdvEECJmBdZIPusX5AgIoAA==
-----END PKCS12----- -----END PKCS12-----
8. Dana's Sample Certificates 8. Dana's Sample Certificates
Dana has the following information: Dana has the following information:
* Name: "Dana Hopper" * Name: Dana Hopper
* E-mail Address: "dna@smime.example" * E-mail Address: dna@smime.example
8.1. Dana's Signature Verification End-Entity Certificate 8.1. Dana's Signature Verification End-Entity Certificate
This certificate is used for verification of signatures made by Dana. This certificate is used for verification of signatures made by Dana.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICAzCCAbWgAwIBAgITaWZI+hVtn8pQZviAmPmBXzWfnjAFBgMrZXAwWTENMAsG MIICAzCCAbWgAwIBAgITaWZI+hVtn8pQZviAmPmBXzWfnjAFBgMrZXAwWTENMAsG
A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM
QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx
MzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjA4MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQL MzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjA4MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQL
skipping to change at page 30, line 13 skipping to change at page 31, line 35
-----END CERTIFICATE----- -----END CERTIFICATE-----
8.2. Dana's Signing Private Key Material 8.2. Dana's Signing Private Key Material
This private key material is used by Dana to create signatures. This private key material is used by Dana to create signatures.
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEINZ8GPfmQh2AMp+uNIsZMbzvyTOltwvEt13usjnUaW4N MC4CAQAwBQYDK2VwBCIEINZ8GPfmQh2AMp+uNIsZMbzvyTOltwvEt13usjnUaW4N
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This secret key is the [SHA256] digest of the ASCII string "draft- This secret key is the [SHA256] digest of the ASCII string draft-
lamps-sample-certs-keygen.dana.sign.25519.seed". lamps-sample-certs-keygen.dana.sign.25519.seed.
8.3. Dana's Encryption End-Entity Certificate 8.3. Dana's Encryption End-Entity Certificate
This certificate is used to encrypt messages to Dana. It contains an This certificate is used to encrypt messages to Dana. It contains an
SMIMECapabilities extension to indicate that Dana's MUA expects ECDH SMIMECapabilities extension to indicate that Dana's MUA expects ECDH
with HKDF using SHA-256; uses AES-128 key wrap, as indicated in with HKDF using SHA-256; uses AES-128 key wrap, as indicated in
[RFC8418]. [RFC8418].
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICMDCCAeKgAwIBAgITDksKNqnvupyaO2gkjlIdwN7zpzAFBgMrZXAwWTENMAsG MIICMDCCAeKgAwIBAgITDksKNqnvupyaO2gkjlIdwN7zpzAFBgMrZXAwWTENMAsG
skipping to change at page 30, line 46 skipping to change at page 32, line 28
-----END CERTIFICATE----- -----END CERTIFICATE-----
8.4. Dana's Decryption Private Key Material 8.4. Dana's Decryption Private Key Material
This private key material is used by Dana to decrypt messages. This private key material is used by Dana to decrypt messages.
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VuBCIEIGxZt8L7lY48OEq4gs/smQ4weDhRNMlYHG21StivPfz3 MC4CAQAwBQYDK2VuBCIEIGxZt8L7lY48OEq4gs/smQ4weDhRNMlYHG21StivPfz3
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
This seed is the [SHA256] digest of the ASCII string "draft-lamps- This seed is the [SHA256] digest of the ASCII string draft-lamps-
sample-certs-keygen.dana.encrypt.25519.seed". sample-certs-keygen.dana.encrypt.25519.seed.
8.5. PKCS12 Object for Dana 8.5. PKCS12 Object for Dana
This PKCS12 ([RFC7292]) object contains the same information as This PKCS12 ([RFC7292]) object contains the same information as
presented in Section 8.1, Section 8.2, Section 8.3, Section 8.4, and presented in Section 8.1, Section 8.2, Section 8.3, Section 8.4, and
Section 6.3. Section 6.3.
It is locked with the simple four-letter password "dana". It is locked with the simple four-letter password dana.
-----BEGIN PKCS12----- -----BEGIN PKCS12-----
MIIKtgIBAzCCCn4GCSqGSIb3DQEHAaCCCm8EggprMIIKZzCCAu8GCSqGSIb3DQEH MIIKtgIBAzCCCn4GCSqGSIb3DQEHAaCCCm8EggprMIIKZzCCAu8GCSqGSIb3DQEH
BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIZNqH BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIZNqH
TA2APx0CAhQXgIICqK+HFHF6dF5qwlWM6MRCXw11VKrcYBff65iLABPyGvWENnVM TA2APx0CAhQXgIICqK+HFHF6dF5qwlWM6MRCXw11VKrcYBff65iLABPyGvWENnVM
TTPpDLqbGm6Yd2eLntPZvJoVe5Sf2+DW4q3BZ9aKuEdneBBk8mDJ6/Lq1+wFxY5k TTPpDLqbGm6Yd2eLntPZvJoVe5Sf2+DW4q3BZ9aKuEdneBBk8mDJ6/Lq1+wFxY5k
WaBHTA6LNml/NkM3za/fr4abKFQnu6DZgZDGbZh2BsgCMmO9TeHgZyepsh3WP4ZO WaBHTA6LNml/NkM3za/fr4abKFQnu6DZgZDGbZh2BsgCMmO9TeHgZyepsh3WP4ZO
aYDvSD0LiEzerDPlOBgjYahcNLjv/Dn/dFxtOO3or010TTUoQCqeHJOoq3hJtSI+ aYDvSD0LiEzerDPlOBgjYahcNLjv/Dn/dFxtOO3or010TTUoQCqeHJOoq3hJtSI+
8n0iXk6gtf1/ROj6JRt/3Aqz/mLMIhuxIg/5K1wxY9AwFT4oyflapNJozGg9qwGi 8n0iXk6gtf1/ROj6JRt/3Aqz/mLMIhuxIg/5K1wxY9AwFT4oyflapNJozGg9qwGi
PWVtEy3QDNvAs3bDfiNQqAfJOEHv2z3Ran7sYuz3vE0FnPfA81oWbazlydjB0P/B PWVtEy3QDNvAs3bDfiNQqAfJOEHv2z3Ran7sYuz3vE0FnPfA81oWbazlydjB0P/B
skipping to change at page 32, line 31 skipping to change at page 34, line 11
zAawM6xXMt2WMC8wHzAHBgUrDgMCGgQUzSoHpcIerV21CvCOjAe5ZVhs2M8ECC5D zAawM6xXMt2WMC8wHzAHBgUrDgMCGgQUzSoHpcIerV21CvCOjAe5ZVhs2M8ECC5D
kkzl2MltAgIoAA== kkzl2MltAgIoAA==
-----END PKCS12----- -----END PKCS12-----
9. Security Considerations 9. Security Considerations
The keys presented in this document should be considered compromised The keys presented in this document should be considered compromised
and insecure, because the secret key material is published and and insecure, because the secret key material is published and
therefore not secret. therefore not secret.
Applications which maintain blacklists of invalid key material SHOULD Any application which maintains a denylist of invalid key material
include these keys in their lists. SHOULD include these keys in its list.
10. IANA Considerations 10. IANA Considerations
IANA has nothing to do for this document. IANA has nothing to do for this document.
11. Document Considerations 11. Document Considerations
[ RFC Editor: please remove this section before publication ] [ RFC Editor: please remove this section before publication ]
This document is currently edited as markdown. Minor editorial This document is currently edited as markdown. Minor editorial
changes can be suggested via merge requests at changes can be suggested via merge requests at
https://gitlab.com/dkg/lamps-samples or by e-mail to the author. https://gitlab.com/dkg/lamps-samples or by e-mail to the author.
Please direct all significant commentary to the public IETF LAMPS Please direct all significant commentary to the public IETF LAMPS
mailing list: "spasm@ietf.org" mailing list: spasm@ietf.org
11.1. Document History 11.1. Document History
11.1.1. Substantive Changes from draft-ietf-*-04 to draft-ietf-*-05 11.1.1. Substantive Changes from draft-ietf-*-04 to draft-ietf-*-05
* Added outbound references for acronyms PEM, CRL, and OCSP, thanks
Stewart Brant.
11.1.2. Substantive Changes from draft-ietf-*-04 to draft-ietf-*-05
* Switch from SHA512 to SHA1 as MAC checksum in PKCS#12 objects, for * Switch from SHA512 to SHA1 as MAC checksum in PKCS#12 objects, for
interop with Keychain Access on macOS. interop with Keychain Access on macOS.
11.1.2. Substantive Changes from draft-ietf-*-03 to draft-ietf-*-04 11.1.3. Substantive Changes from draft-ietf-*-03 to draft-ietf-*-04
* Order subject/issuer DN components by scope. * Order subject/issuer DN components by scope.
* Put cross-signed intermediate CA certificates into PKCS#12 instead * Put cross-signed intermediate CA certificates into PKCS#12 instead
of self-signed root CA certificates. of self-signed root CA certificates.
11.1.3. Substantive Changes from draft-ietf-*-02 to draft-ietf-*-03 11.1.4. Substantive Changes from draft-ietf-*-02 to draft-ietf-*-03
* Correct encoding of S/MIME Capabilities extension. * Correct encoding of S/MIME Capabilities extension.
* Change "Certificate Authority" to "Certification Authority". * Change "Certificate Authority" to "Certification Authority".
* Add CertificatePolicies to all intermediate and end-entity * Add CertificatePolicies to all intermediate and end-entity
certificates. certificates.
* Add organization and organizational unit to all certificates. * Add organization and organizational unit to all certificates.
11.1.4. Substantive Changes from draft-ietf-*-01 to draft-ietf-*-02 11.1.5. Substantive Changes from draft-ietf-*-01 to draft-ietf-*-02
* Added cross-signed certificates for both CAs * Added cross-signed certificates for both CAs
* Added S/MIME Capabilities extension for Carlos and Dana's * Added S/MIME Capabilities extension for Carlos and Dana's
encryption keys, indicating preferred ECDH parameters. encryption keys, indicating preferred ECDH parameters.
* Ensure no serial numbers are negative. * Ensure no serial numbers are negative.
* Encode keyUsage extensions in minimum-length BIT STRINGs. * Encode keyUsage extensions in minimum-length BIT STRINGs.
11.1.5. Substantive Changes from draft-ietf-*-00 to draft-ietf-*-01 11.1.6. Substantive Changes from draft-ietf-*-00 to draft-ietf-*-01
* Added Curve25519 sample certificates (new CA, Carlos, and Dana) * Added Curve25519 sample certificates (new CA, Carlos, and Dana)
11.1.6. Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00 11.1.7. Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00
* WG adoption (dkg moves from Author to Editor) * WG adoption (dkg moves from Author to Editor)
11.1.7. Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05 11.1.8. Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05
* PEM blobs are now "sourcecode", not "artwork" * PEM blobs are now sourcecode, not artwork
11.1.8. Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04 11.1.9. Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04
* Describe deterministic key generation * Describe deterministic key generation
* label PEM blobs with filenames in XML * label PEM blobs with filenames in XML
11.1.9. Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03 11.1.10. Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03
* Alice and Bob now each have two distinct certificates: one for * Alice and Bob now each have two distinct certificates: one for
signing, one for encryption, and public keys to match. signing, one for encryption, and public keys to match.
11.1.10. Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02 11.1.11. Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02
* PKCS#12 objects are deliberately locked with simple passphrases * PKCS#12 objects are deliberately locked with simple passphrases
11.1.11. Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01 11.1.12. Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01
* changed all three keys to use RSA instead of RSA-PSS * changed all three keys to use RSA instead of RSA-PSS
* set keyEncipherment keyUsage flag instead of dataEncipherment in * set keyEncipherment keyUsage flag instead of dataEncipherment in
EE certs EE certs
12. Acknowledgements 12. Acknowledgements
This draft was inspired by similar work in the OpenPGP space by This draft was inspired by similar work in the OpenPGP space by
Bjarni Runar and juga at [I-D.bre-openpgp-samples]. Bjarni Runar and juga at [I-D.bre-openpgp-samples].
Eric Rescorla helped spot issues with certificate formats. Eric Rescorla helped spot issues with certificate formats.
Sean Turner pointed to [RFC4134] as prior work. Sean Turner pointed to [RFC4134] as prior work.
Deb Cooley suggested that Alice and Bob should have separate Deb Cooley suggested that Alice and Bob should have separate
certificates for signing and encryption. certificates for signing and encryption.
Wolfgang Hommel helped to build reproducible encrypted PKCS#12 Wolfgang Hommel helped to build reproducible encrypted PKCS#12
objects. objects.
Carsten Bormann got the XML "sourcecode" markup working for this Carsten Bormann got the XML sourcecode markup working for this draft.
draft.
David A. Cooper identified problems with the certificates and David A. Cooper identified problems with the certificates and
suggested corrections. suggested corrections.
Lijun Liao helped get the terminology right. Lijun Liao helped get the terminology right.
Stewart Brant and Roman Danyliw provided editorial suggestions.
13. References 13. References
13.1. Normative References 13.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
skipping to change at page 36, line 9 skipping to change at page 37, line 43
Einarsson, B. R., juga, and D. K. Gillmor, "OpenPGP Einarsson, B. R., juga, and D. K. Gillmor, "OpenPGP
Example Keys and Certificates", Work in Progress, Example Keys and Certificates", Work in Progress,
Internet-Draft, draft-bre-openpgp-samples-01, 20 December Internet-Draft, draft-bre-openpgp-samples-01, 20 December
2019, <https://www.ietf.org/archive/id/draft-bre-openpgp- 2019, <https://www.ietf.org/archive/id/draft-bre-openpgp-
samples-01.txt>. samples-01.txt>.
[RFC4134] Hoffman, P., Ed., "Examples of S/MIME Messages", RFC 4134, [RFC4134] Hoffman, P., Ed., "Examples of S/MIME Messages", RFC 4134,
DOI 10.17487/RFC4134, July 2005, DOI 10.17487/RFC4134, July 2005,
<https://www.rfc-editor.org/info/rfc4134>. <https://www.rfc-editor.org/info/rfc4134>.
[RFC7468] Josefsson, S. and S. Leonard, "Textual Encodings of PKIX,
PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468,
April 2015, <https://www.rfc-editor.org/info/rfc7468>.
[RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning
Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April
2015, <https://www.rfc-editor.org/info/rfc7469>. 2015, <https://www.rfc-editor.org/info/rfc7469>.
[RFC8410] Josefsson, S. and J. Schaad, "Algorithm Identifiers for [RFC8410] Josefsson, S. and J. Schaad, "Algorithm Identifiers for
Ed25519, Ed448, X25519, and X448 for Use in the Internet Ed25519, Ed448, X25519, and X448 for Use in the Internet
X.509 Public Key Infrastructure", RFC 8410, X.509 Public Key Infrastructure", RFC 8410,
DOI 10.17487/RFC8410, August 2018, DOI 10.17487/RFC8410, August 2018,
<https://www.rfc-editor.org/info/rfc8410>. <https://www.rfc-editor.org/info/rfc8410>.
 End of changes. 59 change blocks. 
289 lines changed or deleted 376 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/