idnits 2.17.1 

draft-ietf-sip-sec-flows-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 19.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1885.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1862.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1869.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1875.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  == There are 6 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  == There are 2 instances of lines with non-RFC3849-compliant IPv6 addresses
     in the document.  If these are example addresses, they should be changed.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document doesn't use any RFC 2119 keywords, yet seems to have RFC
     2119 boilerplate text.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (May 16, 2006) is 6555 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '0' is mentioned on line 908, but not defined

  ** Obsolete normative reference: RFC 3280 (ref. '3') (Obsoleted by RFC 5280)

  ** Obsolete normative reference: RFC 2246 (ref. '4') (Obsoleted by RFC 4346)

  ** Obsolete normative reference: RFC 3546 (ref. '5') (Obsoleted by RFC 4366)

  ** Obsolete normative reference: RFC 3268 (ref. '6') (Obsoleted by RFC 5246)

  ** Obsolete normative reference: RFC 3851 (ref. '7') (Obsoleted by RFC 5751)

  ** Obsolete normative reference: RFC 3369 (ref. '8') (Obsoleted by RFC 3852)


     Summary: 9 errors (**), 0 flaws (~~), 7 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                        C. Jennings
3	Internet-Draft                                             Cisco Systems
4	Expires: November 17, 2006                                        K. Ono
5	                                                         NTT Corporation
6	                                                          R. Sparks, Ed.
7	                                                        Estacado Systems
8	                                                            May 16, 2006

10	  Example call flows using Session Initiation Protocol (SIP) security
11	                               mechanisms
12	                      draft-ietf-sip-sec-flows-00

14	Status of this Memo

16	   By submitting this Internet-Draft, each author represents that any
17	   applicable patent or other IPR claims of which he or she is aware
18	   have been or will be disclosed, and any of which he or she becomes
19	   aware will be disclosed, in accordance with Section 6 of BCP 79.

21	   Internet-Drafts are working documents of the Internet Engineering
22	   Task Force (IETF), its areas, and its working groups.  Note that
23	   other groups may also distribute working documents as Internet-
24	   Drafts.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at any
28	   time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   The list of current Internet-Drafts can be accessed at
32	   http://www.ietf.org/ietf/1id-abstracts.txt.

34	   The list of Internet-Draft Shadow Directories can be accessed at
35	   http://www.ietf.org/shadow.html.

37	   This Internet-Draft will expire on November 17, 2006.

39	Copyright Notice

41	   Copyright (C) The Internet Society (2006).

43	Abstract

45	   This document shows example call flows demonstrating the use of
46	   Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail
47	   Extensions (S/MIME) in Session Initiation Protocol (SIP).  It also
48	   provides information that helps implementers build interoperable SIP
49	   software.  To help facilitate interoperability testing, it includes
50	   certificates used in the example call flows and processes to create
51	   certificates for testing.

53	Table of Contents

55	   1.  Administrive Information . . . . . . . . . . . . . . . . . . .  3
56	   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
57	   3.  Conventions  . . . . . . . . . . . . . . . . . . . . . . . . .  4
58	   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  4
59	   5.  Known Problems . . . . . . . . . . . . . . . . . . . . . . . .  4
60	   6.  Certificates . . . . . . . . . . . . . . . . . . . . . . . . .  4
61	     6.1.  CA Certificates  . . . . . . . . . . . . . . . . . . . . .  4
62	     6.2.  Host Certificates  . . . . . . . . . . . . . . . . . . . .  8
63	     6.3.  User Certificates  . . . . . . . . . . . . . . . . . . . .  9
64	   7.  Callflow with Message Over TLS . . . . . . . . . . . . . . . . 12
65	     7.1.  TLS with Server Authentication . . . . . . . . . . . . . . 12
66	     7.2.  MESSAGE Message Over TLS . . . . . . . . . . . . . . . . . 13
67	   8.  Callflow with S/MIME-secured Message . . . . . . . . . . . . . 14
68	     8.1.  MESSAGE Message with Signed Body . . . . . . . . . . . . . 14
69	     8.2.  MESSAGE Message with Encrypted Body  . . . . . . . . . . . 17
70	     8.3.  MESSAGE Message with Encrypted and Signed Body . . . . . . 20
71	   9.  Test Consideration . . . . . . . . . . . . . . . . . . . . . . 25
72	   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 26
73	   11. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 26
74	   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
75	     12.1. Normative References . . . . . . . . . . . . . . . . . . . 26
76	     12.2. Informative References . . . . . . . . . . . . . . . . . . 27
77	   Appendix A.  Making Test Certificates  . . . . . . . . . . . . . . 27
78	     A.1.  makeCA script  . . . . . . . . . . . . . . . . . . . . . . 29
79	     A.2.  makeCert script  . . . . . . . . . . . . . . . . . . . . . 31
80	   Appendix B.  Certificates for Testing  . . . . . . . . . . . . . . 33
81	   Appendix C.  Message Dumps . . . . . . . . . . . . . . . . . . . . 36
82	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 44
83	   Intellectual Property and Copyright Statements . . . . . . . . . . 45

85	1.  Administrive Information

87	   Please note that this version of the document
88	   (draft-ietf-sip-sec-flows-00) is ONLY an administrative renaming from
89	   draft-ietf-sipping-sec-flows.  The outstanding additions to this
90	   document discussed in those working groups have not yet been captured
91	   here.

93	2.  Introduction

95	   Several different groups are starting to implement the S/MIME[7]
96	   portion of SIP[2], and SIP with TLS[4], implementations are becoming
97	   very common.  At several interoperability events, it has become clear
98	   that it is difficult to write these systems without any test vectors
99	   or examples of "known good" messages to test against.  Furthermore,
100	   testing at the events is often hampered by trying to get certificates
101	   signed by some common test root into the appropriate format for
102	   various clients.  This document addresses both of these issues by
103	   providing messages that give detailed examples that implementers can
104	   use for comparison and that can also be used for testing.  In
105	   addition, this document provides a common certificate that can be
106	   used for a Certificate Authority (CA) to reduce the time it takes to
107	   set up a test at an interoperability event.  The document also
108	   provides some hints and clarifications for implementers.

110	   A simple SIP call flow using SIPS URIs and TLS is shown in Section 7.
111	   The certificates for the hosts used are shown in Section 6.2, and the
112	   CA certificates used to sign these are shown in Section 6.1.

114	   The text from Section 8.1 through Section 8.3 shows some simple SIP
115	   call flows using S/MIME to sign and encrypt the body of the message.
116	   The user certificates used in these examples are shown in
117	   Section 6.3.  These host certificates are signed with the same CA
118	   certificate.

120	   Section 9 presents a partial list of things implementers should
121	   consider in order to implement systems that will interoperate.

123	   A way to make certificates that can be used for interoperability
124	   testing is presented in Appendix A, along with methods for converting
125	   these to various formats.

127	   Binary copies of various messages in this draft that can be used for
128	   testing appear in Appendix C.

130	3.  Conventions

132	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
133	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
134	   document are to be interpreted as described in RFC-2119 [1].

136	4.  Security Considerations

138	   Implementers must never use any of the certificates provided in this
139	   document in anything but a test environment.  Installing the CA root
140	   certificates used in this document as a trusted root in operational
141	   software would completely destroy the security of the system while
142	   giving the user the impression that the system was operating
143	   securely.

145	   This document recommends some things that implementers might test or
146	   verify to improve the security of their implementations.  It is
147	   impossible to make a comprehensive list of these, and this document
148	   only suggests some of the most common mistakes that have been seen at
149	   the SIPit interoperability events.  Just because an implementation
150	   does everything this document recommends does not make it secure.

152	   This document does not show the messages to check Certificate
153	   Revocation Lists (see [3]) as that is not part of the SIP call flow.

155	5.  Known Problems

157	   The binary dumps of the messages in Section 7.2 need to be updated to
158	   match the text of the draft.

160	   The messages are missing the accept headers.  They should have the
161	   following header:

163	      Accept: multipart/signed
164	      Accept: text/plain
165	      Accept: application/pkcs7-mime
166	      Accept: application/sdp
167	      Accept: multipart/alternative

169	6.  Certificates

171	6.1.  CA Certificates

173	   The certificate used by the CA to sign the other certificates is
174	   shown below.  This is a X509v3 certificate.  Note that the basic
175	   constraints allow it to be used as a CA.

177	   Version: 3 (0x2)
178	   Serial Number: 0 (0x0)
179	   Signature Algorithm: sha1WithRSAEncryption
180	   Issuer: C=US, ST=California, L=San Jose, O=sipit,
181	           OU=Sipit Test Certificate Authority
182	   Validity
183	       Not Before: Jul 18 12:21:52 2003 GMT
184	       Not After : Jul 15 12:21:52 2013 GMT
185	   Subject: C=US, ST=California, L=San Jose, O=sipit,
186	           OU=Sipit Test Certificate Authority
187	   Subject Public Key Info:
188	       Public Key Algorithm: rsaEncryption
189	       RSA Public Key: (1024 bit)
190	           Modulus (1024 bit):
191	               00:c3:22:1e:83:91:c5:03:2c:3c:8a:f4:11:14:c6:
192	               4b:9d:fa:72:78:c6:b0:95:18:a7:e0:8c:79:ba:5d:
193	               a4:ae:1e:21:2d:9d:f1:0b:1c:cf:bd:5b:29:b3:90:
194	               13:73:66:92:6e:df:4c:b3:b3:1c:1f:2a:82:0a:ba:
195	               07:4d:52:b0:f8:37:7b:e2:0a:27:30:70:dd:f9:2e:
196	               03:ff:2a:76:cd:df:87:1a:bd:71:eb:e1:99:6a:c4:
197	               7f:8e:74:a0:77:85:04:e9:41:ad:fc:03:b6:17:75:
198	               aa:33:ea:0a:16:d9:fb:79:32:2e:f8:cf:4d:c6:34:
199	               a3:ff:1b:d0:68:28:e1:9d:e5
200	           Exponent: 65537 (0x10001)
201	   X509v3 extensions:
202	     X509v3 Subject Key Identifier:
203	       6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
204	     X509v3 Authority Key Identifier:
205	       6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
206	       DirName:/C=US/ST=California/L=San Jose/O=sipit/
207	                OU=Sipit Test Certificate Authority
208	       serial:00
209	     X509v3 Basic Constraints:
210	       CA:TRUE
211	   Signature Algorithm: sha1WithRSAEncryption
212	    96:6d:1b:ef:d5:91:93:45:7c:5b:1f:cf:c4:aa:47:52:0b:34:
213	    a8:50:fa:ec:fa:b4:2a:47:4c:5d:41:a7:3d:c0:d6:3f:9e:56:
214	    5b:91:1d:ce:a8:07:b3:1b:a4:9f:9a:49:6f:7f:e0:ce:83:94:
215	    71:42:af:fe:63:a2:34:dc:b4:5e:a5:ce:ca:79:50:e9:6a:99:
216	    4c:14:69:e9:7c:ab:22:6c:44:cc:8a:9c:33:6b:23:50:42:05:
217	    1f:e1:c2:81:88:5f:ba:e5:47:bb:85:9b:83:25:ad:84:32:ff:
218	    2a:5b:8b:70:12:11:83:61:c9:69:15:4f:58:a3:3c:92:d4:e8:
219	    6f:52

221	   The ASN.1 parse of the CA certificate is shown below.

223	       0:l= 804 cons: SEQUENCE
224	       4:l= 653 cons:  SEQUENCE
225	       8:l=   3 cons:   cont [ 0 ]
226	      10:l=   1 prim:    INTEGER           :02
227	      13:l=   1 prim:   INTEGER           :00
228	      16:l=  13 cons:   SEQUENCE
229	      18:l=   9 prim:    OBJECT            :sha1WithRSAEncryption
230	      29:l=   0 prim:    NULL
231	      31:l= 112 cons:   SEQUENCE
232	      33:l=  11 cons:    SET
233	      35:l=   9 cons:     SEQUENCE
234	      37:l=   3 prim:      OBJECT            :countryName
235	      42:l=   2 prim:      PRINTABLESTRING   :US
236	      46:l=  19 cons:    SET
237	      48:l=  17 cons:     SEQUENCE
238	      50:l=   3 prim:      OBJECT            :stateOrProvinceName
239	      55:l=  10 prim:      PRINTABLESTRING   :California
240	      67:l=  17 cons:    SET
241	      69:l=  15 cons:     SEQUENCE
242	      71:l=   3 prim:      OBJECT            :localityName
243	      76:l=   8 prim:      PRINTABLESTRING   :San Jose
244	      86:l=  14 cons:    SET
245	      88:l=  12 cons:     SEQUENCE
246	      90:l=   3 prim:      OBJECT            :organizationName
247	      95:l=   5 prim:      PRINTABLESTRING   :sipit
248	     102:l=  41 cons:    SET
249	     104:l=  39 cons:     SEQUENCE
250	     106:l=   3 prim:      OBJECT            :organizationalUnitName
251	     111:l=  32 prim:      PRINTABLESTRING   :
252	                           Sipit Test Certificate Authority
253	     145:l=  30 cons:   SEQUENCE
254	     147:l=  13 prim:    UTCTIME           :030718122152Z
255	     162:l=  13 prim:    UTCTIME           :130715122152Z
256	     177:l= 112 cons:   SEQUENCE
257	     179:l=  11 cons:    SET
258	     181:l=   9 cons:     SEQUENCE
259	     183:l=   3 prim:      OBJECT            :countryName
260	     188:l=   2 prim:      PRINTABLESTRING   :US
261	     192:l=  19 cons:    SET
262	     194:l=  17 cons:     SEQUENCE
263	     196:l=   3 prim:      OBJECT            :stateOrProvinceName
264	     201:l=  10 prim:      PRINTABLESTRING   :California
265	     213:l=  17 cons:    SET
266	     215:l=  15 cons:     SEQUENCE
267	     217:l=   3 prim:      OBJECT            :localityName
268	     222:l=   8 prim:      PRINTABLESTRING   :San Jose
269	     232:l=  14 cons:    SET
270	     234:l=  12 cons:     SEQUENCE
271	     236:l=   3 prim:      OBJECT            :organizationName
272	     241:l=   5 prim:      PRINTABLESTRING   :sipit
273	     248:l=  41 cons:    SET
274	     250:l=  39 cons:     SEQUENCE
275	     252:l=   3 prim:      OBJECT            :organizationalUnitName
276	     257:l=  32 prim:      PRINTABLESTRING   :
277	                           Sipit Test Certificate Authority
278	     291:l= 159 cons:   SEQUENCE
279	     294:l=  13 cons:    SEQUENCE
280	     296:l=   9 prim:     OBJECT            :rsaEncryption
281	     307:l=   0 prim:     NULL
282	     309:l= 141 prim:    BIT STRING
283	   00 30 81 89 02 81 81 00-c3 22 1e 83 91 c5 03 2c   .0.......".....,
284	   3c 8a f4 11 14 c6 4b 9d-fa 72 78 c6 b0 95 18 a7   <.....K..rx.....
285	   e0 8c 79 ba 5d a4 ae 1e-21 2d 9d f1 0b 1c cf bd   ..y.]...!-......
286	   5b 29 b3 90 13 73 66 92-6e df 4c b3 b3 1c 1f 2a   [)...sf.n.L....*
287	   82 0a ba 07 4d 52 b0 f8-37 7b e2 0a 27 30 70 dd   ....MR..7{..'0p.
288	   f9 2e 03 ff 2a 76 cd df-87 1a bd 71 eb e1 99 6a   ....*v.....q...j
289	   c4 7f 8e 74 a0 77 85 04-e9 41 ad fc 03 b6 17 75   ...t.w...A.....u
290	   aa 33 ea 0a 16 d9 fb 79-32 2e f8 cf 4d c6 34 a3   .3.....y2...M.4.
291	   ff 1b d0 68 28 e1 9d e5-02 03 01 00 01            ...h(........
292	     453:l= 205 cons:   cont [ 3 ]
293	     456:l= 202 cons:    SEQUENCE
294	     459:l=  29 cons:     SEQUENCE
295	     461:l=   3 prim:      OBJECT    :X509v3 Subject Key Identifier
296	     466:l=  22 prim:      OCTET STRING
297	   04 14 6b 46 17 14 ea 94-76 25 80 54 6e 13 54 da   ..kF....v%.Tn.T.
298	   a1 e3 54 14 a1 b6                                 ..T...
299	     490:l= 154 cons:     SEQUENCE
300	     493:l=   3 prim:      OBJECT    :X509v3 Authority Key Identifier
301	     498:l= 146 prim:      OCTET STRING
302	   30 81 8f 80 14 6b 46 17-14 ea 94 76 25 80 54 6e   0....kF....v%.Tn
303	   13 54 da a1 e3 54 14 a1-b6 a1 74 a4 72 30 70 31   .T...T....t.r0p1
304	   0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11   .0...U....US1.0.
305	   06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69   ..U....Californi
306	   61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20   a1.0...U....San
307	   4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73   Jose1.0...U....s
308	   69 70 69 74 31 29 30 27-06 03 55 04 0b 13 20 53   ipit1)0'..U... S
309	   69 70 69 74 20 54 65 73-74 20 43 65 72 74 69 66   ipit Test Certif
310	   69 63 61 74 65 20 41 75-74 68 6f 72 69 74 79 82   icate Authority.
311	   01                                                .
312	         0092 - <SPACES/NULS>
313	     647:l=  12 cons:     SEQUENCE
314	     649:l=   3 prim:      OBJECT            :X509v3 Basic Constraints
315	     654:l=   5 prim:      OCTET STRING
316	   30 03 01 01 ff                                    0....
317	     661:l=  13 cons:  SEQUENCE
318	     663:l=   9 prim:   OBJECT            :sha1WithRSAEncryption
319	     674:l=   0 prim:   NULL
320	     676:l= 129 prim:  BIT STRING
321	   00 96 6d 1b ef d5 91 93-45 7c 5b 1f cf c4 aa 47   ..m.....E|[....G
322	   52 0b 34 a8 50 fa ec fa-b4 2a 47 4c 5d 41 a7 3d   R.4.P....*GL]A.=
323	   c0 d6 3f 9e 56 5b 91 1d-ce a8 07 b3 1b a4 9f 9a   ..?.V[..........
324	   49 6f 7f e0 ce 83 94 71-42 af fe 63 a2 34 dc b4   Io.....qB..c.4..
325	   5e a5 ce ca 79 50 e9 6a-99 4c 14 69 e9 7c ab 22   ^...yP.j.L.i.|."
326	   6c 44 cc 8a 9c 33 6b 23-50 42 05 1f e1 c2 81 88   lD...3k#PB......
327	   5f ba e5 47 bb 85 9b 83-25 ad 84 32 ff 2a 5b 8b   _..G....%..2.*[.
328	   70 12 11 83 61 c9 69 15-4f 58 a3 3c 92 d4 e8 6f   p...a.i.OX.<...o
329	   52                                                R

331	6.2.  Host Certificates

333	   The certificate for the host example.com is shown below.  Note that
334	   the Subject Alternative Name is set to example.com and is a DNS type.
335	   The certificates for the other hosts are shown in Appendix B.

337	   Data:
338	       Version: 3 (0x2)
339	       Serial Number:
340	           01:95:00:71:02:33:00:55
341	       Signature Algorithm: sha1WithRSAEncryption
342	       Issuer: C=US, ST=California, L=San Jose, O=sipit,
343	               OU=Sipit Test Certificate Authority
344	       Validity
345	           Not Before: Feb  3 18:49:08 2005 GMT
346	           Not After : Feb  3 18:49:08 2008 GMT
347	       Subject: C=US, ST=California, L=San Jose, O=sipit,
348	                CN=example.com
349	       Subject Public Key Info:
350	           Public Key Algorithm: rsaEncryption
351	           RSA Public Key: (1024 bit)
352	               Modulus (1024 bit):
353	                   00:e6:31:76:b5:27:cc:8d:32:85:56:70:f7:c2:33:
354	                   33:32:26:42:5e:3c:68:71:7b:1f:79:50:d0:72:27:
355	                   3b:4a:af:f2:ce:d1:0c:bc:c0:5f:31:6a:43:e7:7c:
356	                   ad:64:bd:c7:e6:25:9f:aa:cd:2d:90:aa:68:84:62:
357	                   7b:05:be:43:a5:af:bb:ea:9d:a9:5b:a4:53:9d:22:
358	                   8b:da:96:2e:1f:3f:92:46:b8:cc:c8:24:3c:46:cd:
359	                   5d:2d:64:85:b1:a4:ca:01:f1:8e:c5:7e:0f:ff:00:
360	                   91:a3:ea:cb:3e:12:02:75:a4:bb:08:c8:d0:2a:ef:
361	                   b3:bb:72:7a:98:e5:ff:9f:81
362	               Exponent: 65537 (0x10001)
363	       X509v3 extensions:
364	           X509v3 Subject Alternative Name:
365	               DNS:example.com
366	           X509v3 Basic Constraints:
367	               CA:FALSE
368	           X509v3 Subject Key Identifier:
369	               22:EA:CB:38:66:1D:F1:96:0C:9A:47:B6:BB:1C:52:
370	               44:B0:77:65:8D
371	   Signature Algorithm: sha1WithRSAEncryption
372	       ae:eb:49:ed:1e:f1:8d:26:a9:6d:03:82:92:d5:df:44:c4:1e:
373	       1f:07:75:88:37:e4:76:97:35:12:59:98:79:78:16:6e:3b:b1:
374	       c0:2b:db:85:02:6b:74:c9:5b:19:92:da:7e:f5:41:0b:bc:d2:
375	       dd:45:aa:6f:be:24:dc:48:57:66:d9:2e:82:df:9e:8d:70:03:
376	       73:75:ef:8f:7a:56:4c:cc:42:bd:31:45:b0:5e:ff:d1:3b:c4:
377	       82:ee:fd:a7:c1:10:34:eb:81:49:1a:6b:86:7e:c7:61:1d:b3:
378	       b9:0a:02:bd:84:f8:47:af:cf:f1:a8:73:a8:31:1d:20:7a:06:
379	       7f:ac

381	6.3.  User Certificates

383	   The user certificate for fluffy@example.com is shown below.  Note
384	   that the Subject Alternative Name has a list of names with different
385	   URL types such as a sip, im, or pres URL.  This is necessary for
386	   interoperating with CPIM gateway.  In this example, example.com is
387	   the domain for fluffy.  The message could be coming from a host
388	   called atlanta.example.com, and the AOR in the user certificate would
389	   still be the same.  The others are shown in Appendix B.

391	   Data:
392	       Version: 3 (0x2)
393	       Serial Number:
394	           01:95:00:71:02:33:00:58
395	       Signature Algorithm: sha1WithRSAEncryption
396	       Issuer: C=US, ST=California, L=San Jose, O=sipit,
397	               OU=Sipit Test Certificate Authority
398	       Validity
399	           Not Before: Feb  3 18:49:34 2005 GMT
400	           Not After : Feb  3 18:49:34 2008 GMT
401	       Subject: C=US, ST=California, L=San Jose, O=sipit,
402	                CN=fluffy@example.com
403	       Subject Public Key Info:
404	           Public Key Algorithm: rsaEncryption
405	           RSA Public Key: (1024 bit)
406	               Modulus (1024 bit):
407	                   00:ca:ab:9b:9b:4e:3c:d5:45:3c:ce:00:a6:36:a8:
408	                   b9:ec:d2:76:e2:b9:9b:e8:28:aa:ba:86:22:c5:cf:
409	                   33:3e:4f:6d:56:21:ae:bd:54:84:7c:14:14:f9:7d:
410	                   99:85:00:4e:93:d6:fd:6b:d4:d1:d4:55:8e:c9:89:
411	                   b1:af:2b:5f:23:99:4a:95:e5:68:65:64:1d:12:a7:
412	                   db:d3:d5:97:18:47:35:9c:e6:88:27:9d:a8:6c:ca:
413	                   2a:84:e6:62:d8:f1:e9:a2:1a:39:7e:0e:0f:90:a5:
414	                   a6:79:21:bc:2a:67:b4:dd:69:90:82:9a:ae:1f:02:
415	                   52:8a:58:d3:f5:d0:d4:66:67
416	               Exponent: 65537 (0x10001)
417	       X509v3 extensions:
418	           X509v3 Subject Alternative Name:
419	               URI:sip:fluffy@example.com, URI:im:fluffy@example.com,
420	               URI:pres:fluffy@example.com
421	           X509v3 Basic Constraints:
422	               CA:FALSE
423	           X509v3 Subject Key Identifier:
424	               EC:DA:98:5E:E9:F7:F7:D7:EC:2B:29:4B:DA:25:EE:C7:C7:
425	               7E:95:70
426	   Signature Algorithm: sha1WithRSAEncryption
427	       4c:46:49:6e:01:48:e2:d4:6e:d7:48:a1:f3:7b:c8:a5:98:37:
428	       a5:44:46:58:9f:4a:37:7d:90:fb:5f:ff:36:bd:67:31:f0:29:
429	       de:0a:e2:ea:b9:f0:5c:9f:ad:a0:de:e5:4e:42:8f:11:d8:41:
430	       ea:68:be:db:c2:1e:fa:e5:8a:2d:7f:66:13:29:e9:da:8f:fb:
431	       80:bf:7e:5e:b6:04:ad:08:5e:58:95:b7:c5:38:85:d5:65:31:
432	       ad:80:cb:28:a7:4c:ad:11:fd:41:3b:37:77:5a:de:85:96:3d:
433	       66:eb:5f:9a:f8:60:5f:8e:b1:fc:4a:43:53:b6:11:4d:2e:f4:
434	       3d:ff

436	7.  Callflow with Message Over TLS

438	7.1.  TLS with Server Authentication

440	   The flow below shows the edited SSLDump output of the host
441	   example.com forming a TLS[4] connection to example.net.  In this
442	   example mutual authentication is not used.  Note that the client
443	   proposed three protocol suites including TLS_RSA_WITH_AES_128_CBC_SHA
444	   defined in [6].  The certificate returned by the server contains a
445	   Subject Alternative Name that is set to example.net.  A detailed
446	   discussion of TLS can be found in [13].

448	   This example does not use the Server Extended Hello[5].

450	   New TCP connection #1: 127.0.0.1(55768) <-> 127.0.0.1(5061)
451	   1 1  0.0060 (0.0060)  C>SV3.1(49)  Handshake
452	         ClientHello
453	           Version 3.1
454	           random[32]=
455	             42 16 8c c7 82 cd c5 87 42 ba f5 1c 91 04 fb 7d
456	             4d 6c 56 f1 db 1d ce 8a b1 25 71 5a 68 01 a2 14
457	           cipher suites
458	           TLS_RSA_WITH_AES_256_CBC_SHA
459	           TLS_RSA_WITH_AES_128_CBC_SHA
460	           TLS_RSA_WITH_3DES_EDE_CBC_SHA
461	           compression methods
462	                     NULL
463	   1 2  0.0138 (0.0077)  S>CV3.1(74)  Handshake
464	         ServerHello
465	           Version 3.1
466	           random[32]=
467	             42 16 8c c7 c9 2c 43 42 bb 69 a5 ba f1 2d 69 75
468	             c3 8d 3a 85 78 19 f2 e4 d9 2b 72 b4 cc dd e4 72
469	           session_id[32]=
470	             06 37 e9 22 56 29 e6 b4 3a 6e 53 fe 56 27 ed 1f
471	             2a 75 34 65 f0 91 fc 79 cf 90 da ac f4 6f 64 b5
472	           cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
473	           compressionMethod                   NULL
474	   1 3  0.0138 (0.0000)  S>CV3.1(1477)  Handshake
475	         Certificate
476	   1 4  0.0138 (0.0000)  S>CV3.1(4)  Handshake
477	         ServerHelloDone
478	   1 5  0.0183 (0.0045)  C>SV3.1(134)  Handshake
479	         ClientKeyExchange
480	           EncryptedPreMasterSecret[128]=
481	             a6 bd d9 4b 76 4b 9d 6f 7b 12 8a e4 52 75 9d 74
482	             4f 06 e4 b0 bc 69 96 d7 42 ba 77 01 b6 9e 64 b0
483	             ea c5 aa de 59 41 e4 f3 9e 1c 1c a9 48 f5 0a 3f
484	             5e c3 50 23 15 d7 46 1d 69 79 76 ba 5e c8 ac 39
485	             23 71 d0 0c 18 a6 a9 77 0f 7d 49 61 ef 6f 8d 32
486	             54 f5 a4 1d 19 33 0a 64 ee 56 91 9b f4 f7 50 b1
487	             11 4b 81 46 4c 36 df 70 98 04 dc 5c 8a 16 a9 2e
488	             58 67 ae 5e 7a a9 44 2b 0b 7c 9c 2f 16 25 1a e9
489	   1 6  0.0183 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
490	   1 7  0.0183 (0.0000)  C>SV3.1(48)  Handshake
491	   1 8  0.0630 (0.0447)  S>CV3.1(1)  ChangeCipherSpec
492	   1 9  0.0630 (0.0000)  S>CV3.1(48)  Handshake
493	   1 10 0.3274 (0.2643)  C>SV3.1(32)  application_data
494	   1 11 0.3274 (0.0000)  C>SV3.1(720)  application_data
495	   1 12 0.3324 (0.0050)  S>CV3.1(32)  application_data
496	   1 13 0.3324 (0.0000)  S>CV3.1(384)  application_data
497	   1    9.2491 (8.9166)  C>S  TCP FIN
498	   1    9.4023 (0.1531)  S>C  TCP FIN

500	7.2.  MESSAGE Message Over TLS

502	   Once the TLS session is set up, the following MESSAGE message (as
503	   defined in [12] is sent from fluffy@example.com to
504	   kumiko@example.net.  Note that the URI has a SIPS URL and that the
505	   VIA indicates that TLS was used.  In order to format this document,
506	   it was necessary to break up some of the lines across continuation
507	   lines but the original messages have no continuation lines and no
508	   breaks in the Identity header field value.

510	   MESSAGE sips:kumiko@example.net SIP/2.0
511	   To: <sips:kumiko@example.net>
512	   From: <sips:fluffy@example.com>;tag=03de46e1
513	   Via: SIP/2.0/TLS 127.0.0.1:5071;
514	        branch=z9hG4bK-d87543-58c826887160f95f-1--d87543-;rport
515	   Call-ID: 0dc68373623af98a@Y2ouY2lzY28uc2lwaXQubmV0
516	   CSeq: 1 MESSAGE
517	   Contact: <sips:fluffy@127.0.0.1:5071>
518	   Max-Forwards: 70
519	   Content-Transfer-Encoding: binary
520	   Content-Type: text/plain
521	   Date: Sat, 19 Feb 2005 00:48:07 GMT
522	   User-Agent: SIPimp.org/0.2.5 (curses)
523	   Content-Length: 6

525	   Hello!

527	   The response is sent from example.net to example.com over the same
528	   TLS connection.  It is shown below.

530	   SIP/2.0 200 OK
531	   To: <sips:kumiko@example.net>;tag=4c53f1b8
532	   From: <sips:fluffy@example.com>;tag=03de46e1
533	   Via: SIP/2.0/TLS 127.0.0.1:5071;
534	        branch=z9hG4bK-d87543-58c826887160f95f-1--d87543-;
535	        rport=55768;received=127.0.0.1
536	   Call-ID: 0dc68373623af98a@Y2ouY2lzY28uc2lwaXQubmV0
537	   CSeq: 1 MESSAGE
538	   Contact: <sips:kumiko@127.0.0.1:5061>
539	   Content-Length: 0

541	8.  Callflow with S/MIME-secured Message

543	8.1.  MESSAGE Message with Signed Body

545	   Example Signed Message.  The value on the Content-Type line has been
546	   broken across lines to fit on the page but it should not be broken
547	   across lines in actual implementations.

549	   MESSAGE sip:kumiko@example.net SIP/2.0
550	   To: <sip:kumiko@example.net>
551	   From: <sip:fluffy@example.com>;tag=0c523b42
552	   Via: SIP/2.0/UDP 68.122.119.3:5060;
553	        branch=z9hG4bK-d87543-16a1192b7960f635-1--d87543-;rport
554	   Call-ID: 27bb7608596d8914@Y2ouY2lzY28uc2lwaXQubmV0
555	   CSeq: 1 MESSAGE
556	   Contact: <sip:fluffy@68.122.119.3:5060>
557	   Max-Forwards: 70
558	   Content-Transfer-Encoding: binary
559	   Content-Type: multipart/signed;boundary=151aa2144df0f6bd;\
560	                 micalg=sha1;protocol="application/pkcs7-signature"
561	   Date: Sat, 19 Nov 2005 23:34:50 GMT
562	   User-Agent: SIPimp.org/0.2.5 (curses)
563	   Content-Length: 639

565	   --151aa2144df0f6bd
566	   Content-Type: text/plain
567	   Content-Transfer-Encoding: binary

569	   hello
570	   --151aa2144df0f6bd
571	   Content-Type: application/pkcs7-mime;name=smime.p7s
572	   Content-Disposition: attachment;handling=required;filename=smime.p7s
573	   Content-Transfer-Encoding: binary

575	   *******************
576	   * BINARY BLOB 1   *
577	   *******************
578	   --151aa2144df0f6bd--

580	   It is important to note that the signature is computed across
581	   includes the header and excludes the boundary.  The value on the
582	   Message-body line ends with CRLF.  The CRLF is included in the
583	   boundary and should not be part of the signature computation.  In the
584	   example below, the signature is computed over data starting with the
585	   C in the Content-Type and ending with the o in the hello.

587	   Content-Type: text/plain
588	   Content-Transfer-Encoding: binary

590	   hello

592	   ASN.1 parse of binary Blob 1.  Note that at address 30, the hash for
593	   the signature is specified as SHA1.  Also note that the sender's
594	   certificate is not attached as it is optional in [8].

596	      0:SEQUENCE {
597	      4:  OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
598	     15:  [0] {
599	     19:    SEQUENCE {
600	     23:      INTEGER 1
601	     26:      SET {
602	     28:        SEQUENCE {
603	     30:          OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
604	       :          }
605	       :        }
606	     37:      SEQUENCE {
607	     39:        OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
608	       :        }
609	     50:      SET {
610	     54:        SEQUENCE {
611	     58:          INTEGER 1
612	     61:          SEQUENCE {
613	     63:            SEQUENCE {
614	     65:              SET {
615	     67:                SEQUENCE {
616	     69:                  OBJECT IDENTIFIER countryName (2 5 4 6)
617	     74:                  PrintableString 'US'
618	       :                  }
619	       :                }
620	     78:              SET {
621	     80:                SEQUENCE {
622	     82:                  OBJECT IDENTIFIER stateOrProvinceName(2 5 4 8)
623	     87:                  PrintableString 'California'
624	       :                  }
625	       :                }
626	     99:              SET {
627	    101:                SEQUENCE {
628	    103:                  OBJECT IDENTIFIER localityName (2 5 4 7)
629	    108:                  PrintableString 'San Jose'
630	       :                  }
631	       :                }
632	    118:              SET {
633	    120:                SEQUENCE {
634	    122:                  OBJECT IDENTIFIER organizationName (2 5 4 10)
635	    127:                  PrintableString 'sipit'
636	       :                  }
637	       :                }
638	    134:              SET {
639	    136:                SEQUENCE {
640	    138:                  OBJECT IDENTIFIER
641	       :                    organizationalUnitName (2 5 4 11)
642	    143:                  PrintableString
643	                            'Sipit Test Certificate Authority'
644	       :                  }
645	       :                }
646	       :              }
647	    177:            INTEGER 01 95 00 71 02 33 00 58
648	       :            }
649	    187:          SEQUENCE {
650	    189:            OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
651	       :            }
652	    196:          SEQUENCE {
653	    198:            OBJECT IDENTIFIER rsaEncryption
654	                      (1 2 840 113549 1 1 1)
655	    209:            NULL
656	       :            }
657	    211:          OCTET STRING
658	       :            C4 0E 40 A5 7F 88 5B 06 90 E7 B2 40 39 DF 33 E3
659	       :            18 39 C2 9E EC 51 5E 06 E2 D5 DA F0 F6 87 77 1E
660	       :            F7 F9 C1 26 04 20 F8 30 B8 C0 37 92 F6 5C 64 DD
661	       :            87 41 43 F8 2D E5 28 20 35 7D 84 72 2B 5E 5F CF
662	       :            2E 73 93 03 4B DB 35 4C CA 44 CD F8 91 58 A2 4C
663	       :            65 A1 A6 EA DC E6 1B 1E DD DA BD BE 1A EA 9F 62
664	       :            12 7A D1 1A E7 27 B5 96 88 B9 E6 EF 79 C0 E5 40
665	       :            A0 5F 9F 93 09 4C 65 55 DA A8 FE CD 02 10 A9 67
666	       :          }
667	       :        }
668	       :      }
669	       :    }
670	       :  }

672	8.2.  MESSAGE Message with Encrypted Body

674	   Example encrypted text/plain message that says "hello":

676	   MESSAGE sip:kumiko@example.net SIP/2.0
677	   To: <sip:kumiko@example.net>
678	   From: <sip:fluffy@example.com>;tag=6d2a39e4
679	   Via: SIP/2.0/UDP 68.122.119.3:5060;
680	        branch=z9hG4bK-d87543-44ddc0a217a51788-1--d87543-;rport
681	   Call-ID: 031be67669ea9799@Y2ouY2lzY28uc2lwaXQubmV0
682	   CSeq: 1 MESSAGE
683	   Contact: <sip:fluffy@68.122.119.3:5060>
684	   Max-Forwards: 70
685	   Content-Disposition: attachment;handling=required;filename=smime.p7
686	   Content-Transfer-Encoding: binary
687	   Content-Type: application/pkcs7-mime;\
688	                 smime-type=enveloped-data;name=smime.p7m
689	   Date: Sat, 19 Nov 2005 23:33:18 GMT
690	   User-Agent: SIPimp.org/0.2.5 (curses)
691	   Content-Length: 435

693	   *****************
694	   * BINARY BLOB 2 *
695	   *****************

697	   ASN.1 parse of binary Blob 2.  Note that at address 324, the
698	   encryption is set to aes128-CBC.

700	      0:SEQUENCE {
701	      4:  OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
702	     15:  [0] {
703	     19:    SEQUENCE {
704	     23:      INTEGER 0
705	     26:      SET {
706	     30:        SEQUENCE {
707	     34:          INTEGER 0
708	     37:          SEQUENCE {
709	     39:            SEQUENCE {
710	     41:              SET {
711	     43:                SEQUENCE {
712	     45:                  OBJECT IDENTIFIER countryName (2 5 4 6)
713	     50:                  PrintableString 'US'
714	       :                  }
715	       :                }
716	     54:              SET {
717	     56:                SEQUENCE {
718	     58:                  OBJECT IDENTIFIER stateOrProvinceName(2 5 4 8)
719	     63:                  PrintableString 'California'
720	       :                  }
721	       :                }
722	     75:              SET {
723	     77:                SEQUENCE {
724	     79:                  OBJECT IDENTIFIER localityName (2 5 4 7)
725	     84:                  PrintableString 'San Jose'
726	       :                  }
727	       :                }
728	     94:              SET {
729	     96:                SEQUENCE {
730	     98:                  OBJECT IDENTIFIER organizationName (2 5 4 10)
731	    103:                  PrintableString 'sipit'
732	       :                  }
733	       :                }
734	    110:              SET {
735	    112:                SEQUENCE {
736	    114:                  OBJECT IDENTIFIER
737	       :                    organizationalUnitName (2 5 4 11)
738	    119:                  PrintableString
739	                            'Sipit Test Certificate Authority'
740	       :                  }
741	       :                }
742	       :              }
743	    153:            INTEGER 01 95 00 71 02 33 00 57
744	       :            }
745	    163:          SEQUENCE {
746	    165:           OBJECT IDENTIFIER rsaEncryption(1 2 840 113549 1 1 1)
747	    176:           NULL
748	       :           }
749	    178:          OCTET STRING
750	       :            7C F3 8A 02 E8 44 2C A6 9B 3E 64 46 06 D3 95 2D
751	       :            DF 19 8F 5D 0C 24 6B F7 93 03 E7 3C 98 F1 57 74
752	       :            67 70 0E 40 F8 05 96 34 06 36 97 61 5C 0B 2D 61
753	       :            AD CB F0 82 56 23 E5 09 C0 C7 BC A5 F4 A3 B7 59
754	       :            5D 8B 44 6E 3F 7C DE 50 54 2C 95 73 CC 9A 74 8B
755	       :            A9 26 68 FD F8 82 01 43 1D 30 3C 0C 40 B2 19 A2
756	       :            5A 90 06 0F AC 95 CB DF 21 13 F2 26 C8 10 45 A3
757	       :            F4 AB 54 74 72 FD 91 6C 73 27 BF 62 47 7B EC 58
758	       :          }
759	       :        }
760	    309:      SEQUENCE {
761	    311:        OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
762	    322:        SEQUENCE {
763	    324:          OBJECT IDENTIFIER aes128-CBC (2 16 840 1 101 3 4 1 2)
764	    335:          OCTET STRING
765	       :            50 9E 44 AA A5 54 C3 5C 0D 9A DF 65 F7 47 36 99
766	       :          }
767	    353:        [0]
768	       :          55 C5 C7 EA 5D 5A 7C 06 95 3C 24 25 D5 53 08 BB
769	       :          04 19 B4 BF 84 15 F5 6C 4C 80 05 14 06 3E F3 D1
770	       :          B7 04 A1 46 4E E3 1E FF 16 35 79 2A 06 DD A8 83
771	       :          61 24 E1 62 B0 DA 03 53 78 F8 B7 CD B2 11 68 57
772	       :          BE 5F 13 49 B9 5E AB 6F 6E 26 2D 8A A5 9E E5 10
773	       :        }
774	       :       }
775	       :    }
776	       :  }

778	8.3.  MESSAGE Message with Encrypted and Signed Body

780	   In the example below, one of the headers is contained in a box and is
781	   split across two lines.  This was only done to make it fit in the RFC
782	   format.  This header should not have the box around it and should be
783	   on one line with no whitespace between the "mime;" and the "smime-
784	   type".  Note that Content-Type is split across lines for formatting
785	   but is not split in the real message.

787	   MESSAGE sip:kumiko@example.net SIP/2.0
788	   To: <sip:kumiko@example.net>
789	   From: <sip:fluffy@example.com>;tag=361300da
790	   Via: SIP/2.0/UDP 68.122.119.3:5060;
791	        branch=z9hG4bK-d87543-0710dbfb18ebb8e6-1--d87543-;rport
792	   Call-ID: 5eda27a67de6283d@Y2ouY2lzY28uc2lwaXQubmV0
793	   CSeq: 1 MESSAGE
794	   Contact: <sip:fluffy@68.122.119.3:5060>
795	   Max-Forwards: 70
796	   Content-Transfer-Encoding: binary
797	   Content-Type: multipart/signed;boundary=1af019eb7754ddf7;\
798	                 micalg=sha1;protocol="application/pkcs7-signature"
799	   Date: Sat, 19 Nov 2005 23:35:40 GMT
800	   User-Agent: SIPimp.org/0.2.5 (curses)
801	   Content-Length: 1191

803	   --1af019eb7754ddf7
804	   |--See note about stuff in this box --------------------|
805	   |Content-Type: application/pkcs7-mime;                  |
806	   |              smime-type=enveloped-data;name=smime.p7m |
807	   |-------------------------------------------------------|
808	   Content-Disposition: attachment;handling=required;filename=smime.p7
809	   Content-Transfer-Encoding: binary

811	   *****************
812	   * BINARY BLOB 3 *
813	   *****************
814	   --1af019eb7754ddf7
815	   Content-Type: application/pkcs7-mime;name=smime.p7s
816	   Content-Disposition: attachment;handling=required;filename=smime.p7s
817	   Content-Transfer-Encoding: binary

819	   *****************
820	   * BINARY BLOB 4 *
821	   *****************
822	   --1af019eb7754ddf7--

824	   Binary blob 3

826	      0:SEQUENCE {
827	      4:  OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
828	     15:  [0] {
829	     19:    SEQUENCE {
830	     23:      INTEGER 0
831	     26:      SET {
832	     30:        SEQUENCE {
833	     34:          INTEGER 0
834	     37:          SEQUENCE {
835	     39:            SEQUENCE {
836	     41:              SET {
837	     43:                SEQUENCE {
838	     45:                  OBJECT IDENTIFIER countryName (2 5 4 6)
839	     50:                  PrintableString 'US'
840	       :                  }
841	       :                }
842	     54:              SET {
843	     56:                SEQUENCE {
844	     58:                  OBJECT IDENTIFIER stateOrProvinceName(2 5 4 8)
845	     63:                  PrintableString 'California'
846	       :                  }
847	       :                }
848	     75:              SET {
849	     77:                SEQUENCE {
850	     79:                  OBJECT IDENTIFIER localityName (2 5 4 7)
851	     84:                  PrintableString 'San Jose'
852	       :                  }
853	       :                }
854	     94:              SET {
855	     96:                SEQUENCE {
856	     98:                  OBJECT IDENTIFIER organizationName (2 5 4 10)
857	    103:                  PrintableString 'sipit'
858	       :                  }
859	       :                }
860	    110:              SET {
861	    112:                SEQUENCE {
862	    114:                  OBJECT IDENTIFIER
863	       :                    organizationalUnitName (2 5 4 11)
864	    119:                  PrintableString
865	                            'Sipit Test Certificate Authority'
866	       :                  }
867	       :                }
868	       :              }
869	    153:            INTEGER 01 95 00 71 02 33 00 57
870	       :            }
871	    163:          SEQUENCE {
872	    165:           OBJECT IDENTIFIER rsaEncryption(1 2 840 113549 1 1 1)
873	    176:           NULL
874	       :           }
875	    178:          OCTET STRING
876	       :            69 B3 A3 61 F4 F8 63 4F 46 0A 1A AB 0F 1B 16 09
877	       :            DB 3A A9 12 3B 23 F0 C9 4E 68 04 15 AB 42 4F 66
878	       :            FA EF 8D C4 86 88 41 BA 53 A3 88 49 54 E3 0E EB
879	       :            E3 69 63 5A DF 77 2A 8A 1E 42 7E E4 A7 DB CF 90
880	       :            7E 90 47 FD 20 C9 B2 3B 2F A5 42 2A 68 66 9A 25
881	       :            53 D8 FC D9 70 9F 02 0F F2 D2 CB F7 15 7F 6F 4F
882	       :            AB 19 0F 55 51 A2 76 24 DA A3 78 F4 1E 31 AA 6A
883	       :            DF 7C E2 42 3B C5 33 11 E0 EE EE 2E 02 9D 8C 1A
884	       :          }
885	       :        }
886	    309:      SEQUENCE {
887	    311:        OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
888	    322:        SEQUENCE {
889	    324:          OBJECT IDENTIFIER aes128-CBC (2 16 840 1 101 3 4 1 2)
890	    335:          OCTET STRING
891	       :            72 71 AE FE 55 12 BA 99 92 EA D3 C5 9C B6 60 69
892	       :          }
893	    353:        [0]
894	       :          9A 9F DD 9E 58 B6 BE 59 BC CA 6C 3E 3E F5 81 A3
895	       :          30 A0 38 A3 1C 25 92 E3 AA 07 7A 85 7C 36 F0 12
896	       :          9F 80 DF 98 BD 1E 22 EC BF 8B 03 EB 33 AE 81 75
897	       :          D3 91 0A 82 1E 13 8C 60 F0 2B 55 DD 03 52 84 52
898	       :          B1 51 5F E2 F0 CE 8A 94 4B F5 46 CE BF 77 80 8F
899	       :        }
900	       :      }
901	       :    }
902	       :  }

904	   Binary Blob 4

906	      0:SEQUENCE {
907	      4:  OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
908	     15:  [0] {
909	     19:    SEQUENCE {
910	     23:      INTEGER 1
911	     26:      SET {
912	     28:        SEQUENCE {
913	     30:          OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
914	       :          }
915	       :        }
916	     37:      SEQUENCE {
917	     39:        OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
918	       :        }
919	     50:      SET {
920	     54:        SEQUENCE {
921	     58:          INTEGER 1
922	     61:          SEQUENCE {
923	     63:            SEQUENCE {
924	     65:              SET {
925	     67:                SEQUENCE {
926	     69:                  OBJECT IDENTIFIER countryName (2 5 4 6)
927	     74:                  PrintableString 'US'
928	       :                  }
929	       :                }
930	     78:              SET {
931	     80:                SEQUENCE {
932	     82:                  OBJECT IDENTIFIER stateOrProvinceName(2 5 4 8)
933	     87:                  PrintableString 'California'
934	       :                  }
935	       :                }
936	     99:              SET {
937	    101:                SEQUENCE {
938	    103:                  OBJECT IDENTIFIER localityName (2 5 4 7)
939	    108:                  PrintableString 'San Jose'
940	       :                  }
941	       :                }
942	    118:              SET {
943	    120:                SEQUENCE {
944	    122:                  OBJECT IDENTIFIER organizationName (2 5 4 10)
945	    127:                  PrintableString 'sipit'
946	       :                  }
947	       :                }
948	    134:              SET {
949	    136:                SEQUENCE {
950	    138:                  OBJECT IDENTIFIER
951	       :                    organizationalUnitName (2 5 4 11)
952	    143:                  PrintableString
953	                            'Sipit Test Certificate Authority'
954	       :                  }
955	       :                }
956	       :              }
957	    177:            INTEGER 01 95 00 71 02 33 00 58
958	       :            }
959	    187:          SEQUENCE {
960	    189:            OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
961	       :            }
962	    196:          SEQUENCE {
963	    198:           OBJECT IDENTIFIER rsaEncryption(1 2 840 113549 1 1 1)
964	    209:           NULL
965	       :           }
966	    211:          OCTET STRING
967	       :            16 85 D7 B8 08 C6 32 D5 85 7D 26 0F F8 89 DA D0
968	       :            B8 FE 96 FB 40 C9 0E 52 C7 FE A5 87 55 F7 1A 86
969	       :            29 80 CC B0 75 A3 72 DD 76 80 6B 2C 8B C0 14 EA
970	       :            49 FE 18 8F A6 27 BC 5B 60 C1 FE 15 4D 2A 42 DD
971	       :            33 F8 0D D0 77 11 73 82 31 4D 31 66 B1 CF 95 F0
972	       :            9D EE DF 81 E3 54 DF 8C 7B 63 70 D4 93 B5 AE E0
973	       :            D4 90 DB BE D8 0B 3B C2 99 6A FE 5A F0 E9 F0 DF
974	       :            85 F2 A6 8C 28 33 0D 77 04 59 78 06 E5 0E 48 78
975	       :          }
976	       :        }
977	       :      }
978	       :    }
979	       :  }

981	9.  Test Consideration

983	   This section describes some common interoperability problems.
984	   Implementers should verify that their clients do the correct things
985	   and perhaps make their clients forgiving in what they receive, or at
986	   least have them produce reasonable error messages when interacting
987	   with software that has these problems.

989	   A common problem is that some SIP clients incorrectly only do SSLv3
990	   and do not support TLS.

992	   Many SIP clients were found to accept expired certificates with no
993	   warning or error.

995	   TLS and S/MIME can provide the identity of the peer that a client is
996	   communicating with in the Subject Alternative Name in the
997	   certificate.  The software must check that this name corresponds to
998	   the identity the server is trying to contact.  If a client is trying
999	   to set up a TLS connection to good.example.com and it gets a TLS
1000	   connection set up with a server that presents a valid certificate but
1001	   with the name evil.example.com, it must generate an error or warning
1002	   of some type.  Similarly with S/MIME, if a user is trying to
1003	   communicate with sip:fluffy@example.com, one of the items in the
1004	   Subject Alternate Name set in the certificate must match.

1006	   Some implementations used binary MIME encodings while others used
1007	   base64.  The preferred form is binary.

1009	   In several places in this draft, the messages contain the encoding
1010	   for the SHA-1 digest algorithm identifier.  The preferred form for
1011	   encoding as set out in Section 2 of RFC 3370 [10] is the form in
1012	   which the optional AlgorithmIdentifier parameter field is omitted.
1013	   However, RFC 3370 also says the receives need to be able to receive
1014	   the form in which the AlgorithmIdentifier parameter field is present
1015	   and set to NULL.  Examples of the form using NULL can be found in
1016	   Section 4.2 of RFC 4134 [11].  Receivers really do need to be able to
1017	   receive the form that includes the NULL because the NULL form, while
1018	   not preferred, is what was observed as being generated by most
1019	   implementations.  Implementers should also note that if the algorithm
1020	   is MD5 instead of SHA1, then the form that omits the
1021	   AlgorithmIdentifier parameters field is not allowed and the sender
1022	   has to use the form where the NULL is included.

1024	   The preferred encryption algorithm for S/MIME in SIP is AES as
1025	   defined in RFC 3853 [9].

1027	   Interoperability was generally better when UAs did not attach the
1028	   senders' certificates.  Attaching the certificates significantly
1029	   increases the size of the messages, and since it can not be relied
1030	   on, it does not turn out to be useful in most situations.

1032	10.  IANA Considerations

1034	   No IANA actions are required.

1036	11.  Acknowledgments

1038	   Many thanks to the developers of all the open source software used to
1039	   create these call flows.  This includes the underling crypto and TLS
1040	   software used from openssl.org, the SIP stack from
1041	   www.resiprocate.org, and the SIMPLE IMPP agent from www.sipimp.org.
1042	   The TLS flow dumps were done with SSLDump from
1043	   http://www.rtfm.com/ssldump.  The book "SSL and TLS" [13] was a huge
1044	   help in developing the code for these flows.  It's sad there is no
1045	   second edition.

1047	   Thanks to Jim Schaad, Russ Housley, Eric Rescorla, Dan Wing, Tat
1048	   Chan, and Lyndsay Campbell who all helped find and correct mistakes
1049	   in this document.

1051	12.  References

1053	12.1.  Normative References

1055	   [1]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
1056	         Levels", BCP 14, RFC 2119, March 1997.

1058	   [2]   Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
1059	         Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
1060	         Session Initiation Protocol", RFC 3261, June 2002.

1062	   [3]   Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509
1063	         Public Key Infrastructure Certificate and Certificate
1064	         Revocation List (CRL) Profile", RFC 3280, April 2002.

1066	   [4]   Dierks, T., Allen, C., Treese, W., Karlton, P., Freier, A., and
1067	         P. Kocher, "The TLS Protocol Version 1.0", RFC 2246,
1068	         January 1999.

1070	   [5]   Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
1071	         T. Wright, "Transport Layer Security (TLS) Extensions",
1072	         RFC 3546, June 2003.

1074	   [6]   Chown, P., "Advanced Encryption Standard (AES) Ciphersuites for
1075	         Transport Layer Security (TLS)", RFC 3268, June 2002.

1077	   [7]   Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
1078	         (S/MIME) Version 3.1 Message Specification", RFC 3851,
1079	         July 2004.

1081	   [8]   Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3369,
1082	         August 2002.

1084	   [9]   Peterson, J., "S/MIME Advanced Encryption Standard (AES)
1085	         Requirement for the Session Initiation Protocol (SIP)",
1086	         RFC 3853, July 2004.

1088	   [10]  Housley, R., "Cryptographic Message Syntax (CMS) Algorithms",
1089	         RFC 3370, August 2002.

1091	12.2.  Informative References

1093	   [11]  Hoffman, P., "Examples of S/MIME Messages", RFC 4134,
1094	         July 2005.

1096	   [12]  Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C., and
1097	         D. Gurle, "Session Initiation Protocol (SIP) Extension for
1098	         Instant Messaging", RFC 3428, December 2002.

1100	   [13]  Rescorla, E., "SSL and TLS - Designing and Building Secure
1101	         Systems", 2001.

1103	Appendix A.  Making Test Certificates

1105	   These scripts allow you to make certificates for test purposes.  The
1106	   certificates will all share a common CA root so that everyone running
1107	   these scripts can have interoperable certificates.  WARNING - these
1108	   certificates are totally insecure and are for test purposes only.
1109	   All the CA created by this script share the same private key to
1110	   facilitate interoperability testing, but this totally breaks the
1111	   security since the private key of the CA is well known.

1113	   The instructions assume a Unix-like environment with openssl
1114	   installed, but openssl does work in Windows too.  Make sure you have
1115	   openssl installed by trying to run "openssl".  Run the makeCA script
1116	   found in Appendix A.1; this creates a subdirectory called demoCA.  If
1117	   the makeCA script cannot find where your openssl is installed you
1118	   will have to set an environment variable called OPENSSLDIR to
1119	   whatever directory contains the file openssl.cnf.  You can find this
1120	   with a "locate openssl.cnf".  You are now ready to make certificates.

1122	   To create certs for use with TLS, run the makeCert script found in
1123	   Appendix A.2 with the fully qualified domain name of the proxy you
1124	   are making the certificate for.  For example, "makeCert
1125	   host.example.net".  This will generate a private key and a
1126	   certificate.  The private key will be left in a file named
1127	   domain_key_example.net.pem in pem format.  The certificate will be in
1128	   domain_cert_example.net.pem.  Some programs expect both the
1129	   certificate and private key combined together in a PKCS12 format
1130	   file.  This is created by the script and left in a file named
1131	   example.net.p12.  Some programs expect this file to have a .pfx
1132	   extension instead of .p12 - just rename the file if needed.  A filed
1133	   with a certificate signing request, called example.net.csr, is also
1134	   created and can be used to get the certificate signed by another CA.

1136	   A second argument indicating the number of days for which the
1137	   certificate should be valid can be passed to the makeCert script.  It
1138	   is possible to make an expired certificate using the command
1139	   "makeCert host.example.net 0".

1141	   Anywhere that a password is used to protect a certificate, the
1142	   password is set to the string "password".

1144	   The root certificate for the CA is in the file
1145	   root_cert_fluffyCA.pem.

1147	   For things that need DER format certificates, a certificate can be
1148	   converted from PEM to DER with "openssl x509 -in cert.pem -inform PEM
1149	   -out cert.der -outform DER".

1151	   Some programs expect certificates in PKCS#7 format (with a file
1152	   extension of .p7c).  You can convert these from PEM format to PKCS#7
1153	   with "openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile demoCA/
1154	   cacert.pem -outform DER -out cert.p7c"

1156	   IE, Outlook, and Netscape can import and export .p12 files and .p7c
1157	   files.  You can convert a pkcs7 certificate to PEM format with
1158	   "openssl pkcs7 -in cert.p7c -inform DER -outform PEM -out cert.pem".

1160	   The private key can be converted to pkcs8 format with "openssl pkcs8
1161	   -in a_key.pem -topk8 -outform DER -out a_key.p8c"

1163	   In general, a TLS client will just need the root certificate of the
1164	   CA.  A TLS server will need its private key and its certificate.

1166	   These could be in two PEM files or one .p12 file.  An S/MIME program
1167	   will need its private key and certificate, the root certificate of
1168	   the CA, and the certificate for every other user it communicates
1169	   with.

1171	A.1.  makeCA script

1173	   #!/bin/sh
1174	   #set -x

1176	   rm -rf demoCA

1178	   mkdir demoCA
1179	   mkdir demoCA/certs
1180	   mkdir demoCA/crl
1181	   mkdir demoCA/newcerts
1182	   mkdir demoCA/private
1183	   echo "01" > demoCA/serial
1184	   hexdump -n 4 -e '4/1 "%04u"' /dev/random > demoCA/serial
1185	   touch demoCA/index.txt

1187	   # You may need to modify this for where your default file is
1188	   # you can find where yours in by typing "openssl ca"
1189	   for D in /etc/ssl /usr/local/ssl /sw/etc/ssl /sw/share/ssl; do
1190	           CONF=${OPENSSLDIR:=$D}/openssl.cnf
1191	           [ -f ${CONF} ] && break
1192	   done

1194	   if [ ! -f $CONF  ]; then
1195	       echo "Can not find file $CONF - set your OPENSSLDIR variable"
1196	       exit
1197	   fi
1198	   cp $CONF openssl.cnf

1200	   cat >> openssl.cnf  <<EOF
1201	   [ cj_cert ]
1202	   subjectAltName=\${ENV::ALTNAME}
1203	   basicConstraints=CA:FALSE
1204	   subjectKeyIdentifier=hash
1205	   #authorityKeyIdentifier=keyid,issuer:always

1207	   [ cj_req ]
1208	   basicConstraints = CA:FALSE
1209	   subjectAltName=\${ENV::ALTNAME}
1210	   subjectKeyIdentifier=hash
1211	   #authorityKeyIdentifier=keyid,issuer:always
1212	   #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
1213	   EOF

1215	   cat > demoCA/private/cakey.pem <<EOF
1216	   -----BEGIN RSA PRIVATE KEY-----
1217	   Proc-Type: 4,ENCRYPTED
1218	   DEK-Info: DES-EDE3-CBC,4B47A0A73ADE342E

1220	   aHmlPa+ZrOV6v+Jk0SClxzpxoG3j0ZuyoVkF9rzq2bZkzVBKLU6xhWwjMDqwA8dH
1221	   3fCRLhMGIUVnmymXYhTW9svI1gpFxMBQHJcKpV/SmgFn/fbYk98Smo2izHOniIiu
1222	   NOu2zr+bMiaBphOAZ/OCtVUxUOoBDKN9lR39UCDOgkEQzp9Vbw7l736yu5H9GMHP
1223	   JtGLJyx3RhS3TvLfLAJZhjm/wZ/9QM8GjyJEiDhMQRJVeIZGvv4Yr1u6yYHiHfjX
1224	   tX2eds8Luc83HbSvjAyjnkLtJsAZ/8cFzrd7pjFzbogLdWuil+kpkkf5h1uzh7oa
1225	   um0M1EXBE4tcDHsfg1iqEsDMIei/U+/rWfk1PrzYlklwZp8S03vulkDm1fT76W7d
1226	   mRBg4+CrHA6qYn6EPWB37OBtfEqAfINnIcI1dWzso9A0bTPD4EJO0JA0PcZ/2JgT
1227	   PaKySgooHQ8AHNQebelch6M5LFExpaOADJKrqauKcc2HeUxXaYIpac5/7drIl3io
1228	   UloqUnMlGa3eLP7BZIMsZKCfHZ8oqwU4g6mmmJath2gODRDx3mfhH6yaimDL7v4i
1229	   SAIIkrEHXfSyovrTJymfSfQtYxUraVZDqax6oj/eGllRxliGfMLYG9ceU+yU/8FN
1230	   LE7P+Cs19H5tHHzx1LlieaK43u/XvbXHlB5mqL/fZdkUIBJsjbBVx0HR8eQl2CH9
1231	   YJDMOPLADecwHoyKA0AY59oN9d41oF7yZtN9KwNdslROYH7mNJlqMMenhXCLN+Nz
1232	   vVU5/7/ugZFhZqfS46c1WdmSvuqpDp7TBtMeaH/PXjysBr0iZffOxQ==
1233	   -----END RSA PRIVATE KEY-----
1234	   EOF

1236	   cat > demoCA/cacert.pem <<EOF
1237	   -----BEGIN CERTIFICATE-----
1238	   MIIDJDCCAo2gAwIBAgIBADANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET
1239	   MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT
1240	   BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0
1241	   eTAeFw0wMzA3MTgxMjIxNTJaFw0xMzA3MTUxMjIxNTJaMHAxCzAJBgNVBAYTAlVT
1242	   MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
1243	   ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
1244	   aXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDIh6DkcUDLDyK9BEUxkud
1245	   +nJ4xrCVGKfgjHm6XaSuHiEtnfELHM+9WymzkBNzZpJu30yzsxwfKoIKugdNUrD4
1246	   N3viCicwcN35LgP/KnbN34cavXHr4ZlqxH+OdKB3hQTpQa38A7YXdaoz6goW2ft5
1247	   Mi74z03GNKP/G9BoKOGd5QIDAQABo4HNMIHKMB0GA1UdDgQWBBRrRhcU6pR2JYBU
1248	   bhNU2qHjVBShtjCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU2qHjVBShtqF0
1249	   pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcT
1250	   CFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBD
1251	   ZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
1252	   AQUFAAOBgQCWbRvv1ZGTRXxbH8/EqkdSCzSoUPrs+rQqR0xdQac9wNY/nlZbkR3O
1253	   qAezG6Sfmklvf+DOg5RxQq/+Y6I03LRepc7KeVDpaplMFGnpfKsibETMipwzayNQ
1254	   QgUf4cKBiF+65Ue7hZuDJa2EMv8qW4twEhGDYclpFU9YozyS1OhvUg==
1255	   -----END CERTIFICATE-----
1256	   EOF

1258	   # uncomment the following lines to generate your own key pair
1259	   #openssl req -newkey rsa:1024 -passin pass:password \
1260	   #    -passout pass:password \
1261	   #    -sha1 -x509 -keyout demoCA/private/cakey.pem \
1262	   #    -out demoCA/cacert.pem -days 3650 <<EOF
1263	   #US
1264	   #California
1265	   #San Jose
1266	   #sipit
1267	   #Sipit Test Certificate Authority
1268	   #
1269	   #
1270	   #EOF

1272	   openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \
1273	           -outform DER -out demoCA/cacert.p7c

1275	   cp demoCA/cacert.pem root_cert_fluffyCA.pem

1277	A.2.  makeCert script

1279	   #!/bin/sh
1280	   #set -x

1282	   if [  $# == 1  ]; then
1283	     DAYS=1095
1284	   elif [ $# == 2 ]; then
1285	     DAYS=$2
1286	   else
1287	     echo "Usage: makeCert test.example.org [days]"
1288	     echo "       makeCert alice@example.org [days]"
1289	     echo "days is how long the certificate is valid"
1290	     echo "days set to 0 generates an invalid certificate"
1291	     exit 0
1292	   fi

1294	   ADDR=$1

1296	   echo "making cert for ${ADDR}"

1298	   rm -f ${ADDR}_*.pem
1299	   rm -f ${ADDR}.p12

1301	   case ${ADDR} in
1302	   *:*) ALTNAME="URI:${ADDR}" ;;
1303	   *@*) ALTNAME="URI:sip:${ADDR},URI:im:${ADDR},URI:pres:${ADDR}" ;;
1304	   *)   ALTNAME="DNS:${ADDR}" ;;
1305	   esac
1306	   rm -f demoCA/index.txt
1307	   touch demoCA/index.txt
1308	   rm -f demoCA/newcerts/*

1310	   export ALTNAME

1312	   openssl genrsa  -out ${ADDR}_key.pem 1024
1313	   openssl req -new  -config openssl.cnf -reqexts cj_req \
1314	           -sha1 -key ${ADDR}_key.pem \
1315	           -out ${ADDR}.csr -days ${DAYS} <<EOF
1316	   US
1317	   California
1318	   San Jose
1319	   sipit

1321	   ${ADDR}

1323	   EOF

1325	   if [ $DAYS == 0 ]; then
1326	   openssl ca -extensions cj_cert -config openssl.cnf \
1327	       -passin pass:password -policy policy_anything \
1328	       -md sha1 -batch -notext -out ${ADDR}_cert.pem \
1329	       -startdate 990101000000Z \
1330	       -enddate 000101000000Z \
1331	        -infiles ${ADDR}.csr
1332	   else
1333	   openssl ca -extensions cj_cert -config openssl.cnf \
1334	       -passin pass:password -policy policy_anything \
1335	       -md sha1 -days ${DAYS} -batch -notext -out ${ADDR}_cert.pem \
1336	        -infiles ${ADDR}.csr
1337	   fi

1339	   openssl pkcs12 -passin pass:password \
1340	       -passout pass:password -export \
1341	       -out ${ADDR}.p12 -in ${ADDR}_cert.pem \
1342	       -inkey ${ADDR}_key.pem -name ${ADDR} -certfile demoCA/cacert.pem

1344	   openssl x509 -in ${ADDR}_cert.pem -noout -text

1346	   case ${ADDR} in
1347	   *@*) mv ${ADDR}_key.pem user_key_${ADDR}.pem;   \
1348	        mv ${ADDR}_cert.pem user_cert_${ADDR}.pem ;;
1349	   *)   mv ${ADDR}_key.pem domain_key_${ADDR}.pem; \
1350	        mv ${ADDR}_cert.pem domain_cert_${ADDR}.pem ;;
1351	   esac

1353	Appendix B.  Certificates for Testing

1355	   This section contains various certificates used for testing in PEM
1356	   format.

1358	   Fluffy's certificate.

1360	   -----BEGIN CERTIFICATE-----
1361	   MIICzjCCAjegAwIBAgIIAZUAcQIzAFgwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
1362	   BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
1363	   DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
1364	   dXRob3JpdHkwHhcNMDUwMjAzMTg0OTM0WhcNMDgwMjAzMTg0OTM0WjBiMQswCQYD
1365	   VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux
1366	   DjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJmbHVmZnlAZXhhbXBsZS5jb20wgZ8w
1367	   DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMqrm5tOPNVFPM4ApjaouezSduK5m+go
1368	   qrqGIsXPMz5PbVYhrr1UhHwUFPl9mYUATpPW/WvU0dRVjsmJsa8rXyOZSpXlaGVk
1369	   HRKn29PVlxhHNZzmiCedqGzKKoTmYtjx6aIaOX4OD5ClpnkhvCpntN1pkIKarh8C
1370	   UopY0/XQ1GZnAgMBAAGjfzB9MFEGA1UdEQRKMEiGFnNpcDpmbHVmZnlAZXhhbXBs
1371	   ZS5jb22GFWltOmZsdWZmeUBleGFtcGxlLmNvbYYXcHJlczpmbHVmZnlAZXhhbXBs
1372	   ZS5jb20wCQYDVR0TBAIwADAdBgNVHQ4EFgQU7NqYXun399fsKylL2iXux8d+lXAw
1373	   DQYJKoZIhvcNAQEFBQADgYEATEZJbgFI4tRu10ih83vIpZg3pURGWJ9KN32Q+1//
1374	   Nr1nMfAp3gri6rnwXJ+toN7lTkKPEdhB6mi+28Ie+uWKLX9mEynp2o/7gL9+XrYE
1375	   rQheWJW3xTiF1WUxrYDLKKdMrRH9QTs3d1rehZY9ZutfmvhgX46x/EpDU7YRTS70
1376	   Pf8=
1377	   -----END CERTIFICATE-----

1379	   Fluffy's private key

1381	   -----BEGIN RSA PRIVATE KEY-----
1382	   MIICXAIBAAKBgQDKq5ubTjzVRTzOAKY2qLns0nbiuZvoKKq6hiLFzzM+T21WIa69
1383	   VIR8FBT5fZmFAE6T1v1r1NHUVY7JibGvK18jmUqV5WhlZB0Sp9vT1ZcYRzWc5ogn
1384	   nahsyiqE5mLY8emiGjl+Dg+QpaZ5IbwqZ7TdaZCCmq4fAlKKWNP10NRmZwIDAQAB
1385	   AoGAXgtxwoh0jBZ716/PcS+sTut+xUiRwxIT30fdHONACRr8RmqM1khAzf7XmMoi
1386	   kegJjmrF3+K6l4g4IOcnL3y1wVCtzJ1f2QDTuVzAsvazZqI4+pNB4LaAb+JPNQ+4
1387	   BtrQSXADXv7HfkUakzeZpgnJYw+zHWaVogKjcLDKHWdrbOECQQDpH/G+GsJ4mnrp
1388	   wZF9OxKqKhqBO73ZONHDxu55AukLghGnFh1udqdCQ7EPsaCqLN82RS4gn/WDfnBh
1389	   WB8DRavxAkEA3o6nMOMyKdsuqBbGyEPvaPDVmw973wtEohIj6MgwdYSUOhdKAurR
1390	   hs09yVGy0QpjoNHIE0vi5lUhPxJ1+Xvv1wJBAL0Ry14DFfX6U/WBqB2I63pW62gk
1391	   q7ShAH9nt8EtOxS6SNbaeMQ+Nyjm/ZNc3JEoE2BQezi6gsRCp6JLdduRhgECQD1p
1392	   V7EhwCHUnVc8kbWJKXLnocmbyC6PyWx/XPFK7DRBVTWCX6XWbeKol7gJlzIfj8Y8
1393	   nNzWP9IXA4mH6o3hKRkCQA+1er++Tx24uypEijIi7OK0bfjJUlrhCM9NVWxDKrzO
1394	   3zpuUB7yzuxrbcMZI8JKQIHL0sWz7egscepxS+N61y8=
1395	   -----END RSA PRIVATE KEY-----

1397	   Kumiko's certificate
1398	   -----BEGIN CERTIFICATE-----
1399	   MIICzjCCAjegAwIBAgIIAZUAcQIzAFcwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
1400	   BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
1401	   DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
1402	   dXRob3JpdHkwHhcNMDUwMjAzMTg0OTIzWhcNMDgwMjAzMTg0OTIzWjBiMQswCQYD
1403	   VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux
1404	   DjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJrdW1pa29AZXhhbXBsZS5uZXQwgZ8w
1405	   DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANX6dhOhUuf+2I3lymzeuSDwHLZqMqnu
1406	   3ISiIji/VlEoVUBFIHYjtxbmhIi40mEl4cqT+tVI6gY6Pe7VrL835Yr3AoLLeUB7
1407	   4mXa7T152+jAxA4+nCVnIAkMrPxTDeBFEfn+qyCRPWyQ7WEgH3Vd9AufnC7aeafD
1408	   pp+dcAOFZ2pBAgMBAAGjfzB9MFEGA1UdEQRKMEiGFnNpcDprdW1pa29AZXhhbXBs
1409	   ZS5uZXSGFWltOmt1bWlrb0BleGFtcGxlLm5ldIYXcHJlczprdW1pa29AZXhhbXBs
1410	   ZS5uZXQwCQYDVR0TBAIwADAdBgNVHQ4EFgQUNi5qQQ2G6AsiZK79cPEXYmPsqFIw
1411	   DQYJKoZIhvcNAQEFBQADgYEABIFd9N/3/05AD7Kt9kKSdy6vFvncU1IaccuFfdXc
1412	   QPfewY8NWwYKWsu588D4Nu77VQ++6a8AtjlJPSY/742Z4oKq1jfxdA+Uz/Z9cv2v
1413	   6aM4oX7R5FTgJTbHRC0ueH32OhNlcLhSNGHzNWSrS8AbtNOlfLRJipZI3N0W5b6q
1414	   09Q=
1415	   -----END CERTIFICATE-----

1417	   Kumiko's private key

1419	   -----BEGIN RSA PRIVATE KEY-----
1420	   MIICXQIBAAKBgQDV+nYToVLn/tiN5cps3rkg8By2ajKp7tyEoiI4v1ZRKFVARSB2
1421	   I7cW5oSIuNJhJeHKk/rVSOoGOj3u1ay/N+WK9wKCy3lAe+Jl2u09edvowMQOPpwl
1422	   ZyAJDKz8Uw3gRRH5/qsgkT1skO1hIB91XfQLn5wu2nmnw6afnXADhWdqQQIDAQAB
1423	   AoGBANJktWrxyanxC47iLdpEWHVJgoHeA7jQ8yS6orl3cPDVnpVWIufmkCTFPfWM
1424	   /Namv89HF3BVhD3hUHogwP03gcsIdxpccnu1wnmTW7IhSQXjBts0mEDbOw8S+WtS
1425	   9NjRI4m1+86OflE+TVa3DtwCE/pEOKhFvcZHvXiosYMnucABAkEA6xqKEwR1zI/V
1426	   u2B28Lcv0iafkJQDfPB3ooahQ+9qy5qUWgGZzXj6tM8YUusVqR/NCg8auqRC5uWD
1427	   yonN98phQQJBAOj/Pp9yyO2NCVs4Mp5QSXDOlRAOuruMz6vlmURQO/8uBmHvETfC
1428	   nkvqxxHjHW7mmusEY+ZIvRxmFV4RZcYByQECQHiT5/TQ+Mmti2TKmLXkffY+MOAp
1429	   yZAulG0at2LsS82YvjVbVNJ5Fbvd6w+72iQfVz2teXv3+wgI9orOGoDXnwECQGrE
1430	   I58PCzGHkkUBkHhpE+4kS7wK89hjYvpDAKOEHKoHHhecZAhoHv9suwHgT6l09IJD
1431	   BcANjtLHmHz9feRpBwECQQCuIn02CMxFy5yhjj4nlmCRQ6w6KBWjY68xnN4Qj/g3
1432	   SV+1HtmCclS0bK7e/IV6gOKn+MV3C+14JGdSRM+9HqcZ
1433	   -----END RSA PRIVATE KEY-----

1435	   Certificate for example.com
1436	   -----BEGIN CERTIFICATE-----
1437	   MIICjDCCAfWgAwIBAgIIAZUAcQIzAFUwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
1438	   BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
1439	   DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
1440	   dXRob3JpdHkwHhcNMDUwMjAzMTg0OTA4WhcNMDgwMjAzMTg0OTA4WjBbMQswCQYD
1441	   VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux
1442	   DjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLmNvbTCBnzANBgkqhkiG
1443	   9w0BAQEFAAOBjQAwgYkCgYEA5jF2tSfMjTKFVnD3wjMzMiZCXjxocXsfeVDQcic7
1444	   Sq/yztEMvMBfMWpD53ytZL3H5iWfqs0tkKpohGJ7Bb5Dpa+76p2pW6RTnSKL2pYu
1445	   Hz+SRrjMyCQ8Rs1dLWSFsaTKAfGOxX4P/wCRo+rLPhICdaS7CMjQKu+zu3J6mOX/
1446	   n4ECAwEAAaNEMEIwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCQYDVR0TBAIwADAd
1447	   BgNVHQ4EFgQUIurLOGYd8ZYMmke2uxxSRLB3ZY0wDQYJKoZIhvcNAQEFBQADgYEA
1448	   rutJ7R7xjSapbQOCktXfRMQeHwd1iDfkdpc1ElmYeXgWbjuxwCvbhQJrdMlbGZLa
1449	   fvVBC7zS3UWqb74k3EhXZtkugt+ejXADc3Xvj3pWTMxCvTFFsF7/0TvEgu79p8EQ
1450	   NOuBSRprhn7HYR2zuQoCvYT4R6/P8ahzqDEdIHoGf6w=
1451	   -----END CERTIFICATE-----

1453	   Private key for example.com

1455	   -----BEGIN RSA PRIVATE KEY-----
1456	   MIICXgIBAAKBgQDmMXa1J8yNMoVWcPfCMzMyJkJePGhxex95UNByJztKr/LO0Qy8
1457	   wF8xakPnfK1kvcfmJZ+qzS2QqmiEYnsFvkOlr7vqnalbpFOdIovali4fP5JGuMzI
1458	   JDxGzV0tZIWxpMoB8Y7Ffg//AJGj6ss+EgJ1pLsIyNAq77O7cnqY5f+fgQIDAQAB
1459	   AoGBANtRm2FkRv7seJ/wSA6OS6PnUeqJMZWVklo6xi9M86/oTbYA9VrNCqWBMqtW
1460	   XboTG2dKx4KrtFMWGTiwv7esHLPsUB1jYF7/KEsRh4WoRxfeWoQlAY6VYXycg6b5
1461	   X0uORdFMWL+WRxPmo8IhDKEwNyRyCyGQjfKpMj0724WjEqWxAkEA9MFDUQD+fL3N
1462	   ImRQl9ns3nHIIbcrtfxGCFaj+EJEwsyc5gq7QxRc3niNVt5pogPP7+CxskLaPPKU
1463	   TJmhtwixLQJBAPDE7hcDCPtsn9DIOXf/ZxXjfZAlAfwVsT+ggWQi5r63lGwjIbCT
1464	   qO6TijtbSqqD0QqULTabVwpIdYyknQqQlCUCQGnkG322UmQhsdiJUh0Amex7ibyc
1465	   hPrNVHdTFMnZ0en9oHwedHpHGw7dVTkaLNV9lL8RlY+sQMNRqDuj1EVeK1kCQQCH
1466	   945FLI+b/OHbs9bQb0k10TyNdHjEdTOdrPSlKhiIx39n+gcCgsC5ylQb5RgrZzlb
1467	   8gX+eocS5YyMmkGdP7yJAkEAsmGKAgt4nTfZY5L8PytPK8lCJjBLcyIllI3QEiMY
1468	   K/81YWYQcqsg5/cLBZC26KgNvxkyLwxS220Djlm19HJKGQ==
1469	   -----END RSA PRIVATE KEY-----

1471	   Certificate for example.net
1472	   -----BEGIN CERTIFICATE-----
1473	   MIICjDCCAfWgAwIBAgIIAZUAcQIzAFYwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
1474	   BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
1475	   DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
1476	   dXRob3JpdHkwHhcNMDUwMjAzMTg0OTExWhcNMDgwMjAzMTg0OTExWjBbMQswCQYD
1477	   VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux
1478	   DjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLm5ldDCBnzANBgkqhkiG
1479	   9w0BAQEFAAOBjQAwgYkCgYEA2w4I/bz/vxzVskUEF56EYjf4yUftpG8jhmIiwsA8
1480	   AKLwc7CTnceW+tLmdDfUQLWw+HP4ky0tgQQA6pmviPORUNjuSj91dE7EJk3ZKePE
1481	   3MZ2M5JL6CEFn3HEFnHOQKv3TMKIGSpUZJjHmm15yRPiAlx0Q2vJ29h4W52X1DPM
1482	   62MCAwEAAaNEMEIwFgYDVR0RBA8wDYILZXhhbXBsZS5uZXQwCQYDVR0TBAIwADAd
1483	   BgNVHQ4EFgQUHNoIc7Or6o1iTsM1PmWPdgbxUAwwDQYJKoZIhvcNAQEFBQADgYEA
1484	   VlSod7+XfvSKNsybqtWPaM8VnoRLFVXvukgQbsdv4wuv5bnDfwxdU25rdizBbql+
1485	   m8Us+ky8ORw190v73mSeOro7KMv0mN1u2BaGUB/wjaRsH2HC+UZb0ok3vzZ+W8Re
1486	   ECjcVyHNRGVw5Iu2W5iWcO/a/74vPaVBiFQQJBRSLxg=
1487	   -----END CERTIFICATE-----<

1489	   Private key for example.net

1491	   -----BEGIN RSA PRIVATE KEY-----
1492	   MIICXgIBAAKBgQDbDgj9vP+/HNWyRQQXnoRiN/jJR+2kbyOGYiLCwDwAovBzsJOd
1493	   x5b60uZ0N9RAtbD4c/iTLS2BBADqma+I85FQ2O5KP3V0TsQmTdkp48TcxnYzkkvo
1494	   IQWfccQWcc5Aq/dMwogZKlRkmMeabXnJE+ICXHRDa8nb2HhbnZfUM8zrYwIDAQAB
1495	   AoGBAIrUP1CIutEldi3wXaKWfTI+ZPc0FeFz6mDdy0gAS0bf/WJk03lYqFA434Ni
1496	   aqvEOu+LmEu2gzNUFTyZwE0ciMg3NQ0H57z7OvbnHa0LajiJROo7zkROrmE5GTIV
1497	   v2WstOKJYsMdcTVa4VZd9cHH6zWXHtWDT+Y2MxrIerFnOYxBAkEA72cBQSE4SStZ
1498	   KvodDuMjFXG97Z1F927Xe/47iWnYRKhVB/jwN9uYpJog2cQFgsIsRMltozi3huTP
1499	   L8IKkI5N4QJBAOo95ShiRPcbXIXY1IcUGx1Rulr+paIAJwjuuutwrtCA1CbIKB0j
1500	   vfGVr3mKBGV2XLmz15nNV+5WFiLRBiUgucMCQQCxf+63KnlADurS6ZTH5/KoQKfw
1501	   WE568WzFWy8raBXYefJpsdHxqFiZmklHDIaFd5A5BBvNDA1O77EKGNWablghAkEA
1502	   zbvpPqv4+LRuchy8pZtyKTE0JWHNZlkN79mGEO4ajITqUNmx6c4PsVUQFwayz87C
1503	   qFQdxDdHyMyRiqjd5dQ1cwJAfJsXNGcOhilkV3xBy95tb3IsVP6G5DqwtID4hrYa
1504	   Onf9xrVzh9M29Xp+AHcwS4Y0+UgiNrd5BlbZs+ALZPD/jw==
1505	   -----END RSA PRIVATE KEY-----

1507	Appendix C.  Message Dumps

1509	   This section contains a base64 encoded gzipped, compressed tar file
1510	   of various CMS messages used in this document.  Saving the data in a
1511	   file foo.tgz.b64 then running a command like "openssl base64 -d -in
1512	   foo.tgz.b64 | tar txfz -" would recover the CMS messages and allow
1513	   them to be used as test vectors.

1515	   H4sIAO0RgEMAA+xaybajyLWtMV+Rc5YtBEJIA6/16DvR90y8aETfiR6+3tx7n+3M
1516	   rCpX46r083p1BkI6ARHEjoh9IvbRkHd/Gp7Rn+JgDE7f/T4GHYah6Mf1en2/Hvb3
1517	   6/v3M4ScoTN6RiHsO+iMYAjy3Sf0d3qfL2waxqD/9Om7pJqSZPvx+5bs+az+RT1f
1518	   deo3f8/fyYbPxz969uPw28+Cnzn+CIYhF+jtvrdZcP5j/L+F/cD4x20d5M1f3378
1519	   9bkGdVc9/xy19Z+7Z/3r2njD43q5/Nj4n6/Xr9Y/DCMI+t2nbwLi//Px/9ObETTL
1520	   y59IWjd5hidxk373AhLPkwVFknjipPjCE3jK87hv4ZHG7zhjLZTmCWLr89kcybhG
1521	   M4SGLxFFPyS8ZPGzRQNEJpG2La30jutEKttHDSZZylnIVnWICFPg0Ctt4upHWWSS
1522	   zFGWE2KIyJWkXRaAwj3K1jSRXuw9cIkupuhOIqP32slVSi24WgJXS23W3mOSoHxX
1523	   gALH7zyYgXyDIIDY1dujpS7myoXLIlmirEUq8F0yU0gx8Yvz7ku/9BVEKGnDQmoe
1524	   BRyts/Qi2NZOm9KB03vLhCRqMDMcLc1RjXaeSesSfnsvI1aJt2Bm4ulujmBrBagC
1525	   lz7615qEK3cRW0GSri10+t41il7G6skyY8Su1aOW59AkiWbHZSItX1mZs8B9gYg3
1526	   dHFcIYoD4dQrydSjcbRg4NFIpMIUGbuhkKWQdin3SbdY28gdkqdNaVEeYYDxOm37
1527	   SEuzRCSS01Eoso3+A+HQ3EleAzSWYtdmrIARIUp1AYhdO7hzrrrZGOID7rwJ4HbQ
1528	   0PtC2kjtpg/n+OEYR+dNEU9YZXUv6mkh9RbsH2rGk3FgYKRUaOIE7hMiXGvFPQHN
1529	   hSbxhcbxQKYlml+Yt77rkE7gt4Xy+IfvZlnoEoNvoEUIQ+/IH+UmgfMLTuEx8AYg
1530	   p11oJtUsfuofCuvFN9+T6vIJT+tq6A8C8T3oh2Yk9YYV0E+jgOnYWhhBF2oKWY5u
1531	   okvak1vic04lZdxFZ7qqvaebOmExrQs5h5km9LFUhaz/CIBktgkS2w3Ecl4hdikR
1532	   OnP9sZzSEXwWLk5FiDsXSOeY0krOJsMMDHaCzJlOJ+ze3WgNkJWJMPSuzxqM83R4
1533	   n7SWnD3zol9P6i3I9hdFxzzXssl1+Qvwvv5omfr+mvyt1//P5P/mOX5b/r/8wf/f
1534	   xH49/3v//fxPr9/n/8P3H+R/tIqpn8n/8HLhT+F+mtfdHkqLZtAr7RXJZbOSsWNv
1535	   RVbz+TLgNwAXH0uEkWYTPR1wfNQxlVjaw1lATr2UGzSmmoZfu3rOVUW35GIyivs5
1536	   pjFaKBFffKo0gEg+LKHC40rSTINwxwenaOKMmJLIs0Zn+ULB1fUZ3XQ1x6sV0uBZ
1537	   gO/ZxUFh90ypEnCFpZ/L/5Pvav+a/zm55SNM6a/tOTcH6azWjhqn4Wrhy4/zv10Z
1538	   bYyBbjIbojxs4Wt01EC62U2rPxjbnacy1cIhni/LNKNhQyXLGlsw2sf5ToSvCgTq
1539	   mzWA5XZT9OV8h2YMqY2n0reYKM1QLZ8nmAhYizgtRaAPHMyRoOWHUFsi8+6Dzk1/
1540	   AjRZRPbGyTprLyg/wc4RfiPlFJywy6wGNpEzmiYQuvFY0/8b/F8+t99m+/+T/I9i
1541	   yNf8fz5cf/D/N7DP+F838E+qztvHXPsk0t4/Y4CbHtyPi0SqUbXkBmfhtslSazuR
1542	   mpDHnnMTSuGpstn6XO+oJRObsI9if3ookLbdgIW5rUGpNol4LucoqQUffO0GrL3q
1543	   nPaagZlLpeqx+dUEVdgxSsy3c1Dll0RFBXaSdh4QqJXdbWj0eWftpJa4eRiTpKcT
1544	   LrDFdRhAOhXO3WPgNxl/YZiCRc3LQxMwSTWewjWcAPCWJXB51GuYKfUZG57CaTHw
1545	   q2Jc1cZ6vgTJd+yyaq9rfpdu11Nrhh5+t3uZfDmEdBAF4IatycKxuF7EfmQkhzXz
1546	   ZcaeA/dQB4s4F96x1xPpQT8Yr9XX5Om0WoV7V9tztyi9hijgQpOix8eTD9DRV7Vu
1547	   b3xGHUFN3vSN3FitSMROKiAMPs4e9MtZ8ZLG7xJDWRoFJg9EBvha16p7MyANx/Nh
1548	   1I/JypJMUIC0QC/DFqHpC9NWPUKaXLZHtGtTVcVAch3KR6CqogWYQp2NS74+Do7B
1549	   VYrGsogi1XFo7hSvuMnJX90i8fEKTxZ7MME0dbQc7a9IxS4FH5Im8FKuZl6MofF6
1550	   UZD2sh5mENpLx8feVjbaS6tIi9TYpmQRGLZqLRviXLAyCK+fK5aHWwRkan9weGwy
1551	   UuNDz+becssz5jqOXbDYNsvgIdv36nHTKw8cNEnWX9RUnGn7eUwbUtNIDrhfUObB
1552	   g+FJ4cLhHmohVJ4hc5NjrqBjU4l71ajELOdX5N6AaUSmA4lulRaietr7exUCt9QF
1553	   n21koN52HBzYWMU24Q3poWZFPB0vjZn4Hvq4qduoireKFAriEW18VfGIRueSB4in
1554	   29lzPC16DSl6ih6ET8JXMZXntdwey2rAMEQVVX2+c4LIan/5jMZ/cGn9p5f+u/08
1555	   /v+3tv+/hv9h6A/+/yb2C/k/pNLiPqvgiZOdTdc099hA5fKpEHQQLsPtOJfnD3Kh
1556	   FrydiX0QlBhY0fAKTT4k33V8DKlLdMrNhwETBE696gDkbyijwQoqqogNmYNWm3HZ
1557	   XW5mtDbeXpZzC/Cak0SR5kQRir9OsbS0qS9WellLzyB0G4EGjzfkdCq4NSHMZWHj
1558	   J5Z023tv+Zz/+d5SzyQ/jXQV58jiBqKTmDzoqxHEPJn9WlPxBqW4AYXJyRFKCKm8
1559	   F4NfkIucA8FrppUJfNT0BKe7bDHm5i80FOVSisgaxKHYjilz2HAB9AiKXNCVFttL
1560	   XelrGmVN3gZm2BlGRRS8QYoj0w4uth/fI4677o7LjQ5lgh4srT3/7JlG8VbijZUw
1561	   OCI0g74YxugD4tzG1CQVjMveMf/M3GHMfZ4uWO40ni5mNnEqFvk+eZ3QpnCkMenA
1562	   D7pUje2eI9lkqsDjxoslj8qXN/5X2jtqZLmuRqHLu96Zjyx2PetT1YNdwOPCUkzT
1563	   NC79SOJnMuRFAiqAOWHtHqlFgrVh91HvZ7SRbRB1mPyhE7mVTpH0RtNrAl4Rsalw
1564	   auqNq29y6ElsNTFZAIdGrzdnZ5zt1geE6z0ToRtibn0xuV+XFUfxAROjOEoQs0zh
1565	   ZwXDaJGVnSCs0uwND2AP5059zRfwoU9Rtt06f9xEk4YEh5P9qpSxe83SyiUoePNl
1566	   yfV6jS7qYFsaswTbfsNI4MVo8UrF3CZtev4qYjTWztEi4IkwuDIbKVlelTayEtsd
1567	   HUOEH2z1yqLUaxl56pL1XgAoTXJfe3vP7hJ8dzsQ56LFuHgQaKW53McoUYX+AOIP
1568	   X6WO8fiv5f++bccP9eeDE0n83+D+N/sJ/j82+9hX/H9Gjtv/4P9vYD+h/1DCm/7T
1569	   wn/Xfw7W/qc08aFMWAxOEcvfBZPP9RLg1wgmn+slwD8EE6NchOW99ge9Eea7FkQS
1570	   lu/KEE/LVdTonV9XhefqFU8z55jNjoYqCHia+JNZoEXacUQy01Uq+FU2heDwrR8+
1571	   6x8+icNXcseFj9Y9E6/sowu6tNAf/eLppaO84xDi1/ctrKtM0ukj1L2XcfSSmZ5z
1572	   SY36vvsmrUj48qGBkZnERB8y1SqaePNR+3Ag/dE1ntGrCNFSDba3mK3qwJGzmLVS
1573	   zbWhgL1vQODqqMSziYRDLGm8WIMPEUqj35DH8Qsr4xRJ5Np7dKb47EqVkUU9qE28
1574	   E7S1llMMgI1wWXvSZsUkLbj66gbGxOX02CT0g5PAu7PVe0nIu98JEwJt+7Auidjy
1575	   4pTGstVTF0BG5pzMoyWSEfSRqiexCWXkEgWzy/UXv3qtHKjEIoFkmtlpAXLDMc+N
1576	   g3a/pq0DJyMKSDl22SGElUX1xN6JVlTYGP3f41l74WSJ50SJgN4Ai6lUcwhC7/Us
1577	   sq6dDgseYQFhJlvwiytswsjGgiTqDwGpIHjWOLBR068e+OL+FwMBHcd/IU3+UmUS
1578	   +Fqa/KXKJPC1NPlPZbImDxw+KnzXvKwFX2jitH+50ID3lYYrxziTTqjP89lnTd1d
1579	   Q+52ol9lbJC70VpqP4C99tKhNdaC6L7I3qmp/LDUEQV44c+dvRrJEW3nBKSUFNVX
1580	   7XUCvSsPIQ/92UWY+LSpLugqiWGbLhGHPKRNKe+WPdhkDdBSK7lEIpEz4BW1nljm
1581	   T5QQwLQ0317OZVzojKW8qOoY6+61+2aclWy20r98SznrD/uF9gPxfxqe/efx/3/+
1582	   XRXwp+I/dIa/iv8IgkJ/xP9vYT+V/9mLI/4Xzx/I/6T//fkfCfp+/ufwFUT+e+d/
1583	   hoX92FRQDCHUIWfX/nFo+joPnvq3A4MvUSY+choQfsQ94f1oK736Gh0VVbYZVbrg
1584	   XRG003M34klEazBtgVf/YvnBVaUdVUPby/r+bGXcYjFqda89Czc71Tk5swXFul0M
1585	   tTAEt97dFN/o3Cpg7RLgdLGB76pdrdlx1NrrnHzGL3YXxdasvbFYrwEfKO5FoVCy
1586	   6poym8muGeVzV/Ji0Gc3ErDazoNOrnZm/QZPJQLH2SLZibvEvAMa05ouSnTOMs2B
1587	   D9V9Dw/gAxCYZZxqVGp/iB2/flrEl3+c8Dw34oQq2n+0gu//s+DzxBImvzx3apD7
1588	   PRnErXrAuTuttxisXPx7o/CPzJJJ+0KYMvxl1KczlGc3ZOY7P0U6S2cd4S7KCKyB
1589	   59MJkPtzIyV4h6R9fu2bxRXAsZWxyixFlY4z4lrnIHzjn+DkiI+/sXctUG5U53l3
1590	   ba+xzNqYDbTQhKMSHgGx1rwfu9jx6Dmj0XskjaSGhtHMSDOS5qF56BU3MeaRFOiB
1591	   JHUaaAIkPtAGWprQFtKU4rQppRQKaSEnPI7rNJTTluRQl8CxT1tMR2vjJ9jGLEvd
1592	   s7/O6Giuru69c+9/v+///3vvbpnUogPdhIwg3kiSgbJVifqsnCLzCR7uF9QYyBf7
1593	   ViWSZFkpZeVpMlewYQm0ZKVaIauuU9e6SqOMYP1g1IwU8Uq+wOGAL1snlqh4SY6U
1594	   4/J/y9XUlrHp/UaBT4X/sSX/f1Hk1PlfPP35nxkey/9e2mLzvyXxoClAJHX0PoiT
1595	   4/90GZOUjFJ06wGIgdueNy+7XKRHJ6udVEd3fTDDqUxTDZbaUaNUDMUYutJ0+jVN
1596	   YVQE0KJtROwUAk6JwRoVLCvjJStJwGjFgikjmfRIFvchWlnACyAKBZpUn0ICerik
1597	   M1QrZWX7hYgcikXreqAzCOez/CCH89EGDZckknLrehgXZKEe8ZlmQBKpTKwKmaGT
1598	   4P9j+sO3v0O4A/zvgDW+bdWA0JEbZ5iD/P9uBRy7s+Rw/k+raCeXg+IYZatVFifF
1599	   bLRc0bJ2J8a8O/+HmJhEpoNwEECpCM46ZIvlpAHWjXV1sQgygii6sbpUFn25bF3u
1600	   VYg036uwvO2iBBFB0i6Ol3KBACYQlNNsJ7JcJYgjUBUx2A7YrPclKlAcBquk2IW6
1601	   PkxIIUYZz6OxQiNRqNH5MODKNAxllHRbTCpcOk4P0zxncQRVc9KZdj2ZT6hmlYHT
1602	   AI/WsI4PIHNL/L8kR8q78f9o9XeB3P8Tr/9iR8f/YQgCl/h/MeSk1n+pg+u/bAd1
1603	   a4XmsJQvDDMUW4E6Sd0G9JrqVrsGy3YwRU3GhsNUoACBPCNgpK/E5IlYqIDWq1qM
1604	   imIFsAtaYJoulip4Qq3FuyxINLVip4TySrsaAjiT7BbAqljJD3kRNRq6TxcUe6B2
1605	   oqiWrBCypsab7UCkEciZQhVlar1OFS9IQjUc1jpInWqzLJ/OgkA6r1UPW/+lyg2n
1606	   3zMUoBmq4iAWzIpcwC64TqBfVPO9PlOAgbpEZ9JUOG8Rea2TAlsKNazjZS1lqL6W
1607	   3Eg0NSsGB1isjTQQJiPqSXgA9kphZ5gA61AuUnBLQ8ruCsNqh0ECZjqEJAWqFkhk
1608	   07kA4gs5Vo4rU5FyF6frraLQGspVs6EnKr3AkOaFktFgm2IywtK8ZNUy0bBnFph0
1609	   MB6I2wlE0y3T16vGyEyf7bBKJ5TB4WomTUf6LopSbivZUOJ6TAFdqSOFc3g0awvh
1610	   TjJNQHkOaehBPlLXQ4qPDxGRvNCd31kEG5ieyqQGrGS7nVAtPohmu0I2UtJ6JA73
1611	   nKihME0s1ehJFa6YUSSWcq28T7EBclCKD4Cc2TTSNBMFuiraLirZfgIMlLtdsJcI
1612	   UUkgPwCRSKxexopBPtQJQQwGmzwGNVq+Ds4pFE3qDhF1Mn0O49I1QU7lAulBUwtW
1613	   0yKciBpRKJSThyrWsPNhE0skJcnNKw2vPyKg6SvhUaUXpot6SSRaNT7BlpO6IWq1
1614	   QRjLDvh+sJyNsXgkHyoV+HAZK/M1mTXaeCPRHjL1JlEhfHp6yGdJpkwhGo0ZsMLm
1615	   W+EcFQBlKxAo9CHEHZhRtcmoeIYFavVmoti2lHCKTJf4foS1hhkfPDRdzx4aDN2+
1616	   VRNTVYZIsDmGTgI2P8Tlhi3KZp8LpDFwQJwWa78jOR7+L5D7d0r4v3T+a3HkpPA/
1617	   dxD/SwG9UjBKST3oqGlUNG3YajWI0AASmqyJO4OooTJIF6zm2ViJynMhyMfgIo8a
1618	   HOOmE0pCptlW0CpxGSOeacIuKAyC6QDPkj02PIDblBxItCEXIGWpa/RSuUzW7LV9
1619	   1QGViLBDotiDG/k8jQY7dqNVAO1WBlSYEAmW67mkjvZcSNf0HibUdQ9oFV7yTPkj
1620	   9n8mWg5v9QeC3g8juJqUzChPlxINg5YpvJkjBhxmWG1Y9HBQN0s849a1VrgQy9b5
1621	   lC+YFrQuQdIxOFRSIrBSpI1GLwvADdFmpL4piroL9nStwOOMwuXKzZBje35VpJbp
1622	   EVyAdzgfmW7mGUQDAwSWqbejgUJJgCNOLxwNmtEMq8S6YpXullXDrqR0V6Tm9/9g
1623	   /Y7n9ubBIRMs+VwoBBFJsQuoQr2VyEXq2RBsGIKSC5CdAdop8o14dVhuYk6KqBRd
1624	   u9TJB9PhBiG4nXwYdfmIb2DoaZIwldz8/p9mMGuSg0EGSodLNpIyUY+dIpl2nsq4
1625	   lpsaYt22VsznMkHCDWl0N1qoh316q9vp9+kmzeOa5trRSqDKdPN9LVZC8h5bhwY5
1626	   D6ZptYAGC7lASnNUqMBqyXKrXq8EUhnK9A2qlNuOA4IDJW2OgCrdZqlWSifQWK0r
1627	   Yb0ADqm5emkIOXK5Cwd6DYY0rEzciJT1nldw3Ir6GJTIhodxutUqhlq0YkYDSIvD
1628	   eyxBKs1K14xQbCZKswZNK7JYpRSD7pK226MbBawNkEwi4guJVLrpJGmNHpJ1OW+G
1629	   RiXnwi6jA1A41Y8N0IHSbCJ6Wwvnc1gPY0N8s4IRfT2N5JrBBuzjSgGQdrSw2OaA
1630	   GovLQaaENTKsHkiV4HAARBJxicunAiTdEaunJf6P3qK6uNAnwOdx/8Tnv5H5YCA0
1631	   f/4bwpbO/y+KvOP4y44iW7JwvMd9L3IC/ochDHz7/D+M4F46iAMQtsT/iyHfeOAH
1632	   z45NjC0/lPLWW6P38Oce3Dg22doxNrZi7f5rbCI6tmL1tU+NjW1aNzb2ubGx8dE1
1633	   /dT0c8v3LFudinIcFY/6PX2aPdZu9HNMNgitB6Z8JVWYffsuWIxk/SCErwe8Fzjr
1634	   mX7AXM0SdFHZMCSVOFJjZyQCRxF4BqwREgQQEoCJgEyC8gw48/ZXc5ZpWM6ULyX0
1635	   Z2KG1RMsyZ71415VecN15Fn/laMmHV4LAWyc8jGSrDuqM/AaE0oldM4IZREVQjsS
1636	   UAzq7UGnpTUjOM5HGVcFmt14nSg0jUzKBkRKMloDaxgx8bIQj4OpBOu23D5erMS1
1637	   cj9eSZJZq6kL0WLBinbQsILbuJToink13NRbSCtG4SQW1QqhBi/lDa5Qo4haBEZz
1638	   ACsEw2aXpmqsrUKAxuUgtggRLiUQJA+0wvEc0ipGN0z5wobuCKJz4LEORGiO7EPv
1639	   6QrGgQzHDoX3bcwytCMLOCzEs3HOERobUAICMQlAvAqFdnuGicz6MVzCZayOogiC
1640	   4EQd31TV+mBVq6JJHlQqA6CfVlG7BqWVGrV+vfc7Tu7M+kH/AcXY33Kvz2ciqm0a
1641	   tuqohj7rFxzvaRTNS59TBF1qq3pjgyV3XNWSpbm62pZ1QZM32JqqyetN/FAhBU9N
1642	   7LpszXhwZUjer2b9NVUXrMFhWQamN/qCabZVURjVFjRboo3PjMqamy9xxvGybJD1
1643	   rtw2TFmax8C5IyrUpnwRYaREnOBc4QdJf9ro+iEAQP0QPAvDsyDhj6cKU76i5zLN
1644	   UA2v2nnlVjVzvWE1gsB6aD3q/4ToWrZsX3aoaUlZbzjKrB+B0SnflA/YOv5Hk6su
1645	   v4G+Yc/U+Mpld20dv8tL+trE+Bi4dfyXvI/T3kdgM2CCq4FVk8uKyyenJ4ocOA2s
1646	   G92cMT0aI7VuWLoqgOuAtaPEldNncILuTxi2DK4Bzhwl+aZXeCOuOuBlwKWj+9XT
1647	   fm507y/ItuMPe66fWh/1lOynXEcxLG9yTJwxvm2sMwGP8cDUwQaOj68YW37Nls2/
1648	   uHHi3yJX3PO7G6XY5DPbZnadd8tVZ17U2vPlZf965Vf/k3ca5ppNe1d8BZnEfkf4
1649	   1OoZ4Q+f2L219PGXV33/sYfvfn37Q5Wrboron9z8T9nCFdvsJ293bvrWJcqbe7eO
1650	   hz8GXHnmpgfO+2b11sm1f7DtiV2/Ov3aJX97VnT76/cVHOvNL7btS3fU4p/5eRnY
1651	   fKjLxoGPTa66+gZ6XF62fHxi+VnZOyL33l34waembt8l74ljt23JFh997JWrqpsn
1652	   t1150cU/4s748+Xn/cmO6855o53csuIjkxt/8Q8PLf9GLP3SBW+diw4un9z5+9cK
1653	   F/1z7dsvLOP6ex/6+wfWKfwjn55m/uzX7zP0S2ZuvPuOl8/aD49PbPcQsLn/GsHj
1654	   eP3ap4+Cx+emnxrPvyUfQLyR7vgz7AcGgxtGPz4aJA5gwDEQeDyQmAcBEJcJAcHI
1655	   Dxsx3p4uwGiyfDg0+f9W3tH+s+RRsqyL1sB0ZjwafX91nMD+AzAMPmj/eRnGAAjA
1656	   0KXzX4siS9xz2nHPgo7/O81/Tm0saAjgPfn/ODQ2fyIUWPL/F0PebfwXMgRwAvxH
1657	   0P3nv/b7/wg28v9HywBL+L8Ichz//8mxlYl7xsZW7tx/jQzclc9ft+pY/3/loyue
1658	   /2D9f8hzgwGErGE4jkASii2k/191hbJZIXQrIJUhO1Vlm3V50CfrSd1s0x2CjXSJ
1659	   tpXWErEUW3XwShZuDJsux3aH4SwryrLZlRmnU+OULqKX6SQet8iwHALaNo2ESL3p
1660	   Erwo1asK6iY1C7NcV03Dervf6RvVEi+7cjvR7cL5SrxtJpx+PlQF1Hy1L+QSdDAC
1661	   ZbkqKxTIjNojTCvr0LnF8/9hqVaD67h4mDWPEKQkiBIJyQgA1SHhVK35k3bdNbft
1662	   qKZgOUFbbeiyNFczXF3yMm4AYUySEBGAiBomyiQyp3nGQ7uxwVYEcM60DMcQjfaG
1663	   C4/1/UcFCY5ryRce17FHZxHgfTn2IEiCI2dlZubopi54fGKxwiqnaZhC/ePtwut7
1664	   xUzMd/59a3/l3FUvzn7r7LmP7348rSw/575Qpv5f//Fbf33DF6jvcdu/wBReWvOz
1665	   l1Sxuqt3+Y0XhD77L7/34tO3fvbW+Jv+xx+YC94dulyp334x99z/PG/eObH2tX98
1666	   Ys85nzMy9523tpj7ZveiF7b3X78AvLe5a/NPQ3OPwut+8uqr6ye+fvP5xzMVrc79
1667	   +4pnf++2L73yzKNfe/BqdUv29jt33lF+8JHKw3/X3rjxjWu2A3cR2z968Zdeunfl
1668	   8PrN2O6z79yy66t/ccGFP99x07Kfwfdf4z7zRd/WC6Zvvnp3oLhzWf66/Hdyn/7p
1669	   7qdu/G32jdhTO3pbbjk1DTw4S45UNntBlM0+eW3LH+q6CU/bwl7SJyfGx8FVwMrJ
1670	   FYE1yybOB1Yf1rueFvq9LB/1snyoWlg+1Lxj1PHc63/83TP+BvrR9b9xydq9v/nC
1671	   D7+77yv/venxNfnH9t39+eKe82+4bMuT33a3Wzu7W1pX3PT9j7zC7PvlW+659OFf
1672	   u/ov952Tujy0E9479cPeOnsrmALr33l62+6vv7rrmpcKu27+jGg+++U/vf8nz976
1673	   4iPPrZ77q9ua+6q7/333rutfu+fmT8BTveWV/uTLa+j+OynEzMx+st9BHR3Nus73
1674	   QUazTkjqCxvNQmoyXhMF9MPmv/9b0ax3s/8XMgT0XuI/MIjM//0HcGn/56LIEqmf
1675	   dqS+oON//Pk/sgRGk3/+61Ou4wTzHwRR5Oj5P9oGsDT/F0GWvJEl4DotgWtJFkRO
1676	   Ev+9D6dex4nsPxTCjrH/kKX1v0WRJTf7g3CzP+xRPXk5Zv4v9OLf2Htc/xulgyi0
1677	   9P+fFkfecfwXef/v4fiPzq//4h4nLOH/Yshx1v9uH5v68f+ydx1gTWRbeEKAVbCg
1678	   AhZAR1wbCJn0BEFaqAGlK0XckExCJCSQAsRKsbA8RRF1BQQsoGLF/hYVC6Doioir
1679	   q4KuClZsuDbEXXkzCbJAorKKuO/7uN83kEkm/z3nv+eWc87NzAIA0NqnPBT7fwuT
1680	   mlXzf1prsYVfN/9HxkMwHEagQyQKjcDlhnVl/s+d5DuNM4s32c9rakQg7OnkyQiC
1681	   AsjOjr6uuDCIKIfJsUFh5jgfKc9biGdFMGNZ5o4+UpgVIAjnSPmOxCgKw5PnxJOE
1682	   x0YSYoUQJ5AnEfO8cXiJkwNDHGYewJdKhYGeATEMiT97Cis6gibFmXu7euKYsgAO
1683	   ThwhFrmSmCIi2cmFK/U3N49k0r0ivFxlDG/zQCmD5uzj70aX+AVBru485yBJN+b/
1684	   qDCdjoeJbXfzETgUEgtikwgsFpuEh75h/o8ShswTLBgmk6ksGDGHrs7/kRAevyj/
1685	   RyHSlem/jpJ21FEKx0lxUQIWX9hJtzccFghEnUHuSet043qztJ9d/vzkYO3l9/bY
1686	   0W8Q64bQT+Q88g7Vrr1U3fBqcezw12+Oj9EEG6H/HqOueBXCub7Y3rHR4s44kDx3
1687	   gdg8dEalpSQdy6whe5xhVDSmTdvgAa/fVH/trtHw69VHiofV54YNnFU17N7Y/auT
1688	   f777VH7sjt26GbnpvT1g/+ot7yo09Ap46gxCkdbJBPoNzlNJ6wBfM63zybG6a9M6
1689	   VIjO4tLJxG89rP270jqdLmrXf10Z/AU+7f/job/jvwQiAfX/IWKP/98tpSumo2+t
1690	   Q0/5/NKZ/v9FwT/gn8X/lP0fouJ77v/XLaVnPfY11mPfulU7X9r1f6ngKzz9vdPx
1691	   v7/v/4InkdH7v/TE/75+UWl/5MBboH4e0gO7qI5PjP94Ahnfof2pELEn/98tpU3c
1692	   TvKRwF2rH6buokltXC/JB30viMiBSRQY396t9PPwbe9W4j/kVtLYNAKFRqPiKRDi
1693	   73FV3Mq/XTqIw6bQiFQihUBEXEMayy6QIJIFEgSzAgk0WcuzWGRhkQFQR2+uvU8q
1694	   URtew0+UogtihSOLCD9JJfD46YXzB2NAHWJSznCYMiYFQVYkmhVERWNSnQtJtYlv
1695	   RjP9nabG8CQSc2coytvV3VHOEofR3DzDGOF4Dp7Hx9tHk/FSOQUfNsVcxiMHec8S
1696	   EfFxQk97Z1d/GJLOmhwgkk/hRrr4BxI4bk5T3Qn8IIGLG9lpKtHHmRzuMpnOheRE
1697	   Ot/RJ9rFyd7JgeTvQhax/Uk+s3jTuEwiQyYWwDgKRRwhd2R5eLl746Jm8ezNo6fi
1698	   hN5yqa9sFhwbzhAznH3Ejg7eNqqBNB0dV9TFGPl/5FL/X5UPjf+IgQslcNfU8cn1
1699	   P4nYcfwnQD37P7ultI/5fXyYV26jZpOJXHwY7V8x5tuQyVQKbaIYZsP8GJhj04r6
1700	   FSYDNRFKispkoBIN1NH5d49cavu/ZRSbFdV1dXy8/+MhAoncof9TCJSe3392S/lQ
1701	   /tfBcMkpoHfAcOSlXcuh4QQA1phhdoCd9sR173MHV68MKovWzTuFfmedRnMzzhi5
1702	   UNP2CgaLBTCYXjrz6ljRbfBmqOAZKfByW3MRZVevlCev90Mwy9cNbIbubFbFQ48W
1703	   PDT2SGs5UDwSxliBt6mDfOUIpn+8XnOz+3FADU7kE+T7wpYDxZmJMVHgiNTiDGlu
1704	   LtjdHscQiwHwGACwwGJQyMSKssUORS+N0zTfzvUUBDyrMTmXsnt0dFA4ZoM+AGgD
1705	   ZAAH6GBaWIl+o6LFcEXteR1Y8UckeBev966JuVydFksGI9BBygPF0Q7AjEBxyAlq
1706	   cYY0Q9F1qlq4awCAs1KL0xMcHQ7x84ueWfBlJUutFsYN/eP2VXPxvrPXb4tBbeoD
1707	   04Dxd/dZCX3fBYx9PMJMRoIb0v6UVy6v3v5CxNmP6IjAaZXpAlrHAa1iQGM5lKix
1708	   BErEvFyH1cBotMZxAtqGb7S0gO4PKUHDB/eFyBABGYJoJDoeH4Sc0tqcQsFdI5E+
1709	   NBA9xw7SbTOrQgm5HeJX2ISlAJTwo0ZCAlDTr9dfh5uPGl/a46Q5OGdBGLXxtMvj
1710	   PNGoRWGmJ45ZAxsaJIXp2adWN124K6VetNtf2ChpTLewSNAE6jN2JT9P87ryxN1W
1711	   Jp1cOsbz6vi60msnY4grmPdHauVGlxpGn7Pb9trjRPJQMz/OmlOZkfLTg2o1QqSO
1712	   EadrrsQFZ/90kXj2IVsDsQfMRgbkABkikpsM0OwP9U1sJz1Ki8kgTQ1k4DNBX/bT
1713	   NNTUN67uJdm7rX5p2OQS8iR4WYz2M68+HVoZi2gX4Lcl9uhP816kUM5mbb20LLzS
1714	   IGcB08D/aZGrnvCUqE53152fS+b3me4rjIiZcFxYMC+rbEKTx2G6Mfk18+3vnByr
1715	   oonjfnmx5rrwiuEirxENS/MEI1gn3jgHX/iRepQyL7g0VG/ctakjKxhw1O3/HAhe
1716	   szrqaXVzMc4m3z7ZT+97fR/cEAA7DkrEfo+Y5VKlSWKAf4ctEpElEQ1PIODJBMQW
1717	   8egpueX0G0j0MQMtMR2elFaGnWCd8mKA/klmdpM47mThqiGbby6RF03P2zl8pEX2
1718	   M13jyiPB4/cuHyThrhDe8Ni713iEWaJO0XeePoWN1Nm1OmOhqOtvLLHNZjEVNxYP
1719	   OxL98FbGzNL5qdJ1sQs1H9jv+BN7YLBsK7Fex/DqWznBsrHS8yRpY7PR+fBxt7Lv
1720	   KA00oQJKONPG/iKcB+vXr4wZHe8nHORXvb7OT3/9ASghE/18lGbCCihhWbzaa9ZL
1721	   88TdT3AiYnZ9lN1IC8JiMM1qusrqSKOnl9LSneYEj6gs3erio0va4tX0qGmfmYvH
1722	   dPvNNsd+s80JCE4zObflu71GebmZbqL5N88lrYx22PWOvYF0bV9o/rkzcq8HMzM8
1723	   9PkP5mwzFTDOpqwlRozyctAacetEQvKMojsuhxZmJY3esYDQbBb8n6iBA5JYp/kG
1724	   U6ZttF5x8b7IB50YNPu1zuPZJ5CX71oOdMZqwoDoTGN1rcN8+a48eXMsOl+uzFWd
1725	   aRbpAUAiEL/pyFVmDDNbNHtgym0fWbZ0ivbtwsP81ZcdimIxB3I4hfVlW38PtL/9
1726	   PMfYuMD1pY5taInXKIPLziZ8eUxRaPl2+qjo832GbCqI7T/XjfVUtJTg9zLPZChR
1727	   h/MkIC3rxWuv3QOYCc4elBtRazSvhaQYFlhO4+0MnVXAMNedsxZnOHrYA33UhjCo
1728	   QJA8q6ghOHs7VWObeRG2mphSyMq7vOIKbujt5NWa580qUq+YJRzaSf516r0/+x+0
1729	   zW9uULCh44HeE13ScqBsiDAjFfM3t/28uzk2Wje/FJ13t99qZUOMstFGBPeMpBNv
1730	   Q342NQjJ/bFeIwBsqKu6OMbg7OVoy+A/ng18vddnpMHTQoZtZGp2qdGdQRdoChH6
1731	   zE9SWUKYqluo5ZciYuxBF0KO3HYiiBU4/fxJAIAlKA8UB2uJGYXi0PLV4qALIWl7
1732	   nMGIEmDW86HgmJsSc6Mtl0bEXr5GjW9MCTxE3XZl85OHpvvJVTbIRRrnzx5tfiDw
1733	   tjcqKc6AqumUm5czK233BevvKW16NZYjz7nnXVu+bvHp/auWldadtHZqPgu6ZU1d
1734	   mo95c73EA96/IzzGKyZ2hW7GHp2HA5ff50WMn2fnt/81/7uS1wkH5oxbsmDduzzO
1735	   olWUDRn/nRdfJpnaO7qUaX1wq/S55c79Ep/eS/1jY42KdrrnnHRIvnWAfCGkslxv
1736	   fI7m48EXxnhvaQhdlHk9s2FOfGqFnOd2ascN7MNXN2em7rjMfHRkoIPOado9fV/9
1737	   ktR7Zypiz+g6ndoTLQglxQ+n3B8/aQmmadXjGe4mvFkpxQ8zuUMLGen7413sQMM9
1738	   00/+oCfMm2Ln9fBOX+LYxjFuR29de3VRb6huWhSzsmZzzhqpdfObYQsqJ5x0KNCa
1739	   9UP1hqrglNzHdjWMCT8OuDWuyhdbuXVbryEay1KNigRBd26uMTOO/8PMSrL9iW+u
1740	   HzdnxC6r+N1R0467npg438x8XDqz8fT1Nads8o+O3f6iZq/r8p9err5ZN9binonz
1741	   k+/rwaKkl/OMUpdsvmP1XaXpoOReiRfG2npPBFJeScpXDt6U4e0VYnHw4JSNvIoz
1742	   9pDlcHldiUOp+ZhDF69Vvy6uSRamNaw2edX4DMi9dIQ/rfbXGQ1bd4yargn2bj6M
1743	   WdM4xuVxrTku9w33cP76/HXG26j6wpO77w12vnuYANYWVtXv2qh7q+LZjX3NNE3L
1744	   U9vmvK5zdd9zu0zv532/DHl6/IcxR7XizO+O/V2rIhWIXeZkfF57RZ3Wdv2UjeGN
1745	   T+FJouGC2TlVIfOD3t47f8bQovlAXk5vx6RTtVomT24crqm9KM7Xf7Z3yh7BMF5m
1746	   f8wqG1vxnPhge49BnD+Ahzc1mIPHpfhhkuDSsyPrBae/i9q298LEodqDnl3qO5db
1747	   vq1u3V3NXb4DDvyU+I5yO133XrwUrG+aXrd3c6bHpnO6OQflqfl82o2Q29an4g4/
1748	   n/TK1xqw8Sa61G8lLevVuGRDE8OyaF5Sf2UPCkeGRkyt8lBst/od8z3ag+gvOgwG
1749	   e6J1txSjg4HtRDU96N4vq18vuV88b1XN4dKBZ/WiJ7/r0z8w4oL9CuamYxmHHq9E
1750	   LsLEz30zEqu9Zsgz4dTqUgHDOMlTf2rhgogsE+CXkqX86yN/7gsvel45O2OhZZIY
1751	   8joi8/5z5+jxhxJNd88gZtGfXmSHJpf9VjZaeth5Ok8bn7P+XOMKB4iY0BvqvadO
1752	   NKcsnNg7d8Of1tvv6vVevGa2p2P63asOaVn9jQv5JVWYpw5/7XUJdPDt4+NdYOA8
1753	   bbl4oVWOOI1pkXGs7FHURtOSXeOy3v6ydKL7xOMetWv7WfWZ/hcz246wJbSXvefV
1754	   uWOnvD2f69UvCQwJnS5/acgwmI2rOlTFNWga9sj1VbDJZbdBB2sTebbzWWsv+RbH
1755	   0A8I+2BvlRgUFkizb/ya/spw8YSbx8sdaump+Xo3XBKubr8/55ZOZkVCJmCSPiY0
1756	   eH3v4qCG4uP9ch8FsSevH6JrkDnjdcV4Z0viI2ubKEvTzctTfL5Pzk6vGi6dd2D2
1757	   S+K+Oxs1CiKJG+Jw41lkx/L5nGkzr2VY/17z4rc4O0J8yIua5BWEdzkrzy+8Vn5u
1758	   YeOmVzOfUM3wgSkcupbVsRKkxcsBwL1aZewdrRh7s9uPmVuKy5MLQtCxd9IJlbH3
1759	   PNB3lL8KzhgFzlq1OAMQnF2tOAva4OxXwRmrwMlqb4EFIQjWUUQeyFbQDmcBglMF
1760	   AFS+Cs44BU6mWpwBCE6EWpw8FZzxCpyMDnodRbCmK/hZ2x6nC+IcPUV9UR//Q3/q
1761	   K2GL+VFdkgL+ePyPRCGq5P+p5J77f3ZP8VW0MoiSIIU5oEgIOov5iswjngbiKVYk
1762	   KroXHs1C6rBnWrL5ErbIUuHgoN5/S9wfRFpuNCiRcUQgHMliS0AxLBEJYizZIiHX
1763	   KJhAYLA5IA6WsnFGwUyjYBojUiSGQTMChUgM40vM0HckRsFUR6NgPAm9lM9Bruvb
1764	   Vwf5+4kqBfzIKNBCKPJjK/75c5B/iP16icRSEE0rIGci0PQD6QxT0IIlErd8rJrA
1765	   MEURfWAeXyKFxaBFTAwikdtk5yngHBCPh2hUKgmiUpETVAY28t/HydfN6/25JTsu
1766	   zopKoiPnvrBUyhfyQFkU8pItQx2+vjoMJwd/l08hvb9cAYaHSKQOaL4eyFfCxIqd
1767	   mJ8BSKIgb/mJ5SgcQpNAxOKA6LZ+kCOKZPGFyicAd3j23+dURKO1q0cMv68Hh2ay
1768	   JTgl9Ti0iR0Vz5/6aP2daYL2elJRPX1lbFgi4coEArlCU8TUP6v6r81zyzO2vhnP
1769	   rfV/G56/QP1P8ow+0ewbmrPa6ruN5S5S/h+R/A1sWW3134Tkr2LJYpFIquwwShEc
1770	   7buN4A9V/fXJ7TqlP0zs34+8V//M226h+NNCfH2yP4MIWlfQrv5Rk59T2xfQ/iEh
1771	   OtL+aY0/n/auI+ITtH/4Ac/dx/rHZOgm0ruWhk5w/q0t/WMydCPnX0TD3z4WDU9E
1772	   zu3DRDIpygGLwwGl4TDYuitLAnYG0srPx36yr9cUHz8Foy3fbfG78Mh7jgi5Cr+L
1773	   y7EhggEknJ+j1xcDo96hA1/IaWk/SLGtDOpEK7RHFUjaAxOpbQVG99q1sgFyEYdX
1774	   uVgBQb4QcWy5LDZsA77/VS7+n/NPRmtjiIQwyr1Ck470d8ao2gDSUItCHXO+BPyA
1775	   a/7PMVEh2crtfB1wO6mxn8zNU9lsRDqk6AVSEDVxULERG5zMioTRNvzILQKQq0GL
1776	   cFgQhcZYUJIQRSJZQg5SlVDx3Rg+HAuKotAf30vQ3z2DEqSOWPRGLKBcJBODkUgf
1777	   Y/FgCRjLFwhAHvKhBK0aDdX11QGRIhVZKW6/wRLw2XBbvkAFXKRIyJeKxAiARBQJ
1778	   w2iTRSFnsJANtwFBWlGJEibjcOSqKOxwlpCnkAjRQyG6RMqSyiRtIJRvWCEGhsgM
1779	   o1bYqg6qiAQWcFF9RVyuUvX3X2z5nuJiOI6vVA1kIdII/9fesfa2bSS/FgX0H7Yo
1780	   DrU/OCGXTxFlAZ3dokZbJWc57YegFyzJZcyzTKok5ce/v5ldUg+KkimZcRxkB0ji
1781	   kPLOzs5zZ2dHH8GqzXieZBFeOpUV4Zucc3fnYyTnzngBUxJ9EVAUNu3QAeO6jXGr
1782	   trlC3ZKCyFvsLZcr9iJkRQTR5gHjIlzGrdW6e64TXj04hT8fs7zOOBmVoEfiVkLE
1783	   Hnwbpai88nXywFnuy8sJeDfB2ZsIU0fDijokVUh0k9ihP52GnySzCSj5tUThivzb
1784	   z+MzD19cYHVvXdzbxo0yifxmxTEJC/6PX/9SZUL8Kgf5mugkzrObo3IOE5xcjk5/
1785	   2zlBabdHp5fnb8a1P4DhQGJg0iWvJo2rPgZ1ZWV4JQzq8mNCoL4YUkxt1RGlYN2a
1786	   H/PaJ/qenE4TkIlxlp6nt0nJX1dRTs6nCQvAFpQsBwPovwdXXPtNTyPvxr+N3/w1
1787	   /rB0j0BlygW+88jXyN9/90WbIWRrgx5vlmcYCzXm/yzy97iCNAlLbnj+nzmfS5IE
1788	   RaPKieMrT36C/NI+s5vCN8AAaL1JvimCZ7Rrl9lfCbi9u6S8ImlGolQcKcyn5ecQ
1789	   mK7r2ozyJnwKI2W5lBcbleH3LLuusvdIE8w4T8Afo1ZvseKd0J+NJ2jA0+JCLJJc
1790	   TaqtPvO8KeAGvH3jobYMAJGs8ejt5QWRiDyyNnoHEWkdXexxLqrrHRUCKQq4an0h
1791	   Ga4vVaXEAtvRMdEPHtnUKBrzlWUhMYMdGoRY+HHwfbegXzkv53kK5IHg3MH/F2LP
1792	   SnY4X1x9wZfJxZ8LrnxAAXj1oQxnr/pYO1MfrqH5Z86FSOtCqHvBQO1VEUAkfQuA
1793	   SdsFAHAB+7UqMPXNwxGICHHJhqUUyL0Yxj7AcSRpnkYHo7GoKWMHuUhhlkdFkw+v
1794	   6ozBqP7EE1RfW/D+16woydHouFftt9a1f9Q7460tmo/UIOcPHtgWio9vRjXLQ5bC
1795	   BixkU8HtfuZva+7SZwvftn47Tez+my5N5orEQhYdcXfx3tS14N1zu2fyEbQGl6aO
1796	   D1YDqpOTn8j7rsvSLTRsdbUiB3UhrLiMdO/LhX9/8Doz5vBQY0umysZM1buzlkzV
1797	   QTGMLejEGAaUEUMJ2MyHXOaUlpvf7vQSZM/6Z7X2D2Ki4yR48OUPIlul9UTU0JDp
1798	   HJbL3RZSsy1n5v/wQ29Y0VL/gtYe1i5mqIxbsfaE09FRQb8TlTTfkbfZbD5lWPJz
1799	   QM+D7rvxP2TSqoqGcALnadWZgJwuLOIE4mBY+6TwtqX8vC1xq9f5ei+oab358nY2
1800	   WPC6LoO3V35lPW9u6xjVnGY3s3nJSVIvyWIn8BWsgIWKd8WKK5LFEGJVEkC0+9A2
1801	   Y2c41PWI6syMbNvUhrplxSHTYj3WuQPa41AjOAytcFN5wRZJOsAuZiFwM5dZmmmx
1802	   2KVhYHDdMeH/ejjUAmqzwI5DqoV2aLiO5TiWS2lkaiwYRnYUBiyyAiPgAdO4NTQN
1803	   gxlO5OjDMITl1SPTCcwA+1tbzKDGEBhlW7obDSMK6PCbxaiND1xumlbgwF/c1uF9
1804	   bMWRQaM4cl1q2kx3TU3DFDUYVW6DhzW5rodcs6KYBo7GOeOWE8QwCcZN4YUDI4TJ
1805	   xMwxXE2LGbOCeBhpIYtMxsOIh1TXeKCFlmkHmqubfdkay6jf3SSyYg2ijm2Oob6+
1806	   T9B7LAasHEkdDoh6vlbvsPHgNmHdHEvH5jeDwe6+CIPBXs0QBoNP1Q5hMDig78Fg
1807	   s6np4JBGOIOWHtxdukjuaIncbNLcaq0GXbs0D77QpjiDlv7S8GywT4J/R9xo0JXE
1808	   X3XIhNpa3pMAuM5zcbD0TLq7Py3h7N+s4I1QWJz0vJWbOSTrDhyAjFRfLB2PxPLW
1809	   1lPnQxaIiqj3zYyndWp+ScAzWur9iZkWp4sxpPRapHHavULJczkcQGX1QEvlNOuC
1810	   DhDXmyZFJwQ33vCeFSQUm+oe8EJwhc8BE89z0JHs2j/R8WefyidedamBetMkONKO
1811	   vXiehvhv8VCU/AbL0PuYhsgnNQi+Y2kpSlsUnVsQNEanlrx1IOtK7KFFgoeSd8vy
1812	   fY3L97XQqcREiYkSk72Xr1Fptvf41KDr4/NeBrWrQfGbWYords3lDT5Ra/Xk0W1j
1813	   Y/QoS/nTRzadmucFBuZZWoiqsPlMnnnCi1td/v16Mvn91iCjnyfUsk8mv45a6jj3
1814	   j69EySWeGNzjj1XOSXytLWwupzz1dV2cuvr7now/gldHGZDZXqz6y6oTvyQlWPON
1815	   GaieEYq7gsU8+B88HE1LUZ4IWAQ2UUSSpLJij/xIf3o6Xy2LtuKTnObI6QbuH9cr
1816	   1V6qkTKG4oAwiQQpYhfZ0w5VcKj5annynN3wC7A/xdExOX0zHntEu6earjFNI9az
1817	   bGvoAbuz5uKtb2KrZAJuwr8cktqZZ9kvnnlSBS4znIhPNdMV/sw3bOOpbHXRYZ6n
1818	   pKrgG/O76pDnqQMP6dqzxXqijxASVB04vlhZaZTho69LUjD4IoUjEsTPNvWNo+x9
1819	   riYY4lYHDLL+fWCPZMHXugO/mJT41g7BnyxX3qVPcEtKV5Mp3Rap2826ZjwrLgV+
1820	   //2KHn1GI1SPt+CskqVnlaWuZuCxylx3Eb/uLksvZp7gcPdS5lYKl5XNd0nOj7FQ
1821	   5AUUih+0dgcVin+aZexRHKwq3sY09eU7pd0v1VOQxpUY6lDx6vTPTyxpnaa2vAyk
1822	   W/XOvDqAVCL1Uh0G2ajrcsSOYPnQ88DkVhgKj1Q/4eE+uYI9CMfCNl6Iemd+nxQl
1823	   OSGAYJqIZ0LO8Bc3sxI7RYjaKEGLWuH6HLuupT9wVEdYOpEOTCLid2fVfmhccVUq
1824	   vOLhNZnhtPdEtp+2uSbm94Qj5/K6dK3jUcKm2cd9xxu6ZqW89Tj118dgDkhkmShe
1825	   E3o12NlCjP6L/Pfsm2/w5ufg22+rvmSYd9xsSmaBE6eyKdnn7p+mQIECBQoUKFCg
1826	   QIECBQoUKFCgQIECBQoUKFCgQIECBQoUKFCgQIECBQoUKFDw3PB/MVUingAYAQA=

1828	Authors' Addresses

1830	   Cullen Jennings
1831	   Cisco Systems
1832	   170 West Tasman Drive
1833	   Mailstop SJC-21/2
1834	   San Jose, CA  95134
1835	   USA

1837	   Phone: +1 408 421 9990
1838	   Email: fluffy@cisco.com

1840	   Kumiko Ono
1841	   NTT Corporation
1842	   Musashino-shi, Tokyo  180-8585
1843	   Japan

1845	   Phone: +81 422 59 4508
1846	   Email: ono.kumiko@lab.ntt.co.jp

1848	   Robert Sparks (editor)
1849	   Estacado Systems

1851	   Email: RjS@estacado.net

1853	Intellectual Property Statement

1855	   The IETF takes no position regarding the validity or scope of any
1856	   Intellectual Property Rights or other rights that might be claimed to
1857	   pertain to the implementation or use of the technology described in
1858	   this document or the extent to which any license under such rights
1859	   might or might not be available; nor does it represent that it has
1860	   made any independent effort to identify any such rights.  Information
1861	   on the procedures with respect to rights in RFC documents can be
1862	   found in BCP 78 and BCP 79.

1864	   Copies of IPR disclosures made to the IETF Secretariat and any
1865	   assurances of licenses to be made available, or the result of an
1866	   attempt made to obtain a general license or permission for the use of
1867	   such proprietary rights by implementers or users of this
1868	   specification can be obtained from the IETF on-line IPR repository at
1869	   http://www.ietf.org/ipr.

1871	   The IETF invites any interested party to bring to its attention any
1872	   copyrights, patents or patent applications, or other proprietary
1873	   rights that may cover technology that may be required to implement
1874	   this standard.  Please address the information to the IETF at
1875	   ietf-ipr@ietf.org.

1877	Disclaimer of Validity

1879	   This document and the information contained herein are provided on an
1880	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1881	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1882	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1883	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1884	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1885	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1887	Copyright Statement

1889	   Copyright (C) The Internet Society (2006).  This document is subject
1890	   to the rights, licenses and restrictions contained in BCP 78, and
1891	   except as set forth therein, the authors retain all their rights.

1893	Acknowledgment

1895	   Funding for the RFC Editor function is currently provided by the
1896	   Internet Society.